@pagopa/io-react-native-wallet 2.0.0-next.3 → 2.0.0-next.4

package/lib/typescript/sd-jwt/types.d.ts

@@ -29,20 +29,33 @@ export type DisclosureWithEncoded = {
     decoded: Disclosure;
     encoded: string;
 };
+/**
+ * Type for a Verifiable Credential in SD-JWT format.
+ * It supports both the older and the new data model for backward compatibility.
+ */
 export type SdJwt4VC = z.infer<typeof SdJwt4VC>;
 export declare const SdJwt4VC: z.ZodObject<{
     header: z.ZodObject<{
-        typ: z.ZodLiteral<"dc+sd-jwt">;
+        typ: z.ZodEnum<["vc+sd-jwt", "dc+sd-jwt"]>;
         alg: z.ZodString;
-        kid: z.ZodOptional<z.ZodString>;
+        kid: z.ZodString;
+        trust_chain: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        x5c: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        vctm: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     }, "strip", z.ZodTypeAny, {
         alg: string;
-        typ: "dc+sd-jwt";
-        kid?: string | undefined;
+        kid: string;
+        typ: "vc+sd-jwt" | "dc+sd-jwt";
+        trust_chain?: string[] | undefined;
+        x5c?: string[] | undefined;
+        vctm?: string[] | undefined;
     }, {
         alg: string;
-        typ: "dc+sd-jwt";
-        kid?: string | undefined;
+        kid: string;
+        typ: "vc+sd-jwt" | "dc+sd-jwt";
+        trust_chain?: string[] | undefined;
+        x5c?: string[] | undefined;
+        vctm?: string[] | undefined;
     }>;
     payload: z.ZodIntersection<z.ZodObject<{
         iss: z.ZodString;
@@ -50,7 +63,7 @@ export declare const SdJwt4VC: z.ZodObject<{
         iat: z.ZodOptional<z.ZodNumber>;
         exp: z.ZodNumber;
         _sd_alg: z.ZodLiteral<"sha-256">;
-        status: z.ZodObject<{
+        status: z.ZodOptional<z.ZodUnion<[z.ZodObject<{
             status_assertion: z.ZodObject<{
                 credential_hash_alg: z.ZodLiteral<"sha-256">;
             }, "strip", z.ZodTypeAny, {
@@ -66,7 +79,23 @@ export declare const SdJwt4VC: z.ZodObject<{
             status_assertion: {
                 credential_hash_alg: "sha-256";
             };
-        }>;
+        }>, z.ZodObject<{
+            status_attestation: z.ZodObject<{
+                credential_hash_alg: z.ZodLiteral<"sha-256">;
+            }, "strip", z.ZodTypeAny, {
+                credential_hash_alg: "sha-256";
+            }, {
+                credential_hash_alg: "sha-256";
+            }>;
+        }, "strip", z.ZodTypeAny, {
+            status_attestation: {
+                credential_hash_alg: "sha-256";
+            };
+        }, {
+            status_attestation: {
+                credential_hash_alg: "sha-256";
+            };
+        }>]>>;
         cnf: z.ZodObject<{
             jwk: z.ZodObject<{
                 alg: z.ZodOptional<z.ZodString>;
@@ -190,16 +219,11 @@ export declare const SdJwt4VC: z.ZodObject<{
             };
         }>;
         vct: z.ZodString;
-        "vct#integrity": z.ZodString;
-        issuing_authority: z.ZodString;
-        issuing_country: z.ZodString;
+        "vct#integrity": z.ZodOptional<z.ZodString>;
+        issuing_authority: z.ZodOptional<z.ZodString>;
+        issuing_country: z.ZodOptional<z.ZodString>;
     }, "strip", z.ZodTypeAny, {
         iss: string;
-        status: {
-            status_assertion: {
-                credential_hash_alg: "sha-256";
-            };
-        };
         sub: string;
         exp: number;
         _sd_alg: "sha-256";
@@ -230,17 +254,21 @@ export declare const SdJwt4VC: z.ZodObject<{
             };
         };
         vct: string;
-        "vct#integrity": string;
-        issuing_authority: string;
-        issuing_country: string;
         iat?: number | undefined;
-    }, {
-        iss: string;
-        status: {
+        status?: {
             status_assertion: {
                 credential_hash_alg: "sha-256";
             };
-        };
+        } | {
+            status_attestation: {
+                credential_hash_alg: "sha-256";
+            };
+        } | undefined;
+        "vct#integrity"?: string | undefined;
+        issuing_authority?: string | undefined;
+        issuing_country?: string | undefined;
+    }, {
+        iss: string;
         sub: string;
         exp: number;
         _sd_alg: "sha-256";
@@ -271,10 +299,19 @@ export declare const SdJwt4VC: z.ZodObject<{
             };
         };
         vct: string;
-        "vct#integrity": string;
-        issuing_authority: string;
-        issuing_country: string;
         iat?: number | undefined;
+        status?: {
+            status_assertion: {
+                credential_hash_alg: "sha-256";
+            };
+        } | {
+            status_attestation: {
+                credential_hash_alg: "sha-256";
+            };
+        } | undefined;
+        "vct#integrity"?: string | undefined;
+        issuing_authority?: string | undefined;
+        issuing_country?: string | undefined;
     }>, z.ZodObject<{
         _sd: z.ZodArray<z.ZodString, "many">;
     }, "strip", z.ZodTypeAny, {
@@ -285,16 +322,14 @@ export declare const SdJwt4VC: z.ZodObject<{
 }, "strip", z.ZodTypeAny, {
     header: {
         alg: string;
-        typ: "dc+sd-jwt";
-        kid?: string | undefined;
+        kid: string;
+        typ: "vc+sd-jwt" | "dc+sd-jwt";
+        trust_chain?: string[] | undefined;
+        x5c?: string[] | undefined;
+        vctm?: string[] | undefined;
     };
     payload: {
         iss: string;
-        status: {
-            status_assertion: {
-                credential_hash_alg: "sha-256";
-            };
-        };
         sub: string;
         exp: number;
         _sd_alg: "sha-256";
@@ -325,26 +360,33 @@ export declare const SdJwt4VC: z.ZodObject<{
             };
         };
         vct: string;
-        "vct#integrity": string;
-        issuing_authority: string;
-        issuing_country: string;
         iat?: number | undefined;
+        status?: {
+            status_assertion: {
+                credential_hash_alg: "sha-256";
+            };
+        } | {
+            status_attestation: {
+                credential_hash_alg: "sha-256";
+            };
+        } | undefined;
+        "vct#integrity"?: string | undefined;
+        issuing_authority?: string | undefined;
+        issuing_country?: string | undefined;
     } & {
         _sd: string[];
     };
 }, {
     header: {
         alg: string;
-        typ: "dc+sd-jwt";
-        kid?: string | undefined;
+        kid: string;
+        typ: "vc+sd-jwt" | "dc+sd-jwt";
+        trust_chain?: string[] | undefined;
+        x5c?: string[] | undefined;
+        vctm?: string[] | undefined;
     };
     payload: {
         iss: string;
-        status: {
-            status_assertion: {
-                credential_hash_alg: "sha-256";
-            };
-        };
         sub: string;
         exp: number;
         _sd_alg: "sha-256";
@@ -375,10 +417,19 @@ export declare const SdJwt4VC: z.ZodObject<{
             };
         };
         vct: string;
-        "vct#integrity": string;
-        issuing_authority: string;
-        issuing_country: string;
         iat?: number | undefined;
+        status?: {
+            status_assertion: {
+                credential_hash_alg: "sha-256";
+            };
+        } | {
+            status_attestation: {
+                credential_hash_alg: "sha-256";
+            };
+        } | undefined;
+        "vct#integrity"?: string | undefined;
+        issuing_authority?: string | undefined;
+        issuing_country?: string | undefined;
     } & {
         _sd: string[];
     };

package/lib/typescript/sd-jwt/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/sd-jwt/types.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,QAAQ,aAAuC,CAAC;AAC7D,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAEhD,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAC1E,eAAO,MAAM,qBAAqB;;;;;;EAAyC,CAAC;AAE5E;;;;;GAKG;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AACpD,eAAO,MAAM,UAAU,4DAIrB,CAAC;AAEH;;;;;;;GAOG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC,OAAO,EAAE,UAAU,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAChD,eAAO,MAAM,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA4BnB,CAAC;AAEH;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AACxD,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAevB,CAAC;AAEH;;;;GAIG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AACxD,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAcvB,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/sd-jwt/types.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,QAAQ,aAAuC,CAAC;AAC7D,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAEhD,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAC1E,eAAO,MAAM,qBAAqB;;;;;;EAAyC,CAAC;AAE5E;;;;;GAKG;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AACpD,eAAO,MAAM,UAAU,4DAIrB,CAAC;AAEH;;;;;;;GAOG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC,OAAO,EAAE,UAAU,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAMF;;;GAGG;AACH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAChD,eAAO,MAAM,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkCnB,CAAC;AAEH;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AACxD,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAevB,CAAC;AAEH;;;;GAIG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AACxD,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAcvB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-react-native-wallet",
-  "version": "2.0.0-next.3",
+  "version": "2.0.0-next.4",
   "description": "Provide data structures, helpers and API for IO Wallet",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",

package/src/credential/issuance/04-complete-user-authorization.ts

@@ -10,16 +10,16 @@ import { IssuerResponseError, ValidationFailed } from "../../utils/errors";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import {
   decode,
-  encodeBase64,
   SignJWT,
   type CryptoContext,
 } from "@pagopa/io-react-native-jwt";
-import { RequestObject } from "../presentation/types";
-import { v4 as uuidv4 } from "uuid";
+import { type RemotePresentation, RequestObject } from "../presentation/types";
 import { ResponseUriResultShape } from "./types";
 import { getJwtFromFormPost } from "../../utils/decoder";
 import { AuthorizationError, AuthorizationIdpError } from "./errors";
 import { LogLevel, Logger } from "../../utils/logging";
+import { Presentation } from "..";
+import type { DcqlQuery } from "dcql";
 
 /**
  * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
@@ -30,11 +30,10 @@ export type CompleteUserAuthorizationWithQueryMode = (
 
 export type CompleteUserAuthorizationWithFormPostJwtMode = (
   requestObject: Out<GetRequestedCredentialToBePresented>,
+  pid: string,
   context: {
     wiaCryptoContext: CryptoContext;
     pidCryptoContext: CryptoContext;
-    pid: string;
-    walletInstanceAttestation: string;
     appFetch?: GlobalFetch["fetch"];
   }
 ) => Promise<AuthorizationResult>;
@@ -158,103 +157,54 @@ export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePres
   };
 
 /**
- * WARNING: This function must be called after {@link startUserAuthorization}. The next function to be called is {@link completeUserAuthorizationWithFormPostJwtMode}.
+ * WARNING: This function must be called after {@link getRequestedCredentialToBePresented}. The next function to be called is {@link authorizeAccess}.
  * The interface of the phase to complete User authorization via presentation of existing credentials when the response mode is "form_post.jwt".
- * It is used as a first step to complete the user authorization by obtaining the requested credential to be presented from the authorization server.
- * The information is obtained by performing a GET request to the authorization endpoint with request_uri and client_id parameters.
- * @param issuerRequestUri the URI of the issuer where the request is sent
- * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
- * @param context.walletInstanceAccestation the Wallet Instance's attestation to be presented
- * @param context.pid the PID to be presented
- * @param context.wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
- * @param context.pidCryptoContext The PID crypto context associated with the pid parameter
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * The information is obtained by performing a POST request to the endpoint received in the response_uri field of the requestObject, where the Authorization Response payload is posted.
+ * Following this,the redirect_uri from the response is used to obtain the final authorization response.
+ * @param requestObject - The request object containing the necessary parameters for authorization.
+ * @param pid The `PID` that must be presented for the issuance of credentials.
+ * @param appFetch (optional) fetch api implementation. Default: built-in fetch
  * @throws {ValidationFailed} if an error while validating the response
  * @returns the authorization response which contains code, state and iss
  */
 export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthorizationWithFormPostJwtMode =
-  async (requestObject, ctx) => {
+  async (
+    requestObject,
+    pid,
+    { wiaCryptoContext, pidCryptoContext, appFetch = fetch }
+  ) => {
     Logger.log(
       LogLevel.DEBUG,
       `The requeste credential is not a PersonIdentificationData, completing the user authorization with form_post.jwt mode`
     );
 
-    const {
-      wiaCryptoContext,
-      pidCryptoContext,
-      pid,
-      walletInstanceAttestation,
-      appFetch = fetch,
-    } = ctx;
+    if (!requestObject.dcql_query) {
+      throw new Error("Invalid request object");
+    }
 
-    const wiaWpToken = await new SignJWT(wiaCryptoContext)
-      .setProtectedHeader({
-        alg: "ES256",
-        typ: "JWT",
-      })
-      .setPayload({
-        vp: walletInstanceAttestation,
-        jti: uuidv4().toString(),
-        nonce: requestObject.nonce,
-      })
-      .setIssuedAt()
-      .setExpirationTime("5m")
-      .setAudience(requestObject.response_uri)
-      .sign();
+    const dcqlQueryResult = Presentation.evaluateDcqlQuery(
+      [[pidCryptoContext, pid]],
+      requestObject.dcql_query as DcqlQuery
+    );
 
-    const pidWpToken = await new SignJWT(pidCryptoContext)
-      .setProtectedHeader({
-        alg: "ES256",
-        typ: "JWT",
+    const credentialsToPresent = dcqlQueryResult.map(
+      ({ requiredDisclosures, ...rest }) => ({
+        ...rest,
+        requestedClaims: requiredDisclosures.map(([, claimName]) => claimName),
       })
-      .setPayload({
-        vp: pid,
-        jti: uuidv4().toString(),
-        nonce: requestObject.nonce,
-      })
-      .setIssuedAt()
-      .setExpirationTime("5m")
-      .setAudience(requestObject.response_uri)
-      .sign();
-
-    Logger.log(
-      LogLevel.DEBUG,
-      `Wallet instance attestation JWT token: ${wiaWpToken}`
     );
 
-    /* The path parameter refers to the vp_token variable of the authzResponsePayload and must point to the plain credential which
-     * is cointaned in the `vp` property of the signed jwt token payload
-     */
-    const presentationSubmission = {
-      definition_id: `${uuidv4()}`,
-      id: `${uuidv4()}`,
-      descriptor_map: [
-        {
-          id: "PersonIdentificationData",
-          path: "$.vp_token[0].vp",
-          format: "vc+sd-jwt",
-        },
-        {
-          id: "WalletAttestation",
-          path: "$.vp_token[1].vp",
-          format: "jwt",
-        },
-      ],
-    };
-
-    Logger.log(
-      LogLevel.DEBUG,
-      `Presentation submission: ${JSON.stringify(presentationSubmission)}`
+    const remotePresentations = await Presentation.prepareRemotePresentations(
+      credentialsToPresent,
+      requestObject.nonce,
+      requestObject.client_id
     );
 
-    const authzResponsePayload = encodeBase64(
-      JSON.stringify({
-        state: requestObject.state,
-        presentation_submission: presentationSubmission,
-        vp_token: [pidWpToken, wiaWpToken],
-      })
-    );
+    const authzResponsePayload = await createAuthzResponsePayload({
+      state: requestObject.state,
+      remotePresentations,
+      wiaCryptoContext,
+    });
 
     Logger.log(
       LogLevel.DEBUG,
@@ -334,3 +284,47 @@ export const parseAuthorizationResponse = (
   }
   return authResParsed.data;
 };
+
+/**
+ * Creates the authorization response payload to be sent.
+ * This payload includes the state and the VP tokens for the presented credentials.
+ * The payload is encoded in Base64.
+ * @param state - The state parameter from the request object (optional).
+ * @param remotePresentations - An array of remote presentations containing credential IDs and their corresponding VP tokens.
+ * @returns The Base64 encoded authorization response payload.
+ */
+const createAuthzResponsePayload = async ({
+  state,
+  remotePresentations,
+  wiaCryptoContext,
+}: {
+  state?: string;
+  remotePresentations: RemotePresentation[];
+  wiaCryptoContext: CryptoContext;
+}): Promise<string> => {
+  const { kid } = await wiaCryptoContext.getPublicKey();
+
+  return new SignJWT(wiaCryptoContext)
+    .setProtectedHeader({
+      typ: "jwt",
+      kid,
+    })
+    .setPayload({
+      /**
+       * TODO [SIW-2264]: `state` coming from `requestObject` is marked as `optional`
+       * At the moment, it is not entirely clear whether this value can indeed be omitted
+       * and, if so, what the consequences of its absence might be.
+       */
+      ...(state ? { state } : {}),
+      vp_token: remotePresentations.reduce(
+        (vp_token, { credentialId, vpToken }) => ({
+          ...vp_token,
+          [credentialId]: vpToken,
+        }),
+        {}
+      ),
+    })
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .sign();
+};

package/src/credential/issuance/06-obtain-credential.ts

@@ -33,7 +33,10 @@ export type ObtainCredential = (
     appFetch?: GlobalFetch["fetch"];
   },
   operationType?: "reissuing"
-) => Promise<{ credential: string; format: string }>;
+) => Promise<{
+  credential: string;
+  format: string;
+}>;
 
 export const createNonceProof = async (
   nonce: string,

package/src/credential/issuance/README.md

@@ -72,8 +72,6 @@ The expected result from the authentication process is in `form_post.jwt` format
   <summary>Credential issuance flow</summary>
 
 ```ts
-// TODO: [SIW-2209] update documentation in PR #219
-
 // Retrieve the integrity key tag from the store and create its context
 const integrityKeyTag = "example"; // Let's assume this is the key tag used to create the wallet instance
 const integrityContext = getIntegrityContext(integrityKeyTag);
@@ -98,17 +96,13 @@ const walletInstanceAttestation =
     appFetch,
   });
 
-const credentialType = "someCredential"; // Let's assume this is the credential type
-
-const eid = {
+const pid = {
   credential: "example",
   parsedCredential: "example"
   keyTag: "example";
-  credentialType: "eid";
+  credentialType: "PersonIdentificationData";
 };
 
-const eidCryptoContext = createCryptoContextFor(eid.keyTag);
-
 // Create credential crypto context
 const credentialKeyTag = uuidv4().toString();
 await generate(credentialKeyTag); // Let's assume this function generates a new hardware-backed key pair
@@ -117,22 +111,26 @@ const credentialCryptoContext = createCryptoContextFor(credentialKeyTag);
 // Start the issuance flow
 const startFlow: Credential.Issuance.StartFlow = () => ({
   issuerUrl: WALLET_EAA_PROVIDER_BASE_URL,
-  credentialType,
+  credentialId: "someCredentialId",
 });
 
-const { issuerUrl } = startFlow();
+const { issuerUrl, credentialId } = startFlow();
 
 // Evaluate issuer trust
 const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(issuerUrl);
 
 // Start user authorization
-const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
-  await Credential.Issuance.startUserAuthorization(issuerConf, credentialType, {
-    walletInstanceAttestation,
-    redirectUri,
-    wiaCryptoContext,
-    appFetch,
-  });
+const { issuerRequestUri, clientId, codeVerifier } =
+  await Credential.Issuance.startUserAuthorization(
+    issuerConf, 
+    [credentialId], 
+    {
+      walletInstanceAttestation,
+      redirectUri: REDIRECT_URI,
+      wiaCryptoContext,
+      appFetch,
+    }
+  );
 
 const requestObject =
   await Credential.Issuance.getRequestedCredentialToBePresented(
@@ -142,13 +140,12 @@ const requestObject =
     appFetch
   );
 
-// The app here should ask the user to confirm the required data contained in the requestObject
-
 // Complete the user authorization via form_post.jwt mode
 const { code } =
   await Credential.Issuance.completeUserAuthorizationWithFormPostJwtMode(
     requestObject,
-    { wiaCryptoContext, pidCryptoContext, pid, walletInstanceAttestation }
+    pid.credential,
+    { wiaCryptoContext, pidCryptoContext: createCryptoContextFor(pid.keyTag) }
   );
 
 // Generate the DPoP context which will be used for the whole issuance flow
@@ -159,7 +156,7 @@ const { accessToken } = await Credential.Issuance.authorizeAccess(
   issuerConf,
   code,
   clientId,
-  redirectUri,
+  redirectUri: REDIRECT_URI,
   codeVerifier,
   {
     walletInstanceAttestation,
@@ -169,12 +166,19 @@ const { accessToken } = await Credential.Issuance.authorizeAccess(
   }
 );
 
-// Obtain the credential
-const { credential, format } = await Credential.Issuance.obtainCredential(
+// For simplicity, in this example flow we work on a single credential.
+const { credential_configuration_id, credential_identifiers } =
+    accessToken.authorization_details[0]!;
+
+ // Obtain the credential
+const { credential } = await Credential.Issuance.obtainCredential(
   issuerConf,
   accessToken,
   clientId,
-  credentialDefinition,
+  {
+    credential_configuration_id,
+    credential_identifier: credential_identifiers[0],
+  },
   {
     credentialCryptoContext,
     dPopCryptoContext,
@@ -186,22 +190,29 @@ const { credential, format } = await Credential.Issuance.obtainCredential(
  * Parse and verify the credential. The ignoreMissingAttributes flag must be set to false or omitted in production.
  * WARNING: includeUndefinedAttributes should not be set to true in production in order to get only claims explicitly declared by the issuer.
  */
-const { parsedCredential } = await Credential.Issuance.verifyAndParseCredential(
-  issuerConf,
-  credential,
-  format,
-  {
-    credentialCryptoContext,
-    ignoreMissingAttributes: true,
-    includeUndefinedAttributes: false
-  }
-);
+const { parsedCredential } =
+  await Credential.Issuance.verifyAndParseCredential(
+    issuerConf,
+    credential,
+    credential_configuration_id,
+    { 
+      credentialCryptoContext, 
+      ignoreMissingAttributes: true,
+      includeUndefinedAttributes: false 
+    }
+  );
+
+const credentialType =
+  issuerConf.openid_credential_issuer.credential_configurations_supported[
+    credential_configuration_id
+  ].scope;
 
 return {
   parsedCredential,
   credential,
   keyTag: credentialKeyTag,
   credentialType,
+  credentialConfigurationId: credential_configuration_id,
 };
 ```
 

package/src/credential/issuance/types.ts

@@ -11,6 +11,7 @@ export type TokenResponse = z.infer<typeof TokenResponse>;
 
 export const TokenResponse = z.object({
   access_token: z.string(),
+  refresh_token: z.string().optional(),
   authorization_details: z.array(AuthorizationDetail),
   expires_in: z.number(),
   token_type: z.string(),