@sphereon/oid4vci-client 0.12.1-next.2 → 0.12.1-next.22

package/lib/__tests__/SdJwt.spec.ts

@@ -166,4 +166,107 @@ describe('sd-jwt vc', () => {
     },
     UNIT_TEST_TIMEOUT,
   );
+
+  it(
+    'succeed with a full flow without did',
+    async () => {
+      const offerUri = await vcIssuer.createCredentialOfferURI({
+        grants: {
+          'urn:ietf:params:oauth:grant-type:pre-authorized_code': {
+            tx_code: {
+              input_mode: 'text',
+              length: 3,
+            },
+            'pre-authorized_code': '123',
+          },
+        },
+        credential_configuration_ids: ['SdJwtCredential'],
+      });
+
+      nock(vcIssuer.issuerMetadata.credential_issuer).get('/.well-known/openid-credential-issuer').reply(200, JSON.stringify(issuerMetadata));
+      nock(vcIssuer.issuerMetadata.credential_issuer).get('/.well-known/openid-configuration').reply(404);
+      nock(vcIssuer.issuerMetadata.credential_issuer).get('/.well-known/oauth-authorization-server').reply(404);
+
+      expect(offerUri.uri).toEqual(
+        'openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22123%22%2C%22tx_code%22%3A%7B%22input_mode%22%3A%22text%22%2C%22length%22%3A3%7D%7D%7D%2C%22credential_configuration_ids%22%3A%5B%22SdJwtCredential%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fexample.com%22%7D',
+      );
+
+      const client = await OpenID4VCIClientV1_0_13.fromURI({
+        uri: offerUri.uri,
+      });
+
+      expect(client.credentialOffer?.credential_offer).toEqual({
+        credential_issuer: 'https://example.com',
+        credential_configuration_ids: ['SdJwtCredential'],
+        grants: {
+          'urn:ietf:params:oauth:grant-type:pre-authorized_code': {
+            'pre-authorized_code': '123',
+            tx_code: {
+              input_mode: 'text',
+              length: 3,
+            },
+          },
+        },
+      });
+
+      const supported = client.getCredentialsSupported('vc+sd-jwt');
+      expect(supported).toEqual({ SdJwtCredentialId: { format: 'vc+sd-jwt', id: 'SdJwtCredentialId', vct: 'SdJwtCredentialId' } });
+
+      const offered = supported['SdJwtCredentialId'] as CredentialSupportedSdJwtVc;
+
+      nock(issuerMetadata.token_endpoint as string)
+        .post('/')
+        .reply(200, async (_, body: string) => {
+          const parsedBody = Object.fromEntries(body.split('&').map((x) => x.split('=')));
+          return createAccessTokenResponse(parsedBody as AccessTokenRequest, {
+            credentialOfferSessions: vcIssuer.credentialOfferSessions,
+            accessTokenIssuer: 'https://issuer.example.com',
+            cNonces: vcIssuer.cNonces,
+            cNonce: 'a-c-nonce',
+            accessTokenSignerCallback: async () => 'ey.val.ue',
+            tokenExpiresIn: 500,
+          });
+        });
+
+      await client.acquireAccessToken({ pin: '123' });
+      nock(issuerMetadata.credential_endpoint as string)
+        .post('/')
+        .reply(200, async (_, body) =>
+          vcIssuer.issueCredential({
+            credentialRequest: { ...(body as CredentialRequestV1_0_13), credential_identifier: offered.vct },
+            credential: {
+              vct: 'Hello',
+              iss: 'example.com',
+              iat: 123,
+              // Defines what can be disclosed (optional)
+              __disclosureFrame: {
+                name: true,
+              },
+            },
+            newCNonce: 'new-c-nonce',
+          }),
+        );
+
+      const credentials = await client.acquireCredentials({
+        credentialIdentifier: offered.vct,
+        // format: 'vc+sd-jwt',
+        alg,
+        jwk,
+        proofCallbacks: {
+          // When using sd-jwt for real, this jwt should include a jwk
+          signCallback: async () => 'ey.ja.ja',
+        },
+      });
+
+      expect(credentials).toEqual({
+        notification_id: expect.any(String),
+        access_token: 'ey.val.ue',
+        c_nonce: 'new-c-nonce',
+        c_nonce_expires_in: 300,
+        credential: 'sd-jwt',
+        // format: 'vc+sd-jwt',
+      });
+    },
+    UNIT_TEST_TIMEOUT,
+  );
 });

package/lib/functions/AccessTokenUtil.ts

@@ -0,0 +1,45 @@
+import { AccessTokenRequest, AccessTokenRequestOpts, Jwt, OpenId4VCIVersion } from '@sphereon/oid4vci-common';
+import { v4 } from 'uuid';
+
+import { ProofOfPossessionBuilder } from '../ProofOfPossessionBuilder';
+
+export const createJwtBearerClientAssertion = async (
+  request: Partial<AccessTokenRequest>,
+  opts: AccessTokenRequestOpts & {
+    version?: OpenId4VCIVersion;
+  },
+): Promise<void> => {
+  const { asOpts } = opts;
+  if (asOpts?.clientOpts?.clientAssertionType === 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer') {
+    if (!request.client_id) {
+      throw Error(`Not client_id supplied, but client-assertion jwt-bearer requested.`);
+    } else if (!asOpts.clientOpts.kid) {
+      throw Error(`No kid supplied, but client-assertion jwt-bearer requested.`);
+    } else if (!asOpts.clientOpts.signCallbacks) {
+      throw Error(`No sign callback supplied, but client-assertion jwt-bearer requested.`);
+    }
+    const jwt: Jwt = {
+      header: {
+        typ: 'JWT',
+        kid: asOpts.clientOpts.kid,
+        alg: asOpts.clientOpts.alg ?? 'ES256',
+      },
+      payload: {
+        iss: request.client_id,
+        sub: request.client_id,
+        aud: opts.credentialIssuer,
+        jti: v4(),
+        exp: Date.now() / 1000 + 60,
+        iat: Date.now() / 1000 - 60,
+      },
+    };
+    const pop = await ProofOfPossessionBuilder.fromJwt({
+      jwt,
+      callbacks: asOpts.clientOpts.signCallbacks,
+      version: opts.version ?? OpenId4VCIVersion.VER_1_0_13,
+      mode: 'jwt',
+    }).build();
+    request.client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
+    request.client_assertion = pop.jwt;
+  }
+};

package/lib/functions/index.ts

@@ -1,2 +1,4 @@
 export * from './AuthorizationUtil';
 export * from './notifications';
+export * from './OpenIDUtils';
+export * from './AccessTokenUtil';

package/lib/index.ts

@@ -13,6 +13,7 @@ export * from './CredentialOfferClientV1_0_11';
 export * from './CredentialOfferClientV1_0_13';
 export * from './CredentialRequestClientV1_0_11';
 export * from './CredentialRequestClientBuilder';
+export * from './CredentialRequestClientBuilderV1_0_13';
 export * from './CredentialRequestClientBuilderV1_0_11';
 export * from './functions';
 export * from './MetadataClient';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/oid4vci-client",
-  "version": "0.12.1-next.2+31597bc",
+  "version": "0.12.1-next.22+2759750",
   "description": "OpenID for Verifiable Credential Issuance (OpenID4VCI) client",
   "source": "lib/index.ts",
   "main": "dist/index.js",
@@ -15,7 +15,7 @@
     "build": "tsc"
   },
   "dependencies": {
-    "@sphereon/oid4vci-common": "0.12.1-next.2+31597bc",
+    "@sphereon/oid4vci-common": "0.12.1-next.22+2759750",
     "@sphereon/ssi-types": "0.25.1-unstable.87",
     "cross-fetch": "^3.1.8",
     "debug": "^4.3.4"
@@ -69,5 +69,5 @@
     "OIDC4VCI",
     "OID4VCI"
   ],
-  "gitHead": "31597bc83f8468af31f294da524781f58b7f5707"
+  "gitHead": "2759750708d523a023b89db337a148299d2abc6d"
 }