@credo-ts/openid4vc 0.6.1-pr-2091-20241119140918 → 0.6.1
- package/build/OpenId4VcApi.d.mts +24 -0
- package/build/OpenId4VcApi.d.mts.map +1 -0
- package/build/OpenId4VcApi.mjs +35 -0
- package/build/OpenId4VcApi.mjs.map +1 -0
- package/build/OpenId4VcModule.d.mts +30 -0
- package/build/OpenId4VcModule.d.mts.map +1 -0
- package/build/OpenId4VcModule.mjs +42 -0
- package/build/OpenId4VcModule.mjs.map +1 -0
- package/build/OpenId4VcModuleConfig.d.mts +44 -0
- package/build/OpenId4VcModuleConfig.d.mts.map +1 -0
- package/build/OpenId4VcModuleConfig.mjs +24 -0
- package/build/OpenId4VcModuleConfig.mjs.map +1 -0
- package/build/_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs +10 -0
- package/build/_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs +7 -0
- package/build/_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateParam.mjs +9 -0
- package/build/index.d.mts +42 -0
- package/build/index.mjs +37 -0
- package/build/openid4vc-holder/OpenId4VcHolderApi.d.mts +238 -0
- package/build/openid4vc-holder/OpenId4VcHolderApi.d.mts.map +1 -0
- package/build/openid4vc-holder/OpenId4VcHolderApi.mjs +174 -0
- package/build/openid4vc-holder/OpenId4VcHolderApi.mjs.map +1 -0
- package/build/openid4vc-holder/OpenId4VcHolderModule.d.mts +17 -0
- package/build/openid4vc-holder/OpenId4VcHolderModule.d.mts.map +1 -0
- package/build/openid4vc-holder/OpenId4VcHolderModule.mjs +23 -0
- package/build/openid4vc-holder/OpenId4VcHolderModule.mjs.map +1 -0
- package/build/openid4vc-holder/OpenId4VciHolderService.d.mts +69 -0
- package/build/openid4vc-holder/OpenId4VciHolderService.d.mts.map +1 -0
- package/build/openid4vc-holder/OpenId4VciHolderService.mjs +751 -0
- package/build/openid4vc-holder/OpenId4VciHolderService.mjs.map +1 -0
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.mts +398 -0
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.mts.map +1 -0
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.mjs +16 -0
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.mjs.map +1 -0
- package/build/openid4vc-holder/OpenId4vpHolderService.d.mts +130 -0
- package/build/openid4vc-holder/OpenId4vpHolderService.d.mts.map +1 -0
- package/build/openid4vc-holder/OpenId4vpHolderService.mjs +278 -0
- package/build/openid4vc-holder/OpenId4vpHolderService.mjs.map +1 -0
- package/build/openid4vc-holder/OpenId4vpHolderServiceOptions.d.mts +112 -0
- package/build/openid4vc-holder/OpenId4vpHolderServiceOptions.d.mts.map +1 -0
- package/build/openid4vc-holder/index.d.mts +6 -0
- package/build/openid4vc-holder/index.mjs +5 -0
- package/build/openid4vc-issuer/OpenId4VcIssuanceSessionState.d.mts +16 -0
- package/build/openid4vc-issuer/OpenId4VcIssuanceSessionState.d.mts.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuanceSessionState.mjs +18 -0
- package/build/openid4vc-issuer/OpenId4VcIssuanceSessionState.mjs.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.mts +137 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.mts.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.mjs +108 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.mjs.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerEvents.d.mts +19 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerEvents.d.mts.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerEvents.mjs +9 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerEvents.mjs.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.mts +27 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.mts.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.mjs +150 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.mjs.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.mts +279 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.mts.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.mjs +179 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.mjs.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts +182 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerService.d.mts.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerService.mjs +881 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerService.mjs.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.mts +340 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.mts.map +1 -0
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.mjs +1 -0
- package/build/openid4vc-issuer/index.d.mts +11 -0
- package/build/openid4vc-issuer/index.mjs +11 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.mts +300 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.mts.map +1 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.mjs +102 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.mjs.map +1 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.d.mts +10 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.d.mts.map +1 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.mjs +22 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.mjs.map +1 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.mts +84 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.mts.map +1 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.mjs +89 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.mjs.map +1 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.d.mts +12 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.d.mts.map +1 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs +28 -0
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.mjs.map +1 -0
- package/build/openid4vc-issuer/repository/index.d.mts +4 -0
- package/build/openid4vc-issuer/repository/index.mjs +4 -0
- package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs +199 -0
- package/build/openid4vc-issuer/router/accessTokenEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.mjs +241 -0
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/authorizationEndpoint.mjs +51 -0
- package/build/openid4vc-issuer/router/authorizationEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.mjs +25 -0
- package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/credentialEndpoint.mjs +142 -0
- package/build/openid4vc-issuer/router/credentialEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs +38 -0
- package/build/openid4vc-issuer/router/credentialOfferEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs +84 -0
- package/build/openid4vc-issuer/router/deferredCredentialEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/index.mjs +12 -0
- package/build/openid4vc-issuer/router/issuerMetadataEndpoint.mjs +43 -0
- package/build/openid4vc-issuer/router/issuerMetadataEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/jwksEndpoint.mjs +18 -0
- package/build/openid4vc-issuer/router/jwksEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/nonceEndpoint.mjs +29 -0
- package/build/openid4vc-issuer/router/nonceEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/pushedAuthorizationRequestEndpoint.mjs +164 -0
- package/build/openid4vc-issuer/router/pushedAuthorizationRequestEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/router/redirectEndpoint.mjs +124 -0
- package/build/openid4vc-issuer/router/redirectEndpoint.mjs.map +1 -0
- package/build/openid4vc-issuer/util/txCode.mjs +18 -0
- package/build/openid4vc-issuer/util/txCode.mjs.map +1 -0
- package/build/openid4vc-verifier/OpenId4VcVerificationSessionState.d.mts +10 -0
- package/build/openid4vc-verifier/OpenId4VcVerificationSessionState.d.mts.map +1 -0
- package/build/openid4vc-verifier/OpenId4VcVerificationSessionState.mjs +12 -0
- package/build/openid4vc-verifier/OpenId4VcVerificationSessionState.mjs.map +1 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.mts +60 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.mts.map +1 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.mjs +83 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.mjs.map +1 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierEvents.d.mts +19 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierEvents.d.mts.map +1 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierEvents.mjs +9 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierEvents.mjs.map +1 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.mts +25 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.mts.map +1 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.mjs +91 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.mjs.map +1 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierModuleConfig.d.mts +55 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierModuleConfig.d.mts.map +1 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierModuleConfig.mjs +36 -0
- package/build/openid4vc-verifier/OpenId4VcVerifierModuleConfig.mjs.map +1 -0
- package/build/openid4vc-verifier/OpenId4VpVerifierService.d.mts +60 -0
- package/build/openid4vc-verifier/OpenId4VpVerifierService.d.mts.map +1 -0
- package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs +714 -0
- package/build/openid4vc-verifier/OpenId4VpVerifierService.mjs.map +1 -0
- package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.mts +194 -0
- package/build/openid4vc-verifier/OpenId4VpVerifierServiceOptions.d.mts.map +1 -0
- package/build/openid4vc-verifier/index.d.mts +12 -0
- package/build/openid4vc-verifier/index.mjs +11 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts +129 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.mts.map +1 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.mjs +64 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.mjs.map +1 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.d.mts +10 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.d.mts.map +1 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs +22 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.mjs.map +1 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.mts +33 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.mts.map +1 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.mjs +32 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.mjs.map +1 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.d.mts +12 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.d.mts.map +1 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs +28 -0
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.mjs.map +1 -0
- package/build/openid4vc-verifier/repository/index.d.mts +4 -0
- package/build/openid4vc-verifier/repository/index.mjs +4 -0
- package/build/openid4vc-verifier/router/authorizationEndpoint.mjs +117 -0
- package/build/openid4vc-verifier/router/authorizationEndpoint.mjs.map +1 -0
- package/build/openid4vc-verifier/router/authorizationRequestEndpoint.mjs +39 -0
- package/build/openid4vc-verifier/router/authorizationRequestEndpoint.mjs.map +1 -0
- package/build/openid4vc-verifier/router/index.mjs +1 -0
- package/build/shared/callbacks.d.mts +47 -0
- package/build/shared/callbacks.d.mts.map +1 -0
- package/build/shared/callbacks.mjs +279 -0
- package/build/shared/callbacks.mjs.map +1 -0
- package/build/shared/index.d.mts +7 -0
- package/build/shared/index.mjs +4 -0
- package/build/shared/issuerMetadataUtils.d.mts +22 -0
- package/build/shared/issuerMetadataUtils.d.mts.map +1 -0
- package/build/shared/issuerMetadataUtils.mjs +30 -0
- package/build/shared/issuerMetadataUtils.mjs.map +1 -0
- package/build/shared/models/CredentialHolderBinding.d.mts +71 -0
- package/build/shared/models/CredentialHolderBinding.d.mts.map +1 -0
- package/build/shared/models/CredentialHolderBinding.mjs +1 -0
- package/build/shared/models/OpenId4VcJwtIssuer.d.mts +46 -0
- package/build/shared/models/OpenId4VcJwtIssuer.d.mts.map +1 -0
- package/build/shared/models/OpenId4VcJwtIssuer.mjs +1 -0
- package/build/shared/models/OpenId4VciAuthorizationServerConfig.d.mts +71 -0
- package/build/shared/models/OpenId4VciAuthorizationServerConfig.d.mts.map +1 -0
- package/build/shared/models/OpenId4VciCredentialFormatProfile.d.mts +12 -0
- package/build/shared/models/OpenId4VciCredentialFormatProfile.d.mts.map +1 -0
- package/build/shared/models/OpenId4VciCredentialFormatProfile.mjs +14 -0
- package/build/shared/models/OpenId4VciCredentialFormatProfile.mjs.map +1 -0
- package/build/shared/models/index.d.mts +30 -0
- package/build/shared/models/index.d.mts.map +1 -0
- package/build/shared/models/index.mjs +6 -0
- package/build/shared/router/context.mjs +52 -0
- package/build/shared/router/context.mjs.map +1 -0
- package/build/shared/router/express.browser.d.mts +5 -0
- package/build/shared/router/express.browser.d.mts.map +1 -0
- package/build/shared/router/express.browser.mjs +8 -0
- package/build/shared/router/express.browser.mjs.map +1 -0
- package/build/shared/router/express.mjs +10 -0
- package/build/shared/router/express.mjs.map +1 -0
- package/build/shared/router/express.native.d.mts +5 -0
- package/build/shared/router/express.native.d.mts.map +1 -0
- package/build/shared/router/express.native.mjs +8 -0
- package/build/shared/router/express.native.mjs.map +1 -0
- package/build/shared/router/index.mjs +3 -0
- package/build/shared/router/tenants.mjs +36 -0
- package/build/shared/router/tenants.mjs.map +1 -0
- package/build/shared/transactionData.mjs +19 -0
- package/build/shared/transactionData.mjs.map +1 -0
- package/build/shared/utils.mjs +90 -0
- package/build/shared/utils.mjs.map +1 -0
- package/package.json +30 -23
- package/build/index.d.ts +0 -4
- package/build/index.js +0 -21
- package/build/index.js.map +0 -1
- package/build/openid4vc-holder/OpenId4VcHolderApi.d.ts +0 -124
- package/build/openid4vc-holder/OpenId4VcHolderApi.js +0 -155
- package/build/openid4vc-holder/OpenId4VcHolderApi.js.map +0 -1
- package/build/openid4vc-holder/OpenId4VcHolderModule.d.ts +0 -13
- package/build/openid4vc-holder/OpenId4VcHolderModule.js +0 -35
- package/build/openid4vc-holder/OpenId4VcHolderModule.js.map +0 -1
- package/build/openid4vc-holder/OpenId4VciHolderService.d.ts +0 -72
- package/build/openid4vc-holder/OpenId4VciHolderService.js +0 -569
- package/build/openid4vc-holder/OpenId4VciHolderService.js.map +0 -1
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.d.ts +0 -238
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.js +0 -14
- package/build/openid4vc-holder/OpenId4VciHolderServiceOptions.js.map +0 -1
- package/build/openid4vc-holder/OpenId4vcSiopHolderService.d.ts +0 -32
- package/build/openid4vc-holder/OpenId4vcSiopHolderService.js +0 -302
- package/build/openid4vc-holder/OpenId4vcSiopHolderService.js.map +0 -1
- package/build/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.d.ts +0 -38
- package/build/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.js +0 -3
- package/build/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.js.map +0 -1
- package/build/openid4vc-holder/index.d.ts +0 -6
- package/build/openid4vc-holder/index.js +0 -23
- package/build/openid4vc-holder/index.js.map +0 -1
- package/build/openid4vc-issuer/OpenId4VcIssuanceSessionState.d.ts +0 -12
- package/build/openid4vc-issuer/OpenId4VcIssuanceSessionState.js +0 -19
- package/build/openid4vc-issuer/OpenId4VcIssuanceSessionState.js.map +0 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.d.ts +0 -101
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.js +0 -110
- package/build/openid4vc-issuer/OpenId4VcIssuerApi.js.map +0 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerEvents.d.ts +0 -13
- package/build/openid4vc-issuer/OpenId4VcIssuerEvents.js +0 -8
- package/build/openid4vc-issuer/OpenId4VcIssuerEvents.js.map +0 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.d.ts +0 -21
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.js +0 -121
- package/build/openid4vc-issuer/OpenId4VcIssuerModule.js.map +0 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.d.ts +0 -190
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.js +0 -141
- package/build/openid4vc-issuer/OpenId4VcIssuerModuleConfig.js.map +0 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerService.d.ts +0 -116
- package/build/openid4vc-issuer/OpenId4VcIssuerService.js +0 -698
- package/build/openid4vc-issuer/OpenId4VcIssuerService.js.map +0 -1
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.d.ts +0 -229
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.js +0 -3
- package/build/openid4vc-issuer/OpenId4VcIssuerServiceOptions.js.map +0 -1
- package/build/openid4vc-issuer/index.d.ts +0 -8
- package/build/openid4vc-issuer/index.js +0 -27
- package/build/openid4vc-issuer/index.js.map +0 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.d.ts +0 -160
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js +0 -88
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRecord.js.map +0 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.d.ts +0 -5
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.js +0 -29
- package/build/openid4vc-issuer/repository/OpenId4VcIssuanceSessionRepository.js.map +0 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.ts +0 -56
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.js +0 -83
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.js.map +0 -1
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.d.ts +0 -8
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.js +0 -35
- package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.js.map +0 -1
- package/build/openid4vc-issuer/repository/index.d.ts +0 -4
- package/build/openid4vc-issuer/repository/index.js +0 -21
- package/build/openid4vc-issuer/repository/index.js.map +0 -1
- package/build/openid4vc-issuer/router/accessTokenEndpoint.d.ts +0 -5
- package/build/openid4vc-issuer/router/accessTokenEndpoint.js +0 -164
- package/build/openid4vc-issuer/router/accessTokenEndpoint.js.map +0 -1
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.d.ts +0 -3
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js +0 -213
- package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js.map +0 -1
- package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.d.ts +0 -6
- package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.js +0 -25
- package/build/openid4vc-issuer/router/authorizationServerMetadataEndpoint.js.map +0 -1
- package/build/openid4vc-issuer/router/credentialEndpoint.d.ts +0 -3
- package/build/openid4vc-issuer/router/credentialEndpoint.js +0 -176
- package/build/openid4vc-issuer/router/credentialEndpoint.js.map +0 -1
- package/build/openid4vc-issuer/router/credentialOfferEndpoint.d.ts +0 -3
- package/build/openid4vc-issuer/router/credentialOfferEndpoint.js +0 -45
- package/build/openid4vc-issuer/router/credentialOfferEndpoint.js.map +0 -1
- package/build/openid4vc-issuer/router/index.d.ts +0 -9
- package/build/openid4vc-issuer/router/index.js +0 -20
- package/build/openid4vc-issuer/router/index.js.map +0 -1
- package/build/openid4vc-issuer/router/issuerMetadataEndpoint.d.ts +0 -2
- package/build/openid4vc-issuer/router/issuerMetadataEndpoint.js +0 -26
- package/build/openid4vc-issuer/router/issuerMetadataEndpoint.js.map +0 -1
- package/build/openid4vc-issuer/router/jwksEndpoint.d.ts +0 -3
- package/build/openid4vc-issuer/router/jwksEndpoint.js +0 -20
- package/build/openid4vc-issuer/router/jwksEndpoint.js.map +0 -1
- package/build/openid4vc-issuer/router/nonceEndpoint.d.ts +0 -3
- package/build/openid4vc-issuer/router/nonceEndpoint.js +0 -26
- package/build/openid4vc-issuer/router/nonceEndpoint.js.map +0 -1
- package/build/openid4vc-issuer/router/requestContext.d.ts +0 -5
- package/build/openid4vc-issuer/router/requestContext.js +0 -3
- package/build/openid4vc-issuer/router/requestContext.js.map +0 -1
- package/build/openid4vc-issuer/util/txCode.d.ts +0 -3
- package/build/openid4vc-issuer/util/txCode.js +0 -18
- package/build/openid4vc-issuer/util/txCode.js.map +0 -1
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierService.d.ts +0 -55
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js +0 -498
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierService.js.map +0 -1
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.d.ts +0 -77
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.js +0 -3
- package/build/openid4vc-verifier/OpenId4VcSiopVerifierServiceOptions.js.map +0 -1
- package/build/openid4vc-verifier/OpenId4VcVerificationSessionState.d.ts +0 -6
- package/build/openid4vc-verifier/OpenId4VcVerificationSessionState.js +0 -11
- package/build/openid4vc-verifier/OpenId4VcVerificationSessionState.js.map +0 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.d.ts +0 -61
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.js +0 -108
- package/build/openid4vc-verifier/OpenId4VcVerifierApi.js.map +0 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierEvents.d.ts +0 -13
- package/build/openid4vc-verifier/OpenId4VcVerifierEvents.js +0 -8
- package/build/openid4vc-verifier/OpenId4VcVerifierEvents.js.map +0 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.d.ts +0 -21
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.js +0 -109
- package/build/openid4vc-verifier/OpenId4VcVerifierModule.js.map +0 -1
- package/build/openid4vc-verifier/OpenId4VcVerifierModuleConfig.d.ts +0 -31
- package/build/openid4vc-verifier/OpenId4VcVerifierModuleConfig.js +0 -28
- package/build/openid4vc-verifier/OpenId4VcVerifierModuleConfig.js.map +0 -1
- package/build/openid4vc-verifier/index.d.ts +0 -8
- package/build/openid4vc-verifier/index.js +0 -25
- package/build/openid4vc-verifier/index.js.map +0 -1
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartyEventEmitter.d.ts +0 -49
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartyEventEmitter.js +0 -234
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartyEventEmitter.js.map +0 -1
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartySessionManager.d.ts +0 -19
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartySessionManager.js +0 -146
- package/build/openid4vc-verifier/repository/OpenId4VcRelyingPartySessionManager.js.map +0 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.d.ts +0 -71
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.js +0 -46
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRecord.js.map +0 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.d.ts +0 -5
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.js +0 -29
- package/build/openid4vc-verifier/repository/OpenId4VcVerificationSessionRepository.js.map +0 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.d.ts +0 -29
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.js +0 -29
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRecord.js.map +0 -1
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.d.ts +0 -8
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.js +0 -35
- package/build/openid4vc-verifier/repository/OpenId4VcVerifierRepository.js.map +0 -1
- package/build/openid4vc-verifier/repository/index.d.ts +0 -4
- package/build/openid4vc-verifier/repository/index.js +0 -21
- package/build/openid4vc-verifier/repository/index.js.map +0 -1
- package/build/openid4vc-verifier/router/authorizationEndpoint.d.ts +0 -11
- package/build/openid4vc-verifier/router/authorizationEndpoint.js +0 -102
- package/build/openid4vc-verifier/router/authorizationEndpoint.js.map +0 -1
- package/build/openid4vc-verifier/router/authorizationRequestEndpoint.d.ts +0 -11
- package/build/openid4vc-verifier/router/authorizationRequestEndpoint.js +0 -63
- package/build/openid4vc-verifier/router/authorizationRequestEndpoint.js.map +0 -1
- package/build/openid4vc-verifier/router/index.d.ts +0 -2
- package/build/openid4vc-verifier/router/index.js +0 -6
- package/build/openid4vc-verifier/router/index.js.map +0 -1
- package/build/openid4vc-verifier/router/requestContext.d.ts +0 -5
- package/build/openid4vc-verifier/router/requestContext.js +0 -3
- package/build/openid4vc-verifier/router/requestContext.js.map +0 -1
- package/build/shared/callbacks.d.ts +0 -18
- package/build/shared/callbacks.js +0 -81
- package/build/shared/callbacks.js.map +0 -1
- package/build/shared/index.d.ts +0 -2
- package/build/shared/index.js +0 -19
- package/build/shared/index.js.map +0 -1
- package/build/shared/issuerMetadataUtils.d.ts +0 -158
- package/build/shared/issuerMetadataUtils.js +0 -38
- package/build/shared/issuerMetadataUtils.js.map +0 -1
- package/build/shared/models/CredentialHolderBinding.d.ts +0 -13
- package/build/shared/models/CredentialHolderBinding.js +0 -3
- package/build/shared/models/CredentialHolderBinding.js.map +0 -1
- package/build/shared/models/OpenId4VcJwtIssuer.d.ts +0 -28
- package/build/shared/models/OpenId4VcJwtIssuer.js +0 -3
- package/build/shared/models/OpenId4VcJwtIssuer.js.map +0 -1
- package/build/shared/models/OpenId4VciAuthorizationServerConfig.d.ts +0 -10
- package/build/shared/models/OpenId4VciAuthorizationServerConfig.js +0 -3
- package/build/shared/models/OpenId4VciAuthorizationServerConfig.js.map +0 -1
- package/build/shared/models/OpenId4VciCredentialFormatProfile.d.ts +0 -7
- package/build/shared/models/OpenId4VciCredentialFormatProfile.js +0 -12
- package/build/shared/models/OpenId4VciCredentialFormatProfile.js.map +0 -1
- package/build/shared/models/index.d.ts +0 -24
- package/build/shared/models/index.js +0 -25
- package/build/shared/models/index.js.map +0 -1
- package/build/shared/router/context.d.ts +0 -17
- package/build/shared/router/context.js +0 -76
- package/build/shared/router/context.js.map +0 -1
- package/build/shared/router/express.d.ts +0 -2
- package/build/shared/router/express.js +0 -15
- package/build/shared/router/express.js.map +0 -1
- package/build/shared/router/express.native.d.ts +0 -1
- package/build/shared/router/express.native.js +0 -7
- package/build/shared/router/express.native.js.map +0 -1
- package/build/shared/router/index.d.ts +0 -3
- package/build/shared/router/index.js +0 -20
- package/build/shared/router/index.js.map +0 -1
- package/build/shared/router/tenants.d.ts +0 -13
- package/build/shared/router/tenants.js +0 -49
- package/build/shared/router/tenants.js.map +0 -1
- package/build/shared/transform.d.ts +0 -5
- package/build/shared/transform.js +0 -73
- package/build/shared/transform.js.map +0 -1
- package/build/shared/utils.d.ts +0 -22
- package/build/shared/utils.js +0 -154
- package/build/shared/utils.js.map +0 -1
@@ -0,0 +1,881 @@
|
|
|
1
|
+
import { OpenId4VcIssuerModuleConfig } from "./OpenId4VcIssuerModuleConfig.mjs";
|
|
2
|
+
import { storeActorIdForContextCorrelationId } from "../shared/router/tenants.mjs";
|
|
3
|
+
import "../shared/router/index.mjs";
|
|
4
|
+
import { credoJwtIssuerToOpenId4VcJwtIssuer, decodeJwtIssuer, encodeJwtIssuer, getProofTypeFromPublicJwk, getPublicJwkFromDid, getSupportedJwaSignatureAlgorithms } from "../shared/utils.mjs";
|
|
5
|
+
import { dynamicOid4vciClientAuthentication, getOid4vcCallbacks } from "../shared/callbacks.mjs";
|
|
6
|
+
import { getCredentialConfigurationsSupportedForScopes, getOfferedCredentials } from "../shared/issuerMetadataUtils.mjs";
|
|
7
|
+
import { OpenId4VciCredentialFormatProfile } from "../shared/models/OpenId4VciCredentialFormatProfile.mjs";
|
|
8
|
+
import "../shared/index.mjs";
|
|
9
|
+
import { __decorateMetadata } from "../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorateMetadata.mjs";
|
|
10
|
+
import { __decorate } from "../_virtual/_@oxc-project_runtime@0.99.0/helpers/decorate.mjs";
|
|
11
|
+
import { OpenId4VcIssuanceSessionState } from "./OpenId4VcIssuanceSessionState.mjs";
|
|
12
|
+
import { OpenId4VcVerifierApi } from "../openid4vc-verifier/OpenId4VcVerifierApi.mjs";
|
|
13
|
+
import "../openid4vc-verifier/index.mjs";
|
|
14
|
+
import { OpenId4VcIssuerEvents } from "./OpenId4VcIssuerEvents.mjs";
|
|
15
|
+
import { OpenId4VcIssuanceSessionRecord } from "./repository/OpenId4VcIssuanceSessionRecord.mjs";
|
|
16
|
+
import { OpenId4VcIssuanceSessionRepository } from "./repository/OpenId4VcIssuanceSessionRepository.mjs";
|
|
17
|
+
import { OpenId4VcIssuerRecord } from "./repository/OpenId4VcIssuerRecord.mjs";
|
|
18
|
+
import { OpenId4VcIssuerRepository } from "./repository/OpenId4VcIssuerRepository.mjs";
|
|
19
|
+
import "./repository/index.mjs";
|
|
20
|
+
import { generateTxCode } from "./util/txCode.mjs";
|
|
21
|
+
import { AgentContext, ClaimFormat, CredoError, EventEmitter, JwsService, Jwt, JwtPayload, Kms, MdocApi, SdJwtVcApi, TypedArrayEncoder, W3cCredentialService, W3cV2CredentialService, injectable, joinUriParts, utils } from "@credo-ts/core";
|
|
22
|
+
import { HashAlgorithm, Oauth2AuthorizationServer, Oauth2Client, Oauth2ErrorCodes, Oauth2ResourceServer, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, preAuthorizedCodeGrantIdentifier } from "@openid4vc/oauth2";
|
|
23
|
+
import { Openid4vciDraftVersion, Openid4vciIssuer, extractScopesForCredentialConfigurationIds, getCredentialConfigurationsMatchingRequestFormat } from "@openid4vc/openid4vci";
|
|
24
|
+
|
|
25
|
+
//#region src/openid4vc-issuer/OpenId4VcIssuerService.ts
|
|
26
|
+
var _ref, _ref2, _ref3, _ref4, _ref5;
|
|
27
|
+
let OpenId4VcIssuerService = class OpenId4VcIssuerService$1 {
|
|
28
|
+
constructor(w3cCredentialService, w3cV2CredentialService, openId4VcIssuerConfig, openId4VcIssuerRepository, openId4VcIssuanceSessionRepository) {
|
|
29
|
+
this.w3cCredentialService = w3cCredentialService;
|
|
30
|
+
this.w3cV2CredentialService = w3cV2CredentialService;
|
|
31
|
+
this.openId4VcIssuerConfig = openId4VcIssuerConfig;
|
|
32
|
+
this.openId4VcIssuerRepository = openId4VcIssuerRepository;
|
|
33
|
+
this.openId4VcIssuanceSessionRepository = openId4VcIssuanceSessionRepository;
|
|
34
|
+
}
|
|
35
|
+
async createStatelessCredentialOffer(agentContext, options) {
|
|
36
|
+
const { authorizationCodeFlowConfig, issuer, credentialConfigurationIds } = options;
|
|
37
|
+
const vcIssuer = this.getIssuer(agentContext);
|
|
38
|
+
const issuerMetadata = await this.getIssuerMetadata(agentContext, issuer);
|
|
39
|
+
if (Array.from(new Set(options.credentialConfigurationIds)).length !== credentialConfigurationIds.length) throw new CredoError("All offered credentials must have unique ids.");
|
|
40
|
+
extractScopesForCredentialConfigurationIds({
|
|
41
|
+
credentialConfigurationIds: options.credentialConfigurationIds,
|
|
42
|
+
issuerMetadata,
|
|
43
|
+
throwOnConfigurationWithoutScope: true
|
|
44
|
+
});
|
|
45
|
+
if (authorizationCodeFlowConfig.authorizationServerUrl === issuerMetadata.credentialIssuer.credential_issuer) throw new CredoError("Stateless offers can only be created for external authorization servers. Make sure to configure an external authorization server on the issuer record, and provide the authoriation server url.");
|
|
46
|
+
const { credentialOffer, credentialOfferObject } = await vcIssuer.createCredentialOffer({
|
|
47
|
+
credentialConfigurationIds: options.credentialConfigurationIds,
|
|
48
|
+
grants: { authorization_code: { authorization_server: authorizationCodeFlowConfig.authorizationServerUrl } },
|
|
49
|
+
credentialOfferScheme: options.baseUri,
|
|
50
|
+
issuerMetadata
|
|
51
|
+
});
|
|
52
|
+
return {
|
|
53
|
+
credentialOffer,
|
|
54
|
+
credentialOfferObject
|
|
55
|
+
};
|
|
56
|
+
}
|
|
57
|
+
async createCredentialOffer(agentContext, options) {
|
|
58
|
+
const { preAuthorizedCodeFlowConfig, authorizationCodeFlowConfig, issuer, credentialConfigurationIds, version = "v1.draft15", authorization } = options;
|
|
59
|
+
if (!preAuthorizedCodeFlowConfig && !authorizationCodeFlowConfig) throw new CredoError("Authorization Config or Pre-Authorized Config must be provided.");
|
|
60
|
+
const vcIssuer = this.getIssuer(agentContext);
|
|
61
|
+
const issuerMetadata = await this.getIssuerMetadata(agentContext, issuer);
|
|
62
|
+
const uniqueOfferedCredentials = Array.from(new Set(options.credentialConfigurationIds));
|
|
63
|
+
if (uniqueOfferedCredentials.length !== credentialConfigurationIds.length) throw new CredoError("All offered credentials must have unique ids.");
|
|
64
|
+
if (uniqueOfferedCredentials.length === 0) throw new CredoError("You need to offer at least one credential.");
|
|
65
|
+
const credentialOfferId = utils.uuid();
|
|
66
|
+
const hostedCredentialOfferUri = joinUriParts(issuerMetadata.credentialIssuer.credential_issuer, [this.openId4VcIssuerConfig.credentialOfferEndpointPath, credentialOfferId]);
|
|
67
|
+
if (options.authorizationCodeFlowConfig) extractScopesForCredentialConfigurationIds({
|
|
68
|
+
credentialConfigurationIds: options.credentialConfigurationIds,
|
|
69
|
+
issuerMetadata,
|
|
70
|
+
throwOnConfigurationWithoutScope: true
|
|
71
|
+
});
|
|
72
|
+
const grants = await this.getGrantsFromConfig(agentContext, {
|
|
73
|
+
issuer,
|
|
74
|
+
issuerMetadata,
|
|
75
|
+
preAuthorizedCodeFlowConfig,
|
|
76
|
+
authorizationCodeFlowConfig
|
|
77
|
+
});
|
|
78
|
+
const { credentialOffer, credentialOfferObject } = await vcIssuer.createCredentialOffer({
|
|
79
|
+
credentialConfigurationIds: options.credentialConfigurationIds,
|
|
80
|
+
grants,
|
|
81
|
+
credentialOfferUri: hostedCredentialOfferUri,
|
|
82
|
+
credentialOfferScheme: options.baseUri,
|
|
83
|
+
issuerMetadata: {
|
|
84
|
+
...issuerMetadata,
|
|
85
|
+
originalDraftVersion: version === "v1.draft11-14" ? Openid4vciDraftVersion.Draft11 : Openid4vciDraftVersion.Draft15
|
|
86
|
+
}
|
|
87
|
+
});
|
|
88
|
+
const createdAt = /* @__PURE__ */ new Date();
|
|
89
|
+
const expiresAt = utils.addSecondsToDate(createdAt, this.openId4VcIssuerConfig.statefulCredentialOfferExpirationInSeconds);
|
|
90
|
+
const chainedAuthorizationServerConfig = issuer.chainedAuthorizationServerConfigs?.find((config) => config.issuer === authorizationCodeFlowConfig?.authorizationServerUrl);
|
|
91
|
+
const issuanceSessionRepository = this.openId4VcIssuanceSessionRepository;
|
|
92
|
+
const issuanceSession = new OpenId4VcIssuanceSessionRecord({
|
|
93
|
+
createdAt,
|
|
94
|
+
expiresAt,
|
|
95
|
+
credentialOfferPayload: credentialOfferObject,
|
|
96
|
+
credentialOfferUri: hostedCredentialOfferUri,
|
|
97
|
+
credentialOfferId,
|
|
98
|
+
issuerId: issuer.issuerId,
|
|
99
|
+
state: OpenId4VcIssuanceSessionState.OfferCreated,
|
|
100
|
+
authorization: credentialOfferObject.grants?.authorization_code?.issuer_state ? { issuerState: credentialOfferObject.grants?.authorization_code?.issuer_state } : void 0,
|
|
101
|
+
presentation: authorizationCodeFlowConfig?.requirePresentationDuringIssuance ? { required: true } : void 0,
|
|
102
|
+
dpop: authorization?.requireDpop ? { required: true } : void 0,
|
|
103
|
+
walletAttestation: authorization?.requireWalletAttestation ? { required: true } : void 0,
|
|
104
|
+
chainedIdentity: chainedAuthorizationServerConfig ? { externalAuthorizationServerUrl: chainedAuthorizationServerConfig.issuer } : void 0,
|
|
105
|
+
preAuthorizedCode: credentialOfferObject.grants?.[preAuthorizedCodeGrantIdentifier]?.["pre-authorized_code"],
|
|
106
|
+
userPin: preAuthorizedCodeFlowConfig?.txCode ? generateTxCode(agentContext, preAuthorizedCodeFlowConfig.txCode) : void 0,
|
|
107
|
+
generateRefreshTokens: options.generateRefreshTokens,
|
|
108
|
+
issuanceMetadata: options.issuanceMetadata,
|
|
109
|
+
openId4VciVersion: version
|
|
110
|
+
});
|
|
111
|
+
await issuanceSessionRepository.save(agentContext, issuanceSession);
|
|
112
|
+
this.emitStateChangedEvent(agentContext, issuanceSession, null);
|
|
113
|
+
return {
|
|
114
|
+
issuanceSession,
|
|
115
|
+
credentialOffer
|
|
116
|
+
};
|
|
117
|
+
}
|
|
118
|
+
async createCredentialResponse(agentContext, options) {
|
|
119
|
+
options.issuanceSession.assertState([
|
|
120
|
+
OpenId4VcIssuanceSessionState.OfferUriRetrieved,
|
|
121
|
+
OpenId4VcIssuanceSessionState.AccessTokenCreated,
|
|
122
|
+
OpenId4VcIssuanceSessionState.CredentialRequestReceived,
|
|
123
|
+
OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued
|
|
124
|
+
]);
|
|
125
|
+
const { issuanceSession } = options;
|
|
126
|
+
const issuer = await this.getIssuerByIssuerId(agentContext, options.issuanceSession.issuerId);
|
|
127
|
+
const vcIssuer = this.getIssuer(agentContext, { issuanceSessionId: issuanceSession.id });
|
|
128
|
+
const issuerMetadata = await this.getIssuerMetadata(agentContext, issuer);
|
|
129
|
+
const parsedCredentialRequest = vcIssuer.parseCredentialRequest({
|
|
130
|
+
issuerMetadata,
|
|
131
|
+
credentialRequest: options.credentialRequest
|
|
132
|
+
});
|
|
133
|
+
const { credentialRequest, credentialIdentifier, format } = parsedCredentialRequest;
|
|
134
|
+
if (credentialIdentifier) throw new Oauth2ServerErrorResponseError({
|
|
135
|
+
error: Oauth2ErrorCodes.InvalidCredentialRequest,
|
|
136
|
+
error_description: `Using unsupported 'credential_identifier'`
|
|
137
|
+
});
|
|
138
|
+
if (credentialRequest.format && !format && !parsedCredentialRequest.credentialConfigurationId) throw new Oauth2ServerErrorResponseError({
|
|
139
|
+
error: Oauth2ErrorCodes.UnsupportedCredentialFormat,
|
|
140
|
+
error_description: `Unsupported credential request based on format '${credentialRequest.format}'`
|
|
141
|
+
});
|
|
142
|
+
if (parsedCredentialRequest.credentialConfigurationId && !parsedCredentialRequest.credentialConfiguration) throw new Oauth2ServerErrorResponseError({
|
|
143
|
+
error: Oauth2ErrorCodes.UnsupportedCredentialFormat,
|
|
144
|
+
error_description: `Unsupported credential request based on credential configuration id ${credentialRequest.credential_configuration_id}`
|
|
145
|
+
});
|
|
146
|
+
const { credentialConfiguration, credentialConfigurationId } = this.getCredentialConfigurationsForRequest({
|
|
147
|
+
issuanceSession,
|
|
148
|
+
issuerMetadata,
|
|
149
|
+
requestFormat: format,
|
|
150
|
+
credentialConfigurations: parsedCredentialRequest.credentialConfiguration && parsedCredentialRequest.credentialConfigurationId ? { [parsedCredentialRequest.credentialConfigurationId]: parsedCredentialRequest.credentialConfiguration } : void 0,
|
|
151
|
+
authorization: options.authorization
|
|
152
|
+
});
|
|
153
|
+
const verifiedCredentialRequestProofs = await this.verifyCredentialRequestProofs(agentContext, {
|
|
154
|
+
issuanceSession,
|
|
155
|
+
issuer,
|
|
156
|
+
parsedCredentialRequest,
|
|
157
|
+
credentialConfiguration,
|
|
158
|
+
credentialConfigurationId
|
|
159
|
+
});
|
|
160
|
+
const mapper = options.credentialRequestToCredentialMapper ?? this.openId4VcIssuerConfig.credentialRequestToCredentialMapper;
|
|
161
|
+
let verification;
|
|
162
|
+
if (issuanceSession.presentation?.openId4VcVerificationSessionId) {
|
|
163
|
+
const verifierApi = agentContext.dependencyManager.resolve(OpenId4VcVerifierApi);
|
|
164
|
+
const session = await verifierApi.getVerificationSessionById(issuanceSession.presentation.openId4VcVerificationSessionId);
|
|
165
|
+
const response = await verifierApi.getVerifiedAuthorizationResponse(issuanceSession.presentation.openId4VcVerificationSessionId);
|
|
166
|
+
if (response.presentationExchange) verification = {
|
|
167
|
+
session,
|
|
168
|
+
presentationExchange: response.presentationExchange
|
|
169
|
+
};
|
|
170
|
+
else if (response.dcql) verification = {
|
|
171
|
+
session,
|
|
172
|
+
dcql: response.dcql
|
|
173
|
+
};
|
|
174
|
+
else throw new CredoError(`Verified authorization response for verification session with id '${session.id}' does not have presentationExchange or dcql defined.`);
|
|
175
|
+
}
|
|
176
|
+
const signOptionsOrDeferral = await mapper({
|
|
177
|
+
agentContext,
|
|
178
|
+
issuanceSession,
|
|
179
|
+
holderBinding: verifiedCredentialRequestProofs,
|
|
180
|
+
credentialOffer: issuanceSession.credentialOfferPayload,
|
|
181
|
+
verification,
|
|
182
|
+
credentialRequest: options.credentialRequest,
|
|
183
|
+
credentialRequestFormat: format,
|
|
184
|
+
credentialConfiguration,
|
|
185
|
+
credentialConfigurationId,
|
|
186
|
+
authorization: options.authorization
|
|
187
|
+
});
|
|
188
|
+
let credentialResponse;
|
|
189
|
+
const { cNonce, cNonceExpiresInSeconds } = await this.createNonce(agentContext, issuer);
|
|
190
|
+
if (signOptionsOrDeferral.type === "deferral") {
|
|
191
|
+
credentialResponse = vcIssuer.createCredentialResponse({
|
|
192
|
+
transactionId: signOptionsOrDeferral.transactionId,
|
|
193
|
+
interval: signOptionsOrDeferral.interval,
|
|
194
|
+
cNonce,
|
|
195
|
+
cNonceExpiresInSeconds,
|
|
196
|
+
credentialRequest: parsedCredentialRequest
|
|
197
|
+
});
|
|
198
|
+
issuanceSession.transactions.push({
|
|
199
|
+
transactionId: signOptionsOrDeferral.transactionId,
|
|
200
|
+
numberOfCredentials: verifiedCredentialRequestProofs.keys.length,
|
|
201
|
+
credentialConfigurationId
|
|
202
|
+
});
|
|
203
|
+
const newState = issuanceSession.state === OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued ? OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued : OpenId4VcIssuanceSessionState.CredentialRequestReceived;
|
|
204
|
+
await this.updateExpiresAt(agentContext, issuanceSession, signOptionsOrDeferral.interval);
|
|
205
|
+
await this.updateState(agentContext, issuanceSession, newState);
|
|
206
|
+
} else {
|
|
207
|
+
const credentials = await this.getSignedCredentials(agentContext, signOptionsOrDeferral, {
|
|
208
|
+
issuanceSession,
|
|
209
|
+
credentialConfiguration,
|
|
210
|
+
expectedLength: verifiedCredentialRequestProofs.keys.length
|
|
211
|
+
});
|
|
212
|
+
credentialResponse = vcIssuer.createCredentialResponse({
|
|
213
|
+
credential: credentialRequest.proof ? credentials.credentials[0] : void 0,
|
|
214
|
+
credentials: credentialRequest.proofs ? issuanceSession.openId4VciVersion === "v1" || issuanceSession.openId4VciVersion === "v1.draft15" ? credentials.credentials.map((c) => ({ credential: c })) : credentials.credentials : void 0,
|
|
215
|
+
cNonce,
|
|
216
|
+
cNonceExpiresInSeconds,
|
|
217
|
+
credentialRequest: parsedCredentialRequest
|
|
218
|
+
});
|
|
219
|
+
issuanceSession.issuedCredentials.push(credentialConfigurationId);
|
|
220
|
+
const newState = issuanceSession.issuedCredentials.length >= issuanceSession.credentialOfferPayload.credential_configuration_ids.length ? OpenId4VcIssuanceSessionState.Completed : OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued;
|
|
221
|
+
await this.updateState(agentContext, issuanceSession, newState);
|
|
222
|
+
}
|
|
223
|
+
return {
|
|
224
|
+
credentialResponse,
|
|
225
|
+
issuanceSession
|
|
226
|
+
};
|
|
227
|
+
}
|
|
228
|
+
async createDeferredCredentialResponse(agentContext, options) {
|
|
229
|
+
options.issuanceSession.assertState([OpenId4VcIssuanceSessionState.CredentialRequestReceived, OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued]);
|
|
230
|
+
const transaction = options.issuanceSession.transactions.find((tx) => tx.transactionId === options.deferredCredentialRequest.transaction_id);
|
|
231
|
+
if (!transaction) throw new CredoError("OpenId4VcIssuanceSessionRecord does not contain transaction with given transaction_id.");
|
|
232
|
+
const { issuanceSession } = options;
|
|
233
|
+
const issuer = await this.getIssuerByIssuerId(agentContext, options.issuanceSession.issuerId);
|
|
234
|
+
const vcIssuer = this.getIssuer(agentContext, { issuanceSessionId: issuanceSession.id });
|
|
235
|
+
const credentialConfigurationId = transaction.credentialConfigurationId;
|
|
236
|
+
const credentialConfiguration = issuer.credentialConfigurationsSupported[transaction.credentialConfigurationId];
|
|
237
|
+
if (!credentialConfiguration) throw new CredoError("Issuer does not contain credential configuration for the given credential configuration id.");
|
|
238
|
+
const mapper = options.deferredCredentialRequestToCredentialMapper ?? this.openId4VcIssuerConfig.deferredCredentialRequestToCredentialMapper;
|
|
239
|
+
if (!mapper) throw new CredoError("OpenId4VcIssuerService does not have a defined deferredCredentialRequestToCredentialMapper.");
|
|
240
|
+
const signOptionsOrDeferral = await mapper({
|
|
241
|
+
agentContext,
|
|
242
|
+
issuanceSession,
|
|
243
|
+
deferredCredentialRequest: options.deferredCredentialRequest,
|
|
244
|
+
authorization: options.authorization
|
|
245
|
+
});
|
|
246
|
+
let deferredCredentialResponse;
|
|
247
|
+
if (signOptionsOrDeferral.type === "deferral") {
|
|
248
|
+
deferredCredentialResponse = vcIssuer.createDeferredCredentialResponse({
|
|
249
|
+
interval: signOptionsOrDeferral.interval,
|
|
250
|
+
transactionId: signOptionsOrDeferral.transactionId
|
|
251
|
+
});
|
|
252
|
+
await this.updateExpiresAt(agentContext, issuanceSession, signOptionsOrDeferral.interval);
|
|
253
|
+
} else {
|
|
254
|
+
const credentials = await this.getSignedCredentials(agentContext, signOptionsOrDeferral, {
|
|
255
|
+
issuanceSession,
|
|
256
|
+
credentialConfiguration,
|
|
257
|
+
expectedLength: transaction.numberOfCredentials
|
|
258
|
+
});
|
|
259
|
+
deferredCredentialResponse = vcIssuer.createDeferredCredentialResponse({ credentials: credentials.credentials.map((c) => ({ credential: c })) });
|
|
260
|
+
issuanceSession.issuedCredentials.push(credentialConfigurationId);
|
|
261
|
+
issuanceSession.transactions = issuanceSession.transactions?.filter((tx) => tx.transactionId !== transaction.transactionId);
|
|
262
|
+
const newState = issuanceSession.issuedCredentials.length >= issuanceSession.credentialOfferPayload.credential_configuration_ids.length ? OpenId4VcIssuanceSessionState.Completed : OpenId4VcIssuanceSessionState.CredentialsPartiallyIssued;
|
|
263
|
+
await this.updateState(agentContext, issuanceSession, newState);
|
|
264
|
+
}
|
|
265
|
+
return {
|
|
266
|
+
deferredCredentialResponse,
|
|
267
|
+
issuanceSession
|
|
268
|
+
};
|
|
269
|
+
}
|
|
270
|
+
async verifyCredentialRequestProofs(agentContext, options) {
|
|
271
|
+
const { parsedCredentialRequest, issuer, issuanceSession, credentialConfiguration, credentialConfigurationId } = options;
|
|
272
|
+
const { proofs } = parsedCredentialRequest;
|
|
273
|
+
const vcIssuer = this.getIssuer(agentContext, { issuanceSessionId: issuanceSession.id });
|
|
274
|
+
const issuerMetadata = await this.getIssuerMetadata(agentContext, issuer);
|
|
275
|
+
const allowedProofTypes = credentialConfiguration.proof_types_supported ?? { jwt: { proof_signing_alg_values_supported: getSupportedJwaSignatureAlgorithms(agentContext) } };
|
|
276
|
+
const [proofType, proofValue] = Object.entries(proofs ?? {})[0] ?? [];
|
|
277
|
+
if (!proofType || !proofValue || proofValue.length === 0) {
|
|
278
|
+
const { cNonce, cNonceExpiresInSeconds } = await this.createNonce(agentContext, issuer);
|
|
279
|
+
throw new Oauth2ServerErrorResponseError({
|
|
280
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
281
|
+
error_description: "Missing required proof(s) in credential request",
|
|
282
|
+
c_nonce: cNonce,
|
|
283
|
+
c_nonce_expires_in: cNonceExpiresInSeconds
|
|
284
|
+
});
|
|
285
|
+
}
|
|
286
|
+
if (proofType !== "jwt" && proofType !== "attestation") throw new Oauth2ServerErrorResponseError({
|
|
287
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
288
|
+
error_description: `Proof type '${proofType}' is not supported `
|
|
289
|
+
});
|
|
290
|
+
const supportedProofType = allowedProofTypes[proofType];
|
|
291
|
+
if (!supportedProofType) throw new Oauth2ServerErrorResponseError({
|
|
292
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
293
|
+
error_description: `Proof type '${proofType}' is not supported for credential configuration '${credentialConfigurationId}'`
|
|
294
|
+
});
|
|
295
|
+
if (proofType === "attestation" && proofValue.length !== 1) throw new Oauth2ServerErrorResponseError({
|
|
296
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
297
|
+
error_description: "Only a single proofs entry is supported for proof type 'attestation'"
|
|
298
|
+
});
|
|
299
|
+
await this.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState.CredentialRequestReceived);
|
|
300
|
+
if (proofType === "attestation") {
|
|
301
|
+
const keyAttestationJwt = proofValue[0];
|
|
302
|
+
const keyAttestation = await vcIssuer.verifyCredentialRequestAttestationProof({
|
|
303
|
+
issuerMetadata,
|
|
304
|
+
keyAttestationJwt
|
|
305
|
+
});
|
|
306
|
+
if (!supportedProofType.proof_signing_alg_values_supported.includes(keyAttestation.header.alg)) throw new Oauth2ServerErrorResponseError({
|
|
307
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
308
|
+
error_description: `Proof signing alg value '${keyAttestation.header.alg}' is not supported for proof type 'attestation' in credential configuration '${credentialConfigurationId}'`
|
|
309
|
+
});
|
|
310
|
+
if (!keyAttestation.payload.nonce) {
|
|
311
|
+
const { cNonce, cNonceExpiresInSeconds } = await this.createNonce(agentContext, issuer);
|
|
312
|
+
throw new Oauth2ServerErrorResponseError({
|
|
313
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
314
|
+
error_description: "Missing nonce in attestation proof in credential request. If no nonce is present in the attestation, use the jwt proof type instead",
|
|
315
|
+
c_nonce: cNonce,
|
|
316
|
+
c_nonce_expires_in: cNonceExpiresInSeconds
|
|
317
|
+
});
|
|
318
|
+
}
|
|
319
|
+
if (supportedProofType.key_attestations_required && keyAttestation) {
|
|
320
|
+
const expectedKeyStorage = supportedProofType.key_attestations_required.key_storage;
|
|
321
|
+
const expectedUserAuthentication = supportedProofType.key_attestations_required.user_authentication;
|
|
322
|
+
if (expectedKeyStorage && !expectedKeyStorage.some((keyStorage) => keyAttestation.payload.key_storage?.includes(keyStorage))) throw new Oauth2ServerErrorResponseError({
|
|
323
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
324
|
+
error_description: `Insufficient key_storage for key attestation. Proof type 'attestation' for credential configuration '${credentialConfigurationId}', expects one of key_storage values ${expectedKeyStorage.join(", ")}`
|
|
325
|
+
});
|
|
326
|
+
if (expectedUserAuthentication && !expectedUserAuthentication.some((userAuthentication) => keyAttestation.payload.user_authentication?.includes(userAuthentication))) throw new Oauth2ServerErrorResponseError({
|
|
327
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
328
|
+
error_description: `Insufficient user_authentication for key attestation. Proof type 'attestation' for credential configuration '${credentialConfigurationId}', expects one of user_authentication values ${expectedUserAuthentication.join(", ")}`
|
|
329
|
+
});
|
|
330
|
+
}
|
|
331
|
+
await this.verifyNonce(agentContext, issuer, keyAttestation.payload.nonce).catch(async (error) => {
|
|
332
|
+
const { cNonce, cNonceExpiresInSeconds } = await this.createNonce(agentContext, issuer);
|
|
333
|
+
throw new Oauth2ServerErrorResponseError({
|
|
334
|
+
error: Oauth2ErrorCodes.InvalidNonce,
|
|
335
|
+
error_description: "Invalid nonce in credential request",
|
|
336
|
+
c_nonce: cNonce,
|
|
337
|
+
c_nonce_expires_in: cNonceExpiresInSeconds
|
|
338
|
+
}, { cause: error });
|
|
339
|
+
});
|
|
340
|
+
return {
|
|
341
|
+
bindingMethod: "jwk",
|
|
342
|
+
keys: keyAttestation.payload.attested_keys.map((attestedKey) => {
|
|
343
|
+
return {
|
|
344
|
+
method: "jwk",
|
|
345
|
+
jwk: Kms.PublicJwk.fromUnknown(attestedKey)
|
|
346
|
+
};
|
|
347
|
+
}),
|
|
348
|
+
proofType: "attestation",
|
|
349
|
+
keyAttestation
|
|
350
|
+
};
|
|
351
|
+
}
|
|
352
|
+
if (proofType === "jwt") {
|
|
353
|
+
let firstNonce;
|
|
354
|
+
const proofSigners = [];
|
|
355
|
+
for (const jwt of proofValue) {
|
|
356
|
+
const { signer, payload, header, keyAttestation } = await vcIssuer.verifyCredentialRequestJwtProof({
|
|
357
|
+
issuerMetadata,
|
|
358
|
+
jwt,
|
|
359
|
+
clientId: options.issuanceSession.clientId
|
|
360
|
+
});
|
|
361
|
+
if (!supportedProofType.proof_signing_alg_values_supported.includes(header.alg)) throw new Oauth2ServerErrorResponseError({
|
|
362
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
363
|
+
error_description: `Proof signing alg value '${header.alg}' is not supported for proof type 'jwt' in credential configuration '${credentialConfigurationId}'`
|
|
364
|
+
});
|
|
365
|
+
if (signer.method !== "jwk" && signer.method !== "did") throw new Oauth2ServerErrorResponseError({
|
|
366
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
367
|
+
error_description: "Only 'jwk' and 'did' binding methods supported for jwt proof"
|
|
368
|
+
});
|
|
369
|
+
if (proofSigners[0] && signer.method !== proofSigners[0].method) throw new Oauth2ServerErrorResponseError({
|
|
370
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
371
|
+
error_description: "All proofs must be signed using the same binding method. Found a mix of 'did' and 'jwk'"
|
|
372
|
+
});
|
|
373
|
+
if (proofSigners[0] && signer.alg !== proofSigners[0].alg) throw new Oauth2ServerErrorResponseError({
|
|
374
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
375
|
+
error_description: "All proofs must be signed using the same alg value. Found a mix of different 'alg' values."
|
|
376
|
+
});
|
|
377
|
+
if (keyAttestation && signer.method === "did") throw new Oauth2ServerErrorResponseError({
|
|
378
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
379
|
+
error_description: "Binding method 'did' is not supported when a key attestation is provided."
|
|
380
|
+
});
|
|
381
|
+
if (supportedProofType.key_attestations_required && !keyAttestation) throw new Oauth2ServerErrorResponseError({
|
|
382
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
383
|
+
error_description: `Missing required key attestation. Key attestations are required for proof type 'jwt' in credential configuration '${credentialConfigurationId}'`
|
|
384
|
+
});
|
|
385
|
+
if (supportedProofType.key_attestations_required && keyAttestation) {
|
|
386
|
+
const expectedKeyStorage = supportedProofType.key_attestations_required.key_storage;
|
|
387
|
+
const expectedUserAuthentication = supportedProofType.key_attestations_required.user_authentication;
|
|
388
|
+
if (expectedKeyStorage && !expectedKeyStorage.some((keyStorage) => keyAttestation.payload.key_storage?.includes(keyStorage))) throw new Oauth2ServerErrorResponseError({
|
|
389
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
390
|
+
error_description: `Insufficient key_storage for key attestation. Proof type 'jwt' for credential configuration '${credentialConfigurationId}', expects one of key_storage values ${expectedKeyStorage.join(", ")}`
|
|
391
|
+
});
|
|
392
|
+
if (expectedUserAuthentication && !expectedUserAuthentication.some((userAuthentication) => keyAttestation.payload.user_authentication?.includes(userAuthentication))) throw new Oauth2ServerErrorResponseError({
|
|
393
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
394
|
+
error_description: `Insufficient user_authentication for key attestation. Proof type 'jwt' for credential configuration '${credentialConfigurationId}', expects one of user_authentication values ${expectedUserAuthentication.join(", ")}`
|
|
395
|
+
});
|
|
396
|
+
}
|
|
397
|
+
if (keyAttestation && proofValue.length > 1) throw new Oauth2ServerErrorResponseError({
|
|
398
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
399
|
+
error_description: "Only a single proofs entry is supported when jwt proof header contains 'key_attestation'"
|
|
400
|
+
});
|
|
401
|
+
if (!payload.nonce) {
|
|
402
|
+
const { cNonce, cNonceExpiresInSeconds } = await this.createNonce(agentContext, issuer);
|
|
403
|
+
throw new Oauth2ServerErrorResponseError({
|
|
404
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
405
|
+
error_description: "Missing nonce in proof(s) in credential request",
|
|
406
|
+
c_nonce: cNonce,
|
|
407
|
+
c_nonce_expires_in: cNonceExpiresInSeconds
|
|
408
|
+
});
|
|
409
|
+
}
|
|
410
|
+
if (!firstNonce) firstNonce = payload.nonce;
|
|
411
|
+
if (firstNonce !== payload.nonce) {
|
|
412
|
+
const { cNonce, cNonceExpiresInSeconds } = await this.createNonce(agentContext, issuer);
|
|
413
|
+
throw new Oauth2ServerErrorResponseError({
|
|
414
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
415
|
+
error_description: "Not all nonce values in proofs are equal",
|
|
416
|
+
c_nonce: cNonce,
|
|
417
|
+
c_nonce_expires_in: cNonceExpiresInSeconds
|
|
418
|
+
});
|
|
419
|
+
}
|
|
420
|
+
if (keyAttestation?.payload.nonce && keyAttestation.payload.nonce !== payload.nonce) throw new Oauth2ServerErrorResponseError({
|
|
421
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
422
|
+
error_description: "If a nonce is present in the key attestation, the nonce in the proof jwt must be equal to the nonce in the key attestation"
|
|
423
|
+
});
|
|
424
|
+
await this.verifyNonce(agentContext, issuer, payload.nonce).catch(async (error) => {
|
|
425
|
+
const { cNonce, cNonceExpiresInSeconds } = await this.createNonce(agentContext, issuer);
|
|
426
|
+
throw new Oauth2ServerErrorResponseError({
|
|
427
|
+
error: Oauth2ErrorCodes.InvalidNonce,
|
|
428
|
+
error_description: "Invalid nonce in credential request",
|
|
429
|
+
c_nonce: cNonce,
|
|
430
|
+
c_nonce_expires_in: cNonceExpiresInSeconds
|
|
431
|
+
}, { cause: error });
|
|
432
|
+
});
|
|
433
|
+
if (keyAttestation) return {
|
|
434
|
+
proofType: "jwt",
|
|
435
|
+
bindingMethod: "jwk",
|
|
436
|
+
keys: keyAttestation.payload.attested_keys.map((attestedKey) => {
|
|
437
|
+
return {
|
|
438
|
+
method: "jwk",
|
|
439
|
+
jwk: Kms.PublicJwk.fromUnknown(attestedKey)
|
|
440
|
+
};
|
|
441
|
+
}),
|
|
442
|
+
keyAttestation
|
|
443
|
+
};
|
|
444
|
+
proofSigners.push(signer);
|
|
445
|
+
}
|
|
446
|
+
if (proofSigners[0].method === "did") return {
|
|
447
|
+
proofType: "jwt",
|
|
448
|
+
bindingMethod: "did",
|
|
449
|
+
keys: proofSigners.map((signer) => ({
|
|
450
|
+
didUrl: signer.didUrl,
|
|
451
|
+
method: "did",
|
|
452
|
+
jwk: Kms.PublicJwk.fromUnknown(signer.publicJwk)
|
|
453
|
+
}))
|
|
454
|
+
};
|
|
455
|
+
return {
|
|
456
|
+
proofType: "jwt",
|
|
457
|
+
bindingMethod: "jwk",
|
|
458
|
+
keys: proofSigners.map((signer) => {
|
|
459
|
+
return {
|
|
460
|
+
method: "jwk",
|
|
461
|
+
jwk: Kms.PublicJwk.fromUnknown(signer.publicJwk)
|
|
462
|
+
};
|
|
463
|
+
})
|
|
464
|
+
};
|
|
465
|
+
}
|
|
466
|
+
throw new Oauth2ServerErrorResponseError({
|
|
467
|
+
error: Oauth2ErrorCodes.InvalidProof,
|
|
468
|
+
error_description: "Missing required proof(s) in credential request"
|
|
469
|
+
});
|
|
470
|
+
}
|
|
471
|
+
async findIssuanceSessionsByQuery(agentContext, query, queryOptions) {
|
|
472
|
+
return this.openId4VcIssuanceSessionRepository.findByQuery(agentContext, query, queryOptions);
|
|
473
|
+
}
|
|
474
|
+
async findSingleIssuanceSessionByQuery(agentContext, query) {
|
|
475
|
+
return this.openId4VcIssuanceSessionRepository.findSingleByQuery(agentContext, query);
|
|
476
|
+
}
|
|
477
|
+
async getIssuanceSessionById(agentContext, issuanceSessionId) {
|
|
478
|
+
return this.openId4VcIssuanceSessionRepository.getById(agentContext, issuanceSessionId);
|
|
479
|
+
}
|
|
480
|
+
async getAllIssuers(agentContext) {
|
|
481
|
+
return this.openId4VcIssuerRepository.getAll(agentContext);
|
|
482
|
+
}
|
|
483
|
+
async getIssuerByIssuerId(agentContext, issuerId) {
|
|
484
|
+
return this.openId4VcIssuerRepository.getByIssuerId(agentContext, issuerId);
|
|
485
|
+
}
|
|
486
|
+
async updateIssuer(agentContext, issuer) {
|
|
487
|
+
if (issuer.signedMetadata) {
|
|
488
|
+
const issuerMetadata = await this.getIssuerMetadata(agentContext, issuer, false);
|
|
489
|
+
issuer.signedMetadata = await this.createSignedMetadata(agentContext, issuerMetadata.credentialIssuer, decodeJwtIssuer(issuer.signedMetadata.signer));
|
|
490
|
+
}
|
|
491
|
+
await this.openId4VcIssuerRepository.update(agentContext, issuer);
|
|
492
|
+
}
|
|
493
|
+
async createIssuer(agentContext, options) {
|
|
494
|
+
const accessTokenSignerKey = await agentContext.resolve(Kms.KeyManagementApi).createKey({ type: options.accessTokenSignerKeyType ?? {
|
|
495
|
+
kty: "OKP",
|
|
496
|
+
crv: "Ed25519"
|
|
497
|
+
} });
|
|
498
|
+
const openId4VcIssuer = new OpenId4VcIssuerRecord({
|
|
499
|
+
issuerId: options.issuerId ?? utils.uuid(),
|
|
500
|
+
display: options.display,
|
|
501
|
+
dpopSigningAlgValuesSupported: options.dpopSigningAlgValuesSupported,
|
|
502
|
+
accessTokenPublicJwk: accessTokenSignerKey.publicJwk,
|
|
503
|
+
authorizationServerConfigs: options.authorizationServerConfigs,
|
|
504
|
+
credentialConfigurationsSupported: options.credentialConfigurationsSupported,
|
|
505
|
+
batchCredentialIssuance: options.batchCredentialIssuance
|
|
506
|
+
});
|
|
507
|
+
if (options.metadataSigner) {
|
|
508
|
+
const issuerMetadata = await this.getIssuerMetadata(agentContext, openId4VcIssuer, false);
|
|
509
|
+
openId4VcIssuer.signedMetadata = await this.createSignedMetadata(agentContext, issuerMetadata.credentialIssuer, options.metadataSigner);
|
|
510
|
+
}
|
|
511
|
+
await this.openId4VcIssuerRepository.save(agentContext, openId4VcIssuer);
|
|
512
|
+
await storeActorIdForContextCorrelationId(agentContext, openId4VcIssuer.issuerId);
|
|
513
|
+
return openId4VcIssuer;
|
|
514
|
+
}
|
|
515
|
+
async createSignedMetadata(agentContext, credentialIssuerMetadata, metadataSigner) {
|
|
516
|
+
return {
|
|
517
|
+
jwt: await this.getIssuer(agentContext).createSignedCredentialIssuerMetadataJwt({
|
|
518
|
+
credentialIssuerMetadata,
|
|
519
|
+
signer: await credoJwtIssuerToOpenId4VcJwtIssuer(agentContext, metadataSigner)
|
|
520
|
+
}),
|
|
521
|
+
signer: encodeJwtIssuer(metadataSigner)
|
|
522
|
+
};
|
|
523
|
+
}
|
|
524
|
+
async rotateAccessTokenSigningKey(agentContext, issuer, options) {
|
|
525
|
+
const kms = agentContext.resolve(Kms.KeyManagementApi);
|
|
526
|
+
const previousKey = issuer.resolvedAccessTokenPublicJwk;
|
|
527
|
+
issuer.accessTokenPublicJwk = (await kms.createKey({ type: options?.accessTokenSignerKeyType ?? {
|
|
528
|
+
kty: "OKP",
|
|
529
|
+
crv: "Ed25519"
|
|
530
|
+
} })).publicJwk;
|
|
531
|
+
await this.openId4VcIssuerRepository.update(agentContext, issuer);
|
|
532
|
+
await kms.deleteKey({ keyId: previousKey.keyId });
|
|
533
|
+
}
|
|
534
|
+
/**
|
|
535
|
+
* @param fetchExternalAuthorizationServerMetadata defaults to false
|
|
536
|
+
*/
|
|
537
|
+
async getIssuerMetadata(agentContext, issuerRecord, fetchExternalAuthorizationServerMetadata = false) {
|
|
538
|
+
const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig);
|
|
539
|
+
const issuerUrl = joinUriParts(config.baseUrl, [issuerRecord.issuerId]);
|
|
540
|
+
const oauth2Client = this.getOauth2Client(agentContext);
|
|
541
|
+
const directAuthorizationServerConfigs = issuerRecord.directAuthorizationServerConfigs;
|
|
542
|
+
const extraAuthorizationServers = fetchExternalAuthorizationServerMetadata && directAuthorizationServerConfigs ? await Promise.all(directAuthorizationServerConfigs.map(async (server) => {
|
|
543
|
+
const metadata = await oauth2Client.fetchAuthorizationServerMetadata(server.issuer);
|
|
544
|
+
if (!metadata) throw new CredoError(`Authorization server metadata not found for issuer '${server.issuer}'`);
|
|
545
|
+
return metadata;
|
|
546
|
+
})) : [];
|
|
547
|
+
const authorizationServers = directAuthorizationServerConfigs && directAuthorizationServerConfigs.length > 0 ? [...directAuthorizationServerConfigs.map((authorizationServer) => authorizationServer.issuer), issuerUrl] : void 0;
|
|
548
|
+
const credentialIssuerMetadata = {
|
|
549
|
+
credential_issuer: issuerUrl,
|
|
550
|
+
credential_endpoint: joinUriParts(issuerUrl, [config.credentialEndpointPath]),
|
|
551
|
+
deferred_credential_endpoint: joinUriParts(issuerUrl, [config.deferredCredentialEndpointPath]),
|
|
552
|
+
credential_configurations_supported: issuerRecord.credentialConfigurationsSupported ?? {},
|
|
553
|
+
authorization_servers: authorizationServers,
|
|
554
|
+
display: issuerRecord.display,
|
|
555
|
+
nonce_endpoint: joinUriParts(issuerUrl, [config.nonceEndpointPath]),
|
|
556
|
+
batch_credential_issuance: issuerRecord.batchCredentialIssuance ? { batch_size: issuerRecord.batchCredentialIssuance.batchSize } : void 0
|
|
557
|
+
};
|
|
558
|
+
const issuerAuthorizationServer = {
|
|
559
|
+
issuer: issuerUrl,
|
|
560
|
+
token_endpoint: joinUriParts(issuerUrl, [config.accessTokenEndpointPath]),
|
|
561
|
+
"pre-authorized_grant_anonymous_access_supported": true,
|
|
562
|
+
jwks_uri: joinUriParts(issuerUrl, [config.jwksEndpointPath]),
|
|
563
|
+
grant_types_supported: [authorizationCodeGrantIdentifier, preAuthorizedCodeGrantIdentifier],
|
|
564
|
+
authorization_challenge_endpoint: joinUriParts(issuerUrl, [config.authorizationChallengeEndpointPath]),
|
|
565
|
+
authorization_endpoint: joinUriParts(issuerUrl, [config.authorizationEndpoint]),
|
|
566
|
+
pushed_authorization_request_endpoint: joinUriParts(issuerUrl, [config.pushedAuthorizationRequestEndpoint]),
|
|
567
|
+
require_pushed_authorization_requests: true,
|
|
568
|
+
code_challenge_methods_supported: [PkceCodeChallengeMethod.S256],
|
|
569
|
+
dpop_signing_alg_values_supported: issuerRecord.dpopSigningAlgValuesSupported
|
|
570
|
+
};
|
|
571
|
+
return {
|
|
572
|
+
originalDraftVersion: Openid4vciDraftVersion.V1,
|
|
573
|
+
credentialIssuer: credentialIssuerMetadata,
|
|
574
|
+
authorizationServers: [issuerAuthorizationServer, ...extraAuthorizationServers],
|
|
575
|
+
knownCredentialConfigurations: credentialIssuerMetadata.credential_configurations_supported,
|
|
576
|
+
signedMetadataJwt: issuerRecord.signedMetadata?.jwt
|
|
577
|
+
};
|
|
578
|
+
}
|
|
579
|
+
async createNonce(agentContext, issuer) {
|
|
580
|
+
const issuerMetadata = await this.getIssuerMetadata(agentContext, issuer);
|
|
581
|
+
const jwsService = agentContext.dependencyManager.resolve(JwsService);
|
|
582
|
+
const cNonceExpiresInSeconds = this.openId4VcIssuerConfig.cNonceExpiresInSeconds;
|
|
583
|
+
const cNonceExpiresAt = utils.addSecondsToDate(/* @__PURE__ */ new Date(), cNonceExpiresInSeconds);
|
|
584
|
+
const key = issuer.resolvedAccessTokenPublicJwk;
|
|
585
|
+
return {
|
|
586
|
+
cNonce: await jwsService.createJwsCompact(agentContext, {
|
|
587
|
+
keyId: key.keyId,
|
|
588
|
+
payload: JwtPayload.fromJson({
|
|
589
|
+
iss: issuerMetadata.credentialIssuer.credential_issuer,
|
|
590
|
+
exp: utils.dateToSeconds(cNonceExpiresAt)
|
|
591
|
+
}),
|
|
592
|
+
protectedHeaderOptions: {
|
|
593
|
+
typ: "credo+cnonce",
|
|
594
|
+
kid: key.keyId,
|
|
595
|
+
alg: key.signatureAlgorithm
|
|
596
|
+
}
|
|
597
|
+
}),
|
|
598
|
+
cNonceExpiresAt,
|
|
599
|
+
cNonceExpiresInSeconds
|
|
600
|
+
};
|
|
601
|
+
}
|
|
602
|
+
/**
|
|
603
|
+
* @todo nonces are very short lived (1 min), but it might be nice to also cache the nonces
|
|
604
|
+
* in the cache if we have 'seen' them. They will only be in the cache for a short time
|
|
605
|
+
* and it will prevent replay
|
|
606
|
+
*/
|
|
607
|
+
async verifyNonce(agentContext, issuer, cNonce) {
|
|
608
|
+
const issuerMetadata = await this.getIssuerMetadata(agentContext, issuer);
|
|
609
|
+
const jwsService = agentContext.dependencyManager.resolve(JwsService);
|
|
610
|
+
const key = issuer.resolvedAccessTokenPublicJwk;
|
|
611
|
+
const jwt = Jwt.fromSerializedJwt(cNonce);
|
|
612
|
+
jwt.payload.validate();
|
|
613
|
+
if (jwt.payload.iss !== issuerMetadata.credentialIssuer.credential_issuer) throw new CredoError(`Invalid 'iss' claim in cNonce jwt`);
|
|
614
|
+
if (jwt.header.typ !== "credo+cnonce") throw new CredoError(`Invalid 'typ' claim in cNonce jwt header`);
|
|
615
|
+
if (!(await jwsService.verifyJws(agentContext, {
|
|
616
|
+
jws: cNonce,
|
|
617
|
+
jwsSigner: {
|
|
618
|
+
method: "jwk",
|
|
619
|
+
jwk: key
|
|
620
|
+
}
|
|
621
|
+
})).isValid) throw new CredoError("Invalid nonce");
|
|
622
|
+
}
|
|
623
|
+
async createRefreshToken(agentContext, issuer, options) {
|
|
624
|
+
const issuerMetadata = await this.getIssuerMetadata(agentContext, issuer);
|
|
625
|
+
const jwsService = agentContext.dependencyManager.resolve(JwsService);
|
|
626
|
+
const expiresInSeconds = this.openId4VcIssuerConfig.refreshTokenExpiresInSeconds;
|
|
627
|
+
const expiresAt = utils.addSecondsToDate(/* @__PURE__ */ new Date(), expiresInSeconds);
|
|
628
|
+
const key = issuer.resolvedAccessTokenPublicJwk;
|
|
629
|
+
return await jwsService.createJwsCompact(agentContext, {
|
|
630
|
+
keyId: key.keyId,
|
|
631
|
+
payload: JwtPayload.fromJson({
|
|
632
|
+
iss: issuerMetadata.credentialIssuer.credential_issuer,
|
|
633
|
+
aud: issuerMetadata.credentialIssuer.credential_issuer,
|
|
634
|
+
exp: utils.dateToSeconds(expiresAt),
|
|
635
|
+
issuer_state: options.issuerState,
|
|
636
|
+
"pre-authorized_code": options.preAuthorizedCode,
|
|
637
|
+
cnf: options.dpop ? { jkt: await calculateJwkThumbprint({
|
|
638
|
+
hashAlgorithm: HashAlgorithm.Sha256,
|
|
639
|
+
hashCallback: getOid4vcCallbacks(agentContext).hash,
|
|
640
|
+
jwk: options.dpop.jwk
|
|
641
|
+
}) } : void 0
|
|
642
|
+
}),
|
|
643
|
+
protectedHeaderOptions: {
|
|
644
|
+
typ: "credo+refresh_token",
|
|
645
|
+
kid: key.keyId,
|
|
646
|
+
alg: key.signatureAlgorithm
|
|
647
|
+
}
|
|
648
|
+
});
|
|
649
|
+
}
|
|
650
|
+
parseRefreshToken(token) {
|
|
651
|
+
const jwt = Jwt.fromSerializedJwt(token);
|
|
652
|
+
jwt.payload.validate();
|
|
653
|
+
if (!jwt.payload.exp) throw new CredoError(`Missing 'exp' claim in refresh token jwt`);
|
|
654
|
+
if (jwt.header.typ !== "credo+refresh_token") throw new CredoError(`Invalid 'typ' claim in refresh token jwt header`);
|
|
655
|
+
const { "pre-authorized_code": preAuthorizedCode, issuer_state: issuerState, cnf } = jwt.payload.additionalClaims;
|
|
656
|
+
if (preAuthorizedCode && typeof preAuthorizedCode !== "string") throw new CredoError(`Invalid 'pre-authorized_code' claim in refresh token jwt payload`);
|
|
657
|
+
if (issuerState && typeof issuerState !== "string") throw new CredoError(`Invalid 'issuer_state' claim in refresh token jwt payload`);
|
|
658
|
+
if (!preAuthorizedCode && !issuerState) throw new CredoError(`Missing 'issuer_state' or 'pre-authorized_code' claim in refresh token jwt payload`);
|
|
659
|
+
let jwkThumbprint;
|
|
660
|
+
if (cnf) {
|
|
661
|
+
if (typeof cnf !== "object" || !("jkt" in cnf) || typeof cnf.jkt !== "string") throw new CredoError(`Invalid 'cnf' claim in refresh token jwt payload`);
|
|
662
|
+
jwkThumbprint = cnf.jkt;
|
|
663
|
+
}
|
|
664
|
+
return {
|
|
665
|
+
jwt,
|
|
666
|
+
expiresAt: /* @__PURE__ */ new Date(jwt.payload.exp * 1e3),
|
|
667
|
+
issuerState,
|
|
668
|
+
preAuthorizedCode,
|
|
669
|
+
dpop: jwkThumbprint ? { jwkThumbprint } : void 0
|
|
670
|
+
};
|
|
671
|
+
}
|
|
672
|
+
async verifyRefreshToken(agentContext, issuer, parsedRefreshToken, options = {}) {
|
|
673
|
+
const issuerMetadata = await this.getIssuerMetadata(agentContext, issuer);
|
|
674
|
+
const jwsService = agentContext.dependencyManager.resolve(JwsService);
|
|
675
|
+
const key = issuer.resolvedAccessTokenPublicJwk;
|
|
676
|
+
if (parsedRefreshToken.jwt.payload.iss !== issuerMetadata.credentialIssuer.credential_issuer) throw new CredoError(`Invalid 'iss' claim in refresh token jwt`);
|
|
677
|
+
if (parsedRefreshToken.jwt.payload.aud !== issuerMetadata.credentialIssuer.credential_issuer) throw new CredoError(`Invalid 'aud' claim in refresh token jwt`);
|
|
678
|
+
if (!(await jwsService.verifyJws(agentContext, {
|
|
679
|
+
jws: parsedRefreshToken.jwt.serializedJwt,
|
|
680
|
+
jwsSigner: {
|
|
681
|
+
method: "jwk",
|
|
682
|
+
jwk: key
|
|
683
|
+
}
|
|
684
|
+
})).isValid) throw new CredoError("Invalid refresh token");
|
|
685
|
+
if (options.dpop?.jwkThumbprint) {
|
|
686
|
+
if (parsedRefreshToken.dpop?.jwkThumbprint !== options.dpop.jwkThumbprint) throw new CredoError(`Invalid 'cnf.jkt' claim in refresh token jwt payload`);
|
|
687
|
+
}
|
|
688
|
+
}
|
|
689
|
+
getIssuer(agentContext, options = {}) {
|
|
690
|
+
return new Openid4vciIssuer({ callbacks: getOid4vcCallbacks(agentContext, options) });
|
|
691
|
+
}
|
|
692
|
+
getOauth2Client(agentContext, issuerRecord) {
|
|
693
|
+
return new Oauth2Client({ callbacks: {
|
|
694
|
+
...getOid4vcCallbacks(agentContext),
|
|
695
|
+
...issuerRecord ? { clientAuthentication: dynamicOid4vciClientAuthentication(agentContext, issuerRecord) } : {}
|
|
696
|
+
} });
|
|
697
|
+
}
|
|
698
|
+
getOauth2AuthorizationServer(agentContext, options = {}) {
|
|
699
|
+
return new Oauth2AuthorizationServer({ callbacks: getOid4vcCallbacks(agentContext, options) });
|
|
700
|
+
}
|
|
701
|
+
getResourceServer(agentContext, issuerRecord) {
|
|
702
|
+
return new Oauth2ResourceServer({ callbacks: {
|
|
703
|
+
...getOid4vcCallbacks(agentContext),
|
|
704
|
+
clientAuthentication: dynamicOid4vciClientAuthentication(agentContext, issuerRecord)
|
|
705
|
+
} });
|
|
706
|
+
}
|
|
707
|
+
/**
|
|
708
|
+
* Update the expiresAt field of the issuance session to ensure it remains
|
|
709
|
+
* valid during the deferral process. We set it to the maximum between the
|
|
710
|
+
* current expiresAt and the current time plus the configured expiration
|
|
711
|
+
* time or the interval multiplied by 2. This accounts for the chance of multiple
|
|
712
|
+
* deferrals happening, with longer intervals.
|
|
713
|
+
*/
|
|
714
|
+
async updateExpiresAt(agentContext, issuanceSession, interval) {
|
|
715
|
+
const expiresAt = issuanceSession.expiresAt ?? utils.addSecondsToDate(issuanceSession.createdAt, this.openId4VcIssuerConfig.statefulCredentialOfferExpirationInSeconds);
|
|
716
|
+
issuanceSession.expiresAt = new Date(Math.max(expiresAt.getTime(), utils.addSecondsToDate(/* @__PURE__ */ new Date(), Math.max(this.openId4VcIssuerConfig.statefulCredentialOfferExpirationInSeconds, interval * 2)).getTime()));
|
|
717
|
+
await this.openId4VcIssuanceSessionRepository.update(agentContext, issuanceSession);
|
|
718
|
+
}
|
|
719
|
+
/**
|
|
720
|
+
* Update the record to a new state and emit an state changed event. Also updates the record
|
|
721
|
+
* in storage.
|
|
722
|
+
*/
|
|
723
|
+
async updateState(agentContext, issuanceSession, newState) {
|
|
724
|
+
agentContext.config.logger.debug(`Updating openid4vc issuance session record ${issuanceSession.id} to state ${newState} (previous=${issuanceSession.state})`);
|
|
725
|
+
const previousState = issuanceSession.state;
|
|
726
|
+
issuanceSession.state = newState;
|
|
727
|
+
await this.openId4VcIssuanceSessionRepository.update(agentContext, issuanceSession);
|
|
728
|
+
this.emitStateChangedEvent(agentContext, issuanceSession, previousState);
|
|
729
|
+
}
|
|
730
|
+
emitStateChangedEvent(agentContext, issuanceSession, previousState) {
|
|
731
|
+
agentContext.dependencyManager.resolve(EventEmitter).emit(agentContext, {
|
|
732
|
+
type: OpenId4VcIssuerEvents.IssuanceSessionStateChanged,
|
|
733
|
+
payload: {
|
|
734
|
+
issuanceSession: issuanceSession.clone(),
|
|
735
|
+
previousState
|
|
736
|
+
}
|
|
737
|
+
});
|
|
738
|
+
}
|
|
739
|
+
async getGrantsFromConfig(agentContext, config) {
|
|
740
|
+
const kms = agentContext.resolve(Kms.KeyManagementApi);
|
|
741
|
+
const { preAuthorizedCodeFlowConfig, authorizationCodeFlowConfig, issuer, issuerMetadata } = config;
|
|
742
|
+
const grants = {};
|
|
743
|
+
if (preAuthorizedCodeFlowConfig) {
|
|
744
|
+
const { txCode, authorizationServerUrl, preAuthorizedCode } = preAuthorizedCodeFlowConfig;
|
|
745
|
+
grants[preAuthorizedCodeGrantIdentifier] = {
|
|
746
|
+
"pre-authorized_code": preAuthorizedCode ?? TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 })),
|
|
747
|
+
tx_code: txCode,
|
|
748
|
+
authorization_server: config.issuerMetadata.credentialIssuer.authorization_servers ? authorizationServerUrl : void 0
|
|
749
|
+
};
|
|
750
|
+
}
|
|
751
|
+
if (authorizationCodeFlowConfig) {
|
|
752
|
+
const { requirePresentationDuringIssuance } = authorizationCodeFlowConfig;
|
|
753
|
+
let authorizationServerUrl = authorizationCodeFlowConfig.authorizationServerUrl;
|
|
754
|
+
if (requirePresentationDuringIssuance) {
|
|
755
|
+
if (authorizationServerUrl && authorizationServerUrl !== issuerMetadata.credentialIssuer.credential_issuer) throw new CredoError(`When 'requirePresentationDuringIssuance' is set, 'authorizationServerUrl' must be undefined or match the credential issuer identifier`);
|
|
756
|
+
authorizationServerUrl = issuerMetadata.credentialIssuer.credential_issuer;
|
|
757
|
+
}
|
|
758
|
+
if ((issuer.authorizationServerConfigs?.find((server) => server.issuer === authorizationServerUrl))?.type === "chained") authorizationServerUrl = issuerMetadata.credentialIssuer.credential_issuer;
|
|
759
|
+
grants.authorization_code = {
|
|
760
|
+
issuer_state: authorizationCodeFlowConfig.issuerState ?? TypedArrayEncoder.toBase64URL(kms.randomBytes({ length: 32 })),
|
|
761
|
+
authorization_server: config.issuerMetadata.credentialIssuer.authorization_servers ? authorizationServerUrl : void 0
|
|
762
|
+
};
|
|
763
|
+
}
|
|
764
|
+
return grants;
|
|
765
|
+
}
|
|
766
|
+
getCredentialConfigurationsForRequest(options) {
|
|
767
|
+
const { requestFormat, issuanceSession, issuerMetadata, authorization, credentialConfigurations } = options;
|
|
768
|
+
const configurationsMatchingRequest = credentialConfigurations ? credentialConfigurations : requestFormat ? getCredentialConfigurationsMatchingRequestFormat({
|
|
769
|
+
requestFormat,
|
|
770
|
+
issuerMetadata
|
|
771
|
+
}) : void 0;
|
|
772
|
+
if (!configurationsMatchingRequest) throw new Oauth2ServerErrorResponseError({
|
|
773
|
+
error: Oauth2ErrorCodes.InvalidCredentialRequest,
|
|
774
|
+
error_description: `Either 'credential_configuration_id' or 'format' needs to be defined'`
|
|
775
|
+
});
|
|
776
|
+
if (Object.keys(configurationsMatchingRequest).length === 0) throw new Oauth2ServerErrorResponseError({
|
|
777
|
+
error: Oauth2ErrorCodes.InvalidCredentialRequest,
|
|
778
|
+
error_description: "Credential request does not match any credential configuration"
|
|
779
|
+
});
|
|
780
|
+
const configurationsMatchingRequestAndOffer = getOfferedCredentials(issuanceSession.credentialOfferPayload.credential_configuration_ids, configurationsMatchingRequest, { ignoreNotFoundIds: true });
|
|
781
|
+
if (Object.keys(configurationsMatchingRequestAndOffer).length === 0) throw new Oauth2ServerErrorResponseError({
|
|
782
|
+
error: Oauth2ErrorCodes.InvalidCredentialRequest,
|
|
783
|
+
error_description: "Credential request does not match any credential configurations from credential offer"
|
|
784
|
+
});
|
|
785
|
+
const deferredCredentialConfigurationIds = issuanceSession.transactions.map((tx) => tx.credentialConfigurationId);
|
|
786
|
+
const configurationsMatchingRequestAndOfferNotIssued = getOfferedCredentials(issuanceSession.credentialOfferPayload.credential_configuration_ids.filter((id) => !issuanceSession.issuedCredentials.includes(id) && !deferredCredentialConfigurationIds.includes(id)), configurationsMatchingRequestAndOffer, { ignoreNotFoundIds: true });
|
|
787
|
+
if (Object.keys(configurationsMatchingRequestAndOfferNotIssued).length === 0) throw new Oauth2ServerErrorResponseError({
|
|
788
|
+
error: Oauth2ErrorCodes.InvalidCredentialRequest,
|
|
789
|
+
error_description: "Credential request does not match any credential configurations from credential offer that have not been issued yet"
|
|
790
|
+
});
|
|
791
|
+
if (authorization.accessToken.payload["pre-authorized_code"]) {
|
|
792
|
+
const [credentialConfigurationId$1, credentialConfiguration$1] = Object.entries(configurationsMatchingRequestAndOfferNotIssued)[0];
|
|
793
|
+
return {
|
|
794
|
+
credentialConfigurationId: credentialConfigurationId$1,
|
|
795
|
+
credentialConfiguration: credentialConfiguration$1
|
|
796
|
+
};
|
|
797
|
+
}
|
|
798
|
+
const configurationsMatchingRequestOfferScope = getCredentialConfigurationsSupportedForScopes(configurationsMatchingRequestAndOfferNotIssued, authorization.accessToken.payload.scope?.split(" ") ?? []);
|
|
799
|
+
if (Object.keys(configurationsMatchingRequestOfferScope).length === 0) throw new Oauth2ServerErrorResponseError({
|
|
800
|
+
error: Oauth2ErrorCodes.InsufficientScope,
|
|
801
|
+
error_description: "Scope does not grant issuance for any requested credential configurations from credential offer"
|
|
802
|
+
}, { status: 403 });
|
|
803
|
+
const [credentialConfigurationId, credentialConfiguration] = Object.entries(configurationsMatchingRequestOfferScope)[0];
|
|
804
|
+
return {
|
|
805
|
+
credentialConfigurationId,
|
|
806
|
+
credentialConfiguration
|
|
807
|
+
};
|
|
808
|
+
}
|
|
809
|
+
async getSignedCredentials(agentContext, signOptions, options) {
|
|
810
|
+
const { credentialConfiguration, expectedLength } = options;
|
|
811
|
+
if (signOptions.credentials.length !== expectedLength) throw new CredoError(`Credential request to credential mapper returned '${signOptions.credentials.length}' to be signed, while '${expectedLength}' holder binding entries were provided. Make sure to return one credential for each holder binding entry`);
|
|
812
|
+
if (signOptions.format === ClaimFormat.JwtVc || signOptions.format === ClaimFormat.LdpVc) {
|
|
813
|
+
const expectedClaimFormat = {
|
|
814
|
+
[OpenId4VciCredentialFormatProfile.JwtVcJson]: ClaimFormat.JwtVc,
|
|
815
|
+
[OpenId4VciCredentialFormatProfile.JwtVcJsonLd]: ClaimFormat.JwtVc,
|
|
816
|
+
[OpenId4VciCredentialFormatProfile.LdpVc]: ClaimFormat.LdpVc
|
|
817
|
+
}[credentialConfiguration.format];
|
|
818
|
+
if (signOptions.format !== expectedClaimFormat) throw new CredoError(`Invalid credential format returned by sign options. Expected '${expectedClaimFormat}', received '${signOptions.format}'.`);
|
|
819
|
+
return {
|
|
820
|
+
format: credentialConfiguration.format,
|
|
821
|
+
credentials: await Promise.all(signOptions.credentials.map((credential) => this.signW3cCredential(agentContext, signOptions.format, credential).then((signed) => signed.encoded)))
|
|
822
|
+
};
|
|
823
|
+
}
|
|
824
|
+
if (signOptions.format === ClaimFormat.SdJwtDc) {
|
|
825
|
+
if (credentialConfiguration.format !== OpenId4VciCredentialFormatProfile.SdJwtVc && credentialConfiguration.format !== OpenId4VciCredentialFormatProfile.SdJwtDc) throw new CredoError(`Invalid credential format returned by sign options. Expected '${ClaimFormat.SdJwtDc}', received '${signOptions.format}'.`);
|
|
826
|
+
if (!signOptions.credentials.every((c) => c.payload.vct === credentialConfiguration.vct)) throw new CredoError(`One or more vct values of the offered credential(s) do not match the vct of the requested credential. Offered ${Array.from(new Set(signOptions.credentials.map((c) => `'${c.payload.vct}'`))).join(", ")} Requested '${credentialConfiguration.vct}'.`);
|
|
827
|
+
const sdJwtVcApi = agentContext.dependencyManager.resolve(SdJwtVcApi);
|
|
828
|
+
return {
|
|
829
|
+
format: credentialConfiguration.format,
|
|
830
|
+
credentials: await Promise.all(signOptions.credentials.map((credential) => sdJwtVcApi.sign({
|
|
831
|
+
...credential,
|
|
832
|
+
headerType: credentialConfiguration.format
|
|
833
|
+
}).then((signed) => signed.compact)))
|
|
834
|
+
};
|
|
835
|
+
}
|
|
836
|
+
if (signOptions.format === ClaimFormat.MsoMdoc) {
|
|
837
|
+
if (signOptions.format !== credentialConfiguration.format) throw new CredoError(`Invalid credential format returned by sign options. Expected '${credentialConfiguration.format}', received '${signOptions.format}'.`);
|
|
838
|
+
if (!signOptions.credentials.every((c) => c.docType === credentialConfiguration.doctype)) throw new CredoError(`One or more doctype values of the offered credential(s) do not match the doctype of the requested credential. Offered ${Array.from(new Set(signOptions.credentials.map((c) => `'${c.docType}'`))).join(", ")} Requested '${credentialConfiguration.doctype}'.`);
|
|
839
|
+
const mdocApi = agentContext.dependencyManager.resolve(MdocApi);
|
|
840
|
+
return {
|
|
841
|
+
format: OpenId4VciCredentialFormatProfile.MsoMdoc,
|
|
842
|
+
credentials: await Promise.all(signOptions.credentials.map((credential) => mdocApi.sign(credential).then((signed) => signed.base64Url)))
|
|
843
|
+
};
|
|
844
|
+
}
|
|
845
|
+
if (signOptions.format === ClaimFormat.SdJwtW3cVc) return {
|
|
846
|
+
format: credentialConfiguration.format,
|
|
847
|
+
credentials: await Promise.all(signOptions.credentials.map((credential) => this.w3cV2CredentialService.signCredential(agentContext, {
|
|
848
|
+
format: ClaimFormat.SdJwtW3cVc,
|
|
849
|
+
...credential
|
|
850
|
+
}).then((signed) => signed.encoded)))
|
|
851
|
+
};
|
|
852
|
+
throw new CredoError(`Unsupported credential format ${signOptions.format}`);
|
|
853
|
+
}
|
|
854
|
+
async signW3cCredential(agentContext, format, options) {
|
|
855
|
+
const publicJwk = await getPublicJwkFromDid(agentContext, options.verificationMethod);
|
|
856
|
+
if (format === ClaimFormat.JwtVc) return await this.w3cCredentialService.signCredential(agentContext, {
|
|
857
|
+
format: ClaimFormat.JwtVc,
|
|
858
|
+
credential: options.credential,
|
|
859
|
+
verificationMethod: options.verificationMethod,
|
|
860
|
+
alg: publicJwk.signatureAlgorithm
|
|
861
|
+
});
|
|
862
|
+
const proofType = getProofTypeFromPublicJwk(agentContext, publicJwk);
|
|
863
|
+
return await this.w3cCredentialService.signCredential(agentContext, {
|
|
864
|
+
format: ClaimFormat.LdpVc,
|
|
865
|
+
credential: options.credential,
|
|
866
|
+
verificationMethod: options.verificationMethod,
|
|
867
|
+
proofType
|
|
868
|
+
});
|
|
869
|
+
}
|
|
870
|
+
};
|
|
871
|
+
OpenId4VcIssuerService = __decorate([injectable(), __decorateMetadata("design:paramtypes", [
|
|
872
|
+
typeof (_ref = typeof W3cCredentialService !== "undefined" && W3cCredentialService) === "function" ? _ref : Object,
|
|
873
|
+
typeof (_ref2 = typeof W3cV2CredentialService !== "undefined" && W3cV2CredentialService) === "function" ? _ref2 : Object,
|
|
874
|
+
typeof (_ref3 = typeof OpenId4VcIssuerModuleConfig !== "undefined" && OpenId4VcIssuerModuleConfig) === "function" ? _ref3 : Object,
|
|
875
|
+
typeof (_ref4 = typeof OpenId4VcIssuerRepository !== "undefined" && OpenId4VcIssuerRepository) === "function" ? _ref4 : Object,
|
|
876
|
+
typeof (_ref5 = typeof OpenId4VcIssuanceSessionRepository !== "undefined" && OpenId4VcIssuanceSessionRepository) === "function" ? _ref5 : Object
|
|
877
|
+
])], OpenId4VcIssuerService);
|
|
878
|
+
|
|
879
|
+
//#endregion
|
|
880
|
+
export { OpenId4VcIssuerService };
|
|
881
|
+
//# sourceMappingURL=OpenId4VcIssuerService.mjs.map
|