From 510b68f46c59e0847ba9689a2148bbf85057485d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emiliano=20Su=C3=B1=C3=A9?=
Date: Fri, 22 Mar 2024 11:59:20 -0700
Subject: [PATCH] Fix OOB proof-request generation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Emiliano Suñé
---
 docker/docker-compose.yaml | 1 +
 docker/manage | 6 +++---
 docs/ConfigurationGuide.md | 31 ++++++++++++++---------------
 oidc-controller/api/core/config.py | 19 ++++++++++++------
 4 files changed, 31 insertions(+), 26 deletions(-)

diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
index 5a047463..7aa2d0a6 100644
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@@ -33,6 +33,7 @@ services:
 - ST_ACAPY_ADMIN_API_KEY=${AGENT_ADMIN_API_KEY}
 - ST_ACAPY_ADMIN_API_KEY_NAME=${ST_ACAPY_ADMIN_API_KEY_NAME}
 - USE_OOB_PRESENT_PROOF=${USE_OOB_PRESENT_PROOF}
+ - USE_OOB_LOCAL_DID_SERVICE=${USE_OOB_LOCAL_DID_SERVICE}
 ports:
 - ${CONTROLLER_SERVICE_PORT}:5000
 - 5678:5678
diff --git a/docker/manage b/docker/manage
index fbbe8f9a..d37e8fbe 100755
--- a/docker/manage
+++ b/docker/manage
@@ -173,9 +173,9 @@ configureEnvironment() {
 export CONTROLLER_PRESENTATION_EXPIRE_TIME=10
 #controller app settings
- export SET_NON_REVOKED="True" # both work
- export USE_OOB_PRESENT_PROOF="False" #BC wallet kinda supports true.
- export USE_OOB_LOCAL_DID_SERVICE="False" #bc wallet does not support true
+ export SET_NON_REVOKED="True"
+ export USE_OOB_PRESENT_PROOF=${USE_OOB_PRESENT_PROOF:-"True"}
+ export USE_OOB_LOCAL_DID_SERVICE=${USE_OOB_LOCAL_DID_SERVICE:-"True"}
 # agent
 export AGENT_TENANT_MODE="${AGENT_TENANT_MODE:-single}"
diff --git a/docs/ConfigurationGuide.md b/docs/ConfigurationGuide.md
index 31664121..7378e7d3 100644
--- a/docs/ConfigurationGuide.md
+++ b/docs/ConfigurationGuide.md
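Review bot: The new fallback `${USE_OOB_PRESENT_PROOF:-"True"}` in the manage hunk disagrees with the controller code in this same patch, which still resolves an unset variable to `False` (`os.environ.get("USE_OOB_PRESENT_PROOF", False)` in config.py), so a deployment brought up through docker/manage and one that runs the controller directly now produce different proof-request formats out of the box. The configuration guide's NOTES column records that with OOB enabled several wallets read the QR code as 'Invalid', so turning it on by default in the script is a user-visible behaviour change that the commit message does not mention. If True is the intended default, align the code fallback as well (`os.environ.get("USE_OOB_PRESENT_PROOF", True)`) and say so in the guide; otherwise keep the script at `"False"`. The removed inline comments were the only place the wallet-compatibility caveat lived in the script, so consider restoring a one-line pointer such as `# see docs/ConfigurationGuide.md for wallet support of OOB mode`. configureEnvironment() continues past the end of the hunk.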
@@ -7,10 +7,10 @@ The first step is to add VC Authn as a new Identity Provider for our AIM system. The following instructions are built for Keycloak, but should be applicable for any AIM that supports Open ID Connect. 1. Click on the **Identity Providers** tab and select **Open ID Connect v1.0** from the **User-defined** section. -![vc-authn-oidc-flow](img/01-new-idp.png) + ![vc-authn-oidc-flow](img/01-new-idp.png) 2. In the next page, select an alias and a display name for your Idp. The alias will be used to generate a unique URL corresponding to the new provider, while the display name will be used in the Keycloak login screen on the button corresponding to the IdP. -![vc-authn-oidc-flow](img/02-settings-1.png) + ![vc-authn-oidc-flow](img/02-settings-1.png) 3. We will now configure the Open Id Connect parameters for our new provider. @@ -29,7 +29,7 @@ To input settings manually, or review them: - **Default Scopes**: this must be set to `vc_authn` to instruct the AIM broker which scopes to request from the IdP. -- **Validate Signatures**: if you want to have the signature of VC-AuthN validated by Keycloak, turn this on, flip the `Use JWKS URL` to true and set `JWKS URL` to `{PUBLIC_VC_AUTHN_URL}/.well-known/openid-configuration/jwks`. +- **Validate Signatures**: if you want to have the signature of VC-AuthN validated by Keycloak, turn this on, flip the `Use JWKS URL` to true and set `JWKS URL` to `{PUBLIC_VC_AUTHN_URL}/.well-known/openid-configuration/jwks`. - **Forwarded Query Parameters**: set this to `pres_req_conf_id`. This parameter is used by VC Authn to lookup in its database the configuration to generate presentation request to be displayed to the user and the AIM system needs to forward it when initiating the authentication. 
@@ -42,16 +42,13 @@ Save the settings and take note of the generated **Redirect URI** and **Client I VC-AuthN can be configured by using the API endpoints exposed on Swagger at `VC_AUTHN_PUBLIC_URL}/docs`. The `oidc_clients` namespace provides RESTful APIs to create/delete/update clients. To register a new client, `POST` a request to the `/clients` endpoint with a payload containing the client id/secret and redirect URL noted at the previous step. Example: + ```json { "client_id": "my-new-client", "client_name": "my-keycloak", "client_secret": "super-secret", - "response_types": [ - "code", - "id_token", - "token" - ], + "response_types": ["code", "id_token", "token"], "token_endpoint_auth_method": "client_secret_post", "redirect_uris": [ "http://localhost:8880/auth/realms/vc-authn/broker/vc-authn/endpoint" @@ -69,7 +66,6 @@ Once the new Identity Provider is configured, mappers should be added in order t The following is an example mapper configuration: ![vc-authn-oidc-flow](img/03-mappers.png) - ## Direct Configuration VC-AuthN 2.0 only supports confidential clients, and cannot be configured to be invoked directly from Single-Page applications. For back-end systems, however, the above instructions should still apply. 
@@ -78,16 +74,17 @@ VC-AuthN 2.0 only supports confidential clients, and cannot be configured to be Several functions in VC-AuthN can be tweaked by using the following environment variables. -| Variable | Type | What it does |NOTES| -| ------------------------ | ---- | ---------------------------------------------- |-| -| SET_NON_REVOKED | bool | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())`|| -| USE_OOB_PRESENT_PROOF | bool | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator)|**TRUE:** BC Wallet supports our OOB Message with a minor glitch, BiFold, Lissi, Trinsic, and Estatus all read the QR code as 'Invalid' **FALSE:** Works with| -| LOG_WITH_JSON | bool | If True, logging output should printed as JSON if False it will be pretty printed.| Default behavior will print as JSON. 
| -| LOG_TIMESTAMP_FORMAT | string | determines the timestamp formatting used in logs | Default is "iso" | -| LOG_LEVEL | "DEBUG", "INFO", "WARNING", or "ERROR" | sets the minimum log level that will be printed to standard out| Defaults to DEBUG | +| Variable | Type | What it does | NOTES | +| ------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | +| SET_NON_REVOKED | bool | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())` | | +| USE_OOB_PRESENT_PROOF | bool | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | **TRUE:** BC Wallet supports our OOB Message with a minor glitch, BiFold, Lissi, Trinsic, and Estatus all read the QR code as 'Invalid' | +| USE_OOB_LOCAL_DID_SERVICE | bool | Instructs VC-AuthN to use a local DID, useful if the agent service is not registered on the ledger with a public DID | Use this when `ACAPY_WALLET_LOCAL_DID` is set to `true` in the agent. 
| +| LOG_WITH_JSON | bool | If True, logging output should printed as JSON if False it will be pretty printed. | Default behavior will print as JSON. | +| LOG_TIMESTAMP_FORMAT | string | determines the timestamp formatting used in logs | Default is "iso" | +| LOG_LEVEL | "DEBUG", "INFO", "WARNING", or "ERROR" | sets the minimum log level that will be printed to standard out | Defaults to DEBUG | ## Proof Request Configuration Options The basic structure of a proof-request configuration is described [here](README.md#data-model). Additional options are described via the Swagger document, and listed below: -* `include_v1_attributes`: defaults to `false`, switch to `true` if root-level claims as presented in VC-AuthN v1 are still required for the proof-request. +- `include_v1_attributes`: defaults to `false`, switch to `true` if root-level claims as presented in VC-AuthN v1 are still required for the proof-request. diff --git a/oidc-controller/api/core/config.py b/oidc-controller/api/core/config.py index 2072e848..c9087e96 100644 --- a/oidc-controller/api/core/config.py +++ b/oidc-controller/api/core/config.py @@ -11,8 +11,9 @@ import structlog from pydantic import BaseSettings + # Removed in later versions of python -def strtobool (val: str | bool) -> bool: +def strtobool(val: str | bool) -> bool: """Convert a string representation of truth to a boolean (True or False). True values are 'y', 'yes', 't', 'true', 'on', and '1'; False values are 'n', 'no', 'f', 'false', 'off', and '0'. If val is 
@@ -23,13 +24,14 @@ def strtobool (val: str | bool) -> bool:
 return val
 val = val.lower()
- if val in ('y', 'yes', 't', 'true', 'on', '1'):
+ if val in ("y", "yes", "t", "true", "on", "1"):
 return True
- elif val in ('n', 'no', 'f', 'false', 'off', '0'):
+ elif val in ("n", "no", "f", "false", "off", "0"):
 return False
 else:
 raise ValueError(f"invalid truth value {val}")
+
 # Use environment variable to determine logging format
 # default to True
 # strtobool will convert the results of the environment variable to a bool
@@ -150,7 +152,9 @@ class GlobalConfig(BaseSettings):
 DB_USER: str = os.environ.get("OIDC_CONTROLLER_DB_USER", "oidccontrolleruser")
 DB_PASS: str = os.environ.get("OIDC_CONTROLLER_DB_USER_PWD", "oidccontrollerpass")
- MONGODB_URL: str = f"""mongodb://{DB_USER}:{DB_PASS}@{DB_HOST}:{DB_PORT}/{DB_NAME}?retryWrites=true&w=majority""" # noqa: E501
+ MONGODB_URL: str = (
+ f"""mongodb://{DB_USER}:{DB_PASS}@{DB_HOST}:{DB_PORT}/{DB_NAME}?retryWrites=true&w=majority""" # noqa: E501
+ )
 CONTROLLER_URL: Optional[str] = os.environ.get("CONTROLLER_URL")
 # Where to send users when trying to scan with their mobile camera (not a wallet)
@@ -201,11 +205,14 @@ class GlobalConfig(BaseSettings):
 # OIDC Controller Settings
 CONTROLLER_API_KEY: str = os.environ.get("CONTROLLER_API_KEY", "")
- USE_OOB_PRESENT_PROOF: bool = strtobool(os.environ.get("USE_OOB_PRESENT_PROOF", False))
+ USE_OOB_PRESENT_PROOF: bool = strtobool(
+ os.environ.get("USE_OOB_PRESENT_PROOF", False)
+ )
 USE_OOB_LOCAL_DID_SERVICE: bool = strtobool(
- os.environ.get("USE_OOB_LOCAL_DID_SERVICE", False)
+ os.environ.get("USE_OOB_LOCAL_DID_SERVICE", True)
 )
 SET_NON_REVOKED: bool = strtobool(os.environ.get("SET_NON_REVOKED", True))
+
 class Config:
 case_sensitive = True
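Review bot: The rewrapped `MONGODB_URL` in the -150 hunk still interpolates `DB_USER` and `DB_PASS` into the connection string verbatim, so a password taken from `OIDC_CONTROLLER_DB_USER_PWD` that contains `@`, `:`, `/` or `?` yields a URI the driver parses as a different host or rejects outright. Percent-encode both before formatting, e.g. `f"mongodb://{quote_plus(DB_USER)}:{quote_plus(DB_PASS)}@{DB_HOST}:{DB_PORT}/{DB_NAME}?retryWrites=true&w=majority"` with `quote_plus` imported from `urllib.parse` at the top of the module. The hard-coded fallback credentials `oidccontrolleruser`/`oidccontrollerpass` are also kept on the new side; if they are only meant for local development, a comment saying so, `# development-only defaults; production must set OIDC_CONTROLLER_DB_USER_PWD`, would stop them being shipped as-is. The enclosing `GlobalConfig` class starts and ends outside the hunk.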
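Review bot: In the -201 hunk `USE_OOB_LOCAL_DID_SERVICE` now resolves to `True` when the variable is unset, while the guide row added by this same patch says to use it when `ACAPY_WALLET_LOCAL_DID` is `true` on the agent, so a controller started without the variable against an agent that has a public DID silently gets the local-DID service behaviour. Either keep the fallback at `False` or record the new default and its coupling to the agent setting next to the field, e.g. `# Defaults to True; keep in step with ACAPY_WALLET_LOCAL_DID on the agent`. Note also that `strtobool` raises `ValueError` for any value outside its accepted set and these calls run at import time, so a mistyped value aborts startup rather than falling back; that is reasonable, but the guide's table does not currently say which spellings are accepted. The enclosing `GlobalConfig` class starts outside the hunk.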