pyeudiw.satosa.backends.openid4vp package

Subpackages

• pyeudiw.satosa.backends.openid4vp.endpoints package
  • Submodules
  • pyeudiw.satosa.backends.openid4vp.endpoints.get_response_endpoint module
    • GetResponseHandler
      • GetResponseHandler.endpoint()
  • pyeudiw.satosa.backends.openid4vp.endpoints.pre_request_endpoint module
  • pyeudiw.satosa.backends.openid4vp.endpoints.request_endpoint module
  • pyeudiw.satosa.backends.openid4vp.endpoints.response_endpoint module
  • pyeudiw.satosa.backends.openid4vp.endpoints.status_endpoint module
  • pyeudiw.satosa.backends.openid4vp.endpoints.vp_base_endpoint module
  • Module contents
• pyeudiw.satosa.backends.openid4vp.presentation_submission package
  • Submodules
  • pyeudiw.satosa.backends.openid4vp.presentation_submission.base_vp_parser module
    • BaseVPParser
      • BaseVPParser.parse()
      • BaseVPParser.validate()
  • pyeudiw.satosa.backends.openid4vp.presentation_submission.exceptions module
    • MalformedPath
    • MissingHandler
    • ParseError
    • SubmissionValidationError
    • VPTokenDescriptorMapMismatch
    • ValidationError
  • pyeudiw.satosa.backends.openid4vp.presentation_submission.schemas module
    • DescriptorSchema
      • DescriptorSchema.format
      • DescriptorSchema.id
      • DescriptorSchema.model_config
      • DescriptorSchema.path
      • DescriptorSchema.path_nested
    • PresentationSubmissionSchema
      • PresentationSubmissionSchema.check_descriptor_map_size()
      • PresentationSubmissionSchema.definition_id
      • PresentationSubmissionSchema.descriptor_map
      • PresentationSubmissionSchema.id
      • PresentationSubmissionSchema.model_config
  • Module contents
    • PresentationSubmissionHandler
      • PresentationSubmissionHandler.parse()
      • PresentationSubmissionHandler.validate()
• pyeudiw.satosa.backends.openid4vp.schemas package
  • Submodules
  • pyeudiw.satosa.backends.openid4vp.schemas.cnf_schema module
    • CNFSchema
      • CNFSchema.jwk
      • CNFSchema.model_config
  • pyeudiw.satosa.backends.openid4vp.schemas.flow module
    • RemoteFlowType
      • RemoteFlowType.CROSS_DEVICE
      • RemoteFlowType.SAME_DEVICE
  • pyeudiw.satosa.backends.openid4vp.schemas.response module
    • AuthorizeResponseDirectPostJwt
      • AuthorizeResponseDirectPostJwt.response
    • AuthorizeResponsePayload
      • AuthorizeResponsePayload.presentation_submission
      • AuthorizeResponsePayload.state
      • AuthorizeResponsePayload.vp_token
    • ErrorResponsePayload
      • ErrorResponsePayload.error
      • ErrorResponsePayload.error_description
      • ErrorResponsePayload.state
    • ResponseMode
      • ResponseMode.direct_post
      • ResponseMode.direct_post_jwt
      • ResponseMode.error
    • ResponseSchema
      • ResponseSchema.model_config
      • ResponseSchema.nonce
      • ResponseSchema.presentation_submission
      • ResponseSchema.state
      • ResponseSchema.vp_token
  • pyeudiw.satosa.backends.openid4vp.schemas.vp_formats module
    • Algorithms
      • Algorithms.es256
      • Algorithms.es384
      • Algorithms.es512
      • Algorithms.rs256
      • Algorithms.rs384
      • Algorithms.rs512
    • VcSdJwt
      • VcSdJwt.kb_jwt_alg_values
      • VcSdJwt.model_config
      • VcSdJwt.sd_jwt_alg_values
    • VpFormats
      • VpFormats.model_config
      • VpFormats.vc_sd_jwt
  • pyeudiw.satosa.backends.openid4vp.schemas.vp_token module
    • VPTokenHeader
      • VPTokenHeader.alg
      • VPTokenHeader.kid
      • VPTokenHeader.model_config
      • VPTokenHeader.typ
    • VPTokenPayload
      • VPTokenPayload.aud
      • VPTokenPayload.exp
      • VPTokenPayload.iat
      • VPTokenPayload.iss
      • VPTokenPayload.jti
      • VPTokenPayload.model_config
      • VPTokenPayload.nonce
      • VPTokenPayload.vp
  • pyeudiw.satosa.backends.openid4vp.schemas.wallet_instance_attestation module
    • VPFormatSchema
      • VPFormatSchema.jwt_vc_json
      • VPFormatSchema.jwt_vp_json
      • VPFormatSchema.model_config
    • WalletInstanceAttestationHeader
      • WalletInstanceAttestationHeader.alg
      • WalletInstanceAttestationHeader.kid
      • WalletInstanceAttestationHeader.model_config
      • WalletInstanceAttestationHeader.trust_chain
      • WalletInstanceAttestationHeader.typ
    • WalletInstanceAttestationPayload
      • WalletInstanceAttestationPayload.aal
      • WalletInstanceAttestationPayload.authorization_endpoint
      • WalletInstanceAttestationPayload.cnf
      • WalletInstanceAttestationPayload.exp
      • WalletInstanceAttestationPayload.iat
      • WalletInstanceAttestationPayload.iss
      • WalletInstanceAttestationPayload.logo_uri
      • WalletInstanceAttestationPayload.model_config
      • WalletInstanceAttestationPayload.policy_uri
      • WalletInstanceAttestationPayload.presentation_definition_uri_supported
      • WalletInstanceAttestationPayload.request_object_signing_alg_values_supported
      • WalletInstanceAttestationPayload.response_types_supported
      • WalletInstanceAttestationPayload.sub
      • WalletInstanceAttestationPayload.tos_uri
      • WalletInstanceAttestationPayload.type
      • WalletInstanceAttestationPayload.vp_formats_supported
  • pyeudiw.satosa.backends.openid4vp.schemas.wallet_instance_attestation_request module
    • WalletInstanceAttestationRequestHeader
      • WalletInstanceAttestationRequestHeader.alg
      • WalletInstanceAttestationRequestHeader.kid
      • WalletInstanceAttestationRequestHeader.model_config
      • WalletInstanceAttestationRequestHeader.typ
    • WalletInstanceAttestationRequestPayload
      • WalletInstanceAttestationRequestPayload.aud
      • WalletInstanceAttestationRequestPayload.cnf
      • WalletInstanceAttestationRequestPayload.exp
      • WalletInstanceAttestationRequestPayload.iat
      • WalletInstanceAttestationRequestPayload.iss
      • WalletInstanceAttestationRequestPayload.jti
      • WalletInstanceAttestationRequestPayload.model_config
      • WalletInstanceAttestationRequestPayload.nonce
      • WalletInstanceAttestationRequestPayload.type
  • pyeudiw.satosa.backends.openid4vp.schemas.wallet_metadata module
    • WalletMetadata
      • WalletMetadata.alg_values_supported
      • WalletMetadata.authorization_endpoint
      • WalletMetadata.client_id_schemes_supported
      • WalletMetadata.model_config
      • WalletMetadata.request_object_signing_alg_values_supported
      • WalletMetadata.response_modes_supported
      • WalletMetadata.response_types_supported
      • WalletMetadata.validate_alg_values_supported()
      • WalletMetadata.validate_authorization_endpoint()
      • WalletMetadata.validate_client_id_schemes_supported()
      • WalletMetadata.validate_request_object_signing_alg_values_supported_supported()
      • WalletMetadata.validate_response_modes_supported()
      • WalletMetadata.validate_response_types_supported()
      • WalletMetadata.validate_vp_formats_supported()
      • WalletMetadata.vp_formats_supported
    • WalletPostRequest
      • WalletPostRequest.model_config
      • WalletPostRequest.wallet_metadata
      • WalletPostRequest.wallet_nonce
  • Module contents

Submodules

pyeudiw.satosa.backends.openid4vp.authorization_request module

pyeudiw.satosa.backends.openid4vp.authorization_request.build_authorization_request_claims(client_id: str, state: str, response_uri: str, default_claims: dict, nonce: str = '', client_metadata: dict | None = None, submission_data: dict | None = None, wallet_nonce: str | None = None) → dict

Primitive function to build the payload claims of the (JAR) authorization request.

Parameters:

• client_id (str) – the client identifier (who issues the JAR token)

• state (str) – request session identifier

• response_uri (str) – endpoint accepting authorization responses

• default_claims (dict) – a dictionary with the default claims to be used in the request object. It must contain the following mandatory keys: - “expiration_time”: the expiration time in minutes of the request object - “response_mode”: the response mode to be used in the request object - “auth_iss_id”: the issuer identifier of the authorization server - “aud”: the audience of the request object

• nonce (str) – optional nonce to be inserted in the request object; if not set, a new cryptographically safe uuid v4 nonce is generated.

• client_metadata (dict) – optional client_metadata to be included in the request object

• submission_data (dict) – optional submission data, such as the duckle query, to be included in the request object. If this parameter is set, the duckle data is used to build the request object; else the presentation definition retrocompatibility is used.

• wallet_nonce (str) – optional nonce to be used by the wallet.

Raises:

KeyError – if authorization_config misses mandatory configuration options

Returns:

a dictionary with the complete set of JAR JWT payload claims

Return type:

dict

pyeudiw.satosa.backends.openid4vp.authorization_request.build_authorization_request_url(scheme: str, params: dict) → str

Build authorization request URL that let the wallet download the request object. This is loosely realted to RFC9101 [JAR], section 5.2.1. The scheme is either the scheme portion of a deeplink, such as “haip” or “eudiw”, while params is a dictitonary of query parameters not urlencoded.

pyeudiw.satosa.backends.openid4vp.authorization_response module

pyeudiw.satosa.backends.openid4vp.exceptions module

exception pyeudiw.satosa.backends.openid4vp.exceptions.AuthRespParsingException

Bases: Exception

Raised when the http request corresponding to an authorization response is malformed.

exception pyeudiw.satosa.backends.openid4vp.exceptions.AuthRespValidationException

Bases: Exception

Raised when the http request corresponding to an authorization response is well formed, but not valid (for example, it might be wrapped in an expired token).

exception pyeudiw.satosa.backends.openid4vp.exceptions.InvalidVPToken

Bases: Exception

Raised when a given VP is invalid

exception pyeudiw.satosa.backends.openid4vp.exceptions.MdocCborValidationError

Bases: Exception

Raised when a given VP not contain the issuer

exception pyeudiw.satosa.backends.openid4vp.exceptions.MissingIssuer

Bases: Exception

Raised when a given VP not contain the issuer

exception pyeudiw.satosa.backends.openid4vp.exceptions.NotKBJWT

Bases: Exception

Raised when a given VP format is not Key Binding JWT format

exception pyeudiw.satosa.backends.openid4vp.exceptions.VPExpired

Bases: Exception

Raised when a given VP is expired

exception pyeudiw.satosa.backends.openid4vp.exceptions.VPFormatNotSupported

Bases: Exception

Raised when a given VP format is not supported

exception pyeudiw.satosa.backends.openid4vp.exceptions.VPRevoked

Bases: Exception

Raised when a given VP is revoked

pyeudiw.satosa.backends.openid4vp.interface module

class pyeudiw.satosa.backends.openid4vp.interface.AuthorizationResponseParser

Bases: object

AuthorizationResponseParser is an interface intended to parse direct POST http responses.

An authorization parser is meant to just parse and eventually validate the “lower” applicaiton layer of the transmission, that is, it is used to extract an authorization response from the HTTP layer. It SHOULD NOT be used to validate the actual content of the response, that is, it SHOULD NOT try to validate vp_tokens, presentation_submissions, etc. This is a delicate task that that is best suited for a different, dedicated object, method or interface.

parse_and_validate(context: Context) → AuthorizeResponsePayload

Parse (and optionally validate) a satosa http request, wrapped in its own context, in order to extract an auhtorization response. The validation step might include verification tasks; for example if the data is reepresented as a jwt, the validation should perform a check on the jwt validity.

The concrete implementation SHOULD NOT be used to validate the actual content of the response, that is, it SHOULD NOT try to validate vp_tokens, presentation_submissions, etc. This is a delicate task that that is best suited for a different, dedicated object, method or interface.

Parameters:

context (satosa.context.Context) – an http request wrapped in its own satosa context

Raises:

• pyeudiw.satosa.backends.openid4vp.exceptions.AuthRespParsingException – raised when the http response is malformed.

• pyeudiw.satosa.backends.openid4vp.exceptions.AuthRespValidationException – raised when the http response is syntactically correct, but not valid (for example, it might be an expired token).

Returns:

the plain openid4vp authorization response; DCQL is not supported yet

Return type:

AuthorizeResponsePayload

class pyeudiw.satosa.backends.openid4vp.interface.VpTokenParser

Bases: object

VpTokenParser is an interface that specify that an object is able to extract verifiable credentials from a VP token.

get_credentials() → dict

get_issuer_name() → str

Get the issuer name from the token payload.

Raises:

MissingIssuer – if the issuer name is missing in the token payload

Returns:

the issuer name

Return type:

str

class pyeudiw.satosa.backends.openid4vp.interface.VpTokenVerifier

Bases: object

VpTokenVerifier is an interface that specify that an object is able to verify a vp token. The interface supposes that the verification process requires a public key (os the token issuer)

is_active() → bool

is_expired() → bool

is_revoked() → bool

Returns:

if the credential is revoked

verify_challenge() → None

Verifies the challenge of the jwt.

Raises:

• UnsupportedSdAlg – if verification fails due to an unkown _sd_alg

• InvalidKeyBinding – if the verification fails for a known reason

• ValueError – if the iat claim is missing or invalid

• JWSVerificationError – if the verification of a JWS fails

verify_signature(public_key: ECKey | RSAKey | dict) → None

Verifies the signature of the jwt.

Parameters:

public_key (ECKey | RSAKey | dict) – the public key to verify the signature

Raises:

JWSVerificationError – if the signature is invalid

pyeudiw.satosa.backends.openid4vp.openid4vp module

class pyeudiw.satosa.backends.openid4vp.openid4vp.OpenID4VPBackend(auth_req_callback_func: Callable[[Context, InternalData], Response], internal_attributes: dict[str, dict[str, str | list[str]]], config: dict[str, Any], base_url: str, name: str)

Bases: BackendModule

get_trust_backend_by_class_name(class_name: str) → TrustHandlerInterface | None

register_endpoints(**kwargs)

See super class satosa.backends.base.BackendModule

Return type:

list[(str, ((satosa.context.Context, Any) -> satosa.response.Response, Any))]

Raises:

ValueError – if more than one backend is configured

start_auth(context: Context, internal_request) → Response

This is the start up function of the backend authorization.

Parameters:

• context (satosa.context.Context) – the request context

• internal_request (satosa.internal.InternalData) – Information about the authorization request

Return type:

satosa.response.Response

Returns:

response

pyeudiw.satosa.backends.openid4vp.utils module

pyeudiw.satosa.backends.openid4vp.utils.detect_flow_typ(context: Context, force_same_device_flow_referer_criteria: List[str] | None = None) → RemoteFlowType

Identify or guess the remote flow type based on the authentication context. The logic is as follows: If the User-Agent clearly indicates a smartphone -> SAME_DEVICE If the request has sec-fetch-site == “cross-site” AND the Referer matches at least one of the regex patterns in referer_criteria -> SAME_DEVICE Otherwise -> CROSS_DEVICE

Parameters context: the context of the user authentication force_same_device_flow_referer_criteria: optional list of regex patterns (as strings) that, if matched against the HTTP_REFERER header, indicate a wallet-originated request.

Returns the detected remote flow type (RemoteFlowType).

pyeudiw.satosa.backends.openid4vp.vp module

class pyeudiw.satosa.backends.openid4vp.vp.Vp

Bases: BaseLogger

Class for Verifiable Presentation istance.

check_revocation()

Check if the VP is revoked.

Raises:

RevokedVPToken – if the VP is revoked.

parse_digital_credential() → None

verify(**kwargs) → bool

pyeudiw.satosa.backends.openid4vp.vp_mdoc_cbor module

pyeudiw.satosa.backends.openid4vp.vp_sd_jwt_vc module

Module contents