Skip to content
osvauld

Sharing Credential with Users

The sequence diagram below shows how a user can share credentials with other users.

Sequence Diagram

Sequence diagram for sharing credentials with users

User Selection

  1. The user selects the credentials they want to share and clicks on the “Share” button.
  2. The client sends a request to the server to fetch the required credential fields.
  3. The server returns the credential fields, to the client.
[{
    "credentialId": "credentialId",
    "fields": [{
    "fieldId": "fieldId",
    "fieldValue": "encrypted_field_value",
    }
    ]
}]

User and Access Type Selection

  1. The user selects the required users they want to share the credentials with.
  2. For each selected user, the user specifies the access type (e.g., read, manager).

Background Service Processing

  1. The client sends the selected credentials and users, to the background service.
  2. The background service sends the credentials to the WASM module for decryption.
  3. The WASM module, which has the user’s private key loaded in memory, decrypts the credentials.
[{
    "credentialId": "credentialId",
    "fields": [{
    "fieldId": "field_id",
    "fieldValue": "decrypted_field_value",
    }
    ]
}]
  1. After decryption, the background service sends the decrypted fields to be encrypted using the target users public key to wasm module.
  2. The background service sends the encrypted credentials back to the client.
  3. The client then sends the whole payload to hash and then sign
  4. The client sends the payload to the server with signature in the header.
[{
    "userId": "user_id",
    "credentials":[
    {
        "credentialId": "credential_id",
        "fields": [
            {
            "fieldId": "field_id",
            "fieldValue": "field_value"
            }
        ]
    }
]
}]

Server Processing

  1. The client sends the encrypted credentials and user access information to the server.
{
  "userData": [{
    "accessType": "access_type",
    "userId": "user_id",
    "credentails": [{
      "credentialId": "credential_id",
      "fields": [{
        "fieldId": "field_id",
        "fieldValue": "encrypted_field_value"
      }
      ]
    }
    ]
  }
  ]
}
  1. The server infers the field names and field types from the received data after verifying the signature.
  2. In a single transaction, the server performs the following steps for each credential and user:
  • Adds the credential to the particular user’s access list.
  • Adds the credential field details to the corresponding tables.

Note: If the credential is shared once, the server will add another entry to the access list table and skip adding to fields table