# Data flow
Credify works as an OpenID Connect (OIDC) provider, and allows Service Providers to access some data across the Credify network through OIDC.
Credify has the following 2 ways to manage user data.
1. User will maintain their own data 2. Markets will maintain the user data
# Case 1 - User maintains its own data
Markets are able to provide Credify users with their data (scope values) through serviceX SDK or API. What the Markets are doing here is sending scope values encrypted with a public key of a target user in accordance with their custom scope definitions. The important thing is that We are not acting as a data custodian, but as a bridge between Markets and Service Providers so that they can share the data in a secure, efficient and seamless manner.
We are aware that it will not be realistic for some Markets to have users maintain their data on behalf of the Markets, even though this will be fully encrypted throughout the Credify system. Therefore, we offer an alternative way to manage personal data (Case 2, below).
# [1-1] Data push
A Market will call the Credify API to push their custom scope values. The scope values are to be encrypted with a public key of the subject user. The data structure in this payload is validated with the scope definitions registered on Dashboard.
# [1-2] Data store
The scope values sent by the Market are encrypted with a public key of the subject user, and will be stored in the Credify storage where only the data owner can access to the owning data with a JWT-based access token. This access token will be generated with a login API.
# [1-3] Authentication and Authorization
When a Service Provider (OIDC client) kicks off an OIDC flow, Credify users will need to authenticate themselves on an authentication page first. Once authentication is done, the users will check which scope the Service Provider is asking. If they don't have the requested scope data, then they cannot go through the OIDC flow unless they provide the missing data in our context. User consent in terms of data access is leveraging OIDC in the Credify system, which allows users to determine which scopes they are willing to share on an extremely granular basis. OIDC is a well established de facto standard of authentication & authorization, as Facebook, Google, Twitter, and a lot of major platforms are utilizing it.
In the OIDC flow, users will decrypt the encrypted scope values and give consent about the data transmission.
# [1-4] Data transmission
After the consent, the users will encrypt the actual data with a public key of the Service Provider and send the encrypted data to the OIDC server. The data receiver will obtain it and be able to decrypt it with the corresponding private key.
# Case 2 - Markets maintain user data
In this scenario, Markets will always hold the actual data.
# [2-1] Data push
A Market will call the Credify API to push digest data of their custom scope values with signature. The data structure in this payload is validated with the scope definitions registered on Dashboard.
# [2-2] Data store
The digest and signature of scope values sent by the Market will be stored in a blockchain. This signature ensures that the digest data is provided by the very Market.
# [2-3] Authentication and Authorization
Service Provider (OIDC client) initiates an OIDC flow. First, users needs to log into their account, and then they will proceed with the consent phase. The users are required to make an explicit consent for sharing the data.
# [2-4] Data transmission
Once users give consent to the Service Provider, the claims will be encrypted with a public key of the Service Provider. The encrypted data and a signature about the approval will be sent to the Credify system.
Credify will check the validity of the approval, and then it will generate an access token in order to retrieve custom scope values from the Market. The access token encodes who is granting which scope, and the Market can validate its validity. After the validation, the Market will encrypt the actual data with a public key of the Service Provider. The encrypted data will be transferred to the Service Provider via Credify API.
Upon a successful OIDC flow, the Service Provider can obtain access token and id token. The id token encodes encrypted scope values, which only the corresponding Service Provider can decrypt.
Credify team will support to integrate this API with the Markets. Credify is working on obtaining OpenID Certification now, as well.