G2P OpenID VCI: Base

Module name

g2p_openid_vci

Module title

G2P OpenID VCI: Base

Technology base

Odoo

This repository contains an Odoo module that helps PBMS/Social Registry (SR) to issue Verifiable Credentials (VC). It provides default VC templates for SR and PBMS and adds OpenID for VCI APIs to SR and PBMS.

Functionality

This module adds g2p.openid.vci.issuers model called VC Issuer. The main fields in this VC Issuer model are given below.

FieldDescription

issuer_type

It is a selection field and decides the functionality of this VC Issuer. If issuer_type is Registry, it is issuing Registry credentials.

credential_format

It is a Jq expression and it defines the format/template of the final VC.

credential_type

It is a name given to VC of this format.

For example: "FarmerIDVerifiableCredential", "StudentVerifiableCredential", or something generic like "OpenG2PRegistryVerifiableCredential" etc.

issuer_metadata_text

It is a Jq expression to give out metadata of this issuer and metadata of the fields in the credential.

context_json

It is the JSON-LD context of this VC.

scope

It is an OIDC (OpenID Connect) authentication scope. In other words this issuer responds only to the requests for which the auth scope matches the scope configured here.

For example: scopes; farmer_id_vc_ldp , etc.

allowed auth token issuers, allowed auth token audience

These fields are added to configure authentication. Here Registrant ID is present in the auth token subject, etc.

Design notes

This module is designed to create any number of issuers with different combinations of parameters such as scope, credential_type, credential_format, issuer_metadata, and so on.

For example: Follow the below steps if you want to issue two different types of credentials from your registry, each of which requires the credentials to have different fields.

  1. Create two issuers, both issuer_types are Registry.

  2. Configure different credential types and scopes for both issuers.

  3. Configure both issuers' credential formats with the necessary fields in place.

  4. Modify the issuer metadata of both the issuers along with relevant metadata for the fields.

  5. Modify contexts json with different fields and different credential type for both issuers.

When a credential request is received, it will select the issuer based on the combination of scope (from auth JWT), credential type (from credential request body) (and supported_format which defaults to ldp_vc for now).

This module also uses g2p.encryption.provider (of any type) to sign the final VC. If the encryption provider is not configured on the issuer, it will use the default encryption provider.

Note:

A credential will only be issued if the sub from auth JWT exists as one of IDs in registry against a registry entry.

Guides

To learn more about Configuration, click here.

Source code

https://github.com/openg2p/openg2p-vci

Create a custom VC Issuer

This section describes the procedure for developing custom VC Issuers with the custom functionality that differ from the above Registry Credential Issuer and Beneficiary Credential Issuer.

  • Inherit g2p.openid.vci.issuers model. Add a new type to the issuer_type Selection field using selection_add. Example

    issuer_type = fields.Selection(selection_add=[("Mock", "Mock")], ondelete={"Mock": "cascade"})
  • Implement the following functions:

    • issue_vc_{issuer_type}

    • set_default_credential_type_{issuer_type}

    • set_from_static_file_{issuer_type}

  • Example:

    class BeneficiaryOpenIDVCIssuer(models.Model):
        _inherit = "g2p.openid.vci.issuers"
    
        issuer_type = fields.Selection(selection_add=[("Mock", "Mock")], ondelete={"Mock": "cascade"})
        
        def issue_vc_Mock(self, auth_claims, credential_request):
            ...    
        
        def set_default_credential_type_Mock(self):
            self.credential_type = "OpenG2PMockVerifiableCredential"
    
        def set_from_static_file_Mock(self, **kwargs):
            kwargs.setdefault("module_name", "g2p_openid_vci_mock")
            return self.set_from_static_file_Registry(**kwargs)

Configuration

  • VCI Issuers' configs can be found under Settings Menu -> VCI Issuers page.

  • VC Issuer general config properties:

NameProperty nameDescription

Name

name

Name of the Issuer.

Scope

scope

Scope that is to be accepted in authentication.

Issuer Type

issuer_type

Type of Issuer

Supported Format

supported_format

VC format supported. Defaults to ldp_vc .

Unique Issuer ID

unique_issuer_id

A unique ID (string) assigned to this issuer. Defaults to did:example:12345678abcdefgh .

Encryption Provider

encryption_provider_id

Encryption Provider. If left blank, it will choose default encryption provider.

Auth Subject ID Type

auth_sub_id_type_id

Type of ID which is present in Subject of Authentication.

Auth Allowed Audiences

auth_allowed_auds

  • Only authentications with "aud" from this list will be allowed.

  • Separated by space/newline.

  • If left blank, audience in auth will be ignored.

Auth Allowed Issuers

auth_allowed_issuers

  • Only authentications with "iss" from this list will be allowed.

  • Separated by space/newline.

Auth Issuer JWKs Mapping

auth_issuer_jwks_mapping

  • JWKs URL of each issuer from "Auth Allowed Issuers".

  • If there are 3 entries in "Auth Allowed Issuers", then there should be 3 JWKs URL in this too, one for each the issuer.

  • Separated by space/newline.

Auth Allowed Client IDs

auth_allowed_client_ids

  • Only authentications with "client_id" from this list will be allowed.

  • Separated by space/newline.

  • If left blank, client_id in the auth will be ignored.

Credential Type

credential_type

  • Type of the VC.

  • Leave it blank to take the default value, according to Issuer Type.

Credential Format

credential_format

  • Credential format as Jq expression.

  • Leave it blank to take the default value, according to Issuer Type.

Issuer Metadata Text

issuer_metadata_text

  • Issuer Metadata as Jq expression.

  • Leave it blank to take the default value, according to Issuer Type.

Contexts JSON

contexts_json

  • Contexts JSON for this credential Type

  • Leave it blank to take the default value, according to Issuer Type.

  • VC Issuer Program/Beneficiary specific configs:

NameProperty nameDescription

Program

program_id

Program for which we are issuing the Beneficiary VC.

Last updated

Logo

Copyright © OpenG2P. This work is licensed under Creative Common Attribution (CC-BY-4.0) International license unless otherwise noted.