Additional information

Authentication request header

| Claim | Values | Required | Comment |
| --- | --- | --- | --- |
| `alg` | ES256K | Yes | In V1 we only sign tokens. ECDSA signature with SHA2-256. |
| `typ` | ES256K | / | It is used to define the media type. It must be JWT (JSON Web Token). |
| `kid` | did:ace 0x1fb5ce0b0c0c09efe1a8f448d0d268365ed9d02dd34a6c2ffa56cc1626a95c02 | Yes | A hint indicating which key was used to secure the JWS. MUST be a DID URL referring to a public key in the RP's DID Document. |

Authentication request payload


Request Object Validation

  1. The Request Object is a signed JWT.
  2. Verify that the `alg` param of the JWT header is "ES256K".
  3. Verify that the `iss` param is included in the payload.
  4. Verify that the DID is in the Trusted Issuers/Apps Registry.
  5. Obtain the DID Document of the RP. If the `did_doc` param is NOT in the payload, obtain the DID Document from the DID API (https://ssi.aceblock.com/did-resolver/1.0/identifiers/{did}).
  6. Verify the DID Document.
  7. Verify that the `kid` URI from the JWT header points to a valid key in the DID Document.
  8. Verify the JWT signature against the key specified in the `kid`.
  9. (optional in V1) Verify that the DID in `register.jwks_uri` matches the DID in the `iss` claim.
  10. (optional in V1) Verify that `registration.id_token_signed_response_alg` contains "ES256K".
  11. Verify that `scope` is `"openid did_authn"`.
  12. Verify that `response_type` is `"id_token"`.