@sphereon/oid4vci-client 0.12.1-next.2 → 0.12.1-next.22

package/lib/CredentialRequestClientBuilder.ts

@@ -1,12 +1,11 @@
 import {
   AccessTokenResponse,
+  CredentialIssuerMetadata,
   CredentialIssuerMetadataV1_0_13,
-  CredentialOfferPayloadV1_0_13,
   CredentialOfferRequestWithBaseUrl,
   determineSpecVersionFromOffer,
   EndpointMetadata,
   ExperimentalSubjectIssuance,
-  getIssuerFromCredentialOfferPayload,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   UniformCredentialOfferRequest,
@@ -14,19 +13,21 @@ import {
 import { CredentialFormat } from '@sphereon/ssi-types';
 
 import { CredentialOfferClient } from './CredentialOfferClient';
-import { CredentialRequestClient } from './CredentialRequestClient';
+import { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11';
+import { CredentialRequestClientBuilderV1_0_13 } from './CredentialRequestClientBuilderV1_0_13';
+
+type CredentialRequestClientBuilderVersionSpecific = CredentialRequestClientBuilderV1_0_11 | CredentialRequestClientBuilderV1_0_13;
+
+function isV1_0_13(builder: CredentialRequestClientBuilderVersionSpecific): builder is CredentialRequestClientBuilderV1_0_13 {
+  return (builder as CredentialRequestClientBuilderV1_0_13).withCredentialIdentifier !== undefined;
+}
 
 export class CredentialRequestClientBuilder {
-  credentialEndpoint?: string;
-  deferredCredentialEndpoint?: string;
-  deferredCredentialAwait = false;
-  deferredCredentialIntervalInMS = 5000;
-  credentialIdentifier?: string;
-  credentialTypes?: string[] = [];
-  format?: CredentialFormat | OID4VCICredentialFormat;
-  token?: string;
-  version?: OpenId4VCIVersion;
-  subjectIssuance?: ExperimentalSubjectIssuance;
+  private _builder: CredentialRequestClientBuilderVersionSpecific;
+
+  private constructor(builder: CredentialRequestClientBuilderVersionSpecific) {
+    this._builder = builder;
+  }
 
   public static fromCredentialIssuer({
     credentialIssuer,
@@ -41,25 +42,40 @@ export class CredentialRequestClientBuilder {
     credentialIdentifier?: string;
     credentialTypes?: string | string[];
   }): CredentialRequestClientBuilder {
-    const issuer = credentialIssuer;
-    const builder = new CredentialRequestClientBuilder();
-    builder.withVersion(version ?? OpenId4VCIVersion.VER_1_0_11);
-    builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith('/') ? `${issuer}credential` : `${issuer}/credential`));
-    if (metadata?.deferred_credential_endpoint) {
-      builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
-    }
-    if (credentialIdentifier) {
-      builder.withCredentialIdentifier(credentialIdentifier);
-    }
-    if (credentialTypes) {
-      builder.withCredentialType(credentialTypes);
+    const specVersion = version ?? OpenId4VCIVersion.VER_1_0_13;
+    let builder;
+
+    if (specVersion >= OpenId4VCIVersion.VER_1_0_13) {
+      builder = CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
+        credentialIssuer,
+        metadata,
+        version,
+        credentialIdentifier,
+        credentialTypes,
+      });
+    } else {
+      if (!credentialTypes || credentialTypes.length === 0) {
+        throw new Error('CredentialTypes must be provided for v1_0_11');
+      }
+      builder = CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
+        credentialIssuer,
+        metadata,
+        version,
+        credentialTypes,
+      });
     }
-    return builder;
+
+    return new CredentialRequestClientBuilder(builder);
   }
 
   public static async fromURI({ uri, metadata }: { uri: string; metadata?: EndpointMetadata }): Promise<CredentialRequestClientBuilder> {
     const offer = await CredentialOfferClient.fromURI(uri);
-    return CredentialRequestClientBuilder.fromCredentialOfferRequest({ request: offer, ...offer, metadata, version: offer.version });
+    return CredentialRequestClientBuilder.fromCredentialOfferRequest({
+      request: offer,
+      ...offer,
+      metadata,
+      version: offer.version,
+    });
   }
 
   public static fromCredentialOfferRequest(opts: {
@@ -69,24 +85,17 @@ export class CredentialRequestClientBuilder {
     version?: OpenId4VCIVersion;
     metadata?: EndpointMetadata;
   }): CredentialRequestClientBuilder {
-    const { request, metadata } = opts;
+    const { request } = opts;
     const version = opts.version ?? request.version ?? determineSpecVersionFromOffer(request.original_credential_offer);
+    let builder;
+
     if (version < OpenId4VCIVersion.VER_1_0_13) {
-      throw new Error('Versions below v1.0.13 (draft 13) are not supported.');
-    }
-    const builder = new CredentialRequestClientBuilder();
-    const issuer = getIssuerFromCredentialOfferPayload(request.credential_offer) ?? (metadata?.issuer as string);
-    builder.withVersion(version);
-    builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith('/') ? `${issuer}credential` : `${issuer}/credential`));
-    if (metadata?.deferred_credential_endpoint) {
-      builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
-    }
-    const ids: string[] = (request.credential_offer as CredentialOfferPayloadV1_0_13).credential_configuration_ids;
-    // if there's only one in the offer, we pre-select it. if not, you should provide the credentialType
-    if (ids.length && ids.length === 1) {
-      builder.withCredentialIdentifier(ids[0]);
+      builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
+    } else {
+      builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
     }
-    return builder;
+
+    return new CredentialRequestClientBuilder(builder);
   }
 
   public static fromCredentialOffer({
@@ -96,78 +105,100 @@ export class CredentialRequestClientBuilder {
     credentialOffer: CredentialOfferRequestWithBaseUrl;
     metadata?: EndpointMetadata;
   }): CredentialRequestClientBuilder {
-    return CredentialRequestClientBuilder.fromCredentialOfferRequest({
-      request: credentialOffer,
-      metadata,
-      version: credentialOffer.version,
-    });
+    const version = determineSpecVersionFromOffer(credentialOffer.credential_offer);
+    let builder;
+
+    if (version < OpenId4VCIVersion.VER_1_0_13) {
+      builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
+        credentialOffer,
+        metadata,
+      });
+    } else {
+      builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
+        credentialOffer,
+        metadata,
+      });
+    }
+
+    return new CredentialRequestClientBuilder(builder);
+  }
+
+  public getVersion(): OpenId4VCIVersion | undefined {
+    return this._builder.version;
   }
 
-  public withCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadataV1_0_13): this {
-    this.credentialEndpoint = metadata.credential_endpoint;
+  public withCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadata | CredentialIssuerMetadataV1_0_13): this {
+    if (isV1_0_13(this._builder)) {
+      this._builder.withCredentialEndpointFromMetadata(metadata as CredentialIssuerMetadataV1_0_13);
+    } else {
+      this._builder.withCredentialEndpointFromMetadata(metadata as CredentialIssuerMetadata);
+    }
     return this;
   }
 
   public withCredentialEndpoint(credentialEndpoint: string): this {
-    this.credentialEndpoint = credentialEndpoint;
+    this._builder.withCredentialEndpoint(credentialEndpoint);
     return this;
   }
 
-  public withDeferredCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadataV1_0_13): this {
-    this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
+  public withDeferredCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadata | CredentialIssuerMetadataV1_0_13): this {
+    if (isV1_0_13(this._builder)) {
+      this._builder.withDeferredCredentialEndpointFromMetadata(metadata as CredentialIssuerMetadataV1_0_13);
+    } else {
+      this._builder.withDeferredCredentialEndpointFromMetadata(metadata as CredentialIssuerMetadata);
+    }
     return this;
   }
 
   public withDeferredCredentialEndpoint(deferredCredentialEndpoint: string): this {
-    this.deferredCredentialEndpoint = deferredCredentialEndpoint;
+    this._builder.withDeferredCredentialEndpoint(deferredCredentialEndpoint);
     return this;
   }
 
   public withDeferredCredentialAwait(deferredCredentialAwait: boolean, deferredCredentialIntervalInMS?: number): this {
-    this.deferredCredentialAwait = deferredCredentialAwait;
-    this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5000;
+    this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS);
     return this;
   }
 
   public withCredentialIdentifier(credentialIdentifier: string): this {
-    this.credentialIdentifier = credentialIdentifier;
+    if (this._builder.version === undefined || this._builder.version < OpenId4VCIVersion.VER_1_0_13) {
+      throw new Error('Version of spec should be equal or higher than v1_0_13');
+    }
+    (this._builder as CredentialRequestClientBuilderV1_0_13).withCredentialIdentifier(credentialIdentifier);
     return this;
   }
 
   public withCredentialType(credentialTypes: string | string[]): this {
-    this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes];
+    this._builder.withCredentialType(credentialTypes);
     return this;
   }
 
   public withFormat(format: CredentialFormat | OID4VCICredentialFormat): this {
-    this.format = format;
+    this._builder.withFormat(format);
     return this;
   }
 
   public withSubjectIssuance(subjectIssuance: ExperimentalSubjectIssuance): this {
-    this.subjectIssuance = subjectIssuance;
+    this._builder.withSubjectIssuance(subjectIssuance);
     return this;
   }
 
   public withToken(accessToken: string): this {
-    this.token = accessToken;
+    this._builder.withToken(accessToken);
     return this;
   }
 
   public withTokenFromResponse(response: AccessTokenResponse): this {
-    this.token = response.access_token;
+    this._builder.withTokenFromResponse(response);
     return this;
   }
 
   public withVersion(version: OpenId4VCIVersion): this {
-    this.version = version;
+    this._builder.withVersion(version);
     return this;
   }
 
-  public build(): CredentialRequestClient {
-    if (!this.version) {
-      this.withVersion(OpenId4VCIVersion.VER_1_0_11);
-    }
-    return new CredentialRequestClient(this);
+  public build() {
+    return this._builder.build();
   }
 }

package/lib/CredentialRequestClientBuilderV1_0_13.ts

@@ -0,0 +1,173 @@
+import {
+  AccessTokenResponse,
+  CredentialIssuerMetadataV1_0_13,
+  CredentialOfferPayloadV1_0_13,
+  CredentialOfferRequestWithBaseUrl,
+  determineSpecVersionFromOffer,
+  EndpointMetadata,
+  ExperimentalSubjectIssuance,
+  getIssuerFromCredentialOfferPayload,
+  OID4VCICredentialFormat,
+  OpenId4VCIVersion,
+  UniformCredentialOfferRequest,
+} from '@sphereon/oid4vci-common';
+import { CredentialFormat } from '@sphereon/ssi-types';
+
+import { CredentialOfferClient } from './CredentialOfferClient';
+import { CredentialRequestClient } from './CredentialRequestClient';
+
+export class CredentialRequestClientBuilderV1_0_13 {
+  credentialEndpoint?: string;
+  deferredCredentialEndpoint?: string;
+  deferredCredentialAwait = false;
+  deferredCredentialIntervalInMS = 5000;
+  credentialIdentifier?: string;
+  credentialTypes?: string[] = [];
+  format?: CredentialFormat | OID4VCICredentialFormat;
+  token?: string;
+  version?: OpenId4VCIVersion;
+  subjectIssuance?: ExperimentalSubjectIssuance;
+
+  public static fromCredentialIssuer({
+    credentialIssuer,
+    metadata,
+    version,
+    credentialIdentifier,
+    credentialTypes,
+  }: {
+    credentialIssuer: string;
+    metadata?: EndpointMetadata;
+    version?: OpenId4VCIVersion;
+    credentialIdentifier?: string;
+    credentialTypes?: string | string[];
+  }): CredentialRequestClientBuilderV1_0_13 {
+    const issuer = credentialIssuer;
+    const builder = new CredentialRequestClientBuilderV1_0_13();
+    builder.withVersion(version ?? OpenId4VCIVersion.VER_1_0_13);
+    builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith('/') ? `${issuer}credential` : `${issuer}/credential`));
+    if (metadata?.deferred_credential_endpoint) {
+      builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
+    }
+    if (credentialIdentifier) {
+      builder.withCredentialIdentifier(credentialIdentifier);
+    }
+    if (credentialTypes) {
+      builder.withCredentialType(credentialTypes);
+    }
+    return builder;
+  }
+
+  public static async fromURI({ uri, metadata }: { uri: string; metadata?: EndpointMetadata }): Promise<CredentialRequestClientBuilderV1_0_13> {
+    const offer = await CredentialOfferClient.fromURI(uri);
+    return CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({ request: offer, ...offer, metadata, version: offer.version });
+  }
+
+  public static fromCredentialOfferRequest(opts: {
+    request: UniformCredentialOfferRequest;
+    scheme?: string;
+    baseUrl?: string;
+    version?: OpenId4VCIVersion;
+    metadata?: EndpointMetadata;
+  }): CredentialRequestClientBuilderV1_0_13 {
+    const { request, metadata } = opts;
+    const version = opts.version ?? request.version ?? determineSpecVersionFromOffer(request.original_credential_offer);
+    if (version < OpenId4VCIVersion.VER_1_0_13) {
+      throw new Error('Versions below v1.0.13 (draft 13) are not supported.');
+    }
+    const builder = new CredentialRequestClientBuilderV1_0_13();
+    const issuer = getIssuerFromCredentialOfferPayload(request.credential_offer) ?? (metadata?.issuer as string);
+    builder.withVersion(version);
+    builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith('/') ? `${issuer}credential` : `${issuer}/credential`));
+    if (metadata?.deferred_credential_endpoint) {
+      builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
+    }
+    const ids: string[] = (request.credential_offer as CredentialOfferPayloadV1_0_13).credential_configuration_ids;
+    // if there's only one in the offer, we pre-select it. if not, you should provide the credentialType
+    if (ids.length && ids.length === 1) {
+      builder.withCredentialIdentifier(ids[0]);
+    }
+    return builder;
+  }
+
+  public static fromCredentialOffer({
+    credentialOffer,
+    metadata,
+  }: {
+    credentialOffer: CredentialOfferRequestWithBaseUrl;
+    metadata?: EndpointMetadata;
+  }): CredentialRequestClientBuilderV1_0_13 {
+    return CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({
+      request: credentialOffer,
+      metadata,
+      version: credentialOffer.version,
+    });
+  }
+
+  public withCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadataV1_0_13): this {
+    this.credentialEndpoint = metadata.credential_endpoint;
+    return this;
+  }
+
+  public withCredentialEndpoint(credentialEndpoint: string): this {
+    this.credentialEndpoint = credentialEndpoint;
+    return this;
+  }
+
+  public withDeferredCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadataV1_0_13): this {
+    this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
+    return this;
+  }
+
+  public withDeferredCredentialEndpoint(deferredCredentialEndpoint: string): this {
+    this.deferredCredentialEndpoint = deferredCredentialEndpoint;
+    return this;
+  }
+
+  public withDeferredCredentialAwait(deferredCredentialAwait: boolean, deferredCredentialIntervalInMS?: number): this {
+    this.deferredCredentialAwait = deferredCredentialAwait;
+    this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5000;
+    return this;
+  }
+
+  public withCredentialIdentifier(credentialIdentifier: string): this {
+    this.credentialIdentifier = credentialIdentifier;
+    return this;
+  }
+
+  public withCredentialType(credentialTypes: string | string[]): this {
+    this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes];
+    return this;
+  }
+
+  public withFormat(format: CredentialFormat | OID4VCICredentialFormat): this {
+    this.format = format;
+    return this;
+  }
+
+  public withSubjectIssuance(subjectIssuance: ExperimentalSubjectIssuance): this {
+    this.subjectIssuance = subjectIssuance;
+    return this;
+  }
+
+  public withToken(accessToken: string): this {
+    this.token = accessToken;
+    return this;
+  }
+
+  public withTokenFromResponse(response: AccessTokenResponse): this {
+    this.token = response.access_token;
+    return this;
+  }
+
+  public withVersion(version: OpenId4VCIVersion): this {
+    this.version = version;
+    return this;
+  }
+
+  public build(): CredentialRequestClient {
+    if (!this.version) {
+      this.withVersion(OpenId4VCIVersion.VER_1_0_11);
+    }
+    return new CredentialRequestClient(this);
+  }
+}

package/lib/OpenID4VCIClient.ts

@@ -3,6 +3,7 @@ import {
   Alg,
   AuthorizationRequestOpts,
   AuthorizationResponse,
+  AuthorizationServerOpts,
   AuthzFlowType,
   CodeChallengeMethod,
   CredentialConfigurationSupported,
@@ -41,8 +42,8 @@ import { createAuthorizationRequestUrl } from './AuthorizationCodeClient';
 import { createAuthorizationRequestUrlV1_0_11 } from './AuthorizationCodeClientV1_0_11';
 import { CredentialOfferClient } from './CredentialOfferClient';
 import { CredentialRequestOpts } from './CredentialRequestClient';
-import { CredentialRequestClientBuilder } from './CredentialRequestClientBuilder';
 import { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11';
+import { CredentialRequestClientBuilderV1_0_13 } from './CredentialRequestClientBuilderV1_0_13';
 import { MetadataClient } from './MetadataClient';
 import { OpenID4VCIClientStateV1_0_11 } from './OpenID4VCIClientV1_0_11';
 import { OpenID4VCIClientStateV1_0_13 } from './OpenID4VCIClientV1_0_13';
@@ -273,8 +274,10 @@ export class OpenID4VCIClient {
     authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
     code?: string; // Directly pass in a code from an auth response
     redirectUri?: string;
+    additionalRequestParams?: Record<string, any>;
+    asOpts?: AuthorizationServerOpts;
   }): Promise<AccessTokenResponse> {
-    const { pin, clientId } = opts ?? {};
+    const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
     if (opts?.authorizationResponse) {
       this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(opts.authorizationResponse) };
@@ -288,6 +291,26 @@ export class OpenID4VCIClient {
     }
     this.assertIssuerData();
 
+    const asOpts: AuthorizationServerOpts = { ...opts?.asOpts };
+    const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
+    const clientAssertionType =
+      asOpts.clientOpts?.clientAssertionType ??
+      (kid && clientId && typeof asOpts.clientOpts?.signCallbacks === 'function'
+        ? 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        : undefined);
+    if (this.isEBSI() || (clientId && kid)) {
+      if (!clientId) {
+        throw Error(`Client id expected for EBSI`);
+      }
+      asOpts.clientOpts = {
+        ...asOpts.clientOpts,
+        clientId,
+        ...(kid && { kid }),
+        ...(clientAssertionType && { clientAssertionType }),
+        signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks,
+      };
+    }
+
     if (clientId) {
       this._state.clientId = clientId;
     }
@@ -311,7 +334,8 @@ export class OpenID4VCIClient {
         ...(!this._state.pkce.disabled && { codeVerifier: this._state.pkce.codeVerifier }),
         code,
         redirectUri,
-        asOpts: { clientId: this.clientId },
+        asOpts,
+        ...(opts?.additionalRequestParams && { additionalParams: opts.additionalRequestParams }),
       });
 
       if (response.errorBody) {
@@ -368,7 +392,7 @@ export class OpenID4VCIClient {
     if (jwk) this._state.jwk = jwk;
     if (kid) this._state.kid = kid;
 
-    let requestBuilder: CredentialRequestClientBuilder | CredentialRequestClientBuilderV1_0_11;
+    let requestBuilder: CredentialRequestClientBuilderV1_0_13 | CredentialRequestClientBuilderV1_0_11;
     if (this.version() < OpenId4VCIVersion.VER_1_0_13) {
       requestBuilder = this.credentialOffer
         ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
@@ -383,11 +407,11 @@ export class OpenID4VCIClient {
           });
     } else {
       requestBuilder = this.credentialOffer
-        ? CredentialRequestClientBuilder.fromCredentialOffer({
+        ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
             credentialOffer: this.credentialOffer,
             metadata: this.endpointMetadata,
           })
-        : CredentialRequestClientBuilder.fromCredentialIssuer({
+        : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
             credentialIssuer: this.getIssuer(),
             credentialTypes,
             metadata: this.endpointMetadata,
@@ -646,6 +670,9 @@ export class OpenID4VCIClient {
     }
     // this.assertIssuerData();
     return (
+      this.clientId?.includes('ebsi') ||
+      this._state.kid?.includes('did:ebsi:') ||
+      this.getIssuer().includes('ebsi') ||
       this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') ||
       this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes('ebsi.eu')
     );

package/lib/OpenID4VCIClientV1_0_11.ts

@@ -3,6 +3,7 @@ import {
   Alg,
   AuthorizationRequestOpts,
   AuthorizationResponse,
+  AuthorizationServerOpts,
   AuthzFlowType,
   CodeChallengeMethod,
   CredentialConfigurationSupported,
@@ -259,6 +260,7 @@ export class OpenID4VCIClientV1_0_11 {
     authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
     code?: string; // Directly pass in a code from an auth response
     redirectUri?: string;
+    asOpts?: AuthorizationServerOpts;
   }): Promise<AccessTokenResponse> {
     const { pin, clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
@@ -288,6 +290,25 @@ export class OpenID4VCIClientV1_0_11 {
       if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
         redirectUri = this._state.authorizationRequestOpts.redirectUri;
       }
+      const asOpts: AuthorizationServerOpts = { ...opts?.asOpts };
+      const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
+      const clientAssertionType =
+        asOpts.clientOpts?.clientAssertionType ??
+        (kid && clientId && typeof asOpts.clientOpts?.signCallbacks === 'function'
+          ? 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+          : undefined);
+      if (this.isEBSI() || (clientId && kid)) {
+        if (!clientId) {
+          throw Error(`Client id expected for EBSI`);
+        }
+        asOpts.clientOpts = {
+          ...asOpts.clientOpts,
+          clientId,
+          ...(kid && { kid }),
+          ...(clientAssertionType && { clientAssertionType }),
+          signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks,
+        };
+      }
 
       const response = await accessTokenClient.acquireAccessToken({
         credentialOffer: this.credentialOffer,
@@ -297,7 +318,7 @@ export class OpenID4VCIClientV1_0_11 {
         ...(!this._state.pkce.disabled && { codeVerifier: this._state.pkce.codeVerifier }),
         code,
         redirectUri,
-        asOpts: { clientId: this.clientId },
+        asOpts,
       });
 
       if (response.errorBody) {
@@ -584,8 +605,8 @@ export class OpenID4VCIClientV1_0_11 {
    */
   public isEBSI() {
     if (
-      (this.credentialOffer?.credential_offer as CredentialOfferPayloadV1_0_11)['credentials'] &&
-      (this.credentialOffer?.credential_offer as CredentialOfferPayloadV1_0_11).credentials.find(
+      this.credentialOffer &&
+      (this.credentialOffer?.credential_offer as CredentialOfferPayloadV1_0_11)?.credentials?.find(
         (cred) =>
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore
@@ -594,8 +615,14 @@ export class OpenID4VCIClientV1_0_11 {
     ) {
       return true;
     }
-    this.assertIssuerData();
-    return this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') === true;
+    // this.assertIssuerData();
+    return (
+      this.clientId?.includes('ebsi') ||
+      this._state.kid?.includes('did:ebsi:') ||
+      this.getIssuer().includes('ebsi') ||
+      this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') ||
+      this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes('ebsi.eu')
+    );
   }
 
   private assertIssuerData(): void {

package/lib/OpenID4VCIClientV1_0_13.ts

@@ -3,6 +3,7 @@ import {
   Alg,
   AuthorizationRequestOpts,
   AuthorizationResponse,
+  AuthorizationServerOpts,
   AuthzFlowType,
   CodeChallengeMethod,
   CredentialConfigurationSupportedV1_0_13,
@@ -36,8 +37,7 @@ import { CredentialRequestOpts } from './CredentialRequestClient';
 import { CredentialRequestClientBuilder } from './CredentialRequestClientBuilder';
 import { MetadataClientV1_0_13 } from './MetadataClientV1_0_13';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
-import { generateMissingPKCEOpts } from './functions';
-import { sendNotification } from './functions';
+import { generateMissingPKCEOpts, sendNotification } from './functions';
 
 const debug = Debug('sphereon:oid4vci');
 
@@ -265,6 +265,7 @@ export class OpenID4VCIClientV1_0_13 {
     authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
     code?: string; // Directly pass in a code from an auth response
     redirectUri?: string;
+    asOpts?: AuthorizationServerOpts;
   }): Promise<AccessTokenResponse> {
     const { pin, clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
@@ -279,6 +280,25 @@ export class OpenID4VCIClientV1_0_13 {
       this._state.pkce.codeVerifier = opts.codeVerifier;
     }
     this.assertIssuerData();
+    const asOpts: AuthorizationServerOpts = { ...opts?.asOpts };
+    const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
+    const clientAssertionType =
+      asOpts.clientOpts?.clientAssertionType ??
+      (kid && clientId && typeof asOpts.clientOpts?.signCallbacks === 'function'
+        ? 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        : undefined);
+    if (this.isEBSI() || (clientId && kid)) {
+      if (!clientId) {
+        throw Error(`Client id expected for EBSI`);
+      }
+      asOpts.clientOpts = {
+        ...asOpts.clientOpts,
+        clientId,
+        ...(kid && { kid }),
+        ...(clientAssertionType && { clientAssertionType }),
+        signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks,
+      };
+    }
 
     if (clientId) {
       this._state.clientId = clientId;
@@ -302,7 +322,7 @@ export class OpenID4VCIClientV1_0_13 {
         ...(!this._state.pkce.disabled && { codeVerifier: this._state.pkce.codeVerifier }),
         code,
         redirectUri,
-        asOpts: { clientId: this.clientId },
+        asOpts,
       });
 
       if (response.errorBody) {
@@ -636,8 +656,13 @@ export class OpenID4VCIClientV1_0_13 {
       }
     }
 
-    this.assertIssuerData();
-    return this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') ?? false;
+    return (
+      this.clientId?.includes('ebsi') ||
+      this._state.kid?.includes('did:ebsi:') ||
+      this.getIssuer().includes('ebsi') ||
+      this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') ||
+      this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes('ebsi.eu')
+    );
   }
 
   private assertIssuerData(): void {