Support both OID4VCI and RFC 8414 well-known config URLs.

digitalbazaar · Aug 22, 2024 · 4becbe6 · 4becbe6
1 parent 32f87ca
commit 4becbe6
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @digitalbazaar/oid4-client Changelog
 
+## 3.6.0 - 2024-08-dd
+
+### Added
+- Add support for issuer configuration URLs that do not match RFC 8414,
+  but instead match the OID4VCI spec, i.e., `<issuer>/.well-known/...` will
+  be accepted and not just `<issuer origin>/.well-known/.../<issuer path>`.
+
 ## 3.5.0 - 2024-08-08
 
 ### Added

diff --git a/lib/OID4Client.js b/lib/OID4Client.js
@@ -1,7 +1,7 @@
 /*!
  * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
  */
-import {discoverIssuer, generateDIDProofJWT} from './util.js';
+import {generateDIDProofJWT, robustDiscoverIssuer} from './util.js';
 import {httpClient} from '@digitalbazaar/http-client';
 
 const GRANT_TYPES = new Map([
@@ -159,7 +159,7 @@ export class OID4Client {
             nonce,
             // the entity identified by the DID is issuing this JWT
             iss: did,
-            // audience MUST be the target issuer per the OID4VC spec
+            // audience MUST be the target issuer per the OID4VCI spec
             aud
           });
 
@@ -227,6 +227,7 @@ export class OID4Client {
     }
     const {
       'pre-authorized_code': preAuthorizedCode,
+      // FIXME: update to `tx_code` terminology
       user_pin_required: userPinRequired
     } = grant;
     if(!preAuthorizedCode) {
@@ -238,11 +239,9 @@ export class OID4Client {
 
     try {
       // discover issuer info
-      const issuerConfigUrl =
-        `${parsedIssuer.origin}/.well-known/openid-credential-issuer` +
-        parsedIssuer.pathname;
-      const {issuerConfig, metadata} = await discoverIssuer(
-        {issuerConfigUrl, agent});
+      const {issuerConfig, metadata} = await robustDiscoverIssuer({
+        issuer: credential_issuer, agent
+      });
 
       /* First get access token from AS (Authorization Server), e.g.:
 
@@ -306,8 +305,9 @@ export class OID4Client {
       }
 
       // create client w/access token
-      return new OID4Client(
-        {accessToken, agent, issuerConfig, metadata, offer});
+      return new OID4Client({
+        accessToken, agent, issuerConfig, metadata, offer
+      });
     } catch(cause) {
       const error = new Error('Could not create OID4 client.', {cause});
       error.name = 'OperationError';

diff --git a/lib/index.js b/lib/index.js
@@ -1,11 +1,12 @@
 /*!
- * Copyright (c) 2022-2023 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
  */
 export * as oid4vp from './oid4vp.js';
 export {
   discoverIssuer,
   generateDIDProofJWT,
   parseCredentialOfferUrl,
+  robustDiscoverIssuer,
   signJWT
 } from './util.js';
 export {OID4Client} from './OID4Client.js';
diff --git a/lib/util.js b/lib/util.js
@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2023 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
  */
 import * as base64url from 'base64url-universal';
 import {httpClient} from '@digitalbazaar/http-client';
@@ -46,6 +46,14 @@ export async function discoverIssuer({issuerConfigUrl, agent} = {}) {
       throw error;
     }
 
+    // ensure `credential_issuer` matches `issuer`, if present
+    const {credential_issuer} = issuerMetaData;
+    if(credential_issuer !== undefined && credential_issuer !== issuer) {
+      const error = new Error('"credential_issuer" must match "issuer".');
+      error.name = 'DataError';
+      throw error;
+    }
+
     /* Validate `issuer` value against `issuerConfigUrl` (per RFC 8414):
 
     The `origin` and `path` element must be parsed from `issuer` and checked
@@ -64,9 +72,19 @@ export async function discoverIssuer({issuerConfigUrl, agent} = {}) {
       expectedConfigUrl += pathname;
     }
     if(issuerConfigUrl !== expectedConfigUrl) {
-      const error = new Error('"issuer" does not match configuration URL.');
-      error.name = 'DataError';
-      throw error;
+      // alternatively, against RFC 8414, but according to OID4VCI, make sure
+      // the issuer config URL matches:
+      // <origin><path>/.well-known/<any-path-segment>
+      expectedConfigUrl = origin;
+      if(pathname !== '/') {
+        expectedConfigUrl += pathname;
+      }
+      expectedConfigUrl += `/.well-known/${anyPathSegment}`;
+      if(issuerConfigUrl !== expectedConfigUrl) {
+        const error = new Error('"issuer" does not match configuration URL.');
+        error.name = 'DataError';
+        throw error;
+      }
     }
 
     // fetch AS meta data
@@ -171,6 +189,31 @@ export function parseCredentialOfferUrl({url} = {}) {
   return JSON.parse(searchParams.get('credential_offer'));
 }
 
+export async function robustDiscoverIssuer({issuer, agent} = {}) {
+  // try issuer config URLs based on OID4VCI (first) and RFC 8414 (second)
+  const parsedIssuer = new URL(issuer);
+  const {origin} = parsedIssuer;
+  const path = parsedIssuer.pathname === '/' ? '' : parsedIssuer.pathname;
+
+  const issuerConfigUrls = [
+    // OID4VCI
+    `${origin}${path}/.well-known/openid-credential-issuer`,
+    // RFC 8414
+    `${origin}/.well-known/openid-credential-issuer${path}`
+  ];
+
+  let error;
+  for(const issuerConfigUrl of issuerConfigUrls) {
+    try {
+      const config = await discoverIssuer({issuerConfigUrl, agent});
+      return config;
+    } catch(e) {
+      error = e;
+    }
+  }
+  throw error;
+}
+
 export async function signJWT({payload, protectedHeader, signer} = {}) {
   // encode payload and protected header
   const b64Payload = base64url.encode(JSON.stringify(payload));