Skip to main content
Version: v0.4.0

Configuration

In this section, the configuration of the wallet is explained. Configuration is used based on a config.yaml file which should be placed in the apps/backend folder. This config.yaml file is loaded when booting the application. The values get type checked, and it gives a clear error message if there is a configuration field missing or provided incorrectly. Next to the config.yaml file, you can also set environment variables. These override the values that are listed in the config.yaml file.

Databases

By default, the development database is sqlite. We use postgres databases for production type instances of the wallets.

Authentication

Authentication for frontend services can be done via OAuth. This helps users who need to login to several components to authenticate themselves faster. The wallet is tested against Casdoor, with an Helm chart provided alongside the Helm chart of the wallet, but other OAuth services should be usable (e.g. Keycloak, or hosted OAuth services).

DID Method

Two DID methods are currently supported: did:web and did:tdw. A comparison between the two is given below. The decision of which configuration to select should be made based on the specific use case of the wallet.

did:webdid:tdw
TSG Configuration value:did:web:did:tdw:
Specification link:W3C internal documentBCGov specification draft
Supported version:Unofficial draftDraft v1
Underlying technology:Web-based DID method that serves the DID Document as a JSON under a certain endpoint (.well-known path) of a web domain that is accessible by the public.Web-based DID method that utilizes a public JSON Lines file hosted under a web domain to store each change (create, update, delete) that occurs on a DID Document. The DID Document is then resolved by fetching and processing the JSON Lines file.
Identifier format:did:web:{{public web domain}}
e.g. did:web:example.com
did:tdw:{{public web domain}}:{{generated self-certifying identifier}}
e.g. did:tdw:example.com:b7ep277b2mvxdpcrbja3iergubfy
Advantages:Straightforward implementation with no additional processing other than hosting DID Document on web server.Additional security and validation mechanisms contained in the JSON Lines file that increases trustworthiness of DID Document.
Disadvantages:Easily compromisable without notice by resolving parties when malicious access is gained to the web server.DID Document is not directly available as extra processing to verify signatures and validate entry hashes retrieved from the JSON Lines file needs to be performed to resolve the DID Document.

Possible configuration parameters

NameData TypeRequiredExplanationDefault
Database Configuration
db.typeStringYesType of the database. Must be "sqlite" or "postgres".
db.databaseStringYesName of the database. Used as filename when "sqlite" is provided as database type
db.hostStringIf type is postgresHostname of the database
db.portIntegerIf type is postgresPort of the database
db.usernameStringIf type is postgresUsername of the user in the database
db.passwordStringIf type is postgresPassword of the user in the database
OAuth Configuration
auth.enabledBooleanBoolean indicating whether an external OAuth server should be used. If false, all other properties under auth are not usedtrue
auth.authorizationURLURLIf auth is enabledOAuth Authorization endpoint URL
auth.tokenURLURLIf auth is enabledOAuth Token endpoint URL for retrieving access token based used when the Wallet communicates with external services
auth.introspectionURLURLIf auth is enabledOAuth Introspection endpoint URL for validating access tokens
auth.callbackURLURLIf auth is enabledCallback URL of the Wallet on which it expects callback requests to arrive
auth.redirectURLURLIf auth is enabledRedirect URL of the Wallet which it used to redirect a user that has logged in
auth.clientIdStringIf auth is enabledOAuth client ID
auth.clientSecretStringIf auth is enabledOAuth client secret
auth.clientUsernameStringIf auth is enabledOAuth client username of user used by the Wallet for external services
auth.clientPasswordStringIf auth is enabledOAuth client password of user used by the Wallet for external services
auth.rolePathStringJSON Path used to translate roles into a simple array of roles, with as starting point the access token JWT payload"$.roles[*].name"
Server Configuration
server.listenStringNoIP address to listen on."0.0.0.0"
server.portNumberNoPort number for the server.3000
server.publicDomainStringNoPublic domain of the server."localhost"
server.publicAddressStringNoPublic address of the server."http://localhost:3000"
Initial Key Configuration
initKeys[].typeStringYesKey type. Must be "EdDSA", "ES384" or "X509"
initKeys[].idStringYesKey identifier
initKeys[].defaultBooleanNoFlag indicating whether this key should be used as defaultfalse
initKeys[].existingKeyStringNoExisting private key in PKCS#8 format, can be pointed to a file via "file:/path". Only used for "X509" typed keys
initKeys[].existingKeyStringNoExisting certificate in X.509 PEM format, can be pointed to a file via "file:/path". Only used for "X509" typed keys
Initial Credential Configuration
initCredentials[].contextArray of StringsNoJSON-LD Context URLs used for the credential[]
initCredentials[].typeArray of StringsNoVerifiable Credential type IRIs used for the credential[]
initCredentials[].idStringYesVerifiable Credential identifier
initCredentials[].keyIdStringNoIdentifier of key that should be used, if empty the default key will be used
initCredentials[].credentialSubjectCredentialSubjectYesVerifiable Credential credential subject
Trust Anchor Configuration
trustAnchors[].identifierStringYesDID identifier of trusted issuer
trustAnchors[].credentialTypesArray of StringsYesCredential types trusted from the specific issuer
JSON-LD Context Configuration
contexts[].idStringYesIdentifier of this context, will be used to make the context resolvable to /context/:id if document is provided
contexts[].credentialTypeStringYesCredential type that can be used with this context
contexts[].issuableBooleanYesWhether this wallet can issue credentials with this context
contexts[].documentUrlStringIf document is not providedRemote reference of the context
contexts[].documentObjectIf documentUrl is not providedContent of the JSON-LD document
contexts[].schemaObjectJSON-Schema of the context, used to provide UI forms and validation of credential subjects
OpenID4VCI Configuration
oid4vci.issuer[].holderIdStringYesDID Identifier of the targeted holder of the credential
oid4vci.issuer[].credentialTypeStringYesType of the credential that will be provided
oid4vci.issuer[].credentialSubjectCredentialSubjectYesCredential subject of the credential that will be provided
oid4vci.issuer[].preAuthorizationCodeStringPre authorization code the holder must use to request the credential
oid4vci.holder[].issuerUrlStringYesThe URL of the issuer of the credential, should be the root path of the issuer due to .well-known resolvement of metadata
oid4vci.holder[].credentialTypeStringYesType of credential that will be requested from the issuer
oid4vci.holder[].preAuthorizationCodeStringYesPre authorization code the holder will use to request the credential
DID Service Configuration
didServices[].idStringYesIdentifier of the service associated to this wallet (see the DID Services spec)
didServices[].typeStringYesType of the service
didServices[].serviceEndpointStringYesService endpoint of the service
Presentation Configuration
presentation.typesArray of StringsNoTypes of presentation exchanges this Wallet should support. Any of DIRECT, IATP, OID4VP["DIRECT", "IATP"]
Runtime Configuration
runtime.gaiaXSupportBooleanNoFlag indicating whether this wallet should support Gaia-X credentialsfalse
runtime.titleStringNoTitle of wallet instance that will be used in the UI
DID Configuration
did.methodStringNoDID method to be used by the walletdid:web:
Signature Configuration
signature.defaultStringNoDefault signature method for signatures requested via the APIDATA_INTEGRITY_PROOF
signature.credentialsStringNoDefault signature method for proofs in verifiable credentials created by this walletDATA_INTEGRITY_PROOF
signature.presentationsStringNoDefault signature method for proofs in non-JWT-based verifiable presentationsDATA_INTEGRITY_PROOF