npm - @openid4vc/openid4vci - Versions diffs - 0.3.0-alpha-20251017122507 → 0.3.0-alpha-20251021082313 - Mend

@openid4vc/openid4vci 0.3.0-alpha-20251017122507 → 0.3.0-alpha-20251021082313

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -4,7 +4,7 @@ import z from "zod";
 //#region src/version.ts
 let Openid4vciDraftVersion = /* @__PURE__ */ function(Openid4vciDraftVersion$1) {
-	Openid4vciDraftVersion$1["Draft16"] = "Draft16";
+	Openid4vciDraftVersion$1["V1"] = "V1";
 	Openid4vciDraftVersion$1["Draft15"] = "Draft15";
 	Openid4vciDraftVersion$1["Draft14"] = "Draft14";
 	Openid4vciDraftVersion$1["Draft11"] = "Draft11";
@@ -304,7 +304,7 @@ const zLegacySdJwtVcFormatIdentifier = z.literal("vc+sd-jwt");
 * of the OpenID for Verifiable Presentations specification. Please update your
 * implementations accordingly.
 */
-const zLegacySdJwtVcCredentialIssuerMetadataDraft16 = zCredentialConfigurationSupportedCommon.extend({
+const zLegacySdJwtVcCredentialIssuerMetadataV1 = zCredentialConfigurationSupportedCommon.extend({
 	vct: z.string(),
 	format: zLegacySdJwtVcFormatIdentifier,
 	order: z.optional(z.array(z.string())),
@@ -581,7 +581,7 @@ const allCredentialIssuerMetadataFormats = [
 	zJwtVcJsonCredentialIssuerMetadata,
 	zSdJwtW3VcCredentialIssuerMetadata,
 	zSdJwtW3VcCredentialIssuerMetadataDraft15,
-	zLegacySdJwtVcCredentialIssuerMetadataDraft16,
+	zLegacySdJwtVcCredentialIssuerMetadataV1,
 	zSdJwtDcCredentialIssuerMetadataDraft15,
 	zMsoMdocCredentialIssuerMetadataDraft15,
 	zJwtVcJsonLdCredentialIssuerMetadataDraft15,
@@ -613,7 +613,7 @@ const zCredentialIssuerMetadataDisplayEntry = z.object({
 		alt_text: z.string().optional()
 	}).loose().optional()
 }).loose();
-const zCredentialIssuerMetadataDraft14Draft15Draft16 = z.object({
+const zCredentialIssuerMetadataDraft14Draft15V1 = z.object({
 	credential_issuer: zHttpsUrl,
 	authorization_servers: z.array(zHttpsUrl).optional(),
 	credential_endpoint: zHttpsUrl,
@@ -626,7 +626,6 @@ const zCredentialIssuerMetadataDraft14Draft15Draft16 = z.object({
 		encryption_required: z.boolean()
 	}).loose().optional(),
 	batch_credential_issuance: z.object({ batch_size: z.number().positive() }).loose().optional(),
-	signed_metadata: zCompactJwt.optional(),
 	display: z.array(zCredentialIssuerMetadataDisplayEntry).optional(),
 	credential_configurations_supported: z.record(z.string(), zCredentialConfigurationSupportedWithFormats)
 }).loose();
@@ -665,7 +664,7 @@ const zCredentialConfigurationSupportedDraft11To16 = z.object({
 	});
 	return z.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
-const zCredentialConfigurationSupportedDraft16To11 = zCredentialConfigurationSupportedWithFormats.transform(({ credential_metadata,...rest }) => ({
+const zCredentialConfigurationSupportedV1ToDraft11 = zCredentialConfigurationSupportedWithFormats.transform(({ credential_metadata,...rest }) => ({
 	...credential_metadata,
 	...rest
 })).and(z.object({ id: z.string() }).loose()).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope,...rest }) => ({
@@ -706,17 +705,17 @@ const zCredentialIssuerMetadataDraft11To16 = z.object({
 		...authorization_server ? { authorization_servers: [authorization_server] } : {},
 		credential_configurations_supported: Object.fromEntries(credentials_supported.map((supported) => supported.id ? [supported.id, supported] : void 0).filter((i) => i !== void 0))
 	};
-}).pipe(z.object({ credential_configurations_supported: z.record(z.string(), zCredentialConfigurationSupportedDraft11To16) }).loose()).pipe(zCredentialIssuerMetadataDraft14Draft15Draft16);
-const zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15Draft16.transform((issuerMetadata) => ({
+}).pipe(z.object({ credential_configurations_supported: z.record(z.string(), zCredentialConfigurationSupportedDraft11To16) }).loose()).pipe(zCredentialIssuerMetadataDraft14Draft15V1);
+const zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15V1.transform((issuerMetadata) => ({
 	...issuerMetadata,
 	...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
 	credentials_supported: Object.entries(issuerMetadata.credential_configurations_supported).map(([id, value]) => ({
 		...value,
 		id
 	}))
-})).pipe(zCredentialIssuerMetadataDraft14Draft15Draft16.extend({ credentials_supported: z.array(zCredentialConfigurationSupportedDraft16To11) }));
-const zCredentialIssuerMetadata = z.union([zCredentialIssuerMetadataDraft14Draft15Draft16, zCredentialIssuerMetadataDraft11To16]);
-const zCredentialIssuerMetadataWithDraftVersion = z.union([zCredentialIssuerMetadataDraft14Draft15Draft16.transform((credentialIssuerMetadata) => {
+})).pipe(zCredentialIssuerMetadataDraft14Draft15V1.extend({ credentials_supported: z.array(zCredentialConfigurationSupportedV1ToDraft11) }));
+const zCredentialIssuerMetadata = z.union([zCredentialIssuerMetadataDraft14Draft15V1, zCredentialIssuerMetadataDraft11To16]);
+const zCredentialIssuerMetadataWithDraftVersion = z.union([zCredentialIssuerMetadataDraft14Draft15V1.transform((credentialIssuerMetadata) => {
 	const credentialConfigurations = Object.values(credentialIssuerMetadata.credential_configurations_supported);
 	const isDraft15 = credentialConfigurations.some((configuration) => {
 		const knownConfiguration = configuration;
@@ -727,29 +726,83 @@ const zCredentialIssuerMetadataWithDraftVersion = z.union([zCredentialIssuerMeta
 	});
 	return {
 		credentialIssuerMetadata,
-		originalDraftVersion: credentialConfigurations.some((configuration) => {
-			return configuration.credential_metadata;
-		}) ? Openid4vciDraftVersion.Draft16 : isDraft15 ? Openid4vciDraftVersion.Draft15 : Openid4vciDraftVersion.Draft14
+		originalDraftVersion: credentialConfigurations.some((configuration) => configuration.credential_metadata) ? Openid4vciDraftVersion.V1 : isDraft15 ? Openid4vciDraftVersion.Draft15 : Openid4vciDraftVersion.Draft14
 	};
 }), zCredentialIssuerMetadataDraft11To16.transform((credentialIssuerMetadata) => ({
 	credentialIssuerMetadata,
 	originalDraftVersion: Openid4vciDraftVersion.Draft11
 }))]);
+//#endregion
+//#region src/metadata/credential-issuer/z-signed-credential-issuer-metadata.ts
+const zSignedCredentialIssuerMetadataHeader = z.object({
+	...zJwtHeader.shape,
+	typ: z.literal("openidvci-issuer-metadata+jwt")
+}).loose();
+const zSignedCredentialIssuerMetadataPayload = z.object({
+	...zJwtPayload.shape,
+	iat: zInteger,
+	sub: z.string(),
+	...zCredentialIssuerMetadataDraft14Draft15V1.shape
+}).loose();
 //#endregion
 //#region src/metadata/credential-issuer/credential-issuer-metadata.ts
 const wellKnownCredentialIssuerSuffix = ".well-known/openid-credential-issuer";
 /**
 * @inheritdoc {@link fetchWellKnownMetadata}
 */
-async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
+async function fetchCredentialIssuerMetadata(credentialIssuer, options) {
 	const parsedIssuerUrl = new URL(credentialIssuer);
 	const legacyWellKnownMetadataUrl = joinUriParts(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
 	const wellKnownMetadataUrl = joinUriParts(parsedIssuerUrl.origin, [wellKnownCredentialIssuerSuffix, parsedIssuerUrl.pathname]);
-	let result = await fetchWellKnownMetadata(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
-	if (!result && legacyWellKnownMetadataUrl !== wellKnownMetadataUrl) result = await fetchWellKnownMetadata(legacyWellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
-	if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) throw new Oauth2Error(`The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
-	return result;
+	const acceptedContentType = options?.callbacks?.verifyJwt ? [ContentType.Jwt, ContentType.Json] : [ContentType.Json];
+	const responseSchema = zCredentialIssuerMetadataWithDraftVersion.or(zCompactJwt);
+	let result = await fetchWellKnownMetadata(wellKnownMetadataUrl, responseSchema, {
+		fetch: options?.callbacks?.fetch,
+		acceptedContentType
+	});
+	if (!result && legacyWellKnownMetadataUrl !== wellKnownMetadataUrl) result = await fetchWellKnownMetadata(legacyWellKnownMetadataUrl, responseSchema, {
+		fetch: options?.callbacks?.fetch,
+		acceptedContentType
+	});
+	let issuerMetadataWithVersion = null;
+	if (typeof result === "string") {
+		if (!options?.callbacks?.verifyJwt) throw new Oauth2Error(`Unable to verify signed credential issuer metadata, no 'verifyJwt' callback provided to fetch credential issuer metadata method.`);
+		const { header, payload, signature } = decodeJwt({
+			jwt: result,
+			headerSchema: zSignedCredentialIssuerMetadataHeader,
+			payloadSchema: zSignedCredentialIssuerMetadataPayload
+		});
+		if (payload.sub !== credentialIssuer) throw new Oauth2Error(`The 'sub' parameter '${payload.sub}' in the signed well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
+		const signer = jwtSignerFromJwt({
+			header,
+			payload
+		});
+		const verifyResult = await verifyJwt({
+			compact: result,
+			header,
+			payload,
+			verifyJwtCallback: options.callbacks.verifyJwt,
+			now: options.now,
+			signer,
+			errorMessage: "signed credential issuer metadata jwt verification failed"
+		});
+		issuerMetadataWithVersion = {
+			...parseWithErrorHandling(zCredentialIssuerMetadataWithDraftVersion, payload, "Unable to determine version for signed issuer metadata"),
+			signed: {
+				signer: verifyResult.signer,
+				jwt: {
+					header,
+					payload,
+					signature,
+					compact: result
+				}
+			}
+		};
+	} else if (result) issuerMetadataWithVersion = result;
+	if (issuerMetadataWithVersion && issuerMetadataWithVersion.credentialIssuerMetadata.credential_issuer !== credentialIssuer) throw new Oauth2Error(`The 'credential_issuer' parameter '${issuerMetadataWithVersion.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
+	return issuerMetadataWithVersion;
 }
 /**
 * Extract credential configuration supported entries where the `format` is known to this
@@ -908,7 +961,7 @@ function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupp
 //#region src/credential-request/format-payload.ts
 function getCredentialRequestFormatPayloadForCredentialConfigurationId(options) {
 	const credentialConfiguration = getCredentialConfigurationSupportedById(options.issuerMetadata.credentialIssuer.credential_configurations_supported, options.credentialConfigurationId);
-	if (zIs(zLegacySdJwtVcCredentialIssuerMetadataDraft16, credentialConfiguration) || zIs(zLegacySdJwtVcCredentialIssuerMetadataDraft14, credentialConfiguration)) return {
+	if (zIs(zLegacySdJwtVcCredentialIssuerMetadataV1, credentialConfiguration) || zIs(zLegacySdJwtVcCredentialIssuerMetadataDraft14, credentialConfiguration)) return {
 		format: credentialConfiguration.format,
 		vct: credentialConfiguration.vct
 	};
@@ -1133,12 +1186,12 @@ const zOauth2ErrorResponse = z.object({
 const zCredentialEncoding = z.union([z.string(), z.record(z.string(), z.any())]);
 const zBaseCredentialResponse = z.object({
 	credentials: z.union([z.array(z.object({ credential: zCredentialEncoding })), z.array(zCredentialEncoding)]).optional(),
-	interval: z.number().int().positive().optional(),
-	notification_id: z.string().optional()
+	notification_id: z.string().optional(),
+	transaction_id: z.string().optional(),
+	interval: z.number().int().positive().optional()
 }).loose();
 const zCredentialResponse = zBaseCredentialResponse.extend({
 	credential: z.optional(zCredentialEncoding),
-	transaction_id: z.string().optional(),
 	c_nonce: z.string().optional(),
 	c_nonce_expires_in: z.number().int().optional()
 }).loose().superRefine((value, ctx) => {
@@ -1165,15 +1218,26 @@ const zCredentialErrorResponse = z.object({
 	c_nonce: z.string().optional(),
 	c_nonce_expires_in: z.number().int().optional()
 }).loose();
-const zDeferredCredentialResponse = zBaseCredentialResponse.refine((value) => {
-	const { credentials, interval } = value;
-	return [credentials, interval].filter((i) => i !== void 0).length === 1;
-}, { message: `Exactly one of 'credentials' or 'interval' MUST be defined.` });
+const zDeferredCredentialResponse = zBaseCredentialResponse.superRefine((value, ctx) => {
+	const { credentials, transaction_id, interval, notification_id } = value;
+	if ([credentials, transaction_id].filter((i) => i !== void 0).length !== 1) ctx.addIssue({
+		code: "custom",
+		message: `Exactly one of 'credentials', or 'transaction_id' MUST be defined.`
+	});
+	if (transaction_id && !interval) ctx.addIssue({
+		code: "custom",
+		message: `'interval' MUST be defined when 'transaction_id' is defined.`
+	});
+	if (notification_id && credentials) ctx.addIssue({
+		code: "custom",
+		message: `'notification_id' MUST NOT be defined when 'credentials' is not defined.`
+	});
+});
 //#endregion
 //#region src/credential-request/retrieve-credentials.ts
 async function retrieveCredentialsWithCredentialConfigurationId(options) {
-	if (options.issuerMetadata.originalDraftVersion !== Openid4vciDraftVersion.Draft15 && options.issuerMetadata.originalDraftVersion !== Openid4vciDraftVersion.Draft16) throw new Openid4vciError("Requesting credentials based on credential configuration ID is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request.");
+	if (options.issuerMetadata.originalDraftVersion !== Openid4vciDraftVersion.Draft15 && options.issuerMetadata.originalDraftVersion !== Openid4vciDraftVersion.V1) throw new Openid4vciError("Requesting credentials based on credential configuration ID is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request.");
 	getCredentialConfigurationSupportedById(options.issuerMetadata.credentialIssuer.credential_configurations_supported, options.credentialConfigurationId);
 	const credentialRequest = {
 		...options.additionalRequestPayload,
@@ -1190,7 +1254,7 @@ async function retrieveCredentialsWithCredentialConfigurationId(options) {
 	});
 }
 async function retrieveCredentialsWithFormat(options) {
-	if (options.issuerMetadata.originalDraftVersion === Openid4vciDraftVersion.Draft15 || options.issuerMetadata.originalDraftVersion === Openid4vciDraftVersion.Draft16) throw new Openid4vciError("Requesting credentials based on format is not supported in OpenID4VCI draft 15. Provide the credential configuration id directly in the request.");
+	if (options.issuerMetadata.originalDraftVersion === Openid4vciDraftVersion.Draft15 || options.issuerMetadata.originalDraftVersion === Openid4vciDraftVersion.V1) throw new Openid4vciError("Requesting credentials based on format is not supported on OpenID4VCI above draft 15. Provide the credential configuration id directly in the request.");
 	const credentialRequest = {
 		...options.formatPayload,
 		...options.additionalRequestPayload,
@@ -1272,7 +1336,7 @@ async function retrieveDeferredCredentials(options) {
 			deferredCredentialErrorResponseResult
 		};
 	}
-	const deferredCredentialResponseResult = isResponseContentType(ContentType.Json, resourceResponse.response) ? zDeferredCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+	const deferredCredentialResponseResult = isResponseContentType(ContentType.Json, resourceResponse.response) ? zDeferredCredentialResponse.refine((response) => response.credentials || response.transaction_id === options.transactionId, { error: `Transaction id in deferred credential response does not match transaction id in deferred credential request '${options.transactionId}'` }).safeParse(await resourceResponse.response.clone().json()) : void 0;
 	if (!deferredCredentialResponseResult?.success) return {
 		...resourceResponse,
 		ok: false,
@@ -1363,14 +1427,17 @@ async function verifyCredentialRequestJwtProof(options) {
 //#region src/metadata/fetch-issuer-metadata.ts
 async function resolveIssuerMetadata(credentialIssuer, options) {
 	const allowAuthorizationMetadataFromCredentialIssuerMetadata = options?.allowAuthorizationMetadataFromCredentialIssuerMetadata ?? true;
-	const credentialIssuerMetadataWithDraftVersion = await fetchCredentialIssuerMetadata(credentialIssuer, options?.fetch);
+	const credentialIssuerMetadataWithDraftVersion = await fetchCredentialIssuerMetadata(credentialIssuer, {
+		callbacks: options?.callbacks,
+		now: options?.now
+	});
 	if (!credentialIssuerMetadataWithDraftVersion) throw new Oauth2Error(`Well known credential issuer metadata for issuer '${credentialIssuer}' not found.`);
-	const { credentialIssuerMetadata, originalDraftVersion } = credentialIssuerMetadataWithDraftVersion;
+	const { credentialIssuerMetadata, originalDraftVersion, signed } = credentialIssuerMetadataWithDraftVersion;
 	const authorizationServers = credentialIssuerMetadata.authorization_servers ?? [credentialIssuer];
 	const authoriationServersMetadata = [];
 	for (const authorizationServer of authorizationServers) {
 		if (options?.restrictToAuthorizationServers && !options.restrictToAuthorizationServers.includes(authorizationServer)) continue;
-		let authorizationServerMetadata = await fetchAuthorizationServerMetadata(authorizationServer, options?.fetch);
+		let authorizationServerMetadata = await fetchAuthorizationServerMetadata(authorizationServer, options?.callbacks.fetch);
 		if (!authorizationServerMetadata && authorizationServer === credentialIssuer && allowAuthorizationMetadataFromCredentialIssuerMetadata) authorizationServerMetadata = parseWithErrorHandling(zAuthorizationServerMetadata, {
 			token_endpoint: credentialIssuerMetadata.token_endpoint,
 			issuer: credentialIssuer
@@ -1381,6 +1448,7 @@ async function resolveIssuerMetadata(credentialIssuer, options) {
 	return {
 		originalDraftVersion,
 		credentialIssuer: credentialIssuerMetadata,
+		signedCredentialIssuer: signed,
 		authorizationServers: authoriationServersMetadata
 	};
 }
@@ -1486,7 +1554,7 @@ var Openid4vciClient = class {
 		return resolveCredentialOffer(credentialOffer, { fetch: this.options.callbacks.fetch });
 	}
 	async resolveIssuerMetadata(credentialIssuer) {
-		return resolveIssuerMetadata(credentialIssuer, { fetch: this.options.callbacks.fetch });
+		return resolveIssuerMetadata(credentialIssuer, { callbacks: this.options.callbacks });
 	}
 	/**
 	* Retrieve an authorization code for a presentation during issuance session
@@ -1690,7 +1758,7 @@ var Openid4vciClient = class {
 	*/
 	async retrieveCredentials({ issuerMetadata, proof, proofs, credentialConfigurationId, additionalRequestPayload, accessToken, dpop }) {
 		let credentialResponse;
-		if (issuerMetadata.originalDraftVersion === Openid4vciDraftVersion.Draft15 || issuerMetadata.originalDraftVersion === Openid4vciDraftVersion.Draft16) credentialResponse = await retrieveCredentialsWithCredentialConfigurationId({
+		if (issuerMetadata.originalDraftVersion === Openid4vciDraftVersion.Draft15 || issuerMetadata.originalDraftVersion === Openid4vciDraftVersion.V1) credentialResponse = await retrieveCredentialsWithCredentialConfigurationId({
 			accessToken,
 			credentialConfigurationId,
 			issuerMetadata,
@@ -1765,6 +1833,7 @@ function createDeferredCredentialResponse(options) {
 	return parseWithErrorHandling(zDeferredCredentialResponse, {
 		credentials: options.credentials,
 		notification_id: options.notificationId,
+		transaction_id: options.transactionId,
 		interval: options.interval,
 		...options.additionalPayload
 	});
@@ -1820,6 +1889,28 @@ async function verifyCredentialRequestAttestationProof(options) {
 	});
 }
+//#endregion
+//#region src/metadata/credential-issuer/signed-credential-issuer-metadata.ts
+async function createSignedCredentialIssuerMetadataJwt(options) {
+	const header = parseWithErrorHandling(zSignedCredentialIssuerMetadataHeader, {
+		...jwtHeaderFromJwtSigner(options.signer),
+		typ: "openidvci-issuer-metadata+jwt"
+	});
+	const payload = parseWithErrorHandling(zSignedCredentialIssuerMetadataPayload, {
+		...options.credentialIssuerMetadata,
+		sub: options.credentialIssuerMetadata.credential_issuer,
+		iat: dateToSeconds(options.issuedAt),
+		exp: options.expiresAt ? dateToSeconds(options.expiresAt) : void 0,
+		iss: options.issuer,
+		...options.additionalPayload
+	});
+	const { jwt } = await options.callbacks.signJwt(options.signer, {
+		header,
+		payload
+	});
+	return jwt;
+}
 //#endregion
 //#region src/Openid4vciIssuer.ts
 var Openid4vciIssuer = class {
@@ -1838,6 +1929,15 @@ var Openid4vciIssuer = class {
 	createCredentialIssuerMetadata(credentialIssuerMetadata) {
 		return parseWithErrorHandling(zCredentialIssuerMetadata, credentialIssuerMetadata, "Error validating credential issuer metadata");
 	}
+	/**
+	* Validates credential issuer metadata structure is correct and creates signed credential issuer metadata JWT
+	*/
+	createSignedCredentialIssuerMetadataJwt(options) {
+		return createSignedCredentialIssuerMetadataJwt({
+			callbacks: this.options.callbacks,
+			...options
+		});
+	}
 	async createCredentialOffer(options) {
 		return createCredentialOffer({
 			callbacks: this.options.callbacks,