pyeudiw.satosa.backends.openid4vp package

Subpackages

Submodules

pyeudiw.satosa.backends.openid4vp.authorization_request module

pyeudiw.satosa.backends.openid4vp.authorization_request.build_authorization_request_claims(client_id: str, state: str, response_uri: str, default_claims: dict, nonce: str = '', client_metadata: dict | None = None, submission_data: dict | None = None, wallet_nonce: str | None = None) dict[source]

Primitive function to build the payload claims of the (JAR) authorization request.

Parameters:
  • client_id (str) – the client identifier (who issues the JAR token)

  • state (str) – request session identifier

  • response_uri (str) – endpoint accepting authorization responses

  • default_claims (dict) – a dictionary with the default claims to be used in the request object. It must contain the following mandatory keys:
    - “expiration_time”: the expiration time in minutes of the request object
    - “response_mode”: the response mode to be used in the request object
    - “auth_iss_id”: the issuer identifier of the authorization server
    - “aud”: the audience of the request object

  • nonce (str) – optional nonce to be inserted in the request object; if not set, a new cryptographically safe uuid v4 nonce is generated.

  • client_metadata (dict) – optional client_metadata to be included in the request object

  • submission_data (dict) – optional submission data, such as the DCQL query, to be included in the request object. If this parameter is set, the DCQL data is used to build the request object.

  • wallet_nonce (str) – optional nonce to be used by the wallet.

Raises:

KeyError – if default_claims misses one of the mandatory keys listed above

Returns:

a dictionary with the complete set of JAR JWT payload claims

Return type:

dict

pyeudiw.satosa.backends.openid4vp.authorization_request.build_authorization_request_url(scheme: str, params: dict) str[source]

Build the authorization request URL that lets the wallet download the request object by reference. This is loosely related to RFC 9101 [JAR], section 5.2.1. The scheme is the scheme portion of a deep link, such as “haip” or “eudiw”; params is a dictionary of query parameters that are not yet URL-encoded.

pyeudiw.satosa.backends.openid4vp.authorization_response module

class pyeudiw.satosa.backends.openid4vp.authorization_response.DirectPostJwtJweParser(jwe_decryptor: JWEHelper, jws_verifier: JWSHelper, enc_alg_supported: list[str] = [], enc_enc_supported: list[str] = [])[source]

Bases: AuthorizationResponseParser

DirectPostJwtJweParser parses authorization responses sent as the body of an HTTP POST request. The parser expects a response wrapped in a JWT; more precisely, the managed response is x-www-form-urlencoded in the form response=<jwt>, where <jwt> is an encrypted but not signed response (a JWE). As such, the class requires a JWE helper holding the correct key, able to decrypt the JWE.

The reference specification is defined here

https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-response-mode-direct_postjw

parse_and_validate(context: Context) AuthorizeResponsePayload[source]

Parse (and optionally validate) a SATOSA HTTP request, wrapped in its own context, in order to extract an authorization response. The validation step might include verification tasks; for example, if the data is represented as a JWT, the validation should check the validity of the JWT.

The concrete implementation SHOULD NOT be used to validate the actual content of the response, that is, it SHOULD NOT try to validate vp_tokens, presentation_submissions, etc. This is a delicate task that is best suited for a different, dedicated object, method or interface.

Parameters:

context (satosa.context.Context) – an http request wrapped in its own satosa context

Returns:

the plain openid4vp authorization response; DCQL is not supported yet

Return type:

AuthorizeResponsePayload

class pyeudiw.satosa.backends.openid4vp.authorization_response.DirectPostParser[source]

Bases: AuthorizationResponseParser

DirectPostParser parses authorization responses sent as the body of an HTTP POST request.

The reference specification is defined here

https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-response-parameters

parse_and_validate(context: Context) AuthorizeResponsePayload[source]

Parse (and optionally validate) a SATOSA HTTP request, wrapped in its own context, in order to extract an authorization response. The validation step might include verification tasks; for example, if the data is represented as a JWT, the validation should check the validity of the JWT.

The concrete implementation SHOULD NOT be used to validate the actual content of the response, that is, it SHOULD NOT try to validate vp_tokens, presentation_submissions, etc. This is a delicate task that is best suited for a different, dedicated object, method or interface.

Parameters:

context (satosa.context.Context) – an http request wrapped in its own satosa context

Returns:

the plain openid4vp authorization response; DCQL is not supported yet

Return type:

AuthorizeResponsePayload

pyeudiw.satosa.backends.openid4vp.authorization_response.detect_response_mode(context: Context) ResponseMode[source]

Infer which response mode was used from the content of the HTTP request body.

pyeudiw.satosa.backends.openid4vp.authorization_response.normalize_jsonstring_to_string(s: _S) _S[source]

Normalize s from a string (or list of strings) or a JSON String (or list of JSON Strings) to a plain string (or list of strings). For example, this maps a vp_token given as the JSON String “ey…Ui5” to the native string ey…Ui5 (note the missing quotes “).

Note that this method is NOT intended to parse JSON Strings in general; for that purpose, json.loads should be preferred. Instead, this method should be used when an input might be either a string OR a JSON String.
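As an added example (not pyeudiw code), the following stand-alone Python shows the transport-layer handling the parsers, detect_response_mode and normalize_jsonstring_to_string above describe: detecting direct_post versus direct_post.jwt from the form fields, checking the JWE protected header against the enc_alg_supported / enc_enc_supported allow-lists before any decryption is attempted, and normalizing a vp_token that arrives as a JSON String. Decryption itself is delegated to a caller-supplied callable standing in for the JWE helper; the exception classes, the rule "response present means direct_post.jwt, vp_token present means direct_post", and the constructed sample JWE are assumptions of the example.

```python
import base64
import json
from typing import Callable
from urllib.parse import parse_qs


class AuthRespParsingException(Exception):
    """Malformed authorization response (named after the exceptions module)."""


class AuthRespValidationException(Exception):
    """Well-formed but not acceptable, e.g. a disallowed JWE algorithm."""


def detect_response_mode(body: str) -> str:
    """Infer direct_post vs direct_post.jwt from the form parameters present."""
    form = parse_qs(body, keep_blank_values=True)
    if "response" in form:
        return "direct_post.jwt"
    if "vp_token" in form:
        return "direct_post"
    raise AuthRespParsingException("body carries neither 'response' nor 'vp_token'")


def normalize_jsonstring_to_string(s):
    """Map a JSON String '"ey...Ui5"' (or a list of them) to the bare string."""
    if isinstance(s, list):
        return [normalize_jsonstring_to_string(x) for x in s]
    if isinstance(s, str) and len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        try:
            inner = json.loads(s)
        except json.JSONDecodeError:
            return s
        if isinstance(inner, str):
            return inner
    return s


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def check_jwe_header(compact_jwe: str, alg_allowed: list, enc_allowed: list) -> dict:
    """Reject the JWE before the private key is used unless alg/enc are allow-listed."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise AuthRespParsingException("'response' is not a compact JWE (5 segments expected)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as e:
        raise AuthRespParsingException("unparsable JWE protected header") from e
    if not isinstance(header, dict):
        raise AuthRespParsingException("JWE protected header is not a JSON object")
    alg, enc = header.get("alg"), header.get("enc")
    if alg not in alg_allowed or enc not in enc_allowed:
        raise AuthRespValidationException(f"JWE alg/enc not allowed: {alg}/{enc}")
    return header


def parse_direct_post_jwt(body: str, decrypt: Callable[[str], str],
                          alg_allowed: list, enc_allowed: list) -> dict:
    """Extract the plain authorization response from response=<jwe>."""
    form = parse_qs(body, keep_blank_values=True)
    if len(form.get("response", [])) != 1:
        raise AuthRespParsingException("exactly one 'response' parameter expected")
    jwe = form["response"][0]
    check_jwe_header(jwe, alg_allowed, enc_allowed)
    try:
        plaintext = decrypt(jwe)  # stands in for the JWE helper (assumption)
    except Exception as e:
        raise AuthRespValidationException("JWE decryption failed") from e
    try:
        payload = json.loads(plaintext)
    except json.JSONDecodeError as e:
        raise AuthRespParsingException("decrypted response is not JSON") from e
    if "vp_token" not in payload:
        raise AuthRespParsingException("authorization response lacks vp_token")
    # Transport-level normalization only: the vp_token content is NOT verified here.
    payload["vp_token"] = normalize_jsonstring_to_string(payload["vp_token"])
    return payload


def make_constructed_jwe(alg: str, enc: str) -> str:
    """Constructed 5-segment JWE with a real protected header and placeholder
    body segments; only good for exercising the header checks offline."""
    header = base64.urlsafe_b64encode(
        json.dumps({"alg": alg, "enc": enc}).encode()).rstrip(b"=").decode()
    return ".".join([header, "", "aXY", "Y2lwaGVydGV4dA", "dGFn"])
```

Checking alg/enc before decrypting matters because the header is attacker-controlled: a verifier that lets the wallet pick any algorithm its JWE library supports exposes its key to whatever that library does with, for instance, RSA1_5.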

pyeudiw.satosa.backends.openid4vp.exceptions module

exception pyeudiw.satosa.backends.openid4vp.exceptions.AuthRespParsingException[source]

Bases: Exception

Raised when the http request corresponding to an authorization response is malformed.

exception pyeudiw.satosa.backends.openid4vp.exceptions.AuthRespValidationException[source]

Bases: Exception

Raised when the http request corresponding to an authorization response is well formed, but not valid (for example, it might be wrapped in an expired token).

exception pyeudiw.satosa.backends.openid4vp.exceptions.InvalidVPToken[source]

Bases: Exception

Raised when a given VP is invalid

exception pyeudiw.satosa.backends.openid4vp.exceptions.MdocCborValidationError[source]

Bases: Exception

Raised when a given mdoc (CBOR) VP fails validation

exception pyeudiw.satosa.backends.openid4vp.exceptions.MissingIssuer[source]

Bases: Exception

Raised when a given VP does not contain the issuer

exception pyeudiw.satosa.backends.openid4vp.exceptions.NotKBJWT[source]

Bases: Exception

Raised when a given VP is not in Key Binding JWT format

exception pyeudiw.satosa.backends.openid4vp.exceptions.VPExpired[source]

Bases: Exception

Raised when a given VP is expired

exception pyeudiw.satosa.backends.openid4vp.exceptions.VPFormatNotSupported[source]

Bases: Exception

Raised when a given VP format is not supported

exception pyeudiw.satosa.backends.openid4vp.exceptions.VPRevoked[source]

Bases: Exception

Raised when a given VP is revoked

pyeudiw.satosa.backends.openid4vp.interface module

class pyeudiw.satosa.backends.openid4vp.interface.AuthorizationResponseParser[source]

Bases: object

AuthorizationResponseParser is an interface intended to parse direct POST HTTP responses.

An authorization parser is meant to just parse and eventually validate the “lower” application layer of the transmission, that is, it is used to extract an authorization response from the HTTP layer. It SHOULD NOT be used to validate the actual content of the response, that is, it SHOULD NOT try to validate vp_tokens, presentation_submissions, etc. This is a delicate task that is best suited for a different, dedicated object, method or interface.

parse_and_validate(context: Context) AuthorizeResponsePayload[source]

Parse (and optionally validate) a SATOSA HTTP request, wrapped in its own context, in order to extract an authorization response. The validation step might include verification tasks; for example, if the data is represented as a JWT, the validation should check the validity of the JWT.

The concrete implementation SHOULD NOT be used to validate the actual content of the response, that is, it SHOULD NOT try to validate vp_tokens, presentation_submissions, etc. This is a delicate task that is best suited for a different, dedicated object, method or interface.

Parameters:

context (satosa.context.Context) – an http request wrapped in its own satosa context

Returns:

the plain openid4vp authorization response; DCQL is not supported yet

Return type:

AuthorizeResponsePayload

class pyeudiw.satosa.backends.openid4vp.interface.VpTokenParser[source]

Bases: object

VpTokenParser is an interface that specifies that an object is able to extract verifiable credentials from a VP token.

get_credentials() dict[source]
get_issuer_name() str[source]

Get the issuer name from the token payload.

Raises:

MissingIssuer – if the issuer name is missing in the token payload

Returns:

the issuer name

Return type:

str

class pyeudiw.satosa.backends.openid4vp.interface.VpTokenVerifier[source]

Bases: object

VpTokenVerifier is an interface that specifies that an object is able to verify a VP token. The interface assumes that the verification process requires a public key (of the token issuer).

is_active() bool[source]
is_expired() bool[source]
is_revoked() bool[source]
Returns:

True if the credential is revoked

verify_challenge() None[source]

Verifies the challenge of the jwt.

verify_signature(public_key: ECKey | RSAKey | dict) None[source]

Verifies the signature of the jwt.

Parameters:

public_key (ECKey | RSAKey | dict) – the public key to verify the signature

Raises:

JWSVerificationError – if the signature is invalid

pyeudiw.satosa.backends.openid4vp.openid4vp module

class pyeudiw.satosa.backends.openid4vp.openid4vp.OpenID4VPBackend(auth_req_callback_func: Callable[[Context, InternalData], Response], internal_attributes: dict[str, dict[str, str | list[str]]], config: dict[str, Any], base_url: str, name: str)[source]

Bases: BackendModule

get_trust_backend_by_class_name(class_name: str) TrustHandlerInterface | None[source]
register_endpoints(**kwargs)[source]

See super class satosa.backends.base.BackendModule

Return type:

list[(str, ((satosa.context.Context, Any) -> satosa.response.Response, Any))]

Raises:

ValueError – if more than one backend is configured

start_auth(context: Context, internal_request) Response[source]

This is the start up function of the backend authorization.

Parameters:
  • context (satosa.context.Context) – the request context

  • internal_request (satosa.internal.InternalData) – Information about the authorization request

Return type:

satosa.response.Response

Returns:

response

pyeudiw.satosa.backends.openid4vp.utils module

pyeudiw.satosa.backends.openid4vp.vp module

class pyeudiw.satosa.backends.openid4vp.vp.Vp[source]

Bases: BaseLogger

Class for a Verifiable Presentation instance.

check_revocation()[source]

Check if the VP is revoked.

Raises:

RevokedVPToken – if the VP is revoked.

parse_digital_credential() None[source]
verify(**kwargs) bool[source]

pyeudiw.satosa.backends.openid4vp.vp_mdoc_cbor module

class pyeudiw.satosa.backends.openid4vp.vp_mdoc_cbor.VpMDocCbor(trust_evaluator: CombinedTrustEvaluator, **kwargs)[source]

Bases: BaseVPParser

parse(token: str) dict[source]

Parses a Verifiable Presentation token.

validate(token: str, verifier_id: str, verifier_nonce: str) None[source]

Validates the content of a Verifiable Presentation.

pyeudiw.satosa.backends.openid4vp.vp_sd_jwt_vc module

class pyeudiw.satosa.backends.openid4vp.vp_sd_jwt_vc.VpVcSdJwtParserVerifier(trust_evaluator: CombinedTrustEvaluator, sig_alg_supported: list[str] = [], **kwargs)[source]

Bases: BaseVPParser

parse(token: str) dict[source]

Parses a Verifiable Presentation token.

validate(token: str, verifier_id: str, verifier_nonce: str) None[source]

Validates the content of a Verifiable Presentation.

Module contents