simple

command
v0.6.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 27, 2026 License: MIT Imports: 8 Imported by: 0

README

AIMS Simple Example: WIT and WPT Authentication

This example demonstrates basic AIMS agent authentication using SPIFFE IDs and WIMSE tokens.

Overview

The example shows:

  • Creating a SPIFFE ID for an agent
  • Creating a Workload Identity Token (WIT)
  • Creating a WIMSE Proof Token (WPT) for a specific request
  • Validating tokens

Key Concepts

SPIFFE ID

The canonical identifier format for workloads:

spiffe://trust-domain/path

Example: spiffe://example.com/agent/calendar-bot

Workload Identity Token (WIT)

A JWT representing workload identity per draft-ietf-wimse-s2s-protocol:

{
  "iss": "https://spire.example.com",
  "sub": "spiffe://example.com/agent/calendar-bot",
  "aud": ["https://api.example.com"],
  "exp": 1234567890,
  "cnf": { "kid": "key-1" }
}
WIMSE Proof Token (WPT)

Binds authentication to a specific HTTP request:

{
  "iss": "spiffe://example.com/agent/calendar-bot",
  "aud": "https://api.example.com",
  "htm": "POST",
  "htu": "/api/v1/events",
  "iat": 1234567890,
  "exp": 1234568190
}

Running

go run ./aims/examples/simple

Expected Output

=== AIMS Simple Authentication Demo ===
This demo shows agent authentication using SPIFFE ID and WIMSE tokens.

1. Creating SPIFFE ID for agent...
   SPIFFE ID: spiffe://example.com/agent/calendar-bot
   Trust Domain: example.com
   Path: /agent/calendar-bot
   Is Agent: true

2. Generating agent key pair...
   Key type: ECDSA P-256
   Key ID: agent-key-1

3. Creating Workload Identity Token (WIT)...
   Issuer: spiffe://example.com
   Subject: spiffe://example.com/agent/calendar-bot
   Audience: [https://api.example.com]
   Expires in: 1h0m0s
   Signed WIT (length: XXX chars)

4. Creating WIMSE Proof Token (WPT) for request...
   Issuer: spiffe://example.com/agent/calendar-bot
   Audience: https://api.example.com
   HTTP Method (htm): POST
   HTTP URI (htu): /api/v1/events
   WPT added to header: Dpop

5. Creating AgentIdentity...
   SPIFFE ID: spiffe://example.com/agent/calendar-bot
   Credential Type: jwt-svid
   Is Valid: true

6. Validating tokens...
   WIT validation: PASSED
   WPT validation: PASSED
   WPT matches request: YES

Demo completed successfully!

Key Points

  • SPIFFE IDs provide portable, verifiable workload identity
  • WIT is the long-lived identity token (similar to an access token)
  • WPT provides request binding (proof-of-possession)
  • Both tokens are signed JWTs using ECDSA P-256

Documentation

Overview

Package main demonstrates basic AIMS agent authentication with SPIFFE ID.

This example shows:

  • Creating a SPIFFE ID for an agent
  • Creating a Workload Identity Token (WIT)
  • Creating a WIMSE Proof Token (WPT) for a specific request
  • Verifying the agent identity

EXPERIMENTAL

This example implements draft-klrc-aiagent-auth-00 and draft-ietf-wimse-s2s-protocol which are subject to change.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL