Commit 998ddc7

PEX: Documentation on how a Policy maps Constraint Field IDs
1 parent 812017f commit 998ddc7

File tree

1 file changed

+55
-44
lines changed


docs/pages/deployment/pex.rst

Lines changed: 55 additions & 44 deletions
Original file line number | Diff line number | Diff line change
@@ -22,71 +22,82 @@ To use file-based configuration, you need to define the path to a directory that
2222
.. code-block:: yaml
2323
2424
policy:
25-
directory: /path/to/directory
25+
directory: /path/to/directory
2626
2727
All JSON files in the directory will be loaded and used to define the mapping between scopes and presentation definitions.
2828

2929
To use a policy backend, you need to add the address of the policy backend to the configuration:
3030

3131
.. code-block:: yaml
3232
33-
policy:
34-
address: http://localhost:8080
33+
policy:
34+
address: http://localhost:8080
3535
3636
You cannot define both the directory and the address in the configuration. If both are defined, an error will be raised at startup.
3737

38-
File-based configuration
39-
************************
38+
Policy Structure
39+
****************
4040

41-
JSON files used for file-based configuration must have the following structure:
41+
JSON documents used for policies must have the following structure:
4242

4343
.. code-block:: json
4444
45-
{
46-
"example_scope": {
47-
"organization": {
48-
"id": "example",
49-
"format": {
50-
"ldp_vc": {
51-
"proof_type": ["JsonWebSignature2020"]
52-
},
53-
"ldp_vp": {
54-
"proof_type": ["JsonWebSignature2020"]
55-
}
56-
},
57-
"definition": {
58-
"input_descriptors": [
59-
{
60-
"id": "1",
61-
"constraints": {
62-
"fields": [
63-
{
64-
"path": ["$.type"],
65-
"filter": {
66-
"type": "string",
67-
"const": "ExampleCredential"
68-
}
69-
}
70-
]
71-
}
72-
}
73-
]
74-
}
75-
}
76-
}
77-
}
78-
79-
Where `example_scope` is the scope that the presentation definition is associated with.
80-
The `presentation_definition` object contains the presentation definition that should be used for the given scope.
81-
The `wallet_owner_type` field is used to determine the audience type of the presentation definition, valid values are `organization` and `user`.
45+
{
46+
"example_scope": {
47+
"organization": {
48+
"id": "example",
49+
"format": {
50+
"ldp_vc": {
51+
"proof_type": ["JsonWebSignature2020"]
52+
},
53+
"ldp_vp": {
54+
"proof_type": ["JsonWebSignature2020"]
55+
}
56+
},
57+
"definition": {
58+
"input_descriptors": [
59+
{
60+
"id": "1",
61+
"constraints": {
62+
"fields": [
63+
{
64+
"id": "example_credential_type",
65+
"path": ["$.type"],
66+
"filter": {
67+
"type": "string",
68+
"const": "ExampleCredential"
69+
}
70+
}
71+
]
72+
}
73+
}
74+
]
75+
}
76+
}
77+
}
78+
}
79+
80+
Where ``example_scope`` is the scope that the presentation definition is associated with.
81+
The ``presentation_definition`` object contains the presentation definition that should be used for the given scope.
82+
The ``wallet_owner_type`` field is used to determine the audience type of the presentation definition, valid values are ``organization`` and ``user``.
83+
84+
OAuth2 Token Introspection field mapping
85+
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
86+
87+
The fields that contain an ``id`` property (e.g., ``example_credential_type`` in the example above) are returned in the OAuth2 Token Introspection response.
88+
The value of the Verifiable Credential that the matched field constraint are included in the response as claims.
89+
Writer of policies should take into consideration:
90+
- fields that are intended to be used for logging or authorization decisions should have a distinct identifier.
91+
- claims ideally map a registered claim name.
92+
- overwriting properties already defined in the token introspection endpoint response is forbidden.
8293

8394
Policy backend API definition
8495
*****************************
8596

8697
The policy backend API is defined in the `OpenAPI 3.x <https://spec.openapis.org/oas/latest.html>`_ format.
8798
The API must have the following endpoint:
8899

89-
- `GET /presentation_definitions?scope=X&authorizer=Y`: Get the presentation definition for a given scope and tenant.
100+
- ``GET /presentation_definitions?scope=X&authorizer=Y``: Get the presentation definition for a given scope and tenant.
90101

91102
The full API definition can be downloaded `here <../../_static/policy/v1.yaml>`_.
92103

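Review bot: the explanatory paragraph that follows the JSON block (new lines 80-82) is now inconsistent with the example it describes: it talks about a ``presentation_definition`` object and a ``wallet_owner_type`` field, but the structure shown above contains neither name; the scope is keyed by the audience type (``"organization": { "id": ..., "format": ..., "definition": ... }``) and the presentation definition lives under ``definition``. This change only swapped the backtick style on those lines, so please also reword them to match, e.g. "The key under the scope (``organization`` or ``user``) is the wallet owner type of the presentation definition; ``definition`` holds the presentation definition used for that scope." In the new "OAuth2 Token Introspection field mapping" subsection (new lines 87-92), the sentence "The value of the Verifiable Credential that the matched field constraint are included in the response as claims." does not parse; suggest "The value that each matched field constraint selects from the Verifiable Credential is included in the response as a claim, keyed by the field's ``id``." Also "Writer of policies" should read "Writers of policies", and "claims ideally map a registered claim name" should read "claim ``id`` values should ideally map to a registered claim name" (a link to the IANA JWT claims registry would help here). Finally, "overwriting properties already defined in the token introspection endpoint response is forbidden" should state what actually happens when a field ``id`` collides with a standard introspection property (for instance ``active`` or ``scope``): is the policy rejected at load time, or is the claim silently dropped at response time? Resource servers make authorization decisions on those properties, so the documented failure mode matters. Minor: new line 100 says the endpoint takes a "scope and tenant" while the query parameter is named ``authorizer``; use one term or say that ``authorizer`` identifies the tenant.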