@sphereon/oid4vci-client 0.0.1-unstable.1

package/lib/types/VCIssuance.types.ts

@@ -0,0 +1,118 @@
+import { KeyObject } from 'crypto';
+
+import { CredentialFormat, W3CVerifiableCredential } from '@sphereon/ssi-types';
+
+export enum AuthzFlowType {
+  AUTHORIZATION_CODE_FLOW = 'Authorization Code Flow',
+  PRE_AUTHORIZED_CODE_FLOW = 'Pre-Authorized Code Flow',
+}
+
+// eslint-disable-next-line @typescript-eslint/no-namespace
+export namespace AuthzFlowType {
+  export function valueOf(request: IssuanceInitiationRequestPayload): AuthzFlowType {
+    if (request.pre_authorized_code) {
+      return AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW;
+    }
+    return AuthzFlowType.AUTHORIZATION_CODE_FLOW;
+  }
+}
+
+export interface CredentialRequest {
+  //TODO: handling list is out of scope for now
+  type: string | string[];
+  //TODO: handling list is out of scope for now
+  format: CredentialFormat | CredentialFormat[];
+  proof: ProofOfPossession;
+}
+
+export interface CredentialResponse {
+  credential: W3CVerifiableCredential;
+  format: CredentialFormat;
+}
+
+export interface IssuanceInitiationWithBaseUrl {
+  baseUrl: string;
+  issuanceInitiationRequest: IssuanceInitiationRequestPayload;
+}
+
+export interface IssuanceInitiationRequestPayload {
+  issuer: string; //(url) REQUIRED The issuer URL of the Credential issuer, the Wallet is requested to obtain one or more Credentials from.
+  credential_type: string[] | string; //(url) REQUIRED A JSON string denoting the type of the Credential the Wallet shall request
+  pre_authorized_code?: string; //CONDITIONAL the code representing the issuer's authorization for the Wallet to obtain Credentials of a certain type. This code MUST be short-lived and single-use. MUST be present in a pre-authorized code flow.
+  user_pin_required?: boolean; //OPTIONAL Boolean value specifying whether the issuer expects presentation of a user PIN along with the Token Request in a pre-authorized code flow. Default is false.
+  op_state?: string; //(JWT) OPTIONAL String value created by the Credential Issuer and opaque to the Wallet that is used to bind the subsequent authentication request with the Credential Issuer to a context set up during previous steps
+}
+
+export enum ProofType {
+  JWT = 'jwt',
+}
+
+export interface ProofOfPossession {
+  proof_type: ProofType;
+  jwt: string;
+
+  [x: string]: unknown;
+}
+
+export type SearchValue = {
+  // eslint-disable-next-line  @typescript-eslint/no-explicit-any
+  [Symbol.replace](string: string, replacer: (substring: string, ...args: any[]) => string): string;
+};
+
+export type EncodeJsonAsURIOpts = { uriTypeProperties?: string[]; arrayTypeProperties?: string[]; baseUrl?: string };
+
+export type DecodeURIAsJsonOpts = { requiredProperties?: string[]; arrayTypeProperties?: string[] };
+
+export interface JWK {
+  kty?: string;
+  crv?: string;
+  x?: string;
+  y?: string;
+  e?: string;
+  n?: string;
+}
+
+export type Alg = 'ES256' | 'EdDSA';
+
+export interface JWTHeader {
+  alg: Alg; // REQUIRED by the JWT signer
+  typ?: string; //JWT always
+  kid?: string; // CONDITIONAL. JWT header containing the key ID. If the Credential shall be bound to a DID, the kid refers to a DID URL which identifies a particular key in the DID Document that the Credential shall be bound to. MUST NOT be present if jwk or x5c is present.
+  jwk?: JWK; // CONDITIONAL. JWT header containing the key material the new Credential shall be bound to. MUST NOT be present if kid or x5c is present.
+  x5c?: string[]; // CONDITIONAL. JWT header containing a certificate or certificate chain corresponding to the key used to sign the JWT. This element may be used to convey a key attestation. In such a case, the actual key certificate will contain attributes related to the key properties. MUST NOT be present if kid or jwk is present.
+}
+
+export interface JWTPayload {
+  iss: string; // REQUIRED (string). The value of this claim MUST be the client_id of the client making the credential request.
+  aud?: string; // REQUIRED (string). The value of this claim MUST be the issuer URL of credential issuer.
+  iat?: number; // REQUIRED (number). The value of this claim MUST be the time at which the proof was issued using the syntax defined in [RFC7519].
+  nonce: string; // REQUIRED (string). The value type of this claim MUST be a string, where the value is a c_nonce provided by the credential issuer.
+  jti: string; // A new nonce chosen by the wallet. Used to prevent replay
+  exp?: number; // Not longer than 5 minutes
+}
+
+export interface JWTSignerArgs {
+  header: JWTHeader;
+  payload: JWTPayload;
+  privateKey: KeyObject;
+  publicKey: KeyObject;
+}
+
+export interface JWTVerifyArgs {
+  jws: string;
+  key: KeyObject;
+  algorithms?: Alg[];
+}
+
+export interface ProofOfPossessionOpts {
+  credentialRequestUrl: string;
+  jwtSignerArgs: JWTSignerArgs;
+  jwtSignerCallback: JWTSignerCallback;
+  jwtVerifyCallback?: JWTVerifyCallback;
+}
+
+export type JWTSignerCallback = (args: JWTSignerArgs) => Promise<string>;
+
+export type JWTVerifyCallback = (args: JWTVerifyArgs) => Promise<void>;
+
+export type Request = CredentialRequest;

package/lib/types/index.ts

@@ -0,0 +1,3 @@
+export * from './OIDC4VCI.types';
+export * from './Oidc4vciErrors';
+export * from './VCIssuance.types';

package/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "@sphereon/oid4vci-client",
+  "version": "0.0.1-unstable.1",
+  "description": "OpenID for Verifiable Credential Issuance (OID4VCI) client",
+  "main": "dist/main/index.js",
+  "author": "Sphereon",
+  "license": "Apache-2.0",
+  "private": false,
+  "scripts": {
+    "build": "run-p build:*",
+    "build:main": "tsc -p tsconfig.build.json",
+    "clean": "rimraf dist coverage",
+    "watch": "tsc -w",
+    "fix": "run-s fix:*",
+    "fix:prettier": "prettier \"{lib,tests}/**/*.ts\" --write",
+    "fix:lint": "eslint . --ext .ts --fix",
+    "test": "run-s build test:*",
+    "test:lint": "eslint . --ext .ts",
+    "test:prettier": "prettier \"{lib,tests}/**/*.ts\" --list-different",
+    "test:cov": "jest --ci --coverage && codecov",
+    "uninstall": "rimraf dist coverage yarn.lock package-lock.json node_modules"
+  },
+  "engines": {
+    "node": ">=14"
+  },
+  "dependencies": {
+    "@sphereon/ssi-types": "0.8.1-next.31",
+    "bs58": "^5.0.0",
+    "cross-fetch": "^3.1.5",
+    "uint8arrays": "^3.1.1"
+  },
+  "devDependencies": {
+    "@types/jest": "^28.1.8",
+    "@typescript-eslint/eslint-plugin": "^5.36.1",
+    "@typescript-eslint/parser": "^5.36.1",
+    "codecov": "^3.8.3",
+    "dotenv": "^16.0.2",
+    "eslint": "^8.23.0",
+    "eslint-config-prettier": "^8.5.0",
+    "eslint-plugin-eslint-comments": "^3.2.0",
+    "eslint-plugin-import": "^2.26.0",
+    "jest": "^29.1.2",
+    "jest-junit": "^14.0.1",
+    "jose": "^4.10.0",
+    "nock": "^13.2.9",
+    "npm-run-all": "^4.1.5",
+    "open-cli": "^7.0.1",
+    "rimraf": "^3.0.2",
+    "prettier": "^2.7.1",
+    "ts-jest": "^29.0.3",
+    "ts-node": "^10.9.1",
+    "typescript": "4.6.4"
+  },
+  "prettier": {
+    "singleQuote": true,
+    "printWidth": 150
+  },
+  "resolutions": {}
+}

package/tests/AccessTokenClient.spec.ts

@@ -0,0 +1,149 @@
+import nock from 'nock';
+
+import { AccessTokenClient, AccessTokenRequest, AccessTokenResponse, GrantTypes } from '../lib';
+
+import { UNIT_TEST_TIMEOUT } from './IT.spec';
+
+const MOCK_URL = 'https://sphereonjunit20221013.com/';
+
+describe('AccessTokenClient should', () => {
+  it(
+    'get Access Token without resulting in errors',
+    async () => {
+      const accessTokenClient: AccessTokenClient = new AccessTokenClient();
+
+      const accessTokenIssuanceRequest: AccessTokenRequest = {
+        grant_type: GrantTypes.PRE_AUTHORIZED_CODE,
+        pre_authorized_code: '20221013',
+        client_id: 'sphereon',
+      } as AccessTokenRequest;
+
+      const body: AccessTokenResponse = {
+        access_token: 20221013,
+        authorization_pending: false,
+        c_nonce: 'c_nonce2022101300',
+        c_nonce_expires_in: 2022101300,
+        interval: 2022101300,
+        token_type: 'Bearer',
+      };
+      nock(MOCK_URL).post(/.*/).reply(200, JSON.stringify(body));
+
+      const accessTokenResponse: AccessTokenResponse = (await accessTokenClient.acquireAccessTokenUsingRequest(accessTokenIssuanceRequest, {
+        asOpts: { as: MOCK_URL },
+      })) as AccessTokenResponse;
+
+      expect(accessTokenResponse).toEqual(body);
+    },
+    UNIT_TEST_TIMEOUT
+  );
+
+  it(
+    'get error',
+    async () => {
+      const accessTokenClient: AccessTokenClient = new AccessTokenClient();
+
+      const accessTokenIssuanceRequest: AccessTokenRequest = {
+        grant_type: GrantTypes.AUTHORIZATION_CODE,
+      } as AccessTokenRequest;
+
+      nock(MOCK_URL).post(/.*/).reply(200, '');
+
+      await expect(accessTokenClient.acquireAccessTokenUsingRequest(accessTokenIssuanceRequest, { asOpts: { as: MOCK_URL } })).rejects.toThrow(
+        'Only pre-authorized-code flow is supported'
+      );
+    },
+    UNIT_TEST_TIMEOUT
+  );
+
+  it(
+    'get error for incorrect code',
+    async () => {
+      const accessTokenClient: AccessTokenClient = new AccessTokenClient();
+
+      const accessTokenIssuanceRequest: AccessTokenRequest = {
+        grant_type: GrantTypes.PRE_AUTHORIZED_CODE,
+        pre_authorized_code: '',
+        user_pin: 1.0,
+      } as AccessTokenRequest;
+
+      nock(MOCK_URL).post(/.*/).reply(200, {});
+
+      await expect(accessTokenClient.acquireAccessTokenUsingRequest(accessTokenIssuanceRequest, { asOpts: { as: MOCK_URL } })).rejects.toThrow(
+        'Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.'
+      );
+    },
+    UNIT_TEST_TIMEOUT
+  );
+
+  it(
+    'get error for incorrect pin',
+    async () => {
+      const accessTokenClient: AccessTokenClient = new AccessTokenClient();
+
+      const accessTokenIssuanceRequest: AccessTokenRequest = {
+        grant_type: GrantTypes.PRE_AUTHORIZED_CODE,
+        pre_authorized_code: '20221013',
+        user_pin: null,
+      } as AccessTokenRequest;
+
+      nock(MOCK_URL).post(/.*/).reply(200, {});
+
+      await expect(
+        accessTokenClient.acquireAccessTokenUsingRequest(accessTokenIssuanceRequest, { isPinRequired: true, asOpts: { as: MOCK_URL } })
+      ).rejects.toThrow('A valid pin consisting of maximal 8 numeric characters must be present.');
+    },
+    UNIT_TEST_TIMEOUT
+  );
+
+  it(
+    'get error for incorrect client id',
+    async () => {
+      const accessTokenClient: AccessTokenClient = new AccessTokenClient();
+
+      const accessTokenIssuanceRequest: AccessTokenRequest = {
+        grant_type: GrantTypes.PRE_AUTHORIZED_CODE,
+        pre_authorized_code: '20221013',
+        user_pin: 20221013,
+      } as AccessTokenRequest;
+
+      nock(MOCK_URL).post(/.*/).reply(200, {});
+
+      await expect(
+        accessTokenClient.acquireAccessTokenUsingRequest(accessTokenIssuanceRequest, { isPinRequired: true, asOpts: { as: MOCK_URL } })
+      ).rejects.toThrow('The client Id must be present.');
+    },
+    UNIT_TEST_TIMEOUT
+  );
+  it(
+    'get error for incorrectly long pin',
+    async () => {
+      const accessTokenClient: AccessTokenClient = new AccessTokenClient();
+
+      const accessTokenIssuanceRequest: AccessTokenRequest = {
+        grant_type: GrantTypes.PRE_AUTHORIZED_CODE,
+        pre_authorized_code: '20221013',
+        client_id: 'spheroen.com',
+        user_pin: 123456789,
+      } as AccessTokenRequest;
+
+      nock(MOCK_URL).post(/.*/).reply(200, {});
+
+      await expect(
+        accessTokenClient.acquireAccessTokenUsingRequest(accessTokenIssuanceRequest, { isPinRequired: true, asOpts: { as: MOCK_URL } })
+      ).rejects.toThrow(Error('A valid pin consisting of maximal 8 numeric characters must be present.'));
+    },
+    UNIT_TEST_TIMEOUT
+  );
+
+  it(
+    'get error for unsupported flow type',
+    async () => {
+      const accessTokenClient: AccessTokenClient = new AccessTokenClient();
+
+      await expect(accessTokenClient.acquireAccessTokenUsingRequest({} as AccessTokenRequest, {})).rejects.toThrow(
+        Error('Only pre-authorized-code flow is supported')
+      );
+    },
+    UNIT_TEST_TIMEOUT
+  );
+});

package/tests/IT.spec.ts

@@ -0,0 +1,11 @@
+export const UNIT_TEST_TIMEOUT = 30000;
+
+describe('oidc4vci client should', () => {
+  it(
+    'succeed in starting',
+    async () => {
+      expect(true).toBeTruthy();
+    },
+    UNIT_TEST_TIMEOUT
+  );
+});

package/tests/IssuanceInitiation.spec.ts

@@ -0,0 +1,141 @@
+import { AuthzFlowType, convertJsonToURI, convertURIToJsonObject } from '../lib';
+import IssuanceInitiation from '../lib/IssuanceInitiation';
+
+describe('JSON To URI', () => {
+  it('should parse an object into open-id-URI with a single credential_type', () => {
+    expect(
+      convertJsonToURI(
+        {
+          issuer: 'https://server.example.com',
+          credential_type: 'https://did.example.org/healthCard',
+          op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+        },
+        {
+          uriTypeProperties: ['issuer', 'credential_type'],
+        }
+      )
+    ).toEqual(
+      'issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&op_state=eyJhbGciOiJSU0Et...FYUaBy'
+    );
+  });
+  it('should parse an object into open-id-URI with an array of credential_type', () => {
+    expect(
+      convertJsonToURI(
+        {
+          issuer: 'https://server.example.com',
+          credential_type: ['https://did.example.org/healthCard', 'https://did.example.org/driverLicense'],
+          op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+        },
+        {
+          arrayTypeProperties: ['credential_type'],
+          uriTypeProperties: ['issuer', 'credential_type'],
+        }
+      )
+    ).toEqual(
+      'issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FdriverLicense&op_state=eyJhbGciOiJSU0Et...FYUaBy'
+    );
+  });
+  it('should parse an object into open-id-URI with an array of credential_type and json string', () => {
+    expect(
+      convertJsonToURI(
+        JSON.stringify({
+          issuer: 'https://server.example.com',
+          credential_type: ['https://did.example.org/healthCard', 'https://did.example.org/driverLicense'],
+          op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+        }),
+        {
+          arrayTypeProperties: ['credential_type'],
+          uriTypeProperties: ['issuer', 'credential_type'],
+        }
+      )
+    ).toEqual(
+      'issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FdriverLicense&op_state=eyJhbGciOiJSU0Et...FYUaBy'
+    );
+  });
+});
+describe('URI To Json Object', () => {
+  it('should parse open-id-URI as json object with a single credential_type', () => {
+    expect(
+      convertURIToJsonObject(
+        'issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&op_state=eyJhbGciOiJSU0Et...FYUaBy',
+        {
+          arrayTypeProperties: ['credential_type'],
+          requiredProperties: ['issuer', 'credential_type'],
+        }
+      )
+    ).toEqual({
+      issuer: 'https://server.example.com',
+      credential_type: 'https://did.example.org/healthCard',
+      op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+    });
+  });
+  it('should parse open-id-URI as json object with an array of credential_type', () => {
+    expect(
+      convertURIToJsonObject(
+        'issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FdriverLicense&op_state=eyJhbGciOiJSU0Et...FYUaBy',
+        {
+          arrayTypeProperties: ['credential_type'],
+          requiredProperties: ['issuer', 'credential_type'],
+        }
+      )
+    ).toEqual({
+      issuer: 'https://server.example.com',
+      credential_type: ['https://did.example.org/healthCard', 'https://did.example.org/driverLicense'],
+      op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+    });
+  });
+});
+
+describe('Authorization Request', () => {
+  it('Should return Issuance Initiation Request with base URL from URI', () => {
+    expect(
+      IssuanceInitiation.fromURI(
+        'https://server.example.com?issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FdriverLicense&op_state=eyJhbGciOiJSU0Et...FYUaBy'
+      )
+    ).toEqual({
+      baseUrl: 'https://server.example.com',
+      issuanceInitiationRequest: {
+        credential_type: ['https://did.example.org/healthCard', 'https://did.example.org/driverLicense'],
+        issuer: 'https://server.example.com',
+        op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+      },
+    });
+  });
+});
+
+describe('Authorization Flow Type determination', () => {
+  it('should return authorization code flow type with a single credential_type', () => {
+    expect(
+      AuthzFlowType.valueOf({
+        issuer: 'test',
+        credential_type: 'test',
+      })
+    ).toEqual(AuthzFlowType.AUTHORIZATION_CODE_FLOW);
+  });
+  it('should return authorization code flow type with a credential_type array', () => {
+    expect(
+      AuthzFlowType.valueOf({
+        issuer: 'test',
+        credential_type: ['test', 'test1'],
+      })
+    ).toEqual(AuthzFlowType.AUTHORIZATION_CODE_FLOW);
+  });
+  it('should return pre-authorized code flow with a single credential_type', () => {
+    expect(
+      AuthzFlowType.valueOf({
+        issuer: 'test',
+        credential_type: 'test',
+        pre_authorized_code: 'test',
+      })
+    ).toEqual(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW);
+  });
+  it('should return pre-authorized code flow with a credential_type array', () => {
+    expect(
+      AuthzFlowType.valueOf({
+        issuer: 'test',
+        credential_type: ['test', 'test1'],
+        pre_authorized_code: 'test',
+      })
+    ).toEqual(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW);
+  });
+});

package/tests/VcIssuanceClient.spec.ts

@@ -0,0 +1,159 @@
+import { KeyObject } from 'crypto';
+
+import * as jose from 'jose';
+import { KeyLike, VerifyOptions } from 'jose/dist/types/types';
+import nock from 'nock';
+import * as u8a from 'uint8arrays';
+
+import {
+  createProofOfPossession,
+  CredentialRequest,
+  CredentialRequestClient,
+  CredentialResponse,
+  ErrorResponse,
+  JWS_NOT_VALID,
+  JWTSignerArgs,
+  ProofOfPossession,
+} from '../lib';
+
+const partialJWT =
+  'eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDpleGFtcGxlOmViZmViMWY3MTJlYmM2ZjFjMjc2ZTEyZWMyMS9rZXlzLzEifQ.eyJhdWQiOiJodHRwczovL29pZGM0dmNpLmRlbW8uc3BydWNlaWQuY29tL2NyZWRlbnRpYWwiLCJpYXQiOjE2';
+
+// Must be JWS
+const signJWT = async (args: JWTSignerArgs): Promise<string> => {
+  const { header, payload, privateKey } = args;
+  return await new jose.CompactSign(u8a.fromString(JSON.stringify({ ...payload })))
+    .setProtectedHeader({ ...header, alg: args.header.alg })
+    .sign(privateKey);
+};
+
+const verifyJWT = async (args: { jws: string | Uint8Array; key: KeyLike | Uint8Array; options?: VerifyOptions }): Promise<void> => {
+  await jose.compactVerify(args.jws, args.key, args.options);
+};
+
+const jwtArgs: JWTSignerArgs = {
+  header: {
+    alg: 'ES256',
+    kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1',
+  },
+  payload: {
+    iss: 's6BhdRkqt3',
+    nonce: 'tZignsnFbp',
+    jti: 'tZignsnFbp223',
+  },
+  privateKey: undefined,
+  publicKey: undefined,
+};
+
+beforeAll(async () => {
+  const keyPair = await jose.generateKeyPair('ES256');
+  jwtArgs.privateKey = keyPair.privateKey as KeyObject;
+  jwtArgs.publicKey = keyPair.publicKey as KeyObject;
+});
+
+describe('VcIssuanceClient ', () => {
+  it('should build correctly provided with correct params', function () {
+    const vcIssuanceClient = CredentialRequestClient.builder()
+      .withCredentialRequestUrl('https://oidc4vci.demo.spruceid.com/credential')
+      .withFormat('jwt_vc')
+      .build();
+    expect(vcIssuanceClient._issuanceRequestOpts.credentialRequestUrl).toBe('https://oidc4vci.demo.spruceid.com/credential');
+  });
+
+  it('should build credential request correctly', async () => {
+    const vcIssuanceClient = CredentialRequestClient.builder()
+      .withCredentialRequestUrl('https://oidc4vci.demo.spruceid.com/credential')
+      .withFormat('jwt_vc')
+      .withCredentialType('https://imsglobal.github.io/openbadges-specification/ob_v3p0.html#OpenBadgeCredential')
+      .build();
+    const proof: ProofOfPossession = await createProofOfPossession({
+      credentialRequestUrl: vcIssuanceClient.getCredentialRequestUrl(),
+      jwtSignerArgs: jwtArgs,
+      jwtSignerCallback: (args) => signJWT(args),
+      jwtVerifyCallback: (args) => verifyJWT(args),
+    });
+    const credentialRequest: CredentialRequest = await vcIssuanceClient.createCredentialRequest(proof);
+    expect(credentialRequest.proof.jwt).toContain(partialJWT);
+    expect(credentialRequest.type).toBe('https://imsglobal.github.io/openbadges-specification/ob_v3p0.html#OpenBadgeCredential');
+  });
+
+  it('should get fail credential response', async function () {
+    const basePath = 'https://sphereonjunit2022101301.com/';
+
+    nock(basePath).post(/.*/).reply(200, {
+      error: 'unsupported_format',
+      error_description: 'This is a mock error message',
+    });
+
+    const vcIssuanceClient = CredentialRequestClient.builder()
+      .withCredentialRequestUrl(basePath + '/credential')
+      .withFormat('ldp_vc')
+      .withCredentialType('https://imsglobal.github.io/openbadges-specification/ob_v3p0.html#OpenBadgeCredential')
+      .build();
+    const proof: ProofOfPossession = await createProofOfPossession({
+      credentialRequestUrl: vcIssuanceClient.getCredentialRequestUrl(),
+      jwtSignerArgs: jwtArgs,
+      jwtSignerCallback: (args) => signJWT(args),
+      jwtVerifyCallback: (args) => verifyJWT(args),
+    });
+    const credentialRequest: CredentialRequest = await vcIssuanceClient.createCredentialRequest(proof);
+    expect(credentialRequest.proof.jwt.includes(partialJWT)).toBeTruthy();
+    const result: ErrorResponse | CredentialResponse = await vcIssuanceClient.sendCredentialRequest(credentialRequest);
+    expect(result['error']).toBe('unsupported_format');
+  });
+
+  it('should get success credential response', async function () {
+    nock('https://oidc4vci.demo.spruceid.com')
+      .post(/credential/)
+      .reply(200, {
+        format: 'jwt-vc',
+        credential:
+          'eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL2V4YW1wbGVzL3YxIl0sImlkIjoiaHR0cDovL2V4YW1wbGUuZWR1L2NyZWRlbnRpYWxzLzM3MzIiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVW5pdmVyc2l0eURlZ3JlZUNyZWRlbnRpYWwiXSwiaXNzdWVyIjoiaHR0cHM6Ly9leGFtcGxlLmVkdS9pc3N1ZXJzLzU2NTA0OSIsImlzc3VhbmNlRGF0ZSI6IjIwMTAtMDEtMDFUMDA6MDA6MDBaIiwiY3JlZGVudGlhbFN1YmplY3QiOnsiaWQiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEiLCJkZWdyZWUiOnsidHlwZSI6IkJhY2hlbG9yRGVncmVlIiwibmFtZSI6IkJhY2hlbG9yIG9mIFNjaWVuY2UgYW5kIEFydHMifX19LCJpc3MiOiJodHRwczovL2V4YW1wbGUuZWR1L2lzc3VlcnMvNTY1MDQ5IiwibmJmIjoxMjYyMzA0MDAwLCJqdGkiOiJodHRwOi8vZXhhbXBsZS5lZHUvY3JlZGVudGlhbHMvMzczMiIsInN1YiI6ImRpZDpleGFtcGxlOmViZmViMWY3MTJlYmM2ZjFjMjc2ZTEyZWMyMSJ9.z5vgMTK1nfizNCg5N-niCOL3WUIAL7nXy-nGhDZYO_-PNGeE-0djCpWAMH8fD8eWSID5PfkPBYkx_dfLJnQ7NA',
+      });
+    const vcIssuanceClient = CredentialRequestClient.builder()
+      .withCredentialRequestUrl('https://oidc4vci.demo.spruceid.com/credential')
+      .withFormat('jwt_vc')
+      .withCredentialType('https://imsglobal.github.io/openbadges-specification/ob_v3p0.html#OpenBadgeCredential')
+      .build();
+    const proof: ProofOfPossession = await createProofOfPossession({
+      credentialRequestUrl: vcIssuanceClient.getCredentialRequestUrl(),
+      jwtSignerArgs: jwtArgs,
+      jwtSignerCallback: (args) => signJWT(args),
+    });
+    const credentialRequest: CredentialRequest = await vcIssuanceClient.createCredentialRequest(proof);
+    expect(credentialRequest.proof.jwt.includes(partialJWT)).toBeTruthy();
+    const result: ErrorResponse | CredentialResponse = await vcIssuanceClient.sendCredentialRequest(credentialRequest);
+    expect(result['credential']).toBeDefined();
+  });
+  it('should fail creating a proof of possession with simple verification', async () => {
+    const vcIssuanceClient = CredentialRequestClient.builder()
+      .withCredentialRequestUrl('https://oidc4vci.demo.spruceid.com/credential')
+      .withFormat('jwt_vc')
+      .withCredentialType('https://imsglobal.github.io/openbadges-specification/ob_v3p0.html#OpenBadgeCredential')
+      .build();
+    await expect(
+      createProofOfPossession({
+        credentialRequestUrl: vcIssuanceClient.getCredentialRequestUrl(),
+        jwtSignerArgs: jwtArgs,
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        jwtSignerCallback: (_args) => Promise.resolve('invalid_jws'),
+      })
+    ).rejects.toThrow(Error(JWS_NOT_VALID));
+  });
+  it('should fail creating a proof of possession with verify callback function', async () => {
+    const vcIssuanceClient = CredentialRequestClient.builder()
+      .withCredentialRequestUrl('https://oidc4vci.demo.spruceid.com/credential')
+      .withFormat('jwt_vc')
+      .withCredentialType('https://imsglobal.github.io/openbadges-specification/ob_v3p0.html#OpenBadgeCredential')
+      .build();
+    await expect(
+      createProofOfPossession({
+        credentialRequestUrl: vcIssuanceClient.getCredentialRequestUrl(),
+        jwtSignerArgs: jwtArgs,
+        // eslint-disable-next-line @typescript-eslint/no-unused-vars
+        jwtSignerCallback: (_args) => Promise.resolve('invalid_jws'),
+        jwtVerifyCallback: (args) => verifyJWT(args),
+      })
+    ).rejects.toThrow(Error(JWS_NOT_VALID));
+  });
+});

package/tsconfig.build.json

@@ -0,0 +1,6 @@
+{
+  "extends": "./tsconfig",
+  "exclude": [
+    "tests/**/*.ts"
+  ]
+}