WIP

Author: cicnavi

routing/routes/routes.php

@@ -146,7 +146,9 @@
      * API
      ****************************************************************************************************************/
 
-    $routes->add(RoutesEnum::ApiVciCredentialOffer->name, RoutesEnum::ApiVciCredentialOffer->value)
-        ->controller([VciCredentialOfferController::class, 'credentialOffer'])
+    $routes->add(
+        RoutesEnum::ApiVciPreAuthorizedCredentialOffer->name,
+        RoutesEnum::ApiVciPreAuthorizedCredentialOffer->value,
+    )->controller([VciCredentialOfferController::class, 'preAuthorizedCredentialOffer'])
         ->methods([HttpMethodsEnum::POST->value]);
 };

src/Codebooks/RoutesEnum.php

@@ -74,5 +74,5 @@ enum RoutesEnum: string
      * API
      ****************************************************************************************************************/
 
-    case ApiVciCredentialOffer = 'api/vci/credential-offer';
+    case ApiVciPreAuthorizedCredentialOffer = 'api/vci/pre-authorized-credential-offer';
 }

src/Controllers/Admin/VerifiableCredentailsTestController.php

@@ -175,15 +175,17 @@ public function verifiableCredentialIssuance(Request $request): Response
             // TODO mivanci Wallet (client) credential_offer_endpoint metadata
             // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#client-metadata
 
-            $clientSecret = '1234567890';
-
 
             $client = $this->clientEntityFactory->getGenericForVciPreAuthZFlow();
+            if ($this->clientRepository->findById($client->getIdentifier()) === null) {
+                $this->clientRepository->add($client);
+            } else {
+                $this->clientRepository->update($client);
+            }
 
-            // TODO mivanci Randomly generate auth code.
-            $authCodeId = '1234567890';
+            $authCodeId = $this->sspBridge->utils()->random()->generateID();
 
-            // TODO mivanci Add indication of preauthz code to the auth code table.
+            // TODO mivanci Add indication of preAuthZ code to the auth code table.
 
             if (($authCode = $this->authCodeRepository->findById($authCodeId)) === null) {
                 $authCode = $this->authCodeEntityFactory->fromData(
@@ -193,10 +195,9 @@ public function verifiableCredentialIssuance(Request $request): Response
                         new ScopeEntity('openid'),
                         new ScopeEntity($selectedCredentialConfigurationId),
                     ],
-                    expiryDateTime: new \DateTimeImmutable('+1 month'),
+                    expiryDateTime: new \DateTimeImmutable('+10 minutes'),
                     userIdentifier: $userId,
-                    redirectUri: 'https://example.com/oidc/callback',
-                    nonce: '1234567890',
+                    redirectUri: 'openid-credential-offer://',
                 );
 
                 $this->authCodeRepository->persistNewAuthCode($authCode);
@@ -236,10 +237,6 @@ public function verifiableCredentialIssuance(Request $request): Response
             $credentialOfferQrUri = 'https://quickchart.io/qr?size=200&margin=1&text=' . urlencode($credentialOfferUri);
         }
 
-
-
-
-
         $authSourceActionRoute = $this->routes->urlAdminTestVerifiableCredentialIssuance();
 
         return $this->templateFactory->build(

src/Controllers/Api/VciCredentialOfferController.php

@@ -4,14 +4,26 @@
 
 namespace SimpleSAML\Module\oidc\Controllers\Api;
 
+use SimpleSAML\Module\oidc\Bridges\SspBridge;
 use SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum;
-use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
+use SimpleSAML\Module\oidc\Codebooks\ParametersEnum;
+use SimpleSAML\Module\oidc\Entities\ScopeEntity;
+use SimpleSAML\Module\oidc\Entities\UserEntity;
+use SimpleSAML\Module\oidc\Exceptions\OidcException;
+use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
+use SimpleSAML\Module\oidc\Factories\Entities\UserEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
+use SimpleSAML\Module\oidc\Repositories\ClientRepository;
+use SimpleSAML\Module\oidc\Repositories\UserRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Services\Api\Authorization;
+use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\GrantTypesEnum;
 use SimpleSAML\OpenID\VerifiableCredentials;
-use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -25,30 +37,136 @@ public function __construct(
         protected readonly Authorization $authorization,
         protected readonly VerifiableCredentials $verifiableCredentials,
         protected readonly ClientEntityFactory $clientEntityFactory,
+        protected readonly ClientRepository $clientRepository,
+        protected readonly SspBridge $sspBridge,
+        protected readonly LoggerService $loggerService,
+        protected readonly UserRepository $userRepository,
+        protected readonly UserEntityFactory $userEntityFactory,
+        protected readonly AuthCodeRepository $authCodeRepository,
+        protected readonly AuthCodeEntityFactory $authCodeEntityFactory,
+        protected readonly Routes $routes,
     ) {
         if (!$this->moduleConfig->getApiEnabled()) {
             throw OidcServerException::forbidden('API capabilities not enabled.');
         }
     }
 
     /**
-     * @throws AuthorizationException
      */
-    public function credentialOffer(Request $request): Response
+    public function preAuthorizedCredentialOffer(Request $request): Response
     {
         $this->authorization->requireTokenForAnyOfScope(
             $request,
             [ApiScopesEnum::VciCredentialOffer, ApiScopesEnum::VciAll, ApiScopesEnum::All],
         );
 
-        $input = $request->getPayload()->all();
-
         // Currently, we need a dedicated client for which the PreAuthZed code will be bound to.
-        // TODO mivanci: Remove requirement for dedicated client for authorization codes.
+        // TODO mivanci: Remove requirement for dedicated client for (pre-)authorization codes.
         $client = $this->clientEntityFactory->getGenericForVciPreAuthZFlow();
+        if ($this->clientRepository->findById($client->getIdentifier()) === null) {
+            $this->clientRepository->add($client);
+        } else {
+            $this->clientRepository->update($client);
+        }
+
+        $input = $request->getPayload()->all();
+        $userAttributes = $input['user_attributes'] ?? [];
+
+        $selectedCredentialConfigurationId = $input['credential_configuration_id'] ?? null;
+        if ($selectedCredentialConfigurationId === null) {
+            throw new OidcException('No credential configuration ID provided.');
+        }
+        $credentialConfigurationIdsSupported = $this->moduleConfig->getCredentialConfigurationIdsSupported();
+
+        if (empty($credentialConfigurationIdsSupported)) {
+            throw new OidcException('No credential configuration IDs configured.');
+        }
+        if (!in_array($selectedCredentialConfigurationId, $credentialConfigurationIdsSupported, true)) {
+            throw new OidcException(
+                'Credential configuration ID not supported: ' . $selectedCredentialConfigurationId,
+            );
+        }
+
+        $userId = null;
+        try {
+            $userId = $this->sspBridge->utils()->attributes()->getExpectedAttribute(
+                $userAttributes,
+                $this->moduleConfig->getUserIdentifierAttribute(),
+            );
+        } catch (\Throwable $e) {
+            $this->loggerService->warning(
+                'Could not extract user identifier from user attributes: ' . $e->getMessage(),
+            );
+        }
+
+        if ($userId === null) {
+            $sortedAttributes = $userAttributes;
+            $this->verifiableCredentials->helpers()->arr()->hybridSort($sortedAttributes);
+            $userId = 'vci_preauthz_' . hash('sha256', serialize($sortedAttributes));
+        }
 
-        dd($this->verifiableCredentials->helpers()->arr()->hybridSort($input['user_attributes']));
+        $oldUserEntity = $this->userRepository->getUserEntityByIdentifier($userId);
 
-        return new JsonResponse(['ok']);
+        $userEntity = $this->userEntityFactory->fromData($userId, $userAttributes);
+
+        if ($oldUserEntity instanceof UserEntity) {
+            $this->userRepository->update($userEntity);
+        } else {
+            $this->userRepository->add($userEntity);
+        }
+
+
+        $authCodeId = $this->sspBridge->utils()->random()->generateID();
+
+        if (($authCode = $this->authCodeRepository->findById($authCodeId)) === null) {
+            $authCode = $this->authCodeEntityFactory->fromData(
+                id: $authCodeId,
+                client: $client,
+                scopes: [
+                    new ScopeEntity('openid'),
+                    new ScopeEntity($selectedCredentialConfigurationId),
+                ],
+                expiryDateTime: new \DateTimeImmutable('+10 minutes'),
+                userIdentifier: $userId,
+                redirectUri: 'openid-credential-offer://',
+            );
+
+            $this->authCodeRepository->persistNewAuthCode($authCode);
+        }
+
+        $credentialOffer = $this->verifiableCredentials->credentialOfferFactory()->from(
+            parameters: [
+                ClaimsEnum::CredentialIssuer->value => $this->moduleConfig->getIssuer(),
+                ClaimsEnum::CredentialConfigurationIds->value => [
+                    $selectedCredentialConfigurationId,
+                ],
+                ClaimsEnum::Grants->value => [
+                    GrantTypesEnum::PreAuthorizedCode->value => [
+                        ClaimsEnum::PreAuthorizedCode->value => $authCode->getIdentifier(),
+                        // TODO mivanci support for TxCode
+                        //                        ClaimsEnum::TxCode->value => [
+                        //                            ClaimsEnum::InputMode->value => 'numeric',
+                        //                            ClaimsEnum::Length->value => 6,
+                        //                            ClaimsEnum::Description->value => 'Sent to user mail',
+                        //                        ],
+                    ],
+                ],
+            ],
+        );
+
+        $credentialOfferValue = $credentialOffer->jsonSerialize();
+        $parameterName = ParametersEnum::CredentialOfferUri->value;
+        if (is_array($credentialOfferValue)) {
+            $parameterName = ParametersEnum::CredentialOffer->value;
+            $credentialOfferValue = json_encode($credentialOfferValue);
+        }
+
+        $credentialOfferUri = "openid-credential-offer://?$parameterName=$credentialOfferValue";
+
+        return $this->routes->newJsonResponse(
+            data: [
+                'credential_offer_uri' => $credentialOfferUri,
+            ],
+        );
     }
 }

src/Factories/Entities/ClientEntityFactory.php

@@ -12,7 +12,6 @@
 use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\Module\oidc\Helpers;
 use SimpleSAML\Module\oidc\ModuleConfig;
-use SimpleSAML\Module\oidc\Repositories\ClientRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
@@ -32,7 +31,6 @@ public function __construct(
         private readonly ClaimTranslatorExtractor $claimTranslatorExtractor,
         private readonly RequestParamsResolver $requestParamsResolver,
         private readonly ModuleConfig $moduleConfig,
-        private readonly ClientRepository $clientRepository,
     ) {
     }
 
@@ -388,37 +386,24 @@ public function fromState(array $state): ClientEntityInterface
     public function getGenericForVciPreAuthZFlow(): ClientEntityInterface
     {
         $clientId = 'vci_' .
-            hash('sha256', 'vci_'  . $this->moduleConfig->sspConfig()->getString('secretsalt'));
+        hash('sha256', 'vci_'  . $this->moduleConfig->sspConfig()->getString('secretsalt'));
 
         $clientSecret = $this->helpers->random()->getIdentifier();
 
         $credentialConfigurationIdsSupported = $this->moduleConfig->getCredentialConfigurationIdsSupported();
 
-        $oldClient = $this->clientRepository->findById($clientId);
         $createdAt = $this->helpers->dateTime()->getUtc();
 
-        if ($oldClient instanceof ClientEntityInterface) {
-            $createdAt = $oldClient->getCreatedAt();
-        }
-
-        $client = $this->fromData(
+        return $this->fromData(
             id: $clientId,
             secret: $clientSecret,
             name: 'VCI Pre-authorized Code Generic Client',
             description: 'Generic client for VCI Pre-authorized Code',
             redirectUri: ['openid-credential-offer://'],
             scopes: ['openid', ...$credentialConfigurationIdsSupported],
             isEnabled: true,
-            updatedAt: $this->helpers->dateTime()->getUtc(),
+            updatedAt: $createdAt,
             createdAt: $createdAt,
         );
-
-        if ($oldClient === null) {
-            $this->clientRepository->add($client);
-        } else {
-            $this->clientRepository->update($client);
-        }
-
-        return $client;
     }
 }

src/Services/Api/Authorization.php

@@ -6,7 +6,6 @@
 
 use SimpleSAML\Locale\Translate;
 use SimpleSAML\Module\oidc\Bridges\SspBridge;
-use SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum;
 use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use Symfony\Component\HttpFoundation\Request;

src/Utils/Routes.php

@@ -235,4 +235,13 @@ public function urlJwtVcIssuerConfiguration(array $parameters = []): string
     {
         return $this->getModuleUrl(RoutesEnum::JwtVcIssuerConfiguration->value, $parameters);
     }
+
+    /*****************************************************************************************************************
+     * API
+     ****************************************************************************************************************/
+
+    public function urlApiVciPreAuthorizedCredentialOffer(array $parameters = []): string
+    {
+        return $this->getModuleUrl(RoutesEnum::ApiVciPreAuthorizedCredentialOffer->value, $parameters);
+    }
 }