fix: Well-known DID resolution was not taking a configured resolver i…

…nto account
Sphereon-Opensource · Oct 1, 2023 · 8dd8304 · 8dd8304
1 parent 1bb9269
commit 8dd8304
Show file tree

Hide file tree

Showing 14 changed files with 583 additions and 32 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,17 +3,25 @@
 The DID Auth SIOP typescript library is still in an alpha state at this point. Please note that the interfaces might
 still change a bit as the software still is in active development.
 
+## 0.4.1 - 2023-10-01
+
+Fixed not being able to configure the resolver for well-known DIDs
+
+- Fixed:
+    - Well-known DIDs did not use a configured DID resolver and thus always used the universal resolver, which has
+      issues quite often.
+
 ## 0.4.0 - 2023-09-28
 
 - Fixed:
-  - Claims are not required in the auth request
-  - State is not required in payloads
-  - We didn't handle merging of verification options present on an object and passed in as argument nicely
+    - Claims are not required in the auth request
+    - State is not required in payloads
+    - We didn't handle merging of verification options present on an object and passed in as argument nicely
 
 - Updated:
-  - Updated to another JSONPath implementation for improved security `@astronautlabs/jsonpath`
-  - Better error handling and logging in the session manager
-  - Allow for numbers in the scheme thus supporting openid4vp://
+    - Updated to another JSONPath implementation for improved security `@astronautlabs/jsonpath`
+    - Better error handling and logging in the session manager
+    - Allow for numbers in the scheme thus supporting openid4vp://
 
 - Added:
     - Allow to pass additional claims as verified data in the authorization response. Which can be handy in case you

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/did-auth-siop",
-  "version": "0.4.1-unstable.0",
+  "version": "0.4.1",
   "source": "src/index.ts",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -30,8 +30,8 @@
   "dependencies": {
     "@sphereon/did-uni-client": "^0.6.0",
     "@sphereon/pex": "^2.1.2",
-    "@sphereon/pex-models": "^2.0.3",
-    "@sphereon/ssi-types": "^0.15.1",
+    "@sphereon/pex-models": "^2.1.0",
+    "@sphereon/ssi-types": "^0.17.3",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "@astronautlabs/jsonpath": "^1.1.2",
     "sha.js": "^2.4.11",

diff --git a/src/authorization-request/Payload.ts b/src/authorization-request/Payload.ts
@@ -94,17 +94,9 @@ export const checkWellknownDIDFromRequest = async (
 ): Promise<void> => {
   if (authorizationRequestPayload.client_id.startsWith('did:')) {
     if (opts.verification.checkLinkedDomain && opts.verification.checkLinkedDomain != CheckLinkedDomain.NEVER) {
-      await validateLinkedDomainWithDid(
-        authorizationRequestPayload.client_id,
-        opts.verification.wellknownDIDVerifyCallback,
-        opts.verification.checkLinkedDomain
-      );
+      await validateLinkedDomainWithDid(authorizationRequestPayload.client_id, opts.verification);
     } else if (!opts.verification.checkLinkedDomain && opts.verification.wellknownDIDVerifyCallback) {
-      await validateLinkedDomainWithDid(
-        authorizationRequestPayload.client_id,
-        opts.verification.wellknownDIDVerifyCallback,
-        CheckLinkedDomain.IF_PRESENT
-      );
+      await validateLinkedDomainWithDid(authorizationRequestPayload.client_id, opts.verification);
     }
   }
 };
diff --git a/src/did/DIDResolution.ts b/src/did/DIDResolution.ts
@@ -6,7 +6,7 @@ import { DIDDocument, ResolveOpts, SIOPErrors, SubjectIdentifierType, SubjectSyn
 import { getMethodFromDid, toSIOPRegistrationDidMethod } from './index';
 
 export function getResolver(opts: ResolveOpts): Resolvable {
-  if (opts?.resolver && typeof opts.resolver === 'object') {
+  if (opts && typeof opts.resolver === 'object') {
     return opts.resolver;
   }
   if (!opts || !opts.subjectSyntaxTypesSupported) {

diff --git a/src/did/LinkedDomainValidations.ts b/src/did/LinkedDomainValidations.ts
@@ -1,6 +1,6 @@
 import { IDomainLinkageValidation, ValidationStatusEnum, VerifyCallback, WDCErrors, WellKnownDidVerifier } from '@sphereon/wellknown-dids-client';
 
-import { CheckLinkedDomain, DIDDocument } from '../types';
+import { CheckLinkedDomain, DIDDocument, ExternalVerification, InternalVerification } from '../types';
 
 import { resolveDidDocument } from './DIDResolution';
 import { getMethodFromDid, toSIOPRegistrationDidMethod } from './DidJWT';
@@ -50,11 +50,15 @@ function checkInvalidMessages(validationErrorMessages: string[]): { status: bool
   return { status: true };
 }
 
-export async function validateLinkedDomainWithDid(did: string, verifyCallback: VerifyCallback, checkLinkedDomain: CheckLinkedDomain) {
+export async function validateLinkedDomainWithDid(did: string, verification: InternalVerification | ExternalVerification) {
+  const { checkLinkedDomain, resolveOpts, wellknownDIDVerifyCallback } = verification;
   if (checkLinkedDomain === CheckLinkedDomain.NEVER) {
     return;
   }
-  const didDocument = await resolveDidDocument(did, { subjectSyntaxTypesSupported: [toSIOPRegistrationDidMethod(getMethodFromDid(did))] });
+  const didDocument = await resolveDidDocument(did, {
+    ...resolveOpts,
+    subjectSyntaxTypesSupported: [toSIOPRegistrationDidMethod(getMethodFromDid(did))],
+  });
   if (!didDocument) {
     throw Error(`Could not resolve DID: ${did}`);
   }
@@ -63,7 +67,7 @@ export async function validateLinkedDomainWithDid(did: string, verifyCallback: V
     return;
   }
   try {
-    const validationResult = await checkWellKnownDid({ didDocument, verifyCallback });
+    const validationResult = await checkWellKnownDid({ didDocument, verifyCallback: wellknownDIDVerifyCallback });
     if (validationResult.status === ValidationStatusEnum.INVALID) {
       const validationErrorMessages = getValidationErrorMessages(validationResult);
       const messageCondition: { status: boolean; message?: string } = checkInvalidMessages(validationErrorMessages);

diff --git a/src/id-token/IDToken.ts b/src/id-token/IDToken.ts
@@ -121,9 +121,9 @@ export class IDToken {
 
     const issuerDid = getSubDidFromPayload(payload);
     if (verifyOpts.verification.checkLinkedDomain && verifyOpts.verification.checkLinkedDomain !== CheckLinkedDomain.NEVER) {
-      await validateLinkedDomainWithDid(issuerDid, verifyOpts.verification.wellknownDIDVerifyCallback, verifyOpts.verification.checkLinkedDomain);
+      await validateLinkedDomainWithDid(issuerDid, verifyOpts.verification);
     } else if (!verifyOpts.verification.checkLinkedDomain) {
-      await validateLinkedDomainWithDid(issuerDid, verifyOpts.verification.wellknownDIDVerifyCallback, CheckLinkedDomain.IF_PRESENT);
+      await validateLinkedDomainWithDid(issuerDid, verifyOpts.verification);
     }
     const verPayload = verifiedJWT.payload as IDTokenPayload;
     this.assertValidResponseJWT({ header, verPayload: verPayload, audience: verifyOpts.audience });