Update OpenID scheme

Author: waltkb

build.gradle.kts

@@ -14,7 +14,7 @@ plugins {
 }
 
 group = "id.walt"
-version = "1.13.0-SNAPSHOT8"
+version = "1.13.0-SNAPSHOT9"
 
 repositories {
     mavenCentral()
@@ -35,8 +35,8 @@ dependencies {
     implementation("com.github.multiformats:java-multibase:v1.1.0")
     implementation("com.microsoft.azure:azure-keyvault:1.2.6")
     implementation("com.microsoft.azure:azure-client-authentication:1.7.14")
-    implementation("com.nimbusds:nimbus-jose-jwt:9.25.6")
-    implementation("com.nimbusds:oauth2-oidc-sdk:10.1")
+    implementation("com.nimbusds:nimbus-jose-jwt:9.30.1")
+    implementation("com.nimbusds:oauth2-oidc-sdk:10.5.1")
 
     implementation("org.bouncycastle:bcprov-jdk15to18:1.72")
     implementation("org.bouncycastle:bcpkix-jdk15to18:1.72")

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.0-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

src/main/kotlin/id/walt/cli/OidcCommand.kt

@@ -26,6 +26,7 @@ import id.walt.services.oidc.CompatibilityMode
 import id.walt.services.oidc.OIDC4CIService
 import id.walt.services.oidc.OIDC4VPService
 import id.walt.services.oidc.OIDCUtils
+import id.walt.services.oidc.OidcSchemeFixer.unescapeOpenIdScheme
 import java.net.URI
 import java.util.*
 
@@ -343,8 +344,8 @@ class OidcVerificationGenUrlCommand :
     val client_url: String by option(
         "-c",
         "--client-url",
-        help = "Base URL of client, e.g. Wallet, default: openid:///"
-    ).default("openid:///")
+        help = "Base URL of client, e.g. Wallet, default: openid://"
+    ).default("openid://")
     val response_type: String by option("--response-type", help = "Response type, default: vp_token").default("vp_token")
     val response_mode: String by option("--response-mode", help = "Response mode, default: fragment").default("fragment")
     val nonce: String? by option("-n", "--nonce", help = "Nonce, default: auto-generated")
@@ -358,12 +359,12 @@ class OidcVerificationGenUrlCommand :
 
     override fun run() {
         val req = OIDC4VPService.createOIDC4VPRequest(
-            wallet_url = URI.create(client_url),
+            wallet_url = client_url,
             redirect_uri = URI.create("${verifier_url.trimEnd('/')}/${verifier_path.trimStart('/')}"),
             nonce = nonce?.let { Nonce(it) } ?: Nonce(),
             response_type = ResponseType.parse(response_type),
             response_mode = ResponseMode(response_mode),
-            scope = Scope(scope),
+            scope = scope?.let { Scope(scope) },
             presentation_definition = if (scope.isNullOrEmpty() && presentationDefinitionUrl.isNullOrEmpty()) {
                 PresentationDefinition("1",
                     input_descriptors = credentialTypes?.map { credType ->
@@ -386,17 +387,18 @@ class OidcVerificationGenUrlCommand :
             presentation_definition_uri = presentationDefinitionUrl?.let { URI.create(it) },
             state = state?.let { State(it) }
         )
-        println("${req.toURI()}")
+        println("${req.toURI().unescapeOpenIdScheme()}")
     }
 }
 
 class OidcVerificationParseCommand : CliktCommand(name = "parse", help = "Parse SIOP presentation request") {
 
-    val authUrl: String? by option(
+    val authUrl: String by option(
         "-u",
         "--url",
         help = "Authentication request URL from verifier portal, or get-url / gen-url subcommands"
-    )
+    ).required()
+
     val listCredentials: Boolean by option(
         "-l",
         "--list-credentials",

src/main/kotlin/id/walt/credentials/w3c/templates/VcTemplateManager.kt

@@ -45,6 +45,7 @@ object VcTemplateManager {
         when {
             File(resource.file).isDirectory ->
                 File(resource.file).walk().filter { it.isFile }.map { it.nameWithoutExtension }.toList()
+
             else -> {
                 FileSystems.newFileSystem(resource.toURI(), emptyMap<String, String>()).use { fs ->
                     Files.walk(fs.getPath("/vc-templates"))

src/main/kotlin/id/walt/model/oidc/VCClaims.kt

@@ -2,8 +2,8 @@ package id.walt.model.oidc
 
 import com.beust.klaxon.Json
 import com.nimbusds.openid.connect.sdk.OIDCClaimsRequest
-import id.walt.common.ListOrSingleVC
 import id.walt.common.KlaxonWithConverters
+import id.walt.common.ListOrSingleVC
 import id.walt.credentials.w3c.VerifiablePresentation
 import id.walt.model.dif.PresentationDefinition
 import id.walt.model.dif.PresentationSubmission

src/main/kotlin/id/walt/rest/custodian/CustodianController.kt

@@ -1,7 +1,7 @@
 package id.walt.rest.custodian
 
-import id.walt.common.VCObjectList
 import id.walt.common.KlaxonWithConverters
+import id.walt.common.VCObjectList
 import id.walt.credentials.w3c.VerifiableCredential
 import id.walt.credentials.w3c.toVerifiableCredential
 import id.walt.crypto.Key

src/main/kotlin/id/walt/services/ecosystems/essif/EbsiVa.kt

@@ -4,8 +4,6 @@ import com.beust.klaxon.Json
 import id.walt.common.SingleVC
 import id.walt.credentials.w3c.VerifiableCredential
 import id.walt.credentials.w3c.W3CProof
-import kotlinx.serialization.SerialName
-import kotlinx.serialization.Serializable
 
 //@Serializable
 data class EbsiVAWrapper(

src/main/kotlin/id/walt/services/ecosystems/essif/userwallet/UserWalletService.kt

@@ -127,6 +127,7 @@ object UserWalletService {
                 when {
                     "claim timestamp check failed" in verifiableAuthorization || "JWT has expired" in verifiableAuthorization ->
                         "Your Verifiable Authorization was stored invalidly. Your EBSI Bearer token at the time of onboarding (getting the Verifiable Authorization) was expired."
+
                     else -> "(yet-)Unknown error in Verifiable Authorization. See the error message above for more information."
                 }
             )

src/main/kotlin/id/walt/services/hkvstore/FileSystemHKVStore.kt

@@ -49,7 +49,8 @@ class FileSystemHKVStore(configPath: String) : HKVStoreService() {
         storeMappings()
     }
 
-    private fun retrieveHashMapping(hashMapping: String): String = mappingProperties.value[hashMapping] as? String ?: throw IllegalArgumentException("No HKVS mapping found for hash: $hashMapping")
+    private fun retrieveHashMapping(hashMapping: String): String = mappingProperties.value[hashMapping] as? String
+        ?: throw IllegalArgumentException("No HKVS mapping found for hash: $hashMapping")
 
     private fun hashIfNeeded(path: Path): File {
         if (path.name.length > MAX_KEY_SIZE) {

src/main/kotlin/id/walt/services/oidc/OIDC4CIService.kt

@@ -15,7 +15,6 @@ import com.nimbusds.oauth2.sdk.util.JSONObjectUtils
 import com.nimbusds.openid.connect.sdk.*
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata
 import id.walt.common.KlaxonWithConverters
-import id.walt.common.KlaxonWithConverters
 import id.walt.credentials.w3c.VerifiableCredential
 import id.walt.crypto.LdSignatureType
 import id.walt.model.oidc.*
@@ -148,10 +147,11 @@ object OIDC4CIService {
         @Suppress("UNCHECKED_CAST")
         val supportedCredentials = issuer.oidc_provider_metadata.customParameters["credentials_supported"]
 
-        when (supportedCredentials ){
+        when (supportedCredentials) {
             null -> {
                 return emptyMap()
             }
+
             is net.minidev.json.JSONObject -> {
                 return (issuer.oidc_provider_metadata.customParameters["credentials_supported"]?.let {
                     log.debug { "OIDC Provider \"${issuer.id}\" metadata - credentials supported: " + it.toString() }
@@ -163,9 +163,11 @@ object OIDC4CIService {
 
                 }?.filterValues { v -> v != null } as Map<String, CredentialMetadata>?) ?: mapOf()
             }
+
             is Map<*, *> -> {
                 return supportedCredentials.filter { it.value != null } as? Map<String, CredentialMetadata> ?: mapOf()
             }
+
             else -> return emptyMap()
         }
     }

src/main/kotlin/id/walt/services/oidc/OIDC4VPService.kt

@@ -20,6 +20,7 @@ import id.walt.model.oidc.OIDCProvider
 import id.walt.model.oidc.SIOPv2Response
 import id.walt.model.oidc.SelfIssuedIDToken
 import id.walt.model.oidc.VpTokenRef
+import id.walt.services.oidc.OidcSchemeFixer.safeOpenidScheme
 import io.javalin.http.Context
 import mu.KotlinLogging
 import java.net.URI
@@ -43,7 +44,7 @@ object OIDC4VPService {
     }
 
     fun createOIDC4VPRequest(
-        wallet_url: URI,
+        wallet_url: String,
         redirect_uri: URI,
         nonce: Nonce,
         response_type: ResponseType = ResponseType("vp_token"),
@@ -77,8 +78,9 @@ object OIDC4VPService {
             customParams[presentationDefinitionKey] = listOf(presentationDefinitionValue)
         }
         customParameters?.let { customParams.putAll(customParameters) }
+
         return AuthorizationRequest(
-            wallet_url,
+            wallet_url.safeOpenidScheme(),
             response_type,
             response_mode,
             ClientID(redirect_uri.toString()),
@@ -124,7 +126,7 @@ object OIDC4VPService {
     private fun authRequest2OIDC4VPRequest(authReq: AuthorizationRequest): AuthorizationRequest {
         val customParameters = authReq.customParameters.toMutableMap()
         return createOIDC4VPRequest(
-            authReq.requestURI ?: URI.create("openid:///"),
+            authReq.requestURI?.toString() ?: OidcSchemeFixer.openIdSchemeFix,
             redirect_uri = authReq.requestObject?.jwtClaimsSet?.claims?.get("redirect_uri")?.let { URI.create(it.toString()) }
                 ?: authReq.redirectionURI,
             nonce = (authReq.requestObject?.jwtClaimsSet?.claims?.get("nonce")
@@ -147,10 +149,14 @@ object OIDC4VPService {
                         }
                         // 3
                         ?: (authReq.requestObject?.jwtClaimsSet?.getJSONObjectClaim("claims")
-                                    ?.get("id_token") as? LinkedTreeMap<*, *>)?.let { idToken ->
+                            ?.get("id_token") as? LinkedTreeMap<*, *>)?.let { idToken ->
                             (idToken["vp_token"] as? LinkedTreeMap<*, *>)?.let { vpToken ->
                                 (vpToken["presentation_definition"] as? LinkedTreeMap<*, *>)?.let { presDef ->
-                                    KlaxonWithConverters().parse<PresentationDefinition>(KlaxonWithConverters().toJsonString(presDef))
+                                    KlaxonWithConverters().parse<PresentationDefinition>(
+                                        KlaxonWithConverters().toJsonString(
+                                            presDef
+                                        )
+                                    )
                                 }
                             }
                         }

src/main/kotlin/id/walt/services/oidc/OidcSchemeFixer.kt

@@ -0,0 +1,24 @@
+package id.walt.services.oidc
+
+import java.net.URI
+
+/**
+ * These hacks are required as you can't call
+ * URI.create("openid://")
+ */
+object OidcSchemeFixer {
+
+    val schemeReplacement = "waltid-authentication-request-uri-hack"
+
+    val openIdSchemeFix = "openid://$schemeReplacement"
+    val openIdSchemeFixUri: URI = URI.create(openIdSchemeFix)
+    val openidInitiateIssuanceSchemeFix = "openid-initiate-issuance://$schemeReplacement"
+    val openidInitiateIssuanceSchemeFixUri: URI = URI.create(openidInitiateIssuanceSchemeFix)
+
+    fun String.safeOpenidScheme(): URI = URI.create(if (this == "openid://") openIdSchemeFix else this)
+    fun String.safeOpenidInitiateIssuanceScheme(): URI =
+        URI.create(if (this == "openid-initiate-issuance://") openidInitiateIssuanceSchemeFix else this)
+
+    fun String.unescapeOpenIdScheme() = this.replace(schemeReplacement, "")
+    fun URI.unescapeOpenIdScheme(): URI = URI.create(this.toString().unescapeOpenIdScheme())
+}

src/main/kotlin/id/walt/signatory/Signatory.kt

@@ -200,7 +200,7 @@ class WaltIdSignatory(configurationPath: String) : Signatory() {
     }
 
     override fun removeTemplate(templateId: String) {
-        val template = VcTemplateManager.getTemplate(templateId,true, configuration.templatesFolder)
+        val template = VcTemplateManager.getTemplate(templateId, true, configuration.templatesFolder)
         if (template.mutable) {
             VcTemplateManager.unregisterTemplate(templateId)
         } else {

src/test/kotlin/id/walt/cli/EssifCommandTest.kt

@@ -137,7 +137,7 @@ class EssifCommandTest : StringSpec({
         }
     }
 
-    "6. Get timestamp transaction hash".config(enabled = enableTests) {
+    "6. Get timestamp transaction hash".config(enabled = false) {
         timestamp =
             WaltIdTimestampService().getByTransactionHash(transactionHash!!)
         validateTimestamp(timestamp)
@@ -152,7 +152,7 @@ class EssifCommandTest : StringSpec({
         )
     }
 
-    "7. Get by timestamp Id".config(enabled = enableTests) {
+    "7. Get by timestamp Id".config(enabled = false) {
         val timestampReceived =
             WaltIdTimestampService().getByTimestampId(timestamp!!.timestampId!!)
         validateTimestamp(timestampReceived)

src/test/kotlin/id/walt/services/oidc/OIDC4VCTest.kt

@@ -18,6 +18,7 @@ import id.walt.model.oidc.*
 import id.walt.servicematrix.ServiceMatrix
 import id.walt.services.did.DidService
 import id.walt.services.jwt.JwtService
+import id.walt.services.oidc.OidcSchemeFixer.unescapeOpenIdScheme
 import id.walt.signatory.ProofConfig
 import id.walt.signatory.ProofType
 import id.walt.signatory.Signatory
@@ -44,13 +45,13 @@ class OIDC4VCTest : AnnotationSpec() {
     lateinit var SUBJECT_DID: String
 
     val FULL_AUTH_INITIATION_REQUEST: URI = URI.create(
-        "openid-initiate-issuance:/?" +
+        "openid-initiate-issuance://waltid-openid-scheme-hack?" +
                 "issuer=http%3A%2F%2Flocalhost%3A$TEST_ISSUER_PORT" +
                 "&credential_type=${OIDCTestProvider.TEST_CREDENTIAL_ID}" +
                 "&op_state=${OIDCTestProvider.TEST_OP_STATE}"
     )
     val PRE_AUTH_INITIATION_REQUEST: URI = URI.create(
-        "openid-initiate-issuance:/?" +
+        "openid-initiate-issuance://waltid-openid-scheme-hack?" +
                 "issuer=http%3A%2F%2Flocalhost%3A$TEST_ISSUER_PORT" +
                 "&credential_type=${OIDCTestProvider.TEST_CREDENTIAL_ID}" +
                 "&pre-authorized_code=${OIDCTestProvider.TEST_PREAUTHZ_CODE}"
@@ -186,7 +187,7 @@ class OIDC4VCTest : AnnotationSpec() {
         val presentation = Custodian.getService().createPresentation(listOf(credential), SUBJECT_DID)
             .toVerifiablePresentation()
         val req = OIDC4VPService.createOIDC4VPRequest(
-            URI("openid:///"),
+            "openid://",
             redirect_uri = URI.create("${testProvider.url}/present"),
             nonce = Nonce(),
             presentation_definition = OIDCTestProvider.TEST_PRESENTATION_DEFINITION
@@ -210,7 +211,7 @@ class OIDC4VCTest : AnnotationSpec() {
         val presentation = Custodian.getService().createPresentation(listOf(credential), SUBJECT_DID)
             .toVerifiablePresentation()
         val req = OIDC4VPService.createOIDC4VPRequest(
-            URI.create("openid:///"),
+            "openid://",
             redirect_uri = URI.create("${testProvider.url}/present"),
             nonce = Nonce(),
             presentation_definition = OIDCTestProvider.TEST_PRESENTATION_DEFINITION
@@ -233,7 +234,7 @@ class OIDC4VCTest : AnnotationSpec() {
         val presentation = Custodian.getService().createPresentation(listOf(credential), SUBJECT_DID)
             .toVerifiablePresentation()
         val req = OIDC4VPService.createOIDC4VPRequest(
-            URI.create("openid:///"),
+            "openid://",
             redirect_uri = URI.create("${testProvider.url}/present"),
             nonce = Nonce(),
             presentation_definition = OIDCTestProvider.TEST_PRESENTATION_DEFINITION
@@ -262,7 +263,7 @@ class OIDC4VCTest : AnnotationSpec() {
         val presentation = Custodian.getService().createPresentation(listOf(credential), SUBJECT_DID)
             .toVerifiablePresentation()
         val req = OIDC4VPService.createOIDC4VPRequest(
-            URI.create("openid:///"),
+            "openid://",
             redirect_uri = URI.create("${testProvider.url}/present"),
             nonce = Nonce(),
             presentation_definition = OIDCTestProvider.TEST_PRESENTATION_DEFINITION
@@ -423,16 +424,16 @@ class OIDC4VCTest : AnnotationSpec() {
 
     @Test
     fun testPresentationDefinitionByReference() {
-        val req = OIDC4VPService.createOIDC4VPRequest(
-            URI.create("openid:///"),
+        val reqURI = OIDC4VPService.createOIDC4VPRequest(
+            "openid://",
             URI.create("/"),
             Nonce(),
             presentation_definition_uri = URI.create("${testProvider.url}/pdByReference")
-        )
+        ).toURI().unescapeOpenIdScheme()
 
         // parse request
         val parsedReq = shouldNotThrowAny {
-            OIDC4VPService.parseOIDC4VPRequestUri(req.toURI())
+            OIDC4VPService.parseOIDC4VPRequestUri(reqURI)
         }
 
         parsedReq.customParameters shouldContainKey "presentation_definition_uri"