Initial OpenID4VCI support (#322)

Initial OpenID4VCI support

Author: cicnavi

composer.json

@@ -31,7 +31,7 @@
         "psr/container": "^2.0",
         "psr/log": "^3",
         "simplesamlphp/composer-module-installer": "^1.3",
-        "simplesamlphp/openid": "~0.0.18",
+        "simplesamlphp/openid": "~0.1.0",
         "spomky-labs/base64url": "^2.0",
         "symfony/expression-language": "^6.3",
         "symfony/psr-http-message-bridge": "^7.1",

config/module_oidc.php.dist

@@ -1,6 +1,9 @@
 RewriteEngine On
 RewriteRule ^/.well-known/openid-configuration(.*) /${SSP_APACHE_ALIAS}module.php/oidc/.well-known/openid-configuration$1 [PT]
 RewriteRule ^/.well-known/openid-federation(.*) /${SSP_APACHE_ALIAS}module.php/oidc/.well-known/openid-federation$1 [PT]
+RewriteRule ^/.well-known/openid-credential-issuer(.*) /${SSP_APACHE_ALIAS}module.php/oidc/.well-known/openid-credential-issuer$1 [PT]
+RewriteRule ^/.well-known/oauth-authorization-server(.*) /${SSP_APACHE_ALIAS}module.php/oidc/.well-known/oauth-authorization-server$1 [PT]
+RewriteRule ^/.well-known/jwt-vc-issuer(.*) /${SSP_APACHE_ALIAS}module.php/oidc/.well-known/jwt-vc-issuer$1 [PT]
 
 # Leave Authorization header with Bearer tokens available in requests.
 # Solution 1:

docker/apache-override.cf

@@ -43,30 +43,36 @@ CREATE TABLE oidc_client (
             updated_at TIMESTAMP NULL DEFAULT NULL,
             created_at TIMESTAMP NULL DEFAULT NULL,
             expires_at TIMESTAMP NULL DEFAULT NULL,
-            is_federated BOOLEAN NOT NULL DEFAULT false
+            is_federated BOOLEAN NOT NULL DEFAULT false,
+            is_generic BOOLEAN NOT NULL DEFAULT false
 );
 -- Used 'httpd' host for back-channel logout url (https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout)
 -- since this is the hostname of conformance server while running in container environment
-INSERT INTO oidc_client VALUES('_55a99a1d298da921cb27d700d4604352e51171ebc4','_8967dd97d07cc59db7055e84ac00e79005157c1132','Conformance Client 1',replace('Client 1 for Conformance Testing  https://openid.net/certification/connect_op_testing/\n','\n',char(10)),'example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone","offline_access"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false);
-INSERT INTO oidc_client VALUES('_34efb61060172a11d62101bc804db789f8f9100b0e','_91a4607a1c10ba801268929b961b3f6c067ff82d21','Conformance Client 2','','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","offline_access"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false);
-INSERT INTO oidc_client VALUES('_0afb7d18e54b2de8205a93e38ca119e62ee321d031','_944e73bbeec7850d32b68f1b5c780562c955967e4e','Conformance Client 3','Client for client_secret_post','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false);
-INSERT INTO oidc_client VALUES('_8957eda35234902ba8343c0cdacac040310f17dfca','_322d16999f9da8b5abc9e9c0c08e853f60f4dc4804','RP-Initiated Logout Client','Client for testing RP-Initiated Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]',NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false);
-INSERT INTO oidc_client VALUES('_9fe2f7589ece1b71f5ef75a91847d71bc5125ec2a6','_3c0beb20194179c01d7796c6836f62801e9ed4b368','Back-Channel Logout Client','Client for testing Back-Channel Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false);
+INSERT INTO oidc_client VALUES('_55a99a1d298da921cb27d700d4604352e51171ebc4','_8967dd97d07cc59db7055e84ac00e79005157c1132','Conformance Client 1',replace('Client 1 for Conformance Testing  https://openid.net/certification/connect_op_testing/\n','\n',char(10)),'example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone","offline_access"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
+INSERT INTO oidc_client VALUES('_34efb61060172a11d62101bc804db789f8f9100b0e','_91a4607a1c10ba801268929b961b3f6c067ff82d21','Conformance Client 2','','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","offline_access"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
+INSERT INTO oidc_client VALUES('_0afb7d18e54b2de8205a93e38ca119e62ee321d031','_944e73bbeec7850d32b68f1b5c780562c955967e4e','Conformance Client 3','Client for client_secret_post','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
+INSERT INTO oidc_client VALUES('_8957eda35234902ba8343c0cdacac040310f17dfca','_322d16999f9da8b5abc9e9c0c08e853f60f4dc4804','RP-Initiated Logout Client','Client for testing RP-Initiated Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]',NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
+INSERT INTO oidc_client VALUES('_9fe2f7589ece1b71f5ef75a91847d71bc5125ec2a6','_3c0beb20194179c01d7796c6836f62801e9ed4b368','Back-Channel Logout Client','Client for testing Back-Channel Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
 CREATE TABLE oidc_access_token (
             id VARCHAR(191) PRIMARY KEY NOT NULL,
             scopes TEXT,
             expires_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-            user_id VARCHAR(191) NOT NULL,                          
+            user_id VARCHAR(191) NOT NULL,
             client_id VARCHAR(191) NOT NULL,
             is_revoked BOOLEAN NOT NULL DEFAULT false,
             auth_code_id varchar(191) DEFAULT NULL, requested_claims TEXT NULL,
-            CONSTRAINT FK_43C1650EA76ED395 FOREIGN KEY (user_id) 
-                REFERENCES oidc_user (id) ON DELETE CASCADE,                                 
-            CONSTRAINT FK_43C1650E19EB6921 FOREIGN KEY (client_id) 
-                REFERENCES oidc_client (id) ON DELETE CASCADE                                
+            flow_type CHAR(64) NULL,
+            authorization_details TEXT NULL,
+            bound_client_id TEXT NULL,
+            bound_redirect_uri TEXT NULL,
+            issuer_state TEXT NULL,
+            CONSTRAINT FK_43C1650EA76ED395 FOREIGN KEY (user_id)
+                REFERENCES oidc_user (id) ON DELETE CASCADE,
+            CONSTRAINT FK_43C1650E19EB6921 FOREIGN KEY (client_id)
+                REFERENCES oidc_client (id) ON DELETE CASCADE
         );
 CREATE TABLE oidc_refresh_token (
-            id VARCHAR(191) PRIMARY KEY NOT NULL,          
+            id VARCHAR(191) PRIMARY KEY NOT NULL,
             expires_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
             access_token_id VARCHAR(191) NOT NULL,
             is_revoked BOOLEAN NOT NULL DEFAULT false,
@@ -78,14 +84,20 @@ CREATE TABLE oidc_auth_code (
             id VARCHAR(191) PRIMARY KEY NOT NULL,
             scopes TEXT,
             expires_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-            user_id VARCHAR(191) NOT NULL,                          
+            user_id VARCHAR(191) NOT NULL,
             client_id VARCHAR(191) NOT NULL,
             is_revoked BOOLEAN NOT NULL DEFAULT false,
             redirect_uri TEXT NOT NULL, nonce TEXT NULL,
+            flow_type CHAR(64) DEFAULT NULL,
+            tx_code varchar(191) DEFAULT NULL,
+            authorization_details TEXT NULL,
+            bound_client_id TEXT NULL,
+            bound_redirect_uri TEXT NULL,
+            issuer_state TEXT NULL,
             CONSTRAINT FK_97D32CA7A76ED395 FOREIGN KEY (user_id)
-                REFERENCES oidc_user (id) ON DELETE CASCADE,                                 
+                REFERENCES oidc_user (id) ON DELETE CASCADE,
             CONSTRAINT FK_97D32CA719EB6921 FOREIGN KEY (client_id)
-                REFERENCES oidc_client (id) ON DELETE CASCADE                                            
+                REFERENCES oidc_client (id) ON DELETE CASCADE
         );
 CREATE TABLE oidc_allowed_origin (
             client_id varchar(191) NOT NULL,
@@ -98,4 +110,10 @@ CREATE TABLE oidc_session_logout_ticket (
            sid VARCHAR(191) NOT NULL,
            created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
 );
+CREATE TABLE oidc_vci_issuer_state (
+    value CHAR(64) PRIMARY KEY NOT NULL,
+    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    expires_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    is_revoked BOOLEAN NOT NULL DEFAULT false
+);
 COMMIT;

docker/conformance.sql

@@ -30,6 +30,26 @@ Currently supported OIDFed features:
 OIDFed is implemented using the
 [SimpleSAMLphp OpenID library](https://github.com/simplesamlphp/openid).
 
+## Note on OpenID for Verifiable Credential Issuance (OpenID4VCI) support
+
+OpenID4VCI support was done as per draft 15 of the specification and is in the
+experimental stage. You should NOT use it in production environments.
+
+Currently implemented OpenID4VCI features:
+
+- Grant types:
+  - Pre-authorized Code flow (new flow defined by the OpenID4VCI spec)
+  - Authorization Code flow
+- Credential formats:
+  - jwt_vc_json, using VCDM v1.1
+  - dc+sd-jwt (previously vc+sd-jwt) (SD-JWT VC)
+- Proof types:
+  - jwt
+- API for credential offer fetching
+
+OpenID4VCI is also implemented using the
+[SimpleSAMLphp OpenID library](https://github.com/simplesamlphp/openid).
+
 ## Version compatibility
 
 Minor versions listed show which SimpleSAMLphp versions were used during

docs/1-oidc.md

@@ -34,12 +34,14 @@ and ensure at least the following parameters are set:
 
 Note: SQLite, PostgreSQL, and MySQL are supported.
 
-## 4. Create RSA key pairs
+## 4. Create key pairs
 
 ID and Access tokens are signed JWTs. Create a public/private RSA key
 pair for OIDC protocol operations. If you plan to use OpenID Federation,
 create a separate key pair for federation operations.
 
+### RSA key pair generation
+
 Generate private keys without a passphrase:
 
 ```bash
@@ -73,6 +75,43 @@ openssl rsa -in cert/oidc_module_federation.key -passin pass:myPassPhrase -pubou
 If you use different file names or a passphrase, update
 `config/module_oidc.php` accordingly.
 
+### EC key pair generation
+
+If you prefer to use Elliptic Curve Cryptography (ECC) instead of RSA.
+
+Generate private keys without a passphrase:
+
+```bash
+openssl ecparam -name prime256v1 -genkey -noout -out cert/oidc_module.key
+openssl ecparam -name prime256v1 -genkey -noout -out cert/oidc_module_federation.key
+```
+
+Generate private keys with a passphrase:
+
+```bash
+openssl ecparam -genkey -name secp384r1 -noout -out cert/oidc_module.key -passout pass:myPassPhrase
+openssl ecparam -genkey -name secp384r1 -noout -out cert/oidc_module_federation.key -passout pass:myPassPhrase
+```
+
+Extract public keys:
+
+Without passphrase:
+
+```bash
+openssl ec -in cert/oidc_module.key -pubout -out cert/oidc_module.crt
+openssl ec -in cert/oidc_module_federation.key -pubout -out cert/oidc_module_federation.crt
+```
+
+With a passphrase:
+
+```bash
+openssl ec -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt
+openssl ec -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt
+```
+
+If you use different file names or a passphrase, update
+`config/module_oidc.php` accordingly.
+
 ## 5. Enable the module
 
 Edit `config/config.php` and enable `oidc`:

docs/2-oidc-installation.md

@@ -54,6 +54,12 @@ There you can see discovery URLs. Typical discovery endpoints are:
 [https://yourserver/simplesaml/module.php/oidc/.well-known/openid-configuration](https://yourserver/simplesaml/module.php/oidc/.well-known/openid-configuration)
 - OpenID Federation configuration:
 [https://yourserver/simplesaml/module.php/oidc/.well-known/openid-federation](https://yourserver/simplesaml/module.php/oidc/.well-known/openid-federation)
+- OpenID for Verifiable Credential Issuance configuration:
+[https://yourserver/simplesaml/module.php/oidc/.well-known/openid-credential-issuer](https://yourserver/simplesaml/module.php/oidc/.well-known/openid-credential-issuer)
+- OAuth2 Authorization Server configuration:
+[https://yourserver/simplesaml/module.php/oidc/.well-known/oauth-authorization-server](https://yourserver/simplesaml/module.php/oidc/.well-known/oauth-authorization-server)
+- JWT VC Issuer configuration:
+[https://yourserver/simplesaml/module.php/oidc/.well-known/jwt-vc-issuer](https://yourserver/simplesaml/module.php/oidc/.well-known/jwt-vc-issuer)
 
 You may publish these as ".well-known" URLs at the web root using your
 web server. For example, for `openid-configuration`:

docs/3-oidc-configuration.md

@@ -7,8 +7,14 @@ apply those relevant to your deployment.
 
 New features:
 
+- Initial support for OpenID for Verifiable Credential Issuance
+(OpenID4VCI). Note that the implementation is experimental. You should not use
+it in production yet. 
+
 New configuration options:
 
+- Several new options regarding support for OpenID4VCI.
+
 Major impact changes:
 
 - In v6 of the module, when defining custom scopes, there was a possibility to