Support did:x509 in Authorization Server metadata #3573

Merged Nov 21, 2024 (3 commits)
52 changes: 33 additions & 19 deletions auth/auth.go
Expand Up @@ -23,10 +23,16 @@ import (
"errors"
"github.com/nuts-foundation/nuts-node/auth/client/iam"
"github.com/nuts-foundation/nuts-node/vdr"
"github.com/nuts-foundation/nuts-node/vdr/didjwk"
"github.com/nuts-foundation/nuts-node/vdr/didkey"
"github.com/nuts-foundation/nuts-node/vdr/didnuts"
"github.com/nuts-foundation/nuts-node/vdr/didsubject"
"github.com/nuts-foundation/nuts-node/vdr/didweb"
"github.com/nuts-foundation/nuts-node/vdr/didx509"
"github.com/nuts-foundation/nuts-node/vdr/resolver"
"net/url"
"path"
"slices"
"time"

"github.com/nuts-foundation/nuts-node/auth/services"
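Review bot: this import hunk pulls in five `vdr/did*` packages (`didjwk`, `didkey`, `didnuts`, `didweb`, `didx509`) only to read their `MethodName` constants in `SupportedDIDMethods`, which couples the `auth` module to every DID method implementation; consider exposing the list of always-supported method names from one place (for example the `vdr` package, which `auth` already imports) so that adding a method does not require touching `auth` imports. The standard-library `slices` package added here requires Go 1.21 or later, so check that go.mod already declares at least that version.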
Expand All @@ -46,23 +52,25 @@ var _ AuthenticationServices = (*Auth)(nil)

// Auth is the main struct of the Auth service
type Auth struct {
config Config
jsonldManager jsonld.JSONLD
authzServer oauth.AuthorizationServer
relyingParty oauth.RelyingParty
contractNotary services.ContractNotary
serviceResolver didman.CompoundServiceResolver
keyStore crypto.KeyStore
vcr vcr.VCR
pkiProvider pki.Provider
shutdownFunc func()
vdrInstance vdr.VDR
publicURL *url.URL
strictMode bool
httpClientTimeout time.Duration
tlsConfig *tls.Config
subjectManager didsubject.Manager
supportedDIDMethods []string
config Config
jsonldManager jsonld.JSONLD
authzServer oauth.AuthorizationServer
relyingParty oauth.RelyingParty
contractNotary services.ContractNotary
serviceResolver didman.CompoundServiceResolver
keyStore crypto.KeyStore
vcr vcr.VCR
pkiProvider pki.Provider
shutdownFunc func()
vdrInstance vdr.VDR
publicURL *url.URL
strictMode bool
httpClientTimeout time.Duration
tlsConfig *tls.Config
subjectManager didsubject.Manager
// configuredDIDMethods contains the DID methods that are configured in the Nuts node,
// of which VDR will create DIDs.
configuredDIDMethods []string
}

// Name returns the name of the module.
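Review bot: most of this hunk is gofmt realignment caused by the longer field name, which hides the one real change: `supportedDIDMethods` becomes `configuredDIDMethods` with a doc comment saying VDR creates DIDs for these methods. That comment now tells only half the story, because the same field also gates what `SupportedDIDMethods()` advertises (did:nuts is listed only when present here); spell out both uses, e.g. `// configuredDIDMethods lists the DID methods enabled in config; VDR creates DIDs for them, and SupportedDIDMethods advertises those that require explicit enabling.`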
Expand Down Expand Up @@ -137,7 +145,7 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
return err
}

auth.supportedDIDMethods = config.DIDMethods
auth.configuredDIDMethods = config.DIDMethods

auth.contractNotary = notary.NewNotary(notary.Config{
PublicURL: auth.publicURL.String(),
Expand Down Expand Up @@ -179,7 +187,13 @@ func (auth *Auth) Configure(config core.ServerConfig) error {
}

func (auth *Auth) SupportedDIDMethods() []string {
return auth.supportedDIDMethods
// DID methods that don't require additional resources/configuration in the Nuts node are always supported.
// Other DID methods (did:nuts), are only supported if explicitly enabled.
result := []string{didweb.MethodName, didjwk.MethodName, didkey.MethodName, didx509.MethodName}
Member:

did:web can also be disabled

Member Author:

Thinking out loud: what would be the use case for NOT accepting did:web credentials?

  • did:web is arguably less safe compared to jwk, key, x509 (since these aren't susceptible to network-bound attacks, e.g. DNS or domain hijacking). So verifiers might not want to accept it.
  • On the other hand, parties might want to accept it but might not want their Nuts node to create did:web DIDs.

Both are edge cases i.m.o., but I think the first argument is more credible. What do you think?

Member:

Currently our config defines it as on/off per method, for issuance, holding and verifying. It would be best to not differentiate between the behaviour of did:web and did:nuts.

Member Author:

Ok, will do the same for did:web then.


if slices.Contains(auth.configuredDIDMethods, didnuts.MethodName) {
result = append(result, didnuts.MethodName)
}
return result
}

// Start starts the Auth engine (Noop)
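Review bot: at `result := []string{didweb.MethodName, didjwk.MethodName, didkey.MethodName, didx509.MethodName}` did:web is advertised unconditionally, even though the thread above agrees it is an on/off-per-method setting like did:nuts, and, as the author notes, its resolution depends on DNS and the hosting domain rather than purely on key material, so an operator may deliberately leave it off. Gate it the same way as did:nuts (`slices.Contains(auth.configuredDIDMethods, didweb.MethodName)`) so the Authorization Server metadata matches what the node will actually accept. Two smaller points: the comment `// Other DID methods (did:nuts), are only supported if explicitly enabled.` has a stray comma, and the configured ordering is no longer preserved (did:nuts always lands last), which matters if consumers of the metadata read the list as a preference order.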
19 changes: 19 additions & 0 deletions auth/auth_test.go
Expand Up @@ -125,3 +125,22 @@ func TestAuth_IAMClient(t *testing.T) {
})

}

func TestAuth_SupportedDIDMethods(t *testing.T) {
t.Run("supports did:web", func(t *testing.T) {
assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "web")
})
t.Run("supports did:key", func(t *testing.T) {
assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "key")
})
t.Run("supports did:x509", func(t *testing.T) {
assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "x509")
})
t.Run("supports did:jwk", func(t *testing.T) {
assert.Contains(t, (&Auth{}).SupportedDIDMethods(), "jwk")
})
t.Run("supports did:nuts if configured", func(t *testing.T) {
assert.NotContains(t, (&Auth{}).SupportedDIDMethods(), "nuts")
assert.Contains(t, (&Auth{configuredDIDMethods: []string{"nuts"}}).SupportedDIDMethods(), "nuts")
})
}
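Review bot: the `t.Run("supports did:web", ...)` case asserts did:web is always present; once did:web is gated on configuration, as agreed in the review thread, this test needs the same two-sided shape as the did:nuts case, i.e. `assert.NotContains` on an empty `Auth{}` and `assert.Contains` with `configuredDIDMethods: []string{"web"}`. Consider also a single `assert.Equal` on the full returned slice, since membership checks alone will not catch duplicates or an accidental ordering change in what the Authorization Server metadata advertises.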
2 changes: 1 addition & 1 deletion auth/interface.go
Expand Up @@ -42,6 +42,6 @@ type AuthenticationServices interface {
PublicURL() *url.URL
// AuthorizationEndpointEnabled returns whether the v2 API's OAuth2 Authorization Endpoint is enabled.
AuthorizationEndpointEnabled() bool
// SupportedDIDMethods list the DID methods configured for the nuts node in preferred order.
// SupportedDIDMethods lists the DID methods the Nuts node can resolve.
SupportedDIDMethods() []string
}
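Review bot: the new comment `// SupportedDIDMethods lists the DID methods the Nuts node can resolve.` drops the "in preferred order" guarantee of the old text, and the new implementation indeed no longer preserves the configured order (did:nuts is appended after the fixed list). If any caller relied on that order, state explicitly that the order is not significant; and since "can resolve" is really a property of the VDR resolver, document what this list is actually for, i.e. the methods the node accepts and advertises in its Authorization Server metadata.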