The initial version of Cherrytwist platform used centralized groups for managing roles, which then determined what access and actions could be carried out.
All roles at the moment are global roles, which means that a user either has the role or not. There is no notion of a user having a particular role within a given context e.g. Challenge Admin. This will be needed for any production version of the platform with many Challenges.
The medium term goal is to move to using full SSI with Verified Credentials. However as an intermediate step the platform is moving to using simple Credentials, so not cryptographically secure. This works as the platform is still centralized but it is important to switch already to Credential based authorization now so that the path to using decentralized authorisation is clear moving forward.
The terminology in this section borrows heavily from the CBAS material detailed out below. This is to both learn from the experience within the wider SSI field, as well as to make the subsequent move to using Verified Credentials easier.
Terms:
Phrasing it differently: The resource to which a given actor is being granted a privilege is identified as the subject
in the grant call.
Note: For now the Subject is implicit in Cherrytwist by virtue of the Credential being held by a User. For Verified Credentials this needs to be part of the cyrptographically secured credential.
Now:
Note by context aware authorization is meant that the authorization can check the actual instance of a particular entity e.g. challenge-7 vs Challenge, neil-smyth vs User.
Later:
Add support for Credentials being held by Users:
Note: the implementation of Credentials is generic, and not tied to Authorization i.e. other Credential types could easily also be stored in the same mechanism.
Expand Authorization to use AuthorizationCredentials
Authorization definitions and assignment:
global-admin
: able to assign global-community-admin
&& global-challenge-admin
credentials; able to do everything.global-registered
: for if we allow other types of access laterglobal-community-admin
: albl to create users, groups; able to assign users to groups, update organisationsglobal-challenge-admin
: able to add create Ecoverse's / challenges / opportunitiesFunctionality updates:
global-registered
Extend functionality to support the issuing and usage of context credentials i.e. a credential that is tied to a particular resource(s).
Distinguish between the granting of a Credential, and validating
Specifies the resource to which access is being delegated.
Validating is the action checking whether a particular action is authorized. It has the following parts:
The key design elements are:
Key is that the rules are fairly static, and they are assigned to an entity at the time that it is created. A worked example:
A sample authorization rules:
cerdentialRules: [
{
type: ecoverse-admin,
resourceID: '1234',
authorizations: ['read', 'update'],
},
{
type: global-admin,
resourceID: '',
authorizations: ['create', 'read', 'update', 'delete'],
}
]
The following context credentials are initially supported:
The key change is that all guard based authorization logic will be replaced by calls within the Services.
It is likely that there will need to be additional flexibility later regarding the authorization rules that are supported by the platform. The rules introduced in phase 2 are fairly rigid and custom - so later would like to move to leverage a claims authorisation package.
One such candidate is CASL, which is also supported by NestJS.
The CBAS component will allow the developer to easily create and consume Verifiable Credentials granting authority to perform specific actions on resources (guided by grant and delegation rules described in a corresponding Trust Framework document). The CBAS component will allow developers to specify if the permissions they issue can be delegated further, as well as specify additional constraint objects which will be evaluated when the capability is verified.
Please note that while the functionality supported by CBAS is not intended to change, the described API is provisional, and might be modified as development furthers and based on new learnings (both from the attempted use cases, as well as from communication with partners).
The following subsections describe the functions exposed by the CBAS module, detailing the expected inputs / outputs, and dependencies (in terms of other ESSIF Lab functional components, or other specifications)
Given a resource trust framework document, CBAS offers an API to enable developers to create Verifiable Credentials delegating authority / permissions:
Inputs:
rules
.Output:
did:example:alice
the authorization to "read", "write" the described resource.This credential can be presented when accessing the protected resource, as well as used as a base for further attenuated authorization delegations.
This method requires a createVC
implementation to be configured on the cbas
instance.
A CBAS instance configured with a governance framework document can be used to verify capabilities and return associated privileges as follows:
Inputs:
rules
defined in the governance framework document.In case the verification succeeded, a JSON object containing the following properties is returned:
rules
(defined in the governance framework document) passed validationIf the evaluation result lists the required privilege, access to the resource
described in the capability can be granted.
Evaluating constraints is currently delegated to the application developer.
This method requires a verifyVC
implementation to be configured on the cbas
instance.
When a capability needs to be used in a request, a signed Verifiable Presentation of the corresponding Verifiable Credential must be created. This can be achieved as follows:
Returns a signed Verifiable Presentation in JSON form. The invocation can be included with the request in various ways depending on the use case (e.g. via HTTP signatures, or via a DIDComm based protocol).
This method requires a createVP
and createVC
implementation to be configured on the cbas
instance.
A CBAS instance configured with a governance framework document can be used to verify capability invocations and return associated privileges. This function delegates to evaluateCapability
after performing the required validation on the Verifiable Presentation.
The return value is the same as when calling cbas.evaluateCapability
.
This method requires a verifyVC
and verifyVP
implementation to be configured on the cbas
instance.
Given a capability, the CBAS module allows the developers to further delegate the associated authorizations to other agents. Additional constraints can be added during the delegation process.
The inputs are:
parentCapability
must include the authorization
to delegate
.Output:
did:example:bob
the authorization to "read" and "write" from / to the described resource location. The returned credential references the capability from which it was derived via the delegationProofSection
, as described in the [data model] section.===============================================
In order to define the authorization policies relevant for the CBAS component, a collection of authorization rules describing the various privileges (as well as rules associated with granting and delegating them) is required / defined. The document is expected to list a number of SGL statements.
The aforementioned rules can be embedded in issued capabilities directly, as well as advertised publicly. For this purpose, a machine-readable ARIES Governance Framework document (Trust Framework RFC, machine-readable Governance Framework ) can be employed (this is also mandated by the Chained Credentials. Although the standardization / definition efforts are in early stages, the current example structure can suit the needs of the CBAS component.
A provisional version of a machine-readable document listing the privileges, and the associated granting rules, can look as follows:
The CBAS component will most likely impose some restrictions on the supported structures of listed SGL statements in order to simplify the APIs and implementation efforts.
The exact semantics for describing privileges
and associated rules are not final.
We intend to use the Verifiable Credentials (VC) specification as a foundation for expressing object capabilities. By doing so, we hope to be able to reuse existing tooling (e.g. libraries for creating / consuming Verifiable Credentials) and infrastructure (e.g. the Universal Issuer / Verifier, Credential schema / metadata registries, revocation registries, backup services, etc.). We also hope to benefit from previous / ongoing / future interoperability efforts in the Verifiable Credential area.
For the initial implementation of the CBAS module, we intend to support the JSON-LD representation of Verifiable Credentials (example), as well
as JSON-LD Verifiable Presentations (example) for expressing (potentially delegated) object capabilities. At later stages of development, alternative Verifiable Credential formats (e.g. Zero Knowledge based implementations) as well as alternative Verifiable Presentation variants can be integrated.
CBAS imposes additional requirements on the Verifiable Credential structure (mandated by specifications it builds upon) in order to model authorizations, constraints, and delegation of authority.
The CBAS module relies on Verifiable Credentials to encode permissions and permissions / capabilities. Permissions are expressed in the credentialSubject
field in the Credential, structured similar to the one described in the Chained Credentials ARIES RFC.
The contents of the credential are:
permission
- lists privileges granted to the holder as well as associated constraints.resource
- field is used to associate information with the resource to which access is being granted. This information can aid the client in initiating interactions / presenting capabilities.As outlined in the Chained Credentials Aries RFC, obeying a number of special conventions (e.g. including a "provenance proof") above the core requirements of an ordinary Verifiable Credential can be used to model delegation (potentially constrained) of authority.
Below is an example of a delegated capability derived from the Verifiable Credential created in a previous example:
The provenanceProofs
property of the Verifiable Credential includes a Verifiable Presentation of the Verifiable Credential created in a previous example. The presentation serves as a base / root for the derived capability.
Besides linking the derived credential to the root credential, a number of extra properties can be modified during delegation, specifically in the form of adding constraints:
A capability VC may include one or more constraint objects, which describe additional restrictions which must be considered when evaluating the Verifiable Credential.
===========================================
The CBAS component will allow the developer to easily create and consume Verifiable Credentials granting authority to perform specific actions on resources (guided by grant and delegation rules described in a corresponding Trust Framework document). The CBAS component will allow developers to specify if the permissions they issue can be delegated further, as well as specify additional constraint objects which will be evaluated when the capability is invoked.
The following sections will describe the core functions exposed by the CBAS module.
Please note that the API is provisional
The CBAS module allows the developers to leverage their existing Verifiable Credential implementations (including existing credential exchange protocols for issuing and requesting capabilities).
In order to simplify issuance / verification of credentials encoding various access rights for developers, the definition of authorization policies relevant for the CBAS user, a configuration / definition document describing the offered resources / services, as well as the associated authorization policies is required.
For this purpose, we intend to use a ARIES Trusft Framework document (specifically the Machine Readable variant)[LINK1, LINK2].
The CBAS component will allow developers to make use of Trust Framework documents they define to easily grant (potentially delegatable) Verifiable Credentials encoding permissions to perform certain actions outlined in the Framework document. The CBAS component also offers developers a simple way to evaluate presented Verifiable Credentials in the context of a Trust Framework document and get a list of allowed actions on resources.
Developers should be free to define custom authorization policies as they see fit to satisfy diverse use cases of varying complexity.
The CBAS component can make use of an underlying Verifiable Credential implementation (i.e. module or service for capable of issuing and verifying VCs) and an associated Trust Framework document to aid / simplify the issuance of object capabilities encoded as Verifiable Credentials.
The CBAS component will allow the developer to easily create Verifiable Credentials granting authorizations to perform specific actions on resources (guided by the listed grants and delegation rules encoded in a Trust Framework document).
The CBAS component will also allow developers to specify if the permissions they issue can be delegated further (given this is allowed by the Trust Framework / original authorizations
set), as well as specify additional constraint objects (attenuations) which will be evaluated when the capability is presented.
The developer will be able to use their preferred Verifiable Credential issuance protocol (e.g. ARIES RFC 0036) to issue the delegated capabilities to the delegatee.
The developer will be able to use existing / integrated Verifiable Credential revocation mechanisms to revoke delegated authorizations (as well as all Verifiable Credentials derived from it).
Besides issuing delegated authorizations, the developer will frequently generate requests for Verifiable Presentations proving the counterparty is authorized to perform certain actions on a resource. The CBAS module aims to simplify this process by allowing the developer to easily generate queries for Verifiable Credentials (as defined by the underlying credential exchange protocol) based on defined authorizations. The resulting requests for credentials can be communicated to the counterparty attempting to access a prottected resource.
The CBAS module will also expose developer friendly APIs to determine what actions are permitted / if a particular action is permitted given a Verifiable Credential (presented by the counterparty) and a Trust Framework document.
The evaluation process consists of first ensuring all presented Verifiable Credentials have been correctly signed, and are not mallformed. This step can be delegated to an underlying Verifiable Credential module.
CBAS must ensure that delegation happened correctly (i.e. constraints were only added, all delegations were authorized, no authorizations were added, etc.). Lastly, the presented capability can be evaluated against the policies / rules embedded within / advertised via a machine readable Trust Framework document.
In order to allow for more flexible and complex use cases, the capabilities issued by the CBAS library can be further delegated, by the subject / holder, to other agents (if the appropriate authorizations are allowed in the corresponding Trust Framework document).
As part of delegating authorization, the delegator can choose to restrict / modify the delegatee's resulting authorizations, e.g. via restricting the proxied permissions.
For instance, a developer holding a capability allowing them to "read", "write", and "delete" a resource can derive and delegate capabilities with restricted access (e.g. only granting the permission to "read") the resource to other agents / internal system components without having to share the original, more permissive, capability.
The developer should also be able to add additional constraints (outlined in the Trust Framework)[link] document to the Verifiable Credential during the delegation phase. These constraints can serve as additional restrictions which must be considered / verified when evaluating the Verifiable Credential
Lastly, traditional Verifiable Credential revocation approaches can be employed within this component as well, to hanlde revocation of capabilities.
The developer will be able to configure CBAS to use existing Verifiable Credential implementations (i.e. libraries for generating and consuming W3C Verifiable Credentials). This would allow developers to easily integrated with existing systems (without having to adopt a new Verifiable Credential format / representation), as well as select implementations catering to specific goals (e.g. privacy preserving ZKP based impelemtations, using JSON representation for VCs for smaller payload sizes and simpler signature verification / generation algorithms).
The CBAS component will be designed so that integration with remote VC issuance / verification services is supported as well (e.g. for simpler integration with existing ESSIF Lab software / functional componenets). to integrate the issuer and verifier functional components defined within the ESSIF Lab Functioanl architecture document to
Since capabilities generated by CBAS are Verifiable Credentials, the developers should be free to use their preferred credential exchange protocols and credential revocation mechanisms, which should offer the aforementioned advantages as well.
In order to show how the CBAS module can be used in the context of an example use case, a set of tests were written and included in the repository. These tests showcase the currently supported API, and serve as a good example of how a developer would use the CBAS library to implement authorization for their use case. We are also currently integrating the CBAS module with the UBS server / client components. We hope that the resulting integration can serve as a more complete usage example.*
The following supporting data structures are defined to enable the test use case:
privileges
relevant to the use case and associated grant rules. These rules are used in the tests to evaluate capabilities.We first show how an instance of the CBAS library can be used to issue capabilities authorizing the holder to perform some actions on certain resources.
The tests for getGrantsForCapability
and canGrantPrivilege
further show how the issued capability can be evaluated against a governance framework document (specifically the SGL statements in the rules
section) to grant certain defined privileges. These useful helpers can aid the client in finding the appropriate capabilities for a request, and the server in evaluating / verifying received capabilities.
The rest of the tests focus on the evaluateCapability
and evaluateInvocation
functions, which can be used to verify the signature and expiry date on a capability / invocation, and evaluate it against the rules
defined in the governance framework.
The tested API is further described in the "Interface Specification document"
We are currently focusing on the following areas of research / development for the next iteration of the CBAS module:
We intend to explore some of these topics in more detail as part of upcoming interoperability sessions.
===========================