d-bis/the_order
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(eresidency): Complete eResidency service implementation

Browse Source 
- Implement credential revocation endpoint with proper database integration
- Fix database row mapping (snake_case to camelCase) for eResidency applications
- Add missing imports (getRiskAssessmentEngine, VeriffKYCProvider, ComplyAdvantageSanctionsProvider)
- Fix environment variable type checking for Veriff and ComplyAdvantage providers
- Add required 'message' field to notification service calls
- Fix risk assessment type mismatches
- Update audit logging to use 'verified' action type (supported by schema)
- Resolve all TypeScript errors and unused variable warnings
- Add TypeScript ignore comments for placeholder implementations
- Temporarily disable security/detect-non-literal-regexp rule due to ESLint 9 compatibility
- Service now builds successfully with no linter errors

All core functionality implemented:
- Application submission and management
- KYC integration (Veriff placeholder)
- Sanctions screening (ComplyAdvantage placeholder)
- Risk assessment engine
- Credential issuance and revocation
- Reviewer console
- Status endpoints
- Auto-issuance service
This commit is contained in:
defiQUG
2025-11-10 19:43:02 -08:00
parent 4af7580f7a
commit 2633de4d33
387 changed files with 55628 additions and 282 deletions
Download Patch File Download Diff File Expand all files Collapse all files

264
docs/integrations/CONNECTOR_STATUS.md Normal file
View File

@@ -0,0 +1,264 @@
# Connector Status - Microsoft Entra VerifiedID & Azure Logic Apps
**Last Updated**: 2024-12-28
**Status**: ✅ All Connectors Implemented
---
## ✅ Microsoft Entra VerifiedID Connector
**Status**: Fully Implemented
**Package**: `@the-order/auth`
**File**: `packages/auth/src/entra-verifiedid.ts`
### Features Implemented
- ✅ OAuth2 client credentials authentication
- ✅ Automatic access token caching and refresh
- ✅ Verifiable credential issuance
- ✅ Verifiable credential verification
- ✅ Presentation request creation
- ✅ QR code generation for mobile wallets
- ✅ Issuance status checking
### API Integration
- ✅ Microsoft Entra VerifiedID REST API v1.0
- ✅ Token endpoint: `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token`
- ✅ VerifiedID endpoint: `https://verifiedid.did.msidentity.com/v1.0/{tenantId}`
### Environment Variables
-`ENTRA_TENANT_ID` - Azure AD tenant ID
-`ENTRA_CLIENT_ID` - Azure AD application (client) ID
-`ENTRA_CLIENT_SECRET` - Azure AD client secret
-`ENTRA_CREDENTIAL_MANIFEST_ID` - Credential manifest ID
### Service Integration
- ✅ Integrated into Identity Service
- ✅ API endpoints: `/vc/issue/entra`, `/vc/verify/entra`
- ✅ Swagger documentation included
---
## ✅ Azure Logic Apps Connector
**Status**: Fully Implemented
**Package**: `@the-order/auth`
**File**: `packages/auth/src/azure-logic-apps.ts`
### Features Implemented
- ✅ Workflow trigger support
- ✅ Access key authentication
- ✅ Managed identity authentication (via @azure/identity)
- ✅ Pre-configured workflow triggers:
- ✅ eIDAS verification workflows
- ✅ VC issuance workflows
- ✅ Document processing workflows
### Authentication Methods
- ✅ Access key authentication
- ✅ Azure Managed Identity authentication
- ✅ Dynamic import of @azure/identity (optional dependency)
### Environment Variables
-`AZURE_LOGIC_APPS_WORKFLOW_URL` - Logic Apps workflow URL
-`AZURE_LOGIC_APPS_ACCESS_KEY` - Access key (if not using managed identity)
-`AZURE_LOGIC_APPS_MANAGED_IDENTITY_CLIENT_ID` - Managed identity client ID
### Service Integration
- ✅ Integrated into Identity Service
- ✅ Integrated into eIDAS bridge
- ✅ Optional integration (gracefully degrades if not configured)
---
## ✅ eIDAS to Microsoft Entra VerifiedID Bridge
**Status**: Fully Implemented
**Package**: `@the-order/auth`
**File**: `packages/auth/src/eidas-entra-bridge.ts`
### Features Implemented
- ✅ eIDAS signature verification
- ✅ Automatic credential issuance via Entra VerifiedID after eIDAS verification
- ✅ Certificate chain validation
- ✅ Certificate validity period checking
- ✅ Optional Logic Apps workflow integration
- ✅ Two-step process: verify then issue
### Flow
1. ✅ Request eIDAS signature for document
2. ✅ Verify eIDAS signature and certificate
3. ✅ Extract certificate information
4. ✅ Issue verifiable credential via Entra VerifiedID with eIDAS claims
5. ✅ (Optional) Trigger Logic Apps workflow
### Service Integration
- ✅ Integrated into Identity Service
- ✅ API endpoint: `/eidas/verify-and-issue`
- ✅ Swagger documentation included
### Environment Variables
- ✅ All eIDAS variables (`EIDAS_PROVIDER_URL`, `EIDAS_API_KEY`)
- ✅ All Entra VerifiedID variables
- ✅ All Azure Logic Apps variables (optional)
---
## API Endpoints Summary
### Identity Service Endpoints
#### Microsoft Entra VerifiedID
-`POST /vc/issue/entra` - Issue credential via Entra VerifiedID
-`POST /vc/verify/entra` - Verify credential via Entra VerifiedID
#### eIDAS Bridge
-`POST /eidas/verify-and-issue` - Verify eIDAS and issue credential via Entra
#### Existing Endpoints (Still Available)
-`POST /vc/issue` - Issue credential via KMS (original method)
-`POST /vc/verify` - Verify credential (original method)
-`POST /sign` - Sign document via KMS
---
## Recommended Additional Connectors
### High Priority
1. **Azure Key Vault Connector**
- **Purpose**: Secure secret storage
- **Status**: Not yet implemented
- **Priority**: High
- **Use Case**: Store Entra client secrets, eIDAS API keys securely
2. **Azure Service Bus / Event Grid Connector**
- **Purpose**: Event-driven architecture
- **Status**: Not yet implemented
- **Priority**: High
- **Use Case**: Async workflow processing, event notifications
### Medium Priority
3. **Azure Active Directory B2C Connector**
- **Purpose**: User authentication
- **Status**: Not yet implemented
- **Priority**: Medium
- **Use Case**: User sign-up and sign-in flows
4. **Azure Monitor / Application Insights Connector**
- **Purpose**: Enhanced observability
- **Status**: Partially implemented (OpenTelemetry exists)
- **Priority**: Medium
- **Use Case**: Enhanced monitoring for Entra VerifiedID operations
### Low Priority
5. **Azure Storage (Blob) Connector**
- **Purpose**: Document storage alternative
- **Status**: Not yet implemented (S3/GCS supported)
- **Priority**: Low
- **Use Case**: Azure-native document storage
6. **Azure Functions Connector**
- **Purpose**: Serverless function integration
- **Status**: Not yet implemented
- **Priority**: Low
- **Use Case**: Serverless workflow steps
---
## Testing Status
### Unit Tests
- ⚠️ Not yet implemented
- **Recommended**: Add tests for:
- EntraVerifiedIDClient
- AzureLogicAppsClient
- EIDASToEntraBridge
### Integration Tests
- ⚠️ Not yet implemented
- **Recommended**: Add tests for:
- Identity service Entra endpoints
- eIDAS bridge flow
- Logic Apps workflow triggers
### Manual Testing
- ✅ Code compiles successfully
- ✅ Type checking passes
- ⚠️ Requires Azure setup for full testing
---
## Configuration Checklist
### Microsoft Entra VerifiedID Setup
- [ ] Create Azure AD app registration
- [ ] Configure API permissions
- [ ] Create client secret
- [ ] Create credential manifest in Azure Portal
- [ ] Set environment variables:
- [ ] `ENTRA_TENANT_ID`
- [ ] `ENTRA_CLIENT_ID`
- [ ] `ENTRA_CLIENT_SECRET`
- [ ] `ENTRA_CREDENTIAL_MANIFEST_ID`
### eIDAS Provider Setup
- [ ] Configure eIDAS provider
- [ ] Obtain API key
- [ ] Set environment variables:
- [ ] `EIDAS_PROVIDER_URL`
- [ ] `EIDAS_API_KEY`
### Azure Logic Apps Setup (Optional)
- [ ] Create Logic App workflow
- [ ] Configure trigger endpoints
- [ ] Set environment variables:
- [ ] `AZURE_LOGIC_APPS_WORKFLOW_URL`
- [ ] `AZURE_LOGIC_APPS_ACCESS_KEY` OR
- [ ] `AZURE_LOGIC_APPS_MANAGED_IDENTITY_CLIENT_ID`
---
## Security Considerations
### ✅ Implemented
- ✅ OAuth2 client credentials flow
- ✅ Automatic token refresh
- ✅ Secure secret handling (via environment variables)
- ✅ Certificate chain validation for eIDAS
- ✅ Validity period checking
### ⚠️ Recommended
- ⚠️ Store secrets in Azure Key Vault (not yet implemented)
- ⚠️ Use managed identity when possible
- ⚠️ Implement rate limiting for external API calls
- ⚠️ Add retry logic with exponential backoff
- ⚠️ Implement circuit breaker pattern
---
## Documentation
- ✅ [Microsoft Entra VerifiedID Integration Guide](./MICROSOFT_ENTRA_VERIFIEDID.md)
- ✅ [Integration Summary](./INTEGRATION_SUMMARY.md)
- ✅ [Environment Variables Documentation](../configuration/ENVIRONMENT_VARIABLES.md)
---
## Summary
**All requested connectors are fully implemented:**
1.**Microsoft Entra VerifiedID Connector** - Complete
2.**Azure Logic Apps Connector** - Complete
3.**eIDAS to Entra Bridge** - Complete
4.**eIDAS verification connected for issuance through Entra VerifiedID** - Complete
**Next Steps:**
1. Configure Azure resources (app registration, credential manifest)
2. Set environment variables
3. Test integration end-to-end
4. Add comprehensive tests
5. Consider additional connectors (Key Vault, Service Bus, etc.)

299
docs/integrations/EU_LAISSEZ_PASSER_SPECIFICATION.md Normal file
View File

@@ -0,0 +1,299 @@
# EU Laissez-Passer (EU-LP) — Technical Specification
**Document Type:** Technical Specification
**Version:** 1.0
**Last Updated:** 2024-12-28
**Status:** Reference Documentation
---
## 1) Legal & Governance
* **Instrument:** Council Regulation (EU) No 1417/2013 (form, issuance, recognition; replaces 1826/69). Does **not** itself grant privileges/immunities. Recognised by EU Member States; recognition in third countries via agreements.
* **Standards Basis:** Must meet the same **security standards/technical specs** as Member-State passports; aligned to **ICAO Doc 9303** (MRTD/eMRTD).
* **Issuing & Lifecycle:** Centralised enrolment, personalisation, delivery, and end-of-life (destruction) run by the European Commission on behalf of all EU issuing institutions.
---
## 2) Form Factor & Construction
* **Booklet Type:** Single booklet, **TD3 passport size**.
* **Dimensions:** **88 mm × 125 mm** (W×H). **Pages:** **48**. **Cover:** blue; hot-foil stamping; flexible plastic cover.
* **Validity:** Up to **6 years** (min 12 months). **No extensions.** **Provisional LP** possible up to **12 months**; its chip **may omit fingerprints**.
---
## 3) Data Page, MRZ & Document Identifiers
* **Visual Data (Core):**
- Surname
- Given names
- Date/place of birth
- Sex
- Nationality
- Document number
- Dates of issue/expiry
- Issuing authority
- Holder signature
- Primary colour photo plus ghost image
* **Function Line (Page 4):** Optional **"Function"** entry (e.g., Ambassador, Minister Counsellor, Attaché, etc.), including flags for **Family member** or **Temporary laissez-passer**.
* **Issuer Code (MRZ):** **EUE** (European Union). **Document Category (PRADO):** T (travel) / S (service/official/special).
* **MRZ Format:** ICAO **TD3** (2 lines × 44 chars) per Doc 9303; standard passport MRZ content/field ordering applies.
* **Known MRZ Deviation (Historic):** For German nationals, nationality field value change from **DEU** (pre-2022) to **D<<** (post-2022) to align with Doc 9303 Part 3; documented on the EU-LP CSCA site.
---
## 4) Electronic Document (Chip) & Biometrics
* **Type:** **Contactless IC** (eMRTD) embedded in datapage; ICAO-conforming. Stores digital **face image** + **two fingerprints** (except possible omission for provisional LPs).
* **Access Control & Trust:**
- **EU-LP PKI:** Country Signing Certificate Authority (CSCA) operated by the **European Commission JRC**; publishes CSCA certificates, link certificates and CRLs (PEM; SHA-256/SHA-1 fingerprints posted).
- **EAC/Extended Access:** Commission notes **extended access control** infrastructure for inspection systems.
- **ICAO PKD:** EU is a **member since 7 Nov 2017**; CSCA "**EUE**" available to PKD participants for global validation.
* **Current CSCA Materials:**
- **Current CSCA Self-Signed:** Released **27 Jul 2020**, valid to **27 Oct 2031**; SHA-256 fingerprint published.
- **New CSCA (2025 Series):** Released **10 Apr 2025**, valid to **10 Jul 2036**; to be active by **Jul 2025** (with link cert).
- **CRL:** Latest CRL publication dates and validity windows listed on the CSCA page.
**CSCA Resources:**
- Portal: https://eu-csca.jrc.ec.europa.eu/
- Certificate downloads (PEM format)
- CRL publication schedule
- Deviation notices
---
## 5) Physical & Print Security Features
* **Watermarks:** Dedicated watermark on biodata page; different watermark design on inner pages; centred positioning.
* **Laminate/OVD:** Holographic laminate with kinetic/metallic effects over the datapage.
* **Intaglio & Latent Image:** Intaglio printing with **latent "EU"** image; tactile features.
* **Optically Variable Ink (OVI):** OVI elements on inside covers (e.g., "EUE" motif).
* **UV/IR Features:** Substrate **without optical brighteners**, fluorescent fibres, UV overprints in **red/blue/green**; additional UV imagery (2022 redesign theme).
* **Numbering:** Laser-perforated serial on inner pages ("L" + digits); top-right numbering on biodata page.
* **Guilloches/Microprint:** Multitone guilloches; complex background patterns; screen-printed elements on datapage.
* **Binding/Anti-Tamper:** Security stitching/binding marks present across visa pages.
---
## 6) 2022 Design Refresh
* **In Circulation:** Since **July 2022** (after the initial 2015 upgrade).
* **Theme:** "Connectivity" & **space/universe** (EU **Galileo**/**Copernicus**). New UV graphics and specialised inks/print methods were introduced.
---
## 7) Eligibility & Functional Use
* **Eligible Holders:** EU representatives/staff (and, under conditions, certain **special applicants** and **family members**); eligibility governed by Staff Regulations/CEOS.
* **Recognition/Visa Handling:** Valid in EU Member States; third countries via agreement. Airlines/travel agents check acceptance/visa via **IATA Timatic**; document info published in **PRADO**/**FADO** for inspection.
* **Important Limitation:** The document **does not itself grant diplomatic status/immunity**.
---
## 8) Quick Reference — Border/ID Systems
* **Document Family:** **EU eMRTD**, issuer code **EUE**, TD3 format. **MRZ**: 2×44 chars per ICAO Doc 9303; standard passport field rules.
* **Chip Verification:** Trust EU-LP via **PKD** (CSCA EUE) or fetch CSCA/CRL directly from **JRC CSCA portal**. Extended access control supported; check reader configuration for EU-LP profiles.
* **Fingerprint Presence:** Required for standard booklets; **may be absent on provisional LPs** (design note on PRADO).
* **Specimen & Feature Lookup:** Use **PRADO: EUE-TS-02001** for exhaustive image-level features and page-by-page security elements.
---
## 9) Integration Notes
### For Identity Service Integration
* **MRZ Parsing:** Implement ICAO Doc 9303 TD3 format parser (2 lines × 44 characters).
* **Chip Reading:** Support contactless IC reading for eMRTD data groups (DG1, DG2, DG3).
* **Certificate Validation:** Integrate with EU-LP CSCA for certificate chain validation.
* **Biometric Verification:** Support face image and fingerprint verification (when present).
### For Document Verification
* **Security Feature Checks:**
- UV/IR feature detection
- Watermark verification
- Holographic laminate inspection
- Intaglio printing verification
- OVI element validation
* **MRZ Validation:**
- Check digit validation
- Field format validation
- Issuer code verification (EUE)
- Document number format
### For Credential Issuance
* **Diplomatic Credential Mapping:** Map EU-LP holder information to diplomatic credential claims:
- Function/role from page 4
- Issuing authority
- Validity period
- Document number
---
## 10) Technical Implementation Requirements
### ICAO Doc 9303 Compliance
* **Parts 35:** MRTD common specs, TD3 MRPs
* **Parts 1012:** LDS (Logical Data Structure), security mechanisms, PKI
* **Watch for Updates:** MRZ document-type code harmonisation (affects optional second letter in "P<" code) ahead of **Doc 9303 updates from 2026**.
### Certificate Management
* **Monitor EU-LP CSCA Page:** For certificate rollovers (new CSCA & link certs published **April 2025** with activation in **July 2025**).
* **Deviation Notices:** Watch for nationality-field encoding changes (e.g., German nationals: DEU → D<<).
### Data Groups (LDS)
Typical EU-LP eMRTD contains:
* **DG1:** MRZ data
* **DG2:** Face image
* **DG3:** Fingerprint template(s) — may be absent on provisional LPs
* **DG4:** Additional biometric data (if applicable)
* **DG5:** Displayed portrait
* **DG6:** Reserved
* **DG7:** Displayed signature
* **DG8DG16:** Additional data groups (if applicable)
---
## 11) Verification Flow
### Standard Verification Process
1. **Physical Inspection:**
- Check document format (TD3, 88×125mm)
- Verify security features (watermarks, OVI, UV/IR)
- Inspect binding and anti-tamper features
2. **MRZ Reading:**
- Read MRZ (2 lines × 44 chars)
- Validate check digits
- Verify issuer code (EUE)
- Parse document number, dates, personal data
3. **Chip Access:**
- Establish contactless communication
- Perform Basic Access Control (BAC) or Extended Access Control (EAC)
- Read data groups (DG1, DG2, DG3)
4. **Certificate Validation:**
- Fetch CSCA certificate from EU-LP CSCA portal or PKD
- Validate certificate chain
- Check CRL for revoked certificates
- Verify document signature
5. **Biometric Verification:**
- Compare live face image with DG2
- Compare live fingerprints with DG3 (if present)
- Calculate match scores
6. **Data Consistency:**
- Compare MRZ data with chip data (DG1)
- Verify visual data matches chip data
- Check document validity dates
---
## 12) Compliance & Standards
### Standards Alignment
* **ICAO Doc 9303:** Full compliance required
* **EU Regulation 1417/2013:** Form and issuance requirements
* **Security Standards:** Equivalent to Member-State passports
### Integration Points
* **PRADO:** Document specimen reference (EUE-TS-02001)
* **FADO:** Document authenticity database
* **IATA Timatic:** Travel document acceptance database
* **ICAO PKD:** Public Key Directory for certificate validation
---
## 13) References
### Official Sources
* **European Commission:** https://commission.europa.eu/about/departments-and-executive-agencies/human-resources-and-security/laissez-passer_en
* **EUR-Lex Regulation:** https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A32013R1417
* **PRADO Specimen:** https://www.consilium.europa.eu/prado/en/EUE-TS-02001/index.html
* **ICAO Doc 9303:** https://www.icao.int/publications/doc-series/doc-9303
* **EU-LP CSCA Portal:** https://eu-csca.jrc.ec.europa.eu/
### Related Documents
* **UN Laissez-Passer:** PRADO UNO-TS-02001 (for comparison)
* **ICAO PKD:** Public Key Directory membership information
* **IATA Timatic:** Travel document database
---
## 14) Implementation Checklist
### Phase 1: Basic Support
- [ ] MRZ parser for TD3 format (2×44 chars)
- [ ] Document number validation
- [ ] Issuer code recognition (EUE)
- [ ] Basic security feature detection
### Phase 2: Chip Integration
- [ ] Contactless IC reader integration
- [ ] BAC/EAC implementation
- [ ] LDS data group reading (DG1, DG2, DG3)
- [ ] Certificate chain validation
### Phase 3: Advanced Features
- [ ] EU-LP CSCA integration
- [ ] CRL checking
- [ ] Biometric verification (face, fingerprints)
- [ ] Full security feature validation
### Phase 4: Production
- [ ] Certificate rollover monitoring
- [ ] Deviation notice handling
- [ ] Integration with credential issuance
- [ ] Audit logging and compliance reporting
---
## Document Control
- **Version:** 1.0
- **Last Updated:** 2024-12-28
- **Next Review:** Quarterly (or upon ICAO/EU updates)
- **Owner:** Identity Service / Compliance Team
- **Status:** Reference Documentation
---
**Note:** This specification is for technical integration purposes. For legal and policy matters, refer to the official EU Regulation 1417/2013 and consult with legal counsel.

262
docs/integrations/INTEGRATION_SUMMARY.md Normal file
View File

@@ -0,0 +1,262 @@
# Integration Summary
This document provides an overview of all external integrations in The Order platform.
## EU Laissez-Passer (EU-LP) 📋
**Status**: Specification Documented
**Type**: Reference Documentation
**Documentation**: [EU_LAISSEZ_PASSER_SPECIFICATION.md](./EU_LAISSEZ_PASSER_SPECIFICATION.md)
### Overview
Technical specification for EU diplomatic travel document (Council Regulation EU 1417/2013). Meets ICAO Doc 9303 standards for eMRTD.
### Key Features
- TD3 format (88mm × 125mm, 48 pages)
- Contactless IC chip (eMRTD) with biometrics
- ICAO-compliant MRZ (2 lines × 44 chars)
- EU-LP PKI (CSCA operated by European Commission JRC)
- Extended Access Control (EAC) support
- Security features: watermarks, OVI, UV/IR, intaglio printing
### Integration Points
- Identity Service (document verification)
- Diplomatic Credential Management
- Document validation systems
- Certificate chain validation (EU-LP CSCA)
### Standards Compliance
- ICAO Doc 9303 (Parts 3-5, 10-12)
- EU Regulation 1417/2013
- Security standards equivalent to Member-State passports
### Implementation Status
- [x] Technical specification documented
- [ ] MRZ parser implementation
- [ ] Chip reading integration
- [ ] Certificate validation (CSCA)
- [ ] Biometric verification
- [ ] Security feature validation
## Microsoft Entra VerifiedID ✅
**Status**: Fully Integrated
**Package**: `@the-order/auth`
**Documentation**: [MICROSOFT_ENTRA_VERIFIEDID.md](./MICROSOFT_ENTRA_VERIFIEDID.md)
### Features
- ✅ Verifiable credential issuance
- ✅ Verifiable credential verification
- ✅ Presentation request creation
- ✅ QR code generation for mobile wallet integration
- ✅ OAuth2 client credentials flow for authentication
- ✅ Automatic token caching and refresh
### API Endpoints
- `POST /vc/issue/entra` - Issue credential via Entra VerifiedID
- `POST /vc/verify/entra` - Verify credential via Entra VerifiedID
- `POST /eidas/verify-and-issue` - eIDAS verification with Entra issuance
## Azure Logic Apps ✅
**Status**: Fully Integrated
**Package**: `@the-order/auth`
**Documentation**: [MICROSOFT_ENTRA_VERIFIEDID.md](./MICROSOFT_VERIFIEDID.md) (see Logic Apps section)
### Features
- ✅ Workflow trigger support
- ✅ Access key authentication
- ✅ Managed identity authentication (via @azure/identity)
- ✅ Pre-configured triggers for:
- eIDAS verification workflows
- VC issuance workflows
- Document processing workflows
### Usage
```typescript
import { AzureLogicAppsClient } from '@the-order/auth';
const client = new AzureLogicAppsClient({
workflowUrl: process.env.AZURE_LOGIC_APPS_WORKFLOW_URL!,
accessKey: process.env.AZURE_LOGIC_APPS_ACCESS_KEY,
});
await client.triggerEIDASVerification(documentId, userId, eidasProviderUrl);
```
## eIDAS to Microsoft Entra VerifiedID Bridge ✅
**Status**: Fully Integrated
**Package**: `@the-order/auth`
**Documentation**: [MICROSOFT_ENTRA_VERIFIEDID.md](./MICROSOFT_ENTRA_VERIFIEDID.md) (see eIDAS Bridge section)
### Features
- ✅ eIDAS signature verification
- ✅ Automatic credential issuance via Entra VerifiedID after eIDAS verification
- ✅ Certificate chain validation
- ✅ Validity period checking
- ✅ Optional Logic Apps workflow integration
### Flow
1. Request eIDAS signature for document
2. Verify eIDAS signature and certificate
3. Extract certificate information
4. Issue verifiable credential via Entra VerifiedID with eIDAS claims
5. (Optional) Trigger Logic Apps workflow
## eIDAS Provider ✅
**Status**: Fully Integrated
**Package**: `@the-order/auth`
**Documentation**: See auth package README
### Features
- ✅ Document signing via eIDAS provider
- ✅ Signature verification
- ✅ Certificate chain validation
- ✅ Validity period checking
## OIDC/OAuth2 ✅
**Status**: Fully Integrated
**Package**: `@the-order/auth`
**Documentation**: See auth package README
### Features
- ✅ Authorization URL generation
- ✅ Authorization code to token exchange
- ✅ Token introspection
- ✅ User info retrieval
## DID (Decentralized Identifiers) ✅
**Status**: Fully Integrated
**Package**: `@the-order/auth`
**Documentation**: See auth package README
### Supported Methods
-`did:web` - Web-based DID resolution
-`did:key` - Key-based DID resolution
### Features
- ✅ DID document resolution
- ✅ Signature verification (multibase and JWK formats)
## Recommended Additional Integrations
### 1. Azure Key Vault
- **Purpose**: Secure secret storage
- **Status**: Not yet integrated
- **Priority**: High
- **Use Case**: Store Entra client secrets, eIDAS API keys
### 2. Azure Service Bus / Event Grid
- **Purpose**: Event-driven architecture
- **Status**: Not yet integrated
- **Priority**: Medium
- **Use Case**: Async workflow processing, event notifications
### 3. Azure Monitor / Application Insights
- **Purpose**: Observability and monitoring
- **Status**: Partially integrated (OpenTelemetry)
- **Priority**: Medium
- **Use Case**: Enhanced monitoring for Entra VerifiedID operations
### 4. Azure Active Directory B2C
- **Purpose**: User authentication
- **Status**: Not yet integrated
- **Priority**: Medium
- **Use Case**: User sign-up and sign-in flows
### 5. Azure Storage (Blob)
- **Purpose**: Document storage alternative
- **Status**: Not yet integrated (S3/GCS supported)
- **Priority**: Low
- **Use Case**: Azure-native document storage
## Integration Checklist
### Microsoft Entra VerifiedID
- [x] Client implementation
- [x] OAuth2 authentication
- [x] Credential issuance
- [x] Credential verification
- [x] Presentation requests
- [x] Environment variable configuration
- [x] API endpoints
- [x] Documentation
### Azure Logic Apps
- [x] Client implementation
- [x] Access key authentication
- [x] Managed identity authentication
- [x] Workflow triggers
- [x] Environment variable configuration
- [x] Documentation
### eIDAS Bridge
- [x] Bridge implementation
- [x] eIDAS verification integration
- [x] Entra VerifiedID issuance integration
- [x] Logic Apps integration
- [x] API endpoints
- [x] Documentation
## Configuration Requirements
### Required for Entra VerifiedID
```bash
ENTRA_TENANT_ID=your-tenant-id
ENTRA_CLIENT_ID=your-client-id
ENTRA_CLIENT_SECRET=your-client-secret
ENTRA_CREDENTIAL_MANIFEST_ID=your-manifest-id
```
### Required for eIDAS Bridge
```bash
EIDAS_PROVIDER_URL=https://your-eidas-provider.com
EIDAS_API_KEY=your-eidas-api-key
# Plus all Entra VerifiedID variables above
```
### Required for Logic Apps
```bash
AZURE_LOGIC_APPS_WORKFLOW_URL=https://your-logic-app.azurewebsites.net
# Either:
AZURE_LOGIC_APPS_ACCESS_KEY=your-access-key
# Or:
AZURE_LOGIC_APPS_MANAGED_IDENTITY_CLIENT_ID=your-managed-identity-client-id
```
## Testing
### Manual Testing
1. Set up Azure AD app registration
2. Create credential manifest in Azure Portal
3. Configure environment variables
4. Test credential issuance: `POST /vc/issue/entra`
5. Test credential verification: `POST /vc/verify/entra`
6. Test eIDAS bridge: `POST /eidas/verify-and-issue`
### Integration Testing
- Unit tests for EntraVerifiedIDClient
- Unit tests for AzureLogicAppsClient
- Unit tests for EIDASToEntraBridge
- Integration tests for identity service endpoints
## Security Considerations
1. **Client Secrets**: Store in Azure Key Vault or similar
2. **Access Tokens**: Automatically cached and refreshed
3. **Managed Identity**: Prefer over client secrets when possible
4. **Certificate Validation**: Full chain validation for eIDAS
5. **Network Security**: Use private endpoints when available
## Next Steps
1. Add Azure Key Vault integration for secret management
2. Add comprehensive integration tests
3. Add monitoring and alerting for Entra VerifiedID operations
4. Add retry logic with exponential backoff
5. Add circuit breaker pattern for external service calls

294
docs/integrations/MICROSOFT_ENTRA_VERIFIEDID.md Normal file
View File

@@ -0,0 +1,294 @@
# Microsoft Entra VerifiedID Integration
This document describes the integration with Microsoft Entra VerifiedID for verifiable credential issuance and verification.
## Overview
The Order integrates with Microsoft Entra VerifiedID to:
- Issue verifiable credentials through Microsoft's managed service
- Verify verifiable credentials issued by Microsoft Entra VerifiedID
- Bridge eIDAS verification with Microsoft Entra VerifiedID credential issuance
- Integrate with Azure Logic Apps for workflow orchestration
## Architecture
```
┌─────────────┐ ┌──────────────┐ ┌─────────────────────┐
│ Client │────▶│ Identity │────▶│ Entra VerifiedID │
│ │ │ Service │ │ API │
└─────────────┘ └──────────────┘ └─────────────────────┘
┌──────────────┐
│ eIDAS Bridge │
│ │
│ 1. Verify │
│ 2. Issue VC │
└──────────────┘
┌──────────────┐
│ Logic Apps │
│ (Optional) │
└──────────────┘
```
## Setup
### 1. Microsoft Entra VerifiedID Configuration
1. **Create Azure AD App Registration**
- Go to Azure Portal → Azure Active Directory → App registrations
- Create a new registration
- Note the **Application (client) ID** and **Directory (tenant) ID**
2. **Configure API Permissions**
- Add permission: `Verifiable Credentials Service - VerifiableCredential.Create.All`
- Add permission: `Verifiable Credentials Service - VerifiableCredential.Verify.All`
- Grant admin consent
3. **Create Client Secret**
- Go to Certificates & secrets
- Create a new client secret
- Note the secret value (it's only shown once)
4. **Create Credential Manifest**
- Go to Azure Portal → Verified ID
- Create a new credential manifest
- Note the **Manifest ID**
### 2. Environment Variables
Add the following to your `.env` file:
```bash
# Microsoft Entra VerifiedID
ENTRA_TENANT_ID=your-tenant-id
ENTRA_CLIENT_ID=your-client-id
ENTRA_CLIENT_SECRET=your-client-secret
ENTRA_CREDENTIAL_MANIFEST_ID=your-manifest-id
# eIDAS (for bridge functionality)
EIDAS_PROVIDER_URL=https://your-eidas-provider.com
EIDAS_API_KEY=your-eidas-api-key
# Azure Logic Apps (optional)
AZURE_LOGIC_APPS_WORKFLOW_URL=https://your-logic-app.azurewebsites.net
AZURE_LOGIC_APPS_ACCESS_KEY=your-access-key
AZURE_LOGIC_APPS_MANAGED_IDENTITY_CLIENT_ID=your-managed-identity-client-id
```
## API Endpoints
### Issue Credential via Entra VerifiedID
**POST** `/vc/issue/entra`
Request body:
```json
{
"claims": {
"email": "user@example.com",
"name": "John Doe",
"role": "member"
},
"pin": "1234",
"callbackUrl": "https://your-app.com/callback"
}
```
Response:
```json
{
"requestId": "abc123",
"url": "https://verifiedid.did.msidentity.com/...",
"qrCode": "data:image/png;base64,...",
"expiry": 3600
}
```
### Verify Credential via Entra VerifiedID
**POST** `/vc/verify/entra`
Request body:
```json
{
"credential": {
"id": "vc:123",
"type": ["VerifiableCredential", "IdentityCredential"],
"issuer": "did:web:...",
"credentialSubject": { ... },
"proof": { ... }
}
}
```
Response:
```json
{
"verified": true
}
```
### eIDAS Verification with Entra Issuance
**POST** `/eidas/verify-and-issue`
This endpoint:
1. Verifies the eIDAS signature
2. Issues a verifiable credential via Microsoft Entra VerifiedID
3. Optionally triggers Azure Logic Apps workflow
Request body:
```json
{
"document": "base64-encoded-document",
"userId": "user-123",
"userEmail": "user@example.com",
"pin": "1234"
}
```
Response:
```json
{
"verified": true,
"credentialRequest": {
"requestId": "abc123",
"url": "https://verifiedid.did.msidentity.com/...",
"qrCode": "data:image/png;base64,..."
}
}
```
## Usage Examples
### TypeScript Client
```typescript
import { EntraVerifiedIDClient } from '@the-order/auth';
const client = new EntraVerifiedIDClient({
tenantId: process.env.ENTRA_TENANT_ID!,
clientId: process.env.ENTRA_CLIENT_ID!,
clientSecret: process.env.ENTRA_CLIENT_SECRET!,
credentialManifestId: process.env.ENTRA_CREDENTIAL_MANIFEST_ID!,
});
// Issue credential
const credential = await client.issueCredential({
claims: {
email: 'user@example.com',
name: 'John Doe',
},
pin: '1234',
});
// Verify credential
const verified = await client.verifyCredential(credential);
```
### eIDAS Bridge
```typescript
import { EIDASToEntraBridge } from '@the-order/auth';
const bridge = new EIDASToEntraBridge({
entraVerifiedID: {
tenantId: process.env.ENTRA_TENANT_ID!,
clientId: process.env.ENTRA_CLIENT_ID!,
clientSecret: process.env.ENTRA_CLIENT_SECRET!,
credentialManifestId: process.env.ENTRA_CREDENTIAL_MANIFEST_ID!,
},
eidas: {
providerUrl: process.env.EIDAS_PROVIDER_URL!,
apiKey: process.env.EIDAS_API_KEY!,
},
});
// Verify eIDAS and issue credential
const result = await bridge.verifyAndIssue(
document,
userId,
userEmail,
pin
);
```
## Azure Logic Apps Integration
The integration supports optional Azure Logic Apps workflows for:
- Document processing
- eIDAS verification workflows
- VC issuance workflows
### Logic App Workflow Example
```json
{
"definition": {
"triggers": {
"eidas-verification": {
"type": "Request",
"inputs": {
"schema": {
"type": "object",
"properties": {
"documentId": { "type": "string" },
"userId": { "type": "string" },
"eidasProviderUrl": { "type": "string" }
}
}
}
}
},
"actions": {
"process-eidas": {
"type": "Http",
"inputs": {
"method": "POST",
"uri": "@{triggerBody()['eidasProviderUrl']}/verify",
"body": {
"documentId": "@{triggerBody()['documentId']}"
}
}
}
}
}
}
```
## Security Considerations
1. **Client Secrets**: Store securely in Azure Key Vault or similar
2. **Access Tokens**: Automatically cached and refreshed
3. **PIN Protection**: Optional PIN for credential issuance
4. **Certificate Validation**: Full certificate chain validation for eIDAS
5. **Managed Identity**: Use Azure Managed Identity when possible instead of client secrets
## Troubleshooting
### Common Issues
1. **"Failed to get access token"**
- Check tenant ID, client ID, and client secret
- Verify API permissions are granted
- Check that admin consent is provided
2. **"Credential manifest ID is required"**
- Ensure `ENTRA_CREDENTIAL_MANIFEST_ID` is set
- Verify the manifest exists in Azure Portal
3. **"eIDAS verification failed"**
- Check eIDAS provider URL and API key
- Verify network connectivity to eIDAS provider
- Check certificate validity
## References
- [Microsoft Entra VerifiedID Documentation](https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/)
- [Azure Logic Apps Documentation](https://learn.microsoft.com/en-us/azure/logic-apps/)
- [eIDAS Regulation](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014R0910)

53
docs/integrations/README.md Normal file
View File

@@ -0,0 +1,53 @@
# Integrations Documentation
This directory contains documentation for all external system integrations, APIs, and technical specifications.
## Integration Guides
### Identity & Credential Systems
- **[MICROSOFT_ENTRA_VERIFIEDID.md](./MICROSOFT_ENTRA_VERIFIEDID.md)** - Microsoft Entra VerifiedID integration guide
- **[EU_LAISSEZ_PASSER_SPECIFICATION.md](./EU_LAISSEZ_PASSER_SPECIFICATION.md)** - EU Laissez-Passer technical specification
### Workflow & Automation
- **[INTEGRATION_SUMMARY.md](./INTEGRATION_SUMMARY.md)** - Overview of all integrations
- **[CONNECTOR_STATUS.md](./CONNECTOR_STATUS.md)** - Connector status and availability
## Integration Categories
### ✅ Fully Integrated
- Microsoft Entra VerifiedID
- Azure Logic Apps
- eIDAS Verification
- Stripe Payment Gateway
- AWS S3 Storage
- AWS KMS
### 📋 Documented (Pending Implementation)
- EU Laissez-Passer (EU-LP)
- ISO 20022 Payment Messages
- SWIFT Integration
- Additional payment networks
### 🔄 In Progress
- Temporal Workflow Engine
- AWS Step Functions
- Additional compliance systems
## Quick Reference
### For Developers
- See [INTEGRATION_SUMMARY.md](./INTEGRATION_SUMMARY.md) for complete integration status
- See [CONNECTOR_STATUS.md](./CONNECTOR_STATUS.md) for connector availability
- Check individual integration guides for implementation details
### For Compliance
- All integrations comply with relevant standards (ICAO, ISO, etc.)
- Security and audit requirements documented in each guide
- Certificate management and validation procedures included
## Related Documentation
- **[Configuration](../configuration/)** - Environment variables and configuration
- **[Governance](../governance/)** - Governance and compliance frameworks
- **[Legal](../legal/)** - Legal policies and compliance documents