Til support

README.md

@@ -44,8 +44,13 @@ The following actions occur in the interaction:
 1. The user opens the frontend application.
 2. The frontend-application forwards the user to the login-page of VCVerifier
 3. The VCVerifier presents a QR-code, containing the ```openid:```-connection string with all necessary information to start the authentication process. The QR-code is scanned by the user's wallet.
+    1. the Verifier retrieves the Scope-Information from the Config-Service
 4. The user approves the wallet's interaction with the VCVerifier and the VerifiableCredential is presented via the OIDC4VP-flow. 
-5. VCVerifier requests verification of the credential with a defined set of policies at WaltID-SSIKit.
+5. VCVerifier verifies the credential:
+    1. at WaltID-SSIKit with the configured set of policies
+    2. (Optional) if a Gaia-X compliant chain is provided
+    3. that the credential is registered in the configured trusted-participants-registries
+    4. that the issuer is allowed to issuer the credential with the given claims by one of the configured trusted-issuers-list(s)
 6. A JWT is created, the frontend-application is informed via callback and the token is retrieved via the token-endpoint.
 7. Frontend start to interact with the backend-service, using the jwt.
 8. Authorization-Layer requests the JWKS from the VCVerifier(this can happen asynchronously, not in the sequential flow of the diagram).
@@ -111,6 +116,35 @@ ssiKit:
     # url of the ssikit auditor-api(see https://docs.walt.id/v/ssikit/getting-started/rest-apis/auditor-api)
     auditorURL:
 
+# configuration of the service to retrieve configuration for
+configRepo:
+    # endpoint of the configuration service, to retrieve the scope to be requested and the trust endpoints for the credentials.
+    configEndpoint: http://config-service:8080
+    # static configuration for services
+    services: 
+        # name of the service to be configured
+        testService: 
+            # scope to be requested from the wallet
+            scope: 
+                - VerifiableCredential
+                - CustomerCredential
+            # trusted participants endpoint configuration 
+            trustedParticipants:
+                # the credentials type to configure the endpoint(s) for
+                VerifiableCredential: 
+                - https://tir-pdc.gaia-x.fiware.dev
+                # the credentials type to configure the endpoint(s) for
+                CustomerCredential: 
+                - https://tir-pdc.gaia-x.fiware.dev
+            # trusted issuers endpoint configuration
+            trustedIssuers:
+                # the credentials type to configure the endpoint(s) for
+                VerifiableCredential: 
+                - https://tir-pdc.gaia-x.fiware.dev
+                # the credentials type to configure the endpoint(s) for
+                CustomerCredential: 
+                - https://tir-pdc.gaia-x.fiware.dev
+
 ```
 #### Templating
 

api/api.yaml

@@ -17,6 +17,7 @@ paths:
       parameters:
         - $ref: '#/components/parameters/QueryState'
         - $ref: '#/components/parameters/ClientCallback'
+        - $ref: '#/components/parameters/ClientId'
       operationId: VerifierPageDisplayQRSIOP
       summary: Presents a qr as starting point for the auth process
       description: Returns a rendered html with a QR encoding the login-starting point for the siop flow - e.g. 'openid://?scope=somethign&response_type=rt&response_mode=rm&client_id=ci&redirect_uri=uri&state=state&nonce=nonce'
@@ -40,6 +41,7 @@ paths:
         - api
       parameters:
         - $ref: '#/components/parameters/QueryState'
+        - $ref: '#/components/parameters/ClientId'
       operationId: StartSIOPSameDevice
       summary: Starts the siop flow for credentials hold by the same device
       description: When the credential is already present in the requesting browser, the same-device flow can be used. It creates the login information and then redirects to the /authenticationresponse path.
@@ -71,6 +73,7 @@ paths:
         - api 
       parameters:
         - $ref: '#/components/parameters/QueryState'
+        - $ref: '#/components/parameters/ClientId'
       operationId: VerifierAPIAuthenticationResponse
       summary: Stores the credential for the given session
       requestBody:
@@ -208,6 +211,14 @@ components:
       required: true
       schema:
         type: string
+    ClientId:
+      name: client_id
+      description: The id of the client/service that intents to start the authentication flow. Will be used to retrieve the scope and trust services to be used for verification.
+      in: query
+      required: false 
+      schema: 
+        type: string
+        example: packet-delivery-portal
   schemas:
     CredentialsType:
       type: array

config/config.go

@@ -4,10 +4,11 @@ package config
 
 // general structure of the configuration file
 type Configuration struct {
-	Server   Server   `mapstructure:"server"`
-	Verifier Verifier `mapstructure:"verifier"`
-	SSIKit   SSIKit   `mapstructure:"ssiKit"`
-	Logging  Logging  `mapstructure:"logging"`
+	Server     Server     `mapstructure:"server"`
+	Verifier   Verifier   `mapstructure:"verifier"`
+	SSIKit     SSIKit     `mapstructure:"ssiKit"`
+	Logging    Logging    `mapstructure:"logging"`
+	ConfigRepo ConfigRepo `mapstructure:"configRepo"`
 }
 
 // configuration to be used by the ssiKit configuration
@@ -46,8 +47,6 @@ type Verifier struct {
 	TirAddress string `mapstructure:"tirAddress"`
 	// expiry of auth sessions
 	SessionExpiry int `mapstructure:"sessionExpiry" default:"30"`
-	// scope to be used in the authentication request
-	RequestScope string `mapstructure:"requestScope"`
 	// policies that shall be checked
 	PolicyConfig Policies `mapstructure:"policies"`
 }
@@ -59,6 +58,19 @@ type Policies struct {
 	CredentialTypeSpecificPolicies map[string]PolicyMap `mapstructure:"credentialTypeSpecific"`
 }
 
+type ConfigRepo struct {
+	// url of the configuration service to be used
+	ConfigEndpoint string `mapstructure:"configEndpoint"`
+	// statically configured services with their trust anchors and scopes.
+	Services map[string]Service `mapstructure:"services"`
+}
+
 type PolicyMap map[string]PolicyConfigParameters
 
 type PolicyConfigParameters map[string]interface{}
+
+type Service struct {
+	Scope               []string            `mapstructure:"scope"`
+	TrustedParticipants map[string][]string `mapstructure:"trustedParticipants"`
+	TrustedIssuers      map[string][]string `mapstructure:"trustedIssuers"`
+}

config/data/config_test.yaml

@@ -21,5 +21,25 @@ verifier:
     credentialTypeSpecific:
       "gx:compliance":
          ValidFromBeforePolicy: {}
+
 ssiKit:
-  auditorURL: http://waltid:7003
+  auditorURL: http://waltid:7003
+
+configRepo:
+  services: 
+    testService: 
+      scope: 
+        - VerifiableCredential
+        - CustomerCredential
+      trustedParticipants:
+        VerifiableCredential: 
+          - https://tir-pdc.gaia-x.fiware.dev
+        CustomerCredential: 
+          - https://tir-pdc.gaia-x.fiware.dev
+      trustedIssuers:
+        VerifiableCredential: 
+          - https://tir-pdc.gaia-x.fiware.dev
+        CustomerCredential: 
+          - https://tir-pdc.gaia-x.fiware.dev
+
+

config/provider_test.go

@@ -30,7 +30,6 @@ func Test_ReadConfig(t *testing.T) {
 					Did:           "did:key:somekey",
 					TirAddress:    "https://test.dev/trusted_issuer/v3/issuers/",
 					SessionExpiry: 30,
-					RequestScope:  "",
 					PolicyConfig: Policies{
 						DefaultPolicies: PolicyMap{
 							"SignaturePolicy": {},
@@ -53,6 +52,20 @@ func Test_ReadConfig(t *testing.T) {
 					LogRequests: true,
 					PathsToSkip: []string{"/health"},
 				},
+				ConfigRepo: ConfigRepo{
+					ConfigEndpoint: "",
+					Services: map[string]Service{
+						"testService": {
+							Scope: []string{"VerifiableCredential", "CustomerCredential"},
+							TrustedParticipants: map[string][]string{
+								"VerifiableCredential": {"https://tir-pdc.gaia-x.fiware.dev"},
+								"CustomerCredential":   {"https://tir-pdc.gaia-x.fiware.dev"},
+							},
+							TrustedIssuers: map[string][]string{
+								"VerifiableCredential": {"https://tir-pdc.gaia-x.fiware.dev"},
+								"CustomerCredential":   {"https://tir-pdc.gaia-x.fiware.dev"},
+							}}},
+				},
 			},
 			false,
 		}, {
@@ -66,7 +79,6 @@ func Test_ReadConfig(t *testing.T) {
 				Verifier: Verifier{Did: "",
 					TirAddress:    "",
 					SessionExpiry: 30,
-					RequestScope:  "",
 				}, SSIKit: SSIKit{
 					AuditorURL: "",
 				},