vck-openid/at.asitplus.wallet.lib.oidc/OidcSiopVerifier

OidcSiopVerifier

Combines Verifiable Presentations with OpenId Connect. Implements OIDC for VP (2023-04-21) as well as SIOP V2 (2023-01-01).

This class creates the Authentication Request, verifier verifies the response. See OidcSiopWallet for the holder.

Constructors

OidcSiopVerifier

constructor(keyMaterial: KeyMaterial = EphemeralKeyWithoutCert(), verifier: Verifier = VerifierAgent(keyMaterial), verifierJwsService: VerifierJwsService = DefaultVerifierJwsService(DefaultVerifierCryptoService()), jwsService: JwsService = DefaultJwsService(DefaultCryptoService(keyMaterial)), timeLeewaySeconds: Long = 300, clock: Clock = Clock.System, nonceService: NonceService = DefaultNonceService(), clientIdScheme: OidcSiopVerifier.ClientIdScheme, stateToNonceStore: MapStore<String, String> = DefaultMapStore(), stateToResponseTypeStore: MapStore<String, String> = DefaultMapStore())

Types

AuthnResponseResult

sealed class AuthnResponseResult

ClientIdScheme

sealed class ClientIdScheme

RequestOptions

data class RequestOptions(val credentials: Set<OidcSiopVerifier.RequestOptionsCredential>, val responseMode: OpenIdConstants.ResponseMode = OpenIdConstants.ResponseMode.Fragment, val responseUrl: String? = null, val responseType: String = VP_TOKEN, val state: String = uuid4().toString(), val clientMetadataUrl: String? = null, val encryption: Boolean = false)

RequestOptionsCredential

data class RequestOptionsCredential(val credentialScheme: ConstantIndex.CredentialScheme, val representation: ConstantIndex.CredentialRepresentation = ConstantIndex.CredentialRepresentation.PLAIN_JWT, val requestedAttributes: List<String>? = null)

Properties

metadata

val metadata: RelyingPartyMetadata

metadataWithEncryption

val metadataWithEncryption: RelyingPartyMetadata

Creates the RelyingPartyMetadata, but with parameters set to request encryption of pushed authentication responses, see RelyingPartyMetadata.authorizationEncryptedResponseAlg and RelyingPartyMetadata.authorizationEncryptedResponseEncoding.

Functions

createAuthnRequest

suspend fun createAuthnRequest(requestOptions: OidcSiopVerifier.RequestOptions): AuthenticationRequestParameters

Creates AuthenticationRequestParameters, to be encoded as query params appended to the URL of the Wallet, e.g. https://example.com?repsonse_type=... (see createAuthnRequestUrl)

createAuthnRequestAsSignedRequestObject

suspend fun createAuthnRequestAsSignedRequestObject(requestOptions: OidcSiopVerifier.RequestOptions): KmmResult<JwsSigned>

Creates an JWS Authorization Request (JAR, RFC9101), wrapping the usual AuthenticationRequestParameters.

createAuthnRequestUrl

suspend fun createAuthnRequestUrl(walletUrl: String, requestOptions: OidcSiopVerifier.RequestOptions): String

Creates an OIDC Authentication Request, encoded as query parameters to the walletUrl.

createAuthnRequestUrlWithRequestObject

suspend fun createAuthnRequestUrlWithRequestObject(walletUrl: String, requestOptions: OidcSiopVerifier.RequestOptions): KmmResult<String>

Creates an OIDC Authentication Request, encoded as query parameters to the walletUrl, containing a JWS Authorization Request (JAR, RFC9101) in request, containing the request parameters itself.

createAuthnRequestUrlWithRequestObjectByReference

suspend fun createAuthnRequestUrlWithRequestObjectByReference(walletUrl: String, requestUrl: String, requestOptions: OidcSiopVerifier.RequestOptions): KmmResult<Pair<String, String>>

Creates an OIDC Authentication Request, encoded as query parameters to the walletUrl, containing a reference (request_uri, see AuthenticationRequestParameters.requestUri) to the JWS Authorization Request (JAR, RFC9101), containing the request parameters itself.

createQrCodeUrl

fun createQrCodeUrl(walletUrl: String, clientMetadataUrl: String, requestUrl: String): String

Create a URL to be displayed as a static QR code for Wallet initiation. URL is the walletUrl, with query parameters appended for clientMetadataUrl, requestUrl and clientIdScheme.clientId.

createSignedMetadata

suspend fun createSignedMetadata(): KmmResult<JwsSigned>

Creates a JWS containing signed RelyingPartyMetadata, to be served under a client_metadata_uri at the Verifier.

validateAuthnResponse

suspend fun validateAuthnResponse(params: AuthenticationResponseParameters): OidcSiopVerifier.AuthnResponseResult

Validates AuthenticationResponseParameters from the Wallet

suspend fun validateAuthnResponse(url: String): OidcSiopVerifier.AuthnResponseResult

Validates the OIDC Authentication Response from the Wallet, where url is the whole URL, containing the AuthenticationResponseParameters as the fragment, e.g. https://example.com#id_token=...

validateAuthnResponseFromPost

suspend fun validateAuthnResponseFromPost(content: String): OidcSiopVerifier.AuthnResponseResult

Validates the OIDC Authentication Response from the Wallet, where content are the HTTP POST encoded AuthenticationResponseParameters, e.g. id_token=...&vp_token=...