@sphereon/oid4vci-client 0.16.1-next.4 → 0.16.1-next.402

package/lib/OpenID4VCIClient.ts

@@ -3,6 +3,9 @@ import {
   AccessTokenRequestOpts,
   AccessTokenResponse,
   Alg,
+  AuthorizationChallengeCodeResponse,
+  AuthorizationChallengeErrorResponse,
+  AuthorizationChallengeRequestOpts,
   AuthorizationRequestOpts,
   AuthorizationResponse,
   AuthorizationServerOpts,
@@ -28,7 +31,7 @@ import {
   getTypesFromObject,
   KID_JWK_X5C_ERROR,
   NotificationRequest,
-  NotificationResult,
+  NotificationResponseResult,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   PKCEOpts,
@@ -40,7 +43,7 @@ import Debug from 'debug';
 
 import { AccessTokenClient } from './AccessTokenClient';
 import { AccessTokenClientV1_0_11 } from './AccessTokenClientV1_0_11';
-import { createAuthorizationRequestUrl } from './AuthorizationCodeClient';
+import { acquireAuthorizationChallengeAuthCode, createAuthorizationRequestUrl } from './AuthorizationCodeClient';
 import { createAuthorizationRequestUrlV1_0_11 } from './AuthorizationCodeClientV1_0_11';
 import { CredentialOfferClient } from './CredentialOfferClient';
 import { CredentialRequestOpts } from './CredentialRequestClient';
@@ -89,7 +92,7 @@ export class OpenID4VCIClient {
     endpointMetadata?: EndpointMetadataResult;
     accessTokenResponse?: AccessTokenResponse;
     authorizationRequestOpts?: AuthorizationRequestOpts;
-    authorizationCodeResponse?: AuthorizationResponse;
+    authorizationCodeResponse?: AuthorizationResponse | AuthorizationChallengeCodeResponse;
     authorizationURL?: string;
   }) {
     const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : undefined);
@@ -130,6 +133,7 @@ export class OpenID4VCIClient {
     pkce,
     authorizationRequest,
     createAuthorizationRequestURL,
+    endpointMetadata,
   }: {
     credentialIssuer: string;
     kid?: string;
@@ -139,6 +143,7 @@ export class OpenID4VCIClient {
     createAuthorizationRequestURL?: boolean;
     authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
     pkce?: PKCEOpts;
+    endpointMetadata?: EndpointMetadataResult;
   }) {
     const client = new OpenID4VCIClient({
       kid,
@@ -147,6 +152,7 @@ export class OpenID4VCIClient {
       credentialIssuer,
       pkce,
       authorizationRequest,
+      endpointMetadata,
     });
     if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
       await client.retrieveServerMetadata();
@@ -173,6 +179,7 @@ export class OpenID4VCIClient {
     createAuthorizationRequestURL,
     authorizationRequest,
     resolveOfferUri,
+    endpointMetadata,
   }: {
     uri: string;
     kid?: string;
@@ -183,6 +190,7 @@ export class OpenID4VCIClient {
     pkce?: PKCEOpts;
     clientId?: string;
     authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
+    endpointMetadata?: EndpointMetadataResult;
   }): Promise<OpenID4VCIClient> {
     const credentialOfferClient = await CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri });
     const client = new OpenID4VCIClient({
@@ -192,6 +200,7 @@ export class OpenID4VCIClient {
       clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
       pkce,
       authorizationRequest,
+      endpointMetadata,
     });
 
     if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
@@ -270,21 +279,41 @@ export class OpenID4VCIClient {
     this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce });
   }
 
+  public async acquireAuthorizationChallengeCode(opts?: AuthorizationChallengeRequestOpts): Promise<AuthorizationChallengeCodeResponse> {
+    const response = await acquireAuthorizationChallengeAuthCode({
+      metadata: this.endpointMetadata,
+      credentialIssuer: this.getIssuer(),
+      clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
+      ...opts,
+    });
+
+    if (response.errorBody) {
+      debug(`Authorization code error:\r\n${JSON.stringify(response.errorBody)}`);
+      const error = response.errorBody as AuthorizationChallengeErrorResponse;
+      return Promise.reject(error);
+    } else if (!response.successBody) {
+      debug(`Authorization code error. No success body`);
+      return Promise.reject(
+        Error(
+          `Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`,
+        ),
+      );
+    }
+
+    return { ...response.successBody };
+  }
+
   public async acquireAccessToken(
     opts?: Omit<AccessTokenRequestOpts, 'credentialOffer' | 'credentialIssuer' | 'metadata' | 'additionalParams'> & {
       clientId?: string;
-      authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
+      authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse; // Pass in an auth response, either as URI/redirect, or object
       additionalRequestParams?: Record<string, any>;
     },
-  ): Promise<AccessTokenResponse & DPoPResponseParams> {
+  ): Promise<AccessTokenResponse & { params?: DPoPResponseParams }> {
     const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
-    if (opts?.authorizationResponse) {
-      this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(opts.authorizationResponse) };
-    } else if (opts?.code) {
-      this._state.authorizationCodeResponse = { code: opts.code };
-    }
-    const code = this._state.authorizationCodeResponse?.code;
+
+    const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
 
     if (opts?.codeVerifier) {
       this._state.pkce.codeVerifier = opts.codeVerifier;
@@ -313,6 +342,10 @@ export class OpenID4VCIClient {
 
     if (clientId) {
       this._state.clientId = clientId;
+      if (!asOpts.clientOpts) {
+        asOpts.clientOpts = { clientId };
+      }
+      asOpts.clientOpts.clientId = clientId;
     }
     if (!this._state.accessTokenResponse) {
       const accessTokenClient = this.version() <= OpenId4VCIVersion.VER_1_0_12 ? new AccessTokenClientV1_0_11() : new AccessTokenClient();
@@ -377,7 +410,7 @@ export class OpenID4VCIClient {
   }: {
     credentialTypes: string | string[];
     context?: string[];
-    proofCallbacks: ProofOfPossessionCallbacks<any>;
+    proofCallbacks: ProofOfPossessionCallbacks;
     format?: CredentialFormat | OID4VCICredentialFormat;
     kid?: string;
     jwk?: JWK;
@@ -422,6 +455,15 @@ export class OpenID4VCIClient {
             version: this.version(),
           });
     }
+    // If we are in an auth code flow, without a c nonce, we return the issuerState back to the issuer in case it is present
+    const issuerState =
+      this.issuerSupportedFlowTypes().includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW) &&
+      this._state.authorizationCodeResponse &&
+      !this.accessTokenResponse?.c_nonce &&
+      this._state.credentialOffer?.issuerState
+        ? this._state.credentialOffer.issuerState
+        : undefined;
+    requestBuilder.withIssuerState(issuerState);
 
     requestBuilder.withTokenFromResponse(this.accessTokenResponse);
     requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
@@ -531,7 +573,7 @@ export class OpenID4VCIClient {
     credentialRequestOpts: Partial<CredentialRequestOpts>,
     request: NotificationRequest,
     accessToken?: string,
-  ): Promise<NotificationResult> {
+  ): Promise<NotificationResponseResult> {
     return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
   }
 
@@ -654,6 +696,15 @@ export class OpenID4VCIClient {
     return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
   }
 
+  public getAuthorizationChallengeEndpoint(): string | undefined {
+    this.assertIssuerData();
+    return this.endpointMetadata?.authorization_challenge_endpoint;
+  }
+
+  public hasAuthorizationChallengeEndpoint(): boolean {
+    return !!this.getAuthorizationChallengeEndpoint();
+  }
+
   public hasDeferredCredentialEndpoint(): boolean {
     return !!this.getAccessTokenEndpoint();
   }
@@ -727,4 +778,20 @@ export class OpenID4VCIClient {
     authorizationRequestOpts.clientId = clientId;
     return authorizationRequestOpts;
   }
+
+  private getAuthorizationCode = (
+    authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse,
+    code?: string,
+  ): string | undefined => {
+    if (authorizationResponse) {
+      this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(authorizationResponse) };
+    } else if (code) {
+      this._state.authorizationCodeResponse = { code };
+    }
+
+    return (
+      (this._state.authorizationCodeResponse as AuthorizationResponse)?.code ??
+      (this._state.authorizationCodeResponse as AuthorizationChallengeCodeResponse)?.authorization_code
+    );
+  };
 }

package/lib/OpenID4VCIClientV1_0_11.ts

@@ -3,6 +3,9 @@ import {
   AccessTokenRequestOpts,
   AccessTokenResponse,
   Alg,
+  AuthorizationChallengeCodeResponse,
+  AuthorizationChallengeErrorResponse,
+  AuthorizationChallengeRequestOpts,
   AuthorizationRequestOpts,
   AuthorizationResponse,
   AuthorizationServerOpts,
@@ -33,6 +36,7 @@ import { CredentialFormat } from '@sphereon/ssi-types';
 import Debug from 'debug';
 
 import { AccessTokenClientV1_0_11 } from './AccessTokenClientV1_0_11';
+import { acquireAuthorizationChallengeAuthCode } from './AuthorizationCodeClient';
 import { createAuthorizationRequestUrlV1_0_11 } from './AuthorizationCodeClientV1_0_11';
 import { CredentialOfferClientV1_0_11 } from './CredentialOfferClientV1_0_11';
 import { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11';
@@ -53,7 +57,7 @@ export interface OpenID4VCIClientStateV1_0_11 {
   accessTokenResponse?: AccessTokenResponse;
   dpopResponseParams?: DPoPResponseParams;
   authorizationRequestOpts?: AuthorizationRequestOpts;
-  authorizationCodeResponse?: AuthorizationResponse;
+  authorizationCodeResponse?: AuthorizationResponse | AuthorizationChallengeCodeResponse;
   pkce: PKCEOpts;
   accessToken?: string;
   authorizationURL?: string;
@@ -88,7 +92,7 @@ export class OpenID4VCIClientV1_0_11 {
     endpointMetadata?: EndpointMetadataResultV1_0_11;
     accessTokenResponse?: AccessTokenResponse;
     authorizationRequestOpts?: AuthorizationRequestOpts;
-    authorizationCodeResponse?: AuthorizationResponse;
+    authorizationCodeResponse?: AuthorizationResponse | AuthorizationChallengeCodeResponse;
     authorizationURL?: string;
   }) {
     const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : undefined);
@@ -256,29 +260,54 @@ export class OpenID4VCIClientV1_0_11 {
     this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce });
   }
 
+  public async acquireAuthorizationChallengeCode(opts?: AuthorizationChallengeRequestOpts): Promise<AuthorizationChallengeCodeResponse> {
+    const response = await acquireAuthorizationChallengeAuthCode({
+      metadata: this.endpointMetadata,
+      credentialIssuer: this.getIssuer(),
+      clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
+      ...opts,
+    });
+
+    if (response.errorBody) {
+      debug(`Authorization code error:\r\n${JSON.stringify(response.errorBody)}`);
+      const error = response.errorBody as AuthorizationChallengeErrorResponse;
+      return Promise.reject(error);
+    } else if (!response.successBody) {
+      debug(`Authorization code error. No success body`);
+      return Promise.reject(
+        Error(
+          `Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`,
+        ),
+      );
+    }
+
+    return { ...response.successBody };
+  }
+
   public async acquireAccessToken(
     opts?: Omit<AccessTokenRequestOpts, 'credentialOffer' | 'credentialIssuer' | 'metadata' | 'additionalParams'> & {
       clientId?: string;
-      authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
+      authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse; // Pass in an auth response, either as URI/redirect, or object
       additionalRequestParams?: Record<string, any>;
     },
-  ): Promise<AccessTokenResponse> {
+  ): Promise<AccessTokenResponse & { params?: DPoPResponseParams }> {
     const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
-    if (opts?.authorizationResponse) {
-      this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(opts.authorizationResponse) };
-    } else if (opts?.code) {
-      this._state.authorizationCodeResponse = { code: opts.code };
-    }
-    const code = this._state.authorizationCodeResponse?.code;
+
+    const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
 
     if (opts?.codeVerifier) {
       this._state.pkce.codeVerifier = opts.codeVerifier;
     }
     this.assertIssuerData();
 
+    const asOpts: AuthorizationServerOpts = { ...opts?.asOpts };
     if (clientId) {
       this._state.clientId = clientId;
+      if (!asOpts.clientOpts) {
+        asOpts.clientOpts = { clientId };
+      }
+      asOpts.clientOpts.clientId = clientId;
     }
     if (!this._state.accessTokenResponse) {
       const accessTokenClient = new AccessTokenClientV1_0_11();
@@ -291,7 +320,7 @@ export class OpenID4VCIClientV1_0_11 {
       if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
         redirectUri = this._state.authorizationRequestOpts.redirectUri;
       }
-      const asOpts: AuthorizationServerOpts = { ...opts?.asOpts };
+
       const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
       const clientAssertionType =
         asOpts.clientOpts?.clientAssertionType ??
@@ -362,7 +391,7 @@ export class OpenID4VCIClientV1_0_11 {
   }: {
     credentialTypes: string | string[];
     context?: string[];
-    proofCallbacks: ProofOfPossessionCallbacks<any>;
+    proofCallbacks: ProofOfPossessionCallbacks;
     format?: CredentialFormat | OID4VCICredentialFormat;
     kid?: string;
     jwk?: JWK;
@@ -672,4 +701,20 @@ export class OpenID4VCIClientV1_0_11 {
     authorizationRequestOpts.clientId = clientId;
     return authorizationRequestOpts;
   }
+
+  private getAuthorizationCode = (
+    authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse,
+    code?: string,
+  ): string | undefined => {
+    if (authorizationResponse) {
+      this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(authorizationResponse) };
+    } else if (code) {
+      this._state.authorizationCodeResponse = { code };
+    }
+
+    return (
+      (this._state.authorizationCodeResponse as AuthorizationResponse)?.code ??
+      (this._state.authorizationCodeResponse as AuthorizationChallengeCodeResponse)?.authorization_code
+    );
+  };
 }

package/lib/OpenID4VCIClientV1_0_13.ts

@@ -3,6 +3,9 @@ import {
   AccessTokenRequestOpts,
   AccessTokenResponse,
   Alg,
+  AuthorizationChallengeCodeResponse,
+  AuthorizationChallengeErrorResponse,
+  AuthorizationChallengeRequestOpts,
   AuthorizationRequestOpts,
   AuthorizationResponse,
   AuthorizationServerOpts,
@@ -22,7 +25,7 @@ import {
   getTypesFromCredentialSupported,
   KID_JWK_X5C_ERROR,
   NotificationRequest,
-  NotificationResult,
+  NotificationResponseResult,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   PKCEOpts,
@@ -33,10 +36,10 @@ import { CredentialFormat } from '@sphereon/ssi-types';
 import Debug from 'debug';
 
 import { AccessTokenClient } from './AccessTokenClient';
-import { createAuthorizationRequestUrl } from './AuthorizationCodeClient';
+import { acquireAuthorizationChallengeAuthCode, createAuthorizationRequestUrl } from './AuthorizationCodeClient';
 import { CredentialOfferClient } from './CredentialOfferClient';
 import { CredentialRequestOpts } from './CredentialRequestClient';
-import { CredentialRequestClientBuilder } from './CredentialRequestClientBuilder';
+import { CredentialRequestClientBuilderV1_0_13 } from './CredentialRequestClientBuilderV1_0_13';
 import { MetadataClientV1_0_13 } from './MetadataClientV1_0_13';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
 import { generateMissingPKCEOpts, sendNotification } from './functions';
@@ -54,10 +57,11 @@ export interface OpenID4VCIClientStateV1_0_13 {
   accessTokenResponse?: AccessTokenResponse;
   dpopResponseParams?: DPoPResponseParams;
   authorizationRequestOpts?: AuthorizationRequestOpts;
-  authorizationCodeResponse?: AuthorizationResponse;
+  authorizationCodeResponse?: AuthorizationResponse | AuthorizationChallengeCodeResponse;
   pkce: PKCEOpts;
   accessToken?: string;
   authorizationURL?: string;
+  sendIssuerStateIfNoNonce?: boolean;
 }
 
 export class OpenID4VCIClientV1_0_13 {
@@ -91,7 +95,7 @@ export class OpenID4VCIClientV1_0_13 {
     endpointMetadata?: EndpointMetadataResultV1_0_13;
     accessTokenResponse?: AccessTokenResponse;
     authorizationRequestOpts?: AuthorizationRequestOpts;
-    authorizationCodeResponse?: AuthorizationResponse;
+    authorizationCodeResponse?: AuthorizationResponse | AuthorizationChallengeCodeResponse;
     authorizationURL?: string;
   }) {
     const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : undefined);
@@ -261,21 +265,41 @@ export class OpenID4VCIClientV1_0_13 {
     this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce });
   }
 
+  public async acquireAuthorizationChallengeCode(opts?: AuthorizationChallengeRequestOpts): Promise<AuthorizationChallengeCodeResponse> {
+    const response = await acquireAuthorizationChallengeAuthCode({
+      metadata: this.endpointMetadata,
+      credentialIssuer: this.getIssuer(),
+      clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
+      ...opts,
+    });
+
+    if (response.errorBody) {
+      debug(`Authorization code error:\r\n${JSON.stringify(response.errorBody)}`);
+      const error = response.errorBody as AuthorizationChallengeErrorResponse;
+      return Promise.reject(error);
+    } else if (!response.successBody) {
+      debug(`Authorization code error. No success body`);
+      return Promise.reject(
+        Error(
+          `Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`,
+        ),
+      );
+    }
+
+    return { ...response.successBody };
+  }
+
   public async acquireAccessToken(
     opts?: Omit<AccessTokenRequestOpts, 'credentialOffer' | 'credentialIssuer' | 'metadata' | 'additionalParams'> & {
       clientId?: string;
-      authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
+      authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse; // Pass in an auth response, either as URI/redirect, or object
       additionalRequestParams?: Record<string, any>;
     },
-  ): Promise<AccessTokenResponse> {
+  ): Promise<AccessTokenResponse & { params?: DPoPResponseParams }> {
     const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
-    if (opts?.authorizationResponse) {
-      this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(opts.authorizationResponse) };
-    } else if (opts?.code) {
-      this._state.authorizationCodeResponse = { code: opts.code };
-    }
-    const code = this._state.authorizationCodeResponse?.code;
+
+    const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
 
     if (opts?.codeVerifier) {
       this._state.pkce.codeVerifier = opts.codeVerifier;
@@ -303,6 +327,10 @@ export class OpenID4VCIClientV1_0_13 {
 
     if (clientId) {
       this._state.clientId = clientId;
+      if (!asOpts.clientOpts) {
+        asOpts.clientOpts = { clientId };
+      }
+      asOpts.clientOpts.clientId = clientId;
     }
     if (!this._state.accessTokenResponse) {
       const accessTokenClient = new AccessTokenClient();
@@ -351,7 +379,41 @@ export class OpenID4VCIClientV1_0_13 {
     return { ...this.accessTokenResponse, ...(this.dpopResponseParams && { params: this.dpopResponseParams }) };
   }
 
-  public async acquireCredentials({
+  public async acquireCredentialsWithoutProof(args: {
+    credentialIdentifier?: string;
+    credentialTypes?: string | string[];
+    context?: string[];
+    format?: CredentialFormat | OID4VCICredentialFormat;
+    kid?: string;
+    jwk?: JWK;
+    alg?: Alg | string;
+    jti?: string;
+    deferredCredentialAwait?: boolean;
+    deferredCredentialIntervalInMS?: number;
+    experimentalHolderIssuanceSupported?: boolean;
+    createDPoPOpts?: CreateDPoPClientOpts;
+  }): Promise<CredentialResponse & { access_token: string }> {
+    return await this.acquireCredentialsImpl(args);
+  }
+  public async acquireCredentials(args: {
+    credentialIdentifier?: string;
+    credentialTypes?: string | string[];
+    context?: string[];
+    proofCallbacks: ProofOfPossessionCallbacks;
+    format?: CredentialFormat | OID4VCICredentialFormat;
+    kid?: string;
+    jwk?: JWK;
+    alg?: Alg | string;
+    jti?: string;
+    deferredCredentialAwait?: boolean;
+    deferredCredentialIntervalInMS?: number;
+    experimentalHolderIssuanceSupported?: boolean;
+    createDPoPOpts?: CreateDPoPClientOpts;
+  }): Promise<CredentialResponse & { access_token: string }> {
+    return await this.acquireCredentialsImpl(args);
+  }
+
+  private async acquireCredentialsImpl({
     credentialIdentifier,
     credentialTypes,
     context,
@@ -368,7 +430,7 @@ export class OpenID4VCIClientV1_0_13 {
     credentialIdentifier?: string;
     credentialTypes?: string | string[];
     context?: string[];
-    proofCallbacks: ProofOfPossessionCallbacks<any>;
+    proofCallbacks?: ProofOfPossessionCallbacks;
     format?: CredentialFormat | OID4VCICredentialFormat;
     kid?: string;
     jwk?: JWK;
@@ -388,17 +450,25 @@ export class OpenID4VCIClientV1_0_13 {
     if (kid) this._state.kid = kid;
 
     const requestBuilder = this.credentialOffer
-      ? CredentialRequestClientBuilder.fromCredentialOffer({
+      ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
           credentialOffer: this.credentialOffer,
           metadata: this.endpointMetadata,
         })
-      : CredentialRequestClientBuilder.fromCredentialIssuer({
+      : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
           credentialIssuer: this.getIssuer(),
           credentialIdentifier: credentialIdentifier,
           metadata: this.endpointMetadata,
           version: this.version(),
         });
-
+    // If we are in an auth code flow, without a c nonce, we return the issuerState back to the issuer in case it is present
+    const issuerState =
+      this.issuerSupportedFlowTypes().includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW) &&
+      this._state.authorizationCodeResponse &&
+      !this.accessTokenResponse?.c_nonce &&
+      this._state.credentialOffer?.issuerState
+        ? this._state.credentialOffer.issuerState
+        : undefined;
+    requestBuilder.withIssuerState(issuerState);
     requestBuilder.withTokenFromResponse(this.accessTokenResponse);
     requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
     let subjectIssuance: ExperimentalSubjectIssuance | undefined;
@@ -413,7 +483,7 @@ export class OpenID4VCIClientV1_0_13 {
           );
         }
         const credentialsSupported = metadata.credential_configurations_supported;
-        if (!metadata.credential_configurations_supported || !credentialsSupported[credentialIdentifier]) {
+        if (!credentialsSupported || !credentialsSupported[credentialIdentifier]) {
           throw new Error(`Credential type ${credentialIdentifier} is not supported by issuer ${this.getIssuer()}`);
         }
       } else if (!types) {
@@ -438,9 +508,19 @@ export class OpenID4VCIClientV1_0_13 {
           console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
           // throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
-      } else if (metadata.credential_configurations_supported && !Array.isArray(metadata.credential_configurations_supported)) {
-        const credentialsSupported = metadata.credential_configurations_supported;
-        if (types.some((type) => !metadata.credential_configurations_supported || !credentialsSupported[type])) {
+      } else if (metadata.credential_configurations_supported && typeof metadata.credential_configurations_supported === 'object') {
+        let typeSupported = false;
+        Object.values(metadata.credential_configurations_supported).forEach((supportedCredential) => {
+          const subTypes = getTypesFromCredentialSupported(supportedCredential);
+          if (
+            subTypes.every((t, i) => types[i] === t) ||
+            (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))
+          ) {
+            typeSupported = true;
+          }
+        });
+
+        if (!typeSupported) {
           throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
       }
@@ -451,32 +531,50 @@ export class OpenID4VCIClientV1_0_13 {
     }
 
     const credentialRequestClient = requestBuilder.build();
-    const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
-      accessTokenResponse: this.accessTokenResponse,
-      callbacks: proofCallbacks,
-      version: this.version(),
-    })
-      .withIssuer(this.getIssuer())
-      .withAlg(this.alg);
 
-    if (this._state.jwk) {
-      proofBuilder.withJWK(this._state.jwk);
-    }
-    if (this._state.kid) {
-      proofBuilder.withKid(this._state.kid);
-    }
+    let proofBuilder: ProofOfPossessionBuilder<any> | undefined;
+    if (proofCallbacks) {
+      proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
+        accessTokenResponse: this.accessTokenResponse,
+        callbacks: proofCallbacks,
+        version: this.version(),
+      })
+        .withIssuer(this.getIssuer())
+        .withAlg(this.alg);
 
-    if (this.clientId) {
-      proofBuilder.withClientId(this.clientId);
-    }
-    if (jti) {
-      proofBuilder.withJti(jti);
+      if (this._state.jwk) {
+        proofBuilder.withJWK(this._state.jwk);
+      }
+      if (this._state.kid) {
+        proofBuilder.withKid(this._state.kid);
+      }
+
+      if (this.clientId) {
+        proofBuilder.withClientId(this.clientId);
+      }
+      if (jti) {
+        proofBuilder.withJti(jti);
+      }
     }
-    const response = await credentialRequestClient.acquireCredentialsUsingProof({
-      proofInput: proofBuilder,
-      ...(credentialIdentifier ? { credentialIdentifier, subjectIssuance } : { format, context, credentialTypes, subjectIssuance }),
-      createDPoPOpts,
-    });
+    const request = proofBuilder
+      ? await credentialRequestClient.createCredentialRequest({
+          proofInput: proofBuilder,
+          credentialTypes,
+          context,
+          format,
+          version: this.version(),
+          credentialIdentifier,
+          subjectIssuance,
+        })
+      : await credentialRequestClient.createCredentialRequestWithoutProof({
+          credentialTypes,
+          context,
+          format,
+          version: this.version(),
+          credentialIdentifier,
+          subjectIssuance,
+        });
+    const response = await credentialRequestClient.acquireCredentialsUsingRequest(request, createDPoPOpts);
     this._state.dpopResponseParams = response.params;
     if (response.errorBody) {
       debug(`Credential request error:\r\n${JSON.stringify(response.errorBody)}`);
@@ -515,7 +613,7 @@ export class OpenID4VCIClientV1_0_13 {
     credentialRequestOpts: Partial<CredentialRequestOpts>,
     request: NotificationRequest,
     accessToken?: string,
-  ): Promise<NotificationResult> {
+  ): Promise<NotificationResponseResult> {
     return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
   }
 
@@ -711,4 +809,20 @@ export class OpenID4VCIClientV1_0_13 {
     authorizationRequestOpts.clientId = clientId;
     return authorizationRequestOpts;
   }
+
+  private getAuthorizationCode = (
+    authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse,
+    code?: string,
+  ): string | undefined => {
+    if (authorizationResponse) {
+      this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(authorizationResponse) };
+    } else if (code) {
+      this._state.authorizationCodeResponse = { code };
+    }
+
+    return (
+      (this._state.authorizationCodeResponse as AuthorizationResponse)?.code ??
+      (this._state.authorizationCodeResponse as AuthorizationChallengeCodeResponse)?.authorization_code
+    );
+  };
 }