Lint

Author: cicnavi

config/module_oidc.php.dist

@@ -676,7 +676,7 @@ $config = [
 
         // Sample for 'dc+sd-jwt' format without notes about required and optional fields.
         'ResearchAndScholarshipCredentialDcSdJwt' => [
-            ClaimsEnum::Format->value => CredentialFormatIdentifiersEnum::JwtVcJson->value,
+            ClaimsEnum::Format->value => CredentialFormatIdentifiersEnum::DcSdJwt->value,
             ClaimsEnum::Scope->value => 'ResearchAndScholarshipCredentialDcSdJwt',
             ClaimsEnum::Display->value => [
                 [

public/assets/js/src/test-verifiable-credential-issuance.js

@@ -0,0 +1,25 @@
+(function () {
+    'use strict';
+
+    // Handle option changes based on Grant Type
+    function togglePreAuthorizedCodeOptions() {
+        if (grantTypeSelect.value === "urn:ietf:params:oauth:grant-type:pre-authorized_code") {
+            useTxCodeCheckbox.disabled = false;
+            usersEmailAttributeNameInput.disabled = false;
+        } else {
+            useTxCodeCheckbox.disabled = true;
+            useTxCodeCheckbox.checked = false;
+            usersEmailAttributeNameInput.disabled = true;
+        }
+    }
+
+    const grantTypeSelect = document.getElementById("grantType");
+
+    // Get references to options
+    const useTxCodeCheckbox = document.getElementById("useTxCode");
+    const usersEmailAttributeNameInput = document.getElementById("usersEmailAttributeName");
+
+    grantTypeSelect.addEventListener("change", togglePreAuthorizedCodeOptions);
+
+    togglePreAuthorizedCodeOptions();
+})();

src/Controllers/Admin/VerifiableCredentailsTestController.php

@@ -5,17 +5,17 @@
 namespace SimpleSAML\Module\oidc\Controllers\Admin;
 
 use SimpleSAML\Auth\Simple;
+use SimpleSAML\Locale\Translate;
 use SimpleSAML\Module\oidc\Admin\Authorization;
 use SimpleSAML\Module\oidc\Bridges\SspBridge;
 use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
 use SimpleSAML\Module\oidc\Factories\AuthSimpleFactory;
 use SimpleSAML\Module\oidc\Factories\CredentialOfferUriFactory;
-use SimpleSAML\Module\oidc\Factories\EmailFactory;
 use SimpleSAML\Module\oidc\Factories\TemplateFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
-use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Services\SessionService;
 use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\OpenID\Codebooks\GrantTypesEnum;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -25,8 +25,6 @@ public function __construct(
         protected readonly ModuleConfig $moduleConfig,
         protected readonly TemplateFactory $templateFactory,
         protected readonly Authorization $authorization,
-        protected readonly LoggerService $loggerService,
-        protected readonly EmailFactory $emailFactory,
         protected readonly AuthSimpleFactory $authSimpleFactory,
         protected readonly SessionService $sessionService,
         protected readonly SspBridge $sspBridge,
@@ -40,6 +38,7 @@ public function __construct(
      * @throws \SimpleSAML\Error\ConfigurationError
      * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
      * @throws \SimpleSAML\OpenID\Exceptions\CredentialOfferException
+     * @psalm-suppress MixedAssignment, InternalMethod
      */
     public function verifiableCredentialIssuance(Request $request): Response
     {
@@ -85,11 +84,13 @@ public function verifiableCredentialIssuance(Request $request): Response
             $authSource->login(['ReturnTo' => $this->routes->urlAdminTestVerifiableCredentialIssuance()]);
         }
 
+        /** @psalm-suppress MixedAssignment */
         $selectedCredentialConfigurationId = $this->sessionService->getCurrentSession()->getData(
             'vci',
             'credential_configuration_id',
         );
 
+        /** @psalm-suppress MixedAssignment, InternalMethod */
         if (is_string($newCredentialConfigurationId = $request->get('credentialConfigurationId'))) {
             $this->sessionService->getCurrentSession()->setData(
                 'vci',
@@ -114,7 +115,11 @@ public function verifiableCredentialIssuance(Request $request): Response
 
         $credentialOfferQrUri = null;
         $credentialOfferUri = null;
+        /** @psalm-suppress MixedAssignment, InternalMethod */
+        $grantType = $request->get('grantType');
+        /** @psalm-suppress InternalMethod */
         $useTxCode = (bool) $request->get('useTxCode');
+        /** @psalm-suppress MixedAssignment, InternalMethod */
         $usersEmailAttributeName = $request->get('usersEmailAttributeName');
         $usersEmailAttributeName = is_string($usersEmailAttributeName) && (trim($usersEmailAttributeName) !== '') ?
         trim($usersEmailAttributeName) :
@@ -129,12 +134,18 @@ public function verifiableCredentialIssuance(Request $request): Response
                 $authSource->getAuthSource()->getAuthId(),
             );
 
-            $credentialOfferUri = $this->credentialOfferUriFactory->buildPreAuthorized(
-                [$selectedCredentialConfigurationId],
-                $userAttributes,
-                $useTxCode,
-                $usersEmailAttributeName,
-            );
+            if ($grantType === GrantTypesEnum::PreAuthorizedCode->value) {
+                $credentialOfferUri = $this->credentialOfferUriFactory->buildPreAuthorized(
+                    [$selectedCredentialConfigurationId],
+                    $userAttributes,
+                    $useTxCode,
+                    $usersEmailAttributeName,
+                );
+            } else {
+                $credentialOfferUri = $this->credentialOfferUriFactory->buildForAuthorization(
+                    [$selectedCredentialConfigurationId],
+                );
+            }
 
             // TODO mivanci Local QR code generator
             // https://quickchart.io/documentation/qr-codes/
@@ -145,6 +156,11 @@ public function verifiableCredentialIssuance(Request $request): Response
 
         $defaultUsersEmailAttributeName = $this->moduleConfig->getDefaultUsersEmailAttributeName();
 
+        $grantTypesSupported = [
+            GrantTypesEnum::AuthorizationCode->value => Translate::noop('Authorization Code'),
+            GrantTypesEnum::PreAuthorizedCode->value => Translate::noop('Pre-authorized Code'),
+        ];
+
         return $this->templateFactory->build(
             'oidc:tests/verifiable-credential-issuance.twig',
             compact(
@@ -158,6 +174,7 @@ public function verifiableCredentialIssuance(Request $request): Response
                 'selectedCredentialConfigurationId',
                 'defaultUsersEmailAttributeName',
                 'usersEmailAttributeName',
+                'grantTypesSupported',
             ),
             RoutesEnum::AdminTestVerifiableCredentialIssuance->value,
         );

src/Controllers/Api/VciCredentialOfferController.php

@@ -4,22 +4,14 @@
 
 namespace SimpleSAML\Module\oidc\Controllers\Api;
 
-use SimpleSAML\Module\oidc\Bridges\SspBridge;
 use SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum;
 use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
 use SimpleSAML\Module\oidc\Factories\CredentialOfferUriFactory;
-use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
-use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
-use SimpleSAML\Module\oidc\Factories\Entities\UserEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
-use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
-use SimpleSAML\Module\oidc\Repositories\ClientRepository;
-use SimpleSAML\Module\oidc\Repositories\UserRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Services\Api\Authorization;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\Routes;
-use SimpleSAML\OpenID\VerifiableCredentials;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -31,15 +23,7 @@ class VciCredentialOfferController
     public function __construct(
         protected readonly ModuleConfig $moduleConfig,
         protected readonly Authorization $authorization,
-        protected readonly VerifiableCredentials $verifiableCredentials,
-        protected readonly ClientEntityFactory $clientEntityFactory,
-        protected readonly ClientRepository $clientRepository,
-        protected readonly SspBridge $sspBridge,
         protected readonly LoggerService $loggerService,
-        protected readonly UserRepository $userRepository,
-        protected readonly UserEntityFactory $userEntityFactory,
-        protected readonly AuthCodeRepository $authCodeRepository,
-        protected readonly AuthCodeEntityFactory $authCodeEntityFactory,
         protected readonly Routes $routes,
         protected readonly CredentialOfferUriFactory $credentialOfferUriFactory,
     ) {
@@ -52,6 +36,7 @@ public function __construct(
      */
     public function credentialOffer(Request $request): Response
     {
+        $this->loggerService->debug('VCI credential offer request data: ', $request->getPayload()->all());
         try {
             $this->authorization->requireTokenForAnyOfScope(
                 $request,
@@ -66,7 +51,9 @@ public function credentialOffer(Request $request): Response
         }
 
         $input = $request->getPayload()->all();
+        /** @psalm-suppress MixedAssignment */
         $userAttributes = $input['user_attributes'] ?? [];
+        $userAttributes = is_array($userAttributes) ? $userAttributes : [];
 
         $selectedCredentialConfigurationId = $input['credential_configuration_id'] ?? null;
 
@@ -79,8 +66,10 @@ public function credentialOffer(Request $request): Response
         }
 
         $useTxCode = boolval($input['use_tx_code'] ?? false);
+        /** @psalm-suppress MixedAssignment */
         $usersEmailAttributeName = $input['users_email_attribute_name'] ?? null;
         $usersEmailAttributeName = is_string($usersEmailAttributeName) ? $usersEmailAttributeName : null;
+        /** @psalm-suppress MixedAssignment */
         $authenticationSourceId = $input['authentication_source_id'] ?? null;
         $authenticationSourceId = is_string($authenticationSourceId) ? $authenticationSourceId : null;
 

src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php

@@ -7,6 +7,7 @@
 use Base64Url\Base64Url;
 use League\OAuth2\Server\ResourceServer;
 use SimpleSAML\Module\oidc\Bridges\PsrHttpBridge;
+use SimpleSAML\Module\oidc\Entities\AccessTokenEntity;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
 use SimpleSAML\Module\oidc\Repositories\UserRepository;
@@ -23,6 +24,7 @@
 use SimpleSAML\OpenID\Codebooks\JwtTypesEnum;
 use SimpleSAML\OpenID\Did;
 use SimpleSAML\OpenID\Exceptions\OpenId4VciProofException;
+use SimpleSAML\OpenID\Exceptions\OpenIdException;
 use SimpleSAML\OpenID\Jwk;
 use SimpleSAML\OpenID\VerifiableCredentials;
 use SimpleSAML\OpenID\VerifiableCredentials\OpenId4VciProof;
@@ -62,6 +64,7 @@ public function __construct(
      * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @throws \ReflectionException
+     * @throws OpenIdException
      */
     public function credential(Request $request): Response
     {
@@ -77,7 +80,18 @@ public function credential(Request $request): Response
         );
 
         // TODO mivanci validate access token
-        $accessToken = $this->accessTokenRepository->findById($authorization->getAttribute('oauth_access_token_id'));
+        $accessToken = $this->accessTokenRepository->findById(
+            (string)$authorization->getAttribute('oauth_access_token_id'),
+        );
+
+        if (! $accessToken instanceof AccessTokenEntity) {
+            return $this->routes->newJsonErrorResponse(
+                'invalid_token',
+                'Access token not found.',
+                401,
+            );
+        }
+
         if ($accessToken->isRevoked()) {
             return $this->routes->newJsonErrorResponse(
                 'invalid_token',
@@ -90,7 +104,7 @@ public function credential(Request $request): Response
 
         $credentialFormatId = $requestData[ClaimsEnum::Format->value] ?? null;
 
-        if (is_null($credentialFormatId)) {
+        if (!is_string($credentialFormatId)) {
             throw OidcServerException::serverError('Credential format missing in request.');
         }
 
@@ -111,6 +125,7 @@ public function credential(Request $request): Response
 
         $credentialConfigurationId = $requestData[ClaimsEnum::CredentialConfigurationId->value] ?? null;
 
+        /** @psalm-suppress MixedAssignment */
         if (is_null($credentialConfigurationId)) {
             // TODO mivanci Update this to newest draft.
             // Check per draft 14 (Sphereon wallet case).
@@ -133,7 +148,7 @@ public function credential(Request $request): Response
             }
         }
 
-        if (is_null($credentialConfigurationId)) {
+        if (!is_string($credentialConfigurationId)) {
             return $this->routes->newJsonErrorResponse(
                 'invalid_credential_request',
                 'Can not resolve credential configuration ID.',
@@ -148,6 +163,9 @@ public function credential(Request $request): Response
         }
 
         $userId = $accessToken->getUserIdentifier();
+        if (!is_string($userId)) {
+            throw OidcServerException::invalidRequest('User identifier not available in Access Token.');
+        }
         $userEntity = $this->userRepository->getUserEntityByIdentifier($userId);
         if ($userEntity === null) {
             throw OidcServerException::invalidRequest('User not found.');
@@ -159,12 +177,13 @@ public function credential(Request $request): Response
         $proof = null;
         // Validate proof, if provided.
         // TODO mivanci consider making proof mandatory (in issuer metadata).
+        /** @psalm-suppress MixedAssignment */
         if (
             isset($requestData['proof']['proof_type']) &&
             isset($requestData['proof']['jwt']) &&
-            $requestData['proof']['proof_type'] === 'jwt'
+            $requestData['proof']['proof_type'] === 'jwt' &&
+            is_string($proofJwt = $requestData['proof']['jwt'])
         ) {
-            $proofJwt = $requestData['proof']['jwt'];
             $this->loggerService->debug('Verifying proof JWT: ' . $proofJwt);
 
             try {
@@ -239,8 +258,30 @@ public function credential(Request $request): Response
             $credentialConfigurationId,
         );
         foreach ($attributeToCredentialClaimPathMap as $mapEntry) {
+            if (!is_array($mapEntry)) {
+                $this->loggerService->warning(
+                    sprintf(
+                        'Attribute to credential claim path map entry is not an array. Value was: %s',
+                        var_export($mapEntry, true),
+                    ),
+                );
+                continue;
+            }
+
             $userAttributeName = key($mapEntry);
+            /** @psalm-suppress MixedAssignment */
             $credentialClaimPath = current($mapEntry);
+            if (!is_array($credentialClaimPath)) {
+                $this->loggerService->warning(
+                    sprintf(
+                        'Credential claim path for user attribute name %s is not an array. Value was: %s',
+                        $userAttributeName,
+                        var_export($credentialClaimPath, true),
+                    ),
+                );
+                continue;
+            }
+            $credentialClaimPath = array_filter($credentialClaimPath, 'is_string');
             if (!in_array($credentialClaimPath, $validClaimPaths)) {
                 $this->loggerService->warning(
                     'Attribute "%s" does not use one of valid credential claim paths.',
@@ -258,6 +299,7 @@ public function credential(Request $request): Response
             }
 
             // Normalize to string for single array values.
+            /** @psalm-suppress MixedAssignment */
             $attributeValue = is_array($userAttributes[$userAttributeName]) &&
             count($userAttributes[$userAttributeName]) === 1 ?
             reset($userAttributes[$userAttributeName]) :
@@ -285,10 +327,11 @@ public function credential(Request $request): Response
                     continue;
                 }
 
+                /** @psalm-suppress ArgumentTypeCoercion */
                 $disclosure = $this->verifiableCredentials->disclosureFactory()->build(
                     value: $attributeValue,
                     name: $claimName,
-                    path: is_array($credentialClaimPath) ? $credentialClaimPath : [],
+                    path: $credentialClaimPath,
                     saltBlacklist: $disclosureBag->salts(),
                 );
 
@@ -389,6 +432,10 @@ public function credential(Request $request): Response
             );
         }
 
+        if ($verifiableCredential === null) {
+            throw new OpenIdException('Invalid credential format ID.');
+        }
+
         $this->loggerService->debug('response', [
             'credentials' => [
                 ['credential' => $verifiableCredential->getToken()],
@@ -407,15 +454,22 @@ public function credential(Request $request): Response
 
     /**
      * Helper method to set a claim value at a path. Supports creating nested arrays dynamically.
+     * @psalm-suppress UnusedVariable, MixedAssignment
+     * @param array-key[] $path
      */
     protected function setCredentialClaimValue(array &$claims, array $path, mixed $value): void
     {
         $temp = &$claims;
 
         foreach ($path as $key) {
+            if (!is_array($temp)) {
+                $temp = [];
+            }
+
             if (!isset($temp[$key])) {
                 $temp[$key] = [];
             }
+
             $temp = &$temp[$key];
         }