Minimized client metadata sent to sphereon wallet
reinkrul committed Oct 6, 2023
1 parent 89de568 commit 061f658
Showing 1 changed file with 25 additions and 64 deletions.
89 changes: 25 additions & 64 deletions auth/api/iam/openid.go
Expand Up @@ -43,79 +43,40 @@ import (

const sessionExpiry = 5 * time.Minute

// createOpenIDAuthzRequest creates a new Authorization Request as specified by OpenID4VP: https://openid.net/specs/openid-4-verifiable-presentations-1_0.html.
// createOpenIDAuthzRequest creates a new SIOPv2/OpenID4VP Authorization Request: https://openid.net/specs/openid-4-verifiable-presentations-1_0.html.
// It is sent by a verifier to a wallet, to request one or more verifiable credentials as verifiable presentation from the wallet.
func (r Wrapper) createOpenIDAuthzRequest(ctx context.Context, scope string, state string, presentationDefinition pe.PresentationDefinition, responseTypes []string, redirectURL url.URL, verifierDID did.DID) (string, error) {
params := make(map[string]interface{})
params[scopeParam] = scope
params[redirectURIParam] = redirectURL.String()
// TODO: Specifying client_metadata_uri causes Sphereon Wallet to conclude the RP (Nuts Node) does not support SIOPv2 ID1
// (since client_metadata_uri was specified later, in d11?).
// Leading to the error message: RP does not support spec version 70, supported versions: 71
// Which is actually pretty weird, since the URI scheme used is openid-vc: (from JWT VC presentation profile),
// instead of openid: (from SIOPv2 ID1).
//params[clientMetadataURIParam] = r.auth.PublicURL().JoinPath(".well-known", "oauth-authorization-server", identifierPath).String()
params[responseTypeParam] = strings.Join(responseTypes, " ")
// TODO: What about including other (than openid) scopes?
params[clientIDParam] = verifierDID.String()
params["iss"] = verifierDID.String()
params["sub"] = verifierDID.String()
params["jti"] = uuid.NewString()
now := time.Now()
params["nbf"] = now
params["iat"] = now
params["exp"] = now.Add(time.Minute)
params["nonce"] = generateCode()
params["state"] = state
// TODO: This should be the RPs metadata
params["registration"] = map[string]interface{}{
"client_name": "Nuts Node",
"client_purpose": "Please share this information to perform medical data exchanges.",
"id_token_signing_alg_values_supported": []string{"EdDSA", "ES256", "ES256K"},
"request_object_signing_alg_values_supported": []string{"EdDSA", "ES256", "ES256K"},
//"response_types_supported": []string{"id_token", "vp_token"},
"response_types_supported": []string{"id_token"}, // TODO
"scopes_supported": []string{scope},
"subject_types_supported": []string{"pairwise"}, // what is this?
"subject_syntax_types_supported": []string{"did:jwk", "did:web", "did:ion", "did:key", "did:ethr"}, // TODO: did:ion, did:ethr is not actually supported
"vp_formats": map[string]interface{}{
// TODO: JWT VC presentation profile implementation, does not specify JSON-LD
"jwt_vc": map[string]interface{}{
"alg": []string{"EdDSA", "ES256", "ES256K"},
},
"jwt_vp": map[string]interface{}{
"alg": []string{"EdDSA", "ES256", "ES256K"},
},
},
}

//params["registration"] = clientMetadata(url.URL{})
params["registration"] = map[string]interface{}{
"client_name": "Nuts Node",
"client_purpose": "Please share this information to perform medical data exchanges.",
"id_token_signing_alg_values_supported": []string{"EdDSA", "ES256", "ES256K"},
"request_object_signing_alg_values_supported": []string{"EdDSA", "ES256", "ES256K"},
//"response_types_supported": []string{"id_token", "vp_token"},
"response_types_supported": []string{"id_token"}, // TODO
"scopes_supported": []string{scope},
"subject_types_supported": []string{"pairwise"}, // what is this?
"subject_syntax_types_supported": []string{"did:jwk", "did:web", "did:ion", "did:key", "did:ethr"}, // TODO: did:ion, did:ethr is not actually supported
"vp_formats": map[string]interface{}{
// TODO: JWT VC presentation profile implementation, does not specify JSON-LD
"jwt_vc": map[string]interface{}{
"alg": []string{"EdDSA", "ES256", "ES256K"},
},
"jwt_vp": map[string]interface{}{
"alg": []string{"EdDSA", "ES256", "ES256K"},
},
},
params := map[string]interface{}{
scopeParam: scope,
redirectURIParam: redirectURL.String(),
responseTypeParam: strings.Join(responseTypes, " "),
clientIDParam: verifierDID.String(),
jwt.IssuerKey: verifierDID.String(),
jwt.SubjectKey: verifierDID.String(),
jwt.JwtIDKey: uuid.NewString(),
jwt.IssuedAtKey: now,
jwt.NotBeforeKey: now,
jwt.ExpirationKey: now.Add(time.Minute),
"nonce": uuid.NewString(),
stateParam: state,
}

for _, responseType := range responseTypes {
switch responseType {
case responseTypeIDToken:
// JWT-VC Presentation profile (SIOPv2)
params[responseModeParam] = responseModePost
// TODO: Specifying client_metadata_uri causes Sphereon Wallet to conclude the RP (Nuts Node) does not support SIOPv2 ID1
// (since client_metadata_uri was specified later, in d11?).
// Leading to the error message: RP does not support spec version 70, supported versions: 71
// Which is actually pretty weird, since the URI scheme used is openid-vc: (from JWT VC presentation profile),
// instead of openid: (from SIOPv2 ID1).
// params[clientMetadataURIParam] = r.auth.PublicURL().JoinPath(".well-known", "oauth-authorization-server", identifierPath).String()
// Instead, we specify the registration claim containing the metadata:
params["registration"] = map[string]interface{}{
// We can specify loads of metadata fields, but Sphereon Wallet works if we only specify the one(s) below
"subject_syntax_types_supported": []string{"did:jwk", "did:web"},
}
params["claims"] = map[string]interface{}{
"vp_token": map[string]interface{}{
"presentation_definition": presentationDefinition,
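Review bot: The `"nonce": uuid.NewString()` entry in the new params map is generated and sent, but nothing in the hunk records it with the session, so a vp_token response's nonce cannot be matched to the request — the value is only replay protection if it is persisted with the `state`-keyed session and compared on the way back. If that already happens past the end of createOpenIDAuthzRequest (the function continues beyond the hunk), a comment at that line, `// nonce is persisted with the session and must match the nonce in the returned vp_token`, would make the contract visible; otherwise it should be stored next to state. Related, `jwt.ExpirationKey: now.Add(time.Minute)` sits five lines below `sessionExpiry = 5 * time.Minute` without a stated relationship; naming the request-object lifetime (e.g. `const authzRequestExpiry = time.Minute` with a comment on why it is shorter than the session) keeps the two from drifting apart silently. Finally, the minimized `registration` claim drops the `vp_formats` and `*_signing_alg_values_supported` lists that previously advertised EdDSA/ES256/ES256K, so the wallet is no longer told which algorithms the RP accepts — worth a comment noting that the accepted algorithm set is now enforced only on the response-validation side, assuming that validation exists outside this hunk.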
