Multitenancy and public DIDs #1657
Comments
|
Last time I checked all the base wallet could do was create sub wallets. So I would say yes you need another agent, sub wallet or standalone, that does the endorsement for you. As a remark there is also an open PR that endorses an ATTRIB transaction to set the endpoint on the ledger: #1616 For holder wallets this is the best option imho. In the end it depends on where to place the orchestration of the api calls. If I remember correctly the consent was to keep such logic in the controller (not aca-py). But what seems odd right now is that one part of the wallet initialisation logic lies in the sub wallet and one part in the base wallet. This means that there is a difference on what a freshly initialised sub- wallet controller must do vs a standalone controller. So maybe it would make sense to have the option to provide a did/seed when calling POST /multitenancy/wallet and as a second step have the option in the base wallet to write a NYM or ATTRIB transaction to the ledger (either directly or via an endorser). Like this all api calls would be in one place. |
This allows option 3 mentioned in openwallet-foundation#1657 which means the base wallet is able to register DIDs created for sub-wallets Signed-off-by: Matthias Binzer <[email protected]>
|
Thanks @etschelp I personally would prefer to have just 1 instance running. |
|
Short remark for others: The After debugging a lot, I switched to askar and now it seems it does everything I need (in combination with the mentioned PR) I think the initially described options still need to be discussed and decided what should be the desired behavior. |
|
#1 is the recommended option. With PR #1616 (should be completed soon) the sub-wallet can self-register their new DID via an endorser. Right now it's recommended that the endorser be a separate aca-py instance (not another sub-wallet and not the base wallet) because it will have different startup params (you can start up an aca-py instance configured as an author or as an endorser) - in a multitenant scenario the aca-py startup params apply to all sub-wallets, there is no way to configure one sub-wallet differently from the others. (Note - you can start up aca-py without any of the endorser parameters, but then author sub-wallets need to call all the aca-py endpoints with all the endorser parameters explicitly provided.) So, as above, #2 is possible but will require some extra care and attention for the author in calling the aca-py endpoints For #3, this relies on the controller calling the base wallet, so I'm not sure this would count as a "self serve" model (whereas connecting to an endorser would allow the author to manage their own ledger updates, and would be required for the schema and cred def updates anyways) |
|
Closing, replaced by Issue #1682 |
Hi all,
as I'm looking into acapy multitenancy a bit, I had some trouble registering public DIDs for sub-wallets.
It looks like I'm not the only one as there have been some issues here:
#1460
and there
#1358
I'm trying to summarize what I've learned so far:
Most important to understand:
/wallet/did/createand/wallet/did/publicendpoints are NOT enough./ledger/register-nymIN BETWEEN those endpoints!So far so good. The issue is, that:
Using this endpoint is not possible when using multitenancy. I think there are Options here:
Currently I only see option 1.
Option 2 does not work because I would need to be able to pre-seed / fill the DID I create in a sub-wallet - which seems not possible right now.
/wallet/did/createdoes not allow to add a seed or existing (on the ledger) DID/wallet/did/publicdoes not allow to add seed, so I can NOT add an existing (on the ledger) DIDOption 3 would have been my first guess, but with multitenancy enabled, it requires authentication, and this I get only for a sub-wallet.
Can someone confirm my observations or give some hints where I might have some misunderstandings?
Thanks a lot!
Matthias
The text was updated successfully, but these errors were encountered: