pr feedback 2

auth/api/iam/api.go

@@ -384,6 +384,7 @@ func (r Wrapper) handleAuthorizeRequest(ctx context.Context, ownDID did.DID, req
 // RFC9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR).
 func (r Wrapper) RequestJWTByGet(ctx context.Context, request RequestJWTByGetRequestObject) (RequestJWTByGetResponseObject, error) {
 	ro := new(jarRequest)
+	// TODO: burn request object to prevent DoS through signing requests https://github.com/nuts-foundation/nuts-node/issues/3063
 	err := r.authzRequestObjectStore().Get(request.Id, ro)
 	if err != nil {
 		return nil, oauth.OAuth2Error{
@@ -399,8 +400,7 @@ func (r Wrapper) RequestJWTByGet(ctx context.Context, request RequestJWTByGetReq
 		}
 	}
 	if ro.RequestURIMethod != "get" { // case sensitive
-		// TODO: wallet does not support `request_uri_method=post`. Signing the current jarRequest would leave it without 'aud'.
-		//		 is this acceptable, should it fail, or does it default to using staticAuthorizationServerMetadata.
+		// TODO: wallet does not support `request_uri_method=post`. Unclear if this should fail, or fallback to using staticAuthorizationServerMetadata().
 		return nil, oauth.OAuth2Error{
 			Code:          oauth.InvalidRequest,
 			Description:   "used request_uri_method 'get' on a 'post' request_uri",
@@ -413,8 +413,8 @@ func (r Wrapper) RequestJWTByGet(ctx context.Context, request RequestJWTByGetReq
 	if err != nil {
 		return nil, oauth.OAuth2Error{
 			Code:          oauth.ServerError,
-			Description:   "unable to create RequestObject",
-			InternalError: fmt.Errorf("failed to sign authorization RequestObject :%w", err),
+			Description:   "unable to create Request Object",
+			InternalError: fmt.Errorf("failed to sign authorization Request Object: %w", err),
 		}
 	}
 	return RequestJWTByGet200ApplicationoauthAuthzReqJwtResponse{
@@ -428,6 +428,7 @@ func (r Wrapper) RequestJWTByGet(ctx context.Context, request RequestJWTByGetReq
 // RFC9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR).
 func (r Wrapper) RequestJWTByPost(ctx context.Context, request RequestJWTByPostRequestObject) (RequestJWTByPostResponseObject, error) {
 	ro := new(jarRequest)
+	// TODO: burn request object to prevent DoS through signing requests https://github.com/nuts-foundation/nuts-node/issues/3063
 	err := r.authzRequestObjectStore().Get(request.Id, ro)
 	if err != nil {
 		return nil, oauth.OAuth2Error{
@@ -465,8 +466,8 @@ func (r Wrapper) RequestJWTByPost(ctx context.Context, request RequestJWTByPostR
 	if err != nil {
 		return nil, oauth.OAuth2Error{
 			Code:          oauth.ServerError,
-			Description:   "unable to create RequestObject",
-			InternalError: fmt.Errorf("failed to sign authorization RequestObject :%w", err),
+			Description:   "unable to create Request Object",
+			InternalError: fmt.Errorf("failed to sign authorization Request Object: %w", err),
 		}
 	}
 	return RequestJWTByPost200ApplicationoauthAuthzReqJwtResponse{

auth/api/iam/api_test.go

@@ -997,7 +997,7 @@ func TestWrapper_GetRequestJWT(t *testing.T) {
 		response, err := ctx.client.RequestJWTByGet(cont, RequestJWTByGetRequestObject{Did: webDID.String(), Id: requestID})
 
 		assert.Nil(t, response)
-		assert.EqualError(t, err, "server_error - failed to sign authorization RequestObject :fail - unable to create RequestObject")
+		assert.EqualError(t, err, "server_error - failed to sign authorization Request Object: fail - unable to create Request Object")
 	})
 }
 
@@ -1085,7 +1085,7 @@ func TestWrapper_PostRequestJWT(t *testing.T) {
 		response, err := ctx.client.RequestJWTByPost(cont, RequestJWTByPostRequestObject{Did: webDID.String(), Id: requestID})
 
 		assert.Nil(t, response)
-		assert.EqualError(t, err, "server_error - failed to sign authorization RequestObject :fail - unable to create RequestObject")
+		assert.EqualError(t, err, "server_error - failed to sign authorization Request Object: fail - unable to create Request Object")
 	})
 }
 

auth/api/iam/metadata.go

@@ -31,35 +31,8 @@ import (
 )
 
 func authorizationServerMetadata(ownedDID did.DID) (*oauth.AuthorizationServerMetadata, error) {
-	if ownedDID.Method == "web" {
-		return _authzMetadataDidWeb(ownedDID)
-	}
-	return _authzMetadataBase(ownedDID), nil
-}
-
-// _authzMetadataDidWeb should not be used directly, use authorizationServerMetadata instead.
-func _authzMetadataDidWeb(ownedDID did.DID) (*oauth.AuthorizationServerMetadata, error) {
-	identity, err := didweb.DIDToURL(ownedDID)
-	if err != nil {
-		return nil, err
-	}
-	oauth2BaseURL, err := createOAuth2BaseURL(ownedDID)
-	if err != nil {
-		// can't fail, already did DIDToURL above
-		return nil, err
-	}
-	metadata := _authzMetadataBase(ownedDID)
-	metadata.Issuer = identity.String()
-	metadata.AuthorizationEndpoint = oauth2BaseURL.JoinPath("authorize").String()
-	metadata.PresentationDefinitionEndpoint = oauth2BaseURL.JoinPath("presentation_definition").String()
-	metadata.TokenEndpoint = oauth2BaseURL.JoinPath("token").String()
-	return metadata, nil
-}
-
-// _authzMetadataBase should not be used directly, use authorizationServerMetadata instead.
-func _authzMetadataBase(ownedDID did.DID) *oauth.AuthorizationServerMetadata {
 	presentationDefinitionURISupported := true
-	return &oauth.AuthorizationServerMetadata{
+	metadata := &oauth.AuthorizationServerMetadata{
 		AuthorizationEndpoint:                      "openid4vp:",
 		ClientIdSchemesSupported:                   clientIdSchemesSupported,
 		DPoPSigningAlgValuesSupported:              jwx.SupportedAlgorithmsAsStrings(),
@@ -74,6 +47,23 @@ func _authzMetadataBase(ownedDID did.DID) *oauth.AuthorizationServerMetadata {
 		VPFormatsSupported:                         oauth.DefaultOpenIDSupportedFormats(),
 		RequestObjectSigningAlgValuesSupported:     jwx.SupportedAlgorithmsAsStrings(),
 	}
+	if ownedDID.Method == "web" {
+		// add endpoints for did:web
+		identity, err := didweb.DIDToURL(ownedDID)
+		if err != nil {
+			return nil, err
+		}
+		oauth2BaseURL, err := createOAuth2BaseURL(ownedDID)
+		if err != nil {
+			// can't fail, already did DIDToURL above
+			return nil, err
+		}
+		metadata.Issuer = identity.String()
+		metadata.AuthorizationEndpoint = oauth2BaseURL.JoinPath("authorize").String()
+		metadata.PresentationDefinitionEndpoint = oauth2BaseURL.JoinPath("presentation_definition").String()
+		metadata.TokenEndpoint = oauth2BaseURL.JoinPath("token").String()
+	}
+	return metadata, nil
 }
 
 // staticAuthorizationServerMetadata is used in the OpenID4VP flow when authorization server (wallet) issuer is unknown.