Merge pull request #446 from openwallet-foundation-labs/feat/iae

Feat/iae

Author: cre8

apps/backend/src/crypto/crypto.service.ts

@@ -70,7 +70,6 @@ export class CryptoService {
             clientAuthentication: clientAuthenticationNone({
                 clientId: "some-random",
             }),
-            //clientId: 'some-random-client-id', // TODO: Replace with your real clientId if necessary
             signJwt: this.getSignJwtCallback(tenantId),
             verifyJwt: async (signer, { compact, payload }) => {
                 if (signer.method === "jwk") {

apps/backend/src/issuer/configuration/configuration.module.ts

@@ -1,10 +1,10 @@
 import { HttpModule } from "@nestjs/axios";
 import { Module } from "@nestjs/common";
 import { TypeOrmModule } from "@nestjs/typeorm";
-import { ClientModule } from "../../auth/client/client.module";
 import { CryptoModule } from "../../crypto/crypto.module";
 import { SessionModule } from "../../session/session.module";
 import { WebhookService } from "../../shared/utils/webhook/webhook.service";
+import { PresentationsModule } from "../../verifier/presentations/presentations.module";
 import { StatusListModule } from "../lifecycle/status/status-list.module";
 import { CredentialConfigService } from "./credentials/credential-config/credential-config.service";
 import { CredentialConfigController } from "./credentials/credential-config.controller";
@@ -30,6 +30,7 @@ import { IssuanceConfigController } from "./issuance/issuance-config.controller"
         StatusListModule,
         HttpModule,
         SessionModule,
+        PresentationsModule,
         TypeOrmModule.forFeature([IssuanceConfig, CredentialConfig]),
     ],
     controllers: [IssuanceConfigController, CredentialConfigController],

apps/backend/src/issuer/configuration/credentials/credential-config/credential-config.service.ts

@@ -1,5 +1,5 @@
 import { readFileSync } from "node:fs";
-import { Injectable, Logger } from "@nestjs/common";
+import { BadRequestException, Injectable, Logger } from "@nestjs/common";
 import { InjectRepository } from "@nestjs/typeorm";
 import { plainToClass } from "class-transformer";
 import { Repository } from "typeorm";
@@ -11,9 +11,11 @@ import {
     ImportPhase,
 } from "../../../../shared/utils/config-import/config-import-orchestrator.service";
 import { FilesService } from "../../../../storage/files.service";
+import { PresentationsService } from "../../../../verifier/presentations/presentations.service";
 import { CredentialConfigCreate } from "../dto/credential-config-create.dto";
 import { CredentialConfigUpdate } from "../dto/credential-config-update.dto";
 import { CredentialConfig } from "../entities/credential.entity";
+import { IaeActionType } from "../entities/iae-action.dto";
 
 /**
  * Service for managing credential configurations.
@@ -33,6 +35,7 @@ export class CredentialConfigService {
         private readonly filesService: FilesService,
         private readonly configImportService: ConfigImportService,
         private readonly configImportOrchestrator: ConfigImportOrchestratorService,
+        private readonly presentationsService: PresentationsService,
     ) {
         this.configImportOrchestrator.register(
             "credentials",
@@ -76,6 +79,8 @@ export class CredentialConfigService {
 
     /**
      * Process a credential config for import.
+     * Note: IAE action validation is skipped during import because
+     * presentation configs are imported in a later phase (REFERENCES).
      */
     private async processCredentialConfig(
         tenantId: string,
@@ -99,7 +104,8 @@ export class CredentialConfigService {
             (config as CredentialConfig).cert = cert;
         }
 
-        await this.store(tenantId, config);
+        // Skip IAE validation during import - presentation configs are imported later
+        await this.store(tenantId, config, true);
     }
 
     /**
@@ -175,16 +181,60 @@ export class CredentialConfigService {
         });
     }
 
+    /**
+     * Validates IAE actions in a credential configuration.
+     * Checks that all referenced presentation configs exist.
+     * @param tenantId - The ID of the tenant.
+     * @param config - The credential config to validate.
+     * @throws BadRequestException if a referenced presentation config doesn't exist.
+     */
+    private async validateIaeActions(
+        tenantId: string,
+        config: CredentialConfigCreate | CredentialConfigUpdate,
+    ): Promise<void> {
+        if (!config.iaeActions?.length) {
+            return;
+        }
+
+        for (const action of config.iaeActions) {
+            if (action.type === IaeActionType.OPENID4VP_PRESENTATION) {
+                const presentationConfigId = (
+                    action as { presentationConfigId: string }
+                ).presentationConfigId;
+
+                try {
+                    await this.presentationsService.getPresentationConfig(
+                        presentationConfigId,
+                        tenantId,
+                    );
+                } catch {
+                    throw new BadRequestException(
+                        `IAE action references presentation config '${presentationConfigId}' which does not exist`,
+                    );
+                }
+            }
+        }
+    }
+
     /**
      * Stores a credential configuration for a given tenant.
      * If the configuration already exists, it will be overwritten.
      * Automatically replaces image references with public URLs.
+     * Validates IAE action references.
      * @param tenantId - The ID of the tenant.
      * @param config - The CredentialConfig entity to store.
+     * @param skipValidation - Skip IAE action validation (used during file imports).
      * @returns A promise that resolves to the stored CredentialConfig entity.
      */
-    async store(tenantId: string, config: CredentialConfigCreate) {
+    async store(
+        tenantId: string,
+        config: CredentialConfigCreate,
+        skipValidation = false,
+    ) {
         await this.replaceImageReferences(tenantId, config);
+        if (!skipValidation) {
+            await this.validateIaeActions(tenantId, config);
+        }
         return this.credentialConfigRepository.save({
             ...config,
             tenantId,
@@ -196,13 +246,15 @@ export class CredentialConfigService {
      * Only updates fields that are provided in the config.
      * Set fields to null to clear them.
      * Automatically replaces image references with public URLs.
+     * Validates IAE action references.
      * @param tenantId - The ID of the tenant.
      * @param id - The ID of the CredentialConfig entity to update.
      * @param config - The partial CredentialConfig to update.
      * @returns A promise that resolves to the updated CredentialConfig entity.
      */
     async update(tenantId: string, id: string, config: CredentialConfigUpdate) {
         await this.replaceImageReferences(tenantId, config);
+        await this.validateIaeActions(tenantId, config);
         const existing = await this.getById(tenantId, id);
         return this.credentialConfigRepository.save({
             ...existing,

apps/backend/src/issuer/configuration/credentials/credentials.service.ts

@@ -71,6 +71,19 @@ export class CredentialsService {
         private readonly cryptoImplementationService: CryptoImplementationService,
     ) {}
 
+    /**
+     * Returns a single credential configuration by ID.
+     * @param id The credential configuration ID
+     * @param tenantId The tenant ID
+     * @returns The credential configuration or null if not found
+     */
+    async getCredentialConfig(
+        id: string,
+        tenantId: string,
+    ): Promise<CredentialConfig | null> {
+        return this.credentialConfigRepo.findOneBy({ id, tenantId });
+    }
+
     /**
      * Returns the credential configuration that is required for oid4vci
      * @param tenantId

apps/backend/src/issuer/configuration/credentials/entities/credential.entity.ts

@@ -6,6 +6,7 @@ import {
 } from "@nestjs/swagger";
 import { Type } from "class-transformer";
 import {
+    IsArray,
     IsBoolean,
     IsEnum,
     IsNumber,
@@ -20,6 +21,13 @@ import { CertEntity } from "../../../../crypto/key/entities/cert.entity";
 import { WebhookConfig } from "../../../../shared/utils/webhook/webhook.dto";
 import { SchemaResponse } from "../../../issuance/oid4vci/metadata/dto/schema-response.dto";
 import { VCT } from "../../../issuance/oid4vci/metadata/dto/vct.dto";
+import {
+    IaeAction,
+    IaeActionBase,
+    IaeActionOpenid4vpPresentation,
+    IaeActionRedirectToWeb,
+    IaeActionType,
+} from "./iae-action.dto";
 import {
     AllowListPolicy,
     AttestationBasedPolicy,
@@ -108,6 +116,8 @@ export class IssuerMetadataCredentialConfig {
     AllowListPolicy,
     RootOfTrustPolicy,
     VCT,
+    IaeActionOpenid4vpPresentation,
+    IaeActionRedirectToWeb,
 )
 @Entity()
 export class CredentialConfig {
@@ -204,6 +214,57 @@ export class CredentialConfig {
     @IsBoolean()
     statusManagement?: boolean;
 
+    /**
+     * List of Interactive Authorization Endpoint (IAE) actions to execute
+     * before credential issuance. Actions are executed in order.
+     *
+     * Each action can be:
+     * - `openid4vp_presentation`: Request a verifiable presentation from the wallet
+     * - `redirect_to_web`: Redirect user to a web page for additional interaction
+     *
+     * If empty or not set, no interactive authorization is required.
+     *
+     * @example
+     * [
+     *   { "type": "openid4vp_presentation", "presentationConfigId": "pid-config" },
+     *   { "type": "redirect_to_web", "url": "https://example.com/verify", "label": "Additional Verification" }
+     * ]
+     */
+    @IsOptional()
+    @IsArray()
+    @ValidateNested({ each: true })
+    @Type(() => IaeActionBase, {
+        discriminator: {
+            property: "type",
+            subTypes: [
+                {
+                    name: IaeActionType.OPENID4VP_PRESENTATION,
+                    value: IaeActionOpenid4vpPresentation,
+                },
+                {
+                    name: IaeActionType.REDIRECT_TO_WEB,
+                    value: IaeActionRedirectToWeb,
+                },
+            ],
+        },
+        keepDiscriminatorProperty: true,
+    })
+    @ApiProperty({
+        description:
+            "List of IAE actions to execute before credential issuance",
+        type: "array",
+        items: {
+            oneOf: [
+                { $ref: getSchemaPath(IaeActionOpenid4vpPresentation) },
+                { $ref: getSchemaPath(IaeActionRedirectToWeb) },
+            ],
+        },
+        nullable: true,
+        required: false,
+    })
+    @Column("json", { nullable: true })
+    iaeActions?: IaeAction[] | null;
+
     @IsOptional()
     @Column("int", { nullable: true })
     @IsNumber()