Add oauth/openid config endpoints to support OID4VCI draft bugs.

digitalbazaar · Nov 28, 2023 · 8c7111f · 8c7111f
1 parent f51bcc2
commit 8c7111f
Showing 1 changed file with 55 additions and 0 deletions.
diff --git a/lib/openId.js b/lib/openId.js
@@ -63,7 +63,11 @@ export async function createRoutes({
   const routes = {
     // OID4VCI routes
     asMetadata: `/.well-known/oauth-authorization-server${exchangeRoute}`,
+    asMetadataDraftBug:
+      `${exchangeRoute}/.well-known/oauth-authorization-server`,
     ciMetadata: `/.well-known/openid-credential-issuer${exchangeRoute}`,
+    ciMetadataDraftBug:
+      `${exchangeRoute}/.well-known/openid-credential-issuer`,
     batchCredential: `${openIdRoute}/batch_credential`,
     credential: `${openIdRoute}/credential`,
     token: `${openIdRoute}/token`,
@@ -357,6 +361,57 @@ export async function createRoutes({
         {req, presentation, presentationSubmission});
       res.json(result);
     }));
+
+  /* Note: The following routes are served only because of an OID4VCI draft bug
+  that tells clients to generate `/.well-known` paths in an erroneous way and
+  some implementers have complied. */
+
+  // an authorization server meta data endpoint
+  // serves `.well-known` oauth2 AS config for each exchange; each config is
+  // based on the exchanger used to create the exchange
+  app.get(
+    routes.asMetadataDraftBug,
+    cors(),
+    getConfigMiddleware,
+    asyncHandler(async (req, res) => {
+      // generate well-known oauth2 issuer config
+      const {config: exchanger} = req.serviceObject;
+      const exchangeId = `${exchanger.id}/exchanges/${req.params.exchangeId}`;
+      // note that technically, we should not need to serve any credential
+      // issuer metadata, but we do for backwards compatibility purposes as
+      // previous versions of OID4VCI required it
+      const oauth2Config = {
+        issuer: exchangeId,
+        jwks_uri: `${exchangeId}/openid/jwks`,
+        token_endpoint: `${exchangeId}/openid/token`,
+        credential_endpoint: `${exchangeId}/openid/credential`,
+        batch_credential_endpoint: `${exchangeId}/openid/batch_credential`
+        // FIXME: add `credentials_supported`
+      };
+      res.json(oauth2Config);
+    }));
+
+  // a credential issuer meta data endpoint
+  // serves `.well-known` oauth2 AS / CI config for each exchange; each config
+  // is based on the exchanger used to create the exchange
+  app.get(
+    routes.ciMetadataDraftBug,
+    cors(),
+    getConfigMiddleware,
+    asyncHandler(async (req, res) => {
+      // generate well-known oauth2 issuer config
+      const {config: exchanger} = req.serviceObject;
+      const exchangeId = `${exchanger.id}/exchanges/${req.params.exchangeId}`;
+      const oauth2Config = {
+        issuer: exchangeId,
+        jwks_uri: `${exchangeId}/openid/jwks`,
+        token_endpoint: `${exchangeId}/openid/token`,
+        credential_endpoint: `${exchangeId}/openid/credential`,
+        batch_credential_endpoint: `${exchangeId}/openid/batch_credential`
+        // FIXME: add `credentials_supported`
+      };
+      res.json(oauth2Config);
+    }));
 }
 
 async function _createExchangeAccessToken({exchanger, exchangeRecord}) {