
Commit 2eda4a0

committed
WIP
1 parent bf4597e commit 2eda4a0


11 files changed

+586
-314
lines changed


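--- a/config/module_oidc.php.dist
+++ b/config/module_oidc.php.dist
@@ -21,6 +21,10 @@ declare(strict_types=1);
 * file that was distributed with this source code.
 */
 use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\CredentialFormatIdentifiersEnum;
+use SimpleSAML\OpenID\Codebooks\CredentialTypesEnum;
+use SimpleSAML\OpenID\Codebooks\LanguageTagsEnum;
 
 /*
 * Note: In v5 of this module, all config keys have been moved to constants for easier handling and verification.
@@ -493,4 +497,186 @@ $config = [
 
 // Enable or disable verifiable credentials capabilities. Default is disabled (false).
 ModuleConfig::OPTION_VERIFIABLE_CREDENTIAL_ENABLED => false,
+
+
+// (optional) Credential configuration statements, as per `credential_configurations_supported` claim definition in
+// https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#credential-issuer-parameters.
+// Check the example below on how this can be used.
+ModuleConfig::OPTION_CREDENTIAL_CONFIGURATIONS_SUPPORTED => [
+'ResearchAndScholarshipCredentialJwtVcJson' => [
+// REQUIRED
+ClaimsEnum::Format->value => CredentialFormatIdentifiersEnum::JwtVcJson->value,
+// OPTIONAL
+ClaimsEnum::Scope->value => 'ResearchAndScholarshipCredentialJwtVcJson',
+
+// OPTIONAL
+// cryptographic_binding_methods_supported
+
+// OPTIONAL - will be set / overridden to the protocol signing algorithm.
+// credential_signing_alg_values_supported
+
+// OPTIONAL
+// proof_types_supported
+
+ClaimsEnum::Display->value => [
+[
+ClaimsEnum::Name->value => 'ResearchAndScholarshipCredentialJwtVcJson',
+ClaimsEnum::Locale->value => 'en-US',
+
+// OPTIONAL
+// logo
+
+// OPTIONAL
+ClaimsEnum::Description->value => 'Research and Scholarship Credential',
+
+// OPTIONAL
+// background_color
+
+// OPTIONAL
+// background_image
+
+// OPTIONAL
+// text_color
+],
+],
+
+// OPTIONAL A.1.1.2. https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-vc-signed-as-a-jwt-not-usin
+ClaimsEnum::Claims->value => [
+/**
+* https://refeds.org/category/research-and-scholarship
+*
+* The R&S attribute bundle consists (abstractly) of the following required data elements:
+*
+* shared user identifier
+* person name
+* email address
+*
+* and one optional data element:
+*
+* affiliation
+*
+* where shared user identifier is a persistent, non-reassigned, non-targeted identifier
+* defined to be either of the following:
+*
+* eduPersonPrincipalName (if non-reassigned)
+* eduPersonPrincipalName + eduPersonTargetedID
+*
+* and where person name is defined to be either (or both) of the following:
+*
+* displayName
+* givenName + sn
+*
+* and where email address is defined to be the mail attribute,
+*
+* and where affiliation is defined to be the eduPersonScopedAffiliation attribute.
+*
+* All of the above attributes are defined or referenced in the [eduPerson] specification. The
+* specific naming and format of these attributes is guided by the protocol in use. For SAML
+* 2.0 the [SAMLAttr] profile MUST be used. This specification may be extended to reference
+* other protocol-specific formulations as circumstances warrant.
+*/
+[
+// REQUIRED
+ClaimsEnum::Path->value => [ClaimsEnum::Credential_Subject->value, 'eduPersonPrincipalName']
+],
+// OPTIONAL
+ClaimsEnum::Mandatory->value => true,
+// OPTIONAL
+ClaimsEnum::Display->value => [
+[
+// OPTIONAL
+ClaimsEnum::Name->value => 'Principal Name',
+// OPTIONAL
+ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+],
+],
+],
+[
+ClaimsEnum::Path->value => [ClaimsEnum::Credential_Subject->value, 'eduPersonTargetedID'],
+ClaimsEnum::Mandatory->value => false,
+ClaimsEnum::Display->value => [
+[
+ClaimsEnum::Name->value => 'Targeted ID',
+ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+],
+],
+],
+[
+ClaimsEnum::Path->value => [ClaimsEnum::Credential_Subject->value, 'displayName'],
+ClaimsEnum::Mandatory->value => false,
+ClaimsEnum::Display->value => [
+[
+ClaimsEnum::Name->value => 'Display Name',
+ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+],
+],
+],
+[
+ClaimsEnum::Path->value => [ClaimsEnum::Credential_Subject->value, 'givenName'],
+ClaimsEnum::Mandatory->value => false,
+ClaimsEnum::Display->value => [
+[
+ClaimsEnum::Name->value => 'Given Name',
+ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+],
+],
+],
+[
+ClaimsEnum::Path->value => [ClaimsEnum::Credential_Subject->value, 'sn'],
+ClaimsEnum::Display->value => [
+[
+ClaimsEnum::Name->value => 'Last Name',
+ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+],
+],
+],
+[
+ClaimsEnum::Path->value => [ClaimsEnum::Credential_Subject->value, 'mail'],
+ClaimsEnum::Display->value => [
+[
+ClaimsEnum::Name->value => 'Email Address',
+ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+],
+],
+],
+[
+ClaimsEnum::Path->value => [ClaimsEnum::Credential_Subject->value, 'eduPersonScopedAffiliation'],
+ClaimsEnum::Display->value => [
+[
+ClaimsEnum::Name->value => 'Scoped Affiliation',
+ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+],
+],
+],
+],
+
+// REQUIRED
+ClaimsEnum::CredentialDefinition->value => [
+ClaimsEnum::Type->value => [
+CredentialTypesEnum::VerifiableCredential->value,
+'ResearchAndScholarshipCredentialJwtVcJson',
+],
+],
+],
+
+// Mapping of user attributes to a credential claim path, per credential configuration ID.
+// Note that the path must be present in the credential configuration supported above.
+// This is an array of arrays, with the following format:
+// [
+// 'credential-configuration-id' => [
+// ['user-attribute-name' => ['path-element', 'path-element', ...]],
+// '...',
+// ],
+// ],
+ModuleConfig::OPTION_USER_ATTRIBUTE_TO_CREDENTIAL_CLAIM_PATH_MAP => [
+'ResearchAndScholarshipCredentialJwtVcJson' => [
+['eduPersonPrincipalName' => [ClaimsEnum::Credential_Subject->value, 'eduPersonPrincipalName']],
+['eduPersonTargetedID' => [ClaimsEnum::Credential_Subject->value, 'eduPersonTargetedID']],
+['displayName' => [ClaimsEnum::Credential_Subject->value, 'displayName']],
+['givenName' => [ClaimsEnum::Credential_Subject->value, 'givenName']],
+['sn' => [ClaimsEnum::Credential_Subject->value, 'sn']],
+['mail' => [ClaimsEnum::Credential_Subject->value, 'mail']],
+['eduPersonScopedAffiliation' => [ClaimsEnum::Credential_Subject->value, 'eduPersonScopedAffiliation']],
+],
+],
 ];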
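Review bot: The eduPersonPrincipalName claim entry is closed one line too early: new line 580 already ends the path array with `]`, so the `],` on line 581 closes the claim entry itself, which leaves `Mandatory` and its `Display` (lines 583-592) as direct members of `claims`, makes the `],` on line 593 close `claims`, and pushes every following claim entry plus the REQUIRED `credential_definition` on line 654 one nesting level up from where the comments place them (the brackets still balance, so PHP will not reject it). Unless the rendering dropped a line break, the fix is `ClaimsEnum::Path->value => [ClaimsEnum::Credential_Subject->value, 'eduPersonPrincipalName'],` with the stray `],` on line 581 removed. Separately, `proof_types_supported` and `cryptographic_binding_methods_supported` (lines 513-519) are left as bare placeholders with no word on what omitting them means: a `jwt_vc_json` configuration that advertises no proof type gives wallets no key-binding requirement, and unless the credential endpoint demands a key proof regardless (not shown here) the issued credential is effectively a bearer credential, which a `.dist` file operators copy from should say, e.g. `// NOTE: omitting these advertises no holder key binding; confirm the credential endpoint still requires a key proof before issuing.` One more caveat for line 595: `eduPersonTargetedID` is by definition relying-party-specific, and a value embedded in a credential is presented unchanged to every verifier, so a comment stating what the value is targeted to in the VCI flow would help operators decide whether to include it. The `$config` array this hunk extends opens outside the hunk.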
