eclipse-edc
diff --git a/‎protocols/dcp/dcp-identityhub/credential-offer-api/build.gradle.kts
+50 b/‎protocols/dcp/dcp-identityhub/credential-offer-api/build.gradle.kts
+50
diff --git a/‎protocols/dcp/dcp-identityhub/credential-offer-api/src/main/java/org/eclipse/edc/identityhub/api/CredentialOfferApiExtension.java
+92 b/‎protocols/dcp/dcp-identityhub/credential-offer-api/src/main/java/org/eclipse/edc/identityhub/api/CredentialOfferApiExtension.java
+92
diff --git a/‎protocols/dcp/dcp-identityhub/credential-offer-api/src/main/java/org/eclipse/edc/identityhub/api/credentialoffer/ApiSchema.java
+36 b/‎protocols/dcp/dcp-identityhub/credential-offer-api/src/main/java/org/eclipse/edc/identityhub/api/credentialoffer/ApiSchema.java
+36
diff --git a/‎protocols/dcp/dcp-identityhub/credential-offer-api/src/main/java/org/eclipse/edc/identityhub/api/credentialoffer/CredentialOfferApi.java
+60 b/‎protocols/dcp/dcp-identityhub/credential-offer-api/src/main/java/org/eclipse/edc/identityhub/api/credentialoffer/CredentialOfferApi.java
+60
diff --git a/‎protocols/dcp/dcp-identityhub/credential-offer-api/src/main/java/org/eclipse/edc/identityhub/api/credentialoffer/CredentialOfferApiController.java
+96 b/‎protocols/dcp/dcp-identityhub/credential-offer-api/src/main/java/org/eclipse/edc/identityhub/api/credentialoffer/CredentialOfferApiController.java
+96
diff --git a/‎protocols/dcp/dcp-identityhub/credential-offer-api/src/main/java/org/eclipse/edc/identityhub/api/validation/CredentialObjectValidator.java
+44 b/‎protocols/dcp/dcp-identityhub/credential-offer-api/src/main/java/org/eclipse/edc/identityhub/api/validation/CredentialObjectValidator.java
+44
@@ -0,0 +1,50 @@
+/*
+ *  Copyright (c) 2025 Metaform Systems Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems Inc. - initial API and implementation
+ *
+ */
+
+plugins {
+    `java-library`
+    `maven-publish`
+    id("io.swagger.core.v3.swagger-gradle-plugin")
+}
+
+dependencies {
+    api(project(":spi:identity-hub-spi"))
+    api(project(":protocols:dcp:dcp-spi"))
+
+    api(libs.edc.spi.jsonld)
+    api(libs.edc.spi.jwt)
+    api(libs.edc.spi.core)
+
+    implementation(project(":protocols:dcp:dcp-identityhub:credentials-api-configuration"))
+    implementation(project(":protocols:dcp:dcp-transform-lib"))
+    implementation(libs.edc.spi.validator)
+    implementation(libs.edc.spi.web)
+    implementation(libs.edc.spi.dcp)
+    implementation(libs.edc.lib.jerseyproviders)
+    implementation(libs.edc.lib.transform)
+    implementation(libs.edc.dcp.transform)
+    implementation(libs.jakarta.rsApi)
+    testImplementation(libs.edc.junit)
+    testImplementation(libs.edc.jsonld)
+    testImplementation(testFixtures(libs.edc.core.jersey))
+    testImplementation(testFixtures(project(":spi:verifiable-credential-spi")))
+    testImplementation(libs.nimbus.jwt)
+    testImplementation(libs.restAssured)
+}
+
+edcBuild {
+    swagger {
+        apiGroup.set("credentials-api")
+    }
+}
@@ -0,0 +1,92 @@
+/*
+ *  Copyright (c) 2025 Metaform Systems Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub.api;
+
+import org.eclipse.edc.identityhub.api.credentialoffer.CredentialOfferApiController;
+import org.eclipse.edc.identityhub.api.validation.CredentialOfferMessageValidator;
+import org.eclipse.edc.identityhub.protocols.dcp.spi.DcpIssuerTokenVerifier;
+import org.eclipse.edc.identityhub.protocols.dcp.transform.to.JsonObjectToCredentialObjectTransformer;
+import org.eclipse.edc.identityhub.protocols.dcp.transform.to.JsonObjectToCredentialOfferMessageTransformer;
+import org.eclipse.edc.identityhub.spi.participantcontext.ParticipantContextService;
+import org.eclipse.edc.identityhub.spi.verifiablecredentials.generator.CredentialWriter;
+import org.eclipse.edc.jsonld.spi.JsonLd;
+import org.eclipse.edc.runtime.metamodel.annotation.Extension;
+import org.eclipse.edc.runtime.metamodel.annotation.Inject;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.eclipse.edc.spi.system.ServiceExtension;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+import org.eclipse.edc.spi.types.TypeManager;
+import org.eclipse.edc.transform.spi.TypeTransformerRegistry;
+import org.eclipse.edc.validator.spi.JsonObjectValidatorRegistry;
+import org.eclipse.edc.web.jersey.providers.jsonld.ObjectMapperProvider;
+import org.eclipse.edc.web.spi.WebService;
+
+import static org.eclipse.edc.iam.identitytrust.spi.DcpConstants.DSPACE_DCP_NAMESPACE_V_1_0;
+import static org.eclipse.edc.identityhub.api.CredentialOfferApiExtension.NAME;
+import static org.eclipse.edc.identityhub.protocols.dcp.spi.DcpConstants.DCP_SCOPE_V_1_0;
+import static org.eclipse.edc.identityhub.protocols.dcp.spi.model.CredentialMessage.CREDENTIAL_MESSAGE_TERM;
+import static org.eclipse.edc.identityhub.spi.webcontext.IdentityHubApiContext.CREDENTIALS;
+import static org.eclipse.edc.spi.constants.CoreConstants.JSON_LD;
+
+@Extension(value = NAME)
+public class CredentialOfferApiExtension implements ServiceExtension {
+
+    public static final String NAME = "Storage API Extension";
+
+    @Inject
+    private TypeTransformerRegistry typeTransformer;
+    @Inject
+    private JsonObjectValidatorRegistry validatorRegistry;
+    @Inject
+    private WebService webService;
+    @Inject
+    private JsonLd jsonLd;
+    @Inject
+    private TypeManager typeManager;
+    @Inject
+    private CredentialWriter writer;
+    @Inject
+    private DcpIssuerTokenVerifier issuerTokenVerifier;
+    @Inject
+    private Monitor monitor;
+
+    @Inject
+    private ParticipantContextService participantContextService;
+
+    @Override
+    public String name() {
+        return NAME;
+    }
+
+    @Override
+    public void initialize(ServiceExtensionContext context) {
+
+        validatorRegistry.register(DSPACE_DCP_NAMESPACE_V_1_0.toIri(CREDENTIAL_MESSAGE_TERM), new CredentialOfferMessageValidator());
+
+        var controller = new CredentialOfferApiController(validatorRegistry, typeTransformer, context.getMonitor().withPrefix("CredentialOfferApi"), issuerTokenVerifier, participantContextService);
+        webService.registerResource(CREDENTIALS, new ObjectMapperProvider(typeManager, JSON_LD));
+        webService.registerResource(CREDENTIALS, controller);
+
+        registerTransformers();
+    }
+
+    void registerTransformers() {
+        var scopedTransformerRegistry = typeTransformer.forContext(DCP_SCOPE_V_1_0);
+
+        // inbound
+        scopedTransformerRegistry.register(new JsonObjectToCredentialOfferMessageTransformer(DSPACE_DCP_NAMESPACE_V_1_0));
+        scopedTransformerRegistry.register(new JsonObjectToCredentialObjectTransformer(typeManager, JSON_LD, DSPACE_DCP_NAMESPACE_V_1_0));
+    }
+}
@@ -0,0 +1,36 @@
+/*
+ *  Copyright (c) 2025 Metaform Systems Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub.api.credentialoffer;
+
+import io.swagger.v3.oas.annotations.media.Schema;
+
+public interface ApiSchema {
+    @Schema(name = "ApiErrorDetail", example = ApiErrorDetailSchema.API_ERROR_EXAMPLE)
+    record ApiErrorDetailSchema(
+            String message,
+            String type,
+            String path,
+            String invalidValue
+    ) {
+        public static final String API_ERROR_EXAMPLE = """
+                {
+                    "message": "error message",
+                    "type": "ErrorType",
+                    "path": "object.error.path",
+                    "invalidValue": "this value is not valid"
+                }
+                """;
+    }
+}
@@ -0,0 +1,60 @@
+/*
+ *  Copyright (c) 2025 Metaform Systems Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub.api.credentialoffer;
+
+
+import io.swagger.v3.oas.annotations.ExternalDocumentation;
+import io.swagger.v3.oas.annotations.OpenAPIDefinition;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.enums.SecuritySchemeType;
+import io.swagger.v3.oas.annotations.info.Info;
+import io.swagger.v3.oas.annotations.media.ArraySchema;
+import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Schema;
+import io.swagger.v3.oas.annotations.parameters.RequestBody;
+import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityScheme;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.json.JsonObject;
+import jakarta.ws.rs.core.Response;
+
+import static org.eclipse.edc.identityhub.protocols.dcp.spi.DcpConstants.DCP_SPECIFICATION_URL;
+
+@OpenAPIDefinition(
+        info = @Info(description = "This implements the Credential Offer API as per DCP specification. It serves as notification facility for a holder.", title = "Credential Offer API",
+                version = "1"))
+@SecurityScheme(name = "Authentication",
+        description = "Self-Issued ID",
+        type = SecuritySchemeType.HTTP,
+        scheme = "bearer",
+        bearerFormat = "JWT")
+public interface CredentialOfferApi {
+
+    @Tag(name = "Credential Offer API")
+    @Operation(description = "Notifies the holder about the availability of a particular credential for issuance",
+            requestBody = @RequestBody(content = @Content(schema = @Schema(externalDocs = @ExternalDocumentation(description = "DCP Credential Offer API", url = DCP_SPECIFICATION_URL)))),
+            responses = {
+                    @ApiResponse(responseCode = "200", description = "The offer notification was successfully received."),
+                    @ApiResponse(responseCode = "400", description = "Request body was malformed",
+                            content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiSchema.ApiErrorDetailSchema.class)))),
+                    @ApiResponse(responseCode = "401", description = "No Authorization header was given.",
+                            content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiSchema.ApiErrorDetailSchema.class)))),
+                    @ApiResponse(responseCode = "403", description = "The given authentication token could not be validated.",
+                            content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiSchema.ApiErrorDetailSchema.class))))
+
+            }
+    )
+    Response offerCredential(String participantContextId, JsonObject credentialOfferMessage, String authHeader);
+}
@@ -0,0 +1,96 @@
+/*
+ *  Copyright (c) 2025 Metaform Systems Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub.api.credentialoffer;
+
+import jakarta.json.JsonObject;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.Response;
+import org.eclipse.edc.identityhub.protocols.dcp.spi.DcpIssuerTokenVerifier;
+import org.eclipse.edc.identityhub.protocols.dcp.spi.model.CredentialOfferMessage;
+import org.eclipse.edc.identityhub.spi.participantcontext.ParticipantContextService;
+import org.eclipse.edc.spi.monitor.Monitor;
+import org.eclipse.edc.transform.spi.TypeTransformerRegistry;
+import org.eclipse.edc.validator.spi.JsonObjectValidatorRegistry;
+import org.eclipse.edc.web.spi.exception.AuthenticationFailedException;
+import org.eclipse.edc.web.spi.exception.InvalidRequestException;
+import org.eclipse.edc.web.spi.exception.NotAuthorizedException;
+import org.eclipse.edc.web.spi.exception.ValidationFailureException;
+
+import static jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION;
+import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
+import static org.eclipse.edc.iam.identitytrust.spi.DcpConstants.DSPACE_DCP_NAMESPACE_V_1_0;
+import static org.eclipse.edc.identityhub.protocols.dcp.spi.DcpConstants.DCP_SCOPE_V_1_0;
+import static org.eclipse.edc.identityhub.spi.participantcontext.ParticipantContextId.onEncoded;
+
+@Consumes(APPLICATION_JSON)
+@Produces(APPLICATION_JSON)
+@Path("/v1/participants/{participantContextId}/offers")
+public class CredentialOfferApiController implements CredentialOfferApi {
+
+    private final JsonObjectValidatorRegistry validatorRegistry;
+    private final TypeTransformerRegistry transformerRegistry;
+    private final Monitor monitor;
+    private final DcpIssuerTokenVerifier issuerTokenVerifier;
+    private final ParticipantContextService participantContextService;
+
+    public CredentialOfferApiController(JsonObjectValidatorRegistry validatorRegistry,
+                                        TypeTransformerRegistry transformerRegistry,
+                                        Monitor monitor,
+                                        DcpIssuerTokenVerifier issuerTokenVerifier,
+                                        ParticipantContextService participantContextService) {
+        this.validatorRegistry = validatorRegistry;
+        this.transformerRegistry = transformerRegistry;
+        this.monitor = monitor;
+        this.issuerTokenVerifier = issuerTokenVerifier;
+        this.participantContextService = participantContextService;
+    }
+
+
+    @POST
+    @Override
+    public Response offerCredential(@PathParam("participantContextId") String participantContextId, JsonObject credentialOfferMessage, @HeaderParam(AUTHORIZATION) String authHeader) {
+        if (credentialOfferMessage == null) {
+            throw new InvalidRequestException("Request body is null");
+        }
+        if (authHeader == null) {
+            throw new AuthenticationFailedException("Authorization header missing");
+        }
+        var authToken = authHeader.replace("Bearer", "").trim();
+        validatorRegistry.validate(DSPACE_DCP_NAMESPACE_V_1_0.toIri(CredentialOfferMessage.CREDENTIAL_OFFER_MESSAGE_TERM), credentialOfferMessage).orElseThrow(ValidationFailureException::new);
+        var protocolRegistry = transformerRegistry.forContext(DCP_SCOPE_V_1_0);
+
+        participantContextId = onEncoded(participantContextId).orElseThrow(InvalidRequestException::new);
+
+        var offerMessage = protocolRegistry.forContext(DCP_SCOPE_V_1_0).transform(credentialOfferMessage, CredentialOfferMessage.class).orElseThrow(InvalidRequestException::new);
+
+        var participantContext = participantContextService.getParticipantContext(participantContextId)
+                .orElseThrow((f) -> new AuthenticationFailedException("Invalid participant"));
+
+        // validate Issuer's SI token
+        issuerTokenVerifier.verify(participantContext, authToken)
+                .orElseThrow(f -> new NotAuthorizedException("ID token verification failed: %s".formatted(f.getFailureDetail())));
+
+
+        //todo: process credential offer message
+        monitor.warning("Credential offer was received but processing it is not yet implemented");
+        return Response.ok().build();
+    }
+
+}
@@ -0,0 +1,44 @@
+/*
+ *  Copyright (c) 2025 Metaform Systems Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub.api.validation;
+
+import jakarta.json.JsonObject;
+import org.eclipse.edc.jsonld.spi.JsonLdNamespace;
+import org.eclipse.edc.validator.spi.ValidationResult;
+
+import static org.eclipse.edc.iam.identitytrust.spi.DcpConstants.DSPACE_DCP_NAMESPACE_V_1_0;
+import static org.eclipse.edc.identityhub.protocols.dcp.spi.model.CredentialObject.CREDENTIAL_OBJECT_CREDENTIAL_TYPE_TERM;
+import static org.eclipse.edc.validator.spi.ValidationResult.failure;
+import static org.eclipse.edc.validator.spi.ValidationResult.success;
+import static org.eclipse.edc.validator.spi.Violation.violation;
+
+public class CredentialObjectValidator extends JsonValidator {
+    private final JsonLdNamespace namespace = DSPACE_DCP_NAMESPACE_V_1_0;
+
+    @Override
+    public ValidationResult validate(JsonObject input) {
+        if (input == null) {
+            return failure(violation("CredentialObject was null", "."));
+        }
+
+        var credentialType = input.get(namespace.toIri(CREDENTIAL_OBJECT_CREDENTIAL_TYPE_TERM));
+        if (isNullObject(credentialType)) {
+            return failure(violation("Must contain a '%s' property.".formatted(CREDENTIAL_OBJECT_CREDENTIAL_TYPE_TERM), null));
+        }
+
+        return success();
+    }
+
+}