@pagopa/io-react-native-wallet 0.12.0 → 0.13.1

package/src/credential/issuance/06-obtain-credential.ts

@@ -1,161 +1,127 @@
-import * as z from "zod";
-import uuid from "react-native-uuid";
 import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
-import { createDPopToken } from "../../utils/dpop";
-
-import type { StartFlow } from "./01-start-flow";
-import { hasStatus, type Out } from "../../utils/misc";
-import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import type { AuthorizeAccess } from "./05-authorize-access";
-import { SupportedCredentialFormat } from "./const";
+import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import { hasStatus, type Out } from "../../utils/misc";
+import type { StartUserAuthorization } from "./03-start-user-authorization";
+import { ValidationFailed } from "../../utils/errors";
+import { CredentialResponse } from "./types";
+
+export type ObtainCredential = (
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  accessToken: Out<AuthorizeAccess>["accessToken"],
+  clientId: Out<StartUserAuthorization>["clientId"],
+  credentialDefinition: Out<StartUserAuthorization>["credentialDefinition"],
+  tokenRequestSignedDPop: Out<AuthorizeAccess>["tokenRequestSignedDPop"],
+  context: {
+    credentialCryptoContext: CryptoContext;
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<CredentialResponse>;
 
-/**
- * Return the signed jwt for nonce proof of possession
- */
 export const createNonceProof = async (
   nonce: string,
   issuer: string,
   audience: string,
   ctx: CryptoContext
 ): Promise<string> => {
+  const jwk = await ctx.getPublicKey();
   return new SignJWT(ctx)
     .setPayload({
       nonce,
-      jwk: await ctx.getPublicKey(),
     })
     .setProtectedHeader({
-      type: "openid4vci-proof+jwt",
+      typ: "openid4vci-proof+jwt",
+      jwk,
     })
     .setAudience(audience)
     .setIssuer(issuer)
     .setIssuedAt()
-    .setExpirationTime("1h")
+    .setExpirationTime("5min")
     .sign();
 };
 
-const CredentialEndpointResponse = z.object({
-  credential: z.string(),
-  format: SupportedCredentialFormat,
-  // nonce used to perform multiple credential requests
-  // re-using the same authorization profile
-  c_nonce: z.string(),
-  c_nonce_expires_in: z.number(),
-});
-
-export type ObtainCredential = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
-  accessToken: Out<AuthorizeAccess>["accessToken"],
-  nonce: Out<AuthorizeAccess>["nonce"],
-  clientId: Out<AuthorizeAccess>["clientId"],
-  credentialType: Out<StartFlow>["credentialType"],
-  credentialFormat: SupportedCredentialFormat,
-  context: {
-    credentialCryptoContext: CryptoContext;
-    walletProviderBaseUrl: string;
-    appFetch?: GlobalFetch["fetch"];
-  }
-) => Promise<{
-  credential: string;
-  format: SupportedCredentialFormat;
-  nonce: string;
-}>;
-
-// Checks whether in the Entity confoguration at least one credential
-// is defined for the given type and format
-const isCredentialAvailable = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
-  credentialType: Out<StartFlow>["credentialType"],
-  credentialFormat: SupportedCredentialFormat
-): boolean =>
-  issuerConf.openid_credential_issuer.credentials_supported.some(
-    (c) =>
-      c.format === credentialFormat &&
-      c.credential_definition.type.includes(credentialType)
-  );
-
 /**
- * Fetch a credential from the issuer
- *
- * @param issuerConf The Issuer configuration
- * @param accessToken The access token to grant access to the credential, obtained with the access authorization step
- * @param nonce The nonce value to prevent reply attacks, obtained with the access authorization step
- * @param clientId Identifies the current client across all the requests of the issuing flow
- * @param credentialType The type of the credential to be requested
- * @param credentialFormat The format of the requested credential. @see {SupportedCredentialFormat}
- * @param context.credentialCryptoContext The context to access the key the Credential will be bound to
- * @param context.walletProviderBaseUrl The base url of the Wallet Provider
+ * Obtains the credential from the issuer.
+ * The key pair of the credentialCryptoContext is used for Openid4vci proof JWT to be presented with the Access Token and the DPoP Proof JWT at the Credential Endpoint
+ * of the Credential Issuer to request the issuance of a credential linked to the public key contained in the JWT proof.
+ * The Openid4vci proof JWT incapsulates the nonce extracted from the token response from the {@link authorizeAccess} step.
+ * The credential request is sent to the Credential Endpoint of the Credential Issuer via HTTP POST with the type of the credential, its format, the access token and the JWT proof.
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param accessToken The access token response returned by {@link authorizeAccess}
+ * @param clientId The client id returned by {@link startUserAuthorization}
+ * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link startUserAuthorization}
+ * @param tokenRequestSignedDPop The DPoP signed token request returned by {@link authorizeAccess}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
- * @returns The signed credential token
+ * @returns The credential response containing the credential
  */
 export const obtainCredential: ObtainCredential = async (
   issuerConf,
   accessToken,
-  nonce,
   clientId,
-  credentialType,
-  credentialFormat,
+  credentialDefinition,
+  tokenRequestSignedDPop,
   context
 ) => {
-  const {
-    credentialCryptoContext,
-    walletProviderBaseUrl,
-    appFetch = fetch,
-  } = context;
-
-  if (!isCredentialAvailable(issuerConf, credentialType, credentialFormat)) {
-    throw new Error(
-      `The Issuer provides no credential for type ${credentialType} and format ${credentialFormat}`
-    );
-  }
+  const { credentialCryptoContext, appFetch = fetch } = context;
 
   const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
 
-  /** DPoP token for demonstating the possession
-      of the key that will bind the holder User with the Credential
-      @see https://datatracker.ietf.org/doc/html/rfc9449 */
-  const signedDPopForPid = await createDPopToken(
-    {
-      htm: "POST",
-      htu: credentialUrl,
-      jti: `${uuid.v4()}`,
-    },
-    credentialCryptoContext
-  );
-
-  /** JWT proof token to bind the request nonce
-      to the key that will bind the holder User with the Credential
-      @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types */
+  /**
+   * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
+   * This is presented along with the access token to the Credential Endpoint as proof of possession of the private key used to sign the Access Token.
+   * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
+   */
   const signedNonceProof = await createNonceProof(
-    nonce,
+    accessToken.c_nonce,
     clientId,
-    walletProviderBaseUrl,
+    credentialUrl,
     credentialCryptoContext
   );
 
+  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
+  const constainsCredentialDefinition = accessToken.authorization_details.some(
+    (c) =>
+      c.credential_configuration_id ===
+        credentialDefinition.credential_configuration_id &&
+      c.format === credentialDefinition.format &&
+      c.type === credentialDefinition.type
+  );
+
+  if (!constainsCredentialDefinition) {
+    throw new ValidationFailed(
+      "The access token response does not contain the requested credential"
+    );
+  }
+
   /** The credential request body */
-  const formBody = new URLSearchParams({
-    credential_definition: JSON.stringify({
-      type: [credentialType],
-    }),
-    format: credentialFormat,
-    proof: JSON.stringify({
+  const credentialRequestFormBody = {
+    credential_definition: {
+      type: [credentialDefinition.credential_configuration_id],
+    },
+    format: credentialDefinition.format,
+    proof: {
       jwt: signedNonceProof,
       proof_type: "jwt",
-    }),
-  });
+    },
+  };
 
-  const { credential, format, c_nonce } = await appFetch(credentialUrl, {
+  const credentialRes = await appFetch(credentialUrl, {
     method: "POST",
     headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      DPoP: signedDPopForPid,
-      Authorization: accessToken,
+      "Content-Type": "application/json",
+      DPoP: tokenRequestSignedDPop,
+      Authorization: `${accessToken.token_type} ${accessToken.access_token}`,
     },
-    body: formBody.toString(),
+    body: JSON.stringify(credentialRequestFormBody),
   })
     .then(hasStatus(200))
     .then((res) => res.json())
-    .then(CredentialEndpointResponse.parse);
+    .then((body) => CredentialResponse.safeParse(body));
+
+  if (!credentialRes.success) {
+    throw new ValidationFailed(credentialRes.error.message);
+  }
 
-  return { credential, format, nonce: c_nonce };
+  return credentialRes.data;
 };

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -1,11 +1,11 @@
 import type { Out } from "../../utils/misc";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
-import type { ObtainCredential } from "./06-obtain-credential";
 import { IoWalletError } from "../../utils/errors";
 import { SdJwt4VC } from "../../sd-jwt/types";
 import { verify as verifySdJwt } from "../../sd-jwt";
 import type { JWK } from "../../utils/jwk";
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
+import type { ObtainCredential } from "./06-obtain-credential";
 
 export type VerifyAndParseCredential = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -13,7 +13,6 @@ export type VerifyAndParseCredential = (
   format: Out<ObtainCredential>["format"],
   context: {
     credentialCryptoContext: CryptoContext;
-    ignoreMissingAttributes?: boolean;
   }
 ) => Promise<{ parsedCredential: ParsedCredential }>;
 
@@ -28,9 +27,8 @@ type ParsedCredential = Record<
           string /* locale */,
           string /* value */
         >
-      | /* if no i18n is provided */ string;
-    /** If in defined as mandatory by the Issuer */
-    mandatory: boolean;
+      | /* if no i18n is provided */ string
+      | undefined; // Add undefined as a possible value for the name property
     /** The actual value of the attribute */
     value: unknown;
   }
@@ -43,48 +41,34 @@ type DecodedSdJwtCredential = Out<typeof verifySdJwt> & {
 
 const parseCredentialSdJwt = (
   // the list of supported credentials, as defined in the issuer configuration
-  credentials_supported: Out<EvaluateIssuerTrust>["issuerConf"]["openid_credential_issuer"]["credentials_supported"],
-  { sdJwt, disclosures }: DecodedSdJwtCredential,
-  ignoreMissingAttributes: boolean = false
+  credentials_supported: Out<EvaluateIssuerTrust>["issuerConf"]["openid_credential_issuer"]["credential_configurations_supported"],
+  { sdJwt, disclosures }: DecodedSdJwtCredential
 ): ParsedCredential => {
-  // find the definition that matches the received credential's type
-  // warning: if more then a defintion is found, the first is retrieved
-  const credentialSubject = credentials_supported.find(
-    (c) =>
-      c.format === "vc+sd-jwt" &&
-      c.credential_definition.type.includes(sdJwt.payload.type)
-  )?.credential_definition.credentialSubject;
-
-  // the received credential matches no supported credential, throw an exception
+  const credentialSubject = credentials_supported[sdJwt.payload.vct];
+
   if (!credentialSubject) {
-    const expected = credentials_supported
-      .flatMap((_) => _.credential_definition.type)
-      .join(", ");
+    throw new IoWalletError("Credential type not supported by the issuer");
+  }
+
+  if (credentialSubject.format !== sdJwt.header.typ) {
     throw new IoWalletError(
-      `Received credential is of an unknwown type. Expected one of [${expected}], received '${sdJwt.payload.type}', `
+      `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}', `
     );
   }
 
   // transfrom a record { key: value } in an iterable of pairs [key, value]
-  const attrDefinitions = Object.entries(credentialSubject);
+  const attrDefinitions = Object.entries(credentialSubject.claims);
 
-  // every mandatory attribute must be present in the credential's disclosures
   // the key of the attribute defintion must match the disclosure's name
   const attrsNotInDisclosures = attrDefinitions.filter(
-    ([attrKey, { mandatory }]) =>
-      mandatory && !disclosures.some(([, name]) => name === attrKey)
+    ([attrKey]) => !disclosures.some(([, name]) => name === attrKey)
   );
   if (attrsNotInDisclosures.length > 0) {
     const missing = attrsNotInDisclosures.map((_) => _[0 /* key */]).join(", ");
     const received = disclosures.map((_) => _[1 /* name */]).join(", ");
-    // the rationale of this condition is that we may want to be permissive
-    // on incomplete credentials in the test phase of the project.
-    // we might want to be strict once in production, hence remove this condition
-    if (!ignoreMissingAttributes) {
-      throw new IoWalletError(
-        `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
-      );
-    }
+    throw new IoWalletError(
+      `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
+    );
   }
 
   // attributes that are defined in the issuer configuration
@@ -126,7 +110,7 @@ const parseCredentialSdJwt = (
   const undefinedValues = Object.fromEntries(
     disclosures
       .filter((_) => !Object.keys(definedValues).includes(_[1]))
-      .map(([, key, value]) => [key, { value, mandatory: false, name: key }])
+      .map(([, key, value]) => [key, { value, name: key }])
   );
 
   return {
@@ -185,7 +169,7 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
   issuerConf,
   credential,
   _,
-  { credentialCryptoContext, ignoreMissingAttributes }
+  { credentialCryptoContext }
 ) => {
   const decoded = await verifyCredentialSdJwt(
     credential,
@@ -194,36 +178,23 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
   );
 
   const parsedCredential = parseCredentialSdJwt(
-    issuerConf.openid_credential_issuer.credentials_supported,
-    decoded,
-    ignoreMissingAttributes
+    issuerConf.openid_credential_issuer.credential_configurations_supported,
+    decoded
   );
 
   return { parsedCredential };
 };
 
-const verifyAndParseCredentialMdoc: WithFormat<"vc+mdoc-cbor"> = async (
-  _issuerConf,
-  _credential,
-  _,
-  _ctx
-) => {
-  // TODO: [SIW-686] decode MDOC credentials
-  throw new Error("verifyAndParseCredentialMdoc not implemented yet");
-};
-
 /**
- * Verify and parse an encoded credential
- *
- * @param issuerConf The Issuer configuration
- * @param credential The encoded credential
- * @param format The format of the credentual
- * @param context.credentialCryptoContext The context to access the key the Credential will be bound to
- * @param context.ignoreMissingAttributes (optional) Whether to fail if a defined attribute is note present in the credentual. Default: false
+ * Verify and parse an encoded credential.
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param credential The encoded credential returned by {@link obtainCredential}
+ * @param format The format of the credentual returned by {@link obtainCredential}
+ * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
  * @returns A parsed credential with attributes in plain value
- * @throws If the credential signature is not verified with the Issuer key set
- * @throws If the credential is not bound to the provided user key
- * @throws If the credential data fail to parse
+ * @throws {IoWalletError} If the credential signature is not verified with the Issuer key set
+ * @throws {IoWalletError} If the credential is not bound to the provided user key
+ * @throws {IoWalletError} If the credential data fail to parse
  */
 export const verifyAndParseCredential: VerifyAndParseCredential = async (
   issuerConf,
@@ -238,15 +209,7 @@ export const verifyAndParseCredential: VerifyAndParseCredential = async (
       format,
       context
     );
-  } else if (format === "vc+mdoc-cbor") {
-    return verifyAndParseCredentialMdoc(
-      issuerConf,
-      credential,
-      format,
-      context
-    );
   }
 
-  const _: never = format;
-  throw new IoWalletError(`Unsupported credential format: ${_}`);
+  throw new IoWalletError(`Unsupported credential format: ${format}`);
 };

package/src/credential/issuance/index.ts

@@ -7,7 +7,10 @@ import {
   startUserAuthorization,
   type StartUserAuthorization,
 } from "./03-start-user-authorization";
-import { type CompleteUserAuthorization } from "./04-complete-user-authorization";
+import {
+  completeUserAuthorizationWithQueryMode,
+  type CompleteUserAuthorizationWithQueryMode,
+} from "./04-complete-user-authorization";
 import { authorizeAccess, type AuthorizeAccess } from "./05-authorize-access";
 import {
   obtainCredential,
@@ -17,11 +20,11 @@ import {
   verifyAndParseCredential,
   type VerifyAndParseCredential,
 } from "./07-verify-and-parse-credential";
-import type { ConfirmCredential } from "./08-confirm-credential";
 
 export {
   evaluateIssuerTrust,
   startUserAuthorization,
+  completeUserAuthorizationWithQueryMode,
   authorizeAccess,
   obtainCredential,
   verifyAndParseCredential,
@@ -30,9 +33,8 @@ export type {
   StartFlow,
   EvaluateIssuerTrust,
   StartUserAuthorization,
-  CompleteUserAuthorization,
+  CompleteUserAuthorizationWithQueryMode,
   AuthorizeAccess,
   ObtainCredential,
   VerifyAndParseCredential,
-  ConfirmCredential,
 };

package/src/credential/issuance/types.ts

@@ -0,0 +1,25 @@
+import { AuthorizationDetail } from "../../utils/par";
+import * as z from "zod";
+import { SupportedCredentialFormat } from "./const";
+
+export type TokenResponse = z.infer<typeof TokenResponse>;
+
+export const TokenResponse = z.object({
+  access_token: z.string(),
+  authorization_details: z.array(AuthorizationDetail),
+  c_nonce: z.string(),
+  c_nonce_expires_in: z.number(),
+  expires_in: z.number(),
+  token_type: z.string(),
+});
+
+export type CredentialResponse = z.infer<typeof CredentialResponse>;
+
+export const CredentialResponse = z.object({
+  c_nonce: z.string(),
+  c_nonce_expires_in: z.number(),
+  credential: z.string(),
+  format: SupportedCredentialFormat,
+});
+
+export type ResponseMode = "query" | "form_post.jwt";

package/src/index.ts

@@ -1,3 +1,4 @@
+import type { AuthorizationContext } from "./utils/auth";
 import { fixBase64EncodingOnKey } from "./utils/jwk";
 // polyfill due to known bugs on URL implementation for react native
 // https://github.com/facebook/react-native/issues/24428
@@ -28,4 +29,4 @@ export {
   fixBase64EncodingOnKey,
 };
 
-export type { IntegrityContext };
+export type { IntegrityContext, AuthorizationContext };

package/src/pid/sd-jwt/converters.ts

@@ -3,24 +3,18 @@ import type { Disclosure, SdJwt4VC } from "../../sd-jwt/types";
 import { PID } from "./types";
 
 export function pidFromToken(sdJwt: SdJwt4VC, disclosures: Disclosure[]): PID {
+  const placeOfBirth = getValueFromDisclosures(disclosures, "place_of_birth");
   return PID.parse({
     issuer: sdJwt.payload.iss,
-    issuedAt: new Date(sdJwt.payload.iat * 1000),
+    issuedAt: new Date(getValueFromDisclosures(disclosures, "iat") * 1000),
     expiration: new Date(sdJwt.payload.exp * 1000),
-    verification: {
-      trustFramework:
-        sdJwt.payload.verified_claims.verification.trust_framework,
-      assuranceLevel:
-        sdJwt.payload.verified_claims.verification.assurance_level,
-      evidence: getValueFromDisclosures(disclosures, "evidence"),
-    },
     claims: {
       uniqueId: getValueFromDisclosures(disclosures, "unique_id"),
       givenName: getValueFromDisclosures(disclosures, "given_name"),
       familyName: getValueFromDisclosures(disclosures, "family_name"),
-      birthdate: getValueFromDisclosures(disclosures, "birthdate"),
-      placeOfBirth: getValueFromDisclosures(disclosures, "place_of_birth"),
-      taxIdCode: getValueFromDisclosures(disclosures, "tax_id_number"),
+      birthDate: getValueFromDisclosures(disclosures, "birth_date"),
+      ...(placeOfBirth && placeOfBirth),
+      taxIdCode: getValueFromDisclosures(disclosures, "tax_id_code"),
     },
   });
 }

package/src/pid/sd-jwt/types.ts

@@ -29,16 +29,18 @@ export const PID = z.object({
   issuer: z.string(),
   issuedAt: z.date(),
   expiration: z.date(),
-  verification: Verification,
+  verification: Verification.optional(),
   claims: z.object({
     uniqueId: z.string(),
     givenName: z.string(),
     familyName: z.string(),
-    birthdate: z.string(),
-    placeOfBirth: z.object({
-      country: z.string(),
-      locality: z.string(),
-    }),
+    birthDate: z.string(),
+    placeOfBirth: z
+      .object({
+        country: z.string(),
+        locality: z.string(),
+      })
+      .optional(),
     taxIdCode: z.string(),
   }),
 });

package/src/sd-jwt/__test__/converters.test.ts

@@ -3,7 +3,7 @@ import { Disclosure } from "../types";
 
 const disclosures: Disclosure[] = [
   ["6w1_soRXFgaHKfpYn3cvfQ", "given_name", "Mario"],
-  ["fuNp97Hf3wV6y48y-QZhIg", "birthdate", "1980-10-01"],
+  ["fuNp97Hf3wV6y48y-QZhIg", "birth_date", "1980-10-01"],
   [
     "p-9LzyWHZBVDvhXDWkN2xA",
     "place_of_birth",