Overview#
DID Authentication (DID Auth) is the mechanism by which an entity can cryptographically prove that they are associated with a DID and DID Description.
Authentication is separate from Authorization because an entity may wish to enable other entities to update the DID Document, for example, to assist with key recovery, without enabling them to prove ownership (and thus be able to impersonate the entity).
The rules for Authentication are:
- A DID Document MAY include an authentication property.
- The value of the authentication property should be an array of proof mechanisms (LDAPWiki assumes these are Authentication Factors).
- Each proof mechanism MUST include the type property.
- Each proof mechanism MAY embed or reference a Public Key.
DID Authentication Example#
```
{
  "@context": "https://w3id.org/did/v1",
  "id": "did:example:123456789abcdefghi",
  ...
  "authentication": [{
    // this key can be used to authenticate as DID ...fghi
    "type": "RsaSignatureAuthentication2018",
    "publicKey": "did:example:123456789abcdefghi#keys-1"
  }, {
    // this key can be used to authenticate as DID ...fghi
    "type": "PseudonymousBiometricAuthentication2018",
    "biometricTemplate": "did:example:123456789abcdefghi#bio-1"
  }],
  ...
}
```
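The rules above can be checked mechanically before a DID Document is relied on for authentication. The following is an added example, not code from the W3C specification or from this page; the function name `check_authentication`, the top-level `publicKey` array used to resolve key references, and both sample documents are assumptions constructed for illustration.

```python
DID = "did:example:123456789abcdefghi"

def check_authentication(did_doc):
    """Return a list of rule violations; an empty list means the rules hold."""
    if "authentication" not in did_doc:
        return []  # the property is optional (MAY)
    auth = did_doc["authentication"]
    if not isinstance(auth, list):
        return ["authentication should be an array of proof mechanisms"]
    # Assumption: referenced keys live in a top-level "publicKey" array,
    # each entry identified by its "id".
    known = {k.get("id") for k in did_doc.get("publicKey", []) if isinstance(k, dict)}
    problems = []
    for i, mech in enumerate(auth):
        if not isinstance(mech, dict):
            problems.append(f"[{i}] proof mechanism is not an object")
            continue
        if not isinstance(mech.get("type"), str) or not mech["type"]:
            problems.append(f"[{i}] missing required 'type'")  # MUST
        key = mech.get("publicKey")  # MAY be absent, embedded (dict) or a reference (str)
        if isinstance(key, str) and key not in known:
            problems.append(f"[{i}] publicKey reference {key} does not resolve")
        elif key is not None and not isinstance(key, (str, dict)):
            problems.append(f"[{i}] publicKey is neither embedded nor a reference")
    return problems

# Constructed sample documents (not real DIDs or keys).
KEYS = [{"id": DID + "#keys-1", "type": "RsaVerificationKey2018"}]
GOOD = {
    "id": DID,
    "publicKey": KEYS,
    "authentication": [
        {"type": "RsaSignatureAuthentication2018", "publicKey": DID + "#keys-1"},
        {"type": "PseudonymousBiometricAuthentication2018",
         "biometricTemplate": DID + "#bio-1"},
    ],
}
BAD = {
    "id": DID,
    "publicKey": KEYS,
    "authentication": [
        {"publicKey": DID + "#keys-1"},  # no "type"
        {"type": "RsaSignatureAuthentication2018", "publicKey": DID + "#keys-9"},  # dangling
    ],
}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_authentication(doc))
```

A verifier that accepts a proof mechanism whose key reference does not resolve inside the document has nothing to check the proof against, so such entries are reported rather than skipped.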
DID Authentication and Self-Issued OpenID Provider#
The current DID Authentication Working Group is working in coordination with the editors of the OpenID Connect specification to combine the knowledge from the DIF community and the OpenID Foundation, and is using Self-Issued OpenID Provider for DID Authentication within the Verifiable Credentials.
More Information#
There might be more information for this subject on one of the following:
- [#1] - W3C Decentralized Identifiers (DIDs)
- based on information obtained 2018-11-29
- [#2] - Using OpenID Connect with Decentralized Identifiers
- based on information obtained 2019-10-14
- [#3] - Using OpenID Connect Self-Issued to achieve DID Auth
- based on information obtained 2019-10-14