@pagopa/io-react-native-wallet 3.2.0 → 3.4.0

package/src/credential/issuance/v1.0.0/mappers.ts

@@ -9,6 +9,7 @@ export const mapToIssuerConfig = createMapper<
   const {
     oauth_authorization_server,
     openid_credential_issuer,
+    openid_credential_verifier,
     federation_entity,
   } = x.payload.metadata;
   return {
@@ -17,7 +18,10 @@ export const mapToIssuerConfig = createMapper<
     credential_issuer: openid_credential_issuer.credential_issuer,
     credential_configurations_supported:
       openid_credential_issuer.credential_configurations_supported,
-    keys: openid_credential_issuer.jwks.keys,
+    keys: [
+      ...openid_credential_issuer.jwks.keys,
+      ...oauth_authorization_server.jwks.keys,
+    ],
     pushed_authorization_request_endpoint:
       oauth_authorization_server.pushed_authorization_request_endpoint,
     token_endpoint: oauth_authorization_server.token_endpoint,
@@ -25,5 +29,9 @@ export const mapToIssuerConfig = createMapper<
       openid_credential_issuer.status_attestation_endpoint,
     nonce_endpoint: openid_credential_issuer.nonce_endpoint,
     federation_entity,
+    encrypted_response_enc_values_supported:
+      openid_credential_verifier?.authorization_encrypted_response_enc
+        ? [openid_credential_verifier.authorization_encrypted_response_enc]
+        : undefined,
   };
 });

package/src/credential/issuance/v1.3.3/01-evaluate-issuer-trust.ts

@@ -2,7 +2,6 @@ import {
   fetchMetadata,
   type MetadataResponseV1_3,
 } from "@pagopa/io-wallet-oid4vci";
-import { partialCallbacks } from "../../../utils/callbacks";
 import { sdkConfigV1_3 } from "../../../utils/config";
 import type { IssuanceApi } from "../api";
 import { mapToIssuerConfig } from "./mappers";
@@ -15,7 +14,6 @@ export const evaluateIssuerTrust: IssuanceApi["evaluateIssuerTrust"] = async (
     config: sdkConfigV1_3,
     credentialIssuerUrl: issuerUrl,
     callbacks: {
-      ...partialCallbacks,
       fetch: context.appFetch,
     },
   })) as MetadataResponseV1_3;

package/src/credential/issuance/v1.3.3/02-start-user-authorization.ts

@@ -3,16 +3,17 @@ import {
   fetchPushedAuthorizationResponse,
   createClientAttestationPopJwt,
 } from "@pagopa/io-wallet-oauth2";
-import type { CallbackContext } from "@pagopa/io-wallet-oauth2";
+import type { JwtSignerJwk } from "@pagopa/io-wallet-oauth2";
+import { v4 as uuidv4 } from "uuid";
 import { LogLevel, Logger } from "../../../utils/logging";
 import type { IssuanceApi } from "../api";
-import { SignJWT } from "@pagopa/io-react-native-jwt";
-import { partialCallbacks } from "../../../utils/callbacks";
-import { IoWalletError } from "../../../utils/errors";
 import {
-  selectCredentialDefinition,
-  selectResponseMode,
-} from "../common/authorization";
+  createSignJwtFromCryptoContext,
+  partialCallbacks,
+} from "../../../utils/callbacks";
+import { IoWalletError } from "../../../utils/errors";
+import { sdkConfigV1_3 } from "../../../utils/config";
+import { selectCredentialDefinition } from "../common/02-start-user-authorization";
 
 export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
   async (issuerConf, credentialIds, proof, ctx) => {
@@ -33,8 +34,6 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       throw new IoWalletError("No public key found");
     }
 
-    const responseMode = selectResponseMode(issuerConf, credentialIds);
-
     const credentialDefinition = credentialIds.map((c) =>
       selectCredentialDefinition(issuerConf, c)
     );
@@ -54,13 +53,16 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       });
     }
 
-    const signerJwk = await wiaCryptoContext.getPublicKey();
-    const signJwt: CallbackContext["signJwt"] = async (_, payload) => ({
-      jwt: await new SignJWT(wiaCryptoContext).setPayload(payload).sign(),
-      signerJwk,
-    });
+    const wiaSigner: JwtSignerJwk = {
+      method: "jwk",
+      alg: "ES256",
+      publicJwk: await wiaCryptoContext.getPublicKey(),
+    };
+
+    const signJwt = createSignJwtFromCryptoContext(wiaCryptoContext);
 
     const parRequest = await createPushedAuthorizationRequest({
+      config: sdkConfigV1_3,
       callbacks: {
         ...partialCallbacks,
         signJwt,
@@ -68,25 +70,27 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       authorizationServerMetadata: {
         require_signed_request_object: true,
       },
+      jti: uuidv4(),
       clientId,
       audience: issuerConf.credential_issuer,
       authorization_details: credentialDefinition,
       codeChallengeMethodsSupported: ["S256"],
-      responseMode,
       redirectUri,
+      dpop: {
+        signer: wiaSigner,
+      },
     });
 
     const clientAttestationPoP = await createClientAttestationPopJwt({
+      config: sdkConfigV1_3,
       callbacks: {
+        generateRandom: partialCallbacks.generateRandom,
         signJwt,
       },
       clientAttestation: walletInstanceAttestation,
-      authorizationServer: issuerConf.authorization_endpoint,
-      signer: {
-        method: "jwk",
-        alg: "ES256",
-        publicJwk: signerJwk,
-      },
+      authorizationServer: issuerConf.credential_issuer,
+      signer: wiaSigner,
+      jti: uuidv4(),
     });
 
     const { request_uri } = await fetchPushedAuthorizationResponse({

package/src/credential/issuance/v1.3.3/03-complete-user-authorization.ts

@@ -6,30 +6,33 @@ import {
 import parseUrl from "parse-url";
 import type { DcqlQuery } from "dcql";
 import {
-  fetchAuthorizationRequest,
+  createAuthorizationResponse,
   parseAuthorizeRequest,
+  fetchAuthorizationResponse,
+  type CreateAuthorizationResponseResult,
 } from "@pagopa/io-wallet-oid4vp";
 import { sendAuthorizationResponseAndExtractCode } from "@pagopa/io-wallet-oid4vci";
+import type { jsonWebKeySet } from "@pagopa/io-wallet-oid-federation";
 import { parseMrtdChallenge } from "@pagopa/io-wallet-oauth2";
-import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
 import { AuthorizationError, AuthorizationIdpError } from "../common/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
 import { RemotePresentation as RemotePresentationFlow } from "../../presentation/v1.3.3";
-import { partialCallbacks } from "../../../utils/callbacks";
-import { sdkConfigV1_3 } from "../../../utils/config";
 import {
-  IoWalletError,
-  sdkUnexpectedStatusCodeToIssuerError,
-} from "../../../utils/errors";
-import type { IssuanceApi } from "../api";
+  createVerifyJwtFromJwks,
+  partialCallbacks,
+} from "../../../utils/callbacks";
+import { sdkConfigV1_3, sdkConfigV1_4 } from "../../../utils/config";
+import { IoWalletError, IssuerResponseError } from "../../../utils/errors";
+import type { IssuanceApi, IssuerConfig } from "../api";
 import { mapToRequestObject } from "./mappers";
-import type { RemotePresentation } from "../../presentation";
+import type { RequestObject } from "../../presentation";
+import { hasStatusOrThrow } from "../../../utils/misc";
 
 export const continueUserAuthorizationWithMRTDPoPChallenge: IssuanceApi["continueUserAuthorizationWithMRTDPoPChallenge"] =
   async (authRedirectUrl) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requested credential is a PersonIdentificationData and requires MRTD PoP, starting MRTD PoP validation from auth redirect`
+      "The requested credential is a PID and requires MRTD PoP, starting MRTD PoP validation from auth redirect"
     );
     try {
       const parsedChallenge = parseMrtdChallenge({
@@ -65,11 +68,11 @@ export const buildAuthorizationUrl: IssuanceApi["buildAuthorizationUrl"] =
     return { authUrl };
   };
 
-export const completeUserAuthorizationWithQueryMode: IssuanceApi["completeUserAuthorizationWithQueryMode"] =
+export const completePidUserAuthorizationWithQueryMode: IssuanceApi["completePidUserAuthorizationWithQueryMode"] =
   async (authRedirectUrl) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requested credential is a PersonIdentificationData, completing the user authorization with query mode`
+      "The requested credential is a PID, completing the user authorization with query mode"
     );
     const query = parseUrl(authRedirectUrl).query;
 
@@ -80,7 +83,7 @@ export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCrede
   async (issuerRequestUri, clientId, issuerConf, appFetch = fetch) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requeste credential is not a PersonIdentificationData, requesting the credential to be presented`
+      "The requested credential is not a PID, requesting the credential to be presented"
     );
 
     const authzRequestEndpoint = issuerConf.authorization_endpoint;
@@ -94,61 +97,39 @@ export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCrede
       `Requesting the request object to ${authzRequestEndpoint}?${params.toString()}`
     );
 
-    const authRequest = await fetchAuthorizationRequest({
-      authorizeRequestUrl: `${authzRequestEndpoint}?${params.toString()}`,
-      callbacks: {
-        fetch: appFetch,
-      },
-    }).catch(sdkUnexpectedStatusCodeToIssuerError);
+    const requestObjectJwt = await appFetch(
+      `${authzRequestEndpoint}?${params.toString()}`,
+      { method: "GET" }
+    )
+      .then(hasStatusOrThrow(200, IssuerResponseError))
+      .then((res) => res.text());
 
     const parsedAuthRequest = await parseAuthorizeRequest({
       config: sdkConfigV1_3,
-      requestObjectJwt: authRequest.requestObjectJwt,
-      callbacks: partialCallbacks,
+      requestObjectJwt,
+      callbacks: {
+        verifyJwt: createVerifyJwtFromJwks(issuerConf.keys),
+      },
     });
 
     return mapToRequestObject(parsedAuthRequest);
   };
 
+// NOTE: this function is not used in the 1.3 issuance flow. It may be removed in the future.
 export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["completeUserAuthorizationWithFormPostJwtMode"] =
-  async (
-    requestObject,
-    issuerConfig,
-    pid,
-    { wiaCryptoContext, pidKeyTag, appFetch = fetch }
-  ) => {
+  async (requestObject, issuerConfig, pid, { appFetch = fetch }) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requeste credential is not a PersonIdentificationData, completing the user authorization with form_post.jwt mode`
-    );
-
-    const dcqlQueryResult = await RemotePresentationFlow.evaluateDcqlQuery(
-      requestObject.dcql_query as DcqlQuery,
-      [[pidKeyTag, pid]]
+      "The requested credential is not a PID, completing the user authorization with form_post.jwt mode"
     );
 
-    const authRequestObject = {
-      nonce: requestObject.nonce,
-      clientId: requestObject.client_id,
-      responseUri: requestObject.response_uri,
-    };
-
-    const remotePresentation =
-      await RemotePresentationFlow.prepareRemotePresentations(
-        dcqlQueryResult,
-        authRequestObject
-      );
-
-    const authzResponsePayload = await createAuthzResponsePayload({
-      state: requestObject.state,
-      remotePresentation,
-      wiaCryptoContext,
+    const authzResponse = await processPidPresentationAndCreateAuthzResponse({
+      requestObject,
+      issuerConfig,
+      pid,
     });
 
-    Logger.log(
-      LogLevel.DEBUG,
-      `Authz response payload: ${authzResponsePayload}`
-    );
+    Logger.log(LogLevel.DEBUG, `Authz response: ${authzResponse}`);
 
     const issuerSigKey = issuerConfig.keys.find((key) => key.use === "sig");
     if (!issuerSigKey) {
@@ -158,13 +139,13 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
     }
 
     return sendAuthorizationResponseAndExtractCode({
-      authorizationResponseJarm: authzResponsePayload,
+      authorizationResponseJarm: authzResponse.jarm.responseJwe,
       callbacks: {
         ...partialCallbacks,
         fetch: appFetch,
       },
       iss: requestObject.iss,
-      state: requestObject.state!,
+      state: requestObject.state ?? "",
       presentationResponseUri: requestObject.response_uri,
       signer: {
         alg: "ES256",
@@ -174,6 +155,62 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
     });
   };
 
+export const completeEaaUserAuthorizationWithQueryMode: IssuanceApi["completeEaaUserAuthorizationWithQueryMode"] =
+  async (
+    requestObject,
+    issuerConfig,
+    pid,
+    clientRedirectUri,
+    { appFetch = fetch } = {}
+  ) => {
+    Logger.log(
+      LogLevel.DEBUG,
+      "The requested credential is not a PID, completing the user authorization with query mode"
+    );
+
+    const authzResponse = await processPidPresentationAndCreateAuthzResponse({
+      requestObject,
+      issuerConfig,
+      pid,
+    });
+
+    Logger.log(LogLevel.DEBUG, `Authz response: ${authzResponse}`);
+
+    const { redirect_uri } = await fetchAuthorizationResponse({
+      authorizationResponseJarm: authzResponse.jarm.responseJwe,
+      presentationResponseUri: requestObject.response_uri,
+      callbacks: {
+        ...partialCallbacks,
+        fetch: appFetch,
+      },
+    });
+
+    if (!redirect_uri) {
+      const errorMessage =
+        "The authorization server did not return a redirect_uri to continue the authorization flow";
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new AuthorizationError(errorMessage);
+    }
+
+    const response = await appFetch(redirect_uri).catch(() => null);
+
+    if (!response || !response.ok) {
+      const errorMessage = `An error occurred while completing the authorization flow. Ensure ${clientRedirectUri} is a valid HTTP url for redirect`;
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new AuthorizationError(errorMessage);
+    }
+
+    const finalRedirectUri = response.url;
+
+    if (!finalRedirectUri || !finalRedirectUri.startsWith(clientRedirectUri)) {
+      const errorMessage = `The authorization server did not redirect to the provided client redirect URI. Expected: ${clientRedirectUri}, got: ${finalRedirectUri}`;
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new AuthorizationError(errorMessage);
+    }
+
+    return parseAuthorizationResponse(parseUrl(finalRedirectUri).query);
+  };
+
 /**
  * Parse the authorization response and return the result which contains code, state and iss.
  * @throws {AuthorizationError} if an error occurs during the parsing process
@@ -207,45 +244,52 @@ export const parseAuthorizationResponse = (
 };
 
 /**
- * Creates the authorization response payload to be sent.
- * This payload includes the state and the VP tokens for the presented credentials.
- * The payload is encoded in Base64.
- * @param state - The state parameter from the request object (optional).
- * @param remotePresentation The presentations to send, each with their VP token
- * @returns The Base64 encoded authorization response payload.
+ * Utility function to process the DCQL query for PID presentation and to create the authorization response to send to the Issuer.
+ * @param params.requestObject - The request object containing the DCQL query
+ * @param params.issuerConfig - The Issuer unified configuration
+ * @param params.pid - The PID credential to be presented, as a tuple of [keyTag, credential]
+ * @returns The authorization response containing the JARM to be sent to the Issuer
  */
-const createAuthzResponsePayload = async ({
-  state,
-  remotePresentation,
-  wiaCryptoContext,
+const processPidPresentationAndCreateAuthzResponse = async ({
+  requestObject,
+  issuerConfig,
+  pid,
 }: {
-  state?: string;
-  remotePresentation: RemotePresentation;
-  wiaCryptoContext: CryptoContext;
-}): Promise<string> => {
-  const { kid } = await wiaCryptoContext.getPublicKey();
-
-  return new SignJWT(wiaCryptoContext)
-    .setProtectedHeader({
-      typ: "jwt",
-      kid,
-    })
-    .setPayload({
-      /**
-       * TODO [SIW-2264]: `state` coming from `requestObject` is marked as `optional`
-       * At the moment, it is not entirely clear whether this value can indeed be omitted
-       * and, if so, what the consequences of its absence might be.
-       */
-      ...(state ? { state } : {}),
-      vp_token: remotePresentation.presentations.reduce(
-        (vp_token, { credentialId, vpToken }) => ({
-          ...vp_token,
-          [credentialId]: [vpToken],
-        }),
-        {}
-      ),
-    })
-    .setIssuedAt()
-    .setExpirationTime("1h")
-    .sign();
+  requestObject: RequestObject;
+  issuerConfig: IssuerConfig;
+  pid: [keyTag: string, credential: string];
+}): Promise<CreateAuthorizationResponseResult> => {
+  const dcqlQueryResult = await RemotePresentationFlow.evaluateDcqlQuery(
+    requestObject.dcql_query as DcqlQuery,
+    [pid]
+  );
+
+  const remotePresentation =
+    await RemotePresentationFlow.prepareRemotePresentations(dcqlQueryResult, {
+      clientId: requestObject.client_id,
+      nonce: requestObject.nonce,
+      responseUri: requestObject.response_uri,
+    });
+
+  const vp_token = remotePresentation.presentations.reduce(
+    (acc, { credentialId, vpToken }) => ({ ...acc, [credentialId]: [vpToken] }),
+    {} as Record<string, string[]>
+  );
+
+  return createAuthorizationResponse({
+    // The SDK 1.4 config is used here in order to resolve the encryption data from the Request Object
+    // client_metadata, otherwise OpenID Federation clients always ignore client_metadata as per 1.3.3 specs.
+    config: sdkConfigV1_4,
+    requestObject,
+    rpJwks: {
+      jwks: { keys: issuerConfig.keys } as jsonWebKeySet,
+      encrypted_response_enc_values_supported:
+        issuerConfig.encrypted_response_enc_values_supported,
+    },
+    vp_token,
+    callbacks: {
+      encryptJwe: partialCallbacks.encryptJwe,
+      generateRandom: partialCallbacks.generateRandom,
+    },
+  });
 };

package/src/credential/issuance/v1.3.3/04-authorize-access.ts

@@ -1,10 +1,15 @@
-import { SignJWT } from "@pagopa/io-react-native-jwt";
-import { createTokenDPoP, fetchTokenResponse } from "@pagopa/io-wallet-oauth2";
+import {
+  createClientAttestationPopJwt,
+  createTokenDPoP,
+  fetchTokenResponse,
+} from "@pagopa/io-wallet-oauth2";
 import { v4 as uuidv4 } from "uuid";
-import { createPopToken } from "../../../utils/pop";
-import * as WalletInstanceAttestation from "../../../wallet-instance-attestation/v1.0.0/utils";
-import { partialCallbacks } from "../../../utils/callbacks";
+import {
+  createSignJwtFromCryptoContext,
+  partialCallbacks,
+} from "../../../utils/callbacks";
 import { IoWalletError } from "../../../utils/errors";
+import { sdkConfigV1_3 } from "../../../utils/config";
 import type { IssuanceApi, TokenResponse } from "../api";
 
 export const authorizeAccess: IssuanceApi["authorizeAccess"] = async (
@@ -21,37 +26,37 @@ export const authorizeAccess: IssuanceApi["authorizeAccess"] = async (
     dPopCryptoContext,
   } = context;
 
-  const dPopSignerJwk = await dPopCryptoContext.getPublicKey();
   const tokenDPoP = await createTokenDPoP({
     callbacks: {
       ...partialCallbacks,
-      signJwt: async (_, payload) => ({
-        jwt: await new SignJWT(wiaCryptoContext).setPayload(payload).sign(),
-        signerJwk: dPopSignerJwk,
-      }),
+      signJwt: createSignJwtFromCryptoContext(dPopCryptoContext),
     },
     signer: {
-      alg: "ES256",
       method: "jwk",
-      publicJwk: dPopSignerJwk,
+      alg: "ES256",
+      publicJwk: await dPopCryptoContext.getPublicKey(),
     },
+    jti: uuidv4(),
     tokenRequest: {
       method: "POST",
       url: issuerConf.token_endpoint,
     },
   });
 
-  const iss = WalletInstanceAttestation.decode(walletInstanceAttestation)
-    .payload.cnf.jwk.kid;
-
-  const signedWiaPoP = await createPopToken(
-    {
-      jti: uuidv4(),
-      aud: issuerConf.credential_issuer,
-      iss,
+  const clientAttestationDPoP = await createClientAttestationPopJwt({
+    config: sdkConfigV1_3,
+    callbacks: {
+      generateRandom: partialCallbacks.generateRandom,
+      signJwt: createSignJwtFromCryptoContext(wiaCryptoContext),
     },
-    wiaCryptoContext
-  );
+    clientAttestation: walletInstanceAttestation,
+    authorizationServer: issuerConf.credential_issuer,
+    signer: {
+      method: "jwk",
+      alg: "ES256",
+      publicJwk: await wiaCryptoContext.getPublicKey(),
+    },
+  });
 
   const tokenResponse = await fetchTokenResponse({
     accessTokenEndpoint: issuerConf.token_endpoint,
@@ -61,7 +66,7 @@ export const authorizeAccess: IssuanceApi["authorizeAccess"] = async (
     },
     walletAttestation: walletInstanceAttestation,
     dPoP: tokenDPoP.jwt,
-    clientAttestationDPoP: signedWiaPoP,
+    clientAttestationDPoP,
     accessTokenRequest: {
       code,
       grant_type: "authorization_code",

package/src/credential/issuance/v1.3.3/05-obtain-credential.ts

@@ -9,6 +9,7 @@ import {
   createCredentialRequest,
 } from "@pagopa/io-wallet-oid4vci";
 import { UnexpectedStatusCodeError as SdkUnexpectedStatusCodeError } from "@pagopa/io-wallet-utils";
+import { v4 as uuidv4 } from "uuid";
 import { hasStatusOrThrow, type Out } from "../../../utils/misc";
 import {
   IoWalletError,
@@ -19,7 +20,10 @@ import {
 } from "../../../utils/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
 import { sdkConfigV1_3 } from "../../../utils/config";
-import { partialCallbacks } from "../../../utils/callbacks";
+import {
+  createSignJwtFromCryptoContext,
+  partialCallbacks,
+} from "../../../utils/callbacks";
 import type { IssuanceApi, IssuerConfig } from "../api";
 import { NonceResponse } from "./types";
 import type { AuthorizeAccessApi } from "../api/04-authorize-access";
@@ -108,28 +112,24 @@ export const requestCredentials = async ({
     },
     clientId,
     credential_identifier: credentialIdentifier,
-    issuerIdentifier: issuerConf.credential_issuer,
+    issuerIdentifier: issuerConf.credential_endpoint,
     maxBatchSize: issuerConf.credential_issuance_batch_size,
     nonce: c_nonce,
     keyAttestation: keyAttestationJwt,
     signers,
   });
 
-  const dPopSignerJwk = await dPopCryptoContext.getPublicKey();
-
   const credentialDPoP = await createTokenDPoP({
     callbacks: {
       ...partialCallbacks,
-      signJwt: async (_, payload) => ({
-        jwt: await new SignJWT(dPopCryptoContext).setPayload(payload).sign(),
-        signerJwk: dPopSignerJwk,
-      }),
+      signJwt: createSignJwtFromCryptoContext(dPopCryptoContext),
     },
     signer: {
       method: "jwk",
       alg: "ES256",
-      publicJwk: dPopSignerJwk,
+      publicJwk: await dPopCryptoContext.getPublicKey(),
     },
+    jti: uuidv4(),
     tokenRequest: {
       method: "POST",
       url: issuerConf.credential_endpoint,

package/src/credential/issuance/v1.3.3/06-verify-and-parse-credential.ts

@@ -23,7 +23,8 @@ export const verifyAndParseCredential: IssuanceApi["verifyAndParseCredential"] =
           issuerConf,
           credential,
           credentialConfigurationId,
-          context
+          { validateCertificateChain: true, ...context },
+          x509CertRoot
         );
       }
       case "mso_mdoc": {

package/src/credential/issuance/v1.3.3/index.ts

@@ -3,7 +3,8 @@ import { evaluateIssuerTrust } from "./01-evaluate-issuer-trust";
 import { startUserAuthorization } from "./02-start-user-authorization";
 import {
   continueUserAuthorizationWithMRTDPoPChallenge,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   completeUserAuthorizationWithFormPostJwtMode,
   buildAuthorizationUrl,
   getRequestedCredentialToBePresented,
@@ -14,13 +15,14 @@ import {
   obtainCredentialsBatch,
 } from "./05-obtain-credential";
 import { verifyAndParseCredential } from "./06-verify-and-parse-credential";
-import { MRTDPoP } from "../mrtd-pop";
+import { MRTDPoPv1_3 } from "../mrtd-pop";
 
 export const Issuance: IssuanceApi = {
   evaluateIssuerTrust,
   startUserAuthorization,
   buildAuthorizationUrl,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   continueUserAuthorizationWithMRTDPoPChallenge,
   getRequestedCredentialToBePresented,
   completeUserAuthorizationWithFormPostJwtMode,
@@ -28,5 +30,5 @@ export const Issuance: IssuanceApi = {
   obtainCredential,
   obtainCredentialsBatch,
   verifyAndParseCredential,
-  MRTDPoP,
+  MRTDPoP: MRTDPoPv1_3,
 };