Start with Credential Issuer and OAuth2 configuration discovery

cicnavi · cicnavi · commit da38910b8c1d · 2025-04-06T12:23:57.000+02:00
diff --git a/routing/routes/routes.php b/routing/routes/routes.php
@@ -17,7 +17,9 @@
 use SimpleSAML\Module\oidc\Controllers\Federation\EntityStatementController;
 use SimpleSAML\Module\oidc\Controllers\Federation\SubordinateListingsController;
 use SimpleSAML\Module\oidc\Controllers\JwksController;
+use SimpleSAML\Module\oidc\Controllers\OAuth2\OAuth2ServerConfigurationController;
 use SimpleSAML\Module\oidc\Controllers\UserInfoController;
+use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerConfigurationController;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;
 
@@ -86,6 +88,13 @@
     $routes->add(RoutesEnum::Jwks->name, RoutesEnum::Jwks->value)
         ->controller([JwksController::class, 'jwks']);
 
+    /*****************************************************************************************************************
+     * OAuth 2.0 Authorization Server
+     ****************************************************************************************************************/
+
+    $routes->add(RoutesEnum::OAuth2Configuration->name, RoutesEnum::OAuth2Configuration->value)
+        ->controller(OAuth2ServerConfigurationController::class);
+
     /*****************************************************************************************************************
      * OpenID Federation
      ****************************************************************************************************************/
@@ -101,4 +110,12 @@
     $routes->add(RoutesEnum::FederationList->name, RoutesEnum::FederationList->value)
         ->controller([SubordinateListingsController::class, 'list'])
         ->methods([HttpMethodsEnum::GET->value]);
+
+    /*****************************************************************************************************************
+     * OpenID Verifiable Credential Issuance
+     ****************************************************************************************************************/
+
+    $routes->add(RoutesEnum::CredentialIssuerConfiguration->name, RoutesEnum::CredentialIssuerConfiguration->value)
+        ->controller([CredentialIssuerConfigurationController::class, 'configuration'])
+        ->methods([HttpMethodsEnum::GET->value]);
 };
diff --git a/src/Codebooks/RoutesEnum.php b/src/Codebooks/RoutesEnum.php
@@ -40,11 +40,24 @@ enum RoutesEnum: string
     case Jwks = 'jwks';
     case EndSession = 'end-session';
 
+    /*****************************************************************************************************************
+     * OAuth 2.0 Authorization Server
+     ****************************************************************************************************************/
+
+    // OAuth 2.0 Authorization Server Metadata https://www.rfc-editor.org/rfc/rfc8414.html
+    case OAuth2Configuration = '/.well-known/oauth-authorization-server';
+
     /*****************************************************************************************************************
      * OpenID Federation
      ****************************************************************************************************************/
 
     case FederationConfiguration = '.well-known/openid-federation';
     case FederationFetch = 'federation/fetch';
     case FederationList = 'federation/list';
+
+    /*****************************************************************************************************************
+     * OpenID Verifiable Credential Issuance
+     ****************************************************************************************************************/
+
+    case CredentialIssuerConfiguration = '.well-known/openid-credential-issuer';
 }
diff --git a/src/Controllers/OAuth2/OAuth2ServerConfigurationController.php b/src/Controllers/OAuth2/OAuth2ServerConfigurationController.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Controllers\OAuth2;
+
+use SimpleSAML\Module\oidc\Services\OpMetadataService;
+use SimpleSAML\Module\oidc\Utils\Routes;
+use Symfony\Component\HttpFoundation\JsonResponse;
+
+class OAuth2ServerConfigurationController
+{
+    public function __construct(
+        protected readonly OpMetadataService $opMetadataService,
+        protected readonly Routes $routes,
+    ) {
+    }
+
+    public function __invoke(): JsonResponse
+    {
+        // We'll reuse OIDC configuration.
+        return $this->routes->newJsonResponse(
+            $this->opMetadataService->getMetadata(),
+        );
+
+        // TODO mivanci Add ability for claim 'signed_metadata' when moving to simplesamlphp/openid, as per
+        // https://www.rfc-editor.org/rfc/rfc8414.html#section-2.1
+    }
+}
diff --git a/src/Controllers/VerifiableCredentials/CredentialIssuerConfigurationController.php b/src/Controllers/VerifiableCredentials/CredentialIssuerConfigurationController.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Controllers\VerifiableCredentials;
+
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use Symfony\Component\HttpFoundation\Response;
+
+class CredentialIssuerConfigurationController
+{
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly Routes $routes,
+    ) {
+    }
+
+    public function configuration(): Response
+    {
+        $configuration = [
+            ClaimsEnum::CredentialIssuer->value => $this->moduleConfig->getIssuer(),
+        ];
+
+        return $this->routes->newJsonResponse($configuration);
+    }
+}
