web-eid
diff --git a/‎README.md‎
Lines changed: 110 additions & 0 deletions b/‎README.md‎
Lines changed: 110 additions & 0 deletions
diff --git a/‎example/README.md‎
Lines changed: 1 addition & 0 deletions b/‎example/README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/WebEid.Security.Tests/TestUtils/AbstractTestWithValidator.cs‎
Lines changed: 21 additions & 5 deletions b/‎src/WebEid.Security.Tests/TestUtils/AbstractTestWithValidator.cs‎
Lines changed: 21 additions & 5 deletions
diff --git a/‎src/WebEid.Security.Tests/Validator/AuthTokenAlgorithmTest.cs‎
Lines changed: 52 additions & 8 deletions b/‎src/WebEid.Security.Tests/Validator/AuthTokenAlgorithmTest.cs‎
Lines changed: 52 additions & 8 deletions
@@ -298,6 +298,116 @@ When using standard [ASP.NET cookie authentication](https://docs.microsoft.com/e
     }
     ```
 
+- Similarly, the `MobileAuthInitController` generates a challenge nonce and returns the mobile deep-link for starting the Web eID Mobile authentication flow, and the `MobileAuthLoginController` handles the mobile login request by validating the returned authentication token and creating the authentication cookie.
+    ```cs
+    using System;
+    using System.Text;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.Extensions.Options;
+    using System.Text.Json;
+    using System.Text.Json.Serialization;
+    using Options;
+    using Security.Challenge;
+
+    [ApiController]
+    [Route("auth/mobile")]
+    public class MobileAuthInitController(
+        IChallengeNonceGenerator nonceGenerator,
+        IOptions<WebEidMobileOptions> mobileOptions
+    ) : ControllerBase
+    {
+        private const string WebEidMobileAuthPath = "auth";
+        private const string MobileLoginPath = "/auth/mobile/login";
+
+        [HttpPost("init")]
+        public IActionResult Init()
+        {
+            var challenge = nonceGenerator.GenerateAndStoreNonce(TimeSpan.FromMinutes(5));
+            var challengeBase64 = challenge.Base64EncodedNonce;
+
+            var loginUri = $"{Request.Scheme}://{Request.Host}{MobileLoginPath}";
+
+            var payload = new AuthPayload
+            {
+                Challenge = challengeBase64,
+                LoginUri = loginUri,
+                GetSigningCertificate = mobileOptions.Value.RequestSigningCert ? true : null
+            };
+
+            var json = JsonSerializer.Serialize(payload);
+            var encodedPayload = Convert.ToBase64String(Encoding.UTF8.GetBytes(json));
+
+            var authUri = BuildAuthUri(encodedPayload);
+
+            return Ok(new AuthUri
+            {
+                AuthUriValue = authUri
+            });
+        }
+    ```
+
+    ```cs
+    using Microsoft.AspNetCore.Mvc;
+    using System.Text.Json;
+    using Dto;
+    using Security.Challenge;
+    using Security.Validator;
+    using System.Security.Claims;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Authentication;
+    using Microsoft.AspNetCore.Authentication.Cookies;
+    using Security.Util;
+
+    [ApiController]
+    [Route("auth/mobile")]
+    public class MobileAuthLoginController(
+        IAuthTokenValidator authTokenValidator,
+        IChallengeNonceStore challengeNonceStore
+    ) : ControllerBase
+    {
+        [HttpPost("login")]
+        public async Task<IActionResult> MobileLogin([FromBody] AuthenticateRequestDto dto)
+        {
+            if (dto?.AuthToken == null)
+            {
+                return BadRequest(new { error = "Missing auth_token" });
+            }
+
+            var parsedToken = dto.AuthToken;
+            var certificate = await authTokenValidator.Validate(
+                parsedToken,
+                challengeNonceStore.GetAndRemove().Base64EncodedNonce);
+
+            var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
+
+            identity.AddClaim(new Claim(ClaimTypes.GivenName, certificate.GetSubjectGivenName()));
+            identity.AddClaim(new Claim(ClaimTypes.Surname, certificate.GetSubjectSurname()));
+            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, certificate.GetSubjectIdCode()));
+            identity.AddClaim(new Claim(ClaimTypes.Name, certificate.GetSubjectCn()));
+
+            if (!string.IsNullOrEmpty(parsedToken.UnverifiedSigningCertificate))
+            {
+                identity.AddClaim(new Claim("signingCertificate", parsedToken.UnverifiedSigningCertificate));
+            }
+
+            if (parsedToken.SupportedSignatureAlgorithms != null)
+            {
+                identity.AddClaim(new Claim(
+                    "supportedSignatureAlgorithms",
+                    JsonSerializer.Serialize(parsedToken.SupportedSignatureAlgorithms)));
+            }
+
+            await HttpContext.SignInAsync(
+                CookieAuthenticationDefaults.AuthenticationScheme,
+                new ClaimsPrincipal(identity),
+                new AuthenticationProperties { IsPersistent = false });
+
+            return Ok(new { redirect = "/welcome" });
+        }
+    }
+    ```
+
+
 # Table of contents
 
 * [Introduction](#introduction)
 
@@ -130,6 +130,7 @@ The `src\WebEid.AspNetCore.Example` directory contains the ASP.NET application s
 -   `DigiDoc`: contains the C# binding files of the `libdigidocpp` library; these files must be copied from the `libdigidocpp` installation directory `\include\digidocpp_csharp`,
 -   `Pages`: Razor pages,
 -   `Services`: Web eID signing service implementation that uses `libdigidocpp`.
+-   `Options`: strongly-typed configuration classes for mobile Web eID settings such as `BaseRequestUri` and `RequestSigningCert` (when set to false, initiates a separate signing-certificate flow to demo requesting the certificate without prior authentication, as the signing certificate normally comes from the authentication flow).
 
 ## More information
 
 
@@ -34,6 +34,15 @@ public abstract class AbstractTestWithValidator
         "\"appVersion\":\"https://web-eid.eu/web-eid-app/releases/2.0.0+0\"," +
         "\"signature\":\"tbMTrZD4CKUj6atjNCHZruIeyPFAEJk2htziQ1t08BSTyA5wKKqmNmzsJ7562hWQ6+tJd6nlidHGE5jVVJRKmPtNv3f9gbT2b7RXcD4t5Pjn8eUCBCA4IX99Af32Z5ln\"," +
         "\"format\":\"web-eid:1\"}";
+
+        protected const string ValidV11AuthTokenStr = "{\"algorithm\":\"ES384\"," +
+        "\"unverifiedCertificate\":\"MIIEBDCCA2WgAwIBAgIQY5OGshxoPMFg+Wfc0gFEaTAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTIxMDcyMjEyNDMwOFoXDTI2MDcwOTIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQmwEKsJTjaMHSaZj19hb9EJaJlwbKc5VFzmlGMFSJVk4dDy+eUxa5KOA7tWXqzcmhh5SYdv+MxcaQKlKWLMa36pfgv20FpEDb03GCtLqjLTRZ7649PugAQ5EmAqIic29CjggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFPlp/ceABC52itoqppEmbf71TJz6MGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBjAAwgYgCQgDCAgybz0u3W+tGI+AX+PiI5CrE9ptEHO5eezR1Jo4j7iGaO0i39xTGUB+NSC7P6AQbyE/ywqJjA1a62jTLcS9GHAJCARxN4NO4eVdWU3zVohCXm8WN3DWA7XUcn9TZiLGQ29P4xfQZOXJi/z4PNRRsR4plvSNB3dfyBvZn31HhC7my8woi\"," +
+        "\"unverifiedSigningCertificate\":\"MIID6zCCA02gAwIBAgIQT7j6zk6pmVRcyspLo5SqejAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE5MDUwMjEwNDUzMVoXDTI5MDUwMjEwNDUzMVowfzELMAkGA1UEBhMCRUUxFjAUBgNVBCoMDUpBQUstS1JJU1RKQU4xEDAOBgNVBAQMB0rDlUVPUkcxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASkwENR8GmCpEs6OshDWDfIiKvGuyNMOD2rjIQW321AnZD3oIsqD0svBMNEJJj9Dlvq/47TYDObIa12KAU5IuOBfJs2lrFdSXZjaM+a5TWT3O2JTM36YDH2GcMe/eisepejggGrMIIBpzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIGQDBIBgNVHSAEQTA/MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAJBgcEAIvsQAECMB0GA1UdDgQWBBTVX3s48Spy/Es2TcXgkRvwUn2YcjCBigYIKwYBBQUHAQMEfjB8MAgGBgQAjkYBATAIBgYEAI5GAQQwEwYGBACORgEGMAkGBwQAjkYBBgEwUQYGBACORgEFMEcwRRY/aHR0cHM6Ly9zay5lZS9lbi9yZXBvc2l0b3J5L2NvbmRpdGlvbnMtZm9yLXVzZS1vZi1jZXJ0aWZpY2F0ZXMvEwJFTjAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBiwAwgYcCQgGBr+Jbo1GeqgWdIwgMo7SA29AP38JxNm2HWq2Qb+kIHpusAK574Co1K5D4+Mk7/ITTuXQaET5WphHoN7tdAciTaQJBAn0zBigYyVPYSTO68HM6hmlwTwi/KlJDdXW/2NsMjSqofFFJXpGvpxk2CTqSRCjcavxLPnkasTbNROYSJcmM8Xc=\"," +
+        "\"supportedSignatureAlgorithms\":[{\"cryptoAlgorithm\":\"RSA\",\"hashFunction\":\"SHA-256\",\"paddingScheme\":\"PKCS1.5\"}]," +
+        "\"appVersion\":\"https://web-eid.eu/web-eid-mobile-app/releases/v1.0.0\"," +
+        "\"signature\":\"0Ov7ME6pTY1K2GXMj8Wxov/o2fGIMEds8OMY5dKdkB0nrqQX7fG1E5mnsbvyHpMDecMUH6Yg+p1HXdgB/lLqOcFZjt/OVXPjAAApC5d1YgRYATDcxsR1zqQwiNcHdmWn\"," +
+        "\"format\":\"web-eid:1.1\"}";
+
         public const string ValidChallengeNonce = "12345678123456781234567812345678912356789123";
 
         private DateTimeProvider dateTimeProvider;
@@ -44,15 +53,22 @@ public abstract class AbstractTestWithValidator
         [SetUp]
         protected void SetUp()
         {
-            this.Validator = AuthTokenValidators.GetAuthTokenValidator();
-            this.ValidAuthToken = this.Validator.Parse(ValidAuthTokenStr);
-            this.dateTimeProvider = DateTimeProvider.OverrideUtcNow(new DateTime(2021, 3, 1));
+            Validator = AuthTokenValidators.GetAuthTokenValidator();
+            ValidAuthToken = Validator.Parse(ValidAuthTokenStr);
+            dateTimeProvider = DateTimeProvider.OverrideUtcNow(new DateTime(2021, 8, 1));
         }
 
         [TearDown]
-        public void TearDown() => this.dateTimeProvider?.Dispose();
+        public void TearDown() => dateTimeProvider?.Dispose();
 
         protected WebEidAuthToken ReplaceTokenField(string token, string field, string value) =>
-            this.Validator.Parse(token.Replace(field, value));
+            Validator.Parse(token.Replace(field, value));
+
+        protected string RemoveJsonField(string json, string fieldName)
+        {
+            var node = Newtonsoft.Json.Linq.JObject.Parse(json);
+            node.Remove(fieldName);
+            return node.ToString(Newtonsoft.Json.Formatting.None);
+        }
     }
 }
@@ -22,33 +22,77 @@
 namespace WebEid.Security.Tests.Validator
 {
     using NUnit.Framework;
-    using WebEid.Security.Exceptions;
-    using WebEid.Security.Tests.TestUtils;
+    using Exceptions;
+    using TestUtils;
 
     public class AuthTokenAlgorithmTest : AbstractTestWithValidator
     {
         [Test]
         public void WhenAlgorithmNoneThenValidationFailsAsync()
         {
-            var authToken = this.ReplaceTokenField(ValidAuthTokenStr, "ES384", "NONE");
-            Assert.ThrowsAsync<AuthTokenParseException>(() => this.Validator.Validate(authToken, ValidChallengeNonce))
+            var authToken = ReplaceTokenField(ValidAuthTokenStr, "ES384", "NONE");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(authToken, ValidChallengeNonce))
                 .WithMessage("Unsupported signature algorithm");
         }
 
         [Test]
         public void WhenAlgorithmEmptyThenParsingFailsAsync()
         {
-            var authToken = this.ReplaceTokenField(ValidAuthTokenStr, "ES384", "");
-            Assert.ThrowsAsync<AuthTokenParseException>(() => this.Validator.Validate(authToken, ValidChallengeNonce))
+            var authToken = ReplaceTokenField(ValidAuthTokenStr, "ES384", "");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(authToken, ValidChallengeNonce))
                 .WithMessage("'algorithm' is null or empty");
         }
 
         [Test]
         public void WhenAlgorithmInvalidThenParsingFailsAsync()
         {
-            var authToken = this.ReplaceTokenField(ValidAuthTokenStr, "ES384", "\u0000\t\ninvalid");
-            Assert.ThrowsAsync<AuthTokenParseException>(() => this.Validator.Validate(authToken, ValidChallengeNonce))
+            var authToken = ReplaceTokenField(ValidAuthTokenStr, "ES384", "\u0000\t\ninvalid");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(authToken, ValidChallengeNonce))
                 .WithMessage("Unsupported signature algorithm");
         }
+
+        [Test]
+        public void WhenV11TokenMissingSupportedAlgorithmsThenValidationFailsAsync()
+        {
+            var tokenJson = RemoveJsonField(ValidV11AuthTokenStr, "supportedSignatureAlgorithms");
+            var token = Validator.Parse(tokenJson);
+
+            var ex = Assert.ThrowsAsync<AuthTokenParseException>(() =>
+                Validator.Validate(token, ValidChallengeNonce));
+
+            Assert.That(ex.Message, Does.Contain("'supportedSignatureAlgorithms' field is missing"));
+        }
+
+        [Test]
+        public void WhenV11TokenHasInvalidCryptoAlgorithmThenValidationFailsAsync()
+        {
+            var token = ReplaceTokenField(ValidV11AuthTokenStr, "\"cryptoAlgorithm\":\"RSA\"", "\"cryptoAlgorithm\":\"INVALID\"");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(token, ValidChallengeNonce))
+                .WithMessage("Unsupported signature algorithm");
+        }
+
+        [Test]
+        public void WhenV11TokenHasInvalidHashFunctionThenValidationFailsAsync()
+        {
+            var token = ReplaceTokenField( ValidV11AuthTokenStr, "\"hashFunction\":\"SHA-256\"", "\"hashFunction\":\"NOT_A_HASH\"");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(token, ValidChallengeNonce))
+                .WithMessage("Unsupported signature algorithm");
+        }
+
+        [Test]
+        public void WhenV11TokenHasInvalidPaddingSchemeThenValidationFailsAsync()
+        {
+            var token = ReplaceTokenField( ValidV11AuthTokenStr, "\"paddingScheme\":\"PKCS1.5\"", "\"paddingScheme\":\"BAD_PADDING\"");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(token, ValidChallengeNonce))
+                .WithMessage("Unsupported signature algorithm");
+        }
+
+        [Test]
+        public void WhenV11TokenHasEmptySupportedAlgorithmsThenValidationFailsAsync()
+        {
+            var token = ReplaceTokenField( ValidV11AuthTokenStr, "\"supportedSignatureAlgorithms\":[{\"cryptoAlgorithm\":\"RSA\",\"hashFunction\":\"SHA-256\",\"paddingScheme\":\"PKCS1.5\"}]", "\"supportedSignatureAlgorithms\":[]");
+            Assert.ThrowsAsync<AuthTokenParseException>(() => Validator.Validate(token, ValidChallengeNonce))
+                .WithMessage("'supportedSignatureAlgorithms' field is missing");
+        }
     }
 }