From 221f9a36f22d172b9167a45936adcec805869894 Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 28 Feb 2024 16:36:26 +0100
Subject: [PATCH 01/14] SPHEREON-1157: include presentationSubmission in auth response, include nonce in AuthorizationResponsePayload
---
 src/authorization-response/AuthorizationResponse.ts | 4 +++-
 src/authorization-response/Payload.ts | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index d36783a..fc09557 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -120,7 +120,9 @@ export class AuthorizationResponse {
 presentationDefinitions,
 presentations: wrappedPresentations,
 verificationCallback: verifyOpts.verification.presentationVerificationCallback,
- opts: { ...responseOpts.presentationExchange, hasher: verifyOpts.hasher },
+ opts: { ...responseOpts.presentationExchange,
+ presentationSubmission: (responseOpts.presentationExchange.presentationSubmission ?? authorizationResponsePayload.presentation_submission),
+ hasher: verifyOpts.hasher },
 });
 }
diff --git a/src/authorization-response/Payload.ts b/src/authorization-response/Payload.ts
index 7e65300..2c395aa 100644
--- a/src/authorization-response/Payload.ts
+++ b/src/authorization-response/Payload.ts
@@ -19,11 +19,13 @@ export const createResponsePayload = async (
 // If state was in request, it must be in response
 const state: string | undefined = await authorizationRequest.getMergedProperty('state');
+ const payload = await authorizationRequest.requestObject.getPayload();
 const responsePayload: AuthorizationResponsePayload = {
 ...(responseOpts.accessToken && { access_token: responseOpts.accessToken }),
 ...(responseOpts.tokenType && { token_type: responseOpts.tokenType }),
 ...(responseOpts.refreshToken && { refresh_token: responseOpts.refreshToken }),
+ ...(payload?.nonce && { nonce: payload.nonce}),
 expires_in: responseOpts.expiresIn || 3600,
 state,
 };
From 6285f12806330e75f6ec6319a302c642abd4be10 Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 28 Feb 2024 16:49:39 +0100
Subject: [PATCH 02/14] SPHEREON-1157: verifiedIdToken can be null
---
 src/authorization-response/AuthorizationResponse.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index fc09557..f2d11e4 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -139,8 +139,8 @@ export class AuthorizationResponse {
 const verifiedIdToken = await this.idToken?.verify(verifyOpts);
 const oid4vp = await verifyPresentations(this, verifyOpts);
- const nonce = merged.nonce ?? verifiedIdToken.payload.nonce ?? oid4vp.nonce;
- const state = merged.state ?? verifiedIdToken.payload.state;
+ const nonce = merged.nonce ?? verifiedIdToken?.payload.nonce ?? oid4vp.nonce;
+ const state = merged.state ?? verifiedIdToken?.payload.state;
 if (!state) {
 throw Error(`State is required`);
From 5d75581c82808ddd794e9d94721422ea78d12531 Mon Sep 17 00:00:00 2001
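Review bot: The nonce added here is read only from the request object (`authorizationRequest.requestObject.getPayload()`), whereas `state` two lines above is taken with `authorizationRequest.getMergedProperty('state')`, so a nonce passed as a plain request parameter rather than inside the request object is never echoed into the response. Assuming `getMergedProperty` accepts other claim names, the consistent form is `const nonce: string | undefined = await authorizationRequest.getMergedProperty('nonce');` with `...(nonce && { nonce }),` in the literal. Patch 04's Payload.ts hunk (`requestObject?.getPayload()`) only hides the case where the request object is absent; with the merged lookup that guard is not needed. createResponsePayload continues outside the hunk.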
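Review bot: `merged.nonce ?? verifiedIdToken?.payload.nonce ?? oid4vp.nonce` takes the first source that is set and never checks that the sources agree, so if `merged` is assembled from the raw response parameters (its construction is above the hunk) a response-level nonce wins over the nonce bound into the verified ID token or presentation without any comparison; the same applies to `state`. A mismatch should be rejected rather than resolved by precedence, e.g. `if (verifiedIdToken?.payload.nonce && nonce !== verifiedIdToken.payload.nonce) throw Error('nonce in response does not match the verified ID token');` and the same against `oid4vp.nonce`. The optional chaining itself is right, since `this.idToken?.verify` already yields undefined when no ID token is present. The enclosing method continues outside the hunk.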
From: sander
Date: Wed, 28 Feb 2024 16:53:55 +0100
Subject: [PATCH 03/14] SPHEREON-1157: prettier
---
 src/authorization-response/AuthorizationResponse.ts | 8 +++++---
 src/authorization-response/Payload.ts | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index f2d11e4..a84b5cc 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -120,9 +120,11 @@ export class AuthorizationResponse {
 presentationDefinitions,
 presentations: wrappedPresentations,
 verificationCallback: verifyOpts.verification.presentationVerificationCallback,
- opts: { ...responseOpts.presentationExchange,
- presentationSubmission: (responseOpts.presentationExchange.presentationSubmission ?? authorizationResponsePayload.presentation_submission),
- hasher: verifyOpts.hasher },
+ opts: {
+ ...responseOpts.presentationExchange,
+ presentationSubmission: responseOpts.presentationExchange.presentationSubmission ?? authorizationResponsePayload.presentation_submission,
+ hasher: verifyOpts.hasher,
+ },
 });
 }
diff --git a/src/authorization-response/Payload.ts b/src/authorization-response/Payload.ts
index 2c395aa..270c66c 100644
--- a/src/authorization-response/Payload.ts
+++ b/src/authorization-response/Payload.ts
@@ -25,7 +25,7 @@ export const createResponsePayload = async (
 ...(responseOpts.accessToken && { access_token: responseOpts.accessToken }),
 ...(responseOpts.tokenType && { token_type: responseOpts.tokenType }),
 ...(responseOpts.refreshToken && { refresh_token: responseOpts.refreshToken }),
- ...(payload?.nonce && { nonce: payload.nonce}),
+ ...(payload?.nonce && { nonce: payload.nonce }),
 expires_in: responseOpts.expiresIn || 3600,
 state,
 };
From 625de095a11b85ea054de540ef91c1c020af7b50 Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 28 Feb 2024 17:00:07 +0100
Subject: [PATCH 04/14] SPHEREON-1157: requestObject can be undefined. (At least in tests)
---
 src/authorization-response/AuthorizationResponse.ts | 2 +-
 src/authorization-response/Payload.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index a84b5cc..83fa12a 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -145,7 +145,7 @@ export class AuthorizationResponse {
 const state = merged.state ?? verifiedIdToken?.payload.state;
 if (!state) {
- throw Error(`State is required`);
+ throw Error(`State is required`const payload = await authorizationRequest.requestObject.getPayload());
 } else if (oid4vp.presentationDefinitions.length > 0 && !nonce) {
 throw Error('Nonce is required when using OID4VP');
 }
diff --git a/src/authorization-response/Payload.ts b/src/authorization-response/Payload.ts
index 270c66c..0f178b8 100644
--- a/src/authorization-response/Payload.ts
+++ b/src/authorization-response/Payload.ts
@@ -19,7 +19,7 @@ export const createResponsePayload = async (
 // If state was in request, it must be in response
 const state: string | undefined = await authorizationRequest.getMergedProperty('state');
- const payload = await authorizationRequest.requestObject.getPayload();
+ const payload = await authorizationRequest.requestObject?.getPayload();
 const responsePayload: AuthorizationResponsePayload = {
 ...(responseOpts.accessToken && { access_token: responseOpts.accessToken }),
From e133e964b3d65d0d267bb5baa39bebac4d9edb4b Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 28 Feb 2024 17:09:10 +0100
Subject: [PATCH 05/14] SPHEREON-1157: removed rogue paste
---
 src/authorization-response/AuthorizationResponse.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index 83fa12a..a84b5cc 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -145,7 +145,7 @@ export class AuthorizationResponse {
 const state = merged.state ?? verifiedIdToken?.payload.state;
 if (!state) {
- throw Error(`State is required`const payload = await authorizationRequest.requestObject.getPayload());
+ throw Error(`State is required`);
 } else if (oid4vp.presentationDefinitions.length > 0 && !nonce) {
 throw Error('Nonce is required when using OID4VP');
 }
From 6bae0d4547c15f2ad7a28dbf3ce50c28dadbb9e3 Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 28 Feb 2024 17:29:36 +0100
Subject: [PATCH 06/14] SPHEREON-1157: responseOpts.presentationExchange can be undefined
---
 src/authorization-response/AuthorizationResponse.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index a84b5cc..b857417 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -122,7 +122,7 @@ export class AuthorizationResponse {
 verificationCallback: verifyOpts.verification.presentationVerificationCallback,
 opts: {
 ...responseOpts.presentationExchange,
- presentationSubmission: responseOpts.presentationExchange.presentationSubmission ?? authorizationResponsePayload.presentation_submission,
+ presentationSubmission: responseOpts.presentationExchange?.presentationSubmission ?? authorizationResponsePayload.presentation_submission,
 hasher: verifyOpts.hasher,
 },
 });
@@ -152,7 +152,7 @@ export class AuthorizationResponse {
 return {
 authorizationResponse: this,
- verifyOpts,
+ verifyOpts, presentationSubmission: responseOpts.presentationExchange.presentationSubmissi
 nonce,
 state,
 correlationId: verifyOpts.correlationId,
From 66358b378e120341f9ddf534345a43a1e17d70e0 Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 28 Feb 2024 17:31:55 +0100
Subject: [PATCH 07/14] SPHEREON-1157: responseOpts.presentationExchange can be undefined
---
 src/authorization-response/AuthorizationResponse.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index b857417..8922908 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -152,7 +152,8 @@ export class AuthorizationResponse {
 return {
 authorizationResponse: this,
- verifyOpts, presentationSubmission: responseOpts.presentationExchange.presentationSubmissi
+ verifyOpts,
+ presentationSubmission: responseOpts.presentationExchange?.presentationSubmission,
 nonce,
 state,
 correlationId: verifyOpts.correlationId,
From e16d20bb55f51e0a1d3b01a8aa2ee1c5b62efc7b Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 28 Feb 2024 17:36:39 +0100
Subject: [PATCH 08/14] SPHEREON-1157: deleted rogue paste
---
 src/authorization-response/AuthorizationResponse.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index 8922908..a84b5cc 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -122,7 +122,7 @@ export class AuthorizationResponse {
 verificationCallback: verifyOpts.verification.presentationVerificationCallback,
 opts: {
 ...responseOpts.presentationExchange,
- presentationSubmission: responseOpts.presentationExchange?.presentationSubmission ?? authorizationResponsePayload.presentation_submission,
+ presentationSubmission: responseOpts.presentationExchange.presentationSubmission ?? authorizationResponsePayload.presentation_submission,
 hasher: verifyOpts.hasher,
 },
 });
@@ -153,7 +153,6 @@ export class AuthorizationResponse {
 return {
 authorizationResponse: this,
 verifyOpts,
- presentationSubmission: responseOpts.presentationExchange?.presentationSubmission,
 nonce,
 state,
 correlationId: verifyOpts.correlationId,
From a02632365babc6f3e97b93ad1aa3d86c78ac1669 Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 28 Feb 2024 17:39:38 +0100
Subject: [PATCH 09/14] SPHEREON-1157: responseOpts.presentationExchange can be undefined
---
 src/authorization-response/AuthorizationResponse.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index a84b5cc..ac32b28 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -122,7 +122,7 @@ export class AuthorizationResponse {
 verificationCallback: verifyOpts.verification.presentationVerificationCallback,
 opts: {
 ...responseOpts.presentationExchange,
- presentationSubmission: responseOpts.presentationExchange.presentationSubmission ?? authorizationResponsePayload.presentation_submission,
+ presentationSubmission: responseOpts.presentationExchange?.presentationSubmission ?? authorizationResponsePayload.presentation_submission,
 hasher: verifyOpts.hasher,
 },
 });
From b74c3509cede78a9ff61884f286365489ebc2ae5 Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 28 Feb 2024 17:44:34 +0100
Subject: [PATCH 10/14] SPHEREON-1157: presentationSubmission optional
---
 src/authorization-response/AuthorizationResponse.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index ac32b28..ad54ba4 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -115,6 +115,8 @@ export class AuthorizationResponse {
 if (hasVpToken) {
 const wrappedPresentations = await extractPresentationsFromAuthorizationResponse(response, { hasher: verifyOpts.hasher });
+ const presentationSubmission =
+ responseOpts.presentationExchange?.presentationSubmission ?? authorizationResponsePayload.presentation_submission;
 await assertValidVerifiablePresentations({
 presentationDefinitions,
@@ -124,7 +124,7 @@ export class AuthorizationResponse {
 verificationCallback: verifyOpts.verification.presentationVerificationCallback,
 opts: {
 ...responseOpts.presentationExchange,
- presentationSubmission: responseOpts.presentationExchange?.presentationSubmission ?? authorizationResponsePayload.presentation_submission,
+ ...(presentationSubmission ? { presentationSubmission: presentationSubmission } : {}),
 hasher: verifyOpts.hasher,
 },
 });
From 142c25b5c1d52bfb509924eda4715827bb90fabe Mon Sep 17 00:00:00 2001
From: sander
Date: Fri, 1 Mar 2024 10:09:25 +0100
Subject: [PATCH 11/14] SPHEREON-1157: response_uri support
---
 src/request-object/Payload.ts | 1 +
 src/rp/RP.ts | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/request-object/Payload.ts b/src/request-object/Payload.ts
index 94d8c10..dd6cba9 100644
--- a/src/request-object/Payload.ts
+++ b/src/request-object/Payload.ts
@@ -43,6 +43,7 @@ export const createRequestObjectPayload = async (opts: CreateAuthorizationReques
 //TODO implement /.well-known/openid-federation support in the OP side to resolve the client_id (URL) and retrieve the metadata
 client_id: clientId ?? opts.requestObject.signature.did,
 redirect_uri: payload.redirect_uri,
+ response_uri: payload.response_uri,
 response_mode: payload.response_mode ?? ResponseMode.DIRECT_POST,
 ...(payload.id_token_hint && { id_token_hint: payload.id_token_hint }),
 registration_uri: registration.clientMetadataOpts.reference_uri,
diff --git a/src/rp/RP.ts b/src/rp/RP.ts
index 1e58ce6..f512d62 100644
--- a/src/rp/RP.ts
+++ b/src/rp/RP.ts
@@ -237,14 +237,14 @@ export class RP {
 throw Error(`A response or redirect URI is required at this point`);
 } else {
 if (responseURIType === 'redirect_uri') {
- if (this._createRequestOptions?.requestObject?.payload && !this._createRequestOptions.requestObject?.payload?.redirect_uri) {
+ if (this._createRequestOptions?.requestObject?.payload /*&& !this._createRequestOptions.requestObject?.payload?.redirect_uri*/) {
 this._createRequestOptions.requestObject.payload.redirect_uri = responseURI;
 }
 if (!referenceURI && !this._createRequestOptions.payload?.redirect_uri) {
 this._createRequestOptions.payload.redirect_uri = responseURI;
 }
 } else if (responseURIType === 'response_uri') {
- if (this._createRequestOptions?.requestObject?.payload && !this._createRequestOptions.requestObject?.payload?.response_uri) {
+ if (this._createRequestOptions?.requestObject?.payload /*&& !this._createRequestOptions.requestObject?.payload?.response_uri*/) {
 this._createRequestOptions.requestObject.payload.response_uri = responseURI;
 }
 if (!referenceURI && !this._createRequestOptions.payload?.response_uri) {
From 27ad7ef6a6ad4a0e060a337a8a314213f6002dea Mon Sep 17 00:00:00 2001
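Review bot: `response_uri: payload.response_uri` is emitted unconditionally, like `redirect_uri` on the line above, so the signed request object can carry both URIs or neither depending on what the caller set; as far as I recall OpenID4VP treats `response_uri` and `redirect_uri` as mutually exclusive (`response_uri` belongs with `response_mode=direct_post`), and nothing here enforces that. Following the `id_token_hint` line, `...(payload.response_uri && { response_uri: payload.response_uri }),` keeps the key out when unset, and rejecting a payload that sets both would be a cheap extra check. createRequestObjectPayload starts and ends outside the hunk.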
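Review bot: Commenting out the `!...payload?.redirect_uri` / `!...payload?.response_uri` guards means the response URI now unconditionally overwrites whatever the request-object payload was configured with, while the plain-payload branch two lines below (`if (!referenceURI && !this._createRequestOptions.payload?.redirect_uri)`) still only fills the field when unset, so the two payloads can end up with different URIs after this call. If the override is intended, drop the dead commented fragment and say so, e.g. `// the response URI passed here is authoritative and replaces any redirect_uri/response_uri preset on the request object`; otherwise restore the guard — a commented-out condition should not be committed either way. Note also that selecting one URI type leaves a previously set value of the other type on the request object untouched. The enclosing method starts and ends outside the hunk.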
From: sander
Date: Mon, 4 Mar 2024 17:37:51 +0100
Subject: [PATCH 12/14] v0.6.0-unstable.10
---
 package.json | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/package.json b/package.json
index 761e89e..d28dc2d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@sphereon/did-auth-siop",
- "version": "0.6.0-unstable.9",
+ "version": "0.6.0-unstable.10",
 "source": "src/index.ts",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -46,20 +46,22 @@
 "uuid": "^9.0.0"
 },
 "devDependencies": {
+ "@babel/core": "^7.23.9",
+ "@babel/plugin-transform-runtime": "^7.16.0",
+ "@babel/preset-env": "^7.16.0",
+ "@cef-ebsi/ebsi-did-resolver": "^3.2.0",
+ "@cef-ebsi/key-did-resolver": "^1.1.0",
+ "@cef-ebsi/oauth2-auth": "^3.0.0",
+ "@cef-ebsi/siop-auth": "^4.0.0",
+ "@cef-ebsi/verifiable-presentation": "^6.1.0",
+ "@cef-ebsi/wallet-lib": "^4.2.0",
 "@digitalcredentials/did-method-key": "^2.0.3",
 "@digitalcredentials/ed25519-signature-2020": "^3.0.2",
 "@digitalcredentials/jsonld-signatures": "^9.3.2",
 "@digitalcredentials/vc": "^6.0.0",
+ "@transmute/did-key-ed25519": "^0.3.0-unstable.10",
 "@transmute/ed25519-key-pair": "0.7.0-unstable.82",
 "@transmute/ed25519-signature-2018": "^0.7.0-unstable.82",
- "@transmute/did-key-ed25519": "^0.3.0-unstable.10",
- "@cef-ebsi/wallet-lib": "^4.2.0",
- "@cef-ebsi/siop-auth": "^4.0.0",
- "@cef-ebsi/oauth2-auth": "^3.0.0",
- "@cef-ebsi/ebsi-did-resolver": "^3.2.0",
- "@cef-ebsi/key-did-resolver": "^1.1.0",
- "@cef-ebsi/verifiable-presentation": "^6.1.0",
- "did-resolver": "^4.1.0",
 "@types/jest": "^29.5.11",
 "@types/language-tags": "^1.0.4",
 "@types/qs": "^6.9.11",
@@ -71,14 +73,12 @@
 "bs58": "^5.0.0",
 "codecov": "^3.8.3",
 "cspell": "^6.26.3",
+ "did-resolver": "^4.1.0",
 "dotenv": "^16.3.1",
 "eslint": "^8.34.0",
 "eslint-config-prettier": "^8.6.0",
 "eslint-plugin-eslint-comments": "^3.2.0",
 "eslint-plugin-import": "^2.27.5",
- "@babel/core": "^7.23.9",
- "@babel/plugin-transform-runtime": "^7.16.0",
- "@babel/preset-env": "^7.16.0",
 "ethers": "^6.10.0",
 "jest": "^29.7.0",
 "jest-junit": "^16.0.0",
From e28f0001a4b07d8828bebccce4e31e90bfc87622 Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 6 Mar 2024 16:32:25 +0100
Subject: [PATCH 13/14] SPHEREON-1157: remove unnecessary code
---
 src/authorization-response/AuthorizationResponse.ts | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index ad54ba4..ca882d9 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -115,8 +115,6 @@ export class AuthorizationResponse {
 if (hasVpToken) {
 const wrappedPresentations = await extractPresentationsFromAuthorizationResponse(response, { hasher: verifyOpts.hasher });
- const presentationSubmission =
- responseOpts.presentationExchange?.presentationSubmission ?? authorizationResponsePayload.presentation_submission;
 await assertValidVerifiablePresentations({
 presentationDefinitions,
@@ -124,7 +122,6 @@ export class AuthorizationResponse {
 verificationCallback: verifyOpts.verification.presentationVerificationCallback,
 opts: {
 ...responseOpts.presentationExchange,
- ...(presentationSubmission ? { presentationSubmission: presentationSubmission } : {}),
 hasher: verifyOpts.hasher,
 },
 });
From 9426648420ec38aab61a296cae4d8e0d12864954 Mon Sep 17 00:00:00 2001
From: sander
Date: Wed, 6 Mar 2024 17:28:27 +0100
Subject: [PATCH 14/14] SPHEREON-1157: remove unnecessary code
---
 src/authorization-response/AuthorizationResponse.ts | 5 +----
 src/authorization-response/Payload.ts | 2 --
 2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/authorization-response/AuthorizationResponse.ts b/src/authorization-response/AuthorizationResponse.ts
index ca882d9..7999098 100644
--- a/src/authorization-response/AuthorizationResponse.ts
+++ b/src/authorization-response/AuthorizationResponse.ts
@@ -120,10 +120,7 @@ export class AuthorizationResponse {
 presentationDefinitions,
 presentations: wrappedPresentations,
 verificationCallback: verifyOpts.verification.presentationVerificationCallback,
- opts: {
- ...responseOpts.presentationExchange,
- hasher: verifyOpts.hasher,
- },
+ opts: { ...responseOpts.presentationExchange, hasher: verifyOpts.hasher },
 });
 }
diff --git a/src/authorization-response/Payload.ts b/src/authorization-response/Payload.ts
index 0f178b8..7e65300 100644
--- a/src/authorization-response/Payload.ts
+++ b/src/authorization-response/Payload.ts
@@ -19,13 +19,11 @@ export const createResponsePayload = async (
 // If state was in request, it must be in response
 const state: string | undefined = await authorizationRequest.getMergedProperty('state');
- const payload = await authorizationRequest.requestObject?.getPayload();
 const responsePayload: AuthorizationResponsePayload = {
 ...(responseOpts.accessToken && { access_token: responseOpts.accessToken }),
 ...(responseOpts.tokenType && { token_type: responseOpts.tokenType }),
 ...(responseOpts.refreshToken && { refresh_token: responseOpts.refreshToken }),
- ...(payload?.nonce && { nonce: payload.nonce }),
 expires_in: responseOpts.expiresIn || 3600,
 state,
 };