Capabilities

This page must be considered part of the iSHARE Framework

This page is considered normative and is therefore compliant with RFC 2119.

The /capabilities endpoint is required for every participant that provides services:

  • Participant Registry

  • Authorisation Registry

  • Service Provider

  • Identity Provider

The endpoint returns the iSHARE capabilities of the iSHARE party. The server response is an iSHARE signed JSON Web Token.

Depending on whether or not an Access Token is provided to the capabilities endpoint, the endpoint must return either public endpoints only, or both public and restricted endpoints. In detail:

  • If an access token IS NOT provided

    • Return public endpoints, including the Access Token endpoint

  • If an access token IS provided

    • Return public endpoints, including the Access Token endpoint

    • Return restricted endpoints

Any endpoints that do not support iSHARE's Identification, Authentication, and Authorisation (IAA) methods and are not intended for use by iSHARE roles should not be included in the capabilities endpoint response. This is because when a participant sees an endpoint in the capabilities response, they will assume it is iSHARE-compliant and supports iSHARE's IAA mechanisms. If a party has other endpoints that rely on different authorisation methods and are not aligned with iSHARE, those should be excluded from the response to prevent misunderstandings.

Retrieves iSHARE capabilities

GET /capabilities

The /capabilities endpoint is required for every participant that provides services. The endpoint returns iSHARE capabilities (supported versions & optional features) of the iSHARE party.

The capabilities endpoint should only return the public endpoints if no access token is provided. If an access token is provided, the capabilities endpoint will also provide the restricted endpoints. A party may also have private endpoints, which are endpoints for its own internal organization, that is, endpoints that are implemented but not shared with others. These endpoints are not within the scope of iSHARE and should not be returned to other iSHARE parties.

Server response is an iSHARE signed JSON Web Token. Please refer to the models 'jwtHeader' and 'jwtPayloadCapabilitiesToken' which indicate what the decoded response will look like.
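The selection rules above, as an added example (not iSHARE reference code): it builds the claim set to be signed, lists only iSHARE-aligned endpoints, and adds aud and restrictedServices only when a validated access token identified the caller. The inventory, its visibility and ishare_iaa fields, the party identifiers, the claims other than aud and the 30-second lifetime are assumptions; service entries are trimmed to two attributes and signing is left out.

```python
import time
import uuid

# Constructed endpoint inventory for a hypothetical Service Provider.
# "visibility" and "ishare_iaa" are internal bookkeeping fields assumed for
# this example; they are not part of the capabilities model.
INVENTORY = [
    {"identifier": "capabilities", "visibility": "public", "ishare_iaa": True,
     "endpointURL": "https://sp.example/capabilities"},
    {"identifier": "access_token", "visibility": "public", "ishare_iaa": True,
     "endpointURL": "https://sp.example/connect/token"},
    {"identifier": "containers", "visibility": "restricted", "ishare_iaa": True,
     "endpointURL": "https://sp.example/containers"},
    {"identifier": "legacy_report", "visibility": "public", "ishare_iaa": False,
     "endpointURL": "https://sp.example/legacy/report"},  # other auth scheme
    {"identifier": "ops_metrics", "visibility": "private", "ishare_iaa": True,
     "endpointURL": "https://sp.example/internal/metrics"},
]
INTERNAL_FIELDS = ("visibility", "ishare_iaa")


def listed(inventory, visibility):
    """Entries of one visibility class that support iSHARE IAA, internal fields stripped."""
    return [{k: v for k, v in e.items() if k not in INTERNAL_FIELDS}
            for e in inventory
            if e["visibility"] == visibility and e["ishare_iaa"]]


def capabilities_claims(inventory, party_id, client_id=None, now=None):
    """Build the claims to sign. client_id is the party identified by an
    already-validated access token, or None when no token was sent."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": party_id, "sub": party_id, "jti": uuid.uuid4().hex,
        "iat": now, "exp": now + 30,  # claim set and lifetime are assumptions
        "capabilities_info": {"publicServices": listed(inventory, "public")},
    }
    if client_id is not None:
        claims["aud"] = client_id  # aud only when an access token was presented
        claims["capabilities_info"]["restrictedServices"] = listed(inventory, "restricted")
    return claims
```

Private entries and entries without iSHARE IAA support never reach either list, whatever the caller presents.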

Authorizations

Authorization (string, required)

OAuth 2.0 authorization based on bearer token. MUST contain "Bearer " + access token value. Must be provided if restricted endpoints are needed.

Responses

200 OK (application/json)

Response Model

The model of the capabilities_token JWT response is available on the iSHARE OpenAPI documentation. For convenience, the model of the parties_info object, contained within the token, is described below:

Decoded capabilities_token parameters:

It contains iSHARE-compliant JWT claims; however, if an access token is not provided, then the aud claim should be omitted when signing the JWT. In addition, it contains the following parameters:

  • capabilities_info Object. Root level. (Required) Contains information about capabilities.

    • publicServices An array of objects. Contained in capabilities_info. (Required) When no Authorisation header is presented when invoking the /capabilities endpoint, only public_services are returned. Public services themselves may (and usually will) require authentication to invoke them.

      • identifier String. Contained in public_services. (Required) Unique identifier of the service. For iSHARE-defined services, it must contain the predefined identifier (defined as operationId in the iSHARE generic OpenAPI specification). For other services, it might, for instance, refer to operationId in OpenAPI specifications, or other forms of identifiers in other specification formats.

      • title String. Contained in public_services. (Required) Human-readable name of the service.

      • description String. Contained in public_services. Description of the service.

      • endpointDescription String. Contained in public_services. URL that describes the service endpoint. Could be, for instance, a URL to an OpenAPI description, a WSDL document, a SPARQL Service Description, etc.

      • endpointURL String. Contained in public_services. (Required) URL of the endpoint, including the correct host. Depending on the setup, this information could also already be included in the description that is provided via the endpointDescription.

      • tokenEndpoint String. Contained in public_services. URL where the access token for the feature can be retrieved. This is optional because, if the feature is the access token itself, it does not need to be mentioned twice.

      • status String. Contained in public_services. (Required) Provides information on the status of the service. Must be either "deprecated" or "active".

      • serviceType String. Contained in public_services. (Required) Can be either "framework-defined", "dataspace-defined" or "self-defined". A framework-defined service is required from a framework perspective (including, for instance, the /capabilities endpoint), a dataspace-defined service is required from a dataspace perspective, and a self-defined service is defined by the provider of the service (actual data services are part of this category).

      • version Object. Contained in public_services. (Required) Versioning information of the provided service.

        • compliesWithFrameworkVersions An array of strings. Contained in version. An array of framework versions that the service complies with, at a framework level. If not included, the service is assumed to be compliant with the latest version. The versions can be retrieved using the /versions endpoint. Required for framework-defined services.

        • compliesWithDataspaceVersions An array of strings. Contained in version. An array of dataspace versions that the service complies with, at a dataspace level.

        • capabilityVersion An array of strings. Contained in version. (Required) Version of the provided service. The version numbering of services is not related to the version numbering of the framework or of a dataspace.

      • methods An array of strings. Contained in public_services. An array of operations supported by the endpoint. It could be HTTP methods when the endpoint is HTTP-based, for example: GET, POST, etc.

      • authRegistry Object. Contained in public_services. Optional object which contains details about the Authorisation Register that must be used for this service.

        • partyId String. Contained in authRegistry. (Required) Party Identifier of the Authorisation Registry provider that must be used for this service.

        • url String. Contained in authRegistry. (Required) The URL pointer specific to the party where authorisations can be queried/checked from.

    • restrictedServices An array of objects. Contained in capabilities_info. When an Authorisation header is presented when invoking the /capabilities endpoint, in addition to the public services, restricted services may be returned, based on the information provided on the participant by the Authorisation header. This could, for example, be implemented to expose services only to participants of a dataspace. restrictedServices themselves may (and usually will) require authentication to invoke them. The attributes of restrictedServices are identical to the attributes of publicServices and are therefore omitted here.
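A consumer-side check of the model above, as an added example (not iSHARE reference code): it takes the decoded payload of a capabilities token whose signature has already been verified and reports every deviation from the required attributes, the allowed values and the no-token rules. The function names, the message texts and the sample payload are constructed for this example.

```python
REQUIRED = ("identifier", "title", "endpointURL", "status", "serviceType", "version")
STATUSES = ("deprecated", "active")
SERVICE_TYPES = ("framework-defined", "dataspace-defined", "self-defined")


def check_service(svc, where):
    """Return the model violations found in one service entry."""
    errs = [f"{where}: missing {k}" for k in REQUIRED if k not in svc]
    if "status" in svc and svc["status"] not in STATUSES:
        errs.append(f"{where}: bad status {svc['status']!r}")
    if "serviceType" in svc and svc["serviceType"] not in SERVICE_TYPES:
        errs.append(f"{where}: bad serviceType {svc['serviceType']!r}")
    version = svc["version"] if isinstance(svc.get("version"), dict) else {}
    if "version" in svc and "capabilityVersion" not in version:
        errs.append(f"{where}: missing version.capabilityVersion")
    if svc.get("serviceType") == "framework-defined" and not version.get("compliesWithFrameworkVersions"):
        errs.append(f"{where}: framework-defined without compliesWithFrameworkVersions")
    if "authRegistry" in svc:
        reg = svc["authRegistry"] if isinstance(svc["authRegistry"], dict) else {}
        errs += [f"{where}: authRegistry missing {k}" for k in ("partyId", "url") if k not in reg]
    return errs


def check_capabilities(claims, sent_access_token):
    """Check a decoded capabilities payload against how the request was made."""
    info = claims.get("capabilities_info")
    if not isinstance(info, dict) or "publicServices" not in info:
        return ["capabilities_info.publicServices is required"]
    errs = []
    if not sent_access_token and "aud" in claims:
        errs.append("aud present although no access token was sent")
    if not sent_access_token and info.get("restrictedServices"):
        errs.append("restrictedServices returned without an access token")
    for group in ("publicServices", "restrictedServices"):
        for i, svc in enumerate(info.get(group, [])):
            errs += check_service(svc, f"{group}[{i}]")
    return errs


# Constructed sample: payload received for a request sent without an access token.
SAMPLE = {"iss": "EU.EORI.NL000000001", "aud": "EU.EORI.NL000000002",
          "capabilities_info": {"publicServices": [
              {"identifier": "capabilities", "title": "Capabilities",
               "endpointURL": "https://sp.example/capabilities", "status": "enabled",
               "serviceType": "framework-defined",
               "version": {"capabilityVersion": ["1.0"]}}]}}
```

An empty list from `check_capabilities` means the payload matched every rule checked here; each string otherwise names the offending entry by group and index.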

Example request

Example response

The response contains an encoded JWT, which looks like this:

After decoding, the example content of the JWT looks like this:
