Pre auth code release modification

Author: cicnavi

config/module_oidc.php.dist

@@ -510,6 +510,25 @@ $config = [
     // Enable or disable verifiable credentials capabilities. Default is disabled (false).
     ModuleConfig::OPTION_VERIFIABLE_CREDENTIAL_ENABLED => false,
 
+    // Allow or disallow non-registered clients to request verifiable credentials. Default is disallowed (false).
+    ModuleConfig::OPTION_ALLOW_NON_REGISTERED_CLIENTS_FOR_VCI => false,
+
+    // Allowed redirect URI prefixes for non-registered clients. By default, this is set to
+    // 'openid-credential-offer://' to allow only redirect URIs with this prefix.
+    //
+    // Example:
+    // [
+    //     'https://example.org/redirect',
+    //     'https://example.org/redirect2',
+    // ]
+    //
+    ModuleConfig::OPTION_ALLOWED_REDIRECT_URI_PREFIXES_FOR_NON_REGISTERED_CLIENTS_FOR_VCI => [
+        'openid-credential-offer://',
+    ],
+
+    // Allow or disallow clients to request verifiable credentials using Authorization Code Grant without client ID.
+    // Default is disallowed (false).
+    ModuleConfig::OPTION_ALLOW_VCI_AUTHORIZATION_CODE_REQUESTS_WITHOUT_CLIENT_ID => false,
 
     // (optional) Credential configuration statements, as per `credential_configurations_supported` claim definition in
     // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#credential-issuer-parameters.
@@ -813,11 +832,8 @@ $config = [
     // (optional) Enable or disable API capabilities. Default is disabled (false).
     ModuleConfig::OPTION_API_ENABLED => false,
 
-    /**
-     * List of API tokens which can be used to access API endpoints based on given scopes.
-     *
-     * The format is: ['token' => [ApiScopesEnum]]
-     */
+    // List of API tokens which can be used to access API endpoints based on given scopes.
+    // The format is: ['token' => [ApiScopesEnum]]
     ModuleConfig::OPTION_API_TOKENS => [
 //        'strong-random-token-string' => [
 //            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::All, // Gives access to the whole API.

src/Factories/AuthSimpleFactory.php

@@ -16,6 +16,7 @@
 
 namespace SimpleSAML\Module\oidc\Factories;
 
+use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
 use SimpleSAML\Auth\Simple;
 use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\Module\oidc\ModuleConfig;
@@ -31,7 +32,7 @@ public function __construct(
      * @codeCoverageIgnore
      * @throws \Exception
      */
-    public function build(ClientEntityInterface $clientEntity): Simple
+    public function build(OAuth2ClientEntityInterface $clientEntity): Simple
     {
         $authSourceId = $this->resolveAuthSourceId($clientEntity);
 
@@ -52,9 +53,15 @@ public function getDefaultAuthSource(): Simple
      *
      * @throws \Exception
      */
-    public function resolveAuthSourceId(ClientEntityInterface $client): string
+    public function resolveAuthSourceId(OAuth2ClientEntityInterface $client): string
     {
-        return $client->getAuthSourceId() ?? $this->moduleConfig->getDefaultAuthSourceId();
+        $defaultAuthSourceId = $this->moduleConfig->getDefaultAuthSourceId();
+
+        if ($client instanceof ClientEntityInterface) {
+            $client->getAuthSourceId() ?? $this->moduleConfig->getDefaultAuthSourceId();
+        }
+
+        return $defaultAuthSourceId;
     }
 
     public function forAuthSourceId(string $authSourceId): Simple

src/Factories/CredentialOfferUriFactory.php

@@ -132,7 +132,7 @@ public function buildPreAuthorized(
 
         // Currently, we need a dedicated client for which the PreAuthZed code will be bound to.
         // TODO mivanci: Remove requirement for dedicated client for (pre-)authorization codes.
-        $client = $this->clientEntityFactory->getGenericForVciPreAuthZFlow();
+        $client = $this->clientEntityFactory->getGenericForVci();
         if ($this->clientRepository->findById($client->getIdentifier()) === null) {
             $this->clientRepository->add($client);
         } else {

src/Factories/Entities/ClientEntityFactory.php

@@ -383,7 +383,7 @@ public function fromState(array $state): ClientEntityInterface
         );
     }
 
-    public function getGenericForVciPreAuthZFlow(): ClientEntityInterface
+    public function getGenericForVci(): ClientEntityInterface
     {
         $clientId = 'vci_' .
         hash('sha256', 'vci_'  . $this->moduleConfig->sspConfig()->getString('secretsalt'));
@@ -397,8 +397,8 @@ public function getGenericForVciPreAuthZFlow(): ClientEntityInterface
         return $this->fromData(
             id: $clientId,
             secret: $clientSecret,
-            name: 'VCI Pre-authorized Code Generic Client',
-            description: 'Generic client for VCI Pre-authorized Code',
+            name: 'VCI Generic Client',
+            description: 'Generic client for Verifiable Credential Issuance flows.',
             redirectUri: ['openid-credential-offer://'],
             scopes: ['openid', ...$credentialConfigurationIdsSupported],
             isEnabled: true,

src/Factories/RequestRulesManagerFactory.php

@@ -10,6 +10,7 @@
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\ClientRepository;
 use SimpleSAML\Module\oidc\Repositories\CodeChallengeVerifiersRepository;
+use SimpleSAML\Module\oidc\Repositories\IssuerStateRepository;
 use SimpleSAML\Module\oidc\Repositories\ScopeRepository;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AcrValuesRule;
@@ -20,6 +21,7 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeVerifierRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IdTokenHintRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IssuerStateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\MaxAgeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PostLogoutRedirectUriRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PromptRule;
@@ -62,6 +64,7 @@ public function __construct(
         private readonly JwksResolver $jwksResolver,
         private readonly FederationParticipationValidator $federationParticipationValidator,
         private readonly SspBridge $sspBridge,
+        private readonly IssuerStateRepository $issuerStateRepository,
         private readonly ?FederationCache $federationCache = null,
         private readonly ?ProtocolCache $protocolCache = null,
     ) {
@@ -93,9 +96,10 @@ private function getDefaultRules(): array
                 $this->federation,
                 $this->jwksResolver,
                 $this->federationParticipationValidator,
+                $this->logger,
                 $this->federationCache,
             ),
-            new RedirectUriRule($this->requestParamsResolver, $this->helpers),
+            new RedirectUriRule($this->requestParamsResolver, $this->helpers, $this->moduleConfig),
             new RequestObjectRule($this->requestParamsResolver, $this->helpers, $this->jwksResolver),
             new PromptRule(
                 $this->requestParamsResolver,
@@ -141,6 +145,7 @@ private function getDefaultRules(): array
                 $this->protocolCache,
             ),
             new CodeVerifierRule($this->requestParamsResolver, $this->helpers),
+            new IssuerStateRule($this->requestParamsResolver, $this->helpers, $this->issuerStateRepository),
         ];
     }
 }

src/ModuleConfig.php

@@ -109,6 +109,11 @@ class ModuleConfig
     final public const OPTION_AUTH_SOURCES_TO_USERS_EMAIL_ATTRIBUTE_NAME_MAP =
     'auth_sources_to_users_email_attribute_name_map';
     final public const OPTION_ISSUER_STATE_TTL = 'issuer_state_ttl';
+    final public const OPTION_ALLOW_NON_REGISTERED_CLIENTS_FOR_VCI = 'allow_non_registered_clients_for_vci';
+    final public const OPTION_ALLOW_VCI_AUTHORIZATION_CODE_REQUESTS_WITHOUT_CLIENT_ID =
+    'allow_vci_authorization_code_requests_without_client_id';
+    final public const OPTION_ALLOWED_REDIRECT_URI_PREFIXES_FOR_NON_REGISTERED_CLIENTS_FOR_VCI =
+    'allowed_redirect_uri_prefixes_for_non_registered_clients_for_vci';
 
     protected static array $standardScopes = [
         ScopesEnum::OpenId->value => [
@@ -1048,4 +1053,25 @@ public function getIssuerStateDuration(): DateInterval
             $this->config()->getString(self::OPTION_ISSUER_STATE_TTL),
         );
     }
+
+    public function getAllowNonRegisteredClientsForVci(): bool
+    {
+        return $this->config()->getOptionalBoolean(self::OPTION_ALLOW_NON_REGISTERED_CLIENTS_FOR_VCI, false);
+    }
+
+    public function getAllowVciAuthorizationCodeRequestsWithoutClientId(): bool
+    {
+        return $this->config()->getOptionalBoolean(
+            self::OPTION_ALLOW_VCI_AUTHORIZATION_CODE_REQUESTS_WITHOUT_CLIENT_ID,
+            false,
+        );
+    }
+
+    public function getAllowedRedirectUriPrefixesForNonRegisteredClientsForVci(): array
+    {
+        return $this->config()->getOptionalArray(
+            self::OPTION_ALLOWED_REDIRECT_URI_PREFIXES_FOR_NON_REGISTERED_CLIENTS_FOR_VCI,
+            ['openid-credential-offer://',],
+        );
+    }
 }

src/Server/Grants/AuthCodeGrant.php

@@ -44,6 +44,7 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeMethodRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeVerifierRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IssuerStateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\MaxAgeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PromptRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RedirectUriRule;
@@ -658,6 +659,7 @@ public function validateAuthorizationRequestWithRequestRules(
             RequiredOpenIdScopeRule::class,
             CodeChallengeRule::class,
             CodeChallengeMethodRule::class,
+            IssuerStateRule::class,
         ];
 
         // Since we have already validated redirect_uri, and we have state, make it available for other checkers.
@@ -738,6 +740,17 @@ public function validateAuthorizationRequestWithRequestRules(
         $acrValues = $resultBag->getOrFail(AcrValuesRule::class)->getValue();
         $authorizationRequest->setRequestedAcrValues($acrValues);
 
+        $authorizationRequest->setIsVciRequest(
+            $this->requestParamsResolver->isVciAuthorizationCodeRequest(
+                $request,
+                $this->allowedAuthorizationHttpMethods,
+            ),
+        );
+
+        /** @var ?string $issuerState */
+        $issuerState = $resultBag->get(IssuerStateRule::class)?->getValue();
+        $authorizationRequest->setIssuerState($issuerState);
+
         return $authorizationRequest;
     }
 

src/Server/Grants/PreAuthCodeGrant.php

@@ -124,7 +124,7 @@ public function respondToAccessTokenRequest(
         );
 
         if (empty($preAuthorizedCodeId)) {
-            $this->loggerService->warning('Empty pre-authorized code ID.');
+            $this->loggerService->error('Empty pre-authorized code ID.');
             throw OidcServerException::invalidRequest(ParamsEnum::PreAuthorizedCode->value);
         }
 
@@ -142,6 +142,13 @@ public function respondToAccessTokenRequest(
             throw OidcServerException::invalidGrant('Invalid pre-authorized code.');
         }
 
+        if (!$preAuthorizedCode->isPreAuthorized()) {
+            $this->loggerService->error(
+                'Pre-authorized code is not pre-authorized. Value was: ' . $preAuthorizedCodeId,
+            );
+            throw OidcServerException::invalidGrant('Pre-authorized code is not pre-authorized.');
+        }
+
         if ($preAuthorizedCode->isRevoked()) {
             $this->loggerService->error('Pre-authorized code is revoked. Value was: ' . $preAuthorizedCodeId);
             throw OidcServerException::invalidGrant('Pre-authorized code is revoked.');