feat: support for OIDVP 20 and client_id_schemes

auer-martin · Jul 11, 2024 · d0823e4 · d0823e4
1 parent 70508a5
commit d0823e4
Show file tree

Hide file tree

Showing 18 changed files with 1,404 additions and 55 deletions.
diff --git a/.gitignore b/.gitignore
@@ -7,4 +7,5 @@ dist
 node_modules
 coverage
 *.log
+*.tsimp
 /src/schemas/validation/schemaValidation.js
diff --git a/generator/schemaGenerator.ts b/generator/schemaGenerator.ts
@@ -178,10 +178,21 @@ const authorizationRequestPayloadVD12OID4VPD18 = {
   skipTypeCheck: true,
 };
 
+const authorizationRequestPayloadVD12OID4VPD20 = {
+  path: '../src/types/SIOP.types.ts',
+  tsconfig: 'tsconfig.json',
+  type: 'AuthorizationRequestPayloadVD12OID4VPD20', // Or <type-name> if you want to generate schema for that one type only
+  schemaId: 'AuthorizationRequestPayloadVD12OID4VPD20Schema',
+  outputPath: 'src/schemas/AuthorizationRequestPayloadVD12OID4VPD20.schema.ts',
+  // outputConstName: 'AuthorizationRequestPayloadSchemaVD11',
+  skipTypeCheck: true,
+};
+
 let schemas: Schema[] = [
   writeSchema(authorizationRequestPayloadVID1),
   writeSchema(authorizationRequestPayloadVD11),
   writeSchema(authorizationRequestPayloadVD12OID4VPD18),
+  writeSchema(authorizationRequestPayloadVD12OID4VPD20),
   // writeSchema(requestOptsConf),
   writeSchema(responseOptsConf),
   writeSchema(rPRegistrationMetadataPayload),

diff --git a/src/authorization-request/AuthorizationRequest.ts b/src/authorization-request/AuthorizationRequest.ts
@@ -7,6 +7,7 @@ import { RequestObject } from '../request-object';
 import {
   AuthorizationRequestPayload,
   getJwtVerifierWithContext,
+  getRequestObjectJwtVerifier,
   PassBy,
   RequestObjectJwt,
   RequestObjectPayload,
@@ -122,13 +123,21 @@ export class AuthorizationRequest {
     if (parsedJwt) {
       requestObjectPayload = parsedJwt.payload as RequestObjectPayload;
 
-      const jwtVerifier = await getJwtVerifierWithContext(parsedJwt, 'request-object');
+      const jwtVerifier = await getRequestObjectJwtVerifier({ ...parsedJwt, payload: requestObjectPayload }, { type: 'request-object', raw: jwt });
       const result = await opts.verifyJwtCallback(jwtVerifier, { ...parsedJwt, raw: jwt });
-
       if (!result) {
         throw Error(SIOPErrors.ERROR_VERIFYING_SIGNATURE);
       }
 
+      // verify the verifier attestation
+      if (requestObjectPayload.client_id_scheme === 'verifier_attestation') {
+        const jwtVerifier = await getJwtVerifierWithContext(parsedJwt, { type: 'verifier-attestation' });
+        const result = await opts.verifyJwtCallback(jwtVerifier, { ...parsedJwt, raw: jwt });
+        if (!result) {
+          throw Error(SIOPErrors.ERROR_VERIFYING_SIGNATURE);
+        }
+      }
+
       if (this.hasRequestObject() && !this.payload.request_uri) {
         // Put back the request object as that won't be present yet
         this.payload.request = jwt;

diff --git a/src/helpers/SIOPSpecVersion.ts b/src/helpers/SIOPSpecVersion.ts
@@ -1,5 +1,8 @@
 import { AuthorizationRequestPayloadVD11Schema, AuthorizationRequestPayloadVID1Schema } from '../schemas';
-import { AuthorizationRequestPayloadVD12OID4VPD18Schema } from '../schemas/validation/schemaValidation';
+import {
+  AuthorizationRequestPayloadVD12OID4VPD18Schema,
+  AuthorizationRequestPayloadVD12OID4VPD20Schema,
+} from '../schemas/validation/schemaValidation';
 import { AuthorizationRequestPayload, ResponseMode, SupportedVersion } from '../types';
 import errors from '../types/Errors';
 
@@ -33,6 +36,18 @@ function isID1Payload(authorizationRequest: AuthorizationRequestPayload) {
 export const authorizationRequestVersionDiscovery = (authorizationRequest: AuthorizationRequestPayload): SupportedVersion[] => {
   const versions = [];
   const authorizationRequestCopy: AuthorizationRequestPayload = JSON.parse(JSON.stringify(authorizationRequest));
+  const vd13Validation = AuthorizationRequestPayloadVD12OID4VPD20Schema(authorizationRequestCopy);
+  if (vd13Validation) {
+    if (
+      !authorizationRequestCopy.registration_uri &&
+      !authorizationRequestCopy.registration &&
+      !(authorizationRequestCopy.claims && 'vp_token' in authorizationRequestCopy.claims) &&
+      authorizationRequestCopy.response_mode !== ResponseMode.POST // Post has been replaced by direct post
+    ) {
+      versions.push(SupportedVersion.SIOPv2_D12_OID4VP_D20);
+    }
+  }
+
   // todo: We could use v11 validation for v12 for now, as we do not differentiate in the schema at this point\
   const vd12Validation = AuthorizationRequestPayloadVD12OID4VPD18Schema(authorizationRequestCopy);
   if (vd12Validation) {

diff --git a/src/helpers/jwtUtils.ts b/src/helpers/jwtUtils.ts
@@ -2,7 +2,7 @@ import { jwtDecode } from 'jwt-decode';
 
 import { JwtHeader, JwtPayload, SIOPErrors } from '../types';
 
-export type JwtType = 'id-token' | 'request-object';
+export type JwtType = 'id-token' | 'request-object' | 'verifier-attestation';
 
 export type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'custom';
 

diff --git a/src/id-token/IDToken.ts b/src/id-token/IDToken.ts
@@ -157,22 +157,22 @@ export class IDToken {
 
     const parsedJwt = parseJWT(this._jwt);
     this.assertValidResponseJWT(parsedJwt);
+    const idTokenPayload = parsedJwt.payload as IDTokenPayload;
 
-    const jwtVerifier = await getJwtVerifierWithContext(parsedJwt, 'request-object');
+    const jwtVerifier = await getJwtVerifierWithContext(parsedJwt, { type: 'id-token' });
     const verificationResult = await verifyOpts.verifyJwtCallback(jwtVerifier, { ...parsedJwt, raw: this._jwt });
     if (!verificationResult) {
       throw Error(SIOPErrors.ERROR_VERIFYING_SIGNATURE);
     }
 
-    const verPayload = parsedJwt.payload as IDTokenPayload;
-    this.assertValidResponseJWT({ header: parsedJwt.header, verPayload: verPayload, audience: verifyOpts.audience });
+    this.assertValidResponseJWT({ header: parsedJwt.header, verPayload: idTokenPayload, audience: verifyOpts.audience });
     // Enforces verifyPresentationCallback function on the RP side,
     if (!verifyOpts?.verification.presentationVerificationCallback) {
       throw new Error(SIOPErrors.VERIFIABLE_PRESENTATION_VERIFICATION_FUNCTION_MISSING);
     }
     return {
       jwt: this._jwt,
-      payload: { ...verPayload },
+      payload: { ...idTokenPayload },
       verifyOpts,
     };
   }

diff --git a/src/request-object/Payload.ts b/src/request-object/Payload.ts
@@ -35,7 +35,7 @@ export const createRequestObjectPayload = async (opts: CreateAuthorizationReques
     scope: payload.scope ?? Scope.OPENID,
     //TODO implement /.well-known/openid-federation support in the OP side to resolve the client_id (URL) and retrieve the metadata
     client_id: clientId,
-    client_id_scheme: opts.clientMetadata.client_id_scheme,
+    client_id_scheme: opts.requestObject.payload.client_id_scheme,
     ...(payload.redirect_uri && { redirect_uri: payload.redirect_uri }),
     ...(payload.response_uri && { response_uri: payload.response_uri }),
     response_mode: payload.response_mode ?? ResponseMode.DIRECT_POST,

diff --git a/src/schemas/AuthorizationRequestPayloadVD12OID4VPD18.schema.ts b/src/schemas/AuthorizationRequestPayloadVD12OID4VPD18.schema.ts
@@ -118,7 +118,7 @@ export const AuthorizationRequestPayloadVD12OID4VPD18SchemaObj = {
           "type": "string"
         },
         "client_id_scheme": {
-          "$ref": "#/definitions/ClientIdScheme"
+          "$ref": "#/definitions/ClientIdSchemeOID4VPD18"
         },
         "response_uri": {
           "type": "string"
@@ -1056,15 +1056,13 @@ export const AuthorizationRequestPayloadVD12OID4VPD18SchemaObj = {
       ],
       "additionalProperties": false
     },
-    "ClientIdScheme": {
+    "ClientIdSchemeOID4VPD18": {
       "type": "string",
       "enum": [
         "pre-registered",
         "redirect_uri",
         "entity_id",
-        "did",
-        "x509_san_dns",
-        "x509_san_uri"
+        "did"
       ]
     }
   }