openwallet-foundation
diff --git a/‎.github/workflows/pr-linting-and-unit-tests.yaml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/pr-linting-and-unit-tests.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎oid4vc/README.md‎
Lines changed: 50 additions & 4 deletions b/‎oid4vc/README.md‎
Lines changed: 50 additions & 4 deletions
diff --git a/‎oid4vc/auth_server/README.md‎
Lines changed: 2 additions & 2 deletions b/‎oid4vc/auth_server/README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎oid4vc/auth_server/admin/routers/internal.py‎
Lines changed: 2 additions & 2 deletions b/‎oid4vc/auth_server/admin/routers/internal.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎oid4vc/auth_server/admin/schemas/client.py‎
Lines changed: 2 additions & 2 deletions b/‎oid4vc/auth_server/admin/schemas/client.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎oid4vc/auth_server/admin/security/bearer.py‎
Lines changed: 1 addition & 1 deletion b/‎oid4vc/auth_server/admin/security/bearer.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎oid4vc/auth_server/admin/services/client_service.py‎
Lines changed: 2 additions & 2 deletions b/‎oid4vc/auth_server/admin/services/client_service.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎oid4vc/auth_server/alembic/sql/init.sql‎
Lines changed: 7 additions & 13 deletions b/‎oid4vc/auth_server/alembic/sql/init.sql‎
Lines changed: 7 additions & 13 deletions
diff --git a/‎oid4vc/auth_server/core/consts.py‎
Lines changed: 2 additions & 2 deletions b/‎oid4vc/auth_server/core/consts.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎oid4vc/auth_server/core/security/client_auth.py‎
Lines changed: 6 additions & 5 deletions b/‎oid4vc/auth_server/core/security/client_auth.py‎
Lines changed: 6 additions & 5 deletions
@@ -73,6 +73,10 @@ jobs:
             cd $dir
             echo "Installing dependencies for $dir"
             poetry install --no-interaction --no-root --all-extras
+            # Install isomdl-uniffi from pre-built wheel (not on PyPI)
+            if [ "$dir" = "oid4vc" ]; then
+              poetry run pip install https://github.com/Indicio-tech/isomdl-uniffi/releases/download/v0.1.0-indicio.1/isomdl_uniffi-0.1.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
+            fi
             cd ..
           done
       #----------------------------------------------
 
@@ -255,10 +255,33 @@ The Plugin expects the following configuration options. These options can either
   - `credential_issuer` endpoint, seen in the Credential Offer
 - `OID4VCI_CRED_HANDLER` or `oid4vci.cred_handler`
   - Dict of credential handlers. e.g. `{"jwt_vc_json": "jwt_vc_json"}`
-- `OID4VCI_AUTH_SERVER_URL` or `oid4vci.auth_server_url`
-  - Optional authorization server URL
-- `OID4VCI_AUTH_SERVER_CLIENT` or `oid4vci.auth_server_client`
-  - Optional authorization server client credential, e.g. `{"auth_type": "client_secret_basic", "client_id": "client_id", "client_secret": "client_secret"}`
+
+#### Authorization Server (Per-Tenant)
+
+Authorization server configuration is managed per-tenant via the `IssuerConfiguration` record, not through global environment variables. Use the admin API:
+
+- `PUT /oid4vci/issuer/configuration` — create or update the issuer configuration
+- `GET /oid4vci/issuer/configuration` — retrieve the current configuration
+
+Example payload to configure an external authorization server:
+
+```json
+{
+  "authorization_servers": [
+    {
+      "public_url": "https://auth.example.com/tenant/abc123",
+      "private_url": "https://auth-internal:8080/tenant/abc123",
+      "auth_type": "client_secret_basic",
+      "client_credentials": {
+        "client_id": "issuer-client",
+        "client_secret": "secret"
+      }
+    }
+  ]
+}
+```
+
+Supported `auth_type` values: `client_secret_basic`, `client_secret_jwt`, `private_key_jwt`.
 
 ### Creating Supported Credential Records
 
@@ -426,6 +449,29 @@ docker compose down -v  # Clean up
 
 For Apple Silicon, the `DOCKER_DEFAULT_PLATFORM=linux/amd64` environment variable will be required.
 
+## Development Setup
+
+After cloning the repo and installing dependencies with `poetry install --all-extras`, you must install the `isomdl-uniffi` package separately. It provides the Rust-based ISO 18013-5 mDoc signing bindings and is not on PyPI — only pre-built wheels are available from GitHub releases.
+
+Pick the wheel for your platform:
+
+**macOS (Apple Silicon):**
+```bash
+poetry run pip install https://github.com/Indicio-tech/isomdl-uniffi/releases/download/v0.1.0-indicio.1/isomdl_uniffi-0.1.0-py3-none-macosx_11_0_arm64.whl
+```
+
+**macOS (Intel):**
+```bash
+poetry run pip install https://github.com/Indicio-tech/isomdl-uniffi/releases/download/v0.1.0-indicio.1/isomdl_uniffi-0.1.0-py3-none-macosx_10_12_x86_64.whl
+```
+
+**Linux (x86_64):**
+```bash
+poetry run pip install https://github.com/Indicio-tech/isomdl-uniffi/releases/download/v0.1.0-indicio.1/isomdl_uniffi-0.1.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
+```
+
+Without this, importing `mso_mdoc` will fail with `ModuleNotFoundError: No module named 'isomdl_uniffi'`.
+
 ## Not Implemented
 
 - `ldp_vc`
 
@@ -46,8 +46,8 @@ ADMIN_INTERNAL_AUTH_TOKEN=admin-internal-token
 
 ```
 TENANT_ISSUER_BASE_URL=http://localhost:9001
-TENANT_ADMIN_INTERNAL_BASE_URL=http://localhost:9000/internal
-TENANT_ADMIN_INTERNAL_AUTH_TOKEN=admin-internal-token
+TENANT_INTERNAL_BASE_URL=http://localhost:9000/internal
+TENANT_INTERNAL_AUTH_TOKEN=admin-internal-token
 ```
 
 ## ✅ Health Checks
 
@@ -10,11 +10,11 @@
     TenantDbResponse,
     TenantJwksResponse,
 )
-from admin.security.bearer import require_interal_auth
+from admin.security.bearer import require_internal_auth
 from admin.services.internal_service import get_tenant_db, get_tenant_jwks
 from admin.services.signing_service import sign_tenant_jwt
 
-router = APIRouter(prefix="/tenants/{uid}", dependencies=[Depends(require_interal_auth)])
+router = APIRouter(prefix="/tenants/{uid}", dependencies=[Depends(require_internal_auth)])
 
 
 @router.get("/db", response_model=TenantDbResponse)
 
@@ -13,15 +13,15 @@ class ClientIn(BaseModel):
         default=None,
     )
     client_auth_method: str | None = Field(
-        description="Auth method: client_secret_basic | shared_key_jwt | private_key_jwt",
+        description="Auth method: client_secret_basic|client_secret_jwt|private_key_jwt",
         default=None,
     )
     client_auth_signing_alg: str | None = Field(
         description="e.g., ES256 or HS256",
         default=None,
     )
     client_secret: str | None = Field(
-        description="For client_secret_basic or shared_key_jwt",
+        description="For client_secret_basic or client_secret_jwt",
         default=None,
     )
     jwks: dict[str, Any] | None = Field(
 
@@ -9,7 +9,7 @@
 _security = HTTPBearer(auto_error=False)
 
 
-def require_interal_auth(
+def require_internal_auth(
     credentials: HTTPAuthorizationCredentials | None = Depends(_security),
 ) -> bool:
     """Validate internal routes via Bearer from settings."""
 
@@ -33,7 +33,7 @@ async def create(self, data: ClientIn) -> Client:
         if not signing_alg:
             if method == ClientAuthMethod.PRIVATE_KEY_JWT:
                 signing_alg = "ES256"
-            elif method == ClientAuthMethod.SHARED_KEY_JWT:
+            elif method == ClientAuthMethod.CLIENT_SECRET_JWT:
                 signing_alg = "HS256"
 
         # Validate fields by method
@@ -42,7 +42,7 @@ async def create(self, data: ClientIn) -> Client:
             if not (data.jwks or data.jwks_uri):
                 raise HTTPException(status_code=400, detail="jwks_or_uri_required")
         elif method in (
-            ClientAuthMethod.SHARED_KEY_JWT,
+            ClientAuthMethod.CLIENT_SECRET_JWT,
             ClientAuthMethod.CLIENT_SECRET_BASIC,
         ):
             if not data.client_secret:
 
@@ -1,17 +1,11 @@
---
--- create auth_server_admin user
---
-CREATE ROLE auth_server_admin
+-- create :ADMIN_DB_USER user
+CREATE ROLE :ADMIN_DB_USER
 WITH
-    LOGIN PASSWORD 'auth_server_admin' NOSUPERUSER CREATEDB CREATEROLE INHERIT NOBYPASSRLS NOREPLICATION;
+    LOGIN PASSWORD :ADMIN_DB_PASSWORD NOSUPERUSER CREATEDB CREATEROLE INHERIT NOBYPASSRLS NOREPLICATION;
 
---
--- create auth_server_admin database
---
-CREATE DATABASE auth_server_admin OWNER auth_server_admin ENCODING 'UTF8' TEMPLATE template0;
+-- create :ADMIN_DB_NAME database
+CREATE DATABASE :ADMIN_DB_NAME OWNER :ADMIN_DB_USER ENCODING 'UTF8' TEMPLATE template0;
 
---
--- grant permissions to auth_server_admin
---
+-- grant permissions to :ADMIN_DB_USER
 GRANT CONNECT,
-CREATE ON DATABASE auth_server_admin TO auth_server_admin;
+CREATE ON DATABASE :ADMIN_DB_NAME TO :ADMIN_DB_USER;
@@ -20,11 +20,11 @@ class ClientAuthMethod:
 
     CLIENT_SECRET_BASIC = "client_secret_basic"
     PRIVATE_KEY_JWT = "private_key_jwt"
-    SHARED_KEY_JWT = "shared_bearer"
+    CLIENT_SECRET_JWT = "client_secret_jwt"
 
 
 CLIENT_AUTH_METHODS: tuple[str, ...] = (
     ClientAuthMethod.CLIENT_SECRET_BASIC,
     ClientAuthMethod.PRIVATE_KEY_JWT,
-    ClientAuthMethod.SHARED_KEY_JWT,
+    ClientAuthMethod.CLIENT_SECRET_JWT,
 )
@@ -109,10 +109,10 @@ async def _authenticate_private_key_jwt(
     )
 
 
-async def _authenticate_shared_key_jwt(
+async def _authenticate_client_secret_jwt(
     client: AuthClient, token: str, request: Request, presented_client_id: str
 ) -> Mapping[str, Any]:
-    """Validate shared_key_jwt assertions signed with a shared secret."""
+    """Validate client_secret_jwt assertions signed with a shared secret."""
 
     secret = client.client_secret or ""
     if not secret:
@@ -191,7 +191,8 @@ async def base_client_auth(
     if allowed == CLIENT_AUTH_METHOD.CLIENT_SECRET_BASIC and scheme != "basic":
         raise HTTPException(status_code=401, detail="unauthorized_client")
     if (
-        allowed in {CLIENT_AUTH_METHOD.PRIVATE_KEY_JWT, CLIENT_AUTH_METHOD.SHARED_KEY_JWT}
+        allowed
+        in {CLIENT_AUTH_METHOD.PRIVATE_KEY_JWT, CLIENT_AUTH_METHOD.CLIENT_SECRET_JWT}
         and scheme != "bearer"
     ):
         raise HTTPException(status_code=401, detail="unauthorized_client")
@@ -201,8 +202,8 @@ async def base_client_auth(
         request.state.client_id = str(client.client_id)
         return client
 
-    if allowed == CLIENT_AUTH_METHOD.SHARED_KEY_JWT:
-        await _authenticate_shared_key_jwt(client, token, request, str(client_id))
+    if allowed == CLIENT_AUTH_METHOD.CLIENT_SECRET_JWT:
+        await _authenticate_client_secret_jwt(client, token, request, str(client_id))
         request.state.client_id = str(client.client_id)
         return client
Original file line number	Diff line number	Diff line change
`@@ -13,15 +13,15 @@ class ClientIn(BaseModel):`
`13`	`13`	`default=None,`
`14`	`14`	`)`
`15`	`15`	`client_auth_method: str \| None = Field(`
`16`		`- description="Auth method: client_secret_basic \| shared_key_jwt \| private_key_jwt",`
	`16`	`+ description="Auth method: client_secret_basic\|client_secret_jwt\|private_key_jwt",`
`17`	`17`	`default=None,`
`18`	`18`	`)`
`19`	`19`	`client_auth_signing_alg: str \| None = Field(`
`20`	`20`	`description="e.g., ES256 or HS256",`
`21`	`21`	`default=None,`
`22`	`22`	`)`
`23`	`23`	`client_secret: str \| None = Field(`
`24`		`- description="For client_secret_basic or shared_key_jwt",`
	`24`	`+ description="For client_secret_basic or client_secret_jwt",`
`25`	`25`	`default=None,`
`26`	`26`	`)`
`27`	`27`	`jwks: dict[str, Any] \| None = Field(`