VCR: Deduplicate AccessToken functions in IAM client (#3077)

Author: reinkrul

auth/api/auth/v1/api_test.go

@@ -598,7 +598,7 @@ func TestWrapper_CreateAccessToken(t *testing.T) {
 		params := CreateAccessTokenRequest{GrantType: "urn:ietf:params:oauth:grant-type:jwt-bearer", Assertion: validJwt}
 
 		in800000 := 800000
-		pkgResponse := &oauth2.TokenResponse{AccessToken: "foo", ExpiresIn: &in800000}
+		pkgResponse := oauth2.NewTokenResponse("foo", "Bearer", in800000, "")
 		ctx.authzServerMock.EXPECT().CreateAccessToken(gomock.Any(), services.CreateAccessTokenRequest{RawJwtBearerToken: validJwt}).Return(pkgResponse, nil)
 
 		expectedResponse := CreateAccessToken200JSONResponse{

auth/api/iam/api.go

@@ -220,7 +220,7 @@ func (r Wrapper) RetrieveAccessToken(_ context.Context, request RetrieveAccessTo
 	if err != nil {
 		return nil, err
 	}
-	if token.Status != nil && *token.Status == oauth.AccessTokenRequestStatusPending {
+	if token.Get("status") == oauth.AccessTokenRequestStatusPending {
 		// return pending status
 		return RetrieveAccessToken200JSONResponse(token), nil
 	}
@@ -625,10 +625,10 @@ func (r Wrapper) RequestUserAccessToken(ctx context.Context, request RequestUser
 	if err != nil {
 		return nil, err
 	}
-	status := oauth.AccessTokenRequestStatusPending
-	err = r.accessTokenClientStore().Put(sessionID, TokenResponse{
-		Status: &status,
-	})
+	tokenResponse := (&TokenResponse{}).With("status", oauth.AccessTokenRequestStatusPending)
+	if err = r.accessTokenClientStore().Put(sessionID, tokenResponse); err != nil {
+		return nil, err
+	}
 
 	// generate a link to the redirect endpoint
 	webURL, err := createOAuth2BaseURL(*requestHolder)
@@ -786,12 +786,13 @@ func (r Wrapper) CallbackOid4vciCredentialIssuance(ctx context.Context, request
 		log.Logger().WithError(err).Error("cannot fetch the right endpoints")
 		return nil, withCallbackURI(oauthError(oauth.ServerError, fmt.Sprintf("cannot fetch the right endpoints: %s", err.Error())), oid4vciSession.remoteRedirectUri())
 	}
-	response, err := r.auth.IAMClient().AccessTokenOid4vci(ctx, holderDid.String(), tokenEndpoint, oid4vciSession.RedirectUri, code, &pkceParams.Verifier)
+	response, err := r.auth.IAMClient().AccessToken(ctx, code, *issuerDid, oid4vciSession.RedirectUri, *holderDid, pkceParams.Verifier)
 	if err != nil {
 		log.Logger().WithError(err).Errorf("error while fetching the access_token from endpoint: %s", tokenEndpoint)
 		return nil, withCallbackURI(oauthError(oauth.AccessDenied, fmt.Sprintf("error while fetching the access_token from endpoint: %s, error: %s", tokenEndpoint, err.Error())), oid4vciSession.remoteRedirectUri())
 	}
-	proofJWT, err := r.proofJwt(ctx, *holderDid, *issuerDid, response.CNonce)
+	cNonce := response.Get(oauth.CNonceParam)
+	proofJWT, err := r.proofJwt(ctx, *holderDid, *issuerDid, &cNonce)
 	if err != nil {
 		log.Logger().WithError(err).Error("error while building proof")
 		return nil, withCallbackURI(oauthError(oauth.ServerError, fmt.Sprintf("error while fetching the credential from endpoint %s, error: %s", credentialEndpoint, err.Error())), oid4vciSession.remoteRedirectUri())

auth/api/iam/api_test.go

@@ -588,7 +588,7 @@ func TestWrapper_Callback(t *testing.T) {
 		var tokenResponse TokenResponse
 		err = ctx.client.accessTokenClientStore().Get(token, &tokenResponse)
 		require.NoError(t, err)
-		assert.Equal(t, oauth.AccessTokenRequestStatusActive, *tokenResponse.Status)
+		assert.Equal(t, oauth.AccessTokenRequestStatusActive, tokenResponse.Get("status"))
 		assert.Equal(t, "access", tokenResponse.AccessToken)
 	})
 	t.Run("unknown did", func(t *testing.T) {
@@ -904,7 +904,7 @@ func TestWrapper_RequestUserAccessToken(t *testing.T) {
 		var tokenResponse TokenResponse
 		require.NotNil(t, redirectResponse.SessionId)
 		err = ctx.client.accessTokenClientStore().Get(redirectResponse.SessionId, &tokenResponse)
-		assert.Equal(t, oauth.AccessTokenRequestStatusPending, *tokenResponse.Status)
+		assert.Equal(t, oauth.AccessTokenRequestStatusPending, tokenResponse.Get("status"))
 	})
 	t.Run("preauthorized_user", func(t *testing.T) {
 		ctx := newTestClient(t)
@@ -1288,19 +1288,15 @@ func TestWrapper_CallbackOid4vciCredentialIssuance(t *testing.T) {
 		IssuerTokenEndpoint:      tokenEndpoint,
 		IssuerCredentialEndpoint: credEndpoint,
 	}
-	tokenResponse := oauth.Oid4vciTokenResponse{
-		AccessToken: accessToken,
-		TokenType:   "Bearer",
-		CNonce:      &cNonce,
-	}
+	tokenResponse := oauth.NewTokenResponse(accessToken, "Bearer", 0, "").With("c_nonce", cNonce)
 	credentialResponse := iam.CredentialResponse{
 		Format:     "jwt_vc",
 		Credential: verifiableCredential.Raw(),
 	}
 	t.Run("ok", func(t *testing.T) {
 		ctx := newTestClient(t)
 		ctx.client.storageEngine.GetSessionDatabase().GetStore(15*time.Minute, "oid4vci").Put(state, &session)
-		ctx.iamClient.EXPECT().AccessTokenOid4vci(nil, holderDID.String(), tokenEndpoint, redirectURI, code, &pkceParams.Verifier).Return(&tokenResponse, nil)
+		ctx.iamClient.EXPECT().AccessToken(nil, code, issuerDID, redirectURI, holderDID, pkceParams.Verifier).Return(tokenResponse, nil)
 		ctx.keyResolver.EXPECT().ResolveKey(holderDID, nil, resolver.NutsSigningKeyType).Return(ssi.MustParseURI("kid"), nil, nil)
 		ctx.jwtSigner.EXPECT().SignJWT(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return("signed-proof", nil)
 		ctx.iamClient.EXPECT().VerifiableCredentials(nil, credEndpoint, accessToken, "signed-proof").Return(&credentialResponse, nil)
@@ -1352,7 +1348,7 @@ func TestWrapper_CallbackOid4vciCredentialIssuance(t *testing.T) {
 	t.Run("fail_access_token", func(t *testing.T) {
 		ctx := newTestClient(t)
 		ctx.client.storageEngine.GetSessionDatabase().GetStore(15*time.Minute, "oid4vci").Put(state, &session)
-		ctx.iamClient.EXPECT().AccessTokenOid4vci(nil, holderDID.String(), tokenEndpoint, redirectURI, code, &pkceParams.Verifier).Return(nil, errors.New("FAIL"))
+		ctx.iamClient.EXPECT().AccessToken(nil, code, issuerDID, redirectURI, holderDID, pkceParams.Verifier).Return(nil, errors.New("FAIL"))
 
 		callback, err := ctx.client.CallbackOid4vciCredentialIssuance(nil, CallbackOid4vciCredentialIssuanceRequestObject{
 			Params: CallbackOid4vciCredentialIssuanceParams{
@@ -1368,7 +1364,7 @@ func TestWrapper_CallbackOid4vciCredentialIssuance(t *testing.T) {
 	t.Run("fail_credential_response", func(t *testing.T) {
 		ctx := newTestClient(t)
 		require.NoError(t, ctx.client.storageEngine.GetSessionDatabase().GetStore(15*time.Minute, "oid4vci").Put(state, &session))
-		ctx.iamClient.EXPECT().AccessTokenOid4vci(nil, holderDID.String(), tokenEndpoint, redirectURI, code, &pkceParams.Verifier).Return(&tokenResponse, nil)
+		ctx.iamClient.EXPECT().AccessToken(nil, code, issuerDID, redirectURI, holderDID, pkceParams.Verifier).Return(tokenResponse, nil)
 		ctx.keyResolver.EXPECT().ResolveKey(holderDID, nil, resolver.NutsSigningKeyType).Return(ssi.MustParseURI("kid"), nil, nil)
 		ctx.jwtSigner.EXPECT().SignJWT(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return("signed-proof", nil)
 		ctx.iamClient.EXPECT().VerifiableCredentials(nil, credEndpoint, accessToken, "signed-proof").Return(nil, errors.New("FAIL"))
@@ -1387,7 +1383,7 @@ func TestWrapper_CallbackOid4vciCredentialIssuance(t *testing.T) {
 	t.Run("fail_verify", func(t *testing.T) {
 		ctx := newTestClient(t)
 		require.NoError(t, ctx.client.storageEngine.GetSessionDatabase().GetStore(15*time.Minute, "oid4vci").Put(state, &session))
-		ctx.iamClient.EXPECT().AccessTokenOid4vci(nil, holderDID.String(), tokenEndpoint, redirectURI, code, &pkceParams.Verifier).Return(&tokenResponse, nil)
+		ctx.iamClient.EXPECT().AccessToken(nil, code, issuerDID, redirectURI, holderDID, pkceParams.Verifier).Return(tokenResponse, nil)
 		ctx.keyResolver.EXPECT().ResolveKey(holderDID, nil, resolver.NutsSigningKeyType).Return(ssi.MustParseURI("kid"), nil, nil)
 		ctx.jwtSigner.EXPECT().SignJWT(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return("signed-proof", nil)
 		ctx.iamClient.EXPECT().VerifiableCredentials(nil, credEndpoint, accessToken, "signed-proof").Return(&credentialResponse, nil)
@@ -1406,7 +1402,7 @@ func TestWrapper_CallbackOid4vciCredentialIssuance(t *testing.T) {
 	t.Run("error - key not found", func(t *testing.T) {
 		ctx := newTestClient(t)
 		require.NoError(t, ctx.client.storageEngine.GetSessionDatabase().GetStore(15*time.Minute, "oid4vci").Put(state, &session))
-		ctx.iamClient.EXPECT().AccessTokenOid4vci(nil, holderDID.String(), tokenEndpoint, redirectURI, code, &pkceParams.Verifier).Return(&tokenResponse, nil)
+		ctx.iamClient.EXPECT().AccessToken(nil, code, issuerDID, redirectURI, holderDID, pkceParams.Verifier).Return(tokenResponse, nil)
 		ctx.keyResolver.EXPECT().ResolveKey(holderDID, nil, resolver.NutsSigningKeyType).Return(ssi.URI{}, nil, resolver.ErrKeyNotFound)
 
 		callback, err := ctx.client.CallbackOid4vciCredentialIssuance(nil, CallbackOid4vciCredentialIssuanceRequestObject{
@@ -1423,7 +1419,7 @@ func TestWrapper_CallbackOid4vciCredentialIssuance(t *testing.T) {
 	t.Run("error - signature failure", func(t *testing.T) {
 		ctx := newTestClient(t)
 		require.NoError(t, ctx.client.storageEngine.GetSessionDatabase().GetStore(15*time.Minute, "oid4vci").Put(state, &session))
-		ctx.iamClient.EXPECT().AccessTokenOid4vci(nil, holderDID.String(), tokenEndpoint, redirectURI, code, &pkceParams.Verifier).Return(&tokenResponse, nil)
+		ctx.iamClient.EXPECT().AccessToken(nil, code, issuerDID, redirectURI, holderDID, pkceParams.Verifier).Return(tokenResponse, nil)
 		ctx.keyResolver.EXPECT().ResolveKey(holderDID, nil, resolver.NutsSigningKeyType).Return(ssi.MustParseURI("kid"), nil, nil)
 		ctx.jwtSigner.EXPECT().SignJWT(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return("", errors.New("signature failed"))
 

auth/api/iam/openid4vp.go

@@ -689,8 +689,7 @@ func (r Wrapper) handleCallback(ctx context.Context, request CallbackRequestObje
 		return nil, withCallbackURI(oauthError(oauth.ServerError, fmt.Sprintf("failed to retrieve access token: %s", err.Error())), appCallbackURI)
 	}
 	// update TokenResponse using session.SessionID
-	statusActive := oauth.AccessTokenRequestStatusActive
-	tokenResponse.Status = &statusActive
+	tokenResponse = tokenResponse.With("status", oauth.AccessTokenRequestStatusActive)
 	if err = r.accessTokenClientStore().Put(oauthSession.SessionID, tokenResponse); err != nil {
 		return nil, withCallbackURI(oauthError(oauth.ServerError, fmt.Sprintf("failed to store access token: %s", err.Error())), appCallbackURI)
 	}

auth/client/iam/client.go

@@ -211,51 +211,6 @@ func (hb HTTPClient) OpenIdCredentialIssuerMetadata(ctx context.Context, webDID
 	return &metadata, err
 }
 
-func (hb HTTPClient) AccessTokenOid4vci(ctx context.Context, presentationDefinitionURL url.URL, data url.Values) (*oauth.Oid4vciTokenResponse, error) {
-	// create a POST request with x-www-form-urlencoded body
-	request, err := http.NewRequestWithContext(ctx, http.MethodPost, presentationDefinitionURL.String(), strings.NewReader(data.Encode()))
-	request.Header.Add("Accept", "application/json")
-	request.Header.Add("Content-Type", "application/x-www-form-urlencoded")
-	if err != nil {
-		return nil, err
-	}
-	response, err := hb.httpClient.Do(request.WithContext(ctx))
-	if err != nil {
-		return nil, fmt.Errorf("failed to call endpoint: %w", err)
-	}
-	if err = core.TestResponseCode(http.StatusOK, response); err != nil {
-		// check for oauth error
-		if innerErr := core.TestResponseCode(http.StatusBadRequest, response); innerErr != nil {
-			// a non oauth error, the response body could contain a lot of stuff. We'll log and return the entire error
-			log.Logger().Debugf("authorization server token endpoint returned non oauth error (statusCode=%d)", response.StatusCode)
-			return nil, err
-		}
-		httpErr := err.(core.HttpError)
-		oauthError := oauth.OAuth2Error{}
-		if err := json.Unmarshal(httpErr.ResponseBody, &oauthError); err != nil {
-			return nil, fmt.Errorf("unable to unmarshal OAuth error response: %w", err)
-		}
-
-		return nil, oauthError
-	}
-
-	var responseData []byte
-	if responseData, err = core.LimitedReadAll(response.Body); err != nil {
-		return nil, fmt.Errorf("unable to read response: %w", err)
-	}
-
-	var token oauth.Oid4vciTokenResponse
-	if err = json.Unmarshal(responseData, &token); err != nil {
-		// Cut off the response body to 100 characters max to prevent logging of large responses
-		responseBodyString := string(responseData)
-		if len(responseBodyString) > 100 {
-			responseBodyString = responseBodyString[:100] + "...(clipped)"
-		}
-		return nil, fmt.Errorf("unable to unmarshal response: %w, %s", err, string(responseData))
-	}
-	return &token, nil
-}
-
 // CredentialRequest represents ths request to fetch a credential, the JSON object holds the proof as
 // CredentialRequestProof.
 type CredentialRequest struct {

auth/client/iam/interface.go

@@ -28,7 +28,9 @@ import (
 
 // Client defines OpenID4VP client methods using the IAM OpenAPI Spec.
 type Client interface {
-	// AccessToken requests an access token at the oauth2 token endpoint.
+	// AccessToken requests an access token at the OAuth2 Token Endpoint.
+	// The token endpoint can be a regular OAuth2 token endpoint or OpenID4VCI-related endpoint.
+	// The response will be unmarshalled into the given tokenResponseOut parameter.
 	AccessToken(ctx context.Context, code string, verifier did.DID, callbackURI string, clientID did.DID, codeVerifier string) (*oauth.TokenResponse, error)
 	// AuthorizationServerMetadata returns the metadata of the remote wallet.
 	AuthorizationServerMetadata(ctx context.Context, webdid did.DID) (*oauth.AuthorizationServerMetadata, error)
@@ -47,8 +49,6 @@ type Client interface {
 
 	OpenIdCredentialIssuerMetadata(ctx context.Context, webDID did.DID) (*oauth.OpenIDCredentialIssuerMetadata, error)
 
-	AccessTokenOid4vci(ctx context.Context, clientId string, tokenEndpoint string, redirectUri string, code string, pkceCodeVerifier *string) (*oauth.Oid4vciTokenResponse, error)
-
 	VerifiableCredentials(ctx context.Context, credentialEndpoint string, accessToken string, proofJWT string) (*CredentialResponse, error)
 	// RequestObject is returned from the authorization request's 'request_uri' defined in RFC9101.
 	RequestObject(ctx context.Context, requestURI string) (string, error)

auth/client/iam/mock.go

@@ -231,28 +231,6 @@ func (c *OpenID4VPClient) OpenIdCredentialIssuerMetadata(ctx context.Context, we
 	return rsp, nil
 }
 
-func (c *OpenID4VPClient) AccessTokenOid4vci(ctx context.Context, clientId string, tokenEndpoint string, redirectUri string, code string, pkceCodeVerifier *string) (*oauth.Oid4vciTokenResponse, error) {
-	iamClient := c.httpClient
-	data := url.Values{}
-	data.Set("client_id", clientId)
-	data.Set(oauth.GrantTypeParam, oauth.AuthorizationCodeGrantType)
-	data.Set(oauth.CodeParam, code)
-	data.Set("redirect_uri", redirectUri)
-	if pkceCodeVerifier != nil {
-		data.Set("code_verifier", *pkceCodeVerifier)
-	}
-	presentationDefinitionURL, err := url.Parse(tokenEndpoint)
-	if err != nil {
-		return nil, err
-	}
-
-	rsp, err := iamClient.AccessTokenOid4vci(ctx, *presentationDefinitionURL, data)
-	if err != nil {
-		return nil, fmt.Errorf("remote server: failed to retrieve an access_token: %w", err)
-	}
-	return rsp, nil
-}
-
 func (c *OpenID4VPClient) VerifiableCredentials(ctx context.Context, credentialEndpoint string, accessToken string, proofJWT string) (*CredentialResponse, error) {
 	iamClient := c.httpClient
 	rsp, err := iamClient.VerifiableCredentials(ctx, credentialEndpoint, accessToken, proofJWT)

auth/client/iam/openid4vp.go

@@ -539,31 +539,7 @@ func TestIAMClient_OpenIdCredentialIssuerMetadata(t *testing.T) {
 	})
 
 }
-func TestIAMClient_AccessTokenOid4vci(t *testing.T) {
-	code := "code"
-	redirectUri := "https://test.test/callback"
-	pkceCodeVerifier := "verifier"
-
-	t.Run("ok", func(t *testing.T) {
-		ctx := createClientServerTestContext(t)
-
-		response, err := ctx.client.AccessTokenOid4vci(context.Background(), ctx.verifierDID.String(), ctx.openIDConfigurationMetadata.TokenEndpoint, redirectUri, code, &pkceCodeVerifier)
-
-		require.NoError(t, err)
-		require.NotNil(t, response)
-		assert.Equal(t, "token", response.AccessToken)
-		assert.Equal(t, "bearer", response.TokenType)
-	})
-	t.Run("error - failed to get access token", func(t *testing.T) {
-		ctx := createClientServerTestContext(t)
-		ctx.token = nil
 
-		response, err := ctx.client.AccessTokenOid4vci(context.Background(), ctx.verifierDID.String(), ctx.openIDConfigurationMetadata.TokenEndpoint, redirectUri, code, &pkceCodeVerifier)
-
-		assert.EqualError(t, err, "remote server: failed to retrieve an access_token: server returned HTTP 404 (expected: 200)")
-		assert.Nil(t, response)
-	})
-}
 func TestIAMClient_VerifiableCredentials(t *testing.T) {
 	//walletDID := did.MustParseDID("did:web:test.test:iam:123")
 	accessToken := "code"

auth/client/iam/openid4vp_test.go

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2024 Nuts community
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+package oauth
+
+// NewTokenResponse is a convenience function for creating a TokenResponse with the given parameters.
+// expires_in and scope are only set if they are passed a valid value.
+func NewTokenResponse(accessToken, tokenType string, expiresIn int, scope string) *TokenResponse {
+	tr := &TokenResponse{
+		AccessToken: accessToken,
+		TokenType:   tokenType,
+	}
+	if expiresIn > 0 {
+		tr.ExpiresIn = &expiresIn
+	}
+	if scope != "" {
+		tr.Scope = &scope
+	}
+	return tr
+}