Using walt-id for Gaia-X Dataspaces

[dcandas]

Hello, we would like to use walt-id for our gaia-x service, which may or may not become an SSI Domain (which we currently do not know). Basically, we have gaia-x compatible connectors from EDC that have been using a simple oauth2 flow with keycloak, where everyone is registered in a common realm and public/private keys are used to verify clients. Basic auth is not supported, only public/private keys during oauth2. There is an alternative flow from EDC with distributed identities that we are currently experimenting with.

To eventually function as an SSI domain, we have chosen two flows that we may need to partially fulfill, namely SSI OIDC Login and Initial Access Token Issuing. Here, we assume that we will have our own internal Keycloak as our own IAM Platform. We ignore the interactions between other components and are only interested in flows coming in and outside of the IAM Platform. We want to integrate walt-id using identity federation.

We were unable to answer the following questions:

• Can we use walt-id directly as an IAM Platform for these flows?
• Which parts of the flows can be handled by walt-id? Which parts must be done by an actor/program that interacts with walt-id and Keycloak?
• Each connector is registered as a client and not a user during the current flow. Should gaia-x connectors be tied to keycloak clients or users, or is this an arbitrary decision?
• After following the tutorial, we are able to create a user in Keycloak with the did:key... as the username. However, the basic flow currently supports either clients that use private/public keys or a distributed identity that looks up keys. For the first flow, is it possible to create clients in Keycloak after registering them as users from walt-id? If not, is it possible to have an internal IAM Platform combined with distributed id documents?
• In the case of the IAT flow, is it possible or desirable for a program to handle every step on its own (so we just have some sort of agent that has access to the wallet) or is it expected that an actual user clicks on Keycloak's than walt.id's UIs and eventually follows this diagram manually once?
• How much of a flow can be tested programmatically?

We are currently looking into developing or mocking missing parts ourselves (by extending code or writing scripts that act as user agents) and would like to use the built-in capabilities of walt-id as much as possible so that we actually test compatibility with SSIs instead of manually creating something that doesn't fulfill gaia-x requirements.

[philpotisk]

Dear @dcandas, this is a fantastic use case on which you are working one! As walt.id is already supporting the GAIA-X ecosystem to some extent, and furthermore the IDP Kit handles the mapping from SSI to OIDC (for the KeyCloak integration), we are positive that we will be able to meet your requirements.

We think it would be the best to have chat with you to discuss further details. Please drop us an email or ping us via Slack in order to schedule a call. Thx

[severinstampler]

Hi @dcandas, I'm looking forward to hearing more about your use case.
In the meantime, I think, you may want to read about the dynamic client registration API of the IDP Kit on our documentation:
https://docs.walt.id/v/idpkit/configuration-and-setup/oidc-manager-configuration/client-registration

The initial access token for registering new clients can currently be generated using the command line interface, whereas there is also a configuration option to allow unauthenticated client registrations (openClientRegistration). More details you find in the documentation linked above.

Also, I have just filed an issue to support private/public key client authentication (and other methods as well), as it definitely is a useful feature that we should implement:

walt-id/waltid-idpkit#19

best regards

[dcandas]

Hello @severinstampler, thank you for the quick reply!

We already use these capabilities in IDP Kit to register users at walt.id; however, we could not find a way to get an IAT/RAT after logging into Keycloak while using walt.id as our identity provider. walt.id creates users in Keycloak, but we require clients.

Currently, we are allowing users to create clients as they wish with mappers, but we would like to somehow get the IAT/RAT that walt.id uses (assuming that it does), or get a fresh one when we register for Keycloak for the first time with a given wallet/credential. It is also fine if walt.id creates a client in Keycloak and we can somehow manage that.

Thank you

[severinstampler]

Hi
The IDP Kit doesn't create users in KeyCloak. From the point of view of the IDP Kit, the KeyCloak IAM is like a client application, that requests an OIDC authentication flow. What the client does with the provided identity information is out of scope for the IDP Kit.
If you configure the IDP Kit as a federated identity provider in KeyCloak and a user logs in to KeyCloak using the IDP Kit, KeyCloak internally creates a user entry and maps it to the identity info provided by the IDP Kit.

In that case, if your users create client ids, they may have to register at KeyCloak as a client, not at the IDP Kit.

You can leave the KeyCloak out of the picture and use the IDP Kit only. In this case your application would create and register clients for your users, using the IAT of the IDP Kit. Your users shouldn't need an IAT.

Not sure if I understand your use case correctly, though...