The Credentials Config Service manages and provides information about services and the credentials they are using. It returns the scope to be requested from the wallet per service and the credentials and issuers that are considered to be trusted for a certain service.
In an DSBA-compliant framework, a Verifier is responsible to communicate with wallets and verify the credentials they provide. To get this done, it needs information about:
- the credentials to be requested from a wallet
- the credentials and claims an issuer is allowed to issue
To do so, it requires a service that provides such information, e.g. the Credentials Config Service. See the following diagram on how the service integrates into the framework.
The Credentials-Config-Service Service is provided as a container at quay.io. To store information about the services, a database has to be provided. In a local setup, you can for example use:
docker run --name mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=root -e MYSQL_USER=user -e MYSQL_PASSWORD=password -e MYSQL_DATABASE=db mysqland the start the service:
docker run --network host quay.io/fiware/credentials-config-service:0.0.1After that, its accessible at localhost:8080.
Configurations can be provided with the standard mechanisms of the Micronaut-Framework, e.g. environment variables or appliction.yaml file. The following table concentrates on the most important configuration parameters:
| Property | Env-Var | Description | Default |
|---|---|---|---|
micronaut.server.port |
MICRONAUT_SERVER_PORT |
Server port to be used for the notfication proxy. | 8080 |
micronaut.metrics.enabled |
MICRONAUT_METRICS_ENABLED |
Enable the metrics gathering | true |
datasources.default.url |
DATASOURCES_DEFAULT_URL |
JDBC connection string to the database. | jdbc:mysql://localhost:3306/db |
datasources.default.driverClassName |
DATASOURCES_DEFAULT_DRIVER_CLASS_NAME |
Driver to be used for the database connection. | com.mysql.cj.jdbc.Driver |
datasources.default.username |
DATASOURCES_DEFAULT_USERNAME |
Username to authenticate at the database. | user |
datasources.default.password |
DATASOURCES_DEFAULT_PASSWORD |
Password to authenticate at the database. | password |
datasources.default.dialect |
DATASOURCES_DEFAULT_DIALECT |
Dialect to be used with the DB. Currently MYSQL and H2 are supported. | MYSQL |
Credentials-Config-Service requires an SQL database. It currently supports MySql-compatible DBs and H2 (as an In-Memory DB for dev/test purposes). Migrations are applied via flyway, see the migration-scripts for the schema.
The service provides the following API:
It is used to manage the service-related entries and provides endpoints to retrieve the required information.
To have information about a service available, it first needs to be created. An example request would look like:
curl -X 'POST' \
'http://localhost:8080/service' \
-H 'accept: */*' \
-H 'Content-Type: application/json' \
-d '{
"id": "packet-delivery-service",
"defaultOidcScope": "default",
"oidcScopes": {
"default": {
"credentials": [
{
"type": "VerifiableCredential",
"trustedParticipantsLists": [
"https://tir-pdc.ebsi.fiware.dev"
],
"trustedIssuersLists": [
"https://til-pdc.ebsi.fiware.dev"
]
}
],
"presentationDefinition": {
"id": "somethingUnique",
"name": "Presentation to be requested.",
"purpose": "something that describes our request.",
"input_descriptors": [
{
"id": "somethingUnique",
"name": "User Age request",
"purpose": "Only users above a certain age should get service access",
"constraints": {
"fields": [
{
"id": "somethingUnique",
"name": "User Age request",
"purpose": "Only users above a certain age should get service access",
"optional": false,
"path": [
"$.dateOfBirth"
]
}
]
},
"format": {
"vc+sd-jwt":
"alg": ["ES256"]
}
]
}
}
}
}'Such configuration will define that the requested scope for authentication-requests to packet-delivery-service is
VerifiableCredential and that the issuer needs to be listed as a trusted-participant at
https://tir-pdc.ebsi.fiware.dev and that the information about the trusted-issuers should be retrieved from https://til-pdc.ebsi.fiware.dev.
Additionally, it describes the presentation to be requested need to include the claim $.dateOfBirth and should be a vc+sd-jwt credential, signed by an ES256 algorithm.
The verifier can access that information via:
curl --location 'localhost:8080/service/packet-delivery-service'The config service also supports GAIA-X Registries as participants list(even mixed configurations):
curl -X 'POST' \
'http://localhost:8080/service' \
-H 'accept: */*' \
-H 'Content-Type: application/json' \
-d '{
"id": "packet-delivery-service",
"credentials": [
{
"type": "VerifiableCredential",
"trustedParticipantsLists": [
{
"type": "ebsi",
"url": "https://tir-pdc.ebsi.fiware.dev"
},
{
"type": "gaia-x",
"url": "https://registry.lab.gaia-x.eu"
}
],
"trustedIssuersLists": [
"https://til-pdc.ebsi.fiware.dev"
]
}
]
}'and receive:
{
"id": "packet-delivery-service",
"credentials": [
{
"type": "VerifiableCredential",
"trustedParticipantsLists": [
{
"type": "ebsi",
"url": "https://tir-pdc.ebsi.fiware.dev"
},
{
"type": "gaia-x",
"url": "https://registry.lab.gaia-x.eu"
}
],
"trustedIssuersLists": [
"https://til-pdc.ebsi.fiware.dev"
]
}
]
}Besides that, it's also possible to get just the scope to be requested:
curl --location 'localhost:8080/service/packet-delivery-service/scope'and receive:
[
"VerifiableCredential"
]For each service and scope, a Presentation Definition can be defined. The Presentation Definition will be requested in the OID4VP exchange from the Holder's Wallet.
Example:
"presentationDefinition": {
"id": "somethingUnique",
"name": "Presentation to be requested.",
"purpose": "something that describes our request.",
"input_descriptors": [
{
"id": "somethingUnique",
"name": "User Age request",
"purpose": "Only users above a certain age should get service access",
"constraints": {
"fields": [
{
"id": "credential-type",
"name": "Type of the credential to be requested",
"purpose": "We do only accept offical documents for proofing the age.",
"optional": false,
"path": [
"$.vct"
],
"filter": {
"const": "NaturalPersonCredential"
}
},
{
"id": "user-age",
"name": "User Age request",
"purpose": "Only users above a certain age should get service access",
"optional": false,
"path": [
"$.dateOfBirth"
]
}
]
},
"format": {
"vc+sd-jwt":
"alg": ["ES256"]
}
]
}This definition will request a credential of type NaturalPersonCredential, that contains the claim $.dateOfBirth(defined by a JsonPath expression),
in the vc+sd-jwt format, signed by the ES256 algorithm. While PresentationDefinitions allow very fine-grained control about the claims and
credentials to be requested, most wallets do only support a limited complexity(f.e. only level-one path expressions or no filtering). At the moment,
its recommended to keep complexity at the minimal level.
Credentials-Config-Service is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.
© 2023 FIWARE Foundation e.V.