added presentation_definition endpoint #2492
Conversation
woutslakhorst
force-pushed
the
feature/2491/presentation_definition_endpoint
branch
4 times, most recently
from
58c449a to
3da08a9
Compare
docs/_static/auth/iam.yaml
Outdated
| type: array | ||
| items: | ||
| "$ref": "#/components/schemas/PresentationDefinition" |
There was a problem hiding this comment.
OpenID4VP flow requires a single PD for a similar request. Perhaps we should combine the different PDs in to single PD and add a group label per PD source. This allows selection of a single group to comply with within the combined PD using Submission Requirements.
There was a problem hiding this comment.
I'd like 1 PE flow instead of 1 per backend as well. I think this example illustrates what we want to do: https://identity.foundation/presentation-exchange/spec/v2.0.0/#submission-requirement-1
{
"presentation_definition": {
"input_descriptors": [
{
"name": "Geregistreede zorgorganisatie",
"purpose": "Verificatie dat de zorgorganisatie erkend is door CIBG",
"group": ["local", "mitz"],
"constraints": "has NutsCareOrganization"
},
{
"name": "Mitz Toestemmingen",
"purpose": "Mag gebruikmaken van toestemmingen in Mitz",
"group": ["mitz"],
"constraints": "has MitzCredential"
}
]
},
"submission_requirements": [
{
"name": "Toegang tot bronsysteem",
"rule": "pick",
"min": 1,
"from_nested": [
{
"rule": "all",
"from": "local"
},
{
"rule": "all",
"from": "mitz"
}
]
}
]
}Note the min property, requesting at least one matching credential set. The PD backends then don't yield presentation definitions, but a list of input descriptors. Or they could still return a PD, but the Nuts node would only use the input descriptors and discard the rest.
Con: more complex on implementation of the PE spec side ("our" side). But also less complex on the XIS vendor's side (our users), and less calls going back and forth (thus, faster).
I checked the PE issue tracker on Github, and there does not seem to be discussion about whether to remove/keep supporting pick or from_nested
auth/api/iam/client.go
Outdated
| // We pass the endpoint url for the presentation definition endpoint because we already retrieved the metadata in a previous step. | ||
| // The scopes are evaluated as raw query params and encoded if needed. | ||
| func (hb HTTPClient) PresentationDefinition(ctx context.Context, definitionEndpoint string, scopes []string) ([]PresentationDefinition, error) { | ||
| presentationDefinitionURL, err := url.Parse(definitionEndpoint) |
There was a problem hiding this comment.
if you want a url.URL, you can just ask for it (string -> url.URL)?
There was a problem hiding this comment.
You get it as a string from the metadata, so it would move the parsing to the caller. That would duplicate parsing code for every call.
There was a problem hiding this comment.
Maybe we should change the type in the metadata to url.URL, then?
There was a problem hiding this comment.
Putting ur.URL in the metadata will require custom marshalling/unmarshalling for the metadata struct.
added tests refactor of http Test TLS Server added comment add a DIDToURL method for webdid added comment added test case PR feedback test fix remove generated client
added implementation of the presentation definition endpoint test fix added API client for presentation definition
woutslakhorst
force-pushed
the
feature/2491/presentation_definition_endpoint
branch
from
1cdae8c to
9b1c8cf
Compare
auth/api/iam/api.go
Outdated
| return PresentationDefinition400JSONResponse{ | ||
| Error: "invalid_scope", | ||
| }, nil |
There was a problem hiding this comment.
| return PresentationDefinition400JSONResponse{ | |
| Error: "invalid_scope", | |
| }, nil | |
| return OAuth2Error{ | |
| Code: InvalidScope, | |
| }, nil |
There was a problem hiding this comment.
Compile error due to missing methods on that type (oapi-codegen specific)
auth/api/iam/client.go
Outdated
| // We pass the endpoint url for the presentation definition endpoint because we already retrieved the metadata in a previous step. | ||
| // The scopes are evaluated as raw query params and encoded if needed. | ||
| func (hb HTTPClient) PresentationDefinition(ctx context.Context, definitionEndpoint string, scopes []string) ([]PresentationDefinition, error) { | ||
| presentationDefinitionURL, err := url.Parse(definitionEndpoint) |
There was a problem hiding this comment.
Maybe we should change the type in the metadata to url.URL, then?
docs/_static/auth/iam.yaml
Outdated
| type: array | ||
| items: | ||
| "$ref": "#/components/schemas/PresentationDefinition" |
There was a problem hiding this comment.
I'd like 1 PE flow instead of 1 per backend as well. I think this example illustrates what we want to do: https://identity.foundation/presentation-exchange/spec/v2.0.0/#submission-requirement-1
{
"presentation_definition": {
"input_descriptors": [
{
"name": "Geregistreede zorgorganisatie",
"purpose": "Verificatie dat de zorgorganisatie erkend is door CIBG",
"group": ["local", "mitz"],
"constraints": "has NutsCareOrganization"
},
{
"name": "Mitz Toestemmingen",
"purpose": "Mag gebruikmaken van toestemmingen in Mitz",
"group": ["mitz"],
"constraints": "has MitzCredential"
}
]
},
"submission_requirements": [
{
"name": "Toegang tot bronsysteem",
"rule": "pick",
"min": 1,
"from_nested": [
{
"rule": "all",
"from": "local"
},
{
"rule": "all",
"from": "mitz"
}
]
}
]
}Note the min property, requesting at least one matching credential set. The PD backends then don't yield presentation definitions, but a list of input descriptors. Or they could still return a PD, but the Nuts node would only use the input descriptors and discard the rest.
Con: more complex on implementation of the PE spec side ("our" side). But also less complex on the XIS vendor's side (our users), and less calls going back and forth (thus, faster).
I checked the PE issue tracker on Github, and there does not seem to be discussion about whether to remove/keep supporting pick or from_nested
|
The PE suggestion won't work since you don't know which one of the backends you pick will actually give you access. The patient specific scope will only be checked after a client submitted a VP. If a client picks the wrong one, it'll fail and does not retry. There's no complexity on the CIS side since it's all handled by the node. |
|
#2540 describes additional features required for Submission Requirement Feature. |
auth/api/iam/client.go
Outdated
|
|
||
| // PresentationDefinition retrieves the presentation definition from the presentation definition endpoint (as specified by RFC021) for the given scope. | ||
| func (hb HTTPClient) PresentationDefinition(ctx context.Context, definitionEndpoint string, scopes []string) (*PresentationDefinition, error) { | ||
| presentationDefinitionURL, err := url.Parse(definitionEndpoint) |
There was a problem hiding this comment.
The URL comes from an external source. Validate using core.ParsePublicURL to require https, and no reserved addresses like localhost.
There was a problem hiding this comment.
I also changed the parsing so it will allow IPs in non-strictmode
auth/api/iam/client.go
Outdated
| @@ -85,7 +85,7 @@ func (hb HTTPClient) OAuthAuthorizationServerMetadata(ctx context.Context, webDI | |||
|
|
|||
| // PresentationDefinition retrieves the presentation definition from the presentation definition endpoint (as specified by RFC021) for the given scope. | |||
| func (hb HTTPClient) PresentationDefinition(ctx context.Context, definitionEndpoint string, scopes []string) (*PresentationDefinition, error) { | |||
| presentationDefinitionURL, err := url.Parse(definitionEndpoint) | |||
| presentationDefinitionURL, err := core.ParsePublicURL(definitionEndpoint, !hb.config.Strictmode) | |||
There was a problem hiding this comment.
The third input was never intended to be optional, but having to add the scheme every time is annoying since strictmode forces the following
if strictmode {
issuerURL, err = core.ParsePublicURL(issuer, false, "https")
} else {
issuerURL, err = core.ParsePublicURL(issuer, true, "https", "http")
}
There was a problem hiding this comment.
Merging #2560 should make this easier
There was a problem hiding this comment.
Hmmmm #2560 flipped the 2nd argument, although the PR build succeeds, after merging it'll fail....
|
@reinkrul waiting for your review |
* refactor ParsePublicURL * add tests
woutslakhorst
deleted the
feature/2491/presentation_definition_endpoint
branch
closes #2491
This RP adds the presentation definition endpoint and client API. A new variable has been added to the OAuth Authorization Server Metadata:
presentation_definition_endpoint