@bedrock/vc-delivery 7.11.3 → 7.13.0

package/lib/ExchangeProcessor.js

@@ -288,10 +288,21 @@ export class ExchangeProcessor {
         // 4.2. Call subalgorithm `prepareStep`, passing `workflow`,
         // `exchange`, `step`, `receivedPresentation`, and
         // `receivedPresentationRequest` to perform any protocol-specific
-        // custom step preparation.
-        await prepareStep?.({
-          workflow, exchange, step, receivedPresentation
+        // custom step preparation. If `prepareStep` returns a `prepareResult`
+        // with `receivedPresentation` and/or `receivedPresentationRequest` set,
+        // then update `receivedPresentation` and/or
+        // `receivedPresentationRequest` accordingly.
+        const prepareResult = await prepareStep?.({
+          workflow, exchange, step,
+          receivedPresentation, receivedPresentationRequest
         });
+        if(prepareResult?.receivedPresentation !== undefined) {
+          receivedPresentation = prepareResult.receivedPresentation;
+        }
+        if(prepareResult?.receivedPresentationRequest) {
+          receivedPresentationRequest =
+            prepareResult.receivedPresentationRequest;
+        }
 
         // 4.3. If `receivedPresentation` is set, then call the
         // `validateReceivedPresentation` sub-algorithm, passing `workflow`,
@@ -312,20 +323,27 @@ export class ExchangeProcessor {
           });
         }
 
-        // 4.5. Set `isInputRequired` to the result of calling
+        // 4.5. If the implementation supports blocking callbacks that can
+        // return results to be added to exchange variables (or return errors),
+        // call the callback and store its results in
+        // `exchange.variables.results[exchange.step].callbackResults` or
+        // throw any error received.
+        // FIXME: to be implemented
+
+        // 4.6. Set `isInputRequired` to the result of calling
         // `inputRequired({step, receivedPresentation})`.
         const isInputRequired = await inputRequired?.({
           workflow, exchange, step, receivedPresentation
         }) ?? false;
 
-        // 4.6. If `isInputRequired` is true:
+        // 4.7. If `isInputRequired` is true:
         if(isInputRequired) {
-          // 4.6.1. If `response` is `null`, set it to an empty object.
+          // 4.7.1. If `response` is `null`, set it to an empty object.
           if(!response) {
             response = {};
           }
 
-          // 4.6.2. If `step.verifiablePresentationRequest` is set, call
+          // 4.7.2. If `step.verifiablePresentationRequest` is set, call
           // the `createVerifiablePresentationRequest` sub-algorithm, passing
           // `workflow`, `exchange`, `step`, and `response`.
           if(step.verifiablePresentationRequest) {
@@ -334,12 +352,13 @@ export class ExchangeProcessor {
             });
           }
 
-          // 4.6.3. Save the exchange and return `response`.
+          // 4.7.3. Save the exchange (and call any non-blocking callback
+          // in the step) and return `response`.
           await _updateExchange({workflow, exchange, meta, step});
           return response;
         }
 
-        // 4.7. Set `issueToClient` to `true` if `step.issueRequests` includes
+        // 4.8. Set `issueToClient` to `true` if `step.issueRequests` includes
         // any issuer requests for VCs that are to be sent to the client
         // (`issueRequest.result` is NOT set), otherwise set it to `false`.
         const issueRequestsParams = getIssueRequestsParams({
@@ -347,27 +366,28 @@ export class ExchangeProcessor {
         });
         const issueToClient = issueRequestsParams.some(p => !p.result);
 
-        // 4.8. If `step.verifiablePresentation` is set or `issueToClient` is
+        // 4.9. If `step.verifiablePresentation` is set or `issueToClient` is
         // `true`:
         if(step.verifiablePresentation || issueToClient) {
-          // 4.8.1. If `response` is not `null`
+          // 4.9.1. If `response` is not `null`
           if(response) {
-            // 4.8.1.1. If `response.verifiablePresentationRequest` is not set,
+            // 4.9.1.1. If `response.verifiablePresentationRequest` is not set,
             // set it to an empty object (to indicate that the exchange is
             // not yet complete).
             if(!response.verifiablePresentationRequest) {
               response.verifiablePresentationRequest = {};
             }
-            // 4.8.1.2. Save the exchange.
+            // 4.9.1.2. Save the exchange (and call any non-blocking callback
+            // in the step).
             await _updateExchange({workflow, exchange, meta, step});
-            // 4.8.1.3. Return `response`.
+            // 4.9.1.3. Return `response`.
             return response;
           }
 
-          // 4.8.2. Set `response` to an empty object.
+          // 4.9.2. Set `response` to an empty object.
           response = {};
 
-          // 4.8.3. If `step.verifiablePresentation` is set, set
+          // 4.9.3. If `step.verifiablePresentation` is set, set
           // `response.verifiablePresentation` to a copy of it, otherwise
           // set `response.verifiablePresentation` to a new, empty,
           // Verifiable Presentation (using VCDM 2.0 by default, but a custom
@@ -380,14 +400,14 @@ export class ExchangeProcessor {
         // issuance has been triggered
         issuanceTriggered = true;
 
-        // 4.9. Perform every issue request (optionally in parallel), returning
-        // an error response to the client if any fails (note: implementations
-        // can optionally implement failure recovery or retry issue requests at
-        // their own discretion):
-        // 4.9.1. For each issue request where `result` is set to an exchange
+        // 4.10. Perform every issue request (optionally in parallel),
+        // returning an error response to the client if any fails (note:
+        // implementations can optionally implement failure recovery or retry
+        // issue requests at their own discretion):
+        // 4.10.1. For each issue request where `result` is set to an exchange
         // variable path or name, save the issued credential in the referenced
         // exchange variable.
-        // 4.9.2. For each issue request where `result` is not specified, save
+        // 4.10.2. For each issue request where `result` is not specified, save
         // the issued credential in `response.verifiablePresentation`, i.e.,
         // for a VCDM presentation, append the issued credential to
         // `response.verifiablePresentation.verifiableCredential`.
@@ -396,44 +416,45 @@ export class ExchangeProcessor {
           verifiablePresentation: response?.verifiablePresentation
         });
 
-        // 4.10. If `response.verifiablePresentation` is set and the step
+        // 4.11. If `response.verifiablePresentation` is set and the step
         // configuration indicates it should be signed, sign the presentation
         // (e.g., by using a VCALM holder instance's `/presentations/create`
         // endpoint).
         // FIXME: implement
         //if(response?.verifiablePresentation) {}
 
-        // 4.11. If `step.redirectUrl` is set:
+        // 4.12. If `step.redirectUrl` is set:
         if(step.redirectUrl) {
-          // 4.11.1. If `response` is `null` then set it to an empty object.
+          // 4.12.1. If `response` is `null` then set it to an empty object.
           if(!response) {
             response = {};
           }
-          // 4.11.2. Set `response.redirectUrl` to `step.redirectUrl`.
+          // 4.12.2. Set `response.redirectUrl` to `step.redirectUrl`.
           response.redirectUrl = step.redirectUrl;
         }
 
-        // 4.12. If `step.nextStep` is not set then set `exchange.state` to
+        // 4.13. If `step.nextStep` is not set then set `exchange.state` to
         // `complete`.
         if(!step.nextStep) {
           exchange.state = 'complete';
         } else {
-          // 4.13. Otherwise, delete `exchange.variables.results[step.nextStep]`
+          // 4.14. Otherwise, delete `exchange.variables.results[step.nextStep]`
           // if it exists, and set `exchange.step` to `step.nextStep`.
           delete exchange.variables.results[step.nextStep];
           exchange.step = step.nextStep;
         }
 
-        // 4.14. Save the exchange.
+        // 4.15. Save the exchange (and call any non-blocking callback in
+        // the step).
         await _updateExchange({workflow, exchange, meta, step});
 
-        // 4.15. If `exchange.state` is `complete`, return `response` if it is
+        // 4.16. If `exchange.state` is `complete`, return `response` if it is
         // not `null`, otherwise return an empty object.
         if(exchange.state === 'complete') {
           return response ?? {};
         }
 
-        // 4.16. Set `receivedPresentation` to `null`.
+        // 4.17. Set `receivedPresentation` to `null`.
         receivedPresentation = null;
       }
     } catch(e) {
@@ -458,7 +479,6 @@ export class ExchangeProcessor {
 
 async function _getStep({workflow, exchange}) {
   const currentStep = exchange.step;
-
   if(!currentStep) {
     // return default empty step and set dummy stepname for exchange
     exchange.step = 'initial';
@@ -541,6 +561,7 @@ function _isInitialStep({workflow, exchange}) {
 
 async function _updateExchange({workflow, exchange, meta, step}) {
   try {
+    exchange.referenceId = globalThis.crypto.randomUUID();
     exchange.sequence++;
     if(exchange.state === 'complete') {
       await exchanges.complete({workflowId: workflow.id, exchange});

package/lib/helpers.js

@@ -2,7 +2,6 @@
  * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import * as vcjwt from './vcjwt.js';
 import {decodeId, generateId} from 'bnid';
 import {compile} from '@bedrock/validation';
 import {Ed25519Signature2020} from '@digitalbazaar/ed25519-signature-2020';
@@ -22,16 +21,6 @@ const ALLOWED_ERROR_KEYS = [
   'status'
 ];
 
-const JWT_FORMAT_ALIASES = new Set([
-  'application/jwt',
-  'application/vc+jwt',
-  'application/vp+jwt',
-  'jwt_vp',
-  'jwt_vp_json',
-  'jwt_vc_json-ld',
-  'jwt_vc_json'
-]);
-
 export function buildPresentationFromResults({
   presentation, verifyResult
 }) {
@@ -126,7 +115,7 @@ export async function evaluateTemplate({
 export async function evaluateExchangeStep({
   workflow, exchange, stepName = exchange.step
 }) {
-  let step = workflow.steps[stepName];
+  let step = workflow.steps[stepName] ?? {};
   if(step.stepTemplate) {
     step = await evaluateTemplate({
       workflow, exchange, typedTemplate: step.stepTemplate
@@ -358,52 +347,8 @@ export function stripStacktrace(error) {
   return error;
 }
 
-export async function unenvelopeCredential({
-  envelopedCredential, format
-} = {}) {
-  const result = _getEnvelope({envelope: envelopedCredential, format});
-
-  // only supported format is VC-JWT at this time
-  const credential = vcjwt.decodeVCJWTCredential({jwt: result.envelope});
-  return {credential, ...result};
-}
-
-export async function unenvelopePresentation({
-  envelopedPresentation, format
-} = {}) {
-  const result = _getEnvelope({envelope: envelopedPresentation, format});
-
-  // only supported format is VC-JWT at this time
-  const presentation = vcjwt.decodeVCJWTPresentation({jwt: result.envelope});
-
-  // unenvelope any VCs in the presentation
-  let {verifiableCredential = []} = presentation;
-  if(!Array.isArray(verifiableCredential)) {
-    verifiableCredential = [verifiableCredential];
-  }
-  if(verifiableCredential.length > 0) {
-    presentation.verifiableCredential = await Promise.all(
-      verifiableCredential.map(async vc => {
-        if(vc?.type !== 'EnvelopedVerifiableCredential') {
-          return vc;
-        }
-        const {credential} = await unenvelopeCredential({
-          envelopedCredential: vc
-        });
-        return credential;
-      }));
-  }
-  return {presentation, ...result};
-}
-
 export async function validateStep({step} = {}) {
   // FIXME: use `ajv` and do JSON schema check
-  if(Object.keys(step).length === 0) {
-    throw new BedrockError('Empty exchange step detected.', {
-      name: 'DataError',
-      details: {httpStatusCode: 500, public: true}
-    });
-  }
   if(step.issueRequests !== undefined && !Array.isArray(step.issueRequests)) {
     throw new BedrockError(
       'Invalid "issueRequests" in step.', {
@@ -423,32 +368,6 @@ export async function validateStep({step} = {}) {
   }
 }
 
-function _getEnvelope({envelope, format}) {
-  const isString = typeof envelope === 'string';
-  if(isString) {
-    // supported formats
-    if(JWT_FORMAT_ALIASES.has(format)) {
-      format = 'application/jwt';
-    }
-  } else {
-    const {id} = envelope;
-    if(id?.startsWith('data:application/jwt,')) {
-      format = 'application/jwt';
-      envelope = id.slice('data:application/jwt,'.length);
-    }
-  }
-
-  if(format === 'application/jwt' && envelope !== undefined) {
-    return {envelope, format};
-  }
-
-  throw new BedrockError(
-    `Unsupported credential or presentation envelope format "${format}".`, {
-      name: 'NotSupportedError',
-      details: {httpStatusCode: 400, public: true}
-    });
-}
-
 export function validateVerifiablePresentation({schema, presentation}) {
   const validate = compile({schema});
   const {valid, error} = validate(presentation);

package/lib/oid4/authorizationRequest.js

@@ -12,7 +12,14 @@ import {randomUUID} from 'node:crypto';
 
 const {util: {BedrockError}} = bedrock;
 
+const ENCRYPTED_RESPONSE_MODES = new Set([
+  'direct_post.jwt', 'dc_api.jwt', 'dc_api'
+]);
 const OID4VP_JWT_TYP = 'oauth-authz-req+jwt';
+const SUPPORTED_CLIENT_ID_SCHEMES = new Set([
+  'redirect_uri', 'x509_san_dns', 'x509_hash', 'decentralized_identifier'
+]);
+
 const TEXT_ENCODER = new TextEncoder();
 
 export async function create({
@@ -27,16 +34,24 @@ export async function create({
 
   // get params from step OID4VP client profile to apply to the AR
   const {
-    client_id, client_id_scheme,
+    client_id,
+    client_id_scheme,
+    dcql_query,
+    expected_origins,
     nonce,
     presentation_definition,
-    response_mode, response_uri
+    response_mode,
+    response_uri
   } = clientProfile;
   const clientBaseUrl = getClientBaseUrl({workflow, exchange, clientProfileId});
 
   // client_id_scheme (draft versions of OID4VP use this param)
   authorizationRequest.client_id_scheme = client_id_scheme ?? 'redirect_uri';
 
+  // dcql_query
+  authorizationRequest.dcql_query = dcql_query ??
+    authorizationRequest.dcql_query;
+
   // presentation_definition
   authorizationRequest.presentation_definition = presentation_definition ??
     authorizationRequest.presentation_definition;
@@ -49,10 +64,13 @@ export async function create({
     `${clientBaseUrl}/authorization/response`;
 
   // client_id (defaults to `response_uri`)
-  // FIXME: newer versions of OID4VP require a prefix of `redirect_uri:` for
-  // the default case -- which is incompatible with some draft versions
-  authorizationRequest.client_id = client_id ??
-    authorizationRequest.response_uri;
+  if(client_id) {
+    authorizationRequest.client_id = client_id;
+  } else if(authorizationRequest.client_id_scheme === 'redirect_uri') {
+    // use prefix; this is compatible with both draft 18 and 1.0+
+    authorizationRequest.client_id =
+      `redirect_uri:${authorizationRequest.response_uri}`;
+  }
 
   // `x509_san_dns` requires the `direct_post.jwt` response mode when using
   // `direct_post`
@@ -63,6 +81,10 @@ export async function create({
     authorizationRequest.response_mode += '.jwt';
   }
 
+  // expected origins; safe to always include
+  authorizationRequest.expected_origins = expected_origins ??
+    [new URL(authorizationRequest.response_uri).origin];
+
   // nonce
   if(nonce) {
     authorizationRequest.nonce = nonce;
@@ -109,6 +131,16 @@ export async function encode({
   return jwt;
 }
 
+export function removeClientIdPrefix({clientId} = {}) {
+  for(const idScheme of SUPPORTED_CLIENT_ID_SCHEMES) {
+    const prefix = `${idScheme}:`;
+    if(clientId.startsWith(prefix)) {
+      return clientId.slice(prefix.length);
+    }
+  }
+  return clientId;
+}
+
 async function _createClientMetaData({
   authorizationRequest, clientProfile
 } = {}) {
@@ -175,8 +207,8 @@ async function _createClientMetaData({
     client_metadata.require_signed_request_object = true;
   }
 
-  // for response mode `direct_post.jwt`, offer encryption options
-  if(authorizationRequest.response_mode === 'direct_post.jwt') {
+  // offer encryption options for encrypted response modes
+  if(ENCRYPTED_RESPONSE_MODES.has(authorizationRequest.response_mode)) {
     // generate ECDH-ES P-256 key
     const kp = await generateKeyPair('ECDH-ES', {
       crv: 'P-256', extractable: true
@@ -239,9 +271,7 @@ async function _createJwt({workflow, clientProfile, authorizationRequest}) {
     const kid = keyDescription.id;
 
     // create the JWT payload and header to be signed
-    const payload = {
-      ...authorizationRequest
-    };
+    const payload = {...authorizationRequest};
     const protectedHeader = {typ: OID4VP_JWT_TYP, alg: 'ES256', kid, x5c};
 
     // create the JWT

package/lib/oid4/authorizationResponse.js

@@ -8,7 +8,6 @@ import {
 } from '../../schemas/bedrock-vc-workflow.js';
 import {compile} from '@bedrock/validation';
 import {oid4vp} from '@digitalbazaar/oid4-client';
-import {unenvelopePresentation} from '../helpers.js';
 
 const {util: {BedrockError}} = bedrock;
 
@@ -27,58 +26,46 @@ bedrock.events.on('bedrock.init', () => {
   });
 });
 
-export async function parse({req, exchange, clientProfileId} = {}) {
+export async function parse({
+  req, exchange, clientProfileId, authorizationRequest
+} = {}) {
   try {
     const {body} = req;
     const {
-      responseMode, parsed, protectedHeader
+      responseMode, parsed, protectedHeader,
+      recipientPublicJwk, recipientPublicJwkThumbprint,
+      vpTokenMediaType
     } = await oid4vp.verifier.parseAuthorizationResponse({
       body,
       getDecryptParameters() {
         return _getDecryptParameters({exchange, clientProfileId});
-      }
+      },
+      authorizationRequest
     });
 
-    // validate parsed presentation submission
+    // validate parsed presentation submission if given
     const {presentationSubmission} = parsed;
-    _validate(VALIDATORS.presentationSubmission, presentationSubmission);
+    if(presentationSubmission) {
+      _validate(VALIDATORS.presentationSubmission, presentationSubmission);
+    }
 
     // obtain `presentation` and optional `envelope` from parsed `vpToken`
     const {vpToken} = parsed;
     let presentation;
     let envelope;
 
-    if(oid4vp.authzResponse.submitsFormat({
-      presentationSubmission, format: 'mso_mdoc'
-    })) {
-      // `vp_token` is declared to be a base64url-encoded mDL device response
-      presentation = {
-        '@context': VC_CONTEXT_2,
-        id: `data:application/mdl-vp-token,${vpToken}`,
-        type: 'EnvelopedVerifiablePresentation'
-      };
-    } else if(typeof vpToken === 'string') {
-      // FIXME: remove unenveloping here and delegate it to VC API verifier;
-      // FIXME: check if envelope matches submission once verified
-      const {
-        envelope: raw, presentation: contents, format
-      } = await unenvelopePresentation({
-        envelopedPresentation: vpToken,
-        // FIXME: check `presentationSubmission` for VP format
-        format: 'application/jwt'
-      });
-      _validate(VALIDATORS.presentation, contents);
+    if(vpTokenMediaType !== 'application/vp') {
+      // `vp_token` contains some enveloped format
       presentation = {
         '@context': VC_CONTEXT_2,
-        id: `data:${format},${raw}`,
+        id: `data:${vpTokenMediaType},${vpToken}`,
         type: 'EnvelopedVerifiablePresentation'
       };
-      envelope = {raw, contents, format};
+      envelope = {mediaType: vpTokenMediaType};
     } else {
-      // simplest case: `vpToken` is a VP; validate it
+      // simplest case: `vpToken` is a VP; validate it against basic schema
       presentation = vpToken;
       _validate(VALIDATORS.presentation, presentation);
-      // FIXME: validate VP against presentation submission
     }
 
     return {
@@ -86,7 +73,9 @@ export async function parse({req, exchange, clientProfileId} = {}) {
       presentationSubmission,
       presentation,
       envelope,
-      protectedHeader
+      protectedHeader,
+      recipientPublicJwk,
+      recipientPublicJwkThumbprint
     };
   } catch(cause) {
     throw new BedrockError(

package/lib/oid4/http.js

@@ -328,21 +328,37 @@ export async function createRoutes({
     }));
 
   // an OID4VP verifier endpoint
-  // serves the authorization request, including presentation definition
+  // serves the authorization request
   // associated with the current step in the exchange
+  app.options(routes.authorizationRequest, cors());
   app.get(
     routes.authorizationRequest,
     cors(),
     getConfigMiddleware,
     getExchange,
     asyncHandler(_handleOid4vpAuthzRequest));
+  // same as above but allows wallet to submit metadata
+  app.post(
+    routes.authorizationRequest,
+    cors(),
+    getConfigMiddleware,
+    getExchange,
+    asyncHandler(_handleOid4vpAuthzRequest));
   // same as above but handling is based on specific client profile
+  app.options(routes.profiledAuthorizationRequest, cors());
   app.get(
     routes.profiledAuthorizationRequest,
     cors(),
     getConfigMiddleware,
     getExchange,
     asyncHandler(_handleOid4vpAuthzRequest));
+  // same as above but allows wallet to submit metadata
+  app.post(
+    routes.profiledAuthorizationRequest,
+    cors(),
+    getConfigMiddleware,
+    getExchange,
+    asyncHandler(_handleOid4vpAuthzRequest));
 
   // an OID4VP verifier endpoint
   // receives an authorization response with vp_token
@@ -375,13 +391,16 @@ async function _handleOid4vpAuthzRequest(req, res) {
   const {clientProfileId} = req.params;
   let result;
   try {
+    // FIXME: consider passing `body` to modulate authz request that is
+    // returned in response; presently any wallet metadata is ignored
     const {
       authorizationRequest,
       clientProfile
     } = await oid4vp.getAuthorizationRequest({req, clientProfileId});
     const {config: workflow} = req.serviceObject;
     result = await oid4vp.encodeAuthorizationRequest({
-      workflow, clientProfile, authorizationRequest
+      workflow, clientProfile, authorizationRequest,
+      requestMethod: req.method.toLowerCase()
     });
     res.set('content-type', 'application/oauth-authz-req+jwt');
   } catch(error) {
@@ -405,7 +424,7 @@ function _normalizeCredentials({verifiablePresentation}) {
   // use raw format for each credential
   const {verifiableCredential} = verifiablePresentation;
   return verifiableCredential.map(vc => {
-    // parse any enveloped VC into its non-VC format
+    // parse any JWT-enveloped VC into its non-VC format
     if(vc.type === 'EnvelopedVerifiableCredential' &&
       vc.id?.startsWith('data:application/jwt,')) {
       return vc.id.slice('data:application/jwt,'.length);

package/lib/oid4/oid4vp.js

@@ -2,13 +2,16 @@
  * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
+import {
+  create as createAuthorizationRequest,
+  removeClientIdPrefix
+} from './authorizationRequest.js';
 import {
   evaluateExchangeStep,
   resolveVariableName,
   setVariable
 } from '../helpers.js';
 import {getClientBaseUrl, getClientProfile} from './clientProfiles.js';
-import {create as createAuthorizationRequest} from './authorizationRequest.js';
 import {verify as defaultVerify} from '../verify.js';
 import {ExchangeProcessor} from '../ExchangeProcessor.js';
 import {oid4vp} from '@digitalbazaar/oid4-client';
@@ -92,27 +95,26 @@ export async function getOID4VPProtocols({workflow, exchange, step}) {
   // profile name
   const protocols = {};
   for(const [clientProfileId, clientProfile] of clientProfiles) {
-    // currently, only changing `name` and `scheme` are supported
-    const {
-      protocolUrlParameters: {
-        name = 'OID4VP',
-        scheme = 'openid4vp'
-      } = {}
-    } = clientProfile;
+    // get supported protocol URL parameters
+    const {name, scheme, version} = _getProtocolUrlParameters({clientProfile});
 
     // generate default OID4VP protocol URL
     const clientBaseUrl = getClientBaseUrl({
       workflow, exchange, clientProfileId
     });
     const {
-      authorizationRequest: {client_id}
+      authorizationRequest
     } = await _getOrCreateStepAuthorizationRequest({
       workflow, exchange, clientProfileId, clientProfile, step
     });
+    const {client_id, request_uri_method} = authorizationRequest;
     const searchParams = new URLSearchParams({
       client_id,
       request_uri: `${clientBaseUrl}/authorization/request`
     });
+    if(request_uri_method && version !== 'OID4VP-draft18') {
+      searchParams.set('request_uri_method', request_uri_method);
+    }
     protocols[name] = `${scheme}://?${searchParams}`;
   }
   return protocols;
@@ -138,15 +140,8 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
   const {config: workflow} = req.serviceObject;
   const exchangeRecord = await req.getExchange();
 
-  // ensure authz response can be parsed
-  const {
-    presentation, envelope, presentationSubmission,
-    responseMode, protectedHeader
-  } = await parseAuthorizationResponse({
-    req, exchange: exchangeRecord.exchange, clientProfileId
-  });
-
   // process exchange and produce result
+  let parseResponseResult;
   const result = {};
   const exchangeProcessor = new ExchangeProcessor({
     workflow, exchangeRecord,
@@ -156,15 +151,11 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       });
       result.authorizationRequest = authorizationRequest;
 
-      // ensure response mode matches
-      if(responseMode !== authorizationRequest.response_mode) {
-        throw new BedrockError(
-          `The used response mode ("${responseMode}") does not match the ` +
-          `expected response mode ("${authorizationRequest.response_mode}".`, {
-            name: 'ConstraintError',
-            details: {httpStatusCode: 400, public: true}
-          });
-      }
+      // ensure authz response can be parsed
+      parseResponseResult = await parseAuthorizationResponse({
+        req, exchange: exchangeRecord.exchange, clientProfileId,
+        authorizationRequest
+      });
 
       // only mark exchange complete if there is nothing to be issued; this
       // handles same-step OID4VCI+OID4VP case
@@ -178,6 +169,9 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       if(redirect_uri) {
         result.redirect_uri = redirect_uri;
       }
+
+      const {presentation: receivedPresentation} = parseResponseResult;
+      return {receivedPresentation};
     },
     inputRequired({step}) {
       // indicate input always required to avoid automatically advancing
@@ -199,26 +193,58 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       verifyPresentationOptions.challenge = authorizationRequest.nonce;
       verifyPresentationOptions.domain = authorizationRequest.response_uri;
 
-      // if `direct_post.jwt` used w/ mDL presentation, include `mDL` options
-      if(responseMode === 'direct_post.jwt' &&
-        oid4vp.authzResponse.submitsFormat({
-          presentationSubmission, format: 'mso_mdoc'
-        })) {
+      const {envelope} = parseResponseResult;
+      if(envelope?.mediaType === 'application/mdl-vp-token') {
+        // generate `handover` for mDL verification
+        let handover;
+
+        // common `handover` parameters:
+        const origin = authorizationRequest?.expected_origins?.[0] ??
+          new URL(authorizationRequest.response_uri).origin;
+        const nonce = authorizationRequest.nonce;
+
+        // `direct_post.jwt` => ISO18013-7 Annex B
+        // FIXME: same response mode is also used for OID4VP 1.0 with
+        // `OpenID4VPHandover` for non-Annex-B; this is not yet supported
+        // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-invocation-via-redirects
+        const {responseMode} = parseResponseResult;
+        if(responseMode === 'direct_post.jwt') {
+          handover = {
+            type: 'AnnexBHandover',
+            // per ISO 18013-7 B the `mdocGeneratedNonce` is base64url-encoded
+            // and put into the `apu` protected header parameter, so parse that
+            // here and convert it to a UTF-8 string instead
+            mdocGeneratedNonce: Buffer
+              .from(parseResponseResult.protectedHeader?.apu ?? '', 'base64url')
+              .toString('utf8'),
+            clientId: authorizationRequest.client_id,
+            responseUri: authorizationRequest.response_uri,
+            verifierGeneratedNonce: nonce
+          };
+        } else if(responseMode === 'dc_api') {
+          // `dc_api` => ISO18013-7 Annex C
+          handover = {
+            type: 'dcapi',
+            origin,
+            nonce,
+            recipientPublicJwk: parseResponseResult.recipientPublicJwk
+          };
+        } else if(responseMode === 'dc_api.jwt') {
+          // `dc_api.jwt` => ISO18013-7 Annex D
+          handover = {
+            type: 'OpenID4VPDCAPIHandover',
+            origin,
+            nonce,
+            jwkThumbprint: parseResponseResult.recipientPublicJwkThumbprint
+          };
+        }
+
         verifyPresentationOptions.mdl = {
           ...verifyPresentationOptions.mdl,
-          // note: in session transcript:
-          // `domain` option above will be used for `responseUri`
-          // `challenge` option above will be used for `verifierGeneratedNonce`
-          // so do not send here to avoid redundancy
-          sessionTranscript: {
-            // per ISO 18013-7 the `mdocGeneratedNonce` is base64url-encoded
-            // and put into the `apu` protected header parameter -- and the
-            // VC API `mdl.sessionTranscript` option expects the
-            // `mdocGeneratedNonce` to be base64url-encoded, so we can pass
-            // it straight through
-            mdocGeneratedNonce: protectedHeader.apu,
-            clientId: authorizationRequest.client_id
-          }
+          // send encoded mDL `sessionTranscript`
+          sessionTranscript: Buffer
+            .from(await oid4vp.mdl.encodeSessionTranscript({handover}))
+            .toString('base64url')
         };
       }
 
@@ -234,6 +260,7 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       });
 
       // save OID4VP results in exchange
+      const {presentationSubmission} = parseResponseResult;
       exchange.variables.results[exchange.step] = {
         ...exchange.variables.results[exchange.step],
         openId: {
@@ -242,7 +269,7 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
           presentationSubmission
         }
       };
-      if(envelope) {
+      if(parseResponseResult.envelope) {
         // include enveloped VP in step result
         exchange.variables.results[exchange.step]
           .envelopedPresentation = presentation;
@@ -251,7 +278,7 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       return verifyResult;
     }
   });
-  await exchangeProcessor.process({receivedPresentation: presentation});
+  await exchangeProcessor.process();
 
   return result;
 }
@@ -266,6 +293,21 @@ export async function supportsOID4VP({workflow, exchange, step}) {
   return step.openId !== undefined;
 }
 
+function _getProtocolUrlParameters({clientProfile}) {
+  const protocolUrlParameters = {
+    name: 'OID4VP',
+    scheme: 'openid4vp',
+    version: undefined,
+    ...clientProfile.protocolUrlParameters
+  };
+  if(protocolUrlParameters.version === undefined) {
+    protocolUrlParameters.version =
+      protocolUrlParameters.scheme === 'mdoc-openid4vp' ?
+        'OID4VP-draft18' : 'OID4VP-1.0';
+  }
+  return protocolUrlParameters;
+}
+
 async function _getOrCreateStepAuthorizationRequest({
   workflow, exchange, clientProfileId, clientProfile, step
 }) {
@@ -274,6 +316,9 @@ async function _getOrCreateStepAuthorizationRequest({
   // get authorization request
   authorizationRequest = clientProfile.authorizationRequest;
   if(authorizationRequest) {
+    authorizationRequest = _normalizeAuthorizationRequest({
+      authorizationRequest, exchange, clientProfile
+    });
     return {authorizationRequest, exchangeChanged: false};
   }
 
@@ -298,6 +343,9 @@ async function _getOrCreateStepAuthorizationRequest({
     variables: exchange.variables, name: authzReqVarName
   });
   if(authorizationRequest) {
+    authorizationRequest = _normalizeAuthorizationRequest({
+      authorizationRequest, exchange, clientProfile
+    });
     return {authorizationRequest, exchangeChanged: false};
   }
 
@@ -308,7 +356,9 @@ async function _getOrCreateStepAuthorizationRequest({
     clientProfile, clientProfileId,
     verifiablePresentationRequest
   });
-  authorizationRequest = result.authorizationRequest;
+  authorizationRequest = _normalizeAuthorizationRequest({
+    authorizationRequest: result.authorizationRequest, exchange, clientProfile
+  });
 
   // merge any newly created exchange secrets
   exchange.secrets = {
@@ -335,6 +385,55 @@ async function _getOrCreateStepAuthorizationRequest({
   return {authorizationRequest, exchangeChanged: true};
 }
 
+function _normalizeAuthorizationRequest({
+  authorizationRequest, exchange, clientProfile
+}) {
+  const {
+    client_id, client_id_scheme, request_uri_method, state
+  } = authorizationRequest;
+  authorizationRequest = {...authorizationRequest};
+
+  // get any explicit version to be used with client profile
+  const {version} = _getProtocolUrlParameters({clientProfile});
+
+  // if `version` is OID4VP draft 18, remove any `client_id_scheme` prefix
+  // from the `client_id`; otherwise add it
+  if(version === 'OID4VP-draft18') {
+    authorizationRequest.client_id = removeClientIdPrefix({
+      clientId: client_id
+    });
+    return authorizationRequest;
+  }
+
+  // version is OID4VP 1.0+ or that + compatibility w/Draft18...
+  if(client_id_scheme && client_id && !client_id.startsWith(client_id_scheme)) {
+    // note: for `redirect_uri` `client_id_scheme`, it is ok to always include
+    // `redirect_uri:` prefix in the client ID, even for versions that support
+    // Draft 18 compatibility along with other versions, as the client ID
+    // should be treated as opaque when using `response_mode=direct*` and
+    // omitting the `redirect_uri` parameter; which is the only supported
+    // configuration in this implementation for Draft 18 clients
+    authorizationRequest.client_id = `${client_id_scheme}:${client_id}`;
+  }
+
+  // OID4VP 1.0+ requires `state` to be included for authz requests that do
+  // not require "holder binding", but always including it does not cause any
+  // known issues, so just include `state` using `referenceId` (if set) or
+  // `localExchangeId`
+  if(!state && oid4vp.authzRequest.usesClientIdScheme({
+    authorizationRequest, scheme: 'redirect_uri'
+  })) {
+    authorizationRequest.state = exchange.referenceId ?? exchange.id;
+  }
+
+  // default to `request_uri_method=post` in OID4VP 1.0+
+  if(!request_uri_method) {
+    authorizationRequest.request_uri_method = 'post';
+  }
+
+  return authorizationRequest;
+}
+
 function _throwUnsupportedProtocol() {
   throw new BedrockError('OID4VP is not supported by this exchange.', {
     name: 'NotSupportedError',

package/lib/storage/exchanges.js

@@ -568,6 +568,7 @@ function _buildUpdate({exchange}) {
   const update = {
     $inc: {'exchange.sequence': 1},
     $set: {
+      'exchange.referenceId': exchange.referenceId ?? exchange.id,
       'exchange.state': exchange.state,
       'exchange.secrets': exchange.secrets,
       'exchange.variables': exchange.variables,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "7.11.3",
+  "version": "7.13.0",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",
@@ -40,7 +40,7 @@
     "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
     "@digitalbazaar/ezcap": "^4.1.0",
     "@digitalbazaar/http-client": "^4.2.0",
-    "@digitalbazaar/oid4-client": "^5.6.3",
+    "@digitalbazaar/oid4-client": "^5.9.0",
     "@digitalbazaar/vc": "^7.2.0",
     "@digitalbazaar/webkms-client": "^14.2.0",
     "assert-plus": "^1.0.0",

package/schemas/bedrock-vc-workflow.js

@@ -460,10 +460,22 @@ const oid4vpClientProfile = {
     client_id: {type: 'string'},
     client_id_scheme: {type: 'string'},
     client_metadata: {type: 'object'},
+    dcql_query: {type: 'object'},
+    expected_origins: {
+      type: 'array',
+      minItems: 1,
+      items: {
+        type: 'string'
+      }
+    },
     nonce: {type: 'string'},
     presentation_definition: {type: 'object'},
     response_mode: {type: 'string'},
     response_uri: {type: 'string'},
+    response_uri_method: {
+      type: 'string',
+      enum: ['get', 'post']
+    },
     // optional parameters for signing authorization requests
     authorizationRequestSigningParameters: {
       type: 'object',
@@ -490,6 +502,10 @@ const oid4vpClientProfile = {
         },
         scheme: {
           type: 'string'
+        },
+        version: {
+          type: 'string',
+          enum: ['OID4VP-draft18', 'OID4VP-1.0']
         }
       }
     },