The Data Issuer only needs to follow this step for integration with the zkPass Service:
Sample codes for the Data Issuer implementation follow. Each step is explained in detail in the subsections. The code is also available on the zkpass-sdk repo, as shown here:
Providing a REST API to retrieve the user data
The Data Issuer is required to expose a REST API that facilitates secure user data token retrieval. The API should be designed to authenticate the user robustly, ensuring that only the legitimate owner can access the data. The zkPass SDK does not dictate the precise authentication mechanisms, API semantics, or response formats, providing developers the flexibility to implement an approach best suited to their application's architecture.
The Data Issuer needs to make sure the user data is in JSON encoding. The DVR app architecture does not dictate the schema or structure of the user data, however, JSON encoding is required.
By conforming to these guidelines, Data Issuers contribute to the robustness and security of the DVR app infrastructure, ensuring an optimized and secure experience for all users involved.
Signing the User Data
As the authority provisioning sensitive user data, the Data Issuer plays a critical role in the DVR ecosystem. To ensure the authenticity of the user data, the Data Issuer must sign this sensitive information into a JWS (JSON Web Signature) token. The signing of the user data by the Data Issuer is illustrated by part of the DVR/zkPass call sequence, which is highlighted in red below:
The zkpass-client SDK library provides a specialized utility method for this purpose: sign_data_to_jws_token
. How to digitally sign the user data using the zkpass-client SDK library is illustrated by the code snippet below.
Parameters passed to sign_data_to_jws_token:
ISSUER_PRIVKEY This is the signing private key owned by the Data Issuer.
json!(data) This is the user data in JSON encoding.
Some(ep) This is the Keyset Endpoint for the public key needed to verify the signed user data. If the Data Issuer does not implement the JWKS (JSON Web Key Set) endpoints, a None parameter can be passed here, meaning that the public key is distributed manually.