Support cNonce endpoint (#321)

* add cNonce service

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

* write out cNonce to credentialNonce

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

---------

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

Author: JoTiTu

src/WalletFramework.Oid4Vc/DependencyInjection/ServiceCollectionExtensions.cs

@@ -15,6 +15,8 @@
 using WalletFramework.Oid4Vc.Oid4Vci.Authorization.DPop.Abstractions;
 using WalletFramework.Oid4Vc.Oid4Vci.Authorization.DPop.Implementations;
 using WalletFramework.Oid4Vc.Oid4Vci.Authorization.Implementations;
+using WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Abstractions;
+using WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Implementations;
 using WalletFramework.Oid4Vc.Oid4Vci.CredOffer.Abstractions;
 using WalletFramework.Oid4Vc.Oid4Vci.CredOffer.Implementations;
 using WalletFramework.Oid4Vc.Oid4Vci.CredRequest.Abstractions;
@@ -70,6 +72,7 @@ public static IServiceCollection AddOpenIdServices(this IServiceCollection build
         builder.AddSingleton<IStatusListService, StatusListService>();
         builder.AddSingleton<ITokenService, TokenService>();
         builder.AddSingleton<IVctMetadataService, VctMetadataService>();
+        builder.AddSingleton<ICredentialNonceService, CredentialNonceService>();
 
         builder.AddSdJwtVcServices();
 

src/WalletFramework.Oid4Vc/Oid4Vci/Authorization/Abstractions/ITokenService.cs

@@ -1,12 +1,15 @@
+using LanguageExt;
 using OneOf;
 using WalletFramework.Oid4Vc.Oid4Vci.Authorization.DPop.Models;
 using WalletFramework.Oid4Vc.Oid4Vci.Authorization.Models;
+using WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Models;
 
 namespace WalletFramework.Oid4Vc.Oid4Vci.Authorization.Abstractions;
 
 public interface ITokenService
 {
     public Task<OneOf<OAuthToken, DPopToken>> RequestToken(
         TokenRequest tokenRequest,
-        AuthorizationServerMetadata metadata);
+        AuthorizationServerMetadata metadata,
+        Option<CredentialNonceEndpoint> credentialNonceEndpoint);
 }

src/WalletFramework.Oid4Vc/Oid4Vci/Authorization/Implementations/TokenService.cs

@@ -1,52 +1,56 @@
+using LanguageExt;
 using OneOf;
 using WalletFramework.Core.Cryptography.Abstractions;
 using WalletFramework.Oid4Vc.Oid4Vci.Authorization.Abstractions;
 using WalletFramework.Oid4Vc.Oid4Vci.Authorization.DPop.Abstractions;
 using WalletFramework.Oid4Vc.Oid4Vci.Authorization.DPop.Models;
 using WalletFramework.Oid4Vc.Oid4Vci.Authorization.Models;
+using WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Abstractions;
+using WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Models;
 using static Newtonsoft.Json.JsonConvert;
 
 namespace WalletFramework.Oid4Vc.Oid4Vci.Authorization.Implementations;
 
-internal class TokenService : ITokenService
+internal class TokenService(
+    IDPopHttpClient dPopHttpClient,
+    IHttpClientFactory httpClientFactory,
+    ICredentialNonceService credentialNonceService,
+    IKeyStore keyStore)
+    : ITokenService
 {
-    private readonly IDPopHttpClient _dPopHttpClient;
-    private readonly IKeyStore _keyStore;
-    private readonly HttpClient _httpClient;
+    private readonly HttpClient _httpClient = httpClientFactory.CreateClient();
 
-    public TokenService(
-        IDPopHttpClient dPopHttpClient,
-        IHttpClientFactory httpClientFactory,
-        IKeyStore keyStore)
-    {
-        _dPopHttpClient = dPopHttpClient;
-        _keyStore = keyStore;
-        _httpClient = httpClientFactory.CreateClient();
-    }
-    
     public async Task<OneOf<OAuthToken, DPopToken>> RequestToken(
         TokenRequest tokenRequest,
-        AuthorizationServerMetadata metadata)
+        AuthorizationServerMetadata metadata,
+        Option<CredentialNonceEndpoint> credentialNonceEndpoint)
     {
         if (metadata.IsDPoPSupported)
         {
-            var keyId = await _keyStore.GenerateKey(isPermanent: false);
+            var keyId = await keyStore.GenerateKey(isPermanent: false);
 
             var config = new DPopConfig(keyId, metadata.TokenEndpoint);
 
             var uri = new Uri(metadata.TokenEndpoint);
 
-            var result = await _dPopHttpClient.Post(
+            var result = await dPopHttpClient.Post(
                 uri,
                 config,
                 tokenRequest.ToFormUrlEncoded);
 
             var token = DeserializeObject<OAuthToken>(await result.ResponseMessage.Content.ReadAsStringAsync()) 
                         ?? throw new InvalidOperationException("Failed to deserialize the token response");
 
-            var dPop = new DPop.Models.DPop(result.Config);
+            await credentialNonceEndpoint.IfSomeAsync(async endpoint =>
+            {
+                var credentialNonce = await credentialNonceService.GetCredentialNonce(endpoint);
+                token = token with { CNonce = credentialNonce.Value };
+            });
 
-            return new DPopToken(token, dPop);
+            return new DPopToken(
+                token, 
+                new DPop.Models.DPop(result.Config)
+                );
         }
         else
         {
@@ -56,7 +60,13 @@ public async Task<OneOf<OAuthToken, DPopToken>> RequestToken(
 
             var token = DeserializeObject<OAuthToken>(await response.Content.ReadAsStringAsync()) 
                         ?? throw new InvalidOperationException("Failed to deserialize the token response");
-        
+            
+            await credentialNonceEndpoint.IfSomeAsync(async endpoint =>
+            {
+                var credentialNonce = await credentialNonceService.GetCredentialNonce(endpoint);
+                token = token with { CNonce = credentialNonce.Value };
+            });
+            
             return token;
         }
     }

src/WalletFramework.Oid4Vc/Oid4Vci/Authorization/Models/OAuthToken.cs

@@ -46,7 +46,7 @@ public record OAuthToken
     ///     when requesting a Credential.
     /// </summary>
     [JsonProperty("c_nonce")]
-    public string CNonce { get; set; }
+    public string? CNonce { get; set; }
 
     /// <summary>
     ///     Gets or sets the refresh token, which can be used to obtain new access tokens.

src/WalletFramework.Oid4Vc/Oid4Vci/CredentialNonce/Abstractions/ICredentialNonceService.cs

@@ -0,0 +1,8 @@
+using WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Models;
+
+namespace WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Abstractions;
+
+public interface ICredentialNonceService
+{
+    Task<Models.CredentialNonce> GetCredentialNonce(CredentialNonceEndpoint credentialNonceEndpoint);
+}

src/WalletFramework.Oid4Vc/Oid4Vci/CredentialNonce/Implementations/CredentialNonceService.cs

@@ -0,0 +1,28 @@
+using Newtonsoft.Json.Linq;
+using WalletFramework.Core.Functional;
+using WalletFramework.Core.Json;
+using WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Abstractions;
+using WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Models;
+
+namespace WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Implementations;
+
+public class CredentialNonceService(IHttpClientFactory httpClientFactory) : ICredentialNonceService
+{
+    public async Task<Models.CredentialNonce> GetCredentialNonce(CredentialNonceEndpoint credentialNonceEndpoint)
+    {
+        var client = httpClientFactory.CreateClient();
+        var response = await client.PostAsync(credentialNonceEndpoint.Value, new StringContent(""));
+
+        var message = await response.Content.ReadAsStringAsync();
+        
+        if (!response.IsSuccessStatusCode)
+            throw new HttpRequestException($"Requesting the c_nonce failed. Status Code is {response.StatusCode} with message: {message}");
+        
+        return (from jToken in JObject.Parse(message).GetByKey("c_nonce") 
+                from docType in Models.CredentialNonce.ValidCredentialNonce(jToken.ToString())
+                select docType)
+            .Match(
+                nonce => nonce, 
+                _ => throw new InvalidOperationException("Failed deserialize c_nonce from nonce endpoint response"));
+    }
+}

src/WalletFramework.Oid4Vc/Oid4Vci/CredentialNonce/Models/CredentialNonce.cs

@@ -0,0 +1,22 @@
+using WalletFramework.Core.Functional;
+using WalletFramework.Core.Functional.Errors;
+
+namespace WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Models;
+
+public readonly struct CredentialNonce
+{
+    public string Value { get; }
+    
+    private CredentialNonce(string nonce)
+    {
+        Value = nonce;
+    }
+    
+    public static Validation<CredentialNonce> ValidCredentialNonce(string nonce)
+    {
+        if (string.IsNullOrEmpty(nonce))
+            return new StringIsNullOrWhitespaceError<CredentialNonce>();
+
+        return new CredentialNonce(nonce);
+    }
+};

src/WalletFramework.Oid4Vc/Oid4Vci/CredentialNonce/Models/CredentialNonceEndpoint.cs

@@ -0,0 +1,6 @@
+namespace WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Models;
+
+public readonly struct CredentialNonceEndpoint(Uri endpoint)
+{
+    public Uri Value { get; } = endpoint;
+};

src/WalletFramework.Oid4Vc/Oid4Vci/Implementations/Oid4VciClientService.cs

@@ -23,6 +23,7 @@
 using WalletFramework.Oid4Vc.CredentialSet;
 using WalletFramework.Oid4Vc.CredentialSet.Models;
 using WalletFramework.Oid4Vc.Oid4Vci.Authorization.DPop.Models;
+using WalletFramework.Oid4Vc.Oid4Vci.CredentialNonce.Abstractions;
 using WalletFramework.Oid4Vc.Oid4Vci.CredResponse;
 using WalletFramework.Oid4Vc.Oid4Vp.Models;
 using WalletFramework.SdJwtVc.Models;
@@ -63,6 +64,7 @@ public Oid4VciClientService(
         IIssuerMetadataService issuerMetadataService,
         IMdocStorage mdocStorage,
         ISdJwtVcHolderService sdJwtService,
+        ICredentialNonceService credentialNonceService,
         ITokenService tokenService)
     {
         _agentProvider = agentProvider;
@@ -74,6 +76,7 @@ public Oid4VciClientService(
         _issuerMetadataService = issuerMetadataService;
         _mdocStorage = mdocStorage;
         _sdJwtService = sdJwtService;
+        _credentialNonceService = credentialNonceService;
         _tokenService = tokenService;
     }
 
@@ -86,6 +89,7 @@ public Oid4VciClientService(
     private readonly IIssuerMetadataService _issuerMetadataService;
     private readonly IMdocStorage _mdocStorage;
     private readonly ISdJwtVcHolderService _sdJwtService;
+    private readonly ICredentialNonceService _credentialNonceService;
     private readonly ITokenService _tokenService;
 
     /// <inheritdoc />
@@ -269,7 +273,8 @@ from preAuthCode in grants.PreAuthorizedCode
 
         var token = await _tokenService.RequestToken(
             tokenRequest,
-            authorizationServerMetadata);
+            authorizationServerMetadata,
+            issuerMetadata.CredentialNonceEndpoint);
 
         var validResponse = await _credentialRequestService.RequestCredentials(
             configuration,
@@ -377,8 +382,9 @@ public async Task<Validation<CredentialSetRecord>> RequestCredentialSet(Issuance
 
         var token = await _tokenService.RequestToken(
             tokenRequest,
-            session.AuthorizationData.AuthorizationServerMetadata);
-
+            session.AuthorizationData.AuthorizationServerMetadata,
+            session.AuthorizationData.IssuerMetadata.CredentialNonceEndpoint);
+        
         var credentialSet = new CredentialSetRecord();
 
         //TODO: Make sure that it does not always request all available credConfigurations
@@ -403,9 +409,26 @@ select credentialsOrTransactionId.Match(
                             await credential.Value.Match(
                                 async sdJwt =>
                                 {
-                                    token = token.Match<OneOf<OAuthToken, DPopToken>>(
-                                        oAuth => oAuth with { CNonce = cNonce.ToNullable() },
-                                        dPop => dPop with { Token = dPop.Token with { CNonce = cNonce.ToNullable() } });
+                                    token = await session.AuthorizationData.IssuerMetadata.CredentialNonceEndpoint.Match(
+                                        Some: async credentialNonceEndpoint =>
+                                        {
+                                            var credentialNonce = await _credentialNonceService.GetCredentialNonce(credentialNonceEndpoint);
+                                            return token.Match<OneOf<OAuthToken, DPopToken>>(
+                                                oAuth => oAuth with { CNonce = credentialNonce.Value },
+                                                dPop => dPop with
+                                                {
+                                                    Token = dPop.Token with { CNonce = credentialNonce.Value }
+                                                });
+                                        },
+                                        None: () =>
+                                        {
+                                            return Task.FromResult<OneOf<OAuthToken, DPopToken>>( token.Match<OneOf<OAuthToken, DPopToken>>(
+                                                oAuth => oAuth with { CNonce = cNonce.ToNullable() },
+                                                dPop => dPop with
+                                                {
+                                                    Token = dPop.Token with { CNonce = cNonce.ToNullable() }
+                                                }));
+                                        });
 
                                     var record = sdJwt.Decoded.ToRecord(
                                         configuration.AsT0,
@@ -419,9 +442,26 @@ await credential.Value.Match(
                                 },
                                 async mdoc =>
                                 {
-                                    token = token.Match<OneOf<OAuthToken, DPopToken>>(
-                                        oAuth => oAuth with { CNonce = cNonce.ToNullable() },
-                                        dPop => dPop with { Token = dPop.Token with { CNonce = cNonce.ToNullable() } });
+                                    token = await session.AuthorizationData.IssuerMetadata.CredentialNonceEndpoint.Match(
+                                        Some: async credentialNonceEndpoint =>
+                                        {
+                                            var credentialNonce = await _credentialNonceService.GetCredentialNonce(credentialNonceEndpoint);
+                                            return token.Match<OneOf<OAuthToken, DPopToken>>(
+                                                oAuth => oAuth with { CNonce = credentialNonce.Value },
+                                                dPop => dPop with
+                                                {
+                                                    Token = dPop.Token with { CNonce = credentialNonce.Value }
+                                                });
+                                        },
+                                        None: () =>
+                                        {
+                                            return Task.FromResult<OneOf<OAuthToken, DPopToken>>( token.Match<OneOf<OAuthToken, DPopToken>>(
+                                                oAuth => oAuth with { CNonce = cNonce.ToNullable() },
+                                                dPop => dPop with
+                                                {
+                                                    Token = dPop.Token with { CNonce = cNonce.ToNullable() }
+                                                }));
+                                        });
 
                                     var displays = MdocFun.CreateMdocDisplays(configuration.AsT1);
 
@@ -484,7 +524,8 @@ public async Task<Validation<OnDemandCredentialSet>> RequestOnDemandCredentialSe
 
         var token = await _tokenService.RequestToken(
             tokenRequest,
-            session.AuthorizationData.AuthorizationServerMetadata);
+            session.AuthorizationData.AuthorizationServerMetadata,
+            session.AuthorizationData.IssuerMetadata.CredentialNonceEndpoint);
 
         var credentialConfigs = credentialType.Match(
             vct => credConfigurations.Where(config => config.Match(