Participant Metadata

Overview

The Participant Metadata service, also called the coordination function, collects, aggregates and distributes so-called metadata from the different participants. By retrieving this metadata, participants can validate the authenticity of tickets issued by other entities and communicate securely and directly with each other.

Implementation

Samtrafiken has developed an implementation, named BoB Metadata, of the participant metadata specification. Samtrafiken also runs the Administrative Body for Sweden, see endpoints below.

The specification is found at https://bitbucket.org/samtrafiken/bob-api-participant-metadata/src/master/participantMetadata.yaml

Endpoint

Production

Base URL v1 https://bobmetadata.samtrafiken.se/api/v1

Base URL v2 https://bobmetadata.samtrafiken.se/api/v2

To retrieve all metadata for all participants, call https://bobmetadata.samtrafiken.se/api/v2/participantMetadata.
This is the only call to the participant metadata service that doesn't require a PoP (proof-of-possession) token. Keep in mind, however, that the attached JWS must be verified before the payload data is used: the HTTPS (really SSL/TLS) transport should not be trusted. Since the transport might be tampered with, the authenticity of the payload data should be established, using the mechanisms defined in RFC 7515, before any processing of the payload data takes place.

Proof-of-possession authorisation (PoP) tokens are described in MTS5 (click "View raw")

JSON Web Signature (JWS) is described by RFC 7515

Test

Base URL v1 https://bobmetadata-pp.samtrafiken.se/api/v1

Base URL v2 https://bobmetadata-pp.samtrafiken.se/api/v2

To retrieve all test metadata for all participants in the test environment, call https://bobmetadata-pp.samtrafiken.se/api/v2/participantMetadata.

Technical details

Policy for what parts are required to be signed

In MTS5, chapter 2, it says "What parts are required to be signed is assumed to be a policy decision enforced the server end."

BoB Metadata has the following policies:

Calls without body that are also GET requests

p ts

Calls without body

p ts h:content-type

Calls with body

p b ts h:content-type

Chapter 3.2 in MTS5 specifies these parts and has more detailed information:

  • p = URL path component

  • ts = Unix timestamp as a number

  • b = Hash of the request body

  • h = Request headers
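
The three policies above could be enforced on the server side roughly as follows. This is an added example, not BoB Metadata code: it assumes the PoP token's signature has already been verified and its claims decoded into a dict, that `b` is the unpadded base64url SHA-256 of the body, that `h` is a two-element array of [signed header names, hash], and that a 300-second timestamp window is acceptable (check MTS5 chapter 3.2 for the exact encodings). The function names and the sample path are hypothetical.

```python
import base64
import hashlib
import time

def body_hash(body):
    # Assumption: "b" is the unpadded base64url SHA-256 digest of the raw body.
    return base64.urlsafe_b64encode(hashlib.sha256(body).digest()).rstrip(b"=").decode()

def required_parts(method, body):
    # The three BoB Metadata policies listed above.
    if body:
        return {"p", "b", "ts", "h:content-type"}
    if method.upper() == "GET":
        return {"p", "ts"}
    return {"p", "ts", "h:content-type"}

def check_pop_claims(claims, method, path, body=b"", now=None, max_skew=300):
    """Return policy violations for already signature-verified PoP claims."""
    now = time.time() if now is None else now
    present = {k for k in ("p", "b", "ts") if k in claims}
    h = claims.get("h")
    # Assumption: "h" is [list of signed header names, hash over them].
    # Only coverage is checked here; the header hash itself is not recomputed.
    if isinstance(h, list) and len(h) == 2 and isinstance(h[0], list):
        present |= {"h:" + str(name).lower() for name in h[0]}
    errors = ["missing signed part: " + part
              for part in sorted(required_parts(method, body) - present)]
    if "p" in claims and claims["p"] != path:
        errors.append("p does not match request path")
    if "ts" in claims:
        ts = claims["ts"]
        # "ts" must be a number (not a string), within max_skew seconds of now.
        is_number = isinstance(ts, (int, float)) and not isinstance(ts, bool)
        if not is_number or not abs(now - ts) <= max_skew:
            errors.append("ts is not a number within the allowed window")
    if body and "b" in claims and claims["b"] != body_hash(body):
        errors.append("b does not match request body hash")
    return errors

if __name__ == "__main__":
    # Constructed sample request and claims (hypothetical path).
    body = b'{"example": true}'
    claims = {"p": "/api/v2/example", "ts": int(time.time()),
              "b": body_hash(body), "h": [["content-type"], "constructed-hash"]}
    print(check_pop_claims(claims, "POST", "/api/v2/example", body))
    del claims["h"]
    print(check_pop_claims(claims, "POST", "/api/v2/example", body))
```

An empty list means the claims cover everything the policy requires for that request; any entry is a reason to reject the call.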