italia · PascalDR · Mar 7, 2025 · Mar 7, 2025 · Mar 7, 2025 · Mar 7, 2025
diff --git a/pyeudiw/openid4vp/authorization_request.py b/pyeudiw/openid4vp/authorization_request.py
@@ -25,6 +25,7 @@ def build_authorization_request_claims(
     response_uri: str,
     authorization_config: dict,
     nonce: str = "",
+    metadata: dict = None,
-    metadata: dict = None,
+    metadata: dict = {},
+
-    metadata: dict = None,
+    metadata: dict = {},
+
 ) -> dict:
     """
     Primitive function to build the payload claims of the (JAR) authorization request.
@@ -41,6 +42,8 @@ def build_authorization_request_claims(
     :param nonce: optional nonce to be inserted in the request object; if not \
         set, a new cryptographically safe uuid v4 nonce is generated.
     :type nonce: str
+    :param metadata: optional metadata to be included in the request object
+    :type metadata: dict
     :raises KeyError: if authorization_config misses mandatory configuration options
     :returns: a dictionary with the *complete* set of jar jwt playload claims
     :rtype: dict
@@ -62,6 +65,10 @@ def build_authorization_request_claims(
         "iat": iat_now(),
         "exp": exp_from_now(minutes=authorization_config["expiration_time"]),
     }
+
+    if metadata:
+        claims["client_metadata"] = metadata
+
     if authorization_config.get("scopes"):
         claims["scope"] = " ".join(authorization_config["scopes"])
     # backend configuration validation should check that at least PE or DCQL must be configured within the authz request conf

diff --git a/pyeudiw/openid4vp/authorization_response.py b/pyeudiw/openid4vp/authorization_response.py
@@ -1,3 +1,4 @@
+from typing import TypeVar
 import cryptojwt.jwe.exception
 import satosa.context
 from pyeudiw.jwt.exceptions import JWEDecryptionError
@@ -14,6 +15,27 @@
 )
 
 
+_S = TypeVar('_S', str, list[str])
+
+
+def normalize_jsonstring_to_string(s: _S) -> _S:
+    """
+    Normalize s from string (or list of string) or JSON String (or list
+    of JSON String) to simply string (or list of string).
+    For example, this would map a vp_token from JSON String "ey...Ui5" to
+    the naitve string ey...Ui5 (note the missing quote ").
+
+    Note that this method is NOT intended to parse JSON String.
+    For that purpose, json.loads should be preferred. Instead, this method
+    should be used when an imput might be a string OR a JSON string.
+    """
+    if isinstance(s, str):
+        return s.strip('"')
+    if isinstance(s, list):
+        return [v.strip('"') for v in s]
+    return s
+
+
 def detect_response_mode(context: satosa.context.Context) -> ResponseMode:
     """
     Try to make inference on which response mode type this is based on the
@@ -67,7 +89,16 @@ def parse_and_validate(
 
         resp_data: dict = context.request
         try:
-            return AuthorizeResponsePayload(**resp_data)
+            d = {}
+            if (vp_token := resp_data.get("vp_token", None)):
+                # vp_token should be a JSON string but caller might not be compliant and use string instead
+                vp_token = normalize_jsonstring_to_string(vp_token)
+                d["vp_token"] = vp_token
+            if (state := resp_data.get("state", None)):
+                d["state"] = state
+            if (presentation_submission := resp_data["presentation_submission"]):
+                d["presentation_submission"] = presentation_submission
+            return AuthorizeResponsePayload(**d)
         except Exception as e:
             raise AuthRespParsingException(
                 "invalid data in direct_post request body", e

diff --git a/pyeudiw/openid4vp/exceptions.py b/pyeudiw/openid4vp/exceptions.py
@@ -32,4 +32,16 @@ class MissingIssuer(Exception):
     """
     Raised when a given VP not contain the issuer
     """
+    pass
+
+class MdocCborValidationError(Exception):
+    """
+    Raised when a given VP not contain the issuer
+    """
+    pass
+
+class VPExpired(Exception):
+    """
+    Raised when a given VP is expired
+    """
     pass
diff --git a/pyeudiw/openid4vp/vp_mdoc_cbor.py b/pyeudiw/openid4vp/vp_mdoc_cbor.py
@@ -1,19 +1,42 @@
 from pymdoccbor.mdoc.verifier import MdocCbor
+from datetime import datetime
+from pyeudiw.openid4vp.exceptions import MdocCborValidationError
+import logging
 
-from pyeudiw.openid4vp.vp import Vp
+logger = logging.getLogger(__name__)
 
 
-class VpMDocCbor(Vp):
+class VpMDocCbor:
     def __init__(self, data: str) -> None:
         self.data = data
         self.mdoc = MdocCbor()
         self.parse_digital_credential()
 
-    def parse_digital_credential(self) -> None:
-        self.mdoc.load(data=self.data)
+    def get_documents(self) -> dict:
+        return self.mdoc.data_as_cbor_dict["documents"]
+
+    def is_revoked(self) -> bool:
+        return False
+
+    def is_expired(self) -> bool:
+        _val_until: str = ""
+        try:
+            _val_until = self.mdoc.data_as_cbor_dict()["issuerSigned"]["issuerAuth"]["validityInfo"].get("validUntil")
+        except KeyError as e:
+            logger.error(f'Unconsitent issuerSigned schema ["issuerSigned"]["issuerAuth"]["validityInfo"], {e}, in mdoc cbor: {self.mdoc.data_as_cbor_dict()}')
+        if _val_until:
+            exp_date = datetime.fromisoformat(_val_until)
+        else:
+            logger.warning(f"Missing issuerSigned velidUntil in mdoc cbor: {self.mdoc.data_as_cbor_dict()}")
 
-    def verify(self, **kwargs) -> bool:
-        return self.mdoc.verify()
+        return exp_date < datetime.now()
+
+    def verify_signature(self) -> None:
+        if self.mdoc.verify() == False:
+            raise MdocCborValidationError("Signature is invalid")
+
+    def parse_digital_credential(self) -> None:
+        self.mdoc.loads(data=self.data)
 
     def _detect_vp_type(self) -> str:
         return "mdoc_cbor"
diff --git a/pyeudiw/openid4vp/vp_sd_jwt_vc.py b/pyeudiw/openid4vp/vp_sd_jwt_vc.py
@@ -5,9 +5,9 @@
 
 from pyeudiw.jwt.helper import is_jwt_expired
 from pyeudiw.openid4vp.interface import VpTokenParser, VpTokenVerifier
-from pyeudiw.sd_jwt.schema import VerifierChallenge, is_sd_jwt_kb_format
+from pyeudiw.sd_jwt.schema import VerifierChallenge
 from pyeudiw.sd_jwt.sd_jwt import SdJwt
-from pyeudiw.openid4vp.exceptions import NotKBJWT, MissingIssuer
+from pyeudiw.openid4vp.exceptions import MissingIssuer
 
 
 class VpVcSdJwtParserVerifier(VpTokenParser, VpTokenVerifier):
@@ -18,10 +18,6 @@ def __init__(
         verifier_nonce: Optional[str] = None,
     ):
         self.token = token
-        if not is_sd_jwt_kb_format(token):
-            raise NotKBJWT(
-                f"input [token]={token} is not an sd-jwt with key binding: maybe it is a regular jwt or key binding jwt is missing?"
-            )
         self.verifier_id = verifier_id
         self.verifier_nonce = verifier_nonce
         # precomputed values
@@ -64,7 +60,7 @@ def is_expired(self) -> bool:
         :returns: if the credential is expired
         :rtype: bool
         """
-        return is_jwt_expired(self.sdjwt.issuer_jwt)
+        return is_jwt_expired(self.sdjwt.issuer_jwt.jwt)
 
     def verify_signature(self, public_key: ECKey | RSAKey | dict) -> None:
         """

diff --git a/pyeudiw/satosa/default/request_handler.py b/pyeudiw/satosa/default/request_handler.py
@@ -28,12 +28,18 @@ def request_endpoint(self, context: Context, *args) -> Response:
                 "request error: missing or invalid parameter [id]",
                 e400
             )
+
+        try:
+            metadata = self.trust_evaluator.get_metadata(self.client_id)
+        except Exception:
+            metadata = None
 
         data = build_authorization_request_claims(
             self.client_id,
             state,
             self.absolute_response_url,
             self.config["authorization"],
+            metadata=metadata,
         )
 
         if _aud := self.config["authorization"].get("aud"):