diff --git a/docs/v1/openapi.yaml b/docs/v1/openapi.yaml index fec3aa045..375e92eca 100644 --- a/docs/v1/openapi.yaml +++ b/docs/v1/openapi.yaml @@ -918,6 +918,11 @@ components: description: An array of objects, where each object contains display properties of a Credential Issuer for a certain language. items: $ref: '#/components/schemas/CredentialDisplay' + token_endpoint_auth_methods_supported: + type: array + items: + type: string + description: JSON array containing a list of client authentication methods supported by this token endpoint. Default is "none". required: - authorization_endpoint - token_endpoint @@ -929,6 +934,7 @@ components: - credential_issuer - credential_endpoint - credentials_supported + - token_endpoint_auth_methods_supported description: WellKnownOpenIDIssuerConfiguration represents the OIDC Configuration response for cases when VCS serves as IDP. CredentialIssuanceHistoryData: title: CredentialIssuanceHistory response diff --git a/pkg/restapi/v1/issuer/openapi.gen.go b/pkg/restapi/v1/issuer/openapi.gen.go index ffb25c53d..d3bbc1841 100644 --- a/pkg/restapi/v1/issuer/openapi.gen.go +++ b/pkg/restapi/v1/issuer/openapi.gen.go @@ -361,6 +361,9 @@ type WellKnownOpenIDIssuerConfiguration struct { // URL of the OP's OAuth 2.0 Token Endpoint. TokenEndpoint string `json:"token_endpoint"` + + // JSON array containing a list of client authentication methods supported by this token endpoint. Default is "none". + TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"` } // PostCredentialsStatusJSONBody defines parameters for PostCredentialsStatus. diff --git a/pkg/service/wellknown/provider/testdata/profile.json b/pkg/service/wellknown/provider/testdata/profile.json index 205a5e60b..5912a8baf 100644 --- a/pkg/service/wellknown/provider/testdata/profile.json +++ b/pkg/service/wellknown/provider/testdata/profile.json @@ -8,6 +8,7 @@ "signed_issuer_metadata_supported": true, "grant_types_supported": ["grantType1","grantType2"], "scopes_supported": ["scope1","scope1"], + "token_endpoint_auth_methods_supported": ["none","attest_jwt_client_auth"], "pre-authorized_grant_anonymous_access_supported": true, "wallet_initiated_auth_flow_supported": true, "enable_dynamic_client_registration": true diff --git a/pkg/service/wellknown/provider/wellknown_service.go b/pkg/service/wellknown/provider/wellknown_service.go index 524455e02..1a100aaa9 100644 --- a/pkg/service/wellknown/provider/wellknown_service.go +++ b/pkg/service/wellknown/provider/wellknown_service.go @@ -150,6 +150,7 @@ func (s *Service) getOpenIDIssuerConfig(issuerProfile *profileapi.Issuer) *issue final.GrantTypesSupported = issuerProfile.OIDCConfig.GrantTypesSupported final.ScopesSupported = issuerProfile.OIDCConfig.ScopesSupported final.PreAuthorizedGrantAnonymousAccessSupported = issuerProfile.OIDCConfig.PreAuthorizedGrantAnonymousAccessSupported + final.TokenEndpointAuthMethodsSupported = issuerProfile.OIDCConfig.TokenEndpointAuthMethodsSupported if issuerProfile.OIDCConfig.EnableDynamicClientRegistration { regURL, _ := url.JoinPath(host, "oidc", issuerProfile.ID, issuerProfile.Version, "register") diff --git a/pkg/service/wellknown/provider/wellknown_service_test.go b/pkg/service/wellknown/provider/wellknown_service_test.go index c5081a05e..635763a2a 100644 --- a/pkg/service/wellknown/provider/wellknown_service_test.go +++ b/pkg/service/wellknown/provider/wellknown_service_test.go @@ -211,6 +211,7 @@ func checkWellKnownOpenIDIssuerConfiguration( if includedOIDCConfig { assert.Equal(t, []string{"grantType1", "grantType2"}, res.GrantTypesSupported) assert.Equal(t, []string{"scope1", "scope1"}, res.ScopesSupported) + assert.Equal(t, []string{"none", "attest_jwt_client_auth"}, res.TokenEndpointAuthMethodsSupported) assert.True(t, res.PreAuthorizedGrantAnonymousAccessSupported) if includedClientRegistration { @@ -225,6 +226,7 @@ func checkWellKnownOpenIDIssuerConfiguration( assert.Nil(t, res.ScopesSupported) assert.False(t, res.PreAuthorizedGrantAnonymousAccessSupported) assert.Nil(t, res.RegistrationEndpoint) + assert.Nil(t, res.TokenEndpointAuthMethodsSupported) } }