From 88633516d1e6ef0d95fb27e028ca684df1a39481 Mon Sep 17 00:00:00 2001
From: Stefan Wiedemann
Date: Tue, 10 Mar 2026 13:34:49 +0100
Subject: [PATCH] fix idtoken

---
 verifier/verifier.go | 14 ++++++++------
 verifier/verifier_test.go | 2 +-
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/verifier/verifier.go b/verifier/verifier.go
index 340fbaa..285abce 100644
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@@ -23,6 +23,7 @@ import (
 configModel "github.com/fiware/VCVerifier/config"
 "github.com/fiware/VCVerifier/gaiax"
 "github.com/fiware/VCVerifier/tir"
+ "github.com/google/uuid"
 "github.com/trustbloc/vc-go/verifiable"
 logging "github.com/fiware/VCVerifier/logging"
@@ -644,7 +645,7 @@ func (v *CredentialVerifier) GenerateToken(clientId, subject, audience string, s
 logging.Log().Warnf("No valid credential type was provided. Provided credential type: %v", vcTypes)
 return 0, "", ErrorNoValidCredentialTypeProvided
 }
- token, err := v.generateJWT(credentialsToBeIncluded, holder, audience, flatClaims)
+ token, err := v.generateJWT(credentialsToBeIncluded, holder, audience, flatClaims, uuid.NewString())
 if err != nil {
 logging.Log().Warnf("Was not able to create the token. Err: %v", err)
 return 0, "", err
@@ -873,9 +874,6 @@ func (v *CredentialVerifier) AuthenticationResponse(state string, verifiablePres
 }
 }
- // we ignore the error here, since the only consequence is that sub will be empty.
- hostname, _ := getHostName(loginSession.callback)
-
 if len(credentialsToBeIncluded) == 0 {
 vcTypes := []string{}
 for k := range credentialsByType {
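Review bot: `uuid.NewString()` on the new generateJWT call makes the nonce a value minted inside GenerateToken that no caller supplied and that is not returned alongside the token, so whoever receives this token has nothing to compare the `nonce` claim against; a nonce only binds a token to a request when the requesting party chose it. Unless the remainder of GenerateToken's signature (truncated in the hunk header) already carries a caller-supplied nonce, consider taking it from the caller as AuthenticationResponse now does with `loginSession.nonce`, or passing `""` so generateJWT omits the claim, and state the choice in GenerateToken's doc comment. GenerateToken's body starts and ends outside the hunk.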
@@ -885,7 +883,7 @@ func (v *CredentialVerifier) AuthenticationResponse(state string, verifiablePres
 return sameDevice, ErrorNoValidCredentialTypeProvided
 }
- token, err := v.generateJWT(credentialsToBeIncluded, verifiablePresentation.Holder, hostname, flatClaims)
+ token, err := v.generateJWT(credentialsToBeIncluded, verifiablePresentation.Holder, loginSession.clientId, flatClaims, loginSession.nonce)
 if err != nil {
 logging.Log().Warnf("Was not able to create a jwt for %s. Err: %v", state, err)
 return sameDevice, err
@@ -1159,7 +1157,7 @@ func (v *CredentialVerifier) generateAuthenticationRequest(base string, clientId
 }
 // generate a jwt, containing the credential and mandatory information as defined by the dsba-convergence
-func (v *CredentialVerifier) generateJWT(credentials []map[string]interface{}, holder string, audience string, flatValues bool) (generatedJwt jwt.Token, err error) {
+func (v *CredentialVerifier) generateJWT(credentials []map[string]interface{}, holder string, audience string, flatValues bool, nonce string) (generatedJwt jwt.Token, err error) {
 jwtBuilder := jwt.NewBuilder().Issuer(v.GetHost()).Audience([]string{audience}).Expiration(v.clock.Now().Add(v.jwtExpiration))
@@ -1175,6 +1173,10 @@ func (v *CredentialVerifier) generateJWT(credentials []map[string]interface{}, h
 jwtBuilder.Claim("verifiableCredential", credentials[0])
 }
+ if nonce != "" {
+ jwtBuilder.Claim("nonce", nonce)
+ }
+
 token, err := jwtBuilder.Build()
 if err != nil {
 logging.Log().Warnf("Was not able to build a token. Err: %v", err)
diff --git a/verifier/verifier_test.go b/verifier/verifier_test.go
index 7a107e6..2c2206d 100644
--- a/verifier/verifier_test.go
+++ b/verifier/verifier_test.go
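Review bot: The audience passed to generateJWT changes from the callback hostname to `loginSession.clientId`, and neither this hunk nor the removed `getHostName` lines in the earlier hunk show a check that the session actually holds a client id, so an unset value would be signed into the token as `aud: [""]`. If clientId is guaranteed at session creation (outside this hunk) a one-line comment saying so at the call site is enough; otherwise reject the response before the token is built, e.g. `if loginSession.clientId == "" { return sameDevice, <error the surrounding code uses for a malformed session> }`. The same question applies to `loginSession.nonce`, which generateJWT silently drops when it is empty, so a session that lost its nonce produces a token without the claim and no log line. AuthenticationResponse's body starts and ends outside the hunk.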
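Review bot: The doc comment `// generate a jwt, containing the credential and mandatory information as defined by the dsba-convergence` above the changed signature is not updated for the new `nonce` parameter, and nothing on either side of the change documents what `audience` must now carry given that both callers changed what they pass. Extend it to say that nonce is optional and, when non-empty, is copied into a `nonce` claim (as the following hunk implements), and that audience becomes the `aud` claim verbatim, since `Audience([]string{audience})` on the next line performs no validation of its own. generateJWT's body continues past the hunk.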
@@ -1398,7 +1398,7 @@ func TestGenerateJWT(t *testing.T) {
 for _, tc := range tests {
 t.Run(tc.testName, func(t *testing.T) {
- token, err := v.generateJWT(tc.credentials, tc.holder, tc.audience, tc.flat)
+ token, err := v.generateJWT(tc.credentials, tc.holder, tc.audience, tc.flat, "nonce")
 if err != nil {
 t.Fatalf("unexpected error building jwt: %v", err)
 }
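Review bot: The test now passes `"nonce"` to generateJWT, but the hunk shows no assertion that the claim ended up in the returned token, so the new branch in generateJWT runs without its effect being checked; after the error check, read the `nonce` claim back from `token` (the accessor depends on the jwt library version in use) and fail when it is not `"nonce"`. A second case passing `""` and asserting the claim is absent would cover the omission path as well. TestGenerateJWT starts before the hunk and its table of cases is outside it.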