@pagopa/io-react-native-wallet 2.3.0 → 2.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/commonjs/credential/issuance/03-start-user-authorization.js +24 -6
- package/lib/commonjs/credential/issuance/03-start-user-authorization.js.map +1 -1
- package/lib/commonjs/credential/issuance/04-complete-user-authorization.js +26 -2
- package/lib/commonjs/credential/issuance/04-complete-user-authorization.js.map +1 -1
- package/lib/commonjs/credential/issuance/README.md +155 -18
- package/lib/commonjs/credential/issuance/index.js +9 -1
- package/lib/commonjs/credential/issuance/index.js.map +1 -1
- package/lib/commonjs/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.js +57 -0
- package/lib/commonjs/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.js.map +1 -0
- package/lib/commonjs/credential/issuance/mrtd-pop/02-init-challenge.js +61 -0
- package/lib/commonjs/credential/issuance/mrtd-pop/02-init-challenge.js.map +1 -0
- package/lib/commonjs/credential/issuance/mrtd-pop/03-validate-challenge.js +95 -0
- package/lib/commonjs/credential/issuance/mrtd-pop/03-validate-challenge.js.map +1 -0
- package/lib/commonjs/credential/issuance/mrtd-pop/README.md +92 -0
- package/lib/commonjs/credential/issuance/mrtd-pop/index.js +33 -0
- package/lib/commonjs/credential/issuance/mrtd-pop/index.js.map +1 -0
- package/lib/commonjs/credential/issuance/mrtd-pop/types.js +57 -0
- package/lib/commonjs/credential/issuance/mrtd-pop/types.js.map +1 -0
- package/lib/commonjs/utils/auth.js +9 -1
- package/lib/commonjs/utils/auth.js.map +1 -1
- package/lib/commonjs/utils/par.js +7 -2
- package/lib/commonjs/utils/par.js.map +1 -1
- package/lib/module/credential/issuance/03-start-user-authorization.js +24 -6
- package/lib/module/credential/issuance/03-start-user-authorization.js.map +1 -1
- package/lib/module/credential/issuance/04-complete-user-authorization.js +25 -2
- package/lib/module/credential/issuance/04-complete-user-authorization.js.map +1 -1
- package/lib/module/credential/issuance/README.md +155 -18
- package/lib/module/credential/issuance/index.js +3 -2
- package/lib/module/credential/issuance/index.js.map +1 -1
- package/lib/module/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.js +50 -0
- package/lib/module/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.js.map +1 -0
- package/lib/module/credential/issuance/mrtd-pop/02-init-challenge.js +52 -0
- package/lib/module/credential/issuance/mrtd-pop/02-init-challenge.js.map +1 -0
- package/lib/module/credential/issuance/mrtd-pop/03-validate-challenge.js +85 -0
- package/lib/module/credential/issuance/mrtd-pop/03-validate-challenge.js.map +1 -0
- package/lib/module/credential/issuance/mrtd-pop/README.md +92 -0
- package/lib/module/credential/issuance/mrtd-pop/index.js +5 -0
- package/lib/module/credential/issuance/mrtd-pop/index.js.map +1 -0
- package/lib/module/credential/issuance/mrtd-pop/types.js +46 -0
- package/lib/module/credential/issuance/mrtd-pop/types.js.map +1 -0
- package/lib/module/utils/auth.js +8 -0
- package/lib/module/utils/auth.js.map +1 -1
- package/lib/module/utils/par.js +7 -2
- package/lib/module/utils/par.js.map +1 -1
- package/lib/typescript/credential/issuance/03-start-user-authorization.d.ts +14 -4
- package/lib/typescript/credential/issuance/03-start-user-authorization.d.ts.map +1 -1
- package/lib/typescript/credential/issuance/04-complete-user-authorization.d.ts +9 -1
- package/lib/typescript/credential/issuance/04-complete-user-authorization.d.ts.map +1 -1
- package/lib/typescript/credential/issuance/index.d.ts +4 -3
- package/lib/typescript/credential/issuance/index.d.ts.map +1 -1
- package/lib/typescript/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.d.ts +25 -0
- package/lib/typescript/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.d.ts.map +1 -0
- package/lib/typescript/credential/issuance/mrtd-pop/02-init-challenge.d.ts +23 -0
- package/lib/typescript/credential/issuance/mrtd-pop/02-init-challenge.d.ts.map +1 -0
- package/lib/typescript/credential/issuance/mrtd-pop/03-validate-challenge.d.ts +39 -0
- package/lib/typescript/credential/issuance/mrtd-pop/03-validate-challenge.d.ts.map +1 -0
- package/lib/typescript/credential/issuance/mrtd-pop/index.d.ts +7 -0
- package/lib/typescript/credential/issuance/mrtd-pop/index.d.ts.map +1 -0
- package/lib/typescript/credential/issuance/mrtd-pop/types.d.ts +201 -0
- package/lib/typescript/credential/issuance/mrtd-pop/types.d.ts.map +1 -0
- package/lib/typescript/utils/auth.d.ts +11 -0
- package/lib/typescript/utils/auth.d.ts.map +1 -1
- package/lib/typescript/utils/par.d.ts +34 -4
- package/lib/typescript/utils/par.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/credential/issuance/03-start-user-authorization.ts +30 -7
- package/src/credential/issuance/04-complete-user-authorization.ts +43 -1
- package/src/credential/issuance/README.md +155 -18
- package/src/credential/issuance/index.ts +7 -1
- package/src/credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.ts +70 -0
- package/src/credential/issuance/mrtd-pop/02-init-challenge.ts +82 -0
- package/src/credential/issuance/mrtd-pop/03-validate-challenge.ts +140 -0
- package/src/credential/issuance/mrtd-pop/README.md +92 -0
- package/src/credential/issuance/mrtd-pop/index.ts +27 -0
- package/src/credential/issuance/mrtd-pop/types.ts +65 -0
- package/src/utils/auth.ts +12 -0
- package/src/utils/par.ts +12 -4
|
@@ -62,19 +62,23 @@ const selectResponseMode = (issuerConf, credentialIds) => {
|
|
|
62
62
|
* it is possible to use the same access token for the issuance of all requested credentials.
|
|
63
63
|
* This is an HTTP POST request containing the Wallet Instance identifier (client id), the code challenge and challenge method as specified by PKCE according to RFC 9126
|
|
64
64
|
* along with the WTE and its proof of possession (WTE-PoP).
|
|
65
|
-
* Additionally, it includes a request object, which is a signed JWT encapsulating the type of digital credential requested (authorization_details),
|
|
66
|
-
* the application session identifier on the Wallet Instance side (state),
|
|
65
|
+
* Additionally, it includes a request object, which is a signed JWT encapsulating the type of digital credential requested (authorization_details), challenge method and
|
|
66
|
+
* redirect URI for the document proof step (if L2 flow), the application session identifier on the Wallet Instance side (state),
|
|
67
67
|
* the method (query or form_post.jwt) by which the Authorization Server
|
|
68
68
|
* should transmit the Authorization Response containing the authorization code issued upon the end user's authentication (response_mode)
|
|
69
69
|
* to the Wallet Instance's Token Endpoint to obtain the Access Token, and the redirectUri of the Wallet Instance where the Authorization Response
|
|
70
70
|
* should be delivered. The redirect is achived by using a custom URL scheme that the Wallet Instance is registered to handle.
|
|
71
71
|
* @param issuerConf The issuer configuration
|
|
72
72
|
* @param credentialIds The credential configuration IDs to be requested
|
|
73
|
-
* @param
|
|
73
|
+
* @param proof The configuration for the proof to be used in the request: "none" for standard flows, "document" for L2+ with MRTD verification.
|
|
74
|
+
* @param ctx The context object containing;
|
|
75
|
+
* - wiaCryptoContext: the Wallet Instance's cryptographic context
|
|
76
|
+
* - walletInstanceAttestation: the Wallet Instance's attestation
|
|
77
|
+
* - redirectUri: the redirect URI
|
|
78
|
+
* - appFetch: (optional) the fetch implementation
|
|
74
79
|
* @returns The URI to which the end user should be redirected to start the authentication flow, along with the client id, the code verifier and the credential definition(s)
|
|
75
80
|
*/
|
|
76
|
-
|
|
77
|
-
const startUserAuthorization = async (issuerConf, credentialIds, ctx) => {
|
|
81
|
+
const startUserAuthorization = async (issuerConf, credentialIds, proof, ctx) => {
|
|
78
82
|
const {
|
|
79
83
|
wiaCryptoContext,
|
|
80
84
|
walletInstanceAttestation,
|
|
@@ -89,12 +93,26 @@ const startUserAuthorization = async (issuerConf, credentialIds, ctx) => {
|
|
|
89
93
|
const codeVerifier = (0, _misc.generateRandomAlphaNumericString)(64);
|
|
90
94
|
const parEndpoint = issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
|
|
91
95
|
const aud = issuerConf.openid_credential_issuer.credential_issuer;
|
|
92
|
-
const credentialDefinition = credentialIds.map(c => selectCredentialDefinition(issuerConf, c));
|
|
93
96
|
const responseMode = selectResponseMode(issuerConf, credentialIds);
|
|
94
97
|
const getPar = (0, _par.makeParRequest)({
|
|
95
98
|
wiaCryptoContext,
|
|
96
99
|
appFetch
|
|
97
100
|
});
|
|
101
|
+
const credentialDefinition = [...credentialIds.map(c => selectCredentialDefinition(issuerConf, c))];
|
|
102
|
+
if (proof.proofType === "mrtd-pop") {
|
|
103
|
+
/**
|
|
104
|
+
* When we requests a PID using eID Substantial Authentication with MRTD Verification, we must include
|
|
105
|
+
* an additional Authorization Details Object in the authorization_details
|
|
106
|
+
*
|
|
107
|
+
* See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-endpoint.html#pushed-authorization-request-endpoint
|
|
108
|
+
*/
|
|
109
|
+
credentialDefinition.push({
|
|
110
|
+
type: "it_l2+document_proof",
|
|
111
|
+
idphinting: proof.idpHinting,
|
|
112
|
+
challenge_method: "mrtd+ias",
|
|
113
|
+
challenge_redirect_uri: redirectUri
|
|
114
|
+
});
|
|
115
|
+
}
|
|
98
116
|
const issuerRequestUri = await getPar(parEndpoint, walletInstanceAttestation, {
|
|
99
117
|
aud,
|
|
100
118
|
clientId,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"names":["_misc","require","_par","_logging","selectCredentialDefinition","issuerConf","credentialId","credential_configurations_supported","openid_credential_issuer","result","Object","keys","filter","e","includes","map","credential_configuration_id","type","Logger","log","LogLevel","ERROR","JSON","stringify","Error","selectResponseMode","credentialIds","responseModeSupported","oauth_authorization_server","response_modes_supported","responseModeSet","Set","add","match","size","values","responseMode","DEBUG","startUserAuthorization","ctx","wiaCryptoContext","walletInstanceAttestation","redirectUri","appFetch","fetch","clientId","getPublicKey","then","_","kid","codeVerifier","generateRandomAlphaNumericString","parEndpoint","pushed_authorization_request_endpoint","aud","credential_issuer","credentialDefinition","c","
|
|
1
|
+
{"version":3,"names":["_misc","require","_par","_logging","selectCredentialDefinition","issuerConf","credentialId","credential_configurations_supported","openid_credential_issuer","result","Object","keys","filter","e","includes","map","credential_configuration_id","type","Logger","log","LogLevel","ERROR","JSON","stringify","Error","selectResponseMode","credentialIds","responseModeSupported","oauth_authorization_server","response_modes_supported","responseModeSet","Set","add","match","size","values","responseMode","DEBUG","startUserAuthorization","proof","ctx","wiaCryptoContext","walletInstanceAttestation","redirectUri","appFetch","fetch","clientId","getPublicKey","then","_","kid","codeVerifier","generateRandomAlphaNumericString","parEndpoint","pushed_authorization_request_endpoint","aud","credential_issuer","getPar","makeParRequest","credentialDefinition","c","proofType","push","idphinting","idpHinting","challenge_method","challenge_redirect_uri","issuerRequestUri","authorizationDetails","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/03-start-user-authorization.ts"],"mappings":";;;;;;AAEA,IAAAA,KAAA,GAAAC,OAAA;AAGA,IAAAC,IAAA,GAAAD,OAAA;AACA,IAAAE,QAAA,GAAAF,OAAA;AAmBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMG,0BAA0B,GAAGA,CACjCC,UAAkD,EAClDC,YAA4C,KACpB;EACxB,MAAMC,mCAAmC,GACvCF,UAAU,CAACG,wBAAwB,CAACD,mCAAmC;EAEzE,MAAM,CAACE,MAAM,CAAC,GAAGC,MAAM,CAACC,IAAI,CAACJ,mCAAmC,CAAC,CAC9DK,MAAM,CAAEC,CAAC,IAAKA,CAAC,CAACC,QAAQ,CAACR,YAAY,CAAC,CAAC,CACvCS,GAAG,CAAC,OAAO;IACVC,2BAA2B,EAAEV,YAAY;IACzCW,IAAI,EAAE;EACR,CAAC,CAAC,CAAC;EAEL,IAAI,CAACR,MAAM,EAAE;IACXS,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,wBAAuBf,YAAa,kEAAiEgB,IAAI,CAACC,SAAS,CAAChB,mCAAmC,CAAE,EAC5J,CAAC;IACD,MAAM,IAAIiB,KAAK,CAAE,mCAAkClB,YAAa,GAAE,CAAC;EACrE;EACA,OAAOG,MAAM;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMgB,kBAAkB,GAAGA,CACzBpB,UAAkD,EAClDqB,aAAuB,KACN;EACjB,MAAMC,qBAAqB,GACzBtB,UAAU,CAACuB,0BAA0B,CAACC,wBAAwB;EAEhE,MAAMC,eAAe,GAAG,IAAIC,GAAG,CAAe,CAAC;EAE/C,KAAK,MAAMzB,YAAY,IAAIoB,aAAa,EAAE;IACxCI,eAAe,CAACE,GAAG,CACjB1B,YAAY,CAAC2B,KAAK,CAAC,2BAA2B,CAAC,GAC3C,OAAO,GACP,eACN,CAAC;EACH;EAEA,IAAIH,eAAe,CAACI,IAAI,KAAK,CAAC,EAAE;IAC9BhB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,GAAEK,aAAc,qCAAoC,CAAC,GAAGI,eAAe,CAACK,MAAM,CAAC,CAAC,CAAE,EACrF,CAAC;IACD,MAAM,IAAIX,KAAK,CACb,yGACF,CAAC;EACH;EAEA,MAAM,CAACY,YAAY,CAAC,GAAGN,eAAe,CAACK,MAAM,CAAC,CAAC;EAE/CjB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACiB,KAAK,EACb,0BAAyBD,YAAa,uBAAsBV,aAAc,EAC7E,CAAC;EAED,IAAI,CAACC,qBAAqB,CAACb,QAAQ,CAACsB,YAAa,CAAC,EAAE;IAClDlB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,2BAA0Be,YAAa,kEAAiEd,IAAI,CAACC,SAAS,CAACI,qBAAqB,CAAE,EACjJ,CAAC;IACD,MAAM,IAAIH,KAAK,CAAE,qCAAoCE,aAAc,GAAE,CAAC;EACxE;EAEA,OAAOU,YAAY;AACrB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAME,sBAA8C,GAAG,MAAAA,CAC5DjC,UAAU,EACVqB,aAAa,EACba,KAAK,EACLC,GAAG,KACA;EACH,MAAM;IACJC,gBAAgB;IAChBC,yBAAyB;IACzBC,WAAW;IACXC,QAAQ,GAAGC;EACb,CAAC,GAAGL,GAAG;EAEP,MAAMM,QAAQ,GAAG,MAAML,gBAAgB,CAACM,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EAEzE,IAAI,CAACJ,QAAQ,EAAE;IACb5B,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,kCAAiCyB,QAAS,0BAC7C,CAAC;IACD,MAAM,IAAItB,KAAK,CAAC,qBAAqB,CAAC;EACxC;EACA,MAAM2B,YAAY,GAAG,IAAAC,sCAAgC,EAAC,EAAE,CAAC;EACzD,MAAMC,WAAW,GACfhD,UAAU,CAACuB,0BAA0B,CAAC0B,qCAAqC;EAC7E,MAAMC,GAAG,GAAGlD,UAAU,CAACG,wBAAwB,CAACgD,iBAAiB;EACjE,MAAMpB,YAAY,GAAGX,kBAAkB,CAACpB,UAAU,EAAEqB,aAAa,CAAC;EAClE,MAAM+B,MAAM,GAAG,IAAAC,mBAAc,EAAC;IAAEjB,gBAAgB;IAAEG;EAAS,CAAC,CAAC;EAE7D,MAAMe,oBAAoB,GAAG,CAC3B,GAAGjC,aAAa,CAACX,GAAG,CAAE6C,CAAC,IAAKxD,0BAA0B,CAACC,UAAU,EAAEuD,CAAC,CAAC,CAAC,CACvE;EAED,IAAIrB,KAAK,CAACsB,SAAS,KAAK,UAAU,EAAE;IAClC;AACJ;AACA;AACA;AACA;AACA;IACIF,oBAAoB,CAACG,IAAI,CAAC;MACxB7C,IAAI,EAAE,sBAAsB;MAC5B8C,UAAU,EAAExB,KAAK,CAACyB,UAAU;MAC5BC,gBAAgB,EAAE,UAAU;MAC5BC,sBAAsB,EAAEvB;IAC1B,CAAC,CAAC;EACJ;EAEA,MAAMwB,gBAAgB,GAAG,MAAMV,MAAM,CACnCJ,WAAW,EACXX,yBAAyB,EACzB;IACEa,GAAG;IACHT,QAAQ;IACRK,YAAY;IACZR,WAAW;IACXP,YAAY;IACZgC,oBAAoB,EAAET;EACxB,CACF,CAAC;EAED,OAAO;IAAEQ,gBAAgB;IAAErB,QAAQ;IAAEK,YAAY;IAAEQ;EAAqB,CAAC;AAC3E,CAAC;AAACU,OAAA,CAAA/B,sBAAA,GAAAA,sBAAA"}
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
Object.defineProperty(exports, "__esModule", {
|
|
4
4
|
value: true
|
|
5
5
|
});
|
|
6
|
-
exports.parseAuthorizationResponse = exports.getRequestedCredentialToBePresented = exports.completeUserAuthorizationWithQueryMode = exports.completeUserAuthorizationWithFormPostJwtMode = exports.buildAuthorizationUrl = void 0;
|
|
6
|
+
exports.parseAuthorizationResponse = exports.getRequestedCredentialToBePresented = exports.continueUserAuthorizationWithMRTDPoPChallenge = exports.completeUserAuthorizationWithQueryMode = exports.completeUserAuthorizationWithFormPostJwtMode = exports.buildAuthorizationUrl = void 0;
|
|
7
7
|
var _auth = require("../../utils/auth");
|
|
8
8
|
var _misc = require("../../utils/misc");
|
|
9
9
|
var _parseUrl = _interopRequireDefault(require("parse-url"));
|
|
@@ -20,6 +20,29 @@ function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { de
|
|
|
20
20
|
* The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
|
|
21
21
|
*/
|
|
22
22
|
|
|
23
|
+
/**
|
|
24
|
+
* WARNING: this function must be called after obtaining the authorization redirect URL from the webviews (SPID and CIE L3) or browser for CIEID, and the PID
|
|
25
|
+
* issuance requires a MRTD PoP challenge.
|
|
26
|
+
* @param authRedirectUrl The URL to which the end user should be redirected to start the MRTD PoP validation flow
|
|
27
|
+
* @returns the authorization response which contains the challenge
|
|
28
|
+
*/
|
|
29
|
+
const continueUserAuthorizationWithMRTDPoPChallenge = async authRedirectUrl => {
|
|
30
|
+
_logging.Logger.log(_logging.LogLevel.DEBUG, `The requested credential is a PersonIdentificationData and requires MRTD PoP, starting MRTD PoP validation from auth redirect`);
|
|
31
|
+
const query = (0, _parseUrl.default)(authRedirectUrl).query;
|
|
32
|
+
const authResParsed = _auth.AuthorizationChallengeResultShape.safeParse(query);
|
|
33
|
+
if (!authResParsed.success) {
|
|
34
|
+
const authErr = _auth.AuthorizationErrorShape.safeParse(query);
|
|
35
|
+
if (!authErr.success) {
|
|
36
|
+
_logging.Logger.log(_logging.LogLevel.ERROR, `Error while parsing the authorization response: ${authResParsed.error.message}`);
|
|
37
|
+
throw new _errors2.AuthorizationError(authResParsed.error.message); // an error occured while parsing the result and the error
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
_logging.Logger.log(_logging.LogLevel.ERROR, `Error while authorizating with the idp: ${JSON.stringify(authErr)}`);
|
|
41
|
+
throw new _errors2.AuthorizationIdpError(authErr.data.error, authErr.data.error_description);
|
|
42
|
+
}
|
|
43
|
+
return authResParsed.data;
|
|
44
|
+
};
|
|
45
|
+
|
|
23
46
|
/**
|
|
24
47
|
* WARNING: This function must be called after {@link startUserAuthorization}. The generated authUrl must be used to open a browser or webview capable of catching the redirectSchema to perform a get request to the authorization endpoint.
|
|
25
48
|
* Builds the authorization URL to which the end user should be redirected to continue the authentication flow.
|
|
@@ -29,6 +52,7 @@ function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { de
|
|
|
29
52
|
* @param idpHint Unique identifier of the IDP selected by the user (optional)
|
|
30
53
|
* @returns An object containing the authorization URL
|
|
31
54
|
*/
|
|
55
|
+
exports.continueUserAuthorizationWithMRTDPoPChallenge = continueUserAuthorizationWithMRTDPoPChallenge;
|
|
32
56
|
const buildAuthorizationUrl = async (issuerRequestUri, clientId, issuerConf, idpHint) => {
|
|
33
57
|
const authzRequestEndpoint = issuerConf.oauth_authorization_server.authorization_endpoint;
|
|
34
58
|
const params = new URLSearchParams({
|
|
@@ -53,7 +77,7 @@ const buildAuthorizationUrl = async (issuerRequestUri, clientId, issuerConf, idp
|
|
|
53
77
|
*/
|
|
54
78
|
exports.buildAuthorizationUrl = buildAuthorizationUrl;
|
|
55
79
|
const completeUserAuthorizationWithQueryMode = async authRedirectUrl => {
|
|
56
|
-
_logging.Logger.log(_logging.LogLevel.DEBUG, `The
|
|
80
|
+
_logging.Logger.log(_logging.LogLevel.DEBUG, `The requested credential is a PersonIdentificationData, completing the user authorization with query mode`);
|
|
57
81
|
const query = (0, _parseUrl.default)(authRedirectUrl).query;
|
|
58
82
|
return parseAuthorizationResponse(query);
|
|
59
83
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"names":["_auth","require","_misc","_parseUrl","_interopRequireDefault","_errors","_ioReactNativeJwt","_types","_types2","_decoder","_errors2","_logging","_","obj","__esModule","default","
|
|
1
|
+
{"version":3,"names":["_auth","require","_misc","_parseUrl","_interopRequireDefault","_errors","_ioReactNativeJwt","_types","_types2","_decoder","_errors2","_logging","_","obj","__esModule","default","continueUserAuthorizationWithMRTDPoPChallenge","authRedirectUrl","Logger","log","LogLevel","DEBUG","query","parseUrl","authResParsed","AuthorizationChallengeResultShape","safeParse","success","authErr","AuthorizationErrorShape","ERROR","error","message","AuthorizationError","JSON","stringify","AuthorizationIdpError","data","error_description","exports","buildAuthorizationUrl","issuerRequestUri","clientId","issuerConf","idpHint","authzRequestEndpoint","oauth_authorization_server","authorization_endpoint","params","URLSearchParams","client_id","request_uri","append","authUrl","completeUserAuthorizationWithQueryMode","parseAuthorizationResponse","getRequestedCredentialToBePresented","appFetch","arguments","length","undefined","fetch","toString","requestObject","method","then","hasStatusOrThrow","IssuerResponseError","res","text","jws","decode","reqObj","RequestObject","payload","ValidationFailed","reason","completeUserAuthorizationWithFormPostJwtMode","pid","_ref","wiaCryptoContext","pidCryptoContext","dcql_query","Error","dcqlQueryResult","Presentation","evaluateDcqlQuery","credentialsToPresent","map","_ref2","requiredDisclosures","rest","requestedClaims","_ref3","claimName","remotePresentations","prepareRemotePresentations","nonce","authzResponsePayload","createAuthzResponsePayload","state","body","response","resUriRes","response_uri","headers","reqUri","json","responseUri","ResponseUriResultShape","redirect_uri","getJwtFromFormPost","cbRes","decodedJwt","authRes","AuthorizationResultShape","_ref4","kid","getPublicKey","SignJWT","setProtectedHeader","typ","setPayload","vp_token","reduce","_ref5","credentialId","vpToken","setIssuedAt","setExpirationTime","sign"],"sourceRoot":"../../../../src","sources":["credential/issuance/04-complete-user-authorization.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAOA,IAAAC,KAAA,GAAAD,OAAA;AAEA,IAAAE,SAAA,GAAAC,sBAAA,CAAAH,OAAA;AACA,IAAAI,OAAA,GAAAJ,OAAA;AAEA,IAAAK,iBAAA,GAAAL,OAAA;AAKA,IAAAM,MAAA,GAAAN,OAAA;AACA,IAAAO,OAAA,GAAAP,OAAA;AACA,IAAAQ,QAAA,GAAAR,OAAA;AACA,IAAAS,QAAA,GAAAT,OAAA;AACA,IAAAU,QAAA,GAAAV,OAAA;AACA,IAAAW,CAAA,GAAAX,OAAA;AAAkC,SAAAG,uBAAAS,GAAA,WAAAA,GAAA,IAAAA,GAAA,CAAAC,UAAA,GAAAD,GAAA,KAAAE,OAAA,EAAAF,GAAA;AAGlC;AACA;AACA;;AAmCA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMG,6CAA4F,GACvG,MAAOC,eAAe,IAAK;EACzBC,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,+HACH,CAAC;EACD,MAAMC,KAAK,GAAG,IAAAC,iBAAQ,EAACN,eAAe,CAAC,CAACK,KAAK;EAE7C,MAAME,aAAa,GAAGC,uCAAiC,CAACC,SAAS,CAACJ,KAAK,CAAC;EACxE,IAAI,CAACE,aAAa,CAACG,OAAO,EAAE;IAC1B,MAAMC,OAAO,GAAGC,6BAAuB,CAACH,SAAS,CAACJ,KAAK,CAAC;IACxD,IAAI,CAACM,OAAO,CAACD,OAAO,EAAE;MACpBT,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACU,KAAK,EACb,mDAAkDN,aAAa,CAACO,KAAK,CAACC,OAAQ,EACjF,CAAC;MACD,MAAM,IAAIC,2BAAkB,CAACT,aAAa,CAACO,KAAK,CAACC,OAAO,CAAC,CAAC,CAAC;IAC7D;;IACAd,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACU,KAAK,EACb,2CAA0CI,IAAI,CAACC,SAAS,CAACP,OAAO,CAAE,EACrE,CAAC;IACD,MAAM,IAAIQ,8BAAqB,CAC7BR,OAAO,CAACS,IAAI,CAACN,KAAK,EAClBH,OAAO,CAACS,IAAI,CAACC,iBACf,CAAC;EACH;EACA,OAAOd,aAAa,CAACa,IAAI;AAC3B,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AARAE,OAAA,CAAAvB,6CAAA,GAAAA,6CAAA;AASO,MAAMwB,qBAA4C,GAAG,MAAAA,CAC1DC,gBAAgB,EAChBC,QAAQ,EACRC,UAAU,EACVC,OAAO,KACJ;EACH,MAAMC,oBAAoB,GACxBF,UAAU,CAACG,0BAA0B,CAACC,sBAAsB;EAE9D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAER,QAAQ;IACnBS,WAAW,EAAEV;EACf,CAAC,CAAC;EAEF,IAAIG,OAAO,EAAE;IACXI,MAAM,CAACI,MAAM,CAAC,SAAS,EAAER,OAAO,CAAC;EACnC;EAEA,MAAMS,OAAO,GAAI,GAAER,oBAAqB,IAAGG,MAAO,EAAC;EAEnD,OAAO;IAAEK;EAAQ,CAAC;AACpB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AANAd,OAAA,CAAAC,qBAAA,GAAAA,qBAAA;AAOO,MAAMc,sCAA8E,GACzF,MAAOrC,eAAe,IAAK;EACzBC,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,2GACH,CAAC;EACD,MAAMC,KAAK,GAAG,IAAAC,iBAAQ,EAACN,eAAe,CAAC,CAACK,KAAK;EAE7C,OAAOiC,0BAA0B,CAACjC,KAAK,CAAC;AAC1C,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAXAiB,OAAA,CAAAe,sCAAA,GAAAA,sCAAA;AAYO,MAAME,mCAAwE,GACnF,eAAAA,CAAOf,gBAAgB,EAAEC,QAAQ,EAAEC,UAAU,EAAuB;EAAA,IAArBc,QAAQ,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGG,KAAK;EAC7D3C,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,sGACH,CAAC;EACD,MAAMwB,oBAAoB,GACxBF,UAAU,CAACG,0BAA0B,CAACC,sBAAsB;EAC9D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAER,QAAQ;IACnBS,WAAW,EAAEV;EACf,CAAC,CAAC;EAEFvB,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,oCAAmCwB,oBAAqB,IAAGG,MAAM,CAACc,QAAQ,CAAC,CAAE,EAChF,CAAC;EAED,MAAMC,aAAa,GAAG,MAAMN,QAAQ,CACjC,GAAEZ,oBAAqB,IAAGG,MAAM,CAACc,QAAQ,CAAC,CAAE,EAAC,EAC9C;IAAEE,MAAM,EAAE;EAAM,CAClB,CAAC,CACEC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,EAAEC,2BAAmB,CAAC,CAAC,CAChDF,IAAI,CAAEG,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBJ,IAAI,CAAEK,GAAG,IAAK,IAAAC,wBAAM,EAACD,GAAG,CAAC,CAAC,CAC1BL,IAAI,CAAEO,MAAM,IAAKC,oBAAa,CAAC/C,SAAS,CAAC8C,MAAM,CAACE,OAAO,CAAC,CAAC;EAE5D,IAAI,CAACX,aAAa,CAACpC,OAAO,EAAE;IAC1BT,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACU,KAAK,EACb,+CAA8CiC,aAAa,CAAChC,KAAK,CAACC,OAAQ,EAC7E,CAAC;IACD,MAAM,IAAI2C,wBAAgB,CAAC;MACzB3C,OAAO,EAAE,kCAAkC;MAC3C4C,MAAM,EAAEb,aAAa,CAAChC,KAAK,CAACC;IAC9B,CAAC,CAAC;EACJ;EACA,OAAO+B,aAAa,CAAC1B,IAAI;AAC3B,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAVAE,OAAA,CAAAiB,mCAAA,GAAAA,mCAAA;AAWO,MAAMqB,4CAA0F,GACrG,MAAAA,CACEd,aAAa,EACbe,GAAG,EAAAC,IAAA,KAEA;EAAA,IADH;IAAEC,gBAAgB;IAAEC,gBAAgB;IAAExB,QAAQ,GAAGI;EAAM,CAAC,GAAAkB,IAAA;EAExD7D,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,sHACH,CAAC;EAED,IAAI,CAAC0C,aAAa,CAACmB,UAAU,EAAE;IAC7B,MAAM,IAAIC,KAAK,CAAC,wBAAwB,CAAC;EAC3C;EAEA,MAAMC,eAAe,GAAGC,cAAY,CAACC,iBAAiB,CACpD,CAAC,CAACL,gBAAgB,EAAEH,GAAG,CAAC,CAAC,EACzBf,aAAa,CAACmB,UAChB,CAAC;EAED,MAAMK,oBAAoB,GAAGH,eAAe,CAACI,GAAG,CAC9CC,KAAA;IAAA,IAAC;MAAEC,mBAAmB;MAAE,GAAGC;IAAK,CAAC,GAAAF,KAAA;IAAA,OAAM;MACrC,GAAGE,IAAI;MACPC,eAAe,EAAEF,mBAAmB,CAACF,GAAG,CAACK,KAAA;QAAA,IAAC,GAAGC,SAAS,CAAC,GAAAD,KAAA;QAAA,OAAKC,SAAS;MAAA;IACvE,CAAC;EAAA,CACH,CAAC;EAED,MAAMC,mBAAmB,GAAG,MAAMV,cAAY,CAACW,0BAA0B,CACvET,oBAAoB,EACpBxB,aAAa,CAACkC,KAAK,EACnBlC,aAAa,CAACb,SAChB,CAAC;EAED,MAAMgD,oBAAoB,GAAG,MAAMC,0BAA0B,CAAC;IAC5DC,KAAK,EAAErC,aAAa,CAACqC,KAAK;IAC1BL,mBAAmB;IACnBf;EACF,CAAC,CAAC;EAEF9D,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACC,KAAK,EACb,2BAA0B6E,oBAAqB,EAClD,CAAC;;EAED;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;EAEA,MAAMG,IAAI,GAAG,IAAIpD,eAAe,CAAC;IAC/BqD,QAAQ,EAAEJ;EACZ,CAAC,CAAC,CAACpC,QAAQ,CAAC,CAAC;EAEb,MAAMyC,SAAS,GAAG,MAAM9C,QAAQ,CAACM,aAAa,CAACyC,YAAY,EAAE;IAC3DxC,MAAM,EAAE,MAAM;IACdyC,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDJ;EACF,CAAC,CAAC,CACCpC,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,EAAEC,2BAAmB,CAAC,CAAC,CAChDF,IAAI,CAAEyC,MAAM,IAAKA,MAAM,CAACC,IAAI,CAAC,CAAC,CAAC;EAElC,MAAMC,WAAW,GAAGC,8BAAsB,CAACnF,SAAS,CAAC6E,SAAS,CAAC;EAC/D,IAAI,CAACK,WAAW,CAACjF,OAAO,EAAE;IACxBT,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACU,KAAK,EACb,4CAA2C8E,WAAW,CAAC7E,KAAK,CAACC,OAAQ,EACxE,CAAC;IACD,MAAM,IAAI2C,wBAAgB,CAAC;MACzB3C,OAAO,EAAE,gCAAgC;MACzC4C,MAAM,EAAEgC,WAAW,CAAC7E,KAAK,CAACC;IAC5B,CAAC,CAAC;EACJ;EAEA,OAAO,MAAMyB,QAAQ,CAACmD,WAAW,CAACvE,IAAI,CAACyE,YAAY,CAAC,CACjD7C,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,EAAEC,2BAAmB,CAAC,CAAC,CAChDF,IAAI,CAAEG,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBJ,IAAI,CAAC8C,2BAAkB,CAAC,CACxB9C,IAAI,CAAE+C,KAAK,IAAKzD,0BAA0B,CAACyD,KAAK,CAACC,UAAU,CAACvC,OAAO,CAAC,CAAC;AAC1E,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AANAnC,OAAA,CAAAsC,4CAAA,GAAAA,4CAAA;AAOO,MAAMtB,0BAA0B,GACrC2D,OAAgB,IACQ;EACxB,MAAM1F,aAAa,GAAG2F,8BAAwB,CAACzF,SAAS,CAACwF,OAAO,CAAC;EACjE,IAAI,CAAC1F,aAAa,CAACG,OAAO,EAAE;IAC1B,MAAMC,OAAO,GAAGC,6BAAuB,CAACH,SAAS,CAACwF,OAAO,CAAC;IAC1D,IAAI,CAACtF,OAAO,CAACD,OAAO,EAAE;MACpBT,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACU,KAAK,EACb,mDAAkDN,aAAa,CAACO,KAAK,CAACC,OAAQ,EACjF,CAAC;MACD,MAAM,IAAIC,2BAAkB,CAACT,aAAa,CAACO,KAAK,CAACC,OAAO,CAAC,CAAC,CAAC;IAC7D;;IACAd,eAAM,CAACC,GAAG,CACRC,iBAAQ,CAACU,KAAK,EACb,2CAA0CI,IAAI,CAACC,SAAS,CAACP,OAAO,CAAE,EACrE,CAAC;IACD,MAAM,IAAIQ,8BAAqB,CAC7BR,OAAO,CAACS,IAAI,CAACN,KAAK,EAClBH,OAAO,CAACS,IAAI,CAACC,iBACf,CAAC;EACH;EACA,OAAOd,aAAa,CAACa,IAAI;AAC3B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAPAE,OAAA,CAAAgB,0BAAA,GAAAA,0BAAA;AAQA,MAAM4C,0BAA0B,GAAG,MAAAiB,KAAA,IAQZ;EAAA,IARmB;IACxChB,KAAK;IACLL,mBAAmB;IACnBf;EAKF,CAAC,GAAAoC,KAAA;EACC,MAAM;IAAEC;EAAI,CAAC,GAAG,MAAMrC,gBAAgB,CAACsC,YAAY,CAAC,CAAC;EAErD,OAAO,IAAIC,yBAAO,CAACvC,gBAAgB,CAAC,CACjCwC,kBAAkB,CAAC;IAClBC,GAAG,EAAE,KAAK;IACVJ;EACF,CAAC,CAAC,CACDK,UAAU,CAAC;IACV;AACN;AACA;AACA;AACA;IACM,IAAItB,KAAK,GAAG;MAAEA;IAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3BuB,QAAQ,EAAE5B,mBAAmB,CAAC6B,MAAM,CAClC,CAACD,QAAQ,EAAAE,KAAA;MAAA,IAAE;QAAEC,YAAY;QAAEC;MAAQ,CAAC,GAAAF,KAAA;MAAA,OAAM;QACxC,GAAGF,QAAQ;QACX,CAACG,YAAY,GAAGC;MAClB,CAAC;IAAA,CAAC,EACF,CAAC,CACH;EACF,CAAC,CAAC,CACDC,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;AACX,CAAC"}
|
|
@@ -23,30 +23,45 @@ graph TD;
|
|
|
23
23
|
6[obtainCredential]
|
|
24
24
|
7[verifyAndParseCredential]
|
|
25
25
|
credSel{Is credential an eID?}
|
|
26
|
+
proofSel{Requires MRTD PoP?}
|
|
27
|
+
M1[continueUserAuthorizationWithMRTDPoPChallenge]
|
|
28
|
+
subgraph MRTD PoP flow
|
|
29
|
+
M2[verifyAndParseChallengeInfo]
|
|
30
|
+
M3[initChallenge]
|
|
31
|
+
M4[validateChallenge]
|
|
32
|
+
end
|
|
26
33
|
|
|
27
34
|
0 --> 1
|
|
28
35
|
1 --> 2
|
|
29
36
|
2 --> 3
|
|
30
37
|
3 --> credSel
|
|
31
|
-
credSel -->|Yes|
|
|
38
|
+
credSel -->|Yes| proofSel
|
|
32
39
|
credSel -->|No| C4
|
|
40
|
+
proofSel --> |Yes| M1
|
|
41
|
+
proofSel --> |No| E4
|
|
33
42
|
C4 --> C4.1
|
|
34
43
|
C4.1 --> 5
|
|
35
44
|
E4 --> 5
|
|
36
45
|
5 --> 6
|
|
37
46
|
6 --> 7
|
|
47
|
+
|
|
48
|
+
M1 --> M2
|
|
49
|
+
M2 --> M3
|
|
50
|
+
M3 --> M4
|
|
51
|
+
M4 --> E4
|
|
52
|
+
|
|
38
53
|
```
|
|
39
54
|
|
|
40
55
|
## Mapped results
|
|
41
56
|
|
|
42
57
|
The following errors are mapped to a `IssuerResponseError` with specific codes.
|
|
43
58
|
|
|
44
|
-
|HTTP Status|Error Code|Description|
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
59
|
+
| HTTP Status | Error Code | Description |
|
|
60
|
+
| --------------- | ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
61
|
+
| `201 Created` | `ERR_CREDENTIAL_ISSUING_NOT_SYNCHRONOUS` | This response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time. Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous. This allows keeping the flow consistent and handle the case where the credential is not immediately available. |
|
|
62
|
+
| `403 Forbidden` | `ERR_CREDENTIAL_INVALID_STATUS` | This response is returned by the credential issuer when the requested credential has an invalid status. It might contain more details in the `reason` property. |
|
|
63
|
+
| `404 Not Found` | `ERR_CREDENTIAL_INVALID_STATUS` | This response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential. It might contain more details in the `reason` property. |
|
|
64
|
+
| `*` | `ERR_ISSUER_GENERIC_ERROR` | This is a generic error code to map unexpected errors that occurred when interacting with the Issuer. |
|
|
50
65
|
|
|
51
66
|
## Strong authentication for eID issuance (Query Mode)
|
|
52
67
|
|
|
@@ -60,6 +75,17 @@ CIE+PIN(L3) requires a different flow due to the physical card presence. Helper
|
|
|
60
75
|
|
|
61
76
|
The expected result from the authentication process is in provided in the query string as defined in the [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/oauth-v2-jarm.html#name-response-mode-queryjwt).
|
|
62
77
|
|
|
78
|
+
#### eID Substantial Authentication (L2+) with MRTD Verification
|
|
79
|
+
|
|
80
|
+
MRTD Verification is a sub-flow of the Issuance flow and is used when the requested eID requires **eID Substantial Authentication (LoA3) with MRTD (Machine Readable Travel Document) Verification**. This method provides an alternative to CIEid LoA High authentication, requiring two distinct steps to complete the authorization:
|
|
81
|
+
|
|
82
|
+
1. **Primary Authentication**: LoA3 electronic identification (SPID or CIEid L2).
|
|
83
|
+
2. **MRTD Proof of Possession (PoP)**: Electronic document reading and cryptographic verification.
|
|
84
|
+
|
|
85
|
+
This process is initiated by the Authorization Server responding to the primary authentication step with a redirect that includes a challenge in the query string, which is handled by the `continueUserAuthorizationWithMRTDPoPChallenge` function. Once the MRTD PoP is completed, the user must continue the PID issuance flow with the `completeUserAuthorizationWithQueryMode` function.
|
|
86
|
+
|
|
87
|
+
Complete documentation for the MRTD PoP flow can be found here: [mrtd-pop](./mrtd-pop/README.md)
|
|
88
|
+
|
|
63
89
|
## Authentication through credentials (Form Post JWT Mode)
|
|
64
90
|
|
|
65
91
|
When the credential is different than an eID, the flow requires the user to present other credentials in order to obtain the requested one. This is done through the `getRequestedCredentialToBePresented` followed by the `completeUserAuthorizationWithFormPostJwtMode`.
|
|
@@ -122,8 +148,9 @@ const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(issuerUrl);
|
|
|
122
148
|
// Start user authorization
|
|
123
149
|
const { issuerRequestUri, clientId, codeVerifier } =
|
|
124
150
|
await Credential.Issuance.startUserAuthorization(
|
|
125
|
-
issuerConf,
|
|
126
|
-
[credentialId],
|
|
151
|
+
issuerConf,
|
|
152
|
+
[credentialId],
|
|
153
|
+
{ proofType: "none" },
|
|
127
154
|
{
|
|
128
155
|
walletInstanceAttestation,
|
|
129
156
|
redirectUri: REDIRECT_URI,
|
|
@@ -199,10 +226,10 @@ const { parsedCredential } =
|
|
|
199
226
|
issuerConf,
|
|
200
227
|
credential,
|
|
201
228
|
credential_configuration_id,
|
|
202
|
-
{
|
|
203
|
-
credentialCryptoContext,
|
|
229
|
+
{
|
|
230
|
+
credentialCryptoContext,
|
|
204
231
|
ignoreMissingAttributes: true,
|
|
205
|
-
includeUndefinedAttributes: false
|
|
232
|
+
includeUndefinedAttributes: false
|
|
206
233
|
},
|
|
207
234
|
mockX509CertRoot
|
|
208
235
|
);
|
|
@@ -285,6 +312,7 @@ const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
|
|
|
285
312
|
await Credential.Issuance.startUserAuthorization(
|
|
286
313
|
issuerConf,
|
|
287
314
|
[credentialId], // Request authorization for one or more credentials
|
|
315
|
+
{ proofType: "none" },
|
|
288
316
|
{
|
|
289
317
|
walletInstanceAttestation,
|
|
290
318
|
redirectUri,
|
|
@@ -296,12 +324,7 @@ const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
|
|
|
296
324
|
// Complete the authorization process with query mode with the authorizationContext which opens the browser
|
|
297
325
|
const { code } =
|
|
298
326
|
await Credential.Issuance.completeUserAuthorizationWithQueryMode(
|
|
299
|
-
issuerRequestUri
|
|
300
|
-
clientId,
|
|
301
|
-
issuerConf,
|
|
302
|
-
idpHint,
|
|
303
|
-
redirectUri,
|
|
304
|
-
authorizationContext
|
|
327
|
+
issuerRequestUri
|
|
305
328
|
);
|
|
306
329
|
|
|
307
330
|
// Create DPoP context which will be used for the whole issuance flow
|
|
@@ -372,3 +395,117 @@ return {
|
|
|
372
395
|
The result of this flow is a raw credential and a parsed credential which must be stored securely in the wallet along with its crypto key.
|
|
373
396
|
|
|
374
397
|
</details>
|
|
398
|
+
|
|
399
|
+
<details>
|
|
400
|
+
<summary>eID issuance flow with MRTD PoP validation</summary>
|
|
401
|
+
|
|
402
|
+
```ts
|
|
403
|
+
/**
|
|
404
|
+
*
|
|
405
|
+
* Previous steps are the sames as the "eID issuance flow" example
|
|
406
|
+
*
|
|
407
|
+
*/
|
|
408
|
+
|
|
409
|
+
// Start user authorization indicating "mrtd-pop" as the proof type with the idpHint of the
|
|
410
|
+
// chosen identification method
|
|
411
|
+
const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
|
|
412
|
+
await Credential.Issuance.startUserAuthorization(
|
|
413
|
+
issuerConf,
|
|
414
|
+
[credentialId],
|
|
415
|
+
{ proofType: "mrtd-pop", idpHinting: idpHint },
|
|
416
|
+
{
|
|
417
|
+
walletInstanceAttestation,
|
|
418
|
+
redirectUri: redirectUri,
|
|
419
|
+
wiaCryptoContext,
|
|
420
|
+
appFetch,
|
|
421
|
+
}
|
|
422
|
+
);
|
|
423
|
+
|
|
424
|
+
// Obtain the Authorization URL
|
|
425
|
+
const { authUrl } = await Credential.Issuance.buildAuthorizationUrl(
|
|
426
|
+
issuerRequestUri,
|
|
427
|
+
clientId,
|
|
428
|
+
issuerConf,
|
|
429
|
+
idpHint
|
|
430
|
+
);
|
|
431
|
+
|
|
432
|
+
// Extract challenge info from the Authorization URL
|
|
433
|
+
const { challenge_info } =
|
|
434
|
+
await Credential.Issuance.continueUserAuthorizationWithMRTDPoPChallenge(
|
|
435
|
+
authUrl
|
|
436
|
+
);
|
|
437
|
+
|
|
438
|
+
// Verify and parse challenge info and extract challenge data: initialization url, session and nonce
|
|
439
|
+
const {
|
|
440
|
+
htu: initUrl,
|
|
441
|
+
mrtd_auth_session,
|
|
442
|
+
mrtd_pop_jwt_nonce,
|
|
443
|
+
} = await Credential.Issuance.MRTDPoP.verifyAndParseChallengeInfo(
|
|
444
|
+
issuerConf,
|
|
445
|
+
challenge_info,
|
|
446
|
+
{ wiaCryptoContext }
|
|
447
|
+
);
|
|
448
|
+
|
|
449
|
+
// Initialize challenge and obtain the challenge text to sign the CIE PACE protocol and validation url
|
|
450
|
+
const {
|
|
451
|
+
htu: validationUrl,
|
|
452
|
+
challenge,
|
|
453
|
+
mrtd_pop_nonce,
|
|
454
|
+
} = await Credential.Issuance.MRTDPoP.initChallenge(
|
|
455
|
+
issuerConf,
|
|
456
|
+
initUrl,
|
|
457
|
+
mrtd_auth_session,
|
|
458
|
+
mrtd_pop_jwt_nonce,
|
|
459
|
+
{
|
|
460
|
+
walletInstanceAttestation,
|
|
461
|
+
wiaCryptoContext,
|
|
462
|
+
appFetch,
|
|
463
|
+
}
|
|
464
|
+
);
|
|
465
|
+
|
|
466
|
+
// CIE cryptographic interaction: you need to sign the challenge with the CIE through NFC interaction
|
|
467
|
+
const { nis, mrtds } = /* NFC interactions functions */
|
|
468
|
+
|
|
469
|
+
// Validate challenge
|
|
470
|
+
const { mrtd_val_pop_nonce, redirect_uri } =
|
|
471
|
+
await Credential.Issuance.MRTDPoP.validateChallenge(
|
|
472
|
+
issuerConf,
|
|
473
|
+
validationUrl,
|
|
474
|
+
mrtd_auth_session,
|
|
475
|
+
mrtd_pop_nonce,
|
|
476
|
+
mrtd,
|
|
477
|
+
ias,
|
|
478
|
+
{
|
|
479
|
+
walletInstanceAttestation,
|
|
480
|
+
wiaCryptoContext,
|
|
481
|
+
appFetch,
|
|
482
|
+
}
|
|
483
|
+
);
|
|
484
|
+
|
|
485
|
+
// Build the callback url
|
|
486
|
+
const { callbackUrl } = await Credential.Issuance.buildChallengeCallbackUrl(
|
|
487
|
+
redirect_uri,
|
|
488
|
+
mrtd_val_pop_nonce,
|
|
489
|
+
mrtd_auth_session
|
|
490
|
+
);
|
|
491
|
+
|
|
492
|
+
// The generated authUrl must be used to open a browser or webview capable of catching the redirectSchema to perform a get request to the authorization endpoint.
|
|
493
|
+
const authRedirectUrl = /* From a browser or webview redirect */
|
|
494
|
+
|
|
495
|
+
// Complete the authorization process with query mode using the returned callback url
|
|
496
|
+
const { code } =
|
|
497
|
+
await Credential.Issuance.completeUserAuthorizationWithQueryMode(
|
|
498
|
+
authRedirectUrl
|
|
499
|
+
);
|
|
500
|
+
|
|
501
|
+
/**
|
|
502
|
+
*
|
|
503
|
+
* The next steps are the same as the "eID issuance flow" example
|
|
504
|
+
*
|
|
505
|
+
*/
|
|
506
|
+
};
|
|
507
|
+
```
|
|
508
|
+
|
|
509
|
+
The result of this flow is a raw credential and a parsed credential which must be stored securely in the wallet along with its crypto key.
|
|
510
|
+
|
|
511
|
+
</details>
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
Object.defineProperty(exports, "__esModule", {
|
|
4
4
|
value: true
|
|
5
5
|
});
|
|
6
|
-
exports.Errors = void 0;
|
|
6
|
+
exports.MRTDPoP = exports.Errors = void 0;
|
|
7
7
|
Object.defineProperty(exports, "authorizeAccess", {
|
|
8
8
|
enumerable: true,
|
|
9
9
|
get: function () {
|
|
@@ -28,6 +28,12 @@ Object.defineProperty(exports, "completeUserAuthorizationWithQueryMode", {
|
|
|
28
28
|
return _completeUserAuthorization.completeUserAuthorizationWithQueryMode;
|
|
29
29
|
}
|
|
30
30
|
});
|
|
31
|
+
Object.defineProperty(exports, "continueUserAuthorizationWithMRTDPoPChallenge", {
|
|
32
|
+
enumerable: true,
|
|
33
|
+
get: function () {
|
|
34
|
+
return _completeUserAuthorization.continueUserAuthorizationWithMRTDPoPChallenge;
|
|
35
|
+
}
|
|
36
|
+
});
|
|
31
37
|
Object.defineProperty(exports, "evaluateIssuerTrust", {
|
|
32
38
|
enumerable: true,
|
|
33
39
|
get: function () {
|
|
@@ -72,6 +78,8 @@ var _obtainCredential = require("./06-obtain-credential");
|
|
|
72
78
|
var _verifyAndParseCredential = require("./07-verify-and-parse-credential");
|
|
73
79
|
var Errors = _interopRequireWildcard(require("./errors"));
|
|
74
80
|
exports.Errors = Errors;
|
|
81
|
+
var MRTDPoP = _interopRequireWildcard(require("./mrtd-pop"));
|
|
82
|
+
exports.MRTDPoP = MRTDPoP;
|
|
75
83
|
function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
|
|
76
84
|
function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
|
|
77
85
|
//# sourceMappingURL=index.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"names":["_evaluateIssuerTrust","require","_startUserAuthorization","_completeUserAuthorization","_authorizeAccess","_obtainCredential","_verifyAndParseCredential","Errors","_interopRequireWildcard","exports","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set"],"sourceRoot":"../../../../src","sources":["credential/issuance/index.ts"],"mappings":"
|
|
1
|
+
{"version":3,"names":["_evaluateIssuerTrust","require","_startUserAuthorization","_completeUserAuthorization","_authorizeAccess","_obtainCredential","_verifyAndParseCredential","Errors","_interopRequireWildcard","exports","MRTDPoP","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set"],"sourceRoot":"../../../../src","sources":["credential/issuance/index.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,IAAAA,oBAAA,GAAAC,OAAA;AAIA,IAAAC,uBAAA,GAAAD,OAAA;AAIA,IAAAE,0BAAA,GAAAF,OAAA;AAaA,IAAAG,gBAAA,GAAAH,OAAA;AACA,IAAAI,iBAAA,GAAAJ,OAAA;AAIA,IAAAK,yBAAA,GAAAL,OAAA;AAIA,IAAAM,MAAA,GAAAC,uBAAA,CAAAP,OAAA;AAAmCQ,OAAA,CAAAF,MAAA,GAAAA,MAAA;AACnC,IAAAG,OAAA,GAAAF,uBAAA,CAAAP,OAAA;AAAsCQ,OAAA,CAAAC,OAAA,GAAAA,OAAA;AAAA,SAAAC,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAJ,wBAAAQ,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA"}
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
|
|
3
|
+
Object.defineProperty(exports, "__esModule", {
|
|
4
|
+
value: true
|
|
5
|
+
});
|
|
6
|
+
exports.verifyAndParseChallengeInfo = void 0;
|
|
7
|
+
var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
|
|
8
|
+
var _types = require("./types");
|
|
9
|
+
var _errors = require("../../../utils/errors");
|
|
10
|
+
/**
|
|
11
|
+
* Verifies and parses the payload of a MRTD Proof Challenge Info JWT obtained after the primary authentication.
|
|
12
|
+
*
|
|
13
|
+
* This function performs the following steps:
|
|
14
|
+
* 1. Validates the JWT signature using the issuer's JWKS.
|
|
15
|
+
* 2. Decodes the JWT and parses its structure according to the {@link MrtdProofChallengeInfo} schema.
|
|
16
|
+
* 3. Verifies that the `aud` claim matches the client's public key ID.
|
|
17
|
+
* 4. Checks that the JWT is not expired and was not issued in the future.
|
|
18
|
+
*
|
|
19
|
+
* @param issuerConf - The issuer configuration containing the JWKS for signature verification.
|
|
20
|
+
* @param challengeInfoJwt - The JWT string representing the MRTD Proof Challenge Info.
|
|
21
|
+
* @param context - The context containing the WIA crypto context used to retrieve the client public key.
|
|
22
|
+
* @returns The parsed payload of the MRTD Proof Challenge Info JWT.
|
|
23
|
+
* @throws {Error} If the JWT signature is invalid, the structure is malformed, the `aud` claim does not match,
|
|
24
|
+
* or the JWT is expired/not yet valid.
|
|
25
|
+
*/
|
|
26
|
+
const verifyAndParseChallengeInfo = async (issuerConf, challengeInfoJwt, _ref) => {
|
|
27
|
+
let {
|
|
28
|
+
wiaCryptoContext
|
|
29
|
+
} = _ref;
|
|
30
|
+
// Verify JWT signature
|
|
31
|
+
await (0, _ioReactNativeJwt.verify)(challengeInfoJwt, issuerConf.oauth_authorization_server.jwks.keys);
|
|
32
|
+
|
|
33
|
+
// Decode JWT
|
|
34
|
+
const challengeInfoDecoded = (0, _ioReactNativeJwt.decode)(challengeInfoJwt);
|
|
35
|
+
|
|
36
|
+
// Parse and validate structure
|
|
37
|
+
const challengeInfoParsed = _types.MrtdProofChallengeInfo.safeParse(challengeInfoDecoded);
|
|
38
|
+
if (!challengeInfoParsed.success) {
|
|
39
|
+
throw new _errors.IoWalletError("Malformed challenge info.");
|
|
40
|
+
}
|
|
41
|
+
const payload = challengeInfoParsed.data.payload;
|
|
42
|
+
|
|
43
|
+
// Verify aud claim
|
|
44
|
+
const clientId = await wiaCryptoContext.getPublicKey().then(_ => _.kid);
|
|
45
|
+
if (payload.aud !== clientId) {
|
|
46
|
+
throw new _errors.IoWalletError("aud claim does not match client_id.");
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
// Verify iat and exp
|
|
50
|
+
const now = Math.floor(Date.now() / 1000);
|
|
51
|
+
if (payload.iat > now || payload.exp < now) {
|
|
52
|
+
throw new _errors.IoWalletError("JWT is not valid (issued in future or expired).");
|
|
53
|
+
}
|
|
54
|
+
return payload;
|
|
55
|
+
};
|
|
56
|
+
exports.verifyAndParseChallengeInfo = verifyAndParseChallengeInfo;
|
|
57
|
+
//# sourceMappingURL=01-verify-and-parse-challenge-info.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"names":["_ioReactNativeJwt","require","_types","_errors","verifyAndParseChallengeInfo","issuerConf","challengeInfoJwt","_ref","wiaCryptoContext","verifyJwt","oauth_authorization_server","jwks","keys","challengeInfoDecoded","decodeJwt","challengeInfoParsed","MrtdProofChallengeInfo","safeParse","success","IoWalletError","payload","data","clientId","getPublicKey","then","_","kid","aud","now","Math","floor","Date","iat","exp","exports"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/01-verify-and-parse-challenge-info.ts"],"mappings":";;;;;;AAAA,IAAAA,iBAAA,GAAAC,OAAA;AAKA,IAAAC,MAAA,GAAAD,OAAA;AAGA,IAAAE,OAAA,GAAAF,OAAA;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMG,2BAAwD,GAAG,MAAAA,CACtEC,UAAU,EACVC,gBAAwB,EAAAC,IAAA,KAErB;EAAA,IADH;IAAEC;EAAiB,CAAC,GAAAD,IAAA;EAEpB;EACA,MAAM,IAAAE,wBAAS,EACbH,gBAAgB,EAChBD,UAAU,CAACK,0BAA0B,CAACC,IAAI,CAACC,IAC7C,CAAC;;EAED;EACA,MAAMC,oBAAoB,GAAG,IAAAC,wBAAS,EAACR,gBAAgB,CAAC;;EAExD;EACA,MAAMS,mBAAmB,GACvBC,6BAAsB,CAACC,SAAS,CAACJ,oBAAoB,CAAC;EACxD,IAAI,CAACE,mBAAmB,CAACG,OAAO,EAAE;IAChC,MAAM,IAAIC,qBAAa,CAAC,2BAA2B,CAAC;EACtD;EACA,MAAMC,OAAO,GAAGL,mBAAmB,CAACM,IAAI,CAACD,OAAO;;EAEhD;EACA,MAAME,QAAQ,GAAG,MAAMd,gBAAgB,CAACe,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EACzE,IAAIN,OAAO,CAACO,GAAG,KAAKL,QAAQ,EAAE;IAC5B,MAAM,IAAIH,qBAAa,CAAC,qCAAqC,CAAC;EAChE;;EAEA;EACA,MAAMS,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;EACzC,IAAIR,OAAO,CAACY,GAAG,GAAGJ,GAAG,IAAIR,OAAO,CAACa,GAAG,GAAGL,GAAG,EAAE;IAC1C,MAAM,IAAIT,qBAAa,CAAC,iDAAiD,CAAC;EAC5E;EAEA,OAAOC,OAAO;AAChB,CAAC;AAACc,OAAA,CAAA9B,2BAAA,GAAAA,2BAAA"}
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
|
|
3
|
+
Object.defineProperty(exports, "__esModule", {
|
|
4
|
+
value: true
|
|
5
|
+
});
|
|
6
|
+
exports.initChallenge = void 0;
|
|
7
|
+
var _misc = require("../../../utils/misc");
|
|
8
|
+
var _uuid = require("uuid");
|
|
9
|
+
var _pop = require("../../../utils/pop");
|
|
10
|
+
var WalletInstanceAttestation = _interopRequireWildcard(require("../../../wallet-instance-attestation"));
|
|
11
|
+
var _errors = require("../../../utils/errors");
|
|
12
|
+
var _ioReactNativeJwt = require("@pagopa/io-react-native-jwt");
|
|
13
|
+
var _types = require("./types");
|
|
14
|
+
function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
|
|
15
|
+
function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
|
|
16
|
+
/**
|
|
17
|
+
* Initialaizes the MRTD challenge with the data received from the issuer after the primary authentication.
|
|
18
|
+
* This function must be called after {@link verifyAndParseChallengeInfo}.
|
|
19
|
+
*
|
|
20
|
+
* @param issuerConf - The issuer configuration containing the JWKS for signature verification.
|
|
21
|
+
* @param initUrl - The endpoint to call to initialize the challenge.
|
|
22
|
+
* @param mrtd_auth_session - Session identifier for session binding obtained from the MRTD Proof JWT.
|
|
23
|
+
* @param mrtd_pop_jwt_nonce - Nonce value obtained from the MRTD Proof JWT.
|
|
24
|
+
* @param context - The context containing the WIA crypto context used to retrieve the client public key,
|
|
25
|
+
* the wallet instance attestation and an optional fetch implementation.
|
|
26
|
+
* @returns The payload of the MRTD PoP Challenge JWT.
|
|
27
|
+
*/
|
|
28
|
+
const initChallenge = async (issuerConf, initUrl, mrtd_auth_session, mrtd_pop_jwt_nonce, context) => {
|
|
29
|
+
const {
|
|
30
|
+
appFetch = fetch,
|
|
31
|
+
walletInstanceAttestation,
|
|
32
|
+
wiaCryptoContext
|
|
33
|
+
} = context;
|
|
34
|
+
const aud = issuerConf.openid_credential_issuer.credential_issuer;
|
|
35
|
+
const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
|
|
36
|
+
const signedWiaPoP = await (0, _pop.createPopToken)({
|
|
37
|
+
jti: `${(0, _uuid.v4)()}`,
|
|
38
|
+
aud,
|
|
39
|
+
iss
|
|
40
|
+
}, wiaCryptoContext);
|
|
41
|
+
const requestBody = {
|
|
42
|
+
mrtd_auth_session,
|
|
43
|
+
mrtd_pop_jwt_nonce
|
|
44
|
+
};
|
|
45
|
+
const mrtdPoPChallengeJwt = await appFetch(initUrl, {
|
|
46
|
+
method: "POST",
|
|
47
|
+
headers: {
|
|
48
|
+
"Content-Type": "application/json",
|
|
49
|
+
"OAuth-Client-Attestation": walletInstanceAttestation,
|
|
50
|
+
"OAuth-Client-Attestation-PoP": signedWiaPoP
|
|
51
|
+
},
|
|
52
|
+
body: JSON.stringify(requestBody)
|
|
53
|
+
}).then((0, _misc.hasStatusOrThrow)(202, _errors.IssuerResponseError)).then(res => res.text());
|
|
54
|
+
const mrtdPoPChallengeDecoded = (0, _ioReactNativeJwt.decode)(mrtdPoPChallengeJwt);
|
|
55
|
+
const {
|
|
56
|
+
payload
|
|
57
|
+
} = _types.MrtdPoPChallenge.parse(mrtdPoPChallengeDecoded);
|
|
58
|
+
return payload;
|
|
59
|
+
};
|
|
60
|
+
exports.initChallenge = initChallenge;
|
|
61
|
+
//# sourceMappingURL=02-init-challenge.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"names":["_misc","require","_uuid","_pop","WalletInstanceAttestation","_interopRequireWildcard","_errors","_ioReactNativeJwt","_types","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","initChallenge","issuerConf","initUrl","mrtd_auth_session","mrtd_pop_jwt_nonce","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","aud","openid_credential_issuer","credential_issuer","iss","decode","payload","cnf","jwk","kid","signedWiaPoP","createPopToken","jti","uuidv4","requestBody","mrtdPoPChallengeJwt","method","headers","body","JSON","stringify","then","hasStatusOrThrow","IssuerResponseError","res","text","mrtdPoPChallengeDecoded","decodeJwt","MrtdPoPChallenge","parse","exports"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/02-init-challenge.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAEA,IAAAC,KAAA,GAAAD,OAAA;AACA,IAAAE,IAAA,GAAAF,OAAA;AACA,IAAAG,yBAAA,GAAAC,uBAAA,CAAAJ,OAAA;AAEA,IAAAK,OAAA,GAAAL,OAAA;AACA,IAAAM,iBAAA,GAAAN,OAAA;AACA,IAAAO,MAAA,GAAAP,OAAA;AAA2C,SAAAQ,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAL,wBAAAS,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAc3C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMW,aAA4B,GAAG,MAAAA,CAC1CC,UAAU,EACVC,OAAO,EACPC,iBAAiB,EACjBC,kBAAkB,EAClBC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,GAAG,GAAGT,UAAU,CAACU,wBAAwB,CAACC,iBAAiB;EACjE,MAAMC,GAAG,GAAGxC,yBAAyB,CAACyC,MAAM,CAACN,yBAAyB,CAAC,CACpEO,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,YAAY,GAAG,MAAM,IAAAC,mBAAc,EACvC;IACEC,GAAG,EAAG,GAAE,IAAAC,QAAM,EAAC,CAAE,EAAC;IAClBZ,GAAG;IACHG;EACF,CAAC,EACDJ,gBACF,CAAC;EAED,MAAMc,WAAW,GAAG;IAClBpB,iBAAiB;IACjBC;EACF,CAAC;EAED,MAAMoB,mBAAmB,GAAG,MAAMlB,QAAQ,CAACJ,OAAO,EAAE;IAClDuB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClC,0BAA0B,EAAElB,yBAAyB;MACrD,8BAA8B,EAAEW;IAClC,CAAC;IACDQ,IAAI,EAAEC,IAAI,CAACC,SAAS,CAACN,WAAW;EAClC,CAAC,CAAC,CACCO,IAAI,CAAC,IAAAC,sBAAgB,EAAC,GAAG,EAAEC,2BAAmB,CAAC,CAAC,CAChDF,IAAI,CAAEG,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;EAE5B,MAAMC,uBAAuB,GAAG,IAAAC,wBAAS,EAACZ,mBAAmB,CAAC;EAC9D,MAAM;IAAET;EAAQ,CAAC,GAAGsB,uBAAgB,CAACC,KAAK,CAACH,uBAAuB,CAAC;EAEnE,OAAOpB,OAAO;AAChB,CAAC;AAACwB,OAAA,CAAAvC,aAAA,GAAAA,aAAA"}
|