@credo-ts/openid4vc 0.6.0-pr-2195-20250322195244 → 0.6.0-pr-2324-20250625125220
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/openid4vc-holder/OpenId4VcHolderApi.d.ts +10 -6
- package/build/openid4vc-holder/OpenId4VcHolderApi.js +2 -4
- package/build/openid4vc-holder/OpenId4VcHolderApi.js.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderService.d.ts +14 -19
- package/build/openid4vc-holder/OpenId4VciHolderService.js +425 -203
- package/build/openid4vc-holder/OpenId4VciHolderService.js.map +1 -1
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.ts +117 -37
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.js +1 -0
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.js.map +1 -1
- package/build/openid4vc-holder/OpenId4vpHolderService.js +24 -15
- package/build/openid4vc-holder/OpenId4vpHolderService.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.ts +21 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.js +11 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts +7 -3
- package/build/openid4vc-issuer/OpenId4VcIssuerService.js +387 -167
- package/build/openid4vc-issuer/OpenId4VcIssuerService.js.map +1 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.ts +67 -27
- package/build/openid4vc-issuer/index.d.ts +1 -1
- package/build/openid4vc-issuer/index.js +2 -1
- package/build/openid4vc-issuer/index.js.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts +29 -5
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js +2 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js.map +1 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.ts +12 -7
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.js +15 -3
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.js.map +1 -1
- package/build/openid4vc-issuer/router/accessTokenEndpoint.js +41 -13
- package/build/openid4vc-issuer/router/accessTokenEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js +102 -33
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/router/credentialEndpoint.js +42 -10
- package/build/openid4vc-issuer/router/credentialEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/router/jwksEndpoint.js +2 -2
- package/build/openid4vc-issuer/router/jwksEndpoint.js.map +1 -1
- package/build/openid4vc-issuer/util/txCode.d.ts +1 -1
- package/build/openid4vc-issuer/util/txCode.js +3 -1
- package/build/openid4vc-issuer/util/txCode.js.map +1 -1
- package/build/openid4vc-verifier/OpenId4VpVerifierService.d.ts +1 -1
- package/build/openid4vc-verifier/OpenId4VpVerifierService.js +70 -65
- package/build/openid4vc-verifier/OpenId4VpVerifierService.js.map +1 -1
- package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.ts +7 -1
- package/build/shared/callbacks.d.ts +6 -4
- package/build/shared/callbacks.js +212 -69
- package/build/shared/callbacks.js.map +1 -1
- package/build/shared/models/CredentialHolderBinding.d.ts +65 -11
- package/build/shared/models/OpenId4VcJwtIssuer.d.ts +10 -5
- package/build/shared/models/OpenId4VciCredentialFormatProfile.d.ts +1 -0
- package/build/shared/models/OpenId4VciCredentialFormatProfile.js +1 -0
- package/build/shared/models/OpenId4VciCredentialFormatProfile.js.map +1 -1
- package/build/shared/router/tenants.js +2 -2
- package/build/shared/router/tenants.js.map +1 -1
- package/build/shared/utils.d.ts +4 -9
- package/build/shared/utils.js +27 -44
- package/build/shared/utils.js.map +1 -1
- package/package.json +14 -14
@@ -20,8 +20,8 @@ function handleTokenRequest(config) {
|
|
|
20
20
|
const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService_1.OpenId4VcIssuerService);
|
|
21
21
|
const issuanceSessionRepository = agentContext.dependencyManager.resolve(repository_1.OpenId4VcIssuanceSessionRepository);
|
|
22
22
|
const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer);
|
|
23
|
-
const accessTokenSigningKey =
|
|
24
|
-
|
|
23
|
+
const accessTokenSigningKey = issuer.resolvedAccessTokenPublicJwk;
|
|
24
|
+
let oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext);
|
|
25
25
|
const fullRequestUrl = (0, core_1.joinUriParts)(issuerMetadata.credentialIssuer.credential_issuer, [
|
|
26
26
|
config.accessTokenEndpointPath,
|
|
27
27
|
]);
|
|
@@ -30,7 +30,7 @@ function handleTokenRequest(config) {
|
|
|
30
30
|
method: request.method,
|
|
31
31
|
url: fullRequestUrl,
|
|
32
32
|
};
|
|
33
|
-
const { accessTokenRequest, grant,
|
|
33
|
+
const { accessTokenRequest, grant, dpop, clientAttestation, pkceCodeVerifier } = oauth2AuthorizationServer.parseAccessTokenRequest({
|
|
34
34
|
accessTokenRequest: request.body,
|
|
35
35
|
request: requestLike,
|
|
36
36
|
});
|
|
@@ -57,6 +57,9 @@ function handleTokenRequest(config) {
|
|
|
57
57
|
error_description: 'Session expired',
|
|
58
58
|
});
|
|
59
59
|
}
|
|
60
|
+
oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {
|
|
61
|
+
issuanceSessionId: issuanceSession.id,
|
|
62
|
+
});
|
|
60
63
|
let verificationResult;
|
|
61
64
|
try {
|
|
62
65
|
if (grant.grantType === oauth2_1.preAuthorizedCodeGrantIdentifier) {
|
|
@@ -73,11 +76,18 @@ function handleTokenRequest(config) {
|
|
|
73
76
|
expectedPreAuthorizedCode: issuanceSession.preAuthorizedCode,
|
|
74
77
|
grant,
|
|
75
78
|
request: requestLike,
|
|
79
|
+
authorizationServerMetadata: issuerMetadata.authorizationServers[0],
|
|
80
|
+
clientAttestation: {
|
|
81
|
+
...clientAttestation,
|
|
82
|
+
// First session config, fall back to global config
|
|
83
|
+
required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,
|
|
84
|
+
// NOTE: we might want to enforce this? Not sure
|
|
85
|
+
// ensureConfirmationKeyMatchesDpopKey: true
|
|
86
|
+
},
|
|
76
87
|
dpop: {
|
|
77
|
-
|
|
78
|
-
//
|
|
79
|
-
|
|
80
|
-
required: config.dpopRequired,
|
|
88
|
+
...dpop,
|
|
89
|
+
// First session config, fall back to global config
|
|
90
|
+
required: issuanceSession.dpop?.required ?? config.dpopRequired,
|
|
81
91
|
},
|
|
82
92
|
expectedTxCode: issuanceSession.userPin,
|
|
83
93
|
preAuthorizedCodeExpiresAt: (0, utils_1.addSecondsToDate)(issuanceSession.createdAt, config.statefulCredentialOfferExpirationInSeconds),
|
|
@@ -97,12 +107,26 @@ function handleTokenRequest(config) {
|
|
|
97
107
|
expectedCode: issuanceSession.authorization.code,
|
|
98
108
|
codeExpiresAt: issuanceSession.authorization.codeExpiresAt,
|
|
99
109
|
grant,
|
|
110
|
+
authorizationServerMetadata: issuerMetadata.authorizationServers[0],
|
|
100
111
|
request: requestLike,
|
|
112
|
+
clientAttestation: {
|
|
113
|
+
...clientAttestation,
|
|
114
|
+
// Ensure it matches the previously provided client id
|
|
115
|
+
// FIXME: we don't verify that the attestation is issued by the same party
|
|
116
|
+
expectedClientId: issuanceSession.clientId,
|
|
117
|
+
// NOTE: we don't look at the global config here. As we already checked and
|
|
118
|
+
// set required to true previously if client attestations were provided or required.
|
|
119
|
+
required: issuanceSession.walletAttestation?.required,
|
|
120
|
+
// NOTE: we might want to enforce this? Not sure
|
|
121
|
+
// ensureConfirmationKeyMatchesDpopKey: true
|
|
122
|
+
},
|
|
101
123
|
dpop: {
|
|
102
|
-
|
|
103
|
-
//
|
|
104
|
-
//
|
|
105
|
-
required:
|
|
124
|
+
...dpop,
|
|
125
|
+
// NOTE: we don't look at the global config here. As we already checked and
|
|
126
|
+
// set required to true previously if client attestations were provided or required.
|
|
127
|
+
required: issuanceSession.dpop?.required,
|
|
128
|
+
// Ensure it matches previously provided jwk thumbprint
|
|
129
|
+
expectedJwkThumbprint: issuanceSession.dpop?.dpopJkt,
|
|
106
130
|
},
|
|
107
131
|
pkce: issuanceSession.pkce
|
|
108
132
|
? {
|
|
@@ -125,7 +149,7 @@ function handleTokenRequest(config) {
|
|
|
125
149
|
// use the offered credential configuration ids so a scope is not required)
|
|
126
150
|
const scopes = grant.grantType === oauth2_1.authorizationCodeGrantIdentifier ? issuanceSession.authorization?.scopes : undefined;
|
|
127
151
|
const subject = `credo:${core_1.utils.uuid()}`;
|
|
128
|
-
const signerJwk =
|
|
152
|
+
const signerJwk = accessTokenSigningKey;
|
|
129
153
|
const accessTokenResponse = await oauth2AuthorizationServer.createAccessTokenResponse({
|
|
130
154
|
audience: issuerMetadata.credentialIssuer.credential_issuer,
|
|
131
155
|
authorizationServer: issuerMetadata.credentialIssuer.credential_issuer,
|
|
@@ -135,7 +159,11 @@ function handleTokenRequest(config) {
|
|
|
135
159
|
alg: signerJwk.supportedSignatureAlgorithms[0],
|
|
136
160
|
publicJwk: signerJwk.toJson(),
|
|
137
161
|
},
|
|
138
|
-
|
|
162
|
+
dpop: verificationResult.dpop
|
|
163
|
+
? {
|
|
164
|
+
jwk: verificationResult.dpop?.jwk,
|
|
165
|
+
}
|
|
166
|
+
: undefined,
|
|
139
167
|
scope: scopes?.join(' '),
|
|
140
168
|
clientId: issuanceSession.clientId,
|
|
141
169
|
additionalAccessTokenPayload: {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"accessTokenEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/accessTokenEndpoint.ts"],"names":[],"mappings":";;AAwBA,oEAEC;AAED,
|
|
1
|
+
{"version":3,"file":"accessTokenEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/accessTokenEndpoint.ts"],"names":[],"mappings":";;AAwBA,oEAEC;AAED,gDA4NC;AAnPD,yCAAoD;AACpD,8CAK0B;AAE1B,gDAK4B;AAC5B,8CAAqD;AACrD,oFAAgF;AAChF,sEAAkE;AAClE,8CAAkE;AAElE,SAAgB,4BAA4B,CAAC,MAAc,EAAE,MAAmC;IAC9F,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,uBAAuB,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAA;AACzE,CAAC;AAED,SAAgB,kBAAkB,CAAC,MAAmC;IACpE,OAAO,KAAK,EAAE,OAAiC,EAAE,QAAkB,EAAE,IAAkB,EAAE,EAAE;QACzF,QAAQ,CAAC,GAAG,CAAC,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAA;QACjE,MAAM,cAAc,GAAG,IAAA,0BAAiB,EAAC,OAAO,CAAC,CAAA;QACjD,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,cAAc,CAAA;QAE/C,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAsB,CAAC,CAAA;QAC7F,MAAM,yBAAyB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAkC,CAAC,CAAA;QAC5G,MAAM,cAAc,GAAG,MAAM,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;QAC3F,MAAM,qBAAqB,GAAG,MAAM,CAAC,4BAA4B,CAAA;QACjE,IAAI,yBAAyB,GAAG,sBAAsB,CAAC,4BAA4B,CAAC,YAAY,CAAC,CAAA;QAEjG,MAAM,cAAc,GAAG,IAAA,mBAAY,EAAC,cAAc,CAAC,gBAAgB,CAAC,iBAAiB,EAAE;YACrF,MAAM,CAAC,uBAAuB;SAC/B,CAAC,CAAA;QACF,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC,OAAiC,CAAC;YAC/D,MAAM,EAAE,OAAO,CAAC,MAAoB;YACpC,GAAG,EAAE,cAAc;SACX,CAAA;QAEV,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,GAC5E,yBAAyB,CAAC,uBAAuB,CAAC;YAChD,kBAAkB,EAAE,OAAO,CAAC,IAAI;YAChC,OAAO,EAAE,WAAW;SACrB,CAAC,CAAA;QAEJ,MAAM,eAAe,GAAG,MAAM,yBAAyB,CAAC,iBAAiB,CAAC,YAAY,EAAE;YACtF,iBAAiB,EAAE,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS;YAC7G,iBAAiB,EAAE,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;SACjG,CAAC,CAAA;QACF,MAAM,aAAa,GACjB,KAAK,CAAC,SAAS,KAAK,yCAAgC;YAClD,CAAC,CAAC,CAAC,6DAA6B,CAAC,YAAY,EAAE,6DAA6B,CAAC,iBAAiB,CAAC;YAC/F,CAAC,CAAC,CAAC,6DAA6B,CAAC,oBAAoB,CAAC,CAAA;QAC1D,IAAI,CAAC,eAAe,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,uCAA8B,CAAC;gBACvC,KAAK,EAAE,yBAAgB,CAAC,YAAY;gBAC
pC,iBAAiB,EAAE,4BAA4B;aAChD,CAAC,CAAA;QACJ,CAAC;QAED,IACE,IAAI,CAAC,GAAG,EAAE;YACV,IAAA,wBAAgB,EAAC,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC,0CAA0C,CAAC,CAAC,OAAO,EAAE,EACxG,CAAC;YACD,eAAe,CAAC,YAAY,GAAG,8BAA8B,CAAA;YAC7D,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,eAAe,EAAE,6DAA6B,CAAC,KAAK,CAAC,CAAA;YAC5G,MAAM,IAAI,uCAA8B,CAAC;gBACvC,+BAA+B;gBAC/B,KAAK,EAAE,yBAAgB,CAAC,YAAY;gBACpC,iBAAiB,EAAE,iBAAiB;aACrC,CAAC,CAAA;QACJ,CAAC;QAED,yBAAyB,GAAG,sBAAsB,CAAC,4BAA4B,CAAC,YAAY,EAAE;YAC5F,iBAAiB,EAAE,eAAe,CAAC,EAAE;SACtC,CAAC,CAAA;QACF,IAAI,kBAAkD,CAAA;QACtD,IAAI,CAAC;YACH,IAAI,KAAK,CAAC,SAAS,KAAK,yCAAgC,EAAE,CAAC;gBACzD,IAAI,CAAC,eAAe,CAAC,iBAAiB,EAAE,CAAC;oBACvC,MAAM,IAAI,uCAA8B,CACtC;wBACE,KAAK,EAAE,yBAAgB,CAAC,YAAY;wBACpC,iBAAiB,EAAE,4BAA4B;qBAChD,EACD;wBACE,eAAe,EACb,8IAA8I;qBACjJ,CACF,CAAA;gBACH,CAAC;gBAED,kBAAkB,GAAG,MAAM,yBAAyB,CAAC,yCAAyC,CAAC;oBAC7F,kBAAkB;oBAClB,yBAAyB,EAAE,eAAe,CAAC,iBAAiB;oBAC5D,KAAK;oBACL,OAAO,EAAE,WAAW;oBACpB,2BAA2B,EAAE,cAAc,CAAC,oBAAoB,CAAC,CAAC,CAAC;oBACnE,iBAAiB,EAAE;wBACjB,GAAG,iBAAiB;wBACpB,mDAAmD;wBACnD,QAAQ,EAAE,eAAe,CAAC,iBAAiB,EAAE,QAAQ,IAAI,MAAM,CAAC,0BAA0B;wBAE1F,gDAAgD;wBAChD,4CAA4C;qBAC7C;oBACD,IAAI,EAAE;wBACJ,GAAG,IAAI;wBACP,mDAAmD;wBACnD,QAAQ,EAAE,eAAe,CAAC,IAAI,EAAE,QAAQ,IAAI,MAAM,CAAC,YAAY;qBAChE;oBACD,cAAc,EAAE,eAAe,CAAC,OAAO;oBACvC,0BAA0B,EAAE,IAAA,wBAAgB,EAC1C,eAAe,CAAC,SAAS,EACzB,MAAM,CAAC,0CAA0C,CAClD;iBACF,CAAC,CAAA;YACJ,CAAC;iBAAM,IAAI,KAAK,CAAC,SAAS,KAAK,yCAAgC,EAAE,CAAC;gBAChE,IAAI,CAAC,eAAe,CAAC,aAAa,EAAE,IAAI,IAAI,CAAC,eAAe,CAAC,aAAa,EAAE,aAAa,EAAE,CAAC;oBAC1F,MAAM,IAAI,uCAA8B,CACtC;wBACE,KAAK,EAAE,yBAAgB,CAAC,YAAY;wBACpC,iBAAiB,EAAE,4BAA4B;qBAChD,EACD;wBACE,eAAe,EACb,6KAA6K;qBAChL,CACF,CAAA;gBACH,CAAC;gBACD,kBAAkB,GAAG,MAAM,yBAAyB,CAAC,yCAAyC,CAAC;oBAC7F,kBAAkB;oBAClB,YAAY,EAAE,eAAe,CAAC,aAAa,CAAC,IAAI;oBAChD,aAAa,EAAE,eAAe,CAAC,aAAa,CAAC,aAAa;oBAC1D,KAAK;oBACL,2BAA2B,EAAE,cAAc,CAAC,oBAAoB,CAAC,CAAC,CAAC;oBACnE,OAAO,EAAE,WAAW;oBACpB,iBAAiB,EAAE;wBACjB,GAAG,iBAAiB;wBAEpB,sDAAsD;wBACtD,0EAA0E;wBAC1E,gBAAgB,EAAE,eAAe,CAAC,QAAQ;wBAE
1C,2EAA2E;wBAC3E,oFAAoF;wBACpF,QAAQ,EAAE,eAAe,CAAC,iBAAiB,EAAE,QAAQ;wBAErD,gDAAgD;wBAChD,4CAA4C;qBAC7C;oBACD,IAAI,EAAE;wBACJ,GAAG,IAAI;wBACP,2EAA2E;wBAC3E,oFAAoF;wBACpF,QAAQ,EAAE,eAAe,CAAC,IAAI,EAAE,QAAQ;wBAExC,uDAAuD;wBACvD,qBAAqB,EAAE,eAAe,CAAC,IAAI,EAAE,OAAO;qBACrD;oBACD,IAAI,EAAE,eAAe,CAAC,IAAI;wBACxB,CAAC,CAAC;4BACE,aAAa,EAAE,eAAe,CAAC,IAAI,CAAC,aAAa;4BACjD,mBAAmB,EAAE,eAAe,CAAC,IAAI,CAAC,mBAAmB;4BAC7D,YAAY,EAAE,gBAAgB;yBAC/B;wBACH,CAAC,CAAC,SAAS;iBACd,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,uCAA8B,CAAC;oBACvC,KAAK,EAAE,yBAAgB,CAAC,oBAAoB;oBAC5C,iBAAiB,EAAE,wBAAwB;iBAC5C,CAAC,CAAA;YACJ,CAAC;YAED,MAAM,sBAAsB,CAAC,WAAW,CACtC,YAAY,EACZ,eAAe,EACf,6DAA6B,CAAC,oBAAoB,CACnD,CAAA;YACD,MAAM,EAAE,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;YAEzG,0GAA0G;YAC1G,2EAA2E;YAC3E,MAAM,MAAM,GACV,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,eAAe,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAA;YAC1G,MAAM,OAAO,GAAG,SAAS,YAAK,CAAC,IAAI,EAAE,EAAE,CAAA;YAEvC,MAAM,SAAS,GAAG,qBAAqB,CAAA;YACvC,MAAM,mBAAmB,GAAG,MAAM,yBAAyB,CAAC,yBAAyB,CAAC;gBACpF,QAAQ,EAAE,cAAc,CAAC,gBAAgB,CAAC,iBAAiB;gBAC3D,mBAAmB,EAAE,cAAc,CAAC,gBAAgB,CAAC,iBAAiB;gBACtE,gBAAgB,EAAE,MAAM,CAAC,2BAA2B;gBACpD,MAAM,EAAE;oBACN,MAAM,EAAE,KAAK;oBACb,GAAG,EAAE,SAAS,CAAC,4BAA4B,CAAC,CAAC,CAAC;oBAC9C,SAAS,EAAE,SAAS,CAAC,MAAM,EAAS;iBACrC;gBACD,IAAI,EAAE,kBAAkB,CAAC,IAAI;oBAC3B,CAAC,CAAC;wBACE,GAAG,EAAE,kBAAkB,CAAC,IAAI,EAAE,GAAG;qBAClC;oBACH,CAAC,CAAC,SAAS;gBACb,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC;gBACxB,QAAQ,EAAE,eAAe,CAAC,QAAQ;gBAElC,4BAA4B,EAAE;oBAC5B,qBAAqB,EACnB,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS;oBAC5F,YAAY,EAAE,eAAe,CAAC,aAAa,EAAE,WAAW;iBACzD;gBACD,4FAA4F;gBAC5F,OAAO;gBAEP,yEAAyE;gBACzE,MAAM;gBACN,eAAe,EAAE,sBAAsB;aACxC,CAAC,CAAA;YAEF,eAAe,CAAC,aAAa,GAAG;gBAC9B,GAAG,eAAe,CAAC,aAAa;gBAChC,OAAO;aACR,CAAA;YACD,MAAM,sBAAsB,CAAC,WAAW,CACtC,YAAY,EACZ,eAAe,EACf,6DAA6B,CAAC,kBAAkB,CACjD,CAAA;YAED,OAAO,IAAA,yBAAgB,EAAC,QAAQ,EAAE,IAAI,EAAE,mBAAmB,CAAC,CA
AA;QAC9D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,uCAA8B,EAAE,CAAC;gBACpD,OAAO,IAAA,gCAAuB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YACnF,CAAC;YAED,OAAO,IAAA,uCAA8B,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1F,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}
|
|
@@ -16,19 +16,27 @@ function configureAuthorizationChallengeEndpoint(router, config) {
|
|
|
16
16
|
const { agentContext, issuer } = requestContext;
|
|
17
17
|
try {
|
|
18
18
|
const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService_1.OpenId4VcIssuerService);
|
|
19
|
+
const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer);
|
|
19
20
|
const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext);
|
|
20
|
-
const
|
|
21
|
+
const fullRequestUrl = (0, core_1.joinUriParts)(issuerMetadata.credentialIssuer.credential_issuer, [
|
|
22
|
+
config.authorizationChallengeEndpointPath,
|
|
23
|
+
]);
|
|
24
|
+
const requestLike = {
|
|
25
|
+
headers: new Headers(request.headers),
|
|
26
|
+
method: request.method,
|
|
27
|
+
url: fullRequestUrl,
|
|
28
|
+
};
|
|
29
|
+
const parseResult = authorizationServer.parseAuthorizationChallengeRequest({
|
|
21
30
|
authorizationChallengeRequest: request.body,
|
|
31
|
+
request: requestLike,
|
|
22
32
|
});
|
|
33
|
+
const { authorizationChallengeRequest } = parseResult;
|
|
23
34
|
if (authorizationChallengeRequest.auth_session) {
|
|
24
35
|
await handleAuthorizationChallengeWithAuthSession({
|
|
25
36
|
response,
|
|
26
37
|
next,
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
...authorizationChallengeRequest,
|
|
30
|
-
auth_session: authorizationChallengeRequest.auth_session,
|
|
31
|
-
},
|
|
38
|
+
parseResult,
|
|
39
|
+
request: requestLike,
|
|
32
40
|
agentContext,
|
|
33
41
|
issuer,
|
|
34
42
|
});
|
|
@@ -36,9 +44,10 @@ function configureAuthorizationChallengeEndpoint(router, config) {
|
|
|
36
44
|
else {
|
|
37
45
|
// First call, no auth_sesion yet
|
|
38
46
|
await handleAuthorizationChallengeNoAuthSession({
|
|
39
|
-
authorizationChallengeRequest,
|
|
40
47
|
agentContext,
|
|
41
48
|
issuer,
|
|
49
|
+
parseResult,
|
|
50
|
+
request: requestLike,
|
|
42
51
|
});
|
|
43
52
|
}
|
|
44
53
|
}
|
|
@@ -51,12 +60,12 @@ function configureAuthorizationChallengeEndpoint(router, config) {
|
|
|
51
60
|
});
|
|
52
61
|
}
|
|
53
62
|
async function handleAuthorizationChallengeNoAuthSession(options) {
|
|
54
|
-
const { agentContext, issuer,
|
|
63
|
+
const { agentContext, issuer, parseResult, request } = options;
|
|
64
|
+
const { authorizationChallengeRequest } = parseResult;
|
|
55
65
|
// First call, no auth_sesion yet
|
|
56
66
|
const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService_1.OpenId4VcIssuerService);
|
|
57
67
|
const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig_1.OpenId4VcIssuerModuleConfig);
|
|
58
68
|
const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer);
|
|
59
|
-
const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext);
|
|
60
69
|
if (!config.getVerificationSessionForIssuanceSessionAuthorization) {
|
|
61
70
|
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
62
71
|
error: oauth2_1.Oauth2ErrorCodes.ServerError,
|
|
@@ -64,28 +73,18 @@ async function handleAuthorizationChallengeNoAuthSession(options) {
|
|
|
64
73
|
internalMessage: `Missing required 'getVerificationSessionForIssuanceSessionAuthorization' callback in openid4vc issuer module config. This callback is required for presentation during issuance flows.`,
|
|
65
74
|
});
|
|
66
75
|
}
|
|
67
|
-
if (!authorizationChallengeRequest.scope) {
|
|
68
|
-
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
69
|
-
error: oauth2_1.Oauth2ErrorCodes.InvalidScope,
|
|
70
|
-
error_description: `Missing required 'scope' parameter`,
|
|
71
|
-
});
|
|
72
|
-
}
|
|
73
76
|
if (!authorizationChallengeRequest.issuer_state) {
|
|
74
77
|
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
75
78
|
error: oauth2_1.Oauth2ErrorCodes.InvalidRequest,
|
|
76
79
|
error_description: `Missing required 'issuer_state' parameter. Only requests initiated by a credential offer are supported for authorization challenge.`,
|
|
77
80
|
});
|
|
78
81
|
}
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
// error: Oauth2ErrorCodes.InvalidRequest,
|
|
86
|
-
// error_description: `Missing required 'client_id' parameter..`,
|
|
87
|
-
// })
|
|
88
|
-
// }
|
|
82
|
+
if (!authorizationChallengeRequest.scope) {
|
|
83
|
+
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
84
|
+
error: oauth2_1.Oauth2ErrorCodes.InvalidScope,
|
|
85
|
+
error_description: `Missing required 'scope' parameter`,
|
|
86
|
+
});
|
|
87
|
+
}
|
|
89
88
|
const issuanceSession = await openId4VcIssuerService.findSingleIssuancSessionByQuery(agentContext, {
|
|
90
89
|
issuerId: issuer.issuerId,
|
|
91
90
|
issuerState: authorizationChallengeRequest.issuer_state,
|
|
@@ -101,6 +100,36 @@ async function handleAuthorizationChallengeNoAuthSession(options) {
|
|
|
101
100
|
: `Issuance session '${issuanceSession.id}' has state '${issuanceSession.state}' but expected one of ${allowedStates.join(', ')}`,
|
|
102
101
|
});
|
|
103
102
|
}
|
|
103
|
+
const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {
|
|
104
|
+
issuanceSessionId: issuanceSession.id,
|
|
105
|
+
});
|
|
106
|
+
const { clientAttestation, dpop } = await authorizationServer.verifyAuthorizationChallengeRequest({
|
|
107
|
+
authorizationChallengeRequest,
|
|
108
|
+
authorizationServerMetadata: issuerMetadata.authorizationServers[0],
|
|
109
|
+
request,
|
|
110
|
+
clientAttestation: {
|
|
111
|
+
...parseResult.clientAttestation,
|
|
112
|
+
// First session config, fall back to global config
|
|
113
|
+
required: issuanceSession.walletAttestation?.required ?? config.walletAttestationsRequired,
|
|
114
|
+
},
|
|
115
|
+
dpop: {
|
|
116
|
+
...parseResult.dpop,
|
|
117
|
+
// First session config, fall back to global config
|
|
118
|
+
required: issuanceSession.dpop?.required ?? config.dpopRequired,
|
|
119
|
+
},
|
|
120
|
+
});
|
|
121
|
+
// Bind dpop jwk thumbprint to session
|
|
122
|
+
if (dpop)
|
|
123
|
+
issuanceSession.dpop = {
|
|
124
|
+
// If dpop is provided at the start, it's required from now on.
|
|
125
|
+
required: true,
|
|
126
|
+
dpopJkt: dpop.jwkThumbprint,
|
|
127
|
+
};
|
|
128
|
+
if (clientAttestation)
|
|
129
|
+
issuanceSession.walletAttestation = {
|
|
130
|
+
// If dpop is provided at the start, it's required from now on.
|
|
131
|
+
required: true,
|
|
132
|
+
};
|
|
104
133
|
const offeredCredentialConfigurations = (0, shared_1.getOfferedCredentials)(issuanceSession.credentialOfferPayload.credential_configuration_ids, issuerMetadata.credentialIssuer.credential_configurations_supported);
|
|
105
134
|
const allowedScopes = (0, shared_1.getScopesFromCredentialConfigurationsSupported)(offeredCredentialConfigurations);
|
|
106
135
|
const requestedScopes = (0, shared_1.getAllowedAndRequestedScopeValues)({
|
|
@@ -120,12 +149,13 @@ async function handleAuthorizationChallengeNoAuthSession(options) {
|
|
|
120
149
|
requestedCredentialConfigurations,
|
|
121
150
|
scopes: requestedScopes,
|
|
122
151
|
});
|
|
152
|
+
const kms = agentContext.resolve(core_1.Kms.KeyManagementApi);
|
|
123
153
|
// Store presentation during issuance session on the record
|
|
124
|
-
verificationSession.presentationDuringIssuanceSession = core_1.TypedArrayEncoder.toBase64URL(
|
|
154
|
+
verificationSession.presentationDuringIssuanceSession = core_1.TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }));
|
|
125
155
|
await agentContext.dependencyManager
|
|
126
156
|
.resolve(openid4vc_verifier_1.OpenId4VcVerificationSessionRepository)
|
|
127
157
|
.update(agentContext, verificationSession);
|
|
128
|
-
const authSession = core_1.TypedArrayEncoder.toBase64URL(
|
|
158
|
+
const authSession = core_1.TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }));
|
|
129
159
|
issuanceSession.authorization = {
|
|
130
160
|
...issuanceSession.authorization,
|
|
131
161
|
scopes: presentationScopes,
|
|
@@ -135,8 +165,9 @@ async function handleAuthorizationChallengeNoAuthSession(options) {
|
|
|
135
165
|
authSession,
|
|
136
166
|
openId4VcVerificationSessionId: verificationSession.id,
|
|
137
167
|
};
|
|
138
|
-
//
|
|
139
|
-
|
|
168
|
+
// If client attestation is used we have verified this client_id matches with the sub
|
|
169
|
+
// of the wallet attestation
|
|
170
|
+
issuanceSession.clientId = clientAttestation?.clientAttestation.payload.sub ?? authorizationChallengeRequest.client_id;
|
|
140
171
|
await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AuthorizationInitiated);
|
|
141
172
|
const authorizationChallengeErrorResponse = authorizationServer.createAuthorizationChallengePresentationErrorResponse({
|
|
142
173
|
authSession,
|
|
@@ -146,13 +177,14 @@ async function handleAuthorizationChallengeNoAuthSession(options) {
|
|
|
146
177
|
throw new oauth2_1.Oauth2ServerErrorResponseError(authorizationChallengeErrorResponse);
|
|
147
178
|
}
|
|
148
179
|
async function handleAuthorizationChallengeWithAuthSession(options) {
|
|
149
|
-
const { agentContext, issuer,
|
|
180
|
+
const { agentContext, issuer, parseResult, request, response, next } = options;
|
|
181
|
+
const { authorizationChallengeRequest } = parseResult;
|
|
150
182
|
const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService_1.OpenId4VcIssuerService);
|
|
151
183
|
const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig_1.OpenId4VcIssuerModuleConfig);
|
|
152
|
-
const
|
|
184
|
+
const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer);
|
|
153
185
|
const verifierApi = agentContext.dependencyManager.resolve(openid4vc_verifier_1.OpenId4VcVerifierApi);
|
|
154
186
|
// NOTE: we ignore scope, issuer_state etc.. parameters if auth_session is present
|
|
155
|
-
// should we validate that these are not in the request? I'm not sure what best
|
|
187
|
+
// should we validate that these are not in the request? I'm not sure what best practice would be here
|
|
156
188
|
const issuanceSession = await openId4VcIssuerService.findSingleIssuancSessionByQuery(agentContext, {
|
|
157
189
|
issuerId: issuer.issuerId,
|
|
158
190
|
presentationAuthSession: authorizationChallengeRequest.auth_session,
|
|
@@ -173,6 +205,42 @@ async function handleAuthorizationChallengeWithAuthSession(options) {
|
|
|
173
205
|
: `Issuance session '${issuanceSession.id}' has state '${issuanceSession.state}' but expected one of ${allowedStates.join(', ')}`,
|
|
174
206
|
});
|
|
175
207
|
}
|
|
208
|
+
const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext, {
|
|
209
|
+
issuanceSessionId: issuanceSession.id,
|
|
210
|
+
});
|
|
211
|
+
const { clientAttestation, dpop } = await authorizationServer.verifyAuthorizationChallengeRequest({
|
|
212
|
+
authorizationChallengeRequest,
|
|
213
|
+
authorizationServerMetadata: issuerMetadata.authorizationServers[0],
|
|
214
|
+
request,
|
|
215
|
+
clientAttestation: {
|
|
216
|
+
...parseResult.clientAttestation,
|
|
217
|
+
// We only look at the issuance session here. If it is required
|
|
218
|
+
// it will be defined on the issuance session now.
|
|
219
|
+
required: issuanceSession.walletAttestation?.required,
|
|
220
|
+
},
|
|
221
|
+
dpop: {
|
|
222
|
+
...parseResult.dpop,
|
|
223
|
+
// We only look at the issuance session here. If it is required
|
|
224
|
+
// it will be defined on the issuance session now.
|
|
225
|
+
required: issuanceSession.dpop?.required,
|
|
226
|
+
},
|
|
227
|
+
});
|
|
228
|
+
if (dpop && dpop.jwkThumbprint !== issuanceSession.dpop?.dpopJkt) {
|
|
229
|
+
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
230
|
+
error: oauth2_1.Oauth2ErrorCodes.InvalidDpopProof,
|
|
231
|
+
error_description: 'Invalid jwk thubmprint',
|
|
232
|
+
}, {
|
|
233
|
+
internalMessage: `DPoP JWK thumbprint '${dpop.jwkThumbprint}' does not match expected value '${issuanceSession.dpop?.dpopJkt}'`,
|
|
234
|
+
});
|
|
235
|
+
}
|
|
236
|
+
if (clientAttestation && clientAttestation.clientAttestation.payload.sub !== issuanceSession.clientId) {
|
|
237
|
+
throw new oauth2_1.Oauth2ServerErrorResponseError({
|
|
238
|
+
error: oauth2_1.Oauth2ErrorCodes.InvalidClient,
|
|
239
|
+
error_description: 'Invalid client',
|
|
240
|
+
}, {
|
|
241
|
+
internalMessage: `Client id '${authorizationChallengeRequest.client_id}' from authorization challenge request does not match client id '${issuanceSession.clientId}' on issuance session`,
|
|
242
|
+
});
|
|
243
|
+
}
|
|
176
244
|
const { openId4VcVerificationSessionId } = issuanceSession.presentation;
|
|
177
245
|
await verifierApi
|
|
178
246
|
.getVerificationSessionById(openId4VcVerificationSessionId)
|
|
@@ -207,7 +275,8 @@ async function handleAuthorizationChallengeWithAuthSession(options) {
|
|
|
207
275
|
}
|
|
208
276
|
});
|
|
209
277
|
// Grant authorization
|
|
210
|
-
const
|
|
278
|
+
const kms = agentContext.resolve(core_1.Kms.KeyManagementApi);
|
|
279
|
+
const authorizationCode = core_1.TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 }));
|
|
211
280
|
const authorizationCodeExpiresAt = (0, utils_1.addSecondsToDate)(new Date(), config.authorizationCodeExpiresInSeconds);
|
|
212
281
|
issuanceSession.authorization = {
|
|
213
282
|
...issuanceSession.authorization,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorizationChallengeEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/authorizationChallengeEndpoint.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"authorizationChallengeEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/authorizationChallengeEndpoint.ts"],"names":[],"mappings":";;AAoCA,0FAqDC;AA9ED,yCAAqE;AACrE,8CAAoF;AAEpF,iEAIiC;AACjC,yCAKqB;AACrB,gDAK4B;AAC5B,8CAAqD;AACrD,oFAAgF;AAChF,gFAA4E;AAC5E,sEAAkE;AAElE,SAAgB,uCAAuC,CAAC,MAAc,EAAE,MAAmC;IACzG,MAAM,CAAC,IAAI,CACT,MAAM,CAAC,kCAAkC,EACzC,KAAK,EAAE,OAAiC,EAAE,QAAkB,EAAE,IAAkB,EAAE,EAAE;QAClF,MAAM,cAAc,GAAG,IAAA,0BAAiB,EAAC,OAAO,CAAC,CAAA;QACjD,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,cAAc,CAAA;QAE/C,IAAI,CAAC;YACH,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAsB,CAAC,CAAA;YAC7F,MAAM,cAAc,GAAG,MAAM,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;YAC3F,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,4BAA4B,CAAC,YAAY,CAAC,CAAA;YAC7F,MAAM,cAAc,GAAG,IAAA,mBAAY,EAAC,cAAc,CAAC,gBAAgB,CAAC,iBAAiB,EAAE;gBACrF,MAAM,CAAC,kCAAkC;aAC1C,CAAC,CAAA;YAEF,MAAM,WAAW,GAAG;gBAClB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC,OAAiC,CAAC;gBAC/D,MAAM,EAAE,OAAO,CAAC,MAAoB;gBACpC,GAAG,EAAE,cAAc;aACX,CAAA;YAEV,MAAM,WAAW,GAAG,mBAAmB,CAAC,kCAAkC,CAAC;gBACzE,6BAA6B,EAAE,OAAO,CAAC,IAAI;gBAC3C,OAAO,EAAE,WAAW;aACrB,CAAC,CAAA;YACF,MAAM,EAAE,6BAA6B,EAAE,GAAG,WAAW,CAAA;YAErD,IAAI,6BAA6B,CAAC,YAAY,EAAE,CAAC;gBAC/C,MAAM,2CAA2C,CAAC;oBAChD,QAAQ;oBACR,IAAI;oBACJ,WAAW;oBACX,OAAO,EAAE,WAAW;oBACpB,YAAY;oBACZ,MAAM;iBACP,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,iCAAiC;gBACjC,MAAM,yCAAyC,CAAC;oBAC9C,YAAY;oBACZ,MAAM;oBACN,WAAW;oBACX,OAAO,EAAE,WAAW;iBACrB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,uCAA8B,EAAE,CAAC;gBACpD,OAAO,IAAA,gCAAuB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YACnF,CAAC;YACD,OAAO,IAAA,uCAA8B,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1F,CAAC;IACH,CAAC,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,yCAAyC,CAAC,OAMxD;IACC,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAC9D,MAAM,EAAE,6BAA6B,EAAE,GAAG,WAAW,CAAA;IAErD,iCAAiC;IAEjC,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,C
AAC,+CAAsB,CAAC,CAAA;IAC7F,MAAM,MAAM,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,yDAA2B,CAAC,CAAA;IAClF,MAAM,cAAc,GAAG,MAAM,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;IAE3F,IAAI,CAAC,MAAM,CAAC,qDAAqD,EAAE,CAAC;QAClE,MAAM,IAAI,uCAA8B,CACtC;YACE,KAAK,EAAE,yBAAgB,CAAC,WAAW;SACpC,EACD;YACE,eAAe,EAAE,wLAAwL;SAC1M,CACF,CAAA;IACH,CAAC;IAED,IAAI,CAAC,6BAA6B,CAAC,YAAY,EAAE,CAAC;QAChD,MAAM,IAAI,uCAA8B,CAAC;YACvC,KAAK,EAAE,yBAAgB,CAAC,cAAc;YACtC,iBAAiB,EAAE,qIAAqI;SACzJ,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,CAAC,6BAA6B,CAAC,KAAK,EAAE,CAAC;QACzC,MAAM,IAAI,uCAA8B,CAAC;YACvC,KAAK,EAAE,yBAAgB,CAAC,YAAY;YACpC,iBAAiB,EAAE,oCAAoC;SACxD,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,sBAAsB,CAAC,+BAA+B,CAAC,YAAY,EAAE;QACjG,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,6BAA6B,CAAC,YAAY;KACxD,CAAC,CAAA;IACF,MAAM,aAAa,GAAG,CAAC,6DAA6B,CAAC,YAAY,EAAE,6DAA6B,CAAC,iBAAiB,CAAC,CAAA;IACnH,IAAI,CAAC,eAAe,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;QACvE,MAAM,IAAI,uCAA8B,CACtC;YACE,KAAK,EAAE,yBAAgB,CAAC,cAAc;YACtC,iBAAiB,EAAE,kCAAkC;SACtD,EACD;YACE,eAAe,EAAE,CAAC,eAAe;gBAC/B,CAAC,CAAC,4DAA4D,6BAA6B,CAAC,YAAY,GAAG;gBAC3G,CAAC,CAAC,qBAAqB,eAAe,CAAC,EAAE,gBACrC,eAAe,CAAC,KAClB,yBAAyB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SACxD,CACF,CAAA;IACH,CAAC;IAED,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,4BAA4B,CAAC,YAAY,EAAE;QAC5F,iBAAiB,EAAE,eAAe,CAAC,EAAE;KACtC,CAAC,CAAA;IACF,MAAM,EAAE,iBAAiB,EAAE,IAAI,EAAE,GAAG,MAAM,mBAAmB,CAAC,mCAAmC,CAAC;QAChG,6BAA6B;QAC7B,2BAA2B,EAAE,cAAc,CAAC,oBAAoB,CAAC,CAAC,CAAC;QACnE,OAAO;QACP,iBAAiB,EAAE;YACjB,GAAG,WAAW,CAAC,iBAAiB;YAChC,mDAAmD;YACnD,QAAQ,EAAE,eAAe,CAAC,iBAAiB,EAAE,QAAQ,IAAI,MAAM,CAAC,0BAA0B;SAC3F;QACD,IAAI,EAAE;YACJ,GAAG,WAAW,CAAC,IAAI;YACnB,mDAAmD;YACnD,QAAQ,EAAE,eAAe,CAAC,IAAI,EAAE,QAAQ,IAAI,MAAM,CAAC,YAAY;SAChE;KACF,CAAC,CAAA;IAEF,sCAAsC;IACtC,IAAI,IAAI;QACN,eAAe,CAAC,IAAI,GAAG;YACrB,+DAA+D;YAC/D,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,IAAI,CAAC,aAAa;SAC5B,CAAA;IACH,IAAI,iBAAiB;QACnB,eAAe,CAAC,iBAAiB,GAAG;YAClC,+DAA+D;YAC/D,QAAQ,EAAE,IAAI;SACf,CAAA;IAEH,MAAM,+BAA+B,GAAG,IAAA,8BAAqB,EAC3
D,eAAe,CAAC,sBAAsB,CAAC,4BAA4B,EACnE,cAAc,CAAC,gBAAgB,CAAC,mCAAmC,CACpE,CAAA;IAED,MAAM,aAAa,GAAG,IAAA,uDAA8C,EAAC,+BAA+B,CAAC,CAAA;IACrG,MAAM,eAAe,GAAG,IAAA,0CAAiC,EAAC;QACxD,aAAa;QACb,cAAc,EAAE,6BAA6B,CAAC,KAAK;KACpD,CAAC,CAAA;IACF,MAAM,iCAAiC,GAAG,IAAA,sDAA6C,EACrF,+BAA+B,EAC/B,eAAe,CAC0C,CAAA;IAE3D,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChG,MAAM,IAAI,uCAA8B,CAAC;YACvC,KAAK,EAAE,yBAAgB,CAAC,YAAY;YACpC,iBAAiB,EAAE,2EAA2E;SAC/F,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,EACJ,oBAAoB,EACpB,mBAAmB,EACnB,MAAM,EAAE,kBAAkB,GAC3B,GAAG,MAAM,MAAM,CAAC,qDAAqD,CAAC;QACrE,YAAY;QACZ,eAAe;QACf,iCAAiC;QACjC,MAAM,EAAE,eAAe;KACxB,CAAC,CAAA;IAEF,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,UAAG,CAAC,gBAAgB,CAAC,CAAA;IACtD,2DAA2D;IAC3D,mBAAmB,CAAC,iCAAiC,GAAG,wBAAiB,CAAC,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC,CAAA;IACtH,MAAM,YAAY,CAAC,iBAAiB;SACjC,OAAO,CAAC,2DAAsC,CAAC;SAC/C,MAAM,CAAC,YAAY,EAAE,mBAAmB,CAAC,CAAA;IAE5C,MAAM,WAAW,GAAG,wBAAiB,CAAC,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC,CAAA;IAClF,eAAe,CAAC,aAAa,GAAG;QAC9B,GAAG,eAAe,CAAC,aAAa;QAChC,MAAM,EAAE,kBAAkB;KAC3B,CAAA;IACD,eAAe,CAAC,YAAY,GAAG;QAC7B,QAAQ,EAAE,IAAI;QACd,WAAW;QACX,8BAA8B,EAAE,mBAAmB,CAAC,EAAE;KACvD,CAAA;IAED,qFAAqF;IACrF,4BAA4B;IAC5B,eAAe,CAAC,QAAQ,GAAG,iBAAiB,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAAG,IAAI,6BAA6B,CAAC,SAAS,CAAA;IAEtH,MAAM,sBAAsB,CAAC,WAAW,CACtC,YAAY,EACZ,eAAe,EACf,6DAA6B,CAAC,sBAAsB,CACrD,CAAA;IAED,MAAM,mCAAmC,GAAG,mBAAmB,CAAC,qDAAqD,CACnH;QACE,WAAW;QACX,YAAY,EAAE,oBAAoB;QAClC,gBAAgB,EAAE,uCAAuC;KAC1D,CACF,CAAA;IACD,MAAM,IAAI,uCAA8B,CAAC,mCAAmC,CAAC,CAAA;AAC/E,CAAC;AAED,KAAK,UAAU,2CAA2C,CAAC,OAQ1D;IACC,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,OAAO,CAAA;IAC9E,MAAM,EAAE,6BAA6B,EAAE,GAAG,WAAW,CAAA;IAErD,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAsB,CAAC,CAAA;IAC7F,MAAM,MAAM,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,yDAA2B,CAAC,CAAA;IAClF,MAAM,cAAc,GAAG,MAAM,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EA
AE,MAAM,CAAC,CAAA;IAE3F,MAAM,WAAW,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,yCAAoB,CAAC,CAAA;IAEhF,kFAAkF;IAClF,sGAAsG;IAEtG,MAAM,eAAe,GAAG,MAAM,sBAAsB,CAAC,+BAA+B,CAAC,YAAY,EAAE;QACjG,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,uBAAuB,EAAE,6BAA6B,CAAC,YAAY;KACpE,CAAC,CAAA;IACF,MAAM,aAAa,GAAG,CAAC,6DAA6B,CAAC,sBAAsB,CAAC,CAAA;IAC5E,IACE,CAAC,eAAe,EAAE,YAAY;QAC9B,CAAC,eAAe,CAAC,YAAY,CAAC,8BAA8B;QAC5D,CAAC,eAAe,CAAC,YAAY,CAAC,WAAW;QACzC,CAAC,aAAa,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,EAC9C,CAAC;QACD,MAAM,IAAI,uCAA8B,CACtC;YACE,KAAK,EAAE,yBAAgB,CAAC,cAAc;YACtC,iBAAiB,EAAE,wBAAwB;SAC5C,EACD;YACE,eAAe,EAAE,CAAC,eAAe;gBAC/B,CAAC,CAAC,4DAA4D,6BAA6B,CAAC,YAAY,GAAG;gBAC3G,CAAC,CAAC,CAAC,eAAe,EAAE,YAAY;oBAC9B,CAAC,CAAC,qBAAqB,eAAe,CAAC,EAAE,8EAA8E;oBACvH,CAAC,CAAC,qBAAqB,eAAe,CAAC,EAAE,gBACrC,eAAe,CAAC,KAClB,yBAAyB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SAC1D,CACF,CAAA;IACH,CAAC;IAED,MAAM,mBAAmB,GAAG,sBAAsB,CAAC,4BAA4B,CAAC,YAAY,EAAE;QAC5F,iBAAiB,EAAE,eAAe,CAAC,EAAE;KACtC,CAAC,CAAA;IACF,MAAM,EAAE,iBAAiB,EAAE,IAAI,EAAE,GAAG,MAAM,mBAAmB,CAAC,mCAAmC,CAAC;QAChG,6BAA6B;QAC7B,2BAA2B,EAAE,cAAc,CAAC,oBAAoB,CAAC,CAAC,CAAC;QACnE,OAAO;QACP,iBAAiB,EAAE;YACjB,GAAG,WAAW,CAAC,iBAAiB;YAChC,+DAA+D;YAC/D,kDAAkD;YAClD,QAAQ,EAAE,eAAe,CAAC,iBAAiB,EAAE,QAAQ;SACtD;QACD,IAAI,EAAE;YACJ,GAAG,WAAW,CAAC,IAAI;YACnB,+DAA+D;YAC/D,kDAAkD;YAClD,QAAQ,EAAE,eAAe,CAAC,IAAI,EAAE,QAAQ;SACzC;KACF,CAAC,CAAA;IAEF,IAAI,IAAI,IAAI,IAAI,CAAC,aAAa,KAAK,eAAe,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;QACjE,MAAM,IAAI,uCAA8B,CACtC;YACE,KAAK,EAAE,yBAAgB,CAAC,gBAAgB;YACxC,iBAAiB,EAAE,wBAAwB;SAC5C,EACD;YACE,eAAe,EAAE,wBAAwB,IAAI,CAAC,aAAa,oCAAoC,eAAe,CAAC,IAAI,EAAE,OAAO,GAAG;SAChI,CACF,CAAA;IACH,CAAC;IAED,IAAI,iBAAiB,IAAI,iBAAiB,CAAC,iBAAiB,CAAC,OAAO,CAAC,GAAG,KAAK,eAAe,CAAC,QAAQ,EAAE,CAAC;QACtG,MAAM,IAAI,uCAA8B,CACtC;YACE,KAAK,EAAE,yBAAgB,CAAC,aAAa;YACrC,iBAAiB,EAAE,gBAAgB;SACpC,EACD;YACE,eAAe,EAAE,cAAc,6BAA6B,CAAC,SAAS,oEAAoE,eAAe,CAAC,QAAQ,uBAAuB;SAC1L,CACF,CAAA;IACH,CAAC;IAED,MAAM,EAAE,8BAA8B,EAAE,GAAG,eAAe,CAAC,YAAY,CAAA;IAEvE,MAAM,WAAW;SACd,0BAA0B,CAAC,8BAA8B
,CAAC;SAC1D,KAAK,CAAC,KAAK,IAAI,EAAE;QAChB,gCAAgC;QAChC,eAAe,CAAC,YAAY,GAAG,yDAAyD,8BAA8B,kBAAkB,CAAA;QACxI,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,eAAe,EAAE,6DAA6B,CAAC,KAAK,CAAC,CAAA;QAE5G,MAAM,IAAI,uCAA8B,CACtC;YACE,KAAK,EAAE,yBAAgB,CAAC,cAAc;YACtC,iBAAiB,EAAE,wBAAwB;SAC5C,EACD;YACE,eAAe,EAAE,2CAA2C,8BAA8B,gDAAgD,eAAe,CAAC,EAAE,GAAG;SAChK,CACF,CAAA;IACH,CAAC,CAAC;SACD,IAAI,CAAC,KAAK,EAAE,mBAAmB,EAAE,EAAE;QAClC,0CAA0C;QAC1C,IAAI,mBAAmB,CAAC,KAAK,KAAK,sDAAiC,CAAC,KAAK,EAAE,CAAC;YAC1E,eAAe,CAAC,YAAY,GAAG,0DAA0D,8BAA8B,mBAAmB,CAAA;YAC1I,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,eAAe,EAAE,6DAA6B,CAAC,KAAK,CAAC,CAAA;QAC9G,CAAC;QAED,IACE,mBAAmB,CAAC,KAAK,KAAK,sDAAiC,CAAC,gBAAgB;YAChF,6BAA6B,CAAC,oCAAoC;gBAChE,mBAAmB,CAAC,iCAAiC,EACvD,CAAC;YACD,MAAM,IAAI,uCAA8B,CACtC;gBACE,KAAK,EAAE,yBAAgB,CAAC,cAAc;gBACtC,iBAAiB,EAAE,yCAAyC;aAC7D,EACD;gBACE,eAAe,EACb,mBAAmB,CAAC,KAAK,KAAK,sDAAiC,CAAC,gBAAgB;oBAC9E,CAAC,CAAC,2CAA2C,8BAA8B,gBAAgB,mBAAmB,CAAC,KAAK,aAAa,sDAAiC,CAAC,gBAAgB,iBAAiB;oBACpM,CAAC,CAAC,2CAA2C,8BAA8B,iDAAiD,mBAAmB,CAAC,iCAAiC,0DAA0D,6BAA6B,CAAC,oCAAoC,IAAI;aACtT,CACF,CAAA;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEJ,sBAAsB;IACtB,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,UAAG,CAAC,gBAAgB,CAAC,CAAA;IACtD,MAAM,iBAAiB,GAAG,wBAAiB,CAAC,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC,CAAA;IACxF,MAAM,0BAA0B,GAAG,IAAA,wBAAgB,EAAC,IAAI,IAAI,EAAE,EAAE,MAAM,CAAC,iCAAiC,CAAC,CAAA;IAEzG,eAAe,CAAC,aAAa,GAAG;QAC9B,GAAG,eAAe,CAAC,aAAa;QAChC,IAAI,EAAE,iBAAiB;QACvB,aAAa,EAAE,0BAA0B;KAC1C,CAAA;IAED,qEAAqE;IACrE,MAAM,sBAAsB,CAAC,WAAW,CACtC,YAAY,EACZ,eAAe,EACf,6DAA6B,CAAC,oBAAoB,CACnD,CAAA;IAED,MAAM,EAAE,8BAA8B,EAAE,GAAG,mBAAmB,CAAC,oCAAoC,CAAC;QAClG,iBAAiB;KAClB,CAAC,CAAA;IAEF,OAAO,IAAA,yBAAgB,EAAC,QAAQ,EAAE,IAAI,EAAE,8BAA8B,CAAC,CAAA;AACzE,CAAC"}
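--- a/package/build/openid4vc-issuer/router/credentialEndpoint.js
+++ b/package/build/openid4vc-issuer/router/credentialEndpoint.js
@@ -24,7 +24,6 @@ function configureCredentialEndpoint(router, config) {
 .verifyResourceRequest({
 authorizationServers: issuerMetadata.authorizationServers,
 resourceServer: issuerMetadata.credentialIssuer.credential_issuer,
-allowedAuthenticationSchemes: config.dpopRequired ? [oauth2_1.SupportedAuthenticationScheme.DPoP] : undefined,
 request: {
 headers: new Headers(request.headers),
 method: request.method,
@@ -41,6 +40,7 @@ function configureCredentialEndpoint(router, config) {
 const issuanceSessionRepository = agentContext.dependencyManager.resolve(repository_1.OpenId4VcIssuanceSessionRepository);
 const parsedCredentialRequest = vcIssuer.parseCredentialRequest({
 credentialRequest,
+issuerMetadata,
 });
 let issuanceSession = null;
 const preAuthorizedCode = typeof tokenPayload['pre-authorized_code'] === 'string' ? tokenPayload['pre-authorized_code'] : undefined;
@@ -53,15 +53,17 @@ function configureCredentialEndpoint(router, config) {
 internalMessage: `Received token without 'sub' claim. Subject is required for binding issuance session`,
 }));
 }
-// Already handle request without format. Simplifies next code sections
-if (!parsedCredentialRequest.format) {
+// Already handle request without format/credential_configuration_id. Simplifies next code sections
+if (!parsedCredentialRequest.format && !parsedCredentialRequest.credentialConfiguration) {
 return (0, router_1.sendOauth2ErrorResponse)(response, next, agentContext.config.logger, new oauth2_1.Oauth2ServerErrorResponseError({
 error: parsedCredentialRequest.credentialIdentifier
 ? oauth2_1.Oauth2ErrorCodes.InvalidCredentialRequest
 : oauth2_1.Oauth2ErrorCodes.UnsupportedCredentialFormat,
 error_description: parsedCredentialRequest.credentialIdentifier
 ? `Credential request containing 'credential_identifier' not supported`
-:
+: parsedCredentialRequest.credentialConfigurationId
+? `Credential configuration '${parsedCredentialRequest.credentialConfigurationId}' not supported`
+: `Credential format '${parsedCredentialRequest.credentialRequest.format}' not supported`,
 }));
 }
 if (preAuthorizedCode || issuerState) {
@@ -80,6 +82,13 @@ function configureCredentialEndpoint(router, config) {
 internalMessage: `No issuance session found for incoming credential request for issuer ${issuer.issuerId} and access token data`,
 }));
 }
+// Use issuance session dpop config
+if (issuanceSession.dpop?.required && !resourceRequestResult.dpop) {
+return (0, router_1.sendUnauthorizedError)(response, next, agentContext.config.logger, new oauth2_1.Oauth2ResourceUnauthorizedError('Missing required DPoP proof', {
+scheme,
+error: oauth2_1.Oauth2ErrorCodes.InvalidDpopProof,
+}));
+}
 // Verify the issuance session subject
 if (issuanceSession.authorization?.subject) {
 if (issuanceSession.authorization.subject !== tokenPayload.sub) {
@@ -113,13 +122,31 @@ function configureCredentialEndpoint(router, config) {
 agentContext.config.logger.warn(`No issuance session found for incoming credential request for issuer ${issuer.issuerId} and access token data has no issuer_state or pre-authorized_code. Creating on-demand issuance session`, {
 tokenPayload,
 });
+// Use global config when creating a dynamic session
+if (config.dpopRequired && !resourceRequestResult.dpop) {
+return (0, router_1.sendUnauthorizedError)(response, next, agentContext.config.logger, new oauth2_1.Oauth2ResourceUnauthorizedError('Missing required DPoP proof', {
+scheme,
+error: oauth2_1.Oauth2ErrorCodes.InvalidDpopProof,
+}));
+}
+const configurationsForScope = (0, shared_1.getCredentialConfigurationsSupportedForScopes)(issuerMetadata.credentialIssuer.credential_configurations_supported, tokenPayload.scope?.split(' ') ?? []);
 // All credential configurations that match the request scope and credential request
 // This is just so we don't create an issuance session that will fail immediately after
-
-
-
-
-
+let configurationsForToken = {};
+if (parsedCredentialRequest.credentialConfigurationId && parsedCredentialRequest.credentialConfiguration) {
+if (configurationsForScope[parsedCredentialRequest.credentialConfigurationId]) {
+configurationsForToken = {
+[parsedCredentialRequest.credentialConfigurationId]: parsedCredentialRequest.credentialConfiguration,
+};
+}
+}
+else if (parsedCredentialRequest.format) {
+configurationsForToken = (0, openid4vci_1.getCredentialConfigurationsMatchingRequestFormat)({
+credentialConfigurations: configurationsForScope,
+requestFormat: parsedCredentialRequest.format,
+});
+}
+if (Object.keys(configurationsForToken).length === 0) {
 return (0, router_1.sendUnauthorizedError)(response, next, agentContext.config.logger, new oauth2_1.Oauth2ResourceUnauthorizedError('No credential configurationss match credential request and access token scope', {
 scheme,
 error: oauth2_1.Oauth2ErrorCodes.InsufficientScope,
@@ -129,13 +156,18 @@ function configureCredentialEndpoint(router, config) {
 }
 issuanceSession = new repository_1.OpenId4VcIssuanceSessionRecord({
 credentialOfferPayload: {
-credential_configuration_ids: Object.keys(
+credential_configuration_ids: Object.keys(configurationsForToken),
 credential_issuer: issuerMetadata.credentialIssuer.credential_issuer,
 },
 credentialOfferId: core_1.utils.uuid(),
 issuerId: issuer.issuerId,
 state: OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.CredentialRequestReceived,
 clientId: tokenPayload.client_id,
+dpop: config.dpopRequired
+? {
+required: true,
+}
+: undefined,
 authorization: {
 subject: tokenPayload.sub,
 },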
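Review bot: The per-session DPoP enforcement at new line 86, `issuanceSession.dpop?.required && !resourceRequestResult.dpop`, silently passes when the record has no `dpop` property at all, and the first hunk removes the `allowedAuthenticationSchemes` restriction that previously enforced `config.dpopRequired` on every request; issuance sessions persisted by the previous version presumably carry no `dpop` field, so an issuer configured with `dpopRequired` would serve those sessions to plain bearer tokens after the upgrade. Unless a record migration backfills the field, fall back to the global setting when the session carries no DPoP config: `if ((issuanceSession.dpop?.required ?? config.dpopRequired) && !resourceRequestResult.dpop) {`. A smaller point at new line 137: `configurationsForScope[parsedCredentialRequest.credentialConfigurationId]` is a prototype-inheriting lookup on a client-supplied key, and `Object.hasOwn(configurationsForScope, parsedCredentialRequest.credentialConfigurationId)` would restrict the match to the issuer's own configuration keys, although the preceding `credentialConfiguration` guard may already make that moot. configureCredentialEndpoint starts before the first hunk and ends after the last one.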
@@ -1 +1 @@
1
-
{"version":3,"file":"credentialEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/credentialEndpoint.ts"],"names":[],"mappings":";;
1
+
{"version":3,"file":"credentialEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/credentialEndpoint.ts"],"names":[],"mappings":";;AAyBA,kEA8RC;AAlTD,yCAAoD;AACpD,8CAAqH;AACrH,sDAG8B;AAE9B,yCAA4E;AAC5E,gDAM4B;AAC5B,8CAAqD;AACrD,oFAAgF;AAChF,sEAAkE;AAClE,8CAAkG;AAElG,SAAgB,2BAA2B,CAAC,MAAc,EAAE,MAAmC;IAC7F,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,KAAK,EAAE,OAAiC,EAAE,QAAkB,EAAE,IAAI,EAAE,EAAE;QAC/G,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,IAAA,0BAAiB,EAAC,OAAO,CAAC,CAAA;QAC3D,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAsB,CAAC,CAAA;QAC7F,MAAM,cAAc,GAAG,MAAM,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,CAAC,CAAA;QACjG,MAAM,QAAQ,GAAG,sBAAsB,CAAC,SAAS,CAAC,YAAY,CAAC,CAAA;QAC/D,MAAM,cAAc,GAAG,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;QAErF,MAAM,cAAc,GAAG,IAAA,mBAAY,EAAC,cAAc,CAAC,gBAAgB,CAAC,iBAAiB,EAAE;YACrF,MAAM,CAAC,sBAAsB;SAC9B,CAAC,CAAA;QACF,MAAM,qBAAqB,GAAG,MAAM,cAAc;aAC/C,qBAAqB,CAAC;YACrB,oBAAoB,EAAE,cAAc,CAAC,oBAAoB;YACzD,cAAc,EAAE,cAAc,CAAC,gBAAgB,CAAC,iBAAiB;YACjE,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC,OAAiC,CAAC;gBAC/D,MAAM,EAAE,OAAO,CAAC,MAAoB;gBACpC,GAAG,EAAE,cAAc;aACpB;SACF,CAAC;aACD,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACf,IAAA,8BAAqB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1E,CAAC,CAAC,CAAA;QACJ,IAAI,CAAC,qBAAqB;YAAE,OAAM;QAClC,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,EAAE,mBAAmB,EAAE,GAAG,qBAAqB,CAAA;QAExF,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAA;QACtC,MAAM,yBAAyB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAkC,CAAC,CAAA;QAE5G,MAAM,uBAAuB,GAAG,QAAQ,CAAC,sBAAsB,CAAC;YAC9D,iBAAiB;YACjB,cAAc;SACf,CAAC,CAAA;QAEF,IAAI,eAAe,GAA0C,IAAI,CAAA;QACjE,MAAM,iBAAiB,GACrB,OAAO,YAAY,CAAC,qBAAqB,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QAC3G,MAAM,WAAW,GAAG,OAAO,YAAY,CAAC,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,CAAA;QAEzG,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAA;QAChC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAA,gCAAuB,EAC5B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,M
AAM,CAAC,MAAM,EAC1B,IAAI,uCAA8B,CAChC;gBACE,KAAK,EAAE,yBAAgB,CAAC,WAAW;aACpC,EACD;gBACE,eAAe,EAAE,sFAAsF;aACxG,CACF,CACF,CAAA;QACH,CAAC;QAED,mGAAmG;QACnG,IAAI,CAAC,uBAAuB,CAAC,MAAM,IAAI,CAAC,uBAAuB,CAAC,uBAAuB,EAAE,CAAC;YACxF,OAAO,IAAA,gCAAuB,EAC5B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,uCAA8B,CAAC;gBACjC,KAAK,EAAE,uBAAuB,CAAC,oBAAoB;oBACjD,CAAC,CAAC,yBAAgB,CAAC,wBAAwB;oBAC3C,CAAC,CAAC,yBAAgB,CAAC,2BAA2B;gBAChD,iBAAiB,EAAE,uBAAuB,CAAC,oBAAoB;oBAC7D,CAAC,CAAC,qEAAqE;oBACvE,CAAC,CAAC,uBAAuB,CAAC,yBAAyB;wBACjD,CAAC,CAAC,6BAA6B,uBAAuB,CAAC,yBAAyB,iBAAiB;wBACjG,CAAC,CAAC,sBAAsB,uBAAuB,CAAC,iBAAiB,CAAC,MAAM,iBAAiB;aAC9F,CAAC,CACH,CAAA;QACH,CAAC;QAED,IAAI,iBAAiB,IAAI,WAAW,EAAE,CAAC;YACrC,eAAe,GAAG,MAAM,yBAAyB,CAAC,iBAAiB,CAAC,YAAY,EAAE;gBAChF,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,iBAAiB;gBACjB,WAAW;aACZ,CAAC,CAAA;YAEF,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAC7B,wEACE,MAAM,CAAC,QACT,8BACE,WAAW,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,qBACjC,4BAA4B,EAC5B;oBACE,YAAY;iBACb,CACF,CAAA;gBAED,OAAO,IAAA,gCAAuB,EAC5B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,uCAA8B,CAChC;oBACE,KAAK,EAAE,yBAAgB,CAAC,uBAAuB;iBAChD,EACD;oBACE,eAAe,EAAE,wEAAwE,MAAM,CAAC,QAAQ,wBAAwB;iBACjI,CACF,CACF,CAAA;YACH,CAAC;YAED,mCAAmC;YACnC,IAAI,eAAe,CAAC,IAAI,EAAE,QAAQ,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,CAAC;gBAClE,OAAO,IAAA,8BAAqB,EAC1B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,wCAA+B,CAAC,6BAA6B,EAAE;oBACjE,MAAM;oBACN,KAAK,EAAE,yBAAgB,CAAC,gBAAgB;iBACzC,CAAC,CACH,CAAA;YACH,CAAC;YAED,sCAAsC;YACtC,IAAI,eAAe,CAAC,aAAa,EAAE,OAAO,EAAE,CAAC;gBAC3C,IAAI,eAAe,CAAC,aAAa,CAAC,OAAO,KAAK,YAAY,CAAC,GAAG,EAAE,CAAC;oBAC/D,OAAO,IAAA,gCAAuB,EAC5B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,uCAA8B,CAChC;wBACE,KAAK,EAAE,yBAAgB,CAAC,uBAAuB;qBAChD,EACD;wBACE,eAAe,EAAE,8GAA8G,eAAe,CAAC,EAAE,6BAA6B;qBAC/K,CACF,CACF,CAAA;gBACH,CAAC;YACH,CAAC;YAED,2BAA2B;iBACtB,IACH,IAAI,CAAC,GAAG,EAAE;gBACV,IAAA,wBAAgB,EAAC,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC,0CAA0C,CAAC,CAAC,OAAO,EAAE,
EACxG,CAAC;gBACD,eAAe,CAAC,YAAY,GAAG,8BAA8B,CAAA;gBAC7D,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,eAAe,EAAE,6DAA6B,CAAC,KAAK,CAAC,CAAA;gBAC5G,MAAM,IAAI,uCAA8B,CAAC;oBACvC,+BAA+B;oBAC/B,KAAK,EAAE,yBAAgB,CAAC,uBAAuB;oBAC/C,iBAAiB,EAAE,iBAAiB;iBACrC,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,eAAe,CAAC,aAAa,GAAG;oBAC9B,GAAG,eAAe,CAAC,aAAa;oBAChC,OAAO,EAAE,YAAY,CAAC,GAAG;iBAC1B,CAAA;gBACD,MAAM,yBAAyB,CAAC,MAAM,CAAC,YAAY,EAAE,eAAe,CAAC,CAAA;YACvE,CAAC;QACH,CAAC;QAED,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC,4BAA4B,EAAE,CAAC;YAC5D,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAC7B,wEAAwE,MAAM,CAAC,QAAQ,wGAAwG,EAC/L;gBACE,YAAY;aACb,CACF,CAAA;YAED,oDAAoD;YACpD,IAAI,MAAM,CAAC,YAAY,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,CAAC;gBACvD,OAAO,IAAA,8BAAqB,EAC1B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,wCAA+B,CAAC,6BAA6B,EAAE;oBACjE,MAAM;oBACN,KAAK,EAAE,yBAAgB,CAAC,gBAAgB;iBACzC,CAAC,CACH,CAAA;YACH,CAAC;YAED,MAAM,sBAAsB,GAAG,IAAA,sDAA6C,EAC1E,cAAc,CAAC,gBAAgB,CAAC,mCAAmC,EACnE,YAAY,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CACrC,CAAA;YAED,oFAAoF;YACpF,uFAAuF;YACvF,IAAI,sBAAsB,GAAiD,EAAE,CAAA;YAE7E,IAAI,uBAAuB,CAAC,yBAAyB,IAAI,uBAAuB,CAAC,uBAAuB,EAAE,CAAC;gBACzG,IAAI,sBAAsB,CAAC,uBAAuB,CAAC,yBAAyB,CAAC,EAAE,CAAC;oBAC9E,sBAAsB,GAAG;wBACvB,CAAC,uBAAuB,CAAC,yBAAyB,CAAC,EAAE,uBAAuB,CAAC,uBAAuB;qBACrG,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,uBAAuB,CAAC,MAAM,EAAE,CAAC;gBAC1C,sBAAsB,GAAG,IAAA,6DAAgD,EAAC;oBACxE,wBAAwB,EAAE,sBAAsB;oBAChD,aAAa,EAAE,uBAAuB,CAAC,MAAM;iBAC9C,CAAC,CAAA;YACJ,CAAC;YAED,IAAI,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACrD,OAAO,IAAA,8BAAqB,EAC1B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,wCAA+B,CACjC,+EAA+E,EAC/E;oBACE,MAAM;oBACN,KAAK,EAAE,yBAAgB,CAAC,iBAAiB;iBAC1C,CACF;gBACD,kCAAkC;gBAClC,GAAG,CACJ,CAAA;YACH,CAAC;YAED,eAAe,GAAG,IAAI,2CAA8B,CAAC;gBACnD,sBAAsB,EAAE;oBACtB,4BAA4B,EAAE,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC;oBACjE,iBAAiB,EAAE,cAAc,CAAC,gBAAgB,CAAC,iBAAiB;iBACrE;gBACD,iBAAiB,EAAE,YAAK,CAAC,IAAI,EAAE;gBAC/B,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,KAAK,EAAE,6DAA6B
,CAAC,yBAAyB;gBAC9D,QAAQ,EAAE,YAAY,CAAC,SAAS;gBAChC,IAAI,EAAE,MAAM,CAAC,YAAY;oBACvB,CAAC,CAAC;wBACE,QAAQ,EAAE,IAAI;qBACf;oBACH,CAAC,CAAC,SAAS;gBACb,aAAa,EAAE;oBACb,OAAO,EAAE,YAAY,CAAC,GAAG;iBAC1B;aACF,CAAC,CAAA;YAEF,kBAAkB;YAClB,MAAM,yBAAyB,CAAC,IAAI,CAAC,YAAY,EAAE,eAAe,CAAC,CAAA;YACnE,sBAAsB,CAAC,qBAAqB,CAAC,YAAY,EAAE,eAAe,EAAE,IAAI,CAAC,CAAA;QACnF,CAAC;aAAM,IAAI,CAAC,eAAe,EAAE,CAAC;YAC5B,OAAO,IAAA,gCAAuB,EAC5B,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,MAAM,CAAC,MAAM,EAC1B,IAAI,uCAA8B,CAChC;gBACE,KAAK,EAAE,yBAAgB,CAAC,uBAAuB;aAChD,EACD;gBACE,eAAe,EAAE,uQAAuQ;aACzR,CACF,CACF,CAAA;QACH,CAAC;QAED,IAAI,CAAC;YACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,sBAAsB,CAAC,wBAAwB,CAAC,YAAY,EAAE;gBACjG,eAAe;gBACf,iBAAiB;gBACjB,aAAa,EAAE;oBACb,mBAAmB;oBACnB,WAAW,EAAE;wBACX,OAAO,EAAE,YAAY;wBACrB,KAAK,EAAE,WAAW;qBACnB;iBACF;aACF,CAAC,CAAA;YAEF,OAAO,IAAA,yBAAgB,EAAC,QAAQ,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAA;QAC7D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,uCAA8B,EAAE,CAAC;gBACpD,OAAO,IAAA,gCAAuB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YACnF,CAAC;YACD,IAAI,KAAK,YAAY,wCAA+B,EAAE,CAAC;gBACrD,OAAO,IAAA,8BAAqB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YACjF,CAAC;YAED,OAAO,IAAA,uCAA8B,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1F,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC"}
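--- a/package/build/openid4vc-issuer/router/jwksEndpoint.js
+++ b/package/build/openid4vc-issuer/router/jwksEndpoint.js
@@ -1,14 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.configureJwksEndpoint = configureJwksEndpoint;
-const core_1 = require("@credo-ts/core");
 const router_1 = require("../../shared/router");
 function configureJwksEndpoint(router, config) {
 router.get(config.jwksEndpointPath, async (_request, response, next) => {
 const { agentContext, issuer } = (0, router_1.getRequestContext)(_request);
 try {
 const jwks = {
-
+// Not needed to include kid in public facing JWKs
+keys: [issuer.resolvedAccessTokenPublicJwk.toJson({ includeKid: false })],
 };
 return (0, router_1.sendJsonResponse)(response, next, jwks, 'application/jwk-set+json');
 }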
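Review bot: Dropping `kid` from the published key set (`toJson({ includeKid: false })`, new line 11) needs to be reconciled with the header of the access tokens this key signs: if those JWTs carry a `kid`, a verifier that selects keys by `kid` against this endpoint can no longer match them, and the comment `// Not needed to include kid in public facing JWKs` does not record why the omission is safe. Either state the reason in the comment, e.g. `// kid intentionally omitted: access tokens are verified against the single published key rather than selected by kid` (assuming that is the reason), or keep the `kid` so the set stays self-describing. Whether the access token header includes a `kid` is not visible from this hunk. configureJwksEndpoint's catch block continues past the hunk.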
@@ -1 +1 @@
1
-
{"version":3,"file":"jwksEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/jwksEndpoint.ts"],"names":[],"mappings":";;
1
+
{"version":3,"file":"jwksEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/jwksEndpoint.ts"],"names":[],"mappings":";;AAOA,sDAcC;AAhBD,gDAAyG;AAEzG,SAAgB,qBAAqB,CAAC,MAAc,EAAE,MAAmC;IACvF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,gBAAgB,EAAE,KAAK,EAAE,QAAkC,EAAE,QAAkB,EAAE,IAAI,EAAE,EAAE;QACzG,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,IAAA,0BAAiB,EAAC,QAAQ,CAAC,CAAA;QAC5D,IAAI,CAAC;YACH,MAAM,IAAI,GAAG;gBACX,kDAAkD;gBAClD,IAAI,EAAE,CAAC,MAAM,CAAC,4BAA4B,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,CAAQ,CAAC;aAChE,CAAA;YAElB,OAAO,IAAA,yBAAgB,EAAC,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,0BAA0B,CAAC,CAAA;QAC3E,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAA,uCAA8B,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;QACtF,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC"}
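--- a/package/build/openid4vc-issuer/util/txCode.js
+++ b/package/build/openid4vc-issuer/util/txCode.js
@@ -1,13 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.generateTxCode = generateTxCode;
+const core_1 = require("@credo-ts/core");
 function generateTxCode(agentContext, txCode) {
+const kms = agentContext.resolve(core_1.Kms.KeyManagementApi);
 const length = txCode.length ?? 4;
 const inputMode = txCode.input_mode ?? 'numeric';
 const numbers = '0123456789';
 const letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
 const characters = inputMode === 'numeric' ? numbers : numbers + letters;
-const random =
+const random = kms.randomBytes({ length });
 let result = '';
 for (let i = 0; i < length; i++) {
 result += characters[random[i] % characters.length];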
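Review bot: `characters[random[i] % characters.length]` at new line 15 maps one byte onto an alphabet whose size does not divide 256, so the first `256 % characters.length` symbols are slightly more likely than the rest (8 of the 62 alphanumerics, 6 of the 10 digits); moving the byte source to `kms.randomBytes` (line 12) does not remove that bias. Rejection sampling keeps every symbol equally likely at the cost of occasionally drawing a few extra bytes, as sketched below, assuming `randomBytes` returns an indexable byte array with a `length` as the existing `random[i]` access already presumes. The return statement of `generateTxCode` lies outside the hunk.
```javascript
const characters = inputMode === 'numeric' ? numbers : numbers + letters;
// Largest multiple of the alphabet size that fits in a byte; bytes at or above
// it are discarded so that every symbol has the same probability.
const limit = 256 - (256 % characters.length);
let result = '';
while (result.length < length) {
  const random = kms.randomBytes({ length: length - result.length });
  for (let i = 0; i < random.length && result.length < length; i++) {
    if (random[i] < limit) result += characters[random[i] % characters.length];
  }
}
// … unchanged: return of result …
```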
@@ -1 +1 @@
1
-
{"version":3,"file":"txCode.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/util/txCode.ts"],"names":[],"mappings":";;AAGA,
1
+
{"version":3,"file":"txCode.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/util/txCode.ts"],"names":[],"mappings":";;AAGA,wCAiBC;AApBD,yCAAuD;AAGvD,SAAgB,cAAc,CAAC,YAA0B,EAAE,MAAwB;IACjF,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,UAAG,CAAC,gBAAgB,CAAC,CAAA;IAEtD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,CAAC,CAAA;IACjC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,IAAI,SAAS,CAAA;IAEhD,MAAM,OAAO,GAAG,YAAY,CAAA;IAC5B,MAAM,OAAO,GAAG,sDAAsD,CAAA;IACtE,MAAM,UAAU,GAAG,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,GAAG,OAAO,CAAA;IACxE,MAAM,MAAM,GAAG,GAAG,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC,CAAA;IAE1C,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC,CAAA;IACrD,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}