WIP

www-data · www-data · commit 1d806d56c1c9 · 2025-05-14T15:18:14.000+02:00
diff --git a/routing/routes/routes.php b/routing/routes/routes.php
@@ -21,6 +21,7 @@
 use SimpleSAML\Module\oidc\Controllers\OAuth2\OAuth2ServerConfigurationController;
 use SimpleSAML\Module\oidc\Controllers\UserInfoController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerConfigurationController;
+use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerCredentialController;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;
 
@@ -128,6 +129,6 @@
         ->methods([HttpMethodsEnum::GET->value]);
 
     $routes->add(RoutesEnum::CredentialIssuerCredential->name, RoutesEnum::CredentialIssuerCredential->value)
-        ->controller([CredentialIssuerConfigurationController::class, 'credential'])
-        ->methods([HttpMethodsEnum::GET->value]);
+        ->controller([CredentialIssuerCredentialController::class, 'credential'])
+        ->methods([HttpMethodsEnum::GET->value, HttpMethodsEnum::POST->value]);
 };
diff --git a/src/Controllers/Admin/VerifiableCredentailsTestController.php b/src/Controllers/Admin/VerifiableCredentailsTestController.php
@@ -11,17 +11,13 @@
 use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
 use SimpleSAML\Module\oidc\Factories\TemplateFactory;
-use SimpleSAML\Module\oidc\Helpers;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
 use SimpleSAML\Module\oidc\Repositories\ClientRepository;
 use SimpleSAML\Module\oidc\Services\LoggerService;
-use SimpleSAML\Module\oidc\Utils\Debug\ArrayLogger;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\GrantTypesEnum;
-use SimpleSAML\OpenID\Federation;
 use SimpleSAML\OpenID\VerifiableCredentials;
-use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
 class VerifiableCredentailsTestController
@@ -35,8 +31,6 @@ public function __construct(
         protected readonly AuthCodeEntityFactory $authCodeEntityFactory,
         protected readonly ClientRepository $clientRepository,
         protected readonly ClientEntityFactory $clientEntityFactory,
-        protected readonly Federation $federation,
-        protected readonly Helpers $helpers,
         protected readonly LoggerService $loggerService,
     ) {
         $this->authorization->requireAdmin(true);
@@ -47,7 +41,7 @@ public function __construct(
      * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
      * @throws \SimpleSAML\OpenID\Exceptions\CredentialOfferException
      */
-    public function verifiableCredentialIssuance(Request $request): Response
+    public function verifiableCredentialIssuance(): Response
     {
         $sampleData = [
             'eduPersonPrincipalName' => 'testuser@example.com',
@@ -59,7 +53,7 @@ public function verifiableCredentialIssuance(Request $request): Response
             'eduPersonScopedAffiliation' => 'member@example.com',
         ];
 
-        $this->loggerService->info('test', $sampleData);;
+        $this->loggerService->info('test', $sampleData);
 
         // TODO mivanci Wallet (client) credential_offer_endpoint metadata
         // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#client-metadata
diff --git a/src/Controllers/VerifiableCredentials/CredentialIssuerConfigurationController.php b/src/Controllers/VerifiableCredentials/CredentialIssuerConfigurationController.php
@@ -18,6 +18,7 @@
 use SimpleSAML\Module\oidc\Utils\Routes;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\CredentialFormatIdentifiersEnum;
+use SimpleSAML\OpenID\Codebooks\CredentialTypesEnum;
 use SimpleSAML\OpenID\Codebooks\LanguageTagsEnum;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -253,7 +254,7 @@ public function configuration(): Response
                     // REQUIRED
                     ClaimsEnum::CredentialDefinition->value => [
                         ClaimsEnum::Type->value => [
-                            'VerifiableCredential', // TODO mivanci CredentialTypesEnum
+                            CredentialTypesEnum::VerifiableCredential->value,
                             'ResearchAndScholarshipCredentialJwtVcJson',
                         ],
                     ],
diff --git a/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php b/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php
@@ -4,9 +4,20 @@
 
 namespace SimpleSAML\Module\oidc\Controllers\VerifiableCredentials;
 
+use League\OAuth2\Server\ResourceServer;
+use SimpleSAML\Module\oidc\Bridges\PsrHttpBridge;
 use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Utils\FingerprintGenerator;
 use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
+use SimpleSAML\OpenID\Codebooks\AtContextsEnum;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\CredentialTypesEnum;
+use SimpleSAML\OpenID\Jwk;
+use SimpleSAML\OpenID\VerifiableCredentials;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
 class CredentialIssuerCredentialController
@@ -15,19 +26,81 @@ class CredentialIssuerCredentialController
      * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
      */
     public function __construct(
+        protected readonly ResourceServer $resourceServer,
+        protected readonly AccessTokenRepository $accessTokenRepository,
         protected readonly ModuleConfig $moduleConfig,
         protected readonly Routes $routes,
+        protected readonly PsrHttpBridge $psrHttpBridge,
+        protected readonly VerifiableCredentials $verifiableCredentials,
+        protected readonly Jwk $jwk,
     ) {
         if (!$this->moduleConfig->getVerifiableCredentialEnabled()) {
             throw OidcServerException::forbidden('Verifiable Credential capabilities not enabled');
         }
     }
 
-    public function credential(): Response
+    public function credential(Request $request): Response
     {
+        $authorization = $this->resourceServer->validateAuthenticatedRequest(
+            $this->psrHttpBridge->getPsrHttpFactory()->createRequest($request),
+        );
+
+        // TODO mivanci validate
+        $accessToken = $this->accessTokenRepository->findById($authorization->getAttribute('oauth_access_token_id'));
+        if ($accessToken->isRevoked()) {
+            throw OidcServerException::accessDenied('Access token is revoked.');
+        }
+
+        // TODO mivanci validate requested credential identifier
+
+        $jwk = $this->jwk->jwkDecoratorFactory()->fromPkcs1Or8KeyFile(
+            $this->moduleConfig->getProtocolPrivateKeyPath(),
+            null,
+        );
+
+        $issuedAt = new \DateTimeImmutable();
+
+        $verifiableCredential = $this->verifiableCredentials->jwtVcJsonFactory()->fromData(
+            $jwk,
+            SignatureAlgorithmEnum::RS256,
+            [
+                ClaimsEnum::Vc->value => [
+                    ClaimsEnum::AtContext->value => [
+                        AtContextsEnum::W3Org2018CredentialsV1->value,
+                    ],
+                    ClaimsEnum::Type->value => [
+                        CredentialTypesEnum::VerifiableCredential->value,
+                        'ResearchAndScholarshipCredentialJwtVcJson',
+                    ],
+                    ClaimsEnum::Issuer->value => $this->moduleConfig->getIssuer(),
+                    ClaimsEnum::Issuance_Date->value => $issuedAt->format(\DateTimeInterface::RFC3339),
+                    ClaimsEnum::Credential_Subject->value => [
+                        'eduPersonPrincipalName' => 'testuser@example.com',
+                        'eduPersonTargetedID' => 'abc123',
+                        'displayName' => 'Test User',
+                        'givenName' => 'Test',
+                        'sn' => 'User',
+                        'mail' => 'testuser@example.com',
+                        'eduPersonScopedAffiliation' => 'member@example.com',
+                    ],
+                ],
+                ClaimsEnum::Iss->value => $this->moduleConfig->getIssuer(),
+                ClaimsEnum::Iat->value => $issuedAt->getTimestamp(),
+                ClaimsEnum::Nbf->value => $issuedAt->getTimestamp(),
+                ClaimsEnum::Sub->value => 'testuid',
+            ],
+            [
+                ClaimsEnum::Kid->value => FingerprintGenerator::forFile(
+                    $this->moduleConfig->getProtocolCertPath(),
+                ),
+            ],
+        );
+
         return $this->routes->newJsonResponse(
             [
-                'credential' => 'credential',
+                'credentials' => [
+                    'credential' => $verifiableCredential->getToken(),
+                ],
             ],
         );
     }
diff --git a/src/Factories/Grant/AuthCodeGrantFactory.php b/src/Factories/Grant/AuthCodeGrantFactory.php
@@ -62,7 +62,7 @@ public function build(): AuthCodeGrant
             $this->authCodeEntityFactory,
             $this->refreshTokenIssuer,
             $this->helpers,
-            $this->loggerService
+            $this->loggerService,
         );
         $authCodeGrant->setRefreshTokenTTL($this->moduleConfig->getRefreshTokenDuration());
 
diff --git a/src/Factories/Grant/PreAuthCodeGrantFactory.php b/src/Factories/Grant/PreAuthCodeGrantFactory.php
@@ -23,7 +23,6 @@
 use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
 use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
 use SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository;
-use SimpleSAML\Module\oidc\Server\Grants\AuthCodeGrant;
 use SimpleSAML\Module\oidc\Server\Grants\PreAuthCodeGrant;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\TokenIssuers\RefreshTokenIssuer;
@@ -63,7 +62,7 @@ public function build(): PreAuthCodeGrant
             $this->authCodeEntityFactory,
             $this->refreshTokenIssuer,
             $this->helpers,
-            $this->loggerService
+            $this->loggerService,
         );
         $preAuthCodeGrant->setRefreshTokenTTL($this->moduleConfig->getRefreshTokenDuration());
 
diff --git a/src/Server/Grants/PreAuthCodeGrant.php b/src/Server/Grants/PreAuthCodeGrant.php
@@ -114,7 +114,7 @@ public function respondToAccessTokenRequest(
 
         $this->loggerService->debug(
             'Pre-authorized code grant respondToAccessTokenRequest',
-            $this->requestParamsResolver->getAllFromRequest($request)
+            $this->requestParamsResolver->getAllFromRequest($request),
         );
 
         $preAuthorizedCodeId = $this->requestParamsResolver->getAsStringBasedOnAllowedMethods(
diff --git a/src/Services/Container.php b/src/Services/Container.php
@@ -51,6 +51,7 @@
 use SimpleSAML\Module\oidc\Factories\FormFactory;
 use SimpleSAML\Module\oidc\Factories\Grant\AuthCodeGrantFactory;
 use SimpleSAML\Module\oidc\Factories\Grant\ImplicitGrantFactory;
+use SimpleSAML\Module\oidc\Factories\Grant\PreAuthCodeGrantFactory;
 use SimpleSAML\Module\oidc\Factories\Grant\RefreshTokenGrantFactory;
 use SimpleSAML\Module\oidc\Factories\IdTokenResponseFactory;
 use SimpleSAML\Module\oidc\Factories\JwksFactory;
@@ -71,6 +72,7 @@
 use SimpleSAML\Module\oidc\Server\AuthorizationServer;
 use SimpleSAML\Module\oidc\Server\Grants\AuthCodeGrant;
 use SimpleSAML\Module\oidc\Server\Grants\ImplicitGrant;
+use SimpleSAML\Module\oidc\Server\Grants\PreAuthCodeGrant;
 use SimpleSAML\Module\oidc\Server\Grants\RefreshTokenGrant;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AcrValuesRule;
@@ -469,6 +471,21 @@ public function __construct()
         );
         $this->services[RefreshTokenGrant::class] = $refreshTokenGrantFactory->build();
 
+        $preAuthCodeGrantFactory = new PreAuthCodeGrantFactory(
+            $moduleConfig,
+            $authCodeRepository,
+            $accessTokenRepository,
+            $refreshTokenRepository,
+            $requestRuleManager,
+            $requestParamsResolver,
+            $accessTokenEntityFactory,
+            $authCodeEntityFactory,
+            $refreshTokenIssuer,
+            $helpers,
+            $loggerService,
+        );
+        $this->services[PreAuthCodeGrant::class] = $preAuthCodeGrantFactory->build();
+
         $authorizationServerFactory = new AuthorizationServerFactory(
             $moduleConfig,
             $clientRepository,
@@ -480,6 +497,7 @@ public function __construct()
             $this->services[IdTokenResponse::class],
             $requestRuleManager,
             $privateKey,
+            $this->services[PreAuthCodeGrant::class],
         );
         $this->services[AuthorizationServer::class] = $authorizationServerFactory->build();
 
