@sphereon/oid4vci-client 0.10.4-unstable.98 → 0.12.0

package/lib/CredentialOfferClientV1_0_13.ts

@@ -0,0 +1,103 @@
+import {
+  convertJsonToURI,
+  convertURIToJsonObject,
+  CredentialOfferRequestWithBaseUrl,
+  CredentialOfferV1_0_13,
+  determineSpecVersionFromURI,
+  getClientIdFromCredentialOfferPayload,
+  OpenId4VCIVersion,
+  toUniformCredentialOfferRequest,
+} from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+const debug = Debug('sphereon:oid4vci:offer');
+
+export class CredentialOfferClientV1_0_13 {
+  public static async fromURI(uri: string, opts?: { resolve?: boolean }): Promise<CredentialOfferRequestWithBaseUrl> {
+    debug(`Credential Offer URI: ${uri}`);
+    if (!uri.includes('?') || !uri.includes('://')) {
+      debug(`Invalid Credential Offer URI: ${uri}`);
+      throw Error(`Invalid Credential Offer Request`);
+    }
+    const scheme = uri.split('://')[0];
+    const baseUrl = uri.split('?')[0];
+    const version = determineSpecVersionFromURI(uri);
+    const credentialOffer = convertURIToJsonObject(uri, {
+      // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
+      arrayTypeProperties: uri.includes('credential_offer_uri=')
+        ? ['credential_configuration_ids', 'credential_offer_uri=']
+        : ['credential_configuration_ids', 'credential_offer='],
+      requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
+    }) as CredentialOfferV1_0_13;
+    if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
+      throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
+    }
+
+    const request = await toUniformCredentialOfferRequest(credentialOffer, {
+      ...opts,
+      version,
+    });
+    const clientId = getClientIdFromCredentialOfferPayload(request.credential_offer);
+    const grants = request.credential_offer?.grants;
+
+    return {
+      scheme,
+      baseUrl,
+      ...(clientId && { clientId }),
+      ...request,
+      ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
+      ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
+        preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
+      }),
+      userPinRequired: !!request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code ?? false,
+      ...(request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code &&
+        {
+          // txCode: request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code,
+        }),
+    };
+  }
+
+  public static toURI(
+    requestWithBaseUrl: CredentialOfferRequestWithBaseUrl,
+    opts?: {
+      version?: OpenId4VCIVersion;
+    },
+  ): string {
+    debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
+    const version = opts?.version ?? requestWithBaseUrl.version;
+    let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme)
+      ? requestWithBaseUrl.baseUrl
+      : `${requestWithBaseUrl.scheme.replace('://', '')}://${requestWithBaseUrl.baseUrl}`;
+    let param: string | undefined;
+
+    const isUri = requestWithBaseUrl.credential_offer_uri !== undefined;
+
+    if (version.valueOf() >= OpenId4VCIVersion.VER_1_0_11.valueOf()) {
+      // v11 changed from encoding every param to a encoded json object with a credential_offer param key
+      if (!baseUrl.includes('?')) {
+        param = isUri ? 'credential_offer_uri' : 'credential_offer';
+      } else {
+        const split = baseUrl.split('?');
+        if (split.length > 1 && split[1] !== '') {
+          if (baseUrl.endsWith('&')) {
+            param = isUri ? 'credential_offer_uri' : 'credential_offer';
+          } else if (!baseUrl.endsWith('=')) {
+            baseUrl += `&`;
+            param = isUri ? 'credential_offer_uri' : 'credential_offer';
+          }
+        }
+      }
+    }
+    return convertJsonToURI(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
+      baseUrl,
+      arrayTypeProperties: isUri ? [] : ['credential_type'],
+      uriTypeProperties: isUri
+        ? ['credential_offer_uri']
+        : version >= OpenId4VCIVersion.VER_1_0_13
+          ? ['credential_issuer', 'credential_type']
+          : ['issuer', 'credential_type'],
+      param,
+      version,
+    });
+  }
+}

package/lib/CredentialRequestClient.ts

@@ -108,7 +108,7 @@ export class CredentialRequestClient {
     uniformRequest: UniformCredentialRequest,
   ): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
     if (this.version() < OpenId4VCIVersion.VER_1_0_13) {
-      throw new Error('Versions below v1.0.13 (draft 13) are not supported.');
+      throw new Error('Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.');
     }
     const request: CredentialRequestV1_0_13 = getCredentialRequestForVersion(uniformRequest, this.version()) as CredentialRequestV1_0_13;
     const credentialEndpoint: string = this.credentialRequestOpts.credentialEndpoint;

package/lib/CredentialRequestClientBuilderV1_0_11.ts

@@ -6,6 +6,7 @@ import {
   CredentialOfferRequestWithBaseUrl,
   determineSpecVersionFromOffer,
   EndpointMetadata,
+  ExperimentalSubjectIssuance,
   getIssuerFromCredentialOfferPayload,
   getTypesFromOfferV1_0_11,
   OID4VCICredentialFormat,
@@ -26,6 +27,7 @@ export class CredentialRequestClientBuilderV1_0_11 {
   format?: CredentialFormat | OID4VCICredentialFormat;
   token?: string;
   version?: OpenId4VCIVersion;
+  subjectIssuance?: ExperimentalSubjectIssuance;
 
   public static fromCredentialIssuer({
     credentialIssuer,
@@ -132,6 +134,11 @@ export class CredentialRequestClientBuilderV1_0_11 {
     return this;
   }
 
+  public withSubjectIssuance(subjectIssuance: ExperimentalSubjectIssuance): this {
+    this.subjectIssuance = subjectIssuance;
+    return this;
+  }
+
   public withToken(accessToken: string): this {
     this.token = accessToken;
     return this;

package/lib/CredentialRequestClientV1_0_11.ts

@@ -64,14 +64,16 @@ export class CredentialRequestClientV1_0_11 {
     credentialTypes?: string | string[];
     context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
-  }): Promise<OpenIDResponse<CredentialResponse>> {
+  }): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
     const { credentialTypes, proofInput, format, context } = opts;
 
     const request = await this.createCredentialRequest({ proofInput, credentialTypes, context, format, version: this.version() });
     return await this.acquireCredentialsUsingRequest(request);
   }
 
-  public async acquireCredentialsUsingRequest(uniformRequest: UniformCredentialRequest): Promise<OpenIDResponse<CredentialResponse>> {
+  public async acquireCredentialsUsingRequest(
+    uniformRequest: UniformCredentialRequest,
+  ): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
     const request = getCredentialRequestForVersion(uniformRequest, this.version());
     const credentialEndpoint: string = this.credentialRequestOpts.credentialEndpoint;
     if (!isValidURL(credentialEndpoint)) {
@@ -81,11 +83,14 @@ export class CredentialRequestClientV1_0_11 {
     debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
     debug(`request\n: ${JSON.stringify(request, null, 2)}`);
     const requestToken: string = this.credentialRequestOpts.token;
-    let response: OpenIDResponse<CredentialResponse> = await post(credentialEndpoint, JSON.stringify(request), { bearerToken: requestToken });
+    let response = (await post(credentialEndpoint, JSON.stringify(request), { bearerToken: requestToken })) as OpenIDResponse<CredentialResponse> & {
+      access_token: string;
+    };
     this._isDeferred = isDeferredCredentialResponse(response);
     if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
       response = await this.acquireDeferredCredential(response.successBody, { bearerToken: this.credentialRequestOpts.token });
     }
+    response.access_token = requestToken;
 
     debug(`Credential endpoint ${credentialEndpoint} response:\r\n${JSON.stringify(response, null, 2)}`);
     return response;
@@ -96,7 +101,7 @@ export class CredentialRequestClientV1_0_11 {
     opts?: {
       bearerToken?: string;
     },
-  ): Promise<OpenIDResponse<CredentialResponse>> {
+  ): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
     const transactionId = response.transaction_id;
     const bearerToken = response.acceptance_token ?? opts?.bearerToken;
     const deferredCredentialEndpoint = this.getDeferredCredentialEndpoint();

package/lib/MetadataClient.ts

@@ -1,17 +1,24 @@
 import {
   AuthorizationServerMetadata,
   AuthorizationServerType,
+  CredentialIssuerMetadataV1_0_11,
   CredentialIssuerMetadataV1_0_13,
+  CredentialOfferPayload,
   CredentialOfferPayloadV1_0_13,
   CredentialOfferRequestWithBaseUrl,
+  determineSpecVersionFromOffer,
+  EndpointMetadataResultV1_0_11,
   EndpointMetadataResultV1_0_13,
   getIssuerFromCredentialOfferPayload,
-  IssuerMetadataV1_0_13,
+  IssuerMetadataV1_0_08,
+  OpenId4VCIVersion,
   OpenIDResponse,
   WellKnownEndpoints,
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
 
+import { MetadataClientV1_0_11 } from './MetadataClientV1_0_11';
+import { MetadataClientV1_0_13 } from './MetadataClientV1_0_13';
 import { retrieveWellknown } from './functions/OpenIDUtils';
 
 const debug = Debug('sphereon:oid4vci:metadata');
@@ -24,18 +31,28 @@ export class MetadataClient {
    */
   public static async retrieveAllMetadataFromCredentialOffer(
     credentialOffer: CredentialOfferRequestWithBaseUrl,
-  ): Promise<EndpointMetadataResultV1_0_13> {
-    return MetadataClient.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer as CredentialOfferPayloadV1_0_13);
+  ): Promise<EndpointMetadataResultV1_0_13 | EndpointMetadataResultV1_0_11> {
+    if (determineSpecVersionFromOffer(credentialOffer.credential_offer) >= OpenId4VCIVersion.VER_1_0_13) {
+      return await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(credentialOffer);
+    } else {
+      return await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(credentialOffer);
+    }
   }
 
   /**
    * Retrieve the metada using the initiation request obtained from a previous step
    * @param request
    */
-  public static async retrieveAllMetadataFromCredentialOfferRequest(request: CredentialOfferPayloadV1_0_13): Promise<EndpointMetadataResultV1_0_13> {
+  public static async retrieveAllMetadataFromCredentialOfferRequest(
+    request: CredentialOfferPayload,
+  ): Promise<EndpointMetadataResultV1_0_13 | EndpointMetadataResultV1_0_11> {
     const issuer = getIssuerFromCredentialOfferPayload(request);
     if (issuer) {
-      return MetadataClient.retrieveAllMetadata(issuer);
+      if (determineSpecVersionFromOffer(request) >= OpenId4VCIVersion.VER_1_0_13) {
+        return MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(request as CredentialOfferPayloadV1_0_13);
+      } else {
+        return MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(request);
+      }
     }
     throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
   }
@@ -45,24 +62,33 @@ export class MetadataClient {
    * @param issuer The issuer URL
    * @param opts
    */
-  public static async retrieveAllMetadata(issuer: string, opts?: { errorOnNotFound: boolean }): Promise<EndpointMetadataResultV1_0_13> {
+  public static async retrieveAllMetadata(
+    issuer: string,
+    opts?: { errorOnNotFound: boolean },
+  ): Promise<EndpointMetadataResultV1_0_13 | EndpointMetadataResultV1_0_11> {
     let token_endpoint: string | undefined;
     let credential_endpoint: string | undefined;
     let deferred_credential_endpoint: string | undefined;
     let authorization_endpoint: string | undefined;
     let authorizationServerType: AuthorizationServerType = 'OID4VCI';
-    let authorization_servers: string[] = [issuer];
+    let authorization_servers: string[] | undefined = [issuer];
+    let authorization_server: string | undefined = undefined;
     const oid4vciResponse = await MetadataClient.retrieveOpenID4VCIServerMetadata(issuer, { errorOnNotFound: false }); // We will handle errors later, given we will also try other metadata locations
     let credentialIssuerMetadata = oid4vciResponse?.successBody;
     if (credentialIssuerMetadata) {
       debug(`Issuer ${issuer} OID4VCI well-known server metadata\r\n${JSON.stringify(credentialIssuerMetadata)}`);
       credential_endpoint = credentialIssuerMetadata.credential_endpoint;
-      deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
+      deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint
+        ? (credentialIssuerMetadata.deferred_credential_endpoint as string)
+        : undefined;
       if (credentialIssuerMetadata.token_endpoint) {
         token_endpoint = credentialIssuerMetadata.token_endpoint;
       }
       if (credentialIssuerMetadata.authorization_servers) {
-        authorization_servers = credentialIssuerMetadata.authorization_servers;
+        authorization_servers = credentialIssuerMetadata.authorization_servers as string[];
+      } else if (credentialIssuerMetadata.authorization_server) {
+        authorization_server = credentialIssuerMetadata.authorization_server as string;
+        authorization_servers = [authorization_server];
       }
     }
     // No specific OID4VCI endpoint. Either can be an OAuth2 AS or an OIDC IDP. Let's start with OIDC first
@@ -154,7 +180,9 @@ export class MetadataClient {
 
     if (!credentialIssuerMetadata && authMetadata) {
       // Apparently everything worked out and the issuer is exposing everything in oAuth2/OIDC well-knowns. Spec is vague about this situation, but we can support it
-      credentialIssuerMetadata = authMetadata as CredentialIssuerMetadataV1_0_13;
+      credentialIssuerMetadata = authorization_server
+        ? (authMetadata as CredentialIssuerMetadataV1_0_11)
+        : (authMetadata as CredentialIssuerMetadataV1_0_13);
     }
     debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
     return {
@@ -162,12 +190,14 @@ export class MetadataClient {
       token_endpoint,
       credential_endpoint,
       deferred_credential_endpoint,
-      authorization_server: authorization_servers[0],
+      ...(authorization_server ? { authorization_server } : { authorization_servers: authorization_servers }),
       authorization_endpoint,
       authorizationServerType,
-      credentialIssuerMetadata: credentialIssuerMetadata,
+      credentialIssuerMetadata: authorization_server
+        ? (credentialIssuerMetadata as IssuerMetadataV1_0_08 & Partial<AuthorizationServerMetadata>)
+        : (credentialIssuerMetadata as CredentialIssuerMetadataV1_0_13),
       authorizationServerMetadata: authMetadata,
-    };
+    } as EndpointMetadataResultV1_0_13 | EndpointMetadataResultV1_0_11;
   }
 
   /**
@@ -180,7 +210,12 @@ export class MetadataClient {
     opts?: {
       errorOnNotFound?: boolean;
     },
-  ): Promise<OpenIDResponse<IssuerMetadataV1_0_13> | undefined> {
+  ): Promise<
+    | OpenIDResponse<
+        CredentialIssuerMetadataV1_0_11 | CredentialIssuerMetadataV1_0_13 | (IssuerMetadataV1_0_08 & Partial<AuthorizationServerMetadata>)
+      >
+    | undefined
+  > {
     return retrieveWellknown(issuerHost, WellKnownEndpoints.OPENID4VCI_ISSUER, {
       errorOnNotFound: opts?.errorOnNotFound === undefined ? true : opts.errorOnNotFound,
     });

package/lib/MetadataClientV1_0_13.ts

@@ -0,0 +1,188 @@
+import {
+  AuthorizationServerMetadata,
+  AuthorizationServerType,
+  CredentialIssuerMetadataV1_0_13,
+  CredentialOfferPayloadV1_0_13,
+  CredentialOfferRequestWithBaseUrl,
+  EndpointMetadataResultV1_0_13,
+  getIssuerFromCredentialOfferPayload,
+  IssuerMetadataV1_0_13,
+  OpenIDResponse,
+  WellKnownEndpoints,
+} from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+import { retrieveWellknown } from './functions/OpenIDUtils';
+
+const debug = Debug('sphereon:oid4vci:metadata');
+
+export class MetadataClientV1_0_13 {
+  /**
+   * Retrieve metadata using the Initiation obtained from a previous step
+   *
+   * @param credentialOffer
+   */
+  public static async retrieveAllMetadataFromCredentialOffer(
+    credentialOffer: CredentialOfferRequestWithBaseUrl,
+  ): Promise<EndpointMetadataResultV1_0_13> {
+    return MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer as CredentialOfferPayloadV1_0_13);
+  }
+
+  /**
+   * Retrieve the metada using the initiation request obtained from a previous step
+   * @param request
+   */
+  public static async retrieveAllMetadataFromCredentialOfferRequest(request: CredentialOfferPayloadV1_0_13): Promise<EndpointMetadataResultV1_0_13> {
+    const issuer = getIssuerFromCredentialOfferPayload(request);
+    if (issuer) {
+      return MetadataClientV1_0_13.retrieveAllMetadata(issuer);
+    }
+    throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
+  }
+
+  /**
+   * Retrieve all metadata from an issuer
+   * @param issuer The issuer URL
+   * @param opts
+   */
+  public static async retrieveAllMetadata(issuer: string, opts?: { errorOnNotFound: boolean }): Promise<EndpointMetadataResultV1_0_13> {
+    let token_endpoint: string | undefined;
+    let credential_endpoint: string | undefined;
+    let deferred_credential_endpoint: string | undefined;
+    let authorization_endpoint: string | undefined;
+    let authorizationServerType: AuthorizationServerType = 'OID4VCI';
+    let authorization_servers: string[] = [issuer];
+    const oid4vciResponse = await MetadataClientV1_0_13.retrieveOpenID4VCIServerMetadata(issuer, { errorOnNotFound: false }); // We will handle errors later, given we will also try other metadata locations
+    let credentialIssuerMetadata = oid4vciResponse?.successBody;
+    if (credentialIssuerMetadata) {
+      debug(`Issuer ${issuer} OID4VCI well-known server metadata\r\n${JSON.stringify(credentialIssuerMetadata)}`);
+      credential_endpoint = credentialIssuerMetadata.credential_endpoint;
+      deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
+      if (credentialIssuerMetadata.token_endpoint) {
+        token_endpoint = credentialIssuerMetadata.token_endpoint;
+      }
+      if (credentialIssuerMetadata.authorization_servers) {
+        authorization_servers = credentialIssuerMetadata.authorization_servers;
+      }
+    }
+    // No specific OID4VCI endpoint. Either can be an OAuth2 AS or an OIDC IDP. Let's start with OIDC first
+    // TODO: for now we're taking just the first one
+    let response: OpenIDResponse<AuthorizationServerMetadata> = await retrieveWellknown(
+      authorization_servers[0],
+      WellKnownEndpoints.OPENID_CONFIGURATION,
+      {
+        errorOnNotFound: false,
+      },
+    );
+    let authMetadata = response.successBody;
+    if (authMetadata) {
+      debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
+      authorizationServerType = 'OIDC';
+    } else {
+      // Now let's do OAuth2
+      // TODO: for now we're taking just the first one
+      response = await retrieveWellknown(authorization_servers[0], WellKnownEndpoints.OAUTH_AS, { errorOnNotFound: false });
+      authMetadata = response.successBody;
+    }
+    if (!authMetadata) {
+      // We will always throw an error, no matter whether the user provided the option not to, because this is bad.
+      if (!authorization_servers.includes(issuer)) {
+        throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
+      }
+    } else {
+      if (!authorizationServerType) {
+        authorizationServerType = 'OAuth 2.0';
+      }
+      debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
+      if (!authMetadata.authorization_endpoint) {
+        console.warn(
+          `Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`,
+        );
+      } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
+        throw Error(
+          `Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`,
+        );
+      }
+      authorization_endpoint = authMetadata.authorization_endpoint;
+      if (!authMetadata.token_endpoint) {
+        throw Error(`Authorization Sever ${authorization_servers} did not provide a token_endpoint`);
+      } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
+        throw Error(
+          `Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`,
+        );
+      }
+      token_endpoint = authMetadata.token_endpoint;
+      if (authMetadata.credential_endpoint) {
+        if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
+          debug(
+            `Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`,
+          );
+        } else {
+          credential_endpoint = authMetadata.credential_endpoint;
+        }
+      }
+      if (authMetadata.deferred_credential_endpoint) {
+        if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
+          debug(
+            `Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`,
+          );
+        } else {
+          deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
+        }
+      }
+    }
+
+    if (!authorization_endpoint) {
+      debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
+    }
+    if (!token_endpoint) {
+      debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
+      if (opts?.errorOnNotFound) {
+        throw Error(`Could not deduce the token_endpoint for ${issuer}`);
+      } else {
+        token_endpoint = `${issuer}${issuer.endsWith('/') ? 'token' : '/token'}`;
+      }
+    }
+    if (!credential_endpoint) {
+      debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
+      if (opts?.errorOnNotFound) {
+        throw Error(`Could not deduce the credential endpoint for ${issuer}`);
+      } else {
+        credential_endpoint = `${issuer}${issuer.endsWith('/') ? 'credential' : '/credential'}`;
+      }
+    }
+
+    if (!credentialIssuerMetadata && authMetadata) {
+      // Apparently everything worked out and the issuer is exposing everything in oAuth2/OIDC well-knowns. Spec is vague about this situation, but we can support it
+      credentialIssuerMetadata = authMetadata as CredentialIssuerMetadataV1_0_13;
+    }
+    debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
+    return {
+      issuer,
+      token_endpoint,
+      credential_endpoint,
+      deferred_credential_endpoint,
+      authorization_server: authorization_servers[0],
+      authorization_endpoint,
+      authorizationServerType,
+      credentialIssuerMetadata: credentialIssuerMetadata,
+      authorizationServerMetadata: authMetadata,
+    };
+  }
+
+  /**
+   * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
+   *
+   * @param issuerHost The issuer hostname
+   */
+  public static async retrieveOpenID4VCIServerMetadata(
+    issuerHost: string,
+    opts?: {
+      errorOnNotFound?: boolean;
+    },
+  ): Promise<OpenIDResponse<IssuerMetadataV1_0_13> | undefined> {
+    return retrieveWellknown(issuerHost, WellKnownEndpoints.OPENID4VCI_ISSUER, {
+      errorOnNotFound: opts?.errorOnNotFound === undefined ? true : opts.errorOnNotFound,
+    });
+  }
+}