@pagopa/io-react-native-wallet 3.4.1 → 3.4.3

package/lib/typescript/credential/offer/v1.3.3/03-validate-credential-offer.d.ts

@@ -0,0 +1,15 @@
+import type { OfferApi } from "../api";
+/**
+ * v1.3.3 implementation — validates a resolved Credential Offer against the
+ * Credential Issuer metadata (IT-Wallet spec, Section 12.1.2).
+ *
+ * Performs the IT-Wallet v1.3 structural checks on the offer and, when the
+ * Credential Issuer relies on multiple Authorization Servers, ensures the
+ * `authorization_server` selected by the offer matches one of the advertised
+ * `authorization_servers`.
+ *
+ * Delegates to the SDK's {@link sdkValidateCredentialOffer}; validation errors
+ * are mapped to {@link InvalidCredentialOfferError}.
+ */
+export declare const validateCredentialOffer: OfferApi["validateCredentialOffer"];
+//# sourceMappingURL=03-validate-credential-offer.d.ts.map

package/lib/typescript/credential/offer/v1.3.3/03-validate-credential-offer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"03-validate-credential-offer.d.ts","sourceRoot":"","sources":["../../../../../src/credential/offer/v1.3.3/03-validate-credential-offer.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAGvC;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,EAAE,QAAQ,CAAC,yBAAyB,CAYrE,CAAC"}

package/lib/typescript/credential/offer/v1.3.3/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/credential/offer/v1.3.3/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAIvC,eAAO,MAAM,KAAK,EAAE,QAGnB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/credential/offer/v1.3.3/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAKvC,eAAO,MAAM,KAAK,EAAE,QAInB,CAAC"}

package/lib/typescript/trust/v1.3.3/types.d.ts

@@ -92,7 +92,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
         }, z.core.$strip>;
         metadata: z.ZodObject<{
             openid_credential_issuer: z.ZodObject<{
-                authorization_servers: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+                authorization_servers: z.ZodOptional<z.ZodTuple<[z.ZodURL], z.ZodURL>>;
                 batch_credential_issuance: z.ZodOptional<z.ZodObject<{
                     batch_size: z.ZodNumber;
                 }, z.core.$strip>>;
@@ -657,7 +657,7 @@ export declare const EntityConfiguration: z.ZodUnion<readonly [z.ZodIntersection
         }, z.core.$strip>;
         metadata: z.ZodObject<{
             openid_credential_issuer: z.ZodObject<{
-                authorization_servers: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+                authorization_servers: z.ZodOptional<z.ZodTuple<[z.ZodURL], z.ZodURL>>;
                 batch_credential_issuance: z.ZodOptional<z.ZodObject<{
                     batch_size: z.ZodNumber;
                 }, z.core.$strip>>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-react-native-wallet",
-  "version": "3.4.1",
+  "version": "3.4.3",
   "description": "Provide data structures, helpers and API for IO Wallet",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",
@@ -140,11 +140,11 @@
     ]
   },
   "dependencies": {
-    "@pagopa/io-wallet-oauth2": "1.4.2",
-    "@pagopa/io-wallet-oid-federation": "1.4.2",
-    "@pagopa/io-wallet-oid4vci": "1.4.2",
-    "@pagopa/io-wallet-oid4vp": "1.4.2",
-    "@pagopa/io-wallet-utils": "1.4.2",
+    "@pagopa/io-wallet-oauth2": "1.5.2",
+    "@pagopa/io-wallet-oid-federation": "1.5.2",
+    "@pagopa/io-wallet-oid4vci": "1.5.2",
+    "@pagopa/io-wallet-oid4vp": "1.5.2",
+    "@pagopa/io-wallet-utils": "1.5.2",
     "@sd-jwt/core": "^0.19.0",
     "@sd-jwt/crypto-nodejs": "^0.19.0",
     "@sd-jwt/jwt-status-list": "^0.19.0",

package/src/credential/issuance/api/01-evaluate-issuer-trust.ts

@@ -8,10 +8,13 @@ export interface EvaluateIssuerTrustApi {
    *
    * @param issuerUrl The base url of the Issuer
    * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+   * @param context.authorizationServer (optional) Authorization Server URL selected
+   *   from a credential offer. When provided it must match one of the Credential
+   *   Issuer metadata `authorization_servers`. Only honored from v1.3.3 onwards.
    * @returns The Issuer's configuration
    */
   evaluateIssuerTrust(
     issuerUrl: string,
-    ctx?: { appFetch?: GlobalFetch["fetch"] }
+    ctx?: { appFetch?: GlobalFetch["fetch"]; authorizationServer?: string }
   ): Promise<{ issuerConf: IssuerConfig }>;
 }

package/src/credential/issuance/api/02-start-user-authorization.ts

@@ -27,6 +27,8 @@ export interface StartUserAuthorizationApi {
    * @param context.walletInstanceAttestation: the Wallet Instance's attestation
    * @param context.redirectUri: the redirect URI
    * @param context.appFetch: (optional) the fetch implementation
+   * @param context.scope: (optional) the OAuth 2.0 scope, forwarded to the PAR. When the issuance is started from a Credential Offer, it comes from the `authorization_code` grant.
+   * @param context.issuerState: (optional) the issuer state, forwarded to the PAR to correlate the authorization request with the Credential Offer.
    * @returns The URI to which the end user should be redirected to start the authentication flow, along with additional authentication parameters
    */
   startUserAuthorization(
@@ -40,6 +42,8 @@ export interface StartUserAuthorizationApi {
       walletInstanceAttestation: string;
       redirectUri: string;
       appFetch?: GlobalFetch["fetch"];
+      scope?: string;
+      issuerState?: string;
     }
   ): Promise<{
     issuerRequestUri: string;

package/src/credential/issuance/api/03-complete-user-authorization.ts

@@ -52,7 +52,6 @@ export interface CompleteUserAuthorizationApi {
    * @param issuerConfig The issuer configuration returned by {@link evaluateIssuerTrust}
    * @param pid The PID to present as a tuple [keyTag, credential].
    * @param redirectUri The client redirect URI to which the authorization server will redirect after completing the authorization process.
-   * @param appFetch (optional) fetch api implementation. Default: built-in fetch
    * @returns The authorization response which contains code, state and iss
    */
   completeEaaUserAuthorizationWithQueryMode(
@@ -61,7 +60,10 @@ export interface CompleteUserAuthorizationApi {
     pid: [keyTag: string, credential: string],
     redirectUri: string,
     context?: {
+      /** Fetch api implementation. Default: built-in fetch. */
       appFetch?: GlobalFetch["fetch"];
+      /** Function to fetch the final redirect uri; it allows full control on how redirects are handled. If not provided, `appFetch` is used. */
+      fetchFinalRedirectUri?: (url: string) => Promise<string | undefined>;
     }
   ): Promise<AuthorizationResult>;
 

package/src/credential/issuance/api/IssuerConfig.ts

@@ -50,6 +50,12 @@ const CredentialConfig = z.intersection(
 export type IssuerConfig = z.infer<typeof IssuerConfig>;
 export const IssuerConfig = z.object({
   credential_issuer: z.string(),
+  /**
+   * Authorization Servers advertised by the Credential Issuer. Present when the
+   * Issuer relies on one or more external Authorization Servers; used to validate
+   * the `authorization_server` selected by a credential offer.
+   */
+  authorization_servers: z.tuple([z.string()], z.string()).optional(),
   pushed_authorization_request_endpoint: z.string(),
   authorization_endpoint: z.string(),
   token_endpoint: z.string(),

package/src/credential/issuance/v1.3.3/01-evaluate-issuer-trust.ts

@@ -13,6 +13,7 @@ export const evaluateIssuerTrust: IssuanceApi["evaluateIssuerTrust"] = async (
   const issuerMetadata = (await fetchMetadata({
     config: sdkConfigV1_3,
     credentialIssuerUrl: issuerUrl,
+    authorizationServer: context.authorizationServer,
     callbacks: {
       fetch: context.appFetch,
     },

package/src/credential/issuance/v1.3.3/02-start-user-authorization.ts

@@ -22,6 +22,8 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       walletInstanceAttestation,
       redirectUri,
       appFetch = fetch,
+      scope,
+      issuerState,
     } = ctx;
 
     const clientId = await wiaCryptoContext.getPublicKey().then((_) => _.kid);
@@ -76,6 +78,11 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       authorization_details: credentialDefinition,
       codeChallengeMethodsSupported: ["S256"],
       redirectUri,
+      // When the issuance is started from a Credential Offer, the `scope` and
+      // `issuer_state` carried by the authorization_code grant are forwarded to
+      // the PAR. They are `undefined` (and thus omitted) for the regular flow.
+      scope,
+      issuerState,
       dpop: {
         signer: wiaSigner,
       },

package/src/credential/issuance/v1.3.3/03-complete-user-authorization.ts

@@ -161,7 +161,7 @@ export const completeEaaUserAuthorizationWithQueryMode: IssuanceApi["completeEaa
     issuerConfig,
     pid,
     clientRedirectUri,
-    { appFetch = fetch } = {}
+    { appFetch = fetch, fetchFinalRedirectUri } = {}
   ) => {
     Logger.log(
       LogLevel.DEBUG,
@@ -195,16 +195,20 @@ export const completeEaaUserAuthorizationWithQueryMode: IssuanceApi["completeEaa
       throw new AuthorizationError(errorMessage);
     }
 
-    const response = await appFetch(redirect_uri).catch(() => null);
-
-    if (!response || !response.ok) {
-      const errorMessage = `An error occurred while completing the authorization flow. Ensure ${clientRedirectUri} is a valid HTTP url for redirect`;
-      Logger.log(LogLevel.ERROR, errorMessage);
-      throw new AuthorizationError(errorMessage);
+    let finalRedirectUri: string | undefined;
+
+    if (fetchFinalRedirectUri) {
+      finalRedirectUri = await fetchFinalRedirectUri(redirect_uri);
+    } else {
+      const response = await appFetch(redirect_uri).catch(() => null);
+      if (!response || !response.ok) {
+        const errorMessage = `An error occurred while completing the authorization flow. Ensure ${clientRedirectUri} is a valid HTTP url for redirect`;
+        Logger.log(LogLevel.ERROR, errorMessage);
+        throw new AuthorizationError(errorMessage);
+      }
+      finalRedirectUri = response.url;
     }
 
-    const finalRedirectUri = response.url;
-
     if (!finalRedirectUri || !finalRedirectUri.startsWith(clientRedirectUri)) {
       const errorMessage = `The authorization server did not redirect to the provided client redirect URI. Expected: ${clientRedirectUri}, got: ${finalRedirectUri}`;
       Logger.log(LogLevel.ERROR, errorMessage);

package/src/credential/issuance/v1.3.3/mappers.ts

@@ -45,8 +45,17 @@ export const mapToIssuerConfig = createMapper<
       federation_entity,
     } = x.metadata;
 
+    // The Issuer's own `oauth_authorization_server` always describes the Issuer
+    // itself. When a credential offer selected a *different* Authorization
+    // Server, its metadata is surfaced separately through that server's
+    // federation claims, and the Authorization Server endpoints must be taken
+    // from there. Fall back to the Issuer's own server otherwise.
+    const oauthAuthorizationServer =
+      x.authorization_server_federation_claims?.metadata
+        ?.oauth_authorization_server ?? oauth_authorization_server;
+
     assert(
-      oauth_authorization_server,
+      oauthAuthorizationServer,
       "oauth_authorization_server is required in Issuer metadata"
     );
     assert(
@@ -55,19 +64,20 @@ export const mapToIssuerConfig = createMapper<
     );
 
     return {
-      authorization_endpoint: oauth_authorization_server.authorization_endpoint,
+      authorization_endpoint: oauthAuthorizationServer.authorization_endpoint,
       credential_endpoint: openid_credential_issuer.credential_endpoint,
       credential_issuer: openid_credential_issuer.credential_issuer,
+      authorization_servers: openid_credential_issuer.authorization_servers,
       credential_configurations_supported: mapCredentialConfigurationsSupported(
         openid_credential_issuer
       ),
       keys: [
         ...openid_credential_issuer.jwks.keys,
-        ...oauth_authorization_server.jwks.keys,
+        ...oauthAuthorizationServer.jwks.keys,
       ] as JWK[],
       pushed_authorization_request_endpoint:
-        oauth_authorization_server.pushed_authorization_request_endpoint,
-      token_endpoint: oauth_authorization_server.token_endpoint,
+        oauthAuthorizationServer.pushed_authorization_request_endpoint,
+      token_endpoint: oauthAuthorizationServer.token_endpoint,
       nonce_endpoint: openid_credential_issuer.nonce_endpoint ?? "",
       federation_entity: federation_entity ?? {},
       credential_issuance_batch_size:

package/src/credential/offer/api/02-extract-grant-details.ts

@@ -4,7 +4,7 @@ export interface ExtractGrantDetailsApi {
   /**
    * Extract grant details from a resolved Credential Offer.
    *
-   * @param offer - A previously resolved {@link CredentialOffer}.
+   * @param offer - A previously resolved Credential Offer.
    * @returns The extracted {@link ExtractGrantDetailsResult} containing
    *   the grant type and its parameters.
    * @throws {InvalidCredentialOfferError} If no supported grant type is found.

package/src/credential/offer/api/03-validate-credential-offer.ts

@@ -0,0 +1,19 @@
+import type { ValidateCredentialOfferOptions } from "@pagopa/io-wallet-oid4vci";
+import type { CredentialOffer } from "./types";
+
+export interface ValidateCredentialOfferApi {
+  /**
+   * Validate a resolved Credential Offer against the Credential Issuer metadata.
+   *
+   * @param options.offer - A previously resolved Credential Offer.
+   * @param options.credentialIssuerMetadata - The Credential Issuer metadata used
+   *   to cross-check the offer (e.g. the `authorization_server` selected by the
+   *   offer against the advertised `authorization_servers`).
+   * @returns A promise that resolves when the Credential Offer is valid.
+   * @throws {InvalidCredentialOfferError} If the Credential Offer fails validation.
+   */
+  validateCredentialOffer(options: {
+    offer: CredentialOffer;
+    credentialIssuerMetadata: ValidateCredentialOfferOptions["credentialIssuerMetadata"];
+  }): Promise<void>;
+}

package/src/credential/offer/api/index.ts

@@ -1,8 +1,10 @@
 import type { ResolveCredentialOfferApi } from "./01-resolve-credential-offer";
 import type { ExtractGrantDetailsApi } from "./02-extract-grant-details";
+import type { ValidateCredentialOfferApi } from "./03-validate-credential-offer";
 
 export interface OfferApi
   extends ResolveCredentialOfferApi,
-    ExtractGrantDetailsApi {}
+    ExtractGrantDetailsApi,
+    ValidateCredentialOfferApi {}
 
 export * from "./types";

package/src/credential/offer/v1.0.0/index.ts

@@ -8,4 +8,7 @@ export const Offer: OfferApi = {
   extractGrantDetails() {
     throw new UnimplementedFeatureError("extractGrantDetails", "1.0.0");
   },
+  validateCredentialOffer() {
+    throw new UnimplementedFeatureError("validateCredentialOffer", "1.0.0");
+  },
 };

package/src/credential/offer/v1.3.3/01-resolve-credential-offer.ts

@@ -1,35 +1,26 @@
 import {
   resolveCredentialOffer as sdkResolveCredentialOffer,
-  validateCredentialOffer,
   CredentialOfferError,
 } from "@pagopa/io-wallet-oid4vci";
-import {
-  InvalidQRCodeError,
-  InvalidCredentialOfferError,
-} from "../common/errors";
+import { InvalidQRCodeError } from "../common/errors";
 import type { OfferApi } from "../api";
+import { sdkConfigV1_3 } from "../../../utils/config";
 
 /**
  * v1.3.3 implementation — first step of the User Request Flow
  * (IT-Wallet spec, Section 12.1.2).
  *
  * Delegates to the SDK's {@link sdkResolveCredentialOffer} for URI parsing
- * and by-reference fetching, then to {@link validateCredentialOffer} for
- * IT-Wallet v1.3 structural checks:
- * - `credential_issuer` must be an HTTPS URL
- * - `grants` object is required
- * - `authorization_code` grant is required
- * - `scope` is required within `authorization_code`
+ * and by-reference fetching of the Credential Offer.
  *
  * Supported URI schemes: `openid-credential-offer://`, `haip-vci://`, `https://`.
  *
- * Cross-validation against Credential Issuer metadata (e.g. matching
- * `credential_configuration_ids` or `authorization_server`) is **not** performed
- * here; per the spec it belongs to the Issuance Flow.
+ * Structural validation and cross-validation against the Credential Issuer
+ * metadata are **not** performed here; they belong to the dedicated
+ * validate-credential-offer step of the flow.
  *
  * Resolution errors (bad scheme, missing params, network failure) are mapped
- * to {@link InvalidQRCodeError}; validation errors are mapped to
- * {@link InvalidCredentialOfferError}.
+ * to {@link InvalidQRCodeError}.
  */
 export const resolveCredentialOffer: OfferApi["resolveCredentialOffer"] =
   async (credentialOffer, callbacks = {}) => {
@@ -37,6 +28,7 @@ export const resolveCredentialOffer: OfferApi["resolveCredentialOffer"] =
 
     // Parse the URI and fetch the offer when transmitted by reference
     const resolved = await sdkResolveCredentialOffer({
+      config: sdkConfigV1_3,
       credentialOffer,
       callbacks: { fetch: fetchFn },
     }).catch((e: unknown) => {
@@ -46,15 +38,5 @@ export const resolveCredentialOffer: OfferApi["resolveCredentialOffer"] =
       throw e;
     });
 
-    // Structural validation (no metadata cross-checks at this stage)
-    await validateCredentialOffer({
-      credentialOffer: resolved,
-    }).catch((e: unknown) => {
-      if (e instanceof CredentialOfferError) {
-        throw new InvalidCredentialOfferError(e.message);
-      }
-      throw e;
-    });
-
     return resolved;
   };

package/src/credential/offer/v1.3.3/02-extract-grant-details.ts

@@ -5,6 +5,7 @@ import {
 import { InvalidCredentialOfferError } from "../common/errors";
 import { withMappedErrors } from "../../../utils/errors";
 import type { OfferApi } from "../api";
+import { sdkConfigV1_3 } from "../../../utils/config";
 
 /**
  * v1.3.3 implementation — second and final step of the User Request Flow
@@ -21,7 +22,11 @@ import type { OfferApi } from "../api";
  */
 export const extractGrantDetails: OfferApi["extractGrantDetails"] = (offer) =>
   withMappedErrors(
-    () => sdkExtractGrantDetails(offer),
+    () =>
+      sdkExtractGrantDetails({
+        config: sdkConfigV1_3,
+        credentialOffer: offer,
+      }),
     CredentialOfferError,
     (e) => new InvalidCredentialOfferError(e.message)
   );

package/src/credential/offer/v1.3.3/03-validate-credential-offer.ts

@@ -0,0 +1,33 @@
+import {
+  validateCredentialOffer as sdkValidateCredentialOffer,
+  CredentialOfferError,
+} from "@pagopa/io-wallet-oid4vci";
+import { InvalidCredentialOfferError } from "../common/errors";
+import type { OfferApi } from "../api";
+import { sdkConfigV1_3 } from "../../../utils/config";
+
+/**
+ * v1.3.3 implementation — validates a resolved Credential Offer against the
+ * Credential Issuer metadata (IT-Wallet spec, Section 12.1.2).
+ *
+ * Performs the IT-Wallet v1.3 structural checks on the offer and, when the
+ * Credential Issuer relies on multiple Authorization Servers, ensures the
+ * `authorization_server` selected by the offer matches one of the advertised
+ * `authorization_servers`.
+ *
+ * Delegates to the SDK's {@link sdkValidateCredentialOffer}; validation errors
+ * are mapped to {@link InvalidCredentialOfferError}.
+ */
+export const validateCredentialOffer: OfferApi["validateCredentialOffer"] =
+  async ({ offer, credentialIssuerMetadata }) => {
+    await sdkValidateCredentialOffer({
+      config: sdkConfigV1_3,
+      credentialOffer: offer,
+      credentialIssuerMetadata,
+    }).catch((e: unknown) => {
+      if (e instanceof CredentialOfferError) {
+        throw new InvalidCredentialOfferError(e.message);
+      }
+      throw e;
+    });
+  };

package/src/credential/offer/v1.3.3/index.ts

@@ -1,8 +1,10 @@
 import type { OfferApi } from "../api";
 import { resolveCredentialOffer } from "./01-resolve-credential-offer";
 import { extractGrantDetails } from "./02-extract-grant-details";
+import { validateCredentialOffer } from "./03-validate-credential-offer";
 
 export const Offer: OfferApi = {
   resolveCredentialOffer,
   extractGrantDetails,
+  validateCredentialOffer,
 };