@pagopa/io-react-native-wallet 0.11.1 → 0.13.0

package/lib/module/credential/issuance/03-start-user-authorization.js

@@ -1,18 +1,22 @@
-import * as z from "zod";
-import uuid from "react-native-uuid";
-import { makeParRequest } from "../../utils/par";
-import { getJwtFromFormPost } from "../../utils/decoder";
-import { hasStatus } from "../../utils/misc";
+import { generateRandomAlphaNumericString } from "../../../src/utils/misc";
+import { makeParRequest } from "../../../src/utils/par";
 import { ASSERTION_TYPE } from "./const";
+/**
+ * Ensures that the credential type requested is supported by the issuer and contained in the
+ * issuer configuration.
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param credentialType The type of the credential to be requested returned by {@link startFlow}
+ * @param context.wiaCryptoContext The Wallet Instance's crypto context
+ * @param context.walletInstanceAttestation The Wallet Instance's attestation
+ * @param context.redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The credential definition to be used in the request which includes the format and the type and its type
+ */
 const selectCredentialDefinition = (issuerConf, credentialType) => {
-  const {
-    credentials_supported
-  } = issuerConf.openid_credential_issuer;
-  const [result] = credentials_supported.filter(e => e.credential_definition.type.includes(credentialType)).map(e => ({
-    credential_definition: {
-      type: credentialType
-    },
-    format: e.format,
+  const credential_configurations_supported = issuerConf.openid_credential_issuer.credential_configurations_supported;
+  const [result] = Object.keys(credential_configurations_supported).filter(e => e.includes(credentialType)).map(e => ({
+    credential_configuration_id: credentialType,
+    format: credential_configurations_supported[e].format,
     type: "openid_credential"
   }));
   if (!result) {
@@ -20,90 +24,62 @@ const selectCredentialDefinition = (issuerConf, credentialType) => {
   }
   return result;
 };
-const decodeAuthorizationResponse = async raw => {
-  const {
-    decodedJwt: {
-      payload
-    }
-  } = await getJwtFromFormPost(raw);
 
-  /**
-   * FIXME: [SIW-628] This step must not make any difference on the credential
-   * we are authorizing for, being a PID or any other (Q)EAA.
-   *
-   * Currently, PID issuer is implemented to skip the CompleteUserAuthorization step
-   * thus returning a stubbed (code, state) pair.
-   *
-   * This is a workaround to proceeed the flow anyway.
-   * If the response does not map what expected (CorrectShape),
-   * we try parse into (code, state) to check if we are in the PID scenario.
-   * In that case, a stub value is returned (will not be evaluated anyway).
-   *
-   * This workaround will be obsolete once the PID issuer fixes its implementation
-   */
-  const CorrectShape = z.object({
-    request_uri: z.string()
-  });
-  const WrongShapeForPID = z.object({
-    code: z.string(),
-    state: z.string()
-  });
-  const [correct, wrong] = [CorrectShape.safeParse(payload), WrongShapeForPID.safeParse(payload)];
-  if (correct.success) {
-    return correct.data;
-  } else if (wrong.success) {
-    return {
-      request_uri: "https://fake-request-uri"
-    };
+/**
+ * Ensures that the response mode requested is supported by the issuer and contained in the issuer configuration.
+ * @param issuerConf The issuer configuration
+ * @param credentialType The type of the credential to be requested
+ * @returns The response mode to be used in the request, "query" for PersonIdentificationData and "form_post.jwt" for all other types.
+ */
+const selectResponseMode = (issuerConf, credentialType) => {
+  const responseModeSupported = issuerConf.oauth_authorization_server.response_modes_supported;
+  const responseMode = credentialType === "PersonIdentificationData" ? "query" : "form_post.jwt";
+  if (!responseModeSupported.includes(responseMode)) {
+    throw new Error(`No response mode support the type '${credentialType}'`);
   }
-  throw correct.error;
+  return responseMode;
 };
+
 /**
- * Start the User authorization phase.
- * Perform the Pushed Authorization Request as defined in OAuth 2.0 protocol.
- *
- * @param issuerConf The Issuer configuration
- * @param credentialType The type of the credential to be requested
- * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
- * @param context.walletProviderBaseUrl The base url of the Wallet Provider
- * @param context.additionalParams Hash set of parameters to be passed to the authorization endpoint
- * (used as a temporary fix until we have a proper User identity in the PID token provider)
- * TODO: [SIW-630]
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @returns The request uri to continue the authorization to
+ * WARNING: This function must be called after {@link evaluateIssuerTrust} and {@link startFlow}. The next steam is {@link compeUserAuthorizationWithQueryMode} or {@link compeUserAuthorizationWithFormPostJwtMode}
+ * Creates and sends a PAR request to the /as/par endpoint of the authroization server.
+ * This starts the authentication flow to obtain an access token.
+ * This token enables the Wallet Instance to request a digital credential from the Credential Endpoint of the Credential Issuer.
+ * This is an HTTP POST request containing the Wallet Instance identifier (client id), the code challenge and challenge method as specified by PKCE according to RFC 9126
+ * along with the WTE and its proof of possession (WTE-PoP).
+ * Additionally, it includes a request object, which is a signed JWT encapsulating the type of digital credential requested (authorization_details),
+ * the application session identifier on the Wallet Instance side (state),
+ * the method (query or form_post.jwt) by which the Authorization Server
+ * should transmit the Authorization Response containing the authorization code issued upon the end user's authentication (response_mode)
+ * to the Wallet Instance's Token Endpoint to obtain the Access Token, and the redirect_uri of the Wallet Instance where the Authorization Response
+ * should be delivered. The redirect is achived by using a custom URL scheme that the Wallet Instance is registered to handle.
+ * @param issuerConf The issuer configuration
+ * @param credentialType The type of the credential to be requested returned by {@link selectCredentialDefinition}
+ * @param ctx The context object containing the Wallet Instance's cryptographic context, the Wallet Instance's attestation, the redirect URI and the fetch implementation
+ * @returns The URI to which the end user should be redirected to start the authentication flow, along with the client id, the code verifier and the credential definition
  */
 export const startUserAuthorization = async (issuerConf, credentialType, ctx) => {
   const {
     wiaCryptoContext,
     walletInstanceAttestation,
-    walletProviderBaseUrl,
-    additionalParams = {},
+    redirectUri,
     appFetch = fetch
   } = ctx;
   const clientId = await wiaCryptoContext.getPublicKey().then(_ => _.kid);
-  const codeVerifier = `${uuid.v4()}`;
-  // Make a PAR request to the credential issuer and return the response url
-  const parUrl = issuerConf.openid_credential_issuer.pushed_authorization_request_endpoint;
+  const codeVerifier = generateRandomAlphaNumericString(64);
+  const parEndpoint = issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
+  const credentialDefinition = selectCredentialDefinition(issuerConf, credentialType);
+  const responseMode = selectResponseMode(issuerConf, credentialType);
   const getPar = makeParRequest({
     wiaCryptoContext,
     appFetch
   });
-  const issuerRequestUri = await getPar(clientId, codeVerifier, walletProviderBaseUrl, parUrl, walletInstanceAttestation, [selectCredentialDefinition(issuerConf, credentialType)], ASSERTION_TYPE);
-
-  // Initialize authorization by requesting the authz request uri
-  const authzRequestEndpoint = issuerConf.openid_credential_issuer.authorization_endpoint;
-  const params = new URLSearchParams({
-    client_id: clientId,
-    request_uri: issuerRequestUri,
-    ...additionalParams
-  });
-  const {
-    request_uri
-  } = await appFetch(`${authzRequestEndpoint}?${params}`).then(hasStatus(200)).then(res => res.text()).then(decodeAuthorizationResponse);
+  const issuerRequestUri = await getPar(clientId, codeVerifier, redirectUri, responseMode, parEndpoint, walletInstanceAttestation, [credentialDefinition], ASSERTION_TYPE);
   return {
-    requestUri: request_uri,
-    clientId
+    issuerRequestUri,
+    clientId,
+    codeVerifier,
+    credentialDefinition
   };
 };
 //# sourceMappingURL=03-start-user-authorization.js.map

package/lib/module/credential/issuance/03-start-user-authorization.js.map

@@ -1 +1 @@
-{"version":3,"names":["z","uuid","makeParRequest","getJwtFromFormPost","hasStatus","ASSERTION_TYPE","selectCredentialDefinition","issuerConf","credentialType","credentials_supported","openid_credential_issuer","result","filter","e","credential_definition","type","includes","map","format","Error","decodeAuthorizationResponse","raw","decodedJwt","payload","CorrectShape","object","request_uri","string","WrongShapeForPID","code","state","correct","wrong","safeParse","success","data","error","startUserAuthorization","ctx","wiaCryptoContext","walletInstanceAttestation","walletProviderBaseUrl","additionalParams","appFetch","fetch","clientId","getPublicKey","then","_","kid","codeVerifier","v4","parUrl","pushed_authorization_request_endpoint","getPar","issuerRequestUri","authzRequestEndpoint","authorization_endpoint","params","URLSearchParams","client_id","res","text","requestUri"],"sourceRoot":"../../../../src","sources":["credential/issuance/03-start-user-authorization.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;AACxB,OAAOC,IAAI,MAAM,mBAAmB;AACpC,SAA8BC,cAAc,QAAQ,iBAAiB;AAErE,SAASC,kBAAkB,QAAQ,qBAAqB;AACxD,SAASC,SAAS,QAAkB,kBAAkB;AAGtD,SAASC,cAAc,QAAQ,SAAS;AAExC,MAAMC,0BAA0B,GAAGA,CACjCC,UAAkD,EAClDC,cAAgD,KACxB;EACxB,MAAM;IAAEC;EAAsB,CAAC,GAAGF,UAAU,CAACG,wBAAwB;EAErE,MAAM,CAACC,MAAM,CAAC,GAAGF,qBAAqB,CACnCG,MAAM,CAAEC,CAAC,IAAKA,CAAC,CAACC,qBAAqB,CAACC,IAAI,CAACC,QAAQ,CAACR,cAAc,CAAC,CAAC,CACpES,GAAG,CAAEJ,CAAC,KAAM;IACXC,qBAAqB,EAAE;MAAEC,IAAI,EAAEP;IAAe,CAAC;IAC/CU,MAAM,EAAEL,CAAC,CAACK,MAAM;IAChBH,IAAI,EAAE;EACR,CAAC,CAAC,CAAC;EAEL,IAAI,CAACJ,MAAM,EAAE;IACX,MAAM,IAAIQ,KAAK,CAAE,mCAAkCX,cAAe,GAAE,CAAC;EACvE;EACA,OAAOG,MAAM;AACf,CAAC;AAED,MAAMS,2BAA2B,GAAG,MAClCC,GAAW,IAC0B;EACrC,MAAM;IACJC,UAAU,EAAE;MAAEC;IAAQ;EACxB,CAAC,GAAG,MAAMpB,kBAAkB,CAACkB,GAAG,CAAC;;EAEjC;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE,MAAMG,YAAY,GAAGxB,CAAC,CAACyB,MAAM,CAAC;IAAEC,WAAW,EAAE1B,CAAC,CAAC2B,MAAM,CAAC;EAAE,CAAC,CAAC;EAC1D,MAAMC,gBAAgB,GAAG5B,CAAC,CAACyB,MAAM,CAAC;IAAEI,IAAI,EAAE7B,CAAC,CAAC2B,MAAM,CAAC,CAAC;IAAEG,KAAK,EAAE9B,CAAC,CAAC2B,MAAM,CAAC;EAAE,CAAC,CAAC;EAE1E,MAAM,CAACI,OAAO,EAAEC,KAAK,CAAC,GAAG,CACvBR,YAAY,CAACS,SAAS,CAACV,OAAO,CAAC,EAC/BK,gBAAgB,CAACK,SAAS,CAACV,OAAO,CAAC,CACpC;EAED,IAAIQ,OAAO,CAACG,OAAO,EAAE;IACnB,OAAOH,OAAO,CAACI,IAAI;EACrB,CAAC,MAAM,IAAIH,KAAK,CAACE,OAAO,EAAE;IACxB,OAAO;MAAER,WAAW,EAAE;IAA2B,CAAC;EACpD;EACA,MAAMK,OAAO,CAACK,KAAK;AACrB,CAAC;AAcD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sBAA8C,GAAG,MAAAA,CAC5D9B,UAAU,EACVC,cAAc,EACd8B,GAAG,KACA;EACH,MAAM;IACJC,gBAAgB;IAChBC,yBAAyB;IACzBC,qBAAqB;IACrBC,gBAAgB,GAAG,CAAC,CAAC;IACrBC,QAAQ,GAAGC;EACb,CAAC,GAAGN,GAAG;EACP,MAAMO,QAAQ,GAAG,MAAMN,gBAAgB,CAACO,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EACzE,MAAMC,YAAY,GAAI,GAAEjD,IAAI,CAACkD,EAAE,CAAC,CAAE,EAAC;EACnC;EACA,MAAMC,MAAM,GACV7C,UAAU,CAACG,wBAAwB,CAAC2C,qCAAqC;EAC3E,MAAMC,MAAM,GAAGpD,cAAc,CAAC;IAAEqC,gBAAgB;IAAEI;EAAS,CAAC,CAAC;EAC7D,MAAMY,gBAAgB,GAAG,MAAMD,MAAM,CACnCT,QAAQ,EACRK,YAAY,EACZT,qBAAqB,EACrBW,MAAM,EACNZ,yBAAyB,EACzB,CAAClC,0BAA0B,CAACC,UAAU,EAAEC,cAAc,CAAC,CAAC,EACxDH,cACF,CAAC;;EAED;EACA,MAAMmD,oBAAoB,GACxBjD,UAAU,CAACG,wBAAwB,CAAC+C,sBAAsB;EAC5D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAEf,QAAQ;IACnBnB,WAAW,EAAE6B,gBAAgB;IAC7B,GAAGb;EACL,CAAC,CAAC;EAEF,MAAM;IAAEhB;EAAY,CAAC,GAAG,MAAMiB,QAAQ,CAAE,GAAEa,oBAAqB,IAAGE,MAAO,EAAC,CAAC,CACxEX,IAAI,CAAC3C,SAAS,CAAC,GAAG,CAAC,CAAC,CACpB2C,IAAI,CAAEc,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBf,IAAI,CAAC3B,2BAA2B,CAAC;EAEpC,OAAO;IAAE2C,UAAU,EAAErC,WAAW;IAAEmB;EAAS,CAAC;AAC9C,CAAC"}
+{"version":3,"names":["generateRandomAlphaNumericString","makeParRequest","ASSERTION_TYPE","selectCredentialDefinition","issuerConf","credentialType","credential_configurations_supported","openid_credential_issuer","result","Object","keys","filter","e","includes","map","credential_configuration_id","format","type","Error","selectResponseMode","responseModeSupported","oauth_authorization_server","response_modes_supported","responseMode","startUserAuthorization","ctx","wiaCryptoContext","walletInstanceAttestation","redirectUri","appFetch","fetch","clientId","getPublicKey","then","_","kid","codeVerifier","parEndpoint","pushed_authorization_request_endpoint","credentialDefinition","getPar","issuerRequestUri"],"sourceRoot":"../../../../src","sources":["credential/issuance/03-start-user-authorization.ts"],"mappings":"AAEA,SACEA,gCAAgC,QAE3B,yBAAyB;AAIhC,SAA8BC,cAAc,QAAQ,wBAAwB;AAC5E,SAASC,cAAc,QAAQ,SAAS;AAkBxC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMC,0BAA0B,GAAGA,CACjCC,UAAkD,EAClDC,cAAgD,KACxB;EACxB,MAAMC,mCAAmC,GACvCF,UAAU,CAACG,wBAAwB,CAACD,mCAAmC;EAEzE,MAAM,CAACE,MAAM,CAAC,GAAGC,MAAM,CAACC,IAAI,CAACJ,mCAAmC,CAAC,CAC9DK,MAAM,CAAEC,CAAC,IAAKA,CAAC,CAACC,QAAQ,CAACR,cAAc,CAAC,CAAC,CACzCS,GAAG,CAAEF,CAAC,KAAM;IACXG,2BAA2B,EAAEV,cAAc;IAC3CW,MAAM,EAAEV,mCAAmC,CAACM,CAAC,CAAC,CAAEI,MAAM;IACtDC,IAAI,EAAE;EACR,CAAC,CAAC,CAAC;EAEL,IAAI,CAACT,MAAM,EAAE;IACX,MAAM,IAAIU,KAAK,CAAE,mCAAkCb,cAAe,GAAE,CAAC;EACvE;EACA,OAAOG,MAAM;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMW,kBAAkB,GAAGA,CACzBf,UAAkD,EAClDC,cAAgD,KAC/B;EACjB,MAAMe,qBAAqB,GACzBhB,UAAU,CAACiB,0BAA0B,CAACC,wBAAwB;EAEhE,MAAMC,YAAY,GAChBlB,cAAc,KAAK,0BAA0B,GAAG,OAAO,GAAG,eAAe;EAE3E,IAAI,CAACe,qBAAqB,CAACP,QAAQ,CAACU,YAAY,CAAC,EAAE;IACjD,MAAM,IAAIL,KAAK,CAAE,sCAAqCb,cAAe,GAAE,CAAC;EAC1E;EAEA,OAAOkB,YAAY;AACrB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sBAA8C,GAAG,MAAAA,CAC5DpB,UAAU,EACVC,cAAc,EACdoB,GAAG,KACA;EACH,MAAM;IACJC,gBAAgB;IAChBC,yBAAyB;IACzBC,WAAW;IACXC,QAAQ,GAAGC;EACb,CAAC,GAAGL,GAAG;EAEP,MAAMM,QAAQ,GAAG,MAAML,gBAAgB,CAACM,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EACzE,MAAMC,YAAY,GAAGpC,gCAAgC,CAAC,EAAE,CAAC;EACzD,MAAMqC,WAAW,GACfjC,UAAU,CAACiB,0BAA0B,CAACiB,qCAAqC;EAC7E,MAAMC,oBAAoB,GAAGpC,0BAA0B,CACrDC,UAAU,EACVC,cACF,CAAC;EACD,MAAMkB,YAAY,GAAGJ,kBAAkB,CAACf,UAAU,EAAEC,cAAc,CAAC;EAEnE,MAAMmC,MAAM,GAAGvC,cAAc,CAAC;IAAEyB,gBAAgB;IAAEG;EAAS,CAAC,CAAC;EAC7D,MAAMY,gBAAgB,GAAG,MAAMD,MAAM,CACnCT,QAAQ,EACRK,YAAY,EACZR,WAAW,EACXL,YAAY,EACZc,WAAW,EACXV,yBAAyB,EACzB,CAACY,oBAAoB,CAAC,EACtBrC,cACF,CAAC;EAED,OAAO;IAAEuC,gBAAgB;IAAEV,QAAQ;IAAEK,YAAY;IAAEG;EAAqB,CAAC;AAC3E,CAAC"}

package/lib/module/credential/issuance/04-complete-user-authorization.js

@@ -1,2 +1,86 @@
-export {};
+import { AuthorizationErrorShape, AuthorizationResultShape } from "../../../src/utils/auth";
+import { until } from "../../utils/misc";
+import parseUrl from "parse-url";
+import { AuthorizationError, AuthorizationIdpError } from "../../utils/errors";
+import { Linking } from "react-native";
+
+/**
+ * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
+ */
+
+/**
+ * WARNING: This function must be called after {@link startUserAuthorization}. The next function to be called is {@link authorizeAccess}.
+ * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
+ * It is used to complete the user authorization by catching the redirectSchema from the authorization server which then contains the authorization response.
+ * This function utilizes the authorization context to open an in-app browser capable of catching the redirectSchema to perform a get request to the authorization endpoint.
+ * If the 302 redirect happens and the redirectSchema is caught, the function will return the authorization response after parsing it from the query string.
+ * @param issuerRequestUri the URI of the issuer where the request is sent
+ * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param authorizationContext The context to identify the user which will be used to start the authorization. It's needed only when requesting a PersonalIdentificationData credential. The implementantion should open an in-app browser capable of catching the redirectSchema.
+ * If not specified, the default browser is used
+ * @param idphint Unique identifier of the SPID IDP selected by the user
+ * @param redirectUri The url to reach to complete the user authorization which is the custom URL scheme that the Wallet Instance is registered to handle, usually a custom URL or deeplink
+ * @throws {AuthorizationError} if an error occurs during the authorization process
+ * @throws {AuthorizationIdpError} if an error occurs during the authorization process and the error is related to the IDP
+ * @returns the authorization response which contains code, state and iss
+ */
+export const completeUserAuthorizationWithQueryMode = async (issuerRequestUri, clientId, issuerConf, idpHint, redirectUri, authorizationContext) => {
+  /**
+   * Starts the authorization flow which dependes on the response mode and the request credential.
+   * If the response mode is "query" the authorization flow is handled differently via the authorization context which opens an in-app browser capable of catching the redirectSchema.
+   * The form_post.jwt mode is not currently supported.
+   */
+  const authzRequestEndpoint = issuerConf.oauth_authorization_server.authorization_endpoint;
+  const params = new URLSearchParams({
+    client_id: clientId,
+    request_uri: issuerRequestUri,
+    idphint: idpHint
+  });
+  const authUrl = `${authzRequestEndpoint}?${params}`;
+  var authRedirectUrl;
+  if (authorizationContext) {
+    const redirectSchema = new URL(redirectUri).protocol.replace(":", "");
+    authRedirectUrl = await authorizationContext.authorize(authUrl, redirectSchema).catch(e => {
+      throw new AuthorizationError(e.message);
+    });
+  } else {
+    // handler for redirectUri
+    Linking.addEventListener("url", _ref => {
+      let {
+        url
+      } = _ref;
+      if (url.includes(redirectUri)) {
+        authRedirectUrl = url;
+      }
+    });
+    const openAuthUrlInBrowser = Linking.openURL(authUrl);
+
+    /*
+     * Waits for 120 seconds for the identificationRedirectUrl variable to be set
+     * by the custom url handler. If the timeout is exceeded, throw an exception
+     */
+    const unitAuthRedirectIsNotUndefined = until(() => authRedirectUrl !== undefined, 120);
+    await Promise.all([openAuthUrlInBrowser, unitAuthRedirectIsNotUndefined]);
+    if (authRedirectUrl === undefined) {
+      throw new AuthorizationError("Invalid authentication redirect url");
+    }
+  }
+  const urlParse = parseUrl(authRedirectUrl);
+  const authRes = AuthorizationResultShape.safeParse(urlParse.query);
+  if (!authRes.success) {
+    const authErr = AuthorizationErrorShape.safeParse(urlParse.query);
+    if (!authErr.success) {
+      throw new AuthorizationError(authRes.error.message); // an error occured while parsing the result and the error
+    }
+
+    throw new AuthorizationIdpError(authErr.data.error, authErr.data.error_description);
+  }
+  return authRes.data;
+};
+
+// TODO: SIW-1120 implement generic credential issuance flow
+export const completeUserAuthorizationWithFormPostJwtMode = () => {
+  throw new Error("Not implemented");
+};
 //# sourceMappingURL=04-complete-user-authorization.js.map

package/lib/module/credential/issuance/04-complete-user-authorization.js.map

@@ -1 +1 @@
-{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/04-complete-user-authorization.ts"],"mappings":""}
+{"version":3,"names":["AuthorizationErrorShape","AuthorizationResultShape","until","parseUrl","AuthorizationError","AuthorizationIdpError","Linking","completeUserAuthorizationWithQueryMode","issuerRequestUri","clientId","issuerConf","idpHint","redirectUri","authorizationContext","authzRequestEndpoint","oauth_authorization_server","authorization_endpoint","params","URLSearchParams","client_id","request_uri","idphint","authUrl","authRedirectUrl","redirectSchema","URL","protocol","replace","authorize","catch","e","message","addEventListener","_ref","url","includes","openAuthUrlInBrowser","openURL","unitAuthRedirectIsNotUndefined","undefined","Promise","all","urlParse","authRes","safeParse","query","success","authErr","error","data","error_description","completeUserAuthorizationWithFormPostJwtMode","Error"],"sourceRoot":"../../../../src","sources":["credential/issuance/04-complete-user-authorization.ts"],"mappings":"AAAA,SACEA,uBAAuB,EACvBC,wBAAwB,QAGnB,yBAAyB;AAChC,SAASC,KAAK,QAAkB,kBAAkB;AAElD,OAAOC,QAAQ,MAAM,WAAW;AAChC,SAASC,kBAAkB,EAAEC,qBAAqB,QAAQ,oBAAoB;AAE9E,SAASC,OAAO,QAAQ,cAAc;;AAEtC;AACA;AACA;;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sCAA8E,GACzF,MAAAA,CACEC,gBAAgB,EAChBC,QAAQ,EACRC,UAAU,EACVC,OAAO,EACPC,WAAW,EACXC,oBAAoB,KACjB;EACH;AACJ;AACA;AACA;AACA;EACI,MAAMC,oBAAoB,GACxBJ,UAAU,CAACK,0BAA0B,CAACC,sBAAsB;EAC9D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAEV,QAAQ;IACnBW,WAAW,EAAEZ,gBAAgB;IAC7Ba,OAAO,EAAEV;EACX,CAAC,CAAC;EACF,MAAMW,OAAO,GAAI,GAAER,oBAAqB,IAAGG,MAAO,EAAC;EACnD,IAAIM,eAAmC;EAEvC,IAAIV,oBAAoB,EAAE;IACxB,MAAMW,cAAc,GAAG,IAAIC,GAAG,CAACb,WAAW,CAAC,CAACc,QAAQ,CAACC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC;IACrEJ,eAAe,GAAG,MAAMV,oBAAoB,CACzCe,SAAS,CAACN,OAAO,EAAEE,cAAc,CAAC,CAClCK,KAAK,CAAEC,CAAC,IAAK;MACZ,MAAM,IAAI1B,kBAAkB,CAAC0B,CAAC,CAACC,OAAO,CAAC;IACzC,CAAC,CAAC;EACN,CAAC,MAAM;IACL;IACAzB,OAAO,CAAC0B,gBAAgB,CAAC,KAAK,EAAEC,IAAA,IAAa;MAAA,IAAZ;QAAEC;MAAI,CAAC,GAAAD,IAAA;MACtC,IAAIC,GAAG,CAACC,QAAQ,CAACvB,WAAW,CAAC,EAAE;QAC7BW,eAAe,GAAGW,GAAG;MACvB;IACF,CAAC,CAAC;IAEF,MAAME,oBAAoB,GAAG9B,OAAO,CAAC+B,OAAO,CAACf,OAAO,CAAC;;IAErD;AACN;AACA;AACA;IACM,MAAMgB,8BAA8B,GAAGpC,KAAK,CAC1C,MAAMqB,eAAe,KAAKgB,SAAS,EACnC,GACF,CAAC;IAED,MAAMC,OAAO,CAACC,GAAG,CAAC,CAACL,oBAAoB,EAAEE,8BAA8B,CAAC,CAAC;IAEzE,IAAIf,eAAe,KAAKgB,SAAS,EAAE;MACjC,MAAM,IAAInC,kBAAkB,CAAC,qCAAqC,CAAC;IACrE;EACF;EAEA,MAAMsC,QAAQ,GAAGvC,QAAQ,CAACoB,eAAe,CAAC;EAC1C,MAAMoB,OAAO,GAAG1C,wBAAwB,CAAC2C,SAAS,CAACF,QAAQ,CAACG,KAAK,CAAC;EAClE,IAAI,CAACF,OAAO,CAACG,OAAO,EAAE;IACpB,MAAMC,OAAO,GAAG/C,uBAAuB,CAAC4C,SAAS,CAACF,QAAQ,CAACG,KAAK,CAAC;IACjE,IAAI,CAACE,OAAO,CAACD,OAAO,EAAE;MACpB,MAAM,IAAI1C,kBAAkB,CAACuC,OAAO,CAACK,KAAK,CAACjB,OAAO,CAAC,CAAC,CAAC;IACvD;;IACA,MAAM,IAAI1B,qBAAqB,CAC7B0C,OAAO,CAACE,IAAI,CAACD,KAAK,EAClBD,OAAO,CAACE,IAAI,CAACC,iBACf,CAAC;EACH;EACA,OAAOP,OAAO,CAACM,IAAI;AACrB,CAAC;;AAEH;AACA,OAAO,MAAME,4CAA4C,GAAGA,CAAA,KAAM;EAChE,MAAM,IAAIC,KAAK,CAAC,iBAAiB,CAAC;AACpC,CAAC"}

package/lib/module/credential/issuance/05-authorize-access.js

@@ -1,55 +1,76 @@
+import { hasStatus } from "../../../src/utils/misc";
+import { withEphemeralKey } from "../../../src/utils/crypto";
+import { createDPopToken } from "../../../src/utils/dpop";
 import uuid from "react-native-uuid";
-import { withEphemeralKey } from "../../utils/crypto";
-import { createDPopToken } from "../../utils/dpop";
-import { hasStatus } from "../../utils/misc";
+import { createPopToken } from "../../../src/utils/pop";
+import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
 import { ASSERTION_TYPE } from "./const";
+import { TokenResponse } from "./types";
+import { ValidationFailed } from "../../../src/utils/errors";
 /**
- * Obtain the access token to finally request the credential
- *
- * @param issuerConf The Issuer configuration
- * @param code The access code from the User authorization phase
- * @param clientId Identifies the current client across all the requests of the issuing flow
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
- * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * Creates and sends the DPoP Proof JWT to be presented with the authorization code to the /token endpoint of the authorization server
+ * for requesting the issuance of an access token bound to the public key of the Wallet Instance contained within the DPoP.
+ * This enables the Wallet Instance to request a digital credential.
+ * The DPoP Proof JWT is generated according to the section 4.3 of the DPoP RFC 9449 specification.
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param code The authorization code returned by {@link completeUserAuthorizationWithQueryMode} or {@link completeUserAuthorizationWithFormPost}
+ * @param redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
+ * @param clientId The client id returned by {@link startUserAuthorization}
+ * @param codeVerifier The code verifier returned by {@link startUserAuthorization}
+ * @param context.walletInstanceAttestation The Wallet Instance's attestation
+ * @param context.wiaCryptoContext The Wallet Instance's crypto context
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @returns
+ * @throws {ValidationFailed} if an error occurs while parsing the token response
+ * @return The token response containing the access token along with the token request signed with DPoP which has to be used in the {@link obtainCredential} step.
  */
-export const authorizeAccess = async (issuerConf, code, clientId, context) => {
+export const authorizeAccess = async (issuerConf, code, clientId, redirectUri, codeVerifier, context) => {
   const {
     appFetch = fetch,
     walletInstanceAttestation,
-    walletProviderBaseUrl
+    wiaCryptoContext
   } = context;
-  const tokenUrl = issuerConf.openid_credential_issuer.token_endpoint;
-
+  const parEndpoint = issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
+  const parUrl = new URL(parEndpoint);
+  const aud = `${parUrl.protocol}//${parUrl.hostname}`;
+  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
+  const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
   // Use an ephemeral key to be destroyed after use
-  const signedDPop = await withEphemeralKey(ephemeralContext => createDPopToken({
-    htm: "POST",
-    htu: tokenUrl,
-    jti: `${uuid.v4()}`
-  }, ephemeralContext));
-  const codeVerifier = `${uuid.v4()}`;
+  const tokenRequestSignedDPop = await withEphemeralKey(async ephimeralContext => {
+    return await createDPopToken({
+      htm: "POST",
+      htu: tokenUrl,
+      jti: `${uuid.v4()}`
+    }, ephimeralContext);
+  });
+  const signedWiaPoP = await createPopToken({
+    jti: `${uuid.v4()}`,
+    aud,
+    iss
+  }, wiaCryptoContext);
   const requestBody = {
-    grant_type: "authorization code",
+    grant_type: "authorization_code",
     client_id: clientId,
     code,
+    redirect_uri: redirectUri,
     code_verifier: codeVerifier,
     client_assertion_type: ASSERTION_TYPE,
-    client_assertion: walletInstanceAttestation,
-    redirect_uri: walletProviderBaseUrl
+    client_assertion: walletInstanceAttestation + "~" + signedWiaPoP
   };
-  var formBody = new URLSearchParams(requestBody);
-  return appFetch(tokenUrl, {
+  const authorizationRequestFormBody = new URLSearchParams(requestBody);
+  const tokenRes = await appFetch(tokenUrl, {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
-      DPoP: signedDPop
+      DPoP: tokenRequestSignedDPop
     },
-    body: formBody.toString()
-  }).then(hasStatus(200)).then(res => res.json()).then(body => ({
-    accessToken: body.access_token,
-    nonce: body.c_nonce,
-    clientId
-  }));
+    body: authorizationRequestFormBody.toString()
+  }).then(hasStatus(200)).then(res => res.json()).then(body => TokenResponse.safeParse(body));
+  if (!tokenRes.success) {
+    throw new ValidationFailed(tokenRes.error.message);
+  }
+  return {
+    accessToken: tokenRes.data,
+    tokenRequestSignedDPop
+  };
 };
 //# sourceMappingURL=05-authorize-access.js.map

package/lib/module/credential/issuance/05-authorize-access.js.map

@@ -1 +1 @@
-{"version":3,"names":["uuid","withEphemeralKey","createDPopToken","hasStatus","ASSERTION_TYPE","authorizeAccess","issuerConf","code","clientId","context","appFetch","fetch","walletInstanceAttestation","walletProviderBaseUrl","tokenUrl","openid_credential_issuer","token_endpoint","signedDPop","ephemeralContext","htm","htu","jti","v4","codeVerifier","requestBody","grant_type","client_id","code_verifier","client_assertion_type","client_assertion","redirect_uri","formBody","URLSearchParams","method","headers","DPoP","body","toString","then","res","json","accessToken","access_token","nonce","c_nonce"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":"AAAA,OAAOA,IAAI,MAAM,mBAAmB;AACpC,SAASC,gBAAgB,QAAQ,oBAAoB;AACrD,SAASC,eAAe,QAAQ,kBAAkB;AAElD,SAASC,SAAS,QAAkB,kBAAkB;AAEtD,SAASC,cAAc,QAAQ,SAAS;AAqBxC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,QAAQ,EACRC,OAAO,KAC+D;EACtE,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,QAAQ,GAAGR,UAAU,CAACS,wBAAwB,CAACC,cAAc;;EAEnE;EACA,MAAMC,UAAU,GAAG,MAAMhB,gBAAgB,CAAEiB,gBAAgB,IACzDhB,eAAe,CACb;IACEiB,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEN,QAAQ;IACbO,GAAG,EAAG,GAAErB,IAAI,CAACsB,EAAE,CAAC,CAAE;EACpB,CAAC,EACDJ,gBACF,CACF,CAAC;EAED,MAAMK,YAAY,GAAI,GAAEvB,IAAI,CAACsB,EAAE,CAAC,CAAE,EAAC;EACnC,MAAME,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCC,SAAS,EAAElB,QAAQ;IACnBD,IAAI;IACJoB,aAAa,EAAEJ,YAAY;IAC3BK,qBAAqB,EAAExB,cAAc;IACrCyB,gBAAgB,EAAEjB,yBAAyB;IAC3CkB,YAAY,EAAEjB;EAChB,CAAC;EACD,IAAIkB,QAAQ,GAAG,IAAIC,eAAe,CAACR,WAAW,CAAC;EAE/C,OAAOd,QAAQ,CAACI,QAAQ,EAAE;IACxBmB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAElB;IACR,CAAC;IACDmB,IAAI,EAAEL,QAAQ,CAACM,QAAQ,CAAC;EAC1B,CAAC,CAAC,CACCC,IAAI,CAACnC,SAAS,CAAC,GAAG,CAAC,CAAC,CACpBmC,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEF,IAAI,KAAM;IACfK,WAAW,EAAEL,IAAI,CAACM,YAAY;IAC9BC,KAAK,EAAEP,IAAI,CAACQ,OAAO;IACnBpC;EACF,CAAC,CAAC,CAAC;AACP,CAAC"}
+{"version":3,"names":["hasStatus","withEphemeralKey","createDPopToken","uuid","createPopToken","WalletInstanceAttestation","ASSERTION_TYPE","TokenResponse","ValidationFailed","authorizeAccess","issuerConf","code","clientId","redirectUri","codeVerifier","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","parEndpoint","oauth_authorization_server","pushed_authorization_request_endpoint","parUrl","URL","aud","protocol","hostname","iss","decode","payload","cnf","jwk","kid","tokenUrl","token_endpoint","tokenRequestSignedDPop","ephimeralContext","htm","htu","jti","v4","signedWiaPoP","requestBody","grant_type","client_id","redirect_uri","code_verifier","client_assertion_type","client_assertion","authorizationRequestFormBody","URLSearchParams","tokenRes","method","headers","DPoP","body","toString","then","res","json","safeParse","success","error","message","accessToken","data"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":"AAAA,SAASA,SAAS,QAAkB,yBAAyB;AAG7D,SAASC,gBAAgB,QAAQ,2BAA2B;AAC5D,SAASC,eAAe,QAAQ,yBAAyB;AACzD,OAAOC,IAAI,MAAM,mBAAmB;AACpC,SAASC,cAAc,QAAQ,wBAAwB;AACvD,OAAO,KAAKC,yBAAyB,MAAM,mCAAmC;AAE9E,SAASC,cAAc,QAAQ,SAAS;AACxC,SAASC,aAAa,QAAQ,SAAS;AACvC,SAASC,gBAAgB,QAAQ,2BAA2B;AAgB5D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,QAAQ,EACRC,WAAW,EACXC,YAAY,EACZC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,WAAW,GACfV,UAAU,CAACW,0BAA0B,CAACC,qCAAqC;EAC7E,MAAMC,MAAM,GAAG,IAAIC,GAAG,CAACJ,WAAW,CAAC;EACnC,MAAMK,GAAG,GAAI,GAAEF,MAAM,CAACG,QAAS,KAAIH,MAAM,CAACI,QAAS,EAAC;EACpD,MAAMC,GAAG,GAAGvB,yBAAyB,CAACwB,MAAM,CAACX,yBAAyB,CAAC,CACpEY,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,QAAQ,GAAGxB,UAAU,CAACW,0BAA0B,CAACc,cAAc;EACrE;EACA,MAAMC,sBAAsB,GAAG,MAAMnC,gBAAgB,CACnD,MAAOoC,gBAAgB,IAAK;IAC1B,OAAO,MAAMnC,eAAe,CAC1B;MACEoC,GAAG,EAAE,MAAM;MACXC,GAAG,EAAEL,QAAQ;MACbM,GAAG,EAAG,GAAErC,IAAI,CAACsC,EAAE,CAAC,CAAE;IACpB,CAAC,EACDJ,gBACF,CAAC;EACH,CACF,CAAC;EAED,MAAMK,YAAY,GAAG,MAAMtC,cAAc,CACvC;IACEoC,GAAG,EAAG,GAAErC,IAAI,CAACsC,EAAE,CAAC,CAAE,EAAC;IACnBhB,GAAG;IACHG;EACF,CAAC,EACDT,gBACF,CAAC;EAED,MAAMwB,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCC,SAAS,EAAEjC,QAAQ;IACnBD,IAAI;IACJmC,YAAY,EAAEjC,WAAW;IACzBkC,aAAa,EAAEjC,YAAY;IAC3BkC,qBAAqB,EAAE1C,cAAc;IACrC2C,gBAAgB,EAAE/B,yBAAyB,GAAG,GAAG,GAAGwB;EACtD,CAAC;EAED,MAAMQ,4BAA4B,GAAG,IAAIC,eAAe,CAACR,WAAW,CAAC;EACrE,MAAMS,QAAQ,GAAG,MAAMpC,QAAQ,CAACkB,QAAQ,EAAE;IACxCmB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAEnB;IACR,CAAC;IACDoB,IAAI,EAAEN,4BAA4B,CAACO,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCC,IAAI,CAAC1D,SAAS,CAAC,GAAG,CAAC,CAAC,CACpB0D,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEF,IAAI,IAAKjD,aAAa,CAACsD,SAAS,CAACL,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACU,OAAO,EAAE;IACrB,MAAM,IAAItD,gBAAgB,CAAC4C,QAAQ,CAACW,KAAK,CAACC,OAAO,CAAC;EACpD;EAEA,OAAO;IAAEC,WAAW,EAAEb,QAAQ,CAACc,IAAI;IAAE9B;EAAuB,CAAC;AAC/D,CAAC"}

package/lib/module/credential/issuance/06-obtain-credential.js

@@ -1,100 +1,75 @@
-import * as z from "zod";
-import uuid from "react-native-uuid";
 import { SignJWT } from "@pagopa/io-react-native-jwt";
-import { createDPopToken } from "../../utils/dpop";
-import { hasStatus } from "../../utils/misc";
-import { SupportedCredentialFormat } from "./const";
-
-/**
- * Return the signed jwt for nonce proof of possession
- */
+import { hasStatus } from "../../../src/utils/misc";
+import { ValidationFailed } from "../../../src/utils/errors";
+import { CredentialResponse } from "./types";
 export const createNonceProof = async (nonce, issuer, audience, ctx) => {
+  const jwk = await ctx.getPublicKey();
   return new SignJWT(ctx).setPayload({
-    nonce,
-    jwk: await ctx.getPublicKey()
+    nonce
   }).setProtectedHeader({
-    type: "openid4vci-proof+jwt"
-  }).setAudience(audience).setIssuer(issuer).setIssuedAt().setExpirationTime("1h").sign();
+    typ: "openid4vci-proof+jwt",
+    jwk
+  }).setAudience(audience).setIssuer(issuer).setIssuedAt().setExpirationTime("5min").sign();
 };
-const CredentialEndpointResponse = z.object({
-  credential: z.string(),
-  format: SupportedCredentialFormat,
-  // nonce used to perform multiple credential requests
-  // re-using the same authorization profile
-  c_nonce: z.string(),
-  c_nonce_expires_in: z.number()
-});
-// Checks whether in the Entity confoguration at least one credential
-// is defined for the given type and format
-const isCredentialAvailable = (issuerConf, credentialType, credentialFormat) => issuerConf.openid_credential_issuer.credentials_supported.some(c => c.format === credentialFormat && c.credential_definition.type.includes(credentialType));
 
 /**
- * Fetch a credential from the issuer
- *
- * @param issuerConf The Issuer configuration
- * @param accessToken The access token to grant access to the credential, obtained with the access authorization step
- * @param nonce The nonce value to prevent reply attacks, obtained with the access authorization step
- * @param clientId Identifies the current client across all the requests of the issuing flow
- * @param credentialType The type of the credential to be requested
- * @param credentialFormat The format of the requested credential. @see {SupportedCredentialFormat}
- * @param context.credentialCryptoContext The context to access the key the Credential will be bound to
- * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * Obtains the credential from the issuer.
+ * The key pair of the credentialCryptoContext is used for Openid4vci proof JWT to be presented with the Access Token and the DPoP Proof JWT at the Credential Endpoint
+ * of the Credential Issuer to request the issuance of a credential linked to the public key contained in the JWT proof.
+ * The Openid4vci proof JWT incapsulates the nonce extracted from the token response from the {@link authorizeAccess} step.
+ * The credential request is sent to the Credential Endpoint of the Credential Issuer via HTTP POST with the type of the credential, its format, the access token and the JWT proof.
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param accessToken The access token response returned by {@link authorizeAccess}
+ * @param clientId The client id returned by {@link startUserAuthorization}
+ * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link startUserAuthorization}
+ * @param tokenRequestSignedDPop The DPoP signed token request returned by {@link authorizeAccess}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @returns The signed credential token
+ * @returns The credential response containing the credential
  */
-export const obtainCredential = async (issuerConf, accessToken, nonce, clientId, credentialType, credentialFormat, context) => {
+export const obtainCredential = async (issuerConf, accessToken, clientId, credentialDefinition, tokenRequestSignedDPop, context) => {
   const {
     credentialCryptoContext,
-    walletProviderBaseUrl,
     appFetch = fetch
   } = context;
-  if (!isCredentialAvailable(issuerConf, credentialType, credentialFormat)) {
-    throw new Error(`The Issuer provides no credential for type ${credentialType} and format ${credentialFormat}`);
-  }
   const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
 
-  /** DPoP token for demonstating the possession
-      of the key that will bind the holder User with the Credential
-      @see https://datatracker.ietf.org/doc/html/rfc9449 */
-  const signedDPopForPid = await createDPopToken({
-    htm: "POST",
-    htu: credentialUrl,
-    jti: `${uuid.v4()}`
-  }, credentialCryptoContext);
+  /**
+   * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
+   * This is presented along with the access token to the Credential Endpoint as proof of possession of the private key used to sign the Access Token.
+   * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
+   */
+  const signedNonceProof = await createNonceProof(accessToken.c_nonce, clientId, credentialUrl, credentialCryptoContext);
 
-  /** JWT proof token to bind the request nonce
-      to the key that will bind the holder User with the Credential
-      @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types */
-  const signedNonceProof = await createNonceProof(nonce, clientId, walletProviderBaseUrl, credentialCryptoContext);
+  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
+  const constainsCredentialDefinition = accessToken.authorization_details.some(c => c.credential_configuration_id === credentialDefinition.credential_configuration_id && c.format === credentialDefinition.format && c.type === credentialDefinition.type);
+  if (!constainsCredentialDefinition) {
+    throw new ValidationFailed("The access token response does not contain the requested credential");
+  }
 
   /** The credential request body */
-  const formBody = new URLSearchParams({
-    credential_definition: JSON.stringify({
-      type: [credentialType]
-    }),
-    format: credentialFormat,
-    proof: JSON.stringify({
+  const credentialRequestFormBody = {
+    credential_definition: {
+      type: [credentialDefinition.credential_configuration_id]
+    },
+    format: credentialDefinition.format,
+    proof: {
       jwt: signedNonceProof,
       proof_type: "jwt"
-    })
-  });
-  const {
-    credential,
-    format,
-    c_nonce
-  } = await appFetch(credentialUrl, {
+    }
+  };
+  const credentialRes = await appFetch(credentialUrl, {
     method: "POST",
     headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      DPoP: signedDPopForPid,
-      Authorization: accessToken
+      "Content-Type": "application/json",
+      DPoP: tokenRequestSignedDPop,
+      Authorization: `${accessToken.token_type} ${accessToken.access_token}`
     },
-    body: formBody.toString()
-  }).then(hasStatus(200)).then(res => res.json()).then(CredentialEndpointResponse.parse);
-  return {
-    credential,
-    format,
-    nonce: c_nonce
-  };
+    body: JSON.stringify(credentialRequestFormBody)
+  }).then(hasStatus(200)).then(res => res.json()).then(body => CredentialResponse.safeParse(body));
+  if (!credentialRes.success) {
+    throw new ValidationFailed(credentialRes.error.message);
+  }
+  return credentialRes.data;
 };
 //# sourceMappingURL=06-obtain-credential.js.map

package/lib/module/credential/issuance/06-obtain-credential.js.map

@@ -1 +1 @@
-{"version":3,"names":["z","uuid","SignJWT","createDPopToken","hasStatus","SupportedCredentialFormat","createNonceProof","nonce","issuer","audience","ctx","setPayload","jwk","getPublicKey","setProtectedHeader","type","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","CredentialEndpointResponse","object","credential","string","format","c_nonce","c_nonce_expires_in","number","isCredentialAvailable","issuerConf","credentialType","credentialFormat","openid_credential_issuer","credentials_supported","some","c","credential_definition","includes","obtainCredential","accessToken","clientId","context","credentialCryptoContext","walletProviderBaseUrl","appFetch","fetch","Error","credentialUrl","credential_endpoint","signedDPopForPid","htm","htu","jti","v4","signedNonceProof","formBody","URLSearchParams","JSON","stringify","proof","jwt","proof_type","method","headers","DPoP","Authorization","body","toString","then","res","json","parse"],"sourceRoot":"../../../../src","sources":["credential/issuance/06-obtain-credential.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;AACxB,OAAOC,IAAI,MAAM,mBAAmB;AACpC,SAASC,OAAO,QAA4B,6BAA6B;AACzE,SAASC,eAAe,QAAQ,kBAAkB;AAGlD,SAASC,SAAS,QAAkB,kBAAkB;AAGtD,SAASC,yBAAyB,QAAQ,SAAS;;AAEnD;AACA;AACA;AACA,OAAO,MAAMC,gBAAgB,GAAG,MAAAA,CAC9BC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBC,GAAkB,KACE;EACpB,OAAO,IAAIR,OAAO,CAACQ,GAAG,CAAC,CACpBC,UAAU,CAAC;IACVJ,KAAK;IACLK,GAAG,EAAE,MAAMF,GAAG,CAACG,YAAY,CAAC;EAC9B,CAAC,CAAC,CACDC,kBAAkB,CAAC;IAClBC,IAAI,EAAE;EACR,CAAC,CAAC,CACDC,WAAW,CAACP,QAAQ,CAAC,CACrBQ,SAAS,CAACT,MAAM,CAAC,CACjBU,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;AACX,CAAC;AAED,MAAMC,0BAA0B,GAAGrB,CAAC,CAACsB,MAAM,CAAC;EAC1CC,UAAU,EAAEvB,CAAC,CAACwB,MAAM,CAAC,CAAC;EACtBC,MAAM,EAAEpB,yBAAyB;EACjC;EACA;EACAqB,OAAO,EAAE1B,CAAC,CAACwB,MAAM,CAAC,CAAC;EACnBG,kBAAkB,EAAE3B,CAAC,CAAC4B,MAAM,CAAC;AAC/B,CAAC,CAAC;AAoBF;AACA;AACA,MAAMC,qBAAqB,GAAGA,CAC5BC,UAAkD,EAClDC,cAAgD,EAChDC,gBAA2C,KAE3CF,UAAU,CAACG,wBAAwB,CAACC,qBAAqB,CAACC,IAAI,CAC3DC,CAAC,IACAA,CAAC,CAACX,MAAM,KAAKO,gBAAgB,IAC7BI,CAAC,CAACC,qBAAqB,CAACtB,IAAI,CAACuB,QAAQ,CAACP,cAAc,CACxD,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMQ,gBAAkC,GAAG,MAAAA,CAChDT,UAAU,EACVU,WAAW,EACXjC,KAAK,EACLkC,QAAQ,EACRV,cAAc,EACdC,gBAAgB,EAChBU,OAAO,KACJ;EACH,MAAM;IACJC,uBAAuB;IACvBC,qBAAqB;IACrBC,QAAQ,GAAGC;EACb,CAAC,GAAGJ,OAAO;EAEX,IAAI,CAACb,qBAAqB,CAACC,UAAU,EAAEC,cAAc,EAAEC,gBAAgB,CAAC,EAAE;IACxE,MAAM,IAAIe,KAAK,CACZ,8CAA6ChB,cAAe,eAAcC,gBAAiB,EAC9F,CAAC;EACH;EAEA,MAAMgB,aAAa,GAAGlB,UAAU,CAACG,wBAAwB,CAACgB,mBAAmB;;EAE7E;AACF;AACA;EACE,MAAMC,gBAAgB,GAAG,MAAM/C,eAAe,CAC5C;IACEgD,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEJ,aAAa;IAClBK,GAAG,EAAG,GAAEpD,IAAI,CAACqD,EAAE,CAAC,CAAE;EACpB,CAAC,EACDX,uBACF,CAAC;;EAED;AACF;AACA;EACE,MAAMY,gBAAgB,GAAG,MAAMjD,gBAAgB,CAC7CC,KAAK,EACLkC,QAAQ,EACRG,qBAAqB,EACrBD,uBACF,CAAC;;EAED;EACA,MAAMa,QAAQ,GAAG,IAAIC,eAAe,CAAC;IACnCpB,qBAAqB,EAAEqB,IAAI,CAACC,SAAS,CAAC;MACpC5C,IAAI,EAAE,CAACgB,cAAc;IACvB,CAAC,CAAC;IACFN,MAAM,EAAEO,gBAAgB;IACxB4B,KAAK,EAAEF,IAAI,CAACC,SAAS,CAAC;MACpBE,GAAG,EAAEN,gBAAgB;MACrBO,UAAU,EAAE;IACd,CAAC;EACH,CAAC,CAAC;EAEF,MAAM;IAAEvC,UAAU;IAAEE,MAAM;IAAEC;EAAQ,CAAC,GAAG,MAAMmB,QAAQ,CAACG,aAAa,EAAE;IACpEe,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAEf,gBAAgB;MACtBgB,aAAa,EAAE1B;IACjB,CAAC;IACD2B,IAAI,EAAEX,QAAQ,CAACY,QAAQ,CAAC;EAC1B,CAAC,CAAC,CACCC,IAAI,CAACjE,SAAS,CAAC,GAAG,CAAC,CAAC,CACpBiE,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAChD,0BAA0B,CAACmD,KAAK,CAAC;EAEzC,OAAO;IAAEjD,UAAU;IAAEE,MAAM;IAAElB,KAAK,EAAEmB;EAAQ,CAAC;AAC/C,CAAC"}
+{"version":3,"names":["SignJWT","hasStatus","ValidationFailed","CredentialResponse","createNonceProof","nonce","issuer","audience","ctx","jwk","getPublicKey","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","obtainCredential","issuerConf","accessToken","clientId","credentialDefinition","tokenRequestSignedDPop","context","credentialCryptoContext","appFetch","fetch","credentialUrl","openid_credential_issuer","credential_endpoint","signedNonceProof","c_nonce","constainsCredentialDefinition","authorization_details","some","c","credential_configuration_id","format","type","credentialRequestFormBody","credential_definition","proof","jwt","proof_type","credentialRes","method","headers","DPoP","Authorization","token_type","access_token","body","JSON","stringify","then","res","json","safeParse","success","error","message","data"],"sourceRoot":"../../../../src","sources":["credential/issuance/06-obtain-credential.ts"],"mappings":"AAAA,SAASA,OAAO,QAA4B,6BAA6B;AAGzE,SAASC,SAAS,QAAkB,yBAAyB;AAE7D,SAASC,gBAAgB,QAAQ,2BAA2B;AAC5D,SAASC,kBAAkB,QAAQ,SAAS;AAc5C,OAAO,MAAMC,gBAAgB,GAAG,MAAAA,CAC9BC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBC,GAAkB,KACE;EACpB,MAAMC,GAAG,GAAG,MAAMD,GAAG,CAACE,YAAY,CAAC,CAAC;EACpC,OAAO,IAAIV,OAAO,CAACQ,GAAG,CAAC,CACpBG,UAAU,CAAC;IACVN;EACF,CAAC,CAAC,CACDO,kBAAkB,CAAC;IAClBC,GAAG,EAAE,sBAAsB;IAC3BJ;EACF,CAAC,CAAC,CACDK,WAAW,CAACP,QAAQ,CAAC,CACrBQ,SAAS,CAACT,MAAM,CAAC,CACjBU,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,MAAM,CAAC,CACzBC,IAAI,CAAC,CAAC;AACX,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EACVC,WAAW,EACXC,QAAQ,EACRC,oBAAoB,EACpBC,sBAAsB,EACtBC,OAAO,KACJ;EACH,MAAM;IAAEC,uBAAuB;IAAEC,QAAQ,GAAGC;EAAM,CAAC,GAAGH,OAAO;EAE7D,MAAMI,aAAa,GAAGT,UAAU,CAACU,wBAAwB,CAACC,mBAAmB;;EAE7E;AACF;AACA;AACA;AACA;EACE,MAAMC,gBAAgB,GAAG,MAAM5B,gBAAgB,CAC7CiB,WAAW,CAACY,OAAO,EACnBX,QAAQ,EACRO,aAAa,EACbH,uBACF,CAAC;;EAED;EACA,MAAMQ,6BAA6B,GAAGb,WAAW,CAACc,qBAAqB,CAACC,IAAI,CACzEC,CAAC,IACAA,CAAC,CAACC,2BAA2B,KAC3Bf,oBAAoB,CAACe,2BAA2B,IAClDD,CAAC,CAACE,MAAM,KAAKhB,oBAAoB,CAACgB,MAAM,IACxCF,CAAC,CAACG,IAAI,KAAKjB,oBAAoB,CAACiB,IACpC,CAAC;EAED,IAAI,CAACN,6BAA6B,EAAE;IAClC,MAAM,IAAIhC,gBAAgB,CACxB,qEACF,CAAC;EACH;;EAEA;EACA,MAAMuC,yBAAyB,GAAG;IAChCC,qBAAqB,EAAE;MACrBF,IAAI,EAAE,CAACjB,oBAAoB,CAACe,2BAA2B;IACzD,CAAC;IACDC,MAAM,EAAEhB,oBAAoB,CAACgB,MAAM;IACnCI,KAAK,EAAE;MACLC,GAAG,EAAEZ,gBAAgB;MACrBa,UAAU,EAAE;IACd;EACF,CAAC;EAED,MAAMC,aAAa,GAAG,MAAMnB,QAAQ,CAACE,aAAa,EAAE;IAClDkB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClCC,IAAI,EAAEzB,sBAAsB;MAC5B0B,aAAa,EAAG,GAAE7B,WAAW,CAAC8B,UAAW,IAAG9B,WAAW,CAAC+B,YAAa;IACvE,CAAC;IACDC,IAAI,EAAEC,IAAI,CAACC,SAAS,CAACd,yBAAyB;EAChD,CAAC,CAAC,CACCe,IAAI,CAACvD,SAAS,CAAC,GAAG,CAAC,CAAC,CACpBuD,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEH,IAAI,IAAKlD,kBAAkB,CAACwD,SAAS,CAACN,IAAI,CAAC,CAAC;EAErD,IAAI,CAACP,aAAa,CAACc,OAAO,EAAE;IAC1B,MAAM,IAAI1D,gBAAgB,CAAC4C,aAAa,CAACe,KAAK,CAACC,OAAO,CAAC;EACzD;EAEA,OAAOhB,aAAa,CAACiB,IAAI;AAC3B,CAAC"}