openwallet-foundation-labs · TimoGlastra · Nov 23, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024
diff --git a/.changeset/brave-apricots-provide.md b/.changeset/brave-apricots-provide.md
@@ -0,0 +1,5 @@
+---
+"@animo-id/oauth2": minor
+---
+
+feat: add client attestations
diff --git a/.changeset/old-feet-begin.md b/.changeset/old-feet-begin.md
@@ -0,0 +1,5 @@
+---
+"@animo-id/oid4vci": minor
+---
+
+feat: add key attestations
diff --git a/packages/oauth2/src/Oauth2AuthorizationServer.ts b/packages/oauth2/src/Oauth2AuthorizationServer.ts
@@ -1,4 +1,4 @@
-import { parseWithErrorHandling } from '@animo-id/oauth2-utils'
+import { type FetchHeaders, parseWithErrorHandling } from '@animo-id/oauth2-utils'
 import { type CreateAccessTokenOptions, createAccessTokenJwt } from './access-token/create-access-token'
 import {
   type CreateAccessTokenResponseOptions,
@@ -22,6 +22,11 @@ import {
   parseAuthorizationChallengeRequest,
 } from './authorization-challenge/parse-authorization-challenge-request'
 import type { CallbackContext } from './callbacks'
+import {
+  extractClientAttestationJwtsFromHeaders,
+  verifyClientAttestationJwt,
+} from './client-attestation/clent-attestation'
+import { verifyClientAttestationPopJwt } from './client-attestation/client-attestation-pop'
 import { Oauth2ErrorCodes } from './common/v-oauth2-error'
 import {
   type AuthorizationServerMetadata,
@@ -159,4 +164,28 @@ export class Oauth2AuthorizationServer {
   public createAuthorizationChallengeErrorResponse(options: CreateAuthorizationChallengeErrorResponseOptions) {
     return createAuthorizationChallengeErrorResponse(options)
   }
+
+  public async verifyClientAttestation({
+    authorizationServer,
+    headers,
+  }: { authorizationServer: string; headers: FetchHeaders }) {
+    const { clientAttestationHeader, clientAttestationPopHeader } = extractClientAttestationJwtsFromHeaders(headers)
+
+    const clientAttestation = await verifyClientAttestationJwt({
+      callbacks: this.options.callbacks,
+      clientAttestationJwt: clientAttestationHeader,
+    })
+
+    const clientAttestationPop = await verifyClientAttestationPopJwt({
+      callbacks: this.options.callbacks,
+      authorizationServer,
+      clientAttestation,
+      clientAttestationPopJwt: clientAttestationPopHeader,
+    })
+
+    return {
+      clientAttestation,
+      clientAttestationPop,
+    }
+  }
 }
diff --git a/packages/oauth2/src/Oauth2Client.ts b/packages/oauth2/src/Oauth2Client.ts
@@ -16,7 +16,12 @@ import {
   createAuthorizationRequestUrl,
 } from './authorization-request/create-authorization-request'
 import type { CallbackContext } from './callbacks'
+import {
+  type CreateClientAttestationJwtOptions,
+  createClientAttestationJwt,
+} from './client-attestation/clent-attestation'
 import { Oauth2ErrorCodes } from './common/v-oauth2-error'
+import { extractDpopNonceFromHeaders } from './dpop/dpop'
 import { Oauth2ClientAuthorizationChallengeError } from './error/Oauth2ClientAuthorizationChallengeError'
 import { fetchAuthorizationServerMetadata } from './metadata/authorization-server/authorization-server-metadata'
 import type { AuthorizationServerMetadata } from './metadata/authorization-server/v-authorization-server-metadata'
@@ -84,6 +89,8 @@ export class Oauth2Client {
           pkceCodeVerifier: pkce?.codeVerifier,
           scope: options.scope,
           resource: options.resource,
+          clientAttestation: options.clientAttestation,
+          dpop: options.dpop,
         })
       } catch (error) {
         // In this case we resume with the normal auth flow
@@ -102,7 +109,14 @@ export class Oauth2Client {
             }
           ).toString()}`
 
+          const dpopNonce = extractDpopNonceFromHeaders(error.response.headers)
           return {
+            dpop: options.dpop
+              ? {
+                  ...options.dpop,
+                  nonce: dpopNonce,
+                }
+              : undefined,
             authorizationRequestUrl,
             pkce,
           }
@@ -118,6 +132,8 @@ export class Oauth2Client {
       scope: options.scope,
       pkceCodeVerifier: pkce?.codeVerifier,
       resource: options.resource,
+      clientAttestation: options.clientAttestation,
+      dpop: options.dpop,
     })
   }
 
@@ -138,6 +154,8 @@ export class Oauth2Client {
       scope: options.scope,
       callbacks: this.options.callbacks,
       pkceCodeVerifier: options.pkceCodeVerifier,
+      clientAttestation: options.clientAttestation,
+      dpop: options.dpop,
     })
   }
 
@@ -148,6 +166,7 @@ export class Oauth2Client {
     txCode,
     dpop,
     resource,
+    clientAttestation,
   }: Omit<RetrievePreAuthorizedCodeAccessTokenOptions, 'callbacks'>) {
     const result = await retrievePreAuthorizedCodeAccessToken({
       authorizationServerMetadata,
@@ -160,6 +179,7 @@ export class Oauth2Client {
       },
       callbacks: this.options.callbacks,
       dpop,
+      clientAttestation,
     })
 
     return result
@@ -173,6 +193,7 @@ export class Oauth2Client {
     redirectUri,
     resource,
     dpop,
+    clientAttestation,
   }: Omit<RetrieveAuthorizationCodeAccessTokenOptions, 'callbacks'>) {
     const result = await retrieveAuthorizationCodeAccessToken({
       authorizationServerMetadata,
@@ -183,6 +204,7 @@ export class Oauth2Client {
       callbacks: this.options.callbacks,
       dpop,
       redirectUri,
+      clientAttestation,
     })
 
     return result
@@ -194,6 +216,7 @@ export class Oauth2Client {
     refreshToken,
     resource,
     dpop,
+    clientAttestation,
   }: Omit<RetrieveRefreshTokenAccessTokenOptions, 'callbacks'>) {
     const result = await retrieveRefreshTokenAccessToken({
       authorizationServerMetadata,
@@ -202,6 +225,7 @@ export class Oauth2Client {
       resource,
       callbacks: this.options.callbacks,
       dpop,
+      clientAttestation,
     })
 
     return result
@@ -210,4 +234,14 @@ export class Oauth2Client {
   public async resourceRequest(options: ResourceRequestOptions) {
     return resourceRequest(options)
   }
+
+  /**
+   * @todo move this to another class?
+   */
+  public async createClientAttestationJwt(options: Omit<CreateClientAttestationJwtOptions, 'callbacks'>) {
+    return await createClientAttestationJwt({
+      callbacks: this.options.callbacks,
+      ...options,
+    })
+  }
 }
diff --git a/packages/oauth2/src/access-token/__tests__/parse-access-token-request.test.ts b/packages/oauth2/src/access-token/__tests__/parse-access-token-request.test.ts
@@ -85,7 +85,7 @@ describe('Parse Access Token Request', () => {
         },
         request: {
           headers: new Headers({
-            DPoP: ['hello', 'two'],
+            DPoP: ['ey.ey.S', 'ey.ey.S'],
           }),
           method: 'POST',
           url: 'https://request.com/token',

diff --git a/packages/oauth2/src/access-token/create-access-token.ts b/packages/oauth2/src/access-token/create-access-token.ts
@@ -1,11 +1,16 @@
-import { addSecondsToDate, dateToSeconds, encodeToBase64Url } from '@animo-id/oauth2-utils'
+import { addSecondsToDate, dateToSeconds, encodeToBase64Url, parseWithErrorHandling } from '@animo-id/oauth2-utils'
 import type { CallbackContext } from '../callbacks'
 import { HashAlgorithm } from '../callbacks'
 import { calculateJwkThumbprint } from '../common/jwk/jwk-thumbprint'
 import type { Jwk } from '../common/jwk/v-jwk'
 import { jwtHeaderFromJwtSigner } from '../common/jwt/decode-jwt'
 import type { JwtSigner } from '../common/jwt/v-jwt'
-import type { AccessTokenProfileJwtHeader, AccessTokenProfileJwtPayload } from './v-access-token-jwt'
+import {
+  type AccessTokenProfileJwtHeader,
+  type AccessTokenProfileJwtPayload,
+  vAccessTokenProfileJwtHeader,
+  vAccessTokenProfileJwtPayload,
+} from './v-access-token-jwt'
 
 export interface CreateAccessTokenOptions {
   callbacks: Pick<CallbackContext, 'signJwt' | 'generateRandom' | 'hash'>
@@ -70,14 +75,14 @@ export interface CreateAccessTokenOptions {
  * @see https://datatracker.ietf.org/doc/html/rfc9068
  */
 export async function createAccessTokenJwt(options: CreateAccessTokenOptions) {
-  const header = {
+  const header = parseWithErrorHandling(vAccessTokenProfileJwtHeader, {
     ...jwtHeaderFromJwtSigner(options.signer),
     typ: 'at+jwt',
-  } satisfies AccessTokenProfileJwtHeader
+  } satisfies AccessTokenProfileJwtHeader)
 
   const now = options.now ?? new Date()
 
-  const payload: AccessTokenProfileJwtPayload = {
+  const payload = parseWithErrorHandling(vAccessTokenProfileJwtPayload, {
     iat: dateToSeconds(now),
     exp: dateToSeconds(addSecondsToDate(now, options.expiresInSeconds)),
     aud: options.audience,
@@ -86,23 +91,23 @@ export async function createAccessTokenJwt(options: CreateAccessTokenOptions) {
     client_id: options.clientId,
     sub: options.subject,
     scope: options.scope,
+    cnf: options.dpopJwk
+      ? {
+          jkt: await calculateJwkThumbprint({
+            hashAlgorithm: HashAlgorithm.Sha256,
+            hashCallback: options.callbacks.hash,
+            jwk: options.dpopJwk,
+          }),
+        }
+      : undefined,
     ...options.additionalPayload,
-  }
-
-  if (options.dpopJwk) {
-    payload.cnf = {
-      jkt: await calculateJwkThumbprint({
-        hashAlgorithm: HashAlgorithm.Sha256,
-        hashCallback: options.callbacks.hash,
-        jwk: options.dpopJwk,
-      }),
-    }
-  }
+  } satisfies AccessTokenProfileJwtPayload)
 
-  const jwt = await options.callbacks.signJwt(options.signer, {
+  const { jwt } = await options.callbacks.signJwt(options.signer, {
     header,
     payload,
   })
+
   return {
     jwt,
   }