feat: api for discriminator aliases (#956)

paullatzelsperger · web-flow · commit 1235a96dc731 · 2026-03-25T12:11:35.000+01:00
* feat: add API to register discriminator mappings

* e2e test

* cleanup

* api version file
diff --git a/core/common-core/src/main/java/org/eclipse/edc/identityhub/defaults/DiscriminatorMappingRegistryImpl.java b/core/common-core/src/main/java/org/eclipse/edc/identityhub/defaults/DiscriminatorMappingRegistryImpl.java
@@ -33,6 +33,11 @@ public class DiscriminatorMappingRegistryImpl implements DiscriminatorMappingReg
 
     @Override
     public void addMapping(String alias, String discriminator) {
+
+        if (mappings.containsValue(discriminator)) {
+            throw new IllegalArgumentException("An alias for this discriminator already exists: '%s' -> '%s'".formatted(alias, discriminator));
+        }
+
         mappings.put(alias, discriminator);
     }
 
diff --git a/core/common-core/src/test/java/org/eclipse/edc/identityhub/defaults/DiscriminatorMappingRegistryImplTest.java b/core/common-core/src/test/java/org/eclipse/edc/identityhub/defaults/DiscriminatorMappingRegistryImplTest.java
@@ -17,6 +17,7 @@
 import org.junit.jupiter.api.Test;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 class DiscriminatorMappingRegistryImplTest {
 
@@ -60,4 +61,10 @@ void addMapping_withMultipleMappings_shouldStoreAll() {
         assertThat(registry.getMapping("alias3")).isEqualTo("discriminator3");
     }
 
+    @Test
+    void addMapping_duplicateDiscriminator_shouldThrowException() {
+        registry.addMapping("alias1", "discriminator1");
+        assertThatThrownBy(() -> registry.addMapping("alias2", "discriminator1"))
+                .isInstanceOf(IllegalArgumentException.class);
+    }
 }
diff --git a/e2e-tests/identity-api-tests/src/test/java/org/eclipse/edc/identityhub/tests/PresentationApiEndToEndTest.java b/e2e-tests/identity-api-tests/src/test/java/org/eclipse/edc/identityhub/tests/PresentationApiEndToEndTest.java
@@ -40,6 +40,7 @@
 import org.eclipse.edc.identityhub.spi.participantcontext.model.KeyDescriptor;
 import org.eclipse.edc.identityhub.spi.participantcontext.model.KeyPairUsage;
 import org.eclipse.edc.identityhub.spi.participantcontext.model.ParticipantManifest;
+import org.eclipse.edc.identityhub.spi.transformation.DiscriminatorMappingRegistry;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.model.VcStatus;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.model.VerifiableCredentialResource;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.store.CredentialStore;
@@ -747,6 +748,49 @@ void query_testScopesWithSingleCredential(String scope, IdentityHub identityHub,
                                     }));
         }
 
+        @Test
+        void query_withDiscriminatorAlias(IdentityHub identityHub, CredentialStore store, DiscriminatorMappingRegistry mappingRegistry) throws JsonProcessingException, JOSEException {
+            // both these credentials have the same type, but difference namespaces/contexts
+            var credResource = storeCredential(TestData.VC_EXAMPLE_OTHER_NAMESPACE, CredentialFormat.VC1_0_JWT, store);
+
+            // providing no specific scope should cause all credentials to be returned -> clash
+
+            when(DID_PUBLIC_KEY_RESOLVER.resolveKey(eq("did:web:consumer#key1"))).thenReturn(Result.success(CONSUMER_KEY.toPublicKey()));
+            when(DID_PUBLIC_KEY_RESOLVER.resolveKey(eq("did:web:provider#key1"))).thenReturn(Result.success(PROVIDER_KEY.toPublicKey()));
+
+            var credential = credResource.getVerifiableCredential().credential();
+            var context = credential.getContext().get(0);
+            var type = credential.getType().get(0);
+            var fqct = context + "#" + type;
+            var alias = "MyCred";
+
+            mappingRegistry.addMapping(alias, fqct);
+            var token = generateSiToken("org.eclipse.dspace.dcp.vc.type:%s:read".formatted(alias));
+
+
+            var response = identityHub.getCredentialsEndpoint().baseRequest()
+                    .contentType(JSON)
+                    .header(AUTHORIZATION, "Bearer " + token)
+                    .body(VALID_QUERY_WITH_FQCT_SCOPE_TEMPLATE.formatted(DSPACE_DCP_V_1_0_CONTEXT, "org.eclipse.dspace.dcp.vc.type:%s:read".formatted(alias)))
+                    .post("/v1/participants/%s/presentations/query".formatted(TEST_PARTICIPANT_CONTEXT_ID))
+                    .then()
+                    .statusCode(200)
+                    .log().ifValidationFails()
+                    .extract().body().as(JsonObject.class);
+
+            assertThat(response)
+                    .hasEntrySatisfying("type", jsonValue -> assertThat(jsonValue.toString()).contains("PresentationResponseMessage"))
+                    .hasEntrySatisfying("@context", jsonValue -> assertThat(jsonValue.asJsonArray()).hasSize(1))
+                    .hasEntrySatisfying("presentation", jsonValue ->
+                            assertThat(vpTokensExtractor(jsonValue)).hasSize(1)
+                                    .first()
+                                    .satisfies(vpToken -> {
+                                        assertThat(vpToken).isNotNull();
+                                        var credentials = extractCredentials(vpToken);
+                                        assertThat(credentials).hasSize(1);
+                                    }));
+        }
+
         /**
          * extracts a (potentially empty) list of verifiable credentials from a JWT-VP
          */
diff --git a/e2e-tests/identity-api-tests/src/test/java/org/eclipse/edc/identityhub/tests/fixtures/TestFunctions.java b/e2e-tests/identity-api-tests/src/test/java/org/eclipse/edc/identityhub/tests/fixtures/TestFunctions.java
@@ -87,6 +87,7 @@ public static VerifiableCredential createCredential() {
                 .type("test-type")
                 .issuanceDate(Instant.now())
                 .issuer(new Issuer("did:web:issuer"))
+                .context("https://example.com/contexts/v1")
                 .credentialSubject(CredentialSubject.Builder.newInstance().id("id").claim("foo", "bar").build())
                 .build();
     }
diff --git a/extensions/api/identity-api/identity-api-configuration/src/main/resources/identity-api-version.json b/extensions/api/identity-api/identity-api-configuration/src/main/resources/identity-api-version.json
@@ -2,7 +2,7 @@
   {
     "version": "1.0.0-alpha",
     "urlPath": "/v1alpha",
-    "lastUpdated": "2026-02-17T16:00:00Z",
+    "lastUpdated": "2026-03-25T11:00:00Z",
     "maturity": null
   }
 ]
diff --git a/extensions/api/identity-api/verifiable-credentials-api/src/main/java/org/eclipse/edc/identityhub/api/verifiablecredentials/VerifiableCredentialApiExtension.java b/extensions/api/identity-api/verifiable-credentials-api/src/main/java/org/eclipse/edc/identityhub/api/verifiablecredentials/VerifiableCredentialApiExtension.java
@@ -19,6 +19,7 @@
 import org.eclipse.edc.identityhub.api.verifiablecredentials.v1.unstable.GetAllCredentialsApiController;
 import org.eclipse.edc.identityhub.api.verifiablecredentials.v1.unstable.VerifiableCredentialsApiController;
 import org.eclipse.edc.identityhub.api.verifiablecredentials.v1.unstable.transformer.VerifiableCredentialManifestToVerifiableCredentialResourceTransformer;
+import org.eclipse.edc.identityhub.spi.transformation.DiscriminatorMappingRegistry;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.CredentialRequestManager;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.model.VerifiableCredentialResource;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.store.CredentialStore;
@@ -49,6 +50,8 @@ public class VerifiableCredentialApiExtension implements ServiceExtension {
     private AuthorizationService authorizationService;
     @Inject
     private CredentialRequestManager credentialRequestManager;
+    @Inject
+    private DiscriminatorMappingRegistry discriminatorMappingRegistry;
 
     @Override
     public String name() {
@@ -60,7 +63,7 @@ public void initialize(ServiceExtensionContext context) {
         authorizationService.addLookupFunction(VerifiableCredentialResource.class, this::queryById);
         var registry = typeTransformerRegistry.forContext("identity-api");
         registry.register(new VerifiableCredentialManifestToVerifiableCredentialResourceTransformer());
-        var controller = new VerifiableCredentialsApiController(credentialStore, authorizationService, new VerifiableCredentialManifestValidator(), registry, credentialRequestManager);
+        var controller = new VerifiableCredentialsApiController(credentialStore, authorizationService, new VerifiableCredentialManifestValidator(), registry, credentialRequestManager, discriminatorMappingRegistry);
         var getAllController = new GetAllCredentialsApiController(credentialStore);
         webService.registerResource(IdentityHubApiContext.IDENTITY, controller);
         webService.registerResource(IdentityHubApiContext.IDENTITY, getAllController);
diff --git a/extensions/api/identity-api/verifiable-credentials-api/src/main/java/org/eclipse/edc/identityhub/api/verifiablecredentials/v1/unstable/VerifiableCredentialsApi.java b/extensions/api/identity-api/verifiable-credentials-api/src/main/java/org/eclipse/edc/identityhub/api/verifiablecredentials/v1/unstable/VerifiableCredentialsApi.java
@@ -33,6 +33,7 @@
 import org.eclipse.edc.web.spi.ApiErrorDetail;
 
 import java.util.Collection;
+import java.util.Map;
 
 @OpenAPIDefinition(info = @Info(description = "This is the Identity API for manipulating VerifiableCredentials", title = "VerifiableCredentials Identity API", version = "1"))
 @Tag(name = "Verifiable Credentials")
@@ -104,7 +105,7 @@ public interface VerifiableCredentialsApi {
     @Operation(description = "Delete a VerifiableCredential.",
             operationId = "deleteCredential",
             responses = {
-                    @ApiResponse(responseCode = "200", description = "The VerifiableCredential was deleted successfully", content = {@Content(schema = @Schema(implementation = String.class))}),
+                    @ApiResponse(responseCode = "200", description = "The VerifiableCredential was deleted successfully", content = { @Content(schema = @Schema(implementation = String.class)) }),
                     @ApiResponse(responseCode = "400", description = "Request body was malformed, or the request could not be processed",
                             content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)), mediaType = "application/json")),
                     @ApiResponse(responseCode = "403", description = "The request could not be completed, because either the authentication was missing or was not valid.",
@@ -144,4 +145,14 @@ public interface VerifiableCredentialsApi {
             }
     )
     HolderCredentialRequestDto getCredentialRequest(String participantContextId, String holderPid, SecurityContext securityContext);
+
+    @Operation(description = "Define a scope discriminator mapping (=short-hand) for the fully-qualified credential type",
+            operationId = "addDiscriminatorMapping",
+            requestBody = @RequestBody(description = "Mapping between alias (short-hand) and discriminator (fully-qualified credential type)", required = true),
+            responses = {
+                    @ApiResponse(responseCode = "204", description = "Discriminator mapping added successfully"),
+                    @ApiResponse(responseCode = "400", description = "Request body was malformed, or the request could not be processed",
+                            content = @Content(array = @ArraySchema(schema = @Schema(implementation = ApiErrorDetail.class)), mediaType = "application/json")),
+            })
+    void addDiscriminatorMapping(String participantContextId, Map<String, String> mappings, SecurityContext securityContext);
 }
diff --git a/extensions/api/identity-api/verifiable-credentials-api/src/main/java/org/eclipse/edc/identityhub/api/verifiablecredentials/v1/unstable/VerifiableCredentialsApiController.java b/extensions/api/identity-api/verifiable-credentials-api/src/main/java/org/eclipse/edc/identityhub/api/verifiablecredentials/v1/unstable/VerifiableCredentialsApiController.java
@@ -38,6 +38,7 @@
 import org.eclipse.edc.identityhub.spi.credential.request.model.HolderCredentialRequest;
 import org.eclipse.edc.identityhub.spi.credential.request.model.RequestedCredential;
 import org.eclipse.edc.identityhub.spi.participantcontext.model.IdentityHubParticipantContext;
+import org.eclipse.edc.identityhub.spi.transformation.DiscriminatorMappingRegistry;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.CredentialRequestManager;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.model.VerifiableCredentialManifest;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.model.VerifiableCredentialResource;
@@ -54,6 +55,7 @@
 
 import java.net.URI;
 import java.util.Collection;
+import java.util.Map;
 import java.util.UUID;
 
 import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
@@ -71,23 +73,26 @@ public class VerifiableCredentialsApiController implements VerifiableCredentials
     private final VerifiableCredentialManifestValidator validator;
     private final TypeTransformerRegistry typeTransformerRegistry;
     private final CredentialRequestManager credentialRequestService;
+    private final DiscriminatorMappingRegistry discriminatorMappingRegistry;
 
     public VerifiableCredentialsApiController(CredentialStore credentialStore,
                                               AuthorizationService authorizationService,
                                               VerifiableCredentialManifestValidator validator,
                                               TypeTransformerRegistry typeTransformerRegistry,
-                                              CredentialRequestManager credentialRequestService) {
+                                              CredentialRequestManager credentialRequestService,
+                                              DiscriminatorMappingRegistry discriminatorMappingRegistry) {
         this.credentialStore = credentialStore;
         this.authorizationService = authorizationService;
         this.validator = validator;
         this.typeTransformerRegistry = typeTransformerRegistry;
         this.credentialRequestService = credentialRequestService;
+        this.discriminatorMappingRegistry = discriminatorMappingRegistry;
     }
 
     @GET
     @Path("/{credentialId}")
     @RequiredScope("identity-api:read")
-    @RolesAllowed({ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT })
     @Override
     public VerifiableCredentialResource getCredential(@PathParam("participantContextId") String participantContextId, @PathParam("credentialId") String id, @Context SecurityContext securityContext) {
         authorizationService.authorize(securityContext, participantContextId, id, VerifiableCredentialResource.class)
@@ -100,7 +105,7 @@ public VerifiableCredentialResource getCredential(@PathParam("participantContext
 
     @POST
     @RequiredScope("identity-api:write")
-    @RolesAllowed({ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT })
     @Override
     public void addCredential(@PathParam("participantContextId") String participantContextId, VerifiableCredentialManifest manifest, @Context SecurityContext securityContext) {
         validator.validate(manifest).orElseThrow(ValidationFailureException::new);
@@ -115,7 +120,7 @@ public void addCredential(@PathParam("participantContextId") String participantC
 
     @PUT
     @RequiredScope("identity-api:write")
-    @RolesAllowed({ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT })
     @Override
     public void updateCredential(@PathParam("participantContextId") String participantContextId, VerifiableCredentialManifest manifest, @Context SecurityContext securityContext) {
         validator.validate(manifest).orElseThrow(ValidationFailureException::new);
@@ -130,7 +135,7 @@ public void updateCredential(@PathParam("participantContextId") String participa
 
     @GET
     @RequiredScope("identity-api:read")
-    @RolesAllowed({ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT })
     @Override
     public Collection<VerifiableCredentialResource> queryCredentialsByType(@PathParam("participantContextId") String participantContextId, @Nullable @QueryParam("type") String type, @Context SecurityContext securityContext) {
         var query = QuerySpec.Builder.newInstance();
@@ -149,7 +154,7 @@ public Collection<VerifiableCredentialResource> queryCredentialsByType(@PathPara
     @DELETE
     @Path("/{credentialId}")
     @RequiredScope("identity-api:write")
-    @RolesAllowed({ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT })
     @Override
     public void deleteCredential(@PathParam("participantContextId") String participantContextId, @PathParam("credentialId") String id, @Context SecurityContext securityContext) {
         authorizationService.authorize(securityContext, participantContextId, id, VerifiableCredentialResource.class)
@@ -163,7 +168,7 @@ public void deleteCredential(@PathParam("participantContextId") String participa
     @POST
     @Path("/request")
     @RequiredScope("identity-api:write")
-    @RolesAllowed({ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT })
     @Override
     public Response requestCredential(@PathParam("participantContextId") String participantContextId, CredentialRequestDto credentialRequestDto, @Context SecurityContext securityContext) {
         authorizationService.authorize(securityContext, participantContextId, participantContextId, IdentityHubParticipantContext.class)
@@ -180,7 +185,7 @@ public Response requestCredential(@PathParam("participantContextId") String part
     @GET
     @Path("/request/{holderPid}")
     @RequiredScope("identity-api:read")
-    @RolesAllowed({ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT})
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT })
     @Override
     public HolderCredentialRequestDto getCredentialRequest(@PathParam("participantContextId") String participantContextId,
                                                            @PathParam("holderPid") String holderPid,
@@ -194,4 +199,19 @@ public HolderCredentialRequestDto getCredentialRequest(@PathParam("participantCo
                 .orElseThrow(() -> new ObjectNotFoundException(HolderCredentialRequest.class, holderPid));
     }
 
+    @POST
+    @Path("/discriminator")
+    @RequiredScope("identity-api:write")
+    @RolesAllowed({ ParticipantPrincipal.ROLE_ADMIN, ParticipantPrincipal.ROLE_PARTICIPANT })
+    @Override
+    public void addDiscriminatorMapping(@PathParam("participantContextId") String participantContextId,
+                                        Map<String, String> discriminatorMappings,
+                                        @Context SecurityContext securityContext) {
+
+        authorizationService.authorize(securityContext, participantContextId, participantContextId, IdentityHubParticipantContext.class)
+                .orElseThrow(exceptionMapper(IdentityHubParticipantContext.class, participantContextId));
+
+        discriminatorMappings.forEach(discriminatorMappingRegistry::addMapping);
+    }
+
 }
diff --git a/extensions/api/identity-api/verifiable-credentials-api/src/test/java/org/eclipse/edc/identityhub/api/verifiablecredentials/v1/unstable/VerifiableCredentialsApiControllerTest.java b/extensions/api/identity-api/verifiable-credentials-api/src/test/java/org/eclipse/edc/identityhub/api/verifiablecredentials/v1/unstable/VerifiableCredentialsApiControllerTest.java
diff --git a/spi/identity-hub-spi/src/main/java/org/eclipse/edc/identityhub/spi/transformation/DiscriminatorMappingRegistry.java b/spi/identity-hub-spi/src/main/java/org/eclipse/edc/identityhub/spi/transformation/DiscriminatorMappingRegistry.java

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@`
`17`	`17`	`import org.junit.jupiter.api.Test;`
`18`	`18`
`19`	`19`	`import static org.assertj.core.api.Assertions.assertThat;`
	`20`	`+import static org.assertj.core.api.Assertions.assertThatThrownBy;`
`20`	`21`
`21`	`22`	`class DiscriminatorMappingRegistryImplTest {`
`22`	`23`
`@@ -60,4 +61,10 @@ void addMapping_withMultipleMappings_shouldStoreAll() {`
`60`	`61`	`assertThat(registry.getMapping("alias3")).isEqualTo("discriminator3");`
`61`	`62`	`}`
`62`	`63`
	`64`	`+ @Test`
	`65`	`+ void addMapping_duplicateDiscriminator_shouldThrowException() {`
	`66`	`+ registry.addMapping("alias1", "discriminator1");`
	`67`	`+ assertThatThrownBy(() -> registry.addMapping("alias2", "discriminator1"))`
	`68`	`+ .isInstanceOf(IllegalArgumentException.class);`
	`69`	`+ }`
`63`	`70`	`}`
Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,7 @@ public static VerifiableCredential createCredential() {`
`87`	`87`	`.type("test-type")`
`88`	`88`	`.issuanceDate(Instant.now())`
`89`	`89`	`.issuer(new Issuer("did:web:issuer"))`
	`90`	`+ .context("https://example.com/contexts/v1")`
`90`	`91`	`.credentialSubject(CredentialSubject.Builder.newInstance().id("id").claim("foo", "bar").build())`
`91`	`92`	`.build();`
`92`	`93`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`{`
`3`	`3`	`"version": "1.0.0-alpha",`
`4`	`4`	`"urlPath": "/v1alpha",`
`5`		`- "lastUpdated": "2026-02-17T16:00:00Z",`
	`5`	`+ "lastUpdated": "2026-03-25T11:00:00Z",`
`6`	`6`	`"maturity": null`
`7`	`7`	`}`
`8`	`8`	`]`