Merge pull request #67 from FIWARE/token-exchang

Token exchange

Author: wistefan

.github/workflows/test.yaml

@@ -13,7 +13,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.21
+          go-version: 1.24
 
       - name: Install coveralls dependencies
         run: |
@@ -25,6 +25,7 @@ jobs:
         run: |
           go get github.com/gookit/goutil@v0.6.6
           go get github.com/gookit/goutil/envutil@v0.6.6
+          go get github.com/gin-gonic/gin@v1.9.1
 
       - name: Go test
         run: |

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23-alpine AS build
+FROM golang:1.24-alpine AS build
 
 WORKDIR /go/src/app
 COPY ./ ./
@@ -8,7 +8,7 @@ RUN apk add build-base
 RUN go get -d -v ./...
 RUN go build -v .
 
-FROM golang:1.23-alpine
+FROM golang:1.24-alpine
 
 LABEL org.opencontainers.image.source="https://github.com/FIWARE/VCVerifier"
 

api/api.yaml

@@ -10,6 +10,26 @@ tags:
     description: All api-endpoints, e.g. the once that can be reused by other applications
 
 paths:
+  /api/v1/authorization:
+    get:
+      tags: 
+        - api
+      parameters:
+        - $ref: '#/components/parameters/QueryState'
+        - $ref: '#/components/parameters/ClientId'
+        - $ref: '#/components/parameters/RedirectUri'
+        - $ref: '#/components/parameters/RequestUri'
+        - $ref: '#/components/parameters/Scope'
+        - $ref: '#/components/parameters/Nonce'
+        - $ref: '#/components/parameters/ResponseType'
+      operationId: AuthorizationEndpoint
+      summary: OAuth-2 compliant authorization endpoint, to provide the correct redirect
+      description: Endpoint to be used as entry for the authorization process, providing the redirect to the concrete authorization method.
+        In case a request_uri provides access to an request object, all mandatory parameters can also be provided as part of that object.
+      responses:
+        '302': 
+          description: A redirect to the authorization entrypoint.
+        
   /api/v2/loginQR:
     get:
       tags:
@@ -97,6 +117,9 @@ paths:
       parameters:
         - $ref: '#/components/parameters/QueryState'
         - $ref: '#/components/parameters/ClientId'
+        - $ref: '#/components/parameters/Scope'
+        - $ref: '#/components/parameters/RequestMode'
+        - $ref: '#/components/parameters/RedirectPath'
       operationId: StartSIOPSameDevice
       summary: Starts the siop flow for credentials hold by the same device
       description: When the credential is already present in the requesting browser, the same-device flow can be used. It creates the login information and then redirects to the /authenticationresponse path.
@@ -153,7 +176,6 @@ paths:
       responses:
         '204':  
           description: Ok when it worked
-        
   /token:
     post:
       tags:
@@ -302,6 +324,14 @@ components:
       schema:
         type: string
         example: https://my-app.com/request.jwt
+    RedirectPath:
+      name: redirect_path
+      description: If no redirect path is provided, an 'oid4vp' deeplink will be returned
+      in: query
+      required: false
+      schema:
+        type: string
+        example: /
     VpToken:
       name: vp_token
       description: base64URLEncoded VerifiablePresentation
@@ -344,6 +374,14 @@ components:
       schema: 
         type: string
         example: packet-delivery-portal
+    ResponseType:
+      name: response_type
+      in: query
+      required: false
+      description: Type of the expected response. Currently, only "code" is supported
+      schema:
+        type: string
+        enum: ["code"]
   schemas:
     CredentialsType:
       type: array
@@ -600,7 +638,7 @@ components:
       properties:
         grant_type: 
           type: string
-          enum: ["authorization_code"]
+          enum: ["authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange"]
         code:
           type: string
           example: myRandomString
@@ -609,15 +647,43 @@ components:
           format: uri
           description: Same uri as provided as callback in the original request.
           example: https://my-portal.com/auth_callback
+        resource:
+          type: string
+          format: uri
+          description: A URI that indicates the target service or resource where the client intends to use the requested security token. Resource 
+            is ignored if the target client is provided as path parameter
+        audience:
+          type: string
+          description: The logical name of the target service where the client intends to use the requested security token.
+        scope:
+          type: array
+          items:
+            type: string
+          description:  A list of space-delimited, case-sensitive strings, that allow the client to specify the desired scope of the requested security token in the context of the service or resource where the token will be used.
+        requested_token_type:
+          type: string
+          description:  An identifier, for the type of the requested security token.
+          enum: ["urn:ietf:params:oauth:token-type:access_token"]
+        subject_token:
+          type: string
+          description: A security token that represents the identity of the party on behalf of whom the request is being made.
+        subject_token_type:
+          type: string
+          description: An identifier that indicates the type of the security token in the subject_token parameter.
+          enum: ["urn:eu:oidf:vp_token"]
+      required:
+        - grant_type
     TokenResponse:
       type: object
       properties:
         token_type:
           type: string
           enum: ["Bearer"]
+        issued_token_type:
+          type: string
+          enum: ["urn:ietf:params:oauth:token-type:access_token"]
         expires_in: 
           type: number
           example: 3600
         access_token:
           type: string
-    

common/metadata.go

@@ -2,6 +2,9 @@ package common
 
 const TYPE_CODE = "authorization_code"
 const TYPE_VP_TOKEN = "vp_token"
+const TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
+const TYPE_VP_TOKEN_SUBJECT = "urn:eu:oidf:vp_token"
+const TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
 
 type OpenIDProviderMetadata struct {
 	Issuer                                 string   `json:"issuer"`

config/config.go

@@ -73,7 +73,7 @@ type Verifier struct {
 	// policies that shall be checked
 	PolicyConfig Policies `mapstructure:"policies"`
 	// path of the authorizationEndpoint to be provided in the .well-known/openid-configuration
-	AuthorizationEndpoint string `mapstructure:"authorizationEndpoint" default:"/api/v2/loginQR"`
+	AuthorizationEndpoint string `mapstructure:"authorizationEndpoint"`
 	// Validation mode for validating the vcs. Does not touch verification, just content validation.
 	// applicable modes:
 	// * `none`: No validation, just swallow everything

config/configClient.go

@@ -40,9 +40,11 @@ type ServicesResponse struct {
 
 type ConfiguredService struct {
 	// Default OIDC scope to be used if none is specified
-	DefaultOidcScope string                `json:"defaultOidcScope" mapstructure:"defaultOidcScope"`
-	ServiceScopes    map[string]ScopeEntry `json:"oidcScopes" mapstructure:"oidcScopes"`
-	Id               string                `json:"id" mapstructure:"id"`
+	DefaultOidcScope  string                `json:"defaultOidcScope" mapstructure:"defaultOidcScope"`
+	ServiceScopes     map[string]ScopeEntry `json:"oidcScopes" mapstructure:"oidcScopes"`
+	Id                string                `json:"id" mapstructure:"id"`
+	AuthorizationType string                `json:"authorizationType,omitempty" mapstructure:"authorizationType,omitempty"`
+	AuthorizationPath string                `json:"authorizationPath,omitempty" mapstructure:"authorizationPath,omitempty"`
 }
 
 type ScopeEntry struct {
@@ -51,7 +53,7 @@ type ScopeEntry struct {
 	// 	Proofs to be requested - see https://identity.foundation/presentation-exchange/#presentation-definition
 	PresentationDefinition *PresentationDefinition `json:"presentationDefinition" mapstructure:"presentationDefinition"`
 	// JSON encoded query to request the credentials to be included in the presentation
-	DCQL *DCQL `json:"dcql,omitempty" mapstructure:"dcql,omitempty"`
+	DCQL *DCQL `json:"dcql" mapstructure:"dcql"`
 	// When set, the claim are flatten to plain JWT-claims before beeing included, instead of keeping the credential/presentation structure, where the claims are under the key vc or vp
 	FlatClaims bool `json:"flatClaims" mapstructure:"flatClaims"`
 }
@@ -155,7 +157,7 @@ type CredentialQuery struct {
 	// A string that specifies the format of the requested Credential.
 	Format string `json:"format,omitempty" mapstructure:"format,omitempty"`
 	// A boolean which indicates whether multiple Credentials can be returned for this Credential Query. If omitted, the default value is false.
-	Multiple bool `json:"multiple,omitempty" mapstructure:"multiple,omitempty"`
+	Multiple bool `json:"multiple" mapstructure:"multiple"`
 	// A non-empty array of objects  that specifies claims in the requested Credential. Verifiers MUST NOT point to the same claim more than once in a single query. Wallets SHOULD ignore such duplicate claim queries.
 	Claims []ClaimsQuery `json:"claims,omitempty" mapstructure:"claims,omitempty"`
 	// Defines additional properties requested by the Verifier that apply to the metadata and validity data of the Credential. The properties of this object are defined per Credential Format. If empty, no specific constraints are placed on the metadata or validity of the requested Credential.

config/configClient_test.go

@@ -2,7 +2,7 @@ package config
 
 import (
 	"io"
-	"io/ioutil"
+	"os"
 	"strings"
 	"testing"
 
@@ -20,7 +20,7 @@ func (mhc MockHttpClient) Get(url string) (resp *http.Response, err error) {
 }
 
 func readFile(filename string, t *testing.T) string {
-	data, err := ioutil.ReadFile("data/" + filename)
+	data, err := os.ReadFile("data/" + filename)
 	if err != nil {
 		t.Error("could not read file", err)
 	}

config/data/config_test.yaml

@@ -5,14 +5,15 @@ server:
 
 logging:
   level: "DEBUG"
-  jsonLogging: "true"
-  logRequests: "true"
+  jsonLogging: true
+  logRequests: true
   pathsToSkip: [/health]
 
 verifier:
   did: "did:key:somekey"
   tirAddress: "https://test.dev/trusted_issuer/v3/issuers/"
   sessionExpiry: 30
+  authorizationEndpoint: "/api/v2/loginQR"
   policies:
     default:
       SignaturePolicy: {}

config/data/test.yaml

@@ -0,0 +1,41 @@
+server: 
+  host: http://localhost:8080
+  port: 3000
+  staticDir: views/static
+  templateDir: views/
+m2m:
+  authEnabled: false
+logging:
+  level: DEBUG
+  logRequests: true
+  pathsToSkip:
+  - /metrics
+  - /health
+verifier:
+  did: did:key:somekey
+  tirAddress: https://test.dev/trusted_issuer/v3/issuers/
+  supportedModes:
+    - byValue
+    - byReference
+configRepo:
+  services:
+    - id: test-service-sd
+      defaultOidcScope: sd-test
+      authorizationType: "DEEPLINK"
+      authorizationPath: "/test-service-sd/authorization"
+      oidcScopes:     
+        "sd-test":
+          credentials:
+            - type: LegalPersonCredential
+              trustedParticipantsLists: 
+                - type: ebsi
+                  url: tir.org
+              trustedIssuersLists: 
+                - til.org
+          dcql:
+            credentials:
+              - id: legal-person-query
+                format: dc+sd-jwt
+                meta:
+                  vct_values:
+                    - LegalPersonCredential

config/provider.go

@@ -1,19 +1,77 @@
 package config
 
 import (
+	"fmt"
+	"reflect"
+
 	"github.com/gookit/config/v2"
 	"github.com/gookit/config/v2/yaml"
+	"github.com/mitchellh/mapstructure"
 )
 
 // read the config from the config file
 func ReadConfig(configFile string) (configuration Configuration, err error) {
 	config.WithOptions(config.ParseDefault)
 	config.AddDriver(yaml.Driver)
-	err = config.LoadFiles(configFile)
 
+	if err = config.LoadFiles(configFile); err != nil {
+		return
+	}
+
+	// pass 1: apply defaults & env vars
+	if err = config.BindStruct("", &configuration); err != nil {
+		return
+	}
+
+	raw := config.Data()
+	normalized := forceStringKeys(raw)
+
+	decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
+		TagName: "mapstructure",
+		Result:  &configuration,
+	})
 	if err != nil {
 		return
 	}
-	config.BindStruct("", &configuration)
+	if err = decoder.Decode(normalized); err != nil {
+		return
+	}
+
 	return
 }
+
+func forceStringKeys(m interface{}) interface{} {
+	switch v := m.(type) {
+	case map[interface{}]interface{}:
+		newMap := make(map[string]interface{})
+		for key, val := range v {
+			newMap[fmt.Sprintf("%v", key)] = forceStringKeys(val)
+		}
+		return newMap
+	case map[string]interface{}:
+		newMap := make(map[string]interface{})
+		for key, val := range v {
+			newMap[key] = forceStringKeys(val)
+		}
+		return newMap
+	case []interface{}:
+		for i := range v {
+			v[i] = forceStringKeys(v[i])
+		}
+		return v
+	default:
+		return v
+	}
+}
+
+func autoAllocHook() mapstructure.DecodeHookFunc {
+	return func(from reflect.Type, to reflect.Type, data interface{}) (interface{}, error) {
+		// If target type is a pointer to struct, and source is a map,
+		// allocate the target before decoding.
+		if to.Kind() == reflect.Ptr && to.Elem().Kind() == reflect.Struct {
+			v := reflect.New(to.Elem())
+			return v.Interface(), nil
+		}
+		return data, nil
+	}
+}