Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Interoperability] Support for unencrypted direct_post authz response mode #310

Open
Zicchio opened this issue Nov 20, 2024 · 4 comments
Open
Assignees
Labels
potential-lsp question Further information is requested
Milestone

Comments

@Zicchio
Copy link
Collaborator

Zicchio commented Nov 20, 2024

Currently in this project, in the opanid4vp flow we provide support exclusively for direct_post.jwt encrypted authorization response (accordingly with italian specs).

It appears that, as of today, the only authorization response mode supported in Potential interoperability D2.2 is the (unecrnytped) direct_post mode.
It is not clear if or when this requirement will be relaxed to also include encrypted direct_post.jwt mode, hence if we want to comply with interoperability goals we might need to support direct_post mode and provide configurations in order to enable it.

I think that no immediate action is required, but I still want to highlighting this fact so that one day we are ready to develope this feature if its necessity actually emerges.

@peppelinux peppelinux added the question Further information is requested label Nov 21, 2024
@peppelinux peppelinux added this to the 0.9.1 milestone Nov 21, 2024
@peppelinux
Copy link
Member

@Zicchio the solution for a proper interoperability is to always encryopt the response if the RP provide the public keys intended fro the encryption usage

the normative language in the italian specs should mandate the RP to have encryption JWKs in their metadata, while wallet units should try to encrypt if the rp allow them to do so

for our implementation we therefore newed to do encryption if the RP provide the public enc material suitable for this

@peppelinux
Copy link
Member

for instance, in our implementation the RP configures its private keys (and intended usage) here:
https://github.com/italia/eudi-wallet-it-python/blob/dev/example/satosa/pyeudiw_backend.yaml#L136

@Zicchio
Copy link
Collaborator Author

Zicchio commented Jan 7, 2025

So, if I understand correctly, we require that the authorization response MUST be encrypted IF AND ONLY IF the relying party has a configured (public) encryption key.

Looks good to me.

@Zicchio
Copy link
Collaborator Author

Zicchio commented Jan 10, 2025

After a discussion, the approach on how to solve this problem has changed. Instead, we support both. To do so, make inference on the response body (giving priority to jwt) in this block of code

# parse and decrypt jwt in response
authz_response: None | AuthorizeResponseDirectPost = None
authz_payload: None | AuthorizeResponsePayload = None

@peppelinux peppelinux moved this from Todo to In Progress in EUDI WALLET IT Python Jan 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
potential-lsp question Further information is requested
Projects
Status: In Progress
Development

No branches or pull requests

2 participants