Package-level declarations

Types


Provides the interface for implementing an OAuth 2.0 Authorization Server, which may be used through an at.asitplus.wallet.lib.oidvci.OAuth2AuthorizationServerAdapter for an at.asitplus.wallet.lib.oidvci.CredentialIssuer.


Strategy to implement authorization for credential requests (with scope or OpenIdAuthorizationDetails) in SimpleAuthorizationService.

class BearerTokenGenerationService(nonceService: NonceService = DefaultNonceService(), accessTokenToValidatedAccessToken: MapStore<String, ValidatedAccessToken> = DefaultMapStore()) : TokenGenerationService

Simple bearer token generation for an OAuth 2.0 authorization server: the token is just a nonce from nonceService, and the data associated with it is kept in accessTokenToValidatedAccessToken. Bearer tokens are not sender-constrained — whoever holds the token can use it — so they must be protected in transit and at rest.

class BearerTokenService(val generation: BearerTokenGenerationService, val verification: BearerTokenVerificationService, val dpopSigningAlgValuesSupportedStrings: Set<String>?, val supportsRefreshTokens: Boolean) : TokenService

Combines the simple bearer tokens from BearerTokenGenerationService with their verification in BearerTokenVerificationService. Unlike JwtTokenService, the resulting tokens are not sender-constrained.


Verifies bearer tokens that have been generated by BearerTokenGenerationService. This only works for an internal authorization server (one that shares the token store with the generation service), because the token itself carries no claims: the associated user data can only be looked up in that shared store.

class ClientAuthenticationService(enforceClientAuthentication: Boolean = false, verifyJwsObject: VerifyJwsObjectFun = VerifyJwsObject(), verifyJwsSignatureWithCnf: VerifyJwsSignatureWithCnfFun = VerifyJwsSignatureWithCnf(), verifyClientAttestationJwt: suspend (JwsSigned<JsonWebToken>) -> Boolean = { true })

Simple client authentication service for an OAuth 2.0 AS. Note the permissive defaults: with enforceClientAuthentication = false, unauthenticated clients are accepted, and the default verifyClientAttestationJwt accepts every client attestation JWT without checking it. Production deployments should enable enforcement and supply a verifier that actually validates the attestation against trusted issuers.

data class ClientAuthRequest(val issuedCode: String, val userInfo: OidcUserInfoExtended, val scope: String? = null, val authnDetails: Collection<AuthorizationDetails>? = null, val codeChallenge: String? = null)

Information extracted from at.asitplus.openid.AuthenticationRequestParameters, stored so that the server remembers what the client initially requested (scope and/or authnDetails), which userInfo is associated with that request, and the PKCE codeChallenge, if one was supplied.

class JwtTokenGenerationService(nonceService: NonceService = DefaultNonceService(), dpopNonceService: NonceService = DefaultNonceService(), publicContext: String = "https://wallet.a-sit.at/authorization-server", keyMaterial: KeyMaterial = EphemeralKeyWithoutCert(), signToken: SignJwtFun<OpenId4VciAccessToken> = SignJwt(keyMaterial, JwsHeaderCertOrJwk()), clock: Clock = System, issueRefreshToken: Boolean = false, jwtIdToUserInfoExtended: MapStore<String, OidcUserInfoExtended> = DefaultMapStore()) : TokenGenerationService

Simple DPoP (sender-constrained) JWT token generation for an OAuth 2.0 authorization server, with OpenId4VciAccessToken as payload. Note that the default keyMaterial is an EphemeralKeyWithoutCert: tokens signed with it can only be verified by a JwtTokenVerificationService configured with the matching issuerKey, so a persistent deployment should supply stable key material.

class JwtTokenService(val generation: JwtTokenGenerationService, val verification: JwtTokenVerificationService, val dpopSigningAlgValuesSupportedStrings: Set<String>?, val supportsRefreshTokens: Boolean) : TokenService

Combines sender-constrained JWT tokens from JwtTokenGenerationService and JwtTokenVerificationService.

class JwtTokenVerificationService(nonceService: NonceService, dpopNonceService: NonceService = DefaultNonceService(), issuerKey: JsonWebKey, verifyJwsObject: VerifyJwsObjectFun = VerifyJwsObject(), verifyJwsSignatureWithKey: VerifyJwsSignatureWithKeyFun = VerifyJwsSignatureWithKey(), clock: Clock = System, timeLeeway: Duration = 5.minutes) : TokenVerificationService

Verifies JWT tokens that have been generated by JwtTokenGenerationService, parsing them as OpenId4VciAccessToken. The constructor takes issuerKey for signature verification, and clock together with timeLeeway (default 5 minutes) for the time-based checks.

class OAuth2Client(val clientId: String = "https://wallet.a-sit.at/app", val redirectUrl: String = "/callback", stateToCodeStore: MapStore<String, String> = DefaultMapStore(), val signPushedAuthorizationRequest: SignJwtFun<AuthenticationRequestParameters>? = SignJwt(EphemeralKeyWithSelfSignedCert(), JwsHeaderCertOrJwk()), randomSource: RandomSource = RandomSource.Default)

Simple OAuth 2.0 client that performs authorization against an OAuth 2.0 Authorization Server and requests tokens. By default, pushed authorization requests are signed with an EphemeralKeyWithSelfSignedCert (see signPushedAuthorizationRequest); pass null to send them unsigned, or supply your own signing function to use trusted client key material.

@Serializable
data class OpenId4VciAccessToken(val issuer: String? = null, val audience: String? = null, val notBefore: Instant? = null, val expiration: Instant? = null, val jwtId: String? = null, val confirmationClaim: ConfirmationClaim? = null, val scope: String? = null, val authorizationDetails: Set<AuthorizationDetails>? = null)
data class RequestInfo(val url: String, val method: HttpMethod, val dpop: String? = null, val clientAttestation: String? = null, val clientAttestationPop: String? = null)

Holds information about the HTTP request the client has made (URL, method, and the optional DPoP proof, client attestation and client attestation PoP values), used to validate client authentication.

class SimpleAuthorizationService(strategy: AuthorizationServiceStrategy, codeService: CodeService = DefaultCodeService(), val publicContext: String = "https://wallet.a-sit.at/authorization-server", authorizationEndpointPath: String = "/authorize", tokenEndpointPath: String = "/token", pushedAuthorizationRequestEndpointPath: String = "/par", userInfoEndpointPath: String = "/userinfo", introspectionEndpointPath: String = "/introspect", issuerStateToCredentialOffer: MapStore<String, CredentialOffer> = DefaultMapStore(), codeToClientAuthRequest: MapStore<String, ClientAuthRequest> = DefaultMapStore(), refreshTokenToAuthRequest: MapStore<String, ClientAuthRequest> = DefaultMapStore(), requestUriToPushedAuthorizationRequest: MapStore<String, AuthenticationRequestParameters> = DefaultMapStore(), tokenService: TokenService = TokenService.bearer(nonceService = DefaultNonceService()), clientAuthenticationService: ClientAuthenticationService = ClientAuthenticationService( enforceClientAuthentication = false, verifyClientAttestationJwt = { true } ), requestParser: RequestParser = RequestParser( /** By default, do not retrieve authn requests referenced by `request_uri`. */ remoteResourceRetriever = { null }, /** Trust all JWS signatures, client will be authenticated anyway. */ requestObjectJwsVerifier = { true }, /** Not necessary to load the authn request referenced by `request_uri`. */ buildRequestObjectParameters = { null } ), requirePushedAuthorizationRequests: Boolean = true, requestObjectSigningAlgorithms: Set<JwsAlgorithm.Signature>? = setOf(JwsAlgorithm.Signature.ES256)) : OAuth2AuthorizationServerAdapter, AuthorizationService

Simple authorization server implementation, to be used for CredentialIssuer, with the actual authentication and authorization logic for credential schemes implemented in strategy. Note that the defaults are permissive: tokenService issues plain bearer tokens, clientAuthenticationService does not enforce client authentication and accepts any client attestation JWT, and requestParser trusts every request-object JWS signature on the assumption that the client is authenticated anyway (which, with the default clientAuthenticationService, it is not). For production use, supply a sender-constrained TokenService, enable client authentication enforcement with a real attestation verifier, and verify request-object signatures.


Strategy to generate access tokens, to use in SimpleAuthorizationService.

interface TokenService

Access token service that combines generation and verification, i.e., it is suitable to be used in an implementation of an OAuth 2.0 Authorization Server.


Verifies access tokens and refresh tokens that may have been generated by a TokenGenerationService or by any other OAuth 2.0 authorization server.

@Serializable
data class ValidatedAccessToken(val token: String, val userInfoExtended: OidcUserInfoExtended? = null, val authorizationDetails: Set<AuthorizationDetails>? = null, val scope: String? = null)

Internal representation of an issued access token together with the data validated for it: the associated user info, authorization details and scope.