chore: entity_id fixes

Sphereon-Opensource · Nov 20, 2024 · 124522c · 124522c
1 parent 7c9e157
commit 124522c
Show file tree

Hide file tree

Showing 13 changed files with 52 additions and 830 deletions.
diff --git a/packages/callback-example/package.json b/packages/callback-example/package.json
@@ -19,7 +19,7 @@
     "@sphereon/oid4vci-client": "workspace:*",
     "@sphereon/oid4vci-common": "workspace:*",
     "@sphereon/oid4vci-issuer": "workspace:*",
-    "@sphereon/ssi-types": "0.30.1",
+    "@sphereon/ssi-types": "0.30.2-next.279",
     "jose": "^4.10.0"
   },
   "devDependencies": {

diff --git a/packages/client/package.json b/packages/client/package.json
@@ -17,7 +17,7 @@
   "dependencies": {
     "@sphereon/oid4vc-common": "workspace:*",
     "@sphereon/oid4vci-common": "workspace:*",
-    "@sphereon/ssi-types": "0.30.1",
+    "@sphereon/ssi-types": "0.30.2-next.279",
     "cross-fetch": "^3.1.8",
     "debug": "^4.3.5"
   },

diff --git a/packages/common/package.json b/packages/common/package.json
@@ -10,7 +10,7 @@
     "build:clean": "tsc --build --clean && tsc --build"
   },
   "dependencies": {
-    "@sphereon/ssi-types": "0.30.1",
+    "@sphereon/ssi-types": "0.30.2-next.279",
     "jwt-decode": "^4.0.0",
     "sha.js": "^2.4.11",
     "uint8arrays": "3.1.1",

diff --git a/packages/issuer-rest/package.json b/packages/issuer-rest/package.json
@@ -14,8 +14,8 @@
     "@sphereon/oid4vc-common": "workspace:*",
     "@sphereon/oid4vci-common": "workspace:*",
     "@sphereon/oid4vci-issuer": "workspace:*",
-    "@sphereon/ssi-express-support": "0.30.1",
-    "@sphereon/ssi-types": "0.30.1",
+    "@sphereon/ssi-express-support": "0.30.2-next.279",
+    "@sphereon/ssi-types": "0.30.2-next.279",
     "body-parser": "^1.20.2",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",

diff --git a/packages/issuer/package.json b/packages/issuer/package.json
@@ -12,7 +12,7 @@
   "dependencies": {
     "@sphereon/oid4vc-common": "workspace:*",
     "@sphereon/oid4vci-common": "workspace:*",
-    "@sphereon/ssi-types": "0.30.1",
+    "@sphereon/ssi-types": "0.30.2-next.279",
     "uuid": "^9.0.0"
   },
   "peerDependencies": {

diff --git a/packages/oid4vci-common/package.json b/packages/oid4vci-common/package.json
@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@sphereon/oid4vc-common": "workspace:*",
-    "@sphereon/ssi-types": "0.30.1",
+    "@sphereon/ssi-types": "0.30.2-next.279",
     "cross-fetch": "^3.1.8",
     "debug": "^4.3.5",
     "jwt-decode": "^4.0.0",

diff --git a/packages/siop-oid4vp/lib/request-object/Payload.ts b/packages/siop-oid4vp/lib/request-object/Payload.ts
@@ -35,8 +35,9 @@ export const createRequestObjectPayload = async (opts: CreateAuthorizationReques
     response_type: payload.response_type ?? ResponseType.ID_TOKEN,
     scope: payload.scope,
     //TODO implement /.well-known/openid-federation support in the OP side to resolve the client_id (URL) and retrieve the metadata
-    client_id: clientId,
     client_id_scheme: payload.client_id_scheme,
+    ...(clientId && { client_id: clientId }),
+    ...(payload.entity_id && { entity_id: payload.entity_id }),
     ...(payload.redirect_uri && { redirect_uri: payload.redirect_uri }),
     ...(payload.response_uri && { response_uri: payload.response_uri }),
     response_mode: payload.response_mode ?? ResponseMode.DIRECT_POST,

diff --git a/packages/siop-oid4vp/lib/rp/RPBuilder.ts b/packages/siop-oid4vp/lib/rp/RPBuilder.ts
@@ -40,6 +40,7 @@ export class RPBuilder {
 
   clientMetadata?: ClientMetadataOpts = undefined
   clientId: string
+  entityId: string
   clientIdScheme: string
 
   hasher: Hasher
@@ -83,6 +84,14 @@ export class RPBuilder {
     return this
   }
 
+  withEntityId(entityId: string, targets?: PropertyTargets): RPBuilder {
+    this._authorizationRequestPayload.entity_id = assignIfAuth({ propertyValue: entityId, targets }, false)
+    this._requestObjectPayload.entity_id = assignIfRequestObject({ propertyValue: entityId, targets }, true)
+    this.entityId = entityId
+    return this
+  }
+
+
   withIssuer(issuer: ResponseIss, targets?: PropertyTargets): RPBuilder {
     this._authorizationRequestPayload.iss = assignIfAuth({ propertyValue: issuer, targets }, false)
     this._requestObjectPayload.iss = assignIfRequestObject({ propertyValue: issuer, targets }, true)

diff --git a/packages/siop-oid4vp/lib/types/Errors.ts b/packages/siop-oid4vp/lib/types/Errors.ts
@@ -28,7 +28,7 @@ enum SIOPErrors {
   MISSING_ATTESTATION_JWT_WITH_CLIENT_ID_SCHEME_ATTESTATION = `Missing jwt header jwt with client_id_scheme 'verifier_attestation'.`,
   MISSING_ATTESTATION_JWT_TYP = `Attestation JWT missing typ 'verifier-attestation+jwt'.`,
   INVALID_CLIENT_ID_SCHEME = 'Invalid client_id_scheme.',
-  INVALID_REQUEST_OBJECT_ENTITY_ID_SCHEME_CLIENT_ID = `Request Object uses client_id_scheme 'entity_id', but the client_id is not a string.`,
+  INVALID_REQUEST_OBJECT_ENTITY_ID_SCHEME_CLIENT_ID = `Request Object uses client_id_scheme 'entity_id', but the entity_id is missing or not an https endpoint.`,
   EXPIRED = 'The token has expired',
   INVALID_AUDIENCE = 'Audience is invalid. Should be a string value.',
   NO_AUDIENCE = 'No audience found in JWT payload or not configured',

diff --git a/packages/siop-oid4vp/lib/types/SIOP.types.ts b/packages/siop-oid4vp/lib/types/SIOP.types.ts
@@ -36,6 +36,7 @@ export interface RequestObjectPayload extends RequestCommonPayload, JWTPayload {
   response_type: ResponseType | string // REQUIRED. Constant string value id_token.
   client_id: string // REQUIRED. RP's identifier at the Self-Issued OP.
   client_id_scheme?: ClientIdScheme // The client_id_scheme enables deployments of this specification to use different mechanisms to obtain and validate metadata of the Verifier beyond the scope of [RFC6749]. The term client_id_scheme is used since the Verifier is acting as an OAuth 2.0 Client.
+  entity_id?: string // OPTIONAL for OIDF
   client_metadata: ClientMetadataOpts
   redirect_uri?: string // REQUIRED before OID4VP v18, now optional because of response_uri. URI to which the Self-Issued OP Response will be sent
   response_uri?: string // New since OID4VP18 OPTIONAL. The Response URI to which the Wallet MUST send the Authorization Response using an HTTPS POST request as defined by the Response Mode direct_post. The Response URI receives all Authorization Response parameters as defined by the respective Response Type. When the response_uri parameter is present, the redirect_uri Authorization Request parameter MUST NOT be present. If the redirect_uri Authorization Request parameter is present when the Response Mode is direct_post, the Wallet MUST return an invalid_request Authorization Response error.

diff --git a/packages/siop-oid4vp/lib/types/VpJwtVerifier.ts b/packages/siop-oid4vp/lib/types/VpJwtVerifier.ts
@@ -152,11 +152,11 @@ export const getRequestObjectJwtVerifier = async (
     // If the Wallet cannot establish trust, it MUST refuse the request.
     return { method: 'jwk', type, jwk: attestationPayload.cnf['jwk'] as JWK, alg }
   } else if (clientIdScheme === 'entity_id') {
-    if (!clientId.startsWith('http')) {
+    const entityId = jwt.payload.entity_id
+    if (!entityId || !entityId.startsWith('https')) {
       throw new Error(SIOPErrors.INVALID_REQUEST_OBJECT_ENTITY_ID_SCHEME_CLIENT_ID)
     }
-
-    return { method: 'openid-federation', type, entityId: clientId }
+    return { method: 'openid-federation', type, entityId }
   }
 
   throw new Error(SIOPErrors.INVALID_CLIENT_ID_SCHEME)

diff --git a/packages/siop-oid4vp/package.json b/packages/siop-oid4vp/package.json
@@ -19,7 +19,7 @@
     "@sphereon/oid4vc-common": "workspace:*",
     "@sphereon/pex": "5.0.0-unstable.24",
     "@sphereon/pex-models": "^2.3.1",
-    "@sphereon/ssi-types": "0.30.2-next.129",
+    "@sphereon/ssi-types": "0.30.2-next.279",
     "cross-fetch": "^4.0.0",
     "debug": "^4.3.5",
     "events": "^3.3.0",