npm - @pagopa/io-react-native-wallet - Versions diffs - 3.1.2 → 3.3.0 - Mend

@pagopa/io-react-native-wallet 3.1.2 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (360) hide show

package/src/credential/issuance/mrtd-pop/index.ts CHANGED Viewed

@@ -1,14 +1,22 @@
+import { sdkConfigV1_0, sdkConfigV1_3 } from "../../../utils/config";
 import type { MRTDPoPApi } from "../api/mrtd-pop";
 import { verifyAndParseChallengeInfo } from "./01-verify-and-parse-challenge-info";
-import { initChallenge } from "./02-init-challenge";
+import { createInitChallenge } from "./02-init-challenge";
 import {
-  validateChallenge,
+  createValidateChallenge,
   buildChallengeCallbackUrl,
 } from "./03-validate-challenge";
-export const MRTDPoP: MRTDPoPApi = {
+export const MRTDPoPv1_0: MRTDPoPApi = {
   verifyAndParseChallengeInfo,
-  initChallenge,
-  validateChallenge,
+  initChallenge: createInitChallenge({ sdkConfig: sdkConfigV1_0 }),
+  validateChallenge: createValidateChallenge({ sdkConfig: sdkConfigV1_0 }),
+  buildChallengeCallbackUrl,
+};
+export const MRTDPoPv1_3: MRTDPoPApi = {
+  verifyAndParseChallengeInfo,
+  initChallenge: createInitChallenge({ sdkConfig: sdkConfigV1_3 }),
+  validateChallenge: createValidateChallenge({ sdkConfig: sdkConfigV1_3 }),
   buildChallengeCallbackUrl,
 };

package/src/credential/issuance/v1.0.0/02-start-user-authorization.ts CHANGED Viewed

@@ -6,7 +6,7 @@ import type { IssuanceApi } from "../api";
 import {
   selectCredentialDefinition,
   selectResponseMode,
-} from "../common/authorization";
+} from "../common/02-start-user-authorization";
 export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
   async (issuerConf, credentialIds, proof, ctx) => {

package/src/credential/issuance/v1.0.0/03-complete-user-authorization.ts CHANGED Viewed

@@ -17,7 +17,7 @@ import { ResponseUriResultShape } from "./types";
 import { getJwtFromFormPost } from "../../../utils/decoder";
 import { AuthorizationError, AuthorizationIdpError } from "../common/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
-import { RequestObjectPayload } from "../../presentation/v1.0.0/types";
+import { RawRequestObject } from "../../presentation/v1.0.0/types";
 import { RemotePresentation as RemotePresentationFlow } from "../../presentation/v1.0.0";
 import type { IssuanceApi } from "../api";
 import type { RemotePresentation } from "../../presentation";
@@ -105,7 +105,12 @@ export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCrede
       .then(hasStatusOrThrow(200, IssuerResponseError))
       .then((res) => res.text())
       .then((jws) => decode(jws))
-      .then((reqObj) => RequestObjectPayload.safeParse(reqObj.payload));
+      .then((reqObj) =>
+        RawRequestObject.safeParse({
+          header: reqObj.protectedHeader,
+          payload: reqObj.payload,
+        })
+      );
     if (!requestObject.success) {
       Logger.log(
@@ -117,7 +122,7 @@ export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCrede
         reason: requestObject.error.message,
       });
     }
-    return requestObject.data;
+    return requestObject.data.payload;
   };
 export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["completeUserAuthorizationWithFormPostJwtMode"] =

package/src/credential/issuance/v1.0.0/05-obtain-credential.ts CHANGED Viewed

@@ -10,6 +10,7 @@ import {
   IssuerResponseErrorCodes,
   ResponseErrorBuilder,
   UnexpectedStatusCodeError,
+  UnimplementedFeatureError,
   ValidationFailed,
 } from "../../../utils/errors";
 import { createDPopToken } from "../../../utils/dpop";
@@ -210,3 +211,8 @@ const handleObtainCredentialError = (e: unknown) => {
     })
     .buildFrom(e);
 };
+export const obtainCredentialsBatch: IssuanceApi["obtainCredentialsBatch"] =
+  () => {
+    throw new UnimplementedFeatureError("obtainCredentialsBatch", "1.0.0");
+  };

package/src/credential/issuance/v1.0.0/index.ts CHANGED Viewed

@@ -9,9 +9,12 @@ import {
   getRequestedCredentialToBePresented,
 } from "./03-complete-user-authorization";
 import { authorizeAccess } from "./04-authorize-access";
-import { obtainCredential } from "./05-obtain-credential";
+import {
+  obtainCredential,
+  obtainCredentialsBatch,
+} from "./05-obtain-credential";
 import { verifyAndParseCredential } from "./06-verify-and-parse-credential";
-import { MRTDPoP } from "../mrtd-pop";
+import { MRTDPoPv1_0 } from "../mrtd-pop";
 export const Issuance: IssuanceApi = {
   evaluateIssuerTrust,
@@ -23,6 +26,7 @@ export const Issuance: IssuanceApi = {
   completeUserAuthorizationWithFormPostJwtMode,
   authorizeAccess,
   obtainCredential,
+  obtainCredentialsBatch,
   verifyAndParseCredential,
-  MRTDPoP,
+  MRTDPoP: MRTDPoPv1_0,
 };

package/src/credential/issuance/v1.0.0/mappers.ts CHANGED Viewed

@@ -17,7 +17,10 @@ export const mapToIssuerConfig = createMapper<
     credential_issuer: openid_credential_issuer.credential_issuer,
     credential_configurations_supported:
       openid_credential_issuer.credential_configurations_supported,
-    keys: openid_credential_issuer.jwks.keys,
+    keys: [
+      ...openid_credential_issuer.jwks.keys,
+      ...oauth_authorization_server.jwks.keys,
+    ],
     pushed_authorization_request_endpoint:
       oauth_authorization_server.pushed_authorization_request_endpoint,
     token_endpoint: oauth_authorization_server.token_endpoint,

package/src/credential/issuance/v1.3.3/01-evaluate-issuer-trust.ts CHANGED Viewed

@@ -2,7 +2,6 @@ import {
   fetchMetadata,
   type MetadataResponseV1_3,
 } from "@pagopa/io-wallet-oid4vci";
-import { partialCallbacks } from "../../../utils/callbacks";
 import { sdkConfigV1_3 } from "../../../utils/config";
 import type { IssuanceApi } from "../api";
 import { mapToIssuerConfig } from "./mappers";
@@ -15,7 +14,6 @@ export const evaluateIssuerTrust: IssuanceApi["evaluateIssuerTrust"] = async (
     config: sdkConfigV1_3,
     credentialIssuerUrl: issuerUrl,
     callbacks: {
-      ...partialCallbacks,
       fetch: context.appFetch,
     },
   })) as MetadataResponseV1_3;

package/src/credential/issuance/v1.3.3/02-start-user-authorization.ts CHANGED Viewed

@@ -3,16 +3,17 @@ import {
   fetchPushedAuthorizationResponse,
   createClientAttestationPopJwt,
 } from "@pagopa/io-wallet-oauth2";
-import type { CallbackContext } from "@pagopa/io-wallet-oauth2";
+import type { JwtSignerJwk } from "@pagopa/io-wallet-oauth2";
+import { v4 as uuidv4 } from "uuid";
 import { LogLevel, Logger } from "../../../utils/logging";
 import type { IssuanceApi } from "../api";
-import { SignJWT } from "@pagopa/io-react-native-jwt";
-import { partialCallbacks } from "../../../utils/callbacks";
-import { IoWalletError } from "../../../utils/errors";
 import {
-  selectCredentialDefinition,
-  selectResponseMode,
-} from "../common/authorization";
+  createSignJwtFromCryptoContext,
+  partialCallbacks,
+} from "../../../utils/callbacks";
+import { IoWalletError } from "../../../utils/errors";
+import { sdkConfigV1_3 } from "../../../utils/config";
+import { selectCredentialDefinition } from "../common/02-start-user-authorization";
 export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
   async (issuerConf, credentialIds, proof, ctx) => {
@@ -33,8 +34,6 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       throw new IoWalletError("No public key found");
     }
-    const responseMode = selectResponseMode(issuerConf, credentialIds);
     const credentialDefinition = credentialIds.map((c) =>
       selectCredentialDefinition(issuerConf, c)
     );
@@ -54,13 +53,16 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       });
     }
-    const signerJwk = await wiaCryptoContext.getPublicKey();
-    const signJwt: CallbackContext["signJwt"] = async (_, payload) => ({
-      jwt: await new SignJWT(wiaCryptoContext).setPayload(payload).sign(),
-      signerJwk,
-    });
+    const wiaSigner: JwtSignerJwk = {
+      method: "jwk",
+      alg: "ES256",
+      publicJwk: await wiaCryptoContext.getPublicKey(),
+    };
+    const signJwt = createSignJwtFromCryptoContext(wiaCryptoContext);
     const parRequest = await createPushedAuthorizationRequest({
+      config: sdkConfigV1_3,
       callbacks: {
         ...partialCallbacks,
         signJwt,
@@ -68,25 +70,27 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       authorizationServerMetadata: {
         require_signed_request_object: true,
       },
+      jti: uuidv4(),
       clientId,
       audience: issuerConf.credential_issuer,
       authorization_details: credentialDefinition,
       codeChallengeMethodsSupported: ["S256"],
-      responseMode,
       redirectUri,
+      dpop: {
+        signer: wiaSigner,
+      },
     });
     const clientAttestationPoP = await createClientAttestationPopJwt({
+      config: sdkConfigV1_3,
       callbacks: {
+        generateRandom: partialCallbacks.generateRandom,
         signJwt,
       },
       clientAttestation: walletInstanceAttestation,
       authorizationServer: issuerConf.authorization_endpoint,
-      signer: {
-        method: "jwk",
-        alg: "ES256",
-        publicJwk: signerJwk,
-      },
+      signer: wiaSigner,
+      jti: uuidv4(),
     });
     const { request_uri } = await fetchPushedAuthorizationResponse({

package/src/credential/issuance/v1.3.3/03-complete-user-authorization.ts CHANGED Viewed

@@ -16,11 +16,11 @@ import { AuthorizationError, AuthorizationIdpError } from "../common/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
 import { RemotePresentation as RemotePresentationFlow } from "../../presentation/v1.3.3";
 import { partialCallbacks } from "../../../utils/callbacks";
+import { sdkConfigV1_3 } from "../../../utils/config";
 import {
   IoWalletError,
   sdkUnexpectedStatusCodeToIssuerError,
 } from "../../../utils/errors";
-import { sdkConfigV1_3 } from "../../../utils/config";
 import type { IssuanceApi } from "../api";
 import { mapToRequestObject } from "./mappers";
 import type { RemotePresentation } from "../../presentation";

package/src/credential/issuance/v1.3.3/04-authorize-access.ts CHANGED Viewed

@@ -1,10 +1,15 @@
-import { SignJWT } from "@pagopa/io-react-native-jwt";
-import { createTokenDPoP, fetchTokenResponse } from "@pagopa/io-wallet-oauth2";
+import {
+  createClientAttestationPopJwt,
+  createTokenDPoP,
+  fetchTokenResponse,
+} from "@pagopa/io-wallet-oauth2";
 import { v4 as uuidv4 } from "uuid";
-import { createPopToken } from "../../../utils/pop";
-import * as WalletInstanceAttestation from "../../../wallet-instance-attestation/v1.0.0/utils";
-import { partialCallbacks } from "../../../utils/callbacks";
+import {
+  createSignJwtFromCryptoContext,
+  partialCallbacks,
+} from "../../../utils/callbacks";
 import { IoWalletError } from "../../../utils/errors";
+import { sdkConfigV1_3 } from "../../../utils/config";
 import type { IssuanceApi, TokenResponse } from "../api";
 export const authorizeAccess: IssuanceApi["authorizeAccess"] = async (
@@ -21,37 +26,37 @@ export const authorizeAccess: IssuanceApi["authorizeAccess"] = async (
     dPopCryptoContext,
   } = context;
-  const dPopSignerJwk = await dPopCryptoContext.getPublicKey();
   const tokenDPoP = await createTokenDPoP({
     callbacks: {
       ...partialCallbacks,
-      signJwt: async (_, payload) => ({
-        jwt: await new SignJWT(wiaCryptoContext).setPayload(payload).sign(),
-        signerJwk: dPopSignerJwk,
-      }),
+      signJwt: createSignJwtFromCryptoContext(dPopCryptoContext),
     },
     signer: {
-      alg: "ES256",
       method: "jwk",
-      publicJwk: dPopSignerJwk,
+      alg: "ES256",
+      publicJwk: await dPopCryptoContext.getPublicKey(),
     },
+    jti: uuidv4(),
     tokenRequest: {
       method: "POST",
       url: issuerConf.token_endpoint,
     },
   });
-  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
-    .payload.cnf.jwk.kid;
-  const signedWiaPoP = await createPopToken(
-    {
-      jti: uuidv4(),
-      aud: issuerConf.credential_issuer,
-      iss,
+  const clientAttestationDPoP = await createClientAttestationPopJwt({
+    config: sdkConfigV1_3,
+    callbacks: {
+      generateRandom: partialCallbacks.generateRandom,
+      signJwt: createSignJwtFromCryptoContext(wiaCryptoContext),
     },
-    wiaCryptoContext
-  );
+    clientAttestation: walletInstanceAttestation,
+    authorizationServer: issuerConf.credential_issuer,
+    signer: {
+      method: "jwk",
+      alg: "ES256",
+      publicJwk: await wiaCryptoContext.getPublicKey(),
+    },
+  });
   const tokenResponse = await fetchTokenResponse({
     accessTokenEndpoint: issuerConf.token_endpoint,
@@ -61,7 +66,7 @@ export const authorizeAccess: IssuanceApi["authorizeAccess"] = async (
     },
     walletAttestation: walletInstanceAttestation,
     dPoP: tokenDPoP.jwt,
-    clientAttestationDPoP: signedWiaPoP,
+    clientAttestationDPoP,
     accessTokenRequest: {
       code,
       grant_type: "authorization_code",

package/src/credential/issuance/v1.3.3/05-obtain-credential.ts CHANGED Viewed

@@ -1,11 +1,16 @@
 import { type CryptoContext, SignJWT } from "@pagopa/io-react-native-jwt";
-import { createTokenDPoP } from "@pagopa/io-wallet-oauth2";
+import {
+  createTokenDPoP,
+  type CallbackContext,
+  type JwtSignerJwk,
+} from "@pagopa/io-wallet-oauth2";
 import {
   fetchCredentialResponse,
   createCredentialRequest,
 } from "@pagopa/io-wallet-oid4vci";
 import { UnexpectedStatusCodeError as SdkUnexpectedStatusCodeError } from "@pagopa/io-wallet-utils";
-import { hasStatusOrThrow } from "../../../utils/misc";
+import { v4 as uuidv4 } from "uuid";
+import { hasStatusOrThrow, type Out } from "../../../utils/misc";
 import {
   IoWalletError,
   IssuerResponseError,
@@ -15,126 +20,116 @@ import {
 } from "../../../utils/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
 import { sdkConfigV1_3 } from "../../../utils/config";
-import { partialCallbacks } from "../../../utils/callbacks";
-import type { IssuanceApi } from "../api";
+import {
+  createSignJwtFromCryptoContext,
+  partialCallbacks,
+} from "../../../utils/callbacks";
+import type { IssuanceApi, IssuerConfig } from "../api";
 import { NonceResponse } from "./types";
+import type { AuthorizeAccessApi } from "../api/04-authorize-access";
-export const createNonceProof = async (
-  nonce: string,
-  issuer: string,
-  audience: string,
-  ctx: CryptoContext
-): Promise<string> => {
-  const jwk = await ctx.getPublicKey();
-  return new SignJWT(ctx)
-    .setPayload({
-      nonce,
-    })
-    .setProtectedHeader({
-      typ: "openid4vci-proof+jwt",
-      jwk,
-    })
-    .setAudience(audience)
-    .setIssuer(issuer)
-    .setIssuedAt()
-    .setExpirationTime("5min")
-    .sign();
+type CreateRequestParams = {
+  clientId: string;
+  credentialIdentifier: string;
+  accessToken: Out<AuthorizeAccessApi["authorizeAccess"]>["accessToken"];
+  issuerConf: IssuerConfig;
+  dPopCryptoContext: CryptoContext;
+  credentialCryptoContexts: CryptoContext[];
+  keyAttestationJwt: string;
+  appFetch?: GlobalFetch["fetch"];
 };
-export const obtainCredential: IssuanceApi["obtainCredential"] = async (
+/**
+ * Helper to create a credential request and fetch it from the issuer.
+ *
+ * When multiple keys are provided as {@link CryptoContext}, a batch is requested.
+ *
+ * @returns The raw credential response
+ */
+export const requestCredentials = async ({
   issuerConf,
   accessToken,
+  credentialIdentifier,
   clientId,
-  credentialDefinition,
-  context
-) => {
-  const {
-    credentialCryptoContext,
-    dPopCryptoContext,
-    walletUnitAttestation,
-    appFetch = fetch,
-  } = context;
-  if (!walletUnitAttestation) {
-    throw new ValidationFailed({
-      message:
-        "The Wallet Unit Attestation is required to obtain the credential",
-    });
-  }
-  const { credential_configuration_id, credential_identifier } =
-    credentialDefinition;
-  // Fetch the nonce from the Credential Issuer
+  keyAttestationJwt,
+  credentialCryptoContexts,
+  dPopCryptoContext,
+  appFetch = fetch,
+}: CreateRequestParams) => {
   const { c_nonce } = await appFetch(issuerConf.nonce_endpoint, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
   })
     .then(hasStatusOrThrow(200))
     .then((res) => res.json())
-    .then((body) => NonceResponse.parse(body));
+    .then(NonceResponse.parse);
-  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
-  const containsCredentialDefinition = accessToken.authorization_details.some(
-    (c) =>
-      c.credential_configuration_id === credential_configuration_id &&
-      (credential_identifier
-        ? c.credential_identifiers.includes(credential_identifier)
-        : true)
+  const keys = await Promise.all(
+    credentialCryptoContexts.map(async (ctx) => {
+      const publicJwk = await ctx.getPublicKey();
+      return { publicJwk, cryptoContext: ctx };
+    })
   );
-  if (!containsCredentialDefinition) {
-    Logger.log(
-      LogLevel.ERROR,
-      `Credential definition not found in the access token response ${accessToken.authorization_details}`
-    );
-    throw new ValidationFailed({
-      message:
-        "The access token response does not contain the requested credential",
-    });
-  }
+  const signJwt: CallbackContext["signJwt"] = async (
+    jwtSigner,
+    { header, payload }
+  ) => {
+    if (jwtSigner.method !== "jwk") {
+      throw new IoWalletError(`Unsupported signer method: ${jwtSigner.method}`);
+    }
-  const signerJwk = await credentialCryptoContext.getPublicKey();
+    const { cryptoContext } =
+      keys.find(({ publicJwk }) => publicJwk.kid === jwtSigner.publicJwk.kid) ??
+      {};
+    if (!cryptoContext) {
+      throw new IoWalletError(
+        `Could not find CryptoContext for key ${jwtSigner.publicJwk.kid}`
+      );
+    }
+    return {
+      jwt: await new SignJWT(cryptoContext)
+        .setProtectedHeader(header)
+        .setPayload(payload)
+        .sign(),
+      signerJwk: jwtSigner.publicJwk,
+    };
+  };
+  const signers = keys.map<JwtSignerJwk>(({ publicJwk }) => ({
+    alg: "ES256",
+    method: "jwk",
+    publicJwk,
+  }));
   const credentialRequest = await createCredentialRequest({
     config: sdkConfigV1_3,
     callbacks: {
       hash: partialCallbacks.hash,
-      signJwt: async (_, payload) => ({
-        jwt: await new SignJWT(credentialCryptoContext)
-          .setPayload(payload)
-          .sign(),
-        signerJwk,
-      }),
+      signJwt,
     },
     clientId,
-    credential_identifier: credentialDefinition.credential_identifier!,
+    credential_identifier: credentialIdentifier,
     issuerIdentifier: issuerConf.credential_issuer,
+    maxBatchSize: issuerConf.credential_issuance_batch_size,
     nonce: c_nonce,
-    keyAttestation: walletUnitAttestation,
-    signers: [
-      {
-        alg: "ES256",
-        method: "jwk",
-        publicJwk: signerJwk,
-      },
-    ],
+    keyAttestation: keyAttestationJwt,
+    signers,
   });
-  const dPopSignerJwk = await dPopCryptoContext.getPublicKey();
   const credentialDPoP = await createTokenDPoP({
     callbacks: {
       ...partialCallbacks,
-      signJwt: async (_, payload) => ({
-        jwt: await new SignJWT(dPopCryptoContext).setPayload(payload).sign(),
-        signerJwk,
-      }),
+      signJwt: createSignJwtFromCryptoContext(dPopCryptoContext),
     },
     signer: {
       method: "jwk",
       alg: "ES256",
-      publicJwk: dPopSignerJwk,
+      publicJwk: await dPopCryptoContext.getPublicKey(),
     },
+    jti: uuidv4(),
     tokenRequest: {
       method: "POST",
       url: issuerConf.credential_endpoint,
@@ -142,7 +137,7 @@ export const obtainCredential: IssuanceApi["obtainCredential"] = async (
     accessToken: accessToken.access_token,
   });
-  const credentialRes = await fetchCredentialResponse({
+  return await fetchCredentialResponse({
     callbacks: {
       fetch: appFetch,
     },
@@ -151,6 +146,61 @@ export const obtainCredential: IssuanceApi["obtainCredential"] = async (
     accessToken: accessToken.access_token,
     dPoP: credentialDPoP.jwt,
   }).catch(handleObtainCredentialError);
+};
+export const obtainCredential: IssuanceApi["obtainCredential"] = async (
+  issuerConf,
+  accessToken,
+  clientId,
+  credentialDefinition,
+  context
+) => {
+  const {
+    credentialCryptoContext,
+    dPopCryptoContext,
+    walletUnitAttestation,
+    appFetch = fetch,
+  } = context;
+  if (!walletUnitAttestation) {
+    throw new ValidationFailed({
+      message:
+        "The Wallet Unit Attestation is required to obtain the credential",
+    });
+  }
+  const { credential_configuration_id, credential_identifier } =
+    credentialDefinition;
+  // Validation of accessTokenResponse.authorization_details if contain credentialDefinition
+  const containsCredentialDefinition = accessToken.authorization_details.some(
+    (c) =>
+      c.credential_configuration_id === credential_configuration_id &&
+      (credential_identifier
+        ? c.credential_identifiers.includes(credential_identifier)
+        : true)
+  );
+  if (!containsCredentialDefinition) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Credential definition not found in the access token response ${accessToken.authorization_details}`
+    );
+    throw new ValidationFailed({
+      message:
+        "The access token response does not contain the requested credential",
+    });
+  }
+  const credentialRes = await requestCredentials({
+    issuerConf,
+    accessToken,
+    clientId,
+    credentialCryptoContexts: [credentialCryptoContext],
+    credentialIdentifier: credential_identifier!,
+    dPopCryptoContext,
+    keyAttestationJwt: walletUnitAttestation,
+    appFetch,
+  });
   Logger.log(
     LogLevel.DEBUG,
@@ -172,6 +222,51 @@ export const obtainCredential: IssuanceApi["obtainCredential"] = async (
   };
 };
+export const obtainCredentialsBatch: IssuanceApi["obtainCredentialsBatch"] =
+  async (issuerConf, accessToken, clientId, credentialDefinition, context) => {
+    const {
+      credentialCryptoContexts,
+      dPopCryptoContext,
+      walletUnitAttestation,
+      appFetch = fetch,
+    } = context;
+    if (!walletUnitAttestation) {
+      throw new ValidationFailed({
+        message:
+          "The Wallet Unit Attestation is required to obtain the credential",
+      });
+    }
+    const { credential_configuration_id, credential_identifier } =
+      credentialDefinition;
+    const credentialRes = await requestCredentials({
+      issuerConf,
+      accessToken,
+      clientId,
+      credentialCryptoContexts,
+      credentialIdentifier: credential_identifier,
+      dPopCryptoContext,
+      keyAttestationJwt: walletUnitAttestation,
+      appFetch,
+    });
+    // Extract the format corresponding to the credential_configuration_id used
+    const issuerCredentialConfig =
+      issuerConf.credential_configurations_supported[
+        credential_configuration_id
+      ];
+    if ("transaction_id" in credentialRes) {
+      throw new IoWalletError("Deferred issuance is not currently supported");
+    }
+    return credentialRes.credentials.map(({ credential }) => ({
+      credential,
+      format: issuerCredentialConfig!.format,
+    }));
+  };
 /**
  * Handle the credential error by mapping it to a custom exception.
  * If the error is not an instance of {@link SdkUnexpectedStatusCodeError}, it is thrown as is.