model

package
v0.5.9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 21, 2026 License: BSD-2-Clause Imports: 20 Imported by: 0

Documentation

Index

Examples

Constants

View Source 
const (
	AuthProviderSAML      = "saml"
	AuthProviderOIDC      = "oidc"
	AuthProviderOpenID4VP = "openid4vp"
)
View Source 
const (
	CredentialTypeUrnEudiEhic1            = "urn:eudi:ehic:1"             // #nosec G101
	CredentialTypeUrnEudiPda11            = "urn:eudi:pda1:1"             // #nosec G101
	CredentialTypeUrnEudiPid1             = "urn:eudi:pid:1"              // #nosec G101
	CredentialTypeUrnEudiDiploma1         = "urn:eudi:diploma:1"          // #nosec G101
	CredentialTypeUrnEudiElm1             = "urn:eudi:elm:1"              // #nosec G101
	CredentialTypeUrnEudiMicroCredential1 = "urn:eudi:micro_credential:1" // #nosec G101
	CredentialTypeUrnEduID1               = "urn:credential:eduid:1"      // #nosec G101
)

Variables

View Source 
var (
	//StatusOK status ok
	StatusOK = "STATUS_OK_%s"
	// StatusFail status fail
	StatusFail = "STATUS_FAIL_%s"
)
View Source 
var (
	// BuildVariableGitCommit contains ldflags -X variable git commit hash
	BuildVariableGitCommit string = "undef"

	// BuildVariableTimestamp contains ldsflags -X variable build time
	BuildVariableTimestamp string = "undef"

	// BuildVariableGoVersion contains ldsflags -X variable go build version
	BuildVariableGoVersion string = "undef"

	// BuildVariableGoArch contains ldsflags -X variable go arch build
	BuildVariableGoArch string = "undef"

	// BuildVariableGitBranch contains ldsflags -X variable git branch
	BuildVariableGitBranch string = "undef"

	// BuildVersion contains ldsflags -X variable build version
	BuildVersion string = "undef"
)

Functions

func BoolPtr 

func BoolPtr(v bool) *bool

BoolPtr returns a pointer to the given bool value. Useful for initializing *bool fields in struct literals.

Example 
package main

import (
	"fmt"

	"github.com/SUNET/vc/pkg/model"
)

func main() {
	p := model.BoolPtr(true)
	fmt.Println(*p)
}

Output:
true

func BoolVal 

func BoolVal(b *bool, fallback bool) bool

BoolVal safely dereferences a *bool, returning the pointed-to value or the supplied fallback when the pointer is nil.

Example 
package main

import (
	"fmt"

	"github.com/SUNET/vc/pkg/model"
)

func main() {
	t := true
	fmt.Println(model.BoolVal(&t, false))
	fmt.Println(model.BoolVal(nil, false))
	fmt.Println(model.BoolVal(nil, true))
}

Output:
true
false
true

Types

type APIAuth 

type APIAuth struct {
	// JWKS holds the static JWKS Bearer token authentication configuration
	// When enabled, requests are validated against a manually configured JWKS URL
	JWKS APIAuthJWKS `yaml:"jwks"`
	// OIDC holds the OIDC Bearer token authentication configuration
	// When enabled, the JWKS endpoint is auto-discovered from the issuer's
	// .well-known/openid-configuration and Bearer JWTs are validated locally
	// The RP fields (client_id, redirect_uri, etc.) also enable the admin UI
	// login flow via OIDC redirect
	OIDC APIAuthOIDC `yaml:"oidc"`
	// Rules are SPOCP S-expression authorization rules loaded into an in-process engine
	// When non-empty the middleware builds a query per request and checks it
	// Rules apply regardless of whether JWKS or OIDC is the active auth method
	Rules []string `yaml:"rules,omitempty" doc_example:"[\"(vc (service apigw)(method POST)(path /api/v1/upload)(subject alice))\"]"`
	// RulesFile is an optional path to a file containing SPOCP rules (one per line)
	// Rules from this file are loaded in addition to the inline Rules list
	RulesFile string `yaml:"rules_file,omitempty"`
}

APIAuth configures authentication for the API route group (datastore, identity mapping, admin UI) JWKS and OIDC are mutually exclusive If neither is enabled, no authentication is applied (open access)

When Rules (and/or RulesFile) are configured, each authenticated request is checked against a SPOCP engine. A query of the form 

(vc (service <SERVICE>)(method <HTTP_METHOD>)(path <REQUEST_PATH>)(subject <JWT_SUBJECT>))

is evaluated; the request is allowed only if a matching rule exists. The <SERVICE> value is supplied by the calling service at middleware registration time. When two services share endpoints, rules for one service do not grant access to the other. When no rules are configured, any valid Bearer JWT grants access.

type APIAuthJWKS added in v0.5.7 

type APIAuthJWKS struct {
	// Enable enables static JWKS Bearer token authentication
	Enable bool `yaml:"enable" default:"false"`
	// JWKSURL is the URL of the JSON Web Key Set used to validate token signatures
	JWKSURL string `` /* 129-byte string literal not displayed */
	// Issuer is the expected "iss" claim. Tokens with a different issuer are rejected
	Issuer string `yaml:"issuer" validate:"required_if=Enable true"`
	// Audience is the expected "aud" claim. Tokens that do not contain this audience are rejected
	Audience string `yaml:"audience" validate:"required_if=Enable true"`
}

APIAuthJWKS holds the configuration for static JWKS Bearer token authentication

type APIAuthOIDC added in v0.5.7 

type APIAuthOIDC struct {
	// Enable enables OIDC authentication
	Enable bool `yaml:"enable" default:"false"`
	// IssuerURL is the OIDC provider's issuer URL used for discovery and "iss" claim validation.
	IssuerURL string `yaml:"issuer_url" validate:"required_if=Enable true,omitempty,url" doc_example:"\"https://auth.example.com\""`
	// Audience is the expected "aud" claim. Tokens that do not contain this audience are rejected.
	Audience string `yaml:"audience" validate:"required_if=Enable true"`
	// ClientID is the OAuth2 client identifier registered with the OIDC provider.
	ClientID string `yaml:"client_id" validate:"required_if=Enable true"`
	// ClientSecret is the OAuth2 client secret. May be empty for public clients.
	ClientSecret string `yaml:"client_secret"`
	// RedirectURI is the callback URL for the admin UI OIDC login flow (e.g. "https://apigw.example.com/ui/callback").
	RedirectURI string `yaml:"redirect_uri" validate:"required_if=Enable true,omitempty,url" doc_example:"\"https://apigw.example.com/ui/callback\""`
	// Scopes are the OAuth2/OIDC scopes to request (default: ["openid"]).
	Scopes []string `yaml:"scopes"`
}

APIAuthOIDC holds the configuration for OIDC-based authentication. It serves two purposes:

  • API auth: Bearer JWTs in Authorization headers are validated locally against the provider's JWKS (auto-discovered from IssuerURL).
  • Admin UI login: the RP fields (ClientID, RedirectURI, Scopes) enable an authorization-code redirect flow so admins log in via the OIDC provider.

type APIAuthSecrets 

type APIAuthSecrets struct {
	OIDC OIDCAuthSecrets `yaml:"oidc,omitempty"`
}

APIAuthSecrets holds secrets for the api_auth section

type APIGW 

type APIGW struct {
	// APIServer is the HTTP API server configuration
	APIServer APIServer `yaml:"api_server" validate:"required"`
	// AdminUIEnable enables the admin web UI. When false (default), the /ui routes are not registered.
	// This must be explicitly set to true to enable the admin interface.
	AdminUIEnable bool `yaml:"admin_ui_enable" default:"false"`
	// KeyConfig is the signing key configuration
	KeyConfig *pki.KeyConfig `yaml:"key_config" validate:"required"`
	// DataSources maps credential types to their data sources
	DataSources DataSources `yaml:"data_sources,omitempty" validate:"required"`
	// AuthProviders configures how users authenticate (SAML, OIDC)
	AuthProviders APIGWAuthProviders `yaml:"auth_providers,omitempty"`
	// Remotes defines named external API connections referenced by DataSources.ExternalAPI
	Remotes map[string]Remote `yaml:"remotes,omitempty" doc_key:"remote name" doc_example:"\"ladok\""`
	// Delivery groups credential delivery to wallets (OpenID4VCI, credential offers)
	Delivery APIGWDelivery `yaml:"delivery" validate:"required"`
	// IssuerMetadata holds the OpenID4VCI issuer metadata
	IssuerMetadata IssuerMetadata `yaml:"issuer_metadata" validate:"omitempty"`
	// PublicURL is the public URL of this service (must be valid HTTP/HTTPS URL)
	PublicURL string `yaml:"public_url" validate:"required,httpurl" doc_example:"\"https://issuer.sunet.se\""`
	// IssuerClient is the gRPC client config for issuer
	IssuerClient GRPCClientTLS `yaml:"issuer_client" validate:"required"`
	// RegistryClient is the gRPC client config for registry
	RegistryClient GRPCClientTLS `yaml:"registry_client" validate:"required"`
	// IdentityMappingImport configures automatic import of identity mappings from JSON files at startup.
	// When configured, APIGW reads JSON files and imports them into the
	// identity mappings collection on first startup (skipped if data already exists).
	IdentityMappingImport *IdentityMappingImport `yaml:"identity_mapping_import,omitempty"`
	// Trust holds the trust evaluation configuration for OpenID4VP credential validation.
	// When configured, credentials presented via VP are validated against a PDP.
	Trust TrustConfig `yaml:"trust,omitempty"`
}

APIGW holds the configuration for the API Gateway service that handles credential issuance requests

type APIGWAuthProviders added in v0.5.7 

type APIGWAuthProviders struct {
	// SAML configures the SAML SP auth provider
	SAML SAMLSP `yaml:"saml,omitempty" validate:"omitempty"`
	// OIDC configures the OIDC RP auth provider
	OIDC OIDCRP `yaml:"oidc,omitempty" validate:"omitempty"`
}

APIGWAuthProviders groups the authentication provider configurations.

type APIGWDelivery added in v0.5.7 

type APIGWDelivery struct {
	// OpenID4VCI configures the OpenID4VCI Authorization Server for wallet credential issuance
	OpenID4VCI OAuthServer `yaml:"openid4vci" validate:"required"`
	// CredentialOffers holds credential offer wallet configurations
	CredentialOffers CredentialOffers `yaml:"credential_offers" validate:"required"`
}

APIGWDelivery groups credential delivery configuration (wallets, offers).

type APIGWSecrets 

type APIGWSecrets struct {
	APIServer     APIServerSecrets     `yaml:"api_server,omitempty"`
	AuthProviders AuthProvidersSecrets `yaml:"auth_providers,omitempty"`
}

APIGWSecrets holds API gateway secrets

type APIServer 

type APIServer struct {
	// Addr is the listen address for the HTTP server
	Addr string `yaml:"addr" validate:"required" default:":8080"`
	// ServedByHeader sets the X-Served-By response header value for HA troubleshooting.
	// Empty (default): header is not set. "hostname": uses os.Hostname().
	// Any other value is used as-is.
	ServedByHeader string  `yaml:"served_by_header,omitempty"`
	TLS            TLS     `yaml:"tls" validate:"omitempty"`
	APIAuth        APIAuth `yaml:"api_auth"`
	CORS           *CORS   `yaml:"cors,omitempty" validate:"omitempty"`
	// TrustProxyTLS forces the Secure flag on session cookies even when TLS is not
	// enabled on this server. Use this when running behind a TLS-terminating reverse proxy.
	TrustProxyTLS bool `yaml:"trust_proxy_tls" default:"false"`
}

APIServer holds the HTTP API server configuration

type APIServerSecrets 

type APIServerSecrets struct {
	APIAuth APIAuthSecrets `yaml:"api_auth,omitempty"`
}

APIServerSecrets holds API server secrets (basic auth passwords)

type AdminGUI 

type AdminGUI struct {
	// Enable enables the admin GUI
	Enable *bool `yaml:"enable" default:"false"`
	// Username is the admin username
	Username string `yaml:"username" validate:"required_if=Enable true" default:"admin"`
	// Password is the admin password
	Password string `yaml:"password" validate:"required_if=Enable true"`
}

AdminGUI holds the admin GUI configuration

type AdminGUISecrets 

type AdminGUISecrets struct {
	// Password is the admin GUI login password
	Password string `yaml:"password"`
}

AdminGUISecrets holds admin GUI secrets

type AssertionConfig added in v0.5.7 

type AssertionConfig struct {
	// Scopes maps credential scope names to their assertion configuration
	Scopes map[string]AssertionScope `yaml:"scopes,omitempty" doc_key:"credential scope"`
}

AssertionConfig groups assertion credential scopes.

type AssertionScope added in v0.5.7 

type AssertionScope struct {
	// AuthProvider is the auth provider for this credential type (saml or oidc)
	AuthProvider string `yaml:"auth_provider" validate:"required,oneof=saml oidc"`
}

AssertionScope configures a credential type backed by authentication assertions. The data comes directly from the SAML attributes or OIDC claims.

type AttributeConfig 

type AttributeConfig struct {
	// Claim is the target claim name (supports dot-notation for nesting)
	Claim string `yaml:"claim" validate:"required" doc_example:"\"identity.given_name\""`

	// Required indicates if this attribute must be present in the assertion/response
	Required bool `yaml:"required" default:"false"`

	// Transform is an optional transformation to apply
	// Supported: "lowercase", "uppercase", "trim"
	Transform string `yaml:"transform,omitempty" validate:"omitempty,oneof=lowercase uppercase trim"`

	// Default is an optional default value if attribute is missing
	Default string `yaml:"default,omitempty"`
}

AttributeConfig defines how a single external attribute maps to a credential claim Generic across protocols (SAML, OIDC, etc.) - uses protocol-specific identifiers as keys

type AttributeMapping added in v0.5.7 

type AttributeMapping map[string]AttributeConfig

AttributeMapping maps external attribute names to claim configurations. Keys are protocol-specific identifiers (SAML OIDs, OIDC claim names, etc.), values define how each attribute maps to a credential claim.

type AuditLog 

type AuditLog struct {
	// Enable enables audit logging
	Enable bool `yaml:"enable" default:"false"`
	// Destinations is the list of log destinations (console/stdout, file path, or HTTP URL)
	Destinations []string `` /* 147-byte string literal not displayed */
	// FileSyncInterval controls fsync behavior for file destinations.
	// 0 = fsync after every write (strict durability, lower throughput).
	// >0 = periodic batched fsync at the given interval (better throughput, bounded data-loss window).
	// Has no effect on console or webhook destinations.
	FileSyncInterval time.Duration `yaml:"file_sync_interval" default:"5s"`
}

AuditLog holds audit log configuration for multiple destinations

type AuthProvidersSecrets added in v0.5.7 

type AuthProvidersSecrets struct {
	OIDC OIDCRPSecrets `yaml:"oidc,omitempty"`
}

AuthProvidersSecrets holds secrets for auth providers

type AuthorizationPageCSSConfig 

type AuthorizationPageCSSConfig struct {
	// CustomCSS is inline CSS that will be injected into the authorization page
	// Allows deployers to override default styling without modifying templates
	CustomCSS string `yaml:"custom_css,omitempty"`

	// CSSFile is a path to an external CSS file to include
	// If both CustomCSS and CSSFile are provided, both are included
	CSSFile string `yaml:"css_file,omitempty"`

	// Theme sets predefined color scheme: "light" (default), "dark", "blue", "purple"
	Theme string `yaml:"theme,omitempty" validate:"omitempty,oneof=light dark blue purple" default:"light"`

	// PrimaryColor overrides the primary brand color
	PrimaryColor string `yaml:"primary_color,omitempty" doc_example:"\"#667eea\""`

	// SecondaryColor overrides the secondary brand color
	SecondaryColor string `yaml:"secondary_color,omitempty" doc_example:"\"#764ba2\""`

	// LogoURL provides a URL to a custom logo image
	LogoURL string `yaml:"logo_url,omitempty"`

	// Title overrides the page title (default: "Wallet Authorization")
	Title string `yaml:"title,omitempty"`

	// Subtitle overrides the page subtitle
	Subtitle string `yaml:"subtitle,omitempty"`
}

AuthorizationPageCSSConfig allows deployers to customize the authorization page styling

type Branding 

type Branding struct {
	// LogoPath is the file path to a custom logo PNG image; when empty, the built-in SUNET logo is used
	LogoPath string `yaml:"logo_path,omitempty" validate:"omitempty,image_png"`
	// FaviconPath is the file path to a custom favicon PNG image; when empty, the built-in SUNET favicon is used
	FaviconPath string `yaml:"favicon_path,omitempty" validate:"omitempty,image_png"`
}

Branding holds custom branding paths for logo and favicon

type CORS 

type CORS struct {
	// AllowedOrigins is the list of allowed CORS origins
	AllowedOrigins []string `` /* 126-byte string literal not displayed */
}

CORS holds the CORS configuration

type Cfg 

type Cfg struct {
	Common   *Common   `yaml:"common"`
	APIGW    *APIGW    `yaml:"apigw" validate:"omitempty"`
	Issuer   *Issuer   `yaml:"issuer" validate:"omitempty"`
	Verifier *Verifier `yaml:"verifier" validate:"omitempty"`
	Registry *Registry `yaml:"registry" validate:"omitempty"`
}

Cfg is the main configuration structure for this application

func (*Cfg) ApplySecrets 

func (cfg *Cfg) ApplySecrets(secrets *Secrets)

ApplySecrets applies secret values from the Secrets struct onto the Cfg. Only non-empty secret values are applied.

func (*Cfg) ClearSecrets 

func (cfg *Cfg) ClearSecrets()

ClearSecrets zeroes out all secret fields in the main config. Called when a secret file is used, to ensure config.yaml secrets are not used.

func (*Cfg) GetCredentialMetadata added in v0.5.7 

func (c *Cfg) GetCredentialMetadata(scope string) *CredentialMetadata

GetCredentialMetadata returns the credential constructor for a given scope

func (*Cfg) GetFormatForScope 

func (c *Cfg) GetFormatForScope(scope string) string

GetFormatForScope returns the credential format for the given scope key. Returns empty string if the scope is not found in credentials.

func (*Cfg) GetOpenID4VPAuth added in v0.5.7 

func (c *Cfg) GetOpenID4VPAuth(scope string) *OpenID4VPCredentialAuth

GetOpenID4VPAuth returns the OpenID4VP authentication config for a credential type, or nil if not found.

func (*Cfg) LookupCredentialSources added in v0.5.7 

func (c *Cfg) LookupCredentialSources(scope string) ([]CredentialSource, error)

LookupCredentialSources returns full data source information for a credential type across all data sources where it is configured. Returns an error if the credential type is not configured in any DataSource.

func (*Cfg) ResolveVCTUrls 

func (cfg *Cfg) ResolveVCTUrls(apigwPublicURL string) error

ResolveVCTUrls computes the URL-based VCT for each credential metadata entry and stores it in VCTURL. VCTM.VCT, VCTMRaw, and Integrity are left unchanged — the served VCTM document preserves the original VCT identifier from the VCTM file (e.g. a URN). For local VCTMs the URL is built from apigwPublicURL + /type-metadata/{scope}. For external VCTMs the VCTMUrl is used.

func (*Cfg) VCTIdentifiersForScopes 

func (c *Cfg) VCTIdentifiersForScopes(scopes []string) []string

VCTIdentifiersForScopes resolves a list of scope keys to the original VCT identifiers from the VCTM (e.g. URNs). Scopes without a loaded VCTM are silently skipped.

func (*Cfg) VCTUrlsForScopes 

func (c *Cfg) VCTUrlsForScopes(scopes []string) []string

VCTUrlsForScopes resolves a list of scope keys to their resolved VCT URLs. Scopes without a loaded VCTM are silently skipped.

type Common 

type Common struct {
	// Production enables production mode
	Production *bool `yaml:"production" default:"true"`
	// Log is the logging configuration
	Log Log `yaml:"log"`
	// Mongo is the MongoDB configuration
	Mongo Mongo `yaml:"mongo" validate:"omitempty"`
	// Tracing is the OpenTelemetry tracing configuration
	Tracing OTEL `yaml:"tracing" validate:"omitempty"`
	// Kafka is the Kafka message broker configuration
	Kafka Kafka `yaml:"kafka" validate:"omitempty"`
	// SecretFilePath is the path to a separate YAML file containing secrets; when set, secret values in config.yaml are cleared and only non-empty fields from the secrets file are applied.
	SecretFilePath string `yaml:"secret_file_path,omitempty" doc_example:"\"/etc/vc/secrets.yaml\""`
	// HA configures high-availability mode. When Enable is true, caches use MongoDB
	// (Common.Mongo.URI) instead of in-memory storage so state is shared across instances.
	HA HAConfig `yaml:"ha" validate:"omitempty"`

	// Branding holds custom branding configuration (logo and favicon paths)
	Branding Branding `yaml:"branding"`

	// CredentialMetadata maps OAuth2 scope values to their credential configuration, required by apigw, issuer, and verifier
	// Key: OAuth2 scope (e.g., "pid", "ehic", "diploma") - matches AuthorizationContext.Scope
	// Each entry contains the VCTM reference, format, and other configuration for that credential type
	CredentialMetadata map[string]*CredentialMetadata `yaml:"credential_metadata" validate:"omitempty,dive" doc_key:"credential scope"`
}

Common holds the shared configuration used across all services

type CommonSecrets 

type CommonSecrets struct {
	Mongo MongoSecrets `yaml:"mongo,omitempty"`
}

CommonSecrets holds secrets from the common section

type CompleteDocument 

type CompleteDocument struct {
	Meta               *MetaData      `json:"meta,omitempty" bson:"meta" validate:"required"`
	IdentityMappingIDs []string       `json:"identity_mapping_ids,omitempty" bson:"identity_mapping_ids" validate:"required,min=1"`
	DocumentData       map[string]any `json:"document_data,omitempty" bson:"document_data" validate:"required"`
}

CompleteDocument is a generic type for upload

type CredentialDisplayConfig 

type CredentialDisplayConfig struct {
	// Enable allows users to optionally view credential details before completing authorization
	// When enabled, a checkbox appears on the authorization page
	Enable bool `yaml:"enable" default:"false"`

	// RequireConfirmation forces users to review credentials before proceeding
	// When true, the credential display step is mandatory (checkbox is pre-checked and disabled)
	RequireConfirmation bool `yaml:"require_confirmation" default:"false"`

	// ShowRawCredential displays the raw VP token/credential in the display page
	// Useful for debugging and technical users
	ShowRawCredential bool `yaml:"show_raw_credential" default:"false"`

	// ShowClaims displays the parsed claims that will be sent to the RP
	// Recommended for transparency and user consent
	ShowClaims *bool `yaml:"show_claims" default:"true"`

	// AllowEdit allows users to redact certain claims before sending to RP (future feature)
	// Currently not implemented
	AllowEdit bool `yaml:"allow_edit,omitempty" default:"false"`
}

CredentialDisplayConfig controls whether and how credentials are displayed before being sent to RP

type CredentialMetadata added in v0.5.7 

type CredentialMetadata struct {
	// VCTMFilePath is the path to a local VCTM JSON file.
	// When set, apigw will publish the VCTM at /type-metadata/:scope.
	// Mutually exclusive with VCTMUrl (one of the two is required).
	VCTMFilePath string `yaml:"vctm_file_path" json:"-" validate:"required_without=VCTMUrl"`
	// VCTMUrl is the URL where the VCTM is already published externally.
	// When set, the VCTM is fetched from this URL at startup for internal use
	// but NOT re-published by apigw.
	// Mutually exclusive with VCTMFilePath (one of the two is required).
	VCTMUrl string `yaml:"vctm_url" json:"-" validate:"required_without=VCTMFilePath,omitempty,url"`

	VCTM *sdjwtvc.VCTM `yaml:"-" json:"-"`
	// Format is the credential format to issue
	Format string `yaml:"format" json:"format" validate:"required" doc_example:"\"vc+sd-jwt\""`
	// Attributes maps claim names to their source fields and transformation rules for credential issuance
	Attributes map[string]map[string][]string `yaml:"attributes" json:"attributes_v2" validate:"omitempty,dive,required"`

	// VCTMRaw holds the raw JSON bytes of the VCTM document for serving
	// via /type-metadata/:scope. Only populated for local VCTMs (VCTMFilePath).
	VCTMRaw []byte `yaml:"-" json:"-"`

	// Integrity is the SRI hash of the VCTM document (e.g. "sha256-...").
	// Computed once in LoadVCTMetadata and used for vct#integrity in issued credentials.
	Integrity string `yaml:"-" json:"-"`

	// VCTURL is the published URL where the VCTM is served.
	// Set by ResolveVCTUrls for both local and external VCTMs.
	VCTURL string `yaml:"-" json:"-"`
	// contains filtered or unexported fields
}

func (*CredentialMetadata) GetAttributes added in v0.5.7 

func (c *CredentialMetadata) GetAttributes() map[string]map[string][]string

GetAttributes returns the derived attributes under a read lock.

func (*CredentialMetadata) GetIntegrity added in v0.5.7 

func (c *CredentialMetadata) GetIntegrity() string

GetIntegrity returns the SRI integrity hash of the VCTM under a read lock.

func (*CredentialMetadata) GetVCTM added in v0.5.7 

func (c *CredentialMetadata) GetVCTM() *sdjwtvc.VCTM

GetVCTM returns the cached VCTM under a read lock so it is safe to call concurrently with the background refresh loop.

func (*CredentialMetadata) GetVCTMRaw added in v0.5.7 

func (c *CredentialMetadata) GetVCTMRaw() []byte

GetVCTMRaw returns the raw VCTM JSON bytes under a read lock.

func (*CredentialMetadata) GetVCTURL added in v0.5.7 

func (c *CredentialMetadata) GetVCTURL() string

GetVCTURL returns the published URL where the VCTM is served.

func (*CredentialMetadata) IsLocalVCTM added in v0.5.7 

func (c *CredentialMetadata) IsLocalVCTM() bool

IsLocalVCTM returns true when the VCTM is loaded from a local file (i.e. apigw should publish it at /type-metadata/:scope).

func (*CredentialMetadata) LoadVCTMetadata added in v0.5.7 

func (c *CredentialMetadata) LoadVCTMetadata(ctx context.Context, scope string) error

The scope parameter is used only for error messages.

type CredentialOfferWallets 

type CredentialOfferWallets struct {
	// Label is the display label for the wallet
	Label string `yaml:"label" validate:"required"`
	// RedirectURI is the wallet redirect URI
	RedirectURI string `yaml:"redirect_uri" validate:"required" doc_example:"\"eudi-wallet://credential-offer\""`
}

CredentialOfferWallets holds wallet redirect configuration

type CredentialOffers 

type CredentialOffers struct {
	// IssuerURL is the issuer URL for credential offers
	IssuerURL string `yaml:"issuer_url" validate:"required"`
	// Wallets holds wallet redirect configurations
	Wallets map[string]CredentialOfferWallets `yaml:"wallets" validate:"required" doc_key:"wallet name"`
}

CredentialOffers holds credential offer configurations

type CredentialSource added in v0.5.7 

type CredentialSource struct {
	DataSource   DataSourceType
	AuthProvider string
	RemoteName   string // only for external_api
}

CredentialSource describes where a credential's data comes from and how the user authenticates.

type DataSourceType added in v0.5.7 

type DataSourceType string

DataSourceType identifies which data source a credential type belongs to. 

const (
	DataSourceDatastore   DataSourceType = "datastore"
	DataSourceAssertion   DataSourceType = "assertion"
	DataSourceExternalAPI DataSourceType = "external_api"
)

type DataSources added in v0.5.7 

type DataSources struct {
	// Datastore configures credential types backed by a pre-loaded datastore (e.g. MongoDB)
	Datastore DatastoreConfig `yaml:"datastore,omitempty"`

	// Assertion configures credential types backed by authentication assertions
	// (SAML attributes or OIDC claims)
	Assertion AssertionConfig `yaml:"assertion,omitempty"`

	// ExternalAPI configures credential types backed by an external API
	// Each credential references a named remote defined in APIGW.Remotes
	ExternalAPI ExternalAPIConfig `yaml:"external_api,omitempty"`
}

DataSources groups all data source configurations for credential issuance. Each key under a data source is a credential type.

func (*DataSources) LookupCredentialSources added in v0.5.7 

func (ds *DataSources) LookupCredentialSources(credentialType string) ([]CredentialSource, error)

LookupCredentialSources finds all data sources where a credential type is configured. A credential type can appear in multiple data sources with different auth providers. Returns an error if the credential type is not found in any data source.

func (*DataSources) ResolveDataSource added in v0.5.7 

func (ds *DataSources) ResolveDataSource(credentialType, authProvider string) (CredentialSource, error)

ResolveDataSource returns the data source for a credential type given the auth provider that was used. A credential can exist in multiple data sources but only one will have the matching auth provider.

type DatastoreConfig added in v0.5.7 

type DatastoreConfig struct {
	// Scopes maps credential scope names to their datastore configuration
	Scopes map[string]DatastoreScope `yaml:"scopes,omitempty" doc_key:"credential scope"`

	// Import configures automatic data import from JSON files at startup.
	// When configured, APIGW reads JSON files and imports them into the
	// datastore on first startup (skipped if data already exists).
	Import *DatastoreImport `yaml:"import,omitempty"`
}

DatastoreConfig groups datastore credential scopes and optional data import settings.

type DatastoreImport added in v0.5.7 

type DatastoreImport struct {
	// FilePaths lists JSON files to import into the datastore.
	// Each JSON file should contain a map of person IDs to CompleteDocument objects.
	// Import is skipped if the datastore already contains data.
	FilePaths []string `yaml:"file_paths" validate:"required,min=1" doc_example:"[\"./bootstrapping/pid.json\", \"./bootstrapping/ehic.json\"]"`

	// Users limits which person IDs to import. If empty, all persons are imported.
	Users []string `yaml:"users,omitempty" doc_example:"[\"100\", \"102\"]"`
}

DatastoreImport configures automatic import of JSON fixture data into the datastore.

type DatastoreScope added in v0.5.7 

type DatastoreScope struct {
	// AuthProvider is the auth provider for this credential type (openid4vp, saml, or oidc)
	AuthProvider string `yaml:"auth_provider" validate:"required,oneof=openid4vp saml oidc"`

	// AuthClaims lists the normalized claim names used for datastore identity lookup.
	// These names must match the BSON field names under "identities." in the datastore.
	// Use attribute_mappings (in auth_providers) to normalize provider-specific attribute
	// names (e.g. SAML urn:oid:2.5.4.42, eIDAS date_of_birth) to these canonical names.
	// Available identity fields: given_name, family_name, birth_date, birth_place,
	// authentic_source_person_id, personal_administrative_number.
	AuthClaims []string `yaml:"auth_claims,omitempty" doc_example:"[given_name, family_name, birth_date]"`

	// AuthScopes lists credential keys whose VCTs are acceptable for wallet authentication (for OpenID4VP)
	AuthScopes []string `yaml:"auth_scopes,omitempty" doc_example:"[pid]"`
}

DatastoreScope configures a credential type backed by the datastore.

func (*DatastoreScope) ExtractIdentityClaims added in v0.5.7 

func (d *DatastoreScope) ExtractIdentityClaims(claims map[string]any) map[string]string

ExtractIdentityClaims extracts identity field values from a claims map using the configured auth_claims. The claim names are used directly as BSON field names in the datastore query (e.g. "given_name" → identities.given_name).

type DigitalCredentialsConfig 

type DigitalCredentialsConfig struct {
	// Enable toggles W3C Digital Credentials API support in browser
	Enable bool `yaml:"enable" default:"false"`

	// UseJAR enables JWT Authorization Request (JAR) for wallet communication
	// When true, request objects are signed JWTs instead of plain JSON
	UseJAR bool `yaml:"use_jar" default:"false"`

	// PreferredFormats specifies the order of preference for credential formats
	// Supported values: "vc+sd-jwt", "dc+sd-jwt", "mso_mdoc"
	// Default: ["vc+sd-jwt", "dc+sd-jwt", "mso_mdoc"]
	PreferredFormats []string `yaml:"preferred_formats,omitempty" default:"[\"vc+sd-jwt\", \"dc+sd-jwt\", \"mso_mdoc\"]"`

	// ResponseMode specifies the OpenID4VP response mode for DC API flows
	// Supported values: "dc_api.jwt" (encrypted), "direct_post.jwt" (signed), "direct_post"
	// Default: "dc_api.jwt"
	ResponseMode string `yaml:"response_mode,omitempty" validate:"omitempty,oneof=dc_api.jwt direct_post.jwt direct_post" default:"dc_api.jwt"`

	// AllowQRFallback enables automatic fallback to QR code if DC API is unavailable
	// Default: true
	AllowQRFallback *bool `yaml:"allow_qr_fallback" default:"true"`

	// DeepLinkScheme for mobile wallet integration
	DeepLinkScheme string `yaml:"deep_link_scheme,omitempty" doc_example:"\"eudi-wallet://\""`
}

DigitalCredentialsConfig holds W3C Digital Credentials API configuration

type Document 

type Document struct {
	Meta         *MetaData `json:"meta,omitempty" bson:"meta" validate:"required"`
	DocumentData any       `json:"document_data" bson:"document_data" validate:"required"`
}

Document is a generic type for get document

type DocumentList 

type DocumentList struct {
	Meta *MetaData `json:"meta,omitempty" bson:"meta" validate:"required"`
}

DocumentList is a generic type for document list

type ExternalAPIConfig added in v0.5.7 

type ExternalAPIConfig struct {
	// Scopes maps credential scope names to their external API configuration
	Scopes map[string]ExternalAPIScope `yaml:"scopes,omitempty" doc_key:"credential scope"`
}

ExternalAPIConfig groups external API credential scopes.

type ExternalAPIScope added in v0.5.7 

type ExternalAPIScope struct {
	// Remote is the name of a remote defined in Remotes
	Remote string `yaml:"remote" validate:"required"`

	// AuthProvider is the auth provider to identify the user (saml or oidc)
	AuthProvider string `yaml:"auth_provider" validate:"required,oneof=saml oidc"`

	// AttributeMapping defines how to map API response data to credential claims
	AttributeMapping AttributeMapping `yaml:"attribute_mapping,omitempty" doc_key:"attribute"`
}

ExternalAPIScope configures a credential type backed by an external API.

type GRPCClientTLS 

type GRPCClientTLS struct {
	// Addr is the gRPC server address
	Addr string `yaml:"addr" validate:"required" doc_example:"\"issuer:8090\""`
	// TLS enables TLS
	TLS bool `yaml:"tls" default:"false"`
	// CertFilePath is the client certificate for mTLS
	CertFilePath string `yaml:"cert_file_path"`
	// KeyFilePath is the client private key for mTLS
	KeyFilePath string `yaml:"key_file_path"`
	// CAFilePath is the CA certificate to verify the server
	CAFilePath string `yaml:"ca_file_path"`
	// ServerName is the server name for TLS verification (optional)
	ServerName string `yaml:"server_name"`
}

GRPCClientTLS holds mTLS configuration for gRPC client connections

type GRPCServer 

type GRPCServer struct {
	// Addr is the gRPC server listen address
	Addr string `yaml:"addr" validate:"required" default:":8090"`
	// TLS holds the mTLS configuration
	TLS GRPCTLS `yaml:"tls,omitempty"`
}

GRPCServer holds the gRPC server configuration

type GRPCTLS 

type GRPCTLS struct {
	Enable                    bool              `yaml:"enable" default:"false"`
	CertFilePath              string            `yaml:"cert_file_path" validate:"required_if=Enable true" default:"/pki/grpc_server.crt"` // Server certificate
	KeyFilePath               string            `yaml:"key_file_path" validate:"required_if=Enable true" default:"/pki/grpc_server.key"`  // Server private key
	ClientCAPath              string            `yaml:"client_ca_path" validate:"required_if=Enable true" default:"/pki/client_ca.crt"`   // CA to verify client certificates (for mTLS)
	AllowedClientFingerprints map[string]string `yaml:"allowed_client_fingerprints" doc_example:"a1b2c3...: issuer-prod"`                 // SHA256 fingerprint -> friendly name
	AllowedClientDNs          map[string]string `yaml:"allowed_client_dns" doc_example:"apigw-prod: CN=apigw,O=SUNET"`                    // Friendly name -> Certificate Subject DN
}

GRPCTLS holds the mTLS configuration for gRPC server

type HAConfig 

type HAConfig struct {
	// Enable enables HA mode; when true caches are backed by MongoDB instead of in-memory storage.
	Enable bool `yaml:"enable" default:"false"`
	// CacheDatabaseName is the MongoDB database name used for caches.
	CacheDatabaseName string `yaml:"cache_database_name" default:"vc_cache"`
}

HAConfig holds the high-availability configuration

type Health 

type Health struct {
	ServiceName string   `json:"service_name,omitempty"`
	Probes      []*Probe `json:"probes,omitempty"`
	Status      string   `json:"status,omitempty"`
}

Health contains status for each service

type Identity 

type Identity struct {
	// required: true
	// example: 65636cbc-c03f-11ee-8dc4-67135cc9bd8a
	AuthenticSourcePersonID string `json:"authentic_source_person_id,omitempty" bson:"authentic_source_person_id" validate:"required,max=128,printascii"`

	// required: true
	// example: Svensson
	FamilyName string `json:"family_name" bson:"family_name" validate:"required,min=1,max=100,printascii"`

	// required: true
	// example: Magnus
	GivenName string `json:"given_name" bson:"given_name" validate:"required,min=1,max=100,printascii"`

	// required: true
	// example: 1970-01-01 TODO: Day, month, and year?
	BirthDate string `json:"birth_date" bson:"birth_date" validate:"required,datetime=2006-01-02,printascii"`

	// required: true
	// example: Stockholm
	BirthPlace string `json:"birth_place,omitempty" bson:"birth_place,omitempty" validate:"omitempty,min=2,max=100,printascii"`

	// required: true
	// example: SE
	Nationality []string `json:"nationality,omitempty" bson:"nationality,omitempty" validate:"omitempty,dive,iso3166_1_alpha2"`

	// required: false
	// example: <personnummer>
	PersonalAdministrativeNumber string `` /* 140-byte string literal not displayed */

	// required: false
	// example: facial image compliant with ISO 19794-5 or ISO 39794 specifications
	Picture string `json:"picture,omitempty" bson:"picture,omitempty"`

	BirthFamilyName string `json:"birth_family_name,omitempty" bson:"birth_family_name,omitempty" validate:"omitempty,min=1,max=100,printascii"`

	BirthGivenName string `json:"birth_given_name,omitempty" bson:"birth_given_name,omitempty" validate:"omitempty,min=1,max=100,printascii"`

	// required: false
	// example: 0 = not known, 1 = male, 2 = female, ...
	Sex string `json:"sex,omitempty" bson:"sex,omitempty" validate:"omitempty,oneof=0 1 2 3 4 5 6 7 8 9"`

	// required: false
	// example: <email-address>
	EmailAddress string `json:"email_address,omitempty" bson:"email_address,omitempty" validate:"omitempty,email"`

	// required: false
	// example: <+mobile-phone-number>
	MobilePhoneNumber string `json:"mobile_phone_number,omitempty" bson:"mobile_phone_number,omitempty" validate:"omitempty,e164"`

	// required: false
	// example: 221b Baker street
	ResidentAddress string `json:"resident_address,omitempty" bson:"resident_address,omitempty" validate:"omitempty,printascii"`

	// required: false
	// example: Baker street
	ResidentStreetAddress string `` /* 127-byte string literal not displayed */

	// required: false
	// example: 221b
	ResidentHouseNumber string `json:"resident_house_number,omitempty" bson:"resident_house_number,omitempty" validate:"omitempty,printascii"`

	// required: false
	// example: W1U 6SG
	ResidentPostalCode string `json:"resident_postal_code,omitempty" bson:"resident_postal_code,omitempty" validate:"omitempty,printascii"`

	// required: false
	// example: London
	ResidentCity string `json:"resident_city,omitempty" bson:"resident_city,omitempty" validate:"omitempty,printascii"`
	// required: false
	// example: england
	ResidentState string `json:"resident_state,omitempty" bson:"resident_state,omitempty" validate:"omitempty,printascii"`
	// required: false
	// example: England
	ResidentCountry string `json:"resident_country,omitempty" bson:"resident_country,omitempty" validate:"omitempty,iso3166_1_alpha2"`

	AgeOver14 string `json:"age_over_14,omitempty" bson:"age_over_14,omitempty"`

	AgeOver16 bool `json:"age_over_16,omitempty" bson:"age_over_16,omitempty"`

	AgeOver18 bool `json:"age_over_18,omitempty" bson:"age_over_18,omitempty"`

	AgeOver21 bool `json:"age_over_21,omitempty" bson:"age_over_21,omitempty"`

	AgeOver65 bool `json:"age_over_65,omitempty" bson:"age_over_65,omitempty"`

	AgeInYears int `json:"age_in_years,omitempty" bson:"age_in_years,omitempty"`

	AgeBirthYear int `json:"age_birth_year,omitempty" bson:"age_birth_year,omitempty"`

	// required: false
	// example:
	IssuingAuthority string `json:"issuing_authority,omitempty" bson:"issuing_authority,omitempty" validate:"omitempty,printascii"`
	// required: false
	// example:
	IssuingCountry string `json:"issuing_country,omitempty" bson:"issuing_country,omitempty" validate:"omitempty,iso3166_1_alpha2"`

	// required: false
	// example: Date (and if possible time)
	ExpiryDate string `json:"expiry_date,omitempty" bson:"expiry_date,omitempty" validate:"omitempty,datetime=2006-01-02"`

	IssuanceDate string `json:"issuance_date,omitempty" bson:"issuance_date,omitempty"`

	// required: false
	// example:
	DocumentNumber string `json:"document_number,omitempty" bson:"document_number,omitempty" validate:"omitempty,max=128,printascii"`

	// required: false
	// example:
	IssuingJurisdiction string `json:"issuing_jurisdiction,omitempty" bson:"issuing_jurisdiction,omitempty" validate:"omitempty,max=128,printascii"`
}

Identity identifies a person

func (*Identity) GetAgeInYears 

func (i *Identity) GetAgeInYears() (int, error)

func (*Identity) GetOver14 

func (i *Identity) GetOver14() (bool, error)

func (*Identity) GetOver16 

func (i *Identity) GetOver16() (bool, error)

func (*Identity) GetOver18 

func (i *Identity) GetOver18() (bool, error)

func (*Identity) GetOver21 

func (i *Identity) GetOver21() (bool, error)

func (*Identity) GetOver65 

func (i *Identity) GetOver65() (bool, error)

func (*Identity) Marshal 

func (i *Identity) Marshal() (map[string]any, error)

Marshal marshals the document to a map

Example 
package main

import (
	"fmt"

	"github.com/SUNET/vc/pkg/model"
)

func main() {
	identity := &model.Identity{
		FamilyName: "Svensson",
		GivenName:  "Magnus",
		BirthDate:  "1970-01-01",
	}

	doc, err := identity.Marshal()
	if err != nil {
		fmt.Println("error:", err)
		return
	}

	fmt.Println("family_name:", doc["family_name"])
	fmt.Println("given_name:", doc["given_name"])
	fmt.Println("birth_date:", doc["birth_date"])
}

Output:
family_name: Svensson
given_name: Magnus
birth_date: 1970-01-01

type IdentityMapping added in v0.5.7 

type IdentityMapping struct {
	// AuthenticSourcePersonID is the unique identifier for this entity within the authentic source
	AuthenticSourcePersonID string `json:"authentic_source_person_id" bson:"authentic_source_person_id" validate:"required,max=128,printascii"`

	// AuthenticSource is the source system that owns this identity
	AuthenticSource string `json:"authentic_source" bson:"authentic_source" validate:"required,max=128,printascii"`

	// Attributes holds identity attributes used for resolution (e.g. family_name, given_name, birth_date)
	Attributes map[string]string `json:"attributes,omitempty" bson:"attributes" validate:"omitempty,dive,keys,safe_key,endkeys"`

	// CreatedAt is the timestamp when the mapping was created
	CreatedAt time.Time `json:"created_at" bson:"created_at"`
}

IdentityMapping represents an identity stored in the "identity_mappings" collection. Documents reference these by AuthenticSourcePersonID in their IdentityMappingIDs []string field.

type IdentityMappingImport added in v0.5.7 

type IdentityMappingImport struct {
	// FilePaths lists JSON files containing identity mappings to import.
	// Each JSON file should contain a map of person IDs to arrays of IdentityMapping objects.
	// Import is skipped if the identity mappings collection already contains data.
	FilePaths []string `yaml:"file_paths" validate:"required,min=1" doc_example:"[\"./bootstrapping/identity_mappings.json\"]"`

	// Users limits which person IDs to import. If empty, all persons are imported.
	Users []string `yaml:"users,omitempty" doc_example:"[\"100\", \"102\"]"`
}

IdentityMappingImport configures automatic import of identity mappings at startup.

type Issuer 

type Issuer struct {
	// APIServer is the HTTP API server configuration
	APIServer APIServer `yaml:"api_server" validate:"required"`
	// GRPCServer is the gRPC server configuration
	GRPCServer GRPCServer `yaml:"grpc_server" validate:"required"`
	// KeyConfig is the signing key configuration
	KeyConfig *pki.KeyConfig `yaml:"key_config" validate:"required"`
	// JWTAttribute holds the JWT credential attribute configuration
	JWTAttribute JWTAttribute `yaml:"jwt_attribute" validate:"required"`
	// IssuerURL is the issuer identifier URL
	IssuerURL string `yaml:"issuer_url" validate:"required" doc_example:"\"https://issuer.sunet.se\""`
	// RegistryClient is the registry gRPC client config
	RegistryClient GRPCClientTLS `yaml:"registry_client" validate:"omitempty"`
	// MDoc holds mDL/mdoc configuration
	MDoc *MDocConfig `yaml:"mdoc" validate:"omitempty"`
	// AuditLog holds audit log configuration
	AuditLog *AuditLog `yaml:"audit_log" validate:"omitempty"`
}

Issuer holds the configuration for the Issuer service that signs and issues verifiable credentials

type IssuerMetadata 

type IssuerMetadata struct {
	// AuthorizationServers lists the authorization server URLs
	AuthorizationServers []string `yaml:"authorization_servers" validate:"omitempty"`
	// DeferredCredentialEndpoint is the deferred credential endpoint
	DeferredCredentialEndpoint string `yaml:"deferred_credential_endpoint" validate:"omitempty"`
	// NotificationEndpoint is the notification endpoint
	NotificationEndpoint string `yaml:"notification_endpoint" validate:"omitempty"`
	// CryptographicBindingMethodsSupported lists the supported binding methods
	CryptographicBindingMethodsSupported []string `yaml:"cryptographic_binding_methods_supported" validate:"omitempty"`
	// CredentialSigningAlgValuesSupported lists the supported signing algorithms
	CredentialSigningAlgValuesSupported []string `yaml:"credential_signing_alg_values_supported" validate:"omitempty"`
	// ProofSigningAlgValuesSupported lists the supported proof algorithms
	ProofSigningAlgValuesSupported []string `yaml:"proof_signing_alg_values_supported" validate:"omitempty"`
	// CredentialResponseEncryption holds the response encryption configuration
	CredentialResponseEncryption *openid4vci.MetadataCredentialResponseEncryption `yaml:"credential_response_encryption" validate:"omitempty"`
	// BatchCredentialIssuance holds the batch issuance configuration
	BatchCredentialIssuance *openid4vci.BatchCredentialIssuance `yaml:"batch_credential_issuance" validate:"omitempty"`
	// Display holds the display metadata
	Display []openid4vci.MetadataDisplay `yaml:"display" validate:"omitempty"`
}

IssuerMetadata holds the OpenID4VCI issuer metadata configuration

func (*IssuerMetadata) Generate 

func (cfg *IssuerMetadata) Generate(ctx context.Context, publicURL string, credentials map[string]*CredentialMetadata) (*openid4vci.CredentialIssuerMetadataParameters, error)

Generate generates issuer metadata from configuration. Returns unsigned metadata that should be signed on-demand in the endpoint handler for freshness.

type JWTAttribute 

type JWTAttribute struct {
	// Issuer of the token
	Issuer string `yaml:"issuer" validate:"required" doc_example:"https://issuer.sunet.se"`

	// StaticHost is the static host of the issuer, expose static files, like pictures.
	StaticHost string `yaml:"static_host" validate:"omitempty"`

	// EnableNotBefore states the time not before which the token is valid
	EnableNotBefore bool `yaml:"enable_not_before" default:"false"`

	// Valid duration of the token in seconds
	ValidDuration int64 `yaml:"valid_duration" validate:"required_with=EnableNotBefore" default:"3600"`

	// VerifiableCredentialType URL
	VerifiableCredentialType string `yaml:"verifiable_credential_type" validate:"required" doc_example:"https://credential.sunet.se/identity_credential"`

	// Status status of the Verifiable Credential
	Status string `yaml:"status"`

	// Kid key id of the signing key
	Kid string `yaml:"kid"`
}

JWTAttribute holds the jwt attribute configuration. In a later state this should be placed under authentic source in order to issue credentials based on that configuration.

type Kafka 

type Kafka struct {
	// Enable enables Kafka integration
	Enable bool `yaml:"enable" default:"false"`
	// Brokers is the list of Kafka broker addresses
	Brokers []string `yaml:"brokers" validate:"required" doc_example:"[\"kafka0:9092\", \"kafka1:9092\"]"`
}

Kafka holds the Kafka message broker configuration

type Leaf 

type Leaf struct {
	gorm.Model
	Value []byte
}

Leaf is the database model of a leaf

type Leafs 

type Leafs []*Leaf

Leafs is the database model of a leafs

func (Leafs) Array 

func (l Leafs) Array() [][]byte

Array returns the leafs as an byte array of arrays

func (Leafs) Empty 

func (l Leafs) Empty() bool

Empty returns true if the leafs are empty

type Log 

type Log struct {
	// FolderPath is the path to the log folder
	FolderPath string `yaml:"folder_path" doc_example:"\"/var/log/vc\""`
}

Log holds the logging configuration

type MDocConfig 

type MDocConfig struct {
	// CertificateChainPath is the path to the PEM certificate chain
	// TODO(pki): Consider folding into pki.KeyConfig.ChainPath to unify certificate
	// chain loading with the standard key material configuration pattern.
	CertificateChainPath string `yaml:"certificate_chain_path" validate:"required"`
	// DefaultValidity is the default credential validity (default: 365 days)
	DefaultValidity time.Duration `yaml:"default_validity" default:"8760h"`
	// DigestAlgorithm is the digest algorithm: "SHA-256", "SHA-384", or "SHA-512"
	DigestAlgorithm string `yaml:"digest_algorithm" default:"SHA-256"`
}

MDocConfig holds mDL (ISO 18013-5) issuer configuration

type MetaData 

type MetaData struct {
	// required: true
	// example: SUNET
	AuthenticSource string `json:"authentic_source,omitempty" bson:"authentic_source" validate:"required,max=128,printascii"`

	// Scope is the credential configuration ID scope
	// required: false
	// example: "ehic", "pda1"
	Scope string `json:"scope,omitempty" bson:"scope" validate:"required,max=128,printascii"`

	// required: false
	// example: 5e7a981c-c03f-11ee-b116-9b12c59362b9
	DocumentID string `json:"document_id,omitempty" bson:"document_id" validate:"omitempty,max=128,printascii"`

	// required: false
	// example: file://path/to/schema.json or http://example.com/schema.json
	// format: string
	DocumentDataValidationRef string `json:"document_data_validation,omitempty" bson:"document_data_validation" validate:"omitempty,max=128,printascii"`

	// CreatedAt is the timestamp when the document was created
	CreatedAt time.Time `json:"created_at" bson:"created_at"`

	// ValidNotAfter is an optional expiration timestamp for administrative purposes.
	// Documents past this time should not be used.
	ValidNotAfter *time.Time `json:"valid_not_after,omitempty" bson:"valid_not_after,omitempty"`
}

MetaData is a generic type for metadata

type Mongo 

type Mongo struct {
	// URI is the MongoDB connection URI
	URI string `yaml:"uri" validate:"required" doc_example:"\"mongodb://user:password@mongo:27017/vc\""`
	// TLS enables TLS for the MongoDB connection.
	// Can also be enabled via the connection URI parameter "tls=true".
	TLS bool `yaml:"tls" default:"false"`
	// CAFilePath is the path to a PEM-encoded CA certificate used to verify
	// the MongoDB server's certificate. When empty, the system root CAs are used.
	CAFilePath string `yaml:"ca_file_path" validate:"omitempty"`
	// CertFilePath is the path to a PEM-encoded client certificate for mutual TLS (mTLS).
	// Must be set together with KeyFilePath.
	CertFilePath string `yaml:"cert_file_path" validate:"required_with=KeyFilePath"`
	// KeyFilePath is the path to a PEM-encoded client private key for mutual TLS (mTLS).
	// Must be set together with CertFilePath.
	KeyFilePath string `yaml:"key_file_path" validate:"required_with=CertFilePath"`
}

Mongo holds the MongoDB configuration

func (*Mongo) MongoClientOptions 

func (m *Mongo) MongoClientOptions() (*options.ClientOptions, error)

MongoClientOptions returns a *options.ClientOptions configured from the Mongo settings. It applies the connection URI and, when TLS is enabled, builds the appropriate *tls.Config (CA verification and/or mTLS client certificate).

type MongoSecrets 

type MongoSecrets struct {
	// URI is the MongoDB connection string, which may include authentication credentials
	URI string `yaml:"uri"`
}

MongoSecrets holds the mongo connection URI (may contain credentials)

type OAuthServer 

type OAuthServer struct {
	// TokenEndpoint is the OAuth2 token endpoint URL
	TokenEndpoint string `yaml:"token_endpoint" validate:"required" doc_example:"\"https://verifier.sunet.se/token\""`
	// Clients holds the OAuth2 client configurations
	Clients oauth2.Clients `yaml:"clients" validate:"required" doc_key:"client id"`
}

OAuthServer holds the OAuth2 server configuration

func (*OAuthServer) GenerateMetadata 

func (cfg *OAuthServer) GenerateMetadata(ctx context.Context, issuerURL string) *oauth2.AuthorizationServerMetadata

GenerateMetadata generates OAuth2 metadata from configuration. Returns unsigned metadata that should be signed on-demand in the endpoint handler for freshness.

type OIDCAuthSecrets added in v0.5.7 

type OIDCAuthSecrets struct {
	// ClientSecret is the OAuth2 client secret for the OIDC provider
	ClientSecret string `yaml:"client_secret,omitempty"`
}

OIDCAuthSecrets holds OIDC client secret for API auth

type OIDCOP added in v0.5.7 

type OIDCOP struct {
	// Issuer is the OIDC Provider identifier that appears in ID tokens and discovery metadata.
	// This identifies the verifier as an OpenID Provider.
	// Must match the 'iss' claim in all issued ID tokens.
	Issuer string `yaml:"issuer" validate:"required" doc_example:"\"https://verifier.sunet.se\""`
	// SessionDuration is the session duration in seconds
	SessionDuration int `yaml:"session_duration" validate:"required" default:"3600"`
	// CodeDuration is the authorization code duration in seconds
	CodeDuration int `yaml:"code_duration" validate:"required" default:"300"`
	// AccessTokenDuration is the access token duration in seconds
	AccessTokenDuration int `yaml:"access_token_duration" validate:"required" default:"3600"`
	// IDTokenDuration is the ID token duration in seconds
	IDTokenDuration int `yaml:"id_token_duration" validate:"required" default:"3600"`
	// RefreshTokenDuration is the refresh token duration in seconds
	RefreshTokenDuration int `yaml:"refresh_token_duration" validate:"required" default:"86400"`
	// SubjectType is the subject type: "public" or "pairwise"
	SubjectType string `yaml:"subject_type" validate:"required,oneof=public pairwise"`
	// SubjectSalt is the salt for pairwise subject generation
	SubjectSalt string `yaml:"subject_salt" validate:"required"`
	// EnableUserInfo controls whether the verifier-OP advertises a userinfo_endpoint
	// in its discovery metadata and issues access tokens that can be used there.
	// When false (default), the verifier-OP omits userinfo_endpoint from discovery
	// and does not return access/refresh tokens in the token response, since the
	// verifier has no persistent user sessions. This prevents standard RP libraries
	// from attempting to call a non-functional UserInfo endpoint.
	// Set to true only when the OP supports real UserInfo sessions.
	EnableUserInfo bool `yaml:"enable_userinfo" default:"false"`
	// StaticClients is a list of pre-configured OIDC clients
	// These clients are checked in addition to dynamically registered clients
	StaticClients []StaticOIDCClient `yaml:"static_clients,omitempty"`
}

OIDCConfig holds OIDC-specific configuration for the verifier's role as an OpenID Provider. This configures how the verifier issues ID tokens and access tokens to relying parties. Note: This is NOT related to verifiable credential issuance (see IssuerConfig for VC issuance). The signing key is shared from the parent Verifier.KeyConfig.

type OIDCOPSecrets 

type OIDCOPSecrets struct {
	// SubjectSalt is a secret value used to derive pairwise subject identifiers for OIDC clients
	SubjectSalt string `yaml:"subject_salt"`
	// StaticClients maps client_id to client_secret for static OIDC clients.
	// Only clients listed here will have their secrets applied; clients not
	// present in this map keep whatever value the main config provides (which
	// will be empty after ClearSecrets).
	StaticClients map[string]string `yaml:"static_clients,omitempty" doc_example:"<client_id>: \"<client_secret>\""`
}

OIDCOPSecrets holds OIDC OP configuration secrets

type OIDCRP added in v0.5.7 

type OIDCRP struct {
	// Enable turns on OIDC RP support (default: false)
	Enable bool `yaml:"enable" default:"false"`

	// Registration configures how the client obtains credentials from the OIDC Provider.
	// Exactly one of preconfigured or dynamic must be set:
	//   - preconfigured: pre-registered client_id and client_secret
	//   - dynamic: RFC 7591 dynamic client registration (credentials obtained at startup)
	Registration *OIDCRPRegistrationConfig `yaml:"registration" validate:"required_if=Enable true"`

	// RedirectURI is the callback URL where the OIDC Provider sends the authorization response
	RedirectURI string `yaml:"redirect_uri" validate:"required_if=Enable true" doc_example:"\"https://issuer.sunet.se/oidcrp/callback\""`

	// IssuerURL is the OIDC Provider's issuer URL for discovery
	// Used for .well-known/openid-configuration discovery
	IssuerURL string `yaml:"issuer_url" validate:"required_if=Enable true" doc_example:"\"https://accounts.google.com\""`

	// Scopes are the OAuth2/OIDC scopes to request (at least one scope is required, e.g. "openid")
	Scopes []string `yaml:"scopes" validate:"required,min=1,dive,required" default:"[\"openid\", \"profile\", \"email\"]"`

	// SessionDuration is the maximum time in seconds an in-flight OIDC authorization flow
	// (state, nonce, PKCE verifier) may remain active before it expires
	SessionDuration int `yaml:"session_duration" validate:"required" default:"300"`

	// ClientName is a human-readable name for the OIDC client, shown during dynamic registration or consent
	ClientName string `yaml:"client_name,omitempty"`
	// ClientURI is a URL to the client's homepage, used for display during consent
	ClientURI string `yaml:"client_uri,omitempty"`
	// LogoURI is a URL to the client's logo image, shown during consent screens
	LogoURI string `yaml:"logo_uri,omitempty"`
	// Contacts is a list of email addresses for responsible parties of this client
	Contacts []string `yaml:"contacts,omitempty"`
	// TosURI is a URL to the client's Terms of Service document
	TosURI string `yaml:"tos_uri,omitempty"`
	// PolicyURI is a URL to the client's Privacy Policy document
	PolicyURI string `yaml:"policy_uri,omitempty"`

	// AttributeMapping normalizes OIDC claim names to canonical claim names.
	// Optional: when omitted, OIDC claims pass through as-is (standard names already match).
	// Which normalized attributes are used depends on the data source:
	//   - assertion: VCTM determines which go into the credential
	//   - datastore: auth_claims determines which are used for DB identity lookup
	AttributeMapping AttributeMapping `yaml:"attribute_mapping,omitempty" doc_key:"attribute"`
}

OIDCRP holds OIDC Relying Party configuration for credential issuance.

type OIDCRPDynamicRegistrationConfig 

type OIDCRPDynamicRegistrationConfig struct {
	// Enable activates dynamic client registration
	Enable bool `yaml:"enable"`

	// InitialAccessToken is a bearer token for registration
	// Required by some OIDC Providers (e.g., Keycloak)
	InitialAccessToken string `yaml:"initial_access_token,omitempty" validate:"required_if=Enable true"`
}

OIDCRPDynamicRegistrationConfig configures RFC 7591 dynamic client registration. When set, client credentials are obtained automatically at startup and persisted in the database.

type OIDCRPDynamicSecrets 

type OIDCRPDynamicSecrets struct {
	// InitialAccessToken is the bearer token required by the OP for dynamic client registration
	InitialAccessToken string `yaml:"initial_access_token"`
}

OIDCRPDynamicSecrets holds dynamic registration secrets

type OIDCRPPreconfiguredConfig 

type OIDCRPPreconfiguredConfig struct {
	// Enable activates preconfigured client credentials
	Enable bool `yaml:"enable"`

	// ClientID is the OIDC client identifier
	ClientID string `yaml:"client_id" validate:"required_if=Enable true"`

	// ClientSecret is the OIDC client secret
	ClientSecret string `yaml:"client_secret" validate:"required_if=Enable true"`
}

OIDCRPPreconfiguredConfig holds pre-registered client credentials.

type OIDCRPPreconfiguredSecrets 

type OIDCRPPreconfiguredSecrets struct {
	// ClientSecret is the shared secret for the pre-configured OIDC RP client
	ClientSecret string `yaml:"client_secret"`
}

OIDCRPPreconfiguredSecrets holds pre-registered client secrets

type OIDCRPRegistrationConfig 

type OIDCRPRegistrationConfig struct {
	// Preconfigured uses pre-registered client credentials.
	// Set this when the client is already registered with the OIDC Provider.
	Preconfigured *OIDCRPPreconfiguredConfig `yaml:"preconfigured,omitempty" validate:"required_without=Dynamic,excluded_with=Dynamic"`

	// Dynamic uses RFC 7591 dynamic client registration.
	// Set this when the client should register itself at startup.
	Dynamic *OIDCRPDynamicRegistrationConfig `yaml:"dynamic,omitempty" validate:"required_without=Preconfigured,excluded_with=Preconfigured"`
}

OIDCRPRegistrationConfig configures how the client obtains its credentials. Exactly one of Preconfigured or Dynamic must be set.

type OIDCRPRegistrationSecrets 

type OIDCRPRegistrationSecrets struct {
	Preconfigured *OIDCRPPreconfiguredSecrets `yaml:"preconfigured,omitempty"`
	Dynamic       *OIDCRPDynamicSecrets       `yaml:"dynamic,omitempty"`
}

OIDCRPRegistrationSecrets holds registration secrets

type OIDCRPSecrets 

type OIDCRPSecrets struct {
	Registration OIDCRPRegistrationSecrets `yaml:"registration,omitempty"`
}

OIDCRPSecrets holds OIDC Relying Party secrets

type OTEL 

type OTEL struct {
	// Enable activates OpenTelemetry tracing
	Enable bool `yaml:"enable" default:"false"`
	// Addr is the OTEL collector address
	Addr string `yaml:"addr" validate:"required_if=Enable true" doc_example:"\"jaeger:4318\""`
	// Timeout is the timeout in seconds
	Timeout int64 `yaml:"timeout" default:"10"`
}

OTEL holds the OpenTelemetry tracing configuration

type OpenID4VPConfig 

type OpenID4VPConfig struct {
	// PresentationTimeout is the presentation timeout in seconds
	PresentationTimeout int `yaml:"presentation_timeout" validate:"required" default:"300"`
	// SupportedCredentials holds the supported credential configurations
	SupportedCredentials []SupportedCredentialConfig `yaml:"supported_credentials" validate:"required"`
	// PresentationRequestsDir is an optional directory with presentation request templates
	PresentationRequestsDir string `yaml:"presentation_requests_dir,omitempty"`
	// TokenEndpoint is the OAuth2 token endpoint URL used for VP token exchange
	TokenEndpoint string `yaml:"token_endpoint" validate:"required" doc_example:"\"https://verifier.sunet.se/token\""`
	// Clients holds the OAuth2 client configurations for RP interactions
	Clients oauth2.Clients `yaml:"clients" validate:"required" doc_key:"client id"`
}

OpenID4VPConfig holds OpenID4VP-specific configuration

func (*OpenID4VPConfig) GenerateMetadata added in v0.5.7 

func (c *OpenID4VPConfig) GenerateMetadata(ctx context.Context, issuerURL string) *oauth2.AuthorizationServerMetadata

GenerateMetadata generates OAuth2 metadata from the OpenID4VP configuration. Returns unsigned metadata that should be signed on-demand in the endpoint handler for freshness.

func (*OpenID4VPConfig) GetPresentationRequestsDir 

func (c *OpenID4VPConfig) GetPresentationRequestsDir() string

GetPresentationRequestsDir returns the presentation requests directory, or empty string if the config is nil.

func (*OpenID4VPConfig) GetSupportedCredentials 

func (c *OpenID4VPConfig) GetSupportedCredentials() []SupportedCredentialConfig

GetSupportedCredentials returns the supported credentials, or nil if the config is nil.

type OpenID4VPCredentialAuth added in v0.5.7 

type OpenID4VPCredentialAuth struct {
	// AuthScopes lists credential keys whose VCTs are acceptable for wallet authentication
	AuthScopes []string `yaml:"auth_scopes" validate:"required,min=1"`
	// AuthClaims lists identity claims to extract from the authentication credential
	AuthClaims []string `yaml:"auth_claims" validate:"required,min=1"`
}

OpenID4VPCredentialAuth holds per-credential OpenID4VP authentication requirements

type PKCS11 

type PKCS11 struct {
	// ModulePath is the path to the PKCS#11 module
	ModulePath string `yaml:"module_path" default:"/usr/lib/softhsm/libsofthsm2.so"`
	// SlotID is the HSM slot ID
	SlotID uint `yaml:"slot_id" default:"0"`
	// PIN is the PIN for HSM access
	PIN string `yaml:"pin" validate:"required"`
	// KeyLabel is the key label in HSM
	KeyLabel string `yaml:"key_label" validate:"required"`
	// KeyID is the key ID in HSM
	KeyID string `yaml:"key_id" validate:"required"`
}

PKCS11 holds PKCS#11 HSM configuration for hardware security module integration

type Probe 

type Probe struct {
	Name          string    `json:"name,omitempty"`
	Healthy       bool      `json:"healthy,omitempty"`
	Message       string    `json:"message,omitempty"`
	LastCheckedTS time.Time `json:"timestamp"`
}

Probe type

type ProbeStore 

type ProbeStore struct {
	NextCheck      time.Time
	PreviousResult *Probe
}

ProbeStore contains the previous probe result and the next time to check

type Probes 

type Probes []*apiv1_status.StatusProbe

Probes contains probes

func (Probes) Check 

func (probes Probes) Check(serviceName string) *apiv1_status.StatusReply

Check checks the status of each status, return the first that does not pass.

type Registry 

type Registry struct {
	// APIServer is the HTTP API server configuration
	APIServer APIServer `yaml:"api_server" validate:"required"`
	// PublicURL is the public URL of this service (must be valid HTTP/HTTPS URL)
	PublicURL string `yaml:"public_url" validate:"required,httpurl" doc_example:"\"https://registry.sunet.se\""`
	// GRPCServer is the gRPC server configuration
	GRPCServer GRPCServer `yaml:"grpc_server" validate:"required"`
	// TokenStatusLists holds the Token Status List configuration
	TokenStatusLists *TokenStatusLists `yaml:"token_status_lists" validate:"required"`
	// AdminGUI holds the admin GUI configuration
	AdminGUI AdminGUI `yaml:"admin_gui,omitempty" validate:"omitempty"`
}

Registry holds the configuration for the Registry service that manages credential status

type RegistrySecrets 

type RegistrySecrets struct {
	AdminGUI AdminGUISecrets `yaml:"admin_gui,omitempty"`
}

RegistrySecrets holds registry secrets

type Remote added in v0.5.7 

type Remote struct {
	// Type is the API protocol type
	Type RemoteType `yaml:"type" validate:"required,oneof=eduapi ooapi"`

	// BaseURL is the base URL of the API endpoint
	BaseURL string `yaml:"base_url" validate:"required,url" doc_example:"\"https://api.ladok.se/eduapi\""`

	// TokenURL is the OAuth 2.0 token endpoint for Client Credentials Grant
	TokenURL string `yaml:"token_url" validate:"required,url" doc_example:"\"https://api.ladok.se/oauth2/token\""`

	// ClientID is the OAuth 2.0 client identifier
	ClientID string `yaml:"client_id" validate:"required"`

	// ClientSecret is the OAuth 2.0 client secret
	ClientSecret string `yaml:"client_secret" validate:"required"`

	// Scopes are the OAuth 2.0 scopes to request
	Scopes []string `yaml:"scopes,omitempty"`

	// Timeout is the HTTP client timeout
	Timeout time.Duration `yaml:"timeout" default:"10s"`
}

Remote defines an external API connection.

type RemoteType added in v0.5.7 

type RemoteType string

RemoteType identifies the protocol type of an external API connection. 

const (
	RemoteTypeEduAPI RemoteType = "eduapi"
	RemoteTypeOOAPI  RemoteType = "ooapi"
)

type SAMLSP added in v0.5.7 

type SAMLSP struct {
	// Enable turns on SAML support (default: false)
	Enable bool `yaml:"enable" default:"false"`

	// EntityID is the SAML SP entity identifier (typically the metadata URL)
	EntityID string `yaml:"entity_id" validate:"required_if=Enable true" doc_example:"\"https://issuer.sunet.se/saml/metadata\""`

	// MetadataURL is the public URL where SP metadata is served (optional, auto-generated if empty)
	MetadataURL string `yaml:"metadata_url,omitempty"`

	// MDQServer is the base URL for MDQ (Metadata Query Protocol) server (must end with /)
	// Mutually exclusive with StaticIDPMetadata
	MDQServer string `yaml:"mdq_server,omitempty" doc_example:"\"https://md.sunet.se/entities/\""`

	// StaticIDPMetadata configures a single static IdP as alternative to MDQ
	// Mutually exclusive with MDQServer
	StaticIDPMetadata *StaticIDPConfig `yaml:"static_idp_metadata,omitempty"`

	// CertificatePath is the path to X.509 certificate for SAML signing/encryption
	// TODO(pki): Migrate to pki.KeyConfig for consistency with other services and
	// to enable HSM-backed SAML signing keys in the future.
	CertificatePath string `yaml:"certificate_path" validate:"required_if=Enable true"`

	// PrivateKeyPath is the path to private key for SAML signing/encryption
	// TODO(pki): See CertificatePath TODO — both fields would be replaced by a single KeyConfig.
	PrivateKeyPath string `yaml:"private_key_path" validate:"required_if=Enable true"`

	// ACSEndpoint is the Assertion Consumer Service URL where IdP sends SAML responses
	ACSEndpoint string `yaml:"acs_endpoint" validate:"required_if=Enable true" doc_example:"\"https://issuer.sunet.se/saml/acs\""`

	// SessionDuration is the maximum time in seconds an in-flight SAML authentication flow
	// (AuthnRequest → Response) may remain active before it expires
	SessionDuration int `yaml:"session_duration" validate:"required" default:"300"`

	// AttributeMapping normalizes provider-specific attribute names (e.g. SAML OIDs)
	// to canonical claim names. Applied to ALL attributes in the assertion.
	// Which normalized attributes are used depends on the data source:
	//   - assertion: VCTM determines which go into the credential
	//   - datastore: auth_claims determines which are used for DB identity lookup
	AttributeMapping AttributeMapping `yaml:"attribute_mapping" validate:"required_if=Enable true" doc_key:"attribute"`

	// MetadataSigningCertPath is the path to the X.509 certificate used to verify
	// metadata signatures. When set, all fetched metadata (MDQ and static) must
	// carry a valid XML signature from this certificate.
	MetadataSigningCertPath string `yaml:"metadata_signing_cert_path,omitempty"`

	// MetadataCacheTTL in seconds (default: 3600) - how long to cache IdP metadata from MDQ
	MetadataCacheTTL int `yaml:"metadata_cache_ttl"`
}

SAMLSP holds SAML Service Provider configuration for the issuer

type SearchDocumentsReply 

type SearchDocumentsReply struct {
	Documents      []*CompleteDocument `json:"documents"`
	HasMoreResults bool                `json:"has_more_results"`
}

SearchDocumentsReply the reply from search documents

type SearchDocumentsRequest 

type SearchDocumentsRequest struct {
	AuthenticSource string `json:"authentic_source,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`
	Scope           string `json:"scope,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`
	DocumentID      string `json:"document_id,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`
	CollectID       string `json:"collect_id,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`

	AuthenticSourcePersonID string `json:"authentic_source_person_id,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`

	Limit      int64          `json:"limit,omitempty" validate:"omitempty,min=0,max=1000"`
	Fields     []string       `json:"fields,omitempty" validate:"omitempty,dive,max=100,excludesall=${}[]"`
	SortFields map[string]int `json:"sort_fields,omitempty" validate:"omitempty,dive,keys,max=100,endkeys,oneof=1 -1"`
}

SearchDocumentsRequest the request to search for documents

type Secrets 

type Secrets struct {
	Common   *CommonSecrets   `yaml:"common,omitempty"`
	APIGW    *APIGWSecrets    `yaml:"apigw,omitempty"`
	Registry *RegistrySecrets `yaml:"registry,omitempty"`
	Verifier *VerifierSecrets `yaml:"verifier,omitempty"`
}

Secrets defines the structure of the separate secrets file. When Common.SecretFilePath is set, secret values in config.yaml are cleared; only non-empty fields from this file are applied. Fields omitted or left empty here remain at their zero value.

type StaticIDPConfig 

type StaticIDPConfig struct {
	// EntityID is the IdP entity identifier
	EntityID string `yaml:"entity_id" validate:"required"`

	// MetadataPath is the file path to IdP metadata XML (mutually exclusive with MetadataURL)
	MetadataPath string `yaml:"metadata_path,omitempty" validate:"required_without=MetadataURL,excluded_with=MetadataURL"`

	// MetadataURL is the HTTP(S) URL to fetch IdP metadata from (mutually exclusive with MetadataPath)
	MetadataURL string `yaml:"metadata_url,omitempty"`
}

StaticIDPConfig holds configuration for a single static IdP connection

type StaticOIDCClient 

type StaticOIDCClient struct {
	// ClientID is the unique identifier for the client
	ClientID string `yaml:"client_id" validate:"required"`
	// ClientSecret is the client secret for authentication.
	// Can be defined in the secrets file under verifier.oidc_op.static_clients
	// as a map of client_id to client_secret.
	// Required unless TokenEndpointAuthMethod is "none" (public client).
	ClientSecret string `yaml:"client_secret" validate:"required_unless=TokenEndpointAuthMethod none"`
	// RedirectURIs is the list of allowed redirect URIs for this client
	RedirectURIs []string `yaml:"redirect_uris" validate:"required,min=1,dive,redirect_uri"`
	// AllowedScopes is the list of scopes this client is allowed to request.
	// If empty, defaults to standard OIDC scopes (openid, profile, email, address, phone).
	AllowedScopes []string `yaml:"allowed_scopes,omitempty"`
	// TokenEndpointAuthMethod is the authentication method for the token endpoint.
	// Supported values: client_secret_basic, client_secret_post, none (public client)
	// Default: "client_secret_basic"
	TokenEndpointAuthMethod string `` /* 144-byte string literal not displayed */
	// GrantTypes is the list of allowed grant types.
	// Supported values: authorization_code, refresh_token
	// Default: ["authorization_code"]
	GrantTypes []string `` /* 128-byte string literal not displayed */
	// ResponseTypes is the list of allowed response types.
	// Supported values: code
	// Default: ["code"]
	ResponseTypes []string `yaml:"response_types,omitempty" default:"[\"code\"]" validate:"omitempty,dive,oneof=code"`
	// ClientName is an optional human-readable name for the client
	ClientName string `yaml:"client_name,omitempty"`
}

StaticOIDCClient defines a pre-configured OIDC client for the verifier's OIDC Provider. Static clients are configured in YAML and do not require dynamic registration. These clients are checked in addition to dynamically registered clients stored in the database.

type SupportedCredentialConfig 

type SupportedCredentialConfig struct {
	// VCT is the verifiable credential type
	VCT string `yaml:"vct" validate:"required" doc_example:"\"urn:eudi:pid:1\""`
	// Scopes are the OIDC scopes that grant access to this credential
	Scopes []string `yaml:"scopes" validate:"required"`
}

SupportedCredentialConfig maps credential types to OIDC scopes

type TLS 

type TLS struct {
	// Enable enables TLS
	Enable bool `yaml:"enable" default:"false"`
	// CertFilePath is the path to the TLS certificate
	CertFilePath string `yaml:"cert_file_path" validate:"required"`
	// KeyFilePath is the path to the TLS private key
	KeyFilePath string `yaml:"key_file_path" validate:"required"`
}

TLS holds the TLS configuration

type TokenStatusLists 

type TokenStatusLists struct {
	// KeyConfig holds the key configuration for signing Token Status List tokens.
	KeyConfig *pki.KeyConfig `yaml:"key_config" validate:"required"`
	// TokenRefreshInterval is how often (in seconds) new Token Status List tokens are generated. Default: 43200 (12 hours). Min: 301 (>5 minutes), Max: 86400 (24 hours)
	TokenRefreshInterval int64 `yaml:"token_refresh_interval" validate:"min=301,max=86400" default:"43200"`
	// SectionSize is the number of entries (decoys) per section. Default: 1000000 (1 million)
	SectionSize int64 `yaml:"section_size" default:"1000000"`
	// RateLimitRequestsPerMinute is the maximum requests per minute per IP for token status list endpoints. Default: 60
	RateLimitRequestsPerMinute int `yaml:"rate_limit_requests_per_minute" default:"60"`
}

TokenStatusLists holds the configuration for Token Status List per draft-ietf-oauth-status-list

type TrustConfig 

type TrustConfig struct {
	// PDPURL is the URL of the AuthZEN PDP (Policy Decision Point) service for trust evaluation.
	// When set, operates in "default deny" mode - trust decisions require PDP approval.
	// When empty, operates in "allow all" mode - resolved keys are always considered trusted.
	PDPURL string `yaml:"pdp_url,omitempty" doc_example:"\"https://trust.sunet.se/pdp\""`

	// LocalDIDMethods specifies which DID methods can be resolved locally without go-trust.
	// Self-contained methods like "did:key" and "did:jwk" are always resolved locally.
	LocalDIDMethods []string `yaml:"local_did_methods,omitempty" default:"[\"did:key\", \"did:jwk\"]"`

	// TrustPolicies configures per-role trust evaluation policies.
	// The key is the role (e.g., "issuer", "verifier") and the value contains policy settings.
	TrustPolicies map[string]TrustPolicyConfig `yaml:"trust_policies,omitempty" doc_key:"role"`

	// AllowedSignatureAlgorithms restricts which JWT signature algorithms are accepted.
	// If empty, defaults to a secure set: ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512, EdDSA.
	// The "none" algorithm is NEVER allowed regardless of configuration.
	AllowedSignatureAlgorithms []string `yaml:"allowed_signature_algorithms,omitempty" doc_example:"[\"ES256\", \"ES384\", \"ES512\", \"EdDSA\"]"`
}

TrustConfig holds configuration for key resolution and trust evaluation via go-trust. This is used for validating W3C VC Data Integrity proofs and other trust-related operations.

Trust evaluation operates in one of two modes:

  • When PDPURL is configured: "default deny" mode - all trust decisions go through the PDP
  • When PDPURL is empty: "allow all" mode - keys are resolved but always considered trusted

type TrustPolicyConfig 

type TrustPolicyConfig struct {
	// TrustFrameworks lists the accepted trust frameworks for this role.
	TrustFrameworks []string `yaml:"trust_frameworks,omitempty" doc_example:"[\"did:web\", \"did:ebsi\", \"etsi-tl\", \"openid-federation\", \"x509\"]"`

	// TrustAnchors specifies trusted root entities for this role.
	// Format depends on the trust framework (e.g., DID for did:web, federation entity for OpenID Fed).
	TrustAnchors []string `yaml:"trust_anchors,omitempty"`

	// RequireRevocationCheck enforces revocation status checking for this role.
	// Default: false
	RequireRevocationCheck bool `yaml:"require_revocation_check,omitempty" default:"false"`
}

TrustPolicyConfig defines trust policy settings for a specific role.

type Verifier 

type Verifier struct {
	// APIServer is the HTTP API server configuration
	APIServer APIServer `yaml:"api_server" validate:"required"`
	// PublicURL is the public URL of this service (must be valid HTTP/HTTPS URL)
	PublicURL string `yaml:"public_url" validate:"required,httpurl" doc_example:"\"https://verifier.sunet.se\""`
	// KeyConfig is the signing key configuration
	KeyConfig *pki.KeyConfig `yaml:"key_config" validate:"required"`
	// PreferredVPFormats specifies informational VP formats and algorithms supported by wallets
	PreferredVPFormats *openid4vp.VPFormatsSupported `yaml:"preferred_vp_formats,omitempty"`
	// SupportedWallets holds supported wallet configurations
	SupportedWallets map[string]string `yaml:"supported_wallets" validate:"omitempty"`
	// Inbound groups inbound credential verification
	Inbound VerifierInbound `yaml:"inbound,omitempty"`
	// Outbound groups outbound identity assertion
	Outbound VerifierOutbound `yaml:"outbound,omitempty"`
	// DigitalCredentials holds the W3C Digital Credentials API configuration
	DigitalCredentials DigitalCredentialsConfig `yaml:"digital_credentials,omitempty"`
	// AuthorizationPageCSS holds the authorization page styling configuration
	AuthorizationPageCSS AuthorizationPageCSSConfig `yaml:"authorization_page_css,omitempty"`
	// CredentialDisplay holds the credential display settings
	CredentialDisplay CredentialDisplayConfig `yaml:"credential_display,omitempty"`
	// Trust holds the trust evaluation configuration
	Trust TrustConfig `yaml:"trust,omitempty"`
}

Verifier holds the configuration for the Verifier service that verifies credentials and acts as an OIDC Provider

type VerifierInbound added in v0.5.7 

type VerifierInbound struct {
	// OpenID4VP holds the OpenID4VP configuration for accepting wallet presentations
	OpenID4VP *OpenID4VPConfig `yaml:"openid4vp" validate:"required"`
}

VerifierInbound groups inbound credential verification configuration

type VerifierOutbound added in v0.5.7 

type VerifierOutbound struct {
	// OIDCProvider holds the OIDC Provider configuration for asserting verified identity to downstream RPs
	OIDCProvider *OIDCOP `yaml:"oidc_provider,omitempty" validate:"omitempty"`
}

VerifierOutbound groups outbound identity assertion configuration

type VerifierOutboundSecrets added in v0.5.7 

type VerifierOutboundSecrets struct {
	OIDCProvider OIDCOPSecrets `yaml:"oidc_provider,omitempty"`
}

VerifierOutboundSecrets holds outbound OIDC provider secrets

type VerifierSecrets 

type VerifierSecrets struct {
	Outbound VerifierOutboundSecrets `yaml:"outbound,omitempty"`
}

VerifierSecrets holds verifier secrets

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.