WIP

Author: cicnavi

routing/routes/routes.php

@@ -10,7 +10,8 @@
 use SimpleSAML\Module\oidc\Controllers\AccessTokenController;
 use SimpleSAML\Module\oidc\Controllers\Admin\ClientController;
 use SimpleSAML\Module\oidc\Controllers\Admin\ConfigController;
-use SimpleSAML\Module\oidc\Controllers\Admin\TestController;
+use SimpleSAML\Module\oidc\Controllers\Admin\FederationTestController;
+use SimpleSAML\Module\oidc\Controllers\Admin\VerifiableCredentailsTestController;
 use SimpleSAML\Module\oidc\Controllers\AuthorizationController;
 use SimpleSAML\Module\oidc\Controllers\ConfigurationDiscoveryController;
 use SimpleSAML\Module\oidc\Controllers\EndSessionController;
@@ -66,11 +67,16 @@
     // Testing
 
     $routes->add(RoutesEnum::AdminTestTrustChainResolution->name, RoutesEnum::AdminTestTrustChainResolution->value)
-        ->controller([TestController::class, 'trustChainResolution'])
+        ->controller([FederationTestController::class, 'trustChainResolution'])
         ->methods([HttpMethodsEnum::GET->value, HttpMethodsEnum::POST->value]);
     $routes->add(RoutesEnum::AdminTestTrustMarkValidation->name, RoutesEnum::AdminTestTrustMarkValidation->value)
-        ->controller([TestController::class, 'trustMarkValidation'])
+        ->controller([FederationTestController::class, 'trustMarkValidation'])
         ->methods([HttpMethodsEnum::GET->value, HttpMethodsEnum::POST->value]);
+    $routes->add(
+        RoutesEnum::AdminTestVerifiableCredentialIssuance->name,
+        RoutesEnum::AdminTestVerifiableCredentialIssuance->value,
+    )->controller([VerifiableCredentailsTestController::class, 'verifiableCredentialIssuance'])
+    ->methods([HttpMethodsEnum::GET->value, HttpMethodsEnum::POST->value]);
 
     /*****************************************************************************************************************
      * OpenID Connect

routing/services/services.yml

@@ -60,6 +60,9 @@ services:
     factory: ['@SimpleSAML\Module\oidc\Factories\Grant\ImplicitGrantFactory', 'build']
   SimpleSAML\Module\oidc\Server\Grants\RefreshTokenGrant:
     factory: ['@SimpleSAML\Module\oidc\Factories\Grant\RefreshTokenGrantFactory', 'build']
+  SimpleSAML\Module\oidc\Server\Grants\PreAuthCodeGrant:
+    factory: ['@SimpleSAML\Module\oidc\Factories\Grant\PreAuthCodeGrantFactory', 'build']
+
   # Responses
   SimpleSAML\Module\oidc\Server\ResponseTypes\IdTokenResponse:
     factory: ['@SimpleSAML\Module\oidc\Factories\IdTokenResponseFactory', 'build']
@@ -125,6 +128,8 @@ services:
     factory: [ '@SimpleSAML\Module\oidc\Factories\CoreFactory', 'build' ]
   SimpleSAML\OpenID\Federation:
     factory: [ '@SimpleSAML\Module\oidc\Factories\FederationFactory', 'build' ]
+  SimpleSAML\OpenID\VerifiableCredentials:
+    factory: [ '@SimpleSAML\Module\oidc\Factories\VerifiableCredentialsFactory', 'build' ]
   SimpleSAML\OpenID\Jwks:
     factory: [ '@SimpleSAML\Module\oidc\Factories\JwksFactory', 'build' ]
   SimpleSAML\OpenID\Jwk: ~

src/Codebooks/ParametersEnum.php

@@ -7,4 +7,6 @@
 enum ParametersEnum: string
 {
     case ClientId = 'client_id';
+    case CredentialOffer = 'credential_offer';
+    case CredentialOfferUri = 'credential_offer_uri';
 }

src/Codebooks/RoutesEnum.php

@@ -28,6 +28,7 @@ enum RoutesEnum: string
     // Testing
     case AdminTestTrustChainResolution = 'admin/test/trust-chain-resolution';
     case AdminTestTrustMarkValidation = 'admin/test/trust-mark-validation';
+    case AdminTestVerifiableCredentialIssuance = 'admin/test/verifiable-credential-issuance';
 
 
     /*****************************************************************************************************************

src/Controllers/Admin/TestController.php renamed to src/Controllers/Admin/FederationTestController.php

@@ -17,7 +17,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
-class TestController
+class FederationTestController
 {
     protected readonly Federation $federationWithArrayLogger;
 

src/Controllers/Admin/VerifiableCredentailsTestController.php

@@ -0,0 +1,145 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Controllers\Admin;
+
+use SimpleSAML\Module\oidc\Admin\Authorization;
+use SimpleSAML\Module\oidc\Codebooks\ParametersEnum;
+use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
+use SimpleSAML\Module\oidc\Entities\ScopeEntity;
+use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
+use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
+use SimpleSAML\Module\oidc\Factories\TemplateFactory;
+use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
+use SimpleSAML\Module\oidc\Repositories\ClientRepository;
+use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Utils\Debug\ArrayLogger;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\GrantTypesEnum;
+use SimpleSAML\OpenID\Federation;
+use SimpleSAML\OpenID\VerifiableCredentials;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class VerifiableCredentailsTestController
+{
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly TemplateFactory $templateFactory,
+        protected readonly Authorization $authorization,
+        protected readonly VerifiableCredentials $verifiableCredentials,
+        protected readonly AuthCodeRepository $authCodeRepository,
+        protected readonly AuthCodeEntityFactory $authCodeEntityFactory,
+        protected readonly ClientRepository $clientRepository,
+        protected readonly ClientEntityFactory $clientEntityFactory,
+        protected readonly Federation $federation,
+        protected readonly Helpers $helpers,
+        protected readonly LoggerService $loggerService,
+    ) {
+        $this->authorization->requireAdmin(true);
+    }
+
+    /**
+     * @throws \SimpleSAML\Error\ConfigurationError
+     * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
+     * @throws \SimpleSAML\OpenID\Exceptions\CredentialOfferException
+     */
+    public function verifiableCredentialIssuance(Request $request): Response
+    {
+        $sampleData = [
+            'eduPersonPrincipalName' => '[email protected]',
+            'eduPersonTargetedID' => 'abc123',
+            'displayName' => 'Test User',
+            'givenName' => 'Test',
+            'sn' => 'User',
+            'mail' => '[email protected]',
+            'eduPersonScopedAffiliation' => '[email protected]',
+        ];
+
+        $this->loggerService->info('test', $sampleData);;
+
+        // TODO mivanci Wallet (client) credential_offer_endpoint metadata
+        // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#client-metadata
+
+        $clientId = '1234567890';
+        $clientSecret = '1234567890';
+
+        if (($client = $this->clientRepository->findById($clientId)) === null) {
+            $client = $this->clientEntityFactory->fromData(
+                id: $clientId,
+                secret: $clientSecret,
+                name: 'VCI Test Client',
+                description: 'Test client for VCI',
+                redirectUri: ['https://example.com/oidc/callback'],
+                scopes: ['openid', 'ResearchAndScholarshipCredentialJwtVcJson'],
+                isEnabled: true,
+            );
+
+            $this->clientRepository->add($client);
+            ;
+        }
+
+        $authCodeId = '1234567890';
+
+        // TODO mivanci Add indication of preauthz code to the auth code table.
+
+        if (($authCode = $this->authCodeRepository->findById($authCodeId)) === null) {
+            $authCode = $this->authCodeEntityFactory->fromData(
+                id: $authCodeId,
+                client: $client,
+                scopes: [
+                    new ScopeEntity('openid'),
+                    new ScopeEntity('ResearchAndScholarshipCredentialJwtVcJson'),
+                ],
+                expiryDateTime: new \DateTimeImmutable('+1 month'),
+                userIdentifier: 'testuid',
+                redirectUri: 'https://example.com/oidc/callback',
+                nonce: '1234567890',
+            );
+
+            $this->authCodeRepository->persistNewAuthCode($authCode);
+        }
+
+
+        $credentialOffer = $this->verifiableCredentials->credentialOfferFactory()->from(
+            parameters: [
+                ClaimsEnum::CredentialIssuer->value => $this->moduleConfig->getIssuer(),
+                ClaimsEnum::CredentialConfigurationIds->value => [
+                    'ResearchAndScholarshipCredentialJwtVcJson',
+                ],
+                ClaimsEnum::Grants->value => [
+                    GrantTypesEnum::PreAuthorizedCode->value => [
+                        ClaimsEnum::PreAuthorizedCode->value => $authCode->getIdentifier(),
+                        // TODO mivanci support for TxCode
+            //                        ClaimsEnum::TxCode->value => [
+            //                            ClaimsEnum::InputMode->value => 'numeric',
+            //                            ClaimsEnum::Length->value => 6,
+            //                            ClaimsEnum::Description->value => 'Sent to user mail',
+            //                        ],
+                    ],
+                ],
+            ],
+        );
+
+        $credentialOfferValue = $credentialOffer->jsonSerialize();
+        $parameterName = ParametersEnum::CredentialOfferUri->value;
+        if (is_array($credentialOfferValue)) {
+            $parameterName = ParametersEnum::CredentialOffer->value;
+            $credentialOfferValue = json_encode($credentialOfferValue);
+        }
+
+        $credentialOfferUri = "openid-credential-offer://?$parameterName=$credentialOfferValue";
+
+        // https://quickchart.io/documentation/qr-codes/
+        $qrUri = 'https://quickchart.io/qr?size=200&margin=1&text=' . urlencode($credentialOfferUri);
+
+        return $this->templateFactory->build(
+            'oidc:tests/verifiable-credential-issuance.twig',
+            compact('qrUri', 'sampleData', 'credentialOfferUri'),
+            RoutesEnum::AdminTestVerifiableCredentialIssuance->value,
+        );
+    }
+}

src/Factories/AuthorizationServerFactory.php

@@ -24,6 +24,7 @@
 use SimpleSAML\Module\oidc\Server\AuthorizationServer;
 use SimpleSAML\Module\oidc\Server\Grants\AuthCodeGrant;
 use SimpleSAML\Module\oidc\Server\Grants\ImplicitGrant;
+use SimpleSAML\Module\oidc\Server\Grants\PreAuthCodeGrant;
 use SimpleSAML\Module\oidc\Server\Grants\RefreshTokenGrant;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\ResponseTypes\IdTokenResponse;
@@ -41,6 +42,7 @@ public function __construct(
         private readonly IdTokenResponse $idTokenResponse,
         private readonly RequestRulesManager $requestRulesManager,
         private readonly CryptKey $privateKey,
+        private readonly PreAuthCodeGrant $preAuthCodeGrant,
     ) {
     }
 
@@ -71,6 +73,12 @@ public function build(): AuthorizationServer
             $this->moduleConfig->getAccessTokenDuration(),
         );
 
+        // TODO mivanci Only enable if VCI is enabled.
+        $authorizationServer->enableGrantType(
+            $this->preAuthCodeGrant,
+            $this->moduleConfig->getAccessTokenDuration(),
+        );
+
         return $authorizationServer;
     }
 }

src/Factories/Grant/AuthCodeGrantFactory.php

@@ -26,6 +26,7 @@
 use SimpleSAML\Module\oidc\Server\Grants\AuthCodeGrant;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\TokenIssuers\RefreshTokenIssuer;
+use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 
 class AuthCodeGrantFactory
@@ -41,6 +42,7 @@ public function __construct(
         private readonly AuthCodeEntityFactory $authCodeEntityFactory,
         private readonly RefreshTokenIssuer $refreshTokenIssuer,
         private readonly Helpers $helpers,
+        private readonly LoggerService $loggerService,
     ) {
     }
 
@@ -60,6 +62,7 @@ public function build(): AuthCodeGrant
             $this->authCodeEntityFactory,
             $this->refreshTokenIssuer,
             $this->helpers,
+            $this->loggerService
         );
         $authCodeGrant->setRefreshTokenTTL($this->moduleConfig->getRefreshTokenDuration());
 

src/Factories/Grant/PreAuthCodeGrantFactory.php

@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the simplesamlphp-module-oidc.
+ *
+ * Copyright (C) 2018 by the Spanish Research and Academic Network.
+ *
+ * This code was developed by Universidad de Córdoba (UCO https://www.uco.es)
+ * for the RedIRIS SIR service (SIR: http://www.rediris.es/sir)
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace SimpleSAML\Module\oidc\Factories\Grant;
+
+use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
+use SimpleSAML\Module\oidc\Factories\Entities\AuthCodeEntityFactory;
+use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
+use SimpleSAML\Module\oidc\Repositories\AuthCodeRepository;
+use SimpleSAML\Module\oidc\Repositories\RefreshTokenRepository;
+use SimpleSAML\Module\oidc\Server\Grants\AuthCodeGrant;
+use SimpleSAML\Module\oidc\Server\Grants\PreAuthCodeGrant;
+use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
+use SimpleSAML\Module\oidc\Server\TokenIssuers\RefreshTokenIssuer;
+use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
+
+class PreAuthCodeGrantFactory
+{
+    public function __construct(
+        private readonly ModuleConfig $moduleConfig,
+        private readonly AuthCodeRepository $authCodeRepository,
+        private readonly AccessTokenRepository $accessTokenRepository,
+        private readonly RefreshTokenRepository $refreshTokenRepository,
+        private readonly RequestRulesManager $requestRulesManager,
+        private readonly RequestParamsResolver $requestParamsResolver,
+        private readonly AccessTokenEntityFactory $accessTokenEntityFactory,
+        private readonly AuthCodeEntityFactory $authCodeEntityFactory,
+        private readonly RefreshTokenIssuer $refreshTokenIssuer,
+        private readonly Helpers $helpers,
+        private readonly LoggerService $loggerService,
+    ) {
+    }
+
+    /**
+     * @throws \Exception
+     */
+    public function build(): PreAuthCodeGrant
+    {
+        $preAuthCodeGrant = new PreAuthCodeGrant(
+            $this->authCodeRepository,
+            $this->accessTokenRepository,
+            $this->refreshTokenRepository,
+            $this->moduleConfig->getAuthCodeDuration(),
+            $this->requestRulesManager,
+            $this->requestParamsResolver,
+            $this->accessTokenEntityFactory,
+            $this->authCodeEntityFactory,
+            $this->refreshTokenIssuer,
+            $this->helpers,
+            $this->loggerService
+        );
+        $preAuthCodeGrant->setRefreshTokenTTL($this->moduleConfig->getRefreshTokenDuration());
+
+        return $preAuthCodeGrant;
+    }
+}

src/Factories/TemplateFactory.php

@@ -148,6 +148,13 @@ protected function includeDefaultMenuItems(): void
                 Translate::noop('Verifiable Credential Settings'),
             ),
         );
+
+        $this->oidcMenu->addItem(
+            $this->oidcMenu->buildItem(
+                $this->moduleConfig->getModuleUrl(RoutesEnum::AdminTestVerifiableCredentialIssuance->value),
+                Translate::noop('Test Verifiable Credential Issuance'),
+            ),
+        );
     }
 
     public function setShowMenu(bool $showMenu): TemplateFactory