new recipe: token requiring an extra signature before being sent on the wire
divarvel opened this issue · comments
This use case will be made possible by 3rd party tokens.
Context
A service delivers a token to a principal, but this token is not usable as is; it requires an identity proof making sure that the holder is the intended one. This mitigates token theft, as the token requires an extra proof to be accepted. For instance, this proof could be provided by a hardware token or a smart card.
Example
The token is delivered to principal A. A can prove their identity through the keypair `pkA`/`skA`.
Token
right("resource"); // this token grants access to the resource `resource`
check if user("A") trusting {pkA};
As it is, this token cannot be used, as the check cannot be fulfilled.
The only possible way to make this token valid is to append a third party block, signed by `skA`, containing the fact `user("A")`.
The intended flow is that A adds it right before sending the query, with a very short TTL (a couple seconds), or with checks that tie the 3rd party block to the request that's being sent.
user("A");
check if time($time), $time < {now + 30 seconds};
check if /* conditions tying the block to the request */
sequenceDiagram
Token Emitter->>A: Token with identity check
A-->>A: Appends Third-Party Block
A->>Service: Presents Token with identity proof appended
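The scoping rule this recipe relies on, as an added example that is not part of the original issue and does not use the biscuit library. It is a simplified model: the `Block` type, `authorize` function and sample values are hypothetical, a block's `signer` field stands for an external signature that has already been verified, and the check is assumed to see only its own (authority) block plus blocks signed by `pkA`.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Block:
    facts: frozenset                   # facts the block asserts, e.g. {("user", "A")}
    signer: Optional[str] = None       # external key whose signature verified; None for ordinary blocks
    not_after: Optional[float] = None  # models `check if time($time), $time < ...`


def authorize(blocks, now, trusted_key="pkA"):
    """Return True if every check carried by the token passes at time `now`."""
    authority = blocks[0]
    # Each block's own TTL check must hold ($time strictly before the limit).
    if any(b.not_after is not None and now >= b.not_after for b in blocks):
        return False
    # Models `check if user("A") trusting {pkA}`: the check only sees facts from
    # the block that carries it and from blocks signed by the trusted key.
    visible = [authority] + [b for b in blocks[1:] if b.signer == trusted_key]
    return any(("user", "A") in b.facts for b in visible)


# Constructed sample data (not taken from the issue).
NOW = 1_700_000_000.0
AUTHORITY = Block(frozenset({("right", "resource")}))
PROOF = Block(frozenset({("user", "A")}), signer="pkA", not_after=NOW + 30)
UNSIGNED = Block(frozenset({("user", "A")}))              # same fact, no skA signature
WRONG_KEY = Block(frozenset({("user", "A")}), signer="pkB")


def demo():
    return {
        "token alone": authorize([AUTHORITY], NOW),
        "with proof block": authorize([AUTHORITY, PROOF], NOW + 5),
        "proof block after TTL": authorize([AUTHORITY, PROOF], NOW + 31),
        "fact in ordinary block": authorize([AUTHORITY, UNSIGNED], NOW),
        "block signed by another key": authorize([AUTHORITY, WRONG_KEY], NOW),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The "with proof block" case also covers a copy of the token captured together with its proof: it stays acceptable until `not_after`, which is why the issue asks for a very short TTL or checks tying the block to the request.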