Merge pull request #410 from openwallet-foundation-labs/fix/289

Fix/289

Author: cre8

apps/backend/src/auth/client/adapters/internal-clients.service.ts

@@ -84,6 +84,8 @@ export class InternalClientsProvider
                     description: e.description,
                     tenantId,
                     roles: e.roles,
+                    allowedPresentationConfigs: e.allowedPresentationConfigs,
+                    allowedIssuanceConfigs: e.allowedIssuanceConfigs,
                 })),
             );
     }
@@ -96,9 +98,19 @@ export class InternalClientsProvider
                 description: e.description,
                 tenantId,
                 roles: e.roles,
+                allowedPresentationConfigs: e.allowedPresentationConfigs,
+                allowedIssuanceConfigs: e.allowedIssuanceConfigs,
             }));
     }
 
+    /**
+     * Get a client by its clientId only (without tenant context).
+     * Used for JWT validation to fetch client restrictions.
+     */
+    async getClientById(clientId: string): Promise<ClientEntity | null> {
+        return this.repo.findOne({ where: { clientId } });
+    }
+
     getClientSecret(sub: string, id: string): Promise<string> {
         return this.repo
             .findOneByOrFail({ clientId: id, tenant: { id: sub } })

apps/backend/src/auth/client/adapters/keycloak-clients.service.ts

@@ -101,6 +101,14 @@ export class KeycloakClientsProvider
         });
     }
 
+    /**
+     * Get a client by its clientId only (without tenant context).
+     * Used for JWT validation to fetch client restrictions.
+     */
+    async getClientById(clientId: string): Promise<ClientEntity | null> {
+        return this.clientRepo.findOne({ where: { clientId } });
+    }
+
     getClientSecret(_sub: string, id: string): Promise<string> {
         return this.kc.clients
             .find({ clientId: id })
@@ -173,6 +181,8 @@ export class KeycloakClientsProvider
             clientId: dto.clientId,
             description: dto.description,
             roles: dto.roles,
+            allowedPresentationConfigs: dto.allowedPresentationConfigs,
+            allowedIssuanceConfigs: dto.allowedIssuanceConfigs,
             tenant: { id: tenantId },
         });
         await this.clientRepo.save(entity);
@@ -182,6 +192,8 @@ export class KeycloakClientsProvider
             description: dto.description,
             tenantId,
             roles: dto.roles,
+            allowedPresentationConfigs: dto.allowedPresentationConfigs,
+            allowedIssuanceConfigs: dto.allowedIssuanceConfigs,
             clientSecret: secret.value,
         };
     }

apps/backend/src/auth/client/client.provider.ts

@@ -20,6 +20,15 @@ export abstract class ClientsProvider {
         tenantId: string,
         clientId: string,
     ): Promise<ClientEntity>;
+
+    /**
+     * Get a client by its clientId only (without tenant context).
+     * Used for JWT validation where we need to fetch the client's restrictions.
+     * @param clientId The client ID (may be namespaced with tenant prefix for Keycloak)
+     * @returns The client entity or null if not found
+     */
+    abstract getClientById(clientId: string): Promise<ClientEntity | null>;
+
     abstract addClient(
         tenantId: string,
         dto: CreateClientDto,

apps/backend/src/auth/client/entities/client.entity.ts

@@ -1,4 +1,5 @@
-import { IsEnum, IsOptional, IsString } from "class-validator";
+import { ApiPropertyOptional } from "@nestjs/swagger";
+import { IsArray, IsEnum, IsOptional, IsString } from "class-validator";
 import { Column, Entity, ManyToOne, PrimaryColumn } from "typeorm";
 import { Role } from "../../roles/role.enum";
 import { TenantEntity } from "../../tenant/entitites/tenant.entity";
@@ -19,6 +20,7 @@ export class ClientEntity {
      * The secret key for the client.
      */
     @IsString()
+    @IsOptional()
     @Column({ nullable: true })
     secret?: string;
 
@@ -43,6 +45,40 @@ export class ClientEntity {
     @Column({ type: "json" })
     roles!: Role[];
 
+    /**
+     * Optional list of presentation config IDs this client is allowed to use.
+     * If null or empty, the client can use all presentation configs (backward compatible).
+     * Only relevant if the client has the 'presentation:offer' role.
+     */
+    @ApiPropertyOptional({
+        type: [String],
+        description:
+            "List of presentation config IDs this client can use. If empty/null, all configs are allowed.",
+        example: ["age-verification", "kyc-basic"],
+    })
+    @IsOptional()
+    @IsArray()
+    @IsString({ each: true })
+    @Column({ type: "json", nullable: true })
+    allowedPresentationConfigs?: string[] | null;
+
+    /**
+     * Optional list of issuance config IDs this client is allowed to use.
+     * If null or empty, the client can use all issuance configs (backward compatible).
+     * Only relevant if the client has the 'issuance:offer' role.
+     */
+    @ApiPropertyOptional({
+        type: [String],
+        description:
+            "List of issuance config IDs this client can use. If empty/null, all configs are allowed.",
+        example: ["pid", "mdl"],
+    })
+    @IsOptional()
+    @IsArray()
+    @IsString({ each: true })
+    @Column({ type: "json", nullable: true })
+    allowedIssuanceConfigs?: string[] | null;
+
     /**
      * The tenant that the client belongs to.
      */

apps/backend/src/auth/jwt.strategy.ts

@@ -1,16 +1,19 @@
-import { Injectable } from "@nestjs/common";
+import { Inject, Injectable } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { PassportStrategy } from "@nestjs/passport";
 import { passportJwtSecret } from "jwks-rsa";
 import { ExtractJwt, Strategy } from "passport-jwt";
+import { CLIENTS_PROVIDER, ClientsProvider } from "./client/client.provider";
 import { TenantService } from "./tenant/tenant.service";
-import { InternalTokenPayload } from "./token.decorator";
+import { InternalTokenPayload, TokenPayload } from "./token.decorator";
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy, "jwt") {
     constructor(
         private configService: ConfigService,
         private tenantService: TenantService,
+        @Inject(CLIENTS_PROVIDER)
+        private readonly clientsProvider: ClientsProvider,
     ) {
         const useExternalOIDC = configService.get<boolean>("OIDC");
 
@@ -77,10 +80,11 @@ export class JwtStrategy extends PassportStrategy(Strategy, "jwt") {
 
     /**
      * Validate the JWT payload. It will also check if the client is set up.
+     * Fetches client entity to include resource-level restrictions (allowedPresentationConfigs, etc.)
      * @param payload The JWT payload
-     * @returns The validated payload or an error
+     * @returns The validated payload with tenant and client info
      */
-    async validate(payload: InternalTokenPayload): Promise<any> {
+    async validate(payload: InternalTokenPayload): Promise<TokenPayload> {
         const useExternalOIDC =
             this.configService.get<string>("OIDC") !== undefined;
         let sub = payload.tenant_id;
@@ -93,9 +97,21 @@ export class JwtStrategy extends PassportStrategy(Strategy, "jwt") {
             .getTenant(sub)
             .catch(() => null);
 
+        // Fetch client to get resource-level restrictions
+        // For internal auth: sub is the client ID
+        // For Keycloak: azp (authorized party) or client_id contains the client ID
+        const clientId =
+            payload.sub || (payload as any).azp || (payload as any).client_id;
+        const client = clientId
+            ? await this.clientsProvider
+                  .getClientById(clientId)
+                  .catch(() => null)
+            : null;
+
         return {
-            entity: tenantEntity,
+            entity: tenantEntity ?? undefined,
             roles: payload.roles || (payload as any).realm_access?.roles || [],
+            client: client ?? undefined,
         };
     }
 }

apps/backend/src/auth/token.decorator.ts

@@ -1,4 +1,5 @@
 import { createParamDecorator, ExecutionContext } from "@nestjs/common";
+import { ClientEntity } from "./client/entities/client.entity";
 import { Role } from "./roles/role.enum";
 import { TenantEntity } from "./tenant/entitites/tenant.entity";
 
@@ -25,11 +26,21 @@ export interface TokenPayload {
      * Role for the user
      */
     roles: Role[];
+
+    /**
+     * Client entity (includes resource-level restrictions)
+     */
+    client?: ClientEntity;
 }
 
 export interface InternalTokenPayload extends TokenPayload {
     /**
      * Tenant ID
      */
     tenant_id: string;
+
+    /**
+     * Client ID (subject of the token)
+     */
+    sub?: string;
 }

apps/backend/src/issuer/issuance/offer/credential-offer.controller.ts

@@ -1,4 +1,10 @@
-import { Body, Controller, Post, Res } from "@nestjs/common";
+import {
+    Body,
+    Controller,
+    ForbiddenException,
+    Post,
+    Res,
+} from "@nestjs/common";
 import { ApiBody, ApiProduces, ApiResponse, ApiTags } from "@nestjs/swagger";
 import { Response } from "express";
 import * as QRCode from "qrcode";
@@ -62,6 +68,19 @@ export class CredentialOfferController {
         @Body() body: OfferRequestDto,
         @Token() user: TokenPayload,
     ) {
+        // Check if client has restricted issuance configs
+        if (user.client?.allowedIssuanceConfigs?.length) {
+            const unauthorized = body.credentialConfigurationIds.filter(
+                (configId) =>
+                    !user.client!.allowedIssuanceConfigs!.includes(configId),
+            );
+            if (unauthorized.length > 0) {
+                throw new ForbiddenException(
+                    `Client is not authorized to use issuance config(s): ${unauthorized.join(", ")}`,
+                );
+            }
+        }
+
         // For now, we'll just pass the body to the service as before
         // You can modify the service later to accept user information if needed
         const values = await this.oid4vciService.createOffer(

apps/backend/src/verifier/verifier-offer/verifier-offer.controller.ts

@@ -1,4 +1,11 @@
-import { Body, Controller, Post, Req, Res } from "@nestjs/common";
+import {
+    Body,
+    Controller,
+    ForbiddenException,
+    Post,
+    Req,
+    Res,
+} from "@nestjs/common";
 import { ApiBody, ApiProduces, ApiResponse, ApiTags } from "@nestjs/swagger";
 import { Request, Response } from "express";
 import QRCode from "qrcode";
@@ -71,6 +78,17 @@ export class VerifierOfferController {
         @Body() body: PresentationRequest,
         @Token() user: TokenPayload,
     ) {
+        // Check resource-level authorization
+        if (user.client?.allowedPresentationConfigs?.length) {
+            if (
+                !user.client.allowedPresentationConfigs.includes(body.requestId)
+            ) {
+                throw new ForbiddenException(
+                    `Client is not authorized to use presentation config: ${body.requestId}`,
+                );
+            }
+        }
+
         const values = await this.oid4vpService.createRequest(
             body.requestId,
             {