WIP

Author: cicnavi

config/module_oidc.php.dist

@@ -823,4 +823,9 @@ $config = [
 //            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::VciCredentialOffer, // Gives access to the credential offer endpoint.
 //        ],
     ],
+
+    // (optional) Issuer State TTL (validity duration), with the given example. If not set, falls back to
+    // Authorization Code TTL. For duration format info, check
+    // https://www.php.net/manual/en/dateinterval.construct.php
+    ModuleConfig::OPTION_ISSUER_STATE_TTL => 'PT10M', // 10 minutes
 ];

hooks/hook_cron.php

@@ -18,6 +18,7 @@
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
 use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
+use SimpleSAML\Module\oidc\Repositories\IssuerStateRepository;
 use SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Services\Container;
@@ -64,6 +65,10 @@ function oidc_hook_cron(array &$croninfo): void
         $refreshTokenRepository = $container->get(RefreshTokenRepository::class);
         $refreshTokenRepository->removeExpired();
 
+        /** @var \SimpleSAML\Module\oidc\Repositories\IssuerStateRepository $issuerStateRepository */
+        $issuerStateRepository = $container->get(IssuerStateRepository::class);
+        $issuerStateRepository->removeInvalid();
+
         $croninfo['summary'][] = 'Module `oidc` clean up. Removed expired entries from storage.';
     } catch (Exception $e) {
         $message = 'Module `oidc` clean up cron script failed: ' . $e->getMessage();

src/Entities/IssuerStateEntity.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Entities;
+
+use DateTimeImmutable;
+use SimpleSAML\Module\oidc\Entities\Interfaces\MementoInterface;
+
+/**
+ * @psalm-suppress PropertyNotSetInConstructor
+ */
+class IssuerStateEntity implements MementoInterface
+{
+    public function __construct(
+        protected readonly string $value,
+        protected readonly DateTimeImmutable $createdAt,
+        protected readonly DateTimeImmutable $expirestAt,
+        protected bool $isRevoked = false,
+    ) {
+    }
+
+    public function getState(): array
+    {
+        return [
+            'value' => $this->getValue(),
+            'created_at' => $this->getCreatedAt()->format('Y-m-d H:i:s'),
+            'expires_at' => $this->getExpirestAt()->format('Y-m-d H:i:s'),
+            'is_revoked' => $this->isRevoked(),
+        ];
+    }
+
+    public function getValue(): string
+    {
+        return $this->value;
+    }
+
+    public function getCreatedAt(): DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function getExpirestAt(): DateTimeImmutable
+    {
+        return $this->expirestAt;
+    }
+
+    public function isRevoked(): bool
+    {
+        return $this->isRevoked;
+    }
+
+    public function revoke(): void
+    {
+        $this->isRevoked = true;
+    }
+}

src/Factories/CredentialOfferUriFactory.php

@@ -13,6 +13,7 @@
 use SimpleSAML\Module\oidc\Entities\UserEntity;
 use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
+use SimpleSAML\Module\oidc\Factories\Entities\IssuerStateEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\UserEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
@@ -21,6 +22,7 @@
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\GrantTypesEnum;
+use SimpleSAML\OpenID\Exceptions\OpenIdException;
 use SimpleSAML\OpenID\VerifiableCredentials;
 use SimpleSAML\OpenID\VerifiableCredentials\TxCode;
 
@@ -38,9 +40,59 @@ public function __construct(
         protected readonly UserRepository $userRepository,
         protected readonly UserEntityFactory $userEntityFactory,
         protected readonly EmailFactory $emailFactory,
+        protected readonly IssuerStateEntityFactory $issuerStateEntityFactory,
     ) {
     }
 
+    /**
+     * @param string[] $credentialConfigurationIds
+     * @throws \SimpleSAML\OpenId\Exceptions\OpenIdException
+     */
+    public function buildForAuthorization(
+        array $credentialConfigurationIds,
+    ): string {
+
+        $issuerState = null;
+
+        $issuerStateGenerationAttempts = 3;
+        while ($issuerStateGenerationAttempts > 0) {
+            $newIssuerState = $this->issuerStateEntityFactory->buildNew();
+            if ($this->authCodeRepository->findById($newIssuerState->getValue()) === null) {
+                $issuerState = $newIssuerState;
+                break;
+            }
+            $issuerStateGenerationAttempts--;
+        }
+
+        if ($issuerState === null) {
+            throw new OpenIdException('Failed to generate issuer state.');
+        }
+
+
+        $credentialOffer = $this->verifiableCredentials->credentialOfferFactory()->from(
+            parameters: [
+                ClaimsEnum::CredentialIssuer->value => $this->moduleConfig->getIssuer(),
+                ClaimsEnum::CredentialConfigurationIds->value => [
+                    ...$credentialConfigurationIds,
+                ],
+                ClaimsEnum::Grants->value => [
+                    GrantTypesEnum::AuthorizationCode->value => [
+                        ClaimsEnum::IssuerState->value => $issuerState->getValue(),
+                    ],
+                ],
+            ],
+        );
+
+        $credentialOfferValue = $credentialOffer->jsonSerialize();
+        $parameterName = ParametersEnum::CredentialOfferUri->value;
+        if (is_array($credentialOfferValue)) {
+            $parameterName = ParametersEnum::CredentialOffer->value;
+            $credentialOfferValue = json_encode($credentialOfferValue);
+        }
+
+        return "openid-credential-offer://?$parameterName=$credentialOfferValue";
+    }
+
     /**
      * @param string[] $credentialConfigurationIds
      * @throws \SimpleSAML\OpenId\Exceptions\OpenIdException
@@ -119,8 +171,9 @@ public function buildPreAuthorized(
         $authCodeId = null;
         $authCodeIdGenerationAttempts = 3;
         while ($authCodeIdGenerationAttempts > 0) {
-            $authCodeId = $this->sspBridge->utils()->random()->generateID();
-            if ($this->authCodeRepository->findById($authCodeId) === null) {
+            $newAuthCodeId = $this->sspBridge->utils()->random()->generateID();
+            if ($this->authCodeRepository->findById($newAuthCodeId) === null) {
+                $authCodeId = $newAuthCodeId;
                 break;
             }
             $authCodeIdGenerationAttempts--;

src/Factories/Entities/IssuerStateEntityFactory.php

@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Factories\Entities;
+
+use DateTimeImmutable;
+use SimpleSAML\Module\oidc\Entities\IssuerStateEntity;
+use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\Helpers\Random;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\OpenID\Exceptions\OpenIdException;
+
+class IssuerStateEntityFactory
+{
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly Random $random,
+        protected readonly Helpers $helpers,
+    ) {
+    }
+
+    /**
+     * @throws OpenIdException
+     * @throws OidcServerException
+     * @throws \Exception
+     */
+    public function buildNew(
+        ?string $value = null,
+        ?DateTimeImmutable $createdAt = null,
+        ?DateTimeImmutable $expiresAt = null,
+        bool $isRevoked = false,
+    ): IssuerStateEntity {
+        $value ??= hash('sha256', $this->helpers->random()->getIdentifier());
+
+        $createdAt ??= $this->helpers->dateTime()->getUtc();
+        $expiresAt ??= $createdAt->add($this->moduleConfig->getIssuerStateDuration());
+
+        return $this->fromData($value, $createdAt, $expiresAt, $isRevoked);
+    }
+
+    /**
+     * @param string $value Issuer State Entity value, max 64 characters.
+     * @throws OpenIdException
+     */
+    public function fromData(
+        string $value,
+        DateTimeImmutable $createdAt,
+        DateTimeImmutable $expiresAt,
+        bool $isRevoked = false,
+    ): IssuerStateEntity {
+        if (strlen($value) > 64) {
+            throw new OpenIdException('Invalid Issuer State Entity value.');
+        }
+
+        return new IssuerStateEntity($value, $createdAt, $expiresAt, $isRevoked);
+    }
+
+    /**
+     * @param mixed[] $state
+     * @return IssuerStateEntity
+     * @throws OpenIdException
+     */
+    public function fromState(array $state): IssuerStateEntity
+    {
+        if (
+            !is_string($value = $state['value']) ||
+            !is_string($createdAt = $state['created_at']) ||
+            !is_string($expiresAt = $state['expires_at'])
+        ) {
+            throw new OpenIdException('Invalid Issuer State Entity state.');
+        }
+
+        if (strlen($value) > 64) {
+            throw new OpenIdException('Invalid Issuer State Entity value.');
+        }
+
+        $isRevoked = (bool)($state['is_revoked'] ?? true);
+
+        return new IssuerStateEntity(
+            $value,
+            $this->helpers->dateTime()->getUtc($createdAt),
+            $this->helpers->dateTime()->getUtc($expiresAt),
+            $isRevoked,
+        );
+    }
+}

src/ModuleConfig.php

@@ -108,6 +108,7 @@ class ModuleConfig
     final public const OPTION_DEFAULT_USERS_EMAIL_ATTRIBUTE_NAME = 'users_email_attribute_name';
     final public const OPTION_AUTH_SOURCES_TO_USERS_EMAIL_ATTRIBUTE_NAME_MAP =
     'auth_sources_to_users_email_attribute_name_map';
+    final public const OPTION_ISSUER_STATE_TTL = 'issuer_state_ttl';
 
     protected static array $standardScopes = [
         ScopesEnum::OpenId->value => [
@@ -991,4 +992,23 @@ public function getDefaultUsersEmailAttributeName(): string
     {
         return $this->config()->getOptionalString(self::OPTION_DEFAULT_USERS_EMAIL_ATTRIBUTE_NAME, 'mail');
     }
+
+    /**
+     * Get Issuer State Duration (TTL) if set. If not set, it will fall back to Authorization Code Duration.
+     *
+     * @return DateInterval
+     * @throws \Exception
+     */
+    public function getIssuerStateDuration(): DateInterval
+    {
+        $issuerStateDuration = $this->config()->getOptionalString(self::OPTION_ISSUER_STATE_TTL, null);
+
+        if (is_null($issuerStateDuration)) {
+            return $this->getAuthCodeDuration();
+        }
+
+        return new DateInterval(
+            $this->config()->getString(self::OPTION_ISSUER_STATE_TTL),
+        );
+    }
 }