Enable TrustMarks listing in Entity Configuration (#263)

* Update to OpenIDFed draft 40

* Enable TrustMarks listing in entity configuration

---------

Co-authored-by: Marko Ivančić <[email protected]>

Author: cicnavi

config-templates/module_oidc.php

@@ -355,6 +355,12 @@
         //'https://intermediate.example.org/',
     ],
 
+    // (optional) Federation Trust Mark tokens. An array of tokens (signed JWTs), each representing a Trust Mark
+    // issued to this entity.
+    ModuleConfig::OPTION_FEDERATION_TRUST_MARK_TOKENS => [
+//        'eyJ...GHg',
+    ],
+
     // (optional) Dedicated federation cache adapter, used to cache federation artifacts like trust chains, entity
     // statements, etc. It will also be used for token reuse check in federation context. Setting this option is
     // recommended in production environments. If set to null, no caching will be used. Can be set to any

src/Controller/Federation/EntityStatementController.php

@@ -20,7 +20,7 @@
 use SimpleSAML\OpenID\Codebooks\ErrorsEnum;
 use SimpleSAML\OpenID\Codebooks\HttpHeadersEnum;
 use SimpleSAML\OpenID\Codebooks\JwtTypesEnum;
-use SimpleSAML\OpenID\Codebooks\RequestAuthenticationMethodsEnum;
+use SimpleSAML\OpenID\Federation;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -40,6 +40,7 @@ public function __construct(
         private readonly OpMetadataService $opMetadataService,
         private readonly ClientRepository $clientRepository,
         private readonly Helpers $helpers,
+        private readonly Federation $federation,
         private readonly ?FederationCache $federationCache,
     ) {
         if (!$this->moduleConfig->getFederationEnabled()) {
@@ -53,6 +54,8 @@ public function __construct(
      * @return \Symfony\Component\HttpFoundation\Response
      * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
      * @throws \ReflectionException
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \Psr\SimpleCache\InvalidArgumentException
      */
     public function configuration(): Response
     {
@@ -99,6 +102,7 @@ public function configuration(): Response
                         //'federation_trust_mark_list_endpoint',
                         //'federation_trust_mark_endpoint',
                         //'federation_historical_keys_endpoint',
+                        //'endpoint_auth_signing_alg_values_supported'
                         // Common https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters
                         //'signed_jwks_uri',
                         //'jwks_uri',
@@ -110,14 +114,6 @@ public function configuration(): Response
                         ClaimsEnum::ClientRegistrationTypesSupported->value => [
                             ClientRegistrationTypesEnum::Automatic->value,
                         ],
-                        ClaimsEnum::RequestAuthenticationMethodsSupported->value => [
-                            ClaimsEnum::AuthorizationEndpoint->value => [
-                                RequestAuthenticationMethodsEnum::RequestObject->value,
-                            ],
-                        ],
-                        ClaimsEnum::RequestAuthenticationSigningAlgValuesSupported->value => [
-                            $this->moduleConfig->getProtocolSigner()->algorithmId(),
-                        ],
                     ],
                 ],
             );
@@ -129,14 +125,32 @@ public function configuration(): Response
             $builder = $builder->withClaim(ClaimsEnum::AuthorityHints->value, $authorityHints);
         }
 
+        if (
+            is_array($trustMarkTokens = $this->moduleConfig->getFederationTrustMarkTokens()) &&
+            (!empty($trustMarkTokens))
+        ) {
+            $trustMarks = array_map(function (string $token): array {
+                $trustMarkEntity = $this->federation->trustMarkFactory()->fromToken($token);
+
+                if ($trustMarkEntity->getSubject() !== $this->moduleConfig->getIssuer()) {
+                    throw OidcServerException::serverError(sprintf(
+                        'Trust Mark %s is not intended for this entity.',
+                        $trustMarkEntity->getIdentifier(),
+                    ));
+                }
+
+                return [
+                    ClaimsEnum::Id->value => $trustMarkEntity->getIdentifier(),
+                    ClaimsEnum::TrustMark->value => $token,
+                ];
+            }, $trustMarkTokens);
+
+            $builder = $builder->withClaim(ClaimsEnum::TrustMarks->value, $trustMarks);
+        }
+
+        // TODO mivanci Continue
         // Remaining claims, add if / when ready.
         // * crit
-        // * trust_marks
-        // * trust_mark_issuers
-        // * source_endpoint
-
-        // Note: claims which should only be present in Trust Anchors
-        // * trust_mark_owners
 
         $jws = $this->jsonWebTokenBuilderService->getSignedFederationJwt($builder);
 
@@ -227,6 +241,7 @@ public function fetch(Request $request): Response
                 ],
             );
 
+        // TODO mivanci Continue
         // Note: claims which can be present in subordinate statements:
         // * metadata_policy
         // * constraints