G2P OpenID VCI: Base
Module name
g2p_openid_vci
Module title
G2P OpenID VCI: Base
Technology base
This repository contains an Odoo module that helps PBMS/Social Registry (SR) to issue Verifiable Credentials (VC). It provides default VC templates for SR and PBMS and adds OpenID for VCI APIs to SR and PBMS.
Functionality
This module adds g2p.openid.vci.issuers
model called VC Issuer. The main fields in this VC Issuer model are given below.
issuer_type
It is a selection field and decides the functionality of this VC Issuer. If issuer_type is Registry
, it is issuing Registry credentials.
credential_format
credential_type
It is a name given to VC of this format.
For example: "FarmerIDVerifiableCredential", "StudentVerifiableCredential", or something generic like "OpenG2PRegistryVerifiableCredential" etc.
issuer_metadata_text
context_json
scope
It is an OIDC (OpenID Connect) authentication scope. In other words this issuer responds only to the requests for which the auth scope matches the scope configured here.
For example: scopes; farmer_id_vc_ldp
, etc.
allowed auth token issuers, allowed auth token audience
These fields are added to configure authentication. Here Registrant ID is present in the auth token subject, etc.
Design notes
This module is designed to create any number of issuers with different combinations of parameters such as scope, credential_type, credential_format, issuer_metadata, and so on.
For example: Follow the below steps if you want to issue two different types of credentials from your registry, each of which requires the credentials to have different fields.
Create two issuers, both issuer_types are Registry.
Configure different credential types and scopes for both issuers.
Configure both issuers' credential formats with the necessary fields in place.
Modify the issuer metadata of both the issuers along with relevant metadata for the fields.
Modify contexts json with different fields and different credential type for both issuers.
When a credential request is received, it will select the issuer based on the combination of scope (from auth JWT), credential type (from credential request body) (and supported_format which defaults to ldp_vc for now).
This module also uses g2p.encryption.provider (of any type) to sign the final VC. If the encryption provider is not configured on the issuer, it will use the default encryption provider.
Note:
A credential will only be issued if the sub from auth JWT exists as one of IDs in registry against a registry entry.
Guides
To learn more about Configuration, click here.
Source code
https://github.com/openg2p/openg2p-vci
Create a custom VC Issuer
This section describes the procedure for developing custom VC Issuers with the custom functionality that differ from the above Registry Credential Issuer and Beneficiary Credential Issuer.
Inherit
g2p.openid.vci.issuers
model. Add a new type to theissuer_type
Selection field using selection_add. ExampleImplement the following functions:
issue_vc_{issuer_type}
set_default_credential_type_{issuer_type}
set_from_static_file_{issuer_type}
Example:
Configuration
VCI Issuers' configs can be found under
Settings
Menu ->VCI Issuers
page.VC Issuer general config properties:
Name
name
Name of the Issuer.
Scope
scope
Scope that is to be accepted in authentication.
Issuer Type
issuer_type
Type of Issuer
Supported Format
supported_format
VC format supported. Defaults to ldp_vc
.
Unique Issuer ID
unique_issuer_id
A unique ID (string) assigned to this issuer. Defaults to did:example:12345678abcdefgh
.
Encryption Provider
encryption_provider_id
Encryption Provider. If left blank, it will choose default encryption provider.
Auth Subject ID Type
auth_sub_id_type_id
Type of ID which is present in Subject of Authentication.
Auth Allowed Audiences
auth_allowed_auds
Only authentications with "aud" from this list will be allowed.
Separated by space/newline.
If left blank, audience in auth will be ignored.
Auth Allowed Issuers
auth_allowed_issuers
Only authentications with "iss" from this list will be allowed.
Separated by space/newline.
Auth Issuer JWKs Mapping
auth_issuer_jwks_mapping
JWKs URL of each issuer from "Auth Allowed Issuers".
If there are 3 entries in "Auth Allowed Issuers", then there should be 3 JWKs URL in this too, one for each the issuer.
Separated by space/newline.
Auth Allowed Client IDs
auth_allowed_client_ids
Only authentications with "client_id" from this list will be allowed.
Separated by space/newline.
If left blank, client_id in the auth will be ignored.
Credential Type
credential_type
Type of the VC.
Leave it blank to take the default value, according to Issuer Type.
Credential Format
credential_format
Credential format as Jq expression.
Leave it blank to take the default value, according to Issuer Type.
Issuer Metadata Text
issuer_metadata_text
Issuer Metadata as Jq expression.
Leave it blank to take the default value, according to Issuer Type.
Contexts JSON
contexts_json
Contexts JSON for this credential Type
Leave it blank to take the default value, according to Issuer Type.
VC Issuer Program/Beneficiary specific configs:
Program
program_id
Program for which we are issuing the Beneficiary VC.
Last updated