Merge branch 'fix/verified_token_null' into fix/SPHEREON-1157_MOSIP-d…

…emo-fixes

# Conflicts:
#	package.json
#	src/authorization-response/AuthorizationResponse.ts
#	src/request-object/Payload.ts
#	src/rp/RP.ts

CHANGELOG.md

@@ -1,8 +1,30 @@
 # Release Notes
 
-The DID Auth SIOP typescript library is still in an alpha state at this point. Please note that the interfaces might
+The DID Auth SIOP typescript library is still in an beta state at this point. Please note that the interfaces might
 still change a bit as the software still is in active development.
 
+## 0.6.2 - 2024-03-04
+
+- Fixed:
+  - RP kept stale options to create the request object, resulting in recreation of the same request object over and over
+
+## 0.6.0 - 2024-02-29
+- Added:
+  - Initial support for SIOPv2 draft 11
+  - Initial support for OID4VP draft 18
+  - SD-JWT support
+  - Partial support for http(s) client_ids instead of DIDs. No validation for keys in this case yet though!
+  - Convert presentation submissions that inadvertently come in from external OPs as a string instead of an object
+  - Allow id-token only handling
+  - Allow vp-token only handling
+  - EBSI support
+- Fixed:
+  - issue with determining whether a Presentation Definition reference has been used
+  - vp_token handling and nonce management was incorrect in certain cases (for instance when no id token is used)
+  - Make sure a presentation verification callback result throws an error if it does not verify
+  - Do not put VP token in the id token as default for spec versions above v10 if no explicit location is provided
+  - Several small fixes
+
 ## 0.4.2 - 2023-10-01
 
 Fixed an issue with did:key resolution used in Veramo

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/did-auth-siop",
-  "version": "0.6.0-unstable.10",
+  "version": "0.6.3-unstable.0",
   "source": "src/index.ts",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -30,9 +30,9 @@
   "dependencies": {
     "@astronautlabs/jsonpath": "^1.1.2",
     "@sphereon/did-uni-client": "^0.6.1",
-    "@sphereon/pex": "^3.2.0",
-    "@sphereon/pex-models": "^2.2.0",
-    "@sphereon/ssi-types": "0.18.1",
+    "@sphereon/pex": "^3.3.0",
+    "@sphereon/pex-models": "^2.2.2",
+    "@sphereon/ssi-types": "0.19.0",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "cross-fetch": "^4.0.0",
     "did-jwt": "6.11.6",

src/authorization-request/AuthorizationRequest.ts

@@ -12,6 +12,7 @@ import {
   RequestObjectJwt,
   RequestObjectPayload,
   RequestStateInfo,
+  ResponseType,
   ResponseURIType,
   RPRegistrationMetadataPayload,
   Schema,

src/authorization-response/Payload.ts

@@ -19,11 +19,13 @@ export const createResponsePayload = async (
 
   // If state was in request, it must be in response
   const state: string | undefined = await authorizationRequest.getMergedProperty('state');
+  const payload = await authorizationRequest.requestObject.getPayload();
 
   const responsePayload: AuthorizationResponsePayload = {
     ...(responseOpts.accessToken && { access_token: responseOpts.accessToken }),
     ...(responseOpts.tokenType && { token_type: responseOpts.tokenType }),
     ...(responseOpts.refreshToken && { refresh_token: responseOpts.refreshToken }),
+    ...(payload?.nonce && { nonce: payload.nonce}),
     expires_in: responseOpts.expiresIn || 3600,
     state,
   };

src/authorization-response/PresentationExchange.ts

@@ -344,7 +344,12 @@ export class PresentationExchange {
         // So the behavior here is to bypass it if not present
         if (verifyPresentationCallback) {
           try {
-            await verifyPresentationCallback(vpw.original as W3CVerifiablePresentation, presentationSubmission);
+            const verificationResult = await verifyPresentationCallback(vpw.original as W3CVerifiablePresentation, presentationSubmission);
+            if (!verificationResult.verified) {
+              throw new Error(
+                SIOPErrors.VERIFIABLE_PRESENTATION_SIGNATURE_NOT_VALID + verificationResult.reason ? `. ${verificationResult.reason}` : ''
+              );
+            }
           } catch (error: unknown) {
             throw new Error(SIOPErrors.VERIFIABLE_PRESENTATION_SIGNATURE_NOT_VALID);
           }

src/authorization-response/types.ts

@@ -87,7 +87,7 @@ export enum VPTokenLocation {
   TOKEN_RESPONSE = 'token_response',
 }
 
-export type PresentationVerificationResult = { verified: boolean };
+export type PresentationVerificationResult = { verified: boolean; reason?: string };
 
 export type PresentationVerificationCallback = (
   args: W3CVerifiablePresentation | CompactSdJwtVc,

src/request-object/Payload.ts

@@ -42,8 +42,8 @@ export const createRequestObjectPayload = async (opts: CreateAuthorizationReques
     scope: payload.scope ?? Scope.OPENID,
     //TODO implement /.well-known/openid-federation support in the OP side to resolve the client_id (URL) and retrieve the metadata
     client_id: clientId ?? opts.requestObject.signature.did,
-    redirect_uri: payload.redirect_uri,
-    response_uri: payload.response_uri,
+    ...(payload.redirect_uri && { redirect_uri: payload.redirect_uri }),
+    ...(payload.response_uri && { response_uri: payload.response_uri }),
     response_mode: payload.response_mode ?? ResponseMode.DIRECT_POST,
     ...(payload.id_token_hint && { id_token_hint: payload.id_token_hint }),
     registration_uri: registration.clientMetadataOpts.reference_uri,

src/schemas/AuthorizationRequestPayloadVD11.schema.ts

@@ -285,6 +285,9 @@ export const AuthorizationRequestPayloadVD11SchemaObj = {
         "jwt_vp": {
           "$ref": "#/definitions/JwtObject"
         },
+        "jwt_vp_json": {
+          "$ref": "#/definitions/JwtObject"
+        },
         "ldp": {
           "$ref": "#/definitions/LdpObject"
         },

src/schemas/AuthorizationRequestPayloadVD12OID4VPD18.schema.ts

@@ -291,6 +291,9 @@ export const AuthorizationRequestPayloadVD12OID4VPD18SchemaObj = {
         "jwt_vp": {
           "$ref": "#/definitions/JwtObject"
         },
+        "jwt_vp_json": {
+          "$ref": "#/definitions/JwtObject"
+        },
         "ldp": {
           "$ref": "#/definitions/LdpObject"
         },

src/schemas/AuthorizationRequestPayloadVID1.schema.ts

@@ -257,6 +257,9 @@ export const AuthorizationRequestPayloadVID1SchemaObj = {
         "jwt_vp": {
           "$ref": "#/definitions/JwtObject"
         },
+        "jwt_vp_json": {
+          "$ref": "#/definitions/JwtObject"
+        },
         "ldp": {
           "$ref": "#/definitions/LdpObject"
         },

src/schemas/AuthorizationResponseOpts.schema.ts

@@ -1409,6 +1409,9 @@ export const AuthorizationResponseOptsSchemaObj = {
         "jwt_vp": {
           "$ref": "#/definitions/JwtObject"
         },
+        "jwt_vp_json": {
+          "$ref": "#/definitions/JwtObject"
+        },
         "ldp": {
           "$ref": "#/definitions/LdpObject"
         },

src/schemas/DiscoveryMetadataPayload.schema.ts

@@ -1245,6 +1245,9 @@ export const DiscoveryMetadataPayloadSchemaObj = {
         "jwt_vp": {
           "$ref": "#/definitions/JwtObject"
         },
+        "jwt_vp_json": {
+          "$ref": "#/definitions/JwtObject"
+        },
         "ldp": {
           "$ref": "#/definitions/LdpObject"
         },

src/schemas/RPRegistrationMetadataPayload.schema.ts

@@ -169,6 +169,9 @@ export const RPRegistrationMetadataPayloadSchemaObj = {
         "jwt_vp": {
           "$ref": "#/definitions/JwtObject"
         },
+        "jwt_vp_json": {
+          "$ref": "#/definitions/JwtObject"
+        },
         "ldp": {
           "$ref": "#/definitions/LdpObject"
         },

src/types/SIOP.types.ts

@@ -155,6 +155,7 @@ export interface AuthorizationResponsePayload {
   refresh_token?: string;
   expires_in?: number;
   state?: string;
+  nonce?: string;
   id_token?: string;
   vp_token?: Array<W3CVerifiablePresentation | CompactSdJwtVc> | W3CVerifiablePresentation | CompactSdJwtVc;
   presentation_submission?: PresentationSubmission;

yarn.lock

@@ -2527,27 +2527,48 @@
     "@sd-jwt/types" "0.2.0"
     "@sd-jwt/utils" "0.2.0"
 
-"@sd-jwt/present@^0.2.0":
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/@sd-jwt/present/-/present-0.2.0.tgz#01ecbd09dd21287be892b36d754a79c8629387f2"
-  integrity sha512-6xDBiB+UqCwW8k7O7OUJ7BgC/8zcO+AD5ZX1k4I6yjDM9vscgPulSVxT/yUH+Aov3cZ/BKvfKC0qDEZkHmP/kg==
+"@sd-jwt/decode@^0.3.0":
+  version "0.3.0"
+  resolved "https://registry.yarnpkg.com/@sd-jwt/decode/-/decode-0.3.0.tgz#23627ce1b7c678a6ac685d7241e7f64e18bd9a8c"
+  integrity sha512-jCN1g3VzopiUxUtBZWq0Ojfzbg+wYkE1/gV86Xq7/gV8aNacCJo7Su5a3pYtoYg/rnH7ou1kwpD6vteQFkvXMQ==
   dependencies:
-    "@sd-jwt/types" "0.2.0"
-    "@sd-jwt/utils" "0.2.0"
+    "@sd-jwt/types" "0.3.0"
+    "@sd-jwt/utils" "0.3.0"
+
+"@sd-jwt/present@^0.3.0":
+  version "0.3.0"
+  resolved "https://registry.yarnpkg.com/@sd-jwt/present/-/present-0.3.0.tgz#e054f66c0ec9c339570ec028e0f2291d75c279e3"
+  integrity sha512-dICPhH5hqOLXmuJMdTaA47ZMpCDkTzbWUQXsIgw0vma7Aj9Bc6ySNevPwlsUx4K8XBjPgYWwBM9tKdrs3tsCvQ==
+  dependencies:
+    "@sd-jwt/types" "0.3.0"
+    "@sd-jwt/utils" "0.3.0"
 
 "@sd-jwt/types@0.2.0":
   version "0.2.0"
   resolved "https://registry.yarnpkg.com/@sd-jwt/types/-/types-0.2.0.tgz#3cb50392e1b76ce69453f403c71c937a6e202352"
   integrity sha512-16WFRcL/maG0/JxN9UCSx07/vJ2SDbGscv9gDLmFLgJzhJcGPer41XfI6aDfVARYP430wHFixChfY/n7qC1L/Q==
 
-"@sd-jwt/utils@0.2.0", "@sd-jwt/utils@^0.2.0":
+"@sd-jwt/types@0.3.0":
+  version "0.3.0"
+  resolved "https://registry.yarnpkg.com/@sd-jwt/types/-/types-0.3.0.tgz#12f2fa7b448f1f5e368ddfac8db2143ed58c38f7"
+  integrity sha512-JbpZICZ+nWPiKPKw+Veg5tf0Oftit4EzxhLJyvcd0u4R6IulNZvi6LCoUL7b2IT1H86eYPd/qB1KvSh43ByZOA==
+
+"@sd-jwt/utils@0.2.0":
   version "0.2.0"
   resolved "https://registry.yarnpkg.com/@sd-jwt/utils/-/utils-0.2.0.tgz#ef52b744116e874f72ec01978f0631ad5a131eb7"
   integrity sha512-oHCfRYVHCb5RNwdq3eHAt7P9d7TsEaSM1TTux+xl1I9PeQGLtZETnto9Gchtzn8FlTrMdVsLlcuAcK6Viwj1Qw==
   dependencies:
     "@sd-jwt/types" "0.2.0"
     buffer "*"
 
+"@sd-jwt/utils@0.3.0", "@sd-jwt/utils@^0.3.0":
+  version "0.3.0"
+  resolved "https://registry.yarnpkg.com/@sd-jwt/utils/-/utils-0.3.0.tgz#73ce9809ccc98b35d5a6d1bf1ed34758bcdfb39d"
+  integrity sha512-jQNYxvyfLda9StVLeUqUZtv5csI6IuzcD6b55/wsC9xJgTuntZqf8vyJvuu4MwEJUFwm9PdGkCJXyl/nbpmNLw==
+  dependencies:
+    "@sd-jwt/types" "0.3.0"
+    buffer "*"
+
 "@sinclair/typebox@^0.27.8":
   version "0.27.8"
   resolved "https://registry.yarnpkg.com/@sinclair/typebox/-/typebox-0.27.8.tgz#6667fac16c436b5434a387a34dedb013198f6e6e"
@@ -2575,21 +2596,21 @@
     cross-fetch "^4.0.0"
     did-resolver "^4.1.0"
 
-"@sphereon/pex-models@^2.2.0":
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/@sphereon/pex-models/-/pex-models-2.2.0.tgz#32013fff43d4f47df03e213792a9bcc6866a1f06"
-  integrity sha512-dGDRdoxJj+P0TRqu0R8R0/IdIzrCya1MsnxIFbcmSW3rjPsbwXbV0EojEfxXGD5LhqsUJiuAffMtyE2dtVI/XQ==
+"@sphereon/pex-models@^2.2.2":
+  version "2.2.2"
+  resolved "https://registry.yarnpkg.com/@sphereon/pex-models/-/pex-models-2.2.2.tgz#3f8b12c49d8fab7372b4b47eae5bcbf8729cccba"
+  integrity sha512-CZIsBoaV5rMZEWYBsmH+RxsdoxpXf5FSDwDz0GB0qOf5WFk1BGUnzpZzi5yJ+2L151mhPk97dlRc9Wb01Awr4Q==
 
-"@sphereon/pex@^3.2.0":
-  version "3.2.0"
-  resolved "https://registry.yarnpkg.com/@sphereon/pex/-/pex-3.2.0.tgz#2b8cd5e9094c88c2cbf822b1b70584ca4a08293a"
-  integrity sha512-6qk4L7PaxFsHSVjG0w5SbffwuwI0sbnwyoaNBNku17u2WOThBcnH22sgCdNRRbzacXs0e4iAw7Cb1cd730LQaQ==
+"@sphereon/pex@^3.3.0":
+  version "3.3.0"
+  resolved "https://registry.yarnpkg.com/@sphereon/pex/-/pex-3.3.0.tgz#86384f7ee6e5a966b98d3e8010a27e93eb144317"
+  integrity sha512-CNthF/6dlIECqTqdOWGD5HOT72OWjzKTFVuFGmSbgOqsEtEtGU0e0g0gYbvXWNm0hYKsyFgS5XIZ1Uj3NR5UMg==
   dependencies:
     "@astronautlabs/jsonpath" "^1.1.2"
-    "@sd-jwt/decode" "^0.2.0"
-    "@sd-jwt/present" "^0.2.0"
-    "@sd-jwt/utils" "^0.2.0"
-    "@sphereon/pex-models" "^2.2.0"
+    "@sd-jwt/decode" "^0.3.0"
+    "@sd-jwt/present" "^0.3.0"
+    "@sd-jwt/utils" "^0.3.0"
+    "@sphereon/pex-models" "^2.2.2"
     "@sphereon/ssi-types" "0.18.1"
     ajv "^8.12.0"
     ajv-formats "^2.1.1"