@pagopa/io-react-native-wallet 1.0.0 → 1.1.1

package/src/credential/issuance/02-get-issuer-config.ts

@@ -0,0 +1,67 @@
+import type { StartFlow } from "./01-start-flow";
+import type { Out } from "../../utils/misc";
+import type { JWK } from "src/utils/jwk";
+import { getCredentialIssuerMetadata } from "../../entity/openid-connect/issuer";
+import type { CredentialConfigurationSupported } from "../../entity/openid-connect/issuer/types";
+
+export type GetIssuerConfig = (
+  issuerUrl: Out<StartFlow>["issuerUrl"],
+  context?: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<{ issuerConf: IssuerConfig }>;
+
+/**
+ * Common configuration for the issuer.
+ * This is needed to have a common configuration for the issuer to be used in our flows.
+ * It allows to support multiple issuers with different configurations, defining a common interface to interact with them.
+ */
+export type IssuerConfig = {
+  credential_configurations_supported: CredentialConfigurationSupported;
+  pushed_authorization_request_endpoint: string;
+  authorization_endpoint: string;
+  token_endpoint: string;
+  credential_endpoint: string;
+  keys: Array<JWK>;
+};
+
+/**
+ * WARNING: This function must be called after {@link startFlow}. The next function to be called is {@link startUserAuthorization}.
+ * Get the Issuer's configuration from the Issuer's metadata.
+ * Currently it only supports a mixed configuration based on OpenID Connect partial implementation.
+ * @param issuerUrl The base url of the Issuer returned by {@link startFlow}
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Issuer's configuration
+ */
+export const getIssuerConfig: GetIssuerConfig = async (
+  issuerUrl,
+  context = {}
+): ReturnType<GetIssuerConfig> => {
+  const res = await getCredentialIssuerMetadata(issuerUrl, {
+    appFetch: context.appFetch,
+  });
+
+  return credentialIssuerRationalization(res);
+};
+
+/**
+ * Rationalize the issuer's metadata to the issuer's configuration which is then used in our flows to interact with the issuer.
+ * @param issuerMetadata - The issuer's metadata
+ * @returns the isssuer configuration to be used later in our flows
+ */
+const credentialIssuerRationalization = (
+  issuerMetadata: Awaited<ReturnType<typeof getCredentialIssuerMetadata>>
+): Awaited<ReturnType<GetIssuerConfig>> => {
+  return {
+    issuerConf: {
+      credential_configurations_supported:
+        issuerMetadata.credential_configurations_supported,
+      pushed_authorization_request_endpoint:
+        issuerMetadata.pushed_authorization_request_endpoint,
+      authorization_endpoint: issuerMetadata.authorization_endpoint,
+      token_endpoint: issuerMetadata.token_endpoint,
+      credential_endpoint: issuerMetadata.credential_endpoint,
+      keys: issuerMetadata.jwks.keys,
+    },
+  };
+};

package/src/credential/issuance/03-start-user-authorization.ts

@@ -1,13 +1,12 @@
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { ResponseMode } from "./types";
 import { generateRandomAlphaNumericString, type Out } from "../../utils/misc";
-import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import type { StartFlow } from "./01-start-flow";
 import { AuthorizationDetail, makeParRequest } from "../../utils/par";
-import { ASSERTION_TYPE } from "./const";
+import type { GetIssuerConfig } from "./02-get-issuer-config";
 
 export type StartUserAuthorization = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  issuerConf: Out<GetIssuerConfig>["issuerConf"],
   credentialType: Out<StartFlow>["credentialType"],
   context: {
     wiaCryptoContext: CryptoContext;
@@ -25,7 +24,7 @@ export type StartUserAuthorization = (
 /**
  * Ensures that the credential type requested is supported by the issuer and contained in the
  * issuer configuration.
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
  * @param credentialType The type of the credential to be requested returned by {@link startFlow}
  * @param context.wiaCryptoContext The Wallet Instance's crypto context
  * @param context.walletInstanceAttestation The Wallet Instance's attestation
@@ -34,23 +33,24 @@ export type StartUserAuthorization = (
  * @returns The credential definition to be used in the request which includes the format and the type and its type
  */
 const selectCredentialDefinition = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  issuerConf: Out<GetIssuerConfig>["issuerConf"],
   credentialType: Out<StartFlow>["credentialType"]
 ): AuthorizationDetail => {
   const credential_configurations_supported =
-    issuerConf.openid_credential_issuer.credential_configurations_supported;
+    issuerConf.credential_configurations_supported;
 
-  const [result] = Object.keys(credential_configurations_supported)
-    .filter((e) => e.includes(credentialType))
-    .map((e) => ({
-      credential_configuration_id: credentialType,
-      format: credential_configurations_supported[e]!.format,
-      type: "openid_credential" as const,
-    }));
+  const credential = credential_configurations_supported[credentialType];
 
-  if (!result) {
+  if (!credential) {
     throw new Error(`No credential support the type '${credentialType}'`);
   }
+
+  const result = {
+    credential_configuration_id: credentialType,
+    format: credential.format,
+    type: "openid_credential" as const,
+  };
+
   return result;
 };
 
@@ -58,27 +58,21 @@ const selectCredentialDefinition = (
  * Ensures that the response mode requested is supported by the issuer and contained in the issuer configuration.
  * @param issuerConf The issuer configuration
  * @param credentialType The type of the credential to be requested
- * @returns The response mode to be used in the request, "query" for PersonIdentificationData and "form_post.jwt" for all other types.
+ * @returns The response mode to be used in the request, "query" for urn:eu.europa.ec.eudi:pid:1 and "form_post.jwt" for all other types.
  */
 const selectResponseMode = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
   credentialType: Out<StartFlow>["credentialType"]
 ): ResponseMode => {
-  const responseModeSupported =
-    issuerConf.oauth_authorization_server.response_modes_supported;
-
   const responseMode =
-    credentialType === "PersonIdentificationData" ? "query" : "form_post.jwt";
-
-  if (!responseModeSupported.includes(responseMode)) {
-    throw new Error(`No response mode support the type '${credentialType}'`);
-  }
+    credentialType === "urn:eu.europa.ec.eudi:pid:1"
+      ? "query"
+      : "form_post.jwt";
 
   return responseMode;
 };
 
 /**
- * WARNING: This function must be called after {@link evaluateIssuerTrust} and {@link startFlow}. The next steam is {@link compeUserAuthorizationWithQueryMode} or {@link compeUserAuthorizationWithFormPostJwtMode}
+ * WARNING: This function must be called after {@link getIssuerConfig} and {@link startFlow}. The next steam is {@link compeUserAuthorizationWithQueryMode} or {@link compeUserAuthorizationWithFormPostJwtMode}
  * Creates and sends a PAR request to the /as/par endpoint of the authorization server.
  * This starts the authentication flow to obtain an access token.
  * This token enables the Wallet Instance to request a digital credential from the Credential Endpoint of the Credential Issuer.
@@ -109,13 +103,12 @@ export const startUserAuthorization: StartUserAuthorization = async (
 
   const clientId = await wiaCryptoContext.getPublicKey().then((_) => _.kid);
   const codeVerifier = generateRandomAlphaNumericString(64);
-  const parEndpoint =
-    issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
+  const parEndpoint = issuerConf.pushed_authorization_request_endpoint;
   const credentialDefinition = selectCredentialDefinition(
     issuerConf,
     credentialType
   );
-  const responseMode = selectResponseMode(issuerConf, credentialType);
+  const responseMode = selectResponseMode(credentialType);
 
   const getPar = makeParRequest({ wiaCryptoContext, appFetch });
   const issuerRequestUri = await getPar(
@@ -125,8 +118,7 @@ export const startUserAuthorization: StartUserAuthorization = async (
     responseMode,
     parEndpoint,
     walletInstanceAttestation,
-    [credentialDefinition],
-    ASSERTION_TYPE
+    [credentialDefinition]
   );
 
   return { issuerRequestUri, clientId, codeVerifier, credentialDefinition };

package/src/credential/issuance/04-complete-user-authorization.ts

@@ -7,7 +7,7 @@ import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import type { StartUserAuthorization } from "./03-start-user-authorization";
 import parseUrl from "parse-url";
 import { IssuerResponseError, ValidationFailed } from "../../utils/errors";
-import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import type { GetIssuerConfig } from "./02-get-issuer-config";
 import {
   decode,
   encodeBase64,
@@ -21,7 +21,7 @@ import { getJwtFromFormPost } from "../../utils/decoder";
 import { AuthorizationError, AuthorizationIdpError } from "./errors";
 
 /**
- * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
+ * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a urn:eu.europa.ec.eudi:pid:1.
  */
 export type CompleteUserAuthorizationWithQueryMode = (
   authRedirectUrl: string
@@ -41,14 +41,14 @@ export type CompleteUserAuthorizationWithFormPostJwtMode = (
 export type GetRequestedCredentialToBePresented = (
   issuerRequestUri: Out<StartUserAuthorization>["issuerRequestUri"],
   clientId: Out<StartUserAuthorization>["clientId"],
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  issuerConf: Out<GetIssuerConfig>["issuerConf"],
   appFetch?: GlobalFetch["fetch"]
 ) => Promise<RequestObject>;
 
 export type BuildAuthorizationUrl = (
   issuerRequestUri: Out<StartUserAuthorization>["issuerRequestUri"],
   clientId: Out<StartUserAuthorization>["clientId"],
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  issuerConf: Out<GetIssuerConfig>["issuerConf"],
   idpHint: string
 ) => Promise<{
   authUrl: string;
@@ -59,7 +59,7 @@ export type BuildAuthorizationUrl = (
  * Builds the authorization URL to which the end user should be redirected to continue the authentication flow.
  * @param issuerRequestUri the URI of the issuer where the request is sent
  * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
  * @param idpHint Unique identifier of the IDP selected by the user
  * @returns An object containing the authorization URL
  */
@@ -69,8 +69,7 @@ export const buildAuthorizationUrl: BuildAuthorizationUrl = async (
   issuerConf,
   idpHint
 ) => {
-  const authzRequestEndpoint =
-    issuerConf.oauth_authorization_server.authorization_endpoint;
+  const authzRequestEndpoint = issuerConf.authorization_endpoint;
 
   const params = new URLSearchParams({
     client_id: clientId,
@@ -85,7 +84,7 @@ export const buildAuthorizationUrl: BuildAuthorizationUrl = async (
 
 /**
  * WARNING: This function must be called after obtaining the authorization redirect URL from the webviews (SPID and CIE L3) or browser for CIEID.
- * Complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
+ * Complete User authorization via strong identification when the response mode is "query" and the request credential is a urn:eu.europa.ec.eudi:pid:1.
  * This function parses the authorization redirect URL to extract the authorization response.
  * @param authRedirectUrl The URL to which the end user should be redirected to start the authentication flow
  * @returns the authorization response which contains code, state and iss
@@ -104,15 +103,14 @@ export const completeUserAuthorizationWithQueryMode: CompleteUserAuthorizationWi
  * The information is obtained by performing a GET request to the authorization endpoint with request_uri and client_id parameters.
  * @param issuerRequestUri the URI of the issuer where the request is sent
  * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
  * @param appFetch (optional) fetch api implementation. Default: built-in fetch
  * @throws {ValidationFailed} if an error while validating the response
  * @returns the request object which contains the credential to be presented in order to obtain the requested credential
  */
 export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePresented =
   async (issuerRequestUri, clientId, issuerConf, appFetch = fetch) => {
-    const authzRequestEndpoint =
-      issuerConf.oauth_authorization_server.authorization_endpoint;
+    const authzRequestEndpoint = issuerConf.authorization_endpoint;
     const params = new URLSearchParams({
       client_id: clientId,
       request_uri: issuerRequestUri,
@@ -143,7 +141,7 @@ export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePres
  * The information is obtained by performing a GET request to the authorization endpoint with request_uri and client_id parameters.
  * @param issuerRequestUri the URI of the issuer where the request is sent
  * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
  * @param context.walletInstanceAccestation the Wallet Instance's attestation to be presented
  * @param context.pid the PID to be presented
  * @param context.wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
@@ -200,7 +198,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthoriza
       id: `${uuid.v4()}`,
       descriptor_map: [
         {
-          id: "PersonIdentificationData",
+          id: "urn:eu.europa.ec.eudi:pid:1",
           path: "$.vp_token[0].vp",
           format: "vc+sd-jwt",
         },

package/src/credential/issuance/05-authorize-access.ts

@@ -1,18 +1,17 @@
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
-import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import type { GetIssuerConfig } from "./02-get-issuer-config";
 import type { StartUserAuthorization } from "./03-start-user-authorization";
 import { createDPopToken } from "../../utils/dpop";
 import uuid from "react-native-uuid";
 import { createPopToken } from "../../utils/pop";
 import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
-import { ASSERTION_TYPE } from "./const";
 import { TokenResponse } from "./types";
 import { IssuerResponseError, ValidationFailed } from "../../utils/errors";
 import type { CompleteUserAuthorizationWithQueryMode } from "./04-complete-user-authorization";
 
 export type AuthorizeAccess = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  issuerConf: Out<GetIssuerConfig>["issuerConf"],
   code: Out<CompleteUserAuthorizationWithQueryMode>["code"],
   redirectUri: string,
   clientId: Out<StartUserAuthorization>["clientId"],
@@ -30,7 +29,7 @@ export type AuthorizeAccess = (
  * for requesting the issuance of an access token bound to the public key of the Wallet Instance contained within the DPoP.
  * This enables the Wallet Instance to request a digital credential.
  * The DPoP Proof JWT is generated according to the section 4.3 of the DPoP RFC 9449 specification.
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
  * @param code The authorization code returned by {@link completeUserAuthorizationWithQueryMode} or {@link completeUserAuthorizationWithFormPost}
  * @param redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
  * @param clientId The client id returned by {@link startUserAuthorization}
@@ -58,14 +57,13 @@ export const authorizeAccess: AuthorizeAccess = async (
     dPopCryptoContext,
   } = context;
 
-  const parEndpoint =
-    issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
+  const parEndpoint = issuerConf.pushed_authorization_request_endpoint;
   const parUrl = new URL(parEndpoint);
   const aud = `${parUrl.protocol}//${parUrl.hostname}`;
   const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
     .payload.cnf.jwk.kid;
 
-  const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
+  const tokenUrl = issuerConf.token_endpoint;
 
   const tokenRequestSignedDPop = await createDPopToken(
     {
@@ -86,13 +84,11 @@ export const authorizeAccess: AuthorizeAccess = async (
   );
 
   const requestBody = {
-    grant_type: "authorization_code",
     client_id: clientId,
+    grant_type: "authorization_code",
     code,
     redirect_uri: redirectUri,
     code_verifier: codeVerifier,
-    client_assertion_type: ASSERTION_TYPE,
-    client_assertion: walletInstanceAttestation + "~" + signedWiaPoP,
   };
 
   const authorizationRequestFormBody = new URLSearchParams(requestBody);
@@ -101,6 +97,8 @@ export const authorizeAccess: AuthorizeAccess = async (
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
       DPoP: tokenRequestSignedDPop,
+      "OAuth-Client-Attestation": walletInstanceAttestation,
+      "OAuth-Client-Attestation-PoP": signedWiaPoP,
     },
     body: authorizationRequestFormBody.toString(),
   })

package/src/credential/issuance/06-obtain-credential.ts

@@ -4,7 +4,7 @@ import {
   SignJWT,
 } from "@pagopa/io-react-native-jwt";
 import type { AuthorizeAccess } from "./05-authorize-access";
-import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import type { GetIssuerConfig } from "./02-get-issuer-config";
 import { hasStatusOrThrow, type Out } from "../../utils/misc";
 import type { StartUserAuthorization } from "./03-start-user-authorization";
 import {
@@ -19,7 +19,7 @@ import { createDPopToken } from "../../utils/dpop";
 import uuid from "react-native-uuid";
 
 export type ObtainCredential = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  issuerConf: Out<GetIssuerConfig>["issuerConf"],
   accessToken: Out<AuthorizeAccess>["accessToken"],
   clientId: Out<StartUserAuthorization>["clientId"],
   credentialDefinition: Out<StartUserAuthorization>["credentialDefinition"],
@@ -58,7 +58,7 @@ export const createNonceProof = async (
  * of the Credential Issuer to request the issuance of a credential linked to the public key contained in the JWT proof.
  * The Openid4vci proof JWT incapsulates the nonce extracted from the token response from the {@link authorizeAccess} step.
  * The credential request is sent to the Credential Endpoint of the Credential Issuer via HTTP POST with the type of the credential, its format, the access token and the JWT proof.
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param issuerConf The issuer configuration returned by {@link getIssuerConfig}
  * @param accessToken The access token response returned by {@link authorizeAccess}
  * @param clientId The client id returned by {@link startUserAuthorization}
  * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link startUserAuthorization}
@@ -81,7 +81,7 @@ export const obtainCredential: ObtainCredential = async (
     dPopCryptoContext,
   } = context;
 
-  const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
+  const credentialUrl = issuerConf.credential_endpoint;
 
   /**
    * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
@@ -95,14 +95,10 @@ export const obtainCredential: ObtainCredential = async (
     credentialCryptoContext
   );
 
-  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
-  const containsCredentialDefinition = accessToken.authorization_details.some(
-    (c) =>
-      c.credential_configuration_id ===
-        credentialDefinition.credential_configuration_id &&
-      c.format === credentialDefinition.format &&
-      c.type === credentialDefinition.type
-  );
+  const containsCredentialDefinition =
+    accessToken.authorization_details.credential_configuration_id ===
+      credentialDefinition.credential_configuration_id &&
+    accessToken.authorization_details.type === credentialDefinition.type;
 
   if (!containsCredentialDefinition) {
     throw new ValidationFailed({
@@ -111,12 +107,30 @@ export const obtainCredential: ObtainCredential = async (
     });
   }
 
+  const credential =
+    issuerConf.credential_configurations_supported[
+      credentialDefinition.credential_configuration_id
+    ];
+
+  if (!credential) {
+    throw new ValidationFailed({
+      message: "The credential configuration is not supported by the issuer",
+    });
+  }
+
+  const format = credential.format;
+
+  if (!format) {
+    throw new ValidationFailed({
+      message:
+        "The credential doesn't contain the format required by the issuer",
+    });
+  }
+
   /** The credential request body */
   const credentialRequestFormBody = {
-    credential_definition: {
-      type: [credentialDefinition.credential_configuration_id],
-    },
-    format: credentialDefinition.format,
+    vct: credentialDefinition.credential_configuration_id,
+    format,
     proof: {
       jwt: signedNonceProof,
       proof_type: "jwt",
@@ -168,21 +182,6 @@ const handleObtainCredentialError = (e: unknown) => {
   }
 
   throw new ResponseErrorBuilder(IssuerResponseError)
-    .handle(201, {
-      // Although it is technically not an error, we handle it as such to avoid
-      // changing the return type of `obtainCredential` and introduce a breaking change.
-      code: IssuerResponseErrorCodes.CredentialIssuingNotSynchronous,
-      message:
-        "This credential cannot be issued synchronously. It will be available at a later time.",
-    })
-    .handle(403, {
-      code: IssuerResponseErrorCodes.CredentialInvalidStatus,
-      message: "Invalid status found for the given credential",
-    })
-    .handle(404, {
-      code: IssuerResponseErrorCodes.CredentialInvalidStatus,
-      message: "Invalid status found for the given credential",
-    })
     .handle("*", {
       code: IssuerResponseErrorCodes.CredentialRequestFailed,
       message: "Unable to obtain the requested credential",

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -1,6 +1,6 @@
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { Out } from "../../utils/misc";
-import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
+import type { GetIssuerConfig } from "./02-get-issuer-config";
 import { IoWalletError } from "../../utils/errors";
 import { SdJwt4VC } from "../../sd-jwt/types";
 import { verify as verifySdJwt } from "../../sd-jwt";
@@ -9,7 +9,7 @@ import type { JWK } from "../../utils/jwk";
 import type { ObtainCredential } from "./06-obtain-credential";
 
 export type VerifyAndParseCredential = (
-  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  issuerConf: Out<GetIssuerConfig>["issuerConf"],
   credential: Out<ObtainCredential>["credential"],
   format: Out<ObtainCredential>["format"],
   context: {
@@ -54,7 +54,7 @@ type DecodedSdJwtCredential = Out<typeof verifySdJwt> & {
 
 const parseCredentialSdJwt = (
   // the list of supported credentials, as defined in the issuer configuration
-  credentials_supported: Out<EvaluateIssuerTrust>["issuerConf"]["openid_credential_issuer"]["credential_configurations_supported"],
+  credentials_supported: Out<GetIssuerConfig>["issuerConf"]["credential_configurations_supported"],
   { sdJwt, disclosures }: DecodedSdJwtCredential,
   ignoreMissingAttributes: boolean = false,
   includeUndefinedAttributes: boolean = false
@@ -200,12 +200,12 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
 ) => {
   const decoded = await verifyCredentialSdJwt(
     credential,
-    issuerConf.openid_credential_issuer.jwks.keys,
+    issuerConf.keys,
     credentialCryptoContext
   );
 
   const parsedCredential = parseCredentialSdJwt(
-    issuerConf.openid_credential_issuer.credential_configurations_supported,
+    issuerConf.credential_configurations_supported,
     decoded,
     ignoreMissingAttributes,
     includeUndefinedAttributes
@@ -225,7 +225,7 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
 
 /**
  * Verify and parse an encoded credential.
- * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param issuerConf The Issuer configuration returned by {@link getIssuerConfig}
  * @param credential The encoded credential returned by {@link obtainCredential}
  * @param format The format of the credentual returned by {@link obtainCredential}
  * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}

package/src/credential/issuance/README.md

@@ -6,7 +6,7 @@ There's a fork in the flow which is based on the type of the credential that is
 This is due to the fact that eID credentials require a different authorization flow than other credentials, which is accomplished by a strong authentication method like SPID or CIE.
 Credentials instead require a simpler authorization flow and they require other credentials to be presented in order to be issued.
 
-The supported credentials are defined in the entity configuration of the issuer which is evaluted and parsed in the `evaluateIssuerTrust` step.
+The supported credentials are defined in the entity configuration of the issuer which is evaluted and parsed in the `getIssuerConfig` step.
 
 ## Sequence Diagram
 
@@ -14,7 +14,7 @@ The supported credentials are defined in the entity configuration of the issuer
 graph TD;
     0[WalletInstanceAttestation.getAttestation]
     1[startFlow]
-    2[evaluateIssuerTrust]
+    2[getIssuerConfig]
     3[startUserAuthorization]
     C4[getRequestedCredentialToBePresented]
     C4.1[completeUserAuthorizationWithFormPostJwtMode]
@@ -41,12 +41,9 @@ graph TD;
 
 The following errors are mapped to a `IssuerResponseError` with specific codes.
 
-|HTTP Status|Error Code|Description|
-|-----------|----------|-----------|
-|`201 Created`|`ERR_CREDENTIAL_ISSUING_NOT_SYNCHRONOUS`| This response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time. Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous. This allows keeping the flow consistent and handle the case where the credential is not immediately available.|
-|`403 Forbidden`|`ERR_CREDENTIAL_INVALID_STATUS`|This response is returned by the credential issuer when the requested credential has an invalid status. It might contain more details in the `reason` property.|
-|`404 Not Found`|`ERR_CREDENTIAL_INVALID_STATUS`| This response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential. It might contain more details in the `reason` property.|
-|`*`|`ERR_ISSUER_GENERIC_ERROR`|This is a generic error code to map unexpected errors that occurred when interacting with the Issuer.|
+| HTTP Status | Error Code                 | Description                                                                                           |
+| ----------- | -------------------------- | ----------------------------------------------------------------------------------------------------- |
+| `*`         | `ERR_ISSUER_GENERIC_ERROR` | This is a generic error code to map unexpected errors that occurred when interacting with the Issuer. |
 
 ## Strong authentication for eID issuance (Query Mode)
 
@@ -121,7 +118,7 @@ const startFlow: Credential.Issuance.StartFlow = () => ({
 const { issuerUrl } = startFlow();
 
 // Evaluate issuer trust
-const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(issuerUrl);
+const { issuerConf } = await Credential.Issuance.getIssuerConfig(issuerUrl);
 
 // Start user authorization
 const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
@@ -251,17 +248,16 @@ const credentialCryptoContext = createCryptoContextFor(credentialKeyTag);
 // Start the issuance flow
 const startFlow: Credential.Issuance.StartFlow = () => ({
   issuerUrl: WALLET_EID_PROVIDER_BASE_URL,
-  credentialType: "PersonIdentificationData",
+  credentialType: "urn:eu.europa.ec.eudi:pid:1",
   appFetch,
 });
 
 const { issuerUrl } = startFlow();
 
 // Evaluate issuer trust
-const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(
-  issuerUrl,
-  { appFetch }
-);
+const { issuerConf } = await Credential.Issuance.getIssuerConfig(issuerUrl, {
+  appFetch,
+});
 
 // Start user authorization
 const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
@@ -315,12 +311,13 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
 );
 
 // Parse and verify the eID credential
-const { parsedCredential, issuedAt, expiration } = await Credential.Issuance.verifyAndParseCredential(
-  issuerConf,
-  credential,
-  format,
-  { credentialCryptoContext }
-);
+const { parsedCredential, issuedAt, expiration } =
+  await Credential.Issuance.verifyAndParseCredential(
+    issuerConf,
+    credential,
+    format,
+    { credentialCryptoContext }
+  );
 
 return {
   parsedCredential,
@@ -328,7 +325,7 @@ return {
   keyTag: credentialKeyTag,
   credentialType,
   issuedAt,
-  expiration
+  expiration,
 };
 ```
 

package/src/credential/issuance/index.ts

@@ -1,8 +1,5 @@
 import { type StartFlow } from "./01-start-flow";
-import {
-  evaluateIssuerTrust,
-  type EvaluateIssuerTrust,
-} from "./02-evaluate-issuer-trust";
+import { getIssuerConfig, type GetIssuerConfig } from "./02-get-issuer-config";
 import {
   startUserAuthorization,
   type StartUserAuthorization,
@@ -30,7 +27,7 @@ import {
 import * as Errors from "./errors";
 
 export {
-  evaluateIssuerTrust,
+  getIssuerConfig,
   startUserAuthorization,
   buildAuthorizationUrl,
   completeUserAuthorizationWithQueryMode,
@@ -44,7 +41,7 @@ export {
 };
 export type {
   StartFlow,
-  EvaluateIssuerTrust,
+  GetIssuerConfig,
   StartUserAuthorization,
   BuildAuthorizationUrl,
   CompleteUserAuthorizationWithQueryMode,

package/src/credential/issuance/types.ts

@@ -6,7 +6,7 @@ export type TokenResponse = z.infer<typeof TokenResponse>;
 
 export const TokenResponse = z.object({
   access_token: z.string(),
-  authorization_details: z.array(AuthorizationDetail),
+  authorization_details: AuthorizationDetail,
   c_nonce: z.string(),
   c_nonce_expires_in: z.number(),
   expires_in: z.number(),

package/src/credential/presentation/01-start-flow.ts

@@ -29,8 +29,14 @@ export type StartFlow<T extends Array<unknown> = []> = (...args: T) => {
  * @throws If the provided qr code fails to be decoded
  */
 export const startFlowFromQR: StartFlow<[string]> = (qrcode) => {
-  const decoded = decodeBase64(qrcode);
-  const decodedUrl = new URL(decoded);
+  let decodedUrl: URL;
+  try {
+    const decoded = decodeBase64(qrcode);
+    decodedUrl = new URL(decoded);
+  } catch (error) {
+    throw new AuthRequestDecodeError("Failed to decode QR code: ", qrcode);
+  }
+
   const protocol = decodedUrl.protocol;
   const resource = decodedUrl.hostname;
   const requestURI = decodedUrl.searchParams.get("request_uri");