Implement OIDC4VCI Credential Endpoint

config/config.go

@@ -12,6 +12,7 @@ import (
 	"github.com/joho/godotenv"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/oauth2/clientcredentials"
 )
 
 const (
@@ -35,6 +36,11 @@ type SSIServiceConfig struct {
 	Services ServicesConfig `toml:"services"`
 }
 
+type OIDCConfig struct {
+	IntrospectEndpoint string                   `toml:"introspect_endpoint" conf:"http://authserver/introspect"`
+	ClientCredentials  clientcredentials.Config `toml:"client_credentials"`
+}
+
 // ServerConfig represents configurable properties for the HTTP server
 type ServerConfig struct {
 	APIHost             string        `toml:"api_host" conf:"default:0.0.0.0:3000"`
@@ -48,6 +54,7 @@ type ServerConfig struct {
 	LogLevel            string        `toml:"log_level" conf:"default:debug"`
 	EnableSchemaCaching bool          `toml:"enable_schema_caching" conf:"default:true"`
 	EnableAllowAllCORS  bool          `toml:"enable_allow_all_cors" conf:"default:false"`
+	OIDCConfig          OIDCConfig    `toml:"oidc_config"`
 }
 
 type IssuingServiceConfig struct {
@@ -61,6 +68,10 @@ func (s *IssuingServiceConfig) IsEmpty() bool {
 	return reflect.DeepEqual(s, &IssuingServiceConfig{})
 }
 
+type OIDCCredentialServiceConfig struct {
+	CNonceExpiresIn *time.Duration `toml:"c_nonce_expired_in,omitempty"`
+}
+
 // ServicesConfig represents configurable properties for the components of the SSI Service
 type ServicesConfig struct {
 	// at present, it is assumed that a single storage provider works for all services
@@ -71,14 +82,15 @@ type ServicesConfig struct {
 	ServiceEndpoint string      `toml:"service_endpoint"`
 
 	// Embed all service-specific configs here. The order matters: from which should be instantiated first, to last
-	KeyStoreConfig       KeyStoreServiceConfig     `toml:"keystore,omitempty"`
-	DIDConfig            DIDServiceConfig          `toml:"did,omitempty"`
-	IssuingServiceConfig IssuingServiceConfig      `toml:"issuing,omitempty"`
-	SchemaConfig         SchemaServiceConfig       `toml:"schema,omitempty"`
-	CredentialConfig     CredentialServiceConfig   `toml:"credential,omitempty"`
-	ManifestConfig       ManifestServiceConfig     `toml:"manifest,omitempty"`
-	PresentationConfig   PresentationServiceConfig `toml:"presentation,omitempty"`
-	WebhookConfig        WebhookServiceConfig      `toml:"webhook,omitempty"`
+	KeyStoreConfig       KeyStoreServiceConfig       `toml:"keystore,omitempty"`
+	DIDConfig            DIDServiceConfig            `toml:"did,omitempty"`
+	IssuingServiceConfig IssuingServiceConfig        `toml:"issuing,omitempty"`
+	SchemaConfig         SchemaServiceConfig         `toml:"schema,omitempty"`
+	CredentialConfig     CredentialServiceConfig     `toml:"credential,omitempty"`
+	ManifestConfig       ManifestServiceConfig       `toml:"manifest,omitempty"`
+	PresentationConfig   PresentationServiceConfig   `toml:"presentation,omitempty"`
+	WebhookConfig        WebhookServiceConfig        `toml:"webhook,omitempty"`
+	OIDCCredentialConfig OIDCCredentialServiceConfig `toml:"oidc,omitempty"`
 }
 
 // BaseServiceConfig represents configurable properties for a specific component of the SSI Service
@@ -277,6 +289,7 @@ func loadDefaultServicesConfig(config *SSIServiceConfig) {
 		WebhookConfig: WebhookServiceConfig{
 			BaseServiceConfig: &BaseServiceConfig{Name: "webhook"},
 		},
+		OIDCCredentialConfig: OIDCCredentialServiceConfig{},
 	}
 
 	config.Services = servicesConfig

go.mod

@@ -18,13 +18,15 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/joho/godotenv v1.5.1
 	github.com/lestrrat-go/jwx v1.2.25
+	github.com/lestrrat-go/jwx/v2 v2.0.9
 	github.com/magefile/mage v1.14.0
 	github.com/mr-tron/base58 v1.2.0
 	github.com/multiformats/go-multibase v0.2.0
 	github.com/multiformats/go-varint v0.0.7
 	github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852
 	github.com/ory/fosite v0.44.0
 	github.com/pkg/errors v0.9.1
+	github.com/pquerna/otp v1.4.0
 	github.com/redis/go-redis/extra/redisotel/v9 v9.0.2
 	github.com/redis/go-redis/v9 v9.0.2
 	github.com/rs/cors v1.8.3
@@ -38,6 +40,7 @@ require (
 	go.opentelemetry.io/otel/sdk v1.14.0
 	go.opentelemetry.io/otel/trace v1.14.0
 	golang.org/x/crypto v0.7.0
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	gopkg.in/go-playground/validator.v9 v9.31.0
 )
 
@@ -48,6 +51,7 @@ require (
 	github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
 	github.com/bits-and-blooms/bitset v1.5.0 // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/cristalhq/jwt/v4 v4.0.2 // indirect
 	github.com/dave/jennifer v1.4.0 // indirect
@@ -79,7 +83,6 @@ require (
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/httprc v1.0.4 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
-	github.com/lestrrat-go/jwx/v2 v2.0.9 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/magiconair/properties v1.8.1 // indirect
 	github.com/mattn/goveralls v0.0.6 // indirect
@@ -110,7 +113,6 @@ require (
 	go.opentelemetry.io/otel/metric v0.37.0 // indirect
 	golang.org/x/mod v0.8.0 // indirect
 	golang.org/x/net v0.8.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
 	golang.org/x/sys v0.6.0 // indirect
 	golang.org/x/term v0.6.0 // indirect
 	golang.org/x/text v0.8.0 // indirect

go.sum

@@ -59,6 +59,8 @@ github.com/bits-and-blooms/bitset v1.5.0 h1:NpE8frKRLGHIcEzkR+gZhiioW1+WbYV6fKwD
 github.com/bits-and-blooms/bitset v1.5.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bmatcuk/doublestar/v2 v2.0.3/go.mod h1:QMmcs3H2AUQICWhfzLXz+IYln8lRQmTZRptLie8RgRw=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bsm/ginkgo/v2 v2.5.0 h1:aOAnND1T40wEdAtkGSkvSICWeQ8L3UASX7YVCqQx+eQ=
 github.com/bsm/ginkgo/v2 v2.5.0/go.mod h1:AiKlXPm7ItEHNc/2+OkrNG4E0ITzojb9/xWzvQ9XZ9w=
 github.com/bsm/gomega v1.20.0 h1:JhAwLmtRzXFTx2AkALSLa8ijZafntmhSoU63Ok18Uq8=
@@ -871,6 +873,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc=
 github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
+github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
+github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=

pkg/server/middleware/introspect.go

@@ -0,0 +1,122 @@
+package middleware
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/goccy/go-json"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/tbd54566975/ssi-service/pkg/server/framework"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
+)
+
+type introspecter struct {
+	// Introspection endpoint according to https://www.rfc-editor.org/rfc/rfc7662.
+	endpoint string
+
+	// Config of the client credentials to use for authenticating with Endpoint.
+	conf clientcredentials.Config
+}
+
+func newIntrospect(endpoint string, config clientcredentials.Config) *introspecter {
+	return &introspecter{
+		endpoint: endpoint,
+		conf:     config,
+	}
+}
+
+// Introspect extracts a token from the `Authorization` header, and determines whether it's active by using the
+// Endpoint configured. A `nil` error represents an active token.
+func (s introspecter) introspect(ctx context.Context, req *http.Request) error {
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, http.Client{Transport: otelhttp.NewTransport(http.DefaultTransport)})
+	client := s.conf.Client(ctx)
+	// Send a request to the introspect endpoint to decide whether this is allowed.
+	authHeader := req.Header.Get("Authorization")
+	if !strings.HasPrefix(authHeader, "Bearer ") {
+		return errors.New("no bearer")
+	}
+	token := authHeader[len("Bearer "):]
+
+	body := make(url.Values)
+	body.Set("token", token)
+	introspectionReq, err := http.NewRequestWithContext(ctx, http.MethodPost, s.endpoint, strings.NewReader(body.Encode()))
+	if err != nil {
+		return err
+	}
+	introspectionReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	introspectionResp, err := client.Do(introspectionReq)
+	if err != nil {
+		return err
+	}
+	defer func(body io.ReadCloser) {
+		err := body.Close()
+		if err != nil {
+			logrus.WithError(err).Warn("closing body")
+		}
+	}(introspectionResp.Body)
+
+	if introspectionResp.StatusCode != http.StatusOK {
+		return fmt.Errorf("status does not indicate success: code: %d, body: %v", introspectionResp.StatusCode, introspectionResp.Body)
+	}
+
+	result, err := extractIntrospectResult(introspectionResp.Body)
+	if err != nil {
+		return err
+	}
+	if !result.Active {
+		return errors.New("invalid token")
+	}
+	return nil
+}
+
+func extractIntrospectResult(r io.Reader) (*result, error) {
+	res := result{
+		Optionals: make(map[string]json.RawMessage),
+	}
+
+	if err := json.NewDecoder(r).Decode(&res.Optionals); err != nil {
+		return nil, err
+	}
+
+	if val, ok := res.Optionals["active"]; ok {
+		if err := json.Unmarshal(val, &res.Active); err != nil {
+			return nil, err
+		}
+
+		delete(res.Optionals, "active")
+	}
+
+	return &res, nil
+}
+
+// result is the OAuth2 Introspection Result
+type result struct {
+	Active bool
+
+	Optionals map[string]json.RawMessage
+}
+
+// Introspect creates a middleware which can be used to gate access to protected resources.
+// This middleware works by extracting the token from the `Authorization` header and then sending a request to the
+// introspect endpoint (which should be compliant with https://www.rfc-editor.org/rfc/rfc7662) to obtain the
+// whether the token is active. A `nil` error represents an active token.
+// config represents the client credentials to use for authenticating with the introspect endpoint.
+func Introspect(endpoint string, config clientcredentials.Config) framework.Middleware {
+	intro := newIntrospect(endpoint, config)
+	return func(handler framework.Handler) framework.Handler {
+		return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+			if err := intro.introspect(ctx, r); err != nil {
+				frameworkErr := framework.NewRequestErrorMsg("invalid_token", http.StatusUnauthorized)
+				return framework.RespondError(ctx, w, frameworkErr)
+			}
+			return handler(ctx, w, r)
+		}
+	}
+}

pkg/server/middleware/introspect_test.go

@@ -0,0 +1,93 @@
+package middleware
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/tbd54566975/ssi-service/pkg/testutil"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
+)
+
+func TestIntrospect(t *testing.T) {
+	mockTokenServer := simpleOauthTokenServer()
+	defer mockTokenServer.Close()
+	conf := newConfig(mockTokenServer)
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"active":true}`))
+	}))
+	defer mockServer.Close()
+
+	introspectMiddleware := Introspect(mockServer.URL, conf)
+
+	handlerCalled := false
+	handler := introspectMiddleware(func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+		handlerCalled = true
+		return nil
+	})
+	req := httptest.NewRequest(http.MethodPost, "/some_protected_url", strings.NewReader(""))
+	req.Header.Set("Authorization", "Bearer my-awesome-token")
+	require.NoError(t, handler(context.Background(), httptest.NewRecorder(), req))
+	require.True(t, handlerCalled)
+}
+
+func TestIntrospectReturnsError(t *testing.T) {
+	mockTokenServer := simpleOauthTokenServer()
+	defer mockTokenServer.Close()
+	conf := newConfig(mockTokenServer)
+
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"active":false}`))
+	}))
+	defer mockServer.Close()
+
+	introspectMiddleware := Introspect(mockServer.URL, conf)
+
+	handler := introspectMiddleware(noOpHandler)
+	req := httptest.NewRequest(http.MethodPost, "/some_protected_url", strings.NewReader(""))
+	req.Header.Set("Authorization", "Bearer my-awesome-token")
+	w := httptest.NewRecorder()
+	err := handler(testutil.NewRequestContext(), w, req)
+	require.NoError(t, err)
+	assertCredentialErrorResponseEquals(t, w, `{"error":"invalid_token"}`)
+}
+
+func assertCredentialErrorResponseEquals(t *testing.T, w *httptest.ResponseRecorder, s string) {
+	respBody, err := io.ReadAll(w.Body)
+	require.NoError(t, err)
+	require.JSONEq(t, s, string(respBody))
+}
+
+func noOpHandler(context.Context, http.ResponseWriter, *http.Request) error {
+	return nil
+}
+
+func simpleOauthTokenServer() *httptest.Server {
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
+		values := url.Values{}
+		values.Set("access_token", "my-client-token")
+		_, _ = w.Write([]byte(values.Encode()))
+	}))
+}
+
+func newConfig(mockTokenServer *httptest.Server) clientcredentials.Config {
+	conf := clientcredentials.Config{
+		ClientID:       "my-test-client",
+		ClientSecret:   "",
+		TokenURL:       mockTokenServer.URL,
+		Scopes:         []string{"notsurewhatscope"},
+		EndpointParams: nil,
+		AuthStyle:      oauth2.AuthStyleInHeader,
+	}
+	return conf
+}