@pagopa/io-react-native-wallet 0.1.0 → 0.2.0

package/lib/typescript/rp/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/rp/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AAEzB,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAC;AAC1D,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoBxB,CAAC;AAGH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAC1E,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkChC,CAAC"}

package/lib/typescript/sd-jwt/types.d.ts

@@ -22,18 +22,18 @@ export declare const SdJwt4VC: z.ZodObject<{
     header: z.ZodObject<{
         typ: z.ZodLiteral<"vc+sd-jwt">;
         alg: z.ZodString;
-        kid: z.ZodString;
+        kid: z.ZodOptional<z.ZodString>;
         trust_chain: z.ZodArray<z.ZodString, "many">;
     }, "strip", z.ZodTypeAny, {
         alg: string;
-        kid: string;
         typ: "vc+sd-jwt";
         trust_chain: string[];
+        kid?: string | undefined;
     }, {
         alg: string;
-        kid: string;
         typ: "vc+sd-jwt";
         trust_chain: string[];
+        kid?: string | undefined;
     }>;
     payload: z.ZodObject<{
         iss: z.ZodString;
@@ -307,9 +307,9 @@ export declare const SdJwt4VC: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     header: {
         alg: string;
-        kid: string;
         typ: "vc+sd-jwt";
         trust_chain: string[];
+        kid?: string | undefined;
     };
     payload: {
         type: "PersonIdentificationData";
@@ -361,9 +361,9 @@ export declare const SdJwt4VC: z.ZodObject<{
 }, {
     header: {
         alg: string;
-        kid: string;
         typ: "vc+sd-jwt";
         trust_chain: string[];
+        kid?: string | undefined;
     };
     payload: {
         type: "PersonIdentificationData";

package/lib/typescript/utils/dpop.d.ts

@@ -0,0 +1,21 @@
+import * as z from "zod";
+import type { JWK } from "./jwk";
+export declare const getUnsignedDPop: (jwk: JWK, payload: DPoPPayload) => string;
+export type DPoPPayload = z.infer<typeof DPoPPayload>;
+export declare const DPoPPayload: z.ZodObject<{
+    jti: z.ZodString;
+    htm: z.ZodUnion<[z.ZodLiteral<"POST">, z.ZodLiteral<"GET">]>;
+    htu: z.ZodString;
+    ath: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    jti: string;
+    htm: "POST" | "GET";
+    htu: string;
+    ath?: string | undefined;
+}, {
+    jti: string;
+    htm: "POST" | "GET";
+    htu: string;
+    ath?: string | undefined;
+}>;
+//# sourceMappingURL=dpop.d.ts.map

package/lib/typescript/utils/dpop.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../../../src/utils/dpop.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AAGzB,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,OAAO,CAAC;AAEjC,eAAO,MAAM,eAAe,QAAS,GAAG,WAAW,WAAW,KAAG,MAWhE,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AACtD,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;EAKtB,CAAC"}

package/lib/typescript/utils/errors.d.ts

@@ -42,4 +42,30 @@ export declare class WalletInstanceAttestationIssuingError extends IoWalletError
     reason: string;
     constructor(message: string, claim?: string, reason?: string);
 }
+/**
+ * An error subclass thrown when auth request decode fail
+ *
+ */
+export declare class AuthRequestDecodeError extends IoWalletError {
+    static get code(): "ERR_IO_WALLET_AUTHENTICATION_REQUEST_DECODE_FAILED";
+    code: string;
+    /** The Claim for which the validation failed. */
+    claim: string;
+    /** Reason code for the validation failure. */
+    reason: string;
+    constructor(message: string, claim?: string, reason?: string);
+}
+/**
+ * An error subclass thrown when validation fail
+ *
+ */
+export declare class PidIssuingError extends IoWalletError {
+    static get code(): "ERR_IO_WALLET_PID_ISSUING_FAILED";
+    code: string;
+    /** The Claim for which the validation failed. */
+    claim: string;
+    /** Reason code for the validation failure. */
+    reason: string;
+    constructor(message: string, claim?: string, reason?: string);
+}
 //# sourceMappingURL=errors.d.ts.map

package/lib/typescript/utils/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/utils/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,qBAAa,aAAc,SAAQ,KAAK;IACtC,6DAA6D;IAC7D,MAAM,KAAK,IAAI,IAAI,MAAM,CAExB;IAED,6DAA6D;IAC7D,IAAI,EAAE,MAAM,CAA2B;gBAE3B,OAAO,CAAC,EAAE,MAAM;CAM7B;AACD;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,aAAa;IACjD,MAAM,KAAK,IAAI,IAAI,iCAAiC,CAEnD;IAED,IAAI,SAAqC;IAEzC,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IAEd,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;gBAEH,OAAO,EAAE,MAAM,EAAE,KAAK,SAAgB,EAAE,MAAM,SAAgB;CAK3E;AAED;;;GAGG;AACH,qBAAa,qCAAsC,SAAQ,aAAa;IACtE,MAAM,KAAK,IAAI,IAAI,mDAAmD,CAErE;IAED,IAAI,SAAuD;IAE3D,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IAEd,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;gBAEH,OAAO,EAAE,MAAM,EAAE,KAAK,SAAgB,EAAE,MAAM,SAAgB;CAK3E"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/utils/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,qBAAa,aAAc,SAAQ,KAAK;IACtC,6DAA6D;IAC7D,MAAM,KAAK,IAAI,IAAI,MAAM,CAExB;IAED,6DAA6D;IAC7D,IAAI,EAAE,MAAM,CAA2B;gBAE3B,OAAO,CAAC,EAAE,MAAM;CAM7B;AACD;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,aAAa;IACjD,MAAM,KAAK,IAAI,IAAI,iCAAiC,CAEnD;IAED,IAAI,SAAqC;IAEzC,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IAEd,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;gBAEH,OAAO,EAAE,MAAM,EAAE,KAAK,SAAgB,EAAE,MAAM,SAAgB;CAK3E;AAED;;;GAGG;AACH,qBAAa,qCAAsC,SAAQ,aAAa;IACtE,MAAM,KAAK,IAAI,IAAI,mDAAmD,CAErE;IAED,IAAI,SAAuD;IAE3D,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IAEd,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;gBAEH,OAAO,EAAE,MAAM,EAAE,KAAK,SAAgB,EAAE,MAAM,SAAgB;CAK3E;AAED;;;GAGG;AACH,qBAAa,sBAAuB,SAAQ,aAAa;IACvD,MAAM,KAAK,IAAI,IAAI,oDAAoD,CAEtE;IAED,IAAI,SAAwD;IAE5D,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IAEd,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;gBAEH,OAAO,EAAE,MAAM,EAAE,KAAK,SAAgB,EAAE,MAAM,SAAgB;CAK3E;AAED;;;GAGG;AACH,qBAAa,eAAgB,SAAQ,aAAa;IAChD,MAAM,KAAK,IAAI,IAAI,kCAAkC,CAEpD;IAED,IAAI,SAAsC;IAE1C,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IAEd,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;gBAEH,OAAO,EAAE,MAAM,EAAE,KAAK,SAAgB,EAAE,MAAM,SAAgB;CAK3E"}

package/lib/typescript/wallet-instance-attestation/issuing.d.ts

@@ -1,7 +1,8 @@
 import { JWK } from "../utils/jwk";
 export declare class Issuing {
     walletProviderBaseUrl: string;
-    constructor(walletProviderBaseUrl: string);
+    appFetch: GlobalFetch["fetch"];
+    constructor(walletProviderBaseUrl: string, appFetch?: GlobalFetch["fetch"]);
     /**
      * Get the Wallet Instance Attestation Request to sign
      *
@@ -22,11 +23,10 @@ export declare class Issuing {
      * @param attestationRequest Wallet Instance Attestaion Request
      * obtained with {@link getAttestationRequestToSign}
      * @param signature Signature of the Wallet Instance Attestaion Request
-     * @param appFetch Optional object with fetch function to use
      *
      * @returns {string} Wallet Instance Attestation
      *
      */
-    getAttestation(attestationRequest: string, signature: string, appFetch?: GlobalFetch): Promise<String>;
+    getAttestation(attestationRequest: string, signature: string): Promise<string>;
 }
 //# sourceMappingURL=issuing.d.ts.map

package/lib/typescript/wallet-instance-attestation/issuing.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"issuing.d.ts","sourceRoot":"","sources":["../../../src/wallet-instance-attestation/issuing.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAKnC,qBAAa,OAAO;IAClB,qBAAqB,EAAE,MAAM,CAAC;gBAElB,qBAAqB,EAAE,MAAM;IAIzC;;;;;;;;;OASG;IACG,2BAA2B,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;IA0B5D;;;;;;;;;;;;;OAaG;IACG,cAAc,CAClB,kBAAkB,EAAE,MAAM,EAC1B,SAAS,EAAE,MAAM,EACjB,QAAQ,GAAE,WAAuB,GAChC,OAAO,CAAC,MAAM,CAAC;CAqCnB"}
+{"version":3,"file":"issuing.d.ts","sourceRoot":"","sources":["../../../src/wallet-instance-attestation/issuing.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAKnC,qBAAa,OAAO;IAClB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;gBAE7B,qBAAqB,EAAE,MAAM,EAC7B,QAAQ,GAAE,WAAW,CAAC,OAAO,CAAS;IAMxC;;;;;;;;;OASG;IACG,2BAA2B,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;IA0B5D;;;;;;;;;;;;OAYG;IACG,cAAc,CAClB,kBAAkB,EAAE,MAAM,EAC1B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC;CAqCnB"}

package/lib/typescript/wallet-instance-attestation/types.d.ts

@@ -575,8 +575,8 @@ export declare const WalletInstanceAttestationJwt: z.ZodObject<{
     }, "strip", z.ZodTypeAny, {
         type: "WalletInstanceAttestation";
         policy_uri: string;
-        tos_uri: string;
         logo_uri: string;
+        tos_uri: string;
         asc: string;
         authorization_endpoint: string;
         response_types_supported: string[];
@@ -593,8 +593,8 @@ export declare const WalletInstanceAttestationJwt: z.ZodObject<{
     }, {
         type: "WalletInstanceAttestation";
         policy_uri: string;
-        tos_uri: string;
         logo_uri: string;
+        tos_uri: string;
         asc: string;
         authorization_endpoint: string;
         response_types_supported: string[];
@@ -653,8 +653,8 @@ export declare const WalletInstanceAttestationJwt: z.ZodObject<{
     } & {
         type: "WalletInstanceAttestation";
         policy_uri: string;
-        tos_uri: string;
         logo_uri: string;
+        tos_uri: string;
         asc: string;
         authorization_endpoint: string;
         response_types_supported: string[];
@@ -713,8 +713,8 @@ export declare const WalletInstanceAttestationJwt: z.ZodObject<{
     } & {
         type: "WalletInstanceAttestation";
         policy_uri: string;
-        tos_uri: string;
         logo_uri: string;
+        tos_uri: string;
         asc: string;
         authorization_endpoint: string;
         response_types_supported: string[];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-react-native-wallet",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Provide data structures, helpers and API for IO Wallet",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",
@@ -66,13 +66,15 @@
     "react": "18.2.0",
     "react-native": "0.71.8",
     "react-native-builder-bob": "^0.20.0",
-    "typescript": "^5.0.2"
+    "typescript": "^5.0.2",
+    "@pagopa/io-react-native-crypto": "^0.2.3"
   },
   "resolutions": {
     "@types/react": "17.0.21"
   },
   "peerDependencies": {
     "@pagopa/io-react-native-jwt": "*",
+    "@pagopa/io-react-native-crypto": "*",
     "react": "*",
     "react-native": "*"
   },

package/src/index.ts

@@ -1,8 +1,7 @@
 import * as PID from "./pid";
+import * as RP from "./rp";
+import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
+import { getUnsignedDPop } from "./utils/dpop";
 
-export function multiply(a: number, b: number): Promise<number> {
-  return Promise.resolve(a * b);
-}
-
-export { PID, WalletInstanceAttestation };
+export { PID, RP, WalletInstanceAttestation, Errors, getUnsignedDPop };

package/src/pid/index.ts

@@ -1,2 +1,3 @@
 import * as SdJwt from "./sd-jwt";
-export { SdJwt };
+import { Issuing } from "./issuing";
+export { SdJwt, Issuing };

package/src/pid/issuing.ts

@@ -0,0 +1,305 @@
+import {
+  decode as decodeJwt,
+  sha256ToBase64,
+} from "@pagopa/io-react-native-jwt";
+
+import { SignJWT, thumbprint } from "@pagopa/io-react-native-jwt";
+import { JWK } from "../utils/jwk";
+import uuid from "react-native-uuid";
+import { PidIssuingError } from "../utils/errors";
+import { getUnsignedDPop } from "../utils/dpop";
+import { sign, generate, deleteKey } from "@pagopa/io-react-native-crypto";
+
+// This is a temporary type that will be used for demo purposes only
+export type CieData = {
+  birthDate: string;
+  fiscalCode: string;
+  name: string;
+  surname: string;
+};
+
+export type TokenResponse = { access_token: string; c_nonce: string };
+export type PidResponse = {
+  credential: string;
+  c_nonce: string;
+  c_nonce_expires_in: number;
+  format: string;
+};
+
+export class Issuing {
+  pidProviderBaseUrl: string;
+  walletProviderBaseUrl: string;
+  walletInstanceAttestation: string;
+  codeVerifier: string;
+  clientId: string;
+  state: string;
+  authorizationCode: string;
+  appFetch: GlobalFetch["fetch"];
+
+  constructor(
+    pidProviderBaseUrl: string,
+    walletProviderBaseUrl: string,
+    walletInstanceAttestation: string,
+    clientId: string,
+    appFetch: GlobalFetch["fetch"] = fetch
+  ) {
+    this.pidProviderBaseUrl = pidProviderBaseUrl;
+    this.walletProviderBaseUrl = walletProviderBaseUrl;
+    this.state = `${uuid.v4()}`;
+    this.codeVerifier = `${uuid.v4()}`;
+    this.authorizationCode = `${uuid.v4()}`;
+    this.walletInstanceAttestation = walletInstanceAttestation;
+    this.clientId = clientId;
+    this.appFetch = appFetch;
+  }
+
+  /**
+   * Return the unsigned jwt to call the PAR request.
+   *
+   * @function
+   * @param jwk The wallet instance attestation public JWK
+   *
+   * @returns Unsigned jwt
+   *
+   */
+  async getUnsignedJwtForPar(jwk: JWK): Promise<string> {
+    const parsedJwk = JWK.parse(jwk);
+    const keyThumbprint = await thumbprint(parsedJwk);
+    const publicKey = { ...parsedJwk, kid: keyThumbprint };
+    const codeChallenge = await sha256ToBase64(this.codeVerifier);
+
+    const unsignedJwtForPar = new SignJWT({
+      client_assertion_type:
+        "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+      authorization_details: [
+        {
+          credentialDefinition: {
+            type: ["eu.eudiw.pid.it"],
+          },
+          format: "vc+sd-jwt",
+          type: "type",
+        },
+      ],
+      response_type: "code",
+      code_challenge_method: "s256",
+      redirect_uri: this.walletProviderBaseUrl,
+      state: this.state,
+      client_id: this.clientId,
+      code_challenge: codeChallenge,
+    })
+      .setProtectedHeader({
+        alg: "ES256",
+        kid: publicKey.kid,
+      })
+      .setIssuedAt()
+      .setExpirationTime("1h")
+      .toSign();
+
+    return unsignedJwtForPar;
+  }
+
+  /**
+   * Make a PAR request to the PID issuer and return the response url
+   *
+   * @function
+   * @param unsignedJwtForPar The unsigned JWT for PAR
+   * @param signature The JWT for PAR signature
+   *
+   * @returns Unsigned PAR url
+   *
+   */
+  async getPar(unsignedJwtForPar: string, signature: string): Promise<string> {
+    const codeChallenge = await sha256ToBase64(this.codeVerifier);
+    const signedJwtForPar = await SignJWT.appendSignature(
+      unsignedJwtForPar,
+      signature
+    );
+
+    const parUrl = new URL("/as/par", this.pidProviderBaseUrl).href;
+
+    const requestBody = {
+      response_type: "code",
+      client_id: this.clientId,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      client_assertion_type:
+        "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+      client_assertion: this.walletInstanceAttestation,
+      request: signedJwtForPar,
+    };
+
+    var formBody = new URLSearchParams(requestBody);
+
+    const response = await this.appFetch(parUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: formBody.toString(),
+    });
+
+    if (response.status === 201) {
+      const result = await response.json();
+      return result.request_uri;
+    }
+
+    throw new PidIssuingError(
+      `Unable to obtain PAR. Response code: ${await response.text()}`
+    );
+  }
+
+  /**
+   * Return the unsigned jwt for a generic DPoP
+   *
+   * @function
+   * @param jwk the public key for which the DPoP is to be created
+   *
+   * @returns Unsigned JWT for DPoP
+   *
+   */
+  async getUnsignedDPoP(jwk: JWK): Promise<string> {
+    const tokenUrl = new URL("/token", this.pidProviderBaseUrl).href;
+    const dPop = getUnsignedDPop(jwk, {
+      htm: "POST",
+      htu: tokenUrl,
+      jti: `${uuid.v4()}`,
+    });
+    return dPop;
+  }
+
+  /**
+   * Make an auth token request to the PID issuer
+   *
+   * @function
+   * @returns a token response
+   *
+   */
+  async getAuthToken(): Promise<TokenResponse> {
+    //Generate fresh keys for DPoP
+    const dPopKeyTag = `${uuid.v4()}`;
+    const dPopKey = await generate(dPopKeyTag);
+    const unsignedDPopForToken = await this.getUnsignedDPoP(dPopKey);
+    const dPopTokenSignature = await sign(unsignedDPopForToken, dPopKeyTag);
+    await deleteKey(dPopKeyTag);
+
+    const signedDPop = await SignJWT.appendSignature(
+      unsignedDPopForToken,
+      dPopTokenSignature
+    );
+    const decodedJwtDPop = decodeJwt(signedDPop);
+    const tokenUrl = decodedJwtDPop.payload.htu as string;
+    const requestBody = {
+      grant_type: "authorization code",
+      client_id: this.clientId,
+      code: this.authorizationCode,
+      code_verifier: this.codeVerifier,
+      client_assertion_type:
+        "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+      client_assertion: this.walletInstanceAttestation,
+      redirect_uri: this.walletProviderBaseUrl,
+    };
+    var formBody = new URLSearchParams(requestBody);
+
+    const response = await this.appFetch(tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        DPoP: signedDPop,
+      },
+      body: formBody.toString(),
+    });
+
+    if (response.status === 200) {
+      return await response.json();
+    }
+
+    throw new PidIssuingError(
+      `Unable to obtain token. Response code: ${await response.text()}`
+    );
+  }
+
+  /**
+   * Return the unsigned jwt for nonce proof of possession
+   *
+   * @function
+   * @param nonce the nonce
+   *
+   * @returns Unsigned JWT for nonce proof
+   *
+   */
+  async getUnsignedNonceProof(nonce: string): Promise<string> {
+    const unsignedProof = new SignJWT({
+      nonce,
+    })
+      .setProtectedHeader({
+        alg: "ES256",
+        type: "openid4vci-proof+jwt",
+      })
+      .setAudience(this.walletProviderBaseUrl)
+      .setIssuer(this.clientId)
+      .setIssuedAt()
+      .setExpirationTime("1h")
+      .toSign();
+    return unsignedProof;
+  }
+
+  /**
+   * Make the credential issuing request to the PID issuer
+   *
+   * @function
+   * @param unsignedDPopForPid The unsigned JWT for PID DPoP
+   * @param dPopPidSignature The JWT for PID DPoP signature
+   * @param unsignedNonceProof The unsigned JWT for nonce proof
+   * @param nonceProofSignature The JWT for nonce proof signature
+   * @param accessToken The access token obtained with getAuthToken
+   * @param cieData Personal data read by the CIE
+   *
+   * @returns a credential
+   *
+   */
+  async getCredential(
+    unsignedDPopForPid: string,
+    dPopPidSignature: string,
+    unsignedNonceProof: string,
+    nonceProofSignature: string,
+    accessToken: string,
+    cieData: CieData
+  ): Promise<PidResponse> {
+    const signedDPopForPid = await SignJWT.appendSignature(
+      unsignedDPopForPid,
+      dPopPidSignature
+    );
+    const signedNonceProof = await SignJWT.appendSignature(
+      unsignedNonceProof,
+      nonceProofSignature
+    );
+    const credentialUrl = new URL("/credential", this.pidProviderBaseUrl).href;
+
+    const requestBody = {
+      credential_definition: JSON.stringify({ type: ["eu.eudiw.pid.it"] }),
+      format: "vc+sd-jwt",
+      proof: JSON.stringify({
+        jwt: signedNonceProof,
+        cieData,
+        proof_type: "jwt",
+      }),
+    };
+    const formBody = new URLSearchParams(requestBody);
+
+    const response = await this.appFetch(credentialUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        DPoP: signedDPopForPid,
+        Authorization: accessToken,
+      },
+      body: formBody.toString(),
+    });
+
+    if (response.status === 200) {
+      return await response.json();
+    }
+
+    throw new PidIssuingError(`Unable to obtain credential!`);
+  }
+}

package/src/rp/__test__/index.test.ts

@@ -0,0 +1,23 @@
+import { RelyingPartySolution } from "..";
+import { AuthRequestDecodeError } from "../../utils/errors";
+
+const walletInstanceAttestation =
+  "eyJhbGciOiJFUzI1NiIsImtpZCI6IjV0NVlZcEJoTi1FZ0lFRUk1aVV6cjZyME1SMDJMblZRME9tZWttTktjalkiLCJ0cnVzdF9jaGFpbiI6WyJleUpoYkdjaU9pSkZVei4uLjZTMEEiLCJleUpoYkdjaU9pSkZVei4uLmpKTEEiLCJleUpoYkdjaU9pSkZVei4uLkg5Z3ciXSwidHlwIjoidmErand0IiwieDVjIjpbIk1JSUJqRENDIC4uLiBYRmVoZ0tRQT09Il19.eyJpc3MiOiJodHRwczovL3dhbGxldC1wcm92aWRlci5leGFtcGxlLm9yZyIsInN1YiI6InZiZVhKa3NNNDV4cGh0QU5uQ2lHNm1DeXVVNGpmR056b3BHdUt2b2dnOWMiLCJ0eXBlIjoiV2FsbGV0SW5zdGFuY2VBdHRlc3RhdGlvbiIsInBvbGljeV91cmkiOiJodHRwczovL3dhbGxldC1wcm92aWRlci5leGFtcGxlLm9yZy9wcml2YWN5X3BvbGljeSIsInRvc191cmkiOiJodHRwczovL3dhbGxldC1wcm92aWRlci5leGFtcGxlLm9yZy9pbmZvX3BvbGljeSIsImxvZ29fdXJpIjoiaHR0cHM6Ly93YWxsZXQtcHJvdmlkZXIuZXhhbXBsZS5vcmcvbG9nby5zdmciLCJhc2MiOiJodHRwczovL3dhbGxldC1wcm92aWRlci5leGFtcGxlLm9yZy9Mb0EvYmFzaWMiLCJjbmYiOnsiandrIjp7ImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ4IjoiNEhOcHRJLXhyMnBqeVJKS0dNbno0V21kblFEX3VKU3E0Ujk1Tmo5OGI0NCIsInkiOiJMSVpuU0IzOXZGSmhZZ1MzazdqWEU0cjMtQ29HRlF3WnRQQklScXBObHJnIiwia2lkIjoidmJlWEprc000NXhwaHRBTm5DaUc2bUN5dVU0amZHTnpvcEd1S3ZvZ2c5YyJ9fSwiYXV0aG9yaXphdGlvbl9lbmRwb2ludCI6ImV1ZGl3OiIsInJlc3BvbnNlX3R5cGVzX3N1cHBvcnRlZCI6WyJ2cF90b2tlbiJdLCJ2cF9mb3JtYXRzX3N1cHBvcnRlZCI6eyJqd3RfdnBfanNvbiI6eyJhbGdfdmFsdWVzX3N1cHBvcnRlZCI6WyJFUzI1NiJdfSwiand0X3ZjX2pzb24iOnsiYWxnX3ZhbHVlc19zdXBwb3J0ZWQiOlsiRVMyNTYiXX19LCJyZXF1ZXN0X29iamVjdF9zaWduaW5nX2FsZ192YWx1ZXNfc3VwcG9ydGVkIjpbIkVTMjU2Il0sInByZXNlbnRhdGlvbl9kZWZpbml0aW9uX3VyaV9zdXBwb3J0ZWQiOmZhbHNlLCJpYXQiOjE2ODcyODExOTUsImV4cCI6MTY4NzI4ODM5NX0.OTuPik6p3o9j6VOx-uCyxRvHwoh1pDiiZcBQFNQt2uE3dK-8izGNflJVETi_uhGSZOf25Enkq-UvEin9NrbJNw";
+const rp = new RelyingPartySolution(
+  "http://rp.example",
+  walletInstanceAttestation
+);
+describe("decodeAuthRequestQR", () => {
+  it("should return authentication request URL", async () => {
+    const qrcode =
+      "ZXVkaXc6Ly9hdXRob3JpemU/Y2xpZW50X2lkPWh0dHBzOi8vdmVyaWZpZXIuZXhhbXBsZS5vcmcmcmVxdWVzdF91cmk9aHR0cHM6Ly92ZXJpZmllci5leGFtcGxlLm9yZy9yZXF1ZXN0X3VyaQ==";
+    const result = rp.decodeAuthRequestQR(qrcode);
+    expect(result).toEqual("https://verifier.example.org/request_uri");
+  });
+  it("should throw exception with invalid QR", async () => {
+    const qrcode = "aHR0cDovL2dvb2dsZS5pdA==";
+    expect(() => rp.decodeAuthRequestQR(qrcode)).toThrowError(
+      AuthRequestDecodeError
+    );
+  });
+});