From 735d5811bdda6a8761e50fdad367ecae8a95499c Mon Sep 17 00:00:00 2001
From: Wout Slakhorst
Date: Wed, 18 Sep 2024 14:15:53 +0200
Subject: [PATCH] some leftover stuff from #3333 (#3387)
---
 auth/api/iam/api.go | 10 ++--------
 auth/api/iam/jar_test.go | 6 +++---
 auth/api/iam/metadata.go | 24 ++++++++++++++----------
 auth/api/iam/metadata_test.go | 2 +-
 auth/api/iam/openid4vp.go | 3 +--
 auth/oauth/types.go | 5 +++++
 6 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
index 072cea359..39bc7aaf6 100644
--- a/auth/api/iam/api.go
+++ b/auth/api/iam/api.go
@@ -600,7 +600,7 @@ func (r Wrapper) OAuthAuthorizationServerMetadata(_ context.Context, request OAu
 }
 
 func (r Wrapper) oauthAuthorizationServerMetadata(clientID url.URL) (*oauth.AuthorizationServerMetadata, error) {
- md := authorizationServerMetadata(clientID, r.vdr.SupportedMethods())
+ md := authorizationServerMetadata(&clientID, r.vdr.SupportedMethods())
 if !r.auth.AuthorizationEndpointEnabled() {
 md.AuthorizationEndpoint = ""
 }
@@ -895,13 +895,7 @@ func (r Wrapper) authzRequestObjectStore() storage.SessionStore {
 }
 
 func (r Wrapper) subjectToBaseURL(subject string) url.URL {
- u := &url.URL{}
- publicURL := r.auth.PublicURL()
- if publicURL == nil {
- panic("publicURL is nil")
- }
- u = publicURL.JoinPath("oauth2", subject)
- return *u
+ return *r.auth.PublicURL().JoinPath("oauth2", subject)
 }
 
 // subjectExists checks whether the given subject is known on the local node.
diff --git a/auth/api/iam/jar_test.go b/auth/api/iam/jar_test.go
index 1d5cd11e4..5072dcdea 100644
--- a/auth/api/iam/jar_test.go
+++ b/auth/api/iam/jar_test.go
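Review bot: In the second hunk, subjectToBaseURL now dereferences the result of r.auth.PublicURL() unconditionally, so a nil public URL would presumably surface as a nil-pointer dereference inside JoinPath instead of the explicit `panic("publicURL is nil")` this hunk removes. If PublicURL is guaranteed non-nil once the auth module is configured, a one-line comment stating that invariant above the function would keep the next reader from re-adding the guard; otherwise keep a named check, e.g. `if r.auth.PublicURL() == nil { panic("publicURL is nil") }`, ahead of the return. Either way the failure mode should be documented rather than implicit.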
@@ -121,7 +121,7 @@ func TestJar_Parse(t *testing.T) {
 require.NoError(t, err)
 token := string(bytes)
 walletIssuerURL := test.MustParseURL(holderDID.String())
- verifierMetadata := authorizationServerMetadata(*verifierURL, []string{"web"})
+ verifierMetadata := authorizationServerMetadata(verifierURL, []string{"web"})
 configuration := &oauth.OpenIDConfiguration{
 JWKs: jwkSet,
 }
@@ -161,7 +161,7 @@ func TestJar_Parse(t *testing.T) {
 })
 t.Run("ok - post", func(t *testing.T) {
 ctx := newJarTestCtx(t)
- md := authorizationServerMetadata(*walletIssuerURL, []string{"web"})
+ md := authorizationServerMetadata(walletIssuerURL, []string{"web"})
 ctx.iamClient.EXPECT().RequestObjectByPost(context.Background(), "request_uri", md).Return(token, nil)
 ctx.keyResolver.EXPECT().ResolveKeyByID(kid, nil, resolver.AssertionMethod).Return(privateKey.Public(), nil)
 ctx.iamClient.EXPECT().OpenIDConfiguration(gomock.Any(), holderClientID).Return(configuration, nil)
@@ -217,7 +217,7 @@ func TestJar_Parse(t *testing.T) {
 })
 t.Run("post (made by wallet)", func(t *testing.T) {
 ctx := newJarTestCtx(t)
- md := authorizationServerMetadata(*walletIssuerURL, []string{"web"})
+ md := authorizationServerMetadata(walletIssuerURL, []string{"web"})
 ctx.iamClient.EXPECT().RequestObjectByPost(context.Background(), "request_uri", md).Return("", errors.New("server error"))
 
 res, err := ctx.jar.Parse(context.Background(), md, map[string][]string{
diff --git a/auth/api/iam/metadata.go b/auth/api/iam/metadata.go
index e8f1a804d..ec58fac86 100644
--- a/auth/api/iam/metadata.go
+++ b/auth/api/iam/metadata.go
@@ -31,14 +31,14 @@ import (
 "github.com/nuts-foundation/nuts-node/crypto/jwx"
 )
 
-func authorizationServerMetadata(issuerURL url.URL, supportedDIDMethods []string) oauth.AuthorizationServerMetadata {
+func authorizationServerMetadata(issuerURL *url.URL, supportedDIDMethods []string) oauth.AuthorizationServerMetadata {
 metadata := &oauth.AuthorizationServerMetadata{
 AuthorizationEndpoint: "openid4vp:",
 ClientIdSchemesSupported: clientIdSchemesSupported,
 DIDMethodsSupported: supportedDIDMethods,
 DPoPSigningAlgValuesSupported: jwx.SupportedAlgorithmsAsStrings(),
 GrantTypesSupported: grantTypesSupported,
- Issuer: issuerURL.String(),
+ Issuer: "https://self-issued.me/v2",
 PreAuthorizedGrantAnonymousAccessSupported: true,
 PresentationDefinitionUriSupported: to.Ptr(true),
 RequireSignedRequestObject: true,
@@ -49,9 +49,12 @@ func authorizationServerMetadata(issuerURL url.URL, supportedDIDMethods []string
 RequestObjectSigningAlgValuesSupported: jwx.SupportedAlgorithmsAsStrings(),
 }
 
- metadata.AuthorizationEndpoint = issuerURL.JoinPath("authorize").String()
- metadata.PresentationDefinitionEndpoint = issuerURL.JoinPath("presentation_definition").String()
- metadata.TokenEndpoint = issuerURL.JoinPath("token").String()
+ if issuerURL != nil {
+ metadata.Issuer = issuerURL.String()
+ metadata.AuthorizationEndpoint = issuerURL.JoinPath("authorize").String()
+ metadata.PresentationDefinitionEndpoint = issuerURL.JoinPath("presentation_definition").String()
+ metadata.TokenEndpoint = issuerURL.JoinPath("token").String()
+ }
 return *metadata
 }
 
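Review bot: authorizationServerMetadata has no doc comment, and the nil case introduced across both hunks is a second mode of the function: with issuerURL nil the result keeps Issuer `https://self-issued.me/v2` and AuthorizationEndpoint `openid4vp:` and leaves TokenEndpoint and PresentationDefinitionEndpoint empty, which the new call in openid4vp.go (`authorizationServerMetadata(nil, ...)`) relies on without saying so. Suggest `// authorizationServerMetadata returns the OAuth2/OpenID4VP metadata for the authorization server at issuerURL. A nil issuerURL yields the metadata of a self-issued OP: fixed issuer, "openid4vp:" authorization endpoint and no token or presentation-definition endpoint.` above the new signature. The self-issued issuer string is a protocol-level value and would read better as a named constant next to clientIdSchemesSupported than as a literal in the struct field, so the nil branch and the field visibly refer to the same thing.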
@@ -87,10 +90,11 @@ func clientMetadata(identity url.URL) oauth.OAuthClientMetadata {
 
 func openIDConfiguration(issuerURL url.URL, jwkSet jwk.Set, supportedDIDMethods []string) oauth.OpenIDConfiguration {
 return oauth.OpenIDConfiguration{
- Issuer: issuerURL.String(),
- IssuedAt: time.Now().Unix(),
- Subject: issuerURL.String(),
- JWKs: jwkSet,
- Metadata: oauth.EntityStatementMetadata{OpenIDProvider: authorizationServerMetadata(issuerURL, supportedDIDMethods)},
+ Issuer: issuerURL.String(),
+ IssuedAt: time.Now().Unix(),
+ Expiration: time.Now().Add(time.Hour).Unix(), // just a number, data is retrieved runtime. Value must be larger than clock skew to prevent technical problems.
+ Subject: issuerURL.String(),
+ JWKs: jwkSet,
+ Metadata: oauth.EntityStatementMetadata{OpenIDProvider: authorizationServerMetadata(&issuerURL, supportedDIDMethods)},
 }
 }
diff --git a/auth/api/iam/metadata_test.go b/auth/api/iam/metadata_test.go
index d4b3173a4..8f325b457 100644
--- a/auth/api/iam/metadata_test.go
+++ b/auth/api/iam/metadata_test.go
@@ -50,7 +50,7 @@ func Test_authorizationServerMetadata(t *testing.T) {
 RequestObjectSigningAlgValuesSupported: jwx.SupportedAlgorithmsAsStrings(),
 }
 authServerUrl := test.MustParseURL("https://example.com/oauth2/example")
- md := authorizationServerMetadata(*authServerUrl, []string{"test"})
+ md := authorizationServerMetadata(authServerUrl, []string{"test"})
 assert.Equal(t, baseExpected, md)
 }
 
diff --git a/auth/api/iam/openid4vp.go b/auth/api/iam/openid4vp.go
index a18569021..62e32a3c8 100644
--- a/auth/api/iam/openid4vp.go
+++ b/auth/api/iam/openid4vp.go
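Review bot: In openIDConfiguration, IssuedAt and Expiration are taken from two separate time.Now() calls, so the two claims can straddle a second boundary and the lifetime is a bare `time.Hour` literal inside the struct literal. Read the clock once before the return, `now := time.Now()`, then `IssuedAt: now.Unix(),` and `Expiration: now.Add(entityStatementLifetime).Unix(),` with the lifetime declared as a named constant. The trailing comment could then state the rationale more plainly, e.g. `// arbitrary lifetime: consumers fetch this statement at runtime, so it only has to exceed expected clock skew.`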
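Review bot: Test_authorizationServerMetadata still exercises only a non-nil issuer, while the nil branch added to metadata.go in this commit (Issuer `https://self-issued.me/v2`, AuthorizationEndpoint `openid4vp:`, empty TokenEndpoint and PresentationDefinitionEndpoint) has no test, even though openid4vp.go now depends on exactly that shape. Add a second subtest that calls `authorizationServerMetadata(nil, []string{"test"})` and asserts those four fields, so a later change to the nil handling cannot silently alter the metadata the local wallet flow receives.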
@@ -384,8 +384,7 @@ func (r Wrapper) sendAndHandleDirectPost(ctx context.Context, subject string, vp
 // Dispatch a new HTTP request to the local OpenID4VP wallet's authorization endpoint that includes request parameters,
 // but with openid4vp: as scheme.
 // The context contains data from the previous request. Usage by the handler will probably result in incorrect behavior.
- issuerURL := r.subjectToBaseURL(subject)
- userWalletMetadata := authorizationServerMetadata(issuerURL, r.vdr.SupportedMethods())
+ userWalletMetadata := authorizationServerMetadata(nil, r.vdr.SupportedMethods())
 response, err := r.handleAuthorizeRequest(ctx, subject, userWalletMetadata, *parsedRedirectURI)
 if err != nil {
 return nil, err
diff --git a/auth/oauth/types.go b/auth/oauth/types.go
index 12d1027ac..d9aa5e904 100644
--- a/auth/oauth/types.go
+++ b/auth/oauth/types.go
@@ -415,6 +415,8 @@ type OpenIDConfiguration struct {
 Subject string `json:"sub"`
 // IssuedAt: the time the entity statement was issued
 IssuedAt int64 `json:"iat"`
+ // Expiration: the time after which the entity statement may no longer be processed
+ Expiration int64 `json:"exp"`
 // JWKs is the JSON Web Key Set of the entity statement. Contains keys of all DIDs for the subject
 JWKs jwk.Set `json:"jwks"`
 // Metadata: the metadata of the entity statement
@@ -443,6 +445,9 @@ func (j *OpenIDConfiguration) UnmarshalJSON(bytes []byte) error {
 if issuedAt, ok := claims["iat"].(float64); ok {
 j.IssuedAt = int64(issuedAt)
 }
+ if expiration, ok := claims["exp"].(float64); ok {
+ j.Expiration = int64(expiration)
+ }
 metadataJson, _ := json.Marshal(claims["metadata"])
 if err := json.Unmarshal(metadataJson, &j.Metadata); err != nil {
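Review bot: The new Expiration field in OpenIDConfiguration is documented as "the time after which the entity statement may no longer be processed", but nothing visible in this diff enforces that: the UnmarshalJSON addition only copies `exp` into the field, and the producer side in metadata.go describes the value as "just a number". If a consumer elsewhere is expected to reject a statement whose exp has passed, the field comment should name that expectation; if the value is informational only, the comment overstates the contract and could read `// Expiration: the exp claim of the entity statement (informational, not validated here)`. Either way a reader of the type should not have to guess whether a stale statement is refused.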