@credo-ts/openid4vc 0.6.1-pr-2091-20241119140918 → 0.6.2-alpha-20251210145840

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.d.ts

@@ -1,56 +0,0 @@
-import type { OpenId4VciAuthorizationServerConfig, OpenId4VciCredentialConfigurationsSupportedWithFormats, OpenId4VciCredentialIssuerMetadataDisplay } from '../../shared';
-import type { OpenId4VciBatchCredentialIssuanceOptions } from '../OpenId4VcIssuerServiceOptions';
-import type { JwaSignatureAlgorithm, RecordTags, TagsBase } from '@credo-ts/core';
-import { BaseRecord } from '@credo-ts/core';
-export type OpenId4VcIssuerRecordTags = RecordTags<OpenId4VcIssuerRecord>;
-export type DefaultOpenId4VcIssuerRecordTags = {
-    issuerId: string;
-};
-export type OpenId4VcIssuerRecordProps = {
-    id?: string;
-    createdAt?: Date;
-    tags?: TagsBase;
-    issuerId: string;
-    /**
-     * The fingerprint (multibase encoded) of the public key used to sign access tokens for
-     * this issuer.
-     */
-    accessTokenPublicKeyFingerprint: string;
-    /**
-     * The DPoP signing algorithms supported by this issuer.
-     * If not provided, dPoP is considered unsupported.
-     */
-    dpopSigningAlgValuesSupported?: [JwaSignatureAlgorithm, ...JwaSignatureAlgorithm[]];
-    display?: OpenId4VciCredentialIssuerMetadataDisplay[];
-    authorizationServerConfigs?: OpenId4VciAuthorizationServerConfig[];
-    credentialConfigurationsSupported: OpenId4VciCredentialConfigurationsSupportedWithFormats;
-    /**
-     * Indicate support for batch issuane of credentials
-     */
-    batchCredentialIssuance?: OpenId4VciBatchCredentialIssuanceOptions;
-};
-/**
- * For OID4VC you need to expose metadata files. Each issuer needs to host this metadata. This is not the case for DIDComm where we can just have one /didcomm endpoint.
- * So we create a record per openid issuer/verifier that you want, and each tenant can create multiple issuers/verifiers which have different endpoints
- * and metadata files
- * */
-export declare class OpenId4VcIssuerRecord extends BaseRecord<DefaultOpenId4VcIssuerRecordTags> {
-    static readonly type = "OpenId4VcIssuerRecord";
-    readonly type = "OpenId4VcIssuerRecord";
-    issuerId: string;
-    accessTokenPublicKeyFingerprint: string;
-    /**
-     * Only here for class transformation. If credentialsSupported is set we transform
-     * it to the new credentialConfigurationsSupported format
-     */
-    private set credentialsSupported(value);
-    credentialConfigurationsSupported: OpenId4VciCredentialConfigurationsSupportedWithFormats;
-    display?: OpenId4VciCredentialIssuerMetadataDisplay[];
-    authorizationServerConfigs?: OpenId4VciAuthorizationServerConfig[];
-    dpopSigningAlgValuesSupported?: [JwaSignatureAlgorithm, ...JwaSignatureAlgorithm[]];
-    batchCredentialIssuance?: OpenId4VciBatchCredentialIssuanceOptions;
-    constructor(props: OpenId4VcIssuerRecordProps);
-    getTags(): {
-        issuerId: string;
-    };
-}

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.js

@@ -1,83 +0,0 @@
-"use strict";
-var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
-    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-    return c > 3 && r && Object.defineProperty(target, key, r), r;
-};
-var __metadata = (this && this.__metadata) || function (k, v) {
-    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-};
-var __rest = (this && this.__rest) || function (s, e) {
-    var t = {};
-    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
-        t[p] = s[p];
-    if (s != null && typeof Object.getOwnPropertySymbols === "function")
-        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
-            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
-                t[p[i]] = s[p[i]];
-        }
-    return t;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OpenId4VcIssuerRecord = void 0;
-const oid4vci_1 = require("@animo-id/oid4vci");
-const core_1 = require("@credo-ts/core");
-const class_transformer_1 = require("class-transformer");
-/**
- * For OID4VC you need to expose metadata files. Each issuer needs to host this metadata. This is not the case for DIDComm where we can just have one /didcomm endpoint.
- * So we create a record per openid issuer/verifier that you want, and each tenant can create multiple issuers/verifiers which have different endpoints
- * and metadata files
- * */
-class OpenId4VcIssuerRecord extends core_1.BaseRecord {
-    /**
-     * Only here for class transformation. If credentialsSupported is set we transform
-     * it to the new credentialConfigurationsSupported format
-     */
-    set credentialsSupported(credentialsSupported) {
-        if (this.credentialConfigurationsSupported)
-            return;
-        this.credentialConfigurationsSupported =
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            (0, oid4vci_1.credentialsSupportedToCredentialConfigurationsSupported)(credentialsSupported);
-    }
-    constructor(props) {
-        var _a, _b, _c;
-        super();
-        this.type = OpenId4VcIssuerRecord.type;
-        if (props) {
-            this.id = (_a = props.id) !== null && _a !== void 0 ? _a : core_1.utils.uuid();
-            this.createdAt = (_b = props.createdAt) !== null && _b !== void 0 ? _b : new Date();
-            this._tags = (_c = props.tags) !== null && _c !== void 0 ? _c : {};
-            this.issuerId = props.issuerId;
-            this.accessTokenPublicKeyFingerprint = props.accessTokenPublicKeyFingerprint;
-            this.credentialConfigurationsSupported = props.credentialConfigurationsSupported;
-            this.dpopSigningAlgValuesSupported = props.dpopSigningAlgValuesSupported;
-            this.display = props.display;
-            this.authorizationServerConfigs = props.authorizationServerConfigs;
-            this.batchCredentialIssuance = props.batchCredentialIssuance;
-        }
-    }
-    getTags() {
-        return Object.assign(Object.assign({}, this._tags), { issuerId: this.issuerId });
-    }
-}
-exports.OpenId4VcIssuerRecord = OpenId4VcIssuerRecord;
-OpenId4VcIssuerRecord.type = 'OpenId4VcIssuerRecord';
-__decorate([
-    (0, class_transformer_1.Transform)(({ type, value }) => {
-        if (type === class_transformer_1.TransformationType.PLAIN_TO_CLASS && Array.isArray(value)) {
-            return value.map((display) => {
-                var _a, _b;
-                if ((_a = display.logo) === null || _a === void 0 ? void 0 : _a.uri)
-                    return display;
-                const _c = (_b = display.logo) !== null && _b !== void 0 ? _b : {}, { url } = _c, logoRest = __rest(_c, ["url"]);
-                return Object.assign(Object.assign({}, display), { logo: url
-                        ? Object.assign(Object.assign({}, logoRest), { uri: url }) : undefined });
-            });
-        }
-        return value;
-    }),
-    __metadata("design:type", Array)
-], OpenId4VcIssuerRecord.prototype, "display", void 0);
-//# sourceMappingURL=OpenId4VcIssuerRecord.js.map

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRecord.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"OpenId4VcIssuerRecord.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRecord.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAQA,+CAA2F;AAC3F,yCAAkD;AAClD,yDAAiE;AAsCjE;;;;KAIK;AACL,MAAa,qBAAsB,SAAQ,iBAA4C;IAOrF;;;OAGG;IACH,IAAY,oBAAoB,CAAC,oBAAoC;QACnE,IAAI,IAAI,CAAC,iCAAiC;YAAE,OAAM;QAElD,IAAI,CAAC,iCAAiC;YACpC,8DAA8D;YAC9D,IAAA,iEAAuD,EAAC,oBAA2B,CAAQ,CAAA;IAC/F,CAAC;IA8BD,YAAmB,KAAiC;;QAClD,KAAK,EAAE,CAAA;QA9CO,SAAI,GAAG,qBAAqB,CAAC,IAAI,CAAA;QAgD/C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,EAAE,GAAG,MAAA,KAAK,CAAC,EAAE,mCAAI,YAAK,CAAC,IAAI,EAAE,CAAA;YAClC,IAAI,CAAC,SAAS,GAAG,MAAA,KAAK,CAAC,SAAS,mCAAI,IAAI,IAAI,EAAE,CAAA;YAC9C,IAAI,CAAC,KAAK,GAAG,MAAA,KAAK,CAAC,IAAI,mCAAI,EAAE,CAAA;YAE7B,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAA;YAC9B,IAAI,CAAC,+BAA+B,GAAG,KAAK,CAAC,+BAA+B,CAAA;YAC5E,IAAI,CAAC,iCAAiC,GAAG,KAAK,CAAC,iCAAiC,CAAA;YAChF,IAAI,CAAC,6BAA6B,GAAG,KAAK,CAAC,6BAA6B,CAAA;YACxE,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAA;YAC5B,IAAI,CAAC,0BAA0B,GAAG,KAAK,CAAC,0BAA0B,CAAA;YAClE,IAAI,CAAC,uBAAuB,GAAG,KAAK,CAAC,uBAAuB,CAAA;QAC9D,CAAC;IACH,CAAC;IAEM,OAAO;QACZ,uCACK,IAAI,CAAC,KAAK,KACb,QAAQ,EAAE,IAAI,CAAC,QAAQ,IACxB;IACH,CAAC;;AAtEH,sDAuEC;AAtEwB,0BAAI,GAAG,uBAAuB,AAA1B,CAA0B;AAyC9C;IApBN,IAAA,6BAAS,EAAC,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE;QAC7B,IAAI,IAAI,KAAK,sCAAkB,CAAC,cAAc,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACvE,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;;gBAC3B,IAAI,MAAA,OAAO,CAAC,IAAI,0CAAE,GAAG;oBAAE,OAAO,OAAO,CAAA;gBAErC,MAAM,KAAuB,MAAA,OAAO,CAAC,IAAI,mCAAI,EAAE,EAAzC,EAAE,GAAG,OAAoC,EAA/B,QAAQ,cAAlB,OAAoB,CAAqB,CAAA;gBAC/C,uCACK,OAAO,KACV,IAAI,EAAE,GAAG;wBACP,CAAC,iCACM,QAAQ,KACX,GAAG,EAAE,GAAG,IAEZ,CAAC,CAAC,SAAS,IACd;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,KAAK,CAAA;IACd,CAAC,CAAC;;sDAC0D"}

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.d.ts

@@ -1,8 +0,0 @@
-import type { AgentContext } from '@credo-ts/core';
-import { Repository, StorageService, EventEmitter } from '@credo-ts/core';
-import { OpenId4VcIssuerRecord } from './OpenId4VcIssuerRecord';
-export declare class OpenId4VcIssuerRepository extends Repository<OpenId4VcIssuerRecord> {
-    constructor(storageService: StorageService<OpenId4VcIssuerRecord>, eventEmitter: EventEmitter);
-    findByIssuerId(agentContext: AgentContext, issuerId: string): Promise<OpenId4VcIssuerRecord | null>;
-    getByIssuerId(agentContext: AgentContext, issuerId: string): Promise<OpenId4VcIssuerRecord>;
-}

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.js

@@ -1,35 +0,0 @@
-"use strict";
-var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
-    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-    return c > 3 && r && Object.defineProperty(target, key, r), r;
-};
-var __metadata = (this && this.__metadata) || function (k, v) {
-    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-};
-var __param = (this && this.__param) || function (paramIndex, decorator) {
-    return function (target, key) { decorator(target, key, paramIndex); }
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OpenId4VcIssuerRepository = void 0;
-const core_1 = require("@credo-ts/core");
-const OpenId4VcIssuerRecord_1 = require("./OpenId4VcIssuerRecord");
-let OpenId4VcIssuerRepository = class OpenId4VcIssuerRepository extends core_1.Repository {
-    constructor(storageService, eventEmitter) {
-        super(OpenId4VcIssuerRecord_1.OpenId4VcIssuerRecord, storageService, eventEmitter);
-    }
-    findByIssuerId(agentContext, issuerId) {
-        return this.findSingleByQuery(agentContext, { issuerId });
-    }
-    getByIssuerId(agentContext, issuerId) {
-        return this.getSingleByQuery(agentContext, { issuerId });
-    }
-};
-exports.OpenId4VcIssuerRepository = OpenId4VcIssuerRepository;
-exports.OpenId4VcIssuerRepository = OpenId4VcIssuerRepository = __decorate([
-    (0, core_1.injectable)(),
-    __param(0, (0, core_1.inject)(core_1.InjectionSymbols.StorageService)),
-    __metadata("design:paramtypes", [Object, core_1.EventEmitter])
-], OpenId4VcIssuerRepository);
-//# sourceMappingURL=OpenId4VcIssuerRepository.js.map

package/build/openid4vc-issuer/repository/OpenId4VcIssuerRepository.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"OpenId4VcIssuerRepository.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/repository/OpenId4VcIssuerRepository.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAEA,yCAA+G;AAE/G,mEAA+D;AAGxD,IAAM,yBAAyB,GAA/B,MAAM,yBAA0B,SAAQ,iBAAiC;IAC9E,YAC2C,cAAqD,EAC9F,YAA0B;QAE1B,KAAK,CAAC,6CAAqB,EAAE,cAAc,EAAE,YAAY,CAAC,CAAA;IAC5D,CAAC;IAEM,cAAc,CAAC,YAA0B,EAAE,QAAgB;QAChE,OAAO,IAAI,CAAC,iBAAiB,CAAC,YAAY,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAA;IAC3D,CAAC;IAEM,aAAa,CAAC,YAA0B,EAAE,QAAgB;QAC/D,OAAO,IAAI,CAAC,gBAAgB,CAAC,YAAY,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAA;IAC1D,CAAC;CACF,CAAA;AAfY,8DAAyB;oCAAzB,yBAAyB;IADrC,IAAA,iBAAU,GAAE;IAGR,WAAA,IAAA,aAAM,EAAC,uBAAgB,CAAC,cAAc,CAAC,CAAA;6CAC1B,mBAAY;GAHjB,yBAAyB,CAerC"}

package/build/openid4vc-issuer/repository/index.d.ts

@@ -1,4 +0,0 @@
-export * from './OpenId4VcIssuerRecord';
-export * from './OpenId4VcIssuerRepository';
-export * from './OpenId4VcIssuanceSessionRecord';
-export * from './OpenId4VcIssuanceSessionRepository';

package/build/openid4vc-issuer/repository/index.js

@@ -1,21 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./OpenId4VcIssuerRecord"), exports);
-__exportStar(require("./OpenId4VcIssuerRepository"), exports);
-__exportStar(require("./OpenId4VcIssuanceSessionRecord"), exports);
-__exportStar(require("./OpenId4VcIssuanceSessionRepository"), exports);
-//# sourceMappingURL=index.js.map

package/build/openid4vc-issuer/repository/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/repository/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,0DAAuC;AACvC,8DAA2C;AAC3C,mEAAgD;AAChD,uEAAoD"}

package/build/openid4vc-issuer/router/accessTokenEndpoint.d.ts

@@ -1,5 +0,0 @@
-import type { OpenId4VcIssuanceRequest } from './requestContext';
-import type { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig';
-import type { NextFunction, Response, Router } from 'express';
-export declare function configureAccessTokenEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig): void;
-export declare function handleTokenRequest(config: OpenId4VcIssuerModuleConfig): (request: OpenId4VcIssuanceRequest, response: Response, next: NextFunction) => Promise<void>;

package/build/openid4vc-issuer/router/accessTokenEndpoint.js

@@ -1,164 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.configureAccessTokenEndpoint = configureAccessTokenEndpoint;
-exports.handleTokenRequest = handleTokenRequest;
-const oauth2_1 = require("@animo-id/oauth2");
-const core_1 = require("@credo-ts/core");
-const router_1 = require("../../shared/router");
-const utils_1 = require("../../shared/utils");
-const OpenId4VcIssuanceSessionState_1 = require("../OpenId4VcIssuanceSessionState");
-const OpenId4VcIssuerService_1 = require("../OpenId4VcIssuerService");
-const repository_1 = require("../repository");
-function configureAccessTokenEndpoint(router, config) {
-    router.post(config.accessTokenEndpointPath, handleTokenRequest(config));
-}
-function handleTokenRequest(config) {
-    return async (request, response, next) => {
-        var _a, _b, _c, _d;
-        response.set({ 'Cache-Control': 'no-store', Pragma: 'no-cache' });
-        const requestContext = (0, router_1.getRequestContext)(request);
-        const { agentContext, issuer } = requestContext;
-        const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService_1.OpenId4VcIssuerService);
-        const issuanceSessionRepository = agentContext.dependencyManager.resolve(repository_1.OpenId4VcIssuanceSessionRepository);
-        const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer);
-        const accessTokenSigningKey = core_1.Key.fromFingerprint(issuer.accessTokenPublicKeyFingerprint);
-        const oauth2AuthorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext);
-        const fullRequestUrl = (0, core_1.joinUriParts)(issuerMetadata.credentialIssuer.credential_issuer, [
-            config.accessTokenEndpointPath,
-        ]);
-        const requestLike = {
-            headers: new Headers(request.headers),
-            method: request.method,
-            url: fullRequestUrl,
-        };
-        const { accessTokenRequest, grant, dpopJwt, pkceCodeVerifier } = oauth2AuthorizationServer.parseAccessTokenRequest({
-            accessTokenRequest: request.body,
-            request: requestLike,
-        });
-        const issuanceSession = await issuanceSessionRepository.findSingleByQuery(agentContext, {
-            preAuthorizedCode: grant.grantType === oauth2_1.preAuthorizedCodeGrantIdentifier ? grant.preAuthorizedCode : undefined,
-            authorizationCode: grant.grantType === oauth2_1.authorizationCodeGrantIdentifier ? grant.code : undefined,
-        });
-        const allowedStates = grant.grantType === oauth2_1.preAuthorizedCodeGrantIdentifier
-            ? [OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.OfferCreated, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.OfferUriRetrieved]
-            : [OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AuthorizationGranted];
-        if (!issuanceSession || !allowedStates.includes(issuanceSession.state)) {
-            throw new oauth2_1.Oauth2ServerErrorResponseError({
-                error: oauth2_1.Oauth2ErrorCodes.InvalidGrant,
-                error_description: 'Invalid authorization code',
-            });
-        }
-        if (Date.now() >
-            (0, utils_1.addSecondsToDate)(issuanceSession.createdAt, config.statefullCredentialOfferExpirationInSeconds).getTime()) {
-            issuanceSession.errorMessage = 'Credential offer has expired';
-            await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.Error);
-            throw new oauth2_1.Oauth2ServerErrorResponseError({
-                // What is the best error here?
-                error: oauth2_1.Oauth2ErrorCodes.InvalidGrant,
-                error_description: 'Session expired',
-            });
-        }
-        let verificationResult;
-        try {
-            if (grant.grantType === oauth2_1.preAuthorizedCodeGrantIdentifier) {
-                if (!issuanceSession.preAuthorizedCode) {
-                    throw new oauth2_1.Oauth2ServerErrorResponseError({
-                        error: oauth2_1.Oauth2ErrorCodes.InvalidGrant,
-                        error_description: 'Invalid authorization code',
-                    }, {
-                        internalMessage: 'Found issuance session without preAuthorizedCode. This should not happen as the issuance session is fetched based on the pre authorized code',
-                    });
-                }
-                verificationResult = await oauth2AuthorizationServer.verifyPreAuthorizedCodeAccessTokenRequest({
-                    accessTokenRequest,
-                    expectedPreAuthorizedCode: issuanceSession.preAuthorizedCode,
-                    grant,
-                    request: requestLike,
-                    dpop: {
-                        jwt: dpopJwt,
-                        // This will only have effect when DPoP is not present.
-                        // If it is present it will always be verified
-                        required: config.dpopRequired,
-                    },
-                    expectedTxCode: issuanceSession.userPin,
-                    preAuthorizedCodeExpiresAt: (0, utils_1.addSecondsToDate)(issuanceSession.createdAt, config.statefullCredentialOfferExpirationInSeconds),
-                });
-            }
-            else if (grant.grantType === oauth2_1.authorizationCodeGrantIdentifier) {
-                if (!((_a = issuanceSession.authorization) === null || _a === void 0 ? void 0 : _a.code) || !((_b = issuanceSession.authorization) === null || _b === void 0 ? void 0 : _b.codeExpiresAt)) {
-                    throw new oauth2_1.Oauth2ServerErrorResponseError({
-                        error: oauth2_1.Oauth2ErrorCodes.InvalidGrant,
-                        error_description: 'Invalid authorization code',
-                    }, {
-                        internalMessage: 'Found issuance session without authorization.code or authorization.codeExpiresAt. This should not happen as the issuance session is fetched based on the authorization code',
-                    });
-                }
-                verificationResult = await oauth2AuthorizationServer.verifyAuthorizationCodeAccessTokenRequest({
-                    accessTokenRequest,
-                    expectedCode: issuanceSession.authorization.code,
-                    codeExpiresAt: issuanceSession.authorization.codeExpiresAt,
-                    grant,
-                    request: requestLike,
-                    dpop: {
-                        jwt: dpopJwt,
-                        // This will only have effect when DPoP is not present.
-                        // If it is present it will always be verified
-                        required: config.dpopRequired,
-                    },
-                    pkce: issuanceSession.pkce
-                        ? {
-                            codeChallenge: issuanceSession.pkce.codeChallenge,
-                            codeChallengeMethod: issuanceSession.pkce.codeChallengeMethod,
-                            codeVerifier: pkceCodeVerifier,
-                        }
-                        : undefined,
-                });
-            }
-            else {
-                throw new oauth2_1.Oauth2ServerErrorResponseError({
-                    error: oauth2_1.Oauth2ErrorCodes.UnsupportedGrantType,
-                    error_description: 'Unsupported grant type',
-                });
-            }
-            await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AccessTokenRequested);
-            const { cNonce, cNonceExpiresInSeconds } = await openId4VcIssuerService.createNonce(agentContext, issuer);
-            // for authorization code flow we take the authorization scopes. For pre-auth we don't use scopes (we just
-            // use the offered credential configuration ids so a scope is not required)
-            const scopes = grant.grantType === oauth2_1.authorizationCodeGrantIdentifier ? (_c = issuanceSession.authorization) === null || _c === void 0 ? void 0 : _c.scopes : undefined;
-            const subject = `credo:${core_1.utils.uuid()}`;
-            const signerJwk = (0, core_1.getJwkFromKey)(accessTokenSigningKey);
-            const accessTokenResponse = await oauth2AuthorizationServer.createAccessTokenResponse({
-                audience: issuerMetadata.credentialIssuer.credential_issuer,
-                authorizationServer: issuerMetadata.credentialIssuer.credential_issuer,
-                expiresInSeconds: config.accessTokenExpiresInSeconds,
-                signer: {
-                    method: 'jwk',
-                    alg: signerJwk.supportedSignatureAlgorithms[0],
-                    publicJwk: signerJwk.toJson(),
-                },
-                dpopJwk: verificationResult.dpopJwk,
-                scope: scopes === null || scopes === void 0 ? void 0 : scopes.join(' '),
-                clientId: issuanceSession.clientId,
-                additionalAccessTokenPayload: {
-                    'pre-authorized_code': grant.grantType === oauth2_1.preAuthorizedCodeGrantIdentifier ? grant.preAuthorizedCode : undefined,
-                    issuer_state: (_d = issuanceSession.authorization) === null || _d === void 0 ? void 0 : _d.issuerState,
-                },
-                // We generate a random subject for each access token and bind the issuance session to this.
-                subject,
-                // NOTE: these have been removed in newer drafts. Keeping them in for now
-                cNonce,
-                cNonceExpiresIn: cNonceExpiresInSeconds,
-            });
-            issuanceSession.authorization = Object.assign(Object.assign({}, issuanceSession.authorization), { subject });
-            await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AccessTokenCreated);
-            return (0, router_1.sendJsonResponse)(response, next, accessTokenResponse);
-        }
-        catch (error) {
-            if (error instanceof oauth2_1.Oauth2ServerErrorResponseError) {
-                return (0, router_1.sendOauth2ErrorResponse)(response, next, agentContext.config.logger, error);
-            }
-            return (0, router_1.sendUnknownServerErrorResponse)(response, next, agentContext.config.logger, error);
-        }
-    };
-}
-//# sourceMappingURL=accessTokenEndpoint.js.map

package/build/openid4vc-issuer/router/accessTokenEndpoint.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"accessTokenEndpoint.js","sourceRoot":"","sources":["../../../src/openid4vc-issuer/router/accessTokenEndpoint.ts"],"names":[],"mappings":";;AAwBA,oEAEC;AAED,gDA0LC;AAjND,6CAKyB;AACzB,yCAAwE;AAExE,gDAK4B;AAC5B,8CAAqD;AACrD,oFAAgF;AAChF,sEAAkE;AAClE,8CAAkE;AAElE,SAAgB,4BAA4B,CAAC,MAAc,EAAE,MAAmC;IAC9F,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,uBAAuB,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAA;AACzE,CAAC;AAED,SAAgB,kBAAkB,CAAC,MAAmC;IACpE,OAAO,KAAK,EAAE,OAAiC,EAAE,QAAkB,EAAE,IAAkB,EAAE,EAAE;;QACzF,QAAQ,CAAC,GAAG,CAAC,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAA;QACjE,MAAM,cAAc,GAAG,IAAA,0BAAiB,EAAC,OAAO,CAAC,CAAA;QACjD,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,cAAc,CAAA;QAE/C,MAAM,sBAAsB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAsB,CAAC,CAAA;QAC7F,MAAM,yBAAyB,GAAG,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,+CAAkC,CAAC,CAAA;QAC5G,MAAM,cAAc,GAAG,MAAM,sBAAsB,CAAC,iBAAiB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;QAC3F,MAAM,qBAAqB,GAAG,UAAG,CAAC,eAAe,CAAC,MAAM,CAAC,+BAA+B,CAAC,CAAA;QACzF,MAAM,yBAAyB,GAAG,sBAAsB,CAAC,4BAA4B,CAAC,YAAY,CAAC,CAAA;QAEnG,MAAM,cAAc,GAAG,IAAA,mBAAY,EAAC,cAAc,CAAC,gBAAgB,CAAC,iBAAiB,EAAE;YACrF,MAAM,CAAC,uBAAuB;SAC/B,CAAC,CAAA;QACF,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,CAAC,OAAiC,CAAC;YAC/D,MAAM,EAAE,OAAO,CAAC,MAAoB;YACpC,GAAG,EAAE,cAAc;SACX,CAAA;QAEV,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,yBAAyB,CAAC,uBAAuB,CAAC;YACjH,kBAAkB,EAAE,OAAO,CAAC,IAAI;YAChC,OAAO,EAAE,WAAW;SACrB,CAAC,CAAA;QAEF,MAAM,eAAe,GAAG,MAAM,yBAAyB,CAAC,iBAAiB,CAAC,YAAY,EAAE;YACtF,iBAAiB,EAAE,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS;YAC7G,iBAAiB,EAAE,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;SACjG,CAAC,CAAA;QACF,MAAM,aAAa,GACjB,KAAK,CAAC,SAAS,KAAK,yCAAgC;YAClD,CAAC,CAAC,CAAC,6DAA6B,CAAC,YAAY,EAAE,6DAA6B,CAAC,iBAAiB,CAAC;YAC/F,CAAC,CAAC,CAAC,6DAA6B,CAAC,oBAAoB,CAAC,CAAA;QAC1D,IAAI,CAAC,eAAe,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,uCAA8B,CAAC;gBACvC,KAAK,EAAE,yBAAgB,CAAC,YAAY;gBACpC,iBAAiB,EAAE,4BAA4B;aAChD,CAAC,CAAA;QACJ,CAAC;QAED,IACE,IAAI,CAAC,GAAG,EAAE;YACV,IAAA,wBAAgB,EAAC,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC,2CAA2C,CAAC,CAAC,OAAO,EAAE,EACzG,CAAC;YACD,eAAe,CAAC,YAAY,GAAG,8BAA8B,CAAA;YAC7D,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,eAAe,EAAE,6DAA6B,CAAC,KAAK,CAAC,CAAA;YAC5G,MAAM,IAAI,uCAA8B,CAAC;gBACvC,+BAA+B;gBAC/B,KAAK,EAAE,yBAAgB,CAAC,YAAY;gBACpC,iBAAiB,EAAE,iBAAiB;aACrC,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,kBAAkD,CAAA;QACtD,IAAI,CAAC;YACH,IAAI,KAAK,CAAC,SAAS,KAAK,yCAAgC,EAAE,CAAC;gBACzD,IAAI,CAAC,eAAe,CAAC,iBAAiB,EAAE,CAAC;oBACvC,MAAM,IAAI,uCAA8B,CACtC;wBACE,KAAK,EAAE,yBAAgB,CAAC,YAAY;wBACpC,iBAAiB,EAAE,4BAA4B;qBAChD,EACD;wBACE,eAAe,EACb,8IAA8I;qBACjJ,CACF,CAAA;gBACH,CAAC;gBAED,kBAAkB,GAAG,MAAM,yBAAyB,CAAC,yCAAyC,CAAC;oBAC7F,kBAAkB;oBAClB,yBAAyB,EAAE,eAAe,CAAC,iBAAiB;oBAC5D,KAAK;oBACL,OAAO,EAAE,WAAW;oBACpB,IAAI,EAAE;wBACJ,GAAG,EAAE,OAAO;wBACZ,uDAAuD;wBACvD,8CAA8C;wBAC9C,QAAQ,EAAE,MAAM,CAAC,YAAY;qBAC9B;oBACD,cAAc,EAAE,eAAe,CAAC,OAAO;oBACvC,0BAA0B,EAAE,IAAA,wBAAgB,EAC1C,eAAe,CAAC,SAAS,EACzB,MAAM,CAAC,2CAA2C,CACnD;iBACF,CAAC,CAAA;YACJ,CAAC;iBAAM,IAAI,KAAK,CAAC,SAAS,KAAK,yCAAgC,EAAE,CAAC;gBAChE,IAAI,CAAC,CAAA,MAAA,eAAe,CAAC,aAAa,0CAAE,IAAI,CAAA,IAAI,CAAC,CAAA,MAAA,eAAe,CAAC,aAAa,0CAAE,aAAa,CAAA,EAAE,CAAC;oBAC1F,MAAM,IAAI,uCAA8B,CACtC;wBACE,KAAK,EAAE,yBAAgB,CAAC,YAAY;wBACpC,iBAAiB,EAAE,4BAA4B;qBAChD,EACD;wBACE,eAAe,EACb,6KAA6K;qBAChL,CACF,CAAA;gBACH,CAAC;gBACD,kBAAkB,GAAG,MAAM,yBAAyB,CAAC,yCAAyC,CAAC;oBAC7F,kBAAkB;oBAClB,YAAY,EAAE,eAAe,CAAC,aAAa,CAAC,IAAI;oBAChD,aAAa,EAAE,eAAe,CAAC,aAAa,CAAC,aAAa;oBAC1D,KAAK;oBACL,OAAO,EAAE,WAAW;oBACpB,IAAI,EAAE;wBACJ,GAAG,EAAE,OAAO;wBACZ,uDAAuD;wBACvD,8CAA8C;wBAC9C,QAAQ,EAAE,MAAM,CAAC,YAAY;qBAC9B;oBACD,IAAI,EAAE,eAAe,CAAC,IAAI;wBACxB,CAAC,CAAC;4BACE,aAAa,EAAE,eAAe,CAAC,IAAI,CAAC,aAAa;4BACjD,mBAAmB,EAAE,eAAe,CAAC,IAAI,CAAC,mBAAmB;4BAC7D,YAAY,EAAE,gBAAgB;yBAC/B;wBACH,CAAC,CAAC,SAAS;iBACd,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,uCAA8B,CAAC;oBACvC,KAAK,EAAE,yBAAgB,CAAC,oBAAoB;oBAC5C,iBAAiB,EAAE,wBAAwB;iBAC5C,CAAC,CAAA;YACJ,CAAC;YAED,MAAM,sBAAsB,CAAC,WAAW,CACtC,YAAY,EACZ,eAAe,EACf,6DAA6B,CAAC,oBAAoB,CACnD,CAAA;YACD,MAAM,EAAE,MAAM,EAAE,sBAAsB,EAAE,GAAG,MAAM,sBAAsB,CAAC,WAAW,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;YAEzG,0GAA0G;YAC1G,2EAA2E;YAC3E,MAAM,MAAM,GACV,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,MAAA,eAAe,CAAC,aAAa,0CAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAA;YAC1G,MAAM,OAAO,GAAG,SAAS,YAAK,CAAC,IAAI,EAAE,EAAE,CAAA;YAEvC,MAAM,SAAS,GAAG,IAAA,oBAAa,EAAC,qBAAqB,CAAC,CAAA;YACtD,MAAM,mBAAmB,GAAG,MAAM,yBAAyB,CAAC,yBAAyB,CAAC;gBACpF,QAAQ,EAAE,cAAc,CAAC,gBAAgB,CAAC,iBAAiB;gBAC3D,mBAAmB,EAAE,cAAc,CAAC,gBAAgB,CAAC,iBAAiB;gBACtE,gBAAgB,EAAE,MAAM,CAAC,2BAA2B;gBACpD,MAAM,EAAE;oBACN,MAAM,EAAE,KAAK;oBACb,GAAG,EAAE,SAAS,CAAC,4BAA4B,CAAC,CAAC,CAAC;oBAC9C,SAAS,EAAE,SAAS,CAAC,MAAM,EAAE;iBAC9B;gBACD,OAAO,EAAE,kBAAkB,CAAC,OAAO;gBACnC,KAAK,EAAE,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,IAAI,CAAC,GAAG,CAAC;gBACxB,QAAQ,EAAE,eAAe,CAAC,QAAQ;gBAElC,4BAA4B,EAAE;oBAC5B,qBAAqB,EACnB,KAAK,CAAC,SAAS,KAAK,yCAAgC,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS;oBAC5F,YAAY,EAAE,MAAA,eAAe,CAAC,aAAa,0CAAE,WAAW;iBACzD;gBACD,4FAA4F;gBAC5F,OAAO;gBAEP,yEAAyE;gBACzE,MAAM;gBACN,eAAe,EAAE,sBAAsB;aACxC,CAAC,CAAA;YAEF,eAAe,CAAC,aAAa,mCACxB,eAAe,CAAC,aAAa,KAChC,OAAO,GACR,CAAA;YACD,MAAM,sBAAsB,CAAC,WAAW,CACtC,YAAY,EACZ,eAAe,EACf,6DAA6B,CAAC,kBAAkB,CACjD,CAAA;YAED,OAAO,IAAA,yBAAgB,EAAC,QAAQ,EAAE,IAAI,EAAE,mBAAmB,CAAC,CAAA;QAC9D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,uCAA8B,EAAE,CAAC;gBACpD,OAAO,IAAA,gCAAuB,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YACnF,CAAC;YAED,OAAO,IAAA,uCAA8B,EAAC,QAAQ,EAAE,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;QAC1F,CAAC;IACH,CAAC,CAAA;AACH,CAAC"}

package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.d.ts

@@ -1,3 +0,0 @@
-import type { Router } from 'express';
-import { OpenId4VcIssuerModuleConfig } from '../OpenId4VcIssuerModuleConfig';
-export declare function configureAuthorizationChallengeEndpoint(router: Router, config: OpenId4VcIssuerModuleConfig): void;

package/build/openid4vc-issuer/router/authorizationChallengeEndpoint.js

@@ -1,213 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.configureAuthorizationChallengeEndpoint = configureAuthorizationChallengeEndpoint;
-const oauth2_1 = require("@animo-id/oauth2");
-const core_1 = require("@credo-ts/core");
-const openid4vc_verifier_1 = require("../../openid4vc-verifier");
-const shared_1 = require("../../shared");
-const router_1 = require("../../shared/router");
-const utils_1 = require("../../shared/utils");
-const OpenId4VcIssuanceSessionState_1 = require("../OpenId4VcIssuanceSessionState");
-const OpenId4VcIssuerModuleConfig_1 = require("../OpenId4VcIssuerModuleConfig");
-const OpenId4VcIssuerService_1 = require("../OpenId4VcIssuerService");
-function configureAuthorizationChallengeEndpoint(router, config) {
-    router.post(config.authorizationChallengeEndpointPath, async (request, response, next) => {
-        const requestContext = (0, router_1.getRequestContext)(request);
-        const { agentContext, issuer } = requestContext;
-        try {
-            const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService_1.OpenId4VcIssuerService);
-            const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext);
-            const { authorizationChallengeRequest } = authorizationServer.parseAuthorizationChallengeRequest({
-                authorizationChallengeRequest: request.body,
-            });
-            if (authorizationChallengeRequest.auth_session) {
-                await handleAuthorizationChallengeWithAuthSession({
-                    response,
-                    next,
-                    authorizationChallengeRequest: Object.assign(Object.assign({}, authorizationChallengeRequest), { auth_session: authorizationChallengeRequest.auth_session }),
-                    agentContext,
-                    issuer,
-                });
-            }
-            else {
-                // First call, no auth_sesion yet
-                await handleAuthorizationChallengeNoAuthSession({
-                    authorizationChallengeRequest,
-                    agentContext,
-                    issuer,
-                });
-            }
-        }
-        catch (error) {
-            if (error instanceof oauth2_1.Oauth2ServerErrorResponseError) {
-                return (0, router_1.sendOauth2ErrorResponse)(response, next, agentContext.config.logger, error);
-            }
-            return (0, router_1.sendUnknownServerErrorResponse)(response, next, agentContext.config.logger, error);
-        }
-    });
-}
-async function handleAuthorizationChallengeNoAuthSession(options) {
-    const { agentContext, issuer, authorizationChallengeRequest } = options;
-    // First call, no auth_sesion yet
-    const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService_1.OpenId4VcIssuerService);
-    const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig_1.OpenId4VcIssuerModuleConfig);
-    const issuerMetadata = await openId4VcIssuerService.getIssuerMetadata(agentContext, issuer);
-    const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext);
-    if (!config.getVerificationSessionForIssuanceSessionAuthorization) {
-        throw new oauth2_1.Oauth2ServerErrorResponseError({
-            error: oauth2_1.Oauth2ErrorCodes.ServerError,
-        }, {
-            internalMessage: `Missing required 'getVerificationSessionForIssuanceSessionAuthorization' callback in openid4vc issuer module config. This callback is required for presentation during issuance flows.`,
-        });
-    }
-    if (!authorizationChallengeRequest.scope) {
-        throw new oauth2_1.Oauth2ServerErrorResponseError({
-            error: oauth2_1.Oauth2ErrorCodes.InvalidScope,
-            error_description: `Missing required 'scope' parameter`,
-        });
-    }
-    if (!authorizationChallengeRequest.issuer_state) {
-        throw new oauth2_1.Oauth2ServerErrorResponseError({
-            error: oauth2_1.Oauth2ErrorCodes.InvalidRequest,
-            error_description: `Missing required 'issuer_state' parameter. Only requests initiated by a credential offer are supported for authorization challenge.`,
-        });
-    }
-    // FIXME: we need to authenticate the client. Could be either using client_id/client_secret
-    // but that doesn't make sense for wallets. So for now we just allow any client_id and we will
-    // need OAuth2 Attestation Based Client Auth and dynamically allow client_ids based on wallet providers
-    // we trust. Will add this in a follow up PR (basically we do no client authentication at the moment)
-    // if (!authorizationChallengeRequest.client_id) {
-    //   throw new Oauth2ServerErrorResponseError({
-    //     error: Oauth2ErrorCodes.InvalidRequest,
-    //     error_description: `Missing required 'client_id' parameter..`,
-    //   })
-    // }
-    const issuanceSession = await openId4VcIssuerService.findSingleIssuancSessionByQuery(agentContext, {
-        issuerId: issuer.issuerId,
-        issuerState: authorizationChallengeRequest.issuer_state,
-    });
-    const allowedStates = [OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.OfferCreated, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.OfferUriRetrieved];
-    if (!issuanceSession || !allowedStates.includes(issuanceSession.state)) {
-        throw new oauth2_1.Oauth2ServerErrorResponseError({
-            error: oauth2_1.Oauth2ErrorCodes.InvalidRequest,
-            error_description: `Invalid 'issuer_state' parameter`,
-        }, {
-            internalMessage: !issuanceSession
-                ? `Issuance session not found for 'issuer_state' parameter '${authorizationChallengeRequest.issuer_state}'`
-                : `Issuance session '${issuanceSession.id}' has state '${issuanceSession.state}' but expected one of ${allowedStates.join(', ')}`,
-        });
-    }
-    const offeredCredentialConfigurations = (0, shared_1.getOfferedCredentials)(issuanceSession.credentialOfferPayload.credential_configuration_ids, issuerMetadata.credentialIssuer.credential_configurations_supported);
-    const allowedScopes = (0, shared_1.getScopesFromCredentialConfigurationsSupported)(offeredCredentialConfigurations);
-    const requestedScopes = (0, shared_1.getAllowedAndRequestedScopeValues)({
-        allowedScopes,
-        requestedScope: authorizationChallengeRequest.scope,
-    });
-    const requestedCredentialConfigurations = (0, shared_1.getCredentialConfigurationsSupportedForScopes)(offeredCredentialConfigurations, requestedScopes);
-    if (requestedScopes.length === 0 || Object.keys(requestedCredentialConfigurations).length === 0) {
-        throw new oauth2_1.Oauth2ServerErrorResponseError({
-            error: oauth2_1.Oauth2ErrorCodes.InvalidScope,
-            error_description: `No requested 'scope' values match with offered credential configurations.`,
-        });
-    }
-    const { authorizationRequest, verificationSession, scopes: presentationScopes, } = await config.getVerificationSessionForIssuanceSessionAuthorization({
-        agentContext,
-        issuanceSession,
-        requestedCredentialConfigurations,
-        scopes: requestedScopes,
-    });
-    // Store presentation during issuance session on the record
-    verificationSession.presentationDuringIssuanceSession = core_1.TypedArrayEncoder.toBase64URL(agentContext.wallet.getRandomValues(32));
-    await agentContext.dependencyManager
-        .resolve(openid4vc_verifier_1.OpenId4VcVerificationSessionRepository)
-        .update(agentContext, verificationSession);
-    const authSession = core_1.TypedArrayEncoder.toBase64URL(agentContext.wallet.getRandomValues(32));
-    issuanceSession.authorization = Object.assign(Object.assign({}, issuanceSession.authorization), { scopes: presentationScopes });
-    issuanceSession.presentation = {
-        required: true,
-        authSession,
-        openId4VcVerificationSessionId: verificationSession.id,
-    };
-    // NOTE: should only allow authenticated clients in the future.
-    issuanceSession.clientId = authorizationChallengeRequest.client_id;
-    await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AuthorizationInitiated);
-    const authorizationChallengeErrorResponse = authorizationServer.createAuthorizationChallengePresentationErrorResponse({
-        authSession,
-        presentation: authorizationRequest,
-        errorDescription: 'Presentation required before issuance',
-    });
-    throw new oauth2_1.Oauth2ServerErrorResponseError(authorizationChallengeErrorResponse);
-}
-async function handleAuthorizationChallengeWithAuthSession(options) {
-    const { agentContext, issuer, authorizationChallengeRequest, response, next } = options;
-    const openId4VcIssuerService = agentContext.dependencyManager.resolve(OpenId4VcIssuerService_1.OpenId4VcIssuerService);
-    const config = agentContext.dependencyManager.resolve(OpenId4VcIssuerModuleConfig_1.OpenId4VcIssuerModuleConfig);
-    const authorizationServer = openId4VcIssuerService.getOauth2AuthorizationServer(agentContext);
-    const verifierApi = agentContext.dependencyManager.resolve(openid4vc_verifier_1.OpenId4VcVerifierApi);
-    // NOTE: we ignore scope, issuer_state etc.. parameters if auth_session is present
-    // should we validate that these are not in the request? I'm not sure what best practive would be here
-    const issuanceSession = await openId4VcIssuerService.findSingleIssuancSessionByQuery(agentContext, {
-        issuerId: issuer.issuerId,
-        presentationAuthSession: authorizationChallengeRequest.auth_session,
-    });
-    const allowedStates = [OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AuthorizationInitiated];
-    if (!(issuanceSession === null || issuanceSession === void 0 ? void 0 : issuanceSession.presentation) ||
-        !issuanceSession.presentation.openId4VcVerificationSessionId ||
-        !issuanceSession.presentation.authSession ||
-        !allowedStates.includes(issuanceSession.state)) {
-        throw new oauth2_1.Oauth2ServerErrorResponseError({
-            error: oauth2_1.Oauth2ErrorCodes.InvalidSession,
-            error_description: `Invalid 'auth_session'`,
-        }, {
-            internalMessage: !issuanceSession
-                ? `Issuance session not found for 'auth_session' parameter '${authorizationChallengeRequest.auth_session}'`
-                : !(issuanceSession === null || issuanceSession === void 0 ? void 0 : issuanceSession.presentation)
-                    ? `Issuance session '${issuanceSession.id}' has no 'presentation'. This should not happen and means state is corrupted`
-                    : `Issuance session '${issuanceSession.id}' has state '${issuanceSession.state}' but expected one of ${allowedStates.join(', ')}`,
-        });
-    }
-    const { openId4VcVerificationSessionId } = issuanceSession.presentation;
-    await verifierApi
-        .getVerificationSessionById(openId4VcVerificationSessionId)
-        .catch(async () => {
-        // Issuance session is corrupted
-        issuanceSession.errorMessage = `Associated openId4VcVeificationSessionRecord with id '${openId4VcVerificationSessionId}' does not exist`;
-        await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.Error);
-        throw new oauth2_1.Oauth2ServerErrorResponseError({
-            error: oauth2_1.Oauth2ErrorCodes.InvalidSession,
-            error_description: `Invalid 'auth_session'`,
-        }, {
-            internalMessage: `Openid4vc verification session with id '${openId4VcVerificationSessionId}' not found during issuance session with id '${issuanceSession.id}'`,
-        });
-    })
-        .then(async (verificationSession) => {
-        // Issuance session cannot be used anymore
-        if (verificationSession.state === openid4vc_verifier_1.OpenId4VcVerificationSessionState.Error) {
-            issuanceSession.errorMessage = `Associated openId4VcVerificationSessionRecord with id '${openId4VcVerificationSessionId}' has error state`;
-            await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.Error);
-        }
-        if (verificationSession.state !== openid4vc_verifier_1.OpenId4VcVerificationSessionState.ResponseVerified ||
-            authorizationChallengeRequest.presentation_during_issuance_session !==
-                verificationSession.presentationDuringIssuanceSession) {
-            throw new oauth2_1.Oauth2ServerErrorResponseError({
-                error: oauth2_1.Oauth2ErrorCodes.InvalidSession,
-                error_description: `Invalid presentation for 'auth_session'`,
-            }, {
-                internalMessage: verificationSession.state !== openid4vc_verifier_1.OpenId4VcVerificationSessionState.ResponseVerified
-                    ? `Openid4vc verification session with id '${openId4VcVerificationSessionId}' has state '${verificationSession.state}', while '${openid4vc_verifier_1.OpenId4VcVerificationSessionState.ResponseVerified}' was expected.`
-                    : `Openid4vc verification session with id '${openId4VcVerificationSessionId}' has 'presentation_during_issuance_session' '${verificationSession.presentationDuringIssuanceSession}', but authorization challenge request provided value '${authorizationChallengeRequest.presentation_during_issuance_session}'.`,
-            });
-        }
-    });
-    // Grant authorization
-    const authorizationCode = core_1.TypedArrayEncoder.toBase64URL(agentContext.wallet.getRandomValues(32));
-    const authorizationCodeExpiresAt = (0, utils_1.addSecondsToDate)(new Date(), config.authorizationCodeExpiresInSeconds);
-    issuanceSession.authorization = Object.assign(Object.assign({}, issuanceSession.authorization), { code: authorizationCode, codeExpiresAt: authorizationCodeExpiresAt });
-    // TODO: we need to start using locks so we can't get corrupted state
-    await openId4VcIssuerService.updateState(agentContext, issuanceSession, OpenId4VcIssuanceSessionState_1.OpenId4VcIssuanceSessionState.AuthorizationGranted);
-    const { authorizationChallengeResponse } = authorizationServer.createAuthorizationChallengeResponse({
-        authorizationCode,
-    });
-    return (0, router_1.sendJsonResponse)(response, next, authorizationChallengeResponse);
-}
-//# sourceMappingURL=authorizationChallengeEndpoint.js.map