@sphereon/oid4vci-client 0.18.2 → 0.19.1-feature.SSISDK.13.17
- package/LICENSE +201 -201
- package/README.md +1 -1
- package/dist/index.cjs +1481 -541
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +235 -22
- package/dist/index.d.ts +235 -22
- package/dist/index.js +1459 -473
- package/dist/index.js.map +1 -1
- package/package.json +14 -20
package/dist/index.cjs
CHANGED
|
@@ -1,9 +1,7 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __create = Object.create;
|
|
3
2
|
var __defProp = Object.defineProperty;
|
|
4
3
|
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
5
4
|
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
6
|
-
var __getProtoOf = Object.getPrototypeOf;
|
|
7
5
|
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
8
6
|
var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
|
|
9
7
|
var __export = (target, all) => {
|
|
@@ -18,14 +16,6 @@ var __copyProps = (to, from, except, desc) => {
|
|
|
18
16
|
}
|
|
19
17
|
return to;
|
|
20
18
|
};
|
|
21
|
-
var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
|
|
22
|
-
// If the importer is in node compatibility mode or this is not an ESM
|
|
23
|
-
// file that has been converted to a CommonJS file using a Babel-
|
|
24
|
-
// compatible transform (i.e. "__esModule" has not been set), then set
|
|
25
|
-
// "default" to the CommonJS "module.exports" for node compatibility.
|
|
26
|
-
isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
|
|
27
|
-
mod
|
|
28
|
-
));
|
|
29
19
|
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
30
20
|
|
|
31
21
|
// lib/index.ts
|
|
@@ -36,18 +26,22 @@ __export(index_exports, {
|
|
|
36
26
|
CredentialOfferClient: () => CredentialOfferClient,
|
|
37
27
|
CredentialOfferClientV1_0_11: () => CredentialOfferClientV1_0_11,
|
|
38
28
|
CredentialOfferClientV1_0_13: () => CredentialOfferClientV1_0_13,
|
|
29
|
+
CredentialOfferClientV1_0_15: () => CredentialOfferClientV1_0_15,
|
|
39
30
|
CredentialRequestClient: () => CredentialRequestClient,
|
|
40
31
|
CredentialRequestClientBuilder: () => CredentialRequestClientBuilder,
|
|
41
32
|
CredentialRequestClientBuilderV1_0_11: () => CredentialRequestClientBuilderV1_0_11,
|
|
42
33
|
CredentialRequestClientBuilderV1_0_13: () => CredentialRequestClientBuilderV1_0_13,
|
|
34
|
+
CredentialRequestClientBuilderV1_0_15: () => CredentialRequestClientBuilderV1_0_15,
|
|
43
35
|
CredentialRequestClientV1_0_11: () => CredentialRequestClientV1_0_11,
|
|
44
36
|
LOG: () => LOG2,
|
|
45
37
|
MetadataClient: () => MetadataClient,
|
|
46
38
|
MetadataClientV1_0_11: () => MetadataClientV1_0_11,
|
|
47
39
|
MetadataClientV1_0_13: () => MetadataClientV1_0_13,
|
|
40
|
+
MetadataClientV1_0_15: () => MetadataClientV1_0_15,
|
|
48
41
|
OpenID4VCIClient: () => OpenID4VCIClient,
|
|
49
42
|
OpenID4VCIClientV1_0_11: () => OpenID4VCIClientV1_0_11,
|
|
50
43
|
OpenID4VCIClientV1_0_13: () => OpenID4VCIClientV1_0_13,
|
|
44
|
+
OpenID4VCIClientV1_0_15: () => OpenID4VCIClientV1_0_15,
|
|
51
45
|
ProofOfPossessionBuilder: () => ProofOfPossessionBuilder,
|
|
52
46
|
acquireAuthorizationChallengeAuthCode: () => acquireAuthorizationChallengeAuthCode,
|
|
53
47
|
acquireAuthorizationChallengeAuthCodeUsingRequest: () => acquireAuthorizationChallengeAuthCodeUsingRequest,
|
|
@@ -66,16 +60,16 @@ __export(index_exports, {
|
|
|
66
60
|
sendNotification: () => sendNotification
|
|
67
61
|
});
|
|
68
62
|
module.exports = __toCommonJS(index_exports);
|
|
69
|
-
var
|
|
63
|
+
var import_oid4vci_common30 = require("@sphereon/oid4vci-common");
|
|
70
64
|
|
|
71
65
|
// lib/AccessTokenClient.ts
|
|
72
66
|
var import_oid4vc_common3 = require("@sphereon/oid4vc-common");
|
|
73
67
|
var import_oid4vci_common9 = require("@sphereon/oid4vci-common");
|
|
74
|
-
var
|
|
68
|
+
var import_ssi_types4 = require("@sphereon/ssi-types");
|
|
75
69
|
|
|
76
70
|
// lib/MetadataClientV1_0_13.ts
|
|
77
71
|
var import_oid4vci_common8 = require("@sphereon/oid4vci-common");
|
|
78
|
-
var
|
|
72
|
+
var import_ssi_types3 = require("@sphereon/ssi-types");
|
|
79
73
|
|
|
80
74
|
// lib/functions/AuthorizationUtil.ts
|
|
81
75
|
var import_oid4vci_common = require("@sphereon/oid4vci-common");
|
|
@@ -137,14 +131,14 @@ __name(sendNotification, "sendNotification");
|
|
|
137
131
|
|
|
138
132
|
// lib/functions/OpenIDUtils.ts
|
|
139
133
|
var import_oid4vci_common4 = require("@sphereon/oid4vci-common");
|
|
140
|
-
var
|
|
141
|
-
var
|
|
134
|
+
var import_ssi_types2 = require("@sphereon/ssi-types");
|
|
135
|
+
var logger = import_ssi_types2.Loggers.DEFAULT.get("sphereon:openid4vci:openid-utils");
|
|
142
136
|
var retrieveWellknown = /* @__PURE__ */ __name(async (host, endpointType, opts) => {
|
|
143
137
|
const result = await (0, import_oid4vci_common4.getJson)(`${host.endsWith("/") ? host.slice(0, -1) : host}${endpointType}`, {
|
|
144
138
|
exceptionOnHttpErrorStatus: opts?.errorOnNotFound
|
|
145
139
|
});
|
|
146
140
|
if (result.origResponse.status >= 400) {
|
|
147
|
-
debug(`host ${host} with endpoint type ${endpointType} status: ${result.origResponse.status}, ${result.origResponse.statusText}`);
|
|
141
|
+
logger.debug(`host ${host} with endpoint type ${endpointType} status: ${result.origResponse.status}, ${result.origResponse.statusText}`);
|
|
148
142
|
}
|
|
149
143
|
return result;
|
|
150
144
|
}, "retrieveWellknown");
|
|
@@ -383,10 +377,10 @@ async function handleCredentialOfferUri(uri) {
|
|
|
383
377
|
const decodedUri = isUriEncoded(credentialOfferUri) ? decodeURIComponent(credentialOfferUri) : credentialOfferUri;
|
|
384
378
|
const response = await (0, import_cross_fetch.fetch)(decodedUri);
|
|
385
379
|
if (!(response && response.status >= 200 && response.status < 400)) {
|
|
386
|
-
return Promise.reject(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`);
|
|
380
|
+
return Promise.reject(Error(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`));
|
|
387
381
|
}
|
|
388
382
|
if (response.headers.get("Content-Type")?.startsWith("application/json") === false) {
|
|
389
|
-
return Promise.reject("the credential offer URI endpoint did not return content type application/json");
|
|
383
|
+
return Promise.reject(Error("the credential offer URI endpoint did not return content type application/json"));
|
|
390
384
|
}
|
|
391
385
|
return {
|
|
392
386
|
credential_offer: (0, import_oid4vci_common7.decodeJsonProperties)(await response.json())
|
|
@@ -417,7 +411,7 @@ function constructBaseResponse(request, scheme, baseUrl) {
|
|
|
417
411
|
__name(constructBaseResponse, "constructBaseResponse");
|
|
418
412
|
|
|
419
413
|
// lib/MetadataClientV1_0_13.ts
|
|
420
|
-
var
|
|
414
|
+
var logger2 = import_ssi_types3.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
|
|
421
415
|
var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
|
|
422
416
|
static {
|
|
423
417
|
__name(this, "MetadataClientV1_0_13");
|
|
@@ -461,7 +455,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
|
|
|
461
455
|
});
|
|
462
456
|
let credentialIssuerMetadata = oid4vciResponse?.successBody;
|
|
463
457
|
if (credentialIssuerMetadata) {
|
|
464
|
-
|
|
458
|
+
logger2.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
|
|
465
459
|
${JSON.stringify(credentialIssuerMetadata)}`);
|
|
466
460
|
credential_endpoint = credentialIssuerMetadata.credential_endpoint;
|
|
467
461
|
deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
|
|
@@ -478,7 +472,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
478
472
|
});
|
|
479
473
|
let authMetadata = response.successBody;
|
|
480
474
|
if (authMetadata) {
|
|
481
|
-
|
|
475
|
+
logger2.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
|
|
482
476
|
authorizationServerType = "OIDC";
|
|
483
477
|
} else {
|
|
484
478
|
response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common8.WellKnownEndpoints.OAUTH_AS, {
|
|
@@ -494,7 +488,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
494
488
|
if (!authorizationServerType) {
|
|
495
489
|
authorizationServerType = "OAuth 2.0";
|
|
496
490
|
}
|
|
497
|
-
|
|
491
|
+
logger2.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
|
|
498
492
|
if (!authMetadata.authorization_endpoint) {
|
|
499
493
|
console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
|
|
500
494
|
} else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
|
|
@@ -513,24 +507,24 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
513
507
|
token_endpoint = authMetadata.token_endpoint;
|
|
514
508
|
if (authMetadata.credential_endpoint) {
|
|
515
509
|
if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
|
|
516
|
-
|
|
510
|
+
logger2.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
|
|
517
511
|
} else {
|
|
518
512
|
credential_endpoint = authMetadata.credential_endpoint;
|
|
519
513
|
}
|
|
520
514
|
}
|
|
521
515
|
if (authMetadata.deferred_credential_endpoint) {
|
|
522
516
|
if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
|
|
523
|
-
|
|
517
|
+
logger2.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
|
|
524
518
|
} else {
|
|
525
519
|
deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
|
|
526
520
|
}
|
|
527
521
|
}
|
|
528
522
|
}
|
|
529
523
|
if (!authorization_endpoint) {
|
|
530
|
-
|
|
524
|
+
logger2.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
|
|
531
525
|
}
|
|
532
526
|
if (!token_endpoint) {
|
|
533
|
-
|
|
527
|
+
logger2.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
|
|
534
528
|
if (opts?.errorOnNotFound) {
|
|
535
529
|
throw Error(`Could not deduce the token_endpoint for ${issuer}`);
|
|
536
530
|
} else {
|
|
@@ -538,7 +532,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
538
532
|
}
|
|
539
533
|
}
|
|
540
534
|
if (!credential_endpoint) {
|
|
541
|
-
|
|
535
|
+
logger2.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
|
|
542
536
|
if (opts?.errorOnNotFound) {
|
|
543
537
|
throw Error(`Could not deduce the credential endpoint for ${issuer}`);
|
|
544
538
|
} else {
|
|
@@ -548,7 +542,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
548
542
|
if (!credentialIssuerMetadata && authMetadata) {
|
|
549
543
|
credentialIssuerMetadata = authMetadata;
|
|
550
544
|
}
|
|
551
|
-
|
|
545
|
+
logger2.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
552
546
|
return {
|
|
553
547
|
issuer,
|
|
554
548
|
token_endpoint,
|
|
@@ -825,7 +819,7 @@ var AccessTokenClient = class _AccessTokenClient {
|
|
|
825
819
|
}
|
|
826
820
|
url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
|
|
827
821
|
}
|
|
828
|
-
if (!url || !
|
|
822
|
+
if (!url || !import_ssi_types4.ObjectUtils.isString(url)) {
|
|
829
823
|
throw new Error("No authorization server token URL present. Cannot acquire access token");
|
|
830
824
|
}
|
|
831
825
|
LOG.debug(`Token endpoint determined to be ${url}`);
|
|
@@ -849,9 +843,8 @@ var AccessTokenClient = class _AccessTokenClient {
|
|
|
849
843
|
// lib/AccessTokenClientV1_0_11.ts
|
|
850
844
|
var import_oid4vc_common4 = require("@sphereon/oid4vc-common");
|
|
851
845
|
var import_oid4vci_common10 = require("@sphereon/oid4vci-common");
|
|
852
|
-
var
|
|
853
|
-
var
|
|
854
|
-
var debug3 = (0, import_debug3.default)("sphereon:oid4vci:token");
|
|
846
|
+
var import_ssi_types5 = require("@sphereon/ssi-types");
|
|
847
|
+
var logger3 = import_ssi_types5.Loggers.DEFAULT.get("sphereon:oid4vci:token");
|
|
855
848
|
var AccessTokenClientV1_0_11 = class _AccessTokenClientV1_0_11 {
|
|
856
849
|
static {
|
|
857
850
|
__name(this, "AccessTokenClientV1_0_11");
|
|
@@ -982,35 +975,35 @@ var AccessTokenClientV1_0_11 = class _AccessTokenClientV1_0_11 {
|
|
|
982
975
|
if (requestPayload.grants?.[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]) {
|
|
983
976
|
isPinRequired = requestPayload.grants[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false;
|
|
984
977
|
}
|
|
985
|
-
|
|
978
|
+
logger3.debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
|
|
986
979
|
return isPinRequired;
|
|
987
980
|
}
|
|
988
981
|
assertNumericPin(isPinRequired, pin) {
|
|
989
982
|
if (isPinRequired) {
|
|
990
983
|
if (!pin || !/^\d{1,8}$/.test(pin)) {
|
|
991
|
-
|
|
984
|
+
logger3.debug(`Pin is not 1 to 8 digits long`);
|
|
992
985
|
throw new Error("A valid pin consisting of maximal 8 numeric characters must be present.");
|
|
993
986
|
}
|
|
994
987
|
} else if (pin) {
|
|
995
|
-
|
|
988
|
+
logger3.debug(`Pin set, whilst not required`);
|
|
996
989
|
throw new Error("Cannot set a pin, when the pin is not required.");
|
|
997
990
|
}
|
|
998
991
|
}
|
|
999
992
|
assertNonEmptyPreAuthorizedCode(accessTokenRequest) {
|
|
1000
993
|
if (!accessTokenRequest[import_oid4vci_common10.PRE_AUTH_CODE_LITERAL]) {
|
|
1001
|
-
|
|
994
|
+
logger3.debug(`No pre-authorized code present, whilst it is required`);
|
|
1002
995
|
throw new Error("Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.");
|
|
1003
996
|
}
|
|
1004
997
|
}
|
|
1005
998
|
assertNonEmptyCodeVerifier(accessTokenRequest) {
|
|
1006
999
|
if (!accessTokenRequest.code_verifier) {
|
|
1007
|
-
|
|
1000
|
+
logger3.debug("No code_verifier present, whilst it is required");
|
|
1008
1001
|
throw new Error("Authorization flow requires the code_verifier to be present");
|
|
1009
1002
|
}
|
|
1010
1003
|
}
|
|
1011
1004
|
assertNonEmptyCode(accessTokenRequest) {
|
|
1012
1005
|
if (!accessTokenRequest.code) {
|
|
1013
|
-
|
|
1006
|
+
logger3.debug("No code present, whilst it is required");
|
|
1014
1007
|
throw new Error("Authorization flow requires the code to be present");
|
|
1015
1008
|
}
|
|
1016
1009
|
}
|
|
@@ -1049,10 +1042,10 @@ var AccessTokenClientV1_0_11 = class _AccessTokenClientV1_0_11 {
|
|
|
1049
1042
|
}
|
|
1050
1043
|
url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
|
|
1051
1044
|
}
|
|
1052
|
-
if (!url || !
|
|
1045
|
+
if (!url || !import_ssi_types5.ObjectUtils.isString(url)) {
|
|
1053
1046
|
throw new Error("No authorization server token URL present. Cannot acquire access token");
|
|
1054
1047
|
}
|
|
1055
|
-
|
|
1048
|
+
logger3.debug(`Token endpoint determined to be ${url}`);
|
|
1056
1049
|
return url;
|
|
1057
1050
|
}
|
|
1058
1051
|
static creatTokenURLFromURL(url, allowInsecureEndpoints, tokenEndpoint) {
|
|
@@ -1065,23 +1058,23 @@ var AccessTokenClientV1_0_11 = class _AccessTokenClientV1_0_11 {
|
|
|
1065
1058
|
return `${scheme ? scheme + "://" : "https://"}${hostname}${endpoint}`;
|
|
1066
1059
|
}
|
|
1067
1060
|
throwNotSupportedFlow() {
|
|
1068
|
-
|
|
1061
|
+
logger3.debug(`Only pre-authorized or authorization code flows supported.`);
|
|
1069
1062
|
throw new Error("Only pre-authorized-code or authorization code flows are supported");
|
|
1070
1063
|
}
|
|
1071
1064
|
};
|
|
1072
1065
|
|
|
1073
1066
|
// lib/AuthorizationCodeClient.ts
|
|
1074
1067
|
var import_oid4vci_common13 = require("@sphereon/oid4vci-common");
|
|
1075
|
-
var
|
|
1068
|
+
var import_ssi_types8 = require("@sphereon/ssi-types");
|
|
1076
1069
|
|
|
1077
1070
|
// lib/MetadataClient.ts
|
|
1078
1071
|
var import_oid4vci_common12 = require("@sphereon/oid4vci-common");
|
|
1079
|
-
var
|
|
1072
|
+
var import_ssi_types7 = require("@sphereon/ssi-types");
|
|
1080
1073
|
|
|
1081
1074
|
// lib/MetadataClientV1_0_11.ts
|
|
1082
1075
|
var import_oid4vci_common11 = require("@sphereon/oid4vci-common");
|
|
1083
|
-
var
|
|
1084
|
-
var
|
|
1076
|
+
var import_ssi_types6 = require("@sphereon/ssi-types");
|
|
1077
|
+
var logger4 = import_ssi_types6.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
|
|
1085
1078
|
var MetadataClientV1_0_11 = class _MetadataClientV1_0_11 {
|
|
1086
1079
|
static {
|
|
1087
1080
|
__name(this, "MetadataClientV1_0_11");
|
|
@@ -1123,7 +1116,7 @@ var MetadataClientV1_0_11 = class _MetadataClientV1_0_11 {
|
|
|
1123
1116
|
});
|
|
1124
1117
|
let credentialIssuerMetadata = oid4vciResponse?.successBody;
|
|
1125
1118
|
if (credentialIssuerMetadata) {
|
|
1126
|
-
|
|
1119
|
+
logger4.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
|
|
1127
1120
|
${JSON.stringify(credentialIssuerMetadata)}`);
|
|
1128
1121
|
credential_endpoint = credentialIssuerMetadata.credential_endpoint;
|
|
1129
1122
|
deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
|
|
@@ -1143,7 +1136,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1143
1136
|
});
|
|
1144
1137
|
let authMetadata = response.successBody;
|
|
1145
1138
|
if (authMetadata) {
|
|
1146
|
-
|
|
1139
|
+
logger4.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
|
|
1147
1140
|
authorizationServerType = "OIDC";
|
|
1148
1141
|
} else {
|
|
1149
1142
|
response = await retrieveWellknown(authorization_server, import_oid4vci_common11.WellKnownEndpoints.OAUTH_AS, {
|
|
@@ -1159,7 +1152,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1159
1152
|
if (!authorizationServerType) {
|
|
1160
1153
|
authorizationServerType = "OAuth 2.0";
|
|
1161
1154
|
}
|
|
1162
|
-
|
|
1155
|
+
logger4.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
|
|
1163
1156
|
if (!authMetadata.authorization_endpoint) {
|
|
1164
1157
|
console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
|
|
1165
1158
|
} else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
|
|
@@ -1178,24 +1171,24 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1178
1171
|
token_endpoint = authMetadata.token_endpoint;
|
|
1179
1172
|
if (authMetadata.credential_endpoint) {
|
|
1180
1173
|
if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
|
|
1181
|
-
|
|
1174
|
+
logger4.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
|
|
1182
1175
|
} else {
|
|
1183
1176
|
credential_endpoint = authMetadata.credential_endpoint;
|
|
1184
1177
|
}
|
|
1185
1178
|
}
|
|
1186
1179
|
if (authMetadata.deferred_credential_endpoint) {
|
|
1187
1180
|
if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
|
|
1188
|
-
|
|
1181
|
+
logger4.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
|
|
1189
1182
|
} else {
|
|
1190
1183
|
deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
|
|
1191
1184
|
}
|
|
1192
1185
|
}
|
|
1193
1186
|
}
|
|
1194
1187
|
if (!authorization_endpoint) {
|
|
1195
|
-
|
|
1188
|
+
logger4.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
|
|
1196
1189
|
}
|
|
1197
1190
|
if (!token_endpoint) {
|
|
1198
|
-
|
|
1191
|
+
logger4.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
|
|
1199
1192
|
if (opts?.errorOnNotFound) {
|
|
1200
1193
|
throw Error(`Could not deduce the token_endpoint for ${issuer}`);
|
|
1201
1194
|
} else {
|
|
@@ -1203,7 +1196,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1203
1196
|
}
|
|
1204
1197
|
}
|
|
1205
1198
|
if (!credential_endpoint) {
|
|
1206
|
-
|
|
1199
|
+
logger4.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
|
|
1207
1200
|
if (opts?.errorOnNotFound) {
|
|
1208
1201
|
throw Error(`Could not deduce the credential endpoint for ${issuer}`);
|
|
1209
1202
|
} else {
|
|
@@ -1213,7 +1206,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1213
1206
|
if (!credentialIssuerMetadata && authMetadata) {
|
|
1214
1207
|
credentialIssuerMetadata = authMetadata;
|
|
1215
1208
|
}
|
|
1216
|
-
|
|
1209
|
+
logger4.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
1217
1210
|
return {
|
|
1218
1211
|
issuer,
|
|
1219
1212
|
token_endpoint,
|
|
@@ -1240,7 +1233,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1240
1233
|
};
|
|
1241
1234
|
|
|
1242
1235
|
// lib/MetadataClient.ts
|
|
1243
|
-
var
|
|
1236
|
+
var logger5 = import_ssi_types7.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
|
|
1244
1237
|
var MetadataClient = class _MetadataClient {
|
|
1245
1238
|
static {
|
|
1246
1239
|
__name(this, "MetadataClient");
|
|
@@ -1293,7 +1286,7 @@ var MetadataClient = class _MetadataClient {
|
|
|
1293
1286
|
});
|
|
1294
1287
|
let credentialIssuerMetadata = oid4vciResponse?.successBody;
|
|
1295
1288
|
if (credentialIssuerMetadata) {
|
|
1296
|
-
|
|
1289
|
+
logger5.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
|
|
1297
1290
|
${JSON.stringify(credentialIssuerMetadata)}`);
|
|
1298
1291
|
credential_endpoint = credentialIssuerMetadata.credential_endpoint;
|
|
1299
1292
|
deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint ? credentialIssuerMetadata.deferred_credential_endpoint : void 0;
|
|
@@ -1315,7 +1308,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1315
1308
|
});
|
|
1316
1309
|
let authMetadata = response.successBody;
|
|
1317
1310
|
if (authMetadata) {
|
|
1318
|
-
|
|
1311
|
+
logger5.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
|
|
1319
1312
|
authorizationServerType = "OIDC";
|
|
1320
1313
|
} else {
|
|
1321
1314
|
response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common12.WellKnownEndpoints.OAUTH_AS, {
|
|
@@ -1331,7 +1324,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1331
1324
|
if (!authorizationServerType) {
|
|
1332
1325
|
authorizationServerType = "OAuth 2.0";
|
|
1333
1326
|
}
|
|
1334
|
-
|
|
1327
|
+
logger5.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
|
|
1335
1328
|
if (!authMetadata.authorization_endpoint) {
|
|
1336
1329
|
console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
|
|
1337
1330
|
} else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
|
|
@@ -1350,24 +1343,24 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1350
1343
|
token_endpoint = authMetadata.token_endpoint;
|
|
1351
1344
|
if (authMetadata.credential_endpoint) {
|
|
1352
1345
|
if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
|
|
1353
|
-
|
|
1346
|
+
logger5.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
|
|
1354
1347
|
} else {
|
|
1355
1348
|
credential_endpoint = authMetadata.credential_endpoint;
|
|
1356
1349
|
}
|
|
1357
1350
|
}
|
|
1358
1351
|
if (authMetadata.deferred_credential_endpoint) {
|
|
1359
1352
|
if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
|
|
1360
|
-
|
|
1353
|
+
logger5.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
|
|
1361
1354
|
} else {
|
|
1362
1355
|
deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
|
|
1363
1356
|
}
|
|
1364
1357
|
}
|
|
1365
1358
|
}
|
|
1366
1359
|
if (!authorization_endpoint) {
|
|
1367
|
-
|
|
1360
|
+
logger5.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
|
|
1368
1361
|
}
|
|
1369
1362
|
if (!token_endpoint) {
|
|
1370
|
-
|
|
1363
|
+
logger5.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
|
|
1371
1364
|
if (opts?.errorOnNotFound) {
|
|
1372
1365
|
throw Error(`Could not deduce the token_endpoint for ${issuer}`);
|
|
1373
1366
|
} else {
|
|
@@ -1375,7 +1368,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1375
1368
|
}
|
|
1376
1369
|
}
|
|
1377
1370
|
if (!credential_endpoint) {
|
|
1378
|
-
|
|
1371
|
+
logger5.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
|
|
1379
1372
|
if (opts?.errorOnNotFound) {
|
|
1380
1373
|
throw Error(`Could not deduce the credential endpoint for ${issuer}`);
|
|
1381
1374
|
} else {
|
|
@@ -1385,7 +1378,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1385
1378
|
if (!credentialIssuerMetadata && authMetadata) {
|
|
1386
1379
|
credentialIssuerMetadata = authorization_server ? authMetadata : authMetadata;
|
|
1387
1380
|
}
|
|
1388
|
-
|
|
1381
|
+
logger5.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
1389
1382
|
return {
|
|
1390
1383
|
issuer,
|
|
1391
1384
|
token_endpoint,
|
|
@@ -1417,7 +1410,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1417
1410
|
};
|
|
1418
1411
|
|
|
1419
1412
|
// lib/AuthorizationCodeClient.ts
|
|
1420
|
-
var
|
|
1413
|
+
var logger6 = import_ssi_types8.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
1421
1414
|
async function createSignedAuthRequestWhenNeeded(requestObject, opts) {
|
|
1422
1415
|
if (opts.requestObjectMode === import_oid4vci_common13.CreateRequestObjectMode.REQUEST_URI) {
|
|
1423
1416
|
throw Error(`Request Object Mode ${opts.requestObjectMode} is not supported yet`);
|
|
@@ -1511,8 +1504,8 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1511
1504
|
if ("credentials" in credentialOffer.credential_offer) {
|
|
1512
1505
|
throw new Error("CredentialOffer format is wrong.");
|
|
1513
1506
|
}
|
|
1514
|
-
const ver = version ?? (0, import_oid4vci_common13.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common13.OpenId4VCIVersion.
|
|
1515
|
-
const creds = ver === import_oid4vci_common13.OpenId4VCIVersion.
|
|
1507
|
+
const ver = version ?? (0, import_oid4vci_common13.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_15;
|
|
1508
|
+
const creds = ver === import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_15 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
|
|
1516
1509
|
authorizationDetails = creds.flatMap((cred) => {
|
|
1517
1510
|
const locations = [
|
|
1518
1511
|
credentialOffer?.credential_offer.credential_issuer ?? endpointMetadata.issuer
|
|
@@ -1522,7 +1515,7 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1522
1515
|
if (!credential_configuration_id && !cred.format) {
|
|
1523
1516
|
throw Error("format is required in authorization details");
|
|
1524
1517
|
}
|
|
1525
|
-
const vct = cred.format === "
|
|
1518
|
+
const vct = cred.format === "dc+sd-jwt" ? cred.vct : void 0;
|
|
1526
1519
|
const doctype = cred.format === "mso_mdoc" ? cred.doctype : void 0;
|
|
1527
1520
|
let credential_definition = void 0;
|
|
1528
1521
|
if ((0, import_oid4vci_common13.isW3cCredentialSupported)(cred)) {
|
|
@@ -1588,7 +1581,7 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1588
1581
|
if (!parEndpoint && parMode === import_oid4vci_common13.PARMode.REQUIRE) {
|
|
1589
1582
|
throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
|
|
1590
1583
|
} else if (parEndpoint && parMode !== import_oid4vci_common13.PARMode.NEVER) {
|
|
1591
|
-
|
|
1584
|
+
logger6.debug(`USING PAR with endpoint ${parEndpoint}`);
|
|
1592
1585
|
const parResponse = await (0, import_oid4vci_common13.formPost)(parEndpoint, (0, import_oid4vci_common13.convertJsonToURI)(queryObj, {
|
|
1593
1586
|
mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED,
|
|
1594
1587
|
uriTypeProperties: [
|
|
@@ -1608,9 +1601,9 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1608
1601
|
if (parMode === import_oid4vci_common13.PARMode.REQUIRE) {
|
|
1609
1602
|
throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
|
|
1610
1603
|
}
|
|
1611
|
-
|
|
1604
|
+
logger6.debug("Falling back to regular request URI, since PAR failed", JSON.stringify(parResponse.errorBody));
|
|
1612
1605
|
} else {
|
|
1613
|
-
|
|
1606
|
+
logger6.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
|
|
1614
1607
|
queryObj = {
|
|
1615
1608
|
client_id,
|
|
1616
1609
|
request_uri: parResponse.successBody.request_uri
|
|
@@ -1621,7 +1614,7 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1621
1614
|
...requestObjectOpts,
|
|
1622
1615
|
aud: endpointMetadata.authorization_server
|
|
1623
1616
|
});
|
|
1624
|
-
|
|
1617
|
+
logger6.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
|
|
1625
1618
|
const url = (0, import_oid4vci_common13.convertJsonToURI)(queryObj, {
|
|
1626
1619
|
baseUrl: endpointMetadata.authorization_endpoint,
|
|
1627
1620
|
uriTypeProperties: [
|
|
@@ -1636,7 +1629,7 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1636
1629
|
// arrayTypeProperties: ['authorization_details'],
|
|
1637
1630
|
mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED
|
|
1638
1631
|
});
|
|
1639
|
-
|
|
1632
|
+
logger6.debug(`Authorization Request URL: ${url}`);
|
|
1640
1633
|
return url;
|
|
1641
1634
|
}, "createAuthorizationRequestUrl");
|
|
1642
1635
|
var handleAuthorizationDetails = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
|
|
@@ -1728,8 +1721,8 @@ var sendAuthorizationChallengeRequest = /* @__PURE__ */ __name(async (authorizat
|
|
|
1728
1721
|
|
|
1729
1722
|
// lib/AuthorizationCodeClientV1_0_11.ts
|
|
1730
1723
|
var import_oid4vci_common14 = require("@sphereon/oid4vci-common");
|
|
1731
|
-
var
|
|
1732
|
-
var
|
|
1724
|
+
var import_ssi_types9 = require("@sphereon/ssi-types");
|
|
1725
|
+
var logger7 = import_ssi_types9.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
1733
1726
|
var createAuthorizationRequestUrlV1_0_11 = /* @__PURE__ */ __name(async ({ pkce, endpointMetadata, authorizationRequest, credentialOffer, credentialsSupported }) => {
|
|
1734
1727
|
const { redirectUri, clientId, requestObjectOpts = {
|
|
1735
1728
|
requestObjectMode: import_oid4vci_common14.CreateRequestObjectMode.NONE
|
|
@@ -1788,7 +1781,7 @@ var createAuthorizationRequestUrlV1_0_11 = /* @__PURE__ */ __name(async ({ pkce,
|
|
|
1788
1781
|
if (!parEndpoint && parMode === import_oid4vci_common14.PARMode.REQUIRE) {
|
|
1789
1782
|
throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
|
|
1790
1783
|
} else if (parEndpoint && parMode !== import_oid4vci_common14.PARMode.NEVER) {
|
|
1791
|
-
|
|
1784
|
+
logger7.debug(`USING PAR with endpoint ${parEndpoint}`);
|
|
1792
1785
|
const parResponse = await (0, import_oid4vci_common14.formPost)(parEndpoint, (0, import_oid4vci_common14.convertJsonToURI)(queryObj, {
|
|
1793
1786
|
mode: import_oid4vci_common14.JsonURIMode.X_FORM_WWW_URLENCODED,
|
|
1794
1787
|
uriTypeProperties: [
|
|
@@ -1810,7 +1803,7 @@ var createAuthorizationRequestUrlV1_0_11 = /* @__PURE__ */ __name(async ({ pkce,
|
|
|
1810
1803
|
throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
|
|
1811
1804
|
}
|
|
1812
1805
|
} else {
|
|
1813
|
-
|
|
1806
|
+
logger7.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
|
|
1814
1807
|
queryObj = {
|
|
1815
1808
|
request_uri: parResponse.successBody.request_uri
|
|
1816
1809
|
};
|
|
@@ -1820,7 +1813,7 @@ var createAuthorizationRequestUrlV1_0_11 = /* @__PURE__ */ __name(async ({ pkce,
|
|
|
1820
1813
|
...requestObjectOpts,
|
|
1821
1814
|
aud: endpointMetadata.authorization_server
|
|
1822
1815
|
});
|
|
1823
|
-
|
|
1816
|
+
logger7.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
|
|
1824
1817
|
const url = (0, import_oid4vci_common14.convertJsonToURI)(queryObj, {
|
|
1825
1818
|
baseUrl: endpointMetadata.authorization_endpoint,
|
|
1826
1819
|
uriTypeProperties: [
|
|
@@ -1834,7 +1827,7 @@ var createAuthorizationRequestUrlV1_0_11 = /* @__PURE__ */ __name(async ({ pkce,
|
|
|
1834
1827
|
// arrayTypeProperties: ['authorization_details'],
|
|
1835
1828
|
mode: import_oid4vci_common14.JsonURIMode.X_FORM_WWW_URLENCODED
|
|
1836
1829
|
});
|
|
1837
|
-
|
|
1830
|
+
logger7.debug(`Authorization Request URL: ${url}`);
|
|
1838
1831
|
return url;
|
|
1839
1832
|
}, "createAuthorizationRequestUrlV1_0_11");
|
|
1840
1833
|
var handleAuthorizationDetailsV1_0_11 = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
|
|
@@ -1880,8 +1873,8 @@ var handleLocations2 = /* @__PURE__ */ __name((endpointMetadata, authorizationDe
|
|
|
1880
1873
|
// lib/CredentialRequestClient.ts
|
|
1881
1874
|
var import_oid4vc_common5 = require("@sphereon/oid4vc-common");
|
|
1882
1875
|
var import_oid4vci_common15 = require("@sphereon/oid4vci-common");
|
|
1883
|
-
var
|
|
1884
|
-
var
|
|
1876
|
+
var import_ssi_types10 = require("@sphereon/ssi-types");
|
|
1877
|
+
var logger8 = import_ssi_types10.Loggers.DEFAULT.get("sphereon:oid4vci:credential");
|
|
1885
1878
|
async function buildProof(proofInput, opts) {
|
|
1886
1879
|
if ("proof_type" in proofInput) {
|
|
1887
1880
|
if (opts.cNonce) {
|
|
@@ -1895,6 +1888,27 @@ async function buildProof(proofInput, opts) {
|
|
|
1895
1888
|
return await proofInput.build();
|
|
1896
1889
|
}
|
|
1897
1890
|
__name(buildProof, "buildProof");
|
|
1891
|
+
function isOpenIdCredentialDetail(ad) {
|
|
1892
|
+
return typeof ad === "object" && ad !== null && ad.type === "openid_credential";
|
|
1893
|
+
}
|
|
1894
|
+
__name(isOpenIdCredentialDetail, "isOpenIdCredentialDetail");
|
|
1895
|
+
function findAuthorizationDetail(authorizationDetails, preferredConfigId) {
|
|
1896
|
+
if (!authorizationDetails) {
|
|
1897
|
+
return void 0;
|
|
1898
|
+
}
|
|
1899
|
+
const openIdCredentialDetails = authorizationDetails.filter(isOpenIdCredentialDetail);
|
|
1900
|
+
if (openIdCredentialDetails.length === 0) {
|
|
1901
|
+
return void 0;
|
|
1902
|
+
}
|
|
1903
|
+
if (preferredConfigId) {
|
|
1904
|
+
const match = openIdCredentialDetails.find((detail) => typeof detail === "object" && detail !== null && detail.credential_configuration_id === preferredConfigId);
|
|
1905
|
+
if (match) {
|
|
1906
|
+
return match;
|
|
1907
|
+
}
|
|
1908
|
+
}
|
|
1909
|
+
return openIdCredentialDetails[0];
|
|
1910
|
+
}
|
|
1911
|
+
__name(findAuthorizationDetail, "findAuthorizationDetail");
|
|
1898
1912
|
var CredentialRequestClient = class {
|
|
1899
1913
|
static {
|
|
1900
1914
|
__name(this, "CredentialRequestClient");
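Review bot: findAuthorizationDetail returns `openIdCredentialDetails[0]` when a `preferredConfigId` was given but no detail matches it, so the caller cannot tell a match from a fallback. In the later createCredentialRequestImpl hunk the returned detail's `credential_identifier` is placed in the request ahead of the caller's own `credentialConfigurationId`, so a request made for one configuration can carry an identifier that belongs to another. Replacing `if (match) { return match; }` with a plain `return match;` inside the `if (preferredConfigId)` block would report a miss as `undefined` while keeping the first-entry fallback for callers that state no preference. The `typeof detail === "object" && detail !== null` test inside `find` repeats what `isOpenIdCredentialDetail` has already established.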
|
|
@@ -1934,7 +1948,10 @@ var CredentialRequestClient = class {
|
|
|
1934
1948
|
credentialIdentifier,
|
|
1935
1949
|
subjectIssuance
|
|
1936
1950
|
});
|
|
1937
|
-
|
|
1951
|
+
if (!import_oid4vci_common15.supportedOID4VCICredentialFormat.includes(format)) {
|
|
1952
|
+
return Promise.reject(Error(`Unsupported credential format: ${format}`));
|
|
1953
|
+
}
|
|
1954
|
+
return await this.acquireCredentialsUsingRequestWithoutProof(request, format, opts.createDPoPOpts);
|
|
1938
1955
|
}
|
|
1939
1956
|
async acquireCredentialsUsingProof(opts) {
|
|
1940
1957
|
const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts;
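Review bot: The format check added here rejects any `format` outside `supportedOID4VCICredentialFormat` for every spec version, while the matching check in the next hunk (acquireCredentialsUsingProof) only applies when `this.version() <= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13`. If a v1.0-15 request built from a `credential_configuration_id` carries no `format`, this path would fail before anything is sent; the method's opening lines are outside the hunk, so where `format` comes from cannot be confirmed here. Using the version-gated condition from the next hunk in both places would keep the two entry points consistent. Both checks also use `return Promise.reject(Error(...))` inside an `async` method, where the neighbouring code in this class uses `throw`.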
|
|
@@ -1947,26 +1964,29 @@ var CredentialRequestClient = class {
|
|
|
1947
1964
|
credentialIdentifier,
|
|
1948
1965
|
subjectIssuance
|
|
1949
1966
|
});
|
|
1950
|
-
|
|
1967
|
+
if (this.version() <= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13 && !import_oid4vci_common15.supportedOID4VCICredentialFormat.includes(format)) {
|
|
1968
|
+
return Promise.reject(Error(`Unsupported credential format: ${format}`));
|
|
1969
|
+
}
|
|
1970
|
+
return await this.acquireCredentialsUsingRequest(request, format, opts.createDPoPOpts);
|
|
1951
1971
|
}
|
|
1952
|
-
async acquireCredentialsUsingRequestWithoutProof(uniformRequest, createDPoPOpts) {
|
|
1953
|
-
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
|
|
1972
|
+
async acquireCredentialsUsingRequestWithoutProof(uniformRequest, format, createDPoPOpts) {
|
|
1973
|
+
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
|
|
1954
1974
|
}
|
|
1955
|
-
async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
|
|
1956
|
-
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
|
|
1975
|
+
async acquireCredentialsUsingRequest(uniformRequest, format, createDPoPOpts) {
|
|
1976
|
+
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
|
|
1957
1977
|
}
|
|
1958
|
-
async acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts) {
|
|
1978
|
+
async acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts) {
|
|
1959
1979
|
if (this.version() < import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13) {
|
|
1960
1980
|
throw new Error("Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.");
|
|
1961
1981
|
}
|
|
1962
|
-
const request = (0, import_oid4vci_common15.getCredentialRequestForVersion)(uniformRequest, this.version());
|
|
1982
|
+
const request = (0, import_oid4vci_common15.getCredentialRequestForVersion)(uniformRequest, format, this.version());
|
|
1963
1983
|
const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
|
|
1964
1984
|
if (!(0, import_oid4vci_common15.isValidURL)(credentialEndpoint)) {
|
|
1965
|
-
|
|
1985
|
+
logger8.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
|
|
1966
1986
|
throw new Error(import_oid4vci_common15.URL_NOT_VALID);
|
|
1967
1987
|
}
|
|
1968
|
-
|
|
1969
|
-
|
|
1988
|
+
logger8.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
|
|
1989
|
+
logger8.debug(`request
|
|
1970
1990
|
: ${JSON.stringify(request, null, 2)}`);
|
|
1971
1991
|
const requestToken = this.credentialRequestOpts.token;
|
|
1972
1992
|
let dPoP = createDPoPOpts ? await (0, import_oid4vc_common5.createDPoP)((0, import_oid4vc_common5.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
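Review bot: `format` is inserted as the second positional parameter of `acquireCredentialsUsingRequest` and `acquireCredentialsUsingRequestWithoutProof`, so an existing caller that still passes `(uniformRequest, createDPoPOpts)` now supplies its DPoP options as `format` and leaves `createDPoPOpts` undefined. The last line of this hunk builds the proof only when `createDPoPOpts` is truthy, so such a call would presumably be sent without a DPoP proof rather than fail. `CredentialRequestClientV1_0_11.acquireCredentialsUsingRequest` keeps the two-argument order in a later hunk, so the two clients now disagree. Appending the parameter instead, `async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts, format) {`, or rejecting a non-string `format` at the top of the method, would avoid the silent downgrade. acquireCredentialsUsingRequestImpl continues past the end of the hunk.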
|
|
@@ -2010,7 +2030,7 @@ var CredentialRequestClient = class {
|
|
|
2010
2030
|
throw Error("Subject signing was requested, but issuer did not provide the options in its response");
|
|
2011
2031
|
}
|
|
2012
2032
|
}
|
|
2013
|
-
|
|
2033
|
+
logger8.debug(`Credential endpoint ${credentialEndpoint} response:\r
|
|
2014
2034
|
${JSON.stringify(response, null, 2)}`);
|
|
2015
2035
|
return {
|
|
2016
2036
|
...response,
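Review bot: The debug line added here serialises the whole credential endpoint response with `JSON.stringify(response, null, 2)`, which writes the issued credential to whatever sink is attached to the `sphereon:oid4vci:credential` logger. The same line in the CredentialRequestClientV1_0_11 hunk further down runs directly after `response.access_token = requestToken;`, so there the bearer token is logged as well. A summary such as `logger8.debug("Credential endpoint " + credentialEndpoint + " status: " + response.origResponse.status);` would keep the diagnostic without the credential or token. The enclosing method starts and ends outside the hunk.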
|
|
@@ -2047,27 +2067,64 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2047
2067
|
return await this.createCredentialRequestImpl(opts);
|
|
2048
2068
|
}
|
|
2049
2069
|
async createCredentialRequestImpl(opts) {
|
|
2050
|
-
const { proofInput, credentialIdentifier
|
|
2070
|
+
const { proofInput, credentialIdentifier, credentialConfigurationId } = opts;
|
|
2051
2071
|
let proof = void 0;
|
|
2052
2072
|
if (proofInput) {
|
|
2053
2073
|
proof = await buildProof(proofInput, opts);
|
|
2054
2074
|
}
|
|
2055
|
-
if (
|
|
2056
|
-
|
|
2057
|
-
|
|
2058
|
-
|
|
2059
|
-
|
|
2060
|
-
|
|
2075
|
+
if (this.version() >= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_15) {
|
|
2076
|
+
const authDetail = findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId ?? credentialIdentifier);
|
|
2077
|
+
const issuer_state2 = this.credentialRequestOpts.issuerState;
|
|
2078
|
+
const commonBody = {
|
|
2079
|
+
...issuer_state2 && {
|
|
2080
|
+
issuer_state: issuer_state2
|
|
2081
|
+
},
|
|
2061
2082
|
...proof && {
|
|
2062
2083
|
proof
|
|
2063
|
-
}
|
|
2084
|
+
},
|
|
2085
|
+
...opts.subjectIssuance
|
|
2086
|
+
};
|
|
2087
|
+
const authDetailObj = authDetail && typeof authDetail === "object" ? authDetail : null;
|
|
2088
|
+
if (authDetailObj?.credential_identifier) {
|
|
2089
|
+
return {
|
|
2090
|
+
credential_identifier: authDetailObj.credential_identifier,
|
|
2091
|
+
...commonBody
|
|
2092
|
+
};
|
|
2093
|
+
}
|
|
2094
|
+
if (authDetailObj?.credential_identifiers && authDetailObj.credential_identifiers.length > 0) {
|
|
2095
|
+
return {
|
|
2096
|
+
credential_identifier: authDetailObj.credential_identifiers[0],
|
|
2097
|
+
...commonBody
|
|
2098
|
+
};
|
|
2099
|
+
}
|
|
2100
|
+
const configId2 = credentialConfigurationId ?? authDetailObj?.credential_configuration_id ?? this._credentialRequestOpts.credentialConfigurationId;
|
|
2101
|
+
if (configId2) {
|
|
2102
|
+
return {
|
|
2103
|
+
credential_configuration_id: configId2,
|
|
2104
|
+
...commonBody
|
|
2105
|
+
};
|
|
2106
|
+
}
|
|
2107
|
+
if (credentialIdentifier) {
|
|
2108
|
+
return {
|
|
2109
|
+
credential_identifier: credentialIdentifier,
|
|
2110
|
+
...commonBody
|
|
2111
|
+
};
|
|
2112
|
+
}
|
|
2113
|
+
return Promise.reject(Error("No credential_identifier or credential_configuration_id available for v1.0-15 request"));
|
|
2114
|
+
}
|
|
2115
|
+
if (credentialIdentifier) {
|
|
2116
|
+
const proof_obj = proof ? {
|
|
2117
|
+
proof
|
|
2118
|
+
} : {};
|
|
2119
|
+
return {
|
|
2120
|
+
credential_identifier: credentialIdentifier,
|
|
2121
|
+
...proof_obj
|
|
2064
2122
|
};
|
|
2065
2123
|
}
|
|
2066
2124
|
const formatSelection = opts.format ?? this.credentialRequestOpts.format;
|
|
2067
2125
|
if (!formatSelection) {
|
|
2068
2126
|
throw Error(`Format of credential to be issued is missing`);
|
|
2069
2127
|
}
|
|
2070
|
-
const format = (0, import_oid4vci_common15.getUniformFormat)(formatSelection);
|
|
2071
2128
|
const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
|
|
2072
2129
|
if (!typesSelection) {
|
|
2073
2130
|
throw Error(`Credential type(s) need to be provided`);
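Review bot: The v1.0-15 branch reads `this._credentialRequestOpts.credentialConfigurationId` directly, while the other accesses in this method go through `this.credentialRequestOpts` (`authorizationDetails`, `issuerState`, `format`); using the accessor here too, `this.credentialRequestOpts.credentialConfigurationId`, would keep one access path. The `commonBody` literal built in this branch is the same spread of `issuer_state`, `proof` and `opts.subjectIssuance` as `baseBody` in the next hunk, so the two could be built once before the version check. createCredentialRequestImpl ends outside the hunk.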
|
|
@@ -2079,70 +2136,20 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2079
2136
|
throw Error(`Credential type(s) need to be provided`);
|
|
2080
2137
|
}
|
|
2081
2138
|
const issuer_state = this.credentialRequestOpts.issuerState;
|
|
2082
|
-
|
|
2083
|
-
|
|
2084
|
-
|
|
2085
|
-
|
|
2086
|
-
|
|
2087
|
-
|
|
2088
|
-
|
|
2089
|
-
|
|
2090
|
-
|
|
2091
|
-
|
|
2092
|
-
|
|
2093
|
-
|
|
2094
|
-
|
|
2095
|
-
|
|
2096
|
-
} else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
|
|
2097
|
-
if (this.version() >= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
|
|
2098
|
-
throw Error("No @context value present, but it is required");
|
|
2099
|
-
}
|
|
2100
|
-
return {
|
|
2101
|
-
format,
|
|
2102
|
-
...issuer_state && {
|
|
2103
|
-
issuer_state
|
|
2104
|
-
},
|
|
2105
|
-
...proof && {
|
|
2106
|
-
proof
|
|
2107
|
-
},
|
|
2108
|
-
...opts.subjectIssuance,
|
|
2109
|
-
credential_definition: {
|
|
2110
|
-
type: types,
|
|
2111
|
-
"@context": opts.context
|
|
2112
|
-
}
|
|
2113
|
-
};
|
|
2114
|
-
} else if (format === "vc+sd-jwt") {
|
|
2115
|
-
if (types.length > 1) {
|
|
2116
|
-
throw Error(`Only a single credential type is supported for ${format}`);
|
|
2117
|
-
}
|
|
2118
|
-
return {
|
|
2119
|
-
format,
|
|
2120
|
-
...issuer_state && {
|
|
2121
|
-
issuer_state
|
|
2122
|
-
},
|
|
2123
|
-
...proof && {
|
|
2124
|
-
proof
|
|
2125
|
-
},
|
|
2126
|
-
vct: types[0],
|
|
2127
|
-
...opts.subjectIssuance
|
|
2128
|
-
};
|
|
2129
|
-
} else if (format === "mso_mdoc") {
|
|
2130
|
-
if (types.length > 1) {
|
|
2131
|
-
throw Error(`Only a single credential type is supported for ${format}`);
|
|
2132
|
-
}
|
|
2133
|
-
return {
|
|
2134
|
-
format,
|
|
2135
|
-
...issuer_state && {
|
|
2136
|
-
issuer_state
|
|
2137
|
-
},
|
|
2138
|
-
...proof && {
|
|
2139
|
-
proof
|
|
2140
|
-
},
|
|
2141
|
-
doctype: types[0],
|
|
2142
|
-
...opts.subjectIssuance
|
|
2143
|
-
};
|
|
2144
|
-
}
|
|
2145
|
-
throw new Error(`Unsupported credential format: ${format}`);
|
|
2139
|
+
const baseBody = {
|
|
2140
|
+
...issuer_state && {
|
|
2141
|
+
issuer_state
|
|
2142
|
+
},
|
|
2143
|
+
...proof && {
|
|
2144
|
+
proof
|
|
2145
|
+
},
|
|
2146
|
+
...opts.subjectIssuance
|
|
2147
|
+
};
|
|
2148
|
+
const configId = credentialConfigurationId ?? "default";
|
|
2149
|
+
return {
|
|
2150
|
+
credential_configuration_id: configId,
|
|
2151
|
+
...baseBody
|
|
2152
|
+
};
|
|
2146
2153
|
}
|
|
2147
2154
|
version() {
|
|
2148
2155
|
return this.credentialRequestOpts?.version ?? import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13;
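Review bot: When `credentialConfigurationId` is absent the pre-v1.0-15 path now sends the literal `credential_configuration_id: "default"`, so a caller that supplied only a format and credential types gets a request for a configuration it never named. The format and credential-type checks kept above this point still throw on missing values, but within this method neither value reaches the returned body any more. Failing instead of guessing, `if (!credentialConfigurationId) { throw Error("credentialConfigurationId is required to build the credential request"); }`, would surface the problem at the call site. createCredentialRequestImpl starts outside the hunk.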
|
|
@@ -2151,16 +2158,14 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2151
2158
|
|
|
2152
2159
|
// lib/CredentialOfferClient.ts
|
|
2153
2160
|
var import_oid4vci_common16 = require("@sphereon/oid4vci-common");
|
|
2154
|
-
var import_debug9 = __toESM(require("debug"), 1);
|
|
2155
|
-
var debug9 = (0, import_debug9.default)("sphereon:oid4vci:offer");
|
|
2156
2161
|
var CredentialOfferClient = class {
|
|
2157
2162
|
static {
|
|
2158
2163
|
__name(this, "CredentialOfferClient");
|
|
2159
2164
|
}
|
|
2160
2165
|
static async fromURI(uri, opts) {
|
|
2161
|
-
|
|
2166
|
+
LOG.debug(`Credential Offer URI: ${uri}`);
|
|
2162
2167
|
if (!uri.includes("?") || !uri.includes("://")) {
|
|
2163
|
-
|
|
2168
|
+
LOG.debug(`Invalid Credential Offer URI: ${uri}`);
|
|
2164
2169
|
throw Error(`Invalid Credential Offer Request`);
|
|
2165
2170
|
}
|
|
2166
2171
|
const scheme = uri.split("://")[0];
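Review bot: The debug lines added at the top of `fromURI` write the complete credential offer URI to the log, and a by-value offer carries its `grants` object in that URI, which for the pre-authorized flow presumably includes the pre-authorized code. The same pattern appears in the CredentialOfferClientV1_0_11, CredentialOfferClientV1_0_13 and CredentialOfferClientV1_0_15 hunks below. Logging only the part before the query, `LOG.debug("Credential Offer URI base: " + uri.split("?")[0]);`, keeps the trace useful without the grant material. `LOG` is not declared in this hunk even though the `debug9` declaration is removed, so it is worth confirming that it is defined at module scope; the sibling clients each declare their own numbered logger.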
|
|
@@ -2216,7 +2221,7 @@ var CredentialOfferClient = class {
|
|
|
2216
2221
|
};
|
|
2217
2222
|
}
|
|
2218
2223
|
static toURI(requestWithBaseUrl, opts) {
|
|
2219
|
-
|
|
2224
|
+
LOG.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
|
|
2220
2225
|
const version = opts?.version ?? requestWithBaseUrl.version;
|
|
2221
2226
|
let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
|
|
2222
2227
|
let param;
|
|
@@ -2258,16 +2263,16 @@ var CredentialOfferClient = class {
|
|
|
2258
2263
|
|
|
2259
2264
|
// lib/CredentialOfferClientV1_0_11.ts
|
|
2260
2265
|
var import_oid4vci_common17 = require("@sphereon/oid4vci-common");
|
|
2261
|
-
var
|
|
2262
|
-
var
|
|
2266
|
+
var import_ssi_types11 = require("@sphereon/ssi-types");
|
|
2267
|
+
var logger9 = import_ssi_types11.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
|
|
2263
2268
|
var CredentialOfferClientV1_0_11 = class {
|
|
2264
2269
|
static {
|
|
2265
2270
|
__name(this, "CredentialOfferClientV1_0_11");
|
|
2266
2271
|
}
|
|
2267
2272
|
static async fromURI(uri, opts) {
|
|
2268
|
-
|
|
2273
|
+
logger9.debug(`Credential Offer URI: ${uri}`);
|
|
2269
2274
|
if (!uri.includes("?") || !uri.includes("://")) {
|
|
2270
|
-
|
|
2275
|
+
logger9.debug(`Invalid Credential Offer URI: ${uri}`);
|
|
2271
2276
|
throw Error(`Invalid Credential Offer Request`);
|
|
2272
2277
|
}
|
|
2273
2278
|
const scheme = uri.split("://")[0];
|
|
@@ -2328,7 +2333,7 @@ var CredentialOfferClientV1_0_11 = class {
|
|
|
2328
2333
|
};
|
|
2329
2334
|
}
|
|
2330
2335
|
static toURI(requestWithBaseUrl, opts) {
|
|
2331
|
-
|
|
2336
|
+
logger9.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
|
|
2332
2337
|
const version = opts?.version ?? requestWithBaseUrl.version;
|
|
2333
2338
|
let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
|
|
2334
2339
|
let param;
|
|
@@ -2370,16 +2375,16 @@ var CredentialOfferClientV1_0_11 = class {
|
|
|
2370
2375
|
|
|
2371
2376
|
// lib/CredentialOfferClientV1_0_13.ts
|
|
2372
2377
|
var import_oid4vci_common18 = require("@sphereon/oid4vci-common");
|
|
2373
|
-
var
|
|
2374
|
-
var
|
|
2378
|
+
var import_ssi_types12 = require("@sphereon/ssi-types");
|
|
2379
|
+
var logger10 = import_ssi_types12.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
|
|
2375
2380
|
var CredentialOfferClientV1_0_13 = class {
|
|
2376
2381
|
static {
|
|
2377
2382
|
__name(this, "CredentialOfferClientV1_0_13");
|
|
2378
2383
|
}
|
|
2379
2384
|
static async fromURI(uri, opts) {
|
|
2380
|
-
|
|
2385
|
+
logger10.debug(`Credential Offer URI: ${uri}`);
|
|
2381
2386
|
if (!uri.includes("?") || !uri.includes("://")) {
|
|
2382
|
-
|
|
2387
|
+
logger10.debug(`Invalid Credential Offer URI: ${uri}`);
|
|
2383
2388
|
throw Error(`Invalid Credential Offer Request`);
|
|
2384
2389
|
}
|
|
2385
2390
|
const scheme = uri.split("://")[0];
|
|
@@ -2418,7 +2423,7 @@ var CredentialOfferClientV1_0_13 = class {
|
|
|
2418
2423
|
};
|
|
2419
2424
|
}
|
|
2420
2425
|
static toURI(requestWithBaseUrl, opts) {
|
|
2421
|
-
|
|
2426
|
+
logger10.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
|
|
2422
2427
|
const version = opts?.version ?? requestWithBaseUrl.version;
|
|
2423
2428
|
let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
|
|
2424
2429
|
let param;
|
|
@@ -2458,11 +2463,101 @@ var CredentialOfferClientV1_0_13 = class {
|
|
|
2458
2463
|
}
|
|
2459
2464
|
};
|
|
2460
2465
|
|
|
2466
|
+
// lib/CredentialOfferClientV1_0_15.ts
|
|
2467
|
+
var import_oid4vci_common19 = require("@sphereon/oid4vci-common");
|
|
2468
|
+
var import_ssi_types13 = require("@sphereon/ssi-types");
|
|
2469
|
+
var logger11 = import_ssi_types13.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
|
|
2470
|
+
var CredentialOfferClientV1_0_15 = class {
|
|
2471
|
+
static {
|
|
2472
|
+
__name(this, "CredentialOfferClientV1_0_15");
|
|
2473
|
+
}
|
|
2474
|
+
static async fromURI(uri, opts) {
|
|
2475
|
+
logger11.debug(`Credential Offer URI: ${uri}`);
|
|
2476
|
+
if (!uri.includes("?") || !uri.includes("://")) {
|
|
2477
|
+
logger11.debug(`Invalid Credential Offer URI: ${uri}`);
|
|
2478
|
+
throw Error(`Invalid Credential Offer Request`);
|
|
2479
|
+
}
|
|
2480
|
+
const scheme = uri.split("://")[0];
|
|
2481
|
+
const baseUrl = uri.split("?")[0];
|
|
2482
|
+
const version = (0, import_oid4vci_common19.determineSpecVersionFromURI)(uri);
|
|
2483
|
+
let credentialOffer;
|
|
2484
|
+
if (uri.includes("credential_offer_uri")) {
|
|
2485
|
+
credentialOffer = await handleCredentialOfferUri(uri);
|
|
2486
|
+
} else {
|
|
2487
|
+
credentialOffer = (0, import_oid4vci_common19.convertURIToJsonObject)(uri, {
|
|
2488
|
+
// It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
|
|
2489
|
+
arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
|
|
2490
|
+
"credential_configuration_ids",
|
|
2491
|
+
"credential_offer_uri="
|
|
2492
|
+
] : [
|
|
2493
|
+
"credential_configuration_ids",
|
|
2494
|
+
"credential_offer="
|
|
2495
|
+
],
|
|
2496
|
+
requiredProperties: uri.includes("credential_offer_uri=") ? [
|
|
2497
|
+
"credential_offer_uri="
|
|
2498
|
+
] : [
|
|
2499
|
+
"credential_offer="
|
|
2500
|
+
]
|
|
2501
|
+
});
|
|
2502
|
+
}
|
|
2503
|
+
if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
|
|
2504
|
+
throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
|
|
2505
|
+
}
|
|
2506
|
+
const request = await (0, import_oid4vci_common19.toUniformCredentialOfferRequest)(credentialOffer, {
|
|
2507
|
+
...opts,
|
|
2508
|
+
version
|
|
2509
|
+
});
|
|
2510
|
+
return {
|
|
2511
|
+
...constructBaseResponse(request, scheme, baseUrl),
|
|
2512
|
+
userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common19.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false)
|
|
2513
|
+
};
|
|
2514
|
+
}
|
|
2515
|
+
static toURI(requestWithBaseUrl, opts) {
|
|
2516
|
+
logger11.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
|
|
2517
|
+
const version = opts?.version ?? requestWithBaseUrl.version;
|
|
2518
|
+
let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
|
|
2519
|
+
let param;
|
|
2520
|
+
const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
|
|
2521
|
+
if (version.valueOf() >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
|
|
2522
|
+
if (!baseUrl.includes("?")) {
|
|
2523
|
+
param = isUri ? "credential_offer_uri" : "credential_offer";
|
|
2524
|
+
} else {
|
|
2525
|
+
const split = baseUrl.split("?");
|
|
2526
|
+
if (split.length > 1 && split[1] !== "") {
|
|
2527
|
+
if (baseUrl.endsWith("&")) {
|
|
2528
|
+
param = isUri ? "credential_offer_uri" : "credential_offer";
|
|
2529
|
+
} else if (!baseUrl.endsWith("=")) {
|
|
2530
|
+
baseUrl += `&`;
|
|
2531
|
+
param = isUri ? "credential_offer_uri" : "credential_offer";
|
|
2532
|
+
}
|
|
2533
|
+
}
|
|
2534
|
+
}
|
|
2535
|
+
}
|
|
2536
|
+
return (0, import_oid4vci_common19.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
|
|
2537
|
+
baseUrl,
|
|
2538
|
+
arrayTypeProperties: isUri ? [] : [
|
|
2539
|
+
"credential_type"
|
|
2540
|
+
],
|
|
2541
|
+
uriTypeProperties: isUri ? [
|
|
2542
|
+
"credential_offer_uri"
|
|
2543
|
+
] : version >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_15 ? [
|
|
2544
|
+
"credential_issuer",
|
|
2545
|
+
"credential_type"
|
|
2546
|
+
] : [
|
|
2547
|
+
"issuer",
|
|
2548
|
+
"credential_type"
|
|
2549
|
+
],
|
|
2550
|
+
param,
|
|
2551
|
+
version
|
|
2552
|
+
});
|
|
2553
|
+
}
|
|
2554
|
+
};
|
|
2555
|
+
|
|
2461
2556
|
// lib/CredentialRequestClientV1_0_11.ts
|
|
2462
2557
|
var import_oid4vc_common6 = require("@sphereon/oid4vc-common");
|
|
2463
|
-
var
|
|
2464
|
-
var
|
|
2465
|
-
var
|
|
2558
|
+
var import_oid4vci_common20 = require("@sphereon/oid4vci-common");
|
|
2559
|
+
var import_ssi_types14 = require("@sphereon/ssi-types");
|
|
2560
|
+
var logger12 = import_ssi_types14.Loggers.DEFAULT.get("sphereon:oid4vci:credential");
|
|
2466
2561
|
var CredentialRequestClientV1_0_11 = class {
|
|
2467
2562
|
static {
|
|
2468
2563
|
__name(this, "CredentialRequestClientV1_0_11");
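Review bot: `CredentialOfferClientV1_0_15.fromURI` chooses the by-reference path with `uri.includes("credential_offer_uri")`, a substring test over the whole URI, so a by-value offer whose host, path or encoded JSON merely contains that text is handed to `handleCredentialOfferUri`. Because of that test, the `uri.includes("credential_offer_uri=")` ternaries in the else branch can never take their first arm. Testing the parameter name on a parsed query, for example `new URL(uri).searchParams.has("credential_offer_uri")`, would make the branch exact, assuming the custom offer schemes parse with `URL`. `handleCredentialOfferUri` is defined outside this hunk, so what it does with the value is not visible here.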
|
|
@@ -2498,20 +2593,24 @@ var CredentialRequestClientV1_0_11 = class {
|
|
|
2498
2593
|
return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
|
|
2499
2594
|
}
|
|
2500
2595
|
async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
|
|
2501
|
-
const
|
|
2596
|
+
const uniformRequestV11 = uniformRequest;
|
|
2597
|
+
if (!uniformRequestV11.format) {
|
|
2598
|
+
return Promise.reject(Error("format is missing from the (legacy v11) credential request"));
|
|
2599
|
+
}
|
|
2600
|
+
const request = (0, import_oid4vci_common20.getCredentialRequestForVersion)(uniformRequest, uniformRequestV11.format, this.version());
|
|
2502
2601
|
const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
|
|
2503
|
-
if (!(0,
|
|
2504
|
-
|
|
2505
|
-
throw new Error(
|
|
2602
|
+
if (!(0, import_oid4vci_common20.isValidURL)(credentialEndpoint)) {
|
|
2603
|
+
logger12.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
|
|
2604
|
+
throw new Error(import_oid4vci_common20.URL_NOT_VALID);
|
|
2506
2605
|
}
|
|
2507
|
-
|
|
2508
|
-
|
|
2606
|
+
logger12.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
|
|
2607
|
+
logger12.debug(`request
|
|
2509
2608
|
: ${JSON.stringify(request, null, 2)}`);
|
|
2510
2609
|
const requestToken = this.credentialRequestOpts.token;
|
|
2511
2610
|
let dPoP = createDPoPOpts ? await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
|
|
2512
2611
|
accessToken: requestToken
|
|
2513
2612
|
})) : void 0;
|
|
2514
|
-
let response = await (0,
|
|
2613
|
+
let response = await (0, import_oid4vci_common20.post)(credentialEndpoint, JSON.stringify(request), {
|
|
2515
2614
|
bearerToken: requestToken,
|
|
2516
2615
|
customHeaders: {
|
|
2517
2616
|
...createDPoPOpts && {
|
|
@@ -2526,7 +2625,7 @@ var CredentialRequestClientV1_0_11 = class {
|
|
|
2526
2625
|
dPoP = await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
|
|
2527
2626
|
accessToken: requestToken
|
|
2528
2627
|
}));
|
|
2529
|
-
response = await (0,
|
|
2628
|
+
response = await (0, import_oid4vci_common20.post)(credentialEndpoint, JSON.stringify(request), {
|
|
2530
2629
|
bearerToken: requestToken,
|
|
2531
2630
|
customHeaders: {
|
|
2532
2631
|
...createDPoPOpts && {
|
|
@@ -2537,14 +2636,14 @@ var CredentialRequestClientV1_0_11 = class {
|
|
|
2537
2636
|
const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
|
|
2538
2637
|
nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
|
|
2539
2638
|
}
|
|
2540
|
-
this._isDeferred = (0,
|
|
2639
|
+
this._isDeferred = (0, import_oid4vci_common20.isDeferredCredentialResponse)(response);
|
|
2541
2640
|
if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
|
|
2542
2641
|
response = await this.acquireDeferredCredential(response.successBody, {
|
|
2543
2642
|
bearerToken: this.credentialRequestOpts.token
|
|
2544
2643
|
});
|
|
2545
2644
|
}
|
|
2546
2645
|
response.access_token = requestToken;
|
|
2547
|
-
|
|
2646
|
+
logger12.debug(`Credential endpoint ${credentialEndpoint} response:\r
|
|
2548
2647
|
${JSON.stringify(response, null, 2)}`);
|
|
2549
2648
|
return {
|
|
2550
2649
|
...response,
|
|
@@ -2566,7 +2665,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2566
2665
|
} else if (!bearerToken) {
|
|
2567
2666
|
throw Error(`No bearer token present and refresh for defered endpoint not supported yet`);
|
|
2568
2667
|
}
|
|
2569
|
-
return await (0,
|
|
2668
|
+
return await (0, import_oid4vci_common20.acquireDeferredCredential)({
|
|
2570
2669
|
bearerToken,
|
|
2571
2670
|
transactionId,
|
|
2572
2671
|
deferredCredentialEndpoint,
|
|
@@ -2580,7 +2679,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2580
2679
|
if (!formatSelection) {
|
|
2581
2680
|
throw Error(`Format of credential to be issued is missing`);
|
|
2582
2681
|
}
|
|
2583
|
-
const format = (0,
|
|
2682
|
+
const format = (0, import_oid4vci_common20.getUniformFormat)(formatSelection);
|
|
2584
2683
|
const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
|
|
2585
2684
|
const types = Array.isArray(typesSelection) ? typesSelection : [
|
|
2586
2685
|
typesSelection
|
|
@@ -2598,7 +2697,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2598
2697
|
proof
|
|
2599
2698
|
};
|
|
2600
2699
|
} else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
|
|
2601
|
-
if (this.version() >=
|
|
2700
|
+
if (this.version() >= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
|
|
2602
2701
|
throw Error("No @context value present, but it is required");
|
|
2603
2702
|
}
|
|
2604
2703
|
return {
|
|
@@ -2636,18 +2735,18 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2636
2735
|
throw new Error(`Unsupported format: ${format}`);
|
|
2637
2736
|
}
|
|
2638
2737
|
version() {
|
|
2639
|
-
return this.credentialRequestOpts?.version ??
|
|
2738
|
+
return this.credentialRequestOpts?.version ?? import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11;
|
|
2640
2739
|
}
|
|
2641
2740
|
isV11OrHigher() {
|
|
2642
|
-
return this.version() >=
|
|
2741
|
+
return this.version() >= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11;
|
|
2643
2742
|
}
|
|
2644
2743
|
};
|
|
2645
2744
|
|
|
2646
2745
|
// lib/CredentialRequestClientBuilder.ts
|
|
2647
|
-
var
|
|
2746
|
+
var import_oid4vci_common24 = require("@sphereon/oid4vci-common");
|
|
2648
2747
|
|
|
2649
2748
|
// lib/CredentialRequestClientBuilderV1_0_11.ts
|
|
2650
|
-
var
|
|
2749
|
+
var import_oid4vci_common21 = require("@sphereon/oid4vci-common");
|
|
2651
2750
|
var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilderV1_0_11 {
|
|
2652
2751
|
static {
|
|
2653
2752
|
__name(this, "CredentialRequestClientBuilderV1_0_11");
|
|
@@ -2665,7 +2764,7 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
|
|
|
2665
2764
|
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialTypes }) {
|
|
2666
2765
|
const issuer = credentialIssuer;
|
|
2667
2766
|
const builder = new _CredentialRequestClientBuilderV1_0_11();
|
|
2668
|
-
builder.withVersion(version ??
|
|
2767
|
+
builder.withVersion(version ?? import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11);
|
|
2669
2768
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2670
2769
|
if (metadata?.deferred_credential_endpoint) {
|
|
2671
2770
|
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
@@ -2684,18 +2783,18 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
|
|
|
2684
2783
|
}
|
|
2685
2784
|
static fromCredentialOfferRequest(opts) {
|
|
2686
2785
|
const { request, metadata } = opts;
|
|
2687
|
-
const version = opts.version ?? request.version ?? (0,
|
|
2786
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common21.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
2688
2787
|
const builder = new _CredentialRequestClientBuilderV1_0_11();
|
|
2689
|
-
const issuer = (0,
|
|
2788
|
+
const issuer = (0, import_oid4vci_common21.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
|
|
2690
2789
|
builder.withVersion(version);
|
|
2691
2790
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2692
2791
|
if (metadata?.deferred_credential_endpoint) {
|
|
2693
2792
|
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
2694
2793
|
}
|
|
2695
|
-
if (version <=
|
|
2794
|
+
if (version <= import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_08) {
|
|
2696
2795
|
builder.withCredentialType(request.original_credential_offer.credential_type);
|
|
2697
|
-
} else if (version <=
|
|
2698
|
-
builder.withCredentialType((0,
|
|
2796
|
+
} else if (version <= import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11) {
|
|
2797
|
+
builder.withCredentialType((0, import_oid4vci_common21.getTypesFromOfferV1_0_11)(request.credential_offer));
|
|
2699
2798
|
}
|
|
2700
2799
|
return builder;
|
|
2701
2800
|
}
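Review bot: `issuer` can still be undefined when the fallback in `builder.withCredentialEndpoint(...)` runs, because it comes from the offer payload or from `metadata?.issuer` and `metadata` itself is optional; in that case `issuer.endsWith("/")` throws a bare TypeError. A guard just before that line would fail with a usable message, for example `if (!issuer && !metadata?.credential_endpoint) throw new Error("No credential issuer supplied or deduced from offer");`. The same pattern appears in the `fromCredentialOfferRequest` of the V1_0_13 and V1_0_15 builders in later hunks. The issuer value originates from the received offer, and the derived URL is presumably where the access token is later sent, so it is also worth confirming that it is checked to be an absolute https URL before use; no such check is visible in this hunk. As this file is a bundle, the change belongs in `lib/CredentialRequestClientBuilderV1_0_11.ts`.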
|
|
@@ -2759,14 +2858,14 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
|
|
|
2759
2858
|
}
|
|
2760
2859
|
build() {
|
|
2761
2860
|
if (!this.version) {
|
|
2762
|
-
this.withVersion(
|
|
2861
|
+
this.withVersion(import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11);
|
|
2763
2862
|
}
|
|
2764
2863
|
return new CredentialRequestClientV1_0_11(this);
|
|
2765
2864
|
}
|
|
2766
2865
|
};
|
|
2767
2866
|
|
|
2768
2867
|
// lib/CredentialRequestClientBuilderV1_0_13.ts
|
|
2769
|
-
var
|
|
2868
|
+
var import_oid4vci_common22 = require("@sphereon/oid4vci-common");
|
|
2770
2869
|
var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilderV1_0_13 {
|
|
2771
2870
|
static {
|
|
2772
2871
|
__name(this, "CredentialRequestClientBuilderV1_0_13");
|
|
@@ -2785,7 +2884,7 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
|
|
|
2785
2884
|
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
|
|
2786
2885
|
const issuer = credentialIssuer;
|
|
2787
2886
|
const builder = new _CredentialRequestClientBuilderV1_0_13();
|
|
2788
|
-
builder.withVersion(version ??
|
|
2887
|
+
builder.withVersion(version ?? import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13);
|
|
2789
2888
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2790
2889
|
if (metadata?.deferred_credential_endpoint) {
|
|
2791
2890
|
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
@@ -2809,12 +2908,12 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
|
|
|
2809
2908
|
}
|
|
2810
2909
|
static fromCredentialOfferRequest(opts) {
|
|
2811
2910
|
const { request, metadata } = opts;
|
|
2812
|
-
const version = opts.version ?? request.version ?? (0,
|
|
2813
|
-
if (version <
|
|
2911
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common22.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
2912
|
+
if (version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
|
|
2814
2913
|
throw new Error("Versions below v1.0.13 (draft 13) are not supported.");
|
|
2815
2914
|
}
|
|
2816
2915
|
const builder = new _CredentialRequestClientBuilderV1_0_13();
|
|
2817
|
-
const issuer = (0,
|
|
2916
|
+
const issuer = (0, import_oid4vci_common22.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
|
|
2818
2917
|
builder.withVersion(version);
|
|
2819
2918
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2820
2919
|
if (metadata?.deferred_credential_endpoint) {
|
|
@@ -2891,52 +2990,56 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
|
|
|
2891
2990
|
}
|
|
2892
2991
|
build() {
|
|
2893
2992
|
if (!this.version) {
|
|
2894
|
-
this.withVersion(
|
|
2993
|
+
this.withVersion(import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_11);
|
|
2895
2994
|
}
|
|
2896
2995
|
return new CredentialRequestClient(this);
|
|
2897
2996
|
}
|
|
2898
2997
|
};
|
|
2899
2998
|
|
|
2900
|
-
// lib/
|
|
2901
|
-
|
|
2902
|
-
|
|
2903
|
-
}
|
|
2904
|
-
__name(isV1_0_13, "isV1_0_13");
|
|
2905
|
-
var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
2999
|
+
// lib/CredentialRequestClientBuilderV1_0_15.ts
|
|
3000
|
+
var import_oid4vci_common23 = require("@sphereon/oid4vci-common");
|
|
3001
|
+
var CredentialRequestClientBuilderV1_0_15 = class _CredentialRequestClientBuilderV1_0_15 {
|
|
2906
3002
|
static {
|
|
2907
|
-
__name(this, "
|
|
2908
|
-
}
|
|
2909
|
-
_builder;
|
|
2910
|
-
constructor(builder) {
|
|
2911
|
-
this._builder = builder;
|
|
3003
|
+
__name(this, "CredentialRequestClientBuilderV1_0_15");
|
|
2912
3004
|
}
|
|
2913
|
-
|
|
2914
|
-
|
|
2915
|
-
|
|
2916
|
-
|
|
2917
|
-
|
|
2918
|
-
|
|
2919
|
-
|
|
2920
|
-
|
|
2921
|
-
|
|
2922
|
-
|
|
2923
|
-
|
|
2924
|
-
|
|
2925
|
-
|
|
2926
|
-
|
|
2927
|
-
|
|
2928
|
-
|
|
2929
|
-
|
|
2930
|
-
|
|
2931
|
-
|
|
2932
|
-
|
|
2933
|
-
});
|
|
3005
|
+
credentialEndpoint;
|
|
3006
|
+
deferredCredentialEndpoint;
|
|
3007
|
+
nonceEndpoint;
|
|
3008
|
+
deferredCredentialAwait = false;
|
|
3009
|
+
deferredCredentialIntervalInMS = 5e3;
|
|
3010
|
+
credentialIdentifier;
|
|
3011
|
+
credentialConfigurationId;
|
|
3012
|
+
credentialTypes = [];
|
|
3013
|
+
token;
|
|
3014
|
+
version;
|
|
3015
|
+
subjectIssuance;
|
|
3016
|
+
issuerState;
|
|
3017
|
+
// Note: format removed from v15 - credential requests no longer include format parameter
|
|
3018
|
+
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialConfigurationId, credentialTypes }) {
|
|
3019
|
+
const issuer = credentialIssuer;
|
|
3020
|
+
const builder = new _CredentialRequestClientBuilderV1_0_15();
|
|
3021
|
+
builder.withVersion(version ?? import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_15);
|
|
3022
|
+
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
3023
|
+
if (metadata?.deferred_credential_endpoint) {
|
|
3024
|
+
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
2934
3025
|
}
|
|
2935
|
-
|
|
3026
|
+
if (metadata?.nonce_endpoint) {
|
|
3027
|
+
builder.withNonceEndpoint(metadata.nonce_endpoint);
|
|
3028
|
+
}
|
|
3029
|
+
if (credentialIdentifier) {
|
|
3030
|
+
builder.withCredentialIdentifier(credentialIdentifier);
|
|
3031
|
+
}
|
|
3032
|
+
if (credentialConfigurationId) {
|
|
3033
|
+
builder.withCredentialConfigurationId(credentialConfigurationId);
|
|
3034
|
+
}
|
|
3035
|
+
if (credentialTypes) {
|
|
3036
|
+
builder.withCredentialType(credentialTypes);
|
|
3037
|
+
}
|
|
3038
|
+
return builder;
|
|
2936
3039
|
}
|
|
2937
3040
|
static async fromURI({ uri, metadata }) {
|
|
2938
3041
|
const offer = await CredentialOfferClient.fromURI(uri);
|
|
2939
|
-
return
|
|
3042
|
+
return _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
|
|
2940
3043
|
request: offer,
|
|
2941
3044
|
...offer,
|
|
2942
3045
|
metadata,
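Review bot: `CredentialRequestClientBuilderV1_0_13.build()` falls back to `OpenId4VCIVersion.VER_1_0_11` on its changed `this.withVersion(...)` line, which is inconsistent with the rest of the class. Its `fromCredentialIssuer` defaults to `VER_1_0_13`, and its `fromCredentialOfferRequest` rejects anything below `VER_1_0_13`. A builder created with `new` and no explicit version therefore produces a draft-13 client labelled as draft 11; if that is not intended, the line should read `this.withVersion(import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13);`. The removed side is truncated on this page, so I cannot tell whether this predates the release. The new V1_0_15 `fromURI` at the end of the hunk continues into the next hunk.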
|
|
@@ -2944,24 +3047,188 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2944
3047
|
});
|
|
2945
3048
|
}
|
|
2946
3049
|
static fromCredentialOfferRequest(opts) {
|
|
2947
|
-
const { request } = opts;
|
|
2948
|
-
const version = opts.version ?? request.version ?? (0,
|
|
2949
|
-
|
|
2950
|
-
|
|
2951
|
-
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
|
|
2952
|
-
} else {
|
|
2953
|
-
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
|
|
3050
|
+
const { request, metadata } = opts;
|
|
3051
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common23.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
3052
|
+
if (version < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_15) {
|
|
3053
|
+
throw new Error("Versions below v1.0.15 (draft 15) are not supported.");
|
|
2954
3054
|
}
|
|
2955
|
-
|
|
2956
|
-
|
|
2957
|
-
|
|
2958
|
-
|
|
2959
|
-
|
|
2960
|
-
|
|
2961
|
-
|
|
2962
|
-
|
|
2963
|
-
|
|
2964
|
-
|
|
3055
|
+
const builder = new _CredentialRequestClientBuilderV1_0_15();
|
|
3056
|
+
const issuer = (0, import_oid4vci_common23.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
|
|
3057
|
+
builder.withVersion(version);
|
|
3058
|
+
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
3059
|
+
if (metadata?.deferred_credential_endpoint) {
|
|
3060
|
+
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
3061
|
+
}
|
|
3062
|
+
if (metadata?.nonce_endpoint) {
|
|
3063
|
+
builder.withNonceEndpoint(metadata.nonce_endpoint);
|
|
3064
|
+
}
|
|
3065
|
+
const ids = request.credential_offer.credential_configuration_ids;
|
|
3066
|
+
if (ids.length && ids.length === 1) {
|
|
3067
|
+
builder.withCredentialConfigurationId(ids[0]);
|
|
3068
|
+
}
|
|
3069
|
+
return builder;
|
|
3070
|
+
}
|
|
3071
|
+
static fromCredentialOffer({ credentialOffer, metadata }) {
|
|
3072
|
+
const builder = _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
|
|
3073
|
+
request: credentialOffer,
|
|
3074
|
+
metadata,
|
|
3075
|
+
version: credentialOffer.version
|
|
3076
|
+
});
|
|
3077
|
+
return builder;
|
|
3078
|
+
}
|
|
3079
|
+
withCredentialEndpointFromMetadata(metadata) {
|
|
3080
|
+
this.credentialEndpoint = metadata.credential_endpoint;
|
|
3081
|
+
return this;
|
|
3082
|
+
}
|
|
3083
|
+
withCredentialEndpoint(credentialEndpoint) {
|
|
3084
|
+
this.credentialEndpoint = credentialEndpoint;
|
|
3085
|
+
return this;
|
|
3086
|
+
}
|
|
3087
|
+
withIssuerState(issuerState) {
|
|
3088
|
+
this.issuerState = issuerState;
|
|
3089
|
+
return this;
|
|
3090
|
+
}
|
|
3091
|
+
withDeferredCredentialEndpointFromMetadata(metadata) {
|
|
3092
|
+
this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
|
|
3093
|
+
return this;
|
|
3094
|
+
}
|
|
3095
|
+
withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
|
|
3096
|
+
this.deferredCredentialEndpoint = deferredCredentialEndpoint;
|
|
3097
|
+
return this;
|
|
3098
|
+
}
|
|
3099
|
+
// New in v15: Support for nonce endpoint
|
|
3100
|
+
withNonceEndpointFromMetadata(metadata) {
|
|
3101
|
+
this.nonceEndpoint = metadata.nonce_endpoint;
|
|
3102
|
+
return this;
|
|
3103
|
+
}
|
|
3104
|
+
withNonceEndpoint(nonceEndpoint) {
|
|
3105
|
+
this.nonceEndpoint = nonceEndpoint;
|
|
3106
|
+
return this;
|
|
3107
|
+
}
|
|
3108
|
+
withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
|
|
3109
|
+
this.deferredCredentialAwait = deferredCredentialAwait;
|
|
3110
|
+
this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
|
|
3111
|
+
return this;
|
|
3112
|
+
}
|
|
3113
|
+
// New in v15: Support for credential_identifier (used when authorization_details with credential_identifiers was used)
|
|
3114
|
+
withCredentialIdentifier(credentialIdentifier) {
|
|
3115
|
+
this.credentialIdentifier = credentialIdentifier;
|
|
3116
|
+
return this;
|
|
3117
|
+
}
|
|
3118
|
+
// New in v15: Support for credential_configuration_id (used when scope was used and no credential_identifiers returned)
|
|
3119
|
+
withCredentialConfigurationId(credentialConfigurationId) {
|
|
3120
|
+
this.credentialConfigurationId = credentialConfigurationId;
|
|
3121
|
+
return this;
|
|
3122
|
+
}
|
|
3123
|
+
// Legacy support for credential types (may be used internally to map to configuration IDs)
|
|
3124
|
+
withCredentialType(credentialTypes) {
|
|
3125
|
+
this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
|
|
3126
|
+
credentialTypes
|
|
3127
|
+
];
|
|
3128
|
+
return this;
|
|
3129
|
+
}
|
|
3130
|
+
// Note: withFormat() method removed in v15 - format is no longer part of credential requests
|
|
3131
|
+
withSubjectIssuance(subjectIssuance) {
|
|
3132
|
+
this.subjectIssuance = subjectIssuance;
|
|
3133
|
+
return this;
|
|
3134
|
+
}
|
|
3135
|
+
withToken(accessToken) {
|
|
3136
|
+
this.token = accessToken;
|
|
3137
|
+
return this;
|
|
3138
|
+
}
|
|
3139
|
+
withTokenFromResponse(response) {
|
|
3140
|
+
this.token = response.access_token;
|
|
3141
|
+
return this;
|
|
3142
|
+
}
|
|
3143
|
+
withVersion(version) {
|
|
3144
|
+
this.version = version;
|
|
3145
|
+
return this;
|
|
3146
|
+
}
|
|
3147
|
+
build() {
|
|
3148
|
+
if (!this.version) {
|
|
3149
|
+
this.withVersion(import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_15);
|
|
3150
|
+
}
|
|
3151
|
+
return new CredentialRequestClient(this);
|
|
3152
|
+
}
|
|
3153
|
+
};
|
|
3154
|
+
|
|
3155
|
+
// lib/CredentialRequestClientBuilder.ts
|
|
3156
|
+
function isV1_0_13(builder) {
|
|
3157
|
+
return builder.withCredentialIdentifier !== void 0;
|
|
3158
|
+
}
|
|
3159
|
+
__name(isV1_0_13, "isV1_0_13");
|
|
3160
|
+
function isV1_0_15(builder) {
|
|
3161
|
+
return builder.withCredentialIdentifier !== void 0;
|
|
3162
|
+
}
|
|
3163
|
+
__name(isV1_0_15, "isV1_0_15");
|
|
3164
|
+
var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
3165
|
+
static {
|
|
3166
|
+
__name(this, "CredentialRequestClientBuilder");
|
|
3167
|
+
}
|
|
3168
|
+
_builder;
|
|
3169
|
+
constructor(builder) {
|
|
3170
|
+
this._builder = builder;
|
|
3171
|
+
}
|
|
3172
|
+
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
|
|
3173
|
+
const specVersion = version ?? import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_15;
|
|
3174
|
+
let builder;
|
|
3175
|
+
if (specVersion >= import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_15) {
|
|
3176
|
+
builder = CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
3177
|
+
credentialIssuer,
|
|
3178
|
+
metadata,
|
|
3179
|
+
version,
|
|
3180
|
+
credentialIdentifier,
|
|
3181
|
+
credentialTypes
|
|
3182
|
+
});
|
|
3183
|
+
} else if (specVersion >= import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
3184
|
+
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
|
|
3185
|
+
credentialIssuer,
|
|
3186
|
+
metadata,
|
|
3187
|
+
version,
|
|
3188
|
+
credentialIdentifier,
|
|
3189
|
+
credentialTypes
|
|
3190
|
+
});
|
|
3191
|
+
} else {
|
|
3192
|
+
if (!credentialTypes || credentialTypes.length === 0) {
|
|
3193
|
+
throw new Error("CredentialTypes must be provided for v1_0_11");
|
|
3194
|
+
}
|
|
3195
|
+
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
|
|
3196
|
+
credentialIssuer,
|
|
3197
|
+
metadata,
|
|
3198
|
+
version,
|
|
3199
|
+
credentialTypes
|
|
3200
|
+
});
|
|
3201
|
+
}
|
|
3202
|
+
return new _CredentialRequestClientBuilder(builder);
|
|
3203
|
+
}
|
|
3204
|
+
static async fromURI({ uri, metadata }) {
|
|
3205
|
+
const offer = await CredentialOfferClient.fromURI(uri);
|
|
3206
|
+
return _CredentialRequestClientBuilder.fromCredentialOfferRequest({
|
|
3207
|
+
request: offer,
|
|
3208
|
+
...offer,
|
|
3209
|
+
metadata,
|
|
3210
|
+
version: offer.version
|
|
3211
|
+
});
|
|
3212
|
+
}
|
|
3213
|
+
static fromCredentialOfferRequest(opts) {
|
|
3214
|
+
const { request } = opts;
|
|
3215
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common24.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
3216
|
+
let builder;
|
|
3217
|
+
if (version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
3218
|
+
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
|
|
3219
|
+
} else {
|
|
3220
|
+
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
|
|
3221
|
+
}
|
|
3222
|
+
return new _CredentialRequestClientBuilder(builder);
|
|
3223
|
+
}
|
|
3224
|
+
static fromCredentialOffer({ credentialOffer, metadata }) {
|
|
3225
|
+
const version = (0, import_oid4vci_common24.determineSpecVersionFromOffer)(credentialOffer.credential_offer);
|
|
3226
|
+
let builder;
|
|
3227
|
+
if (version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
3228
|
+
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
|
|
3229
|
+
credentialOffer,
|
|
3230
|
+
metadata
|
|
3231
|
+
});
|
|
2965
3232
|
} else {
|
|
2966
3233
|
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
|
|
2967
3234
|
credentialOffer,
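Review bot: `isV1_0_15` has exactly the same body as `isV1_0_13` (`builder.withCredentialIdentifier !== void 0`), so the two guards cannot tell the builders apart. Every `else if (isV1_0_13(this._builder))` branch that follows an `isV1_0_15` check in the next two hunks is therefore unreachable. Testing for a method that only the v15 builder defines in this diff would separate them, for example `return builder.withNonceEndpoint !== void 0;`. Separately, the wrapper's `fromCredentialOfferRequest` and `fromCredentialOffer` still choose only between the V1_0_11 and V1_0_13 builders, so a draft-15 offer appears never to reach `CredentialRequestClientBuilderV1_0_15` and its `nonce_endpoint` handling. Only `fromCredentialIssuer` routes there, and it does not forward `credentialConfigurationId`. `fromCredentialOffer` continues past the end of this hunk.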
|
|
@@ -2974,7 +3241,9 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2974
3241
|
return this._builder.version;
|
|
2975
3242
|
}
|
|
2976
3243
|
withCredentialEndpointFromMetadata(metadata) {
|
|
2977
|
-
if (
|
|
3244
|
+
if (isV1_0_15(this._builder)) {
|
|
3245
|
+
this._builder.withCredentialEndpointFromMetadata(metadata);
|
|
3246
|
+
} else if (isV1_0_13(this._builder)) {
|
|
2978
3247
|
this._builder.withCredentialEndpointFromMetadata(metadata);
|
|
2979
3248
|
} else {
|
|
2980
3249
|
this._builder.withCredentialEndpointFromMetadata(metadata);
|
|
@@ -2986,7 +3255,9 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2986
3255
|
return this;
|
|
2987
3256
|
}
|
|
2988
3257
|
withDeferredCredentialEndpointFromMetadata(metadata) {
|
|
2989
|
-
if (
|
|
3258
|
+
if (isV1_0_15(this._builder)) {
|
|
3259
|
+
this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
|
|
3260
|
+
} else if (isV1_0_13(this._builder)) {
|
|
2990
3261
|
this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
|
|
2991
3262
|
} else {
|
|
2992
3263
|
this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
|
|
@@ -2997,61 +3268,794 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2997
3268
|
this._builder.withDeferredCredentialEndpoint(deferredCredentialEndpoint);
|
|
2998
3269
|
return this;
|
|
2999
3270
|
}
|
|
3000
|
-
withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
|
|
3001
|
-
this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS);
|
|
3002
|
-
return this;
|
|
3271
|
+
withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
|
|
3272
|
+
this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS);
|
|
3273
|
+
return this;
|
|
3274
|
+
}
|
|
3275
|
+
withCredentialIdentifier(credentialIdentifier) {
|
|
3276
|
+
if (this._builder.version === void 0 || this._builder.version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
3277
|
+
throw new Error("Version of spec should be equal or higher than v1_0_13");
|
|
3278
|
+
}
|
|
3279
|
+
;
|
|
3280
|
+
this._builder.withCredentialIdentifier(credentialIdentifier);
|
|
3281
|
+
return this;
|
|
3282
|
+
}
|
|
3283
|
+
withIssuerState(issuerState) {
|
|
3284
|
+
this._builder.withIssuerState(issuerState);
|
|
3285
|
+
return this;
|
|
3286
|
+
}
|
|
3287
|
+
withCredentialType(credentialTypes) {
|
|
3288
|
+
this._builder.withCredentialType(credentialTypes);
|
|
3289
|
+
return this;
|
|
3290
|
+
}
|
|
3291
|
+
withFormat(format) {
|
|
3292
|
+
if ("withFormat" in this._builder) {
|
|
3293
|
+
this._builder.withFormat(format);
|
|
3294
|
+
}
|
|
3295
|
+
return this;
|
|
3296
|
+
}
|
|
3297
|
+
withSubjectIssuance(subjectIssuance) {
|
|
3298
|
+
this._builder.withSubjectIssuance(subjectIssuance);
|
|
3299
|
+
return this;
|
|
3300
|
+
}
|
|
3301
|
+
withToken(accessToken) {
|
|
3302
|
+
this._builder.withToken(accessToken);
|
|
3303
|
+
return this;
|
|
3304
|
+
}
|
|
3305
|
+
withTokenFromResponse(response) {
|
|
3306
|
+
this._builder.withTokenFromResponse(response);
|
|
3307
|
+
return this;
|
|
3308
|
+
}
|
|
3309
|
+
withVersion(version) {
|
|
3310
|
+
this._builder.withVersion(version);
|
|
3311
|
+
return this;
|
|
3312
|
+
}
|
|
3313
|
+
build() {
|
|
3314
|
+
return this._builder.build();
|
|
3315
|
+
}
|
|
3316
|
+
};
|
|
3317
|
+
|
|
3318
|
+
// lib/MetadataClientV1_0_15.ts
|
|
3319
|
+
var import_oid4vci_common25 = require("@sphereon/oid4vci-common");
|
|
3320
|
+
var import_ssi_types15 = require("@sphereon/ssi-types");
|
|
3321
|
+
var logger13 = import_ssi_types15.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
|
|
3322
|
+
var MetadataClientV1_0_15 = class _MetadataClientV1_0_15 {
|
|
3323
|
+
static {
|
|
3324
|
+
__name(this, "MetadataClientV1_0_15");
|
|
3325
|
+
}
|
|
3326
|
+
/**
|
|
3327
|
+
* Retrieve metadata using the Initiation obtained from a previous step
|
|
3328
|
+
*
|
|
3329
|
+
* @param credentialOffer
|
|
3330
|
+
*/
|
|
3331
|
+
static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
|
|
3332
|
+
return _MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
|
|
3333
|
+
}
|
|
3334
|
+
/**
|
|
3335
|
+
* Retrieve the metada using the initiation request obtained from a previous step
|
|
3336
|
+
* @param request
|
|
3337
|
+
*/
|
|
3338
|
+
static async retrieveAllMetadataFromCredentialOfferRequest(request) {
|
|
3339
|
+
const issuer = (0, import_oid4vci_common25.getIssuerFromCredentialOfferPayload)(request);
|
|
3340
|
+
if (issuer) {
|
|
3341
|
+
return _MetadataClientV1_0_15.retrieveAllMetadata(issuer);
|
|
3342
|
+
}
|
|
3343
|
+
throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
|
|
3344
|
+
}
|
|
3345
|
+
/**
|
|
3346
|
+
* Retrieve all metadata from an issuer
|
|
3347
|
+
* @param issuer The issuer URL
|
|
3348
|
+
* @param opts
|
|
3349
|
+
*/
|
|
3350
|
+
static async retrieveAllMetadata(issuer, opts) {
|
|
3351
|
+
let token_endpoint;
|
|
3352
|
+
let credential_endpoint;
|
|
3353
|
+
let nonce_endpoint;
|
|
3354
|
+
let deferred_credential_endpoint;
|
|
3355
|
+
let authorization_endpoint;
|
|
3356
|
+
let authorization_challenge_endpoint;
|
|
3357
|
+
let authorizationServerType = "OID4VCI";
|
|
3358
|
+
let authorization_servers = [
|
|
3359
|
+
issuer
|
|
3360
|
+
];
|
|
3361
|
+
const oid4vciResponse = await _MetadataClientV1_0_15.retrieveOpenID4VCIServerMetadata(issuer, {
|
|
3362
|
+
errorOnNotFound: false
|
|
3363
|
+
});
|
|
3364
|
+
let credentialIssuerMetadata = oid4vciResponse?.successBody;
|
|
3365
|
+
if (credentialIssuerMetadata) {
|
|
3366
|
+
logger13.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
|
|
3367
|
+
${JSON.stringify(credentialIssuerMetadata)}`);
|
|
3368
|
+
credential_endpoint = credentialIssuerMetadata.credential_endpoint;
|
|
3369
|
+
nonce_endpoint = credentialIssuerMetadata.nonce_endpoint;
|
|
3370
|
+
deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
|
|
3371
|
+
if (credentialIssuerMetadata.token_endpoint) {
|
|
3372
|
+
token_endpoint = credentialIssuerMetadata.token_endpoint;
|
|
3373
|
+
}
|
|
3374
|
+
authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
|
|
3375
|
+
if (credentialIssuerMetadata.authorization_servers) {
|
|
3376
|
+
authorization_servers = credentialIssuerMetadata.authorization_servers;
|
|
3377
|
+
}
|
|
3378
|
+
}
|
|
3379
|
+
let response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common25.WellKnownEndpoints.OPENID_CONFIGURATION, {
|
|
3380
|
+
errorOnNotFound: false
|
|
3381
|
+
});
|
|
3382
|
+
let authMetadata = response.successBody;
|
|
3383
|
+
if (authMetadata) {
|
|
3384
|
+
logger13.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
|
|
3385
|
+
authorizationServerType = "OIDC";
|
|
3386
|
+
} else {
|
|
3387
|
+
response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common25.WellKnownEndpoints.OAUTH_AS, {
|
|
3388
|
+
errorOnNotFound: false
|
|
3389
|
+
});
|
|
3390
|
+
authMetadata = response.successBody;
|
|
3391
|
+
}
|
|
3392
|
+
if (!authMetadata) {
|
|
3393
|
+
if (!authorization_servers.includes(issuer)) {
|
|
3394
|
+
throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
|
|
3395
|
+
}
|
|
3396
|
+
} else {
|
|
3397
|
+
if (!authorizationServerType) {
|
|
3398
|
+
authorizationServerType = "OAuth 2.0";
|
|
3399
|
+
}
|
|
3400
|
+
logger13.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
|
|
3401
|
+
if (!authMetadata.authorization_endpoint) {
|
|
3402
|
+
console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
|
|
3403
|
+
} else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
|
|
3404
|
+
throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
|
|
3405
|
+
}
|
|
3406
|
+
authorization_endpoint = authMetadata.authorization_endpoint;
|
|
3407
|
+
if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
|
|
3408
|
+
throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
|
|
3409
|
+
}
|
|
3410
|
+
authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
|
|
3411
|
+
if (!authMetadata.token_endpoint) {
|
|
3412
|
+
throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
|
|
3413
|
+
} else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
|
|
3414
|
+
throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
|
|
3415
|
+
}
|
|
3416
|
+
token_endpoint = authMetadata.token_endpoint;
|
|
3417
|
+
if (authMetadata.credential_endpoint) {
|
|
3418
|
+
if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
|
|
3419
|
+
logger13.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
|
|
3420
|
+
} else {
|
|
3421
|
+
credential_endpoint = authMetadata.credential_endpoint;
|
|
3422
|
+
}
|
|
3423
|
+
}
|
|
3424
|
+
if (authMetadata.deferred_credential_endpoint) {
|
|
3425
|
+
if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
|
|
3426
|
+
logger13.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
|
|
3427
|
+
} else {
|
|
3428
|
+
deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
|
|
3429
|
+
}
|
|
3430
|
+
}
|
|
3431
|
+
}
|
|
3432
|
+
if (!authorization_endpoint) {
|
|
3433
|
+
logger13.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
|
|
3434
|
+
}
|
|
3435
|
+
if (!token_endpoint) {
|
|
3436
|
+
logger13.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
|
|
3437
|
+
if (opts?.errorOnNotFound) {
|
|
3438
|
+
throw Error(`Could not deduce the token_endpoint for ${issuer}`);
|
|
3439
|
+
} else {
|
|
3440
|
+
token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
|
|
3441
|
+
}
|
|
3442
|
+
}
|
|
3443
|
+
if (!credential_endpoint) {
|
|
3444
|
+
logger13.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
|
|
3445
|
+
if (opts?.errorOnNotFound) {
|
|
3446
|
+
throw Error(`Could not deduce the credential endpoint for ${issuer}`);
|
|
3447
|
+
} else {
|
|
3448
|
+
credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
|
|
3449
|
+
}
|
|
3450
|
+
}
|
|
3451
|
+
if (!credentialIssuerMetadata && authMetadata) {
|
|
3452
|
+
credentialIssuerMetadata = authMetadata;
|
|
3453
|
+
}
|
|
3454
|
+
const ci = credentialIssuerMetadata ?? {};
|
|
3455
|
+
const ciAuthorizationServers = Array.isArray(ci.authorization_servers) && ci.authorization_servers.length > 0 ? ci.authorization_servers : authorization_servers;
|
|
3456
|
+
const v15CredentialIssuerMetadata = {
|
|
3457
|
+
credential_issuer: ci.credential_issuer ?? issuer,
|
|
3458
|
+
credential_endpoint,
|
|
3459
|
+
authorization_servers: ciAuthorizationServers,
|
|
3460
|
+
credential_configurations_supported: ci.credential_configurations_supported ?? {},
|
|
3461
|
+
display: ci.display ?? [],
|
|
3462
|
+
...nonce_endpoint && {
|
|
3463
|
+
nonce_endpoint
|
|
3464
|
+
},
|
|
3465
|
+
...deferred_credential_endpoint && {
|
|
3466
|
+
deferred_credential_endpoint
|
|
3467
|
+
}
|
|
3468
|
+
};
|
|
3469
|
+
logger13.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
3470
|
+
return {
|
|
3471
|
+
issuer,
|
|
3472
|
+
token_endpoint,
|
|
3473
|
+
credential_endpoint,
|
|
3474
|
+
authorization_challenge_endpoint,
|
|
3475
|
+
authorizationServerType,
|
|
3476
|
+
credentialIssuerMetadata: v15CredentialIssuerMetadata,
|
|
3477
|
+
authorizationServerMetadata: authMetadata
|
|
3478
|
+
};
|
|
3479
|
+
}
|
|
3480
|
+
/**
|
|
3481
|
+
* Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
|
|
3482
|
+
*
|
|
3483
|
+
* @param issuerHost The issuer hostname
|
|
3484
|
+
* @param opts
|
|
3485
|
+
*/
|
|
3486
|
+
static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
|
|
3487
|
+
return retrieveWellknown(issuerHost, import_oid4vci_common25.WellKnownEndpoints.OPENID4VCI_ISSUER, {
|
|
3488
|
+
errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
|
|
3489
|
+
});
|
|
3490
|
+
}
|
|
3491
|
+
};
|
|
3492
|
+
|
|
3493
|
+
// lib/OpenID4VCIClient.ts
|
|
3494
|
+
var import_oid4vci_common26 = require("@sphereon/oid4vci-common");
|
|
3495
|
+
var import_ssi_types16 = require("@sphereon/ssi-types");
|
|
3496
|
+
var logger14 = import_ssi_types16.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
3497
|
+
var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
3498
|
+
static {
|
|
3499
|
+
__name(this, "OpenID4VCIClient");
|
|
3500
|
+
}
|
|
3501
|
+
_state;
|
|
3502
|
+
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
3503
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common26.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
3504
|
+
if (!issuer) {
|
|
3505
|
+
throw Error("No credential issuer supplied or deduced from offer");
|
|
3506
|
+
}
|
|
3507
|
+
this._state = {
|
|
3508
|
+
credentialOffer,
|
|
3509
|
+
credentialIssuer: issuer,
|
|
3510
|
+
kid,
|
|
3511
|
+
alg,
|
|
3512
|
+
// TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
|
|
3513
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common26.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
3514
|
+
pkce: {
|
|
3515
|
+
disabled: false,
|
|
3516
|
+
codeChallengeMethod: import_oid4vci_common26.CodeChallengeMethod.S256,
|
|
3517
|
+
...pkce
|
|
3518
|
+
},
|
|
3519
|
+
authorizationRequestOpts,
|
|
3520
|
+
authorizationCodeResponse,
|
|
3521
|
+
accessToken,
|
|
3522
|
+
jwk,
|
|
3523
|
+
endpointMetadata: endpointMetadata?.credentialIssuerMetadata?.authorization_server ? endpointMetadata : endpointMetadata,
|
|
3524
|
+
accessTokenResponse,
|
|
3525
|
+
authorizationURL
|
|
3526
|
+
};
|
|
3527
|
+
if (!this._state.authorizationRequestOpts) {
|
|
3528
|
+
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
3529
|
+
}
|
|
3530
|
+
logger14.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
3531
|
+
}
|
|
3532
|
+
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
|
|
3533
|
+
const client = new _OpenID4VCIClient({
|
|
3534
|
+
kid,
|
|
3535
|
+
alg,
|
|
3536
|
+
clientId: clientId ?? authorizationRequest?.clientId,
|
|
3537
|
+
credentialIssuer,
|
|
3538
|
+
pkce,
|
|
3539
|
+
authorizationRequest,
|
|
3540
|
+
endpointMetadata
|
|
3541
|
+
});
|
|
3542
|
+
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
3543
|
+
await client.retrieveServerMetadata();
|
|
3544
|
+
}
|
|
3545
|
+
if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
|
|
3546
|
+
await client.createAuthorizationRequestUrl({
|
|
3547
|
+
authorizationRequest,
|
|
3548
|
+
pkce
|
|
3549
|
+
});
|
|
3550
|
+
}
|
|
3551
|
+
return client;
|
|
3552
|
+
}
|
|
3553
|
+
static async fromState({ state }) {
|
|
3554
|
+
const clientState = typeof state === "string" ? JSON.parse(state) : state;
|
|
3555
|
+
return new _OpenID4VCIClient(clientState);
|
|
3556
|
+
}
|
|
3557
|
+
static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, endpointMetadata }) {
|
|
3558
|
+
const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
|
|
3559
|
+
resolve: resolveOfferUri
|
|
3560
|
+
});
|
|
3561
|
+
const client = new _OpenID4VCIClient({
|
|
3562
|
+
credentialOffer: credentialOfferClient,
|
|
3563
|
+
kid,
|
|
3564
|
+
alg,
|
|
3565
|
+
clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
|
|
3566
|
+
pkce,
|
|
3567
|
+
authorizationRequest,
|
|
3568
|
+
endpointMetadata
|
|
3569
|
+
});
|
|
3570
|
+
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
3571
|
+
await client.retrieveServerMetadata();
|
|
3572
|
+
}
|
|
3573
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common26.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
|
|
3574
|
+
await client.createAuthorizationRequestUrl({
|
|
3575
|
+
authorizationRequest,
|
|
3576
|
+
pkce
|
|
3577
|
+
});
|
|
3578
|
+
logger14.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
3579
|
+
}
|
|
3580
|
+
return client;
|
|
3581
|
+
}
|
|
3582
|
+
/**
|
|
3583
|
+
* Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
|
|
3584
|
+
*
|
|
3585
|
+
* The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
|
|
3586
|
+
* @param opts
|
|
3587
|
+
*/
|
|
3588
|
+
async createAuthorizationRequestUrl(opts) {
|
|
3589
|
+
if (!this._state.authorizationURL) {
|
|
3590
|
+
this.calculatePKCEOpts(opts?.pkce);
|
|
3591
|
+
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
|
|
3592
|
+
if (!this._state.authorizationRequestOpts) {
|
|
3593
|
+
throw Error(`No Authorization Request options present or provided in this call`);
|
|
3594
|
+
}
|
|
3595
|
+
if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
|
|
3596
|
+
this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
|
|
3597
|
+
}
|
|
3598
|
+
if (this.version() <= import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_11) {
|
|
3599
|
+
this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
|
|
3600
|
+
pkce: this._state.pkce,
|
|
3601
|
+
endpointMetadata: this.endpointMetadata,
|
|
3602
|
+
authorizationRequest: this._state.authorizationRequestOpts,
|
|
3603
|
+
credentialOffer: this.credentialOffer,
|
|
3604
|
+
credentialsSupported: Object.values(this.getCredentialsSupported(true))
|
|
3605
|
+
});
|
|
3606
|
+
} else {
|
|
3607
|
+
this._state.authorizationURL = await createAuthorizationRequestUrl({
|
|
3608
|
+
pkce: this._state.pkce,
|
|
3609
|
+
endpointMetadata: this.endpointMetadata,
|
|
3610
|
+
authorizationRequest: this._state.authorizationRequestOpts,
|
|
3611
|
+
credentialOffer: this.credentialOffer,
|
|
3612
|
+
credentialConfigurationSupported: this.getCredentialsSupported(false)
|
|
3613
|
+
});
|
|
3614
|
+
}
|
|
3615
|
+
}
|
|
3616
|
+
return this._state.authorizationURL;
|
|
3617
|
+
}
|
|
3618
|
+
async retrieveServerMetadata() {
|
|
3619
|
+
this.assertIssuerData();
|
|
3620
|
+
if (!this._state.endpointMetadata) {
|
|
3621
|
+
if (this.credentialOffer) {
|
|
3622
|
+
this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
|
|
3623
|
+
} else if (this._state.credentialIssuer) {
|
|
3624
|
+
this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
|
|
3625
|
+
} else {
|
|
3626
|
+
throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
|
|
3627
|
+
}
|
|
3628
|
+
}
|
|
3629
|
+
return this.endpointMetadata;
|
|
3630
|
+
}
|
|
3631
|
+
calculatePKCEOpts(pkce) {
|
|
3632
|
+
this._state.pkce = generateMissingPKCEOpts({
|
|
3633
|
+
...this._state.pkce,
|
|
3634
|
+
...pkce
|
|
3635
|
+
});
|
|
3636
|
+
}
|
|
3637
|
+
async acquireAuthorizationChallengeCode(opts) {
|
|
3638
|
+
const response = await acquireAuthorizationChallengeAuthCode({
|
|
3639
|
+
metadata: this.endpointMetadata,
|
|
3640
|
+
credentialIssuer: this.getIssuer(),
|
|
3641
|
+
clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
|
|
3642
|
+
...opts
|
|
3643
|
+
});
|
|
3644
|
+
if (response.errorBody) {
|
|
3645
|
+
logger14.debug(`Authorization code error:\r
|
|
3646
|
+
${JSON.stringify(response.errorBody)}`);
|
|
3647
|
+
const error = response.errorBody;
|
|
3648
|
+
return Promise.reject(error);
|
|
3649
|
+
} else if (!response.successBody) {
|
|
3650
|
+
logger14.debug(`Authorization code error. No success body`);
|
|
3651
|
+
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
3652
|
+
}
|
|
3653
|
+
return {
|
|
3654
|
+
...response.successBody
|
|
3655
|
+
};
|
|
3656
|
+
}
|
|
3657
|
+
async acquireAccessToken(opts) {
|
|
3658
|
+
const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
|
|
3659
|
+
let { redirectUri } = opts ?? {};
|
|
3660
|
+
const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
|
|
3661
|
+
if (opts?.codeVerifier) {
|
|
3662
|
+
this._state.pkce.codeVerifier = opts.codeVerifier;
|
|
3663
|
+
}
|
|
3664
|
+
this.assertIssuerData();
|
|
3665
|
+
const asOpts = {
|
|
3666
|
+
...opts?.asOpts
|
|
3667
|
+
};
|
|
3668
|
+
const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
|
|
3669
|
+
const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
|
|
3670
|
+
if (this.isEBSI() || clientId && kid) {
|
|
3671
|
+
if (!clientId) {
|
|
3672
|
+
throw Error(`Client id expected for EBSI`);
|
|
3673
|
+
}
|
|
3674
|
+
asOpts.clientOpts = {
|
|
3675
|
+
...asOpts.clientOpts,
|
|
3676
|
+
clientId,
|
|
3677
|
+
...kid && {
|
|
3678
|
+
kid
|
|
3679
|
+
},
|
|
3680
|
+
...clientAssertionType && {
|
|
3681
|
+
clientAssertionType
|
|
3682
|
+
},
|
|
3683
|
+
signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
|
|
3684
|
+
};
|
|
3685
|
+
}
|
|
3686
|
+
if (clientId) {
|
|
3687
|
+
this._state.clientId = clientId;
|
|
3688
|
+
if (!asOpts.clientOpts) {
|
|
3689
|
+
asOpts.clientOpts = {
|
|
3690
|
+
clientId
|
|
3691
|
+
};
|
|
3692
|
+
}
|
|
3693
|
+
asOpts.clientOpts.clientId = clientId;
|
|
3694
|
+
}
|
|
3695
|
+
if (!this._state.accessTokenResponse) {
|
|
3696
|
+
const accessTokenClient = this.version() <= import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_12 ? new AccessTokenClientV1_0_11() : new AccessTokenClient();
|
|
3697
|
+
if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
|
|
3698
|
+
console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
|
|
3699
|
+
}
|
|
3700
|
+
if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
|
|
3701
|
+
redirectUri = this._state.authorizationRequestOpts.redirectUri;
|
|
3702
|
+
}
|
|
3703
|
+
const response = await accessTokenClient.acquireAccessToken({
|
|
3704
|
+
credentialOffer: this.credentialOffer,
|
|
3705
|
+
metadata: this.endpointMetadata,
|
|
3706
|
+
credentialIssuer: this.getIssuer(),
|
|
3707
|
+
pin,
|
|
3708
|
+
...!this._state.pkce.disabled && {
|
|
3709
|
+
codeVerifier: this._state.pkce.codeVerifier
|
|
3710
|
+
},
|
|
3711
|
+
code,
|
|
3712
|
+
redirectUri,
|
|
3713
|
+
asOpts,
|
|
3714
|
+
...opts?.createDPoPOpts && {
|
|
3715
|
+
createDPoPOpts: opts.createDPoPOpts
|
|
3716
|
+
},
|
|
3717
|
+
...opts?.additionalRequestParams && {
|
|
3718
|
+
additionalParams: opts.additionalRequestParams
|
|
3719
|
+
}
|
|
3720
|
+
});
|
|
3721
|
+
if (response.errorBody) {
|
|
3722
|
+
logger14.debug(`Access token error:\r
|
|
3723
|
+
${JSON.stringify(response.errorBody)}`);
|
|
3724
|
+
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3725
|
+
} else if (!response.successBody) {
|
|
3726
|
+
logger14.debug(`Access token error. No success body`);
|
|
3727
|
+
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3728
|
+
}
|
|
3729
|
+
this._state.accessTokenResponse = response.successBody;
|
|
3730
|
+
this._state.dpopResponseParams = response.params;
|
|
3731
|
+
this._state.accessToken = response.successBody.access_token;
|
|
3732
|
+
}
|
|
3733
|
+
return {
|
|
3734
|
+
...this.accessTokenResponse,
|
|
3735
|
+
...this.dpopResponseParams && {
|
|
3736
|
+
params: this.dpopResponseParams
|
|
3737
|
+
}
|
|
3738
|
+
};
|
|
3739
|
+
}
|
|
3740
|
+
async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
3741
|
+
if ([
|
|
3742
|
+
jwk,
|
|
3743
|
+
kid
|
|
3744
|
+
].filter((v) => v !== void 0).length > 1) {
|
|
3745
|
+
throw new Error(import_oid4vci_common26.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
3746
|
+
}
|
|
3747
|
+
if (alg) this._state.alg = alg;
|
|
3748
|
+
if (jwk) this._state.jwk = jwk;
|
|
3749
|
+
if (kid) this._state.kid = kid;
|
|
3750
|
+
let requestBuilder;
|
|
3751
|
+
if (this.version() < import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_13) {
|
|
3752
|
+
requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
|
|
3753
|
+
credentialOffer: this.credentialOffer,
|
|
3754
|
+
metadata: this.endpointMetadata
|
|
3755
|
+
}) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
|
|
3756
|
+
credentialIssuer: this.getIssuer(),
|
|
3757
|
+
credentialTypes,
|
|
3758
|
+
metadata: this.endpointMetadata,
|
|
3759
|
+
version: this.version()
|
|
3760
|
+
});
|
|
3761
|
+
} else {
|
|
3762
|
+
requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
|
|
3763
|
+
credentialOffer: this.credentialOffer,
|
|
3764
|
+
metadata: this.endpointMetadata
|
|
3765
|
+
}) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
3766
|
+
credentialIssuer: this.getIssuer(),
|
|
3767
|
+
credentialTypes,
|
|
3768
|
+
metadata: this.endpointMetadata,
|
|
3769
|
+
version: this.version()
|
|
3770
|
+
});
|
|
3771
|
+
}
|
|
3772
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common26.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
3773
|
+
requestBuilder.withIssuerState(issuerState);
|
|
3774
|
+
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
3775
|
+
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
3776
|
+
let subjectIssuance;
|
|
3777
|
+
if (this.endpointMetadata?.credentialIssuerMetadata) {
|
|
3778
|
+
const metadata = this.endpointMetadata.credentialIssuerMetadata;
|
|
3779
|
+
const types = Array.isArray(credentialTypes) ? credentialTypes : [
|
|
3780
|
+
credentialTypes
|
|
3781
|
+
];
|
|
3782
|
+
if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
|
|
3783
|
+
let typeSupported = false;
|
|
3784
|
+
metadata.credentials_supported.forEach((supportedCredential) => {
|
|
3785
|
+
const subTypes = (0, import_oid4vci_common26.getTypesFromCredentialSupported)(supportedCredential);
|
|
3786
|
+
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3787
|
+
typeSupported = true;
|
|
3788
|
+
if (supportedCredential.credential_subject_issuance) {
|
|
3789
|
+
subjectIssuance = {
|
|
3790
|
+
credential_subject_issuance: supportedCredential.credential_subject_issuance
|
|
3791
|
+
};
|
|
3792
|
+
}
|
|
3793
|
+
}
|
|
3794
|
+
});
|
|
3795
|
+
if (!typeSupported) {
|
|
3796
|
+
console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
|
|
3797
|
+
}
|
|
3798
|
+
} else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
|
|
3799
|
+
const credentialsSupported = metadata.credentials_supported;
|
|
3800
|
+
if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
|
|
3801
|
+
throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
|
|
3802
|
+
}
|
|
3803
|
+
}
|
|
3804
|
+
}
|
|
3805
|
+
if (subjectIssuance) {
|
|
3806
|
+
requestBuilder.withSubjectIssuance(subjectIssuance);
|
|
3807
|
+
}
|
|
3808
|
+
const credentialRequestClient = requestBuilder.build();
|
|
3809
|
+
const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
|
|
3810
|
+
accessTokenResponse: this.accessTokenResponse,
|
|
3811
|
+
callbacks: proofCallbacks,
|
|
3812
|
+
version: this.version()
|
|
3813
|
+
}).withIssuer(this.getIssuer()).withAlg(this.alg);
|
|
3814
|
+
if (this._state.jwk) {
|
|
3815
|
+
proofBuilder.withJWK(this._state.jwk);
|
|
3816
|
+
}
|
|
3817
|
+
if (this._state.kid) {
|
|
3818
|
+
proofBuilder.withKid(this._state.kid);
|
|
3819
|
+
}
|
|
3820
|
+
if (this.clientId) {
|
|
3821
|
+
proofBuilder.withClientId(this.clientId);
|
|
3822
|
+
}
|
|
3823
|
+
if (jti) {
|
|
3824
|
+
proofBuilder.withJti(jti);
|
|
3825
|
+
}
|
|
3826
|
+
const response = await credentialRequestClient.acquireCredentialsUsingProof({
|
|
3827
|
+
proofInput: proofBuilder,
|
|
3828
|
+
credentialTypes,
|
|
3829
|
+
context,
|
|
3830
|
+
format,
|
|
3831
|
+
subjectIssuance,
|
|
3832
|
+
createDPoPOpts
|
|
3833
|
+
});
|
|
3834
|
+
this._state.dpopResponseParams = response.params;
|
|
3835
|
+
if (response.errorBody) {
|
|
3836
|
+
logger14.debug(`Credential request error:\r
|
|
3837
|
+
${JSON.stringify(response.errorBody)}`);
|
|
3838
|
+
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3839
|
+
} else if (!response.successBody) {
|
|
3840
|
+
logger14.debug(`Credential request error. No success body`);
|
|
3841
|
+
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3842
|
+
}
|
|
3843
|
+
return {
|
|
3844
|
+
...response.successBody,
|
|
3845
|
+
...this.dpopResponseParams && {
|
|
3846
|
+
params: this.dpopResponseParams
|
|
3847
|
+
},
|
|
3848
|
+
access_token: response.access_token
|
|
3849
|
+
};
|
|
3850
|
+
}
|
|
3851
|
+
async exportState() {
|
|
3852
|
+
return JSON.stringify(this._state);
|
|
3853
|
+
}
|
|
3854
|
+
getCredentialsSupported(restrictToInitiationTypes, format) {
|
|
3855
|
+
return (0, import_oid4vci_common26.getSupportedCredentials)({
|
|
3856
|
+
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
3857
|
+
version: this.version(),
|
|
3858
|
+
format,
|
|
3859
|
+
types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
|
|
3860
|
+
});
|
|
3861
|
+
}
|
|
3862
|
+
async sendNotification(credentialRequestOpts, request, accessToken) {
|
|
3863
|
+
return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
|
|
3864
|
+
}
|
|
3865
|
+
getCredentialOfferTypes() {
|
|
3866
|
+
if (!this.credentialOffer) {
|
|
3867
|
+
return [];
|
|
3868
|
+
} else if (this.version() < import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_11) {
|
|
3869
|
+
const orig = this.credentialOffer.original_credential_offer;
|
|
3870
|
+
const types = typeof orig.credential_type === "string" ? [
|
|
3871
|
+
orig.credential_type
|
|
3872
|
+
] : orig.credential_type;
|
|
3873
|
+
const result = [];
|
|
3874
|
+
result[0] = types;
|
|
3875
|
+
return result;
|
|
3876
|
+
} else if (this.version() < import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_13) {
|
|
3877
|
+
return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common26.getTypesFromObject)(c) ?? []);
|
|
3878
|
+
}
|
|
3879
|
+
return void 0;
|
|
3880
|
+
}
|
|
3881
|
+
issuerSupportedFlowTypes() {
|
|
3882
|
+
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
|
|
3883
|
+
import_oid4vci_common26.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
3884
|
+
] : []);
|
|
3885
|
+
}
|
|
3886
|
+
isFlowTypeSupported(flowType) {
|
|
3887
|
+
return this.issuerSupportedFlowTypes().includes(flowType);
|
|
3888
|
+
}
|
|
3889
|
+
get authorizationURL() {
|
|
3890
|
+
return this._state.authorizationURL;
|
|
3891
|
+
}
|
|
3892
|
+
hasAuthorizationURL() {
|
|
3893
|
+
return !!this.authorizationURL;
|
|
3894
|
+
}
|
|
3895
|
+
get credentialOffer() {
|
|
3896
|
+
return this._state.credentialOffer;
|
|
3897
|
+
}
|
|
3898
|
+
version() {
|
|
3899
|
+
if (this.credentialOffer?.version && this.credentialOffer.version !== import_oid4vci_common26.OpenId4VCIVersion.VER_UNKNOWN) {
|
|
3900
|
+
return this.credentialOffer.version;
|
|
3901
|
+
}
|
|
3902
|
+
const metadata = this._state.endpointMetadata;
|
|
3903
|
+
if (metadata?.credentialIssuerMetadata) {
|
|
3904
|
+
const versions = (0, import_oid4vci_common26.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
|
|
3905
|
+
if (versions.length > 0 && !versions.includes(import_oid4vci_common26.OpenId4VCIVersion.VER_UNKNOWN)) {
|
|
3906
|
+
return versions[0];
|
|
3907
|
+
}
|
|
3908
|
+
}
|
|
3909
|
+
return import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_15;
|
|
3910
|
+
}
|
|
3911
|
+
get endpointMetadata() {
|
|
3912
|
+
this.assertServerMetadata();
|
|
3913
|
+
return this._state.endpointMetadata;
|
|
3914
|
+
}
|
|
3915
|
+
get kid() {
|
|
3916
|
+
this.assertIssuerData();
|
|
3917
|
+
if (!this._state.kid) {
|
|
3918
|
+
throw new Error("No value for kid is supplied");
|
|
3919
|
+
}
|
|
3920
|
+
return this._state.kid;
|
|
3921
|
+
}
|
|
3922
|
+
get alg() {
|
|
3923
|
+
this.assertIssuerData();
|
|
3924
|
+
if (!this._state.alg) {
|
|
3925
|
+
throw new Error("No value for alg is supplied");
|
|
3926
|
+
}
|
|
3927
|
+
return this._state.alg;
|
|
3928
|
+
}
|
|
3929
|
+
set clientId(value) {
|
|
3930
|
+
this._state.clientId = value;
|
|
3931
|
+
}
|
|
3932
|
+
get clientId() {
|
|
3933
|
+
return this._state.clientId;
|
|
3934
|
+
}
|
|
3935
|
+
hasAccessTokenResponse() {
|
|
3936
|
+
return !!this._state.accessTokenResponse;
|
|
3937
|
+
}
|
|
3938
|
+
get accessTokenResponse() {
|
|
3939
|
+
this.assertAccessToken();
|
|
3940
|
+
return this._state.accessTokenResponse;
|
|
3941
|
+
}
|
|
3942
|
+
get dpopResponseParams() {
|
|
3943
|
+
return this._state.dpopResponseParams;
|
|
3944
|
+
}
|
|
3945
|
+
getIssuer() {
|
|
3946
|
+
this.assertIssuerData();
|
|
3947
|
+
return this._state.credentialIssuer;
|
|
3948
|
+
}
|
|
3949
|
+
getAccessTokenEndpoint() {
|
|
3950
|
+
this.assertIssuerData();
|
|
3951
|
+
if (this.endpointMetadata) {
|
|
3952
|
+
return this.endpointMetadata.token_endpoint;
|
|
3953
|
+
}
|
|
3954
|
+
return this.version() <= import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_12 ? AccessTokenClientV1_0_11.determineTokenURL({
|
|
3955
|
+
issuerOpts: {
|
|
3956
|
+
issuer: this.getIssuer()
|
|
3957
|
+
}
|
|
3958
|
+
}) : AccessTokenClient.determineTokenURL({
|
|
3959
|
+
issuerOpts: {
|
|
3960
|
+
issuer: this.getIssuer()
|
|
3961
|
+
}
|
|
3962
|
+
});
|
|
3963
|
+
}
|
|
3964
|
+
getCredentialEndpoint() {
|
|
3965
|
+
this.assertIssuerData();
|
|
3966
|
+
return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
|
|
3003
3967
|
}
|
|
3004
|
-
|
|
3005
|
-
|
|
3006
|
-
|
|
3007
|
-
}
|
|
3008
|
-
this._builder.withCredentialIdentifier(credentialIdentifier);
|
|
3009
|
-
return this;
|
|
3968
|
+
getAuthorizationChallengeEndpoint() {
|
|
3969
|
+
this.assertIssuerData();
|
|
3970
|
+
return this.endpointMetadata?.authorization_challenge_endpoint;
|
|
3010
3971
|
}
|
|
3011
|
-
|
|
3012
|
-
this.
|
|
3013
|
-
return this;
|
|
3972
|
+
hasAuthorizationChallengeEndpoint() {
|
|
3973
|
+
return !!this.getAuthorizationChallengeEndpoint();
|
|
3014
3974
|
}
|
|
3015
|
-
|
|
3016
|
-
this.
|
|
3017
|
-
return this;
|
|
3975
|
+
hasDeferredCredentialEndpoint() {
|
|
3976
|
+
return !!this.getAccessTokenEndpoint();
|
|
3018
3977
|
}
|
|
3019
|
-
|
|
3020
|
-
this.
|
|
3021
|
-
return this
|
|
3978
|
+
getDeferredCredentialEndpoint() {
|
|
3979
|
+
this.assertIssuerData();
|
|
3980
|
+
return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
|
|
3022
3981
|
}
|
|
3023
|
-
|
|
3024
|
-
|
|
3025
|
-
|
|
3982
|
+
/**
|
|
3983
|
+
* Too bad we need a method like this, but EBSI is not exposing metadata
|
|
3984
|
+
*/
|
|
3985
|
+
isEBSI() {
|
|
3986
|
+
if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
|
|
3987
|
+
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
|
|
3988
|
+
// @ts-ignore
|
|
3989
|
+
typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
|
|
3990
|
+
))) {
|
|
3991
|
+
return true;
|
|
3992
|
+
}
|
|
3993
|
+
return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
|
|
3026
3994
|
}
|
|
3027
|
-
|
|
3028
|
-
this.
|
|
3029
|
-
|
|
3995
|
+
assertIssuerData() {
|
|
3996
|
+
if (!this._state.credentialIssuer) {
|
|
3997
|
+
throw Error(`No credential issuer value present`);
|
|
3998
|
+
} else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
|
|
3999
|
+
throw Error(`No issuance initiation or credential offer present`);
|
|
4000
|
+
}
|
|
3030
4001
|
}
|
|
3031
|
-
|
|
3032
|
-
this.
|
|
3033
|
-
|
|
4002
|
+
assertServerMetadata() {
|
|
4003
|
+
if (!this._state.endpointMetadata) {
|
|
4004
|
+
throw Error("No server metadata");
|
|
4005
|
+
}
|
|
3034
4006
|
}
|
|
3035
|
-
|
|
3036
|
-
this.
|
|
3037
|
-
|
|
4007
|
+
assertAccessToken() {
|
|
4008
|
+
if (!this._state.accessTokenResponse) {
|
|
4009
|
+
throw Error(`No access token present`);
|
|
4010
|
+
}
|
|
3038
4011
|
}
|
|
3039
|
-
|
|
3040
|
-
|
|
4012
|
+
syncAuthorizationRequestOpts(opts) {
|
|
4013
|
+
const requestObjectOpts = {
|
|
4014
|
+
...this._state?.authorizationRequestOpts?.requestObjectOpts,
|
|
4015
|
+
...opts?.requestObjectOpts
|
|
4016
|
+
};
|
|
4017
|
+
let authorizationRequestOpts = {
|
|
4018
|
+
...this._state?.authorizationRequestOpts,
|
|
4019
|
+
...opts,
|
|
4020
|
+
...requestObjectOpts && {
|
|
4021
|
+
requestObjectOpts
|
|
4022
|
+
}
|
|
4023
|
+
};
|
|
4024
|
+
if (!authorizationRequestOpts) {
|
|
4025
|
+
authorizationRequestOpts = {
|
|
4026
|
+
redirectUri: `${import_oid4vci_common26.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
4027
|
+
};
|
|
4028
|
+
}
|
|
4029
|
+
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
4030
|
+
this._state.clientId = clientId;
|
|
4031
|
+
authorizationRequestOpts.clientId = clientId;
|
|
4032
|
+
return authorizationRequestOpts;
|
|
3041
4033
|
}
|
|
4034
|
+
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
4035
|
+
if (authorizationResponse) {
|
|
4036
|
+
this._state.authorizationCodeResponse = {
|
|
4037
|
+
...(0, import_oid4vci_common26.toAuthorizationResponsePayload)(authorizationResponse)
|
|
4038
|
+
};
|
|
4039
|
+
} else if (code) {
|
|
4040
|
+
this._state.authorizationCodeResponse = {
|
|
4041
|
+
code
|
|
4042
|
+
};
|
|
4043
|
+
}
|
|
4044
|
+
return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
|
|
4045
|
+
}, "getAuthorizationCode");
|
|
3042
4046
|
};
|
|
3043
4047
|
|
|
3044
|
-
// lib/
|
|
3045
|
-
var
|
|
3046
|
-
var
|
|
3047
|
-
var
|
|
3048
|
-
var
|
|
4048
|
+
// lib/OpenID4VCIClientV1_0_15.ts
|
|
4049
|
+
var import_oid4vci_common27 = require("@sphereon/oid4vci-common");
|
|
4050
|
+
var import_ssi_types17 = require("@sphereon/ssi-types");
|
|
4051
|
+
var logger15 = import_ssi_types17.Loggers.DEFAULT.get("sphereon:oid4vci:v15");
|
|
4052
|
+
var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
3049
4053
|
static {
|
|
3050
|
-
__name(this, "
|
|
4054
|
+
__name(this, "OpenID4VCIClientV1_0_15");
|
|
3051
4055
|
}
|
|
3052
4056
|
_state;
|
|
3053
|
-
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest,
|
|
3054
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
4057
|
+
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL, keyAttestation }) {
|
|
4058
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common27.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
3055
4059
|
if (!issuer) {
|
|
3056
4060
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
3057
4061
|
}
|
|
@@ -3060,40 +4064,39 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3060
4064
|
credentialIssuer: issuer,
|
|
3061
4065
|
kid,
|
|
3062
4066
|
alg,
|
|
3063
|
-
|
|
3064
|
-
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common23.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
4067
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common27.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
3065
4068
|
pkce: {
|
|
3066
4069
|
disabled: false,
|
|
3067
|
-
codeChallengeMethod:
|
|
4070
|
+
codeChallengeMethod: import_oid4vci_common27.CodeChallengeMethod.S256,
|
|
3068
4071
|
...pkce
|
|
3069
4072
|
},
|
|
3070
4073
|
authorizationRequestOpts,
|
|
3071
4074
|
authorizationCodeResponse,
|
|
3072
|
-
accessToken,
|
|
3073
4075
|
jwk,
|
|
3074
|
-
endpointMetadata
|
|
4076
|
+
endpointMetadata,
|
|
3075
4077
|
accessTokenResponse,
|
|
3076
|
-
authorizationURL
|
|
4078
|
+
authorizationURL,
|
|
4079
|
+
keyAttestation
|
|
3077
4080
|
};
|
|
3078
4081
|
if (!this._state.authorizationRequestOpts) {
|
|
3079
4082
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
3080
4083
|
}
|
|
3081
|
-
|
|
4084
|
+
logger15.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
3082
4085
|
}
|
|
3083
|
-
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL,
|
|
3084
|
-
const client = new
|
|
4086
|
+
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, keyAttestation }) {
|
|
4087
|
+
const client = new _OpenID4VCIClientV1_0_15({
|
|
3085
4088
|
kid,
|
|
3086
4089
|
alg,
|
|
3087
4090
|
clientId: clientId ?? authorizationRequest?.clientId,
|
|
3088
4091
|
credentialIssuer,
|
|
3089
4092
|
pkce,
|
|
3090
4093
|
authorizationRequest,
|
|
3091
|
-
|
|
4094
|
+
keyAttestation
|
|
3092
4095
|
});
|
|
3093
|
-
if (retrieveServerMetadata
|
|
4096
|
+
if (retrieveServerMetadata !== false) {
|
|
3094
4097
|
await client.retrieveServerMetadata();
|
|
3095
4098
|
}
|
|
3096
|
-
if (createAuthorizationRequestURL
|
|
4099
|
+
if (createAuthorizationRequestURL !== false) {
|
|
3097
4100
|
await client.createAuthorizationRequestUrl({
|
|
3098
4101
|
authorizationRequest,
|
|
3099
4102
|
pkce
|
|
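Review bot: `OpenID4VCIClientV1_0_15.fromCredentialIssuer` (new line 4086) does not accept `endpointMetadata`, although the constructor in this hunk still stores it and `OpenID4VCIClient.fromCredentialIssuer` in the same bundle takes it and forwards it. A caller that passes pre-validated or pinned endpoint metadata to the V1_0_15 factory would have it silently ignored, and with `retrieveServerMetadata` left at its default the token and credential endpoints would presumably come from network discovery against the issuer instead. If the drop is not intended, keep the option and forward it: end the parameter list with `keyAttestation, endpointMetadata })` and add `endpointMetadata,` to the `new _OpenID4VCIClientV1_0_15({ ... })` call. `fromURI` in the next hunk has the same parameter list. The removed lines are truncated on this page and the factory body continues past the hunk, so the old signature is inferred from the sibling class rather than read from the diff.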
@@ -3103,39 +4106,33 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3103
4106
|
}
|
|
3104
4107
|
static async fromState({ state }) {
|
|
3105
4108
|
const clientState = typeof state === "string" ? JSON.parse(state) : state;
|
|
3106
|
-
return new
|
|
4109
|
+
return new _OpenID4VCIClientV1_0_15(clientState);
|
|
3107
4110
|
}
|
|
3108
|
-
static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri,
|
|
3109
|
-
const credentialOfferClient = await
|
|
4111
|
+
static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, keyAttestation }) {
|
|
4112
|
+
const credentialOfferClient = await CredentialOfferClientV1_0_15.fromURI(uri, {
|
|
3110
4113
|
resolve: resolveOfferUri
|
|
3111
4114
|
});
|
|
3112
|
-
const client = new
|
|
4115
|
+
const client = new _OpenID4VCIClientV1_0_15({
|
|
3113
4116
|
credentialOffer: credentialOfferClient,
|
|
3114
4117
|
kid,
|
|
3115
4118
|
alg,
|
|
3116
4119
|
clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
|
|
3117
4120
|
pkce,
|
|
3118
4121
|
authorizationRequest,
|
|
3119
|
-
|
|
4122
|
+
keyAttestation
|
|
3120
4123
|
});
|
|
3121
|
-
if (retrieveServerMetadata
|
|
4124
|
+
if (retrieveServerMetadata !== false) {
|
|
3122
4125
|
await client.retrieveServerMetadata();
|
|
3123
4126
|
}
|
|
3124
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
4127
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common27.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && createAuthorizationRequestURL !== false) {
|
|
3125
4128
|
await client.createAuthorizationRequestUrl({
|
|
3126
4129
|
authorizationRequest,
|
|
3127
4130
|
pkce
|
|
3128
4131
|
});
|
|
3129
|
-
|
|
4132
|
+
logger15.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
3130
4133
|
}
|
|
3131
4134
|
return client;
|
|
3132
4135
|
}
|
|
3133
|
-
/**
|
|
3134
|
-
* Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
|
|
3135
|
-
*
|
|
3136
|
-
* The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
|
|
3137
|
-
* @param opts
|
|
3138
|
-
*/
|
|
3139
4136
|
async createAuthorizationRequestUrl(opts) {
|
|
3140
4137
|
if (!this._state.authorizationURL) {
|
|
3141
4138
|
this.calculatePKCEOpts(opts?.pkce);
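Review bot: The `logger15.debug` line added at the end of `fromURI` writes the complete authorization request URL to the log. That URL is built from the PKCE options, the authorization request options and the credential offer (the `createAuthorizationRequestUrl({ pkce, ..., credentialOffer })` call in the next hunk), so its query string presumably carries per-session values such as the state and issuer state, which should not end up in shared or persisted logs. Log the issuer instead, for example `logger15.debug("Authorization request URL created for issuer " + client.getIssuer());`. The same applies to the equivalent `logger16.debug` line added to `OpenID4VCIClientV1_0_13.fromURI` and, to a lesser degree, to the `Authorization req options` debug lines added to both constructors.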
|
|
@@ -3146,23 +4143,13 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3146
4143
|
if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
|
|
3147
4144
|
this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
|
|
3148
4145
|
}
|
|
3149
|
-
|
|
3150
|
-
this._state.
|
|
3151
|
-
|
|
3152
|
-
|
|
3153
|
-
|
|
3154
|
-
|
|
3155
|
-
|
|
3156
|
-
});
|
|
3157
|
-
} else {
|
|
3158
|
-
this._state.authorizationURL = await createAuthorizationRequestUrl({
|
|
3159
|
-
pkce: this._state.pkce,
|
|
3160
|
-
endpointMetadata: this.endpointMetadata,
|
|
3161
|
-
authorizationRequest: this._state.authorizationRequestOpts,
|
|
3162
|
-
credentialOffer: this.credentialOffer,
|
|
3163
|
-
credentialConfigurationSupported: this.getCredentialsSupported(false)
|
|
3164
|
-
});
|
|
3165
|
-
}
|
|
4146
|
+
this._state.authorizationURL = await createAuthorizationRequestUrl({
|
|
4147
|
+
pkce: this._state.pkce,
|
|
4148
|
+
endpointMetadata: this.endpointMetadata,
|
|
4149
|
+
authorizationRequest: this._state.authorizationRequestOpts,
|
|
4150
|
+
credentialOffer: this.credentialOffer,
|
|
4151
|
+
credentialConfigurationSupported: this.getCredentialsSupported(false)
|
|
4152
|
+
});
|
|
3166
4153
|
}
|
|
3167
4154
|
return this._state.authorizationURL;
|
|
3168
4155
|
}
|
|
@@ -3170,15 +4157,34 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3170
4157
|
this.assertIssuerData();
|
|
3171
4158
|
if (!this._state.endpointMetadata) {
|
|
3172
4159
|
if (this.credentialOffer) {
|
|
3173
|
-
this._state.endpointMetadata = await
|
|
4160
|
+
this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
|
|
3174
4161
|
} else if (this._state.credentialIssuer) {
|
|
3175
|
-
this._state.endpointMetadata = await
|
|
4162
|
+
this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadata(this._state.credentialIssuer);
|
|
3176
4163
|
} else {
|
|
3177
4164
|
throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
|
|
3178
4165
|
}
|
|
3179
4166
|
}
|
|
3180
4167
|
return this.endpointMetadata;
|
|
3181
4168
|
}
|
|
4169
|
+
// New in v15: Nonce endpoint support
|
|
4170
|
+
async acquireNonce() {
|
|
4171
|
+
if (!this.endpointMetadata?.nonce_endpoint) {
|
|
4172
|
+
throw Error("Nonce endpoint not available");
|
|
4173
|
+
}
|
|
4174
|
+
const response = await fetch(this.endpointMetadata.nonce_endpoint, {
|
|
4175
|
+
method: "POST",
|
|
4176
|
+
headers: {
|
|
4177
|
+
"Content-Type": "application/json"
|
|
4178
|
+
},
|
|
4179
|
+
body: JSON.stringify({})
|
|
4180
|
+
});
|
|
4181
|
+
if (!response.ok) {
|
|
4182
|
+
throw Error(`Failed to acquire nonce: ${response.status}`);
|
|
4183
|
+
}
|
|
4184
|
+
const nonceResponse = await response.json();
|
|
4185
|
+
this._state.cachedCNonce = nonceResponse.c_nonce;
|
|
4186
|
+
return nonceResponse.c_nonce;
|
|
4187
|
+
}
|
|
3182
4188
|
calculatePKCEOpts(pkce) {
|
|
3183
4189
|
this._state.pkce = generateMissingPKCEOpts({
|
|
3184
4190
|
...this._state.pkce,
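Review bot: `acquireNonce()` stores and returns `nonceResponse.c_nonce` without checking it, so a 200 response with a missing or non-string `c_nonce` leaves `cachedCNonce` undefined, and the proof in `acquireCredentials` is then built with `c_nonce: undefined`. Add a check right after `response.json()`: `if (typeof nonceResponse?.c_nonce !== "string" || nonceResponse.c_nonce.length === 0) throw Error("Nonce endpoint response did not contain a c_nonce");`. The `fetch` call also has no timeout or abort signal, so an unresponsive nonce endpoint stalls credential acquisition; passing `signal: AbortSignal.timeout(...)` with a value the project chooses would bound it. `nonce_endpoint` is taken from issuer metadata, and nothing in this method checks that it is an https URL before posting to it.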
|
|
@@ -3193,12 +4199,12 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3193
4199
|
...opts
|
|
3194
4200
|
});
|
|
3195
4201
|
if (response.errorBody) {
|
|
3196
|
-
|
|
4202
|
+
logger15.debug(`Authorization code error:\r
|
|
3197
4203
|
${JSON.stringify(response.errorBody)}`);
|
|
3198
4204
|
const error = response.errorBody;
|
|
3199
4205
|
return Promise.reject(error);
|
|
3200
4206
|
} else if (!response.successBody) {
|
|
3201
|
-
|
|
4207
|
+
logger15.debug(`Authorization code error. No success body`);
|
|
3202
4208
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
3203
4209
|
}
|
|
3204
4210
|
return {
|
|
@@ -3244,7 +4250,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3244
4250
|
asOpts.clientOpts.clientId = clientId;
|
|
3245
4251
|
}
|
|
3246
4252
|
if (!this._state.accessTokenResponse) {
|
|
3247
|
-
const accessTokenClient =
|
|
4253
|
+
const accessTokenClient = new AccessTokenClient();
|
|
3248
4254
|
if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
|
|
3249
4255
|
console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
|
|
3250
4256
|
}
|
|
@@ -3270,11 +4276,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3270
4276
|
}
|
|
3271
4277
|
});
|
|
3272
4278
|
if (response.errorBody) {
|
|
3273
|
-
|
|
4279
|
+
logger15.debug(`Access token error:\r
|
|
3274
4280
|
${JSON.stringify(response.errorBody)}`);
|
|
3275
4281
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3276
4282
|
} else if (!response.successBody) {
|
|
3277
|
-
|
|
4283
|
+
logger15.debug(`Access token error. No success body`);
|
|
3278
4284
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3279
4285
|
}
|
|
3280
4286
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -3288,68 +4294,54 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3288
4294
|
}
|
|
3289
4295
|
};
|
|
3290
4296
|
}
|
|
3291
|
-
async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
4297
|
+
async acquireCredentials({ credentialIdentifier, credentialConfigurationId, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
3292
4298
|
if ([
|
|
3293
4299
|
jwk,
|
|
3294
4300
|
kid
|
|
3295
4301
|
].filter((v) => v !== void 0).length > 1) {
|
|
3296
|
-
throw new Error(
|
|
4302
|
+
throw new Error(import_oid4vci_common27.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
3297
4303
|
}
|
|
3298
4304
|
if (alg) this._state.alg = alg;
|
|
3299
4305
|
if (jwk) this._state.jwk = jwk;
|
|
3300
4306
|
if (kid) this._state.kid = kid;
|
|
3301
|
-
|
|
3302
|
-
|
|
3303
|
-
|
|
3304
|
-
|
|
3305
|
-
|
|
3306
|
-
|
|
3307
|
-
|
|
3308
|
-
|
|
3309
|
-
|
|
3310
|
-
|
|
3311
|
-
|
|
3312
|
-
|
|
3313
|
-
requestBuilder
|
|
3314
|
-
|
|
3315
|
-
|
|
3316
|
-
}) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
|
|
3317
|
-
credentialIssuer: this.getIssuer(),
|
|
3318
|
-
credentialTypes,
|
|
3319
|
-
metadata: this.endpointMetadata,
|
|
3320
|
-
version: this.version()
|
|
3321
|
-
});
|
|
4307
|
+
const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
|
|
4308
|
+
credentialOffer: this.credentialOffer,
|
|
4309
|
+
metadata: this.endpointMetadata
|
|
4310
|
+
}) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
4311
|
+
credentialIssuer: this.getIssuer(),
|
|
4312
|
+
credentialTypes,
|
|
4313
|
+
credentialIdentifier,
|
|
4314
|
+
credentialConfigurationId,
|
|
4315
|
+
metadata: this.endpointMetadata,
|
|
4316
|
+
version: this.version()
|
|
4317
|
+
});
|
|
4318
|
+
if (credentialIdentifier) {
|
|
4319
|
+
requestBuilder.withCredentialIdentifier(credentialIdentifier);
|
|
4320
|
+
} else if (credentialConfigurationId) {
|
|
4321
|
+
requestBuilder.withCredentialConfigurationId(credentialConfigurationId);
|
|
3322
4322
|
}
|
|
3323
|
-
const issuerState = this.issuerSupportedFlowTypes().includes(
|
|
4323
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common27.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this._state.cachedCNonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
3324
4324
|
requestBuilder.withIssuerState(issuerState);
|
|
3325
4325
|
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
3326
4326
|
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
3327
4327
|
let subjectIssuance;
|
|
3328
4328
|
if (this.endpointMetadata?.credentialIssuerMetadata) {
|
|
3329
4329
|
const metadata = this.endpointMetadata.credentialIssuerMetadata;
|
|
3330
|
-
|
|
3331
|
-
|
|
3332
|
-
|
|
3333
|
-
|
|
3334
|
-
|
|
3335
|
-
|
|
3336
|
-
|
|
3337
|
-
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3338
|
-
typeSupported = true;
|
|
3339
|
-
if (supportedCredential.credential_subject_issuance) {
|
|
4330
|
+
if (metadata.credential_configurations_supported) {
|
|
4331
|
+
const configId = credentialConfigurationId ?? credentialIdentifier;
|
|
4332
|
+
if (configId && metadata.credential_configurations_supported[configId]) {
|
|
4333
|
+
const config = metadata.credential_configurations_supported[configId];
|
|
4334
|
+
if (config.credential_subject_issuance) {
|
|
4335
|
+
const subjIssuance = config.credential_subject_issuance;
|
|
4336
|
+
if (subjIssuance.subject_proof_mode && subjIssuance.notification_events_supported) {
|
|
3340
4337
|
subjectIssuance = {
|
|
3341
|
-
credential_subject_issuance:
|
|
4338
|
+
credential_subject_issuance: {
|
|
4339
|
+
subject_proof_mode: subjIssuance.subject_proof_mode,
|
|
4340
|
+
notification_events_supported: subjIssuance.notification_events_supported
|
|
4341
|
+
}
|
|
3342
4342
|
};
|
|
3343
4343
|
}
|
|
3344
4344
|
}
|
|
3345
|
-
});
|
|
3346
|
-
if (!typeSupported) {
|
|
3347
|
-
console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
|
|
3348
|
-
}
|
|
3349
|
-
} else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
|
|
3350
|
-
const credentialsSupported = metadata.credentials_supported;
|
|
3351
|
-
if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
|
|
3352
|
-
throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
|
|
3353
4345
|
}
|
|
3354
4346
|
}
|
|
3355
4347
|
}
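Review bot: The rewritten metadata block indexes `metadata.credential_configurations_supported[configId]` with `configId = credentialConfigurationId ?? credentialIdentifier` and falls through silently when nothing matches. The removed code at least logged `Not all credential types ... are present in metadata`, or threw on the legacy path, so a request for a configuration the issuer never advertised now goes unnoticed. A credential identifier is not necessarily a key of `credential_configurations_supported`, and the plain index also matches inherited keys such as `constructor`. Use an own-property test and report the miss: `if (configId && !Object.hasOwn(metadata.credential_configurations_supported, configId)) logger15.debug("Credential configuration not present in issuer metadata: " + configId);`. `acquireCredentials` continues outside this hunk.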
|
|
@@ -3357,8 +4349,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3357
4349
|
requestBuilder.withSubjectIssuance(subjectIssuance);
|
|
3358
4350
|
}
|
|
3359
4351
|
const credentialRequestClient = requestBuilder.build();
|
|
4352
|
+
if (!this._state.cachedCNonce) {
|
|
4353
|
+
await this.acquireNonce();
|
|
4354
|
+
}
|
|
3360
4355
|
const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
|
|
3361
|
-
accessTokenResponse:
|
|
4356
|
+
accessTokenResponse: {
|
|
4357
|
+
...this.accessTokenResponse,
|
|
4358
|
+
c_nonce: this._state.cachedCNonce
|
|
4359
|
+
},
|
|
3362
4360
|
callbacks: proofCallbacks,
|
|
3363
4361
|
version: this.version()
|
|
3364
4362
|
}).withIssuer(this.getIssuer()).withAlg(this.alg);
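Review bot: The nonce is only fetched when `this._state.cachedCNonce` is empty, and nothing visible clears it after use. A second `acquireCredentials` call, or a client rebuilt through `fromState` from serialised state, therefore signs its proof over a nonce that was already used, which an issuer would normally reject as a replay. Request a fresh one whenever the endpoint exists, `const cNonce = this.hasNonceEndpoint() ? await this.acquireNonce() : this._state.cachedCNonce;`, and pass `c_nonce: cNonce` to the proof builder. The `hasNonceEndpoint()` guard also avoids the `Nonce endpoint not available` error that `acquireNonce()` throws today for issuers without a nonce endpoint. `acquireCredentials` starts and ends outside this hunk.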
|
|
@@ -3376,6 +4374,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3376
4374
|
}
|
|
3377
4375
|
const response = await credentialRequestClient.acquireCredentialsUsingProof({
|
|
3378
4376
|
proofInput: proofBuilder,
|
|
4377
|
+
credentialIdentifier,
|
|
3379
4378
|
credentialTypes,
|
|
3380
4379
|
context,
|
|
3381
4380
|
format,
|
|
@@ -3384,11 +4383,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3384
4383
|
});
|
|
3385
4384
|
this._state.dpopResponseParams = response.params;
|
|
3386
4385
|
if (response.errorBody) {
|
|
3387
|
-
|
|
4386
|
+
logger15.debug(`Credential request error:\r
|
|
3388
4387
|
${JSON.stringify(response.errorBody)}`);
|
|
3389
4388
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3390
4389
|
} else if (!response.successBody) {
|
|
3391
|
-
|
|
4390
|
+
logger15.debug(`Credential request error. No success body`);
|
|
3392
4391
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3393
4392
|
}
|
|
3394
4393
|
return {
|
|
@@ -3403,35 +4402,27 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3403
4402
|
return JSON.stringify(this._state);
|
|
3404
4403
|
}
|
|
3405
4404
|
getCredentialsSupported(restrictToInitiationTypes, format) {
|
|
3406
|
-
return (0,
|
|
4405
|
+
return (0, import_oid4vci_common27.getSupportedCredentials)({
|
|
3407
4406
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
3408
4407
|
version: this.version(),
|
|
3409
4408
|
format,
|
|
3410
|
-
types: restrictToInitiationTypes ?
|
|
4409
|
+
types: restrictToInitiationTypes ? [
|
|
4410
|
+
this.getCredentialOfferConfigurationIds()
|
|
4411
|
+
] : void 0
|
|
3411
4412
|
});
|
|
3412
4413
|
}
|
|
3413
4414
|
async sendNotification(credentialRequestOpts, request, accessToken) {
|
|
3414
4415
|
return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
|
|
3415
4416
|
}
|
|
3416
|
-
|
|
4417
|
+
getCredentialOfferConfigurationIds() {
|
|
3417
4418
|
if (!this.credentialOffer) {
|
|
3418
4419
|
return [];
|
|
3419
|
-
} else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_11) {
|
|
3420
|
-
const orig = this.credentialOffer.original_credential_offer;
|
|
3421
|
-
const types = typeof orig.credential_type === "string" ? [
|
|
3422
|
-
orig.credential_type
|
|
3423
|
-
] : orig.credential_type;
|
|
3424
|
-
const result = [];
|
|
3425
|
-
result[0] = types;
|
|
3426
|
-
return result;
|
|
3427
|
-
} else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13) {
|
|
3428
|
-
return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common23.getTypesFromObject)(c) ?? []);
|
|
3429
4420
|
}
|
|
3430
|
-
return
|
|
4421
|
+
return this.credentialOffer.credential_offer?.credential_configuration_ids ?? [];
|
|
3431
4422
|
}
|
|
3432
4423
|
issuerSupportedFlowTypes() {
|
|
3433
4424
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
|
|
3434
|
-
|
|
4425
|
+
import_oid4vci_common27.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
3435
4426
|
] : []);
|
|
3436
4427
|
}
|
|
3437
4428
|
isFlowTypeSupported(flowType) {
|
|
@@ -3447,17 +4438,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3447
4438
|
return this._state.credentialOffer;
|
|
3448
4439
|
}
|
|
3449
4440
|
version() {
|
|
3450
|
-
|
|
3451
|
-
return this.credentialOffer.version;
|
|
3452
|
-
}
|
|
3453
|
-
const metadata = this._state.endpointMetadata;
|
|
3454
|
-
if (metadata?.credentialIssuerMetadata) {
|
|
3455
|
-
const versions = (0, import_oid4vci_common23.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
|
|
3456
|
-
if (versions.length > 0 && !versions.includes(import_oid4vci_common23.OpenId4VCIVersion.VER_UNKNOWN)) {
|
|
3457
|
-
return versions[0];
|
|
3458
|
-
}
|
|
3459
|
-
}
|
|
3460
|
-
return import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13;
|
|
4441
|
+
return import_oid4vci_common27.OpenId4VCIVersion.VER_1_0_15;
|
|
3461
4442
|
}
|
|
3462
4443
|
get endpointMetadata() {
|
|
3463
4444
|
this.assertServerMetadata();
|
|
@@ -3493,20 +4474,16 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3493
4474
|
get dpopResponseParams() {
|
|
3494
4475
|
return this._state.dpopResponseParams;
|
|
3495
4476
|
}
|
|
4477
|
+
get state() {
|
|
4478
|
+
return this._state;
|
|
4479
|
+
}
|
|
3496
4480
|
getIssuer() {
|
|
3497
4481
|
this.assertIssuerData();
|
|
3498
4482
|
return this._state.credentialIssuer;
|
|
3499
4483
|
}
|
|
3500
4484
|
getAccessTokenEndpoint() {
|
|
3501
4485
|
this.assertIssuerData();
|
|
3502
|
-
|
|
3503
|
-
return this.endpointMetadata.token_endpoint;
|
|
3504
|
-
}
|
|
3505
|
-
return this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_12 ? AccessTokenClientV1_0_11.determineTokenURL({
|
|
3506
|
-
issuerOpts: {
|
|
3507
|
-
issuer: this.getIssuer()
|
|
3508
|
-
}
|
|
3509
|
-
}) : AccessTokenClient.determineTokenURL({
|
|
4486
|
+
return this.endpointMetadata?.token_endpoint ?? AccessTokenClient.determineTokenURL({
|
|
3510
4487
|
issuerOpts: {
|
|
3511
4488
|
issuer: this.getIssuer()
|
|
3512
4489
|
}
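Review bot: The new `state` getter returns the live `_state` object, which per the other hunks holds `accessTokenResponse`, the PKCE options and `cachedCNonce`. Any caller can therefore modify the client's token and nonce state, or pass the whole object to a logger. If read access is all that is needed, return a copy, `return { ...this._state };`, and add a comment such as `// contains bearer tokens and PKCE material; do not log` above the getter. The class already has a method returning `JSON.stringify(this._state)` for persistence, so the getter does not need to expose the mutable object.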
|
|
@@ -3514,7 +4491,13 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3514
4491
|
}
|
|
3515
4492
|
getCredentialEndpoint() {
|
|
3516
4493
|
this.assertIssuerData();
|
|
3517
|
-
return this.endpointMetadata
|
|
4494
|
+
return this.endpointMetadata?.credential_endpoint ?? `${this.getIssuer()}/credential`;
|
|
4495
|
+
}
|
|
4496
|
+
getNonceEndpoint() {
|
|
4497
|
+
return this.endpointMetadata?.nonce_endpoint;
|
|
4498
|
+
}
|
|
4499
|
+
hasNonceEndpoint() {
|
|
4500
|
+
return !!this.getNonceEndpoint();
|
|
3518
4501
|
}
|
|
3519
4502
|
getAuthorizationChallengeEndpoint() {
|
|
3520
4503
|
this.assertIssuerData();
|
|
@@ -3524,24 +4507,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3524
4507
|
return !!this.getAuthorizationChallengeEndpoint();
|
|
3525
4508
|
}
|
|
3526
4509
|
hasDeferredCredentialEndpoint() {
|
|
3527
|
-
return !!this.
|
|
4510
|
+
return !!this.endpointMetadata?.deferred_credential_endpoint;
|
|
3528
4511
|
}
|
|
3529
4512
|
getDeferredCredentialEndpoint() {
|
|
3530
4513
|
this.assertIssuerData();
|
|
3531
|
-
return this.endpointMetadata
|
|
4514
|
+
return this.endpointMetadata?.deferred_credential_endpoint;
|
|
3532
4515
|
}
|
|
3533
|
-
/**
|
|
3534
|
-
* Too bad we need a method like this, but EBSI is not exposing metadata
|
|
3535
|
-
*/
|
|
3536
4516
|
isEBSI() {
|
|
3537
|
-
|
|
3538
|
-
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
|
|
3539
|
-
// @ts-ignore
|
|
3540
|
-
typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
|
|
3541
|
-
))) {
|
|
3542
|
-
return true;
|
|
3543
|
-
}
|
|
3544
|
-
return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
|
|
4517
|
+
return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
|
|
3545
4518
|
}
|
|
3546
4519
|
assertIssuerData() {
|
|
3547
4520
|
if (!this._state.credentialIssuer) {
|
|
@@ -3574,7 +4547,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3574
4547
|
};
|
|
3575
4548
|
if (!authorizationRequestOpts) {
|
|
3576
4549
|
authorizationRequestOpts = {
|
|
3577
|
-
redirectUri: `${
|
|
4550
|
+
redirectUri: `${import_oid4vci_common27.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
3578
4551
|
};
|
|
3579
4552
|
}
|
|
3580
4553
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -3585,7 +4558,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3585
4558
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
3586
4559
|
if (authorizationResponse) {
|
|
3587
4560
|
this._state.authorizationCodeResponse = {
|
|
3588
|
-
...(0,
|
|
4561
|
+
...(0, import_oid4vci_common27.toAuthorizationResponsePayload)(authorizationResponse)
|
|
3589
4562
|
};
|
|
3590
4563
|
} else if (code) {
|
|
3591
4564
|
this._state.authorizationCodeResponse = {
|
|
@@ -3597,16 +4570,16 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3597
4570
|
};
|
|
3598
4571
|
|
|
3599
4572
|
// lib/OpenID4VCIClientV1_0_13.ts
|
|
3600
|
-
var
|
|
3601
|
-
var
|
|
3602
|
-
var
|
|
4573
|
+
var import_oid4vci_common28 = require("@sphereon/oid4vci-common");
|
|
4574
|
+
var import_ssi_types18 = require("@sphereon/ssi-types");
|
|
4575
|
+
var logger16 = import_ssi_types18.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
3603
4576
|
var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
3604
4577
|
static {
|
|
3605
4578
|
__name(this, "OpenID4VCIClientV1_0_13");
|
|
3606
4579
|
}
|
|
3607
4580
|
_state;
|
|
3608
4581
|
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
3609
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
4582
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common28.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
3610
4583
|
if (!issuer) {
|
|
3611
4584
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
3612
4585
|
}
|
|
@@ -3616,10 +4589,10 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3616
4589
|
kid,
|
|
3617
4590
|
alg,
|
|
3618
4591
|
// TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
|
|
3619
|
-
clientId: clientId ?? (credentialOffer && (0,
|
|
4592
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common28.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
3620
4593
|
pkce: {
|
|
3621
4594
|
disabled: false,
|
|
3622
|
-
codeChallengeMethod:
|
|
4595
|
+
codeChallengeMethod: import_oid4vci_common28.CodeChallengeMethod.S256,
|
|
3623
4596
|
...pkce
|
|
3624
4597
|
},
|
|
3625
4598
|
authorizationRequestOpts,
|
|
@@ -3633,7 +4606,7 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3633
4606
|
if (!this._state.authorizationRequestOpts) {
|
|
3634
4607
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
3635
4608
|
}
|
|
3636
|
-
|
|
4609
|
+
logger16.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
3637
4610
|
}
|
|
3638
4611
|
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
|
|
3639
4612
|
const client = new _OpenID4VCIClientV1_0_13({
|
|
@@ -3674,12 +4647,12 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3674
4647
|
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
3675
4648
|
await client.retrieveServerMetadata();
|
|
3676
4649
|
}
|
|
3677
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
4650
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common28.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
|
|
3678
4651
|
await client.createAuthorizationRequestUrl({
|
|
3679
4652
|
authorizationRequest,
|
|
3680
4653
|
pkce
|
|
3681
4654
|
});
|
|
3682
|
-
|
|
4655
|
+
logger16.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
3683
4656
|
}
|
|
3684
4657
|
return client;
|
|
3685
4658
|
}
|
|
@@ -3737,12 +4710,12 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3737
4710
|
...opts
|
|
3738
4711
|
});
|
|
3739
4712
|
if (response.errorBody) {
|
|
3740
|
-
|
|
4713
|
+
logger16.debug(`Authorization code error:\r
|
|
3741
4714
|
${JSON.stringify(response.errorBody)}`);
|
|
3742
4715
|
const error = response.errorBody;
|
|
3743
4716
|
return Promise.reject(error);
|
|
3744
4717
|
} else if (!response.successBody) {
|
|
3745
|
-
|
|
4718
|
+
logger16.debug(`Authorization code error. No success body`);
|
|
3746
4719
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
3747
4720
|
}
|
|
3748
4721
|
return {
|
|
@@ -3814,11 +4787,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3814
4787
|
}
|
|
3815
4788
|
});
|
|
3816
4789
|
if (response.errorBody) {
|
|
3817
|
-
|
|
4790
|
+
logger16.debug(`Access token error:\r
|
|
3818
4791
|
${JSON.stringify(response.errorBody)}`);
|
|
3819
4792
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3820
4793
|
} else if (!response.successBody) {
|
|
3821
|
-
|
|
4794
|
+
logger16.debug(`Access token error. No success body`);
|
|
3822
4795
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3823
4796
|
}
|
|
3824
4797
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -3843,7 +4816,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3843
4816
|
jwk,
|
|
3844
4817
|
kid
|
|
3845
4818
|
].filter((v) => v !== void 0).length > 1) {
|
|
3846
|
-
throw new Error(
|
|
4819
|
+
throw new Error(import_oid4vci_common28.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
3847
4820
|
}
|
|
3848
4821
|
if (alg) this._state.alg = alg;
|
|
3849
4822
|
if (jwk) this._state.jwk = jwk;
|
|
@@ -3857,7 +4830,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3857
4830
|
metadata: this.endpointMetadata,
|
|
3858
4831
|
version: this.version()
|
|
3859
4832
|
});
|
|
3860
|
-
const issuerState = this.issuerSupportedFlowTypes().includes(
|
|
4833
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common28.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
3861
4834
|
requestBuilder.withIssuerState(issuerState);
|
|
3862
4835
|
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
3863
4836
|
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
@@ -3880,7 +4853,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3880
4853
|
} else if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
|
|
3881
4854
|
let typeSupported = false;
|
|
3882
4855
|
metadata.credentials_supported.forEach((supportedCredential) => {
|
|
3883
|
-
const subTypes = (0,
|
|
4856
|
+
const subTypes = (0, import_oid4vci_common28.getTypesFromCredentialSupported)(supportedCredential);
|
|
3884
4857
|
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3885
4858
|
typeSupported = true;
|
|
3886
4859
|
if (supportedCredential.credential_subject_issuance) {
|
|
@@ -3896,7 +4869,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3896
4869
|
} else if (metadata.credential_configurations_supported && typeof metadata.credential_configurations_supported === "object") {
|
|
3897
4870
|
let typeSupported = false;
|
|
3898
4871
|
Object.values(metadata.credential_configurations_supported).forEach((supportedCredential) => {
|
|
3899
|
-
const subTypes = (0,
|
|
4872
|
+
const subTypes = (0, import_oid4vci_common28.getTypesFromCredentialSupported)(supportedCredential);
|
|
3900
4873
|
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3901
4874
|
typeSupported = true;
|
|
3902
4875
|
}
|
|
@@ -3946,14 +4919,17 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3946
4919
|
credentialIdentifier,
|
|
3947
4920
|
subjectIssuance
|
|
3948
4921
|
});
|
|
3949
|
-
|
|
4922
|
+
if (!import_oid4vci_common28.supportedOID4VCICredentialFormat.includes(format)) {
|
|
4923
|
+
return Promise.reject(Error(`Unsupported credential format: ${format}`));
|
|
4924
|
+
}
|
|
4925
|
+
const response = await credentialRequestClient.acquireCredentialsUsingRequest(request, format, createDPoPOpts);
|
|
3950
4926
|
this._state.dpopResponseParams = response.params;
|
|
3951
4927
|
if (response.errorBody) {
|
|
3952
|
-
|
|
4928
|
+
logger16.debug(`Credential request error:\r
|
|
3953
4929
|
${JSON.stringify(response.errorBody)}`);
|
|
3954
4930
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3955
4931
|
} else if (!response.successBody) {
|
|
3956
|
-
|
|
4932
|
+
logger16.debug(`Credential request error. No success body`);
|
|
3957
4933
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3958
4934
|
}
|
|
3959
4935
|
return {
|
|
@@ -3968,7 +4944,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3968
4944
|
return JSON.stringify(this._state);
|
|
3969
4945
|
}
|
|
3970
4946
|
getCredentialsSupported(format) {
|
|
3971
|
-
return (0,
|
|
4947
|
+
return (0, import_oid4vci_common28.getSupportedCredentials)({
|
|
3972
4948
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
3973
4949
|
version: this.version(),
|
|
3974
4950
|
format,
|
|
@@ -4003,7 +4979,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4003
4979
|
}*/
|
|
4004
4980
|
issuerSupportedFlowTypes() {
|
|
4005
4981
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
|
|
4006
|
-
|
|
4982
|
+
import_oid4vci_common28.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
4007
4983
|
] : []);
|
|
4008
4984
|
}
|
|
4009
4985
|
isFlowTypeSupported(flowType) {
|
|
@@ -4019,7 +4995,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4019
4995
|
return this._state.credentialOffer;
|
|
4020
4996
|
}
|
|
4021
4997
|
version() {
|
|
4022
|
-
return this.credentialOffer?.version ??
|
|
4998
|
+
return this.credentialOffer?.version ?? import_oid4vci_common28.OpenId4VCIVersion.VER_1_0_13;
|
|
4023
4999
|
}
|
|
4024
5000
|
get endpointMetadata() {
|
|
4025
5001
|
this.assertServerMetadata();
|
|
@@ -4122,7 +5098,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4122
5098
|
};
|
|
4123
5099
|
if (!authorizationRequestOpts) {
|
|
4124
5100
|
authorizationRequestOpts = {
|
|
4125
|
-
redirectUri: `${
|
|
5101
|
+
redirectUri: `${import_oid4vci_common28.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
4126
5102
|
};
|
|
4127
5103
|
}
|
|
4128
5104
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -4133,7 +5109,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4133
5109
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
4134
5110
|
if (authorizationResponse) {
|
|
4135
5111
|
this._state.authorizationCodeResponse = {
|
|
4136
|
-
...(0,
|
|
5112
|
+
...(0, import_oid4vci_common28.toAuthorizationResponsePayload)(authorizationResponse)
|
|
4137
5113
|
};
|
|
4138
5114
|
} else if (code) {
|
|
4139
5115
|
this._state.authorizationCodeResponse = {
|
|
@@ -4145,16 +5121,16 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4145
5121
|
};
|
|
4146
5122
|
|
|
4147
5123
|
// lib/OpenID4VCIClientV1_0_11.ts
|
|
4148
|
-
var
|
|
4149
|
-
var
|
|
4150
|
-
var
|
|
5124
|
+
var import_oid4vci_common29 = require("@sphereon/oid4vci-common");
|
|
5125
|
+
var import_ssi_types19 = require("@sphereon/ssi-types");
|
|
5126
|
+
var logger17 = import_ssi_types19.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
4151
5127
|
var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
4152
5128
|
static {
|
|
4153
5129
|
__name(this, "OpenID4VCIClientV1_0_11");
|
|
4154
5130
|
}
|
|
4155
5131
|
_state;
|
|
4156
5132
|
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
4157
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
5133
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common29.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
4158
5134
|
if (!issuer) {
|
|
4159
5135
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
4160
5136
|
}
|
|
@@ -4164,10 +5140,10 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4164
5140
|
kid,
|
|
4165
5141
|
alg,
|
|
4166
5142
|
// TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
|
|
4167
|
-
clientId: clientId ?? (credentialOffer && (0,
|
|
5143
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common29.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
4168
5144
|
pkce: {
|
|
4169
5145
|
disabled: false,
|
|
4170
|
-
codeChallengeMethod:
|
|
5146
|
+
codeChallengeMethod: import_oid4vci_common29.CodeChallengeMethod.S256,
|
|
4171
5147
|
...pkce
|
|
4172
5148
|
},
|
|
4173
5149
|
authorizationRequestOpts,
|
|
@@ -4180,7 +5156,7 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4180
5156
|
if (!this._state.authorizationRequestOpts) {
|
|
4181
5157
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
4182
5158
|
}
|
|
4183
|
-
|
|
5159
|
+
logger17.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
4184
5160
|
}
|
|
4185
5161
|
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
|
|
4186
5162
|
const client = new _OpenID4VCIClientV1_0_11({
|
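Review bot: The `logger17.debug` call at the end of the constructor serialises the whole `this._state.authorizationRequestOpts` object with `JSON.stringify`, and the hunk at new line 5205 logs the complete `client._state.authorizationURL`, so authorization-request parameters reach the log in full. Which fields they hold is not visible in these hunks, but an authorization URL normally carries values such as `state` and the PKCE challenge. `logger17` is obtained from `Loggers.DEFAULT`, whose level and sinks are configured outside this file. I would log only that the step happened plus non-sensitive identifiers, for example `logger17.debug("Authorization request URL created for issuer " + client.getIssuer());`, and pick individual fields from the options object instead of dumping it.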
|
@@ -4221,12 +5197,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4221
5197
|
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
4222
5198
|
await client.retrieveServerMetadata();
|
|
4223
5199
|
}
|
|
4224
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
5200
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common29.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
|
|
4225
5201
|
await client.createAuthorizationRequestUrl({
|
|
4226
5202
|
authorizationRequest,
|
|
4227
5203
|
pkce
|
|
4228
5204
|
});
|
|
4229
|
-
|
|
5205
|
+
logger17.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
4230
5206
|
}
|
|
4231
5207
|
return client;
|
|
4232
5208
|
}
|
|
@@ -4283,12 +5259,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4283
5259
|
...opts
|
|
4284
5260
|
});
|
|
4285
5261
|
if (response.errorBody) {
|
|
4286
|
-
|
|
5262
|
+
logger17.debug(`Authorization code error:\r
|
|
4287
5263
|
${JSON.stringify(response.errorBody)}`);
|
|
4288
5264
|
const error = response.errorBody;
|
|
4289
5265
|
return Promise.reject(error);
|
|
4290
5266
|
} else if (!response.successBody) {
|
|
4291
|
-
|
|
5267
|
+
logger17.debug(`Authorization code error. No success body`);
|
|
4292
5268
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
4293
5269
|
}
|
|
4294
5270
|
return {
|
|
@@ -4360,11 +5336,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4360
5336
|
}
|
|
4361
5337
|
});
|
|
4362
5338
|
if (response.errorBody) {
|
|
4363
|
-
|
|
5339
|
+
logger17.debug(`Access token error:\r
|
|
4364
5340
|
${JSON.stringify(response.errorBody)}`);
|
|
4365
5341
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
4366
5342
|
} else if (!response.successBody) {
|
|
4367
|
-
|
|
5343
|
+
logger17.debug(`Access token error. No success body`);
|
|
4368
5344
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
4369
5345
|
}
|
|
4370
5346
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -4383,7 +5359,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4383
5359
|
jwk,
|
|
4384
5360
|
kid
|
|
4385
5361
|
].filter((v) => v !== void 0).length > 1) {
|
|
4386
|
-
throw new Error(
|
|
5362
|
+
throw new Error(import_oid4vci_common29.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
4387
5363
|
}
|
|
4388
5364
|
if (alg) this._state.alg = alg;
|
|
4389
5365
|
if (jwk) this._state.jwk = jwk;
|
|
@@ -4407,7 +5383,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4407
5383
|
if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
|
|
4408
5384
|
let typeSupported = false;
|
|
4409
5385
|
metadata.credentials_supported.forEach((supportedCredential) => {
|
|
4410
|
-
const subTypes = (0,
|
|
5386
|
+
const subTypes = (0, import_oid4vci_common29.getTypesFromCredentialSupported)(supportedCredential);
|
|
4411
5387
|
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
4412
5388
|
typeSupported = true;
|
|
4413
5389
|
}
|
|
@@ -4449,11 +5425,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4449
5425
|
});
|
|
4450
5426
|
this._state.dpopResponseParams = response.params;
|
|
4451
5427
|
if (response.errorBody) {
|
|
4452
|
-
|
|
5428
|
+
logger17.debug(`Credential request error:\r
|
|
4453
5429
|
${JSON.stringify(response.errorBody)}`);
|
|
4454
5430
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
4455
5431
|
} else if (!response.successBody) {
|
|
4456
|
-
|
|
5432
|
+
logger17.debug(`Credential request error. No success body`);
|
|
4457
5433
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
4458
5434
|
}
|
|
4459
5435
|
return {
|
|
@@ -4471,7 +5447,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4471
5447
|
// When < v11 convert into a v12 object. When v12 object retain it.
|
|
4472
5448
|
// Then match the object array on server metadata
|
|
4473
5449
|
getCredentialsSupportedV11(restrictToInitiationTypes, format) {
|
|
4474
|
-
return (0,
|
|
5450
|
+
return (0, import_oid4vci_common29.getSupportedCredentials)({
|
|
4475
5451
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
4476
5452
|
version: this.version(),
|
|
4477
5453
|
format,
|
|
@@ -4479,7 +5455,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4479
5455
|
});
|
|
4480
5456
|
}
|
|
4481
5457
|
getCredentialsSupported(format) {
|
|
4482
|
-
return (0,
|
|
5458
|
+
return (0, import_oid4vci_common29.getSupportedCredentials)({
|
|
4483
5459
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
4484
5460
|
version: this.version(),
|
|
4485
5461
|
format,
|
|
@@ -4489,7 +5465,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4489
5465
|
getCredentialOfferTypes() {
|
|
4490
5466
|
if (!this.credentialOffer) {
|
|
4491
5467
|
return [];
|
|
4492
|
-
} else if (this.credentialOffer.version <
|
|
5468
|
+
} else if (this.credentialOffer.version < import_oid4vci_common29.OpenId4VCIVersion.VER_1_0_11) {
|
|
4493
5469
|
const orig = this.credentialOffer.original_credential_offer;
|
|
4494
5470
|
const types = typeof orig.credential_type === "string" ? [
|
|
4495
5471
|
orig.credential_type
|
|
@@ -4497,14 +5473,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4497
5473
|
const result = [];
|
|
4498
5474
|
result[0] = types;
|
|
4499
5475
|
return result;
|
|
4500
|
-
} else if (this.credentialOffer.version <
|
|
4501
|
-
return this.credentialOffer.credential_offer.credentials.map((c) => (0,
|
|
5476
|
+
} else if (this.credentialOffer.version < import_oid4vci_common29.OpenId4VCIVersion.VER_1_0_13) {
|
|
5477
|
+
return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common29.getTypesFromObject)(c) ?? []);
|
|
4502
5478
|
}
|
|
4503
5479
|
throw Error(`This class only supports version 11 and lower! Version: ${this.version()}`);
|
|
4504
5480
|
}
|
|
4505
5481
|
issuerSupportedFlowTypes() {
|
|
4506
5482
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
|
|
4507
|
-
|
|
5483
|
+
import_oid4vci_common29.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
4508
5484
|
] : []);
|
|
4509
5485
|
}
|
|
4510
5486
|
isFlowTypeSupported(flowType) {
|
|
@@ -4520,7 +5496,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4520
5496
|
return this._state.credentialOffer;
|
|
4521
5497
|
}
|
|
4522
5498
|
version() {
|
|
4523
|
-
return this.credentialOffer?.version ??
|
|
5499
|
+
return this.credentialOffer?.version ?? import_oid4vci_common29.OpenId4VCIVersion.VER_1_0_11;
|
|
4524
5500
|
}
|
|
4525
5501
|
get endpointMetadata() {
|
|
4526
5502
|
this.assertServerMetadata();
|
|
@@ -4616,7 +5592,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4616
5592
|
};
|
|
4617
5593
|
if (!authorizationRequestOpts) {
|
|
4618
5594
|
authorizationRequestOpts = {
|
|
4619
|
-
redirectUri: `${
|
|
5595
|
+
redirectUri: `${import_oid4vci_common29.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
4620
5596
|
};
|
|
4621
5597
|
}
|
|
4622
5598
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -4627,7 +5603,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4627
5603
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
4628
5604
|
if (authorizationResponse) {
|
|
4629
5605
|
this._state.authorizationCodeResponse = {
|
|
4630
|
-
...(0,
|
|
5606
|
+
...(0, import_oid4vci_common29.toAuthorizationResponsePayload)(authorizationResponse)
|
|
4631
5607
|
};
|
|
4632
5608
|
} else if (code) {
|
|
4633
5609
|
this._state.authorizationCodeResponse = {
|
|
@@ -4639,41 +5615,5 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4639
5615
|
};
|
|
4640
5616
|
|
|
4641
5617
|
// lib/index.ts
|
|
4642
|
-
var LOG2 =
|
|
4643
|
-
// Annotate the CommonJS export names for ESM import in node:
|
|
4644
|
-
0 && (module.exports = {
|
|
4645
|
-
AccessTokenClient,
|
|
4646
|
-
AccessTokenClientV1_0_11,
|
|
4647
|
-
CredentialOfferClient,
|
|
4648
|
-
CredentialOfferClientV1_0_11,
|
|
4649
|
-
CredentialOfferClientV1_0_13,
|
|
4650
|
-
CredentialRequestClient,
|
|
4651
|
-
CredentialRequestClientBuilder,
|
|
4652
|
-
CredentialRequestClientBuilderV1_0_11,
|
|
4653
|
-
CredentialRequestClientBuilderV1_0_13,
|
|
4654
|
-
CredentialRequestClientV1_0_11,
|
|
4655
|
-
LOG,
|
|
4656
|
-
MetadataClient,
|
|
4657
|
-
MetadataClientV1_0_11,
|
|
4658
|
-
MetadataClientV1_0_13,
|
|
4659
|
-
OpenID4VCIClient,
|
|
4660
|
-
OpenID4VCIClientV1_0_11,
|
|
4661
|
-
OpenID4VCIClientV1_0_13,
|
|
4662
|
-
ProofOfPossessionBuilder,
|
|
4663
|
-
acquireAuthorizationChallengeAuthCode,
|
|
4664
|
-
acquireAuthorizationChallengeAuthCodeUsingRequest,
|
|
4665
|
-
buildProof,
|
|
4666
|
-
constructBaseResponse,
|
|
4667
|
-
createAuthorizationChallengeRequest,
|
|
4668
|
-
createAuthorizationRequestUrl,
|
|
4669
|
-
createAuthorizationRequestUrlV1_0_11,
|
|
4670
|
-
createJwtBearerClientAssertion,
|
|
4671
|
-
createSignedAuthRequestWhenNeeded,
|
|
4672
|
-
generateMissingPKCEOpts,
|
|
4673
|
-
handleCredentialOfferUri,
|
|
4674
|
-
isUriEncoded,
|
|
4675
|
-
retrieveWellknown,
|
|
4676
|
-
sendAuthorizationChallengeRequest,
|
|
4677
|
-
sendNotification
|
|
4678
|
-
});
|
|
5618
|
+
var LOG2 = import_oid4vci_common30.VCI_LOGGERS.get("sphereon:oid4vci:client");
|
|
4679
5619
|
//# sourceMappingURL=index.cjs.map
|