feat: add directed identity #3889

Open
njlie wants to merge 9 commits into main from blair/directed-identity

@njlie njlie commented Apr 6, 2026

Changes proposed in this pull request

Context

This is the feature branch merge into main that will implement Directed Identity in Rafiki.

Checklist

  • Related issues linked using fixes #number
  • Tests added/updated
  • Make sure that all checks pass
  • Bruno collection updated (if necessary)
  • Documentation issue created with user-docs label (if necessary)
  • OpenAPI specs updated (if necessary)

BlairCurrey and others added 6 commits February 18, 2026 12:58
…es (#3834)

* feat(token-instrospection): widen client spec to include jwk, add types

* feat: update typegen package

* fix: rm unused types

* fix(auth): token info type

* Revert "fix(auth): token info type"

This reverts commit 1b28db2.

* fix: resolve asset query issue in mock ase (#3840)

---------

Co-authored-by: dragosp1011 <109967337+dragosp1011@users.noreply.github.com>
* feat: add jwk support to client/grant

* fix: use grant error

* fix: don't cast, use better types

* chore: format

* chore: don't unnecessarily check kid against jwk

* refactor: simplify types, logic for getting client field

* refactor: move logic involving jwk/client into service

* test: logic moved into grant service

* fix: tests
…#3838)

* feat(token-instrospection): widen client spec to include jwk, add types

* feat: update typegen package

* fix: rm unused types

* fix(auth): token info type

* Revert "fix(auth): token info type"

This reverts commit 1b28db2.

* feat(backend): handle JWK as possible client value in auth middleware

---------

Co-authored-by: Blair Currey <12960453+BlairCurrey@users.noreply.github.com>
* feat(tests): integration tests for directed identity

* chore: formatting

netlify bot commented Apr 6, 2026

Deploy Preview for brilliant-pasca-3e80ec canceled.

Name Link
🔨 Latest commit 209042c
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/69d6c739232b570008daf3af

@github-actions github-actions bot added labels Apr 6, 2026:

  • type: tests (Testing related)
  • pkg: backend (Changes in the backend package.)
  • type: source (Changes business logic)
  • pkg: auth (Changes in the GNAP auth package.)

github-actions bot commented Apr 6, 2026

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 49.20
  • Iterations/s: 16.42
  • Failed Requests: 0.00% (0 of 2958)
📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 1.1 MB 18 kB/s
     data_sent......................: 2.3 MB 38 kB/s
     http_req_blocked...............: avg=7.4µs    min=1.85µs   med=5.04µs   max=1.87ms   p(90)=6.4µs    p(95)=7.18µs  
     http_req_connecting............: avg=431ns    min=0s       med=0s       max=524.26µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=80.71ms  min=6.57ms   med=64.84ms  max=564.57ms p(90)=139.46ms p(95)=158.43ms
       { expected_response:true }...: avg=80.71ms  min=6.57ms   med=64.84ms  max=564.57ms p(90)=139.46ms p(95)=158.43ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2958
     http_req_receiving.............: avg=80.43µs  min=27.55µs  med=72.32µs  max=1.06ms   p(90)=108.44µs p(95)=131.55µs
     http_req_sending...............: avg=33.56µs  min=8.96µs   med=26.9µs   max=1.24ms   p(90)=38.34µs  p(95)=51.79µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=80.59ms  min=6.38ms   med=64.72ms  max=564.47ms p(90)=139.21ms p(95)=158.29ms
     http_reqs......................: 2958   49.196401/s
     iteration_duration.............: avg=243.44ms min=149.85ms med=227.73ms max=752.39ms p(90)=302.34ms p(95)=336.72ms
     iterations.....................: 987    16.415432/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4 

@njlie njlie marked this pull request as ready for review April 7, 2026 14:54

@BlairCurrey BlairCurrey left a comment

Tested on Bruno and it looks good, just a couple of small suggestions. Thanks for closing this one out.

delete? looks like an erroneous folder

@@ -1,4 +1,4 @@
const { createHmac } = require('crypto')
const { createHmac, generateKeyPairSync, createPublicKey } = require('crypto')

createPublicKey appears to be unused

const { body } = ctx.request
const { grantService, interactionService, config, logger } = deps
if (!body.interact) {
if (!input.interact) {
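
Review bot: the `interact` check now reads `input.interact`, but the unchanged context line `const { body } = ctx.request` is still present and `input` is not defined anywhere in the visible lines. If `input` is a parsed form of the request body, drop the `body` destructuring once nothing else reads it, so the handler has one source for request fields. Mixing `body` and `input` in the same handler makes it easy for a later check to validate one object and act on the other.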

What about changing this to differentiate between missing and invalid (jwk) client? Noticed while trying to create an interactive grant with a jwk using the Bruno collection - the error response is "missing required request field 'client'" but it might be important to clarify that it can't be a JWK. Something like:

  if (!input.client) {
    if (input.jwk) {
      throw new GNAPServerRouteError(
        400,
        GNAPErrorCode.InvalidClient,
        'JWK client identifier cannot be used for interactive grants'
      )
    }
    throw new GNAPServerRouteError(
      400,
      GNAPErrorCode.InvalidClient,
      "missing required request field 'client'"
    )
  }

{
client: ctx.client,
keyIdInSignature: keyId,
requestedRoute: `${ctx.client}/jwks.json`,
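
Review bot: `requestedRoute` interpolates `ctx.client` straight into a template string, which is only meaningful while `ctx.client` is a string. If it can be a JWK object here, as the commit "handle JWK as possible client value in auth middleware" on this branch suggests, the value renders as `[object Object]/jwks.json` and no longer records which key URL was involved. Build the route from the wallet address field only when one is present, and decide explicitly what `client:` should carry in the JWK case (for example a key id) rather than the whole object.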

Suggested change
requestedRoute: `${ctx.client}/jwks.json`,
requestedRoute: `${ctx.client.walletAddress}/jwks.json`,

@njlie njlie requested a review from BlairCurrey April 8, 2026 21:27