open-eid / eudi-qeaa-as-mock

MIT License

MDL-36 Incorrect TokenResponse format #3

Closed ydanneg closed 7 months ago

ydanneg commented 7 months ago

1. According to the OpenID4VCI specification, authorization_details MUST be an array.

ref: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-6.2

authorization_details: REQUIRED when authorization_details parameter is used to request issuance of a certain Credential type as defined in [Section 5.1.1](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#authorization-details). It MUST NOT be used otherwise. 
It is an array of objects, as defined in Section 7 of [[RFC9396](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#RFC9396)].

Currently it is just an object.

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.PropertyNamingStrategies;
import com.fasterxml.jackson.databind.annotation.JsonNaming;

// Serialised with snake_case names, so the last component becomes "authorization_details".
// As a single object rather than a List, it is emitted as a JSON object instead of the
// array the specification requires.
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
public record TokenResponse(String accessToken,
                            String tokenType,
                            String cNonce,
                            Long cNonceExpiresIn,
                            AuthorizationDetails authorizationDetails) {

}

2. It is RECOMMENDED to have an expires_in attribute in this response. ref: https://www.rfc-editor.org/rfc/rfc6749.html#section-4.2.2

expires_in
         RECOMMENDED.  The lifetime in seconds of the access token.  For
         example, the value "3600" denotes that the access token will
         expire in one hour from the time the response was generated.
         If omitted, the authorization server SHOULD provide the
         expiration time via other means or document the default value.
aarmam commented 7 months ago

We are returning the access token as a JWT, so authorization_details must be added as an access token claim. The current EUDI Wallet implementation profile uses long-lived sender-constrained access tokens, and the expiration time is provided as the exp claim.

ydanneg commented 7 months ago
authorization_details: REQUIRED when authorization_details parameter is used to request issuance of a certain Credential type as defined in Section 5.1.1. It MUST NOT be used otherwise.

What about this spec rule?

I could create a PR (obj -> list(obj))

aarmam commented 7 months ago

What about this spec rule?

I added authorization_details as an access token claim:

{
  "sub": "60001019906",
  "aud": "https://eudi-issuer.localhost:13443",
  "authorization_details": [
    {
      "type": "openid_credential",
      "format": "mso_mdoc",
      "doctype": "org.iso.18013.5.1.mDL",
      "locations": [
        "https://eudi-issuer.localhost:13443"
      ]
    }
  ],
  "iss": "https://eudi-as.localhost:12443",
  "cnf": {
    "jkt": "8wGKbD7hG-u2GucSqoQPthH2SFvlBMBQyKoKqjkOTD8"
  },
  "exp": 1745051253,
  "iat": 1713515253,
  "jti": "UViDMBIqnRX2iFfbEpVa7lFCAuoVpv7g1PZ5deb4Wr0AdZ-f-GGzsA",
  "client_id": "eudi-wallet.localhost"
}

If the access token is returned as a JWT, should authorization_details not be returned as a token response parameter and be included as an access token claim instead?
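A check that exercises both points raised in this issue (authorization_details must be an array wherever it appears, and the token lifetime must be recoverable from either expires_in or the JWT exp claim), plus the sender-constraint point from the reply above. This is an added example, not code from this thread or from the eudi-qeaa-as-mock project. The sample claims are the ones posted above, wrapped in a constructed, unsigned compact JWT (header and placeholder signature are assumptions; nothing is verified cryptographically), and the function names are illustrative.

```python
"""Added example: lint an OpenID4VCI token response against the points in this issue."""
import base64
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_claims(token: str) -> Optional[dict]:
    """Payload of a compact JWS, or None for an opaque token. No signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None


def lint_authorization_details(value) -> list:
    """RFC 9396 section 7 / OpenID4VCI: an array of objects, each with a string 'type';
    an openid_credential entry carries 'format' or 'credential_configuration_id'."""
    if not isinstance(value, list):
        return [f"authorization_details must be an array, got {type(value).__name__}"]
    problems = []
    for i, item in enumerate(value):
        if not isinstance(item, dict) or not isinstance(item.get("type"), str):
            problems.append(f"authorization_details[{i}] must be an object with a string 'type'")
            continue
        if item["type"] == "openid_credential" and not any(
                k in item for k in ("format", "credential_configuration_id")):
            problems.append(f"authorization_details[{i}] needs 'format' or 'credential_configuration_id'")
    return problems


def token_lifetime(resp: dict, now: int) -> Optional[int]:
    """expires_in if present (RFC 6749), else exp - now from a JWT access token, else None."""
    if isinstance(resp.get("expires_in"), int):
        return resp["expires_in"]
    claims = jwt_claims(str(resp.get("access_token", "")))
    if claims is not None and isinstance(claims.get("exp"), int):
        return claims["exp"] - now
    return None


def lint_token_response(resp: dict, now: int) -> list:
    problems = []
    for required in ("access_token", "token_type"):
        if required not in resp:
            problems.append(f"{required} is REQUIRED (RFC 6749 section 5.1)")
    claims = jwt_claims(str(resp.get("access_token", "")))

    # Wherever authorization_details appears (response body, JWT claim, or both), it must be an array.
    if "authorization_details" in resp:
        problems += ["token response: " + p for p in lint_authorization_details(resp["authorization_details"])]
    if claims is not None and "authorization_details" in claims:
        problems += ["access token claim: " + p for p in lint_authorization_details(claims["authorization_details"])]

    lifetime = token_lifetime(resp, now)
    if lifetime is None:
        problems.append("no expires_in and no exp claim: lifetime undocumented")
    elif lifetime <= 0:
        problems.append("access token already expired")

    # cnf.jkt marks a DPoP-bound token; RFC 9449 section 5 then requires token_type "DPoP".
    if claims is not None and isinstance(claims.get("cnf"), dict) and "jkt" in claims["cnf"]:
        if str(resp.get("token_type", "")).lower() != "dpop":
            problems.append("cnf.jkt present but token_type is not DPoP (RFC 9449 section 5)")
    return problems


# Constructed sample: the claims posted above, in an unsigned JWT (placeholder signature, assumption).
ISSUED_AT = 1713515253
ACCESS_TOKEN_CLAIMS = {
    "sub": "60001019906",
    "aud": "https://eudi-issuer.localhost:13443",
    "authorization_details": [{"type": "openid_credential", "format": "mso_mdoc",
                               "doctype": "org.iso.18013.5.1.mDL",
                               "locations": ["https://eudi-issuer.localhost:13443"]}],
    "iss": "https://eudi-as.localhost:12443",
    "cnf": {"jkt": "8wGKbD7hG-u2GucSqoQPthH2SFvlBMBQyKoKqjkOTD8"},
    "exp": 1745051253,
    "iat": ISSUED_AT,
    "jti": "UViDMBIqnRX2iFfbEpVa7lFCAuoVpv7g1PZ5deb4Wr0AdZ-f-GGzsA",
    "client_id": "eudi-wallet.localhost",
}
SAMPLE_JWT = ".".join([_b64url(json.dumps({"alg": "ES256", "typ": "at+jwt"}).encode()),
                       _b64url(json.dumps(ACCESS_TOKEN_CLAIMS).encode()),
                       "placeholder-signature"])

# Shape the original TokenResponse record produced: a single object, no expires_in.
BEFORE = {"access_token": "opaque-token", "token_type": "Bearer", "c_nonce": "n",
          "c_nonce_expires_in": 300,
          "authorization_details": {"type": "openid_credential", "format": "mso_mdoc"}}
# Shape after the change discussed: JWT access token carrying the claim, DPoP token type.
AFTER = {"access_token": SAMPLE_JWT, "token_type": "DPoP", "c_nonce": "n", "c_nonce_expires_in": 300}

if __name__ == "__main__":
    print("before:", lint_token_response(BEFORE, now=ISSUED_AT))
    print("after:", lint_token_response(AFTER, now=ISSUED_AT), "lifetime:", token_lifetime(AFTER, now=ISSUED_AT))
```

Run against the posted claims, the lifetime works out to 31536000 seconds (exp minus iat, exactly one year), which is the "long-lived" property the reply describes; a relying party that only looks for expires_in would see no lifetime at all, which is why the check falls back to exp for JWT access tokens.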

ydanneg commented 7 months ago

authorization_details

It looks promising now.. Thanks. I will check it later today.

lgtm