WIP Credential Issuer

Author: cicnavi

UPGRADE.md

@@ -1,3 +1,5 @@
+# TODO mivanci
+* Move to specific simplesamlphp/openid release (composer.json).
 
 # Version 5 to 6
 

composer.json

@@ -31,7 +31,7 @@
         "psr/container": "^2.0",
         "psr/log": "^3",
         "simplesamlphp/composer-module-installer": "^1.3",
-        "simplesamlphp/openid": "^0",
+        "simplesamlphp/openid": "dev-wip-vci",
         "spomky-labs/base64url": "^2.0",
         "symfony/expression-language": "^6.3",
         "symfony/psr-http-message-bridge": "^7.1",

config/module_oidc.php.dist

@@ -3,6 +3,13 @@
 declare(strict_types=1);
 
 /*
+ *        |
+ *   \  ___  /                           _________
+ *  _  /   \  _    GÉANT                 |  * *  | Co-Funded by
+ *     | ~ |       Trust & Identity      | *   * | the European
+ *      \_/        Incubator             |__*_*__| Union
+ *       =
+ *
  * This file is part of the simplesamlphp-module-oidc.
  *
  * Copyright (C) 2018 by the Spanish Research and Academic Network.
@@ -477,4 +484,13 @@ $config = [
     ModuleConfig::OPTION_LOGO_URI => null,
     ModuleConfig::OPTION_POLICY_URI => null,
     ModuleConfig::OPTION_HOMEPAGE_URI => null,
+
+
+    /**
+     * (optional) OpenID Verifiable Credential related options. If these are not set, OpenID Verifiable
+     * Credential capabilities will be disabled.
+     */
+
+    // Enable or disable verifiable credentials capabilities. Default is disabled (false).
+    ModuleConfig::OPTION_VERIFIABLE_CREDENTIAL_ENABLED => false,
 ];

routing/services/services.yml

@@ -127,6 +127,7 @@ services:
     factory: [ '@SimpleSAML\Module\oidc\Factories\FederationFactory', 'build' ]
   SimpleSAML\OpenID\Jwks:
     factory: [ '@SimpleSAML\Module\oidc\Factories\JwksFactory', 'build' ]
+  SimpleSAML\OpenID\Jwk: ~
 
   # SSP
   SimpleSAML\Database:

src/Controllers/Federation/EntityStatementController.php

@@ -13,7 +13,9 @@
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Services\OpMetadataService;
 use SimpleSAML\Module\oidc\Utils\FederationCache;
+use SimpleSAML\Module\oidc\Utils\FingerprintGenerator;
 use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\ClientRegistrationTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ContentTypesEnum;
@@ -22,6 +24,7 @@
 use SimpleSAML\OpenID\Codebooks\HttpHeadersEnum;
 use SimpleSAML\OpenID\Codebooks\JwtTypesEnum;
 use SimpleSAML\OpenID\Federation;
+use SimpleSAML\OpenID\Jwk;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -42,6 +45,7 @@ public function __construct(
         private readonly Helpers $helpers,
         private readonly Routes $routes,
         private readonly Federation $federation,
+        private readonly Jwk $jwk,
         private readonly LoggerService $loggerService,
         private readonly ?FederationCache $federationCache,
     ) {
@@ -55,7 +59,6 @@ public function __construct(
      *
      * @return \Symfony\Component\HttpFoundation\Response
      * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
-     * @throws \ReflectionException
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @throws \Psr\SimpleCache\InvalidArgumentException
      */
@@ -71,59 +74,66 @@ public function configuration(): Response
             return $this->prepareEntityStatementResponse((string)$cachedEntityConfigurationToken);
         }
 
-        $builder = $this->jsonWebTokenBuilderService->getFederationJwtBuilder()
-            ->withHeader(ClaimsEnum::Typ->value, JwtTypesEnum::EntityStatementJwt->value)
-            ->relatedTo($this->moduleConfig->getIssuer()) // This is entity configuration (statement about itself).
-            ->expiresAt(
-                $this->helpers->dateTime()->getUtc()->add($this->moduleConfig->getFederationEntityStatementDuration()),
-            )->withClaim(
-                ClaimsEnum::Jwks->value,
-                ['keys' => array_values($this->jsonWebKeySetService->federationKeys()),],
-            )
-            ->withClaim(
-                ClaimsEnum::Metadata->value,
-                [
-                    EntityTypesEnum::FederationEntity->value => [
-                        // Common https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters
-                        ...(array_filter(
-                            [
-                                ClaimsEnum::OrganizationName->value => $this->moduleConfig->getOrganizationName(),
-                                ClaimsEnum::Contacts->value => $this->moduleConfig->getContacts(),
-                                ClaimsEnum::LogoUri->value => $this->moduleConfig->getLogoUri(),
-                                ClaimsEnum::PolicyUri->value => $this->moduleConfig->getPolicyUri(),
-                                ClaimsEnum::HomepageUri->value => $this->moduleConfig->getHomepageUri(),
-                            ],
-                        )),
-                        ClaimsEnum::FederationFetchEndpoint->value => $this->routes->urlFederationFetch(),
-                        ClaimsEnum::FederationListEndpoint->value => $this->routes->urlFederationList(),
-                        // TODO v7 mivanci Add when ready. Use ClaimsEnum for keys.
-                        // https://openid.net/specs/openid-federation-1_0.html#name-federation-entity
-                        //'federation_resolve_endpoint',
-                        //'federation_trust_mark_status_endpoint',
-                        //'federation_trust_mark_list_endpoint',
-                        //'federation_trust_mark_endpoint',
-                        //'federation_historical_keys_endpoint',
-                        //'endpoint_auth_signing_alg_values_supported'
-                        // Common https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters
-                        //'signed_jwks_uri',
-                        //'jwks_uri',
-                        //'jwks',
-                    ],
-                    // OP metadata with additional federation related claims.
-                    EntityTypesEnum::OpenIdProvider->value => [
-                        ...$this->opMetadataService->getMetadata(),
-                        ClaimsEnum::ClientRegistrationTypesSupported->value => [
-                            ClientRegistrationTypesEnum::Automatic->value,
+        $currentTimestamp = $this->helpers->dateTime()->getUtc()->getTimestamp();
+
+        $header = [
+            ClaimsEnum::Kid->value => FingerprintGenerator::forFile(
+                $this->moduleConfig->getFederationCertPath(),
+            ),
+        ];
+
+        $payload = [
+            ClaimsEnum::Iss->value => $this->moduleConfig->getIssuer(),
+            ClaimsEnum::Iat->value => $currentTimestamp,
+            ClaimsEnum::Jti->value => $this->helpers->random()->getIdentifier(),
+            // This is entity configuration (statement about itself).
+            ClaimsEnum::Sub->value => $this->moduleConfig->getIssuer(),
+            ClaimsEnum::Exp->value => $this->helpers->dateTime()->getUtc()->add(
+                $this->moduleConfig->getFederationEntityStatementDuration(),
+            )->getTimestamp(),
+            ClaimsEnum::Jwks->value => ['keys' => array_values($this->jsonWebKeySetService->federationKeys()),],
+            ClaimsEnum::Metadata->value => [
+                EntityTypesEnum::FederationEntity->value => [
+                    // Common https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters
+                    ...(array_filter(
+                        [
+                            ClaimsEnum::OrganizationName->value => $this->moduleConfig->getOrganizationName(),
+                            ClaimsEnum::Contacts->value => $this->moduleConfig->getContacts(),
+                            ClaimsEnum::LogoUri->value => $this->moduleConfig->getLogoUri(),
+                            ClaimsEnum::PolicyUri->value => $this->moduleConfig->getPolicyUri(),
+                            ClaimsEnum::HomepageUri->value => $this->moduleConfig->getHomepageUri(),
                         ],
+                    )),
+                    ClaimsEnum::FederationFetchEndpoint->value => $this->routes->urlFederationFetch(),
+                    ClaimsEnum::FederationListEndpoint->value => $this->routes->urlFederationList(),
+                    // TODO v7 mivanci Add when ready. Use ClaimsEnum for keys.
+                    // https://openid.net/specs/openid-federation-1_0.html#name-federation-entity
+                    //'federation_resolve_endpoint',
+                    //'federation_trust_mark_status_endpoint',
+                    //'federation_trust_mark_list_endpoint',
+                    //'federation_trust_mark_endpoint',
+                    //'federation_historical_keys_endpoint',
+                    //'endpoint_auth_signing_alg_values_supported'
+                    // Common https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters
+                    //'signed_jwks_uri',
+                    //'jwks_uri',
+                    //'jwks',
+                ],
+                // OP metadata with additional federation related claims.
+                EntityTypesEnum::OpenIdProvider->value => [
+                    ...$this->opMetadataService->getMetadata(),
+                    ClaimsEnum::ClientRegistrationTypesSupported->value => [
+                        ClientRegistrationTypesEnum::Automatic->value,
                     ],
                 ],
-            );
+            ],
+        ];
 
         if (
             is_array($authorityHints = $this->moduleConfig->getFederationAuthorityHints()) &&
             (!empty($authorityHints))
         ) {
-            $builder = $builder->withClaim(ClaimsEnum::AuthorityHints->value, $authorityHints);
+            $payload[ClaimsEnum::AuthorityHints->value] = $authorityHints;
         }
 
         $trustMarks = [];
@@ -186,16 +196,23 @@ public function configuration(): Response
         }
 
         if (!empty($trustMarks)) {
-            $builder = $builder->withClaim(ClaimsEnum::TrustMarks->value, $trustMarks);
+            $payload[ClaimsEnum::TrustMarks->value] = $trustMarks;
         }
 
         // TODO v7 mivanci Continue
         // Remaining claims, add if / when ready.
         // * crit
 
-        $jws = $this->jsonWebTokenBuilderService->getSignedFederationJwt($builder);
-
-        $entityConfigurationToken = $jws->toString();
+        /** @psalm-suppress ArgumentTypeCoercion */
+        $entityConfigurationToken = $this->federation->entityStatementFactory()->fromData(
+            $this->jwk->jwkDecoratorFactory()->fromPkcs1Or8KeyFile(
+                $this->moduleConfig->getFederationPrivateKeyPath(),
+            ),
+            SignatureAlgorithmEnum::from($this->moduleConfig->getFederationSigner()->algorithmId()),
+            $payload,
+            $header,
+        )
+        ->getToken();
 
         $this->federationCache?->set(
             $entityConfigurationToken,

src/Controllers/OAuth2/OAuth2ServerConfigurationController.php

@@ -24,6 +24,6 @@ public function __invoke(): JsonResponse
         );
 
         // TODO mivanci Add ability for claim 'signed_metadata' when moving to simplesamlphp/openid, as per
-        // https://www.rfc-editor.org/rfc/rfc8414.html#section-2.1
+        // https://www.rfc-editor.org/rfc/rfc8414.html#section-2.1, with caching support.
     }
 }

src/Controllers/VerifiableCredentials/CredentialIssuerConfigurationController.php

@@ -2,25 +2,130 @@
 
 declare(strict_types=1);
 
+/*
+ *        |
+ *   \  ___  /                           _________
+ *  _  /   \  _    GÉANT                 |  * *  | Co-Funded by
+ *     | ~ |       Trust & Identity      | *   * | the European
+ *      \_/        Incubator             |__*_*__| Union
+ *       =
+ */
+
 namespace SimpleSAML\Module\oidc\Controllers\VerifiableCredentials;
 
 use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Utils\Routes;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\CredentialFormatIdentifiersEnum;
 use Symfony\Component\HttpFoundation\Response;
 
 class CredentialIssuerConfigurationController
 {
+    /**
+     * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
+     */
     public function __construct(
         protected readonly ModuleConfig $moduleConfig,
         protected readonly Routes $routes,
     ) {
+        if (!$this->moduleConfig->getVerifiableCredentialEnabled()) {
+            throw OidcServerException::forbidden('Verifiable Credential capabilities not enabled');
+        }
     }
 
     public function configuration(): Response
     {
+        // TODO mivanci Abstract configuring Credential Issuer / Configuration away from module config.
+        // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-issuer-metadata-p
+
+        $signer = $this->moduleConfig->getProtocolSigner();
+
         $configuration = [
             ClaimsEnum::CredentialIssuer->value => $this->moduleConfig->getIssuer(),
+
+            // OPTIONAL // WND
+            // authorization_servers
+
+            // REQUIRED
+            // TODO credential_endpoint
+
+            // OPTIONAL
+            // nonce_endpoint
+
+            // OPTIONAL
+            // deferred_credential_endpoint
+
+            // OPTIONAL
+            // notification_endpoint
+
+            // OPTIONAL
+            // credential_response_encryption
+
+            // OPTIONAL
+            // batch_credential_issuance
+
+            // OPTIONAL
+            // signed_metadata
+
+            // OPTIONAL
+            ClaimsEnum::Display->value => [
+                [
+                    ClaimsEnum::Name->value => $this->moduleConfig->getOrganizationName(),
+                    ClaimsEnum::Locale->value => 'en-US',
+                    // OPTIONAL
+                    // logo
+                ],
+
+            ],
+
+            ClaimsEnum::CredentialConfigurationsSupported->value => [
+                'ResearchAndScholarshipCredentialJwtVcJson' => [
+                    ClaimsEnum::Format->value => CredentialFormatIdentifiersEnum::JwtVcJson->value,
+                    ClaimsEnum::Scope->value => 'ResearchAndScholarshipCredentialJwtVcJson',
+
+                    // OPTIONAL
+                    // cryptographic_binding_methods_supported
+
+                    // OPTIONAL
+                    ClaimsEnum::CredentialSigningAlgValuesSupported->value => [
+                        $signer->algorithmId(),
+                    ],
+
+                    // OPTIONAL
+                    // proof_types_supported
+
+                    ClaimsEnum::Display->value => [
+                        [
+                            ClaimsEnum::Name->value => 'ResearchAndScholarshipCredentialJwtVcJson',
+                            ClaimsEnum::Locale->value => 'en-US',
+
+                            // OPTIONAL
+                            // logo
+
+                            // OPTIONAL
+                            ClaimsEnum::Description->value => 'Research and Scholarship Credential',
+
+                            // OPTIONAL
+                            // background_color
+
+                            // OPTIONAL
+                            // background_image
+
+                            // OPTIONAL
+                            // text_color
+                        ],
+                    ],
+
+                    // As per appendix A.1.1.2. https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-vc-signed-as-a-jwt-not-usin
+                    ClaimsEnum::Claims->value => [
+                        [
+
+                        ],
+                    ],
+                ],
+            ],
+
         ];
 
         return $this->routes->newJsonResponse($configuration);

src/ModuleConfig.php

@@ -93,6 +93,7 @@ class ModuleConfig
     final public const OPTION_PKI_FEDERATION_NEW_PRIVATE_KEY_PASSPHRASE = 'federation_new_private_key_passphrase';
     final public const OPTION_PKI_FEDERATION_NEW_PRIVATE_KEY_FILENAME = 'federation_new_private_key_filename';
     final public const OPTION_PKI_FEDERATION_NEW_CERTIFICATE_FILENAME = 'federation_new_certificate_filename';
+    final public const OPTION_VERIFIABLE_CREDENTIAL_ENABLED = 'verifiable_credentials_enabled';
 
     protected static array $standardScopes = [
         ScopesEnum::OpenId->value => [
@@ -773,4 +774,14 @@ public function isFederationParticipationLimitedByTrustMarksFor(string $trustAnc
     {
         return !empty($this->getTrustMarksNeededForFederationParticipationFor($trustAnchorId));
     }
+
+
+    /*****************************************************************************************************************
+     * OpenID Verifiable Credential related config.
+     ****************************************************************************************************************/
+
+    public function getVerifiableCredentialEnabled(): bool
+    {
+        return $this->config()->getOptionalBoolean(self::OPTION_VERIFIABLE_CREDENTIAL_ENABLED, false);
+    }
 }