
Share Credentials with groups

The sequence diagram below shows how a user can share credentials with other users.

Sequence Diagram

[Figure: Sequence diagram for sharing credentials with groups]

User Selection

  1. The user selects the credentials they want to share and clicks on the “Share” button.
  2. The client sends a request to the server to fetch the required credential fields.

    [{
        "credentialId": "credentialId",
        "fields": [{
            "fieldId": "field_id",
            "fieldValue": "decrypted_field_value"
        }]
    }]

  3. The server returns the credential fields to the client.

Group and Access Type Selection

  1. The user selects the required group they want to share the credentials with.
  2. The user specifies the access type (e.g., read, manager) for the selected group.

Background Service Processing

  1. The client sends the selected credentials and group members to the background service.
  2. The background service sends the credentials to the WASM module for decryption.
  3. The WASM module, which has the user’s private key loaded in memory, decrypts the credentials.

    [{
        "credentialId": "credentialId",
        "fields": [{
            "fieldId": "field_id",
            "fieldValue": "decrypted_field_value"
        }]
    }]

  4. After decryption, the background service sends the decrypted fields back to the WASM module, which encrypts them with each group member’s public key.

    [{
        "userId": "user_id",
        "credentials": [{
            "credentialId": "credential_id",
            "fields": [{
                "fieldId": "field_id",
                "fieldValue": "field_value"
            }]
        }]
    }]

  5. The background service sends the encrypted credentials back to the client.
  6. The client then sends the whole payload to be hashed and then signed.

Server Processing

  1. The client sends the encrypted credentials, user IDs, and group ID to the server, with the signature in a request header.

    {
        "groupData": [{
            "groupId": "group_id",
            "accessType": "access_type",
            "userData": [{
                "userId": "user_id",
                "credentials": [{
                    "credentialId": "credential_id",
                    "fields": [{
                        "fieldId": "field_id",
                        "fieldValue": "field_value"
                    }]
                }]
            }]
        }]
    }

  2. After verifying the signature, the server infers the field names and field types from the received data.
  3. In a single transaction, the server performs the following steps for each credential and group member:
    • Adds the credential to that user’s access list, with the access type inherited from the group.
    • Adds the credential field details to the corresponding tables.

Note: If the credential has already been shared, the server only adds another entry to the access list table and skips adding to the fields table.