Include AtContext in credential metadata

Author: cicnavi

routing/services/services.yml

@@ -97,6 +97,7 @@ services:
   SimpleSAML\Module\oidc\Utils\ClassInstanceBuilder: ~
   SimpleSAML\Module\oidc\Utils\JwksResolver: ~
   SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver: ~
+  SimpleSAML\Module\oidc\Utils\VciContextResolver: ~
   SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor:
     factory: ['@SimpleSAML\Module\oidc\Factories\ClaimTranslatorExtractorFactory', 'build']
   SimpleSAML\Module\oidc\Utils\FederationCache:

src/Controllers/VerifiableCredentials/CredentialIssuerConfigurationController.php

@@ -17,7 +17,9 @@
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\Module\oidc\Utils\VciContextResolver;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\CredentialFormatIdentifiersEnum;
 use Symfony\Component\HttpFoundation\Response;
 
 class CredentialIssuerConfigurationController
@@ -29,6 +31,7 @@ public function __construct(
         protected readonly ModuleConfig $moduleConfig,
         protected readonly Routes $routes,
         protected readonly LoggerService $loggerService,
+        protected readonly VciContextResolver $vciContextResolver,
     ) {
         if (!$this->moduleConfig->getVciEnabled()) {
             $this->loggerService->warning('Verifiable Credential capabilities not enabled.');
@@ -47,6 +50,7 @@ public function configuration(): Response
         // For now, we only support one credential signing algorithm.
         /** @psalm-suppress MixedAssignment */
         foreach ($credentialConfigurationsSupported as $credentialConfigurationId => $credentialConfiguration) {
+            $credentialConfigurationId = (string) $credentialConfigurationId;
             if (is_array($credentialConfiguration)) {
                 $credentialConfiguration[ClaimsEnum::CredentialSigningAlgValuesSupported->value] = [
                     $signatureKeyPair->getSignatureAlgorithm()->value,
@@ -63,6 +67,25 @@ public function configuration(): Response
                             ->getAllNamesUnique(),
                     ],
                 ];
+
+                $credentialFormatId = $credentialConfiguration[ClaimsEnum::Format->value] ?? null;
+
+                if ($credentialFormatId === CredentialFormatIdentifiersEnum::VcSdJwt->value) {
+                    $atContext = $this->vciContextResolver->resolve(
+                        $credentialConfigurationId,
+                        $credentialConfiguration,
+                    );
+
+                    /** @psalm-suppress MixedArrayAccess */
+                    if (isset($credentialConfiguration[ClaimsEnum::CredentialDefinition->value])) {
+                        /** @psalm-suppress MixedArrayAssignment */
+                        $credentialConfiguration[ClaimsEnum::CredentialDefinition->value][ClaimsEnum::AtContext->value]
+                        = $atContext;
+                    } else {
+                        $credentialConfiguration[ClaimsEnum::AtContext->value] = $atContext;
+                    }
+                }
+
                 $credentialConfigurationsSupported[$credentialConfigurationId] = $credentialConfiguration;
             }
         }

src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php

@@ -17,6 +17,7 @@
 use SimpleSAML\Module\oidc\Services\NonceService;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\Module\oidc\Utils\VciContextResolver;
 use SimpleSAML\OpenID\Codebooks\AtContextsEnum;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\CredentialFormatIdentifiersEnum;
@@ -53,6 +54,7 @@ public function __construct(
         protected readonly Did $did,
         protected readonly IssuerStateRepository $issuerStateRepository,
         protected readonly NonceService $nonceService,
+        protected readonly VciContextResolver $vciContextResolver,
     ) {
         if (!$this->moduleConfig->getVciEnabled()) {
             $this->loggerService->warning('Verifiable Credential capabilities not enabled.');
@@ -762,37 +764,10 @@ public function credential(Request $request): Response
             }
 
             if ($credentialFormatId === CredentialFormatIdentifiersEnum::VcSdJwt->value) {
-            // Always start with the VCDM 2.0 base context URL (mandatory).
-                $atContext = [AtContextsEnum::W3OrgNsCredentialsV2->value];
-
-            // If a JSON-LD context document is configured for this credential,
-            // append the module-hosted context URL so that verifiers can
-            // resolve the custom credential subject terms.
-                if ($this->moduleConfig->getVciCredentialJsonLdContextFor($resolvedCredentialIdentifier) !== null) {
-                    $atContext[] = $this->routes->urlCredentialJsonLdContext($resolvedCredentialIdentifier);
-                }
-
-            // Append any additional context URLs declared in the credential
-            // configuration's @context field (skipping the base W3C URL,
-            // which is already first in the list).
-            /**
-             * @psalm-suppress MixedArrayAccess
-             * @psalm-suppress MixedAssignment
-             */
-                $configuredContexts = $resolvedCredentialConfiguration[ClaimsEnum::CredentialDefinition->value]
-                [ClaimsEnum::AtContext->value] ?? $resolvedCredentialConfiguration[ClaimsEnum::AtContext->value] ?? [];
-                if (is_array($configuredContexts)) {
-                /** @psalm-suppress MixedAssignment */
-                    foreach ($configuredContexts as $configuredContext) {
-                        if (
-                            is_string($configuredContext) &&
-                            $configuredContext !== AtContextsEnum::W3OrgNsCredentialsV2->value &&
-                            !in_array($configuredContext, $atContext, true)
-                        ) {
-                            $atContext[] = $configuredContext;
-                        }
-                    }
-                }
+                $atContext = $this->vciContextResolver->resolve(
+                    $resolvedCredentialIdentifier,
+                    $resolvedCredentialConfiguration,
+                );
 
                 $sdJwtPayload = [
                 ClaimsEnum::AtContext->value => $atContext,
@@ -839,6 +814,7 @@ public function credential(Request $request): Response
             $this->loggerService->debug(
                 'Verifiable credential issued successfully.',
                 ['token' => substr($token, 0, 20) . '...'],
+                //['token' => $token],
             );
         }
 

src/Services/Container.php

@@ -113,6 +113,7 @@
 use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\Module\oidc\Utils\VciContextResolver;
 use SimpleSAML\OpenID\Core;
 use SimpleSAML\OpenID\Federation;
 use SimpleSAML\OpenID\Jwks;
@@ -183,6 +184,9 @@ public function __construct()
         );
         $this->services[Routes::class] = $routes;
 
+        $vciContextResolver = new VciContextResolver($moduleConfig, $routes);
+        $this->services[VciContextResolver::class] = $vciContextResolver;
+
         $templateFactory = new TemplateFactory(
             $simpleSAMLConfiguration,
             $moduleConfig,

src/Utils/VciContextResolver.php

@@ -0,0 +1,68 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Utils;
+
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\OpenID\Codebooks\AtContextsEnum;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+
+class VciContextResolver
+{
+    /**
+     * VciContextResolver constructor.
+     * @param ModuleConfig $moduleConfig
+     * @param Routes $routes
+     */
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly Routes $routes,
+    ) {
+    }
+
+    /**
+     * Resolve the @context array for a given credential configuration.
+     *
+     * @param string $credentialConfigurationId
+     * @param array $credentialConfiguration
+     * @return array<string>
+     */
+    public function resolve(string $credentialConfigurationId, array $credentialConfiguration): array
+    {
+        // Always start with the VCDM 2.0 base context URL (mandatory).
+        $atContext = [AtContextsEnum::W3OrgNsCredentialsV2->value];
+
+        // If a JSON-LD context document is configured for this credential,
+        // append the module-hosted context URL so that verifiers can
+        // resolve the custom credential subject terms.
+        if ($this->moduleConfig->getVciCredentialJsonLdContextFor($credentialConfigurationId) !== null) {
+            $atContext[] = $this->routes->urlCredentialJsonLdContext($credentialConfigurationId);
+        }
+
+        // Append any additional context URLs declared in the credential
+        // configuration's @context field (skipping the base W3C URL,
+        // which is already first in the list).
+        /**
+         * @psalm-suppress MixedArrayAccess
+         * @psalm-suppress MixedAssignment
+         */
+        $configuredContexts = $credentialConfiguration[ClaimsEnum::CredentialDefinition->value]
+        [ClaimsEnum::AtContext->value] ?? $credentialConfiguration[ClaimsEnum::AtContext->value] ?? [];
+
+        if (is_array($configuredContexts)) {
+            /** @psalm-suppress MixedAssignment */
+            foreach ($configuredContexts as $configuredContext) {
+                if (
+                    is_string($configuredContext) &&
+                    $configuredContext !== AtContextsEnum::W3OrgNsCredentialsV2->value &&
+                    !in_array($configuredContext, $atContext, true)
+                ) {
+                    $atContext[] = $configuredContext;
+                }
+            }
+        }
+
+        return $atContext;
+    }
+}

tests/unit/src/Controllers/VerifiableCredentials/CredentialIssuerCredentialControllerTest.php

@@ -22,6 +22,7 @@
 use SimpleSAML\Module\oidc\Services\NonceService;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\Module\oidc\Utils\VciContextResolver;
 use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
 use SimpleSAML\OpenID\Did;
 use SimpleSAML\OpenID\Did\DidJwkResolver;
@@ -54,6 +55,7 @@ class CredentialIssuerCredentialControllerTest extends TestCase
     protected MockObject $didMock;
     protected MockObject $issuerStateRepositoryMock;
     protected MockObject $nonceServiceMock;
+    protected MockObject $vciContextResolverMock;
 
     public function setUp(): void
     {
@@ -69,6 +71,7 @@ public function setUp(): void
         $this->didMock = $this->createMock(Did::class);
         $this->issuerStateRepositoryMock = $this->createMock(IssuerStateRepository::class);
         $this->nonceServiceMock = $this->createMock(NonceService::class);
+        $this->vciContextResolverMock = $this->createMock(VciContextResolver::class);
 
         // VCI must be enabled in constructor
         $this->moduleConfigMock->method('getVciEnabled')->willReturn(true);
@@ -186,6 +189,7 @@ public function testCredentialWithMultipleProofs(): void
             $this->didMock,
             $this->issuerStateRepositoryMock,
             $this->nonceServiceMock,
+            $this->vciContextResolverMock,
         );
 
         $sut->credential($request);