Coverage is based on the following editor draft:
https://w3c.github.io/webrtc-pc/archives/20170605/webrtc.html
9.3 Requesting Identity Assertions
[Trivial]
The identity assertion request process is triggered by a call to createOffer,
createAnswer, or getIdentityAssertion. When these calls are invoked and an
identity provider has been set, the following steps are executed:
[RTCPeerConnection-getIdentityAssertion]
1. The RTCPeerConnection instantiates an IdP as described in Identity Provider
Selection and Registering an IdP Proxy. If the IdP cannot be loaded, instantiated,
or the IdP proxy is not registered, this process fails.
[RTCPeerConnection-getIdentityAssertion]
2. The RTCPeerConnection invokes the generateAssertion method on the
RTCIdentityProvider methods registered by the IdP.
[RTCPeerConnection-getIdentityAssertion]
The RTCPeerConnection generates the contents parameter to this method as
described in [RTCWEB-SECURITY-ARCH]. The value of contents includes the
fingerprint of the certificate that was selected or generated during the
construction of the RTCPeerConnection. The origin parameter contains the
origin of the script that calls the RTCPeerConnection method that triggers
this behavior. The usernameHint value is the same value that is provided
to setIdentityProvider, if any such value was provided.
[RTCPeerConnection-getIdentityAssertion]
3. The IdP proxy returns a Promise to the RTCPeerConnection. The IdP proxy is
expected to generate the identity assertion asynchronously.
[RTCPeerConnection-getIdentityAssertion]
If the user has been authenticated by the IdP, and the IdP is able to generate
an identity assertion, the IdP resolves the promise with an identity assertion
in the form of an RTCIdentityAssertionResult .
[RTCPeerConnection-getIdentityAssertion]
This step depends entirely on the IdP. The methods by which an IdP authenticates
users or generates assertions is not specified, though they could involve
interacting with the IdP server or other servers.
[RTCPeerConnection-getIdentityAssertion]
4. If the IdP proxy produces an error or returns a promise that does not resolve
to a valid RTCIdentityValidationResult (see 9.5 IdP Error Handling), then
identity validation fails.
[Untestable]
5. The RTCPeerConnection MAY store the identity assertion for use with future
offers or answers. If a fresh identity assertion is needed for any reason,
applications can create a new RTCPeerConnection.
[RTCPeerConnection-getIdentityAssertion]
6. If the identity request was triggered by a createOffer() or createAnswer(),
then the assertion is converted to a JSON string, base64-encoded and inserted
into an a=identity attribute in the session description.
[RTCPeerConnection-getIdentityAssertion]
If assertion generation fails, then the promise for the corresponding function call
is rejected with a newly created OperationError.
9.3.1 User Login Procedure
[RTCPeerConnection-getIdentityAssertion]
An IdP MAY reject an attempt to generate an identity assertion if it is unable to
verify that a user is authenticated. This might be due to the IdP not having the
necessary authentication information available to it (such as cookies).
[RTCPeerConnection-getIdentityAssertion]
Rejecting the promise returned by generateAssertion will cause the error to propagate
to the application. Login errors are indicated by rejecting the promise with an RTCError
with errorDetail set to "idp-need-login".
[RTCPeerConnection-getIdentityAssertion]
The URL to login at will be passed to the application in the idpLoginUrl attribute of
the RTCPeerConnection.
[Out of Scope]
An application can load the login URL in an IFRAME or popup window; the resulting page
then SHOULD provide the user with an opportunity to enter any information necessary to
complete the authorization process.
[Out of Scope]
Once the authorization process is complete, the page loaded in the IFRAME or popup sends
a message using postMessage [webmessaging] to the page that loaded it (through the
window.opener attribute for popups, or through window.parent for pages loaded in an IFRAME).
The message MUST consist of the DOMString "LOGINDONE". This message informs the application
that another attempt at generating an identity assertion is likely to be successful.
9.4. Verifying Identity Assertions
The identity assertion request process involves the following asynchronous steps:
[TODO]
1. The RTCPeerConnection awaits any prior identity validation. Only one identity
validation can run at a time for an RTCPeerConnection. This can happen because
the resolution of setRemoteDescription is not blocked by identity validation
unless there is a target peer identity.
[RTCPeerConnection-peerIdentity]
2. The RTCPeerConnection loads the identity assertion from the session description
and decodes the base64 value, then parses the resulting JSON. The idp parameter
of the resulting dictionary contains a domain and an optional protocol value
that identifies the IdP, as described in [RTCWEB-SECURITY-ARCH].
[RTCPeerConnection-peerIdentity]
3. The RTCPeerConnection instantiates the identified IdP as described in 9.1.1
Identity Provider Selection and 9.2 Registering an IdP Proxy. If the IdP
cannot be loaded, instantiated or the IdP proxy is not registered, this
process fails.
[RTCPeerConnection-peerIdentity]
4. The RTCPeerConnection invokes the validateAssertion method registered by the IdP.
[RTCPeerConnection-peerIdentity]
The assertion parameter is taken from the decoded identity assertion. The origin
parameter contains the origin of the script that calls the RTCPeerConnection
method that triggers this behavior.
[RTCPeerConnection-peerIdentity]
5. The IdP proxy returns a promise and performs the validation process asynchronously.
[Out of Scope]
The IdP proxy verifies the identity assertion using whatever means necessary.
Depending on the authentication protocol this could involve interacting with the
IdP server.
[RTCPeerConnection-peerIdentity]
6. If the IdP proxy produces an error or returns a promise that does not resolve
to a valid RTCIdentityValidationResult (see 9.5 IdP Error Handling), then
identity validation fails.
[RTCPeerConnection-peerIdentity]
7. Once the assertion is successfully verified, the IdP proxy resolves the promise
with an RTCIdentityValidationResult containing the validated identity and the
original contents that are the payload of the assertion.
[RTCPeerConnection-peerIdentity]
8. The RTCPeerConnection decodes the contents and validates that it contains a
fingerprint value for every a=fingerprint attribute in the session description.
This ensures that the certificate used by the remote peer for communications
is covered by the identity assertion.
[RTCPeerConnection-peerIdentity]
9. The RTCPeerConnection validates that the domain portion of the identity matches
the domain of the IdP as described in [RTCWEB-SECURITY-ARCH]. If this check fails
then the identity validation fails.
[RTCPeerConnection-peerIdentity]
10. The RTCPeerConnection resolves the peerIdentity attribute with a new instance
of RTCIdentityAssertion that includes the IdP domain and peer identity.
[Out of Scope]
11. The user agent MAY display identity information to a user in its UI. Any user
identity information that is displayed in this fashion MUST use a mechanism that
cannot be spoofed by content.
[RTCPeerConnection-peerIdentity]
If identity validation fails, the peerIdentity promise is rejected with a newly
created OperationError.
[RTCPeerConnection-peerIdentity]
If identity validation fails and there is a target peer identity for the
RTCPeerConnection, the promise returned by setRemoteDescription MUST be rejected
with the same DOMException.
9.5. IdP Error Handling
[RTCPeerConnection-getIdentityAssertion]
- A RTCPeerConnection might be configured with an identity provider, but loading of
the IdP URI fails. Any procedure that attempts to invoke such an identity provider
and cannot load the URI fails with an RTCError with errorDetail set to
"idp-load-failure" and the httpRequestStatusCode attribute of the error set to the
HTTP status code of the response.
[Untestable]
- If the IdP loads fails due to the TLS certificate used for the HTTPS connection not
being trusted, it fails with an RTCError with errorDetail set to "idp-tls-failure".
This typically happens when the IdP uses certificate pinning and an intermediary
such as an enterprise firewall has intercepted the TLS connection.
[RTCPeerConnection-getIdentityAssertion]
- If the script loaded from the identity provider is not valid JavaScript or does not
implement the correct interfaces, it causes an IdP failure with an RTCError with
errorDetail set to "idp-bad-script-failure".
[TODO]
- An apparently valid identity provider might fail in several ways.
If the IdP token has expired, then the IdP MUST fail with an RTCError with
errorDetail set to "idp-token-expired".
If the IdP token is not valid, then the IdP MUST fail with an RTCError with
errorDetail set to "idp-token-invalid".
[Untestable]
- The user agent SHOULD limit the time that it allows for an IdP to 15 seconds.
This includes both the loading of the IdP proxy and the identity assertion
generation or validation. Failure to do so potentially causes the corresponding
operation to take an indefinite amount of time. This timer can be cancelled when
the IdP proxy produces a response. Expiration of this timer cases an IdP failure
with an RTCError with errorDetail set to "idp-timeout".
[RTCPeerConnection-getIdentityAssertion]
- If the identity provider requires the user to login, the operation will fail
RTCError with errorDetail set to "idp-need-login" and the idpLoginUrl attribute
of the error set to the URL that can be used to login.
[RTCPeerConnection-peerIdentity]
- Even when the IdP proxy produces a positive result, the procedure that uses this
information might still fail. Additional validation of a RTCIdentityValidationResult
value is still necessary. The procedure for validation of identity assertions
describes additional steps that are required to successfully validate the output
of the IdP proxy.
Coverage Report
Tested 29
Not Tested 2
Untestable 4
Total 35