diff --git a/lib/oidc4vc/get_authorization_uri_for_issuer.dart b/lib/oidc4vc/get_authorization_uri_for_issuer.dart
index fb0d36cce..8bcc1a66b 100644
--- a/lib/oidc4vc/get_authorization_uri_for_issuer.dart
+++ b/lib/oidc4vc/get_authorization_uri_for_issuer.dart
@@ -77,8 +77,11 @@ Future getAuthorizationUriForIssuer({
 late Uri authorizationUri;
- final (authorizationEndpoint, authorizationRequestParemeters) =
- await oidc4vc.getAuthorizationData(
+ final (
+ authorizationEndpoint,
+ authorizationRequestParemeters,
+ openIdConfiguration
+ ) = await oidc4vc.getAuthorizationData(
 selectedCredentials: selectedCredentials,
 clientId: clientId,
 clientSecret: clientSecret,
@@ -98,7 +101,12 @@ Future getAuthorizationUriForIssuer({
 dio: client.dio,
 );
- if (secureAuthorizedFlow) {
+ final requirePushedAuthorizationRequests =
+ openIdConfiguration.requirePushedAuthorizationRequests;
+
+ if ((requirePushedAuthorizationRequests != null &&
+ requirePushedAuthorizationRequests) ||
+ (requirePushedAuthorizationRequests == null && secureAuthorizedFlow)) {
 final headers = {
 'Content-Type': 'application/x-www-form-urlencoded',
 };
diff --git a/packages/oidc4vc/lib/src/models/openid_configuration.dart b/packages/oidc4vc/lib/src/models/openid_configuration.dart
index 2eeb54dcb..11425f93e 100644
--- a/packages/oidc4vc/lib/src/models/openid_configuration.dart
+++ b/packages/oidc4vc/lib/src/models/openid_configuration.dart
@@ -7,6 +7,7 @@ part 'openid_configuration.g.dart';
 @JsonSerializable()
 class OpenIdConfiguration extends Equatable {
 const OpenIdConfiguration({
+ required this.requirePushedAuthorizationRequests,
 this.authorizationServer,
 this.credentialsSupported,
 this.credentialConfigurationsSupported,
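Review bot: The null checks in the new condition are dead code, because `requirePushedAuthorizationRequests` is declared in openid_configuration.dart as a non-nullable `bool` with `defaultValue: false`, so the `== null && secureAuthorizedFlow` arm can never be true and the whole test collapses to the issuer's flag alone. The practical effect is a silent downgrade: a wallet configured with `secureAuthorizedFlow` will no longer push the authorization request whenever the issuer metadata omits `require_pushed_authorization_requests`, which is also inconsistent with the gate used for `client_assertion` in oidc4vc.dart (`secureAuthorizedFlow || openIdConfiguration.requirePushedAuthorizationRequests`). Either make the model field `bool?` so the absent case is genuinely distinguishable, or reduce the condition to `if (requirePushedAuthorizationRequests || secureAuthorizedFlow) {` so the local setting still forces PAR. getAuthorizationUriForIssuer begins and ends outside this hunk.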
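Review bot: Marking `requirePushedAuthorizationRequests` as `required` while the JSON mapping gives it `defaultValue: false` is inconsistent and forces every manual construction site (all of the test fixtures in this diff) to spell out `false`. A constructor default, `this.requirePushedAuthorizationRequests = false,`, keeps existing call sites compiling; if the caller needs to tell "metadata omitted the flag" apart from "flag is false", the field should instead be `bool?` with no default. The class body continues outside this hunk.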
@@ -60,6 +61,8 @@ class OpenIdConfiguration extends Equatable {
 final String? issuer;
 @JsonKey(name: 'jwks_uri')
 final String? jwksUri;
+ @JsonKey(name: 'require_pushed_authorization_requests', defaultValue: false)
+ final bool requirePushedAuthorizationRequests;
 @JsonKey(name: 'grant_types_supported')
 final List? grantTypesSupported;
@@ -83,6 +86,7 @@ class OpenIdConfiguration extends Equatable {
 credentialManifests,
 issuer,
 jwksUri,
+ requirePushedAuthorizationRequests,
 grantTypesSupported,
 ];
 }
diff --git a/packages/oidc4vc/lib/src/oidc4vc.dart b/packages/oidc4vc/lib/src/oidc4vc.dart
index 6b9f249fa..b242912ab 100644
--- a/packages/oidc4vc/lib/src/oidc4vc.dart
+++ b/packages/oidc4vc/lib/src/oidc4vc.dart
@@ -128,8 +128,10 @@ class OIDC4VC {
 /// Received JWT is already filtered on required members
 /// Received JWT keys are already sorted in lexicographic order
- /// authorization endpoint, authorizationRequestParemeters
- Future<(String, Map)> getAuthorizationData({
+ /// authorization endpoint, authorizationRequestParemeters,
+ /// OpenIdConfiguration
+ Future<(String, Map, OpenIdConfiguration)>
+ getAuthorizationData({
 required List selectedCredentials,
 required String? clientId,
 required String? clientSecret,
@@ -185,7 +187,11 @@ class OIDC4VC {
 secureAuthorizedFlow: secureAuthorizedFlow,
 );
- return (authorizationEndpoint, authorizationRequestParemeters);
+ return (
+ authorizationEndpoint,
+ authorizationRequestParemeters,
+ openIdConfiguration,
+ );
 } catch (e) {
 throw Exception('NOT_A_VALID_OPENID_URL');
 }
@@ -335,8 +341,9 @@ class OIDC4VC {
 if (secureAuthorizedFlow) {
 myRequest['client_metadata'] =
 Uri.encodeComponent(jsonEncode(clientMetaData));
- } else {
+ } else if (clientAuthentication != ClientAuthentication.clientSecretJwt) {
 myRequest['client_metadata'] = jsonEncode(clientMetaData);
+ // paramètre config du portail, on ne met pas si : client authentication :
 }
 switch (clientAuthentication) {
 case ClientAuthentication.none:
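Review bot: The doc comment on `getAuthorizationData` is still a bare fragment listing the tuple members, and the new `OpenIdConfiguration` element is not explained even though callers now branch on it. I would replace the two `///` lines with a sentence such as `/// Returns the authorization endpoint, the authorization request parameters and the [OpenIdConfiguration] this method resolved (callers use it to decide whether a pushed authorization request is mandatory).` The method body runs past the end of this hunk.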
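Review bot: The comment added after the `client_metadata` assignment is in French and trails off mid-sentence (`on ne met pas si : client authentication :`), so it documents nothing for the next reader, and the rest of this file comments in English. Since it is meant to explain the branch condition, I would replace it with `// Portal configuration: client_metadata is omitted when the client authenticates with a JWT client assertion (clientSecretJwt).` placed above the `else if` rather than after the assignment. Note also that the omission only applies to the non-`secureAuthorizedFlow` branch — the pushed-request branch above still sends `client_metadata` for clientSecretJwt — so confirm that asymmetry is intentional. The enclosing method extends beyond this hunk on both sides.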
@@ -351,10 +358,13 @@ class OIDC4VC {
 myRequest['client_id'] = clientId;
 case ClientAuthentication.clientSecretJwt:
 myRequest['client_id'] = clientId;
- myRequest['client_assertion'] = clientAssertion;
- myRequest['client_assertion_type'] =
- // ignore: lines_longer_than_80_chars
- 'urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation';
+ if (secureAuthorizedFlow ||
+ openIdConfiguration.requirePushedAuthorizationRequests) {
+ myRequest['client_assertion'] = clientAssertion;
+ myRequest['client_assertion_type'] =
+ // ignore: lines_longer_than_80_chars
+ 'urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation';
+ }
 }
 if (scope) {
diff --git a/packages/oidc4vc/test/src/oidc4vc_test.dart b/packages/oidc4vc/test/src/oidc4vc_test.dart
index 8e932d1dc..82d9dac6b 100644
--- a/packages/oidc4vc/test/src/oidc4vc_test.dart
+++ b/packages/oidc4vc/test/src/oidc4vc_test.dart
@@ -242,7 +242,7 @@ void main() {
 (request) => request.reply(200, jsonDecode(openIdConfiguration)),
 );
- final (authorizationEndpoint, authorizationRequestParemeters) =
+ final (authorizationEndpoint, authorizationRequestParemeters, _) =
 await oidc4vc.getAuthorizationData(
 selectedCredentials: selectedCredentials,
 clientId: clientId,
diff --git a/test/app/shared/helper_functions/helper_functions_test.dart b/test/app/shared/helper_functions/helper_functions_test.dart
index d4b7764b9..cec8dd02a 100644
--- a/test/app/shared/helper_functions/helper_functions_test.dart
+++ b/test/app/shared/helper_functions/helper_functions_test.dart
@@ -449,10 +449,12 @@ void main() {
 () async => handleErrorForOID4VCI(
 url: 'example',
 openIdConfiguration: const OpenIdConfiguration(
+ requirePushedAuthorizationRequests: false,
 authorizationServer: 'example',
 tokenEndpoint: null,
 ),
 authorizationServerConfiguration: const OpenIdConfiguration(
+ requirePushedAuthorizationRequests: false,
 tokenEndpoint: null,
 ),
 ),
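Review bot: The gate for `client_assertion` here, `secureAuthorizedFlow || openIdConfiguration.requirePushedAuthorizationRequests`, does not match the pushed-request decision in get_authorization_uri_for_issuer.dart, where, given the non-nullable `bool` field, only the issuer flag is honoured. In the case `secureAuthorizedFlow == true` with the flag absent, the signed client attestation is therefore added to `myRequest` but the request is not pushed; if those parameters then end up in the front-channel redirect URL (not visible in this diff), the attestation JWT is exposed in browser history, referrers and server logs. Conversely, when neither is set the clientSecretJwt case now sends only `client_id`, i.e. effectively no client authentication, which should at least be documented on the `case`. Define the predicate once, e.g. `final usePushedAuthorization = secureAuthorizedFlow || openIdConfiguration.requirePushedAuthorizationRequests;`, and use it both here and in the caller. The enclosing method starts and ends outside this hunk.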
@@ -471,12 +473,14 @@ void main() {
 () async => handleErrorForOID4VCI(
 url: 'example',
 openIdConfiguration: const OpenIdConfiguration(
+ requirePushedAuthorizationRequests: false,
 authorizationServer: 'example',
 tokenEndpoint: null,
 credentialEndpoint: null,
 ),
 authorizationServerConfiguration: const OpenIdConfiguration(
 tokenEndpoint: 'https://example.com/token',
+ requirePushedAuthorizationRequests: false,
 ),
 ),
 throwsA(
@@ -494,12 +498,14 @@ void main() {
 () async => handleErrorForOID4VCI(
 url: 'example',
 openIdConfiguration: const OpenIdConfiguration(
+ requirePushedAuthorizationRequests: false,
 authorizationServer: 'example',
 tokenEndpoint: null,
 credentialEndpoint: 'https://example.com/cred',
 credentialIssuer: null,
 ),
 authorizationServerConfiguration: const OpenIdConfiguration(
+ requirePushedAuthorizationRequests: false,
 tokenEndpoint: 'https://example.com/token',
 ),
 ),
@@ -520,6 +526,7 @@ void main() {
 () async => handleErrorForOID4VCI(
 url: 'example',
 openIdConfiguration: const OpenIdConfiguration(
+ requirePushedAuthorizationRequests: false,
 authorizationServer: 'example',
 tokenEndpoint: null,
 credentialEndpoint: 'https://example.com/cred',
@@ -528,6 +535,7 @@ void main() {
 credentialConfigurationsSupported: null,
 ),
 authorizationServerConfiguration: const OpenIdConfiguration(
+ requirePushedAuthorizationRequests: false,
 tokenEndpoint: 'https://example.com/token',
 ),
 ),
@@ -548,6 +556,7 @@ void main() {
 () async => handleErrorForOID4VCI(
 url: 'example',
 openIdConfiguration: const OpenIdConfiguration(
+ requirePushedAuthorizationRequests: false,
 authorizationServer: 'example',
 tokenEndpoint: null,
 credentialEndpoint: 'https://example.com/cred',
@@ -557,6 +566,7 @@ void main() {
 subjectSyntaxTypesSupported: ['asd'],
 ),
 authorizationServerConfiguration: const OpenIdConfiguration(
+ requirePushedAuthorizationRequests: false,
 tokenEndpoint: 'https://example.com/token',
 ),
 ),