Package-level declarations

Types

data class IssuanceState(var clientId: String?, val scope: String, var clientAttestationKey: EcPublicKey?, var dpopKey: EcPublicKey?, var redirectUri: String?, var codeChallenge: ByteString?, val configurationId: String?, var clientState: String? = null, var authorized: Boolean? = null, var openid4VpVerifierModel: Openid4VpVerifierModel? = null, var systemOfRecordAuthCode: String? = null, var systemOfRecordCodeVerifier: ByteString? = null, var systemOfRecordAccess: SystemOfRecordAccess? = null, var txCodeSpec: SecretCodeRequest? = null, var txCodeHash: ByteString? = null, val urlSchema: String? = null)

Types of opaque session ids for client-server communication.

class OpenID4VCIRequestError(val code: String, val description: String) : Exception

Represents an error as it is commonly formatted in OpenID specs: error code and description.

data class SystemOfRecordAccess(val accessToken: String, val accessTokenExpiration: Instant, val refreshToken: String?)

Authentication information to access System of Record.

Properties

val AUTHZ_REQ: ContentType

Functions

suspend fun addFreshNonceHeaders(call: ApplicationCall)
suspend fun authorizeWithDpop(request: ApplicationRequest, publicKey: EcPublicKey, clientId: String, accessToken: String?, initial: Boolean = false)

DPoP Authorization validation.

suspend fun codeToId(type: OpaqueIdType, code: String): String

Decodes opaque session id ("code") into server-side id, validating code purpose (type) and expiration time.

suspend fun createSession(request: ApplicationRequest, parameters: Parameters, requireAuthentication: Boolean = true): String

Creates an issuance session based on the given HTTP request and returns a unique id for it.

fun extractAccessToken(request: ApplicationRequest): String

Extracts the access token for a DPoP-protected request.

suspend fun generatePreauthorizedOffer(offerSchema: String, id: String, state: IssuanceState, expiresIn: Duration = 100.days): String
suspend fun getScopeAndCredentialId(parameters: Parameters): Pair<String, String?>
suspend fun idToCode(type: OpaqueIdType, id: String, expiresIn: Duration): String

Creates an opaque session id ("code") that can be safely given to the client. On the server, the session is identified only by its id, which stays the same. When the client references the session, it must not be able to manipulate that reference, so the actual server-side id and a small amount of metadata are encrypted using the server secret key.

fun parseTxKind(txKind: String?, txPrompt: String?): SecretCodeRequest?
fun processInitialDPoP(request: ApplicationRequest): EcPublicKey?

Process the initial DPoP header (that establishes the key for the rest of the session).

suspend fun respondWithNewClientAttestationChallenge(call: ApplicationCall)
suspend fun respondWithNewDPoPNonce(call: ApplicationCall)
suspend fun validateClientAssertion(parameters: Parameters, clientId: String): Boolean

Validates the OAuth client assertion.

suspend fun validateClientAttestation(request: ApplicationRequest, clientId: String): EcPublicKey?

Ensures the OAuth client attestation attached to the given HTTP request is valid.

suspend fun validateClientAttestationPoP(request: ApplicationRequest, clientId: String, attestationKey: EcPublicKey)

Ensures the OAuth client attestation proof-of-possession attached to the given HTTP request is valid.