Move contractId from EDR authcode back to a dedicated header field.

[domreuter]

Problem

Within EDC the "cid" field from the JWT in the authCode of the EDR payload is meant to be the contractId.

When generating an JWT using a custom generator, the field "cid" is reserved to the entity that the JWT was issued for and cannot be used to hold the contractId furthermore.

This causes the contractId retrieval to crash as the given value is not equal to the expected contractId.

Additionally, there is currently extra effort to get the contractId out of the token. The JWT needs to be unwrapped and decoded first to get the contractId out of it.

We placed the information under an additional attributes section for our token, which differs from the EDC implementation and is therefore not a working solution.

Proposed Solution

The proposed solution would be to move the "contractId" one level up, next to the authcode into the header. This would avoid conflicts with other uses/interpretations for the field and reduce the extra token unwrapping effort.

Example

Current state when using a custom token generator:

{
    "jti": "",
    "az_attr": {
        "exp": 1692132629,
        "dad": "lYovmpLe5.........",
        "cid":"ZGR0ci1jeG1lbWJlcnMtY29udHJhY3Q=:ZGlnaXRhbC10d2luLXJlZ2lzdHJ5:MWYzYjJhMjktMTEzMi00MTg4LTlhOWQtMWY0MmY2MGU1Nzk"
    },
    "ext_attr": {
        "": "",
        "": "",
        "": "",
        "": ""
    },
    "sub": "",
    "authorities": [
        "",
        ""
    ],
    "scope": [
        "",
        ""
    ],
    "client_id": "",
    "cid": "ClientId for which the token was issued not contractId is expected here. EDC expects the contractId here",
    "azp": "",
    "grant_type": "",
    "rev_sig": "",
    "iat": "",
    "exp": "",
    "iss": "",
    "zid": "",
    "aud": [
        "",
        "",
        ""
    ]
}

Current EDC state:

{
    "exp": 1692132629,
    "dad": "lYovmpLe5.........",
    "cid":"ZGR0ci1jeG1lbWJlcnMtY29udHJhY3Q=:ZGlnaXRhbC10d2luLXJlZ2lzdHJ5:MWYzYjJhMjktMTEzMi00MTg4LTlhOWQtMWY0MmY2MGU1Nzk"
}

[paullatzelsperger]

in the interest of (backwards) compatibility, could it be an option to add an override switch for the key, i.e. you could then use "your_favourite_key": "contract12345" instead of "cid": "contract12345"?

In any event, this would be a topic for upstream EDC.

[domreuter]

Think this must be a valid solution to stay compatible with all implementations, don't think that the usage of connector specific fields will solve this issue.

Will take this over to the upstream repo then, thx.