#3986: Pass correct wallet DID in OpenID4VCI proofs

Author: reinkrul

auth/api/iam/openid4vci.go

@@ -95,6 +95,7 @@ func (r Wrapper) RequestOpenid4VCICredentialIssuance(ctx context.Context, reques
 		AuthorizationServerMetadata: authzServerMetadata,
 		ClientFlow:                  credentialRequestClientFlow,
 		OwnSubject:                  &request.SubjectID,
+		OwnDID:                      walletDID,
 		RedirectURI:                 request.Body.RedirectUri,
 		PKCEParams:                  pkceParams,
 		// OpenID4VCI issuers may use multiple Authorization Servers
@@ -137,17 +138,13 @@ func (r Wrapper) handleOpenID4VCICallback(ctx context.Context, authorizationCode
 	checkURL := baseURL.JoinPath(oauth.CallbackPath)
 
 	// use code to request access token from remote token endpoint
-	clientDID, err := r.determineClientDID(ctx, *oauthSession.AuthorizationServerMetadata, *oauthSession.OwnSubject)
-	if err != nil {
-		return nil, withCallbackURI(oauthError(oauth.AccessDenied, fmt.Sprintf("error while determining client ID: %s", err.Error())), appCallbackURI)
-	}
 	response, err := r.auth.IAMClient().AccessToken(ctx, authorizationCode, oauthSession.TokenEndpoint, checkURL.String(), *oauthSession.OwnSubject, clientID, oauthSession.PKCEParams.Verifier, false)
 	if err != nil {
 		return nil, withCallbackURI(oauthError(oauth.AccessDenied, fmt.Sprintf("error while fetching the access_token from endpoint: %s, error: %s", oauthSession.TokenEndpoint, err.Error())), appCallbackURI)
 	}
 
 	// make proof and collect credential
-	proofJWT, err := r.openid4vciProof(ctx, *clientDID, oauthSession.IssuerURL, response.Get(oauth.CNonceParam))
+	proofJWT, err := r.openid4vciProof(ctx, *oauthSession.OwnDID, oauthSession.IssuerURL, response.Get(oauth.CNonceParam))
 	if err != nil {
 		return nil, withCallbackURI(oauthError(oauth.ServerError, fmt.Sprintf("error building proof to fetch the credential from endpoint %s, error: %s", oauthSession.IssuerCredentialEndpoint, err.Error())), appCallbackURI)
 	}
@@ -156,7 +153,7 @@ func (r Wrapper) handleOpenID4VCICallback(ctx context.Context, authorizationCode
 		return nil, withCallbackURI(oauthError(oauth.ServerError, fmt.Sprintf("error while fetching the credential from endpoint %s, error: %s", oauthSession.IssuerCredentialEndpoint, err.Error())), appCallbackURI)
 	}
 	// validate credential
-	// TODO: check that issued credential is bound to DID that requested it (OwnSubject)???
+	// TODO: check that issued credential is bound to DID that requested it (OwnDID)???
 	credential, err := vc.ParseVerifiableCredential(credentials.Credential)
 	if err != nil {
 		return nil, withCallbackURI(oauthError(oauth.ServerError, fmt.Sprintf("error while parsing the credential: %s, error: %s", credentials.Credential, err.Error())), appCallbackURI)

auth/api/iam/openid4vci_test.go

@@ -21,11 +21,12 @@ package iam
 import (
 	"context"
 	"errors"
-	"github.com/nuts-foundation/nuts-node/core/to"
 	"net/url"
 	"testing"
 	"time"
 
+	"github.com/nuts-foundation/nuts-node/core/to"
+
 	"github.com/nuts-foundation/nuts-node/auth/client/iam"
 	"github.com/nuts-foundation/nuts-node/auth/oauth"
 	"github.com/nuts-foundation/nuts-node/crypto"
@@ -190,6 +191,7 @@ func TestWrapper_handleOpenID4VCICallback(t *testing.T) {
 		},
 		ClientFlow:               "openid4vci_credential_request",
 		OwnSubject:               &holderSubjectID,
+		OwnDID:                   &holderDID,
 		RedirectURI:              redirectUrl,
 		PKCEParams:               pkceParams,
 		TokenEndpoint:            tokenEndpoint,

auth/api/iam/openid4vp_test.go

@@ -41,6 +41,7 @@ import (
 )
 
 var holderDID = did.MustParseDID("did:web:example.com:iam:holder")
+var holderDIDAlt = did.MustParseDID("did:web:example.com:iam:holder_alt")
 var issuerDID = did.MustParseDID("did:web:example.com:iam:issuer")
 var holderURL = test.MustParseURL("https://example.com/oauth2/holder")
 var issuerURL = test.MustParseURL("https://example.com/oauth2/issuer")

auth/api/iam/session.go

@@ -21,9 +21,10 @@ package iam
 import (
 	"errors"
 	"fmt"
-	"github.com/nuts-foundation/nuts-node/auth/oauth"
 	"net/url"
 
+	"github.com/nuts-foundation/nuts-node/auth/oauth"
+
 	"github.com/nuts-foundation/go-did/did"
 	"github.com/nuts-foundation/go-did/vc"
 	"github.com/nuts-foundation/nuts-node/http"
@@ -40,12 +41,15 @@ type OAuthSession struct {
 	ClientState                 string                             `json:"client_state,omitempty"`
 	OpenID4VPVerifier           *PEXConsumer                       `json:"openid4vp_verifier,omitempty"`
 	OwnSubject                  *string                            `json:"own_subject,omitempty"`
-	OtherDID                    *did.DID                           `json:"other_did,omitempty"`
-	PKCEParams                  PKCEParams                         `json:"pkce_params"`
-	RedirectURI                 string                             `json:"redirect_uri,omitempty"`
-	Scope                       string                             `json:"scope,omitempty"`
-	SessionID                   string                             `json:"session_id,omitempty"`
-	TokenEndpoint               string                             `json:"token_endpoint,omitempty"`
+	// OwnDID is the DID of the entity that owns this session, which must be a DID of the subject (OwnSubject).
+	// It is used in OpenID4VCI to select the target wallet.
+	OwnDID        *did.DID   `json:"own_did,omitempty"`
+	OtherDID      *did.DID   `json:"other_did,omitempty"`
+	PKCEParams    PKCEParams `json:"pkce_params"`
+	RedirectURI   string     `json:"redirect_uri,omitempty"`
+	Scope         string     `json:"scope,omitempty"`
+	SessionID     string     `json:"session_id,omitempty"`
+	TokenEndpoint string     `json:"token_endpoint,omitempty"`
 	// IssuerURL is the URL that identifies the OAuth2 Authorization Server according to RFC 8414 (Authorization Server Metadata).
 	IssuerURL string `json:"issuer_url,omitempty"`
 	UseDPoP   bool   `json:"use_dpop,omitempty"`