/credentials-config-service

Provide information about scope and trust-lists for verifier components.

Primary LanguageJavaApache License 2.0Apache-2.0

Credentials Config Service

The Credentials Config Service manages and provides information about services and the credentials they are using. It returns the scope to be requested from the wallet per service and the credentials and issuers that are considered to be trusted for a certain service.

FIWARE Security License badge Container Repository on Quay Coverage Status Test Release

Background

In an DSBA-compliant framework, a Verifier is responsible to communicate with wallets and verify the credentials they provide. To get this done, it needs information about:

  • the credentials to be requested from a wallet
  • the credentials and claims an issuer is allowed to issue

To do so, it requires a service that provides such information, e.g. the Credentials Config Service. See the following diagram on how the service integrates into the framework.

overview-setup

Installation

Container

The Credentials-Config-Service Service is provided as a container at quay.io. To store information about the services, a database has to be provided. In a local setup, you can for example use:

docker run --name mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=root -e MYSQL_USER=user -e MYSQL_PASSWORD=password -e MYSQL_DATABASE=db mysql

and the start the service:

docker run --network host quay.io/fiware/credentials-config-service:0.0.1

After that, its accessible at localhost:8080.

Configuration

Configurations can be provided with the standard mechanisms of the Micronaut-Framework, e.g. environment variables or appliction.yaml file. The following table concentrates on the most important configuration parameters:

Property Env-Var Description Default
micronaut.server.port MICRONAUT_SERVER_PORT Server port to be used for the notfication proxy. 8080
micronaut.metrics.enabled MICRONAUT_METRICS_ENABLED Enable the metrics gathering true
datasources.default.url DATASOURCES_DEFAULT_URL JDBC connection string to the database. jdbc:mysql://localhost:3306/db
datasources.default.driverClassName DATASOURCES_DEFAULT_DRIVER_CLASS_NAME Driver to be used for the database connection. com.mysql.cj.jdbc.Driver
datasources.default.username DATASOURCES_DEFAULT_USERNAME Username to authenticate at the database. user
datasources.default.password DATASOURCES_DEFAULT_PASSWORD Password to authenticate at the database. password
datasources.default.dialect DATASOURCES_DEFAULT_DIALECT Dialect to be used with the DB. Currently MYSQL and H2 are supported. MYSQL

Database

Credentials-Config-Service requires an SQL database. It currently supports MySql-compatible DBs and H2 (as an In-Memory DB for dev/test purposes). Migrations are applied via flyway, see the migration-scripts for the schema.

Usage

The service provides the following API:

It is used to manage the service-related entries and provides endpoints to retrieve the required information.

Example

To have information about an service available, it first needs to be created. An example request would look like:

curl -X 'POST' \
  'http://localhost:8080/service' \
  -H 'accept: */*' \
  -H 'Content-Type: application/json' \
  -d '{
  "id": "packet-delivery-service",
  "credentials": [
    {
      "type": "VerifiableCredential",
      "trustedParticipantsLists": [
        "https://tir-pdc.gaia-x.fiware.dev"
      ],
      "trustedIssuersLists": [
        "https://til-pdc.gaia-x.fiware.dev"
      ]
    }
  ]
}'

Such configuration will define that the requested scope for authentication-requests to packet-delivery-service is VerifiableCredential and that the issuer needs to be listed as a trusted-participant at https://tir-pdc.gaia-x.fiware.dev and that the information about the trusted-issuers should be retrieved from https://til-pdc.gaia-x.fiware.dev.

The verifier can access that information via:

curl --location 'localhost:8080/service/packet-delivery-service'

and receive:

{
  "id": "packet-delivery-service",
  "credentials": [
    {
      "type": "VerifiableCredential",
      "trustedParticipantsLists": [
        "https://tir-pdc.gaia-x.fiware.dev"
      ],
      "trustedIssuersLists": [
        "https://til-pdc.gaia-x.fiware.dev"
      ]
    }
  ]
}

Besides that, it's also possible to get just the scope to be requested:

curl --location 'localhost:8080/service/packet-delivery-service/scope'

and receive:

[
  "VerifiableCredential"
]

License

Credentials-Config-Service is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

© 2023 FIWARE Foundation e.V.