Change remaining DIDs in API path to subject and use client_id (from …

…url) (#3333) * the client_id in JAR uses the tenant URL (ex: https://example.com/oauth2/tenant) and not a client_id from the app. This is done so the JAR validate can use the OpenID federation configuration endpoint to resolve the JWKs. Future changes could generate a deployment specific client_id and keys. * there are 3 or 4 instances of subject.ListDIDs()[0]. It does not take into account which methods the other side supports. This is a general todo for us. * I removed did client_id scheme which interferes with PoCs
nuts-foundation · Sep 4, 2024 · 6c12bf4 · 6c12bf4
1 parent 72be55e
commit 6c12bf4
Show file tree

Hide file tree

Showing 43 changed files with 1,577 additions and 1,090 deletions.
diff --git a/auth/api/iam/access_token.go b/auth/api/iam/access_token.go
@@ -20,7 +20,6 @@ package iam
 
 import (
 	"fmt"
-	"github.com/nuts-foundation/go-did/did"
 	"github.com/nuts-foundation/nuts-node/auth/oauth"
 	"github.com/nuts-foundation/nuts-node/crypto"
 	"time"
@@ -60,7 +59,7 @@ type AccessToken struct {
 }
 
 // createAccessToken is used in both the s2s and openid4vp flows
-func (r Wrapper) createAccessToken(issuer did.DID, walletDID did.DID, issueTime time.Time, scope string, pexState PEXConsumer, dpopToken *dpop.DPoP) (*oauth.TokenResponse, error) {
+func (r Wrapper) createAccessToken(issuerURL string, clientID string, issueTime time.Time, scope string, pexState PEXConsumer, dpopToken *dpop.DPoP) (*oauth.TokenResponse, error) {
 	credentialMap, err := pexState.credentialMap()
 	if err != nil {
 		return nil, err
@@ -73,9 +72,9 @@ func (r Wrapper) createAccessToken(issuer did.DID, walletDID did.DID, issueTime
 	accessToken := AccessToken{
 		DPoP:                           dpopToken,
 		Token:                          crypto.GenerateNonce(),
-		Issuer:                         issuer.String(),
+		Issuer:                         issuerURL,
 		IssuedAt:                       issueTime,
-		ClientId:                       walletDID.String(),
+		ClientId:                       clientID,
 		Expiration:                     issueTime.Add(accessTokenValidity),
 		Scope:                          scope,
 		PresentationSubmissions:        pexState.Submissions,

diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
diff --git a/auth/api/iam/api_test.go b/auth/api/iam/api_test.go
diff --git a/auth/api/iam/dpop_test.go b/auth/api/iam/dpop_test.go
@@ -49,19 +49,19 @@ func TestWrapper_CreateDPoPProof(t *testing.T) {
 	}
 	requestObject := CreateDPoPProofRequestObject{
 		Body: &requestBody,
-		Did:  webDID.String(),
+		Did:  holderDID.String(),
 	}
 	didDocument := did.Document{ID: holderDID}
-	vmId := did.MustParseDIDURL(webDID.String() + "#key1")
+	vmId := did.MustParseDIDURL(holderDID.String() + "#key1")
 	key, _ := spi.GenerateKeyPair()
-	vm, _ := did.NewVerificationMethod(vmId, ssi.JsonWebKey2020, webDID, key.Public())
+	vm, _ := did.NewVerificationMethod(vmId, ssi.JsonWebKey2020, holderDID, key.Public())
 	didDocument.AddAssertionMethod(vm)
 	dpopToken := dpop.New(*request)
 	dpopToken.GenerateProof(accesstoken)
 	t.Run("ok", func(t *testing.T) {
 		ctx := newTestClient(t)
-		ctx.documentOwner.EXPECT().IsOwner(gomock.Any(), webDID).Return(true, nil)
-		ctx.resolver.EXPECT().Resolve(webDID, gomock.Any()).Return(&didDocument, nil, nil)
+		ctx.documentOwner.EXPECT().IsOwner(gomock.Any(), holderDID).Return(true, nil)
+		ctx.resolver.EXPECT().Resolve(holderDID, gomock.Any()).Return(&didDocument, nil, nil)
 		ctx.jwtSigner.EXPECT().SignDPoP(gomock.Any(), gomock.Any(), vmId.String()).DoAndReturn(func(_ context.Context, token dpop.DPoP, _ string) (string, error) {
 			assert.Equal(t, dpopToken.String(), token.String())
 			return "dpop", nil
@@ -83,7 +83,7 @@ func TestWrapper_CreateDPoPProof(t *testing.T) {
 	})
 	t.Run("invalid method", func(t *testing.T) {
 		ctx := newTestClient(t)
-		ctx.documentOwner.EXPECT().IsOwner(gomock.Any(), webDID).Return(true, nil)
+		ctx.documentOwner.EXPECT().IsOwner(gomock.Any(), holderDID).Return(true, nil)
 		requestBody.Htm = "\\"
 		defer (func() { requestBody.Htm = "GET" })()
 
@@ -111,16 +111,16 @@ func TestWrapper_CreateDPoPProof(t *testing.T) {
 	})
 	t.Run("did not owned", func(t *testing.T) {
 		ctx := newTestClient(t)
-		ctx.documentOwner.EXPECT().IsOwner(gomock.Any(), webDID).Return(false, nil)
+		ctx.documentOwner.EXPECT().IsOwner(gomock.Any(), holderDID).Return(false, nil)
 
 		_, err := ctx.client.CreateDPoPProof(context.Background(), requestObject)
 
 		assert.EqualError(t, err, "DID document not managed by this node")
 	})
 	t.Run("proof error", func(t *testing.T) {
 		ctx := newTestClient(t)
-		ctx.documentOwner.EXPECT().IsOwner(gomock.Any(), webDID).Return(true, nil)
-		ctx.resolver.EXPECT().Resolve(webDID, gomock.Any()).Return(&didDocument, nil, nil)
+		ctx.documentOwner.EXPECT().IsOwner(gomock.Any(), holderDID).Return(true, nil)
+		ctx.resolver.EXPECT().Resolve(holderDID, gomock.Any()).Return(&didDocument, nil, nil)
 		ctx.jwtSigner.EXPECT().SignDPoP(gomock.Any(), gomock.Any(), vmId.String()).Return("dpop", assert.AnError)
 
 		_, err := ctx.client.CreateDPoPProof(context.Background(), requestObject)