DO NOT MERGE: Project branch for Generic Functions (Pilot Phase)#4308
Draft
reinkrul wants to merge 123 commits into
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
When using mCSD for addressing, the OAuth token endpoint must be provided to the AT-Request instead of being resolved via a DID-Document. This commit adds a request param for this.
…l Request
Adds an optional credential_details JSON object to POST /internal/auth/v2/{subjectID}/request-credential.
The node uses it as the base body of the outgoing OpenID4VCI Credential Request and overlays its own
JWT proof on top. Lets the wallet integrate with issuers (e.g. AET SDK) that accept additional fields
in the Credential Request body beyond what OpenID4VCI v1.0 defines.
Closes #4233
Assisted by AI
Switch VerifiableCredentials to TestResponseCodeWithLog so the upstream response body is surfaced in the logs, making it possible to diagnose 4xx/5xx responses from the credential endpoint. Assisted by AI
The 1.0 spec wraps credentials in a "credentials" array; pre-1.0 drafts returned a single "credential" string. Custom UnmarshalJSON on CredentialResponse handles both, taking the first entry from the array form and warning if the issuer returned more. Assisted by AI
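The dual-shape decoding this commit describes, as an added example (not the project's own CredentialResponse type): the 1.0 "credentials" array is tried first, the pre-1.0 "credential" string second, and the caller is warned when the array holds more than one entry. It assumes credential values are JWT strings, as the commit message states.

```go
package main

import (
	"encoding/json"
	"errors"
	"log"
)

// CredentialResponse accepts the OpenID4VCI 1.0 shape ("credentials" array of
// objects with a "credential" member) and the pre-1.0 draft shape (a single
// "credential" string). Example type, not the project's own.
type CredentialResponse struct {
	Credential string // the accepted (first) credential, assumed to be a JWT string
	Extra      int    // credentials beyond the first in the array form
}

// UnmarshalJSON implements json.Unmarshaler: the 1.0 array form wins when
// present, otherwise the draft string form is used; neither is an error.
func (r *CredentialResponse) UnmarshalJSON(data []byte) error {
	var raw struct {
		Credentials []struct {
			Credential string `json:"credential"`
		} `json:"credentials"`
		Credential string `json:"credential"`
	}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	switch {
	case len(raw.Credentials) > 0:
		r.Credential = raw.Credentials[0].Credential
		r.Extra = len(raw.Credentials) - 1
	case raw.Credential != "":
		r.Credential = raw.Credential
	default:
		return errors.New("credential response has neither 'credentials' nor 'credential'")
	}
	return nil
}

// parseCredentialResponse decodes a response body and warns when the issuer
// returned more credentials than the single one that was requested.
func parseCredentialResponse(body string) (CredentialResponse, error) {
	var resp CredentialResponse
	if err := json.Unmarshal([]byte(body), &resp); err != nil {
		return CredentialResponse{}, err
	}
	if resp.Extra > 0 {
		log.Printf("warning: issuer returned %d extra credential(s), using the first", resp.Extra)
	}
	return resp, nil
}
```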
Conflicts:
  auth/api/iam/bearer_token.go
  auth/api/iam/s2s_vptoken_test.go
  auth/auth.go
  auth/client/iam/client.go
  auth/client/iam/openid4vp.go
  auth/client/iam/openid4vp_test.go
  auth/services/oauth/authz_server_test.go
  auth/test.go
  crypto/jwx/algorithm.go
  crypto/jwx_test.go
Conflicts:
  auth/api/iam/openid4vci.go
  auth/api/iam/openid4vci_test.go
  auth/api/iam/session.go
  auth/client/iam/client.go
  docs/_static/auth/v2.yaml
  docs/pages/release_notes.rst
When the OpenID4VCI credential endpoint returns a non-2xx status, log the status code and response body (Warn) so issuance failures (e.g. 400) can be diagnosed without enabling debug. The body is already buffered for structured-error parsing, so no extra read. Assisted by AI
Pilot branch carrying the master merge so project-gf stays untouched. Conflict resolution (overlapping RFC 7523 jwt-bearer work on both sides):
- jwt-bearer flow: adopted master's design (two-VP flow gated by service_provider_subject_id + auth.experimental.jwtbearerclient). Dropped project-gf's single-VP grant negotiation.
- Consolidated grant-type constant to oauth.JwtBearerGrantType.
- Dropped policy_id (request param, client signature, OpenAPI field); the presentation definition is resolved from scope. Regenerated API.
- Preserved project-gf-only behavior: disabled access-token cache (credential-revocation testing), OpenIdCredentialIssuerMetadata / VerifiableCredentials client methods, server-side jwt-bearer handler, GrantTypes config, gorm pinned at v1.30.2.
- Regenerated mocks and IAM API after resolving.
Assisted by AI
Qlty Cloud coverage report: merging this pull request will decrease total coverage on Modified Files with Diff Coverage (35).
Add project-gf-pilot to the build-images push/pull_request triggers so it builds and pushes a branch-tagged image, same as project-gf. Assisted by AI
…uth-code flow Add experimental auth.experimental.clients config so the node can present a configured client_id (and client_secret via client_secret_post) to external authorization servers that do not understand the Nuts-specific entity_id client_id scheme. Entries are matched against the OAuth Authorization Server issuer; when no entry matches, behavior is unchanged (did:web + entity_id). Client secrets are redacted from the logged/printed configuration. Implements #4316. Assisted by AI
Configurable OAuth client authentication for the OpenID4VCI authorization code flow (#4316). Assisted by AI
Conflicts:
  auth/auth.go
Allows callers to merge issuer-specific query parameters (e.g. auth_method=SmartCard) into the OpenID4VCI authorization request, mirroring the credential_request_params escape hatch. Caller-supplied values override node defaults for the same key. Assisted by AI
…params Align the OpenID4VCI requestCredential field name with the sibling credential_request_params. See #4328. Assisted by AI
Adds a configurable log level for outgoing HTTP requests/responses made by the node, mirroring http.log for incoming traffic. Reuses the existing http.LogLevel enum (nothing/metadata/metadata-and-body) and defaults to nothing. Wired up in http.configureClient() via a transport-wrapping hook on the http client package. Assisted by AI
Caller-supplied authorization_request_params may only add parameters to the OpenID4VCI authorization request; attempting to override a parameter the node sets (client_id, state, code_challenge, etc.) now fails loud with a 400 instead of silently winning. Assisted by AI
Conflicts:
  auth/api/iam/openid4vci.go
The logging transport wrapper was decided when the HTTP client was created. Engines that build their clients before the HTTP engine is configured (e.g. auth's OpenID4VCI client) never got the wrapper, since client.RequestLogger was still nil at construction. The HTTP engine is registered/configured last, so http.client.log had no effect on those clients. Always install a thin loggingTransport indirection in getTransport that reads RequestLogger per request, mirroring how StrictMode is read at request time. Clients created before logging is configured now log. Assisted by AI
Make the log level the single control instead of also depending on the global debug verbosity:
- Log request and response headers at both 'metadata' and 'metadata-and-body' (previously headers required debug verbosity).
- Mask credential-bearing request headers (Authorization, Proxy-Authorization) so they don't leak into the logs. Response WWW-Authenticate is a challenge, not a credential, so it is not masked.
Assisted by AI
Relocate the outgoing-request logger from the http package to http/client, where the rest of the client transport code lives, and address naming:
- The round tripper is now loggingTransport (it logs both request and response), gated by client.LogRequests / client.LogRequestBodies which are read at request time. This replaces the clientRequestLogger type and the RequestLogger func indirection.
- Extract the loggable-content-types list to http/log.IsLoggableContentType as the single source of truth, used by both the client logger and the server-side body logger (previously duplicated).
Assisted by AI
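The header-masking round tripper described in the two commits above, as an added example and not the project's loggingTransport: the enabled check is evaluated per request (so clients built before logging was configured start logging once it is switched on), request headers Authorization and Proxy-Authorization are masked in a copy so the real request is untouched, and response headers such as WWW-Authenticate are logged as-is. The roundTripFunc adapter and the logf/enabled hooks are assumptions for the example.

```go
package main

import (
	"net/http"
)

// Request headers that carry credentials are masked before logging. The
// response's WWW-Authenticate is a challenge, not a credential, so response
// headers are logged as-is. Added example, not the project's own transport.
var credentialHeaders = map[string]bool{"Authorization": true, "Proxy-Authorization": true}

// maskHeaders returns a copy of h with credential-bearing values replaced,
// leaving the request's own header map untouched.
func maskHeaders(h http.Header) http.Header {
	out := h.Clone()
	for name := range out {
		if credentialHeaders[http.CanonicalHeaderKey(name)] {
			out[name] = []string{"[masked]"}
		}
	}
	return out
}

// roundTripFunc adapts a plain function to http.RoundTripper (used in tests).
type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// loggingTransport wraps another RoundTripper and logs request and response
// metadata. enabled is evaluated per request, so a client created before
// logging was configured starts logging once the setting is turned on.
type loggingTransport struct {
	next    http.RoundTripper
	enabled func() bool
	logf    func(format string, args ...any)
}

func (t *loggingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	on := t.enabled != nil && t.enabled()
	if on {
		t.logf("-> %s %s headers=%v", req.Method, req.URL, maskHeaders(req.Header))
	}
	resp, err := t.next.RoundTrip(req)
	if on && err == nil {
		t.logf("<- %d headers=%v", resp.StatusCode, resp.Header)
	}
	return resp, err
}
```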
…T profile Add auth.experimental.profile.<name>.authrequest: named bundles of authorization request parameters. A new 'profile' field on requestCredential selects one by name; the node ships a built-in 'aet' profile (AET UZI smartcard issuer) and operator config of the same name is merged over it. Profiles are trusted config and may override node parameters; the raw authorization_request_params escape hatch still may not. Implements #4338. Assisted by AI
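The three-layer merge implied by this commit and the earlier authorization_request_params change, as an added example that is not the project's implementation: node-set parameters first, then a trusted profile that may override them, then the caller's raw params, which may only add keys; a collision yields ErrParamOverride, which the API handler is assumed to map to 400. The function and error names are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
)

// ErrParamOverride is returned when the raw authorization_request_params
// escape hatch tries to replace a parameter the node already set; the API
// handler is assumed to map it to 400 Bad Request.
type ErrParamOverride struct{ Name string }

func (e ErrParamOverride) Error() string {
	return fmt.Sprintf("authorization_request_params may not override %q", e.Name)
}

// buildAuthorizationParams assembles the OpenID4VCI authorization request
// query in three layers: parameters the node sets itself (client_id, state,
// code_challenge, ...), then a trusted request profile from operator config,
// which may override them, then the caller's raw params, which may only add
// keys. Added example, not the project's own implementation.
func buildAuthorizationParams(node, profile, caller map[string]string) (url.Values, error) {
	out := url.Values{}
	for k, v := range node {
		out.Set(k, v)
	}
	for k, v := range profile {
		out.Set(k, v) // trusted config: override is allowed
	}
	keys := make([]string, 0, len(caller))
	for k := range caller {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic: the first colliding key is reported
	for _, k := range keys {
		if _, exists := out[k]; exists {
			return nil, ErrParamOverride{Name: k}
		}
		out.Set(k, caller[k])
	}
	return out, nil
}
```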
TEMPORARY test hack for project-gf-pilot so AET issuance can be exercised without wiring a request profile into the caller. To be reverted once the profile mechanism is wired up. See #4338. Assisted by AI
…faultConfig Revert the temporary hardcoded AET scope on the OpenID4VCI authorization request (issuance now relies on the request profile). Move the built-in 'aet' profile from a separate builtinProfiles var into DefaultConfig and simplify AuthorizationRequestProfile to a plain lookup, matching the master-targeting implementation (#4338 / #4340). Assisted by AI
Metadata discovery derived URLs using only the RFC 8414 insert convention (well-known segment at the authority root, issuer/AS path appended). Servers that publish metadata only under the OIDC Discovery append convention (well-known after the path) returned 404 and could not complete issuance or token flows without per-deployment nginx rewrites.
Discovery now tries candidate locations in priority order and takes the first matching document:
1. insert (RFC 8414, unchanged happy path)
2. append (OIDC Discovery)
3. append openid-configuration (AS metadata only)
When the identifier has no path both forms collapse to one URL, so spec-compliant servers still make a single request. Each candidate shares the identifier's host and is SSRF-validated via core.ParsePublicURL, and the existing identifier-match check (credential_issuer / issuer must equal the requested identifier) is enforced on the accepted document, so the fallback cannot be steered to an attacker-chosen file. On exhaustion the error names the identifier and reports only non-404 failures; a >= 500 failure still maps to 502 Bad Gateway. Assisted by AI
Some authorization servers (e.g. IdentityServer) normalize the metadata issuer with a trailing slash, so a server reached at the append location with issuer "https://host/oauth/" was rejected against the requested identifier "https://host/oauth". Discovery then fell back to the credential issuer and surfaced an unrelated 404. Compare issuer / credential_issuer with a trailing-slash tolerance via oauth.IdentifiersMatch. Still rejects genuinely different identifiers, so the fallback cannot be steered to another document. Assisted by AI
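Candidate derivation and the tolerant identifier comparison from the two commits above, as an added example (not the project's discovery code or its oauth.IdentifiersMatch): candidates keep the identifier's scheme and host, duplicates collapse when the identifier has no path, and the issuer comparison ignores only a trailing slash. The SSRF check via core.ParsePublicURL and the HTTP fetch loop are assumed to happen separately.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// metadataCandidates lists the well-known URLs to try for an issuer or AS
// identifier, in priority order: insert (RFC 8414), append (OIDC Discovery)
// and, for AS metadata only, append openid-configuration. Duplicates are
// dropped, so an identifier without a path yields a single URL. Every
// candidate keeps the identifier's scheme and host, so it cannot be steered
// to another host. Added example, not the project's own discovery code.
func metadataCandidates(identifier, wellKnown string, asMetadata bool) ([]string, error) {
	u, err := url.Parse(identifier)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("identifier must be an absolute https URL: %q", identifier)
	}
	base := "https://" + u.Host
	path := strings.TrimSuffix(u.Path, "/")
	all := []string{
		base + "/.well-known/" + wellKnown + path, // 1. insert
		base + path + "/.well-known/" + wellKnown, // 2. append
	}
	if asMetadata {
		all = append(all, base+path+"/.well-known/openid-configuration") // 3.
	}
	var out []string
	seen := map[string]bool{}
	for _, c := range all {
		if !seen[c] {
			seen[c] = true
			out = append(out, c)
		}
	}
	return out, nil
}

// IdentifiersMatch compares a metadata document's issuer / credential_issuer
// with the requested identifier, tolerating only a trailing-slash difference
// (some servers normalise "https://host/oauth" to "https://host/oauth/").
func IdentifiersMatch(got, want string) bool {
	return strings.TrimSuffix(got, "/") == strings.TrimSuffix(want, "/")
}
```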
The `display` field on OpenIDCredentialIssuerMetadata did not conform to the OpenID4VCI spec (section 12.2.4). Its values were never consumed and it caused issues with the AET integration. Since nothing reads it, removal is safe. Assisted by AI
Pilot Phase branch for Generic Functions, branched from project-gf with master merged in. Kept separate from project-gf so the PoC branch's backwards compatibility stays untouched.

Changes vs project-gf

Feature work added on top of project-gf that is not yet on master. Each item has its own PR open against master; merge order there is independent of this branch.
- http.client.log: log outgoing HTTP requests
- DefaultConfig (temporary scope hardcode added then removed); not yet reflected in #4340
- Display from issuer metadata

Reverted (net no change vs project-gf)
- authorization_request_params on the OpenID4VCI requestCredential API: added then reverted on this branch (7d571120) to track master. It merged to master as feat(auth): add authorization_request_params to OpenID4VCI requestCredential API #4333 and is being reverted there via Revert "feat(auth): add authorization_request_params to OpenID4VCI requestCredential API (#4333)" #4349. The AET auth_method=SmartCard use case is covered by request profiles (feat(auth): configurable OpenID4VCI request profiles with built-in AET profile #4340) instead.

Branch infrastructure (pilot-only)
- project-gf-pilot branch.

Merge resolution notes

Both project-gf and master independently implemented an RFC 7523 jwt-bearer flow; resolved as follows:
- service_provider_subject_id + auth.experimental.jwtbearerclient. Dropped project-gf's single-VP grant negotiation.
- oauth.JwtBearerGrantType.
- policy_id: dropped (request param, client signature, and OpenAPI field); the presentation definition is resolved from scope. API regenerated.
- OpenIdCredentialIssuerMetadata / VerifiableCredentials client methods, server-side jwt-bearer handler, GrantTypes config, gorm pinned at v1.30.2.
- go mod tidy reconciled dependencies.
- Full test suite passes.
Assisted by AI