The datastore services are the backbone of the Swiss SSI-inspired ecosystem. This repository contains the current implementation of the base registry. The authoring service is the service with write rights.
For a general overview of the public beta environment and its components, please check the Public Beta context.
A datastore service always consists of 2 sub-services:
- The authoring service, which provides all the write operations. Those should only be available to specified authorized systems, such as the controller system provided by the Swiss government.
- The data service, which provides all the protocol-conformant read operations.
Therefore we require a strict separation of write operations in the code: while the data models are shared through the shared libraries, services and repositories are not shared.
Note
Starting the service with the local profile does not connect the data and authoring services. It only serves to start this service locally.
To install Docker, please follow the instructions on the respective pages.
To start the service locally, run:
docker compose up
Then run:
./mvnw spring-boot:run -Dspring-boot.run.profiles=local
The OpenAPI definition can then be found here.
The data service is always unprotected, as all data on the registers should be readable by everyone.
The authoring service does need protection, which is currently handled by OAuth 2.0.
We recommend adding mTLS authentication to your infrastructure endpoints.
This service supports OAuth multi-tenancy, meaning more than one OAuth authorization server can be used. The authorization servers must be OpenID Connect compliant.
Trusted authorization servers can be added under the property spring.security.oauth2.trusted-oauth-issuers.*
This can also be done using Spring environment variables.
SECURITY_OAUTH2_JWT_ISSUERURIS_*
Example
SECURITY_OAUTH2_JWT_ISSUERURIS_MYAUTHSERVER="https://www.example.com/auth"
SECURITY_OAUTH2_JWT_ISSUERURIS_OTHERAUTHSERVER="https://www.other.example.com/auth"
To be compliant, the authorization server must issue Bearer JWTs whose "iss" claim contains exactly the configured URI as issuer.
Furthermore, the OpenID configuration must be available under
https://www.example.com/auth/.well-known/openid-configuration
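The following is an added example, not code from this repository, showing how the trusted-issuer list described above is typically consumed in a Spring Security resource server so that the authoring endpoints accept Bearer JWTs from every configured issuer and reject everything else. It assumes Spring Security 6.2 or later (JwtIssuerAuthenticationManagerResolver.fromTrustedIssuers; older versions use the constructor instead), that the property map binds to the field trustedOauthIssuers below, and the package and class names are hypothetical.

```java
// Added example (not part of the repository): resource-server configuration for
// the authoring service that trusts only the issuers configured under
// spring.security.oauth2.trusted-oauth-issuers.* (binding assumed, see lead-in).
package ch.example.datastore.authoring.security; // hypothetical package name

import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableConfigurationProperties(AuthoringSecurityConfig.TrustedIssuers.class)
public class AuthoringSecurityConfig {

    /** Binds spring.security.oauth2.trusted-oauth-issuers.<name>=<issuer-uri> into a map. */
    @ConfigurationProperties(prefix = "spring.security.oauth2")
    public static class TrustedIssuers {
        private Map<String, String> trustedOauthIssuers = new LinkedHashMap<>();

        public Map<String, String> getTrustedOauthIssuers() { return trustedOauthIssuers; }
        public void setTrustedOauthIssuers(Map<String, String> m) { this.trustedOauthIssuers = m; }
    }

    @Bean
    SecurityFilterChain authoringFilterChain(HttpSecurity http, TrustedIssuers issuers) throws Exception {
        Collection<String> trusted = issuers.getTrustedOauthIssuers().values();
        if (trusted.isEmpty()) {
            // Fail closed: a write service with no trusted issuer must not start with
            // its endpoints reachable, otherwise every token would be rejected silently
            // or, worse, a misconfiguration could leave the endpoints open.
            throw new IllegalStateException("no trusted OAuth issuers configured");
        }

        // For each trusted issuer Spring Security lazily fetches
        // <issuer>/.well-known/openid-configuration to locate the JWKS used for
        // signature verification. A token whose "iss" claim is not an exact match
        // for one of the configured URIs is rejected before any signature check,
        // which is why the issuer URI and the discovery document must line up.
        JwtIssuerAuthenticationManagerResolver resolver =
                JwtIssuerAuthenticationManagerResolver.fromTrustedIssuers(trusted);

        http
            // Bearer-token API without cookie sessions: CSRF protection does not apply.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
        return http.build();
    }
}
```

With two issuers configured as in the example above, a request to an authoring endpoint carrying a JWT from https://www.example.com/auth or https://www.other.example.com/auth is verified against that issuer's JWKS; a JWT from any other issuer, or one whose "iss" differs even by a trailing slash, yields 401 without the signature ever being checked.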
The code for this repository is developed privately and will be released after each sprint. The published code can therefore only be a snapshot of the current development and not a thoroughly tested version. However, we welcome any feedback on the code regarding both the implementation and security aspects. Please follow the guidelines for contributing found in CONTRIBUTING.md.
This project is licensed under the terms of the MIT license. See the LICENSE file for details.