WIP

Author: cicnavi

config/module_oidc.php.dist

@@ -20,6 +20,7 @@ declare(strict_types=1);
  * For the full copyright and license information, please view the LICENSE
  * file that was distributed with this source code.
  */
+
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\CredentialFormatIdentifiersEnum;
@@ -788,4 +789,24 @@ $config = [
             ['eduPersonScopedAffiliation' => ['eduPersonScopedAffiliation']],
         ],
     ],
+
+    /**
+     * (optional) API-related options.
+     */
+
+    // (optional) Enable or disable API capabilities. Default is disabled (false).
+    ModuleConfig::OPTION_API_ENABLED => false,
+
+    /**
+     * List of API tokens which can be used to access API endpoints based on given scopes.
+     *
+     * The format is: ['token' => [ApiScopesEnum]]
+     */
+    ModuleConfig::OPTION_API_TOKENS => [
+//        'strong-random-token-string' => [
+//            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::All, // Gives access to the whole API.
+//            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::VciAll, // Gives access to all VCI-related endpoints.
+//            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::VciCredentialOffer, // Gives access to the credential offer endpoint.
+//        ],
+    ],
 ];

routing/routes/routes.php

@@ -12,6 +12,7 @@
 use SimpleSAML\Module\oidc\Controllers\Admin\ConfigController;
 use SimpleSAML\Module\oidc\Controllers\Admin\FederationTestController;
 use SimpleSAML\Module\oidc\Controllers\Admin\VerifiableCredentailsTestController;
+use SimpleSAML\Module\oidc\Controllers\Api\VciCredentialOfferController;
 use SimpleSAML\Module\oidc\Controllers\AuthorizationController;
 use SimpleSAML\Module\oidc\Controllers\ConfigurationDiscoveryController;
 use SimpleSAML\Module\oidc\Controllers\EndSessionController;
@@ -140,4 +141,12 @@
     $routes->add(RoutesEnum::JwtVcIssuerConfiguration->name, RoutesEnum::JwtVcIssuerConfiguration->value)
         ->controller([JwtVcIssuerConfigurationController::class, 'configuration'])
         ->methods([HttpMethodsEnum::GET->value]);
+
+    /*****************************************************************************************************************
+     * API
+     ****************************************************************************************************************/
+
+    $routes->add(RoutesEnum::ApiVciCredentialOffer->name, RoutesEnum::ApiVciCredentialOffer->value)
+        ->controller([VciCredentialOfferController::class, 'credentialOffer'])
+        ->methods([HttpMethodsEnum::POST->value]);
 };

src/Codebooks/ApiScopesEnum.php

@@ -0,0 +1,14 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Codebooks;
+
+enum ApiScopesEnum: string
+{
+    case All = 'all'; // Gives access to the whole API.
+
+    // Verifiable Credential Issuance related scopes.
+    case VciAll = 'vci_all'; // Gives access to all VCI-related endpoints.
+    case VciCredentialOffer = 'vci_credential_offer'; // Gives access to the credential offer endpoint.
+}

src/Codebooks/RoutesEnum.php

@@ -69,4 +69,10 @@ enum RoutesEnum: string
      ****************************************************************************************************************/
 
     case JwtVcIssuerConfiguration = '.well-known/jwt-vc-issuer';
+
+    /*****************************************************************************************************************
+     * API
+     ****************************************************************************************************************/
+
+    case ApiVciCredentialOffer = 'api/vci/credential-offer';
 }

src/Controllers/Admin/VerifiableCredentailsTestController.php

@@ -175,25 +175,10 @@ public function verifiableCredentialIssuance(Request $request): Response
             // TODO mivanci Wallet (client) credential_offer_endpoint metadata
             // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#client-metadata
 
-            // TODO mivanci Implement API and API clients hanlding, together with API client to OIDC client binding.
-            $clientId = '1234567890';
             $clientSecret = '1234567890';
 
-            $client = $this->clientEntityFactory->fromData(
-                id: $clientId,
-                secret: $clientSecret,
-                name: 'VCI Pre-authorized Code Test Client',
-                description: 'Test client for VCI Pre-authorized Code',
-                redirectUri: ['https://example.com/oidc/callback'],
-                scopes: ['openid', ...$credentialConfigurationIdsSupported], // Test Client so will have
-                isEnabled: true,
-            );
 
-            if ($this->clientRepository->findById($clientId) === null) {
-                $this->clientRepository->add($client);
-            } else {
-                $this->clientRepository->update($client);
-            }
+            $client = $this->clientEntityFactory->getGenericForVciPreAuthZFlow();
 
             // TODO mivanci Randomly generate auth code.
             $authCodeId = '1234567890';

src/Controllers/Api/VciCredentialOfferController.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Controllers\Api;
+
+use SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum;
+use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
+use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Services\Api\Authorization;
+use SimpleSAML\OpenID\VerifiableCredentials;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class VciCredentialOfferController
+{
+    /**
+     * @throws OidcServerException
+     */
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly Authorization $authorization,
+        protected readonly VerifiableCredentials $verifiableCredentials,
+        protected readonly ClientEntityFactory $clientEntityFactory,
+    ) {
+        if (!$this->moduleConfig->getApiEnabled()) {
+            throw OidcServerException::forbidden('API capabilities not enabled.');
+        }
+    }
+
+    /**
+     * @throws AuthorizationException
+     */
+    public function credentialOffer(Request $request): Response
+    {
+        $this->authorization->requireTokenForAnyOfScope(
+            $request,
+            [ApiScopesEnum::VciCredentialOffer, ApiScopesEnum::VciAll, ApiScopesEnum::All],
+        );
+
+        $input = $request->getPayload()->all();
+
+        // Currently, we need a dedicated client for which the PreAuthZed code will be bound to.
+        // TODO mivanci: Remove requirement for dedicated client for authorization codes.
+        $client = $this->clientEntityFactory->getGenericForVciPreAuthZFlow();
+
+        dd($this->verifiableCredentials->helpers()->arr()->hybridSort($input['user_attributes']));
+
+        return new JsonResponse(['ok']);
+    }
+}

src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php

@@ -260,8 +260,8 @@ public function credential(Request $request): Response
             // Normalize to string for single array values.
             $attributeValue = is_array($userAttributes[$userAttributeName]) &&
             count($userAttributes[$userAttributeName]) === 1 ?
-                reset($userAttributes[$userAttributeName]) :
-                $userAttributes[$userAttributeName];
+            reset($userAttributes[$userAttributeName]) :
+            $userAttributes[$userAttributeName];
 
             if ($credentialFormatId === CredentialFormatIdentifiersEnum::JwtVcJson->value) {
                 $this->verifiableCredentials->helpers()->arr()->setNestedValue(

src/Factories/Entities/ClientEntityFactory.php

@@ -11,6 +11,8 @@
 use SimpleSAML\Module\oidc\Entities\ClientEntity;
 use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Repositories\ClientRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
@@ -29,6 +31,8 @@ public function __construct(
         private readonly Helpers $helpers,
         private readonly ClaimTranslatorExtractor $claimTranslatorExtractor,
         private readonly RequestParamsResolver $requestParamsResolver,
+        private readonly ModuleConfig $moduleConfig,
+        private readonly ClientRepository $clientRepository,
     ) {
     }
 
@@ -380,4 +384,41 @@ public function fromState(array $state): ClientEntityInterface
             $isFederated,
         );
     }
+
+    public function getGenericForVciPreAuthZFlow(): ClientEntityInterface
+    {
+        $clientId = 'vci_' .
+            hash('sha256', 'vci_'  . $this->moduleConfig->sspConfig()->getString('secretsalt'));
+
+        $clientSecret = $this->helpers->random()->getIdentifier();
+
+        $credentialConfigurationIdsSupported = $this->moduleConfig->getCredentialConfigurationIdsSupported();
+
+        $oldClient = $this->clientRepository->findById($clientId);
+        $createdAt = $this->helpers->dateTime()->getUtc();
+
+        if ($oldClient instanceof ClientEntityInterface) {
+            $createdAt = $oldClient->getCreatedAt();
+        }
+
+        $client = $this->fromData(
+            id: $clientId,
+            secret: $clientSecret,
+            name: 'VCI Pre-authorized Code Generic Client',
+            description: 'Generic client for VCI Pre-authorized Code',
+            redirectUri: ['openid-credential-offer://'],
+            scopes: ['openid', ...$credentialConfigurationIdsSupported],
+            isEnabled: true,
+            updatedAt: $this->helpers->dateTime()->getUtc(),
+            createdAt: $createdAt,
+        );
+
+        if ($oldClient === null) {
+            $this->clientRepository->add($client);
+        } else {
+            $this->clientRepository->update($client);
+        }
+
+        return $client;
+    }
 }

src/ModuleConfig.php

@@ -103,6 +103,8 @@ class ModuleConfig
     final public const OPTION_CREDENTIAL_CONFIGURATIONS_SUPPORTED = 'credential_configurations_supported';
     final public const OPTION_USER_ATTRIBUTE_TO_CREDENTIAL_CLAIM_PATH_MAP =
     'user_attribute_to_credential_claim_path_map';
+    final public const OPTION_API_ENABLED = 'api_enabled';
+    final public const OPTION_API_TOKENS = 'api_tokens';
 
     protected static array $standardScopes = [
         ScopesEnum::OpenId->value => [
@@ -931,4 +933,38 @@ public function getUserAttributeToCredentialClaimPathMapFor(string $credentialCo
     {
         return $this->getUserAttributeToCredentialClaimPathMap()[$credentialConfigurationId] ?? [];
     }
+
+
+
+    /*****************************************************************************************************************
+     * API-related config.
+     ****************************************************************************************************************/
+
+    public function getApiEnabled(): bool
+    {
+        return $this->config()->getOptionalBoolean(self::OPTION_API_ENABLED, false);
+    }
+
+    /**
+     * @return mixed[]|null
+     */
+    public function getApiTokens(): ?array
+    {
+        return $this->config()->getOptionalArray(self::OPTION_API_TOKENS, null);
+    }
+
+    /**
+     * @param string $token
+     * @return mixed[]
+     */
+    public function getApiTokenScopes(string $token): ?array
+    {
+        $tokenScopes = $this->getApiTokens()[$token] ?? null;
+
+        if (is_array($tokenScopes)) {
+            return $tokenScopes;
+        }
+
+        return null;
+    }
 }

src/Services/Api/Authorization.php

@@ -0,0 +1,97 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Services\Api;
+
+use SimpleSAML\Locale\Translate;
+use SimpleSAML\Module\oidc\Bridges\SspBridge;
+use SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum;
+use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use Symfony\Component\HttpFoundation\Request;
+use Throwable;
+
+class Authorization
+{
+    public const KEY_TOKEN = 'token';
+
+    public const KEY_AUTHORIZATION = 'Authorization';
+
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly SspBridge $sspBridge,
+    ) {
+    }
+
+
+    /**
+     * @throws AuthorizationException
+     */
+    public function requireSimpleSAMLphpAdmin(bool $forceAdminAuthentication = false): void
+    {
+        if ($forceAdminAuthentication) {
+            try {
+                $this->sspBridge->utils()->auth()->requireAdmin();
+            } catch (\Throwable $exception) {
+                throw new AuthorizationException(
+                    Translate::noop('Unable to initiate admin authentication.'),
+                    $exception->getCode(),
+                    $exception,
+                );
+            }
+        }
+
+        if (! $this->sspBridge->utils()->auth()->isAdmin()) {
+            throw new AuthorizationException(Translate::noop('SimpleSAMLphp Admin access required.'));
+        }
+    }
+
+    /**
+     * @param ApiScopesEnum[] $requiredScopes
+     *
+     * @throws AuthorizationException
+     */
+    public function requireTokenForAnyOfScope(Request $request, array $requiredScopes): void
+    {
+        try {
+            $this->requireSimpleSAMLphpAdmin();
+            return;
+        } catch (Throwable) {
+            // Not admin, check for token.
+        }
+
+        if (empty($token = $this->findToken($request))) {
+            throw new AuthorizationException(Translate::noop('Token not provided.'));
+        }
+
+        if (empty($tokenScopes = $this->moduleConfig->getApiTokenScopes($token))) {
+            throw new AuthorizationException(Translate::noop('Token does not have defined scopes.'));
+        }
+
+        $hasAny = !empty(array_filter($tokenScopes, fn($tokenScope) => in_array($tokenScope, $requiredScopes, true)));
+
+        if (!$hasAny) {
+            throw new AuthorizationException(Translate::noop('Token is not authorized.'));
+        }
+    }
+
+    protected function findToken(Request $request): ?string
+    {
+        if ($token = trim((string) $request->get(self::KEY_TOKEN))) {
+            return $token;
+        }
+
+        if ($request->headers->has(self::KEY_AUTHORIZATION)) {
+            return trim(
+                (string) preg_replace(
+                    '/^\s*Bearer\s/',
+                    '',
+                    (string)$request->headers->get(self::KEY_AUTHORIZATION),
+                ),
+            );
+        }
+
+        return null;
+    }
+}