Start with JSON-LD

Author: cicnavi

config/module_oidc.php.dist

@@ -1106,6 +1106,62 @@ $config = [
         ],
     ],
 
+    /**
+     * (optional) JSON-LD context documents for vc+sd-jwt credential
+     * configurations. Providing context documents allows verifiers to resolve
+     * the meaning of custom terms (claims) used in the credentialSubject of
+     * issued vc+sd-jwt credentials, which is required for VCDM 2.0 JSON-LD
+     * compliance.
+     *
+     * When a context document is configured for a credential configuration ID,
+     * the module:
+     * 1. Serves the document at a stable HTTP endpoint on the credential issuer:
+     *    <issuer-base-url>/credential-issuer/context/{credentialConfigurationId}
+     *    with the Content-Type: application/ld+json header.
+     * 2. Automatically appends the URL of that endpoint after the mandatory
+     *    https://www.w3.org/ns/credentials/v2 entry in the @context array of
+     *    every vc+sd-jwt credential issued for the matching configuration ID.
+     *
+     * The format is a map of credential configuration IDs to JSON-LD context
+     * documents. Each context document is a plain PHP array that will be
+     * JSON-encoded and served as-is. You can use any valid JSON-LD context
+     * structure; the example below shows a simple term-mapping context.
+     *
+     * Notes:
+     * - Avoid @base or @vocab in the context document to maintain
+     *   interoperability with lightweight (type-specific) credential
+     *   processors, per the VCDM 2.0 specification.
+     * - If some custom claims are NOT defined in any context, you should add
+     *   'https://www.w3.org/ns/credentials/undefined-terms/v2' as the last
+     *   entry in the @context array of the credential configuration
+     *   (OPTION_VCI_CREDENTIAL_CONFIGURATIONS_SUPPORTED).
+     *
+     * @see https://www.w3.org/TR/vc-data-model-2.0/#contexts
+     * @see https://www.w3.org/TR/json-ld11/#the-context
+     *
+     * Format: array<string, array<mixed>>
+     */
+//    ModuleConfig::OPTION_VCI_CREDENTIAL_JSON_LD_CONTEXT => [
+//        'ResearchAndScholarshipCredentialVcSdJwt' => [
+//            '@context' => [
+//                'eduPersonPrincipalName' =>
+//                    'https://vocabulary.example.org/terms#eduPersonPrincipalName',
+//                'eduPersonTargetedID' =>
+//                    'https://vocabulary.example.org/terms#eduPersonTargetedID',
+//                'displayName' =>
+//                    'https://vocabulary.example.org/terms#displayName',
+//                'givenName' =>
+//                    'https://vocabulary.example.org/terms#givenName',
+//                'sn' =>
+//                    'https://vocabulary.example.org/terms#sn',
+//                'mail' =>
+//                    'https://vocabulary.example.org/terms#mail',
+//                'eduPersonScopedAffiliation' =>
+//                    'https://vocabulary.example.org/terms#eduPersonScopedAffiliation',
+//            ],
+//        ],
+//    ],
+
     /**
      * (optional) Issuer State TTL (validity duration), with the given example.
      * If not set, falls back to Authorization Code TTL. For duration format

routing/routes/routes.php

@@ -23,6 +23,7 @@
 use SimpleSAML\Module\oidc\Controllers\UserInfoController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerConfigurationController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerCredentialController;
+use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialJsonLdContextController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\JwtVcIssuerConfigurationController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\NonceController;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
@@ -131,6 +132,10 @@
         ->controller([NonceController::class, 'nonce'])
         ->methods([HttpMethodsEnum::POST->value]);
 
+    $routes->add(RoutesEnum::CredentialJsonLdContext->name, RoutesEnum::CredentialJsonLdContext->value)
+        ->controller([CredentialJsonLdContextController::class, 'context'])
+        ->methods([HttpMethodsEnum::GET->value]);
+
     /*****************************************************************************************************************
      * SD-JWT-based Verifiable Credentials (SD-JWT VC)
      ****************************************************************************************************************/

src/Codebooks/RoutesEnum.php

@@ -64,6 +64,7 @@ enum RoutesEnum: string
     case CredentialIssuerConfiguration = '.well-known/openid-credential-issuer';
     case CredentialIssuerCredential = 'credential-issuer/credential';
     case CredentialIssuerNonce = 'credential-issuer/nonce';
+    case CredentialJsonLdContext = 'credential-issuer/context/{credentialConfigurationId}';
 
     /*****************************************************************************************************************
      * SD-JWT-based Verifiable Credentials (SD-JWT VC)

src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php

@@ -719,10 +719,34 @@ public function credential(Request $request): Response
         }
 
         if ($credentialFormatId === CredentialFormatIdentifiersEnum::VcSdJwt->value) {
+            // Always start with the VCDM 2.0 base context URL (mandatory).
+            $atContext = [AtContextsEnum::W3OrgNsCredentialsV2->value];
+
+            // If a JSON-LD context document is configured for this credential, append the module-hosted
+            // context URL so that verifiers can resolve the custom credential subject terms.
+            if ($this->moduleConfig->getVciCredentialJsonLdContextFor($resolvedCredentialIdentifier) !== null) {
+                $atContext[] = $this->routes->urlCredentialJsonLdContext($resolvedCredentialIdentifier);
+            }
+
+            // Append any additional context URLs declared in the credential configuration's @context field
+            // (skipping the base W3C URL, which is already first in the list).
+            /** @psalm-suppress MixedAssignment */
+            $configuredContexts = $resolvedCredentialConfiguration[ClaimsEnum::AtContext->value] ?? [];
+            if (is_array($configuredContexts)) {
+                /** @psalm-suppress MixedAssignment */
+                foreach ($configuredContexts as $configuredContext) {
+                    if (
+                        is_string($configuredContext) &&
+                        $configuredContext !== AtContextsEnum::W3OrgNsCredentialsV2->value &&
+                        !in_array($configuredContext, $atContext, true)
+                    ) {
+                        $atContext[] = $configuredContext;
+                    }
+                }
+            }
+
             $sdJwtPayload = [
-                ClaimsEnum::AtContext->value => [
-                    AtContextsEnum::W3OrgNsCredentialsV2->value,
-                ],
+                ClaimsEnum::AtContext->value => $atContext,
                 ClaimsEnum::Id->value => $vcId,
                 ClaimsEnum::Type->value => [
                     CredentialTypesEnum::VerifiableCredential->value,

src/Controllers/VerifiableCredentials/CredentialJsonLdContextController.php

@@ -0,0 +1,90 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ *        |
+ *   \  ___  /                           _________
+ *  _  /   \  _    GÉANT                 |  * *  | Co-Funded by
+ *     | ~ |       Trust & Identity      | *   * | the European
+ *      \_/        Incubator             |__*_*__| Union
+ *       =
+ *
+ * This file is part of the simplesamlphp-module-oidc.
+ *
+ * Copyright (C) 2018 by the Spanish Research and Academic Network.
+ *
+ * This code was developed by Universidad de Córdoba (UCO https://www.uco.es)
+ * for the RedIRIS SIR service (SIR: http://www.rediris.es/sir)
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace SimpleSAML\Module\oidc\Controllers\VerifiableCredentials;
+
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Utils\Routes;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Serves the JSON-LD context document for a specific vc+sd-jwt credential configuration, allowing
+ * verifiers to resolve the custom terms used in credential subjects.
+ *
+ * The endpoint URL is included in the @context array of issued vc+sd-jwt credentials when a
+ * context document is configured for the matching credential configuration ID.
+ *
+ * @see https://www.w3.org/TR/json-ld11/#interpreting-json-as-json-ld
+ */
+class CredentialJsonLdContextController
+{
+    /**
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     */
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly Routes $routes,
+        protected readonly LoggerService $loggerService,
+    ) {
+        if (!$this->moduleConfig->getVciEnabled()) {
+            $this->loggerService->warning('Verifiable Credential capabilities not enabled.');
+            throw OidcServerException::forbidden('Verifiable Credential capabilities not enabled.');
+        }
+    }
+
+    /**
+     * Return the JSON-LD context document for the given credential configuration ID.
+     *
+     * Responds with HTTP 404 if no context document is configured for the given ID.
+     *
+     * @param string $credentialConfigurationId URL path parameter injected by the router.
+     */
+    public function context(string $credentialConfigurationId): Response
+    {
+        $this->loggerService->debug(
+            'CredentialJsonLdContextController::context',
+            ['credentialConfigurationId' => $credentialConfigurationId],
+        );
+
+        $contextDocument = $this->moduleConfig->getVciCredentialJsonLdContextFor($credentialConfigurationId);
+
+        if ($contextDocument === null) {
+            $this->loggerService->warning(
+                'CredentialJsonLdContextController::context: No JSON-LD context configured for credential ' .
+                'configuration ID.',
+                ['credentialConfigurationId' => $credentialConfigurationId],
+            );
+
+            return $this->routes->newResponse(null, Response::HTTP_NOT_FOUND);
+        }
+
+        return new JsonResponse(
+            $contextDocument,
+            Response::HTTP_OK,
+            ['Content-Type' => 'application/ld+json'],
+        );
+    }
+}

src/ModuleConfig.php

@@ -120,6 +120,7 @@ class ModuleConfig
     final public const string OPTION_FEDERATION_SIGNATURE_KEY_PAIRS = 'federation_signature_key_pairs';
     final public const string OPTION_TIMESTAMP_VALIDATION_LEEWAY = 'timestamp_validation_leeway';
     final public const string OPTION_VCI_SIGNATURE_KEY_PAIRS = 'vci_signature_key_pairs';
+    final public const string OPTION_VCI_CREDENTIAL_JSON_LD_CONTEXT = 'vci_credential_json_ld_context';
 
     protected static array $standardScopes = [
         ScopesEnum::OpenId->value => [
@@ -1037,6 +1038,37 @@ public function getVciAllowedRedirectUriPrefixesForNonRegisteredClients(): array
     }
 
 
+    /**
+     * Get the full map of a credential configuration ID => JSON-LD context
+     * document (as a PHP array).
+     *
+     * @return mixed[]
+     */
+    public function getVciCredentialJsonLdContext(): array
+    {
+        return $this->config()->getOptionalArray(self::OPTION_VCI_CREDENTIAL_JSON_LD_CONTEXT, []);
+    }
+
+    /**
+     * Get the JSON-LD context document (as a PHP array) configured for a
+     * specific credential configuration ID.
+     * Returns null if no context document is configured for the given ID.
+     *
+     * @return array<mixed>|null
+     */
+    public function getVciCredentialJsonLdContextFor(string $credentialConfigurationId): ?array
+    {
+        /** @psalm-suppress MixedAssignment */
+        $context = $this->getVciCredentialJsonLdContext()[$credentialConfigurationId] ?? null;
+
+        if (!is_array($context)) {
+            return null;
+        }
+
+        return $context;
+    }
+
+
     /*****************************************************************************************************************
      * API-related config.
      ****************************************************************************************************************/

src/Utils/Routes.php

@@ -232,6 +232,17 @@ public function urlCredentialIssuerNonce(array $parameters = []): string
         return $this->getModuleUrl(RoutesEnum::CredentialIssuerNonce->value, $parameters);
     }
 
+    public function urlCredentialJsonLdContext(string $credentialConfigurationId, array $parameters = []): string
+    {
+        $path = str_replace(
+            '{credentialConfigurationId}',
+            rawurlencode($credentialConfigurationId),
+            RoutesEnum::CredentialJsonLdContext->value,
+        );
+
+        return $this->getModuleUrl($path, $parameters);
+    }
+
     /*****************************************************************************************************************
      * SD-JWT-based Verifiable Credentials (SD-JWT VC)
      ****************************************************************************************************************/