@sphereon/oid4vci-client 0.16.0 → 0.16.1-feature.from.funke.103

package/lib/OpenID4VCIClientV1_0_13.ts

@@ -1,5 +1,6 @@
-import { JWK } from '@sphereon/oid4vc-common';
+import { CreateDPoPClientOpts, JWK } from '@sphereon/oid4vc-common';
 import {
+  AccessTokenRequestOpts,
   AccessTokenResponse,
   Alg,
   AuthorizationRequestOpts,
@@ -12,6 +13,7 @@ import {
   CredentialOfferRequestWithBaseUrl,
   CredentialResponse,
   DefaultURISchemes,
+  DPoPResponseParams,
   EndpointMetadataResultV1_0_13,
   ExperimentalSubjectIssuance,
   getClientIdFromCredentialOfferPayload,
@@ -27,14 +29,14 @@ import {
   ProofOfPossessionCallbacks,
   toAuthorizationResponsePayload,
 } from '@sphereon/oid4vci-common';
-import { CredentialFormat } from '@sphereon/ssi-types';
+import { CredentialFormat, DIDDocument } from '@sphereon/ssi-types';
 import Debug from 'debug';
 
 import { AccessTokenClient } from './AccessTokenClient';
 import { createAuthorizationRequestUrl } from './AuthorizationCodeClient';
 import { CredentialOfferClient } from './CredentialOfferClient';
 import { CredentialRequestOpts } from './CredentialRequestClient';
-import { CredentialRequestClientBuilder } from './CredentialRequestClientBuilder';
+import { CredentialRequestClientBuilderV1_0_13 } from './CredentialRequestClientBuilderV1_0_13';
 import { MetadataClientV1_0_13 } from './MetadataClientV1_0_13';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
 import { generateMissingPKCEOpts, sendNotification } from './functions';
@@ -50,6 +52,7 @@ export interface OpenID4VCIClientStateV1_0_13 {
   alg?: Alg | string;
   endpointMetadata?: EndpointMetadataResultV1_0_13;
   accessTokenResponse?: AccessTokenResponse;
+  dpopResponseParams?: DPoPResponseParams;
   authorizationRequestOpts?: AuthorizationRequestOpts;
   authorizationCodeResponse?: AuthorizationResponse;
   pkce: PKCEOpts;
@@ -258,16 +261,13 @@ export class OpenID4VCIClientV1_0_13 {
     this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce });
   }
 
-  public async acquireAccessToken(opts?: {
-    pin?: string;
-    clientId?: string;
-    codeVerifier?: string;
-    authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
-    code?: string; // Directly pass in a code from an auth response
-    redirectUri?: string;
-    additionalRequestParams?: Record<string, any>;
-    asOpts?: AuthorizationServerOpts;
-  }): Promise<AccessTokenResponse> {
+  public async acquireAccessToken(
+    opts?: Omit<AccessTokenRequestOpts, 'credentialOffer' | 'credentialIssuer' | 'metadata' | 'additionalParams'> & {
+      clientId?: string;
+      authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
+      additionalRequestParams?: Record<string, any>;
+    },
+  ): Promise<AccessTokenResponse & { params?: DPoPResponseParams }> {
     const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
     if (opts?.authorizationResponse) {
@@ -324,6 +324,7 @@ export class OpenID4VCIClientV1_0_13 {
         code,
         redirectUri,
         asOpts,
+        ...(opts?.createDPoPOpts && { createDPoPOpts: opts.createDPoPOpts }),
         ...(opts?.additionalRequestParams && { additionalParams: opts.additionalRequestParams }),
       });
 
@@ -343,13 +344,48 @@ export class OpenID4VCIClientV1_0_13 {
         );
       }
       this._state.accessTokenResponse = response.successBody;
+      this._state.dpopResponseParams = response.params;
       this._state.accessToken = response.successBody.access_token;
     }
 
-    return this.accessTokenResponse;
+    return { ...this.accessTokenResponse, ...(this.dpopResponseParams && { params: this.dpopResponseParams }) };
+  }
+
+  public async acquireCredentialsWithoutProof(args: {
+    credentialIdentifier?: string;
+    credentialTypes?: string | string[];
+    context?: string[];
+    format?: CredentialFormat | OID4VCICredentialFormat;
+    kid?: string;
+    jwk?: JWK;
+    alg?: Alg | string;
+    jti?: string;
+    deferredCredentialAwait?: boolean;
+    deferredCredentialIntervalInMS?: number;
+    experimentalHolderIssuanceSupported?: boolean;
+    createDPoPOpts?: CreateDPoPClientOpts;
+  }): Promise<CredentialResponse & { access_token: string }> {
+    return await this.acquireCredentialsImpl(args);
+  }
+  public async acquireCredentials(args: {
+    credentialIdentifier?: string;
+    credentialTypes?: string | string[];
+    context?: string[];
+    proofCallbacks: ProofOfPossessionCallbacks<any>;
+    format?: CredentialFormat | OID4VCICredentialFormat;
+    kid?: string;
+    jwk?: JWK;
+    alg?: Alg | string;
+    jti?: string;
+    deferredCredentialAwait?: boolean;
+    deferredCredentialIntervalInMS?: number;
+    experimentalHolderIssuanceSupported?: boolean;
+    createDPoPOpts?: CreateDPoPClientOpts;
+  }): Promise<CredentialResponse & { access_token: string }> {
+    return await this.acquireCredentialsImpl(args);
   }
 
-  public async acquireCredentials({
+  private async acquireCredentialsImpl({
     credentialIdentifier,
     credentialTypes,
     context,
@@ -361,11 +397,12 @@ export class OpenID4VCIClientV1_0_13 {
     jti,
     deferredCredentialAwait,
     deferredCredentialIntervalInMS,
+    createDPoPOpts,
   }: {
     credentialIdentifier?: string;
     credentialTypes?: string | string[];
     context?: string[];
-    proofCallbacks: ProofOfPossessionCallbacks<any>;
+    proofCallbacks?: ProofOfPossessionCallbacks<any>;
     format?: CredentialFormat | OID4VCICredentialFormat;
     kid?: string;
     jwk?: JWK;
@@ -374,6 +411,7 @@ export class OpenID4VCIClientV1_0_13 {
     deferredCredentialAwait?: boolean;
     deferredCredentialIntervalInMS?: number;
     experimentalHolderIssuanceSupported?: boolean;
+    createDPoPOpts?: CreateDPoPClientOpts;
   }): Promise<CredentialResponse & { access_token: string }> {
     if ([jwk, kid].filter((v) => v !== undefined).length > 1) {
       throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== undefined}, kid: ${kid !== undefined}`);
@@ -384,11 +422,11 @@ export class OpenID4VCIClientV1_0_13 {
     if (kid) this._state.kid = kid;
 
     const requestBuilder = this.credentialOffer
-      ? CredentialRequestClientBuilder.fromCredentialOffer({
+      ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
           credentialOffer: this.credentialOffer,
           metadata: this.endpointMetadata,
         })
-      : CredentialRequestClientBuilder.fromCredentialIssuer({
+      : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
           credentialIssuer: this.getIssuer(),
           credentialIdentifier: credentialIdentifier,
           metadata: this.endpointMetadata,
@@ -434,9 +472,19 @@ export class OpenID4VCIClientV1_0_13 {
           console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
           // throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
-      } else if (metadata.credential_configurations_supported && !Array.isArray(metadata.credential_configurations_supported)) {
-        const credentialsSupported = metadata.credential_configurations_supported;
-        if (types.some((type) => !metadata.credential_configurations_supported || !credentialsSupported[type])) {
+      } else if (metadata.credential_configurations_supported && typeof(metadata.credential_configurations_supported) === 'object') {
+        let typeSupported = false;
+        Object.values(metadata.credential_configurations_supported).forEach((supportedCredential) => {
+          const subTypes = getTypesFromCredentialSupported(supportedCredential);
+          if (
+            subTypes.every((t, i) => types[i] === t) ||
+            (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))
+          ) {
+            typeSupported = true;
+          }
+        })
+
+        if (!typeSupported) {
           throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
       }
@@ -447,31 +495,51 @@ export class OpenID4VCIClientV1_0_13 {
     }
 
     const credentialRequestClient = requestBuilder.build();
-    const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
-      accessTokenResponse: this.accessTokenResponse,
-      callbacks: proofCallbacks,
-      version: this.version(),
-    })
-      .withIssuer(this.getIssuer())
-      .withAlg(this.alg);
 
-    if (this._state.jwk) {
-      proofBuilder.withJWK(this._state.jwk);
-    }
-    if (this._state.kid) {
-      proofBuilder.withKid(this._state.kid);
-    }
+    let proofBuilder: ProofOfPossessionBuilder<any> | undefined;
+    if (proofCallbacks) {
+      proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
+        accessTokenResponse: this.accessTokenResponse,
+        callbacks: proofCallbacks,
+        version: this.version(),
+      })
+        .withIssuer(this.getIssuer())
+        .withAlg(this.alg);
 
-    if (this.clientId) {
-      proofBuilder.withClientId(this.clientId);
-    }
-    if (jti) {
-      proofBuilder.withJti(jti);
+      if (this._state.jwk) {
+        proofBuilder.withJWK(this._state.jwk);
+      }
+      if (this._state.kid) {
+        proofBuilder.withKid(this._state.kid);
+      }
+
+      if (this.clientId) {
+        proofBuilder.withClientId(this.clientId);
+      }
+      if (jti) {
+        proofBuilder.withJti(jti);
+      }
     }
-    const response = await credentialRequestClient.acquireCredentialsUsingProof({
-      proofInput: proofBuilder,
-      ...(credentialIdentifier ? { credentialIdentifier, subjectIssuance } : { format, context, credentialTypes, subjectIssuance }),
-    });
+    const request = proofBuilder
+      ? await credentialRequestClient.createCredentialRequest<DIDDocument>({
+          proofInput: proofBuilder,
+          credentialTypes,
+          context,
+          format,
+          version: this.version(),
+          credentialIdentifier,
+          subjectIssuance,
+        })
+      : await credentialRequestClient.createCredentialRequestWithoutProof<DIDDocument>({
+          credentialTypes,
+          context,
+          format,
+          version: this.version(),
+          credentialIdentifier,
+          subjectIssuance,
+        });
+    const response = await credentialRequestClient.acquireCredentialsUsingRequest(request, createDPoPOpts);
+    this._state.dpopResponseParams = response.params;
     if (response.errorBody) {
       debug(`Credential request error:\r\n${JSON.stringify(response.errorBody)}`);
       throw Error(
@@ -487,7 +555,7 @@ export class OpenID4VCIClientV1_0_13 {
         } for issuer ${this.getIssuer()} failed as there was no success response body`,
       );
     }
-    return { ...response.successBody, access_token: response.access_token };
+    return { ...response.successBody, ...(this.dpopResponseParams && { params: this.dpopResponseParams }), access_token: response.access_token };
   }
 
   public async exportState(): Promise<string> {
@@ -604,6 +672,10 @@ export class OpenID4VCIClientV1_0_13 {
     return this._state.accessTokenResponse!;
   }
 
+  get dpopResponseParams(): DPoPResponseParams | undefined {
+    return this._state.dpopResponseParams;
+  }
+
   public getIssuer(): string {
     this.assertIssuerData();
     return this._state.credentialIssuer;

package/lib/ProofOfPossessionBuilder.ts

@@ -14,7 +14,7 @@ import {
   Typ,
 } from '@sphereon/oid4vci-common';
 
-export class ProofOfPossessionBuilder<DIDDoc> {
+export class ProofOfPossessionBuilder<DIDDoc = never> {
   private readonly proof?: ProofOfPossession;
   private readonly callbacks?: ProofOfPossessionCallbacks<DIDDoc>;
   private readonly version: OpenId4VCIVersion;

package/lib/__tests__/IT.spec.ts

@@ -198,7 +198,7 @@ describe('OID4VCI-Client should', () => {
 
     const credentialResponse = await client.acquireCredentials({
       credentialIdentifier: 'OpenBadgeCredential',
-      format: 'jwt_vc_json-ld',
+      // format: 'jwt_vc_json-ld',
       proofCallbacks: {
         signCallback: proofOfPossessionCallbackFunction,
       },

package/lib/__tests__/SphereonE2E.spec.test.ts

@@ -170,3 +170,4 @@ describe('ismapolis bug report #63, https://github.com/Sphereon-Opensource/OID4V
     console.log(JSON.stringify(credentialResponse.credential));
   });
 });
+

package/lib/functions/AccessTokenUtil.ts

@@ -36,8 +36,8 @@ export const createJwtBearerClientAssertion = async (
         sub: clientId,
         aud: credentialIssuer,
         jti: uuidv4(),
-        exp: Date.now() / 1000 + 60,
-        iat: Date.now() / 1000 - 60,
+        exp: Math.floor(Date.now()) / 1000 + 60,
+        iat: Math.floor(Date.now()) / 1000 - 60,
       },
     };
     const pop = await ProofOfPossessionBuilder.fromJwt({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/oid4vci-client",
-  "version": "0.16.0",
+  "version": "0.16.1-feature.from.funke.103+104a2b5",
   "description": "OpenID for Verifiable Credential Issuance (OpenID4VCI) client",
   "source": "lib/index.ts",
   "main": "dist/index.js",
@@ -15,9 +15,9 @@
     "build": "tsc"
   },
   "dependencies": {
-    "@sphereon/oid4vc-common": "0.16.0",
-    "@sphereon/oid4vci-common": "0.16.0",
-    "@sphereon/ssi-types": "0.28.0",
+    "@sphereon/oid4vc-common": "0.16.1-feature.from.funke.103+104a2b5",
+    "@sphereon/oid4vci-common": "0.16.1-feature.from.funke.103+104a2b5",
+    "@sphereon/ssi-types": "0.30.1",
     "cross-fetch": "^3.1.8",
     "debug": "^4.3.5"
   },
@@ -70,5 +70,5 @@
     "OIDC4VCI",
     "OID4VCI"
   ],
-  "gitHead": "7d938320eba5818dfe2bf6ae5291bb3c614085e1"
+  "gitHead": "104a2b5b69b6d18a43779e35609160b4aa6e81a6"
 }