feat: add .well-known/jwt-vc-issuer endpoint and fix RFC 8615 URL construction

Per draft-ietf-oauth-sd-jwt-vc-15 §5.3:
- Add /.well-known/jwt-vc-issuer endpoint to APIGW returning issuer
  metadata with jwks_uri pointing to /jwks
- Fix JWKSKeyResolver to construct jwt-vc-issuer well-known URL per
  RFC 8615 §3 (insert between host and path components, not append)
- Add buildWellKnownURL() utility for correct RFC 8615 construction:
  https://example.com/tenant → https://example.com/.well-known/jwt-vc-issuer/tenant

Author: leifj

internal/apigw/apiv1/handlers_oauth.go

@@ -288,6 +288,24 @@ func (c *Client) JWKS(ctx context.Context) (*JWKSResponse, error) {
 	return &JWKSResponse{Keys: keys}, nil
 }
 
+// JWTVCIssuerMetadataResponse represents JWT VC Issuer Metadata per SD-JWT VC §5.3.
+type JWTVCIssuerMetadataResponse struct {
+	Issuer  string `json:"issuer"`
+	JWKSURI string `json:"jwks_uri"`
+}
+
+// JWTVCIssuerMetadata returns the JWT VC Issuer Metadata per draft-ietf-oauth-sd-jwt-vc §5.3.
+// This metadata is served at /.well-known/jwt-vc-issuer and allows verifiers to discover
+// the issuer's JWKS endpoint.
+func (c *Client) JWTVCIssuerMetadata(ctx context.Context) (*JWTVCIssuerMetadataResponse, error) {
+	c.log.Debug("jwt-vc-issuer metadata request")
+
+	return &JWTVCIssuerMetadataResponse{
+		Issuer:  c.cfg.APIGW.PublicURL,
+		JWKSURI: c.cfg.APIGW.PublicURL + "/jwks",
+	}, nil
+}
+
 type OauthAuthorizationConsentRequest struct {
 	//AuthMethod string `json:"-"`
 	SessionID string `json:"-"`

internal/apigw/httpserver/api.go

@@ -49,6 +49,7 @@ type Apiv1 interface {
 	OAuthToken(ctx context.Context, req *openid4vci.TokenRequest) (*openid4vci.TokenResponse, error)
 	OAuthMetadata(ctx context.Context) (*oauth2.AuthorizationServerMetadata, error)
 	JWKS(ctx context.Context) (*apiv1.JWKSResponse, error)
+	JWTVCIssuerMetadata(ctx context.Context) (*apiv1.JWTVCIssuerMetadataResponse, error)
 
 	//Revoke(ctx context.Context, req *apiv1.RevokeRequest) (*apiv1.RevokeReply, error)
 

internal/apigw/httpserver/endpoints_oauth.go

@@ -139,6 +139,20 @@ func (s *Service) endpointJWKS(ctx context.Context, c *gin.Context) (any, error)
 	return reply, nil
 }
 
+func (s *Service) endpointJWTVCIssuerMetadata(ctx context.Context, c *gin.Context) (any, error) {
+	ctx, span := s.tracer.Start(ctx, "httpserver:endpointJWTVCIssuerMetadata")
+	defer span.End()
+
+	reply, err := s.apiv1.JWTVCIssuerMetadata(ctx)
+	if err != nil {
+		span.SetStatus(codes.Error, err.Error())
+		return nil, err
+	}
+
+	c.SetAccepted("application/json")
+	return reply, nil
+}
+
 func (s *Service) endpointOAuthAuthorizationConsent(ctx context.Context, c *gin.Context) (any, error) {
 	s.log.Debug("endpointOAuthAuthorizationConsent", "c.Request.URL", c.Request.URL.String(), "headers", c.Request.Header)
 	_, span := s.tracer.Start(ctx, "httpserver:endpointAuthorizationConsent")

internal/apigw/httpserver/service.go

@@ -39,7 +39,7 @@ type Service struct {
 	sessionsEncKey  string
 	sessionsAuthKey string
 	sessionsName    string
-	samlSPService     SAMLSPService
+	samlSPService   SAMLSPService
 	oidcrpService   OIDCRPService
 }
 
@@ -54,10 +54,10 @@ func New(ctx context.Context, cfg *model.Cfg, apiv1 *apiv1.Client, tracer *trace
 		server: &http.Server{
 			ReadHeaderTimeout: 3 * time.Second,
 		},
-		eventPublisher:  eventPublisher,
-		samlSPService:     samlSPService,
-		oidcrpService:   oidcrpService,
-		sessionsName:    "oauth_user_session",
+		eventPublisher: eventPublisher,
+		samlSPService:  samlSPService,
+		oidcrpService:  oidcrpService,
+		sessionsName:   "oauth_user_session",
 		sessionsOptions: sessions.Options{
 			Path:     "/",
 			Domain:   "",
@@ -149,6 +149,7 @@ func New(ctx context.Context, cfg *model.Cfg, apiv1 *apiv1.Client, tracer *trace
 	s.httpHelpers.Server.RegEndpoint(ctx, rgRoot, http.MethodGet, ".well-known/openid-credential-issuer", http.StatusOK, s.endpointVCIMetadata)
 
 	s.httpHelpers.Server.RegEndpoint(ctx, rgRoot, http.MethodGet, ".well-known/oauth-authorization-server", http.StatusOK, s.endpointOAuthMetadata)
+	s.httpHelpers.Server.RegEndpoint(ctx, rgRoot, http.MethodGet, ".well-known/jwt-vc-issuer", http.StatusOK, s.endpointJWTVCIssuerMetadata)
 	s.httpHelpers.Server.RegEndpoint(ctx, rgRoot, http.MethodGet, "jwks", http.StatusOK, s.endpointJWKS)
 	rgOAuthSession := rgRoot.Group("")
 	rgOAuthSession.Use(s.httpHelpers.Middleware.UserSession(s.sessionsName, s.sessionsAuthKey, s.sessionsEncKey, s.sessionsOptions))

pkg/trust/jwks_resolver.go

@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"
 
@@ -52,9 +53,9 @@ type JWKSResolverConfig struct {
 //
 // Resolved JWKS are cached per issuer URL. Keys are matched by kid.
 type JWKSKeyResolver struct {
-	httpClient  *http.Client
-	cache       *ttlcache.Cache[string, *cachedJWKS]
-	parseJWK    func(jwkData any) (crypto.PublicKey, error)
+	httpClient *http.Client
+	cache      *ttlcache.Cache[string, *cachedJWKS]
+	parseJWK   func(jwkData any) (crypto.PublicKey, error)
 }
 
 // cachedJWKS holds the parsed JWKS keys for an issuer.
@@ -207,9 +208,12 @@ func (r *JWKSKeyResolver) fetchIssuerJWKS(ctx context.Context, issuerURL string)
 }
 
 // tryJWTVCIssuerMetadata tries the SD-JWT VC §5.3 primary discovery endpoint.
+// The well-known URL is constructed per RFC 8615 §3: the well-known string is inserted
+// between the host component and the path component of the issuer URL.
 func (r *JWKSKeyResolver) tryJWTVCIssuerMetadata(ctx context.Context, baseURL, issuerURL string) ([]json.RawMessage, error) {
+	metadataURL := buildWellKnownURL(baseURL, "jwt-vc-issuer")
 	var metadata jwtVCIssuerMetadata
-	if _, err := r.fetchJSON(ctx, baseURL+"/.well-known/jwt-vc-issuer", &metadata); err != nil {
+	if _, err := r.fetchJSON(ctx, metadataURL, &metadata); err != nil {
 		return nil, err
 	}
 
@@ -348,6 +352,30 @@ func (r *JWKSKeyResolver) fetchJSON(ctx context.Context, url string, target any)
 	return target, nil
 }
 
+// buildWellKnownURL constructs a well-known URL per RFC 8615 §3.
+// The well-known suffix is inserted between the host and path components of the entity URL.
+// For example, with suffix "jwt-vc-issuer":
+//
+//	https://example.com           → https://example.com/.well-known/jwt-vc-issuer
+//	https://example.com/tenant/1  → https://example.com/.well-known/jwt-vc-issuer/tenant/1
+func buildWellKnownURL(entity, suffix string) string {
+	entity = strings.TrimSuffix(entity, "/")
+
+	parsed, err := url.Parse(entity)
+	if err != nil || parsed.Host == "" {
+		// Best-effort fallback: just append
+		return entity + "/.well-known/" + suffix
+	}
+
+	path := strings.TrimPrefix(parsed.Path, "/")
+	base := parsed.Scheme + "://" + parsed.Host
+
+	if path == "" {
+		return base + "/.well-known/" + suffix
+	}
+	return base + "/.well-known/" + suffix + "/" + path
+}
+
 // Stop stops the cache's automatic expiration goroutine.
 func (r *JWKSKeyResolver) Stop() {
 	r.cache.Stop()

pkg/trust/jwks_resolver_test.go

@@ -376,7 +376,7 @@ func TestJWKSKeyResolverFallbackCredentialIssuerWithExplicitAS(t *testing.T) {
 		switch r.URL.Path {
 		case "/.well-known/openid-credential-issuer":
 			meta := map[string]any{
-				"credential_issuer":    serverURL,
+				"credential_issuer":     serverURL,
 				"authorization_servers": []string{serverURL + "/auth"},
 			}
 			w.Header().Set("Content-Type", "application/json")
@@ -452,3 +452,31 @@ func TestJWKSKeyResolverInvalidateIssuer(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, 2, callCount) // now 2, fetched again
 }
+
+func TestBuildWellKnownURL(t *testing.T) {
+	tests := []struct {
+		entity string
+		suffix string
+		want   string
+	}{
+		// Host-only
+		{"https://example.com", "jwt-vc-issuer", "https://example.com/.well-known/jwt-vc-issuer"},
+		// Trailing slash
+		{"https://example.com/", "jwt-vc-issuer", "https://example.com/.well-known/jwt-vc-issuer"},
+		// Path-based (RFC 8615 §3: insert between host and path)
+		{"https://example.com/tenant1", "jwt-vc-issuer", "https://example.com/.well-known/jwt-vc-issuer/tenant1"},
+		// Deep path
+		{"https://example.com/org/tenant/v1", "jwt-vc-issuer", "https://example.com/.well-known/jwt-vc-issuer/org/tenant/v1"},
+		// With port
+		{"https://example.com:8443/tenant", "jwt-vc-issuer", "https://example.com:8443/.well-known/jwt-vc-issuer/tenant"},
+		// HTTP (test servers)
+		{"http://127.0.0.1:12345", "jwt-vc-issuer", "http://127.0.0.1:12345/.well-known/jwt-vc-issuer"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.entity, func(t *testing.T) {
+			got := buildWellKnownURL(tt.entity, tt.suffix)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}