feat: krakend: propagate roles header only on necessary endpoints

Signed-off-by: Misha Sizov <[email protected]>
mishasizov-SK · Jan 15, 2025 · ed20010 · ed20010
1 parent 21d2ee7
commit ed20010
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 3 deletions.
diff --git a/pkg/restapi/v1/verifier/controller.go b/pkg/restapi/v1/verifier/controller.go
@@ -538,7 +538,7 @@ func (c *Controller) CheckAuthorizationResponse(e echo.Context) error {
 
 	if rawAuthResp.Error != "" {
 		// Error authorization response
-		// Spec: https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-6.4
+		// Spec: https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-7.5
 		return c.oidc4VPService.HandleWalletNotification(ctx, &oidc4vp.WalletNotification{
 			TxID:               oidc4vp.TxID(rawAuthResp.State),
 			Error:              rawAuthResp.Error,

diff --git a/pkg/service/oidc4vp/oidc4vp_wallet_notification.go b/pkg/service/oidc4vp/oidc4vp_wallet_notification.go
@@ -107,14 +107,22 @@ func (s *Service) sendWalletNotificationEvent(
 	profile *profileapi.Verifier,
 	notification *WalletNotification,
 ) error {
+	// Send event only if notification.Error is known.
 	if _, isValidError := supportedAuthResponseErrTypes[notification.Error]; !isValidError {
 		logger.Infoc(ctx, "Ignoring unsupported error type", zap.String("error", notification.Error))
 		return nil
 	}
 
 	ep := createBaseTxEventPayload(tx, profile)
 
-	ep.Error, ep.ErrorCode, ep.ErrorComponent = notification.ErrorDescription, notification.Error, errorComponentWallet
+	// error code, e.g. "access_denied".
+	// List: https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-7.5
+	ep.ErrorCode = notification.Error
+
+	// error description, e.g. "no_consent", "no_match_found"
+	ep.Error = notification.ErrorDescription
+
+	ep.ErrorComponent = errorComponentWallet
 	ep.InteractionDetails = notification.InteractionDetails
 
 	spiEventType := s.getEventType(notification.Error, notification.ErrorDescription)

diff --git a/test/bdd/fixtures/krakend-config/settings/endpoint.json b/test/bdd/fixtures/krakend-config/settings/endpoint.json
@@ -16,6 +16,7 @@
       "endpoint": "/issuer/credentials/status",
       "method": "POST",
       "protected": true,
+      "propagate_roles_header": true,
       "roles_to_validate": [
         "revoker",
         "activator"

diff --git a/test/bdd/fixtures/krakend-config/templates/auth_validator.tmpl b/test/bdd/fixtures/krakend-config/templates/auth_validator.tmpl
@@ -11,11 +11,15 @@
     [
       "custom:tenant_id",
       "x-tenant-id"
-    ],
+    ]
+  {{ if .propagate_roles_header }}
+  ,
     [
       "custom:roles",
       "x-client-roles"
     ]
+
+  {{ end }}
   ]
   {{ if .roles_to_validate }}
   ,