openidUtils

package
v1.0.8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 10, 2023 License: Apache-2.0 Imports: 14 Imported by: 0

README

UHC-Logo

Go to main

OpenID Utils

This package contains funtions, structs and methods to implement OIDC and FAPI.

OIDC (OpenID Connect)

OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party OpenID provider service (OP).

OIDC is an identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User. Specifically, a system entity called an OpenID Provider (OP) can issue JSON-formatted identity tokens and verified claims to OIDC relying parties (RP) via a RESTful HTTP API (the OP is the an identity service). The OP establishes trust with other applications and services while using a single digital identity (it can be a DID with a universal health identifier for training and health).

Federated identity is a way to use an account from one identity service (OP) to create an account and log in to a different site. There are two main players in a federated identity system: an OpenID Provider (OP) and a Service Provider (SP), which is a relaying party (RP, e.g.: an API service distinct to the OP).

OIDC Issuer Discovery

OIDC Issuer discovery is the process of determining the location of the OpenID Provider. It is optional in case of a Relying Party (e.g.: a client app) can know the OP's Issuer location through an out-of-band mechanism. For example, a DIDComm OOB message encoded in a QR code can be scanned by a client app to get the configuration information of an OIDC Issuer.

When a client app have to retrieve online the configuration information of an OIDC Issuer, it is required to be accesible in the Issuer's well-known location, e.g.: https://identity.organization-name.example.com/.well-known/openid-configuration. This discovery document has the "issuer" endpoint, which is the OICD Issuer URL (https URL scheme with no query or fragment component, e.g.: https://identity.organization-name.example.com/). Both access tokens and responses issued will contain the Issuer URL in the "iss" payload's field, and all the requests and access tokens accepted by the Issuer (FAPI Security Profile 1.0 - Advanced) will contain at least this Issuer URL in the audience field ("aud").

Financial-grade API (FAPI)

Financial-grade API (FAPI) is an industry-led specification developed by the OpenID Foundation.

While the FAPI 2.0 Security Profile was initially developed with a focus on financial applications, it is designed to be universally applicable for protecting APIs exposing high-value and sensitive (personal and other) data, for example, in e-health and e-government applications.

FAPI utilizes both JWT-secured authorisation request (JAR) and JWT-secured authorisation response (JARM).

JWT-secured authorisation request (JAR)

When using the HTTP protocol and the HTTP POST method, the parameters of the HTTP request are serialized using Form Serialization (OICD Core - Section 13.2).

The HTTP header Content-type is application/x-www-form-urlencoded.

Although different parameters are required as per OAuth 2.0, OpenID and JAR specifications, FAPI ignore all except the "request" parameter, which in FAPI it is a compact JWS containing the Request Object as payload.

The parameters for the HTTP request are explained below:

  • "request": the JWT data container, named "Request Object", in compact JWT serialization.

  • "client_id": duplicated from the Request Object's payload (required by Section 5 of JAR, but ignored by FAPI and UHC).

Additionally, if the client app is not using pushed authentication request (PAR), the client app can send duplicates of the "response_type" and "scope" parameters/values using the OAuth 2.0 request syntax as required by Section 6.1 of the OpenID Connect specification, but they are ignored by FAPI and UHC specifications.

JWT-secured authorisation response (JARM)

The JWT data container is named "Response Document". The Response Document can be sent in an HTTP response in two different ways, depending on the "response_type" property specified in the JAR:

  • As a Redirect URL, with the Response Document in compact JWT as the "response" parameter.

  • As a Form Post Response, where the OP returns an HTML web page containing an HTML form with the Response Document in compact JWT as the "response" parameter in the HTML form. The HTML web page contains a script to cause the auto-submission of the form the Client software application, so the Client will be able to process the message without regard for the mechanism by which the form submission was initiated.

UHC messaging encapsulation

UHC extends OIDC and FAPI with both DIDComm and JSON:API specificactions and uses Post-Quantum Computing (PQC) algorithms instead of the traditional non-PQC resistant ones. See DIDComm Utils.

Documentation

Index

Constants

View Source 
const AccessTokenHeaderType = "at+jwt"

AccessTokenHeaderType definition: https://datatracker.ietf.org/doc/html/rfc9068#section-2 The "typ" value used SHOULD be "at+jwt", preventing OpenID Connect ID Tokens from being accepted as access tokens.

View Source 
const AuthorizationBearerType = "Bearer"
View Source 
const DPoPHeaderType = "dpop+jwt"

Variables

View Source 
var (
	ErrAccessTokenInvalid                    = `invalid access token`
	ErrAccessTokenWrongType                  = `invalid JWT access token type`
	ErrAccessTokenUnsupportedAlgorithm       = `unsupported algorithm for access token`
	ErrAccessTokenMissingIssuerKid           = `the issuer's keyID does not exist in the access token`
	ErrAccessTokenMissingRequiredPayloadData = `required data is missing in the access token`
	ErrAccessTokenExpired                    = `the access token is expired`
)
View Source 
var (
	ErrEmptyData               = errors.New("the data is empty")
	ErrOpenidInvalidRequest    = "invalid_request"
	ErrOpenidInvalidToken      = "invalid_token"
	ErrOpenidInsufficientScope = "insufficient_scope"

	ErrServerError = "server encountered an unexpected condition"

	ErrUnauthorized_client     = "client is not authorized to request"
	ErrAccessDenied            = "resource owner or authorization server denied the request"
	ErrUnsupportedResponseType = "unsupported response type"
	ErrInvalidScope            = "request scope is invalid, unknown or malformed"
	ErrTemporarilyUnavailable  = "authorization server is currently unable to handle the request" //due to a temporary overloading or maintenance of the server
)
View Source 
var (
	ErrDPoPInvalid                    = `invalid DPoP token`
	ErrDPoPMissingRequiredPayloadData = `required "htu", "htm", and/or "iat" data is missing in the DPoP token`
	ErrDPoPAccessTokenHashMissing     = `access token hash "ath" is missing in the DPoP token`
	ErrDPoPAccessTokenMismatch        = `access token hash does not match with the DPoP token`
	ErrDPoPMismatchHttpMethod         = `the HTTP method does not match in the DPoP token`
	ErrDPoPMismatchHttpURL            = `the URL does not match in the DPoP token`
	ErrDPoPExpired                    = `the DPoP token is expired`
	ErrDPoPUnsupportedAlgorithm       = `unsupported algorithm for DPoP token`
	ErrDPoPUnsupportedKey             = `unsupported JSON Web Key for DPoP token`
)
View Source 
var CreateCredentialResponse = func(vc *map[string]interface{}, nonce *string, expiration *int) (*ResponseCredential, error) {
	if vc == nil || expiration == nil || *expiration < time.Now().Second() {
		return nil, errors.New("bad format to create the response")
	}

	responseCredential := &ResponseCredential{
		Format:     "",
		Credential: "",
		Cnonce:     *nonce,
		CnonceExp:  *expiration,
	}

	return responseCredential, nil
}

It returns the standardized OpenID properties. The credential is in JWT format with "jti"="c_nonce" and "nbf"="c_nonce_expires_in" (expiration in UNIX seconds, not ms.) When the organization issues a credential for its employees, the expiration time can be: - none if it is a non limited time relatioship; - or limited to the duration of the contract. The active jti (c_nonce) can be revoked at any time so a third party SHOULD check the validity of the credential.

View Source 
var CreateResponseOAuthToken = func(accessToken, idToken, scope *string, expiration int) (*ResponseOauthAccessToken, error) {
	if accessToken == nil || scope == nil || expiration < time.Now().Second() {
		return nil, errors.New("bad format to create the response")
	}

	responseOAuthAccessToken := &ResponseOauthAccessToken{
		AccessToken:   *accessToken,
		ExpiresIn:     expiration,
		TokenType:     "bearer",
		Scope:         *scope,
		IdentityToken: idToken,
	}

	return responseOAuthAccessToken, nil
}

It returns the standardized OAuth2 properties. expiration (exp) are seconds, not miliseconds.

View Source 
var GetAppAliasByAudience = func(jwtAudience []string) string {
	parts := strings.Split(jwtAudience[0], "/")
	partsLength := len(parts)

	if partsLength == 1 {
		return parts[0]
	}
	if partsLength >= 3 {
		return parts[partsLength-2]
	}
	return ""
}

TODO: review audience

View Source 
var GetSignKeyInHeaderJWT = func(inputHeaderB64URL string) *jwkUtils.JWK {
	headerBytes, _ := base64.RawURLEncoding.DecodeString(inputHeaderB64URL)
	var headerOpenid OpenidHeaders
	_ = json.Unmarshal(headerBytes, &headerOpenid)

	if headerOpenid.HeaderAlgorithm == nil {
		return nil
	}
	algorithm := *headerOpenid.HeaderAlgorithm

	if headerOpenid.HeaderJSONWebKey != nil {
		headerAlg := headerOpenid.HeaderJSONWebKey.Alg
		if headerAlg == algorithm {

			return headerOpenid.HeaderJSONWebKey
		}
	}

	if headerOpenid.HeaderJSONWebKeySet != nil {
		jwkArray := headerOpenid.HeaderJSONWebKeySet.SearchJWKeyByAlg(algorithm)
		if len(*jwkArray) == 1 {

			jwk := *jwkArray
			jwk1 := jwk[0]
			return &jwk1

		}
		if len(*jwkArray) > 1 {
			if headerOpenid.HeaderKeyID != nil {
				for _, jwk := range *jwkArray {
					if jwk.Kid == *headerOpenid.HeaderKeyID {
						return &jwk

					}
				}
			}
		}
	}
	return nil
}
View Source 
var TemplateResponseFormOauth2 = `
	<input {{with .ID}}id="{{.}}"{{end}} 
		type="{{.Type}}" 
		name="{{.Name}}" 
		{{with .Value}}value="{{.}}"{{end}}>
`

https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseExample https://github.com/joncalhoun/form

View Source 
var TemplateResponsePageJARM = `` /* 168-byte string literal not displayed */

https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseExample https://github.com/joncalhoun/form

Functions

func CheckAudience 

func CheckAudience(audience string, didDocument *didDocumentUtils.DidDoc) bool

CheckAudience checks both the received audience(s) contains URLs ("http://" is allows only for localhost and "https" is required for other URLs) and the audience claim list contains the expected audience (but only it "expected" is not an empty string). The "aud" in UHC identifies at the same time: - the "software_id" (e.g.: professional-app-example), and - the Issuer's URL (e.g.: http://identity.professional-app-example.test-organization.localhost:8006/)

func CheckBearerHeaderDataJWT 

func CheckBearerHeaderDataJWT(dataJWT *joseUtils.DataJWT) (errMsg *string)

CheckBearerHeaderDataJWT returns DataJWT (can be nil) and error message (can be empty) after checking: - mandatory fields exist in the Access Token header ("alg", "jwk", "typ") and are supported. - checks the mandatory fields exist in the Access Token payload ("aud", "iss", "exp", "nbf", "sub") and additionally match with the provided ones (optional).

func CheckBearerPayloadDataJWT 

func CheckBearerPayloadDataJWT(bearerDataJWT *joseUtils.DataJWT, audience, issuer, subject, client *string, expiry, notBefore int64) (errMsg *string)

CheckBearerPayloadDataJWT checks the mandatory fields exist and additionally match with the provided ones (optional):

  • "aud": Audience of the JWT, in UHC it is the "software_id" (app URL) for the "client_id" (profile role)
  • "iss": Issuer organization's identity DID.
  • "sub":Subject in UHC refers to a person (DID of an employee in an organization or a personal DID). When no resource owner is involved "sub" SHOULD correspond to the client application identifier ("client_id").
  • "client_id": cryptographic signature identifier of an employee who performs a role in a department (DID#kid),
  • "exp": Expiry of the JWT. of a patient or of an authorized person: legal guardian, family member or caregiver.
  • "iat": It identifies the time at which the JWT access token was issued.
  • "jti": The ID of the issued JWT.

func CheckCodeChallengeLength 

func CheckCodeChallengeLength(codeChallenge string) bool

CheckCodeChallengeLength checks the "code_challenge" is between 43 and 128 characters as per the OpenID specification (it is the SHA-256 hash result of a random challenge generated by the client application, base64url encoded).

func CheckCompactAccessToken 

func CheckCompactAccessToken(compactJWT *string, audience, issuer, subject, client *string, expiry, notBefore int64) (*joseUtils.DataJWT, string)

CheckCompactAccessToken returns DataJWT (can be nil) and error message (can be empty) after checking: - mandatory fields exist in the DPoP header ("alg", "kid", "typ") and are supported. - checks the mandatory fields exist for the access token ("aud", "iss", "exp", "nbf", "sub").

func CheckCompactDPoP 

func CheckCompactDPoP(dpopCompactJWT *string, accessToken, httpMethod, httpURL *string) (*joseUtils.DataJWT, string)

CheckCompactDPoP returns DataJWT (can be nil) and error message (can be empty) after checking: - mandatory fields exist in the DPoP header ("alg", "jwk", "typ") and are supported. - mandatory fields in the DPoP payload exist and are valid: "jti", "iat" (and not expired), "htm" and "htu" match with the provided ones (optional). Additionally it checks: - the "ath" value which is the SHA-256 [SHS] hash of the ASCII encoding of the access token. - the "nonce" value (the parent function has stored it previously to authorize the request).

func CheckDPoPTokenHeaderDataJWT 

func CheckDPoPTokenHeaderDataJWT(dpopDataJWT *joseUtils.DataJWT) (errMsg *string)

CheckDPoPTokenHeaderDataJWT checks that the mandatory fields exist ("alg", "jwk", "typ") and are supported.

func CheckDPoPTokenPayloadDataJWT 

func CheckDPoPTokenPayloadDataJWT(dpopDataJWT *joseUtils.DataJWT, accessToken, httpMethod, httpURL *string) (errMsg *string)

CheckDPoPTokenPayloadDataJWT checks that the mandatory fields exist ("htm", "htu", "iat", "jti" and additionally: - the "ath" value which is the SHA-256 [SHS] hash of the ASCII encoding of the access token. - the "nonce" value (the parent function has stored it previously to authorize the request).

func CheckDataAccessToken 

func CheckDataAccessToken(compactJWT *joseUtils.DataJWT, audience, issuer, subject, client *string, expiry, notBefore int64) (*joseUtils.DataJWT, string)

CheckDataAccessToken returns DataJWT (can be nil) and error message (can be empty) after checking: - mandatory fields exist in the Access Token header ("alg", "jwk", "typ") and are supported. - checks the mandatory fields exist in the Access Token payload ("aud", "iss", "exp", "nbf", "sub") and additionally match with the provided ones (optional).

func CheckDataDPoP 

func CheckDataDPoP(dpopDataJWT *joseUtils.DataJWT, accessToken, httpMethod, httpURL *string) (*joseUtils.DataJWT, string)

CheckDataDPoP returns DataJWT (can be nil) and error message (can be empty) after checking: - mandatory fields exist in the DPoP header ("alg", "jwk", "typ") and are supported. - mandatory fields in the DPoP payload exist and are valid: "jti", "iat" (and not expired), "htm" and "htu" match with the provided ones (optional). Additionally it checks: - the "ath" value which is the SHA-256 [SHS] hash of the ASCII encoding of the access token. - the "nonce" value (the parent function has stored it previously to authorize the request).

func CheckIssuerDidKidURI 

func CheckIssuerDidKidURI(issuer string, expectedIssuerDidKid string) bool

CheckIssuerDidKidURI checks the "iss" URI is a DID with a keyID fragment (#). (private_key_jwt authentication method as specified in section 9 of OIDC).

func CheckRequiredScopes 

func CheckRequiredScopes(scopeClaim string, requiredScopes []string) bool

CheckRequiredScopes generates an slice (array) with each of the matched scopes and returns true if the length of the resulting slice is equal to the length of the required scopes slice.

func CheckTimeValidation 

func CheckTimeValidation(nbf, exp int64) bool

CheckTimeValidation cheks both: - the "nbf" field is no longer than 60 minutes in the past. - the "exp" field has a lifetime of no longer than 60 minutes after the "nbf" field.

func CreateResponseRedirectUrlFragmentJARM 

func CreateResponseRedirectUrlFragmentJARM(redirectUrl string, compactResponseJWT string) string

CreateResponseRedirectUrlFragmentJARM returns a HTTP Redirect URL with an OpenID Response Object in compact JWT format (JWS/JWE) concatenated to the redirect URI as "<redirect_URI>#response=<the_compact_JWT>" where the JARM Response Object contains the data in the payload. Because the Response Document can be a DIDComm message (it adds "body" and "attachments" properties to the payload), a CRUDS operation API response will set the JSON data in the "body.data" as per both DIDComm and JSON:API specifications. and additional verifiable credentials or detached signatures can be set in the DIDComm "attachments". The JARM Response Object can be signed and optionally encrypted (nested JWT in a JWE) so a signed DIDComm message can be enveloped in a DIDComm encrypted message.

func CreateResponseRedirectedUrlQueryJARM 

func CreateResponseRedirectedUrlQueryJARM(redirectUrl string, compactResponseJWT string) string

CreateResponseRedirectedUrlQueryJARM returns a HTTP Redirect URL with an OpenID Response Object in compact JWT format (JWS/JWE) concatenated to the redirect URI as "<redirect_URI>?response=<the_compact_JWT>" where the JARM Response Object contains the data in the payload. Because the Response Document can be a DIDComm message (it adds "body" and "attachments" properties to the payload), a CRUDS operation API response will set the JSON data in the "body.data" as per both DIDComm and JSON:API specifications. and additional verifiable credentials or detached signatures can be set in the DIDComm "attachments". The JARM Response Object can be signed and optionally encrypted (nested JWT in a JWE) so a signed DIDComm message can be enveloped in a DIDComm encrypted message.

func GetAudiences 

func GetAudiences(audience string) []string

GetAudiences converts audience claim to string slice, with compatibility not only for comma separated but for comma-space and space too.

func GetScopes 

func GetScopes(scope string) []string

GetScopesList converts scope claim to string slice, with compatibility not only for space separated but for comma and comma-space too.

func ParseAudiences 

func ParseAudiences(scopes []string) string

ParseAudiences joins the slice into a whitespace-separated string.

func ParseScopes 

func ParseScopes(scopes []string) string

ParseScopes joins the slice into a whitespace-separated string.

func ResponseDocumentByResponseType 

func ResponseDocumentByResponseType()

ResponseDocumentByResponseType writes an HTTP JARM Response based on the ResponseType sent in the Request - code: it returns a Redirect URI concatenated with fragment ("#") - token: it returns a Redirect URI concatenated with a query ("?") - didcomm-uhc+json: returns a DIDComm v2 message signed and optionally encrypted based on the Registered Client App.

Types

type AccessTokenHeader 

type AccessTokenHeader struct {
	// For JWS: the cryptographic algorithm the issuer used to secure the JWS.
	Algorithm string `json:"alg,omitempty" bson:"alg,omitempty"` // "none" is only allowed for testing purposes.

	// For JWS: indicating which key the issuer used to secure the JWS.
	KeyID string `json:"kid,omitempty" bson:"kid,omitempty"` // JWK Thumbprint.

	// For JWS: used by JWS applications to declare the media type of this complete JWS.
	Type string `json:"typ,omitempty" bson:"typ,omitempty"` // "at+jwt".
}
	OpenidHeadersAccessToken structure.
	The JOSE header of an Access Token JWT MUST contain at least following parameters:
  *  "alg": a digital signature algorithm identifier such as per [RFC7518]. MUST NOT be "none".
  *  "kid": thumbprint of the JWK representing the public key used by the issuer
  *  "typ": with value "at+jwt", preventing OpenID Connect ID Tokens from being accepted as access tokens.
	See  https://datatracker.ietf.org/doc/html/rfc9068#section-2

type AccessTokenPayload 

type AccessTokenPayload struct {
	Audience    string `json:"aud,omitempty" bson:"aud,omitempty"`
	ClientID    string `json:"client_id,omitempty" bson:"client_id,omitempty"`
	Expiry      int64  `json:"exp,omitempty" bson:"exp,omitempty"`
	IssuedAt    int64  `json:"iat,omitempty" bson:"iat,omitempty"`
	Issuer      string `json:"iss,omitempty" bson:"iss,omitempty"`
	JSONTokenID string `json:"jti,omitempty" bson:"jti,omitempty"`
	Scope       string `json:"scope,omitempty" bson:"scope,omitempty"`
	Subject     string `json:"sub,omitempty" bson:"sub,omitempty"`
}
	AccessTokenPayload structure.
	The payload of a JWT access token MUST contain at least the following claims:
	- "iss": REQUIRED. Issuer organization's identity DID.
	- "exp": REQUIRED. Expiry of the JWT.
	- "sub": REQUIRED. Subject in UHC refers to a person (DID of an employee in an organization or a personal DID).
 When no resource owner is involved "sub" SHOULD correspond to the client application identifier ("client_id").
	- "client_id": REQUIRED.
	In UHC, it is the cryptographic signature identifier of an employee who performs a role in a department (DID#kid),
	of a patient or of an authorized person: legal guardian, family member or caregiver.
	- "aud": REQUIRED. Audience of the JWT, it should be the "software_id" for the "client_id" (profile role)
	- "iat":  REQUIRED - as defined in Section 4.1.6 of [RFC7519]. It identifies the time at which the JWT access token was issued.
	- "jti":  REQUIRED - as defined in Section 4.1.7 of [RFC7519].

Authorization claim: If an authorization request includes a scope parameter, it SHOULD include a "scope" claim. - "scope": CONDITIONAL - as defined in Section 4.2 of [RFC8693].

SCIM: System for Cross-domain Identity Management (to be defined in an "id_token" or "vp_token" for the frontend): Memberships in roles and groups that are relevant to the resource being accessed, entitlements assigned to the resource owner for the targeted resource that the authorization server knows about, etc.

  • "groups": OPTIONAL. In UHC, they are the departments (healthcare services) a practitioner role ("sub") belongs to. Example: [{"value": <department DID>, "display": <official name>}]
  • "roles": OPTIONAL. In UHC, it refers to one or more professional SNOMED roles (e.g: generic M.D. and specialty).
  • "entitlements": OPTIONAL. In UHC, they can be the qualifications a practitioner role has. Example: [{"value": <qualification DID>, "display": <official title>}]

See: https://datatracker.ietf.org/doc/html/rfc7643.

Additionally: - "auth_time": OPTIONAL - as defined in Section 2 of [OpenID.Core]. - "acr": OPTIONAL - as defined in Section 2 of [OpenID.Core]. - "amr": OPTIONAL - as defined in Section 2 of [OpenID.Core].

type Claims 

type Claims OpenidPayload

Claims defines JSON Web Token Claims (https://tools.ietf.org/html/rfc7519#section-4)

type DPoPHeader 

type DPoPHeader struct {
	// For JWS: the cryptographic algorithm used to secure the JWS.
	Algorithm string `json:"alg,omitempty" bson:"alg,omitempty"`

	// For JWS: the public key that corresponds to the key used to digitally sign the JWS.
	JSONWebKey jwkUtils.JWK `json:"jwk,omitempty" bson:"jwk,omitempty"` // sender's public verification key

	// For JWS: used by JWS applications to declare the media type of this complete JWS.
	Type string `json:"typ,omitempty" bson:"typ,omitempty"` // "dpop+jwt"
}
	DPoPHeader structure.
	The JOSE header of a DPoP JWT MUST contain at least following parameters:
  *  "alg": a digital signature algorithm identifier such as per [RFC7518].
 	MUST NOT be none or an identifier for a symmetric algorithm (MAC).
  *  "jwk": representing the public key chosen by the client, in JSON Web Key (JWK) [RFC7517] format,
 	as defined in Section 4.1.3 of [RFC7515].  MUST NOT contain a private key.
  *  "typ": with value dpop+jwt, which explicitly types the DPoP proof JWT as recommended in Section 3.11 of [RFC8725].
	See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-11#section-4.2

type DPoPPayload 

type DPoPPayload struct {
	AccessTokenHash string `json:"ath,omitempty" bson:"ath,omitempty"`
	HttpMethod      string `json:"htm,omitempty" bson:"htm,omitempty"`
	HttpURL         string `json:"htu,omitempty" bson:"htu,omitempty"`
	IssuedAt        int64  `json:"iat,omitempty" bson:"iat,omitempty"`
	JSONTokenID     string `json:"jti,omitempty" bson:"jti,omitempty"`
	Nonce           string `json:"nonce,omitempty"  bson:"nonce,omitempty"`
}
	DPoPPayload structure.
  The payload of a DPoP proof MUST contain at least the following claims:
  *  "htm": The HTTP method of the request to which the JWT is attached, as defined in [RFC9110].
  *  "htu": The HTTP target URI (Section 7.1 of [RFC9110]), without query and fragment parts.
  *  "iat": Creation timestamp of the JWT (Section 4.1.6 of [RFC7519]).
  *  "jti": Unique identifier for the DPoP proof JWT (e.g.: by using a version 4 UUID string according to [RFC4122]).
 	The jti can be used by the server for replay detection and prevention, see Section 11.1: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-11#section-11.1

  When the DPoP proof is used in conjunction with the presentation of an access token in protected resource access
  the DPoP proof MUST also contain the following claim:

  *  "ath": hash of the access token.  The value MUST be the result of a base64url encoding (Section 2 of [RFC7515])
 	the SHA-256 [SHS] hash of the ASCII encoding of the associated access token's value.

  When the authentication server or resource server provides a DPoP-Nonce HTTP header in a response (Section 8, Section 9),
  the DPoP proof MUST also contain the following claim:

  *  "nonce": A recent nonce provided via the DPoP-Nonce HTTP header (avoid replay attacks)

type DescriptorMapNested1 

type DescriptorMapNested1 struct {
	ID         string               `json:"id,omitempty" bson:"id,omitempty"`
	Format     string               `json:"format,omitempty" bson:"format,omitempty"`
	Path       string               `json:"path,omitempty" bson:"path,omitempty"`
	PathNested DescriptorMapNested2 `json:"path_nested,omitempty" bson:"path_nested,omitempty"`
}

type DescriptorMapNested2 

type DescriptorMapNested2 struct {
	ID     string `json:"id,omitempty" bson:"id,omitempty"`
	Format string `json:"format,omitempty" bson:"format,omitempty"`
	Path   string `json:"path,omitempty" bson:"path,omitempty"`
}

type DescriptorMapping 

type DescriptorMapping struct {
	ID         string               `json:"id,omitempty" bson:"id,omitempty"`
	Format     string               `json:"format,omitempty" bson:"format,omitempty"`
	Path       string               `json:"path,omitempty" bson:"path,omitempty"`
	PathNested DescriptorMapNested1 `json:"path_nested,omitempty" bson:"path_nested,omitempty"`
}

DescriptorMapping has

  • 'id' property. The value of this property MUST be a string that matches the id property of the Input Descriptor in the Presentation Definition that this Presentation Submission is related to.
  • 'format' property. The value of this property MUST be a string that matches one of the Claim Format Designation. This denotes the data format of the Claim.
  • 'path' property. The value of this property MUST be a JSONPath string expression. The path property indicates the Claim submitted in relation to the identified Input Descriptor, when executed against the top-level of the object the Presentation Submission is embedded within.
  • 'path_nested' object to indicate the presence of a multi-Claim envelope format. This means the Claim indicated is to be decoded separately from its parent enclosure. The format of a path_nested object mirrors that of a descriptor_map property. The nesting may be any number of levels deep. The id property MUST be the same for each level of nesting. The path property inside each path_nested property provides a relative path within a given nested value.

type JARHeader 

type JARHeader struct {
	Bearer joseUtils.DataJWT `json:"bearer,omitempty" bson:"bearer,omitempty"` // decoded Bearer (signature is removed before storage)
	DPoP   joseUtils.DataJWT `json:"dpop,omitempty" bson:"dpop,omitempty"`     // decoded DPoP (signature is removed before storage)
}

JARHeader only contains data that can be sent by bluetooth: - decoded "Bearer" Access Token (to check scopes). - decoded "DPoP" token (to avoid replay attacks), which contains in the payload "nonce", "htm" (HTTP Method), "htu" (target URL without query and fragment parts).

type JWTCredClaims 

type JWTCredClaims struct {
	Claims *OpenidPayload

	VC map[string]interface{} `json:"vc,omitempty"`
}

JWTCredClaims is JWT Claims extension by Verifiable CredentialAries (with custom "vc" claim).

type OpenidAccessTokenResponseData 

type OpenidAccessTokenResponseData struct {
	AccessToken  string  `json:"access_token,omitempty" bson:"access_token,omitempty"` // compactJWS: the access token issued by the authorization server.
	TokenType    string  `json:"type,omitempty" bson:"type,omitempty"`                 // fixed to "bearer"
	ExpiresIn    int64   `json:"expires_in,omitempty" bson:"expires_in,omitempty"`     // The lifetime in seconds of the access token. The recommended value is 300, for a five-minute token lifetime.
	Scope        string  `json:"scope,omitempty" bson:"scope,omitempty"`               // Scope of access authorized. Note that this can be different from the scopes requested by the app.
	RefreshToken *string `json:"refresh_token,omitempty" bson:"refresh_token,omitempty"`
	IDToken      *string `json:"id_token,omitempty" bson:"id_token,omitempty"`
}

using snake_case because of JWT standard claims: https://www.iana.org/assignments/jwt/jwt.xhtml#claims

type OpenidClientAppConfig 

type OpenidClientAppConfig struct {
	ClientID   string
	ReverseDNS string
	Config     OpenidProviderAppMetadata
}

OpenidClientAppConfig TODO: ClientID will be always the ReverseDNS?

type OpenidHeaders 

type OpenidHeaders struct {
	HeaderCompression *string `json:"zip,omitempty" bson:"zip,omitempty"`     // CompressionAlgorithm
	HeaderNonce       *string `json:"nonce,omitempty" bson:"nonce,omitempty"` // string
	HeaderB64         *string `json:"b64"  bson:"b64,omitempty"`              // bool
	HeaderIV          *string `json:"iv" bson:"iv,omitempty"`                 // *byteBuffer
	HeaderTag         *string `json:"tag,omitempty" bson:"tag,omitempty"`     // *byteBuffer

	// HeaderJSONWebKeySet in UHC is:
	// For JWS: array of public keys that corresponds to the sender's signature and encryption keys.
	// For JWE: do not use here
	HeaderJSONWebKeySet *jwkUtils.JWKeySet `json:"jwks,omitempty" bson:"jwks,omitempty"` // JSON

	// HeaderAlgorithm identifies:
	// For JWS: the cryptographic algorithm used to secure the JWS.
	// For JWE: the cryptographic algorithm used to encrypt or determine the value of the CEK.
	HeaderAlgorithm *string `json:"alg,omitempty" bson:"alg,omitempty"` // string

	// HeaderEncryption identifies the JWE content encryption algorithm.
	HeaderEncryption *string `json:"enc,omitempty" bson:"enc,omitempty"` // string

	// HeaderJWKSetURL is a URI that refers to a resource for a set of JSON-encoded public keys, one of which:
	// For JWS: corresponds to the key used to digitally sign the JWS.
	// For JWE: corresponds to the public key to which the JWE was encrypted.
	HeaderJWKSetURL *string `json:"jku,omitempty" bson:"jku,omitempty"` // string

	// HeaderJSONWebKey is:
	// For JWS: the public key that corresponds to the key used to digitally sign the JWS.
	// For JWE: the public key to which the JWE was encrypted.
	HeaderJSONWebKey *jwkUtils.JWK `json:"jwk,omitempty" bson:"jwk,omitempty"` // JSON

	// HeaderKeyID is a hint:
	// For JWS: indicating which key was used to secure the JWS (not used when the payload's "client_id" is a DID#KID URI)
	// For JWE: which references the public key to which the JWE was encrypted.
	HeaderKeyID *string `json:"kid,omitempty" bson:"kid,omitempty"` // string

	// HeaderSenderKeyID is a hint:
	// For JWS: not used.
	// For JWE: which references the (sender) public key used in the JWE key derivation/wrapping to encrypt the CEK.
	HeaderSenderKeyID *string `json:"skid,omitempty" bson:"skid,omitempty"` // string

	// HeaderX509URL is a URI that refers to a resource for the X.509 public key certificate or certificate chain:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509URL *string `json:"x5u" bson:"x5u,omitempty"`

	// HeaderX509CertificateChain contains the X.509 public key certificate or certificate chain:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509CertificateChain *string `json:"x5c" bson:"x5c,omitempty"`

	// HeaderX509CertificateDigest (X.509 certificate SHA-1 thumbprint) is a base64url-encoded
	// SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509CertificateDigestSha1 *string `json:"x5t" bson:"x5t,omitempty"`

	// HeaderX509CertificateDigestSha256 (X.509 certificate SHA-256 thumbprint) is a base64url-encoded SHA-256
	// thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509CertificateDigestSha256 *string `json:"x5t#S256,omitempty" bson:"x5t#S256,omitempty"` // string

	// HeaderType is:
	// For JWS: used by JWS applications to declare the media type of this complete JWS.
	// For JWE: used by JWE applications to declare the media type of this complete JWE.
	HeaderType *string `json:"typ,omitempty" bson:"typ,omitempty"` // string

	// HeaderContentType is used by JWS applications to declare the media type of:
	// For JWS: the secured content (the payload).
	// For JWE: the secured content (the plaintext).
	HeaderContentType *string `json:"cty,omitempty" bson:"cty,omitempty"` // string

	// HeaderCritical indicates that extensions to:
	// For JWS: this JWS header specification and/or JWA are being used that MUST be understood and processed.
	// For JWE: this JWE header specification and/or JWA are being used that MUST be understood and processed.
	HeaderCritical *[]string `json:"crit,omitempty" bson:"crit,omitempty"` // array

	// HeaderEPK is used by JWE applications to wrap/unwrap the CEK for a recipient.
	HeaderEPK *string `json:"epk,omitempty" bson:"epk,omitempty"` // JSON
}

see https://www.iana.org/assignments/jose/jose.xhtml

func (*OpenidHeaders) GetBytes 

func (headers *OpenidHeaders) GetBytes() (*[]byte, error)

GetBytes method returns the marshall to bytes or nil if error.

func (*OpenidHeaders) GetJSON 

func (headers *OpenidHeaders) GetJSON() (*map[string]interface{}, error)

GetJSON method returns a *map[string]interface{} with the JSON data or nil if error.

func (*OpenidHeaders) SetJSON 

func (headers *OpenidHeaders) SetJSON(headersJSON *map[string]interface{}) error

SetJSON method puts the given JSON data(*map[string]interface{}) to the OpenidHeaders struct

type OpenidPayload 

type OpenidPayload struct {
	// Claims for both request and response flows
	Audience    *string `json:"aud,omitempty" bson:"aud,omitempty"`
	Expiry      *int64  `json:"exp,omitempty" bson:"exp,omitempty"`
	IssuedAt    *int64  `json:"iat,omitempty" bson:"iat,omitempty"`
	Issuer      *string `json:"iss,omitempty" bson:"iss,omitempty"`
	JSONTokenID *string `json:"jti,omitempty"`
	Nonce       *string `json:"nonce,omitempty"  bson:"nonce,omitempty"`
	NotBefore   *int64  `json:"nbf,omitempty" bson:"nbf,omitempty"`
	Subject     *string `json:"sub,omitempty" bson:"sub,omitempty"`
	Scope       *string `json:"scope,omitempty" bson:"scope,omitempty"`
	State       *string `json:"state,omitempty"  bson:"state,omitempty"`
	LocalesUI   *string `json:"ui_locales,omitempty" bson:"ui_locales,omitempty"`
	LoginHint   *string `json:"login_hint,omitempty" bson:"login_hint,omitempty"`

	// Claims for request
	Assertion           *string `json:"assertion,omitempty" bson:"assertion,omitempty"`
	ClientID            *string `json:"client_id,omitempty" bson:"client_id,omitempty"`
	CodeChallenge       *string `json:"code_challenge,omitempty" bson:"code_challenge,omitempty"`     // when requesting a code
	CodeChallengeMethod *string `json:"code_challenge_method" bson:"code_challenge_method,omitempty"` // when requesting a code
	CodeVerifier        *string `json:"code_verifier,omitempty" bson:"code_verifier,omitempty"`       // when requesting a token
	GrantType           *string `json:"grant_type,omitempty" bson:"code_verifier,omitempty"`          // when requesting a code, it MUST be set to "authorization_code".
	RedirectURI         *string `json:"redirect_uri,omitempty" bson:"redirect_uri,omitempty"`
	ResponseType        *string `json:"response_type,omitempty" bson:"response_type,omitempty"` // e.g.: "code" or "access_token",

	// Claims for response
	Code *string `json:"code,omitempty" bson:"code,omitempty"`
}

see https://pkg.go.dev/go.step.sm/crypto and https://www.iana.org/assignments/jwt/jwt.xhtml urn:ietf:params:oauth:token-type:jwt and IANA "application/jwt" OpenidPayload represents public claim values (as specified in RFC 7519). - Client IP Address (cdniip) [optional] - The Client IP Address (cdniip) claim holds an IP address or IP prefix for which the Signed URI is valid. This is represented in CIDR notation with dotted decimal format for IPv4 addresses [RFC0791] or canonical text representation for IPv6 addresses [RFC5952]. The request MUST be rejected if sourced from a client outside the specified IP range. Since the Client IP is considered personally identifiable information, this field MUST be a JSON Web Encryption (JWE [RFC7516]) Object in compact serialization form - Universal Entity ID Claim (ueid): UEIDs are 33 bytes long (1 type byte and 256 bits). Type Byte 0x01 (RAND) is a 128, 192 or 256-bit random number generated once and stored in the entity (or the hash of a unique number). - Semi-permanent UEIDs (sueids) //An SEUID is of the same format as a UEID, but it MAY change to a different value on device life-cycle events. Examples of these events are change of ownership, factory reset and on-boarding into an IoT device management system. An entity MAY have both a UEID and SUEIDs, neither, one or the other. - ProofJSON-of-Possession Intended Use Claim (intended-use): An EAT consumer may require an attestation as part of an accompanying proof-of-possession (PoP) application. More precisely, a PoP transaction is intended to provide to the recipient cryptographically-verifiable proof that the sender has possession of a key. This kind of attestation may be necceesary to verify the security state of the entity storing the private key used in a PoP application.

func (*OpenidPayload) GetBytes 

func (payload *OpenidPayload) GetBytes() (*[]byte, error)

GetBytes method returns the marshall to bytes or nil if error.

func (*OpenidPayload) GetJSON 

func (payload *OpenidPayload) GetJSON() (*map[string]interface{}, error)

GetJSON method returns a *map[string]interface{} with the JSON data or nil if error.

func (*OpenidPayload) SetJSON 

func (payload *OpenidPayload) SetJSON(payloadJSON *map[string]interface{}) error

SetJSON method puts the given JSON data(*map[string]interface{}) to the OpenidHeaders struct

type OpenidProviderAppMetadata 

type OpenidProviderAppMetadata struct {
	Issuer                                    string    `json:"issuer" bson:"issuer"`                                                                                               // REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
	AuthorizationEndpoint                     string    `json:"authorization_endpoint" bson:"authorization_endpoint"`                                                               // REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core].
	TokenEndpoint                             *string   `json:"token_endpoint,omitempty" bson:"token_endpoint,omitempty"`                                                           // URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used.
	UserinfoEndpoint                          *string   `json:"userinfo_endpoint,omitempty" bson:"userinfo_endpoint,omitempty"`                                                     // RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
	JwksUri                                   string    `json:"jwks_uri" bson:"jwks_uri"`                                                                                           // REQUIRED.  URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
	RegistrationEndpoint                      *string   `json:"registration_endpoint,omitempty" bson:"registration_endpoint,omitempty"`                                             // RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint [OpenID.Registration].
	ScopesSupported                           *[]string `json:"scopes_supported,omitempty" bson:"scopes_supported,omitempty"`                                                       // RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported.
	ResponseTypesSupported                    []string  `json:"response_types_supported" bson:"response_types_supported"`                                                           // REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
	ResponseModesSupported                    *[]string `json:"response_modes_supported,omitempty" bson:"response_modes_supported,omitempty"`                                       // OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic OpenID Providers is ["query", "fragment"].
	GrantTypesSupported                       *[]string `json:"grant_types_supported,omitempty" bson:"grant_types_supported,omitempty"`                                             // OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types. If omitted, the default value is ["authorization_code", "implicit"].
	AcrValuesSupported                        *[]string `json:"acr_values_supported,omitempty" bson:"acr_values_supported,omitempty"`                                               // OPTIONAL. JSON array containing a list of the Authentication Context Class References that this OP supports.
	SubjectTypesSupported                     []string  `json:"subject_types_supported" bson:"subject_types_supported"`                                                             // REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public.
	IdTokenSigningAlgValuesSupported          []string  `json:"id_token_signing_alg_values_supported" bson:"id_token_signing_alg_values_supported"`                                 // REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported, but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow).
	IdTokenEncryptionAlgValuesSupported       *[]string `json:"id_token_encryption_alg_values_supported,omitempty" bson:"id_token_encryption_alg_values_supported,omitempty"`       // OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT].
	IdTokenEncryptionEncValuesSupported       *[]string `json:"id_token_encryption_enc_values_supported,omitempty" bson:"id_token_encryption_enc_values_supported,omitempty"`       // OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT].
	UserinfoSigningAlgValuesSupported         *[]string `json:"userinfo_signing_alg_values_supported,omitempty" bson:"userinfo_signing_alg_values_supported,omitempty"`             // OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included.
	UserinfoEncryptionAlgValuesSupported      *[]string `json:"userinfo_encryption_alg_values_supported,omitempty" bson:"userinfo_encryption_alg_values_supported,omitempty"`       // OPTIONAL. JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].
	UserinfoEncryptionEncValuesSupported      *[]string `json:"userinfo_encryption_enc_values_supported,omitempty" bson:"userinfo_encryption_enc_values_supported,omitempty"`       // OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].
	RequestObjectSigningAlgValuesSupported    *[]string `json:"request_object_signing_alg_values_supported,omitempty" bson:"request_object_signing_alg_values_supported,omitempty"` // OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support none and RS256.
	RequestObjectEncryptionAlgValuesSupported *[]string ``                                                                                                                          // OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by reference.
	/* 127-byte string literal not displayed */
	RequestObjectEncryptionEncValuesSupported *[]string `` // OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by reference.
	/* 127-byte string literal not displayed */
	TokenEndpointAuthMethodsSupported          *[]string `json:"token_endpoint_auth_methods_supported,omitempty" bson:"token_endpoint_auth_methods_supported,omitempty"` // OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HttpHeaders Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749].
	TokenEndpointAuthSigningAlgValuesSupported *[]string ``                                                                                                              // OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used.
	/* 131-byte string literal not displayed */
	DisplayValuesSupported        *[]string `json:"display_values_supported,omitempty" bson:"display_values_supported,omitempty"`                 // OPTIONAL. JSON array containing a list of the display parameter values that the OpenID Provider supports. These values are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core].
	ClaimTypesSupported           *[]string `json:"claim_types_supported,omitempty" bson:"claim_types_supported,omitempty"`                       // OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims.
	ClaimsSupported               *[]string `json:"claims_supported,omitempty" bson:"claims_supported,omitempty"`                                 // RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
	ServiceDocumentation          *string   `json:"service_documentation,omitempty" bson:"service_documentation,omitempty"`                       // OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients needs to be provided in this documentation.
	ClaimsLocalesSupported        *string   `json:"claims_locales_supported,omitempty" bson:"claims_locales_supported,omitempty"`                 // OPTIONAL. Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47 [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values.
	UiLocalesSupported            *string   `json:"ui_locales_supported,omitempty" bson:"ui_locales_supported,omitempty"`                         // OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646] language tag values.
	ClaimsParameterSupported      *bool     `json:"claims_parameter_supported,omitempty" bson:"claims_parameter_supported,omitempty"`             // OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. If omitted, the default value is false.
	RequestParameterSupported     *bool     `json:"request_parameter_supported,omitempty" bson:"request_parameter_supported,omitempty"`           // OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter, with true indicating support. If omitted, the default value is false.
	RequestUriParameterSupported  *bool     `json:"request_uri_parameter_supported,omitempty" bson:"request_uri_parameter_supported,omitempty"`   // OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. If omitted, the default value is true.
	RequireRequestUriRegistration *bool     `json:"require_request_uri_registration,omitempty" bson:"require_request_uri_registration,omitempty"` // OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the default value is false.
	OpPolicyUri                   *string   `json:"op_policy_uri,omitempty" bson:"op_policy_uri,omitempty"`                                       // OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD display this URL to the person registering the Client if it is given.
	OpTosUri                      *string   `json:"op_tos_uri,omitempty" bson:"op_tos_uri,omitempty"`                                             // OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service. The registration process SHOULD display this URL to the person registering the Client if it is given.
}

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata - issuer: REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. - authorization_endpoint: REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core]. - token_endpoint: URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used. - userinfo_endpoint: RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. - jwks_uri: REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. - registration_endpoint: RECOMMENDED. URL of the OP's Dynamic Client Registration Endpoint [OpenID.Registration]. - scopes_supported: RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported. - response_types_supported: REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values. - response_modes_supported: OPTIONAL. JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports, as specified in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]. If omitted, the default for Dynamic OpenID Providers is ["query", "fragment"]. - grant_types_supported: OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types. If omitted, the default value is ["authorization_code", "implicit"]. - acr_values_supported: OPTIONAL. JSON array containing a list of the Authentication Context Class References that this OP supports. - subject_types_supported: REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. - id_token_signing_alg_values_supported: REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported, but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow). - id_token_encryption_alg_values_supported: OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. - id_token_encryption_enc_values_supported: OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. - userinfo_signing_alg_values_supported: OPTIONAL. JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. - userinfo_encryption_alg_values_supported: OPTIONAL. JSON array containing a list of the JWE [JWE] encryption algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. - userinfo_encryption_enc_values_supported: OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. - request_object_signing_alg_values_supported: OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects, which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support none and RS256. - request_object_encryption_alg_values_supported: OPTIONAL. JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by reference. - request_object_encryption_enc_values_supported: OPTIONAL. JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for Request Objects. These algorithms are used both when the Request Object is passed by value and when it is passed by reference. - token_endpoint_auth_methods_supported: OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HttpHeaders Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. - token_endpoint_auth_signing_alg_values_supported: OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT [JWT] used to authenticate the Client at the Token Endpoint for the private_key_jwt and client_secret_jwt authentication methods. Servers SHOULD support RS256. The value none MUST NOT be used. - display_values_supported: OPTIONAL. JSON array containing a list of the display parameter values that the OpenID Provider supports. These values are described in Section 3.1.2.1 of OpenID Connect Core 1.0 [OpenID.Core]. - claim_types_supported: OPTIONAL. JSON array containing a list of the Claim Types that the OpenID Provider supports. These Claim Types are described in Section 5.6 of OpenID Connect Core 1.0 [OpenID.Core]. Values defined by this specification are normal, aggregated, and distributed. If omitted, the implementation supports only normal Claims. - claims_supported: RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list. - service_documentation: OPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients needs to be provided in this documentation. - claims_locales_supported: OPTIONAL. Languages and scripts supported for values in Claims being returned, represented as a JSON array of BCP47 [RFC5646] language tag values. Not all languages and scripts are necessarily supported for all Claim values. - ui_locales_supported: OPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of BCP47 [RFC5646] language tag values. - claims_parameter_supported: OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support. If omitted, the default value is false. - request_parameter_supported: OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter, with true indicating support. If omitted, the default value is false. - request_uri_parameter_supported: OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. If omitted, the default value is true. - require_request_uri_registration: OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter. Pre-registration is REQUIRED when the value is true. If omitted, the default value is false. - op_policy_uri: OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD display this URL to the person registering the Client if it is given. - op_tos_uri: OPTIONAL. URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service. The registration process SHOULD display this URL to the person registering the Client if it is given.

type PractitionerRoleRegistrationRequestObject 

type PractitionerRoleRegistrationRequestObject struct {
}

type PresentationDefinition 

type PresentationDefinition struct {
	ID               string                        `json:"id,omitempty" bson:"id,omitempty"`
	Name             string                        `json:"name,omitempty" bson:"name,omitempty"`
	Purpose          string                        `json:"purpose,omitempty" bson:"purpose,omitempty"`
	Format           []PresentationInputFormat     `json:"format,omitempty" bson:"format,omitempty"`
	InputDescriptors []PresentationInputDescriptor `json:"input_descriptors,omitempty" bson:"input_descriptors,omitempty"`
}

PresentationDefinition properties are for use at the top-level of a Presentation Definition. Any properties that are not defined below MUST be ignored, unless otherwise specified by a Feature.

  • id - The Presentation Definition MUST contain an id string property. The string SHOULD provide a unique ID for the desired context. For example, a UUID such as 32f54163-7166-48f1-93d8-f f217bdb0653 could provide an ID that is unique in a global context, while a simple string such as my_presentation_definition_1 could be suitably unique in a local context.
  • name - The Presentation Definition MAY contain a name property. If present, its value SHOULD be a human-friendly string intended to constitute a distinctive designation of the Presentation Definition.
  • purpose - The Presentation Definition MAY contain a purpose property. If present, its value MUST be a string that describes the purpose for which the Presentation Definition's inputs are being used for.
  • format - Some envelope transport protocols may include the value of this property in other locations and use different property names (See the Format Embed Locations section for details), but regardless of whether it resides at the default location (the format property of the presentation_definition object), the value MUST be an object with one or more properties matching the registered Claim Format Designations (e.g., jwt, jwt_vc, jwt_vp, etc.). The properties inform the Holder of the Claim format configurations the Verifier can process. The value for each claim format property MUST be an object and the object MUST include a format-specific property (i.e., alg or proof_type)
  • 'input_descriptors': The Presentation Definition MUST contain an 'input_descriptors' property. Its value MUST be an array of Input Descriptor Objects, the composition of which are described in the Input Descriptors section below.

type PresentationInputConstraintFields 

type PresentationInputConstraintFields struct {
	ID      string `json:"id,omitempty" bson:"id,omitempty"`
	Path    string `json:"path,omitempty" bson:"path,omitempty"`
	Purpose string `json:"purpose,omitempty" bson:"purpose,omitempty"`
	Filter  string `json:"filter,omitempty" bson:"filter,omitempty"`
}

The PresentationInputConstraintsFields object MAY contain

  • MUST contain a path property. The value of this property MUST be an array of one or more JSONPath string expressions (as defined in the JSONPath Syntax Definition section) that select a target value from the input. The array MUST be evaluated from 0-index forward, breaking as soon as a Field Query Result is found (as described in Input Evaluation), which will be used for the rest of the entry’s evaluation. The ability to declare multiple expressions in this way allows the Verifier to account for format differences, for example: normalizing the differences in structure between JSON-LD/JWT-based Verifiable Credentials and vanilla JSON Web Tokens (JWTs) [RFC7519].
  • MAY contain an id property. If present, its value MUST be a string that is unique from every other field object’s id property, including those contained in other Input Descriptor Objects.
  • MAY contain a purpose property. If present, its value MUST be a string that describes the purpose for which the field is being requested.
  • MAY contain a filter property, and if present its value MUST be a JSON Schema descriptor used to filter against the values returned from evaluation of the JSONPath string expressions in the path array.

type PresentationInputConstraints 

type PresentationInputConstraints struct {
	Fields []PresentationInputConstraintFields `json:"fields,omitempty" bson:"fields,omitempty"`
}

The PresentationInputConstraints object MAY contain

  • fields property: SHALL be processed forward from 0-index, so if a Verifier desires to reduce processing by checking the most defining characteristics of a credential (e.g the type or schema of a credential) implementers SHOULD order these field checks before all others to ensure earliest termination of evaluation. If the fields property is present, its value MUST be an array of objects composed by path, id, purpose, filter properties

type PresentationInputDescriptor 

type PresentationInputDescriptor struct {
	ID          string                       `json:"id,omitempty" bson:"id,omitempty"`
	Name        string                       `json:"name,omitempty" bson:"name,omitempty"`
	Purpose     string                       `json:"purpose,omitempty" bson:"purpose,omitempty"`
	Format      []PresentationInputFormat    `json:"format,omitempty" bson:"format,omitempty"`
	Constraints PresentationInputConstraints `json:"constraints,omitempty" bson:"constraints,omitempty"`
}

PresentationInputDescriptor fields are required for submission, unless otherwise specified by a Feature.

  • MUST contain an 'id' property. The value of the id property MUST be a string that does not conflict with the id of another Input Descriptor Object in the same Presentation Definition.
  • MAY contain a 'name' property. If present, its value SHOULD be a human-friendly name that describes what the target schema represents.
  • MAY contain a 'purpose' property. If present, its value MUST be a string that describes the purpose for which the Claim's data is being requested.
  • MAY contain a 'format' property. If present, its value MUST be an object with one or more properties matching the registered Claim Format Designations (e.g., jwt, jwt_vc, jwt_vp, etc.). This format property is identical in value signature to the top-level format object, but can be used to specifically constrain submission of a single input to a subset of formats or algorithms.
  • MAY contain a 'limit_disclosure' property. If present, its value MUST be 'required' or 'preferred' Omission of the limit_disclosure property indicates the Conformant Consumer MAY submit a response that contains more than the data described in the fields array.
  • required: This indicates that the Conformant Consumer MUST limit submitted fields to those listed in the fields array (if present). Conformant Consumers are not required to implement support for this value, but they MUST understand this value sufficiently to return nothing (or cease the interaction with the Verifier) if they do not implement it.
  • preferred: This indicates that the Conformant Consumer SHOULD limit submitted fields to those listed in the fields array (if present).
  • MAY contain a constraints property. If present, its value MUST be an object composed by , unless otherwise specified by a Feature.

type PresentationInputFormat 

type PresentationInputFormat struct {
	Jwt   *PresentationInputFormatAlg   `json:"jwt,omitempty" bson:"jwt,omitempty"`
	JwtVC *PresentationInputFormatAlg   `json:"jwt_vc,omitempty" bson:"jwt_vc,omitempty"`
	JwtVP *PresentationInputFormatAlg   `json:"jwt_vp,omitempty" bson:"jwt_vp,omitempty"`
	Ldp   *PresentationInputFormatProof `json:"ldp,omitempty" bson:"ldp,omitempty"`
	LdpVC *PresentationInputFormatProof `json:"ldp_vc,omitempty" bson:"ldp_vc,omitempty"`
	LdpVP *PresentationInputFormatProof `json:"ldp_vp,omitempty" bson:"ldp_vp,omitempty"`
}

type PresentationInputFormatAlg 

type PresentationInputFormatAlg struct {
	Alg []string `json:"alg,omitempty" bson:"alg,omitempty"`
}

type PresentationInputFormatProof 

type PresentationInputFormatProof struct {
	Proof []string `json:"proof,omitempty" bson:"proof,omitempty"`
}

type PresentationSubmission 

type PresentationSubmission struct {
	ID            string              `json:"id,omitempty" bson:"id,omitempty"`
	DefinitionID  string              `json:"definition_id,omitempty" bson:"definition_id,omitempty"`
	DescriptorMap []DescriptorMapping `json:"descriptor_map,omitempty" bson:"descriptor_map,omitempty"`
}

PresentationSubmission are objects embedded within target Claim negotiation formats that express how the inputs presented as proofs to a Verifier are provided in accordance with the requirements specified in a Presentation Definition. Embedded Presentation Submission objects MUST be located within target data format as the value of a presentation_submission property, which is composed and embedded as follows: 

The presentation_submission object MUST be included at the top-level of an Embed Target, or in the specific location described in the Embed Locations table in the Embed Target section below.
The presentation_submission object MUST contain an id property. The value of this property MUST be a unique identifier, such as a UUID.
The presentation_submission object MUST contain a definition_id property. The value of this property MUST be the id value of a valid Presentation Definition.
The presentation_submission object MUST include a descriptor_map property. The value of this property MUST be an array of Input Descriptor Mapping Objects.

type RequestCredential 

type RequestCredential struct {
	Type   string                 `json:"type"`             // REQUIRED. Type of credential being requested (schema property in a Credential Manifest obtained in a setup phase.)
	Format *string                `json:"format,omitempty"` // OPTIONAL. Format of the credential to be issued.
	Proof  RequestCredentialProof `json:"proof"`            // OPTIONAL. JSON Object containing Proof of possession of the key material the issued credential shall be bound to.
}

The credential endpoint issues an approved credential to the end user by presenting a valid access token that represents this approval. The client can request the issuance of a credential of a certain type several times, for example, to associate the credential with different DIDs/public keys (e.g.: professional profiles in a client app) or to refresh a given credential.

Issued credential SHOULD be cryptographically bound to the identifier of the End-User who possesses the credential. Cryptographic binding allows the Verifier to verify during presentation that the End-User presenting a credential is the same End-User to whom it was issued.

If the access token is valid to request the issuance of multiple credentials, it is at the discretion of the client to decide the order in which it will request the issuance of multiple credentials requested in the Authorization Request.

The following new endpoints can exist: a)Issuance Initiation Endpoint: An endpoint exposed by the wallet that allows an issuer to initiate the issuance flow. 

	 This can be encoded in a QR code containing a DIDComm Invitation message with the Issuance Initiation Endpoint.
  If no internet connection is available this Invitation message allows to start the DID Exchange protocol.

b)Credential Endpoint: this is the OAuth-protected API to issue verifiable credentials. c)Deferred Credential Endpoint: this endpoint is used for deferred issuance of verifiable credentials

Credential Request: The wallet sends an authorization request to the issuer. This request determines the types of verifiable credentials the wallet (on behalf of the user) wants to obtain. The issuer will typically authenticate the user in the first step of this process; it will have an access token after registering the wallet's JWK. The Access Token is used to request the issuance of the actual credentials. The types of credentials the wallet can request is limited to the types approved in the authorization request. The issuers MAY call back to the wallet to fetch verifiable credentials it needs as prerequisite to issuing the requested credentials. From a protocol perspective, the issuers acts in this case as verifier and sends a request as defined in OIDC4VP to the wallet.

The Client app sends a HttpHeaders POST request to the Issuer's Request Credential Endpoint with the following parameters:

  • "type": REQUIRED. Type of credential being requested. It corresponds to a schema property in a Credential Manifest obtained in a setup phase.
  • "format": OPTIONAL. Format of the credential to be issued. If not present, the issuer will determine the credential format based on the client's format default.
  • "proof" OPTIONAL. JSON Object containing proof of possession of the key material the issued credential shall be bound to.

The proof object MUST contain the following "proof_type" element which determines its structure:

  • "proof_type": REQUIRED. JSON String denoting the proof type.

This specification defines the following values for "proof_type":

  • "jwt": objects of this type contain a single jwt element with a signed JWT as proof of possession. (only jwt is allowed by the specification). The JWT MUST contain the following elements:
  • kid: CONDITIONAL. JWT header containing the key ID. If the credential shall be bound to a DID, the kid refers to a DID URL which identifies a particular key in the DID Document that the credential shall be bound to.
  • jwk: CONDITIONAL. JWT header containing the key material the new credential shall be bound to. MUST NOT be present if kid is present.
  • iss: REQUIRED. MUST contain the client_id of the sender
  • aud: REQUIRED. MUST contain the issuer URL of credential issuer
  • iat: REQUIRED. MUST contain the instant when the proof was created
  • nonce: REQUIRED. MUST contain a fresh nonce as provided by the issuer

The proof element MUST incorporate a fresh nonce value generated by the credential issuer and the credential issuer's identifier (audience) to allow the credential issuer to detect replay.

The way that data is incorporated depends on the proof type. In a JWT, for example, the nonce is conveyed in the nonce claims whereas the audience is conveyed in the aud claim. In a Linked Data proof, for example, the nonce is included as the challenge.

NOTE: the type should have 2 credentials (FHIR Practitioner and FHIR PractitionerRole)

type RequestCredentialJWT 

type RequestCredentialJWT struct {
	// Jwk   map[string]interface{}// CONDITIONAL and removed in UHC. MUST NOT be present if Kid is present.
	Kid      string `json:"kid"`       // REQUIRED in UHC. If the credential shall be bound to a DID, it refers to a DID URL Kid that the credential shall be bound to.
	Issuer   string `json:"iss"`       // REQUIRED. MUST contain the "client_id" of the sender.
	Audience string `json:"aud"`       // REQUIRED. MUST contain the issuer URL of credential issuer.
	IssuedAt int    `json:"issued_at"` // REQUIRED. MUST contain the instant when the proof was created.
	Nonce    string `json:"nonce"`     // REQUIRED. MUST contain a fresh nonce as provided by the issuer.
}

type RequestCredentialProof 

type RequestCredentialProof struct {
	ProofType string               `json:"proof_type"` // REQUIRED. JSON String denoting the proof type.
	Jwt       RequestCredentialJWT `json:"jwt"`        // CONDITIONAL. Signed JWT as proof of possession.
}

type RequestOauthAccessTokenByCodeConfidentialAppPKCE 

type RequestOauthAccessTokenByCodeConfidentialAppPKCE struct {
	GrantType    string `bson:"grant_type,omitempty" json:"grant_type,omitempty"`       // Required: Fixed value is "authorization_code"
	Code         string `bson:"code,omitempty" json:"code,omitempty"`                   // Required: Code that the app received from the authorization server
	RedirectUri  string `bson:"redirect_uri,omitempty" json:"redirect_uri,omitempty"`   // Required: The same RedirectUri used in the initial authorization request
	CodeVerifier string `bson:"code_verifier,omitempty" json:"code_verifier,omitempty"` // Conditional: it is for PKCE. This parameter is used to verify against the code_challenge parameter previously provided in the authorize request.
}

* Step 3.A:

  • App exchanges authorization code for access token
  • After obtaining an authorization code, the app trades the code for an access token via HttpHeaders POST to the EHR authorization server’s token endpoint URL, using content-type application/x-www-form-urlencoded, as described in section 4.1.3 of RFC6749.
  • For public apps or not registered devices, authentication is not possible (since a client with no secret cannot prove its identity when it issues a call).
  • (The end-to-end system can still be secure because the client comes from a known, https protected endpoint specified and enforced by the redirect uri)
  • For confidential apps, authentication is required.
  • Confidential clients SHOULD use Asymmetric Authentication (see 3.B) if available (when confidential app is running in a registered device), and MAY use Symmetric Authentication.

type RequestOauthAccessTokenByNonConfidentialApp 

type RequestOauthAccessTokenByNonConfidentialApp struct {
	RequestOauthAccessTokenByCodeConfidentialAppPKCE
	ClientId string `bson:"client_id,omitempty" json:"client_id,omitempty"` // Only used in non confidential apps.
}

type RequestOauthAccessTokenWithJWS 

type RequestOauthAccessTokenWithJWS struct {
	ClientAssertion     string `bson:"client_assertion,omitempty" json:"client_assertion,omitempty"`           // Signed authentication JWT (NestedJWT generated by the client application)
	ClientAssertionType string `bson:"client_assertion_type,omitempty" json:"client_assertion_type,omitempty"` // Fixed to "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
	GrantType           string `bson:"grant_type,omitempty" json:"grant_type,omitempty"`                       // Fixed to "client_credentials"
	Scope               string `bson:"scope,omitempty" json:"scope,omitempty"`                                 // scopes such as "system/(:resourceType|*).(read|write|*)" which are associated with permissions assigned to an authorized software client rather than to a human end-user.

}

* Step 3.B:

  • Confidential app in a registered device uses Asymmetric Authentication
  • and sends a NestedJWT instead of doing the Authorize Code flow (skip steps from 1 to 3.A)

type RequestOauthAuthorizeWithPKCE 

type RequestOauthAuthorizeWithPKCE struct {
	ResponseType        string `bson:"response_type,omitempty" json:"response_type,omitempty"`                 // Required: Fixed value is "code"
	ClientId            string `bson:"client_id,omitempty" json:"client_id,omitempty"`                         // Required: The client's identifier.
	RedirectUri         string `bson:"redirect_uri,omitempty" json:"redirect_uri,omitempty"`                   // Required: Must match one of the client's pre-registered redirect URIs.
	Launch              string `bson:"launch,omitempty" json:"launch,omitempty"`                               // Optional: When using the EHR Launch flow, this must match the Launch value received from the EHR.
	Scope               string `bson:"scope,omitempty" json:"scope,omitempty"`                                 // Required: Must describe the access that the app needs, including scopes like patient/*.read, openid and fhirUser (if app needs authenticated patient identity) and either see SMART on FHIR Access Scopes details.
	State               string `bson:"state,omitempty" json:"state,omitempty"`                                 // Required: An opaque value used by the client to maintain State between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHALL be used for preventing cross-site request forgery or session fixation attacks. The app SHALL use an unpredictable value for the State parameter with at least 122 bits of entropy (e.g., a properly configured random uuid is suitable).
	Audience            string `bson:"aud,omitempty" json:"aud,omitempty"`                                     // Required: URL of the EHR resource server from which the app wishes to retrieve FHIR data. This parameter prevents leaking a genuine bearer token to a counterfeit resource server. (Note: in the case of an EHR Launch flow, this Audience value is the same as the Launch's iss value.) Note that the Audience parameter is semantically equivalent to the resource parameter defined in RFC8707. SMART's Audience parameter predates RFC8707 for reasons of backwards compatibility.
	CodeChallenge       string `bson:"code_challenge,omitempty" json:"code_challenge,omitempty"`               // Required: This parameter is generated by the app and used for the code challenge, as specified by PKCE. For example, when code_challenge_method is 'S256', this is the S256 hashed version of the code_verifier parameter. See considerations-for-pkce-support.
	CodeChallengeMethod string `bson:"code_challenge_method,omitempty" json:"code_challenge_method,omitempty"` // Required: Method used for the CodeChallenge parameter. Example value: S256. See considerations-for-pkce-support.
}

* Step 1:

  • At launch time, the app constructs a request for authorization by supplying the following parameters to the EHR’s “authorize” endpoint.
  • Note on PKCE Support: the EHR SHALL ensure that the code_verifier is present and valid in Step 3 (“App exchanges authorization code for access token”), at the completion of the OAuth flow.
  • The app SHOULD limit its requested scopes to the minimum necessary (i.e., minimizing the requested data categories and the requested duration of access).
  • If the app needs to authenticate the identify of or retrieve information about the end-user, it should include two OpenID Connect scopes: openid and fhirUser.
  • When these scopes are requested, and the request is granted, the app will receive an id_token along with the access token.
  • For full details, see SMART launch context parameters.
  • The following requirements are adopted from OpenID Connect Core 1.0 Specification section 3.1.2.1:
  • Authorization Servers SHALL support the use of the HttpHeaders GET and POST methods at the Authorization Endpoint.
  • Clients SHALL use either the HttpHeaders GET or the HttpHeaders POST method to send the Authorization Request to the Authorization Server.
  • If using the HttpHeaders GET method, the request parameters are serialized using URI Query String Serialization.
  • If using the HttpHeaders POST method, the request parameters are serialized using Form Serialization and the application/x-www-form-urlencoded content type.

type ResponseCredential 

type ResponseCredential struct {
	Format     string `json:"format"`             // REQUIRED. JSON string denoting the credential's format
	Credential string `json:"credential"`         // REQUIRED in UHC. JSON string that is the base64url encoded representation of the issued credential.
	Cnonce     string `json:"c_nonce"`            // OPTIONAL. JSON string containing a nonce to be used to create a proof of possession of key material when requesting a credential (see Section 6.7.2).
	CnonceExp  int    `json:"c_nonce_expires_in"` // OPTIONAL. JSON integer denoting the lifetime in seconds of the c_nonce.

}

type ResponseFormJARM 

type ResponseFormJARM struct {
	Response string `json:"response" form:"type=hidden;name=response"`
}

func (*ResponseFormJARM) ReturnWebPageFormData 

func (formData *ResponseFormJARM) ReturnWebPageFormData(w http.ResponseWriter)

ReturnWebPageFormData returns a Web page which contains the form data (with automatic form post when loading the body) and HTTP Status 200 (OK).

type ResponseOauthAccessToken 

type ResponseOauthAccessToken struct {
	AccessToken   string  `bson:"access_token,omitempty" json:"access_token,omitempty"`   // Required: The access token issued by the authorization server.
	TokenType     string  `bson:"token_type,omitempty" json:"token_type,omitempty"`       // Required: Fixed value is "Bearer", not "bearer": http://www.hl7.org/fhir/smart-app-launch/
	ExpiresIn     int     `bson:"expires_in,omitempty" json:"expires_in,omitempty"`       // Recommended: Lifetime in seconds of the access token, after which the token SHALL NOT be accepted by the resource server. The recommended value is 300, for a five-minute token lifetime.
	Scope         string  `bson:"scope,omitempty" json:"scope,omitempty"`                 // Required: Scope of access authorized. Note that this can be different from the scopes requested by the app.
	IdentityToken *string `bson:"id_token,omitempty" json:"id_token,omitempty"`           // Optional: Authenticated user identity and user details, if requested.
	RefreshToken  *string `bson:"refresh_token,omitempty" json:"refresh_token,omitempty"` // Optional: Token that can be used to obtain a new access token, using the same or a subset of the original authorization grants.
}

* Step 4:

  • The EHR authorization server SHALL return a JSON object that includes an access token or a message indicating that the authorization request has been denied.

type ResponseOauthAuthorizeWithCode 

type ResponseOauthAuthorizeWithCode struct {
	Code  string `bson:"code,omitempty" json:"code,omitempty"`   // Required: The authorization Code generated by the authorization server. The authorization Code *must* expire shortly after it is issued to mitigate the risk of leaks.
	State string `bson:"state,omitempty" json:"state,omitempty"` // Required: The exact value received from the client.
}

* Step 2:

  • When the EHR decides grant access it is communicated to the app returning an authorization code (or, if denying access, an error response).
  • Authorization codes are short-lived, usually expiring within around one minute.
  • The code is sent when the EHR authorization server causes the browser to navigate to the app’s redirect_uri, with the following URL parameters:

type StandardClaimsJWT 

type StandardClaimsJWT struct {
	// StandardClaims	jwt.Claims 	`bson:",inline" json:",inline"`		// inline, 'AudienceSlice' is the appAliasUrl and 'iss' is UNID
	Issuer    string `json:"iss,omitempty"`
	Subject   string `json:"sub,omitempty"`
	Audience  string `json:"aud,omitempty"`
	Expiry    int64  `json:"exp,omitempty"` // it is int64
	NotBefore int64  `json:"nbf,omitempty"` // it is int64
	IssuedAt  int64  `json:"iat,omitempty"` // it is int64
	ID        string `json:"jti,omitempty"`
}

using snake_case because of JWT standard claims: https://www.iana.org/assignments/jwt/jwt.xhtml#claims

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.