simplesamlphp
diff --git a/‎config/module_oidc.php.dist‎
Lines changed: 0 additions & 4 deletions b/‎config/module_oidc.php.dist‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎src/Controllers/AuthorizationController.php‎
Lines changed: 2 additions & 0 deletions b/‎src/Controllers/AuthorizationController.php‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php‎
Lines changed: 236 additions & 33 deletions b/‎src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php‎
Lines changed: 236 additions & 33 deletions
diff --git a/‎src/Factories/AuthorizationServerFactory.php‎
Lines changed: 3 additions & 0 deletions b/‎src/Factories/AuthorizationServerFactory.php‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/ModuleConfig.php‎
Lines changed: 0 additions & 10 deletions b/‎src/ModuleConfig.php‎
Lines changed: 0 additions & 10 deletions
diff --git a/‎src/Server/AuthorizationServer.php‎
Lines changed: 46 additions & 1 deletion b/‎src/Server/AuthorizationServer.php‎
Lines changed: 46 additions & 1 deletion
diff --git a/‎src/Server/Grants/AuthCodeGrant.php‎
Lines changed: 66 additions & 9 deletions b/‎src/Server/Grants/AuthCodeGrant.php‎
Lines changed: 66 additions & 9 deletions
@@ -526,10 +526,6 @@ $config = [
         'openid-credential-offer://',
     ],
 
-    // Allow or disallow clients to request verifiable credentials using Authorization Code Grant without client ID.
-    // Default is disallowed (false).
-    ModuleConfig::OPTION_ALLOW_VCI_AUTHORIZATION_CODE_REQUESTS_WITHOUT_CLIENT_ID => false,
-
     // (optional) Credential configuration statements, as per `credential_configurations_supported` claim definition in
     // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#credential-issuer-parameters.
     // Check the example below on how this can be used.
 
@@ -59,8 +59,10 @@ public function __invoke(ServerRequestInterface $request): ResponseInterface
     {
         $queryParameters = $request->getQueryParams();
         $state = null;
+        $this->loggerService->debug('AuthorizationController::invoke: Request parameters: ', $queryParameters);
 
         if (!isset($queryParameters[ProcessingChain::AUTHPARAM])) {
+            $this->loggerService->debug('AuthorizationController::invoke: No AuthProcId query param.');
             $authorizationRequest = $this->authorizationServer->validateAuthorizationRequest($request);
             $state = $this->authenticationService->processRequest($request, $authorizationRequest);
             // processState will trigger a redirect
 
@@ -28,6 +28,7 @@
 use SimpleSAML\Module\oidc\Server\Grants\RefreshTokenGrant;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\ResponseTypes\TokenResponse;
+use SimpleSAML\Module\oidc\Services\LoggerService;
 
 class AuthorizationServerFactory
 {
@@ -43,6 +44,7 @@ public function __construct(
         private readonly RequestRulesManager $requestRulesManager,
         private readonly CryptKey $privateKey,
         private readonly PreAuthCodeGrant $preAuthCodeGrant,
+        private readonly LoggerService $loggerService,
     ) {
     }
 
@@ -56,6 +58,7 @@ public function build(): AuthorizationServer
             $this->moduleConfig->getEncryptionKey(),
             $this->tokenResponse,
             $this->requestRulesManager,
+            $this->loggerService,
         );
 
         $authorizationServer->enableGrantType(
 
@@ -110,8 +110,6 @@ class ModuleConfig
     'auth_sources_to_users_email_attribute_name_map';
     final public const OPTION_ISSUER_STATE_TTL = 'issuer_state_ttl';
     final public const OPTION_ALLOW_NON_REGISTERED_CLIENTS_FOR_VCI = 'allow_non_registered_clients_for_vci';
-    final public const OPTION_ALLOW_VCI_AUTHORIZATION_CODE_REQUESTS_WITHOUT_CLIENT_ID =
-    'allow_vci_authorization_code_requests_without_client_id';
     final public const OPTION_ALLOWED_REDIRECT_URI_PREFIXES_FOR_NON_REGISTERED_CLIENTS_FOR_VCI =
     'allowed_redirect_uri_prefixes_for_non_registered_clients_for_vci';
 
@@ -1026,14 +1024,6 @@ public function getAllowNonRegisteredClientsForVci(): bool
         return $this->config()->getOptionalBoolean(self::OPTION_ALLOW_NON_REGISTERED_CLIENTS_FOR_VCI, false);
     }
 
-    public function getAllowVciAuthorizationCodeRequestsWithoutClientId(): bool
-    {
-        return $this->config()->getOptionalBoolean(
-            self::OPTION_ALLOW_VCI_AUTHORIZATION_CODE_REQUESTS_WITHOUT_CLIENT_ID,
-            false,
-        );
-    }
-
     public function getAllowedRedirectUriPrefixesForNonRegisteredClientsForVci(): array
     {
         return $this->config()->getOptionalArray(
 
@@ -25,6 +25,7 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule;
 use SimpleSAML\Module\oidc\Server\RequestTypes\LogoutRequest;
+use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 
 class AuthorizationServer extends OAuth2AuthorizationServer
@@ -51,6 +52,7 @@ public function __construct(
         Key|string $encryptionKey,
         ?ResponseTypeInterface $responseType = null,
         ?RequestRulesManager $requestRulesManager = null,
+        protected readonly ?LoggerService $loggerService = null,
     ) {
         parent::__construct(
             $clientRepository,
@@ -77,6 +79,8 @@ public function __construct(
      */
     public function validateAuthorizationRequest(ServerRequestInterface $request): OAuth2AuthorizationRequest
     {
+        $this->loggerService?->debug('AuthorizationServer::validateAuthorizationRequest');
+
         $rulesToExecute = [
             StateRule::class,
             ClientRule::class,
@@ -91,27 +95,68 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O
                 [HttpMethodsEnum::GET, HttpMethodsEnum::POST],
             );
         } catch (OidcServerException $exception) {
-            $reason = sprintf("%s %s", $exception->getMessage(), $exception->getHint() ?? '');
+            $reason = sprintf(
+                "AuthorizationServer: %s %s",
+                $exception->getMessage(),
+                $exception->getHint() ?? '',
+            );
+            $this->loggerService?->error($reason);
             throw new BadRequest($reason);
         }
 
+        $this->loggerService?->debug(
+            'AuthorizationServer: Result bag validated',
+            ['rulesToExecute' => $rulesToExecute],
+        );
+
         // state and redirectUri is used here, so we can return HTTP redirect error in case of invalid response_type.
         /** @var ?string $state */
         $state = $resultBag->getOrFail(StateRule::class)->getValue();
         /** @var string $redirectUri */
         $redirectUri = $resultBag->getOrFail(ClientRedirectUriRule::class)->getValue();
 
         foreach ($this->enabledGrantTypes as $grantType) {
+            $this->loggerService?->debug(
+                'AuthorizationServer: Checking if grant type can respond to authorization request: ' .
+                $grantType::class,
+            );
             if ($grantType->canRespondToAuthorizationRequest($request)) {
+                $this->loggerService?->debug(
+                    'AuthorizationServer: Grant type can respond to authorization request: ' .
+                    $grantType::class,
+                );
+
                 if (! $grantType instanceof AuthorizationValidatableWithRequestRules) {
+                    $this->loggerService?->error(
+                        'AuthorizationServer: grant type must be validatable with ' .
+                        'already validated result bag: ' . $grantType::class,
+                    );
                     throw OidcServerException::serverError('grant type must be validatable with already validated ' .
                                                            'result bag');
                 }
 
+                $this->loggerService?->debug(
+                    sprintf(
+                        'AuthorizationServer: Grant type class: %s, identifier: %s ',
+                        $grantType::class,
+                        $grantType->getIdentifier(),
+                    ),
+                );
+
                 return $grantType->validateAuthorizationRequestWithRequestRules($request, $resultBag);
+            } else {
+                $this->loggerService?->debug(
+                    'AuthorizationServer: Grant type can NOT respond to ' .
+                    'authorization request: ' . $grantType::class,
+                );
             }
         }
 
+        $this->loggerService?->error(
+            'AuthorizationServer: Not a single registered grant type can respond to authorization ' .
+            'request.',
+            ['requestQueryParams' => $request->getQueryParams()],
+        );
         throw OidcServerException::unsupportedResponseType($redirectUri, $state);
     }
 
 
@@ -204,6 +204,8 @@ public function __construct(
      */
     public function canRespondToAuthorizationRequest(ServerRequestInterface $request): bool
     {
+        $this->loggerService->debug('AuthCodeGrant::canRespondToAuthorizationRequest');
+
         $requestParams = $this->requestParamsResolver->getAllBasedOnAllowedMethods(
             $request,
             $this->allowedAuthorizationHttpMethods,
@@ -732,6 +734,8 @@ public function validateAuthorizationRequestWithRequestRules(
         ServerRequestInterface $request,
         ResultBagInterface $resultBag,
     ): OAuth2AuthorizationRequest {
+        $this->loggerService->debug('AuthCodeGrant::validateAuthorizationRequestWithRequestRules');
+
         $rulesToExecute = [
             ClientIdRule::class,
             RequestObjectRule::class,
@@ -758,6 +762,12 @@ public function validateAuthorizationRequestWithRequestRules(
         /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */
         $client = $resultBag->getOrFail(ClientRule::class)->getValue();
 
+        $this->loggerService->debug('AuthCodeGrant: Resolved data:', [
+            'redirectUri' => $redirectUri,
+            'state' => $state,
+            'clientId' => $client->getIdentifier(),
+        ]);
+
         // Some rules have to have certain things available in order to work properly...
         $this->requestRulesManager->setData('default_scope', $this->defaultScope);
         $this->requestRulesManager->setData('scope_delimiter_string', self::SCOPE_DELIMITER_STRING);
@@ -769,9 +779,13 @@ public function validateAuthorizationRequestWithRequestRules(
             $this->allowedAuthorizationHttpMethods,
         );
 
+        $this->loggerService->debug('AuthCodeGrant: executed rules.', ['rulesToExecute' => $rulesToExecute]);
+
         /** @var \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes */
         $scopes = $resultBag->getOrFail(ScopeRule::class)->getValue();
 
+        $this->loggerService->debug('AuthCodeGrant: Resolved scopes: ', ['scopes' => $scopes]);
+
         $oAuth2AuthorizationRequest = new OAuth2AuthorizationRequest();
 
         $oAuth2AuthorizationRequest->setClient($client);
@@ -786,42 +800,66 @@ public function validateAuthorizationRequestWithRequestRules(
         /** @var ?string $codeChallenge */
         $codeChallenge = $resultBag->getOrFail(CodeChallengeRule::class)->getValue();
         if ($codeChallenge) {
+            $this->loggerService->debug('AuthCodeGrant: Code challenge: ', [
+                'codeChallenge' => $codeChallenge,
+            ]);
             /** @var string $codeChallengeMethod */
             $codeChallengeMethod = $resultBag->getOrFail(CodeChallengeMethodRule::class)->getValue();
 
             $oAuth2AuthorizationRequest->setCodeChallenge($codeChallenge);
             $oAuth2AuthorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
+        } else {
+            $this->loggerService->debug('AuthCodeGrant: No code challenge present.');
         }
 
+        $isOidcCandidate = $this->isOidcCandidate($oAuth2AuthorizationRequest);
+
+
+
+        $this->loggerService->debug('AuthCodeGrant: Is OIDC candidate: ', [
+            'isOidcCandidate' => $isOidcCandidate,
+        ]);
+
         $isVciAuthorizationCodeRequest = $this->requestParamsResolver->isVciAuthorizationCodeRequest(
             $request,
             $this->allowedAuthorizationHttpMethods,
         );
 
+        $this->loggerService->debug('AuthCodeGrant: Is VCI authorization code request: ', [
+            'isVciAuthorizationCodeRequest' => $isVciAuthorizationCodeRequest,
+        ]);
+
+
         if (
-            (! $this->isOidcCandidate($oAuth2AuthorizationRequest)) &&
+            (! $isOidcCandidate) &&
             (! $isVciAuthorizationCodeRequest)
         ) {
+            $this->loggerService->debug('Not an OIDC nor VCI request, returning as OAuth2 request.');
             return $oAuth2AuthorizationRequest;
         }
 
+        $this->loggerService->debug('AuthCodeGrant: OIDC or VCI request, continuing with request setup.');
+
         $authorizationRequest = AuthorizationRequest::fromOAuth2AuthorizationRequest($oAuth2AuthorizationRequest);
 
         $nonce = $this->requestParamsResolver->getAsStringBasedOnAllowedMethods(
             ParamsEnum::Nonce->value,
             $request,
             $this->allowedAuthorizationHttpMethods,
         );
+        $this->loggerService->debug('AuthCodeGrant: Nonce: ', ['nonce' => $nonce]);
         if ($nonce !== null) {
             $authorizationRequest->setNonce($nonce);
         }
 
         $maxAge = $resultBag->get(MaxAgeRule::class);
+        $this->loggerService->debug('AuthCodeGrant: MaxAge: ', ['maxAge' => $maxAge]);
         if (null !== $maxAge) {
             $authorizationRequest->setAuthTime((int) $maxAge->getValue());
         }
 
         $requestClaims = $resultBag->get(RequestedClaimsRule::class);
+        $this->loggerService->debug('AuthCodeGrant: Requested claims: ', ['requestClaims' => $requestClaims]);
         if (null !== $requestClaims) {
             /** @var ?array $requestClaimValues */
             $requestClaimValues = $requestClaims->getValue();
@@ -832,35 +870,54 @@ public function validateAuthorizationRequestWithRequestRules(
 
         /** @var array|null $acrValues */
         $acrValues = $resultBag->getOrFail(AcrValuesRule::class)->getValue();
+        $this->loggerService->debug('AuthCodeGrant: ACR values: ', ['acrValues' => $acrValues]);
         $authorizationRequest->setRequestedAcrValues($acrValues);
 
 
         $authorizationRequest->setIsVciRequest($isVciAuthorizationCodeRequest);
-        $authorizationRequest->setFlowType(
-            $isVciAuthorizationCodeRequest ?
-                FlowTypeEnum::VciAuthorizationCode :
-                FlowTypeEnum::OidcAuthorizationCode,
-        );
+        $flowType = $isVciAuthorizationCodeRequest ?
+        FlowTypeEnum::VciAuthorizationCode : FlowTypeEnum::OidcAuthorizationCode;
+        $this->loggerService->debug('AuthCodeGrant: FlowType: ', ['flowType' => $flowType]);
+        $authorizationRequest->setFlowType($flowType);
 
         /** @var ?string $issuerState */
         $issuerState = $resultBag->get(IssuerStateRule::class)?->getValue();
+        $this->loggerService->debug('AuthCodeGrant: Issuer state: ', ['issuerState' => $issuerState]);
         $authorizationRequest->setIssuerState($issuerState);
 
         /** @var ?array $authorizationDetails */
         $authorizationDetails = $resultBag->get(AuthorizationDetailsRule::class)?->getValue();
+        $this->loggerService->debug(
+            'AuthCodeGrant: Authorization details: ',
+            ['authorizationDetails' => $authorizationDetails],
+        );
         $authorizationRequest->setAuthorizationDetails($authorizationDetails);
 
         // Check if we are using a generic client for this request. This can happen for non-registered clients
         // in VCI flows. This can be removed once the VCI clients (wallets) are properly registered using DCR.
         if ($client->isGeneric()) {
+            $this->loggerService->debug(
+                'AuthCodeGrant: Generic client is used for authorization request.',
+                ['genericClientId' => $client->getIdentifier()],
+            );
             // The generic client was used. Make sure to store actually used client_id and redirect_uri params.
-            /** @var string $clientId */
-            $clientId = $resultBag->getOrFail(ClientIdRule::class)->getValue();
-            $authorizationRequest->setBoundClientId($clientId);
+            /** @var string $clientIdParam */
+            $clientIdParam = $resultBag->getOrFail(ClientIdRule::class)->getValue();
+            $this->loggerService->debug(
+                'AuthCodeGrant: Binding client_id param to request: ',
+                ['clientIdParam' => $clientIdParam],
+            );
+            $authorizationRequest->setBoundClientId($clientIdParam);
 
+            $this->loggerService->debug(
+                'AuthCodeGrant: Binding redirect_uri param to request: ',
+                ['redirectUri' => $redirectUri],
+            );
             $authorizationRequest->setBoundRedirectUri($redirectUri);
         }
 
+        $this->loggerService->debug('AuthCodeGrant: Finished setting up authorization request.');
+
         return $authorizationRequest;
     }