
Test the authorization code flow based on current tests inside kc codebase #82

Closed
IngridPuppet opened this issue Sep 9, 2024 · 6 comments
Assignees

Comments

@IngridPuppet
Collaborator

No description provided.

@IngridPuppet IngridPuppet self-assigned this Sep 9, 2024
@IngridPuppet
Collaborator Author

IngridPuppet commented Sep 11, 2024

I did not find a specific integration test in OID4VCSdJwtIssuingEndpointTest along the Authorized Code flow. And I'm not particularly surprised because once you have the grant code, pre-authorized or not, the rest of the flow is very similar.

I managed to retrieve a credential along the Authorized Code flow, but I had to adjust a thing I believe to be a bug. The OID4VCIssuerEndpoint class validates the scope of the access token against an expected one configured in the client under consideration. When the latter is null, the validation ultimately fails, while that should logically mean to accept anything.

```java
    private void checkScope(CredentialRequest credentialRequestVO) {
        AuthenticatedClientSessionModel clientSession = getAuthenticatedClientSession();
        String vcIssuanceFlow = clientSession.getNote(PreAuthorizedCodeGrantType.VC_ISSUANCE_FLOW);
        if (vcIssuanceFlow == null || !vcIssuanceFlow.equals(PreAuthorizedCodeGrantTypeFactory.GRANT_TYPE)) {
            // authz code flow
            ClientModel client = clientSession.getClient();
            String credentialIdentifier = credentialRequestVO.getCredentialIdentifier();
            String scope = client.getAttributes().get("vc." + credentialIdentifier + ".scope"); // following credential identifier in client attribute
            AccessToken accessToken = bearerTokenAuthenticator.authenticate().getToken();
            // when the client attribute is absent, scope is null; no token scope equals null,
            // so noneMatch(...) is always true and the request is rejected
            if (Arrays.stream(accessToken.getScope().split(" ")).sequential().noneMatch(i -> i.equals(scope))) {
                LOGGER.debugf("Scope check failure: credentialIdentifier = %s, required scope = %s, scope in access token = %s.", credentialIdentifier, scope, accessToken.getScope());
                throw new CorsErrorResponseException(cors, ErrorType.UNSUPPORTED_CREDENTIAL_TYPE.toString(), "Scope check failure", Response.Status.BAD_REQUEST);
            } else {
                LOGGER.debugf("Scope check success: credentialIdentifier = %s, required scope = %s, scope in access token = %s.", credentialIdentifier, scope, accessToken.getScope());
            }
        } else {
            clientSession.removeNote(PreAuthorizedCodeGrantType.VC_ISSUANCE_FLOW);
        }
    }
```

Note that I used our openid4vc-rest-api client, which is created on the OpenID Connect protocol. It does not even seem possible to retrieve a grant code from the oid4vci-client created on the OpenID for Verifiable Credentials protocol, which sounds really strange. I could not find a scope that is accepted.

[screenshot attached in the original issue, not reproduced here]

However, I think there is no need to change anything since this scope-based approach, and the location of these attributes, will soon be re-examined.
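The scope check described in the comment above, reduced to plain strings so it can be run without a Keycloak server. This is an added illustration, not Keycloak's code: `postedCheck` mirrors the `noneMatch` logic of the posted `checkScope()` and shows why a missing `vc.<credentialIdentifier>.scope` client attribute (a `null` required scope) always rejects, while `lenientCheck` is one possible variant that treats the missing attribute as "no scope restriction". The method names, the sample token scope string and the credential scope value are constructed for the example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example (not Keycloak code): the OID4VCI scope check on plain strings.
public class ScopeCheckDemo {

    // Mirrors the posted checkScope(): the access token's space-separated scope
    // string must contain the scope configured for the credential identifier.
    // When the client attribute is absent (requiredScope == null), no token
    // scope equals null, so noneMatch(...) is always true and the check fails.
    static boolean postedCheck(String requiredScope, String tokenScope) {
        return !Arrays.stream(tokenScope.split(" "))
                .noneMatch(i -> i.equals(requiredScope));
    }

    // Variant that treats a missing client attribute as "no scope restriction".
    // Design caveat: this is fail-open. A client with no vc.<id>.scope attribute
    // accepts any token scope for that credential, so whether a missing
    // attribute should mean "accept anything" or "reject" is a policy decision,
    // not just a bug fix.
    static boolean lenientCheck(String requiredScope, String tokenScope) {
        if (requiredScope == null || requiredScope.isEmpty()) {
            return true;
        }
        // HashSet rather than Set.of(): token scopes may repeat a value.
        Set<String> granted = new HashSet<>(Arrays.asList(tokenScope.trim().split("\\s+")));
        return granted.contains(requiredScope);
    }

    public static void main(String[] args) {
        // Constructed sample access-token scope string.
        String tokenScope = "openid credential-scope";

        System.out.println(postedCheck("credential-scope", tokenScope));  // true
        System.out.println(postedCheck(null, tokenScope));                // false: null attribute always rejects
        System.out.println(lenientCheck(null, tokenScope));               // true: missing attribute accepted
        System.out.println(lenientCheck("other-scope", tokenScope));      // false: scope not in token
    }
}
```

Running `main` prints `true`, `false`, `true`, `false`: the second line is the behaviour the comment reports as a bug (the `null` attribute can never match a token scope), and the third line is the lenient reading of it, with the fail-open trade-off noted in the comments.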

@IngridPuppet
Collaborator Author

@francis-pouatcha - Please check the above comment.

@francis-pouatcha
Member

I can explain all this:

  • First, I was not aware that they also configure VC inside client. It is against the statement of Hitachi, that a special client is not needed.
  • The unit tests are using the same client.
  • So if you drop the VC configuration inside the openid4vc-rest-api

@nitch2019
Collaborator

@francis-pouatcha what are the next steps

@nitch2019
Collaborator

This ticket will be closed here and we will proceed with #77

@nitch2019
Collaborator

done
