Resolve some TODOs

README.md

@@ -25,6 +25,7 @@ configuration.
 
 Currently, the following OIDF features are supported:
 * automatic client registration using a Request Object (passing it by value)
+* federation participation limiting based on Trust Marks
 * endpoint for issuing configuration entity statement (statement about itself)
 * fetch endpoint for issuing statements about subordinates (registered clients)
 

UPGRADE.md

@@ -10,10 +10,11 @@
 - Key rollover support - you can now define additional (new) private / public key pair which will be published on 
 relevant JWKS endpoint or contained in JWKS property. In this way, you can "announce" new public key which can then
 be fetched by RPs, and do the switch between "old" and "new" key pair when you find appropriate.
-- OpenID capabilities
-  - New federation endpoints:
-    - endpoint for issuing configuration entity statement (statement about itself)
-    - fetch endpoint for issuing statements about subordinates (registered clients)
+- OpenID Federation capabilities:
+  - Automatic client registration using a Request Object (passing it by value)
+  - Federation participation limiting based on Trust Marks
+  - Endpoint for issuing configuration entity statement (statement about itself)
+  - Fetch endpoint for issuing statements about subordinates (registered clients)
   - Clients can now be configured with new properties:
     - Entity Identifier
     - Supported OpenID Federation Registration Types

composer.json

@@ -31,7 +31,7 @@
         "psr/container": "^2.0",
         "psr/log": "^3",
         "simplesamlphp/composer-module-installer": "^1.3",
-        "simplesamlphp/openid": "dev-master",
+        "simplesamlphp/openid": "^0",
         "spomky-labs/base64url": "^2.0",
         "symfony/expression-language": "^6.3",
         "symfony/psr-http-message-bridge": "^7.1",

rector.php

@@ -16,7 +16,7 @@
     ]);
 
     $rectorConfig->paths([
-        // TODO mivanci also go trough commented out paths...
+        // TODO v7 mivanci also go trough commented out paths...
         //__DIR__ . '/docker',
         //__DIR__ . '/hooks',
         //__DIR__ . '/public',

routing/routes/routes.php

@@ -96,8 +96,4 @@
     $routes->add(RoutesEnum::FederationFetch->name, RoutesEnum::FederationFetch->value)
         ->controller([EntityStatementController::class, 'fetch'])
         ->methods([HttpMethodsEnum::GET->value]);
-
-    // TODO mivanci delete
-    $routes->add('test', 'test')
-        ->controller(\SimpleSAML\Module\oidc\Controllers\Federation\Test::class);
 };

src/Bridges/SspBridge/Utils.php

@@ -4,6 +4,7 @@
 
 namespace SimpleSAML\Module\oidc\Bridges\SspBridge;
 
+use SimpleSAML\Utils\Attributes;
 use SimpleSAML\Utils\Auth;
 use SimpleSAML\Utils\Config;
 use SimpleSAML\Utils\HTTP;
@@ -15,6 +16,7 @@ class Utils
     protected static ?HTTP $http = null;
     protected static ?Random $random = null;
     protected static ?Auth $auth = null;
+    protected static ?Attributes $attributes = null;
 
     public function config(): Config
     {
@@ -35,4 +37,9 @@ public function auth(): Auth
     {
         return self::$auth ??= new Auth();
     }
+
+    public function attributes(): Attributes
+    {
+        return self::$attributes ??= new Attributes();
+    }
 }

src/Controllers/Admin/ClientController.php

@@ -299,7 +299,7 @@ public function edit(Request $request): Response
     }
 
     /**
-     * TODO mivanci Move to ClientEntityFactory::fromRegistrationData on dynamic client registration implementation.
+     * TODO v7 mivanci Move to ClientEntityFactory::fromRegistrationData on dynamic client registration implementation.
      * @throws \SimpleSAML\Module\oidc\Exceptions\OidcException
      */
     protected function buildClientEntityFromFormData(

src/Controllers/EndSessionController.php

@@ -41,7 +41,7 @@ public function __construct(
      */
     public function __invoke(ServerRequestInterface $request): Response
     {
-        // TODO Back-Channel Logout: https://openid.net/specs/openid-connect-backchannel-1_0.html
+        // TODO v7 Back-Channel Logout: https://openid.net/specs/openid-connect-backchannel-1_0.html
         //      [] Refresh tokens issued without the offline_access property to a session being logged out SHOULD
         //           be revoked. Refresh tokens issued with the offline_access property normally SHOULD NOT be revoked.
         //      - offline_access scope is now handled.
@@ -147,7 +147,7 @@ public static function logoutHandler(): void
         $sessionLogoutTickets = $sessionLogoutTicketStore->getAll();
 
         if (!empty($sessionLogoutTickets)) {
-            // TODO low mivanci This could brake since interface does not mandate type. Move to strong typing.
+            // TODO v7 low mivanci This could brake since interface does not mandate type. Move to strong typing.
             /** @var array $sessionLogoutTicket */
             foreach ($sessionLogoutTickets as $sessionLogoutTicket) {
                 $sid = (string)$sessionLogoutTicket['sid'];

src/Controllers/Federation/EntityStatementController.php

@@ -95,7 +95,7 @@ public function configuration(): Response
                         )),
                         ClaimsEnum::FederationFetchEndpoint->value =>
                             $this->moduleConfig->getModuleUrl(RoutesEnum::FederationFetch->value),
-                        // TODO mivanci Add when ready. Use ClaimsEnum for keys.
+                        // TODO v7 mivanci Add when ready. Use ClaimsEnum for keys.
                         // https://openid.net/specs/openid-federation-1_0.html#name-federation-entity
                         //'federation_list_endpoint',
                         //'federation_resolve_endpoint',
@@ -149,7 +149,7 @@ public function configuration(): Response
             $builder = $builder->withClaim(ClaimsEnum::TrustMarks->value, $trustMarks);
         }
 
-        // TODO mivanci Continue
+        // TODO v7 mivanci Continue
         // Remaining claims, add if / when ready.
         // * crit
 
@@ -235,14 +235,14 @@ public function fetch(Request $request): Response
                                 ClaimsEnum::PostLogoutRedirectUris->value => $client->getPostLogoutRedirectUri(),
                             ],
                         )),
-                        // TODO mivanci Continue
+                        // TODO v7 mivanci Continue
                         // https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
                         // https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata
                     ],
                 ],
             );
 
-        // TODO mivanci Continue
+        // TODO v7 mivanci Continue
         // Note: claims which can be present in subordinate statements:
         // * metadata_policy
         // * constraints

src/Factories/FormFactory.php

@@ -18,13 +18,19 @@
 
 use Nette\Forms\Form;
 use SimpleSAML\Error\Exception;
+use SimpleSAML\Module\oidc\Bridges\SspBridge;
 use SimpleSAML\Module\oidc\Forms\Controls\CsrfProtection;
+use SimpleSAML\Module\oidc\Helpers;
 use SimpleSAML\Module\oidc\ModuleConfig;
 
 class FormFactory
 {
-    public function __construct(private readonly ModuleConfig $moduleConfig, protected CsrfProtection $csrfProtection)
-    {
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly CsrfProtection $csrfProtection,
+        protected readonly SspBridge $sspBridge,
+        protected readonly Helpers $helpers,
+    ) {
     }
 
     /**
@@ -39,6 +45,11 @@ public function build(string $classname): Form
         }
 
         /** @psalm-suppress UnsafeInstantiation */
-        return new $classname($this->moduleConfig, $this->csrfProtection);
+        return new $classname(
+            $this->moduleConfig,
+            $this->csrfProtection,
+            $this->sspBridge,
+            $this->helpers,
+        );
     }
 }