Refactor auth flow session handling (#129)

* use state paramter in PAR for Auth Code Flow session handling

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

* remove scheme check to allow verified deeplinks

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

* mdoc oid4vci

Signed-off-by: Kevin <kevin.dinh@lissi.id>

* separate integration tests

Signed-off-by: Kevin <kevin.dinh@lissi.id>

* move away from json converters

Signed-off-by: Kevin <kevin.dinh@lissi.id>

* fix credential request json

Signed-off-by: Kevin <kevin.dinh@lissi.id>

* align with framework Refactoring

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

* remove JsonSettings

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

* rename VciSessionState -> AuthCodeSessionState

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>

---------

Signed-off-by: Johannes Tuerk <johannes.tuerk@lissi.id>
Signed-off-by: Kevin <kevin.dinh@lissi.id>
Co-authored-by: Kevin <kevin.dinh@lissi.id>

Author: JoTiTu

src/WalletFramework.Oid4Vc/Oid4Vci/AuthFlow/Abstractions/IAuthFlowSessionStorage.cs

@@ -14,17 +14,17 @@ public interface IAuthFlowSessionStorage
     ///     Deletes the authorization session record by the session identifier.
     /// </summary>
     /// <param name="context">Agent Context</param>
-    /// <param name="sessionId">Session Identifier of a Authorization Code Flow session</param>
+    /// <param name="authFlowSessionState">Session State Identifier of a Authorization Code Flow session</param>
     /// <returns></returns>
-    Task<bool> DeleteAsync(IAgentContext context, VciSessionId sessionId);
+    Task<bool> DeleteAsync(IAgentContext context, AuthFlowSessionState authFlowSessionState);
 
     /// <summary>
     ///     Retrieves the authorization session record by the session identifier.
     /// </summary>
     /// <param name="context">Agent Context</param>
-    /// <param name="sessionId">Session Identifier of a Authorization Code Flow session</param>
+    /// <param name="authFlowSessionState">Session State Identifier of a Authorization Code Flow session</param>
     /// <returns></returns>
-    Task<AuthFlowSessionRecord> GetAsync(IAgentContext context, VciSessionId sessionId);
+    Task<AuthFlowSessionRecord> GetAsync(IAgentContext context, AuthFlowSessionState authFlowSessionState);
 
     /// <summary>
     ///     Stores the authorization session record.
@@ -35,11 +35,11 @@ public interface IAuthFlowSessionStorage
     ///     Parameters required for the authorization during the VCI authorization code
     ///     flow.
     /// </param>
-    /// <param name="sessionId"></param>
+    /// <param name="authFlowSessionState">Session State Identifier of a Authorization Code Flow session</param>
     /// <returns></returns>
     Task<string> StoreAsync(
         IAgentContext agentContext,
         AuthorizationData authorizationData,
         AuthorizationCodeParameters authorizationCodeParameters,
-        VciSessionId sessionId);
+        AuthFlowSessionState authFlowSessionState);
 }

src/WalletFramework.Oid4Vc/Oid4Vci/AuthFlow/Errors/AuthFlowSessionStateError.cs

@@ -0,0 +1,5 @@
+using WalletFramework.Core.Functional;
+
+namespace WalletFramework.Oid4Vc.Oid4Vci.AuthFlow.Errors;
+
+public record AuthFlowSessionStateError(string Value) : Error($"Invalid AuthFlowSessionState: {Value}");

src/WalletFramework.Oid4Vc/Oid4Vci/AuthFlow/Errors/VciSessionIdError.cs

@@ -26,26 +26,26 @@ public async Task<string> StoreAsync(
         IAgentContext agentContext,
         AuthorizationData authorizationData,
         AuthorizationCodeParameters authorizationCodeParameters,
-        VciSessionId sessionId)
+        AuthFlowSessionState authFlowSessionState)
     {
         var record = new AuthFlowSessionRecord(
             authorizationData,
             authorizationCodeParameters,
-            sessionId);
+            authFlowSessionState);
 
         await _recordService.AddAsync(agentContext.Wallet, record, AuthFlowSessionRecordFun.EncodeToJson);
 
         return record.Id;
     }
 
     /// <inheritdoc />
-    public async Task<AuthFlowSessionRecord> GetAsync(IAgentContext context, VciSessionId sessionId)
+    public async Task<AuthFlowSessionRecord> GetAsync(IAgentContext context, AuthFlowSessionState authFlowSessionState)
     {
-        var record = await _recordService.GetAsync(context.Wallet, sessionId, AuthFlowSessionRecordFun.DecodeFromJson);
+        var record = await _recordService.GetAsync(context.Wallet, authFlowSessionState, AuthFlowSessionRecordFun.DecodeFromJson);
         return record!;
     }
 
     /// <inheritdoc />
-    public async Task<bool> DeleteAsync(IAgentContext context, VciSessionId sessionId) => 
-        await _recordService.DeleteAsync<AuthFlowSessionRecord>(context.Wallet, sessionId);
+    public async Task<bool> DeleteAsync(IAgentContext context, AuthFlowSessionState authFlowSessionState) => 
+        await _recordService.DeleteAsync<AuthFlowSessionRecord>(context.Wallet, authFlowSessionState);
 }

src/WalletFramework.Oid4Vc/Oid4Vci/AuthFlow/Implementations/AuthFlowSessionStorage.cs

@@ -0,0 +1,49 @@
+using System.Globalization;
+using Newtonsoft.Json.Linq;
+using WalletFramework.Core.Functional;
+using WalletFramework.Oid4Vc.Oid4Vci.AuthFlow.Errors;
+
+namespace WalletFramework.Oid4Vc.Oid4Vci.AuthFlow.Models;
+
+/// <summary>
+///     Identifier of the authorization state during the VCI Authorization Code Flow.
+/// </summary>
+public struct AuthFlowSessionState
+{
+    /// <summary>
+    ///    Gets the value of the state identifier.
+    /// </summary>
+    private string Value { get; }
+        
+    private AuthFlowSessionState(string value) => Value = value;
+        
+    /// <summary>
+    ///     Returns the value of the state identifier.
+    /// </summary>
+    /// <param name="authFlowSessionState"></param>
+    /// <returns></returns>
+    public static implicit operator string(AuthFlowSessionState authFlowSessionState) => authFlowSessionState.Value;
+        
+    public static Validation<AuthFlowSessionState> ValidAuthFlowSessionState(string authFlowSessionState)
+    {
+        if (!Guid.TryParse(authFlowSessionState, out _))
+        {
+            return new AuthFlowSessionStateError(authFlowSessionState);
+        }
+            
+        return new AuthFlowSessionState(authFlowSessionState);
+    }
+    
+    public static AuthFlowSessionState CreateAuthFlowSessionState()
+    {
+        var guid = Guid.NewGuid().ToString();
+        return new AuthFlowSessionState(guid);
+    }
+}
+
+public static class AuthFlowSessionStateFun
+{
+    public static AuthFlowSessionState DecodeFromJson(JValue json) => AuthFlowSessionState
+        .ValidAuthFlowSessionState(json.ToString(CultureInfo.InvariantCulture))
+        .UnwrapOrThrow(new InvalidOperationException("AuthFlowSessionState is corrupt"));
+}

src/WalletFramework.Oid4Vc/Oid4Vci/AuthFlow/Models/AuthFlowSessionState.cs

@@ -11,14 +11,14 @@ public record IssuanceSession
     /// <summary>
     ///   Gets the session identifier.
     /// </summary>
-    public VciSessionId SessionId { get; }
+    public AuthFlowSessionState AuthFlowSessionState { get; }
 
     /// <summary>
     ///  Gets the actual authorization code that is received from the authorization server upon successful authorization.
     /// </summary>
     public string Code { get; }
 
-    private IssuanceSession(VciSessionId sessionId, string code) => (SessionId, Code) = (sessionId, code);
+    private IssuanceSession(AuthFlowSessionState authFlowSessionState, string code) => (AuthFlowSessionState, Code) = (authFlowSessionState, code);
 
     /// <summary>
     ///    Creates a new instance of <see cref="IssuanceSession"/> from the given <see cref="Uri"/>.
@@ -36,9 +36,9 @@ public static IssuanceSession FromUri(Uri uri)
             throw new InvalidOperationException("Query parameter 'code' is missing");
         }
 
-        var sessionIdParam = queryParams.Get("session");
-        var sessionId = VciSessionId.ValidSessionId(sessionIdParam).Fallback(VciSessionId.CreateSessionId());
+        var sessionStateParam = queryParams.Get("state");
+        var authFlowSessionState = AuthFlowSessionState.ValidAuthFlowSessionState(sessionStateParam).Fallback(AuthFlowSessionState.CreateAuthFlowSessionState());
 
-        return new IssuanceSession(sessionId, code);
+        return new IssuanceSession(authFlowSessionState, code);
     }
 }

src/WalletFramework.Oid4Vc/Oid4Vci/AuthFlow/Models/IssuanceSession.cs

@@ -19,6 +19,9 @@ internal record PushedAuthorizationRequest
 
     [JsonProperty("code_challenge_method")]
     public string CodeChallengeMethod { get; }
+    
+    [JsonProperty("state", NullValueHandling = NullValueHandling.Ignore)]
+    public string AuthFlowSessionState { get; }
 
     [JsonProperty("authorization_details", NullValueHandling = NullValueHandling.Ignore)]
     public AuthorizationDetails[]? AuthorizationDetails { get; }
@@ -39,7 +42,7 @@ internal record PushedAuthorizationRequest
     public string? Resource { get; }
 
     public PushedAuthorizationRequest(
-        VciSessionId sessionId,
+        AuthFlowSessionState authFlowSessionState,
         ClientOptions clientOptions,
         AuthorizationCodeParameters authorizationCodeParameters,
         AuthorizationDetails[]? authorizationDetails, 
@@ -49,10 +52,11 @@ public PushedAuthorizationRequest(
         string? resource)
     {
         ClientId = clientOptions.ClientId;
-        RedirectUri = clientOptions.RedirectUri + "?session=" + sessionId;
+        RedirectUri = clientOptions.RedirectUri;
         WalletIssuer = clientOptions.WalletIssuer;
         CodeChallenge = authorizationCodeParameters.Challenge;
         CodeChallengeMethod = authorizationCodeParameters.CodeChallengeMethod;
+        AuthFlowSessionState = authFlowSessionState;
         AuthorizationDetails = authorizationDetails;
         IssuerState = issuerState;
         UserHint = userHint;
@@ -79,6 +83,9 @@ public FormUrlEncodedContent ToFormUrlEncoded()
         if (!string.IsNullOrEmpty(CodeChallengeMethod))
             keyValuePairs.Add(new KeyValuePair<string, string>("code_challenge_method", CodeChallengeMethod));
 
+        if (!string.IsNullOrEmpty(AuthFlowSessionState))
+            keyValuePairs.Add(new KeyValuePair<string, string>("state", AuthFlowSessionState));
+        
         if (AuthorizationDetails != null)
             keyValuePairs.Add(new KeyValuePair<string, string>("authorization_details", SerializeObject(AuthorizationDetails)));
 

src/WalletFramework.Oid4Vc/Oid4Vci/AuthFlow/Models/PushedAuthorizationRequest.cs

@@ -12,14 +12,14 @@ namespace WalletFramework.Oid4Vc.Oid4Vci.AuthFlow.Records;
 public sealed class AuthFlowSessionRecord : RecordBase
 {
     /// <summary>
-    ///     The session specific id.
+    ///     The session specific state id.
     /// </summary>
     [JsonIgnore]
-    public VciSessionId SessionId
+    public AuthFlowSessionState AuthFlowSessionState
     {
-        get => VciSessionId
-            .ValidSessionId(Id)
-            .UnwrapOrThrow(new InvalidOperationException("SessionId is corrupt"));
+        get => AuthFlowSessionState
+            .ValidAuthFlowSessionState(Id)
+            .UnwrapOrThrow(new InvalidOperationException("AuthFlowSessionState is corrupt"));
         set
         {
             string str = value;
@@ -56,13 +56,13 @@ public AuthFlowSessionRecord()
     /// </summary>
     /// <param name="authorizationData"></param>
     /// <param name="authorizationCodeParameters"></param>
-    /// <param name="sessionId"></param>
+    /// <param name="authFlowSessionState"></param>
     public AuthFlowSessionRecord(
         AuthorizationData authorizationData,
         AuthorizationCodeParameters authorizationCodeParameters,
-        VciSessionId sessionId)
+        AuthFlowSessionState authFlowSessionState)
     {
-        SessionId = sessionId;
+        AuthFlowSessionState = authFlowSessionState;
         RecordVersion = 1;
         AuthorizationCodeParameters = authorizationCodeParameters;
         AuthorizationData = authorizationData;
@@ -90,7 +90,7 @@ public static JObject EncodeToJson(this AuthFlowSessionRecord record)
     public static AuthFlowSessionRecord DecodeFromJson(JObject json)
     {
         var idJson = json[nameof(RecordBase.Id)]!.ToObject<JValue>()!;
-        var id = VciSessionIdFun.DecodeFromJson(idJson);
+        var id = AuthFlowSessionStateFun.DecodeFromJson(idJson);
 
         var authCodeParameters = JsonConvert.DeserializeObject<AuthorizationCodeParameters>(
             json[AuthorizationCodeParametersJsonKey]!.ToString()

src/WalletFramework.Oid4Vc/Oid4Vci/AuthFlow/Models/VciSessionId.cs

@@ -46,9 +46,6 @@ public static Option<AuthorizationCode> OptionalAuthorizationCode(JToken authori
             .GetByKey("authorization_server")
             .OnSuccess(token => token.ToString())
             .ToOption();
-
-        if (issuerState.IsNone && authServer.IsNone)
-            return Option<AuthorizationCode>.None;
 
         return new AuthorizationCode(issuerState, authServer);
     }