@sphereon/oid4vci-client 0.16.1-next.3 → 0.16.1-next.48

package/lib/CredentialRequestClient.ts

@@ -2,6 +2,7 @@ import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereo
 import {
   acquireDeferredCredential,
   CredentialRequestV1_0_13,
+  CredentialRequestWithoutProofV1_0_13,
   CredentialResponse,
   DPoPResponseParams,
   getCredentialRequestForVersion,
@@ -16,8 +17,8 @@ import {
   UniformCredentialRequest,
   URL_NOT_VALID,
 } from '@sphereon/oid4vci-common';
-import { ExperimentalSubjectIssuance } from '@sphereon/oid4vci-common/dist/experimental/holder-vci';
-import { CredentialFormat } from '@sphereon/ssi-types';
+import { ExperimentalSubjectIssuance } from '@sphereon/oid4vci-common';
+import { CredentialFormat, DIDDocument } from '@sphereon/ssi-types';
 import Debug from 'debug';
 
 import { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11';
@@ -42,7 +43,16 @@ export interface CredentialRequestOpts {
   subjectIssuance?: ExperimentalSubjectIssuance;
 }
 
-export async function buildProof<DIDDoc>(
+export type CreateCredentialRequestOpts<DIDDoc = DIDDocument> = {
+  credentialIdentifier?: string;
+  credentialTypes?: string | string[];
+  context?: string[];
+  format?: CredentialFormat | OID4VCICredentialFormat;
+  subjectIssuance?: ExperimentalSubjectIssuance;
+  version: OpenId4VCIVersion;
+};
+
+export async function buildProof<DIDDoc = DIDDocument>(
   proofInput: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession,
   opts: {
     version: OpenId4VCIVersion;
@@ -85,7 +95,34 @@ export class CredentialRequestClient {
     this._credentialRequestOpts = { ...builder };
   }
 
-  public async acquireCredentialsUsingProof<DIDDoc>(opts: {
+  /**
+   * Typically you should not use this method, as it omits a proof from the request.
+   * There are certain issuers that in specific circumstances can do without this proof, because they have other means of user binding
+   * like using DPoP together with an authorization code flow. These are however rare, so you should be using the acquireCredentialsUsingProof normally
+   * @param opts
+   */
+  public async acquireCredentialsWithoutProof<DIDDoc = DIDDocument>(opts: {
+    credentialIdentifier?: string;
+    credentialTypes?: string | string[];
+    context?: string[];
+    format?: CredentialFormat | OID4VCICredentialFormat;
+    subjectIssuance?: ExperimentalSubjectIssuance;
+    createDPoPOpts?: CreateDPoPClientOpts;
+  }): Promise<OpenIDResponse<CredentialResponse, DPoPResponseParams> & { access_token: string }> {
+    const { credentialIdentifier, credentialTypes, format, context, subjectIssuance } = opts;
+
+    const request = await this.createCredentialRequestWithoutProof<DIDDoc>({
+      credentialTypes,
+      context,
+      format,
+      version: this.version(),
+      credentialIdentifier,
+      subjectIssuance,
+    });
+    return await this.acquireCredentialsUsingRequestWithoutProof(request, opts.createDPoPOpts);
+  }
+
+  public async acquireCredentialsUsingProof<DIDDoc = DIDDocument>(opts: {
     proofInput: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession;
     credentialIdentifier?: string;
     credentialTypes?: string | string[];
@@ -96,7 +133,7 @@ export class CredentialRequestClient {
   }): Promise<OpenIDResponse<CredentialResponse, DPoPResponseParams> & { access_token: string }> {
     const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts;
 
-    const request = await this.createCredentialRequest({
+    const request = await this.createCredentialRequest<DIDDoc>({
       proofInput,
       credentialTypes,
       context,
@@ -108,9 +145,23 @@ export class CredentialRequestClient {
     return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
   }
 
+  public async acquireCredentialsUsingRequestWithoutProof(
+    uniformRequest: UniformCredentialRequest,
+    createDPoPOpts?: CreateDPoPClientOpts,
+  ): Promise<OpenIDResponse<CredentialResponse, DPoPResponseParams> & { access_token: string }> {
+    return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
+  }
+
   public async acquireCredentialsUsingRequest(
     uniformRequest: UniformCredentialRequest,
     createDPoPOpts?: CreateDPoPClientOpts,
+  ): Promise<OpenIDResponse<CredentialResponse, DPoPResponseParams> & { access_token: string }> {
+    return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
+  }
+
+  private async acquireCredentialsUsingRequestImpl(
+    uniformRequest: UniformCredentialRequest & { proof?: ProofOfPossession },
+    createDPoPOpts?: CreateDPoPClientOpts,
   ): Promise<OpenIDResponse<CredentialResponse, DPoPResponseParams> & { access_token: string }> {
     if (this.version() < OpenId4VCIVersion.VER_1_0_13) {
       throw new Error('Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.');
@@ -129,7 +180,7 @@ export class CredentialRequestClient {
 
     let response = (await post(credentialEndpoint, JSON.stringify(request), {
       bearerToken: requestToken,
-      customHeaders: { ...(dPoP && { dpop: dPoP }) },
+      ...(dPoP && { customHeaders: { dpop: dPoP } }),
     })) as OpenIDResponse<CredentialResponse> & {
       access_token: string;
     };
@@ -142,7 +193,7 @@ export class CredentialRequestClient {
 
       response = (await post(credentialEndpoint, JSON.stringify(request), {
         bearerToken: requestToken,
-        customHeaders: { ...(createDPoPOpts && { dpop: dPoP }) },
+        ...(createDPoPOpts && { customHeaders: { dpop: dPoP } }),
       })) as OpenIDResponse<CredentialResponse> & {
         access_token: string;
       };
@@ -166,7 +217,7 @@ export class CredentialRequestClient {
 
     return {
       ...response,
-      params: { ...(nextDPoPNonce && { dpop: { dpopNonce: nextDPoPNonce } }) },
+      ...(nextDPoPNonce && { params: { dpop: { dpopNonce: nextDPoPNonce } } }),
     };
   }
 
@@ -194,24 +245,37 @@ export class CredentialRequestClient {
     });
   }
 
-  public async createCredentialRequest<DIDDoc>(opts: {
-    proofInput: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession;
-    credentialIdentifier?: string;
-    credentialTypes?: string | string[];
-    context?: string[];
-    format?: CredentialFormat | OID4VCICredentialFormat;
-    subjectIssuance?: ExperimentalSubjectIssuance;
-    version: OpenId4VCIVersion;
-  }): Promise<CredentialRequestV1_0_13> {
+  public async createCredentialRequestWithoutProof<DIDDoc = DIDDocument>(
+    opts: CreateCredentialRequestOpts<DIDDoc>,
+  ): Promise<CredentialRequestWithoutProofV1_0_13> {
+    return await this.createCredentialRequestImpl(opts);
+  }
+
+  public async createCredentialRequest<DIDDoc = DIDDocument>(
+    opts: CreateCredentialRequestOpts<DIDDoc> & {
+      proofInput: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession;
+    },
+  ): Promise<CredentialRequestV1_0_13> {
+    return await this.createCredentialRequestImpl(opts);
+  }
+
+  private async createCredentialRequestImpl<DIDDoc = DIDDocument>(
+    opts: CreateCredentialRequestOpts<DIDDoc> & {
+      proofInput?: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession;
+    },
+  ): Promise<CredentialRequestV1_0_13> {
     const { proofInput, credentialIdentifier: credential_identifier } = opts;
-    const proof = await buildProof(proofInput, opts);
+    let proof: ProofOfPossession | undefined = undefined;
+    if (proofInput) {
+      proof = await buildProof(proofInput, opts);
+    }
     if (credential_identifier) {
       if (opts.format || opts.credentialTypes || opts.context) {
         throw Error(`You cannot mix credential_identifier with format, credential types and/or context`);
       }
       return {
         credential_identifier,
-        proof,
+        ...(proof && { proof }),
       };
     }
     const formatSelection = opts.format ?? this.credentialRequestOpts.format;
@@ -239,7 +303,7 @@ export class CredentialRequestClient {
           type: types,
         },
         format,
-        proof,
+        ...(proof && { proof }),
         ...opts.subjectIssuance,
       };
     } else if (format === 'jwt_vc_json-ld' || format === 'ldp_vc') {
@@ -249,7 +313,7 @@ export class CredentialRequestClient {
 
       return {
         format,
-        proof,
+        ...(proof && { proof }),
         ...opts.subjectIssuance,
 
         credential_definition: {
@@ -261,16 +325,25 @@ export class CredentialRequestClient {
       if (types.length > 1) {
         throw Error(`Only a single credential type is supported for ${format}`);
       }
-      // fixme: this isn't up to the CredentialRequest that we see in the version v1_0_13
       return {
         format,
-        proof,
+        ...(proof && { proof }),
         vct: types[0],
         ...opts.subjectIssuance,
       };
+    } else if (format === 'mso_mdoc') {
+      if (types.length > 1) {
+        throw Error(`Only a single credential type is supported for ${format}`);
+      }
+      return {
+        format,
+        ...(proof && { proof }),
+        doctype: types[0],
+        ...opts.subjectIssuance,
+      };
     }
 
-    throw new Error(`Unsupported format: ${format}`);
+    throw new Error(`Unsupported credential format: ${format}`);
   }
 
   private version(): OpenId4VCIVersion {

package/lib/CredentialRequestClientV1_0_11.ts

@@ -125,7 +125,7 @@ export class CredentialRequestClientV1_0_11 {
 
     return {
       ...response,
-      params: { ...(nextDPoPNonce && { dpop: { dpopNonce: nextDPoPNonce } }) },
+      ...(nextDPoPNonce && { params: { dpop: { dpopNonce: nextDPoPNonce } } }),
     };
   }
 
@@ -215,6 +215,16 @@ export class CredentialRequestClientV1_0_11 {
         proof,
         vct: types[0],
       };
+    } else if (format === 'mso_mdoc') {
+      if (types.length > 1) {
+        throw Error(`Only a single credential type is supported for ${format}`);
+      }
+
+      return {
+        format,
+        proof,
+        doctype: types[0],
+      };
     }
 
     throw new Error(`Unsupported format: ${format}`);

package/lib/MetadataClient.ts

@@ -19,7 +19,7 @@ import Debug from 'debug';
 
 import { MetadataClientV1_0_11 } from './MetadataClientV1_0_11';
 import { MetadataClientV1_0_13 } from './MetadataClientV1_0_13';
-import { retrieveWellknown } from './functions/OpenIDUtils';
+import { retrieveWellknown } from './functions';
 
 const debug = Debug('sphereon:oid4vci:metadata');
 
@@ -204,6 +204,7 @@ export class MetadataClient {
    * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
    *
    * @param issuerHost The issuer hostname
+   * @param opts
    */
   public static async retrieveOpenID4VCIServerMetadata(
     issuerHost: string,

package/lib/MetadataClientV1_0_13.ts

@@ -12,7 +12,7 @@ import {
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
 
-import { retrieveWellknown } from './functions/OpenIDUtils';
+import { retrieveWellknown } from './functions';
 
 const debug = Debug('sphereon:oid4vci:metadata');
 
@@ -174,6 +174,7 @@ export class MetadataClientV1_0_13 {
    * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
    *
    * @param issuerHost The issuer hostname
+   * @param opts
    */
   public static async retrieveOpenID4VCIServerMetadata(
     issuerHost: string,

package/lib/OpenID4VCIClient.ts

@@ -1,5 +1,6 @@
-import { JWK } from '@sphereon/oid4vc-common';
+import { CreateDPoPClientOpts, JWK } from '@sphereon/oid4vc-common';
 import {
+  AccessTokenRequestOpts,
   AccessTokenResponse,
   Alg,
   AuthorizationRequestOpts,
@@ -16,6 +17,7 @@ import {
   CredentialsSupportedLegacy,
   DefaultURISchemes,
   determineVersionsFromIssuerMetadata,
+  DPoPResponseParams,
   EndpointMetadataResultV1_0_11,
   EndpointMetadataResultV1_0_13,
   ExperimentalSubjectIssuance,
@@ -268,16 +270,13 @@ export class OpenID4VCIClient {
     this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce });
   }
 
-  public async acquireAccessToken(opts?: {
-    pin?: string;
-    clientId?: string;
-    codeVerifier?: string;
-    authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
-    code?: string; // Directly pass in a code from an auth response
-    redirectUri?: string;
-    additionalRequestParams?: Record<string, any>;
-    asOpts?: AuthorizationServerOpts;
-  }): Promise<AccessTokenResponse> {
+  public async acquireAccessToken(
+    opts?: Omit<AccessTokenRequestOpts, 'credentialOffer' | 'credentialIssuer' | 'metadata' | 'additionalParams'> & {
+      clientId?: string;
+      authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
+      additionalRequestParams?: Record<string, any>;
+    },
+  ): Promise<AccessTokenResponse & { params?: DPoPResponseParams }> {
     const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
     if (opts?.authorizationResponse) {
@@ -336,6 +335,7 @@ export class OpenID4VCIClient {
         code,
         redirectUri,
         asOpts,
+        ...(opts?.createDPoPOpts && { createDPoPOpts: opts.createDPoPOpts }),
         ...(opts?.additionalRequestParams && { additionalParams: opts.additionalRequestParams }),
       });
 
@@ -355,10 +355,11 @@ export class OpenID4VCIClient {
         );
       }
       this._state.accessTokenResponse = response.successBody;
+      this._state.dpopResponseParams = response.params;
       this._state.accessToken = response.successBody.access_token;
     }
 
-    return this.accessTokenResponse;
+    return { ...this.accessTokenResponse, ...(this.dpopResponseParams && { params: this.dpopResponseParams }) };
   }
 
   public async acquireCredentials({
@@ -372,6 +373,7 @@ export class OpenID4VCIClient {
     jti,
     deferredCredentialAwait,
     deferredCredentialIntervalInMS,
+    createDPoPOpts,
   }: {
     credentialTypes: string | string[];
     context?: string[];
@@ -384,7 +386,8 @@ export class OpenID4VCIClient {
     deferredCredentialAwait?: boolean;
     deferredCredentialIntervalInMS?: number;
     experimentalHolderIssuanceSupported?: boolean;
-  }): Promise<CredentialResponse & { access_token: string }> {
+    createDPoPOpts?: CreateDPoPClientOpts;
+  }): Promise<CredentialResponse & { params?: DPoPResponseParams; access_token: string }> {
     if ([jwk, kid].filter((v) => v !== undefined).length > 1) {
       throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== undefined}, kid: ${kid !== undefined}`);
     }
@@ -487,7 +490,9 @@ export class OpenID4VCIClient {
       context,
       format,
       subjectIssuance,
+      createDPoPOpts,
     });
+    this._state.dpopResponseParams = response.params;
     if (response.errorBody) {
       debug(`Credential request error:\r\n${JSON.stringify(response.errorBody)}`);
       throw Error(
@@ -503,7 +508,7 @@ export class OpenID4VCIClient {
         } for issuer ${this.getIssuer()} failed as there was no success response body`,
       );
     }
-    return { ...response.successBody, access_token: response.access_token };
+    return { ...response.successBody, ...(this.dpopResponseParams && { params: this.dpopResponseParams }), access_token: response.access_token };
   }
 
   public async exportState(): Promise<string> {
@@ -625,6 +630,10 @@ export class OpenID4VCIClient {
     return this._state.accessTokenResponse!;
   }
 
+  get dpopResponseParams(): DPoPResponseParams | undefined {
+    return this._state.dpopResponseParams;
+  }
+
   public getIssuer(): string {
     this.assertIssuerData();
     return this._state.credentialIssuer;

package/lib/OpenID4VCIClientV1_0_11.ts

@@ -1,5 +1,6 @@
-import { JWK } from '@sphereon/oid4vc-common';
+import { CreateDPoPClientOpts, JWK } from '@sphereon/oid4vc-common';
 import {
+  AccessTokenRequestOpts,
   AccessTokenResponse,
   Alg,
   AuthorizationRequestOpts,
@@ -14,6 +15,7 @@ import {
   CredentialResponse,
   CredentialsSupportedLegacy,
   DefaultURISchemes,
+  DPoPResponseParams,
   EndpointMetadataResultV1_0_11,
   getClientIdFromCredentialOfferPayload,
   getIssuerFromCredentialOfferPayload,
@@ -36,7 +38,7 @@ import { CredentialOfferClientV1_0_11 } from './CredentialOfferClientV1_0_11';
 import { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11';
 import { MetadataClientV1_0_11 } from './MetadataClientV1_0_11';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
-import { generateMissingPKCEOpts } from './functions/AuthorizationUtil';
+import { generateMissingPKCEOpts } from './functions';
 
 const debug = Debug('sphereon:oid4vci');
 
@@ -49,6 +51,7 @@ export interface OpenID4VCIClientStateV1_0_11 {
   alg?: Alg | string;
   endpointMetadata?: EndpointMetadataResultV1_0_11;
   accessTokenResponse?: AccessTokenResponse;
+  dpopResponseParams?: DPoPResponseParams;
   authorizationRequestOpts?: AuthorizationRequestOpts;
   authorizationCodeResponse?: AuthorizationResponse;
   pkce: PKCEOpts;
@@ -253,16 +256,13 @@ export class OpenID4VCIClientV1_0_11 {
     this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce });
   }
 
-  public async acquireAccessToken(opts?: {
-    pin?: string;
-    clientId?: string;
-    codeVerifier?: string;
-    authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
-    code?: string; // Directly pass in a code from an auth response
-    redirectUri?: string;
-    additionalRequestParams?: Record<string, any>;
-    asOpts?: AuthorizationServerOpts;
-  }): Promise<AccessTokenResponse> {
+  public async acquireAccessToken(
+    opts?: Omit<AccessTokenRequestOpts, 'credentialOffer' | 'credentialIssuer' | 'metadata' | 'additionalParams'> & {
+      clientId?: string;
+      authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
+      additionalRequestParams?: Record<string, any>;
+    },
+  ): Promise<AccessTokenResponse & { params?: DPoPResponseParams }> {
     const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
     if (opts?.authorizationResponse) {
@@ -320,6 +320,7 @@ export class OpenID4VCIClientV1_0_11 {
         code,
         redirectUri,
         asOpts,
+        ...(opts?.createDPoPOpts && { createDPoPOpts: opts.createDPoPOpts }),
         ...(opts?.additionalRequestParams && { additionalParams: opts.additionalRequestParams }),
       });
 
@@ -339,9 +340,11 @@ export class OpenID4VCIClientV1_0_11 {
         );
       }
       this._state.accessTokenResponse = response.successBody;
+      this._state.dpopResponseParams = response.params;
+      this._state.accessToken = response.successBody.access_token;
     }
 
-    return this.accessTokenResponse;
+    return { ...this.accessTokenResponse, ...(this.dpopResponseParams && { params: this.dpopResponseParams }) };
   }
 
   public async acquireCredentials({
@@ -355,6 +358,7 @@ export class OpenID4VCIClientV1_0_11 {
     jti,
     deferredCredentialAwait,
     deferredCredentialIntervalInMS,
+    createDPoPOpts,
   }: {
     credentialTypes: string | string[];
     context?: string[];
@@ -366,6 +370,7 @@ export class OpenID4VCIClientV1_0_11 {
     jti?: string;
     deferredCredentialAwait?: boolean;
     deferredCredentialIntervalInMS?: number;
+    createDPoPOpts?: CreateDPoPClientOpts;
   }): Promise<CredentialResponse> {
     if ([jwk, kid].filter((v) => v !== undefined).length > 1) {
       throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== undefined}, kid: ${kid !== undefined}`);
@@ -445,7 +450,9 @@ export class OpenID4VCIClientV1_0_11 {
       credentialTypes,
       context,
       format,
+      createDPoPOpts,
     });
+    this._state.dpopResponseParams = response.params;
     if (response.errorBody) {
       debug(`Credential request error:\r\n${JSON.stringify(response.errorBody)}`);
       throw Error(
@@ -461,7 +468,7 @@ export class OpenID4VCIClientV1_0_11 {
         } for issuer ${this.getIssuer()} failed as there was no success response body`,
       );
     }
-    return response.successBody;
+    return { ...response.successBody, ...(this.dpopResponseParams && { params: this.dpopResponseParams }) };
   }
 
   public async exportState(): Promise<string> {
@@ -576,6 +583,10 @@ export class OpenID4VCIClientV1_0_11 {
     return this._state.accessTokenResponse!;
   }
 
+  get dpopResponseParams(): DPoPResponseParams | undefined {
+    return this._state.dpopResponseParams;
+  }
+
   public getIssuer(): string {
     this.assertIssuerData();
     return this._state.credentialIssuer;