feat: SPOCP-based issuance policy evaluation with dynamic OIDC params

[leifj]

Summary

Implements conditional credential issuance using the SPOCP policy engine, allowing authentic source business systems to pass dynamic parameters through the OIDC authorization flow.

Closes #379

Changes

New: pkg/issuance/ — Policy engine and S-expression parser

• policy.go: PolicyEngine wrapping spocp.AdaptiveEngine with Evaluate(scope, claims, queryTemplate) for checking OIDC claims against SPOCP rules. BuildQuery() constructs S-expression queries from claims.
• parser.go: Human-readable S-expression parser (ParseAdvancedSExp) supporting star forms: wildcard (*), prefix (* prefix urn:example:), suffix (* suffix @example.com), set (* set loa3 loa4).
• policy_test.go + parser_test.go: 27 tests covering simple match/deny, wrong scope, wildcard rules, prefix/suffix/set star forms, multiple rules, missing claims, boolean coercion, query building, and parser edge cases.

Model types in pkg/model/data_sources.go

• OIDCRequestParams — per-scope OIDC authorization request customization (acr_values, claims, extra_scopes, custom_params)
• IssuancePolicy — SPOCP rules (inline + file) with query template mapping
• ScopePolicyConfig — combined config struct
• LookupScopePolicyConfig() helper on DataSources

Integration

• OIDC RP service (service.go): InitiateAuth/InitiateAuthForVCI accept OIDCRequestParams + DynamicParams; resolveOIDCRequestParams() builds oauth2.AuthCodeOption list with Go template resolution for dynamic values
• OIDC callback (handlers_oidcrp.go): Policy evaluation block after claims retrieval — denied claims return hard error
• PAR handler (handlers_oauth.go): Stores DynamicParams from PARRequest into AuthorizationContext
• Consent flow (endpoints_oauth.go): Forwards dynamic params from AuthorizationContext to InitiateAuthForVCI
• Session/cache: DynamicParams field added to OIDC session and AuthorizationContext

Configuration Example

data_sources:
  assertion:
    scopes:
      org_credential:
        oidc_request_params:
          acr_values: "urn:example:loa3"
          claims: '{"id_token":{"org_id":{"value":"{{.org_id}}"}}}'

[Copilot]

Pull request overview

Implements per-credential-scope issuance gating and OIDC authorization-request customization by introducing (1) dynamic parameter propagation from PAR → auth context/session and (2) SPOCP-based post-login policy evaluation of OIDC claims in the OIDC RP callback.

Changes:

• Adds DynamicParams to PAR requests, authorization context, and OIDC sessions; forwards them into OIDC auth initiation for template substitution.
• Introduces OIDCRequestParams and IssuancePolicy scope configuration (plus a cross-data-source lookup helper) to drive OIDC request customization and SPOCP rules.
• Adds a new pkg/issuance package with an “advanced-form” S-expression parser and policy engine wrapper; integrates evaluation into the OIDC callback path.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
pkg/openid4vci/authoriziation.go	Extends PAR request model with DynamicParams.
pkg/model/data_sources.go	Adds per-scope OIDCRequestParams + IssuancePolicy config models and LookupScopePolicyConfig().
pkg/issuance/policy.go	New SPOCP policy engine wrapper + query builder + optional rules file loading.
pkg/issuance/policy_test.go	Unit tests for policy engine behavior and query building.
pkg/issuance/parser.go	New “advanced form” S-expression parser with star-form support.
pkg/issuance/parser_test.go	Unit tests for the advanced S-expression parser.
pkg/cache/authcontext_types.go	Adds DynamicParams persistence to AuthorizationContext.
internal/apigw/httpserver/endpoints_oauth.go	Forwards per-scope OIDC params and stored dynamic params into OIDC auth initiation (VCI consent flow).
internal/apigw/auth_providers/oidcrp/session.go	Persists DynamicParams into the OIDC RP session model.
internal/apigw/auth_providers/oidcrp/service.go	Extends OIDC initiation to accept per-scope params + dynamic params; resolves templates into AuthCodeURL options.
internal/apigw/apiv1/handlers_oidcrp.go	Evaluates issuance policy after claims retrieval (pre-issuance).
internal/apigw/apiv1/handlers_oauth.go	Stores DynamicParams from PAR into the authorization context.

Comments suppressed due to low confidence (1)

internal/apigw/auth_providers/oidcrp/service.go:152

• InitiateAuth’s signature change is a breaking API change; current repo call sites still use the old signature (e.g., internal/apigw/integration/oidc_integration_test.go calls InitiateAuth(ctx, "pid")). Update those callers (and any external consumers) or provide a backward-compatible wrapper to avoid build failures.

// InitiateAuth initiates an OIDC authentication flow.
// oidcParams and dynamicParams are optional: when non-nil, they customize the
// authorization request (e.g., acr_values, claims parameter, extra scopes).
func (s *Service) InitiateAuth(ctx context.Context, credentialType string, oidcParams *model.OIDCRequestParams, dynamicParams map[string]string) (*AuthRequest, error) {
	s.log.Debug("Initiating OIDC auth",
		"credential_type", credentialType)

	// Create session with state, nonce, and PKCE verifier
	session, err := s.createSession(ctx, credentialType)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud