Merge branch 'main' into embedded-vue

demo/vue/app/frontend/package.json

@@ -17,10 +17,10 @@
     "reinstall": "npm run purge && npm install"
   },
   "dependencies": {
-    "@babel/eslint-parser": "^7.23.10",
+    "@babel/eslint-parser": "^7.24.1",
     "@bcgov/bc-sans": "^2.1.0",
     "axios": "^1.6.8",
-    "core-js": "^3.36.0",
+    "core-js": "^3.36.1",
     "eslint": "^8.57.0",
     "keycloak-js": "^15.0.2",
     "nprogress": "^0.2.0",

demo/vue/app/package.json

@@ -38,14 +38,14 @@
     "compression": "^1.7.4",
     "config": "^3.3.11",
     "crypto": "^1.0.1",
-    "express": "^4.18.3",
+    "express": "^4.19.2",
     "express-winston": "^4.2.0",
     "form-data": "^4.0.0",
     "fs-extra": "^11.2.0",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.2",
-    "keycloak-connect": "^24.0.1",
-    "winston": "^3.12.0",
+    "keycloak-connect": "^24.0.2",
+    "winston": "^3.13.0",
     "winston-transport": "^4.7.0"
   },
   "devDependencies": {

docker/docker-compose.yaml

@@ -33,6 +33,7 @@ services:
       - ST_ACAPY_ADMIN_API_KEY=${AGENT_ADMIN_API_KEY}
       - ST_ACAPY_ADMIN_API_KEY_NAME=${ST_ACAPY_ADMIN_API_KEY_NAME}
       - USE_OOB_PRESENT_PROOF=${USE_OOB_PRESENT_PROOF}
+      - USE_OOB_LOCAL_DID_SERVICE=${USE_OOB_LOCAL_DID_SERVICE}
     ports:
       - ${CONTROLLER_SERVICE_PORT}:5000
       - 5678:5678

docker/manage

@@ -173,9 +173,9 @@ configureEnvironment() {
   export CONTROLLER_PRESENTATION_EXPIRE_TIME=10
 
   #controller app settings
-  export SET_NON_REVOKED="True" # both work
-  export USE_OOB_PRESENT_PROOF="False" #BC wallet kinda supports true.
-  export USE_OOB_LOCAL_DID_SERVICE="False" #bc wallet does not support true
+  export SET_NON_REVOKED="True"
+  export USE_OOB_PRESENT_PROOF=${USE_OOB_PRESENT_PROOF:-"false"}
+  export USE_OOB_LOCAL_DID_SERVICE=${USE_OOB_LOCAL_DID_SERVICE:-"true"}
 
   # agent
   export AGENT_TENANT_MODE="${AGENT_TENANT_MODE:-single}"

docs/ConfigurationGuide.md

@@ -7,10 +7,10 @@
 The first step is to add VC Authn as a new Identity Provider for our AIM system. The following instructions are built for Keycloak, but should be applicable for any AIM that supports Open ID Connect.
 
 1. Click on the **Identity Providers** tab and select **Open ID Connect v1.0** from the **User-defined** section.
-![vc-authn-oidc-flow](img/01-new-idp.png)
+   ![vc-authn-oidc-flow](img/01-new-idp.png)
 
 2. In the next page, select an alias and a display name for your Idp. The alias will be used to generate a unique URL corresponding to the new provider, while the display name will be used in the Keycloak login screen on the button corresponding to the IdP.
-![vc-authn-oidc-flow](img/02-settings-1.png)
+   ![vc-authn-oidc-flow](img/02-settings-1.png)
 
 3. We will now configure the Open Id Connect parameters for our new provider.
 
@@ -29,7 +29,7 @@ To input settings manually, or review them:
 
 - **Default Scopes**: this must be set to `vc_authn` to instruct the AIM broker which scopes to request from the IdP.
 
-- **Validate Signatures**: if you want to have the signature of VC-AuthN validated by Keycloak, turn this on, flip the `Use JWKS URL` to true and set `JWKS URL` to  `{PUBLIC_VC_AUTHN_URL}/.well-known/openid-configuration/jwks`.
+- **Validate Signatures**: if you want to have the signature of VC-AuthN validated by Keycloak, turn this on, flip the `Use JWKS URL` to true and set `JWKS URL` to `{PUBLIC_VC_AUTHN_URL}/.well-known/openid-configuration/jwks`.
 
 - **Forwarded Query Parameters**: set this to `pres_req_conf_id`. This parameter is used by VC Authn to lookup in its database the configuration to generate presentation request to be displayed to the user and the AIM system needs to forward it when initiating the authentication.
 
@@ -42,16 +42,13 @@ Save the settings and take note of the generated **Redirect URI** and **Client I
 VC-AuthN can be configured by using the API endpoints exposed on Swagger at `VC_AUTHN_PUBLIC_URL}/docs`. The `oidc_clients` namespace provides RESTful APIs to create/delete/update clients.
 
 To register a new client, `POST` a request to the `/clients` endpoint with a payload containing the client id/secret and redirect URL noted at the previous step. Example:
+
 ```json
 {
   "client_id": "my-new-client",
   "client_name": "my-keycloak",
   "client_secret": "super-secret",
-  "response_types": [
-    "code",
-    "id_token",
-    "token"
-  ],
+  "response_types": ["code", "id_token", "token"],
   "token_endpoint_auth_method": "client_secret_post",
   "redirect_uris": [
     "http://localhost:8880/auth/realms/vc-authn/broker/vc-authn/endpoint"
@@ -69,7 +66,6 @@ Once the new Identity Provider is configured, mappers should be added in order t
 The following is an example mapper configuration:
 ![vc-authn-oidc-flow](img/03-mappers.png)
 
-
 ## Direct Configuration
 
 VC-AuthN 2.0 only supports confidential clients, and cannot be configured to be invoked directly from Single-Page applications. For back-end systems, however, the above instructions should still apply.
@@ -78,16 +74,17 @@ VC-AuthN 2.0 only supports confidential clients, and cannot be configured to be
 
 Several functions in VC-AuthN can be tweaked by using the following environment variables.
 
-| Variable                 | Type | What it does                                                |NOTES|
-| ------------------------ | ---- | ---------------------------------------------- |-|
-| SET_NON_REVOKED          | bool | if True, the `non_revoked` attributed  will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())`||
-| USE_OOB_PRESENT_PROOF    | bool | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator)|**TRUE:** BC Wallet supports our OOB Message with a minor glitch, BiFold, Lissi, Trinsic, and Estatus all read the QR code as 'Invalid' **FALSE:** Works with|
-| LOG_WITH_JSON            | bool | If True, logging output should printed as JSON if False it will be pretty printed.| Default behavior will print as JSON. |
-| LOG_TIMESTAMP_FORMAT     | string | determines the timestamp formatting used in logs | Default is "iso" |
-| LOG_LEVEL                | "DEBUG", "INFO", "WARNING", or "ERROR" | sets the minimum log level that will be printed to standard out| Defaults to DEBUG |
+| Variable                  | Type                                   | What it does                                                                                                                                                                                                                                                                                                                                                                                                                                           | NOTES                                                                                                                                   |
+| ------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
+| SET_NON_REVOKED           | bool                                   | if True, the `non_revoked` attributed will be added to each of the present-proof request `requested_attribute` and `requested_predicate` with 'from=0' and'to=`int(time.time())`                                                                                                                                                                                                                                                                       |                                                                                                                                         |
+| USE_OOB_PRESENT_PROOF     | bool                                   | if True, the present-proof request will be provided as a an [out of band](https://github.com/hyperledger/aries-rfcs/tree/main/features/0434-outofband) invitation with a [present-proof](https://github.com/hyperledger/aries-rfcs/tree/main/features/0037-present-proof) request inside. If False, the present-proof request will be use the [service-decorator](https://github.com/hyperledger/aries-rfcs/tree/main/features/0056-service-decorator) | **TRUE:** BC Wallet supports our OOB Message with a minor glitch, BiFold, Lissi, Trinsic, and Estatus all read the QR code as 'Invalid' |
+| USE_OOB_LOCAL_DID_SERVICE | bool                                   | Instructs VC-AuthN to use a local DID, it must be used when the agent service is not registered on the ledger with a public DID                                                                                                                                                                                                                                                                                                                        | Use this when `ACAPY_WALLET_LOCAL_DID` is set to `true` in the agent.                                                                   |
+| LOG_WITH_JSON             | bool                                   | If True, logging output should printed as JSON if False it will be pretty printed.                                                                                                                                                                                                                                                                                                                                                                     | Default behavior will print as JSON.                                                                                                    |
+| LOG_TIMESTAMP_FORMAT      | string                                 | determines the timestamp formatting used in logs                                                                                                                                                                                                                                                                                                                                                                                                       | Default is "iso"                                                                                                                        |
+| LOG_LEVEL                 | "DEBUG", "INFO", "WARNING", or "ERROR" | sets the minimum log level that will be printed to standard out                                                                                                                                                                                                                                                                                                                                                                                        | Defaults to DEBUG                                                                                                                       |
 
 ## Proof Request Configuration Options
 
 The basic structure of a proof-request configuration is described [here](README.md#data-model). Additional options are described via the Swagger document, and listed below:
-* `include_v1_attributes`: defaults to `false`, switch to `true` if root-level claims as presented in VC-AuthN v1 are still required for the proof-request.
 
+- `include_v1_attributes`: defaults to `false`, switch to `true` if root-level claims as presented in VC-AuthN v1 are still required for the proof-request.

oidc-controller/api/core/config.py

@@ -11,8 +11,9 @@
 import structlog
 from pydantic import BaseSettings
 
+
 # Removed in later versions of python
-def strtobool (val: str | bool) -> bool:
+def strtobool(val: str | bool) -> bool:
     """Convert a string representation of truth to a boolean (True or False).
     True values are 'y', 'yes', 't', 'true', 'on', and '1'; False
     values are 'n', 'no', 'f', 'false', 'off', and '0'. If val is
@@ -23,13 +24,14 @@ def strtobool (val: str | bool) -> bool:
         return val
 
     val = val.lower()
-    if val in ('y', 'yes', 't', 'true', 'on', '1'):
+    if val in ("y", "yes", "t", "true", "on", "1"):
         return True
-    elif val in ('n', 'no', 'f', 'false', 'off', '0'):
+    elif val in ("n", "no", "f", "false", "off", "0"):
         return False
     else:
         raise ValueError(f"invalid truth value {val}")
 
+
 # Use environment variable to determine logging format
 # default to True
 # strtobool will convert the results of the environment variable to a bool
@@ -150,7 +152,9 @@ class GlobalConfig(BaseSettings):
     DB_USER: str = os.environ.get("OIDC_CONTROLLER_DB_USER", "oidccontrolleruser")
     DB_PASS: str = os.environ.get("OIDC_CONTROLLER_DB_USER_PWD", "oidccontrollerpass")
 
-    MONGODB_URL: str = f"""mongodb://{DB_USER}:{DB_PASS}@{DB_HOST}:{DB_PORT}/{DB_NAME}?retryWrites=true&w=majority"""  # noqa: E501
+    MONGODB_URL: str = (
+        f"""mongodb://{DB_USER}:{DB_PASS}@{DB_HOST}:{DB_PORT}/{DB_NAME}?retryWrites=true&w=majority"""  # noqa: E501
+    )
 
     CONTROLLER_URL: Optional[str] = os.environ.get("CONTROLLER_URL")
     # Where to send users when trying to scan with their mobile camera (not a wallet)
@@ -201,11 +205,14 @@ class GlobalConfig(BaseSettings):
 
     # OIDC Controller Settings
     CONTROLLER_API_KEY: str = os.environ.get("CONTROLLER_API_KEY", "")
-    USE_OOB_PRESENT_PROOF: bool = strtobool(os.environ.get("USE_OOB_PRESENT_PROOF", False))
+    USE_OOB_PRESENT_PROOF: bool = strtobool(
+        os.environ.get("USE_OOB_PRESENT_PROOF", False)
+    )
     USE_OOB_LOCAL_DID_SERVICE: bool = strtobool(
-        os.environ.get("USE_OOB_LOCAL_DID_SERVICE", False)
+        os.environ.get("USE_OOB_LOCAL_DID_SERVICE", True)
     )
     SET_NON_REVOKED: bool = strtobool(os.environ.get("SET_NON_REVOKED", True))
+
     class Config:
         case_sensitive = True