Closed reinkrul closed 1 year ago
Discussed with @gerardsn:
oauth
service registered in the eOverdracht compound services (and others).oauth
service endpoint, but routing to /n2n/identity
instead of /n2n/auth/...
, thus could be derived. But it could differ (in some unforeseen situation) and might not be reachable due to strict reverse proxy config (proxying only the existing /n2n
URL).Suggestion:
oauth
service. If it is reachable (self-dial), register the DID serviceDecision:
Use SAN
from the client certificate to auto-discover the domain. Hopefully reverse proxies are using :443
and :5555
. And use the /n2n
path convention.
Migration will be a go routine continually checking DID documents to migrate. A configuration option should be available to disable this.
When creating and updating a DID Document the migration should run as well. This is a chicken and egg problem though.
When checking if a url is correct, the migration can dial the URL and check for data available at the URL. This would be an easy check for OIDC metadata. For GRPC this is a bit harder, a GRPC client could do the call and check the headers sent back.
The certificate and NodeDID config values are leading. (These will be replaced by domain for did:web)
Added benefit: NutsComm address registration is no longer required. (auto-detected)
We could check stable/acc/prd to find common patterns (e.g. :8443
).
Registry Admin Demo needs to be able to register the metadata URL.
Registry Admin Demo needs to be able to register the metadata URL.
As a fallback to the auto-migrate functionality?
It all boils down to resolving the OpenID4VCI wallet URL, when a care organization wants to issue a VC to another care organization. This endpoint is hosted by the receiving care organization's vendor, thus the wallet URL should be resolvable using the vendor's DID document. Since the wallet URL is a well-known endpoint, we'll use a base URL, from which the wallet metadata can be resolved. The care organization DID document will refer to the service on the vendor's DID document.
Given the following service in the vendor document:
{
"type": "node-http-services-baseurl",
"serviceEndpoint": "https://example.com/n2n"
}
The care organization's document will contain:
{
"type": "node-http-services-baseurl",
"serviceEndpoint": "did:nuts:1234?serviceType=node-http-services-baseurl"
}
To find the actual base URL of the DID document (for either vendor or care organization), the DID is appended to the base URL (adding a forward slash if required). To resolve specific services, well-known endpoints can be used to either resolve metadata or invoke it directly.
This is for runtime discovery. We want to automatically add these references a vendor's DID documents. The process is as follows:
I think it's missing 1 crucial check. When multiple SANs exist, the derived base url should be checked wit downloading the issuer metadata. This metadata contains the correct DID?
I think it's missing 1 crucial check. When multiple SANs exist, the derived base url should be checked wit downloading the issuer metadata. This metadata contains the correct DID?
It now executes a HTTP HEAD request to check for existence of the endpoint, since downloading the metadata while the node itself doesn't have its identifiers configured, would involve performing the same operation again, making it recursive.
Document what a vendor needs to do to start using (receiving, issuing) VCs over OpenID4VCI. Should be as little as possible.
A vendor currently needs to register a wallet metadata URL on each of its customer's DID documents, which is going to be very cumbersome when a vendor has more than a handful of customers. They also can't be updated transactionally, so keeping it synchronized is going to be tricky.
Therefore, we might want to introduce some conventions, e.g. when a DID document does not have a wallet metadata URL, look at its controllers for a wallet metadata base URL and inject/append the customer's DID into it to construct it (the wallet metadata URL).