SimpleAuthorizationService

class SimpleAuthorizationService(
    strategy: AuthorizationServiceStrategy,
    dataProvider: OAuth2DataProvider,
    codeService: CodeService = DefaultCodeService(),
    val publicContext: String = "https://wallet.a-sit.at/authorization-server",
    authorizationEndpointPath: String = "/authorize",
    tokenEndpointPath: String = "/token",
    pushedAuthorizationRequestEndpointPath: String = "/par",
    issuerStateToCredentialOffer: MapStore<String, CredentialOffer> = DefaultMapStore(),
    codeToClientAuthRequest: MapStore<String, ClientAuthRequest> = DefaultMapStore(),
    refreshTokenToAuthRequest: MapStore<String, ClientAuthRequest> = DefaultMapStore(),
    requestUriToPushedAuthorizationRequest: MapStore<String, AuthenticationRequestParameters> = DefaultMapStore(),
    tokenService: TokenService = TokenService.bearer(
        nonceService = DefaultNonceService(),
    ),
    clientAuthenticationService: ClientAuthenticationService = ClientAuthenticationService(
        enforceClientAuthentication = false,
        verifierJwsService = DefaultVerifierJwsService(),
        verifyClientAttestationJwt = { true }
    ),
    requestParser: RequestParser = RequestParser(
        /** By default, do not retrieve authn requests referenced by `request_uri`. */
        remoteResourceRetriever = { null },
        /** Trust all JWS signatures, client will be authenticated anyway. */
        requestObjectJwsVerifier = { true },
        /** Not necessary to load the authn request referenced by `request_uri`. */
        buildRequestObjectParameters = { null }
    )
) : OAuth2AuthorizationServerAdapter

Simple authorization server implementation, to be used with CredentialIssuer; the actual authentication and authorization logic is implemented in strategy.

Implemented from OpenID for Verifiable Credential Issuance, Draft 15, 2024-12-19. Also implements the necessary parts of OpenID4VC HAIP, Draft 03, 2025-02-07, i.e. OAuth 2.0 Pushed Authorization Requests, Proof Key for Code Exchange by OAuth Public Clients (PKCE), OAuth 2.0 Demonstrating Proof of Possession (DPoP) and OAuth 2.0 Attestation-Based Client Authentication.

Constructors

constructor(
    strategy: AuthorizationServiceStrategy,
    dataProvider: OAuth2DataProvider,
    codeService: CodeService = DefaultCodeService(),
    publicContext: String = "https://wallet.a-sit.at/authorization-server",
    authorizationEndpointPath: String = "/authorize",
    tokenEndpointPath: String = "/token",
    pushedAuthorizationRequestEndpointPath: String = "/par",
    issuerStateToCredentialOffer: MapStore<String, CredentialOffer> = DefaultMapStore(),
    codeToClientAuthRequest: MapStore<String, ClientAuthRequest> = DefaultMapStore(),
    refreshTokenToAuthRequest: MapStore<String, ClientAuthRequest> = DefaultMapStore(),
    requestUriToPushedAuthorizationRequest: MapStore<String, AuthenticationRequestParameters> = DefaultMapStore(),
    tokenService: TokenService = TokenService.bearer(
        nonceService = DefaultNonceService(),
    ),
    clientAuthenticationService: ClientAuthenticationService = ClientAuthenticationService(
        enforceClientAuthentication = false,
        verifierJwsService = DefaultVerifierJwsService(),
        verifyClientAttestationJwt = { true }
    ),
    requestParser: RequestParser = RequestParser(
        /** By default, do not retrieve authn requests referenced by `request_uri`. */
        remoteResourceRetriever = { null },
        /** Trust all JWS signatures, client will be authenticated anyway. */
        requestObjectJwsVerifier = { true },
        /** Not necessary to load the authn request referenced by `request_uri`. */
        buildRequestObjectParameters = { null }
    )
)

Properties

Serve this result JSON-serialized under /.well-known/openid-configuration (see OpenIdConstants.PATH_WELL_KNOWN_OPENID_CONFIGURATION) and under /.well-known/oauth-authorization-server (see OpenIdConstants.PATH_WELL_KNOWN_OAUTH_AUTHORIZATION_SERVER).

open override val publicContext: String

Used in several fields in OAuth2AuthorizationServerMetadata, to provide endpoint URLs to clients.

How to verify the access tokens that CredentialIssuer needs to check before issuing credentials.

Functions

suspend fun authorize(input: String): KmmResult<KmmResult<AuthenticationResponseResult.Redirect>>

Builds the authentication response. Send this result as the HTTP Location header in a 302 response to the client.

Offer all available schemes from strategy to clients.

suspend fun par(
    request: AuthenticationRequestParameters,
    clientAttestation: String? = null,
    clientAttestationPop: String? = null
): KmmResult<PushedAuthenticationResponseParameters>

suspend fun par(
    input: String,
    clientAttestation: String? = null,
    clientAttestationPop: String? = null
): KmmResult<KmmResult<PushedAuthenticationResponseParameters>>

Pushed authorization request endpoint as defined in RFC 9126. Clients send their authorization request to the AS as an HTTP POST with Content-Type application/x-www-form-urlencoded.

open suspend override fun providePreAuthorizedCode(user: OidcUserInfoExtended): String

Provide a pre-authorized code (for the pre-authorized code flow defined in OID4VCI), to be used by the Wallet implementation to load credentials.

suspend fun token(request: TokenRequestParameters, httpRequest: RequestInfo? = null): KmmResult<TokenResponseParameters>

Verifies the authorization code sent by the client and issues an access token. Send this value JSON-serialized back to the client.
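The PAR endpoint (par) and the authorization-code verification done by token, as an added example that is independent of this library and is not the project's own code: a constructed Python model of the three endpoints, covering the checks the text assigns to them (form-encoded PAR input, a request_uri that is redeemed once at authorize, and a code at token that is single-use, bound to client_id and redirect_uri, and verified against an S256 PKCE challenge per RFC 7636). All names here (MiniAuthorizationServer, OAuthError, run_flow, replay_rejected, the wallet-demo client) are assumptions of this example, not identifiers of the Kotlin API above; DPoP and client attestation are not modelled.

```python
"""Constructed model of PAR (RFC 9126) + authorization code + PKCE S256 checks."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

PAR_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # RFC 9126 section 2.2


class OAuthError(Exception):
    """Carries the RFC 6749 error code the endpoint would return to the client."""
    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}")
        self.error = error


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    code_challenge: str
    expires_at: float
    used: bool = False


def _form(body: str) -> dict:
    """application/x-www-form-urlencoded body -> dict of single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def pkce_pair() -> tuple[str, str]:
    """Client side of RFC 7636: random verifier and its S256 challenge."""
    verifier = secrets.token_urlsafe(48)  # 64 chars, within the 43..128 limits
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class MiniAuthorizationServer:
    """In-memory stand-in for the par / authorize / token endpoints (hypothetical)."""
    def __init__(self, now=time.time, par_ttl: int = 60, code_ttl: int = 60):
        self.now = now
        self.par_ttl, self.code_ttl = par_ttl, code_ttl
        self.request_uri_to_par: dict[str, tuple[dict, float]] = {}
        self.code_to_request: dict[str, IssuedCode] = {}

    def par(self, form_body: str) -> dict:
        p = _form(form_body)
        if "request_uri" in p:  # RFC 9126 forbids request_uri inside a pushed request
            raise OAuthError("invalid_request", "request_uri not allowed here")
        for name in ("client_id", "response_type", "redirect_uri", "code_challenge"):
            if name not in p:
                raise OAuthError("invalid_request", f"missing {name}")
        if p.get("code_challenge_method") != "S256":
            raise OAuthError("invalid_request", "only S256 is accepted")
        request_uri = PAR_URI_PREFIX + secrets.token_urlsafe(32)
        self.request_uri_to_par[request_uri] = (p, self.now() + self.par_ttl)
        return {"request_uri": request_uri, "expires_in": self.par_ttl}

    def authorize(self, query: str) -> str:
        """Returns the redirect URL to send in the Location header of a 302."""
        q = _form(query)
        entry = self.request_uri_to_par.pop(q.get("request_uri", ""), None)  # one-time use
        if entry is None or entry[1] < self.now():
            raise OAuthError("invalid_request", "unknown or expired request_uri")
        p, _ = entry
        if p["client_id"] != q.get("client_id"):
            raise OAuthError("invalid_request", "client_id does not match pushed request")
        code = secrets.token_urlsafe(32)
        self.code_to_request[code] = IssuedCode(
            p["client_id"], p["redirect_uri"], p["code_challenge"], self.now() + self.code_ttl)
        redirect_params = {"code": code}
        if "state" in p:
            redirect_params["state"] = p["state"]
        return p["redirect_uri"] + "?" + urlencode(redirect_params)

    def token(self, form_body: str) -> dict:
        t = _form(form_body)
        if t.get("grant_type") != "authorization_code":
            raise OAuthError("unsupported_grant_type")
        issued = self.code_to_request.get(t.get("code", ""))
        if issued is None or issued.used or issued.expires_at < self.now():
            raise OAuthError("invalid_grant", "code unknown, replayed or expired")
        issued.used = True  # burn the code before any further check
        if issued.client_id != t.get("client_id") or issued.redirect_uri != t.get("redirect_uri"):
            raise OAuthError("invalid_grant", "code was issued to another client/redirect_uri")
        verifier = t.get("code_verifier", "")
        if not 43 <= len(verifier) <= 128:
            raise OAuthError("invalid_grant", "code_verifier length out of range")
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
        if not secrets.compare_digest(expected, issued.code_challenge):
            raise OAuthError("invalid_grant", "PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}


def run_flow(server: MiniAuthorizationServer, client_id: str = "wallet-demo",
             redirect_uri: str = "https://wallet.example/cb", tamper_verifier: bool = False):
    """Plays both sides of the exchange; returns (token response, token request body)."""
    verifier, challenge = pkce_pair()
    pushed = server.par(urlencode({"client_id": client_id, "response_type": "code",
                                   "redirect_uri": redirect_uri, "state": "s1",
                                   "code_challenge": challenge, "code_challenge_method": "S256"}))
    location = server.authorize(urlencode({"client_id": client_id, "request_uri": pushed["request_uri"]}))
    code = parse_qs(urlparse(location).query)["code"][0]
    if tamper_verifier:
        verifier = pkce_pair()[0]  # a verifier that does not match the pushed challenge
    body = urlencode({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                      "redirect_uri": redirect_uri, "code_verifier": verifier})
    return server.token(body), body


def replay_rejected(server: MiniAuthorizationServer, token_body: str) -> str:
    """Replays a token request; returns the error code, or 'accepted' if it wrongly succeeds."""
    try:
        server.token(token_body)
    except OAuthError as e:
        return e.error
    return "accepted"
```

The ordering in token matters: the code is marked used before the client binding and PKCE checks run, so a failed attempt cannot be retried with corrected parameters, and a replay of an already-redeemed code returns invalid_grant rather than leaking whether the code was ever valid.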