Initial access token support

Author: cicnavi

config/module_oidc.php.dist

@@ -1037,10 +1037,27 @@ $config = [
 
     /**
      * (optional) Enable or disable API capabilities. Default is disabled
-     * (false).
+     * (false). If API capabilities are enabled, you can enable or disable
+     * specific API endpoints as needed and set up API tokens to allow
+     * access to those endpoints. If API capabilities are disabled, all API
+     * endpoints will be inaccessible regardless of the settings for
+     * specific endpoints and API tokens.
+     *
      */
     ModuleConfig::OPTION_API_ENABLED => false,
 
+    /**
+     * (optional) API Enable VCI Credential Offer API endpoint. Default is
+     * disabled (false). Only relevant if API capabilities are enabled.
+     */
+    ModuleConfig::OPTION_API_VCI_CREDENTIAL_OFFER_ENDPOINT_ENABLED => false,
+
+    /**
+     * (optional) API Enable OAuth2 Token Introspection API endpoint. Default
+     * is disabled (false). Only relevant if API capabilities are enabled.
+     */
+    ModuleConfig::OPTION_API_OAUTH2_TOKEN_INTROSPECTION_ENDPOINT_ENABLED => false,
+
     /**
      * List of API tokens which can be used to access API endpoints based on
      * given scopes. The format is: ['token' => [ApiScopesEnum]]
@@ -1050,6 +1067,11 @@ $config = [
 //            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::All, // Gives access to the whole API.
 //            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::VciAll, // Gives access to all VCI-related endpoints.
 //            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::VciCredentialOffer, // Gives access to the credential offer endpoint.
+//        ],
+//        'strong-random-token-string-2' => [
+//            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::All, // Gives access to the whole API.
+//            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::OAuth2All, // Gives access to all OAuth2-related endpoints.
+//            \SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum::OAuth2TokenIntrospection, // Gives access to the token introspection endpoint.
 //        ],
     ],
 ];

routing/routes/routes.php

@@ -19,7 +19,7 @@
 use SimpleSAML\Module\oidc\Controllers\Federation\EntityStatementController;
 use SimpleSAML\Module\oidc\Controllers\JwksController;
 use SimpleSAML\Module\oidc\Controllers\OAuth2\OAuth2ServerConfigurationController;
-use SimpleSAML\Module\oidc\Controllers\TokenIntrospectionController;
+use SimpleSAML\Module\oidc\Controllers\OAuth2\TokenIntrospectionController;
 use SimpleSAML\Module\oidc\Controllers\UserInfoController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerConfigurationController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerCredentialController;
@@ -105,8 +105,6 @@
 
     $routes->add(RoutesEnum::OAuth2Configuration->name, RoutesEnum::OAuth2Configuration->value)
         ->controller(OAuth2ServerConfigurationController::class);
-    $routes->add(RoutesEnum::TokenIntrospection->name, RoutesEnum::TokenIntrospection->value)
-        ->controller(TokenIntrospectionController::class);
 
     /*****************************************************************************************************************
      * OpenID Federation
@@ -145,4 +143,10 @@
         RoutesEnum::ApiVciCredentialOffer->value,
     )->controller([VciCredentialOfferApiController::class, 'credentialOffer'])
         ->methods([HttpMethodsEnum::POST->value]);
+
+    $routes->add(
+        RoutesEnum::ApiOAuth2TokenIntrospection->name,
+        RoutesEnum::ApiOAuth2TokenIntrospection->value,
+    )->controller(TokenIntrospectionController::class)
+        ->methods([HttpMethodsEnum::POST->value]);
 };

routing/services/services.yml

@@ -97,6 +97,7 @@ services:
   SimpleSAML\Module\oidc\Utils\ClassInstanceBuilder: ~
   SimpleSAML\Module\oidc\Utils\JwksResolver: ~
   SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor:
+  SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver:
     factory: ['@SimpleSAML\Module\oidc\Factories\ClaimTranslatorExtractorFactory', 'build']
   SimpleSAML\Module\oidc\Utils\FederationCache:
     factory: ['@SimpleSAML\Module\oidc\Factories\CacheFactory', 'forFederation'] # Can return null

src/Codebooks/ApiScopesEnum.php

@@ -11,4 +11,8 @@ enum ApiScopesEnum: string
     // Verifiable Credential Issuance related scopes.
     case VciAll = 'vci_all'; // Gives access to all VCI-related endpoints.
     case VciCredentialOffer = 'vci_credential_offer'; // Gives access to the credential offer endpoint.
+
+    // OAuth2 related scopes.
+    case OAuth2All = 'oauth2_all'; // Gives access to all OAuth2-related endpoints.
+    case OAuth2TokenIntrospection = 'oauth2_token_introspection'; // Gives access to the token introspection endpoint.
 }

src/Codebooks/RoutesEnum.php

@@ -42,8 +42,6 @@ enum RoutesEnum: string
     case Jwks = 'jwks';
     case EndSession = 'end-session';
 
-    case TokenIntrospection = 'introspect';
-
     /*****************************************************************************************************************
      * OAuth 2.0 Authorization Server
      ****************************************************************************************************************/
@@ -77,4 +75,5 @@ enum RoutesEnum: string
      ****************************************************************************************************************/
 
     case ApiVciCredentialOffer = 'api/vci/credential-offer';
+    case ApiOAuth2TokenIntrospection = 'api/oauth2/token-introspection';
 }

src/Controllers/Api/VciCredentialOfferApiController.php

@@ -40,9 +40,15 @@ public function __construct(
     }
 
     /**
+     * @throws OidcServerException
      */
     public function credentialOffer(Request $request): Response
     {
+        if (!$this->moduleConfig->getApiVciCredentialOfferEndpointEnabled()) {
+            $this->loggerService->warning('Credential Offer API endpoint not enabled.');
+            throw OidcServerException::forbidden('Credential Offer API endpoint not enabled.');
+        }
+
         $this->loggerService->debug('VciCredentialOfferApiController::credentialOffer');
 
         $this->loggerService->debug(

src/Controllers/OAuth2/TokenIntrospectionController.php

@@ -0,0 +1,156 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Controllers\OAuth2;
+
+use SimpleSAML\Module\oidc\Codebooks\ApiScopesEnum;
+use SimpleSAML\Module\oidc\Exceptions\AuthorizationException;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Server\Validators\BearerTokenValidator;
+use SimpleSAML\Module\oidc\Services\Api\Authorization;
+use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver;
+use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
+use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\Module\oidc\ValueAbstracts\ResolvedClientAuthenticationMethod;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
+use SimpleSAML\OpenID\Codebooks\ParamsEnum;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class TokenIntrospectionController
+{
+    /**
+     * @throws OidcServerException
+     */
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly AuthenticatedOAuth2ClientResolver $authenticatedOAuth2ClientResolver,
+        protected readonly Routes $routes,
+        protected readonly LoggerService $loggerService,
+        protected readonly Authorization $apiAuthorization,
+        protected readonly RequestParamsResolver $requestParamsResolver,
+        protected readonly BearerTokenValidator $bearerTokenValidator,
+    ) {
+        if (!$this->moduleConfig->getApiEnabled()) {
+            $this->loggerService->warning('API capabilities not enabled.');
+            throw OidcServerException::forbidden('API capabilities not enabled.');
+        }
+
+        if (!$this->moduleConfig->getApiOAuth2TokenIntrospectionEndpointEnabled()) {
+            $this->loggerService->warning('OAuth2 Token Introspection API endpoint not enabled.');
+            throw OidcServerException::forbidden('OAuth2 Token Introspection API endpoint not enabled.');
+        }
+    }
+
+    public function __invoke(Request $request): Response
+    {
+        // TODO mivanci Add support for Refresh Tokens.
+        // TODO mivanci Add endpoint to OAuth2 discovery document.
+
+        try {
+            $this->ensureAuthenticatedClient($request);
+        } catch (AuthorizationException $e) {
+            $this->loggerService->error(
+                'TokenIntrospectionController::invoke: AuthorizationException: ' . $e->getMessage(),
+            );
+            return $this->routes->newJsonErrorResponse(
+                error: 'unauthorized',
+                description: $e->getMessage(),
+                httpCode: Response::HTTP_UNAUTHORIZED,
+            );
+        }
+
+        $allowedMethods = [HttpMethodsEnum::POST];
+
+        $tokenParam = $this->requestParamsResolver->getFromRequestBasedOnAllowedMethods(
+            ParamsEnum::Token->value,
+            $request,
+            $allowedMethods,
+        );
+
+        if (!$tokenParam) {
+            return $this->routes->newJsonErrorResponse(
+                error: 'invalid_request',
+                description: 'Missing token parameter.',
+                httpCode: Response::HTTP_BAD_REQUEST,
+            );
+        }
+
+        // For now, we will only support Access Tokens.
+//        $tokenTypeHintParam = $this->requestParamsResolver->getFromRequestBasedOnAllowedMethods(
+//            ParamsEnum::TokenTypeHint->value,
+//            $request,
+//            $allowedMethods,
+//        );
+
+        try {
+            $accessToken = $this->bearerTokenValidator->ensureValidAccessToken($tokenParam);
+        } catch (\Throwable $e) {
+            $this->loggerService->error('Token validation failed: ' . $e->getMessage());
+            return $this->routes->newJsonResponse(['active' => false]);
+        }
+        $scopeClaim = null;
+        /** @psalm-suppress MixedAssignment */
+        $accessTokenScopes = $accessToken->getPayloadClaim('scopes');
+        if (is_array($accessTokenScopes)) {
+            $accessTokenScopes = array_filter(
+                $accessTokenScopes,
+                static fn($scope) => is_string($scope) && !empty($scope),
+            );
+            $scopeClaim = implode(' ', $accessTokenScopes);
+        }
+
+        $audience = is_array($audience = $accessToken->getAudience()) ? $audience[0] ?? null : null;
+
+        $payload = array_filter([
+            'active' => true,
+            'scope' => $scopeClaim,
+            'token_type' => 'Bearer',
+            ClaimsEnum::Exp->value => $accessToken->getExpirationTime(),
+            ClaimsEnum::Iat->value => $accessToken->getIssuedAt(),
+            ClaimsEnum::Nbf->value => $accessToken->getNotBefore(),
+            ClaimsEnum::Sub->value => $accessToken->getSubject(),
+            ClaimsEnum::Aud->value => $audience,
+            ClaimsEnum::Iss->value => $accessToken->getIssuer(),
+            ClaimsEnum::Jti->value => $accessToken->getJwtId(),
+        ]);
+
+        return $this->routes->newJsonResponse($payload);
+    }
+
+    /**
+     * @throws AuthorizationException
+     */
+    protected function ensureAuthenticatedClient(Request $request): void
+    {
+        $this->loggerService->debug('TokenIntrospectionController::ensureAuthenticatedClient - start');
+        $this->loggerService->debug('Trying supported OAuth2 client authentication methods.');
+
+        // First, try regular OAuth2 client authentication methods.
+        $resolvedClientAuthenticationMethod = $this->authenticatedOAuth2ClientResolver->forAnySupportedMethod($request);
+
+        if (
+            $resolvedClientAuthenticationMethod instanceof ResolvedClientAuthenticationMethod &&
+            $resolvedClientAuthenticationMethod->getClientAuthenticationMethod()->isNotNone()
+        ) {
+            $this->loggerService->debug(
+                'Client authenticated using supported OAuth2 client authentication method: ' .
+                $resolvedClientAuthenticationMethod->getClientAuthenticationMethod()->value,
+            );
+            return;
+        }
+
+        $this->loggerService->debug('No regular OAuth2 client authentication method found.');
+        $this->loggerService->debug('Trying API client authentication method.');
+
+
+        $this->apiAuthorization->requireTokenForAnyOfScope(
+            $request,
+            [ApiScopesEnum::OAuth2TokenIntrospection, ApiScopesEnum::OAuth2All, ApiScopesEnum::All],
+        );
+    }
+}