@pagopa/io-react-native-wallet 0.12.0 → 0.13.0

package/lib/commonjs/credential/issuance/03-start-user-authorization.js

@@ -4,24 +4,25 @@ Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.startUserAuthorization = void 0;
-var z = _interopRequireWildcard(require("zod"));
-var _reactNativeUuid = _interopRequireDefault(require("react-native-uuid"));
-var _par = require("../../utils/par");
-var _decoder = require("../../utils/decoder");
-var _misc = require("../../utils/misc");
+var _misc = require("../../../src/utils/misc");
+var _par = require("../../../src/utils/par");
 var _const = require("./const");
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
-function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
-function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
+/**
+ * Ensures that the credential type requested is supported by the issuer and contained in the
+ * issuer configuration.
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param credentialType The type of the credential to be requested returned by {@link startFlow}
+ * @param context.wiaCryptoContext The Wallet Instance's crypto context
+ * @param context.walletInstanceAttestation The Wallet Instance's attestation
+ * @param context.redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The credential definition to be used in the request which includes the format and the type and its type
+ */
 const selectCredentialDefinition = (issuerConf, credentialType) => {
-  const {
-    credentials_supported
-  } = issuerConf.openid_credential_issuer;
-  const [result] = credentials_supported.filter(e => e.credential_definition.type.includes(credentialType)).map(e => ({
-    credential_definition: {
-      type: credentialType
-    },
-    format: e.format,
+  const credential_configurations_supported = issuerConf.openid_credential_issuer.credential_configurations_supported;
+  const [result] = Object.keys(credential_configurations_supported).filter(e => e.includes(credentialType)).map(e => ({
+    credential_configuration_id: credentialType,
+    format: credential_configurations_supported[e].format,
     type: "openid_credential"
   }));
   if (!result) {
@@ -29,90 +30,62 @@ const selectCredentialDefinition = (issuerConf, credentialType) => {
   }
   return result;
 };
-const decodeAuthorizationResponse = async raw => {
-  const {
-    decodedJwt: {
-      payload
-    }
-  } = await (0, _decoder.getJwtFromFormPost)(raw);
 
-  /**
-   * FIXME: [SIW-628] This step must not make any difference on the credential
-   * we are authorizing for, being a PID or any other (Q)EAA.
-   *
-   * Currently, PID issuer is implemented to skip the CompleteUserAuthorization step
-   * thus returning a stubbed (code, state) pair.
-   *
-   * This is a workaround to proceeed the flow anyway.
-   * If the response does not map what expected (CorrectShape),
-   * we try parse into (code, state) to check if we are in the PID scenario.
-   * In that case, a stub value is returned (will not be evaluated anyway).
-   *
-   * This workaround will be obsolete once the PID issuer fixes its implementation
-   */
-  const CorrectShape = z.object({
-    request_uri: z.string()
-  });
-  const WrongShapeForPID = z.object({
-    code: z.string(),
-    state: z.string()
-  });
-  const [correct, wrong] = [CorrectShape.safeParse(payload), WrongShapeForPID.safeParse(payload)];
-  if (correct.success) {
-    return correct.data;
-  } else if (wrong.success) {
-    return {
-      request_uri: "https://fake-request-uri"
-    };
+/**
+ * Ensures that the response mode requested is supported by the issuer and contained in the issuer configuration.
+ * @param issuerConf The issuer configuration
+ * @param credentialType The type of the credential to be requested
+ * @returns The response mode to be used in the request, "query" for PersonIdentificationData and "form_post.jwt" for all other types.
+ */
+const selectResponseMode = (issuerConf, credentialType) => {
+  const responseModeSupported = issuerConf.oauth_authorization_server.response_modes_supported;
+  const responseMode = credentialType === "PersonIdentificationData" ? "query" : "form_post.jwt";
+  if (!responseModeSupported.includes(responseMode)) {
+    throw new Error(`No response mode support the type '${credentialType}'`);
   }
-  throw correct.error;
+  return responseMode;
 };
+
 /**
- * Start the User authorization phase.
- * Perform the Pushed Authorization Request as defined in OAuth 2.0 protocol.
- *
- * @param issuerConf The Issuer configuration
- * @param credentialType The type of the credential to be requested
- * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
- * @param context.walletProviderBaseUrl The base url of the Wallet Provider
- * @param context.additionalParams Hash set of parameters to be passed to the authorization endpoint
- * (used as a temporary fix until we have a proper User identity in the PID token provider)
- * TODO: [SIW-630]
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @returns The request uri to continue the authorization to
+ * WARNING: This function must be called after {@link evaluateIssuerTrust} and {@link startFlow}. The next steam is {@link compeUserAuthorizationWithQueryMode} or {@link compeUserAuthorizationWithFormPostJwtMode}
+ * Creates and sends a PAR request to the /as/par endpoint of the authroization server.
+ * This starts the authentication flow to obtain an access token.
+ * This token enables the Wallet Instance to request a digital credential from the Credential Endpoint of the Credential Issuer.
+ * This is an HTTP POST request containing the Wallet Instance identifier (client id), the code challenge and challenge method as specified by PKCE according to RFC 9126
+ * along with the WTE and its proof of possession (WTE-PoP).
+ * Additionally, it includes a request object, which is a signed JWT encapsulating the type of digital credential requested (authorization_details),
+ * the application session identifier on the Wallet Instance side (state),
+ * the method (query or form_post.jwt) by which the Authorization Server
+ * should transmit the Authorization Response containing the authorization code issued upon the end user's authentication (response_mode)
+ * to the Wallet Instance's Token Endpoint to obtain the Access Token, and the redirect_uri of the Wallet Instance where the Authorization Response
+ * should be delivered. The redirect is achived by using a custom URL scheme that the Wallet Instance is registered to handle.
+ * @param issuerConf The issuer configuration
+ * @param credentialType The type of the credential to be requested returned by {@link selectCredentialDefinition}
+ * @param ctx The context object containing the Wallet Instance's cryptographic context, the Wallet Instance's attestation, the redirect URI and the fetch implementation
+ * @returns The URI to which the end user should be redirected to start the authentication flow, along with the client id, the code verifier and the credential definition
  */
 const startUserAuthorization = async (issuerConf, credentialType, ctx) => {
   const {
     wiaCryptoContext,
     walletInstanceAttestation,
-    walletProviderBaseUrl,
-    additionalParams = {},
+    redirectUri,
     appFetch = fetch
   } = ctx;
   const clientId = await wiaCryptoContext.getPublicKey().then(_ => _.kid);
-  const codeVerifier = `${_reactNativeUuid.default.v4()}`;
-  // Make a PAR request to the credential issuer and return the response url
-  const parUrl = issuerConf.openid_credential_issuer.pushed_authorization_request_endpoint;
+  const codeVerifier = (0, _misc.generateRandomAlphaNumericString)(64);
+  const parEndpoint = issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
+  const credentialDefinition = selectCredentialDefinition(issuerConf, credentialType);
+  const responseMode = selectResponseMode(issuerConf, credentialType);
   const getPar = (0, _par.makeParRequest)({
     wiaCryptoContext,
     appFetch
   });
-  const issuerRequestUri = await getPar(clientId, codeVerifier, walletProviderBaseUrl, parUrl, walletInstanceAttestation, [selectCredentialDefinition(issuerConf, credentialType)], _const.ASSERTION_TYPE);
-
-  // Initialize authorization by requesting the authz request uri
-  const authzRequestEndpoint = issuerConf.openid_credential_issuer.authorization_endpoint;
-  const params = new URLSearchParams({
-    client_id: clientId,
-    request_uri: issuerRequestUri,
-    ...additionalParams
-  });
-  const {
-    request_uri
-  } = await appFetch(`${authzRequestEndpoint}?${params}`).then((0, _misc.hasStatus)(200)).then(res => res.text()).then(decodeAuthorizationResponse);
+  const issuerRequestUri = await getPar(clientId, codeVerifier, redirectUri, responseMode, parEndpoint, walletInstanceAttestation, [credentialDefinition], _const.ASSERTION_TYPE);
   return {
-    requestUri: request_uri,
-    clientId
+    issuerRequestUri,
+    clientId,
+    codeVerifier,
+    credentialDefinition
   };
 };
 exports.startUserAuthorization = startUserAuthorization;

package/lib/commonjs/credential/issuance/03-start-user-authorization.js.map

@@ -1 +1 @@
-{"version":3,"names":["z","_interopRequireWildcard","require","_reactNativeUuid","_interopRequireDefault","_par","_decoder","_misc","_const","obj","__esModule","default","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","selectCredentialDefinition","issuerConf","credentialType","credentials_supported","openid_credential_issuer","result","filter","e","credential_definition","type","includes","map","format","Error","decodeAuthorizationResponse","raw","decodedJwt","payload","getJwtFromFormPost","CorrectShape","object","request_uri","string","WrongShapeForPID","code","state","correct","wrong","safeParse","success","data","error","startUserAuthorization","ctx","wiaCryptoContext","walletInstanceAttestation","walletProviderBaseUrl","additionalParams","appFetch","fetch","clientId","getPublicKey","then","_","kid","codeVerifier","uuid","v4","parUrl","pushed_authorization_request_endpoint","getPar","makeParRequest","issuerRequestUri","ASSERTION_TYPE","authzRequestEndpoint","authorization_endpoint","params","URLSearchParams","client_id","hasStatus","res","text","requestUri","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/03-start-user-authorization.ts"],"mappings":";;;;;;AAAA,IAAAA,CAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,gBAAA,GAAAC,sBAAA,CAAAF,OAAA;AACA,IAAAG,IAAA,GAAAH,OAAA;AAEA,IAAAI,QAAA,GAAAJ,OAAA;AACA,IAAAK,KAAA,GAAAL,OAAA;AAGA,IAAAM,MAAA,GAAAN,OAAA;AAAyC,SAAAE,uBAAAK,GAAA,WAAAA,GAAA,IAAAA,GAAA,CAAAC,UAAA,GAAAD,GAAA,KAAAE,OAAA,EAAAF,GAAA;AAAA,SAAAG,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAZ,wBAAAQ,GAAA,EAAAI,WAAA,SAAAA,WAAA,IAAAJ,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAQ,KAAA,GAAAL,wBAAA,CAAAC,WAAA,OAAAI,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAT,GAAA,YAAAQ,KAAA,CAAAE,GAAA,CAAAV,GAAA,SAAAW,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAhB,GAAA,QAAAgB,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAnB,GAAA,EAAAgB,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAf,GAAA,EAAAgB,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAhB,GAAA,CAAAgB,GAAA,SAAAL,MAAA,CAAAT,OAAA,GAAAF,GAAA,MAAAQ,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAArB,GAAA,EAAAW,MAAA,YAAAA,MAAA;AAEzC,MAAMW,0BAA0B,GAAGA,CACjCC,UAAkD,EAClDC,cAAgD,KACxB;EACxB,MAAM;IAAEC;EAAsB,CAAC,GAAGF,UAAU,CAACG,wBAAwB;EAErE,MAAM,CAACC,MAAM,CAAC,GAAGF,qBAAqB,CACnCG,MAAM,CAAEC,CAAC,IAAKA,CAAC,CAACC,qBAAqB,CAACC,IAAI,CAACC,QAAQ,CAACR,cAAc,CAAC,CAAC,CACpES,GAAG,CAAEJ,CAAC,KAAM;IACXC,qBAAqB,EAAE;MAAEC,IAAI,EAAEP;IAAe,CAAC;IAC/CU,MAAM,EAAEL,CAAC,CAACK,MAAM;IAChBH,IAAI,EAAE;EACR,CAAC,CAAC,CAAC;EAEL,IAAI,CAACJ,MAAM,EAAE;IACX,MAAM,IAAIQ,KAAK,CAAE,mCAAkCX,cAAe,GAAE,CAAC;EACvE;EACA,OAAOG,MAAM;AACf,CAAC;AAED,MAAMS,2BAA2B,GAAG,MAClCC,GAAW,IAC0B;EACrC,MAAM;IACJC,UAAU,EAAE;MAAEC;IAAQ;EACxB,CAAC,GAAG,MAAM,IAAAC,2BAAkB,EAACH,GAAG,CAAC;;EAEjC;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;EACE,MAAMI,YAAY,GAAGlD,CAAC,CAACmD,MAAM,CAAC;IAAEC,WAAW,EAAEpD,CAAC,CAACqD,MAAM,CAAC;EAAE,CAAC,CAAC;EAC1D,MAAMC,gBAAgB,GAAGtD,CAAC,CAACmD,MAAM,CAAC;IAAEI,IAAI,EAAEvD,CAAC,CAACqD,MAAM,CAAC,CAAC;IAAEG,KAAK,EAAExD,CAAC,CAACqD,MAAM,CAAC;EAAE,CAAC,CAAC;EAE1E,MAAM,CAACI,OAAO,EAAEC,KAAK,CAAC,GAAG,CACvBR,YAAY,CAACS,SAAS,CAACX,OAAO,CAAC,EAC/BM,gBAAgB,CAACK,SAAS,CAACX,OAAO,CAAC,CACpC;EAED,IAAIS,OAAO,CAACG,OAAO,EAAE;IACnB,OAAOH,OAAO,CAACI,IAAI;EACrB,CAAC,MAAM,IAAIH,KAAK,CAACE,OAAO,EAAE;IACxB,OAAO;MAAER,WAAW,EAAE;IAA2B,CAAC;EACpD;EACA,MAAMK,OAAO,CAACK,KAAK;AACrB,CAAC;AAcD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMC,sBAA8C,GAAG,MAAAA,CAC5D/B,UAAU,EACVC,cAAc,EACd+B,GAAG,KACA;EACH,MAAM;IACJC,gBAAgB;IAChBC,yBAAyB;IACzBC,qBAAqB;IACrBC,gBAAgB,GAAG,CAAC,CAAC;IACrBC,QAAQ,GAAGC;EACb,CAAC,GAAGN,GAAG;EACP,MAAMO,QAAQ,GAAG,MAAMN,gBAAgB,CAACO,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EACzE,MAAMC,YAAY,GAAI,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE,EAAC;EACnC;EACA,MAAMC,MAAM,GACV/C,UAAU,CAACG,wBAAwB,CAAC6C,qCAAqC;EAC3E,MAAMC,MAAM,GAAG,IAAAC,mBAAc,EAAC;IAAEjB,gBAAgB;IAAEI;EAAS,CAAC,CAAC;EAC7D,MAAMc,gBAAgB,GAAG,MAAMF,MAAM,CACnCV,QAAQ,EACRK,YAAY,EACZT,qBAAqB,EACrBY,MAAM,EACNb,yBAAyB,EACzB,CAACnC,0BAA0B,CAACC,UAAU,EAAEC,cAAc,CAAC,CAAC,EACxDmD,qBACF,CAAC;;EAED;EACA,MAAMC,oBAAoB,GACxBrD,UAAU,CAACG,wBAAwB,CAACmD,sBAAsB;EAC5D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAElB,QAAQ;IACnBnB,WAAW,EAAE+B,gBAAgB;IAC7B,GAAGf;EACL,CAAC,CAAC;EAEF,MAAM;IAAEhB;EAAY,CAAC,GAAG,MAAMiB,QAAQ,CAAE,GAAEgB,oBAAqB,IAAGE,MAAO,EAAC,CAAC,CACxEd,IAAI,CAAC,IAAAiB,eAAS,EAAC,GAAG,CAAC,CAAC,CACpBjB,IAAI,CAAEkB,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBnB,IAAI,CAAC5B,2BAA2B,CAAC;EAEpC,OAAO;IAAEgD,UAAU,EAAEzC,WAAW;IAAEmB;EAAS,CAAC;AAC9C,CAAC;AAACuB,OAAA,CAAA/B,sBAAA,GAAAA,sBAAA"}
+{"version":3,"names":["_misc","require","_par","_const","selectCredentialDefinition","issuerConf","credentialType","credential_configurations_supported","openid_credential_issuer","result","Object","keys","filter","e","includes","map","credential_configuration_id","format","type","Error","selectResponseMode","responseModeSupported","oauth_authorization_server","response_modes_supported","responseMode","startUserAuthorization","ctx","wiaCryptoContext","walletInstanceAttestation","redirectUri","appFetch","fetch","clientId","getPublicKey","then","_","kid","codeVerifier","generateRandomAlphaNumericString","parEndpoint","pushed_authorization_request_endpoint","credentialDefinition","getPar","makeParRequest","issuerRequestUri","ASSERTION_TYPE","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/03-start-user-authorization.ts"],"mappings":";;;;;;AAEA,IAAAA,KAAA,GAAAC,OAAA;AAOA,IAAAC,IAAA,GAAAD,OAAA;AACA,IAAAE,MAAA,GAAAF,OAAA;AAkBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMG,0BAA0B,GAAGA,CACjCC,UAAkD,EAClDC,cAAgD,KACxB;EACxB,MAAMC,mCAAmC,GACvCF,UAAU,CAACG,wBAAwB,CAACD,mCAAmC;EAEzE,MAAM,CAACE,MAAM,CAAC,GAAGC,MAAM,CAACC,IAAI,CAACJ,mCAAmC,CAAC,CAC9DK,MAAM,CAAEC,CAAC,IAAKA,CAAC,CAACC,QAAQ,CAACR,cAAc,CAAC,CAAC,CACzCS,GAAG,CAAEF,CAAC,KAAM;IACXG,2BAA2B,EAAEV,cAAc;IAC3CW,MAAM,EAAEV,mCAAmC,CAACM,CAAC,CAAC,CAAEI,MAAM;IACtDC,IAAI,EAAE;EACR,CAAC,CAAC,CAAC;EAEL,IAAI,CAACT,MAAM,EAAE;IACX,MAAM,IAAIU,KAAK,CAAE,mCAAkCb,cAAe,GAAE,CAAC;EACvE;EACA,OAAOG,MAAM;AACf,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMW,kBAAkB,GAAGA,CACzBf,UAAkD,EAClDC,cAAgD,KAC/B;EACjB,MAAMe,qBAAqB,GACzBhB,UAAU,CAACiB,0BAA0B,CAACC,wBAAwB;EAEhE,MAAMC,YAAY,GAChBlB,cAAc,KAAK,0BAA0B,GAAG,OAAO,GAAG,eAAe;EAE3E,IAAI,CAACe,qBAAqB,CAACP,QAAQ,CAACU,YAAY,CAAC,EAAE;IACjD,MAAM,IAAIL,KAAK,CAAE,sCAAqCb,cAAe,GAAE,CAAC;EAC1E;EAEA,OAAOkB,YAAY;AACrB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMC,sBAA8C,GAAG,MAAAA,CAC5DpB,UAAU,EACVC,cAAc,EACdoB,GAAG,KACA;EACH,MAAM;IACJC,gBAAgB;IAChBC,yBAAyB;IACzBC,WAAW;IACXC,QAAQ,GAAGC;EACb,CAAC,GAAGL,GAAG;EAEP,MAAMM,QAAQ,GAAG,MAAML,gBAAgB,CAACM,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EACzE,MAAMC,YAAY,GAAG,IAAAC,sCAAgC,EAAC,EAAE,CAAC;EACzD,MAAMC,WAAW,GACflC,UAAU,CAACiB,0BAA0B,CAACkB,qCAAqC;EAC7E,MAAMC,oBAAoB,GAAGrC,0BAA0B,CACrDC,UAAU,EACVC,cACF,CAAC;EACD,MAAMkB,YAAY,GAAGJ,kBAAkB,CAACf,UAAU,EAAEC,cAAc,CAAC;EAEnE,MAAMoC,MAAM,GAAG,IAAAC,mBAAc,EAAC;IAAEhB,gBAAgB;IAAEG;EAAS,CAAC,CAAC;EAC7D,MAAMc,gBAAgB,GAAG,MAAMF,MAAM,CACnCV,QAAQ,EACRK,YAAY,EACZR,WAAW,EACXL,YAAY,EACZe,WAAW,EACXX,yBAAyB,EACzB,CAACa,oBAAoB,CAAC,EACtBI,qBACF,CAAC;EAED,OAAO;IAAED,gBAAgB;IAAEZ,QAAQ;IAAEK,YAAY;IAAEI;EAAqB,CAAC;AAC3E,CAAC;AAACK,OAAA,CAAArB,sBAAA,GAAAA,sBAAA"}

package/lib/commonjs/credential/issuance/04-complete-user-authorization.js

@@ -3,4 +3,92 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
+exports.completeUserAuthorizationWithQueryMode = exports.completeUserAuthorizationWithFormPostJwtMode = void 0;
+var _auth = require("../../../src/utils/auth");
+var _misc = require("../../utils/misc");
+var _parseUrl = _interopRequireDefault(require("parse-url"));
+var _errors = require("../../utils/errors");
+var _reactNative = require("react-native");
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+/**
+ * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
+ */
+
+/**
+ * WARNING: This function must be called after {@link startUserAuthorization}. The next function to be called is {@link authorizeAccess}.
+ * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
+ * It is used to complete the user authorization by catching the redirectSchema from the authorization server which then contains the authorization response.
+ * This function utilizes the authorization context to open an in-app browser capable of catching the redirectSchema to perform a get request to the authorization endpoint.
+ * If the 302 redirect happens and the redirectSchema is caught, the function will return the authorization response after parsing it from the query string.
+ * @param issuerRequestUri the URI of the issuer where the request is sent
+ * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param authorizationContext The context to identify the user which will be used to start the authorization. It's needed only when requesting a PersonalIdentificationData credential. The implementantion should open an in-app browser capable of catching the redirectSchema.
+ * If not specified, the default browser is used
+ * @param idphint Unique identifier of the SPID IDP selected by the user
+ * @param redirectUri The url to reach to complete the user authorization which is the custom URL scheme that the Wallet Instance is registered to handle, usually a custom URL or deeplink
+ * @throws {AuthorizationError} if an error occurs during the authorization process
+ * @throws {AuthorizationIdpError} if an error occurs during the authorization process and the error is related to the IDP
+ * @returns the authorization response which contains code, state and iss
+ */
+const completeUserAuthorizationWithQueryMode = async (issuerRequestUri, clientId, issuerConf, idpHint, redirectUri, authorizationContext) => {
+  /**
+   * Starts the authorization flow which dependes on the response mode and the request credential.
+   * If the response mode is "query" the authorization flow is handled differently via the authorization context which opens an in-app browser capable of catching the redirectSchema.
+   * The form_post.jwt mode is not currently supported.
+   */
+  const authzRequestEndpoint = issuerConf.oauth_authorization_server.authorization_endpoint;
+  const params = new URLSearchParams({
+    client_id: clientId,
+    request_uri: issuerRequestUri,
+    idphint: idpHint
+  });
+  const authUrl = `${authzRequestEndpoint}?${params}`;
+  var authRedirectUrl;
+  if (authorizationContext) {
+    const redirectSchema = new URL(redirectUri).protocol.replace(":", "");
+    authRedirectUrl = await authorizationContext.authorize(authUrl, redirectSchema).catch(e => {
+      throw new _errors.AuthorizationError(e.message);
+    });
+  } else {
+    // handler for redirectUri
+    _reactNative.Linking.addEventListener("url", _ref => {
+      let {
+        url
+      } = _ref;
+      if (url.includes(redirectUri)) {
+        authRedirectUrl = url;
+      }
+    });
+    const openAuthUrlInBrowser = _reactNative.Linking.openURL(authUrl);
+
+    /*
+     * Waits for 120 seconds for the identificationRedirectUrl variable to be set
+     * by the custom url handler. If the timeout is exceeded, throw an exception
+     */
+    const unitAuthRedirectIsNotUndefined = (0, _misc.until)(() => authRedirectUrl !== undefined, 120);
+    await Promise.all([openAuthUrlInBrowser, unitAuthRedirectIsNotUndefined]);
+    if (authRedirectUrl === undefined) {
+      throw new _errors.AuthorizationError("Invalid authentication redirect url");
+    }
+  }
+  const urlParse = (0, _parseUrl.default)(authRedirectUrl);
+  const authRes = _auth.AuthorizationResultShape.safeParse(urlParse.query);
+  if (!authRes.success) {
+    const authErr = _auth.AuthorizationErrorShape.safeParse(urlParse.query);
+    if (!authErr.success) {
+      throw new _errors.AuthorizationError(authRes.error.message); // an error occured while parsing the result and the error
+    }
+
+    throw new _errors.AuthorizationIdpError(authErr.data.error, authErr.data.error_description);
+  }
+  return authRes.data;
+};
+
+// TODO: SIW-1120 implement generic credential issuance flow
+exports.completeUserAuthorizationWithQueryMode = completeUserAuthorizationWithQueryMode;
+const completeUserAuthorizationWithFormPostJwtMode = () => {
+  throw new Error("Not implemented");
+};
+exports.completeUserAuthorizationWithFormPostJwtMode = completeUserAuthorizationWithFormPostJwtMode;
 //# sourceMappingURL=04-complete-user-authorization.js.map

package/lib/commonjs/credential/issuance/04-complete-user-authorization.js.map

@@ -1 +1 @@
-{"version":3,"names":[],"sourceRoot":"../../../../src","sources":["credential/issuance/04-complete-user-authorization.ts"],"mappings":""}
+{"version":3,"names":["_auth","require","_misc","_parseUrl","_interopRequireDefault","_errors","_reactNative","obj","__esModule","default","completeUserAuthorizationWithQueryMode","issuerRequestUri","clientId","issuerConf","idpHint","redirectUri","authorizationContext","authzRequestEndpoint","oauth_authorization_server","authorization_endpoint","params","URLSearchParams","client_id","request_uri","idphint","authUrl","authRedirectUrl","redirectSchema","URL","protocol","replace","authorize","catch","e","AuthorizationError","message","Linking","addEventListener","_ref","url","includes","openAuthUrlInBrowser","openURL","unitAuthRedirectIsNotUndefined","until","undefined","Promise","all","urlParse","parseUrl","authRes","AuthorizationResultShape","safeParse","query","success","authErr","AuthorizationErrorShape","error","AuthorizationIdpError","data","error_description","exports","completeUserAuthorizationWithFormPostJwtMode","Error"],"sourceRoot":"../../../../src","sources":["credential/issuance/04-complete-user-authorization.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAMA,IAAAC,KAAA,GAAAD,OAAA;AAEA,IAAAE,SAAA,GAAAC,sBAAA,CAAAH,OAAA;AACA,IAAAI,OAAA,GAAAJ,OAAA;AAEA,IAAAK,YAAA,GAAAL,OAAA;AAAuC,SAAAG,uBAAAG,GAAA,WAAAA,GAAA,IAAAA,GAAA,CAAAC,UAAA,GAAAD,GAAA,KAAAE,OAAA,EAAAF,GAAA;AAEvC;AACA;AACA;;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMG,sCAA8E,GACzF,MAAAA,CACEC,gBAAgB,EAChBC,QAAQ,EACRC,UAAU,EACVC,OAAO,EACPC,WAAW,EACXC,oBAAoB,KACjB;EACH;AACJ;AACA;AACA;AACA;EACI,MAAMC,oBAAoB,GACxBJ,UAAU,CAACK,0BAA0B,CAACC,sBAAsB;EAC9D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAEV,QAAQ;IACnBW,WAAW,EAAEZ,gBAAgB;IAC7Ba,OAAO,EAAEV;EACX,CAAC,CAAC;EACF,MAAMW,OAAO,GAAI,GAAER,oBAAqB,IAAGG,MAAO,EAAC;EACnD,IAAIM,eAAmC;EAEvC,IAAIV,oBAAoB,EAAE;IACxB,MAAMW,cAAc,GAAG,IAAIC,GAAG,CAACb,WAAW,CAAC,CAACc,QAAQ,CAACC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC;IACrEJ,eAAe,GAAG,MAAMV,oBAAoB,CACzCe,SAAS,CAACN,OAAO,EAAEE,cAAc,CAAC,CAClCK,KAAK,CAAEC,CAAC,IAAK;MACZ,MAAM,IAAIC,0BAAkB,CAACD,CAAC,CAACE,OAAO,CAAC;IACzC,CAAC,CAAC;EACN,CAAC,MAAM;IACL;IACAC,oBAAO,CAACC,gBAAgB,CAAC,KAAK,EAAEC,IAAA,IAAa;MAAA,IAAZ;QAAEC;MAAI,CAAC,GAAAD,IAAA;MACtC,IAAIC,GAAG,CAACC,QAAQ,CAACzB,WAAW,CAAC,EAAE;QAC7BW,eAAe,GAAGa,GAAG;MACvB;IACF,CAAC,CAAC;IAEF,MAAME,oBAAoB,GAAGL,oBAAO,CAACM,OAAO,CAACjB,OAAO,CAAC;;IAErD;AACN;AACA;AACA;IACM,MAAMkB,8BAA8B,GAAG,IAAAC,WAAK,EAC1C,MAAMlB,eAAe,KAAKmB,SAAS,EACnC,GACF,CAAC;IAED,MAAMC,OAAO,CAACC,GAAG,CAAC,CAACN,oBAAoB,EAAEE,8BAA8B,CAAC,CAAC;IAEzE,IAAIjB,eAAe,KAAKmB,SAAS,EAAE;MACjC,MAAM,IAAIX,0BAAkB,CAAC,qCAAqC,CAAC;IACrE;EACF;EAEA,MAAMc,QAAQ,GAAG,IAAAC,iBAAQ,EAACvB,eAAe,CAAC;EAC1C,MAAMwB,OAAO,GAAGC,8BAAwB,CAACC,SAAS,CAACJ,QAAQ,CAACK,KAAK,CAAC;EAClE,IAAI,CAACH,OAAO,CAACI,OAAO,EAAE;IACpB,MAAMC,OAAO,GAAGC,6BAAuB,CAACJ,SAAS,CAACJ,QAAQ,CAACK,KAAK,CAAC;IACjE,IAAI,CAACE,OAAO,CAACD,OAAO,EAAE;MACpB,MAAM,IAAIpB,0BAAkB,CAACgB,OAAO,CAACO,KAAK,CAACtB,OAAO,CAAC,CAAC,CAAC;IACvD;;IACA,MAAM,IAAIuB,6BAAqB,CAC7BH,OAAO,CAACI,IAAI,CAACF,KAAK,EAClBF,OAAO,CAACI,IAAI,CAACC,iBACf,CAAC;EACH;EACA,OAAOV,OAAO,CAACS,IAAI;AACrB,CAAC;;AAEH;AAAAE,OAAA,CAAAnD,sCAAA,GAAAA,sCAAA;AACO,MAAMoD,4CAA4C,GAAGA,CAAA,KAAM;EAChE,MAAM,IAAIC,KAAK,CAAC,iBAAiB,CAAC;AACpC,CAAC;AAACF,OAAA,CAAAC,4CAAA,GAAAA,4CAAA"}

package/lib/commonjs/credential/issuance/05-authorize-access.js

@@ -4,60 +4,83 @@ Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.authorizeAccess = void 0;
+var _misc = require("../../../src/utils/misc");
+var _crypto = require("../../../src/utils/crypto");
+var _dpop = require("../../../src/utils/dpop");
 var _reactNativeUuid = _interopRequireDefault(require("react-native-uuid"));
-var _crypto = require("../../utils/crypto");
-var _dpop = require("../../utils/dpop");
-var _misc = require("../../utils/misc");
+var _pop = require("../../../src/utils/pop");
+var WalletInstanceAttestation = _interopRequireWildcard(require("../../wallet-instance-attestation"));
 var _const = require("./const");
+var _types = require("./types");
+var _errors = require("../../../src/utils/errors");
+function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
+function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 /**
- * Obtain the access token to finally request the credential
- *
- * @param issuerConf The Issuer configuration
- * @param code The access code from the User authorization phase
- * @param clientId Identifies the current client across all the requests of the issuing flow
- * @param context.walletInstanceAttestation The Wallet Instance Attestation token
- * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * Creates and sends the DPoP Proof JWT to be presented with the authorization code to the /token endpoint of the authorization server
+ * for requesting the issuance of an access token bound to the public key of the Wallet Instance contained within the DPoP.
+ * This enables the Wallet Instance to request a digital credential.
+ * The DPoP Proof JWT is generated according to the section 4.3 of the DPoP RFC 9449 specification.
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param code The authorization code returned by {@link completeUserAuthorizationWithQueryMode} or {@link completeUserAuthorizationWithFormPost}
+ * @param redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
+ * @param clientId The client id returned by {@link startUserAuthorization}
+ * @param codeVerifier The code verifier returned by {@link startUserAuthorization}
+ * @param context.walletInstanceAttestation The Wallet Instance's attestation
+ * @param context.wiaCryptoContext The Wallet Instance's crypto context
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @returns
+ * @throws {ValidationFailed} if an error occurs while parsing the token response
+ * @return The token response containing the access token along with the token request signed with DPoP which has to be used in the {@link obtainCredential} step.
  */
-const authorizeAccess = async (issuerConf, code, clientId, context) => {
+const authorizeAccess = async (issuerConf, code, clientId, redirectUri, codeVerifier, context) => {
   const {
     appFetch = fetch,
     walletInstanceAttestation,
-    walletProviderBaseUrl
+    wiaCryptoContext
   } = context;
-  const tokenUrl = issuerConf.openid_credential_issuer.token_endpoint;
-
+  const parEndpoint = issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
+  const parUrl = new URL(parEndpoint);
+  const aud = `${parUrl.protocol}//${parUrl.hostname}`;
+  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
+  const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
   // Use an ephemeral key to be destroyed after use
-  const signedDPop = await (0, _crypto.withEphemeralKey)(ephemeralContext => (0, _dpop.createDPopToken)({
-    htm: "POST",
-    htu: tokenUrl,
-    jti: `${_reactNativeUuid.default.v4()}`
-  }, ephemeralContext));
-  const codeVerifier = `${_reactNativeUuid.default.v4()}`;
+  const tokenRequestSignedDPop = await (0, _crypto.withEphemeralKey)(async ephimeralContext => {
+    return await (0, _dpop.createDPopToken)({
+      htm: "POST",
+      htu: tokenUrl,
+      jti: `${_reactNativeUuid.default.v4()}`
+    }, ephimeralContext);
+  });
+  const signedWiaPoP = await (0, _pop.createPopToken)({
+    jti: `${_reactNativeUuid.default.v4()}`,
+    aud,
+    iss
+  }, wiaCryptoContext);
   const requestBody = {
-    grant_type: "authorization code",
+    grant_type: "authorization_code",
     client_id: clientId,
     code,
+    redirect_uri: redirectUri,
     code_verifier: codeVerifier,
     client_assertion_type: _const.ASSERTION_TYPE,
-    client_assertion: walletInstanceAttestation,
-    redirect_uri: walletProviderBaseUrl
+    client_assertion: walletInstanceAttestation + "~" + signedWiaPoP
   };
-  var formBody = new URLSearchParams(requestBody);
-  return appFetch(tokenUrl, {
+  const authorizationRequestFormBody = new URLSearchParams(requestBody);
+  const tokenRes = await appFetch(tokenUrl, {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
-      DPoP: signedDPop
+      DPoP: tokenRequestSignedDPop
     },
-    body: formBody.toString()
-  }).then((0, _misc.hasStatus)(200)).then(res => res.json()).then(body => ({
-    accessToken: body.access_token,
-    nonce: body.c_nonce,
-    clientId
-  }));
+    body: authorizationRequestFormBody.toString()
+  }).then((0, _misc.hasStatus)(200)).then(res => res.json()).then(body => _types.TokenResponse.safeParse(body));
+  if (!tokenRes.success) {
+    throw new _errors.ValidationFailed(tokenRes.error.message);
+  }
+  return {
+    accessToken: tokenRes.data,
+    tokenRequestSignedDPop
+  };
 };
 exports.authorizeAccess = authorizeAccess;
 //# sourceMappingURL=05-authorize-access.js.map

package/lib/commonjs/credential/issuance/05-authorize-access.js.map

@@ -1 +1 @@
-{"version":3,"names":["_reactNativeUuid","_interopRequireDefault","require","_crypto","_dpop","_misc","_const","obj","__esModule","default","authorizeAccess","issuerConf","code","clientId","context","appFetch","fetch","walletInstanceAttestation","walletProviderBaseUrl","tokenUrl","openid_credential_issuer","token_endpoint","signedDPop","withEphemeralKey","ephemeralContext","createDPopToken","htm","htu","jti","uuid","v4","codeVerifier","requestBody","grant_type","client_id","code_verifier","client_assertion_type","ASSERTION_TYPE","client_assertion","redirect_uri","formBody","URLSearchParams","method","headers","DPoP","body","toString","then","hasStatus","res","json","accessToken","access_token","nonce","c_nonce","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":";;;;;;AAAA,IAAAA,gBAAA,GAAAC,sBAAA,CAAAC,OAAA;AACA,IAAAC,OAAA,GAAAD,OAAA;AACA,IAAAE,KAAA,GAAAF,OAAA;AAEA,IAAAG,KAAA,GAAAH,OAAA;AAEA,IAAAI,MAAA,GAAAJ,OAAA;AAAyC,SAAAD,uBAAAM,GAAA,WAAAA,GAAA,IAAAA,GAAA,CAAAC,UAAA,GAAAD,GAAA,KAAAE,OAAA,EAAAF,GAAA;AAqBzC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMG,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,QAAQ,EACRC,OAAO,KAC+D;EACtE,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,QAAQ,GAAGR,UAAU,CAACS,wBAAwB,CAACC,cAAc;;EAEnE;EACA,MAAMC,UAAU,GAAG,MAAM,IAAAC,wBAAgB,EAAEC,gBAAgB,IACzD,IAAAC,qBAAe,EACb;IACEC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAER,QAAQ;IACbS,GAAG,EAAG,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE;EACpB,CAAC,EACDN,gBACF,CACF,CAAC;EAED,MAAMO,YAAY,GAAI,GAAEF,wBAAI,CAACC,EAAE,CAAC,CAAE,EAAC;EACnC,MAAME,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCC,SAAS,EAAErB,QAAQ;IACnBD,IAAI;IACJuB,aAAa,EAAEJ,YAAY;IAC3BK,qBAAqB,EAAEC,qBAAc;IACrCC,gBAAgB,EAAErB,yBAAyB;IAC3CsB,YAAY,EAAErB;EAChB,CAAC;EACD,IAAIsB,QAAQ,GAAG,IAAIC,eAAe,CAACT,WAAW,CAAC;EAE/C,OAAOjB,QAAQ,CAACI,QAAQ,EAAE;IACxBuB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAEtB;IACR,CAAC;IACDuB,IAAI,EAAEL,QAAQ,CAACM,QAAQ,CAAC;EAC1B,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,eAAS,EAAC,GAAG,CAAC,CAAC,CACpBD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEF,IAAI,KAAM;IACfM,WAAW,EAAEN,IAAI,CAACO,YAAY;IAC9BC,KAAK,EAAER,IAAI,CAACS,OAAO;IACnBzC;EACF,CAAC,CAAC,CAAC;AACP,CAAC;AAAC0C,OAAA,CAAA7C,eAAA,GAAAA,eAAA"}
+{"version":3,"names":["_misc","require","_crypto","_dpop","_reactNativeUuid","_interopRequireDefault","_pop","WalletInstanceAttestation","_interopRequireWildcard","_const","_types","_errors","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","authorizeAccess","issuerConf","code","clientId","redirectUri","codeVerifier","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","parEndpoint","oauth_authorization_server","pushed_authorization_request_endpoint","parUrl","URL","aud","protocol","hostname","iss","decode","payload","cnf","jwk","kid","tokenUrl","token_endpoint","tokenRequestSignedDPop","withEphemeralKey","ephimeralContext","createDPopToken","htm","htu","jti","uuid","v4","signedWiaPoP","createPopToken","requestBody","grant_type","client_id","redirect_uri","code_verifier","client_assertion_type","ASSERTION_TYPE","client_assertion","authorizationRequestFormBody","URLSearchParams","tokenRes","method","headers","DPoP","body","toString","then","hasStatus","res","json","TokenResponse","safeParse","success","ValidationFailed","error","message","accessToken","data","exports"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":";;;;;;AAAA,IAAAA,KAAA,GAAAC,OAAA;AAGA,IAAAC,OAAA,GAAAD,OAAA;AACA,IAAAE,KAAA,GAAAF,OAAA;AACA,IAAAG,gBAAA,GAAAC,sBAAA,CAAAJ,OAAA;AACA,IAAAK,IAAA,GAAAL,OAAA;AACA,IAAAM,yBAAA,GAAAC,uBAAA,CAAAP,OAAA;AAEA,IAAAQ,MAAA,GAAAR,OAAA;AACA,IAAAS,MAAA,GAAAT,OAAA;AACA,IAAAU,OAAA,GAAAV,OAAA;AAA6D,SAAAW,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAL,wBAAAS,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAAA,SAAAlB,uBAAAY,GAAA,WAAAA,GAAA,IAAAA,GAAA,CAAAC,UAAA,GAAAD,GAAA,KAAAE,OAAA,EAAAF,GAAA;AAgB7D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,MAAMiB,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,QAAQ,EACRC,WAAW,EACXC,YAAY,EACZC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC;EACF,CAAC,GAAGJ,OAAO;EAEX,MAAMK,WAAW,GACfV,UAAU,CAACW,0BAA0B,CAACC,qCAAqC;EAC7E,MAAMC,MAAM,GAAG,IAAIC,GAAG,CAACJ,WAAW,CAAC;EACnC,MAAMK,GAAG,GAAI,GAAEF,MAAM,CAACG,QAAS,KAAIH,MAAM,CAACI,QAAS,EAAC;EACpD,MAAMC,GAAG,GAAG9C,yBAAyB,CAAC+C,MAAM,CAACX,yBAAyB,CAAC,CACpEY,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,QAAQ,GAAGxB,UAAU,CAACW,0BAA0B,CAACc,cAAc;EACrE;EACA,MAAMC,sBAAsB,GAAG,MAAM,IAAAC,wBAAgB,EACnD,MAAOC,gBAAgB,IAAK;IAC1B,OAAO,MAAM,IAAAC,qBAAe,EAC1B;MACEC,GAAG,EAAE,MAAM;MACXC,GAAG,EAAEP,QAAQ;MACbQ,GAAG,EAAG,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE;IACpB,CAAC,EACDN,gBACF,CAAC;EACH,CACF,CAAC;EAED,MAAMO,YAAY,GAAG,MAAM,IAAAC,mBAAc,EACvC;IACEJ,GAAG,EAAG,GAAEC,wBAAI,CAACC,EAAE,CAAC,CAAE,EAAC;IACnBnB,GAAG;IACHG;EACF,CAAC,EACDT,gBACF,CAAC;EAED,MAAM4B,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCC,SAAS,EAAErC,QAAQ;IACnBD,IAAI;IACJuC,YAAY,EAAErC,WAAW;IACzBsC,aAAa,EAAErC,YAAY;IAC3BsC,qBAAqB,EAAEC,qBAAc;IACrCC,gBAAgB,EAAEpC,yBAAyB,GAAG,GAAG,GAAG2B;EACtD,CAAC;EAED,MAAMU,4BAA4B,GAAG,IAAIC,eAAe,CAACT,WAAW,CAAC;EACrE,MAAMU,QAAQ,GAAG,MAAMzC,QAAQ,CAACkB,QAAQ,EAAE;IACxCwB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAExB;IACR,CAAC;IACDyB,IAAI,EAAEN,4BAA4B,CAACO,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCC,IAAI,CAAC,IAAAC,eAAS,EAAC,GAAG,CAAC,CAAC,CACpBD,IAAI,CAAEE,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBH,IAAI,CAAEF,IAAI,IAAKM,oBAAa,CAACC,SAAS,CAACP,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACY,OAAO,EAAE;IACrB,MAAM,IAAIC,wBAAgB,CAACb,QAAQ,CAACc,KAAK,CAACC,OAAO,CAAC;EACpD;EAEA,OAAO;IAAEC,WAAW,EAAEhB,QAAQ,CAACiB,IAAI;IAAEtC;EAAuB,CAAC;AAC/D,CAAC;AAACuC,OAAA,CAAAlE,eAAA,GAAAA,eAAA"}