@sphereon/oid4vci-client 0.12.1-unstable.9 → 0.13.0

package/lib/__tests__/SdJwt.spec.ts

@@ -215,37 +215,37 @@ describe('sd-jwt vc', () => {
       const offered = supported['SdJwtCredentialId'] as CredentialSupportedSdJwtVc;
 
       nock(issuerMetadata.token_endpoint as string)
-      .post('/')
-      .reply(200, async (_, body: string) => {
-        const parsedBody = Object.fromEntries(body.split('&').map((x) => x.split('=')));
-        return createAccessTokenResponse(parsedBody as AccessTokenRequest, {
-          credentialOfferSessions: vcIssuer.credentialOfferSessions,
-          accessTokenIssuer: 'https://issuer.example.com',
-          cNonces: vcIssuer.cNonces,
-          cNonce: 'a-c-nonce',
-          accessTokenSignerCallback: async () => 'ey.val.ue',
-          tokenExpiresIn: 500,
+        .post('/')
+        .reply(200, async (_, body: string) => {
+          const parsedBody = Object.fromEntries(body.split('&').map((x) => x.split('=')));
+          return createAccessTokenResponse(parsedBody as AccessTokenRequest, {
+            credentialOfferSessions: vcIssuer.credentialOfferSessions,
+            accessTokenIssuer: 'https://issuer.example.com',
+            cNonces: vcIssuer.cNonces,
+            cNonce: 'a-c-nonce',
+            accessTokenSignerCallback: async () => 'ey.val.ue',
+            tokenExpiresIn: 500,
+          });
         });
-      });
 
       await client.acquireAccessToken({ pin: '123' });
       nock(issuerMetadata.credential_endpoint as string)
-      .post('/')
-      .reply(200, async (_, body) =>
-        vcIssuer.issueCredential({
-          credentialRequest: { ...(body as CredentialRequestV1_0_13), credential_identifier: offered.vct },
-          credential: {
-            vct: 'Hello',
-            iss: 'example.com',
-            iat: 123,
-            // Defines what can be disclosed (optional)
-            __disclosureFrame: {
-              name: true,
+        .post('/')
+        .reply(200, async (_, body) =>
+          vcIssuer.issueCredential({
+            credentialRequest: { ...(body as CredentialRequestV1_0_13), credential_identifier: offered.vct },
+            credential: {
+              vct: 'Hello',
+              iss: 'example.com',
+              iat: 123,
+              // Defines what can be disclosed (optional)
+              __disclosureFrame: {
+                name: true,
+              },
             },
-          },
-          newCNonce: 'new-c-nonce',
-        }),
-      );
+            newCNonce: 'new-c-nonce',
+          }),
+        );
 
       const credentials = await client.acquireCredentials({
         credentialIdentifier: offered.vct,

package/lib/functions/AccessTokenUtil.ts

@@ -0,0 +1,52 @@
+import { AccessTokenRequest, AccessTokenRequestOpts, Jwt, OpenId4VCIVersion } from '@sphereon/oid4vci-common';
+import { v4 } from 'uuid';
+
+import { ProofOfPossessionBuilder } from '../ProofOfPossessionBuilder';
+
+export const createJwtBearerClientAssertion = async (
+  request: Partial<AccessTokenRequest>,
+  opts: AccessTokenRequestOpts & {
+    version?: OpenId4VCIVersion;
+  },
+): Promise<void> => {
+  const { asOpts, credentialIssuer } = opts;
+  if (asOpts?.clientOpts?.clientAssertionType === 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer') {
+    const { clientId = request.client_id, signCallbacks, alg } = asOpts.clientOpts;
+    let { kid } = asOpts.clientOpts;
+    if (!clientId) {
+      return Promise.reject(Error(`Not client_id supplied, but client-assertion jwt-bearer requested.`));
+    } else if (!kid) {
+      return Promise.reject(Error(`No kid supplied, but client-assertion jwt-bearer requested.`));
+    } else if (typeof signCallbacks?.signCallback !== 'function') {
+      return Promise.reject(Error(`No sign callback supplied, but client-assertion jwt-bearer requested.`));
+    } else if (!credentialIssuer) {
+      return Promise.reject(Error(`No credential issuer supplied, but client-assertion jwt-bearer requested.`));
+    }
+    if (clientId.startsWith('http') && kid.includes('#')) {
+      kid = kid.split('#')[1];
+    }
+    const jwt: Jwt = {
+      header: {
+        typ: 'JWT',
+        kid,
+        alg: alg ?? 'ES256',
+      },
+      payload: {
+        iss: clientId,
+        sub: clientId,
+        aud: credentialIssuer,
+        jti: v4(),
+        exp: Date.now() / 1000 + 60,
+        iat: Date.now() / 1000 - 60,
+      },
+    };
+    const pop = await ProofOfPossessionBuilder.fromJwt({
+      jwt,
+      callbacks: signCallbacks,
+      version: opts.version ?? OpenId4VCIVersion.VER_1_0_13,
+      mode: 'JWT',
+    }).build();
+    request.client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
+    request.client_assertion = pop.jwt;
+  }
+};

package/lib/functions/index.ts

@@ -1,2 +1,4 @@
 export * from './AuthorizationUtil';
 export * from './notifications';
+export * from './OpenIDUtils';
+export * from './AccessTokenUtil';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/oid4vci-client",
-  "version": "0.12.1-unstable.9+9db2c63",
+  "version": "0.13.0",
   "description": "OpenID for Verifiable Credential Issuance (OpenID4VCI) client",
   "source": "lib/index.ts",
   "main": "dist/index.js",
@@ -15,8 +15,8 @@
     "build": "tsc"
   },
   "dependencies": {
-    "@sphereon/oid4vci-common": "0.12.1-unstable.9+9db2c63",
-    "@sphereon/ssi-types": "0.25.1-unstable.87",
+    "@sphereon/oid4vci-common": "0.13.0",
+    "@sphereon/ssi-types": "0.26.1-next.6",
     "cross-fetch": "^3.1.8",
     "debug": "^4.3.4"
   },
@@ -69,5 +69,5 @@
     "OIDC4VCI",
     "OID4VCI"
   ],
-  "gitHead": "9db2c63ee201cd6569caa668c82b9a00dedc89fd"
+  "gitHead": "4ae9812531dfb8bd45809127a215cdc5d02c6d4f"
 }