@sphereon/oid4vci-client 0.10.3 → 0.10.4-next.119

package/lib/CredentialOfferClient.ts

@@ -1,9 +1,12 @@
 import {
+  convertJsonToURI,
+  convertURIToJsonObject,
   CredentialOffer,
   CredentialOfferPayload,
   CredentialOfferPayloadV1_0_09,
   CredentialOfferRequestWithBaseUrl,
   CredentialOfferV1_0_11,
+  CredentialOfferV1_0_13,
   determineSpecVersionFromURI,
   getClientIdFromCredentialOfferPayload,
   OpenId4VCIVersion,
@@ -11,7 +14,7 @@ import {
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
 
-import { convertJsonToURI, convertURIToJsonObject } from './functions';
+import { LOG } from './types';
 
 const debug = Debug('sphereon:oid4vci:offer');
 
@@ -25,21 +28,24 @@ export class CredentialOfferClient {
     const scheme = uri.split('://')[0];
     const baseUrl = uri.split('?')[0];
     const version = determineSpecVersionFromURI(uri);
+    LOG.log(`Offer URL determined to be of version ${version}`);
     let credentialOffer: CredentialOffer;
     let credentialOfferPayload: CredentialOfferPayload;
+    // credential offer was introduced in draft 9 and credential_offer_uri in draft 11
     if (version < OpenId4VCIVersion.VER_1_0_11) {
       credentialOfferPayload = convertURIToJsonObject(uri, {
         arrayTypeProperties: ['credential_type'],
-        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri'] : ['issuer', 'credential_type'],
+        requiredProperties: uri.includes('credential_offer=') ? ['credential_offer'] : ['issuer', 'credential_type'],
       }) as CredentialOfferPayloadV1_0_09;
       credentialOffer = {
         credential_offer: credentialOfferPayload,
       };
     } else {
       credentialOffer = convertURIToJsonObject(uri, {
-        arrayTypeProperties: ['credentials'],
-        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri'] : ['credential_offer'],
-      }) as CredentialOfferV1_0_11;
+        // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
+        arrayTypeProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
+        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
+      }) as CredentialOfferV1_0_11 | CredentialOfferV1_0_13;
       if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
         throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
       }
@@ -55,13 +61,20 @@ export class CredentialOfferClient {
     return {
       scheme,
       baseUrl,
-      clientId,
+      ...(clientId && { clientId }),
       ...request,
       ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
       ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
         preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
       }),
-      userPinRequired: request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false,
+      userPinRequired:
+        request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ??
+        !!request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code ??
+        false,
+      ...(request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code &&
+        {
+          // txCode: request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code,
+        }),
     };
   }
 
@@ -101,7 +114,7 @@ export class CredentialOfferClient {
       arrayTypeProperties: isUri ? [] : ['credential_type'],
       uriTypeProperties: isUri
         ? ['credential_offer_uri']
-        : version >= OpenId4VCIVersion.VER_1_0_11
+        : version >= OpenId4VCIVersion.VER_1_0_13
           ? ['credential_issuer', 'credential_type']
           : ['issuer', 'credential_type'],
       param,

package/lib/CredentialOfferClientV1_0_11.ts

@@ -0,0 +1,112 @@
+import {
+  convertJsonToURI,
+  convertURIToJsonObject,
+  CredentialOffer,
+  CredentialOfferPayload,
+  CredentialOfferPayloadV1_0_09,
+  CredentialOfferRequestWithBaseUrl,
+  CredentialOfferRequestWithBaseUrlV1_0_11,
+  CredentialOfferV1_0_11,
+  determineSpecVersionFromURI,
+  getClientIdFromCredentialOfferPayload,
+  OpenId4VCIVersion,
+  toUniformCredentialOfferRequest,
+} from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+const debug = Debug('sphereon:oid4vci:offer');
+
+export class CredentialOfferClientV1_0_11 {
+  public static async fromURI(uri: string, opts?: { resolve?: boolean }): Promise<CredentialOfferRequestWithBaseUrlV1_0_11> {
+    debug(`Credential Offer URI: ${uri}`);
+    if (!uri.includes('?') || !uri.includes('://')) {
+      debug(`Invalid Credential Offer URI: ${uri}`);
+      throw Error(`Invalid Credential Offer Request`);
+    }
+    const scheme = uri.split('://')[0];
+    const baseUrl = uri.split('?')[0];
+    const version = determineSpecVersionFromURI(uri);
+    let credentialOffer: CredentialOffer;
+    let credentialOfferPayload: CredentialOfferPayload;
+    if (version < OpenId4VCIVersion.VER_1_0_11) {
+      credentialOfferPayload = convertURIToJsonObject(uri, {
+        arrayTypeProperties: ['credential_type'],
+        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['issuer', 'credential_type='],
+      }) as CredentialOfferPayloadV1_0_09;
+      credentialOffer = {
+        credential_offer: credentialOfferPayload,
+      };
+    } else {
+      credentialOffer = convertURIToJsonObject(uri, {
+        arrayTypeProperties: ['credentials'],
+        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
+      }) as CredentialOfferV1_0_11;
+      if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
+        throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
+      }
+    }
+
+    const request = await toUniformCredentialOfferRequest(credentialOffer, {
+      ...opts,
+      version,
+    });
+    const clientId = getClientIdFromCredentialOfferPayload(request.credential_offer);
+    const grants = request.credential_offer?.grants;
+
+    return {
+      scheme,
+      baseUrl,
+      ...(clientId && { clientId }),
+      ...request,
+      ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
+      ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
+        preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
+      }),
+      userPinRequired: !!request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false,
+    };
+  }
+
+  public static toURI(
+    requestWithBaseUrl: CredentialOfferRequestWithBaseUrl,
+    opts?: {
+      version?: OpenId4VCIVersion;
+    },
+  ): string {
+    debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
+    const version = opts?.version ?? requestWithBaseUrl.version;
+    let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme)
+      ? requestWithBaseUrl.baseUrl
+      : `${requestWithBaseUrl.scheme.replace('://', '')}://${requestWithBaseUrl.baseUrl}`;
+    let param: string | undefined;
+
+    const isUri = requestWithBaseUrl.credential_offer_uri !== undefined;
+
+    if (version.valueOf() >= OpenId4VCIVersion.VER_1_0_11.valueOf()) {
+      // v11 changed from encoding every param to a encoded json object with a credential_offer param key
+      if (!baseUrl.includes('?')) {
+        param = isUri ? 'credential_offer_uri' : 'credential_offer';
+      } else {
+        const split = baseUrl.split('?');
+        if (split.length > 1 && split[1] !== '') {
+          if (baseUrl.endsWith('&')) {
+            param = isUri ? 'credential_offer_uri' : 'credential_offer';
+          } else if (!baseUrl.endsWith('=')) {
+            baseUrl += `&`;
+            param = isUri ? 'credential_offer_uri' : 'credential_offer';
+          }
+        }
+      }
+    }
+    return convertJsonToURI(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
+      baseUrl,
+      arrayTypeProperties: isUri ? [] : ['credential_type'],
+      uriTypeProperties: isUri
+        ? ['credential_offer_uri']
+        : version >= OpenId4VCIVersion.VER_1_0_11
+          ? ['credential_issuer', 'credential_type']
+          : ['issuer', 'credential_type'],
+      param,
+      version,
+    });
+  }
+}

package/lib/CredentialOfferClientV1_0_13.ts

@@ -0,0 +1,103 @@
+import {
+  convertJsonToURI,
+  convertURIToJsonObject,
+  CredentialOfferRequestWithBaseUrl,
+  CredentialOfferV1_0_13,
+  determineSpecVersionFromURI,
+  getClientIdFromCredentialOfferPayload,
+  OpenId4VCIVersion,
+  toUniformCredentialOfferRequest,
+} from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+const debug = Debug('sphereon:oid4vci:offer');
+
+export class CredentialOfferClientV1_0_13 {
+  public static async fromURI(uri: string, opts?: { resolve?: boolean }): Promise<CredentialOfferRequestWithBaseUrl> {
+    debug(`Credential Offer URI: ${uri}`);
+    if (!uri.includes('?') || !uri.includes('://')) {
+      debug(`Invalid Credential Offer URI: ${uri}`);
+      throw Error(`Invalid Credential Offer Request`);
+    }
+    const scheme = uri.split('://')[0];
+    const baseUrl = uri.split('?')[0];
+    const version = determineSpecVersionFromURI(uri);
+    const credentialOffer = convertURIToJsonObject(uri, {
+      // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
+      arrayTypeProperties: uri.includes('credential_offer_uri=')
+        ? ['credential_configuration_ids', 'credential_offer_uri=']
+        : ['credential_configuration_ids', 'credential_offer='],
+      requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
+    }) as CredentialOfferV1_0_13;
+    if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
+      throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
+    }
+
+    const request = await toUniformCredentialOfferRequest(credentialOffer, {
+      ...opts,
+      version,
+    });
+    const clientId = getClientIdFromCredentialOfferPayload(request.credential_offer);
+    const grants = request.credential_offer?.grants;
+
+    return {
+      scheme,
+      baseUrl,
+      ...(clientId && { clientId }),
+      ...request,
+      ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
+      ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
+        preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
+      }),
+      userPinRequired: !!request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code ?? false,
+      ...(request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code &&
+        {
+          // txCode: request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code,
+        }),
+    };
+  }
+
+  public static toURI(
+    requestWithBaseUrl: CredentialOfferRequestWithBaseUrl,
+    opts?: {
+      version?: OpenId4VCIVersion;
+    },
+  ): string {
+    debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
+    const version = opts?.version ?? requestWithBaseUrl.version;
+    let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme)
+      ? requestWithBaseUrl.baseUrl
+      : `${requestWithBaseUrl.scheme.replace('://', '')}://${requestWithBaseUrl.baseUrl}`;
+    let param: string | undefined;
+
+    const isUri = requestWithBaseUrl.credential_offer_uri !== undefined;
+
+    if (version.valueOf() >= OpenId4VCIVersion.VER_1_0_11.valueOf()) {
+      // v11 changed from encoding every param to a encoded json object with a credential_offer param key
+      if (!baseUrl.includes('?')) {
+        param = isUri ? 'credential_offer_uri' : 'credential_offer';
+      } else {
+        const split = baseUrl.split('?');
+        if (split.length > 1 && split[1] !== '') {
+          if (baseUrl.endsWith('&')) {
+            param = isUri ? 'credential_offer_uri' : 'credential_offer';
+          } else if (!baseUrl.endsWith('=')) {
+            baseUrl += `&`;
+            param = isUri ? 'credential_offer_uri' : 'credential_offer';
+          }
+        }
+      }
+    }
+    return convertJsonToURI(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
+      baseUrl,
+      arrayTypeProperties: isUri ? [] : ['credential_type'],
+      uriTypeProperties: isUri
+        ? ['credential_offer_uri']
+        : version >= OpenId4VCIVersion.VER_1_0_13
+          ? ['credential_issuer', 'credential_type']
+          : ['issuer', 'credential_type'],
+      param,
+      version,
+    });
+  }
+}

package/lib/CredentialRequestClient.ts

@@ -1,22 +1,26 @@
 import {
   acquireDeferredCredential,
+  CredentialRequestV1_0_13,
   CredentialResponse,
   getCredentialRequestForVersion,
   getUniformFormat,
   isDeferredCredentialResponse,
+  isValidURL,
+  JsonLdIssuerCredentialDefinition,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   OpenIDResponse,
+  post,
   ProofOfPossession,
   UniformCredentialRequest,
   URL_NOT_VALID,
 } from '@sphereon/oid4vci-common';
+import { ExperimentalSubjectIssuance } from '@sphereon/oid4vci-common/dist/experimental/holder-vci';
 import { CredentialFormat } from '@sphereon/ssi-types';
 import Debug from 'debug';
 
 import { CredentialRequestClientBuilder } from './CredentialRequestClientBuilder';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
-import { isValidURL, post } from './functions';
 
 const debug = Debug('sphereon:oid4vci:credential');
 
@@ -24,12 +28,15 @@ export interface CredentialRequestOpts {
   deferredCredentialAwait?: boolean;
   deferredCredentialIntervalInMS?: number;
   credentialEndpoint: string;
+  notificationEndpoint?: string;
   deferredCredentialEndpoint?: string;
-  credentialTypes: string[];
+  credentialTypes?: string[];
+  credentialIdentifier?: string;
   format?: CredentialFormat | OID4VCICredentialFormat;
   proof: ProofOfPossession;
   token: string;
   version: OpenId4VCIVersion;
+  subjectIssuance?: ExperimentalSubjectIssuance;
 }
 
 export async function buildProof<DIDDoc>(
@@ -41,7 +48,7 @@ export async function buildProof<DIDDoc>(
 ) {
   if ('proof_type' in proofInput) {
     if (opts.cNonce) {
-      throw Error(`Cnonce param is only supported when using a Proof of Posession builder`);
+      throw Error(`Cnonce param is only supported when using a Proof of possession builder`);
     }
     return await ProofOfPossessionBuilder.fromProof(proofInput as ProofOfPossession, opts.version).build();
   }
@@ -77,18 +84,33 @@ export class CredentialRequestClient {
 
   public async acquireCredentialsUsingProof<DIDDoc>(opts: {
     proofInput: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession;
+    credentialIdentifier?: string;
     credentialTypes?: string | string[];
     context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
-  }): Promise<OpenIDResponse<CredentialResponse>> {
-    const { credentialTypes, proofInput, format, context } = opts;
-
-    const request = await this.createCredentialRequest({ proofInput, credentialTypes, context, format, version: this.version() });
+    subjectIssuance?: ExperimentalSubjectIssuance;
+  }): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
+    const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts;
+
+    const request = await this.createCredentialRequest({
+      proofInput,
+      credentialTypes,
+      context,
+      format,
+      version: this.version(),
+      credentialIdentifier,
+      subjectIssuance,
+    });
     return await this.acquireCredentialsUsingRequest(request);
   }
 
-  public async acquireCredentialsUsingRequest(uniformRequest: UniformCredentialRequest): Promise<OpenIDResponse<CredentialResponse>> {
-    const request = getCredentialRequestForVersion(uniformRequest, this.version());
+  public async acquireCredentialsUsingRequest(
+    uniformRequest: UniformCredentialRequest,
+  ): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
+    if (this.version() < OpenId4VCIVersion.VER_1_0_13) {
+      throw new Error('Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.');
+    }
+    const request: CredentialRequestV1_0_13 = getCredentialRequestForVersion(uniformRequest, this.version()) as CredentialRequestV1_0_13;
     const credentialEndpoint: string = this.credentialRequestOpts.credentialEndpoint;
     if (!isValidURL(credentialEndpoint)) {
       debug(`Invalid credential endpoint: ${credentialEndpoint}`);
@@ -97,12 +119,20 @@ export class CredentialRequestClient {
     debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
     debug(`request\n: ${JSON.stringify(request, null, 2)}`);
     const requestToken: string = this.credentialRequestOpts.token;
-    let response: OpenIDResponse<CredentialResponse> = await post(credentialEndpoint, JSON.stringify(request), { bearerToken: requestToken });
+    let response = (await post(credentialEndpoint, JSON.stringify(request), { bearerToken: requestToken })) as OpenIDResponse<CredentialResponse> & {
+      access_token: string;
+    };
     this._isDeferred = isDeferredCredentialResponse(response);
     if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
       response = await this.acquireDeferredCredential(response.successBody, { bearerToken: this.credentialRequestOpts.token });
     }
+    response.access_token = requestToken;
 
+    if ((uniformRequest.credential_subject_issuance && response.successBody) || response.successBody?.credential_subject_issuance) {
+      if (JSON.stringify(uniformRequest.credential_subject_issuance) !== JSON.stringify(response.successBody?.credential_subject_issuance)) {
+        throw Error('Subject signing was requested, but issuer did not provide the options in its response');
+      }
+    }
     debug(`Credential endpoint ${credentialEndpoint} response:\r\n${JSON.stringify(response, null, 2)}`);
     return response;
   }
@@ -112,7 +142,7 @@ export class CredentialRequestClient {
     opts?: {
       bearerToken?: string;
     },
-  ): Promise<OpenIDResponse<CredentialResponse>> {
+  ): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
     const transactionId = response.transaction_id;
     const bearerToken = response.acceptance_token ?? opts?.bearerToken;
     const deferredCredentialEndpoint = this.getDeferredCredentialEndpoint();
@@ -133,12 +163,24 @@ export class CredentialRequestClient {
 
   public async createCredentialRequest<DIDDoc>(opts: {
     proofInput: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession;
+    credentialIdentifier?: string;
     credentialTypes?: string | string[];
     context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
+    subjectIssuance?: ExperimentalSubjectIssuance;
     version: OpenId4VCIVersion;
-  }): Promise<UniformCredentialRequest> {
-    const { proofInput } = opts;
+  }): Promise<CredentialRequestV1_0_13> {
+    const { proofInput, credentialIdentifier: credential_identifier } = opts;
+    const proof = await buildProof(proofInput, opts);
+    if (credential_identifier) {
+      if (opts.format || opts.credentialTypes || opts.context) {
+        throw Error(`You cannot mix credential_identifier with format, credential types and/or context`);
+      }
+      return {
+        credential_identifier,
+        proof,
+      };
+    }
     const formatSelection = opts.format ?? this.credentialRequestOpts.format;
 
     if (!formatSelection) {
@@ -149,15 +191,13 @@ export class CredentialRequestClient {
       opts?.credentialTypes && (typeof opts.credentialTypes === 'string' || opts.credentialTypes.length > 0)
         ? opts.credentialTypes
         : this.credentialRequestOpts.credentialTypes;
+    if (!typesSelection) {
+      throw Error(`Credential type(s) need to be provided`);
+    }
     const types = Array.isArray(typesSelection) ? typesSelection : [typesSelection];
     if (types.length === 0) {
       throw Error(`Credential type(s) need to be provided`);
     }
-    // FIXME: this is mixing up the type (as id) from v8/v9 and the types (from the vc.type) from v11
-    else if (!this.isV11OrHigher() && types.length !== 1) {
-      throw Error('Only a single credential type is supported for V8/V9');
-    }
-    const proof = await buildProof(proofInput, opts);
 
     // TODO: we should move format specific logic
     if (format === 'jwt_vc_json' || format === 'jwt_vc') {
@@ -165,6 +205,7 @@ export class CredentialRequestClient {
         types,
         format,
         proof,
+        ...opts.subjectIssuance,
       };
     } else if (format === 'jwt_vc_json-ld' || format === 'ldp_vc') {
       if (this.version() >= OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
@@ -174,6 +215,7 @@ export class CredentialRequestClient {
       return {
         format,
         proof,
+        ...opts.subjectIssuance,
 
         // Ignored because v11 does not have the context value, but it is required in v12
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
@@ -181,28 +223,25 @@ export class CredentialRequestClient {
         credential_definition: {
           types,
           ...(opts.context && { '@context': opts.context }),
-        },
+        } as JsonLdIssuerCredentialDefinition,
       };
     } else if (format === 'vc+sd-jwt') {
       if (types.length > 1) {
         throw Error(`Only a single credential type is supported for ${format}`);
       }
-
+      // fixme: this isn't up to the CredentialRequest that we see in the version v1_0_13
       return {
         format,
         proof,
         vct: types[0],
-      };
+        ...opts.subjectIssuance,
+      } as CredentialRequestV1_0_13;
     }
 
     throw new Error(`Unsupported format: ${format}`);
   }
 
   private version(): OpenId4VCIVersion {
-    return this.credentialRequestOpts?.version ?? OpenId4VCIVersion.VER_1_0_11;
-  }
-
-  private isV11OrHigher(): boolean {
-    return this.version() >= OpenId4VCIVersion.VER_1_0_11;
+    return this.credentialRequestOpts?.version ?? OpenId4VCIVersion.VER_1_0_13;
   }
 }

package/lib/CredentialRequestClientBuilder.ts

@@ -1,12 +1,12 @@
 import {
   AccessTokenResponse,
-  CredentialIssuerMetadata,
-  CredentialOfferPayloadV1_0_08,
+  CredentialIssuerMetadataV1_0_13,
+  CredentialOfferPayloadV1_0_13,
   CredentialOfferRequestWithBaseUrl,
   determineSpecVersionFromOffer,
   EndpointMetadata,
+  ExperimentalSubjectIssuance,
   getIssuerFromCredentialOfferPayload,
-  getTypesFromOffer,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   UniformCredentialOfferRequest,
@@ -21,21 +21,25 @@ export class CredentialRequestClientBuilder {
   deferredCredentialEndpoint?: string;
   deferredCredentialAwait = false;
   deferredCredentialIntervalInMS = 5000;
-  credentialTypes: string[] = [];
+  credentialIdentifier?: string;
+  credentialTypes?: string[] = [];
   format?: CredentialFormat | OID4VCICredentialFormat;
   token?: string;
   version?: OpenId4VCIVersion;
+  subjectIssuance?: ExperimentalSubjectIssuance;
 
   public static fromCredentialIssuer({
     credentialIssuer,
     metadata,
     version,
+    credentialIdentifier,
     credentialTypes,
   }: {
     credentialIssuer: string;
     metadata?: EndpointMetadata;
     version?: OpenId4VCIVersion;
-    credentialTypes: string | string[];
+    credentialIdentifier?: string;
+    credentialTypes?: string | string[];
   }): CredentialRequestClientBuilder {
     const issuer = credentialIssuer;
     const builder = new CredentialRequestClientBuilder();
@@ -44,7 +48,12 @@ export class CredentialRequestClientBuilder {
     if (metadata?.deferred_credential_endpoint) {
       builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
     }
-    builder.withCredentialType(credentialTypes);
+    if (credentialIdentifier) {
+      builder.withCredentialIdentifier(credentialIdentifier);
+    }
+    if (credentialTypes) {
+      builder.withCredentialType(credentialTypes);
+    }
     return builder;
   }
 
@@ -62,6 +71,9 @@ export class CredentialRequestClientBuilder {
   }): CredentialRequestClientBuilder {
     const { request, metadata } = opts;
     const version = opts.version ?? request.version ?? determineSpecVersionFromOffer(request.original_credential_offer);
+    if (version < OpenId4VCIVersion.VER_1_0_13) {
+      throw new Error('Versions below v1.0.13 (draft 13) are not supported.');
+    }
     const builder = new CredentialRequestClientBuilder();
     const issuer = getIssuerFromCredentialOfferPayload(request.credential_offer) ?? (metadata?.issuer as string);
     builder.withVersion(version);
@@ -69,15 +81,11 @@ export class CredentialRequestClientBuilder {
     if (metadata?.deferred_credential_endpoint) {
       builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
     }
-
-    if (version <= OpenId4VCIVersion.VER_1_0_08) {
-      //todo: This basically sets all types available during initiation. Probably the user only wants a subset. So do we want to do this?
-      builder.withCredentialType((request.original_credential_offer as CredentialOfferPayloadV1_0_08).credential_type);
-    } else {
-      // todo: look whether this is correct
-      builder.withCredentialType(getTypesFromOffer(request.credential_offer));
+    const ids: string[] = (request.credential_offer as CredentialOfferPayloadV1_0_13).credential_configuration_ids;
+    // if there's only one in the offer, we pre-select it. if not, you should provide the credentialType
+    if (ids.length && ids.length === 1) {
+      builder.withCredentialIdentifier(ids[0]);
     }
-
     return builder;
   }
 
@@ -95,7 +103,7 @@ export class CredentialRequestClientBuilder {
     });
   }
 
-  public withCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadata): this {
+  public withCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadataV1_0_13): this {
     this.credentialEndpoint = metadata.credential_endpoint;
     return this;
   }
@@ -105,7 +113,7 @@ export class CredentialRequestClientBuilder {
     return this;
   }
 
-  public withDeferredCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadata): this {
+  public withDeferredCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadataV1_0_13): this {
     this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
     return this;
   }
@@ -121,6 +129,11 @@ export class CredentialRequestClientBuilder {
     return this;
   }
 
+  public withCredentialIdentifier(credentialIdentifier: string): this {
+    this.credentialIdentifier = credentialIdentifier;
+    return this;
+  }
+
   public withCredentialType(credentialTypes: string | string[]): this {
     this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes];
     return this;
@@ -131,6 +144,11 @@ export class CredentialRequestClientBuilder {
     return this;
   }
 
+  public withSubjectIssuance(subjectIssuance: ExperimentalSubjectIssuance): this {
+    this.subjectIssuance = subjectIssuance;
+    return this;
+  }
+
   public withToken(accessToken: string): this {
     this.token = accessToken;
     return this;