Auth v2: support non-root base URL in OAuth2 metadata (#3274)

nuts-foundation · Jul 30, 2024 · 4cc35fb · 4cc35fb
1 parent e8e810d
commit 4cc35fb
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 2 deletions.
diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
@@ -873,11 +873,22 @@ func (r Wrapper) authzRequestObjectStore() storage.SessionStore {
 }
 
 // createOAuth2BaseURL creates an OAuth2 base URL for an owned did:web DID
-// It creates a URL in the following format: https://<did:web host>/oauth2/<did>
+// It creates a URL in the following format: https://<did:web host>/<base path>/oauth2/<did>
 func createOAuth2BaseURL(webDID did.DID) (*url.URL, error) {
 	didURL, err := didweb.DIDToURL(webDID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to convert DID to URL: %w", err)
 	}
-	return didURL.Parse("/oauth2/" + webDID.String())
+	// Part until /iam/<webDID> is the base path, which we need to prepend
+	tenantIdx := strings.Index(didURL.Path, "/iam/")
+	var basePath string
+	if tenantIdx != -1 {
+		basePath = didURL.Path[:tenantIdx]
+	}
+	result, err := didURL.Parse("/")
+	if err != nil {
+		return nil, err
+	}
+	result = result.JoinPath(basePath, "oauth2", webDID.String())
+	return result, err
 }
diff --git a/auth/api/iam/api_test.go b/auth/api/iam/api_test.go
@@ -85,6 +85,22 @@ func TestWrapper_OAuthAuthorizationServerMetadata(t *testing.T) {
 		assert.IsType(t, OAuthAuthorizationServerMetadata200JSONResponse{}, res)
 	})
 
+	t.Run("base URL (prepended before /iam)", func(t *testing.T) {
+		var webDID = did.MustParseDID("did:web:example.com:base:iam:123")
+		//	200
+		baseURL := test.MustParseURL("https://example.com/base")
+		ctx := newTestClientWithBaseURL(t, baseURL)
+		ctx.documentOwner.EXPECT().IsOwner(nil, webDID).Return(true, nil)
+
+		res, err := ctx.client.OAuthAuthorizationServerMetadata(nil, OAuthAuthorizationServerMetadataRequestObject{Did: webDID.String()})
+
+		require.NoError(t, err)
+		require.IsType(t, OAuthAuthorizationServerMetadata200JSONResponse{}, res)
+		md := res.(OAuthAuthorizationServerMetadata200JSONResponse)
+		assert.Equal(t, "https://example.com/base/oauth2/did:web:example.com:base:iam:123", md.Issuer)
+		assert.Equal(t, "https://example.com/base/oauth2/did:web:example.com:base:iam:123/presentation_definition", md.PresentationDefinitionEndpoint)
+	})
+
 	t.Run("error - DID not managed by this node", func(t *testing.T) {
 		//404
 		ctx := newTestClient(t)
@@ -1286,6 +1302,14 @@ func Test_createOAuth2BaseURL(t *testing.T) {
 		require.NotNil(t, actual)
 		assert.Equal(t, "https://example.com/oauth2/did:web:example.com:iam:holder", actual.String())
 	})
+	t.Run("with non-root base path", func(t *testing.T) {
+		webDID := did.MustParseDID("did:web:example.com:tenant1:iam:holder")
+		actual, err := createOAuth2BaseURL(webDID)
+
+		require.NoError(t, err)
+		require.NotNil(t, actual)
+		assert.Equal(t, "https://example.com/tenant1/oauth2/did:web:example.com:tenant1:iam:holder", actual.String())
+	})
 	t.Run("did:web with port", func(t *testing.T) {
 		const didAsString = "did:web:example.com%3A8080:iam:holder"
 		webDID := did.MustParseDID(didAsString)