some leftover stuff from #3333 (#3387)

Author: woutslakhorst

auth/api/iam/api.go

@@ -600,7 +600,7 @@ func (r Wrapper) OAuthAuthorizationServerMetadata(_ context.Context, request OAu
 }
 
 func (r Wrapper) oauthAuthorizationServerMetadata(clientID url.URL) (*oauth.AuthorizationServerMetadata, error) {
-	md := authorizationServerMetadata(clientID, r.vdr.SupportedMethods())
+	md := authorizationServerMetadata(&clientID, r.vdr.SupportedMethods())
 	if !r.auth.AuthorizationEndpointEnabled() {
 		md.AuthorizationEndpoint = ""
 	}
@@ -895,13 +895,7 @@ func (r Wrapper) authzRequestObjectStore() storage.SessionStore {
 }
 
 func (r Wrapper) subjectToBaseURL(subject string) url.URL {
-	u := &url.URL{}
-	publicURL := r.auth.PublicURL()
-	if publicURL == nil {
-		panic("publicURL is nil")
-	}
-	u = publicURL.JoinPath("oauth2", subject)
-	return *u
+	return *r.auth.PublicURL().JoinPath("oauth2", subject)
 }
 
 // subjectExists checks whether the given subject is known on the local node.

auth/api/iam/jar_test.go

@@ -121,7 +121,7 @@ func TestJar_Parse(t *testing.T) {
 	require.NoError(t, err)
 	token := string(bytes)
 	walletIssuerURL := test.MustParseURL(holderDID.String())
-	verifierMetadata := authorizationServerMetadata(*verifierURL, []string{"web"})
+	verifierMetadata := authorizationServerMetadata(verifierURL, []string{"web"})
 	configuration := &oauth.OpenIDConfiguration{
 		JWKs: jwkSet,
 	}
@@ -161,7 +161,7 @@ func TestJar_Parse(t *testing.T) {
 		})
 		t.Run("ok - post", func(t *testing.T) {
 			ctx := newJarTestCtx(t)
-			md := authorizationServerMetadata(*walletIssuerURL, []string{"web"})
+			md := authorizationServerMetadata(walletIssuerURL, []string{"web"})
 			ctx.iamClient.EXPECT().RequestObjectByPost(context.Background(), "request_uri", md).Return(token, nil)
 			ctx.keyResolver.EXPECT().ResolveKeyByID(kid, nil, resolver.AssertionMethod).Return(privateKey.Public(), nil)
 			ctx.iamClient.EXPECT().OpenIDConfiguration(gomock.Any(), holderClientID).Return(configuration, nil)
@@ -217,7 +217,7 @@ func TestJar_Parse(t *testing.T) {
 		})
 		t.Run("post (made by wallet)", func(t *testing.T) {
 			ctx := newJarTestCtx(t)
-			md := authorizationServerMetadata(*walletIssuerURL, []string{"web"})
+			md := authorizationServerMetadata(walletIssuerURL, []string{"web"})
 			ctx.iamClient.EXPECT().RequestObjectByPost(context.Background(), "request_uri", md).Return("", errors.New("server error"))
 			res, err := ctx.jar.Parse(context.Background(), md,
 				map[string][]string{

auth/api/iam/metadata.go

@@ -31,14 +31,14 @@ import (
 	"github.com/nuts-foundation/nuts-node/crypto/jwx"
 )
 
-func authorizationServerMetadata(issuerURL url.URL, supportedDIDMethods []string) oauth.AuthorizationServerMetadata {
+func authorizationServerMetadata(issuerURL *url.URL, supportedDIDMethods []string) oauth.AuthorizationServerMetadata {
 	metadata := &oauth.AuthorizationServerMetadata{
 		AuthorizationEndpoint:                      "openid4vp:",
 		ClientIdSchemesSupported:                   clientIdSchemesSupported,
 		DIDMethodsSupported:                        supportedDIDMethods,
 		DPoPSigningAlgValuesSupported:              jwx.SupportedAlgorithmsAsStrings(),
 		GrantTypesSupported:                        grantTypesSupported,
-		Issuer:                                     issuerURL.String(),
+		Issuer:                                     "https://self-issued.me/v2",
 		PreAuthorizedGrantAnonymousAccessSupported: true,
 		PresentationDefinitionUriSupported:         to.Ptr(true),
 		RequireSignedRequestObject:                 true,
@@ -49,9 +49,12 @@ func authorizationServerMetadata(issuerURL url.URL, supportedDIDMethods []string
 		RequestObjectSigningAlgValuesSupported:     jwx.SupportedAlgorithmsAsStrings(),
 	}
 
-	metadata.AuthorizationEndpoint = issuerURL.JoinPath("authorize").String()
-	metadata.PresentationDefinitionEndpoint = issuerURL.JoinPath("presentation_definition").String()
-	metadata.TokenEndpoint = issuerURL.JoinPath("token").String()
+	if issuerURL != nil {
+		metadata.Issuer = issuerURL.String()
+		metadata.AuthorizationEndpoint = issuerURL.JoinPath("authorize").String()
+		metadata.PresentationDefinitionEndpoint = issuerURL.JoinPath("presentation_definition").String()
+		metadata.TokenEndpoint = issuerURL.JoinPath("token").String()
+	}
 	return *metadata
 }
 
@@ -87,10 +90,11 @@ func clientMetadata(identity url.URL) oauth.OAuthClientMetadata {
 
 func openIDConfiguration(issuerURL url.URL, jwkSet jwk.Set, supportedDIDMethods []string) oauth.OpenIDConfiguration {
 	return oauth.OpenIDConfiguration{
-		Issuer:   issuerURL.String(),
-		IssuedAt: time.Now().Unix(),
-		Subject:  issuerURL.String(),
-		JWKs:     jwkSet,
-		Metadata: oauth.EntityStatementMetadata{OpenIDProvider: authorizationServerMetadata(issuerURL, supportedDIDMethods)},
+		Issuer:     issuerURL.String(),
+		IssuedAt:   time.Now().Unix(),
+		Expiration: time.Now().Add(time.Hour).Unix(), // just a number, data is retrieved runtime. Value must be larger than clock skew to prevent technical problems.
+		Subject:    issuerURL.String(),
+		JWKs:       jwkSet,
+		Metadata:   oauth.EntityStatementMetadata{OpenIDProvider: authorizationServerMetadata(&issuerURL, supportedDIDMethods)},
 	}
 }

auth/api/iam/metadata_test.go

@@ -50,7 +50,7 @@ func Test_authorizationServerMetadata(t *testing.T) {
 		RequestObjectSigningAlgValuesSupported:     jwx.SupportedAlgorithmsAsStrings(),
 	}
 	authServerUrl := test.MustParseURL("https://example.com/oauth2/example")
-	md := authorizationServerMetadata(*authServerUrl, []string{"test"})
+	md := authorizationServerMetadata(authServerUrl, []string{"test"})
 	assert.Equal(t, baseExpected, md)
 }
 

auth/api/iam/openid4vp.go

@@ -384,8 +384,7 @@ func (r Wrapper) sendAndHandleDirectPost(ctx context.Context, subject string, vp
 		// Dispatch a new HTTP request to the local OpenID4VP wallet's authorization endpoint that includes request parameters,
 		// but with openid4vp: as scheme.
 		// The context contains data from the previous request. Usage by the handler will probably result in incorrect behavior.
-		issuerURL := r.subjectToBaseURL(subject)
-		userWalletMetadata := authorizationServerMetadata(issuerURL, r.vdr.SupportedMethods())
+		userWalletMetadata := authorizationServerMetadata(nil, r.vdr.SupportedMethods())
 		response, err := r.handleAuthorizeRequest(ctx, subject, userWalletMetadata, *parsedRedirectURI)
 		if err != nil {
 			return nil, err

auth/oauth/types.go

@@ -415,6 +415,8 @@ type OpenIDConfiguration struct {
 	Subject string `json:"sub"`
 	// IssuedAt: the time the entity statement was issued
 	IssuedAt int64 `json:"iat"`
+	// Expiration: the time after which the entity statement may no longer be processed
+	Expiration int64 `json:"exp"`
 	// JWKs is the JSON Web Key Set of the entity statement. Contains keys of all DIDs for the subject
 	JWKs jwk.Set `json:"jwks"`
 	// Metadata: the metadata of the entity statement
@@ -443,6 +445,9 @@ func (j *OpenIDConfiguration) UnmarshalJSON(bytes []byte) error {
 	if issuedAt, ok := claims["iat"].(float64); ok {
 		j.IssuedAt = int64(issuedAt)
 	}
+	if expiration, ok := claims["exp"].(float64); ok {
+		j.Expiration = int64(expiration)
+	}
 
 	metadataJson, _ := json.Marshal(claims["metadata"])
 	if err := json.Unmarshal(metadataJson, &j.Metadata); err != nil {