ClientIdentity

The ClientIdentity interface enables you to write a chaincode that makes access control decisions based on the identity of the client (i.e., the invoker of the chaincode). In particular, you can make access control decisions based on either or both of the following:

  • The client identity's Membership Service Provider (MSP) ID

  • Attributes associated with the client identity.

In essence, the client’s identity is the X.509 certificate, which may carry additional attributes in the form of name and value pairs. For example, email=me@gmail.com indicates that an identity has the email attribute with the value me@gmail.com. Custom attributes may be specified during user registration and enrollment by Fabric CA (Certificate Authority). This process is covered in more detail in the Interaction with Fabric CA from an Application chapter.

ClientIdentity is the main interface to interact with identities. This interface simplifies the identity parsing process and provides the following methods:

  • getID(): string returns the ID associated with the invoking identity. This ID is guaranteed to be unique within the MSP. The resulting string has the following format: "x509::{subject DN}::{issuer DN}"

  • getMSPID(): string returns the MSP ID of the client (e.g., Org1MSP).

  • getAttributeValue(attrName: string): string returns the value of the client's attribute named attrName. If a client possesses the attribute, the return value equals the value of the attribute. Otherwise, null is returned.

  • assertAttributeValue(attrName: string, attrValue: string): boolean checks whether the client has the attrName attribute with a value of attrValue.

  • getIDBytes(): Uint8Array returns the ID bytes associated with the invoking identity. If the MSP is implemented with X.509 certificates, then ID bytes represent the underlying X.509 certificate. Parsing libraries should be used to inspect the content of this certificate (e.g., jsrsasign or @fidm/x509).

The ClientIdentity object can be accessed via the transaction context object passed into every chaincode function:

const cid = ctx.clientIdentity;
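
The following is an added example, not code from Fabric or from this guide: a fail-closed guard that combines the MSP ID check with attribute checks and splits getID() for audit records. The helpers authorize() and fakeIdentity(), the policy shape, and the sample identities are assumptions constructed so the guard runs outside a peer.

```javascript
// authorize() and fakeIdentity() are hypothetical helpers, not part of the Fabric API.

// Fail-closed check: the caller must belong to an allowed MSP and hold every
// required attribute. Attributes are issued by each organization's CA, so an
// attribute is only trusted together with the MSP ID that vouches for it.
function authorize(ctx, { mspIds, attrs = {} }) {
  const cid = ctx.clientIdentity;
  const mspId = cid.getMSPID();
  if (!mspIds.includes(mspId)) {
    throw new Error(`access denied: MSP ${mspId} is not allowed`);
  }
  for (const [name, value] of Object.entries(attrs)) {
    // assertAttributeValue is false when the attribute is absent or differs.
    if (!cid.assertAttributeValue(name, value)) {
      throw new Error(`access denied: attribute ${name} missing or wrong`);
    }
  }
  // getID() has the form "x509::{subject DN}::{issuer DN}".
  const [scheme, subject, issuer] = cid.getID().split('::');
  return { mspId, scheme, subject, issuer };
}

// Constructed stand-in exposing the ClientIdentity methods listed above.
function fakeIdentity(mspId, subject, issuer, attrs) {
  const has = (n) => Object.prototype.hasOwnProperty.call(attrs, n);
  return {
    getMSPID: () => mspId,
    getID: () => `x509::${subject}::${issuer}`,
    getAttributeValue: (n) => (has(n) ? attrs[n] : null),
    assertAttributeValue: (n, v) => has(n) && attrs[n] === v,
  };
}

// Constructed sample callers: same attribute, different organizations.
const auditor = { clientIdentity: fakeIdentity(
  'Org1MSP', '/CN=alice', '/CN=ca.org1.example.com', { role: 'auditor' }) };
const outsider = { clientIdentity: fakeIdentity(
  'Org2MSP', '/CN=bob', '/CN=ca.org2.example.com', { role: 'auditor' }) };

const policy = { mspIds: ['Org1MSP'], attrs: { role: 'auditor' } };
console.log(authorize(auditor, policy));
try {
  authorize(outsider, policy);
} catch (e) {
  console.log(e.message); // the Org2MSP caller is rejected despite role=auditor
}
```

Inside a chaincode function, the guard would be called first with the transaction context, before any ledger read or write.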
