SimpleAuthorizationService

class SimpleAuthorizationService(
    strategy: AuthorizationServiceStrategy,
    codeService: CodeService = DefaultCodeService(),
    val publicContext: String = "https://wallet.a-sit.at/authorization-server",
    authorizationEndpointPath: String = "/authorize",
    tokenEndpointPath: String = "/token",
    pushedAuthorizationRequestEndpointPath: String = "/par",
    userInfoEndpointPath: String = "/userinfo",
    introspectionEndpointPath: String = "/introspect",
    issuerStateToCredentialOffer: MapStore<String, CredentialOffer> = DefaultMapStore(),
    codeToClientAuthRequest: MapStore<String, ClientAuthRequest> = DefaultMapStore(),
    refreshTokenToAuthRequest: MapStore<String, ClientAuthRequest> = DefaultMapStore(),
    requestUriToPushedAuthorizationRequest: MapStore<String, AuthenticationRequestParameters> = DefaultMapStore(),
    tokenService: TokenService = TokenService.bearer(nonceService = DefaultNonceService()),
    clientAuthenticationService: ClientAuthenticationService = ClientAuthenticationService(
        enforceClientAuthentication = false,
        verifyClientAttestationJwt = { true }
    ),
    requestParser: RequestParser = RequestParser(
        /** By default, do not retrieve authn requests referenced by `request_uri`. */
        remoteResourceRetriever = { null },
        /** Trust all JWS signatures, client will be authenticated anyway. */
        requestObjectJwsVerifier = { true },
        /** Not necessary to load the authn request referenced by `request_uri`. */
        buildRequestObjectParameters = { null }
    ),
    requirePushedAuthorizationRequests: Boolean = true,
    requestObjectSigningAlgorithms: Set<JwsAlgorithm.Signature>? = setOf(JwsAlgorithm.Signature.ES256)
) : OAuth2AuthorizationServerAdapter, AuthorizationService

Simple authorization server implementation, to be used for CredentialIssuer, with the actual authentication and authorization logic for credential schemes implemented in strategy.

Implemented from OpenID for Verifiable Credential Issuance 1.0 from 2025-09-16. Also implements the necessary parts of OpenID4VC HAIP, Draft 03, 2025-02-07, e.g.:
- OAuth 2.0 Pushed Authorization Requests
- Proof Key for Code Exchange by OAuth Public Clients
- OAuth 2.0 Demonstrating Proof of Possession (DPoP)
- OAuth 2.0 Attestation-Based Client Authentication
- OAuth 2.0 Token Introspection
- OAuth 2.0 Token Exchange

Constructors

constructor(
    strategy: AuthorizationServiceStrategy,
    codeService: CodeService = DefaultCodeService(),
    publicContext: String = "https://wallet.a-sit.at/authorization-server",
    authorizationEndpointPath: String = "/authorize",
    tokenEndpointPath: String = "/token",
    pushedAuthorizationRequestEndpointPath: String = "/par",
    userInfoEndpointPath: String = "/userinfo",
    introspectionEndpointPath: String = "/introspect",
    issuerStateToCredentialOffer: MapStore<String, CredentialOffer> = DefaultMapStore(),
    codeToClientAuthRequest: MapStore<String, ClientAuthRequest> = DefaultMapStore(),
    refreshTokenToAuthRequest: MapStore<String, ClientAuthRequest> = DefaultMapStore(),
    requestUriToPushedAuthorizationRequest: MapStore<String, AuthenticationRequestParameters> = DefaultMapStore(),
    tokenService: TokenService = TokenService.bearer(nonceService = DefaultNonceService()),
    clientAuthenticationService: ClientAuthenticationService = ClientAuthenticationService(
        enforceClientAuthentication = false,
        verifyClientAttestationJwt = { true }
    ),
    requestParser: RequestParser = RequestParser(
        /** By default, do not retrieve authn requests referenced by `request_uri`. */
        remoteResourceRetriever = { null },
        /** Trust all JWS signatures, client will be authenticated anyway. */
        requestObjectJwsVerifier = { true },
        /** Not necessary to load the authn request referenced by `request_uri`. */
        buildRequestObjectParameters = { null }
    ),
    requirePushedAuthorizationRequests: Boolean = true,
    requestObjectSigningAlgorithms: Set<JwsAlgorithm.Signature>? = setOf(JwsAlgorithm.Signature.ES256)
)

Properties

open override val publicContext: String

Used in several fields in OAuth2AuthorizationServerMetadata, to provide endpoint URLs to clients.

Functions

open suspend override fun authorize(input: RequestParameters, loadUserFun: OAuth2LoadUserFun): KmmResult<AuthenticationResponseResult.Redirect>

Builds the authentication response for the specific user obtained from loadUserFun. Send this result as the Location header of a 302 response to the client.


Offer all available schemes from strategy to clients.

suspend fun credentialOfferWithPreAuthnForUser(user: OidcUserInfoExtended, credentialIssuer: String, configurationIds: Collection<String> = this.strategy.allCredentialIdentifier()): CredentialOffer

Offer all available schemes from strategy to clients.

open suspend override fun getDpopNonce(): String?

If this is an internal AS, provide a fresh DPoP nonce for clients.

open suspend override fun getTokenInfo(authorizationHeader: String, httpRequest: RequestInfo?): KmmResult<TokenInfo>

Obtains information about the token directly from our tokenService, since this is an in-memory implementation (as an OAuth2AuthorizationServerAdapter, we can access tokenService directly).

open suspend override fun getUserInfo(authorizationHeader: String, httpRequest: RequestInfo?): KmmResult<JsonObject>

Obtains a JSON object representing at.asitplus.openid.OidcUserInfo from the Authorization Server, and since we're implementing OAuth2AuthorizationServerAdapter here, this is the same as userInfo.

open suspend override fun metadata(): OAuth2AuthorizationServerMetadata

Serve this result JSON-serialized under /.well-known/openid-configuration, see OpenIdConstants.WellKnownPaths.OpenidConfiguration, and under /.well-known/oauth-authorization-server, see OpenIdConstants.WellKnownPaths.OauthAuthorizationServer.

open suspend override fun par(request: RequestParameters, httpRequest: RequestInfo?): KmmResult<PushedAuthenticationResponseParameters>
open suspend override fun par(input: String, httpRequest: RequestInfo?): KmmResult<PushedAuthenticationResponseParameters>

Pushed authorization request endpoint as defined in RFC 9126. Clients send their authorization request as HTTP POST with application/x-www-form-urlencoded to the AS.

open suspend override fun token(request: TokenRequestParameters, httpRequest: RequestInfo?): KmmResult<TokenResponseParameters>

Verifies the authorization code sent by the client and issues an access token using tokenService. Send this value JSON-serialized back to the client.

open suspend override fun tokenIntrospection(request: TokenIntrospectionRequest, httpRequest: RequestInfo?): KmmResult<TokenIntrospectionResponse>

Token introspection endpoint as defined in RFC 7662 (OAuth 2.0 Token Introspection).

open suspend override fun userInfo(authorizationHeader: String, httpRequest: RequestInfo?): KmmResult<JsonObject>

Returns the user info associated with the access token in authorizationHeader, provided that token is valid.

open suspend override fun validateAccessToken(authorizationHeader: String, httpRequest: RequestInfo?): KmmResult<Boolean>

Validates the access token sent to CredentialIssuer.credential.
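The HTTP wiring the descriptions above ask for (serve metadata() under both well-known paths, accept the pushed authorization request as a raw form-encoded body, gate the credential endpoint on validateAccessToken() with RFC 6750 challenges), as an added Ktor 2.x example that is not part of vck. Assumptions: the package path of SimpleAuthorizationService, that the returned vck classes are kotlinx-@Serializable, and that passing httpRequest = null is adequate for the bearer-token default (a DPoP deployment would pass the actual RequestInfo); authorizationServerModule and hasValidAccessToken are names chosen here.

```kotlin
import at.asitplus.wallet.lib.oauth2.SimpleAuthorizationService  // assumed package path
import io.ktor.http.*
import io.ktor.serialization.kotlinx.json.*
import io.ktor.server.application.*
import io.ktor.server.plugins.contentnegotiation.*
import io.ktor.server.request.*
import io.ktor.server.response.*
import io.ktor.server.routing.*

/** Wires the AS endpoints described on this page into Ktor routes; the service is constructed elsewhere. */
fun Application.authorizationServerModule(authorizationService: SimpleAuthorizationService) {
    install(ContentNegotiation) { json() }  // assumes the vck result classes are kotlinx-@Serializable
    routing {
        // Both well-known locations serve the same metadata() document.
        for (path in listOf("/.well-known/openid-configuration", "/.well-known/oauth-authorization-server")) {
            get(path) { call.respond(authorizationService.metadata()) }
        }
        // RFC 9126: clients POST application/x-www-form-urlencoded; the String overload of par() takes the raw body.
        post("/par") {
            val result = authorizationService.par(call.receiveText(), httpRequest = null)
            result.getOrNull()?.let { call.respond(HttpStatusCode.Created, it) }
                ?: call.respondText("""{"error":"invalid_request"}""", ContentType.Application.Json, HttpStatusCode.BadRequest)
        }
        // Resource-server side: gate CredentialIssuer.credential on validateAccessToken().
        post("/credential") {
            if (!call.hasValidAccessToken(authorizationService)) return@post
            // hand the request over to CredentialIssuer.credential here (its signature is not part of this page)
        }
    }
}

/** Responds 401 per RFC 6750 and returns false unless the Authorization header carries a valid token. */
suspend fun ApplicationCall.hasValidAccessToken(authorizationService: SimpleAuthorizationService): Boolean {
    val header = request.header(HttpHeaders.Authorization)
    if (header == null) {
        response.header(HttpHeaders.WWWAuthenticate, "Bearer")  // no credentials at all: bare challenge
        respond(HttpStatusCode.Unauthorized)
        return false
    }
    // KmmResult<Boolean>: a failed result and an explicit false are both treated as "not valid".
    val valid = authorizationService.validateAccessToken(header, httpRequest = null).getOrNull() == true
    if (!valid) {
        response.header(HttpHeaders.WWWAuthenticate, """Bearer error="invalid_token"""")
        respond(HttpStatusCode.Unauthorized)
    }
    return valid
}
```

The authorize and token endpoints are left out because their input types (OAuth2LoadUserFun, TokenRequestParameters) are not described on this page. Note that the constructor defaults listed above do not enforce client authentication and accept any request-object JWS signature, so review them before exposing the service.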