Support did:x509 in Authorization Server metadata #3573

Merged
merged 3 commits into from
Nov 21, 2024
Merged
55 changes: 36 additions & 19 deletions auth/auth.go
Expand Up @@ -23,10 +23,16 @@ import (
"errors"
"github.com/nuts-foundation/nuts-node/auth/client/iam"
"github.com/nuts-foundation/nuts-node/vdr"
"github.com/nuts-foundation/nuts-node/vdr/didjwk"
"github.com/nuts-foundation/nuts-node/vdr/didkey"
"github.com/nuts-foundation/nuts-node/vdr/didnuts"
"github.com/nuts-foundation/nuts-node/vdr/didsubject"
"github.com/nuts-foundation/nuts-node/vdr/didweb"
"github.com/nuts-foundation/nuts-node/vdr/didx509"
"github.com/nuts-foundation/nuts-node/vdr/resolver"
"net/url"
"path"
"slices"
"time"

"github.com/nuts-foundation/nuts-node/auth/services"
Expand All @@ -46,23 +52,25 @@ var _ AuthenticationServices = (*Auth)(nil)

// Auth is the main struct of the Auth service
type Auth struct {
config Config
jsonldManager jsonld.JSONLD
authzServer oauth.AuthorizationServer
relyingParty oauth.RelyingParty
contractNotary services.ContractNotary
serviceResolver didman.CompoundServiceResolver
keyStore crypto.KeyStore
vcr vcr.VCR
pkiProvider pki.Provider
shutdownFunc func()
vdrInstance vdr.VDR
publicURL *url.URL
strictMode bool
httpClientTimeout time.Duration
tlsConfig *tls.Config
subjectManager didsubject.Manager
supportedDIDMethods []string
config Config
jsonldManager jsonld.JSONLD
authzServer oauth.AuthorizationServer
relyingParty oauth.RelyingParty
contractNotary services.ContractNotary
serviceResolver didman.CompoundServiceResolver
keyStore crypto.KeyStore
vcr vcr.VCR
pkiProvider pki.Provider
shutdownFunc func()
vdrInstance vdr.VDR
publicURL *url.URL
strictMode bool
httpClientTimeout time.Duration
tlsConfig *tls.Config
subjectManager didsubject.Manager
// configuredDIDMethods contains the DID methods that are configured in the Nuts node,
// of which VDR will create DIDs.
configuredDIDMethods []string
}

// Name returns the name of the module.
Expand Down Expand Up @@ -137,7 +145,7 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
return err
}

auth.supportedDIDMethods = config.DIDMethods
auth.configuredDIDMethods = config.DIDMethods

auth.contractNotary = notary.NewNotary(notary.Config{
PublicURL: auth.publicURL.String(),
Expand Down Expand Up @@ -179,7 +187,16 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
}

func (auth *Auth) SupportedDIDMethods() []string {
return auth.supportedDIDMethods
// DID methods that don't require additional resources/configuration in the Nuts node are always supported.
// Other DID methods (did:nuts), are only supported if explicitly enabled.
result := []string{didjwk.MethodName, didkey.MethodName, didx509.MethodName}
if slices.Contains(auth.configuredDIDMethods, didnuts.MethodName) {
result = append(result, didnuts.MethodName)
}
if slices.Contains(auth.configuredDIDMethods, didweb.MethodName) {
result = append(result, didweb.MethodName)
}
return result
}

// Start starts the Auth engine (Noop)
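Review bot: SupportedDIDMethods (last hunk of auth/auth.go) includes did:nuts and did:web only when they appear in configuredDIDMethods, which the new field comment defines as the methods VDR creates DIDs for, while the new interface comment in auth/interface.go says the method lists what the node can resolve; if did:web resolution does not depend on that setting (not visible here), the two comments contradict each other and the advertised list under-reports. The removed interface wording "in preferred order" is not replaced, yet the new fixed ordering (jwk, key, x509, then the configured methods) is a visible behaviour change; state it on the method, e.g. `// SupportedDIDMethods returns the DID methods accepted by this node: did:jwk, did:key and did:x509 unconditionally, plus did:nuts and did:web when present in configuredDIDMethods.` Whether verifying did:x509 presentations needs additional trust configuration on the node is not visible here; if it does, advertising it unconditionally in the Authorization Server metadata deserves a comment explaining why. Minor style: `result := make([]string, 0, 5)` followed by the appends avoids a regrowth. The Configure function's body continues outside its hunks.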
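--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@@ -125,3 +125,23 @@ func TestAuth_IAMClient(t *testing.T) {
 })
 
 }
+
+func TestAuth_SupportedDIDMethods(t *testing.T) {
+t.Run("supports did:key", func(t *testing.T) {
+assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "key")
+})
+t.Run("supports did:x509", func(t *testing.T) {
+assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "x509")
+})
+t.Run("supports did:jwk", func(t *testing.T) {
+assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "jwk")
+})
+t.Run("supports did:nuts if configured", func(t *testing.T) {
+assert.NotContains(t, (&Auth{}).SupportedDIDMethods(), "nuts")
+assert.Contains(t, (&Auth{configuredDIDMethods: []string{"nuts"}}).SupportedDIDMethods(), "nuts")
+})
+t.Run("supports did:web if configured", func(t *testing.T) {
+assert.NotContains(t, (&Auth{}).SupportedDIDMethods(), "web")
+assert.Contains(t, (&Auth{configuredDIDMethods: []string{"web"}}).SupportedDIDMethods(), "web")
+})
+}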
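Review bot: TestAuth_SupportedDIDMethods only checks membership, so a method leaking into the default list, a configured method being dropped, or a change in the returned order would all pass unnoticed. Add an exact-value assertion for the unconfigured node, `assert.Equal(t, []string{"jwk", "key", "x509"}, (&Auth{}).SupportedDIDMethods())`, and one for a node with both "nuts" and "web" configured so the full list and its order are pinned. The "did:nuts if configured" case would then also show that configuring one method does not pull in the other.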
2 changes: 1 addition & 1 deletion auth/interface.go
Expand Up @@ -42,6 +42,6 @@ type AuthenticationServices interface {
PublicURL() *url.URL
// AuthorizationEndpointEnabled returns whether the v2 API's OAuth2 Authorization Endpoint is enabled.
AuthorizationEndpointEnabled() bool
// SupportedDIDMethods list the DID methods configured for the nuts node in preferred order.
// SupportedDIDMethods lists the DID methods the Nuts node can resolve.
SupportedDIDMethods() []string
}