From 5d84be8e4372c33aaed81fc9d9b1b8620252fbf1 Mon Sep 17 00:00:00 2001 From: mishasizov-SK <109598497+mishasizov-SK@users.noreply.github.com> Date: Wed, 15 Jan 2025 12:57:21 +0200 Subject: [PATCH] feat: krakend: propagate roles header only on necessary endpoints (#1836) Signed-off-by: Misha Sizov --- pkg/restapi/v1/verifier/controller.go | 2 +- pkg/service/oidc4vp/oidc4vp_wallet_notification.go | 10 +++++++++- .../bdd/fixtures/krakend-config/settings/endpoint.json | 1 + .../krakend-config/templates/auth_validator.tmpl | 6 +++++- 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/pkg/restapi/v1/verifier/controller.go b/pkg/restapi/v1/verifier/controller.go index 4f08f8ecd..5769e073c 100644 --- a/pkg/restapi/v1/verifier/controller.go +++ b/pkg/restapi/v1/verifier/controller.go @@ -538,7 +538,7 @@ func (c *Controller) CheckAuthorizationResponse(e echo.Context) error { if rawAuthResp.Error != "" { // Error authorization response - // Spec: https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-6.4 + // Spec: https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-7.5 return c.oidc4VPService.HandleWalletNotification(ctx, &oidc4vp.WalletNotification{ TxID: oidc4vp.TxID(rawAuthResp.State), Error: rawAuthResp.Error, diff --git a/pkg/service/oidc4vp/oidc4vp_wallet_notification.go b/pkg/service/oidc4vp/oidc4vp_wallet_notification.go index 942681e1c..6ae36d010 100644 --- a/pkg/service/oidc4vp/oidc4vp_wallet_notification.go +++ b/pkg/service/oidc4vp/oidc4vp_wallet_notification.go @@ -107,6 +107,7 @@ func (s *Service) sendWalletNotificationEvent( profile *profileapi.Verifier, notification *WalletNotification, ) error { + // Send event only if notification.Error is known. if _, isValidError := supportedAuthResponseErrTypes[notification.Error]; !isValidError { logger.Infoc(ctx, "Ignoring unsupported error type", zap.String("error", notification.Error)) return nil 
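Review bot: The corrected link still targets the unversioned `openid-4-verifiable-presentations-wg-draft.html`, whose section numbering moves between revisions — this very commit has to chase it from 6.4 to 7.5, and the comment will go stale again the next time the draft is reorganised. Record which revision the code was checked against in the comment, e.g. `// Spec: OpenID4VP wg draft (as of 2025-01), "Error authorization response", section 7.5 — https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-7.5`, or link a numbered draft snapshot instead, so a reader can still locate the clause after the next renumbering. CheckAuthorizationResponse starts before this hunk and continues after it.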
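Review bot: The new comment says an event is sent only when `notification.Error` is "known", but it does not say what happens otherwise: the notification is dropped with an Info log and `return nil`, so the caller cannot tell "ignored" from "sent" — whether the transaction is then left pending depends on HandleWalletNotification, which is outside this hunk. `notification.Error` is the wallet-supplied `error` parameter (see the controller hunk above), so the value passed to `zap.String("error", …)` is untrusted and unbounded; consider truncating it to a fixed length before logging so a hostile wallet cannot stuff the logs. I would make the comment carry the contract: `// Only OpenID4VP error codes listed in supportedAuthResponseErrTypes produce an event; any other (wallet-controlled) value is logged and dropped here.` sendWalletNotificationEvent's signature begins before this hunk and its body continues after it.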
@@ -114,7 +115,14 @@ func (s *Service) sendWalletNotificationEvent( ep := createBaseTxEventPayload(tx, profile) - ep.Error, ep.ErrorCode, ep.ErrorComponent = notification.ErrorDescription, notification.Error, errorComponentWallet + // error code, e.g. "access_denied". + // List: https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-7.5 + ep.ErrorCode = notification.Error + + // error description, e.g. "no_consent", "no_match_found" + ep.Error = notification.ErrorDescription + + ep.ErrorComponent = errorComponentWallet ep.InteractionDetails = notification.InteractionDetails spiEventType := s.getEventType(notification.Error, notification.ErrorDescription) diff --git a/test/bdd/fixtures/krakend-config/settings/endpoint.json b/test/bdd/fixtures/krakend-config/settings/endpoint.json index 114cb18f5..ac328bd41 100644 --- a/test/bdd/fixtures/krakend-config/settings/endpoint.json +++ b/test/bdd/fixtures/krakend-config/settings/endpoint.json @@ -16,6 +16,7 @@ "endpoint": "/issuer/credentials/status", "method": "POST", "protected": true, + "propagate_roles_header": true, "roles_to_validate": [ "revoker", "activator" diff --git a/test/bdd/fixtures/krakend-config/templates/auth_validator.tmpl b/test/bdd/fixtures/krakend-config/templates/auth_validator.tmpl index d6be7a77e..b38b0c1a7 100644 --- a/test/bdd/fixtures/krakend-config/templates/auth_validator.tmpl +++ b/test/bdd/fixtures/krakend-config/templates/auth_validator.tmpl @@ -11,11 +11,15 @@ [ "custom:tenant_id", "x-tenant-id" - ], + ] + {{ if .propagate_roles_header }} + , [ "custom:roles", "x-client-roles" ] + + {{ end }} ] {{ if .roles_to_validate }} ,
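Review bot: The new comment on `ep.Error` presents `error_description` as a closed set (`"no_consent"`, `"no_match_found"`), but the value assigned is the wallet's raw `ErrorDescription`, which under OAuth 2.0 (RFC 6749 §4.1.2.1) and OpenID4VP is free-form text chosen by the wallet — only `ep.ErrorCode` is checked against `supportedAuthResponseErrTypes` in the earlier hunk. If the event payload reaches external consumers (webhooks, audit sinks — not visible here), a malicious wallet can place arbitrary text there, so the comment should say the field is untrusted and the assignment should bound its length with a fixed limit chosen for the event sink, e.g. `// ErrorDescription is free text from the wallet: treat as untrusted and bound its length before emitting.`. The same string also feeds `s.getEventType(...)` on the context line below, so that mapping should be an exact comparison rather than a substring or prefix match — worth confirming, since getEventType is outside the hunk. sendWalletNotificationEvent starts before this hunk and continues after it.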
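Review bot: `/issuer/credentials/status` is the only endpoint visibly opted into `propagate_roles_header`, and because the template in the next hunk now emits the `x-client-roles` mapping only under this flag, any other protected endpoint whose backend handler reads `x-client-roles` will silently stop receiving it rather than failing closed. Before merging, grep the backend for consumers of that header and flag their endpoints too, or have the backend reject a missing header wherever roles are required. Note that `roles_to_validate` is still evaluated by the gateway independently of this flag (the template guards it separately), so propagation only changes what the backend sees, not what the gateway enforces. This hunk shows one endpoint entry out of a larger array, so other entries may already rely on the header.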
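Review bot: With the `custom:roles` → `x-client-roles` mapping now emitted only when `propagate_roles_header` is set, the gateway no longer overwrites that header from the verified JWT on every other endpoint, so a client-supplied `x-client-roles` could reach the backend there if the gateway forwards it (that depends on each endpoint's allowed input headers, which are not in this hunk). Make sure `x-client-roles` is never an accepted inbound header, or strip it explicitly on endpoints without the flag, so the backend can keep treating the header as gateway-asserted; the commit message should state this assumption. Style-wise, the block leaves an empty line inside the rendered JSON array before `{{ end }}`; dropping that blank line keeps the generated config tidy without changing its meaning.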