{"id":42688781,"url":"https://github.com/open-eid/cdoc2-auth","last_synced_at":"2026-01-29T12:45:01.516Z","repository":{"id":270338118,"uuid":"902770982","full_name":"open-eid/cdoc2-auth","owner":"open-eid","description":null,"archived":false,"fork":false,"pushed_at":"2025-02-25T15:38:30.000Z","size":84,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-02-25T16:30:40.755Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/open-eid.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-13T08:32:02.000Z","updated_at":"2025-02-25T15:37:44.000Z","dependencies_parsed_at":"2024-12-30T12:25:54.069Z","dependency_job_id":"503f6c16-5067-48ef-ba0a-eb6a887769ea","html_url":"https://github.com/open-eid/cdoc2-auth","commit_stats":null,"previous_names":["open-eid/cdoc2-auth"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/open-eid/cdoc2-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-eid%2Fcdoc2-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-eid%2Fcdoc2-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-eid%2Fcdoc2-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-eid%2Fcdoc2-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/open-eid","download_url":"https://codeload.github.com/open-eid/cdoc2-auth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-eid%2Fcdoc2-auth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28877877,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-29T10:31:27.438Z","status":"ssl_error","status_checked_at":"2026-01-29T10:31:01.017Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-29T12:45:00.910Z","updated_at":"2026-01-29T12:45:01.503Z","avatar_url":"https://github.com/open-eid.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cdoc-auth\n\n* Implements `x-cdoc2-auth-ticket` header parameter for \n  [GET /key-shares/\\${shareId}](https://github.com/open-eid/cdoc2-openapi/cdoc2-key-shares-openapi.yaml)\n* Supports ES256 and RS256 algorithms required to support [Mobile-ID](https://github.com/SK-EID/MID) \n  and [Smart-ID](https://github.com/SK-EID/smart-id-documentation) (other algorithms not tested)\n\nUsed by:\n\n* [cdoc2-java-ref-impl](https://github.com/open-eid/cdoc2-java-ref-impl) for auth-ticket creation\n* [cdoc2-shares-server](https://github.com/open-eid/cdoc2-shares-server) for auth-ticket validation\n\n\n## Building\n[![Java CI with Maven](https://github.com/open-eid/cdoc2-auth/actions/workflows/maven.yml/badge.svg)](https://github.com/open-eid/cdoc2-java-ref-impl/actions/workflows/maven.yml)\n\nCDOC2 has been tested with JDK 17 and Maven 3.8.8\n\n```\nmvn clean install\n```\n\n## Get from GitHub package repo\n\n\nConfigure github package repo access\nhttps://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry#authenticating-with-a-personal-access-token\n\nExample `\u003cprofile\u003e` section of `settings.xml` for using `cdoc2-auth-token`:\n```xml\n  \u003cprofile\u003e\n      \u003cid\u003egithub\u003c/id\u003e\n      \u003crepositories\u003e\n        \u003crepository\u003e\n          \u003cid\u003ecentral\u003c/id\u003e\n          \u003curl\u003ehttps://repo1.maven.org/maven2\u003c/url\u003e\n        \u003c/repository\u003e\n        \u003crepository\u003e\n          \u003cid\u003egithub\u003c/id\u003e\n          \u003curl\u003ehttps://maven.pkg.github.com/open-eid/cdoc2-auth\u003c/url\u003e\n        \u003c/repository\u003e\n      \u003c/repositories\u003e\n  \u003c/profile\u003e\n```\n\nNote: When pulling, the package index is based on the organization level, not the repository level.\nhttps://stackoverflow.com/questions/63041402/github-packages-single-maven-repository-for-github-organization\n\nSo defining single Maven package repo from `open-eid` is enough for pulling cdoc2-* dependencies.\n\nUse in Maven pom.xml:\n\n```xml\n  \u003cdependency\u003e\n    \u003cgroupId\u003eee.cyber.cdoc2\u003c/groupId\u003e\n    \u003cartifactId\u003ecdoc2-auth-token\u003c/artifactId\u003e\n    \u003cversion\u003e0.3.3-SNAPSHOT\u003c/version\u003e\n  \u003c/dependency\u003e\n```\n\n## Releasing\n\n### Versioning \n\ncdoc2-auth uses [semantic versioning](https://semver.org/).\n\n### GitHub release\n\n[Create release](https://docs.github.com/en/repositories/releasing-projects-on-github/managing-releases-in-a-repository#creating-a-release).\nIt will trigger `maven-release.yml` workflow that will deploy Maven packages to GitHub Maven package repository\nand build \u0026 publish maven packages.\n\n\n\n## cdoc2.auth-token.v1 examples\n\n* Official documentation: [SD-JWT based CDOC2 authentication protocol](https://open-eid.github.io/CDOC2/2.0-Draft/03_system_architecture/ch06_ID_authentication_protocol/) (TODO: update to final 2.0, when available)\n* `/key-shares` OAS specification can be found here: https://github.com/open-eid/cdoc2-openapi\n\nIn short, cdoc2 key-shares auth ticket is used to authenticate against multiple key-share servers by signing\nauthenticated data ones and not revealing auth data to other servers. For this \n[SDJWT](https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/) format is used.\n\nSdJWT in encoded format:\n\u003cpre\u003e\n\u0026lt;JWT_header\u0026gt;.\u0026lt;JWT_payload\u0026gt;.\u0026lt;JWT_signature\u0026gt;~\u0026lt;Disclosure1\u0026gt;~\u0026lt;Disclosure2\u0026gt;~\n\u003c/pre\u003e\n\nTo decode sd-jwt use [sdjwt.org](https://sdjwt.org/)\n\nTo generate auth-ticket client must first generate `nonce` for each `KeyShare` object accessed using\n[\\${serverBaseUrl}/key-shares/\\${shareId}/nonce](https://github.com/open-eid/cdoc2-openapi/blob/facc1371e3dc39a426541f8a153083c8a6d4539c/cdoc2-key-shares-openapi.yaml#L87) endpoint.\n\n### JWT_header\n\nJWT header for cdoc2 auth ticket:\n```json\n{\n  \"typ\": \"vnd.cdoc2.auth-token.v1+sd-jwt\",\n  \"alg\": \"RS256\"\n}\n```\n\n### JWT_payload\nJWT payload:\n```json\n{\n  \"iss\": \"etsi/PNOEE-30303039914\",\n  \"aud\": [\n    \"https://css.ria.ee:443/key-shares/9EE90F2D-D946-4D54-9C3D-F4C68F7FFAE3?nonce=59b314d4815f21f73a0b9168cecbd5773cc694b6\",\n    \"https://ccs.another-organization.org:443/key-shares/5BAE4603-C33C-4425-B301-125F2ACF9B1E?nonce=9d23660840b427f405009d970d269770417bc769\"\n  ]\n}\n```\n\nNonce value was acquired using [\\${serverBaseUrl}/key-shares/\\${shareId}/nonce](https://github.com/open-eid/cdoc2-openapi/blob/facc1371e3dc39a426541f8a153083c8a6d4539c/cdoc2-key-shares-openapi.yaml#L87) endpoint.\n\nBefore signing, \"aud\" will be replaced with a digest value as specified in \n[sd-jwt specification](https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/):\n```json\n{\n  \"iss\": \"etsi/PNOEE-30303039914\",\n  \"_sd\": [\n    \"V5_DrlDm-FXeGPdcMZQrB7EZPEO98URIAYvykgWHZr0\"\n  ],\n  \"_sd_alg\": \"sha-256\"\n}\n```\n\nValues of \"aud\" will be selectively disclosed to CSS server that has shareID accessed.\n\nsd-jwt (auth ticket) for accessing key-share `https://css.ria.ee:443/key-shares/9EE90F2D-D946-4D54-9C3D-F4C68F7FFAE3` \nwith `nonce` `59b314d4815f21f73a0b9168cecbd5773cc694b6`\n\n(use [sdjwt.org](https://sdjwt.org/) to decode)\n```\neyJ0eXAiOiJ2bmQuY2RvYzIuYXV0aC10b2tlbi52MStzZC1qd3QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJldHNpL1BOT0VFLTMwMzAzMDM5OTE0IiwiX3NkIjpbIlY1X0RybERtLUZYZUdQZGNNWlFyQjdFWlBFTzk4VVJJQVl2eWtnV0hacjAiXSwiX3NkX2FsZyI6InNoYS0yNTYifQ.U31NbtFFn9CxdsQGuiQN0K_HPcJGdN1GEVepkAVGWk4Ug0cjWjZ79l6ghSqSD-tnlNJ3_yAcXJfihhmhCNFkPapupds-74U52RuwjN5iPJAI9BsvgXuXCXojQbF8pm2pwx9S7Cdxwoog22xMwwVl8_qU7f0k3XQjjQsC3Yqv5NA9iFCDnedkprwGozPEDf8VdU0O8zholhfDuMZcsjM540Cz795ab3s3MSscfG0E62ZqK1w6fi_Tbvh81KbFJtKM9JEZdwUGX69QrePBrqpb8Kmww5C-fjiFKRK7U02GbfccnBmaMAZ1KNTegez0ZEEBxk1m1cmSfcQ8vO6Cq539y3OJUVlytZ6ObD47Yx2PTuFGCtCVbPSx0q9VEVvPSgT3HuAHH1IIi7sakuznRzktUD8k_iJ86OJLJ6TN8_IZ9nzeTKbwlsqiY6g5B_ISdEiwhZqB_Rc8d3p7I70nQaYT9980jAEJvdKiRM2RvG4dYs7C4-hi7hXVrOgVvcFy0GpOb8pVy4N6Z6n1q9tQll90HRFo79CtY16u8Zc5AwUC9vifb7N7GO4ZQnhd4YIiX5FXYTMYXRY9MfMfswikCSrtXddBScQ-tOcacZ920fceMsrrrPHzKfOUd_G2GFwCFW2D2sPz5FOEWt5Cp6Xq1jPgITNvfJyFtEyeZlPjD8LDIfE~WyJFVjVmZjNrM1FQUlVaZ0ltaGRJUlhRIiwiYXVkIixbeyIuLi4iOiJsUkVVLURBY2FHTnpGVnkwVHVSSGM2TjZfRFBPSGxqQUxfWldpOVkzc0trIn0seyIuLi4iOiI2Q2lLSUpGZkYtSEhxQ1VuRm41dnY4T3RlLU5mbG5KWlYyS1VYMmk3VUNNIn1dXQ~WyJjak0yMGEwdUxROUdPaXExb3NMeXBBIiwiaHR0cHM6Ly9jc3MucmlhLmVlOjQ0My9rZXktc2hhcmVzLzlFRTkwRjJELUQ5NDYtNEQ1NC05QzNELUY0QzY4RjdGRkFFMz9ub25jZVx1MDAzZDU5YjMxNGQ0ODE1ZjIxZjczYTBiOTE2OGNlY2JkNTc3M2NjNjk0YjYiXQ~\n```\n\nsd-jwt above has 2 Disclosures (base64 encoded data between `~`)\n\n#### Disclosure 1 (digest `V5_DrlDm-FXeGPdcMZQrB7EZPEO98URIAYvykgWHZr0`):\n`WyJFVjVmZjNrM1FQUlVaZ0ltaGRJUlhRIiwiYXVkIixbeyIuLi4iOiJsUkVVLURBY2FHTnpGVnkwVHVSSGM2TjZfRFBPSGxqQUxfWldpOVkzc0trIn0seyIuLi4iOiI2Q2lLSUpGZkYtSEhxQ1VuRm41dnY4T3RlLU5mbG5KWlYyS1VYMmk3VUNNIn1dXQ`:\n`[\"EV5ff3k3QPRUZgImhdIRXQ\",\"aud\",[{\"...\":\"lREU-DAcaGNzFVy0TuRHc6N6_DPOHljAL_ZWi9Y3sKk\"},{\"...\":\"6CiKIJFfF-HHqCUnFn5vv8Ote-NflnJZV2KUX2i7UCM\"}]]`\n\n#### Disclosure 2 (digest `lREU-DAcaGNzFVy0TuRHc6N6_DPOHljAL_ZWi9Y3sKk`):\n\n`WyJjak0yMGEwdUxROUdPaXExb3NMeXBBIiwiaHR0cHM6Ly9jc3MucmlhLmVlOjQ0My9rZXktc2hhcmVzLzlFRTkwRjJELUQ5NDYtNEQ1NC05QzNELUY0QzY4RjdGRkFFMz9ub25jZVx1MDAzZDU5YjMxNGQ0ODE1ZjIxZjczYTBiOTE2OGNlY2JkNTc3M2NjNjk0YjYiXQ`:\n`[\"cjM20a0uLQ9GOiq1osLypA\",\"https://css.ria.ee:443/key-shares/9EE90F2D-D946-4D54-9C3D-F4C68F7FFAE3?nonce\\u003d59b314d4815f21f73a0b9168cecbd5773cc694b6\"]`\n\nNote: Disclosure 1 also contains digest `6CiKIJFfF-HHqCUnFn5vv8Ote-NflnJZV2KUX2i7UCM`, but it is \nnot disclosed as ShareId belongs to another key-share-server. \n\nContent of Disclosures:\n\n| Digest                                        | Salt                     | Claim Name | Claim Value                                                                                                                  |\n|-----------------------------------------------|--------------------------|------------|------------------------------------------------------------------------------------------------------------------------------|\n| `V5_DrlDm-FXeGPdcMZQrB7EZPEO98URIAYvykgWHZr0` | `EV5ff3k3QPRUZgImhdIRXQ` | `aud`      | `[{\"...\":\"lREU-DAcaGNzFVy0TuRHc6N6_DPOHljAL_ZWi9Y3sKk\"},{\"...\":\"6CiKIJFfF-HHqCUnFn5vv8Ote-NflnJZV2KUX2i7UCM\"}]`              |\n| `lREU-DAcaGNzFVy0TuRHc6N6_DPOHljAL_ZWi9Y3sKk` | `cjM20a0uLQ9GOiq1osLypA` | (no value) | `https://css.ria.ee:443/key-shares/9EE90F2D-D946-4D54-9C3D-F4C68F7FFAE3?nonce\\u003d59b314d4815f21f73a0b9168cecbd5773cc694b6` |\n\nNote: `Digest` can be calculated using\n```bash\necho -n WyJFVjVmZjNrM1FQUlVaZ0ltaGRJUlhRIiwiYXVkIixbeyIuLi4iOiJsUkVVLURBY2FHTnpGVnkwVHVSSGM2TjZfRFBPSGxqQUxfWldpOVkzc0trIn0seyIuLi4iOiI2Q2lLSUpGZkYtSEhxQ1VuRm41dnY4T3RlLU5mbG5KWlYyS1VYMmk3VUNNIn1dXQ |openssl dgst -sha256 -binary|base64url|tr -d '=\\n'\n```\n\nAfter disclosing Disclosures from sd-jwt, JWT body will be:\n\n```json\n{\n  \"iss\":\"etsi/PNOEE-30303039914\",\n  \"aud\":[\"https://css.ria.ee:443/key-shares/9EE90F2D-D946-4D54-9C3D-F4C68F7FFAE3?nonce=59b314d4815f21f73a0b9168cecbd5773cc694b6\"]\n}\n```\n\nOther rules to validate auth ticket:\n\n[Verifying SD-JWT (verifying authentication ticket)](https://open-eid.github.io/CDOC2/2.0-Draft/03_system_architecture/ch06_ID_authentication_protocol/#verifying-sd-jwt-verifying-authentication-ticket)\n\nFor additional details see tests in `src/test/java/`\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopen-eid%2Fcdoc2-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopen-eid%2Fcdoc2-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopen-eid%2Fcdoc2-auth/lists"}