draft issuance flow

- fixes nonce endpoint
- fixes credential endpoint
- fixes/improvements

Author: manpace

pyeudiw/oauth2/dpop/verifier.py

@@ -3,6 +3,7 @@
 import logging
 from typing import Optional
 
+from pyeudiw.jwk import JWK
 from pyeudiw.jwk.exceptions import KidError
 from pyeudiw.jwk.schemas.public import JwkSchema
 from pyeudiw.jwt.jws_helper import JWSHelper
@@ -105,8 +106,13 @@ def validate(self) -> bool:
         if self.dpop_authz_token:
             _ath = hashlib.sha256(self.dpop_authz_token.encode())
             _ath_b64 = base64.urlsafe_b64encode(_ath.digest()).rstrip(b"=").decode()
-            proof_valid = _ath_b64 == payload["ath"]
-
-            return proof_valid
-
+            if _ath_b64 != payload["ath"]:
+                logger.warning("ath validaton failed")
+                return False
+
+            token_payload = decode_jwt_payload(self.dpop_authz_token)   #dpop/token binding
+            b64_thumbprint = base64.urlsafe_b64encode(JWK(key=self.public_jwk).thumbprint).decode("utf-8").rstrip("=")
+            if b64_thumbprint != token_payload.get("cnf", {}).get("jkt"):
+                logger.warning("dpop/token binding failed")
+                return False
         return True

pyeudiw/satosa/frontends/openid4vci/endpoints/base_credential_endpoint.py

@@ -1,13 +1,17 @@
 import datetime
 import json
+import time
 from abc import ABC, abstractmethod
 from datetime import timedelta
 from typing import Any
 from uuid import uuid4
 
+from cryptojwt.jwk.jwk import key_from_jwk_dict
 from jinja2 import Template
 from pydantic import ValidationError
 from pymdoccbor.mdoc.issuer import MdocCborIssuer
+
+from pyeudiw.jwt.utils import decode_jwt_header, decode_jwt_payload
 from satosa.context import Context
 from satosa.response import Response
 
@@ -18,11 +22,8 @@
     POST_ACCEPTED_METHODS,
     VCIBaseEndpoint,
 )
-from pyeudiw.satosa.frontends.openid4vci.models.credential_endpoint_request import (
-    CredentialEndpointRequest,
-)
 from pyeudiw.satosa.frontends.openid4vci.models.openid4vci_basemodel import (
-    OpenId4VciBaseModel,
+    OpenId4VciBaseModel, ENDPOINT_CTX, CONFIG_CTX,
 )
 from pyeudiw.satosa.frontends.openid4vci.storage.engine import OpenId4VciDBEngineHandler
 from pyeudiw.satosa.frontends.openid4vci.storage.entity import AuthorizationSession
@@ -37,10 +38,9 @@
     CredentialConfiguration,
     CredentialConfigurationFormatEnum,
 )
-from pyeudiw.satosa.utils.session import get_session_id
 from pyeudiw.satosa.utils.validation import (
     validate_content_type,
-    validate_request_method,
+    validate_request_method, DPOP_HEADER, AUTHORIZATION_HEADER,
 )
 from pyeudiw.sd_jwt.issuer import SDJWTIssuer
 from pyeudiw.sd_jwt.utils.yaml_specification import (
@@ -63,6 +63,8 @@
 
 class BaseCredentialEndpoint(ABC, VCIBaseEndpoint):
 
+    _ENDPOINT_NAME = "credential"
+
     def __init__(
         self,
         config: dict,
@@ -111,15 +113,17 @@ def endpoint(self, context: Context) -> Response:
             if self.dpop_required:
                 if (
                     not context.http_headers
-                    or ("DPoP" not in context.http_headers)
-                    or ("Authorization" not in context.http_headers)
+                    or (DPOP_HEADER not in context.http_headers)
+                    or (AUTHORIZATION_HEADER not in context.http_headers)
                 ):
                     raise InvalidRequestException(
                         "Missing DPoP and/or Authorization header"
                     )
 
-                dpop = context.http_headers.get("DPoP")
-                authz = context.http_headers.get("Authorization")
+                dpop = context.http_headers.get(DPOP_HEADER)
+                authz = context.http_headers.get(AUTHORIZATION_HEADER)
+                if not dpop or not authz:
+                    raise InvalidRequestException("Invalid headers")
 
                 try:
                     dpop_verifier = DPoPVerifier(
@@ -134,14 +138,54 @@ def endpoint(self, context: Context) -> Response:
                     )
                     return self._handle_400(context, str(e), e)
 
-            entity = self.db_engine.get_by_session_id(get_session_id(context))
-            req = self.validate_request(context, entity)
-            credential_id = None
-            if isinstance(req, CredentialEndpointRequest):
-                credential_id = (
-                    req.credential_identifier or req.credential_configuration_id
-                )
-            return self.to_response(context, entity, credential_id)
+            auth_token = decode_jwt_payload(dpop_verifier.dpop_authz_token)
+            entity = self.db_engine.search_session_by_field("access_token_jti", auth_token.get("jti"))
+            auth_session = AuthorizationSession.model_validate(entity, context={
+                ENDPOINT_CTX: self._ENDPOINT_NAME,
+                CONFIG_CTX: self.config
+            })
+
+            data = self._get_body(context) or {}
+            credential_identifier = data.get("credential_identifier") or ""
+            # TODO: check/validate scope
+            if data.get("credential_configuration_id"):
+                credential_configuration_id = data
+            else:  # validate credential_identifier with authorization_details of token
+                if auth_session.authorization_details:
+                    for auth_details in auth_session.authorization_details:
+                        if auth_details.credential_identifiers:
+                            if credential_identifier in auth_details.credential_identifiers:
+                                credential_configuration_id = "_".join(credential_identifier.split("_")[:-1])
+                                break
+                    else:
+                        raise InvalidRequestException(
+                            "credential_identifier not match with token authorization_details")
+                else:
+                    raise InvalidRequestException("Invalid credential_configuration_id")
+
+            self.validate_request(context, entity)
+
+            proof_jwt = data.get("proof", {}).get("jwt") or ""
+            request_header = decode_jwt_header(proof_jwt)
+            request_payload = decode_jwt_payload(proof_jwt)
+            client_id = request_payload.get("iss")
+
+            #validate nonce
+            self._consume_nonce(request_payload.get("nonce"))
+
+            #validate client --> todo: move to self.validate_request
+            if not (key_attestation := request_header.get("key_attestation")):
+                return self._handle_400(context, "invalid key_attestation", InvalidRequestException("invalid_proof"))
+
+            k_payload = decode_jwt_payload(key_attestation)
+            for _k in k_payload.get("attested_keys") or []:
+                t_print = key_from_jwk_dict(_k).thumbprint("SHA-256").decode()
+                if t_print == client_id:
+                    break
+            else:
+                return self._handle_400(context, "client_id mismatch", InvalidRequestException("invalid_proof"))
+
+            return self.to_response(context, auth_session, credential_configuration_id)
 
         except (
             InvalidRequestException,
@@ -160,6 +204,17 @@ def endpoint(self, context: Context) -> Response:
                 context, "error during invoke credential endpoint", e
             )
 
+    def _consume_nonce(self, nonce):
+        if not (found_nonce := self.db_engine.get("get_nonce", nonce)):
+            raise InvalidRequestException("Invalid nonce")
+
+        now = round(time.time() * 1000)
+        if found_nonce["created_at"] + found_nonce["expires_in"] <= now:
+            raise InvalidRequestException("Expired nonce")
+
+        if self.db_engine.write("consume_nonce", nonce, now) < 1:
+            raise Exception("Unable to consume nonce, storage error")
+
     @abstractmethod
     def validate_request(self, context: Context, entity: dict) -> OpenId4VciBaseModel:
         pass
@@ -171,20 +226,16 @@ def to_response(
         pass
 
     def build_credential(
-        self, context: Context, credential_id: str | None
+        self, vci_entity: AuthorizationSession, credential_id: str | None
     ) -> list[str]:
         credential_list = []
-        entity = self.db_engine.get_by_session_id(get_session_id(context))
-
-        if not entity:
+        if not vci_entity:
             self._log_error(
                 self.__class__.__name__, "No entity found for the current session."
             )
             return credential_list
 
-        vci_entity = AuthorizationSession(**entity)
-
-        user = self._db_user_engine.get_by_fields(
+        user = self._db_user_engine.get("get_by_fields",
             self._extract_lookup_identifiers(vci_entity.attributes or {})
         )
         if credential_id:
@@ -315,11 +366,11 @@ def _loader(
                 )
 
     def _build_status_list_payload(self, user_id: str):
-        credential = self._db_credential_engine.get_credential_by_user_id(user_id)
+        # credential = self._db_credential_engine.get("get_credential_by_user_id", user_id) # todo: store credential
         return {
             "status_list": {
-                "idx": credential.incremental_id,
-                "uri": f"{self.status_endpoint}/{credential.incremental_id}",
+                "idx": "credential.incremental_id",
+                "uri": f"{self.status_endpoint}/{"credential.incremental_id"}",
             }
         }
 

pyeudiw/satosa/frontends/openid4vci/endpoints/credential_endpoint.py

@@ -146,21 +146,22 @@ def validate_request(self, context: Context, entity: dict) -> OpenId4VciBaseMode
         if not c_req.proof or not c_req.proof.jwt:
             return c_req
 
-        proof_jws_helper = JWSHelper(self.config["metadata_jwks"])
+        proof_header = decode_jwt_header(c_req.proof.jwt)
+        proof_jws_helper = JWSHelper(proof_header.get("jwk"))
         proof_payload = proof_jws_helper.verify(c_req.proof.jwt)
-        _verify_key_attestation(c_req.proof.jwt, proof_payload, self._trust_evaluator)
+
+        # _verify_key_attestation(c_req.proof.jwt, proof_payload, self._trust_evaluator) #todo check it
         ProofJWT.model_validate(
-            proof_payload,
+            (proof_payload | proof_header), #todo split header and payload for Proof model
             context={
                 CLIENT_ID_CTX: entity["client_id"],
-                ENTITY_ID_CTX: self.entity_id,
-                NONCE_CTX: entity["c_nonce"],
+                ENTITY_ID_CTX: self.entity_id
             },
         )
         return c_req
 
     def to_response(
-        self, context: Context, entity: AuthorizationSession, credential_id: str | None
+        self, context: Context, auth_session: AuthorizationSession, credential_id: str | None
     ) -> Response:
         """
         Generate a response containing the issued credential.
@@ -171,7 +172,7 @@ def to_response(
 
         Args:
             context (Context): The SATOSA context.
-            entity (AuthorizationSession): The entity containing stateful session data.
+            auth_session (AuthorizationSession): session data.
 
         Returns:
             Response: A SATOSA HTTP response with the issued credential.
@@ -180,6 +181,6 @@ def to_response(
         return CredentialEndpointResponse.to_response(
             [
                 CredentialItem(credential=cred)
-                for cred in self.build_credential(context, credential_id)
+                for cred in self.build_credential(auth_session, credential_id)
             ]
         )

pyeudiw/satosa/frontends/openid4vci/endpoints/deferred_credential_endpoint.py

@@ -45,7 +45,7 @@ def validate_request(
         )
 
     def to_response(
-        self, context: Context, entity: AuthorizationSession, credential_id: str | None
+        self, context: Context, auth_session: AuthorizationSession, credential_id: str | None
     ) -> Response:
         """
         Generate a response containing the issued credential.
@@ -56,7 +56,7 @@ def to_response(
 
         Args:
             context (Context): The SATOSA context.
-            entity (AuthorizationSession): The entity containing stateful session data.
+            auth_session (AuthorizationSession): The entity containing stateful session data.
 
         Returns:
             Response: A SATOSA HTTP response with the issued credential.
@@ -65,6 +65,6 @@ def to_response(
         return DeferredCredentialEndpointResponse.to_response(
             [
                 CredentialItem(credential=cred)
-                for cred in self.build_credential(context, credential_id)
+                for cred in self.build_credential(auth_session, credential_id)
             ]
         )

pyeudiw/satosa/frontends/openid4vci/endpoints/nonce_endpoint.py

@@ -1,3 +1,4 @@
+import time
 from uuid import uuid4
 
 from satosa.context import Context
@@ -21,6 +22,8 @@
 
 class NonceHandler(VCIBaseEndpoint):
 
+    _DEFAULT_DURATION = 300
+
     def __init__(
         self,
         config: dict,
@@ -43,6 +46,7 @@ def __init__(
         super().__init__(config, internal_attributes, base_url, name)
         self.jws_helper = JWSHelper(self.config["metadata_jwks"])
         self.db_engine = OpenId4VciDBEngineHandler(config).db_engine
+        self.expired_sec = self.config.get("nonce_duration") or self._DEFAULT_DURATION
 
     def endpoint(self, context: Context) -> Response:
         """
@@ -64,8 +68,11 @@ def endpoint(self, context: Context) -> Response:
                     context, "Request body must be empty for nonce endpoint"
                 )
             c_nonce = str(uuid4())
-            #todo cipher text + cache
+            ts = round(time.time() * 1000)
+            if self.db_engine.write("insert_nonce", nonce=c_nonce, created_at=ts, expires_in=self.expired_sec) < 1:
+                return self._handle_500(context, "error during nonce generating", Exception("Nonce error"))
             return NonceResponse.to_response(c_nonce)
+
         except (InvalidRequestException, InvalidScopeException) as e:
             return self._handle_400(context, e.message, e)
         except Exception as e:

pyeudiw/satosa/frontends/openid4vci/endpoints/token_endpoint.py

@@ -1,4 +1,5 @@
 import base64
+import secrets
 from enum import Enum
 
 from cryptojwt.jwk.jwk import key_from_jwk_dict
@@ -156,14 +157,32 @@ def endpoint(self, context: Context):
             )
             iat = iat_now()
             authorization_details = vci_entity.authorization_details
+
             if authorization_details or len(authorization_details) > 0:
                 for ad in authorization_details:
-                    ad.credential_identifiers = [] #todo fix it
+                    if ad.credential_identifiers is None:
+                        ad.credential_identifiers = []
+
+                    # TODO: review dataset credential identifier
+                    dataset_cred_id = secrets.token_hex(16) #authentic source dataset identifier
+                    cred_type = ad.credential_configuration_id + "_" + dataset_cred_id
+                    ad.credential_identifiers.append(cred_type)
 
             cnf = self._build_dpop_cnf(dpop_verifier) if dpop_verifier else {}
+
+            access_token = self._to_token(iat, vci_entity, TokenTypsEnum.ACCESS_TOKEN_TYP, cnf)
+            refresh_token = self._to_token(iat, vci_entity, TokenTypsEnum.REFRESH_TOKEN_TYP, cnf)
+
+            vci_entity.access_token_jti = access_token.jti
+            vci_entity.refresh_token_jti = refresh_token.jti
+            vci_entity.dpop_jkt = cnf.get("jkt")
+
+            self.db_engine.upsert_session(vci_entity.session_id, vci_entity.model_dump())
+
+
             return TokenResponse.to_created_response(
-                self._to_token(iat, vci_entity, TokenTypsEnum.ACCESS_TOKEN_TYP, cnf),
-                self._to_token(iat, vci_entity, TokenTypsEnum.REFRESH_TOKEN_TYP, cnf),
+                self._sign_token(access_token, TokenTypsEnum.ACCESS_TOKEN_TYP.value),
+                self._sign_token(refresh_token, TokenTypsEnum.REFRESH_TOKEN_TYP.value),
                 iat + self.config_utils.get_jwt().access_token_exp,
                 authorization_details,
             )
@@ -192,7 +211,7 @@ def _build_dpop_cnf(self, dpop_verifier: DPoPVerifier) -> dict:
 
     def _to_token(
         self, iat: int, entity: AuthorizationSession, typ: TokenTypsEnum, cnf: dict = None
-    ) -> str:
+    ) -> AccessToken:
 
         if isinstance(entity, dict):
             entity = AuthorizationSession.model_validate(entity, context={
@@ -223,8 +242,7 @@ def _to_token(
         )
         if typ == TokenTypsEnum.REFRESH_TOKEN_TYP:
             token = RefreshToken(**token.model_dump())
-
-        return self._sign_token(token, typ.value)
+        return token
 
     def _sign_token(self, token: BaseModel, typ: str) -> str:
         jws_headers = {