sirosfoundation
diff --git a/‎config.yaml‎
Lines changed: 20 additions & 0 deletions b/‎config.yaml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎internal/verifier/apiv1/client.go‎
Lines changed: 81 additions & 15 deletions b/‎internal/verifier/apiv1/client.go‎
Lines changed: 81 additions & 15 deletions
diff --git a/‎internal/verifier/apiv1/client_test.go‎
Lines changed: 0 additions & 60 deletions b/‎internal/verifier/apiv1/client_test.go‎
Lines changed: 0 additions & 60 deletions
@@ -171,6 +171,26 @@ verifier:
     refresh_token_duration: 86400        # Refresh token duration in seconds (24 hours)
     subject_type: "pairwise"
     subject_salt: "change-this-in-production"
+    # Static OIDC clients (optional)
+    # Pre-configured clients that don't require dynamic registration
+    # These are checked in addition to dynamically registered clients in the database
+    # Note: secrets.yaml currently only supports oidc.subject_salt, not static client secrets.
+    # For production, consider using dynamic client registration or environment variables.
+    # static_clients:
+    #   - client_id: "example-client-id"
+    #     client_secret: ""  # Set via environment variable or leave empty for public clients
+    #     redirect_uris:
+    #       - "https://example.com/callback"
+    #     allowed_scopes:  # If omitted, defaults to openid, profile, email, address, phone
+    #       - "openid"
+    #       - "profile"
+    #       - "pid"
+    #     token_endpoint_auth_method: "none"  # Use "none" for public clients (no secret required)
+    #     grant_types:  # Optional, default: ["authorization_code"]
+    #       - "authorization_code"
+    #     response_types:  # Optional, default: ["code"]
+    #       - "code"
+    #     client_name: "Example Static Client"  # Optional
   openid4vp:
     presentation_timeout: 300
     # Template-based presentation requests (optional)
 
@@ -3,6 +3,7 @@ package apiv1
 import (
 	"context"
 	"crypto/sha256"
+	"crypto/subtle"
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
@@ -18,6 +19,8 @@ import (
 	"vc/pkg/openid4vp"
 	"vc/pkg/pki"
 	"vc/pkg/trace"
+
+	"golang.org/x/crypto/bcrypt"
 )
 
 // Client holds the public api object
@@ -158,36 +161,99 @@ func (c *Client) containsOIDC(slice []string, value string) bool {
 	return false
 }
 
-// authenticateClient validates client credentials for the token endpoint
-func (c *Client) authenticateClient(ctx context.Context, clientID, clientSecret string) (*db.Client, error) {
+// verifyPlaintextSecret performs constant-time comparison of plaintext secrets
+func verifyPlaintextSecret(provided, stored string) bool {
+	return subtle.ConstantTimeCompare([]byte(provided), []byte(stored)) == 1
+}
+
+// getClientByID looks up a client by ID, checking both database and static configuration.
+// Returns the client and a boolean indicating if it's a static client (plaintext secret).
+func (c *Client) getClientByID(ctx context.Context, clientID string) (*db.Client, bool, error) {
+	// First, try to find the client in the database (dynamically registered clients)
 	client, err := c.db.Clients.GetByClientID(ctx, clientID)
+	if err != nil {
+		return nil, false, err
+	}
+	if client != nil {
+		return client, false, nil
+	}
+
+	// If not found in database, check static clients from configuration
+	if c.cfg.Verifier.OIDC != nil {
+		for _, staticClient := range c.cfg.Verifier.OIDC.StaticClients {
+			if staticClient.ClientID == clientID {
+				// Determine allowed scopes: empty means all scopes allowed
+				allowedScopes := staticClient.AllowedScopes
+				if len(allowedScopes) == 0 {
+					// Default to common OIDC scopes when not specified
+					allowedScopes = []string{"openid", "profile", "email", "address", "phone"}
+				}
+
+				// Convert static client config to db.Client for consistent handling
+				return &db.Client{
+					ClientID:                clientID,
+					ClientSecretHash:        staticClient.ClientSecret, // Plaintext for static clients
+					RedirectURIs:            staticClient.RedirectURIs,
+					GrantTypes:              getOrDefault(staticClient.GrantTypes, []string{"authorization_code"}),
+					ResponseTypes:           getOrDefault(staticClient.ResponseTypes, []string{"code"}),
+					TokenEndpointAuthMethod: getOrDefaultString(staticClient.TokenEndpointAuthMethod, "client_secret_basic"),
+					AllowedScopes:           allowedScopes,
+					ClientName:              staticClient.ClientName,
+				}, true, nil // true = static client (plaintext secret)
+			}
+		}
+	}
+
+	return nil, false, nil
+}
+
+// authenticateClient validates client credentials for the token endpoint.
+// It first checks dynamically registered clients in the database, then falls back
+// to static clients configured in config.yaml.
+func (c *Client) authenticateClient(ctx context.Context, clientID, clientSecret string) (*db.Client, error) {
+	client, isStatic, err := c.getClientByID(ctx, clientID)
 	if err != nil {
 		return nil, err
 	}
 	if client == nil {
 		return nil, ErrInvalidClient
 	}
 
-	// Verify client secret using constant-time comparison via hash
-	secretHash := sha256.Sum256([]byte(clientSecret))
-	storedHash := sha256.Sum256([]byte(client.ClientSecretHash))
-	if !hmacEqual(secretHash[:], storedHash[:]) {
-		return nil, ErrInvalidClient
+	// Public clients don't require secret verification
+	if client.TokenEndpointAuthMethod == "none" {
+		return client, nil
+	}
+
+	// Verify secret based on client type
+	if isStatic {
+		// Static clients have plaintext secrets in config
+		if !verifyPlaintextSecret(clientSecret, client.ClientSecretHash) {
+			return nil, ErrInvalidClient
+		}
+	} else {
+		// DB clients have bcrypt-hashed secrets
+		if bcrypt.CompareHashAndPassword([]byte(client.ClientSecretHash), []byte(clientSecret)) != nil {
+			return nil, ErrInvalidClient
+		}
 	}
 
 	return client, nil
 }
 
-// hmacEqual performs constant-time comparison of two byte slices
-func hmacEqual(a, b []byte) bool {
-	if len(a) != len(b) {
-		return false
+// getOrDefault returns the slice if non-empty, otherwise returns the default value
+func getOrDefault(s, defaultVal []string) []string {
+	if len(s) > 0 {
+		return s
 	}
-	var result byte
-	for i := 0; i < len(a); i++ {
-		result |= a[i] ^ b[i]
+	return defaultVal
+}
+
+// getOrDefaultString returns the string if non-empty, otherwise returns the default value
+func getOrDefaultString(s, defaultVal string) string {
+	if s != "" {
+		return s
 	}
-	return result == 0
+	return defaultVal
 }
 
 // createDCQLQuery creates a DCQL query based on the requested scopes
 
@@ -177,66 +177,6 @@ func TestPKCE_S256(t *testing.T) {
 	assert.Equal(t, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM", challenge)
 }
 
-// TestHmacEqual tests the constant-time byte comparison function
-func TestHmacEqual(t *testing.T) {
-	tests := []struct {
-		name     string
-		a        []byte
-		b        []byte
-		expected bool
-	}{
-		{
-			name:     "equal slices",
-			a:        []byte("hello world"),
-			b:        []byte("hello world"),
-			expected: true,
-		},
-		{
-			name:     "different slices same length",
-			a:        []byte("hello world"),
-			b:        []byte("hello worle"),
-			expected: false,
-		},
-		{
-			name:     "different lengths",
-			a:        []byte("hello"),
-			b:        []byte("hello world"),
-			expected: false,
-		},
-		{
-			name:     "empty slices",
-			a:        []byte{},
-			b:        []byte{},
-			expected: true,
-		},
-		{
-			name:     "one empty one not",
-			a:        []byte{},
-			b:        []byte("hello"),
-			expected: false,
-		},
-		{
-			name:     "binary data equal",
-			a:        []byte{0x00, 0x01, 0x02, 0xff},
-			b:        []byte{0x00, 0x01, 0x02, 0xff},
-			expected: true,
-		},
-		{
-			name:     "binary data different",
-			a:        []byte{0x00, 0x01, 0x02, 0xff},
-			b:        []byte{0x00, 0x01, 0x02, 0xfe},
-			expected: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := hmacEqual(tt.a, tt.b)
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}
-
 func TestClient_buildLegacyDCQLQuery(t *testing.T) {
 	tests := []struct {
 		name                  string