openwallet-foundation · TimoGlastra · Aug 30, 2024 · Aug 30, 2024 · Sep 11, 2024 · Sep 11, 2024
diff --git a/demo-openid/package.json b/demo-openid/package.json
@@ -10,15 +10,19 @@
  "license": "Apache-2.0",
  "scripts": {
  "issuer": "ts-node src/IssuerInquirer.ts",
+ "provider": "tsx src/Provider.ts",
  "holder": "ts-node src/HolderInquirer.ts",
  "verifier": "ts-node src/VerifierInquirer.ts"
  },
  "dependencies": {
  "@hyperledger/anoncreds-nodejs": "^0.2.2",
  "@hyperledger/aries-askar-nodejs": "^0.2.3",
  "@hyperledger/indy-vdr-nodejs": "^0.2.2",
+ "@koa/bodyparser": "^5.1.1",
  "express": "^4.18.1",
- "inquirer": "^8.2.5"
+ "inquirer": "^8.2.5",
+ "jose": "^5.3.0",
+ "oidc-provider": "^8.4.6"
  },
  "devDependencies": {
  "@credo-ts/openid4vc": "workspace:*",
@@ -28,8 +32,10 @@
  "@types/express": "^4.17.13",
  "@types/figlet": "^1.5.4",
  "@types/inquirer": "^8.2.6",
+ "@types/oidc-provider": "^8.4.4",
  "clear": "^0.1.0",
  "figlet": "^1.5.2",
- "ts-node": "^10.4.0"
+ "ts-node": "^10.4.0",
+ "tsx": "^4.11.0"
  }
 }
diff --git a/demo-openid/src/Holder.ts b/demo-openid/src/Holder.ts
@@ -39,16 +39,34 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
  resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer,
  credentialsToRequest: string[]
  ) {
- const tokenResponse = await this.agent.modules.openId4VcHolder.requestToken({ resolvedCredentialOffer })
+ const resolvedAuthorizationRequest = await this.agent.modules.openId4VcHolder.resolveIssuanceAuthorizationRequest(
+ resolvedCredentialOffer,
+ {
+ clientId: 'foo',
+ redirectUri: 'http://example.com',
+ scope: ['openid', 'UniversityDegree'],
+ }
+ )
+
+ console.log(resolvedAuthorizationRequest.authorizationRequestUri)
+
+ let code = 'not a valid code!'
+ code = 'MU_MtTZjjhjmzuzGZdsLSam2GcC-7c4g_k5ukV2XO3i'
+
+ const tokenResponse = await this.agent.modules.openId4VcHolder.requestToken({
+ resolvedAuthorizationRequest,
+ code,
+ resolvedCredentialOffer,
+ })
+
  const credentialResponse = await this.agent.modules.openId4VcHolder.requestCredentials({
  resolvedCredentialOffer,
- ...tokenResponse,
- // TODO: add jwk support for holder binding
  credentialsToRequest,
  credentialBindingResolver: async () => ({
  method: 'did',
  didUrl: this.verificationMethod.id,
  }),
+ ...tokenResponse,
  })
 
  const storedCredentials = await Promise.all(

diff --git a/demo-openid/src/Issuer.ts b/demo-openid/src/Issuer.ts
@@ -4,6 +4,7 @@ import type {
  OpenId4VcCredentialHolderDidBinding,
  OpenId4VciCredentialRequestToCredentialMapper,
  OpenId4VciCredentialSupportedWithId,
+ OpenId4VciCredentialSupportedWithIdAndScope,
  OpenId4VcIssuerRecord,
 } from '@credo-ts/openid4vc'
 
@@ -28,13 +29,15 @@ export const universityDegreeCredential = {
  id: 'UniversityDegreeCredential',
  format: OpenId4VciCredentialFormatProfile.JwtVcJson,
  types: ['VerifiableCredential', 'UniversityDegreeCredential'],
-} satisfies OpenId4VciCredentialSupportedWithId
+ scope: 'openid4vc:credential:UniversityDegreeCredential',
+} satisfies OpenId4VciCredentialSupportedWithIdAndScope
 
 export const openBadgeCredential = {
  id: 'OpenBadgeCredential',
  format: OpenId4VciCredentialFormatProfile.JwtVcJson,
  types: ['VerifiableCredential', 'OpenBadgeCredential'],
-} satisfies OpenId4VciCredentialSupportedWithId
+ scope: 'openid4vc:credential:OpenBadgeCredential',
+} satisfies OpenId4VciCredentialSupportedWithIdAndScope
 
 export const universityDegreeCredentialSdJwt = {
  id: 'UniversityDegreeCredential-sdjwt',
@@ -148,7 +151,9 @@ export class Issuer extends BaseAgent<{
  const issuer = new Issuer(2000, 'OpenId4VcIssuer ' + Math.random().toString())
  await issuer.initializeAgent('96213c3d7fc8d4d6754c7a0fd969598f')
  issuer.issuerRecord = await issuer.agent.modules.openId4VcIssuer.createIssuer({
+ issuerId: '726222ad-7624-4f12-b15b-e08aa7042ffa',
  credentialsSupported,
+ authorizationServerConfigs: [{ baseUrl: 'http://localhost:3042' }],
  })
 
  return issuer
@@ -158,7 +163,7 @@ export class Issuer extends BaseAgent<{
  const { credentialOffer } = await this.agent.modules.openId4VcIssuer.createCredentialOffer({
  issuerId: this.issuerRecord.issuerId,
  offeredCredentials,
- preAuthorizedCodeFlowConfig: { userPinRequired: false },
+ authorizationCodeFlowConfig: { issuerState: 'f498b73c-144f-4eea-bd6b-7be89b35936e' },
  })
 
  return credentialOffer

diff --git a/demo-openid/src/Provider.ts b/demo-openid/src/Provider.ts
@@ -0,0 +1,81 @@
+import { bodyParser } from '@koa/bodyparser'
+import Provider from 'oidc-provider'
+
+const oidc = new Provider('http://localhost:3042', {
+ clients: [
+ {
+ client_id: 'foo',
+ client_secret: 'bar',
+ redirect_uris: ['http://example.com'],
+ scope: 'openid',
+ grant_types: ['authorization_code'],
+ },
+ ],
+ pkce: {
+ methods: ['S256'],
+ required: () => {
+ console.log('checking pkce')
+ return true
+ },
+ },
+ features: {
+ dPoP: { enabled: false },
+ pushedAuthorizationRequests: {
+ enabled: true,
+ //requirePushedAuthorizationRequests: true,
+ },
+ },
+
+ async findAccount(ctx, id) {
+ console.log('called findAccount')
+ return {
+ accountId: id,
+ async claims(use, scope) {
+ console.log('called claims', scope)
+ return { sub: id }
+ },
+ }
+ },
+})
+
+oidc.use(bodyParser())
+oidc.use(async (ctx, next) => {
+ /** pre-processing
+ * you may target a specific action here by matching `ctx.path`
+ */
+
+ console.log('pre middleware', ctx.method, ctx.path)
+
+ if (ctx.path.includes('request')) {
+ console.log(ctx.request.body)
+ ctx.request.body.client_secret = 'bar'
+ }
+
+ if (ctx.path.includes('auth')) {
+ const match = ctx.body?.match(/code=([^&]*)/)
+ const code = match ? match[1] : null
+ console.log('code', code)
+ }
+
+ if (ctx.path.includes('token')) {
+ console.log('token endpoint')
+ ctx.request.body.client_secret = 'bar'
+ }
+
+ await next()
+
+ /** post-processing
+ * since internal route matching was already executed you may target a specific action here
+ * checking `ctx.oidc.route`, the unique route names used are
+ */
+
+ console.log('post middleware', ctx.method, ctx.oidc?.route)
+ if (ctx.path.includes('token')) {
+ console.log('token endpoint')
+ ctx.response.body
+ }
+})
+
+oidc.listen(3042, () => {
+ console.log('oidc-provider listening on port 3042, check http://localhost:3042/.well-known/openid-configuration')
+})
diff --git a/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderService.ts b/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderService.ts
@@ -192,6 +192,7 @@ export class OpenId4VciHolderService {
  const codeVerifier = (
  await Promise.all([agentContext.wallet.generateNonce(), agentContext.wallet.generateNonce()])
  ).join('')
+
  const codeVerifierSha256 = Hasher.hash(codeVerifier, 'sha-256')
  const codeChallenge = TypedArrayEncoder.toBase64URL(codeVerifierSha256)
 
@@ -202,9 +203,6 @@ export class OpenId4VciHolderService {
  })
 
  const authDetailsLocation = metadata.credentialIssuerMetadata.authorization_server
- ? metadata.credentialIssuerMetadata.authorization_server
- : undefined
-
  const authDetails = offeredCredentials
  .map((credential) => this.getAuthDetailsFromOfferedCredential(credential, authDetailsLocation))
  .filter((authDetail): authDetail is AuthorizationDetails => authDetail !== undefined)
@@ -237,6 +235,7 @@ export class OpenId4VciHolderService {
  scope: scope ? scope.join(' ') : undefined,
  authorizationDetails: authDetails,
  parMode: PARMode.AUTO,
+ clientId,
  },
  })
 
@@ -342,6 +341,9 @@ export class OpenId4VciHolderService {
  codeVerifier,
  redirectUri,
  createDPoPOpts,
+ additionalParams: {
+ client_id: resolvedAuthorizationRequest.clientId,
+ },
  })
  } else {
  accessTokenResponse = await accessTokenClient.acquireAccessToken({