Implement OIDC4VCI Credential Endpoint

config/config.go

@@ -12,6 +12,7 @@ import (
  "github.com/joho/godotenv"
  "github.com/pkg/errors"
  "github.com/sirupsen/logrus"
+ "golang.org/x/oauth2/clientcredentials"
 )
 
 const (
@@ -35,6 +36,11 @@ type SSIServiceConfig struct {
  Services ServicesConfig `toml:"services"`
 }
 
+type OIDCConfig struct {
+ IntrospectEndpoint string `toml:"introspect_endpoint" conf:"http://authserver/introspect"`
+ ClientCredentials clientcredentials.Config `toml:"client_credentials"`
+}
+
 // ServerConfig represents configurable properties for the HTTP server
 type ServerConfig struct {
  APIHost string `toml:"api_host" conf:"default:0.0.0.0:3000"`
@@ -48,6 +54,7 @@ type ServerConfig struct {
  LogLevel string `toml:"log_level" conf:"default:debug"`
  EnableSchemaCaching bool `toml:"enable_schema_caching" conf:"default:true"`
  EnableAllowAllCORS bool `toml:"enable_allow_all_cors" conf:"default:false"`
+ OIDCConfig OIDCConfig `toml:"oidc_config"`
 }
 
 type IssuingServiceConfig struct {
@@ -61,6 +68,10 @@ func (s *IssuingServiceConfig) IsEmpty() bool {
  return reflect.DeepEqual(s, &IssuingServiceConfig{})
 }
 
+type OIDCCredentialServiceConfig struct {
+ CNonceExpiresIn *time.Duration `toml:"c_nonce_expired_in,omitempty"`
+}
+
 // ServicesConfig represents configurable properties for the components of the SSI Service
 type ServicesConfig struct {
  // at present, it is assumed that a single storage provider works for all services
@@ -71,14 +82,15 @@ type ServicesConfig struct {
  ServiceEndpoint string `toml:"service_endpoint"`
 
  // Embed all service-specific configs here. The order matters: from which should be instantiated first, to last
- KeyStoreConfig KeyStoreServiceConfig `toml:"keystore,omitempty"`
- DIDConfig DIDServiceConfig `toml:"did,omitempty"`
- IssuingServiceConfig IssuingServiceConfig `toml:"issuing,omitempty"`
- SchemaConfig SchemaServiceConfig `toml:"schema,omitempty"`
- CredentialConfig CredentialServiceConfig `toml:"credential,omitempty"`
- ManifestConfig ManifestServiceConfig `toml:"manifest,omitempty"`
- PresentationConfig PresentationServiceConfig `toml:"presentation,omitempty"`
- WebhookConfig WebhookServiceConfig `toml:"webhook,omitempty"`
+ KeyStoreConfig KeyStoreServiceConfig `toml:"keystore,omitempty"`
+ DIDConfig DIDServiceConfig `toml:"did,omitempty"`
+ IssuingServiceConfig IssuingServiceConfig `toml:"issuing,omitempty"`
+ SchemaConfig SchemaServiceConfig `toml:"schema,omitempty"`
+ CredentialConfig CredentialServiceConfig `toml:"credential,omitempty"`
+ ManifestConfig ManifestServiceConfig `toml:"manifest,omitempty"`
+ PresentationConfig PresentationServiceConfig `toml:"presentation,omitempty"`
+ WebhookConfig WebhookServiceConfig `toml:"webhook,omitempty"`
+ OIDCCredentialConfig OIDCCredentialServiceConfig `toml:"oidc,omitempty"`
 }
 
 // BaseServiceConfig represents configurable properties for a specific component of the SSI Service
@@ -277,6 +289,7 @@ func loadDefaultServicesConfig(config *SSIServiceConfig) {
  WebhookConfig: WebhookServiceConfig{
  BaseServiceConfig: &BaseServiceConfig{Name: "webhook"},
  },
+ OIDCCredentialConfig: OIDCCredentialServiceConfig{},
  }
 
  config.Services = servicesConfig

go.mod

@@ -18,13 +18,15 @@ require (
  github.com/google/uuid v1.3.0
  github.com/joho/godotenv v1.5.1
  github.com/lestrrat-go/jwx v1.2.25
+ github.com/lestrrat-go/jwx/v2 v2.0.9
  github.com/magefile/mage v1.14.0
  github.com/mr-tron/base58 v1.2.0
  github.com/multiformats/go-multibase v0.2.0
  github.com/multiformats/go-varint v0.0.7
  github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852
  github.com/ory/fosite v0.44.0
  github.com/pkg/errors v0.9.1
+ github.com/pquerna/otp v1.4.0
  github.com/redis/go-redis/extra/redisotel/v9 v9.0.2
  github.com/redis/go-redis/v9 v9.0.2
  github.com/rs/cors v1.8.3
@@ -38,6 +40,7 @@ require (
  go.opentelemetry.io/otel/sdk v1.14.0
  go.opentelemetry.io/otel/trace v1.14.0
  golang.org/x/crypto v0.7.0
+ golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
  gopkg.in/go-playground/validator.v9 v9.31.0
 )
 
@@ -48,6 +51,7 @@ require (
  github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
  github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
  github.com/bits-and-blooms/bitset v1.5.0 // indirect
+ github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
  github.com/cespare/xxhash/v2 v2.2.0 // indirect
  github.com/cristalhq/jwt/v4 v4.0.2 // indirect
  github.com/dave/jennifer v1.4.0 // indirect
@@ -79,7 +83,6 @@ require (
  github.com/lestrrat-go/httpcc v1.0.1 // indirect
  github.com/lestrrat-go/httprc v1.0.4 // indirect
  github.com/lestrrat-go/iter v1.0.2 // indirect
- github.com/lestrrat-go/jwx/v2 v2.0.9 // indirect
  github.com/lestrrat-go/option v1.0.1 // indirect
  github.com/magiconair/properties v1.8.1 // indirect
  github.com/mattn/goveralls v0.0.6 // indirect
@@ -110,7 +113,6 @@ require (
  go.opentelemetry.io/otel/metric v0.37.0 // indirect
  golang.org/x/mod v0.8.0 // indirect
  golang.org/x/net v0.8.0 // indirect
- golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
  golang.org/x/sys v0.6.0 // indirect
  golang.org/x/term v0.6.0 // indirect
  golang.org/x/text v0.8.0 // indirect

go.sum

@@ -59,6 +59,8 @@ github.com/bits-and-blooms/bitset v1.5.0 h1:NpE8frKRLGHIcEzkR+gZhiioW1+WbYV6fKwD
 github.com/bits-and-blooms/bitset v1.5.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bmatcuk/doublestar/v2 v2.0.3/go.mod h1:QMmcs3H2AUQICWhfzLXz+IYln8lRQmTZRptLie8RgRw=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bsm/ginkgo/v2 v2.5.0 h1:aOAnND1T40wEdAtkGSkvSICWeQ8L3UASX7YVCqQx+eQ=
 github.com/bsm/ginkgo/v2 v2.5.0/go.mod h1:AiKlXPm7ItEHNc/2+OkrNG4E0ITzojb9/xWzvQ9XZ9w=
 github.com/bsm/gomega v1.20.0 h1:JhAwLmtRzXFTx2AkALSLa8ijZafntmhSoU63Ok18Uq8=
@@ -871,6 +873,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
+github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
+github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=

pkg/server/middleware/introspect.go

@@ -0,0 +1,122 @@
+package middleware
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "net/http"
+ "net/url"
+ "strings"
+
+ "github.com/goccy/go-json"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+ "github.com/tbd54566975/ssi-service/pkg/server/framework"
+ "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+ "golang.org/x/oauth2"
+ "golang.org/x/oauth2/clientcredentials"
+)
+
+type introspecter struct {
+ // Introspection endpoint according to https://www.rfc-editor.org/rfc/rfc7662.
+ endpoint string
+
+ // Config of the client credentials to use for authenticating with Endpoint.
+ conf clientcredentials.Config
+}
+
+func newIntrospect(endpoint string, config clientcredentials.Config) *introspecter {
+ return &introspecter{
+ endpoint: endpoint,
+ conf: config,
+ }
+}
+
+// Introspect extracts a token from the `Authorization` header, and determines whether it's active by using the
+// Endpoint configured. A `nil` error represents an active token.
+func (s introspecter) introspect(ctx context.Context, req *http.Request) error {
+ ctx = context.WithValue(ctx, oauth2.HTTPClient, http.Client{Transport: otelhttp.NewTransport(http.DefaultTransport)})
+ client := s.conf.Client(ctx)
+ // Send a request to the introspect endpoint to decide whether this is allowed.
+ authHeader := req.Header.Get("Authorization")
+ if !strings.HasPrefix(authHeader, "Bearer ") {
+ return errors.New("no bearer")
+ }
+ token := authHeader[len("Bearer "):]
+
+ body := make(url.Values)
+ body.Set("token", token)
+ introspectionReq, err := http.NewRequestWithContext(ctx, http.MethodPost, s.endpoint, strings.NewReader(body.Encode()))
+ if err != nil {
+ return err
+ }
+ introspectionReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+ introspectionResp, err := client.Do(introspectionReq)
+ if err != nil {
+ return err
+ }
+ defer func(body io.ReadCloser) {
+ err := body.Close()
+ if err != nil {
+ logrus.WithError(err).Warn("closing body")
+ }
+ }(introspectionResp.Body)
+
+ if introspectionResp.StatusCode != http.StatusOK {
+ return fmt.Errorf("status does not indicate success: code: %d, body: %v", introspectionResp.StatusCode, introspectionResp.Body)
+ }
+
+ result, err := extractIntrospectResult(introspectionResp.Body)
+ if err != nil {
+ return err
+ }
+ if !result.Active {
+ return errors.New("invalid token")
+ }
+ return nil
+}
+
+func extractIntrospectResult(r io.Reader) (*result, error) {
+ res := result{
+ Optionals: make(map[string]json.RawMessage),
+ }
+
+ if err := json.NewDecoder(r).Decode(&res.Optionals); err != nil {
+ return nil, err
+ }
+
+ if val, ok := res.Optionals["active"]; ok {
+ if err := json.Unmarshal(val, &res.Active); err != nil {
+ return nil, err
+ }
+
+ delete(res.Optionals, "active")
+ }
+
+ return &res, nil
+}
+
+// result is the OAuth2 Introspection Result
+type result struct {
+ Active bool
+
+ Optionals map[string]json.RawMessage
+}
+
+// Introspect creates a middleware which can be used to gate access to protected resources.
+// This middleware works by extracting the token from the `Authorization` header and then sending a request to the
+// introspect endpoint (which should be compliant with https://www.rfc-editor.org/rfc/rfc7662) to obtain the
+// whether the token is active. A `nil` error represents an active token.
+// config represents the client credentials to use for authenticating with the introspect endpoint.
+func Introspect(endpoint string, config clientcredentials.Config) framework.Middleware {
+ intro := newIntrospect(endpoint, config)
+ return func(handler framework.Handler) framework.Handler {
+ return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+ if err := intro.introspect(ctx, r); err != nil {
+ frameworkErr := framework.NewRequestErrorMsg("invalid_token", http.StatusUnauthorized)
+ return framework.RespondError(ctx, w, frameworkErr)
+ }
+ return handler(ctx, w, r)
+ }
+ }
+}

pkg/server/middleware/introspect_test.go

@@ -0,0 +1,93 @@
+package middleware
+
+import (
+ "context"
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "net/url"
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+ "github.com/tbd54566975/ssi-service/pkg/testutil"
+ "golang.org/x/oauth2"
+ "golang.org/x/oauth2/clientcredentials"
+)
+
+func TestIntrospect(t *testing.T) {
+ mockTokenServer := simpleOauthTokenServer()
+ defer mockTokenServer.Close()
+ conf := newConfig(mockTokenServer)
+
+ mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.WriteHeader(http.StatusOK)
+ _, _ = w.Write([]byte(`{"active":true}`))
+ }))
+ defer mockServer.Close()
+
+ introspectMiddleware := Introspect(mockServer.URL, conf)
+
+ handlerCalled := false
+ handler := introspectMiddleware(func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+ handlerCalled = true
+ return nil
+ })
+ req := httptest.NewRequest(http.MethodPost, "/some_protected_url", strings.NewReader(""))
+ req.Header.Set("Authorization", "Bearer my-awesome-token")
+ require.NoError(t, handler(context.Background(), httptest.NewRecorder(), req))
+ require.True(t, handlerCalled)
+}
+
+func TestIntrospectReturnsError(t *testing.T) {
+ mockTokenServer := simpleOauthTokenServer()
+ defer mockTokenServer.Close()
+ conf := newConfig(mockTokenServer)
+
+ mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.WriteHeader(http.StatusOK)
+ _, _ = w.Write([]byte(`{"active":false}`))
+ }))
+ defer mockServer.Close()
+
+ introspectMiddleware := Introspect(mockServer.URL, conf)
+
+ handler := introspectMiddleware(noOpHandler)
+ req := httptest.NewRequest(http.MethodPost, "/some_protected_url", strings.NewReader(""))
+ req.Header.Set("Authorization", "Bearer my-awesome-token")
+ w := httptest.NewRecorder()
+ err := handler(testutil.NewRequestContext(), w, req)
+ require.NoError(t, err)
+ assertCredentialErrorResponseEquals(t, w, `{"error":"invalid_token"}`)
+}
+
+func assertCredentialErrorResponseEquals(t *testing.T, w *httptest.ResponseRecorder, s string) {
+ respBody, err := io.ReadAll(w.Body)
+ require.NoError(t, err)
+ require.JSONEq(t, s, string(respBody))
+}
+
+func noOpHandler(context.Context, http.ResponseWriter, *http.Request) error {
+ return nil
+}
+
+func simpleOauthTokenServer() *httptest.Server {
+ return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
+ values := url.Values{}
+ values.Set("access_token", "my-client-token")
+ _, _ = w.Write([]byte(values.Encode()))
+ }))
+}
+
+func newConfig(mockTokenServer *httptest.Server) clientcredentials.Config {
+ conf := clientcredentials.Config{
+ ClientID: "my-test-client",
+ ClientSecret: "",
+ TokenURL: mockTokenServer.URL,
+ Scopes: []string{"notsurewhatscope"},
+ EndpointParams: nil,
+ AuthStyle: oauth2.AuthStyleInHeader,
+ }
+ return conf
+}