add presentation definition

README.md

@@ -77,49 +77,64 @@ curl -X 'POST' \
   -H 'Content-Type: application/json' \
   -d '{
   "id": "packet-delivery-service",
-  "credentials": [
-    {
-      "type": "VerifiableCredential",
-      "trustedParticipantsLists": [
-        "https://tir-pdc.ebsi.fiware.dev"
+  "defaultOidcScope": "default",
+  "oidcScopes": {
+    "default": {
+      "credentials": [
+        {
+          "type": "VerifiableCredential",
+          "trustedParticipantsLists": [
+            "https://tir-pdc.ebsi.fiware.dev"
+          ],
+          "trustedIssuersLists": [
+            "https://til-pdc.ebsi.fiware.dev"
+          ]
+        }
       ],
-      "trustedIssuersLists": [
-        "https://til-pdc.ebsi.fiware.dev"
-      ]
+      "presentationDefinition": {
+        "id": "somethingUnique",
+        "name": "Presentation to be requested.",
+        "purpose": "something that describes our request.",
+        "input_descriptors": [
+          {
+            "id": "somethingUnique",
+            "name": "User Age request",
+            "purpose": "Only users above a certain age should get service access",
+            "constraints": {
+              "fields": [
+                {
+                  "id": "somethingUnique",
+                  "name": "User Age request",
+                  "purpose": "Only users above a certain age should get service access",
+                  "optional": false,
+                  "path": [
+                      "$.dateOfBirth"
+                  ]
+                }
+              ]
+            },
+            "format": {
+              "vc+sd-jwt": 
+                "alg": ["ES256"]
+          }
+        ]
+      }
     }
-  ]
+  }
 }'
 ```
 Such configuration will define that the requested scope for authentication-requests to ```packet-delivery-service``` is 
 ```VerifiableCredential``` and that the issuer needs to be listed as a trusted-participant at 
 ```https://tir-pdc.ebsi.fiware.dev```  and that the information about the trusted-issuers should be retrieved from ```https://til-pdc.ebsi.fiware.dev```.
+Additionally, it describes the presentation to be requested need to include the claim ```$.dateOfBirth``` and should be a ```vc+sd-jwt``` credential, signed by an ```ES256``` algorithm.
 
 The verifier can access that information via:
 
 ```shell
 curl --location 'localhost:8080/service/packet-delivery-service'
 ```
 
-and receive:
-```shell
-{
-  "id": "packet-delivery-service",
-  "credentials": [
-    {
-      "type": "VerifiableCredential",
-      "trustedParticipantsLists": [
-        {
-          "type": "ebsi",
-          "url": "https://tir-pdc.ebsi.fiware.dev"
-        }
-      ],
-      "trustedIssuersLists": [
-        "https://til-pdc.ebsi.fiware.dev"
-      ]
-    }
-  ]
-}
-```
+#### Support for Gaia-X registries
 
 The config service also supports GAIA-X Registries as participants list(even mixed configurations):
 ```shell
@@ -188,6 +203,62 @@ and receive:
 ]
 ```
 
+#### Presentation Definition
+
+For each service and scope, a [Presentation Definition](https://identity.foundation/presentation-exchange/#presentation-definition) can be defined. 
+The Presentation Definition will be requested in the OID4VP exchange from the Holder's Wallet. 
+
+Example:
+
+```json
+  "presentationDefinition": {
+    "id": "somethingUnique",
+    "name": "Presentation to be requested.",
+    "purpose": "something that describes our request.",
+    "input_descriptors": [
+      {
+        "id": "somethingUnique",
+        "name": "User Age request",
+        "purpose": "Only users above a certain age should get service access",
+        "constraints": {
+          "fields": [
+            {
+              "id": "credential-type",
+              "name": "Type of the credential to be requested",
+              "purpose": "We do only accept offical documents for proofing the age.",
+              "optional": false,
+              "path": [
+                 "$.vct" 
+              ],
+              "filter": {
+                "const": "NaturalPersonCredential"         
+              }
+            },
+            {
+              "id": "user-age",
+              "name": "User Age request",
+              "purpose": "Only users above a certain age should get service access",
+              "optional": false,
+              "path": [
+                  "$.dateOfBirth"
+              ]
+            }
+          ]
+        },
+        "format": {
+          "vc+sd-jwt": 
+            "alg": ["ES256"]
+      }
+    ]
+  }
+```
+
+This definition will request a credential of type ```NaturalPersonCredential```, that contains the claim ```$.dateOfBirth```(defined by a JsonPath expression),
+in the ```vc+sd-jwt``` format, signed by the ```ES256``` algorithm. While PresentationDefinitions allow very fine-grained control about the claims and 
+credentials to be requested, most wallets do only support a limited complexity(f.e. only level-one path expressions or no filtering). At the moment, 
+its recommended to keep complexity at the minimal level.
+
+
 ## License
 
 Credentials-Config-Service is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

api/credentials-config-service.yaml

@@ -245,10 +245,16 @@ components:
         - enabled
         - claim
     ServiceScopesEntry:
-      type: array
-      minItems: 1
-      items:
-        $ref: '#/components/schemas/Credential'
+      type: object
+      properties:
+        credentials:
+          type: array
+          description: Trust configuration for the credentials
+          minItems: 1
+          items:
+            $ref: '#/components/schemas/Credential'
+        presentationDefinition:
+          $ref: '#/components/schemas/PresentationDefinition'
     Service:
       type: object
       description: Configuration of a service and its credentials
@@ -290,6 +296,92 @@ components:
           description: The list of services
           items:
             $ref: '#/components/schemas/Service'
+    PresentationDefinition:
+      type: object
+      description: Proofs required by the service - see https://identity.foundation/presentation-exchange/#presentation-definition
+      properties:
+        id:
+          type: string
+          description: Id of the definition
+          example: "32f54163-7166-48f1-93d8-ff217bdb0653"
+        name:
+          type: string
+          description: A human readable name for the definition
+          example: My default service credentials
+        purpose:
+          type: string
+          description: A string that describes the purpose for wich the definition should be used
+          example: The service requires age and name of the requesting user.
+        input_descriptors:
+          type: array
+          description: List of requested inputs for the presentation
+          items:
+            $ref: '#/components/schemas/InputDescriptor'
+        format:
+          $ref: '#/components/schemas/Format'
+      required:
+        - id
+        - input_descriptors
+    InputDescriptor:
+      type: object
+      properties:
+        id:
+          type: string
+          description: Id of the descriptor
+          example: "32f54163-7166-48f1-93d8-ff217bdb0653"
+        name:
+          type: string
+          description: A human readable name for the definition
+          example: User Age request
+        purpose:
+          type: string
+          description: A string that describes the purpose for which the claim is requested
+          example: Only users above a certain age should get service access
+        constraints:
+          $ref: '#/components/schemas/Constraints'
+        format:
+          $ref: '#/components/schemas/Format'
+      required:
+        - id
+        - constraints
+    Constraints:
+      type: object
+      properties:
+        fields:
+          type: array
+          description: List of the requested claims
+          items:
+            $ref: '#/components/schemas/Field'
+    Field:
+      type: object
+      properties:
+        id:
+          type: string
+          description: Id of the field
+          example: "32f54163-7166-48f1-93d8-ff217bdb0653"
+        name:
+          type: string
+          description: A human readable name for the definition
+          example: User Age request
+        purpose:
+          type: string
+          description: A string that describes the purpose for which the claim is requested
+          example: Only users above a certain age should get service access
+        optional:
+          type: boolean
+          description: Defines if the described field is considered optional or not
+        path:
+          type: array
+          description: An array of JsonPaths that selects the value from the input
+          items:
+            type: string
+            example: "$.credentialSubject.dateOfBirth"
+        filter:
+          type: object
+          description: Filter to be evaluated against the values returned from path evaluation
+    Format:
+      type: object
+      additionalProperties: true
     ProblemDetails:
       type: object
       properties: