@pagopa/io-react-native-wallet 3.3.0 → 3.4.1

package/src/credential/issuance/api/03-complete-user-authorization.ts

@@ -39,10 +39,32 @@ export interface CompleteUserAuthorizationApi {
    * @param authRedirectUrl The URL to which the end user should be redirected to start the authentication flow
    * @returns the authorization response which contains code, state and iss
    */
-  completeUserAuthorizationWithQueryMode(
+  completePidUserAuthorizationWithQueryMode(
     authRedirectUrl: string
   ): Promise<AuthorizationResult>;
 
+  /**
+   * Complete user authorization when the response mode is "query" and the requested credential is an Electronic Attestation of Attributes (EAA).
+   * This type of credentials requires a PID to be presented to complete the authorization process and then obtain an access token.
+   * @since 1.3.3
+   *
+   * @param requestObject The request object containing the necessary parameters for authorization.
+   * @param issuerConfig The issuer configuration returned by {@link evaluateIssuerTrust}
+   * @param pid The PID to present as a tuple [keyTag, credential].
+   * @param redirectUri The client redirect URI to which the authorization server will redirect after completing the authorization process.
+   * @param appFetch (optional) fetch api implementation. Default: built-in fetch
+   * @returns The authorization response which contains code, state and iss
+   */
+  completeEaaUserAuthorizationWithQueryMode(
+    requestObject: RequestObject,
+    issuerConf: IssuerConfig,
+    pid: [keyTag: string, credential: string],
+    redirectUri: string,
+    context?: {
+      appFetch?: GlobalFetch["fetch"];
+    }
+  ): Promise<AuthorizationResult>;
+
   /**
    * WARNING: This function must be called after {@link getRequestedCredentialToBePresented}. The next function to be called is {@link authorizeAccess}.
    *
@@ -51,8 +73,8 @@ export interface CompleteUserAuthorizationApi {
    * Following this,the redirect_uri from the response is used to obtain the final authorization response.
    * @since 1.0.0
    *
-   * @param requestObject - The request object containing the necessary parameters for authorization.
-   * @param pid The `PID` that must be presented for the issuance of credentials.
+   * @param requestObject The request object containing the necessary parameters for authorization.
+   * @param pid The PID to present as a tuple [keyTag, credential].
    * @param appFetch (optional) fetch api implementation. Default: built-in fetch
    * @returns the authorization response which contains code, state and iss
    * @throws {ValidationFailed} if an error while validating the response
@@ -60,10 +82,9 @@ export interface CompleteUserAuthorizationApi {
   completeUserAuthorizationWithFormPostJwtMode(
     requestObject: RequestObject,
     issuerConf: IssuerConfig,
-    pid: string,
+    pid: [keyTag: string, credential: string],
     context: {
       wiaCryptoContext: CryptoContext;
-      pidKeyTag: string;
       appFetch?: GlobalFetch["fetch"];
     }
   ): Promise<AuthorizationResult>;

package/src/credential/issuance/api/IssuerConfig.ts

@@ -60,6 +60,7 @@ export const IssuerConfig = z.object({
   credential_configurations_supported: z.record(z.string(), CredentialConfig),
   federation_entity: FederationEntityMetadata,
   credential_issuance_batch_size: z.number().optional(),
+  encrypted_response_enc_values_supported: z.array(z.string()).optional(),
   /**
    * @deprecated
    */

package/src/credential/issuance/common/06-verify-and-parse-credential.mdoc.ts

@@ -1,12 +1,10 @@
 import type { CBOR } from "@pagopa/io-react-native-iso18013";
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type { PublicKey } from "@pagopa/io-react-native-crypto";
-import { extractElementValueAsDate } from "../../../mdoc/converter";
 import {
   getParsedCredentialClaimKey,
   verify as verifyMdoc,
 } from "../../../mdoc";
-import { MDOC_DEFAULT_NAMESPACE } from "../../../mdoc/const";
 import { IoWalletError } from "../../../utils/errors";
 import type { Out } from "../../../utils/misc";
 import { isSameThumbprint } from "../../../utils/jwk";
@@ -209,28 +207,14 @@ export const verifyAndParseCredentialMDoc: IssuanceApi["verifyAndParseCredential
       ignoreMissingAttributes
     );
 
-    const expirationDate = extractElementValueAsDate(
-      parsedCredential?.[
-        getParsedCredentialClaimKey(MDOC_DEFAULT_NAMESPACE, "expiry_date")
-      ]?.value as string
-    );
-    if (!expirationDate) {
-      throw new IoWalletError(`expirationDate must be present!!`);
-    }
-    expirationDate.setDate(expirationDate.getDate() + 1);
-
-    const maybeIssuedAt = extractElementValueAsDate(
-      parsedCredential?.[
-        getParsedCredentialClaimKey(MDOC_DEFAULT_NAMESPACE, "issue_date")
-      ]?.value as string
-    );
-    maybeIssuedAt?.setDate(maybeIssuedAt.getDate() + 1);
+    const { signed, validUntil } =
+      decoded.issuerSigned.issuerAuth.payload.validityInfo;
 
     return {
       parsedCredential,
       credential,
       credentialConfigurationId,
-      expiration: expirationDate,
-      issuedAt: maybeIssuedAt ?? undefined,
+      expiration: validUntil,
+      issuedAt: signed,
     };
   };

package/src/credential/issuance/common/06-verify-and-parse-credential.sdjwt.ts

@@ -2,7 +2,7 @@ import {
   type CryptoContext,
   verify as verifyJwt,
 } from "@pagopa/io-react-native-jwt";
-import { type SDJwt, SDJwtInstance } from "@sd-jwt/core";
+import { type SDJwt, type VerifierOptions, SDJwtInstance } from "@sd-jwt/core";
 import { digest } from "@sd-jwt/crypto-nodejs";
 import type { Verifier } from "@sd-jwt/types";
 import { isPathEqual, isPrefixOf } from "../../../utils/parser";
@@ -153,12 +153,14 @@ const parseCredentialSdJwt = (
   return processLevel(parsedCredentialRaw, []) as ParsedCredential;
 };
 
+type SdJwtInstanceVerifier = Verifier<VerifierOptions & { issuerKeys: JWK[] }>;
+
 /**
  * JWT verifier implementing the interface expected by the SD-JWT library.
  * Verification is delegated to `io-react-native-jwt` to leverage its support for multiple algorithms.
  * @returns Boolean indicating whether the verification succeeded or not
  */
-const sdJwtInstanceVerifier: Verifier<{ issuerKeys: JWK[] }> = async (
+const sdJwtInstanceVerifier: SdJwtInstanceVerifier = async (
   data,
   signature,
   options
@@ -167,7 +169,9 @@ const sdJwtInstanceVerifier: Verifier<{ issuerKeys: JWK[] }> = async (
     return false;
   }
   try {
-    await verifyJwt(`${data}.${signature}`, options.issuerKeys);
+    await verifyJwt(`${data}.${signature}`, options.issuerKeys, {
+      clockTolerance: options.skewSeconds,
+    });
     return true;
   } catch {
     return false;
@@ -200,7 +204,7 @@ async function verifyCredentialSdJwt(
   });
 
   const [verifiedCredential, holderBindingKey] = await Promise.all([
-    sdJwtInstance.verify(rawCredential, { issuerKeys }),
+    sdJwtInstance.verify(rawCredential, { issuerKeys, skewSeconds: 30 }),
     holderBindingContext.getPublicKey(),
   ]);
 

package/src/credential/issuance/v1.0.0/02-start-user-authorization.ts

@@ -64,5 +64,11 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       }
     );
 
-    return { issuerRequestUri, clientId, codeVerifier, credentialDefinition };
+    return {
+      issuerRequestUri,
+      clientId,
+      codeVerifier,
+      credentialDefinition,
+      responseMode,
+    };
   };

package/src/credential/issuance/v1.0.0/03-complete-user-authorization.ts

@@ -7,7 +7,11 @@ import {
 import { hasStatusOrThrow } from "../../../utils/misc";
 import parseUrl from "parse-url";
 import type { DcqlQuery } from "dcql";
-import { IssuerResponseError, ValidationFailed } from "../../../utils/errors";
+import {
+  IssuerResponseError,
+  UnimplementedFeatureError,
+  ValidationFailed,
+} from "../../../utils/errors";
 import {
   decode,
   SignJWT,
@@ -70,7 +74,7 @@ export const buildAuthorizationUrl: IssuanceApi["buildAuthorizationUrl"] =
     return { authUrl };
   };
 
-export const completeUserAuthorizationWithQueryMode: IssuanceApi["completeUserAuthorizationWithQueryMode"] =
+export const completePidUserAuthorizationWithQueryMode: IssuanceApi["completePidUserAuthorizationWithQueryMode"] =
   async (authRedirectUrl) => {
     Logger.log(
       LogLevel.DEBUG,
@@ -81,6 +85,14 @@ export const completeUserAuthorizationWithQueryMode: IssuanceApi["completeUserAu
     return parseAuthorizationResponse(query);
   };
 
+export const completeEaaUserAuthorizationWithQueryMode: IssuanceApi["completeEaaUserAuthorizationWithQueryMode"] =
+  () => {
+    throw new UnimplementedFeatureError(
+      "completeEaaUserAuthorizationWithQueryMode",
+      "1.0.0"
+    );
+  };
+
 export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCredentialToBePresented"] =
   async (issuerRequestUri, clientId, issuerConf, appFetch = fetch) => {
     Logger.log(
@@ -130,7 +142,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
     requestObject,
     _issuerConfig,
     pid,
-    { wiaCryptoContext, pidKeyTag, appFetch = fetch }
+    { wiaCryptoContext, appFetch = fetch }
   ) => {
     Logger.log(
       LogLevel.DEBUG,
@@ -139,7 +151,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
 
     const dcqlQueryResult = await RemotePresentationFlow.evaluateDcqlQuery(
       requestObject.dcql_query as DcqlQuery,
-      [[pidKeyTag, pid]]
+      [pid]
     );
 
     const authRequestObject = {

package/src/credential/issuance/v1.0.0/index.ts

@@ -3,7 +3,8 @@ import { evaluateIssuerTrust } from "./01-evaluate-issuer-trust";
 import { startUserAuthorization } from "./02-start-user-authorization";
 import {
   continueUserAuthorizationWithMRTDPoPChallenge,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   completeUserAuthorizationWithFormPostJwtMode,
   buildAuthorizationUrl,
   getRequestedCredentialToBePresented,
@@ -20,7 +21,8 @@ export const Issuance: IssuanceApi = {
   evaluateIssuerTrust,
   startUserAuthorization,
   buildAuthorizationUrl,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   continueUserAuthorizationWithMRTDPoPChallenge,
   getRequestedCredentialToBePresented,
   completeUserAuthorizationWithFormPostJwtMode,

package/src/credential/issuance/v1.0.0/mappers.ts

@@ -9,6 +9,7 @@ export const mapToIssuerConfig = createMapper<
   const {
     oauth_authorization_server,
     openid_credential_issuer,
+    openid_credential_verifier,
     federation_entity,
   } = x.payload.metadata;
   return {
@@ -28,5 +29,9 @@ export const mapToIssuerConfig = createMapper<
       openid_credential_issuer.status_attestation_endpoint,
     nonce_endpoint: openid_credential_issuer.nonce_endpoint,
     federation_entity,
+    encrypted_response_enc_values_supported:
+      openid_credential_verifier?.authorization_encrypted_response_enc
+        ? [openid_credential_verifier.authorization_encrypted_response_enc]
+        : undefined,
   };
 });

package/src/credential/issuance/v1.3.3/02-start-user-authorization.ts

@@ -88,7 +88,7 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
         signJwt,
       },
       clientAttestation: walletInstanceAttestation,
-      authorizationServer: issuerConf.authorization_endpoint,
+      authorizationServer: issuerConf.credential_issuer,
       signer: wiaSigner,
       jti: uuidv4(),
     });

package/src/credential/issuance/v1.3.3/03-complete-user-authorization.ts

@@ -6,30 +6,33 @@ import {
 import parseUrl from "parse-url";
 import type { DcqlQuery } from "dcql";
 import {
-  fetchAuthorizationRequest,
+  createAuthorizationResponse,
   parseAuthorizeRequest,
+  fetchAuthorizationResponse,
+  type CreateAuthorizationResponseResult,
 } from "@pagopa/io-wallet-oid4vp";
 import { sendAuthorizationResponseAndExtractCode } from "@pagopa/io-wallet-oid4vci";
+import type { jsonWebKeySet } from "@pagopa/io-wallet-oid-federation";
 import { parseMrtdChallenge } from "@pagopa/io-wallet-oauth2";
-import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
 import { AuthorizationError, AuthorizationIdpError } from "../common/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
 import { RemotePresentation as RemotePresentationFlow } from "../../presentation/v1.3.3";
-import { partialCallbacks } from "../../../utils/callbacks";
-import { sdkConfigV1_3 } from "../../../utils/config";
 import {
-  IoWalletError,
-  sdkUnexpectedStatusCodeToIssuerError,
-} from "../../../utils/errors";
-import type { IssuanceApi } from "../api";
+  createVerifyJwtFromJwks,
+  partialCallbacks,
+} from "../../../utils/callbacks";
+import { sdkConfigV1_3, sdkConfigV1_4 } from "../../../utils/config";
+import { IoWalletError, IssuerResponseError } from "../../../utils/errors";
+import type { IssuanceApi, IssuerConfig } from "../api";
 import { mapToRequestObject } from "./mappers";
-import type { RemotePresentation } from "../../presentation";
+import type { RequestObject } from "../../presentation";
+import { hasStatusOrThrow } from "../../../utils/misc";
 
 export const continueUserAuthorizationWithMRTDPoPChallenge: IssuanceApi["continueUserAuthorizationWithMRTDPoPChallenge"] =
   async (authRedirectUrl) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requested credential is a PersonIdentificationData and requires MRTD PoP, starting MRTD PoP validation from auth redirect`
+      "The requested credential is a PID and requires MRTD PoP, starting MRTD PoP validation from auth redirect"
     );
     try {
       const parsedChallenge = parseMrtdChallenge({
@@ -65,11 +68,11 @@ export const buildAuthorizationUrl: IssuanceApi["buildAuthorizationUrl"] =
     return { authUrl };
   };
 
-export const completeUserAuthorizationWithQueryMode: IssuanceApi["completeUserAuthorizationWithQueryMode"] =
+export const completePidUserAuthorizationWithQueryMode: IssuanceApi["completePidUserAuthorizationWithQueryMode"] =
   async (authRedirectUrl) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requested credential is a PersonIdentificationData, completing the user authorization with query mode`
+      "The requested credential is a PID, completing the user authorization with query mode"
     );
     const query = parseUrl(authRedirectUrl).query;
 
@@ -80,7 +83,7 @@ export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCrede
   async (issuerRequestUri, clientId, issuerConf, appFetch = fetch) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requeste credential is not a PersonIdentificationData, requesting the credential to be presented`
+      "The requested credential is not a PID, requesting the credential to be presented"
     );
 
     const authzRequestEndpoint = issuerConf.authorization_endpoint;
@@ -94,61 +97,39 @@ export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCrede
       `Requesting the request object to ${authzRequestEndpoint}?${params.toString()}`
     );
 
-    const authRequest = await fetchAuthorizationRequest({
-      authorizeRequestUrl: `${authzRequestEndpoint}?${params.toString()}`,
-      callbacks: {
-        fetch: appFetch,
-      },
-    }).catch(sdkUnexpectedStatusCodeToIssuerError);
+    const requestObjectJwt = await appFetch(
+      `${authzRequestEndpoint}?${params.toString()}`,
+      { method: "GET" }
+    )
+      .then(hasStatusOrThrow(200, IssuerResponseError))
+      .then((res) => res.text());
 
     const parsedAuthRequest = await parseAuthorizeRequest({
       config: sdkConfigV1_3,
-      requestObjectJwt: authRequest.requestObjectJwt,
-      callbacks: partialCallbacks,
+      requestObjectJwt,
+      callbacks: {
+        verifyJwt: createVerifyJwtFromJwks(issuerConf.keys),
+      },
     });
 
     return mapToRequestObject(parsedAuthRequest);
   };
 
+// NOTE: this function is not used in the 1.3 issuance flow. It may be removed in the future.
 export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["completeUserAuthorizationWithFormPostJwtMode"] =
-  async (
-    requestObject,
-    issuerConfig,
-    pid,
-    { wiaCryptoContext, pidKeyTag, appFetch = fetch }
-  ) => {
+  async (requestObject, issuerConfig, pid, { appFetch = fetch }) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requeste credential is not a PersonIdentificationData, completing the user authorization with form_post.jwt mode`
-    );
-
-    const dcqlQueryResult = await RemotePresentationFlow.evaluateDcqlQuery(
-      requestObject.dcql_query as DcqlQuery,
-      [[pidKeyTag, pid]]
+      "The requested credential is not a PID, completing the user authorization with form_post.jwt mode"
     );
 
-    const authRequestObject = {
-      nonce: requestObject.nonce,
-      clientId: requestObject.client_id,
-      responseUri: requestObject.response_uri,
-    };
-
-    const remotePresentation =
-      await RemotePresentationFlow.prepareRemotePresentations(
-        dcqlQueryResult,
-        authRequestObject
-      );
-
-    const authzResponsePayload = await createAuthzResponsePayload({
-      state: requestObject.state,
-      remotePresentation,
-      wiaCryptoContext,
+    const authzResponse = await processPidPresentationAndCreateAuthzResponse({
+      requestObject,
+      issuerConfig,
+      pid,
     });
 
-    Logger.log(
-      LogLevel.DEBUG,
-      `Authz response payload: ${authzResponsePayload}`
-    );
+    Logger.log(LogLevel.DEBUG, `Authz response: ${authzResponse}`);
 
     const issuerSigKey = issuerConfig.keys.find((key) => key.use === "sig");
     if (!issuerSigKey) {
@@ -158,13 +139,13 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
     }
 
     return sendAuthorizationResponseAndExtractCode({
-      authorizationResponseJarm: authzResponsePayload,
+      authorizationResponseJarm: authzResponse.jarm.responseJwe,
       callbacks: {
         ...partialCallbacks,
         fetch: appFetch,
       },
       iss: requestObject.iss,
-      state: requestObject.state!,
+      state: requestObject.state ?? "",
       presentationResponseUri: requestObject.response_uri,
       signer: {
         alg: "ES256",
@@ -174,6 +155,65 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
     });
   };
 
+export const completeEaaUserAuthorizationWithQueryMode: IssuanceApi["completeEaaUserAuthorizationWithQueryMode"] =
+  async (
+    requestObject,
+    issuerConfig,
+    pid,
+    clientRedirectUri,
+    { appFetch = fetch } = {}
+  ) => {
+    Logger.log(
+      LogLevel.DEBUG,
+      "The requested credential is not a PID, completing the user authorization with query mode"
+    );
+
+    const authzResponse = await processPidPresentationAndCreateAuthzResponse({
+      requestObject,
+      issuerConfig,
+      pid,
+    });
+
+    Logger.log(
+      LogLevel.DEBUG,
+      `Authz response: ${JSON.stringify(authzResponse)}`
+    );
+
+    const { redirect_uri } = await fetchAuthorizationResponse({
+      authorizationResponseJarm: authzResponse.jarm.responseJwe,
+      presentationResponseUri: requestObject.response_uri,
+      callbacks: {
+        ...partialCallbacks,
+        fetch: appFetch,
+      },
+    });
+
+    if (!redirect_uri) {
+      const errorMessage =
+        "The authorization server did not return a redirect_uri to continue the authorization flow";
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new AuthorizationError(errorMessage);
+    }
+
+    const response = await appFetch(redirect_uri).catch(() => null);
+
+    if (!response || !response.ok) {
+      const errorMessage = `An error occurred while completing the authorization flow. Ensure ${clientRedirectUri} is a valid HTTP url for redirect`;
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new AuthorizationError(errorMessage);
+    }
+
+    const finalRedirectUri = response.url;
+
+    if (!finalRedirectUri || !finalRedirectUri.startsWith(clientRedirectUri)) {
+      const errorMessage = `The authorization server did not redirect to the provided client redirect URI. Expected: ${clientRedirectUri}, got: ${finalRedirectUri}`;
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new AuthorizationError(errorMessage);
+    }
+
+    return parseAuthorizationResponse(parseUrl(finalRedirectUri).query);
+  };
+
 /**
  * Parse the authorization response and return the result which contains code, state and iss.
  * @throws {AuthorizationError} if an error occurs during the parsing process
@@ -207,45 +247,52 @@ export const parseAuthorizationResponse = (
 };
 
 /**
- * Creates the authorization response payload to be sent.
- * This payload includes the state and the VP tokens for the presented credentials.
- * The payload is encoded in Base64.
- * @param state - The state parameter from the request object (optional).
- * @param remotePresentation The presentations to send, each with their VP token
- * @returns The Base64 encoded authorization response payload.
+ * Utility function to process the DCQL query for PID presentation and to create the authorization response to send to the Issuer.
+ * @param params.requestObject - The request object containing the DCQL query
+ * @param params.issuerConfig - The Issuer unified configuration
+ * @param params.pid - The PID credential to be presented, as a tuple of [keyTag, credential]
+ * @returns The authorization response containing the JARM to be sent to the Issuer
  */
-const createAuthzResponsePayload = async ({
-  state,
-  remotePresentation,
-  wiaCryptoContext,
+const processPidPresentationAndCreateAuthzResponse = async ({
+  requestObject,
+  issuerConfig,
+  pid,
 }: {
-  state?: string;
-  remotePresentation: RemotePresentation;
-  wiaCryptoContext: CryptoContext;
-}): Promise<string> => {
-  const { kid } = await wiaCryptoContext.getPublicKey();
-
-  return new SignJWT(wiaCryptoContext)
-    .setProtectedHeader({
-      typ: "jwt",
-      kid,
-    })
-    .setPayload({
-      /**
-       * TODO [SIW-2264]: `state` coming from `requestObject` is marked as `optional`
-       * At the moment, it is not entirely clear whether this value can indeed be omitted
-       * and, if so, what the consequences of its absence might be.
-       */
-      ...(state ? { state } : {}),
-      vp_token: remotePresentation.presentations.reduce(
-        (vp_token, { credentialId, vpToken }) => ({
-          ...vp_token,
-          [credentialId]: [vpToken],
-        }),
-        {}
-      ),
-    })
-    .setIssuedAt()
-    .setExpirationTime("1h")
-    .sign();
+  requestObject: RequestObject;
+  issuerConfig: IssuerConfig;
+  pid: [keyTag: string, credential: string];
+}): Promise<CreateAuthorizationResponseResult> => {
+  const dcqlQueryResult = await RemotePresentationFlow.evaluateDcqlQuery(
+    requestObject.dcql_query as DcqlQuery,
+    [pid]
+  );
+
+  const remotePresentation =
+    await RemotePresentationFlow.prepareRemotePresentations(dcqlQueryResult, {
+      clientId: requestObject.client_id,
+      nonce: requestObject.nonce,
+      responseUri: requestObject.response_uri,
+    });
+
+  const vp_token = remotePresentation.presentations.reduce(
+    (acc, { credentialId, vpToken }) => ({ ...acc, [credentialId]: [vpToken] }),
+    {} as Record<string, string[]>
+  );
+
+  return createAuthorizationResponse({
+    // The SDK 1.4 config is used here in order to resolve the encryption data from the Request Object
+    // client_metadata, otherwise OpenID Federation clients always ignore client_metadata as per 1.3.3 specs.
+    config: sdkConfigV1_4,
+    requestObject,
+    rpJwks: {
+      jwks: { keys: issuerConfig.keys } as jsonWebKeySet,
+      encrypted_response_enc_values_supported:
+        issuerConfig.encrypted_response_enc_values_supported,
+    },
+    vp_token,
+    callbacks: {
+      encryptJwe: partialCallbacks.encryptJwe,
+      generateRandom: partialCallbacks.generateRandom,
+    },
+  });
 };

package/src/credential/issuance/v1.3.3/05-obtain-credential.ts

@@ -112,7 +112,7 @@ export const requestCredentials = async ({
     },
     clientId,
     credential_identifier: credentialIdentifier,
-    issuerIdentifier: issuerConf.credential_issuer,
+    issuerIdentifier: issuerConf.credential_endpoint,
     maxBatchSize: issuerConf.credential_issuance_batch_size,
     nonce: c_nonce,
     keyAttestation: keyAttestationJwt,
@@ -261,6 +261,12 @@ export const obtainCredentialsBatch: IssuanceApi["obtainCredentialsBatch"] =
       throw new IoWalletError("Deferred issuance is not currently supported");
     }
 
+    if (credentialRes.credentials.length !== credentialCryptoContexts.length) {
+      throw new IoWalletError(
+        `Batch size mismatch: expected ${credentialCryptoContexts.length} credentials, but got ${credentialRes.credentials.length}`
+      );
+    }
+
     return credentialRes.credentials.map(({ credential }) => ({
       credential,
       format: issuerCredentialConfig!.format,

package/src/credential/issuance/v1.3.3/index.ts

@@ -3,7 +3,8 @@ import { evaluateIssuerTrust } from "./01-evaluate-issuer-trust";
 import { startUserAuthorization } from "./02-start-user-authorization";
 import {
   continueUserAuthorizationWithMRTDPoPChallenge,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   completeUserAuthorizationWithFormPostJwtMode,
   buildAuthorizationUrl,
   getRequestedCredentialToBePresented,
@@ -20,7 +21,8 @@ export const Issuance: IssuanceApi = {
   evaluateIssuerTrust,
   startUserAuthorization,
   buildAuthorizationUrl,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   continueUserAuthorizationWithMRTDPoPChallenge,
   getRequestedCredentialToBePresented,
   completeUserAuthorizationWithFormPostJwtMode,