From 6c4a31f32c3f32cf73e7c64e0dd97cc350197f3f Mon Sep 17 00:00:00 2001
From: beltram
Date: Thu, 23 Nov 2023 13:12:49 +0100
Subject: [PATCH] works !

---
 acme/src/identity/mod.rs | 12 +-
 e2e-identity/README.md | 945 +++++++++++++++++++++++++++-
 e2e-identity/tests/api.rs | 7 +-
 e2e-identity/tests/e2e.rs | 2 +-
 e2e-identity/tests/utils/cfg.rs | 3 +-
 e2e-identity/tests/utils/display.rs | 8 +-
 jwt/src/model/handle.rs | 23 +-
 7 files changed, 978 insertions(+), 22 deletions(-)

diff --git a/acme/src/identity/mod.rs b/acme/src/identity/mod.rs
index 3232c124..63af5e53 100644
--- a/acme/src/identity/mod.rs
+++ b/acme/src/identity/mod.rs
@@ -49,7 +49,7 @@ impl WireIdentityReader for x509_cert::Certificate {
 
 Ok(WireIdentity {
 client_id,
- handle: QualifiedHandle::try_from(handle)?,
+ handle,
 display_name,
 domain,
 status,
@@ -118,7 +118,7 @@ fn try_extract_subject(cert: &x509_cert::TbsCertificate) -> RustyAcmeResult<(Str
 }
 
 /// extract Subject Alternative Name to pick client-id & display name
-fn try_extract_san(cert: &x509_cert::TbsCertificate) -> RustyAcmeResult<(String, String)> {
+fn try_extract_san(cert: &x509_cert::TbsCertificate) -> RustyAcmeResult<(String, QualifiedHandle)> {
 let extensions = cert.extensions.as_ref().ok_or(CertificateError::InvalidFormat)?;
 
 let san = extensions
@@ -141,13 +141,7 @@ fn try_extract_san(cert: &x509_cert::TbsCertificate) -> RustyAcmeResult<(String,
 // a ClientId (since it's the most characterizable) and else fallback to a handle
 if let Ok(cid) = ClientId::try_from_uri(name) {
 client_id = Some(cid.to_qualified());
- } else if name.starts_with(ClientId::URI_PREFIX) {
- let h = name
- .strip_prefix(ClientId::URI_PREFIX)
- .ok_or(RustyAcmeError::ImplementationError)?
- .strip_prefix(Handle::PREFIX)
- .ok_or(RustyAcmeError::ImplementationError)?
- .to_string();
+ } else if let Ok(h) = QualifiedHandle::try_from(name) {
 handle = Some(h);
 }
 Ok(())
diff --git a/e2e-identity/README.md b/e2e-identity/README.md
index 6a9574ae..ebf5bc3e 100644
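Review bot: The doc comment kept directly above the changed `try_extract_san` signature still says the function picks "client-id & display name", while the new return type `RustyAcmeResult<(String, QualifiedHandle)>` and the SAN matching in the third hunk show it yields the client-id and the qualified handle; the display name seems to come from `try_extract_subject`, whose closing brace is this hunk's leading context. Suggest `/// extract Subject Alternative Name to pick the client-id & the qualified handle` so the comment matches the contract the new type now makes explicit. The body of `try_extract_san` continues past the end of the hunk.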
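Review bot: The new `else if let Ok(h) = QualifiedHandle::try_from(name)` arm discards the parse error, so a SAN URI that carries the `im:wireapp=` prefix but is not a well-formed handle is now silently skipped, whereas the removed lines surfaced `RustyAcmeError::ImplementationError` in that case; whether the resulting `None` handle is rejected further down cannot be seen from this hunk. Keeping the prefix discrimination and propagating the failure avoids partially accepting a malformed identity certificate: `} else if name.starts_with(ClientId::URI_PREFIX) {` followed by `handle = Some(QualifiedHandle::try_from(name).map_err(|_| CertificateError::InvalidFormat)?);` (`CertificateError::InvalidFormat` already flows through `?` in the second hunk). Whether `QualifiedHandle::try_from` itself enforces the URI prefix and the handle prefix that the removed code checked explicitly is decided in `jwt/src/model/handle.rs`, which this commit also touches but which is not shown here. Separately, `handle = Some(h);` overwrites any earlier match, so if this block runs once per SAN entry a certificate with several handle URIs keeps the last one without error. The loop or closure enclosing these lines starts outside the hunk.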
--- a/e2e-identity/README.md
+++ b/e2e-identity/README.md
@@ -1 +1,944 @@ -# Wire end to end identity example \ No newline at end of file +# Wire end to end identity example +Ed25519 - SHA256 +```mermaid +sequenceDiagram + autonumber + wire-client->>+acme-server: 🔒 GET /acme/wire/directory + acme-server->>-wire-client: 200 + wire-client->>+acme-server: 🔒 HEAD /acme/wire/new-nonce + acme-server->>-wire-client: 200 + wire-client->>+acme-server: 🔒 POST /acme/wire/new-account + acme-server->>-wire-client: 201 + wire-client->>+acme-server: 🔒 POST /acme/wire/new-order + acme-server->>-wire-client: 201 + wire-client->>+acme-server: 🔒 POST /acme/wire/authz/5lf0IcPG1jL692BobqoKeMOQwbVCXdep + acme-server->>-wire-client: 200 + wire-client->>+wire-server: GET /clients/token/nonce + wire-server->>-wire-client: 200 + wire-client->>wire-client: create DPoP token + wire-client->>+wire-server: POST /clients/c6dfb2622730ca11/access-token + wire-server->>-wire-client: 200 + wire-client->>+acme-server: 🔒 POST /acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/UewEvxrwNNB6rLg7Kp4o32faUQJcatqL + acme-server->>-wire-client: 200 + wire-client->>wire-client: OAUTH authorization request + wire-client->>+IdP: GET /dex/auth + IdP->>-wire-client: 200 + wire-client->>wire-client: OAUTH authorization code + wire-client->>+IdP: POST /dex/token + IdP->>-wire-client: 200 + wire-client->>+acme-server: 🔒 POST /acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/HZ6u6ugoePyELHDdwM7YVz272Ph4rWZW + acme-server->>-wire-client: 200 + wire-client->>+acme-server: 🔒 POST /acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP + acme-server->>-wire-client: 200 + wire-client->>+acme-server: 🔒 POST /acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP/finalize + acme-server->>-wire-client: 200 + wire-client->>+acme-server: 🔒 POST /acme/wire/certificate/0Czk0z4oZJFtJ9lwDLoYPGUevr5OL4Ga + acme-server->>-wire-client: 200 +``` +### Initial setup with ACME server +#### 1. 
fetch acme directory for hyperlinks +```http request +GET https://stepca:32934/acme/wire/directory + /acme/{acme-provisioner}/directory +``` +#### 2. get the ACME directory with links for newNonce, newAccount & newOrder +```http request +200 +content-type: application/json +vary: Origin +``` +```json +{ + "newNonce": "https://stepca:32934/acme/wire/new-nonce", + "newAccount": "https://stepca:32934/acme/wire/new-account", + "newOrder": "https://stepca:32934/acme/wire/new-order", + "revokeCert": "https://stepca:32934/acme/wire/revoke-cert" +} +``` +#### 3. fetch a new nonce for the very first request +```http request +HEAD https://stepca:32934/acme/wire/new-nonce + /acme/{acme-provisioner}/new-nonce +``` +#### 4. get a nonce for creating an account +```http request +200 +cache-control: no-store +link: ;rel="index" +replay-nonce: elYwVW9VcEM1aFUwV1VLb254R3dTQzdLQ0dQRXpudlQ +vary: Origin +``` +```text +elYwVW9VcEM1aFUwV1VLb254R3dTQzdLQ0dQRXpudlQ +``` +#### 5. create a new account +```http request +POST https://stepca:32934/acme/wire/new-account + /acme/{acme-provisioner}/new-account +content-type: application/jose+json +``` +```json +{ + "protected": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6InJQbDN4aFhHdFcwd1FkTmJxOEhlQnJtVWItcDQxRjFLVXFpSUpTSjI5WU0ifSwibm9uY2UiOiJlbFl3Vlc5VmNFTTFhRlV3VjFWTGIyNTRSM2RUUXpkTFEwZFFSWHB1ZGxRIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6MzI5MzQvYWNtZS93aXJlL25ldy1hY2NvdW50In0", + "payload": "eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZSwiY29udGFjdCI6WyJhbm9ueW1vdXNAYW5vbnltb3VzLmludmFsaWQiXSwib25seVJldHVybkV4aXN0aW5nIjpmYWxzZX0", + "signature": "QW4yHgRzRaZ2nFmevyaCcc--XNXDOdd7TNfNefKAPZs0-1d9Ze8oDIYHPlDxyJ3B1H7ObZMwzXFZjzB68RHcCw" +} +``` +```json +{ + "payload": { + "contact": [ + "anonymous@anonymous.invalid" + ], + "onlyReturnExisting": false, + "termsOfServiceAgreed": true + }, + "protected": { + "alg": "EdDSA", + "jwk": { + "crv": "Ed25519", + "kty": "OKP", + "x": 
"rPl3xhXGtW0wQdNbq8HeBrmUb-p41F1KUqiIJSJ29YM" + }, + "nonce": "elYwVW9VcEM1aFUwV1VLb254R3dTQzdLQ0dQRXpudlQ", + "typ": "JWT", + "url": "https://stepca:32934/acme/wire/new-account" + } +} +``` +#### 6. account created +```http request +201 +cache-control: no-store +content-type: application/json +link: ;rel="index" +location: https://stepca:32934/acme/wire/account/Ee4qTmdr2giWEfuHWDbnksxjJl94kEOt +replay-nonce: eTFUZlg5aHJVYVNUTFJLalJQQTRjUlZITXoyRTZNYkI +vary: Origin +``` +```json +{ + "status": "valid", + "orders": "https://stepca:32934/acme/wire/account/Ee4qTmdr2giWEfuHWDbnksxjJl94kEOt/orders" +} +``` +### Request a certificate with relevant identifiers +#### 7. create a new order +```http request +POST https://stepca:32934/acme/wire/new-order + /acme/{acme-provisioner}/new-order +content-type: application/jose+json +``` +```json +{ + "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjMyOTM0L2FjbWUvd2lyZS9hY2NvdW50L0VlNHFUbWRyMmdpV0VmdUhXRGJua3N4akpsOTRrRU90IiwidHlwIjoiSldUIiwibm9uY2UiOiJlVEZVWmxnNWFISlZZVk5VVEZKTGFsSlFRVFJqVWxaSVRYb3lSVFpOWWtJIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6MzI5MzQvYWNtZS93aXJlL25ldy1vcmRlciJ9", + "payload": "eyJpZGVudGlmaWVycyI6W3sidHlwZSI6IndpcmVhcHAtaWQiLCJ2YWx1ZSI6IntcIm5hbWVcIjpcIkFsaWNlIFNtaXRoXCIsXCJkb21haW5cIjpcIndpcmUuY29tXCIsXCJjbGllbnQtaWRcIjpcImltOndpcmVhcHA9Q3lCcjNNWE5TYXkyRm8xaC03RE8yQS9jNmRmYjI2MjI3MzBjYTExQHdpcmUuY29tXCIsXCJoYW5kbGVcIjpcImltOndpcmVhcHA9JTQwYWxpY2Vfd2lyZUB3aXJlLmNvbVwifSJ9XSwibm90QmVmb3JlIjoiMjAyMy0xMS0yM1QxMjoxMjo0My42ODc5NVoiLCJub3RBZnRlciI6IjIwMzMtMTEtMjBUMTI6MTI6NDMuNjg3OTVaIn0", + "signature": "_jRCwGjmTiFiP5tZroEs9hVGwf-sbM9uCOzreWYIGLe-Rw4Fzd4UdzP1jNUUVNTkwGme76C_QBlmXnqHN2opBw" +} +``` +```json +{ + "payload": { + "identifiers": [ + { + "type": "wireapp-id", + "value": "{\"name\":\"Alice Smith\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=CyBr3MXNSay2Fo1h-7DO2A/c6dfb2622730ca11@wire.com\",\"handle\":\"im:wireapp=%40alice_wire@wire.com\"}" + } + ], + "notAfter": 
"2033-11-20T12:12:43.68795Z", + "notBefore": "2023-11-23T12:12:43.68795Z" + }, + "protected": { + "alg": "EdDSA", + "kid": "https://stepca:32934/acme/wire/account/Ee4qTmdr2giWEfuHWDbnksxjJl94kEOt", + "nonce": "eTFUZlg5aHJVYVNUTFJLalJQQTRjUlZITXoyRTZNYkI", + "typ": "JWT", + "url": "https://stepca:32934/acme/wire/new-order" + } +} +``` +#### 8. get new order with authorization URLS and finalize URL +```http request +201 +cache-control: no-store +content-type: application/json +link: ;rel="index" +location: https://stepca:32934/acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP +replay-nonce: bjRxUmJiU3pZZm9ZaE4xMXhVV0d6VEozUWUyanJUSHg +vary: Origin +``` +```json +{ + "status": "pending", + "finalize": "https://stepca:32934/acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP/finalize", + "identifiers": [ + { + "type": "wireapp-id", + "value": "{\"name\":\"Alice Smith\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=CyBr3MXNSay2Fo1h-7DO2A/c6dfb2622730ca11@wire.com\",\"handle\":\"im:wireapp=%40alice_wire@wire.com\"}" + } + ], + "authorizations": [ + "https://stepca:32934/acme/wire/authz/5lf0IcPG1jL692BobqoKeMOQwbVCXdep" + ], + "expires": "2023-11-24T12:12:43Z", + "notBefore": "2023-11-23T12:12:43.68795Z", + "notAfter": "2033-11-20T12:12:43.68795Z" +} +``` +### Display-name and handle already authorized +#### 9. 
create authorization and fetch challenges +```http request +POST https://stepca:32934/acme/wire/authz/5lf0IcPG1jL692BobqoKeMOQwbVCXdep + /acme/{acme-provisioner}/authz/{authz-id} +content-type: application/jose+json +``` +```json +{ + "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjMyOTM0L2FjbWUvd2lyZS9hY2NvdW50L0VlNHFUbWRyMmdpV0VmdUhXRGJua3N4akpsOTRrRU90IiwidHlwIjoiSldUIiwibm9uY2UiOiJialJ4VW1KaVUzcFpabTlaYUU0eE1YaFZWMGQ2VkVvelVXVXlhbkpVU0hnIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6MzI5MzQvYWNtZS93aXJlL2F1dGh6LzVsZjBJY1BHMWpMNjkyQm9icW9LZU1PUXdiVkNYZGVwIn0", + "payload": "", + "signature": "uJOQnPD_vxacoAz25YzPdrhMgeP2Y5tAh-99PIDk36PYG5_8qnbOf5NsW7toYl9yEbaR9dAs-n2Mb7w-DblQAQ" +} +``` +```json +{ + "payload": {}, + "protected": { + "alg": "EdDSA", + "kid": "https://stepca:32934/acme/wire/account/Ee4qTmdr2giWEfuHWDbnksxjJl94kEOt", + "nonce": "bjRxUmJiU3pZZm9ZaE4xMXhVV0d6VEozUWUyanJUSHg", + "typ": "JWT", + "url": "https://stepca:32934/acme/wire/authz/5lf0IcPG1jL692BobqoKeMOQwbVCXdep" + } +} +``` +#### 10. 
get back challenges +```http request +200 +cache-control: no-store +content-type: application/json +link: ;rel="index" +location: https://stepca:32934/acme/wire/authz/5lf0IcPG1jL692BobqoKeMOQwbVCXdep +replay-nonce: S2x0SUg1b2hzM2NhNHFKUGtxTnBTUkR0TE9KV2NzdU4 +vary: Origin +``` +```json +{ + "status": "pending", + "expires": "2023-11-24T12:12:43Z", + "challenges": [ + { + "type": "wire-oidc-01", + "url": "https://stepca:32934/acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/HZ6u6ugoePyELHDdwM7YVz272Ph4rWZW", + "status": "pending", + "token": "l6rcJBTKc3dumAvfIsFOdk6uylqPKDfj", + "target": "http://dex:21146/dex" + }, + { + "type": "wire-dpop-01", + "url": "https://stepca:32934/acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/UewEvxrwNNB6rLg7Kp4o32faUQJcatqL", + "status": "pending", + "token": "l6rcJBTKc3dumAvfIsFOdk6uylqPKDfj", + "target": "http://wire.com:16059/clients/c6dfb2622730ca11/access-token" + } + ], + "identifier": { + "type": "wireapp-id", + "value": "{\"name\":\"Alice Smith\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=CyBr3MXNSay2Fo1h-7DO2A/c6dfb2622730ca11@wire.com\",\"handle\":\"im:wireapp=%40alice_wire@wire.com\"}" + } +} +``` +### Client fetches JWT DPoP access token (with wire-server) +#### 11. fetch a nonce from wire-server +```http request +GET http://wire.com:16059/clients/token/nonce +``` +#### 12. get wire-server nonce +```http request +200 + +``` +```text +cVR4V1BNSDlUOVoxZktsTmduZDZpb25jeTRSZ3hoMFQ +``` +#### 13. create client DPoP token + + +
+Dpop token + +See it on [jwt.io](https://jwt.io/#id_token=eyJhbGciOiJFZERTQSIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4IjoiclBsM3hoWEd0VzB3UWROYnE4SGVCcm1VYi1wNDFGMUtVcWlJSlNKMjlZTSJ9fQ.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.pf0uVnoBDfic89NJ5f6-SnwPsVR5uCfKI9ewLbGlHCvj6QtueF823-nwsVCDk2YmBGkrndjbzPuFnH4oK-mGAQ) + +Raw: +```text +eyJhbGciOiJFZERTQSIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6Ik9L +UCIsImNydiI6IkVkMjU1MTkiLCJ4IjoiclBsM3hoWEd0VzB3UWROYnE4SGVCcm1V +Yi1wNDFGMUtVcWlJSlNKMjlZTSJ9fQ.eyJpYXQiOjE3MDA3Mzc5NjMsImV4cCI6M +TcwMDc0NTE2MywibmJmIjoxNzAwNzM3OTYzLCJzdWIiOiJpbTp3aXJlYXBwPUN5Q +nIzTVhOU2F5MkZvMWgtN0RPMkEvYzZkZmIyNjIyNzMwY2ExMUB3aXJlLmNvbSIsI +mp0aSI6Ijk1NjdjODI5LTY3YWYtNGE3Mi1iYWFmLTk4Yjc0NDk2NmRiZSIsIm5vb +mNlIjoiY1ZSNFYxQk5TRGxVT1ZveFprdHNUbWR1WkRacGIyNWplVFJTWjNob01GU +SIsImh0bSI6IlBPU1QiLCJodHUiOiJodHRwOi8vd2lyZS5jb206MTYwNTkvY2xpZ +W50cy9jNmRmYjI2MjI3MzBjYTExL2FjY2Vzcy10b2tlbiIsImNoYWwiOiJsNnJjS +kJUS2MzZHVtQXZmSXNGT2RrNnV5bHFQS0RmaiIsImhhbmRsZSI6ImltOndpcmVhc +HA9JTQwYWxpY2Vfd2lyZUB3aXJlLmNvbSIsInRlYW0iOiJ3aXJlIn0.pf0uVnoBD +fic89NJ5f6-SnwPsVR5uCfKI9ewLbGlHCvj6QtueF823-nwsVCDk2YmBGkrndjbz +PuFnH4oK-mGAQ +``` + +Decoded: + +```json +{ + "alg": "EdDSA", + "jwk": { + "crv": "Ed25519", + "kty": "OKP", + "x": "rPl3xhXGtW0wQdNbq8HeBrmUb-p41F1KUqiIJSJ29YM" + }, + "typ": "dpop+jwt" +} +``` + +```json +{ + "chal": "l6rcJBTKc3dumAvfIsFOdk6uylqPKDfj", + "exp": 1700745163, + "handle": "im:wireapp=%40alice_wire@wire.com", + "htm": "POST", + "htu": "http://wire.com:16059/clients/c6dfb2622730ca11/access-token", + "iat": 1700737963, + "jti": "9567c829-67af-4a72-baaf-98b744966dbe", + "nbf": 1700737963, + "nonce": "cVR4V1BNSDlUOVoxZktsTmduZDZpb25jeTRSZ3hoMFQ", + "sub": "im:wireapp=CyBr3MXNSay2Fo1h-7DO2A/c6dfb2622730ca11@wire.com", + "team": "wire" +} +``` + + +✅ Signature Verified with key: +```text +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIFgRwzcQ1Pv98tXXZC82gUyOCqmr0/fF0/a3dyKkIC6x +-----END PRIVATE KEY----- 
+-----BEGIN PUBLIC KEY----- +MCowBQYDK2VwAyEArPl3xhXGtW0wQdNbq8HeBrmUb+p41F1KUqiIJSJ29YM= +-----END PUBLIC KEY----- +``` + +
+ + +#### 14. trade client DPoP token for an access token +```http request +POST http://wire.com:16059/clients/c6dfb2622730ca11/access-token + /clients/{device-id}/access-token +dpop: 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 +``` +#### 15. get a Dpop access token from wire-server +```http request +200 + +``` +```json +{ + "expires_in": 2082008461, + "token": "eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im5GaW5KMEpHelBDd1E3QjNnRlVIbWdxMDRfLVdGUXNSMzNQb2xTcGhxOGsifX0.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.ofH7FDeynOrmLcYSyrwR-vZ2a0tWsweDj1xj9HcC7jg9yFK7iklwbOULNf-EivCsyA4505V4eyQrI1QEVMTUDg", + "type": "DPoP" +} +``` + +
+Access token + +See it on [jwt.io](https://jwt.io/#id_token=eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im5GaW5KMEpHelBDd1E3QjNnRlVIbWdxMDRfLVdGUXNSMzNQb2xTcGhxOGsifX0.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.ofH7FDeynOrmLcYSyrwR-vZ2a0tWsweDj1xj9HcC7jg9yFK7iklwbOULNf-EivCsyA4505V4eyQrI1QEVMTUDg) + +Raw: +```text +eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1Ai +LCJjcnYiOiJFZDI1NTE5IiwieCI6Im5GaW5KMEpHelBDd1E3QjNnRlVIbWdxMDRf +LVdGUXNSMzNQb2xTcGhxOGsifX0.eyJpYXQiOjE3MDA3Mzc5NjMsImV4cCI6MTcw +MDc0MTkyMywibmJmIjoxNzAwNzM3OTYzLCJpc3MiOiJodHRwOi8vd2lyZS5jb206 +MTYwNTkvY2xpZW50cy9jNmRmYjI2MjI3MzBjYTExL2FjY2Vzcy10b2tlbiIsInN1 +YiI6ImltOndpcmVhcHA9Q3lCcjNNWE5TYXkyRm8xaC03RE8yQS9jNmRmYjI2MjI3 +MzBjYTExQHdpcmUuY29tIiwiYXVkIjoiaHR0cDovL3dpcmUuY29tOjE2MDU5L2Ns +aWVudHMvYzZkZmIyNjIyNzMwY2ExMS9hY2Nlc3MtdG9rZW4iLCJqdGkiOiJkZDNl +ZDUxOC1kOWQyLTRhYmEtYjEyMS1kZmM5ZDlhOGYyMDAiLCJub25jZSI6ImNWUjRW +MUJOU0RsVU9Wb3haa3RzVG1kdVpEWnBiMjVqZVRSU1ozaG9NRlEiLCJjaGFsIjoi +bDZyY0pCVEtjM2R1bUF2ZklzRk9kazZ1eWxxUEtEZmoiLCJjbmYiOnsia2lkIjoi +UWYxTHpZZnc0U09hYVpJZHBnem1tS2RXSUpDTlRidXlTcTRsc2N6QVhERSJ9LCJw +cm9vZiI6ImV5SmhiR2NpT2lKRlpFUlRRU0lzSW5SNWNDSTZJbVJ3YjNBcmFuZDBJ +aXdpYW5kcklqcDdJbXQwZVNJNklrOUxVQ0lzSW1OeWRpSTZJa1ZrTWpVMU1Ua2lM +Q0o0SWpvaWNsQnNNM2hvV0VkMFZ6QjNVV1JPWW5FNFNHVkNjbTFWWWkxd05ERkdN +VXRWY1dsSlNsTktNamxaVFNKOWZRLmV5SnBZWFFpT2pFM01EQTNNemM1TmpNc0lt +VjRjQ0k2TVRjd01EYzBOVEUyTXl3aWJtSm1Jam94TnpBd056TTNPVFl6TENKemRX +SWlPaUpwYlRwM2FYSmxZWEJ3UFVONVFuSXpUVmhPVTJGNU1rWnZNV2d0TjBSUE1r +RXZZelprWm1JeU5qSXlOek13WTJFeE1VQjNhWEpsTG1OdmJTSXNJbXAwYVNJNklq +azFOamRqT0RJNUxUWTNZV1l0TkdFM01pMWlZV0ZtTFRrNFlqYzBORGsyTm1SaVpT +SXNJbTV2Ym1ObElqb2lZMVpTTkZZeFFrNVRSR3hWVDFadmVGcHJkSE5VYldSMVdr +UmFjR0l5TldwbFZGSlRXak5vYjAxR1VTSXNJbWgwYlNJNklsQlBVMVFpTENKb2RI +VWlPaUpvZEhSd09pOHZkMmx5WlM1amIyMDZNVFl3TlRrdlkyeHBaVzUwY3k5ak5t +Um1ZakkyTWpJM016QmpZVEV4TDJGalkyVnpjeTEwYjJ0bGJpSXNJbU5vWVd3aU9p 
+SnNObkpqU2tKVVMyTXpaSFZ0UVhabVNYTkdUMlJyTm5WNWJIRlFTMFJtYWlJc0lt +aGhibVJzWlNJNkltbHRPbmRwY21WaGNIQTlKVFF3WVd4cFkyVmZkMmx5WlVCM2FY +SmxMbU52YlNJc0luUmxZVzBpT2lKM2FYSmxJbjAucGYwdVZub0JEZmljODlOSjVm +Ni1TbndQc1ZSNXVDZktJOWV3TGJHbEhDdmo2UXR1ZUY4MjMtbndzVkNEazJZbUJH +a3JuZGpielB1Rm5ING9LLW1HQVEiLCJjbGllbnRfaWQiOiJpbTp3aXJlYXBwPUN5 +QnIzTVhOU2F5MkZvMWgtN0RPMkEvYzZkZmIyNjIyNzMwY2ExMUB3aXJlLmNvbSIs +ImFwaV92ZXJzaW9uIjo1LCJzY29wZSI6IndpcmVfY2xpZW50X2lkIn0.ofH7FDey +nOrmLcYSyrwR-vZ2a0tWsweDj1xj9HcC7jg9yFK7iklwbOULNf-EivCsyA4505V4 +eyQrI1QEVMTUDg +``` + +Decoded: + +```json +{ + "alg": "EdDSA", + "jwk": { + "crv": "Ed25519", + "kty": "OKP", + "x": "nFinJ0JGzPCwQ7B3gFUHmgq04_-WFQsR33PolSphq8k" + }, + "typ": "at+jwt" +} +``` + +```json +{ + "api_version": 5, + "aud": "http://wire.com:16059/clients/c6dfb2622730ca11/access-token", + "chal": "l6rcJBTKc3dumAvfIsFOdk6uylqPKDfj", + "client_id": "im:wireapp=CyBr3MXNSay2Fo1h-7DO2A/c6dfb2622730ca11@wire.com", + "cnf": { + "kid": "Qf1LzYfw4SOaaZIdpgzmmKdWIJCNTbuySq4lsczAXDE" + }, + "exp": 1700741923, + "iat": 1700737963, + "iss": "http://wire.com:16059/clients/c6dfb2622730ca11/access-token", + "jti": "dd3ed518-d9d2-4aba-b121-dfc9d9a8f200", + "nbf": 1700737963, + "nonce": "cVR4V1BNSDlUOVoxZktsTmduZDZpb25jeTRSZ3hoMFQ", + "proof": "eyJhbGciOiJFZERTQSIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4IjoiclBsM3hoWEd0VzB3UWROYnE4SGVCcm1VYi1wNDFGMUtVcWlJSlNKMjlZTSJ9fQ.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.pf0uVnoBDfic89NJ5f6-SnwPsVR5uCfKI9ewLbGlHCvj6QtueF823-nwsVCDk2YmBGkrndjbzPuFnH4oK-mGAQ", + "scope": "wire_client_id", + "sub": "im:wireapp=CyBr3MXNSay2Fo1h-7DO2A/c6dfb2622730ca11@wire.com" +} +``` + + +✅ Signature Verified with key: +```text +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIGjqTWmsIXZn3NAkCkF5buQeggrJeVp7g3779P4tFVIr +-----END PRIVATE KEY----- +-----BEGIN PUBLIC KEY----- +MCowBQYDK2VwAyEAnFinJ0JGzPCwQ7B3gFUHmgq04/+WFQsR33PolSphq8k= +-----END PUBLIC KEY----- +``` + +
+ + +### Client provides access token +#### 16. validate Dpop challenge (clientId) +```http request +POST https://stepca:32934/acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/UewEvxrwNNB6rLg7Kp4o32faUQJcatqL + /acme/{acme-provisioner}/challenge/{authz-id}/{challenge-id} +content-type: application/jose+json +``` +```json +{ + "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjMyOTM0L2FjbWUvd2lyZS9hY2NvdW50L0VlNHFUbWRyMmdpV0VmdUhXRGJua3N4akpsOTRrRU90IiwidHlwIjoiSldUIiwibm9uY2UiOiJTMngwU1VnMWIyaHpNMk5oTkhGS1VHdHhUbkJUVWtSMFRFOUtWMk56ZFU0IiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6MzI5MzQvYWNtZS93aXJlL2NoYWxsZW5nZS81bGYwSWNQRzFqTDY5MkJvYnFvS2VNT1F3YlZDWGRlcC9VZXdFdnhyd05OQjZyTGc3S3A0bzMyZmFVUUpjYXRxTCJ9", + "payload": "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", + "signature": "n9fW6-fTjhOTyMZlH5h8s4qsAgp28v6_BjjjrFMDQFFtebWtuxFIW9fMhe6XCsNlpfERK_jzfgOFKIzQZqnxCg" +} +``` +```json +{ + "payload": { + "access_token": "eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Im5GaW5KMEpHelBDd1E3QjNnRlVIbWdxMDRfLVdGUXNSMzNQb2xTcGhxOGsifX0.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.ofH7FDeynOrmLcYSyrwR-vZ2a0tWsweDj1xj9HcC7jg9yFK7iklwbOULNf-EivCsyA4505V4eyQrI1QEVMTUDg" + }, + "protected": { + "alg": "EdDSA", + "kid": "https://stepca:32934/acme/wire/account/Ee4qTmdr2giWEfuHWDbnksxjJl94kEOt", + "nonce": "S2x0SUg1b2hzM2NhNHFKUGtxTnBTUkR0TE9KV2NzdU4", + "typ": "JWT", + "url": "https://stepca:32934/acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/UewEvxrwNNB6rLg7Kp4o32faUQJcatqL" + } +} +``` +#### 17. 
DPoP challenge is valid +```http request +200 +cache-control: no-store +content-type: application/json +link: ;rel="index" +link: ;rel="up" +location: https://stepca:32934/acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/UewEvxrwNNB6rLg7Kp4o32faUQJcatqL +replay-nonce: aHgxamkyYkFySXcxWG1xMDQzYUZYNXRXNGtYb1N1RlY +vary: Origin +``` +```json +{ + "type": "wire-dpop-01", + "url": "https://stepca:32934/acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/UewEvxrwNNB6rLg7Kp4o32faUQJcatqL", + "status": "valid", + "token": "l6rcJBTKc3dumAvfIsFOdk6uylqPKDfj", + "target": "http://wire.com:16059/clients/c6dfb2622730ca11/access-token" +} +``` +### Authenticate end user using OIDC Authorization Code with PKCE flow +#### 18. OAUTH authorization request + +```text +code_verifier=-LZ8KJJ80HN73nKcxVcJ0QebUWiBHlNYeFyowl4EY9Y&code_challenge=rciRN5xC9EULO1-bA0YlRagS3zJHuoe5sxXYKOYyFFQ +``` +#### 19. OAUTH authorization request (auth code endpoint) +```http request +GET http://dex:21146/dex/auth?response_type=code&client_id=wireapp&state=8x8o8eBtyx2AQ2recCgqlw&code_challenge=rciRN5xC9EULO1-bA0YlRagS3zJHuoe5sxXYKOYyFFQ&code_challenge_method=S256&redirect_uri=http%3A%2F%2Fwire.com%3A16059%2Fcallback&scope=openid+profile&nonce=AmtOcwN--xgx7lxRExqGyQ +``` + +#### 20. OAUTH authorization code +#### 21. OAUTH authorization code + +#### 22. OAUTH authorization code + verifier (token endpoint) +```http request +POST http://dex:21146/dex/token +accept: application/json +content-type: application/x-www-form-urlencoded +authorization: Basic d2lyZWFwcDpSazFwTXpSMk5uSmlVRFUyVUVOWk16UlVVamwxYVVJeQ== +``` +```text +grant_type=authorization_code&code=v3hvzrzkr3huqexy6vuvdugla&code_verifier=-LZ8KJJ80HN73nKcxVcJ0QebUWiBHlNYeFyowl4EY9Y&redirect_uri=http%3A%2F%2Fwire.com%3A16059%2Fcallback +``` +#### 23. 
OAUTH access token + +```text +{ + "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjE3YTA5NDlmZmJkYzJkMzFmY2M5ZTIxODY5NTdjMDg4ZDZhODkyZGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjIxMTQ2L2RleCIsInN1YiI6IkNqdHBiVHAzYVhKbFlYQndQVU41UW5JelRWaE9VMkY1TWtadk1XZ3ROMFJQTWtFdll6WmtabUl5TmpJeU56TXdZMkV4TVVCM2FYSmxMbU52YlJJRWJHUmhjQSIsImF1ZCI6IndpcmVhcHAiLCJleHAiOjE3MDA4Mjc5NjMsImlhdCI6MTcwMDc0MTU2Mywibm9uY2UiOiJBbXRPY3dOLS14Z3g3bHhSRXhxR3lRIiwiYXRfaGFzaCI6IkZpV3FMdTFHMklrWjlXa24tNFNCY0EiLCJuYW1lIjoiaW06d2lyZWFwcD0lNDBhbGljZV93aXJlQHdpcmUuY29tIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiQWxpY2UgU21pdGgifQ.OmDYK-HOaf6C74pp4xgOwhdPpbcT5W-rALC12lnzxrMZxjxFUf5qfzMoL4aZn9c6DDqrEA_c3lrlAryZ4fnglFo26VVqcSQa8xaITFgVQkLrwqovDyISeMmO-X76zP3qfy-iESZp84aIeYAKkMn_Fyuirdxj1nvXJlfsv3G4OS4x46UIz_vZV3NHZ9HOBqnOi4-AnZJMD3VQGFlNup8hnWgkaokIoZhFcpgytJKz_w3gFEo1ks84stBYe0bCObYJPlGCyYMGtc_HCGQQG5RcCpeXR5IT8wsLoCSvRkSC6sz6WuDGS2y182bGmbSJIChkANcQDdsNTWSkG8mv3gLB3Q", + "expires_in": 86399, + "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjE3YTA5NDlmZmJkYzJkMzFmY2M5ZTIxODY5NTdjMDg4ZDZhODkyZGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjIxMTQ2L2RleCIsInN1YiI6IkNqdHBiVHAzYVhKbFlYQndQVU41UW5JelRWaE9VMkY1TWtadk1XZ3ROMFJQTWtFdll6WmtabUl5TmpJeU56TXdZMkV4TVVCM2FYSmxMbU52YlJJRWJHUmhjQSIsImF1ZCI6IndpcmVhcHAiLCJleHAiOjE3MDA4Mjc5NjMsImlhdCI6MTcwMDc0MTU2Mywibm9uY2UiOiJBbXRPY3dOLS14Z3g3bHhSRXhxR3lRIiwiYXRfaGFzaCI6IlVsU0JDU01nWGcyTFpOSHdYN2pQQ0EiLCJjX2hhc2giOiJlamJFNXl1ZkhTYk16bnloZjAybWF3IiwibmFtZSI6ImltOndpcmVhcHA9JTQwYWxpY2Vfd2lyZUB3aXJlLmNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6IkFsaWNlIFNtaXRoIn0.VVEZ4O99KKH0AEG27l53eHGbdD2L1ilgVHLlQIojhVxDlZmWXjg41Lj8OTCkK0snFNGyEgev31DfAjZ8JcPWoh2szM1iMdm8rUgaPFvbZ7d7A1RsOhaN7in-BGlvBQuckLXxAnBja45QTNpREyJyiH736ooCnhFET2CtpF5XX4PhKwCp5iwcJyETYG1jLrq2KcQy5K36fGmozBkn5uAsEy2YcaZsun4rfV4MzjoUKrcAb5Ymu1qZ4AyY0_DalO-ndG8Mk1flu31fQyOuar9YAztRMLnKUD_XPv8IDmvsfl35Qt-fM3peI_N9C-CX6jgqAQ8RF1iPOccM0RBPmCQN7Q", + "token_type": "bearer" +} +``` +```text 
+eyJhbGciOiJSUzI1NiIsImtpZCI6IjE3YTA5NDlmZmJkYzJkMzFmY2M5ZTIxODY5NTdjMDg4ZDZhODkyZGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjIxMTQ2L2RleCIsInN1YiI6IkNqdHBiVHAzYVhKbFlYQndQVU41UW5JelRWaE9VMkY1TWtadk1XZ3ROMFJQTWtFdll6WmtabUl5TmpJeU56TXdZMkV4TVVCM2FYSmxMbU52YlJJRWJHUmhjQSIsImF1ZCI6IndpcmVhcHAiLCJleHAiOjE3MDA4Mjc5NjMsImlhdCI6MTcwMDc0MTU2Mywibm9uY2UiOiJBbXRPY3dOLS14Z3g3bHhSRXhxR3lRIiwiYXRfaGFzaCI6IlVsU0JDU01nWGcyTFpOSHdYN2pQQ0EiLCJjX2hhc2giOiJlamJFNXl1ZkhTYk16bnloZjAybWF3IiwibmFtZSI6ImltOndpcmVhcHA9JTQwYWxpY2Vfd2lyZUB3aXJlLmNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6IkFsaWNlIFNtaXRoIn0.VVEZ4O99KKH0AEG27l53eHGbdD2L1ilgVHLlQIojhVxDlZmWXjg41Lj8OTCkK0snFNGyEgev31DfAjZ8JcPWoh2szM1iMdm8rUgaPFvbZ7d7A1RsOhaN7in-BGlvBQuckLXxAnBja45QTNpREyJyiH736ooCnhFET2CtpF5XX4PhKwCp5iwcJyETYG1jLrq2KcQy5K36fGmozBkn5uAsEy2YcaZsun4rfV4MzjoUKrcAb5Ymu1qZ4AyY0_DalO-ndG8Mk1flu31fQyOuar9YAztRMLnKUD_XPv8IDmvsfl35Qt-fM3peI_N9C-CX6jgqAQ8RF1iPOccM0RBPmCQN7Q +``` +#### 24. validate oidc challenge (userId + displayName) + +
+Id token + +See it on [jwt.io](https://jwt.io/#id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjE3YTA5NDlmZmJkYzJkMzFmY2M5ZTIxODY5NTdjMDg4ZDZhODkyZGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjIxMTQ2L2RleCIsInN1YiI6IkNqdHBiVHAzYVhKbFlYQndQVU41UW5JelRWaE9VMkY1TWtadk1XZ3ROMFJQTWtFdll6WmtabUl5TmpJeU56TXdZMkV4TVVCM2FYSmxMbU52YlJJRWJHUmhjQSIsImF1ZCI6IndpcmVhcHAiLCJleHAiOjE3MDA4Mjc5NjMsImlhdCI6MTcwMDc0MTU2Mywibm9uY2UiOiJBbXRPY3dOLS14Z3g3bHhSRXhxR3lRIiwiYXRfaGFzaCI6IlVsU0JDU01nWGcyTFpOSHdYN2pQQ0EiLCJjX2hhc2giOiJlamJFNXl1ZkhTYk16bnloZjAybWF3IiwibmFtZSI6ImltOndpcmVhcHA9JTQwYWxpY2Vfd2lyZUB3aXJlLmNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6IkFsaWNlIFNtaXRoIn0.VVEZ4O99KKH0AEG27l53eHGbdD2L1ilgVHLlQIojhVxDlZmWXjg41Lj8OTCkK0snFNGyEgev31DfAjZ8JcPWoh2szM1iMdm8rUgaPFvbZ7d7A1RsOhaN7in-BGlvBQuckLXxAnBja45QTNpREyJyiH736ooCnhFET2CtpF5XX4PhKwCp5iwcJyETYG1jLrq2KcQy5K36fGmozBkn5uAsEy2YcaZsun4rfV4MzjoUKrcAb5Ymu1qZ4AyY0_DalO-ndG8Mk1flu31fQyOuar9YAztRMLnKUD_XPv8IDmvsfl35Qt-fM3peI_N9C-CX6jgqAQ8RF1iPOccM0RBPmCQN7Q) + +Raw: +```text +eyJhbGciOiJSUzI1NiIsImtpZCI6IjE3YTA5NDlmZmJkYzJkMzFmY2M5ZTIxODY5 +NTdjMDg4ZDZhODkyZGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjIxMTQ2L2RleCIsI +nN1YiI6IkNqdHBiVHAzYVhKbFlYQndQVU41UW5JelRWaE9VMkY1TWtadk1XZ3ROM +FJQTWtFdll6WmtabUl5TmpJeU56TXdZMkV4TVVCM2FYSmxMbU52YlJJRWJHUmhjQ +SIsImF1ZCI6IndpcmVhcHAiLCJleHAiOjE3MDA4Mjc5NjMsImlhdCI6MTcwMDc0M +TU2Mywibm9uY2UiOiJBbXRPY3dOLS14Z3g3bHhSRXhxR3lRIiwiYXRfaGFzaCI6I +lVsU0JDU01nWGcyTFpOSHdYN2pQQ0EiLCJjX2hhc2giOiJlamJFNXl1ZkhTYk16b +nloZjAybWF3IiwibmFtZSI6ImltOndpcmVhcHA9JTQwYWxpY2Vfd2lyZUB3aXJlL +mNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6IkFsaWNlIFNtaXRoIn0.VVEZ4O99K +KH0AEG27l53eHGbdD2L1ilgVHLlQIojhVxDlZmWXjg41Lj8OTCkK0snFNGyEgev3 +1DfAjZ8JcPWoh2szM1iMdm8rUgaPFvbZ7d7A1RsOhaN7in-BGlvBQuckLXxAnBja +45QTNpREyJyiH736ooCnhFET2CtpF5XX4PhKwCp5iwcJyETYG1jLrq2KcQy5K36f +GmozBkn5uAsEy2YcaZsun4rfV4MzjoUKrcAb5Ymu1qZ4AyY0_DalO-ndG8Mk1flu +31fQyOuar9YAztRMLnKUD_XPv8IDmvsfl35Qt-fM3peI_N9C-CX6jgqAQ8RF1iPO +ccM0RBPmCQN7Q +``` + +Decoded: + +```json +{ + "alg": "RS256", + "kid": 
"17a0949ffbdc2d31fcc9e2186957c088d6a892df" +} +``` + +```json +{ + "at_hash": "UlSBCSMgXg2LZNHwX7jPCA", + "aud": "wireapp", + "c_hash": "ejbE5yufHSbMznyhf02maw", + "exp": 1700827963, + "iat": 1700741563, + "iss": "http://dex:21146/dex", + "name": "im:wireapp=%40alice_wire@wire.com", + "nonce": "AmtOcwN--xgx7lxRExqGyQ", + "preferred_username": "Alice Smith", + "sub": "CjtpbTp3aXJlYXBwPUN5QnIzTVhOU2F5MkZvMWgtN0RPMkEvYzZkZmIyNjIyNzMwY2ExMUB3aXJlLmNvbRIEbGRhcA" +} +``` + + +✅ Signature Verified with key: +```text +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwuvj4e4F42bO2/08Yv1p +6B2THgybZJQ7iClYpWDcG6/jUg70j7pHhXW22IkRk+Gu3elAdBtpWYeouhdp4MC+ +HJRDnZkITXR/KIxWZGG1E/Ci8feMO7SyG9d1AUIkvZL2Q4LhBEmLLTTYsAsW4T1y +16j2efev+Z7itnkKMah1q65q6u+mtfn96c8PaHcRYm935HTCGVjEvBjphXbk3fHy +98oFOaPkcH+rGKCr/xC9Oxc2NPicnA4YNeK8bMGTqXo7c+XORk05MzvGCRpfqqfO +yOzN3n8VfNGy0k6vMmaR6/A05BkuQHT37AUjw5Pt6vYnsF9WkAr7HsMDuQp9+m/m +WQIDAQAB +-----END PUBLIC KEY----- +``` + +
+ + +Note: The ACME provisioner is configured with rules for transforming values received in the token into a Wire handle and display name. +```http request +POST https://stepca:32934/acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/HZ6u6ugoePyELHDdwM7YVz272Ph4rWZW + /acme/{acme-provisioner}/challenge/{authz-id}/{challenge-id} +content-type: application/jose+json +``` +```json +{ + "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjMyOTM0L2FjbWUvd2lyZS9hY2NvdW50L0VlNHFUbWRyMmdpV0VmdUhXRGJua3N4akpsOTRrRU90IiwidHlwIjoiSldUIiwibm9uY2UiOiJhSGd4YW1reVlrRnlTWGN4V0cxeE1EUXpZVVpZTlhSWE5HdFliMU4xUmxZIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6MzI5MzQvYWNtZS93aXJlL2NoYWxsZW5nZS81bGYwSWNQRzFqTDY5MkJvYnFvS2VNT1F3YlZDWGRlcC9IWjZ1NnVnb2VQeUVMSERkd003WVZ6MjcyUGg0cldaVyJ9", + "payload": "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", + "signature": "kUdZ48U_tAAOfFC4QJDQcI2rpBvw0Hvu791n5CIJ_otUm7QsIobSQo7UpxVEZb8gYt9ROwNp4sw5PtIumu1PCg" +} +``` +```json +{ + "payload": { + "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjE3YTA5NDlmZmJkYzJkMzFmY2M5ZTIxODY5NTdjMDg4ZDZhODkyZGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjIxMTQ2L2RleCIsInN1YiI6IkNqdHBiVHAzYVhKbFlYQndQVU41UW5JelRWaE9VMkY1TWtadk1XZ3ROMFJQTWtFdll6WmtabUl5TmpJeU56TXdZMkV4TVVCM2FYSmxMbU52YlJJRWJHUmhjQSIsImF1ZCI6IndpcmVhcHAiLCJleHAiOjE3MDA4Mjc5NjMsImlhdCI6MTcwMDc0MTU2Mywibm9uY2UiOiJBbXRPY3dOLS14Z3g3bHhSRXhxR3lRIiwiYXRfaGFzaCI6IlVsU0JDU01nWGcyTFpOSHdYN2pQQ0EiLCJjX2hhc2giOiJlamJFNXl1ZkhTYk16bnloZjAybWF3IiwibmFtZSI6ImltOndpcmVhcHA9JTQwYWxpY2Vfd2lyZUB3aXJlLmNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6IkFsaWNlIFNtaXRoIn0.VVEZ4O99KKH0AEG27l53eHGbdD2L1ilgVHLlQIojhVxDlZmWXjg41Lj8OTCkK0snFNGyEgev31DfAjZ8JcPWoh2szM1iMdm8rUgaPFvbZ7d7A1RsOhaN7in-BGlvBQuckLXxAnBja45QTNpREyJyiH736ooCnhFET2CtpF5XX4PhKwCp5iwcJyETYG1jLrq2KcQy5K36fGmozBkn5uAsEy2YcaZsun4rfV4MzjoUKrcAb5Ymu1qZ4AyY0_DalO-ndG8Mk1flu31fQyOuar9YAztRMLnKUD_XPv8IDmvsfl35Qt-fM3peI_N9C-CX6jgqAQ8RF1iPOccM0RBPmCQN7Q", + "keyauth": 
"l6rcJBTKc3dumAvfIsFOdk6uylqPKDfj.Qf1LzYfw4SOaaZIdpgzmmKdWIJCNTbuySq4lsczAXDE" + }, + "protected": { + "alg": "EdDSA", + "kid": "https://stepca:32934/acme/wire/account/Ee4qTmdr2giWEfuHWDbnksxjJl94kEOt", + "nonce": "aHgxamkyYkFySXcxWG1xMDQzYUZYNXRXNGtYb1N1RlY", + "typ": "JWT", + "url": "https://stepca:32934/acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/HZ6u6ugoePyELHDdwM7YVz272Ph4rWZW" + } +} +``` +#### 25. OIDC challenge is valid +```http request +200 +cache-control: no-store +content-type: application/json +link: ;rel="index" +link: ;rel="up" +location: https://stepca:32934/acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/HZ6u6ugoePyELHDdwM7YVz272Ph4rWZW +replay-nonce: WHZPZThnTVZPRHUxVGRMQTBoOTJsamNsWFpGZUc0N3E +vary: Origin +``` +```json +{ + "type": "wire-oidc-01", + "url": "https://stepca:32934/acme/wire/challenge/5lf0IcPG1jL692BobqoKeMOQwbVCXdep/HZ6u6ugoePyELHDdwM7YVz272Ph4rWZW", + "status": "valid", + "token": "l6rcJBTKc3dumAvfIsFOdk6uylqPKDfj", + "target": "http://dex:21146/dex" +} +``` +### Client presents a CSR and gets its certificate +#### 26. 
verify the status of the order +```http request +POST https://stepca:32934/acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP + /acme/{acme-provisioner}/order/{order-id} +content-type: application/jose+json +``` +```json +{ + "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjMyOTM0L2FjbWUvd2lyZS9hY2NvdW50L0VlNHFUbWRyMmdpV0VmdUhXRGJua3N4akpsOTRrRU90IiwidHlwIjoiSldUIiwibm9uY2UiOiJXSFpQWlRoblRWWlBSSFV4VkdSTVFUQm9PVEpzYW1Oc1dGcEdaVWMwTjNFIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6MzI5MzQvYWNtZS93aXJlL29yZGVyL1d5UmxyWVhhelBkM3pkMWJnMHQ4SFZ3VjBoZVE1dG9QIn0", + "payload": "", + "signature": "Dza2oPg4iZ6xGAJwlMPTrrfI94RmrBuxwD9GzcBGnPSMm8MWM6_Yorfdk4tGwYtmZr2pNdva_xtNS3Y7kUpqDw" +} +``` +```json +{ + "payload": {}, + "protected": { + "alg": "EdDSA", + "kid": "https://stepca:32934/acme/wire/account/Ee4qTmdr2giWEfuHWDbnksxjJl94kEOt", + "nonce": "WHZPZThnTVZPRHUxVGRMQTBoOTJsamNsWFpGZUc0N3E", + "typ": "JWT", + "url": "https://stepca:32934/acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP" + } +} +``` +#### 27. loop (with exponential backoff) until order is ready +```http request +200 +cache-control: no-store +content-type: application/json +link: ;rel="index" +location: https://stepca:32934/acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP +replay-nonce: M0lYMENUd01PNGN4OUxEVDhLbFNYZVU5VldENmJVVkw +vary: Origin +``` +```json +{ + "status": "ready", + "finalize": "https://stepca:32934/acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP/finalize", + "identifiers": [ + { + "type": "wireapp-id", + "value": "{\"name\":\"Alice Smith\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=CyBr3MXNSay2Fo1h-7DO2A/c6dfb2622730ca11@wire.com\",\"handle\":\"im:wireapp=%40alice_wire@wire.com\"}" + } + ], + "authorizations": [ + "https://stepca:32934/acme/wire/authz/5lf0IcPG1jL692BobqoKeMOQwbVCXdep" + ], + "expires": "2023-11-24T12:12:43Z", + "notBefore": "2023-11-23T12:12:43.68795Z", + "notAfter": "2033-11-20T12:12:43.68795Z" +} +``` +#### 28. 
create a CSR and call finalize url +```http request +POST https://stepca:32934/acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP/finalize + /acme/{acme-provisioner}/order/{order-id}/finalize +content-type: application/jose+json +``` +```json +{ + "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjMyOTM0L2FjbWUvd2lyZS9hY2NvdW50L0VlNHFUbWRyMmdpV0VmdUhXRGJua3N4akpsOTRrRU90IiwidHlwIjoiSldUIiwibm9uY2UiOiJNMGxZTUVOVWQwMVBOR040T1V4RVZEaExiRk5ZWlZVNVZsZEVObUpWVmt3IiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6MzI5MzQvYWNtZS93aXJlL29yZGVyL1d5UmxyWVhhelBkM3pkMWJnMHQ4SFZ3VjBoZVE1dG9QL2ZpbmFsaXplIn0", + "payload": "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", + "signature": "DJ3mZYxCujijqdxN-FWGbJGQ6oJfBabiYlYVSkaNEEkKcLii8UTHX3e0pOpMtmX7k91TYotes29JFwLHHOhXAQ" +} +``` +```json +{ + "payload": { + "csr": "MIIBLTCB4AIBADAxMREwDwYDVQQKDAh3aXJlLmNvbTEcMBoGC2CGSAGG-EIDAYFxDAtBbGljZSBTbWl0aDAqMAUGAytlcAMhAKz5d8YVxrVtMEHTW6vB3ga5lG_qeNRdSlKoiCUidvWDoHwwegYJKoZIhvcNAQkOMW0wazBpBgNVHREEYjBghjtpbTp3aXJlYXBwPUN5QnIzTVhOU2F5MkZvMWgtN0RPMkEvYzZkZmIyNjIyNzMwY2ExMUB3aXJlLmNvbYYhaW06d2lyZWFwcD0lNDBhbGljZV93aXJlQHdpcmUuY29tMAUGAytlcANBAIHbSJNiaaWZOs947dljzlFc2-_JqWZHWPKN33CV39MInM17VpD-GIMLln8mX9pB0Qx2u8O3ZNxQ4R2FNt_piQU" + }, + "protected": { + "alg": "EdDSA", + "kid": "https://stepca:32934/acme/wire/account/Ee4qTmdr2giWEfuHWDbnksxjJl94kEOt", + "nonce": "M0lYMENUd01PNGN4OUxEVDhLbFNYZVU5VldENmJVVkw", + "typ": "JWT", + "url": "https://stepca:32934/acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP/finalize" + } +} +``` +###### CSR: +openssl -verify ✅ +``` +-----BEGIN CERTIFICATE REQUEST----- +MIIBLTCB4AIBADAxMREwDwYDVQQKDAh3aXJlLmNvbTEcMBoGC2CGSAGG+EIDAYFx +DAtBbGljZSBTbWl0aDAqMAUGAytlcAMhAKz5d8YVxrVtMEHTW6vB3ga5lG/qeNRd +SlKoiCUidvWDoHwwegYJKoZIhvcNAQkOMW0wazBpBgNVHREEYjBghjtpbTp3aXJl +YXBwPUN5QnIzTVhOU2F5MkZvMWgtN0RPMkEvYzZkZmIyNjIyNzMwY2ExMUB3aXJl +LmNvbYYhaW06d2lyZWFwcD0lNDBhbGljZV93aXJlQHdpcmUuY29tMAUGAytlcANB +AIHbSJNiaaWZOs947dljzlFc2+/JqWZHWPKN33CV39MInM17VpD+GIMLln8mX9pB 
+0Qx2u8O3ZNxQ4R2FNt/piQU= +-----END CERTIFICATE REQUEST----- + +``` +``` +Certificate Request: + Data: + Version: 1 (0x0) + Subject: O = wire.com, 2.16.840.1.113730.3.1.241 = Alice Smith + Subject Public Key Info: + Public Key Algorithm: ED25519 + ED25519 Public-Key: + pub: + ac:f9:77:c6:15:c6:b5:6d:30:41:d3:5b:ab:c1:de: + 06:b9:94:6f:ea:78:d4:5d:4a:52:a8:88:25:22:76: + f5:83 + Attributes: + Requested Extensions: + X509v3 Subject Alternative Name: + URI:im:wireapp=CyBr3MXNSay2Fo1h-7DO2A/c6dfb2622730ca11@wire.com, URI:im:wireapp=%40alice_wire@wire.com + Signature Algorithm: ED25519 + Signature Value: + 81:db:48:93:62:69:a5:99:3a:cf:78:ed:d9:63:ce:51:5c:db: + ef:c9:a9:66:47:58:f2:8d:df:70:95:df:d3:08:9c:cd:7b:56: + 90:fe:18:83:0b:96:7f:26:5f:da:41:d1:0c:76:bb:c3:b7:64: + dc:50:e1:1d:85:36:df:e9:89:05 + +``` + +#### 29. get back a url for fetching the certificate +```http request +200 +cache-control: no-store +content-type: application/json +link: ;rel="index" +location: https://stepca:32934/acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP +replay-nonce: ZWFXNExXbnpSbFNqRkV6Z2ZpaXpTSXBBRUUzWFlRZXQ +vary: Origin +``` +```json +{ + "certificate": "https://stepca:32934/acme/wire/certificate/0Czk0z4oZJFtJ9lwDLoYPGUevr5OL4Ga", + "status": "valid", + "finalize": "https://stepca:32934/acme/wire/order/WyRlrYXazPd3zd1bg0t8HVwV0heQ5toP/finalize", + "identifiers": [ + { + "type": "wireapp-id", + "value": "{\"name\":\"Alice Smith\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=CyBr3MXNSay2Fo1h-7DO2A/c6dfb2622730ca11@wire.com\",\"handle\":\"im:wireapp=%40alice_wire@wire.com\"}" + } + ], + "authorizations": [ + "https://stepca:32934/acme/wire/authz/5lf0IcPG1jL692BobqoKeMOQwbVCXdep" + ], + "expires": "2023-11-24T12:12:43Z", + "notBefore": "2023-11-23T12:12:43.68795Z", + "notAfter": "2033-11-20T12:12:43.68795Z" +} +``` +#### 30. 
fetch the certificate +```http request +POST https://stepca:32934/acme/wire/certificate/0Czk0z4oZJFtJ9lwDLoYPGUevr5OL4Ga + /acme/{acme-provisioner}/certificate/{certificate-id} +content-type: application/jose+json +``` +```json +{ + "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjMyOTM0L2FjbWUvd2lyZS9hY2NvdW50L0VlNHFUbWRyMmdpV0VmdUhXRGJua3N4akpsOTRrRU90IiwidHlwIjoiSldUIiwibm9uY2UiOiJaV0ZYTkV4WGJucFNiRk5xUmtWNloyWnBhWHBUU1hCQlJVVXpXRmxSWlhRIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6MzI5MzQvYWNtZS93aXJlL2NlcnRpZmljYXRlLzBDemswejRvWkpGdEo5bHdETG9ZUEdVZXZyNU9MNEdhIn0", + "payload": "", + "signature": "aIy9JEy_jAy6fEF_PJGI36624VEFtL_mDjdmwPV5901TiE_2qKs9ScUbgzeW1Kaca_JqWZ27ewF27PaLitl3DQ" +} +``` +```json +{ + "payload": {}, + "protected": { + "alg": "EdDSA", + "kid": "https://stepca:32934/acme/wire/account/Ee4qTmdr2giWEfuHWDbnksxjJl94kEOt", + "nonce": "ZWFXNExXbnpSbFNqRkV6Z2ZpaXpTSXBBRUUzWFlRZXQ", + "typ": "JWT", + "url": "https://stepca:32934/acme/wire/certificate/0Czk0z4oZJFtJ9lwDLoYPGUevr5OL4Ga" + } +} +``` +#### 31. 
get the certificate chain +```http request +200 +cache-control: no-store +content-type: application/pem-certificate-chain +link: ;rel="index" +replay-nonce: emIwdzdsY0UzSUVtY1FTTmZUcGlNVmRQWGJUSVhTZVo +vary: Origin +``` +```json +"-----BEGIN CERTIFICATE-----\nMIICGTCCAb+gAwIBAgIQOmpDwme2Bdxn8dzhPkhuxzAKBggqhkjOPQQDAjAuMQ0w\nCwYDVQQKEwR3aXJlMR0wGwYDVQQDExR3aXJlIEludGVybWVkaWF0ZSBDQTAeFw0y\nMzExMjMxMjEyNDNaFw0zMzExMjAxMjEyNDNaMCkxETAPBgNVBAoTCHdpcmUuY29t\nMRQwEgYDVQQDEwtBbGljZSBTbWl0aDAqMAUGAytlcAMhAKz5d8YVxrVtMEHTW6vB\n3ga5lG/qeNRdSlKoiCUidvWDo4HyMIHvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUE\nDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUV4MejVdjk4TK0WrreJKv7QvGAeowHwYD\nVR0jBBgwFoAUBIckJTZIjsr6631WUFUdGBf7vlswaQYDVR0RBGIwYIYhaW06d2ly\nZWFwcD0lNDBhbGljZV93aXJlQHdpcmUuY29thjtpbTp3aXJlYXBwPUN5QnIzTVhO\nU2F5MkZvMWgtN0RPMkEvYzZkZmIyNjIyNzMwY2ExMUB3aXJlLmNvbTAdBgwrBgEE\nAYKkZMYoQAEEDTALAgEGBAR3aXJlBAAwCgYIKoZIzj0EAwIDSAAwRQIhAJ02lCXG\ncO5tJFIGQh7Q6BeNm/rLqsojqm+SeGH9Om4hAiAXcp6NC7c8HhuKCTyWCbhlrBg2\nSQD+waZLAiMHi8S3mg==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIBuDCCAV6gAwIBAgIQaAePfewj2VUvMCz+GSJ25jAKBggqhkjOPQQDAjAmMQ0w\nCwYDVQQKEwR3aXJlMRUwEwYDVQQDEwx3aXJlIFJvb3QgQ0EwHhcNMjMxMTIzMTIx\nMjQyWhcNMzMxMTIwMTIxMjQyWjAuMQ0wCwYDVQQKEwR3aXJlMR0wGwYDVQQDExR3\naXJlIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDv9\naFocZMJpPtD6WoY9BAQI5OLgmG5LeXX/XE09c+OCC50v/RKMtZ77RycSy1A28J9b\nD9TMolmSLZ8Q2MH0giijZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG\nAQH/AgEAMB0GA1UdDgQWBBQEhyQlNkiOyvrrfVZQVR0YF/u+WzAfBgNVHSMEGDAW\ngBTw5ZIMU5SWhAAnFz9p/RiW7u+PjzAKBggqhkjOPQQDAgNIADBFAiEA0mM1cuUQ\nM0eJY7w1TtaGi0gRFLhd0ge0/SnOHJE50m0CIDF2dWNJZ9jIp7K/iKikeXMGWRWz\nSDbb1lzNmHSA6exC\n-----END CERTIFICATE-----\n" +``` +###### Certificate #1 +openssl -verify ✅ +``` +-----BEGIN CERTIFICATE----- +MIICGTCCAb+gAwIBAgIQOmpDwme2Bdxn8dzhPkhuxzAKBggqhkjOPQQDAjAuMQ0w +CwYDVQQKEwR3aXJlMR0wGwYDVQQDExR3aXJlIEludGVybWVkaWF0ZSBDQTAeFw0y +MzExMjMxMjEyNDNaFw0zMzExMjAxMjEyNDNaMCkxETAPBgNVBAoTCHdpcmUuY29t 
+MRQwEgYDVQQDEwtBbGljZSBTbWl0aDAqMAUGAytlcAMhAKz5d8YVxrVtMEHTW6vB +3ga5lG/qeNRdSlKoiCUidvWDo4HyMIHvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUE +DDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUV4MejVdjk4TK0WrreJKv7QvGAeowHwYD +VR0jBBgwFoAUBIckJTZIjsr6631WUFUdGBf7vlswaQYDVR0RBGIwYIYhaW06d2ly +ZWFwcD0lNDBhbGljZV93aXJlQHdpcmUuY29thjtpbTp3aXJlYXBwPUN5QnIzTVhO +U2F5MkZvMWgtN0RPMkEvYzZkZmIyNjIyNzMwY2ExMUB3aXJlLmNvbTAdBgwrBgEE +AYKkZMYoQAEEDTALAgEGBAR3aXJlBAAwCgYIKoZIzj0EAwIDSAAwRQIhAJ02lCXG +cO5tJFIGQh7Q6BeNm/rLqsojqm+SeGH9Om4hAiAXcp6NC7c8HhuKCTyWCbhlrBg2 +SQD+waZLAiMHi8S3mg== +-----END CERTIFICATE----- + +``` +``` +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3a:6a:43:c2:67:b6:05:dc:67:f1:dc:e1:3e:48:6e:c7 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: O = wire, CN = wire Intermediate CA + Validity + Not Before: Nov 23 12:12:43 2023 GMT + Not After : Nov 20 12:12:43 2033 GMT + Subject: O = wire.com, CN = Alice Smith + Subject Public Key Info: + Public Key Algorithm: ED25519 + ED25519 Public-Key: + pub: + ac:f9:77:c6:15:c6:b5:6d:30:41:d3:5b:ab:c1:de: + 06:b9:94:6f:ea:78:d4:5d:4a:52:a8:88:25:22:76: + f5:83 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature + X509v3 Extended Key Usage: + TLS Web Client Authentication + X509v3 Subject Key Identifier: + 57:83:1E:8D:57:63:93:84:CA:D1:6A:EB:78:92:AF:ED:0B:C6:01:EA + X509v3 Authority Key Identifier: + 04:87:24:25:36:48:8E:CA:FA:EB:7D:56:50:55:1D:18:17:FB:BE:5B + X509v3 Subject Alternative Name: + URI:im:wireapp=%40alice_wire@wire.com, URI:im:wireapp=CyBr3MXNSay2Fo1h-7DO2A/c6dfb2622730ca11@wire.com + 1.3.6.1.4.1.37476.9000.64.1: + 0......wire.. 
+ Signature Algorithm: ecdsa-with-SHA256 + Signature Value: + 30:45:02:21:00:9d:36:94:25:c6:70:ee:6d:24:52:06:42:1e: + d0:e8:17:8d:9b:fa:cb:aa:ca:23:aa:6f:92:78:61:fd:3a:6e: + 21:02:20:17:72:9e:8d:0b:b7:3c:1e:1b:8a:09:3c:96:09:b8: + 65:ac:18:36:49:00:fe:c1:a6:4b:02:23:07:8b:c4:b7:9a + +``` + +###### Certificate #2 +openssl -verify ✅ +``` +-----BEGIN CERTIFICATE----- +MIIBuDCCAV6gAwIBAgIQaAePfewj2VUvMCz+GSJ25jAKBggqhkjOPQQDAjAmMQ0w +CwYDVQQKEwR3aXJlMRUwEwYDVQQDEwx3aXJlIFJvb3QgQ0EwHhcNMjMxMTIzMTIx +MjQyWhcNMzMxMTIwMTIxMjQyWjAuMQ0wCwYDVQQKEwR3aXJlMR0wGwYDVQQDExR3 +aXJlIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDv9 +aFocZMJpPtD6WoY9BAQI5OLgmG5LeXX/XE09c+OCC50v/RKMtZ77RycSy1A28J9b +D9TMolmSLZ8Q2MH0giijZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG +AQH/AgEAMB0GA1UdDgQWBBQEhyQlNkiOyvrrfVZQVR0YF/u+WzAfBgNVHSMEGDAW +gBTw5ZIMU5SWhAAnFz9p/RiW7u+PjzAKBggqhkjOPQQDAgNIADBFAiEA0mM1cuUQ +M0eJY7w1TtaGi0gRFLhd0ge0/SnOHJE50m0CIDF2dWNJZ9jIp7K/iKikeXMGWRWz +SDbb1lzNmHSA6exC +-----END CERTIFICATE----- + +``` +``` +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 68:07:8f:7d:ec:23:d9:55:2f:30:2c:fe:19:22:76:e6 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: O = wire, CN = wire Root CA + Validity + Not Before: Nov 23 12:12:42 2023 GMT + Not After : Nov 20 12:12:42 2033 GMT + Subject: O = wire, CN = wire Intermediate CA + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:3b:fd:68:5a:1c:64:c2:69:3e:d0:fa:5a:86:3d: + 04:04:08:e4:e2:e0:98:6e:4b:79:75:ff:5c:4d:3d: + 73:e3:82:0b:9d:2f:fd:12:8c:b5:9e:fb:47:27:12: + cb:50:36:f0:9f:5b:0f:d4:cc:a2:59:92:2d:9f:10: + d8:c1:f4:82:28 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Subject Key Identifier: + 04:87:24:25:36:48:8E:CA:FA:EB:7D:56:50:55:1D:18:17:FB:BE:5B + X509v3 Authority Key Identifier: + 
F0:E5:92:0C:53:94:96:84:00:27:17:3F:69:FD:18:96:EE:EF:8F:8F
+ Signature Algorithm: ecdsa-with-SHA256
+ Signature Value:
+ 30:45:02:21:00:d2:63:35:72:e5:10:33:47:89:63:bc:35:4e:
+ d6:86:8b:48:11:14:b8:5d:d2:07:b4:fd:29:ce:1c:91:39:d2:
+ 6d:02:20:31:76:75:63:49:67:d8:c8:a7:b2:bf:88:a8:a4:79:
+ 73:06:59:15:b3:48:36:db:d6:5c:cd:98:74:80:e9:ec:42
+
+```
diff --git a/e2e-identity/tests/api.rs b/e2e-identity/tests/api.rs
index b8ad81e9..c4eddc3a 100644
--- a/e2e-identity/tests/api.rs
+++ b/e2e-identity/tests/api.rs
@@ -20,7 +20,7 @@ fn e2e_api() {
 let qualified_client_id = format!("{user_id}:{device_id}@{domain}");
 let display_name = "Alice Smith";
- let handle = Handle::from("alice_wire").to_qualified(domain);
+ let qualified_handle = Handle::from("alice_wire").to_qualified(domain);
 let team = "wire";
 // GET http://acme-server/directory
@@ -73,7 +73,7 @@ fn e2e_api() {
 .acme_new_order_request(
 display_name,
 &qualified_client_id,
- handle.as_str(),
+ qualified_handle.as_str(),
 expiry,
 &directory,
 &account,
@@ -155,6 +155,7 @@ fn e2e_api() {
 // POST http://wire-server/client-dpop-token
 let access_token = {
 let expiry = Duration::from_days(1).into();
+ let handle = Handle::try_from(qualified_handle.clone()).unwrap();
 let client_dpop_token = enrollment
 .new_dpop_token(
 &qualified_client_id.clone(),
@@ -175,7 +176,7 @@ fn e2e_api() {
 let access_token = RustyJwtTools::generate_access_token(
 client_dpop_token.as_str(),
 &alice,
- handle.into(),
+ qualified_handle.into(),
 team.into(),
 backend_nonce,
 htu,
diff --git a/e2e-identity/tests/e2e.rs b/e2e-identity/tests/e2e.rs
index 38b07c03..dad7f925 100644
--- a/e2e-identity/tests/e2e.rs
+++ b/e2e-identity/tests/e2e.rs
@@ -27,7 +27,7 @@ fn docker() -> &'static Cli {
 #[tokio::test]
 async fn demo_should_succeed() {
 let test = E2eTest::new_demo().start(docker()).await;
- assert!(test.nominal_enrollment().await.is_ok());
+ test.nominal_enrollment().await.unwrap();
 }
 /// Tests the nominal case and prints the pretty output with the mermaid chart in this crate README.
diff --git a/e2e-identity/tests/utils/cfg.rs b/e2e-identity/tests/utils/cfg.rs
index df3317a2..06c0e6fe 100644
--- a/e2e-identity/tests/utils/cfg.rs
+++ b/e2e-identity/tests/utils/cfg.rs
@@ -101,6 +101,7 @@ impl<'a> E2eTest<'a> {
 let wire_client_id = random::();
 let sub = ClientId::try_new(wire_user_id.to_string(), wire_client_id, &domain).unwrap();
 let (handle, team, password) = ("alice_wire", "wire", "foo");
+ let qualified_handle = Handle::from(handle).to_qualified(&domain);
 let email = format!("alicesmith@{domain}");
 let audience = "wireapp";
 let client_secret = rand_base64_str(24);
@@ -157,7 +158,7 @@ impl<'a> E2eTest<'a> {
 ldap_cfg: LdapCfg {
 host: ldap_host.to_string(),
 display_name: display_name.to_string(),
- handle: format!("{}%40{handle}@{domain}", ClientId::URI_PREFIX),
+ handle: qualified_handle.to_string(),
 email,
 password: password.to_string(),
 domain: domain.to_string(),
diff --git a/e2e-identity/tests/utils/display.rs b/e2e-identity/tests/utils/display.rs
index 77cc0e25..b69091c9 100644
--- a/e2e-identity/tests/utils/display.rs
+++ b/e2e-identity/tests/utils/display.rs
@@ -256,7 +256,11 @@ impl Event { Self::Step { number, title } => println!("{number}. {title}"), Self::Chapter { comment } => println!("----- {comment} -----\n"), Self::Token { label, token, .. } => println!("{label}: https://jwt.io/#id_token={token}\n"), - Self::Certificate { label, cert } => println!("{label}:\n{cert}\n"), + Self::Certificate { label, cert } => { + let (pretty, verify) = self.cert_pretty(); + // println!("{label}:\n{cert}\n") + println!("{label}\n{verify}\n```\n{cert}\n```\n```\n{pretty}\n```\n") + } Self::Csr { label, cert } => println!("{label}:\n{cert}\n"), Self::Request { req: Some(req), .. } => println!("=> {req:?}\n"), Self::Response { resp: Some(resp), .. } => println!("<= {resp:?}"), @@ -340,7 +344,7 @@ Decoded: } Self::Certificate { label, cert } => { let (pretty, verify) = self.cert_pretty(); - format!("###### {label}\n{verify}\n```\n{cert}\n```\n```\n{pretty}\n```\n",) + format!("###### {label}\n{verify}\n```\n{cert}\n```\n```\n{pretty}\n```\n") } Self::Csr { label, cert } => { let (pretty, verify) = self.cert_pretty(); diff --git a/jwt/src/model/handle.rs b/jwt/src/model/handle.rs index 1e5a7825..acf952aa 100644 --- a/jwt/src/model/handle.rs +++ b/jwt/src/model/handle.rs @@ -14,11 +14,17 @@ impl Handle { } } -impl From for Handle { - fn from(qh: QualifiedHandle) -> Self { - qh.trim_start_matches(ClientId::URI_PREFIX) - .trim_start_matches(Self::PREFIX) - .into() +impl TryFrom for Handle { + type Error = RustyJwtError; + + fn try_from(qh: QualifiedHandle) -> RustyJwtResult { + let trimmed = qh + .trim_start_matches(ClientId::URI_PREFIX) + .trim_start_matches(Self::PREFIX); + let Some((handle, _)) = trimmed.rsplit_once('@') else { + return Err(RustyJwtError::InvalidHandle); + }; + Ok(handle.into()) } } 
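Review bot: The new `Certificate` arm of the `println!` match keeps a commented-out copy of the line it replaces, `// println!("{label}:\n{cert}\n")`; the old form is already recorded by the diff, so the comment is dead code and should be dropped. The `Csr` arm directly below still prints the raw `{label}:\n{cert}\n`, whereas the second hunk (`@@ -340`) gives the CSR the `cert_pretty()` rendering, so a CSR is now shown differently by the two paths; if that is not intended, the `Csr` arm could mirror the new `Certificate` arm. The enclosing `match` and method start and end outside the hunk.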
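Review bot: `try_from` in the new `TryFrom<QualifiedHandle> for Handle` accepts an empty handle: for an input shaped like `im:wireapp=%40@wire.com` the two `trim_start_matches` calls leave `@wire.com`, `rsplit_once('@')` yields `("", "wire.com")`, and the function returns `Ok("".into())`, with the domain half discarded unchecked. `trim_start_matches` also strips a repeated prefix and never fails when the prefix is absent, so unless `QualifiedHandle`'s own `TryFrom<String>` (not visible here) already enforces the exact `im:wireapp=%40<handle>@<domain>` shape, this parser is looser than the `strip_prefix(...).ok_or(...)` chain the same commit removes from `try_extract_san` in acme. Since these values are read back out of certificate SANs, I would make the parse strict, using `strip_prefix` for both prefixes and rejecting an empty handle or domain, as below.
```rust
    fn try_from(qh: QualifiedHandle) -> RustyJwtResult<Self> {
        // Require exactly one URI prefix followed by exactly one handle prefix;
        // anything else is not a handle and must not be silently accepted.
        let trimmed = qh
            .strip_prefix(ClientId::URI_PREFIX)
            .and_then(|s| s.strip_prefix(Self::PREFIX))
            .ok_or(RustyJwtError::InvalidHandle)?;
        let Some((handle, domain)) = trimmed.rsplit_once('@') else {
            return Err(RustyJwtError::InvalidHandle);
        };
        // Both halves must be present: "@wire.com" and "alice@" are not valid.
        if handle.is_empty() || domain.is_empty() {
            return Err(RustyJwtError::InvalidHandle);
        }
        Ok(handle.into())
    }
```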
@@ -61,6 +67,13 @@ impl TryFrom for QualifiedHandle {
 }
 }
 }
+impl TryFrom<&str> for QualifiedHandle {
+ type Error = RustyJwtError;
+
+ fn try_from(s: &str) -> RustyJwtResult {
+ s.to_string().try_into()
+ }
+}
 #[cfg(test)]
 impl Default for QualifiedHandle {
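Review bot: The new `TryFrom<&str> for QualifiedHandle` impl has no doc comment, and because it only forwards to the owned-string impl whose closing braces form the hunk's leading context (presumably `TryFrom<String>`; the generic parameter is stripped in this rendering), a reader has to chase that impl to learn what is validated. A one-liner above the impl, `/// Same validation as the owned-string impl; all format checks live there so the two cannot drift.`, makes the delegation explicit and tells future editors where to put new checks. If the rendering is faithful there is also no blank line between the impl's closing `}` and the following `#[cfg(test)]`, which `rustfmt` will not add for you.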