Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/spruceid/oidc4vci-issuer


https://github.com/spruceid/oidc4vci-issuer

openid

Last synced: 5 days ago
JSON representation

Awesome Lists containing this project

README 

        
# OIDC4VCI Demo Issuer



This is an example issuer built with [`rocket`][] and [`oidc4vci-rs`][].



## Endpoints and support



Credential types supported:

  - [x] JWT

  - [ ] JSONLD



Endpoints available:



- `GET /`: to access a pre-authorized code in QRCode or link format, no `pin` support.

- `POST /issuer/preauth?`: to obtain a pre-authorized code with a specific `type`, `pin` and `user_id`.



- `GET /.well-known/openid-configuration`: to obtain the OIDC configuration.

- `GET /jwks`: to obtain JWKs used by the server.



- `POST /token`: to exchange the pre-authorized code by an access token.

- `POST /credential`: to issue a credential, requires `Authorization` provided by the previous step.



## Planned improvements



- Add JSONLD support;

- Add more configuration options;

  - Supported credential types;

  - Access token expiration time;

- External credential provider to easily change the hard-coded `OpenBadgeCredential`;



## Running



### `.env`



A `.env` file must be created with the following variables:



```bash

ISSUER=http://localhost:9000

JWK='{"kty":"OKP","crv":"Ed25519","x":"","d":""}'

JWE_SECRET=

```



The `ISSUER` will be used to fill the `oidc-configuration` endpoint and

inside the credential in the `.issuer.url` field.



The `JWK` will be used to create a DID and sign the credentials.



There are several ways to create your JWK. There are online tools, 

but those are of course not feasible for production use. Another way is to use [`jwk-generator`][], 

```bash

java -jar json-web-key-generator.jar -t EC -c P-256 -u sig

```

or openssl with a pem-jwk converter.



The `JWE_SECRET` will be used to support PIN enabled Issuance Request,

this password will be used with `PBES2_HS512_A256KW` `JWE` encryption.



### `docker-compose`



The `docker-compose` file can be used to run the required Redis instance.



```bash

docker compose up -d redis

```



If you want to point to a different instance of Redis, you can add the 

URL to the following variable in the `.env` file:



```bash

REDIS_URL=redis://127.0.0.1/

```



### Rust nightly



The `rust-toolchain.toml` file is configured to use Rust `nightly`.



If that doesn't work, you can add the override manually with:



```bash

rustup override set nightly

```



### `Rocket.toml`



In the `Rocket.toml`, you can change the port that the server will use as shown below:



```toml

[debug]

port = 8080

```



For more information on other server options provided by `Rocket` please refer to its documentation.



### Run rocket

Once the database instance is up and running you have to start the Rocket-based web service itself:

```bash

cargo run

```



## Example Usage



The following commented bash script is an example of the format and calls made to this issuer.



```bash

#!/bin/bash

# Change URL according to the server you're testing with

url=http://localhost:9000



# If `uuidgen` is not present in your environment, just substitute by a hardcoded value



uuid=`uuidgen`



preauth=$(curl -s -X POST $url/issuer/preauth\?type\=OpenBadgeCredential\&user_id\=$uuid)



# This requires `jq` to extract the `access_token` value from the JSON, could be done manually or in other ways

access_token=$(curl -s -X POST $url/token \

  -H 'Content-Type: application/x-www-form-urlencoded' \

  -d "grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code&pre-authorized_code=$preauth"\

  | jq -r '.access_token')



# Replace `proof.jwt` to one generated by your client.

# In this example, the `jwt` uses `did:key:z6MkwEGcHQYdp8dfiM34VSnEdVRMF9TNRECnhvbRHPCBqQr9`

# has a `http://localhost:9000` audience and a one year duration to facilitate testing.

# THEY ARE NOT INTENDED AS EXAMPLE PRODUCTION VALUES

# `type` and `format` might differ if working with other issuers.

# Only `jwt` is supported for `proof.proof_type` at the moment.

credential_request=$(cat <