model

package
v0.5.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 27, 2026 License: BSD-2-Clause Imports: 20 Imported by: 0

Documentation

Index

Examples

Constants

View Source 
const (
	AuthMethodBasic     = "basic"
	AuthMethodSAML      = "saml"
	AuthMethodOIDC      = "oidc"
	AuthMethodOpenID4VP = "openid4vp"
)
View Source 
const (
	CredentialTypeUrnEudiEhic1            = "urn:eudi:ehic:1"             // #nosec G101
	CredentialTypeUrnEudiPda11            = "urn:eudi:pda1:1"             // #nosec G101
	CredentialTypeUrnEudiPid1             = "urn:eudi:pid:1"              // #nosec G101
	CredentialTypeUrnEudiPidARF151        = "urn:eudi:pid:arf-1.5:1"      // #nosec G101
	CredentialTypeUrnEudiPidARG181        = "urn:eudi:pid:arf-1.8:1"      // #nosec G101
	CredentialTypeUrnEudiDiploma1         = "urn:eudi:diploma:1"          // #nosec G101
	CredentialTypeUrnEudiElm1             = "urn:eudi:elm:1"              // #nosec G101
	CredentialTypeUrnEudiMicroCredential1 = "urn:eudi:micro_credential:1" // #nosec G101
	CredentialTypeUrnEduID1               = "urn:credential:eduid:1"      // #nosec G101
)

Variables

View Source 
var (
	//StatusOK status ok
	StatusOK = "STATUS_OK_%s"
	// StatusFail status fail
	StatusFail = "STATUS_FAIL_%s"
)
View Source 
var (
	// BuildVariableGitCommit contains ldflags -X variable git commit hash
	BuildVariableGitCommit string = "undef"

	// BuildVariableTimestamp contains ldsflags -X variable build time
	BuildVariableTimestamp string = "undef"

	// BuildVariableGoVersion contains ldsflags -X variable go build version
	BuildVariableGoVersion string = "undef"

	// BuildVariableGoArch contains ldsflags -X variable go arch build
	BuildVariableGoArch string = "undef"

	// BuildVariableGitBranch contains ldsflags -X variable git branch
	BuildVariableGitBranch string = "undef"

	// BuildVersion contains ldsflags -X variable build version
	BuildVersion string = "undef"
)

Functions

func BoolPtr 

func BoolPtr(v bool) *bool

BoolPtr returns a pointer to the given bool value. Useful for initializing *bool fields in struct literals.

Example 
package main

import (
	"fmt"

	"github.com/SUNET/vc/pkg/model"
)

func main() {
	p := model.BoolPtr(true)
	fmt.Println(*p)
}

Output:
true

func BoolVal 

func BoolVal(b *bool, fallback bool) bool

BoolVal safely dereferences a *bool, returning the pointed-to value or the supplied fallback when the pointer is nil.

Example 
package main

import (
	"fmt"

	"github.com/SUNET/vc/pkg/model"
)

func main() {
	t := true
	fmt.Println(model.BoolVal(&t, false))
	fmt.Println(model.BoolVal(nil, false))
	fmt.Println(model.BoolVal(nil, true))
}

Output:
true
false
true

Types

type APIAuth 

type APIAuth struct {
	// BasicAuth holds the HTTP Basic authentication configuration.
	// When enabled, requests are allowed or rejected based on username/password only.
	BasicAuth APIAuthBasic `yaml:"basic_auth"`
	// JWT holds the JWT Bearer token authentication configuration.
	// When enabled, requests are validated via JWKS and optionally authorized
	// against SPOCP (S-expression) rules for fine-grained per-endpoint control.
	JWT APIAuthJWT `yaml:"jwt"`
}

APIAuth configures the authentication method for the /api/v1 route group. Exactly one of BasicAuth.Enable or JWT.Enable may be true. If neither is enabled, no authentication is applied (open access).

type APIAuthBasic 

type APIAuthBasic struct {
	// Enable enables HTTP Basic authentication
	Enable bool `yaml:"enable" default:"false"`
	// Users is a username to password mapping
	Users map[string]string `yaml:"users"`
}

APIAuthBasic holds the HTTP Basic authentication configuration. This is a simple allow/deny mechanism – valid credentials grant full access.

type APIAuthJWT 

type APIAuthJWT struct {
	// Enable enables JWT Bearer token authentication
	Enable bool `yaml:"enable" default:"false"`
	// JWKSURL is the URL of the JSON Web Key Set used to validate token signatures.
	JWKSURL string `` /* 129-byte string literal not displayed */
	// Issuer is the expected "iss" claim. Tokens with a different issuer are rejected.
	Issuer string `yaml:"issuer" validate:"required_if=Enable true"`
	// Audience is the expected "aud" claim. Tokens that do not contain this audience are rejected.
	Audience string `yaml:"audience" validate:"required_if=Enable true"`
	// Rules are SPOCP S-expression authorization rules loaded into an in-process engine.
	// When non-empty the middleware builds a query per request and checks it.
	Rules []string `yaml:"rules,omitempty" doc_example:"[\"(api (service apigw)(method POST)(path /api/v1/upload)(subject alice))\"]"`
	// RulesFile is an optional path to a file containing SPOCP rules (one per line).
	// Rules from this file are loaded in addition to the inline Rules list.
	RulesFile string `yaml:"rules_file,omitempty"`
}

APIAuthJWT holds the configuration for JWT Bearer token authentication with optional SPOCP-based authorization.

When Rules (and/or RulesFile) are configured, each request is checked against the SPOCP engine. A query of the form 

(api (service <SERVICE>)(method <HTTP_METHOD>)(path <REQUEST_PATH>)(subject <JWT_SUBJECT>))

is evaluated; the request is allowed only if a matching rule exists. The <SERVICE> value is supplied by the calling service at middleware registration time. When two services share endpoints, rules for one service do not grant access to the other. When no rules are configured, any valid JWT grants access.

type APIAuthSecrets 

type APIAuthSecrets struct {
	BasicAuth BasicAuthSecrets `yaml:"basic_auth,omitempty"`
}

APIAuthSecrets holds secrets for the api_auth section

type APIGW 

type APIGW struct {
	// APIServer is the HTTP API server configuration
	APIServer APIServer `yaml:"api_server" validate:"required"`
	// KeyConfig is the signing key configuration
	KeyConfig *pki.KeyConfig `yaml:"key_config" validate:"required"`
	// CredentialOffers holds credential offer wallet configurations
	CredentialOffers CredentialOffers `yaml:"credential_offers" validate:"omitempty"`
	// OauthServer is the OAuth2 server configuration
	OauthServer OAuthServer `yaml:"oauth_server" validate:"omitempty"`
	// IssuerMetadata holds the OpenID4VCI issuer metadata
	IssuerMetadata IssuerMetadata `yaml:"issuer_metadata" validate:"omitempty"`
	// PublicURL is the public URL of this service (must be valid HTTP/HTTPS URL)
	PublicURL string `yaml:"public_url" validate:"required,httpurl" doc_example:"\"https://issuer.sunet.se\""`
	// SAML holds the SAML Service Provider configuration
	SAML SAMLConfig `yaml:"saml,omitempty" validate:"omitempty"`
	// OIDCRP holds the OIDC Relying Party configuration
	OIDCRP OIDCRPConfig `yaml:"oidc_rp,omitempty" validate:"omitempty"`
	// IssuerClient is the gRPC client config for issuer
	IssuerClient GRPCClientTLS `yaml:"issuer_client" validate:"required"`
	// RegistryClient is the gRPC client config for registry
	RegistryClient GRPCClientTLS `yaml:"registry_client" validate:"required"`
}

APIGW holds the configuration for the API Gateway service that handles credential issuance requests

type APIGWSecrets 

type APIGWSecrets struct {
	APIServer APIServerSecrets `yaml:"api_server,omitempty"`
	OIDCRP    OIDCRPSecrets    `yaml:"oidc_rp,omitempty"`
}

APIGWSecrets holds API gateway secrets

type APIServer 

type APIServer struct {
	// Addr is the listen address for the HTTP server
	Addr string `yaml:"addr" validate:"required" default:":8080"`
	// ServedByHeader sets the X-Served-By response header value for HA troubleshooting.
	// Empty (default): header is not set. "hostname": uses os.Hostname().
	// Any other value is used as-is.
	ServedByHeader string  `yaml:"served_by_header,omitempty"`
	TLS            TLS     `yaml:"tls" validate:"omitempty"`
	APIAuth        APIAuth `yaml:"api_auth"`
	CORS           *CORS   `yaml:"cors,omitempty" validate:"omitempty"`
}

APIServer holds the HTTP API server configuration

type APIServerSecrets 

type APIServerSecrets struct {
	APIAuth APIAuthSecrets `yaml:"api_auth,omitempty"`
}

APIServerSecrets holds API server secrets (basic auth passwords)

type AdminGUI 

type AdminGUI struct {
	// Enable enables the admin GUI
	Enable *bool `yaml:"enable" default:"false"`
	// Username is the admin username
	Username string `yaml:"username" validate:"required_if=Enable true" default:"admin"`
	// Password is the admin password
	Password string `yaml:"password" validate:"required_if=Enable true"`
}

AdminGUI holds the admin GUI configuration

type AdminGUISecrets 

type AdminGUISecrets struct {
	// Password is the admin GUI login password
	Password string `yaml:"password"`
}

AdminGUISecrets holds admin GUI secrets

type AttributeConfig 

type AttributeConfig struct {
	// Claim is the target claim name (supports dot-notation for nesting)
	Claim string `yaml:"claim" validate:"required" doc_example:"\"identity.given_name\""`

	// Required indicates if this attribute must be present in the assertion/response
	Required bool `yaml:"required" default:"false"`

	// Transform is an optional transformation to apply
	// Supported: "lowercase", "uppercase", "trim"
	Transform string `yaml:"transform,omitempty" validate:"omitempty,oneof=lowercase uppercase trim"`

	// Default is an optional default value if attribute is missing
	Default string `yaml:"default,omitempty"`
}

AttributeConfig defines how a single external attribute maps to a credential claim Generic across protocols (SAML, OIDC, etc.) - uses protocol-specific identifiers as keys

type AuditLog 

type AuditLog struct {
	// Enable enables audit logging
	Enable bool `yaml:"enable" default:"false"`
	// Destinations is the list of log destinations (console/stdout, file path, or HTTP URL)
	Destinations []string `` /* 147-byte string literal not displayed */
	// FileSyncInterval controls fsync behavior for file destinations.
	// 0 = fsync after every write (strict durability, lower throughput).
	// >0 = periodic batched fsync at the given interval (better throughput, bounded data-loss window).
	// Has no effect on console or webhook destinations.
	FileSyncInterval time.Duration `yaml:"file_sync_interval" default:"5s"`
}

AuditLog holds audit log configuration for multiple destinations

type AuthorizationPageCSSConfig 

type AuthorizationPageCSSConfig struct {
	// CustomCSS is inline CSS that will be injected into the authorization page
	// Allows deployers to override default styling without modifying templates
	CustomCSS string `yaml:"custom_css,omitempty"`

	// CSSFile is a path to an external CSS file to include
	// If both CustomCSS and CSSFile are provided, both are included
	CSSFile string `yaml:"css_file,omitempty"`

	// Theme sets predefined color scheme: "light" (default), "dark", "blue", "purple"
	Theme string `yaml:"theme,omitempty" validate:"omitempty,oneof=light dark blue purple" default:"light"`

	// PrimaryColor overrides the primary brand color
	PrimaryColor string `yaml:"primary_color,omitempty" doc_example:"\"#667eea\""`

	// SecondaryColor overrides the secondary brand color
	SecondaryColor string `yaml:"secondary_color,omitempty" doc_example:"\"#764ba2\""`

	// LogoURL provides a URL to a custom logo image
	LogoURL string `yaml:"logo_url,omitempty"`

	// Title overrides the page title (default: "Wallet Authorization")
	Title string `yaml:"title,omitempty"`

	// Subtitle overrides the page subtitle
	Subtitle string `yaml:"subtitle,omitempty"`
}

AuthorizationPageCSSConfig allows deployers to customize the authorization page styling

type BasicAuthSecrets 

type BasicAuthSecrets struct {
	// Users maps usernames to passwords for HTTP Basic Authentication
	Users map[string]string `yaml:"users,omitempty" doc_example:"<username>: \"<password>\""`
}

BasicAuthSecrets holds basic auth user/password pairs

type Branding 

type Branding struct {
	// LogoPath is the file path to a custom logo PNG image; when empty, the built-in SUNET logo is used
	LogoPath string `yaml:"logo_path,omitempty" validate:"omitempty,image_png"`
	// FaviconPath is the file path to a custom favicon PNG image; when empty, the built-in SUNET favicon is used
	FaviconPath string `yaml:"favicon_path,omitempty" validate:"omitempty,image_png"`
}

Branding holds custom branding paths for logo and favicon

type CORS 

type CORS struct {
	// AllowedOrigins is the list of allowed CORS origins
	AllowedOrigins []string `` /* 126-byte string literal not displayed */
}

CORS holds the CORS configuration

type Cfg 

type Cfg struct {
	Common   *Common   `yaml:"common"`
	APIGW    *APIGW    `yaml:"apigw" validate:"omitempty"`
	Issuer   *Issuer   `yaml:"issuer" validate:"omitempty"`
	Verifier *Verifier `yaml:"verifier" validate:"omitempty"`
	Registry *Registry `yaml:"registry" validate:"omitempty"`
	MockAS   *MockAS   `yaml:"mock_as" validate:"omitempty"`
	UI       *UI       `yaml:"ui" validate:"omitempty"`
}

Cfg is the main configuration structure for this application

func (*Cfg) ApplySecrets 

func (cfg *Cfg) ApplySecrets(secrets *Secrets)

ApplySecrets applies secret values from the Secrets struct onto the Cfg. Only non-empty secret values are applied.

func (*Cfg) ClearSecrets 

func (cfg *Cfg) ClearSecrets()

ClearSecrets zeroes out all secret fields in the main config. Called when a secret file is used, to ensure config.yaml secrets are not used.

func (*Cfg) GetCredentialConstructor 

func (c *Cfg) GetCredentialConstructor(scope string) *CredentialConstructor

GetCredentialConstructor returns the credential constructor for a given scope

func (*Cfg) GetCredentialConstructorAuthMethod 

func (c *Cfg) GetCredentialConstructorAuthMethod(credentialType string) string

GetCredentialConstructorAuthMethod returns the auth method for the given credential type or "basic" if not found

func (*Cfg) GetFormatForScope 

func (c *Cfg) GetFormatForScope(scope string) string

GetFormatForScope returns the credential format for the given scope key. Returns empty string if the scope is not found in credential_constructor.

func (*Cfg) ResolveVCTUrls 

func (cfg *Cfg) ResolveVCTUrls(apigwPublicURL string) error

ResolveVCTUrls computes the URL-based VCT for each credential constructor and stores it in VCTURL. VCTM.VCT, VCTMRaw, and Integrity are left unchanged — the served VCTM document preserves the original VCT identifier from the VCTM file (e.g. a URN). For local VCTMs the URL is built from apigwPublicURL + /type-metadata/{scope}. For external VCTMs the VCTMUrl is used.

func (*Cfg) VCTIdentifiersForScopes 

func (c *Cfg) VCTIdentifiersForScopes(scopes []string) []string

VCTIdentifiersForScopes resolves a list of scope keys to the original VCT identifiers from the VCTM (e.g. URNs). Scopes without a loaded VCTM are silently skipped.

func (*Cfg) VCTUrlsForScopes 

func (c *Cfg) VCTUrlsForScopes(scopes []string) []string

VCTUrlsForScopes resolves a list of scope keys to their resolved VCT URLs. Scopes without a loaded VCTM are silently skipped.

type Collect 

type Collect struct {
	// required: false
	// example: 98fe67fc-c03f-11ee-bbee-4345224d414f
	ID string `json:"id,omitempty" bson:"id" validate:"omitempty,max=128,printascii"`

	// required: false
	// example: 509567558
	// format: int64
	ValidUntil int64 `json:"valid_until,omitempty" bson:"valid_until"`
}

Collect is a generic type for collect

type Common 

type Common struct {
	// Production enables production mode
	Production *bool `yaml:"production" default:"true"`
	// Log is the logging configuration
	Log Log `yaml:"log"`
	// Mongo is the MongoDB configuration
	Mongo Mongo `yaml:"mongo" validate:"omitempty"`
	// Tracing is the OpenTelemetry tracing configuration
	Tracing OTEL `yaml:"tracing" validate:"omitempty"`
	// Kafka is the Kafka message broker configuration
	Kafka Kafka `yaml:"kafka" validate:"omitempty"`
	// CredentialOfferQR holds credential offer QR code settings
	CredentialOfferQR CredentialOfferQRConfig `yaml:"credential_offer_qr" validate:"omitempty"`
	// SecretFilePath is the path to a separate YAML file containing secrets; when set, secret values in config.yaml are cleared and only non-empty fields from the secrets file are applied.
	SecretFilePath string `yaml:"secret_file_path,omitempty" doc_example:"\"/etc/vc/secrets.yaml\""`
	// HA configures high-availability mode. When Enable is true, caches use MongoDB
	// (Common.Mongo.URI) instead of in-memory storage so state is shared across instances.
	HA HAConfig `yaml:"ha" validate:"omitempty"`

	// Branding holds custom branding configuration (logo and favicon paths)
	Branding Branding `yaml:"branding"`

	// CredentialConstructor maps OAuth2 scope values to their constructor configuration, required by apigw, issuer, and verifier
	// Key: OAuth2 scope (e.g., "pid", "ehic", "diploma") - matches AuthorizationContext.Scope
	// The constructor contains the VCT URN and other configuration for issuing that credential type
	CredentialConstructor map[string]*CredentialConstructor `yaml:"credential_constructor" validate:"omitempty,dive"`
}

Common holds the shared configuration used across all services

type CommonSecrets 

type CommonSecrets struct {
	Mongo MongoSecrets `yaml:"mongo,omitempty"`
}

CommonSecrets holds secrets from the common section

type CompleteDocument 

type CompleteDocument struct {
	Meta            *MetaData        `json:"meta,omitempty" bson:"meta" validate:"required"`
	Identities      []Identity       `json:"identities,omitempty" bson:"identities" validate:"required"`
	DocumentDisplay *DocumentDisplay `json:"document_display,omitempty" bson:"document_display" validate:"required"`
	DocumentData    map[string]any   `json:"document_data,omitempty" bson:"document_data" validate:"required"`

	// required: true
	// example: "1.0.0"
	DocumentDataVersion string         `json:"document_data_version,omitempty" bson:"document_data_version" validate:"required,semver"`
	QR                  *openid4vci.QR `json:"qr,omitempty" bson:"qr"`
}

CompleteDocument is a generic type for upload

type CompleteDocuments 

type CompleteDocuments []CompleteDocument

CompleteDocuments is a array of CompleteDocument 

type Consent struct {
	// required: true
	// example: "Using my data for research"
	ConsentTo string `json:"consent_to,omitempty" bson:"consent_to" validate:"required,max=128,printascii"`

	// required: true
	// example: "sess-123"
	SessionID string `json:"session_id,omitempty" bson:"session_id" validate:"required,max=128,printascii"`

	// required: true
	// example: 509567558
	// format: int64
	CreatedAt int64 `json:"created_at,omitempty" bson:"created_at" validate:"required"`
}

Consent is a generic type for consent

type CredentialConstructor 

type CredentialConstructor struct {
	// VCTMFilePath is the path to a local VCTM JSON file.
	// When set, apigw will publish the VCTM at /type-metadata/:scope.
	// Mutually exclusive with VCTMUrl (one of the two is required).
	VCTMFilePath string `yaml:"vctm_file_path" json:"-" validate:"required_without=VCTMUrl"`
	// VCTMUrl is the URL where the VCTM is already published externally.
	// When set, the VCTM is fetched from this URL at startup for internal use
	// but NOT re-published by apigw.
	// Mutually exclusive with VCTMFilePath (one of the two is required).
	VCTMUrl string `yaml:"vctm_url" json:"-" validate:"required_without=VCTMFilePath,omitempty,url"`

	VCTM *sdjwtvc.VCTM `yaml:"-" json:"-"`
	// Format is the credential format to issue
	Format string `yaml:"format" json:"format" validate:"required" doc_example:"\"vc+sd-jwt\""`
	// AuthMethod is the authentication method used to verify the holder's identity. Supported values: basic, saml, oidc, openid4vp
	AuthMethod string `yaml:"auth_method" json:"auth_method" validate:"required,oneof=basic saml oidc openid4vp"`
	// AuthScopes lists credential_constructor keys whose VCTs are acceptable for
	// wallet authentication. Required when AuthMethod is "openid4vp".
	AuthScopes []string `yaml:"auth_scopes,omitempty" json:"auth_scopes,omitempty"`
	// AuthClaims lists identity claims to extract from the authentication credential.
	// Required when AuthMethod is "openid4vp".
	AuthClaims []string `yaml:"auth_claims,omitempty" json:"auth_claims,omitempty"`
	// Attributes maps claim names to their source fields and transformation rules for credential issuance
	Attributes map[string]map[string][]string `yaml:"attributes" json:"attributes_v2" validate:"omitempty,dive,required"`

	// VCTMRaw holds the raw JSON bytes of the VCTM document for serving
	// via /type-metadata/:scope. Only populated for local VCTMs (VCTMFilePath).
	VCTMRaw []byte `yaml:"-" json:"-"`

	// Integrity is the SRI hash of the VCTM document (e.g. "sha256-...").
	// Computed once in LoadVCTMetadata and used for vct#integrity in issued credentials.
	Integrity string `yaml:"-" json:"-"`

	// VCTURL is the published URL where the VCTM is served.
	// Set by ResolveVCTUrls for both local and external VCTMs.
	VCTURL string `yaml:"-" json:"-"`
	// contains filtered or unexported fields
}

func (*CredentialConstructor) GetAttributes 

func (c *CredentialConstructor) GetAttributes() map[string]map[string][]string

GetAttributes returns the derived attributes under a read lock.

func (*CredentialConstructor) GetIntegrity 

func (c *CredentialConstructor) GetIntegrity() string

GetIntegrity returns the SRI integrity hash of the VCTM under a read lock.

func (*CredentialConstructor) GetVCTM 

func (c *CredentialConstructor) GetVCTM() *sdjwtvc.VCTM

GetVCTM returns the cached VCTM under a read lock so it is safe to call concurrently with the background refresh loop.

func (*CredentialConstructor) GetVCTMRaw 

func (c *CredentialConstructor) GetVCTMRaw() []byte

GetVCTMRaw returns the raw VCTM JSON bytes under a read lock.

func (*CredentialConstructor) GetVCTURL 

func (c *CredentialConstructor) GetVCTURL() string

GetVCTURL returns the published URL where the VCTM is served.

func (*CredentialConstructor) IsLocalVCTM 

func (c *CredentialConstructor) IsLocalVCTM() bool

IsLocalVCTM returns true when the VCTM is loaded from a local file (i.e. apigw should publish it at /type-metadata/:scope).

func (*CredentialConstructor) LoadVCTMetadata 

func (c *CredentialConstructor) LoadVCTMetadata(ctx context.Context, scope string) error

The scope parameter is used only for error messages.

type CredentialDisplayConfig 

type CredentialDisplayConfig struct {
	// Enable allows users to optionally view credential details before completing authorization
	// When enabled, a checkbox appears on the authorization page
	Enable bool `yaml:"enable" default:"false"`

	// RequireConfirmation forces users to review credentials before proceeding
	// When true, the credential display step is mandatory (checkbox is pre-checked and disabled)
	RequireConfirmation bool `yaml:"require_confirmation" default:"false"`

	// ShowRawCredential displays the raw VP token/credential in the display page
	// Useful for debugging and technical users
	ShowRawCredential bool `yaml:"show_raw_credential" default:"false"`

	// ShowClaims displays the parsed claims that will be sent to the RP
	// Recommended for transparency and user consent
	ShowClaims *bool `yaml:"show_claims" default:"true"`

	// AllowEdit allows users to redact certain claims before sending to RP (future feature)
	// Currently not implemented
	AllowEdit bool `yaml:"allow_edit,omitempty" default:"false"`
}

CredentialDisplayConfig controls whether and how credentials are displayed before being sent to RP

type CredentialMapping 

type CredentialMapping struct {
	// CredentialConfigID is the OpenID4VCI credential configuration identifier
	CredentialConfigID string `yaml:"credential_config_id" validate:"required" doc_example:"\"urn:eudi:pid:1\""`

	// Attributes maps SAML attribute OIDs to claim paths with transformation rules
	Attributes map[string]AttributeConfig `yaml:"attributes" validate:"required" doc_example:"\"urn:oid:2.5.4.42\": {claim: \"identity.given_name\", required: true}"`

	// DefaultIdP is the optional default IdP entityID for this credential type
	DefaultIdP string `yaml:"default_idp,omitempty"`
}

CredentialMapping defines how to issue a specific credential type via SAML The credential type identifier (map key) is used in API requests and session state

type CredentialOffer 

type CredentialOffer struct {
	CredentialIssuer           string                       `json:"credential_issuer" validate:"omitempty,max=128,printascii"`
	CredentialConfigurationIDs []string                     `json:"credential_configuration_ids"`
	Grants                     map[string]map[string]string `json:"grants"`
}

CredentialOffer https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html 4.1.1 Credential Offer Parameters

type CredentialOfferQRConfig 

type CredentialOfferQRConfig struct {
	// Type is the credential offer type: "credential_offer" or "credential_offer_uri"
	Type string `yaml:"type" validate:"required,oneof=credential_offer_uri credential_offer" default:"credential_offer"`
	// QR holds QR code generation settings
	QR QRCfg `yaml:"qr" validate:"omitempty"`
}

CredentialOfferQRConfig holds credential offer QR code settings

type CredentialOfferWallets 

type CredentialOfferWallets struct {
	// Label is the display label for the wallet
	Label string `yaml:"label" validate:"required"`
	// RedirectURI is the wallet redirect URI
	RedirectURI string `yaml:"redirect_uri" validate:"required" doc_example:"\"eudi-wallet://credential-offer\""`
}

CredentialOfferWallets holds wallet redirect configuration

type CredentialOffers 

type CredentialOffers struct {
	// IssuerURL is the issuer URL for credential offers
	IssuerURL string `yaml:"issuer_url" validate:"required"`
	// Wallets holds wallet redirect configurations
	Wallets map[string]CredentialOfferWallets `yaml:"wallets" validate:"required"`
}

CredentialOffers holds credential offer configurations

type DigitalCredentialsConfig 

type DigitalCredentialsConfig struct {
	// Enable toggles W3C Digital Credentials API support in browser
	Enable bool `yaml:"enable" default:"false"`

	// UseJAR enables JWT Authorization Request (JAR) for wallet communication
	// When true, request objects are signed JWTs instead of plain JSON
	UseJAR bool `yaml:"use_jar" default:"false"`

	// PreferredFormats specifies the order of preference for credential formats
	// Supported values: "vc+sd-jwt", "dc+sd-jwt", "mso_mdoc"
	// Default: ["vc+sd-jwt", "dc+sd-jwt", "mso_mdoc"]
	PreferredFormats []string `yaml:"preferred_formats,omitempty" default:"[\"vc+sd-jwt\", \"dc+sd-jwt\", \"mso_mdoc\"]"`

	// ResponseMode specifies the OpenID4VP response mode for DC API flows
	// Supported values: "dc_api.jwt" (encrypted), "direct_post.jwt" (signed), "direct_post"
	// Default: "dc_api.jwt"
	ResponseMode string `yaml:"response_mode,omitempty" validate:"omitempty,oneof=dc_api.jwt direct_post.jwt direct_post" default:"dc_api.jwt"`

	// AllowQRFallback enables automatic fallback to QR code if DC API is unavailable
	// Default: true
	AllowQRFallback *bool `yaml:"allow_qr_fallback" default:"true"`

	// DeepLinkScheme for mobile wallet integration
	DeepLinkScheme string `yaml:"deep_link_scheme,omitempty" doc_example:"\"eudi-wallet://\""`
}

DigitalCredentialsConfig holds W3C Digital Credentials API configuration

type Document 

type Document struct {
	Meta         *MetaData `json:"meta,omitempty" bson:"meta" validate:"required"`
	DocumentData any       `json:"document_data" bson:"document_data" validate:"required"`
}

Document is a generic type for get document

type DocumentDisplay 

type DocumentDisplay struct {
	// required: true
	// example: "1.0.0"
	Version string `json:"version,omitempty" bson:"version" validate:"required,semver"`

	// required: true
	// example: secure
	Type string `json:"type,omitempty" bson:"type" validate:"required"`

	// DescriptionStructured is a map of structured descriptions
	// required: true
	// example: {"en": "European Health Insurance Card", "sv": "Europeiskt sjukförsäkringskortet"}
	DescriptionStructured map[string]any `json:"description_structured,omitempty" bson:"description_structured" validate:"required"`
}

DocumentDisplay is a collection of fields representing display of document

type DocumentList 

type DocumentList struct {
	Meta            *MetaData        `json:"meta,omitempty" bson:"meta" validate:"required"`
	DocumentDisplay *DocumentDisplay `json:"document_display,omitempty" bson:"document_display"`
	QR              *openid4vci.QR   `json:"qr,omitempty" bson:"qr" validate:"required"`
}

DocumentList is a generic type for document list

type GRPCClientTLS 

type GRPCClientTLS struct {
	// Addr is the gRPC server address
	Addr string `yaml:"addr" validate:"required" doc_example:"\"issuer:8090\""`
	// TLS enables TLS
	TLS bool `yaml:"tls" default:"false"`
	// CertFilePath is the client certificate for mTLS
	CertFilePath string `yaml:"cert_file_path"`
	// KeyFilePath is the client private key for mTLS
	KeyFilePath string `yaml:"key_file_path"`
	// CAFilePath is the CA certificate to verify the server
	CAFilePath string `yaml:"ca_file_path"`
	// ServerName is the server name for TLS verification (optional)
	ServerName string `yaml:"server_name"`
}

GRPCClientTLS holds mTLS configuration for gRPC client connections

type GRPCServer 

type GRPCServer struct {
	// Addr is the gRPC server listen address
	Addr string `yaml:"addr" validate:"required" default:":8090"`
	// TLS holds the mTLS configuration
	TLS GRPCTLS `yaml:"tls,omitempty"`
}

GRPCServer holds the gRPC server configuration

type GRPCTLS 

type GRPCTLS struct {
	Enable                    bool              `yaml:"enable" default:"false"`
	CertFilePath              string            `yaml:"cert_file_path" validate:"required_if=Enable true" default:"/pki/grpc_server.crt"` // Server certificate
	KeyFilePath               string            `yaml:"key_file_path" validate:"required_if=Enable true" default:"/pki/grpc_server.key"`  // Server private key
	ClientCAPath              string            `yaml:"client_ca_path" validate:"required_if=Enable true" default:"/pki/client_ca.crt"`   // CA to verify client certificates (for mTLS)
	AllowedClientFingerprints map[string]string `yaml:"allowed_client_fingerprints" doc_example:"a1b2c3...: issuer-prod"`                 // SHA256 fingerprint -> friendly name
	AllowedClientDNs          map[string]string `yaml:"allowed_client_dns" doc_example:"CN=apigw,O=SUNET: apigw-prod"`                    // Certificate Subject DN -> friendly name
}

GRPCTLS holds the mTLS configuration for gRPC server

type HAConfig 

type HAConfig struct {
	// Enable enables HA mode; when true caches are backed by MongoDB instead of in-memory storage.
	Enable bool `yaml:"enable" default:"false"`
	// CacheDatabaseName is the MongoDB database name used for caches.
	CacheDatabaseName string `yaml:"cache_database_name" default:"vc_cache"`
}

HAConfig holds the high-availability configuration

type Health 

type Health struct {
	ServiceName string   `json:"service_name,omitempty"`
	Probes      []*Probe `json:"probes,omitempty"`
	Status      string   `json:"status,omitempty"`
}

Health contains status for each service

type IDMapping 

type IDMapping struct {
	AuthenticSourcePersonID string `json:"authentic_source_person_id" validate:"omitempty,max=128,printascii"`
}

IDMapping is a generic type for ID mapping

type Identity 

type Identity struct {
	// required: true
	// example: 65636cbc-c03f-11ee-8dc4-67135cc9bd8a
	AuthenticSourcePersonID string `json:"authentic_source_person_id,omitempty" bson:"authentic_source_person_id" validate:"required,max=128,printascii"`

	Schema *IdentitySchema `json:"schema,omitempty" bson:"schema" validate:"required"`

	// required: true
	// example: Svensson
	FamilyName string `json:"family_name" bson:"family_name" validate:"required,min=1,max=100,printascii"`

	// required: true
	// example: Magnus
	GivenName string `json:"given_name" bson:"given_name" validate:"required,min=1,max=100,printascii"`

	// required: true
	// example: 1970-01-01 TODO: Day, month, and year?
	BirthDate string `json:"birth_date" bson:"birth_date" validate:"required,datetime=2006-01-02,printascii"`

	// required: true
	// example: Stockholm
	BirthPlace string `json:"birth_place,omitempty" bson:"birth_place,omitempty" validate:"omitempty,min=2,max=100,printascii"`

	// required: true
	// example: SE
	Nationality []string `json:"nationality,omitempty" bson:"nationality,omitempty" validate:"omitempty,dive,iso3166_1_alpha2"`

	// required: false
	// example: <personnummer>
	PersonalAdministrativeNumber string `` /* 140-byte string literal not displayed */

	// required: false
	// example: facial image compliant with ISO 19794-5 or ISO 39794 specifications
	Picture string `json:"picture,omitempty" bson:"picture,omitempty"`

	BirthFamilyName string `json:"birth_family_name,omitempty" bson:"birth_family_name,omitempty" validate:"omitempty,min=1,max=100,printascii"`

	BirthGivenName string `json:"birth_given_name,omitempty" bson:"birth_given_name,omitempty" validate:"omitempty,min=1,max=100,printascii"`

	// required: false
	// example: 0 = not known, 1 = male, 2 = female, ...
	Sex string `json:"sex,omitempty" bson:"sex,omitempty" validate:"omitempty,oneof=0 1 2 3 4 5 6 7 8 9"`

	// required: false
	// example: <email-address>
	EmailAddress string `json:"email_address,omitempty" bson:"email_address,omitempty" validate:"omitempty,email"`

	// required: false
	// example: <+mobile-phone-number>
	MobilePhoneNumber string `json:"mobile_phone_number,omitempty" bson:"mobile_phone_number,omitempty" validate:"omitempty,e164"`

	// required: false
	// example: 221b Baker street
	ResidentAddress string `json:"resident_address,omitempty" bson:"resident_address,omitempty" validate:"omitempty,printascii"`

	// required: false
	// example: Baker street
	ResidentStreetAddress string `` /* 127-byte string literal not displayed */

	// required: false
	// example: 221b
	ResidentHouseNumber string `json:"resident_house_number,omitempty" bson:"resident_house_number,omitempty" validate:"omitempty,printascii"`

	// required: false
	// example: W1U 6SG
	ResidentPostalCode string `json:"resident_postal_code,omitempty" bson:"resident_postal_code,omitempty" validate:"omitempty,printascii"`

	// required: false
	// example: London
	ResidentCity string `json:"resident_city,omitempty" bson:"resident_city,omitempty" validate:"omitempty,printascii"`
	// required: false
	// example: england
	ResidentState string `json:"resident_state,omitempty" bson:"resident_state,omitempty" validate:"omitempty,printascii"`
	// required: false
	// example: England
	ResidentCountry string `json:"resident_country,omitempty" bson:"resident_country,omitempty" validate:"omitempty,iso3166_1_alpha2"`

	AgeOver14 string `json:"age_over_14,omitempty" bson:"age_over_14,omitempty"`

	AgeOver16 bool `json:"age_over_16,omitempty" bson:"age_over_16,omitempty"`

	AgeOver18 bool `json:"age_over_18,omitempty" bson:"age_over_18,omitempty"`

	AgeOver21 bool `json:"age_over_21,omitempty" bson:"age_over_21,omitempty"`

	AgeOver65 bool `json:"age_over_65,omitempty" bson:"age_over_65,omitempty"`

	AgeInYears int `json:"age_in_years,omitempty" bson:"age_in_years,omitempty"`

	AgeBirthYear int `json:"age_birth_year,omitempty" bson:"age_birth_year,omitempty"`

	// required: false
	// example:
	IssuingAuthority string `json:"issuing_authority,omitempty" bson:"issuing_authority,omitempty" validate:"omitempty,printascii"`
	// required: false
	// example:
	IssuingCountry string `json:"issuing_country,omitempty" bson:"issuing_country,omitempty" validate:"omitempty,iso3166_1_alpha2"`

	// required: false
	// example: Date (and if possible time)
	ExpiryDate string `json:"expiry_date,omitempty" bson:"expiry_date,omitempty" validate:"omitempty,datetime=2006-01-02"`

	IssuanceDate string `json:"issuance_date,omitempty" bson:"issuance_date,omitempty"`

	// required: false
	// example:
	DocumentNumber string `json:"document_number,omitempty" bson:"document_number,omitempty" validate:"omitempty,max=128,printascii"`

	// required: false
	// example:
	IssuingJurisdiction string `json:"issuing_jurisdiction,omitempty" bson:"issuing_jurisdiction,omitempty" validate:"omitempty,max=128,printascii"`

	TrustAnchor string `json:"trust_anchor,omitempty" bson:"trust_anchor,omitempty" validate:"omitempty,max=128,printascii"`
}

Identity identifies a person

func (*Identity) GetAgeInYears 

func (i *Identity) GetAgeInYears() (int, error)

func (*Identity) GetOver14 

func (i *Identity) GetOver14() (bool, error)

func (*Identity) GetOver16 

func (i *Identity) GetOver16() (bool, error)

func (*Identity) GetOver18 

func (i *Identity) GetOver18() (bool, error)

func (*Identity) GetOver21 

func (i *Identity) GetOver21() (bool, error)

func (*Identity) GetOver65 

func (i *Identity) GetOver65() (bool, error)

func (*Identity) Marshal 

func (i *Identity) Marshal() (map[string]any, error)

Marshal marshals the document to a map

Example 
package main

import (
	"fmt"

	"github.com/SUNET/vc/pkg/model"
)

func main() {
	identity := &model.Identity{
		FamilyName: "Svensson",
		GivenName:  "Magnus",
		BirthDate:  "1970-01-01",
	}

	doc, err := identity.Marshal()
	if err != nil {
		fmt.Println("error:", err)
		return
	}

	fmt.Println("family_name:", doc["family_name"])
	fmt.Println("given_name:", doc["given_name"])
	fmt.Println("birth_date:", doc["birth_date"])
}

Output:
family_name: Svensson
given_name: Magnus
birth_date: 1970-01-01

type IdentitySchema 

type IdentitySchema struct {
	// required: true
	// example: "SE"
	Name string `json:"name" bson:"name" validate:"required,max=128,printascii"`

	// required: false
	// example: "1.0.0"
	Version string `json:"version,omitempty" bson:"version,omitempty" validate:"omitempty,semver"`
}

IdentitySchema is a collection of fields representing an identity schema

type Issuer 

type Issuer struct {
	// APIServer is the HTTP API server configuration
	APIServer APIServer `yaml:"api_server" validate:"required"`
	// GRPCServer is the gRPC server configuration
	GRPCServer GRPCServer `yaml:"grpc_server" validate:"required"`
	// KeyConfig is the signing key configuration
	KeyConfig *pki.KeyConfig `yaml:"key_config" validate:"required"`
	// JWTAttribute holds the JWT credential attribute configuration
	JWTAttribute JWTAttribute `yaml:"jwt_attribute" validate:"required"`
	// IssuerURL is the issuer identifier URL
	IssuerURL string `yaml:"issuer_url" validate:"required" doc_example:"\"https://issuer.sunet.se\""`
	// RegistryClient is the registry gRPC client config
	RegistryClient GRPCClientTLS `yaml:"registry_client" validate:"omitempty"`
	// MDoc holds mDL/mdoc configuration
	MDoc *MDocConfig `yaml:"mdoc" validate:"omitempty"`
	// AuditLog holds audit log configuration
	AuditLog *AuditLog `yaml:"audit_log" validate:"omitempty"`
}

Issuer holds the configuration for the Issuer service that signs and issues verifiable credentials

type IssuerMetadata 

type IssuerMetadata struct {
	// AuthorizationServers lists the authorization server URLs
	AuthorizationServers []string `yaml:"authorization_servers" validate:"omitempty"`
	// DeferredCredentialEndpoint is the deferred credential endpoint
	DeferredCredentialEndpoint string `yaml:"deferred_credential_endpoint" validate:"omitempty"`
	// NotificationEndpoint is the notification endpoint
	NotificationEndpoint string `yaml:"notification_endpoint" validate:"omitempty"`
	// CryptographicBindingMethodsSupported lists the supported binding methods
	CryptographicBindingMethodsSupported []string `yaml:"cryptographic_binding_methods_supported" validate:"omitempty"`
	// CredentialSigningAlgValuesSupported lists the supported signing algorithms
	CredentialSigningAlgValuesSupported []string `yaml:"credential_signing_alg_values_supported" validate:"omitempty"`
	// ProofSigningAlgValuesSupported lists the supported proof algorithms
	ProofSigningAlgValuesSupported []string `yaml:"proof_signing_alg_values_supported" validate:"omitempty"`
	// CredentialResponseEncryption holds the response encryption configuration
	CredentialResponseEncryption *openid4vci.MetadataCredentialResponseEncryption `yaml:"credential_response_encryption" validate:"omitempty"`
	// BatchCredentialIssuance holds the batch issuance configuration
	BatchCredentialIssuance *openid4vci.BatchCredentialIssuance `yaml:"batch_credential_issuance" validate:"omitempty"`
	// Display holds the display metadata
	Display []openid4vci.MetadataDisplay `yaml:"display" validate:"omitempty"`
}

IssuerMetadata holds the OpenID4VCI issuer metadata configuration

func (*IssuerMetadata) Generate 

func (cfg *IssuerMetadata) Generate(ctx context.Context, publicURL string, credentialConstructors map[string]*CredentialConstructor) (*openid4vci.CredentialIssuerMetadataParameters, error)

Generate generates issuer metadata from configuration. Returns unsigned metadata that should be signed on-demand in the endpoint handler for freshness.

type JWTAttribute 

type JWTAttribute struct {
	// Issuer of the token
	Issuer string `yaml:"issuer" validate:"required" doc_example:"https://issuer.sunet.se"`

	// StaticHost is the static host of the issuer, expose static files, like pictures.
	StaticHost string `yaml:"static_host" validate:"omitempty"`

	// EnableNotBefore states the time not before which the token is valid
	EnableNotBefore bool `yaml:"enable_not_before" default:"false"`

	// Valid duration of the token in seconds
	ValidDuration int64 `yaml:"valid_duration" validate:"required_with=EnableNotBefore" default:"3600"`

	// VerifiableCredentialType URL
	VerifiableCredentialType string `yaml:"verifiable_credential_type" validate:"required" doc_example:"https://credential.sunet.se/identity_credential"`

	// Status status of the Verifiable Credential
	Status string `yaml:"status"`

	// Kid key id of the signing key
	Kid string `yaml:"kid"`
}

JWTAttribute holds the jwt attribute configuration. In a later state this should be placed under authentic source in order to issue credentials based on that configuration.

type Kafka 

type Kafka struct {
	// Enable enables Kafka integration
	Enable bool `yaml:"enable" default:"false"`
	// Brokers is the list of Kafka broker addresses
	Brokers []string `yaml:"brokers" validate:"required" default:"[\"kafka0:9092\", \"kafka1:9092\"]"`
}

Kafka holds the Kafka message broker configuration

type Leaf 

type Leaf struct {
	gorm.Model
	Value []byte
}

Leaf is the database model of a leaf

type Leafs 

type Leafs []*Leaf

Leafs is the database model of a leafs

func (Leafs) Array 

func (l Leafs) Array() [][]byte

Array returns the leafs as an byte array of arrays

func (Leafs) Empty 

func (l Leafs) Empty() bool

Empty returns true if the leafs are empty

type Log 

type Log struct {
	// FolderPath is the path to the log folder
	FolderPath string `yaml:"folder_path" doc_example:"\"/var/log/vc\""`
}

Log holds the logging configuration

type MDocConfig 

type MDocConfig struct {
	// CertificateChainPath is the path to the PEM certificate chain
	// TODO(pki): Consider folding into pki.KeyConfig.ChainPath to unify certificate
	// chain loading with the standard key material configuration pattern.
	CertificateChainPath string `yaml:"certificate_chain_path" validate:"required"`
	// DefaultValidity is the default credential validity (default: 365 days)
	DefaultValidity time.Duration `yaml:"default_validity" default:"8760h"`
	// DigestAlgorithm is the digest algorithm: "SHA-256", "SHA-384", or "SHA-512"
	DigestAlgorithm string `yaml:"digest_algorithm" default:"SHA-256"`
}

MDocConfig holds mDL (ISO 18013-5) issuer configuration

type MetaData 

type MetaData struct {
	// required: true
	// example: SUNET
	AuthenticSource string `json:"authentic_source,omitempty" bson:"authentic_source" validate:"required,max=128,printascii"`

	// required: true
	// example: "1.0.0"
	DocumentVersion string `json:"document_version,omitempty" bson:"document_version" validate:"required,semver"`

	// VCT is the Verifiable Credential Type
	// required: true
	// example: "urn:eudi:pid:1"
	VCT string `json:"vct,omitempty" bson:"vct" validate:"required,max=128,printascii"`

	// Scope is the credential configuration ID scope
	// required: false
	// example: "ehic", "pda1"
	Scope string `json:"scope,omitempty" bson:"scope" validate:"required,max=128,printascii"`

	// required: true
	// example: 5e7a981c-c03f-11ee-b116-9b12c59362b9
	DocumentID string `json:"document_id,omitempty" bson:"document_id" validate:"required,max=128,printascii"`

	// RealData is a flag to indicate if the document contains real data
	// required: true
	// example: true
	RealData bool `json:"real_data" bson:"real_data"`

	Collect *Collect `json:"collect,omitempty" bson:"collect"`

	// Revocation is a collection of fields representing a revocation
	Revocation *Revocation `json:"revocation,omitempty" bson:"revocation"`

	// required: false
	// example: 509567558
	// format: int64
	CredentialValidFrom int64 `json:"credential_valid_from,omitempty" bson:"valid_from"`

	// required: false
	// example: 509567558
	// format: int64
	CredentialValidTo int64 `json:"credential_valid_to,omitempty" bson:"valid_to"`

	// required: false
	// example: file://path/to/schema.json or http://example.com/schema.json
	// format: string
	DocumentDataValidationRef string `json:"document_data_validation,omitempty" bson:"document_data_validation" validate:"omitempty,max=128,printascii"`
}

MetaData is a generic type for metadata

type MockAS 

type MockAS struct {
	// APIServer is the HTTP API server configuration
	APIServer APIServer `yaml:"api_server" validate:"required"`
	// DatastoreURL is the datastore service URL
	DatastoreURL string `yaml:"datastore_url" validate:"required" doc_example:"\"http://datastore:8080\""`
	// BootstrapUsers is the list of user IDs to bootstrap on startup
	BootstrapUsers []string `yaml:"bootstrap_users" default:"[\"100\", \"102\"]"`
}

MockAS holds the configuration for the Mock Authentic Source service used for testing

type Mongo 

type Mongo struct {
	// URI is the MongoDB connection URI
	URI string `yaml:"uri" validate:"required" doc_example:"\"mongodb://user:password@mongo:27017/vc\""`
	// TLS enables TLS for the MongoDB connection.
	// Can also be enabled via the connection URI parameter "tls=true".
	TLS bool `yaml:"tls" default:"false"`
	// CAFilePath is the path to a PEM-encoded CA certificate used to verify
	// the MongoDB server's certificate. When empty, the system root CAs are used.
	CAFilePath string `yaml:"ca_file_path" validate:"omitempty"`
	// CertFilePath is the path to a PEM-encoded client certificate for mutual TLS (mTLS).
	// Must be set together with KeyFilePath.
	CertFilePath string `yaml:"cert_file_path" validate:"required_with=KeyFilePath"`
	// KeyFilePath is the path to a PEM-encoded client private key for mutual TLS (mTLS).
	// Must be set together with CertFilePath.
	KeyFilePath string `yaml:"key_file_path" validate:"required_with=CertFilePath"`
}

Mongo holds the MongoDB configuration

func (*Mongo) MongoClientOptions 

func (m *Mongo) MongoClientOptions() (*options.ClientOptions, error)

MongoClientOptions returns a *options.ClientOptions configured from the Mongo settings. It applies the connection URI and, when TLS is enabled, builds the appropriate *tls.Config (CA verification and/or mTLS client certificate).

type MongoSecrets 

type MongoSecrets struct {
	// URI is the MongoDB connection string, which may include authentication credentials
	URI string `yaml:"uri"`
}

MongoSecrets holds the mongo connection URI (may contain credentials)

type OAuthServer 

type OAuthServer struct {
	// TokenEndpoint is the OAuth2 token endpoint URL
	TokenEndpoint string `yaml:"token_endpoint" validate:"required" doc_example:"\"https://verifier.sunet.se/token\""`
	// Clients holds the OAuth2 client configurations
	Clients oauth2.Clients `yaml:"clients" validate:"required"`
}

OAuthServer holds the OAuth2 server configuration

func (*OAuthServer) GenerateMetadata 

func (cfg *OAuthServer) GenerateMetadata(ctx context.Context, issuerURL string) *oauth2.AuthorizationServerMetadata

GenerateMetadata generates OAuth2 metadata from configuration. Returns unsigned metadata that should be signed on-demand in the endpoint handler for freshness.

type OAuthUsers 

type OAuthUsers struct {
	Username        string    `json:"username" bson:"username" validate:"required"`
	Password        string    `json:"password" bson:"password" validate:"required"`
	Identity        *Identity `json:"identity" bson:"identity" validate:"required"`
	AuthenticSource string    `json:"authentic_source" bson:"authentic_source" validate:"required"`
}

OAuthUsers is the model for the OAuth users in the database

type OIDCOPConfig 

type OIDCOPConfig struct {
	// Issuer is the OIDC Provider identifier that appears in ID tokens and discovery metadata.
	// This identifies the verifier as an OpenID Provider.
	// Must match the 'iss' claim in all issued ID tokens.
	Issuer string `yaml:"issuer" validate:"required" doc_example:"\"https://verifier.sunet.se\""`
	// SessionDuration is the session duration in seconds
	SessionDuration int `yaml:"session_duration" validate:"required" default:"3600"`
	// CodeDuration is the authorization code duration in seconds
	CodeDuration int `yaml:"code_duration" validate:"required" default:"300"`
	// AccessTokenDuration is the access token duration in seconds
	AccessTokenDuration int `yaml:"access_token_duration" validate:"required" default:"3600"`
	// IDTokenDuration is the ID token duration in seconds
	IDTokenDuration int `yaml:"id_token_duration" validate:"required" default:"3600"`
	// RefreshTokenDuration is the refresh token duration in seconds
	RefreshTokenDuration int `yaml:"refresh_token_duration" validate:"required" default:"86400"`
	// SubjectType is the subject type: "public" or "pairwise"
	SubjectType string `yaml:"subject_type" validate:"required,oneof=public pairwise"`
	// SubjectSalt is the salt for pairwise subject generation
	SubjectSalt string `yaml:"subject_salt" validate:"required"`
	// StaticClients is a list of pre-configured OIDC clients
	// These clients are checked in addition to dynamically registered clients
	StaticClients []StaticOIDCClient `yaml:"static_clients,omitempty"`
}

OIDCConfig holds OIDC-specific configuration for the verifier's role as an OpenID Provider. This configures how the verifier issues ID tokens and access tokens to relying parties. Note: This is NOT related to verifiable credential issuance (see IssuerConfig for VC issuance). The signing key is shared from the parent Verifier.KeyConfig.

type OIDCOPSecrets 

type OIDCOPSecrets struct {
	// SubjectSalt is a secret value used to derive pairwise subject identifiers for OIDC clients
	SubjectSalt string `yaml:"subject_salt"`
	// StaticClients maps client_id to client_secret for static OIDC clients.
	// Only clients listed here will have their secrets applied; clients not
	// present in this map keep whatever value the main config provides (which
	// will be empty after ClearSecrets).
	StaticClients map[string]string `yaml:"static_clients,omitempty" doc_example:"<client_id>: \"<client_secret>\""`
}

OIDCOPSecrets holds OIDC OP configuration secrets

type OIDCRPConfig 

type OIDCRPConfig struct {
	// Enable turns on OIDC RP support (default: false)
	Enable bool `yaml:"enable" default:"false"`

	// Registration configures how the client obtains credentials from the OIDC Provider.
	// Exactly one of preconfigured or dynamic must be set:
	//   - preconfigured: pre-registered client_id and client_secret
	//   - dynamic: RFC 7591 dynamic client registration (credentials obtained at startup)
	Registration *OIDCRPRegistrationConfig `yaml:"registration" validate:"required_if=Enable true"`

	// RedirectURI is the callback URL where the OIDC Provider sends the authorization response
	RedirectURI string `yaml:"redirect_uri" validate:"required_if=Enable true" doc_example:"\"https://issuer.sunet.se/oidcrp/callback\""`

	// IssuerURL is the OIDC Provider's issuer URL for discovery
	// Used for .well-known/openid-configuration discovery
	IssuerURL string `yaml:"issuer_url" validate:"required_if=Enable true" doc_example:"\"https://accounts.google.com\""`

	// Scopes are the OAuth2/OIDC scopes to request (at least one scope is required, e.g. "openid")
	Scopes []string `yaml:"scopes" validate:"required,min=1,dive,required" default:"[\"openid\", \"profile\", \"email\"]"`

	// SessionDuration is the maximum time in seconds an in-flight OIDC authorization flow
	// (state, nonce, PKCE verifier) may remain active before it expires
	SessionDuration int `yaml:"session_duration" validate:"required" default:"300"`

	// ClientName is a human-readable name for the OIDC client, shown during dynamic registration or consent
	ClientName string `yaml:"client_name,omitempty"`
	// ClientURI is a URL to the client's homepage, used for display during consent
	ClientURI string `yaml:"client_uri,omitempty"`
	// LogoURI is a URL to the client's logo image, shown during consent screens
	LogoURI string `yaml:"logo_uri,omitempty"`
	// Contacts is a list of email addresses for responsible parties of this client
	Contacts []string `yaml:"contacts,omitempty"`
	// TosURI is a URL to the client's Terms of Service document
	TosURI string `yaml:"tos_uri,omitempty"`
	// PolicyURI is a URL to the client's Privacy Policy document
	PolicyURI string `yaml:"policy_uri,omitempty"`

	// CredentialMappings defines how to map OIDC claims to credential claims
	// Key: credential type identifier (e.g., "pid", "diploma")
	// Maps to credential_constructor keys and OpenID4VCI credential_configuration_ids
	CredentialMappings map[string]CredentialMapping `yaml:"credential_mappings" validate:"required_if=Enable true"`
}

OIDCRPConfig holds OIDC Relying Party configuration for credential issuance.

type OIDCRPDynamicRegistrationConfig 

type OIDCRPDynamicRegistrationConfig struct {
	// Enable activates dynamic client registration
	Enable bool `yaml:"enable"`

	// InitialAccessToken is a bearer token for registration
	// Required by some OIDC Providers (e.g., Keycloak)
	InitialAccessToken string `yaml:"initial_access_token,omitempty" validate:"required_if=Enable true"`
}

OIDCRPDynamicRegistrationConfig configures RFC 7591 dynamic client registration. When set, client credentials are obtained automatically at startup and persisted in the database.

type OIDCRPDynamicSecrets 

type OIDCRPDynamicSecrets struct {
	// InitialAccessToken is the bearer token required by the OP for dynamic client registration
	InitialAccessToken string `yaml:"initial_access_token"`
}

OIDCRPDynamicSecrets holds dynamic registration secrets

type OIDCRPPreconfiguredConfig 

type OIDCRPPreconfiguredConfig struct {
	// Enable activates preconfigured client credentials
	Enable bool `yaml:"enable"`

	// ClientID is the OIDC client identifier
	ClientID string `yaml:"client_id" validate:"required_if=Enable true"`

	// ClientSecret is the OIDC client secret
	ClientSecret string `yaml:"client_secret" validate:"required_if=Enable true"`
}

OIDCRPPreconfiguredConfig holds pre-registered client credentials.

type OIDCRPPreconfiguredSecrets 

type OIDCRPPreconfiguredSecrets struct {
	// ClientSecret is the shared secret for the pre-configured OIDC RP client
	ClientSecret string `yaml:"client_secret"`
}

OIDCRPPreconfiguredSecrets holds pre-registered client secrets

type OIDCRPRegistrationConfig 

type OIDCRPRegistrationConfig struct {
	// Preconfigured uses pre-registered client credentials.
	// Set this when the client is already registered with the OIDC Provider.
	Preconfigured *OIDCRPPreconfiguredConfig `yaml:"preconfigured,omitempty" validate:"required_without=Dynamic,excluded_with=Dynamic"`

	// Dynamic uses RFC 7591 dynamic client registration.
	// Set this when the client should register itself at startup.
	Dynamic *OIDCRPDynamicRegistrationConfig `yaml:"dynamic,omitempty" validate:"required_without=Preconfigured,excluded_with=Preconfigured"`
}

OIDCRPRegistrationConfig configures how the client obtains its credentials. Exactly one of Preconfigured or Dynamic must be set.

type OIDCRPRegistrationSecrets 

type OIDCRPRegistrationSecrets struct {
	Preconfigured *OIDCRPPreconfiguredSecrets `yaml:"preconfigured,omitempty"`
	Dynamic       *OIDCRPDynamicSecrets       `yaml:"dynamic,omitempty"`
}

OIDCRPRegistrationSecrets holds registration secrets

type OIDCRPSecrets 

type OIDCRPSecrets struct {
	Registration OIDCRPRegistrationSecrets `yaml:"registration,omitempty"`
}

OIDCRPSecrets holds OIDC Relying Party secrets

type OTEL 

type OTEL struct {
	// Enable activates OpenTelemetry tracing
	Enable bool `yaml:"enable" default:"false"`
	// Addr is the OTEL collector address
	Addr string `yaml:"addr" validate:"required_if=Enable true" doc_example:"\"jaeger:4318\""`
	// Timeout is the timeout in seconds
	Timeout int64 `yaml:"timeout" default:"10"`
}

OTEL holds the OpenTelemetry tracing configuration

type OpenID4VPConfig 

type OpenID4VPConfig struct {
	// PresentationTimeout is the presentation timeout in seconds
	PresentationTimeout int `yaml:"presentation_timeout" validate:"required" default:"300"`
	// SupportedCredentials holds the supported credential configurations
	SupportedCredentials []SupportedCredentialConfig `yaml:"supported_credentials" validate:"required"`
	// PresentationRequestsDir is an optional directory with presentation request templates
	PresentationRequestsDir string `yaml:"presentation_requests_dir,omitempty"`
}

OpenID4VPConfig holds OpenID4VP-specific configuration

func (*OpenID4VPConfig) GetPresentationRequestsDir 

func (c *OpenID4VPConfig) GetPresentationRequestsDir() string

GetPresentationRequestsDir returns the presentation requests directory, or empty string if the config is nil.

func (*OpenID4VPConfig) GetSupportedCredentials 

func (c *OpenID4VPConfig) GetSupportedCredentials() []SupportedCredentialConfig

GetSupportedCredentials returns the supported credentials, or nil if the config is nil.

type PKCS11 

type PKCS11 struct {
	// ModulePath is the path to the PKCS#11 module
	ModulePath string `yaml:"module_path" default:"/usr/lib/softhsm/libsofthsm2.so"`
	// SlotID is the HSM slot ID
	SlotID uint `yaml:"slot_id" default:"0"`
	// PIN is the PIN for HSM access
	PIN string `yaml:"pin" validate:"required"`
	// KeyLabel is the key label in HSM
	KeyLabel string `yaml:"key_label" validate:"required"`
	// KeyID is the key ID in HSM
	KeyID string `yaml:"key_id" validate:"required"`
}

PKCS11 holds PKCS#11 HSM configuration for hardware security module integration

type Probe 

type Probe struct {
	Name          string    `json:"name,omitempty"`
	Healthy       bool      `json:"healthy,omitempty"`
	Message       string    `json:"message,omitempty"`
	LastCheckedTS time.Time `json:"timestamp"`
}

Probe type

type ProbeStore 

type ProbeStore struct {
	NextCheck      time.Time
	PreviousResult *Probe
}

ProbeStore contains the previous probe result and the next time to check

type Probes 

type Probes []*apiv1_status.StatusProbe

Probes contains probes

func (Probes) Check 

func (probes Probes) Check(serviceName string) *apiv1_status.StatusReply

Check checks the status of each status, return the first that does not pass.

type QRCfg 

type QRCfg struct {
	// RecoveryLevel is the error correction level (0-3)
	RecoveryLevel int `yaml:"recovery_level" validate:"required,min=0,max=3" default:"2"`
	// Size is the QR code size in pixels
	Size int `yaml:"size" validate:"required" default:"256"`
}

QRCfg holds the QR code generation settings

type Registry 

type Registry struct {
	// APIServer is the HTTP API server configuration
	APIServer APIServer `yaml:"api_server" validate:"required"`
	// PublicURL is the public URL of this service (must be valid HTTP/HTTPS URL)
	PublicURL string `yaml:"public_url" validate:"required,httpurl" doc_example:"\"https://registry.sunet.se\""`
	// GRPCServer is the gRPC server configuration
	GRPCServer GRPCServer `yaml:"grpc_server" validate:"required"`
	// TokenStatusLists holds the Token Status List configuration
	TokenStatusLists *TokenStatusLists `yaml:"token_status_lists" validate:"required"`
	// AdminGUI holds the admin GUI configuration
	AdminGUI AdminGUI `yaml:"admin_gui,omitempty" validate:"omitempty"`
}

Registry holds the configuration for the Registry service that manages credential status

type RegistrySecrets 

type RegistrySecrets struct {
	AdminGUI AdminGUISecrets `yaml:"admin_gui,omitempty"`
}

RegistrySecrets holds registry secrets

type Revocation 

type Revocation struct {

	// ID is the ID of the revocation
	// required: false
	// example: 8dbd2680-c03f-11ee-a21b-034aafe41222
	ID string `json:"id,omitempty" bson:"id" validate:"omitempty,max=128,printascii"`

	// Revoked is a flag to indicate if the document has been revoked
	// required: false
	// example: false
	Revoked bool `json:"revoked,omitempty" bson:"revoked"`

	Reference RevocationReference `json:"reference" bson:"reference"`

	// RevokedAt is the time the document was revoked or going to be revoked
	// required: false
	// example: 509567558
	// format: int64
	RevokedAt int64 `json:"revoked_at,omitempty" bson:"revoked_at"`

	// Reason is the reason for revocation
	// required: false
	// example: lost or stolen
	Reason string `json:"reason,omitempty" bson:"reason" validate:"omitempty,max=128,printascii"`
}

Revocation is a collection of fields representing a revocation

type RevocationReference 

type RevocationReference struct {
	AuthenticSource string `json:"authentic_source,omitempty" bson:"authentic_source" validate:"omitempty,max=128,printascii"`
	VCT             string `json:"vct,omitempty" bson:"vct" validate:"omitempty,max=128,printascii"`
	DocumentID      string `json:"document_id,omitempty" bson:"document_id" validate:"omitempty,max=128,printascii"`
}

RevocationReference refer to a document

type SAMLConfig 

type SAMLConfig struct {
	// Enable turns on SAML support (default: false)
	Enable bool `yaml:"enable" default:"false"`

	// EntityID is the SAML SP entity identifier (typically the metadata URL)
	EntityID string `yaml:"entity_id" validate:"required_if=Enable true" doc_example:"\"https://issuer.sunet.se/saml/metadata\""`

	// MetadataURL is the public URL where SP metadata is served (optional, auto-generated if empty)
	MetadataURL string `yaml:"metadata_url,omitempty"`

	// MDQServer is the base URL for MDQ (Metadata Query Protocol) server (must end with /)
	// Mutually exclusive with StaticIDPMetadata
	MDQServer string `yaml:"mdq_server,omitempty" doc_example:"\"https://md.sunet.se/entities/\""`

	// StaticIDPMetadata configures a single static IdP as alternative to MDQ
	// Mutually exclusive with MDQServer
	StaticIDPMetadata *StaticIDPConfig `yaml:"static_idp_metadata,omitempty"`

	// CertificatePath is the path to X.509 certificate for SAML signing/encryption
	// TODO(pki): Migrate to pki.KeyConfig for consistency with other services and
	// to enable HSM-backed SAML signing keys in the future.
	CertificatePath string `yaml:"certificate_path" validate:"required_if=Enable true"`

	// PrivateKeyPath is the path to private key for SAML signing/encryption
	// TODO(pki): See CertificatePath TODO — both fields would be replaced by a single KeyConfig.
	PrivateKeyPath string `yaml:"private_key_path" validate:"required_if=Enable true"`

	// ACSEndpoint is the Assertion Consumer Service URL where IdP sends SAML responses
	ACSEndpoint string `yaml:"acs_endpoint" validate:"required_if=Enable true" doc_example:"\"https://issuer.sunet.se/saml/acs\""`

	// SessionDuration is the maximum time in seconds an in-flight SAML authentication flow
	// (AuthnRequest → Response) may remain active before it expires
	SessionDuration int `yaml:"session_duration" validate:"required" default:"300"`

	// CredentialMappings defines how to map external attributes to credential claims
	// Key: credential type identifier (e.g., "pid", "diploma")
	// Maps to credential_constructor keys and OpenID4VCI credential_configuration_ids
	CredentialMappings map[string]CredentialMapping `yaml:"credential_mappings" validate:"required_if=Enable true"`

	// MetadataSigningCertPath is the path to the X.509 certificate used to verify
	// metadata signatures. When set, all fetched metadata (MDQ and static) must
	// carry a valid XML signature from this certificate.
	MetadataSigningCertPath string `yaml:"metadata_signing_cert_path,omitempty"`

	// MetadataCacheTTL in seconds (default: 3600) - how long to cache IdP metadata from MDQ
	MetadataCacheTTL int `yaml:"metadata_cache_ttl"`
}

SAMLConfig holds SAML Service Provider configuration for the issuer

type SearchDocumentsReply 

type SearchDocumentsReply struct {
	Documents      []*CompleteDocument `json:"documents"`
	HasMoreResults bool                `json:"has_more_results"`
}

SearchDocumentsReply the reply from search documents

type SearchDocumentsRequest 

type SearchDocumentsRequest struct {
	AuthenticSource string `json:"authentic_source,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`
	VCT             string `json:"vct,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`
	DocumentID      string `json:"document_id,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`
	CollectID       string `json:"collect_id,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`

	AuthenticSourcePersonID string `json:"authentic_source_person_id,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`

	FamilyName string `json:"family_name,omitempty" validate:"omitempty,max=597,excludesall=${}[]"`
	GivenName  string `json:"given_name,omitempty" validate:"omitempty,max=1019,excludesall=${}[]"`
	BirthDate  string `json:"birth_date,omitempty" validate:"omitempty,datetime=2006-01-02"`
	BirthPlace string `json:"birth_place,omitempty" validate:"omitempty,max=1000,excludesall=${}[]"`

	Limit      int64          `json:"limit,omitempty" validate:"omitempty,min=0,max=1000"`
	Fields     []string       `json:"fields,omitempty" validate:"omitempty,dive,max=100,excludesall=${}[]"`
	SortFields map[string]int `json:"sort_fields,omitempty" validate:"omitempty,dive,keys,max=100,endkeys,oneof=1 -1"`
}

SearchDocumentsRequest the request to search for documents

type Secrets 

type Secrets struct {
	Common   *CommonSecrets   `yaml:"common,omitempty"`
	APIGW    *APIGWSecrets    `yaml:"apigw,omitempty"`
	Registry *RegistrySecrets `yaml:"registry,omitempty"`
	Verifier *VerifierSecrets `yaml:"verifier,omitempty"`
	UI       *UISecrets       `yaml:"ui,omitempty"`
}

Secrets defines the structure of the separate secrets file. When Common.SecretFilePath is set, secret values in config.yaml are cleared; only non-empty fields from this file are applied. Fields omitted or left empty here remain at their zero value.

type StaticIDPConfig 

type StaticIDPConfig struct {
	// EntityID is the IdP entity identifier
	EntityID string `yaml:"entity_id" validate:"required"`

	// MetadataPath is the file path to IdP metadata XML (mutually exclusive with MetadataURL)
	MetadataPath string `yaml:"metadata_path,omitempty" validate:"required_without=MetadataURL,excluded_with=MetadataURL"`

	// MetadataURL is the HTTP(S) URL to fetch IdP metadata from (mutually exclusive with MetadataPath)
	MetadataURL string `yaml:"metadata_url,omitempty"`
}

StaticIDPConfig holds configuration for a single static IdP connection

type StaticOIDCClient 

type StaticOIDCClient struct {
	// ClientID is the unique identifier for the client
	ClientID string `yaml:"client_id" validate:"required"`
	// ClientSecret is the client secret for authentication.
	// Can be defined in the secrets file under verifier.oidc_op.static_clients
	// as a map of client_id to client_secret.
	// Required unless TokenEndpointAuthMethod is "none" (public client).
	ClientSecret string `yaml:"client_secret" validate:"required_unless=TokenEndpointAuthMethod none"`
	// RedirectURIs is the list of allowed redirect URIs for this client
	RedirectURIs []string `yaml:"redirect_uris" validate:"required,min=1,dive,redirect_uri"`
	// AllowedScopes is the list of scopes this client is allowed to request.
	// If empty, defaults to standard OIDC scopes (openid, profile, email, address, phone).
	AllowedScopes []string `yaml:"allowed_scopes,omitempty"`
	// TokenEndpointAuthMethod is the authentication method for the token endpoint.
	// Supported values: client_secret_basic, client_secret_post, none (public client)
	// Default: "client_secret_basic"
	TokenEndpointAuthMethod string `` /* 144-byte string literal not displayed */
	// GrantTypes is the list of allowed grant types.
	// Supported values: authorization_code, refresh_token
	// Default: ["authorization_code"]
	GrantTypes []string `` /* 128-byte string literal not displayed */
	// ResponseTypes is the list of allowed response types.
	// Supported values: code
	// Default: ["code"]
	ResponseTypes []string `yaml:"response_types,omitempty" default:"[\"code\"]" validate:"omitempty,dive,oneof=code"`
	// ClientName is an optional human-readable name for the client
	ClientName string `yaml:"client_name,omitempty"`
}

StaticOIDCClient defines a pre-configured OIDC client for the verifier's OIDC Provider. Static clients are configured in YAML and do not require dynamic registration. These clients are checked in addition to dynamically registered clients stored in the database.

type SupportedCredentialConfig 

type SupportedCredentialConfig struct {
	// VCT is the verifiable credential type
	VCT string `yaml:"vct" validate:"required" doc_example:"\"urn:eudi:pid:1\""`
	// Scopes are the OIDC scopes that grant access to this credential
	Scopes []string `yaml:"scopes" validate:"required"`
}

SupportedCredentialConfig maps credential types to OIDC scopes

type TLS 

type TLS struct {
	// Enable enables TLS
	Enable bool `yaml:"enable" default:"false"`
	// CertFilePath is the path to the TLS certificate
	CertFilePath string `yaml:"cert_file_path" validate:"required"`
	// KeyFilePath is the path to the TLS private key
	KeyFilePath string `yaml:"key_file_path" validate:"required"`
}

TLS holds the TLS configuration

type TokenStatusLists 

type TokenStatusLists struct {
	// KeyConfig holds the key configuration for signing Token Status List tokens.
	KeyConfig *pki.KeyConfig `yaml:"key_config" validate:"required"`
	// TokenRefreshInterval is how often (in seconds) new Token Status List tokens are generated. Default: 43200 (12 hours). Min: 301 (>5 minutes), Max: 86400 (24 hours)
	TokenRefreshInterval int64 `yaml:"token_refresh_interval" validate:"min=301,max=86400" default:"43200"`
	// SectionSize is the number of entries (decoys) per section. Default: 1000000 (1 million)
	SectionSize int64 `yaml:"section_size" default:"1000000"`
	// RateLimitRequestsPerMinute is the maximum requests per minute per IP for token status list endpoints. Default: 60
	RateLimitRequestsPerMinute int `yaml:"rate_limit_requests_per_minute" default:"60"`
}

TokenStatusLists holds the configuration for Token Status List per draft-ietf-oauth-status-list

type TrustConfig 

type TrustConfig struct {
	// PDPURL is the URL of the AuthZEN PDP (Policy Decision Point) service for trust evaluation.
	// When set, operates in "default deny" mode - trust decisions require PDP approval.
	// When empty, operates in "allow all" mode - resolved keys are always considered trusted.
	PDPURL string `yaml:"pdp_url,omitempty" doc_example:"\"https://trust.sunet.se/pdp\""`

	// LocalDIDMethods specifies which DID methods can be resolved locally without go-trust.
	// Self-contained methods like "did:key" and "did:jwk" are always resolved locally.
	LocalDIDMethods []string `yaml:"local_did_methods,omitempty" default:"[\"did:key\", \"did:jwk\"]"`

	// TrustPolicies configures per-role trust evaluation policies.
	// The key is the role (e.g., "issuer", "verifier") and the value contains policy settings.
	TrustPolicies map[string]TrustPolicyConfig `yaml:"trust_policies,omitempty"`

	// AllowedSignatureAlgorithms restricts which JWT signature algorithms are accepted.
	// If empty, defaults to a secure set: ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512, EdDSA.
	// The "none" algorithm is NEVER allowed regardless of configuration.
	AllowedSignatureAlgorithms []string `yaml:"allowed_signature_algorithms,omitempty" doc_example:"[\"ES256\", \"ES384\", \"ES512\", \"EdDSA\"]"`
}

TrustConfig holds configuration for key resolution and trust evaluation via go-trust. This is used for validating W3C VC Data Integrity proofs and other trust-related operations.

Trust evaluation operates in one of two modes:

  • When PDPURL is configured: "default deny" mode - all trust decisions go through the PDP
  • When PDPURL is empty: "allow all" mode - keys are resolved but always considered trusted

type TrustPolicyConfig 

type TrustPolicyConfig struct {
	// TrustFrameworks lists the accepted trust frameworks for this role.
	TrustFrameworks []string `yaml:"trust_frameworks,omitempty" doc_example:"[\"did:web\", \"did:ebsi\", \"etsi-tl\", \"openid-federation\", \"x509\"]"`

	// TrustAnchors specifies trusted root entities for this role.
	// Format depends on the trust framework (e.g., DID for did:web, federation entity for OpenID Fed).
	TrustAnchors []string `yaml:"trust_anchors,omitempty"`

	// RequireRevocationCheck enforces revocation status checking for this role.
	// Default: false
	RequireRevocationCheck bool `yaml:"require_revocation_check,omitempty" default:"false"`
}

TrustPolicyConfig defines trust policy settings for a specific role.

type UI 

type UI struct {
	// APIServer is the HTTP API server configuration
	APIServer APIServer `yaml:"api_server" validate:"required"`
	// Username is the UI login username
	Username string `yaml:"username" validate:"required" default:"admin"`
	// Password is the UI login password
	Password string `yaml:"password" validate:"required"`
	// SessionInactivityTimeoutInSeconds is the session inactivity timeout in seconds
	SessionInactivityTimeoutInSeconds int `yaml:"session_inactivity_timeout_in_seconds" validate:"required" default:"1800"`
	Services                          struct {
		APIGW struct {
			BaseURL string `yaml:"base_url"`
		} `yaml:"apigw"`
		MockAS struct {
			BaseURL string `yaml:"base_url"`
		} `yaml:"mockas"`
		Verifier struct {
			BaseURL string `yaml:"base_url"`
		} `yaml:"verifier"`
	} `yaml:"services"`
}

UI holds the configuration for the User Interface service

type UISecrets 

type UISecrets struct {
	// Password is the UI login password
	Password string `yaml:"password"`
}

UISecrets holds UI secrets

type Verifier 

type Verifier struct {
	// APIServer is the HTTP API server configuration
	APIServer APIServer `yaml:"api_server" validate:"required"`
	// PublicURL is the public URL of this service (must be valid HTTP/HTTPS URL)
	PublicURL string `yaml:"public_url" validate:"required,httpurl" doc_example:"\"https://verifier.sunet.se\""`
	// KeyConfig is the signing key configuration
	KeyConfig *pki.KeyConfig `yaml:"key_config" validate:"required"`
	// OAuthServer is the OAuth2 server configuration
	OAuthServer OAuthServer `yaml:"oauth_server" validate:"required"`
	// PreferredVPFormats specifies informational VP formats and algorithms supported by wallets
	PreferredVPFormats *openid4vp.VPFormatsSupported `yaml:"preferred_vp_formats,omitempty"`
	// SupportedWallets holds supported wallet configurations
	SupportedWallets map[string]string `yaml:"supported_wallets" validate:"omitempty"`
	// OIDCOP holds the OIDC Provider configuration
	OIDCOP *OIDCOPConfig `yaml:"oidc_op,omitempty" validate:"omitempty"`
	// OpenID4VP holds the OpenID4VP configuration
	OpenID4VP *OpenID4VPConfig `yaml:"openid4vp" validate:"omitempty"`
	// DigitalCredentials holds the W3C Digital Credentials API configuration
	DigitalCredentials DigitalCredentialsConfig `yaml:"digital_credentials,omitempty"`
	// AuthorizationPageCSS holds the authorization page styling configuration
	AuthorizationPageCSS AuthorizationPageCSSConfig `yaml:"authorization_page_css,omitempty"`
	// CredentialDisplay holds the credential display settings
	CredentialDisplay CredentialDisplayConfig `yaml:"credential_display,omitempty"`
	// Trust holds the trust evaluation configuration
	Trust TrustConfig `yaml:"trust,omitempty"`
}

Verifier holds the configuration for the Verifier service that verifies credentials and acts as an OIDC Provider

type VerifierSecrets 

type VerifierSecrets struct {
	OIDCOP OIDCOPSecrets `yaml:"oidc_op,omitempty"`
}

VerifierSecrets holds verifier secrets

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.