The Vanadium Identity Service is a cloud service that is a blessing root for blessing names that begin with dev.v.io. Applications can choose to recognize the authority of this service in order to broker authentication between different principals that the application communicates with.
The web interface for this service is accessible at https://dev.v.io/auth and the design of this service (along with how to obtain a blessing from it) is described in this document.
Some frequently asked questions about this service follow.
In order to obtain a blessing from this service, one must sign in using their Google Account. For each blessing created by this service, the following is recorded:
Additionally, for each revocable blessing granted, the service also stores the timestamp at which the revocation happened (or the fact that the blessing has not yet been revoked).
All user-information stored by this service is accessible to the owner of the Google Account at https://dev.v.io/auth/google/listblessings
When creating a blessing of the form dev.v.io/users/<email_address> (after using Google OAuth to determine the email address), the user is asked to select a set of caveats to be placed on the blessing.
By default, this form is pre-populated with a revocation caveat, which means that the blessing is valid until explicitly revoked by the user. The user may choose to remove this default caveat and insert other caveats instead.
Revocation (as opposed to, say, setting a short-lived expiration caveat) was chosen as the default for two reasons:
This choice of default may be revisited based on user feedback.
Use of the revocation caveat implies that the granted blessing is valid only when accompanied by a discharge issued by the identity service. This means that use of the blessing requires a periodic RPC to the identity service in order to obtain the discharge. The request to obtain a discharge sends only information about the caveat; no information on why the discharge is being requested is sent to this service.
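A minimal model of the revocation-caveat flow described above, added here as an example; it is not Vanadium's API or the identity service's own code. The Discharger type, the "caveat-1" identifier, the one-minute discharge lifetime and the use of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

type Discharge struct { // short-lived signed statement that a caveat is not revoked
	CaveatID string
	Expiry   time.Time
	Sig      []byte
}

type Discharger struct { // hypothetical stand-in for the identity service
	priv    ed25519.PrivateKey
	revoked map[string]time.Time // caveat ID -> revocation timestamp
}

func payload(id string, exp time.Time) []byte { return []byte(fmt.Sprintf("%d|%s", exp.Unix(), id)) }

// Issue sees only the caveat ID, nothing about why the discharge is wanted.
func (d *Discharger) Issue(id string, now time.Time) (Discharge, error) {
	if _, gone := d.revoked[id]; gone {
		return Discharge{}, fmt.Errorf("caveat %q revoked", id)
	}
	exp := now.Add(time.Minute) // constructed discharge lifetime (assumption)
	return Discharge{id, exp, ed25519.Sign(d.priv, payload(id, exp))}, nil
}

// Validate is the relying party's check of the blessing's revocation caveat.
func Validate(pub ed25519.PublicKey, id string, dis Discharge, now time.Time) bool {
	return dis.CaveatID == id && now.Before(dis.Expiry) &&
		ed25519.Verify(pub, payload(dis.CaveatID, dis.Expiry), dis.Sig)
}

// Scenario: fresh discharge accepted, stale one rejected, none issued after revocation.
func Scenario() (fresh, stale, reissued bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	d := &Discharger{priv, map[string]time.Time{}}
	t0 := time.Unix(1700000000, 0) // constructed clock
	dis, _ := d.Issue("caveat-1", t0)
	fresh = Validate(pub, "caveat-1", dis, t0.Add(30*time.Second))
	d.revoked["caveat-1"] = t0.Add(40 * time.Second) // user revokes the blessing
	stale = Validate(pub, "caveat-1", dis, t0.Add(2*time.Minute))
	_, err := d.Issue("caveat-1", t0.Add(2*time.Minute))
	return fresh, stale, err == nil
}
func main() { fmt.Println(Scenario()) }
```

In this model a discharge issued before the revocation keeps validating until its own expiry, so the discharge lifetime bounds how long a revoked blessing remains usable.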
Use of this service (including obtaining a blessing from it or listing blessings obtained from it) is subject to the terms of service of all cloud services hosted at v.io.
https://github.com/vanadium/go.ref/services/identity/identityd/main.go