@pagopa/io-react-native-wallet 3.2.0 → 3.4.0

package/src/credential/issuance/api/03-complete-user-authorization.ts

@@ -39,10 +39,32 @@ export interface CompleteUserAuthorizationApi {
    * @param authRedirectUrl The URL to which the end user should be redirected to start the authentication flow
    * @returns the authorization response which contains code, state and iss
    */
-  completeUserAuthorizationWithQueryMode(
+  completePidUserAuthorizationWithQueryMode(
     authRedirectUrl: string
   ): Promise<AuthorizationResult>;
 
+  /**
+   * Complete user authorization when the response mode is "query" and the requested credential is an Electronic Attestation of Attributes (EAA).
+   * This type of credentials requires a PID to be presented to complete the authorization process and then obtain an access token.
+   * @since 1.3.3
+   *
+   * @param requestObject The request object containing the necessary parameters for authorization.
+   * @param issuerConfig The issuer configuration returned by {@link evaluateIssuerTrust}
+   * @param pid The PID to present as a tuple [keyTag, credential].
+   * @param redirectUri The client redirect URI to which the authorization server will redirect after completing the authorization process.
+   * @param appFetch (optional) fetch api implementation. Default: built-in fetch
+   * @returns The authorization response which contains code, state and iss
+   */
+  completeEaaUserAuthorizationWithQueryMode(
+    requestObject: RequestObject,
+    issuerConf: IssuerConfig,
+    pid: [keyTag: string, credential: string],
+    redirectUri: string,
+    context?: {
+      appFetch?: GlobalFetch["fetch"];
+    }
+  ): Promise<AuthorizationResult>;
+
   /**
    * WARNING: This function must be called after {@link getRequestedCredentialToBePresented}. The next function to be called is {@link authorizeAccess}.
    *
@@ -51,8 +73,8 @@ export interface CompleteUserAuthorizationApi {
    * Following this,the redirect_uri from the response is used to obtain the final authorization response.
    * @since 1.0.0
    *
-   * @param requestObject - The request object containing the necessary parameters for authorization.
-   * @param pid The `PID` that must be presented for the issuance of credentials.
+   * @param requestObject The request object containing the necessary parameters for authorization.
+   * @param pid The PID to present as a tuple [keyTag, credential].
    * @param appFetch (optional) fetch api implementation. Default: built-in fetch
    * @returns the authorization response which contains code, state and iss
    * @throws {ValidationFailed} if an error while validating the response
@@ -60,10 +82,9 @@ export interface CompleteUserAuthorizationApi {
   completeUserAuthorizationWithFormPostJwtMode(
     requestObject: RequestObject,
     issuerConf: IssuerConfig,
-    pid: string,
+    pid: [keyTag: string, credential: string],
     context: {
       wiaCryptoContext: CryptoContext;
-      pidKeyTag: string;
       appFetch?: GlobalFetch["fetch"];
     }
   ): Promise<AuthorizationResult>;

package/src/credential/issuance/api/06-verify-and-parse-credential.ts

@@ -32,6 +32,10 @@ export interface VerifyAndParseCredentialApi {
        * Include attributes that are not explicitly mapped in the issuer configuration.
        */
       includeUndefinedAttributes?: boolean;
+      /**
+       * Validate the certificate chain of the credential against the provided `x509CertRoot`.
+       */
+      validateCertificateChain?: boolean;
     },
     x509CertRoot?: string
   ): Promise<{

package/src/credential/issuance/api/IssuerConfig.ts

@@ -60,6 +60,7 @@ export const IssuerConfig = z.object({
   credential_configurations_supported: z.record(z.string(), CredentialConfig),
   federation_entity: FederationEntityMetadata,
   credential_issuance_batch_size: z.number().optional(),
+  encrypted_response_enc_values_supported: z.array(z.string()).optional(),
   /**
    * @deprecated
    */

package/src/credential/issuance/common/02-start-user-authorization.ts

@@ -1,3 +1,4 @@
+import { IoWalletError } from "../../../utils/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
 import { AuthorizationDetail } from "../../../utils/par";
 import type { IssuerConfig } from "../api";
@@ -30,7 +31,7 @@ export const selectCredentialDefinition = (
       LogLevel.ERROR,
       `Requested credential ${credentialId} is not supported by the issuer according to its configuration ${JSON.stringify(credential_configurations_supported)}`
     );
-    throw new Error(`No credential support the type '${credentialId}'`);
+    throw new IoWalletError(`No credential support the type '${credentialId}'`);
   }
   return result;
 };
@@ -61,7 +62,7 @@ export const selectResponseMode = (
       LogLevel.ERROR,
       `${credentialIds} have incompatible response_mode: ${[...responseModeSet.values()]}`
     );
-    throw new Error(
+    throw new IoWalletError(
       "Requested credentials have incompatible response_mode and cannot be requested with the same PAR request"
     );
   }
@@ -79,7 +80,9 @@ export const selectResponseMode = (
       LogLevel.ERROR,
       `Requested response mode ${responseMode} is not supported by the issuer according to its configuration ${JSON.stringify(responseModeSupported)}`
     );
-    throw new Error(`No response mode support for IDs '${credentialIds}'`);
+    throw new IoWalletError(
+      `No response mode support for IDs '${credentialIds}'`
+    );
   }
 
   return responseMode!;

package/src/credential/issuance/common/06-verify-and-parse-credential.sdjwt.ts

@@ -1,16 +1,18 @@
 import {
-  getJwkFromHeader,
   type CryptoContext,
-  decode,
+  verify as verifyJwt,
 } from "@pagopa/io-react-native-jwt";
-import { type SDJwt, SDJwtInstance } from "@sd-jwt/core";
-import { digest, ES256 } from "@sd-jwt/crypto-nodejs";
+import { type SDJwt, type VerifierOptions, SDJwtInstance } from "@sd-jwt/core";
+import { digest } from "@sd-jwt/crypto-nodejs";
+import type { Verifier } from "@sd-jwt/types";
 import { isPathEqual, isPrefixOf } from "../../../utils/parser";
 import { IoWalletError } from "../../../utils/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
 import { isSameThumbprint, type JWK } from "../../../utils/jwk";
 import type { SdJwt4VCBase } from "../../../sd-jwt/types";
 import { fixLegacyCredentialSdJwt } from "../../../utils/credentials";
+import { verifyX509Chain } from "../../../utils/x509";
+import { MissingX509CertsError } from "../../../trust/common/errors";
 import type { IssuanceApi, IssuerConfig, ParsedCredential } from "../api";
 
 type CredentialConf =
@@ -151,6 +153,31 @@ const parseCredentialSdJwt = (
   return processLevel(parsedCredentialRaw, []) as ParsedCredential;
 };
 
+type SdJwtInstanceVerifier = Verifier<VerifierOptions & { issuerKeys: JWK[] }>;
+
+/**
+ * JWT verifier implementing the interface expected by the SD-JWT library.
+ * Verification is delegated to `io-react-native-jwt` to leverage its support for multiple algorithms.
+ * @returns Boolean indicating whether the verification succeeded or not
+ */
+const sdJwtInstanceVerifier: SdJwtInstanceVerifier = async (
+  data,
+  signature,
+  options
+) => {
+  if (!options?.issuerKeys) {
+    return false;
+  }
+  try {
+    await verifyJwt(`${data}.${signature}`, options.issuerKeys, {
+      clockTolerance: options.skewSeconds,
+    });
+    return true;
+  } catch {
+    return false;
+  }
+};
+
 /**
  * Given a credential, verify it's in the supported format
  * and the credential is correctly signed
@@ -171,16 +198,13 @@ async function verifyCredentialSdJwt(
   issuerKeys: JWK[],
   holderBindingContext: CryptoContext
 ): Promise<SDJwt> {
-  const { protectedHeader } = decode(rawCredential);
-  const verifierJwk = getJwkFromHeader(protectedHeader, issuerKeys);
-
   const sdJwtInstance = new SDJwtInstance({
     hasher: digest,
-    verifier: await ES256.getVerifier(verifierJwk),
+    verifier: sdJwtInstanceVerifier,
   });
 
   const [verifiedCredential, holderBindingKey] = await Promise.all([
-    sdJwtInstance.verify(rawCredential),
+    sdJwtInstance.verify(rawCredential, { issuerKeys, skewSeconds: 30 }),
     holderBindingContext.getPublicKey(),
   ]);
 
@@ -203,7 +227,9 @@ export const verifyAndParseCredentialSdJwt: IssuanceApi["verifyAndParseCredentia
       credentialCryptoContext,
       ignoreMissingAttributes,
       includeUndefinedAttributes,
-    }
+      validateCertificateChain,
+    },
+    x509CertRoot
   ) => {
     const decoded = await verifyCredentialSdJwt(
       credential,
@@ -216,6 +242,17 @@ export const verifyAndParseCredentialSdJwt: IssuanceApi["verifyAndParseCredentia
       `Decoded credential: ${JSON.stringify(decoded)}`
     );
 
+    if (validateCertificateChain) {
+      if (!x509CertRoot) {
+        throw new IoWalletError("Missing x509CertRoot");
+      }
+      const x5c = decoded.jwt?.header?.x5c as string[] | undefined;
+      if (!x5c || !Array.isArray(x5c) || x5c.length === 0) {
+        throw new MissingX509CertsError("Missing x509 certificates");
+      }
+      await verifyX509Chain(x5c, x509CertRoot);
+    }
+
     const credentialConfig =
       issuerConf.credential_configurations_supported[credentialConfigurationId];
 

package/src/credential/issuance/mrtd-pop/02-init-challenge.ts

@@ -1,61 +1,85 @@
-import { v4 as uuidv4 } from "uuid";
-import { fetchMrtdPopInit } from "@pagopa/io-wallet-oauth2";
-import { UnexpectedStatusCodeError as SdkUnexpectedStatusCodeError } from "@pagopa/io-wallet-utils";
-import { createPopToken } from "../../../utils/pop";
+import {
+  createClientAttestationPopJwt,
+  fetchMrtdPopInit,
+} from "@pagopa/io-wallet-oauth2";
+import {
+  IoWalletSdkConfig,
+  UnexpectedStatusCodeError as SdkUnexpectedStatusCodeError,
+} from "@pagopa/io-wallet-utils";
 import { Logger, LogLevel } from "../../../utils/logging";
-import * as WalletInstanceAttestation from "../../../wallet-instance-attestation/v1.0.0/utils"; // TODO: decouple from version 1.0.0
 import {
   IssuerResponseError,
   IssuerResponseErrorCodes,
   ResponseErrorBuilder,
 } from "../../../utils/errors";
 import type { MRTDPoPApi } from "../api/mrtd-pop";
-import { createVerifyJwtFromJwks } from "../../../utils/callbacks";
+import {
+  createSignJwtFromCryptoContext,
+  createVerifyJwtFromJwks,
+  partialCallbacks,
+} from "../../../utils/callbacks";
 
-export const initChallenge: MRTDPoPApi["initChallenge"] = async (
-  issuerConf,
-  initUrl,
-  mrtd_auth_session,
-  mrtd_pop_jwt_nonce,
-  context
-) => {
-  const {
-    appFetch = fetch,
-    walletInstanceAttestation,
-    wiaCryptoContext,
-  } = context;
+type Config = {
+  sdkConfig: IoWalletSdkConfig;
+};
 
-  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
-    .payload.cnf.jwk.kid;
+/**
+ * Factory function to create `initChallenge` for MRTD PoP flow.
+ * The factory is needed to inject version specific SDK configuration.
+ * @param config Configuration object containing the IO Wallet SDK configuration
+ * @returns `initChallenge` function compliant with the public API
+ */
+export function createInitChallenge(
+  config: Config
+): MRTDPoPApi["initChallenge"] {
+  return async function initChallenge(
+    issuerConf,
+    initUrl,
+    mrtd_auth_session,
+    mrtd_pop_jwt_nonce,
+    context
+  ) {
+    const {
+      appFetch = fetch,
+      walletInstanceAttestation,
+      wiaCryptoContext,
+    } = context;
 
-  const signedWiaPoP = await createPopToken(
-    {
-      jti: uuidv4(),
-      aud: issuerConf.credential_issuer,
-      iss,
-    },
-    wiaCryptoContext
-  );
+    const clientAttestationDPoP = await createClientAttestationPopJwt({
+      config: config.sdkConfig,
+      callbacks: {
+        generateRandom: partialCallbacks.generateRandom,
+        signJwt: createSignJwtFromCryptoContext(wiaCryptoContext),
+      },
+      clientAttestation: walletInstanceAttestation,
+      authorizationServer: issuerConf.credential_issuer,
+      signer: {
+        method: "jwk",
+        alg: "ES256",
+        publicJwk: await wiaCryptoContext.getPublicKey(),
+      },
+    });
 
-  const initResult = await fetchMrtdPopInit({
-    popInitEndpoint: initUrl,
-    mrtdAuthSession: mrtd_auth_session,
-    mrtdPopJwtNonce: mrtd_pop_jwt_nonce,
-    walletAttestation: walletInstanceAttestation,
-    clientAttestationDPoP: signedWiaPoP,
-    callbacks: {
-      verifyJwt: createVerifyJwtFromJwks(issuerConf.keys),
-      fetch: appFetch,
-    },
-  }).catch(handleInitChallengeError);
+    const initResult = await fetchMrtdPopInit({
+      popInitEndpoint: initUrl,
+      mrtdAuthSession: mrtd_auth_session,
+      mrtdPopJwtNonce: mrtd_pop_jwt_nonce,
+      walletAttestation: walletInstanceAttestation,
+      clientAttestationDPoP,
+      callbacks: {
+        verifyJwt: createVerifyJwtFromJwks(issuerConf.keys),
+        fetch: appFetch,
+      },
+    }).catch(handleInitChallengeError);
 
-  return {
-    challenge: initResult.challenge,
-    mrtd_pop_nonce: initResult.mrtdPopNonce,
-    pop_verify_endpoint: initResult.popVerifyEndpoint,
-    mrz: initResult.mrz,
+    return {
+      challenge: initResult.challenge,
+      mrtd_pop_nonce: initResult.mrtdPopNonce,
+      pop_verify_endpoint: initResult.popVerifyEndpoint,
+      mrz: initResult.mrz,
+    };
   };
-};
+}
 
 const handleInitChallengeError = (e: unknown) => {
   Logger.log(LogLevel.ERROR, `Failed to get MRTD challenge: ${e}`);

package/src/credential/issuance/mrtd-pop/03-validate-challenge.ts

@@ -1,76 +1,98 @@
 import { SignJWT } from "@pagopa/io-react-native-jwt";
-import { fetchMrtdPopVerify } from "@pagopa/io-wallet-oauth2";
-import { v4 as uuidv4 } from "uuid";
-import { createPopToken } from "../../../utils/pop";
-import * as WalletInstanceAttestation from "../../../wallet-instance-attestation/v1.0.0/utils"; // TODO: decouple from 1.0.0 version
+import {
+  createClientAttestationPopJwt,
+  fetchMrtdPopVerify,
+} from "@pagopa/io-wallet-oauth2";
+import type { IoWalletSdkConfig } from "@pagopa/io-wallet-utils";
 import { sdkUnexpectedStatusCodeToIssuerError } from "../../../utils/errors";
-import { partialCallbacks } from "../../../utils/callbacks";
+import {
+  createSignJwtFromCryptoContext,
+  partialCallbacks,
+} from "../../../utils/callbacks";
 import type { MRTDPoPApi } from "../api/mrtd-pop";
 
-export const validateChallenge: MRTDPoPApi["validateChallenge"] = async (
-  issuerConf,
-  verifyUrl,
-  mrtd_auth_session,
-  mrtd_pop_nonce,
-  mrtd,
-  ias,
-  context
-) => {
-  const {
-    appFetch = fetch,
-    walletInstanceAttestation,
-    wiaCryptoContext,
-  } = context;
+type Config = {
+  sdkConfig: IoWalletSdkConfig;
+};
+
+/**
+ * Factory function to create `validateChallenge` for MRTD PoP flow.
+ * The factory is needed to inject version specific SDK configuration.
+ * @param config Configuration object containing the IO Wallet SDK configuration
+ * @returns `validateChallenge` function compliant with the public API
+ */
+export function createValidateChallenge(
+  config: Config
+): MRTDPoPApi["validateChallenge"] {
+  return async function validateChallenge(
+    issuerConf,
+    verifyUrl,
+    mrtd_auth_session,
+    mrtd_pop_nonce,
+    mrtd,
+    ias,
+    context
+  ) {
+    const {
+      appFetch = fetch,
+      walletInstanceAttestation,
+      wiaCryptoContext,
+    } = context;
 
-  const aud = issuerConf.credential_issuer;
-  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
-    .payload.cnf.jwk.kid;
+    const aud = issuerConf.credential_issuer;
 
-  const signedWiaPoP = await createPopToken(
-    {
-      jti: uuidv4(),
-      aud,
-      iss,
-    },
-    wiaCryptoContext
-  );
+    const wiaPublicJwk = await wiaCryptoContext.getPublicKey();
 
-  const { kid } = await wiaCryptoContext.getPublicKey();
+    const clientAttestationDPoP = await createClientAttestationPopJwt({
+      config: config.sdkConfig,
+      callbacks: {
+        generateRandom: partialCallbacks.generateRandom,
+        signJwt: createSignJwtFromCryptoContext(wiaCryptoContext),
+      },
+      clientAttestation: walletInstanceAttestation,
+      authorizationServer: aud,
+      signer: {
+        method: "jwk",
+        alg: "ES256",
+        publicJwk: wiaPublicJwk,
+      },
+    });
 
-  const mrtdValidationJwt = await new SignJWT(wiaCryptoContext)
-    .setProtectedHeader({
-      typ: "mrtd-ias+jwt",
-      kid,
-    })
-    .setPayload({
-      iss,
-      aud,
-      document_type: "cie",
-      mrtd,
-      ias,
-    })
-    .setIssuedAt()
-    .setExpirationTime("5m")
-    .sign();
+    const mrtdValidationJwt = await new SignJWT(wiaCryptoContext)
+      .setProtectedHeader({
+        typ: "mrtd-ias+jwt",
+        kid: wiaPublicJwk.kid,
+      })
+      .setPayload({
+        iss: wiaPublicJwk.kid,
+        aud,
+        document_type: "cie",
+        mrtd,
+        ias,
+      })
+      .setIssuedAt()
+      .setExpirationTime("5m")
+      .sign();
 
-  const verifyResult = await fetchMrtdPopVerify({
-    popVerifyEndpoint: verifyUrl,
-    mrtdAuthSession: mrtd_auth_session,
-    mrtdPopNonce: mrtd_pop_nonce,
-    clientAttestationDPoP: signedWiaPoP,
-    mrtdValidationJwt,
-    walletAttestation: walletInstanceAttestation,
-    callbacks: {
-      fetch: appFetch,
-      ...partialCallbacks,
-    },
-  }).catch(sdkUnexpectedStatusCodeToIssuerError);
+    const verifyResult = await fetchMrtdPopVerify({
+      popVerifyEndpoint: verifyUrl,
+      mrtdAuthSession: mrtd_auth_session,
+      mrtdPopNonce: mrtd_pop_nonce,
+      clientAttestationDPoP,
+      mrtdValidationJwt,
+      walletAttestation: walletInstanceAttestation,
+      callbacks: {
+        fetch: appFetch,
+        ...partialCallbacks,
+      },
+    }).catch(sdkUnexpectedStatusCodeToIssuerError);
 
-  return {
-    redirect_uri: verifyResult.redirectUri,
-    mrtd_val_pop_nonce: verifyResult.mrtdValPopNonce,
+    return {
+      redirect_uri: verifyResult.redirectUri,
+      mrtd_val_pop_nonce: verifyResult.mrtdValPopNonce,
+    };
   };
-};
+}
 
 export const buildChallengeCallbackUrl: MRTDPoPApi["buildChallengeCallbackUrl"] =
   async (redirectUri, valPopNonce, authSession) => {

package/src/credential/issuance/mrtd-pop/index.ts

@@ -1,14 +1,22 @@
+import { sdkConfigV1_0, sdkConfigV1_3 } from "../../../utils/config";
 import type { MRTDPoPApi } from "../api/mrtd-pop";
 import { verifyAndParseChallengeInfo } from "./01-verify-and-parse-challenge-info";
-import { initChallenge } from "./02-init-challenge";
+import { createInitChallenge } from "./02-init-challenge";
 import {
-  validateChallenge,
+  createValidateChallenge,
   buildChallengeCallbackUrl,
 } from "./03-validate-challenge";
 
-export const MRTDPoP: MRTDPoPApi = {
+export const MRTDPoPv1_0: MRTDPoPApi = {
   verifyAndParseChallengeInfo,
-  initChallenge,
-  validateChallenge,
+  initChallenge: createInitChallenge({ sdkConfig: sdkConfigV1_0 }),
+  validateChallenge: createValidateChallenge({ sdkConfig: sdkConfigV1_0 }),
+  buildChallengeCallbackUrl,
+};
+
+export const MRTDPoPv1_3: MRTDPoPApi = {
+  verifyAndParseChallengeInfo,
+  initChallenge: createInitChallenge({ sdkConfig: sdkConfigV1_3 }),
+  validateChallenge: createValidateChallenge({ sdkConfig: sdkConfigV1_3 }),
   buildChallengeCallbackUrl,
 };

package/src/credential/issuance/v1.0.0/02-start-user-authorization.ts

@@ -6,7 +6,7 @@ import type { IssuanceApi } from "../api";
 import {
   selectCredentialDefinition,
   selectResponseMode,
-} from "../common/authorization";
+} from "../common/02-start-user-authorization";
 
 export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
   async (issuerConf, credentialIds, proof, ctx) => {
@@ -64,5 +64,11 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       }
     );
 
-    return { issuerRequestUri, clientId, codeVerifier, credentialDefinition };
+    return {
+      issuerRequestUri,
+      clientId,
+      codeVerifier,
+      credentialDefinition,
+      responseMode,
+    };
   };

package/src/credential/issuance/v1.0.0/03-complete-user-authorization.ts

@@ -7,7 +7,11 @@ import {
 import { hasStatusOrThrow } from "../../../utils/misc";
 import parseUrl from "parse-url";
 import type { DcqlQuery } from "dcql";
-import { IssuerResponseError, ValidationFailed } from "../../../utils/errors";
+import {
+  IssuerResponseError,
+  UnimplementedFeatureError,
+  ValidationFailed,
+} from "../../../utils/errors";
 import {
   decode,
   SignJWT,
@@ -70,7 +74,7 @@ export const buildAuthorizationUrl: IssuanceApi["buildAuthorizationUrl"] =
     return { authUrl };
   };
 
-export const completeUserAuthorizationWithQueryMode: IssuanceApi["completeUserAuthorizationWithQueryMode"] =
+export const completePidUserAuthorizationWithQueryMode: IssuanceApi["completePidUserAuthorizationWithQueryMode"] =
   async (authRedirectUrl) => {
     Logger.log(
       LogLevel.DEBUG,
@@ -81,6 +85,14 @@ export const completeUserAuthorizationWithQueryMode: IssuanceApi["completeUserAu
     return parseAuthorizationResponse(query);
   };
 
+export const completeEaaUserAuthorizationWithQueryMode: IssuanceApi["completeEaaUserAuthorizationWithQueryMode"] =
+  () => {
+    throw new UnimplementedFeatureError(
+      "completeEaaUserAuthorizationWithQueryMode",
+      "1.0.0"
+    );
+  };
+
 export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCredentialToBePresented"] =
   async (issuerRequestUri, clientId, issuerConf, appFetch = fetch) => {
     Logger.log(
@@ -130,7 +142,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
     requestObject,
     _issuerConfig,
     pid,
-    { wiaCryptoContext, pidKeyTag, appFetch = fetch }
+    { wiaCryptoContext, appFetch = fetch }
   ) => {
     Logger.log(
       LogLevel.DEBUG,
@@ -139,7 +151,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
 
     const dcqlQueryResult = await RemotePresentationFlow.evaluateDcqlQuery(
       requestObject.dcql_query as DcqlQuery,
-      [[pidKeyTag, pid]]
+      [pid]
     );
 
     const authRequestObject = {

package/src/credential/issuance/v1.0.0/index.ts

@@ -3,7 +3,8 @@ import { evaluateIssuerTrust } from "./01-evaluate-issuer-trust";
 import { startUserAuthorization } from "./02-start-user-authorization";
 import {
   continueUserAuthorizationWithMRTDPoPChallenge,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   completeUserAuthorizationWithFormPostJwtMode,
   buildAuthorizationUrl,
   getRequestedCredentialToBePresented,
@@ -14,13 +15,14 @@ import {
   obtainCredentialsBatch,
 } from "./05-obtain-credential";
 import { verifyAndParseCredential } from "./06-verify-and-parse-credential";
-import { MRTDPoP } from "../mrtd-pop";
+import { MRTDPoPv1_0 } from "../mrtd-pop";
 
 export const Issuance: IssuanceApi = {
   evaluateIssuerTrust,
   startUserAuthorization,
   buildAuthorizationUrl,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   continueUserAuthorizationWithMRTDPoPChallenge,
   getRequestedCredentialToBePresented,
   completeUserAuthorizationWithFormPostJwtMode,
@@ -28,5 +30,5 @@ export const Issuance: IssuanceApi = {
   obtainCredential,
   obtainCredentialsBatch,
   verifyAndParseCredential,
-  MRTDPoP,
+  MRTDPoP: MRTDPoPv1_0,
 };