Merge pull request #66 from FIWARE/dcql

Support DCQL

Author: wistefan

config/configClient.go

@@ -49,7 +49,9 @@ type ScopeEntry struct {
 	// credential types with their trust configuration
 	Credentials []Credential `json:"credentials" mapstructure:"credentials"`
 	// 	Proofs to be requested - see https://identity.foundation/presentation-exchange/#presentation-definition
-	PresentationDefinition PresentationDefinition `json:"presentationDefinition" mapstructure:"presentationDefinition"`
+	PresentationDefinition *PresentationDefinition `json:"presentationDefinition" mapstructure:"presentationDefinition"`
+	// JSON encoded query to request the credentials to be included in the presentation
+	DCQL *DCQL `json:"dcql,omitempty" mapstructure:"dcql,omitempty"`
 	// When set, the claim are flatten to plain JWT-claims before beeing included, instead of keeping the credential/presentation structure, where the claims are under the key vc or vp
 	FlatClaims bool `json:"flatClaims" mapstructure:"flatClaims"`
 }
@@ -138,6 +140,78 @@ type Fields struct {
 	Filter interface{} `json:"filter" mapstructure:"filter"`
 }
 
+// DCQL defines a JSON encoded query to request the credentials to be included in the presentation
+type DCQL struct {
+	// A non-empty array of Credential Queries that specify the requested Credentials.
+	Credentials []CredentialQuery `json:"credentials" mapstructure:"credentials"`
+	// A non-empty array of Credential Set Queries that specifies additional constraints on which of the requested Credentials to return.
+	CredentialSets []CredentialSetQuery `json:"credential_sets,omitempty" mapstructure:"credential_sets,omitempty"`
+}
+
+// CredentialQuery is an object representing a request for a presentation of one or more matching Credentials
+type CredentialQuery struct {
+	// A string identifying the Credential in the response and, if provided, the constraints in credential_sets. The value MUST be a non-empty string consisting of alphanumeric, underscore (_), or hyphen (-) characters. Within the Authorization Request, the same id MUST NOT be present more than once.
+	Id string `json:"id,omitempty" mapstructure:"id,omitempty"`
+	// A string that specifies the format of the requested Credential.
+	Format string `json:"format,omitempty" mapstructure:"format,omitempty"`
+	// A boolean which indicates whether multiple Credentials can be returned for this Credential Query. If omitted, the default value is false.
+	Multiple bool `json:"multiple,omitempty" mapstructure:"multiple,omitempty"`
+	// A non-empty array of objects  that specifies claims in the requested Credential. Verifiers MUST NOT point to the same claim more than once in a single query. Wallets SHOULD ignore such duplicate claim queries.
+	Claims []ClaimsQuery `json:"claims,omitempty" mapstructure:"claims,omitempty"`
+	// Defines additional properties requested by the Verifier that apply to the metadata and validity data of the Credential. The properties of this object are defined per Credential Format. If empty, no specific constraints are placed on the metadata or validity of the requested Credential.
+	Meta *MetaDataQuery `json:"meta,omitempty" mapstructure:"meta,omitempty"`
+	// A boolean which indicates whether the Verifier requires a Cryptographic Holder Binding proof. The default value is true, i.e., a Verifiable Presentation with Cryptographic Holder Binding is required. If set to false, the Verifier accepts a Credential without Cryptographic Holder Binding proof.
+	RequireCryptographicHolderBinding bool `json:"require_cryptographic_holder_binding,omitempty" mapstructure:"require_cryptographic_holder_binding,omitempty"`
+	// A non-empty array containing arrays of identifiers for elements in claims that specifies which combinations of claims for the Credential are requested.
+	ClaimSets [][]string `json:"claim_sets,omitempty" mapstructure:"claim_sets,omitempty"`
+	// A non-empty array of objects  that specifies expected authorities or trust frameworks that certify Issuers, that the Verifier will accept. Every Credential returned by the Wallet SHOULD match at least one of the conditions present in the corresponding trusted_authorities array if present.
+	TrustedAuthorities []TrustedAuthorityQuery `json:"trusted_authorities,omitempty" mapstructure:"trusted_authorities,omitempty"`
+}
+
+// ClaimsQuery is a query to specifies claims in the requested Credential.
+type ClaimsQuery struct {
+	// REQUIRED if claim_sets is present in the Credential Query; OPTIONAL otherwise. A string identifying the particular claim. The value MUST be a non-empty string consisting of alphanumeric, underscore (_), or hyphen (-) characters. Within the particular claims array, the same id MUST NOT be present more than once.
+	Id string `json:"id,omitempty" mapstructure:"id,omitempty"`
+	//  The value MUST be a non-empty array representing a claims path pointer that specifies the path to a claim within the Credential. See https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-claims-path-pointer
+	Path []interface{} `json:"path,omitempty" mapstructure:"path,omitempty"`
+	// A non-empty array of strings, integers or boolean values that specifies the expected values of the claim. If the values property is present, the Wallet SHOULD return the claim only if the type and value of the claim both match exactly for at least one of the elements in the array.
+	Values []interface{} `json:"values,omitempty" mapstructure:"values,omitempty"`
+	// MDoc specific parameter, ignored for all other types. The flag can be set to inform that the reader wishes to keep(store) the data. In case of false, its data is only used to be dispalyed and verified.
+	IntentToRetain bool `json:"intent_to_retain,omitempty" mapstructure:"intent_to_retain,omitempty"`
+	// MDoc specific parameter, ignored for all other types. Refers to a namespace inside an mdoc.
+	Namespace string `json:"namespace,omitempty" mapstructure:"namespace,omitempty"`
+	// MDoc specific parameter, ignored for all other types. Identifier for the data-element in the namespace.
+	ClaimName string `json:"claim_name,omitempty" mapstructure:"claim_name,omitempty"`
+}
+
+// MetaDataQuery defines additional properties requested by the Verifier that apply to the metadata and validity data of the Credential.
+type MetaDataQuery struct {
+	// SD-JWT and JWT specific parameter. A non-empty array of strings that specifies allowed values for the type of the requested Verifiable Credential.The Wallet MAY return Credentials that inherit from any of the specified types, following the inheritance logic defined in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-10
+	VctValues []string `json:"vct_values,omitempty" mapstructure:"vct_values,omitempty"`
+	// Required for MDoc. String that specifies an allowed value for the doctype of the requested Verifiable Credential. It MUST be a valid doctype identifier as defined in https://www.iso.org/standard/69084.html
+	DoctypeValue string `json:"doctype_value,omitempty" mapstructure:"doctype_value,omitempty"`
+	// Required for ldp_vc. A non-empty array of string arrays. The Type value of the credential needs to be a subset of at least one of the string-arrays.
+	TypeValues [][]string `json:"type_values,omitempty" mapstructure:"type_values,omitempty"`
+}
+
+// TrustedAuthorityQuery is an object representing information that helps to identify an authority or the trust framework that certifies Issuers.
+type TrustedAuthorityQuery struct {
+	//  A string uniquely identifying the type of information about the issuer trust framework.
+	Type string `json:"type" mapstructure:"type"`
+	// A non-empty array of strings, where each string (value) contains information specific to the used Trusted Authorities Query type that allows the identification of an issuer, a trust framework, or a federation that an issuer belongs to.
+	Values []string `json:"values" mapstructure:"values"`
+}
+
+// CredentialSetQuery is a Credential Set Query is an object representing a request for one or more Credentials to satisfy a particular use case with the Verifier.
+type CredentialSetQuery struct {
+	// A non-empty array, where each value in the array is a list of Credential Query identifiers representing one set of Credentials that satisfies the use case. The value of each element in the options array is a non-empty array of identifiers which reference elements in credentials.
+	Options [][]string `json:"options,omitempty" mapstructure:"options,omitempty"`
+	// A boolean which indicates whether this set of Credentials is required to satisfy the particular use case at the Verifier.
+	Required bool `json:"required,omitempty" mapstructure:"required,omitempty"`
+	// A string, number or object specifying the purpose of the query. This specification does not define a specific structure or specific values for this property. The purpose is intended to be used by the Verifier to communicate the reason for the query to the Wallet. The Wallet MAY use this information to show the user the reason for the request.
+	Purpose interface{} `json:"purpose,omitempty" mapstructure:"purpose,omitempty"`
+}
+
 func (cs ConfiguredService) GetRequiredCredentialTypes(scope string) []string {
 	types := []string{}
 	for _, credential := range cs.GetCredentials(scope) {
@@ -157,10 +231,14 @@ func (cs ConfiguredService) GetCredentials(scope string) []Credential {
 	return cs.GetScope(scope).Credentials
 }
 
-func (cs ConfiguredService) GetPresentationDefinition(scope string) PresentationDefinition {
+func (cs ConfiguredService) GetPresentationDefinition(scope string) *PresentationDefinition {
 	return cs.GetScope(scope).PresentationDefinition
 }
 
+func (cs ConfiguredService) GetDcqlQuery(scope string) *DCQL {
+	return cs.GetScope(scope).DCQL
+}
+
 func (cs ConfiguredService) GetCredential(scope, credentialType string) (Credential, bool) {
 	credentials := cs.GetCredentials(scope)
 	for _, credential := range credentials {

config/configClient_test.go

@@ -49,7 +49,7 @@ func Test_getServices(t *testing.T) {
 							HolderVerification:       HolderVerification{Enabled: false, Claim: "subject"},
 						},
 					},
-					PresentationDefinition: PresentationDefinition{
+					PresentationDefinition: &PresentationDefinition{
 						Id: "my-pd",
 						InputDescriptors: []InputDescriptor{
 							{
@@ -65,6 +65,26 @@ func Test_getServices(t *testing.T) {
 							},
 						},
 					},
+					DCQL: &DCQL{
+						Credentials: []CredentialQuery{
+							{
+								Id:     "my-credential-query-id",
+								Format: "jwt_vc_json",
+								Claims: []ClaimsQuery{
+									{
+										Path:           []interface{}{"$.vc.credentialSubject.familyName"},
+										IntentToRetain: true,
+									},
+								},
+							},
+						},
+						CredentialSets: []CredentialSetQuery{
+							{
+								Options: [][]string{{"my-credential-query-id"}},
+								Purpose: "Please provide your family name.",
+							},
+						},
+					},
 				},
 			},
 		},

config/data/ccs_full.json

@@ -1,51 +1,71 @@
 {
     "total": 1,
     "pageNumber": 0,
-    "pageSize": 10,
+    "pageSize": 100,
     "services": [
-      {
-        "id": "service_all",
-        "defaultOidcScope": "did_write",
-        "oidcScopes": {
-          "did_write": {
-            "credentials": [
-              {
-                "type": "VerifiableCredential",
-                "trustedParticipantsLists": [
-                  {
-                    "type": "ebsi",
-                    "url": "https://tir-pdc.ebsi.fiware.dev"
-                  }
-                ],
-                "trustedIssuersLists": [
-                  "https://til-pdc.ebsi.fiware.dev"
-                ],
-                "holderVerification": {
-                  "enabled": false,
-                  "claim": "subject"
-                }
-              }
-            ],
-            "presentationDefinition": {
-              "id": "my-pd",
-              "input_descriptors": [
-                {
-                  "id": "my-descriptor",
-                  "constraints": {
-                    "fields": [
-                      {
-                        "id": "my-field",
-                        "path": [ 
-                          "$.vc.my.claim"
+        {
+            "id": "service_all",
+            "defaultOidcScope": "did_write",
+            "oidcScopes": {
+                "did_write": {
+                    "credentials": [
+                        {
+                            "type": "VerifiableCredential",
+                            "trustedParticipantsLists": [
+                                {
+                                    "type": "ebsi",
+                                    "url": "https://tir-pdc.ebsi.fiware.dev"
+                                }
+                            ],
+                            "trustedIssuersLists": [
+                                "https://til-pdc.ebsi.fiware.dev"
+                            ],
+                            "holderVerification": {
+                                "enabled": false,
+                                "claim": "subject"
+                            }
+                        }
+                    ],
+                    "presentationDefinition": {
+                        "id": "my-pd",
+                        "input_descriptors": [
+                            {
+                                "id": "my-descriptor",
+                                "constraints": {
+                                    "fields": [
+                                        {
+                                            "id": "my-field",
+                                            "path": [
+                                                "$.vc.my.claim"
+                                            ]
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "dcql": {
+                        "credentials": [
+                            {
+                                "id": "my-credential-query-id",
+                                "format": "jwt_vc_json",
+                                "claims": [
+                                    {
+                                        "path": ["$.vc.credentialSubject.familyName"],
+                                        "intent_to_retain": true
+                                    }
+                                ]
+                            }
+                        ],
+                        "credential_sets": [
+                            {
+                                "options": [["my-credential-query-id"]],
+                                "purpose": "Please provide your family name."
+                            }
                         ]
-                      }
-                    ]
-                  }
+                    }
                 }
-              ]
             }
-          }
         }
-      }
     ]
-  }
+}

config/provider_test.go

@@ -73,7 +73,7 @@ func Test_ReadConfig(t *testing.T) {
 											TrustedIssuersLists:      []string{"https://til-pdc.ebsi.fiware.dev"},
 										},
 									},
-									PresentationDefinition: PresentationDefinition{
+									PresentationDefinition: &PresentationDefinition{
 										Id: "my-pd",
 										InputDescriptors: []InputDescriptor{
 											{

openapi/api_api.go

@@ -291,6 +291,7 @@ func StartSIOPSameDevice(c *gin.Context) {
 	}
 
 	clientId, clientIdExists := c.GetQuery("client_id")
+	logging.Log().Debugf("The client id %s", clientId)
 	if !clientIdExists {
 		logging.Log().Infof("Start a login flow for a not specified client.")
 	}
@@ -379,10 +380,24 @@ func GetRequestByReference(c *gin.Context) {
 
 func extractVpFromToken(c *gin.Context, vpToken string) (parsedPresentation *verifiable.Presentation, err error) {
 
-	tokenBytes := decodeVpString(vpToken)
-
 	logging.Log().Debugf("The token %s.", vpToken)
 
+	parsedPresentation, err = getPresentationFromQuery(c, vpToken)
+
+	if err != nil {
+		logging.Log().Debugf("Received a vpToken with a query, but was not able to extract the presentation. Token: %s", vpToken)
+		return parsedPresentation, err
+	}
+	if parsedPresentation != nil {
+		return parsedPresentation, err
+	}
+	return tokenToPresentation(c, vpToken)
+
+}
+
+func tokenToPresentation(c *gin.Context, vpToken string) (parsedPresentation *verifiable.Presentation, err error) {
+	tokenBytes := decodeVpString(vpToken)
+
 	isSdJWT, parsedPresentation, err := isSdJWT(c, vpToken)
 	if isSdJWT && err != nil {
 		return
@@ -402,6 +417,31 @@ func extractVpFromToken(c *gin.Context, vpToken string) (parsedPresentation *ver
 	return
 }
 
+func getPresentationFromQuery(c *gin.Context, vpToken string) (parsedPresentation *verifiable.Presentation, err error) {
+	tokenBytes := decodeVpString(vpToken)
+
+	var queryMap map[string]string
+	//unmarshal
+	err = json.Unmarshal(tokenBytes, &queryMap)
+	if err != nil {
+		logging.Log().Debug("VP Token does not contain query map. Checking the other options.", err)
+		return nil, nil
+	}
+
+	for _, v := range queryMap {
+		p, err := tokenToPresentation(c, v)
+		if err != nil {
+			return nil, err
+		}
+		if parsedPresentation == nil {
+			parsedPresentation = p
+		} else {
+			parsedPresentation.AddCredentials(p.Credentials()...)
+		}
+	}
+	return parsedPresentation, err
+}
+
 // checks if the presented token contains a single sd-jwt credential. Will be repackage to a presentation for further validation
 func isSdJWT(c *gin.Context, vpToken string) (isSdJwt bool, presentation *verifiable.Presentation, err error) {
 	claims, err := getSdJwtParser().Parse(vpToken)