feat: 5.1.2. Using scope Parameter to Request Issuance of a Credential

Signed-off-by: Mykhailo Sizov <[email protected]>

component/wallet-cli/pkg/oidc4vci/oidc4vci_flow.go

@@ -207,6 +207,7 @@ func (f *Flow) Run(ctx context.Context) (*verifiable.Credential, error) {
 		"credential_offer_uri", f.credentialOffer,
 		"credential_type", f.credentialType,
 		"credential_format", f.oidcCredentialFormat,
+		"scope", f.scopes,
 	)
 
 	var (

pkg/restapi/v1/oidc4ci/controller.go

@@ -265,8 +265,6 @@ func (c *Controller) OidcAuthorize(e echo.Context, params OidcAuthorizeParams) e
 		},
 	}
 
-	scope := []string(ar.GetRequestedScopes())
-
 	var prepareAuthRequestAuthorizationDetails common.AuthorizationDetails
 
 	if params.AuthorizationDetails != nil {
@@ -306,7 +304,7 @@ func (c *Controller) OidcAuthorize(e echo.Context, params OidcAuthorizeParams) e
 			AuthorizationDetails: lo.ToPtr([]common.AuthorizationDetails{prepareAuthRequestAuthorizationDetails}),
 			OpState:              lo.FromPtr(params.IssuerState),
 			ResponseType:         params.ResponseType,
-			Scope:                lo.ToPtr(scope),
+			Scope:                lo.ToPtr([]string(ar.GetRequestedScopes())),
 		},
 	)
 	if err != nil {

pkg/service/oidc4ci/oidc4ci_service.go

@@ -19,6 +19,7 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	"github.com/samber/lo"
 	util "github.com/trustbloc/did-go/doc/util/time"
 	"github.com/trustbloc/logutil-go/pkg/log"
 	"github.com/trustbloc/vc-go/verifiable"
@@ -218,26 +219,10 @@ func (s *Service) PushAuthorizationDetails(
 }
 
 func (s *Service) checkScopes(reqScopes []string, txScopes []string) error {
-	isScopeValid := true
-
-	for _, scope := range reqScopes {
-		found := false
-
-		for _, v := range txScopes {
-			if v == scope {
-				found = true
-				break
-			}
+	for _, reqScope := range reqScopes {
+		if !lo.Contains(txScopes, reqScope) {
+			return resterr.ErrInvalidScope
 		}
-
-		if !found {
-			isScopeValid = false
-			break
-		}
-	}
-
-	if !isScopeValid {
-		return resterr.ErrInvalidScope
 	}
 
 	return nil
@@ -306,9 +291,11 @@ func (s *Service) PrepareClaimDataAuthorizationRequest(
 		ProfileVersion:                     tx.ProfileVersion,
 		TxID:                               tx.ID,
 		ResponseType:                       tx.ResponseType,
-		Scope:                              tx.Scope,
 		AuthorizationEndpoint:              tx.AuthorizationEndpoint,
 		PushedAuthorizationRequestEndpoint: tx.PushedAuthorizationRequestEndpoint,
+		// Use request-specific Scope to Issuer OIDC in order to request user consent for
+		// specific scopes that were defined by Wallet.
+		Scope: req.Scope,
 	}, nil
 }
 

pkg/service/oidc4ci/oidc4ci_service_initiate_issuance.go

@@ -55,7 +55,7 @@ func (s *Service) InitiateIssuance( // nolint:funlen,gocyclo,gocognit
 		return nil, err
 	}
 
-	data := &TransactionData{
+	txData := &TransactionData{
 		ProfileID:               profile.ID,
 		ProfileVersion:          profile.Version,
 		OrgID:                   profile.OrganizationID,
@@ -75,23 +75,23 @@ func (s *Service) InitiateIssuance( // nolint:funlen,gocyclo,gocognit
 	}
 
 	if req.WalletInitiatedIssuance {
-		data.State = TransactionStateAwaitingIssuerOIDCAuthorization
+		txData.State = TransactionStateAwaitingIssuerOIDCAuthorization
 	}
 
-	if err = s.extendTransactionWithOIDCConfig(ctx, profile, data); err != nil {
+	if err = s.extendTransactionWithOIDCConfig(ctx, profile, txData); err != nil {
 		return nil, err
 	}
 
-	if err = setGrantType(data, profile.OIDCConfig.GrantTypesSupported, req.GrantType); err != nil {
+	if err = setGrantType(txData, profile.OIDCConfig.GrantTypesSupported, req.GrantType); err != nil {
 		return nil, err
 	}
 
-	if err = setScopes(data, profile.OIDCConfig.ScopesSupported, req.Scope); err != nil {
+	if err = setScopes(txData, profile.OIDCConfig.ScopesSupported, req.Scope); err != nil {
 		return nil, err
 	}
 
-	if data.ResponseType == "" {
-		data.ResponseType = defaultResponseType
+	if txData.ResponseType == "" {
+		txData.ResponseType = defaultResponseType
 	}
 
 	if isPreAuthorizeFlow {
@@ -120,19 +120,19 @@ func (s *Service) InitiateIssuance( // nolint:funlen,gocyclo,gocognit
 				fmt.Errorf("store claim data: %w", claimDataErr))
 		}
 
-		data.ClaimDataID = claimDataID
+		txData.ClaimDataID = claimDataID
 
-		data.IsPreAuthFlow = true
-		data.PreAuthCode = generatePreAuthCode()
-		data.PreAuthCodeExpiresAt = lo.ToPtr(time.Now().UTC().Add(time.Duration(s.preAuthCodeTTL) * time.Second))
-		data.OpState = data.PreAuthCode // set opState as it will be empty for pre-auth
+		txData.IsPreAuthFlow = true
+		txData.PreAuthCode = generatePreAuthCode()
+		txData.PreAuthCodeExpiresAt = lo.ToPtr(time.Now().UTC().Add(time.Duration(s.preAuthCodeTTL) * time.Second))
+		txData.OpState = txData.PreAuthCode // set opState as it will be empty for pre-auth
 	}
 
 	if req.UserPinRequired {
-		data.UserPin = s.pinGenerator.Generate(uuid.NewString())
+		txData.UserPin = s.pinGenerator.Generate(uuid.NewString())
 	}
 
-	tx, err := s.store.Create(ctx, data)
+	tx, err := s.store.Create(ctx, txData)
 	if err != nil {
 		return nil, resterr.NewSystemError(resterr.TransactionStoreComponent, "create",
 			fmt.Errorf("store tx: %w", err))

pkg/service/oidc4ci/oidc4ci_service_test.go

@@ -557,7 +557,7 @@ func TestService_PrepareClaimDataAuthorizationRequest(t *testing.T) {
 			check: func(t *testing.T, resp *oidc4ci.PrepareClaimDataAuthorizationResponse, err error) {
 				require.NoError(t, err)
 				require.NotNil(t, resp)
-				require.Equal(t, []string{"openid", "profile", "address"}, resp.Scope)
+				require.Equal(t, []string{"openid", "profile"}, resp.Scope)
 			},
 		},
 		{
@@ -616,7 +616,7 @@ func TestService_PrepareClaimDataAuthorizationRequest(t *testing.T) {
 			check: func(t *testing.T, resp *oidc4ci.PrepareClaimDataAuthorizationResponse, err error) {
 				require.NoError(t, err)
 				require.NotNil(t, resp)
-				require.Equal(t, []string{"openid", "profile", "address"}, resp.Scope)
+				require.Equal(t, []string{"openid", "profile"}, resp.Scope)
 			},
 		},
 		{