Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 0 additions & 7 deletions auth/api/iam/generated.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

16 changes: 2 additions & 14 deletions auth/api/iam/openid4vci.go
Original file line number Diff line number Diff line change
Expand Up @@ -128,7 +128,7 @@ func (r Wrapper) RequestOpenid4VCICredentialIssuance(ctx context.Context, reques
if err != nil {
return nil, fmt.Errorf("failed to parse the authorization_endpoint: %w", err)
}
authzParams := map[string]string{
redirectUrl := nutsHttp.AddQueryParams(*authorizationEndpoint, map[string]string{
oauth.ResponseTypeParam: oauth.CodeResponseType,
oauth.StateParam: state,
oauth.ClientIDParam: clientID.String(),
Expand All @@ -137,19 +137,7 @@ func (r Wrapper) RequestOpenid4VCICredentialIssuance(ctx context.Context, reques
oauth.RedirectURIParam: redirectUri.String(),
oauth.CodeChallengeParam: pkceParams.Challenge,
oauth.CodeChallengeMethodParam: pkceParams.ChallengeMethod,
}
// Optional caller-supplied authorization request parameters, for issuers that need extras
// (e.g. auth_method=SmartCard). These may only add parameters; they must not override the
// OpenID4VCI parameters set by the node above, which are essential to the flow.
if request.Body.AuthorizationRequestParams != nil {
for key, value := range *request.Body.AuthorizationRequestParams {
if _, isNodeParam := authzParams[key]; isNodeParam {
return nil, core.InvalidInputError("authorization_request_params may not override the '%s' parameter set by the node", key)
}
authzParams[key] = value
}
}
redirectUrl := nutsHttp.AddQueryParams(*authorizationEndpoint, authzParams)
})

return RequestOpenid4VCICredentialIssuance200JSONResponse{
RedirectURI: redirectUrl.String(),
Expand Down
25 changes: 0 additions & 25 deletions auth/api/iam/openid4vci_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,31 +78,6 @@ func TestWrapper_RequestOpenid4VCICredentialIssuance(t *testing.T) {
assert.Equal(t, "code", redirectUri.Query().Get("response_type"))
assert.Equal(t, `[{"credential_configuration_id":"UniversityDegreeCredential","format":"vc+sd-jwt","type":"openid_credential"}]`, redirectUri.Query().Get("authorization_details"))
})
t.Run("ok - authorization_request_params merged into authorization request", func(t *testing.T) {
ctx := newTestClient(t)
ctx.openid4vciClient.EXPECT().OpenIDCredentialIssuerMetadata(nil, issuerClientID).Return(&metadata, nil)
ctx.iamClient.EXPECT().AuthorizationServerMetadata(nil, authServer).Return(&authzMetadata, nil)
req := requestCredentials(holderSubjectID, issuerClientID, redirectURI)
req.Body.AuthorizationRequestParams = &map[string]string{"auth_method": "SmartCard"}

response, err := ctx.client.RequestOpenid4VCICredentialIssuance(nil, req)

require.NoError(t, err)
redirectUri, err := url.Parse(response.(RequestOpenid4VCICredentialIssuance200JSONResponse).RedirectURI)
require.NoError(t, err)
assert.Equal(t, "SmartCard", redirectUri.Query().Get("auth_method"))
})
t.Run("error - authorization_request_params may not override a node parameter", func(t *testing.T) {
ctx := newTestClient(t)
ctx.openid4vciClient.EXPECT().OpenIDCredentialIssuerMetadata(nil, issuerClientID).Return(&metadata, nil)
ctx.iamClient.EXPECT().AuthorizationServerMetadata(nil, authServer).Return(&authzMetadata, nil)
req := requestCredentials(holderSubjectID, issuerClientID, redirectURI)
req.Body.AuthorizationRequestParams = &map[string]string{oauth.ClientIDParam: "attacker"}

_, err := ctx.client.RequestOpenid4VCICredentialIssuance(nil, req)

assert.ErrorContains(t, err, "authorization_request_params may not override the 'client_id' parameter")
})
t.Run("ok - credential_request_params persisted into session", func(t *testing.T) {
ctx := newTestClient(t)
ctx.openid4vciClient.EXPECT().OpenIDCredentialIssuerMetadata(nil, issuerClientID).Return(&metadata, nil)
Expand Down
14 changes: 0 additions & 14 deletions docs/_static/auth/v2.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -187,20 +187,6 @@ paths:
{
"some-requested-credential-attribute": "900184590"
}
authorization_request_params:
type: object
additionalProperties:
type: string
description: |
Optional key/value pairs added to the OpenID4VCI authorization request (the redirect to the
Authorization Server's authorization_endpoint). These may only add parameters; they must not
override the OpenID4VCI parameters set by the node (the request is rejected if they do).
Prefer authorization_details (RFC 9396) where the issuer supports it; use this only for issuers
that require non-standard authorization parameters (e.g. auth_method for AET smartcards).
example: |
{
"auth_method": "SmartCard"
}
redirect_uri:
type: string
description: |
Expand Down
7 changes: 0 additions & 7 deletions e2e-tests/browser/client/iam/generated.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading