@sphereon/oid4vci-client 0.15.1 → 0.15.2-next.38

package/dist/functions/dpopUtil.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.shouldRetryTokenRequestWithDPoPNonce = shouldRetryTokenRequestWithDPoPNonce;
+exports.shouldRetryResourceRequestWithDPoPNonce = shouldRetryResourceRequestWithDPoPNonce;
+const oid4vc_common_1 = require("@sphereon/oid4vc-common");
+function shouldRetryTokenRequestWithDPoPNonce(response) {
+    if (!response.errorBody || response.errorBody.error !== oid4vc_common_1.dpopTokenRequestNonceError) {
+        return { ok: false };
+    }
+    const dPoPNonce = response.origResponse.headers.get('DPoP-Nonce');
+    if (!dPoPNonce) {
+        throw new Error('Missing required DPoP-Nonce header.');
+    }
+    return { ok: true, dpopNonce: dPoPNonce };
+}
+function shouldRetryResourceRequestWithDPoPNonce(response) {
+    if (!response.errorBody || response.origResponse.status !== 401) {
+        return { ok: false };
+    }
+    const wwwAuthenticateHeader = response.origResponse.headers.get('WWW-Authenticate');
+    if (!(wwwAuthenticateHeader === null || wwwAuthenticateHeader === void 0 ? void 0 : wwwAuthenticateHeader.includes(oid4vc_common_1.dpopTokenRequestNonceError))) {
+        return { ok: false };
+    }
+    const dPoPNonce = response.origResponse.headers.get('DPoP-Nonce');
+    if (!dPoPNonce) {
+        throw new Error('Missing required DPoP-Nonce header.');
+    }
+    return { ok: true, dpopNonce: dPoPNonce };
+}
+//# sourceMappingURL=dpopUtil.js.map

package/dist/functions/dpopUtil.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpopUtil.js","sourceRoot":"","sources":["../../lib/functions/dpopUtil.ts"],"names":[],"mappings":";;AAKA,oFAWC;AAED,0FAgBC;AAlCD,2DAAqE;AAKrE,SAAgB,oCAAoC,CAAC,QAA0C;IAC7F,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,CAAC,KAAK,KAAK,0CAA0B,EAAE,CAAC;QACnF,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IACvB,CAAC;IAED,MAAM,SAAS,GAAG,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAClE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AAC5C,CAAC;AAED,SAAgB,uCAAuC,CAAC,QAA0C;IAChG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,YAAY,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAChE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IACvB,CAAC;IAED,MAAM,qBAAqB,GAAG,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IACpF,IAAI,CAAC,CAAA,qBAAqB,aAArB,qBAAqB,uBAArB,qBAAqB,CAAE,QAAQ,CAAC,0CAA0B,CAAC,CAAA,EAAE,CAAC;QACjE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IACvB,CAAC;IAED,MAAM,SAAS,GAAG,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAClE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AAC5C,CAAC"}

package/dist/functions/notifications.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"notifications.d.ts","sourceRoot":"","sources":["../../lib/functions/notifications.ts"],"names":[],"mappings":"AAAA,OAAO,EAA6B,mBAAmB,EAAE,kBAAkB,EAAQ,MAAM,0BAA0B,CAAC;AAEpH,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAGnE,wBAAsB,gBAAgB,CACpC,qBAAqB,EAAE,OAAO,CAAC,qBAAqB,CAAC,EACrD,OAAO,EAAE,mBAAmB,EAC5B,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,kBAAkB,CAAC,CAsB7B"}
+{"version":3,"file":"notifications.d.ts","sourceRoot":"","sources":["../../lib/functions/notifications.ts"],"names":[],"mappings":"AAAA,OAAO,EAA6B,mBAAmB,EAAE,kBAAkB,EAAQ,MAAM,0BAA0B,CAAC;AAEpH,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAGnE,wBAAsB,gBAAgB,CACpC,qBAAqB,EAAE,OAAO,CAAC,qBAAqB,CAAC,EACrD,OAAO,EAAE,mBAAmB,EAC5B,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,kBAAkB,CAAC,CAoB7B"}

package/dist/functions/notifications.js

@@ -14,7 +14,7 @@ const oid4vci_common_1 = require("@sphereon/oid4vci-common");
 const types_1 = require("../types");
 function sendNotification(credentialRequestOpts, request, accessToken) {
     return __awaiter(this, void 0, void 0, function* () {
-        var _a, _b, _c;
+        var _a;
         types_1.LOG.info(`Sending status notification event '${request.event}' for id ${request.notification_id}`);
         if (!credentialRequestOpts.notificationEndpoint) {
             throw Error(`Cannot send notification when no notification endpoint is provided`);
@@ -24,10 +24,10 @@ function sendNotification(credentialRequestOpts, request, accessToken) {
         const error = ((_a = response.errorBody) === null || _a === void 0 ? void 0 : _a.error) !== undefined;
         const result = {
             error,
-            response: error ? yield ((_b = response.errorBody) === null || _b === void 0 ? void 0 : _b.json()) : undefined,
+            response: error ? response.errorBody : undefined,
         };
         if (error) {
-            types_1.LOG.warning(`Notification endpoint returned an error for event '${request.event}' and id ${request.notification_id}: ${yield ((_c = response.errorBody) === null || _c === void 0 ? void 0 : _c.json())}`);
+            types_1.LOG.warning(`Notification endpoint returned an error for event '${request.event}' and id ${request.notification_id}: ${response.errorBody}`);
         }
         else {
             types_1.LOG.debug(`Notification endpoint returned success for event '${request.event}' and id ${request.notification_id}`);

package/dist/functions/notifications.js.map

@@ -1 +1 @@
-{"version":3,"file":"notifications.js","sourceRoot":"","sources":["../../lib/functions/notifications.ts"],"names":[],"mappings":";;;;;;;;;;;AAKA,4CA0BC;AA/BD,6DAAoH;AAGpH,oCAA+B;AAE/B,SAAsB,gBAAgB,CACpC,qBAAqD,EACrD,OAA4B,EAC5B,WAAoB;;;QAEpB,WAAG,CAAC,IAAI,CAAC,sCAAsC,OAAO,CAAC,KAAK,YAAY,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;QACnG,IAAI,CAAC,qBAAqB,CAAC,oBAAoB,EAAE,CAAC;YAChD,MAAM,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACpF,CAAC;QACD,MAAM,KAAK,GAAG,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,qBAAqB,CAAC,KAAK,CAAC;QACzD,MAAM,QAAQ,GAAG,MAAM,IAAA,qBAAI,EAA4B,qBAAqB,CAAC,oBAAoB,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,oBACrH,CAAC,KAAK,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,EACpC,CAAC;QACH,MAAM,KAAK,GAAG,CAAA,MAAA,QAAQ,CAAC,SAAS,0CAAE,KAAK,MAAK,SAAS,CAAC;QACtD,MAAM,MAAM,GAAG;YACb,KAAK;YACL,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA,MAAA,QAAQ,CAAC,SAAS,0CAAE,IAAI,EAAE,CAAA,CAAC,CAAC,CAAC,SAAS;SAC/D,CAAC;QACF,IAAI,KAAK,EAAE,CAAC;YACV,WAAG,CAAC,OAAO,CACT,sDAAsD,OAAO,CAAC,KAAK,YAAY,OAAO,CAAC,eAAe,KAAK,MAAM,CAAA,MAAA,QAAQ,CAAC,SAAS,0CAAE,IAAI,EAAE,CAAA,EAAE,CAC9I,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,WAAG,CAAC,KAAK,CAAC,qDAAqD,OAAO,CAAC,KAAK,YAAY,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;QACrH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CAAA"}
+{"version":3,"file":"notifications.js","sourceRoot":"","sources":["../../lib/functions/notifications.ts"],"names":[],"mappings":";;;;;;;;;;;AAKA,4CAwBC;AA7BD,6DAAoH;AAGpH,oCAA+B;AAE/B,SAAsB,gBAAgB,CACpC,qBAAqD,EACrD,OAA4B,EAC5B,WAAoB;;;QAEpB,WAAG,CAAC,IAAI,CAAC,sCAAsC,OAAO,CAAC,KAAK,YAAY,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;QACnG,IAAI,CAAC,qBAAqB,CAAC,oBAAoB,EAAE,CAAC;YAChD,MAAM,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACpF,CAAC;QACD,MAAM,KAAK,GAAG,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,qBAAqB,CAAC,KAAK,CAAC;QACzD,MAAM,QAAQ,GAAG,MAAM,IAAA,qBAAI,EAA4B,qBAAqB,CAAC,oBAAoB,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,oBACrH,CAAC,KAAK,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,EACpC,CAAC;QACH,MAAM,KAAK,GAAG,CAAA,MAAA,QAAQ,CAAC,SAAS,0CAAE,KAAK,MAAK,SAAS,CAAC;QACtD,MAAM,MAAM,GAAG;YACb,KAAK;YACL,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;SACjD,CAAC;QACF,IAAI,KAAK,EAAE,CAAC;YACV,WAAG,CAAC,OAAO,CAAC,sDAAsD,OAAO,CAAC,KAAK,YAAY,OAAO,CAAC,eAAe,KAAK,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/I,CAAC;aAAM,CAAC;YACN,WAAG,CAAC,KAAK,CAAC,qDAAqD,OAAO,CAAC,KAAK,YAAY,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;QACrH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CAAA"}

package/lib/AccessTokenClient.ts

@@ -1,3 +1,4 @@
+import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereon/oid4vc-common';
 import {
   AccessTokenRequest,
   AccessTokenRequestOpts,
@@ -6,6 +7,7 @@ import {
   AuthorizationServerOpts,
   AuthzFlowType,
   convertJsonToURI,
+  DPoPResponseParams,
   EndpointMetadata,
   formPost,
   getIssuerFromCredentialOfferPayload,
@@ -24,11 +26,12 @@ import { ObjectUtils } from '@sphereon/ssi-types';
 
 import { MetadataClientV1_0_13 } from './MetadataClientV1_0_13';
 import { createJwtBearerClientAssertion } from './functions';
+import { shouldRetryTokenRequestWithDPoPNonce } from './functions/dpopUtil';
 import { LOG } from './types';
 
 export class AccessTokenClient {
-  public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse>> {
-    const { asOpts, pin, codeVerifier, code, redirectUri, metadata } = opts;
+  public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse, DPoPResponseParams>> {
+    const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts;
 
     const credentialOffer = opts.credentialOffer ? await assertedUniformCredentialOffer(opts.credentialOffer) : undefined;
     const pinMetadata: TxCodeAndPinRequired | undefined = credentialOffer && this.getPinMetadata(credentialOffer.credential_offer);
@@ -59,6 +62,7 @@ export class AccessTokenClient {
       metadata,
       asOpts,
       issuerOpts,
+      createDPoPOpts: createDPoPOpts,
     });
   }
 
@@ -68,13 +72,15 @@ export class AccessTokenClient {
     metadata,
     asOpts,
     issuerOpts,
+    createDPoPOpts,
   }: {
     accessTokenRequest: AccessTokenRequest;
     pinMetadata?: TxCodeAndPinRequired;
     metadata?: EndpointMetadata;
     asOpts?: AuthorizationServerOpts;
     issuerOpts?: IssuerOpts;
-  }): Promise<OpenIDResponse<AccessTokenResponse>> {
+    createDPoPOpts?: CreateDPoPClientOpts;
+  }): Promise<OpenIDResponse<AccessTokenResponse, DPoPResponseParams>> {
     this.validate(accessTokenRequest, pinMetadata);
 
     const requestTokenURL = AccessTokenClient.determineTokenURL({
@@ -87,10 +93,34 @@ export class AccessTokenClient {
           : undefined,
     });
 
-    return this.sendAuthCode(requestTokenURL, accessTokenRequest);
+    const useDpop = createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0;
+    let dPoP = useDpop ? await createDPoP(getCreateDPoPOptions(createDPoPOpts, requestTokenURL)) : undefined;
+
+    let response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dpop: dPoP } } : undefined);
+
+    let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
+    const retryWithNonce = shouldRetryTokenRequestWithDPoPNonce(response);
+    if (retryWithNonce.ok && createDPoPOpts) {
+      createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
+
+      dPoP = await createDPoP(getCreateDPoPOptions(createDPoPOpts, requestTokenURL));
+      response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dpop: dPoP } } : undefined);
+      const successDPoPNonce = response.origResponse.headers.get('DPoP-Nonce');
+
+      nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
+    }
+
+    if (response.successBody && createDPoPOpts && response.successBody.token_type !== 'DPoP') {
+      throw new Error('Invalid token type returned. Expected DPoP. Received: ' + response.successBody.token_type);
+    }
+
+    return {
+      ...response,
+      params: { ...(nextDPoPNonce && { dpop: { dpopNonce: nextDPoPNonce } }) },
+    };
   }
 
-  public async createAccessTokenRequest(opts: AccessTokenRequestOpts): Promise<AccessTokenRequest> {
+  public async createAccessTokenRequest(opts: Omit<AccessTokenRequestOpts, 'createDPoPOpts'>): Promise<AccessTokenRequest> {
     const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore
@@ -105,6 +135,7 @@ export class AccessTokenClient {
     if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
       this.assertAlphanumericPin(opts.pinMetadata, pin);
       request.user_pin = pin;
+      request.tx_code = pin;
 
       request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
       // we actually know it is there because of the isPreAuthCode call
@@ -221,8 +252,14 @@ export class AccessTokenClient {
     }
   }
 
-  private async sendAuthCode(requestTokenURL: string, accessTokenRequest: AccessTokenRequest): Promise<OpenIDResponse<AccessTokenResponse>> {
-    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }));
+  private async sendAuthCode(
+    requestTokenURL: string,
+    accessTokenRequest: AccessTokenRequest,
+    opts?: { headers?: Record<string, string> },
+  ): Promise<OpenIDResponse<AccessTokenResponse, DPoPResponseParams>> {
+    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }), {
+      customHeaders: opts?.headers ? opts.headers : undefined,
+    });
   }
 
   public static determineTokenURL({

package/lib/AccessTokenClientV1_0_11.ts

@@ -1,3 +1,4 @@
+import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereon/oid4vc-common';
 import {
   AccessTokenRequest,
   AccessTokenRequestOpts,
@@ -8,6 +9,7 @@ import {
   convertJsonToURI,
   CredentialOfferV1_0_11,
   CredentialOfferV1_0_13,
+  DPoPResponseParams,
   EndpointMetadata,
   formPost,
   getIssuerFromCredentialOfferPayload,
@@ -27,12 +29,13 @@ import Debug from 'debug';
 
 import { MetadataClientV1_0_13 } from './MetadataClientV1_0_13';
 import { createJwtBearerClientAssertion } from './functions';
+import { shouldRetryTokenRequestWithDPoPNonce } from './functions/dpopUtil';
 
 const debug = Debug('sphereon:oid4vci:token');
 
 export class AccessTokenClientV1_0_11 {
-  public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse>> {
-    const { asOpts, pin, codeVerifier, code, redirectUri, metadata } = opts;
+  public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse, DPoPResponseParams>> {
+    const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts;
 
     const credentialOffer = opts.credentialOffer ? await assertedUniformCredentialOffer(opts.credentialOffer) : undefined;
     const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer);
@@ -63,6 +66,7 @@ export class AccessTokenClientV1_0_11 {
       metadata,
       asOpts,
       issuerOpts,
+      createDPoPOpts,
     });
   }
 
@@ -71,6 +75,7 @@ export class AccessTokenClientV1_0_11 {
     isPinRequired,
     metadata,
     asOpts,
+    createDPoPOpts,
     issuerOpts,
   }: {
     accessTokenRequest: AccessTokenRequest;
@@ -78,7 +83,8 @@ export class AccessTokenClientV1_0_11 {
     metadata?: EndpointMetadata;
     asOpts?: AuthorizationServerOpts;
     issuerOpts?: IssuerOpts;
-  }): Promise<OpenIDResponse<AccessTokenResponse>> {
+    createDPoPOpts?: CreateDPoPClientOpts;
+  }): Promise<OpenIDResponse<AccessTokenResponse, DPoPResponseParams>> {
     this.validate(accessTokenRequest, isPinRequired);
 
     const requestTokenURL = AccessTokenClientV1_0_11.determineTokenURL({
@@ -91,10 +97,34 @@ export class AccessTokenClientV1_0_11 {
           : undefined,
     });
 
-    return this.sendAuthCode(requestTokenURL, accessTokenRequest);
+    const useDpop = createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0;
+    let dPoP = useDpop ? await createDPoP(getCreateDPoPOptions(createDPoPOpts, requestTokenURL)) : undefined;
+
+    let response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dpop: dPoP } } : undefined);
+
+    let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
+    const retryWithNonce = shouldRetryTokenRequestWithDPoPNonce(response);
+    if (retryWithNonce.ok && createDPoPOpts) {
+      createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
+
+      dPoP = await createDPoP(getCreateDPoPOptions(createDPoPOpts, requestTokenURL));
+      response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dpop: dPoP } } : undefined);
+      const successDPoPNonce = response.origResponse.headers.get('DPoP-Nonce');
+
+      nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
+    }
+
+    if (response.successBody && createDPoPOpts && response.successBody.token_type !== 'DPoP') {
+      throw new Error('Invalid token type returned. Expected DPoP. Received: ' + response.successBody.token_type);
+    }
+
+    return {
+      ...response,
+      params: { ...(nextDPoPNonce && { dpop: { dpopNonce: nextDPoPNonce } }) },
+    };
   }
 
-  public async createAccessTokenRequest(opts: AccessTokenRequestOpts): Promise<AccessTokenRequest> {
+  public async createAccessTokenRequest(opts: Omit<AccessTokenRequestOpts, 'createDPoPOpts'>): Promise<AccessTokenRequest> {
     const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
     const credentialOfferRequest = opts.credentialOffer
       ? await toUniformCredentialOfferRequest(opts.credentialOffer as CredentialOfferV1_0_11 | CredentialOfferV1_0_13)
@@ -204,8 +234,14 @@ export class AccessTokenClientV1_0_11 {
     }
   }
 
-  private async sendAuthCode(requestTokenURL: string, accessTokenRequest: AccessTokenRequest): Promise<OpenIDResponse<AccessTokenResponse>> {
-    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }));
+  private async sendAuthCode(
+    requestTokenURL: string,
+    accessTokenRequest: AccessTokenRequest,
+    opts?: { headers?: Record<string, string> },
+  ): Promise<OpenIDResponse<AccessTokenResponse>> {
+    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }), {
+      customHeaders: opts?.headers ? opts.headers : undefined,
+    });
   }
 
   public static determineTokenURL({

package/lib/AuthorizationCodeClient.ts

@@ -113,13 +113,16 @@ export const createAuthorizationRequestUrl = async ({
   const { redirectUri, requestObjectOpts = { requestObjectMode: CreateRequestObjectMode.NONE } } = authorizationRequest;
   const client_id = clientId ?? authorizationRequest.clientId;
 
-  let { scope, authorizationDetails } = authorizationRequest;
-  const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests
+  // Authorization server metadata takes precedence
+  const authorizationMetadata = endpointMetadata.authorizationServerMetadata ?? endpointMetadata.credentialIssuerMetadata;
+
+  let { authorizationDetails } = authorizationRequest;
+  const parMode = authorizationMetadata?.require_pushed_authorization_requests
     ? PARMode.REQUIRE
-    : authorizationRequest.parMode ?? (client_id ? PARMode.AUTO : PARMode.NEVER);
+    : (authorizationRequest.parMode ?? (client_id ? PARMode.AUTO : PARMode.NEVER));
   // Scope and authorization_details can be used in the same authorization request
   // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
-  if (!scope && !authorizationDetails) {
+  if (!authorizationRequest.scope && !authorizationDetails) {
     if (!credentialOffer) {
       throw Error('Please provide a scope or authorization_details if no credential offer is present');
     }
@@ -177,12 +180,7 @@ export const createAuthorizationRequestUrl = async ({
   if (!endpointMetadata?.authorization_endpoint) {
     throw Error('Server metadata does not contain authorization endpoint');
   }
-  const parEndpoint = endpointMetadata.credentialIssuerMetadata?.pushed_authorization_request_endpoint;
-
-  // add 'openid' scope if not present
-  if (!scope?.includes('openid')) {
-    scope = ['openid', scope].filter((s) => !!s).join(' ');
-  }
+  const parEndpoint = authorizationMetadata?.pushed_authorization_request_endpoint;
 
   let queryObj: Record<string, any> | PushedAuthorizationResponse = {
     response_type: ResponseType.AUTH_CODE,
@@ -194,7 +192,7 @@ export const createAuthorizationRequestUrl = async ({
     ...(redirectUri && { redirect_uri: redirectUri }),
     ...(client_id && { client_id }),
     ...(credentialOffer?.issuerState && { issuer_state: credentialOffer.issuerState }),
-    scope,
+    scope: authorizationRequest.scope,
   };
 
   if (!parEndpoint && parMode === PARMode.REQUIRE) {
@@ -210,11 +208,11 @@ export const createAuthorizationRequestUrl = async ({
       { contentType: 'application/x-www-form-urlencoded', accept: 'application/json' },
     );
     if (parResponse.errorBody || !parResponse.successBody) {
-      console.log(JSON.stringify(parResponse.errorBody));
-      console.log('Falling back to regular request URI, since PAR failed');
       if (parMode === PARMode.REQUIRE) {
         throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
       }
+
+      debug('Falling back to regular request URI, since PAR failed', JSON.stringify(parResponse.errorBody));
     } else {
       debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
       queryObj = { /*response_type: ResponseType.AUTH_CODE,*/ client_id, request_uri: parResponse.successBody.request_uri };

package/lib/AuthorizationCodeClientV1_0_11.ts

@@ -40,7 +40,7 @@ export const createAuthorizationRequestUrlV1_0_11 = async ({
 
   const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests
     ? PARMode.REQUIRE
-    : authorizationRequest.parMode ?? PARMode.AUTO;
+    : (authorizationRequest.parMode ?? PARMode.AUTO);
   // Scope and authorization_details can be used in the same authorization request
   // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
   if (!scope && !authorizationDetails) {

package/lib/CredentialRequestClient.ts

@@ -1,7 +1,9 @@
+import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereon/oid4vc-common';
 import {
   acquireDeferredCredential,
   CredentialRequestV1_0_13,
   CredentialResponse,
+  DPoPResponseParams,
   getCredentialRequestForVersion,
   getUniformFormat,
   isDeferredCredentialResponse,
@@ -21,6 +23,7 @@ import Debug from 'debug';
 import { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11';
 import { CredentialRequestClientBuilderV1_0_13 } from './CredentialRequestClientBuilderV1_0_13';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
+import { shouldRetryResourceRequestWithDPoPNonce } from './functions/dpopUtil';
 
 const debug = Debug('sphereon:oid4vci:credential');
 
@@ -89,7 +92,8 @@ export class CredentialRequestClient {
     context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
     subjectIssuance?: ExperimentalSubjectIssuance;
-  }): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
+    createDPoPOpts?: CreateDPoPClientOpts;
+  }): Promise<OpenIDResponse<CredentialResponse, DPoPResponseParams> & { access_token: string }> {
     const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts;
 
     const request = await this.createCredentialRequest({
@@ -101,12 +105,13 @@ export class CredentialRequestClient {
       credentialIdentifier,
       subjectIssuance,
     });
-    return await this.acquireCredentialsUsingRequest(request);
+    return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
   }
 
   public async acquireCredentialsUsingRequest(
     uniformRequest: UniformCredentialRequest,
-  ): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
+    createDPoPOpts?: CreateDPoPClientOpts,
+  ): Promise<OpenIDResponse<CredentialResponse, DPoPResponseParams> & { access_token: string }> {
     if (this.version() < OpenId4VCIVersion.VER_1_0_13) {
       throw new Error('Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.');
     }
@@ -119,9 +124,33 @@ export class CredentialRequestClient {
     debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
     debug(`request\n: ${JSON.stringify(request, null, 2)}`);
     const requestToken: string = this.credentialRequestOpts.token;
-    let response = (await post(credentialEndpoint, JSON.stringify(request), { bearerToken: requestToken })) as OpenIDResponse<CredentialResponse> & {
+
+    let dPoP = createDPoPOpts ? await createDPoP(getCreateDPoPOptions(createDPoPOpts, credentialEndpoint, { accessToken: requestToken })) : undefined;
+
+    let response = (await post(credentialEndpoint, JSON.stringify(request), {
+      bearerToken: requestToken,
+      customHeaders: { ...(dPoP && { dpop: dPoP }) },
+    })) as OpenIDResponse<CredentialResponse> & {
       access_token: string;
     };
+
+    let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
+    const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response);
+    if (retryWithNonce.ok && createDPoPOpts) {
+      createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
+      dPoP = await createDPoP(getCreateDPoPOptions(createDPoPOpts, credentialEndpoint, { accessToken: requestToken }));
+
+      response = (await post(credentialEndpoint, JSON.stringify(request), {
+        bearerToken: requestToken,
+        customHeaders: { ...(createDPoPOpts && { dpop: dPoP }) },
+      })) as OpenIDResponse<CredentialResponse> & {
+        access_token: string;
+      };
+
+      const successDPoPNonce = response.origResponse.headers.get('DPoP-Nonce');
+      nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
+    }
+
     this._isDeferred = isDeferredCredentialResponse(response);
     if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
       response = await this.acquireDeferredCredential(response.successBody, { bearerToken: this.credentialRequestOpts.token });
@@ -134,7 +163,11 @@ export class CredentialRequestClient {
       }
     }
     debug(`Credential endpoint ${credentialEndpoint} response:\r\n${JSON.stringify(response, null, 2)}`);
-    return response;
+
+    return {
+      ...response,
+      params: { ...(nextDPoPNonce && { dpop: { dpopNonce: nextDPoPNonce } }) },
+    };
   }
 
   public async acquireDeferredCredential(

package/lib/CredentialRequestClientV1_0_11.ts

@@ -1,6 +1,8 @@
+import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereon/oid4vc-common';
 import {
   acquireDeferredCredential,
   CredentialResponse,
+  DPoPResponseParams,
   getCredentialRequestForVersion,
   getUniformFormat,
   isDeferredCredentialResponse,
@@ -20,6 +22,7 @@ import Debug from 'debug';
 import { buildProof } from './CredentialRequestClient';
 import { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
+import { shouldRetryResourceRequestWithDPoPNonce } from './functions/dpopUtil';
 
 const debug = Debug('sphereon:oid4vci:credential');
 
@@ -64,16 +67,18 @@ export class CredentialRequestClientV1_0_11 {
     credentialTypes?: string | string[];
     context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
-  }): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
+    createDPoPOpts?: CreateDPoPClientOpts;
+  }): Promise<OpenIDResponse<CredentialResponse, DPoPResponseParams> & { access_token: string }> {
     const { credentialTypes, proofInput, format, context } = opts;
 
     const request = await this.createCredentialRequest({ proofInput, credentialTypes, context, format, version: this.version() });
-    return await this.acquireCredentialsUsingRequest(request);
+    return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
   }
 
   public async acquireCredentialsUsingRequest(
     uniformRequest: UniformCredentialRequest,
-  ): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
+    createDPoPOpts?: CreateDPoPClientOpts,
+  ): Promise<OpenIDResponse<CredentialResponse, DPoPResponseParams> & { access_token: string }> {
     const request = getCredentialRequestForVersion(uniformRequest, this.version());
     const credentialEndpoint: string = this.credentialRequestOpts.credentialEndpoint;
     if (!isValidURL(credentialEndpoint)) {
@@ -83,9 +88,33 @@ export class CredentialRequestClientV1_0_11 {
     debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
     debug(`request\n: ${JSON.stringify(request, null, 2)}`);
     const requestToken: string = this.credentialRequestOpts.token;
-    let response = (await post(credentialEndpoint, JSON.stringify(request), { bearerToken: requestToken })) as OpenIDResponse<CredentialResponse> & {
+
+    let dPoP = createDPoPOpts ? await createDPoP(getCreateDPoPOptions(createDPoPOpts, credentialEndpoint, { accessToken: requestToken })) : undefined;
+
+    let response = (await post(credentialEndpoint, JSON.stringify(request), {
+      bearerToken: requestToken,
+      customHeaders: { ...(createDPoPOpts && { dpop: dPoP }) },
+    })) as OpenIDResponse<CredentialResponse> & {
       access_token: string;
     };
+
+    let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
+    const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response);
+    if (retryWithNonce.ok && createDPoPOpts) {
+      createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
+      dPoP = await createDPoP(getCreateDPoPOptions(createDPoPOpts, credentialEndpoint, { accessToken: requestToken }));
+
+      response = (await post(credentialEndpoint, JSON.stringify(request), {
+        bearerToken: requestToken,
+        customHeaders: { ...(createDPoPOpts && { dpop: dPoP }) },
+      })) as OpenIDResponse<CredentialResponse> & {
+        access_token: string;
+      };
+
+      const successDPoPNonce = response.origResponse.headers.get('DPoP-Nonce');
+      nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
+    }
+
     this._isDeferred = isDeferredCredentialResponse(response);
     if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
       response = await this.acquireDeferredCredential(response.successBody, { bearerToken: this.credentialRequestOpts.token });
@@ -93,7 +122,11 @@ export class CredentialRequestClientV1_0_11 {
     response.access_token = requestToken;
 
     debug(`Credential endpoint ${credentialEndpoint} response:\r\n${JSON.stringify(response, null, 2)}`);
-    return response;
+
+    return {
+      ...response,
+      params: { ...(nextDPoPNonce && { dpop: { dpopNonce: nextDPoPNonce } }) },
+    };
   }
 
   public async acquireDeferredCredential(

package/lib/OpenID4VCIClient.ts

@@ -1,3 +1,4 @@
+import { JWK } from '@sphereon/oid4vc-common';
 import {
   AccessTokenResponse,
   Alg,
@@ -23,7 +24,6 @@ import {
   getSupportedCredentials,
   getTypesFromCredentialSupported,
   getTypesFromObject,
-  JWK,
   KID_JWK_X5C_ERROR,
   NotificationRequest,
   NotificationResult,
@@ -549,7 +549,7 @@ export class OpenID4VCIClient {
   issuerSupportedFlowTypes(): AuthzFlowType[] {
     return (
       this.credentialOffer?.supportedFlows ??
-      (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server
+      ((this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server)
         ? [AuthzFlowType.AUTHORIZATION_CODE_FLOW]
         : [])
     );

package/lib/OpenID4VCIClientV1_0_11.ts

@@ -1,3 +1,4 @@
+import { JWK } from '@sphereon/oid4vc-common';
 import {
   AccessTokenResponse,
   Alg,
@@ -19,7 +20,6 @@ import {
   getSupportedCredentials,
   getTypesFromCredentialSupported,
   getTypesFromObject,
-  JWK,
   KID_JWK_X5C_ERROR,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,

package/lib/OpenID4VCIClientV1_0_13.ts

@@ -1,3 +1,4 @@
+import { JWK } from '@sphereon/oid4vc-common';
 import {
   AccessTokenResponse,
   Alg,
@@ -17,7 +18,6 @@ import {
   getIssuerFromCredentialOfferPayload,
   getSupportedCredentials,
   getTypesFromCredentialSupported,
-  JWK,
   KID_JWK_X5C_ERROR,
   NotificationRequest,
   NotificationResult,

package/lib/ProofOfPossessionBuilder.ts

@@ -1,9 +1,9 @@
+import { JWK } from '@sphereon/oid4vc-common';
 import {
   AccessTokenResponse,
   Alg,
   createProofOfPossession,
   EndpointMetadata,
-  JWK,
   Jwt,
   NO_JWT_PROVIDED,
   OpenId4VCIVersion,

package/lib/__tests__/AccessTokenClient.spec.ts

@@ -1,11 +1,4 @@
-import {
-  AccessTokenRequest,
-  AccessTokenResponse,
-  GrantTypes,
-  OpenIDResponse,
-  PRE_AUTH_CODE_LITERAL,
-  WellKnownEndpoints,
-} from '@sphereon/oid4vci-common';
+import { AccessTokenRequest, AccessTokenResponse, GrantTypes, PRE_AUTH_CODE_LITERAL, WellKnownEndpoints } from '@sphereon/oid4vci-common';
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore
 import nock from 'nock';
@@ -50,7 +43,7 @@ describe('AccessTokenClient should', () => {
       };
       nock(MOCK_URL).post(/.*/).reply(200, JSON.stringify(body));
 
-      const accessTokenResponse: OpenIDResponse<AccessTokenResponse> = await accessTokenClient.acquireAccessTokenUsingRequest({
+      const accessTokenResponse = await accessTokenClient.acquireAccessTokenUsingRequest({
         accessTokenRequest,
         pinMetadata: {
           isPinRequired: true,
@@ -88,7 +81,7 @@ describe('AccessTokenClient should', () => {
       };
       nock(MOCK_URL).post(/.*/).reply(200, JSON.stringify(body));
 
-      const accessTokenResponse: OpenIDResponse<AccessTokenResponse> = await accessTokenClient.acquireAccessTokenUsingRequest({
+      const accessTokenResponse = await accessTokenClient.acquireAccessTokenUsingRequest({
         accessTokenRequest,
         asOpts: { as: MOCK_URL },
       });
@@ -227,7 +220,7 @@ describe('AccessTokenClient should', () => {
       .post(/.*/)
       .reply(200, {});
 
-    const response: OpenIDResponse<AccessTokenResponse> = await accessTokenClient.acquireAccessToken({
+    const response = await accessTokenClient.acquireAccessToken({
       credentialOffer: INITIATION_TEST,
       pin: '1234',
     });