npm - @digitalbazaar/oid4-client - Versions diffs - 5.9.1 → 5.10.0 - Mend

@digitalbazaar/oid4-client 5.9.1 → 5.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/lib/OID4Client.js +467 -286
package/lib/oid4vci/credentialOffer.js +102 -36
package/lib/util.js +1 -1
package/package.json +1 -1

package/lib/OID4Client.js CHANGED Viewed

@@ -1,7 +1,10 @@
 /*!
- * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc.
  */
-import {createCredentialRequestsFromOffer} from './oid4vci/credentialOffer.js';
+import {
+  createAuthorizationDetailsFromOffer, createCredentialRequestsFromOffer
+} from './oid4vci/credentialOffer.js';
+import {createNamedError} from './util.js';
 import {generateDIDProofJWT} from './oid4vci/proofs.js';
 import {httpClient} from '@digitalbazaar/http-client';
 import {robustDiscoverIssuer} from './oid4vci/discovery.js';
@@ -12,12 +15,23 @@ const GRANT_TYPES = new Map([
 const HEADERS = {accept: 'application/json'};
 export class OID4Client {
-  constructor({accessToken = null, agent, issuerConfig, metadata, offer} = {}) {
+  constructor({
+    accessToken = null, agent, authorizationDetails,
+    issuerConfig, metadata, offer,
+    // default to "compatible" versions where the client will attempt to
+    // detect and work with whatever version the server supports, for the
+    // versions presently supported by this library
+    oid4vciVersion = 'detect',
+    oid4vpVersion = 'detect'
+  } = {}) {
     this.accessToken = accessToken;
     this.agent = agent;
+    this.authorizationDetails = authorizationDetails;
     this.metadata = metadata;
     this.issuerConfig = issuerConfig;
     this.offer = offer;
+    this.oid4vciVersion = oid4vciVersion;
+    this.oid4vpVersion = oid4vpVersion;
   }
   async getNonce({agent, headers = HEADERS} = {}) {
@@ -26,57 +40,59 @@ export class OID4Client {
       // get nonce endpoint
       const {nonce_endpoint: url} = this.issuerConfig;
       if(url === undefined) {
-        const error = new Error('Credential issuer has no "nonce_endpoint".');
-        error.name = 'DataError';
-        throw error;
+        throw createNamedError({
+          message: 'Credential issuer has no "nonce_endpoint".',
+          name: 'DataError'
+        });
       }
       if(!url?.startsWith('https://')) {
-        const error = new Error(
-          `Nonce endpoint "${url}" does not start with "https://".`);
-        error.name = 'DataError';
-        throw error;
+        throw createNamedError({
+          message: `Nonce endpoint "${url}" does not start with "https://".`,
+          name: 'DataError'
+        });
       }
       // get nonce
       response = await httpClient.post(url, {agent, headers});
       if(!response.data) {
-        const error = new Error('Nonce response format is not JSON.');
-        error.name = 'DataError';
-        throw error;
+        throw createNamedError({
+          message: 'Nonce response format is not JSON.',
+          name: 'DataError'
+        });
       }
       if(response.data.c_nonce === undefined) {
-        const error = new Error('Nonce not provided in response.');
-        error.name = 'DataError';
-        throw error;
+        throw createNamedError({
+          message: 'Nonce not provided in response.',
+          name: 'DataError'
+        });
       }
     } catch(cause) {
-      const error = new Error('Could not get nonce.', {cause});
-      error.name = 'DataError';
-      throw error;
+      throw createNamedError({
+        message: 'Could not get nonce.',
+        name: 'DataError',
+        cause
+      });
     }
     const {c_nonce: nonce} = response.data;
     return {nonce, response};
   }
+  // deprecated; always call `requestCredentials()` instead
   async requestCredential({
     credentialDefinition, did, didProofSigner, nonce, agent, format = 'ldp_vc'
   } = {}) {
-    const {issuerConfig, offer} = this;
+    const {authorizationDetails, issuerConfig, offer, oid4vciVersion} = this;
     let requests;
     if(credentialDefinition === undefined) {
       if(!offer) {
-        throw new TypeError('"credentialDefinition" must be an object.');
+        throw new TypeError('"offer" must be an object.');
       }
       requests = createCredentialRequestsFromOffer({
-        issuerConfig, offer, format
+        issuerConfig, offer, format, authorizationDetails, oid4vciVersion
       });
-      if(requests.length > 1) {
-        throw new Error(
-          'More than one credential is offered; ' +
-          'use "requestCredentials()" instead.');
-      }
     } else {
+      // OID4VCI Draft 13 only
       requests = [{
         format,
         credential_definition: credentialDefinition
@@ -93,292 +109,124 @@ export class OID4Client {
   } = {}) {
     // if `nonce` is given, then `did` and `didProofSigner` must also be
     if(nonce !== undefined && !(did && didProofSigner)) {
-      throw new Error(
-        'If "nonce" is given then "did" and "didProofSigner" are required.');
+      throw createNamedError({
+        message:
+          'If "nonce" is given then "did" and "didProofSigner" are required.',
+        name: 'DataError'
+      });
     }
-    const {issuerConfig, offer} = this;
+    const {authorizationDetails, issuerConfig, offer, oid4vciVersion} = this;
     if(requests === undefined && offer) {
       requests = createCredentialRequestsFromOffer({
-        issuerConfig, offer, format
+        issuerConfig, offer, format, authorizationDetails, oid4vciVersion
       });
     } else if(!(Array.isArray(requests) && requests.length > 0)) {
       throw new TypeError('"requests" must be an array of length >= 1.');
     }
     requests.forEach(_assertRequest);
-    // set default `format`
-    requests = requests.map(r => ({format, ...r}));
-    try {
-      /* First send credential request(s) to DS without DID proof JWT (unless
-      `nonce` is given) e.g.:
-      POST /credential HTTP/1.1
-      Host: server.example.com
-      Content-Type: application/json
-      Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW
-      {
-        "format": "ldp_vc",
-        "credential_definition": {...},
-        // only present on retry after server requests it or if nonce is given
-        "proof": {
-          "proof_type": "jwt",
-          "jwt": "eyJraW..."
-        }
-      }
-      OR (if multiple `requests` were given)
-      POST /batch_credential HTTP/1.1
-      Host: server.example.com
-      Content-Type: application/json
-      Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW
-      {
-        "credential_requests": [{
-          "format": "ldp_vc",
-          "credential_definition": {...},
-          // only present on retry after server requests it
-          "proof": {
-            "proof_type": "jwt",
-            "jwt": "eyJraW..."
-          }
-        }, {
-          ...
-        }]
-      }
-      */
-      let url;
-      let json;
-      if(requests.length > 1 || alwaysUseBatchEndpoint) {
-        ({batch_credential_endpoint: url} = this.issuerConfig);
-        json = {credential_requests: requests};
-      } else {
-        ({credential_endpoint: url} = this.issuerConfig);
-        json = {...requests[0]};
-      }
+    // determine if OID4VCI 1.0+ is to be used
+    const version1Plus = requests.some(r => r.credential_identifier);
-      if(nonce !== undefined) {
-        // add DID proof JWT to json
-        await _addDIDProofJWT({issuerConfig, json, nonce, did, didProofSigner});
-      }
+    if(!version1Plus) {
+      // set default `format` for requests with `credential_definition`
+      // (OID4VCI Draft 13 only)
+      requests = requests.map(
+        r => r.credential_definition ? {format, ...r} : r);
+    }
+    try {
       let result;
-      const headers = {
-        ...HEADERS,
-        authorization: `Bearer ${this.accessToken}`
-      };
-      for(let retries = 0; retries <= 1; ++retries) {
-        try {
-          const response = await httpClient.post(url, {agent, headers, json});
-          result = response.data;
-          if(!result) {
-            const error = new Error('Credential response format is not JSON.');
-            error.name = 'DataError';
-            throw error;
-          }
-          break;
-        } catch(cause) {
-          // presentation is required to continue issuance
-          if(_isPresentationRequired(cause)) {
-            const {data: details} = cause;
-            const error = new Error('Presentation is required.', {cause});
-            error.name = 'NotAllowedError';
-            error.details = details;
-            throw error;
-          }
-          if(!_isMissingProofError(cause)) {
-            // other non-specific error case
-            throw cause;
-          }
-          // if `didProofSigner` is not provided, throw error
-          if(!(did && didProofSigner)) {
-            const {data: details} = cause;
-            const error = new Error('DID authentication is required.', {cause});
-            error.name = 'NotAllowedError';
-            error.details = details;
-            throw error;
-          }
-          // validate that `result` has
-          let {data: {c_nonce: nonce}} = cause;
-          if(!(nonce && typeof nonce === 'string')) {
-            // try to get a nonce
-            ({nonce} = await this.getNonce({agent}));
-          }
-          // add DID proof JWT to json
-          await _addDIDProofJWT({
-            issuerConfig, json, nonce, did, didProofSigner
+      const {accessToken} = this;
+      if(version1Plus) {
+        // OID4VCI 1.0+ ... make N-many requests in parallel, with each one
+        // adding a DID proof, if requested and N-many nonces might be required
+        // FIXME: use p-queue to manage work
+        const {credential_endpoint: url} = issuerConfig;
+        const results = await Promise.all(requests.map(async request => {
+          const json = {...request};
+          return _requestCredential({
+            accessToken, issuerConfig,
+            url, json, nonce, did, didProofSigner, agent
           });
+        }));
+        // for backwards compatibility, return all results independently,
+        // combined, and singular (if applicable)
+        const credentials = results
+          .map(r => r?.credentials?.map(e => e.credential))
+          .flat();
+        result = {credential_responses: results, credentials};
+        // backwards compatibility with common draft 13 credential calls
+        if(credentials.length === 1) {
+          result.credential = credentials[0];
         }
+        if(credentials.every(c => c?.['@context'])) {
+          result.format = 'ldp_vc';
+        }
+      } else {
+        // draft 13...
+        let url;
+        let json;
+        if(requests.length > 1 || alwaysUseBatchEndpoint) {
+          ({batch_credential_endpoint: url} = issuerConfig);
+          json = {credential_requests: requests};
+        } else {
+          ({credential_endpoint: url} = issuerConfig);
+          json = {...requests[0]};
+        }
+        result = await _requestCredential({
+          accessToken, issuerConfig,
+          url, json, nonce, did, didProofSigner, agent
+        });
       }
-      // wallet / client receives credential(s):
-      /* Note: The credential is not wrapped here in a VP in the current spec:
-      HTTP/1.1 200 OK
-        Content-Type: application/json
-        Cache-Control: no-store
-      {
-        "format": "ldp_vc",
-        "credential" : {...}
-      }
-      OR (if multiple VCs *of the same type* were issued)
-      {
-        "format": "ldp_vc",
-        "credentials" : {...}
-      }
-      OR (if multiple `requests` were given)
-      {
-        "credential_responses": [{
-          "format": "ldp_vc",
-          "credential": {...}
-        }]
-      }
-      */
       return result;
     } catch(cause) {
-      const error = new Error('Could not receive credentials.', {cause});
-      error.name = 'OperationError';
-      throw error;
+      throw createNamedError({
+        message: 'Could not receive credentials.',
+        name: 'OperationError',
+        cause
+      });
     }
   }
   // create a client from a credential offer
-  static async fromCredentialOffer({offer, agent} = {}) {
-    // validate offer
-    const {
-      credential_issuer,
-      credentials,
-      credential_configuration_ids,
-      grants = {}
-    } = offer;
-    let parsedIssuer;
-    try {
-      parsedIssuer = new URL(credential_issuer);
-      if(parsedIssuer.protocol !== 'https:') {
-        throw new Error('Only "https" credential issuer URLs are supported.');
-      }
-    } catch(cause) {
-      throw new Error('"offer.credential_issuer" is not valid.', {cause});
-    }
-    if(credentials === undefined &&
-      credential_configuration_ids === undefined) {
-      throw new Error(
-        'Either "offer.credential_configuration_ids" or ' +
-        '"offer.credentials" is required.');
-    }
-    if(credential_configuration_ids !== undefined &&
-      !Array.isArray(credential_configuration_ids)) {
-      throw new Error('"offer.credential_configuration_ids" is not valid.');
-    }
-    if(credentials !== undefined &&
-      !(Array.isArray(credentials) && credentials.length > 0 &&
-      credentials.every(c => c && (
-        typeof c === 'object' || typeof c === 'string')))) {
-      throw new Error('"offer.credentials" is not valid.');
-    }
-    const grant = grants[GRANT_TYPES.get('preAuthorizedCode')];
-    if(!grant) {
-      // FIXME: implement `authorization_code` grant type as well
-      throw new Error('Only "pre-authorized_code" grant type is implemented.');
-    }
-    const {
-      'pre-authorized_code': preAuthorizedCode,
-      // FIXME: update to `tx_code` terminology
-      user_pin_required: userPinRequired
-    } = grant;
-    if(!preAuthorizedCode) {
-      throw new Error('"offer.grant" is missing "pre-authorized_code".');
-    }
-    if(userPinRequired) {
-      throw new Error('User pin is not implemented.');
-    }
+  static async fromCredentialOffer({
+    offer, supportedFormats = ['ldp_vc'],
+    oid4vciVersion = 'detect', oid4vpVersion = 'detect',
+    agent
+  } = {}) {
+    // parse offer
+    const {issuer, preAuthorizedCode} = _parseOffer({offer});
     try {
       // discover issuer info
       const {issuerConfig, metadata} = await robustDiscoverIssuer({
-        issuer: credential_issuer, agent
+        issuer, agent
       });
-      /* First get access token from AS (Authorization Server), e.g.:
-      POST /token HTTP/1.1
-        Host: server.example.com
-        Content-Type: application/x-www-form-urlencoded
-        grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code
-        &pre-authorized_code=SplxlOBeZQQYbYS6WxSbIA
-        &user_pin=493536
-      Note a bad response would look like:
-      /*
-      HTTP/1.1 400 Bad Request
-      Content-Type: application/json
-      Cache-Control: no-store
-      {
-        "error": "invalid_request"
-      }
-      */
-      const body = new URLSearchParams();
-      body.set('grant_type', GRANT_TYPES.get('preAuthorizedCode'));
-      body.set('pre-authorized_code', preAuthorizedCode);
-      const {token_endpoint} = issuerConfig;
-      const response = await httpClient.post(token_endpoint, {
-        agent, body, headers: HEADERS
+      // get access token from AS (Authorization Server)
+      const {accessToken, authorizationDetails} = await _getAccessToken({
+        issuerConfig, preAuthorizedCode,
+        // request authz details if the server supports it
+        authorizationDetails: createAuthorizationDetailsFromOffer({
+          issuerConfig, offer, supportedFormats, oid4vciVersion
+        }),
+        agent
       });
-      const {data: result} = response;
-      if(!result) {
-        const error = new Error(
-          'Could not get access token; response is not JSON.');
-        error.name = 'DataError';
-        throw error;
-      }
-      /* Validate response body (Note: Do not check or use `c_nonce*` here
-      because it conflates AS with DS (Delivery Server)), e.g.:
-      HTTP/1.1 200 OK
-        Content-Type: application/json
-        Cache-Control: no-store
-        {
-          "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ",
-          "token_type": "bearer",
-          "expires_in": 86400
-        }
-      */
-      const {access_token: accessToken, token_type} = result;
-      if(!(accessToken && typeof accessToken === 'string')) {
-        const error = new Error(
-          'Invalid access token response; "access_token" must be a string.');
-        error.name = 'DataError';
-        throw error;
-      }
-      if(token_type !== 'bearer') {
-        const error = new Error(
-          'Invalid access token response; "token_type" must be a "bearer".');
-        error.name = 'DataError';
-        throw error;
-      }
       // create client w/access token
       return new OID4Client({
-        accessToken, agent, issuerConfig, metadata, offer
+        accessToken, agent, authorizationDetails,
+        issuerConfig, metadata, offer,
+        oid4vciVersion, oid4vpVersion
       });
     } catch(cause) {
-      const error = new Error('Could not create OID4 client.', {cause});
-      error.name = 'OperationError';
-      throw error;
+      throw createNamedError({
+        message: 'Could not create OID4 client.',
+        name: 'OperationError',
+        cause
+      });
     }
   }
 }
@@ -400,33 +248,289 @@ async function _addDIDProofJWT({
   // add proof to body to be posted and loop to retry
   const proof = {proof_type: 'jwt', jwt};
   if(json.credential_requests) {
+    // OID4VCI Draft 13 only
     json.credential_requests = json.credential_requests.map(
       cr => ({...cr, proof}));
-  } else {
+  } else if(json.credential_definition) {
+    // OID4VCI Draft 13 only
     json.proof = proof;
+  } else {
+    // OID4VCI 1.0+
+    json.proofs = {
+      ...proof,
+      jwt: [proof.jwt]
+    };
+  }
+}
+async function _requestCredential({
+  accessToken, issuerConfig, url, json, nonce, did, didProofSigner, agent
+}) {
+  /* First send credential request(s) to DS without DID proof JWT (unless
+  `nonce` is given) e.g.:
+  POST /credential HTTP/1.1
+  Host: server.example.com
+  Content-Type: application/json
+  Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW
+  {
+    "format": "ldp_vc",
+    "credential_definition": {...},
+    // only present on retry after server requests it or if nonce is given
+    "proof": {
+      "proof_type": "jwt",
+      "jwt": "eyJraW..."
+    }
+  }
+  OR
+  {
+    "credential_identifier": "foo",
+    ...
+  }
+  OR
+  {
+    "credential_configuration_id": "bar",
+    ...
+  }
+  OR (if multiple `requests` were given w/ Draft 13)
+  POST /batch_credential HTTP/1.1
+  Host: server.example.com
+  Content-Type: application/json
+  Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW
+  {
+    "credential_requests": [{
+      "format": "ldp_vc",
+      "credential_definition": {...},
+      // only present on retry after server requests it
+      "proof": {
+        "proof_type": "jwt",
+        "jwt": "eyJraW..."
+      }
+    }, {
+      ...
+    }]
+  }
+  OR (if multiple `requests` were given w/1.0+), N-many requests will be
+  repeated to `/credential`
+  */
+  if(nonce !== undefined) {
+    // add DID proof JWT to json
+    await _addDIDProofJWT({issuerConfig, json, nonce, did, didProofSigner});
+  }
+  let result;
+  const headers = {
+    ...HEADERS,
+    authorization: `Bearer ${accessToken}`
+  };
+  for(let retries = 0; retries <= 1; ++retries) {
+    try {
+      const response = await httpClient.post(url, {agent, headers, json});
+      result = response.data;
+      if(!result) {
+        throw createNamedError({
+          message: 'Credential response format is not JSON.',
+          name: 'DataError'
+        });
+      }
+      break;
+    } catch(cause) {
+      // presentation is required to continue issuance
+      if(_isPresentationRequired(cause)) {
+        throw createNamedError({
+          message: 'Presentation is required.',
+          name: 'NotAllowedError',
+          cause,
+          details: cause.data
+        });
+      }
+      if(!_isMissingProofError(cause)) {
+        // other non-specific error case
+        throw cause;
+      }
+      // if `didProofSigner` is not provided, throw error
+      if(!(did && didProofSigner)) {
+        throw createNamedError({
+          message: 'DID authentication is required.',
+          name: 'NotAllowedError',
+          cause,
+          details: cause.data
+        });
+      }
+      // validate that `result` has a nonce
+      let {data: {c_nonce: nonce}} = cause;
+      if(!(nonce && typeof nonce === 'string')) {
+        // try to get a nonce
+        ({nonce} = await this.getNonce({agent}));
+      }
+      // add DID proof JWT to json
+      await _addDIDProofJWT({
+        issuerConfig, json, nonce, did, didProofSigner
+      });
+    }
+  }
+  // wallet / client receives credential(s):
+  /* Note: The credential is not wrapped here in a VP in the current spec:
+  HTTP/1.1 200 OK
+    Content-Type: application/json
+    Cache-Control: no-store
+  {
+    "format": "ldp_vc",
+    "credential" : {...}
+  }
+  OR (if multiple VCs *of the same type* were issued)
+  {
+    "format": "ldp_vc",
+    "credentials" : {...}
   }
+  OR (if multiple `requests` were given)
+  {
+    "credential_responses": [{
+      "format": "ldp_vc",
+      "credential": {...}
+    }]
+  }
+  */
+  return result;
 }
 function _assertRequest(request) {
+  // all current versions of OID4VCI require `request` to be an object
   if(!(request && typeof request === 'object')) {
     throw new TypeError('"request" must be an object.');
   }
+  // OID4VCI 1.0+ request format
+  if(request.credential_configuration_id) {
+    if(typeof request.credential_configuration_id !== 'string') {
+      throw new TypeError(
+        'Credential request "credential_configuration_id" must be a string.');
+    }
+    return;
+  }
+  // OID4VCI 1.0+ request format
+  if(request.credential_identifier) {
+    if(typeof request.credential_identifier !== 'string') {
+      throw new TypeError(
+        'Credential request "credential_identifier" must be a string.');
+    }
+    return;
+  }
+  // OID4VCI Draft 13 format
   const {credential_definition} = request;
   if(!(credential_definition && typeof credential_definition === 'object')) {
     throw new TypeError(
       'Credential request "credential_definition" must be an object.');
   }
-  const {'@context': context, type: type} = credential_definition;
-  if(!(Array.isArray(context) && context.length > 0)) {
-    throw new TypeError(
-      'Credential definition "@context" must be an array of length >= 1.');
-  }
+  const {type: type} = credential_definition;
   if(!(Array.isArray(type) && type.length > 0)) {
     throw new TypeError(
-      'Credential definition "type" must be an array of length >= 2.');
+      'Credential definition "type" must be an array of length > 0.');
   }
 }
+async function _getAccessToken({
+  issuerConfig, preAuthorizedCode, authorizationDetails, agent
+}) {
+  /* First get access token from AS (Authorization Server), e.g.:
+  POST /token HTTP/1.1
+    Host: server.example.com
+    Content-Type: application/x-www-form-urlencoded
+    grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code
+    &pre-authorized_code=SplxlOBeZQQYbYS6WxSbIA
+    &user_pin=493536
+    &authorization_details=<URI-component-encoded JSON array>
+  Note a bad response would look like:
+  /*
+  HTTP/1.1 400 Bad Request
+  Content-Type: application/json
+  Cache-Control: no-store
+  {
+    "error": "invalid_request"
+  }
+  */
+  const body = new URLSearchParams();
+  body.set('grant_type', GRANT_TYPES.get('preAuthorizedCode'));
+  body.set('pre-authorized_code', preAuthorizedCode);
+  if(authorizationDetails) {
+    body.set('authorization_details', JSON.stringify(authorizationDetails));
+  }
+  const {token_endpoint} = issuerConfig;
+  const response = await httpClient.post(token_endpoint, {
+    agent, body, headers: HEADERS
+  });
+  const {data: result} = response;
+  if(!result) {
+    throw createNamedError({
+      message: 'Could not get access token; response is not JSON.',
+      name: 'DataError'
+    });
+  }
+  /* Validate response body (Note: Do not check or use `c_nonce*` here
+  because it conflates AS with DS (Delivery Server)), e.g.:
+  HTTP/1.1 200 OK
+    Content-Type: application/json
+    Cache-Control: no-store
+    {
+      "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp..sHQ",
+      "token_type": "bearer",
+      "expires_in": 86400
+    }
+  */
+  const {access_token: accessToken, token_type} = result;
+  ({authorization_details: authorizationDetails} = result);
+  if(!(accessToken && typeof accessToken === 'string')) {
+    throw createNamedError({
+      message:
+        'Invalid access token response; "access_token" must be a string.',
+      name: 'DataError'
+    });
+  }
+  if(token_type !== 'bearer') {
+    throw createNamedError({
+      message:
+        'Invalid access token response; "token_type" must be a "bearer".',
+      name: 'DataError'
+    });
+  }
+  if(authorizationDetails !== undefined &&
+    !Array.isArray(authorizationDetails)) {
+    throw createNamedError({
+      message:
+        'Invalid access token response; ' +
+        '"authorization_details" must be an array.',
+      name: 'DataError'
+    });
+  }
+  return {accessToken, authorizationDetails};
+}
 function _isMissingProofError(error) {
   /* If DID authn is required, delivery server sends, e.g.:
@@ -466,3 +570,80 @@ function _isPresentationRequired(error) {
   const errorType = error.data?.error;
   return error.status === 400 && errorType === 'presentation_required';
 }
+function _parseOffer({offer}) {
+  // relevant fields to validate
+  const {
+    credential_issuer,
+    credentials,
+    credential_configuration_ids,
+    grants = {}
+  } = offer;
+  // ensure issuer is a valid URL
+  let parsedIssuer;
+  try {
+    parsedIssuer = new URL(credential_issuer);
+    if(parsedIssuer.protocol !== 'https:') {
+      throw createNamedError({
+        message: 'Only "https" credential issuer URLs are supported.',
+        name: 'NotSupportedError'
+      });
+    }
+  } catch(cause) {
+    throw createNamedError({
+      message: '"offer.credential_issuer" is not valid.',
+      name: 'DataError',
+      cause
+    });
+  }
+  // OID4VCI Draft 13 used `credentials`
+  // 1.0+ uses `credential_configuration_ids`
+  if(credentials === undefined && credential_configuration_ids === undefined) {
+    throw createNamedError({
+      message:
+        'Either "offer.credential_configuration_ids" or ' +
+        '"offer.credentials" is required.',
+      name: 'DataError'
+    });
+  }
+  if(credential_configuration_ids !== undefined &&
+    !Array.isArray(credential_configuration_ids)) {
+    throw createNamedError({
+      message: '"offer.credential_configuration_ids" is not valid.',
+      name: 'DataError'
+    });
+  }
+  if(credentials !== undefined &&
+    !(Array.isArray(credentials) && credentials.length > 0 &&
+    credentials.every(c => c && (
+      typeof c === 'object' || typeof c === 'string')))) {
+    throw createNamedError({
+      message: '"offer.credentials" is not valid.',
+      name: 'DataError'
+    });
+  }
+  // validate grant
+  const grant = grants?.[GRANT_TYPES.get('preAuthorizedCode')];
+  if(!grant) {
+    throw createNamedError({
+      message: 'Only "pre-authorized_code" grant type is supported.',
+      name: 'NotSupportedError'
+    });
+  }
+  const {
+    'pre-authorized_code': preAuthorizedCode
+    // note: `tx_code` is presently ignored/not supported; if required an
+    // error will be thrown by the appropriate software
+  } = grant;
+  if(!preAuthorizedCode) {
+    throw createNamedError({
+      message: '"offer.grant" is missing "pre-authorized_code".',
+      name: 'DataError'
+    });
+  }
+  return {issuer: credential_issuer, preAuthorizedCode};
+}

package/lib/oid4vci/credentialOffer.js CHANGED Viewed

@@ -1,26 +1,69 @@
 /*!
- * Copyright (c) 2022-2025 Digital Bazaar, Inc. All rights reserved.
+ * Copyright (c) 2022-2026 Digital Bazaar, Inc.
  */
 import {assert, fetchJSON} from '../util.js';
+export function createAuthorizationDetailsFromOffer({
+  issuerConfig, offer, supportedFormats, oid4vciVersion
+} = {}) {
+  if(oid4vciVersion === 'draft13' ||
+    !(Array.isArray(issuerConfig.authorization_details_types_supported) &&
+    issuerConfig.authorization_details_types_supported
+      .includes('openid_credential'))) {
+    // issuer does not support authz details
+    return;
+  }
+  // build authz details from configs that match `offer` and `supportedFormats`
+  const configs = getCredentialConfigurations({
+    issuerConfig, offer, supportedFormats
+  });
+  const authorizationDetails = configs.map(
+    c => ({
+      type: 'openid_credential',
+      credential_configuration_id: c.id
+    }));
+  // only return details if there are matching configuration IDs
+  return authorizationDetails.length > 0 ? authorizationDetails : undefined;
+}
 export function createCredentialRequestsFromOffer({
-  issuerConfig, offer, format
+  issuerConfig, offer, format, authorizationDetails, oid4vciVersion
 } = {}) {
-  // get any supported credential configurations from issuer config
-  const supported = _createSupportedCredentialsMap({issuerConfig});
-  // build requests from credentials identified in `offer` and remove any
-  // that do not match the given format
-  const credentials = offer.credential_configuration_ids ?? offer.credentials;
-  const requests = credentials.map(c => {
-    if(typeof c === 'string') {
-      // use supported credential config
-      return _getSupportedCredentialById({id: c, supported});
-    }
-    return c;
-  }).filter(r => r.format === format);
+  // get credential configs that match `offer` and `format`
+  const matchingConfigurations = getCredentialConfigurations({
+    issuerConfig, offer, supportedFormats: [format]
+  });
-  if(requests.length === 0) {
+  // build requests...
+  let requests;
+  // the presence of `authorizationDetails` triggers OID4VCI 1.0+ format,
+  // which uses `credential_identifier` instead of
+  // Draft 13 `format` + `credential_definition`
+  if(authorizationDetails && oid4vciVersion !== 'draft13') {
+    // add a request for each `credential_identifier` mentioned in each
+    // matching configuration
+    requests = [];
+    const matchingIds = new Set(matchingConfigurations.map(({id}) => id));
+    for(const element of authorizationDetails) {
+      const {
+        type, credential_configuration_id, credential_identifiers = []
+      } = element;
+      if(type !== 'openid_credential') {
+        continue;
+      }
+      if(matchingIds.has(credential_configuration_id)) {
+        requests.push(
+          ...credential_identifiers.map(id => ({credential_identifier: id})));
+      }
+    }
+  } else {
+    // OID4VCI Draft 13 request format
+    requests = matchingConfigurations.map(
+      ({format, credential_definition}) => ({format, credential_definition}));
+  }
+  if(!(requests?.length > 0)) {
     throw new Error(
       `No supported credential(s) with format "${format}" found.`);
   }
@@ -65,6 +108,49 @@ export async function getCredentialOffer({url, agent} = {}) {
   return response.data;
 }
+export function getCredentialConfigurations({
+  issuerConfig, offer, credentialConfigurationIds, supportedFormats
+} = {}) {
+  // get all supported credential configurations from issuer config
+  let supported = [
+    ..._createSupportedCredentialsMap({issuerConfig}).entries()]
+    .map(([id, c]) => ({id, ...c}));
+  // compute `credentialConfigurationIds` from `offer` as necessary
+  if(offer && !credentialConfigurationIds) {
+    if(offer.credential_configuration_ids) {
+      credentialConfigurationIds = offer.credential_configuration_ids;
+    } else if(offer.credentials) {
+      // allow legacy `offer.credentials` that express IDs
+      credentialConfigurationIds = offer.credentials
+        .map(c => typeof c === 'string' ? c : undefined)
+        .filter(c => c !== undefined);
+      // if no IDs; handle degenerate case of objects expressed in
+      // `offer.credentials` for pre-draft 13, to be dropped in a future major
+      // release that also drops draft 13 support
+      if(credentialConfigurationIds.length === 0) {
+        supported = offer.credentials.filter(c => typeof c === 'object');
+        credentialConfigurationIds = undefined;
+      }
+    }
+  }
+  // filter by IDs, if given
+  if(credentialConfigurationIds) {
+    const idSet = new Set(credentialConfigurationIds);
+    supported = supported.filter(c => idSet.has(c.id));
+  }
+  // filter by supported formats, if given
+  if(supportedFormats) {
+    const formatSet = new Set(supportedFormats);
+    supported = supported.filter(c => formatSet.has(c.format));
+  }
+  return supported;
+}
 export function parseCredentialOfferUrl({url} = {}) {
   assert(url, 'url', 'string');
@@ -116,23 +202,3 @@ function _createSupportedCredentialsMap({issuerConfig}) {
   return supported;
 }
-function _getSupportedCredentialById({id, supported}) {
-  const meta = supported.get(id);
-  if(!meta) {
-    throw new Error(`No supported credential "${id}" found.`);
-  }
-  const {format, credential_definition} = meta;
-  if(typeof format !== 'string') {
-    throw new Error(
-      `Invalid supported credential "${id}"; "format" not specified.`);
-  }
-  if(!(Array.isArray(credential_definition?.['@context']) &&
-    (Array.isArray(credential_definition?.types) ||
-    Array.isArray(credential_definition?.type)))) {
-    throw new Error(
-      `Invalid supported credential "${id}"; "credential_definition" not ` +
-      'fully specified.');
-  }
-  return {format, credential_definition};
-}

package/lib/util.js CHANGED Viewed

@@ -39,7 +39,7 @@ export function base64Encode(data) {
 }
 export function createNamedError({message, name, details, cause} = {}) {
-  const error = new Error(message, {cause});
+  const error = cause ? new Error(message, {cause}) : new Error(message);
   error.name = name;
   if(details) {
     error.details = details;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@digitalbazaar/oid4-client",
-  "version": "5.9.1",
+  "version": "5.10.0",
   "description": "An OID4 (VC + VP) client",
   "homepage": "https://github.com/digitalbazaar/oid4-client",
   "author": {