@pagopa/io-react-native-wallet 2.5.1 → 3.0.0

package/lib/module/credential/issuance/mrtd-pop/index.js

@@ -1,5 +1,10 @@
 import { verifyAndParseChallengeInfo } from "./01-verify-and-parse-challenge-info";
 import { initChallenge } from "./02-init-challenge";
 import { validateChallenge, buildChallengeCallbackUrl } from "./03-validate-challenge";
-export { verifyAndParseChallengeInfo, initChallenge, validateChallenge, buildChallengeCallbackUrl };
+export const MRTDPoP = {
+  verifyAndParseChallengeInfo,
+  initChallenge,
+  validateChallenge,
+  buildChallengeCallbackUrl
+};
 //# sourceMappingURL=index.js.map

package/lib/module/credential/issuance/mrtd-pop/index.js.map

@@ -1 +1 @@
-{"version":3,"names":["verifyAndParseChallengeInfo","initChallenge","validateChallenge","buildChallengeCallbackUrl"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/index.ts"],"mappings":"AAAA,SACEA,2BAA2B,QAEtB,sCAAsC;AAC7C,SAASC,aAAa,QAA4B,qBAAqB;AACvE,SACEC,iBAAiB,EACjBC,yBAAyB,QAGpB,yBAAyB;AAGhC,SACEH,2BAA2B,EAC3BC,aAAa,EACbC,iBAAiB,EACjBC,yBAAyB"}
+{"version":3,"names":["verifyAndParseChallengeInfo","initChallenge","validateChallenge","buildChallengeCallbackUrl","MRTDPoP"],"sourceRoot":"../../../../../src","sources":["credential/issuance/mrtd-pop/index.ts"],"mappings":"AACA,SAASA,2BAA2B,QAAQ,sCAAsC;AAClF,SAASC,aAAa,QAAQ,qBAAqB;AACnD,SACEC,iBAAiB,EACjBC,yBAAyB,QACpB,yBAAyB;AAEhC,OAAO,MAAMC,OAAmB,GAAG;EACjCJ,2BAA2B;EAC3BC,aAAa;EACbC,iBAAiB;EACjBC;AACF,CAAC"}

package/lib/module/credential/issuance/v1.0.0/01-evaluate-issuer-trust.js

@@ -0,0 +1,12 @@
+import { getCredentialIssuerEntityConfiguration } from "../../../trust/v1.0.0/entities";
+import { mapToIssuerConfig } from "./mappers";
+export const evaluateIssuerTrust = async function (issuerUrl) {
+  let context = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
+  const issuerConf = await getCredentialIssuerEntityConfiguration(issuerUrl, {
+    appFetch: context.appFetch
+  });
+  return {
+    issuerConf: mapToIssuerConfig(issuerConf)
+  };
+};
+//# sourceMappingURL=01-evaluate-issuer-trust.js.map

package/lib/module/credential/issuance/v1.0.0/01-evaluate-issuer-trust.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["getCredentialIssuerEntityConfiguration","mapToIssuerConfig","evaluateIssuerTrust","issuerUrl","context","arguments","length","undefined","issuerConf","appFetch"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.0.0/01-evaluate-issuer-trust.ts"],"mappings":"AAAA,SAASA,sCAAsC,QAAQ,gCAAgC;AAEvF,SAASC,iBAAiB,QAAQ,WAAW;AAE7C,OAAO,MAAMC,mBAAuD,GAAG,eAAAA,CACrEC,SAAS,EAEN;EAAA,IADHC,OAAO,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAEZ,MAAMG,UAAU,GAAG,MAAMR,sCAAsC,CAACG,SAAS,EAAE;IACzEM,QAAQ,EAAEL,OAAO,CAACK;EACpB,CAAC,CAAC;EAEF,OAAO;IAAED,UAAU,EAAEP,iBAAiB,CAACO,UAAU;EAAE,CAAC;AACtD,CAAC"}

package/lib/module/credential/issuance/v1.0.0/02-start-user-authorization.js

@@ -0,0 +1,56 @@
+import { generateRandomAlphaNumericString } from "../../../utils/misc";
+import { makeParRequest } from "../../../utils/par";
+import { LogLevel, Logger } from "../../../utils/logging";
+import { IoWalletError } from "../../../utils/errors";
+import { selectCredentialDefinition, selectResponseMode } from "../common/authorization";
+export const startUserAuthorization = async (issuerConf, credentialIds, proof, ctx) => {
+  const {
+    wiaCryptoContext,
+    walletInstanceAttestation,
+    redirectUri,
+    appFetch = fetch
+  } = ctx;
+  const clientId = await wiaCryptoContext.getPublicKey().then(_ => _.kid);
+  if (!clientId) {
+    Logger.log(LogLevel.ERROR, `Public key associated with kid ${clientId} not found in the device`);
+    throw new IoWalletError("No public key found");
+  }
+  const codeVerifier = generateRandomAlphaNumericString(64);
+  const parEndpoint = issuerConf.pushed_authorization_request_endpoint;
+  const aud = issuerConf.credential_issuer;
+  const responseMode = selectResponseMode(issuerConf, credentialIds);
+  const getPar = makeParRequest({
+    wiaCryptoContext,
+    appFetch
+  });
+  const credentialDefinition = credentialIds.map(c => selectCredentialDefinition(issuerConf, c));
+  if (proof.proofType === "mrtd-pop") {
+    /**
+     * When we requests a PID using eID Substantial Authentication with MRTD Verification, we must include
+     * an additional Authorization Details Object in the authorization_details
+     *
+     * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/credential-issuance-endpoint.html#pushed-authorization-request-endpoint
+     */
+    credentialDefinition.push({
+      type: "it_l2+document_proof",
+      idphinting: proof.idpHinting,
+      challenge_method: "mrtd+ias",
+      challenge_redirect_uri: redirectUri
+    });
+  }
+  const issuerRequestUri = await getPar(parEndpoint, walletInstanceAttestation, {
+    aud,
+    clientId,
+    codeVerifier,
+    redirectUri,
+    responseMode,
+    authorizationDetails: credentialDefinition
+  });
+  return {
+    issuerRequestUri,
+    clientId,
+    codeVerifier,
+    credentialDefinition
+  };
+};
+//# sourceMappingURL=02-start-user-authorization.js.map

package/lib/module/credential/issuance/v1.0.0/02-start-user-authorization.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["generateRandomAlphaNumericString","makeParRequest","LogLevel","Logger","IoWalletError","selectCredentialDefinition","selectResponseMode","startUserAuthorization","issuerConf","credentialIds","proof","ctx","wiaCryptoContext","walletInstanceAttestation","redirectUri","appFetch","fetch","clientId","getPublicKey","then","_","kid","log","ERROR","codeVerifier","parEndpoint","pushed_authorization_request_endpoint","aud","credential_issuer","responseMode","getPar","credentialDefinition","map","c","proofType","push","type","idphinting","idpHinting","challenge_method","challenge_redirect_uri","issuerRequestUri","authorizationDetails"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.0.0/02-start-user-authorization.ts"],"mappings":"AAAA,SAASA,gCAAgC,QAAQ,qBAAqB;AACtE,SAASC,cAAc,QAAQ,oBAAoB;AACnD,SAASC,QAAQ,EAAEC,MAAM,QAAQ,wBAAwB;AACzD,SAASC,aAAa,QAAQ,uBAAuB;AAErD,SACEC,0BAA0B,EAC1BC,kBAAkB,QACb,yBAAyB;AAEhC,OAAO,MAAMC,sBAA6D,GACxE,MAAAA,CAAOC,UAAU,EAAEC,aAAa,EAAEC,KAAK,EAAEC,GAAG,KAAK;EAC/C,MAAM;IACJC,gBAAgB;IAChBC,yBAAyB;IACzBC,WAAW;IACXC,QAAQ,GAAGC;EACb,CAAC,GAAGL,GAAG;EAEP,MAAMM,QAAQ,GAAG,MAAML,gBAAgB,CAACM,YAAY,CAAC,CAAC,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAACC,GAAG,CAAC;EAEzE,IAAI,CAACJ,QAAQ,EAAE;IACbd,MAAM,CAACmB,GAAG,CACRpB,QAAQ,CAACqB,KAAK,EACb,kCAAiCN,QAAS,0BAC7C,CAAC;IACD,MAAM,IAAIb,aAAa,CAAC,qBAAqB,CAAC;EAChD;EACA,MAAMoB,YAAY,GAAGxB,gCAAgC,CAAC,EAAE,CAAC;EACzD,MAAMyB,WAAW,GAAGjB,UAAU,CAACkB,qCAAqC;EACpE,MAAMC,GAAG,GAAGnB,UAAU,CAACoB,iBAAiB;EACxC,MAAMC,YAAY,GAAGvB,kBAAkB,CAACE,UAAU,EAAEC,aAAa,CAAC;EAClE,MAAMqB,MAAM,GAAG7B,cAAc,CAAC;IAAEW,gBAAgB;IAAEG;EAAS,CAAC,CAAC;EAE7D,MAAMgB,oBAAoB,GAAGtB,aAAa,CAACuB,GAAG,CAAEC,CAAC,IAC/C5B,0BAA0B,CAACG,UAAU,EAAEyB,CAAC,CAC1C,CAAC;EAED,IAAIvB,KAAK,CAACwB,SAAS,KAAK,UAAU,EAAE;IAClC;AACN;AACA;AACA;AACA;AACA;IACMH,oBAAoB,CAACI,IAAI,CAAC;MACxBC,IAAI,EAAE,sBAAsB;MAC5BC,UAAU,EAAE3B,KAAK,CAAC4B,UAAU;MAC5BC,gBAAgB,EAAE,UAAU;MAC5BC,sBAAsB,EAAE1B;IAC1B,CAAC,CAAC;EACJ;EAEA,MAAM2B,gBAAgB,GAAG,MAAMX,MAAM,CACnCL,WAAW,EACXZ,yBAAyB,EACzB;IACEc,GAAG;IACHV,QAAQ;IACRO,YAAY;IACZV,WAAW;IACXe,YAAY;IACZa,oBAAoB,EAAEX;EACxB,CACF,CAAC;EAED,OAAO;IAAEU,gBAAgB;IAAExB,QAAQ;IAAEO,YAAY;IAAEO;EAAqB,CAAC;AAC3E,CAAC"}

package/lib/module/credential/issuance/v1.0.0/03-complete-user-authorization.js

@@ -0,0 +1,182 @@
+import { AuthorizationChallengeResultShape, AuthorizationErrorShape, AuthorizationResultShape } from "../../../utils/auth";
+import { hasStatusOrThrow } from "../../../utils/misc";
+import parseUrl from "parse-url";
+import { IssuerResponseError, ValidationFailed } from "../../../utils/errors";
+import { decode, SignJWT } from "@pagopa/io-react-native-jwt";
+import { ResponseUriResultShape } from "./types";
+import { getJwtFromFormPost } from "../../../utils/decoder";
+import { AuthorizationError, AuthorizationIdpError } from "../common/errors";
+import { LogLevel, Logger } from "../../../utils/logging";
+import { RequestObjectPayload } from "../../presentation/v1.0.0/types";
+import { RemotePresentation as RemotePresentationFlow } from "../../presentation/v1.0.0";
+export const continueUserAuthorizationWithMRTDPoPChallenge = async authRedirectUrl => {
+  Logger.log(LogLevel.DEBUG, `The requested credential is a PersonIdentificationData and requires MRTD PoP, starting MRTD PoP validation from auth redirect`);
+  const query = parseUrl(authRedirectUrl).query;
+  const authResParsed = AuthorizationChallengeResultShape.safeParse(query);
+  if (!authResParsed.success) {
+    const authErr = AuthorizationErrorShape.safeParse(query);
+    if (!authErr.success) {
+      Logger.log(LogLevel.ERROR, `Error while parsing the authorization response: ${authResParsed.error.message}`);
+      throw new AuthorizationError(authResParsed.error.message); // an error occured while parsing the result and the error
+    }
+
+    Logger.log(LogLevel.ERROR, `Error while authorizating with the idp: ${JSON.stringify(authErr)}`);
+    throw new AuthorizationIdpError(authErr.data.error, authErr.data.error_description);
+  }
+  return authResParsed.data;
+};
+export const buildAuthorizationUrl = async (issuerRequestUri, clientId, issuerConf, idpHint) => {
+  const authzRequestEndpoint = issuerConf.authorization_endpoint;
+  const params = new URLSearchParams({
+    client_id: clientId,
+    request_uri: issuerRequestUri
+  });
+  if (idpHint) {
+    params.append("idphint", idpHint);
+  }
+  const authUrl = `${authzRequestEndpoint}?${params}`;
+  return {
+    authUrl
+  };
+};
+export const completeUserAuthorizationWithQueryMode = async authRedirectUrl => {
+  Logger.log(LogLevel.DEBUG, `The requested credential is a PersonIdentificationData, completing the user authorization with query mode`);
+  const query = parseUrl(authRedirectUrl).query;
+  return parseAuthorizationResponse(query);
+};
+export const getRequestedCredentialToBePresented = async function (issuerRequestUri, clientId, issuerConf) {
+  let appFetch = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : fetch;
+  Logger.log(LogLevel.DEBUG, `The requeste credential is not a PersonIdentificationData, requesting the credential to be presented`);
+  const authzRequestEndpoint = issuerConf.authorization_endpoint;
+  const params = new URLSearchParams({
+    client_id: clientId,
+    request_uri: issuerRequestUri
+  });
+  Logger.log(LogLevel.DEBUG, `Requesting the request object to ${authzRequestEndpoint}?${params.toString()}`);
+  const requestObject = await appFetch(`${authzRequestEndpoint}?${params.toString()}`, {
+    method: "GET"
+  }).then(hasStatusOrThrow(200, IssuerResponseError)).then(res => res.text()).then(jws => decode(jws)).then(reqObj => RequestObjectPayload.safeParse(reqObj.payload));
+  if (!requestObject.success) {
+    Logger.log(LogLevel.ERROR, `Error while validating the response object: ${requestObject.error.message}`);
+    throw new ValidationFailed({
+      message: "Request Object validation failed",
+      reason: requestObject.error.message
+    });
+  }
+  return requestObject.data;
+};
+export const completeUserAuthorizationWithFormPostJwtMode = async (requestObject, _issuerConfig, pid, _ref) => {
+  let {
+    wiaCryptoContext,
+    pidKeyTag,
+    appFetch = fetch
+  } = _ref;
+  Logger.log(LogLevel.DEBUG, `The requeste credential is not a PersonIdentificationData, completing the user authorization with form_post.jwt mode`);
+  const dcqlQueryResult = await RemotePresentationFlow.evaluateDcqlQuery(requestObject.dcql_query, [[pidKeyTag, pid]]);
+  const authRequestObject = {
+    nonce: requestObject.nonce,
+    clientId: requestObject.client_id,
+    responseUri: requestObject.response_uri
+  };
+  const remotePresentation = await RemotePresentationFlow.prepareRemotePresentations(dcqlQueryResult, authRequestObject);
+  const authzResponsePayload = await createAuthzResponsePayload({
+    state: requestObject.state,
+    remotePresentation,
+    wiaCryptoContext
+  });
+  Logger.log(LogLevel.DEBUG, `Authz response payload: ${authzResponsePayload}`);
+
+  // Note: according to the spec, the response should be encrypted with the public key of the RP however this is not implemented yet
+  // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-response
+  // const rsaPublicJwk = chooseRSAPublicKeyToEncrypt(rpConf);
+  // const encrypted = await new EncryptJwe(authzResponsePayload, {
+  //   alg: "RSA-OAEP-256",
+  //   enc: "A256CBC-HS512",
+  //   kid: rsaPublicJwk.kid,
+  // }).encrypt(rsaPublicJwk);
+
+  const body = new URLSearchParams({
+    response: authzResponsePayload
+  }).toString();
+  const resUriRes = await appFetch(requestObject.response_uri, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body
+  }).then(hasStatusOrThrow(200, IssuerResponseError)).then(reqUri => reqUri.json());
+  const responseUri = ResponseUriResultShape.safeParse(resUriRes);
+  if (!responseUri.success) {
+    Logger.log(LogLevel.ERROR, `Error while validating the response uri: ${responseUri.error.message}`);
+    throw new ValidationFailed({
+      message: "Response Uri validation failed",
+      reason: responseUri.error.message
+    });
+  }
+  return await appFetch(responseUri.data.redirect_uri).then(hasStatusOrThrow(200, IssuerResponseError)).then(res => res.text()).then(getJwtFromFormPost).then(cbRes => parseAuthorizationResponse(cbRes.decodedJwt.payload));
+};
+
+/**
+ * Parse the authorization response and return the result which contains code, state and iss.
+ * @throws {AuthorizationError} if an error occurs during the parsing process
+ * @throws {AuthorizationIdpError} if an error occurs during the parsing process and the error is related to the IDP
+ * @param authRes the authorization response to be parsed
+ * @returns the authorization result which contains code, state and iss
+ */
+export const parseAuthorizationResponse = authRes => {
+  const authResParsed = AuthorizationResultShape.safeParse(authRes);
+  if (!authResParsed.success) {
+    const authErr = AuthorizationErrorShape.safeParse(authRes);
+    if (!authErr.success) {
+      Logger.log(LogLevel.ERROR, `Error while parsing the authorization response: ${authResParsed.error.message}`);
+      throw new AuthorizationError(authResParsed.error.message); // an error occured while parsing the result and the error
+    }
+
+    Logger.log(LogLevel.ERROR, `Error while authorizating with the idp: ${JSON.stringify(authErr)}`);
+    throw new AuthorizationIdpError(authErr.data.error, authErr.data.error_description);
+  }
+  return authResParsed.data;
+};
+
+/**
+ * Creates the authorization response payload to be sent.
+ * This payload includes the state and the VP tokens for the presented credentials.
+ * The payload is encoded in Base64.
+ * @param state - The state parameter from the request object (optional).
+ * @param remotePresentations - An array of remote presentations containing credential IDs and their corresponding VP tokens.
+ * @returns The Base64 encoded authorization response payload.
+ */
+const createAuthzResponsePayload = async _ref2 => {
+  let {
+    state,
+    remotePresentation,
+    wiaCryptoContext
+  } = _ref2;
+  const {
+    kid
+  } = await wiaCryptoContext.getPublicKey();
+  return new SignJWT(wiaCryptoContext).setProtectedHeader({
+    typ: "jwt",
+    kid
+  }).setPayload({
+    /**
+     * TODO [SIW-2264]: `state` coming from `requestObject` is marked as `optional`
+     * At the moment, it is not entirely clear whether this value can indeed be omitted
+     * and, if so, what the consequences of its absence might be.
+     */
+    ...(state ? {
+      state
+    } : {}),
+    vp_token: remotePresentation.presentations.reduce((vp_token, _ref3) => {
+      let {
+        credentialId,
+        vpToken
+      } = _ref3;
+      return {
+        ...vp_token,
+        [credentialId]: vpToken
+      };
+    }, {})
+  }).setIssuedAt().setExpirationTime("1h").sign();
+};
+//# sourceMappingURL=03-complete-user-authorization.js.map

package/lib/module/credential/issuance/v1.0.0/03-complete-user-authorization.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["AuthorizationChallengeResultShape","AuthorizationErrorShape","AuthorizationResultShape","hasStatusOrThrow","parseUrl","IssuerResponseError","ValidationFailed","decode","SignJWT","ResponseUriResultShape","getJwtFromFormPost","AuthorizationError","AuthorizationIdpError","LogLevel","Logger","RequestObjectPayload","RemotePresentation","RemotePresentationFlow","continueUserAuthorizationWithMRTDPoPChallenge","authRedirectUrl","log","DEBUG","query","authResParsed","safeParse","success","authErr","ERROR","error","message","JSON","stringify","data","error_description","buildAuthorizationUrl","issuerRequestUri","clientId","issuerConf","idpHint","authzRequestEndpoint","authorization_endpoint","params","URLSearchParams","client_id","request_uri","append","authUrl","completeUserAuthorizationWithQueryMode","parseAuthorizationResponse","getRequestedCredentialToBePresented","appFetch","arguments","length","undefined","fetch","toString","requestObject","method","then","res","text","jws","reqObj","payload","reason","completeUserAuthorizationWithFormPostJwtMode","_issuerConfig","pid","_ref","wiaCryptoContext","pidKeyTag","dcqlQueryResult","evaluateDcqlQuery","dcql_query","authRequestObject","nonce","responseUri","response_uri","remotePresentation","prepareRemotePresentations","authzResponsePayload","createAuthzResponsePayload","state","body","response","resUriRes","headers","reqUri","json","redirect_uri","cbRes","decodedJwt","authRes","_ref2","kid","getPublicKey","setProtectedHeader","typ","setPayload","vp_token","presentations","reduce","_ref3","credentialId","vpToken","setIssuedAt","setExpirationTime","sign"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.0.0/03-complete-user-authorization.ts"],"mappings":"AAAA,SACEA,iCAAiC,EACjCC,uBAAuB,EACvBC,wBAAwB,QAEnB,qBAAqB;AAC5B,SAASC,gBAAgB,QAAQ,qBAAqB;AACtD,OAAOC,QAAQ,MAAM,WAAW;AAEhC,SAASC,mBAAmB,EAAEC,gBAAgB,QAAQ,uBAAuB;AAC7E,SACEC,MAAM,EACNC,OAAO,QAEF,6BAA6B;AACpC,SAASC,sBAAsB,QAAQ,SAAS;AAChD,SAASC,kBAAkB,QAAQ,wBAAwB;AAC3D,SAASC,kBAAkB,EAAEC,qBAAqB,QAAQ,kBAAkB;AAC5E,SAASC,QAAQ,EAAEC,MAAM,QAAQ,wBAAwB;AACzD,SAASC,oBAAoB,QAAQ,iCAAiC;AACtE,SAASC,kBAAkB,IAAIC,sBAAsB,QAAQ,2BAA2B;AAIxF,OAAO,MAAMC,6CAA2G,GACtH,MAAOC,eAAe,IAAK;EACzBL,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACQ,KAAK,EACb,+HACH,CAAC;EACD,MAAMC,KAAK,GAAGlB,QAAQ,CAACe,eAAe,CAAC,CAACG,KAAK;EAE7C,MAAMC,aAAa,GAAGvB,iCAAiC,CAACwB,SAAS,CAACF,KAAK,CAAC;EACxE,IAAI,CAACC,aAAa,CAACE,OAAO,EAAE;IAC1B,MAAMC,OAAO,GAAGzB,uBAAuB,CAACuB,SAAS,CAACF,KAAK,CAAC;IACxD,IAAI,CAACI,OAAO,CAACD,OAAO,EAAE;MACpBX,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACc,KAAK,EACb,mDAAkDJ,aAAa,CAACK,KAAK,CAACC,OAAQ,EACjF,CAAC;MACD,MAAM,IAAIlB,kBAAkB,CAACY,aAAa,CAACK,KAAK,CAACC,OAAO,CAAC,CAAC,CAAC;IAC7D;;IACAf,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACc,KAAK,EACb,2CAA0CG,IAAI,CAACC,SAAS,CAACL,OAAO,CAAE,EACrE,CAAC;IACD,MAAM,IAAId,qBAAqB,CAC7Bc,OAAO,CAACM,IAAI,CAACJ,KAAK,EAClBF,OAAO,CAACM,IAAI,CAACC,iBACf,CAAC;EACH;EACA,OAAOV,aAAa,CAACS,IAAI;AAC3B,CAAC;AAEH,OAAO,MAAME,qBAA2D,GACtE,MAAAA,CAAOC,gBAAgB,EAAEC,QAAQ,EAAEC,UAAU,EAAEC,OAAO,KAAK;EACzD,MAAMC,oBAAoB,GAAGF,UAAU,CAACG,sBAAsB;EAE9D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAEP,QAAQ;IACnBQ,WAAW,EAAET;EACf,CAAC,CAAC;EAEF,IAAIG,OAAO,EAAE;IACXG,MAAM,CAACI,MAAM,CAAC,SAAS,EAAEP,OAAO,CAAC;EACnC;EAEA,MAAMQ,OAAO,GAAI,GAAEP,oBAAqB,IAAGE,MAAO,EAAC;EAEnD,OAAO;IAAEK;EAAQ,CAAC;AACpB,CAAC;AAEH,OAAO,MAAMC,sCAA6F,GACxG,MAAO5B,eAAe,IAAK;EACzBL,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACQ,KAAK,EACb,2GACH,CAAC;EACD,MAAMC,KAAK,GAAGlB,QAAQ,CAACe,eAAe,CAAC,CAACG,KAAK;EAE7C,OAAO0B,0BAA0B,CAAC1B,KAAK,CAAC;AAC1C,CAAC;AAEH,OAAO,MAAM2B,mCAAuF,GAClG,eAAAA,CAAOd,gBAAgB,EAAEC,QAAQ,EAAEC,UAAU,EAAuB;EAAA,IAArBa,QAAQ,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAGG,KAAK;EAC7DxC,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACQ,KAAK,EACb,sGACH,CAAC;EACD,MAAMkB,oBAAoB,GAAGF,UAAU,CAACG,sBAAsB;EAC9D,MAAMC,MAAM,GAAG,IAAIC,eAAe,CAAC;IACjCC,SAAS,EAAEP,QAAQ;IACnBQ,WAAW,EAAET;EACf,CAAC,CAAC;EAEFrB,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACQ,KAAK,EACb,oCAAmCkB,oBAAqB,IAAGE,MAAM,CAACc,QAAQ,CAAC,CAAE,EAChF,CAAC;EAED,MAAMC,aAAa,GAAG,MAAMN,QAAQ,CACjC,GAAEX,oBAAqB,IAAGE,MAAM,CAACc,QAAQ,CAAC,CAAE,EAAC,EAC9C;IAAEE,MAAM,EAAE;EAAM,CAClB,CAAC,CACEC,IAAI,CAACvD,gBAAgB,CAAC,GAAG,EAAEE,mBAAmB,CAAC,CAAC,CAChDqD,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEG,GAAG,IAAKtD,MAAM,CAACsD,GAAG,CAAC,CAAC,CAC1BH,IAAI,CAAEI,MAAM,IAAK/C,oBAAoB,CAACS,SAAS,CAACsC,MAAM,CAACC,OAAO,CAAC,CAAC;EAEnE,IAAI,CAACP,aAAa,CAAC/B,OAAO,EAAE;IAC1BX,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACc,KAAK,EACb,+CAA8C6B,aAAa,CAAC5B,KAAK,CAACC,OAAQ,EAC7E,CAAC;IACD,MAAM,IAAIvB,gBAAgB,CAAC;MACzBuB,OAAO,EAAE,kCAAkC;MAC3CmC,MAAM,EAAER,aAAa,CAAC5B,KAAK,CAACC;IAC9B,CAAC,CAAC;EACJ;EACA,OAAO2B,aAAa,CAACxB,IAAI;AAC3B,CAAC;AAEH,OAAO,MAAMiC,4CAAyG,GACpH,MAAAA,CACET,aAAa,EACbU,aAAa,EACbC,GAAG,EAAAC,IAAA,KAEA;EAAA,IADH;IAAEC,gBAAgB;IAAEC,SAAS;IAAEpB,QAAQ,GAAGI;EAAM,CAAC,GAAAc,IAAA;EAEjDtD,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACQ,KAAK,EACb,sHACH,CAAC;EAED,MAAMkD,eAAe,GAAG,MAAMtD,sBAAsB,CAACuD,iBAAiB,CACpEhB,aAAa,CAACiB,UAAU,EACxB,CAAC,CAACH,SAAS,EAAEH,GAAG,CAAC,CACnB,CAAC;EAED,MAAMO,iBAAiB,GAAG;IACxBC,KAAK,EAAEnB,aAAa,CAACmB,KAAK;IAC1BvC,QAAQ,EAAEoB,aAAa,CAACb,SAAS;IACjCiC,WAAW,EAAEpB,aAAa,CAACqB;EAC7B,CAAC;EAED,MAAMC,kBAAkB,GACtB,MAAM7D,sBAAsB,CAAC8D,0BAA0B,CACrDR,eAAe,EACfG,iBACF,CAAC;EAEH,MAAMM,oBAAoB,GAAG,MAAMC,0BAA0B,CAAC;IAC5DC,KAAK,EAAE1B,aAAa,CAAC0B,KAAK;IAC1BJ,kBAAkB;IAClBT;EACF,CAAC,CAAC;EAEFvD,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACQ,KAAK,EACb,2BAA0B2D,oBAAqB,EAClD,CAAC;;EAED;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;EAEA,MAAMG,IAAI,GAAG,IAAIzC,eAAe,CAAC;IAC/B0C,QAAQ,EAAEJ;EACZ,CAAC,CAAC,CAACzB,QAAQ,CAAC,CAAC;EAEb,MAAM8B,SAAS,GAAG,MAAMnC,QAAQ,CAACM,aAAa,CAACqB,YAAY,EAAE;IAC3DpB,MAAM,EAAE,MAAM;IACd6B,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDH;EACF,CAAC,CAAC,CACCzB,IAAI,CAACvD,gBAAgB,CAAC,GAAG,EAAEE,mBAAmB,CAAC,CAAC,CAChDqD,IAAI,CAAE6B,MAAM,IAAKA,MAAM,CAACC,IAAI,CAAC,CAAC,CAAC;EAElC,MAAMZ,WAAW,GAAGnE,sBAAsB,CAACe,SAAS,CAAC6D,SAAS,CAAC;EAC/D,IAAI,CAACT,WAAW,CAACnD,OAAO,EAAE;IACxBX,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACc,KAAK,EACb,4CAA2CiD,WAAW,CAAChD,KAAK,CAACC,OAAQ,EACxE,CAAC;IACD,MAAM,IAAIvB,gBAAgB,CAAC;MACzBuB,OAAO,EAAE,gCAAgC;MACzCmC,MAAM,EAAEY,WAAW,CAAChD,KAAK,CAACC;IAC5B,CAAC,CAAC;EACJ;EAEA,OAAO,MAAMqB,QAAQ,CAAC0B,WAAW,CAAC5C,IAAI,CAACyD,YAAY,CAAC,CACjD/B,IAAI,CAACvD,gBAAgB,CAAC,GAAG,EAAEE,mBAAmB,CAAC,CAAC,CAChDqD,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAChD,kBAAkB,CAAC,CACxBgD,IAAI,CAAEgC,KAAK,IAAK1C,0BAA0B,CAAC0C,KAAK,CAACC,UAAU,CAAC5B,OAAO,CAAC,CAAC;AAC1E,CAAC;;AAEH;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMf,0BAA0B,GACrC4C,OAAgB,IACQ;EACxB,MAAMrE,aAAa,GAAGrB,wBAAwB,CAACsB,SAAS,CAACoE,OAAO,CAAC;EACjE,IAAI,CAACrE,aAAa,CAACE,OAAO,EAAE;IAC1B,MAAMC,OAAO,GAAGzB,uBAAuB,CAACuB,SAAS,CAACoE,OAAO,CAAC;IAC1D,IAAI,CAAClE,OAAO,CAACD,OAAO,EAAE;MACpBX,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACc,KAAK,EACb,mDAAkDJ,aAAa,CAACK,KAAK,CAACC,OAAQ,EACjF,CAAC;MACD,MAAM,IAAIlB,kBAAkB,CAACY,aAAa,CAACK,KAAK,CAACC,OAAO,CAAC,CAAC,CAAC;IAC7D;;IACAf,MAAM,CAACM,GAAG,CACRP,QAAQ,CAACc,KAAK,EACb,2CAA0CG,IAAI,CAACC,SAAS,CAACL,OAAO,CAAE,EACrE,CAAC;IACD,MAAM,IAAId,qBAAqB,CAC7Bc,OAAO,CAACM,IAAI,CAACJ,KAAK,EAClBF,OAAO,CAACM,IAAI,CAACC,iBACf,CAAC;EACH;EACA,OAAOV,aAAa,CAACS,IAAI;AAC3B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMiD,0BAA0B,GAAG,MAAAY,KAAA,IAQZ;EAAA,IARmB;IACxCX,KAAK;IACLJ,kBAAkB;IAClBT;EAKF,CAAC,GAAAwB,KAAA;EACC,MAAM;IAAEC;EAAI,CAAC,GAAG,MAAMzB,gBAAgB,CAAC0B,YAAY,CAAC,CAAC;EAErD,OAAO,IAAIvF,OAAO,CAAC6D,gBAAgB,CAAC,CACjC2B,kBAAkB,CAAC;IAClBC,GAAG,EAAE,KAAK;IACVH;EACF,CAAC,CAAC,CACDI,UAAU,CAAC;IACV;AACN;AACA;AACA;AACA;IACM,IAAIhB,KAAK,GAAG;MAAEA;IAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3BiB,QAAQ,EAAErB,kBAAkB,CAACsB,aAAa,CAACC,MAAM,CAC/C,CAACF,QAAQ,EAAAG,KAAA;MAAA,IAAE;QAAEC,YAAY;QAAEC;MAAQ,CAAC,GAAAF,KAAA;MAAA,OAAM;QACxC,GAAGH,QAAQ;QACX,CAACI,YAAY,GAAGC;MAClB,CAAC;IAAA,CAAC,EACF,CAAC,CACH;EACF,CAAC,CAAC,CACDC,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,IAAI,CAAC,CACvBC,IAAI,CAAC,CAAC;AACX,CAAC"}

package/lib/module/credential/issuance/v1.0.0/04-authorize-access.js

@@ -0,0 +1,60 @@
+import { v4 as uuidv4 } from "uuid";
+import { hasStatusOrThrow } from "../../../utils/misc";
+import { createDPopToken } from "../../../utils/dpop";
+import { createPopToken } from "../../../utils/pop";
+import { TokenResponse } from "./types";
+import { IssuerResponseError, ValidationFailed } from "../../../utils/errors";
+import { LogLevel, Logger } from "../../../utils/logging";
+import * as WalletInstanceAttestation from "../../../wallet-instance-attestation/v1.0.0/utils";
+export const authorizeAccess = async (issuerConf, code, redirectUri, codeVerifier, context) => {
+  const {
+    appFetch = fetch,
+    walletInstanceAttestation,
+    wiaCryptoContext,
+    dPopCryptoContext
+  } = context;
+  const aud = issuerConf.credential_issuer;
+  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation).payload.cnf.jwk.kid;
+  const tokenUrl = issuerConf.token_endpoint;
+  const tokenRequestSignedDPop = await createDPopToken({
+    htm: "POST",
+    htu: tokenUrl,
+    jti: `${uuidv4()}`
+  }, dPopCryptoContext);
+  Logger.log(LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
+  const signedWiaPoP = await createPopToken({
+    jti: `${uuidv4()}`,
+    aud,
+    iss
+  }, wiaCryptoContext);
+  Logger.log(LogLevel.DEBUG, `WIA DPoP token: ${signedWiaPoP}`);
+  const requestBody = {
+    grant_type: "authorization_code",
+    code,
+    code_verifier: codeVerifier,
+    redirect_uri: redirectUri
+  };
+  const authorizationRequestFormBody = new URLSearchParams(requestBody);
+  Logger.log(LogLevel.DEBUG, `Auth form request body: ${authorizationRequestFormBody}`);
+  const tokenRes = await appFetch(tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      DPoP: tokenRequestSignedDPop,
+      "OAuth-Client-Attestation": walletInstanceAttestation,
+      "OAuth-Client-Attestation-PoP": signedWiaPoP
+    },
+    body: authorizationRequestFormBody.toString()
+  }).then(hasStatusOrThrow(200, IssuerResponseError)).then(res => res.json()).then(body => TokenResponse.safeParse(body));
+  if (!tokenRes.success) {
+    Logger.log(LogLevel.ERROR, `Token Response validation failed: ${tokenRes.error.message}`);
+    throw new ValidationFailed({
+      message: "Token Response validation failed",
+      reason: tokenRes.error.message
+    });
+  }
+  return {
+    accessToken: tokenRes.data
+  };
+};
+//# sourceMappingURL=04-authorize-access.js.map

package/lib/module/credential/issuance/v1.0.0/04-authorize-access.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["v4","uuidv4","hasStatusOrThrow","createDPopToken","createPopToken","TokenResponse","IssuerResponseError","ValidationFailed","LogLevel","Logger","WalletInstanceAttestation","authorizeAccess","issuerConf","code","redirectUri","codeVerifier","context","appFetch","fetch","walletInstanceAttestation","wiaCryptoContext","dPopCryptoContext","aud","credential_issuer","iss","decode","payload","cnf","jwk","kid","tokenUrl","token_endpoint","tokenRequestSignedDPop","htm","htu","jti","log","DEBUG","signedWiaPoP","requestBody","grant_type","code_verifier","redirect_uri","authorizationRequestFormBody","URLSearchParams","tokenRes","method","headers","DPoP","body","toString","then","res","json","safeParse","success","ERROR","error","message","reason","accessToken","data"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.0.0/04-authorize-access.ts"],"mappings":"AAAA,SAASA,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,gBAAgB,QAAQ,qBAAqB;AACtD,SAASC,eAAe,QAAQ,qBAAqB;AACrD,SAASC,cAAc,QAAQ,oBAAoB;AACnD,SAASC,aAAa,QAAQ,SAAS;AACvC,SAASC,mBAAmB,EAAEC,gBAAgB,QAAQ,uBAAuB;AAC7E,SAASC,QAAQ,EAAEC,MAAM,QAAQ,wBAAwB;AAEzD,OAAO,KAAKC,yBAAyB,MAAM,mDAAmD;AAE9F,OAAO,MAAMC,eAA+C,GAAG,MAAAA,CAC7DC,UAAU,EACVC,IAAI,EACJC,WAAW,EACXC,YAAY,EACZC,OAAO,KACJ;EACH,MAAM;IACJC,QAAQ,GAAGC,KAAK;IAChBC,yBAAyB;IACzBC,gBAAgB;IAChBC;EACF,CAAC,GAAGL,OAAO;EACX,MAAMM,GAAG,GAAGV,UAAU,CAACW,iBAAiB;EACxC,MAAMC,GAAG,GAAGd,yBAAyB,CAACe,MAAM,CAACN,yBAAyB,CAAC,CACpEO,OAAO,CAACC,GAAG,CAACC,GAAG,CAACC,GAAG;EAEtB,MAAMC,QAAQ,GAAGlB,UAAU,CAACmB,cAAc;EAE1C,MAAMC,sBAAsB,GAAG,MAAM7B,eAAe,CAClD;IACE8B,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEJ,QAAQ;IACbK,GAAG,EAAG,GAAElC,MAAM,CAAC,CAAE;EACnB,CAAC,EACDoB,iBACF,CAAC;EAEDZ,MAAM,CAAC2B,GAAG,CAAC5B,QAAQ,CAAC6B,KAAK,EAAG,uBAAsBL,sBAAuB,EAAC,CAAC;EAE3E,MAAMM,YAAY,GAAG,MAAMlC,cAAc,CACvC;IACE+B,GAAG,EAAG,GAAElC,MAAM,CAAC,CAAE,EAAC;IAClBqB,GAAG;IACHE;EACF,CAAC,EACDJ,gBACF,CAAC;EAEDX,MAAM,CAAC2B,GAAG,CAAC5B,QAAQ,CAAC6B,KAAK,EAAG,mBAAkBC,YAAa,EAAC,CAAC;EAE7D,MAAMC,WAAW,GAAG;IAClBC,UAAU,EAAE,oBAAoB;IAChC3B,IAAI;IACJ4B,aAAa,EAAE1B,YAAY;IAC3B2B,YAAY,EAAE5B;EAChB,CAAC;EAED,MAAM6B,4BAA4B,GAAG,IAAIC,eAAe,CAACL,WAAW,CAAC;EAErE9B,MAAM,CAAC2B,GAAG,CACR5B,QAAQ,CAAC6B,KAAK,EACb,2BAA0BM,4BAA6B,EAC1D,CAAC;EAED,MAAME,QAAQ,GAAG,MAAM5B,QAAQ,CAACa,QAAQ,EAAE;IACxCgB,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,mCAAmC;MACnDC,IAAI,EAAEhB,sBAAsB;MAC5B,0BAA0B,EAAEb,yBAAyB;MACrD,8BAA8B,EAAEmB;IAClC,CAAC;IACDW,IAAI,EAAEN,4BAA4B,CAACO,QAAQ,CAAC;EAC9C,CAAC,CAAC,CACCC,IAAI,CAACjD,gBAAgB,CAAC,GAAG,EAAEI,mBAAmB,CAAC,CAAC,CAChD6C,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEF,IAAI,IAAK5C,aAAa,CAACiD,SAAS,CAACL,IAAI,CAAC,CAAC;EAEhD,IAAI,CAACJ,QAAQ,CAACU,OAAO,EAAE;IACrB9C,MAAM,CAAC2B,GAAG,CACR5B,QAAQ,CAACgD,KAAK,EACb,qCAAoCX,QAAQ,CAACY,KAAK,CAACC,OAAQ,EAC9D,CAAC;IAED,MAAM,IAAInD,gBAAgB,CAAC;MACzBmD,OAAO,EAAE,kCAAkC;MAC3CC,MAAM,EAAEd,QAAQ,CAACY,KAAK,CAACC;IACzB,CAAC,CAAC;EACJ;EAEA,OAAO;IAAEE,WAAW,EAAEf,QAAQ,CAACgB;EAAK,CAAC;AACvC,CAAC"}

package/lib/module/credential/issuance/v1.0.0/05-obtain-credential.js

@@ -0,0 +1,140 @@
+import { sha256ToBase64, SignJWT } from "@pagopa/io-react-native-jwt";
+import { v4 as uuidv4 } from "uuid";
+import { hasStatusOrThrow } from "../../../utils/misc";
+import { IssuerResponseError, IssuerResponseErrorCodes, ResponseErrorBuilder, UnexpectedStatusCodeError, ValidationFailed } from "../../../utils/errors";
+import { createDPopToken } from "../../../utils/dpop";
+import { LogLevel, Logger } from "../../../utils/logging";
+import { CredentialResponse, NonceResponse } from "./types";
+export const createNonceProof = async (nonce, issuer, audience, ctx) => {
+  const jwk = await ctx.getPublicKey();
+  return new SignJWT(ctx).setPayload({
+    nonce
+  }).setProtectedHeader({
+    typ: "openid4vci-proof+jwt",
+    jwk
+  }).setAudience(audience).setIssuer(issuer).setIssuedAt().setExpirationTime("5min").sign();
+};
+export const obtainCredential = async (issuerConf, accessToken, clientId, credentialDefinition, context) => {
+  const {
+    credentialCryptoContext,
+    appFetch = fetch,
+    dPopCryptoContext
+  } = context;
+  const {
+    credential_configuration_id,
+    credential_identifier
+  } = credentialDefinition;
+  const credentialUrl = issuerConf.credential_endpoint;
+  const issuerUrl = issuerConf.credential_issuer;
+  const nonceUrl = issuerConf.nonce_endpoint;
+
+  // Fetch the nonce from the Credential Issuer
+  const {
+    c_nonce
+  } = await appFetch(nonceUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    }
+  }).then(hasStatusOrThrow(200)).then(res => res.json()).then(body => NonceResponse.parse(body));
+
+  /**
+   * JWT proof token to bind the request nonce to the key that will bind the holder User with the Credential
+   * This is presented along with the access token to the Credential Endpoint as proof of possession of the private key used to sign the Access Token.
+   * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-proof-types
+   */
+  const signedNonceProof = await createNonceProof(c_nonce, clientId, issuerUrl, credentialCryptoContext);
+  Logger.log(LogLevel.DEBUG, `Signed nonce proof: ${signedNonceProof}`);
+
+  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
+  const containsCredentialDefinition = accessToken.authorization_details.some(c => c.credential_configuration_id === credential_configuration_id && (credential_identifier ? c.credential_identifiers.includes(credential_identifier) : true));
+  if (!containsCredentialDefinition) {
+    Logger.log(LogLevel.ERROR, `Credential definition not found in the access token response ${accessToken.authorization_details}`);
+    throw new ValidationFailed({
+      message: "The access token response does not contain the requested credential"
+    });
+  }
+
+  /**
+   * The credential request body.
+   * We accept both `credential_identifier` (recommended) and `credential_configuration_id`
+   * when the Authorization Server does not support `credential_identifier`.
+   * @see https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html#section-3.3.4
+   */
+  const credentialRequestFormBody = credential_identifier ? {
+    credential_identifier: credential_identifier,
+    proof: {
+      jwt: signedNonceProof,
+      proof_type: "jwt"
+    }
+  } : {
+    credential_configuration_id: credential_configuration_id,
+    proof: {
+      jwt: signedNonceProof,
+      proof_type: "jwt"
+    }
+  };
+  Logger.log(LogLevel.DEBUG, `Credential request body: ${JSON.stringify(credentialRequestFormBody)}`);
+  const tokenRequestSignedDPop = await createDPopToken({
+    htm: "POST",
+    htu: credentialUrl,
+    jti: `${uuidv4()}`,
+    ath: await sha256ToBase64(accessToken.access_token)
+  }, dPopCryptoContext);
+  Logger.log(LogLevel.DEBUG, `Token request DPoP: ${tokenRequestSignedDPop}`);
+  const credentialRes = await appFetch(credentialUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      DPoP: tokenRequestSignedDPop,
+      Authorization: `${accessToken.token_type} ${accessToken.access_token}`
+    },
+    body: JSON.stringify(credentialRequestFormBody)
+  }).then(hasStatusOrThrow(200)).then(res => res.json()).then(body => CredentialResponse.safeParse(body)).catch(handleObtainCredentialError);
+  if (!credentialRes.success) {
+    Logger.log(LogLevel.ERROR, `Credential Response validation failed: ${credentialRes.error.message}`);
+    throw new ValidationFailed({
+      message: "Credential Response validation failed",
+      reason: credentialRes.error.message
+    });
+  }
+  Logger.log(LogLevel.DEBUG, `Credential Response: ${JSON.stringify(credentialRes.data)}`);
+
+  // Extract the format corresponding to the credential_configuration_id used
+  const issuerCredentialConfig = issuerConf.credential_configurations_supported[credential_configuration_id];
+
+  // TODO: [SIW-2264] Handle multiple credentials
+  return {
+    credential: credentialRes.data.credentials.at(0).credential,
+    format: issuerCredentialConfig.format
+  };
+};
+
+/**
+ * Handle the credential error by mapping it to a custom exception.
+ * If the error is not an instance of {@link UnexpectedStatusCodeError}, it is thrown as is.
+ * @param e - The error to be handled
+ * @throws {IssuerResponseError} with a specific code for more context
+ */
+const handleObtainCredentialError = e => {
+  Logger.log(LogLevel.ERROR, `Error occurred while obtaining credential: ${e}`);
+  if (!(e instanceof UnexpectedStatusCodeError)) {
+    throw e;
+  }
+  throw new ResponseErrorBuilder(IssuerResponseError).handle(201, {
+    // Although it is technically not an error, we handle it as such to avoid
+    // changing the return type of `obtainCredential` and introduce a breaking change.
+    code: IssuerResponseErrorCodes.CredentialIssuingNotSynchronous,
+    message: "This credential cannot be issued synchronously. It will be available at a later time."
+  }).handle(403, {
+    code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+    message: "Invalid status found for the given credential"
+  }).handle(404, {
+    code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+    message: "Invalid status found for the given credential"
+  }).handle("*", {
+    code: IssuerResponseErrorCodes.CredentialRequestFailed,
+    message: "Unable to obtain the requested credential"
+  }).buildFrom(e);
+};
+//# sourceMappingURL=05-obtain-credential.js.map

package/lib/module/credential/issuance/v1.0.0/05-obtain-credential.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["sha256ToBase64","SignJWT","v4","uuidv4","hasStatusOrThrow","IssuerResponseError","IssuerResponseErrorCodes","ResponseErrorBuilder","UnexpectedStatusCodeError","ValidationFailed","createDPopToken","LogLevel","Logger","CredentialResponse","NonceResponse","createNonceProof","nonce","issuer","audience","ctx","jwk","getPublicKey","setPayload","setProtectedHeader","typ","setAudience","setIssuer","setIssuedAt","setExpirationTime","sign","obtainCredential","issuerConf","accessToken","clientId","credentialDefinition","context","credentialCryptoContext","appFetch","fetch","dPopCryptoContext","credential_configuration_id","credential_identifier","credentialUrl","credential_endpoint","issuerUrl","credential_issuer","nonceUrl","nonce_endpoint","c_nonce","method","headers","then","res","json","body","parse","signedNonceProof","log","DEBUG","containsCredentialDefinition","authorization_details","some","c","credential_identifiers","includes","ERROR","message","credentialRequestFormBody","proof","jwt","proof_type","JSON","stringify","tokenRequestSignedDPop","htm","htu","jti","ath","access_token","credentialRes","DPoP","Authorization","token_type","safeParse","catch","handleObtainCredentialError","success","error","reason","data","issuerCredentialConfig","credential_configurations_supported","credential","credentials","at","format","e","handle","code","CredentialIssuingNotSynchronous","CredentialInvalidStatus","CredentialRequestFailed","buildFrom"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.0.0/05-obtain-credential.ts"],"mappings":"AAAA,SAEEA,cAAc,EACdC,OAAO,QACF,6BAA6B;AACpC,SAASC,EAAE,IAAIC,MAAM,QAAQ,MAAM;AACnC,SAASC,gBAAgB,QAAQ,qBAAqB;AACtD,SACEC,mBAAmB,EACnBC,wBAAwB,EACxBC,oBAAoB,EACpBC,yBAAyB,EACzBC,gBAAgB,QACX,uBAAuB;AAC9B,SAASC,eAAe,QAAQ,qBAAqB;AACrD,SAASC,QAAQ,EAAEC,MAAM,QAAQ,wBAAwB;AAEzD,SAASC,kBAAkB,EAAEC,aAAa,QAAQ,SAAS;AAE3D,OAAO,MAAMC,gBAAgB,GAAG,MAAAA,CAC9BC,KAAa,EACbC,MAAc,EACdC,QAAgB,EAChBC,GAAkB,KACE;EACpB,MAAMC,GAAG,GAAG,MAAMD,GAAG,CAACE,YAAY,CAAC,CAAC;EACpC,OAAO,IAAIpB,OAAO,CAACkB,GAAG,CAAC,CACpBG,UAAU,CAAC;IACVN;EACF,CAAC,CAAC,CACDO,kBAAkB,CAAC;IAClBC,GAAG,EAAE,sBAAsB;IAC3BJ;EACF,CAAC,CAAC,CACDK,WAAW,CAACP,QAAQ,CAAC,CACrBQ,SAAS,CAACT,MAAM,CAAC,CACjBU,WAAW,CAAC,CAAC,CACbC,iBAAiB,CAAC,MAAM,CAAC,CACzBC,IAAI,CAAC,CAAC;AACX,CAAC;AAED,OAAO,MAAMC,gBAAiD,GAAG,MAAAA,CAC/DC,UAAU,EACVC,WAAW,EACXC,QAAQ,EACRC,oBAAoB,EACpBC,OAAO,KACJ;EACH,MAAM;IACJC,uBAAuB;IACvBC,QAAQ,GAAGC,KAAK;IAChBC;EACF,CAAC,GAAGJ,OAAO;EACX,MAAM;IAAEK,2BAA2B;IAAEC;EAAsB,CAAC,GAC1DP,oBAAoB;EAEtB,MAAMQ,aAAa,GAAGX,UAAU,CAACY,mBAAmB;EACpD,MAAMC,SAAS,GAAGb,UAAU,CAACc,iBAAiB;EAC9C,MAAMC,QAAQ,GAAGf,UAAU,CAACgB,cAAc;;EAE1C;EACA,MAAM;IAAEC;EAAQ,CAAC,GAAG,MAAMX,QAAQ,CAACS,QAAQ,EAAE;IAC3CG,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MAAE,cAAc,EAAE;IAAmB;EAChD,CAAC,CAAC,CACCC,IAAI,CAAC/C,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3B+C,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEG,IAAI,IAAKxC,aAAa,CAACyC,KAAK,CAACD,IAAI,CAAC,CAAC;;EAE5C;AACF;AACA;AACA;AACA;EACE,MAAME,gBAAgB,GAAG,MAAMzC,gBAAgB,CAC7CiC,OAAO,EACPf,QAAQ,EACRW,SAAS,EACTR,uBACF,CAAC;EAEDxB,MAAM,CAAC6C,GAAG,CAAC9C,QAAQ,CAAC+C,KAAK,EAAG,uBAAsBF,gBAAiB,EAAC,CAAC;;EAErE;EACA,MAAMG,4BAA4B,GAAG3B,WAAW,CAAC4B,qBAAqB,CAACC,IAAI,CACxEC,CAAC,IACAA,CAAC,CAACtB,2BAA2B,KAAKA,2BAA2B,KAC5DC,qBAAqB,GAClBqB,CAAC,CAACC,sBAAsB,CAACC,QAAQ,CAACvB,qBAAqB,CAAC,GACxD,IAAI,CACZ,CAAC;EAED,IAAI,CAACkB,4BAA4B,EAAE;IACjC/C,MAAM,CAAC6C,GAAG,CACR9C,QAAQ,CAACsD,KAAK,EACb,gEAA+DjC,WAAW,CAAC4B,qBAAsB,EACpG,CAAC;IACD,MAAM,IAAInD,gBAAgB,CAAC;MACzByD,OAAO,EACL;IACJ,CAAC,CAAC;EACJ;;EAEA;AACF;AACA;AACA;AACA;AACA;EACE,MAAMC,yBAAyB,GAAG1B,qBAAqB,GACnD;IACEA,qBAAqB,EAAEA,qBAAqB;IAC5C2B,KAAK,EAAE;MAAEC,GAAG,EAAEb,gBAAgB;MAAEc,UAAU,EAAE;IAAM;EACpD,CAAC,GACD;IACE9B,2BAA2B,EAAEA,2BAA2B;IACxD4B,KAAK,EAAE;MAAEC,GAAG,EAAEb,gBAAgB;MAAEc,UAAU,EAAE;IAAM;EACpD,CAAC;EAEL1D,MAAM,CAAC6C,GAAG,CACR9C,QAAQ,CAAC+C,KAAK,EACb,4BAA2Ba,IAAI,CAACC,SAAS,CAACL,yBAAyB,CAAE,EACxE,CAAC;EAED,MAAMM,sBAAsB,GAAG,MAAM/D,eAAe,CAClD;IACEgE,GAAG,EAAE,MAAM;IACXC,GAAG,EAAEjC,aAAa;IAClBkC,GAAG,EAAG,GAAEzE,MAAM,CAAC,CAAE,EAAC;IAClB0E,GAAG,EAAE,MAAM7E,cAAc,CAACgC,WAAW,CAAC8C,YAAY;EACpD,CAAC,EACDvC,iBACF,CAAC;EAED3B,MAAM,CAAC6C,GAAG,CAAC9C,QAAQ,CAAC+C,KAAK,EAAG,uBAAsBe,sBAAuB,EAAC,CAAC;EAE3E,MAAMM,aAAa,GAAG,MAAM1C,QAAQ,CAACK,aAAa,EAAE;IAClDO,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE,kBAAkB;MAClC8B,IAAI,EAAEP,sBAAsB;MAC5BQ,aAAa,EAAG,GAAEjD,WAAW,CAACkD,UAAW,IAAGlD,WAAW,CAAC8C,YAAa;IACvE,CAAC;IACDxB,IAAI,EAAEiB,IAAI,CAACC,SAAS,CAACL,yBAAyB;EAChD,CAAC,CAAC,CACChB,IAAI,CAAC/C,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3B+C,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEG,IAAI,IAAKzC,kBAAkB,CAACsE,SAAS,CAAC7B,IAAI,CAAC,CAAC,CAClD8B,KAAK,CAACC,2BAA2B,CAAC;EAErC,IAAI,CAACN,aAAa,CAACO,OAAO,EAAE;IAC1B1E,MAAM,CAAC6C,GAAG,CACR9C,QAAQ,CAACsD,KAAK,EACb,0CAAyCc,aAAa,CAACQ,KAAK,CAACrB,OAAQ,EACxE,CAAC;IACD,MAAM,IAAIzD,gBAAgB,CAAC;MACzByD,OAAO,EAAE,uCAAuC;MAChDsB,MAAM,EAAET,aAAa,CAACQ,KAAK,CAACrB;IAC9B,CAAC,CAAC;EACJ;EAEAtD,MAAM,CAAC6C,GAAG,CACR9C,QAAQ,CAAC+C,KAAK,EACb,wBAAuBa,IAAI,CAACC,SAAS,CAACO,aAAa,CAACU,IAAI,CAAE,EAC7D,CAAC;;EAED;EACA,MAAMC,sBAAsB,GAC1B3D,UAAU,CAAC4D,mCAAmC,CAACnD,2BAA2B,CAAC;;EAE7E;EACA,OAAO;IACLoD,UAAU,EAAEb,aAAa,CAACU,IAAI,CAACI,WAAW,CAACC,EAAE,CAAC,CAAC,CAAC,CAAEF,UAAU;IAC5DG,MAAM,EAAEL,sBAAsB,CAAEK;EAClC,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMV,2BAA2B,GAAIW,CAAU,IAAK;EAClDpF,MAAM,CAAC6C,GAAG,CAAC9C,QAAQ,CAACsD,KAAK,EAAG,8CAA6C+B,CAAE,EAAC,CAAC;EAE7E,IAAI,EAAEA,CAAC,YAAYxF,yBAAyB,CAAC,EAAE;IAC7C,MAAMwF,CAAC;EACT;EAEA,MAAM,IAAIzF,oBAAoB,CAACF,mBAAmB,CAAC,CAChD4F,MAAM,CAAC,GAAG,EAAE;IACX;IACA;IACAC,IAAI,EAAE5F,wBAAwB,CAAC6F,+BAA+B;IAC9DjC,OAAO,EACL;EACJ,CAAC,CAAC,CACD+B,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAE5F,wBAAwB,CAAC8F,uBAAuB;IACtDlC,OAAO,EAAE;EACX,CAAC,CAAC,CACD+B,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAE5F,wBAAwB,CAAC8F,uBAAuB;IACtDlC,OAAO,EAAE;EACX,CAAC,CAAC,CACD+B,MAAM,CAAC,GAAG,EAAE;IACXC,IAAI,EAAE5F,wBAAwB,CAAC+F,uBAAuB;IACtDnC,OAAO,EAAE;EACX,CAAC,CAAC,CACDoC,SAAS,CAACN,CAAC,CAAC;AACjB,CAAC"}

package/lib/module/credential/issuance/v1.0.0/06-verify-and-parse-credential.js

@@ -0,0 +1,27 @@
+import { IoWalletError } from "../../../utils/errors";
+import { Logger, LogLevel } from "../../../utils/logging";
+import { verifyAndParseCredentialMDoc } from "../common/06-verify-and-parse-credential.mdoc";
+import { verifyAndParseCredentialSdJwt } from "../common/06-verify-and-parse-credential.sdjwt";
+export const verifyAndParseCredential = async (issuerConf, credential, credentialConfigurationId, context, x509CertRoot) => {
+  var _issuerConf$credentia;
+  const format = (_issuerConf$credentia = issuerConf.credential_configurations_supported[credentialConfigurationId]) === null || _issuerConf$credentia === void 0 ? void 0 : _issuerConf$credentia.format;
+  switch (format) {
+    case "dc+sd-jwt":
+      {
+        Logger.log(LogLevel.DEBUG, "Parsing credential in dc+sd-jwt format");
+        return verifyAndParseCredentialSdJwt(issuerConf, credential, credentialConfigurationId, context);
+      }
+    case "mso_mdoc":
+      {
+        Logger.log(LogLevel.DEBUG, "Parsing credential in mso_mdoc format");
+        return verifyAndParseCredentialMDoc(issuerConf, credential, credentialConfigurationId, context, x509CertRoot);
+      }
+    default:
+      {
+        const message = `Unsupported credential format: ${format}`;
+        Logger.log(LogLevel.ERROR, message);
+        throw new IoWalletError(message);
+      }
+  }
+};
+//# sourceMappingURL=06-verify-and-parse-credential.js.map

package/lib/module/credential/issuance/v1.0.0/06-verify-and-parse-credential.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["IoWalletError","Logger","LogLevel","verifyAndParseCredentialMDoc","verifyAndParseCredentialSdJwt","verifyAndParseCredential","issuerConf","credential","credentialConfigurationId","context","x509CertRoot","_issuerConf$credentia","format","credential_configurations_supported","log","DEBUG","message","ERROR"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.0.0/06-verify-and-parse-credential.ts"],"mappings":"AAAA,SAASA,aAAa,QAAQ,uBAAuB;AACrD,SAASC,MAAM,EAAEC,QAAQ,QAAQ,wBAAwB;AACzD,SAASC,4BAA4B,QAAQ,+CAA+C;AAC5F,SAASC,6BAA6B,QAAQ,gDAAgD;AAG9F,OAAO,MAAMC,wBAAiE,GAC5E,MAAAA,CACEC,UAAU,EACVC,UAAU,EACVC,yBAAyB,EACzBC,OAAO,EACPC,YAAY,KACT;EAAA,IAAAC,qBAAA;EACH,MAAMC,MAAM,IAAAD,qBAAA,GACVL,UAAU,CAACO,mCAAmC,CAACL,yBAAyB,CAAC,cAAAG,qBAAA,uBAAzEA,qBAAA,CACIC,MAAM;EAEZ,QAAQA,MAAM;IACZ,KAAK,WAAW;MAAE;QAChBX,MAAM,CAACa,GAAG,CAACZ,QAAQ,CAACa,KAAK,EAAE,wCAAwC,CAAC;QACpE,OAAOX,6BAA6B,CAClCE,UAAU,EACVC,UAAU,EACVC,yBAAyB,EACzBC,OACF,CAAC;MACH;IACA,KAAK,UAAU;MAAE;QACfR,MAAM,CAACa,GAAG,CAACZ,QAAQ,CAACa,KAAK,EAAE,uCAAuC,CAAC;QACnE,OAAOZ,4BAA4B,CACjCG,UAAU,EACVC,UAAU,EACVC,yBAAyB,EACzBC,OAAO,EACPC,YACF,CAAC;MACH;IAEA;MAAS;QACP,MAAMM,OAAO,GAAI,kCAAiCJ,MAAO,EAAC;QAC1DX,MAAM,CAACa,GAAG,CAACZ,QAAQ,CAACe,KAAK,EAAED,OAAO,CAAC;QACnC,MAAM,IAAIhB,aAAa,CAACgB,OAAO,CAAC;MAClC;EACF;AACF,CAAC"}

package/lib/module/credential/issuance/v1.0.0/index.js

@@ -0,0 +1,21 @@
+import { evaluateIssuerTrust } from "./01-evaluate-issuer-trust";
+import { startUserAuthorization } from "./02-start-user-authorization";
+import { continueUserAuthorizationWithMRTDPoPChallenge, completeUserAuthorizationWithQueryMode, completeUserAuthorizationWithFormPostJwtMode, buildAuthorizationUrl, getRequestedCredentialToBePresented } from "./03-complete-user-authorization";
+import { authorizeAccess } from "./04-authorize-access";
+import { obtainCredential } from "./05-obtain-credential";
+import { verifyAndParseCredential } from "./06-verify-and-parse-credential";
+import { MRTDPoP } from "../mrtd-pop";
+export const Issuance = {
+  evaluateIssuerTrust,
+  startUserAuthorization,
+  buildAuthorizationUrl,
+  completeUserAuthorizationWithQueryMode,
+  continueUserAuthorizationWithMRTDPoPChallenge,
+  getRequestedCredentialToBePresented,
+  completeUserAuthorizationWithFormPostJwtMode,
+  authorizeAccess,
+  obtainCredential,
+  verifyAndParseCredential,
+  MRTDPoP
+};
+//# sourceMappingURL=index.js.map

package/lib/module/credential/issuance/v1.0.0/index.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["evaluateIssuerTrust","startUserAuthorization","continueUserAuthorizationWithMRTDPoPChallenge","completeUserAuthorizationWithQueryMode","completeUserAuthorizationWithFormPostJwtMode","buildAuthorizationUrl","getRequestedCredentialToBePresented","authorizeAccess","obtainCredential","verifyAndParseCredential","MRTDPoP","Issuance"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.0.0/index.ts"],"mappings":"AACA,SAASA,mBAAmB,QAAQ,4BAA4B;AAChE,SAASC,sBAAsB,QAAQ,+BAA+B;AACtE,SACEC,6CAA6C,EAC7CC,sCAAsC,EACtCC,4CAA4C,EAC5CC,qBAAqB,EACrBC,mCAAmC,QAC9B,kCAAkC;AACzC,SAASC,eAAe,QAAQ,uBAAuB;AACvD,SAASC,gBAAgB,QAAQ,wBAAwB;AACzD,SAASC,wBAAwB,QAAQ,kCAAkC;AAC3E,SAASC,OAAO,QAAQ,aAAa;AAErC,OAAO,MAAMC,QAAqB,GAAG;EACnCX,mBAAmB;EACnBC,sBAAsB;EACtBI,qBAAqB;EACrBF,sCAAsC;EACtCD,6CAA6C;EAC7CI,mCAAmC;EACnCF,4CAA4C;EAC5CG,eAAe;EACfC,gBAAgB;EAChBC,wBAAwB;EACxBC;AACF,CAAC"}

package/lib/module/credential/issuance/v1.0.0/mappers.js

@@ -0,0 +1,21 @@
+import { createMapper } from "../../../utils/mappers";
+export const mapToIssuerConfig = createMapper(x => {
+  const {
+    oauth_authorization_server,
+    openid_credential_issuer,
+    federation_entity
+  } = x.payload.metadata;
+  return {
+    authorization_endpoint: oauth_authorization_server.authorization_endpoint,
+    credential_endpoint: openid_credential_issuer.credential_endpoint,
+    credential_issuer: openid_credential_issuer.credential_issuer,
+    credential_configurations_supported: openid_credential_issuer.credential_configurations_supported,
+    keys: openid_credential_issuer.jwks.keys,
+    pushed_authorization_request_endpoint: oauth_authorization_server.pushed_authorization_request_endpoint,
+    token_endpoint: oauth_authorization_server.token_endpoint,
+    status_assertion_endpoint: openid_credential_issuer.status_attestation_endpoint,
+    nonce_endpoint: openid_credential_issuer.nonce_endpoint,
+    federation_entity
+  };
+});
+//# sourceMappingURL=mappers.js.map

package/lib/module/credential/issuance/v1.0.0/mappers.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["createMapper","mapToIssuerConfig","x","oauth_authorization_server","openid_credential_issuer","federation_entity","payload","metadata","authorization_endpoint","credential_endpoint","credential_issuer","credential_configurations_supported","keys","jwks","pushed_authorization_request_endpoint","token_endpoint","status_assertion_endpoint","status_attestation_endpoint","nonce_endpoint"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.0.0/mappers.ts"],"mappings":"AACA,SAASA,YAAY,QAAQ,wBAAwB;AAGrD,OAAO,MAAMC,iBAAiB,GAAGD,YAAY,CAG1CE,CAAC,IAAK;EACP,MAAM;IACJC,0BAA0B;IAC1BC,wBAAwB;IACxBC;EACF,CAAC,GAAGH,CAAC,CAACI,OAAO,CAACC,QAAQ;EACtB,OAAO;IACLC,sBAAsB,EAAEL,0BAA0B,CAACK,sBAAsB;IACzEC,mBAAmB,EAAEL,wBAAwB,CAACK,mBAAmB;IACjEC,iBAAiB,EAAEN,wBAAwB,CAACM,iBAAiB;IAC7DC,mCAAmC,EACjCP,wBAAwB,CAACO,mCAAmC;IAC9DC,IAAI,EAAER,wBAAwB,CAACS,IAAI,CAACD,IAAI;IACxCE,qCAAqC,EACnCX,0BAA0B,CAACW,qCAAqC;IAClEC,cAAc,EAAEZ,0BAA0B,CAACY,cAAc;IACzDC,yBAAyB,EACvBZ,wBAAwB,CAACa,2BAA2B;IACtDC,cAAc,EAAEd,wBAAwB,CAACc,cAAc;IACvDb;EACF,CAAC;AACH,CAAC,CAAC"}

package/lib/module/credential/issuance/v1.0.0/types.js

@@ -0,0 +1,22 @@
+import * as z from "zod";
+import { AuthorizationDetail, TokenResponse } from "../api/types";
+
+// Reusing the following API types because they are the same in v1.0.0
+export { AuthorizationDetail, TokenResponse };
+export const CredentialResponse = z.object({
+  credentials: z.array(z.object({
+    credential: z.string()
+  })),
+  notification_id: z.string().optional()
+});
+
+/**
+ * Shape from parsing a response given by a request uri during the EAA credential issuance flow with response mode "form_post.jwt".
+ */
+export const ResponseUriResultShape = z.object({
+  redirect_uri: z.string()
+});
+export const NonceResponse = z.object({
+  c_nonce: z.string()
+});
+//# sourceMappingURL=types.js.map