@pagopa/io-react-native-wallet 0.11.1 → 0.13.0

package/src/credential/issuance/04-complete-user-authorization.ts

@@ -1,17 +1,118 @@
-import type { Out } from "../../utils/misc";
+import {
+  AuthorizationErrorShape,
+  AuthorizationResultShape,
+  type AuthorizationContext,
+  type AuthorizationResult,
+} from "../../../src/utils/auth";
+import { until, type Out } from "../../utils/misc";
 import type { StartUserAuthorization } from "./03-start-user-authorization";
+import parseUrl from "parse-url";
+import { AuthorizationError, AuthorizationIdpError } from "../../utils/errors";
+import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import { Linking } from "react-native";
 
 /**
- * The interface of the phase to complete User authorization.
- * It may be implemented as a Credential presentation
- * or with a strong User identification
- *
- * @param requestUri The url to reach to complete the user authorization.
- * @param cliendId Identifies the current client across all the requests of the issuing flow
- *
- * @returns the access code to use to request the credental
+ * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
  */
-export type CompleteUserAuthorization = (
-  requestUri: Out<StartUserAuthorization>["requestUri"],
-  clientId: Out<StartUserAuthorization>["clientId"]
-) => Promise<{ code: string }>;
+export type CompleteUserAuthorizationWithQueryMode = (
+  issuerRequestUri: Out<StartUserAuthorization>["issuerRequestUri"],
+  clientId: Out<StartUserAuthorization>["clientId"],
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  idpHint: string,
+  redirectUri: string,
+  authorizationContext?: AuthorizationContext
+) => Promise<AuthorizationResult>;
+
+/**
+ * WARNING: This function must be called after {@link startUserAuthorization}. The next function to be called is {@link authorizeAccess}.
+ * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
+ * It is used to complete the user authorization by catching the redirectSchema from the authorization server which then contains the authorization response.
+ * This function utilizes the authorization context to open an in-app browser capable of catching the redirectSchema to perform a get request to the authorization endpoint.
+ * If the 302 redirect happens and the redirectSchema is caught, the function will return the authorization response after parsing it from the query string.
+ * @param issuerRequestUri the URI of the issuer where the request is sent
+ * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param authorizationContext The context to identify the user which will be used to start the authorization. It's needed only when requesting a PersonalIdentificationData credential. The implementantion should open an in-app browser capable of catching the redirectSchema.
+ * If not specified, the default browser is used
+ * @param idphint Unique identifier of the SPID IDP selected by the user
+ * @param redirectUri The url to reach to complete the user authorization which is the custom URL scheme that the Wallet Instance is registered to handle, usually a custom URL or deeplink
+ * @throws {AuthorizationError} if an error occurs during the authorization process
+ * @throws {AuthorizationIdpError} if an error occurs during the authorization process and the error is related to the IDP
+ * @returns the authorization response which contains code, state and iss
+ */
+export const completeUserAuthorizationWithQueryMode: CompleteUserAuthorizationWithQueryMode =
+  async (
+    issuerRequestUri,
+    clientId,
+    issuerConf,
+    idpHint,
+    redirectUri,
+    authorizationContext
+  ) => {
+    /**
+     * Starts the authorization flow which dependes on the response mode and the request credential.
+     * If the response mode is "query" the authorization flow is handled differently via the authorization context which opens an in-app browser capable of catching the redirectSchema.
+     * The form_post.jwt mode is not currently supported.
+     */
+    const authzRequestEndpoint =
+      issuerConf.oauth_authorization_server.authorization_endpoint;
+    const params = new URLSearchParams({
+      client_id: clientId,
+      request_uri: issuerRequestUri,
+      idphint: idpHint,
+    });
+    const authUrl = `${authzRequestEndpoint}?${params}`;
+    var authRedirectUrl: string | undefined;
+
+    if (authorizationContext) {
+      const redirectSchema = new URL(redirectUri).protocol.replace(":", "");
+      authRedirectUrl = await authorizationContext
+        .authorize(authUrl, redirectSchema)
+        .catch((e) => {
+          throw new AuthorizationError(e.message);
+        });
+    } else {
+      // handler for redirectUri
+      Linking.addEventListener("url", ({ url }) => {
+        if (url.includes(redirectUri)) {
+          authRedirectUrl = url;
+        }
+      });
+
+      const openAuthUrlInBrowser = Linking.openURL(authUrl);
+
+      /*
+       * Waits for 120 seconds for the identificationRedirectUrl variable to be set
+       * by the custom url handler. If the timeout is exceeded, throw an exception
+       */
+      const unitAuthRedirectIsNotUndefined = until(
+        () => authRedirectUrl !== undefined,
+        120
+      );
+
+      await Promise.all([openAuthUrlInBrowser, unitAuthRedirectIsNotUndefined]);
+
+      if (authRedirectUrl === undefined) {
+        throw new AuthorizationError("Invalid authentication redirect url");
+      }
+    }
+
+    const urlParse = parseUrl(authRedirectUrl);
+    const authRes = AuthorizationResultShape.safeParse(urlParse.query);
+    if (!authRes.success) {
+      const authErr = AuthorizationErrorShape.safeParse(urlParse.query);
+      if (!authErr.success) {
+        throw new AuthorizationError(authRes.error.message); // an error occured while parsing the result and the error
+      }
+      throw new AuthorizationIdpError(
+        authErr.data.error,
+        authErr.data.error_description
+      );
+    }
+    return authRes.data;
+  };
+
+// TODO: SIW-1120 implement generic credential issuance flow
+export const completeUserAuthorizationWithFormPostJwtMode = () => {
+  throw new Error("Not implemented");
+};

package/src/credential/issuance/05-authorize-access.ts

@@ -1,92 +1,117 @@
-import uuid from "react-native-uuid";
-import { withEphemeralKey } from "../../utils/crypto";
-import { createDPopToken } from "../../utils/dpop";
-import type { StartUserAuthorization } from "./03-start-user-authorization";
-import { hasStatus, type Out } from "../../utils/misc";
+import { hasStatus, type Out } from "../../../src/utils/misc";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import type { StartUserAuthorization } from "./03-start-user-authorization";
+import { withEphemeralKey } from "../../../src/utils/crypto";
+import { createDPopToken } from "../../../src/utils/dpop";
+import uuid from "react-native-uuid";
+import { createPopToken } from "../../../src/utils/pop";
+import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
+import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import { ASSERTION_TYPE } from "./const";
-import type { CompleteUserAuthorization } from "./04-complete-user-authorization";
+import { TokenResponse } from "./types";
+import { ValidationFailed } from "../../../src/utils/errors";
+import type { CompleteUserAuthorizationWithQueryMode } from "./04-complete-user-authorization";
 
 export type AuthorizeAccess = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
-  code: Out<CompleteUserAuthorization>["code"],
+  code: Out<CompleteUserAuthorizationWithQueryMode>["code"],
+  redirectUri: string,
   clientId: Out<StartUserAuthorization>["clientId"],
+  codeVerifier: Out<StartUserAuthorization>["codeVerifier"],
   context: {
     walletInstanceAttestation: string;
-    walletProviderBaseUrl: string;
     appFetch?: GlobalFetch["fetch"];
+    wiaCryptoContext: CryptoContext;
   }
-) => Promise<{
-  // The access token to grant access to the credential
-  accessToken: string;
-  // The nonce, to prevent reply attacks
-  nonce: string;
-  // Same as input
-  clientId: string;
-}>;
+) => Promise<{ accessToken: TokenResponse; tokenRequestSignedDPop: string }>;
 
 /**
- * Obtain the access token to finally request the credential
- *
- * @param issuerConf The Issuer configuration
- * @param code The access code from the User authorization phase
- * @param clientId Identifies the current client across all the requests of the issuing flow
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
- * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * Creates and sends the DPoP Proof JWT to be presented with the authorization code to the /token endpoint of the authorization server
+ * for requesting the issuance of an access token bound to the public key of the Wallet Instance contained within the DPoP.
+ * This enables the Wallet Instance to request a digital credential.
+ * The DPoP Proof JWT is generated according to the section 4.3 of the DPoP RFC 9449 specification.
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param code The authorization code returned by {@link completeUserAuthorizationWithQueryMode} or {@link completeUserAuthorizationWithFormPost}
+ * @param redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
+ * @param clientId The client id returned by {@link startUserAuthorization}
+ * @param codeVerifier The code verifier returned by {@link startUserAuthorization}
+ * @param context.walletInstanceAttestation The Wallet Instance's attestation
+ * @param context.wiaCryptoContext The Wallet Instance's crypto context
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @returns
+ * @throws {ValidationFailed} if an error occurs while parsing the token response
+ * @return The token response containing the access token along with the token request signed with DPoP which has to be used in the {@link obtainCredential} step.
  */
 export const authorizeAccess: AuthorizeAccess = async (
   issuerConf,
   code,
   clientId,
+  redirectUri,
+  codeVerifier,
   context
-): Promise<{ accessToken: string; nonce: string; clientId: string }> => {
+) => {
   const {
     appFetch = fetch,
     walletInstanceAttestation,
-    walletProviderBaseUrl,
+    wiaCryptoContext,
   } = context;
 
-  const tokenUrl = issuerConf.openid_credential_issuer.token_endpoint;
+  const parEndpoint =
+    issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
+  const parUrl = new URL(parEndpoint);
+  const aud = `${parUrl.protocol}//${parUrl.hostname}`;
+  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
+    .payload.cnf.jwk.kid;
 
+  const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
   // Use an ephemeral key to be destroyed after use
-  const signedDPop = await withEphemeralKey((ephemeralContext) =>
-    createDPopToken(
-      {
-        htm: "POST",
-        htu: tokenUrl,
-        jti: `${uuid.v4()}`,
-      },
-      ephemeralContext
-    )
+  const tokenRequestSignedDPop = await withEphemeralKey(
+    async (ephimeralContext) => {
+      return await createDPopToken(
+        {
+          htm: "POST",
+          htu: tokenUrl,
+          jti: `${uuid.v4()}`,
+        },
+        ephimeralContext
+      );
+    }
+  );
+
+  const signedWiaPoP = await createPopToken(
+    {
+      jti: `${uuid.v4()}`,
+      aud,
+      iss,
+    },
+    wiaCryptoContext
   );
 
-  const codeVerifier = `${uuid.v4()}`;
   const requestBody = {
-    grant_type: "authorization code",
+    grant_type: "authorization_code",
     client_id: clientId,
     code,
+    redirect_uri: redirectUri,
     code_verifier: codeVerifier,
     client_assertion_type: ASSERTION_TYPE,
-    client_assertion: walletInstanceAttestation,
-    redirect_uri: walletProviderBaseUrl,
+    client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
   };
-  var formBody = new URLSearchParams(requestBody);
 
-  return appFetch(tokenUrl, {
+  const authorizationRequestFormBody = new URLSearchParams(requestBody);
+  const tokenRes = await appFetch(tokenUrl, {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
-      DPoP: signedDPop,
+      DPoP: tokenRequestSignedDPop,
     },
-    body: formBody.toString(),
+    body: authorizationRequestFormBody.toString(),
   })
     .then(hasStatus(200))
     .then((res) => res.json())
-    .then((body) => ({
-      accessToken: body.access_token,
-      nonce: body.c_nonce,
-      clientId,
-    }));
+    .then((body) => TokenResponse.safeParse(body));
+
+  if (!tokenRes.success) {
+    throw new ValidationFailed(tokenRes.error.message);
+  }
+
+  return { accessToken: tokenRes.data, tokenRequestSignedDPop };
 };

package/src/credential/issuance/06-obtain-credential.ts

@@ -1,161 +1,127 @@
-import * as z from "zod";
-import uuid from "react-native-uuid";
 import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
-import { createDPopToken } from "../../utils/dpop";
-
-import type { StartFlow } from "./01-start-flow";
-import { hasStatus, type Out } from "../../utils/misc";
-import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import type { AuthorizeAccess } from "./05-authorize-access";
-import { SupportedCredentialFormat } from "./const";
+import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import { hasStatus, type Out } from "../../../src/utils/misc";
+import type { StartUserAuthorization } from "./03-start-user-authorization";
+import { ValidationFailed } from "../../../src/utils/errors";
+import { CredentialResponse } from "./types";
+
+export type ObtainCredential = (
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  accessToken: Out<AuthorizeAccess>["accessToken"],
+  clientId: Out<StartUserAuthorization>["clientId"],
+  credentialDefinition: Out<StartUserAuthorization>["credentialDefinition"],
+  tokenRequestSignedDPop: Out<AuthorizeAccess>["tokenRequestSignedDPop"],
+  context: {
+    credentialCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<CredentialResponse>;
 
-/**
- * Return the signed jwt for nonce proof of possession
- */
 export const createNonceProof = async (
   nonce: string,
   issuer: string,
   audience: string,
   ctx: CryptoContext
 ): Promise<string> => {
+  const jwk = await ctx.getPublicKey();
   return new SignJWT(ctx)
     .setPayload({
       nonce,
-      jwk: await ctx.getPublicKey(),
     })
     .setProtectedHeader({
-      type: "openid4vci-proof+jwt",
+      typ: "openid4vci-proof+jwt",
+      jwk,
     })
     .setAudience(audience)
     .setIssuer(issuer)
     .setIssuedAt()
-    .setExpirationTime("1h")
+    .setExpirationTime("5min")
     .sign();
 };
 
-const CredentialEndpointResponse = z.object({
-  credential: z.string(),
-  format: SupportedCredentialFormat,
-  // nonce used to perform multiple credential requests
-  // re-using the same authorization profile
-  c_nonce: z.string(),
-  c_nonce_expires_in: z.number(),
-});
-
-export type ObtainCredential = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
-  accessToken: Out<AuthorizeAccess>["accessToken"],
-  nonce: Out<AuthorizeAccess>["nonce"],
-  clientId: Out<AuthorizeAccess>["clientId"],
-  credentialType: Out<StartFlow>["credentialType"],
-  credentialFormat: SupportedCredentialFormat,
-  context: {
-    credentialCryptoContext: CryptoContext;
-    walletProviderBaseUrl: string;
-    appFetch?: GlobalFetch["fetch"];
-  }
-) => Promise<{
-  credential: string;
-  format: SupportedCredentialFormat;
-  nonce: string;
-}>;
-
-// Checks whether in the Entity confoguration at least one credential
-// is defined for the given type and format
-const isCredentialAvailable = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
-  credentialType: Out<StartFlow>["credentialType"],
-  credentialFormat: SupportedCredentialFormat
-): boolean =>
-  issuerConf.openid_credential_issuer.credentials_supported.some(
-    (c) =>
-      c.format === credentialFormat &&
-      c.credential_definition.type.includes(credentialType)
-  );
-
 /**
- * Fetch a credential from the issuer
- *
- * @param issuerConf The Issuer configuration
- * @param accessToken The access token to grant access to the credential, obtained with the access authorization step
- * @param nonce The nonce value to prevent reply attacks, obtained with the access authorization step
- * @param clientId Identifies the current client across all the requests of the issuing flow
- * @param credentialType The type of the credential to be requested
- * @param credentialFormat The format of the requested credential. @see {SupportedCredentialFormat}
- * @param context.credentialCryptoContext The context to access the key the Credential will be bound to
- * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * Obtains the credential from the issuer.
+ * The key pair of the credentialCryptoContext is used for Openid4vci proof JWT to be presented with the Access Token and the DPoP Proof JWT at the Credential Endpoint
+ * of the Credential Issuer to request the issuance of a credential linked to the public key contained in the JWT proof.
+ * The Openid4vci proof JWT incapsulates the nonce extracted from the token response from the {@link authorizeAccess} step.
+ * The credential request is sent to the Credential Endpoint of the Credential Issuer via HTTP POST with the type of the credential, its format, the access token and the JWT proof.
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param accessToken The access token response returned by {@link authorizeAccess}
+ * @param clientId The client id returned by {@link startUserAuthorization}
+ * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link startUserAuthorization}
+ * @param tokenRequestSignedDPop The DPoP signed token request returned by {@link authorizeAccess}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @returns The signed credential token
+ * @returns The credential response containing the credential
  */
 export const obtainCredential: ObtainCredential = async (
   issuerConf,
   accessToken,
-  nonce,
   clientId,
-  credentialType,
-  credentialFormat,
+  credentialDefinition,
+  tokenRequestSignedDPop,
   context
 ) => {
-  const {
-    credentialCryptoContext,
-    walletProviderBaseUrl,
-    appFetch = fetch,
-  } = context;
-
-  if (!isCredentialAvailable(issuerConf, credentialType, credentialFormat)) {
-    throw new Error(
-      `The Issuer provides no credential for type ${credentialType} and format ${credentialFormat}`
-    );
-  }
+  const { credentialCryptoContext, appFetch = fetch } = context;
 
   const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
 
-  /** DPoP token for demonstating the possession
-      of the key that will bind the holder User with the Credential
-      @see https://datatracker.ietf.org/doc/html/rfc9449 */
-  const signedDPopForPid = await createDPopToken(
-    {
-      htm: "POST",
-      htu: credentialUrl,
-      jti: `${uuid.v4()}`,
-    },
-    credentialCryptoContext
-  );
-
-  /** JWT proof token to bind the request nonce
-      to the key that will bind the holder User with the Credential
-      @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types */
+  /**
+   * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
+   * This is presented along with the access token to the Credential Endpoint as proof of possession of the private key used to sign the Access Token.
+   * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
+   */
   const signedNonceProof = await createNonceProof(
-    nonce,
+    accessToken.c_nonce,
     clientId,
-    walletProviderBaseUrl,
+    credentialUrl,
     credentialCryptoContext
   );
 
+  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
+  const constainsCredentialDefinition = accessToken.authorization_details.some(
+    (c) =>
+      c.credential_configuration_id ===
+        credentialDefinition.credential_configuration_id &&
+      c.format === credentialDefinition.format &&
+      c.type === credentialDefinition.type
+  );
+
+  if (!constainsCredentialDefinition) {
+    throw new ValidationFailed(
+      "The access token response does not contain the requested credential"
+    );
+  }
+
   /** The credential request body */
-  const formBody = new URLSearchParams({
-    credential_definition: JSON.stringify({
-      type: [credentialType],
-    }),
-    format: credentialFormat,
-    proof: JSON.stringify({
+  const credentialRequestFormBody = {
+    credential_definition: {
+      type: [credentialDefinition.credential_configuration_id],
+    },
+    format: credentialDefinition.format,
+    proof: {
       jwt: signedNonceProof,
       proof_type: "jwt",
-    }),
-  });
+    },
+  };
 
-  const { credential, format, c_nonce } = await appFetch(credentialUrl, {
+  const credentialRes = await appFetch(credentialUrl, {
     method: "POST",
     headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      DPoP: signedDPopForPid,
-      Authorization: accessToken,
+      "Content-Type": "application/json",
+      DPoP: tokenRequestSignedDPop,
+      Authorization: `${accessToken.token_type} ${accessToken.access_token}`,
     },
-    body: formBody.toString(),
+    body: JSON.stringify(credentialRequestFormBody),
   })
     .then(hasStatus(200))
     .then((res) => res.json())
-    .then(CredentialEndpointResponse.parse);
+    .then((body) => CredentialResponse.safeParse(body));
+
+  if (!credentialRes.success) {
+    throw new ValidationFailed(credentialRes.error.message);
+  }
 
-  return { credential, format, nonce: c_nonce };
+  return credentialRes.data;
 };