@pagopa/io-react-native-wallet 2.0.0-next.2 → 2.0.0-next.4

package/lib/module/credential/issuance/04-complete-user-authorization.js

@@ -2,13 +2,13 @@ import { AuthorizationErrorShape, AuthorizationResultShape } from "../../utils/a
 import { hasStatusOrThrow } from "../../utils/misc";
 import parseUrl from "parse-url";
 import { IssuerResponseError, ValidationFailed } from "../../utils/errors";
-import { decode, encodeBase64, SignJWT } from "@pagopa/io-react-native-jwt";
+import { decode, SignJWT } from "@pagopa/io-react-native-jwt";
 import { RequestObject } from "../presentation/types";
-import { v4 as uuidv4 } from "uuid";
 import { ResponseUriResultShape } from "./types";
 import { getJwtFromFormPost } from "../../utils/decoder";
 import { AuthorizationError, AuthorizationIdpError } from "./errors";
 import { LogLevel, Logger } from "../../utils/logging";
+import { Presentation } from "..";
 
 /**
  * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
@@ -86,70 +86,46 @@ export const getRequestedCredentialToBePresented = async function (issuerRequest
 };
 
 /**
- * WARNING: This function must be called after {@link startUserAuthorization}. The next function to be called is {@link completeUserAuthorizationWithFormPostJwtMode}.
+ * WARNING: This function must be called after {@link getRequestedCredentialToBePresented}. The next function to be called is {@link authorizeAccess}.
  * The interface of the phase to complete User authorization via presentation of existing credentials when the response mode is "form_post.jwt".
- * It is used as a first step to complete the user authorization by obtaining the requested credential to be presented from the authorization server.
- * The information is obtained by performing a GET request to the authorization endpoint with request_uri and client_id parameters.
- * @param issuerRequestUri the URI of the issuer where the request is sent
- * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
- * @param context.walletInstanceAccestation the Wallet Instance's attestation to be presented
- * @param context.pid the PID to be presented
- * @param context.wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
- * @param context.pidCryptoContext The PID crypto context associated with the pid parameter
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * The information is obtained by performing a POST request to the endpoint received in the response_uri field of the requestObject, where the Authorization Response payload is posted.
+ * Following this,the redirect_uri from the response is used to obtain the final authorization response.
+ * @param requestObject - The request object containing the necessary parameters for authorization.
+ * @param pid The `PID` that must be presented for the issuance of credentials.
+ * @param appFetch (optional) fetch api implementation. Default: built-in fetch
  * @throws {ValidationFailed} if an error while validating the response
  * @returns the authorization response which contains code, state and iss
  */
-export const completeUserAuthorizationWithFormPostJwtMode = async (requestObject, ctx) => {
-  Logger.log(LogLevel.DEBUG, `The requeste credential is not a PersonIdentificationData, completing the user authorization with form_post.jwt mode`);
-  const {
+export const completeUserAuthorizationWithFormPostJwtMode = async (requestObject, pid, _ref) => {
+  let {
     wiaCryptoContext,
     pidCryptoContext,
-    pid,
-    walletInstanceAttestation,
     appFetch = fetch
-  } = ctx;
-  const wiaWpToken = await new SignJWT(wiaCryptoContext).setProtectedHeader({
-    alg: "ES256",
-    typ: "JWT"
-  }).setPayload({
-    vp: walletInstanceAttestation,
-    jti: uuidv4().toString(),
-    nonce: requestObject.nonce
-  }).setIssuedAt().setExpirationTime("5m").setAudience(requestObject.response_uri).sign();
-  const pidWpToken = await new SignJWT(pidCryptoContext).setProtectedHeader({
-    alg: "ES256",
-    typ: "JWT"
-  }).setPayload({
-    vp: pid,
-    jti: uuidv4().toString(),
-    nonce: requestObject.nonce
-  }).setIssuedAt().setExpirationTime("5m").setAudience(requestObject.response_uri).sign();
-  Logger.log(LogLevel.DEBUG, `Wallet instance attestation JWT token: ${wiaWpToken}`);
-
-  /* The path parameter refers to the vp_token variable of the authzResponsePayload and must point to the plain credential which
-   * is cointaned in the `vp` property of the signed jwt token payload
-   */
-  const presentationSubmission = {
-    definition_id: `${uuidv4()}`,
-    id: `${uuidv4()}`,
-    descriptor_map: [{
-      id: "PersonIdentificationData",
-      path: "$.vp_token[0].vp",
-      format: "vc+sd-jwt"
-    }, {
-      id: "WalletAttestation",
-      path: "$.vp_token[1].vp",
-      format: "jwt"
-    }]
-  };
-  Logger.log(LogLevel.DEBUG, `Presentation submission: ${JSON.stringify(presentationSubmission)}`);
-  const authzResponsePayload = encodeBase64(JSON.stringify({
+  } = _ref;
+  Logger.log(LogLevel.DEBUG, `The requeste credential is not a PersonIdentificationData, completing the user authorization with form_post.jwt mode`);
+  if (!requestObject.dcql_query) {
+    throw new Error("Invalid request object");
+  }
+  const dcqlQueryResult = Presentation.evaluateDcqlQuery([[pidCryptoContext, pid]], requestObject.dcql_query);
+  const credentialsToPresent = dcqlQueryResult.map(_ref2 => {
+    let {
+      requiredDisclosures,
+      ...rest
+    } = _ref2;
+    return {
+      ...rest,
+      requestedClaims: requiredDisclosures.map(_ref3 => {
+        let [, claimName] = _ref3;
+        return claimName;
+      })
+    };
+  });
+  const remotePresentations = await Presentation.prepareRemotePresentations(credentialsToPresent, requestObject.nonce, requestObject.client_id);
+  const authzResponsePayload = await createAuthzResponsePayload({
     state: requestObject.state,
-    presentation_submission: presentationSubmission,
-    vp_token: [pidWpToken, wiaWpToken]
-  }));
+    remotePresentations,
+    wiaCryptoContext
+  });
   Logger.log(LogLevel.DEBUG, `Authz response payload: ${authzResponsePayload}`);
 
   // Note: according to the spec, the response should be encrypted with the public key of the RP however this is not implemented yet
@@ -203,4 +179,46 @@ export const parseAuthorizationResponse = authRes => {
   }
   return authResParsed.data;
 };
+
+/**
+ * Creates the authorization response payload to be sent.
+ * This payload includes the state and the VP tokens for the presented credentials.
+ * The payload is encoded in Base64.
+ * @param state - The state parameter from the request object (optional).
+ * @param remotePresentations - An array of remote presentations containing credential IDs and their corresponding VP tokens.
+ * @returns The Base64 encoded authorization response payload.
+ */
+const createAuthzResponsePayload = async _ref4 => {
+  let {
+    state,
+    remotePresentations,
+    wiaCryptoContext
+  } = _ref4;
+  const {
+    kid
+  } = await wiaCryptoContext.getPublicKey();
+  return new SignJWT(wiaCryptoContext).setProtectedHeader({
+    typ: "jwt",
+    kid
+  }).setPayload({
+    /**
+     * TODO [SIW-2264]: `state` coming from `requestObject` is marked as `optional`
+     * At the moment, it is not entirely clear whether this value can indeed be omitted
+     * and, if so, what the consequences of its absence might be.
+     */
+    ...(state ? {
+      state
+    } : {}),
+    vp_token: remotePresentations.reduce((vp_token, _ref5) => {
+      let {
+        credentialId,
+        vpToken
+      } = _ref5;
+      return {
+        ...vp_token,
+        [credentialId]: vpToken
+      };
+    }, {})
+  }).setIssuedAt().setExpirationTime("1h").sign();
+};
 //# sourceMappingURL=04-complete-user-authorization.js.map

package/lib/module/credential/issuance/04-complete-user-authorization.js.map

@@ -1 +1 @@
-{"version":3,"names":["AuthorizationErrorShape","AuthorizationResultShape","hasStatusOrThrow","parseUrl","IssuerResponseError","ValidationFailed","decode","encodeBase64","SignJWT","RequestObject","v4","uuidv4","ResponseUriResultShape","getJwtFromFormPost","AuthorizationError","AuthorizationIdpError","LogLevel","Logger","buildAuthorizationUrl","issuerRequestUri","clientId","issuerConf","idpHint","authzRequestEndpoint","oauth_authorization_server","authorization_endpoint","params","URLSearchParams","client_id","request_uri","append","authUrl","completeUserAuthorizationWithQueryMode","authRedirectUrl","log","DEBUG","query","parseAuthorizationResponse","getRequestedCredentialToBePresented","appFetch","arguments","length","undefined","fetch","toString","requestObject","method","then","res","text","jws","reqObj","safeParse","payload","success","ERROR","error","message","reason","data","completeUserAuthorizationWithFormPostJwtMode","ctx","wiaCryptoContext","pidCryptoContext","pid","walletInstanceAttestation","wiaWpToken","setProtectedHeader","alg","typ","setPayload","vp","jti","nonce","setIssuedAt","setExpirationTime","setAudience","response_uri","sign","pidWpToken","presentationSubmission","definition_id","id","descriptor_map","path","format","JSON","stringify","authzResponsePayload","state","presentation_submission","vp_token","body","response","resUriRes","headers","reqUri","json","responseUri","redirect_uri","cbRes","decodedJwt","authRes","authResParsed","authErr","error_description"],"sourceRoot":"../../../../src","sources":["credential/issuance/04-complete-user-authorization.ts"],"mappings":"AAAA,SACEA,uBAAuB,EACvBC,wBAAwB,QAEnB,kBAAkB;AACzB,SAASC,gBAAgB,QAAkB,kBAAkB;AAE7D,OAAOC,QAAQ,MAAM,WAAW;AAChC,SAASC,mBAAmB,EAAEC,gBAAgB,QAAQ,oBAAoB;AAE1E,SACEC,MAAM,EACNC,YAAY,EACZC,OAAO,QAEF,6BAA6B;AACpC,SAASC,aAAa,QAAQ,uBAAuB;AACrD,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,sBAAsB,QAAQ,SAAS;AAChD,SAASC,kBAAkB,QAAQ,qBAAqB;AACxD,SAASC,kBAAkB,EAAEC,qBAAqB,QAAQ,UAAU;AACpE,SAASC,QAAQ,EAAEC,MAAM,QAAQ,qBAAqB;;AAEtD;AACA;AACA;;AAgCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,qBAA4C,GAAG,MAAAA,CAC1DC,gBAAgB,EAChBC,QAAQ,EACRC,UAAU,EACVC,OAAO,KACJ;EACH,MAAMC,oBAAoB,GACxBF,UAAU,CAACG,0BAA0B,CAACC,sBAAsB;EAE9D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAER,QAAQ;IACnBS,WAAW,EAAEV;EACf,CAAC,CAAC;EAEF,IAAIG,OAAO,EAAE;IACXI,MAAM,CAACI,MAAM,CAAC,SAAS,EAAER,OAAO,CAAC;EACnC;EAEA,MAAMS,OAAO,GAAI,GAAER,oBAAqB,IAAGG,MAAO,EAAC;EAEnD,OAAO;IAAEK;EAAQ,CAAC;AACpB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sCAA8E,GACzF,MAAOC,eAAe,IAAK;EACzBhB,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACmB,KAAK,EACb,0GACH,CAAC;EACD,MAAMC,KAAK,GAAGjC,QAAQ,CAAC8B,eAAe,CAAC,CAACG,KAAK;EAE7C,OAAOC,0BAA0B,CAACD,KAAK,CAAC;AAC1C,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAME,mCAAwE,GACnF,eAAAA,CAAOnB,gBAAgB,EAAEC,QAAQ,EAAEC,UAAU,EAAuB;EAAA,IAArBkB,QAAQ,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGG,KAAK;EAC7D1B,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACmB,KAAK,EACb,sGACH,CAAC;EACD,MAAMZ,oBAAoB,GACxBF,UAAU,CAACG,0BAA0B,CAACC,sBAAsB;EAC9D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAER,QAAQ;IACnBS,WAAW,EAAEV;EACf,CAAC,CAAC;EAEFF,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACmB,KAAK,EACb,oCAAmCZ,oBAAqB,IAAGG,MAAM,CAACkB,QAAQ,CAAC,CAAE,EAChF,CAAC;EAED,MAAMC,aAAa,GAAG,MAAMN,QAAQ,CACjC,GAAEhB,oBAAqB,IAAGG,MAAM,CAACkB,QAAQ,CAAC,CAAE,EAAC,EAC9C;IAAEE,MAAM,EAAE;EAAM,CAClB,CAAC,CACEC,IAAI,CAAC7C,gBAAgB,CAAC,GAAG,EAAEE,mBAAmB,CAAC,CAAC,CAChD2C,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEG,GAAG,IAAK5C,MAAM,CAAC4C,GAAG,CAAC,CAAC,CAC1BH,IAAI,CAAEI,MAAM,IAAK1C,aAAa,CAAC2C,SAAS,CAACD,MAAM,CAACE,OAAO,CAAC,CAAC;EAE5D,IAAI,CAACR,aAAa,CAACS,OAAO,EAAE;IAC1BrC,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACuC,KAAK,EACb,+CAA8CV,aAAa,CAACW,KAAK,CAACC,OAAQ,EAC7E,CAAC;IACD,MAAM,IAAIpD,gBAAgB,CAAC;MACzBoD,OAAO,EAAE,kCAAkC;MAC3CC,MAAM,EAAEb,aAAa,CAACW,KAAK,CAACC;IAC9B,CAAC,CAAC;EACJ;EACA,OAAOZ,aAAa,CAACc,IAAI;AAC3B,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,4CAA0F,GACrG,MAAAA,CAAOf,aAAa,EAAEgB,GAAG,KAAK;EAC5B5C,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACmB,KAAK,EACb,sHACH,CAAC;EAED,MAAM;IACJ2B,gBAAgB;IAChBC,gBAAgB;IAChBC,GAAG;IACHC,yBAAyB;IACzB1B,QAAQ,GAAGI;EACb,CAAC,GAAGkB,GAAG;EAEP,MAAMK,UAAU,GAAG,MAAM,IAAI1D,OAAO,CAACsD,gBAAgB,CAAC,CACnDK,kBAAkB,CAAC;IAClBC,GAAG,EAAE,OAAO;IACZC,GAAG,EAAE;EACP,CAAC,CAAC,CACDC,UAAU,CAAC;IACVC,EAAE,EAAEN,yBAAyB;IAC7BO,GAAG,EAAE7D,MAAM,CAAC,CAAC,CAACiC,QAAQ,CAAC,CAAC;IACxB6B,KAAK,EAAE5B,aAAa,CAAC4B;EACvB,CAAC,CAAC,CACDC,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,WAAW,CAAC/B,aAAa,CAACgC,YAAY,CAAC,CACvCC,IAAI,CAAC,CAAC;EAET,MAAMC,UAAU,GAAG,MAAM,IAAIvE,OAAO,CAACuD,gBAAgB,CAAC,CACnDI,kBAAkB,CAAC;IAClBC,GAAG,EAAE,OAAO;IACZC,GAAG,EAAE;EACP,CAAC,CAAC,CACDC,UAAU,CAAC;IACVC,EAAE,EAAEP,GAAG;IACPQ,GAAG,EAAE7D,MAAM,CAAC,CAAC,CAACiC,QAAQ,CAAC,CAAC;IACxB6B,KAAK,EAAE5B,aAAa,CAAC4B;EACvB,CAAC,CAAC,CACDC,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,WAAW,CAAC/B,aAAa,CAACgC,YAAY,CAAC,CACvCC,IAAI,CAAC,CAAC;EAET7D,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACmB,KAAK,EACb,0CAAyC+B,UAAW,EACvD,CAAC;;EAED;AACJ;AACA;EACI,MAAMc,sBAAsB,GAAG;IAC7BC,aAAa,EAAG,GAAEtE,MAAM,CAAC,CAAE,EAAC;IAC5BuE,EAAE,EAAG,GAAEvE,MAAM,CAAC,CAAE,EAAC;IACjBwE,cAAc,EAAE,CACd;MACED,EAAE,EAAE,0BAA0B;MAC9BE,IAAI,EAAE,kBAAkB;MACxBC,MAAM,EAAE;IACV,CAAC,EACD;MACEH,EAAE,EAAE,mBAAmB;MACvBE,IAAI,EAAE,kBAAkB;MACxBC,MAAM,EAAE;IACV,CAAC;EAEL,CAAC;EAEDpE,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACmB,KAAK,EACb,4BAA2BmD,IAAI,CAACC,SAAS,CAACP,sBAAsB,CAAE,EACrE,CAAC;EAED,MAAMQ,oBAAoB,GAAGjF,YAAY,CACvC+E,IAAI,CAACC,SAAS,CAAC;IACbE,KAAK,EAAE5C,aAAa,CAAC4C,KAAK;IAC1BC,uBAAuB,EAAEV,sBAAsB;IAC/CW,QAAQ,EAAE,CAACZ,UAAU,EAAEb,UAAU;EACnC,CAAC,CACH,CAAC;EAEDjD,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACmB,KAAK,EACb,2BAA0BqD,oBAAqB,EAClD,CAAC;;EAED;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;EAEA,MAAMI,IAAI,GAAG,IAAIjE,eAAe,CAAC;IAC/BkE,QAAQ,EAAEL;EACZ,CAAC,CAAC,CAAC5C,QAAQ,CAAC,CAAC;EAEb,MAAMkD,SAAS,GAAG,MAAMvD,QAAQ,CAACM,aAAa,CAACgC,YAAY,EAAE;IAC3D/B,MAAM,EAAE,MAAM;IACdiD,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDH;EACF,CAAC,CAAC,CACC7C,IAAI,CAAC7C,gBAAgB,CAAC,GAAG,EAAEE,mBAAmB,CAAC,CAAC,CAChD2C,IAAI,CAAEiD,MAAM,IAAKA,MAAM,CAACC,IAAI,CAAC,CAAC,CAAC;EAElC,MAAMC,WAAW,GAAGtF,sBAAsB,CAACwC,SAAS,CAAC0C,SAAS,CAAC;EAC/D,IAAI,CAACI,WAAW,CAAC5C,OAAO,EAAE;IACxBrC,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACuC,KAAK,EACb,4CAA2C2C,WAAW,CAAC1C,KAAK,CAACC,OAAQ,EACxE,CAAC;IACD,MAAM,IAAIpD,gBAAgB,CAAC;MACzBoD,OAAO,EAAE,gCAAgC;MACzCC,MAAM,EAAEwC,WAAW,CAAC1C,KAAK,CAACC;IAC5B,CAAC,CAAC;EACJ;EAEA,OAAO,MAAMlB,QAAQ,CAAC2D,WAAW,CAACvC,IAAI,CAACwC,YAAY,CAAC,CACjDpD,IAAI,CAAC7C,gBAAgB,CAAC,GAAG,EAAEE,mBAAmB,CAAC,CAAC,CAChD2C,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAClC,kBAAkB,CAAC,CACxBkC,IAAI,CAAEqD,KAAK,IAAK/D,0BAA0B,CAAC+D,KAAK,CAACC,UAAU,CAAChD,OAAO,CAAC,CAAC;AAC1E,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMhB,0BAA0B,GACrCiE,OAAgB,IACQ;EACxB,MAAMC,aAAa,GAAGtG,wBAAwB,CAACmD,SAAS,CAACkD,OAAO,CAAC;EACjE,IAAI,CAACC,aAAa,CAACjD,OAAO,EAAE;IAC1B,MAAMkD,OAAO,GAAGxG,uBAAuB,CAACoD,SAAS,CAACkD,OAAO,CAAC;IAC1D,IAAI,CAACE,OAAO,CAAClD,OAAO,EAAE;MACpBrC,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACuC,KAAK,EACb,mDAAkDgD,aAAa,CAAC/C,KAAK,CAACC,OAAQ,EACjF,CAAC;MACD,MAAM,IAAI3C,kBAAkB,CAACyF,aAAa,CAAC/C,KAAK,CAACC,OAAO,CAAC,CAAC,CAAC;IAC7D;;IACAxC,MAAM,CAACiB,GAAG,CACRlB,QAAQ,CAACuC,KAAK,EACb,2CAA0C+B,IAAI,CAACC,SAAS,CAACiB,OAAO,CAAE,EACrE,CAAC;IACD,MAAM,IAAIzF,qBAAqB,CAC7ByF,OAAO,CAAC7C,IAAI,CAACH,KAAK,EAClBgD,OAAO,CAAC7C,IAAI,CAAC8C,iBACf,CAAC;EACH;EACA,OAAOF,aAAa,CAAC5C,IAAI;AAC3B,CAAC"}
+{"version":3,"names":["AuthorizationErrorShape","AuthorizationResultShape","hasStatusOrThrow","parseUrl","IssuerResponseError","ValidationFailed","decode","SignJWT","RequestObject","ResponseUriResultShape","getJwtFromFormPost","AuthorizationError","AuthorizationIdpError","LogLevel","Logger","Presentation","buildAuthorizationUrl","issuerRequestUri","clientId","issuerConf","idpHint","authzRequestEndpoint","oauth_authorization_server","authorization_endpoint","params","URLSearchParams","client_id","request_uri","append","authUrl","completeUserAuthorizationWithQueryMode","authRedirectUrl","log","DEBUG","query","parseAuthorizationResponse","getRequestedCredentialToBePresented","appFetch","arguments","length","undefined","fetch","toString","requestObject","method","then","res","text","jws","reqObj","safeParse","payload","success","ERROR","error","message","reason","data","completeUserAuthorizationWithFormPostJwtMode","pid","_ref","wiaCryptoContext","pidCryptoContext","dcql_query","Error","dcqlQueryResult","evaluateDcqlQuery","credentialsToPresent","map","_ref2","requiredDisclosures","rest","requestedClaims","_ref3","claimName","remotePresentations","prepareRemotePresentations","nonce","authzResponsePayload","createAuthzResponsePayload","state","body","response","resUriRes","response_uri","headers","reqUri","json","responseUri","redirect_uri","cbRes","decodedJwt","authRes","authResParsed","authErr","JSON","stringify","error_description","_ref4","kid","getPublicKey","setProtectedHeader","typ","setPayload","vp_token","reduce","_ref5","credentialId","vpToken","setIssuedAt","setExpirationTime","sign"],"sourceRoot":"../../../../src","sources":["credential/issuance/04-complete-user-authorization.ts"],"mappings":"AAAA,SACEA,uBAAuB,EACvBC,wBAAwB,QAEnB,kBAAkB;AACzB,SAASC,gBAAgB,QAAkB,kBAAkB;AAE7D,OAAOC,QAAQ,MAAM,WAAW;AAChC,SAASC,mBAAmB,EAAEC,gBAAgB,QAAQ,oBAAoB;AAE1E,SACEC,MAAM,EACNC,OAAO,QAEF,6BAA6B;AACpC,SAAkCC,aAAa,QAAQ,uBAAuB;AAC9E,SAASC,sBAAsB,QAAQ,SAAS;AAChD,SAASC,kBAAkB,QAAQ,qBAAqB;AACxD,SAASC,kBAAkB,EAAEC,qBAAqB,QAAQ,UAAU;AACpE,SAASC,QAAQ,EAAEC,MAAM,QAAQ,qBAAqB;AACtD,SAASC,YAAY,QAAQ,IAAI;;AAGjC;AACA;AACA;;AA+BA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,qBAA4C,GAAG,MAAAA,CAC1DC,gBAAgB,EAChBC,QAAQ,EACRC,UAAU,EACVC,OAAO,KACJ;EACH,MAAMC,oBAAoB,GACxBF,UAAU,CAACG,0BAA0B,CAACC,sBAAsB;EAE9D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAER,QAAQ;IACnBS,WAAW,EAAEV;EACf,CAAC,CAAC;EAEF,IAAIG,OAAO,EAAE;IACXI,MAAM,CAACI,MAAM,CAAC,SAAS,EAAER,OAAO,CAAC;EACnC;EAEA,MAAMS,OAAO,GAAI,GAAER,oBAAqB,IAAGG,MAAO,EAAC;EAEnD,OAAO;IAAEK;EAAQ,CAAC;AACpB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sCAA8E,GACzF,MAAOC,eAAe,IAAK;EACzBjB,MAAM,CAACkB,GAAG,CACRnB,QAAQ,CAACoB,KAAK,EACb,0GACH,CAAC;EACD,MAAMC,KAAK,GAAG/B,QAAQ,CAAC4B,eAAe,CAAC,CAACG,KAAK;EAE7C,OAAOC,0BAA0B,CAACD,KAAK,CAAC;AAC1C,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAME,mCAAwE,GACnF,eAAAA,CAAOnB,gBAAgB,EAAEC,QAAQ,EAAEC,UAAU,EAAuB;EAAA,IAArBkB,QAAQ,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGG,KAAK;EAC7D3B,MAAM,CAACkB,GAAG,CACRnB,QAAQ,CAACoB,KAAK,EACb,sGACH,CAAC;EACD,MAAMZ,oBAAoB,GACxBF,UAAU,CAACG,0BAA0B,CAACC,sBAAsB;EAC9D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAER,QAAQ;IACnBS,WAAW,EAAEV;EACf,CAAC,CAAC;EAEFH,MAAM,CAACkB,GAAG,CACRnB,QAAQ,CAACoB,KAAK,EACb,oCAAmCZ,oBAAqB,IAAGG,MAAM,CAACkB,QAAQ,CAAC,CAAE,EAChF,CAAC;EAED,MAAMC,aAAa,GAAG,MAAMN,QAAQ,CACjC,GAAEhB,oBAAqB,IAAGG,MAAM,CAACkB,QAAQ,CAAC,CAAE,EAAC,EAC9C;IAAEE,MAAM,EAAE;EAAM,CAClB,CAAC,CACEC,IAAI,CAAC3C,gBAAgB,CAAC,GAAG,EAAEE,mBAAmB,CAAC,CAAC,CAChDyC,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEG,GAAG,IAAK1C,MAAM,CAAC0C,GAAG,CAAC,CAAC,CAC1BH,IAAI,CAAEI,MAAM,IAAKzC,aAAa,CAAC0C,SAAS,CAACD,MAAM,CAACE,OAAO,CAAC,CAAC;EAE5D,IAAI,CAACR,aAAa,CAACS,OAAO,EAAE;IAC1BtC,MAAM,CAACkB,GAAG,CACRnB,QAAQ,CAACwC,KAAK,EACb,+CAA8CV,aAAa,CAACW,KAAK,CAACC,OAAQ,EAC7E,CAAC;IACD,MAAM,IAAIlD,gBAAgB,CAAC;MACzBkD,OAAO,EAAE,kCAAkC;MAC3CC,MAAM,EAAEb,aAAa,CAACW,KAAK,CAACC;IAC9B,CAAC,CAAC;EACJ;EACA,OAAOZ,aAAa,CAACc,IAAI;AAC3B,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,4CAA0F,GACrG,MAAAA,CACEf,aAAa,EACbgB,GAAG,EAAAC,IAAA,KAEA;EAAA,IADH;IAAEC,gBAAgB;IAAEC,gBAAgB;IAAEzB,QAAQ,GAAGI;EAAM,CAAC,GAAAmB,IAAA;EAExD9C,MAAM,CAACkB,GAAG,CACRnB,QAAQ,CAACoB,KAAK,EACb,sHACH,CAAC;EAED,IAAI,CAACU,aAAa,CAACoB,UAAU,EAAE;IAC7B,MAAM,IAAIC,KAAK,CAAC,wBAAwB,CAAC;EAC3C;EAEA,MAAMC,eAAe,GAAGlD,YAAY,CAACmD,iBAAiB,CACpD,CAAC,CAACJ,gBAAgB,EAAEH,GAAG,CAAC,CAAC,EACzBhB,aAAa,CAACoB,UAChB,CAAC;EAED,MAAMI,oBAAoB,GAAGF,eAAe,CAACG,GAAG,CAC9CC,KAAA;IAAA,IAAC;MAAEC,mBAAmB;MAAE,GAAGC;IAAK,CAAC,GAAAF,KAAA;IAAA,OAAM;MACrC,GAAGE,IAAI;MACPC,eAAe,EAAEF,mBAAmB,CAACF,GAAG,CAACK,KAAA;QAAA,IAAC,GAAGC,SAAS,CAAC,GAAAD,KAAA;QAAA,OAAKC,SAAS;MAAA;IACvE,CAAC;EAAA,CACH,CAAC;EAED,MAAMC,mBAAmB,GAAG,MAAM5D,YAAY,CAAC6D,0BAA0B,CACvET,oBAAoB,EACpBxB,aAAa,CAACkC,KAAK,EACnBlC,aAAa,CAACjB,SAChB,CAAC;EAED,MAAMoD,oBAAoB,GAAG,MAAMC,0BAA0B,CAAC;IAC5DC,KAAK,EAAErC,aAAa,CAACqC,KAAK;IAC1BL,mBAAmB;IACnBd;EACF,CAAC,CAAC;EAEF/C,MAAM,CAACkB,GAAG,CACRnB,QAAQ,CAACoB,KAAK,EACb,2BAA0B6C,oBAAqB,EAClD,CAAC;;EAED;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;EAEA,MAAMG,IAAI,GAAG,IAAIxD,eAAe,CAAC;IAC/ByD,QAAQ,EAAEJ;EACZ,CAAC,CAAC,CAACpC,QAAQ,CAAC,CAAC;EAEb,MAAMyC,SAAS,GAAG,MAAM9C,QAAQ,CAACM,aAAa,CAACyC,YAAY,EAAE;IAC3DxC,MAAM,EAAE,MAAM;IACdyC,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDJ;EACF,CAAC,CAAC,CACCpC,IAAI,CAAC3C,gBAAgB,CAAC,GAAG,EAAEE,mBAAmB,CAAC,CAAC,CAChDyC,IAAI,CAAEyC,MAAM,IAAKA,MAAM,CAACC,IAAI,CAAC,CAAC,CAAC;EAElC,MAAMC,WAAW,GAAG/E,sBAAsB,CAACyC,SAAS,CAACiC,SAAS,CAAC;EAC/D,IAAI,CAACK,WAAW,CAACpC,OAAO,EAAE;IACxBtC,MAAM,CAACkB,GAAG,CACRnB,QAAQ,CAACwC,KAAK,EACb,4CAA2CmC,WAAW,CAAClC,KAAK,CAACC,OAAQ,EACxE,CAAC;IACD,MAAM,IAAIlD,gBAAgB,CAAC;MACzBkD,OAAO,EAAE,gCAAgC;MACzCC,MAAM,EAAEgC,WAAW,CAAClC,KAAK,CAACC;IAC5B,CAAC,CAAC;EACJ;EAEA,OAAO,MAAMlB,QAAQ,CAACmD,WAAW,CAAC/B,IAAI,CAACgC,YAAY,CAAC,CACjD5C,IAAI,CAAC3C,gBAAgB,CAAC,GAAG,EAAEE,mBAAmB,CAAC,CAAC,CAChDyC,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAACnC,kBAAkB,CAAC,CACxBmC,IAAI,CAAE6C,KAAK,IAAKvD,0BAA0B,CAACuD,KAAK,CAACC,UAAU,CAACxC,OAAO,CAAC,CAAC;AAC1E,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMhB,0BAA0B,GACrCyD,OAAgB,IACQ;EACxB,MAAMC,aAAa,GAAG5F,wBAAwB,CAACiD,SAAS,CAAC0C,OAAO,CAAC;EACjE,IAAI,CAACC,aAAa,CAACzC,OAAO,EAAE;IAC1B,MAAM0C,OAAO,GAAG9F,uBAAuB,CAACkD,SAAS,CAAC0C,OAAO,CAAC;IAC1D,IAAI,CAACE,OAAO,CAAC1C,OAAO,EAAE;MACpBtC,MAAM,CAACkB,GAAG,CACRnB,QAAQ,CAACwC,KAAK,EACb,mDAAkDwC,aAAa,CAACvC,KAAK,CAACC,OAAQ,EACjF,CAAC;MACD,MAAM,IAAI5C,kBAAkB,CAACkF,aAAa,CAACvC,KAAK,CAACC,OAAO,CAAC,CAAC,CAAC;IAC7D;;IACAzC,MAAM,CAACkB,GAAG,CACRnB,QAAQ,CAACwC,KAAK,EACb,2CAA0C0C,IAAI,CAACC,SAAS,CAACF,OAAO,CAAE,EACrE,CAAC;IACD,MAAM,IAAIlF,qBAAqB,CAC7BkF,OAAO,CAACrC,IAAI,CAACH,KAAK,EAClBwC,OAAO,CAACrC,IAAI,CAACwC,iBACf,CAAC;EACH;EACA,OAAOJ,aAAa,CAACpC,IAAI;AAC3B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMsB,0BAA0B,GAAG,MAAAmB,KAAA,IAQZ;EAAA,IARmB;IACxClB,KAAK;IACLL,mBAAmB;IACnBd;EAKF,CAAC,GAAAqC,KAAA;EACC,MAAM;IAAEC;EAAI,CAAC,GAAG,MAAMtC,gBAAgB,CAACuC,YAAY,CAAC,CAAC;EAErD,OAAO,IAAI7F,OAAO,CAACsD,gBAAgB,CAAC,CACjCwC,kBAAkB,CAAC;IAClBC,GAAG,EAAE,KAAK;IACVH;EACF,CAAC,CAAC,CACDI,UAAU,CAAC;IACV;AACN;AACA;AACA;AACA;IACM,IAAIvB,KAAK,GAAG;MAAEA;IAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3BwB,QAAQ,EAAE7B,mBAAmB,CAAC8B,MAAM,CAClC,CAACD,QAAQ,EAAAE,KAAA;MAAA,IAAE;QAAEC,YAAY;QAAEC;MAAQ,CAAC,GAAAF,KAAA;MAAA,OAAM;QACxC,GAAGF,QAAQ;QACX,CAACG,YAAY,GAAGC;MAClB,CAAC;IAAA,CAAC,EACF,CAAC,CACH;EACF,CAAC,CAAC,CACDC,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;AACX,CAAC"}

package/lib/module/credential/issuance/05-authorize-access.js

@@ -3,7 +3,6 @@ import { createDPopToken } from "../../utils/dpop";
 import { v4 as uuidv4 } from "uuid";
 import { createPopToken } from "../../utils/pop";
 import * as WalletInstanceAttestation from "../../wallet-instance-attestation";
-import { ASSERTION_TYPE } from "./const";
 import { TokenResponse } from "./types";
 import { IssuerResponseError, ValidationFailed } from "../../utils/errors";
 import { LogLevel, Logger } from "../../utils/logging";
@@ -25,16 +24,14 @@ import { LogLevel, Logger } from "../../utils/logging";
  * @throws {IssuerResponseError} with a specific code for more context
  * @return The token response containing the access token along with the token request signed with DPoP which has to be used in the {@link obtainCredential} step.
  */
-export const authorizeAccess = async (issuerConf, code, clientId, redirectUri, codeVerifier, context) => {
+export const authorizeAccess = async (issuerConf, code, _, redirectUri, codeVerifier, context) => {
   const {
     appFetch = fetch,
     walletInstanceAttestation,
     wiaCryptoContext,
     dPopCryptoContext
   } = context;
-  const parEndpoint = issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
-  const parUrl = new URL(parEndpoint);
-  const aud = `${parUrl.protocol}//${parUrl.hostname}`;
+  const aud = issuerConf.openid_credential_issuer.credential_issuer;
   const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
   const tokenUrl = issuerConf.oauth_authorization_server.token_endpoint;
   const tokenRequestSignedDPop = await createDPopToken({
@@ -51,12 +48,9 @@ export const authorizeAccess = async (issuerConf, code, clientId, redirectUri, c
   Logger.log(LogLevel.DEBUG, `WIA DPoP token: ${signedWiaPoP}`);
   const requestBody = {
     grant_type: "authorization_code",
-    client_id: clientId,
     code,
-    redirect_uri: redirectUri,
     code_verifier: codeVerifier,
-    client_assertion_type: ASSERTION_TYPE,
-    client_assertion: walletInstanceAttestation + "~" + signedWiaPoP
+    redirect_uri: redirectUri
   };
   const authorizationRequestFormBody = new URLSearchParams(requestBody);
   Logger.log(LogLevel.DEBUG, `Auth form request body: ${authorizationRequestFormBody}`);
@@ -64,7 +58,9 @@ export const authorizeAccess = async (issuerConf, code, clientId, redirectUri, c
     method: "POST",
     headers: {
       "Content-Type": "application/x-www-form-urlencoded",
-      DPoP: tokenRequestSignedDPop
+      DPoP: tokenRequestSignedDPop,
+      "OAuth-Client-Attestation": walletInstanceAttestation,
+      "OAuth-Client-Attestation-PoP": signedWiaPoP
     },
     body: authorizationRequestFormBody.toString()
   }).then(hasStatusOrThrow(200, IssuerResponseError)).then(res => res.json()).then(body => TokenResponse.safeParse(body));

package/lib/module/credential/issuance/05-authorize-access.js.map

@@ -1 +1 @@
-{"version":3,"names":["hasStatusOrThrow","createDPopToken","v4","uuidv4","createPopToken","WalletInstanceAttestation","ASSERTION_TYPE","TokenResponse","IssuerResponseError","ValidationFailed","LogLevel","Logger","authorizeAccess","issuerConf","code","clientId","redirectUri","codeVerifier","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","dPopCryptoContext","parEndpoint","oauth_authorization_server","pushed_authorization_request_endpoint","parUrl","URL","aud","protocol","hostname","iss","decode","payload","cnf","jwk","kid","tokenUrl","token_endpoint","tokenRequestSignedDPop","htm","htu","jti","log","DEBUG","signedWiaPoP","requestBody","grant_type","client_id","redirect_uri","code_verifier","client_assertion_type","client_assertion","authorizationRequestFormBody","URLSearchParams","tokenRes","method","headers","DPoP","body","toString","then","res","json","safeParse","success","ERROR","error","message","reason","accessToken","data"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":"AAAA,SAASA,gBAAgB,QAAkB,kBAAkB;AAG7D,SAASC,eAAe,QAAQ,kBAAkB;AAClD,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,cAAc,QAAQ,iBAAiB;AAChD,OAAO,KAAKC,yBAAyB,MAAM,mCAAmC;AAE9E,SAASC,cAAc,QAAQ,SAAS;AACxC,SAASC,aAAa,QAAQ,SAAS;AACvC,SAASC,mBAAmB,EAAEC,gBAAgB,QAAQ,oBAAoB;AAE1E,SAASC,QAAQ,EAAEC,MAAM,QAAQ,qBAAqB;AAgBtD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,QAAQ,EACRC,WAAW,EACXC,YAAY,EACZC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC,gBAAgB;IAChBC;EACF,CAAC,GAAGL,OAAO;EAEX,MAAMM,WAAW,GACfX,UAAU,CAACY,0BAA0B,CAACC,qCAAqC;EAC7E,MAAMC,MAAM,GAAG,IAAIC,GAAG,CAACJ,WAAW,CAAC;EACnC,MAAMK,GAAG,GAAI,GAAEF,MAAM,CAACG,QAAS,KAAIH,MAAM,CAACI,QAAS,EAAC;EACpD,MAAMC,GAAG,GAAG3B,yBAAyB,CAAC4B,MAAM,CAACZ,yBAAyB,CAAC,CACpEa,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,QAAQ,GAAGzB,UAAU,CAACY,0BAA0B,CAACc,cAAc;EAErE,MAAMC,sBAAsB,GAAG,MAAMvC,eAAe,CAClD;IACEwC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEJ,QAAQ;IACbK,GAAG,EAAG,GAAExC,MAAM,CAAC,CAAE;EACnB,CAAC,EACDoB,iBACF,CAAC;EAEDZ,MAAM,CAACiC,GAAG,CAAClC,QAAQ,CAACmC,KAAK,EAAG,uBAAsBL,sBAAuB,EAAC,CAAC;EAE3E,MAAMM,YAAY,GAAG,MAAM1C,cAAc,CACvC;IACEuC,GAAG,EAAG,GAAExC,MAAM,CAAC,CAAE,EAAC;IAClB0B,GAAG;IACHG;EACF,CAAC,EACDV,gBACF,CAAC;EAEDX,MAAM,CAACiC,GAAG,CAAClC,QAAQ,CAACmC,KAAK,EAAG,mBAAkBC,YAAa,EAAC,CAAC;EAE7D,MAAMC,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChCC,SAAS,EAAElC,QAAQ;IACnBD,IAAI;IACJoC,YAAY,EAAElC,WAAW;IACzBmC,aAAa,EAAElC,YAAY;IAC3BmC,qBAAqB,EAAE9C,cAAc;IACrC+C,gBAAgB,EAAEhC,yBAAyB,GAAG,GAAG,GAAGyB;EACtD,CAAC;EAED,MAAMQ,4BAA4B,GAAG,IAAIC,eAAe,CAACR,WAAW,CAAC;EAErEpC,MAAM,CAACiC,GAAG,CACRlC,QAAQ,CAACmC,KAAK,EACb,2BAA0BS,4BAA6B,EAC1D,CAAC;EAED,MAAME,QAAQ,GAAG,MAAMrC,QAAQ,CAACmB,QAAQ,EAAE;IACxCmB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAEnB;IACR,CAAC;IACDoB,IAAI,EAAEN,4BAA4B,CAACO,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCC,IAAI,CAAC9D,gBAAgB,CAAC,GAAG,EAAEQ,mBAAmB,CAAC,CAAC,CAChDsD,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEF,IAAI,IAAKrD,aAAa,CAAC0D,SAAS,CAACL,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACU,OAAO,EAAE;IACrBvD,MAAM,CAACiC,GAAG,CACRlC,QAAQ,CAACyD,KAAK,EACb,qCAAoCX,QAAQ,CAACY,KAAK,CAACC,OAAQ,EAC9D,CAAC;IAED,MAAM,IAAI5D,gBAAgB,CAAC;MACzB4D,OAAO,EAAE,kCAAkC;MAC3CC,MAAM,EAAEd,QAAQ,CAACY,KAAK,CAACC;IACzB,CAAC,CAAC;EACJ;EAEA,OAAO;IAAEE,WAAW,EAAEf,QAAQ,CAACgB;EAAK,CAAC;AACvC,CAAC"}
+{"version":3,"names":["hasStatusOrThrow","createDPopToken","v4","uuidv4","createPopToken","WalletInstanceAttestation","TokenResponse","IssuerResponseError","ValidationFailed","LogLevel","Logger","authorizeAccess","issuerConf","code","_","redirectUri","codeVerifier","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","dPopCryptoContext","aud","openid_credential_issuer","credential_issuer","iss","decode","payload","cnf","jwk","kid","tokenUrl","oauth_authorization_server","token_endpoint","tokenRequestSignedDPop","htm","htu","jti","log","DEBUG","signedWiaPoP","requestBody","grant_type","code_verifier","redirect_uri","authorizationRequestFormBody","URLSearchParams","tokenRes","method","headers","DPoP","body","toString","then","res","json","safeParse","success","ERROR","error","message","reason","accessToken","data"],"sourceRoot":"../../../../src","sources":["credential/issuance/05-authorize-access.ts"],"mappings":"AAAA,SAASA,gBAAgB,QAAkB,kBAAkB;AAG7D,SAASC,eAAe,QAAQ,kBAAkB;AAClD,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,cAAc,QAAQ,iBAAiB;AAChD,OAAO,KAAKC,yBAAyB,MAAM,mCAAmC;AAE9E,SAASC,aAAa,QAAQ,SAAS;AACvC,SAASC,mBAAmB,EAAEC,gBAAgB,QAAQ,oBAAoB;AAE1E,SAASC,QAAQ,EAAEC,MAAM,QAAQ,qBAAqB;AAgBtD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,eAAgC,GAAG,MAAAA,CAC9CC,UAAU,EACVC,IAAI,EACJC,CAAC,EACDC,WAAW,EACXC,YAAY,EACZC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC,gBAAgB;IAChBC;EACF,CAAC,GAAGL,OAAO;EACX,MAAMM,GAAG,GAAGX,UAAU,CAACY,wBAAwB,CAACC,iBAAiB;EACjE,MAAMC,GAAG,GAAGrB,yBAAyB,CAACsB,MAAM,CAACP,yBAAyB,CAAC,CACpEQ,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,QAAQ,GAAGpB,UAAU,CAACqB,0BAA0B,CAACC,cAAc;EAErE,MAAMC,sBAAsB,GAAG,MAAMlC,eAAe,CAClD;IACEmC,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEL,QAAQ;IACbM,GAAG,EAAG,GAAEnC,MAAM,CAAC,CAAE;EACnB,CAAC,EACDmB,iBACF,CAAC;EAEDZ,MAAM,CAAC6B,GAAG,CAAC9B,QAAQ,CAAC+B,KAAK,EAAG,uBAAsBL,sBAAuB,EAAC,CAAC;EAE3E,MAAMM,YAAY,GAAG,MAAMrC,cAAc,CACvC;IACEkC,GAAG,EAAG,GAAEnC,MAAM,CAAC,CAAE,EAAC;IAClBoB,GAAG;IACHG;EACF,CAAC,EACDL,gBACF,CAAC;EAEDX,MAAM,CAAC6B,GAAG,CAAC9B,QAAQ,CAAC+B,KAAK,EAAG,mBAAkBC,YAAa,EAAC,CAAC;EAE7D,MAAMC,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChC9B,IAAI;IACJ+B,aAAa,EAAE5B,YAAY;IAC3B6B,YAAY,EAAE9B;EAChB,CAAC;EAED,MAAM+B,4BAA4B,GAAG,IAAIC,eAAe,CAACL,WAAW,CAAC;EAErEhC,MAAM,CAAC6B,GAAG,CACR9B,QAAQ,CAAC+B,KAAK,EACb,2BAA0BM,4BAA6B,EAC1D,CAAC;EAED,MAAME,QAAQ,GAAG,MAAM9B,QAAQ,CAACc,QAAQ,EAAE;IACxCiB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAEhB,sBAAsB;MAC5B,0BAA0B,EAAEf,yBAAyB;MACrD,8BAA8B,EAAEqB;IAClC,CAAC;IACDW,IAAI,EAAEN,4BAA4B,CAACO,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCC,IAAI,CAACtD,gBAAgB,CAAC,GAAG,EAAEO,mBAAmB,CAAC,CAAC,CAChD+C,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEF,IAAI,IAAK9C,aAAa,CAACmD,SAAS,CAACL,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACU,OAAO,EAAE;IACrBhD,MAAM,CAAC6B,GAAG,CACR9B,QAAQ,CAACkD,KAAK,EACb,qCAAoCX,QAAQ,CAACY,KAAK,CAACC,OAAQ,EAC9D,CAAC;IAED,MAAM,IAAIrD,gBAAgB,CAAC;MACzBqD,OAAO,EAAE,kCAAkC;MAC3CC,MAAM,EAAEd,QAAQ,CAACY,KAAK,CAACC;IACzB,CAAC,CAAC;EACJ;EAEA,OAAO;IAAEE,WAAW,EAAEf,QAAQ,CAACgB;EAAK,CAAC;AACvC,CAAC"}

package/lib/module/credential/issuance/06-obtain-credential.js

@@ -1,7 +1,7 @@
 import { sha256ToBase64, SignJWT } from "@pagopa/io-react-native-jwt";
 import { hasStatusOrThrow } from "../../utils/misc";
 import { IssuerResponseError, IssuerResponseErrorCodes, ResponseErrorBuilder, UnexpectedStatusCodeError, ValidationFailed } from "../../utils/errors";
-import { CredentialResponse } from "./types";
+import { CredentialResponse, NonceResponse } from "./types";
 import { createDPopToken } from "../../utils/dpop";
 import { v4 as uuidv4 } from "uuid";
 import { LogLevel, Logger } from "../../utils/logging";
@@ -24,11 +24,11 @@ export const createNonceProof = async (nonce, issuer, audience, ctx) => {
  * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
  * @param accessToken The access token response returned by {@link authorizeAccess}
  * @param clientId The client id returned by {@link startUserAuthorization}
- * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link startUserAuthorization}
- * @param tokenRequestSignedDPop The DPoP signed token request returned by {@link authorizeAccess}
+ * @param credentialDefinition The credential definition of the credential to be obtained returned by {@link authorizeAccess}
  * @param context.credentialCryptoContext The crypto context used to obtain the credential
  * @param context.dPopCryptoContext The DPoP crypto context
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @param operationType Specify the type of credential issuance (used for reissuing)
  * @returns The credential response containing the credential
  */
 export const obtainCredential = async (issuerConf, accessToken, clientId, credentialDefinition, context, operationType) => {
@@ -37,18 +37,34 @@ export const obtainCredential = async (issuerConf, accessToken, clientId, creden
     appFetch = fetch,
     dPopCryptoContext
   } = context;
+  const {
+    credential_configuration_id,
+    credential_identifier
+  } = credentialDefinition;
   const credentialUrl = issuerConf.openid_credential_issuer.credential_endpoint;
+  const issuerUrl = issuerConf.oauth_authorization_server.issuer;
+  const nonceUrl = issuerConf.openid_credential_issuer.nonce_endpoint;
+
+  // Fetch the nonce from the Credential Issuer
+  const {
+    c_nonce
+  } = await appFetch(nonceUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    }
+  }).then(hasStatusOrThrow(200)).then(res => res.json()).then(body => NonceResponse.parse(body));
 
   /**
    * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
    * This is presented along with the access token to the Credential Endpoint as proof of possession of the private key used to sign the Access Token.
    * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
    */
-  const signedNonceProof = await createNonceProof(accessToken.c_nonce, clientId, credentialUrl, credentialCryptoContext);
+  const signedNonceProof = await createNonceProof(c_nonce, clientId, issuerUrl, credentialCryptoContext);
   Logger.log(LogLevel.DEBUG, `Signed nonce proof: ${signedNonceProof}`);
 
   // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
-  const containsCredentialDefinition = accessToken.authorization_details.some(c => c.credential_configuration_id === credentialDefinition.credential_configuration_id && c.format === credentialDefinition.format && c.type === credentialDefinition.type);
+  const containsCredentialDefinition = accessToken.authorization_details.some(c => c.credential_configuration_id === credential_configuration_id && (credential_identifier ? c.credential_identifiers.includes(credential_identifier) : true));
   if (!containsCredentialDefinition) {
     Logger.log(LogLevel.ERROR, `Credential definition not found in the access token response ${accessToken.authorization_details}`);
     throw new ValidationFailed({
@@ -56,12 +72,20 @@ export const obtainCredential = async (issuerConf, accessToken, clientId, creden
     });
   }
 
-  /** The credential request body */
-  const credentialRequestFormBody = {
-    credential_definition: {
-      type: [credentialDefinition.credential_configuration_id]
-    },
-    format: credentialDefinition.format,
+  /**
+   * The credential request body.
+   * We accept both `credential_identifier` (recommended) and `credential_configuration_id`
+   * when the Authorization Server does not support `credential_identifier`.
+   * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html#section-3.3.4
+   */
+  const credentialRequestFormBody = credential_identifier ? {
+    credential_identifier: credential_identifier,
+    proof: {
+      jwt: signedNonceProof,
+      proof_type: "jwt"
+    }
+  } : {
+    credential_configuration_id: credential_configuration_id,
     proof: {
       jwt: signedNonceProof,
       proof_type: "jwt"
@@ -95,7 +119,15 @@ export const obtainCredential = async (issuerConf, accessToken, clientId, creden
     });
   }
   Logger.log(LogLevel.DEBUG, `Credential Response: ${JSON.stringify(credentialRes.data)}`);
-  return credentialRes.data;
+
+  // Extract the format corresponding to the credential_configuration_id used
+  const issuerCredentialConfig = issuerConf.openid_credential_issuer.credential_configurations_supported[credential_configuration_id];
+
+  // TODO: [SIW-2264] Handle multiple credentials
+  return {
+    credential: credentialRes.data.credentials.at(0).credential,
+    format: issuerCredentialConfig.format
+  };
 };
 
 /**

package/lib/module/credential/issuance/06-obtain-credential.js.map

@@ -1 +1 @@
-{"version":3,"names":["sha256ToBase64","SignJWT","hasStatusOrThrow","IssuerResponseError","IssuerResponseErrorCodes","ResponseErrorBuilder","UnexpectedStatusCodeError","ValidationFailed","CredentialResponse","createDPopToken","v4","uuidv4","LogLevel","Logger","createNonceProof","nonce","issuer","audience","ctx","jwk","getPublicKey","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","obtainCredential","issuerConf","accessToken","clientId","credentialDefinition","context","operationType","credentialCryptoContext","appFetch","fetch","dPopCryptoContext","credentialUrl","openid_credential_issuer","credential_endpoint","signedNonceProof","c_nonce","log","DEBUG","containsCredentialDefinition","authorization_details","some","c","credential_configuration_id","format","type","ERROR","message","credentialRequestFormBody","credential_definition","proof","jwt","proof_type","JSON","stringify","tokenRequestSignedDPop","htm","htu","jti","ath","access_token","credentialRes","method","headers","DPoP","Authorization","token_type","body","then","res","json","safeParse","catch","handleObtainCredentialError","success","error","reason","data","e","handle","code","CredentialIssuingNotSynchronous","CredentialInvalidStatus","CredentialRequestFailed","buildFrom"],"sourceRoot":"../../../../src","sources":["credential/issuance/06-obtain-credential.ts"],"mappings":"AAAA,SAEEA,cAAc,EACdC,OAAO,QACF,6BAA6B;AAGpC,SAASC,gBAAgB,QAAkB,kBAAkB;AAE7D,SACEC,mBAAmB,EACnBC,wBAAwB,EACxBC,oBAAoB,EACpBC,yBAAyB,EACzBC,gBAAgB,QACX,oBAAoB;AAC3B,SAASC,kBAAkB,QAAQ,SAAS;AAC5C,SAASC,eAAe,QAAQ,kBAAkB;AAClD,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,QAAQ,EAAEC,MAAM,QAAQ,qBAAqB;AAetD,OAAO,MAAMC,gBAAgB,GAAG,MAAAA,CAC9BC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBC,GAAkB,KACE;EACpB,MAAMC,GAAG,GAAG,MAAMD,GAAG,CAACE,YAAY,CAAC,CAAC;EACpC,OAAO,IAAInB,OAAO,CAACiB,GAAG,CAAC,CACpBG,UAAU,CAAC;IACVN;EACF,CAAC,CAAC,CACDO,kBAAkB,CAAC;IAClBC,GAAG,EAAE,sBAAsB;IAC3BJ;EACF,CAAC,CAAC,CACDK,WAAW,CAACP,QAAQ,CAAC,CACrBQ,SAAS,CAACT,MAAM,CAAC,CACjBU,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,MAAM,CAAC,CACzBC,IAAI,CAAC,CAAC;AACX,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EACVC,WAAW,EACXC,QAAQ,EACRC,oBAAoB,EACpBC,OAAO,EACPC,aAAa,KACV;EACH,MAAM;IACJC,uBAAuB;IACvBC,QAAQ,GAAGC,KAAK;IAChBC;EACF,CAAC,GAAGL,OAAO;EAEX,MAAMM,aAAa,GAAGV,UAAU,CAACW,wBAAwB,CAACC,mBAAmB;;EAE7E;AACF;AACA;AACA;AACA;EACE,MAAMC,gBAAgB,GAAG,MAAM7B,gBAAgB,CAC7CiB,WAAW,CAACa,OAAO,EACnBZ,QAAQ,EACRQ,aAAa,EACbJ,uBACF,CAAC;EAEDvB,MAAM,CAACgC,GAAG,CAACjC,QAAQ,CAACkC,KAAK,EAAG,uBAAsBH,gBAAiB,EAAC,CAAC;;EAErE;EACA,MAAMI,4BAA4B,GAAGhB,WAAW,CAACiB,qBAAqB,CAACC,IAAI,CACxEC,CAAC,IACAA,CAAC,CAACC,2BAA2B,KAC3BlB,oBAAoB,CAACkB,2BAA2B,IAClDD,CAAC,CAACE,MAAM,KAAKnB,oBAAoB,CAACmB,MAAM,IACxCF,CAAC,CAACG,IAAI,KAAKpB,oBAAoB,CAACoB,IACpC,CAAC;EAED,IAAI,CAACN,4BAA4B,EAAE;IACjClC,MAAM,CAACgC,GAAG,CACRjC,QAAQ,CAAC0C,KAAK,EACb,gEAA+DvB,WAAW,CAACiB,qBAAsB,EACpG,CAAC;IACD,MAAM,IAAIzC,gBAAgB,CAAC;MACzBgD,OAAO,EACL;IACJ,CAAC,CAAC;EACJ;;EAEA;EACA,MAAMC,yBAAyB,GAAG;IAChCC,qBAAqB,EAAE;MACrBJ,IAAI,EAAE,CAACpB,oBAAoB,CAACkB,2BAA2B;IACzD,CAAC;IACDC,MAAM,EAAEnB,oBAAoB,CAACmB,MAAM;IACnCM,KAAK,EAAE;MACLC,GAAG,EAAEhB,gBAAgB;MACrBiB,UAAU,EAAE;IACd;EACF,CAAC;EAED/C,MAAM,CAACgC,GAAG,CACRjC,QAAQ,CAACkC,KAAK,EACb,4BAA2Be,IAAI,CAACC,SAAS,CAACN,yBAAyB,CAAE,EACxE,CAAC;EAED,MAAMO,sBAAsB,GAAG,MAAMtD,eAAe,CAClD;IACEuD,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEzB,aAAa;IAClB0B,GAAG,EAAG,GAAEvD,MAAM,CAAC,CAAE,EAAC;IAClBwD,GAAG,EAAE,MAAMnE,cAAc,CAAC+B,WAAW,CAACqC,YAAY;EACpD,CAAC,EACD7B,iBACF,CAAC;EAED1B,MAAM,CAACgC,GAAG,CAACjC,QAAQ,CAACkC,KAAK,EAAG,uBAAsBiB,sBAAuB,EAAC,CAAC;EAE3E,MAAMM,aAAa,GAAG,MAAMhC,QAAQ,CAACG,aAAa,EAAE;IAClD8B,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClCC,IAAI,EAAET,sBAAsB;MAC5BU,aAAa,EAAG,GAAE1C,WAAW,CAAC2C,UAAW,IAAG3C,WAAW,CAACqC,YAAa,EAAC;MACtE,IAAIjC,aAAa,KAAK,WAAW,IAAI;QAAEA;MAAc,CAAC;IACxD,CAAC;IACDwC,IAAI,EAAEd,IAAI,CAACC,SAAS,CAACN,yBAAyB;EAChD,CAAC,CAAC,CACCoB,IAAI,CAAC1E,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3B0E,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAED,IAAI,IAAKnE,kBAAkB,CAACuE,SAAS,CAACJ,IAAI,CAAC,CAAC,CAClDK,KAAK,CAACC,2BAA2B,CAAC;EAErC,IAAI,CAACZ,aAAa,CAACa,OAAO,EAAE;IAC1BrE,MAAM,CAACgC,GAAG,CACRjC,QAAQ,CAAC0C,KAAK,EACb,0CAAyCe,aAAa,CAACc,KAAK,CAAC5B,OAAQ,EACxE,CAAC;IACD,MAAM,IAAIhD,gBAAgB,CAAC;MACzBgD,OAAO,EAAE,uCAAuC;MAChD6B,MAAM,EAAEf,aAAa,CAACc,KAAK,CAAC5B;IAC9B,CAAC,CAAC;EACJ;EAEA1C,MAAM,CAACgC,GAAG,CACRjC,QAAQ,CAACkC,KAAK,EACb,wBAAuBe,IAAI,CAACC,SAAS,CAACO,aAAa,CAACgB,IAAI,CAAE,EAC7D,CAAC;EAED,OAAOhB,aAAa,CAACgB,IAAI;AAC3B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMJ,2BAA2B,GAAIK,CAAU,IAAK;EAClDzE,MAAM,CAACgC,GAAG,CAACjC,QAAQ,CAAC0C,KAAK,EAAG,8CAA6CgC,CAAE,EAAC,CAAC;EAE7E,IAAI,EAAEA,CAAC,YAAYhF,yBAAyB,CAAC,EAAE;IAC7C,MAAMgF,CAAC;EACT;EAEA,MAAM,IAAIjF,oBAAoB,CAACF,mBAAmB,CAAC,CAChDoF,MAAM,CAAC,GAAG,EAAE;IACX;IACA;IACAC,IAAI,EAAEpF,wBAAwB,CAACqF,+BAA+B;IAC9DlC,OAAO,EACL;EACJ,CAAC,CAAC,CACDgC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEpF,wBAAwB,CAACsF,uBAAuB;IACtDnC,OAAO,EAAE;EACX,CAAC,CAAC,CACDgC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEpF,wBAAwB,CAACsF,uBAAuB;IACtDnC,OAAO,EAAE;EACX,CAAC,CAAC,CACDgC,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEpF,wBAAwB,CAACuF,uBAAuB;IACtDpC,OAAO,EAAE;EACX,CAAC,CAAC,CACDqC,SAAS,CAACN,CAAC,CAAC;AACjB,CAAC"}
+{"version":3,"names":["sha256ToBase64","SignJWT","hasStatusOrThrow","IssuerResponseError","IssuerResponseErrorCodes","ResponseErrorBuilder","UnexpectedStatusCodeError","ValidationFailed","CredentialResponse","NonceResponse","createDPopToken","v4","uuidv4","LogLevel","Logger","createNonceProof","nonce","issuer","audience","ctx","jwk","getPublicKey","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","obtainCredential","issuerConf","accessToken","clientId","credentialDefinition","context","operationType","credentialCryptoContext","appFetch","fetch","dPopCryptoContext","credential_configuration_id","credential_identifier","credentialUrl","openid_credential_issuer","credential_endpoint","issuerUrl","oauth_authorization_server","nonceUrl","nonce_endpoint","c_nonce","method","headers","then","res","json","body","parse","signedNonceProof","log","DEBUG","containsCredentialDefinition","authorization_details","some","c","credential_identifiers","includes","ERROR","message","credentialRequestFormBody","proof","jwt","proof_type","JSON","stringify","tokenRequestSignedDPop","htm","htu","jti","ath","access_token","credentialRes","DPoP","Authorization","token_type","safeParse","catch","handleObtainCredentialError","success","error","reason","data","issuerCredentialConfig","credential_configurations_supported","credential","credentials","at","format","e","handle","code","CredentialIssuingNotSynchronous","CredentialInvalidStatus","CredentialRequestFailed","buildFrom"],"sourceRoot":"../../../../src","sources":["credential/issuance/06-obtain-credential.ts"],"mappings":"AAAA,SAEEA,cAAc,EACdC,OAAO,QACF,6BAA6B;AAGpC,SAASC,gBAAgB,QAAkB,kBAAkB;AAE7D,SACEC,mBAAmB,EACnBC,wBAAwB,EACxBC,oBAAoB,EACpBC,yBAAyB,EACzBC,gBAAgB,QACX,oBAAoB;AAC3B,SAASC,kBAAkB,EAAEC,aAAa,QAAQ,SAAS;AAC3D,SAASC,eAAe,QAAQ,kBAAkB;AAClD,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,QAAQ,EAAEC,MAAM,QAAQ,qBAAqB;AAqBtD,OAAO,MAAMC,gBAAgB,GAAG,MAAAA,CAC9BC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBC,GAAkB,KACE;EACpB,MAAMC,GAAG,GAAG,MAAMD,GAAG,CAACE,YAAY,CAAC,CAAC;EACpC,OAAO,IAAIpB,OAAO,CAACkB,GAAG,CAAC,CACpBG,UAAU,CAAC;IACVN;EACF,CAAC,CAAC,CACDO,kBAAkB,CAAC;IAClBC,GAAG,EAAE,sBAAsB;IAC3BJ;EACF,CAAC,CAAC,CACDK,WAAW,CAACP,QAAQ,CAAC,CACrBQ,SAAS,CAACT,MAAM,CAAC,CACjBU,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,MAAM,CAAC,CACzBC,IAAI,CAAC,CAAC;AACX,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EACVC,WAAW,EACXC,QAAQ,EACRC,oBAAoB,EACpBC,OAAO,EACPC,aAAa,KACV;EACH,MAAM;IACJC,uBAAuB;IACvBC,QAAQ,GAAGC,KAAK;IAChBC;EACF,CAAC,GAAGL,OAAO;EACX,MAAM;IAAEM,2BAA2B;IAAEC;EAAsB,CAAC,GAC1DR,oBAAoB;EAEtB,MAAMS,aAAa,GAAGZ,UAAU,CAACa,wBAAwB,CAACC,mBAAmB;EAC7E,MAAMC,SAAS,GAAGf,UAAU,CAACgB,0BAA0B,CAAC9B,MAAM;EAC9D,MAAM+B,QAAQ,GAAGjB,UAAU,CAACa,wBAAwB,CAACK,cAAc;;EAEnE;EACA,MAAM;IAAEC;EAAQ,CAAC,GAAG,MAAMZ,QAAQ,CAACU,QAAQ,EAAE;IAC3CG,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MAAE,cAAc,EAAE;IAAmB;EAChD,CAAC,CAAC,CACCC,IAAI,CAACnD,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BmD,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEG,IAAI,IAAK/C,aAAa,CAACgD,KAAK,CAACD,IAAI,CAAC,CAAC;;EAE5C;AACF;AACA;AACA;AACA;EACE,MAAME,gBAAgB,GAAG,MAAM3C,gBAAgB,CAC7CmC,OAAO,EACPjB,QAAQ,EACRa,SAAS,EACTT,uBACF,CAAC;EAEDvB,MAAM,CAAC6C,GAAG,CAAC9C,QAAQ,CAAC+C,KAAK,EAAG,uBAAsBF,gBAAiB,EAAC,CAAC;;EAErE;EACA,MAAMG,4BAA4B,GAAG7B,WAAW,CAAC8B,qBAAqB,CAACC,IAAI,CACxEC,CAAC,IACAA,CAAC,CAACvB,2BAA2B,KAAKA,2BAA2B,KAC5DC,qBAAqB,GAClBsB,CAAC,CAACC,sBAAsB,CAACC,QAAQ,CAACxB,qBAAqB,CAAC,GACxD,IAAI,CACZ,CAAC;EAED,IAAI,CAACmB,4BAA4B,EAAE;IACjC/C,MAAM,CAAC6C,GAAG,CACR9C,QAAQ,CAACsD,KAAK,EACb,gEAA+DnC,WAAW,CAAC8B,qBAAsB,EACpG,CAAC;IACD,MAAM,IAAIvD,gBAAgB,CAAC;MACzB6D,OAAO,EACL;IACJ,CAAC,CAAC;EACJ;;EAEA;AACF;AACA;AACA;AACA;AACA;EACE,MAAMC,yBAAyB,GAAG3B,qBAAqB,GACnD;IACEA,qBAAqB,EAAEA,qBAAqB;IAC5C4B,KAAK,EAAE;MAAEC,GAAG,EAAEb,gBAAgB;MAAEc,UAAU,EAAE;IAAM;EACpD,CAAC,GACD;IACE/B,2BAA2B,EAAEA,2BAA2B;IACxD6B,KAAK,EAAE;MAAEC,GAAG,EAAEb,gBAAgB;MAAEc,UAAU,EAAE;IAAM;EACpD,CAAC;EAEL1D,MAAM,CAAC6C,GAAG,CACR9C,QAAQ,CAAC+C,KAAK,EACb,4BAA2Ba,IAAI,CAACC,SAAS,CAACL,yBAAyB,CAAE,EACxE,CAAC;EAED,MAAMM,sBAAsB,GAAG,MAAMjE,eAAe,CAClD;IACEkE,GAAG,EAAE,MAAM;IACXC,GAAG,EAAElC,aAAa;IAClBmC,GAAG,EAAG,GAAElE,MAAM,CAAC,CAAE,EAAC;IAClBmE,GAAG,EAAE,MAAM/E,cAAc,CAACgC,WAAW,CAACgD,YAAY;EACpD,CAAC,EACDxC,iBACF,CAAC;EAED1B,MAAM,CAAC6C,GAAG,CAAC9C,QAAQ,CAAC+C,KAAK,EAAG,uBAAsBe,sBAAuB,EAAC,CAAC;EAE3E,MAAMM,aAAa,GAAG,MAAM3C,QAAQ,CAACK,aAAa,EAAE;IAClDQ,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClC8B,IAAI,EAAEP,sBAAsB;MAC5BQ,aAAa,EAAG,GAAEnD,WAAW,CAACoD,UAAW,IAAGpD,WAAW,CAACgD,YAAa,EAAC;MACtE,IAAI5C,aAAa,KAAK,WAAW,IAAI;QAAEA;MAAc,CAAC;IACxD,CAAC;IACDoB,IAAI,EAAEiB,IAAI,CAACC,SAAS,CAACL,yBAAyB;EAChD,CAAC,CAAC,CACChB,IAAI,CAACnD,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BmD,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEG,IAAI,IAAKhD,kBAAkB,CAAC6E,SAAS,CAAC7B,IAAI,CAAC,CAAC,CAClD8B,KAAK,CAACC,2BAA2B,CAAC;EAErC,IAAI,CAACN,aAAa,CAACO,OAAO,EAAE;IAC1B1E,MAAM,CAAC6C,GAAG,CACR9C,QAAQ,CAACsD,KAAK,EACb,0CAAyCc,aAAa,CAACQ,KAAK,CAACrB,OAAQ,EACxE,CAAC;IACD,MAAM,IAAI7D,gBAAgB,CAAC;MACzB6D,OAAO,EAAE,uCAAuC;MAChDsB,MAAM,EAAET,aAAa,CAACQ,KAAK,CAACrB;IAC9B,CAAC,CAAC;EACJ;EAEAtD,MAAM,CAAC6C,GAAG,CACR9C,QAAQ,CAAC+C,KAAK,EACb,wBAAuBa,IAAI,CAACC,SAAS,CAACO,aAAa,CAACU,IAAI,CAAE,EAC7D,CAAC;;EAED;EACA,MAAMC,sBAAsB,GAC1B7D,UAAU,CAACa,wBAAwB,CAACiD,mCAAmC,CACrEpD,2BAA2B,CAC5B;;EAEH;EACA,OAAO;IACLqD,UAAU,EAAEb,aAAa,CAACU,IAAI,CAACI,WAAW,CAACC,EAAE,CAAC,CAAC,CAAC,CAAEF,UAAU;IAC5DG,MAAM,EAAEL,sBAAsB,CAAEK;EAClC,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMV,2BAA2B,GAAIW,CAAU,IAAK;EAClDpF,MAAM,CAAC6C,GAAG,CAAC9C,QAAQ,CAACsD,KAAK,EAAG,8CAA6C+B,CAAE,EAAC,CAAC;EAE7E,IAAI,EAAEA,CAAC,YAAY5F,yBAAyB,CAAC,EAAE;IAC7C,MAAM4F,CAAC;EACT;EAEA,MAAM,IAAI7F,oBAAoB,CAACF,mBAAmB,CAAC,CAChDgG,MAAM,CAAC,GAAG,EAAE;IACX;IACA;IACAC,IAAI,EAAEhG,wBAAwB,CAACiG,+BAA+B;IAC9DjC,OAAO,EACL;EACJ,CAAC,CAAC,CACD+B,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEhG,wBAAwB,CAACkG,uBAAuB;IACtDlC,OAAO,EAAE;EACX,CAAC,CAAC,CACD+B,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEhG,wBAAwB,CAACkG,uBAAuB;IACtDlC,OAAO,EAAE;EACX,CAAC,CAAC,CACD+B,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAEhG,wBAAwB,CAACmG,uBAAuB;IACtDnC,OAAO,EAAE;EACX,CAAC,CAAC,CACDoC,SAAS,CAACN,CAAC,CAAC;AACjB,CAAC"}

package/lib/module/credential/issuance/07-verify-and-parse-credential.js

@@ -8,45 +8,39 @@ import { LogLevel, Logger } from "../../utils/logging";
 
 // handy alias
 
-const parseCredentialSdJwt = function (credentials_supported, _ref) {
+const parseCredentialSdJwt = function (credentialConfig, _ref) {
   let {
     sdJwt,
     disclosures
   } = _ref;
   let ignoreMissingAttributes = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : false;
   let includeUndefinedAttributes = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : false;
-  const credentialSubject = credentials_supported[sdJwt.payload.vct];
-  if (!credentialSubject) {
-    Logger.log(LogLevel.ERROR, `Credential type not supported by the issuer: ${sdJwt.payload.vct}`);
-    throw new IoWalletError("Credential type not supported by the issuer");
-  }
-  if (credentialSubject.format !== sdJwt.header.typ) {
-    Logger.log(LogLevel.ERROR, `Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}'`);
-    throw new IoWalletError(`Received credential is of an unknwown type. Expected one of [${credentialSubject.format}], received '${sdJwt.header.typ}', `);
+  if (credentialConfig.format !== sdJwt.header.typ) {
+    const message = `Received credential is of an unknwown type. Expected one of [${credentialConfig.format}], received '${sdJwt.header.typ}'`;
+    Logger.log(LogLevel.ERROR, message);
+    throw new IoWalletError(message);
   }
-
-  // transfrom a record { key: value } in an iterable of pairs [key, value]
-  if (!credentialSubject.claims) {
+  if (!credentialConfig.claims) {
     Logger.log(LogLevel.ERROR, "Missing claims in the credential subject");
     throw new IoWalletError("Missing claims in the credential subject"); // TODO [SIW-1268]: should not be optional
   }
 
-  const attrDefinitions = Object.entries(credentialSubject.claims);
+  const attrDefinitions = credentialConfig.claims;
 
   // the key of the attribute defintion must match the disclosure's name
-  const attrsNotInDisclosures = attrDefinitions.filter(_ref2 => {
-    let [attrKey] = _ref2;
-    return !disclosures.some(_ref3 => {
-      let [, name] = _ref3;
-      return name === attrKey;
-    });
-  });
+  const attrsNotInDisclosures = attrDefinitions.filter(definition => !disclosures.some(_ref2 => {
+    let [, name] = _ref2;
+    return name === definition.path[0];
+  }) // Ignore nested paths for now, see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html#name-claims-path-pointer
+  );
+
   if (attrsNotInDisclosures.length > 0) {
-    const missing = attrsNotInDisclosures.map(_ => _[0 /* key */]).join(", ");
+    const missing = attrsNotInDisclosures.map(_ => _.path[0]).join(", ");
     const received = disclosures.map(_ => _[1 /* name */]).join(", ");
     if (!ignoreMissingAttributes) {
-      Logger.log(LogLevel.ERROR, `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`);
-      throw new IoWalletError(`Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`);
+      const message = `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`;
+      Logger.log(LogLevel.ERROR, message);
+      throw new IoWalletError(message);
     }
   }
 
@@ -54,28 +48,31 @@ const parseCredentialSdJwt = function (credentials_supported, _ref) {
   // and are present in the disclosure set
   const definedValues = Object.fromEntries(attrDefinitions
   // retrieve the value from the disclosure set
-  .map(_ref4 => {
+  .map(_ref3 => {
     var _disclosures$find;
-    let [attrKey, definition] = _ref4;
-    return [attrKey, {
+    let {
+      path,
+      ...definition
+    } = _ref3;
+    return [path[0], {
       ...definition,
-      value: (_disclosures$find = disclosures.find(_ => _[1 /* name */] === attrKey)) === null || _disclosures$find === void 0 ? void 0 : _disclosures$find[2 /* value */]
+      value: (_disclosures$find = disclosures.find(_ => _[1 /* name */] === path[0])) === null || _disclosures$find === void 0 ? void 0 : _disclosures$find[2 /* value */]
     }];
   })
   // add a human readable attribute name, with i18n, in the form { locale: name }
   // example: { "it-IT": "Nome", "en-EN": "Name", "es-ES": "Nombre" }
-  .map(_ref5 => {
+  .map(_ref4 => {
     let [attrKey, {
       display,
       ...definition
-    }] = _ref5;
+    }] = _ref4;
     return [attrKey, {
       ...definition,
-      name: display.reduce((names, _ref6) => {
+      name: display.reduce((names, _ref5) => {
         let {
           locale,
           name
-        } = _ref6;
+        } = _ref5;
         return {
           ...names,
           [locale]: name
@@ -86,8 +83,8 @@ const parseCredentialSdJwt = function (credentials_supported, _ref) {
   if (includeUndefinedAttributes) {
     // attributes that are in the disclosure set
     // but are not defined in the issuer configuration
-    const undefinedValues = Object.fromEntries(disclosures.filter(_ => !Object.keys(definedValues).includes(_[1])).map(_ref7 => {
-      let [, key, value] = _ref7;
+    const undefinedValues = Object.fromEntries(disclosures.filter(_ => !Object.keys(definedValues).includes(_[1])).map(_ref6 => {
+      let [, key, value] = _ref6;
       return [key, {
         value,
         name: key
@@ -124,23 +121,26 @@ async function verifyCredentialSdJwt(rawCredential, issuerKeys, holderBindingCon
     cnf
   } = decodedCredential.sdJwt.payload;
   if (!cnf.jwk.kid || cnf.jwk.kid !== holderBindingKey.kid) {
-    Logger.log(LogLevel.ERROR, `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`);
-    throw new IoWalletError(`Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`);
+    const message = `Failed to verify holder binding, expected kid: ${holderBindingKey.kid}, got: ${decodedCredential.sdJwt.payload.cnf.jwk.kid}`;
+    Logger.log(LogLevel.ERROR, message);
+    throw new IoWalletError(message);
   }
   return decodedCredential;
 }
-
-// utility type that specialize VerifyAndParseCredential for given format
-
-const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) => {
+const verifyAndParseCredentialSdJwt = async (issuerConf, credential, credentialConfigurationId, _ref7) => {
   let {
     credentialCryptoContext,
     ignoreMissingAttributes,
     includeUndefinedAttributes
-  } = _ref8;
+  } = _ref7;
   const decoded = await verifyCredentialSdJwt(credential, issuerConf.openid_credential_issuer.jwks.keys, credentialCryptoContext);
   Logger.log(LogLevel.DEBUG, `Decoded credential: ${JSON.stringify(decoded)}`);
-  const parsedCredential = parseCredentialSdJwt(issuerConf.openid_credential_issuer.credential_configurations_supported, decoded, ignoreMissingAttributes, includeUndefinedAttributes);
+  const credentialConfig = issuerConf.openid_credential_issuer.credential_configurations_supported[credentialConfigurationId];
+  if (!credentialConfig) {
+    Logger.log(LogLevel.ERROR, `Credential type not supported by the issuer: ${credentialConfigurationId}`);
+    throw new IoWalletError("Credential type not supported by the issuer");
+  }
+  const parsedCredential = parseCredentialSdJwt(credentialConfig, decoded, ignoreMissingAttributes, includeUndefinedAttributes);
   const maybeIssuedAt = getValueFromDisclosures(decoded.disclosures, "iat");
   Logger.log(LogLevel.DEBUG, `Parsed credential: ${JSON.stringify(parsedCredential)}\nIssued at: ${maybeIssuedAt}`);
   return {
@@ -154,7 +154,7 @@ const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) =
  * Verify and parse an encoded credential.
  * @param issuerConf The Issuer configuration returned by {@link evaluateIssuerTrust}
  * @param credential The encoded credential returned by {@link obtainCredential}
- * @param format The format of the credentual returned by {@link obtainCredential}
+ * @param credentialConfigurationId The credential configuration ID that defines the provided credential
  * @param context.credentialCryptoContext The crypto context used to obtain the credential in {@link obtainCredential}
  * @param context.ignoreMissingAttributes Skip error when attributes declared in the issuer configuration are not found within disclosures
  * @param context.includeUndefinedAttributes Include attributes not explicitly declared in the issuer configuration
@@ -163,12 +163,15 @@ const verifyAndParseCredentialSdJwt = async (issuerConf, credential, _, _ref8) =
  * @throws {IoWalletError} If the credential is not bound to the provided user key
  * @throws {IoWalletError} If the credential data fail to parse
  */
-export const verifyAndParseCredential = async (issuerConf, credential, format, context) => {
-  if (format === "vc+sd-jwt") {
-    Logger.log(LogLevel.DEBUG, "Parsing credential in vc+sd-jwt format");
-    return verifyAndParseCredentialSdJwt(issuerConf, credential, format, context);
+export const verifyAndParseCredential = async (issuerConf, credential, credentialConfigurationId, context) => {
+  var _issuerConf$openid_cr;
+  const format = (_issuerConf$openid_cr = issuerConf.openid_credential_issuer.credential_configurations_supported[credentialConfigurationId]) === null || _issuerConf$openid_cr === void 0 ? void 0 : _issuerConf$openid_cr.format;
+  if (format === "dc+sd-jwt") {
+    Logger.log(LogLevel.DEBUG, "Parsing credential in dc+sd-jwt format");
+    return verifyAndParseCredentialSdJwt(issuerConf, credential, credentialConfigurationId, context);
   }
-  Logger.log(LogLevel.ERROR, `Unsupported credential format: ${format}`);
-  throw new IoWalletError(`Unsupported credential format: ${format}`);
+  const message = `Unsupported credential format: ${format}`;
+  Logger.log(LogLevel.ERROR, message);
+  throw new IoWalletError(message);
 };
 //# sourceMappingURL=07-verify-and-parse-credential.js.map