Introduce auth code flow type attribute

Author: cicnavi

docker/conformance.sql

@@ -82,7 +82,7 @@ CREATE TABLE oidc_auth_code (
             client_id VARCHAR(191) NOT NULL,
             is_revoked BOOLEAN NOT NULL DEFAULT false,
             redirect_uri TEXT NOT NULL, nonce TEXT NULL,
-            is_pre_authorized BOOLEAN NOT NULL DEFAULT false,
+            flow_type CHAR(64) DEFAULT NULL,
             tx_code varchar(191) DEFAULT NULL,
             CONSTRAINT FK_97D32CA7A76ED395 FOREIGN KEY (user_id)
                 REFERENCES oidc_user (id) ON DELETE CASCADE,

src/Codebooks/FlowTypeEnum.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Codebooks;
+
+enum FlowTypeEnum: string
+{
+    case OidcAuthorizationCode = 'oidc_authorization_code';
+    case OidcImplicit = 'oidc_implicit';
+    case OidcHybrid = 'oidc_hybrid';
+    case OidcRefreshToken = 'oidc_refresh_token';
+
+    case VciAuthorizationCode = 'vci_authorization_code';
+    case VciPreAuthorizedCode = 'vci_pre_authorized_code';
+}

src/Entities/AuthCodeEntity.php

@@ -19,6 +19,7 @@
 use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
 use League\OAuth2\Server\Entities\Traits\EntityTrait;
 use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum;
 use SimpleSAML\Module\oidc\Entities\Interfaces\AuthCodeEntityInterface;
 use SimpleSAML\Module\oidc\Entities\Interfaces\MementoInterface;
 use SimpleSAML\Module\oidc\Entities\Traits\OidcAuthCodeTrait;
@@ -43,7 +44,7 @@ public function __construct(
         ?string $redirectUri = null,
         ?string $nonce = null,
         bool $isRevoked = false,
-        protected readonly bool $isPreAuthorized = false,
+        protected readonly ?FlowTypeEnum $flowTypeEnum = null,
         protected readonly ?string $txCode = null,
     ) {
         $this->identifier = $id;
@@ -70,18 +71,23 @@ public function getState(): array
             'is_revoked' => $this->isRevoked(),
             'redirect_uri' => $this->getRedirectUri(),
             'nonce' => $this->getNonce(),
-            'is_pre_authorized' => $this->isPreAuthorized,
+            'flow_type' => $this->flowTypeEnum?->value,
             'tx_code' => $this->txCode,
         ];
     }
 
-    public function isPreAuthorized(): bool
+    public function isVciPreAuthorized(): bool
     {
-        return $this->isPreAuthorized;
+        return $this->flowTypeEnum === FlowTypeEnum::VciPreAuthorizedCode;
     }
 
     public function getTxCode(): ?string
     {
         return $this->txCode;
     }
+
+    public function getFlowTypeEnum(): ?FlowTypeEnum
+    {
+        return $this->flowTypeEnum;
+    }
 }

src/Factories/CredentialOfferUriFactory.php

@@ -8,6 +8,7 @@
 use RuntimeException;
 use SimpleSAML\Error\Exception;
 use SimpleSAML\Module\oidc\Bridges\SspBridge;
+use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum;
 use SimpleSAML\Module\oidc\Codebooks\ParametersEnum;
 use SimpleSAML\Module\oidc\Entities\ScopeEntity;
 use SimpleSAML\Module\oidc\Entities\UserEntity;
@@ -202,7 +203,7 @@ public function buildPreAuthorized(
                     expiryDateTime: (new DateTimeImmutable())->add($this->moduleConfig->getAuthCodeDuration()),
                     userIdentifier: $userId,
                     redirectUri: 'openid-credential-offer://',
-                    isPreAuthorized: true,
+                    flowTypeEnum: FlowTypeEnum::VciPreAuthorizedCode,
                     txCode: $txCode instanceof VerifiableCredentials\TxCode ? $txCode->getCodeAsString() : null,
                 );
                 $this->authCodeRepository->persistNewAuthCode($authCode);

src/Factories/Entities/AuthCodeEntityFactory.php

@@ -6,6 +6,7 @@
 
 use DateTimeImmutable;
 use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
+use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum;
 use SimpleSAML\Module\oidc\Entities\AuthCodeEntity;
 use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\Module\oidc\Helpers;
@@ -31,7 +32,7 @@ public function fromData(
         ?string $redirectUri = null,
         ?string $nonce = null,
         bool $isRevoked = false,
-        bool $isPreAuthorized = false,
+        ?FlowTypeEnum $flowTypeEnum = null,
         ?string $txCode = null,
     ): AuthCodeEntity {
         return new AuthCodeEntity(
@@ -43,7 +44,7 @@ public function fromData(
             $redirectUri,
             $nonce,
             $isRevoked,
-            $isPreAuthorized,
+            $flowTypeEnum,
             $txCode,
         );
     }
@@ -85,7 +86,7 @@ public function fromState(array $state): AuthCodeEntity
         $redirectUri = empty($state['redirect_uri']) ? null : (string)$state['redirect_uri'];
         $nonce = empty($state['nonce']) ? null : (string)$state['nonce'];
         $isRevoked = (bool) $state['is_revoked'];
-        $isPreAuthorized = (bool) $state['is_pre_authorized'];
+        $flowType = empty($state['flow_type']) ? null : FlowTypeEnum::tryFrom((string)$state['flow_type']);
         $txCode = empty($state['tx_code']) ? null : (string)$state['tx_code'];
 
         return $this->fromData(
@@ -97,7 +98,7 @@ public function fromState(array $state): AuthCodeEntity
             $redirectUri,
             $nonce,
             $isRevoked,
-            $isPreAuthorized,
+            $flowType,
             $txCode,
         );
     }

src/Repositories/AuthCodeRepository.php

@@ -80,7 +80,7 @@ public function persistNewAuthCode(OAuth2AuthCodeEntityInterface $authCodeEntity
                 is_revoked,
                 redirect_uri,
                 nonce,
-                is_pre_authorized,
+                flow_type,
                 tx_code
             ) VALUES (
                 :id,
@@ -91,7 +91,7 @@ public function persistNewAuthCode(OAuth2AuthCodeEntityInterface $authCodeEntity
                 :is_revoked,
                 :redirect_uri,
                 :nonce,
-                :is_pre_authorized,
+                :flow_type,
                 :tx_code
             )
             EOS,
@@ -214,7 +214,7 @@ private function update(AuthCodeEntity $authCodeEntity): void
                 is_revoked = :is_revoked,
                 redirect_uri = :redirect_uri,
                 nonce = :nonce,
-                is_pre_authorized = :is_pre_authorized,
+                flow_type = :flow_type,
                 tx_code = :tx_code
             WHERE id = :id
 EOS
@@ -239,10 +239,8 @@ private function update(AuthCodeEntity $authCodeEntity): void
     protected function preparePdoState(array $state): array
     {
         $isRevoked = (bool)($state['is_revoked'] ?? true);
-        $isPreAuthorized = (bool)($state['is_pre_authorized'] ?? false);
 
         $state['is_revoked'] = [$isRevoked, PDO::PARAM_BOOL];
-        $state['is_pre_authorized'] = [$isPreAuthorized, PDO::PARAM_BOOL];
 
         return $state;
     }

src/Server/Grants/AuthCodeGrant.php

@@ -21,6 +21,7 @@
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use LogicException;
 use Psr\Http\Message\ServerRequestInterface;
+use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum;
 use SimpleSAML\Module\oidc\Entities\Interfaces\AccessTokenEntityInterface;
 use SimpleSAML\Module\oidc\Entities\Interfaces\AuthCodeEntityInterface;
 use SimpleSAML\Module\oidc\Entities\Interfaces\RefreshTokenEntityInterface;
@@ -270,8 +271,7 @@ public function completeOidcAuthorizationRequest(
             $authorizationRequest->getClient(),
             $user->getIdentifier(),
             $finalRedirectUri,
-            $authorizationRequest->getScopes(),
-            $authorizationRequest->getNonce(),
+            $authorizationRequest,
         );
 
         $payload = [
@@ -307,7 +307,6 @@ public function completeOidcAuthorizationRequest(
     }
 
     /**
-     * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
      * @throws \League\OAuth2\Server\Exception\OAuthServerException
      * @throws \League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException
      */
@@ -316,25 +315,29 @@ protected function issueOidcAuthCode(
         OAuth2ClientEntityInterface $client,
         string $userIdentifier,
         string $redirectUri,
-        array $scopes = [],
-        ?string $nonce = null,
+        AuthorizationRequest $authorizationRequest,
     ): AuthCodeEntityInterface {
         $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
 
         if (!is_a($this->authCodeRepository, AuthCodeRepositoryInterface::class)) {
             throw OidcServerException::serverError('Unexpected auth code repository entity type.');
         }
 
+        $flowType = $authorizationRequest->isVciRequest() ?
+        FlowTypeEnum::VciAuthorizationCode :
+        FlowTypeEnum::OidcAuthorizationCode;
+
         while ($maxGenerationAttempts-- > 0) {
             try {
                 $authCode = $this->authCodeEntityFactory->fromData(
                     $this->generateUniqueIdentifier(),
                     $client,
-                    $scopes,
+                    $authorizationRequest->getScopes(),
                     (new DateTimeImmutable())->add($authCodeTTL),
                     $userIdentifier,
                     $redirectUri,
-                    $nonce,
+                    $authorizationRequest->getNonce(),
+                    flowTypeEnum: $flowType,
                 );
                 $this->authCodeRepository->persistNewAuthCode($authCode);
 

src/Server/Grants/PreAuthCodeGrant.php

@@ -142,7 +142,7 @@ public function respondToAccessTokenRequest(
             throw OidcServerException::invalidGrant('Invalid pre-authorized code.');
         }
 
-        if (!$preAuthorizedCode->isPreAuthorized()) {
+        if (!$preAuthorizedCode->isVciPreAuthorized()) {
             $this->loggerService->error(
                 'Pre-authorized code is not pre-authorized. Value was: ' . $preAuthorizedCodeId,
             );

src/Services/DatabaseMigration.php

@@ -174,6 +174,11 @@ public function migrate(): void
             $this->version20250908163000();
             $this->database->write("INSERT INTO $versionsTablename (version) VALUES ('20250908163000')");
         }
+
+        if (!in_array('20250912163000', $versions, true)) {
+            $this->version20250912163000();
+            $this->database->write("INSERT INTO $versionsTablename (version) VALUES ('20250912163000')");
+        }
     }
 
     private function versionsTableName(): string
@@ -571,6 +576,21 @@ private function version20250908163000(): void
             ,);
     }
 
+    private function version20250912163000(): void
+    {
+        $authCodeTableName = $this->database->applyPrefix(AuthCodeRepository::TABLE_NAME);
+        $this->database->write(<<< EOT
+        ALTER TABLE {$authCodeTableName}
+            DROP COLUMN is_pre_authorized;
+EOT
+            ,);
+        $this->database->write(<<< EOT
+        ALTER TABLE {$authCodeTableName}
+            ADD flow_type CHAR(64) NULL;
+EOT
+            ,);
+    }
+
     /**
      * @param string[] $columnNames
      */

tests/unit/src/Entities/AuthCodeEntityTest.php

@@ -98,7 +98,7 @@ public function testCanGetState(): void
                 'is_revoked' => false,
                 'redirect_uri' => 'https://localhost/redirect',
                 'nonce' => 'nonce',
-                'is_pre_authorized' => false,
+                'flow_type' => null,
                 'tx_code' => null,
             ],
         );