# G2P OpenID VCI: Base ### Module name g2p\_openid\_vci ### Module title G2P OpenID VCI: Base ### Technology base [Odoo](https://www.odoo.com/) This repository contains an Odoo module that helps PBMS/Social Registry (SR) to issue [Verifiable Credentials](https://www.w3.org/TR/vc-data-model/) (VC). It provides default VC templates for SR and PBMS and adds [OpenID for VCI](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html) APIs to SR and PBMS. ### Functionality This module adds `g2p.openid.vci.issuers` model called ***VC Issuer***. The main fields in this VC Issuer model are given below.

Field	Description
`issuer_type`	It is a selection field and decides the functionality of this VC Issuer. If issuer_type is `Registry`, it is issuing Registry credentials.
`credential_format`	It is a Jq expression and it defines the format/template of the final VC.
`credential_type`	It is a name given to VC of this format. For example: "FarmerIDVerifiableCredential", "StudentVerifiableCredential", or something generic like "OpenG2PRegistryVerifiableCredential" etc.
`issuer_metadata_text`	It is a Jq expression to give out metadata of this issuer and metadata of the fields in the credential.
`context_json`	It is the JSON-LD context of this VC.
`scope`	It is an OIDC (OpenID Connect) authentication scope. In other words this issuer responds only to the requests for which the auth scope matches the scope configured here. For example: scopes; `farmer_id_vc_ldp` , etc.
`allowed auth token issuers, allowed auth token audience`	These fields are added to configure authentication. Here Registrant ID is present in the auth token subject, etc.

### Design notes This module is designed to create any number of issuers with different combinations of parameters such as scope, credential\_type, credential\_format, issuer\_metadata, and so on. For example: Follow the below steps if you want to issue two different types of credentials from your registry, each of which requires the credentials to have different fields. 1. Create two issuers, both issuer\_types are Registry. 2. Configure different credential types and scopes for both issuers. 3. Configure both issuers' credential formats with the necessary fields in place. 4. Modify the issuer metadata of both the issuers along with relevant metadata for the fields. 5. Modify contexts json with different fields and different credential type for both issuers. When a credential request is received, it will select the issuer based on the combination of scope (from auth JWT), credential type (from credential request body) (and supported\_format which defaults to ldp\_vc for now). This module also uses g2p.encryption.provider (of any type) to sign the final VC. If the encryption provider is not configured on the issuer, it will use the default encryption provider. Note: A credential will only be issued if the sub from auth JWT exists as one of IDs in registry against a registry entry. ### Guides To learn more about ***Configuration***, click [here](https://docs.openg2p.org/pbms/development/odoo-modules/openg2p-vci#configuration). ### Source code ### Create a custom VC Issuer This section describes the procedure for developing custom VC Issuers with the custom functionality that differ from the above Registry Credential Issuer and Beneficiary Credential Issuer. * Inherit `g2p.openid.vci.issuers` model. Add a new type to the `issuer_type` Selection field using selection\_add. Example ```python issuer_type = fields.Selection(selection_add=[("Mock", "Mock")], ondelete={"Mock": "cascade"}) ``` * Implement the following functions: * `issue_vc_{issuer_type}` * `set_default_credential_type_{issuer_type}` * `set_from_static_file_{issuer_type}` * Example: ```python class BeneficiaryOpenIDVCIssuer(models.Model): _inherit = "g2p.openid.vci.issuers" issuer_type = fields.Selection(selection_add=[("Mock", "Mock")], ondelete={"Mock": "cascade"}) def issue_vc_Mock(self, auth_claims, credential_request): ... def set_default_credential_type_Mock(self): self.credential_type = "OpenG2PMockVerifiableCredential" def set_from_static_file_Mock(self, **kwargs): kwargs.setdefault("module_name", "g2p_openid_vci_mock") return self.set_from_static_file_Registry(**kwargs) ``` ### Configuration * VCI Issuers' configs can be found under `Settings` Menu -> `VCI Issuers` page. * VC Issuer general config properties:

Name	Property name	Description
Name	name	Name of the Issuer.
Scope	scope	Scope that is to be accepted in authentication.
Issuer Type	issuer_type	Type of Issuer
Supported Format	supported_format	VC format supported. Defaults to `ldp_vc` .
Unique Issuer ID	unique_issuer_id	A unique ID (string) assigned to this issuer. Defaults to `did:example:12345678abcdefgh` .
Encryption Provider	encryption_provider_id	Encryption Provider. If left blank, it will choose default encryption provider.
Auth Subject ID Type	auth_sub_id_type_id	Type of ID which is present in Subject of Authentication.
Auth Allowed Audiences	auth_allowed_auds	Only authentications with "aud" from this list will be allowed. Separated by space/newline. If left blank, audience in auth will be ignored.
Auth Allowed Issuers	auth_allowed_issuers	Only authentications with "iss" from this list will be allowed. Separated by space/newline.
Auth Issuer JWKs Mapping	auth_issuer_jwks_mapping	JWKs URL of each issuer from "Auth Allowed Issuers". If there are 3 entries in "Auth Allowed Issuers", then there should be 3 JWKs URL in this too, one for each the issuer. Separated by space/newline.
Auth Allowed Client IDs	auth_allowed_client_ids	Only authentications with "client_id" from this list will be allowed. Separated by space/newline. If left blank, client_id in the auth will be ignored.
Credential Type	credential_type	Type of the VC. Leave it blank to take the default value, according to Issuer Type.
Credential Format	credential_format	Credential format as Jq expression. Leave it blank to take the default value, according to Issuer Type.
Issuer Metadata Text	issuer_metadata_text	Issuer Metadata as Jq expression. Leave it blank to take the default value, according to Issuer Type.
Contexts JSON	contexts_json	Contexts JSON for this credential Type Leave it blank to take the default value, according to Issuer Type.

* VC Issuer Program/Beneficiary specific configs:

Name	Property name	Description
Program	program_id	Program for which we are issuing the Beneficiary VC.

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.openg2p.org/1.3/pbms/developer-zone/odoo-modules/g2p-openid-vci-base.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.