@bedrock/vc-delivery 4.1.2 → 4.3.0

package/lib/openId.js

@@ -8,8 +8,10 @@ import {
 } from '@bedrock/validation';
 import {importJWK, SignJWT} from 'jose';
 import {
-  openIdAuthorizationResponseBody, openIdBatchCredentialBody,
-  openIdCredentialBody, openIdTokenBody,
+  openIdAuthorizationResponseBody,
+  openIdBatchCredentialBody,
+  openIdCredentialBody,
+  openIdTokenBody,
   presentationSubmission as presentationSubmissionSchema
 } from '../schemas/bedrock-vc-exchanger.js';
 import {verify, verifyDidProofJwt} from './verify.js';
@@ -63,7 +65,11 @@ export async function createRoutes({
   const routes = {
     // OID4VCI routes
     asMetadata: `/.well-known/oauth-authorization-server${exchangeRoute}`,
+    asMetadataDraftBug:
+      `${exchangeRoute}/.well-known/oauth-authorization-server`,
     ciMetadata: `/.well-known/openid-credential-issuer${exchangeRoute}`,
+    ciMetadataDraftBug:
+      `${exchangeRoute}/.well-known/openid-credential-issuer`,
     batchCredential: `${openIdRoute}/batch_credential`,
     credential: `${openIdRoute}/credential`,
     token: `${openIdRoute}/token`,
@@ -231,7 +237,7 @@ export async function createRoutes({
 
       {
         "format": "ldp_vc",
-        "credential_description": {
+        "credential_definition": {
           "@context": [
             "https://www.w3.org/2018/credentials/v1",
             "https://www.w3.org/2018/credentials/examples/v1"
@@ -285,7 +291,7 @@ export async function createRoutes({
       {
         credential_requests: [{
           "format": "ldp_vc",
-          "credential_description": {
+          "credential_definition": {
             "@context": [
               "https://www.w3.org/2018/credentials/v1",
               "https://www.w3.org/2018/credentials/examples/v1"
@@ -357,6 +363,57 @@ export async function createRoutes({
         {req, presentation, presentationSubmission});
       res.json(result);
     }));
+
+  /* Note: The following routes are served only because of an OID4VCI draft bug
+  that tells clients to generate `/.well-known` paths in an erroneous way and
+  some implementers have complied. */
+
+  // an authorization server meta data endpoint
+  // serves `.well-known` oauth2 AS config for each exchange; each config is
+  // based on the exchanger used to create the exchange
+  app.get(
+    routes.asMetadataDraftBug,
+    cors(),
+    getConfigMiddleware,
+    asyncHandler(async (req, res) => {
+      // generate well-known oauth2 issuer config
+      const {config: exchanger} = req.serviceObject;
+      const exchangeId = `${exchanger.id}/exchanges/${req.params.exchangeId}`;
+      // note that technically, we should not need to serve any credential
+      // issuer metadata, but we do for backwards compatibility purposes as
+      // previous versions of OID4VCI required it
+      const oauth2Config = {
+        issuer: exchangeId,
+        jwks_uri: `${exchangeId}/openid/jwks`,
+        token_endpoint: `${exchangeId}/openid/token`,
+        credential_endpoint: `${exchangeId}/openid/credential`,
+        batch_credential_endpoint: `${exchangeId}/openid/batch_credential`
+        // FIXME: add `credentials_supported`
+      };
+      res.json(oauth2Config);
+    }));
+
+  // a credential issuer meta data endpoint
+  // serves `.well-known` oauth2 AS / CI config for each exchange; each config
+  // is based on the exchanger used to create the exchange
+  app.get(
+    routes.ciMetadataDraftBug,
+    cors(),
+    getConfigMiddleware,
+    asyncHandler(async (req, res) => {
+      // generate well-known oauth2 issuer config
+      const {config: exchanger} = req.serviceObject;
+      const exchangeId = `${exchanger.id}/exchanges/${req.params.exchangeId}`;
+      const oauth2Config = {
+        issuer: exchangeId,
+        jwks_uri: `${exchangeId}/openid/jwks`,
+        token_endpoint: `${exchangeId}/openid/token`,
+        credential_endpoint: `${exchangeId}/openid/credential`,
+        batch_credential_endpoint: `${exchangeId}/openid/batch_credential`
+        // FIXME: add `credentials_supported`
+      };
+      res.json(oauth2Config);
+    }));
 }
 
 async function _createExchangeAccessToken({exchanger, exchangeRecord}) {
@@ -473,6 +530,11 @@ async function _processCredentialRequests({req, res, isBatchRequest}) {
     }
     credentialRequests = [req.body];
   }
+
+  // before asserting, normalize credential requests to use `type` instead of
+  // `types`; this is to allow for OID4VCI draft 20 implementers that followed
+  // the non-normative examples
+  _normalizeCredentialDefinitionTypes({credentialRequests});
   _assertCredentialRequests(
     {credentialRequests, expectedCredentialRequests});
 
@@ -777,3 +839,15 @@ function _validate(validator, data) {
     throw result.error;
   }
 }
+
+function _normalizeCredentialDefinitionTypes({credentialRequests}) {
+  // normalize credential requests to use `type` instead of `types`
+  for(const cr of credentialRequests) {
+    if(cr?.credential_definition?.types) {
+      if(!cr?.credential_definition?.type) {
+        cr.credential_definition.type = cr.credential_definition.types;
+      }
+      delete cr.credential_definition.types;
+    }
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "4.1.2",
+  "version": "4.3.0",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",

package/schemas/bedrock-vc-exchanger.js

@@ -22,6 +22,14 @@ const credentialDefinition = {
       item: {
         type: 'string'
       }
+    },
+    // allow `types` to be flexible for OID4VCI draft 20 implementers
+    types: {
+      type: 'array',
+      minItems: 2,
+      item: {
+        type: 'string'
+      }
     }
   }
 };