feat: add scope discriminator mapping (#955)

* add discriminator mapping registry

* add prepopulation via config

* cosmetics

Author: paullatzelsperger

core/common-core/src/main/java/org/eclipse/edc/identityhub/DefaultServicesExtension.java

@@ -24,6 +24,7 @@
 import org.eclipse.edc.identityhub.defaults.store.InMemorySignatureSuiteRegistry;
 import org.eclipse.edc.identityhub.spi.credential.request.store.HolderCredentialRequestStore;
 import org.eclipse.edc.identityhub.spi.keypair.store.KeyPairResourceStore;
+import org.eclipse.edc.identityhub.spi.transformation.DiscriminatorMappingRegistry;
 import org.eclipse.edc.identityhub.spi.transformation.ScopeToCriterionTransformer;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.store.CredentialOfferStore;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.store.CredentialStore;
@@ -89,6 +90,8 @@ public class DefaultServicesExtension implements ServiceExtension {
     private JsonLd jsonLd;
     @Inject
     private JtiValidationStore jtiValidationStore;
+    @Inject
+    private DiscriminatorMappingRegistry discriminatorMappingRegistry;
 
     @Override
     public String name() {
@@ -128,9 +131,7 @@ public KeyPairResourceStore createDefaultKeyPairResourceStore() {
 
     @Provider(isDefault = true)
     public ScopeToCriterionTransformer createScopeTransformer(ServiceExtensionContext context) {
-        context.getMonitor().warning("Using the default EdcScopeToCriterionTransformer. This is not intended for production use and should be replaced " +
-                "with a specialized implementation for your dataspace");
-        return new EdcScopeToCriterionTransformer();
+        return new EdcScopeToCriterionTransformer(discriminatorMappingRegistry);
     }
 
     @Provider(isDefault = true)

core/common-core/src/main/java/org/eclipse/edc/identityhub/DiscriminatorMappingExtension.java

@@ -0,0 +1,62 @@
+/*
+ *  Copyright (c) 2026 Metaform Systems, Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems, Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub;
+
+import org.eclipse.edc.identityhub.defaults.DiscriminatorMappingRegistryImpl;
+import org.eclipse.edc.identityhub.spi.transformation.DiscriminatorMappingRegistry;
+import org.eclipse.edc.runtime.metamodel.annotation.Extension;
+import org.eclipse.edc.runtime.metamodel.annotation.Provider;
+import org.eclipse.edc.runtime.metamodel.annotation.Setting;
+import org.eclipse.edc.spi.system.ServiceExtension;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+
+import static org.eclipse.edc.identityhub.DiscriminatorMappingExtension.NAME;
+
+
+@Extension(NAME)
+public class DiscriminatorMappingExtension implements ServiceExtension {
+
+    public static final String CONFIG_PREFIX = "edc.identityhub.discriminator";
+    public static final String DISCRIMINATOR_ALIAS = CONFIG_PREFIX + ".<alias>.";
+
+    @Setting(context = DISCRIMINATOR_ALIAS, description = "the full value for the discriminator")
+    public static final String DISCRIMINATOR_ALIAS_VALUE_SUFFIX = "value";
+
+    @Setting(context = DISCRIMINATOR_ALIAS, description = "the discriminator alias")
+    public static final String DISCRIMINATOR_ALIAS_SUFFIX = "alias";
+
+    public static final String NAME = "Discriminator Mapping Extension";
+
+    @Override
+    public String name() {
+        return NAME;
+    }
+
+    @Provider(isDefault = true)
+    public DiscriminatorMappingRegistry createDiscriminatorMappingRegistry(ServiceExtensionContext context) {
+        var config = context.getConfig(CONFIG_PREFIX);
+
+        var configs = config.partition().toList();
+
+        var discriminatorMappingRegistry = new DiscriminatorMappingRegistryImpl();
+        configs.forEach(c -> {
+            var value = c.getString(DISCRIMINATOR_ALIAS_VALUE_SUFFIX);
+            var alias = c.getString(DISCRIMINATOR_ALIAS_SUFFIX);
+            discriminatorMappingRegistry.addMapping(alias, value);
+        });
+
+        return discriminatorMappingRegistry;
+    }
+}

core/common-core/src/main/java/org/eclipse/edc/identityhub/defaults/DiscriminatorMappingRegistryImpl.java

@@ -0,0 +1,43 @@
+/*
+ *  Copyright (c) 2026 Metaform Systems, Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems, Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub.defaults;
+
+import org.eclipse.edc.identityhub.spi.transformation.DiscriminatorMappingRegistry;
+import org.jetbrains.annotations.NotNull;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+
+/**
+ * An implementation of the {@link DiscriminatorMappingRegistry} interface that maintains a registry
+ * of discriminator mappings in a thread-safe manner.
+ * <p>
+ * Thread-Safety: the class is designed to handle multiple threads concurrently accessing or modifying the mappings.
+ */
+public class DiscriminatorMappingRegistryImpl implements DiscriminatorMappingRegistry {
+    // this might be accessed from multiple threads (API requests), so it needs to be thread-safe
+    private final Map<String, String> mappings = new ConcurrentHashMap<>();
+
+    @Override
+    public void addMapping(String alias, String discriminator) {
+        mappings.put(alias, discriminator);
+    }
+
+    @Override
+    public @NotNull String getMapping(String alias) {
+        return mappings.getOrDefault(alias, alias);
+    }
+}

core/common-core/src/main/java/org/eclipse/edc/identityhub/defaults/EdcScopeToCriterionTransformer.java

@@ -14,6 +14,7 @@
 
 package org.eclipse.edc.identityhub.defaults;
 
+import org.eclipse.edc.identityhub.spi.transformation.DiscriminatorMappingRegistry;
 import org.eclipse.edc.identityhub.spi.transformation.ScopeToCriterionTransformer;
 import org.eclipse.edc.spi.query.Criterion;
 import org.eclipse.edc.spi.result.Result;
@@ -47,6 +48,12 @@ public class EdcScopeToCriterionTransformer implements ScopeToCriterionTransform
     private static final String SCOPE_SEPARATOR = ":";
     private final List<String> allowedOperations = List.of("read", "*", "all");
 
+    private final DiscriminatorMappingRegistry discriminatorMappingRegistry;
+
+    public EdcScopeToCriterionTransformer(DiscriminatorMappingRegistry discriminatorMappingRegistry) {
+        this.discriminatorMappingRegistry = discriminatorMappingRegistry;
+    }
+
     @Override
     public Result<List<Criterion>> transformScope(String scope) {
         var tokens = tokenize(scope);
@@ -55,7 +62,10 @@ public Result<List<Criterion>> transformScope(String scope) {
         }
         var discriminator = tokens.getContent()[1];
 
-        return convertDiscriminator(discriminator);
+        // see if there's a mapping for the discriminator
+        var mappedDiscriminator = discriminatorMappingRegistry.getMapping(discriminator);
+
+        return convertDiscriminator(mappedDiscriminator);
     }
 
     protected Result<String[]> tokenize(String scope) {

core/common-core/src/main/resources/META-INF/services/org.eclipse.edc.spi.system.ServiceExtension

@@ -12,4 +12,5 @@
 #
 #
 
-org.eclipse.edc.identityhub.DefaultServicesExtension
+org.eclipse.edc.identityhub.DefaultServicesExtension
+org.eclipse.edc.identityhub.DiscriminatorMappingExtension

core/common-core/src/test/java/org/eclipse/edc/identityhub/DiscriminatorMappingExtensionTest.java

@@ -0,0 +1,72 @@
+/*
+ *  Copyright (c) 2026 Metaform Systems, Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems, Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub;
+
+import org.eclipse.edc.identityhub.defaults.DiscriminatorMappingRegistryImpl;
+import org.eclipse.edc.junit.extensions.DependencyInjectionExtension;
+import org.eclipse.edc.spi.EdcException;
+import org.eclipse.edc.spi.system.ServiceExtensionContext;
+import org.eclipse.edc.spi.system.configuration.ConfigFactory;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import java.util.Map;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.eclipse.edc.identityhub.DiscriminatorMappingExtension.CONFIG_PREFIX;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(DependencyInjectionExtension.class)
+class DiscriminatorMappingExtensionTest {
+
+    @Test
+    void createDiscriminatorMappingRegistry(DiscriminatorMappingExtension extension, ServiceExtensionContext context) {
+        assertThat(extension.createDiscriminatorMappingRegistry(context))
+                .isInstanceOf(DiscriminatorMappingRegistryImpl.class);
+    }
+
+    @Test
+    void createDiscriminatorMappingRegistry_withSingleConfig(DiscriminatorMappingExtension extension, ServiceExtensionContext context) {
+        when(context.getConfig(eq(CONFIG_PREFIX)))
+                .thenReturn(ConfigFactory.fromMap(Map.of("foo.alias", "bar", "foo.value", "long-value")));
+        var discriminatorMappingRegistry = extension.createDiscriminatorMappingRegistry(context);
+        assertThat(discriminatorMappingRegistry)
+                .isInstanceOf(DiscriminatorMappingRegistryImpl.class);
+
+        assertThat(discriminatorMappingRegistry.getMapping("bar")).isEqualTo("long-value");
+    }
+
+    @Test
+    void createDiscriminatorMappingRegistry_withIncompleteConfig(DiscriminatorMappingExtension extension, ServiceExtensionContext context) {
+        when(context.getConfig(eq(CONFIG_PREFIX)))
+                .thenReturn(ConfigFactory.fromMap(Map.of("foo.alias", "bar")));
+        assertThatThrownBy(() -> extension.createDiscriminatorMappingRegistry(context))
+                .isInstanceOf(EdcException.class)
+                .hasMessage("No setting found for key foo.value");
+    }
+
+    @Test
+    void createDiscriminatorMappingRegistry_withInvalidSuffix(DiscriminatorMappingExtension extension, ServiceExtensionContext context) {
+        when(context.getConfig(eq(CONFIG_PREFIX)))
+                .thenReturn(ConfigFactory.fromMap(Map.of("foo.name", "bar", // should be .alias
+                        "foo.value", "long-value")));
+        assertThatThrownBy(() -> extension.createDiscriminatorMappingRegistry(context))
+                .isInstanceOf(EdcException.class)
+                .hasMessage("No setting found for key foo.alias");
+
+    }
+}

core/common-core/src/test/java/org/eclipse/edc/identityhub/defaults/DiscriminatorMappingRegistryImplTest.java

@@ -0,0 +1,63 @@
+/*
+ *  Copyright (c) 2026 Metaform Systems, Inc.
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Metaform Systems, Inc. - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.identityhub.defaults;
+
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class DiscriminatorMappingRegistryImplTest {
+
+    private final DiscriminatorMappingRegistryImpl registry = new DiscriminatorMappingRegistryImpl();
+
+    @Test
+    void addMapping_shouldStoreMapping() {
+        registry.addMapping("alias1", "discriminator1");
+
+        assertThat(registry.getMapping("alias1")).isEqualTo("discriminator1");
+    }
+
+    @Test
+    void addMapping_shouldOverwriteExistingMapping() {
+        registry.addMapping("alias1", "discriminator1");
+        registry.addMapping("alias1", "discriminator2");
+
+        assertThat(registry.getMapping("alias1")).isEqualTo("discriminator2");
+    }
+
+    @Test
+    void getMapping_shouldReturnDefaultWhenNotFound() {
+        assertThat(registry.getMapping("nonexistent")).isEqualTo("nonexistent");
+    }
+
+    @Test
+    void getMapping_shouldReturnMappedDiscriminator() {
+        registry.addMapping("short", "long.discriminator.value");
+
+        assertThat(registry.getMapping("short")).isEqualTo("long.discriminator.value");
+    }
+
+    @Test
+    void addMapping_withMultipleMappings_shouldStoreAll() {
+        registry.addMapping("alias1", "discriminator1");
+        registry.addMapping("alias2", "discriminator2");
+        registry.addMapping("alias3", "discriminator3");
+
+        assertThat(registry.getMapping("alias1")).isEqualTo("discriminator1");
+        assertThat(registry.getMapping("alias2")).isEqualTo("discriminator2");
+        assertThat(registry.getMapping("alias3")).isEqualTo("discriminator3");
+    }
+
+}

core/common-core/src/test/java/org/eclipse/edc/identityhub/defaults/EdcScopeToCriterionTransformerTest.java

@@ -14,13 +14,16 @@
 
 package org.eclipse.edc.identityhub.defaults;
 
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ValueSource;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.eclipse.edc.junit.assertions.AbstractResultAssert.assertThat;
 
 class EdcScopeToCriterionTransformerTest {
-    private final EdcScopeToCriterionTransformer transformer = new EdcScopeToCriterionTransformer();
+    private final DiscriminatorMappingRegistryImpl discriminatorMappingRegistry = new DiscriminatorMappingRegistryImpl();
+    private final EdcScopeToCriterionTransformer transformer = new EdcScopeToCriterionTransformer(discriminatorMappingRegistry);
 
     @ParameterizedTest
     @ValueSource(strings = {
@@ -35,6 +38,17 @@ void transform_validScope(String scope) {
         assertThat(transformer.transformScope(scope)).isSucceeded();
     }
 
+    @Test
+    void transform_withAlias() {
+        discriminatorMappingRegistry.addMapping("SomeFancyCredential", "https://example.com/contexts/v1#TestCredential");
+        assertThat(transformer.transformScope("org.eclipse.dspace.dcp.vc.type:SomeFancyCredential:read")).isSucceeded()
+                .satisfies(criteria -> {
+                    assertThat(criteria).hasSize(2);
+                    assertThat(criteria).anyMatch(c -> c.getOperandRight().equals("https://example.com/contexts/v1"));
+                    assertThat(criteria).anyMatch(c -> c.getOperandRight().equals("TestCredential"));
+                });
+    }
+
     @ParameterizedTest
     @ValueSource(strings = {
             "invalidAlias:TestCredential:read",
@@ -47,4 +61,4 @@ void transform_validScope(String scope) {
     void transform_invalidScope(String scope) {
         assertThat(transformer.transformScope(scope)).isFailed();
     }
-}
+}

core/identity-hub-core/src/test/java/org/eclipse/edc/identityhub/core/services/query/CredentialQueryResolverImplTest.java

@@ -23,6 +23,7 @@
 import org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiableCredential;
 import org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiableCredentialContainer;
 import org.eclipse.edc.iam.verifiablecredentials.spi.model.presentationdefinition.PresentationDefinition;
+import org.eclipse.edc.identityhub.defaults.DiscriminatorMappingRegistryImpl;
 import org.eclipse.edc.identityhub.defaults.EdcScopeToCriterionTransformer;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.model.VerifiableCredentialResource;
 import org.eclipse.edc.identityhub.spi.verifiablecredentials.resolution.QueryFailure;
@@ -60,7 +61,7 @@ class CredentialQueryResolverImplTest {
     private final CredentialStore storeMock = mock();
     private final RevocationServiceRegistry revocationServiceRegistry = mock();
     private final Monitor monitor = mock();
-    private final CredentialQueryResolverImpl resolver = new CredentialQueryResolverImpl(storeMock, new EdcScopeToCriterionTransformer(), revocationServiceRegistry, monitor);
+    private final CredentialQueryResolverImpl resolver = new CredentialQueryResolverImpl(storeMock, new EdcScopeToCriterionTransformer(new DiscriminatorMappingRegistryImpl()), revocationServiceRegistry, monitor);
 
     @BeforeEach
     void setUp() {
@@ -134,7 +135,7 @@ void query_scopeStringHasWrongOperator_shouldReturnFailure() {
     }
 
     @Test
-    void query_scopeStringWithFqct() {
+    void query_scopeStringWithFullyQualifiedCredentialType() {
         var cred = createCredential("TestCredential").context("https://example.com/contexts/v1").build();
         var resource = createCredentialResource(cred).build();
         when(storeMock.query(any())).thenAnswer(i -> success(List.of(resource)));