@bedrock/vc-delivery 7.13.2 → 7.14.0

package/lib/oid4/oid4vci.js

@@ -2,13 +2,18 @@
  * Copyright (c) 2022-2026 Digital Bazaar, Inc. All rights reserved.
  */
 import * as bedrock from '@bedrock/core';
-import {deepEqual, getWorkflowIssuerInstances} from '../helpers.js';
+import * as draft13 from './oid4vciDraft13.js';
+import {issue as defaultIssue, getIssueRequestsParams} from '../issue.js';
+import {getWorkflowIssuerInstances, setVariable} from '../helpers.js';
 import {importJWK, SignJWT} from 'jose';
+import {timingSafeEqual, randomUUID as uuid} from 'node:crypto';
+import {
+  authorizationDetails as authorizationDetailsSchema
+} from '../../schemas/bedrock-vc-workflow.js';
 import {checkAccessToken} from '@bedrock/oauth2-verifier';
-import {issue as defaultIssue} from '../issue.js';
+import {compile} from '@bedrock/validation';
 import {ExchangeProcessor} from '../ExchangeProcessor.js';
 import {getStepAuthorizationRequest} from './oid4vp.js';
-import {timingSafeEqual} from 'node:crypto';
 import {verifyDidProofJwt} from '../verify.js';
 
 const {util: {BedrockError}} = bedrock;
@@ -16,6 +21,17 @@ const {util: {BedrockError}} = bedrock;
 const PRE_AUTH_GRANT_TYPE =
   'urn:ietf:params:oauth:grant-type:pre-authorized_code';
 
+const VALIDATORS = {
+  authorizationDetails: null
+};
+
+bedrock.events.on('bedrock.init', () => {
+  // create validators for x-www-form-urlencoded parsed data
+  VALIDATORS.authorizationDetails = compile({
+    schema: authorizationDetailsSchema()
+  });
+});
+
 export async function getAuthorizationServerConfig({req}) {
   // note that technically, we should not need to serve any credential
   // issuer metadata, but we do for backwards compatibility purposes as
@@ -25,14 +41,21 @@ export async function getAuthorizationServerConfig({req}) {
 
 export async function getCredentialIssuerConfig({req}) {
   const {config: workflow} = req.serviceObject;
-  const {exchange} = await req.getExchange();
+  const exchangeRecord = await req.getExchange();
+  const {exchange} = exchangeRecord;
   _assertOID4VCISupported({exchange});
 
+  // use exchange processor get current step of the exchange
+  const exchangeProcessor = new ExchangeProcessor({workflow, exchangeRecord});
+  const step = await exchangeProcessor.getStep();
+
+  // fetch credential configurations for the step
   const credential_configurations_supported =
-    _createCredentialConfigurationsSupported({workflow, exchange});
+    _getSupportedCredentialConfigurations({workflow, exchange, step});
 
   const exchangeId = `${workflow.id}/exchanges/${exchange.id}`;
   return {
+    authorization_details_types_supported: ['openid_credential'],
     batch_credential_endpoint: `${exchangeId}/openid/batch_credential`,
     credential_configurations_supported,
     credential_endpoint: `${exchangeId}/openid/credential`,
@@ -47,7 +70,8 @@ export async function getCredentialIssuerConfig({req}) {
 
 export async function getCredentialOffer({req}) {
   const {config: workflow} = req.serviceObject;
-  const {exchange} = await req.getExchange();
+  const exchangeRecord = await req.getExchange();
+  const {exchange} = exchangeRecord;
   _assertOID4VCISupported({exchange});
 
   // start building OID4VCI credential offer
@@ -61,13 +85,17 @@ export async function getCredentialOffer({req}) {
     }
   };
 
-  const supported = _createCredentialConfigurationsSupported({
-    workflow, exchange
-  });
+  // use exchange processor get current step of the exchange
+  const exchangeProcessor = new ExchangeProcessor({workflow, exchangeRecord});
+  const step = await exchangeProcessor.getStep();
+
+  // fetch credential configurations for the step
+  const credential_configurations_supported =
+    _getSupportedCredentialConfigurations({workflow, exchange, step});
 
   // offer all configuration IDs and support both spec version ID-1 with
-  // `credentials` and draft 14 with `credential_configuration_ids`
-  const configurationIds = Object.keys(supported);
+  // `credentials` and draft 13 with `credential_configuration_ids`
+  const configurationIds = Object.keys(credential_configurations_supported);
   offer.credentials = configurationIds;
   offer.credential_configuration_ids = configurationIds;
 
@@ -111,6 +139,14 @@ export async function initExchange({workflow, exchange} = {}) {
 }
 
 export async function processAccessTokenRequest({req}) {
+  // parse `authorization_details` from request
+  let authorizationDetails;
+  if(req.body.authorization_details) {
+    authorizationDetails = JSON.parse(req.body.authorization_details);
+    _validate(VALIDATORS.authorizationDetails, authorizationDetails);
+  }
+
+  // check exchange
   const exchangeRecord = await req.getExchange();
   const {exchange} = exchangeRecord;
   _assertOID4VCISupported({exchange});
@@ -119,7 +155,8 @@ export async function processAccessTokenRequest({req}) {
   pre-authz code:
   grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code
   &pre-authorized_code=SplxlOBeZQQYbYS6WxSbIA
-  &user_pin=493536
+  &tx_code=493536
+  &authorization_details=<URI-component-encoded JSON array>
 
   authz code:
   grant_type=authorization_code
@@ -131,9 +168,7 @@ export async function processAccessTokenRequest({req}) {
 
   const {
     grant_type: grantType,
-    'pre-authorized_code': preAuthorizedCode,
-    // FIXME: `user_pin` now called `tx_code`
-    //user_pin: userPin
+    'pre-authorized_code': preAuthorizedCode
   } = req.body;
 
   if(grantType !== PRE_AUTH_GRANT_TYPE) {
@@ -154,15 +189,132 @@ export async function processAccessTokenRequest({req}) {
     }
   }
 
+  // if authorization details provided in request, generate the set of
+  // requested credential configuration IDs
+  let requestedIds;
+  if(authorizationDetails) {
+    // populate token authorization details by matching each requested
+    // credential configuration ID with its credential IDs
+    requestedIds = new Set(authorizationDetails.map(
+      detail => detail.credential_configuration_id));
+  }
+
+  // process exchange to generate supported credential requests
+  let supportedCredentialRequestsStored;
+  let supportedCredentialRequests;
+  const exchangeProcessor = new ExchangeProcessor({
+    workflow, exchangeRecord,
+    async prepareStep({exchange, step}) {
+      // do not generate any VPR yet
+      step.verifiablePresentationRequest = undefined;
+
+      // if not generated, generate supported credential requests and store
+      // in step results
+      const stepResults = exchange.variables.results[exchange.step];
+      supportedCredentialRequests = stepResults
+        ?.openId?.supportedCredentialRequests;
+      if(supportedCredentialRequests) {
+        supportedCredentialRequestsStored = true;
+      } else {
+        // get all possible supported credential requests
+        supportedCredentialRequests = _createSupportedCredentialRequests({
+          workflow, exchange, step
+        });
+
+        // if specific credential configuration IDs were requested, filter
+        // the supported requests by that list, limiting them to what the
+        // client is interested in, thereby disallowing any others in this
+        // exchange and establishing completion conditions for it
+        if(requestedIds) {
+          supportedCredentialRequests = supportedCredentialRequests
+            .filter(r => requestedIds.has(r.credentialConfigurationId));
+
+          // throw an error if *none* of the requested IDs are available
+          if(supportedCredentialRequests.length === 0) {
+            throw new BedrockError(
+              'None of the requested credential(s) are available.', {
+                name: 'NotAllowedError',
+                details: {httpStatusCode: 403, public: true}
+              });
+          }
+        }
+
+        // store supported requests
+        exchange.variables.results[exchange.step] = {
+          ...exchange.variables.results[exchange.step],
+          openId: {
+            ...exchange.variables.results[exchange.step]?.openId,
+            supportedCredentialRequests
+          }
+        };
+      }
+    },
+    inputRequired({step}) {
+      // if the supported credential requests haven't been stored in the
+      // step result yet, then input is not required but issuance needs to
+      // be disabled to allow them to be stored and then the step reprocessed
+      if(!supportedCredentialRequestsStored) {
+        step.issueRequests = [];
+        step.verifiablePresentation = undefined;
+        return false;
+      }
+      // requests stored and input is now required via credential endpoint
+      return true;
+    },
+    isStepComplete() {
+      // getting an access token never completes the step
+      return false;
+    }
+  });
+  await exchangeProcessor.process();
+
+  // process `authorizationDetails` request, if any, to create token
+  // authorization details
+  let tokenAuthorizationDetails;
+  if(authorizationDetails) {
+    // create map of unprocessed credential configuration ID => credential IDs
+    const idMap = new Map();
+    for(const request of supportedCredentialRequests) {
+      if(!supportedCredentialRequests.processed) {
+        let credentialIds = idMap.get(request.credentialConfigurationId);
+        if(!credentialIds) {
+          credentialIds = [];
+          idMap.set(request.credentialConfigurationId, credentialIds);
+        }
+        credentialIds.push(request.credentialIdentifier);
+      }
+    }
+
+    // populate token authorization details by matching each requested
+    // credential configuration ID with its credential IDs
+    tokenAuthorizationDetails = [];
+    for(const credentialConfigurationId of requestedIds) {
+      const credentialIds = idMap.get(credentialConfigurationId);
+      if(credentialIds) {
+        tokenAuthorizationDetails.push({
+          type: 'openid_credential',
+          credential_configuration_id: credentialConfigurationId,
+          credential_identifiers: credentialIds
+        });
+      }
+    }
+  }
+
   // create access token
   const {accessToken, ttl} = await _createExchangeAccessToken({
     workflow, exchangeRecord
   });
-  return {
+
+  // return token info
+  const tokenInfo = {
     access_token: accessToken,
     token_type: 'bearer',
     expires_in: ttl
   };
+  if(tokenAuthorizationDetails) {
+    tokenInfo.authorization_details = tokenAuthorizationDetails;
+  }
+  return tokenInfo;
 }
 
 export async function processCredentialRequests({req, res, isBatchRequest}) {
@@ -174,62 +326,231 @@ export async function processCredentialRequests({req, res, isBatchRequest}) {
   // ensure oauth2 access token is valid
   await _checkAuthz({req, workflow, exchange});
 
-  return _processExchange({req, res, workflow, exchangeRecord, isBatchRequest});
-}
+  // process exchange and capture values to return
+  let didProofRequired = false;
+  let format;
+  let issueResult;
+  let matchingCredentialIdentifiers;
+  let supportedCredentialRequests;
+  const exchangeProcessor = new ExchangeProcessor({
+    workflow, exchangeRecord,
+    async prepareStep({exchange, step}) {
+      // get `supportedCredentialRequests` from step results
+      supportedCredentialRequests = await _getSupportedCredentialRequests({
+        exchangeProcessor, workflow, exchange, step
+      });
 
-export function supportsOID4VCI({exchange}) {
-  return exchange.openId?.expectedCredentialRequests !== undefined;
-}
+      // if the issue result has been generated, return early and allow
+      // `isInputRequired()` to handle further processing
+      if(issueResult) {
+        return;
+      }
 
-function _assertCredentialRequests({
-  workflow, credentialRequests, expectedCredentialRequests
-}) {
-  // ensure that every credential request is for the same format
-  /* credential requests look like:
-  {
-    format: 'ldp_vc',
-    credential_definition: { '@context': [Array], type: [Array] }
-  }
-  */
-  let sharedFormat;
-  if(!credentialRequests.every(({format}) => {
-    if(sharedFormat === undefined) {
-      sharedFormat = format;
-    }
-    return sharedFormat === format;
-  })) {
-    throw new BedrockError(
-      'Credential requests must all use the same format in this workflow.', {
-        name: 'DataError',
-        details: {httpStatusCode: 400, public: true}
-      });
-  }
+      // fetch credential configurations for the step
+      const supportedCredentialConfigurations =
+        _getSupportedCredentialConfigurations({workflow, exchange, step});
+
+      // get credential requests (only more than one w/`isBatchRequest=true`)
+      let credentialRequests = isBatchRequest ?
+        req.body.credential_requests : [req.body];
+
+      // normalize draft 13 requests
+      if(isBatchRequest || req.body?.format) {
+        credentialRequests = draft13.normalizeCredentialRequestsToVersion1({
+          credentialRequests,
+          supportedCredentialConfigurations
+        });
+        // set `format`
+        const configuration = supportedCredentialConfigurations[
+          credentialRequests[0].credential_configuration_id];
+        ({format} = configuration);
+      }
 
-  // ensure that the shared format is supported by the workflow
-  const supportedFormats = _getSupportedFormats({workflow});
-  if(!supportedFormats.has(sharedFormat)) {
-    throw new BedrockError(
-      `Credential request format "${sharedFormat}" is not supported ` +
-      'by this workflow.', {
-        name: 'DataError',
-        details: {httpStatusCode: 400, public: true}
-      });
-  }
+      // map each credential request to an appropriate supported credential
+      // request; for OID4VCI 1.0+ clients, there will be a single request
+      // with a `credential_identifier`; for draft 13, one or more requests,
+      // each with `credential_configuration_id` set will be present and
+      // these must map to *every* matching supported request
+      const unprocessed = supportedCredentialRequests.filter(r => !r.processed);
+      matchingCredentialIdentifiers = new Set();
+      for(const credentialRequest of credentialRequests) {
+        const {
+          credential_identifier, credential_configuration_id
+        } = credentialRequest;
+
+        // OID4VCI 1.0+ case
+        if(credentialRequest.credential_identifier) {
+          const match = unprocessed.find(
+            r => r.credentialIdentifier === credential_identifier);
+          if(match) {
+            matchingCredentialIdentifiers.add(credential_identifier);
+          }
+          break;
+        }
 
-  // ensure every credential request matches against an expected one and none
-  // are missing; `expectedCredentialRequests` formats are ignored based on the
-  // issuer instance supported formats and have already been checked
-  if(!(credentialRequests.length === expectedCredentialRequests.length &&
-    credentialRequests.every(cr => expectedCredentialRequests.some(
-      expected => _matchCredentialRequest(expected, cr))))) {
-    throw new BedrockError(
-      'Unexpected credential request.', {
-        name: 'DataError',
-        details: {httpStatusCode: 400, public: true}
+        // draft 13 case
+        unprocessed.filter(
+          r => r.credentialConfigurationId === credential_configuration_id)
+          .forEach(
+            r => matchingCredentialIdentifiers.add(r.credentialIdentifier));
+      }
+
+      // handle no match case
+      if(matchingCredentialIdentifiers.size === 0) {
+        throw new BedrockError(
+          'The requested credential(s) have already been delivered.', {
+            name: 'NotAllowedError',
+            details: {httpStatusCode: 403, public: true}
+          });
+      }
+
+      // check to see if step supports OID4VP during OID4VCI
+      if(step.openId) {
+        // Note: either OID4VCI 1.1+ w/IAE (interactive authz endpoint) or
+        // OID4VCI-1.0/draft13+OID4VP will have received VP results which will
+        // be stored with this step; OID4VCI 1.0- does not have IAE so if this
+        // call is made, presume such a client and return an error with the
+        // OID4VP request, OID4VCI 1.1+ clients will know to use IAE instead
+
+        // if there is no verified presentation yet, request one
+        const {results} = exchange.variables;
+        if(!results[exchange.step]?.verifyPresentationResults?.verified) {
+          // note: only the "default" `clientProfileId` is supported at this
+          // time because there isn't presently a defined way to specify
+          // alternatives
+          const clientProfileId = step.openId.clientProfiles ?
+            'default' : undefined;
+          // get authorization request
+          const {authorizationRequest} = await getStepAuthorizationRequest({
+            workflow, exchange, step, clientProfileId
+          });
+          return _requestOID4VP({authorizationRequest, res});
+        }
+        return;
+      }
+
+      // check to see if step requires a DID proof
+      if(step.jwtDidProofRequest) {
+        // handle OID4VCI specialized JWT DID Proof request...
+
+        // `proof` must be in every credential request; if any request is
+        // missing `proof` then request a DID proof
+        if(credentialRequests.some(cr => !cr.proofs?.jwt)) {
+          didProofRequired = true;
+          return _requestDidProof({res, exchangeRecord});
+        }
+
+        // verify every DID proof and get resulting DIDs
+        const results = await Promise.all(
+          credentialRequests.map(async cr => {
+            // FIXME: do not support more than one proof at this time
+            const {proofs: {jwt: [jwt]}} = cr;
+            const {did} = await verifyDidProofJwt({workflow, exchange, jwt});
+            return did;
+          }));
+        // require `did` to be the same for every proof
+        // FIXME: determine if this needs to be more flexible
+        const did = results[0];
+        if(results.some(d => did !== d)) {
+          // FIXME: improve error
+          throw new Error('every DID must be the same');
+        }
+        // store did results in variables associated with current step
+        exchange.variables.results[exchange.step] = {
+          ...exchange.variables.results[exchange.step],
+          // common use case of DID Authentication; provide `did` for ease
+          // of use in templates
+          did
+        };
+      }
+    },
+    inputRequired({exchange, step}) {
+      // if issue result has been generated...
+      if(issueResult) {
+        // reapply any stored credentials in case the exchange was concurrently
+        // updated by another credential request call
+        const {storedCredentials, matchingCredentialIdentifiers} = issueResult;
+        if(issueResult.storedCredentials) {
+          for(const stored of storedCredentials) {
+            setVariable({
+              variables: exchange.variables,
+              name: stored.name,
+              value: stored.value
+            });
+          }
+        }
+        // mark all matching `supportedCredentialRequests` as processed
+        supportedCredentialRequests
+          .filter(r =>
+            matchingCredentialIdentifiers.has(r.credentialIdentifier))
+          .forEach(r => r.processed = true);
+
+        // do not generate any VPR or issue anything else, additional requests
+        // must be made when using OID4VCI
+        step.verifiablePresentationRequest = undefined;
+        step.verifiablePresentation = undefined;
+        step.issueRequests = [];
+
+        // if any supported credential requests has not yet been processed,
+        // then input is required in the form of another credential request
+        return supportedCredentialRequests.some(r => !r.processed);
+      }
+
+      // otherwise, input is required if:
+      // 1. a `jwtDidProofRequest` is required and hasn't been provided
+      // 2. OID4VP is enabled and no OID4VP result has been stored yet
+      return didProofRequired || (step.openId && !exchange.variables
+        .results[exchange.step]?.openId?.authorizationRequest);
+    },
+    async issue({
+      workflow, exchange, step, issueRequestsParams,
+      verifiablePresentation
+    }) {
+      // issue result already generated, skip
+      if(issueResult) {
+        return issueResult;
+      }
+      // filter `supportedCredentialRequests` using matching credential
+      // identifiers and map to only those `issueRequestsParams` that are to
+      // be issued now
+      issueRequestsParams = supportedCredentialRequests
+        .filter(r => matchingCredentialIdentifiers.has(r.credentialIdentifier))
+        .map(r => issueRequestsParams[r.issueRequestsParamsIndex])
+        .filter(p => !!p);
+
+      // perform issuance and capture result to return it to the client and
+      // to prevent subsequent reissuance if a concurrent request is made for
+      // other credentials
+      issueResult = await defaultIssue({
+        workflow, exchange, step, issueRequestsParams,
+        verifiablePresentation, format
       });
+      issueResult.matchingCredentialIdentifiers =
+        matchingCredentialIdentifiers;
+      return issueResult;
+    },
+    isStepComplete() {
+      // step complete if all supported credential requests have been processed
+      return supportedCredentialRequests.every(r => r.processed);
+    }
+  });
+  // always allow retrying with OID4VCI; issued VCs will be stored in memory
+  // and an assumption is made that workflow steps WILL NOT change issue
+  // requests in a step once `supportedCredentialRequests` has been created
+  exchangeProcessor.canRetry = true;
+  await exchangeProcessor.process();
+  // use `issueResult` response
+  const response = issueResult?.response;
+  if(!response?.verifiablePresentation) {
+    return null;
   }
+  return {response, format};
+}
 
-  return {format: sharedFormat};
+export function supportsOID4VCI({exchange}) {
+  // FIXME: might want something more explicit/or check in `workflow` and not
+  // exchange
+  return exchange.openId?.preAuthorizedCode !== undefined;
 }
 
 function _assertOID4VCISupported({exchange}) {
@@ -281,6 +602,39 @@ async function _createExchangeAccessToken({workflow, exchangeRecord}) {
   return {accessToken, ttl};
 }
 
+function _createSupportedCredentialRequests({
+  workflow, exchange, step
+}) {
+  let supportedCredentialRequests;
+
+  const issueRequestsParams = getIssueRequestsParams({
+    workflow, exchange, step
+  });
+
+  // determine if issue request params is legacy or modern
+  const isDraft13 = issueRequestsParams.some(
+    p => !p?.oid4vci?.credentialConfigurationId);
+  if(isDraft13) {
+    supportedCredentialRequests =
+      draft13.createSupportedCredentialRequests({
+        workflow, exchange, issueRequestsParams
+      });
+  } else {
+    supportedCredentialRequests = [];
+    for(const [index, params] of issueRequestsParams.entries()) {
+      const {credentialConfigurationId} = params.oid4vci;
+      supportedCredentialRequests.push({
+        credentialConfigurationId,
+        credentialIdentifier: uuid(),
+        issueRequestsParamsIndex: index,
+        processed: false
+      });
+    }
+  }
+
+  return supportedCredentialRequests;
+}
+
 async function _createOAuth2AccessToken({
   privateKeyJwk, audience, action, target, exp, iss, nbf, typ = 'at+jwt'
 }) {
@@ -307,68 +661,6 @@ async function _createOAuth2AccessToken({
   return {accessToken, ttl};
 }
 
-function _createCredentialConfigurationId({format, credential_definition}) {
-  let types = (credential_definition.type ?? credential_definition.types);
-  if(types.length > 1) {
-    types = types.filter(t => t !== 'VerifiableCredential');
-  }
-  return types.join('_') + '_' + format;
-}
-
-function _createCredentialConfigurations({
-  credentialRequest, supportedFormats
-}) {
-  const configurations = [];
-
-  let {format: formats = supportedFormats} = credentialRequest;
-  if(!Array.isArray(formats)) {
-    formats = [formats];
-  }
-
-  for(const format of formats) {
-    const {credential_definition} = credentialRequest;
-    const id = _createCredentialConfigurationId({
-      format, credential_definition
-    });
-    const configuration = {format, credential_definition};
-    // FIXME: if `jwtDidProofRequest` exists in (any) step in the exchange,
-    // then must include:
-    /*
-    "proof_types_supported": {
-      "jwt": {
-        "proof_signing_alg_values_supported": [
-          "ES256"
-        ]
-      }
-    }
-    */
-    configurations.push({id, configuration});
-  }
-
-  return configurations;
-}
-
-function _createCredentialConfigurationsSupported({workflow, exchange}) {
-  // build `credential_configurations_supported`...
-  const {openId: {expectedCredentialRequests}} = exchange;
-  const supportedFormats = [..._getSupportedFormats({workflow})];
-
-  // for every expected credential definition, set `format` default to
-  // `supportedFormats` and for every format, generate a new supported
-  // credential configuration
-  const credential_configurations_supported = {};
-  for(const credentialRequest of expectedCredentialRequests) {
-    const configurations = _createCredentialConfigurations({
-      credentialRequest, supportedFormats
-    });
-    for(const {id, configuration} of configurations) {
-      credential_configurations_supported[id] = configuration;
-    }
-  }
-
-  return credential_configurations_supported;
-}
-
 function _getAlgFromPrivateKey({privateKeyJwk}) {
   if(privateKeyJwk.alg) {
     return privateKeyJwk.alg;
@@ -390,162 +682,68 @@ function _getAlgFromPrivateKey({privateKeyJwk}) {
   return 'invalid';
 }
 
-function _getSupportedFormats({workflow}) {
-  // get all supported formats from available issuer instances; for simple
-  // workflow configs, a single issuer instance is used
-  const supportedFormats = new Set();
-  const issuerInstances = getWorkflowIssuerInstances({workflow});
-  issuerInstances.forEach(
-    instance => instance.supportedFormats.forEach(
-      supportedFormats.add, supportedFormats));
-  return supportedFormats;
-}
+function _getSupportedCredentialConfigurations({workflow, exchange, step}) {
+  // get all OID4VCI credential configuration IDs from issue requests in step
+  const issueRequestsParams = getIssueRequestsParams({
+    workflow, exchange, step
+  });
+  const credentialConfigurationIds = new Set([
+    ...issueRequestsParams
+      .map(p => p?.oid4vci?.credentialConfigurationId)
+      .filter(id => id !== undefined)
+  ]);
 
-function _matchCredentialRequest(expected, cr) {
-  const {credential_definition: {'@context': c1, type: t1}} = expected;
-  const {credential_definition: {'@context': c2, type: t2}} = cr;
-  // contexts must match exactly but types can have different order
-  return (c1.length === c2.length && t1.length === t2.length &&
-    deepEqual(c1, c2) && t1.every(t => t2.some(x => t === x)));
-}
+  // get all issuer instances for the workflow
+  const issuerInstances = getWorkflowIssuerInstances({workflow});
 
-function _normalizeCredentialDefinitionTypes({credentialRequests}) {
-  // normalize credential requests to use `type` instead of `types`
-  for(const cr of credentialRequests) {
-    if(cr?.credential_definition?.types) {
-      if(!cr?.credential_definition?.type) {
-        cr.credential_definition.type = cr.credential_definition.types;
+  // in modern workflows, credential configuration IDs are explicitly provided
+  if(credentialConfigurationIds.size > 0) {
+    // map each ID to a credential configuration in an issuer instance
+    const supported = new Map();
+    for(const id of credentialConfigurationIds) {
+      const match = issuerInstances.find(
+        ii => ii.oid4vci?.supportedCredentialConfigurations?.[id]);
+      if(match) {
+        supported.set(id, match.oid4vci.supportedCredentialConfigurations[id]);
       }
-      delete cr.credential_definition.types;
     }
+    return Object.fromEntries(supported.entries());
   }
+
+  // no explicit IDs; create legacy supported credential configurations
+  return draft13.createSupportedCredentialConfigurations({
+    exchange, issuerInstances
+  });
 }
 
-async function _processExchange({
-  req, res, workflow, exchangeRecord, isBatchRequest
+async function _getSupportedCredentialRequests({
+  exchangeProcessor, workflow, exchange, step
 }) {
-  // process exchange and capture values to return
-  let format;
-  let didProofRequired = false;
-  const exchangeProcessor = new ExchangeProcessor({
-    workflow, exchangeRecord,
-    async prepareStep({exchange, step}) {
-      // FIXME: handle OID4VCI 1.0+ credential request
-
-      // FIXME: OID4VCI Draft 13:
-      // validate body against expected credential requests
-      const {openId: {expectedCredentialRequests}} = exchange;
-      let credentialRequests;
-      if(isBatchRequest) {
-        ({credential_requests: credentialRequests} = req.body);
-      } else {
-        if(expectedCredentialRequests.length > 1) {
-          // FIXME: batch endpoint has been removed in OID4VCI 1.0+; if used,
-          // then it is for a legacy OID4VCI draft 13 request, so this should
-          // be reworked
-          throw new Error('batch_credential_endpoint must be used');
-        }
-        credentialRequests = [req.body];
-      }
-
-      // before asserting, normalize credential requests to use `type` instead
-      // of `types`; this is to allow for OID4VCI draft implementers that
-      // followed the non-normative examples
-      _normalizeCredentialDefinitionTypes({credentialRequests});
-      ({format} = _assertCredentialRequests({
-        workflow, credentialRequests, expectedCredentialRequests
-      }));
-
-      const {jwtDidProofRequest} = step;
-
-      // check to see if step supports OID4VP during OID4VCI
-      if(step.openId) {
-        // FIXME: either OID4VCI 1.1+ w/IAE (interactive authz endpoint) or
-        // OID4VCI-1.0/draft13+OID4VP will have received VP results which will
-        // be stored with this step; OID4VCI 1.0- does not have IAE so if this
-        // call is made, presume such a client and return an error with the
-        // OID4VP request, OID4VCI 1.1+ clients will know to use IAE instead
-
-        // if there is no verified presentation yet, request one
-        const {results} = exchange.variables;
-        if(!results[exchange.step]?.verifyPresentationResults?.verified) {
-          // note: only the "default" `clientProfileId` is supported at this
-          // time because there isn't presently a defined way to specify
-          // alternatives
-          const clientProfileId = step.openId.clientProfiles ?
-            'default' : undefined;
-          // get authorization request
-          const {authorizationRequest} = await getStepAuthorizationRequest({
-            workflow, exchange, step, clientProfileId
-          });
-          return _requestOID4VP({authorizationRequest, res});
-        }
-        // otherwise drop down below to complete exchange...
-      } else if(jwtDidProofRequest) {
-        // handle OID4VCI specialized JWT DID Proof request...
-
-        // `proof` must be in every credential request; if any request is
-        // missing `proof` then request a DID proof
-        if(credentialRequests.some(cr => !cr.proof?.jwt)) {
-          didProofRequired = true;
-          return _requestDidProof({res, exchangeRecord});
-        }
-
-        // verify every DID proof and get resulting DIDs
-        const results = await Promise.all(
-          credentialRequests.map(async cr => {
-            const {proof: {jwt}} = cr;
-            const {did} = await verifyDidProofJwt({workflow, exchange, jwt});
-            return did;
-          }));
-        // require `did` to be the same for every proof
-        // FIXME: determine if this needs to be more flexible
-        const did = results[0];
-        if(results.some(d => did !== d)) {
-          // FIXME: improve error
-          throw new Error('every DID must be the same');
-        }
-        // store did results in variables associated with current step
-        exchange.variables.results[exchange.step] = {
-          ...exchange.variables.results[exchange.step],
-          // common use case of DID Authentication; provide `did` for ease
-          // of use in templates
-          did
-        };
-      }
-    },
-    inputRequired({exchange, step}) {
-      // input is required if:
-      // 1. a `jwtDidProofRequest` is required and hasn't been provided
-      // 2. OID4VP is enabled and no OID4VP result has been stored yet
-      return didProofRequired || (step.openId && !exchange.variables
-        .results[exchange.step]?.openId?.authorizationRequest);
-    },
-    issue({
-      workflow, exchange, step, issueRequestsParams,
-      verifiablePresentation
-    }) {
-      return defaultIssue({
-        workflow, exchange, step, issueRequestsParams,
-        verifiablePresentation, format
-      });
-    },
-    isStepComplete({exchange}) {
-      // FIXME: check step's current `openId` results to see which issue
-      // requests have been processed; if any still exist, then the step is not
-      // yet complete
-      const {results} = exchange.variables;
-      if(!results[exchange.step]?.openId) {
-        // FIXME: implement
+  // get `supportedCredentialRequests` from step results
+  const stepResults = exchange.variables.results[exchange.step];
+  let supportedCredentialRequests = stepResults
+    ?.openId?.supportedCredentialRequests;
+
+  // if `supportedCredentialRequests` is not set, create it; this can only
+  // happen in the degenerate case that an older version of the software
+  // provided the access token to the client
+  if(!supportedCredentialRequests) {
+    supportedCredentialRequests = _createSupportedCredentialRequests({
+      workflow, exchange, step
+    });
+    exchange.variables.results[exchange.step] = {
+      ...exchange.variables.results[exchange.step],
+      openId: {
+        ...exchange.variables.results[exchange.step]?.openId,
+        supportedCredentialRequests
       }
-      return true;
-    }
-  });
-  const response = await exchangeProcessor.process();
-  if(!response.verifiablePresentation) {
-    return null;
+    };
+    // explicitly update exchange to ensure `supportedCredentialRequests`
+    // are committed
+    await exchangeProcessor.updateExchange({step});
   }
-  return {response, format};
+
+  return supportedCredentialRequests;
 }
 
 async function _requestDidProof({res, exchangeRecord}) {
@@ -623,3 +821,10 @@ function _sendOID4Error({res, error, description, status = 400, ...rest}) {
     ...rest
   });
 }
+
+function _validate(validator, data) {
+  const result = validator(data);
+  if(!result.valid) {
+    throw result.error;
+  }
+}