Version: v0.25.0 (Latest)

Configuring the Authorization Server, Issuer, and Verifier

Tenant-owned service instances are configured through the Platform Config API at /api/platform/config/v1. This surface is separate from Platform Admin: Platform Admin manages tenants, domains, signup, operator onboarding, and federation IdPs; Platform Config manages service instances and typed configuration sections for those instances.

In EDK, a tenant has at most one authorization server, one OID4VCI issuer, and one OID4VP verifier. The configuration paths therefore do not include an instance id; the runtime couples the configuration to the tenant.

See the Platform Config API reference for the live schema and examples.

Authorization server configuration

The EDK authorization-server configuration endpoints live under:

/api/platform/config/v1/tenants/{tenantId}/oauth2/as

The AS management resources are proper subresources, not a generic configuration-item endpoint:

  • /tokens: access token, refresh token, authorization code, and ID token lifetimes, token format, and refresh token rotation.
  • /grants: enabled grant types, supported response types, and supported scopes.
  • /features: feature policy values such as OIDC, logout, introspection, revocation, PAR, PKCE, DPoP, JAR/JARM, and signed metadata.
  • /clients: public and confidential OAuth2 client registrations consumed by the AS runtime.

Reads return effective values with source markers:

{
  "accessTokenLifetimeSeconds": { "value": 1800, "source": "tenant" },
  "refreshTokenLifetimeSeconds": { "value": 2592000, "source": "default" }
}

PUT replaces one settings resource and clears omitted fields back to defaults. PATCH follows JSON Merge Patch semantics: absent fields stay unchanged and explicit null clears a tenant override. Clients are first-class resources with clientType: public or clientType: confidential; confidential client secrets are accepted on write and never returned.

Patch token settings

Patch AS token settings with JSON Merge Patch semantics. Send only the token fields to change. An explicit null removes the tenant override so the field falls back to the resolved default.

PATCH /api/platform/config/v1/tenants/{tenantId}/oauth2/as/tokens

The full request and response schema is in the API reference, or open the API reference tab to read it inline.
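The PUT/PATCH semantics described above (JSON Merge Patch where an explicit null clears the tenant override, PUT replacing the whole resource, and reads resolved to effective values with a source marker), worked through as an added Python illustration; this is not EDK code. The field names come from the page, while the default values, the unknown-field check and the resolution logic are assumptions about how the service behaves.

```python
"""Merge-patch and effective-value resolution for AS token settings (illustration, not EDK code)."""
from __future__ import annotations
from typing import Any

# Platform defaults: constructed sample values; 2592000 matches the page's example read.
DEFAULTS: dict[str, Any] = {
    "accessTokenLifetimeSeconds": 3600,
    "refreshTokenLifetimeSeconds": 2592000,
    "refreshTokenRotation": False,
}


def _check_known(fields: dict[str, Any]) -> None:
    """Reject fields the settings resource does not define (assumed server-side validation)."""
    unknown = set(fields) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown token settings: {sorted(unknown)}")


def merge_patch(overrides: dict[str, Any], patch: dict[str, Any]) -> dict[str, Any]:
    """PATCH: absent keys stay unchanged; an explicit null removes the tenant override."""
    _check_known(patch)
    result = dict(overrides)
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)      # fall back to the resolved default
        else:
            result[key] = value
    return result


def put_replace(body: dict[str, Any]) -> dict[str, Any]:
    """PUT: the body becomes the entire override set; omitted fields revert to defaults."""
    _check_known(body)
    return {k: v for k, v in body.items() if v is not None}


def effective(overrides: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Read view: every field reports its value plus whether it came from the tenant or the default."""
    return {
        key: ({"value": overrides[key], "source": "tenant"} if key in overrides
              else {"value": default, "source": "default"})
        for key, default in DEFAULTS.items()
    }


def rejects(func, *args) -> bool:
    """True when the operation is refused with ValueError (used to show unknown-field handling)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False
```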

Register an OAuth2 client

Register a public or confidential OAuth2 client for the AS runtime. Public wallet and browser clients use clientType: public with tokenEndpointAuthMethod: none; backend clients use clientType: confidential and a configured authentication method such as client_secret_basic.

POST /api/platform/config/v1/tenants/{tenantId}/oauth2/as/clients

The full request and response schema is in the API reference, or open the API reference tab to read it inline.
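An added Python illustration (not EDK code) of the client registration rules this section states: public clients pair clientType: public with tokenEndpointAuthMethod: none, confidential clients need a configured method such as client_secret_basic, and a confidential client's secret is accepted on write but never returned. The clientId and clientSecret field names, the salted-hash storage and the record shape are assumptions, not the EDK schema.

```python
"""Client registration validation with write-only secret handling (illustration, not EDK code)."""
from __future__ import annotations
import hashlib
import hmac
import os
from typing import Any

PUBLIC_METHODS = {"none"}
# Only the method named on the page; other confidential methods would be listed here.
CONFIDENTIAL_METHODS = {"client_secret_basic"}
SECRET_FIELDS = ("secretSalt", "secretHash")


def register_client(body: dict[str, Any]) -> dict[str, Any]:
    """Validate a registration body and return the record as it would be stored."""
    client_type = body.get("clientType")
    method = body.get("tokenEndpointAuthMethod")
    secret = body.get("clientSecret")          # assumed field name for the write-only secret
    record = {"clientId": body["clientId"], "clientType": client_type,
              "tokenEndpointAuthMethod": method}
    if client_type == "public":
        if method not in PUBLIC_METHODS:
            raise ValueError("public clients must use tokenEndpointAuthMethod: none")
        if secret is not None:
            raise ValueError("public clients cannot carry a client secret")
        return record
    if client_type == "confidential":
        if method not in CONFIDENTIAL_METHODS:
            raise ValueError("confidential clients need a configured auth method")
        if not secret:
            raise ValueError("confidential clients must supply a client secret")
        salt = os.urandom(16)                  # store a salted hash, never the plaintext secret
        record["secretSalt"] = salt
        record["secretHash"] = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
        return record
    raise ValueError("clientType must be public or confidential")


def to_response(record: dict[str, Any]) -> dict[str, Any]:
    """Read representation: secret material is stripped before anything leaves the service."""
    return {k: v for k, v in record.items() if k not in SECRET_FIELDS}


def verify_secret(record: dict[str, Any], presented: str) -> bool:
    """Constant-time check of a presented secret against the stored salted hash."""
    if "secretHash" not in record:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode(), record["secretSalt"], 100_000)
    return hmac.compare_digest(digest, record["secretHash"])


def rejects(body: dict[str, Any]) -> bool:
    """True when register_client refuses the body with ValueError."""
    try:
        register_client(body)
    except ValueError:
        return True
    return False
```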

Federated identity providers

External IdPs are registered in the tenant's federation registry on the AS service. The client secret is written into the secret backend selected during onboarding; responses only ever carry an opaque reference. Schemas are in the Platform Admin API reference.

01 Register federation IdP

Endpoint: POST /api/platform/admin/v1/federation/idps

Captured response: 201 Created

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

02 List federation IdPs

Endpoint: GET /api/platform/admin/v1/federation/idps

Captured response: 200 OK

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

Register an IdP disabled, run the connectivity test endpoint to confirm the issuer is reachable and its metadata is valid, and then enable it for sign-in.

Issuer configuration

The EDK OID4VCI issuer has singleton configuration paths:

/api/platform/config/v1/tenants/{tenantId}/oid4vci/issuer/metadata
/api/platform/config/v1/tenants/{tenantId}/oid4vci/issuer/security
/api/platform/config/v1/tenants/{tenantId}/oid4vci/issuer/issuance

These sections configure issuer runtime behavior. Credential designs, status lists, and per-credential authoring stay in their own APIs; issuer configuration references those resources rather than copying their bodies.

Patch issuer metadata

Set issuer metadata such as the issuer identifier, authorization-server references, wallet display name, locale, and metadata-signing key alias plus KMS provider id.

PATCH /api/platform/config/v1/tenants/{tenantId}/oid4vci/issuer/metadata

The full request and response schema is in the API reference, or open the API reference tab to read it inline.

Patch issuer security

Configure credential response encryption metadata and request-decryption key alias plus KMS provider id. Key material remains in KMS or the configured secrets backend; platform config stores descriptors and references only.

PATCH /api/platform/config/v1/tenants/{tenantId}/oid4vci/issuer/security

The full request and response schema is in the API reference, or open the API reference tab to read it inline.

Patch issuer issuance

Tune issuer runtime behavior such as batch credential issuance size and accepted issuance clock skew. Credential configuration definitions themselves stay in the credential-design API.

PATCH /api/platform/config/v1/tenants/{tenantId}/oid4vci/issuer/issuance

The full request and response schema is in the API reference, or open the API reference tab to read it inline.

Verifier configuration

The EDK OID4VP verifier has singleton configuration paths:

/api/platform/config/v1/tenants/{tenantId}/oid4vp/verifier/client
/api/platform/config/v1/tenants/{tenantId}/oid4vp/verifier/request-object-signing
/api/platform/config/v1/tenants/{tenantId}/oid4vp/verifier/sessions
/api/platform/config/v1/tenants/{tenantId}/oid4vp/verifier/identity-reconciliation

These sections configure verifier defaults. DCQL query bodies remain in the DCQL API and are referenced by id from verifier flows instead of being duplicated here.

Patch verifier client settings

Configure the verifier's external base URL, response URI, auth-bridge client id, and auth-bridge response URI.

PATCH /api/platform/config/v1/tenants/{tenantId}/oid4vp/verifier/client

The full request and response schema is in the API reference, or open the API reference tab to read it inline.

Patch request-object signing

Configure request-object signing mode, KMS key alias, provider id, issuer inclusion, audience, expiry, and DID or x509 binding details.

PATCH /api/platform/config/v1/tenants/{tenantId}/oid4vp/verifier/request-object-signing

The full request and response schema is in the API reference, or open the API reference tab to read it inline.

Patch session settings

Configure the authorization session lifetime used by the verifier runtime.

PATCH /api/platform/config/v1/tenants/{tenantId}/oid4vp/verifier/sessions

The full request and response schema is in the API reference, or open the API reference tab to read it inline.

Patch identity reconciliation

Configure post-presentation reconciliation behavior, including whether users may be auto-created, whether reconciliation is required, and which claim path identifies the user.

PATCH /api/platform/config/v1/tenants/{tenantId}/oid4vp/verifier/identity-reconciliation

The full request and response schema is in the API reference, or open the API reference tab to read it inline.

Next, create signing keys and the tenant's did:web identifier.