Identity Service

The Vanadium Identity Service generates blessings. It uses an OAuth2 identity provider to get the email address of the user on whose behalf the request is made and then issues a blessing for that email address. Blessings issued by this service are of two kinds:

Broadly, the identity service has three main components:

One additional service enables revocation of the granted blessings:

All services are exposed by a single binary - identityd. Since user-blessings are quite powerful, it is important to limit their scope using caveats. This complicates the flow for obtaining these blessings and involves a sequence of interactions with the authentication service and the Vanadium blessing service. In order to save users from interacting with multiple services and exchanging credentials betweeen them, we also provide a command-line tool - principal - that carries out the work of communicating with the services and obtaining a user-blessing for the principal that the tool is running as.


Before diving into the details of identityd's design, some prerequisites:

Service interfaces

The HTTPS Authentication Service runs at and uses the Google OAuth2 web service flow for authenticating users. It has a specific OAuth2 ClientID and ClientSecret obtained from the Google Developer Console. It supports the following routes:

Route Purpose
/google/seekblessings Receive user-blessing requests
/google/caveats Display a form for selecting caveats to be added to a blessing
/google/sendmacaroon Receive a POST request from the caveat selection form
/google/listblessings Enumerate all blessings made by a particular user
/google/revoke Receive revocation requests
/google/bless Receive application-blessing requests

The blessing service is a Vanadium RPC service reachable via the name / and presents the MacaroonBlesser interface:

type MacaroonBlesser interface {
  // Bless uses the provided macaroon (which contains email and caveats)
  // to return a blessing for the client.
  Bless(macaroon string) (blessing security.WireBlessings | error)

User-Blessing flow

The principal command-line tool is used to orchestrate the process of obtaining a macaroon from the HTTPS Authentication Service and exchanging it for a user-blessing from the Vanadium Blessing Service. The following sequence diagram lists the network requests involved in this process:

Blessing flow diagram

Steps 1 through 4 in the sequence diagram above result in the principal tool invocation obtaining a macaroon.

Steps 5 and 6 exchange that macaroon for a user-blessing.

  1. The tool generates a random state parameter toolState and starts an HTTP server on localhost for receiving the macaroon. toolURI denotes the URI of this server (e.g.,, and toolPublicKey denotes the public key of the principal running the tool. It then directs the web browser on the machine to the HTTP Authentication Service while informing it of toolURI, toolPublicKey and the toolState parameters. For example, it might redirect to:<toolURI>&state=<toolState>&public_key=<toolPublicKey>

  2. The HTTP Authentication Service extracts toolURI, toolState and toolPublicKey and redirects the browser to the Google OAuth2 endpoint (using the web service flow). The redirect_uri provided to this endpoint is set to the page that presents a form to control caveats on the final blessing and the state parameter is set to: oauthstate = Macaroonk(toolURI + toolState + toolPublicKey + serverCookie) where serverCookie is a cookie set by the HTTP Authentication Service in the user's browser. This leads the user's browser to a URL like:

    The Google OAuth2 endpoint asks the user to login and grant access to email address to the Vanadium Identity Server, after which it redirect the browser back to:<authcode>&state=<oauthstate>

  3. The caveats page at the HTTP Authentication Service receives authcode and oauthstate. It then:

    • Verifies that oauthstate is a valid macaroon generated by step 2.
    • Extracts toolURI, toolState, toolPublicKey and serverCookie from the macaroon.
    • Verifies that serverCookie matches the cookie presented by the browser
    • Exchanges authcode for an email address (via an identity token) using the OAuth2 client-secret.
    • Displays a form for selecting caveats to be added to the blessing that will ultimately be provided to the principal tool started in step 1. Embedded in this form is formstate = Macaroon<sub>k</sub>(toolURI + toolState + toolPublicKey + email + serverCookie).
  4. When the user submits the form rendered in step 3, the browser sends the form contents to which performs the following steps:

    • Verifies that formstate is a valid macaroon.
    • Extracts toolURI, toolState, toolPublicKey, email and serverCookie encapsulated in the macaroon.
    • Verifies that serverCookie matches the cookie presented by the browser.
    • Verifies that toolURI is a localhost URI.
    • Computes M = Macaroonk(email, toolPublicKey, caveats).
    • Redirects the browser to: https://<toolURI>/macaroon?state=<toolState>&macaroon=M&root_key=publicKey where publicKey is the blessing root of the identity service.
  5. The principal tool receives the macaroon M, toolState and the blessing root via the HTTP redirect in step 4. It then:

    • Verifies that toolState obtained here matches the one created in step 1.
    • Invokes the Bless RPC on the blessing service passing it M as an argument. It only sends this request if the the RPC server proves that it's public key is publicKey via the authentication protocol used in RPCs.
  6. The Vanadium Blessing Service that receives this RPC performs the following steps:

    • Verifies that the macaroon presented is valid.
    • Extracts email, toolPublicKey and caveats from it.
    • Verifies that the principal making the RPC request has the same public key as toolPublicKey. This check ensures that the macaroon can only be used by the principal tool that requested it in the first place. It protects against impersonation attacks wherein an attacker steals the macaroon handed out in step 5 and then tries to obtain a blessing for the email address encapsulated in the macaroon.
    • Generates a user-blessing with the name<email> and the caveats extracted from the macaroon. This blessing is bound to the public key of the principal making the RPC request (i.e., toolPublicKey).
    • Records the creation of this blessing in a database which can be queried via

Application-Blessing flow

Any application that possesses an OAuth2 token can make a request for an application-blessing. Such a request is made via GET request to the HTTPS Application-Blessing Service. The request must include the following parameters:

For example, the request URL may be:<publicKey>&token=<token>

The token provided must be a Google OAuth2 access token but may be bound to any OAuth2 Client ID. The Vanadium identity service may not have a pre-existing relationship with the application that the ClientID has been registered for.

When the service receives a request for an application-blessing, its presents the provided token to Google's tokeninfo endpoint, and among other things, obtains the email address and the ClientID that the token is bound to. (In particular, the ClientID is obtained from the aud field of the tokeninfo struct.) The service then generates an application-blessing for the provided public key. By default, the application identifier is set to the ClientID obtained from the access token. In some cases, the application corresponding to the ClientID may have registered a specific name with the Vanadium identity service, in which case, that name is used as the application identifier. The generated blessing carries any caveats provided during the request.

Supported caveats

The caveat addition form presented to the user in step 4 supports a few types of caveats:


The revocation caveat that is (at the user's request) added to the blessing is a third-party caveat with a unique 16-byte ID and the object name of the discharging service. Each time a revocation caveat is created, the blessing service stores the corresponding ID and the revocation status in a SQL database.

The discharge service run by identityd extracts the ID from the caveat and looks it up in the database. If the database suggests that blessing should be revoked, it refuses to issue a discharge.

This is implemented in services/identity/internal/revocation.

Revocation can be triggered by clicking buttons on