@pagopa/io-react-native-wallet 1.5.0 → 1.6.0

package/src/credential/presentation/07-evaluate-input-descriptor.ts

@@ -5,15 +5,21 @@ import { createCryptoContextFor } from "../../utils/crypto";
 import { JSONPath } from "jsonpath-plus";
 import { MissingDataError, CredentialNotFoundError } from "./errors";
 import Ajv from "ajv";
-import { base64ToBase64Url } from "../../utils/string";
 import { CBOR } from "@pagopa/io-react-native-cbor";
+import { prepareVpTokenMdoc } from "../../mdoc";
+import { generateRandomAlphaNumericString } from "../../utils/misc";
+
 const ajv = new Ajv({ allErrors: true });
-const INDEX_CLAIM_NAME = 1;
 
 type EvaluatedDisclosures = {
-  requiredDisclosures: DisclosureWithEncoded[];
-  optionalDisclosures: DisclosureWithEncoded[];
-  unrequestedDisclosures: DisclosureWithEncoded[];
+  requiredDisclosures: EvaluatedDisclosure[];
+  optionalDisclosures: EvaluatedDisclosure[];
+};
+
+export type EvaluatedDisclosure = {
+  namespace?: string;
+  name: string;
+  value: unknown;
 };
 
 type EvaluateInputDescriptorSdJwt4VC = (
@@ -22,6 +28,11 @@ type EvaluateInputDescriptorSdJwt4VC = (
   disclosures: DisclosureWithEncoded[]
 ) => EvaluatedDisclosures;
 
+type EvaluateInputDescriptorMdoc = (
+  inputDescriptor: InputDescriptor,
+  issuerSigned: CBOR.IssuerSigned
+) => EvaluatedDisclosures;
+
 export type EvaluateInputDescriptors = (
   descriptors: InputDescriptor[],
   credentialsSdJwt: [string /* keyTag */, string /* credential */][],
@@ -42,9 +53,35 @@ export type PrepareRemotePresentations = (
     credential: string;
     keyTag: string;
   }[],
-  nonce: string,
-  client_id: string
-) => Promise<RemotePresentation[]>;
+  authRequestObject: {
+    nonce: string;
+    clientId: string;
+    responseUri: string;
+  }
+) => Promise<RemotePresentation>;
+
+export const disclosureWithEncodedToEvaluatedDisclosure = (
+  disclosure: DisclosureWithEncoded
+): EvaluatedDisclosure => {
+  const [, claimName, claimValue] = disclosure.decoded;
+  return {
+    name: claimName,
+    value: claimValue,
+  };
+};
+
+type DecodedCredentialMdoc = {
+  keyTag: string;
+  credential: string;
+  issuerSigned: CBOR.IssuerSigned;
+};
+
+type DecodedCredentialSdJwt = {
+  keyTag: string;
+  credential: string;
+  sdJwt: SdJwt4VC;
+  disclosures: DisclosureWithEncoded[];
+};
 
 /**
  * Transforms an array of DisclosureWithEncoded objects into a key-value map.
@@ -54,11 +91,39 @@ export type PrepareRemotePresentations = (
 const mapDisclosuresToObject = (
   disclosures: DisclosureWithEncoded[]
 ): Record<string, unknown> => {
-  return disclosures.reduce((obj, { decoded }) => {
-    const [, claimName, claimValue] = decoded;
-    obj[claimName] = claimValue;
-    return obj;
-  }, {} as Record<string, unknown>);
+  return disclosures.reduce(
+    (obj, { decoded }) => {
+      const [, claimName, claimValue] = decoded;
+      obj[claimName] = claimValue;
+      return obj;
+    },
+    {} as Record<string, unknown>
+  );
+};
+
+/**
+ * Transforms the issuer's namespaces from a CBOR structure into a plain JavaScript object.
+ *
+ * @param namespaces - The CBOR-based namespaces object where each key corresponds to a namespace,
+ *                     and each value is an array of elements containing identifiers and values.
+ * @returns A record (plain object) where each key is a namespace, and its value is another object
+ *          mapping element identifiers to their corresponding element values.
+ */
+const mapNamespacesToObject = (
+  namespaces: CBOR.IssuerSigned["nameSpaces"]
+): Record<string, unknown> => {
+  return Object.entries(namespaces).reduce(
+    (obj, [namespace, elements]) => {
+      obj[namespace] = Object.fromEntries(
+        elements.map((element) => [
+          element.elementIdentifier,
+          element.elementValue,
+        ])
+      );
+      return obj;
+    },
+    {} as Record<string, unknown>
+  );
 };
 
 /**
@@ -113,13 +178,110 @@ const extractClaimName = (path: string): string | undefined => {
     return match[1] || match[2];
   }
 
-  // If the input doesn't match any of the expected formats, return null
-
   throw new Error(
     `Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`
   );
 };
 
+/**
+ * Extracts the namespace and claim name from a path in the following format:
+ * $['nameSpace']['propertyName']
+ *
+ * @param path - The path string containing the claim reference.
+ * @returns An object with the extracted namespace and claim name.
+ * @throws An error if the input format is invalid.
+ */
+const extractNamespaceAndClaimName = (
+  path: string
+): { nameSpace?: string; propertyName?: string } => {
+  const regex = /^\$\[(?:'|")([^'"\]]+)(?:'|")\]\[(?:'|")([^'"\]]+)(?:'|")\]$/;
+  const match = path.match(regex);
+  if (match) {
+    return { nameSpace: match[1], propertyName: match[2] };
+  }
+
+  throw new Error(
+    `Invalid input format: "${path}". Expected format is "$['nameSpace']['propertyName']".`
+  );
+};
+/**
+ * Evaluates the input descriptor for an mDoc by verifying that the issuerSigned claims meet
+ * the constraints defined in the input descriptor. It categorizes disclosures as either required
+ * or optional based on the field definitions.
+ *
+ * @param inputDescriptor - Contains constraints and field definitions specifying required/optional claims.
+ * @param issuerSigned - Contains the issuerSigned with namespaces and their associated claims.
+ * @returns An object with two arrays: one for required disclosures and one for optional disclosures.
+ * @throws MissingDataError - If a required field is missing or if a claim fails JSON Schema validation.
+ */
+export const evaluateInputDescriptorForMdoc: EvaluateInputDescriptorMdoc = (
+  inputDescriptor,
+  issuerSigned
+) => {
+  if (!inputDescriptor?.constraints?.fields) {
+    // No validation, no field are required
+    return {
+      requiredDisclosures: [],
+      optionalDisclosures: [],
+    };
+  }
+
+  const requiredDisclosures: EvaluatedDisclosure[] = [];
+  const optionalDisclosures: EvaluatedDisclosure[] = [];
+
+  // Convert issuer's namespaces into an object for easier lookup of claim values.
+  const namespacesAsPayload = mapNamespacesToObject(issuerSigned.nameSpaces);
+
+  const allFieldsValid = inputDescriptor.constraints.fields.every((field) => {
+    const [matchedPath, matchedValue] = findMatchedClaim(
+      field.path,
+      namespacesAsPayload
+    );
+
+    // If no matching claim is found, the field is valid only if it's marked as optional.
+    if (matchedValue === undefined || !matchedPath) {
+      return field?.optional;
+    } else {
+      // Extract the namespace and property name from the matched path.
+      const { nameSpace, propertyName } =
+        extractNamespaceAndClaimName(matchedPath);
+      if (nameSpace && propertyName) {
+        (field?.optional ? optionalDisclosures : requiredDisclosures).push({
+          namespace: nameSpace,
+          name: propertyName,
+          value: matchedValue,
+        });
+      }
+    }
+
+    if (field.filter) {
+      try {
+        const validateSchema = ajv.compile(field.filter);
+        if (!validateSchema(matchedValue)) {
+          throw new MissingDataError(
+            `Claim value "${matchedValue}" for path "${matchedPath}" does not match the provided JSON Schema.`
+          );
+        }
+      } catch (error) {
+        return false;
+      }
+    }
+
+    return true;
+  });
+
+  if (!allFieldsValid) {
+    throw new MissingDataError(
+      "Credential validation failed: Required fields are missing or do not match the input descriptor."
+    );
+  }
+
+  return {
+    requiredDisclosures,
+    optionalDisclosures,
+  };
+};
+
 /**
  * Evaluates an InputDescriptor for an SD-JWT-based verifiable credential.
  *
@@ -128,14 +290,12 @@ const extractClaimName = (path: string): string | undefined => {
  * - Validates whether required fields are present (unless marked optional)
  *   and match any specified JSONPath.
  * - If a field includes a JSON Schema filter, validates the claim value against that schema.
- * - Enforces `limit_disclosure` rules by returning only disclosures, required and optional, matching the specified fields
- *   if set to "required". Otherwise also return the array unrequestedDisclosures with disclosures which can be passed for a particular use case.
  * - Throws an error if a required field is invalid or missing.
  *
  * @param inputDescriptor - Describes constraints (fields, filters, etc.) that must be satisfied.
  * @param payloadCredential - The credential payload to check against.
  * @param disclosures - An array of DisclosureWithEncoded objects representing selective disclosures.
- * @returns A filtered list of disclosures satisfying the descriptor constraints, or throws an error if not.
+ * @returns An object with two arrays: one for required disclosures and one for optional disclosures.
  * @throws Will throw an error if any required constraint fails or if JSONPath lookups are invalid.
  */
 export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC =
@@ -145,13 +305,12 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
       return {
         requiredDisclosures: [],
         optionalDisclosures: [],
-        unrequestedDisclosures: disclosures,
       };
     }
-    const requiredClaimNames: string[] = [];
-    const optionalClaimNames: string[] = [];
+    const requiredDisclosures: EvaluatedDisclosure[] = [];
+    const optionalDisclosures: EvaluatedDisclosure[] = [];
 
-    // Transform disclosures to find claim using JSONPath
+    // Transform disclosures into an object for easier lookup of claim values.
     const disclosuresAsPayload = mapDisclosuresToObject(disclosures);
 
     // For each field, we need at least one matching path
@@ -179,9 +338,10 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
         // if match a disclouse we save which is required or optional
         const claimName = extractClaimName(matchedPath);
         if (claimName) {
-          (field?.optional ? optionalClaimNames : requiredClaimNames).push(
-            claimName
-          );
+          (field?.optional ? optionalDisclosures : requiredDisclosures).push({
+            value: matchedValue,
+            name: claimName,
+          });
         }
       }
 
@@ -211,43 +371,12 @@ export const evaluateInputDescriptorForSdJwt4VC: EvaluateInputDescriptorSdJwt4VC
       );
     }
 
-    // Categorizes disclosures into required and optional based on claim names and disclosure constraints.
-
-    const requiredDisclosures = disclosures.filter((disclosure) =>
-      requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
-    );
-
-    const optionalDisclosures = disclosures.filter((disclosure) =>
-      optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
-    );
-
-    const isNotLimitDisclosure = !(
-      inputDescriptor.constraints.limit_disclosure === "required"
-    );
-
-    const unrequestedDisclosures = isNotLimitDisclosure
-      ? disclosures.filter(
-          (disclosure) =>
-            !optionalClaimNames.includes(
-              disclosure.decoded[INDEX_CLAIM_NAME]
-            ) &&
-            !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME])
-        )
-      : [];
-
     return {
       requiredDisclosures,
       optionalDisclosures,
-      unrequestedDisclosures,
     };
   };
 
-type DecodedCredentialSdJwt = {
-  keyTag: string;
-  credential: string;
-  sdJwt: SdJwt4VC;
-  disclosures: DisclosureWithEncoded[];
-};
 /**
  * Finds the first credential that satisfies the input descriptor constraints.
  * @param inputDescriptor The input descriptor to evaluate.
@@ -291,6 +420,43 @@ export const findCredentialSdJwt = (
   );
 };
 
+/**
+ * Finds the first credential that satisfies the input descriptor constraints.
+ * @param inputDescriptor The input descriptor to evaluate.
+ * @param decodedMdocCredentials An array of decoded MDOC credentials.
+ * @returns An object containing the matched evaluation, keyTag, and credential.
+ */
+export const findCredentialMDoc = (
+  inputDescriptor: InputDescriptor,
+  decodedMDocCredentials: DecodedCredentialMdoc[]
+): {
+  matchedEvaluation: EvaluatedDisclosures;
+  matchedKeyTag: string;
+  matchedCredential: string;
+} => {
+  for (const { keyTag, credential, issuerSigned } of decodedMDocCredentials) {
+    try {
+      const evaluatedDisclosure = evaluateInputDescriptorForMdoc(
+        inputDescriptor,
+        issuerSigned
+      );
+
+      return {
+        matchedEvaluation: evaluatedDisclosure,
+        matchedKeyTag: keyTag,
+        matchedCredential: credential,
+      };
+    } catch {
+      // skip to next credential
+      continue;
+    }
+  }
+
+  throw new CredentialNotFoundError(
+    "None of the mso_mdoc credentials satisfy the requirements."
+  );
+};
+
 /**
  * Evaluates multiple input descriptors against provided SD-JWT and MDOC credentials.
  *
@@ -318,47 +484,37 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
       return { keyTag, credential, sdJwt, disclosures };
     }) || [];
 
+  // We need decode Mdoc credentials for evaluation
+  const decodedMdocCredentials =
+    (await Promise.all(
+      credentialsMdoc?.map(async ([keyTag, credential]) => {
+        const issuerSigned = await CBOR.decodeIssuerSigned(credential);
+        if (!issuerSigned) {
+          throw new CredentialNotFoundError(
+            "mso_mdoc credential is not present."
+          );
+        }
+        return { keyTag, credential, issuerSigned };
+      })
+    )) || [];
+
   const results = Promise.all(
     inputDescriptors.map(async (descriptor) => {
       if (descriptor.format?.mso_mdoc) {
-        if (!credentialsMdoc || !credentialsMdoc[0]) {
+        if (!credentialsMdoc.length) {
           throw new CredentialNotFoundError(
             "mso_mdoc credential is not supported."
           );
         }
-        /**
-         * The current implementation for the "mso_mdoc" format is temporary and always returns the first credential (mDL).
-         * [WLEO-266] This will be replaced with the real implementation once the evaluateInputDescriptorForMdoc function is available.
-         **/
-        const [keyTag, credential] = credentialsMdoc[0];
-        const mdoc = await CBOR.decodeDocuments(credential);
-        if (!mdoc || !mdoc.documents || !mdoc.documents[0]) {
-          throw new CredentialNotFoundError(
-            "mso_mdoc credential is not present."
-          );
-        }
-        const document = mdoc.documents[0];
-        // We set requiredDisclosures to all the elements in the document, as we don't have a real implementation for this yet.
+
+        const { matchedEvaluation, matchedKeyTag, matchedCredential } =
+          findCredentialMDoc(descriptor, decodedMdocCredentials);
+
         return {
-          evaluatedDisclosure: {
-            requiredDisclosures: Object.entries(
-              document.issuerSigned.nameSpaces
-            ).flatMap(([, elements]) =>
-              elements.map((element) => ({
-                encoded: "",
-                decoded: [
-                  "",
-                  element.elementIdentifier,
-                  element.elementValue,
-                ] as [string, string, unknown],
-              }))
-            ),
-            optionalDisclosures: [],
-            unrequestedDisclosures: [],
-          },
+          evaluatedDisclosure: matchedEvaluation,
           inputDescriptor: descriptor,
-          credential,
-          keyTag,
+          credential: matchedCredential,
+          keyTag: matchedKeyTag,
         };
       }
 
@@ -405,28 +561,48 @@ export const evaluateInputDescriptors: EvaluateInputDescriptors = async (
  */
 export const prepareRemotePresentations: PrepareRemotePresentations = async (
   credentialAndDescriptors,
-  nonce,
-  client_id
+  authRequestObject
 ) => {
-  return Promise.all(
+  /* In case of ISO 18013-7 we need a nonce, it shall have a minimum entropy of 16  */
+  const generatedNonce = generateRandomAlphaNumericString(16);
+
+  const presentations = await Promise.all(
     credentialAndDescriptors.map(async (item) => {
       const descriptor = item.inputDescriptor;
 
       if (descriptor.format?.mso_mdoc) {
+        const { vp_token } = await prepareVpTokenMdoc(
+          authRequestObject.nonce,
+          generatedNonce,
+          authRequestObject.clientId,
+          authRequestObject.responseUri,
+          descriptor.id,
+          item.keyTag,
+          [
+            item.credential,
+            item.requestedClaims,
+            createCryptoContextFor(item.keyTag),
+          ]
+        );
+
         return {
           requestedClaims: item.requestedClaims,
           inputDescriptor: descriptor,
-          vpToken: base64ToBase64Url(item.credential),
+          vpToken: vp_token,
           format: "mso_mdoc",
         };
       }
 
       if (descriptor.format?.["vc+sd-jwt"]) {
-        const { vp_token } = await prepareVpToken(nonce, client_id, [
-          item.credential,
-          item.requestedClaims,
-          createCryptoContextFor(item.keyTag),
-        ]);
+        const { vp_token } = await prepareVpToken(
+          authRequestObject.nonce,
+          authRequestObject.clientId,
+          [
+            item.credential,
+            item.requestedClaims,
+            createCryptoContextFor(item.keyTag),
+          ]
+        );
 
         return {
           requestedClaims: item.requestedClaims,
@@ -441,4 +617,9 @@ export const prepareRemotePresentations: PrepareRemotePresentations = async (
       );
     })
   );
+
+  return {
+    presentations,
+    generatedNonce,
+  };
 };

package/src/credential/presentation/08-send-authorization-response.ts

@@ -11,6 +11,7 @@ import {
 } from "./types";
 import * as z from "zod";
 import type { JWK } from "../../utils/jwk";
+import { Base64 } from "js-base64";
 
 export type AuthorizationResponse = z.infer<typeof AuthorizationResponse>;
 export const AuthorizationResponse = z.object({
@@ -60,7 +61,7 @@ export const buildDirectPostBody = async (
   payload: DirectAuthorizationBodyPayload
 ): Promise<string> => {
   const formUrlEncodedBody = new URLSearchParams({
-    state: requestObject.state,
+    ...(requestObject.state ? { state: requestObject.state } : {}),
     ...Object.fromEntries(
       Object.entries(payload).map(([key, value]) => {
         return [
@@ -82,13 +83,15 @@ export const buildDirectPostBody = async (
  * @param jwkKeys - Array of JWKs from the Relying Party for encryption.
  * @param requestObject - Contains state, nonce, and other relevant info.
  * @param payload - Object that contains either the VP token to encrypt and the mapping of the credential disclosures or the error code
+ * @param generatedNonce - Optional nonce for the `apu` claim in the JWE header, it is used during ISO 18013-7.
  * @returns A URL-encoded string for an `application/x-www-form-urlencoded` POST body,
  *          where `response` contains the encrypted JWE.
  */
 export const buildDirectPostJwtBody = async (
   jwkKeys: Out<FetchJwks>["keys"],
   requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
-  payload: DirectAuthorizationBodyPayload
+  payload: DirectAuthorizationBodyPayload,
+  generatedNonce?: string
 ): Promise<string> => {
   // Prepare the authorization response payload to be encrypted
   const authzResponsePayload = JSON.stringify({
@@ -98,7 +101,6 @@ export const buildDirectPostJwtBody = async (
 
   // Choose a suitable RSA public key for encryption
   const encPublicJwk = choosePublicKeyToEncrypt(jwkKeys);
-
   // Encrypt the authorization payload
   const { client_metadata } = requestObject;
   const encryptedResponse = await new EncryptJwe(authzResponsePayload, {
@@ -111,12 +113,15 @@ export const buildDirectPostJwtBody = async (
         | "A256CBC-HS512"
         | "A128CBC-HS256") || "A256CBC-HS512",
     kid: encPublicJwk.kid,
+    /* ISO 18013-7 */
+    apv: Base64.encodeURI(requestObject.nonce),
+    ...(generatedNonce ? { apu: Base64.encodeURI(generatedNonce) } : {}),
   }).encrypt(encPublicJwk);
 
   // Build the x-www-form-urlencoded form body
   const formBody = new URLSearchParams({
     response: encryptedResponse,
-    state: requestObject.state,
+    ...(requestObject.state ? { state: requestObject.state } : {}),
   });
   return formBody.toString();
 };
@@ -129,7 +134,7 @@ export type SendAuthorizationResponse = (
   requestObject: Out<VerifyRequestObjectSignature>["requestObject"],
   presentationDefinitionId: string,
   jwkKeys: Out<FetchJwks>["keys"],
-  remotePresentations: RemotePresentation[],
+  remotePresentation: RemotePresentation,
   context?: {
     appFetch?: GlobalFetch["fetch"];
   }
@@ -150,28 +155,25 @@ export const sendAuthorizationResponse: SendAuthorizationResponse = async (
   requestObject,
   presentationDefinitionId,
   jwkKeys,
-  remotePresentations,
+  remotePresentation,
   { appFetch = fetch } = {}
 ): Promise<AuthorizationResponse> => {
+  const { generatedNonce, presentations } = remotePresentation;
   /**
    * 1. Prepare the VP token and presentation submission
    * If there is only one credential, `vpToken` is a single string.
    * If there are multiple credential, `vpToken` is an array of string.
    **/
   const vp_token =
-    remotePresentations?.length === 1
-      ? remotePresentations[0]?.vpToken
-      : remotePresentations.map(
-          (remotePresentation) => remotePresentation.vpToken
-        );
-
-  const descriptor_map = remotePresentations.map(
-    (remotePresentation, index) => ({
-      id: remotePresentation.inputDescriptor.id,
-      path: remotePresentations.length === 1 ? `$` : `$[${index}]`,
-      format: remotePresentation.format,
-    })
-  );
+    presentations?.length === 1
+      ? presentations[0]?.vpToken
+      : presentations.map((presentation) => presentation.vpToken);
+
+  const descriptor_map = presentations.map((presentation, index) => ({
+    id: presentation.inputDescriptor.id,
+    path: presentations?.length === 1 ? `$` : `$[${index}]`,
+    format: presentation.format,
+  }));
 
   const presentation_submission = {
     id: uuid.v4(),
@@ -182,17 +184,22 @@ export const sendAuthorizationResponse: SendAuthorizationResponse = async (
   // 2. Choose the appropriate request body builder based on response mode
   const requestBody =
     requestObject.response_mode === "direct_post.jwt"
-      ? await buildDirectPostJwtBody(jwkKeys, requestObject, {
-          vp_token,
-          presentation_submission,
-        })
+      ? await buildDirectPostJwtBody(
+          jwkKeys,
+          requestObject,
+          {
+            vp_token,
+            presentation_submission,
+          },
+          generatedNonce
+        )
       : await buildDirectPostBody(requestObject, {
           vp_token,
           presentation_submission: presentation_submission,
         });
 
   // 3. Send the authorization response via HTTP POST and validate the response
-  return await appFetch(requestObject.response_uri, {
+  const authResponse = await appFetch(requestObject.response_uri, {
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
@@ -201,7 +208,10 @@ export const sendAuthorizationResponse: SendAuthorizationResponse = async (
   })
     .then(hasStatusOrThrow(200))
     .then((res) => res.json())
-    .then(AuthorizationResponse.parse);
+    .then(AuthorizationResponse.safeParse);
+
+  // Some Relying Parties may return an empty body.
+  return authResponse.success ? authResponse.data : {};
 };
 
 /**

package/src/credential/presentation/types.ts

@@ -9,17 +9,20 @@ import { JWKS } from "../../utils/jwk";
 export type Presentation = [
   /* verified credential token */ string,
   /* claims */ string[],
-  /* the context for the key associated to the credential */ CryptoContext
+  /* the context for the key associated to the credential */ CryptoContext,
 ];
 
 /**
  * A object that associate the information needed to multiple remote presentation
  */
 export type RemotePresentation = {
-  requestedClaims: string[];
-  inputDescriptor: InputDescriptor;
-  format: string;
-  vpToken: string;
+  presentations: {
+    requestedClaims: string[];
+    inputDescriptor: InputDescriptor;
+    format: string;
+    vpToken: string;
+  }[];
+  generatedNonce?: string /* nonce generated by app, used in mdoc presentation */;
 };
 
 const Fields = z.object({
@@ -82,7 +85,7 @@ export const RequestObject = z.object({
   iss: z.string().optional(), //optional by RFC 7519, mandatory for Potential
   iat: UnixTime.optional(),
   exp: UnixTime.optional(),
-  state: z.string(),
+  state: z.string().optional(),
   nonce: z.string(),
   response_uri: z.string(),
   response_type: z.literal("vp_token"),