@digitalbazaar/oid4-client 3.5.0 → 3.7.0

package/lib/OID4Client.js

@@ -1,7 +1,7 @@
 /*!
  * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
  */
-import {discoverIssuer, generateDIDProofJWT} from './util.js';
+import {generateDIDProofJWT, robustDiscoverIssuer} from './util.js';
 import {httpClient} from '@digitalbazaar/http-client';
 
 const GRANT_TYPES = new Map([
@@ -27,7 +27,9 @@ export class OID4Client {
       if(!offer) {
         throw new TypeError('"credentialDefinition" must be an object.');
       }
-      requests = _createCredentialRequestsFromOffer({issuerConfig, offer});
+      requests = _createCredentialRequestsFromOffer({
+        issuerConfig, offer, format
+      });
       if(requests.length > 1) {
         throw new Error(
           'More than one credential is offered; ' +
@@ -48,7 +50,9 @@ export class OID4Client {
   } = {}) {
     const {issuerConfig, offer} = this;
     if(requests === undefined && offer) {
-      requests = _createCredentialRequestsFromOffer({issuerConfig, offer});
+      requests = _createCredentialRequestsFromOffer({
+        issuerConfig, offer, format
+      });
     } else if(!(Array.isArray(requests) && requests.length > 0)) {
       throw new TypeError('"requests" must be an array of length >= 1.');
     }
@@ -159,7 +163,7 @@ export class OID4Client {
             nonce,
             // the entity identified by the DID is issuing this JWT
             iss: did,
-            // audience MUST be the target issuer per the OID4VC spec
+            // audience MUST be the target issuer per the OID4VCI spec
             aud
           });
 
@@ -206,7 +210,12 @@ export class OID4Client {
   // create a client from a credential offer
   static async fromCredentialOffer({offer, agent} = {}) {
     // validate offer
-    const {credential_issuer, credentials, grants = {}} = offer;
+    const {
+      credential_issuer,
+      credentials,
+      credential_configuration_ids,
+      grants = {}
+    } = offer;
     let parsedIssuer;
     try {
       parsedIssuer = new URL(credential_issuer);
@@ -216,8 +225,20 @@ export class OID4Client {
     } catch(cause) {
       throw new Error('"offer.credential_issuer" is not valid.', {cause});
     }
-    if(!(Array.isArray(credentials) && credentials.length > 0 &&
-      credentials.every(c => c && typeof c === 'object'))) {
+    if(credentials === undefined &&
+      credential_configuration_ids === undefined) {
+      throw new Error(
+        'Either "offer.credential_configuration_ids" or ' +
+        '"offer.credentials" is required.');
+    }
+    if(credential_configuration_ids !== undefined &&
+      !Array.isArray(credential_configuration_ids)) {
+      throw new Error('"offer.credential_configuration_ids" is not valid.');
+    }
+    if(credentials !== undefined &&
+      !(Array.isArray(credentials) && credentials.length > 0 &&
+      credentials.every(c => c && (
+        typeof c === 'object' || typeof c === 'string')))) {
       throw new Error('"offer.credentials" is not valid.');
     }
     const grant = grants[GRANT_TYPES.get('preAuthorizedCode')];
@@ -227,6 +248,7 @@ export class OID4Client {
     }
     const {
       'pre-authorized_code': preAuthorizedCode,
+      // FIXME: update to `tx_code` terminology
       user_pin_required: userPinRequired
     } = grant;
     if(!preAuthorizedCode) {
@@ -238,11 +260,9 @@ export class OID4Client {
 
     try {
       // discover issuer info
-      const issuerConfigUrl =
-        `${parsedIssuer.origin}/.well-known/openid-credential-issuer` +
-        parsedIssuer.pathname;
-      const {issuerConfig, metadata} = await discoverIssuer(
-        {issuerConfigUrl, agent});
+      const {issuerConfig, metadata} = await robustDiscoverIssuer({
+        issuer: credential_issuer, agent
+      });
 
       /* First get access token from AS (Authorization Server), e.g.:
 
@@ -306,8 +326,9 @@ export class OID4Client {
       }
 
       // create client w/access token
-      return new OID4Client(
-        {accessToken, agent, issuerConfig, metadata, offer});
+      return new OID4Client({
+        accessToken, agent, issuerConfig, metadata, offer
+      });
     } catch(cause) {
       const error = new Error('Could not create OID4 client.', {cause});
       error.name = 'OperationError';
@@ -376,9 +397,58 @@ function _isPresentationRequired(error) {
   return error.status === 400 && errorType === 'presentation_required';
 }
 
-function _createCredentialRequestFromId({id, issuerConfig}) {
-  const {credentials_supported: supported = []} = issuerConfig;
-  const meta = supported.find(d => d.id === id);
+function _createCredentialRequestsFromOffer({
+  issuerConfig, offer, format
+}) {
+  // get any supported credential configurations from issuer config
+  const supported = _createSupportedCredentialsMap({issuerConfig});
+
+  // build requests from credentials identified in `offer` and remove any
+  // that do not match the given format
+  const credentials = offer.credential_configuration_ids ?? offer.credentials;
+  const requests = credentials.map(c => {
+    if(typeof c === 'string') {
+      // use supported credential config
+      return _getSupportedCredentialById({id: c, supported});
+    }
+    return c;
+  }).filter(r => r.format === format);
+
+  if(requests.length === 0) {
+    throw new Error(
+      `No supported credential(s) with format "${format}" found.`);
+  }
+
+  return requests;
+}
+
+function _createSupportedCredentialsMap({issuerConfig}) {
+  const {
+    credential_configurations_supported,
+    credentials_supported
+  } = issuerConfig;
+
+  let supported;
+  if(credential_configurations_supported &&
+    typeof credential_configurations_supported === 'object') {
+    supported = new Map(Object.entries(
+      issuerConfig.credential_configurations_supported));
+  } else if(Array.isArray(credentials_supported)) {
+    // handle legacy `credentials_supported` array
+    supported = new Map();
+    for(const entry of issuerConfig.credentials_supported) {
+      supported.set(entry.id, entry);
+    }
+  } else {
+    // no supported credentials from issuer config
+    supported = new Map();
+  }
+
+  return supported;
+}
+
+function _getSupportedCredentialById({id, supported}) {
+  const meta = supported.get(id);
   if(!meta) {
     throw new Error(`No supported credential "${id}" found.`);
   }
@@ -388,21 +458,11 @@ function _createCredentialRequestFromId({id, issuerConfig}) {
       `Invalid supported credential "${id}"; "format" not specified.`);
   }
   if(!(Array.isArray(credential_definition?.['@context']) &&
-    Array.isArray(credential_definition?.types))) {
+    (Array.isArray(credential_definition?.types) ||
+    Array.isArray(credential_definition?.type)))) {
     throw new Error(
       `Invalid supported credential "${id}"; "credential_definition" not ` +
       'fully specified.');
   }
   return {format, credential_definition};
 }
-
-function _createCredentialRequestsFromOffer({issuerConfig, offer}) {
-  // build requests from `offer`
-  return offer.credentials.map(c => {
-    if(typeof c === 'string') {
-      // use issuer config metadata to dereference string
-      return _createCredentialRequestFromId({id: c, issuerConfig});
-    }
-    return c;
-  });
-}

package/lib/index.js

@@ -1,11 +1,13 @@
 /*!
- * Copyright (c) 2022-2023 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
  */
 export * as oid4vp from './oid4vp.js';
 export {
   discoverIssuer,
   generateDIDProofJWT,
+  getCredentialOffer,
   parseCredentialOfferUrl,
+  robustDiscoverIssuer,
   signJWT
 } from './util.js';
 export {OID4Client} from './OID4Client.js';

package/lib/util.js

@@ -1,5 +1,5 @@
 /*!
- * Copyright (c) 2022-2023 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Digital Bazaar, Inc. All rights reserved.
  */
 import * as base64url from 'base64url-universal';
 import {httpClient} from '@digitalbazaar/http-client';
@@ -46,6 +46,14 @@ export async function discoverIssuer({issuerConfigUrl, agent} = {}) {
       throw error;
     }
 
+    // ensure `credential_issuer` matches `issuer`, if present
+    const {credential_issuer} = issuerMetaData;
+    if(credential_issuer !== undefined && credential_issuer !== issuer) {
+      const error = new Error('"credential_issuer" must match "issuer".');
+      error.name = 'DataError';
+      throw error;
+    }
+
     /* Validate `issuer` value against `issuerConfigUrl` (per RFC 8414):
 
     The `origin` and `path` element must be parsed from `issuer` and checked
@@ -64,9 +72,19 @@ export async function discoverIssuer({issuerConfigUrl, agent} = {}) {
       expectedConfigUrl += pathname;
     }
     if(issuerConfigUrl !== expectedConfigUrl) {
-      const error = new Error('"issuer" does not match configuration URL.');
-      error.name = 'DataError';
-      throw error;
+      // alternatively, against RFC 8414, but according to OID4VCI, make sure
+      // the issuer config URL matches:
+      // <origin><path>/.well-known/<any-path-segment>
+      expectedConfigUrl = origin;
+      if(pathname !== '/') {
+        expectedConfigUrl += pathname;
+      }
+      expectedConfigUrl += `/.well-known/${anyPathSegment}`;
+      if(issuerConfigUrl !== expectedConfigUrl) {
+        const error = new Error('"issuer" does not match configuration URL.');
+        error.name = 'DataError';
+        throw error;
+      }
     }
 
     // fetch AS meta data
@@ -144,6 +162,43 @@ export async function generateDIDProofJWT({
   return signJWT({payload, protectedHeader, signer});
 }
 
+export async function getCredentialOffer({url, agent} = {}) {
+  const {protocol, searchParams} = new URL(url);
+  if(protocol !== 'openid-credential-offer:') {
+    throw new SyntaxError(
+      '"url" must express a URL with the ' +
+      '"openid-credential-offer" protocol.');
+  }
+  const offer = searchParams.get('credential_offer');
+  if(offer) {
+    return JSON.parse(offer);
+  }
+
+  // try to fetch offer from URL
+  const offerUrl = searchParams.get('credential_offer_uri');
+  if(!offerUrl) {
+    throw new SyntaxError(
+      'OID4VCI credential offer must have "credential_offer" or ' +
+      '"credential_offer_uri".');
+  }
+
+  if(!offerUrl.startsWith('https://')) {
+    const error = new Error(
+      `"credential_offer_uri" (${offerUrl}) must start with "https://".`);
+    error.name = 'NotSupportedError';
+    throw error;
+  }
+
+  const response = await fetchJSON({url: offerUrl, agent});
+  if(!response.data) {
+    const error = new Error(
+      `Credential offer fetched from "${offerUrl}" is not JSON.`);
+    error.name = 'DataError';
+    throw error;
+  }
+  return response.data;
+}
+
 export function parseCredentialOfferUrl({url} = {}) {
   assert(url, 'url', 'string');
 
@@ -171,6 +226,31 @@ export function parseCredentialOfferUrl({url} = {}) {
   return JSON.parse(searchParams.get('credential_offer'));
 }
 
+export async function robustDiscoverIssuer({issuer, agent} = {}) {
+  // try issuer config URLs based on OID4VCI (first) and RFC 8414 (second)
+  const parsedIssuer = new URL(issuer);
+  const {origin} = parsedIssuer;
+  const path = parsedIssuer.pathname === '/' ? '' : parsedIssuer.pathname;
+
+  const issuerConfigUrls = [
+    // OID4VCI
+    `${origin}${path}/.well-known/openid-credential-issuer`,
+    // RFC 8414
+    `${origin}/.well-known/openid-credential-issuer${path}`
+  ];
+
+  let error;
+  for(const issuerConfigUrl of issuerConfigUrls) {
+    try {
+      const config = await discoverIssuer({issuerConfigUrl, agent});
+      return config;
+    } catch(e) {
+      error = e;
+    }
+  }
+  throw error;
+}
+
 export async function signJWT({payload, protectedHeader, signer} = {}) {
   // encode payload and protected header
   const b64Payload = base64url.encode(JSON.stringify(payload));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digitalbazaar/oid4-client",
-  "version": "3.5.0",
+  "version": "3.7.0",
   "description": "An OID4 (VC + VP) client",
   "homepage": "https://github.com/digitalbazaar/oid4-client",
   "author": {