Merge pull request #80 from FIWARE/authenticon-2

make nonce optional and improve jwt mapping

Author: wistefan

openapi/api_api.go

@@ -21,6 +21,7 @@ import (
 	"github.com/fiware/VCVerifier/common"
 	"github.com/fiware/VCVerifier/logging"
 	"github.com/fiware/VCVerifier/verifier"
+	"github.com/google/uuid"
 	"github.com/lestrrat-go/jwx/v3/jwa"
 	"github.com/lestrrat-go/jwx/v3/jwt"
 	vdr_jwk "github.com/trustbloc/did-go/method/jwk"
@@ -196,8 +197,7 @@ func AuthorizationEndpoint(c *gin.Context) {
 	}
 	if !nonceExists {
 		logging.Log().Info("Received an authorization request without a nonce.")
-		c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoNonce)
-		return
+		nonce = uuid.NewString()
 	}
 	if !stateExists {
 		logging.Log().Info("Received an authorization request without a state.")
@@ -235,6 +235,7 @@ func AuthorizationEndpoint(c *gin.Context) {
 }
 
 func buildFrontendV2Address(protocol, host, state, clientId, redirectUri, scope, nonce string) string {
+	logging.Log().Debugf("%s://%s/api/v2/loginQR?state=%s&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&request_mode=byReference", protocol, host, state, clientId, redirectUri, scope, nonce)
 	return fmt.Sprintf("%s://%s/api/v2/loginQR?state=%s&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&request_mode=byReference", protocol, host, state, clientId, redirectUri, scope, nonce)
 }
 

openapi/api_frontend.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/fiware/VCVerifier/logging"
 	"github.com/fiware/VCVerifier/verifier"
+	"github.com/google/uuid"
 
 	"github.com/gin-gonic/gin"
 )
@@ -131,9 +132,7 @@ func VerifierLoginQr(c *gin.Context) {
 
 	nonce, nonceExists := c.GetQuery("nonce")
 	if !nonceExists {
-		c.AbortWithStatusJSON(http.StatusBadRequest, ErrorMessageNoNonce)
-		// early exit
-		return
+		nonce = uuid.NewString()
 	}
 
 	requestMode, requestModeExists := c.GetQuery("request_mode")

verifier/verifier.go

@@ -18,6 +18,7 @@ import (
 
 	"golang.org/x/exp/slices"
 
+	"github.com/PaesslerAG/jsonpath"
 	common "github.com/fiware/VCVerifier/common"
 	configModel "github.com/fiware/VCVerifier/config"
 	"github.com/fiware/VCVerifier/gaiax"
@@ -682,14 +683,31 @@ func buildInclusion(credential *verifiable.Credential, inclusionConfig configMod
 
 	inclusion = make(map[string]interface{})
 	for _, claim := range inclusionConfig.ClaimsToInclude {
-		pathParts := strings.Split(claim.OriginalKey, ".")
-		if val, ok := getValueFromPath(credential.ToRawJSON(), pathParts); ok {
+		if strings.HasPrefix(claim.OriginalKey, "$") {
+			logging.Log().Debugf("Claim uses json path: %s from %s", claim.OriginalKey, logging.PrettyPrintObject(credential.ToRawJSON()))
+			claimValues, err := jsonpath.Get(claim.OriginalKey, credential.ToRawJSON())
+
+			if err != nil {
+				logging.Log().Warnf("Was not able to evaluate path %s", claim.OriginalKey)
+				continue
+			}
+
 			if claim.NewKey != "" {
-				setValueAtPath(inclusion, strings.Split(claim.NewKey, "."), val)
+				setValueAtPath(inclusion, strings.Split(claim.NewKey, "."), claimValues)
 			} else {
-				setValueAtPath(inclusion, strings.Split(claim.OriginalKey, "."), val)
+				setValueAtPath(inclusion, strings.Split(claim.OriginalKey, "."), claimValues)
+			}
+		} else {
+			pathParts := strings.Split(claim.OriginalKey, ".")
+			if val, ok := getValueFromPath(credential.ToRawJSON(), pathParts); ok {
+				if claim.NewKey != "" {
+					setValueAtPath(inclusion, strings.Split(claim.NewKey, "."), val)
+				} else {
+					setValueAtPath(inclusion, strings.Split(claim.OriginalKey, "."), val)
+				}
 			}
 		}
+
 	}
 	return inclusion
 }
@@ -813,9 +831,11 @@ func (v *CredentialVerifier) AuthenticationResponse(state string, verifiablePres
 	}
 	loginSession := loginSessionInterface.(loginSession)
 
-	// TODO extract into separate policy
+	credentialsByType, _ := extractCredentialTypes(verifiablePresentation)
 	trustedChain, _ := verifyChain(verifiablePresentation.Credentials())
+	var credentialsToBeIncluded []map[string]interface{}
 
+	flatClaims := false
 	for _, credential := range verifiablePresentation.Credentials() {
 
 		verificationContext, err := v.getTrustRegistriesValidationContext(loginSession.clientId, credential.Contents().Types, loginSession.scope)
@@ -845,21 +865,27 @@ func (v *CredentialVerifier) AuthenticationResponse(state string, verifiablePres
 				logging.Log().Infof("VC %s is not valid.", logging.PrettyPrintObject(credential))
 				return sameDevice, ErrorInvalidVC
 			}
+			shouldBeIncluded, inclusionConfig := v.shouldBeIncluded(loginSession.clientId, loginSession.scope, credential.Contents().Types)
+			if shouldBeIncluded {
+				credentialsToBeIncluded = append(credentialsToBeIncluded, buildInclusion(credential, inclusionConfig))
+			}
+			flatClaims, _ = v.credentialsConfig.GetFlatClaims(loginSession.clientId, loginSession.scope)
 		}
 	}
 
 	// we ignore the error here, since the only consequence is that sub will be empty.
 	hostname, _ := getHostName(loginSession.callback)
 
-	//TODO: properly handle inclusion config
-
-	var toBeIncluded []map[string]interface{}
-	for _, credential := range verifiablePresentation.Credentials() {
-		toBeIncluded = append(toBeIncluded, credential.ToRawJSON())
+	if len(credentialsToBeIncluded) == 0 {
+		vcTypes := []string{}
+		for k := range credentialsByType {
+			vcTypes = append(vcTypes, k)
+		}
+		logging.Log().Warnf("No valid credential type was provided. Provided credential type: %v", vcTypes)
+		return sameDevice, ErrorNoValidCredentialTypeProvided
 	}
 
-	flatClaims, _ := v.credentialsConfig.GetFlatClaims(loginSession.clientId, loginSession.scope)
-	token, err := v.generateJWT(toBeIncluded, verifiablePresentation.Holder, hostname, flatClaims)
+	token, err := v.generateJWT(credentialsToBeIncluded, verifiablePresentation.Holder, hostname, flatClaims)
 	if err != nil {
 		logging.Log().Warnf("Was not able to create a jwt for %s. Err: %v", state, err)
 		return sameDevice, err

verifier/verifier_test.go

@@ -551,7 +551,17 @@ func TestAuthenticationResponse(t *testing.T) {
 			testKey, _ := jwk.Import(ecdsaKey)
 			jwk.AssignKeyID(testKey)
 			nonceGenerator := mockNonceGenerator{staticValues: []string{"authCode"}}
-			credentialsConfig := mockCredentialConfig{}
+			credentialsConfig := mockCredentialConfig{
+				mockScopes: map[string]map[string]configModel.ScopeEntry{"clientId": {
+					"": {
+						Credentials: []configModel.Credential{{
+							Type:         "VerifiableCredential",
+							JwtInclusion: configModel.JwtInclusion{Enabled: true},
+						}},
+					},
+				},
+				},
+			}
 			verifier := CredentialVerifier{did: "did:key:verifier", signingKey: testKey, tokenCache: &tokenCache, sessionCache: &sessionCache, nonceGenerator: &nonceGenerator, validationServices: []ValidationService{&mockExternalSsiKit{tc.verificationResult, tc.verificationError}}, clock: mockClock{}, credentialsConfig: credentialsConfig, clientIdentification: configModel.ClientIdentification{Id: "did:key:verifier"}}
 
 			sameDeviceResponse, err := verifier.AuthenticationResponse(tc.requestedState, &tc.testVP)