Move contractId from EDR authcode back to a dedicated header field

[domreuter]

Problem

Within EDC the "cid" field from the JWT in the authCode of the EDR payload is meant to be the contractId.

When generating an JWT using a custom generator, the field "cid" is reserved to the entity that the JWT was issued for and cannot be used to hold the contractId furthermore.

This causes the contractId retrieval to crash as the given value is not equal to the expected contractId.

Additionally, there is currently extra effort to get the contractId out of the token. The JWT needs to be unwrapped and decoded first to get the contractId out of it.

We placed the information under an additional attributes section for our token, which differs from the EDC implementation and is therefore not a working solution.

Proposed Solution

The proposed solution would be to move the "contractId" one level up, next to the authcode into the header. This would avoid conflicts with other uses/interpretations for the field and reduce the extra token unwrapping effort.

Example

Current state when using a custom token generator:

{
    "jti": "",
    "az_attr": {
        "exp": 1692132629,
        "dad": "lYovmpLe5.........",
        "cid":"ZGR0ci1jeG1lbWJlcnMtY29udHJhY3Q=:ZGlnaXRhbC10d2luLXJlZ2lzdHJ5:MWYzYjJhMjktMTEzMi00MTg4LTlhOWQtMWY0MmY2MGU1Nzk"
    },
    "ext_attr": {
        "": "",
        "": "",
        "": "",
        "": ""
    },
    "sub": "",
    "authorities": [
        "",
        ""
    ],
    "scope": [
        "",
        ""
    ],
    "client_id": "",
    "cid": "ClientId for which the token was issued not contractId is expected here. EDC expects the contractId here",
    "azp": "",
    "grant_type": "",
    "rev_sig": "",
    "iat": "",
    "exp": "",
    "iss": "",
    "zid": "",
    "aud": [
        "",
        "",
        ""
    ]
}

Current EDC state:

{
    "exp": 1692132629,
    "dad": "lYovmpLe5.........",
    "cid":"ZGR0ci1jeG1lbWJlcnMtY29udHJhY3Q=:ZGlnaXRhbC10d2luLXJlZ2lzdHJ5:MWYzYjJhMjktMTEzMi00MTg4LTlhOWQtMWY0MmY2MGU1Nzk"
}

[domreuter]

https://github.com/eclipse-edc/Connector/blob/e93e496dfde959d7cc840b4792c9b3b4ab5e0bef/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/transfer/dataplane/proxy/ConsumerPullDataPlaneProxyResolver.java#L55C5-L65C6

What about bringing the ContractId back in here?

.property(EDC_CONTRACT_ID, request.getContractId())

[paullatzelsperger]

Since changing this would constitute a breaking change, it was discussed in the Technical Committers meeting on Sept 27, 2023, and here's the outcome:

• we'll add a field called contractId to the body (not the header), which will contain the contract ID
• the cid field will remain unchanged for a transitional period, for compatibility reasons, so both the cid and contractId fields will contain the contract ID.
• we will stop using the cid field starting with 0.4.0 (Milestone 12)

So we'll create two issues, one to add the contractId field, one to stop populating the cid field.

[paullatzelsperger]

#3477 and #3478 respectively