Replies: 1 comment
I think you should read the Decentralized Claims Protocol specification, in particular the Presentation Flow. If I read this right, your provider only sends its SI-token without also adding the consumer-sent access token (which is required).
Hi,
I am currently trying to send a "contract agreed" message to the customer control-plane's DSP negotiation API (while pretending to be the provider).
Before that, the customer sent a negotiation request message that I want to respond to.
With that message came an access token that contained this payload:
In order to send a contract agreed message that will be accepted by the consumer, I need to attach an auth token to my HTTP request.
I want to obtain this token from the provider-side STS. So I am sending a message to the STS with a request body like this:
```
grant_type=client_credentials&client_secret=secret&client_id=did%3Aweb%3Aprovider-identityhub%253A7083%3Aprovider&audience=did%3Aweb%3Aconsumer-identityhub%253A7083%3Aconsumer&scope=org.eclipse.edc.vc.type%3AMembershipCredential%3Aread+org.eclipse.edc.vc.type%3ADataProcessorCredential%3Aread
```
The response from the STS contains an access token that actually seems to mirror the structure of the access token that came from the consumer (see above):
```json
{
  "aud": "did:web:provider-identityhub%3A7083:provider",
  "sub": "did:web:consumer-identityhub%3A7083:consumer",
  "nbf": 1738136638,
  "scope": "org.eclipse.edc.vc.type:MembershipCredential:read org.eclipse.edc.vc.type:DataProcessorCredential:read",
  "iss": "did:web:provider-identityhub%3A7083:provider",
  "exp": 1738136938,
  "iat": 1738136638,
  "jti": "accesstoken-43b160ed-d6d7-41c3-b8f9-6d313d58b73d"
}
```
But when I use that access token, the consumer-controlplane responds to my contract-agreed message with status code 400.
I have also tried other variants of request bodies for the STS, like this:
```
grant_type=client_credentials&client_secret=secret&client_id=did%3Aweb%3Aprovider-identityhub%253A7083%3Aprovider&audience=did%3Aweb%3Aconsumer-identityhub%253A7083%3Aconsumer&scope=org.eclipse.edc.vc.type%3AMembershipCredential%3Aread&scope=org.eclipse.edc.vc.type%3ADataProcessorCredential%3Aread
```
But in that case, the STS simply returns an access token that only has the MembershipCredential:read scope but is missing the DataProcessorCredential:read scope. So when I use that kind of access token, the consumer control-plane responds with status code 401.
So I am currently a bit clueless about what else I could do here...
Any ideas on how I could make this work are greatly appreciated :)
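A debugging aid for the point raised in the reply, as an added example that is not part of the original thread or of the EDC code base: it decodes a token's payload and lists the ways it differs from a self-issued ID token that carries the counterparty's access token. The claim rules it checks (`iss` equals `sub` equals the sender's DID, `aud` is the counterparty's DID, the access token sits in a `token` claim) are an assumption based on a reading of the DCP specification; all function names are hypothetical, the sample tokens are constructed and unsigned, and no signature is verified.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWS without verifying it (debugging only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_si_token(jwt: str, own_did: str, counterparty_did: str) -> list:
    """Return the reasons a token is not shaped like a self-issued ID token
    that carries the counterparty's access token (assumed claim rules)."""
    c = jwt_claims(jwt)
    problems = []
    if c.get("iss") != own_did:
        problems.append("iss is not the sender's DID")
    if c.get("sub") != c.get("iss"):
        problems.append("sub differs from iss")
    aud = c.get("aud")
    if counterparty_did not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud is not the counterparty's DID")
    if not c.get("token"):
        problems.append("no `token` claim carrying the counterparty's access token")
    return problems

def fake_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"

PROVIDER = "did:web:provider-identityhub%3A7083:provider"
CONSUMER = "did:web:consumer-identityhub%3A7083:consumer"

# Claims as posted in the question, reduced to the fields checked here.
POSTED = fake_jwt({"iss": PROVIDER, "sub": CONSUMER, "aud": PROVIDER,
                   "scope": "org.eclipse.edc.vc.type:MembershipCredential:read"})
# Constructed token with the shape the reply describes (placeholder access token).
EXPECTED = fake_jwt({"iss": PROVIDER, "sub": PROVIDER, "aud": CONSUMER,
                     "token": "<access token received from the consumer>"})

if __name__ == "__main__":
    for name, tok in (("posted", POSTED), ("expected", EXPECTED)):
        print(name, check_si_token(tok, PROVIDER, CONSUMER) or "ok")
```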