Merge pull request #142 from auer-martin/fix/client_id_scheme

fix: client_id_scheme & default scope handling
Sphereon-Opensource · Aug 20, 2024 · d4e90b0 · d4e90b0
2 parents f257fca + c559618
commit d4e90b0
Show file tree

Hide file tree

Showing 8 changed files with 113 additions and 116 deletions.
diff --git a/packages/common/lib/jwt/JwtIssuer.ts b/packages/common/lib/jwt/JwtIssuer.ts
@@ -36,8 +36,6 @@ export interface JwtIssuerX5c extends JwtIssuerBase {
    * It must match an entry in the x5c certificate leaf entry dnsName / uriName
    */
   issuer: string;
-
-  clientIdScheme: 'x509_san_dns' | 'x509_san_uri';
 }
 
 export interface JwtIssuerJwk extends JwtIssuerBase {

diff --git a/packages/oid4vci-common/lib/types/CredentialIssuance.types.ts b/packages/oid4vci-common/lib/types/CredentialIssuance.types.ts
@@ -1,15 +1,15 @@
-import { BaseJWK } from '@sphereon/oid4vc-common'
-import { IVerifiableCredential } from '@sphereon/ssi-types'
-
-import { ExperimentalSubjectIssuance } from '../experimental/holder-vci'
-
-import { AuthzFlowType } from './Authorization.types'
-import { OID4VCICredentialFormat, TxCode, UniformCredentialRequest } from './Generic.types'
-import { OpenId4VCIVersion } from './OpenID4VCIVersions.types'
-import { CredentialOfferPayloadV1_0_08, CredentialRequestV1_0_08 } from './v1_0_08.types'
-import { CredentialOfferPayloadV1_0_09, CredentialOfferV1_0_09 } from './v1_0_09.types'
-import { CredentialOfferPayloadV1_0_11, CredentialOfferV1_0_11, CredentialRequestV1_0_11 } from './v1_0_11.types'
-import { CredentialOfferPayloadV1_0_13, CredentialOfferV1_0_13, CredentialRequestV1_0_13 } from './v1_0_13.types'
+import { BaseJWK } from '@sphereon/oid4vc-common';
+import { IVerifiableCredential } from '@sphereon/ssi-types';
+
+import { ExperimentalSubjectIssuance } from '../experimental/holder-vci';
+
+import { AuthzFlowType } from './Authorization.types';
+import { OID4VCICredentialFormat, TxCode, UniformCredentialRequest } from './Generic.types';
+import { OpenId4VCIVersion } from './OpenID4VCIVersions.types';
+import { CredentialOfferPayloadV1_0_08, CredentialRequestV1_0_08 } from './v1_0_08.types';
+import { CredentialOfferPayloadV1_0_09, CredentialOfferV1_0_09 } from './v1_0_09.types';
+import { CredentialOfferPayloadV1_0_11, CredentialOfferV1_0_11, CredentialRequestV1_0_11 } from './v1_0_11.types';
+import { CredentialOfferPayloadV1_0_13, CredentialOfferV1_0_13, CredentialRequestV1_0_13 } from './v1_0_13.types';
 
 export interface CredentialResponse extends ExperimentalSubjectIssuance {
   credential?: IVerifiableCredential | string; // OPTIONAL. Contains issued Credential. MUST be present when acceptance_token is not returned. MAY be a JSON string or a JSON object, depending on the Credential format. See Appendix E for the Credential format specific encoding requirements

diff --git a/packages/siop-oid4vp/lib/request-object/Payload.ts b/packages/siop-oid4vp/lib/request-object/Payload.ts
@@ -3,7 +3,7 @@ import { uuidv4 } from '@sphereon/oid4vc-common'
 import { CreateAuthorizationRequestOpts, createPresentationDefinitionClaimsProperties } from '../authorization-request'
 import { createRequestRegistration } from '../authorization-request/RequestRegistration'
 import { getNonce, getState, removeNullUndefined } from '../helpers'
-import { RequestObjectPayload, ResponseMode, ResponseType, Scope, SIOPErrors, SupportedVersion } from '../types'
+import { RequestObjectPayload, ResponseMode, ResponseType, SIOPErrors, SupportedVersion } from '../types'
 
 import { assertValidRequestObjectOpts } from './Opts'
 
@@ -33,10 +33,10 @@ export const createRequestObjectPayload = async (opts: CreateAuthorizationReques
 
   return removeNullUndefined({
     response_type: payload.response_type ?? ResponseType.ID_TOKEN,
-    scope: payload.scope ?? Scope.OPENID,
+    scope: payload.scope,
     //TODO implement /.well-known/openid-federation support in the OP side to resolve the client_id (URL) and retrieve the metadata
     client_id: clientId,
-    client_id_scheme: opts.requestObject.payload.client_id_scheme,
+    client_id_scheme: payload.client_id_scheme,
     ...(payload.redirect_uri && { redirect_uri: payload.redirect_uri }),
     ...(payload.response_uri && { response_uri: payload.response_uri }),
     response_mode: payload.response_mode ?? ResponseMode.DIRECT_POST,

diff --git a/packages/siop-oid4vp/lib/request-object/RequestObject.ts b/packages/siop-oid4vp/lib/request-object/RequestObject.ts
@@ -88,12 +88,12 @@ export class RequestObject {
         this.payload.iss = this.payload.iss ?? did
         this.payload.sub = this.payload.sub ?? did
         this.payload.client_id = this.payload.client_id ?? did
+        this.payload.client_id_scheme = 'did'
 
         const header = { kid: jwtIssuer.didUrl, alg: jwtIssuer.alg, typ: 'JWT' }
         this.jwt = await this.opts.createJwtCallback(jwtIssuer, { header, payload: this.payload })
       } else if (jwtIssuer.method === 'x5c') {
         this.payload.iss = jwtIssuer.issuer
-        this.payload.client_id_scheme = jwtIssuer.clientIdScheme
 
         const header = { x5c: jwtIssuer.x5c, typ: 'JWT' }
         this.jwt = await this.opts.createJwtCallback(jwtIssuer, { header, payload: this.payload })

diff --git a/packages/siop-oid4vp/lib/rp/RPBuilder.ts b/packages/siop-oid4vp/lib/rp/RPBuilder.ts
@@ -5,7 +5,7 @@ import { Hasher } from '@sphereon/ssi-types'
 
 import { PropertyTarget, PropertyTargets } from '../authorization-request'
 import { PresentationVerificationCallback } from '../authorization-response'
-import { CreateJwtCallback, RequestAud, VerifyJwtCallback } from '../types'
+import { ClientIdScheme, CreateJwtCallback, RequestAud, VerifyJwtCallback } from '../types'
 import {
   AuthorizationRequestPayload,
   ClientMetadataOpts,
@@ -39,6 +39,7 @@ export class RPBuilder {
 
   clientMetadata?: ClientMetadataOpts = undefined
   clientId: string
+  clientIdScheme: string
 
   hasher: Hasher
 
@@ -74,6 +75,13 @@ export class RPBuilder {
     return this
   }
 
+  withClientIdScheme(clientIdScheme: ClientIdScheme, targets?: PropertyTargets): RPBuilder {
+    this._authorizationRequestPayload.client_id_scheme = assignIfAuth({ propertyValue: clientIdScheme, targets }, false)
+    this._requestObjectPayload.client_id_scheme = assignIfRequestObject({ propertyValue: clientIdScheme, targets }, true)
+    this.clientIdScheme = clientIdScheme
+    return this
+  }
+
   withIssuer(issuer: ResponseIss, targets?: PropertyTargets): RPBuilder {
     this._authorizationRequestPayload.iss = assignIfAuth({ propertyValue: issuer, targets }, false)
     this._requestObjectPayload.iss = assignIfRequestObject({ propertyValue: issuer, targets }, true)

diff --git a/packages/siop-oid4vp/lib/schemas/AuthorizationResponseOpts.schema.ts b/packages/siop-oid4vp/lib/schemas/AuthorizationResponseOpts.schema.ts
@@ -1605,18 +1605,10 @@ export const AuthorizationResponseOptsSchemaObj = {
         "issuer": {
           "type": "string",
           "description": "The issuer jwt\n\nThis value will be used as the iss value of the issue jwt. It is also used as the client_id. And will also be set as the redirect_uri\n\nIt must match an entry in the x5c certificate leaf entry dnsName / uriName"
-        },
-        "clientIdScheme": {
-          "type": "string",
-          "enum": [
-            "x509_san_dns",
-            "x509_san_uri"
-          ]
         }
       },
       "required": [
         "alg",
-        "clientIdScheme",
         "issuer",
         "method",
         "x5c"

diff --git a/packages/siop-oid4vp/lib/types/SIOP.types.ts b/packages/siop-oid4vp/lib/types/SIOP.types.ts
@@ -395,7 +395,6 @@ export type RPRegistrationMetadataOpts = Partial<
     | 'clientPurpose'
   >
 > & {
-  client_id_scheme?: ClientIdScheme
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   [x: string]: any
 }