v1.yaml
139 lines (139 loc) · 5.73 KB
openapi: 3.1.0
info:
  title: Policy backend API specification
  version: 0.1.0
servers:
  - url: "http://localhost:8080"
paths:
  /presentation_definitions:
    parameters:
      - name: authorizer
        in: query
        description: URL-encoded DID of the authorizer. Used for tenant selection.
        required: true
        example: did:web:example.com:1
        schema:
          type: string
      - name: scope
        in: query
        description: |
          The scope used in the OpenID4VP authorization request.
          It is a space-separated list of scopes.
        required: true
        schema:
          type: string
    get:
      summary: Returns the presentation definitions (per wallet type) for the given DID and scope.
      description: |
        The DID is used for tenant selection; tenants do not necessarily support the same scopes.
        The scope is used as the selection criterion for the presentation definition.
        If the tenant does not support the scope, no presentation definition is found
        and the response is 201 with an empty body.
      operationId: "presentationDefinitions"
      tags:
        - policy
      responses:
        "200":
          description: |
            DID has been found and the scope is supported.
            If the scope is supported but no presentation definition is required, the response is 200 with a presentation definition without any input descriptors.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WalletOwnerMapping'
        "201":
          description: The DID is known but the presented scope is not supported.
        "404":
          description: DID is not known to the policy backend.
  /authorized:
    post:
      summary: Check if a resource request is authorized.
      description: |
        When an access token is used to request a resource, the resource server needs to know if the access token grants access to the requested resource.
        The resource server sends a request to the policy backend to check if the access token grants access to the requested resource.
        All cryptographic and presentation exchange validations have already been done by the caller;
        the policy backend trusts the submitted presentations as given and only applies the authorization policy.
      operationId: "checkAuthorized"
      tags:
        - policy
      requestBody:
        description: Required params for the policy backend to make an informed decision.
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthorizedRequest'
      responses:
        "200":
          description: A response that indicates if the access token grants access to the requested resource.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizedResponse'
        "404":
          description: DID is not known to the policy backend.
components:
  schemas:
    AuthorizedRequest:
      description: |
        The request contains all params involved with the request.
        It might be the case that the caller mapped credential fields to additional params.
      type: object
      required:
        - audience
        - client_id
        - scope
        - request_url
        - request_method
        - presentation_submission
        - vps
      properties:
        audience:
          description: The audience of the access token. This is the identifier (DID) of the authorizer and issuer of the access token.
          type: string
        client_id:
          description: The client ID (DID) of the client that requested the resource.
          type: string
        scope:
          description: The scope used in the authorization request.
          type: string
        request_url:
          description: The URL of the resource request.
          type: string
        request_method:
          description: The HTTP method of the resource request.
          type: string
        presentation_submission:
          description: The presentation submissions that were used to request the access token.
          type: array
          items:
            $ref: '#/components/schemas/PresentationSubmission'
        vps:
          description: |
            The verifiable presentations that were used to request the access token.
            The verifiable presentations can be in JWT format or in JSON format.
          type: array
    AuthorizedResponse:
      description: |
        The response indicates if the access token grants access to the requested resource.
        If the access token grants access, the response is 200 with `authorized` set to true.
        If the access token does not grant access, the response is 200 with `authorized` set to false.
      type: object
      required:
        - authorized
      properties:
        authorized:
          description: Indicates if the access token grants access to the requested resource.
          type: boolean
    WalletOwnerMapping:
      description: A mapping from wallet type (user, organization) to presentation definition.
      type: object
      additionalProperties:
        $ref: '#/components/schemas/PresentationDefinition'
    PresentationDefinition:
      description: |
        A presentation definition is a JSON object that describes the desired verifiable credentials and presentation formats.
        Specified at https://identity.foundation/presentation-exchange/spec/v2.0.0/
        A JSON schema is available at https://identity.foundation/presentation-exchange/#json-schema
      type: object
    PresentationSubmission:
      description: |
        A presentation submission is a JSON object that maps requirements from the Presentation Definition to the verifiable presentations that were used to request an access token.
        Specified at https://identity.foundation/presentation-exchange/spec/v2.0.0/
        A JSON schema is available at https://identity.foundation/presentation-exchange/#json-schema
      type: object
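A minimal implementation of the decision logic behind the two operations above (tenant selection by DID, the 200/201/404 semantics of `/presentation_definitions`, and a deny-by-default `/authorized` check), as an added example rather than the project's own code, which the spec does not include. The `TENANTS` table, the rule format (`scope`, `methods`, `path_prefix`), `SAMPLE_REQUEST` and the 400 response for a malformed body are assumptions of this example; the spec defines only the request and response shapes. The path normalisation and whole-segment prefix match are the checks a practitioner would want in front of any prefix-based rule.

```python
"""Policy backend decision logic for /presentation_definitions and /authorized.

Added example, not the project's own code. TENANTS, the rule format and
SAMPLE_REQUEST are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote, urlparse

# Constructed tenant configuration, keyed by authorizer DID. "scopes" maps each
# supported scope to a WalletOwnerMapping (wallet type -> presentation
# definition); "rules" is the tenant's access policy (assumed format).
TENANTS = {
    "did:web:example.com:1": {
        "scopes": {
            "eoverdracht-sender": {
                "organization": {
                    "id": "pd_org",
                    "input_descriptors": [{"id": "org_credential",
                                           "constraints": {"fields": [{"path": ["$.type"]}]}}],
                },
            },
            # Supported scope that needs no credentials: empty input descriptors.
            "public": {"organization": {"id": "pd_public", "input_descriptors": []}},
        },
        "rules": [
            # granted scope -> allowed HTTP methods -> path prefix (whole segments only)
            {"scope": "eoverdracht-sender", "methods": {"GET"}, "path_prefix": "/fhir/Task"},
            {"scope": "public", "methods": {"GET"}, "path_prefix": "/metadata"},
        ],
    },
}

REQUIRED_FIELDS = ("audience", "client_id", "scope", "request_url",
                   "request_method", "presentation_submission", "vps")


def presentation_definitions(authorizer: str, scope: str):
    """GET /presentation_definitions -> (status, body): 404 unknown DID,
    201 unsupported scope (empty body), 200 with the WalletOwnerMapping."""
    tenant = TENANTS.get(unquote(authorizer))   # query param carries a URL-encoded DID
    if tenant is None:
        return 404, None
    requested = scope.split()                   # space-separated scope list
    if not requested or any(s not in tenant["scopes"] for s in requested):
        return 201, None
    # Merge per-scope mappings into one presentation definition per wallet type.
    mapping = {}
    for s in requested:
        for wallet_type, pd in tenant["scopes"][s].items():
            merged = mapping.setdefault(wallet_type, {"id": pd["id"], "input_descriptors": []})
            merged["input_descriptors"].extend(pd["input_descriptors"])
    return 200, mapping


def check_authorized(body: dict):
    """POST /authorized -> (status, body). The caller already verified the VPs
    and submissions, so only the tenant's rules are evaluated. Deny by default."""
    if any(k not in body for k in REQUIRED_FIELDS):
        return 400, {"error": "missing required field"}  # 400 is an assumption; spec lists 200/404
    tenant = TENANTS.get(body["audience"])      # audience is the authorizer DID -> tenant
    if tenant is None:
        return 404, None
    # Normalise the path so "/fhir/Task/../Patient" cannot pass a prefix rule,
    # and ignore the query string entirely.
    path = posixpath.normpath(urlparse(body["request_url"]).path)
    method = body["request_method"].upper()
    granted = set(body["scope"].split())
    for rule in tenant["rules"]:
        prefix = rule["path_prefix"]
        segment_match = path == prefix or path.startswith(prefix + "/")
        if rule["scope"] in granted and method in rule["methods"] and segment_match:
            return 200, {"authorized": True}
    return 200, {"authorized": False}


# Constructed request body a resource server would POST to /authorized.
SAMPLE_REQUEST = {
    "audience": "did:web:example.com:1",
    "client_id": "did:web:hospital.example:care",
    "scope": "eoverdracht-sender",
    "request_url": "https://example.com/fhir/Task/123?_include=Task:patient",
    "request_method": "GET",
    "presentation_submission": [{"id": "sub-1", "definition_id": "pd_org", "descriptor_map": []}],
    "vps": ["<constructed VP placeholder, already validated by the caller>"],
}

if __name__ == "__main__":
    print(presentation_definitions("did%3Aweb%3Aexample.com%3A1", "eoverdracht-sender"))
    print(check_authorized(SAMPLE_REQUEST))
```

The `/authorized` handler never inspects `vps` or `presentation_submission` beyond requiring their presence: per the spec the caller has already validated them, which means the policy backend should only be reachable from that trusted caller, since anyone who can POST to it directly gets an `authorized: true` for any well-formed request that matches a rule.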