16 |
23 |
24 |
--------------------------------------------------------------------------------
/.eslintrc.cjs:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | module.exports = {
9 | root: true,
10 | env: {
11 | node: true
12 | },
13 | extends: [
14 | 'plugin:quasar/standard',
15 | 'digitalbazaar',
16 | 'digitalbazaar/module',
17 | 'digitalbazaar/vue3'
18 | ],
19 | ignorePatterns: [
20 | 'node_modules/',
21 | 'dist/'
22 | ],
23 | rules: {
24 | 'linebreak-style': [
25 | 'error',
26 | (process.platform === 'win32' ? 'windows' : 'unix')
27 | ],
28 | 'unicorn/prefer-node-protocol': 'error',
29 | 'vue/no-v-html': 'off'
30 | }
31 | };
32 |
--------------------------------------------------------------------------------
/test/utils/auditVpToken.js:
--------------------------------------------------------------------------------
1 | import fs from 'node:fs';
2 | import {httpClient} from '@digitalbazaar/http-client';
3 |
4 | const main = async () => {
5 | const domain = process.argv[2];
6 | const url = `${domain}/audit-presentation`;
7 | const vpTokenData = JSON.parse(fs.readFileSync(
8 | './test/fixtures/audit/vpToken.json'
9 | ));
10 | const headers = {'Content-Type': 'application/json'};
11 | httpClient.extend({headers});
12 |
13 | let auditResponse;
14 | try {
15 | const response =
16 | await httpClient.post(url, {json: vpTokenData});
17 | auditResponse = response;
18 | } catch(error) {
19 | auditResponse = error;
20 | }
21 |
22 | console.log(JSON.stringify(auditResponse.data, null, 2));
23 | };
24 |
25 | main();
26 |
--------------------------------------------------------------------------------
/web/components/JsonNode.vue:
--------------------------------------------------------------------------------
1 |
7 |
8 |
9 |
10 | {{value.slice(0, 128)}}
11 | ...
14 |
15 |
16 | {{value}}
17 |
18 |
19 |
20 |
36 |
--------------------------------------------------------------------------------
/web/components/YouTubeVideo.vue:
--------------------------------------------------------------------------------
1 |
7 |
8 |
23 |
24 |
25 |
30 |
31 |
32 |
38 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | # Copyright 2023 - 2024 California Department of Motor Vehicles
2 | # Copyright 2023 - 2024 Digital Bazaar, Inc.
3 | #
4 | # SPDX-License-Identifier: BSD-3-Clause
5 |
6 | FROM node:20-alpine AS base
7 | RUN mkdir -p /home/node/app && chown -R node:node /home/node/app
8 | WORKDIR /home/node/app
9 |
10 | FROM base AS build-setup
11 | RUN apk add --no-cache git bash
12 |
13 | FROM build-setup AS build
14 | ARG NODE_AUTH_TOKEN
15 | USER node
16 | COPY --chown=node:node . .
17 | RUN mv dev.js index.js
18 |
19 | RUN npm i --omit=dev --package-lock
20 | RUN node index.js bundle --webpack-mode production --bundle-mode production
21 |
22 | FROM build AS test
23 | # RUN cd test && npm t
24 | # RUN rm -rf test#
25 |
26 | FROM base AS release
27 | COPY --from=test --chown=node:node /home/node/app ./
28 | EXPOSE 22443
29 | ENV NODE_ENV=production
30 | CMD [ "node", "index", "--bundle-mode", "production"]
31 |
--------------------------------------------------------------------------------
/common/suites.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import {DataIntegrityProof} from '@digitalbazaar/data-integrity';
9 | import {cryptosuite as ecdsaRdfc2019Cryptosuite} from
10 | '@digitalbazaar/ecdsa-rdfc-2019-cryptosuite';
11 | import {Ed25519Signature2018} from '@digitalbazaar/ed25519-signature-2018';
12 | import {Ed25519Signature2020} from '@digitalbazaar/ed25519-signature-2020';
13 | import {
14 | cryptosuite as eddsaRdfc2022Cryptosuite
15 | } from '@digitalbazaar/eddsa-rdfc-2022-cryptosuite';
16 |
17 | export const SUITES = [
18 | new Ed25519Signature2018(),
19 | new Ed25519Signature2020(),
20 | new DataIntegrityProof({cryptosuite: ecdsaRdfc2019Cryptosuite}),
21 | new DataIntegrityProof({cryptosuite: eddsaRdfc2022Cryptosuite}),
22 | ];
23 |
--------------------------------------------------------------------------------
/configs/authorization.js:
--------------------------------------------------------------------------------
1 | import * as bedrock from '@bedrock/core';
2 | const {config} = bedrock;
3 | const c = bedrock.util.config.main;
4 | const cc = c.computer();
5 |
6 | const getOAuthConfigs = workflow => {
7 | const configs = [];
8 | for(const step of Object.keys(workflow.steps ?? {})) {
9 | const {oauth} = workflow.steps[step].callback ?? {};
10 | if(oauth) {
11 | configs.push({
12 | issuer: oauth.issuer,
13 | client_id: oauth.clientId,
14 | client_secret: oauth.clientSecret,
15 | token_endpoint: oauth.tokenUrl,
16 | scope: oauth.scope,
17 | pkce: false,
18 | protocol: 'oauth2_client_grant',
19 | grant_type: 'client_credentials'
20 | });
21 | }
22 | }
23 | return configs;
24 | };
25 |
26 | cc('opencred.authorization', () => config.opencred.relyingParties.flatMap(
27 | rp => getOAuthConfigs(rp.workflow)
28 | ).filter(c => c));
29 |
--------------------------------------------------------------------------------
/test.config.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import {config} from '@bedrock/core';
9 | import {fileURLToPath} from 'node:url';
10 | import path from 'node:path';
11 | import '@bedrock/https-agent';
12 | import '@bedrock/mongodb';
13 |
14 | const __dirname = path.dirname(fileURLToPath(import.meta.url));
15 |
16 | config.mocha.tests.push(path.join(__dirname, 'test', 'mocha'));
17 |
18 | // mongodb config
19 | config.mongodb.name = 'opencred_test';
20 | config.mongodb.host = 'localhost';
21 | config.mongodb.port = 27017;
22 | // drop all collections on initialization
23 | config.mongodb.dropCollections = {};
24 | config.mongodb.dropCollections.onInit = true;
25 | config.mongodb.dropCollections.collections = ['Exchanges'];
26 |
27 | // HTTPS Agent
28 | config['https-agent'].rejectUnauthorized = false;
29 |
--------------------------------------------------------------------------------
/web/components/JsonView.vue:
--------------------------------------------------------------------------------
1 |
7 |
8 |
9 |
17 |
22 |
10 |
21 |
22 |
25 |
26 |
27 |
28 |
40 |
--------------------------------------------------------------------------------
/lib/api.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 | import QRCode from 'qrcode';
8 |
9 | /**
10 | * The middleware for the exchange type will initiate the exchange
11 | * or return an error response. If successful, the exchange data will
12 | * be available on the request object `req.exchange`.
13 | */
14 | export async function initiateExchange(req, res) {
15 | const exchangeData = req.exchange;
16 | if(!exchangeData) {
17 | res.status(500).send(
18 | {message: 'Unexpected server error: no exchange data initiated'}
19 | );
20 | return;
21 | }
22 | res.send({...exchangeData, QR: await QRCode.toDataURL(exchangeData.OID4VP)});
23 | }
24 |
25 | /**
26 | * The middleware for the exchange type will attach the exchange to req.
27 | */
28 | export const getExchangeStatus = async (req, res) => {
29 | const exchange = req.exchange;
30 | res.send({exchange});
31 | };
32 |
--------------------------------------------------------------------------------
/.github/workflows/osv-scanner.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2023 - 2025 California Department of Motor Vehicles
2 | # Copyright 2023 - 2025 Digital Bazaar, Inc.
3 | #
4 | # SPDX-License-Identifier: BSD-3-Clause
5 |
6 | # OSV-Scanner PR scanning reusable workflow, can be used as a PR action to detect new vulnerabilities being introduced.
7 | name: Use OSV to do SCA on main (daily) and PRs
8 |
9 | on:
10 | pull_request:
11 | branches: [main]
12 | merge_group:
13 | branches: [main]
14 | schedule:
15 | - cron: 0 0 * * *
16 | push:
17 | branches: [main]
18 |
19 | jobs:
20 | ## run the following on PRs
21 | osv-scan-pr:
22 | uses: digitalbazaar/github-workflow-shared-action-osv-scanner/.github/workflows/osv-scanner-pr.yaml@a3f075f418e548dc2d55220acd7de23bdf8c4e70
23 | permissions:
24 | contents: read
25 | pull-requests: write
26 |
27 | ## run the following only on the main branch
28 | osv-scan-main:
29 | uses: digitalbazaar/github-workflow-shared-action-osv-scanner/.github/workflows/osv-scanner-main.yaml@a3f075f418e548dc2d55220acd7de23bdf8c4e70
30 | permissions:
31 | contents: read
32 | issues: write
33 |
--------------------------------------------------------------------------------
/cloudbuild.yaml:
--------------------------------------------------------------------------------
1 | # Copyright 2023 - 2024 California Department of Motor Vehicles
2 | # Copyright 2023 - 2024 Digital Bazaar, Inc.
3 | #
4 | # SPDX-License-Identifier: BSD-3-Clause
5 |
6 | steps:
7 | - name: 'gcr.io/cloud-builders/docker'
8 | args: [ 'build',
9 | '--build-arg',
10 | 'NODE_AUTH_TOKEN=${_NODE_AUTH_TOKEN}',
11 | '-t',
12 | '$TAG_NAME',
13 | '.' ]
14 |
15 | - name: 'gcr.io/cloud-builders/docker'
16 | id: 'Push Docker Image to Repository'
17 | args: [ 'push', '$TAG_NAME']
18 |
19 | - name: 'gcr.io/$PROJECT_ID/cloudbuild-attestor'
20 | id: 'Attest Image (Binary Auth)'
21 | entrypoint: 'sh'
22 | args:
23 | - -xe
24 | - -c
25 | - |-
26 | FQ_DIGEST=$(gcloud container images describe --format 'value(image_summary.fully_qualified_digest)' $TAG_NAME)
27 | /scripts/create_attestation.sh \
28 | -p "$PROJECT_ID" \
29 | -i "$${FQ_DIGEST}" \
30 | -a "$_VULNZ_ATTESTOR" \
31 | -v "$_VULNZ_KMS_KEY_VERSION" \
32 | -k "$_VULNZ_KMS_KEY" \
33 | -l "$_KMS_LOCATION" \
34 | -r "$_KMS_KEYRING" \
35 |
--------------------------------------------------------------------------------
/test/mocha/90-utils.test.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import expect from 'expect.js';
9 | import {normalizeVpTokenDataIntegrity} from '../../common/utils.js';
10 |
11 | describe('normalizeVpTokenDataIntegrity', () => {
12 |
13 | it('it should handle a JSON object and return an array with the \
14 | object', () => {
15 | const vpObject = {test: 'data'};
16 | expect(normalizeVpTokenDataIntegrity(vpObject)).to.eql([vpObject]);
17 | });
18 |
19 | it('it should handle an array of JSON objects', () => {
20 | const vpObject1 = {test1: 'data1'};
21 | const vpObject2 = {test2: 'data2'};
22 | const vpArray = [vpObject1, vpObject2];
23 | expect(normalizeVpTokenDataIntegrity(vpArray)).to.eql([
24 | vpObject1,
25 | vpObject2
26 | ]);
27 | });
28 |
29 | it('it should return null for non-string, non-object, and non-array \
30 | inputs', () => {
31 | const numberInput = 123;
32 | expect(normalizeVpTokenDataIntegrity(numberInput)).to.equal(null);
33 | });
34 | });
35 |
--------------------------------------------------------------------------------
/dev.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 | import * as bedrock from '@bedrock/core';
8 | import * as fs from 'node:fs';
9 | import {fileURLToPath} from 'node:url';
10 | import {logger} from './lib/logger.js';
11 | import path from 'node:path';
12 |
13 | const {config} = bedrock;
14 |
15 | const __dirname = path.dirname(fileURLToPath(import.meta.url));
16 | const configPath = path.join(__dirname, 'configs/combined.yaml');
17 |
18 | let localConfig = '';
19 |
20 | if(!process.env.BEDROCK_CONFIG) {
21 | try {
22 | logger.info('Loading config from ' + configPath);
23 | localConfig = fs.readFileSync(configPath, 'utf8');
24 | } catch(e) {
25 | logger.info('Failed to load config from ' + configPath);
26 | }
27 | }
28 |
29 | if(!!localConfig) {
30 | const based = Buffer.from(localConfig).toString('base64');
31 | process.env.BEDROCK_CONFIG = based;
32 | logger.info('Loaded config from ' + configPath);
33 | }
34 | config.paths.config = path.join(__dirname, 'configs');
35 | import './lib/index.js';
36 |
37 | bedrock.start();
38 |
--------------------------------------------------------------------------------
/web/components/LoginView.vue:
--------------------------------------------------------------------------------
1 |
7 |
8 |
33 |
34 |
35 |
11 |
15 |
12 | {{title}}
13 |
14 |
38 |
44 |
45 |
--------------------------------------------------------------------------------
/web/chapi.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | /* global navigator */
9 | import * as polyfill from 'credential-handler-polyfill';
10 |
11 | const recommendedHandlerOrigins = [
12 | 'https://demo.1keep.com/'
13 | ];
14 |
15 | /**
16 | * Gets credentials using CHAPI.
17 | *
18 | * @param {object} options - The options to use.
19 | * @param {object} options.queries - The credential queries to use.
20 | * @param {string} options.challenge - The challenge to use.
21 | * @param {string} options.domain - The domain to use.
22 | * @param {object} options.protocols - The protocol URLs to use (vcapi, OID4VP).
23 | * @returns {Promise} - A promise that resolves after CHAPI has received
24 | * the credentials.
25 | */
26 | export async function getCredentials({protocols}) {
27 | await polyfill.loadOnce();
28 |
29 | if(Object.keys(protocols).length === 0) {
30 | throw new Error(`protocols is a required field`);
31 | }
32 | const options = {
33 | VerifiablePresentation: {},
34 | recommendedHandlerOrigins,
35 | protocols
36 | };
37 | return navigator.credentials.get({
38 | web: options
39 | });
40 | }
41 |
--------------------------------------------------------------------------------
/lib/workflows/common.js:
--------------------------------------------------------------------------------
1 | import {config} from '@bedrock/core';
2 | import {logger} from '../logger.js';
3 | import QRCode from 'qrcode';
4 |
5 | export const newExchangeContext = async (req, res) => {
6 | if(!req.exchange) {
7 | res.status(404).send('Exchange not found');
8 | return;
9 | }
10 | const rp = req.rp;
11 | const context = {
12 | step: rp.workflow.initialStep,
13 | rp: {
14 | clientId: rp.clientId,
15 | redirectUri: rp.redirectUri,
16 | name: rp.name,
17 | primaryLogo: rp.primaryLogo,
18 | primaryLink: rp.primaryLink,
19 | secondaryLogo: rp.secondaryLogo,
20 | secondaryLink: rp.secondaryLink,
21 | homeLink: rp.homeLink,
22 | brand: rp.brand,
23 | backgroundImage: rp.backgroundImage,
24 | explainerVideo: rp.explainerVideo,
25 | workflow: {
26 | type: rp.workflow.type,
27 | id: rp.workflow.id
28 | }
29 | },
30 | options: config.opencred.options,
31 | exchangeData: {
32 | ...req.exchange,
33 | QR: await QRCode.toDataURL(req.exchange.OID4VP)
34 | }
35 | };
36 | try {
37 | res.send(context);
38 | return;
39 | } catch(error) {
40 | logger.error(error.message, {error});
41 | res.status(500).send('Error rendering page');
42 | return;
43 | }
44 | };
45 |
--------------------------------------------------------------------------------
/web/components/ErrorView.vue:
--------------------------------------------------------------------------------
1 |
7 |
8 |
30 |
31 |
32 |
39 |
43 |
33 |
58 |
59 |
--------------------------------------------------------------------------------
/web/components/CountdownDisplay.vue:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | {{Math.round(remainingSeconds / 60)}}
5 | minutes
6 |
7 |
8 | {{remainingSeconds}} seconds
9 |
10 |
11 |
12 |
13 |
55 |
--------------------------------------------------------------------------------
/web/components/TranslateIcon.vue:
--------------------------------------------------------------------------------
1 |
2 |
3 |
13 |
14 |
--------------------------------------------------------------------------------
/configs/configUtils.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | export const applyRpDefaults = (allRps, rp, refs = []) => {
9 | if(rp.workflow) {
10 | const {untrustedVariableAllowList} = rp.workflow;
11 | rp.workflow.untrustedVariableAllowList =
12 | untrustedVariableAllowList ? [...new Set([
13 | ...untrustedVariableAllowList,
14 | 'redirectPath'
15 | ])] : ['redirectPath'];
16 | }
17 | if(rp.configFrom) {
18 | if(typeof rp.configFrom !== 'string') {
19 | throw new Error(`[${rp.clientId}]: configFrom must be a string`);
20 | }
21 | const configFrom = allRps.find(r => r.clientId === rp.configFrom);
22 | if(!configFrom) {
23 | throw new Error(
24 | `[${rp.clientId}]: configFrom client ${rp.configFrom} not found`
25 | );
26 | }
27 | if(configFrom.configFrom && refs.includes(configFrom.clientId)) {
28 | throw new Error(
29 | `[${rp.clientId}]: Circular configFrom reference detected`
30 | );
31 | } else if(configFrom.configFrom) {
32 | return {
33 | ...applyRpDefaults(allRps, configFrom, refs.concat(rp.clientId)),
34 | ...rp
35 | };
36 | }
37 | return {
38 | ...configFrom,
39 | ...rp
40 | };
41 | }
42 | return rp;
43 | };
44 |
--------------------------------------------------------------------------------
/test/fixtures/revoked-cert/root.cer:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
3 | MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
4 | d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
5 | QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
6 | MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
7 | b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
8 | 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
9 | CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
10 | nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
11 | 43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
12 | T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
13 | gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
14 | BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
15 | TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
16 | DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
17 | hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
18 | 06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
19 | PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
20 | YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
21 | CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
22 | -----END CERTIFICATE-----
23 |
--------------------------------------------------------------------------------
/LICENSES/BSD-3-Clause.txt:
--------------------------------------------------------------------------------
1 | Copyright (c) 34 | {{title}} 35 |
36 | 37 |38 | {{subtitle}} 39 |
40 | 41 |42 | {{message}} 43 |
44 | 45 |
48 |
54 | {{$t('exchangeReset')}}
55 |
56 |
57 | 49 | {{$t('exchangeResetTitle')}} 50 |
51 |
56 |
108 |
109 |
--------------------------------------------------------------------------------
/docs/02-how-to-use-oidc.md:
--------------------------------------------------------------------------------
1 | # How to Use OpenCred as an OIDC Identity Provider
2 |
3 | ## Introduction
4 |
5 | In this guide, we will configure OpenCred to function as an OpenID Connect
6 | (OIDC) Identity Provider (IdP). This setup will allow a relying party to
7 | authenticate users using Verifiable Credentials (VCs) verified by OpenCred.
8 |
9 | ## Prerequisites
10 |
11 | Ensure you have:
12 |
13 | - A digital wallet capable of completing OID4VP exchanges
14 | - A `VerifiedEmailCredential` to be presented during authentication
15 | - A locally running OpenCred deployment
16 | [(see tutorial)](./00-configure-relying-party.md)
17 | - For this tutorial the localtunnel URL will be `https://blue-deer-lead.loca.lt`
18 |
19 | ## Basic Steps
20 |
21 | ### 1. Create a new OIDC Relying Party Application
22 |
23 | In your favourite OIDC authentication provider, createa a new application. For
24 | this example we will be using Auth0. These instructions will need to be adjusted
25 | for different providers.
26 |
27 | 1. In the Auth0 dashboard navigate to "Create Application"
28 |
29 | - `Applications > Applications > Create Application`
30 |
31 | 2. Enter a name for the new application and select "Regular Web Applications"
32 |
33 | 3. Add the redirect URI for your application into the "Allowed Callback URLs"
34 | field
35 |
36 | 4. Save the application
37 |
38 | ### 2. Create a new OIDC Enterprise Connection
39 |
40 | 1. In the Auth0 dashboard create a new enterprise connection
41 |
42 | - `Authentication > Enterprise > OpenID Connect > Create Connection`
43 |
44 | 2. Enter a connection name
45 |
46 | 3. Enter the issuer URL of your localtunnel
47 | `https://blue-deer-lead.loca.lt/.well-known/openid-configuration.json`
48 |
49 | 4. Enter the Client ID from the OpenCred relying party configuration
50 | `example-client`
51 |
52 | 5. Copy the Callback URL and enter it in the OpenCred config in the
53 | `redirectURI` field of the relying party.
54 |
55 | **Note: THERE IS A BUG IN AUTH0 DASHBOARD.**
56 |
57 | 6. Open up the network tab, attempt to create the connection (will fail) and
58 | copy the failed HTTP request as cURL. On the command line paste the cURL and
59 | edit the `--data-raw` `options` to include
60 | `"jwks_uri": "https://blue-deer-lead.loca.lt/.well-known/jwks.json",
61 | "authorization_endpoint": "https://blue-deer-lead.loca.lt/authorize",
62 | "issuer": "https://blue-deer-lead.loca.lt"`.
63 |
64 | 7. Once created, open the new connection and edit some of the details:
65 | - Set "Type" to "back channel".
66 | - Set "Client Secret" to the `clientSecret` from OpenCred config.
67 | - Set "scopes" to `openid`.
68 |
69 | 8. Navigate to the "Login Experience" tab and enable the "display connection as
70 | button" and save.
71 |
72 | 9. Navigate to the applications tab and enable the application created in step 1
73 |
74 | ### 3. Configure your desired OAuth2 client library
75 |
76 | From the details in the application you created in step 1 you will find all of
77 | the details required to configure your application for authentication using
78 | OAuth 2.0 Authorization Flow using your favourite OpenID client library.
79 |
80 | ## Summary
81 |
82 | By following these steps, you can use OpenCred as an OIDC Identity Provider to
83 | authenticate users with Verifiable Credentials. Note that you may need to adjust
84 | the instructions slightly for different authentication service providers.
--------------------------------------------------------------------------------
/lib/database.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import * as bedrock from '@bedrock/core';
9 | import * as database from '@bedrock/mongodb';
10 | import {config} from '@bedrock/core';
11 | import {logger} from './logger.js';
12 |
13 | export const saveRootCertificates = async () => {
14 | const certs = config.opencred.caStore;
15 | for(const cert of certs) {
16 | const existingCertificate =
17 | await database.collections.RootCertificates.findOne({
18 | certificate: cert
19 | });
20 | if(!existingCertificate) {
21 | await database.collections.RootCertificates.insertOne({
22 | certificate: cert
23 | });
24 | }
25 | }
26 | };
27 |
28 | bedrock.events.on('bedrock-mongodb.ready', async function() {
29 | /**
30 | * Exchange document structure:
31 | {
32 | id,
33 | sequence: 0,
34 | ttl: 900,
35 | state: 'pending', 'active', 'complete', 'invalid'
36 | variables: {}, // each step name in the workflow is a key in variables
37 | step: {string}, the name of the current step in the workflow
38 | challenge: {string}
39 | workflowId: {string}
40 | accessToken?: {string}
41 | apiAccessToken?: {string}
42 | oidc: {
43 | code?: string,
44 | state?: string,
45 | }
46 | }
47 | */
48 |
49 | /**
50 | * DID document history document structure:
51 | {
52 | did: {string},
53 | history: {
54 | validFrom: Date,
55 | validUntil?: Date, // nullable (for most recent window)
56 | didDocument: {}
57 | }[]
58 | }
59 | // Note: History will be empty for DIDs that support versioning.
60 | // This helps us to know whether a given instance of OpenCred
61 | // has encountered an issuer DID at some point in the past.
62 | */
63 |
64 | /**
65 | * Root certificate document structure:
66 | {
67 | certificate: {string}
68 | }
69 | // Note: History will be empty for DIDs that support versioning.
70 | // This helps us to know whether a given instance of OpenCred
71 | // has encountered an issuer DID at some point in the past.
72 | */
73 | await database.openCollections(
74 | ['Exchanges', 'DidDocumentHistory', 'RootCertificates']);
75 |
76 | await database.collections.Exchanges.createIndex(
77 | {recordExpiresAt: 1}, {expireAfterSeconds: 0}
78 | );
79 | logger.info('Ensured index exists: 24hr record TTL on recordExpiresAt');
80 |
81 | await database.collections.Exchanges.createIndex(
82 | {'oidc.code': 1},
83 | {partialFilterExpression: {'oidc.code': {$exists: true}}}
84 | );
85 | logger.info('Ensured partial index exists: oidc.code');
86 |
87 | await database.collections.Exchanges.createIndex({id: 1}, {unique: true});
88 | logger.info('Ensured exchange id index exists');
89 |
90 | await database.collections.DidDocumentHistory.createIndex(
91 | {did: 1}, {unique: true});
92 | logger.info('Ensured hashed index exists: DidDocumentHistory.did');
93 |
94 | await database.collections.RootCertificates.createIndex(
95 | {certificate: 1}, {unique: true});
96 | logger.info('Ensured hashed index exists: RootCertificates.certificate');
97 |
98 | await saveRootCertificates();
99 | });
100 |
101 | export {database};
102 |
--------------------------------------------------------------------------------
/lib/didWeb.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import {exportJWK, importSPKI} from 'jose';
9 | import {config} from '@bedrock/core';
10 |
11 | /**
12 | * Converts configured domain to DID web format.
13 | * @param {string} domain
14 | * @returns {string}
15 | */
16 | export const domainToDidWeb = domain => {
17 | const didWeb = `did:web:${domain.replace(/^https?:\/\//, '')}`;
18 | return didWeb;
19 | };
20 |
21 | /**
22 | * If there is a "didWeb" section in the config, return the document
23 | * @param {Request} req - Express Request object
24 | * @param {Response} res - Express Response object
25 | */
26 | export const didWebDocument = async (req, res) => {
27 | const {server: {baseUri}} = config;
28 |
29 | if(!config.opencred.didWeb?.mainEnabled) {
30 | res.status(404).send({
31 | message: 'A did:web document is not available for this domain.'
32 | });
33 | return;
34 | }
35 | const authzReqKey = config.opencred.signingKeys
36 | .find(k => k.purpose?.includes('authorization_request'));
37 | if(authzReqKey) {
38 | const key = await importSPKI(authzReqKey.publicKeyPem, authzReqKey.type);
39 | if(Object.keys(config.opencred.didWeb?.mainDocument).length > 0) {
40 | const doc = {
41 | ...config.opencred.didWeb.mainDocument,
42 | verificationMethod: [
43 | ...config.opencred.didWeb.mainDocument.verificationMethod ?? [],
44 | {
45 | id: `${domainToDidWeb(baseUri)}#${authzReqKey.id}`,
46 | controller: domainToDidWeb(baseUri),
47 | type: 'JsonWebKey2020',
48 | publicKeyJwk: {
49 | ...(await exportJWK(key))
50 | }
51 | }
52 | ],
53 | assertionMethod: [
54 | ...config.opencred.didWeb.mainDocument.assertionMethod ?? [],
55 | `${domainToDidWeb(baseUri)}#${authzReqKey.id}`
56 | ]
57 | };
58 | res.send(doc);
59 | return;
60 | }
61 | const doc = {
62 | '@context': ['https://www.w3.org/ns/did/v1'],
63 | id: domainToDidWeb(baseUri),
64 | verificationMethod: [
65 | {
66 | id: `${domainToDidWeb(baseUri)}#${authzReqKey.id}`,
67 | controller: domainToDidWeb(baseUri),
68 | type: 'JsonWebKey2020',
69 | publicKeyJwk: {
70 | ...(await exportJWK(key))
71 | }
72 | }
73 | ],
74 | assertionMethod: [
75 | `${domainToDidWeb(baseUri)}#${authzReqKey.id}`
76 | ]
77 | };
78 | res.send(doc);
79 | return;
80 | } else {
81 | if(config.opencred.didWeb?.mainDocument) {
82 | res.send(config.opencred.didWeb.mainDocument);
83 | return;
84 | }
85 | res.status(404).send({
86 | message: 'A did:web document is not available for this domain.'
87 | });
88 | return;
89 | }
90 | };
91 |
92 | export const didConfigurationDocument = async (req, res) => {
93 | if(!config.opencred.didWeb?.mainEnabled) {
94 | res.status(404).send({
95 | message: 'A did:web document is not available for this domain.'
96 | });
97 | return;
98 | }
99 | if(!config.opencred.didWeb?.linkageEnabled) {
100 | res.send({
101 | '@context':
102 | 'https://identity.foundation/.well-known/did-configuration/v1',
103 | linked_dids: []
104 | });
105 | return;
106 | }
107 |
108 | res.send(config.opencred.didWeb?.linkageDocument);
109 | };
110 |
--------------------------------------------------------------------------------
/web/index.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import * as brQuasar from '@bedrock/quasar';
9 | import * as brVue from '@bedrock/vue';
10 | import * as polyfill from 'credential-handler-polyfill';
11 | import {config, extend} from '@bedrock/web';
12 | import {createRouter, createWebHistory} from 'vue-router';
13 | import App from './App.vue';
14 | import AuditPresentation from './components/AuditPresentation.vue';
15 | import CHAPIView from './components/CHAPIView.vue';
16 | import {createHead} from 'unhead';
17 | import {createI18n} from 'vue-i18n';
18 | import ErrorView from './components/ErrorView.vue';
19 | import {httpClient} from '@digitalbazaar/http-client';
20 | import JsonNode from './components/JsonNode.vue';
21 | import JsonView from './components/JsonView.vue';
22 | import LoginView from './components/LoginView.vue';
23 | import {Notify} from 'quasar';
24 | import OID4VPView from './components/OID4VPView.vue';
25 | import TestPage from './components/TestPage.vue';
26 | import TranslateIcon from './components/TranslateIcon.vue';
27 | import VerificationView from './components/VerificationView.vue';
28 | import VueCookies from 'vue-cookies';
29 | import YouTubeVideo from './components/YouTubeVideo.vue';
30 | import '@quasar/extras/material-icons/material-icons.css';
31 | import './styles.pcss';
32 |
33 | brVue.initialize({
34 | async beforeMount({app}) {
35 | const {data: appConfig} =
36 | await httpClient.get('/config/app.json' + window.location.search);
37 | extend({target: config, source: appConfig, deep: true});
38 |
39 | app.component('LoginView', LoginView);
40 | app.component('AuditPresentation', AuditPresentation);
41 | app.component('OID4VPView', OID4VPView);
42 | app.component('CHAPIView', CHAPIView);
43 | app.component('ErrorView', ErrorView);
44 | app.component('JsonNode', JsonNode);
45 | app.component('JsonView', JsonView);
46 | app.component('YouTubeVideo', YouTubeVideo);
47 | app.component('TranslateIcon', TranslateIcon);
48 | app.component('TestPage', TestPage);
49 | app.component('VerificationView', VerificationView);
50 |
51 | // ensure CHAPI is available
52 | await polyfill.loadOnce();
53 |
54 | const title = appConfig.translations[appConfig.defaultLanguage].pageTitle ??
55 | 'Login';
56 |
57 | // create router
58 | const router = createRouter({
59 | routes: [
60 | {
61 | path: '/',
62 | component: () => import('./components/ExchangeLayout.vue'),
63 | props: true,
64 | children: [
65 | {
66 | path: 'login',
67 | name: 'login',
68 | component: LoginView
69 | },
70 | {
71 | path: 'verification',
72 | name: 'verification',
73 | component: VerificationView
74 | }
75 | ],
76 | meta: {
77 | title
78 | }
79 | },
80 | {
81 | path: '/audit-vp',
82 | component: () => import('./components/AuditPresentation.vue'),
83 | meta: {
84 | title: 'Audit VP'
85 | }
86 | }
87 | ],
88 | history: createWebHistory(),
89 | });
90 | brVue.augmentRouter({app, router});
91 | app.use(router);
92 | const i18n = createI18n({
93 | locale: appConfig.defaultLanguage,
94 | legacy: false,
95 | warnHtmlMessage: false,
96 | messages: appConfig.translations
97 | });
98 | app.use(i18n);
99 | app.use(VueCookies);
100 |
101 | await brQuasar.initialize({app, quasarOptions: {
102 | runMode: 'web-client',
103 | plugins: {
104 | Notify
105 | }
106 | }});
107 | await brQuasar.theme({brand: appConfig.brand});
108 | createHead();
109 | // create root Vue component
110 | return App;
111 | }
112 | });
113 |
--------------------------------------------------------------------------------
/test/mocha/40-documentLoader.test.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import * as sinon from 'sinon';
9 | import expect from 'expect.js';
10 | import {getDocumentLoader} from '../../common/documentLoader.js';
11 | import {httpClient} from '@digitalbazaar/http-client';
12 |
13 | const documentLoader = getDocumentLoader().build();
14 |
15 | const exampleDidKeyId =
16 | 'did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH';
17 |
18 | describe('Document Loader', async () => {
19 | it('load did:key document', async function() {
20 | const didKeyData = await documentLoader(exampleDidKeyId);
21 | expect(didKeyData).property('document');
22 | expect(didKeyData).property('documentUrl');
23 | expect(didKeyData.document).property('id');
24 | expect(didKeyData.document).property('verificationMethod');
25 | expect(didKeyData.document).property('authentication');
26 | expect(didKeyData.document).property('assertionMethod');
27 | expect(didKeyData.document).property('capabilityDelegation');
28 | expect(didKeyData.document).property('capabilityInvocation');
29 | expect(didKeyData.document).property('keyAgreement');
30 | expect(didKeyData.document.id).equal(didKeyData.documentUrl);
31 | });
32 |
33 | it('load did:jwk document', async function() {
34 | const didJwkData = await documentLoader('did:jwk:eyJraWQiOiJ1cm46aWV0ZjpwYX\
35 | JhbXM6b2F1dGg6andrLXRodW1icHJpbnQ6c2hhLTI1NjpoeGx4RmdnNF9hX202Tk1kVkJmbjVZa0huN\
36 | Td6eDFvanpzVzROalpXalk4Iiwia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsImFsZyI6IkVTMjU2Iiwi\
37 | eCI6IkRpMTZpR1NwU1o4NjBCWTRJZ3ZfcHNkLXkyUjB0cTR2NF92eFZvVXFQVzAiLCJ5IjoidjZRdld\
38 | mZ0JmU1YxeE94SG1WalRQeWlBY2ZqVGF1Znp0N3RpUDZYb0Y2VSJ9');
39 | expect(didJwkData).property('document');
40 | expect(didJwkData).property('documentUrl');
41 | expect(didJwkData.document).property('id');
42 | expect(didJwkData.document).property('verificationMethod');
43 | expect(didJwkData.document).property('authentication');
44 | expect(didJwkData.document).property('assertionMethod');
45 | expect(didJwkData.document).property('capabilityDelegation');
46 | expect(didJwkData.document).property('capabilityInvocation');
47 | expect(didJwkData.document.id).equal(didJwkData.documentUrl);
48 | });
49 |
50 | it('load did:web document', async function() {
51 | const stub = sinon.stub(httpClient, 'get');
52 | stub.withArgs('https://example.com/.well-known/did.json',
53 | sinon.match.any).returns({data: {
54 | '@context': [
55 | 'https://www.w3.org/ns/did/v1',
56 | 'https://w3id.org/security/suites/ed25519-2020/v1',
57 | 'https://w3id.org/security/suites/x25519-2020/v1'
58 | ],
59 | id: 'did:web:example.com',
60 | verificationMethod: [
61 | {
62 | id: 'did:web:example.com#1',
63 | type: 'Ed25519VerificationKey2020',
64 | controller: 'did:web:example.com',
65 | publicKeyMultibase: 'z6Mkpw72M9suPCBv48X2Xj4YKZJH9W7wzEK1aS6JioKSo89C'
66 | }
67 | ],
68 | authentication: [
69 | 'did:web:example.com#1'
70 | ],
71 | assertionMethod: [
72 | 'did:web:example.com#1'
73 | ],
74 | capabilityDelegation: [
75 | 'did:web:example.com#1'
76 | ],
77 | capabilityInvocation: [
78 | 'did:web:example.com#1'
79 | ],
80 | keyAgreement: [
81 | {
82 | id: 'did:web:example.com#0',
83 | type: 'X25519KeyAgreementKey2020',
84 | controller: 'did:web:example.com',
85 | publicKeyMultibase: 'z6LSgxJr5q1pwHPbiK7u8Pw1GvnfMTZSMxkhaorQ1aJYWFz3'
86 | }
87 | ]
88 | }});
89 | const didWebData = await documentLoader('did:web:example.com');
90 | expect(didWebData).property('document');
91 | expect(didWebData).property('documentUrl');
92 | expect(didWebData.document).property('id');
93 | expect(didWebData.document).property('verificationMethod');
94 | expect(didWebData.document).property('authentication');
95 | expect(didWebData.document).property('assertionMethod');
96 | expect(didWebData.document).property('capabilityDelegation');
97 | expect(didWebData.document).property('capabilityInvocation');
98 | expect(didWebData.document.id).equal(didWebData.documentUrl);
99 | stub.restore();
100 | });
101 | });
102 |
--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "opencred-platform",
3 | "version": "9.0.6",
4 | "type": "module",
5 | "license": "BSD-3-Clause",
6 | "engines": {
7 | "node": ">=20"
8 | },
9 | "main": "./lib/index.js",
10 | "browser": {
11 | ".": "./web/index.js"
12 | },
13 | "scripts": {
14 | "generate:prime256v1": "node ./common/generatePrime256v1Key.js",
15 | "generate:rsa256": "node ./common/generateRSA256Key.js",
16 | "tunnel": "lt -p 22080",
17 | "audit-vp": "node ./test/utils/auditVpToken.js",
18 | "lint": "eslint --ext .cjs,.js,.vue .",
19 | "preview": "vite preview",
20 | "start": "node --preserve-symlinks dev.js",
21 | "test": "npm run test-node",
22 | "test-node": "cross-env NODE_ENV=test node --trace-warnings --preserve-symlinks test.js test",
23 | "test:load": "artillery run ./test/load/artillery.yaml",
24 | "test:load:qa": "env-cmd artillery run -e qa ./test/load/artillery.yaml",
25 | "validateConfig": "npx ajv-cli validate -d configs/combined.yaml -s configs/combined.schema.json -c ajv-formats --spec=draft7"
26 | },
27 | "dependencies": {
28 | "@azure/msal-node": "^2.11.0",
29 | "@bedrock/config-yaml": "^4.3.3",
30 | "@bedrock/core": "^6.1.2",
31 | "@bedrock/express": "^8.3.0",
32 | "@bedrock/express-browser-fixes": "^3.1.0",
33 | "@bedrock/health": "^4.1.0",
34 | "@bedrock/https-agent": "^4.1.0",
35 | "@bedrock/mongodb": "^11.0.0",
36 | "@bedrock/oauth2-client": "^7.1.0",
37 | "@bedrock/quasar": "^10.0.0",
38 | "@bedrock/server": "^5.1.0",
39 | "@bedrock/views": "^11.1.0",
40 | "@bedrock/vue": "^5.1.0",
41 | "@bedrock/web": "^3.1.0",
42 | "@bedrock/webpack": "^9.1.0",
43 | "@digitalbazaar/credentials-context": "^3.2.0",
44 | "@digitalbazaar/data-integrity": "^2.5.0",
45 | "@digitalbazaar/data-integrity-context": "^2.0.1",
46 | "@digitalbazaar/did-io": "^2.0.0",
47 | "@digitalbazaar/did-method-jwk": "^2.0.0",
48 | "@digitalbazaar/did-method-key": "^5.2.0",
49 | "@digitalbazaar/did-method-web": "^1.0.1",
50 | "@digitalbazaar/ecdsa-rdfc-2019-cryptosuite": "^1.2.0",
51 | "@digitalbazaar/ed25519-signature-2018": "^4.1.0",
52 | "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
53 | "@digitalbazaar/ed25519-verification-key-2020": "^4.2.0",
54 | "@digitalbazaar/eddsa-rdfc-2022-cryptosuite": "^1.2.0",
55 | "@digitalbazaar/ezcap": "^4.1.0",
56 | "@digitalbazaar/http-client": "^4.2.0",
57 | "@digitalbazaar/minimal-jwt": "^2.1.0",
58 | "@digitalbazaar/oid4-client": "^4.3.0",
59 | "@digitalbazaar/vc": "^7.1.2",
60 | "@digitalbazaar/vc-bitstring-status-list": "^2.0.1",
61 | "@digitalbazaar/vc-status-list-context": "^3.1.1",
62 | "@digitalbazaar/vdl-aamva-context": "^1.0.0",
63 | "@digitalbazaar/vdl-context": "^1.0.0",
64 | "@peculiar/x509": "^1.9.7",
65 | "@quasar/extras": "^1.16.11",
66 | "autoprefixer": "^10.4.17",
67 | "base64url": "^3.0.1",
68 | "bnid": "^3.0.0",
69 | "cors": "^2.8.5",
70 | "credential-handler-polyfill": "^4.0.0",
71 | "did-context": "^3.1.1",
72 | "did-jwt-vc": "^4.0.0",
73 | "dotenv": "^16.4.5",
74 | "ed25519-signature-2020-context": "^1.1.0",
75 | "jose": "^5.2.2",
76 | "json-canonicalize": "^1.0.6",
77 | "jsonld-document-loader": "^2.3.0",
78 | "jsonpath": "^1.1.1",
79 | "ocsp": "^1.2.0",
80 | "pkijs": "^3.0.15",
81 | "postcss": "^8.4.35",
82 | "postcss-loader": "^8.1.1",
83 | "postcss-preset-env": "^9.4.0",
84 | "qrcode": "^1.5.3",
85 | "quasar": "^2.14.7",
86 | "swagger-jsdoc": "^6.2.8",
87 | "swagger-ui-express": "^5.0.0",
88 | "tailwind-clip-path": "^1.0.0",
89 | "tailwindcss": "^3.4.1",
90 | "unhead": "^1.9.7",
91 | "vue": "^3.3.4",
92 | "vue-cookies": "^1.8.4",
93 | "vue-i18n": "^9.9.0",
94 | "vue-json-pretty": "^2.3.0",
95 | "vue-material-design-icons": "^5.3.0",
96 | "vue-router": "^4.3.0",
97 | "x25519-key-agreement-2020-context": "^1.0.0"
98 | },
99 | "devDependencies": {
100 | "@bedrock/test": "^8.2.0",
101 | "@peculiar/webcrypto": "^1.4.5",
102 | "ajv-cli": "^5.0.0",
103 | "ajv-formats": "^3.0.1",
104 | "asn1js": "^3.0.5",
105 | "cross-env": "^7.0.3",
106 | "env-cmd": "^10.1.0",
107 | "eslint": "^8.57.0",
108 | "eslint-config-digitalbazaar": "^5.0.1",
109 | "eslint-plugin-quasar": "^1.1.0",
110 | "eslint-plugin-unicorn": "^51.0.1",
111 | "eslint-plugin-vue": "^9.23.0",
112 | "expect.js": "^0.3.1",
113 | "klona": "^2.0.6",
114 | "sinon": "^17.0.1"
115 | }
116 | }
117 |
--------------------------------------------------------------------------------
/lib/workflows/vc-api-workflow.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import {auditUtils} from '../../common/audit.js';
9 | import {BaseWorkflowService} from './base.js';
10 | import {config} from '@bedrock/core';
11 | import {createId} from '../../common/utils.js';
12 | import {database} from '../database.js';
13 | import {zcapClient} from '../../common/zcap.js';
14 |
15 | export class VCApiWorkflowService extends BaseWorkflowService {
16 | async createWorkflowSpecificExchange(trustedVariables, untrustedVariables) {
17 | const {rp, accessToken, oidc} = trustedVariables;
18 | const duration = config.opencred.recordExpiresDurationMs;
19 | const ttl = Math.min(Math.floor(duration / 1000), 60 * 15);
20 |
21 | if(rp?.workflow?.type !== 'vc-api') {
22 | return;
23 | }
24 | const workflow = rp.workflow;
25 | try {
26 | const verifiablePresentationRequest = JSON.parse(workflow.vpr);
27 | let variables = {};
28 | variables = this.parseUntrustedVariables(
29 | rp.workflow.untrustedVariableAllowList,
30 | untrustedVariables
31 | );
32 | const {result} = await zcapClient.zcapWriteRequest({
33 | endpoint: workflow.baseUrl,
34 | zcap: {
35 | capability: workflow.capability,
36 | clientSecret: workflow.clientSecret
37 | },
38 | json: {
39 | ttl,
40 | variables: {
41 | verifiablePresentationRequest,
42 | openId: {createAuthorizationRequest: 'authorizationRequest'},
43 | ...variables
44 | }
45 | }
46 | });
47 | if(!result || result.status !== 204) {
48 | throw new Error('Error initiating exchange: check workflow ' +
49 | 'configuration.');
50 | }
51 |
52 | const exchangeId = result.headers.get('location');
53 | const authzReqUrl = `${exchangeId}/openid/client/authorization/request`;
54 | const searchParams = new URLSearchParams({
55 | client_id: `${exchangeId}/openid/client/authorization/response`,
56 | request_uri: authzReqUrl
57 | });
58 | const OID4VP = 'openid4vp://authorize?' + searchParams.toString();
59 |
60 | const createdAt = new Date();
61 | const exchange = {
62 | id: encodeURIComponent(exchangeId),
63 | workflowId: workflow.id,
64 | vcapi: exchangeId,
65 | OID4VP,
66 | accessToken,
67 | ttl,
68 | createdAt,
69 | recordExpiresAt:
70 | new Date(createdAt.getTime() + duration),
71 | oidc
72 | };
73 | await database.collections.Exchanges.insertOne(exchange);
74 | return exchange;
75 | } catch(error) {
76 | throw new Error(error.message);
77 | }
78 | }
79 |
80 | async getExchange(
81 | {rp, id, accessToken, allowExpired} = {allowExpired: false}
82 | ) {
83 | if(!rp?.workflow?.type || rp.workflow.type !== 'vc-api') {
84 | return super.getExchange(
85 | {rp, id, accessToken, allowExpired}
86 | );
87 | }
88 | const exchange = await super.getExchange(
89 | {rp, id, accessToken, allowExpired}
90 | );
91 | if(!exchange) {
92 | return null;
93 | }
94 | const workflow = rp.workflow;
95 |
96 | const {data, error} = await zcapClient.zcapReadRequest({
97 | endpoint: decodeURIComponent(exchange.vcapi),
98 | zcap: {
99 | capability: workflow.capability,
100 | clientSecret: workflow.clientSecret
101 | }
102 | });
103 | if(error || !data) {
104 | return null;
105 | } else {
106 | const oidc = {
107 | code: await createId(),
108 | state: exchange.oidc?.state
109 | };
110 | if(data.state === 'complete' && !exchange.oidc?.code) {
111 | await database.collections.Exchanges.replaceOne({id: exchange.id}, {
112 | ...exchange,
113 | variables: data.variables,
114 | state: 'complete',
115 | oidc,
116 |
117 | });
118 | const initialStep = data.initialStep ?? 'default';
119 | // Implmentation may vary for how results are stored in the exchange.
120 | if(
121 | config.opencred.audit.enable &&
122 | data.variables?.[initialStep]?.results?.verifiablePresentation) {
123 | await auditUtils.updateIssuerDidDocumentHistory(
124 | data.variables[initialStep].results.verifiablePresentation
125 | );
126 | }
127 | }
128 |
129 | return {
130 | ...data,
131 | oidc
132 | };
133 | }
134 | }
135 | }
136 |
--------------------------------------------------------------------------------
/common/documentLoader.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import * as DidJwk from '@digitalbazaar/did-method-jwk';
9 | import * as DidKey from '@digitalbazaar/did-method-key';
10 | import * as DidWeb from '@digitalbazaar/did-method-web';
11 | import * as EcdsaMultikey from '@digitalbazaar/ecdsa-multikey';
12 |
13 | import {CachedResolver} from '@digitalbazaar/did-io';
14 | import {
15 | contexts as CRED_CONTEXT_MAP
16 | } from '@digitalbazaar/credentials-context';
17 | import {
18 | contexts as DATA_INTEGRITY_CONTEXT_MAP
19 | } from '@digitalbazaar/data-integrity-context';
20 | import {
21 | contexts as DID_CONTEXT_MAP
22 | } from 'did-context';
23 | import {
24 | contexts as ED25519_SIG_2020_CONTEXT_MAP,
25 | } from 'ed25519-signature-2020-context';
26 | import {Ed25519VerificationKey2020}
27 | from '@digitalbazaar/ed25519-verification-key-2020';
28 | import {JsonLdDocumentLoader} from 'jsonld-document-loader';
29 | import {
30 | contexts as SL_CONTEXT_MAP
31 | } from '@digitalbazaar/vc-status-list-context';
32 | import {
33 | contexts as VDL_AAMVA_CONTEXT_MAP,
34 | } from '@digitalbazaar/vdl-aamva-context';
35 | import {
36 | contexts as VDL_CONTEXT_MAP
37 | } from '@digitalbazaar/vdl-context';
38 | import {
39 | contexts as X25519_KEY_AGREEMENT_CONTEXT_MAP
40 | } from 'x25519-key-agreement-2020-context';
41 |
42 | import {agent} from '@bedrock/https-agent';
43 | import {httpClient} from '@digitalbazaar/http-client';
44 |
45 | const didWebDriver = DidWeb.driver();
46 | const didKeyDriver = DidKey.driver();
47 | didKeyDriver.use({
48 | name: 'Ed25519',
49 | handler: Ed25519VerificationKey2020,
50 | multibaseMultikeyHeader: 'z6Mk',
51 | fromMultibase: DidKey.createFromMultibase(Ed25519VerificationKey2020)
52 | });
53 | const didJwkDriver = DidJwk.driver();
54 | didJwkDriver.use({
55 | algorithm: 'EdDSA',
56 | handler: Ed25519VerificationKey2020.from
57 | });
58 | didJwkDriver.use({
59 | algorithm: 'P-256',
60 | handler: EcdsaMultikey.from
61 | });
62 | didKeyDriver.use({
63 | fromMultibase: EcdsaMultikey.from,
64 | multibaseMultikeyHeader: 'zDna',
65 | });
66 |
67 | export const didResolver = new CachedResolver();
68 | didResolver.use(didKeyDriver);
69 | didResolver.use(didJwkDriver);
70 | didResolver.use(didWebDriver);
71 |
72 | export const getDocumentLoader = () => {
73 | const jsonLdDocLoader = new JsonLdDocumentLoader();
74 |
75 | // handle static contexts
76 | ED25519_SIG_2020_CONTEXT_MAP.forEach((context, url) => {
77 | jsonLdDocLoader.addStatic(url, context);
78 | });
79 | X25519_KEY_AGREEMENT_CONTEXT_MAP.forEach((context, url) => {
80 | jsonLdDocLoader.addStatic(url, context);
81 | });
82 | DATA_INTEGRITY_CONTEXT_MAP.forEach((context, url) => {
83 | jsonLdDocLoader.addStatic(url, context);
84 | });
85 | DID_CONTEXT_MAP.forEach((context, url) => {
86 | jsonLdDocLoader.addStatic(url, context);
87 | });
88 | CRED_CONTEXT_MAP.forEach((context, url) => {
89 | jsonLdDocLoader.addStatic(url, context);
90 | });
91 | SL_CONTEXT_MAP.forEach((context, url) => {
92 | jsonLdDocLoader.addStatic(url, context);
93 | });
94 | VDL_CONTEXT_MAP.forEach((context, url) => {
95 | jsonLdDocLoader.addStatic(url, context);
96 | });
97 | VDL_AAMVA_CONTEXT_MAP.forEach((context, url) => {
98 | jsonLdDocLoader.addStatic(url, context);
99 | });
100 |
101 | // handle DIDs
102 | jsonLdDocLoader.setDidResolver(didResolver);
103 |
104 | // automatically handle all http(s) contexts that are not handled above
105 | const customHandler = {
106 | async get({url}) {
107 | const response = await httpClient.get(url, {agent});
108 | const {data} = response;
109 | return data;
110 | }
111 | };
112 |
113 | jsonLdDocLoader.setProtocolHandler({
114 | protocol: 'https', handler: customHandler
115 | });
116 |
117 | return jsonLdDocLoader;
118 | };
119 |
120 | // DID methods where all cryptographic material is self-contained
121 | const STATIC_DID_METHOD_PATTERNS = [
122 | /^did:(jwk):/,
123 | /^did:(key):/
124 | ];
125 |
126 | // DID requires historical tracking
127 | export const didRequiresHistoricalTracking = async did => {
128 | return STATIC_DID_METHOD_PATTERNS.every(p => !did.match(p));
129 | };
130 |
131 | /**
132 | * Uses default resolver, in tandem with overrides, to resolve DIDs.
133 | * This is necessary for presentation auditing with old DID documents.
134 | */
135 | export const getOverrideDidResolver = overrides => {
136 | const resolve = async did => {
137 | if(overrides[did]) {
138 | return overrides[did];
139 | }
140 | return didResolver.get({did, verificationMethodType: 'JsonWebKey2020'});
141 | };
142 | return {resolve};
143 | };
144 |
--------------------------------------------------------------------------------
/lib/auth.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import {BaseWorkflowService} from './workflows/base.js';
9 | import {config} from '@bedrock/core';
10 |
11 | const getAuthFunction = ({basic, bearer, body}) => {
12 | const ensureAuth = async (req, res, next) => {
13 | const authHeader = req.headers.authorization;
14 | const parts = authHeader?.split(' ') ?? [];
15 | if(body && !req.rp) {
16 | const body_id = req.body?.client_id;
17 | const body_secret = req.body?.client_secret;
18 |
19 | if(body_id && body_secret) {
20 | req.rp = config.opencred.relyingParties.find(
21 | r => r.clientId == body_id && r.clientSecret == body_secret
22 | );
23 | if(req.rp) {
24 | next();
25 | return;
26 | }
27 | }
28 | }
29 |
30 | if(basic && !req.rp && parts.length > 0) {
31 | const val = Buffer.from(parts[1], 'base64').toString('utf-8');
32 | const authValueParts = val.split(':');
33 | if(
34 | authValueParts.length !== 2
35 | ) {
36 | res.status(401).send(
37 | {message: 'Malformed Authorization header'}
38 | );
39 | return;
40 | }
41 | const clientId = authValueParts[0];
42 | const clientSecret = authValueParts[1];
43 | req.rp = config.opencred.relyingParties.find(
44 | r => r.clientId == clientId && r.clientSecret == clientSecret
45 | );
46 | if(req.rp) {
47 | next();
48 | return;
49 | }
50 | }
51 |
52 | if(!req.rp) {
53 | res.status(401).send(
54 | {message: 'Client ID could not be resolved from request.'}
55 | );
56 | return;
57 | }
58 | const clientId = req.rp.clientId;
59 | const clientSecret = req.rp.clientSecret;
60 |
61 | if(!body && !req.headers.authorization) {
62 | res.status(401).send({message: 'Authorization header is required'});
63 | return;
64 | }
65 |
66 | if(!body && parts.length !== 2) {
67 | res.status(401).send(
68 | {message: 'Invalid Authorization format. Basic or Bearer required'}
69 | );
70 | return;
71 | } else if(basic && parts[0] == 'Basic') {
72 | const val = Buffer.from(parts[1], 'base64').toString('utf-8');
73 | const authValueParts = val.split(':');
74 | if(
75 | authValueParts.length !== 2 ||
76 | authValueParts[0] !== clientId ||
77 | authValueParts[1] !== clientSecret
78 | ) {
79 | res.status(401).send(
80 | {message: 'Malformed token or invalid clientId or clientSecret'}
81 | );
82 | return;
83 | }
84 | } else if(bearer && parts[0] == 'Bearer') {
85 | const exchange = await new BaseWorkflowService().getExchange({
86 | rp: req.rp,
87 | ...(req.params.exchangeId ? {id: req.params?.exchangeId} : {}),
88 | accessToken: parts[1],
89 | allowExpired: true
90 | });
91 | if(!exchange) {
92 | res.status(404).send({message: 'Exchange not found'});
93 | return;
94 | }
95 | req.exchange = exchange;
96 | if(exchange.workflowId !== req.rp.workflow.id) {
97 | res.status(401).send({message: 'Invalid token'});
98 | return;
99 | }
100 | } else if(body) {
101 | if(
102 | req.body.client_id !== clientId ||
103 | req.body.client_secret !== clientSecret
104 | ) {
105 | res.status(401).send(
106 | {message: 'Malformed token or invalid clientId or clientSecret'}
107 | );
108 | return;
109 | }
110 | } else {
111 | res.status(401).send(
112 | {message: 'Invalid Authorization header format. Basic auth required'}
113 | );
114 | return;
115 | }
116 |
117 | next();
118 | };
119 | return ensureAuth;
120 | };
121 |
122 | /**
123 | * Augments the app to verify an authentication header is present for
124 | * protected routes. The header must contain a valid Authorization header
125 | * that encodes the client_id and clientSecret with HTTP Basic Auth
126 | * @param {Express} app - Express app instance
127 | */
128 | export default function(app) {
129 | app.post('/workflows/:workflowId/exchanges', getAuthFunction({
130 | basic: true, bearer: true, body: false
131 | }));
132 | app.get(
133 | '/workflows/:workflowId/exchanges/:exchangeId', getAuthFunction({
134 | basic: true, bearer: true, body: false
135 | })
136 | );
137 | app.post(
138 | '/workflows/:workflowId/exchanges/:exchangeId/reset',
139 | getAuthFunction({basic: true, bearer: true, body: false})
140 | );
141 | app.post('/token', getAuthFunction({
142 | basic: true, bearer: false, body: true
143 | }));
144 | }
145 |
--------------------------------------------------------------------------------
/docs/00-configure-relying-party.md:
--------------------------------------------------------------------------------
1 | # How to Configure OpenCred with a Relying Party Using a Native Exchange
2 |
3 | ## Introduction
4 |
5 | In this guide, we will configure OpenCred to set up a relying party that will be
6 | requesting a "VerifiedEmailCredential" from users. We will setup OpenCred to be
7 | run locally using a **native** workflow.
8 |
9 | ## Prerequisites
10 |
11 | Ensure you have:
12 |
13 | - OpenCred cloned from [Github](https://github.com/stateofca/opencred)
14 | - Node.js v20 or higher
15 | - Dependencies installed (`npm install`)
16 | - The necessary `VerifiedEmailCredential` to be presented to the relying party.
17 |
18 | ## Steps
19 |
20 | ### 1. Prepare the Configuration File
21 |
22 | Copy the example configuration file to the required location:
23 |
24 | ```sh
25 | cp configs/config.example.yaml configs/config.yaml
26 | ```
27 |
28 | Whenever changes are made to the `config.yaml` you will need to export an
29 | environment variable:
30 |
31 | ```sh
32 | export BEDROCK_CONFIG=$(cat configs/config.yaml | base64)
33 | ```
34 |
35 | ### 2. Run a Local Tunnel
36 |
37 | For the wallet to communicate with your local OpenCred server, install and run
38 | `localtunnel`:
39 |
40 | ```sh
41 | npm install -g localtunnel
42 | npm run tunnel
43 | ```
44 |
45 | ### 3. Update the Configuration File
46 |
47 | Edit the `configs/config.yaml` file and update the details of the
48 | OpenCred deployment.
49 |
50 | - Input the full local tunnel URI as the `app.server.baseUri` property.
51 | - If the VC to be verified includes an x509 certificate (x5c claim), input the
52 | certificate in the `pem` property under `caStore`. If not, remove the `caStore`
53 | property and its children.
54 |
55 | If you need to keep the `caStore` for other relying parties you can selectively bypass the CA checks
56 |
57 | ### 4. Configure the Relying Party
58 |
59 | Remove all of the example relying parties under the `relyingParties` section and
60 | add a new entry for your relying party with a `native` workflow. Example:
61 |
62 | ```yaml
63 | relyingParties:
64 | - clientId: example-client
65 | clientSecret: example-secret
66 | redirectUri: http://localhost:8080/oidc/callback
67 | scopes:
68 | - name: "openid"
69 | description: "Open ID Connect"
70 | claims:
71 | - name: email
72 | path: credentialSubject.email
73 | workflow:
74 | type: native
75 | id: example-workflow
76 | initialStep: default
77 | steps:
78 | default:
79 | verifiablePresentationRequest: >
80 | {
81 | "query": {
82 | "type": "QueryByExample",
83 | "credentialQuery": {
84 | "reason": "Please present your Verified Email Credential.",
85 | "example": {
86 | "type": [
87 | "VerifiedEmailCredential"
88 | ]
89 | }
90 | }
91 | }
92 | }
93 | ```
94 |
95 | ### 5. Generate and Configure the `id_token` Signing Key
96 |
97 | Generate a new RSA key with purpose `id_token`.
98 |
99 | ```sh
100 | npm run generate:rsa256 id_token
101 | ```
102 |
103 | Add the signing key in the `signingKeys` section:
104 |
105 | ```yaml
106 | signingKeys:
107 | - type: RS256
108 | id: your-key-id
109 | privateKeyPem: |
110 | -----BEGIN PRIVATE KEY-----
111 | ...
112 | -----END PRIVATE KEY-----
113 | publicKeyPem: |
114 | -----BEGIN PUBLIC KEY-----
115 | ...
116 | -----END PUBLIC KEY-----
117 | purpose:
118 | - id_token
119 | ```
120 |
121 | ### 6. Generate and Configure the `authorization_request` Signing Key
122 |
123 | Generate a new P-256 key with purpose `authorization_request`.
124 |
125 | ```sh
126 | npm run generate:prime256v1 authorization_request
127 | ```
128 |
129 | Add the signing key in the `signingKeys` section:
130 |
131 | ```yaml
132 | signingKeys:
133 | ...
134 | - type: ES256
135 | id: your-key-id
136 | privateKeyPem: |
137 | -----BEGIN PRIVATE KEY-----
138 | ...
139 | -----END PRIVATE KEY-----
140 | publicKeyPem: |
141 | -----BEGIN PUBLIC KEY-----
142 | ...
143 | -----END PUBLIC KEY-----
144 | purpose:
145 | - authorization_request
146 | ```
147 |
148 | ### 7. Configure Exchange Protocols
149 |
150 | Specify the exchange protocols in the `options` section:
151 |
152 | ```yaml
153 | options:
154 | exchangeProtocols:
155 | - openid4vp
156 | ```
157 |
158 |
159 | ### 8. Run OpenCred
160 |
161 | ```sh
162 | npm run start
163 | ```
164 |
165 | Congratulations, you now have a locally running OpenCred deployed ready to
166 | receive `VerifiedEmailCredential` Verifiable Credentials!
167 |
168 | ### 9. Verify the Server
169 |
170 | Verify that the server is running and there are no errors.
171 |
172 | ## Summary
173 |
174 | By following these steps, you have configured OpenCred to work with a relying
175 | party using a native exchange workflow. This setup allows the relying party to
176 | request and verify the `VerifiedEmailCredential` from users securely through
177 | their digital wallet.
178 |
--------------------------------------------------------------------------------
/test/fixtures/oid4vp_jwt.json:
--------------------------------------------------------------------------------
1 | {
2 | "exchange": {
3 | "id": "z19k6s2E9wr29gb56t789AmFS",
4 | "sequence": 0,
5 | "ttl": 900,
6 | "state": "pending",
7 | "accessToken": "z19k6s2E9wr30gb56t789AmFS",
8 | "workflowId": "testworkflow",
9 | "variables": {
10 | "authorizationRequest": {
11 | "response_type": "vp_token",
12 | "presentation_definition": {
13 | "id": "ac1ced75-e910-440d-9c00-a3c0d1dfe379",
14 | "input_descriptors": [
15 | {
16 | "id": "c65236cb-89a3-4177-8a56-23d239b4f9a8",
17 | "constraints": {
18 | "fields": [
19 | {
20 | "path": "$['@context']",
21 | "filter": {
22 | "type": "array",
23 | "contains": [
24 | {
25 | "type": "string",
26 | "const": "https://www.w3.org/2018/credentials/v1"
27 | },
28 | {
29 | "type": "string",
30 | "const": "https://www.w3.org/2018/credentials/examples/v1"
31 | }
32 | ]
33 | }
34 | },
35 | {
36 | "path": "$['type']",
37 | "filter": {
38 | "type": "array",
39 | "contains": [
40 | {
41 | "type": "string",
42 | "const": "UniversityDegreeCredential"
43 | }
44 | ]
45 | }
46 | }
47 | ]
48 | }
49 | }
50 | ]
51 | },
52 | "response_mode": "direct_post",
53 | "client_id": "http://localhost:8080/workflows/default/exchanges/z19k6s2E9wr29gb56t789AmFS/openid/client/authorization/response",
54 | "client_id_scheme": "redirect_uri",
55 | "response_uri": "http://localhost:8080/workflows/default/exchanges/z19k6s2E9wr29gb56t789AmFS/openid/client/authorization/response",
56 | "nonce": "z19k6s2E9wr29gb56t789AmFS"
57 | }
58 | },
59 | "step": "default",
60 | "challenge": "z1A6a4Ej1rWXdLfNjJUymAF31",
61 | "createdAt": "2023-11-14T18:56:39.859+00:00",
62 | "recordExpiresAt": "2023-11-14T18:56:39.859+00:00"
63 | },
64 | "vp_token": "eyJhbGciOiAiRVMyNTYiLCJ0eXAiOiAiSldUIiwia2lkIjogImRpZDpleGFtcGxlOjB4YWJjI2tleTEifQ.eyJpc3MiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEiLCJqdGkiOiJ1cm46dXVpZDozOTc4MzQ0Zi04NTk2LTRjM2EtYTk3OC04ZmNhYmEzOTAzYzUiLCJhdWQiOiJkaWQ6ZXhhbXBsZTo0YTU3NTQ2OTczNDM2ZjZmNmM0YTRhNTc1NzMiLCJuYmYiOjE1NDE0OTM3MjQsImlhdCI6MTU0MTQ5MzcyNCwiZXhwIjoxNTczMDI5NzIzLCJub25jZSI6IjM0M3MkRlNGRGEtIiwidnAiOnsiQGNvbnRleHQiOlsiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiLCJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy9leGFtcGxlcy92MSJdLCJ0eXBlIjpbIlZlcmlmaWFibGVQcmVzZW50YXRpb24iLCJDcmVkZW50aWFsTWFuYWdlclByZXNlbnRhdGlvbiJdLCJ2ZXJpZmlhYmxlQ3JlZGVudGlhbCI6WyJleUpoYkdjaU9pSlNVekkxTmlJc0luUjVjQ0k2SWtwWFZDSXNJbXRwWkNJNkltUnBaRHBsZUdGdGNHeGxPbUZpWm1VeE0yWTNNVEl4TWpBME16RmpNamMyWlRFeVpXTmhZaU5yWlhsekxURWlmUS5leUp6ZFdJaU9pSmthV1E2WlhoaGJYQnNaVHBsWW1abFlqRm1OekV5WldKak5tWXhZekkzTm1VeE1tVmpNakVpTENKcWRHa2lPaUpvZEhSd09pOHZaWGhoYlhCc1pTNWxaSFV2WTNKbFpHVnVkR2xoYkhNdk16Y3pNaUlzSW1semN5STZJbWgwZEhCek9pOHZaWGhoYlhCc1pTNWpiMjB2YTJWNWN5OW1iMjh1YW5kcklpd2libUptSWpveE5UUXhORGt6TnpJMExDSnBZWFFpT2pFMU5ERTBPVE0zTWpRc0ltVjRjQ0k2TVRVM016QXlPVGN5TXl3aWJtOXVZMlVpT2lJMk5qQWhOak0wTlVaVFpYSWlMQ0oyWXlJNmV5SkFZMjl1ZEdWNGRDSTZXeUpvZEhSd2N6b3ZMM2QzZHk1M015NXZjbWN2TWpBeE9DOWpjbVZrWlc1MGFXRnNjeTkyTVNJc0ltaDBkSEJ6T2k4dmQzZDNMbmN6TG05eVp5OHlNREU0TDJOeVpXUmxiblJwWVd4ekwyVjRZVzF3YkdWekwzWXhJbDBzSW5SNWNHVWlPbHNpVm1WeWFXWnBZV0pzWlVOeVpXUmxiblJwWVd3aUxDSlZibWwyWlhKemFYUjVSR1ZuY21WbFEzSmxaR1Z1ZEdsaGJDSmRMQ0pqY21Wa1pXNTBhV0ZzVTNWaWFtVmpkQ0k2ZXlKa1pXZHlaV1VpT25zaWRIbHdaU0k2SWtKaFkyaGxiRzl5UkdWbmNtVmxJaXdpYm1GdFpTSTZJanh6Y0dGdUlHeGhibWM5SjJaeUxVTkJKejVDWVdOallXeGhkWExEcVdGMElHVnVJRzExYzJseGRXVnpJRzUxYmNPcGNtbHhkV1Z6UEM5emNHRnVQaUo5ZlgxOS5LTEpvNUdBeUJORDNMRFRuOUg3RlFva0VzVUVpOGpLd1hoR3ZvTjNKdFJhNTF4ck5EZ1hEYjBjcTFVVFlCLXJLNEZ0OVlWbVIxTklfWk9GOG9HY183d0FwOFBIYkYySGFXb2RRSW9PQnh4VC00V05xQXhmdDdFVDZsa0gtNFM2VXgzclNHQW1jek1vaEVFZjhlQ2VOLWpDOFdla2RQbDZ6S1pRajBZUEIxcng2WDAteGxGQnM3Y2w2V3Q4cmZCUF90WjlZZ1ZXclFtVVd5cFNpb2MwTVV5aXBobXlFYkxaYWdUeVBsVXlmbEdsRWRxclpBdjZlU2U2UnR4Snk2TTEtbEQ3YTVIVHphbllUV0JQQVVIRFpHeUdLWGRKdy1XX3gwSVdDaEJ6STh0M2twRzI1M2ZnNlYzdFBnSGVLWEU5NGZ6X1FwWWZnLS03a0xzeUJBZlFHYmciXX19.ft_Eq4IniBrr7gtzRfrYj8Vy1aPXuFZU-6_ai0wvaKcsrzI4JkQEKTvbJwdvIeuGuTqy7ipO-EYi7V4TvonPuTRdpB7ZHOlYlbZ4wA9WJ6mSVSqDACvYRiFvrOFmie8rgm6GacWatgO4m4NqiFKFko3r58LueFfGw47NK9RcfOkVQeHCq4btaDqksDKeoTrNysF4YS89INa-prWomrLRAhnwLOo1Etp3E4ESAxg73CR2kA5AoMbf5KtFueWnMcSbQkMRdWcGC1VssC0tB0JffVjq7ZV6OTyV4kl1-UVgiPLXUTpupFfLRhf9QpqMBjYgP62KvhIvW8BbkGUelYMetA",
65 | "presentation_submission": {
66 | "id": "018815e8-358c-40f2-9648-2edee6908ac4",
67 | "definition_id": "ac1ced75-e910-440d-9c00-a3c0d1dfe379",
68 | "descriptor_map": [
69 | {
70 | "id": "c65236cb-89a3-4177-8a56-23d239b4f9a8",
71 | "path": "$",
72 | "format": "jwt_vp_json",
73 | "path_nested": {
74 | "format": "jwt_vp_json",
75 | "path": "$.vc"
76 | }
77 | }
78 | ]
79 | }
80 | }
--------------------------------------------------------------------------------
/common/zcap.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import * as didMethodKey from '@digitalbazaar/did-method-key';
9 | import {agent} from '@bedrock/https-agent';
10 | import {decodeSecretKeySeed} from 'bnid';
11 | import {Ed25519Signature2020} from '@digitalbazaar/ed25519-signature-2020';
12 | import {
13 | Ed25519VerificationKey2020
14 | } from '@digitalbazaar/ed25519-verification-key-2020';
15 | import {httpClient} from '@digitalbazaar/http-client';
16 | import {logger} from '../lib/logger.js';
17 | import {ZcapClient} from '@digitalbazaar/ezcap';
18 |
19 | const didKeyDriver = didMethodKey.driver();
20 | didKeyDriver.use({
21 | name: 'Ed25519',
22 | handler: Ed25519VerificationKey2020,
23 | multibaseMultikeyHeader: 'z6Mk',
24 | fromMultibase: didMethodKey.createFromMultibase(Ed25519VerificationKey2020)
25 | });
26 |
27 | const defaultHeaders = {
28 | Accept: 'application/json, application/ld+json, */*'
29 | };
30 |
31 | const postHeaders = {
32 | 'Content-Type': 'application/json',
33 | ...defaultHeaders
34 | };
35 |
36 | const _getZcapClient = async ({secretKeySeed}) => {
37 | const seed = await decodeSecretKeySeed({secretKeySeed});
38 | const keyPair = await Ed25519VerificationKey2020.generate({
39 | seed
40 | });
41 | const didKey = await didKeyDriver.fromKeyPair({
42 | verificationKeyPair: keyPair
43 | });
44 |
45 | const capabilityInvocationKeyPair = didKey.methodFor({
46 | purpose: 'capabilityInvocation'
47 | });
48 | // enable signing by adding the private key material
49 | capabilityInvocationKeyPair.privateKeyMultibase = keyPair.privateKeyMultibase;
50 | return new ZcapClient({
51 | SuiteClass: Ed25519Signature2020,
52 | invocationSigner: capabilityInvocationKeyPair.signer(),
53 | agent
54 | });
55 | };
56 |
57 | async function zcapWriteRequest({
58 | endpoint,
59 | json,
60 | zcap,
61 | headers = defaultHeaders
62 | }) {
63 | let result;
64 | let error;
65 | let capability = zcap.capability;
66 | const clientSecret = zcap.clientSecret;
67 | // we are storing the zcaps stringified right now
68 | if(typeof capability === 'string') {
69 | capability = JSON.parse(capability);
70 | }
71 |
72 | try {
73 | const zcapClient = await _getZcapClient({secretKeySeed: clientSecret});
74 | result = await zcapClient.write({
75 | url: endpoint,
76 | json,
77 | headers: {
78 | ...postHeaders,
79 | // passed in headers will overwrite postHeaders
80 | ...headers
81 | },
82 | capability
83 | });
84 | } catch(error) {
85 | logger.error('Error in zcapWriteRequest:', {error});
86 | }
87 | const {data, statusCode} = _getDataAndStatus({result, error});
88 | return {result, error, data, statusCode};
89 | }
90 |
91 | async function zcapReadRequest({
92 | endpoint,
93 | zcap,
94 | headers = defaultHeaders
95 | }) {
96 | let result;
97 | let error;
98 | let capability = zcap.capability;
99 | const clientSecret = zcap.clientSecret;
100 | // we are storing the zcaps stringified right now
101 | if(typeof capability === 'string') {
102 | capability = JSON.parse(capability);
103 | }
104 |
105 | try {
106 | const zcapClient = await _getZcapClient({secretKeySeed: clientSecret});
107 | result = await zcapClient.read({
108 | url: endpoint,
109 | headers: {
110 | ...headers
111 | },
112 | capability
113 | });
114 | } catch(error) {
115 | logger.error('Error in zcapReadRequest:', {error});
116 | }
117 | const {data, statusCode} = _getDataAndStatus({result, error});
118 | return {result, error, data, statusCode};
119 | }
120 |
121 | function _getDataAndStatus({result = {}, error = {}}) {
122 | let data = result.data || error.data;
123 | // FIXME remove this once VC-API returns from the issuer
124 | // are finalized.
125 | if(data && data.verifiableCredential) {
126 | data = data.verifiableCredential;
127 | }
128 | const statusCode = result.status || error.status;
129 | return {data, statusCode};
130 | }
131 |
132 | /**
133 | * Makes an https request.
134 | *
135 | * @param {object} options - Options to use.
136 | * @param {URL} options.url - A url.
137 | * @param {object} [options.json] - JSON for the request.
138 | * @param {object} [options.headers] - Headers for the request.
139 | * @param {string} options.method - The HTTP method for the request.
140 | * @param {object} [options.oauth2] - OAuth2 credentialss.
141 | * @param {object} [options.searchParams] - URL Queries for the request.
142 | *
143 | * @returns {object} The results from the request.
144 | */
145 | async function makeHttpsRequest({
146 | url,
147 | json,
148 | headers,
149 | method,
150 | // oauth2,
151 | searchParams
152 | }) {
153 | let result;
154 | let error;
155 | // if(oauth2) {
156 | // headers.Authorization = await constructOAuthHeader({...oauth2});
157 | // }
158 | try {
159 | result = await httpClient(url, {
160 | method, json, headers, agent, searchParams
161 | });
162 | } catch(e) {
163 | error = e;
164 | }
165 | const {data, statusCode} = _getDataAndStatus({result, error});
166 | return {result, error, data, statusCode};
167 | }
168 |
169 | export const zcapClient = {
170 | zcapReadRequest,
171 | zcapWriteRequest,
172 | makeHttpsRequest
173 | };
174 |
--------------------------------------------------------------------------------
/lib/oidc.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import crypto from 'node:crypto';
9 |
10 | import {config} from '@bedrock/core';
11 | import {database} from './database.js';
12 | import {jwtFromExchange} from '../common/jwt.js';
13 | import {logger} from './logger.js';
14 |
15 | /**
16 | * Augment the app with middleware for OIDC that validates requests prior to
17 | * more in-depth processing.
18 | * @param {Express} app - Express app instance
19 | */
20 | export const OidcValidationMiddleware = function(app) {
21 | app.get('/context/login', async (req, res, next) => {
22 | // Validate Redirect URI is permitted
23 | if(!req.query.redirect_uri) {
24 | res.status(400).send({
25 | error: 'invalid_grant',
26 | error_description: 'redirect_uri is required'
27 | });
28 | return;
29 | } else if(req.rp?.redirectUri != req.query.redirect_uri) {
30 | res.status(400).send({
31 | error: 'invalid_grant',
32 | error_description: 'Unknown redirect_uri'
33 | });
34 | return;
35 | }
36 |
37 | // Validate scope is openid only.
38 | if(!req.query.scope) {
39 | res.status(400).send({
40 | error: 'invalid_scope',
41 | error_description: 'scope is required'
42 | });
43 | return;
44 | } else if(req.query.scope !== 'openid') {
45 | res.status(400).send({
46 | error: 'invalid_scope',
47 | error_description: 'scope must be "openid"'
48 | });
49 | return;
50 | }
51 |
52 | next();
53 | });
54 | };
55 |
56 | export const exchangeCodeForToken = async (req, res) => {
57 | // Client ID and Secret should be validated by ResolveClientMiddleware
58 | const rp = req.rp;
59 | if(!rp) {
60 | res.status(500).send(
61 | {message: 'Unexpected server error. No registered client attached.'}
62 | );
63 | return;
64 | }
65 |
66 | // Validate code is present
67 | if(!req.body.code || typeof req.body.code !== 'string') {
68 | res.status(400).send({message: 'code is required'});
69 | return;
70 | }
71 |
72 | // Validate grant type
73 | if(!req.body.grant_type) {
74 | res.status(400).send({message: 'grant_type is required'});
75 | return;
76 | } else if(req.body.grant_type !== 'authorization_code') {
77 | res.status(400).send(
78 | {
79 | error: 'unsupported_grant_type',
80 | error_description: 'Invalid grant_type. Use authorization_code'}
81 | );
82 | return;
83 | }
84 |
85 | // Look up exchange by code and validate that it is for this RP.
86 | const exchange = await database.collections.Exchanges.findOne({
87 | 'oidc.code': req.body.code
88 | });
89 | if(!exchange) {
90 | res.status(400).send({
91 | error: 'invalid_grant',
92 | error_description: 'Invalid code'
93 | });
94 | return;
95 | } else if(exchange.workflowId !== rp.workflow.id) {
96 | res.status(400).send({
97 | error: 'invalid_grant',
98 | error_description: 'Invalid code or client_id'
99 | });
100 | return;
101 | } else if(exchange.state !== 'complete') {
102 | res.status(400).send({
103 | error: 'invalid_grant',
104 | error_description: `Invalid code: Exchange status ${exchange.state}`
105 | });
106 | return;
107 | }
108 |
109 | try {
110 | const jwt_string = await jwtFromExchange(exchange, rp);
111 | const token = {
112 | access_token: 'NONE',
113 | token_type: 'Bearer',
114 | expires_in: 3600,
115 | id_token: jwt_string
116 | };
117 |
118 | await database.collections.Exchanges.updateOne({id: exchange.id}, {
119 | $set: {oidc: {state: exchange.oidc?.state, code: null}}
120 | });
121 |
122 | res.send(token);
123 | return;
124 | } catch(error) {
125 | logger.error(error.message, {error});
126 | res.status(500).send({
127 | error: 'server_error',
128 | error_description: 'Error creating JWT: ' + error.message
129 | });
130 | return;
131 | }
132 | };
133 |
134 | export const jwksEndpoint = async (req, res) => {
135 | const jwks = config.opencred.signingKeys.filter(
136 | key => key.purpose.includes('id_token')
137 | ).map(key => {
138 | const rehydratedKey = crypto.createPublicKey({
139 | key: key.publicKeyPem,
140 | format: 'pem',
141 | type: 'spki'
142 | });
143 | const jwkFormat = rehydratedKey.export({format: 'jwk', type: 'public'});
144 | return {
145 | kid: key.id,
146 | ...jwkFormat
147 | };
148 | });
149 |
150 | res.send({
151 | keys: jwks
152 | });
153 | };
154 |
155 | export const openIdConfiguration = async (req, res) => {
156 | const {server: {baseUri}} = config;
157 |
158 | const id_token_signing_alg_values_supported = config.opencred.signingKeys
159 | .filter(
160 | key => key.purpose.includes('id_token')
161 | ).map(k => k.type);
162 | const info = {
163 | issuer: baseUri,
164 | authorization_endpoint: `${baseUri}/login`,
165 | token_endpoint: `${baseUri}/token`,
166 | jwks_uri: `${baseUri}/.well-known/jwks.json`,
167 |
168 | grant_types_supported: ['authorization_code'],
169 | response_types_supported: ['code', 'code id_token'],
170 | scopes_supported: ['openid'],
171 | subject_types_supported: ['public'],
172 | token_endpoint_auth_methods_supported: [
173 | 'client_secret_basic',
174 | 'client_secret_post'
175 | ],
176 | id_token_signing_alg_values_supported,
177 |
178 | request_parameter_supported: false,
179 | request_uri_parameter_supported: false,
180 | request_object_signing_alg_values_supported: ['none'],
181 | display_values_supported: ['page', 'touch'],
182 | claim_types_supported: ['normal'],
183 | claims_parameter_supported: false,
184 | service_documentation: 'https://github.com/digitalbazaar/opencred-platform',
185 | ui_locales_supported: Object.keys(config.opencred.translations)
186 | };
187 |
188 | res.send(info);
189 | };
190 |
--------------------------------------------------------------------------------
/test/mocha/30-didWeb.test.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import * as sinon from 'sinon';
9 | import {httpClient} from '@digitalbazaar/http-client';
10 | import https from 'node:https';
11 |
12 | import {baseUrl} from '../mock-data.js';
13 | import {config} from '@bedrock/core';
14 | import {exampleKey2} from '../fixtures/signingKeys.js';
15 | import '../../lib/index.js';
16 |
17 | const agent = new https.Agent({rejectUnauthorized: false});
18 | const client = httpClient.extend({agent});
19 |
20 | const testDidWebDoc = {
21 | id: 'did:web:example.com',
22 | '@context': [
23 | 'https://www.w3.org/ns/did/v1',
24 | {
25 | '@base': 'did:web:example.com'
26 | }
27 | ],
28 | service: [
29 | {
30 | id: '#linkeddomains',
31 | type: 'LinkedDomains',
32 | serviceEndpoint: {
33 | origins: [
34 | 'https://example.com'
35 | ]
36 | }
37 | },
38 | {
39 | id: '#hub',
40 | type: 'IdentityHub',
41 | serviceEndpoint: {
42 | instances: [
43 | 'https://hub.did.msidentity.com/v1.0/test-instance-id'
44 | ]
45 | }
46 | }
47 | ],
48 | verificationMethod: [
49 | {
50 | id: 'test-signing-key',
51 | controller: 'did:web:example.com',
52 | type: 'EcdsaSecp256k1VerificationKey2019',
53 | publicKeyJwk: {
54 | crv: 'secp256k1',
55 | kty: 'EC',
56 | x: 'test-x',
57 | y: 'test-y'
58 | }
59 | }
60 | ],
61 | authentication: [
62 | 'test-signing-key'
63 | ],
64 | assertionMethod: [
65 | 'test-signing-key'
66 | ]
67 | };
68 |
69 | const testLinkageDoc = {
70 | '@context': 'https://identity.foundation/.well-known/did-configuration/v1',
71 | // eslint-disable-next-line max-len
72 | linked_dids: ['eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDprZXk6ejZNa29USHNnTk5yYnk4SnpDTlExaVJMeVc1UVE2UjhYdXU2QUE4aWdHck1WUFVNI3o2TWtvVEhzZ05OcmJ5OEp6Q05RMWlSTHlXNVFRNlI4WHV1NkFBOGlnR3JNVlBVTSJ9.eyJleHAiOjE3NjQ4NzkxMzksImlzcyI6ImRpZDprZXk6ejZNa29USHNnTk5yYnk4SnpDTlExaVJMeVc1UVE2UjhYdXU2QUE4aWdHck1WUFVNIiwibmJmIjoxNjA3MTEyNzM5LCJzdWIiOiJkaWQ6a2V5Ono2TWtvVEhzZ05OcmJ5OEp6Q05RMWlSTHlXNVFRNlI4WHV1NkFBOGlnR3JNVlBVTSIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIiwiaHR0cHM6Ly9pZGVudGl0eS5mb3VuZGF0aW9uLy53ZWxsLWtub3duL2RpZC1jb25maWd1cmF0aW9uL3YxIl0sImNyZWRlbnRpYWxTdWJqZWN0Ijp7ImlkIjoiZGlkOmtleTp6Nk1rb1RIc2dOTnJieThKekNOUTFpUkx5VzVRUTZSOFh1dTZBQThpZ0dyTVZQVU0iLCJvcmlnaW4iOiJpZGVudGl0eS5mb3VuZGF0aW9uIn0sImV4cGlyYXRpb25EYXRlIjoiMjAyNS0xMi0wNFQxNDoxMjoxOS0wNjowMCIsImlzc3VhbmNlRGF0ZSI6IjIwMjAtMTItMDRUMTQ6MTI6MTktMDY6MDAiLCJpc3N1ZXIiOiJkaWQ6a2V5Ono2TWtvVEhzZ05OcmJ5OEp6Q05RMWlSTHlXNVFRNlI4WHV1NkFBOGlnR3JNVlBVTSIsInR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiLCJEb21haW5MaW5rYWdlQ3JlZGVudGlhbCJdfX0.aUFNReA4R5rcX_oYm3sPXqWtso_gjPHnWZsB6pWcGv6m3K8-4JIAvFov3ZTM8HxPOrOL17Qf4vBFdY9oK0HeCQ']
73 | };
74 |
75 | describe('OpenCred did:web support', function() {
76 | it('should return 404 if not enabled', async function() {
77 | const configStub = sinon.stub(config.opencred, 'didWeb')
78 | .value({mainEnabled: false});
79 | let result;
80 | let err;
81 | try {
82 | result = await client.get(`${baseUrl}/.well-known/did.json`);
83 | } catch(e) {
84 | err = e;
85 | }
86 |
87 | should.not.exist(result);
88 | err.status.should.be.equal(404);
89 | err.data.message.should.be.equal(
90 | 'A did:web document is not available for this domain.'
91 | );
92 |
93 | configStub.restore();
94 | });
95 |
96 | it('should return did:web document', async function() {
97 | const didWebStub = sinon.stub(config.opencred, 'didWeb').value({
98 | mainEnabled: true,
99 | mainDocument: testDidWebDoc
100 | });
101 | const signingKeyStub = sinon.stub(config.opencred, 'signingKeys').value(
102 | [{...exampleKey2, purpose: ['authorization_request']}]
103 | );
104 |
105 | let result;
106 | let err;
107 | try {
108 | result = await client.get(`${baseUrl}/.well-known/did.json`);
109 | } catch(e) {
110 | err = e;
111 | }
112 |
113 | should.not.exist(err);
114 | result.status.should.be.equal(200);
115 | result.data.id.should.be.equal('did:web:example.com');
116 | result.data.verificationMethod.length.should.be.equal(2);
117 |
118 | didWebStub.restore();
119 | signingKeyStub.restore();
120 | });
121 |
122 | it('should return did:web document verificationMethod', async function() {
123 | const didWebStub = sinon.stub(config.opencred, 'didWeb').value({
124 | mainEnabled: true,
125 | mainDocument: testDidWebDoc
126 | });
127 | const signingKeyStub = sinon.stub(config.opencred, 'signingKeys').value(
128 | [{...exampleKey2, purpose: ['authorization_request']}]
129 | );
130 |
131 | let result;
132 | let err;
133 | try {
134 | result = await client.get(`${baseUrl}/.well-known/did.json`);
135 | } catch(e) {
136 | err = e;
137 | }
138 |
139 | should.not.exist(err);
140 | result.status.should.be.equal(200);
141 | result.data.id.should.be.equal('did:web:example.com');
142 | result.data.verificationMethod.length.should.be.equal(2);
143 | result.data.assertionMethod.length.should.be.equal(2);
144 | result.data.verificationMethod[0].id.should.be.equal(
145 | result.data.assertionMethod[0]
146 | );
147 |
148 | didWebStub.restore();
149 | signingKeyStub.restore();
150 | });
151 | });
152 |
153 | describe('DID Linked Domain credential endpoint', () => {
154 | it('should return an empty list if not enabled', async function() {
155 | const configStub = sinon.stub(config.opencred, 'didWeb').value({
156 | mainEnabled: true,
157 | linkageEnabled: false
158 | });
159 |
160 | let result;
161 | let err;
162 | try {
163 | result = await client.get(
164 | `${baseUrl}/.well-known/did-configuration.json`
165 | );
166 | } catch(e) {
167 | err = e;
168 | }
169 |
170 | should.not.exist(err);
171 | result.status.should.be.equal(200);
172 | result.data.linked_dids.length.should.be.equal(0);
173 |
174 | configStub.restore();
175 | });
176 |
177 | it('should return a DomainLinkageCredential', async function() {
178 | const didWebStub = sinon.stub(config.opencred, 'didWeb').value({
179 | mainEnabled: true,
180 | linkageEnabled: true,
181 | mainDocument: testDidWebDoc,
182 | linkageDocument: testLinkageDoc
183 | });
184 |
185 | let result;
186 | let err;
187 | try {
188 | result = await client.get(
189 | `${baseUrl}/.well-known/did-configuration.json`
190 | );
191 | } catch(e) {
192 | err = e;
193 | }
194 |
195 | should.not.exist(err);
196 | result.status.should.be.equal(200);
197 | result.data.linked_dids.length.should.be.equal(1);
198 |
199 | didWebStub.restore();
200 | });
201 | });
202 |
--------------------------------------------------------------------------------
/lib/workflows/base.js:
--------------------------------------------------------------------------------
1 | import base64url from 'base64url';
2 | import {config} from '@bedrock/core';
3 | import {createId} from '../../common/utils.js';
4 | import {database} from '../database.js';
5 | import {domainToDidWeb} from '../didWeb.js';
6 | import {logger} from '../logger.js';
7 |
8 | export class BaseWorkflowService {
9 | constructor(app) {
10 | if(app) {
11 | app.get(
12 | '/context/login',
13 | this.getOrCreateExchange.bind(this)
14 | );
15 | app.get(
16 | '/context/verification',
17 | this.getOrCreateExchange.bind(this)
18 | );
19 | app.post(
20 | '/workflows/:workflowId/exchanges',
21 | this.createExchange.bind(this)
22 | );
23 | app.get(
24 | '/workflows/:workflowId/exchanges/:exchangeId',
25 | this.getStatus.bind(this)
26 | );
27 | app.post(
28 | '/workflows/:workflowId/exchanges/:exchangeId/reset',
29 | this.resetExchange.bind(this)
30 | );
31 | }
32 | }
33 |
34 | // eslint-disable-next-line no-unused-vars
35 | async createWorkflowSpecificExchange(trustedVariables, untrustedVariables) {
36 | // eslint-disable-next-line no-unused-vars
37 | const {rp, accessToken, oidc} = trustedVariables;
38 | throw new Error(
39 | 'Not implemented: createWorkflowSpecificExchange must be implemented ' +
40 | 'in a workflow implementation.');
41 | }
42 |
43 | async resetExchange(req, res) {
44 | const {exchange} = req;
45 |
46 | const updatedExchange = {
47 | ...exchange,
48 | state: 'pending',
49 | step: req.rp.workflow.initialStep,
50 | createdAt: new Date(),
51 | variables: {
52 | ...exchange.variables,
53 | results: {},
54 | authorizationRequest: null,
55 | }
56 | };
57 | await database.collections.Exchanges.replaceOne(
58 | {id: exchange.id},
59 | updatedExchange,
60 | {upsert: false}
61 | );
62 | res.send(this.formatExchange(updatedExchange));
63 | }
64 |
65 | async initExchange(trustedVariables, untrustedVariables) {
66 | const {rp, accessToken, oidc} = trustedVariables;
67 | const duration = config.opencred.options.recordExpiresDurationMs;
68 | const ttl = trustedVariables.ttl ??
69 | config.opencred.options.exchangeTtlSeconds;
70 | const gracePeriod = 60000; // 1 minute
71 |
72 | let variables = {};
73 | if(untrustedVariables && rp.workflow.untrustedVariableAllowList) {
74 | variables = this.parseUntrustedVariables(
75 | rp.workflow.untrustedVariableAllowList,
76 | untrustedVariables
77 | );
78 | }
79 |
80 | const createdAt = new Date();
81 |
82 | return {
83 | id: await createId(),
84 | challenge: await createId(),
85 | workflowId: rp.workflow.id,
86 | state: 'pending',
87 | sequence: 0,
88 | step: rp.workflow.initialStep, // Might be undefined for vc-api
89 | ttl,
90 | createdAt,
91 | recordExpiresAt: new Date(
92 | createdAt.getTime() + Math.max(ttl * 1000 + gracePeriod, duration)),
93 | variables,
94 | oidc,
95 | accessToken
96 | };
97 | }
98 |
99 | async createExchange(req, res, next) {
100 | const accessToken = await createId();
101 | const oidc = {
102 | code: null,
103 | state: req.query?.state ?? req.body?.oidcState ?? ''
104 | };
105 |
106 | let untrustedVariables = {};
107 | if(req.query?.variables || req.body?.variables) {
108 | try {
109 | untrustedVariables = JSON.parse(
110 | base64url.decode(req.query?.variables ?? req.body?.variables)
111 | );
112 | } catch(e) {
113 | res.status(400).send({
114 | message: 'Invalid variables supplied while creating exchange.'
115 | });
116 | return;
117 | }
118 | }
119 | try {
120 | const exchange = await this.createWorkflowSpecificExchange(
121 | {rp: req.rp, accessToken, oidc},
122 | untrustedVariables
123 | );
124 | if(exchange) {
125 | req.exchange = exchange;
126 | }
127 | next();
128 | } catch(e) {
129 | logger.error(e);
130 | res.status(500).send({message: 'Internal Server Error'});
131 | }
132 | }
133 |
134 | async getStatus(req, res, next) {
135 | const rp = req.rp;
136 | if(!rp?.workflow) {
137 | next();
138 | return;
139 | }
140 | if(!req.exchange) {
141 | req.exchange = await this.getExchange({
142 | rp,
143 | id: req.params.exchangeId,
144 | allowExpired: true
145 | });
146 | }
147 | next();
148 | }
149 |
150 | async getOrCreateExchange(req, res, next) {
151 | const {exchangeId, accessToken} = req.cookies;
152 | if(!(exchangeId && accessToken)) {
153 | return this.createExchange(req, res, next);
154 | }
155 | const exchange = await this.getExchange({
156 | rp: req.rp,
157 | id: exchangeId,
158 | accessToken
159 | });
160 | if(exchange) {
161 | req.exchange = this.formatExchange(exchange);
162 | }
163 | next();
164 | }
165 |
166 | async getExchange(
167 | {rp, id, accessToken, allowExpired} = {allowExpired: false}
168 | ) {
169 | const exchange = await database.collections.Exchanges.findOne({
170 | ...(id ? {id} : {}),
171 | ...(accessToken ? {accessToken} : {})
172 | }, {projection: {_id: 0}});
173 | if(!exchange || !rp) {
174 | return null;
175 | }
176 |
177 | const expiry = new Date(exchange.createdAt.getTime() + exchange.ttl * 1000);
178 | if(!allowExpired && new Date() > expiry) {
179 | return null;
180 | }
181 |
182 | // Necessary for hiding secret access token
183 | // from frontend for Entra relying parties
184 | // eslint-disable-next-line no-unused-vars
185 | const {apiAccessToken, ...exchangeData} = exchange;
186 |
187 | return exchangeData;
188 | }
189 |
190 | formatExchange(exchange) {
191 | if(!exchange) {
192 | return null;
193 | }
194 | const {id, accessToken, oidc, workflowId, ttl, createdAt} = exchange;
195 | const domain = config.server.baseUri;
196 | const vcapi = `${domain}/workflows/${workflowId}/exchanges/${id}`;
197 | const authzReqUrl = `${vcapi}/openid/client/authorization/request`;
198 | const searchParams = new URLSearchParams({
199 | client_id: domainToDidWeb(config.server.baseUri),
200 | request_uri: authzReqUrl
201 | });
202 | const OID4VP = exchange.OID4VP ?? 'openid4vp://?' + searchParams.toString();
203 | return {id, vcapi, OID4VP, accessToken, oidc, ttl, createdAt, workflowId};
204 | }
205 |
206 | /**
207 | * Stores variables in an exchange if they are on the allow list
208 | * @param {Array59 | {{$t('loginCta')}} 60 |
61 | 64 | 68 |
69 |
76 |
82 | {{$t('appCta-openid4vp-label') || $t('appCta')}}
83 |
84 |
98 |
91 |
94 | Loading...
95 |
96 |
97 |
99 |
107 | 100 | 105 |
106 |
114 |
253 |
254 |
259 |
264 |
265 |
266 |
267 |
268 |
--------------------------------------------------------------------------------
/lib/audit.js:
--------------------------------------------------------------------------------
1 | /*!
2 | * Copyright 2023 - 2024 California Department of Motor Vehicles
3 | * Copyright 2023 - 2024 Digital Bazaar, Inc.
4 | *
5 | * SPDX-License-Identifier: BSD-3-Clause
6 | */
7 |
8 | import {
9 | getDocumentLoader,
10 | getOverrideDidResolver
11 | } from '../common/documentLoader.js';
12 | import {
13 | getFieldMatches,
14 | getIssuerDidDocumentOverrides,
15 | getVcTokensForVpToken,
16 | getVpTokenMetadata
17 | } from '../common/audit.js';
18 | import {config} from '@bedrock/core';
19 | import {decodeJwt} from 'jose';
20 | import {extractCertsFromX5C} from '../common/x509.js';
21 | import {httpClient} from '@digitalbazaar/http-client';
22 | import {logger} from './logger.js';
23 | import {SUITES} from '../common/suites.js';
24 | import {verifyUtils} from '../common/utils.js';
25 |
26 | export const auditPresentation = async (req, res) => {
27 | const vpToken = req.body.vpToken;
28 | const fields = req.body.fields;
29 | const reCaptchaToken = req.body.reCaptchaToken;
30 |
31 | let errorMessage = 'Error';
32 | const defaultErrorResponse = {
33 | verified: false,
34 | matches: {},
35 | message: 'Error'
36 | };
37 |
38 | if(!config.opencred.audit.enable) {
39 | return res.status(501).send({
40 | ...defaultErrorResponse,
41 | message: 'Auditing is not enabled for this system.'
42 | });
43 | }
44 |
45 | if(!vpToken) {
46 | return res.status(400).send({
47 | ...defaultErrorResponse,
48 | message: 'vpToken is required.'}
49 | );
50 | }
51 |
52 | if(config.opencred.reCaptcha.enable) {
53 | if(!reCaptchaToken) {
54 | return res.status(400).send({
55 | ...defaultErrorResponse,
56 | message: 'A reCAPTCHA token must be provided when reCAPTCHA is enabled.'
57 | });
58 | }
59 |
60 | const reCaptchaParams = new URLSearchParams();
61 | reCaptchaParams.append('secret', config.opencred.reCaptcha.secretKey);
62 | reCaptchaParams.append('response', reCaptchaToken);
63 | try {
64 | const reCaptchaResponse = await httpClient.post(
65 | 'https://www.google.com/recaptcha/api/siteverify', {
66 | headers: {
67 | 'Content-Type': 'application/x-www-form-urlencoded'
68 | },
69 | body: reCaptchaParams
70 | });
71 | if(!reCaptchaResponse.data.success) {
72 | errorMessage =
73 | 'There was an error verifying the reCAPTCHA token provided.\n' +
74 | 'This may happen if your reCAPTCHA session has expired or\n' +
75 | 'reCAPTCHA is improperly configured in your system.';
76 | logger.debug('reCAPTCHA error response:', {
77 | reCaptchaResponse: reCaptchaResponse.data
78 | });
79 | return res.status(400).send({
80 | ...defaultErrorResponse,
81 | message: errorMessage
82 | });
83 | }
84 |
85 | logger.debug('reCAPTCHA success response:', {
86 | reCaptchaResponse: reCaptchaResponse.data
87 | });
88 | } catch(error) {
89 | if(error) {
90 | logger.error(error.message, {error});
91 | return res.status(400).send({
92 | ...defaultErrorResponse,
93 | message: 'There was an error verifying the reCAPTCHA token provided.'
94 | });
95 | }
96 | }
97 | }
98 |
99 | let matches = {};
100 | try {
101 | try {
102 | if(fields && Object.entries(fields).length) {
103 | matches = getFieldMatches(vpToken, fields);
104 | }
105 | } catch(error) {
106 | return res.status(400).send({
107 | verified: false,
108 | matches,
109 | message: error.message
110 | });
111 | }
112 |
113 | const {valid, error, issuerDids} = getVpTokenMetadata(vpToken);
114 | if(!valid) {
115 | return res.status(400).send({
116 | verified: false,
117 | matches,
118 | message: error
119 | });
120 | }
121 |
122 | if(typeof vpToken === 'string') {
123 | const vpJwtPayload = decodeJwt(vpToken);
124 | const presentationDate = vpJwtPayload.iat ?
125 | new Date(vpJwtPayload.iat * 1000) :
126 | null;
127 |
128 | if(!presentationDate) {
129 | return res.status(400).send({
130 | verified: false,
131 | matches,
132 | message: 'Decoded vp token must contain an issuance date at "$.iat"'
133 | });
134 | }
135 |
136 | let didDocumentOverrides;
137 | try {
138 | didDocumentOverrides =
139 | await getIssuerDidDocumentOverrides(issuerDids, presentationDate);
140 | } catch(error) {
141 | return res.status(400).send({
142 | verified: false,
143 | matches,
144 | message: error.message
145 | });
146 | }
147 |
148 | const resolver = getOverrideDidResolver(didDocumentOverrides);
149 |
150 | const vcTokens = getVcTokensForVpToken(vpToken);
151 | let verificationErrors = [];
152 | for(const vcToken of vcTokens) {
153 | const vcResult = await verifyUtils.verifyCredentialJWT(vcToken, {
154 | resolver,
155 | skewTime: presentationDate.getTime()
156 | });
157 | if(!vcResult.verified) {
158 | verificationErrors = verificationErrors.concat(vcResult.errors);
159 | } else {
160 | const certs = await extractCertsFromX5C(
161 | vcResult.signer.publicKeyJwk
162 | );
163 | if(!certs) {
164 | verificationErrors.push(
165 | 'Invalid certificate in x5c claim'
166 | );
167 | } else {
168 | const certResult = await verifyUtils.verifyx509JWT(certs, {
169 | presentationDate,
170 | caSource: 'database'
171 | });
172 | if(!certResult.verified) {
173 | verificationErrors =
174 | verificationErrors.concat(certResult.errors);
175 | }
176 | }
177 | }
178 | }
179 | if(verificationErrors.length > 0) {
180 | return res.status(400).send({
181 | verified: false,
182 | matches,
183 | message: verificationErrors.join('\n')
184 | });
185 | }
186 |
187 | const vpResult = await verifyUtils.verifyPresentationJWT(
188 | vpToken, {
189 | audience: vpJwtPayload.aud,
190 | resolver,
191 | skewTime: presentationDate.getTime()
192 | });
193 | if(!vpResult.verified) {
194 | return res.status(400).send({
195 | verified: false,
196 | matches,
197 | message: vpResult.errors[0]
198 | });
199 | }
200 | } else if(typeof vpToken === 'object') {
201 | const presentationDate = vpToken.proof?.created ?
202 | new Date(vpToken.proof?.created) :
203 | null;
204 |
205 | if(!presentationDate) {
206 | return res.status(400).send({
207 | verified: false,
208 | matches,
209 | message: 'vp token must contain an issuance date at "$.proof.created"'
210 | });
211 | }
212 |
213 | let didDocumentOverrides;
214 | try {
215 | didDocumentOverrides =
216 | await getIssuerDidDocumentOverrides(issuerDids, presentationDate);
217 | } catch(error) {
218 | return res.status(400).send({
219 | verified: false,
220 | matches,
221 | message: error.message
222 | });
223 | }
224 |
225 | let documentLoader = getDocumentLoader();
226 | for(const [did, didDocument] of Object.entries(didDocumentOverrides)) {
227 | documentLoader.addStatic(did, didDocument);
228 | }
229 | documentLoader = documentLoader.build();
230 |
231 | const vpResult = await verifyUtils.verifyPresentationDataIntegrity({
232 | presentation: vpToken,
233 | challenge: vpToken.proof?.challenge,
234 | documentLoader,
235 | suite: SUITES,
236 | now: presentationDate
237 | });
238 | if(!vpResult.verified) {
239 | return res.status(400).send({
240 | verified: false,
241 | matches,
242 | message:
243 | verifyUtils.getVerifyPresentationDataIntegrityErrors(vpResult)
244 | });
245 | }
246 | } else {
247 | return res.status(400).send({
248 | verified: false,
249 | matches,
250 | message: 'Invalid format of "vpToken"'
251 | });
252 | }
253 | } catch(error) {
254 | logger.error(error.message, {error});
255 | return res.status(500).send({
256 | verified: false,
257 | matches,
258 | message: error.message
259 | });
260 | }
261 |
262 | return res.status(200).send({
263 | verified: true,
264 | matches,
265 | message: 'Success'
266 | });
267 | };
268 |
--------------------------------------------------------------------------------
117 | {{$t('qrTitle')}} 118 |
119 |
120 |
123 |
127 |
128 |
131 |
132 |
149 |
133 |
137 |
138 | {{$t('exchangeActiveExpiryMessage')}}
139 |
152 |
153 |
180 |
154 | ![]()
158 |
159 |
160 |
173 | 161 | 162 | 163 | {{$t('openid4vpQrAnotherWayLabel')}} 164 | 165 | 171 |
172 |
174 | {{$t('exchangeActiveExpiryMessage')}}
175 |
183 |
184 |
219 |
185 |
189 | {{$t('appCta')}}
190 |
191 |
200 | 194 | 195 | {{$t('noSchemeHandlerTitle')}} 196 | 197 | {{$t('noSchemeHandlerMessage')}} 198 |
199 |
201 |
205 |
209 |
210 |
211 |
218 |
212 | {{$t('exchangeActiveExpiryMessage')}}
213 |
220 |
246 |
250 |
251 | 221 | 222 | 223 | {{$t('openid4vpAnotherWayLabel')}} 224 | 225 | 231 |
232 | 241 | 245 |