#314: configure dev Nuts node with policy, explain NUTS_URL config (#316)

reinkrul · web-flow · commit db5904769ae7 · 2026-02-09T08:39:41.000+01:00
diff --git a/config/nuts.yml b/config/nuts.yml
@@ -1,7 +1,10 @@
-url: http://localhost:8080
+url: http://localhost:8080/nuts
 
 didmethods:
   - web
 auth:
   contractvalidators:
-    - dummy
+    - dummy
+
+policy:
+  directory: "/app/config/policy"
diff --git a/config/policy/policy.json b/config/policy/policy.json
@@ -0,0 +1,144 @@
+{
+  "eOverdracht-sender": {
+    "organization": {
+      "format": {
+        "ldp_vc": {
+          "proof_type": [
+            "JsonWebSignature2020"
+          ]
+        },
+        "jwt_vc": {
+          "alg": [
+            "PS256"
+          ]
+        },
+        "jwt_vp": {
+          "alg": [
+            "ES256"
+          ]
+        }
+      },
+      "id": "pd_any_care_organization",
+      "name": "Care organization",
+      "purpose": "Finding a care organization",
+      "input_descriptors": [
+        {
+          "id": "id_uzicert_uracredential",
+          "name": "Care organization identity from fake UZI-server certificate",
+          "purpose": "Finding a care organization for authorizing access to medical metadata.",
+          "constraints": {
+            "fields": [
+              {
+                "path": ["$.type"],
+                "filter": {
+                  "type": "string",
+                  "const": "X509Credential"
+                }
+              },
+              {
+                "id": "organization_id",
+                "path": ["$.credentialSubject[0].id", "$.credentialSubject.id"],
+                "filter": {
+                  "type": "string",
+                  "pattern": "^did:web:"
+                }
+              },
+              {
+                "id": "organization_name",
+                "path": [
+                  "$.credentialSubject[0].subject.O",
+                  "$.credentialSubject.subject.O"
+                ],
+                "filter": {
+                  "type": "string"
+                }
+              },
+              {
+                "id": "organization_ura",
+                "path": [
+                  "$.credentialSubject[0].san.otherName",
+                  "$.credentialSubject.san.otherName"
+                ],
+                "filter": {
+                  "type": "string",
+                  "pattern": "^[0-9.]+-\\d+-\\d+-S-(\\d+)-00\\.000-\\d+$"
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  },
+  "eOverdracht-receiver": {
+    "organization": {
+      "format": {
+        "ldp_vc": {
+          "proof_type": [
+            "JsonWebSignature2020"
+          ]
+        },
+        "jwt_vc": {
+          "alg": [
+            "PS256"
+          ]
+        },
+        "jwt_vp": {
+          "alg": [
+            "ES256"
+          ]
+        }
+      },
+      "id": "pd_any_care_organization",
+      "name": "Care organization",
+      "purpose": "Finding a care organization",
+      "input_descriptors": [
+        {
+          "id": "id_uzicert_uracredential",
+          "name": "Care organization identity from fake UZI-server certificate",
+          "purpose": "Finding a care organization for authorizing access to medical metadata.",
+          "constraints": {
+            "fields": [
+              {
+                "path": ["$.type"],
+                "filter": {
+                  "type": "string",
+                  "const": "X509Credential"
+                }
+              },
+              {
+                "id": "organization_id",
+                "path": ["$.credentialSubject[0].id", "$.credentialSubject.id"],
+                "filter": {
+                  "type": "string",
+                  "pattern": "^did:web:"
+                }
+              },
+              {
+                "id": "organization_name",
+                "path": [
+                  "$.credentialSubject[0].subject.O",
+                  "$.credentialSubject.subject.O"
+                ],
+                "filter": {
+                  "type": "string"
+                }
+              },
+              {
+                "id": "organization_ura",
+                "path": [
+                  "$.credentialSubject[0].san.otherName",
+                  "$.credentialSubject.san.otherName"
+                ],
+                "filter": {
+                  "type": "string",
+                  "pattern": "^[0-9.]+-\\d+-\\d+-S-(\\d+)-00\\.000-\\d+$"
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md
@@ -106,6 +106,9 @@ or wants to have the Nuts node deployed separately, the Knooppunt can use that N
 
 Use [`nuts.enabled`](./CONFIGURATION.md) to configure the embedded or existing Nuts node.
 
+Note that you MUST configure the `url` (or `NUTS_URL`) property in the Nuts configuration to point to the **publicly accessible** base URL of the Knooppunt (the URL under which other Nuts nodes and clients can reach it). This is the URL the Nuts node advertises externally.
+The Knooppunt runs the embedded Nuts node on `/nuts`, so if the Knooppunt is publicly reachable at `https://knooppunt.example.com/`, the Nuts node URL must be `https://knooppunt.example.com/nuts` (not an internal-only address such as `http://knooppunt:8080/nuts`).
+
 ### Tracing
 
 The Knooppunt supports distributed tracing using OpenTelemetry. Traces can be sent to any OTLP-compatible collector (e.g. Jaeger, Grafana Tempo, or a vendor's existing observability platform).
