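---
# SATOSA backend configuration for the pyeudiw OpenID4VP backend
# (module: pyeudiw.satosa.backend.OpenID4VPBackend).
#
# Indentation restored to the conventional 2-space block layout so the
# mapping hierarchy (config > ui/endpoints/qrcode/... > metadata) is
# unambiguous to the parser. Values that are null by omission are now an
# explicit `null`, empty flow mappings are written `{}`, and every comment
# has a space after `#`; none of these change the parsed document.
#
# Several values below are example / development placeholders (the
# response_code symmetric key, subject_id_random_value, the private JWKs,
# the loopback federation URLs and the x509 anchor). Each is marked inline.
module: pyeudiw.satosa.backend.OpenID4VPBackend
name: OpenID4VP
config:
  ui:
    static_storage_url: "https://localhost"
    template_folder: "templates" # project root
    qrcode_template: "qr_code.html"
    error_template: "error.html"
    error_url: "https://localhost/error_page.html"
  endpoints:
    pre_request: '/pre-request'
    request:
      module: pyeudiw.satosa.default.request_handler
      class: RequestHandler
      path: '/request-uri'
    response:
      module: pyeudiw.satosa.default.response_handler
      class: ResponseHandler
      path: '/response-uri'
    entity_configuration: '/.well-known/openid-federation'
    status: '/status'
    get_response: '/get-response'
  qrcode:
    size: 250 # px
    color: '#000000' # hex
    expiration_time: 120 # seconds
    logo_path: 'wallet-it/wallet-icon-blue.svg' # relative to static_storage_url
  response_code:
    # hex string of 64 characters. The value here is a repeating example
    # pattern, not a random key: generate a fresh key per deployment and
    # supply it from a secret store rather than committing it to this file.
    sym_key: "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
  jwt:
    default_sig_alg: ES256 # or RS256
    default_enc_alg: RSA-OAEP
    default_enc_enc: A256CBC-HS512
    default_exp: 6 # minutes
    # The three anchors below are re-used (via aliases) in the metadata
    # section so the advertised algorithms stay in sync with what is
    # accepted here. Anchors are not expanded by every YAML tool; keep
    # them within this single document.
    enc_alg_supported: &enc_alg_supported
      - RSA-OAEP
      - RSA-OAEP-256
      - ECDH-ES
      - ECDH-ES+A128KW
      - ECDH-ES+A192KW
      - ECDH-ES+A256KW
    enc_enc_supported: &enc_enc_supported
      - A128CBC-HS256
      - A192CBC-HS384
      - A256CBC-HS512
      - A128GCM
      - A192GCM
      - A256GCM
    sig_alg_supported: &sig_alg_supported
      - RS256
      - RS384
      - RS512
      - ES256
      - ES384
      - ES512
  authorization:
    url_scheme: haip
    scopes:
      - pid-sd-jwt:unique_id+given_name+family_name
    default_acr_value: https://www.spid.gov.it/SpidL2
    expiration_time: 5 # minutes
  user_attributes:
    unique_identifiers:
      - tax_id_code
      - unique_id
    # Placeholder — replace with a secret, deployment-specific value.
    subject_id_random_value: CHANGEME!
  network:
    httpc_params:
      connection:
        ssl: true # keep TLS verification on for outbound HTTP
      session:
        timeout: 6
  trust:
    direct_trust_sd_jwt_vc:
      module: pyeudiw.trust.default.direct_trust_sd_jwt_vc
      class: DirectTrustSdJwtVc
      config:
        jwk_endpoint: /.well-known/jwt-vc-issuer
    federation:
      module: pyeudiw.trust.default.federation
      class: FederationTrustModel
      config:
        metadata_type: "wallet_relying_party"
        # Development value: plain-http loopback entity.
        authority_hints:
          - http://127.0.0.1:8000
        # NOTE(review): this list mixes a mapping entry (public_keys) and a
        # bare URL string — confirm the shape FederationTrustModel expects.
        trust_anchors:
          - public_keys: []
          - http://127.0.0.1:8000
        default_sig_alg: "RS256"
        trust_marks: []
        federation_entity_metadata:
          organization_name: Developers Italia SATOSA OpenID4VP backend
          homepage_uri: https://developers.italia.it
          policy_uri: https://developers.italia.it
          tos_uri: https://developers.italia.it
          logo_uri: https://developers.italia.it/assets/icons/logo-it.svg
        # Example federation signing key. It includes the private
        # components (d, p, q) and is therefore secret material: production
        # deployments should load this key from a secret store, not from a
        # committed configuration file.
        federation_jwks:
          - kty: RSA
            d: QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q
            e: AQAB
            kid: 9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w
            n: utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw
            p: 2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0
            q: 2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM
    x509:
      module: pyeudiw.trust.default.x509
      class: X509TrustModel
      config:
        # Placeholder: no x509 trust anchor certificate is configured yet.
        trust_anchor_certificates:
          - "todo"
        trust_anchors_cn: # we might mix CN and SAN together
          - http://127.0.0.1:8000
  # private jwk
  # Example keys for local use. Both entries carry private components
  # (`d`, and p/q for RSA); the RSA entry is the same key as the one in
  # federation_jwks above (identical kid and components). Load production
  # keys from a secret store rather than this file.
  metadata_jwks:
    - crv: P-256
      d: KzQBowMMoPmSZe7G8QsdEWc1IvR2nsgE8qTOYmMcLtc
      kid: dDwPWXz5sCtczj7CJbqgPGJ2qQ83gZ9Sfs-tJyULi6s
      use: sig
      kty: EC
      x: TSO-KOqdnUj5SUuasdlRB2VVFSqtJOxuR5GftUTuBdk
      y: ByWgQt1wGBSnF56jQqLdoO1xKUynMY-BHIDB3eXlR7
    - kty: RSA
      d: QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q
      e: AQAB
      use: enc
      kid: 9Cquk0X-fNPSdePQIgQcQZtD6J0IjIRrFigW2PPK_-w
      n: utqtxbs-jnK0cPsV7aRkkZKA9t4S-WSZa3nCZtYIKDpgLnR_qcpeF0diJZvKOqXmj2cXaKFUE-8uHKAHo7BL7T-Rj2x3vGESh7SG1pE0thDGlXj4yNsg0qNvCXtk703L2H3i1UXwx6nq1uFxD2EcOE4a6qDYBI16Zl71TUZktJwmOejoHl16CPWqDLGo9GUSk_MmHOV20m4wXWkB4qbvpWVY8H6b2a0rB1B1YPOs5ZLYarSYZgjDEg6DMtZ4NgiwZ-4N1aaLwyO-GLwt9Vf-NBKwoxeRyD3zWE2FXRFBbhKGksMrCGnFDsNl5JTlPjaM3kYyImE941ggcuc495m-Fw
      p: 2zmGXIMCEHPphw778YjVTar1eycih6fFSJ4I4bl1iq167GqO0PjlOx6CZ1-OdBTVU7HfrYRiUK_BnGRdPDn-DQghwwkB79ZdHWL14wXnpB5y-boHz_LxvjsEqXtuQYcIkidOGaMG68XNT1nM4F9a8UKFr5hHYT5_UIQSwsxlRQ0
      q: 2jMFt2iFrdaYabdXuB4QMboVjPvbLA-IVb6_0hSG_-EueGBvgcBxdFGIZaG6kqHqlB7qMsSzdptU0vn6IgmCZnX-Hlt6c5X7JB_q91PZMLTO01pbZ2Bk58GloalCHnw_mjPh0YPviH5jGoWM5RHyl_HDDMI-UeLkzP7ImxGizrM
  # Mongodb database configuration
  storage:
    mongo_db:
      cache:
        module: pyeudiw.storage.mongo_cache
        class: MongoCache
        init_params:
          # Unauthenticated local URL — development value.
          url: mongodb://localhost:27017
          conf:
            db_name: eudiw
          # connection_params:
      storage:
        module: pyeudiw.storage.mongo_storage
        class: MongoStorage
        init_params:
          # Unauthenticated local URL — development value.
          url: mongodb://localhost:27017
          conf:
            db_name: eudiw
            db_sessions_collection: sessions
            db_trust_attestations_collection: trust_attestations
            db_trust_anchors_collection: trust_anchors
            db_trust_sources_collection: trust_sources
            data_ttl: 63072000 # 2 years
          # - connection_params:
  # This is the configuration for the relaying party metadata
  metadata:
    application_type: web
    # The following section contains all the algorithms supported for the encryption of response
    authorization_encrypted_response_alg: *enc_alg_supported
    authorization_encrypted_response_enc: *enc_enc_supported
    authorization_signed_response_alg: *sig_alg_supported
    # Various informations of the client
    # this field is autopopulated using internal variables base_url and name using the following format: "<base_url>/<name>"
    client_id: null
    client_name: Name of an example organization
    contacts: null
    default_acr_values:
      - https://www.spid.gov.it/SpidL2
      - https://www.spid.gov.it/SpidL3
    default_max_age: 1111
    # The following section contains all the algorithms supported for the encryption of id token response
    id_token_encrypted_response_alg: *enc_alg_supported
    id_token_encrypted_response_enc: *enc_enc_supported
    id_token_signed_response_alg: *sig_alg_supported
    # loaded in the __init__
    # jwks:
    # This section contains the details for presentation request
    presentation_definition:
      id: d76c51b7-ea90-49bb-8368-6b3d194fc131
      input_descriptors:
        - id: IdentityCredential
          format:
            vc+sd-jwt: {}
          constraints:
            limit_disclosure: required
            fields:
              - path:
                  - "$.vct"
                filter:
                  type: string
                  const: IdentityCredential
              - path:
                  - "$.family_name"
              - path:
                  - "$.given_name"
    # This field is autopopulated using internal variables base_url and name using the following format: <base_url>/<name>/redirect-uri"
    redirect_uris: null
    # This field is autopopulated using internal variables base_url and name using the following format: <base_url>/<name>/request-uri"
    request_uris: null
    require_auth_time: true
    subject_type: pairwise
    vp_formats:
      vc+sd-jwt:
        sd-jwt_alg_values:
          - ES256
          - ES384
        kb-jwt_alg_values:
          - ES256
          - ES384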