@sphereon/oid4vci-client 0.10.3 → 0.10.4-next.14

package/lib/AccessTokenClient.ts

@@ -5,7 +5,9 @@ import {
   assertedUniformCredentialOffer,
   AuthorizationServerOpts,
   AuthzFlowType,
+  convertJsonToURI,
   EndpointMetadata,
+  formPost,
   getIssuerFromCredentialOfferPayload,
   GrantTypes,
   IssuerOpts,
@@ -17,12 +19,9 @@ import {
   UniformCredentialOfferPayload,
 } from '@sphereon/oid4vci-common';
 import { ObjectUtils } from '@sphereon/ssi-types';
-import Debug from 'debug';
 
 import { MetadataClient } from './MetadataClient';
-import { convertJsonToURI, formPost } from './functions';
-
-const debug = Debug('sphereon:oid4vci:token');
+import { LOG } from './types';
 
 export class AccessTokenClient {
   public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse>> {
@@ -117,7 +116,7 @@ export class AccessTokenClient {
       return request as AccessTokenRequest;
     }
 
-    throw new Error('Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.');
+    throw new Error('Credential offer request follows neither pre-authorized code nor authorization code flow requirements.');
   }
 
   private assertPreAuthorizedGrantType(grantType: GrantTypes): void {
@@ -141,39 +140,39 @@ export class AccessTokenClient {
     if (requestPayload.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']) {
       isPinRequired = requestPayload.grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false;
     }
-    debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
+    LOG.warning(`Pin required for issuer ${issuer}: ${isPinRequired}`);
     return isPinRequired;
   }
 
   private assertNumericPin(isPinRequired?: boolean, pin?: string): void {
     if (isPinRequired) {
       if (!pin || !/^\d{1,8}$/.test(pin)) {
-        debug(`Pin is not 1 to 8 digits long`);
+        LOG.warning(`Pin is not 1 to 8 digits long`);
         throw new Error('A valid pin consisting of maximal 8 numeric characters must be present.');
       }
     } else if (pin) {
-      debug(`Pin set, whilst not required`);
+      LOG.warning(`Pin set, whilst not required`);
       throw new Error('Cannot set a pin, when the pin is not required.');
     }
   }
 
   private assertNonEmptyPreAuthorizedCode(accessTokenRequest: AccessTokenRequest): void {
     if (!accessTokenRequest[PRE_AUTH_CODE_LITERAL]) {
-      debug(`No pre-authorized code present, whilst it is required`);
+      LOG.warning(`No pre-authorized code present, whilst it is required`, accessTokenRequest);
       throw new Error('Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.');
     }
   }
 
   private assertNonEmptyCodeVerifier(accessTokenRequest: AccessTokenRequest): void {
     if (!accessTokenRequest.code_verifier) {
-      debug('No code_verifier present, whilst it is required');
+      LOG.warning('No code_verifier present, whilst it is required', accessTokenRequest);
       throw new Error('Authorization flow requires the code_verifier to be present');
     }
   }
 
   private assertNonEmptyCode(accessTokenRequest: AccessTokenRequest): void {
     if (!accessTokenRequest.code) {
-      debug('No code present, whilst it is required');
+      LOG.warning('No code present, whilst it is required');
       throw new Error('Authorization flow requires the code to be present');
     }
   }
@@ -222,7 +221,7 @@ export class AccessTokenClient {
     if (!url || !ObjectUtils.isString(url)) {
       throw new Error('No authorization server token URL present. Cannot acquire access token');
     }
-    debug(`Token endpoint determined to be ${url}`);
+    LOG.debug(`Token endpoint determined to be ${url}`);
     return url;
   }
 
@@ -239,7 +238,7 @@ export class AccessTokenClient {
   }
 
   private throwNotSupportedFlow(): void {
-    debug(`Only pre-authorized or authorization code flows supported.`);
+    LOG.warning(`Only pre-authorized or authorization code flows supported.`);
     throw new Error('Only pre-authorized-code or authorization code flows are supported');
   }
 }

package/lib/CredentialOfferClient.ts

@@ -1,4 +1,6 @@
 import {
+  convertJsonToURI,
+  convertURIToJsonObject,
   CredentialOffer,
   CredentialOfferPayload,
   CredentialOfferPayloadV1_0_09,
@@ -11,8 +13,6 @@ import {
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
 
-import { convertJsonToURI, convertURIToJsonObject } from './functions';
-
 const debug = Debug('sphereon:oid4vci:offer');
 
 export class CredentialOfferClient {
@@ -27,18 +27,20 @@ export class CredentialOfferClient {
     const version = determineSpecVersionFromURI(uri);
     let credentialOffer: CredentialOffer;
     let credentialOfferPayload: CredentialOfferPayload;
+    // credential offer was introduced in draft 9 and credential_offer_uri in draft 11
     if (version < OpenId4VCIVersion.VER_1_0_11) {
       credentialOfferPayload = convertURIToJsonObject(uri, {
         arrayTypeProperties: ['credential_type'],
-        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri'] : ['issuer', 'credential_type'],
+        requiredProperties: uri.includes('credential_offer=') ? ['credential_offer'] : ['issuer', 'credential_type'],
       }) as CredentialOfferPayloadV1_0_09;
       credentialOffer = {
         credential_offer: credentialOfferPayload,
       };
     } else {
       credentialOffer = convertURIToJsonObject(uri, {
-        arrayTypeProperties: ['credentials'],
-        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri'] : ['credential_offer'],
+        // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
+        arrayTypeProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
+        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
       }) as CredentialOfferV1_0_11;
       if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
         throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);

package/lib/CredentialRequestClient.ts

@@ -4,19 +4,25 @@ import {
   getCredentialRequestForVersion,
   getUniformFormat,
   isDeferredCredentialResponse,
+  isValidURL,
+  NotificationErrorResponse,
+  NotificationRequest,
+  NotificationResult,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   OpenIDResponse,
+  post,
   ProofOfPossession,
   UniformCredentialRequest,
   URL_NOT_VALID,
 } from '@sphereon/oid4vci-common';
+import { ExperimentalSubjectIssuance } from '@sphereon/oid4vci-common/dist/experimental/holder-vci';
 import { CredentialFormat } from '@sphereon/ssi-types';
 import Debug from 'debug';
 
 import { CredentialRequestClientBuilder } from './CredentialRequestClientBuilder';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
-import { isValidURL, post } from './functions';
+import { LOG } from './types';
 
 const debug = Debug('sphereon:oid4vci:credential');
 
@@ -24,6 +30,7 @@ export interface CredentialRequestOpts {
   deferredCredentialAwait?: boolean;
   deferredCredentialIntervalInMS?: number;
   credentialEndpoint: string;
+  notificationEndpoint?: string;
   deferredCredentialEndpoint?: string;
   credentialTypes: string[];
   format?: CredentialFormat | OID4VCICredentialFormat;
@@ -80,10 +87,11 @@ export class CredentialRequestClient {
     credentialTypes?: string | string[];
     context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
+    subjectIssuance?: ExperimentalSubjectIssuance;
   }): Promise<OpenIDResponse<CredentialResponse>> {
-    const { credentialTypes, proofInput, format, context } = opts;
+    const { credentialTypes, proofInput, format, context, subjectIssuance } = opts;
 
-    const request = await this.createCredentialRequest({ proofInput, credentialTypes, context, format, version: this.version() });
+    const request = await this.createCredentialRequest({ proofInput, credentialTypes, context, format, version: this.version(), subjectIssuance });
     return await this.acquireCredentialsUsingRequest(request);
   }
 
@@ -103,6 +111,11 @@ export class CredentialRequestClient {
       response = await this.acquireDeferredCredential(response.successBody, { bearerToken: this.credentialRequestOpts.token });
     }
 
+    if ((uniformRequest.credential_subject_issuance && response.successBody) || response.successBody?.credential_subject_issuance) {
+      if (uniformRequest.credential_subject_issuance !== response.successBody?.credential_subject_issuance) {
+        throw Error('Subject signing was requested, but issuer did not provide the options in its response');
+      }
+    }
     debug(`Credential endpoint ${credentialEndpoint} response:\r\n${JSON.stringify(response, null, 2)}`);
     return response;
   }
@@ -136,6 +149,7 @@ export class CredentialRequestClient {
     credentialTypes?: string | string[];
     context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
+    subjectIssuance?: ExperimentalSubjectIssuance;
     version: OpenId4VCIVersion;
   }): Promise<UniformCredentialRequest> {
     const { proofInput } = opts;
@@ -165,6 +179,7 @@ export class CredentialRequestClient {
         types,
         format,
         proof,
+        ...opts.subjectIssuance,
       };
     } else if (format === 'jwt_vc_json-ld' || format === 'ldp_vc') {
       if (this.version() >= OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
@@ -174,6 +189,7 @@ export class CredentialRequestClient {
       return {
         format,
         proof,
+        ...opts.subjectIssuance,
 
         // Ignored because v11 does not have the context value, but it is required in v12
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment
@@ -192,12 +208,36 @@ export class CredentialRequestClient {
         format,
         proof,
         vct: types[0],
+        ...opts.subjectIssuance,
       };
     }
 
     throw new Error(`Unsupported format: ${format}`);
   }
 
+  public async sendNotification(request: NotificationRequest, accessToken: string): Promise<NotificationResult> {
+    LOG.info(`Sending status notification event '${request.event}' for id ${request.notification_id}`);
+    if (!this.credentialRequestOpts.notificationEndpoint) {
+      throw Error(`Cannot send notification when no notification endpoint is provided`);
+    }
+    const response = await post<NotificationErrorResponse>(this.credentialRequestOpts.notificationEndpoint, JSON.stringify(request), {
+      bearerToken: accessToken,
+    });
+    const error = response.errorBody?.error !== undefined;
+    const result = {
+      error,
+      response: error ? await response.errorBody?.json() : undefined,
+    };
+    if (error) {
+      LOG.warning(
+        `Notification endpoint returned an error for event '${request.event}' and id ${request.notification_id}: ${await response.errorBody?.json()}`,
+      );
+    } else {
+      LOG.debug(`Notification endpoint returned success for event '${request.event}' and id ${request.notification_id}`);
+    }
+    return result;
+  }
+
   private version(): OpenId4VCIVersion {
     return this.credentialRequestOpts?.version ?? OpenId4VCIVersion.VER_1_0_11;
   }

package/lib/MetadataClient.ts

@@ -6,13 +6,12 @@ import {
   CredentialOfferRequestWithBaseUrl,
   EndpointMetadataResult,
   getIssuerFromCredentialOfferPayload,
+  getJson,
   OpenIDResponse,
   WellKnownEndpoints,
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
 
-import { getJson } from './functions';
-
 const debug = Debug('sphereon:oid4vci:metadata');
 
 export class MetadataClient {

package/lib/ProofOfPossessionBuilder.ts

@@ -1,6 +1,7 @@
 import {
   AccessTokenResponse,
   Alg,
+  createProofOfPossession,
   EndpointMetadata,
   JWK,
   Jwt,
@@ -12,8 +13,6 @@ import {
   Typ,
 } from '@sphereon/oid4vci-common';
 
-import { createProofOfPossession } from './functions';
-
 export class ProofOfPossessionBuilder<DIDDoc> {
   private readonly proof?: ProofOfPossession;
   private readonly callbacks?: ProofOfPossessionCallbacks<DIDDoc>;

package/lib/__tests__/CredentialRequestClient.spec.ts

@@ -1,3 +1,6 @@
+// Walt uses a self signed cert
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
 import { KeyObject } from 'crypto';
 
 import {
@@ -164,7 +167,8 @@ describe('Credential Request Client with Walt.id ', () => {
   afterEach(() => {
     nock.cleanAll();
   });
-  it('should have correct metadata endpoints', async function () {
+  // Walt id has cert issue
+  it.skip('should have correct metadata endpoints', async function () {
     nock.cleanAll();
     const WALT_IRR_URI =
       'openid-initiate-issuance://?issuer=https%3A%2F%2Fjff.walt.id%2Fissuer-api%2Foidc%2F&credential_type=OpenBadgeCredential&pre-authorized_code=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhOTUyZjUxNi1jYWVmLTQ4YjMtODIxYy00OTRkYzgyNjljZjAiLCJwcmUtYXV0aG9yaXplZCI6dHJ1ZX0.YE5DlalcLC2ChGEg47CQDaN1gTxbaQqSclIVqsSAUHE&user_pin_required=false';

package/lib/__tests__/HttpUtils.spec.ts

@@ -1,4 +1,4 @@
-import { isValidURL } from '../functions';
+import { isValidURL } from '@sphereon/oid4vci-common';
 
 describe('httputils.isValidURL', () => {
   it('Should return true for http://localhost', () => {

package/lib/__tests__/IT.spec.ts

@@ -50,7 +50,13 @@ describe('OID4VCI-Client should', () => {
   const INITIATE_QR =
     'openid-initiate-issuance://?issuer=https%3A%2F%2Fissuer.research.identiproof.io&credential_type=OpenBadgeCredentialUrl&pre-authorized_code=4jLs9xZHEfqcoow0kHE7d1a8hUk6Sy-5bVSV2MqBUGUgiFFQi-ImL62T-FmLIo8hKA1UdMPH0lM1xAgcFkJfxIw9L-lI3mVs0hRT8YVwsEM1ma6N3wzuCdwtMU4bcwKp&user_pin_required=true';
   const OFFER_QR =
-    'openid-credential-offer://credential_offer=%7B%22credential_issuer%22:%22https://credential-issuer.example.com%22,%22credentials%22:%5B%7B%22format%22:%22jwt_vc_json%22,%22types%22:%5B%22VerifiableCredential%22,%22UniversityDegreeCredential%22%5D%7D%5D,%22issuer_state%22:%22eyJhbGciOiJSU0Et...FYUaBy%22%7D';
+    'openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fissuer.research.identiproof.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22jwt_vc_json%22%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22UniversityDegreeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22adhjhdjajkdkhjhdj%22%2C%22user_pin_required%22%3Atrue%7D%7D%7D';
+  const HTTPS_INITIATE_QR =
+    'https://issuer.research.identiproof.io?issuer=https%3A%2F%2Fissuer.research.identiproof.io&credential_type=OpenBadgeCredentialUrl&pre-authorized_code=4jLs9xZHEfqcoow0kHE7d1a8hUk6Sy-5bVSV2MqBUGUgiFFQi-ImL62T-FmLIo8hKA1UdMPH0lM1xAgcFkJfxIw9L-lI3mVs0hRT8YVwsEM1ma6N3wzuCdwtMU4bcwKp&user_pin_required=true';
+  const HTTPS_OFFER_QR_AUTHORIZATION_CODE =
+    'https://issuer.research.identiproof.io?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fissuer.research.identiproof.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22jwt_vc_json%22%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22UniversityDegreeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22authorization_code%22%3A%7B%22issuer_state%22%3A%22eyJhbGciOiJSU0Et...FYUaBy%22%7D%7D%7D';
+  const HTTPS_OFFER_QR_PRE_AUTHORIZED =
+    'https://issuer.research.identiproof.io?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fissuer.research.identiproof.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22jwt_vc_json%22%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22UniversityDegreeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22adhjhdjajkdkhjhdj%22%2C%22user_pin_required%22%3Atrue%7D%7D%7D';
 
   function succeedWithAFullFlowWithClientSetup() {
     nock(IDENTIPROOF_ISSUER_URL).get('/.well-known/openid-credential-issuer').reply(200, JSON.stringify(IDENTIPROOF_OID4VCI_METADATA));
@@ -78,7 +84,7 @@ describe('OID4VCI-Client should', () => {
     await assertionOfsucceedWithAFullFlowWithClient(client);
   });
 
-  test.skip('succeed with a full flow wit the client using OpenID4VCI version 11', async () => {
+  it('succeed with a full flow with the client using OpenID4VCI version 11 and deeplink', async () => {
     succeedWithAFullFlowWithClientSetup();
     const client = await OpenID4VCIClient.fromURI({
       uri: OFFER_QR,
@@ -89,6 +95,39 @@ describe('OID4VCI-Client should', () => {
     await assertionOfsucceedWithAFullFlowWithClient(client);
   });
 
+  it('succeed with a full flow with the client using OpenID4VCI draft < 9 and https', async () => {
+    succeedWithAFullFlowWithClientSetup();
+    const client = await OpenID4VCIClient.fromURI({
+      uri: HTTPS_INITIATE_QR,
+      kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1',
+      alg: Alg.ES256,
+      clientId: 'test-clientId',
+    });
+    await assertionOfsucceedWithAFullFlowWithClient(client);
+  });
+
+  it('should succeed with a full flow with the client using OpenID4VCI draft > 11, https and authorization_code flow', async () => {
+    succeedWithAFullFlowWithClientSetup();
+    const client = await OpenID4VCIClient.fromURI({
+      uri: HTTPS_OFFER_QR_AUTHORIZATION_CODE,
+      kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1',
+      alg: Alg.ES256,
+      clientId: 'test-clientId',
+    });
+    await assertionOfsucceedWithAFullFlowWithClient(client);
+  });
+
+  it('should succeed with a full flow with the client using OpenID4VCI draft > 11, https and preauthorized_code flow', async () => {
+    succeedWithAFullFlowWithClientSetup();
+    const client = await OpenID4VCIClient.fromURI({
+      uri: HTTPS_OFFER_QR_PRE_AUTHORIZED,
+      kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1',
+      alg: Alg.ES256,
+      clientId: 'test-clientId',
+    });
+    await assertionOfsucceedWithAFullFlowWithClient(client);
+  });
+
   async function assertionOfsucceedWithAFullFlowWithClient(client: OpenID4VCIClient) {
     expect(client.credentialOffer).toBeDefined();
     expect(client.endpointMetadata).toBeDefined();
@@ -96,7 +135,7 @@ describe('OID4VCI-Client should', () => {
     expect(client.getCredentialEndpoint()).toEqual('https://issuer.research.identiproof.io/credential');
     expect(client.getAccessTokenEndpoint()).toEqual('https://auth.research.identiproof.io/oauth2/token');
 
-    const accessToken = await client.acquireAccessToken({ pin: '1234' });
+    const accessToken = await client.acquireAccessToken({ pin: '1234', code: 'ABCD' });
     expect(accessToken).toEqual(mockedAccessTokenResponse);
 
     const credentialResponse = await client.acquireCredentials({

package/lib/__tests__/IssuanceInitiation.spec.ts

@@ -58,4 +58,26 @@ describe('Issuance Initiation', () => {
     expect(client.credential_offer.credential_issuer).toEqual('https://launchpad.vii.electron.mattrlabs.io');
     expect(client.preAuthorizedCode).toEqual('UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X');
   });
+
+  it('Should take an https url as input and return a Credential Offer', async () => {
+    const client = await CredentialOfferClient.fromURI(
+      'https://launchpad.vii.electron.mattrlabs.io?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Flaunchpad.vii.electron.mattrlabs.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22ldp_vc%22%2C%22types%22%3A%5B%22OpenBadgeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X%22%7D%7D%7D',
+    );
+    expect(client.version).toEqual(OpenId4VCIVersion.VER_1_0_11);
+    expect(client.baseUrl).toEqual('https://launchpad.vii.electron.mattrlabs.io');
+    expect(client.scheme).toEqual('https');
+    expect(client.credential_offer.credential_issuer).toEqual('https://launchpad.vii.electron.mattrlabs.io');
+    expect(client.preAuthorizedCode).toEqual('UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X');
+  })
+
+  it('Should take an http url as input and return a Credential Offer', async () => {
+    const client = await CredentialOfferClient.fromURI(
+      'http://launchpad.vii.electron.mattrlabs.io?credential_offer=%7B%22credential_issuer%22%3A%22http%3A%2F%2Flaunchpad.vii.electron.mattrlabs.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22ldp_vc%22%2C%22types%22%3A%5B%22OpenBadgeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X%22%7D%7D%7D',
+    );
+    expect(client.version).toEqual(OpenId4VCIVersion.VER_1_0_11);
+    expect(client.baseUrl).toEqual('http://launchpad.vii.electron.mattrlabs.io');
+    expect(client.scheme).toEqual('http');
+    expect(client.credential_offer.credential_issuer).toEqual('http://launchpad.vii.electron.mattrlabs.io');
+    expect(client.preAuthorizedCode).toEqual('UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X');
+  })
 });

package/lib/__tests__/ProofOfPossessionBuilder.spec.ts

@@ -9,7 +9,7 @@ import { IDENTIPROOF_ISSUER_URL } from './MetadataMocks';
 
 const jwt: Jwt = {
   header: { alg: Alg.ES256, kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1', typ: 'jwt' },
-  payload: { iss: 'sphereon:wallet', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: IDENTIPROOF_ISSUER_URL, iat: Date.now()/1000 },
+  payload: { iss: 'sphereon:wallet', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: IDENTIPROOF_ISSUER_URL, iat: Date.now() / 1000 },
 };
 
 const kid = 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1';

package/lib/__tests__/SdJwt.spec.ts

@@ -43,7 +43,7 @@ const vcIssuer = new VcIssuerBuilder()
         },
         payload: {
           aud: issuerMetadata.credential_issuer,
-          iat: +new Date()/1000,
+          iat: +new Date() / 1000,
           nonce: 'a-c-nonce',
         },
       },
@@ -152,6 +152,7 @@ describe('sd-jwt vc', () => {
       });
 
       expect(credentials).toEqual({
+        notification_id: expect.any(String),
         c_nonce: 'new-c-nonce',
         c_nonce_expires_in: 300,
         credential: 'sd-jwt',

package/lib/__tests__/SphereonE2E.spec.test.ts

@@ -115,7 +115,8 @@ async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promi
 }
 
 describe('ismapolis bug report #63, https://github.com/Sphereon-Opensource/OID4VC-demo/issues/63, should', () => {
-  it('work as expected provided a correct JWT is supplied', async () => {
+  // Sphereon infra is not working currently
+  it.skip('work as expected provided a correct JWT is supplied', async () => {
     debug.enable('*');
     const { uri } = await getCredentialOffer('jwt_vc_json');
     const client = await OpenID4VCIClient.fromURI({ uri: uri, clientId: 'test-clientID' });

package/lib/functions/index.ts

@@ -1,3 +1 @@
-export * from '@sphereon/oid4vci-common/dist/functions/Encoding';
-export * from '@sphereon/oid4vci-common/dist/functions/HttpUtils';
-export * from './ProofUtil';
+export * from './AuthorizationUtil';

package/lib/types/index.ts

@@ -0,0 +1,6 @@
+import { VCI_LOGGERS } from '@sphereon/oid4vci-common';
+import { ISimpleLogger, LogMethod } from '@sphereon/ssi-types';
+
+export const LOG: ISimpleLogger<string> = VCI_LOGGERS.options('sphereon:oid4vci:client', { methods: [LogMethod.EVENT, LogMethod.DEBUG_PKG] }).get(
+  'sphereon:oid4vci:client',
+);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/oid4vci-client",
-  "version": "0.10.3",
+  "version": "0.10.4-next.14+68c89f4",
   "description": "OpenID for Verifiable Credential Issuance (OpenID4VCI) client",
   "source": "lib/index.ts",
   "main": "dist/index.js",
@@ -15,8 +15,8 @@
     "build": "tsc"
   },
   "dependencies": {
-    "@sphereon/oid4vci-common": "0.10.3",
-    "@sphereon/ssi-types": "^0.23.0",
+    "@sphereon/oid4vci-common": "0.10.4-next.14+68c89f4",
+    "@sphereon/ssi-types": "0.24.1-unstable.112",
     "cross-fetch": "^3.1.8",
     "debug": "^4.3.4"
   },
@@ -69,5 +69,5 @@
     "OIDC4VCI",
     "OID4VCI"
   ],
-  "gitHead": "4d46a7282a475c4e78d496f82f24114f700ee5e0"
+  "gitHead": "68c89f45e627577608d1b10ab260f6810a46fe88"
 }

package/dist/functions/ProofUtil.d.ts

@@ -1,30 +0,0 @@
-import { JWK, Jwt, ProofOfPossession, ProofOfPossessionCallbacks, Typ } from '@sphereon/oid4vci-common';
-/**
- *
- *  - proofOfPossessionCallback: JWTSignerCallback
- *    Mandatory if you want to create (sign) ProofOfPossession
- *  - proofOfPossessionVerifierCallback?: JWTVerifyCallback
- *    If exists, verifies the ProofOfPossession
- *  - proofOfPossessionCallbackArgs: ProofOfPossessionCallbackArgs
- *    arguments needed for signing ProofOfPossession
- * @param callbacks:
- *    - proofOfPossessionCallback: JWTSignerCallback
- *      Mandatory to create (sign) ProofOfPossession
- *    - proofOfPossessionVerifierCallback?: JWTVerifyCallback
- *      If exists, verifies the ProofOfPossession
- * @param jwtProps
- * @param existingJwt
- *  - Optional, clientId of the party requesting the credential
- */
-export declare const createProofOfPossession: <DIDDoc>(callbacks: ProofOfPossessionCallbacks<DIDDoc>, jwtProps?: JwtProps, existingJwt?: Jwt) => Promise<ProofOfPossession>;
-export interface JwtProps {
-    typ?: Typ;
-    kid?: string;
-    jwk?: JWK;
-    issuer?: string;
-    clientId?: string;
-    alg?: string;
-    jti?: string;
-    nonce?: string;
-}
-//# sourceMappingURL=ProofUtil.d.ts.map

package/dist/functions/ProofUtil.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ProofUtil.d.ts","sourceRoot":"","sources":["../../lib/functions/ProofUtil.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,GAAG,EAEH,GAAG,EAGH,iBAAiB,EACjB,0BAA0B,EAC1B,GAAG,EACJ,MAAM,0BAA0B,CAAC;AAKlC;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,uBAAuB,qEAEvB,QAAQ,gBACL,GAAG,KAChB,QAAQ,iBAAiB,CA0B3B,CAAC;AAQF,MAAM,WAAW,QAAQ;IACvB,GAAG,CAAC,EAAE,GAAG,CAAC;IACV,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,GAAG,CAAC;IACV,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB"}

package/dist/functions/ProofUtil.js

@@ -1,106 +0,0 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createProofOfPossession = void 0;
-const oid4vci_common_1 = require("@sphereon/oid4vci-common");
-const debug_1 = __importDefault(require("debug"));
-const debug = (0, debug_1.default)('sphereon:openid4vci:token');
-/**
- *
- *  - proofOfPossessionCallback: JWTSignerCallback
- *    Mandatory if you want to create (sign) ProofOfPossession
- *  - proofOfPossessionVerifierCallback?: JWTVerifyCallback
- *    If exists, verifies the ProofOfPossession
- *  - proofOfPossessionCallbackArgs: ProofOfPossessionCallbackArgs
- *    arguments needed for signing ProofOfPossession
- * @param callbacks:
- *    - proofOfPossessionCallback: JWTSignerCallback
- *      Mandatory to create (sign) ProofOfPossession
- *    - proofOfPossessionVerifierCallback?: JWTVerifyCallback
- *      If exists, verifies the ProofOfPossession
- * @param jwtProps
- * @param existingJwt
- *  - Optional, clientId of the party requesting the credential
- */
-const createProofOfPossession = (callbacks, jwtProps, existingJwt) => __awaiter(void 0, void 0, void 0, function* () {
-    if (!callbacks.signCallback) {
-        debug(`no jwt signer callback or arguments supplied!`);
-        throw new Error(oid4vci_common_1.BAD_PARAMS);
-    }
-    const signerArgs = createJWT(jwtProps, existingJwt);
-    const jwt = yield callbacks.signCallback(signerArgs, signerArgs.header.kid);
-    const proof = {
-        proof_type: 'jwt',
-        jwt,
-    };
-    try {
-        partiallyValidateJWS(jwt);
-        if (callbacks.verifyCallback) {
-            debug(`Calling supplied verify callback....`);
-            yield callbacks.verifyCallback({ jwt, kid: signerArgs.header.kid });
-            debug(`Supplied verify callback return success result`);
-        }
-    }
-    catch (_a) {
-        debug(`JWS was not valid`);
-        throw new Error(oid4vci_common_1.JWS_NOT_VALID);
-    }
-    debug(`Proof of Possession JWT:\r\n${jwt}`);
-    return proof;
-});
-exports.createProofOfPossession = createProofOfPossession;
-const partiallyValidateJWS = (jws) => {
-    if (jws.split('.').length !== 3 || !jws.startsWith('ey')) {
-        throw new Error(oid4vci_common_1.JWS_NOT_VALID);
-    }
-};
-const createJWT = (jwtProps, existingJwt) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m;
-    const aud = getJwtProperty('aud', true, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.issuer, (_a = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _a === void 0 ? void 0 : _a.aud);
-    const iss = getJwtProperty('iss', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.clientId, (_b = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _b === void 0 ? void 0 : _b.iss);
-    const jti = getJwtProperty('jti', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.jti, (_c = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _c === void 0 ? void 0 : _c.jti);
-    const typ = getJwtProperty('typ', true, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.typ, (_d = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _d === void 0 ? void 0 : _d.typ, 'jwt');
-    const nonce = getJwtProperty('nonce', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.nonce, (_e = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _e === void 0 ? void 0 : _e.nonce); // Officially this is required, but some implementations don't have it
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    const alg = getJwtProperty('alg', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.alg, (_f = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _f === void 0 ? void 0 : _f.alg, 'ES256');
-    const kid = getJwtProperty('kid', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.kid, (_g = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _g === void 0 ? void 0 : _g.kid);
-    const jwk = getJwtProperty('jwk', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.jwk, (_h = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _h === void 0 ? void 0 : _h.jwk);
-    const jwt = existingJwt ? existingJwt : {};
-    const now = +new Date();
-    const jwtPayload = Object.assign(Object.assign({ aud, iat: (_k = (_j = jwt.payload) === null || _j === void 0 ? void 0 : _j.iat) !== null && _k !== void 0 ? _k : Math.round(now / 1000 - 60), exp: (_m = (_l = jwt.payload) === null || _l === void 0 ? void 0 : _l.exp) !== null && _m !== void 0 ? _m : Math.round(now / 1000 + 10 * 60), nonce }, (iss ? { iss } : {})), (jti ? { jti } : {}));
-    const jwtHeader = {
-        typ,
-        alg,
-        kid,
-        jwk,
-    };
-    return {
-        payload: Object.assign(Object.assign({}, jwt.payload), jwtPayload),
-        header: Object.assign(Object.assign({}, jwt.header), jwtHeader),
-    };
-};
-const getJwtProperty = (propertyName, required, option, jwtProperty, defaultValue) => {
-    if (typeof option === 'string' && option && jwtProperty && option !== jwtProperty) {
-        throw Error(`Cannot have a property '${propertyName}' with value '${option}' and different JWT value '${jwtProperty}' at the same time`);
-    }
-    let result = (jwtProperty ? jwtProperty : option);
-    if (!result) {
-        if (required) {
-            throw Error(`No ${propertyName} property provided either in a JWT or as option`);
-        }
-        result = defaultValue;
-    }
-    return result;
-};
-//# sourceMappingURL=ProofUtil.js.map

package/dist/functions/ProofUtil.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"ProofUtil.js","sourceRoot":"","sources":["../../lib/functions/ProofUtil.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,6DAWkC;AAClC,kDAA0B;AAE1B,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,2BAA2B,CAAC,CAAC;AAEjD;;;;;;;;;;;;;;;;GAgBG;AACI,MAAM,uBAAuB,GAAG,CACrC,SAA6C,EAC7C,QAAmB,EACnB,WAAiB,EACW,EAAE;IAC9B,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;QAC5B,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,2BAAU,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,KAAK;QACjB,GAAG;KACiB,CAAC;IAEvB,IAAI,CAAC;QACH,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,SAAS,CAAC,cAAc,EAAE,CAAC;YAC7B,KAAK,CAAC,sCAAsC,CAAC,CAAC;YAC9C,MAAM,SAAS,CAAC,cAAc,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;YACpE,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAAC,WAAM,CAAC;QACP,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,8BAAa,CAAC,CAAC;IACjC,CAAC;IACD,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;IAC5C,OAAO,KAAK,CAAC;AACf,CAAC,CAAA,CAAC;AA9BW,QAAA,uBAAuB,2BA8BlC;AAEF,MAAM,oBAAoB,GAAG,CAAC,GAAW,EAAQ,EAAE;IACjD,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,8BAAa,CAAC,CAAC;IACjC,CAAC;AACH,CAAC,CAAC;AAaF,MAAM,SAAS,GAAG,CAAC,QAAmB,EAAE,WAAiB,EAAO,EAAE;;IAChE,MAAM,GAAG,GAAG,cAAc,CAAoB,KAAK,EAAE,IAAI,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,MAAM,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,GAAG,CAAC,CAAC;IACxG,MAAM,GAAG,GAAG,cAAc,CAAS,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,QAAQ,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,GAAG,CAAC,CAAC;IAChG,MAAM,GAAG,GAAG,cAAc,CAAS,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,GAAG,CAAC,CAAC;IAC3F,MAAM,GAAG,GAAG,cAAc,CAAS,KAAK,EAAE,IAAI,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAChG,MAAM,KAAK,GAAG,cAAc,CAAS,OAAO,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,KAAK,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,KAAK,CAAC,CAAC,CAAC,sEAAsE;IAC1K,oEAAoE;IACpE,MAAM,GAAG,GAAG,cAAc,CAAS,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,EAAE,OAAO,CAAE,CAAC;IACpG,MAAM,GAAG,GAAG,cAAc,CAAS,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,CAAC,CAAC;IAC1F,MAAM,GAAG,GAAG,cAAc,CAAU,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,CAAC,CAAC;IAC3F,MAAM,GAAG,GAAiB,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;IACzD,MAAM,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IACxB,MAAM,UAAU,iCACd,GAAG,EACH,GAAG,EAAE,MAAA,MAAA,GAAG,CAAC,OAAO,0CAAE,GAAG,mCAAI,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,GAAG,EAAE,CAAC,EACpD,GAAG,EAAE,MAAA,MAAA,GAAG,CAAC,OAAO,0CAAE,GAAG,mCAAI,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,EACzD,KAAK,IACF,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,GACpB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CACxB,CAAC;IAEF,MAAM,SAAS,GAAc;QAC3B,GAAG;QACH,GAAG;QACH,GAAG;QACH,GAAG;KACJ,CAAC;IACF,OAAO;QACL,OAAO,kCAAO,GAAG,CAAC,OAAO,GAAK,UAAU,CAAE;QAC1C,MAAM,kCAAO,GAAG,CAAC,MAAM,GAAK,SAAS,CAAE;KACxC,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,CAAI,YAAoB,EAAE,QAAiB,EAAE,MAAqB,EAAE,WAAe,EAAE,YAAgB,EAAiB,EAAE;IAC7I,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,WAAW,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;QAClF,MAAM,KAAK,CAAC,2BAA2B,YAAY,iBAAiB,MAAM,8BAA8B,WAAW,oBAAoB,CAAC,CAAC;IAC3I,CAAC;IACD,IAAI,MAAM,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAkB,CAAC;IACnE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,KAAK,CAAC,MAAM,YAAY,iDAAiD,CAAC,CAAC;QACnF,CAAC;QACD,MAAM,GAAG,YAAY,CAAC;IACxB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC"}