feat: add Participant-aware STS (#614)

Author: paullatzelsperger

core/common-core/src/main/java/org/eclipse/edc/identityhub/DefaultServicesExtension.java

@@ -75,7 +75,7 @@ public class DefaultServicesExtension implements ServiceExtension {
     public static final String JWS_2020_JSON = "jws2020.json";
     public static final String CREDENTIALS_V_1_JSON = "credentials.v1.json";
 
-    
+
     public static final String NAME = "IdentityHub Default Services Extension";
     public static final long DEFAULT_REVOCATION_CACHE_VALIDITY_MILLIS = 15 * 60 * 1000L;
     static final String ACCESSTOKEN_JTI_VALIDATION_ACTIVATE = "edc.iam.accesstoken.jti.validation";

core/identity-hub-core/src/main/java/org/eclipse/edc/identityhub/core/CoreServicesExtension.java

@@ -18,7 +18,6 @@
 import org.eclipse.edc.http.spi.EdcHttpClient;
 import org.eclipse.edc.iam.did.spi.resolution.DidPublicKeyResolver;
 import org.eclipse.edc.iam.did.spi.resolution.DidResolverRegistry;
-import org.eclipse.edc.iam.identitytrust.spi.SecureTokenService;
 import org.eclipse.edc.iam.identitytrust.spi.verification.SignatureSuiteRegistry;
 import org.eclipse.edc.iam.verifiablecredentials.spi.model.CredentialFormat;
 import org.eclipse.edc.iam.verifiablecredentials.spi.model.RevocationServiceRegistry;
@@ -33,6 +32,7 @@
 import org.eclipse.edc.identityhub.core.services.verifiablepresentation.generators.LdpPresentationGenerator;
 import org.eclipse.edc.identityhub.core.services.verification.SelfIssuedTokenVerifierImpl;
 import org.eclipse.edc.identityhub.publickey.KeyPairResourcePublicKeyResolver;
+import org.eclipse.edc.identityhub.spi.authentication.ParticipantSecureTokenService;
 import org.eclipse.edc.identityhub.spi.credential.request.store.HolderCredentialRequestStore;
 import org.eclipse.edc.identityhub.spi.keypair.KeyPairService;
 import org.eclipse.edc.identityhub.spi.keypair.store.KeyPairResourceStore;
@@ -134,7 +134,7 @@ public class CoreServicesExtension implements ServiceExtension {
     @Inject
     private HolderCredentialRequestStore credentialRequestStore;
     @Inject
-    private SecureTokenService secureTokenService;
+    private ParticipantSecureTokenService secureTokenService;
     @Inject
     private EdcHttpClient httpClient;
 

core/identity-hub-core/src/main/java/org/eclipse/edc/identityhub/core/services/verifiablecredential/CredentialRequestManagerImpl.java

@@ -21,9 +21,9 @@
 import okhttp3.Response;
 import org.eclipse.edc.http.spi.EdcHttpClient;
 import org.eclipse.edc.iam.did.spi.resolution.DidResolverRegistry;
-import org.eclipse.edc.iam.identitytrust.spi.SecureTokenService;
 import org.eclipse.edc.identityhub.protocols.dcp.spi.model.CredentialRequest;
 import org.eclipse.edc.identityhub.protocols.dcp.spi.model.CredentialRequestMessage;
+import org.eclipse.edc.identityhub.spi.authentication.ParticipantSecureTokenService;
 import org.eclipse.edc.identityhub.spi.credential.request.model.HolderCredentialRequest;
 import org.eclipse.edc.identityhub.spi.credential.request.model.HolderRequestState;
 import org.eclipse.edc.identityhub.spi.credential.request.store.HolderCredentialRequestStore;
@@ -68,7 +68,7 @@ public class CredentialRequestManagerImpl extends AbstractStateEntityManager<Hol
     private DidResolverRegistry didResolverRegistry;
     private TypeTransformerRegistry dcpTypeTransformerRegistry;
     private EdcHttpClient httpClient;
-    private SecureTokenService secureTokenService;
+    private ParticipantSecureTokenService secureTokenService;
     private String ownDid;
     private TransactionContext transactionContext;
 
@@ -114,7 +114,7 @@ private Result<String> sendCredentialRequest(HolderCredentialRequest request, St
 
         return transactionContext.execute(() -> {
             transition(request.copy().toBuilder(), REQUESTING);
-            return getAuthToken(issuerDid, ownDid)
+            return getAuthToken(request.getParticipantContextId(), issuerDid, ownDid)
                     .compose(token -> createCredentialsRequest(token, endpoint, holderPid, typesAndFormats))
                     .compose(httpRequest -> httpClient.execute(httpRequest, this::mapResponseAsString));
         });
@@ -207,18 +207,19 @@ private Result<String> mapResponseAsString(Response response) {
     /**
      * Fetches the authentication token from the SecureTokenService.
      *
-     * @param audience the String used as {@code aud} claim
-     * @param myOwnDid the String used as {@code iss} and {@code sub} claims
+     * @param participantContextId The ID of the participant context on behalf of which the token is generated
+     * @param audience             the String used as {@code aud} claim
+     * @param myOwnDid             the String used as {@code iss} and {@code sub} claims
      * @return a JWT token that can be used to send DCP messages to the issuer
      */
-    private Result<TokenRepresentation> getAuthToken(String audience, String myOwnDid) {
+    private Result<TokenRepresentation> getAuthToken(String participantContextId, String audience, String myOwnDid) {
         var siTokenClaims = Map.of(
                 ISSUED_AT, Instant.now().toString(),
                 AUDIENCE, audience,
                 ISSUER, myOwnDid,
                 SUBJECT, myOwnDid,
                 EXPIRATION_TIME, Instant.now().plus(5, ChronoUnit.MINUTES).toString());
-        return secureTokenService.createToken(siTokenClaims, null);
+        return secureTokenService.createToken(participantContextId, siTokenClaims, null);
     }
 
     /**
@@ -262,7 +263,7 @@ public Builder httpClient(EdcHttpClient httpClient) {
             return this;
         }
 
-        public Builder secureTokenService(SecureTokenService secureTokenService) {
+        public Builder secureTokenService(ParticipantSecureTokenService secureTokenService) {
             manager.secureTokenService = secureTokenService;
             return this;
         }

core/identity-hub-core/src/test/java/org/eclipse/edc/identityhub/core/services/verifiablecredential/CredentialRequestManagerImplTest.java

@@ -21,9 +21,9 @@
 import org.eclipse.edc.iam.did.spi.document.DidDocument;
 import org.eclipse.edc.iam.did.spi.document.Service;
 import org.eclipse.edc.iam.did.spi.resolution.DidResolverRegistry;
-import org.eclipse.edc.iam.identitytrust.spi.SecureTokenService;
 import org.eclipse.edc.iam.verifiablecredentials.spi.model.CredentialFormat;
 import org.eclipse.edc.identityhub.protocols.dcp.spi.model.CredentialRequestMessage;
+import org.eclipse.edc.identityhub.spi.authentication.ParticipantSecureTokenService;
 import org.eclipse.edc.identityhub.spi.credential.request.model.HolderCredentialRequest;
 import org.eclipse.edc.identityhub.spi.credential.request.model.HolderRequestState;
 import org.eclipse.edc.identityhub.spi.credential.request.store.HolderCredentialRequestStore;
@@ -59,6 +59,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyInt;
 import static org.mockito.ArgumentMatchers.anyMap;
+import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.argThat;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.doThrow;
@@ -77,7 +78,7 @@ class CredentialRequestManagerImplTest {
     private final DidResolverRegistry resolver = mock();
     private final TypeTransformerRegistry transformerRegistry = mock();
     private final EdcHttpClient httpClient = mock();
-    private final SecureTokenService sts = mock();
+    private final ParticipantSecureTokenService sts = mock();
     private final CredentialRequestManagerImpl credentialRequestService = CredentialRequestManagerImpl.Builder.newInstance()
             .store(store)
             .didResolverRegistry(resolver)
@@ -94,7 +95,7 @@ class CredentialRequestManagerImplTest {
     void setUp() {
         when(transformerRegistry.transform(any(CredentialRequestMessage.class), eq(JsonObject.class)))
                 .thenReturn(success(Json.createObjectBuilder().build()));
-        when(sts.createToken(anyMap(), ArgumentMatchers.isNull())).thenReturn(success(TokenRepresentation.Builder.newInstance().build()));
+        when(sts.createToken(anyString(), anyMap(), ArgumentMatchers.isNull())).thenReturn(success(TokenRepresentation.Builder.newInstance().build()));
     }
 
     private DidDocument didDocument() {
@@ -156,7 +157,7 @@ void processInitial_shouldSendRequest(String stateString) {
                 var inOrder = inOrder(resolver, store, httpClient, sts);
                 inOrder.verify(resolver).resolve(eq(ISSUER_DID));
                 inOrder.verify(store).save(argThat(r -> r.getState() == REQUESTING.code()));
-                inOrder.verify(sts).createToken(anyMap(), ArgumentMatchers.isNull());
+                inOrder.verify(sts).createToken(anyString(), anyMap(), ArgumentMatchers.isNull());
                 inOrder.verify(httpClient).execute(any(), (Function<Response, Result<String>>) any());
                 inOrder.verify(store).save(argThat(r -> r.getState() == REQUESTED.code() && r.getIssuerPid() != null));
             });
@@ -218,7 +219,7 @@ void processInitial_whenStsFails_shouldTransitionToError(String stateString) {
             var state = HolderRequestState.valueOf(stateString);
 
             when(resolver.resolve(eq(ISSUER_DID))).thenReturn(success(didDocument()));
-            when(sts.createToken(anyMap(), ArgumentMatchers.isNull())).thenReturn(Result.failure("sts-failure"));
+            when(sts.createToken(anyString(), anyMap(), ArgumentMatchers.isNull())).thenReturn(Result.failure("sts-failure"));
 
             var rq = createRequest()
                     .state(state.code())
@@ -233,7 +234,7 @@ void processInitial_whenStsFails_shouldTransitionToError(String stateString) {
                 var inOrder = inOrder(resolver, store, httpClient, sts);
                 inOrder.verify(resolver).resolve(eq(ISSUER_DID));
                 inOrder.verify(store).save(argThat(r -> r.getState() == REQUESTING.code()));
-                inOrder.verify(sts).createToken(anyMap(), ArgumentMatchers.isNull());
+                inOrder.verify(sts).createToken(anyString(), anyMap(), ArgumentMatchers.isNull());
                 inOrder.verify(store).save(argThat(r -> r.getState() == ERROR.code() && r.getErrorDetail().equals("sts-failure")));
             });
         }
@@ -258,7 +259,7 @@ void processInitial_whenIssuerReturnsError_shouldTransitionToError(String stateS
                 var inOrder = inOrder(resolver, store, httpClient, sts);
                 inOrder.verify(resolver).resolve(eq(ISSUER_DID));
                 inOrder.verify(store).save(argThat(r -> r.getState() == REQUESTING.code()));
-                inOrder.verify(sts).createToken(anyMap(), ArgumentMatchers.isNull());
+                inOrder.verify(sts).createToken(anyString(), anyMap(), ArgumentMatchers.isNull());
                 inOrder.verify(httpClient).execute(any(), (Function<Response, Result<String>>) any());
                 inOrder.verify(store).save(argThat(r -> r.getState() == ERROR.code() && r.getErrorDetail().equals("issuer failure bad request")));
             });

core/identity-hub-participants/src/main/java/org/eclipse/edc/identityhub/participantcontext/ParticipantContextServiceImpl.java

@@ -178,6 +178,7 @@ private ParticipantContext convert(ParticipantManifest manifest) {
                 .did(manifest.getDid())
                 .apiTokenAlias("%s-%s".formatted(manifest.getParticipantId(), API_KEY_ALIAS_SUFFIX))
                 .state(ParticipantContextState.CREATED)
+                .properties(manifest.getAdditionalProperties())
                 .build();
     }
 }

e2e-tests/identity-api-tests/src/test/java/org/eclipse/edc/identityhub/tests/fixtures/IdentityHubEndToEndTestContext.java

@@ -116,7 +116,7 @@ public String storeCredential(VerifiableCredential credential, String participan
                 .participantContextId(participantContextId)
                 .holderId("holderId")
                 .issuerId("issuerId")
-                .credential(new VerifiableCredentialContainer("rawVc", CredentialFormat.JWT, credential))
+                .credential(new VerifiableCredentialContainer("rawVc", CredentialFormat.VC1_0_JWT, credential))
                 .build();
         runtime.getService(CredentialStore.class).create(resource).orElseThrow(f -> new EdcException(f.getFailureDetail()));
         return resource.getId();

extensions/api/identity-api/api-configuration/src/main/resources/identity-api-version.json

@@ -2,7 +2,7 @@
   {
     "version": "1.0.0-alpha",
     "urlPath": "/v1alpha",
-    "lastUpdated": "2025-02-21T12:00:00Z",
+    "lastUpdated": "2025-02-21T14:00:00Z",
     "maturity": null
   }
 ]

extensions/store/sql/identity-hub-participantcontext-store-sql/src/main/java/org/eclipse/edc/identityhub/store/sql/participantcontext/BaseSqlDialectStatements.java

@@ -32,6 +32,7 @@ public String getInsertTemplate() {
                 .column(getApiTokenAliasColumn())
                 .column(getDidColumn())
                 .jsonColumn(getRolesRolumn())
+                .jsonColumn(getPropertiesColumn())
                 .insertInto(getParticipantContextTable());
     }
 
@@ -45,6 +46,7 @@ public String getUpdateTemplate() {
                 .column(getApiTokenAliasColumn())
                 .column(getDidColumn())
                 .jsonColumn(getRolesRolumn())
+                .jsonColumn(getPropertiesColumn())
                 .update(getParticipantContextTable(), getIdColumn());
     }
 

extensions/store/sql/identity-hub-participantcontext-store-sql/src/main/java/org/eclipse/edc/identityhub/store/sql/participantcontext/ParticipantContextStoreStatements.java

@@ -55,6 +55,10 @@ default String getRolesRolumn() {
         return "roles";
     }
 
+    default String getPropertiesColumn() {
+        return "properties";
+    }
+
     String getInsertTemplate();
 
     String getUpdateTemplate();

extensions/store/sql/identity-hub-participantcontext-store-sql/src/main/java/org/eclipse/edc/identityhub/store/sql/participantcontext/SqlParticipantContextStore.java

@@ -14,7 +14,6 @@
 
 package org.eclipse.edc.identityhub.store.sql.participantcontext;
 
-import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.eclipse.edc.identityhub.spi.participantcontext.model.ParticipantContext;
 import org.eclipse.edc.identityhub.spi.participantcontext.model.ParticipantContextState;
@@ -32,6 +31,7 @@
 import java.sql.SQLException;
 import java.util.Collection;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 
 import static org.eclipse.edc.spi.result.StoreResult.alreadyExists;
@@ -43,8 +43,6 @@
  */
 public class SqlParticipantContextStore extends AbstractSqlStore implements ParticipantContextStore {
 
-    private static final TypeReference<List<String>> LIST_REF = new TypeReference<>() {
-    };
     private final ParticipantContextStoreStatements statements;
 
     public SqlParticipantContextStore(DataSourceRegistry dataSourceRegistry,
@@ -74,7 +72,8 @@ public StoreResult<Void> create(ParticipantContext participantContext) {
                         participantContext.getState(),
                         participantContext.getApiTokenAlias(),
                         participantContext.getDid(),
-                        toJson(participantContext.getRoles())
+                        toJson(participantContext.getRoles()),
+                        toJson(participantContext.getProperties())
                 );
                 return success();
 
@@ -114,6 +113,7 @@ public StoreResult<Void> update(ParticipantContext participantContext) {
                             participantContext.getApiTokenAlias(),
                             participantContext.getDid(),
                             toJson(participantContext.getRoles()),
+                            toJson(participantContext.getProperties()),
                             id);
                     return StoreResult.success();
                 }
@@ -156,7 +156,8 @@ private ParticipantContext mapResultSet(ResultSet resultSet) throws Exception {
         var state = resultSet.getInt(statements.getStateColumn());
         var tokenAliase = resultSet.getString(statements.getApiTokenAliasColumn());
         var did = resultSet.getString(statements.getDidColumn());
-        var roles = fromJson(resultSet.getString(statements.getRolesRolumn()), LIST_REF);
+        List<String> roles = fromJson(resultSet.getString(statements.getRolesRolumn()), getTypeRef());
+        Map<String, Object> props = fromJson(resultSet.getString(statements.getPropertiesColumn()), getTypeRef());
 
         return ParticipantContext.Builder.newInstance()
                 .participantContextId(id)
@@ -166,6 +167,7 @@ private ParticipantContext mapResultSet(ResultSet resultSet) throws Exception {
                 .apiTokenAlias(tokenAliase)
                 .did(did)
                 .roles(roles)
+                .properties(props)
                 .build();
     }
 }

extensions/store/sql/identity-hub-participantcontext-store-sql/src/main/resources/participant-schema.sql

@@ -21,7 +21,8 @@ CREATE TABLE IF NOT EXISTS participant_context
     state              INTEGER             NOT NULL, -- 0 = CREATED, 1 = ACTIVE, 2 = DEACTIVATED
     api_token_alias    VARCHAR             NOT NULL, -- alias under which this PC's api token is stored in the vault
     did                VARCHAR,                      -- the DID with which this participant is identified
-    roles              JSON                          -- JSON array containing all the roles a user has. may be empty
+    roles              JSON,                         -- JSON array containing all the roles a user has. may be empty
+    properties         JSON DEFAULT '{}'             -- JSON object containing additional information, such as OAuth2 client secret aliases
 );
 CREATE UNIQUE INDEX IF NOT EXISTS participant_context_participant_context_id_uindex ON participant_context USING btree (participant_context_id);
 

extensions/sts/sts-account-provisioner/src/main/java/org/eclipse/edc/identityhub/common/provisioner/StsAccountProvisionerImpl.java

@@ -34,8 +34,6 @@
 
 import java.util.Objects;
 
-import static java.util.Optional.ofNullable;
-
 /**
  * AccountProvisioner, that synchronizes the {@link org.eclipse.edc.identityhub.spi.participantcontext.model.ParticipantContext} object
  * to {@link StsAccount} entries. That means, when a participant is created, this provisioner takes care of creating a corresponding
@@ -79,9 +77,7 @@ public <E extends Event> void on(EventEnvelope<E> event) {
     @Override
     public ServiceResult<AccountInfo> create(ParticipantManifest manifest) {
 
-        var secretAlias = ofNullable(manifest.getProperty(CLIENT_SECRET_PROPERTY))
-                .map(Object::toString)
-                .orElseGet(() -> manifest.getParticipantId() + "-sts-client-secret");
+        var secretAlias = manifest.clientSecretAlias();
         var createResult = stsAccountService.createAccount(manifest, secretAlias)
                 .map(v -> stsClientSecretGenerator.generateClientSecret(null))
                 .map(secret -> new AccountInfo(manifest.getDid(), secret))

extensions/sts/sts-account-service-local/build.gradle.kts

@@ -20,8 +20,9 @@ plugins {
 dependencies {
 
     api(project(":spi:participant-context-spi"))
+    api(project(":spi:identity-hub-spi")) // participant STS
+    api(project(":spi:keypair-spi")) // keypair resource store
     implementation(libs.edc.lib.token)
-    implementation(libs.edc.sts)
     implementation(libs.edc.sts.spi)
     implementation(libs.edc.spi.core)
     implementation(libs.edc.spi.transaction)

extensions/sts/sts-account-service-local/src/main/java/org/eclipse/edc/identityhub/sts/AccessTokenDecorator.java

@@ -0,0 +1,56 @@
+/*
+ *  Copyright (c) 2025 Cofinity-X
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Cofinity-X - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub.sts;
+
+import org.eclipse.edc.spi.iam.TokenParameters;
+import org.eclipse.edc.token.spi.TokenDecorator;
+
+import java.time.Instant;
+import java.util.Date;
+import java.util.Map;
+
+import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.EXPIRATION_TIME;
+import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.ISSUED_AT;
+import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.JWT_ID;
+import static org.eclipse.edc.jwt.spi.JwtRegisteredClaimNames.NOT_BEFORE;
+
+/**
+ * Opinionated decorator that adds "jti", "iat", "nbf" and "exp" claims to an existing set of claims, overwriting if the aforementioned
+ * are already contained in the map.
+ */
+class AccessTokenDecorator implements TokenDecorator {
+
+    private final String jti;
+    private final Instant now;
+    private final Instant expiration;
+    private final Map<String, String> claims;
+
+    AccessTokenDecorator(String jti, Instant now, Instant expiration, Map<String, String> claims) {
+        this.jti = jti;
+        this.now = now;
+        this.expiration = expiration;
+        this.claims = claims;
+    }
+
+    @Override
+    public TokenParameters.Builder decorate(TokenParameters.Builder tokenParameters) {
+        this.claims.forEach(tokenParameters::claims);
+        return tokenParameters
+                .claims(ISSUED_AT, Date.from(now))
+                .claims(NOT_BEFORE, Date.from(now))
+                .claims(EXPIRATION_TIME, Date.from(expiration))
+                .claims(JWT_ID, jti);
+    }
+}