@bedrock/vc-delivery 7.12.0 → 7.13.0

package/lib/ExchangeProcessor.js

@@ -479,7 +479,6 @@ export class ExchangeProcessor {
 
 async function _getStep({workflow, exchange}) {
   const currentStep = exchange.step;
-
   if(!currentStep) {
     // return default empty step and set dummy stepname for exchange
     exchange.step = 'initial';
@@ -562,6 +561,7 @@ function _isInitialStep({workflow, exchange}) {
 
 async function _updateExchange({workflow, exchange, meta, step}) {
   try {
+    exchange.referenceId = globalThis.crypto.randomUUID();
     exchange.sequence++;
     if(exchange.state === 'complete') {
       await exchanges.complete({workflowId: workflow.id, exchange});

package/lib/helpers.js

@@ -115,7 +115,7 @@ export async function evaluateTemplate({
 export async function evaluateExchangeStep({
   workflow, exchange, stepName = exchange.step
 }) {
-  let step = workflow.steps[stepName];
+  let step = workflow.steps[stepName] ?? {};
   if(step.stepTemplate) {
     step = await evaluateTemplate({
       workflow, exchange, typedTemplate: step.stepTemplate
@@ -349,12 +349,6 @@ export function stripStacktrace(error) {
 
 export async function validateStep({step} = {}) {
   // FIXME: use `ajv` and do JSON schema check
-  if(Object.keys(step).length === 0) {
-    throw new BedrockError('Empty exchange step detected.', {
-      name: 'DataError',
-      details: {httpStatusCode: 500, public: true}
-    });
-  }
   if(step.issueRequests !== undefined && !Array.isArray(step.issueRequests)) {
     throw new BedrockError(
       'Invalid "issueRequests" in step.', {

package/lib/oid4/authorizationRequest.js

@@ -16,6 +16,10 @@ const ENCRYPTED_RESPONSE_MODES = new Set([
   'direct_post.jwt', 'dc_api.jwt', 'dc_api'
 ]);
 const OID4VP_JWT_TYP = 'oauth-authz-req+jwt';
+const SUPPORTED_CLIENT_ID_SCHEMES = new Set([
+  'redirect_uri', 'x509_san_dns', 'x509_hash', 'decentralized_identifier'
+]);
+
 const TEXT_ENCODER = new TextEncoder();
 
 export async function create({
@@ -30,11 +34,14 @@ export async function create({
 
   // get params from step OID4VP client profile to apply to the AR
   const {
-    client_id, client_id_scheme,
+    client_id,
+    client_id_scheme,
     dcql_query,
+    expected_origins,
     nonce,
     presentation_definition,
-    response_mode, response_uri
+    response_mode,
+    response_uri
   } = clientProfile;
   const clientBaseUrl = getClientBaseUrl({workflow, exchange, clientProfileId});
 
@@ -57,10 +64,13 @@ export async function create({
     `${clientBaseUrl}/authorization/response`;
 
   // client_id (defaults to `response_uri`)
-  // FIXME: newer versions of OID4VP require a prefix of `redirect_uri:` for
-  // the default case -- which is incompatible with some draft versions
-  authorizationRequest.client_id = client_id ??
-    authorizationRequest.response_uri;
+  if(client_id) {
+    authorizationRequest.client_id = client_id;
+  } else if(authorizationRequest.client_id_scheme === 'redirect_uri') {
+    // use prefix; this is compatible with both draft 18 and 1.0+
+    authorizationRequest.client_id =
+      `redirect_uri:${authorizationRequest.response_uri}`;
+  }
 
   // `x509_san_dns` requires the `direct_post.jwt` response mode when using
   // `direct_post`
@@ -71,6 +81,10 @@ export async function create({
     authorizationRequest.response_mode += '.jwt';
   }
 
+  // expected origins; safe to always include
+  authorizationRequest.expected_origins = expected_origins ??
+    [new URL(authorizationRequest.response_uri).origin];
+
   // nonce
   if(nonce) {
     authorizationRequest.nonce = nonce;
@@ -117,6 +131,16 @@ export async function encode({
   return jwt;
 }
 
+export function removeClientIdPrefix({clientId} = {}) {
+  for(const idScheme of SUPPORTED_CLIENT_ID_SCHEMES) {
+    const prefix = `${idScheme}:`;
+    if(clientId.startsWith(prefix)) {
+      return clientId.slice(prefix.length);
+    }
+  }
+  return clientId;
+}
+
 async function _createClientMetaData({
   authorizationRequest, clientProfile
 } = {}) {
@@ -247,9 +271,7 @@ async function _createJwt({workflow, clientProfile, authorizationRequest}) {
     const kid = keyDescription.id;
 
     // create the JWT payload and header to be signed
-    const payload = {
-      ...authorizationRequest
-    };
+    const payload = {...authorizationRequest};
     const protectedHeader = {typ: OID4VP_JWT_TYP, alg: 'ES256', kid, x5c};
 
     // create the JWT

package/lib/oid4/http.js

@@ -328,21 +328,37 @@ export async function createRoutes({
     }));
 
   // an OID4VP verifier endpoint
-  // serves the authorization request, including presentation definition
+  // serves the authorization request
   // associated with the current step in the exchange
+  app.options(routes.authorizationRequest, cors());
   app.get(
     routes.authorizationRequest,
     cors(),
     getConfigMiddleware,
     getExchange,
     asyncHandler(_handleOid4vpAuthzRequest));
+  // same as above but allows wallet to submit metadata
+  app.post(
+    routes.authorizationRequest,
+    cors(),
+    getConfigMiddleware,
+    getExchange,
+    asyncHandler(_handleOid4vpAuthzRequest));
   // same as above but handling is based on specific client profile
+  app.options(routes.profiledAuthorizationRequest, cors());
   app.get(
     routes.profiledAuthorizationRequest,
     cors(),
     getConfigMiddleware,
     getExchange,
     asyncHandler(_handleOid4vpAuthzRequest));
+  // same as above but allows wallet to submit metadata
+  app.post(
+    routes.profiledAuthorizationRequest,
+    cors(),
+    getConfigMiddleware,
+    getExchange,
+    asyncHandler(_handleOid4vpAuthzRequest));
 
   // an OID4VP verifier endpoint
   // receives an authorization response with vp_token
@@ -375,13 +391,16 @@ async function _handleOid4vpAuthzRequest(req, res) {
   const {clientProfileId} = req.params;
   let result;
   try {
+    // FIXME: consider passing `body` to modulate authz request that is
+    // returned in response; presently any wallet metadata is ignored
     const {
       authorizationRequest,
       clientProfile
     } = await oid4vp.getAuthorizationRequest({req, clientProfileId});
     const {config: workflow} = req.serviceObject;
     result = await oid4vp.encodeAuthorizationRequest({
-      workflow, clientProfile, authorizationRequest
+      workflow, clientProfile, authorizationRequest,
+      requestMethod: req.method.toLowerCase()
     });
     res.set('content-type', 'application/oauth-authz-req+jwt');
   } catch(error) {

package/lib/oid4/oid4vp.js

@@ -2,13 +2,16 @@
  * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
+import {
+  create as createAuthorizationRequest,
+  removeClientIdPrefix
+} from './authorizationRequest.js';
 import {
   evaluateExchangeStep,
   resolveVariableName,
   setVariable
 } from '../helpers.js';
 import {getClientBaseUrl, getClientProfile} from './clientProfiles.js';
-import {create as createAuthorizationRequest} from './authorizationRequest.js';
 import {verify as defaultVerify} from '../verify.js';
 import {ExchangeProcessor} from '../ExchangeProcessor.js';
 import {oid4vp} from '@digitalbazaar/oid4-client';
@@ -92,27 +95,26 @@ export async function getOID4VPProtocols({workflow, exchange, step}) {
   // profile name
   const protocols = {};
   for(const [clientProfileId, clientProfile] of clientProfiles) {
-    // currently, only changing `name` and `scheme` are supported
-    const {
-      protocolUrlParameters: {
-        name = 'OID4VP',
-        scheme = 'openid4vp'
-      } = {}
-    } = clientProfile;
+    // get supported protocol URL parameters
+    const {name, scheme, version} = _getProtocolUrlParameters({clientProfile});
 
     // generate default OID4VP protocol URL
     const clientBaseUrl = getClientBaseUrl({
       workflow, exchange, clientProfileId
     });
     const {
-      authorizationRequest: {client_id}
+      authorizationRequest
     } = await _getOrCreateStepAuthorizationRequest({
       workflow, exchange, clientProfileId, clientProfile, step
     });
+    const {client_id, request_uri_method} = authorizationRequest;
     const searchParams = new URLSearchParams({
       client_id,
       request_uri: `${clientBaseUrl}/authorization/request`
     });
+    if(request_uri_method && version !== 'OID4VP-draft18') {
+      searchParams.set('request_uri_method', request_uri_method);
+    }
     protocols[name] = `${scheme}://?${searchParams}`;
   }
   return protocols;
@@ -191,8 +193,6 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
       verifyPresentationOptions.challenge = authorizationRequest.nonce;
       verifyPresentationOptions.domain = authorizationRequest.response_uri;
 
-      // FIXME: OID4VP 1.0+ does not have a presentation submission
-      // handle mDL submission
       const {envelope} = parseResponseResult;
       if(envelope?.mediaType === 'application/mdl-vp-token') {
         // generate `handover` for mDL verification
@@ -205,8 +205,7 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
 
         // `direct_post.jwt` => ISO18013-7 Annex B
         // FIXME: same response mode is also used for OID4VP 1.0 with
-        // `OpenID4VPHandover` where `presentationSubmission` will be absent;
-        // this is not yet supported
+        // `OpenID4VPHandover` for non-Annex-B; this is not yet supported
         // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-invocation-via-redirects
         const {responseMode} = parseResponseResult;
         if(responseMode === 'direct_post.jwt') {
@@ -270,8 +269,6 @@ export async function processAuthorizationResponse({req, clientProfileId}) {
           presentationSubmission
         }
       };
-      // FIXME: do w/o `parseResponseResult.envelope` to eliminate envelope
-      // parsing (let verifier do it)
       if(parseResponseResult.envelope) {
         // include enveloped VP in step result
         exchange.variables.results[exchange.step]
@@ -296,6 +293,21 @@ export async function supportsOID4VP({workflow, exchange, step}) {
   return step.openId !== undefined;
 }
 
+function _getProtocolUrlParameters({clientProfile}) {
+  const protocolUrlParameters = {
+    name: 'OID4VP',
+    scheme: 'openid4vp',
+    version: undefined,
+    ...clientProfile.protocolUrlParameters
+  };
+  if(protocolUrlParameters.version === undefined) {
+    protocolUrlParameters.version =
+      protocolUrlParameters.scheme === 'mdoc-openid4vp' ?
+        'OID4VP-draft18' : 'OID4VP-1.0';
+  }
+  return protocolUrlParameters;
+}
+
 async function _getOrCreateStepAuthorizationRequest({
   workflow, exchange, clientProfileId, clientProfile, step
 }) {
@@ -304,6 +316,9 @@ async function _getOrCreateStepAuthorizationRequest({
   // get authorization request
   authorizationRequest = clientProfile.authorizationRequest;
   if(authorizationRequest) {
+    authorizationRequest = _normalizeAuthorizationRequest({
+      authorizationRequest, exchange, clientProfile
+    });
     return {authorizationRequest, exchangeChanged: false};
   }
 
@@ -328,6 +343,9 @@ async function _getOrCreateStepAuthorizationRequest({
     variables: exchange.variables, name: authzReqVarName
   });
   if(authorizationRequest) {
+    authorizationRequest = _normalizeAuthorizationRequest({
+      authorizationRequest, exchange, clientProfile
+    });
     return {authorizationRequest, exchangeChanged: false};
   }
 
@@ -338,7 +356,9 @@ async function _getOrCreateStepAuthorizationRequest({
     clientProfile, clientProfileId,
     verifiablePresentationRequest
   });
-  authorizationRequest = result.authorizationRequest;
+  authorizationRequest = _normalizeAuthorizationRequest({
+    authorizationRequest: result.authorizationRequest, exchange, clientProfile
+  });
 
   // merge any newly created exchange secrets
   exchange.secrets = {
@@ -365,6 +385,55 @@ async function _getOrCreateStepAuthorizationRequest({
   return {authorizationRequest, exchangeChanged: true};
 }
 
+function _normalizeAuthorizationRequest({
+  authorizationRequest, exchange, clientProfile
+}) {
+  const {
+    client_id, client_id_scheme, request_uri_method, state
+  } = authorizationRequest;
+  authorizationRequest = {...authorizationRequest};
+
+  // get any explicit version to be used with client profile
+  const {version} = _getProtocolUrlParameters({clientProfile});
+
+  // if `version` is OID4VP draft 18, remove any `client_id_scheme` prefix
+  // from the `client_id`; otherwise add it
+  if(version === 'OID4VP-draft18') {
+    authorizationRequest.client_id = removeClientIdPrefix({
+      clientId: client_id
+    });
+    return authorizationRequest;
+  }
+
+  // version is OID4VP 1.0+ or that + compatibility w/Draft18...
+  if(client_id_scheme && client_id && !client_id.startsWith(client_id_scheme)) {
+    // note: for `redirect_uri` `client_id_scheme`, it is ok to always include
+    // `redirect_uri:` prefix in the client ID, even for versions that support
+    // Draft 18 compatibility along with other versions, as the client ID
+    // should be treated as opaque when using `response_mode=direct*` and
+    // omitting the `redirect_uri` parameter; which is the only supported
+    // configuration in this implementation for Draft 18 clients
+    authorizationRequest.client_id = `${client_id_scheme}:${client_id}`;
+  }
+
+  // OID4VP 1.0+ requires `state` to be included for authz requests that do
+  // not require "holder binding", but always including it does not cause any
+  // known issues, so just include `state` using `referenceId` (if set) or
+  // `localExchangeId`
+  if(!state && oid4vp.authzRequest.usesClientIdScheme({
+    authorizationRequest, scheme: 'redirect_uri'
+  })) {
+    authorizationRequest.state = exchange.referenceId ?? exchange.id;
+  }
+
+  // default to `request_uri_method=post` in OID4VP 1.0+
+  if(!request_uri_method) {
+    authorizationRequest.request_uri_method = 'post';
+  }
+
+  return authorizationRequest;
+}
+
 function _throwUnsupportedProtocol() {
   throw new BedrockError('OID4VP is not supported by this exchange.', {
     name: 'NotSupportedError',

package/lib/storage/exchanges.js

@@ -568,6 +568,7 @@ function _buildUpdate({exchange}) {
   const update = {
     $inc: {'exchange.sequence': 1},
     $set: {
+      'exchange.referenceId': exchange.referenceId ?? exchange.id,
       'exchange.state': exchange.state,
       'exchange.secrets': exchange.secrets,
       'exchange.variables': exchange.variables,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrock/vc-delivery",
-  "version": "7.12.0",
+  "version": "7.13.0",
   "type": "module",
   "description": "Bedrock Verifiable Credential Delivery",
   "main": "./lib/index.js",
@@ -40,7 +40,7 @@
     "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
     "@digitalbazaar/ezcap": "^4.1.0",
     "@digitalbazaar/http-client": "^4.2.0",
-    "@digitalbazaar/oid4-client": "^5.8.0",
+    "@digitalbazaar/oid4-client": "^5.9.0",
     "@digitalbazaar/vc": "^7.2.0",
     "@digitalbazaar/webkms-client": "^14.2.0",
     "assert-plus": "^1.0.0",

package/schemas/bedrock-vc-workflow.js

@@ -472,6 +472,10 @@ const oid4vpClientProfile = {
     presentation_definition: {type: 'object'},
     response_mode: {type: 'string'},
     response_uri: {type: 'string'},
+    response_uri_method: {
+      type: 'string',
+      enum: ['get', 'post']
+    },
     // optional parameters for signing authorization requests
     authorizationRequestSigningParameters: {
       type: 'object',
@@ -498,6 +502,10 @@ const oid4vpClientProfile = {
         },
         scheme: {
           type: 'string'
+        },
+        version: {
+          type: 'string',
+          enum: ['OID4VP-draft18', 'OID4VP-1.0']
         }
       }
     },