tor-browser

identity.txt (11020B)

---

Coverage is based on the following editor draft:
https://w3c.github.io/webrtc-pc/archives/20170605/webrtc.html

9.3 Requesting Identity Assertions

 [Trivial]
 The identity assertion request process is triggered by a call to createOffer,
 createAnswer, or getIdentityAssertion. When these calls are invoked and an
 identity provider has been set, the following steps are executed:

   [RTCPeerConnection-getIdentityAssertion]
   1.  The RTCPeerConnection instantiates an IdP as described in Identity Provider
       Selection and Registering an IdP Proxy. If the IdP cannot be loaded, instantiated,
       or the IdP proxy is not registered, this process fails.

   [RTCPeerConnection-getIdentityAssertion]
   2.  The RTCPeerConnection invokes the generateAssertion method on the
       RTCIdentityProvider methods registered by the IdP.

       [RTCPeerConnection-getIdentityAssertion]
       The RTCPeerConnection generates the contents parameter to this method as
       described in [RTCWEB-SECURITY-ARCH]. The value of contents includes the
       fingerprint of the certificate that was selected or generated during the
       construction of the RTCPeerConnection. The origin parameter contains the
       origin of the script that calls the RTCPeerConnection method that triggers
       this behavior. The usernameHint value is the same value that is provided
       to setIdentityProvider, if any such value was provided.

   [RTCPeerConnection-getIdentityAssertion]
   3.  The IdP proxy returns a Promise to the RTCPeerConnection. The IdP proxy is
       expected to generate the identity assertion asynchronously.

       [RTCPeerConnection-getIdentityAssertion]
       If the user has been authenticated by the IdP, and the IdP is able to generate
       an identity assertion, the IdP resolves the promise with an identity assertion
       in the form of an RTCIdentityAssertionResult .

       [RTCPeerConnection-getIdentityAssertion]
       This step depends entirely on the IdP. The methods by which an IdP authenticates
       users or generates assertions is not specified, though they could involve
       interacting with the IdP server or other servers.

   [RTCPeerConnection-getIdentityAssertion]
   4.  If the IdP proxy produces an error or returns a promise that does not resolve
       to a valid RTCIdentityValidationResult (see 9.5 IdP Error Handling), then
       identity validation fails.

   [Untestable]
   5.  The RTCPeerConnection MAY store the identity assertion for use with future
       offers or answers. If a fresh identity assertion is needed for any reason,
       applications can create a new RTCPeerConnection.

   [RTCPeerConnection-getIdentityAssertion]
   6.  If the identity request was triggered by a createOffer() or createAnswer(),
       then the assertion is converted to a JSON string, base64-encoded and inserted
       into an a=identity attribute in the session description.

   [RTCPeerConnection-getIdentityAssertion]
   If assertion generation fails, then the promise for the corresponding function call
   is rejected with a newly created OperationError.

9.3.1 User Login Procedure
 [RTCPeerConnection-getIdentityAssertion]
 An IdP MAY reject an attempt to generate an identity assertion if it is unable to
 verify that a user is authenticated. This might be due to the IdP not having the
 necessary authentication information available to it (such as cookies).

 [RTCPeerConnection-getIdentityAssertion]
 Rejecting the promise returned by generateAssertion will cause the error to propagate
 to the application. Login errors are indicated by rejecting the promise with an RTCError
 with errorDetail set to "idp-need-login".

 [RTCPeerConnection-getIdentityAssertion]
 The URL to login at will be passed to the application in the idpLoginUrl attribute of
 the RTCPeerConnection.

 [Out of Scope]
 An application can load the login URL in an IFRAME or popup window; the resulting page
 then SHOULD provide the user with an opportunity to enter any information necessary to
 complete the authorization process.

 [Out of Scope]
 Once the authorization process is complete, the page loaded in the IFRAME or popup sends
 a message using postMessage [webmessaging] to the page that loaded it (through the
 window.opener attribute for popups, or through window.parent for pages loaded in an IFRAME).
 The message MUST consist of the DOMString "LOGINDONE". This message informs the application
 that another attempt at generating an identity assertion is likely to be successful.

9.4.  Verifying Identity Assertions
 The identity assertion request process involves the following asynchronous steps:

   [TODO]
   1.  The RTCPeerConnection awaits any prior identity validation. Only one identity
       validation can run at a time for an RTCPeerConnection. This can happen because
       the resolution of setRemoteDescription is not blocked by identity validation
       unless there is a target peer identity.

   [RTCPeerConnection-peerIdentity]
   2.  The RTCPeerConnection loads the identity assertion from the session description
       and decodes the base64 value, then parses the resulting JSON. The idp parameter
       of the resulting dictionary contains a domain and an optional protocol value
       that identifies the IdP, as described in [RTCWEB-SECURITY-ARCH].

   [RTCPeerConnection-peerIdentity]
   3.  The RTCPeerConnection instantiates the identified IdP as described in 9.1.1
       Identity Provider Selection and 9.2 Registering an IdP Proxy. If the IdP
       cannot be loaded, instantiated or the IdP proxy is not registered, this
       process fails.

   [RTCPeerConnection-peerIdentity]
   4.  The RTCPeerConnection invokes the validateAssertion method registered by the IdP.

       [RTCPeerConnection-peerIdentity]
       The assertion parameter is taken from the decoded identity assertion. The origin
       parameter contains the origin of the script that calls the RTCPeerConnection
       method that triggers this behavior.

   [RTCPeerConnection-peerIdentity]
   5.  The IdP proxy returns a promise and performs the validation process asynchronously.

       [Out of Scope]
       The IdP proxy verifies the identity assertion using whatever means necessary.
       Depending on the authentication protocol this could involve interacting with the
       IdP server.

   [RTCPeerConnection-peerIdentity]
   6.  If the IdP proxy produces an error or returns a promise that does not resolve
       to a valid RTCIdentityValidationResult (see 9.5 IdP Error Handling), then
       identity validation fails.

   [RTCPeerConnection-peerIdentity]
   7.  Once the assertion is successfully verified, the IdP proxy resolves the promise
       with an RTCIdentityValidationResult containing the validated identity and the
       original contents that are the payload of the assertion.

   [RTCPeerConnection-peerIdentity]
   8.  The RTCPeerConnection decodes the contents and validates that it contains a
       fingerprint value for every a=fingerprint attribute in the session description.
       This ensures that the certificate used by the remote peer for communications
       is covered by the identity assertion.

   [RTCPeerConnection-peerIdentity]
   9.  The RTCPeerConnection validates that the domain portion of the identity matches
       the domain of the IdP as described in [RTCWEB-SECURITY-ARCH]. If this check fails
       then the identity validation fails.

   [RTCPeerConnection-peerIdentity]
   10. The RTCPeerConnection resolves the peerIdentity attribute with a new instance
       of RTCIdentityAssertion that includes the IdP domain and peer identity.

   [Out of Scope]
   11. The user agent MAY display identity information to a user in its UI. Any user
       identity information that is displayed in this fashion MUST use a mechanism that
       cannot be spoofed by content.

 [RTCPeerConnection-peerIdentity]
 If identity validation fails, the peerIdentity promise is rejected with a newly
 created OperationError.

 [RTCPeerConnection-peerIdentity]
 If identity validation fails and there is a target peer identity for the
 RTCPeerConnection, the promise returned by setRemoteDescription MUST be rejected
 with the same DOMException.

9.5.  IdP Error Handling
 [RTCPeerConnection-getIdentityAssertion]
 - A RTCPeerConnection might be configured with an identity provider, but loading of
   the IdP URI fails. Any procedure that attempts to invoke such an identity provider
   and cannot load the URI fails with an RTCError with errorDetail set to
   "idp-load-failure" and the httpRequestStatusCode attribute of the error set to the
   HTTP status code of the response.

 [Untestable]
 - If the IdP loads fails due to the TLS certificate used for the HTTPS connection not
   being trusted, it fails with an RTCError with errorDetail set to "idp-tls-failure".
   This typically happens when the IdP uses certificate pinning and an intermediary
   such as an enterprise firewall has intercepted the TLS connection.

 [RTCPeerConnection-getIdentityAssertion]
 - If the script loaded from the identity provider is not valid JavaScript or does not
   implement the correct interfaces, it causes an IdP failure with an RTCError with
   errorDetail set to "idp-bad-script-failure".

 [TODO]
 - An apparently valid identity provider might fail in several ways.

   If the IdP token has expired, then the IdP MUST fail with an RTCError with
   errorDetail set to "idp-token-expired".

   If the IdP token is not valid, then the IdP MUST fail with an RTCError with
   errorDetail set to "idp-token-invalid".

 [Untestable]
 - The user agent SHOULD limit the time that it allows for an IdP to 15 seconds.
   This includes both the loading of the IdP proxy and the identity assertion
   generation or validation. Failure to do so potentially causes the corresponding
   operation to take an indefinite amount of time. This timer can be cancelled when
   the IdP proxy produces a response. Expiration of this timer cases an IdP failure
   with an RTCError with errorDetail set to "idp-timeout".

 [RTCPeerConnection-getIdentityAssertion]
 - If the identity provider requires the user to login, the operation will fail
   RTCError with errorDetail set to "idp-need-login" and the idpLoginUrl attribute
   of the error set to the URL that can be used to login.

 [RTCPeerConnection-peerIdentity]
 - Even when the IdP proxy produces a positive result, the procedure that uses this
   information might still fail. Additional validation of a RTCIdentityValidationResult
   value is still necessary. The procedure for validation of identity assertions
   describes additional steps that are required to successfully validate the output
   of the IdP proxy.


Coverage Report

 Tested        29
 Not Tested     2
 Untestable     4

 Total         35