Used by:


Java CI with Maven

CDOC2 has been tested with JDK 17 and Maven 3.8.8

mvn clean install

Get from GitHub package repo

Configure GitHub package repo access

Example <profile> section of settings.xml for using cdoc2-auth-token:


Note: When pulling, the package index is based on the organization level, not the repository level.

So defining a single Maven package repo from open-eid is enough for pulling cdoc2-* dependencies.

Use in Maven pom.xml:




cdoc2-auth uses semantic versioning.

GitHub release

Create a release. This triggers the maven-release.yml workflow, which builds the Maven packages and publishes them to the GitHub Maven package repository.

cdoc2.auth-token.v1 examples

In short, a cdoc2 key-shares auth ticket is used to authenticate against multiple key-share servers by signing the authentication data once, without revealing one server's auth data to the other servers. The SD-JWT format is used for this.

SdJWT in encoded format:


To decode sd-jwt use

To generate an auth ticket, the client must first generate a nonce for each KeyShare object accessed, using the ${serverBaseUrl}/key-shares/${shareId}/nonce endpoint.


JWT header for cdoc2 auth ticket:

{
  "typ": "vnd.cdoc2.auth-token.v1+sd-jwt",
  "alg": "RS256"
}


JWT payload:

  "iss": "etsi/PNOEE-30303039914",
  "aud": [

Nonce value was acquired using ${serverBaseUrl}/key-shares/${shareId}/nonce endpoint.

Before signing, "aud" will be replaced with a digest value as specified in sd-jwt specification:

  "iss": "etsi/PNOEE-30303039914",
  "_sd": [
  "_sd_alg": "sha-256"

Each value of "aud" is selectively disclosed only to the CSS server that holds the shareId being accessed.

sd-jwt (auth ticket) for accessing key-share with nonce 59b314d4815f21f73a0b9168cecbd5773cc694b6

(use to decode)


The sd-jwt above has 2 Disclosures (the base64-encoded data between the ~ separators).

Disclosure 1 (digest V5_DrlDm-FXeGPdcMZQrB7EZPEO98URIAYvykgWHZr0):

WyJFVjVmZjNrM1FQUlVaZ0ltaGRJUlhRIiwiYXVkIixbeyIuLi4iOiJsUkVVLURBY2FHTnpGVnkwVHVSSGM2TjZfRFBPSGxqQUxfWldpOVkzc0trIn0seyIuLi4iOiI2Q2lLSUpGZkYtSEhxQ1VuRm41dnY4T3RlLU5mbG5KWlYyS1VYMmk3VUNNIn1dXQ: ["EV5ff3k3QPRUZgImhdIRXQ","aud",[{"...":"lREU-DAcaGNzFVy0TuRHc6N6_DPOHljAL_ZWi9Y3sKk"},{"...":"6CiKIJFfF-HHqCUnFn5vv8Ote-NflnJZV2KUX2i7UCM"}]]

Disclosure 2 (digest lREU-DAcaGNzFVy0TuRHc6N6_DPOHljAL_ZWi9Y3sKk):

WyJjak0yMGEwdUxROUdPaXExb3NMeXBBIiwiaHR0cHM6Ly9jc3MucmlhLmVlOjQ0My9rZXktc2hhcmVzLzlFRTkwRjJELUQ5NDYtNEQ1NC05QzNELUY0QzY4RjdGRkFFMz9ub25jZVx1MDAzZDU5YjMxNGQ0ODE1ZjIxZjczYTBiOTE2OGNlY2JkNTc3M2NjNjk0YjYiXQ: ["cjM20a0uLQ9GOiq1osLypA","https://css.ria.ee:443/key-shares/9EE90F2D-D946-4D54-9C3D-F4C68F7FFAE3?nonce\u003d59b314d4815f21f73a0b9168cecbd5773cc694b6"]

Note: Disclosure 1 also contains the digest 6CiKIJFfF-HHqCUnFn5vv8Ote-NflnJZV2KUX2i7UCM, but it is not disclosed, because that ShareId belongs to another key-share server.

Content of Disclosures:

| Digest | Salt | Claim Name | Claim Value |
|---|---|---|---|
| V5_DrlDm-FXeGPdcMZQrB7EZPEO98URIAYvykgWHZr0 | EV5ff3k3QPRUZgImhdIRXQ | aud | [{"...":"lREU-DAcaGNzFVy0TuRHc6N6_DPOHljAL_ZWi9Y3sKk"},{"...":"6CiKIJFfF-HHqCUnFn5vv8Ote-NflnJZV2KUX2i7UCM"}] |
| lREU-DAcaGNzFVy0TuRHc6N6_DPOHljAL_ZWi9Y3sKk | cjM20a0uLQ9GOiq1osLypA | (no value) | https://css.ria.ee:443/key-shares/9EE90F2D-D946-4D54-9C3D-F4C68F7FFAE3?nonce\u003d59b314d4815f21f73a0b9168cecbd5773cc694b6 |

Note: Digest can be calculated using

echo -n WyJFVjVmZjNrM1FQUlVaZ0ltaGRJUlhRIiwiYXVkIixbeyIuLi4iOiJsUkVVLURBY2FHTnpGVnkwVHVSSGM2TjZfRFBPSGxqQUxfWldpOVkzc0trIn0seyIuLi4iOiI2Q2lLSUpGZkYtSEhxQ1VuRm41dnY4T3RlLU5mbG5KWlYyS1VYMmk3VUNNIn1dXQ |openssl dgst -sha256 -binary|base64url|tr -d '=\n'
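The digest check and the effect of the undisclosed second "aud" entry, as an added Python example (not part of cdoc2-auth, which is Java): it recomputes the digests of the two Disclosures listed above and resolves the "aud" entries one server can see. Function names are illustrative, and the "_sd" list is assumed to hold the digest this page gives for Disclosure 1; signature verification and the other ticket rules are out of scope.

```python
import base64
import hashlib
import json

# Disclosures and digest copied from this page.
DISCLOSURE_1 = "WyJFVjVmZjNrM1FQUlVaZ0ltaGRJUlhRIiwiYXVkIixbeyIuLi4iOiJsUkVVLURBY2FHTnpGVnkwVHVSSGM2TjZfRFBPSGxqQUxfWldpOVkzc0trIn0seyIuLi4iOiI2Q2lLSUpGZkYtSEhxQ1VuRm41dnY4T3RlLU5mbG5KWlYyS1VYMmk3VUNNIn1dXQ"
DISCLOSURE_2 = "WyJjak0yMGEwdUxROUdPaXExb3NMeXBBIiwiaHR0cHM6Ly9jc3MucmlhLmVlOjQ0My9rZXktc2hhcmVzLzlFRTkwRjJELUQ5NDYtNEQ1NC05QzNELUY0QzY4RjdGRkFFMz9ub25jZVx1MDAzZDU5YjMxNGQ0ODE1ZjIxZjczYTBiOTE2OGNlY2JkNTc3M2NjNjk0YjYiXQ"
AUD_DIGEST = "V5_DrlDm-FXeGPdcMZQrB7EZPEO98URIAYvykgWHZr0"  # assumed "_sd" entry


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def disclosure_digest(disclosure: str) -> str:
    # sha-256 over the ASCII bytes of the encoded disclosure (same as the openssl command)
    return b64url_nopad(hashlib.sha256(disclosure.encode("ascii")).digest())


def decode_disclosure(disclosure: str) -> list:
    padded = disclosure + "=" * (-len(disclosure) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def disclosed_aud(sd_digests: list, disclosures: list) -> list:
    """Return the "aud" entries visible to a server that received `disclosures`."""
    by_digest = {disclosure_digest(d): decode_disclosure(d) for d in disclosures}
    aud = None
    for digest in sd_digests:
        item = by_digest.get(digest)
        if item is not None and len(item) == 3 and item[1] == "aud":
            aud = by_digest.pop(digest)[2]  # object property: [salt, name, value]
    if aud is None:
        raise ValueError('no disclosure matches an "_sd" digest for "aud"')
    visible = []
    for element in aud:
        if isinstance(element, dict) and set(element) == {"..."}:
            item = by_digest.pop(element["..."], None)
            if item is None:
                continue  # digest without a disclosure: entry stays hidden
            if len(item) != 2:  # array element must be [salt, value]
                raise ValueError("malformed array element disclosure")
            visible.append(item[1])
        else:
            visible.append(element)  # element was never hidden
    if by_digest:
        raise ValueError("disclosure not referenced by any digest")
    return visible
```

With both Disclosures from this page, `disclosed_aud([AUD_DIGEST], [DISCLOSURE_1, DISCLOSURE_2])` returns only the key-share URL for nonce 59b314d4815f21f73a0b9168cecbd5773cc694b6; the entry behind digest 6CiKIJFfF-HHqCUnFn5vv8Ote-NflnJZV2KUX2i7UCM stays hidden.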

After disclosing Disclosures from sd-jwt, JWT body will be:


Other rules to validate auth ticket:

Verifying SD-JWT (verifying authentication ticket)

For additional details see tests in src/test/java/