npm - @pagopa/io-react-native-wallet - Versions diffs - 2.5.1 → 3.0.0 - Mend

@pagopa/io-react-native-wallet 2.5.1 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1551) hide show

package/lib/commonjs/credential/issuance/v1.3.3/index.js ADDED Viewed

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.Issuance = void 0;
+var _evaluateIssuerTrust = require("./01-evaluate-issuer-trust");
+var _startUserAuthorization = require("./02-start-user-authorization");
+var _completeUserAuthorization = require("./03-complete-user-authorization");
+var _authorizeAccess = require("./04-authorize-access");
+var _obtainCredential = require("./05-obtain-credential");
+var _verifyAndParseCredential = require("./06-verify-and-parse-credential");
+var _mrtdPop = require("../mrtd-pop");
+const Issuance = {
+  evaluateIssuerTrust: _evaluateIssuerTrust.evaluateIssuerTrust,
+  startUserAuthorization: _startUserAuthorization.startUserAuthorization,
+  buildAuthorizationUrl: _completeUserAuthorization.buildAuthorizationUrl,
+  completeUserAuthorizationWithQueryMode: _completeUserAuthorization.completeUserAuthorizationWithQueryMode,
+  continueUserAuthorizationWithMRTDPoPChallenge: _completeUserAuthorization.continueUserAuthorizationWithMRTDPoPChallenge,
+  getRequestedCredentialToBePresented: _completeUserAuthorization.getRequestedCredentialToBePresented,
+  completeUserAuthorizationWithFormPostJwtMode: _completeUserAuthorization.completeUserAuthorizationWithFormPostJwtMode,
+  authorizeAccess: _authorizeAccess.authorizeAccess,
+  obtainCredential: _obtainCredential.obtainCredential,
+  verifyAndParseCredential: _verifyAndParseCredential.verifyAndParseCredential,
+  MRTDPoP: _mrtdPop.MRTDPoP
+};
+exports.Issuance = Issuance;
+//# sourceMappingURL=index.js.map

package/lib/commonjs/credential/issuance/v1.3.3/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["_evaluateIssuerTrust","require","_startUserAuthorization","_completeUserAuthorization","_authorizeAccess","_obtainCredential","_verifyAndParseCredential","_mrtdPop","Issuance","evaluateIssuerTrust","startUserAuthorization","buildAuthorizationUrl","completeUserAuthorizationWithQueryMode","continueUserAuthorizationWithMRTDPoPChallenge","getRequestedCredentialToBePresented","completeUserAuthorizationWithFormPostJwtMode","authorizeAccess","obtainCredential","verifyAndParseCredential","MRTDPoP","exports"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.3.3/index.ts"],"mappings":";;;;;;AACA,IAAAA,oBAAA,GAAAC,OAAA;AACA,IAAAC,uBAAA,GAAAD,OAAA;AACA,IAAAE,0BAAA,GAAAF,OAAA;AAOA,IAAAG,gBAAA,GAAAH,OAAA;AACA,IAAAI,iBAAA,GAAAJ,OAAA;AACA,IAAAK,yBAAA,GAAAL,OAAA;AACA,IAAAM,QAAA,GAAAN,OAAA;AAEO,MAAMO,QAAqB,GAAG;EACnCC,mBAAmB,EAAnBA,wCAAmB;EACnBC,sBAAsB,EAAtBA,8CAAsB;EACtBC,qBAAqB,EAArBA,gDAAqB;EACrBC,sCAAsC,EAAtCA,iEAAsC;EACtCC,6CAA6C,EAA7CA,wEAA6C;EAC7CC,mCAAmC,EAAnCA,8DAAmC;EACnCC,4CAA4C,EAA5CA,uEAA4C;EAC5CC,eAAe,EAAfA,gCAAe;EACfC,gBAAgB,EAAhBA,kCAAgB;EAChBC,wBAAwB,EAAxBA,kDAAwB;EACxBC,OAAO,EAAPA;AACF,CAAC;AAACC,OAAA,CAAAZ,QAAA,GAAAA,QAAA"}

package/lib/commonjs/credential/issuance/v1.3.3/mappers.js ADDED Viewed

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.mapToRequestObject = exports.mapToIssuerConfig = void 0;
+var _misc = require("../../../utils/misc");
+var _mappers = require("../../../utils/mappers");
+var _IssuerConfig = require("../api/IssuerConfig");
+const mapCredentialConfigurationsSupported = oidIssuer => Object.entries(oidIssuer.credential_configurations_supported).reduce((acc, _ref) => {
+  var _config$credential_me;
+  let [key, config] = _ref;
+  acc[key] = {
+    ...(config.format === "dc+sd-jwt" ? {
+      format: config.format,
+      vct: config.vct
+    } : {
+      format: config.format,
+      doctype: config.doctype
+    }),
+    scope: config.scope,
+    display: config.credential_metadata.display,
+    claims: ((_config$credential_me = config.credential_metadata.claims) === null || _config$credential_me === void 0 ? void 0 : _config$credential_me.map(claim => ({
+      path: claim.path,
+      display: claim.display ?? []
+    }))) ?? []
+  };
+  return acc;
+}, {});
+const mapToIssuerConfig = (0, _mappers.createMapper)(x => {
+  var _openid_credential_is;
+  const {
+    oauth_authorization_server,
+    openid_credential_issuer,
+    federation_entity
+  } = x.metadata;
+  (0, _misc.assert)(oauth_authorization_server, "oauth_authorization_server is required in Issuer metadata");
+  (0, _misc.assert)(openid_credential_issuer, "openid_credential_issuer is required in Issuer metadata");
+  return {
+    authorization_endpoint: oauth_authorization_server.authorization_endpoint,
+    credential_endpoint: openid_credential_issuer.credential_endpoint,
+    credential_issuer: openid_credential_issuer.credential_issuer,
+    credential_configurations_supported: mapCredentialConfigurationsSupported(openid_credential_issuer),
+    keys: openid_credential_issuer.jwks.keys,
+    pushed_authorization_request_endpoint: oauth_authorization_server.pushed_authorization_request_endpoint,
+    token_endpoint: oauth_authorization_server.token_endpoint,
+    status_assertion_endpoint: openid_credential_issuer.status_attestation_endpoint,
+    nonce_endpoint: openid_credential_issuer.nonce_endpoint,
+    federation_entity: federation_entity ?? {},
+    credential_issuance_batch_size: (_openid_credential_is = openid_credential_issuer.batch_credential_issuance) === null || _openid_credential_is === void 0 ? void 0 : _openid_credential_is.batch_size
+  };
+}, {
+  outputSchema: _IssuerConfig.IssuerConfig
+} // Output validation for extra-safety
+);
+exports.mapToIssuerConfig = mapToIssuerConfig;
+const mapToRequestObject = (0, _mappers.createMapper)(_ref2 => {
+  let {
+    payload
+  } = _ref2;
+  return {
+    iss: payload.iss ?? "UNKNOWN_ISSUER",
+    client_id: payload.client_id,
+    dcql_query: payload.dcql_query,
+    nonce: payload.nonce,
+    response_uri: payload.response_uri,
+    state: payload.state,
+    response_mode: payload.response_mode,
+    response_type: payload.response_type
+  };
+});
+exports.mapToRequestObject = mapToRequestObject;
+//# sourceMappingURL=mappers.js.map

package/lib/commonjs/credential/issuance/v1.3.3/mappers.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["_misc","require","_mappers","_IssuerConfig","mapCredentialConfigurationsSupported","oidIssuer","Object","entries","credential_configurations_supported","reduce","acc","_ref","_config$credential_me","key","config","format","vct","doctype","scope","display","credential_metadata","claims","map","claim","path","mapToIssuerConfig","createMapper","x","_openid_credential_is","oauth_authorization_server","openid_credential_issuer","federation_entity","metadata","assert","authorization_endpoint","credential_endpoint","credential_issuer","keys","jwks","pushed_authorization_request_endpoint","token_endpoint","status_assertion_endpoint","status_attestation_endpoint","nonce_endpoint","credential_issuance_batch_size","batch_credential_issuance","batch_size","outputSchema","IssuerConfig","exports","mapToRequestObject","_ref2","payload","iss","client_id","dcql_query","nonce","response_uri","state","response_mode","response_type"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.3.3/mappers.ts"],"mappings":";;;;;;AAEA,IAAAA,KAAA,GAAAC,OAAA;AACA,IAAAC,QAAA,GAAAD,OAAA;AAGA,IAAAE,aAAA,GAAAF,OAAA;AAOA,MAAMG,oCAAoC,GACxCC,SAAiC,IAEjCC,MAAM,CAACC,OAAO,CAACF,SAAS,CAAEG,mCAAmC,CAAC,CAACC,MAAM,CACnE,CAACC,GAAG,EAAAC,IAAA,KAAoB;EAAA,IAAAC,qBAAA;EAAA,IAAlB,CAACC,GAAG,EAAEC,MAAM,CAAC,GAAAH,IAAA;EACjBD,GAAG,CAACG,GAAG,CAAC,GAAG;IACT,IAAIC,MAAM,CAACC,MAAM,KAAK,WAAW,GAC7B;MAAEA,MAAM,EAAED,MAAM,CAACC,MAAM;MAAEC,GAAG,EAAEF,MAAM,CAACE;IAAI,CAAC,GAC1C;MAAED,MAAM,EAAED,MAAM,CAACC,MAAM;MAAEE,OAAO,EAAEH,MAAM,CAACG;IAAQ,CAAC,CAAC;IACvDC,KAAK,EAAEJ,MAAM,CAACI,KAAK;IACnBC,OAAO,EAAEL,MAAM,CAACM,mBAAmB,CAACD,OAAQ;IAC5CE,MAAM,EACJ,EAAAT,qBAAA,GAAAE,MAAM,CAACM,mBAAmB,CAACC,MAAM,cAAAT,qBAAA,uBAAjCA,qBAAA,CAAmCU,GAAG,CAAEC,KAAK,KAAM;MACjDC,IAAI,EAAED,KAAK,CAACC,IAAI;MAChBL,OAAO,EAAEI,KAAK,CAACJ,OAAO,IAAI;IAC5B,CAAC,CAAC,CAAC,KAAI;EACX,CAAC;EACD,OAAOT,GAAG;AACZ,CAAC,EACD,CAAC,CACH,CAAC;AAEI,MAAMe,iBAAiB,GAAG,IAAAC,qBAAY,EAC1CC,CAAC,IAAK;EAAA,IAAAC,qBAAA;EACL,MAAM;IACJC,0BAA0B;IAC1BC,wBAAwB;IACxBC;EACF,CAAC,GAAGJ,CAAC,CAACK,QAAQ;EAEd,IAAAC,YAAM,EACJJ,0BAA0B,EAC1B,2DACF,CAAC;EACD,IAAAI,YAAM,EACJH,wBAAwB,EACxB,yDACF,CAAC;EAED,OAAO;IACLI,sBAAsB,EAAEL,0BAA0B,CAACK,sBAAsB;IACzEC,mBAAmB,EAAEL,wBAAwB,CAACK,mBAAmB;IACjEC,iBAAiB,EAAEN,wBAAwB,CAACM,iBAAiB;IAC7D5B,mCAAmC,EAAEJ,oCAAoC,CACvE0B,wBACF,CAAC;IACDO,IAAI,EAAEP,wBAAwB,CAACQ,IAAI,CAACD,IAAa;IACjDE,qCAAqC,EACnCV,0BAA0B,CAACU,qCAAqC;IAClEC,cAAc,EAAEX,0BAA0B,CAACW,cAAc;IACzDC,yBAAyB,EACvBX,wBAAwB,CAACY,2BAA2B;IACtDC,cAAc,EAAEb,wBAAwB,CAACa,cAAe;IACxDZ,iBAAiB,EAAEA,iBAAiB,IAAI,CAAC,CAAC;IAC1Ca,8BAA8B,GAAAhB,qBAAA,GAC5BE,wBAAwB,CAACe,yBAAyB,cAAAjB,qBAAA,uBAAlDA,qBAAA,CAAoDkB;EACxD,CAAC;AACH,CAAC,EACD;EAAEC,YAAY,EAAEC;AAAa,CAAC,CAAC;AACjC,CAAC;AAACC,OAAA,CAAAxB,iBAAA,GAAAA,iBAAA;AAEK,MAAMyB,kBAAkB,GAAG,IAAAxB,qBAAY,EAG5CyB,KAAA;EAAA,IAAC;IAAEC;EAAQ,CAAC,GAAAD,KAAA;EAAA,OAAM;IAClBE,GAAG,EAAED,OAAO,CAACC,GAAG,IAAI,gBAAgB;IACpCC,SAAS,EAAEF,OAAO,CAACE,SAAS;IAC5BC,UAAU,EAAEH,OAAO,CAACG,UAAW;IAC/BC,KAAK,EAAEJ,OAAO,CAACI,KAAK;IACpBC,YAAY,EAAEL,OAAO,CAACK,YAAa;IACnCC,KAAK,EAAEN,OAAO,CAACM,KAAK;IACpBC,aAAa,EAAEP,OAAO,CAACO,aAAa;IACpCC,aAAa,EAAER,OAAO,CAACQ;EACzB,CAAC;AAAA,CAAC,CAAC;AAACX,OAAA,CAAAC,kBAAA,GAAAA,kBAAA"}

package/lib/commonjs/credential/issuance/v1.3.3/types.js ADDED Viewed

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.NonceResponse = void 0;
+var z = _interopRequireWildcard(require("zod"));
+function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
+function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
+const NonceResponse = z.object({
+  c_nonce: z.string()
+});
+exports.NonceResponse = NonceResponse;
+//# sourceMappingURL=types.js.map

package/lib/commonjs/credential/issuance/v1.3.3/types.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["z","_interopRequireWildcard","require","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set","NonceResponse","object","c_nonce","string","exports"],"sourceRoot":"../../../../../src","sources":["credential/issuance/v1.3.3/types.ts"],"mappings":";;;;;;AAAA,IAAAA,CAAA,GAAAC,uBAAA,CAAAC,OAAA;AAAyB,SAAAC,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAH,wBAAAO,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA;AAGlB,MAAMW,aAAa,GAAGzB,CAAC,CAAC0B,MAAM,CAAC;EACpCC,OAAO,EAAE3B,CAAC,CAAC4B,MAAM,CAAC;AACpB,CAAC,CAAC;AAACC,OAAA,CAAAJ,aAAA,GAAAA,aAAA"}

package/lib/commonjs/credential/offer/README.md CHANGED Viewed

@@ -1,174 +1,158 @@
 # Credential Offer
-This flow handles the initial step of credential issuance by processing Credential Offers from Credential Issuers. The Credential Offer contains information about what credentials are available and how they can be obtained. Each step in the flow is imported from the related file which is named with a sequential number.
+This module implements the **User Request Flow** for Issuer-Initiated credential issuance, as defined in [IT-Wallet Technical Specifications v1.3.3, Section 12.1.2](https://italia.github.io/eid-wallet-it-docs/) and [OpenID for Verifiable Credential Issuance 1.0, Section 4.1](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-offer-endpoint).
-A Credential Offer can be received by the Wallet in two ways: **by value** (complete offer embedded in the URL) or **by reference** (URL pointing to the offer endpoint). The offer specifies which credentials are available and what authorization flows are supported by the issuer.
+The flow processes a Credential Offer received from a Credential Issuer (or a Third Party / Authentic Source) and extracts the grant details needed to start the Issuance Flow.
-The implementation follows the [OpenID for Verifiable Credential Issuance 1.0](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-offer-endpoint) specification and supports both Authorization Code flow and Pre-Authorized Code flow.
+All operations delegate to the [`@pagopa/io-wallet-oid4vci`](https://github.com/nicolo-ribaudo/io-wallet-oid4vci) SDK.
-## Sequence Diagram
+## Flow overview
 ```mermaid
-sequenceDiagram
-  autonumber
-  participant U as User
-  participant W as Wallet
-  participant CI as Credential Issuer
-  CI->>U: QR Code / Deep Link with Credential Offer
-  U->>W: Scan QR / Click Link
-  W->>W: startFlowFromQR: Parse offer parameters
-  alt Credential Offer by Reference
-    W->>CI: fetchCredentialOffer: Fetch offer from URI
-    CI->>W: Return Credential Offer JSON
-  end
-  W->>W: Validate Credential Offer schema
-  W->>W: Determine available grant types
-  Note over W: Flow continues with credential issuance
+graph TD;
+  QR[QR code / deep link]
+  1[resolveCredentialOffer]
+  2[extractGrantDetails]
+  Issuance[Issuance Flow]
+  QR --> 1
+  1 -->|CredentialOffer| 2
+  2 -->|ExtractGrantDetailsResult| Issuance
 ```
-## Grant Types
+| Step | Function | What it does |
+|------|----------|--------------|
+| 1 | `resolveCredentialOffer` | Parses the URI, fetches the offer if by-reference, validates structure |
+| 2 | `extractGrantDetails` | Extracts the `authorization_code` grant details from the resolved offer |
-The Credential Offer supports two OAuth 2.0 grant types that determine how authorization is handled:
+## Credential Offer transmission
-### Authorization Code Flow
+A Credential Offer can reach the Wallet Instance in two ways (OpenID4VCI Section 4.1):
-Used for interactive flows where user authentication and consent are required at the Authorization Server.
+### By value (`credential_offer`)
-- **`issuer_state`** (optional): Binds the authorization request to a specific issuer context
-- **`authorization_server`** (optional): Identifies which authorization server to use when multiple are available
+The complete Credential Offer JSON is embedded in the URI as an encoded query parameter:
-### Pre-Authorized Code Flow
+```
+openid-credential-offer://?credential_offer=%7B%22credential_issuer%22...%7D
+```
-Used when the user has already been authenticated and authorized out-of-band. The issuer provides a pre-authorized code that can be exchanged directly for credentials.
+### By reference (`credential_offer_uri`)
-- **`pre-authorized_code`**: Short-lived single-use authorization code
-- **`tx_code`** (optional): Additional transaction code requirements for security
-- **`authorization_server`** (optional): Identifies which authorization server to use
+A URL points to a resource serving the Credential Offer. The Wallet fetches it via HTTP GET with `Accept: application/json`. The Credential Issuer or Third Party SHOULD use a unique URI per offer to prevent caching.
-## Transaction Code Requirements
+```
+openid-credential-offer://?credential_offer_uri=https%3A%2F%2Fissuer.example.com%2Foffer
+```
-When a transaction code is required for Pre-Authorized Code flow, the following parameters control the user experience:
+Both modes are handled transparently by `resolveCredentialOffer` (via the SDK).
-| Parameter     | Type                    | Description                                          |
-| ------------- | ----------------------- | ---------------------------------------------------- |
-| `input_mode`  | `"numeric"` \| `"text"` | Character set for the code (default: `"numeric"`)    |
-| `length`      | number                  | Expected code length to optimize input UI            |
-| `description` | string                  | User guidance (max 300 chars) for obtaining the code |
+## Supported URI schemes
-## Credential Offer Transmission
+The QR code or deep link must use one of the following schemes:
-### By Value
+- `openid-credential-offer://` (OpenID4VCI Section 4)
+- `haip-vci://` (OPENID4VC-HAIP Section 4.2)
+- `https://` (Universal Link, if listed in the Wallet's `credential_offer_endpoint`)
-The complete Credential Offer is embedded in the URL parameter:
+## Step 1 — Resolve and validate
-```
-openid-credential-offer://?credential_offer=%7B%22credential_issuer%22...
-```
+`resolveCredentialOffer(uri, { fetch })` performs two operations:
-### By Reference
+1. **Resolution** — parses the URI and, if the offer is by-reference, fetches the JSON from the remote endpoint.
+2. **Structural validation** — checks the resolved offer against IT-Wallet v1.3 rules:
+   - `credential_issuer` must be an HTTPS URL
+   - `grants` object is required
+   - `authorization_code` grant is required
+   - `scope` is required within `authorization_code`
-A URL points to an endpoint serving the Credential Offer:
+> **Note:** cross-validation against Credential Issuer metadata (e.g. verifying `credential_configuration_ids` against `credential_configurations_supported`, or matching `authorization_server` against the metadata's `authorization_servers`) is **not** part of this step. Per the spec, metadata processing happens once the User Request Flow is completed, at the start of the Issuance Flow.
-```
-openid-credential-offer://?credential_offer_uri=https%3A%2F%2Fserver.example.com%2Foffer
+## Step 2 — Extract grant details
+`extractGrantDetails(offer)` reads the `grants` object and returns an `ExtractGrantDetailsResult`:
+```ts
+{
+  grantType: "authorization_code",
+  authorizationCodeGrant: {
+    scope: string,             // REQUIRED — used in the Authorization Request
+    issuerState?: string,      // binds the request to the Credential Issuer session
+    authorizationServer?: string // REQUIRED when the issuer uses multiple AS
+  }
+}
 ```
-When using by reference, the Wallet fetches the offer via HTTP GET with `Accept: application/json`.
+IT-Wallet v1.3 only supports the `authorization_code` grant type.
-## Mapped Results
+## Credential Offer parameters
-The following errors are mapped during credential offer processing:
+Reference: IT-Wallet spec, Section 12.1.2, Credential Offer parameters table.
-| Error                         | Description                                                                        |
-| ----------------------------- | ---------------------------------------------------------------------------------- |
-| `InvalidQRCodeError`          | The QR code format is invalid or doesn't contain valid credential offer parameters |
-| `InvalidCredentialOfferError` | The credential offer schema validation failed or contains invalid data             |
+| Field | Required | Description |
+|-------|----------|-------------|
+| `credential_issuer` | REQUIRED | HTTPS URL that uniquely identifies the Credential Issuer. Used to discover its metadata. |
+| `credential_configuration_ids` | REQUIRED | Array of credential type identifiers. Each must match an entry in the Issuer's `credential_configurations_supported`. |
+| `grants.authorization_code.scope` | REQUIRED | Maps to a specific credential type. The Wallet MUST use this value in the Authorization Request. |
+| `grants.authorization_code.issuer_state` | OPTIONAL | Opaque string from the Issuer. When present the Wallet MUST include it in the Authorization Request. |
+| `grants.authorization_code.authorization_server` | CONDITIONAL | REQUIRED when the Issuer uses more than one Authorization Server. Must match one entry in the Issuer's `authorization_servers` metadata. |
+## Error mapping
+| Error | Code | When |
+|-------|------|------|
+| `InvalidQRCodeError` | `ERR_INVALID_QR_CODE` | URI parsing fails (unsupported scheme, missing params, invalid or malformed query) |
+| `InvalidCredentialOfferError` | `ERR_INVALID_CREDENTIAL_OFFER` | Structural validation fails (missing grant, missing scope, non-HTTPS issuer) or grant extraction fails |
+> Note: Network or other unexpected errors thrown while fetching an offer by reference in `resolveCredentialOffer` are propagated as-is and are not mapped to `InvalidQRCodeError` or `InvalidCredentialOfferError`.
+## Boundary with the Issuance Flow
+The Credential Offer flow ends once `extractGrantDetails` returns. The Issuance Flow then begins with:
+1. Credential Issuer metadata processing (Trust Evaluation / Federation check)
+2. Cross-validation of the offer against metadata
+3. PAR Request, Authorization, Token exchange, Credential Request
 ## Examples
 <details>
-  <summary>Credential Offer processing flow</summary>
+  <summary>Offer by reference</summary>
 ```ts
-// Parse QR code or deep link
-const qrCode =
+import { CredentialOffer } from "@pagopa/io-react-native-wallet";
+const uri =
   "openid-credential-offer://?credential_offer_uri=https%3A%2F%2Fissuer.example.com%2Foffer";
-const { credential_offer_uri } = startFlowFromQR(qrCode);
-// Fetch the credential offer if by reference
-const offer = await fetchCredentialOffer(credential_offer_uri, { appFetch });
+// 1) Resolve — fetches the offer from the URI and validates it
+const offer = await CredentialOffer.V1_3_3.resolveCredentialOffer(uri, {
+  fetch: appFetch,
+});
-console.log(offer);
+// 2) Extract grant details
+const grant = CredentialOffer.V1_3_3.extractGrantDetails(offer);
 // {
-//   credential_issuer: "https://issuer.example.com",
-//   credential_configuration_ids: ["UniversityDegree", "DriverLicense"],
-//   grants: {
-//     authorization_code: {
-//       issuer_state: "xyz123"
-//     },
-//     "urn:ietf:params:oauth:grant-type:pre-authorized_code": {
-//       "pre-authorized_code": "SplxlOBeZQQYbYS6WxSbIA",
-//       tx_code: {
-//         length: 6,
-//         input_mode: "numeric",
-//         description: "Enter the code sent to your email"
-//       }
-//     }
-//   }
+//   grantType: "authorization_code",
+//   authorizationCodeGrant: { scope: "org.iso.18013.5.1.mDL", ... }
 // }
 ```
 </details>
 <details>
-  <summary>Pre-Authorized Code with Transaction Code</summary>
+  <summary>Offer by value</summary>
 ```ts
-const offer: CredentialOffer = {
-  credential_issuer: "https://university.example.edu",
-  credential_configuration_ids: ["DiplomaCredential"],
-  grants: {
-    "urn:ietf:params:oauth:grant-type:pre-authorized_code": {
-      "pre-authorized_code": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
-      tx_code: {
-        length: 4,
-        input_mode: "numeric",
-        description: "Check your email for the verification code",
-      },
-    },
-  },
-};
-// The user would need to:
-// 1. Check their email for a 4-digit numeric code
-// 2. Enter it in the wallet when prompted
-// 3. The wallet uses both pre-authorized_code and tx_code in the token request
-```
+import { CredentialOffer } from "@pagopa/io-react-native-wallet";
-</details>
+const uri =
+  "openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fissuer.example.com%22%2C%22credential_configuration_ids%22%3A%5B%22UniversityDegree%22%5D%2C%22grants%22%3A%7B%22authorization_code%22%3A%7B%22scope%22%3A%22UniversityDegree%22%7D%7D%7D";
-<details>
-  <summary>Authorization Code Flow</summary>
+// 1) Resolve — decodes the inline offer and validates it
+const offer = await CredentialOffer.V1_3_3.resolveCredentialOffer(uri);
-```ts
-const offer: CredentialOffer = {
-  credential_issuer: "https://dmv.example.gov",
-  credential_configuration_ids: ["org.iso.18013.5.1.mDL"],
-  grants: {
-    authorization_code: {
-      issuer_state: "af0ifjsldkj",
-      authorization_server: "https://auth.dmv.example.gov",
-    },
-  },
-};
-// This would lead to:
-// 1. User authentication at the authorization server
-// 2. User consent for credential issuance
-// 3. Authorization code returned to wallet
-// 4. Wallet exchanges code for access token
-// 5. Wallet uses access token to request credential
+// 2) Extract grant details
+const grant = CredentialOffer.V1_3_3.extractGrantDetails(offer);
 ```
 </details>

package/lib/commonjs/credential/offer/api/01-resolve-credential-offer.js ADDED Viewed

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+//# sourceMappingURL=01-resolve-credential-offer.js.map

package/lib/commonjs/credential/offer/api/01-resolve-credential-offer.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"names":[],"sourceRoot":"../../../../../src","sources":["credential/offer/api/01-resolve-credential-offer.ts"],"mappings":""}

package/lib/commonjs/credential/offer/api/02-extract-grant-details.js ADDED Viewed

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+//# sourceMappingURL=02-extract-grant-details.js.map

package/lib/commonjs/credential/offer/api/02-extract-grant-details.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"names":[],"sourceRoot":"../../../../../src","sources":["credential/offer/api/02-extract-grant-details.ts"],"mappings":""}

package/lib/commonjs/credential/offer/api/index.js ADDED Viewed

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+var _types = require("./types");
+Object.keys(_types).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _types[key]) return;
+  Object.defineProperty(exports, key, {
+    enumerable: true,
+    get: function () {
+      return _types[key];
+    }
+  });
+});
+//# sourceMappingURL=index.js.map

package/lib/commonjs/credential/offer/api/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["_types","require","Object","keys","forEach","key","exports","defineProperty","enumerable","get"],"sourceRoot":"../../../../../src","sources":["credential/offer/api/index.ts"],"mappings":";;;;;AAOA,IAAAA,MAAA,GAAAC,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAH,MAAA,EAAAI,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAL,MAAA,CAAAK,GAAA;EAAAH,MAAA,CAAAK,cAAA,CAAAD,OAAA,EAAAD,GAAA;IAAAG,UAAA;IAAAC,GAAA,WAAAA,CAAA;MAAA,OAAAT,MAAA,CAAAK,GAAA;IAAA;EAAA;AAAA"}

package/lib/commonjs/credential/offer/api/types.js ADDED Viewed

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+//# sourceMappingURL=types.js.map

package/lib/commonjs/credential/offer/api/types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"names":[],"sourceRoot":"../../../../../src","sources":["credential/offer/api/types.ts"],"mappings":""}

package/lib/commonjs/credential/offer/common/errors.js ADDED Viewed

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.InvalidQRCodeError = exports.InvalidCredentialOfferError = void 0;
+var _errors = require("../../../utils/errors");
+class InvalidCredentialOfferError extends _errors.IoWalletError {
+  code = "ERR_INVALID_CREDENTIAL_OFFER";
+  constructor(message) {
+    super(message);
+  }
+}
+exports.InvalidCredentialOfferError = InvalidCredentialOfferError;
+class InvalidQRCodeError extends _errors.IoWalletError {
+  code = "ERR_INVALID_QR_CODE";
+  constructor(message) {
+    super(message);
+  }
+}
+exports.InvalidQRCodeError = InvalidQRCodeError;
+//# sourceMappingURL=errors.js.map

package/lib/commonjs/credential/offer/common/errors.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["_errors","require","InvalidCredentialOfferError","IoWalletError","code","constructor","message","exports","InvalidQRCodeError"],"sourceRoot":"../../../../../src","sources":["credential/offer/common/errors.ts"],"mappings":";;;;;;AAAA,IAAAA,OAAA,GAAAC,OAAA;AAEO,MAAMC,2BAA2B,SAASC,qBAAa,CAAC;EAC7DC,IAAI,GAAG,8BAA8B;EAErCC,WAAWA,CAACC,OAAgB,EAAE;IAC5B,KAAK,CAACA,OAAO,CAAC;EAChB;AACF;AAACC,OAAA,CAAAL,2BAAA,GAAAA,2BAAA;AAEM,MAAMM,kBAAkB,SAASL,qBAAa,CAAC;EACpDC,IAAI,GAAG,qBAAqB;EAE5BC,WAAWA,CAACC,OAAgB,EAAE;IAC5B,KAAK,CAACA,OAAO,CAAC;EAChB;AACF;AAACC,OAAA,CAAAC,kBAAA,GAAAA,kBAAA"}

package/lib/commonjs/credential/offer/index.js CHANGED Viewed

@@ -4,22 +4,22 @@ Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.Errors = void 0;
-Object.defineProperty(exports, "fetchCredentialOffer", {
+Object.defineProperty(exports, "V1_0_0", {
   enumerable: true,
   get: function () {
-    return _fetchCredentialOffer.fetchCredentialOffer;
+    return _v.Offer;
   }
 });
-Object.defineProperty(exports, "startFlowFromQR", {
+Object.defineProperty(exports, "V1_3_3", {
   enumerable: true,
   get: function () {
-    return _startFlow.startFlowFromQR;
+    return _v2.Offer;
   }
 });
-var _startFlow = require("./01-start-flow");
-var _fetchCredentialOffer = require("./02-fetch-credential-offer");
-var Errors = _interopRequireWildcard(require("./errors"));
+var Errors = _interopRequireWildcard(require("./common/errors"));
 exports.Errors = Errors;
+var _v = require("./v1.0.0");
+var _v2 = require("./v1.3.3");
 function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
 function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
 //# sourceMappingURL=index.js.map

package/lib/commonjs/credential/offer/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["~~_startFlow~~","~~require~~","~~_fetchCredentialOffer~~","~~Errors~~","~~_interopRequireWildcard~~","~~exports~~","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set"],"sourceRoot":"../../../../src","sources":["credential/offer/index.ts"],"mappings":";;;;;;;;;;;;;;;;;;AAAA,IAAAA,~~UAAA~~,GAAAC,OAAA;~~AACA~~,~~IAAAC~~,~~qBAAA~~,~~GAAAD~~,~~OAAA;AAIA~~,~~IAAAE,~~MAAA,~~GAAAC~~,~~uBAAA~~,~~CAAAH~~,OAAA;~~AAAmCI~~,~~OAAA~~,~~CAAAF~~,~~MAAA~~,~~GAAAA,MAAA~~;~~AAAA~~,~~SAAAG~~,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,~~SAAAH~~,~~wBAAAO~~,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA"}
1	+ {"version":3,"names":["Errors","_interopRequireWildcard","require","exports","_v","_v2","_getRequireWildcardCache","nodeInterop","WeakMap","cacheBabelInterop","cacheNodeInterop","obj","__esModule","default","cache","has","get","newObj","hasPropertyDescriptor","Object","defineProperty","getOwnPropertyDescriptor","key","prototype","hasOwnProperty","call","desc","set"],"sourceRoot":"../../../../src","sources":["credential/offer/index.ts"],"mappings":";;;;;;;;;;;;;;;;;;AAAA,IAAAA,MAAA,GAAAC,uBAAA,CAAAC,OAAA;AAA0CC,OAAA,CAAAH,MAAA,GAAAA,MAAA;AAG1C,IAAAI,EAAA,GAAAF,OAAA;AACA,IAAAG,GAAA,GAAAH,OAAA;AAA2C,SAAAI,yBAAAC,WAAA,eAAAC,OAAA,kCAAAC,iBAAA,OAAAD,OAAA,QAAAE,gBAAA,OAAAF,OAAA,YAAAF,wBAAA,YAAAA,CAAAC,WAAA,WAAAA,WAAA,GAAAG,gBAAA,GAAAD,iBAAA,KAAAF,WAAA;AAAA,SAAAN,wBAAAU,GAAA,EAAAJ,WAAA,SAAAA,WAAA,IAAAI,GAAA,IAAAA,GAAA,CAAAC,UAAA,WAAAD,GAAA,QAAAA,GAAA,oBAAAA,GAAA,wBAAAA,GAAA,4BAAAE,OAAA,EAAAF,GAAA,UAAAG,KAAA,GAAAR,wBAAA,CAAAC,WAAA,OAAAO,KAAA,IAAAA,KAAA,CAAAC,GAAA,CAAAJ,GAAA,YAAAG,KAAA,CAAAE,GAAA,CAAAL,GAAA,SAAAM,MAAA,WAAAC,qBAAA,GAAAC,MAAA,CAAAC,cAAA,IAAAD,MAAA,CAAAE,wBAAA,WAAAC,GAAA,IAAAX,GAAA,QAAAW,GAAA,kBAAAH,MAAA,CAAAI,SAAA,CAAAC,cAAA,CAAAC,IAAA,CAAAd,GAAA,EAAAW,GAAA,SAAAI,IAAA,GAAAR,qBAAA,GAAAC,MAAA,CAAAE,wBAAA,CAAAV,GAAA,EAAAW,GAAA,cAAAI,IAAA,KAAAA,IAAA,CAAAV,GAAA,IAAAU,IAAA,CAAAC,GAAA,KAAAR,MAAA,CAAAC,cAAA,CAAAH,MAAA,EAAAK,GAAA,EAAAI,IAAA,YAAAT,MAAA,CAAAK,GAAA,IAAAX,GAAA,CAAAW,GAAA,SAAAL,MAAA,CAAAJ,OAAA,GAAAF,GAAA,MAAAG,KAAA,IAAAA,KAAA,CAAAa,GAAA,CAAAhB,GAAA,EAAAM,MAAA,YAAAA,MAAA"}

package/lib/commonjs/credential/offer/v1.0.0/index.js ADDED Viewed

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.Offer = void 0;
+var _errors = require("../../../utils/errors");
+const Offer = {
+  async resolveCredentialOffer() {
+    throw new _errors.UnimplementedFeatureError("resolveCredentialOffer", "1.0.0");
+  },
+  extractGrantDetails() {
+    throw new _errors.UnimplementedFeatureError("extractGrantDetails", "1.0.0");
+  }
+};
+exports.Offer = Offer;
+//# sourceMappingURL=index.js.map

package/lib/commonjs/credential/offer/v1.0.0/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"names":["_errors","require","Offer","resolveCredentialOffer","UnimplementedFeatureError","extractGrantDetails","exports"],"sourceRoot":"../../../../../src","sources":["credential/offer/v1.0.0/index.ts"],"mappings":";;;;;;AAAA,IAAAA,OAAA,GAAAC,OAAA;AAGO,MAAMC,KAAe,GAAG;EAC7B,MAAMC,sBAAsBA,CAAA,EAAG;IAC7B,MAAM,IAAIC,iCAAyB,CAAC,wBAAwB,EAAE,OAAO,CAAC;EACxE,CAAC;EACDC,mBAAmBA,CAAA,EAAG;IACpB,MAAM,IAAID,iCAAyB,CAAC,qBAAqB,EAAE,OAAO,CAAC;EACrE;AACF,CAAC;AAACE,OAAA,CAAAJ,KAAA,GAAAA,KAAA"}