@sphereon/oid4vci-client 0.10.4-unstable.98 → 0.12.0

package/lib/OpenID4VCIClient.ts

@@ -5,17 +5,23 @@ import {
   AuthorizationResponse,
   AuthzFlowType,
   CodeChallengeMethod,
+  CredentialConfigurationSupported,
   CredentialConfigurationSupportedV1_0_13,
-  CredentialOfferPayloadV1_0_13,
+  CredentialOfferPayloadV1_0_08,
+  CredentialOfferPayloadV1_0_11,
   CredentialOfferRequestWithBaseUrl,
   CredentialResponse,
+  CredentialsSupportedLegacy,
   DefaultURISchemes,
+  determineVersionsFromIssuerMetadata,
+  EndpointMetadataResultV1_0_11,
   EndpointMetadataResultV1_0_13,
   ExperimentalSubjectIssuance,
   getClientIdFromCredentialOfferPayload,
   getIssuerFromCredentialOfferPayload,
   getSupportedCredentials,
   getTypesFromCredentialSupported,
+  getTypesFromObject,
   JWK,
   KID_JWK_X5C_ERROR,
   NotificationRequest,
@@ -30,32 +36,24 @@ import { CredentialFormat } from '@sphereon/ssi-types';
 import Debug from 'debug';
 
 import { AccessTokenClient } from './AccessTokenClient';
+import { AccessTokenClientV1_0_11 } from './AccessTokenClientV1_0_11';
 import { createAuthorizationRequestUrl } from './AuthorizationCodeClient';
+import { createAuthorizationRequestUrlV1_0_11 } from './AuthorizationCodeClientV1_0_11';
 import { CredentialOfferClient } from './CredentialOfferClient';
 import { CredentialRequestOpts } from './CredentialRequestClient';
 import { CredentialRequestClientBuilder } from './CredentialRequestClientBuilder';
+import { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11';
 import { MetadataClient } from './MetadataClient';
+import { OpenID4VCIClientStateV1_0_11 } from './OpenID4VCIClientV1_0_11';
+import { OpenID4VCIClientStateV1_0_13 } from './OpenID4VCIClientV1_0_13';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
-import { generateMissingPKCEOpts } from './functions/AuthorizationUtil';
-import { sendNotification } from './functions/notifications';
+import { generateMissingPKCEOpts, sendNotification } from './functions';
 
 const debug = Debug('sphereon:oid4vci');
 
-export interface OpenID4VCIClientState {
-  credentialIssuer: string;
-  credentialOffer?: CredentialOfferRequestWithBaseUrl;
-  clientId?: string;
-  kid?: string;
-  jwk?: JWK;
-  alg?: Alg | string;
-  endpointMetadata?: EndpointMetadataResultV1_0_13;
-  accessTokenResponse?: AccessTokenResponse;
-  authorizationRequestOpts?: AuthorizationRequestOpts;
-  authorizationCodeResponse?: AuthorizationResponse;
-  pkce: PKCEOpts;
-  accessToken?: string;
-  authorizationURL?: string;
-}
+export type OpenID4VCIClientState = OpenID4VCIClientStateV1_0_11 | OpenID4VCIClientStateV1_0_13;
+
+export type EndpointMetadataResult = EndpointMetadataResultV1_0_11 | EndpointMetadataResultV1_0_13;
 
 export class OpenID4VCIClient {
   private readonly _state: OpenID4VCIClientState;
@@ -85,7 +83,7 @@ export class OpenID4VCIClient {
     authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
     jwk?: JWK;
     accessToken?: string;
-    endpointMetadata?: EndpointMetadataResultV1_0_13;
+    endpointMetadata?: EndpointMetadataResult;
     accessTokenResponse?: AccessTokenResponse;
     authorizationRequestOpts?: AuthorizationRequestOpts;
     authorizationCodeResponse?: AuthorizationResponse;
@@ -105,12 +103,13 @@ export class OpenID4VCIClient {
       pkce: { disabled: false, codeChallengeMethod: CodeChallengeMethod.S256, ...pkce },
       authorizationRequestOpts,
       authorizationCodeResponse,
-      accessToken,
       jwk,
-      endpointMetadata,
+      endpointMetadata: endpointMetadata?.credentialIssuerMetadata?.authorization_server
+        ? (endpointMetadata as EndpointMetadataResultV1_0_11)
+        : (endpointMetadata as EndpointMetadataResultV1_0_13 | undefined),
       accessTokenResponse,
       authorizationURL,
-    };
+    } as OpenID4VCIClientState;
     // Running syncAuthorizationRequestOpts later as it is using the state
     if (!this._state.authorizationRequestOpts) {
       this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
@@ -227,19 +226,28 @@ export class OpenID4VCIClient {
       ) {
         this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint as string;
       }
-      this._state.authorizationURL = await createAuthorizationRequestUrl({
-        pkce: this._state.pkce,
-        endpointMetadata: this.endpointMetadata,
-        authorizationRequest: this._state.authorizationRequestOpts,
-        credentialOffer: this.credentialOffer,
-        credentialConfigurationSupported: this.getCredentialsSupported(),
-        version: this.version(),
-      });
+      if (this.version() <= OpenId4VCIVersion.VER_1_0_11) {
+        this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
+          pkce: this._state.pkce,
+          endpointMetadata: this.endpointMetadata as EndpointMetadataResultV1_0_11,
+          authorizationRequest: this._state.authorizationRequestOpts,
+          credentialOffer: this.credentialOffer,
+          credentialsSupported: Object.values(this.getCredentialsSupported(true)) as CredentialsSupportedLegacy[],
+        });
+      } else {
+        this._state.authorizationURL = await createAuthorizationRequestUrl({
+          pkce: this._state.pkce,
+          endpointMetadata: this.endpointMetadata as EndpointMetadataResultV1_0_13,
+          authorizationRequest: this._state.authorizationRequestOpts,
+          credentialOffer: this.credentialOffer,
+          credentialConfigurationSupported: this.getCredentialsSupported(false) as Record<string, CredentialConfigurationSupportedV1_0_13>,
+        });
+      }
     }
     return this._state.authorizationURL;
   }
 
-  public async retrieveServerMetadata(): Promise<EndpointMetadataResultV1_0_13> {
+  public async retrieveServerMetadata(): Promise<EndpointMetadataResult> {
     this.assertIssuerData();
     if (!this._state.endpointMetadata) {
       if (this.credentialOffer) {
@@ -284,7 +292,7 @@ export class OpenID4VCIClient {
       this._state.clientId = clientId;
     }
     if (!this._state.accessTokenResponse) {
-      const accessTokenClient = new AccessTokenClient();
+      const accessTokenClient = this.version() <= OpenId4VCIVersion.VER_1_0_12 ? new AccessTokenClientV1_0_11() : new AccessTokenClient();
 
       if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
         console.log(
@@ -294,6 +302,7 @@ export class OpenID4VCIClient {
       if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
         redirectUri = this._state.authorizationRequestOpts.redirectUri;
       }
+
       const response = await accessTokenClient.acquireAccessToken({
         credentialOffer: this.credentialOffer,
         metadata: this.endpointMetadata,
@@ -328,7 +337,6 @@ export class OpenID4VCIClient {
   }
 
   public async acquireCredentials({
-    credentialIdentifier,
     credentialTypes,
     context,
     proofCallbacks,
@@ -340,8 +348,7 @@ export class OpenID4VCIClient {
     deferredCredentialAwait,
     deferredCredentialIntervalInMS,
   }: {
-    credentialIdentifier?: string;
-    credentialTypes?: string | string[];
+    credentialTypes: string | string[];
     context?: string[];
     proofCallbacks: ProofOfPossessionCallbacks<any>;
     format?: CredentialFormat | OID4VCICredentialFormat;
@@ -361,38 +368,41 @@ export class OpenID4VCIClient {
     if (jwk) this._state.jwk = jwk;
     if (kid) this._state.kid = kid;
 
-    const requestBuilder = this.credentialOffer
-      ? CredentialRequestClientBuilder.fromCredentialOffer({
-          credentialOffer: this.credentialOffer,
-          metadata: this.endpointMetadata,
-        })
-      : CredentialRequestClientBuilder.fromCredentialIssuer({
-          credentialIssuer: this.getIssuer(),
-          credentialIdentifier: credentialIdentifier,
-          metadata: this.endpointMetadata,
-          version: this.version(),
-        });
+    let requestBuilder: CredentialRequestClientBuilder | CredentialRequestClientBuilderV1_0_11;
+    if (this.version() < OpenId4VCIVersion.VER_1_0_13) {
+      requestBuilder = this.credentialOffer
+        ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
+            credentialOffer: this.credentialOffer,
+            metadata: this.endpointMetadata,
+          })
+        : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
+            credentialIssuer: this.getIssuer(),
+            credentialTypes,
+            metadata: this.endpointMetadata,
+            version: this.version(),
+          });
+    } else {
+      requestBuilder = this.credentialOffer
+        ? CredentialRequestClientBuilder.fromCredentialOffer({
+            credentialOffer: this.credentialOffer,
+            metadata: this.endpointMetadata,
+          })
+        : CredentialRequestClientBuilder.fromCredentialIssuer({
+            credentialIssuer: this.getIssuer(),
+            credentialTypes,
+            metadata: this.endpointMetadata,
+            version: this.version(),
+          });
+    }
 
     requestBuilder.withTokenFromResponse(this.accessTokenResponse);
     requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
     let subjectIssuance: ExperimentalSubjectIssuance | undefined;
     if (this.endpointMetadata?.credentialIssuerMetadata) {
       const metadata = this.endpointMetadata.credentialIssuerMetadata;
-      const types = credentialTypes ? (Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes]) : undefined;
+      const types = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes];
 
-      if (credentialIdentifier) {
-        if (typeof metadata.credential_configurations_supported !== 'object') {
-          throw Error(
-            `Credentials_supported should be an object, current ${typeof metadata.credential_configurations_supported} when credential_identifier is used`,
-          );
-        }
-        const credentialsSupported = metadata.credential_configurations_supported;
-        if (!metadata.credential_configurations_supported || !credentialsSupported[credentialIdentifier]) {
-          throw new Error(`Credential type ${credentialIdentifier} is not supported by issuer ${this.getIssuer()}`);
-        }
-      } else if (!types) {
-        throw Error(`If no credential_identifier is used, we expect types`);
-      } else if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
+      if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
         let typeSupported = false;
 
         metadata.credentials_supported.forEach((supportedCredential) => {
@@ -412,9 +422,9 @@ export class OpenID4VCIClient {
           console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
           // throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
-      } else if (metadata.credential_configurations_supported && !Array.isArray(metadata.credential_configurations_supported)) {
-        const credentialsSupported = metadata.credential_configurations_supported;
-        if (types.some((type) => !metadata.credential_configurations_supported || !credentialsSupported[type])) {
+      } else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
+        const credentialsSupported = metadata.credentials_supported;
+        if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
           throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
       }
@@ -448,7 +458,10 @@ export class OpenID4VCIClient {
     }
     const response = await credentialRequestClient.acquireCredentialsUsingProof({
       proofInput: proofBuilder,
-      ...(credentialIdentifier ? { credentialIdentifier, subjectIssuance } : { format, context, credentialTypes, subjectIssuance }),
+      credentialTypes,
+      context,
+      format,
+      subjectIssuance,
     });
     if (response.errorBody) {
       debug(`Credential request error:\r\n${JSON.stringify(response.errorBody)}`);
@@ -473,13 +486,14 @@ export class OpenID4VCIClient {
   }
 
   getCredentialsSupported(
+    restrictToInitiationTypes?: boolean,
     format?: (OID4VCICredentialFormat | string) | (OID4VCICredentialFormat | string)[],
-  ): Record<string, CredentialConfigurationSupportedV1_0_13> {
+  ): Record<string, CredentialConfigurationSupportedV1_0_13> | Array<CredentialConfigurationSupported> {
     return getSupportedCredentials({
       issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
       version: this.version(),
       format: format,
-      types: undefined,
+      types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : undefined,
     });
   }
 
@@ -491,34 +505,28 @@ export class OpenID4VCIClient {
     return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
   }
 
-  /* getCredentialOfferTypes(): string[][] {
+  getCredentialOfferTypes(): string[][] | undefined {
     if (!this.credentialOffer) {
       return [];
-    } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {
+    } else if (this.version() < OpenId4VCIVersion.VER_1_0_11) {
       const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08;
       const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type;
       const result: string[][] = [];
       result[0] = types;
       return result;
-    } else {
-      return this.credentialOffer.credential_offer.credentials.map((c) => {
-        if (typeof c === 'string') {
-          return [c];
-        } else if ('types' in c) {
-          return c.types;
-        } else if ('vct' in c) {
-          return [c.vct];
-        } else {
-          return c.credential_definition.types;
-        }
-      });
+    } else if (this.version() < OpenId4VCIVersion.VER_1_0_13) {
+      return (this.credentialOffer.credential_offer as CredentialOfferPayloadV1_0_11).credentials.map((c) => getTypesFromObject(c) ?? []);
     }
-  }*/
+    // we don't have this for v13. v13 only has credential_configuration_ids which is not translatable to type
+    return undefined;
+  }
 
   issuerSupportedFlowTypes(): AuthzFlowType[] {
     return (
       this.credentialOffer?.supportedFlows ??
-      (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [AuthzFlowType.AUTHORIZATION_CODE_FLOW] : [])
+      (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server
+        ? [AuthzFlowType.AUTHORIZATION_CODE_FLOW]
+        : [])
     );
   }
 
@@ -526,23 +534,33 @@ export class OpenID4VCIClient {
     return this.issuerSupportedFlowTypes().includes(flowType);
   }
 
-  public hasAuthorizationURL(): boolean {
-    return !!this.authorizationURL;
-  }
-
   get authorizationURL(): string | undefined {
     return this._state.authorizationURL;
   }
 
+  public hasAuthorizationURL(): boolean {
+    return !!this.authorizationURL;
+  }
+
   get credentialOffer(): CredentialOfferRequestWithBaseUrl | undefined {
     return this._state.credentialOffer;
   }
 
   public version(): OpenId4VCIVersion {
-    return this.credentialOffer?.version ?? OpenId4VCIVersion.VER_1_0_11;
+    if (this.credentialOffer?.version && this.credentialOffer.version !== OpenId4VCIVersion.VER_UNKNOWN) {
+      return this.credentialOffer.version;
+    }
+    const metadata = this._state.endpointMetadata;
+    if (metadata?.credentialIssuerMetadata) {
+      const versions = determineVersionsFromIssuerMetadata(metadata.credentialIssuerMetadata);
+      if (versions.length > 0 && !versions.includes(OpenId4VCIVersion.VER_UNKNOWN)) {
+        return versions[0];
+      }
+    }
+    return OpenId4VCIVersion.VER_1_0_13;
   }
 
-  public get endpointMetadata(): EndpointMetadataResultV1_0_13 {
+  public get endpointMetadata(): EndpointMetadataResult {
     this.assertServerMetadata();
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
     return this._state.endpointMetadata!;
@@ -589,8 +607,11 @@ export class OpenID4VCIClient {
 
   public getAccessTokenEndpoint(): string {
     this.assertIssuerData();
-    return this.endpointMetadata
-      ? this.endpointMetadata.token_endpoint
+    if (this.endpointMetadata) {
+      return this.endpointMetadata.token_endpoint;
+    }
+    return this.version() <= OpenId4VCIVersion.VER_1_0_12
+      ? AccessTokenClientV1_0_11.determineTokenURL({ issuerOpts: { issuer: this.getIssuer() } })
       : AccessTokenClient.determineTokenURL({ issuerOpts: { issuer: this.getIssuer() } });
   }
 
@@ -611,33 +632,23 @@ export class OpenID4VCIClient {
   /**
    * Too bad we need a method like this, but EBSI is not exposing metadata
    */
-  public isEBSI(): boolean {
-    const credentialOffer = this.credentialOffer?.credential_offer as CredentialOfferPayloadV1_0_13;
-
-    if (credentialOffer?.credential_configuration_ids) {
-      const credentialConfigurations = this.endpointMetadata.credentialIssuerMetadata?.credential_configurations_supported;
-
-      if (credentialConfigurations) {
-        const isEBSITrustFramework = credentialOffer.credential_configuration_ids
-          .map((id) => credentialConfigurations[id])
-          .filter(
-            (config): config is CredentialConfigurationSupportedV1_0_13 =>
-              // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-              // @ts-ignore
-              config !== undefined && 'trust_framework' in config && 'name' in config.trust_framework,
-          )
+  public isEBSI() {
+    if (
+      this.credentialOffer &&
+      (this.credentialOffer?.credential_offer as CredentialOfferPayloadV1_0_11)?.credentials?.find(
+        (cred) =>
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore
-          .some((config) => config.trust_framework.name.includes('ebsi'));
-
-        if (isEBSITrustFramework) {
-          return true;
-        }
-      }
+          typeof cred !== 'string' && 'trust_framework' in cred && 'name' in cred.trust_framework && cred.trust_framework.name.includes('ebsi'),
+      )
+    ) {
+      return true;
     }
-
-    this.assertIssuerData();
-    return this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') ?? false;
+    // this.assertIssuerData();
+    return (
+      this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') ||
+      this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes('ebsi.eu')
+    );
   }
 
   private assertIssuerData(): void {
@@ -661,7 +672,12 @@ export class OpenID4VCIClient {
   }
 
   private syncAuthorizationRequestOpts(opts?: AuthorizationRequestOpts): AuthorizationRequestOpts {
-    let authorizationRequestOpts = { ...this._state?.authorizationRequestOpts, ...opts } as AuthorizationRequestOpts;
+    const requestObjectOpts = { ...this._state?.authorizationRequestOpts?.requestObjectOpts, ...opts?.requestObjectOpts };
+    let authorizationRequestOpts = {
+      ...this._state?.authorizationRequestOpts,
+      ...opts,
+      ...(requestObjectOpts && { requestObjectOpts }),
+    } as AuthorizationRequestOpts;
     if (!authorizationRequestOpts) {
       // We only set a redirectUri if no options are provided.
       // Note that this only works for mobile apps, that can handle a code query param on the default openid-credential-offer deeplink.

package/lib/OpenID4VCIClientV1_0_11.ts

@@ -17,6 +17,7 @@ import {
   getIssuerFromCredentialOfferPayload,
   getSupportedCredentials,
   getTypesFromCredentialSupported,
+  getTypesFromObject,
   JWK,
   KID_JWK_X5C_ERROR,
   OID4VCICredentialFormat,
@@ -50,6 +51,7 @@ export interface OpenID4VCIClientStateV1_0_11 {
   authorizationRequestOpts?: AuthorizationRequestOpts;
   authorizationCodeResponse?: AuthorizationResponse;
   pkce: PKCEOpts;
+  accessToken?: string;
   authorizationURL?: string;
 }
 
@@ -212,7 +214,7 @@ export class OpenID4VCIClientV1_0_11 {
         throw Error(`No Authorization Request options present or provided in this call`);
       }
 
-      // todo: Probably can go with current logic in MetadataClient who will always set the authorization_endpoint when found
+      // todo: Probably can go with current logic in MetadataClientV1_0_13 who will always set the authorization_endpoint when found
       //  handling this because of the support for v1_0-08
       if (
         this._state.endpointMetadata?.credentialIssuerMetadata &&
@@ -459,15 +461,13 @@ export class OpenID4VCIClientV1_0_11 {
     }) as Record<string, CredentialConfigurationSupported>;
   }
 
-  getCredentialsSupported(
-    format?: (OID4VCICredentialFormat | string) | (OID4VCICredentialFormat | string)[],
-  ): Record<string, CredentialConfigurationSupported> {
+  getCredentialsSupported(format?: (OID4VCICredentialFormat | string) | (OID4VCICredentialFormat | string)[]): CredentialConfigurationSupported[] {
     return getSupportedCredentials({
       issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
       version: this.version(),
       format: format,
       types: undefined,
-    }) as Record<string, CredentialConfigurationSupported>;
+    }) as CredentialConfigurationSupported[];
   }
 
   getCredentialOfferTypes(): string[][] {
@@ -480,20 +480,10 @@ export class OpenID4VCIClientV1_0_11 {
       result[0] = types;
       return result;
     } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_13) {
-      return (this.credentialOffer.credential_offer as CredentialOfferPayloadV1_0_11).credentials.map((c) => {
-        if (typeof c === 'string') {
-          return [c];
-        } else if ('types' in c) {
-          return c.types;
-        } else if ('vct' in c) {
-          return [c.vct];
-        } else {
-          return c.credential_definition.types;
-        }
-      });
+      return (this.credentialOffer.credential_offer as CredentialOfferPayloadV1_0_11).credentials.map((c) => getTypesFromObject(c) ?? []);
     }
-    // we don't have this for v13. v13 only has credential_configuration_ids which is not translatable to type
-    return [];
+    // we don't support > V11
+    throw Error(`This class only supports version 11 and lower! Version: ${this.version()}`);
   }
 
   issuerSupportedFlowTypes(): AuthzFlowType[] {
@@ -605,7 +595,7 @@ export class OpenID4VCIClientV1_0_11 {
       return true;
     }
     this.assertIssuerData();
-    return this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu');
+    return this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') === true;
   }
 
   private assertIssuerData(): void {