npm - @pagopa/io-react-native-wallet - Versions diffs - 3.4.2 → 3.4.4 - Mend

@pagopa/io-react-native-wallet 3.4.2 → 3.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (98) hide show

package/lib/typescript/credential/offer/v1.3.3/03-validate-credential-offer.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { OfferApi } from "../api";
+/**
+ * v1.3.3 implementation — validates a resolved Credential Offer against the
+ * Credential Issuer metadata (IT-Wallet spec, Section 12.1.2).
+ *
+ * Performs the IT-Wallet v1.3 structural checks on the offer and, when the
+ * Credential Issuer relies on multiple Authorization Servers, ensures the
+ * `authorization_server` selected by the offer matches one of the advertised
+ * `authorization_servers`.
+ *
+ * Delegates to the SDK's {@link sdkValidateCredentialOffer}; validation errors
+ * are mapped to {@link InvalidCredentialOfferError}.
+ */
+export declare const validateCredentialOffer: OfferApi["validateCredentialOffer"];
+//# sourceMappingURL=03-validate-credential-offer.d.ts.map

package/lib/typescript/credential/offer/v1.3.3/03-validate-credential-offer.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"03-validate-credential-offer.d.ts","sourceRoot":"","sources":["../../../../../src/credential/offer/v1.3.3/03-validate-credential-offer.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAGvC;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,EAAE,QAAQ,CAAC,yBAAyB,CAYrE,CAAC"}

package/lib/typescript/credential/offer/v1.3.3/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/credential/offer/v1.3.3/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;~~AAIvC~~,eAAO,MAAM,KAAK,EAAE,~~QAGnB~~,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/credential/offer/v1.3.3/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAKvC,eAAO,MAAM,KAAK,EAAE,QAInB,CAAC"}

package/lib/typescript/credentials-catalogue/v1.3.3/mappers.d.ts CHANGED Viewed

@@ -130,10 +130,10 @@ export declare const mapToCredentialsCatalogue: (input: [{
                 mandatory: boolean;
             }[];
             data_origin_l10n_id: string;
-            integration_endpoint: string;
             integration_method: string;
-            user_information_l10n_id: string;
             domains?: string[] | undefined;
+            integration_endpoint?: string | undefined;
+            user_information_l10n_id?: string | undefined;
             api_specification?: string | undefined;
             background_color?: string | undefined;
             contacts?: string[] | undefined;

package/lib/typescript/credentials-catalogue/v1.3.3/types.d.ts CHANGED Viewed

@@ -27,9 +27,9 @@ export declare const AuthenticSource: z.ZodObject<{
         }, z.core.$strip>>;
         domains: z.ZodOptional<z.ZodArray<z.ZodString>>;
         data_origin_l10n_id: z.ZodString;
-        integration_endpoint: z.ZodString;
+        integration_endpoint: z.ZodOptional<z.ZodString>;
         integration_method: z.ZodString;
-        user_information_l10n_id: z.ZodString;
+        user_information_l10n_id: z.ZodOptional<z.ZodString>;
         api_specification: z.ZodOptional<z.ZodString>;
         background_color: z.ZodOptional<z.ZodString>;
         contacts: z.ZodOptional<z.ZodArray<z.ZodString>>;
@@ -183,9 +183,9 @@ export declare const AuthenticSourceRegistry: z.ZodObject<{
             }, z.core.$strip>>;
             domains: z.ZodOptional<z.ZodArray<z.ZodString>>;
             data_origin_l10n_id: z.ZodString;
-            integration_endpoint: z.ZodString;
+            integration_endpoint: z.ZodOptional<z.ZodString>;
             integration_method: z.ZodString;
-            user_information_l10n_id: z.ZodString;
+            user_information_l10n_id: z.ZodOptional<z.ZodString>;
             api_specification: z.ZodOptional<z.ZodString>;
             background_color: z.ZodOptional<z.ZodString>;
             contacts: z.ZodOptional<z.ZodArray<z.ZodString>>;

package/lib/typescript/trust/v1.3.3/types.d.ts CHANGED Viewed

@@ -92,7 +92,7 @@ export declare const CredentialIssuerEntityConfiguration: z.ZodIntersection<z.Zo
         }, z.core.$strip>;
         metadata: z.ZodObject<{
             openid_credential_issuer: z.ZodObject<{
-                authorization_servers: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+                authorization_servers: z.ZodOptional<z.ZodTuple<[z.ZodURL], z.ZodURL>>;
                 batch_credential_issuance: z.ZodOptional<z.ZodObject<{
                     batch_size: z.ZodNumber;
                 }, z.core.$strip>>;
@@ -657,7 +657,7 @@ export declare const EntityConfiguration: z.ZodUnion<readonly [z.ZodIntersection
         }, z.core.$strip>;
         metadata: z.ZodObject<{
             openid_credential_issuer: z.ZodObject<{
-                authorization_servers: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+                authorization_servers: z.ZodOptional<z.ZodTuple<[z.ZodURL], z.ZodURL>>;
                 batch_credential_issuance: z.ZodOptional<z.ZodObject<{
                     batch_size: z.ZodNumber;
                 }, z.core.$strip>>;

package/lib/typescript/wallet-instance-attestation/v1.3.3/mappers.d.ts CHANGED Viewed

@@ -7,6 +7,7 @@ export declare const mapToDecodedWalletInstanceAttestation: (input: {
         trust_chain?: string[] | undefined;
     } & {
         typ: "oauth-client-attestation+jwt";
+        x5c: string[];
     };
     payload: {
         iss: string;

package/lib/typescript/wallet-instance-attestation/v1.3.3/mappers.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"mappers.d.ts","sourceRoot":"","sources":["../../../../src/wallet-instance-attestation/v1.3.3/mappers.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,qCAAqC~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~CAKhD,CAAC"}
1	+ {"version":3,"file":"mappers.d.ts","sourceRoot":"","sources":["../../../../src/wallet-instance-attestation/v1.3.3/mappers.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,qCAAqC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAKhD,CAAC"}

package/lib/typescript/wallet-instance-attestation/v1.3.3/types.d.ts CHANGED Viewed

@@ -9,6 +9,7 @@ export declare const WalletInstanceAttestationJwt: z.ZodObject<{
         trust_chain: z.ZodOptional<z.ZodArray<z.ZodString>>;
     }, z.core.$strip>, z.ZodObject<{
         typ: z.ZodLiteral<"oauth-client-attestation+jwt">;
+        x5c: z.ZodArray<z.ZodString>;
     }, z.core.$strip>>;
     payload: z.ZodIntersection<z.ZodObject<{
         iss: z.ZodString;

package/lib/typescript/wallet-instance-attestation/v1.3.3/types.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/wallet-instance-attestation/v1.3.3/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AAGzB,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAChD,OAAO,4BAA4B,CACpC,CAAC;AACF,eAAO,MAAM,4BAA4B~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAevC~~,CAAC;AAEH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CACrD,OAAO,iCAAiC,CACzC,CAAC;AACF,eAAO,MAAM,iCAAiC;;iBAE5C,CAAC"}
1	+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/wallet-instance-attestation/v1.3.3/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AAGzB,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAChD,OAAO,4BAA4B,CACpC,CAAC;AACF,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAgBvC,CAAC;AAEH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CACrD,OAAO,iCAAiC,CACzC,CAAC;AACF,eAAO,MAAM,iCAAiC;;iBAE5C,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-react-native-wallet",
-  "version": "3.4.2",
+  "version": "3.4.4",
   "description": "Provide data structures, helpers and API for IO Wallet",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",
@@ -140,11 +140,11 @@
     ]
   },
   "dependencies": {
-    "@pagopa/io-wallet-oauth2": "1.4.2",
-    "@pagopa/io-wallet-oid-federation": "1.4.2",
-    "@pagopa/io-wallet-oid4vci": "1.4.2",
-    "@pagopa/io-wallet-oid4vp": "1.4.2",
-    "@pagopa/io-wallet-utils": "1.4.2",
+    "@pagopa/io-wallet-oauth2": "1.5.2",
+    "@pagopa/io-wallet-oid-federation": "1.5.2",
+    "@pagopa/io-wallet-oid4vci": "1.5.2",
+    "@pagopa/io-wallet-oid4vp": "1.5.2",
+    "@pagopa/io-wallet-utils": "1.5.2",
     "@sd-jwt/core": "^0.19.0",
     "@sd-jwt/crypto-nodejs": "^0.19.0",
     "@sd-jwt/jwt-status-list": "^0.19.0",

package/src/credential/issuance/api/01-evaluate-issuer-trust.ts CHANGED Viewed

@@ -8,10 +8,13 @@ export interface EvaluateIssuerTrustApi {
    *
    * @param issuerUrl The base url of the Issuer
    * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+   * @param context.authorizationServer (optional) Authorization Server URL selected
+   *   from a credential offer. When provided it must match one of the Credential
+   *   Issuer metadata `authorization_servers`. Only honored from v1.3.3 onwards.
    * @returns The Issuer's configuration
    */
   evaluateIssuerTrust(
     issuerUrl: string,
-    ctx?: { appFetch?: GlobalFetch["fetch"] }
+    ctx?: { appFetch?: GlobalFetch["fetch"]; authorizationServer?: string }
   ): Promise<{ issuerConf: IssuerConfig }>;
 }

package/src/credential/issuance/api/02-start-user-authorization.ts CHANGED Viewed

@@ -27,6 +27,8 @@ export interface StartUserAuthorizationApi {
    * @param context.walletInstanceAttestation: the Wallet Instance's attestation
    * @param context.redirectUri: the redirect URI
    * @param context.appFetch: (optional) the fetch implementation
+   * @param context.scope: (optional) the OAuth 2.0 scope, forwarded to the PAR. When the issuance is started from a Credential Offer, it comes from the `authorization_code` grant.
+   * @param context.issuerState: (optional) the issuer state, forwarded to the PAR to correlate the authorization request with the Credential Offer.
    * @returns The URI to which the end user should be redirected to start the authentication flow, along with additional authentication parameters
    */
   startUserAuthorization(
@@ -40,6 +42,8 @@ export interface StartUserAuthorizationApi {
       walletInstanceAttestation: string;
       redirectUri: string;
       appFetch?: GlobalFetch["fetch"];
+      scope?: string;
+      issuerState?: string;
     }
   ): Promise<{
     issuerRequestUri: string;

package/src/credential/issuance/api/IssuerConfig.ts CHANGED Viewed

@@ -50,6 +50,12 @@ const CredentialConfig = z.intersection(
 export type IssuerConfig = z.infer<typeof IssuerConfig>;
 export const IssuerConfig = z.object({
   credential_issuer: z.string(),
+  /**
+   * Authorization Servers advertised by the Credential Issuer. Present when the
+   * Issuer relies on one or more external Authorization Servers; used to validate
+   * the `authorization_server` selected by a credential offer.
+   */
+  authorization_servers: z.tuple([z.string()], z.string()).optional(),
   pushed_authorization_request_endpoint: z.string(),
   authorization_endpoint: z.string(),
   token_endpoint: z.string(),

package/src/credential/issuance/v1.3.3/01-evaluate-issuer-trust.ts CHANGED Viewed

@@ -13,6 +13,7 @@ export const evaluateIssuerTrust: IssuanceApi["evaluateIssuerTrust"] = async (
   const issuerMetadata = (await fetchMetadata({
     config: sdkConfigV1_3,
     credentialIssuerUrl: issuerUrl,
+    authorizationServer: context.authorizationServer,
     callbacks: {
       fetch: context.appFetch,
     },

package/src/credential/issuance/v1.3.3/02-start-user-authorization.ts CHANGED Viewed

@@ -22,6 +22,8 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       walletInstanceAttestation,
       redirectUri,
       appFetch = fetch,
+      scope,
+      issuerState,
     } = ctx;
     const clientId = await wiaCryptoContext.getPublicKey().then((_) => _.kid);
@@ -76,6 +78,11 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
       authorization_details: credentialDefinition,
       codeChallengeMethodsSupported: ["S256"],
       redirectUri,
+      // When the issuance is started from a Credential Offer, the `scope` and
+      // `issuer_state` carried by the authorization_code grant are forwarded to
+      // the PAR. They are `undefined` (and thus omitted) for the regular flow.
+      scope,
+      issuerState,
       dpop: {
         signer: wiaSigner,
       },

package/src/credential/issuance/v1.3.3/mappers.ts CHANGED Viewed

@@ -45,8 +45,17 @@ export const mapToIssuerConfig = createMapper<
       federation_entity,
     } = x.metadata;
+    // The Issuer's own `oauth_authorization_server` always describes the Issuer
+    // itself. When a credential offer selected a *different* Authorization
+    // Server, its metadata is surfaced separately through that server's
+    // federation claims, and the Authorization Server endpoints must be taken
+    // from there. Fall back to the Issuer's own server otherwise.
+    const oauthAuthorizationServer =
+      x.authorization_server_federation_claims?.metadata
+        ?.oauth_authorization_server ?? oauth_authorization_server;
     assert(
-      oauth_authorization_server,
+      oauthAuthorizationServer,
       "oauth_authorization_server is required in Issuer metadata"
     );
     assert(
@@ -55,19 +64,20 @@ export const mapToIssuerConfig = createMapper<
     );
     return {
-      authorization_endpoint: oauth_authorization_server.authorization_endpoint,
+      authorization_endpoint: oauthAuthorizationServer.authorization_endpoint,
       credential_endpoint: openid_credential_issuer.credential_endpoint,
       credential_issuer: openid_credential_issuer.credential_issuer,
+      authorization_servers: openid_credential_issuer.authorization_servers,
       credential_configurations_supported: mapCredentialConfigurationsSupported(
         openid_credential_issuer
       ),
       keys: [
         ...openid_credential_issuer.jwks.keys,
-        ...oauth_authorization_server.jwks.keys,
+        ...oauthAuthorizationServer.jwks.keys,
       ] as JWK[],
       pushed_authorization_request_endpoint:
-        oauth_authorization_server.pushed_authorization_request_endpoint,
-      token_endpoint: oauth_authorization_server.token_endpoint,
+        oauthAuthorizationServer.pushed_authorization_request_endpoint,
+      token_endpoint: oauthAuthorizationServer.token_endpoint,
       nonce_endpoint: openid_credential_issuer.nonce_endpoint ?? "",
       federation_entity: federation_entity ?? {},
       credential_issuance_batch_size:

package/src/credential/offer/api/02-extract-grant-details.ts CHANGED Viewed

@@ -4,7 +4,7 @@ export interface ExtractGrantDetailsApi {
   /**
    * Extract grant details from a resolved Credential Offer.
    *
-   * @param offer - A previously resolved {@link CredentialOffer}.
+   * @param offer - A previously resolved Credential Offer.
    * @returns The extracted {@link ExtractGrantDetailsResult} containing
    *   the grant type and its parameters.
    * @throws {InvalidCredentialOfferError} If no supported grant type is found.

package/src/credential/offer/api/03-validate-credential-offer.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { ValidateCredentialOfferOptions } from "@pagopa/io-wallet-oid4vci";
+import type { CredentialOffer } from "./types";
+export interface ValidateCredentialOfferApi {
+  /**
+   * Validate a resolved Credential Offer against the Credential Issuer metadata.
+   *
+   * @param options.offer - A previously resolved Credential Offer.
+   * @param options.credentialIssuerMetadata - The Credential Issuer metadata used
+   *   to cross-check the offer (e.g. the `authorization_server` selected by the
+   *   offer against the advertised `authorization_servers`).
+   * @returns A promise that resolves when the Credential Offer is valid.
+   * @throws {InvalidCredentialOfferError} If the Credential Offer fails validation.
+   */
+  validateCredentialOffer(options: {
+    offer: CredentialOffer;
+    credentialIssuerMetadata: ValidateCredentialOfferOptions["credentialIssuerMetadata"];
+  }): Promise<void>;
+}

package/src/credential/offer/api/index.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 import type { ResolveCredentialOfferApi } from "./01-resolve-credential-offer";
 import type { ExtractGrantDetailsApi } from "./02-extract-grant-details";
+import type { ValidateCredentialOfferApi } from "./03-validate-credential-offer";
 export interface OfferApi
   extends ResolveCredentialOfferApi,
-    ExtractGrantDetailsApi {}
+    ExtractGrantDetailsApi,
+    ValidateCredentialOfferApi {}
 export * from "./types";

package/src/credential/offer/v1.0.0/index.ts CHANGED Viewed

@@ -8,4 +8,7 @@ export const Offer: OfferApi = {
   extractGrantDetails() {
     throw new UnimplementedFeatureError("extractGrantDetails", "1.0.0");
   },
+  validateCredentialOffer() {
+    throw new UnimplementedFeatureError("validateCredentialOffer", "1.0.0");
+  },
 };

package/src/credential/offer/v1.3.3/01-resolve-credential-offer.ts CHANGED Viewed

@@ -1,35 +1,26 @@
 import {
   resolveCredentialOffer as sdkResolveCredentialOffer,
-  validateCredentialOffer,
   CredentialOfferError,
 } from "@pagopa/io-wallet-oid4vci";
-import {
-  InvalidQRCodeError,
-  InvalidCredentialOfferError,
-} from "../common/errors";
+import { InvalidQRCodeError } from "../common/errors";
 import type { OfferApi } from "../api";
+import { sdkConfigV1_3 } from "../../../utils/config";
 /**
  * v1.3.3 implementation — first step of the User Request Flow
  * (IT-Wallet spec, Section 12.1.2).
  *
  * Delegates to the SDK's {@link sdkResolveCredentialOffer} for URI parsing
- * and by-reference fetching, then to {@link validateCredentialOffer} for
- * IT-Wallet v1.3 structural checks:
- * - `credential_issuer` must be an HTTPS URL
- * - `grants` object is required
- * - `authorization_code` grant is required
- * - `scope` is required within `authorization_code`
+ * and by-reference fetching of the Credential Offer.
  *
  * Supported URI schemes: `openid-credential-offer://`, `haip-vci://`, `https://`.
  *
- * Cross-validation against Credential Issuer metadata (e.g. matching
- * `credential_configuration_ids` or `authorization_server`) is **not** performed
- * here; per the spec it belongs to the Issuance Flow.
+ * Structural validation and cross-validation against the Credential Issuer
+ * metadata are **not** performed here; they belong to the dedicated
+ * validate-credential-offer step of the flow.
  *
  * Resolution errors (bad scheme, missing params, network failure) are mapped
- * to {@link InvalidQRCodeError}; validation errors are mapped to
- * {@link InvalidCredentialOfferError}.
+ * to {@link InvalidQRCodeError}.
  */
 export const resolveCredentialOffer: OfferApi["resolveCredentialOffer"] =
   async (credentialOffer, callbacks = {}) => {
@@ -37,6 +28,7 @@ export const resolveCredentialOffer: OfferApi["resolveCredentialOffer"] =
     // Parse the URI and fetch the offer when transmitted by reference
     const resolved = await sdkResolveCredentialOffer({
+      config: sdkConfigV1_3,
       credentialOffer,
       callbacks: { fetch: fetchFn },
     }).catch((e: unknown) => {
@@ -46,15 +38,5 @@ export const resolveCredentialOffer: OfferApi["resolveCredentialOffer"] =
       throw e;
     });
-    // Structural validation (no metadata cross-checks at this stage)
-    await validateCredentialOffer({
-      credentialOffer: resolved,
-    }).catch((e: unknown) => {
-      if (e instanceof CredentialOfferError) {
-        throw new InvalidCredentialOfferError(e.message);
-      }
-      throw e;
-    });
     return resolved;
   };

package/src/credential/offer/v1.3.3/02-extract-grant-details.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import {
 import { InvalidCredentialOfferError } from "../common/errors";
 import { withMappedErrors } from "../../../utils/errors";
 import type { OfferApi } from "../api";
+import { sdkConfigV1_3 } from "../../../utils/config";
 /**
  * v1.3.3 implementation — second and final step of the User Request Flow
@@ -21,7 +22,11 @@ import type { OfferApi } from "../api";
  */
 export const extractGrantDetails: OfferApi["extractGrantDetails"] = (offer) =>
   withMappedErrors(
-    () => sdkExtractGrantDetails(offer),
+    () =>
+      sdkExtractGrantDetails({
+        config: sdkConfigV1_3,
+        credentialOffer: offer,
+      }),
     CredentialOfferError,
     (e) => new InvalidCredentialOfferError(e.message)
   );

package/src/credential/offer/v1.3.3/03-validate-credential-offer.ts ADDED Viewed

@@ -0,0 +1,33 @@
+import {
+  validateCredentialOffer as sdkValidateCredentialOffer,
+  CredentialOfferError,
+} from "@pagopa/io-wallet-oid4vci";
+import { InvalidCredentialOfferError } from "../common/errors";
+import type { OfferApi } from "../api";
+import { sdkConfigV1_3 } from "../../../utils/config";
+/**
+ * v1.3.3 implementation — validates a resolved Credential Offer against the
+ * Credential Issuer metadata (IT-Wallet spec, Section 12.1.2).
+ *
+ * Performs the IT-Wallet v1.3 structural checks on the offer and, when the
+ * Credential Issuer relies on multiple Authorization Servers, ensures the
+ * `authorization_server` selected by the offer matches one of the advertised
+ * `authorization_servers`.
+ *
+ * Delegates to the SDK's {@link sdkValidateCredentialOffer}; validation errors
+ * are mapped to {@link InvalidCredentialOfferError}.
+ */
+export const validateCredentialOffer: OfferApi["validateCredentialOffer"] =
+  async ({ offer, credentialIssuerMetadata }) => {
+    await sdkValidateCredentialOffer({
+      config: sdkConfigV1_3,
+      credentialOffer: offer,
+      credentialIssuerMetadata,
+    }).catch((e: unknown) => {
+      if (e instanceof CredentialOfferError) {
+        throw new InvalidCredentialOfferError(e.message);
+      }
+      throw e;
+    });
+  };

package/src/credential/offer/v1.3.3/index.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 import type { OfferApi } from "../api";
 import { resolveCredentialOffer } from "./01-resolve-credential-offer";
 import { extractGrantDetails } from "./02-extract-grant-details";
+import { validateCredentialOffer } from "./03-validate-credential-offer";
 export const Offer: OfferApi = {
   resolveCredentialOffer,
   extractGrantDetails,
+  validateCredentialOffer,
 };

package/src/credentials-catalogue/v1.3.3/types.ts CHANGED Viewed

@@ -14,9 +14,9 @@ const ASDataCapability = z.object({
   ),
   domains: z.array(z.string()).optional(),
   data_origin_l10n_id: z.string(),
-  integration_endpoint: z.string(),
+  integration_endpoint: z.string().optional(),
   integration_method: z.string(),
-  user_information_l10n_id: z.string(),
+  user_information_l10n_id: z.string().optional(),
   // optional per spec (api_specification required in spec but absent in actual responses)
   api_specification: z.string().optional(),
   background_color: z.string().optional(),

package/src/wallet-instance-attestation/v1.3.3/types.ts CHANGED Viewed

@@ -9,6 +9,7 @@ export const WalletInstanceAttestationJwt = z.object({
     Jwt.shape.header,
     z.object({
       typ: z.literal("oauth-client-attestation+jwt"),
+      x5c: z.array(z.string()),
     })
   ),
   payload: z.intersection(