@pagopa/io-react-native-wallet 0.28.2 → 0.29.0

package/src/credential/issuance/04-complete-user-authorization.ts

@@ -19,6 +19,7 @@ import { v4 as uuidv4 } from "uuid";
 import { ResponseUriResultShape } from "./types";
 import { getJwtFromFormPost } from "../../utils/decoder";
 import { AuthorizationError, AuthorizationIdpError } from "./errors";
+import { LogLevel, Logger } from "../../utils/logging";
 
 /**
  * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
@@ -95,6 +96,10 @@ export const buildAuthorizationUrl: BuildAuthorizationUrl = async (
  */
 export const completeUserAuthorizationWithQueryMode: CompleteUserAuthorizationWithQueryMode =
   async (authRedirectUrl) => {
+    Logger.log(
+      LogLevel.DEBUG,
+      `The requeste credential is a PersonIdentificationData, completing the user authorization with query mode`
+    );
     const query = parseUrl(authRedirectUrl).query;
 
     return parseAuthorizationResponse(query);
@@ -114,6 +119,10 @@ export const completeUserAuthorizationWithQueryMode: CompleteUserAuthorizationWi
  */
 export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePresented =
   async (issuerRequestUri, clientId, issuerConf, appFetch = fetch) => {
+    Logger.log(
+      LogLevel.DEBUG,
+      `The requeste credential is not a PersonIdentificationData, requesting the credential to be presented`
+    );
     const authzRequestEndpoint =
       issuerConf.oauth_authorization_server.authorization_endpoint;
     const params = new URLSearchParams({
@@ -121,6 +130,11 @@ export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePres
       request_uri: issuerRequestUri,
     });
 
+    Logger.log(
+      LogLevel.DEBUG,
+      `Requesting the request object to ${authzRequestEndpoint}?${params.toString()}`
+    );
+
     const requestObject = await appFetch(
       `${authzRequestEndpoint}?${params.toString()}`,
       { method: "GET" }
@@ -131,6 +145,10 @@ export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePres
       .then((reqObj) => RequestObject.safeParse(reqObj.payload));
 
     if (!requestObject.success) {
+      Logger.log(
+        LogLevel.ERROR,
+        `Error while validating the response object: ${requestObject.error.message}`
+      );
       throw new ValidationFailed({
         message: "Request Object validation failed",
         reason: requestObject.error.message,
@@ -157,6 +175,11 @@ export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePres
  */
 export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthorizationWithFormPostJwtMode =
   async (requestObject, ctx) => {
+    Logger.log(
+      LogLevel.DEBUG,
+      `The requeste credential is not a PersonIdentificationData, completing the user authorization with form_post.jwt mode`
+    );
+
     const {
       wiaCryptoContext,
       pidCryptoContext,
@@ -195,6 +218,11 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
       .setAudience(requestObject.response_uri)
       .sign();
 
+    Logger.log(
+      LogLevel.DEBUG,
+      `Wallet instance attestation JWT token: ${wiaWpToken}`
+    );
+
     /* The path parameter refers to the vp_token variable of the authzResponsePayload and must point to the plain credential which
      * is cointaned in the `vp` property of the signed jwt token payload
      */
@@ -215,6 +243,11 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
       ],
     };
 
+    Logger.log(
+      LogLevel.DEBUG,
+      `Presentation submission: ${JSON.stringify(presentationSubmission)}`
+    );
+
     const authzResponsePayload = encodeBase64(
       JSON.stringify({
         state: requestObject.state,
@@ -223,6 +256,11 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
       })
     );
 
+    Logger.log(
+      LogLevel.DEBUG,
+      `Authz response payload: ${authzResponsePayload}`
+    );
+
     // Note: according to the spec, the response should be encrypted with the public key of the RP however this is not implemented yet
     // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-response
     // const rsaPublicJwk = chooseRSAPublicKeyToEncrypt(rpConf);
@@ -235,6 +273,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
     const body = new URLSearchParams({
       response: authzResponsePayload,
     }).toString();
+
     const resUriRes = await appFetch(requestObject.response_uri, {
       method: "POST",
       headers: {
@@ -247,6 +286,10 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
 
     const responseUri = ResponseUriResultShape.safeParse(resUriRes);
     if (!responseUri.success) {
+      Logger.log(
+        LogLevel.ERROR,
+        `Error while validating the response uri: ${responseUri.error.message}`
+      );
       throw new ValidationFailed({
         message: "Response Uri validation failed",
         reason: responseUri.error.message,
@@ -274,8 +317,16 @@ export const parseAuthorizationResponse = (
   if (!authResParsed.success) {
     const authErr = AuthorizationErrorShape.safeParse(authRes);
     if (!authErr.success) {
+      Logger.log(
+        LogLevel.ERROR,
+        `Error while parsing the authorization response: ${authResParsed.error.message}`
+      );
       throw new AuthorizationError(authResParsed.error.message); // an error occured while parsing the result and the error
     }
+    Logger.log(
+      LogLevel.ERROR,
+      `Error while authorizating with the idp: ${JSON.stringify(authErr)}`
+    );
     throw new AuthorizationIdpError(
       authErr.data.error,
       authErr.data.error_description

package/src/credential/issuance/05-authorize-access.ts

@@ -10,6 +10,7 @@ import { ASSERTION_TYPE } from "./const";
 import { TokenResponse } from "./types";
 import { IssuerResponseError, ValidationFailed } from "../../utils/errors";
 import type { CompleteUserAuthorizationWithQueryMode } from "./04-complete-user-authorization";
+import { LogLevel, Logger } from "../../utils/logging";
 
 export type AuthorizeAccess = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -76,6 +77,8 @@ export const authorizeAccess: AuthorizeAccess = async (
     dPopCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
+
   const signedWiaPoP = await createPopToken(
     {
       jti: `${uuidv4()}`,
@@ -85,6 +88,8 @@ export const authorizeAccess: AuthorizeAccess = async (
     wiaCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `WIA DPoP token: ${signedWiaPoP}`);
+
   const requestBody = {
     grant_type: "authorization_code",
     client_id: clientId,
@@ -96,6 +101,12 @@ export const authorizeAccess: AuthorizeAccess = async (
   };
 
   const authorizationRequestFormBody = new URLSearchParams(requestBody);
+
+  Logger.log(
+    LogLevel.DEBUG,
+    `Auth form request body: ${authorizationRequestFormBody}`
+  );
+
   const tokenRes = await appFetch(tokenUrl, {
     method: "POST",
     headers: {
@@ -109,6 +120,11 @@ export const authorizeAccess: AuthorizeAccess = async (
     .then((body) => TokenResponse.safeParse(body));
 
   if (!tokenRes.success) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Token Response validation failed: ${tokenRes.error.message}`
+    );
+
     throw new ValidationFailed({
       message: "Token Response validation failed",
       reason: tokenRes.error.message,

package/src/credential/issuance/06-obtain-credential.ts

@@ -17,6 +17,7 @@ import {
 import { CredentialResponse } from "./types";
 import { createDPopToken } from "../../utils/dpop";
 import { v4 as uuidv4 } from "uuid";
+import { LogLevel, Logger } from "../../utils/logging";
 
 export type ObtainCredential = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -27,7 +28,8 @@ export type ObtainCredential = (
     dPopCryptoContext: CryptoContext;
     credentialCryptoContext: CryptoContext;
     appFetch?: GlobalFetch["fetch"];
-  }
+  },
+  operationType?: "reissuing"
 ) => Promise<CredentialResponse>;
 
 export const createNonceProof = async (
@@ -73,7 +75,8 @@ export const obtainCredential: ObtainCredential = async (
   accessToken,
   clientId,
   credentialDefinition,
-  context
+  context,
+  operationType
 ) => {
   const {
     credentialCryptoContext,
@@ -95,6 +98,8 @@ export const obtainCredential: ObtainCredential = async (
     credentialCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `Signed nonce proof: ${signedNonceProof}`);
+
   // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
   const containsCredentialDefinition = accessToken.authorization_details.some(
     (c) =>
@@ -105,6 +110,10 @@ export const obtainCredential: ObtainCredential = async (
   );
 
   if (!containsCredentialDefinition) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential definition not found in the access token response ${accessToken.authorization_details}`
+    );
     throw new ValidationFailed({
       message:
         "The access token response does not contain the requested credential",
@@ -123,6 +132,11 @@ export const obtainCredential: ObtainCredential = async (
     },
   };
 
+  Logger.log(
+    LogLevel.DEBUG,
+    `Credential request body: ${JSON.stringify(credentialRequestFormBody)}`
+  );
+
   const tokenRequestSignedDPop = await createDPopToken(
     {
       htm: "POST",
@@ -132,12 +146,16 @@ export const obtainCredential: ObtainCredential = async (
     },
     dPopCryptoContext
   );
+
+  Logger.log(LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
+
   const credentialRes = await appFetch(credentialUrl, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
       DPoP: tokenRequestSignedDPop,
       Authorization: `${accessToken.token_type} ${accessToken.access_token}`,
+      ...(operationType === "reissuing" && { operationType }),
     },
     body: JSON.stringify(credentialRequestFormBody),
   })
@@ -147,12 +165,21 @@ export const obtainCredential: ObtainCredential = async (
     .catch(handleObtainCredentialError);
 
   if (!credentialRes.success) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential Response validation failed: ${credentialRes.error.message}`
+    );
     throw new ValidationFailed({
       message: "Credential Response validation failed",
       reason: credentialRes.error.message,
     });
   }
 
+  Logger.log(
+    LogLevel.DEBUG,
+    `Credential Response: ${JSON.stringify(credentialRes.data)}`
+  );
+
   return credentialRes.data;
 };
 
@@ -163,6 +190,8 @@ export const obtainCredential: ObtainCredential = async (
  * @throws {IssuerResponseError} with a specific code for more context
  */
 const handleObtainCredentialError = (e: unknown) => {
+  Logger.log(LogLevel.ERROR, `Error occurred while obtaining credential: ${e}`);
+
   if (!(e instanceof UnexpectedStatusCodeError)) {
     throw e;
   }

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -7,6 +7,7 @@ import { verify as verifySdJwt } from "../../sd-jwt";
 import { getValueFromDisclosures } from "../../sd-jwt/converters";
 import type { JWK } from "../../utils/jwk";
 import type { ObtainCredential } from "./06-obtain-credential";
+import { LogLevel, Logger } from "../../utils/logging";
 
 export type VerifyAndParseCredential = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
@@ -62,10 +63,18 @@ const parseCredentialSdJwt = (
   const credentialSubject = credentials_supported[sdJwt.payload.vct];
 
   if (!credentialSubject) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential type not supported by the issuer: ${sdJwt.payload.vct}`
+    );
     throw new IoWalletError("Credential type not supported by the issuer");
   }
 
   if (credentialSubject.format !== sdJwt.header.typ) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}'`
+    );
     throw new IoWalletError(
       `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}', `
     );
@@ -73,6 +82,7 @@ const parseCredentialSdJwt = (
 
   // transfrom a record { key: value } in an iterable of pairs [key, value]
   if (!credentialSubject.claims) {
+    Logger.log(LogLevel.ERROR, "Missing claims in the credential subject");
     throw new IoWalletError("Missing claims in the credential subject"); // TODO [SIW-1268]: should not be optional
   }
   const attrDefinitions = Object.entries(credentialSubject.claims);
@@ -85,6 +95,10 @@ const parseCredentialSdJwt = (
     const missing = attrsNotInDisclosures.map((_) => _[0 /* key */]).join(", ");
     const received = disclosures.map((_) => _[1 /* name */]).join(", ");
     if (!ignoreMissingAttributes) {
+      Logger.log(
+        LogLevel.ERROR,
+        `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
+      );
       throw new IoWalletError(
         `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
       );
@@ -172,6 +186,10 @@ async function verifyCredentialSdJwt(
   const { cnf } = decodedCredential.sdJwt.payload;
 
   if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`
+    );
     throw new IoWalletError(
       `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`
     );
@@ -204,15 +222,21 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
     credentialCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `Decoded credential: ${JSON.stringify(decoded)}`);
+
   const parsedCredential = parseCredentialSdJwt(
     issuerConf.openid_credential_issuer.credential_configurations_supported,
     decoded,
     ignoreMissingAttributes,
     includeUndefinedAttributes
   );
-
   const maybeIssuedAt = getValueFromDisclosures(decoded.disclosures, "iat");
 
+  Logger.log(
+    LogLevel.DEBUG,
+    `Parsed credential: ${JSON.stringify(parsedCredential)}\nIssued at: ${maybeIssuedAt}`
+  );
+
   return {
     parsedCredential,
     expiration: new Date(decoded.sdJwt.payload.exp * 1000),
@@ -243,6 +267,7 @@ export const verifyAndParseCredential: VerifyAndParseCredential = async (
   context
 ) => {
   if (format === "vc+sd-jwt") {
+    Logger.log(LogLevel.DEBUG, "Parsing credential in vc+sd-jwt format");
     return verifyAndParseCredentialSdJwt(
       issuerConf,
       credential,
@@ -251,5 +276,6 @@ export const verifyAndParseCredential: VerifyAndParseCredential = async (
     );
   }
 
+  Logger.log(LogLevel.ERROR, `Unsupported credential format: ${format}`);
   throw new IoWalletError(`Unsupported credential format: ${format}`);
 };

package/src/credential/presentation/01-start-flow.ts

@@ -2,9 +2,9 @@ import * as z from "zod";
 import { InvalidQRCodeError } from "./errors";
 
 const PresentationParams = z.object({
-  clientId: z.string().nonempty(),
-  requestUri: z.string().url(),
-  requestUriMethod: z.enum(["get", "post"]),
+  client_id: z.string().nonempty(),
+  request_uri: z.string().url(),
+  request_uri_method: z.enum(["get", "post"]),
   state: z.string().optional(),
 });
 export type PresentationParams = z.infer<typeof PresentationParams>;
@@ -13,24 +13,25 @@ export type PresentationParams = z.infer<typeof PresentationParams>;
  * The beginning of the presentation flow.
  * To be implemented accordind to the user touchpoint
  *
- * @param params Presentation parameters, depending on the starting touchoint
+ * @param params Presentation parameters, depending on the starting touchpoint
  * @returns The url for the Relying Party to connect with
  */
-export type StartFlow = (
-  params: Partial<PresentationParams>
-) => PresentationParams;
+export type StartFlow = (params: {
+  [K in keyof PresentationParams]?: PresentationParams[K] | null;
+}) => PresentationParams;
 
 /**
- * Start a presentation flow by decoding an incoming QR-code
+ * Start a presentation flow by validating the required parameters.
+ * Parameters are extracted from a url encoded in a QR code or in a deep link.
  *
- * @param params The encoded QR-code content
+ * @param params The parameters to be validated
  * @returns The url for the Relying Party to connect with
- * @throws If the provided qr code fails to be decoded
+ * @throws If the provided parameters are not valid
  */
 export const startFlowFromQR: StartFlow = (params) => {
   const result = PresentationParams.safeParse({
     ...params,
-    requestUriMethod: params.requestUriMethod ?? "get",
+    request_uri_method: params.request_uri_method ?? "get",
   });
 
   if (result.success) {

package/src/credential/presentation/03-get-request-object.ts

@@ -1,9 +1,8 @@
-import { hasStatusOrThrow, type Out } from "../../utils/misc";
-import type { StartFlow } from "./01-start-flow";
+import { hasStatusOrThrow } from "../../utils/misc";
 import { RequestObjectWalletCapabilities } from "./types";
 
 export type GetRequestObject = (
-  requestUri: Out<StartFlow>["requestUri"],
+  requestUri: string,
   context?: {
     appFetch?: GlobalFetch["fetch"];
     walletCapabilities?: RequestObjectWalletCapabilities;

package/src/credential/presentation/07-evaluate-dcql-query.ts

@@ -10,6 +10,7 @@ import type { Disclosure } from "../../sd-jwt/types";
 import { ValidationFailed } from "../../utils/errors";
 import { createCryptoContextFor } from "../../utils/crypto";
 import type { RemotePresentation } from "./types";
+import { CredentialsNotFoundError, type NotFoundDetail } from "./errors";
 
 /**
  * The purpose for the credential request by the RP.
@@ -47,6 +48,11 @@ type DcqlMatchSuccess = Extract<
   { success: true }
 >;
 
+type DcqlMatchFailure = Extract<
+  DcqlQueryResult.CredentialMatch,
+  { success: false }
+>;
+
 /**
  * Convert a credential in JWT format to an object with claims
  * for correct parsing by the `dcql` library.
@@ -81,6 +87,32 @@ const getDcqlQueryMatches = (result: DcqlQueryResult) =>
     ([, match]) => match.success === true
   ) as [string, DcqlMatchSuccess][];
 
+/**
+ * Extract only failed matches from the DCQL query result.
+ */
+const getDcqlQueryFailedMatches = (result: DcqlQueryResult) =>
+  Object.entries(result.credential_matches).filter(
+    ([, match]) => match.success === false
+  ) as [string, DcqlMatchFailure][];
+
+/**
+ * Extract missing credentials from the DCQL query result.
+ * Note: here we are assuming a failed match is a missing credential,
+ * but there might be other reasons for its failure.
+ */
+const extractMissingCredentials = (
+  queryResult: DcqlQueryResult,
+  originalQuery: DcqlQuery
+): NotFoundDetail[] => {
+  return getDcqlQueryFailedMatches(queryResult).map(([id]) => {
+    const credential = originalQuery.credentials.find((c) => c.id === id);
+    if (credential?.format !== "vc+sd-jwt") {
+      throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
+    }
+    return { id, vctValues: credential.meta?.vct_values };
+  });
+};
+
 export const evaluateDcqlQuery: EvaluateDcqlQuery = (
   credentialsSdJwt,
   query
@@ -97,8 +129,11 @@ export const evaluateDcqlQuery: EvaluateDcqlQuery = (
     const queryResult = DcqlQuery.query(parsedQuery, credentials);
 
     if (!queryResult.canBeSatisfied) {
-      throw new Error("No credential can satisfy the provided DCQL query");
+      throw new CredentialsNotFoundError(
+        extractMissingCredentials(queryResult, parsedQuery)
+      );
     }
+
     // Build an object vct:credentialJwt to map matched credentials to their JWT
     const credentialsSdJwtByVct = credentials.reduce(
       (acc, c, i) => ({ ...acc, [c.vct]: credentialsSdJwt[i]! }),

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -3,7 +3,7 @@ import { SdJwt4VC, type DisclosureWithEncoded } from "../../sd-jwt/types";
 import { decode, prepareVpToken } from "../../sd-jwt";
 import { createCryptoContextFor } from "../../utils/crypto";
 import { JSONPath } from "jsonpath-plus";
-import { CredentialNotFoundError, MissingDataError } from "./errors";
+import { CredentialsNotFoundError, MissingDataError } from "./errors";
 import Ajv from "ajv";
 
 const ajv = new Ajv({ allErrors: true });
@@ -291,9 +291,12 @@ export const findCredentialSdJwt = (
     }
   }
 
-  throw new CredentialNotFoundError(
-    "None of the vc+sd-jwt credentials satisfy the requirements."
-  );
+  throw new CredentialsNotFoundError([
+    {
+      id: "",
+      reason: "None of the vc+sd-jwt credentials satisfy the requirements.",
+    },
+  ]);
 };
 
 /**
@@ -325,9 +328,12 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
     inputDescriptors.map(async (descriptor) => {
       if (descriptor.format?.["vc+sd-jwt"]) {
         if (!decodedSdJwtCredentials.length) {
-          throw new CredentialNotFoundError(
-            "vc+sd-jwt credential is not supported."
-          );
+          throw new CredentialsNotFoundError([
+            {
+              id: descriptor.id,
+              reason: "vc+sd-jwt credential is not supported.",
+            },
+          ]);
         }
 
         const { matchedEvaluation, matchedKeyTag, matchedCredential } =
@@ -341,9 +347,12 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
         };
       }
 
-      throw new CredentialNotFoundError(
-        `${descriptor.format} format is not supported.`
-      );
+      throw new CredentialsNotFoundError([
+        {
+          id: descriptor.id,
+          reason: `${descriptor.format} format is not supported.`,
+        },
+      ]);
     })
   );
 };
@@ -385,9 +394,12 @@ export const prepareLegacyRemotePresentations: PrepareLegacyRemotePresentations
           };
         }
 
-        throw new CredentialNotFoundError(
-          `${descriptor.format} format is not supported.`
-        );
+        throw new CredentialsNotFoundError([
+          {
+            id: descriptor.id,
+            reason: `${descriptor.format} format is not supported.`,
+          },
+        ]);
       })
     );
   };

package/src/credential/presentation/README.md

@@ -15,12 +15,20 @@ sequenceDiagram
   O->>+I: QR-CODE: Authorization Request (`request_uri`)
   I->>+O: GET: Verifier's Entity Configuration
   O->>+I: Respond with metadata (including public keys)
-  I->>+O: GET: Request Object, resolved from the `request_uri`
+  I->>+O: GET: Request Object, resolved from `request_uri`
   O->>+I: Respond with the Request Object
-  I->>+O: POST: VP token encrypted response
-  O->>+I: Redirect: Authorization Response
+  I->>+I: Validate Request Object and give consent
+  I->>+O: POST: Authorization Response with encrypted VP token
+  O->>+I: Respond with optional `redirect_uri`
 ```
 
+## Mapped results
+
+|Error|Description|
+|-----|-----------|
+|`ValidationFailed`|The presentation request is not valid, for instance the DCQL query is invalid.|
+|`CredentialsNotFoundError`|The presentation cannot be completed because the Wallet does not contain all requested credentials. The missing credentials can be found in `details`.|
+
 
 ## Examples
 
@@ -35,23 +43,23 @@ const qrCodeParams = decodeQrCode(qrCode)
 
 // Start the issuance flow
 const {
-  requestUri,
-  clientId,
-  requestUriMethod,
+  request_uri,
+  client_id,
+  request_uri_method,
   state
 } = Credential.Presentation.startFlowFromQR(qrCodeParams);
 
 // Get the Relying Party's Entity Configuration and evaluate trust
-const { rpConf } = await Credential.Presentation.evaluateRelyingPartyTrust(clientId);
+const { rpConf } = await Credential.Presentation.evaluateRelyingPartyTrust(client_id);
 
 // Get the Request Object from the RP
 const { requestObjectEncodedJwt } =
-  await Credential.Presentation.getRequestObject(requestUri);
+  await Credential.Presentation.getRequestObject(request_uri);
 
 // Validate the Request Object
 const { requestObject } = await Credential.Presentation.verifyRequestObject(
   requestObjectEncodedJwt,
-  { clientId, rpConf }
+  { clientId: client_id, rpConf }
 );
 
 // All the credentials that might be requested by the Relying Party

package/src/credential/presentation/errors.ts

@@ -88,18 +88,25 @@ export class MissingDataError extends IoWalletError {
   }
 }
 
+export type NotFoundDetail = {
+  id: string;
+  reason?: string;
+  vctValues?: string[];
+};
+
 /**
- * When a credential is not found in the wallet.
- *
+ * Error thrown when one or more credentials cannot be found in the wallet
+ * and the presentation request cannot be satisfied.
  */
-export class CredentialNotFoundError extends IoWalletError {
-  code = "ERR_CREDENTIAL_NOT_FOUND";
+export class CredentialsNotFoundError extends IoWalletError {
+  code = "ERR_CREDENTIALS_NOT_FOUND";
+  details: NotFoundDetail[];
 
   /**
-   * @param credentialId The ID of the credential that was not found.
+   * @param details The details of the credentials that could not be found.
    */
-  constructor(credentialId: string) {
-    const message = `Credential not found: ${credentialId}.`;
-    super(message);
+  constructor(details: NotFoundDetail[]) {
+    super("One or more credentials cannot be found in the wallet");
+    this.details = details;
   }
 }