WIP Authorization Details in AuthCode

Author: cicnavi

docker/conformance.sql

@@ -84,6 +84,7 @@ CREATE TABLE oidc_auth_code (
             redirect_uri TEXT NOT NULL, nonce TEXT NULL,
             flow_type CHAR(64) DEFAULT NULL,
             tx_code varchar(191) DEFAULT NULL,
+            authorization_details TEXT NULL,
             CONSTRAINT FK_97D32CA7A76ED395 FOREIGN KEY (user_id)
                 REFERENCES oidc_user (id) ON DELETE CASCADE,
             CONSTRAINT FK_97D32CA719EB6921 FOREIGN KEY (client_id)

src/Entities/AuthCodeEntity.php

@@ -46,6 +46,7 @@ public function __construct(
         bool $isRevoked = false,
         protected readonly ?FlowTypeEnum $flowTypeEnum = null,
         protected readonly ?string $txCode = null,
+        protected readonly ?array $authorizationDetails = null,
     ) {
         $this->identifier = $id;
         $this->client = $client;
@@ -73,6 +74,7 @@ public function getState(): array
             'nonce' => $this->getNonce(),
             'flow_type' => $this->flowTypeEnum?->value,
             'tx_code' => $this->txCode,
+            'authorization_details' => json_encode($this->authorizationDetails, JSON_THROW_ON_ERROR),
         ];
     }
 
@@ -90,4 +92,9 @@ public function getFlowTypeEnum(): ?FlowTypeEnum
     {
         return $this->flowTypeEnum;
     }
+
+    public function getAuthorizationDetails(): ?array
+    {
+        return $this->authorizationDetails;
+    }
 }

src/Entities/Interfaces/AuthCodeEntityInterface.php

@@ -6,7 +6,7 @@
 
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface as OAuth2AuthCodeEntityInterface;
 
-interface AuthCodeEntityInterface extends OAuth2AuthCodeEntityInterface
+interface AuthCodeEntityInterface extends OAuth2AuthCodeEntityInterface, TokenRevokableInterface
 {
     /**
      * @return string|null

src/Factories/Entities/AuthCodeEntityFactory.php

@@ -34,6 +34,7 @@ public function fromData(
         bool $isRevoked = false,
         ?FlowTypeEnum $flowTypeEnum = null,
         ?string $txCode = null,
+        ?array $authorizationDetails = null,
     ): AuthCodeEntity {
         return new AuthCodeEntity(
             $id,
@@ -46,6 +47,7 @@ public function fromData(
             $isRevoked,
             $flowTypeEnum,
             $txCode,
+            $authorizationDetails,
         );
     }
 
@@ -89,6 +91,12 @@ public function fromState(array $state): AuthCodeEntity
         $flowType = empty($state['flow_type']) ? null : FlowTypeEnum::tryFrom((string)$state['flow_type']);
         $txCode = empty($state['tx_code']) ? null : (string)$state['tx_code'];
 
+        /** @psalm-suppress MixedAssignment */
+        $authorizationDetails = isset($state['authorization_details']) && is_string($state['authorization_details']) ?
+        json_decode($state['authorization_details'], true, 512, JSON_THROW_ON_ERROR) :
+        null;
+        $authorizationDetails = is_array($authorizationDetails) ? $authorizationDetails : null;
+
         return $this->fromData(
             $id,
             $client,
@@ -100,6 +108,7 @@ public function fromState(array $state): AuthCodeEntity
             $isRevoked,
             $flowType,
             $txCode,
+            $authorizationDetails,
         );
     }
 }

src/Factories/RequestRulesManagerFactory.php

@@ -15,6 +15,7 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AcrValuesRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AddClaimsToIdTokenRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AuthorizationDetailsRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientAuthenticationRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeMethodRule;
@@ -146,6 +147,7 @@ private function getDefaultRules(): array
             ),
             new CodeVerifierRule($this->requestParamsResolver, $this->helpers),
             new IssuerStateRule($this->requestParamsResolver, $this->helpers, $this->issuerStateRepository),
+            new AuthorizationDetailsRule($this->requestParamsResolver, $this->helpers, $this->moduleConfig),
         ];
     }
 }

src/Repositories/AuthCodeRepository.php

@@ -81,7 +81,8 @@ public function persistNewAuthCode(OAuth2AuthCodeEntityInterface $authCodeEntity
                 redirect_uri,
                 nonce,
                 flow_type,
-                tx_code
+                tx_code,
+                authorization_details
             ) VALUES (
                 :id,
                 :scopes,
@@ -92,7 +93,8 @@ public function persistNewAuthCode(OAuth2AuthCodeEntityInterface $authCodeEntity
                 :redirect_uri,
                 :nonce,
                 :flow_type,
-                :tx_code
+                :tx_code,
+                :authorization_details
             )
             EOS,
             $this->getTableName(),
@@ -116,7 +118,7 @@ public function persistNewAuthCode(OAuth2AuthCodeEntityInterface $authCodeEntity
      * Find Auth Code by id.
      * @throws \Exception
      */
-    public function findById(string $codeId): ?AuthCodeEntityInterface
+    public function findById(string $codeId): ?AuthCodeEntity
     {
         /** @var ?array $data */
         $data = $this->protocolCache?->get(null, $this->getCacheKey($codeId));
@@ -215,7 +217,8 @@ private function update(AuthCodeEntity $authCodeEntity): void
                 redirect_uri = :redirect_uri,
                 nonce = :nonce,
                 flow_type = :flow_type,
-                tx_code = :tx_code
+                tx_code = :tx_code,
+                authorization_details = :authorization_details
             WHERE id = :id
 EOS
             ,

src/Server/Grants/AuthCodeGrant.php

@@ -22,13 +22,15 @@
 use LogicException;
 use Psr\Http\Message\ServerRequestInterface;
 use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum;
+use SimpleSAML\Module\oidc\Entities\AuthCodeEntity;
 use SimpleSAML\Module\oidc\Entities\Interfaces\AccessTokenEntityInterface;
 use SimpleSAML\Module\oidc\Entities\Interfaces\AuthCodeEntityInterface;
 use SimpleSAML\Module\oidc\Entities\Interfaces\RefreshTokenEntityInterface;
 use SimpleSAML\Module\oidc\Entities\UserEntity;
 use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
 use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\AccessTokenRepositoryInterface;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\AuthCodeRepositoryInterface;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\RefreshTokenRepositoryInterface;
@@ -40,6 +42,7 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AcrValuesRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AuthorizationDetailsRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientAuthenticationRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeMethodRule;
@@ -288,6 +291,8 @@ public function completeOidcAuthorizationRequest(
             'claims'                => $authorizationRequest->getClaims(),
             'acr'                   => $authorizationRequest->getAcr(),
             'session_id'            => $authorizationRequest->getSessionId(),
+            // Do not add anything else to the payload, as it will make it dangerously long to send it as a query
+            // parameter. Use storage instead.
         ];
 
         $jsonPayload = json_encode($payload, JSON_THROW_ON_ERROR);
@@ -338,6 +343,7 @@ protected function issueOidcAuthCode(
                     $redirectUri,
                     $authorizationRequest->getNonce(),
                     flowTypeEnum: $flowType,
+                    authorizationDetails: $authorizationRequest->getAuthorizationDetails(),
                 );
                 $this->authCodeRepository->persistNewAuthCode($authCode);
 
@@ -448,7 +454,21 @@ public function respondToAccessTokenRequest(
              */
             $authCodePayload = json_decode($this->decrypt($encryptedAuthCode), null, 512, JSON_THROW_ON_ERROR);
 
-            $this->validateAuthorizationCode($authCodePayload, $client, $request);
+            if (!property_exists($authCodePayload, 'auth_code_id')) {
+                throw OAuthServerException::invalidRequest('code', 'Authorization code malformed');
+            }
+
+            if (! is_a($this->authCodeRepository, AuthCodeRepository::class)) {
+                throw OidcServerException::serverError('Unexpected auth code repository entity type.');
+            }
+
+            $storedAuthCodeEntity = $this->authCodeRepository->findById($authCodePayload->auth_code_id);
+
+            if ($storedAuthCodeEntity === null) {
+                throw OAuthServerException::invalidGrant('Authorization code not found');
+            }
+
+            $this->validateAuthorizationCode($authCodePayload, $client, $request, $storedAuthCodeEntity);
 
             $scopes = $this->scopeRepository->finalizeScopes(
                 $this->validateScopes($authCodePayload->scopes),
@@ -569,9 +589,6 @@ public function respondToAccessTokenRequest(
                 $responseType->setRefreshToken($refreshToken);
             }
         }
-        if (! is_a($this->authCodeRepository, AuthCodeRepositoryInterface::class)) {
-            throw OidcServerException::serverError('Unexpected auth code repository entity type.');
-        }
 
         // Revoke used auth code
         $this->authCodeRepository->revokeAuthCode($authCodePayload->auth_code_id);
@@ -592,20 +609,13 @@ protected function validateAuthorizationCode(
         object $authCodePayload,
         OAuth2ClientEntityInterface $client,
         ServerRequestInterface $request,
+        AuthCodeEntity $storedAuthCodeEntity,
     ): void {
         /**
          * @noinspection PhpUndefinedClassInspection
          * @psalm-var AuthCodePayloadObject $authCodePayload
          */
 
-        if (!property_exists($authCodePayload, 'auth_code_id')) {
-            throw OAuthServerException::invalidRequest('code', 'Authorization code malformed');
-        }
-
-        if (! is_a($this->authCodeRepository, AuthCodeRepositoryInterface::class)) {
-            throw OidcServerException::serverError('Unexpected auth code repository entity type.');
-        }
-
         if (! is_a($this->accessTokenRepository, AccessTokenRepositoryInterface::class)) {
             throw OidcServerException::serverError('Unexpected access token repository entity type.');
         }
@@ -618,7 +628,7 @@ protected function validateAuthorizationCode(
             throw OAuthServerException::invalidGrant('Authorization code has expired');
         }
 
-        if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
+        if ($storedAuthCodeEntity->isRevoked()) {
             // Code is reused, all related tokens must be revoked, per https://tools.ietf.org/html/rfc6749#section-4.1.2
             $this->accessTokenRepository->revokeByAuthCodeId($authCodePayload->auth_code_id);
             $this->refreshTokenRepository->revokeByAuthCodeId($authCodePayload->auth_code_id);
@@ -663,6 +673,7 @@ public function validateAuthorizationRequestWithRequestRules(
             CodeChallengeRule::class,
             CodeChallengeMethodRule::class,
             IssuerStateRule::class,
+            AuthorizationDetailsRule::class,
         ];
 
         // Since we have already validated redirect_uri, and we have state, make it available for other checkers.
@@ -710,7 +721,15 @@ public function validateAuthorizationRequestWithRequestRules(
             $oAuth2AuthorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
         }
 
-        if (! $this->isOidcCandidate($oAuth2AuthorizationRequest)) {
+        $isVciAuthorizationCodeRequest = $this->requestParamsResolver->isVciAuthorizationCodeRequest(
+            $request,
+            $this->allowedAuthorizationHttpMethods,
+        );
+
+        if (
+            (! $this->isOidcCandidate($oAuth2AuthorizationRequest)) &&
+            (! $isVciAuthorizationCodeRequest)
+        ) {
             return $oAuth2AuthorizationRequest;
         }
 
@@ -743,17 +762,22 @@ public function validateAuthorizationRequestWithRequestRules(
         $acrValues = $resultBag->getOrFail(AcrValuesRule::class)->getValue();
         $authorizationRequest->setRequestedAcrValues($acrValues);
 
-        $authorizationRequest->setIsVciRequest(
-            $this->requestParamsResolver->isVciAuthorizationCodeRequest(
-                $request,
-                $this->allowedAuthorizationHttpMethods,
-            ),
+
+        $authorizationRequest->setIsVciRequest($isVciAuthorizationCodeRequest);
+        $authorizationRequest->setFlowType(
+            $isVciAuthorizationCodeRequest ?
+                FlowTypeEnum::VciAuthorizationCode :
+                FlowTypeEnum::OidcAuthorizationCode,
         );
 
         /** @var ?string $issuerState */
         $issuerState = $resultBag->get(IssuerStateRule::class)?->getValue();
         $authorizationRequest->setIssuerState($issuerState);
 
+        /** @var ?array $authorizationDetails */
+        $authorizationDetails = $resultBag->get(AuthorizationDetailsRule::class)?->getValue();
+        $authorizationRequest->setAuthorizationDetails($authorizationDetails);
+
         return $authorizationRequest;
     }
 

src/Server/Grants/PreAuthCodeGrant.php

@@ -236,6 +236,7 @@ protected function validateAuthorizationCode(
         object $authCodePayload,
         OAuth2ClientEntityInterface $client,
         ServerRequestInterface $request,
+        AuthCodeEntity $storedAuthCodeEntity,
     ): void {
     }