WHAT
The `DataFlowPropertiesProviderExtension` populates the `DataFlowStartMessage` (sent today from provider controlplane to provider dataplane) and the `TransferStartMessage` (sent from provider controlplane to consumer controlplane) with the `https://w3id.org/tractusx/auth/audience` property set to the counterparty's did. This did is used by the provider dataplane to perform the token refresh. Currently, that extension has a dependency on the BDRS.
That should be changed because there's an implicit dependency from the BDRS to the token refresh mechanism. That makes it unusable for other Dataspaces.
WHY
Enable downstream projects to use the refresh feature without duplicating the extension
HOW
I think there are three options:
- Leave everything as-is because this activity will likely be disrupted when the DPS features are downstreamed.
- Split the extension in two as sketched below. The refresh mechanism could remain untouched.
  - legacy: checks if `assignee` is a BPN and calls BDRS to resolve it to a did. Populates `https://w3id.org/tractusx/auth/audience` with the did. Does nothing otherwise.
  - default: checks if `assignee` is a did and populates `tx-auth:audience` with the did. Does nothing otherwise.
- Contemporary tractusx-edcs always set the `assignee` to a did. This might justify reworking the refresh mechanism such that it works without `https://w3id.org/tractusx/auth/audience` entirely. This would impact `DataPlaneTokenRefreshServiceImpl` and `AuthTokenAudienceRule`.
FURTHER NOTES
This isn't urgent but could remove a set of technical debt that is currently inherited by each connector using the tx token refresh mechanism.
Some more analysis on Option 3: `AuthTokenAudienceRule` could also evaluate against `participantId` or `participant_Id`, which hold the same value as `https://w3id.org/tractusx/auth/audience`. All are in `accessTokenData.additionalProperties()` [1].
I'm unsure if it's a plausible scenario that there are connectors that still have BPNs in `participantId` or `participant_id` persisted in the `AccessTokenStore`.
[1] `tractusx-edc/edc-extensions/dataplane/dataplane-token-refresh/token-refresh-core/src/main/java/org/eclipse/tractusx/edc/dataplane/tokenrefresh/core/rules/AuthTokenAudienceRule.java`, line 60 in 09ebd43:

```java
var expectedAudience = accessTokenData.additionalProperties().getOrDefault(AUDIENCE_PROPERTY, null);
```
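As an added illustration (not tractusx-edc code), here is the option-2 split from HOW and the audience check from the note on Option 3 in plain Java. The `did:`/`BPNL` prefix checks and the BDRS resolver injected as a function are assumptions standing in for the real interfaces.

```java
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;

/** Hypothetical sketch of the proposed split and the audience rule; not the project's own code. */
public final class AudienceSketch {
    static final String AUDIENCE_PROPERTY = "https://w3id.org/tractusx/auth/audience";

    /** "default" provider: assignee is already a did, so it becomes the audience; otherwise nothing. */
    static Map<String, String> defaultProvider(String assignee) {
        if (assignee != null && assignee.startsWith("did:")) {   // assumed did check
            return Map.of(AUDIENCE_PROPERTY, assignee);
        }
        return Map.of();
    }

    /** "legacy" provider: assignee is a BPN, resolved to a did via BDRS (injected); otherwise nothing. */
    static Map<String, String> legacyProvider(String assignee, Function<String, Optional<String>> bdrsResolve) {
        if (assignee != null && assignee.startsWith("BPNL")) {   // assumed BPN check
            return bdrsResolve.apply(assignee)
                    .map(did -> Map.of(AUDIENCE_PROPERTY, did))
                    .orElse(Map.of());
        }
        return Map.of();
    }

    /** Mirrors the AuthTokenAudienceRule lookup: the token's aud must equal the stored expected audience. */
    static boolean audienceMatches(Map<String, String> additionalProperties, String tokenAudience) {
        var expectedAudience = additionalProperties.getOrDefault(AUDIENCE_PROPERTY, null);
        // Fail closed when no expected audience was stored, so a token bound to another
        // counterparty is never accepted for this transfer.
        return expectedAudience != null && expectedAudience.equals(tokenAudience);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real participants.
        var counterpartyDid = "did:web:example.org:consumer";
        Function<String, Optional<String>> fakeBdrs = bpn ->
                "BPNL000000000001".equals(bpn) ? Optional.of(counterpartyDid) : Optional.empty();

        var viaLegacy = legacyProvider("BPNL000000000001", fakeBdrs);
        var viaDefault = defaultProvider(counterpartyDid);
        System.out.println("same audience from both providers: " + viaLegacy.equals(viaDefault));
        System.out.println("default ignores a BPN assignee: " + defaultProvider("BPNL000000000001").isEmpty());
        System.out.println("own did accepted: " + audienceMatches(viaDefault, counterpartyDid));
        System.out.println("other did rejected: " + !audienceMatches(viaDefault, "did:web:example.org:other"));
    }
}
```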