WIP

Author: cicnavi

src/Controllers/Admin/VerifiableCredentailsTestController.php

@@ -4,6 +4,7 @@
 
 namespace SimpleSAML\Module\oidc\Controllers\Admin;
 
+use DateTimeImmutable;
 use SimpleSAML\Auth\Simple;
 use SimpleSAML\Module\oidc\Admin\Authorization;
 use SimpleSAML\Module\oidc\Bridges\SspBridge;
@@ -183,25 +184,7 @@ public function verifiableCredentialIssuance(Request $request): Response
                 $this->clientRepository->update($client);
             }
 
-            $authCodeId = $this->sspBridge->utils()->random()->generateID();
 
-            // TODO mivanci Add indication of preAuthZ code to the auth code table.
-
-            if (($authCode = $this->authCodeRepository->findById($authCodeId)) === null) {
-                $authCode = $this->authCodeEntityFactory->fromData(
-                    id: $authCodeId,
-                    client: $client,
-                    scopes: [
-                        new ScopeEntity('openid'),
-                        new ScopeEntity($selectedCredentialConfigurationId),
-                    ],
-                    expiryDateTime: new \DateTimeImmutable('+10 minutes'),
-                    userIdentifier: $userId,
-                    redirectUri: 'openid-credential-offer://',
-                );
-
-                $this->authCodeRepository->persistNewAuthCode($authCode);
-            }
 
             $credentialOffer = $this->verifiableCredentials->credentialOfferFactory()->from(
                 parameters: [

src/Controllers/Api/VciCredentialOfferController.php

@@ -9,7 +9,9 @@
 use SimpleSAML\Module\oidc\Codebooks\ParametersEnum;
 use SimpleSAML\Module\oidc\Entities\ScopeEntity;
 use SimpleSAML\Module\oidc\Entities\UserEntity;
+use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
 use SimpleSAML\Module\oidc\Exceptions\OidcException;
+use SimpleSAML\Module\oidc\Factories\CredentialOfferUriFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\UserEntityFactory;
@@ -45,6 +47,7 @@ public function __construct(
         protected readonly AuthCodeRepository $authCodeRepository,
         protected readonly AuthCodeEntityFactory $authCodeEntityFactory,
         protected readonly Routes $routes,
+        protected readonly CredentialOfferUriFactory $credentialOfferUriFactory,
     ) {
         if (!$this->moduleConfig->getApiEnabled()) {
             throw OidcServerException::forbidden('API capabilities not enabled.');
@@ -55,27 +58,52 @@ public function __construct(
      */
     public function preAuthorizedCredentialOffer(Request $request): Response
     {
-        $this->authorization->requireTokenForAnyOfScope(
-            $request,
-            [ApiScopesEnum::VciCredentialOffer, ApiScopesEnum::VciAll, ApiScopesEnum::All],
+        try {
+            $this->authorization->requireTokenForAnyOfScope(
+                $request,
+                [ApiScopesEnum::VciCredentialOffer, ApiScopesEnum::VciAll, ApiScopesEnum::All],
+            );
+        } catch (AuthorizationException $e) {
+            return $this->routes->newJsonErrorResponse(
+                error: 'unauthorized',
+                description: $e->getMessage(),
+                httpCode: Response::HTTP_UNAUTHORIZED,
+            );
+        }
+
+        $input = $request->getPayload()->all();
+        $userAttributes = $input['user_attributes'] ?? [];
+
+        $selectedCredentialConfigurationId = $input['credential_configuration_id'] ?? null;
+
+        if (!is_string($selectedCredentialConfigurationId)) {
+            return $this->routes->newJsonErrorResponse(
+                error: 'invalid_request',
+                description: 'No credential configuration ID provided.',
+                httpCode: Response::HTTP_BAD_REQUEST,
+            );
+        }
+
+        $credentialOfferUri = $this->credentialOfferUriFactory->buildPreAuthorized(
+            [$selectedCredentialConfigurationId],
+            $userAttributes,
         );
 
-        // Currently, we need a dedicated client for which the PreAuthZed code will be bound to.
-        // TODO mivanci: Remove requirement for dedicated client for (pre-)authorization codes.
+        // TODO mivanci continue
+        dd($credentialOfferUri);
+
+
+        /////////
+
         $client = $this->clientEntityFactory->getGenericForVciPreAuthZFlow();
         if ($this->clientRepository->findById($client->getIdentifier()) === null) {
             $this->clientRepository->add($client);
         } else {
             $this->clientRepository->update($client);
         }
 
-        $input = $request->getPayload()->all();
-        $userAttributes = $input['user_attributes'] ?? [];
 
-        $selectedCredentialConfigurationId = $input['credential_configuration_id'] ?? null;
-        if ($selectedCredentialConfigurationId === null) {
-            throw new OidcException('No credential configuration ID provided.');
-        }
+
         $credentialConfigurationIdsSupported = $this->moduleConfig->getCredentialConfigurationIdsSupported();
 
         if (empty($credentialConfigurationIdsSupported)) {

src/Factories/CredentialOfferUriFactory.php

@@ -0,0 +1,180 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Factories;
+
+use DateTimeImmutable;
+use RuntimeException;
+use SimpleSAML\Module\oidc\Bridges\SspBridge;
+use SimpleSAML\Module\oidc\Codebooks\ParametersEnum;
+use SimpleSAML\Module\oidc\Entities\ScopeEntity;
+use SimpleSAML\Module\oidc\Entities\UserEntity;
+use SimpleSAML\Module\oidc\Exceptions\OidcException;
+use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
+use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
+use SimpleSAML\Module\oidc\Factories\Entities\UserEntityFactory;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
+use SimpleSAML\Module\oidc\Repositories\ClientRepository;
+use SimpleSAML\Module\oidc\Repositories\UserRepository;
+use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\GrantTypesEnum;
+use SimpleSAML\OpenID\VerifiableCredentials;
+
+class CredentialOfferUriFactory
+{
+    public function __construct(
+        protected readonly VerifiableCredentials $verifiableCredentials,
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly SspBridge $sspBridge,
+        protected readonly AuthCodeRepository $authCodeRepository,
+        protected readonly AuthCodeEntityFactory $authCodeEntityFactory,
+        protected readonly ClientEntityFactory $clientEntityFactory,
+        protected readonly ClientRepository $clientRepository,
+        protected readonly LoggerService $loggerService,
+        protected readonly UserRepository $userRepository,
+        protected readonly UserEntityFactory $userEntityFactory,
+    )
+    {
+    }
+
+    /**
+     * @param string[] $credentialConfigurationIds
+     * @throws OidcException
+     */
+    public function buildPreAuthorized(
+        array $credentialConfigurationIds,
+        array $userAttributes,
+    ): string
+    {
+        if (empty($credentialConfigurationIds)) {
+            throw new RuntimeException('No credential configuration IDs provided.');
+        }
+
+        $credentialConfigurationIdsSupported = $this->moduleConfig->getCredentialConfigurationIdsSupported();
+
+        if (empty($credentialConfigurationIdsSupported)) {
+            throw new RuntimeException('No credential configuration IDs configured.');
+        }
+
+        if (array_diff($credentialConfigurationIds, $credentialConfigurationIdsSupported)) {
+            throw new RuntimeException('Unsupported credential configuration IDs provided.');
+        }
+
+        /* TODO mivanci TX Code handling
+            $email = $this->emailFactory->build(
+                subject: 'VC Issuance Transaction code',
+                to: '[email protected]',
+            );
+
+            $email->setData(['Transaction Code' => '1234']);
+            try {
+                $email->send();
+                $this->sessionMessagesService->addMessage('Email with tx code sent to: [email protected]');
+            } catch (Exception $e) {
+                $this->sessionMessagesService->addMessage('Error emailing tx code.');
+            }
+            */
+
+        // TODO mivanci Wallet (client) credential_offer_endpoint metadata
+        // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#client-metadata
+
+        $scopes = array_map(
+            fn (string $scope) => new ScopeEntity($scope),
+            ['openid', ...$credentialConfigurationIds],
+        );
+
+        // Currently, we need a dedicated client for which the PreAuthZed code will be bound to.
+        // TODO mivanci: Remove requirement for dedicated client for (pre-)authorization codes.
+        $client = $this->clientEntityFactory->getGenericForVciPreAuthZFlow();
+        if ($this->clientRepository->findById($client->getIdentifier()) === null) {
+            $this->clientRepository->add($client);
+        } else {
+            $this->clientRepository->update($client);
+        }
+
+        $userId = null;
+        try {
+            $userId = $this->sspBridge->utils()->attributes()->getExpectedAttribute(
+                $userAttributes,
+                $this->moduleConfig->getUserIdentifierAttribute(),
+            );
+        } catch (\Throwable $e) {
+            $this->loggerService->warning(
+                'Could not extract user identifier from user attributes: ' . $e->getMessage(),
+            );
+        }
+
+        if ($userId === null) {
+            $sortedAttributes = $userAttributes;
+            $this->verifiableCredentials->helpers()->arr()->hybridSort($sortedAttributes);
+            $userId = 'vci_preauthz_' . hash('sha256', serialize($sortedAttributes));
+        }
+
+        $oldUserEntity = $this->userRepository->getUserEntityByIdentifier($userId);
+
+        $userEntity = $this->userEntityFactory->fromData($userId, $userAttributes);
+
+        if ($oldUserEntity instanceof UserEntity) {
+            $this->userRepository->update($userEntity);
+        } else {
+            $this->userRepository->add($userEntity);
+        }
+
+        $authCodeId = null;
+        $authCodeIdGenerationAttempts = 3;
+        while ($authCodeIdGenerationAttempts > 0) {
+            $authCodeId = $this->sspBridge->utils()->random()->generateID();
+            if ($this->authCodeRepository->findById($authCodeId) === null) {
+                break;
+            }
+            $authCodeIdGenerationAttempts--;
+        }
+
+        if ($authCodeId === null) {
+            throw new RuntimeException('Failed to generate Authorization Code ID.');
+        }
+
+        // TODO mivanci Add indication of preAuthZ code to the auth code table.
+        $authCode = $this->authCodeEntityFactory->fromData(
+            id: $authCodeId,
+            client: $client,
+            scopes: $scopes,
+            expiryDateTime: (new DateTimeImmutable())->add($this->moduleConfig->getAuthCodeDuration()),
+            userIdentifier: $userId,
+            redirectUri: 'openid-credential-offer://',
+        );
+        $this->authCodeRepository->persistNewAuthCode($authCode);
+
+        $credentialOffer = $this->verifiableCredentials->credentialOfferFactory()->from(
+            parameters: [
+                ClaimsEnum::CredentialIssuer->value => $this->moduleConfig->getIssuer(),
+                ClaimsEnum::CredentialConfigurationIds->value => [
+                    ...$credentialConfigurationIds,
+                ],
+                ClaimsEnum::Grants->value => [
+                    GrantTypesEnum::PreAuthorizedCode->value => [
+                        ClaimsEnum::PreAuthorizedCode->value => $authCode->getIdentifier(),
+                        // TODO mivanci support for TxCode
+                        //                        ClaimsEnum::TxCode->value => [
+                        //                            ClaimsEnum::InputMode->value => 'numeric',
+                        //                            ClaimsEnum::Length->value => 6,
+                        //                            ClaimsEnum::Description->value => 'Sent to user mail',
+                        //                        ],
+                    ],
+                ],
+            ],
+        );
+
+        $credentialOfferValue = $credentialOffer->jsonSerialize();
+        $parameterName = ParametersEnum::CredentialOfferUri->value;
+        if (is_array($credentialOfferValue)) {
+            $parameterName = ParametersEnum::CredentialOffer->value;
+            $credentialOfferValue = json_encode($credentialOfferValue);
+        }
+
+        return "openid-credential-offer://?$parameterName=$credentialOfferValue";
+    }
+}

src/Services/Container.php

@@ -235,6 +235,7 @@ public function __construct()
             $helpers,
             $claimTranslatorExtractor,
             $requestParamsResolver,
+            $moduleConfig,
         );
         $this->services[ClientEntityFactory::class] = $clientEntityFactory;