@digitalbazaar/oid4-client 5.9.0 → 5.10.0

package/lib/OID4Client.js

@@ -1,7 +1,10 @@
 /*!
- * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc.
  */
-import {createCredentialRequestsFromOffer} from './oid4vci/credentialOffer.js';
+import {
+  createAuthorizationDetailsFromOffer, createCredentialRequestsFromOffer
+} from './oid4vci/credentialOffer.js';
+import {createNamedError} from './util.js';
 import {generateDIDProofJWT} from './oid4vci/proofs.js';
 import {httpClient} from '@digitalbazaar/http-client';
 import {robustDiscoverIssuer} from './oid4vci/discovery.js';
@@ -12,12 +15,23 @@ const GRANT_TYPES = new Map([
 const HEADERS = {accept: 'application/json'};
 
 export class OID4Client {
-  constructor({accessToken = null, agent, issuerConfig, metadata, offer} = {}) {
+  constructor({
+    accessToken = null, agent, authorizationDetails,
+    issuerConfig, metadata, offer,
+    // default to "compatible" versions where the client will attempt to
+    // detect and work with whatever version the server supports, for the
+    // versions presently supported by this library
+    oid4vciVersion = 'detect',
+    oid4vpVersion = 'detect'
+  } = {}) {
     this.accessToken = accessToken;
     this.agent = agent;
+    this.authorizationDetails = authorizationDetails;
     this.metadata = metadata;
     this.issuerConfig = issuerConfig;
     this.offer = offer;
+    this.oid4vciVersion = oid4vciVersion;
+    this.oid4vpVersion = oid4vpVersion;
   }
 
   async getNonce({agent, headers = HEADERS} = {}) {
@@ -26,57 +40,59 @@ export class OID4Client {
       // get nonce endpoint
       const {nonce_endpoint: url} = this.issuerConfig;
       if(url === undefined) {
-        const error = new Error('Credential issuer has no "nonce_endpoint".');
-        error.name = 'DataError';
-        throw error;
+        throw createNamedError({
+          message: 'Credential issuer has no "nonce_endpoint".',
+          name: 'DataError'
+        });
       }
       if(!url?.startsWith('https://')) {
-        const error = new Error(
-          `Nonce endpoint "${url}" does not start with "https://".`);
-        error.name = 'DataError';
-        throw error;
+        throw createNamedError({
+          message: `Nonce endpoint "${url}" does not start with "https://".`,
+          name: 'DataError'
+        });
       }
 
       // get nonce
       response = await httpClient.post(url, {agent, headers});
       if(!response.data) {
-        const error = new Error('Nonce response format is not JSON.');
-        error.name = 'DataError';
-        throw error;
+        throw createNamedError({
+          message: 'Nonce response format is not JSON.',
+          name: 'DataError'
+        });
       }
       if(response.data.c_nonce === undefined) {
-        const error = new Error('Nonce not provided in response.');
-        error.name = 'DataError';
-        throw error;
+        throw createNamedError({
+          message: 'Nonce not provided in response.',
+          name: 'DataError'
+        });
       }
     } catch(cause) {
-      const error = new Error('Could not get nonce.', {cause});
-      error.name = 'DataError';
-      throw error;
+      throw createNamedError({
+        message: 'Could not get nonce.',
+        name: 'DataError',
+        cause
+      });
     }
 
     const {c_nonce: nonce} = response.data;
     return {nonce, response};
   }
 
+  // deprecated; always call `requestCredentials()` instead
   async requestCredential({
     credentialDefinition, did, didProofSigner, nonce, agent, format = 'ldp_vc'
   } = {}) {
-    const {issuerConfig, offer} = this;
+    const {authorizationDetails, issuerConfig, offer, oid4vciVersion} = this;
     let requests;
     if(credentialDefinition === undefined) {
       if(!offer) {
-        throw new TypeError('"credentialDefinition" must be an object.');
+        throw new TypeError('"offer" must be an object.');
       }
       requests = createCredentialRequestsFromOffer({
-        issuerConfig, offer, format
+        issuerConfig, offer, format, authorizationDetails, oid4vciVersion
       });
-      if(requests.length > 1) {
-        throw new Error(
-          'More than one credential is offered; ' +
-          'use "requestCredentials()" instead.');
-      }
     } else {
+      // OID4VCI Draft 13 only
       requests = [{
         format,
         credential_definition: credentialDefinition
@@ -93,292 +109,124 @@ export class OID4Client {
   } = {}) {
     // if `nonce` is given, then `did` and `didProofSigner` must also be
     if(nonce !== undefined && !(did && didProofSigner)) {
-      throw new Error(
-        'If "nonce" is given then "did" and "didProofSigner" are required.');
+      throw createNamedError({
+        message:
+          'If "nonce" is given then "did" and "didProofSigner" are required.',
+        name: 'DataError'
+      });
     }
 
-    const {issuerConfig, offer} = this;
+    const {authorizationDetails, issuerConfig, offer, oid4vciVersion} = this;
     if(requests === undefined && offer) {
       requests = createCredentialRequestsFromOffer({
-        issuerConfig, offer, format
+        issuerConfig, offer, format, authorizationDetails, oid4vciVersion
       });
     } else if(!(Array.isArray(requests) && requests.length > 0)) {
       throw new TypeError('"requests" must be an array of length >= 1.');
     }
     requests.forEach(_assertRequest);
-    // set default `format`
-    requests = requests.map(r => ({format, ...r}));
 
-    try {
-      /* First send credential request(s) to DS without DID proof JWT (unless
-      `nonce` is given) e.g.:
-
-      POST /credential HTTP/1.1
-      Host: server.example.com
-      Content-Type: application/json
-      Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW
-
-      {
-        "format": "ldp_vc",
-        "credential_definition": {...},
-        // only present on retry after server requests it or if nonce is given
-        "proof": {
-          "proof_type": "jwt",
-          "jwt": "eyJraW..."
-        }
-      }
-
-      OR (if multiple `requests` were given)
-
-      POST /batch_credential HTTP/1.1
-      Host: server.example.com
-      Content-Type: application/json
-      Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW
-
-      {
-        "credential_requests": [{
-          "format": "ldp_vc",
-          "credential_definition": {...},
-          // only present on retry after server requests it
-          "proof": {
-            "proof_type": "jwt",
-            "jwt": "eyJraW..."
-          }
-        }, {
-          ...
-        }]
-      }
-      */
-      let url;
-      let json;
-      if(requests.length > 1 || alwaysUseBatchEndpoint) {
-        ({batch_credential_endpoint: url} = this.issuerConfig);
-        json = {credential_requests: requests};
-      } else {
-        ({credential_endpoint: url} = this.issuerConfig);
-        json = {...requests[0]};
-      }
+    // determine if OID4VCI 1.0+ is to be used
+    const version1Plus = requests.some(r => r.credential_identifier);
 
-      if(nonce !== undefined) {
-        // add DID proof JWT to json
-        await _addDIDProofJWT({issuerConfig, json, nonce, did, didProofSigner});
-      }
+    if(!version1Plus) {
+      // set default `format` for requests with `credential_definition`
+      // (OID4VCI Draft 13 only)
+      requests = requests.map(
+        r => r.credential_definition ? {format, ...r} : r);
+    }
 
+    try {
       let result;
-      const headers = {
-        ...HEADERS,
-        authorization: `Bearer ${this.accessToken}`
-      };
-      for(let retries = 0; retries <= 1; ++retries) {
-        try {
-          const response = await httpClient.post(url, {agent, headers, json});
-          result = response.data;
-          if(!result) {
-            const error = new Error('Credential response format is not JSON.');
-            error.name = 'DataError';
-            throw error;
-          }
-          break;
-        } catch(cause) {
-          // presentation is required to continue issuance
-          if(_isPresentationRequired(cause)) {
-            const {data: details} = cause;
-            const error = new Error('Presentation is required.', {cause});
-            error.name = 'NotAllowedError';
-            error.details = details;
-            throw error;
-          }
-
-          if(!_isMissingProofError(cause)) {
-            // other non-specific error case
-            throw cause;
-          }
-
-          // if `didProofSigner` is not provided, throw error
-          if(!(did && didProofSigner)) {
-            const {data: details} = cause;
-            const error = new Error('DID authentication is required.', {cause});
-            error.name = 'NotAllowedError';
-            error.details = details;
-            throw error;
-          }
-
-          // validate that `result` has
-          let {data: {c_nonce: nonce}} = cause;
-          if(!(nonce && typeof nonce === 'string')) {
-            // try to get a nonce
-            ({nonce} = await this.getNonce({agent}));
-          }
-
-          // add DID proof JWT to json
-          await _addDIDProofJWT({
-            issuerConfig, json, nonce, did, didProofSigner
+      const {accessToken} = this;
+      if(version1Plus) {
+        // OID4VCI 1.0+ ... make N-many requests in parallel, with each one
+        // adding a DID proof, if requested and N-many nonces might be required
+        // FIXME: use p-queue to manage work
+        const {credential_endpoint: url} = issuerConfig;
+        const results = await Promise.all(requests.map(async request => {
+          const json = {...request};
+          return _requestCredential({
+            accessToken, issuerConfig,
+            url, json, nonce, did, didProofSigner, agent
           });
+        }));
+        // for backwards compatibility, return all results independently,
+        // combined, and singular (if applicable)
+        const credentials = results
+          .map(r => r?.credentials?.map(e => e.credential))
+          .flat();
+        result = {credential_responses: results, credentials};
+        // backwards compatibility with common draft 13 credential calls
+        if(credentials.length === 1) {
+          result.credential = credentials[0];
         }
+        if(credentials.every(c => c?.['@context'])) {
+          result.format = 'ldp_vc';
+        }
+      } else {
+        // draft 13...
+        let url;
+        let json;
+        if(requests.length > 1 || alwaysUseBatchEndpoint) {
+          ({batch_credential_endpoint: url} = issuerConfig);
+          json = {credential_requests: requests};
+        } else {
+          ({credential_endpoint: url} = issuerConfig);
+          json = {...requests[0]};
+        }
+        result = await _requestCredential({
+          accessToken, issuerConfig,
+          url, json, nonce, did, didProofSigner, agent
+        });
       }
-
-      // wallet / client receives credential(s):
-      /* Note: The credential is not wrapped here in a VP in the current spec:
-
-      HTTP/1.1 200 OK
-        Content-Type: application/json
-        Cache-Control: no-store
-
-      {
-        "format": "ldp_vc",
-        "credential" : {...}
-      }
-
-      OR (if multiple VCs *of the same type* were issued)
-
-      {
-        "format": "ldp_vc",
-        "credentials" : {...}
-      }
-
-      OR (if multiple `requests` were given)
-
-      {
-        "credential_responses": [{
-          "format": "ldp_vc",
-          "credential": {...}
-        }]
-      }
-      */
       return result;
     } catch(cause) {
-      const error = new Error('Could not receive credentials.', {cause});
-      error.name = 'OperationError';
-      throw error;
+      throw createNamedError({
+        message: 'Could not receive credentials.',
+        name: 'OperationError',
+        cause
+      });
     }
   }
 
   // create a client from a credential offer
-  static async fromCredentialOffer({offer, agent} = {}) {
-    // validate offer
-    const {
-      credential_issuer,
-      credentials,
-      credential_configuration_ids,
-      grants = {}
-    } = offer;
-    let parsedIssuer;
-    try {
-      parsedIssuer = new URL(credential_issuer);
-      if(parsedIssuer.protocol !== 'https:') {
-        throw new Error('Only "https" credential issuer URLs are supported.');
-      }
-    } catch(cause) {
-      throw new Error('"offer.credential_issuer" is not valid.', {cause});
-    }
-    if(credentials === undefined &&
-      credential_configuration_ids === undefined) {
-      throw new Error(
-        'Either "offer.credential_configuration_ids" or ' +
-        '"offer.credentials" is required.');
-    }
-    if(credential_configuration_ids !== undefined &&
-      !Array.isArray(credential_configuration_ids)) {
-      throw new Error('"offer.credential_configuration_ids" is not valid.');
-    }
-    if(credentials !== undefined &&
-      !(Array.isArray(credentials) && credentials.length > 0 &&
-      credentials.every(c => c && (
-        typeof c === 'object' || typeof c === 'string')))) {
-      throw new Error('"offer.credentials" is not valid.');
-    }
-    const grant = grants[GRANT_TYPES.get('preAuthorizedCode')];
-    if(!grant) {
-      // FIXME: implement `authorization_code` grant type as well
-      throw new Error('Only "pre-authorized_code" grant type is implemented.');
-    }
-    const {
-      'pre-authorized_code': preAuthorizedCode,
-      // FIXME: update to `tx_code` terminology
-      user_pin_required: userPinRequired
-    } = grant;
-    if(!preAuthorizedCode) {
-      throw new Error('"offer.grant" is missing "pre-authorized_code".');
-    }
-    if(userPinRequired) {
-      throw new Error('User pin is not implemented.');
-    }
+  static async fromCredentialOffer({
+    offer, supportedFormats = ['ldp_vc'],
+    oid4vciVersion = 'detect', oid4vpVersion = 'detect',
+    agent
+  } = {}) {
+    // parse offer
+    const {issuer, preAuthorizedCode} = _parseOffer({offer});
 
     try {
       // discover issuer info
       const {issuerConfig, metadata} = await robustDiscoverIssuer({
-        issuer: credential_issuer, agent
+        issuer, agent
       });
 
-      /* First get access token from AS (Authorization Server), e.g.:
-
-      POST /token HTTP/1.1
-        Host: server.example.com
-        Content-Type: application/x-www-form-urlencoded
-        grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code
-        &pre-authorized_code=SplxlOBeZQQYbYS6WxSbIA
-        &user_pin=493536
-
-      Note a bad response would look like:
-
-      /*
-      HTTP/1.1 400 Bad Request
-      Content-Type: application/json
-      Cache-Control: no-store
-      {
-        "error": "invalid_request"
-      }
-      */
-      const body = new URLSearchParams();
-      body.set('grant_type', GRANT_TYPES.get('preAuthorizedCode'));
-      body.set('pre-authorized_code', preAuthorizedCode);
-      const {token_endpoint} = issuerConfig;
-      const response = await httpClient.post(token_endpoint, {
-        agent, body, headers: HEADERS
+      // get access token from AS (Authorization Server)
+      const {accessToken, authorizationDetails} = await _getAccessToken({
+        issuerConfig, preAuthorizedCode,
+        // request authz details if the server supports it
+        authorizationDetails: createAuthorizationDetailsFromOffer({
+          issuerConfig, offer, supportedFormats, oid4vciVersion
+        }),
+        agent
       });
-      const {data: result} = response;
-      if(!result) {
-        const error = new Error(
-          'Could not get access token; response is not JSON.');
-        error.name = 'DataError';
-        throw error;
-      }
-
-      /* Validate response body (Note: Do not check or use `c_nonce*` here
-      because it conflates AS with DS (Delivery Server)), e.g.:
-
-      HTTP/1.1 200 OK
-        Content-Type: application/json
-        Cache-Control: no-store
-
-        {
-          "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ",
-          "token_type": "bearer",
-          "expires_in": 86400
-        }
-      */
-      const {access_token: accessToken, token_type} = result;
-      if(!(accessToken && typeof accessToken === 'string')) {
-        const error = new Error(
-          'Invalid access token response; "access_token" must be a string.');
-        error.name = 'DataError';
-        throw error;
-      }
-      if(token_type !== 'bearer') {
-        const error = new Error(
-          'Invalid access token response; "token_type" must be a "bearer".');
-        error.name = 'DataError';
-        throw error;
-      }
 
       // create client w/access token
       return new OID4Client({
-        accessToken, agent, issuerConfig, metadata, offer
+        accessToken, agent, authorizationDetails,
+        issuerConfig, metadata, offer,
+        oid4vciVersion, oid4vpVersion
       });
     } catch(cause) {
-      const error = new Error('Could not create OID4 client.', {cause});
-      error.name = 'OperationError';
-      throw error;
+      throw createNamedError({
+        message: 'Could not create OID4 client.',
+        name: 'OperationError',
+        cause
+      });
     }
   }
 }
@@ -400,33 +248,289 @@ async function _addDIDProofJWT({
   // add proof to body to be posted and loop to retry
   const proof = {proof_type: 'jwt', jwt};
   if(json.credential_requests) {
+    // OID4VCI Draft 13 only
     json.credential_requests = json.credential_requests.map(
       cr => ({...cr, proof}));
-  } else {
+  } else if(json.credential_definition) {
+    // OID4VCI Draft 13 only
     json.proof = proof;
+  } else {
+    // OID4VCI 1.0+
+    json.proofs = {
+      ...proof,
+      jwt: [proof.jwt]
+    };
+  }
+}
+
+async function _requestCredential({
+  accessToken, issuerConfig, url, json, nonce, did, didProofSigner, agent
+}) {
+  /* First send credential request(s) to DS without DID proof JWT (unless
+  `nonce` is given) e.g.:
+
+  POST /credential HTTP/1.1
+  Host: server.example.com
+  Content-Type: application/json
+  Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW
+
+  {
+    "format": "ldp_vc",
+    "credential_definition": {...},
+    // only present on retry after server requests it or if nonce is given
+    "proof": {
+      "proof_type": "jwt",
+      "jwt": "eyJraW..."
+    }
+  }
+  OR
+  {
+    "credential_identifier": "foo",
+    ...
+  }
+  OR
+  {
+    "credential_configuration_id": "bar",
+    ...
+  }
+
+  OR (if multiple `requests` were given w/ Draft 13)
+
+  POST /batch_credential HTTP/1.1
+  Host: server.example.com
+  Content-Type: application/json
+  Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW
+
+  {
+    "credential_requests": [{
+      "format": "ldp_vc",
+      "credential_definition": {...},
+      // only present on retry after server requests it
+      "proof": {
+        "proof_type": "jwt",
+        "jwt": "eyJraW..."
+      }
+    }, {
+      ...
+    }]
+  }
+
+  OR (if multiple `requests` were given w/1.0+), N-many requests will be
+  repeated to `/credential`
+
+  */
+  if(nonce !== undefined) {
+    // add DID proof JWT to json
+    await _addDIDProofJWT({issuerConfig, json, nonce, did, didProofSigner});
+  }
+
+  let result;
+  const headers = {
+    ...HEADERS,
+    authorization: `Bearer ${accessToken}`
+  };
+  for(let retries = 0; retries <= 1; ++retries) {
+    try {
+      const response = await httpClient.post(url, {agent, headers, json});
+      result = response.data;
+      if(!result) {
+        throw createNamedError({
+          message: 'Credential response format is not JSON.',
+          name: 'DataError'
+        });
+      }
+      break;
+    } catch(cause) {
+      // presentation is required to continue issuance
+      if(_isPresentationRequired(cause)) {
+        throw createNamedError({
+          message: 'Presentation is required.',
+          name: 'NotAllowedError',
+          cause,
+          details: cause.data
+        });
+      }
+
+      if(!_isMissingProofError(cause)) {
+        // other non-specific error case
+        throw cause;
+      }
+
+      // if `didProofSigner` is not provided, throw error
+      if(!(did && didProofSigner)) {
+        throw createNamedError({
+          message: 'DID authentication is required.',
+          name: 'NotAllowedError',
+          cause,
+          details: cause.data
+        });
+      }
+
+      // validate that `result` has a nonce
+      let {data: {c_nonce: nonce}} = cause;
+      if(!(nonce && typeof nonce === 'string')) {
+        // try to get a nonce
+        ({nonce} = await this.getNonce({agent}));
+      }
+
+      // add DID proof JWT to json
+      await _addDIDProofJWT({
+        issuerConfig, json, nonce, did, didProofSigner
+      });
+    }
+  }
+
+  // wallet / client receives credential(s):
+  /* Note: The credential is not wrapped here in a VP in the current spec:
+
+  HTTP/1.1 200 OK
+    Content-Type: application/json
+    Cache-Control: no-store
+
+  {
+    "format": "ldp_vc",
+    "credential" : {...}
+  }
+
+  OR (if multiple VCs *of the same type* were issued)
+
+  {
+    "format": "ldp_vc",
+    "credentials" : {...}
   }
+
+  OR (if multiple `requests` were given)
+
+  {
+    "credential_responses": [{
+      "format": "ldp_vc",
+      "credential": {...}
+    }]
+  }
+  */
+  return result;
 }
 
 function _assertRequest(request) {
+  // all current versions of OID4VCI require `request` to be an object
   if(!(request && typeof request === 'object')) {
     throw new TypeError('"request" must be an object.');
   }
+
+  // OID4VCI 1.0+ request format
+  if(request.credential_configuration_id) {
+    if(typeof request.credential_configuration_id !== 'string') {
+      throw new TypeError(
+        'Credential request "credential_configuration_id" must be a string.');
+    }
+    return;
+  }
+
+  // OID4VCI 1.0+ request format
+  if(request.credential_identifier) {
+    if(typeof request.credential_identifier !== 'string') {
+      throw new TypeError(
+        'Credential request "credential_identifier" must be a string.');
+    }
+    return;
+  }
+
+  // OID4VCI Draft 13 format
   const {credential_definition} = request;
   if(!(credential_definition && typeof credential_definition === 'object')) {
     throw new TypeError(
       'Credential request "credential_definition" must be an object.');
   }
-  const {'@context': context, type: type} = credential_definition;
-  if(!(Array.isArray(context) && context.length > 0)) {
-    throw new TypeError(
-      'Credential definition "@context" must be an array of length >= 1.');
-  }
+  const {type: type} = credential_definition;
   if(!(Array.isArray(type) && type.length > 0)) {
     throw new TypeError(
-      'Credential definition "type" must be an array of length >= 2.');
+      'Credential definition "type" must be an array of length > 0.');
   }
 }
 
+async function _getAccessToken({
+  issuerConfig, preAuthorizedCode, authorizationDetails, agent
+}) {
+  /* First get access token from AS (Authorization Server), e.g.:
+
+  POST /token HTTP/1.1
+    Host: server.example.com
+    Content-Type: application/x-www-form-urlencoded
+    grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code
+    &pre-authorized_code=SplxlOBeZQQYbYS6WxSbIA
+    &user_pin=493536
+    &authorization_details=<URI-component-encoded JSON array>
+
+  Note a bad response would look like:
+
+  /*
+  HTTP/1.1 400 Bad Request
+  Content-Type: application/json
+  Cache-Control: no-store
+  {
+    "error": "invalid_request"
+  }
+  */
+  const body = new URLSearchParams();
+  body.set('grant_type', GRANT_TYPES.get('preAuthorizedCode'));
+  body.set('pre-authorized_code', preAuthorizedCode);
+  if(authorizationDetails) {
+    body.set('authorization_details', JSON.stringify(authorizationDetails));
+  }
+  const {token_endpoint} = issuerConfig;
+  const response = await httpClient.post(token_endpoint, {
+    agent, body, headers: HEADERS
+  });
+  const {data: result} = response;
+  if(!result) {
+    throw createNamedError({
+      message: 'Could not get access token; response is not JSON.',
+      name: 'DataError'
+    });
+  }
+
+  /* Validate response body (Note: Do not check or use `c_nonce*` here
+  because it conflates AS with DS (Delivery Server)), e.g.:
+
+  HTTP/1.1 200 OK
+    Content-Type: application/json
+    Cache-Control: no-store
+
+    {
+      "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ",
+      "token_type": "bearer",
+      "expires_in": 86400
+    }
+  */
+  const {access_token: accessToken, token_type} = result;
+  ({authorization_details: authorizationDetails} = result);
+  if(!(accessToken && typeof accessToken === 'string')) {
+    throw createNamedError({
+      message:
+        'Invalid access token response; "access_token" must be a string.',
+      name: 'DataError'
+    });
+  }
+  if(token_type !== 'bearer') {
+    throw createNamedError({
+      message:
+        'Invalid access token response; "token_type" must be a "bearer".',
+      name: 'DataError'
+    });
+  }
+  if(authorizationDetails !== undefined &&
+    !Array.isArray(authorizationDetails)) {
+    throw createNamedError({
+      message:
+        'Invalid access token response; ' +
+        '"authorization_details" must be an array.',
+      name: 'DataError'
+    });
+  }
+
+  return {accessToken, authorizationDetails};
+}
+
 function _isMissingProofError(error) {
   /* If DID authn is required, delivery server sends, e.g.:
 
@@ -466,3 +570,80 @@ function _isPresentationRequired(error) {
   const errorType = error.data?.error;
   return error.status === 400 && errorType === 'presentation_required';
 }
+
+function _parseOffer({offer}) {
+  // relevant fields to validate
+  const {
+    credential_issuer,
+    credentials,
+    credential_configuration_ids,
+    grants = {}
+  } = offer;
+
+  // ensure issuer is a valid URL
+  let parsedIssuer;
+  try {
+    parsedIssuer = new URL(credential_issuer);
+    if(parsedIssuer.protocol !== 'https:') {
+      throw createNamedError({
+        message: 'Only "https" credential issuer URLs are supported.',
+        name: 'NotSupportedError'
+      });
+    }
+  } catch(cause) {
+    throw createNamedError({
+      message: '"offer.credential_issuer" is not valid.',
+      name: 'DataError',
+      cause
+    });
+  }
+
+  // OID4VCI Draft 13 used `credentials`
+  // 1.0+ uses `credential_configuration_ids`
+  if(credentials === undefined && credential_configuration_ids === undefined) {
+    throw createNamedError({
+      message:
+        'Either "offer.credential_configuration_ids" or ' +
+        '"offer.credentials" is required.',
+      name: 'DataError'
+    });
+  }
+  if(credential_configuration_ids !== undefined &&
+    !Array.isArray(credential_configuration_ids)) {
+    throw createNamedError({
+      message: '"offer.credential_configuration_ids" is not valid.',
+      name: 'DataError'
+    });
+  }
+  if(credentials !== undefined &&
+    !(Array.isArray(credentials) && credentials.length > 0 &&
+    credentials.every(c => c && (
+      typeof c === 'object' || typeof c === 'string')))) {
+    throw createNamedError({
+      message: '"offer.credentials" is not valid.',
+      name: 'DataError'
+    });
+  }
+
+  // validate grant
+  const grant = grants?.[GRANT_TYPES.get('preAuthorizedCode')];
+  if(!grant) {
+    throw createNamedError({
+      message: 'Only "pre-authorized_code" grant type is supported.',
+      name: 'NotSupportedError'
+    });
+  }
+  const {
+    'pre-authorized_code': preAuthorizedCode
+    // note: `tx_code` is presently ignored/not supported; if required an
+    // error will be thrown by the appropriate software
+  } = grant;
+  if(!preAuthorizedCode) {
+    throw createNamedError({
+      message: '"offer.grant" is missing "pre-authorized_code".',
+      name: 'DataError'
+    });
+  }
+
+  return {issuer: credential_issuer, preAuthorizedCode};
+}

package/lib/convert/index.js

@@ -62,11 +62,18 @@ export function fromVpr({
     if(verifiablePresentationRequest.domain) {
       // since a `domain` was provided, set these defaults:
       authorizationRequest.client_id = verifiablePresentationRequest.domain;
-      authorizationRequest.response_uri = authorizationRequest.client_id;
+      const usesRedirectUriPrefix =
+        authorizationRequest.client_id?.startsWith('redirect_uri:');
+      authorizationRequest.response_uri = usesRedirectUriPrefix ?
+        authorizationRequest.client_id.slice('redirect_uri:'.length) :
+        authorizationRequest.client_id;
       if(useClientIdPrefix) {
-        authorizationRequest.client_id =
-          `redirect_uri:${authorizationRequest.client_id}`;
-      } else {
+        if(!usesRedirectUriPrefix) {
+          authorizationRequest.client_id =
+            `redirect_uri:${authorizationRequest.client_id}`;
+        }
+      }
+      if(usesRedirectUriPrefix) {
         authorizationRequest.client_id_scheme = 'redirect_uri';
       }
     }
@@ -137,6 +144,7 @@ export function toVpr({authorizationRequest, strict = false} = {}) {
 
     const {
       client_id,
+      client_id_scheme,
       client_metadata,
       dcql_query,
       expected_origins,
@@ -188,11 +196,14 @@ export function toVpr({authorizationRequest, strict = false} = {}) {
       verifiablePresentationRequest.query = [didAuthnQuery];
     }
 
-    // map `expected_origins` or `response_uri` to `domain`
+    // map `expected_origins` / `client_id` / `response_uri` to `domain`
     if(response_uri !== undefined || client_id !== undefined) {
       if(response_mode?.startsWith('dc_api') && !response_uri &&
         expected_origins?.length > 0) {
         verifiablePresentationRequest.domain = expected_origins[0];
+      } else if(client_id_scheme === 'redirect_uri' ||
+        client_id?.startsWith('redirect_uri:')) {
+        verifiablePresentationRequest.domain = client_id ?? response_uri;
       } else {
         verifiablePresentationRequest.domain = response_uri;
       }

package/lib/oid4vci/credentialOffer.js

@@ -1,26 +1,69 @@
 /*!
- * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc.
  */
 import {assert, fetchJSON} from '../util.js';
 
+export function createAuthorizationDetailsFromOffer({
+  issuerConfig, offer, supportedFormats, oid4vciVersion
+} = {}) {
+  if(oid4vciVersion === 'draft13' ||
+    !(Array.isArray(issuerConfig.authorization_details_types_supported) &&
+    issuerConfig.authorization_details_types_supported
+      .includes('openid_credential'))) {
+    // issuer does not support authz details
+    return;
+  }
+
+  // build authz details from configs that match `offer` and `supportedFormats`
+  const configs = getCredentialConfigurations({
+    issuerConfig, offer, supportedFormats
+  });
+  const authorizationDetails = configs.map(
+    c => ({
+      type: 'openid_credential',
+      credential_configuration_id: c.id
+    }));
+  // only return details if there are matching configuration IDs
+  return authorizationDetails.length > 0 ? authorizationDetails : undefined;
+}
+
 export function createCredentialRequestsFromOffer({
-  issuerConfig, offer, format
+  issuerConfig, offer, format, authorizationDetails, oid4vciVersion
 } = {}) {
-  // get any supported credential configurations from issuer config
-  const supported = _createSupportedCredentialsMap({issuerConfig});
-
-  // build requests from credentials identified in `offer` and remove any
-  // that do not match the given format
-  const credentials = offer.credential_configuration_ids ?? offer.credentials;
-  const requests = credentials.map(c => {
-    if(typeof c === 'string') {
-      // use supported credential config
-      return _getSupportedCredentialById({id: c, supported});
-    }
-    return c;
-  }).filter(r => r.format === format);
+  // get credential configs that match `offer` and `format`
+  const matchingConfigurations = getCredentialConfigurations({
+    issuerConfig, offer, supportedFormats: [format]
+  });
 
-  if(requests.length === 0) {
+  // build requests...
+  let requests;
+
+  // the presence of `authorizationDetails` triggers OID4VCI 1.0+ format,
+  // which uses `credential_identifier` instead of
+  // Draft 13 `format` + `credential_definition`
+  if(authorizationDetails && oid4vciVersion !== 'draft13') {
+    // add a request for each `credential_identifier` mentioned in each
+    // matching configuration
+    requests = [];
+    const matchingIds = new Set(matchingConfigurations.map(({id}) => id));
+    for(const element of authorizationDetails) {
+      const {
+        type, credential_configuration_id, credential_identifiers = []
+      } = element;
+      if(type !== 'openid_credential') {
+        continue;
+      }
+      if(matchingIds.has(credential_configuration_id)) {
+        requests.push(
+          ...credential_identifiers.map(id => ({credential_identifier: id})));
+      }
+    }
+  } else {
+    // OID4VCI Draft 13 request format
+    requests = matchingConfigurations.map(
+      ({format, credential_definition}) => ({format, credential_definition}));
+  }
+  if(!(requests?.length > 0)) {
     throw new Error(
       `No supported credential(s) with format "${format}" found.`);
   }
@@ -65,6 +108,49 @@ export async function getCredentialOffer({url, agent} = {}) {
   return response.data;
 }
 
+export function getCredentialConfigurations({
+  issuerConfig, offer, credentialConfigurationIds, supportedFormats
+} = {}) {
+  // get all supported credential configurations from issuer config
+  let supported = [
+    ..._createSupportedCredentialsMap({issuerConfig}).entries()]
+    .map(([id, c]) => ({id, ...c}));
+
+  // compute `credentialConfigurationIds` from `offer` as necessary
+  if(offer && !credentialConfigurationIds) {
+    if(offer.credential_configuration_ids) {
+      credentialConfigurationIds = offer.credential_configuration_ids;
+    } else if(offer.credentials) {
+      // allow legacy `offer.credentials` that express IDs
+      credentialConfigurationIds = offer.credentials
+        .map(c => typeof c === 'string' ? c : undefined)
+        .filter(c => c !== undefined);
+
+      // if no IDs; handle degenerate case of objects expressed in
+      // `offer.credentials` for pre-draft 13, to be dropped in a future major
+      // release that also drops draft 13 support
+      if(credentialConfigurationIds.length === 0) {
+        supported = offer.credentials.filter(c => typeof c === 'object');
+        credentialConfigurationIds = undefined;
+      }
+    }
+  }
+
+  // filter by IDs, if given
+  if(credentialConfigurationIds) {
+    const idSet = new Set(credentialConfigurationIds);
+    supported = supported.filter(c => idSet.has(c.id));
+  }
+
+  // filter by supported formats, if given
+  if(supportedFormats) {
+    const formatSet = new Set(supportedFormats);
+    supported = supported.filter(c => formatSet.has(c.format));
+  }
+
+  return supported;
+}
+
 export function parseCredentialOfferUrl({url} = {}) {
   assert(url, 'url', 'string');
 
@@ -116,23 +202,3 @@ function _createSupportedCredentialsMap({issuerConfig}) {
 
   return supported;
 }
-
-function _getSupportedCredentialById({id, supported}) {
-  const meta = supported.get(id);
-  if(!meta) {
-    throw new Error(`No supported credential "${id}" found.`);
-  }
-  const {format, credential_definition} = meta;
-  if(typeof format !== 'string') {
-    throw new Error(
-      `Invalid supported credential "${id}"; "format" not specified.`);
-  }
-  if(!(Array.isArray(credential_definition?.['@context']) &&
-    (Array.isArray(credential_definition?.types) ||
-    Array.isArray(credential_definition?.type)))) {
-    throw new Error(
-      `Invalid supported credential "${id}"; "credential_definition" not ` +
-      'fully specified.');
-  }
-  return {format, credential_definition};
-}

package/lib/util.js

@@ -39,7 +39,7 @@ export function base64Encode(data) {
 }
 
 export function createNamedError({message, name, details, cause} = {}) {
-  const error = new Error(message, {cause});
+  const error = cause ? new Error(message, {cause}) : new Error(message);
   error.name = name;
   if(details) {
     error.details = details;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digitalbazaar/oid4-client",
-  "version": "5.9.0",
+  "version": "5.10.0",
   "description": "An OID4 (VC + VP) client",
   "homepage": "https://github.com/digitalbazaar/oid4-client",
   "author": {