Initial auth-code implementation

Author: cicnavi

docker/conformance.sql

@@ -43,15 +43,16 @@ CREATE TABLE oidc_client (
             updated_at TIMESTAMP NULL DEFAULT NULL,
             created_at TIMESTAMP NULL DEFAULT NULL,
             expires_at TIMESTAMP NULL DEFAULT NULL,
-            is_federated BOOLEAN NOT NULL DEFAULT false
+            is_federated BOOLEAN NOT NULL DEFAULT false,
+            is_generic BOOLEAN NOT NULL DEFAULT false
 );
 -- Used 'httpd' host for back-channel logout url (https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout)
 -- since this is the hostname of conformance server while running in container environment
-INSERT INTO oidc_client VALUES('_55a99a1d298da921cb27d700d4604352e51171ebc4','_8967dd97d07cc59db7055e84ac00e79005157c1132','Conformance Client 1',replace('Client 1 for Conformance Testing  https://openid.net/certification/connect_op_testing/\n','\n',char(10)),'example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone","offline_access"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false);
-INSERT INTO oidc_client VALUES('_34efb61060172a11d62101bc804db789f8f9100b0e','_91a4607a1c10ba801268929b961b3f6c067ff82d21','Conformance Client 2','','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","offline_access"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false);
-INSERT INTO oidc_client VALUES('_0afb7d18e54b2de8205a93e38ca119e62ee321d031','_944e73bbeec7850d32b68f1b5c780562c955967e4e','Conformance Client 3','Client for client_secret_post','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false);
-INSERT INTO oidc_client VALUES('_8957eda35234902ba8343c0cdacac040310f17dfca','_322d16999f9da8b5abc9e9c0c08e853f60f4dc4804','RP-Initiated Logout Client','Client for testing RP-Initiated Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]',NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false);
-INSERT INTO oidc_client VALUES('_9fe2f7589ece1b71f5ef75a91847d71bc5125ec2a6','_3c0beb20194179c01d7796c6836f62801e9ed4b368','Back-Channel Logout Client','Client for testing Back-Channel Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false);
+INSERT INTO oidc_client VALUES('_55a99a1d298da921cb27d700d4604352e51171ebc4','_8967dd97d07cc59db7055e84ac00e79005157c1132','Conformance Client 1',replace('Client 1 for Conformance Testing  https://openid.net/certification/connect_op_testing/\n','\n',char(10)),'example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone","offline_access"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
+INSERT INTO oidc_client VALUES('_34efb61060172a11d62101bc804db789f8f9100b0e','_91a4607a1c10ba801268929b961b3f6c067ff82d21','Conformance Client 2','','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","offline_access"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
+INSERT INTO oidc_client VALUES('_0afb7d18e54b2de8205a93e38ca119e62ee321d031','_944e73bbeec7850d32b68f1b5c780562c955967e4e','Conformance Client 3','Client for client_secret_post','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
+INSERT INTO oidc_client VALUES('_8957eda35234902ba8343c0cdacac040310f17dfca','_322d16999f9da8b5abc9e9c0c08e853f60f4dc4804','RP-Initiated Logout Client','Client for testing RP-Initiated Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]',NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
+INSERT INTO oidc_client VALUES('_9fe2f7589ece1b71f5ef75a91847d71bc5125ec2a6','_3c0beb20194179c01d7796c6836f62801e9ed4b368','Back-Channel Logout Client','Client for testing Back-Channel Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
 CREATE TABLE oidc_access_token (
             id VARCHAR(191) PRIMARY KEY NOT NULL,
             scopes TEXT,
@@ -60,6 +61,10 @@ CREATE TABLE oidc_access_token (
             client_id VARCHAR(191) NOT NULL,
             is_revoked BOOLEAN NOT NULL DEFAULT false,
             auth_code_id varchar(191) DEFAULT NULL, requested_claims TEXT NULL,
+            flow_type CHAR(64) NULL,
+            authorization_details TEXT NULL,
+            bound_client_id TEXT NULL,
+            bound_redirect_uri TEXT NULL,
             CONSTRAINT FK_43C1650EA76ED395 FOREIGN KEY (user_id)
                 REFERENCES oidc_user (id) ON DELETE CASCADE,
             CONSTRAINT FK_43C1650E19EB6921 FOREIGN KEY (client_id)
@@ -85,6 +90,8 @@ CREATE TABLE oidc_auth_code (
             flow_type CHAR(64) DEFAULT NULL,
             tx_code varchar(191) DEFAULT NULL,
             authorization_details TEXT NULL,
+            bound_client_id TEXT NULL,
+            bound_redirect_uri TEXT NULL,
             CONSTRAINT FK_97D32CA7A76ED395 FOREIGN KEY (user_id)
                 REFERENCES oidc_user (id) ON DELETE CASCADE,
             CONSTRAINT FK_97D32CA719EB6921 FOREIGN KEY (client_id)

src/Codebooks/FlowTypeEnum.php

@@ -13,4 +13,20 @@ enum FlowTypeEnum: string
 
     case VciAuthorizationCode = 'vci_authorization_code';
     case VciPreAuthorizedCode = 'vci_pre_authorized_code';
+
+    public function isOidcFlow(): bool
+    {
+        return match ($this) {
+            self::OidcAuthorizationCode, self::OidcImplicit, self::OidcHybrid => true,
+            default => false,
+        };
+    }
+
+    public function isVciFlow(): bool
+    {
+        return match ($this) {
+            self::VciAuthorizationCode, self::VciPreAuthorizedCode => true,
+            default => false,
+        };
+    }
 }

src/Entities/AccessTokenEntity.php

@@ -24,6 +24,7 @@
 use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;
 use League\OAuth2\Server\Entities\Traits\EntityTrait;
 use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum;
 use SimpleSAML\Module\oidc\Entities\Interfaces\AccessTokenEntityInterface;
 use SimpleSAML\Module\oidc\Entities\Interfaces\EntityStringRepresentationInterface;
 use SimpleSAML\Module\oidc\Entities\Traits\AssociateWithAuthCodeTrait;
@@ -69,6 +70,10 @@ public function __construct(
         ?array $requestedClaims = null,
         ?bool $isRevoked = false,
         ?Configuration $jwtConfiguration = null,
+        protected readonly ?FlowTypeEnum $flowTypeEnum = null,
+        protected readonly ?array $authorizationDetails = null,
+        protected readonly ?string $boundClientId = null,
+        protected readonly ?string $boundRedirectUri = null,
     ) {
         $this->setIdentifier($id);
         $this->setClient($clientEntity);
@@ -114,6 +119,12 @@ public function getState(): array
             'is_revoked' => $this->isRevoked(),
             'auth_code_id' => $this->getAuthCodeId(),
             'requested_claims' => json_encode($this->requestedClaims, JSON_THROW_ON_ERROR),
+            'flow_type' => $this->flowTypeEnum?->value,
+            'authorization_details' => is_array($this->authorizationDetails) ?
+                json_encode($this->authorizationDetails, JSON_THROW_ON_ERROR) :
+                null,
+            'bound_client_id' => $this->boundClientId,
+            'bound_redirect_uri' => $this->boundRedirectUri,
         ];
     }
 
@@ -158,4 +169,24 @@ protected function convertToJWT(): Token
 
         return $this->jsonWebTokenBuilderService->getSignedProtocolJwt($jwtBuilder);
     }
+
+    public function getFlowTypeEnum(): ?FlowTypeEnum
+    {
+        return $this->flowTypeEnum;
+    }
+
+    public function getAuthorizationDetails(): ?array
+    {
+        return $this->authorizationDetails;
+    }
+
+    public function getBoundClientId(): ?string
+    {
+        return $this->boundClientId;
+    }
+
+    public function getBoundRedirectUri(): ?string
+    {
+        return $this->boundRedirectUri;
+    }
 }

src/Entities/AuthCodeEntity.php

@@ -47,6 +47,8 @@ public function __construct(
         protected readonly ?FlowTypeEnum $flowTypeEnum = null,
         protected readonly ?string $txCode = null,
         protected readonly ?array $authorizationDetails = null,
+        protected readonly ?string $boundClientId = null,
+        protected readonly ?string $boundRedirectUri = null,
     ) {
         $this->identifier = $id;
         $this->client = $client;
@@ -77,6 +79,8 @@ public function getState(): array
             'authorization_details' => is_array($this->authorizationDetails) ?
                 json_encode($this->authorizationDetails, JSON_THROW_ON_ERROR) :
                 null,
+            'bound_client_id' => $this->boundClientId,
+            'bound_redirect_uri' => $this->boundRedirectUri,
         ];
     }
 
@@ -99,4 +103,14 @@ public function getAuthorizationDetails(): ?array
     {
         return $this->authorizationDetails;
     }
+
+    public function getBoundClientId(): ?string
+    {
+        return $this->boundClientId;
+    }
+
+    public function getBoundRedirectUri(): ?string
+    {
+        return $this->boundRedirectUri;
+    }
 }

src/Entities/ClientEntity.php

@@ -51,6 +51,7 @@ class ClientEntity implements ClientEntityInterface
     public const KEY_CREATED_AT = 'created_at';
     public const KEY_EXPIRES_AT = 'expires_at';
     public const KEY_IS_FEDERATED = 'is_federated';
+    public const KEY_IS_GENERIC = 'is_generic';
 
     private string $secret;
 
@@ -93,6 +94,7 @@ class ClientEntity implements ClientEntityInterface
     private ?DateTimeImmutable $createdAt;
     private ?DateTimeImmutable $expiresAt;
     private bool $isFederated;
+    private bool $isGeneric;
 
     /**
      * @param string[] $redirectUri
@@ -126,6 +128,7 @@ public function __construct(
         ?DateTimeImmutable $createdAt = null,
         ?DateTimeImmutable $expiresAt = null,
         bool $isFederated = false,
+        bool $isGeneric = false,
     ) {
         $this->identifier = $identifier;
         $this->secret = $secret;
@@ -150,6 +153,7 @@ public function __construct(
         $this->createdAt = $createdAt;
         $this->expiresAt = $expiresAt;
         $this->isFederated = $isFederated;
+        $this->isGeneric = $isGeneric;
     }
 
     /**
@@ -188,6 +192,7 @@ public function getState(): array
             self::KEY_CREATED_AT => $this->getCreatedAt()?->format('Y-m-d H:i:s'),
             self::KEY_EXPIRES_AT => $this->getExpiresAt()?->format('Y-m-d H:i:s'),
             self::KEY_IS_FEDERATED => $this->isFederated(),
+            self::KEY_IS_GENERIC => $this->isGeneric(),
         ];
     }
 
@@ -217,6 +222,7 @@ public function toArray(): array
             self::KEY_CREATED_AT => $this->createdAt,
             self::KEY_EXPIRES_AT => $this->expiresAt,
             self::KEY_IS_FEDERATED => $this->isFederated,
+            self::KEY_IS_GENERIC => $this->isGeneric,
         ];
     }
 
@@ -355,4 +361,9 @@ public function isFederated(): bool
     {
         return $this->isFederated;
     }
+
+    public function isGeneric(): bool
+    {
+        return $this->isGeneric;
+    }
 }

src/Entities/Interfaces/ClientEntityInterface.php

@@ -79,4 +79,5 @@ public function getCreatedAt(): ?DateTimeImmutable;
     public function getExpiresAt(): ?DateTimeImmutable;
     public function isExpired(): bool;
     public function isFederated(): bool;
+    public function isGeneric(): bool;
 }

src/Factories/Entities/AccessTokenEntityFactory.php

@@ -7,6 +7,7 @@
 use DateTimeImmutable;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
+use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum;
 use SimpleSAML\Module\oidc\Entities\AccessTokenEntity;
 use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\Module\oidc\Helpers;
@@ -35,6 +36,10 @@ public function fromData(
         ?string $authCodeId = null,
         ?array $requestedClaims = null,
         ?bool $isRevoked = false,
+        ?FlowTypeEnum $flowTypeEnum = null,
+        ?array $authorizationDetails = null,
+        ?string $boundClientId = null,
+        ?string $boundRedirectUri = null,
     ): AccessTokenEntity {
         return new AccessTokenEntity(
             $id,
@@ -47,6 +52,10 @@ public function fromData(
             $authCodeId,
             $requestedClaims,
             $isRevoked,
+            flowTypeEnum: $flowTypeEnum,
+            authorizationDetails: $authorizationDetails,
+            boundClientId: $boundClientId,
+            boundRedirectUri: $boundRedirectUri,
         );
     }
 
@@ -90,6 +99,16 @@ public function fromState(array $state): AccessTokenEntity
             throw OidcServerException::serverError('Invalid Access Token Entity state: requested claims');
         }
 
+        $flowType = empty($state['flow_type']) ? null : FlowTypeEnum::tryFrom((string)$state['flow_type']);
+        /** @psalm-suppress MixedAssignment */
+        $authorizationDetails = isset($state['authorization_details']) && is_string($state['authorization_details']) ?
+        json_decode($state['authorization_details'], true, 512, JSON_THROW_ON_ERROR) :
+        null;
+        $authorizationDetails = is_array($authorizationDetails) ? $authorizationDetails : null;
+
+        $boundClientId = empty($state['bound_client_id']) ? null : (string)$state['bound_client_id'];
+        $boundRedirectUri = empty($state['bound_redirect_uri']) ? null : (string)$state['bound_redirect_uri'];
+
         return $this->fromData(
             $id,
             $client,
@@ -99,6 +118,10 @@ public function fromState(array $state): AccessTokenEntity
             $authCodeId,
             $stateRequestedClaims,
             $isRevoked,
+            $flowType,
+            $authorizationDetails,
+            $boundClientId,
+            $boundRedirectUri,
         );
     }
 }

src/Factories/Entities/AuthCodeEntityFactory.php

@@ -35,6 +35,8 @@ public function fromData(
         ?FlowTypeEnum $flowTypeEnum = null,
         ?string $txCode = null,
         ?array $authorizationDetails = null,
+        ?string $boundClientId = null,
+        ?string $boundRedirectUri = null,
     ): AuthCodeEntity {
         return new AuthCodeEntity(
             $id,
@@ -48,6 +50,8 @@ public function fromData(
             $flowTypeEnum,
             $txCode,
             $authorizationDetails,
+            $boundClientId,
+            $boundRedirectUri,
         );
     }
 
@@ -97,6 +101,9 @@ public function fromState(array $state): AuthCodeEntity
         null;
         $authorizationDetails = is_array($authorizationDetails) ? $authorizationDetails : null;
 
+        $boundClientId = empty($state['bound_client_id']) ? null : (string)$state['bound_client_id'];
+        $boundRedirectUri = empty($state['bound_redirect_uri']) ? null : (string)$state['bound_redirect_uri'];
+
         return $this->fromData(
             $id,
             $client,
@@ -109,6 +116,8 @@ public function fromState(array $state): AuthCodeEntity
             $flowType,
             $txCode,
             $authorizationDetails,
+            $boundClientId,
+            $boundRedirectUri,
         );
     }
 }

src/Factories/Entities/ClientEntityFactory.php

@@ -66,6 +66,7 @@ public function fromData(
         ?DateTimeImmutable $createdAt = null,
         ?DateTimeImmutable $expiresAt = null,
         bool $isFederated = false,
+        bool $isGeneric = false,
     ): ClientEntityInterface {
         return new ClientEntity(
             $id,
@@ -91,6 +92,7 @@ public function fromData(
             $createdAt,
             $expiresAt,
             $isFederated,
+            $isGeneric,
         );
     }
 
@@ -192,6 +194,7 @@ public function fromRegistrationData(
 //        $expiresAt = $expiresAt;
 
         $isFederated = $existingClient?->isFederated() ?? false;
+        $isGeneric = $existingClient?->isGeneric() ?? false;
 
         return $this->fromData(
             $id,
@@ -217,6 +220,7 @@ public function fromRegistrationData(
             $createdAt,
             $expiresAt,
             $isFederated,
+            $isGeneric,
         );
     }
 
@@ -355,6 +359,7 @@ public function fromState(array $state): ClientEntityInterface
         $this->helpers->dateTime()->getUtc((string)$state[ClientEntity::KEY_EXPIRES_AT]);
 
         $isFederated = (bool)$state[ClientEntity::KEY_IS_FEDERATED];
+        $isGeneric = (bool)$state[ClientEntity::KEY_IS_GENERIC];
 
         return $this->fromData(
             $id,
@@ -380,6 +385,7 @@ public function fromState(array $state): ClientEntityInterface
             $createdAt,
             $expiresAt,
             $isFederated,
+            $isGeneric,
         );
     }
 
@@ -404,6 +410,7 @@ public function getGenericForVci(): ClientEntityInterface
             isEnabled: true,
             updatedAt: $createdAt,
             createdAt: $createdAt,
+            isGeneric: true,
         );
     }
 }