nuts-foundation · stevenvegt · May 12, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
@@ -704,7 +704,7 @@ func (r Wrapper) PresentationDefinition(ctx context.Context, request Presentatio
 		return PresentationDefinition200JSONResponse(PresentationDefinition{}), nil
 	}
 
-	mapping, err := r.policyBackend.PresentationDefinitions(ctx, request.Params.Scope)
+	match, err := r.policyBackend.FindCredentialProfile(ctx, request.Params.Scope)
 	if err != nil {
 		return nil, oauth.OAuth2Error{
 			Code:        oauth.InvalidScope,
@@ -716,7 +716,7 @@ func (r Wrapper) PresentationDefinition(ctx context.Context, request Presentatio
 	if request.Params.WalletOwnerType != nil {
 		walletOwnerType = *request.Params.WalletOwnerType
 	}
-	result, exists := mapping[walletOwnerType]
+	result, exists := match.WalletOwnerMapping[walletOwnerType]
 	if !exists {
 		return nil, oauthError(oauth.InvalidRequest, fmt.Sprintf("no presentation definition found for '%s' wallet", walletOwnerType))
 	}

@@ -191,7 +191,7 @@ func TestWrapper_PresentationDefinition(t *testing.T) {
 
 	t.Run("ok", func(t *testing.T) {
 		test := newTestClient(t)
-		test.policy.EXPECT().PresentationDefinitions(gomock.Any(), "example-scope").Return(walletOwnerMapping, nil)
+		test.policy.EXPECT().FindCredentialProfile(gomock.Any(), "example-scope").Return(&policy.CredentialProfileMatch{CredentialProfileScope: "example-scope", WalletOwnerMapping: walletOwnerMapping, ScopePolicy: policy.ScopePolicyProfileOnly}, nil)
 
 		response, err := test.client.PresentationDefinition(ctx, PresentationDefinitionRequestObject{SubjectID: verifierSubject, Params: PresentationDefinitionParams{Scope: "example-scope"}})
 
@@ -216,7 +216,7 @@ func TestWrapper_PresentationDefinition(t *testing.T) {
 		walletOwnerMapping := pe.WalletOwnerMapping{pe.WalletOwnerUser: pe.PresentationDefinition{Id: "test"}}
 
 		test := newTestClient(t)
-		test.policy.EXPECT().PresentationDefinitions(gomock.Any(), "example-scope").Return(walletOwnerMapping, nil)
+		test.policy.EXPECT().FindCredentialProfile(gomock.Any(), "example-scope").Return(&policy.CredentialProfileMatch{CredentialProfileScope: "example-scope", WalletOwnerMapping: walletOwnerMapping, ScopePolicy: policy.ScopePolicyProfileOnly}, nil)
 
 		response, err := test.client.PresentationDefinition(ctx, PresentationDefinitionRequestObject{SubjectID: verifierSubject, Params: PresentationDefinitionParams{Scope: "example-scope", WalletOwnerType: &userWalletType}})
 
@@ -228,7 +228,7 @@ func TestWrapper_PresentationDefinition(t *testing.T) {
 
 	t.Run("err - unknown wallet type", func(t *testing.T) {
 		test := newTestClient(t)
-		test.policy.EXPECT().PresentationDefinitions(gomock.Any(), "example-scope").Return(walletOwnerMapping, nil)
+		test.policy.EXPECT().FindCredentialProfile(gomock.Any(), "example-scope").Return(&policy.CredentialProfileMatch{CredentialProfileScope: "example-scope", WalletOwnerMapping: walletOwnerMapping, ScopePolicy: policy.ScopePolicyProfileOnly}, nil)
 
 		response, err := test.client.PresentationDefinition(ctx, PresentationDefinitionRequestObject{SubjectID: verifierSubject, Params: PresentationDefinitionParams{Scope: "example-scope", WalletOwnerType: &userWalletType}})
 
@@ -239,7 +239,7 @@ func TestWrapper_PresentationDefinition(t *testing.T) {
 
 	t.Run("error - unknown scope", func(t *testing.T) {
 		test := newTestClient(t)
-		test.policy.EXPECT().PresentationDefinitions(gomock.Any(), "unknown").Return(nil, policy.ErrNotFound)
+		test.policy.EXPECT().FindCredentialProfile(gomock.Any(), "unknown").Return(nil, policy.ErrNotFound)
 
 		response, err := test.client.PresentationDefinition(ctx, PresentationDefinitionRequestObject{SubjectID: verifierSubject, Params: PresentationDefinitionParams{Scope: "unknown"}})
 
@@ -290,7 +290,7 @@ func TestWrapper_HandleAuthorizeRequest(t *testing.T) {
 				OpenIDProvider: serverMetadata,
 			},
 		}
-		ctx.policy.EXPECT().PresentationDefinitions(gomock.Any(), "test").Return(pe.WalletOwnerMapping{pe.WalletOwnerOrganization: pe.PresentationDefinition{Id: "test"}}, nil)
+		ctx.policy.EXPECT().FindCredentialProfile(gomock.Any(), "test").Return(&policy.CredentialProfileMatch{CredentialProfileScope: "test", WalletOwnerMapping: pe.WalletOwnerMapping{pe.WalletOwnerOrganization: pe.PresentationDefinition{Id: "test"}}, ScopePolicy: policy.ScopePolicyProfileOnly}, nil)
 		ctx.iamClient.EXPECT().OpenIDConfiguration(gomock.Any(), holderURL.String()).Return(&configuration, nil)
 		ctx.jar.EXPECT().Create(verifierDID, verifierURL.String(), holderClientID, gomock.Any()).DoAndReturn(func(client did.DID, clientID string, audience string, modifier requestObjectModifier) jarRequest {
 			req := createJarRequest(client, clientID, audience, modifier)
@@ -1572,23 +1572,24 @@ func statusCodeFrom(err error) int {
 }
 
 type testCtx struct {
-	authnServices  *auth.MockAuthenticationServices
-	ctrl           *gomock.Controller
-	client         *Wrapper
-	documentOwner  *didsubject.MockDocumentOwner
-	iamClient      *iam.MockClient
-	jwtSigner      *cryptoNuts.MockJWTSigner
-	keyResolver    *resolver.MockKeyResolver
-	policy         *policy.MockPDPBackend
-	resolver       *resolver.MockDIDResolver
-	relyingParty   *oauthServices.MockRelyingParty
-	vcr            *vcr.MockVCR
-	vdr            *vdr.MockVDR
-	vcIssuer       *issuer.MockIssuer
-	vcVerifier     *verifier.MockVerifier
-	wallet         *holder.MockWallet
-	subjectManager *didsubject.MockManager
-	jar            *MockJAR
+	authnServices    *auth.MockAuthenticationServices
+	ctrl             *gomock.Controller
+	client           *Wrapper
+	documentOwner    *didsubject.MockDocumentOwner
+	iamClient        *iam.MockClient
+	jwtSigner        *cryptoNuts.MockJWTSigner
+	keyResolver      *resolver.MockKeyResolver
+	policy           *policy.MockPDPBackend
+	scopeEvaluator   *policy.MockScopeEvaluator
+	resolver         *resolver.MockDIDResolver
+	relyingParty     *oauthServices.MockRelyingParty
+	vcr              *vcr.MockVCR
+	vdr              *vdr.MockVDR
+	vcIssuer         *issuer.MockIssuer
+	vcVerifier       *verifier.MockVerifier
+	wallet           *holder.MockWallet
+	subjectManager   *didsubject.MockManager
+	jar              *MockJAR
 	openid4vciClient *openid4vci.MockClient
 }
 
@@ -1602,6 +1603,7 @@ func newCustomTestClient(t testing.TB, publicURL *url.URL, authEndpointEnabled b
 	storageEngine := storage.NewTestStorageEngine(t)
 	authnServices := auth.NewMockAuthenticationServices(ctrl)
 	policyInstance := policy.NewMockPDPBackend(ctrl)
+	scopeEvaluator := policy.NewMockScopeEvaluator(ctrl)
 	mockResolver := resolver.NewMockDIDResolver(ctrl)
 	relyingPary := oauthServices.NewMockRelyingParty(ctrl)
 	vcIssuer := issuer.NewMockIssuer(ctrl)
@@ -1645,22 +1647,23 @@ func newCustomTestClient(t testing.TB, publicURL *url.URL, authEndpointEnabled b
 		jar:            mockJAR,
 	}
 	return &testCtx{
-		ctrl:           ctrl,
-		authnServices:  authnServices,
-		policy:         policyInstance,
-		relyingParty:   relyingPary,
-		vcIssuer:       vcIssuer,
-		vcVerifier:     vcVerifier,
-		resolver:       mockResolver,
-		documentOwner:  mockDocumentOwner,
-		subjectManager: subjectManager,
-		iamClient:      iamClient,
-		vcr:            mockVCR,
-		wallet:         mockWallet,
-		keyResolver:    keyResolver,
-		jwtSigner:      jwtSigner,
-		jar:            mockJAR,
-		client:         client,
+		ctrl:             ctrl,
+		authnServices:    authnServices,
+		policy:           policyInstance,
+		scopeEvaluator:   scopeEvaluator,
+		relyingParty:     relyingPary,
+		vcIssuer:         vcIssuer,
+		vcVerifier:       vcVerifier,
+		resolver:         mockResolver,
+		documentOwner:    mockDocumentOwner,
+		subjectManager:   subjectManager,
+		iamClient:        iamClient,
+		vcr:              mockVCR,
+		wallet:           mockWallet,
+		keyResolver:      keyResolver,
+		jwtSigner:        jwtSigner,
+		jar:              mockJAR,
+		client:           client,
 		openid4vciClient: openid4vciClient,
 	}
 }
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2026 Nuts community
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+package iam
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/nuts-foundation/nuts-node/auth/oauth"
+	"github.com/nuts-foundation/nuts-node/policy"
+	"github.com/nuts-foundation/nuts-node/policy/authzen"
+	"github.com/nuts-foundation/nuts-node/vcr/pe"
+	"github.com/nuts-foundation/nuts-node/vcr/signature/proof"
+	"github.com/nuts-foundation/nuts-node/vcr/test"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+)
+
+// TestIntegration_DynamicScopePolicy_AuthZenEndToEnd exercises the server-side token handler
+// with a real AuthZen HTTP client talking to an httptest server. Unlike the unit tests in
+// s2s_vptoken_test.go which mock the AuthZen evaluator, this test validates the full HTTP
+// roundtrip: request serialization, response parsing, and outcomes that depend on the
+// evaluator actually being called.
+//
+// Scope is intentionally narrow: scenarios covered by policy/authzen/client_test.go (HTTP
+// errors, malformed response, timeouts) or by the s2s unit tests (VP validation, profile-only
+// rejection) are not duplicated here. The tests below cover the outcomes that require the
+// server-side flow + real HTTP together: approved scopes end up in the token, denied extra
+// scopes are excluded, and PDP denial of the credential profile scope blocks token issuance.
+func TestIntegration_DynamicScopePolicy_AuthZenEndToEnd(t *testing.T) {
+	var presentationDefinition pe.PresentationDefinition
+	require.NoError(t, json.Unmarshal([]byte(`{
+		"format": {
+			"ldp_vc": {"proof_type": ["JsonWebSignature2020"]}
+		},
+		"input_descriptors": [{
+			"id": "1",
+			"constraints": {
+				"fields": [{
+					"path": ["$.type"],
+					"filter": {"type": "string", "const": "NutsOrganizationCredential"}
+				}]
+			}
+		}]
+	}`), &presentationDefinition))
+	walletOwnerMapping := pe.WalletOwnerMapping{pe.WalletOwnerOrganization: presentationDefinition}
+
+	var submission pe.PresentationSubmission
+	require.NoError(t, json.Unmarshal([]byte(`{
+		"descriptor_map": [{"id": "1", "path": "$.verifiableCredential", "format": "ldp_vc"}]
+	}`), &submission))
+	submissionJSONBytes, _ := json.Marshal(submission)
+	submissionJSON := string(submissionJSONBytes)
+
+	verifiableCredential := test.ValidNutsOrganizationCredential(t)
+	subjectDID, _ := verifiableCredential.SubjectDID()
+	proofVisitor := test.LDProofVisitor(func(p *proof.LDProof) {
+		p.Domain = &issuerClientID
+	})
+	presentation := test.CreateJSONLDPresentation(t, *subjectDID, proofVisitor, verifiableCredential)
+
+	dpopHeader, _, _ := newSignedTestDPoP()
+	httpRequest := &http.Request{Header: http.Header{"Dpop": []string{dpopHeader.String()}}}
+	contextWithValue := context.WithValue(context.Background(), httpRequestContextKey{}, httpRequest)
+	clientID := "https://example.com/oauth2/holder"
+
+	// startPDP starts an httptest server that responds with the given decisions and captures
+	// the decoded AuthZen request for post-call assertions.
+	startPDP := func(t *testing.T, decisions []authzen.EvaluationResult) (*httptest.Server, *authzen.EvaluationsRequest) {
+		var receivedRequest authzen.EvaluationsRequest
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			assert.Equal(t, "/access/v1/evaluations", r.URL.Path)
+			require.NoError(t, json.NewDecoder(r.Body).Decode(&receivedRequest))
+			w.Header().Set("Content-Type", "application/json")
+			_ = json.NewEncoder(w).Encode(authzen.EvaluationsResponse{Evaluations: decisions})
+		}))
+		t.Cleanup(server.Close)
+		return server, &receivedRequest
+	}
+
+	t.Run("PDP approves all scopes - token issued and request shape correct over the wire", func(t *testing.T) {
+		pdpServer, receivedRequest := startPDP(t, []authzen.EvaluationResult{{Decision: true}, {Decision: true}})
+		realAuthzenClient := authzen.NewClient(pdpServer.URL, http.DefaultClient)
+
+		ctx := newTestClient(t)
+		ctx.vcVerifier.EXPECT().VerifyVP(gomock.Any(), true, true, gomock.Any()).Return(presentation.VerifiableCredential, nil)
+		ctx.policy.EXPECT().FindCredentialProfile(gomock.Any(), "example-scope extra-scope").Return(&policy.CredentialProfileMatch{
+			CredentialProfileScope: "example-scope",
+			WalletOwnerMapping:     walletOwnerMapping,
+			ScopePolicy:            policy.ScopePolicyDynamic,
+			OtherScopes:            []string{"extra-scope"},
+		}, nil)
+		ctx.policy.EXPECT().ScopeEvaluator().Return(policy.NewAuthZenScopeEvaluator(realAuthzenClient))
+
+		resp, err := ctx.client.handleS2SAccessTokenRequest(contextWithValue, clientID, issuerSubjectID, "example-scope extra-scope", submissionJSON, presentation.Raw())
+
+		require.NoError(t, err)
+		tokenResponse := TokenResponse(resp.(HandleTokenRequest200JSONResponse))
+		assert.Equal(t, "example-scope extra-scope", *tokenResponse.Scope)
+
+		// Validate request serialization over the wire (not covered by mock-based unit tests).
+		assert.Equal(t, "organization", receivedRequest.Subject.Type)
+		assert.Equal(t, "request_scope", receivedRequest.Action.Name)
+		assert.Equal(t, "example-scope", receivedRequest.Context.Policy)
+		require.Len(t, receivedRequest.Evaluations, 2)
+		assert.Equal(t, "example-scope", receivedRequest.Evaluations[0].Resource.ID)
+		assert.Equal(t, "extra-scope", receivedRequest.Evaluations[1].Resource.ID)
+	})
+
+	t.Run("PDP partial denial - denied scopes excluded from token", func(t *testing.T) {
+		pdpServer, _ := startPDP(t, []authzen.EvaluationResult{
+			{Decision: true},
+			{Decision: false, Context: &authzen.EvaluationResultContext{Reason: "not permitted"}},
+		})
+		realAuthzenClient := authzen.NewClient(pdpServer.URL, http.DefaultClient)
+
+		ctx := newTestClient(t)
+		ctx.vcVerifier.EXPECT().VerifyVP(gomock.Any(), true, true, gomock.Any()).Return(presentation.VerifiableCredential, nil)
+		ctx.policy.EXPECT().FindCredentialProfile(gomock.Any(), "example-scope extra-scope").Return(&policy.CredentialProfileMatch{
+			CredentialProfileScope: "example-scope",
+			WalletOwnerMapping:     walletOwnerMapping,
+			ScopePolicy:            policy.ScopePolicyDynamic,
+			OtherScopes:            []string{"extra-scope"},
+		}, nil)
+		ctx.policy.EXPECT().ScopeEvaluator().Return(policy.NewAuthZenScopeEvaluator(realAuthzenClient))
+
+		resp, err := ctx.client.handleS2SAccessTokenRequest(contextWithValue, clientID, issuerSubjectID, "example-scope extra-scope", submissionJSON, presentation.Raw())
+
+		require.NoError(t, err)
+		tokenResponse := TokenResponse(resp.(HandleTokenRequest200JSONResponse))
+		assert.Equal(t, "example-scope", *tokenResponse.Scope)
+	})
+
+	t.Run("PDP denies credential profile scope - access_denied, no token issued", func(t *testing.T) {
+		pdpServer, _ := startPDP(t, []authzen.EvaluationResult{
+			{Decision: false},
+			{Decision: true},
+		})
+		realAuthzenClient := authzen.NewClient(pdpServer.URL, http.DefaultClient)
+
+		ctx := newTestClient(t)
+		ctx.vcVerifier.EXPECT().VerifyVP(gomock.Any(), true, true, gomock.Any()).Return(presentation.VerifiableCredential, nil)
+		ctx.policy.EXPECT().FindCredentialProfile(gomock.Any(), "example-scope extra-scope").Return(&policy.CredentialProfileMatch{
+			CredentialProfileScope: "example-scope",
+			WalletOwnerMapping:     walletOwnerMapping,
+			ScopePolicy:            policy.ScopePolicyDynamic,
+			OtherScopes:            []string{"extra-scope"},
+		}, nil)
+		ctx.policy.EXPECT().ScopeEvaluator().Return(policy.NewAuthZenScopeEvaluator(realAuthzenClient))
+
+		resp, err := ctx.client.handleS2SAccessTokenRequest(contextWithValue, clientID, issuerSubjectID, "example-scope extra-scope", submissionJSON, presentation.Raw())
+
+		_ = assertOAuthErrorWithCode(t, err, oauth.AccessDenied, `PDP denied credential profile scope "example-scope"`)
+		assert.Nil(t, resp)
+	})
+}
@@ -111,7 +111,7 @@ func (r Wrapper) handleAuthorizeRequestFromHolder(ctx context.Context, subject s
 	// Determine which PEX Presentation Definitions we want to see fulfilled during authorization through OpenID4VP.
 	// Each Presentation Definition triggers 1 OpenID4VP flow.
 	// TODO: Support multiple scopes?
-	presentationDefinitions, err := r.presentationDefinitionForScope(ctx, params.get(oauth.ScopeParam))
+	match, err := r.findCredentialProfile(ctx, params.get(oauth.ScopeParam))
 	if err != nil {
 		return nil, withCallbackURI(err, redirectURL)
 	}
@@ -122,7 +122,7 @@ func (r Wrapper) handleAuthorizeRequestFromHolder(ctx context.Context, subject s
 		OwnSubject:        &subject,
 		ClientState:       params.get(oauth.StateParam),
 		RedirectURI:       redirectURL.String(),
-		OpenID4VPVerifier: newPEXConsumer(presentationDefinitions),
+		OpenID4VPVerifier: newPEXConsumer(match.WalletOwnerMapping),
 		PKCEParams: PKCEParams{ // store params, when generating authorization code we take the params from the nonceStore and encrypt them in the authorization code
 			Challenge:       params.get(oauth.CodeChallengeParam),
 			ChallengeMethod: params.get(oauth.CodeChallengeMethodParam),

@@ -107,7 +107,7 @@ func TestWrapper_handleAuthorizeRequestFromHolder(t *testing.T) {
 	})
 	t.Run("unknown scope", func(t *testing.T) {
 		ctx := newTestClient(t)
-		ctx.policy.EXPECT().PresentationDefinitions(gomock.Any(), gomock.Any()).Return(pe.WalletOwnerMapping{}, policy.ErrNotFound)
+		ctx.policy.EXPECT().FindCredentialProfile(gomock.Any(), gomock.Any()).Return(nil, policy.ErrNotFound)
 		params := defaultParams()
 		params[oauth.ScopeParam] = "unknown"
 
@@ -126,7 +126,7 @@ func TestWrapper_handleAuthorizeRequestFromHolder(t *testing.T) {
 	})
 	t.Run("failed to generate authorization request", func(t *testing.T) {
 		ctx := newTestClient(t)
-		ctx.policy.EXPECT().PresentationDefinitions(gomock.Any(), "test").Return(pe.WalletOwnerMapping{pe.WalletOwnerOrganization: PresentationDefinition{}}, nil)
+		ctx.policy.EXPECT().FindCredentialProfile(gomock.Any(), "test").Return(&policy.CredentialProfileMatch{CredentialProfileScope: "test", WalletOwnerMapping: pe.WalletOwnerMapping{pe.WalletOwnerOrganization: PresentationDefinition{}}, ScopePolicy: policy.ScopePolicyProfileOnly}, nil)
 		params := defaultParams()
 		ctx.iamClient.EXPECT().OpenIDConfiguration(context.Background(), holderClientID).Return(&oauth.OpenIDConfiguration{
 			Metadata: oauth.EntityStatementMetadata{
@@ -142,7 +142,7 @@ func TestWrapper_handleAuthorizeRequestFromHolder(t *testing.T) {
 	})
 	t.Run("failed to resolve OpenID configuration", func(t *testing.T) {
 		ctx := newTestClient(t)
-		ctx.policy.EXPECT().PresentationDefinitions(gomock.Any(), "test").Return(pe.WalletOwnerMapping{pe.WalletOwnerOrganization: PresentationDefinition{}}, nil)
+		ctx.policy.EXPECT().FindCredentialProfile(gomock.Any(), "test").Return(&policy.CredentialProfileMatch{CredentialProfileScope: "test", WalletOwnerMapping: pe.WalletOwnerMapping{pe.WalletOwnerOrganization: PresentationDefinition{}}, ScopePolicy: policy.ScopePolicyProfileOnly}, nil)
 		params := defaultParams()
 		ctx.iamClient.EXPECT().OpenIDConfiguration(context.Background(), holderClientID).Return(nil, assert.AnError)