Nov Matake nov

@nov
nov / docomo_kouza_kyc.rb
Last active September 30, 2020 02:53
Docomo Kouza KYC is..
identity_x = proof_identity(entity_x)
proofed_bank_identity = identity_x
proofed_payment_identity = bank_identity
if assume_entity(proofed_payment_identity) == assume_entity(proofed_bank_identity)
:OK
else
:NG
@nov
nov / ENExposureConfiguration.json
Last active July 2, 2020 16:18
ENExposureConfiguration of Covid-19Radar/Covid19Radar (2020.06.21)
{
"MinimumRiskScore": 1,
"AttenuationWeight": 50,
"TransmissionWeight": 50,
"DurationWeight": 50,
"DaysSinceLastExposureWeight": 50,
"TransmissionRiskScores": [1, 2, 3, 4, 5, 6, 7, 8],
"AttenuationScores": [1, 2, 3, 4, 5, 6, 7, 8],
"DurationScores": [1, 2, 3, 4, 5, 6, 7, 8],
"DaysSinceLastExposureScores": [1, 2, 3, 4, 5, 6, 7, 8],

Choice of DynReg, PKCE and/or DPoP

| Code | Access Token | Refresh Token | Choice |
|---|---|---|---|
| Bearer | Bearer | Bearer | Nothing to use |
| Bearer | Bearer | Sender-Constrained | DPoP (in bearer access token mode) |
| Bearer | Sender-Constrained | Bearer | Impossible |
| Bearer | Sender-Constrained | Sender-Constrained | DPoP |
| Sender-Constrained | Bearer | Bearer | PKCE only |
| Sender-Constrained | Sender-Constrained | Bearer | Impossible |
require 'rack/oauth2'
Rack::OAuth2.debug!
client = Rack::OAuth2::Client.new(
identifier: 'YOUR_CLIENT_ID',
secret: 'YOUR_CLIENT_SECRET',
redirect_uri: 'YOUR_REDIRECT_URI',
authorization_endpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
token_endpoint: 'https://oauth2.googleapis.com/token'
require 'apple_id'
# NOTE: in debugging mode, you can see all HTTPS request & response in the log.
# AppleID.debug!
pem = <<-PEM
-----BEGIN PRIVATE KEY-----
:
:
-----END PRIVATE KEY-----
@nov
nov / mtls-policy.xml
Last active November 23, 2020 10:42
Azure API Management Policy for MTLS
<policies>
<inbound>
<base />
<!-- TODO: limit by client_id, not token itself -->
<rate-limit-by-key calls="30" renewal-period="10" counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization",""))" />
<choose>
<when condition="@(context.Request.Certificate != null && context.Request.Certificate.NotAfter > DateTime.Now)">
<set-header name="Client-Certificate" exists-action="override">
<value>@(context.Request.Certificate.GetRawCertDataString())</value>
</set-header>
@nov
nov / iGov_client.rb
Last active February 21, 2018 08:11
Rack::OAuth2 (& OpenIDConnect) gem's iGov profile support concept code
# NOTE:
# * rack-oauth2 gem v1.8.2+ is required. (openid_connect gem is largely developed on top of the rack-oauth2 gem)
# * this feature isn't tested well yet.
# * you can replace `OpenIDConnect` with `Rack::OAuth2` if you don't need ID Token & UserInfo API support.
require 'openid_connect'
OpenIDConnect.debug!
pem = <<-PEM
@nov
nov / saml2_unavailable_gakunin_sps.rb
Last active January 19, 2018 02:59
SAML2 Unavailable Gakunin SPs
require 'saml'
require 'open-uri'
idps_and_sps = Saml::Elements::EntityDescriptor.parse(
# URI.open (from open-uri) replaces Kernel#open for URLs, which was removed in Ruby 3.0
URI.open('https://metadata.gakunin.nii.ac.jp/gakunin-metadata.xml?generation=2')
)
sps = idps_and_sps.select do |idp_or_sp|
idp_or_sp.sp_sso_descriptor.present?
end
@nov
nov / line_login.rb
Last active November 24, 2017 10:07
LINE ID Login
require 'openid_connect'
OpenIDConnect.debug!
config = {
client_id: 'YOUR-CHANNEL-ID',
client_secret: 'YOUR-CHANNEL-SECRET'
}
client = OpenIDConnect::Client.new(
Desktop$ curl -i https://auth.login.yahoo.co.jp/yconnect/v2/.well-known/openid-configuration | od -c
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1485 100 1485 0 0 5671 0 --:--:-- --:--:-- --:--:-- 5689
0000000 H T T P / 1 . 1 2 0 0 O K \r
0000020 \n D a t e : W e d , 1 7 M
0000040 a y 2 0 1 7 0 5 : 2 8 : 2 5
0000060 G M T \r \n P 3 P : p o l i c
0000100 y r e f = " h t t p : / / p r i
0000120 v a c y . y a h o o . c o . j p