WIP

cicnavi · cicnavi · commit b2282fff9270 · 2025-08-04T10:59:22.000+02:00
diff --git a/README.md b/README.md
@@ -367,7 +367,7 @@ The module offers an OpenID Federation configuration endpoint at URL:
 
 You can configure your web server (Apache, Nginx) in a way to serve the mentioned URLs in a '.well-known'
 format. Below are some sample configurations for `openid-configuration`, but you can take the same approach for 
-`openid-federation`.
+`openid-federation`, `jwt-vc-issuer`, or any other.
 
 #### nginx 
     location = /.well-known/openid-configuration {
@@ -382,9 +382,9 @@ format. Below are some sample configurations for `openid-configuration`, but you
 
 ## Using Docker
 
-### With current git branch.
+### With the current git branch.
 
-To explore the module using docker run the below command. This will run an SSP image, with the current oidc module
+To explore the module using docker, run the below command. This will run an SSP image, with the current oidc module
 mounted in the container, along with some configuration files. Any code changes you make to your git checkout are
 "live" in the container, allowing you to test and iterate different things.
 
diff --git a/config/module_oidc.php.dist b/config/module_oidc.php.dist
@@ -514,6 +514,7 @@ $config = [
     // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#credential-issuer-parameters.
     // Check the example below on how this can be used.
     ModuleConfig::OPTION_CREDENTIAL_CONFIGURATIONS_SUPPORTED => [
+        // Sample for 'jwt_vc_json' format with notes about required and optional fields.
         'ResearchAndScholarshipCredentialJwtVcJson' => [
             // REQUIRED
             ClaimsEnum::Format->value => CredentialFormatIdentifiersEnum::JwtVcJson->value,
@@ -529,6 +530,9 @@ $config = [
             // OPTIONAL
             // proof_types_supported
 
+            // OPTIONAL
+            // cryptographic_binding_methods_supported
+
             ClaimsEnum::Display->value => [
                 [
                     ClaimsEnum::Name->value => 'ResearchAndScholarshipCredentialJwtVcJson',
@@ -588,8 +592,7 @@ $config = [
                  */
                 [
                     // REQUIRED
-                    ClaimsEnum::Path->value => [ClaimsEnum::Credential_Subject->value, 'eduPersonPrincipalName']
-                    ],
+                    ClaimsEnum::Path->value => [ClaimsEnum::Credential_Subject->value, 'eduPersonPrincipalName'],
                     // OPTIONAL
                     ClaimsEnum::Mandatory->value => true,
                     // OPTIONAL
@@ -668,6 +671,92 @@ $config = [
                     'ResearchAndScholarshipCredentialJwtVcJson',
                 ],
             ],
+        ],
+
+        // Sample for 'dc+sd-jwt' format without notes about required and optional fields.
+        'ResearchAndScholarshipCredentialDcSdJwt' => [
+            ClaimsEnum::Format->value => CredentialFormatIdentifiersEnum::JwtVcJson->value,
+            ClaimsEnum::Scope->value => 'ResearchAndScholarshipCredentialDcSdJwt',
+            ClaimsEnum::Display->value => [
+                [
+                    ClaimsEnum::Name->value => 'ResearchAndScholarshipCredentialDcSdJwt',
+                    ClaimsEnum::Locale->value => 'en-US',
+                    ClaimsEnum::Description->value => 'Research and Scholarship Credential',
+                ],
+            ],
+            ClaimsEnum::Claims->value => [
+                [
+                    ClaimsEnum::Path->value => ['eduPersonPrincipalName'],
+                    ClaimsEnum::Mandatory->value => true,
+                    ClaimsEnum::Display->value => [
+                        [
+                            ClaimsEnum::Name->value => 'Principal Name',
+                            ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+                        ],
+                    ],
+                ],
+                [
+                    ClaimsEnum::Path->value => ['eduPersonTargetedID'],
+                    ClaimsEnum::Mandatory->value => false,
+                    ClaimsEnum::Display->value => [
+                        [
+                            ClaimsEnum::Name->value => 'Targeted ID',
+                            ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+                        ],
+                    ],
+                ],
+                [
+                    ClaimsEnum::Path->value => ['displayName'],
+                    ClaimsEnum::Mandatory->value => false,
+                    ClaimsEnum::Display->value => [
+                        [
+                            ClaimsEnum::Name->value => 'Display Name',
+                            ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+                        ],
+                    ],
+                ],
+                [
+                    ClaimsEnum::Path->value => ['givenName'],
+                    ClaimsEnum::Mandatory->value => false,
+                    ClaimsEnum::Display->value => [
+                        [
+                            ClaimsEnum::Name->value => 'Given Name',
+                            ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+                        ],
+                    ],
+                ],
+                [
+                    ClaimsEnum::Path->value => ['sn'],
+                    ClaimsEnum::Display->value => [
+                        [
+                            ClaimsEnum::Name->value => 'Last Name',
+                            ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+                        ],
+                    ],
+                ],
+                [
+                    ClaimsEnum::Path->value => ['mail'],
+                    ClaimsEnum::Display->value => [
+                        [
+                            ClaimsEnum::Name->value => 'Email Address',
+                            ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+                        ],
+                    ],
+                ],
+                [
+                    ClaimsEnum::Path->value => ['eduPersonScopedAffiliation'],
+                    ClaimsEnum::Display->value => [
+                        [
+                            ClaimsEnum::Name->value => 'Scoped Affiliation',
+                            ClaimsEnum::Locale->value => LanguageTagsEnum::EnUs->value,
+                        ],
+                    ],
+                ],
+            ],
+
+            // REQUIRED
+            ClaimsEnum::Vct->value => 'ResearchAndScholarshipCredentialDcSdJwt',
+        ],
     ],
 
     // Mapping of user attributes to a credential claim path, per credential configuration ID.
@@ -689,5 +778,8 @@ $config = [
             ['mail' => [ClaimsEnum::Credential_Subject->value, 'mail']],
             ['eduPersonScopedAffiliation' => [ClaimsEnum::Credential_Subject->value, 'eduPersonScopedAffiliation']],
         ],
+        'ResearchAndScholarshipCredentialDcSdJwt' => [
+
+        ],
     ],
 ];
diff --git a/docker/apache-override.cf b/docker/apache-override.cf
@@ -1,6 +1,9 @@
 RewriteEngine On
 RewriteRule ^/.well-known/openid-configuration(.*) /${SSP_APACHE_ALIAS}module.php/oidc/.well-known/openid-configuration$1 [PT]
 RewriteRule ^/.well-known/openid-federation(.*) /${SSP_APACHE_ALIAS}module.php/oidc/.well-known/openid-federation$1 [PT]
+RewriteRule ^/.well-known/openid-credential-issuer(.*) /${SSP_APACHE_ALIAS}module.php/oidc/.well-known/openid-credential-issuer$1 [PT]
+RewriteRule ^/.well-known/oauth-authorization-server(.*) /${SSP_APACHE_ALIAS}module.php/oidc/.well-known/oauth-authorization-server$1 [PT]
+RewriteRule ^/.well-known/jwt-vc-issuer(.*) /${SSP_APACHE_ALIAS}module.php/oidc/.well-known/jwt-vc-issuer$1 [PT]
 
 # Leave Authorization header with Bearer tokens available in requests.
 # Solution 1:
diff --git a/routing/routes/routes.php b/routing/routes/routes.php
@@ -22,6 +22,7 @@
 use SimpleSAML\Module\oidc\Controllers\UserInfoController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerConfigurationController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerCredentialController;
+use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\JwtVcIssuerConfigurationController;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;
 
@@ -131,4 +132,12 @@
     $routes->add(RoutesEnum::CredentialIssuerCredential->name, RoutesEnum::CredentialIssuerCredential->value)
         ->controller([CredentialIssuerCredentialController::class, 'credential'])
         ->methods([HttpMethodsEnum::GET->value, HttpMethodsEnum::POST->value]);
+
+    /*****************************************************************************************************************
+     * SD-JWT-based Verifiable Credentials (SD-JWT VC)
+     ****************************************************************************************************************/
+
+    $routes->add(RoutesEnum::JwtVcIssuerConfiguration->name, RoutesEnum::JwtVcIssuerConfiguration->value)
+        ->controller([JwtVcIssuerConfigurationController::class, 'configuration'])
+        ->methods([HttpMethodsEnum::GET->value]);
 };
diff --git a/src/Codebooks/RoutesEnum.php b/src/Codebooks/RoutesEnum.php
@@ -63,4 +63,10 @@ enum RoutesEnum: string
 
     case CredentialIssuerConfiguration = '.well-known/openid-credential-issuer';
     case CredentialIssuerCredential = 'credential-issuer/credential';
+
+    /*****************************************************************************************************************
+     * SD-JWT-based Verifiable Credentials (SD-JWT VC)
+     ****************************************************************************************************************/
+
+    case JwtVcIssuerConfiguration = '.well-known/jwt-vc-issuer';
 }
diff --git a/src/Controllers/VerifiableCredentials/JwtVcIssuerConfigurationController.php b/src/Controllers/VerifiableCredentials/JwtVcIssuerConfigurationController.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ *        |
+ *   \  ___  /                           _________
+ *  _  /   \  _    GÉANT                 |  * *  | Co-Funded by
+ *     | ~ |       Trust & Identity      | *   * | the European
+ *      \_/        Incubator             |__*_*__| Union
+ *       =
+ */
+
+namespace SimpleSAML\Module\oidc\Controllers\VerifiableCredentials;
+
+use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use Symfony\Component\HttpFoundation\Response;
+
+class JwtVcIssuerConfigurationController
+{
+    /**
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     */
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly Routes $routes,
+    ) {
+        if (!$this->moduleConfig->getVerifiableCredentialEnabled()) {
+            throw OidcServerException::forbidden('Verifiable Credential capabilities not enabled');
+        }
+    }
+
+    public function configuration(): Response
+    {
+        $configuration = [
+            ClaimsEnum::Issuer->value => $this->moduleConfig->getIssuer(),
+            ClaimsEnum::JwksUri->value => $this->moduleConfig->getModuleUrl(RoutesEnum::Jwks->value),
+        ];
+
+        return $this->routes->newJsonResponse($configuration);
+    }
+}
diff --git a/src/Utils/Routes.php b/src/Utils/Routes.php
@@ -226,4 +226,14 @@ public function urlCredentialIssuerCredential(array $parameters = []): string
     {
         return $this->getModuleUrl(RoutesEnum::CredentialIssuerCredential->value, $parameters);
     }
+
+    /*****************************************************************************************************************
+     * SD-JWT-based Verifiable Credentials (SD-JWT VC)
+     ****************************************************************************************************************/
+
+    public function urlJwtVcIssuerConfiguration(array $parameters = []): string
+    {
+        return $this->getModuleUrl(RoutesEnum::JwtVcIssuerConfiguration->value, $parameters);
+    }
+
 }
diff --git a/templates/config/verifiable-credential.twig b/templates/config/verifiable-credential.twig
@@ -10,9 +10,13 @@
 
     <h4>{{ 'Entity'|trans }}</h4>
     <p>
-        {{ 'Configuration URL'|trans }}:
+        {{ 'Credential Issuer Configuration URL'|trans }}:
         <a href="{{ routes.urlCredentialIssuerConfiguration }}" target="_blank">{{ routes.urlCredentialIssuerConfiguration }}</a>
     </p>
+    <p>
+        {{ 'JWT VC Issuer Configuration URL'|trans }}:
+        <a href="{{ routes.urlJwtVcIssuerConfiguration }}" target="_blank">{{ routes.urlJwtVcIssuerConfiguration }}</a>
+    </p>
     <p>
         {{ 'Issuer'|trans }}: {{ moduleConfig.getIssuer }}
     </p>

Original file line number	Diff line number	Diff line change
`@@ -226,4 +226,14 @@ public function urlCredentialIssuerCredential(array $parameters = []): string`
`226`	`226`	`{`
`227`	`227`	`return $this->getModuleUrl(RoutesEnum::CredentialIssuerCredential->value, $parameters);`
`228`	`228`	`}`
	`229`	`+`
	`230`	`+ /*****************************************************************************************************************`
	`231`	`+ * SD-JWT-based Verifiable Credentials (SD-JWT VC)`
	`232`	`+ ****************************************************************************************************************/`
	`233`	`+`
	`234`	`+ public function urlJwtVcIssuerConfiguration(array $parameters = []): string`
	`235`	`+ {`
	`236`	`+ return $this->getModuleUrl(RoutesEnum::JwtVcIssuerConfiguration->value, $parameters);`
	`237`	`+ }`
	`238`	`+`
`229`	`239`	`}`