Generic policy enforcement based on claims

[DominikPinsel]

The idea is creating an extension, that makes it possible to configure validation against specific claims. This should be done in a generic way, so that it may be used to cover different use cases.

Assume the referringConnector of the DAT should be validated.

    {
            "typ": "JWT",
            "kid": "default",
            "alg": "RS256"
    }
    .
        {
            "scopes": [
            "idsc:IDS_CONNECTOR_ATTRIBUTES_ALL"
            ],
            "aud": "idsc:IDS_CONNECTORS_ALL",
            "iss": "https://daps.aisec.fraunhofer.de",
            "nbf": 1632982369,
            "iat": 1632982369,
            "jti": "OTAyNTE1OTMzNTczMDgyMzUxNg==",
            "exp": 1632985969,
            "securityProfile": "idsc:TRUST_SECURITY_PROFILE",
            "referringConnector": "http://consumer-core.demo",
            "@type": "ids:DatPayload",
            "@context": "https://w3id.org/idsa/contexts/context.jsonld",
            "transportCertsSha256": "c15e6558088dbfef215a43d2507bbd124f44fb8facd561c14561a2c1a669d0e0",
            "sub": "A5:0C:A5:F0:84:D9:90:BB:BC:D9:57:3A:04:C8:7F:93:ED:97:A2:52:keyid:CB:8C:C7:B6:85:79:A8:23:A6:CB:15:AB:17:50:2F:E6:65:43:5D:E8"
        }
    .
    <signature>

This generic constraint could be described using a custom leftOperand in an EDC Constraint.

    {
         "constraint": {
               "leftOperand": "my-custom-validation",
               "operator":  "EQ",
               "rightOperand": "http://consumer-core.demo"
         }
    }

The idea is to create a new extension, where its possible to configure one or more validations, that matches the constraint value against a specific claim of the participant. For example like this

// generic
edc.policy.validation.<leftOperand>.claim=<key>

// example
edc.policy.validation.my-custom-validation.claim=referringConnector

I assume the implementation of such an extension should be pretty straight forward. This would make it possible to enforce use cases like the current PartnerLevel and SpatialPosition by configuration.

What do you think? Do you see any flaws or issues I might have missed?

Edit: I forgot to mention that this may only be used for access control/policy. For all custom policies there is currently no way to send them to the other connector using IDS. Also making the same claim validation on the other connector side would probably not make much sense.

_{Dominik Pinsel dominik.pinsel@daimler.com, Daimler TSS GmbH, legal info/Impressum}