feat: Add attest_jwt_client_auth option to Credential Issuer metadata

Signed-off-by: Mykhailo Sizov <[email protected]>
mishasizov-SK · Nov 7, 2023 · 2f02726 · 2f02726
1 parent f1f4962
commit 2f02726
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 0 deletions.
diff --git a/docs/v1/openapi.yaml b/docs/v1/openapi.yaml
@@ -918,6 +918,11 @@ components:
           description: An array of objects, where each object contains display properties of a Credential Issuer for a certain language.
           items:
             $ref: '#/components/schemas/CredentialDisplay'
+        token_endpoint_auth_methods_supported:
+          type: array
+          items:
+            type: string
+          description: JSON array containing a list of client authentication methods supported by this token endpoint. Default is "none".
       required:
         - authorization_endpoint
         - token_endpoint
@@ -929,6 +934,7 @@ components:
         - credential_issuer
         - credential_endpoint
         - credentials_supported
+        - token_endpoint_auth_methods_supported
       description: WellKnownOpenIDIssuerConfiguration represents the OIDC Configuration response for cases when VCS serves as IDP.
     CredentialIssuanceHistoryData:
       title: CredentialIssuanceHistory response

diff --git a/pkg/restapi/v1/issuer/openapi.gen.go b/pkg/restapi/v1/issuer/openapi.gen.go
diff --git a/pkg/service/wellknown/provider/testdata/profile.json b/pkg/service/wellknown/provider/testdata/profile.json
@@ -8,6 +8,7 @@
     "signed_issuer_metadata_supported": true,
     "grant_types_supported": ["grantType1","grantType2"],
     "scopes_supported": ["scope1","scope1"],
+    "token_endpoint_auth_methods_supported": ["none","attest_jwt_client_auth"],
     "pre-authorized_grant_anonymous_access_supported": true,
     "wallet_initiated_auth_flow_supported": true,
     "enable_dynamic_client_registration": true

diff --git a/pkg/service/wellknown/provider/wellknown_service.go b/pkg/service/wellknown/provider/wellknown_service.go
@@ -150,6 +150,7 @@ func (s *Service) getOpenIDIssuerConfig(issuerProfile *profileapi.Issuer) *issue
 		final.GrantTypesSupported = issuerProfile.OIDCConfig.GrantTypesSupported
 		final.ScopesSupported = issuerProfile.OIDCConfig.ScopesSupported
 		final.PreAuthorizedGrantAnonymousAccessSupported = issuerProfile.OIDCConfig.PreAuthorizedGrantAnonymousAccessSupported
+		final.TokenEndpointAuthMethodsSupported = issuerProfile.OIDCConfig.TokenEndpointAuthMethodsSupported
 
 		if issuerProfile.OIDCConfig.EnableDynamicClientRegistration {
 			regURL, _ := url.JoinPath(host, "oidc", issuerProfile.ID, issuerProfile.Version, "register")

diff --git a/pkg/service/wellknown/provider/wellknown_service_test.go b/pkg/service/wellknown/provider/wellknown_service_test.go
@@ -211,6 +211,7 @@ func checkWellKnownOpenIDIssuerConfiguration(
 	if includedOIDCConfig {
 		assert.Equal(t, []string{"grantType1", "grantType2"}, res.GrantTypesSupported)
 		assert.Equal(t, []string{"scope1", "scope1"}, res.ScopesSupported)
+		assert.Equal(t, []string{"none", "attest_jwt_client_auth"}, res.TokenEndpointAuthMethodsSupported)
 		assert.True(t, res.PreAuthorizedGrantAnonymousAccessSupported)
 
 		if includedClientRegistration {
@@ -225,6 +226,7 @@ func checkWellKnownOpenIDIssuerConfiguration(
 		assert.Nil(t, res.ScopesSupported)
 		assert.False(t, res.PreAuthorizedGrantAnonymousAccessSupported)
 		assert.Nil(t, res.RegistrationEndpoint)
+		assert.Nil(t, res.TokenEndpointAuthMethodsSupported)
 	}
 }