Artifacts and User Stories Definitions
On this page you can find the definition of the standard Alastria ID objects, namely Alastria Token(AT), Alastria Session (AS) and Alastria Identity Creation (AIC); and the technicals details of the Alastria ID Workflows, including some detailled sequence diagrams.
Still work in progress.
Alastria Artifacts are currently coded as JWT objects, so following JWT specifications they are structured in three parts:
- Header
- Payload
- Signature
WHen required (i.e.: communication) Alastria JWT objects are represented as three Base64url parts concatenated with ‘.’ (xxxxx.yyyyy.zzzzz)
HEADER
The header must be composed of:
- Token type (“typ”: Type)
- Hashing Algorithm (“alg”: Algorithm)
- Key identifier (“kid”) It is an optional field with a public key identifier
- Public key (“jwk”) It is an optional field with the public key used to sign the JWT in a standard format JWK (https://www.rfc-editor.org/rfc/rfc7517) Header example:
{
"alg": "ES256K",
"typ": "JWT",
"kid": "did:ala:quor:redt:QmeeasCZ9jLbX...ueBJ7d7csxhb#keys-1",
"jwk": {"keys": [
{"kty":"OKP",
"alg": "EdDSA",
"crv":"Ed25519",
"x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
"y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
"use":"sig",
"kid":"-1909572257"}
]
}
}Valid algorithm are as follow:
HS256 HMAC using SHA-256 hash algorithm
HS384 HMAC using SHA-384 hash algorithm
HS512 HMAC using SHA-512 hash algorithm
RS256 RSASSA using SHA-256 hash algorithm
RS384 RSASSA using SHA-384 hash algorithm
RS512 RSASSA using SHA-512 hash algorithm
ES256 ECDSA using P-256 curve and SHA-256 hash algorithm
ES384 ECDSA using P-384 curve and SHA-384 hash algorithm
ES512 ECDSA using P-521 curve and SHA-512 hash algorithm
none No digital signature or MAC value included
PAYLOAD
The payload content depends on the Alastria artifact type: Alastria Token (AT), Alastria Session (AS) and Alastria Identity Creation (AIC). They are specified in the corresponding sections.
SIGNATURE
Signature includes header and payload and must use the hashing algorithm specified in the header.
WHen HMAC a secret sharing signature is used:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
WHen RSA or ECDSA is used, the signature is performed using the sender Private key so the identity of the sender is proofed. Ethereum uses SHA3-256 (RSASHA256) algorithm that is the recommended algorithm.
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), RSA private key)
Header and signature parts follow JWT rules as explained in section 0. Objects Definition
PAYLOAD
The following fields are mandatory:
- “iss”: Issuer. Alastria DID of the sender (issuer) of the AT, could be an Issuer or a Service Provider in Alastria ID model terms.
- “gwu”: GatewayURL. Sender's url gateway, also known as "Alastria Open Access". The Wallet should store any gwu it receives along with the provider name so the user can select witch one to use.
- “cbu”: CallbackURL. Callback URL to which subject answer (including user public key) should be addressed.
- “iat”: IssueAt. Issuance date of the AT.
- “exp”: ExpirationTime. The Expiration time of the AT. 2021/10/05 Clarification. This is a technical expiration field, it means that the object cannot be processed after the expiration date. It does not reflect the validity of the data contained in the object, if any.
The following standard JWT fields are recommended but optional:
-
"@context": It should be at least "https://alastria.github.io/identity/artifacts/v1", more urls with other specifications are allowed (it is optional as it is a new addition in this artifact)
-
"type": It should be at least "AlastriaToken" (it is optional as it is a new addition in this artifact)
- It is also possible to add the use flow for this artifact, for AT valid values are:
- US12: Identity Creation
- US211: Authentication
- US221: Credential Issuance
- US231: Present presentation (this will change shortly)
- US142: Legacy ID and Alastria ID vinculation
- It is also possible to add the use flow for this artifact, for AT valid values are:
-
“nbf”: NotBefore. Token activation date
-
“jti”: JWTID. JWT unique identifier
-
"mfau": MFA (Multi Factor Authentication) URL. An optional URL for MFA callbacks, improves security in stories like US 1.2 Identity Creation
Alastria Token payload examples:
{
"jti ": "slfkjs-0923-...",
"iss": ""did:ala:quor:redT:bc0..."",
"gwu": "http://www.gateway_socio.com",
"cbu": "http://www.backend_service_provider.com/callback",
"iat": 14344660338,
"exp": 15346639338,
"nbf": 14344660338
}
{
"type": ["AlastriaToken","US12"],
"@context": ["https://alastria.github.io/identity/artifacts/v1"],
"nbf": 1587712704319,
"gwu": "http://url/rpc",
"cbu": "http://url/loginAID",
"iss": "did:ala:quor:redT:3235c170482ff9ca250fb2a3b83468cb605f6a4c",
"exp": 1587799104319,
"iat": 1587712704319,
"jti": "ze298y42sba",
"mfau": "http://url/mfa_server"
}
Header and signature parts follow JWT rules as explained in section 0. Objects Definition
PAYLOAD
The following fields are mandatory:
-
"@context": It should be at least "https://alastria.github.io/identity/artifacts/v1", more urls with other specifications are allowed
-
"type": It should be at least "AlastriaSession"
- It is also possible to add the use flow for this artifact, for AS valid values are:
- US211: Authentication
- US221: Credential Issuance
- US231: Present Presentation
- US142: Legacy ID and Alastria ID vinculation
- It is also possible to add the use flow for this artifact, for AS valid values are:
-
“iss”: Issuer. DID of the issuer of the Alastria Session. It is usually the subject/user in Alastria ID model.
-
"alastriaToken": VerifiedAT. Coded as a 64BaseURL JWT. The original [Alastria Token (AT)](0.1 Alastria Token (AT)) to which this Alastria Session is sent as answer.
The following standard JWT fields are recommended but optional:
- "jti"
- "iat"
- "exp" 2021/10/05 Clarification. This is a technical expiration field, it means that the object cannot be processed after the expiration date. It does not reflect the validity of the data contained in the object, if any.
- "nbf"
Alastria Session payload example:
{
"jti": "ze298y42sba"
"@context": ["https://alastria.github.io/identity/artifacts/v1"],
"type": ["AlastriaSession","US211"]
"iss": "did:ala:quor:redT:07dba616e17a45fca5cfc999a584180e45353aa9",
"iat": 1587712763,
"exp": 1563783392,
"nbf": 1563783392,
"alastriaToken": "eyJ0..4ea8",
}
Is the JWT object sent by the subject from his/her wallet to register an Alastria DID, thus completing the creation of an Alastria ID. Header and signature parts follow JWT rules as explained in section 0. Objects Definition
PAYLOAD
The following fields are mandatory:
- "@context": It should be at least "https://alastria.github.io/identity/artifacts/v1", more urls with other specifications are allowed
- "type": It should be "AlastriaIdentityCreation"
- It is also possible to add the use flow for this artifact, for AIC valid values are:
- US12: Alastria Identity Creation
- It is also possible to add the use flow for this artifact, for AIC valid values are:
- "createAlastriaTX": Hex coded (with initial 0x) createAlastriaID Transaction, signed by the subject.
- "alastriaToken": Originally received (coded as a 64BaseURL) Alastria Token JWT, the Alastria token is not signed by the subject, because it is included in a subject signed JWT, the AIC.
- "publicKey": Hex coded (with initial 0x) Subject's Public Key.
The following standard JWT fields are recommended but optional:
- "jti"
- "iat"
- "exp" 2021/10/05 Clarification. This is a technical expiration field, it means that the object cannot be processed after the expiration date. It does not reflect the validity of the data contained in the object, if any.
- "nbf"
Alastria Identity Creation payload examples:
{
"@context": ["https://alastria.github.io/identity/artifacts/v1"],
"type": ["AlastriaIdentityCreation","US12"],
"createAlastriaTX":"0xf9...",
"alastriaToken":"ey...",
"publicKey":"0x2e...",
"jti": "ze298y42sba",
"iat": 1587712763,
"exp": 1563783392,
"nbf": 1563783392
}
{
"@context": ["https://alastria.github.io/identity/artifacts/v1"],
"type": ["AlastriaIdentityCreation"],
"createAlastriaTX":
"0xf901888203af80830927c094bd4a2c84edb97be5beff7cd341bd63567e73f8c980b901246d69d99a000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000c450382c1a000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000803265353037616630313136376339386136616363633063643436616232613235366464366236633639656331633063323866383066623632653166376437303233333736386230633538646262646163316663333538623831343163303735613532303438336366393737396534656139386431336466323833336633373637000000000000000000000000000000000000000000000000000000001ba0ba71cde488ee7ce6c0547f64c89fbc5a5c4e60eb99afad69d0ae73cd16d1ead1a06deb0a6ad9e4c4e5eaa15448fb22f9d817905124f5368216cdfc6364ed005ccb",
"alastriaToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI...",
"publicKey": "0x2e507af01167c98a6accc0cd46ab2a256dd6b6c69ec1c0c28f80fb62e1f7d70233768b0c58dbbdac1fc358b8141c075a520483cf9779e4ea98d13df2833f3767"
}
Is the JWT object sent by the subject from his/her wallet to recover Alastria ID whose control has been lost (theft, lost, etc). Header and signature parts follow JWT rules as explained in 0. Objects Definition
PAYLOAD
The following fields are mandatory:
- "@context": It should be at least "https://alastria.github.io/identity/artifacts/v1", more urls with other specifications are allowed
- "type": It should be "AlastriaIdentityRecovery"
- It is also possible to add the use flow for this artifact, for AIR valid values are:
- US31: Identity Recovery
- It is also possible to add the use flow for this artifact, for AIR valid values are:
- "recoverAlastriaTX": Hex coded (with initial 0x) recoverAlastriaID Transaction, signed by the subject with the new Private Key.
- "alastriaToken": Originally received (coded as a 64BaseURL) Alastria Token JWT, the Alastria token is not signed by the subject, because it is included in a subject signed JWT, the AIR.
- "publicKey": Hex coded (with initial 0x) Subject's Public Key.
The following standard JWT fields are recommended but optional:
- "jti"
- "iat"
- "exp" 2021/10/05 Clarification. This is a technical expiration field, it means that the object cannot be processed after the expiration date. It does not reflect the validity of the data contained in the object, if any.
- "nbf"
Alastria Identity Recovery payload example:
{
"@context": ["https://alastria.github.io/identity/artifacts/v1"],
"type": ["AlastriaIdentityRecovery","US31"],
"recoverAlastriaTX":"0xf9...",
"alastriaToken":"ey...",
"publicKey":"0x2e...",
"jti": "ze298y42sba",
"iat": 1587712763,
"exp": 1563783392,
"nbf": 1563783392
}
UML diagram Used artifacts are Alastria Token and Alastria Identity Creation
UML diagram It uses no artifacts
UML diagram Used artifact is Alastria Token
Used artifact are Alastria Token and Alastria Session
Credentials status transitions 
Credentials transitions source
It uses no artifacts
It uses no artifacts
UML diagram It uses no artifacts
Out of MVP Scope
UML diagram Out of MVP Scope
Presentations status transitions 
Presentations transitions source
It uses no artifacts
It uses no artifacts
It uses no artifacts
Out of MVP Scope
UML diagram Uses AIR (Alastria Identity Recovery) artifact
Out of MVP Scope
A TinyURL will be used in those scenarios where the JWT token would be too big to show as a QR code / deeplink. In Alastria this corresponds to the following user stories:
In these cases, the wallet will receive an Alastria Token (AT) from the entity. Once the wallet has verified the AT, it will need to sign and send an Alastria Session (AS) to the specific entity’s endpoint defined by the CBU parameter inside the AT.
Once the entity verifies and validates the AS, it will send the wallet a JSON with the required credentials or presentation request.
The JSON response schema sent by the entity depends on the user story:
- 2.2.1 Credential Issuance:
{
"verifiableCredential":[
"eyJ0eXAgs...",
"eyJ2c3Rga...",
(…)
]
}The JSON contains a list of verifiableCredentials. This is defined in 3.4 Multiple Credentials
- 2.3.1.1 Presentation Request:
{
“presentationRequest":[
"eyJ0eXA...",
(…)
]
}The JSON contains the JWT with the presentation request.
A deeplink is utilized in situations where there is a requirement to transmit a JWT (JSON Web Token) and employing a QR code is not feasible. One such example is when a mobile application intends to send a JWT to a wallet located within the same device. Deep links have been defined for all of Alastria's US:
- Create AlastriaID:
The create Alastria ID deeplink will have the following structure:
walletapp://alastria.com/createAI?alastriaToken=
Followed by the Alastria Token JWT. For example:
walletapp://alastria.com/createAI?alastriaToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksifQ.eyJpc3MiOiJkaWQ6YWxhOnF1b3I6cmVkVDoyMjZiZDY1NjBhOTgzMDdmNzNiNDcwMDM5NjU2ZjkwZmFlZjMwMzU4IiwiZ3d1IjoiaHR0cDovLzYzLjMzLjIwNi4xMTEvcnBjIiwiY2J1IjoiaHR0cDovLzM0LjI0NC40Ny4yMzM6MTAwMTAvdjEvZW50aXR5L2FsYXN0cmlhL2RpZCIsImlhdCI6MTU4ODYxNTkyNiwiYW5pIjoicmVkVCIsIm5iZiI6MTU4ODYxNTkyNSwiZXhwIjoxNTg4NjE2NTI1LCJqdGkiOiJvcHZjaGgycnAybCJ9.M6Rj89uvL7MAn96qXXUdCSVquL2Mv7ObuuO8qGYra1mPEae-jPlZOCdzrO0xFbAwbs3WtWhJkGkfPPwNfr8Lhw- Login:
The loging deeplink will have the following structure:
walletapp://alastria.com/login?alastriaToken=
Followed by the Alastria Token JWT. For example:
walletapp://alastria.com/login?alastriaToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksifQ.eyJpc3MiOiJkaWQ6YWxhOnF1b3I6cmVkVDoyMjZiZDY1NjBhOTgzMDdmNzNiNDcwMDM5NjU2ZjkwZmFlZjMwMzU4IiwiZ3d1IjoiaHR0cDovLzYzLjMzLjIwNi4xMTEvcnBjIiwiY2J1IjoiaHR0cDovLzM0LjI0NC40Ny4yMzM6MTAwMTAvdjEvZW50aXR5L2FsYXN0cmlhL2FsYXN0cmlhU2Vzc2lvbiIsImlhdCI6MTU4ODYxNTg2MiwiYW5pIjoicmVkVCIsIm5iZiI6MTU4ODYxNTg2MiwiZXhwIjoxNTg4NjE2NDYyLCJqdGkiOiJpZWFoZ3U4eGd6In0.n4dIcuFhSHRH5UJUMvvab1VohZ7m7QJ39R1B6LCk-TWxyfPy2p4O21N1uN7AB5GHlFUfXBXJna1BbBYgDWsojA- Create credentials:
The deeplink to send credentials to the wallet will have the following structure:
walletapp://alastria.com/createCredentials?credentials=
Followed by the Alastria Token JWT. For example:
walletapp://alastria.com/createCredentials?credentials=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6YWxhOnF1b3I6cmVkVDo4ZjQ0MDA0OWNiYmU1YzZiYzllZmY0NjM2OWY5MDkxZjFkODEzMzNjI2tleXMtMSJ9.eyJqdGkiOiIyNnhxNWRjbXRjeWkiLCJpc3MiOiJkaWQ6YWxhOnF1b3I6cmVkVDo4ZjQ0MDA0OWNiYmU1YzZiYzllZmY0NjM2OWY5MDkxZjFkODEzMzNjIiwic3ViIjoiZGlkOmFsYTpxdW9yOnJlZFQ6NTVlZGVmZDkyOTUwYmI0MTM0MDU0OTcyYWNmNWI3YTBlZWM2MzA4MSIsImlhdCI6MTU5MTg4NDQ5MCwiZXhwIjoxNTkxOTcwODg5NTYzLCJuYmYiOjE1OTE4ODQ0ODk1NjMsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIiwiSldUIl0sInR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiLCJBbGFzdHJpYUV4YW1wbGVDcmVkZW50aWFsIl0sImNyZWRlbnRpYWxTdWJqZWN0Ijp7ImxldmVsT2ZBc3N1cmFuY2UiOjMsImZ1bGxuYW1lIjoiRGFuaWVsIGRlIGxhIFNvdGEifX19.BUjRebmKRNI1O_mlzF0aZfu-QFR3B-W2-85yA1zuu5GBBgxe6Khza35sukYNvNuqQ3ky1YfvlRxDjZXKWhQJBA- Create presentation:
The deeplink to send the presentation request to the wallet will have the following structure:
walletapp://alastria.com/createPresentations?alastriaToken=
Followed by the Alastria Token JWT. For example:
walletapp://alastria.com/createPresentations?alastriaToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6YWxhOnF1b3I6cmVkVDo4ZjQ0MDA0OWNiYmU1YzZiYzllZmY0NjM2OWY5MDkxZjFkODEzMzNjI2tleXMtMSJ9.eyJqdGkiOiJrY3VvYzExa3k4byIsImlzcyI6ImRpZDphbGE6cXVvcjpyZWRUOjhmNDQwMDQ5Y2JiZTVjNmJjOWVmZjQ2MzY5ZjkwOTFmMWQ4MTMzM2MiLCJpYXQiOjE1OTE2MTM4OTcsImV4cCI6MTU5MTcwMDI5NzM1MCwibmJmIjoxNTkxNjEzODk3MzUwLCJjYnUiOiJodHRwOi8vMzQuMjQ0LjQ3LjIzMzoxMDAxMC92MS9lbnRpdHkvYWxhc3RyaWEvcHJlc2VudGF0aW9uIiwicHIiOnsiQGNvbnRleHQiOlsiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiLCJKV1QiXSwidHlwZSI6WyJWZXJpZmlhYmxlUHJlc2VudGF0aW9uUmVxdWVzdCJdLCJwcm9jVXJsIjoiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiLCJwcm9jSGFzaCI6IjB4SDM5OHNqSGQuLi5rbGRqVVluNDc1biIsImRhdGEiOlt7IkBjb250ZXh0IjoiSldUIiwibGV2ZWxPZkFzc3VyYW5jZSI6MywicmVxdWlyZWQiOnRydWUsImZpZWxkX25hbWUiOiJmdWxsbmFtZSJ9LHsiQGNvbnRleHQiOiJKV1QiLCJsZXZlbE9mQXNzdXJhbmNlIjozLCJyZXF1aXJlZCI6ZmFsc2UsImZpZWxkX25hbWUiOiJhZGRyZXNzIn1dfX0.0KKoeO6NaELwWoD0CBDYCoq_cQij-cYmKxOKr0Yj_Jp5E-svznJPrpns8sVvpeA9CNBWwwnnNvqakLO5KqvOJg- Vinculation:
The deeplink sent to the wallet to start the vinculation procedure will have the following structure:
walletapp://alastria.com/vinculation?alastriaToken=
Followed by the Alastria Token JWT. For example:
walletapp://alastria.com/createPresentations?alastriaToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6YWxhOnF1b3I6cmVkVDo4ZjQ0MDA0OWNiYmU1YzZiYzllZmY0NjM2OWY5MDkxZjFkODEzMzNjI2tleXMtMSJ9.eyJqdGkiOiJrY3VvYzExa3k4byIsImlzcyI6ImRpZDphbGE6cXVvcjpyZWRUOjhmNDQwMDQ5Y2JiZTVjNmJjOWVmZjQ2MzY5ZjkwOTFmMWQ4MTMzM2MiLCJpYXQiOjE1OTE2MTM4OTcsImV4cCI6MTU5MTcwMDI5NzM1MCwibmJmIjoxNTkxNjEzODk3MzUwLCJjYnUiOiJodHRwOi8vMzQuMjQ0LjQ3LjIzMzoxMDAxMC92MS9lbnRpdHkvYWxhc3RyaWEvcHJlc2VudGF0aW9uIiwicHIiOnsiQGNvbnRleHQiOlsiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiLCJKV1QiXSwidHlwZSI6WyJWZXJpZmlhYmxlUHJlc2VudGF0aW9uUmVxdWVzdCJdLCJwcm9jVXJsIjoiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiLCJwcm9jSGFzaCI6IjB4SDM5OHNqSGQuLi5rbGRqVVluNDc1biIsImRhdGEiOlt7IkBjb250ZXh0IjoiSldUIiwibGV2ZWxPZkFzc3VyYW5jZSI6MywicmVxdWlyZWQiOnRydWUsImZpZWxkX25hbWUiOiJmdWxsbmFtZSJ9LHsiQGNvbnRleHQiOiJKV1QiLCJsZXZlbE9mQXNzdXJhbmNlIjozLCJyZXF1aXJlZCI6ZmFsc2UsImZpZWxkX25hbWUiOiJhZGRyZXNzIn1dfX0.0KKoeO6NaELwWoD0CBDYCoq_cQij-cYmKxOKr0Yj_Jp5E-svznJPrpns8sVvpeA9CNBWwwnnNvqakLO5KqvOJg