# Data flow

Credify works as an OpenID Connect (OIDC) provider, and allows service providers to access some data across the Credify network through OIDC.

Credify has the following 2 ways to manage user data.

1. User will maintain their own data
2. Markets will maintain the user data

# Case 1 - User maintains its own data

Data providers are able to provide idX users with their data (scope values) through Credify’s SDK or API. What the data providers are doing here is sending encrypted scope values with a public key of a target user in accordance with their custom scope definitions. The important thing is that Credify is not acting as a data custodian, but as a bridge between Markets and Service Providers so that they can share the data in a secure, efficient and seamless manner.

Credify is aware that it will not be realistic for some services to have users maintain their data on behalf of the providing services, even though this will be fully encrypted throughout the Credify system. Therefore, we offer an alternative way to manage personal data (Case 2, below).

# [1-1] Data push

A data providing service will call the Credify API to push their custom scope values. The scope values are to be encrypted with a public key of the subject user. The data structure in this payload is validated with the scope definitions registered on Dashboard.

# [1-2] Data store

The sent scope values are encrypted with a public key of the subject user, and will be stored in the Credify storage where only the data owner can access to the owning data with a JWT-based access token. This access token will be generated with a login API.

# [1-3] Authentication and Authorization

When a Service Provider (OIDC client) kicks off an OIDC flow, idX users will need to authenticate themselves on an authentication page first. Once authentication is done, the idX users will check which scope the data receiver wants to obtain. If they don't have the requested scope data, then they cannot go through the OIDC flow. User consent in terms of data access is leveraging OIDC in the Credify system, which allows users to determine which scopes they are willing to share on an extremely granular basis. OIDC is a well established de facto standard of authentication & authorization, as Facebook, Google, Twitter, and a lot of major platforms are utilizing it.

In the OIDC flow, users will decrypt the encrypted scope values and give consent about the data transmission.

# [1-4] Data transmission

After the consent, the users will encrypt the actual data with a public key of the Service Provider and send the encrypted data to the OIDC server. The data receiver will obtain it and be able to decrypt it with the corresponding private key.

# Case 2 - Markets maintain user data

In this scenario, data providing services will always hold the actual data.

# [2-1] Data push

A data providing service will call the Credify API to push digest data of their custom scope values with signature. The data structure in this payload is validated with the scope definitions registered on Dashboard.

# [2-2] Data store

The sent digest and signature of scope values will be stored in a blockchain. This signature ensures that the digest data is provided by the very Market.

# [2-3] Authentication and Authorization

Service Provider (OIDC client) initiates an OIDC flow. First, users needs to log into their account, and then they will proceed with the consent phase.

In this consent phase, the users can see some parts of their PII, such as phone number, email address, name, address, nationality, and some extended data pieces. Phone number, email address, name, address, and nationality are classified as standard claims in the Credify system. The extended data pieces are data provided by third parties and maintained by Credify (passive claims in the following diagram). The actual values of the data held only on the data providing services will not be visible.

# [2-4] Data transmission

Once users give consent to the Service Provider, the standard claims and passive claims will be encrypted with a public key of the data receiver. The encrypted data and a signature about the approval will be sent to the Credify system.

Credify will check the validity of the approval, and then it will generate an access token in order to retrieve custom scope values from the data providing service. The access token encodes who is granting which scope, and the data providing service can validate its validity. After the validation, the data providing service will encrypt the actual data with a public key of the Service Provider, and send it back to Credify. Credify will combine this encrypted data with the standard claims and the passive claims.

Upon a successful OIDC flow, the Service Provider can obtain access token and idToken. The idToken encodes encrypted scope values, which only data receiver can decrypt.

image

Credify team will support to integrate this API with the Markets. Credify is working on obtaining OpenID Certification now, as well.

Last Updated: 3/9/2021, 4:40:25 PM