WIP

Author: cicnavi

config/module_oidc.php.dist

@@ -790,6 +790,20 @@ $config = [
         ],
     ],
 
+    // Map of authentication sources and user's email attribute names. This enables you to define a specific attribute
+    // name which contains the user's email address, per authentication source. This is used, for example, to send
+    // Transaction Code in the case of pre-authorized codes for verifiable credential issuance. If not set, the
+    // default user's email attribute name will be used (see the option below).
+    //
+    // Format is: 'authentication-source-id' => 'email-attribute-name'.
+    ModuleConfig::OPTION_AUTH_SOURCES_TO_USERS_EMAIL_ATTRIBUTE_NAME_MAP => [
+        'example-auth-source-id' => 'mail',
+    ],
+
+    // The default name of the attribute which contains the user's email address. If not set, it will
+    // fall back to 'mail'.
+    ModuleConfig::OPTION_DEFAULT_USERS_EMAIL_ATTRIBUTE_NAME => 'mail',
+
     /**
      * (optional) API-related options.
      */

src/Controllers/Admin/VerifiableCredentailsTestController.php

@@ -11,20 +11,11 @@
 use SimpleSAML\Module\oidc\Factories\AuthSimpleFactory;
 use SimpleSAML\Module\oidc\Factories\CredentialOfferUriFactory;
 use SimpleSAML\Module\oidc\Factories\EmailFactory;
-use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
-use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
-use SimpleSAML\Module\oidc\Factories\Entities\UserEntityFactory;
 use SimpleSAML\Module\oidc\Factories\TemplateFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
-use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
-use SimpleSAML\Module\oidc\Repositories\ClientRepository;
-use SimpleSAML\Module\oidc\Repositories\UserRepository;
 use SimpleSAML\Module\oidc\Services\LoggerService;
-use SimpleSAML\Module\oidc\Services\SessionMessagesService;
 use SimpleSAML\Module\oidc\Services\SessionService;
-use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 use SimpleSAML\Module\oidc\Utils\Routes;
-use SimpleSAML\OpenID\VerifiableCredentials;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -123,16 +114,26 @@ public function verifiableCredentialIssuance(Request $request): Response
 
         $credentialOfferQrUri = null;
         $credentialOfferUri = null;
+        $useTxCode = (bool) $request->get('useTxCode');
+        $usersEmailAttributeName = $request->get('usersEmailAttributeName');
+        $usersEmailAttributeName = is_string($usersEmailAttributeName) && (trim($usersEmailAttributeName) !== '') ?
+        trim($usersEmailAttributeName) :
+        null;
 
         if (
             $authSource instanceof Simple &&
             $authSource->isAuthenticated()
         ) {
             $userAttributes = $authSource->getAttributes();
+            $usersEmailAttributeName ??= $this->moduleConfig->getUsersEmailAttributeNameForAuthSourceId(
+                $authSource->getAuthSource()->getAuthId(),
+            );
 
             $credentialOfferUri = $this->credentialOfferUriFactory->buildPreAuthorized(
                 [$selectedCredentialConfigurationId],
                 $userAttributes,
+                $useTxCode,
+                $usersEmailAttributeName,
             );
 
             // TODO mivanci Local QR code generator
@@ -142,6 +143,8 @@ public function verifiableCredentialIssuance(Request $request): Response
 
         $authSourceActionRoute = $this->routes->urlAdminTestVerifiableCredentialIssuance();
 
+        $defaultUsersEmailAttributeName = $this->moduleConfig->getDefaultUsersEmailAttributeName();
+
         return $this->templateFactory->build(
             'oidc:tests/verifiable-credential-issuance.twig',
             compact(
@@ -153,6 +156,8 @@ public function verifiableCredentialIssuance(Request $request): Response
                 'authSource',
                 'credentialConfigurationIdsSupported',
                 'selectedCredentialConfigurationId',
+                'defaultUsersEmailAttributeName',
+                'usersEmailAttributeName',
             ),
             RoutesEnum::AdminTestVerifiableCredentialIssuance->value,
         );

src/Controllers/Api/VciCredentialOfferController.php

@@ -78,9 +78,23 @@ public function credentialOffer(Request $request): Response
             );
         }
 
+        $useTxCode = boolval($input['use_tx_code'] ?? false);
+        $usersEmailAttributeName = $input['users_email_attribute_name'] ?? null;
+        $usersEmailAttributeName = is_string($usersEmailAttributeName) ? $usersEmailAttributeName : null;
+        $authenticationSourceId = $input['authentication_source_id'] ?? null;
+        $authenticationSourceId = is_string($authenticationSourceId) ? $authenticationSourceId : null;
+
+        if (is_null($usersEmailAttributeName) && is_string($authenticationSourceId)) {
+            $usersEmailAttributeName = $this->moduleConfig->getUsersEmailAttributeNameForAuthSourceId(
+                $authenticationSourceId,
+            );
+        }
+
         $credentialOfferUri = $this->credentialOfferUriFactory->buildPreAuthorized(
             [$selectedCredentialConfigurationId],
             $userAttributes,
+            $useTxCode,
+            $usersEmailAttributeName,
         );
 
         return $this->routes->newJsonResponse(

src/Entities/AuthCodeEntity.php

@@ -43,6 +43,8 @@ public function __construct(
         ?string $redirectUri = null,
         ?string $nonce = null,
         bool $isRevoked = false,
+        protected readonly bool $isPreAuthorized = false,
+        protected readonly ?string $txCode = null,
     ) {
         $this->identifier = $id;
         $this->client = $client;
@@ -68,6 +70,18 @@ public function getState(): array
             'is_revoked' => $this->isRevoked(),
             'redirect_uri' => $this->getRedirectUri(),
             'nonce' => $this->getNonce(),
+            'is_pre_authorized' => $this->isPreAuthorized,
+            'tx_code' => $this->txCode,
         ];
     }
+
+    public function isPreAuthorized(): bool
+    {
+        return $this->isPreAuthorized;
+    }
+
+    public function getTxCode(): ?string
+    {
+        return $this->txCode;
+    }
 }

src/Factories/CredentialOfferUriFactory.php

@@ -6,11 +6,11 @@
 
 use DateTimeImmutable;
 use RuntimeException;
+use SimpleSAML\Error\Exception;
 use SimpleSAML\Module\oidc\Bridges\SspBridge;
 use SimpleSAML\Module\oidc\Codebooks\ParametersEnum;
 use SimpleSAML\Module\oidc\Entities\ScopeEntity;
 use SimpleSAML\Module\oidc\Entities\UserEntity;
-use SimpleSAML\Module\oidc\Exceptions\OidcException;
 use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\UserEntityFactory;
@@ -21,8 +21,8 @@
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\GrantTypesEnum;
-use SimpleSAML\OpenID\Exceptions\OpenIdException;
 use SimpleSAML\OpenID\VerifiableCredentials;
+use SimpleSAML\OpenID\VerifiableCredentials\TxCode;
 
 class CredentialOfferUriFactory
 {
@@ -37,6 +37,7 @@ public function __construct(
         protected readonly LoggerService $loggerService,
         protected readonly UserRepository $userRepository,
         protected readonly UserEntityFactory $userEntityFactory,
+        protected readonly EmailFactory $emailFactory,
     ) {
     }
 
@@ -47,6 +48,8 @@ public function __construct(
     public function buildPreAuthorized(
         array $credentialConfigurationIds,
         array $userAttributes,
+        bool $useTxCode = false,
+        string $userEmailAttributeName = null,
     ): string {
         if (empty($credentialConfigurationIds)) {
             throw new RuntimeException('No credential configuration IDs provided.');
@@ -62,21 +65,6 @@ public function buildPreAuthorized(
             throw new RuntimeException('Unsupported credential configuration IDs provided.');
         }
 
-        /* TODO mivanci TX Code handling
-            $email = $this->emailFactory->build(
-                subject: 'VC Issuance Transaction code',
-                to: '[email protected]',
-            );
-
-            $email->setData(['Transaction Code' => '1234']);
-            try {
-                $email->send();
-                $this->sessionMessagesService->addMessage('Email with tx code sent to: [email protected]');
-            } catch (Exception $e) {
-                $this->sessionMessagesService->addMessage('Error emailing tx code.');
-            }
-            */
-
         // TODO mivanci Wallet (client) credential_offer_endpoint metadata
         // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#client-metadata
 
@@ -103,13 +91,19 @@ public function buildPreAuthorized(
         } catch (\Throwable $e) {
             $this->loggerService->warning(
                 'Could not extract user identifier from user attributes: ' . $e->getMessage(),
+                $userAttributes,
             );
         }
 
         if ($userId === null) {
+            $this->loggerService->warning('Falling back to user attributes hash for user identifier.');
             $sortedAttributes = $userAttributes;
             $this->verifiableCredentials->helpers()->arr()->hybridSort($sortedAttributes);
-            $userId = 'vci_preauthz_' . hash('sha256', serialize($sortedAttributes));
+            $userId = 'vci_credential_offer_preauthz_' . hash('sha256', serialize($sortedAttributes));
+            $this->loggerService->info(
+                'Generated user identifier based on user attributes: ' . $userId,
+                $userAttributes,
+            );
         }
 
         $oldUserEntity = $this->userRepository->getUserEntityByIdentifier($userId);
@@ -136,14 +130,28 @@ public function buildPreAuthorized(
             throw new RuntimeException('Failed to generate Authorization Code ID.');
         }
 
-        // TODO mivanci Add indication of preAuthZ code to the auth code table.
+        $txCode = null;
+        $userEmail = null;
+        $userEmailAttributeName ??= $this->moduleConfig->getDefaultUsersEmailAttributeName();
+        if ($useTxCode) {
+            $userEmail = $this->getUserEmail($userEmailAttributeName, $userAttributes);
+            $txCodeDescription = 'Please provide the one-time code that was sent to e-mail ' . $userEmail;
+            $txCode = $this->buildTxCode($txCodeDescription);
+            $this->loggerService->debug(
+                'Generated TxCode for sending by email: ' . $txCode->getCodeAsString(),
+                $txCode->jsonSerialize(),
+            );
+        }
+
         $authCode = $this->authCodeEntityFactory->fromData(
             id: $authCodeId,
             client: $client,
             scopes: $scopes,
             expiryDateTime: (new DateTimeImmutable())->add($this->moduleConfig->getAuthCodeDuration()),
             userIdentifier: $userId,
             redirectUri: 'openid-credential-offer://',
+            isPreAuthorized: true,
+            txCode: $txCode instanceof VerifiableCredentials\TxCode ? $txCode->getCodeAsString() : null,
         );
         $this->authCodeRepository->persistNewAuthCode($authCode);
 
@@ -156,17 +164,22 @@ public function buildPreAuthorized(
                 ClaimsEnum::Grants->value => [
                     GrantTypesEnum::PreAuthorizedCode->value => [
                         ClaimsEnum::PreAuthorizedCode->value => $authCode->getIdentifier(),
-                        // TODO mivanci support for TxCode
-                        //                        ClaimsEnum::TxCode->value => [
-                        //                            ClaimsEnum::InputMode->value => 'numeric',
-                        //                            ClaimsEnum::Length->value => 6,
-                        //                            ClaimsEnum::Description->value => 'Sent to user mail',
-                        //                        ],
+                        ...(array_filter(
+                            [
+                                ClaimsEnum::TxCode->value => $txCode instanceof VerifiableCredentials\TxCode ?
+                                    $txCode->jsonSerialize() :
+                                    null,
+                            ],
+                        )),
                     ],
                 ],
             ],
         );
 
+        if ($txCode instanceof VerifiableCredentials\TxCode && $userEmail !== null) {
+            $this->sendTxCodeByEmail($txCode, $userEmail);
+        }
+
         $credentialOfferValue = $credentialOffer->jsonSerialize();
         $parameterName = ParametersEnum::CredentialOfferUri->value;
         if (is_array($credentialOfferValue)) {
@@ -176,4 +189,60 @@ public function buildPreAuthorized(
 
         return "openid-credential-offer://?$parameterName=$credentialOfferValue";
     }
+
+    /**
+     * @param mixed[] $userAttributes
+     * @throws RuntimeException
+     */
+    public function getUserEmail(string $userEmailAttributeName, array $userAttributes): string
+    {
+        try {
+            $userEmail = $this->sspBridge->utils()->attributes()->getExpectedAttribute(
+                $userAttributes,
+                $userEmailAttributeName,
+                true,
+            );
+        } catch (Exception $e) {
+            throw new RuntimeException('Could not extract user email from user attributes: ' . $e->getMessage());
+        }
+
+        if (!is_string($userEmail)) {
+            throw new RuntimeException('User email attribute value is not a string.');
+        }
+
+        return $userEmail;
+    }
+
+    public function buildTxCode(
+        string $description,
+        int|string $txCode = null,
+    ): TxCode {
+        $txCode ??= rand(1000, 9999);
+
+        return $this->verifiableCredentials->txCodeFactory()->build(
+            $txCode,
+            $description,
+        );
+    }
+
+    /**
+     * @throws OidcException
+     */
+    public function sendTxCodeByEmail(TxCode $txCode, string $email, string $subject = null): void
+    {
+        $subject ??= 'Your one-time code';
+
+        $email = $this->emailFactory->build(
+            subject: $subject,
+            to: $email,
+        );
+
+        $email->setText('Use the following code to complete the transaction.');
+
+        $email->setData([
+            'Transaction Code' => $txCode->getCodeAsString(),
+        ]);
+
+        $email->send();
+    }
 }

src/Factories/Entities/AuthCodeEntityFactory.php

@@ -31,6 +31,8 @@ public function fromData(
         ?string $redirectUri = null,
         ?string $nonce = null,
         bool $isRevoked = false,
+        bool $isPreAuthorized = false,
+        ?string $txCode = null,
     ): AuthCodeEntity {
         return new AuthCodeEntity(
             $id,
@@ -41,6 +43,8 @@ public function fromData(
             $redirectUri,
             $nonce,
             $isRevoked,
+            $isPreAuthorized,
+            $txCode,
         );
     }
 
@@ -81,6 +85,8 @@ public function fromState(array $state): AuthCodeEntity
         $redirectUri = empty($state['redirect_uri']) ? null : (string)$state['redirect_uri'];
         $nonce = empty($state['nonce']) ? null : (string)$state['nonce'];
         $isRevoked = (bool) $state['is_revoked'];
+        $isPreAuthorized = (bool) $state['is_pre_authorized'];
+        $txCode = empty($state['tx_code']) ? null : (string)$state['tx_code'];
 
         return $this->fromData(
             $id,
@@ -91,6 +97,8 @@ public function fromState(array $state): AuthCodeEntity
             $redirectUri,
             $nonce,
             $isRevoked,
+            $isPreAuthorized,
+            $txCode,
         );
     }
 }