@sphereon/oid4vci-client 0.10.4-unstable.2 → 0.10.4-unstable.21

package/lib/AccessTokenClient.ts

@@ -5,15 +5,20 @@ import {
   assertedUniformCredentialOffer,
   AuthorizationServerOpts,
   AuthzFlowType,
+  CredentialOfferPayloadV1_0_13,
+  CredentialOfferV1_0_13,
+  determineSpecVersionFromOffer,
   EndpointMetadata,
   getIssuerFromCredentialOfferPayload,
   GrantTypes,
   IssuerOpts,
   JsonURIMode,
+  OpenId4VCIVersion,
   OpenIDResponse,
   PRE_AUTH_CODE_LITERAL,
   TokenErrorResponse,
   toUniformCredentialOfferRequest,
+  TxCodeAndPinRequired,
   UniformCredentialOfferPayload,
 } from '@sphereon/oid4vci-common';
 import { ObjectUtils } from '@sphereon/ssi-types';
@@ -29,7 +34,7 @@ export class AccessTokenClient {
     const { asOpts, pin, codeVerifier, code, redirectUri, metadata } = opts;
 
     const credentialOffer = opts.credentialOffer ? await assertedUniformCredentialOffer(opts.credentialOffer) : undefined;
-    const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer);
+    const pinMetadata: TxCodeAndPinRequired | undefined = credentialOffer && this.getPinMetadata(credentialOffer.credential_offer);
     const issuer =
       opts.credentialIssuer ??
       (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : (metadata?.issuer as string));
@@ -48,8 +53,9 @@ export class AccessTokenClient {
         code,
         redirectUri,
         pin,
+        pinMetadata,
       }),
-      isPinRequired,
+      pinMetadata,
       metadata,
       asOpts,
       issuerOpts,
@@ -58,18 +64,18 @@ export class AccessTokenClient {
 
   public async acquireAccessTokenUsingRequest({
     accessTokenRequest,
-    isPinRequired,
+    pinMetadata,
     metadata,
     asOpts,
     issuerOpts,
   }: {
     accessTokenRequest: AccessTokenRequest;
-    isPinRequired?: boolean;
+    pinMetadata?: TxCodeAndPinRequired;
     metadata?: EndpointMetadata;
     asOpts?: AuthorizationServerOpts;
     issuerOpts?: IssuerOpts;
   }): Promise<OpenIDResponse<AccessTokenResponse>> {
-    this.validate(accessTokenRequest, isPinRequired);
+    this.validate(accessTokenRequest, pinMetadata);
 
     const requestTokenURL = AccessTokenClient.determineTokenURL({
       asOpts,
@@ -86,7 +92,11 @@ export class AccessTokenClient {
 
   public async createAccessTokenRequest(opts: AccessTokenRequestOpts): Promise<AccessTokenRequest> {
     const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
-    const credentialOfferRequest = opts.credentialOffer ? await toUniformCredentialOfferRequest(opts.credentialOffer) : undefined;
+    const credentialOfferRequest =
+      opts.credentialOffer &&
+      determineSpecVersionFromOffer(opts.credentialOffer as CredentialOfferPayloadV1_0_13).valueOf() <= OpenId4VCIVersion.VER_1_0_13.valueOf()
+        ? await toUniformCredentialOfferRequest(opts.credentialOffer as CredentialOfferV1_0_13)
+        : undefined;
     const request: Partial<AccessTokenRequest> = {};
 
     if (asOpts?.clientId) {
@@ -94,7 +104,7 @@ export class AccessTokenClient {
     }
 
     if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
-      this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
+      this.assertAlphanumericPin(opts.pinMetadata, pin);
       request.user_pin = pin;
 
       request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
@@ -132,28 +142,50 @@ export class AccessTokenClient {
     }
   }
 
-  private isPinRequiredValue(requestPayload: UniformCredentialOfferPayload): boolean {
-    let isPinRequired = false;
+  private getPinMetadata(requestPayload: UniformCredentialOfferPayload): TxCodeAndPinRequired {
     if (!requestPayload) {
       throw new Error(TokenErrorResponse.invalid_request);
     }
     const issuer = getIssuerFromCredentialOfferPayload(requestPayload);
-    if (requestPayload.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']) {
-      isPinRequired = requestPayload.grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false;
-    }
+
+    const grantDetails = requestPayload.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code'];
+    const isPinRequired = !!grantDetails?.tx_code || !!grantDetails?.['pre-authorized_code'];
+
     debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
-    return isPinRequired;
+    return {
+      txCode: grantDetails?.tx_code,
+      isPinRequired,
+    };
   }
 
-  private assertNumericPin(isPinRequired?: boolean, pin?: string): void {
-    if (isPinRequired) {
-      if (!pin || !/^\d{1,8}$/.test(pin)) {
-        debug(`Pin is not 1 to 8 digits long`);
-        throw new Error('A valid pin consisting of maximal 8 numeric characters must be present.');
+  private assertAlphanumericPin(pinMeta?: TxCodeAndPinRequired, pin?: string): void {
+    if (pinMeta?.isPinRequired) {
+      let regex;
+
+      if (pinMeta.txCode) {
+        const { input_mode, length } = pinMeta.txCode;
+
+        if (input_mode === 'numeric') {
+          // Create a regex for numeric input. If no length specified, allow any length of numeric input.
+          regex = length ? new RegExp(`^\\d{1,${length}}$`) : /^\d+$/;
+        } else if (input_mode === 'text') {
+          // Create a regex for text input. If no length specified, allow any length of alphanumeric input.
+          regex = length ? new RegExp(`^[a-zA-Z0-9]{1,${length}}$`) : /^[a-zA-Z0-9]+$/;
+        }
+      }
+
+      // Default regex for alphanumeric with no specific length limit if no input_mode is specified.
+      regex = regex || /^[a-zA-Z0-9]+$|^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+$/;
+
+      if (!pin || !regex.test(pin)) {
+        debug(
+          `Pin is not valid. Expected format: ${pinMeta?.txCode?.input_mode || 'alphanumeric'}, Length: up to ${pinMeta?.txCode?.length || 'any number of'} characters`,
+        );
+        throw new Error('A valid pin must be present according to the specified transaction code requirements.');
       }
     } else if (pin) {
-      debug(`Pin set, whilst not required`);
-      throw new Error('Cannot set a pin, when the pin is not required.');
+      debug('Pin set, whilst not required');
+      throw new Error('Cannot set a pin when the pin is not required.');
     }
   }
 
@@ -177,11 +209,11 @@ export class AccessTokenClient {
       throw new Error('Authorization flow requires the code to be present');
     }
   }
-  private validate(accessTokenRequest: AccessTokenRequest, isPinRequired?: boolean): void {
+  private validate(accessTokenRequest: AccessTokenRequest, pinMeta?: TxCodeAndPinRequired): void {
     if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {
       this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
       this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
-      this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin);
+      this.assertAlphanumericPin(pinMeta, accessTokenRequest['pre-authorized_code']);
     } else if (accessTokenRequest.grant_type === GrantTypes.AUTHORIZATION_CODE) {
       this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
       this.assertNonEmptyCodeVerifier(accessTokenRequest);

package/lib/AccessTokenClientV1_0_11.ts

@@ -0,0 +1,255 @@
+import {
+  AccessTokenRequest,
+  AccessTokenRequestOpts,
+  AccessTokenResponse,
+  assertedUniformCredentialOffer,
+  AuthorizationServerOpts,
+  AuthzFlowType,
+  CredentialOfferPayloadV1_0_11,
+  CredentialOfferV1_0_11,
+  CredentialOfferV1_0_13,
+  determineSpecVersionFromOffer,
+  EndpointMetadata,
+  getIssuerFromCredentialOfferPayload,
+  GrantTypes,
+  IssuerOpts,
+  JsonURIMode,
+  OpenId4VCIVersion,
+  OpenIDResponse,
+  PRE_AUTH_CODE_LITERAL,
+  TokenErrorResponse,
+  toUniformCredentialOfferRequest,
+  toUniformCredentialOfferRequestV1_0_11,
+  UniformCredentialOfferPayload,
+} from '@sphereon/oid4vci-common';
+import { ObjectUtils } from '@sphereon/ssi-types';
+import Debug from 'debug';
+
+import { MetadataClient } from './MetadataClient';
+import { convertJsonToURI, formPost } from './functions';
+
+const debug = Debug('sphereon:oid4vci:token');
+
+export class AccessTokenClientV1_0_11 {
+  public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse>> {
+    const { asOpts, pin, codeVerifier, code, redirectUri, metadata } = opts;
+
+    const credentialOffer = opts.credentialOffer ? await assertedUniformCredentialOffer(opts.credentialOffer) : undefined;
+    const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer);
+    const issuer =
+      opts.credentialIssuer ??
+      (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : (metadata?.issuer as string));
+    if (!issuer) {
+      throw Error('Issuer required at this point');
+    }
+    const issuerOpts = {
+      issuer,
+    };
+
+    return await this.acquireAccessTokenUsingRequest({
+      accessTokenRequest: await this.createAccessTokenRequest({
+        credentialOffer,
+        asOpts,
+        codeVerifier,
+        code,
+        redirectUri,
+        pin,
+      }),
+      isPinRequired,
+      metadata,
+      asOpts,
+      issuerOpts,
+    });
+  }
+
+  public async acquireAccessTokenUsingRequest({
+    accessTokenRequest,
+    isPinRequired,
+    metadata,
+    asOpts,
+    issuerOpts,
+  }: {
+    accessTokenRequest: AccessTokenRequest;
+    isPinRequired?: boolean;
+    metadata?: EndpointMetadata;
+    asOpts?: AuthorizationServerOpts;
+    issuerOpts?: IssuerOpts;
+  }): Promise<OpenIDResponse<AccessTokenResponse>> {
+    this.validate(accessTokenRequest, isPinRequired);
+
+    const requestTokenURL = AccessTokenClientV1_0_11.determineTokenURL({
+      asOpts,
+      issuerOpts,
+      metadata: metadata
+        ? metadata
+        : issuerOpts?.fetchMetadata
+          ? await MetadataClient.retrieveAllMetadata(issuerOpts.issuer, { errorOnNotFound: false })
+          : undefined,
+    });
+
+    return this.sendAuthCode(requestTokenURL, accessTokenRequest);
+  }
+
+  public async createAccessTokenRequest(opts: AccessTokenRequestOpts): Promise<AccessTokenRequest> {
+    const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
+    const credentialOfferRequest = opts.credentialOffer
+      ? determineSpecVersionFromOffer(opts.credentialOffer as CredentialOfferPayloadV1_0_11).valueOf() <= OpenId4VCIVersion.VER_1_0_11.valueOf()
+        ? await toUniformCredentialOfferRequestV1_0_11(opts.credentialOffer as CredentialOfferV1_0_11)
+        : await toUniformCredentialOfferRequest(opts.credentialOffer as CredentialOfferV1_0_13)
+      : undefined;
+    const request: Partial<AccessTokenRequest> = {};
+
+    if (asOpts?.clientId) {
+      request.client_id = asOpts.clientId;
+    }
+
+    if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
+      this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
+      request.user_pin = pin;
+
+      request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
+      // we actually know it is there because of the isPreAuthCode call
+      request[PRE_AUTH_CODE_LITERAL] =
+        credentialOfferRequest?.credential_offer.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.[PRE_AUTH_CODE_LITERAL];
+
+      return request as AccessTokenRequest;
+    }
+
+    if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
+      request.grant_type = GrantTypes.AUTHORIZATION_CODE;
+      request.code = code;
+      request.redirect_uri = redirectUri;
+
+      if (codeVerifier) {
+        request.code_verifier = codeVerifier;
+      }
+
+      return request as AccessTokenRequest;
+    }
+
+    throw new Error('Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.');
+  }
+
+  private assertPreAuthorizedGrantType(grantType: GrantTypes): void {
+    if (GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {
+      throw new Error("grant type must be 'urn:ietf:params:oauth:grant-type:pre-authorized_code'");
+    }
+  }
+
+  private assertAuthorizationGrantType(grantType: GrantTypes): void {
+    if (GrantTypes.AUTHORIZATION_CODE !== grantType) {
+      throw new Error("grant type must be 'authorization_code'");
+    }
+  }
+
+  private isPinRequiredValue(requestPayload: UniformCredentialOfferPayload): boolean {
+    let isPinRequired = false;
+    if (!requestPayload) {
+      throw new Error(TokenErrorResponse.invalid_request);
+    }
+    const issuer = getIssuerFromCredentialOfferPayload(requestPayload);
+    if (requestPayload.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']) {
+      isPinRequired = requestPayload.grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false;
+    }
+    debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
+    return isPinRequired;
+  }
+
+  private assertNumericPin(isPinRequired?: boolean, pin?: string): void {
+    if (isPinRequired) {
+      if (!pin || !/^\d{1,8}$/.test(pin)) {
+        debug(`Pin is not 1 to 8 digits long`);
+        throw new Error('A valid pin consisting of maximal 8 numeric characters must be present.');
+      }
+    } else if (pin) {
+      debug(`Pin set, whilst not required`);
+      throw new Error('Cannot set a pin, when the pin is not required.');
+    }
+  }
+
+  private assertNonEmptyPreAuthorizedCode(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest[PRE_AUTH_CODE_LITERAL]) {
+      debug(`No pre-authorized code present, whilst it is required`);
+      throw new Error('Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.');
+    }
+  }
+
+  private assertNonEmptyCodeVerifier(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest.code_verifier) {
+      debug('No code_verifier present, whilst it is required');
+      throw new Error('Authorization flow requires the code_verifier to be present');
+    }
+  }
+
+  private assertNonEmptyCode(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest.code) {
+      debug('No code present, whilst it is required');
+      throw new Error('Authorization flow requires the code to be present');
+    }
+  }
+  private validate(accessTokenRequest: AccessTokenRequest, isPinRequired?: boolean): void {
+    if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {
+      this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
+      this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
+      this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin);
+    } else if (accessTokenRequest.grant_type === GrantTypes.AUTHORIZATION_CODE) {
+      this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
+      this.assertNonEmptyCodeVerifier(accessTokenRequest);
+      this.assertNonEmptyCode(accessTokenRequest);
+    } else {
+      this.throwNotSupportedFlow();
+    }
+  }
+
+  private async sendAuthCode(requestTokenURL: string, accessTokenRequest: AccessTokenRequest): Promise<OpenIDResponse<AccessTokenResponse>> {
+    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }));
+  }
+
+  public static determineTokenURL({
+    asOpts,
+    issuerOpts,
+    metadata,
+  }: {
+    asOpts?: AuthorizationServerOpts;
+    issuerOpts?: IssuerOpts;
+    metadata?: EndpointMetadata;
+  }): string {
+    if (!asOpts && !metadata?.token_endpoint && !issuerOpts) {
+      throw new Error('Cannot determine token URL if no issuer, metadata and no Authorization Server values are present');
+    }
+    let url;
+    if (asOpts && asOpts.as) {
+      url = this.creatTokenURLFromURL(asOpts.as, asOpts?.allowInsecureEndpoints, asOpts.tokenEndpoint);
+    } else if (metadata?.token_endpoint) {
+      url = metadata.token_endpoint;
+    } else {
+      if (!issuerOpts?.issuer) {
+        throw Error('Either authorization server options, a token endpoint or issuer options are required at this point');
+      }
+      url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
+    }
+
+    if (!url || !ObjectUtils.isString(url)) {
+      throw new Error('No authorization server token URL present. Cannot acquire access token');
+    }
+    debug(`Token endpoint determined to be ${url}`);
+    return url;
+  }
+
+  private static creatTokenURLFromURL(url: string, allowInsecureEndpoints?: boolean, tokenEndpoint?: string): string {
+    if (allowInsecureEndpoints !== true && url.startsWith('http:')) {
+      throw Error(
+        `Unprotected token endpoints are not allowed ${url}. Use the 'allowInsecureEndpoints' param if you really need this for dev/testing!`,
+      );
+    }
+    const hostname = url.replace(/https?:\/\//, '').replace(/\/$/, '');
+    const endpoint = tokenEndpoint ? (tokenEndpoint.startsWith('/') ? tokenEndpoint : tokenEndpoint.substring(1)) : '/token';
+    const scheme = url.split('://')[0];
+    return `${scheme ? scheme + '://' : 'https://'}${hostname}${endpoint}`;
+  }
+
+  private throwNotSupportedFlow(): void {
+    debug(`Only pre-authorized or authorization code flows supported.`);
+    throw new Error('Only pre-authorized-code or authorization code flows are supported');
+  }
+}

package/lib/AuthorizationCodeClient.ts

@@ -3,32 +3,46 @@ import {
   AuthorizationRequestOpts,
   CodeChallengeMethod,
   convertJsonToURI,
+  CredentialOfferFormat,
+  CredentialOfferPayloadV1_0_13,
   CredentialOfferRequestWithBaseUrl,
   CredentialSupported,
-  EndpointMetadataResult,
+  determineSpecVersionFromOffer,
+  EndpointMetadataResultV1_0_13,
   formPost,
   JsonURIMode,
+  OpenId4VCIVersion,
   PARMode,
   PKCEOpts,
-  PushedAuthorizationResponse,
-  ResponseType,
-} from '@sphereon/oid4vci-common';
+  PushedAuthorizationResponse, 
+  ResponseType
+} from '@sphereon/oid4vci-common'
 import Debug from 'debug';
 
 const debug = Debug('sphereon:oid4vci');
 
+function filterSupportedCredentials(
+  credentialOffer: CredentialOfferPayloadV1_0_13,
+  credentialsSupported?: Record<string, CredentialSupported>,
+): CredentialSupported[] {
+  if (!credentialOffer.credential_configuration_ids || !credentialsSupported) {
+    return [];
+  }
+  return credentialOffer.credential_configuration_ids.map((id) => credentialsSupported[id]).filter((cred) => cred !== undefined);
+}
+
 export const createAuthorizationRequestUrl = async ({
   pkce,
   endpointMetadata,
   authorizationRequest,
   credentialOffer,
-  credentialsSupported,
+  credentialConfigurationSupported,
 }: {
   pkce: PKCEOpts;
-  endpointMetadata: EndpointMetadataResult;
+  endpointMetadata: EndpointMetadataResultV1_0_13;
   authorizationRequest: AuthorizationRequestOpts;
   credentialOffer?: CredentialOfferRequestWithBaseUrl;
-  credentialsSupported?: CredentialSupported[];
+  credentialConfigurationSupported?: Record<string, CredentialSupported>;
 }): Promise<string> => {
   const { redirectUri, clientId } = authorizationRequest;
   let { scope, authorizationDetails } = authorizationRequest;
@@ -41,13 +55,19 @@ export const createAuthorizationRequestUrl = async ({
     if (!credentialOffer) {
       throw Error('Please provide a scope or authorization_details if no credential offer is present');
     }
-    const creds = credentialOffer.credential_offer.credentials;
+    if ('credentials' in credentialOffer.credential_offer) {
+      throw new Error('CredentialOffer format is wrong.');
+    }
+    const creds: (CredentialSupported | CredentialOfferFormat | string)[] =
+      determineSpecVersionFromOffer(credentialOffer.credential_offer) === OpenId4VCIVersion.VER_1_0_13
+        ? filterSupportedCredentials(credentialOffer.credential_offer as CredentialOfferPayloadV1_0_13, credentialConfigurationSupported)
+        : [];
 
     // FIXME: complains about VCT for sd-jwt
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore
     authorizationDetails = creds
-      .flatMap((cred) => (typeof cred === 'string' ? credentialsSupported : (cred as CredentialSupported)))
+      .flatMap((cred) => cred as CredentialSupported)
       .filter((cred) => !!cred)
       .map((cred) => {
         return {
@@ -124,7 +144,7 @@ export const createAuthorizationRequestUrl = async ({
 };
 
 const handleAuthorizationDetails = (
-  endpointMetadata: EndpointMetadataResult,
+  endpointMetadata: EndpointMetadataResultV1_0_13,
   authorizationDetails?: AuthorizationDetails | AuthorizationDetails[],
 ): AuthorizationDetails | AuthorizationDetails[] | undefined => {
   if (authorizationDetails) {
@@ -143,7 +163,7 @@ const handleAuthorizationDetails = (
   return authorizationDetails;
 };
 
-const handleLocations = (endpointMetadata: EndpointMetadataResult, authorizationDetails: AuthorizationDetails) => {
+const handleLocations = (endpointMetadata: EndpointMetadataResultV1_0_13, authorizationDetails: AuthorizationDetails) => {
   if (typeof authorizationDetails === 'string') {
     // backwards compat for older versions of the lib
     return authorizationDetails;

package/lib/AuthorizationCodeClientV1_0_11.ts

@@ -0,0 +1,167 @@
+import {
+  AuthorizationDetails,
+  AuthorizationRequestOpts,
+  CodeChallengeMethod,
+  convertJsonToURI,
+  CredentialSupported,
+  CredentialOfferFormat,
+  CredentialOfferPayloadV1_0_11,
+  CredentialOfferRequestWithBaseUrl,
+  EndpointMetadataResultV1_0_11,
+  formPost,
+  JsonURIMode,
+  PARMode,
+  PKCEOpts,
+  PushedAuthorizationResponse,
+  ResponseType,
+} from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+const debug = Debug('sphereon:oid4vci');
+
+export const createAuthorizationRequestUrlV1_0_11 = async ({
+  pkce,
+  endpointMetadata,
+  authorizationRequest,
+  credentialOffer,
+  credentialsSupported,
+}: {
+  pkce: PKCEOpts;
+  endpointMetadata: EndpointMetadataResultV1_0_11;
+  authorizationRequest: AuthorizationRequestOpts;
+  credentialOffer?: CredentialOfferRequestWithBaseUrl;
+  credentialsSupported?: CredentialSupported[];
+}): Promise<string> => {
+  const { redirectUri, clientId } = authorizationRequest;
+  let { scope, authorizationDetails } = authorizationRequest;
+  const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests
+    ? PARMode.REQUIRE
+    : authorizationRequest.parMode ?? PARMode.AUTO;
+  // Scope and authorization_details can be used in the same authorization request
+  // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
+  if (!scope && !authorizationDetails) {
+    if (!credentialOffer) {
+      throw Error('Please provide a scope or authorization_details if no credential offer is present');
+    }
+    const creds: (CredentialOfferFormat | string)[] = (credentialOffer.credential_offer as CredentialOfferPayloadV1_0_11).credentials;
+
+    // FIXME: complains about VCT for sd-jwt
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    authorizationDetails = creds
+      .flatMap((cred) =>
+        typeof cred === 'string' && credentialsSupported ? Object.values(credentialsSupported) : (cred as CredentialSupported),
+      )
+      .filter((cred) => !!cred)
+      .map((cred) => {
+        return {
+          ...cred,
+          type: 'openid_credential',
+          locations: [endpointMetadata.issuer],
+
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore
+          format: cred!.format,
+        } satisfies AuthorizationDetails;
+      });
+    if (!authorizationDetails || authorizationDetails.length === 0) {
+      throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
+    }
+  }
+  if (!endpointMetadata?.authorization_endpoint) {
+    throw Error('Server metadata does not contain authorization endpoint');
+  }
+  const parEndpoint = endpointMetadata.credentialIssuerMetadata?.pushed_authorization_request_endpoint;
+
+  // add 'openid' scope if not present
+  if (!scope?.includes('openid')) {
+    scope = ['openid', scope].filter((s) => !!s).join(' ');
+  }
+
+  let queryObj: { [key: string]: string } | PushedAuthorizationResponse = {
+    response_type: ResponseType.AUTH_CODE,
+    ...(!pkce.disabled && {
+      code_challenge_method: pkce.codeChallengeMethod ?? CodeChallengeMethod.S256,
+      code_challenge: pkce.codeChallenge,
+    }),
+    authorization_details: JSON.stringify(handleAuthorizationDetailsV1_0_11(endpointMetadata, authorizationDetails)),
+    ...(redirectUri && { redirect_uri: redirectUri }),
+    ...(clientId && { client_id: clientId }),
+    ...(credentialOffer?.issuerState && { issuer_state: credentialOffer.issuerState }),
+    scope,
+  };
+
+  if (!parEndpoint && parMode === PARMode.REQUIRE) {
+    throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
+  } else if (parEndpoint && parMode !== PARMode.NEVER) {
+    debug(`USING PAR with endpoint ${parEndpoint}`);
+    const parResponse = await formPost<PushedAuthorizationResponse>(
+      parEndpoint,
+      convertJsonToURI(queryObj, {
+        mode: JsonURIMode.X_FORM_WWW_URLENCODED,
+        uriTypeProperties: ['client_id', 'request_uri', 'redirect_uri', 'scope', 'authorization_details', 'issuer_state'],
+      }),
+      { contentType: 'application/x-www-form-urlencoded', accept: 'application/json' },
+    );
+    if (parResponse.errorBody || !parResponse.successBody) {
+      console.log(JSON.stringify(parResponse.errorBody));
+      console.log('Falling back to regular request URI, since PAR failed');
+      if (parMode === PARMode.REQUIRE) {
+        throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
+      }
+    } else {
+      debug(`PAR response: ${(parResponse.successBody, null, 2)}`);
+      queryObj = { request_uri: parResponse.successBody.request_uri };
+    }
+  }
+
+  debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
+  const url = convertJsonToURI(queryObj, {
+    baseUrl: endpointMetadata.authorization_endpoint,
+    uriTypeProperties: ['client_id', 'request_uri', 'redirect_uri', 'scope', 'authorization_details', 'issuer_state'],
+    // arrayTypeProperties: ['authorization_details'],
+    mode: JsonURIMode.X_FORM_WWW_URLENCODED,
+    // We do not add the version here, as this always needs to be form encoded
+  });
+  debug(`Authorization Request URL: ${url}`);
+  return url;
+};
+
+const handleAuthorizationDetailsV1_0_11 = (
+  endpointMetadata: EndpointMetadataResultV1_0_11,
+  authorizationDetails?: AuthorizationDetails | AuthorizationDetails[],
+): AuthorizationDetails | AuthorizationDetails[] | undefined => {
+  if (authorizationDetails) {
+    if (typeof authorizationDetails === 'string') {
+      // backwards compat for older versions of the lib
+      return authorizationDetails;
+    }
+    if (Array.isArray(authorizationDetails)) {
+      return authorizationDetails
+        .filter((value) => typeof value !== 'string')
+        .map((value) => handleLocations(endpointMetadata, typeof value === 'string' ? value : { ...value }));
+    } else {
+      return handleLocations(endpointMetadata, { ...authorizationDetails });
+    }
+  }
+  return authorizationDetails;
+};
+
+const handleLocations = (endpointMetadata: EndpointMetadataResultV1_0_11, authorizationDetails: AuthorizationDetails) => {
+  if (typeof authorizationDetails === 'string') {
+    // backwards compat for older versions of the lib
+    return authorizationDetails;
+  }
+  if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {
+    if (authorizationDetails.locations) {
+      if (Array.isArray(authorizationDetails.locations)) {
+        authorizationDetails.locations.push(endpointMetadata.issuer);
+      } else {
+        authorizationDetails.locations = [authorizationDetails.locations as string, endpointMetadata.issuer];
+      }
+    } else {
+      authorizationDetails.locations = [endpointMetadata.issuer];
+    }
+  }
+  return authorizationDetails;
+};