@pagopa/io-react-native-wallet 1.7.1 → 2.0.0-next.0

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -1,25 +1,18 @@
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
-import { CBOR } from "@pagopa/io-react-native-cbor";
 import type { Out } from "../../utils/misc";
-import type { GetIssuerConfig } from "./02-get-issuer-config";
+import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import { IoWalletError } from "../../utils/errors";
 import { SdJwt4VC } from "../../sd-jwt/types";
 import { verify as verifySdJwt } from "../../sd-jwt";
-import { verify as verifyMdoc } from "../../mdoc";
 import { getValueFromDisclosures } from "../../sd-jwt/converters";
 import type { JWK } from "../../utils/jwk";
 import type { ObtainCredential } from "./06-obtain-credential";
-import {
-  CredentialSdJwtClaims,
-  CredentialClaim,
-} from "../../entity/openid-connect/issuer/types";
-import { extractElementValueAsDate } from "../../mdoc/converters";
+import { LogLevel, Logger } from "../../utils/logging";
 
 export type VerifyAndParseCredential = (
-  issuerConf: Out<GetIssuerConfig>["issuerConf"],
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
   credential: Out<ObtainCredential>["credential"],
   format: Out<ObtainCredential>["format"],
-  credentialType: string,
   context: {
     credentialCryptoContext: CryptoContext;
     /**
@@ -60,14 +53,9 @@ type DecodedSdJwtCredential = Out<typeof verifySdJwt> & {
   sdJwt: SdJwt4VC;
 };
 
-type DecodedMDocCredential = Out<typeof verifyMdoc> & {
-  issuerSigned: CBOR.IssuerSigned;
-};
-
-//Exported for testing purposes
-export const parseCredentialSdJwt = (
+const parseCredentialSdJwt = (
   // the list of supported credentials, as defined in the issuer configuration
-  credentials_supported: Out<GetIssuerConfig>["issuerConf"]["credential_configurations_supported"],
+  credentials_supported: Out<EvaluateIssuerTrust>["issuerConf"]["openid_credential_issuer"]["credential_configurations_supported"],
   { sdJwt, disclosures }: DecodedSdJwtCredential,
   ignoreMissingAttributes: boolean = false,
   includeUndefinedAttributes: boolean = false
@@ -75,10 +63,18 @@ export const parseCredentialSdJwt = (
   const credentialSubject = credentials_supported[sdJwt.payload.vct];
 
   if (!credentialSubject) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential type not supported by the issuer: ${sdJwt.payload.vct}`
+    );
     throw new IoWalletError("Credential type not supported by the issuer");
   }
 
   if (credentialSubject.format !== sdJwt.header.typ) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}'`
+    );
     throw new IoWalletError(
       `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}', `
     );
@@ -86,20 +82,23 @@ export const parseCredentialSdJwt = (
 
   // transfrom a record { key: value } in an iterable of pairs [key, value]
   if (!credentialSubject.claims) {
+    Logger.log(LogLevel.ERROR, "Missing claims in the credential subject");
     throw new IoWalletError("Missing claims in the credential subject"); // TODO [SIW-1268]: should not be optional
   }
-  const claims = credentialSubject.claims as CredentialSdJwtClaims;
-  const attrDefinitions = Object.entries(claims);
+  const attrDefinitions = Object.entries(credentialSubject.claims);
 
   // the key of the attribute defintion must match the disclosure's name
   const attrsNotInDisclosures = attrDefinitions.filter(
-    ([attrKey, definition]) =>
-      !disclosures.some(([, name]) => name === attrKey) && definition.mandatory
+    ([attrKey]) => !disclosures.some(([, name]) => name === attrKey)
   );
   if (attrsNotInDisclosures.length > 0) {
     const missing = attrsNotInDisclosures.map((_) => _[0 /* key */]).join(", ");
     const received = disclosures.map((_) => _[1 /* name */]).join(", ");
     if (!ignoreMissingAttributes) {
+      Logger.log(
+        LogLevel.ERROR,
+        `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
+      );
       throw new IoWalletError(
         `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
       );
@@ -123,8 +122,6 @@ export const parseCredentialSdJwt = (
             },
           ] as const
       )
-      //filter the not found elements
-      .filter(([_, definition]) => definition.value !== undefined)
       // add a human readable attribute name, with i18n, in the form { locale: name }
       // example: { "it-IT": "Nome", "en-EN": "Name", "es-ES": "Nombre" }
       .map(
@@ -159,136 +156,6 @@ export const parseCredentialSdJwt = (
   return definedValues;
 };
 
-//Exported for testing purposes
-export const parseCredentialMDoc = (
-  // the list of supported credentials, as defined in the issuer configuration
-  credentials_supported: Out<GetIssuerConfig>["issuerConf"]["credential_configurations_supported"],
-  credential_type: string,
-  { issuerSigned }: DecodedMDocCredential,
-  ignoreMissingAttributes: boolean = false,
-  includeUndefinedAttributes: boolean = false
-): ParsedCredential => {
-  const credentialSubject = credentials_supported[credential_type];
-
-  if (!credentialSubject) {
-    throw new IoWalletError("Credential type not supported by the issuer");
-  }
-
-  // transfrom a record { key: value } in an iterable of pairs [key, value]
-  if (!credentialSubject.claims) {
-    throw new IoWalletError("Missing claims in the credential subject"); // TODO [SIW-1268]: should not be optional
-  }
-
-  const claims = credentialSubject.claims as Record<
-    string,
-    CredentialSdJwtClaims
-  >;
-
-  const attrDefinitions: [string, string, CredentialClaim][] = Object.entries(
-    claims
-  ).flatMap(([namespace, claimName]) =>
-    Object.entries(claimName).map(
-      ([claimNameKey, definition]) =>
-        [namespace, claimNameKey, definition] as [
-          string,
-          string,
-          CredentialClaim,
-        ]
-    )
-  );
-
-  if (!issuerSigned.nameSpaces) {
-    throw new IoWalletError("Missing claims in the credential");
-  }
-
-  const flatNamespaces: [string, string, string][] = Object.entries(
-    issuerSigned.nameSpaces
-  ).flatMap(([namespace, values]) =>
-    values.map(
-      (v) =>
-        [namespace, v.elementIdentifier, v.elementValue] as [
-          string,
-          string,
-          string,
-        ]
-    )
-  );
-
-  // Check that all mandatory attributes defined in the issuer configuration are present in the disclosure set
-  // and filter the non present ones
-  const attrsNotInDisclosures = attrDefinitions.filter(
-    ([attrDefNamespace, attrKey, definition]) => {
-      const isClaimPresent = flatNamespaces.find(
-        ([namespace, name]) =>
-          attrDefNamespace === namespace && name === attrKey
-      );
-      return isClaimPresent === undefined && definition.mandatory;
-    }
-  );
-  if (attrsNotInDisclosures.length > 0) {
-    const missing = attrsNotInDisclosures
-      .map((_) => _[1 /* claim key */])
-      .join(", ");
-    const received = flatNamespaces.map((_) => _[1 /*name*/]);
-    if (!ignoreMissingAttributes) {
-      throw new IoWalletError(
-        `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
-      );
-    }
-  }
-
-  // Attributes defined in the issuer configuration and present in the disclosure set
-  const definedValues = Object.fromEntries(
-    attrDefinitions
-      // Retrieve the value from the corresponding disclosure
-      .map(
-        ([attrDefNamespace, attrKey, definition]) =>
-          [
-            attrKey,
-            {
-              ...definition,
-              value: flatNamespaces.find(
-                ([namespace, name]) =>
-                  attrDefNamespace === namespace && name === attrKey
-              )?.[2],
-            },
-          ] as const
-      )
-      //filter the not found elements
-      .filter(([_, definition]) => definition.value !== undefined)
-      // Add a human-readable attribute name, with i18n, in the form { locale: name }
-      // Example: { "it-IT": "Nome", "en-EN": "Name", "es-ES": "Nombre" }
-      .map(
-        ([attrKey, { display, ...definition }]) =>
-          [
-            attrKey,
-            {
-              ...definition,
-              name: display.reduce(
-                (names, { locale, name }) => ({ ...names, [locale]: name }),
-                {} as Record<string, string>
-              ),
-            },
-          ] as const
-      )
-  );
-
-  if (includeUndefinedAttributes) {
-    // Attributes that are present in the disclosure set but not defined in the issuer configuration
-    const undefinedValues = Object.fromEntries(
-      flatNamespaces
-        .filter(([, key]) => !Object.keys(definedValues).includes(key))
-        .map(([, key, value]) => [key, { value, name: key }])
-    );
-    return {
-      ...definedValues,
-      ...undefinedValues,
-    };
-  }
-
-  return definedValues;
-};
-
 /**
  * Given a credential, verify it's in the supported format
  * and the credential is correctly signed
@@ -319,6 +186,10 @@ async function verifyCredentialSdJwt(
   const { cnf } = decodedCredential.sdJwt.payload;
 
   if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`
+    );
     throw new IoWalletError(
       `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`
     );
@@ -327,72 +198,18 @@ async function verifyCredentialSdJwt(
   return decodedCredential;
 }
 
-/**
- * Given a credential, verify it's in the supported format
- * and the credential is correctly signed
- * and it's bound to the given key
- *
- * @param rawCredential The received credential
- * @param issuerKeys The set of public keys of the issuer,
- * which will be used to verify the signature
- * @param holderBindingContext The access to the holder's key
- *
- * @throws If the signature verification fails
- * @throws If the credential is not in the SdJwt4VC format
- * @throws If the holder binding is not properly configured
- *
- */
-async function verifyCredentialMDoc(
-  rawCredential: string,
-  issuerKeys: JWK[],
-  holderBindingContext: CryptoContext
-): Promise<DecodedMDocCredential> {
-  /**
-   * For the moment, being that issues in the crypto key generation
-   * have been found on Android, the check for the deviceKey inside
-   * of the mDoc is skipped, so we are not interested in the holderBindingKey
-   */
-  const [decodedCredential, _] =
-    // parallel for optimization
-    await Promise.all([
-      verifyMdoc(rawCredential, issuerKeys),
-      holderBindingContext.getPublicKey(),
-    ]);
-
-  if (!decodedCredential) {
-    throw new IoWalletError("No MDOC credentials found!");
-  }
-
-  /**
-   * For the moment, being that issues in the crypto key generation
-   * have been found on Android, the check for the deviceKey inside
-   * of the mDoc is skipped.
-   */
-  //const key = decodedCredential.mDoc.issuerSigned.issuerAuth.payload.deviceKeyInfo.deviceKey;
-  //
-  //if (!compareKeysByThumbprint(key, holderBindingKey as PublicKey)) {
-  //  throw new IoWalletError(
-  //    `Failed to verify holder binding, holder binding key and mDoc deviceKey don't match`
-  //  );
-  //}
-
-  return decodedCredential;
-}
-
 // utility type that specialize VerifyAndParseCredential for given format
 type WithFormat<Format extends Parameters<VerifyAndParseCredential>[2]> = (
   _0: Parameters<VerifyAndParseCredential>[0],
   _1: Parameters<VerifyAndParseCredential>[1],
   _2: Format,
-  _3: Parameters<VerifyAndParseCredential>[3],
-  _4: Parameters<VerifyAndParseCredential>[4]
+  _3: Parameters<VerifyAndParseCredential>[3]
 ) => ReturnType<VerifyAndParseCredential>;
 
 const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
   issuerConf,
   credential,
   _,
-  __,
   {
     credentialCryptoContext,
     ignoreMissingAttributes,
@@ -401,19 +218,25 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
 ) => {
   const decoded = await verifyCredentialSdJwt(
     credential,
-    issuerConf.keys,
+    issuerConf.openid_credential_issuer.jwks.keys,
     credentialCryptoContext
   );
 
+  Logger.log(LogLevel.DEBUG, `Decoded credential: ${JSON.stringify(decoded)}`);
+
   const parsedCredential = parseCredentialSdJwt(
-    issuerConf.credential_configurations_supported,
+    issuerConf.openid_credential_issuer.credential_configurations_supported,
     decoded,
     ignoreMissingAttributes,
     includeUndefinedAttributes
   );
-
   const maybeIssuedAt = getValueFromDisclosures(decoded.disclosures, "iat");
 
+  Logger.log(
+    LogLevel.DEBUG,
+    `Parsed credential: ${JSON.stringify(parsedCredential)}\nIssued at: ${maybeIssuedAt}`
+  );
+
   return {
     parsedCredential,
     expiration: new Date(decoded.sdJwt.payload.exp * 1000),
@@ -424,50 +247,9 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
   };
 };
 
-const verifyAndParseCredentialMDoc: WithFormat<"mso_mdoc"> = async (
-  issuerConf,
-  credential,
-  _,
-  credentialType,
-  { credentialCryptoContext, ignoreMissingAttributes }
-) => {
-  const decoded = await verifyCredentialMDoc(
-    credential,
-    issuerConf.keys,
-    credentialCryptoContext
-  );
-
-  const parsedCredential = parseCredentialMDoc(
-    issuerConf.credential_configurations_supported,
-    credentialType,
-    decoded,
-    undefined,
-    ignoreMissingAttributes
-  );
-
-  const expirationDate = extractElementValueAsDate(
-    parsedCredential?.expiry_date?.value as string
-  );
-  if (!expirationDate) {
-    throw new IoWalletError(`expirationDate must be present!!`);
-  }
-  expirationDate?.setDate(expirationDate.getDate() + 1);
-
-  const maybeIssuedAt = extractElementValueAsDate(
-    parsedCredential?.issue_date?.value as string
-  );
-  maybeIssuedAt?.setDate(maybeIssuedAt.getDate() + 1);
-
-  return {
-    parsedCredential,
-    expiration: expirationDate ?? new Date(),
-    issuedAt: maybeIssuedAt ?? undefined,
-  };
-};
-
 /**
  * Verify and parse an encoded credential.
- * @param issuerConf The Issuer configuration returned by {@link getIssuerConfig}
+ * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
  * @param credential The encoded credential returned by {@link obtainCredential}
  * @param format The format of the credentual returned by {@link obtainCredential}
  * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
@@ -482,27 +264,18 @@ export const verifyAndParseCredential: VerifyAndParseCredential = async (
   issuerConf,
   credential,
   format,
-  credentialType,
   context
 ) => {
   if (format === "vc+sd-jwt") {
+    Logger.log(LogLevel.DEBUG, "Parsing credential in vc+sd-jwt format");
     return verifyAndParseCredentialSdJwt(
       issuerConf,
       credential,
       format,
-      credentialType,
-      context
-    );
-  }
-  if (format === "mso_mdoc") {
-    return verifyAndParseCredentialMDoc(
-      issuerConf,
-      credential,
-      format,
-      credentialType,
       context
     );
   }
 
+  Logger.log(LogLevel.ERROR, `Unsupported credential format: ${format}`);
   throw new IoWalletError(`Unsupported credential format: ${format}`);
 };

package/src/credential/issuance/README.md

@@ -6,7 +6,7 @@ There's a fork in the flow which is based on the type of the credential that is
 This is due to the fact that eID credentials require a different authorization flow than other credentials, which is accomplished by a strong authentication method like SPID or CIE.
 Credentials instead require a simpler authorization flow and they require other credentials to be presented in order to be issued.
 
-The supported credentials are defined in the entity configuration of the issuer which is evaluted and parsed in the `getIssuerConfig` step.
+The supported credentials are defined in the entity configuration of the issuer which is evaluted and parsed in the `evaluateIssuerTrust` step.
 
 ## Sequence Diagram
 
@@ -14,7 +14,7 @@ The supported credentials are defined in the entity configuration of the issuer
 graph TD;
     0[WalletInstanceAttestation.getAttestation]
     1[startFlow]
-    2[getIssuerConfig]
+    2[evaluateIssuerTrust]
     3[startUserAuthorization]
     C4[getRequestedCredentialToBePresented]
     C4.1[completeUserAuthorizationWithFormPostJwtMode]
@@ -41,9 +41,12 @@ graph TD;
 
 The following errors are mapped to a `IssuerResponseError` with specific codes.
 
-| HTTP Status | Error Code                 | Description                                                                                           |
-| ----------- | -------------------------- | ----------------------------------------------------------------------------------------------------- |
-| `*`         | `ERR_ISSUER_GENERIC_ERROR` | This is a generic error code to map unexpected errors that occurred when interacting with the Issuer. |
+|HTTP Status|Error Code|Description|
+|-----------|----------|-----------|
+|`201 Created`|`ERR_CREDENTIAL_ISSUING_NOT_SYNCHRONOUS`| This response is returned by the credential issuer when the request has been queued because the credential cannot be issued synchronously. The consumer should try to obtain the credential at a later time. Although `201 Created` is not considered an error, it is mapped as an error in this context in order to handle the case where the credential issuance is not synchronous. This allows keeping the flow consistent and handle the case where the credential is not immediately available.|
+|`403 Forbidden`|`ERR_CREDENTIAL_INVALID_STATUS`|This response is returned by the credential issuer when the requested credential has an invalid status. It might contain more details in the `reason` property.|
+|`404 Not Found`|`ERR_CREDENTIAL_INVALID_STATUS`| This response is returned by the credential issuer when the authenticated user is not entitled to receive the requested credential. It might contain more details in the `reason` property.|
+|`*`|`ERR_ISSUER_GENERIC_ERROR`|This is a generic error code to map unexpected errors that occurred when interacting with the Issuer.|
 
 ## Strong authentication for eID issuance (Query Mode)
 
@@ -105,7 +108,7 @@ const eid = {
 const eidCryptoContext = createCryptoContextFor(eid.keyTag);
 
 // Create credential crypto context
-const credentialKeyTag = uuid.v4().toString();
+const credentialKeyTag = uuidv4().toString();
 await generate(credentialKeyTag); // Let's assume this function generates a new hardware-backed key pair
 const credentialCryptoContext = createCryptoContextFor(credentialKeyTag);
 
@@ -118,7 +121,7 @@ const startFlow: Credential.Issuance.StartFlow = () => ({
 const { issuerUrl } = startFlow();
 
 // Evaluate issuer trust
-const { issuerConf } = await Credential.Issuance.getIssuerConfig(issuerUrl);
+const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(issuerUrl);
 
 // Start user authorization
 const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
@@ -241,23 +244,24 @@ const authorizationContext = idpHint.includes("servizicie")
  * Create credential crypto context for the PID
  * WARNING: The eID keytag must be persisted and later used when requesting a credential which requires a eID presentation
  */
-const credentialKeyTag = uuid.v4().toString();
+const credentialKeyTag = uuidv4().toString();
 await generate(credentialKeyTag);
 const credentialCryptoContext = createCryptoContextFor(credentialKeyTag);
 
 // Start the issuance flow
 const startFlow: Credential.Issuance.StartFlow = () => ({
   issuerUrl: WALLET_EID_PROVIDER_BASE_URL,
-  credentialType: "urn:eu.europa.ec.eudi:pid:1",
+  credentialType: "PersonIdentificationData",
   appFetch,
 });
 
 const { issuerUrl } = startFlow();
 
 // Evaluate issuer trust
-const { issuerConf } = await Credential.Issuance.getIssuerConfig(issuerUrl, {
-  appFetch,
-});
+const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(
+  issuerUrl,
+  { appFetch }
+);
 
 // Start user authorization
 const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
@@ -311,13 +315,12 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
 );
 
 // Parse and verify the eID credential
-const { parsedCredential, issuedAt, expiration } =
-  await Credential.Issuance.verifyAndParseCredential(
-    issuerConf,
-    credential,
-    format,
-    { credentialCryptoContext }
-  );
+const { parsedCredential, issuedAt, expiration } = await Credential.Issuance.verifyAndParseCredential(
+  issuerConf,
+  credential,
+  format,
+  { credentialCryptoContext }
+);
 
 return {
   parsedCredential,
@@ -325,7 +328,7 @@ return {
   keyTag: credentialKeyTag,
   credentialType,
   issuedAt,
-  expiration,
+  expiration
 };
 ```
 

package/src/credential/issuance/const.ts

@@ -7,5 +7,5 @@ export type SupportedCredentialFormat = z.infer<
 >;
 export const SupportedCredentialFormat = z.union([
   z.literal("vc+sd-jwt"),
-  z.literal("mso_mdoc"),
+  z.literal("vc+mdoc-cbor"),
 ]);

package/src/credential/issuance/index.ts

@@ -1,5 +1,8 @@
 import { type StartFlow } from "./01-start-flow";
-import { getIssuerConfig, type GetIssuerConfig } from "./02-get-issuer-config";
+import {
+  evaluateIssuerTrust,
+  type EvaluateIssuerTrust,
+} from "./02-evaluate-issuer-trust";
 import {
   startUserAuthorization,
   type StartUserAuthorization,
@@ -27,7 +30,7 @@ import {
 import * as Errors from "./errors";
 
 export {
-  getIssuerConfig,
+  evaluateIssuerTrust,
   startUserAuthorization,
   buildAuthorizationUrl,
   completeUserAuthorizationWithQueryMode,
@@ -41,7 +44,7 @@ export {
 };
 export type {
   StartFlow,
-  GetIssuerConfig,
+  EvaluateIssuerTrust,
   StartUserAuthorization,
   BuildAuthorizationUrl,
   CompleteUserAuthorizationWithQueryMode,

package/src/credential/presentation/01-start-flow.ts

@@ -1,45 +1,42 @@
 import * as z from "zod";
-import { ValidationFailed } from "../../utils/errors";
+import { InvalidQRCodeError } from "./errors";
 
 const PresentationParams = z.object({
-  clientId: z.string().nonempty(),
-  requestUri: z.string().url(),
+  client_id: z.string().nonempty(),
+  request_uri: z.string().url(),
+  request_uri_method: z.enum(["get", "post"]),
+  state: z.string().optional(),
 });
+export type PresentationParams = z.infer<typeof PresentationParams>;
 
 /**
  * The beginning of the presentation flow.
  * To be implemented accordind to the user touchpoint
  *
- * @param Optional parameters, depending on the starting touchoint
+ * @param params Presentation parameters, depending on the starting touchpoint
  * @returns The url for the Relying Party to connect with
  */
-export type StartFlow<T extends Array<unknown> = []> = (...args: T) => {
-  requestUri: string;
-  clientId: string;
-};
+export type StartFlow = (params: {
+  [K in keyof PresentationParams]?: PresentationParams[K] | null;
+}) => PresentationParams;
 
 /**
- * Start a presentation flow by decoding the parameters needed to start the presentation flow.
+ * Start a presentation flow by validating the required parameters.
+ * Parameters are extracted from a url encoded in a QR code or in a deep link.
  *
- * @param qrcode The encoded QR-code content
+ * @param params The parameters to be validated
  * @returns The url for the Relying Party to connect with
- * @throws If the provided qr code fails to be decoded
+ * @throws If the provided parameters are not valid
  */
-export const startFlowFromQR: StartFlow<[string, string]> = (
-  requestUri: string,
-  clientId: string
-) => {
+export const startFlowFromQR: StartFlow = (params) => {
   const result = PresentationParams.safeParse({
-    requestUri,
-    clientId,
+    ...params,
+    request_uri_method: params.request_uri_method ?? "get",
   });
 
   if (result.success) {
     return result.data;
-  } else {
-    throw new ValidationFailed({
-      message: "Invalid parameters provided",
-      reason: result.error.message,
-    });
   }
+
+  throw new InvalidQRCodeError(result.error.message);
 };

package/src/credential/presentation/02-evaluate-rp-trust.ts

@@ -1,5 +1,5 @@
-import { getRelyingPartyEntityConfiguration } from "../../entity/trust/index";
-import { RelyingPartyEntityConfiguration } from "../../entity/trust/types";
+import { getRelyingPartyEntityConfiguration } from "../../trust";
+import { RelyingPartyEntityConfiguration } from "../../trust/types";
 import type { StartFlow } from "../issuance/01-start-flow";
 import type { Out } from "../../utils/misc";
 
@@ -10,6 +10,7 @@ export type EvaluateRelyingPartyTrust = (
   }
 ) => Promise<{
   rpConf: RelyingPartyEntityConfiguration["payload"]["metadata"];
+  subject: string;
 }>;
 
 /**
@@ -25,9 +26,9 @@ export const evaluateRelyingPartyTrust: EvaluateRelyingPartyTrust = async (
   { appFetch = fetch } = {}
 ) => {
   const {
-    payload: { metadata: rpConf },
+    payload: { metadata: rpConf, sub },
   } = await getRelyingPartyEntityConfiguration(rpUrl, {
     appFetch,
   });
-  return { rpConf };
+  return { rpConf, subject: sub };
 };