require DiscoveryRegistrationCredential in PEX (#3484)

woutslakhorst · web-flow · commit e9f86eec0f8a · 2024-10-16T11:53:39.000+02:00
diff --git a/discovery/client.go b/discovery/client.go
@@ -263,18 +263,6 @@ func (r *defaultClientRegistrationManager) findCredentialsAndBuildPresentation(c
 		return nil, fmt.Errorf(errStr, service.ID, subjectDID, err)
 	}
 
-	// add registration params as credential if not already done so by the Presentation Definition
-	var found bool
-	for _, cred := range matchingCredentials {
-		if cred.ID == registrationCredential.ID {
-			found = true
-			break
-		}
-	}
-	if !found {
-		matchingCredentials = append(matchingCredentials, credential.AutoCorrectSelfAttestedCredential(registrationCredential, subjectDID))
-	}
-
 	return r.buildPresentation(ctx, subjectDID, service, matchingCredentials, nil)
 }
 
diff --git a/discovery/client_test.go b/discovery/client_test.go
@@ -178,8 +178,7 @@ func Test_defaultClientRegistrationManager_activate(t *testing.T) {
 		ctx.didResolver.EXPECT().Resolve(aliceDID, gomock.Any()).Return(nil, nil, nil)
 		ctx.wallet.EXPECT().List(gomock.Any(), gomock.Any()).Return(nil, nil)
 		ctx.wallet.EXPECT().BuildPresentation(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), false).DoAndReturn(func(_ interface{}, credentials []vc.VerifiableCredential, _ interface{}, _ interface{}, _ interface{}) (*vc.VerifiablePresentation, error) {
-			// expect registration credential
-			assert.Len(t, credentials, 1)
+			assert.Len(t, credentials, 0)
 			return &vpAlice, nil
 		})
 		ctx.subjectManager.EXPECT().ListDIDs(gomock.Any(), aliceSubject).Return([]did.DID{aliceDID}, nil)
diff --git a/discovery/module.go b/discovery/module.go
@@ -289,26 +289,6 @@ func (m *Module) validateRegistration(definition ServiceDefinition, presentation
 		return fmt.Errorf("verifiable presentation doesn't match required presentation definition: %w", err)
 	}
 	if len(creds) != len(presentation.VerifiableCredential) {
-		// it could be the case that the VP contains a registration credential and the matching credentials do not.
-		// only return errPresentationDoesNotFulfillDefinition if both contain the registration credential or neither do.
-		vpContainsRegistrationCredential := false
-		for _, cred := range presentation.VerifiableCredential {
-			if slices.Contains(cred.Type, credential.DiscoveryRegistrationCredentialTypeV1URI()) {
-				vpContainsRegistrationCredential = true
-				break
-			}
-		}
-		matchingContainsRegistrationCredential := false
-		for _, cred := range creds {
-			if slices.Contains(cred.Type, credential.DiscoveryRegistrationCredentialTypeV1URI()) {
-				matchingContainsRegistrationCredential = true
-				break
-			}
-		}
-		if vpContainsRegistrationCredential && !matchingContainsRegistrationCredential && len(presentation.VerifiableCredential)-len(creds) == 1 {
-			return nil
-		}
-
 		return errPresentationDoesNotFulfillDefinition
 	}
 	return nil
diff --git a/discovery/module_test.go b/discovery/module_test.go
@@ -464,6 +464,7 @@ func TestModule_Search(t *testing.T) {
 			{
 				Presentation: vpAlice,
 				Fields: map[string]interface{}{
+					"auth_server_url":"https://example.com/oauth2/alice",
 					"issuer_field": authorityDID,
 				},
 				Parameters: defaultRegistrationParams(aliceSubject),
diff --git a/discovery/test.go b/discovery/test.go
@@ -102,6 +102,16 @@ func testDefinitions() map[string]ServiceDefinition {
 								},
 							},
 						},
+					}, {
+						Id: "2",
+						Constraints: &pe.Constraints{
+							Fields: []pe.Field{
+								{
+									Id:   to.Ptr("auth_server_url"),
+									Path: []string{"$.credentialSubject.authServerURL"},
+								},
+							},
+						},
 					},
 				},
 			},
diff --git a/docs/pages/deployment/discovery.rst b/docs/pages/deployment/discovery.rst
@@ -60,6 +60,7 @@ Optionally, a POST body can be provided with registration parameters, e.g.:
 
 This can be used to provide additional information. All registration parameters are returned by the search API.
 The ``authServerURL`` is added automatically by the Nuts node. It's constructed as ``https://<config.url>/oauth2/<subject_id>``.
+Registration parameters can only be used if the specific parameters and/or ``DiscoveryRegistrationCredential`` are required by the Presentation Definition.
 
 Once registered, future refreshes will be done automatically by the Nuts node. These refreshes could fail because of various reasons.
 You can check the status of the refreshes by querying the service, e.g.:
@@ -156,6 +157,18 @@ Service definitions
                 }
               ]
             }
+          }, {
+            "id": "DiscoveryRegistrationCredential",
+            "constraints": {
+              "fields": [
+                {
+                  "id":   "auth_server_url",
+                  "path": [
+                    "$.credentialSubject.authServerURL"
+                  ]
+                }
+              ]
+            }
           }
         ]
       }
diff --git a/e2e-tests/discovery/definitions/definition.json b/e2e-tests/discovery/definitions/definition.json
@@ -46,6 +46,18 @@
             }
           ]
         }
+      },{
+        "id": "DiscoveryRegistrationCredential",
+        "constraints": {
+          "fields": [
+            {
+              "id":   "auth_server_url",
+              "path": [
+                "$.credentialSubject.authServerURL"
+              ]
+            }
+          ]
+        }
       }
     ]
   }

Original file line number	Diff line number	Diff line change
`@@ -464,6 +464,7 @@ func TestModule_Search(t *testing.T) {`
`464`	`464`	`{`
`465`	`465`	`Presentation: vpAlice,`
`466`	`466`	`Fields: map[string]interface{}{`
	`467`	`+ "auth_server_url":"https://example.com/oauth2/alice",`
`467`	`468`	`"issuer_field": authorityDID,`
`468`	`469`	`},`
`469`	`470`	`Parameters: defaultRegistrationParams(aliceSubject),`
Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,7 @@ Optionally, a POST body can be provided with registration parameters, e.g.:`
`60`	`60`
`61`	`61`	`This can be used to provide additional information. All registration parameters are returned by the search API.`
`62`	`62`	The ``authServerURL`` is added automatically by the Nuts node. It's constructed as ``https://<config.url>/oauth2/<subject_id>``.
	`63`	+Registration parameters can only be used if the specific parameters and/or ``DiscoveryRegistrationCredential`` are required by the Presentation Definition.
`63`	`64`
`64`	`65`	`Once registered, future refreshes will be done automatically by the Nuts node. These refreshes could fail because of various reasons.`
`65`	`66`	`You can check the status of the refreshes by querying the service, e.g.:`
`@@ -156,6 +157,18 @@ Service definitions`
`156`	`157`	`}`
`157`	`158`	`]`
`158`	`159`	`}`
	`160`	`+ }, {`
	`161`	`+ "id": "DiscoveryRegistrationCredential",`
	`162`	`+ "constraints": {`
	`163`	`+ "fields": [`
	`164`	`+ {`
	`165`	`+ "id": "auth_server_url",`
	`166`	`+ "path": [`
	`167`	`+ "$.credentialSubject.authServerURL"`
	`168`	`+ ]`
	`169`	`+ }`
	`170`	`+ ]`
	`171`	`+ }`
`159`	`172`	`}`
`160`	`173`	`]`
`161`	`174`	`}`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,18 @@`
`46`	`46`	`}`
`47`	`47`	`]`
`48`	`48`	`}`
	`49`	`+ },{`
	`50`	`+ "id": "DiscoveryRegistrationCredential",`
	`51`	`+ "constraints": {`
	`52`	`+ "fields": [`
	`53`	`+ {`
	`54`	`+ "id": "auth_server_url",`
	`55`	`+ "path": [`
	`56`	`+ "$.credentialSubject.authServerURL"`
	`57`	`+ ]`
	`58`	`+ }`
	`59`	`+ ]`
	`60`	`+ }`
`49`	`61`	`}`
`50`	`62`	`]`
`51`	`63`	`}`