-
Notifications
You must be signed in to change notification settings - Fork 14
/
v1.yaml
748 lines (728 loc) · 25.1 KB
/
v1.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
openapi: 3.0.0
info:
title: Nuts Auth Service API
version: 1.0.0
servers:
- url: http://localhost:1323
paths:
/internal/auth/v1/signature/session:
post:
operationId: createSignSession
summary: Create a signing session for a supported means.
description: |
Create a signing session for a supported means.
error returns:
* 400 - one of the parameters has the wrong format
tags:
- contract
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/SignSessionRequest"
responses:
201:
description: When the signing session was successfully created.
content:
application/json:
schema:
$ref: "#/components/schemas/SignSessionResponse"
default:
$ref: '../common/error_response.yaml'
/internal/auth/v1/signature/session/{sessionID}:
get:
operationId: getSignSessionStatus
summary: Get the current status of a signing session
description: |
Get the current status of a signing session
error returns:
* 404 - session could not be found
* 500 - internal server error
tags:
- contract
parameters:
- name: sessionID
in: path
required: true
schema:
type: string
responses:
200:
description: When the session is found. Contains the current session status.
content:
application/json:
schema:
$ref: "#/components/schemas/SignSessionStatusResponse"
default:
$ref: '../common/error_response.yaml'
/internal/auth/v1/signature/verify:
put:
operationId: verifySignature
summary: Verify a signature in the form of a verifiable presentation
description: |
Verify a signature in the form of a verifiable presentation
error returns:
* 400 - one of the parameters has the wrong format
* 500 - internal server error
tags:
- contract
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/SignatureVerificationRequest"
responses:
200:
description: "When the verification could be performed. The response contains the verification result. Note: This status code does not indicate the validity of the signature."
content:
application/json:
schema:
$ref: "#/components/schemas/SignatureVerificationResponse"
default:
$ref: '../common/error_response.yaml'
/public/auth/v1/contract/{contractType}:
get:
operationId: getContractByType
summary: Get a contract by type and version
description: |
Get contract by type and version
error returns:
* 404 - contract does not exists
tags:
- contract
parameters:
- name: contractType
in: path
required: true
schema:
type: string
- name: version
description: The version of this contract. If omitted, the most recent version will be returned
required: false
in: query
schema:
type: string
- name: language
in: query
required: false
schema:
type: string
default: nl
responses:
'200':
description: Returns the contract of this type, version, and language
content:
application/json:
schema:
$ref: "#/components/schemas/Contract"
default:
$ref: '../common/error_response.yaml'
/internal/auth/v1/contract/drawup:
put:
operationId: drawUpContract
summary: Draw up a contract using a specified contract template, language and version
description: |
Draw up a contract using a specified contract template, language and version
error returns:
* 400 - one of the parameters has the wrong format
* 404 - combinetaion of template, language, and version not found
tags:
- contract
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/DrawUpContractRequest"
responses:
200:
description: When the contract was drawn up successfully.
content:
application/json:
schema:
$ref: "#/components/schemas/ContractResponse"
default:
$ref: '../common/error_response.yaml'
/internal/auth/v1/jwt-grant:
post:
operationId: createJwtGrant
summary: Create a JWT Grant
description: |
Create a JWT Grant which can be used in the createAccessToken request in the assertion field
error returns:
* 400 - one of the parameters has the wrong format
tags:
- auth
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/CreateJwtGrantRequest"
responses:
'200':
description: Successful request. Responds with JWT encoded Bearer Token
content:
application/json:
schema:
$ref: "#/components/schemas/JwtGrantResponse"
default:
$ref: '../common/error_response.yaml'
/internal/auth/v1/request-access-token:
post:
operationId: requestAccessToken
summary: Request an accesstoken from the authorizer
description: |
Create a JWT Grant and use it as authorization grant to get an accesstoken from the authorizer.
error returns:
* 400 - one of the parameters has the wrong format
tags:
- auth
requestBody:
required: true
content:
application/json:
schema:
$ref: "#/components/schemas/RequestAccessTokenRequest"
responses:
'200':
description: Successful request. Responds with an accesstoken.
content:
application/json:
schema:
$ref: "#/components/schemas/AccessTokenResponse"
default:
$ref: '../common/error_response.yaml'
/n2n/auth/v1/accesstoken:
post:
operationId: createAccessToken
summary: Create an access token using a JWT as authorization grant
description: |
Create an access token using a JWT as authorization grant.
This endpoint must be available to other nodes for other applications to request access tokens.
It requires a two-way TLS connection according to the network agreement.
error returns:
* Follows the oauth framework error response: RFC6749
tags:
- auth
requestBody:
required: true
content:
application/x-www-form-urlencoded:
schema:
$ref: "#/components/schemas/CreateAccessTokenRequest"
responses:
'200':
description: The posted JWT is valid. Responds with access token
content:
application/json:
schema:
$ref: "#/components/schemas/AccessTokenResponse"
'400':
description: The posted JWT is invalid.
content:
application/json:
schema:
$ref: "#/components/schemas/AccessTokenRequestFailedResponse"
/internal/auth/v1/accesstoken/verify:
head:
operationId: verifyAccessToken
summary: Verifies the provided access token
description: |
Verifies the access token given in the Authorization header (as bearer token). If it's a valid access token issued by this server, it'll return a 200 status code.
error returns:
* 403 - Token cannot be verified. Note that the contents of the access token are not returned. The introspection API is for that.
tags:
- auth
parameters:
- name: Authorization
in: header
required: true
schema:
type: string
responses:
'200':
description: The access token is valid. It has been signed by this server.
'403':
description: The given access token is invalid or couldn't be verified.
/internal/auth/v1/accesstoken/introspect:
post:
operationId: introspectAccessToken
summary: Introspection endpoint to retrieve information from an Access Token as described by RFC7662
tags:
- auth
requestBody:
required: true
content:
application/x-www-form-urlencoded:
schema:
type: object
required:
- token
properties:
token:
type: string
description: JWT access token
responses:
'200':
description: An Introspection response as described in RFC7662 section 2.2
content:
application/json:
schema:
$ref: "#/components/schemas/TokenIntrospectionResponse"
components:
schemas:
VerifiableCredential:
type: object
description: A credential according to the W3C and Nuts specs.
required:
- "@context"
- type
- issuer
- issuanceDate
- credentialSubject
- proof
properties:
"@context":
description: List of URIs
type: array
items:
type: string
id:
description: credential ID. A Nuts DID followed by a large number.
example: "did:nuts:B8PUHs2AUHbFF1xLLK4eZjgErEcMXHxs68FteY7NDtCY"
type: string
type:
description: List of type definitions for the credential. Always includes 'VerifiableCredential'
type: array
items:
type: string
issuer:
$ref: '#/components/schemas/DID'
issuanceDate:
description: rfc3339 time string when the credential was issued.
type: string
example: "2012-01-02T12:00:00Z"
expirationDate:
description: rfc3339 time string untill when the credential is valid.
type: string
example: "2012-01-02T12:00:00Z"
credentialSubject:
$ref: '#/components/schemas/CredentialSubject'
proof:
description: one or multiple cryptographic proofs
type: object
CredentialSubject:
type: object
description: Subject of a Verifiable Credential identifying the holder and expressing claims.
CredentialIssuer:
type: object
required:
- issuer
- credentialType
properties:
issuer:
description: the DID of an issuer
example: "did:nuts:B8PUHs2AUHbFF1xLLK4eZjgErEcMXHxs68FteY7NDtCY"
type: string
credentialType:
description: a credential type
example: NutsOrganizationCredential
type: string
DID:
type: string
description: DID according to Nuts specification
example: "did:nuts:B8PUHs2AUHbFF1xLLK4eZjgErEcMXHxs68FteY7NDtCY"
#
# Everthing related to sessions and signing
#
SignSessionRequest:
required:
- means
- payload
- params
properties:
means:
type: string
enum: [ irma, dummy ]
example: irma
params:
type: object
description: Params are passed to the means. Should be documented in the means documentation.
payload:
type: string
description: Base64 encoded payload what needs to be signed.
SignSessionResponse:
required:
- sessionID
- sessionPtr
- means
properties:
sessionID:
description: Unique identifier of this sign session.
type: string
sessionPtr:
description: A pointer to a sign session. This is an opaque value which only has meaning in the context of the signing means. Can be an URL, base64 encoded image of a QRCode etc.
type: object
means:
description: The means this session uses to sign.
type: string
enum: [ irma, dummy ]
example: irma
SignSessionStatusResponse:
required:
- status
properties:
status:
description: Status indicates the status of the signing proces. Values depend on the implementation of the signing means.
type: string
verifiablePresentation:
$ref: "#/components/schemas/VerifiablePresentation"
VerifiablePresentation:
description: If the signature session is completed, this property contains the signature embedded in an w3c verifiable presentation.
type: object
required:
- "@context"
- type
- proof
properties:
"@context":
type: array
items:
type: string
type:
type: array
items:
type: string
proof:
type: object
SignatureVerificationRequest:
type: object
required:
- VerifiablePresentation
properties:
VerifiablePresentation:
$ref: "#/components/schemas/VerifiablePresentation"
checkTime:
description: Moment in time to check the validity of the signature. If omitted, the current time is used.
type: string
example: "2019-06-24T14:32:00+02:00"
SignatureVerificationResponse:
description: Contains the signature verification result.
type: object
required:
- validity
properties:
validity:
type: boolean
description: Indicates the validity of the signature.
vpType:
description: Type of Verifiable credential.
example: NutsDelegation
type: string
issuerAttributes:
description: Key vale pairs containing the attributes of the issuer.
type: object
example:
uziNr: 9000382
firstName: Henk
lastName: de Vries
credentials:
description: Key value pairs containing claims and their values.
type: object
example:
organization: Zorgcentrum de Oosterlanden
validFrom: 2020-12-16T10:57:00
validTo: 2020-12-16T12:57:00
#
# Everything related to Contracts
#
ContractType:
type: string
description: Type of which contract to sign.
example: "BehandelaarLogin"
ContractLanguage:
type: string
description: Language of the contract in all caps.
example: "NL"
ContractVersion:
type: string
description: Version of the contract.
example: "v1"
LegalEntity:
type: string
description: DID of the organization as registered in the Nuts registry.
example: "did:nuts:128903fjgfslcnmgpe84"
Contract:
required:
- type
- version
- language
properties:
type:
$ref: "#/components/schemas/ContractType"
language:
$ref: "#/components/schemas/ContractLanguage"
version:
$ref: "#/components/schemas/ContractVersion"
signer_attributes:
example:
type: array
items:
type: string
template:
type: string
example: ik verklaar dat ${acting_party} namens mij request mag maken
template_attributes:
type: array
items:
type: string
example: [ "irma-demo.MijnOverheid.ageLower.over12",
"irma-demo.MijnOverheid.fullName"
]
ContractSigningRequest:
required:
- type
- version
- language
- legalEntity
properties:
type:
$ref: "#/components/schemas/ContractType"
language:
$ref: "#/components/schemas/ContractLanguage"
version:
$ref: "#/components/schemas/ContractVersion"
legalEntity:
$ref: "#/components/schemas/LegalEntity"
valid_from:
type: string
description: "ValidFrom describes the time from which this contract should be considered valid"
example: "2019-06-24T14:32:00+02:00"
valid_to:
type: string
description: "ValidTo describes the time until this contract should be considered valid"
example: "2019-12-24T14:32:00+02:00"
ContractResponse:
required:
- message
- type
- version
- language
properties:
message:
type: string
description: The contract message.
example: I hereby declare that Pro Gen - Italia should be make requests in my name
type:
$ref: "#/components/schemas/ContractType"
language:
$ref: "#/components/schemas/ContractLanguage"
version:
$ref: "#/components/schemas/ContractVersion"
DrawUpContractRequest:
required:
- type
- version
- language
- legalEntity
properties:
type:
$ref: "#/components/schemas/ContractType"
language:
$ref: "#/components/schemas/ContractLanguage"
version:
$ref: "#/components/schemas/ContractVersion"
legalEntity:
$ref: "#/components/schemas/LegalEntity"
validFrom:
type: string
description: validFrom describes the time from which this contract should be considered valid. Current time is used when omitted.
example: "2019-06-24T14:32:00+02:00"
validDuration:
type: string
description: "The duration this contract is valid, starting from validFrom or current time if validFrom is omitted. Uses this node default when omitted. Valid time units are: 's', 'm', 'h'"
example: "2h"
#
# Everything related to JWT Grants
#
CreateJwtGrantRequest:
description: Request for a JWT Grant. The grant can be used during a Access Token Request in the assertion field
required:
- authorizer
- requester
- service
- credentials
properties:
authorizer:
type: string
requester:
type: string
identity:
$ref: "#/components/schemas/VerifiablePresentation"
service:
type: string
description: The service for which this access-token can be used. The right oauth endpoint is selected based on the service.
example: nuts-patient-transfer
credentials:
type: array
items:
$ref: '#/components/schemas/VerifiableCredential'
JwtGrantResponse:
description: Response with a JWT Grant. It contains a JWT, signed with the private key of the requestor software vendor.
required:
- bearer_token
- authorization_server_endpoint
properties:
bearer_token:
type: string
authorization_server_endpoint:
description: The URL that corresponds to the oauth endpoint of the selected service.
type: string
#
# Everything related to Access Tokens
#
RequestAccessTokenRequest:
description: Request for a JWT Grant and use it as authorization grant to get the access token from the authorizer
required:
- authorizer
- requester
- service
- credentials
properties:
authorizer:
type: string
requester:
type: string
identity:
$ref: '#/components/schemas/VerifiablePresentation'
service:
type: string
description: The service for which this access-token can be used. The right oauth endpoint is selected based on the service.
example: nuts-patient-transfer
credentials:
type: array
items:
$ref: '#/components/schemas/VerifiableCredential'
CreateAccessTokenRequest:
description: Request as described in RFC7523 section 2.1
required:
- grant_type
- assertion
properties:
grant_type:
type: string
description: always must contain the value "urn:ietf:params:oauth:grant-type:jwt-bearer"
example: urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:
type: string
description: Base64 encoded JWT following rfc7523 and the Nuts documentation
example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjIuNC42LjE6NDgwMDAwMDAiLCJzdWIiOiJ1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjIuNC42LjE6MTI0ODEyNDgiLCJzaWQiOiJ1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjIuNC42LjM6OTk5OTk5MCIsImF1ZCI6Imh0dHBzOi8vdGFyZ2V0X3Rva2VuX2VuZHBvaW50IiwidXNpIjoiYmFzZTY0IGVuY29kZWQgc2lnbmF0dXJlIiwiZXhwIjoxNTc4MTEwNDgxLCJpYXQiOjE1Nzg5MTA0ODEsImp0aSI6IjEyMy00NTYtNzg5In0.76XtU81IyR3Ak_2fgrYsuLcvxndf0eedT1mFPa-rPXk"
AccessTokenResponse:
description: Successful response as described in rfc6749 section 5.1
required:
- access_token
- token_type
- expires_in
properties:
access_token:
description: |
The access token issued by the authorization server.
Could be a signed JWT or a random number. It should not have a meaning to the client.
type: string
example:
"12345"
token_type:
description: The type of the token issued
type: string
example: "nuts_session_token"
expires_in:
type: integer
description: The lifetime in seconds of the access token.
example: 900
AccessTokenRequestFailedResponse:
description: Error response when access token request fails as described in rfc6749 sectionn 5.2
required:
- error
- error_description
properties:
error:
type: string
enum: [ invalid_request, invalid_grant, unsupported_grant_type ]
error_description:
description: >
Human-readable ASCII text providing
additional information, used to assist the client developer in
understanding the error that occurred.
type: string
TokenIntrospectionRequest:
description: Token introspection request as described in RFC7662 section 2.1
required:
- token
properties:
token:
type: string
example:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhaWQiOiJ1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjIuNC42LjE6MDAwMDAwMDAiLCJleHAiOjE1ODE0MTI2NjcsImlhdCI6MTU4MTQxMTc2NywiaXNzIjoidXJuOm9pZDoyLjE2Ljg0MC4xLjExMzg4My4yLjQuNi4xOjAwMDAwMDAxIiwic2lkIjoidXJuOm9pZDoyLjE2Ljg0MC4xLjExMzg4My4yLjQuNi4zOjk5OTk5OTk5MCIsInN1YiI6IiJ9.OhniTJcPS45nhJVqXfxsngG5eYS_0BvqFg-96zaWFO90I_5_N9Eg_k7NmIF5eNZ9Xutl1aqSxlSp80EX07Gmk8uzZO9PEReo0YZxnNQV-Zeq1njCMmfdwusmiczFlwcBi5Bl1xYGmLrxP7NcAoljmDgMgmLH0xaKfP4VVim6snPkPHqBdSzAgSrrc-cgVDLl-9V2obPB1HiVsFMYfbHEIb4MPsnPRnSGavYHTxt34mHbRsS8BvoBy3v6VNYaewLr6yz-_Zstrnr4I_wxtYbSiPJUeVQHcD-a9Ck53BdjspnhVHZ4IFVvuNrpflVaB1A7P3A2xZ7G_a8gF_SHMynYSA
TokenIntrospectionResponse:
description: Token introspection response as described in RFC7662 section 2.2
required:
- active
properties:
active:
type: boolean
description: |
True if the token is active, false if the token is expired, malformed etc.
service:
type: string
iss:
type: string
description: |
The subject (not a Nuts subject) contains the DID of the authorizer.
example: "did:nuts:128903fjgfslcnmgpe84"
sub:
type: string
description: |
The subject is always the acting party, thus the care organization requesting access to data.
example: "did:nuts:128903fjgfslcnmgpe84"
aud:
type: string
description: |
As per rfc7523 https://tools.ietf.org/html/rfc7523>, the aud must be the
token endpoint. This can be taken from the Nuts registry.
example: "https://target_token_endpoint"
vcs:
type: array
items:
type: string
description: credential ID as string
resolvedVCs:
type: array
items:
$ref: '#/components/schemas/VerifiableCredential'
description: credentials resolved from `vcs` (VC IDs). It contains only those VCs that could be resolved.
osi:
type: string
description: encoded ops signature. (TBD)
exp:
type: integer
iat:
type: integer
family_name:
type: string
description: Surname(s) or last name(s) of the End-User.
example: Bruijn
prefix:
type: string
description: Surname prefix
example: de
initials:
type: string
description: Initials of the End-User.
example: I.
email:
type: string
description: End-User's preferred e-mail address. Should be a personal email and can be used to uniquely identify a user. Just like the email used for an account.
example: w.debruijn@example.org