OID4VCI: Sign authn request only if AS supports it

Author: nodh

CHANGELOG.md

@@ -38,6 +38,10 @@ Release 5.7.0:
 Release 5.6.4:
  - OpenID for Verifiable Presentations:
    - Correctly handle requested attributes with nested paths, i.e. `address.formatted`
+ - OAuth2.0:
+   - In `OAuth2Client.createAuthRequest()` rename `wrapAsPar` to `wrapAsJar` to match its semantics
+ - OpenID for Verifiable Credential Issuance:
+   - Sign authn request as JAR only when AS supports it
 
 Release 5.6.3:
  - OpenID for Verifiable Credential Issuance:

vck-openid-ktor/src/commonMain/kotlin/at/asitplus/wallet/lib/ktor/openid/OpenId4VciClient.kt

@@ -484,15 +484,17 @@ class OpenId4VciClient(
         )
         val authorizationEndpointUrl = oauthMetadata.authorizationEndpoint
             ?: throw Exception("no authorizationEndpoint in $oauthMetadata")
+        val wrapAsJar = oauthMetadata.requestObjectSigningAlgorithmsSupported?.contains(JwsAlgorithm.Signature.ES256) == true
         val authRequest = oid4vciService.oauth2Client.createAuthRequest(
             state = state,
             authorizationDetails = if (scope == null) authorizationDetails else null,
             issuerState = issuerState,
-            scope = scope
+            scope = scope,
+            wrapAsJar = wrapAsJar
         )
-        val push = oauthMetadata.requirePushedAuthorizationRequests == true
+        val requiresPar = oauthMetadata.requirePushedAuthorizationRequests == true
         val parEndpointUrl = oauthMetadata.pushedAuthorizationRequestEndpoint
-        val authorizationUrl = if (parEndpointUrl != null && push) {
+        val authorizationUrl = if (parEndpointUrl != null && requiresPar) {
             val authRequestAfterPar = pushAuthorizationRequest(
                 authRequest = authRequest,
                 state = state,

vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oauth2/OAuth2Client.kt

@@ -79,7 +79,7 @@ class OAuth2Client(
      * of [IssuerMetadata.credentialIssuer]
      * @param issuerState for OID4VCI flows the value from [CredentialOfferGrantsAuthCode.issuerState]
      * @param audience for PAR the value of the `issuer` of the Authorization Server
-     * @param wrapAsPar whether to wrap the request as a PAR (i.e. a signed JWS)
+     * @param wrapAsJar whether to wrap the request as a JAR (i.e. a signed JWS with the authn request as payload)
      */
     suspend fun createAuthRequest(
         state: String,
@@ -88,7 +88,7 @@ class OAuth2Client(
         resource: String? = null,
         issuerState: String? = null,
         audience: String? = null,
-        wrapAsPar: Boolean = true,
+        wrapAsJar: Boolean = true,
     ) = AuthenticationRequestParameters(
         responseType = GRANT_TYPE_CODE,
         state = state,
@@ -100,12 +100,12 @@ class OAuth2Client(
         redirectUrl = redirectUrl,
         codeChallenge = generateCodeVerifier(state),
         codeChallengeMethod = CODE_CHALLENGE_METHOD_SHA256
-    ).wrapIfNecessary(wrapAsPar, audience)
+    ).wrapIfNecessary(wrapAsJar, audience)
 
-    private suspend fun AuthenticationRequestParameters.wrapIfNecessary(wrapAsPar: Boolean, audience: String?) =
-        if (signPushedAuthorizationRequest != null && wrapAsPar) wrapInPar(signPushedAuthorizationRequest, audience) else this
+    private suspend fun AuthenticationRequestParameters.wrapIfNecessary(wrapAsJar: Boolean, audience: String?) =
+        if (signPushedAuthorizationRequest != null && wrapAsJar) wrapInJar(signPushedAuthorizationRequest, audience) else this
 
-    private suspend fun AuthenticationRequestParameters.wrapInPar(
+    private suspend fun AuthenticationRequestParameters.wrapInJar(
         signPushedAuthorizationRequest: SignJwtFun<AuthenticationRequestParameters>,
         audience: String?,
     ) = AuthenticationRequestParameters(

vck-openid/src/commonTest/kotlin/at/asitplus/wallet/lib/oauth2/OAuth2ClientTest.kt

@@ -11,7 +11,6 @@ import io.kotest.matchers.nulls.shouldBeNull
 import io.kotest.matchers.nulls.shouldNotBeNull
 import io.kotest.matchers.shouldBe
 import io.kotest.matchers.types.shouldBeInstanceOf
-import kotlinx.serialization.json.JsonObject
 
 class OAuth2ClientTest : FunSpec({
 
@@ -83,7 +82,7 @@ class OAuth2ClientTest : FunSpec({
         val authnRequest = client.createAuthRequest(
             state = state,
             scope = scope,
-            wrapAsPar = true
+            wrapAsJar = true
         )
         val authnResponse = server.authorize(authnRequest).getOrThrow()
             .shouldBeInstanceOf<AuthenticationResponseResult.Redirect>()
@@ -104,7 +103,7 @@ class OAuth2ClientTest : FunSpec({
         val authnRequest = client.createAuthRequest(
             state = state,
             scope = scope,
-            wrapAsPar = false
+            wrapAsJar = false
         )
         val authnResponse = server.authorize(authnRequest).getOrThrow()
             .shouldBeInstanceOf<AuthenticationResponseResult.Redirect>()

vck-rqes/src/commonMain/kotlin/at/asitplus/wallet/lib/rqes/RqesOpenId4VpHolder.kt

@@ -140,7 +140,7 @@ class RqesOpenId4VpHolder(
     ): AuthenticationRequestParameters = oauth2Client.createAuthRequest(
         state = uuid4().toString(),
         scope = RqesOauthScope.SERVICE.value,
-        wrapAsPar = wrapAsPar,
+        wrapAsJar = wrapAsPar,
     ).enrichAuthRequest(
         redirectUrl = redirectUrl,
         optionalParameters = optionalParameters
@@ -160,7 +160,7 @@ class RqesOpenId4VpHolder(
     ): AuthenticationRequestParameters = oauth2Client.createAuthRequest(
         state = uuid4().toString(),
         authorizationDetails = setOf(getCscAuthenticationDetails(documentDigests, hashAlgorithm, documentLocation)),
-        wrapAsPar = wrapAsPar,
+        wrapAsJar = wrapAsPar,
     ).enrichAuthRequest(
         redirectUrl = redirectUrl,
         optionalParameters = optionalParameters