From ed3a604e22e676f3aed9dde730d951a4bb7b64fd Mon Sep 17 00:00:00 2001
From: Rein Krul
Date: Mon, 27 Nov 2023 16:28:20 +0100
Subject: [PATCH] set audience
---
 auth/api/iam/s2s_vptoken.go | 5 +++--
 auth/services/oauth/relying_party.go | 2 ++
 vcr/holder/wallet.go | 3 +++
 vcr/holder/wallet_test.go | 8 +++++++-
 4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/auth/api/iam/s2s_vptoken.go b/auth/api/iam/s2s_vptoken.go
index 884d18451c..77e679ee74 100644
--- a/auth/api/iam/s2s_vptoken.go
+++ b/auth/api/iam/s2s_vptoken.go
@@ -290,8 +290,9 @@ func validatePresentationAudience(presentation vc.VerifiablePresentation, issuer
 }
 }
 return oauth.OAuth2Error{
- Code: oauth.InvalidRequest,
- Description: "presentation audience is missing or does not match",
+ Code: oauth.InvalidRequest,
+ Description: "presentation audience is missing or does not match",
+ InternalError: fmt.Errorf("expected: %s, got: %v", issuer, audience),
 }
 }
diff --git a/auth/services/oauth/relying_party.go b/auth/services/oauth/relying_party.go
index c4feb2e802..7025ae0177 100644
--- a/auth/services/oauth/relying_party.go
+++ b/auth/services/oauth/relying_party.go
@@ -168,11 +168,13 @@ func (s *relyingParty) RequestRFC021AccessToken(ctx context.Context, requester d
 }
 expires := time.Now().Add(time.Second * 5)
 // todo: support multiple wallets
+ domain := verifier.String()
 vp, err := s.wallet.BuildPresentation(ctx, signInstructions[0].VerifiableCredentials, holder.PresentationOptions{
 Format: format,
 ProofOptions: proof.ProofOptions{
 Created: time.Now(),
 Expires: &expires,
+ Domain: &domain,
 },
 }, &requester, false)
 if err != nil {
diff --git a/vcr/holder/wallet.go b/vcr/holder/wallet.go
index ce4f8ac671..e7fa77fa46 100644
--- a/vcr/holder/wallet.go
+++ b/vcr/holder/wallet.go
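Review bot: The new `InternalError: fmt.Errorf("expected: %s, got: %v", issuer, audience)` line interpolates `audience`, which is taken from the client-supplied presentation, so this error now carries attacker-controlled text; that is acceptable for a server-side log line but must not be surfaced in the OAuth2 error response, and how OAuth2Error renders InternalError is not visible in this hunk, so please confirm it stays on the log path. The hunk also introduces a use of `fmt` that this file may or may not already import; the import block is outside the hunk. For log readability consider `fmt.Errorf("expected audience %q, got %v", issuer, audience)` so an empty issuer is visible. validatePresentationAudience starts outside the hunk.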
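Review bot: The new `domain := verifier.String()` line has no why-comment; suggest `// bind the presentation to the verifier (JWT aud) so the VP token cannot be replayed at another authorization server` above it. The string produced here must match exactly what validatePresentationAudience in auth/api/iam/s2s_vptoken.go (first hunk of this patch) compares against its `issuer` parameter, and that comparison lies outside both hunks, so confirm both sides use the same string form of the verifier DID or the token will be rejected with the new "presentation audience is missing or does not match" error. RequestRFC021AccessToken starts and ends outside the hunk.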
@@ -125,6 +125,9 @@ func (h wallet) buildJWTPresentation(ctx context.Context, subjectDID did.DID, cr
 VerifiableCredential: credentials,
 },
 }
+ if options.ProofOptions.Domain != nil {
+ claims[jwt.AudienceKey] = *options.ProofOptions.Domain
+ }
 if options.ProofOptions.Created.IsZero() {
 claims[jwt.NotBeforeKey] = time.Now().Unix()
 } else {
diff --git a/vcr/holder/wallet_test.go b/vcr/holder/wallet_test.go
index 4142848a04..907423825b 100644
--- a/vcr/holder/wallet_test.go
+++ b/vcr/holder/wallet_test.go
@@ -96,11 +96,13 @@ func TestWallet_BuildPresentation(t *testing.T) {
 t.Run("ok - custom options", func(t *testing.T) {
 ctrl := gomock.NewController(t)
 specialType := ssi.MustParseURI("SpecialPresentation")
+ domain := "https://example.com"
 options := PresentationOptions{
 AdditionalContexts: []ssi.URI{credential.NutsV1ContextURI},
 AdditionalTypes: []ssi.URI{specialType},
 ProofOptions: proof.ProofOptions{
 ProofPurpose: "authentication",
+ Domain: &domain,
 },
 Format: JSONLDPresentationFormat,
 }
@@ -118,7 +120,8 @@ func TestWallet_BuildPresentation(t *testing.T) {
 assert.True(t, result.ContainsContext(credential.NutsV1ContextURI))
 proofs, _ := result.Proofs()
 require.Len(t, proofs, 1)
- assert.Equal(t, proofs[0].ProofPurpose, "authentication")
+ assert.Equal(t, "authentication", proofs[0].ProofPurpose)
+ assert.Equal(t, "https://example.com", *proofs[0].Domain)
 assert.Equal(t, JSONLDPresentationFormat, result.Format())
 })
 t.Run("ok - multiple VCs", func(t *testing.T) {
@@ -174,11 +177,13 @@ func TestWallet_BuildPresentation(t *testing.T) {
 })
 t.Run("optional proof options", func(t *testing.T) {
 exp := time.Now().Local().Truncate(time.Second)
+ domain := "https://example.com"
 options := PresentationOptions{
 Format: JWTPresentationFormat,
 ProofOptions: proof.ProofOptions{
 Expires: &exp,
 Created: exp.Add(-1 * time.Hour),
+ Domain: &domain,
 },
 }
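Review bot: The guard `if options.ProofOptions.Domain != nil {` still lets a non-nil pointer to an empty string through, which writes `aud` as `""` into the JWT; that is almost certainly not intended and would only be caught later by a verifier's audience check. Tighten it to `if d := options.ProofOptions.Domain; d != nil && *d != "" {`, or reject the empty value with an error if callers are expected to always supply a real audience. A short comment such as `// the proof domain is carried as the JWT audience (aud) claim` would help readers connect the JSON-LD-style proof option to the JWT claim. buildJWTPresentation starts and ends outside the hunk.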
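Review bot: `assert.Equal(t, "https://example.com", *proofs[0].Domain)` in the `@@ -118,7 +120,8 @@` hunk dereferences Domain without a guard, so a regression that drops the domain from the JSON-LD proof would panic the test instead of reporting a clean failure; add `require.NotNil(t, proofs[0].Domain)` before it. Reusing the `domain` variable introduced earlier in the same subtest, `assert.Equal(t, domain, *proofs[0].Domain)`, would also keep the expected value in one place. TestWallet_BuildPresentation starts and ends outside the hunk.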
@@ -197,6 +202,7 @@ func TestWallet_BuildPresentation(t *testing.T) {
 assert.NotNil(t, result.JWT())
 assert.Equal(t, *options.ProofOptions.Expires, result.JWT().Expiration().Local())
 assert.Equal(t, options.ProofOptions.Created, result.JWT().NotBefore().Local())
+ assert.Equal(t, []string{domain}, result.JWT().Audience())
 })
 })
 t.Run("validation", func(t *testing.T) {