Merge pull request #6 from niscy-eudiw/feature/alternate-issuer-support

Feature/alternate issuer support
eu-digital-identity-wallet · Jan 22, 2024 · 75fed38 · 75fed38
2 parents 3357665 + 7a1471f
commit 75fed38
Show file tree

Hide file tree

Showing 23 changed files with 512 additions and 271 deletions.
diff --git a/Sources/Entities/AccessManagement/AuthorizationServerMetadata.swift b/Sources/Entities/AccessManagement/AuthorizationServerMetadata.swift
@@ -16,27 +16,27 @@
 import Foundation
 
 public struct AuthorizationServerMetadata: Codable, Equatable {
-  public let issuer, authorizationEndpoint, tokenEndpoint, introspectionEndpoint: String
-  public let jwksURI: String
-  public let grantTypesSupported, responseTypesSupported, requestObjectSigningAlgValuesSupported, requestObjectEncryptionAlgValuesSupported: [String]
-  public let requestObjectEncryptionEncValuesSupported, responseModesSupported: [String]
-  public let registrationEndpoint: String
-  public let tokenEndpointAuthMethodsSupported, tokenEndpointAuthSigningAlgValuesSupported, introspectionEndpointAuthMethodsSupported, introspectionEndpointAuthSigningAlgValuesSupported: [String]
-  public let authorizationSigningAlgValuesSupported, authorizationEncryptionAlgValuesSupported, authorizationEncryptionEncValuesSupported, scopesSupported: [String]
-  public let requestParameterSupported, requestURIParameterSupported, requireRequestURIRegistration: Bool
-  public let codeChallengeMethodsSupported: [String]
-  public let tlsClientCertificateBoundAccessTokens: Bool
-  public let dpopSigningAlgValuesSupported: [String]
-  public let revocationEndpoint: String
-  public let revocationEndpointAuthMethodsSupported, revocationEndpointAuthSigningAlgValuesSupported: [String]
-  public let deviceAuthorizationEndpoint: String
-  public let backchannelTokenDeliveryModesSupported: [String]
-  public let backchannelAuthenticationEndpoint: String
-  public let backchannelAuthenticationRequestSigningAlgValuesSupported: [String]
-  public let requirePushedAuthorizationRequests: Bool
-  public let pushedAuthorizationRequestEndpoint: String
-  public let mtlsEndpointAliases: MtlsEndpointAliases
-  public let authorizationResponseIssParameterSupported: Bool
+  public let issuer, authorizationEndpoint, tokenEndpoint, introspectionEndpoint: String?
+  public let jwksURI: String?
+  public let grantTypesSupported, responseTypesSupported, requestObjectSigningAlgValuesSupported, requestObjectEncryptionAlgValuesSupported: [String]?
+  public let requestObjectEncryptionEncValuesSupported, responseModesSupported: [String]?
+  public let registrationEndpoint: String?
+  public let tokenEndpointAuthMethodsSupported, tokenEndpointAuthSigningAlgValuesSupported, introspectionEndpointAuthMethodsSupported, introspectionEndpointAuthSigningAlgValuesSupported: [String]?
+  public let authorizationSigningAlgValuesSupported, authorizationEncryptionAlgValuesSupported, authorizationEncryptionEncValuesSupported, scopesSupported: [String]?
+  public let requestParameterSupported, requestURIParameterSupported, requireRequestURIRegistration: Bool?
+  public let codeChallengeMethodsSupported: [String]?
+  public let tlsClientCertificateBoundAccessTokens: Bool?
+  public let dpopSigningAlgValuesSupported: [String]?
+  public let revocationEndpoint: String?
+  public let revocationEndpointAuthMethodsSupported, revocationEndpointAuthSigningAlgValuesSupported: [String]?
+  public let deviceAuthorizationEndpoint: String?
+  public let backchannelTokenDeliveryModesSupported: [String]?
+  public let backchannelAuthenticationEndpoint: String?
+  public let backchannelAuthenticationRequestSigningAlgValuesSupported: [String]?
+  public let requirePushedAuthorizationRequests: Bool?
+  public let pushedAuthorizationRequestEndpoint: String?
+  public let mtlsEndpointAliases: MtlsEndpointAliases?
+  public let authorizationResponseIssParameterSupported: Bool?
 
   enum CodingKeys: String, CodingKey {
     case issuer
@@ -78,7 +78,45 @@ public struct AuthorizationServerMetadata: Codable, Equatable {
     case authorizationResponseIssParameterSupported = "authorization_response_iss_parameter_supported"
   }
 
-  public init(issuer: String, authorizationEndpoint: String, tokenEndpoint: String, introspectionEndpoint: String, jwksURI: String, grantTypesSupported: [String], responseTypesSupported: [String], requestObjectSigningAlgValuesSupported: [String], requestObjectEncryptionAlgValuesSupported: [String], requestObjectEncryptionEncValuesSupported: [String], responseModesSupported: [String], registrationEndpoint: String, tokenEndpointAuthMethodsSupported: [String], tokenEndpointAuthSigningAlgValuesSupported: [String], introspectionEndpointAuthMethodsSupported: [String], introspectionEndpointAuthSigningAlgValuesSupported: [String], authorizationSigningAlgValuesSupported: [String], authorizationEncryptionAlgValuesSupported: [String], authorizationEncryptionEncValuesSupported: [String], scopesSupported: [String], requestParameterSupported: Bool, requestURIParameterSupported: Bool, requireRequestURIRegistration: Bool, codeChallengeMethodsSupported: [String], tlsClientCertificateBoundAccessTokens: Bool, dpopSigningAlgValuesSupported: [String], revocationEndpoint: String, revocationEndpointAuthMethodsSupported: [String], revocationEndpointAuthSigningAlgValuesSupported: [String], deviceAuthorizationEndpoint: String, backchannelTokenDeliveryModesSupported: [String], backchannelAuthenticationEndpoint: String, backchannelAuthenticationRequestSigningAlgValuesSupported: [String], requirePushedAuthorizationRequests: Bool, pushedAuthorizationRequestEndpoint: String, mtlsEndpointAliases: MtlsEndpointAliases, authorizationResponseIssParameterSupported: Bool) {
+  public init(
+    issuer: String?,
+    authorizationEndpoint: String?,
+    tokenEndpoint: String?,
+    introspectionEndpoint: String?,
+    jwksURI: String?,
+    grantTypesSupported: [String]?,
+    responseTypesSupported: [String]?,
+    requestObjectSigningAlgValuesSupported: [String]?,
+    requestObjectEncryptionAlgValuesSupported: [String]?,
+    requestObjectEncryptionEncValuesSupported: [String]?,
+    responseModesSupported: [String]?,
+    registrationEndpoint: String?,
+    tokenEndpointAuthMethodsSupported: [String]?,
+    tokenEndpointAuthSigningAlgValuesSupported: [String]?,
+    introspectionEndpointAuthMethodsSupported: [String]?,
+    introspectionEndpointAuthSigningAlgValuesSupported: [String]?,
+    authorizationSigningAlgValuesSupported: [String]?,
+    authorizationEncryptionAlgValuesSupported: [String]?,
+    authorizationEncryptionEncValuesSupported: [String]?,
+    scopesSupported: [String]?,
+    requestParameterSupported: Bool?,
+    requestURIParameterSupported: Bool?,
+    requireRequestURIRegistration: Bool?,
+    codeChallengeMethodsSupported: [String]?,
+    tlsClientCertificateBoundAccessTokens: Bool?,
+    dpopSigningAlgValuesSupported: [String]?,
+    revocationEndpoint: String?,
+    revocationEndpointAuthMethodsSupported: [String]?,
+    revocationEndpointAuthSigningAlgValuesSupported: [String]?,
+    deviceAuthorizationEndpoint: String?,
+    backchannelTokenDeliveryModesSupported: [String]?,
+    backchannelAuthenticationEndpoint: String?,
+    backchannelAuthenticationRequestSigningAlgValuesSupported: [String]?,
+    requirePushedAuthorizationRequests: Bool?,
+    pushedAuthorizationRequestEndpoint: String?,
+    mtlsEndpointAliases: MtlsEndpointAliases?,
+    authorizationResponseIssParameterSupported: Bool?
+  ) {
     self.issuer = issuer
     self.authorizationEndpoint = authorizationEndpoint
     self.tokenEndpoint = tokenEndpoint

diff --git a/Sources/Entities/AccessManagement/OIDCProviderMetadata.swift b/Sources/Entities/AccessManagement/OIDCProviderMetadata.swift
@@ -16,36 +16,37 @@
 import Foundation
 
 public struct OIDCProviderMetadata: Codable, Equatable {
-  public let issuer, authorizationEndpoint, tokenEndpoint, introspectionEndpoint: String
-  public let userinfoEndpoint, endSessionEndpoint: String
-  public let frontchannelLogoutSessionSupported, frontchannelLogoutSupported: Bool
-  public let jwksURI: String
-  public let checkSessionIframe: String
-  public let grantTypesSupported, acrValuesSupported, responseTypesSupported, subjectTypesSupported: [String]
-  public let idTokenSigningAlgValuesSupported, idTokenEncryptionAlgValuesSupported, idTokenEncryptionEncValuesSupported, userinfoSigningAlgValuesSupported: [String]
-  public let userinfoEncryptionAlgValuesSupported, userinfoEncryptionEncValuesSupported, requestObjectSigningAlgValuesSupported, requestObjectEncryptionAlgValuesSupported: [String]
-  public let requestObjectEncryptionEncValuesSupported, responseModesSupported: [String]
-  public let registrationEndpoint: String
-  public let tokenEndpointAuthMethodsSupported, tokenEndpointAuthSigningAlgValuesSupported, introspectionEndpointAuthMethodsSupported, introspectionEndpointAuthSigningAlgValuesSupported: [String]
-  public let authorizationSigningAlgValuesSupported, authorizationEncryptionAlgValuesSupported, authorizationEncryptionEncValuesSupported, claimsSupported: [String]
-  public let claimTypesSupported: [String]
-  public let claimsParameterSupported: Bool
-  public let scopesSupported: [String]
-  public let requestParameterSupported, requestURIParameterSupported, requireRequestURIRegistration: Bool
-  public let codeChallengeMethodsSupported: [String]
-  public let tlsClientCertificateBoundAccessTokens: Bool
-  public let dpopSigningAlgValuesSupported: [String]
-  public let revocationEndpoint: String
-  public let revocationEndpointAuthMethodsSupported, revocationEndpointAuthSigningAlgValuesSupported: [String]
-  public let backchannelLogoutSupported, backchannelLogoutSessionSupported: Bool
-  public let deviceAuthorizationEndpoint: String
-  public let backchannelTokenDeliveryModesSupported: [String]
-  public let backchannelAuthenticationEndpoint: String
-  public let backchannelAuthenticationRequestSigningAlgValuesSupported: [String]
-  public let requirePushedAuthorizationRequests: Bool
-  public let pushedAuthorizationRequestEndpoint: String
-  public let mtlsEndpointAliases: MtlsEndpointAliases
-  public let authorizationResponseIssParameterSupported: Bool
+  public let issuer, authorizationEndpoint, tokenEndpoint, introspectionEndpoint: String?
+  public let userinfoEndpoint, endSessionEndpoint: String?
+  public let frontchannelLogoutSessionSupported, frontchannelLogoutSupported: Bool?
+  public let jwksURI: String?
+  public let checkSessionIframe: String?
+  public let acrValuesSupported: [String]?
+  public let grantTypesSupported, responseTypesSupported, subjectTypesSupported: [String]?
+  public let idTokenSigningAlgValuesSupported, idTokenEncryptionAlgValuesSupported, idTokenEncryptionEncValuesSupported, userinfoSigningAlgValuesSupported: [String]?
+  public let userinfoEncryptionAlgValuesSupported, userinfoEncryptionEncValuesSupported, requestObjectSigningAlgValuesSupported, requestObjectEncryptionAlgValuesSupported: [String]?
+  public let requestObjectEncryptionEncValuesSupported, responseModesSupported: [String]?
+  public let registrationEndpoint: String?
+  public let tokenEndpointAuthMethodsSupported, tokenEndpointAuthSigningAlgValuesSupported, introspectionEndpointAuthMethodsSupported, introspectionEndpointAuthSigningAlgValuesSupported: [String]?
+  public let authorizationSigningAlgValuesSupported, authorizationEncryptionAlgValuesSupported, authorizationEncryptionEncValuesSupported, claimsSupported: [String]?
+  public let claimTypesSupported: [String]?
+  public let claimsParameterSupported: Bool?
+  public let scopesSupported: [String]?
+  public let requestParameterSupported, requestURIParameterSupported, requireRequestURIRegistration: Bool?
+  public let codeChallengeMethodsSupported: [String]?
+  public let tlsClientCertificateBoundAccessTokens: Bool?
+  public let dpopSigningAlgValuesSupported: [String]?
+  public let revocationEndpoint: String?
+  public let revocationEndpointAuthMethodsSupported, revocationEndpointAuthSigningAlgValuesSupported: [String]?
+  public let backchannelLogoutSupported, backchannelLogoutSessionSupported: Bool?
+  public let deviceAuthorizationEndpoint: String?
+  public let backchannelTokenDeliveryModesSupported: [String]?
+  public let backchannelAuthenticationEndpoint: String?
+  public let backchannelAuthenticationRequestSigningAlgValuesSupported: [String]?
+  public let requirePushedAuthorizationRequests: Bool?
+  public let pushedAuthorizationRequestEndpoint: String?
+  public let mtlsEndpointAliases: MtlsEndpointAliases?
+  public let authorizationResponseIssParameterSupported: Bool?
 
   enum CodingKeys: String, CodingKey {
     case issuer
@@ -105,7 +106,7 @@ public struct OIDCProviderMetadata: Codable, Equatable {
     case authorizationResponseIssParameterSupported = "authorization_response_iss_parameter_supported"
   }
 
-  public init(issuer: String, authorizationEndpoint: String, tokenEndpoint: String, introspectionEndpoint: String, userinfoEndpoint: String, endSessionEndpoint: String, frontchannelLogoutSessionSupported: Bool, frontchannelLogoutSupported: Bool, jwksURI: String, checkSessionIframe: String, grantTypesSupported: [String], acrValuesSupported: [String], responseTypesSupported: [String], subjectTypesSupported: [String], idTokenSigningAlgValuesSupported: [String], idTokenEncryptionAlgValuesSupported: [String], idTokenEncryptionEncValuesSupported: [String], userinfoSigningAlgValuesSupported: [String], userinfoEncryptionAlgValuesSupported: [String], userinfoEncryptionEncValuesSupported: [String], requestObjectSigningAlgValuesSupported: [String], requestObjectEncryptionAlgValuesSupported: [String], requestObjectEncryptionEncValuesSupported: [String], responseModesSupported: [String], registrationEndpoint: String, tokenEndpointAuthMethodsSupported: [String], tokenEndpointAuthSigningAlgValuesSupported: [String], introspectionEndpointAuthMethodsSupported: [String], introspectionEndpointAuthSigningAlgValuesSupported: [String], authorizationSigningAlgValuesSupported: [String], authorizationEncryptionAlgValuesSupported: [String], authorizationEncryptionEncValuesSupported: [String], claimsSupported: [String], claimTypesSupported: [String], claimsParameterSupported: Bool, scopesSupported: [String], requestParameterSupported: Bool, requestURIParameterSupported: Bool, requireRequestURIRegistration: Bool, codeChallengeMethodsSupported: [String], tlsClientCertificateBoundAccessTokens: Bool, dpopSigningAlgValuesSupported: [String], revocationEndpoint: String, revocationEndpointAuthMethodsSupported: [String], revocationEndpointAuthSigningAlgValuesSupported: [String], backchannelLogoutSupported: Bool, backchannelLogoutSessionSupported: Bool, deviceAuthorizationEndpoint: String, backchannelTokenDeliveryModesSupported: [String], backchannelAuthenticationEndpoint: String, backchannelAuthenticationRequestSigningAlgValuesSupported: [String], requirePushedAuthorizationRequests: Bool, pushedAuthorizationRequestEndpoint: String, mtlsEndpointAliases: MtlsEndpointAliases, authorizationResponseIssParameterSupported: Bool) {
+  public init(issuer: String?, authorizationEndpoint: String?, tokenEndpoint: String?, introspectionEndpoint: String?, userinfoEndpoint: String?, endSessionEndpoint: String?, frontchannelLogoutSessionSupported: Bool?, frontchannelLogoutSupported: Bool?, jwksURI: String?, checkSessionIframe: String?, grantTypesSupported: [String]?, acrValuesSupported: [String]?, responseTypesSupported: [String]?, subjectTypesSupported: [String]?, idTokenSigningAlgValuesSupported: [String]?, idTokenEncryptionAlgValuesSupported: [String]?, idTokenEncryptionEncValuesSupported: [String]?, userinfoSigningAlgValuesSupported: [String]?, userinfoEncryptionAlgValuesSupported: [String]?, userinfoEncryptionEncValuesSupported: [String]?, requestObjectSigningAlgValuesSupported: [String]?, requestObjectEncryptionAlgValuesSupported: [String]?, requestObjectEncryptionEncValuesSupported: [String]?, responseModesSupported: [String]?, registrationEndpoint: String?, tokenEndpointAuthMethodsSupported: [String]?, tokenEndpointAuthSigningAlgValuesSupported: [String]?, introspectionEndpointAuthMethodsSupported: [String]?, introspectionEndpointAuthSigningAlgValuesSupported: [String]?, authorizationSigningAlgValuesSupported: [String]?, authorizationEncryptionAlgValuesSupported: [String]?, authorizationEncryptionEncValuesSupported: [String]?, claimsSupported: [String]?, claimTypesSupported: [String]?, claimsParameterSupported: Bool?, scopesSupported: [String]?, requestParameterSupported: Bool?, requestURIParameterSupported: Bool?, requireRequestURIRegistration: Bool?, codeChallengeMethodsSupported: [String]?, tlsClientCertificateBoundAccessTokens: Bool?, dpopSigningAlgValuesSupported: [String]?, revocationEndpoint: String?, revocationEndpointAuthMethodsSupported: [String]?, revocationEndpointAuthSigningAlgValuesSupported: [String]?, backchannelLogoutSupported: Bool?, backchannelLogoutSessionSupported: Bool?, deviceAuthorizationEndpoint: String?, backchannelTokenDeliveryModesSupported: [String]?, backchannelAuthenticationEndpoint: String?, backchannelAuthenticationRequestSigningAlgValuesSupported: [String]?, requirePushedAuthorizationRequests: Bool?, pushedAuthorizationRequestEndpoint: String?, mtlsEndpointAliases: MtlsEndpointAliases?, authorizationResponseIssParameterSupported: Bool?) {
     self.issuer = issuer
     self.authorizationEndpoint = authorizationEndpoint
     self.tokenEndpoint = tokenEndpoint
@@ -169,6 +170,7 @@ public struct OIDCProviderMetadata: Codable, Equatable {
 }
 
 // MARK: - MtlsEndpointAliases
+
 public struct MtlsEndpointAliases: Codable {
   public let tokenEndpoint, revocationEndpoint, introspectionEndpoint, deviceAuthorizationEndpoint: String
   public let registrationEndpoint, userinfoEndpoint, pushedAuthorizationRequestEndpoint, backchannelAuthenticationEndpoint: String

diff --git a/Sources/Entities/CredentialIssuer/CredentialIssuerMetadata.swift b/Sources/Entities/CredentialIssuer/CredentialIssuerMetadata.swift
@@ -70,7 +70,10 @@ public struct CredentialIssuerMetadata: Codable, Equatable {
 
     // Decode each property as necessary, handling optionals and conversions.
     credentialIssuerIdentifier = try container.decode(CredentialIssuerId.self, forKey: .credentialIssuerIdentifier)
-    authorizationServers = try container.decode([URL].self, forKey: .authorizationServers)
+
+    let servers = try? container.decode([URL].self, forKey: .authorizationServers)
+    authorizationServers = servers ?? [credentialIssuerIdentifier.url]
+
     credentialEndpoint = try container.decode(CredentialIssuerEndpoint.self, forKey: .credentialEndpoint)
     batchCredentialEndpoint = try container.decodeIfPresent(CredentialIssuerEndpoint.self, forKey: .batchCredentialEndpoint)
     deferredCredentialEndpoint = try container.decodeIfPresent(CredentialIssuerEndpoint.self, forKey: .deferredCredentialEndpoint)

diff --git a/Sources/Entities/CredentialIssuer/RequestedCredentialResponseEncryption.swift b/Sources/Entities/CredentialIssuer/RequestedCredentialResponseEncryption.swift
@@ -75,11 +75,6 @@ public enum RequestedCredentialResponseEncryption {
     responseEncryptionAlg: JWEAlgorithm?,
     responseEncryptionMethod: JOSEEncryptionMethod?
   ) throws {
-    try Self.validate(
-      encryptionJwk: encryptionJwk,
-      responseEncryptionAlg: responseEncryptionAlg,
-      responseEncryptionMethod: responseEncryptionMethod
-    )
 
     guard
       let encryptionJwk,
@@ -91,6 +86,12 @@ public enum RequestedCredentialResponseEncryption {
       return
     }
 
+    try Self.validate(
+      encryptionJwk: encryptionJwk,
+      responseEncryptionAlg: responseEncryptionAlg,
+      responseEncryptionMethod: responseEncryptionMethod
+    )
+
     self = .requested(
       encryptionJwk: encryptionJwk,
       encryptionKey: encryptionKey,

diff --git a/Sources/Entities/CredentialOffer/CredentialOffer.swift b/Sources/Entities/CredentialOffer/CredentialOffer.swift
@@ -19,14 +19,14 @@ import SwiftyJSON
 public struct CredentialOffer {
   public let credentialIssuerIdentifier: CredentialIssuerId
   public let credentialIssuerMetadata: CredentialIssuerMetadata
-  public let credentials: [CredentialMetadata]
+  public let credentials: [CredentialIdentifier]
   public let grants: Grants?
   public let authorizationServerMetadata: IdentityAndAccessManagementMetadata
 
   public init(
     credentialIssuerIdentifier: CredentialIssuerId,
     credentialIssuerMetadata: CredentialIssuerMetadata,
-    credentials: [CredentialMetadata],
+    credentials: [CredentialIdentifier],
     grants: Grants? = nil,
     authorizationServerMetadata: IdentityAndAccessManagementMetadata
   ) throws {
@@ -37,7 +37,7 @@ public struct CredentialOffer {
     self.authorizationServerMetadata = authorizationServerMetadata
 
     if credentials.isEmpty {
-      throw CredentialOfferRequestError.genericError
+      throw CredentialOfferRequestError.emptyCredentialsError
     }
   }
 }