# Generation of Distributed Credentials

IOTICS handles credentials through Decentralized Identity (DID) Documents. They are built based on the [W3C's decentralized ID](https://www.w3.org/TR/did-core/) standard.

DIDs are an emerging effort for establishing a standard for self-sovereign digital identities. They provide entities with the ability to self-manage cryptographic key material and other metadata about their identity. This data can be used to authenticate an entity to third parties or to request authorisation for access to a given resource.s.

The IOTICS Identity Library is used to manufacture the IDs and register them in IOTICS so that authentication and authorisation can be achieved.

The decentralised nature of the IOTICS concept and middleware fits very well with the concept of DID and IOTICS Implements the necessary crypto verifications to prove ownership of a private key.

If you'd like to know more about DIDs and how they work, you can check ou[t the Decentralised Identit](https://docs.iotics.com/docs/identity)y page, for an overview an[d the Identity API and Crede](https://docs.iotics.com/docs/identity-api-and-credentials)ntials page for a more in-depth ex

> You will see the scripts below will output secret information, this is only used for education purposes. It is recommeded to use existing scripts that generate and delegate the credentials and store them in environment files
planation.

## Pre-requisites 

In [1]:
!pip install iotics-identity
!pip install iotics-grpc-client

Defaulting to user installation because normal site-packages is not writeable
Collecting iotics-identity
  Downloading iotics_identity-2.0.0-py3-none-any.whl.metadata (5.8 kB)
Collecting base58==2.1.1 (from iotics-identity)
  Downloading base58-2.1.1-py3-none-any.whl (5.6 kB)
Collecting PyJWT==2.7.0 (from iotics-identity)
  Downloading PyJWT-2.7.0-py3-none-any.whl (22 kB)
Collecting mnemonic==0.20 (from iotics-identity)
  Downloading mnemonic-0.20-py3-none-any.whl (62 kB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m62.0/62.0 kB[0m [31m1.6 MB/s[0m eta [36m0:00:00[0m00:01[0m
[?25hCollecting cryptography<42,>=41.0.2 (from iotics-identity)
  Downloading cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl.metadata (5.2 kB)
Downloading iotics_identity-2.0.0-py3-none-any.whl (47 kB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m48.0/48.0 kB[0m [31m1.3 MB/s[0m eta [36m0:00:00[0m
[?25hDownloading cryptography-41.0.7-cp37-abi3-manylinux_2_28_x

# Generating Credentials and Delgating Permissions

## Key Concepts

### Identity creation

To start creating a DID you'll need 2 values:

 - A Seed, a random string of characters generated via the API.
 - A Key Name, a string of characters that uniquely identifies the entity.
 
Together they generate a Key Pair consisting of a public and a private key which corresponds to the DID itself. Both keys, Private and Public form the cryptographic key pair that ensures the correct entity authentication.

### Identity storage

When a DID is created, it's stored into its related DDO, Decentralised Identity Document, which, along with the DID, contains some other important information for entity identification.
Each entity has its own DDO, and they are stored in the Resolver, a database for this type of documen

### Delegation

Once the DIDs are created the Delegation can take place. Delegation is the process of granting another entity the ability to act on behalf of an identity owner.

In IOTICS the delegating entity is always a User or a Twin and the delegated entity is always the Agent. With this, we have two types of delegation:

 - Authentication delegation:  A User delegates authorisation to an Agent so it can authenticate itself on an IOTICSpace on behalf of such User.
 - Control delegation: A Twin delegates control to an Agent to grant it the ability to perform operations on behalf of such Twin.in.
    in.t.
    

# Credential Generation Code

In [5]:
import sys

from iotics.lib.identity.api.high_level_api import (
    get_rest_high_level_identity_api,
    HighLevelIdentityApi,
    RegisteredIdentity

)

In [6]:
RESOLVER_URL: str = "https://did.prd.iotics.com"  # You can find it at <space_url>/index.json --> "resolver"

## Seed Generation

A new Identity, be it a User, an Agent or a Twin can be created with:
1.  A Key Name: a string of characters that uniquely identifies the entity;
2.  A Seed: a random string of characters generated via the API;
3.  A Name (optional): a human-friendly string of characters that represents the entity.
4.  
The creation (or retrieval) of a User and an Agent Identity will most likely be the entry point of any
IOTICS application.

While the User Identity represents the Identity of yourself,
the Agent Identity represents the Identity of the Software application that will manage your Twins.

This means, you will create (and re-use) only 1 User Identity and a different Agent Identity per application.
This script is intended to show what the setup of a User and an Agent Identity will be like.


In [9]:
if not RESOLVER_URL:
    print("Please add the RESOLVER_URL to this script.")
    print('You can find it at <space_url>/index.json --> "resolver"')
    sys.exit(1)

identity_api: HighLevelIdentityApi = get_rest_high_level_identity_api(
    resolver_url=RESOLVER_URL
)

# The seed generated is a 'bytes' object
bytes_seed_u: bytes = identity_api.create_seed()
bytes_seed_a: bytes = identity_api.create_seed()

hex_string_seed_u: str = bytes_seed_u.hex()
hex_string_seed_a: str = bytes_seed_a.hex()

print("USER_SEED: str = ", hex_string_seed_u)
print("AGENT_SEED: str = ", hex_string_seed_a)

USER_SEED:  str = hex_string_seed_u
AGENT_SEED: str = hex_string_seed_a

USER_SEED: str =  fe350c6e2d22f9c36f76c2f4794038eff2c2c0e47012bbf415c6d12779ceabcd
AGENT_SEED: str =  05843bee27bda0979df21fa0e10e154d5f7b4f6ade820ad1fd59bfcb630108ad


## Managing Credentials

Make sure you store the following credentials in a safe place as they will be used any time you want to use the API.

If you lose them you will not be able to interact with your twins anymore.

As a minimum we recommend that these credentials are used from some enviorment file used to house secrets and that it is managed appropriately (e.g. in a vault)


In [4]:
USER_KEY_NAME: str = "pclarke"                                                       # A string of characters that uniquely identifies the User (i.e. your name)
AGENT_KEY_NAME: str = "demo-cx"                                                      # A string of characters that uniquely identifies the Agent (i.e. your application/script name)
obs
#USER_SEED: str = "713e9a6901e9ec61e0e97007d18b988913c76a786fd3bec5e722961b4c81e5e0"  # A seed string of hex characters generated via the API (you can use "generate_new_seed.py")
#AGENT_SEED: str = "713e9a6901e9ec61e0e97007d18b988913c76a786fd3bec5e722961b4c81e5e0" # A seed string of hex characters generated via the API (you can use "generate_new_seed.py")

## Delegation
Delegation is the process of granting another entity the ability to act on behalf of an identity owner.

In this case we want to grant the agent the right to act on behalf of the user

In [8]:
identity_api: HighLevelIdentityApi = get_rest_high_level_identity_api(
    resolver_url=RESOLVER_URL
)

user_identity: RegisteredIdentity
agent_identity: RegisteredIdentity
(
    user_identity,  # It won't be used in this script
    agent_identity,  # It won't be used in this script
) = identity_api.create_user_and_agent_with_auth_delegation(
    # The user seed has to be converted back to a "bytes" object.
    # We can use the built-in function "bytes.fromhex()"
    user_seed=bytes.fromhex(USER_SEED),
    user_key_name=USER_KEY_NAME,
    # The agent seed has to be converted back to a "bytes" object
    agent_seed=bytes.fromhex(AGENT_SEED),
    agent_key_name=AGENT_KEY_NAME,
)

print("User and Agent created with Authentication Delegation")
print("Please store the following credentials in a safe place !!")
print("---")
print("USER_KEY_NAME:", USER_KEY_NAME)
print("USER_SEED:", USER_SEED)
print("---")
print("AGENT_KEY_NAME:", AGENT_KEY_NAME)
print("AGENT_SEED:", AGENT_SEED)




User and Agent created with Authentication Delegation
Please store the following credentials in a safe place !!
---
USER_KEY_NAME: pclarke
USER_SEED: 713e9a6901e9ec61e0e97007d18b988913c76a786fd3bec5e722961b4c81e5e0
---
AGENT_KEY_NAME: demo-cx
AGENT_SEED: 713e9a6901e9ec61e0e97007d18b988913c76a786fd3bec5e722961b4c81e5e0
