complete code

Author: chgaowei

.gitignore

@@ -11,3 +11,5 @@ examples/negotiation_mode/workflow_code/
 examples/negotiation_mode/protocol_code/
 examples/negotiation_mode/*.json
 examples/simple_node_mode/*.json
+examples/did_wba_examples/did_keys/user_*/
+

agent_connect/authentication/did_wba.py

@@ -172,18 +172,23 @@ async def resolve_did_wba_document(did: str) -> Dict:
         async with aiohttp.ClientSession(timeout=timeout) as session:
             url = f"https://{domain}"
             if path_segments:
-                url += '/' + '/'.join(path_segments)
+                url += '/' + '/'.join(path_segments) + '/did.json'
             else:
                 url += '/.well-known/did.json'
-
+            
             logging.debug(f"Requesting DID document from URL: {url}")
-
+            
+            # TODO: Add DNS-over-HTTPS support
+            # resolver = aiohttp.AsyncResolver(nameservers=['8.8.8.8'])
+            # connector = aiohttp.TCPConnector(resolver=resolver)
+            
             async with session.get(
                 url,
                 headers={
                     'Accept': 'application/json'
                 },
                 ssl=True
+                # connector=connector
             ) as response:
                 response.raise_for_status()
                 did_document = await response.json()

examples/did_wba_examples/basic.py

@@ -0,0 +1,201 @@
+# AgentConnect: https://github.com/chgaowei/AgentConnect
+# Author: GaoWei Chang
+# Email: chgaowei@gmail.com
+# Website: https://agent-network-protocol.com/
+#
+# This project is open-sourced under the MIT License. For details, please see the LICENSE file.
+
+# This is a basic example of how to use DID WBA authentication.
+# It first creates a DID document and private keys.
+# Then it uploads the DID document to the server.
+# Then it generates an authentication header and tests the DID authentication.
+
+import os
+import sys
+import json
+import secrets
+import asyncio
+import aiohttp
+import logging
+from pathlib import Path
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import ec
+from canonicaljson import encode_canonical_json
+
+from agent_connect.authentication.did_wba import (
+    create_did_wba_document,
+    resolve_did_wba_document,
+    generate_auth_header
+)
+from agent_connect.utils.log_base import set_log_color_level
+
+_is_local_testing = False
+
+# TODO: Change to your own server domain. 
+# Or use the test domain we provide (currently using pi-unlimited.com, will later change to agent-network-protocol.com)
+# SERVER_DOMAIN = "agent-network-protocol.com"
+SERVER_DOMAIN = "pi-unlimited.com"
+
+def convert_url_for_local_testing(url: str) -> str:
+    if _is_local_testing:
+        url = url.replace('https://', 'http://')
+        url = url.replace(SERVER_DOMAIN, '127.0.0.1:9000')
+    return url
+
+async def upload_did_document(url: str, did_document: dict) -> bool:
+    """Upload DID document to server"""
+    try:
+        local_url = convert_url_for_local_testing(url)
+        logging.info("Converting URL from %s to %s", url, local_url)
+        
+        async with aiohttp.ClientSession() as session:
+            async with session.put(
+                local_url,
+                json=did_document,
+                headers={'Content-Type': 'application/json'}
+            ) as response:
+                return response.status == 200
+    except Exception as e:
+        logging.error("Failed to upload DID document: %s", e)
+        return False
+
+async def download_did_document(url: str) -> dict:
+    """Download DID document from server"""
+    try:
+        local_url = convert_url_for_local_testing(url)
+        logging.info("Converting URL from %s to %s", url, local_url)
+        
+        async with aiohttp.ClientSession() as session:
+            async with session.get(local_url) as response:
+                if response.status == 200:
+                    return await response.json()
+                logging.warning("Failed to download DID document, status: %d", response.status)
+                return None
+    except Exception as e:
+        logging.error("Failed to download DID document: %s", e)
+        return None
+
+async def test_did_auth(url: str, auth_header: str) -> tuple[bool, str]:
+    """Test DID authentication and get token"""
+    try:
+        local_url = convert_url_for_local_testing(url)
+        logging.info("Converting URL from %s to %s", url, local_url)
+        
+        async with aiohttp.ClientSession() as session:
+            async with session.get(
+                local_url,
+                headers={'Authorization': auth_header}
+            ) as response:
+                token = response.headers.get('Authorization', '')
+                if token.startswith('Bearer '):
+                    token = token[7:]  # Remove 'Bearer ' prefix
+                return response.status == 200, token
+    except Exception as e:
+        logging.error("DID authentication test failed: %s", e)
+        return False, ''
+
+def save_private_key(unique_id: str, keys: dict, did_document: dict) -> str:
+    """Save private keys and DID document to user directory and return the user directory path"""
+    current_dir = Path(__file__).parent.absolute()
+    user_dir = current_dir / "did_keys" / f"user_{unique_id}"
+    # Create parent directories if they don't exist
+    user_dir.mkdir(parents=True, exist_ok=True)
+    
+    # Save private keys
+    for method_fragment, (private_key_bytes, _) in keys.items():
+        private_key_path = user_dir / f"{method_fragment}_private.pem"
+        with open(private_key_path, 'wb') as f:
+            f.write(private_key_bytes)
+        logging.info("Saved private key '%s' to %s", method_fragment, private_key_path)
+    
+    # Save DID document
+    did_path = user_dir / "did.json"
+    with open(did_path, 'w', encoding='utf-8') as f:
+        json.dump(did_document, f, indent=2)
+    logging.info("Saved DID document to %s", did_path)
+    
+    return str(user_dir)
+
+def load_private_key(private_key_dir: str, method_fragment: str) -> ec.EllipticCurvePrivateKey:
+    """Load private key from file"""
+    key_dir = Path(private_key_dir)
+    key_path = key_dir / f"{method_fragment}_private.pem"
+    
+    logging.info("Loading private key from %s", key_path)
+    with open(key_path, 'rb') as f:
+        private_key_bytes = f.read()
+    return serialization.load_pem_private_key(
+        private_key_bytes,
+        password=None
+    )
+
+def sign_callback(content: bytes, method_fragment: str) -> bytes:
+    """Sign content using private key"""
+    # Load private key using the global variable
+    private_key = load_private_key(sign_callback.private_key_dir, method_fragment)
+    
+    # Sign the content
+    signature = private_key.sign(
+        content,
+        ec.ECDSA(hashes.SHA256())
+    )
+    return signature
+
+async def main():
+    # 1. Generate unique identifier (8 bytes = 16 hex characters)
+    unique_id = secrets.token_hex(8)
+    
+    # 2. Set server information
+    server_domain = SERVER_DOMAIN
+    base_path = f"/wba/user/{unique_id}"
+    did_path = f"{base_path}/did.json"
+    
+    # 3. Create DID document
+    logging.info("Creating DID document...")
+    did_document, keys = create_did_wba_document(
+        hostname=server_domain,
+        path_segments=["wba", "user", unique_id]
+    )
+    
+    # 4. Save private keys, DID document and set path for sign_callback
+    user_dir = save_private_key(unique_id, keys, did_document)
+    sign_callback.private_key_dir = user_dir
+    
+    # 5. Upload DID document (This should be stored on your server)
+    document_url = f"https://{server_domain}{did_path}"
+    logging.info("Uploading DID document to %s", document_url)
+    success = await upload_did_document(document_url, did_document)
+    if not success:
+        logging.error("Failed to upload DID document")
+        return
+    logging.info("DID document uploaded successfully")
+    
+    # 7. Generate authentication header
+    logging.info("Generating authentication header...")
+    auth_header = generate_auth_header(
+        did_document,
+        server_domain,
+        sign_callback
+    )
+    
+    # 8. Test DID authentication and get token
+    test_url = f"https://{server_domain}/wba/test"
+    logging.info("Testing DID authentication at %s", test_url)
+    auth_success, token = await test_did_auth(test_url, auth_header)
+    
+    if not auth_success or not token:
+        logging.error(f"DID authentication test failed. auth_success: {auth_success}, token: {token}")
+        return
+        
+    logging.info("DID authentication test successful")
+
+if __name__ == "__main__":
+    set_log_color_level(logging.INFO)
+    asyncio.run(main())
+
+
+
+
+
+
+

examples/did_wba_examples/client.py

@@ -0,0 +1,121 @@
+# AgentConnect: https://github.com/chgaowei/AgentConnect
+# Author: GaoWei Chang
+# Email: chgaowei@gmail.com
+# Website: https://agent-network-protocol.com/
+#
+# This project is open-sourced under the MIT License. For details, please see the LICENSE file.
+
+# This is a client example used to test whether your server supports DID WBA authentication.
+# It uses a pre-created DID document and private key to access a test interface on your server.
+# If it returns 200, it indicates that the server supports DID WBA authentication.
+
+import asyncio
+import json
+import logging
+import aiohttp
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import ec
+from agent_connect.authentication.did_wba import (
+    resolve_did_wba_document,
+    generate_auth_header
+)
+from agent_connect.utils.log_base import set_log_color_level
+
+# THIS IS A TEST DID DOCUMENT AND PRIVATE KEY
+CLIENT_DID = "did:wba:pi-unlimited.com:wba:user:1b299d9faa38ebaf"
+CLIENT_DID_DOCUMENT = '''{
+  "@context": [
+    "https://www.w3.org/ns/did/v1",
+    "https://w3id.org/security/suites/jws-2020/v1",
+    "https://w3id.org/security/suites/secp256k1-2019/v1"
+  ],
+  "id": "did:wba:pi-unlimited.com:wba:user:1b299d9faa38ebaf",
+  "verificationMethod": [
+    {
+      "id": "did:wba:pi-unlimited.com:wba:user:1b299d9faa38ebaf#key-1",
+      "type": "EcdsaSecp256k1VerificationKey2019",
+      "controller": "did:wba:pi-unlimited.com:wba:user:1b299d9faa38ebaf",
+      "publicKeyJwk": {
+        "kty": "EC",
+        "crv": "secp256k1",
+        "x": "P-vJSQGRoUbI2xnxywhVqblQ_hG0U0X-gja0JlfEWMg",
+        "y": "MRTV4uHKbNvkRRBknkXjqzMfyCMGFtBw5Qlild8aLZI",
+        "kid": "rs-lu83Tv498ETdLT_8wIC1sdFsM4ON6MKR7LQ0pI3I"
+      }
+    }
+  ],
+  "authentication": [
+    "did:wba:pi-unlimited.com:wba:user:1b299d9faa38ebaf#key-1"
+  ]
+}'''
+
+CLIENT_PRIVATE_KEY = '''-----BEGIN PRIVATE KEY-----
+MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgumb+i8ZYrGBUB1U8HkS5
+Mqe4cyelFE2z7RqYYyEN4o6hRANCAAQ/68lJAZGhRsjbGfHLCFWpuVD+EbRTRf6C
+NrQmV8RYyDEU1eLhymzb5EUQZJ5F46szH8gjBhbQcOUJYpXfGi2S
+-----END PRIVATE KEY-----
+'''
+
+# TODO: Change to your own server domain.
+TEST_DOMAIN = "pi-unlimited.com"
+
+def load_private_key(private_key_pem: str) -> ec.EllipticCurvePrivateKey:
+    """Load private key from PEM string"""
+    return serialization.load_pem_private_key(
+        private_key_pem.encode(),
+        password=None
+    )
+
+def sign_callback(content: bytes, method_fragment: str) -> bytes:
+    """Sign content using private key"""
+    private_key = load_private_key(CLIENT_PRIVATE_KEY)
+    signature = private_key.sign(
+        content,
+        ec.ECDSA(hashes.SHA256())
+    )
+    return signature
+
+async def test_did_auth(url: str, auth_header: str) -> tuple[bool, str]:
+    """Test DID authentication and get token"""
+    try:
+        async with aiohttp.ClientSession() as session:
+            async with session.get(
+                url,
+                headers={'Authorization': auth_header}
+            ) as response:
+                token = response.headers.get('Authorization', '')
+                if token.startswith('Bearer '):
+                    token = token[7:]  # Remove 'Bearer ' prefix
+                return response.status == 200, token
+    except Exception as e:
+        logging.error("DID authentication test failed: %s", e)
+        return False, ''
+
+async def main():
+    # 1. Generate authentication header
+    logging.info("Generating authentication header...")
+    did_document = json.loads(CLIENT_DID_DOCUMENT)
+    auth_header = generate_auth_header(
+        did_document,
+        TEST_DOMAIN,
+        sign_callback
+    )
+    
+    # 2. Test DID authentication
+    test_url = f"https://{TEST_DOMAIN}/wba/test"
+    logging.info("Testing DID authentication at %s", test_url)
+    auth_success, token = await test_did_auth(test_url, auth_header)
+    
+    if auth_success:
+        logging.info("DID authentication test successful!")
+        logging.info(f"Received token: {token}")
+    else:
+        logging.error("DID authentication test failed")
+
+if __name__ == "__main__":
+    set_log_color_level(logging.INFO)
+    asyncio.run(main())
+
+
+
+