set audience

nuts-foundation · Nov 27, 2023 · ed3a604 · ed3a604
1 parent 3a5dcd5
commit ed3a604
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/auth/api/iam/s2s_vptoken.go b/auth/api/iam/s2s_vptoken.go
@@ -290,8 +290,9 @@ func validatePresentationAudience(presentation vc.VerifiablePresentation, issuer
 		}
 	}
 	return oauth.OAuth2Error{
-		Code:        oauth.InvalidRequest,
-		Description: "presentation audience is missing or does not match",
+		Code:          oauth.InvalidRequest,
+		Description:   "presentation audience is missing or does not match",
+		InternalError: fmt.Errorf("expected: %s, got: %v", issuer, audience),
 	}
 }
 

diff --git a/auth/services/oauth/relying_party.go b/auth/services/oauth/relying_party.go
@@ -168,11 +168,13 @@ func (s *relyingParty) RequestRFC021AccessToken(ctx context.Context, requester d
 	}
 	expires := time.Now().Add(time.Second * 5)
 	// todo: support multiple wallets
+	domain := verifier.String()
 	vp, err := s.wallet.BuildPresentation(ctx, signInstructions[0].VerifiableCredentials, holder.PresentationOptions{
 		Format: format,
 		ProofOptions: proof.ProofOptions{
 			Created: time.Now(),
 			Expires: &expires,
+			Domain:  &domain,
 		},
 	}, &requester, false)
 	if err != nil {

diff --git a/vcr/holder/wallet.go b/vcr/holder/wallet.go
@@ -125,6 +125,9 @@ func (h wallet) buildJWTPresentation(ctx context.Context, subjectDID did.DID, cr
 			VerifiableCredential: credentials,
 		},
 	}
+	if options.ProofOptions.Domain != nil {
+		claims[jwt.AudienceKey] = *options.ProofOptions.Domain
+	}
 	if options.ProofOptions.Created.IsZero() {
 		claims[jwt.NotBeforeKey] = time.Now().Unix()
 	} else {

diff --git a/vcr/holder/wallet_test.go b/vcr/holder/wallet_test.go
@@ -96,11 +96,13 @@ func TestWallet_BuildPresentation(t *testing.T) {
 		t.Run("ok - custom options", func(t *testing.T) {
 			ctrl := gomock.NewController(t)
 			specialType := ssi.MustParseURI("SpecialPresentation")
+			domain := "https://example.com"
 			options := PresentationOptions{
 				AdditionalContexts: []ssi.URI{credential.NutsV1ContextURI},
 				AdditionalTypes:    []ssi.URI{specialType},
 				ProofOptions: proof.ProofOptions{
 					ProofPurpose: "authentication",
+					Domain:       &domain,
 				},
 				Format: JSONLDPresentationFormat,
 			}
@@ -118,7 +120,8 @@ func TestWallet_BuildPresentation(t *testing.T) {
 			assert.True(t, result.ContainsContext(credential.NutsV1ContextURI))
 			proofs, _ := result.Proofs()
 			require.Len(t, proofs, 1)
-			assert.Equal(t, proofs[0].ProofPurpose, "authentication")
+			assert.Equal(t, "authentication", proofs[0].ProofPurpose)
+			assert.Equal(t, "https://example.com", *proofs[0].Domain)
 			assert.Equal(t, JSONLDPresentationFormat, result.Format())
 		})
 		t.Run("ok - multiple VCs", func(t *testing.T) {
@@ -174,11 +177,13 @@ func TestWallet_BuildPresentation(t *testing.T) {
 		})
 		t.Run("optional proof options", func(t *testing.T) {
 			exp := time.Now().Local().Truncate(time.Second)
+			domain := "https://example.com"
 			options := PresentationOptions{
 				Format: JWTPresentationFormat,
 				ProofOptions: proof.ProofOptions{
 					Expires: &exp,
 					Created: exp.Add(-1 * time.Hour),
+					Domain:  &domain,
 				},
 			}
 
@@ -197,6 +202,7 @@ func TestWallet_BuildPresentation(t *testing.T) {
 			assert.NotNil(t, result.JWT())
 			assert.Equal(t, *options.ProofOptions.Expires, result.JWT().Expiration().Local())
 			assert.Equal(t, options.ProofOptions.Created, result.JWT().NotBefore().Local())
+			assert.Equal(t, []string{domain}, result.JWT().Audience())
 		})
 	})
 	t.Run("validation", func(t *testing.T) {