@sphereon/oid4vci-client 0.19.0 → 0.19.1-feature.SSISDK.13.17
- package/dist/index.cjs +1392 -404
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +235 -22
- package/dist/index.d.ts +235 -22
- package/dist/index.js +1369 -381
- package/dist/index.js.map +1 -1
- package/package.json +5 -5
package/dist/index.cjs
CHANGED
|
@@ -26,18 +26,22 @@ __export(index_exports, {
|
|
|
26
26
|
CredentialOfferClient: () => CredentialOfferClient,
|
|
27
27
|
CredentialOfferClientV1_0_11: () => CredentialOfferClientV1_0_11,
|
|
28
28
|
CredentialOfferClientV1_0_13: () => CredentialOfferClientV1_0_13,
|
|
29
|
+
CredentialOfferClientV1_0_15: () => CredentialOfferClientV1_0_15,
|
|
29
30
|
CredentialRequestClient: () => CredentialRequestClient,
|
|
30
31
|
CredentialRequestClientBuilder: () => CredentialRequestClientBuilder,
|
|
31
32
|
CredentialRequestClientBuilderV1_0_11: () => CredentialRequestClientBuilderV1_0_11,
|
|
32
33
|
CredentialRequestClientBuilderV1_0_13: () => CredentialRequestClientBuilderV1_0_13,
|
|
34
|
+
CredentialRequestClientBuilderV1_0_15: () => CredentialRequestClientBuilderV1_0_15,
|
|
33
35
|
CredentialRequestClientV1_0_11: () => CredentialRequestClientV1_0_11,
|
|
34
36
|
LOG: () => LOG2,
|
|
35
37
|
MetadataClient: () => MetadataClient,
|
|
36
38
|
MetadataClientV1_0_11: () => MetadataClientV1_0_11,
|
|
37
39
|
MetadataClientV1_0_13: () => MetadataClientV1_0_13,
|
|
40
|
+
MetadataClientV1_0_15: () => MetadataClientV1_0_15,
|
|
38
41
|
OpenID4VCIClient: () => OpenID4VCIClient,
|
|
39
42
|
OpenID4VCIClientV1_0_11: () => OpenID4VCIClientV1_0_11,
|
|
40
43
|
OpenID4VCIClientV1_0_13: () => OpenID4VCIClientV1_0_13,
|
|
44
|
+
OpenID4VCIClientV1_0_15: () => OpenID4VCIClientV1_0_15,
|
|
41
45
|
ProofOfPossessionBuilder: () => ProofOfPossessionBuilder,
|
|
42
46
|
acquireAuthorizationChallengeAuthCode: () => acquireAuthorizationChallengeAuthCode,
|
|
43
47
|
acquireAuthorizationChallengeAuthCodeUsingRequest: () => acquireAuthorizationChallengeAuthCodeUsingRequest,
|
|
@@ -56,7 +60,7 @@ __export(index_exports, {
|
|
|
56
60
|
sendNotification: () => sendNotification
|
|
57
61
|
});
|
|
58
62
|
module.exports = __toCommonJS(index_exports);
|
|
59
|
-
var
|
|
63
|
+
var import_oid4vci_common30 = require("@sphereon/oid4vci-common");
|
|
60
64
|
|
|
61
65
|
// lib/AccessTokenClient.ts
|
|
62
66
|
var import_oid4vc_common3 = require("@sphereon/oid4vc-common");
|
|
@@ -373,10 +377,10 @@ async function handleCredentialOfferUri(uri) {
|
|
|
373
377
|
const decodedUri = isUriEncoded(credentialOfferUri) ? decodeURIComponent(credentialOfferUri) : credentialOfferUri;
|
|
374
378
|
const response = await (0, import_cross_fetch.fetch)(decodedUri);
|
|
375
379
|
if (!(response && response.status >= 200 && response.status < 400)) {
|
|
376
|
-
return Promise.reject(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`);
|
|
380
|
+
return Promise.reject(Error(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`));
|
|
377
381
|
}
|
|
378
382
|
if (response.headers.get("Content-Type")?.startsWith("application/json") === false) {
|
|
379
|
-
return Promise.reject("the credential offer URI endpoint did not return content type application/json");
|
|
383
|
+
return Promise.reject(Error("the credential offer URI endpoint did not return content type application/json"));
|
|
380
384
|
}
|
|
381
385
|
return {
|
|
382
386
|
credential_offer: (0, import_oid4vci_common7.decodeJsonProperties)(await response.json())
|
|
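Review bot: The Content-Type guard in `handleCredentialOfferUri` does not reject a response that has no Content-Type header, because `response.headers.get("Content-Type")?.startsWith("application/json") === false` becomes `undefined === false` when the header is absent and the body still reaches `response.json()`. Since this commit already touches both rejection paths, the test could be tightened to `if (!response.headers.get("Content-Type")?.startsWith("application/json")) {`. The status check also treats 3xx codes as success. The URL passed to `fetch` is taken from the offer itself, and whether its scheme or host is restricted cannot be seen here because the function starts above the hunk.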
@@ -1500,8 +1504,8 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1500
1504
|
if ("credentials" in credentialOffer.credential_offer) {
|
|
1501
1505
|
throw new Error("CredentialOffer format is wrong.");
|
|
1502
1506
|
}
|
|
1503
|
-
const ver = version ?? (0, import_oid4vci_common13.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common13.OpenId4VCIVersion.
|
|
1504
|
-
const creds = ver === import_oid4vci_common13.OpenId4VCIVersion.
|
|
1507
|
+
const ver = version ?? (0, import_oid4vci_common13.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_15;
|
|
1508
|
+
const creds = ver === import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_15 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
|
|
1505
1509
|
authorizationDetails = creds.flatMap((cred) => {
|
|
1506
1510
|
const locations = [
|
|
1507
1511
|
credentialOffer?.credential_offer.credential_issuer ?? endpointMetadata.issuer
|
|
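Review bot: `creds` is now an empty array for every version other than `VER_1_0_15`, so an offer that `determineSpecVersionFromOffer` classifies as an older draft produces an empty `authorizationDetails` with no error or log line. The removed lines are truncated on this page, so the earlier comparison cannot be confirmed. If older offers are still expected to reach `createAuthorizationRequestUrl`, a range comparison (for instance `ver >= import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_13`, to be checked against `filterSupportedCredentials`) would avoid the silent fallback. Otherwise a comment such as `// pre-15 offers intentionally get no authorization_details` would record the intent. The function starts and ends outside the hunk.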
@@ -1511,7 +1515,7 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1511
1515
|
if (!credential_configuration_id && !cred.format) {
|
|
1512
1516
|
throw Error("format is required in authorization details");
|
|
1513
1517
|
}
|
|
1514
|
-
const vct = cred.format === "
|
|
1518
|
+
const vct = cred.format === "dc+sd-jwt" ? cred.vct : void 0;
|
|
1515
1519
|
const doctype = cred.format === "mso_mdoc" ? cred.doctype : void 0;
|
|
1516
1520
|
let credential_definition = void 0;
|
|
1517
1521
|
if ((0, import_oid4vci_common13.isW3cCredentialSupported)(cred)) {
|
|
@@ -1884,6 +1888,27 @@ async function buildProof(proofInput, opts) {
|
|
|
1884
1888
|
return await proofInput.build();
|
|
1885
1889
|
}
|
|
1886
1890
|
__name(buildProof, "buildProof");
|
|
1891
|
+
function isOpenIdCredentialDetail(ad) {
|
|
1892
|
+
return typeof ad === "object" && ad !== null && ad.type === "openid_credential";
|
|
1893
|
+
}
|
|
1894
|
+
__name(isOpenIdCredentialDetail, "isOpenIdCredentialDetail");
|
|
1895
|
+
function findAuthorizationDetail(authorizationDetails, preferredConfigId) {
|
|
1896
|
+
if (!authorizationDetails) {
|
|
1897
|
+
return void 0;
|
|
1898
|
+
}
|
|
1899
|
+
const openIdCredentialDetails = authorizationDetails.filter(isOpenIdCredentialDetail);
|
|
1900
|
+
if (openIdCredentialDetails.length === 0) {
|
|
1901
|
+
return void 0;
|
|
1902
|
+
}
|
|
1903
|
+
if (preferredConfigId) {
|
|
1904
|
+
const match = openIdCredentialDetails.find((detail) => typeof detail === "object" && detail !== null && detail.credential_configuration_id === preferredConfigId);
|
|
1905
|
+
if (match) {
|
|
1906
|
+
return match;
|
|
1907
|
+
}
|
|
1908
|
+
}
|
|
1909
|
+
return openIdCredentialDetails[0];
|
|
1910
|
+
}
|
|
1911
|
+
__name(findAuthorizationDetail, "findAuthorizationDetail");
|
|
1887
1912
|
var CredentialRequestClient = class {
|
|
1888
1913
|
static {
|
|
1889
1914
|
__name(this, "CredentialRequestClient");
|
|
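Review bot: `findAuthorizationDetail` returns `openIdCredentialDetails[0]` even when a `preferredConfigId` was supplied and nothing matched, so the caller gets the authorization detail of a different credential configuration with no sign that the lookup failed. The array appears to come from the issuer's token response (inferred from the name; its origin is outside the hunk), so I would return the `find` result directly when a preference is given and keep the first-element fallback only when `preferredConfigId` is absent. `authorizationDetails.filter` also assumes an array, and changing the first guard to `if (!Array.isArray(authorizationDetails)) {` avoids a TypeError on a malformed value. The `typeof detail === "object" && detail !== null` test inside `find` repeats what `isOpenIdCredentialDetail` has already established.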
@@ -1923,7 +1948,10 @@ var CredentialRequestClient = class {
|
|
|
1923
1948
|
credentialIdentifier,
|
|
1924
1949
|
subjectIssuance
|
|
1925
1950
|
});
|
|
1926
|
-
|
|
1951
|
+
if (!import_oid4vci_common15.supportedOID4VCICredentialFormat.includes(format)) {
|
|
1952
|
+
return Promise.reject(Error(`Unsupported credential format: ${format}`));
|
|
1953
|
+
}
|
|
1954
|
+
return await this.acquireCredentialsUsingRequestWithoutProof(request, format, opts.createDPoPOpts);
|
|
1927
1955
|
}
|
|
1928
1956
|
async acquireCredentialsUsingProof(opts) {
|
|
1929
1957
|
const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts;
|
|
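Review bot: The two format guards added by this commit disagree. The method that ends in `acquireCredentialsUsingRequestWithoutProof(...)` rejects any `format` not in `supportedOID4VCICredentialFormat` for every version, while `acquireCredentialsUsingProof` in the next hunk applies the same test only when `this.version() <= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13`. The v1.0-15 request body built in `createCredentialRequestImpl` carries only identifiers, so a v15 caller that leaves `format` out would presumably be rejected on the no-proof path with "Unsupported credential format: undefined" and accepted on the proof path. I would use the same condition in both places, or add a comment explaining why the no-proof path is stricter. The enclosing method starts above the hunk.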
@@ -1936,19 +1964,22 @@ var CredentialRequestClient = class {
|
|
|
1936
1964
|
credentialIdentifier,
|
|
1937
1965
|
subjectIssuance
|
|
1938
1966
|
});
|
|
1939
|
-
|
|
1967
|
+
if (this.version() <= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13 && !import_oid4vci_common15.supportedOID4VCICredentialFormat.includes(format)) {
|
|
1968
|
+
return Promise.reject(Error(`Unsupported credential format: ${format}`));
|
|
1969
|
+
}
|
|
1970
|
+
return await this.acquireCredentialsUsingRequest(request, format, opts.createDPoPOpts);
|
|
1940
1971
|
}
|
|
1941
|
-
async acquireCredentialsUsingRequestWithoutProof(uniformRequest, createDPoPOpts) {
|
|
1942
|
-
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
|
|
1972
|
+
async acquireCredentialsUsingRequestWithoutProof(uniformRequest, format, createDPoPOpts) {
|
|
1973
|
+
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
|
|
1943
1974
|
}
|
|
1944
|
-
async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
|
|
1945
|
-
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
|
|
1975
|
+
async acquireCredentialsUsingRequest(uniformRequest, format, createDPoPOpts) {
|
|
1976
|
+
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
|
|
1946
1977
|
}
|
|
1947
|
-
async acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts) {
|
|
1978
|
+
async acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts) {
|
|
1948
1979
|
if (this.version() < import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13) {
|
|
1949
1980
|
throw new Error("Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.");
|
|
1950
1981
|
}
|
|
1951
|
-
const request = (0, import_oid4vci_common15.getCredentialRequestForVersion)(uniformRequest, this.version());
|
|
1982
|
+
const request = (0, import_oid4vci_common15.getCredentialRequestForVersion)(uniformRequest, format, this.version());
|
|
1952
1983
|
const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
|
|
1953
1984
|
if (!(0, import_oid4vci_common15.isValidURL)(credentialEndpoint)) {
|
|
1954
1985
|
logger8.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
|
|
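Review bot: Inserting `format` as the second positional parameter of `acquireCredentialsUsingRequest` and `acquireCredentialsUsingRequestWithoutProof` changes the meaning of existing two-argument calls, because a caller still passing `(uniformRequest, createDPoPOpts)` now supplies the DPoP options as `format` and leaves `createDPoPOpts` undefined. If the implementation treats a missing `createDPoPOpts` as "no DPoP", as the V11 client in this file does with `createDPoPOpts ? await createDPoP(...) : void 0`, the request goes out without a DPoP proof instead of failing. Appending the new parameter after `createDPoPOpts` would keep old calls working. Alternatively a guard at the top of `acquireCredentialsUsingRequestImpl`, `if (format !== undefined && typeof format !== "string") throw new Error("format must be a string");`, would make the mistake visible. The body of `acquireCredentialsUsingRequestImpl` continues past this hunk.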
@@ -2036,27 +2067,64 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2036
2067
|
return await this.createCredentialRequestImpl(opts);
|
|
2037
2068
|
}
|
|
2038
2069
|
async createCredentialRequestImpl(opts) {
|
|
2039
|
-
const { proofInput, credentialIdentifier
|
|
2070
|
+
const { proofInput, credentialIdentifier, credentialConfigurationId } = opts;
|
|
2040
2071
|
let proof = void 0;
|
|
2041
2072
|
if (proofInput) {
|
|
2042
2073
|
proof = await buildProof(proofInput, opts);
|
|
2043
2074
|
}
|
|
2044
|
-
if (
|
|
2045
|
-
|
|
2046
|
-
|
|
2047
|
-
|
|
2048
|
-
|
|
2049
|
-
|
|
2075
|
+
if (this.version() >= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_15) {
|
|
2076
|
+
const authDetail = findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId ?? credentialIdentifier);
|
|
2077
|
+
const issuer_state2 = this.credentialRequestOpts.issuerState;
|
|
2078
|
+
const commonBody = {
|
|
2079
|
+
...issuer_state2 && {
|
|
2080
|
+
issuer_state: issuer_state2
|
|
2081
|
+
},
|
|
2050
2082
|
...proof && {
|
|
2051
2083
|
proof
|
|
2052
|
-
}
|
|
2084
|
+
},
|
|
2085
|
+
...opts.subjectIssuance
|
|
2086
|
+
};
|
|
2087
|
+
const authDetailObj = authDetail && typeof authDetail === "object" ? authDetail : null;
|
|
2088
|
+
if (authDetailObj?.credential_identifier) {
|
|
2089
|
+
return {
|
|
2090
|
+
credential_identifier: authDetailObj.credential_identifier,
|
|
2091
|
+
...commonBody
|
|
2092
|
+
};
|
|
2093
|
+
}
|
|
2094
|
+
if (authDetailObj?.credential_identifiers && authDetailObj.credential_identifiers.length > 0) {
|
|
2095
|
+
return {
|
|
2096
|
+
credential_identifier: authDetailObj.credential_identifiers[0],
|
|
2097
|
+
...commonBody
|
|
2098
|
+
};
|
|
2099
|
+
}
|
|
2100
|
+
const configId2 = credentialConfigurationId ?? authDetailObj?.credential_configuration_id ?? this._credentialRequestOpts.credentialConfigurationId;
|
|
2101
|
+
if (configId2) {
|
|
2102
|
+
return {
|
|
2103
|
+
credential_configuration_id: configId2,
|
|
2104
|
+
...commonBody
|
|
2105
|
+
};
|
|
2106
|
+
}
|
|
2107
|
+
if (credentialIdentifier) {
|
|
2108
|
+
return {
|
|
2109
|
+
credential_identifier: credentialIdentifier,
|
|
2110
|
+
...commonBody
|
|
2111
|
+
};
|
|
2112
|
+
}
|
|
2113
|
+
return Promise.reject(Error("No credential_identifier or credential_configuration_id available for v1.0-15 request"));
|
|
2114
|
+
}
|
|
2115
|
+
if (credentialIdentifier) {
|
|
2116
|
+
const proof_obj = proof ? {
|
|
2117
|
+
proof
|
|
2118
|
+
} : {};
|
|
2119
|
+
return {
|
|
2120
|
+
credential_identifier: credentialIdentifier,
|
|
2121
|
+
...proof_obj
|
|
2053
2122
|
};
|
|
2054
2123
|
}
|
|
2055
2124
|
const formatSelection = opts.format ?? this.credentialRequestOpts.format;
|
|
2056
2125
|
if (!formatSelection) {
|
|
2057
2126
|
throw Error(`Format of credential to be issued is missing`);
|
|
2058
2127
|
}
|
|
2059
|
-
const format = (0, import_oid4vci_common15.getUniformFormat)(formatSelection);
|
|
2060
2128
|
const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
|
|
2061
2129
|
if (!typesSelection) {
|
|
2062
2130
|
throw Error(`Credential type(s) need to be provided`);
|
|
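Review bot: In the v1.0-15 branch of `createCredentialRequestImpl` the caller's own `credentialIdentifier` is consulted last, after `authDetailObj.credential_identifier`, `authDetailObj.credential_identifiers[0]` and the configuration id, so a value from the authorization details overrides what the caller asked for. Because `findAuthorizationDetail` falls back to the first entry when nothing matches, the request can name a credential the caller did not select. I would reject when the chosen detail's `credential_configuration_id` differs from the requested one. Taking `credential_identifiers[0]` also drops any further identifiers without notice, which deserves a comment such as `// only the first identifier is requested; the rest are ignored`. A smaller point is that the `configId2` line reads `this._credentialRequestOpts` while the rest of the method uses `this.credentialRequestOpts`.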
@@ -2068,70 +2136,20 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2068
2136
|
throw Error(`Credential type(s) need to be provided`);
|
|
2069
2137
|
}
|
|
2070
2138
|
const issuer_state = this.credentialRequestOpts.issuerState;
|
|
2071
|
-
|
|
2072
|
-
|
|
2073
|
-
|
|
2074
|
-
|
|
2075
|
-
|
|
2076
|
-
|
|
2077
|
-
|
|
2078
|
-
|
|
2079
|
-
|
|
2080
|
-
|
|
2081
|
-
|
|
2082
|
-
|
|
2083
|
-
|
|
2084
|
-
|
|
2085
|
-
} else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
|
|
2086
|
-
if (this.version() >= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
|
|
2087
|
-
throw Error("No @context value present, but it is required");
|
|
2088
|
-
}
|
|
2089
|
-
return {
|
|
2090
|
-
format,
|
|
2091
|
-
...issuer_state && {
|
|
2092
|
-
issuer_state
|
|
2093
|
-
},
|
|
2094
|
-
...proof && {
|
|
2095
|
-
proof
|
|
2096
|
-
},
|
|
2097
|
-
...opts.subjectIssuance,
|
|
2098
|
-
credential_definition: {
|
|
2099
|
-
type: types,
|
|
2100
|
-
"@context": opts.context
|
|
2101
|
-
}
|
|
2102
|
-
};
|
|
2103
|
-
} else if (format === "vc+sd-jwt") {
|
|
2104
|
-
if (types.length > 1) {
|
|
2105
|
-
throw Error(`Only a single credential type is supported for ${format}`);
|
|
2106
|
-
}
|
|
2107
|
-
return {
|
|
2108
|
-
format,
|
|
2109
|
-
...issuer_state && {
|
|
2110
|
-
issuer_state
|
|
2111
|
-
},
|
|
2112
|
-
...proof && {
|
|
2113
|
-
proof
|
|
2114
|
-
},
|
|
2115
|
-
vct: types[0],
|
|
2116
|
-
...opts.subjectIssuance
|
|
2117
|
-
};
|
|
2118
|
-
} else if (format === "mso_mdoc") {
|
|
2119
|
-
if (types.length > 1) {
|
|
2120
|
-
throw Error(`Only a single credential type is supported for ${format}`);
|
|
2121
|
-
}
|
|
2122
|
-
return {
|
|
2123
|
-
format,
|
|
2124
|
-
...issuer_state && {
|
|
2125
|
-
issuer_state
|
|
2126
|
-
},
|
|
2127
|
-
...proof && {
|
|
2128
|
-
proof
|
|
2129
|
-
},
|
|
2130
|
-
doctype: types[0],
|
|
2131
|
-
...opts.subjectIssuance
|
|
2132
|
-
};
|
|
2133
|
-
}
|
|
2134
|
-
throw new Error(`Unsupported credential format: ${format}`);
|
|
2139
|
+
const baseBody = {
|
|
2140
|
+
...issuer_state && {
|
|
2141
|
+
issuer_state
|
|
2142
|
+
},
|
|
2143
|
+
...proof && {
|
|
2144
|
+
proof
|
|
2145
|
+
},
|
|
2146
|
+
...opts.subjectIssuance
|
|
2147
|
+
};
|
|
2148
|
+
const configId = credentialConfigurationId ?? "default";
|
|
2149
|
+
return {
|
|
2150
|
+
credential_configuration_id: configId,
|
|
2151
|
+
...baseBody
|
|
2152
|
+
};
|
|
2135
2153
|
}
|
|
2136
2154
|
version() {
|
|
2137
2155
|
return this.credentialRequestOpts?.version ?? import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13;
|
|
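Review bot: The fallback `const configId = credentialConfigurationId ?? "default";` sends a made-up `credential_configuration_id` to the issuer when the caller supplied none, whereas the v1.0-15 branch of the same method rejects in that situation. The format and credential-type checks above are still enforced, yet neither value appears in the returned body any more, so a caller may believe it constrained the request when, as far as this hunk shows, it did not. I would fail instead, for example `if (!credentialConfigurationId) throw Error("credential_configuration_id is required");`, or add a comment saying which issuer metadata defines `"default"`. The method starts in the previous hunk.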
@@ -2445,11 +2463,101 @@ var CredentialOfferClientV1_0_13 = class {
|
|
|
2445
2463
|
}
|
|
2446
2464
|
};
|
|
2447
2465
|
|
|
2448
|
-
// lib/
|
|
2449
|
-
var import_oid4vc_common6 = require("@sphereon/oid4vc-common");
|
|
2466
|
+
// lib/CredentialOfferClientV1_0_15.ts
|
|
2450
2467
|
var import_oid4vci_common19 = require("@sphereon/oid4vci-common");
|
|
2451
2468
|
var import_ssi_types13 = require("@sphereon/ssi-types");
|
|
2452
|
-
var logger11 = import_ssi_types13.Loggers.DEFAULT.get("sphereon:oid4vci:
|
|
2469
|
+
var logger11 = import_ssi_types13.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
|
|
2470
|
+
var CredentialOfferClientV1_0_15 = class {
|
|
2471
|
+
static {
|
|
2472
|
+
__name(this, "CredentialOfferClientV1_0_15");
|
|
2473
|
+
}
|
|
2474
|
+
static async fromURI(uri, opts) {
|
|
2475
|
+
logger11.debug(`Credential Offer URI: ${uri}`);
|
|
2476
|
+
if (!uri.includes("?") || !uri.includes("://")) {
|
|
2477
|
+
logger11.debug(`Invalid Credential Offer URI: ${uri}`);
|
|
2478
|
+
throw Error(`Invalid Credential Offer Request`);
|
|
2479
|
+
}
|
|
2480
|
+
const scheme = uri.split("://")[0];
|
|
2481
|
+
const baseUrl = uri.split("?")[0];
|
|
2482
|
+
const version = (0, import_oid4vci_common19.determineSpecVersionFromURI)(uri);
|
|
2483
|
+
let credentialOffer;
|
|
2484
|
+
if (uri.includes("credential_offer_uri")) {
|
|
2485
|
+
credentialOffer = await handleCredentialOfferUri(uri);
|
|
2486
|
+
} else {
|
|
2487
|
+
credentialOffer = (0, import_oid4vci_common19.convertURIToJsonObject)(uri, {
|
|
2488
|
+
// It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
|
|
2489
|
+
arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
|
|
2490
|
+
"credential_configuration_ids",
|
|
2491
|
+
"credential_offer_uri="
|
|
2492
|
+
] : [
|
|
2493
|
+
"credential_configuration_ids",
|
|
2494
|
+
"credential_offer="
|
|
2495
|
+
],
|
|
2496
|
+
requiredProperties: uri.includes("credential_offer_uri=") ? [
|
|
2497
|
+
"credential_offer_uri="
|
|
2498
|
+
] : [
|
|
2499
|
+
"credential_offer="
|
|
2500
|
+
]
|
|
2501
|
+
});
|
|
2502
|
+
}
|
|
2503
|
+
if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
|
|
2504
|
+
throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
|
|
2505
|
+
}
|
|
2506
|
+
const request = await (0, import_oid4vci_common19.toUniformCredentialOfferRequest)(credentialOffer, {
|
|
2507
|
+
...opts,
|
|
2508
|
+
version
|
|
2509
|
+
});
|
|
2510
|
+
return {
|
|
2511
|
+
...constructBaseResponse(request, scheme, baseUrl),
|
|
2512
|
+
userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common19.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false)
|
|
2513
|
+
};
|
|
2514
|
+
}
|
|
2515
|
+
static toURI(requestWithBaseUrl, opts) {
|
|
2516
|
+
logger11.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
|
|
2517
|
+
const version = opts?.version ?? requestWithBaseUrl.version;
|
|
2518
|
+
let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
|
|
2519
|
+
let param;
|
|
2520
|
+
const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
|
|
2521
|
+
if (version.valueOf() >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
|
|
2522
|
+
if (!baseUrl.includes("?")) {
|
|
2523
|
+
param = isUri ? "credential_offer_uri" : "credential_offer";
|
|
2524
|
+
} else {
|
|
2525
|
+
const split = baseUrl.split("?");
|
|
2526
|
+
if (split.length > 1 && split[1] !== "") {
|
|
2527
|
+
if (baseUrl.endsWith("&")) {
|
|
2528
|
+
param = isUri ? "credential_offer_uri" : "credential_offer";
|
|
2529
|
+
} else if (!baseUrl.endsWith("=")) {
|
|
2530
|
+
baseUrl += `&`;
|
|
2531
|
+
param = isUri ? "credential_offer_uri" : "credential_offer";
|
|
2532
|
+
}
|
|
2533
|
+
}
|
|
2534
|
+
}
|
|
2535
|
+
}
|
|
2536
|
+
return (0, import_oid4vci_common19.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
|
|
2537
|
+
baseUrl,
|
|
2538
|
+
arrayTypeProperties: isUri ? [] : [
|
|
2539
|
+
"credential_type"
|
|
2540
|
+
],
|
|
2541
|
+
uriTypeProperties: isUri ? [
|
|
2542
|
+
"credential_offer_uri"
|
|
2543
|
+
] : version >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_15 ? [
|
|
2544
|
+
"credential_issuer",
|
|
2545
|
+
"credential_type"
|
|
2546
|
+
] : [
|
|
2547
|
+
"issuer",
|
|
2548
|
+
"credential_type"
|
|
2549
|
+
],
|
|
2550
|
+
param,
|
|
2551
|
+
version
|
|
2552
|
+
});
|
|
2553
|
+
}
|
|
2554
|
+
};
|
|
2555
|
+
|
|
2556
|
+
// lib/CredentialRequestClientV1_0_11.ts
|
|
2557
|
+
var import_oid4vc_common6 = require("@sphereon/oid4vc-common");
|
|
2558
|
+
var import_oid4vci_common20 = require("@sphereon/oid4vci-common");
|
|
2559
|
+
var import_ssi_types14 = require("@sphereon/ssi-types");
|
|
2560
|
+
var logger12 = import_ssi_types14.Loggers.DEFAULT.get("sphereon:oid4vci:credential");
|
|
2453
2561
|
var CredentialRequestClientV1_0_11 = class {
|
|
2454
2562
|
static {
|
|
2455
2563
|
__name(this, "CredentialRequestClientV1_0_11");
|
|
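Review bot: `CredentialOfferClientV1_0_15.fromURI` chooses between fetching and inline parsing with `uri.includes("credential_offer_uri")`, a substring test over the whole URI. An inline `credential_offer` whose value merely contains that text is therefore routed to `handleCredentialOfferUri`, which performs a network fetch. Deciding on the parsed query instead, for example `new URL(uri).searchParams.has("credential_offer_uri")`, ties the decision to the actual parameter name. As written, the `uri.includes("credential_offer_uri=")` ternaries inside the `else` branch can never be true, so their `"credential_offer_uri="` arms are dead code. `scheme` and `baseUrl` are likewise derived with `split` rather than a URL parser.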
@@ -2485,20 +2593,24 @@ var CredentialRequestClientV1_0_11 = class {
|
|
|
2485
2593
|
return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
|
|
2486
2594
|
}
|
|
2487
2595
|
async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
|
|
2488
|
-
const
|
|
2596
|
+
const uniformRequestV11 = uniformRequest;
|
|
2597
|
+
if (!uniformRequestV11.format) {
|
|
2598
|
+
return Promise.reject(Error("format is missing from the (legacy v11) credential request"));
|
|
2599
|
+
}
|
|
2600
|
+
const request = (0, import_oid4vci_common20.getCredentialRequestForVersion)(uniformRequest, uniformRequestV11.format, this.version());
|
|
2489
2601
|
const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
|
|
2490
|
-
if (!(0,
|
|
2491
|
-
|
|
2492
|
-
throw new Error(
|
|
2602
|
+
if (!(0, import_oid4vci_common20.isValidURL)(credentialEndpoint)) {
|
|
2603
|
+
logger12.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
|
|
2604
|
+
throw new Error(import_oid4vci_common20.URL_NOT_VALID);
|
|
2493
2605
|
}
|
|
2494
|
-
|
|
2495
|
-
|
|
2606
|
+
logger12.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
|
|
2607
|
+
logger12.debug(`request
|
|
2496
2608
|
: ${JSON.stringify(request, null, 2)}`);
|
|
2497
2609
|
const requestToken = this.credentialRequestOpts.token;
|
|
2498
2610
|
let dPoP = createDPoPOpts ? await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
|
|
2499
2611
|
accessToken: requestToken
|
|
2500
2612
|
})) : void 0;
|
|
2501
|
-
let response = await (0,
|
|
2613
|
+
let response = await (0, import_oid4vci_common20.post)(credentialEndpoint, JSON.stringify(request), {
|
|
2502
2614
|
bearerToken: requestToken,
|
|
2503
2615
|
customHeaders: {
|
|
2504
2616
|
...createDPoPOpts && {
|
|
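Review bot: The debug statements added to `acquireCredentialsUsingRequest` serialize the whole credential request with `JSON.stringify(request, null, 2)`, and the V11 request body built further down in this class includes `proof`. The later hunk around `response.access_token = requestToken;` then logs the full response immediately after that assignment, so the bearer token and the issued credential reach the log as well. Debug output is often shipped to shared log stores, so I would log only non-secret fields such as the endpoint and status, or redact `proof`, `access_token` and the credential before stringifying. The same concern applies to the "Credential Offer URI" debug lines in `CredentialOfferClientV1_0_15.fromURI`, since that method reads a pre-authorized-code grant from the offer. The method continues past this hunk.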
@@ -2513,7 +2625,7 @@ var CredentialRequestClientV1_0_11 = class {
|
|
|
2513
2625
|
dPoP = await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
|
|
2514
2626
|
accessToken: requestToken
|
|
2515
2627
|
}));
|
|
2516
|
-
response = await (0,
|
|
2628
|
+
response = await (0, import_oid4vci_common20.post)(credentialEndpoint, JSON.stringify(request), {
|
|
2517
2629
|
bearerToken: requestToken,
|
|
2518
2630
|
customHeaders: {
|
|
2519
2631
|
...createDPoPOpts && {
|
|
@@ -2524,14 +2636,14 @@ var CredentialRequestClientV1_0_11 = class {
|
|
|
2524
2636
|
const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
|
|
2525
2637
|
nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
|
|
2526
2638
|
}
|
|
2527
|
-
this._isDeferred = (0,
|
|
2639
|
+
this._isDeferred = (0, import_oid4vci_common20.isDeferredCredentialResponse)(response);
|
|
2528
2640
|
if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
|
|
2529
2641
|
response = await this.acquireDeferredCredential(response.successBody, {
|
|
2530
2642
|
bearerToken: this.credentialRequestOpts.token
|
|
2531
2643
|
});
|
|
2532
2644
|
}
|
|
2533
2645
|
response.access_token = requestToken;
|
|
2534
|
-
|
|
2646
|
+
logger12.debug(`Credential endpoint ${credentialEndpoint} response:\r
|
|
2535
2647
|
${JSON.stringify(response, null, 2)}`);
|
|
2536
2648
|
return {
|
|
2537
2649
|
...response,
|
|
@@ -2553,7 +2665,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2553
2665
|
} else if (!bearerToken) {
|
|
2554
2666
|
throw Error(`No bearer token present and refresh for defered endpoint not supported yet`);
|
|
2555
2667
|
}
|
|
2556
|
-
return await (0,
|
|
2668
|
+
return await (0, import_oid4vci_common20.acquireDeferredCredential)({
|
|
2557
2669
|
bearerToken,
|
|
2558
2670
|
transactionId,
|
|
2559
2671
|
deferredCredentialEndpoint,
|
|
@@ -2567,7 +2679,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2567
2679
|
if (!formatSelection) {
|
|
2568
2680
|
throw Error(`Format of credential to be issued is missing`);
|
|
2569
2681
|
}
|
|
2570
|
-
const format = (0,
|
|
2682
|
+
const format = (0, import_oid4vci_common20.getUniformFormat)(formatSelection);
|
|
2571
2683
|
const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
|
|
2572
2684
|
const types = Array.isArray(typesSelection) ? typesSelection : [
|
|
2573
2685
|
typesSelection
|
|
@@ -2585,7 +2697,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2585
2697
|
proof
|
|
2586
2698
|
};
|
|
2587
2699
|
} else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
|
|
2588
|
-
if (this.version() >=
|
|
2700
|
+
if (this.version() >= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
|
|
2589
2701
|
throw Error("No @context value present, but it is required");
|
|
2590
2702
|
}
|
|
2591
2703
|
return {
|
|
@@ -2623,18 +2735,18 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2623
2735
|
throw new Error(`Unsupported format: ${format}`);
|
|
2624
2736
|
}
|
|
2625
2737
|
version() {
|
|
2626
|
-
return this.credentialRequestOpts?.version ??
|
|
2738
|
+
return this.credentialRequestOpts?.version ?? import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11;
|
|
2627
2739
|
}
|
|
2628
2740
|
isV11OrHigher() {
|
|
2629
|
-
return this.version() >=
|
|
2741
|
+
return this.version() >= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11;
|
|
2630
2742
|
}
|
|
2631
2743
|
};
|
|
2632
2744
|
|
|
2633
2745
|
// lib/CredentialRequestClientBuilder.ts
|
|
2634
|
-
var
|
|
2746
|
+
var import_oid4vci_common24 = require("@sphereon/oid4vci-common");
|
|
2635
2747
|
|
|
2636
2748
|
// lib/CredentialRequestClientBuilderV1_0_11.ts
|
|
2637
|
-
var
|
|
2749
|
+
var import_oid4vci_common21 = require("@sphereon/oid4vci-common");
|
|
2638
2750
|
var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilderV1_0_11 {
|
|
2639
2751
|
static {
|
|
2640
2752
|
__name(this, "CredentialRequestClientBuilderV1_0_11");
|
|
@@ -2652,7 +2764,7 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
|
|
|
2652
2764
|
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialTypes }) {
|
|
2653
2765
|
const issuer = credentialIssuer;
|
|
2654
2766
|
const builder = new _CredentialRequestClientBuilderV1_0_11();
|
|
2655
|
-
builder.withVersion(version ??
|
|
2767
|
+
builder.withVersion(version ?? import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11);
|
|
2656
2768
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2657
2769
|
if (metadata?.deferred_credential_endpoint) {
|
|
2658
2770
|
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
@@ -2671,18 +2783,18 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
|
|
|
2671
2783
|
}
|
|
2672
2784
|
static fromCredentialOfferRequest(opts) {
|
|
2673
2785
|
const { request, metadata } = opts;
|
|
2674
|
-
const version = opts.version ?? request.version ?? (0,
|
|
2786
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common21.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
2675
2787
|
const builder = new _CredentialRequestClientBuilderV1_0_11();
|
|
2676
|
-
const issuer = (0,
|
|
2788
|
+
const issuer = (0, import_oid4vci_common21.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
|
|
2677
2789
|
builder.withVersion(version);
|
|
2678
2790
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2679
2791
|
if (metadata?.deferred_credential_endpoint) {
|
|
2680
2792
|
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
2681
2793
|
}
|
|
2682
|
-
if (version <=
|
|
2794
|
+
if (version <= import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_08) {
|
|
2683
2795
|
builder.withCredentialType(request.original_credential_offer.credential_type);
|
|
2684
|
-
} else if (version <=
|
|
2685
|
-
builder.withCredentialType((0,
|
|
2796
|
+
} else if (version <= import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11) {
|
|
2797
|
+
builder.withCredentialType((0, import_oid4vci_common21.getTypesFromOfferV1_0_11)(request.credential_offer));
|
|
2686
2798
|
}
|
|
2687
2799
|
return builder;
|
|
2688
2800
|
}
|
|
@@ -2746,14 +2858,14 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
|
|
|
2746
2858
|
}
|
|
2747
2859
|
build() {
|
|
2748
2860
|
if (!this.version) {
|
|
2749
|
-
this.withVersion(
|
|
2861
|
+
this.withVersion(import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11);
|
|
2750
2862
|
}
|
|
2751
2863
|
return new CredentialRequestClientV1_0_11(this);
|
|
2752
2864
|
}
|
|
2753
2865
|
};
|
|
2754
2866
|
|
|
2755
2867
|
// lib/CredentialRequestClientBuilderV1_0_13.ts
|
|
2756
|
-
var
|
|
2868
|
+
var import_oid4vci_common22 = require("@sphereon/oid4vci-common");
|
|
2757
2869
|
var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilderV1_0_13 {
|
|
2758
2870
|
static {
|
|
2759
2871
|
__name(this, "CredentialRequestClientBuilderV1_0_13");
|
|
@@ -2772,7 +2884,7 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
|
|
|
2772
2884
|
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
|
|
2773
2885
|
const issuer = credentialIssuer;
|
|
2774
2886
|
const builder = new _CredentialRequestClientBuilderV1_0_13();
|
|
2775
|
-
builder.withVersion(version ??
|
|
2887
|
+
builder.withVersion(version ?? import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13);
|
|
2776
2888
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2777
2889
|
if (metadata?.deferred_credential_endpoint) {
|
|
2778
2890
|
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
@@ -2796,12 +2908,12 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
|
|
|
2796
2908
|
}
|
|
2797
2909
|
static fromCredentialOfferRequest(opts) {
|
|
2798
2910
|
const { request, metadata } = opts;
|
|
2799
|
-
const version = opts.version ?? request.version ?? (0,
|
|
2800
|
-
if (version <
|
|
2911
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common22.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
2912
|
+
if (version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
|
|
2801
2913
|
throw new Error("Versions below v1.0.13 (draft 13) are not supported.");
|
|
2802
2914
|
}
|
|
2803
2915
|
const builder = new _CredentialRequestClientBuilderV1_0_13();
|
|
2804
|
-
const issuer = (0,
|
|
2916
|
+
const issuer = (0, import_oid4vci_common22.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
|
|
2805
2917
|
builder.withVersion(version);
|
|
2806
2918
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2807
2919
|
if (metadata?.deferred_credential_endpoint) {
|
|
@@ -2878,52 +2990,56 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
|
|
|
2878
2990
|
}
|
|
2879
2991
|
build() {
|
|
2880
2992
|
if (!this.version) {
|
|
2881
|
-
this.withVersion(
|
|
2993
|
+
this.withVersion(import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_11);
|
|
2882
2994
|
}
|
|
2883
2995
|
return new CredentialRequestClient(this);
|
|
2884
2996
|
}
|
|
2885
2997
|
};
|
|
2886
2998
|
|
|
2887
|
-
// lib/
|
|
2888
|
-
|
|
2889
|
-
|
|
2890
|
-
}
|
|
2891
|
-
__name(isV1_0_13, "isV1_0_13");
|
|
2892
|
-
var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
2999
|
+
// lib/CredentialRequestClientBuilderV1_0_15.ts
|
|
3000
|
+
var import_oid4vci_common23 = require("@sphereon/oid4vci-common");
|
|
3001
|
+
var CredentialRequestClientBuilderV1_0_15 = class _CredentialRequestClientBuilderV1_0_15 {
|
|
2893
3002
|
static {
|
|
2894
|
-
__name(this, "
|
|
2895
|
-
}
|
|
2896
|
-
_builder;
|
|
2897
|
-
constructor(builder) {
|
|
2898
|
-
this._builder = builder;
|
|
3003
|
+
__name(this, "CredentialRequestClientBuilderV1_0_15");
|
|
2899
3004
|
}
|
|
2900
|
-
|
|
2901
|
-
|
|
2902
|
-
|
|
2903
|
-
|
|
2904
|
-
|
|
2905
|
-
|
|
2906
|
-
|
|
2907
|
-
|
|
2908
|
-
|
|
2909
|
-
|
|
2910
|
-
|
|
2911
|
-
|
|
2912
|
-
|
|
2913
|
-
|
|
2914
|
-
|
|
2915
|
-
|
|
2916
|
-
|
|
2917
|
-
|
|
2918
|
-
|
|
2919
|
-
|
|
2920
|
-
});
|
|
3005
|
+
credentialEndpoint;
|
|
3006
|
+
deferredCredentialEndpoint;
|
|
3007
|
+
nonceEndpoint;
|
|
3008
|
+
deferredCredentialAwait = false;
|
|
3009
|
+
deferredCredentialIntervalInMS = 5e3;
|
|
3010
|
+
credentialIdentifier;
|
|
3011
|
+
credentialConfigurationId;
|
|
3012
|
+
credentialTypes = [];
|
|
3013
|
+
token;
|
|
3014
|
+
version;
|
|
3015
|
+
subjectIssuance;
|
|
3016
|
+
issuerState;
|
|
3017
|
+
// Note: format removed from v15 - credential requests no longer include format parameter
|
|
3018
|
+
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialConfigurationId, credentialTypes }) {
|
|
3019
|
+
const issuer = credentialIssuer;
|
|
3020
|
+
const builder = new _CredentialRequestClientBuilderV1_0_15();
|
|
3021
|
+
builder.withVersion(version ?? import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_15);
|
|
3022
|
+
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
3023
|
+
if (metadata?.deferred_credential_endpoint) {
|
|
3024
|
+
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
2921
3025
|
}
|
|
2922
|
-
|
|
3026
|
+
if (metadata?.nonce_endpoint) {
|
|
3027
|
+
builder.withNonceEndpoint(metadata.nonce_endpoint);
|
|
3028
|
+
}
|
|
3029
|
+
if (credentialIdentifier) {
|
|
3030
|
+
builder.withCredentialIdentifier(credentialIdentifier);
|
|
3031
|
+
}
|
|
3032
|
+
if (credentialConfigurationId) {
|
|
3033
|
+
builder.withCredentialConfigurationId(credentialConfigurationId);
|
|
3034
|
+
}
|
|
3035
|
+
if (credentialTypes) {
|
|
3036
|
+
builder.withCredentialType(credentialTypes);
|
|
3037
|
+
}
|
|
3038
|
+
return builder;
|
|
2923
3039
|
}
|
|
2924
3040
|
static async fromURI({ uri, metadata }) {
|
|
2925
3041
|
const offer = await CredentialOfferClient.fromURI(uri);
|
|
2926
|
-
return
|
|
3042
|
+
return _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
|
|
2927
3043
|
request: offer,
|
|
2928
3044
|
...offer,
|
|
2929
3045
|
metadata,
|
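Review bot: `CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer` copies `metadata.credential_endpoint`, `metadata.deferred_credential_endpoint` and `metadata.nonce_endpoint` into the builder without checking that they are well-formed `https:` URLs. The builder also holds the access token (`token`), and the client later built from it presumably sends that token to these endpoints, although that code is not on this page. A metadata document naming a plain-`http` or malformed endpoint should therefore be rejected here rather than stored. A guard before each `with…Endpoint` call would do it, for example `if (new URL(endpoint).protocol !== "https:") throw new Error("issuer metadata endpoint must use https");`, with any loopback exception for tests made explicit. The same check belongs on the fallback URL derived from `credentialIssuer`; the class body continues in the next hunk.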
|
@@ -2931,25 +3047,189 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2931
3047
|
});
|
|
2932
3048
|
}
|
|
2933
3049
|
static fromCredentialOfferRequest(opts) {
|
|
2934
|
-
const { request } = opts;
|
|
2935
|
-
const version = opts.version ?? request.version ?? (0,
|
|
2936
|
-
|
|
2937
|
-
|
|
2938
|
-
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
|
|
2939
|
-
} else {
|
|
2940
|
-
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
|
|
3050
|
+
const { request, metadata } = opts;
|
|
3051
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common23.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
3052
|
+
if (version < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_15) {
|
|
3053
|
+
throw new Error("Versions below v1.0.15 (draft 15) are not supported.");
|
|
2941
3054
|
}
|
|
2942
|
-
|
|
2943
|
-
|
|
2944
|
-
|
|
2945
|
-
|
|
2946
|
-
|
|
2947
|
-
|
|
2948
|
-
|
|
2949
|
-
|
|
2950
|
-
|
|
2951
|
-
|
|
2952
|
-
|
|
3055
|
+
const builder = new _CredentialRequestClientBuilderV1_0_15();
|
|
3056
|
+
const issuer = (0, import_oid4vci_common23.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
|
|
3057
|
+
builder.withVersion(version);
|
|
3058
|
+
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
3059
|
+
if (metadata?.deferred_credential_endpoint) {
|
|
3060
|
+
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
3061
|
+
}
|
|
3062
|
+
if (metadata?.nonce_endpoint) {
|
|
3063
|
+
builder.withNonceEndpoint(metadata.nonce_endpoint);
|
|
3064
|
+
}
|
|
3065
|
+
const ids = request.credential_offer.credential_configuration_ids;
|
|
3066
|
+
if (ids.length && ids.length === 1) {
|
|
3067
|
+
builder.withCredentialConfigurationId(ids[0]);
|
|
3068
|
+
}
|
|
3069
|
+
return builder;
|
|
3070
|
+
}
|
|
3071
|
+
static fromCredentialOffer({ credentialOffer, metadata }) {
|
|
3072
|
+
const builder = _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
|
|
3073
|
+
request: credentialOffer,
|
|
3074
|
+
metadata,
|
|
3075
|
+
version: credentialOffer.version
|
|
3076
|
+
});
|
|
3077
|
+
return builder;
|
|
3078
|
+
}
|
|
3079
|
+
withCredentialEndpointFromMetadata(metadata) {
|
|
3080
|
+
this.credentialEndpoint = metadata.credential_endpoint;
|
|
3081
|
+
return this;
|
|
3082
|
+
}
|
|
3083
|
+
withCredentialEndpoint(credentialEndpoint) {
|
|
3084
|
+
this.credentialEndpoint = credentialEndpoint;
|
|
3085
|
+
return this;
|
|
3086
|
+
}
|
|
3087
|
+
withIssuerState(issuerState) {
|
|
3088
|
+
this.issuerState = issuerState;
|
|
3089
|
+
return this;
|
|
3090
|
+
}
|
|
3091
|
+
withDeferredCredentialEndpointFromMetadata(metadata) {
|
|
3092
|
+
this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
|
|
3093
|
+
return this;
|
|
3094
|
+
}
|
|
3095
|
+
withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
|
|
3096
|
+
this.deferredCredentialEndpoint = deferredCredentialEndpoint;
|
|
3097
|
+
return this;
|
|
3098
|
+
}
|
|
3099
|
+
// New in v15: Support for nonce endpoint
|
|
3100
|
+
withNonceEndpointFromMetadata(metadata) {
|
|
3101
|
+
this.nonceEndpoint = metadata.nonce_endpoint;
|
|
3102
|
+
return this;
|
|
3103
|
+
}
|
|
3104
|
+
withNonceEndpoint(nonceEndpoint) {
|
|
3105
|
+
this.nonceEndpoint = nonceEndpoint;
|
|
3106
|
+
return this;
|
|
3107
|
+
}
|
|
3108
|
+
withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
|
|
3109
|
+
this.deferredCredentialAwait = deferredCredentialAwait;
|
|
3110
|
+
this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
|
|
3111
|
+
return this;
|
|
3112
|
+
}
|
|
3113
|
+
// New in v15: Support for credential_identifier (used when authorization_details with credential_identifiers was used)
|
|
3114
|
+
withCredentialIdentifier(credentialIdentifier) {
|
|
3115
|
+
this.credentialIdentifier = credentialIdentifier;
|
|
3116
|
+
return this;
|
|
3117
|
+
}
|
|
3118
|
+
// New in v15: Support for credential_configuration_id (used when scope was used and no credential_identifiers returned)
|
|
3119
|
+
withCredentialConfigurationId(credentialConfigurationId) {
|
|
3120
|
+
this.credentialConfigurationId = credentialConfigurationId;
|
|
3121
|
+
return this;
|
|
3122
|
+
}
|
|
3123
|
+
// Legacy support for credential types (may be used internally to map to configuration IDs)
|
|
3124
|
+
withCredentialType(credentialTypes) {
|
|
3125
|
+
this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
|
|
3126
|
+
credentialTypes
|
|
3127
|
+
];
|
|
3128
|
+
return this;
|
|
3129
|
+
}
|
|
3130
|
+
// Note: withFormat() method removed in v15 - format is no longer part of credential requests
|
|
3131
|
+
withSubjectIssuance(subjectIssuance) {
|
|
3132
|
+
this.subjectIssuance = subjectIssuance;
|
|
3133
|
+
return this;
|
|
3134
|
+
}
|
|
3135
|
+
withToken(accessToken) {
|
|
3136
|
+
this.token = accessToken;
|
|
3137
|
+
return this;
|
|
3138
|
+
}
|
|
3139
|
+
withTokenFromResponse(response) {
|
|
3140
|
+
this.token = response.access_token;
|
|
3141
|
+
return this;
|
|
3142
|
+
}
|
|
3143
|
+
withVersion(version) {
|
|
3144
|
+
this.version = version;
|
|
3145
|
+
return this;
|
|
3146
|
+
}
|
|
3147
|
+
build() {
|
|
3148
|
+
if (!this.version) {
|
|
3149
|
+
this.withVersion(import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_15);
|
|
3150
|
+
}
|
|
3151
|
+
return new CredentialRequestClient(this);
|
|
3152
|
+
}
|
|
3153
|
+
};
|
|
3154
|
+
|
|
3155
|
+
// lib/CredentialRequestClientBuilder.ts
|
|
3156
|
+
function isV1_0_13(builder) {
|
|
3157
|
+
return builder.withCredentialIdentifier !== void 0;
|
|
3158
|
+
}
|
|
3159
|
+
__name(isV1_0_13, "isV1_0_13");
|
|
3160
|
+
function isV1_0_15(builder) {
|
|
3161
|
+
return builder.withCredentialIdentifier !== void 0;
|
|
3162
|
+
}
|
|
3163
|
+
__name(isV1_0_15, "isV1_0_15");
|
|
3164
|
+
var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
3165
|
+
static {
|
|
3166
|
+
__name(this, "CredentialRequestClientBuilder");
|
|
3167
|
+
}
|
|
3168
|
+
_builder;
|
|
3169
|
+
constructor(builder) {
|
|
3170
|
+
this._builder = builder;
|
|
3171
|
+
}
|
|
3172
|
+
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
|
|
3173
|
+
const specVersion = version ?? import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_15;
|
|
3174
|
+
let builder;
|
|
3175
|
+
if (specVersion >= import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_15) {
|
|
3176
|
+
builder = CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
3177
|
+
credentialIssuer,
|
|
3178
|
+
metadata,
|
|
3179
|
+
version,
|
|
3180
|
+
credentialIdentifier,
|
|
3181
|
+
credentialTypes
|
|
3182
|
+
});
|
|
3183
|
+
} else if (specVersion >= import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
3184
|
+
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
|
|
3185
|
+
credentialIssuer,
|
|
3186
|
+
metadata,
|
|
3187
|
+
version,
|
|
3188
|
+
credentialIdentifier,
|
|
3189
|
+
credentialTypes
|
|
3190
|
+
});
|
|
3191
|
+
} else {
|
|
3192
|
+
if (!credentialTypes || credentialTypes.length === 0) {
|
|
3193
|
+
throw new Error("CredentialTypes must be provided for v1_0_11");
|
|
3194
|
+
}
|
|
3195
|
+
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
|
|
3196
|
+
credentialIssuer,
|
|
3197
|
+
metadata,
|
|
3198
|
+
version,
|
|
3199
|
+
credentialTypes
|
|
3200
|
+
});
|
|
3201
|
+
}
|
|
3202
|
+
return new _CredentialRequestClientBuilder(builder);
|
|
3203
|
+
}
|
|
3204
|
+
static async fromURI({ uri, metadata }) {
|
|
3205
|
+
const offer = await CredentialOfferClient.fromURI(uri);
|
|
3206
|
+
return _CredentialRequestClientBuilder.fromCredentialOfferRequest({
|
|
3207
|
+
request: offer,
|
|
3208
|
+
...offer,
|
|
3209
|
+
metadata,
|
|
3210
|
+
version: offer.version
|
|
3211
|
+
});
|
|
3212
|
+
}
|
|
3213
|
+
static fromCredentialOfferRequest(opts) {
|
|
3214
|
+
const { request } = opts;
|
|
3215
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common24.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
3216
|
+
let builder;
|
|
3217
|
+
if (version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
3218
|
+
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
|
|
3219
|
+
} else {
|
|
3220
|
+
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
|
|
3221
|
+
}
|
|
3222
|
+
return new _CredentialRequestClientBuilder(builder);
|
|
3223
|
+
}
|
|
3224
|
+
static fromCredentialOffer({ credentialOffer, metadata }) {
|
|
3225
|
+
const version = (0, import_oid4vci_common24.determineSpecVersionFromOffer)(credentialOffer.credential_offer);
|
|
3226
|
+
let builder;
|
|
3227
|
+
if (version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
3228
|
+
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
|
|
3229
|
+
credentialOffer,
|
|
3230
|
+
metadata
|
|
3231
|
+
});
|
|
3232
|
+
} else {
|
|
2953
3233
|
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
|
|
2954
3234
|
credentialOffer,
|
|
2955
3235
|
metadata
|
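Review bot: The facade's `fromCredentialOfferRequest`, and the `fromCredentialOffer` that starts at the end of this hunk and continues outside it, still choose only between the V1_0_11 and V1_0_13 builders, so an offer whose version resolves to `VER_1_0_15` is handled by the draft-13 builder and never reaches the `nonce_endpoint` handling that `CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest` adds. `fromCredentialIssuer` in the same class already branches three ways, and the offer paths should match it, e.g. `if (version >= import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_15) { builder = CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest(opts); } else if (version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {`. Related: `isV1_0_15` has the same body as `isV1_0_13` (`builder.withCredentialIdentifier !== void 0`), so it cannot tell the two builders apart. Testing a member the page marks as new in v15, such as `builder.withNonceEndpoint !== void 0`, would separate them. The two hunks that follow use this guard in `withCredentialEndpointFromMetadata` and `withDeferredCredentialEndpointFromMetadata`, where every branch currently makes the same call.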
|
@@ -2961,7 +3241,9 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2961
3241
|
return this._builder.version;
|
|
2962
3242
|
}
|
|
2963
3243
|
withCredentialEndpointFromMetadata(metadata) {
|
|
2964
|
-
if (
|
|
3244
|
+
if (isV1_0_15(this._builder)) {
|
|
3245
|
+
this._builder.withCredentialEndpointFromMetadata(metadata);
|
|
3246
|
+
} else if (isV1_0_13(this._builder)) {
|
|
2965
3247
|
this._builder.withCredentialEndpointFromMetadata(metadata);
|
|
2966
3248
|
} else {
|
|
2967
3249
|
this._builder.withCredentialEndpointFromMetadata(metadata);
|
|
@@ -2973,7 +3255,9 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2973
3255
|
return this;
|
|
2974
3256
|
}
|
|
2975
3257
|
withDeferredCredentialEndpointFromMetadata(metadata) {
|
|
2976
|
-
if (
|
|
3258
|
+
if (isV1_0_15(this._builder)) {
|
|
3259
|
+
this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
|
|
3260
|
+
} else if (isV1_0_13(this._builder)) {
|
|
2977
3261
|
this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
|
|
2978
3262
|
} else {
|
|
2979
3263
|
this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
|
|
@@ -2989,57 +3273,789 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2989
3273
|
return this;
|
|
2990
3274
|
}
|
|
2991
3275
|
withCredentialIdentifier(credentialIdentifier) {
|
|
2992
|
-
if (this._builder.version === void 0 || this._builder.version <
|
|
3276
|
+
if (this._builder.version === void 0 || this._builder.version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
2993
3277
|
throw new Error("Version of spec should be equal or higher than v1_0_13");
|
|
2994
3278
|
}
|
|
2995
3279
|
;
|
|
2996
3280
|
this._builder.withCredentialIdentifier(credentialIdentifier);
|
|
2997
3281
|
return this;
|
|
2998
3282
|
}
|
|
2999
|
-
withIssuerState(issuerState) {
|
|
3000
|
-
this._builder.withIssuerState(issuerState);
|
|
3001
|
-
return this;
|
|
3283
|
+
withIssuerState(issuerState) {
|
|
3284
|
+
this._builder.withIssuerState(issuerState);
|
|
3285
|
+
return this;
|
|
3286
|
+
}
|
|
3287
|
+
withCredentialType(credentialTypes) {
|
|
3288
|
+
this._builder.withCredentialType(credentialTypes);
|
|
3289
|
+
return this;
|
|
3290
|
+
}
|
|
3291
|
+
withFormat(format) {
|
|
3292
|
+
if ("withFormat" in this._builder) {
|
|
3293
|
+
this._builder.withFormat(format);
|
|
3294
|
+
}
|
|
3295
|
+
return this;
|
|
3296
|
+
}
|
|
3297
|
+
withSubjectIssuance(subjectIssuance) {
|
|
3298
|
+
this._builder.withSubjectIssuance(subjectIssuance);
|
|
3299
|
+
return this;
|
|
3300
|
+
}
|
|
3301
|
+
withToken(accessToken) {
|
|
3302
|
+
this._builder.withToken(accessToken);
|
|
3303
|
+
return this;
|
|
3304
|
+
}
|
|
3305
|
+
withTokenFromResponse(response) {
|
|
3306
|
+
this._builder.withTokenFromResponse(response);
|
|
3307
|
+
return this;
|
|
3308
|
+
}
|
|
3309
|
+
withVersion(version) {
|
|
3310
|
+
this._builder.withVersion(version);
|
|
3311
|
+
return this;
|
|
3312
|
+
}
|
|
3313
|
+
build() {
|
|
3314
|
+
return this._builder.build();
|
|
3315
|
+
}
|
|
3316
|
+
};
|
|
3317
|
+
|
|
3318
|
+
// lib/MetadataClientV1_0_15.ts
|
|
3319
|
+
var import_oid4vci_common25 = require("@sphereon/oid4vci-common");
|
|
3320
|
+
var import_ssi_types15 = require("@sphereon/ssi-types");
|
|
3321
|
+
var logger13 = import_ssi_types15.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
|
|
3322
|
+
var MetadataClientV1_0_15 = class _MetadataClientV1_0_15 {
|
|
3323
|
+
static {
|
|
3324
|
+
__name(this, "MetadataClientV1_0_15");
|
|
3325
|
+
}
|
|
3326
|
+
/**
|
|
3327
|
+
* Retrieve metadata using the Initiation obtained from a previous step
|
|
3328
|
+
*
|
|
3329
|
+
* @param credentialOffer
|
|
3330
|
+
*/
|
|
3331
|
+
static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
|
|
3332
|
+
return _MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
|
|
3333
|
+
}
|
|
3334
|
+
/**
|
|
3335
|
+
* Retrieve the metada using the initiation request obtained from a previous step
|
|
3336
|
+
* @param request
|
|
3337
|
+
*/
|
|
3338
|
+
static async retrieveAllMetadataFromCredentialOfferRequest(request) {
|
|
3339
|
+
const issuer = (0, import_oid4vci_common25.getIssuerFromCredentialOfferPayload)(request);
|
|
3340
|
+
if (issuer) {
|
|
3341
|
+
return _MetadataClientV1_0_15.retrieveAllMetadata(issuer);
|
|
3342
|
+
}
|
|
3343
|
+
throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
|
|
3344
|
+
}
|
|
3345
|
+
/**
|
|
3346
|
+
* Retrieve all metadata from an issuer
|
|
3347
|
+
* @param issuer The issuer URL
|
|
3348
|
+
* @param opts
|
|
3349
|
+
*/
|
|
3350
|
+
static async retrieveAllMetadata(issuer, opts) {
|
|
3351
|
+
let token_endpoint;
|
|
3352
|
+
let credential_endpoint;
|
|
3353
|
+
let nonce_endpoint;
|
|
3354
|
+
let deferred_credential_endpoint;
|
|
3355
|
+
let authorization_endpoint;
|
|
3356
|
+
let authorization_challenge_endpoint;
|
|
3357
|
+
let authorizationServerType = "OID4VCI";
|
|
3358
|
+
let authorization_servers = [
|
|
3359
|
+
issuer
|
|
3360
|
+
];
|
|
3361
|
+
const oid4vciResponse = await _MetadataClientV1_0_15.retrieveOpenID4VCIServerMetadata(issuer, {
|
|
3362
|
+
errorOnNotFound: false
|
|
3363
|
+
});
|
|
3364
|
+
let credentialIssuerMetadata = oid4vciResponse?.successBody;
|
|
3365
|
+
if (credentialIssuerMetadata) {
|
|
3366
|
+
logger13.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
|
|
3367
|
+
${JSON.stringify(credentialIssuerMetadata)}`);
|
|
3368
|
+
credential_endpoint = credentialIssuerMetadata.credential_endpoint;
|
|
3369
|
+
nonce_endpoint = credentialIssuerMetadata.nonce_endpoint;
|
|
3370
|
+
deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
|
|
3371
|
+
if (credentialIssuerMetadata.token_endpoint) {
|
|
3372
|
+
token_endpoint = credentialIssuerMetadata.token_endpoint;
|
|
3373
|
+
}
|
|
3374
|
+
authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
|
|
3375
|
+
if (credentialIssuerMetadata.authorization_servers) {
|
|
3376
|
+
authorization_servers = credentialIssuerMetadata.authorization_servers;
|
|
3377
|
+
}
|
|
3378
|
+
}
|
|
3379
|
+
let response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common25.WellKnownEndpoints.OPENID_CONFIGURATION, {
|
|
3380
|
+
errorOnNotFound: false
|
|
3381
|
+
});
|
|
3382
|
+
let authMetadata = response.successBody;
|
|
3383
|
+
if (authMetadata) {
|
|
3384
|
+
logger13.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
|
|
3385
|
+
authorizationServerType = "OIDC";
|
|
3386
|
+
} else {
|
|
3387
|
+
response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common25.WellKnownEndpoints.OAUTH_AS, {
|
|
3388
|
+
errorOnNotFound: false
|
|
3389
|
+
});
|
|
3390
|
+
authMetadata = response.successBody;
|
|
3391
|
+
}
|
|
3392
|
+
if (!authMetadata) {
|
|
3393
|
+
if (!authorization_servers.includes(issuer)) {
|
|
3394
|
+
throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
|
|
3395
|
+
}
|
|
3396
|
+
} else {
|
|
3397
|
+
if (!authorizationServerType) {
|
|
3398
|
+
authorizationServerType = "OAuth 2.0";
|
|
3399
|
+
}
|
|
3400
|
+
logger13.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
|
|
3401
|
+
if (!authMetadata.authorization_endpoint) {
|
|
3402
|
+
console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
|
|
3403
|
+
} else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
|
|
3404
|
+
throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
|
|
3405
|
+
}
|
|
3406
|
+
authorization_endpoint = authMetadata.authorization_endpoint;
|
|
3407
|
+
if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
|
|
3408
|
+
throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
|
|
3409
|
+
}
|
|
3410
|
+
authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
|
|
3411
|
+
if (!authMetadata.token_endpoint) {
|
|
3412
|
+
throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
|
|
3413
|
+
} else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
|
|
3414
|
+
throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
|
|
3415
|
+
}
|
|
3416
|
+
token_endpoint = authMetadata.token_endpoint;
|
|
3417
|
+
if (authMetadata.credential_endpoint) {
|
|
3418
|
+
if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
|
|
3419
|
+
logger13.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
|
|
3420
|
+
} else {
|
|
3421
|
+
credential_endpoint = authMetadata.credential_endpoint;
|
|
3422
|
+
}
|
|
3423
|
+
}
|
|
3424
|
+
if (authMetadata.deferred_credential_endpoint) {
|
|
3425
|
+
if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
|
|
3426
|
+
logger13.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
|
|
3427
|
+
} else {
|
|
3428
|
+
deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
|
|
3429
|
+
}
|
|
3430
|
+
}
|
|
3431
|
+
}
|
|
3432
|
+
if (!authorization_endpoint) {
|
|
3433
|
+
logger13.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
|
|
3434
|
+
}
|
|
3435
|
+
if (!token_endpoint) {
|
|
3436
|
+
logger13.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
|
|
3437
|
+
if (opts?.errorOnNotFound) {
|
|
3438
|
+
throw Error(`Could not deduce the token_endpoint for ${issuer}`);
|
|
3439
|
+
} else {
|
|
3440
|
+
token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
|
|
3441
|
+
}
|
|
3442
|
+
}
|
|
3443
|
+
if (!credential_endpoint) {
|
|
3444
|
+
logger13.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
|
|
3445
|
+
if (opts?.errorOnNotFound) {
|
|
3446
|
+
throw Error(`Could not deduce the credential endpoint for ${issuer}`);
|
|
3447
|
+
} else {
|
|
3448
|
+
credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
|
|
3449
|
+
}
|
|
3450
|
+
}
|
|
3451
|
+
if (!credentialIssuerMetadata && authMetadata) {
|
|
3452
|
+
credentialIssuerMetadata = authMetadata;
|
|
3453
|
+
}
|
|
3454
|
+
const ci = credentialIssuerMetadata ?? {};
|
|
3455
|
+
const ciAuthorizationServers = Array.isArray(ci.authorization_servers) && ci.authorization_servers.length > 0 ? ci.authorization_servers : authorization_servers;
|
|
3456
|
+
const v15CredentialIssuerMetadata = {
|
|
3457
|
+
credential_issuer: ci.credential_issuer ?? issuer,
|
|
3458
|
+
credential_endpoint,
|
|
3459
|
+
authorization_servers: ciAuthorizationServers,
|
|
3460
|
+
credential_configurations_supported: ci.credential_configurations_supported ?? {},
|
|
3461
|
+
display: ci.display ?? [],
|
|
3462
|
+
...nonce_endpoint && {
|
|
3463
|
+
nonce_endpoint
|
|
3464
|
+
},
|
|
3465
|
+
...deferred_credential_endpoint && {
|
|
3466
|
+
deferred_credential_endpoint
|
|
3467
|
+
}
|
|
3468
|
+
};
|
|
3469
|
+
logger13.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
3470
|
+
return {
|
|
3471
|
+
issuer,
|
|
3472
|
+
token_endpoint,
|
|
3473
|
+
credential_endpoint,
|
|
3474
|
+
authorization_challenge_endpoint,
|
|
3475
|
+
authorizationServerType,
|
|
3476
|
+
credentialIssuerMetadata: v15CredentialIssuerMetadata,
|
|
3477
|
+
authorizationServerMetadata: authMetadata
|
|
3478
|
+
};
|
|
3479
|
+
}
|
|
3480
|
+
/**
|
|
3481
|
+
* Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
|
|
3482
|
+
*
|
|
3483
|
+
* @param issuerHost The issuer hostname
|
|
3484
|
+
* @param opts
|
|
3485
|
+
*/
|
|
3486
|
+
static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
|
|
3487
|
+
return retrieveWellknown(issuerHost, import_oid4vci_common25.WellKnownEndpoints.OPENID4VCI_ISSUER, {
|
|
3488
|
+
errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
|
|
3489
|
+
});
|
|
3490
|
+
}
|
|
3491
|
+
};
|
|
3492
|
+
|
|
3493
|
+
// lib/OpenID4VCIClient.ts
|
|
3494
|
+
var import_oid4vci_common26 = require("@sphereon/oid4vci-common");
|
|
3495
|
+
var import_ssi_types16 = require("@sphereon/ssi-types");
|
|
3496
|
+
var logger14 = import_ssi_types16.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
3497
|
+
var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
3498
|
+
static {
|
|
3499
|
+
__name(this, "OpenID4VCIClient");
|
|
3500
|
+
}
|
|
3501
|
+
_state;
|
|
3502
|
+
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
3503
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common26.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
3504
|
+
if (!issuer) {
|
|
3505
|
+
throw Error("No credential issuer supplied or deduced from offer");
|
|
3506
|
+
}
|
|
3507
|
+
this._state = {
|
|
3508
|
+
credentialOffer,
|
|
3509
|
+
credentialIssuer: issuer,
|
|
3510
|
+
kid,
|
|
3511
|
+
alg,
|
|
3512
|
+
// TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
|
|
3513
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common26.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
3514
|
+
pkce: {
|
|
3515
|
+
disabled: false,
|
|
3516
|
+
codeChallengeMethod: import_oid4vci_common26.CodeChallengeMethod.S256,
|
|
3517
|
+
...pkce
|
|
3518
|
+
},
|
|
3519
|
+
authorizationRequestOpts,
|
|
3520
|
+
authorizationCodeResponse,
|
|
3521
|
+
accessToken,
|
|
3522
|
+
jwk,
|
|
3523
|
+
endpointMetadata: endpointMetadata?.credentialIssuerMetadata?.authorization_server ? endpointMetadata : endpointMetadata,
|
|
3524
|
+
accessTokenResponse,
|
|
3525
|
+
authorizationURL
|
|
3526
|
+
};
|
|
3527
|
+
if (!this._state.authorizationRequestOpts) {
|
|
3528
|
+
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
3529
|
+
}
|
|
3530
|
+
logger14.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
3531
|
+
}
|
|
3532
|
+
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
|
|
3533
|
+
const client = new _OpenID4VCIClient({
|
|
3534
|
+
kid,
|
|
3535
|
+
alg,
|
|
3536
|
+
clientId: clientId ?? authorizationRequest?.clientId,
|
|
3537
|
+
credentialIssuer,
|
|
3538
|
+
pkce,
|
|
3539
|
+
authorizationRequest,
|
|
3540
|
+
endpointMetadata
|
|
3541
|
+
});
|
|
3542
|
+
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
3543
|
+
await client.retrieveServerMetadata();
|
|
3544
|
+
}
|
|
3545
|
+
if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
|
|
3546
|
+
await client.createAuthorizationRequestUrl({
|
|
3547
|
+
authorizationRequest,
|
|
3548
|
+
pkce
|
|
3549
|
+
});
|
|
3550
|
+
}
|
|
3551
|
+
return client;
|
|
3552
|
+
}
|
|
3553
|
+
static async fromState({ state }) {
|
|
3554
|
+
const clientState = typeof state === "string" ? JSON.parse(state) : state;
|
|
3555
|
+
return new _OpenID4VCIClient(clientState);
|
|
3556
|
+
}
|
|
3557
|
+
static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, endpointMetadata }) {
|
|
3558
|
+
const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
|
|
3559
|
+
resolve: resolveOfferUri
|
|
3560
|
+
});
|
|
3561
|
+
const client = new _OpenID4VCIClient({
|
|
3562
|
+
credentialOffer: credentialOfferClient,
|
|
3563
|
+
kid,
|
|
3564
|
+
alg,
|
|
3565
|
+
clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
|
|
3566
|
+
pkce,
|
|
3567
|
+
authorizationRequest,
|
|
3568
|
+
endpointMetadata
|
|
3569
|
+
});
|
|
3570
|
+
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
3571
|
+
await client.retrieveServerMetadata();
|
|
3572
|
+
}
|
|
3573
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common26.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
|
|
3574
|
+
await client.createAuthorizationRequestUrl({
|
|
3575
|
+
authorizationRequest,
|
|
3576
|
+
pkce
|
|
3577
|
+
});
|
|
3578
|
+
logger14.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
3579
|
+
}
|
|
3580
|
+
return client;
|
|
3581
|
+
}
|
|
3582
|
+
/**
|
|
3583
|
+
* Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
|
|
3584
|
+
*
|
|
3585
|
+
* The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
|
|
3586
|
+
* @param opts
|
|
3587
|
+
*/
|
|
3588
|
+
async createAuthorizationRequestUrl(opts) {
|
|
3589
|
+
if (!this._state.authorizationURL) {
|
|
3590
|
+
this.calculatePKCEOpts(opts?.pkce);
|
|
3591
|
+
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
|
|
3592
|
+
if (!this._state.authorizationRequestOpts) {
|
|
3593
|
+
throw Error(`No Authorization Request options present or provided in this call`);
|
|
3594
|
+
}
|
|
3595
|
+
if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
|
|
3596
|
+
this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
|
|
3597
|
+
}
|
|
3598
|
+
if (this.version() <= import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_11) {
|
|
3599
|
+
this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
|
|
3600
|
+
pkce: this._state.pkce,
|
|
3601
|
+
endpointMetadata: this.endpointMetadata,
|
|
3602
|
+
authorizationRequest: this._state.authorizationRequestOpts,
|
|
3603
|
+
credentialOffer: this.credentialOffer,
|
|
3604
|
+
credentialsSupported: Object.values(this.getCredentialsSupported(true))
|
|
3605
|
+
});
|
|
3606
|
+
} else {
|
|
3607
|
+
this._state.authorizationURL = await createAuthorizationRequestUrl({
|
|
3608
|
+
pkce: this._state.pkce,
|
|
3609
|
+
endpointMetadata: this.endpointMetadata,
|
|
3610
|
+
authorizationRequest: this._state.authorizationRequestOpts,
|
|
3611
|
+
credentialOffer: this.credentialOffer,
|
|
3612
|
+
credentialConfigurationSupported: this.getCredentialsSupported(false)
|
|
3613
|
+
});
|
|
3614
|
+
}
|
|
3615
|
+
}
|
|
3616
|
+
return this._state.authorizationURL;
|
|
3617
|
+
}
|
|
3618
|
+
async retrieveServerMetadata() {
|
|
3619
|
+
this.assertIssuerData();
|
|
3620
|
+
if (!this._state.endpointMetadata) {
|
|
3621
|
+
if (this.credentialOffer) {
|
|
3622
|
+
this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
|
|
3623
|
+
} else if (this._state.credentialIssuer) {
|
|
3624
|
+
this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
|
|
3625
|
+
} else {
|
|
3626
|
+
throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
|
|
3627
|
+
}
|
|
3628
|
+
}
|
|
3629
|
+
return this.endpointMetadata;
|
|
3630
|
+
}
|
|
3631
|
+
calculatePKCEOpts(pkce) {
|
|
3632
|
+
this._state.pkce = generateMissingPKCEOpts({
|
|
3633
|
+
...this._state.pkce,
|
|
3634
|
+
...pkce
|
|
3635
|
+
});
|
|
3636
|
+
}
|
|
3637
|
+
async acquireAuthorizationChallengeCode(opts) {
|
|
3638
|
+
const response = await acquireAuthorizationChallengeAuthCode({
|
|
3639
|
+
metadata: this.endpointMetadata,
|
|
3640
|
+
credentialIssuer: this.getIssuer(),
|
|
3641
|
+
clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
|
|
3642
|
+
...opts
|
|
3643
|
+
});
|
|
3644
|
+
if (response.errorBody) {
|
|
3645
|
+
logger14.debug(`Authorization code error:\r
|
|
3646
|
+
${JSON.stringify(response.errorBody)}`);
|
|
3647
|
+
const error = response.errorBody;
|
|
3648
|
+
return Promise.reject(error);
|
|
3649
|
+
} else if (!response.successBody) {
|
|
3650
|
+
logger14.debug(`Authorization code error. No success body`);
|
|
3651
|
+
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
3652
|
+
}
|
|
3653
|
+
return {
|
|
3654
|
+
...response.successBody
|
|
3655
|
+
};
|
|
3656
|
+
}
|
|
3657
|
+
async acquireAccessToken(opts) {
|
|
3658
|
+
const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
|
|
3659
|
+
let { redirectUri } = opts ?? {};
|
|
3660
|
+
const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
|
|
3661
|
+
if (opts?.codeVerifier) {
|
|
3662
|
+
this._state.pkce.codeVerifier = opts.codeVerifier;
|
|
3663
|
+
}
|
|
3664
|
+
this.assertIssuerData();
|
|
3665
|
+
const asOpts = {
|
|
3666
|
+
...opts?.asOpts
|
|
3667
|
+
};
|
|
3668
|
+
const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
|
|
3669
|
+
const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
|
|
3670
|
+
if (this.isEBSI() || clientId && kid) {
|
|
3671
|
+
if (!clientId) {
|
|
3672
|
+
throw Error(`Client id expected for EBSI`);
|
|
3673
|
+
}
|
|
3674
|
+
asOpts.clientOpts = {
|
|
3675
|
+
...asOpts.clientOpts,
|
|
3676
|
+
clientId,
|
|
3677
|
+
...kid && {
|
|
3678
|
+
kid
|
|
3679
|
+
},
|
|
3680
|
+
...clientAssertionType && {
|
|
3681
|
+
clientAssertionType
|
|
3682
|
+
},
|
|
3683
|
+
signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
|
|
3684
|
+
};
|
|
3685
|
+
}
|
|
3686
|
+
if (clientId) {
|
|
3687
|
+
this._state.clientId = clientId;
|
|
3688
|
+
if (!asOpts.clientOpts) {
|
|
3689
|
+
asOpts.clientOpts = {
|
|
3690
|
+
clientId
|
|
3691
|
+
};
|
|
3692
|
+
}
|
|
3693
|
+
asOpts.clientOpts.clientId = clientId;
|
|
3694
|
+
}
|
|
3695
|
+
if (!this._state.accessTokenResponse) {
|
|
3696
|
+
const accessTokenClient = this.version() <= import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_12 ? new AccessTokenClientV1_0_11() : new AccessTokenClient();
|
|
3697
|
+
if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
|
|
3698
|
+
console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
|
|
3699
|
+
}
|
|
3700
|
+
if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
|
|
3701
|
+
redirectUri = this._state.authorizationRequestOpts.redirectUri;
|
|
3702
|
+
}
|
|
3703
|
+
const response = await accessTokenClient.acquireAccessToken({
|
|
3704
|
+
credentialOffer: this.credentialOffer,
|
|
3705
|
+
metadata: this.endpointMetadata,
|
|
3706
|
+
credentialIssuer: this.getIssuer(),
|
|
3707
|
+
pin,
|
|
3708
|
+
...!this._state.pkce.disabled && {
|
|
3709
|
+
codeVerifier: this._state.pkce.codeVerifier
|
|
3710
|
+
},
|
|
3711
|
+
code,
|
|
3712
|
+
redirectUri,
|
|
3713
|
+
asOpts,
|
|
3714
|
+
...opts?.createDPoPOpts && {
|
|
3715
|
+
createDPoPOpts: opts.createDPoPOpts
|
|
3716
|
+
},
|
|
3717
|
+
...opts?.additionalRequestParams && {
|
|
3718
|
+
additionalParams: opts.additionalRequestParams
|
|
3719
|
+
}
|
|
3720
|
+
});
|
|
3721
|
+
if (response.errorBody) {
|
|
3722
|
+
logger14.debug(`Access token error:\r
|
|
3723
|
+
${JSON.stringify(response.errorBody)}`);
|
|
3724
|
+
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3725
|
+
} else if (!response.successBody) {
|
|
3726
|
+
logger14.debug(`Access token error. No success body`);
|
|
3727
|
+
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3728
|
+
}
|
|
3729
|
+
this._state.accessTokenResponse = response.successBody;
|
|
3730
|
+
this._state.dpopResponseParams = response.params;
|
|
3731
|
+
this._state.accessToken = response.successBody.access_token;
|
|
3732
|
+
}
|
|
3733
|
+
return {
|
|
3734
|
+
...this.accessTokenResponse,
|
|
3735
|
+
...this.dpopResponseParams && {
|
|
3736
|
+
params: this.dpopResponseParams
|
|
3737
|
+
}
|
|
3738
|
+
};
|
|
3739
|
+
}
|
|
3740
|
+
async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
3741
|
+
if ([
|
|
3742
|
+
jwk,
|
|
3743
|
+
kid
|
|
3744
|
+
].filter((v) => v !== void 0).length > 1) {
|
|
3745
|
+
throw new Error(import_oid4vci_common26.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
3746
|
+
}
|
|
3747
|
+
if (alg) this._state.alg = alg;
|
|
3748
|
+
if (jwk) this._state.jwk = jwk;
|
|
3749
|
+
if (kid) this._state.kid = kid;
|
|
3750
|
+
let requestBuilder;
|
|
3751
|
+
if (this.version() < import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_13) {
|
|
3752
|
+
requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
|
|
3753
|
+
credentialOffer: this.credentialOffer,
|
|
3754
|
+
metadata: this.endpointMetadata
|
|
3755
|
+
}) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
|
|
3756
|
+
credentialIssuer: this.getIssuer(),
|
|
3757
|
+
credentialTypes,
|
|
3758
|
+
metadata: this.endpointMetadata,
|
|
3759
|
+
version: this.version()
|
|
3760
|
+
});
|
|
3761
|
+
} else {
|
|
3762
|
+
requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
|
|
3763
|
+
credentialOffer: this.credentialOffer,
|
|
3764
|
+
metadata: this.endpointMetadata
|
|
3765
|
+
}) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
3766
|
+
credentialIssuer: this.getIssuer(),
|
|
3767
|
+
credentialTypes,
|
|
3768
|
+
metadata: this.endpointMetadata,
|
|
3769
|
+
version: this.version()
|
|
3770
|
+
});
|
|
3771
|
+
}
|
|
3772
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common26.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
3773
|
+
requestBuilder.withIssuerState(issuerState);
|
|
3774
|
+
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
3775
|
+
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
3776
|
+
let subjectIssuance;
|
|
3777
|
+
if (this.endpointMetadata?.credentialIssuerMetadata) {
|
|
3778
|
+
const metadata = this.endpointMetadata.credentialIssuerMetadata;
|
|
3779
|
+
const types = Array.isArray(credentialTypes) ? credentialTypes : [
|
|
3780
|
+
credentialTypes
|
|
3781
|
+
];
|
|
3782
|
+
if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
|
|
3783
|
+
let typeSupported = false;
|
|
3784
|
+
metadata.credentials_supported.forEach((supportedCredential) => {
|
|
3785
|
+
const subTypes = (0, import_oid4vci_common26.getTypesFromCredentialSupported)(supportedCredential);
|
|
3786
|
+
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3787
|
+
typeSupported = true;
|
|
3788
|
+
if (supportedCredential.credential_subject_issuance) {
|
|
3789
|
+
subjectIssuance = {
|
|
3790
|
+
credential_subject_issuance: supportedCredential.credential_subject_issuance
|
|
3791
|
+
};
|
|
3792
|
+
}
|
|
3793
|
+
}
|
|
3794
|
+
});
|
|
3795
|
+
if (!typeSupported) {
|
|
3796
|
+
console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
|
|
3797
|
+
}
|
|
3798
|
+
} else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
|
|
3799
|
+
const credentialsSupported = metadata.credentials_supported;
|
|
3800
|
+
if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
|
|
3801
|
+
throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
|
|
3802
|
+
}
|
|
3803
|
+
}
|
|
3804
|
+
}
|
|
3805
|
+
if (subjectIssuance) {
|
|
3806
|
+
requestBuilder.withSubjectIssuance(subjectIssuance);
|
|
3807
|
+
}
|
|
3808
|
+
const credentialRequestClient = requestBuilder.build();
|
|
3809
|
+
const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
|
|
3810
|
+
accessTokenResponse: this.accessTokenResponse,
|
|
3811
|
+
callbacks: proofCallbacks,
|
|
3812
|
+
version: this.version()
|
|
3813
|
+
}).withIssuer(this.getIssuer()).withAlg(this.alg);
|
|
3814
|
+
if (this._state.jwk) {
|
|
3815
|
+
proofBuilder.withJWK(this._state.jwk);
|
|
3816
|
+
}
|
|
3817
|
+
if (this._state.kid) {
|
|
3818
|
+
proofBuilder.withKid(this._state.kid);
|
|
3819
|
+
}
|
|
3820
|
+
if (this.clientId) {
|
|
3821
|
+
proofBuilder.withClientId(this.clientId);
|
|
3822
|
+
}
|
|
3823
|
+
if (jti) {
|
|
3824
|
+
proofBuilder.withJti(jti);
|
|
3825
|
+
}
|
|
3826
|
+
const response = await credentialRequestClient.acquireCredentialsUsingProof({
|
|
3827
|
+
proofInput: proofBuilder,
|
|
3828
|
+
credentialTypes,
|
|
3829
|
+
context,
|
|
3830
|
+
format,
|
|
3831
|
+
subjectIssuance,
|
|
3832
|
+
createDPoPOpts
|
|
3833
|
+
});
|
|
3834
|
+
this._state.dpopResponseParams = response.params;
|
|
3835
|
+
if (response.errorBody) {
|
|
3836
|
+
logger14.debug(`Credential request error:\r
|
|
3837
|
+
${JSON.stringify(response.errorBody)}`);
|
|
3838
|
+
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3839
|
+
} else if (!response.successBody) {
|
|
3840
|
+
logger14.debug(`Credential request error. No success body`);
|
|
3841
|
+
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3842
|
+
}
|
|
3843
|
+
return {
|
|
3844
|
+
...response.successBody,
|
|
3845
|
+
...this.dpopResponseParams && {
|
|
3846
|
+
params: this.dpopResponseParams
|
|
3847
|
+
},
|
|
3848
|
+
access_token: response.access_token
|
|
3849
|
+
};
|
|
3850
|
+
}
|
|
3851
|
+
async exportState() {
|
|
3852
|
+
return JSON.stringify(this._state);
|
|
3853
|
+
}
|
|
3854
|
+
getCredentialsSupported(restrictToInitiationTypes, format) {
|
|
3855
|
+
return (0, import_oid4vci_common26.getSupportedCredentials)({
|
|
3856
|
+
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
3857
|
+
version: this.version(),
|
|
3858
|
+
format,
|
|
3859
|
+
types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
|
|
3860
|
+
});
|
|
3861
|
+
}
|
|
3862
|
+
async sendNotification(credentialRequestOpts, request, accessToken) {
|
|
3863
|
+
return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
|
|
3864
|
+
}
|
|
3865
|
+
getCredentialOfferTypes() {
|
|
3866
|
+
if (!this.credentialOffer) {
|
|
3867
|
+
return [];
|
|
3868
|
+
} else if (this.version() < import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_11) {
|
|
3869
|
+
const orig = this.credentialOffer.original_credential_offer;
|
|
3870
|
+
const types = typeof orig.credential_type === "string" ? [
|
|
3871
|
+
orig.credential_type
|
|
3872
|
+
] : orig.credential_type;
|
|
3873
|
+
const result = [];
|
|
3874
|
+
result[0] = types;
|
|
3875
|
+
return result;
|
|
3876
|
+
} else if (this.version() < import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_13) {
|
|
3877
|
+
return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common26.getTypesFromObject)(c) ?? []);
|
|
3878
|
+
}
|
|
3879
|
+
return void 0;
|
|
3880
|
+
}
|
|
3881
|
+
issuerSupportedFlowTypes() {
|
|
3882
|
+
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
|
|
3883
|
+
import_oid4vci_common26.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
3884
|
+
] : []);
|
|
3885
|
+
}
|
|
3886
|
+
isFlowTypeSupported(flowType) {
|
|
3887
|
+
return this.issuerSupportedFlowTypes().includes(flowType);
|
|
3888
|
+
}
|
|
3889
|
+
get authorizationURL() {
|
|
3890
|
+
return this._state.authorizationURL;
|
|
3891
|
+
}
|
|
3892
|
+
hasAuthorizationURL() {
|
|
3893
|
+
return !!this.authorizationURL;
|
|
3894
|
+
}
|
|
3895
|
+
get credentialOffer() {
|
|
3896
|
+
return this._state.credentialOffer;
|
|
3897
|
+
}
|
|
3898
|
+
version() {
|
|
3899
|
+
if (this.credentialOffer?.version && this.credentialOffer.version !== import_oid4vci_common26.OpenId4VCIVersion.VER_UNKNOWN) {
|
|
3900
|
+
return this.credentialOffer.version;
|
|
3901
|
+
}
|
|
3902
|
+
const metadata = this._state.endpointMetadata;
|
|
3903
|
+
if (metadata?.credentialIssuerMetadata) {
|
|
3904
|
+
const versions = (0, import_oid4vci_common26.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
|
|
3905
|
+
if (versions.length > 0 && !versions.includes(import_oid4vci_common26.OpenId4VCIVersion.VER_UNKNOWN)) {
|
|
3906
|
+
return versions[0];
|
|
3907
|
+
}
|
|
3908
|
+
}
|
|
3909
|
+
return import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_15;
|
|
3910
|
+
}
|
|
3911
|
+
get endpointMetadata() {
|
|
3912
|
+
this.assertServerMetadata();
|
|
3913
|
+
return this._state.endpointMetadata;
|
|
3914
|
+
}
|
|
3915
|
+
get kid() {
|
|
3916
|
+
this.assertIssuerData();
|
|
3917
|
+
if (!this._state.kid) {
|
|
3918
|
+
throw new Error("No value for kid is supplied");
|
|
3919
|
+
}
|
|
3920
|
+
return this._state.kid;
|
|
3921
|
+
}
|
|
3922
|
+
get alg() {
|
|
3923
|
+
this.assertIssuerData();
|
|
3924
|
+
if (!this._state.alg) {
|
|
3925
|
+
throw new Error("No value for alg is supplied");
|
|
3926
|
+
}
|
|
3927
|
+
return this._state.alg;
|
|
3928
|
+
}
|
|
3929
|
+
set clientId(value) {
|
|
3930
|
+
this._state.clientId = value;
|
|
3931
|
+
}
|
|
3932
|
+
get clientId() {
|
|
3933
|
+
return this._state.clientId;
|
|
3934
|
+
}
|
|
3935
|
+
hasAccessTokenResponse() {
|
|
3936
|
+
return !!this._state.accessTokenResponse;
|
|
3937
|
+
}
|
|
3938
|
+
get accessTokenResponse() {
|
|
3939
|
+
this.assertAccessToken();
|
|
3940
|
+
return this._state.accessTokenResponse;
|
|
3941
|
+
}
|
|
3942
|
+
get dpopResponseParams() {
|
|
3943
|
+
return this._state.dpopResponseParams;
|
|
3944
|
+
}
|
|
3945
|
+
getIssuer() {
|
|
3946
|
+
this.assertIssuerData();
|
|
3947
|
+
return this._state.credentialIssuer;
|
|
3948
|
+
}
|
|
3949
|
+
getAccessTokenEndpoint() {
|
|
3950
|
+
this.assertIssuerData();
|
|
3951
|
+
if (this.endpointMetadata) {
|
|
3952
|
+
return this.endpointMetadata.token_endpoint;
|
|
3953
|
+
}
|
|
3954
|
+
return this.version() <= import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_12 ? AccessTokenClientV1_0_11.determineTokenURL({
|
|
3955
|
+
issuerOpts: {
|
|
3956
|
+
issuer: this.getIssuer()
|
|
3957
|
+
}
|
|
3958
|
+
}) : AccessTokenClient.determineTokenURL({
|
|
3959
|
+
issuerOpts: {
|
|
3960
|
+
issuer: this.getIssuer()
|
|
3961
|
+
}
|
|
3962
|
+
});
|
|
3963
|
+
}
|
|
3964
|
+
getCredentialEndpoint() {
|
|
3965
|
+
this.assertIssuerData();
|
|
3966
|
+
return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
|
|
3967
|
+
}
|
|
3968
|
+
getAuthorizationChallengeEndpoint() {
|
|
3969
|
+
this.assertIssuerData();
|
|
3970
|
+
return this.endpointMetadata?.authorization_challenge_endpoint;
|
|
3002
3971
|
}
|
|
3003
|
-
|
|
3004
|
-
this.
|
|
3005
|
-
return this;
|
|
3972
|
+
hasAuthorizationChallengeEndpoint() {
|
|
3973
|
+
return !!this.getAuthorizationChallengeEndpoint();
|
|
3006
3974
|
}
|
|
3007
|
-
|
|
3008
|
-
this.
|
|
3009
|
-
return this;
|
|
3975
|
+
hasDeferredCredentialEndpoint() {
|
|
3976
|
+
return !!this.getAccessTokenEndpoint();
|
|
3010
3977
|
}
|
|
3011
|
-
|
|
3012
|
-
this.
|
|
3013
|
-
return this
|
|
3978
|
+
getDeferredCredentialEndpoint() {
|
|
3979
|
+
this.assertIssuerData();
|
|
3980
|
+
return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
|
|
3014
3981
|
}
|
|
3015
|
-
|
|
3016
|
-
|
|
3017
|
-
|
|
3982
|
+
/**
|
|
3983
|
+
* Too bad we need a method like this, but EBSI is not exposing metadata
|
|
3984
|
+
*/
|
|
3985
|
+
isEBSI() {
|
|
3986
|
+
if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
|
|
3987
|
+
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
|
|
3988
|
+
// @ts-ignore
|
|
3989
|
+
typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
|
|
3990
|
+
))) {
|
|
3991
|
+
return true;
|
|
3992
|
+
}
|
|
3993
|
+
return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
|
|
3018
3994
|
}
|
|
3019
|
-
|
|
3020
|
-
this.
|
|
3021
|
-
|
|
3995
|
+
assertIssuerData() {
|
|
3996
|
+
if (!this._state.credentialIssuer) {
|
|
3997
|
+
throw Error(`No credential issuer value present`);
|
|
3998
|
+
} else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
|
|
3999
|
+
throw Error(`No issuance initiation or credential offer present`);
|
|
4000
|
+
}
|
|
3022
4001
|
}
|
|
3023
|
-
|
|
3024
|
-
this.
|
|
3025
|
-
|
|
4002
|
+
assertServerMetadata() {
|
|
4003
|
+
if (!this._state.endpointMetadata) {
|
|
4004
|
+
throw Error("No server metadata");
|
|
4005
|
+
}
|
|
3026
4006
|
}
|
|
3027
|
-
|
|
3028
|
-
|
|
4007
|
+
assertAccessToken() {
|
|
4008
|
+
if (!this._state.accessTokenResponse) {
|
|
4009
|
+
throw Error(`No access token present`);
|
|
4010
|
+
}
|
|
4011
|
+
}
|
|
4012
|
+
syncAuthorizationRequestOpts(opts) {
|
|
4013
|
+
const requestObjectOpts = {
|
|
4014
|
+
...this._state?.authorizationRequestOpts?.requestObjectOpts,
|
|
4015
|
+
...opts?.requestObjectOpts
|
|
4016
|
+
};
|
|
4017
|
+
let authorizationRequestOpts = {
|
|
4018
|
+
...this._state?.authorizationRequestOpts,
|
|
4019
|
+
...opts,
|
|
4020
|
+
...requestObjectOpts && {
|
|
4021
|
+
requestObjectOpts
|
|
4022
|
+
}
|
|
4023
|
+
};
|
|
4024
|
+
if (!authorizationRequestOpts) {
|
|
4025
|
+
authorizationRequestOpts = {
|
|
4026
|
+
redirectUri: `${import_oid4vci_common26.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
4027
|
+
};
|
|
4028
|
+
}
|
|
4029
|
+
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
4030
|
+
this._state.clientId = clientId;
|
|
4031
|
+
authorizationRequestOpts.clientId = clientId;
|
|
4032
|
+
return authorizationRequestOpts;
|
|
3029
4033
|
}
|
|
4034
|
+
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
4035
|
+
if (authorizationResponse) {
|
|
4036
|
+
this._state.authorizationCodeResponse = {
|
|
4037
|
+
...(0, import_oid4vci_common26.toAuthorizationResponsePayload)(authorizationResponse)
|
|
4038
|
+
};
|
|
4039
|
+
} else if (code) {
|
|
4040
|
+
this._state.authorizationCodeResponse = {
|
|
4041
|
+
code
|
|
4042
|
+
};
|
|
4043
|
+
}
|
|
4044
|
+
return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
|
|
4045
|
+
}, "getAuthorizationCode");
|
|
3030
4046
|
};
|
|
3031
4047
|
|
|
3032
|
-
// lib/
|
|
3033
|
-
var
|
|
3034
|
-
var
|
|
3035
|
-
var
|
|
3036
|
-
var
|
|
4048
|
+
// lib/OpenID4VCIClientV1_0_15.ts
|
|
4049
|
+
var import_oid4vci_common27 = require("@sphereon/oid4vci-common");
|
|
4050
|
+
var import_ssi_types17 = require("@sphereon/ssi-types");
|
|
4051
|
+
var logger15 = import_ssi_types17.Loggers.DEFAULT.get("sphereon:oid4vci:v15");
|
|
4052
|
+
var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
3037
4053
|
static {
|
|
3038
|
-
__name(this, "
|
|
4054
|
+
__name(this, "OpenID4VCIClientV1_0_15");
|
|
3039
4055
|
}
|
|
3040
4056
|
_state;
|
|
3041
|
-
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest,
|
|
3042
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
4057
|
+
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL, keyAttestation }) {
|
|
4058
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common27.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
3043
4059
|
if (!issuer) {
|
|
3044
4060
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
3045
4061
|
}
|
|
@@ -3048,40 +4064,39 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3048
4064
|
credentialIssuer: issuer,
|
|
3049
4065
|
kid,
|
|
3050
4066
|
alg,
|
|
3051
|
-
|
|
3052
|
-
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common23.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
4067
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common27.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
3053
4068
|
pkce: {
|
|
3054
4069
|
disabled: false,
|
|
3055
|
-
codeChallengeMethod:
|
|
4070
|
+
codeChallengeMethod: import_oid4vci_common27.CodeChallengeMethod.S256,
|
|
3056
4071
|
...pkce
|
|
3057
4072
|
},
|
|
3058
4073
|
authorizationRequestOpts,
|
|
3059
4074
|
authorizationCodeResponse,
|
|
3060
|
-
accessToken,
|
|
3061
4075
|
jwk,
|
|
3062
|
-
endpointMetadata
|
|
4076
|
+
endpointMetadata,
|
|
3063
4077
|
accessTokenResponse,
|
|
3064
|
-
authorizationURL
|
|
4078
|
+
authorizationURL,
|
|
4079
|
+
keyAttestation
|
|
3065
4080
|
};
|
|
3066
4081
|
if (!this._state.authorizationRequestOpts) {
|
|
3067
4082
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
3068
4083
|
}
|
|
3069
|
-
|
|
4084
|
+
logger15.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
3070
4085
|
}
|
|
3071
|
-
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL,
|
|
3072
|
-
const client = new
|
|
4086
|
+
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, keyAttestation }) {
|
|
4087
|
+
const client = new _OpenID4VCIClientV1_0_15({
|
|
3073
4088
|
kid,
|
|
3074
4089
|
alg,
|
|
3075
4090
|
clientId: clientId ?? authorizationRequest?.clientId,
|
|
3076
4091
|
credentialIssuer,
|
|
3077
4092
|
pkce,
|
|
3078
4093
|
authorizationRequest,
|
|
3079
|
-
|
|
4094
|
+
keyAttestation
|
|
3080
4095
|
});
|
|
3081
|
-
if (retrieveServerMetadata
|
|
4096
|
+
if (retrieveServerMetadata !== false) {
|
|
3082
4097
|
await client.retrieveServerMetadata();
|
|
3083
4098
|
}
|
|
3084
|
-
if (createAuthorizationRequestURL
|
|
4099
|
+
if (createAuthorizationRequestURL !== false) {
|
|
3085
4100
|
await client.createAuthorizationRequestUrl({
|
|
3086
4101
|
authorizationRequest,
|
|
3087
4102
|
pkce
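Review bot: The new guards `if (retrieveServerMetadata !== false) {` and `if (createAuthorizationRequestURL !== false) {` in fromCredentialIssuer treat `null`, `0` and `""` as "enabled", whereas OpenID4VCIClient earlier in this file keeps `retrieveServerMetadata === void 0 || retrieveServerMetadata`, which skips the step for any falsy value. A caller that passes `null` to suppress the outbound metadata request will still trigger it from this class; fromURI in the next hunk carries the same two guards. Either keep the sibling form, `if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {`, or document on both factories that only the literal `false` disables the step. fromCredentialIssuer's body continues past the end of this hunk.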
|
|
@@ -3091,39 +4106,33 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3091
4106
|
}
|
|
3092
4107
|
static async fromState({ state }) {
|
|
3093
4108
|
const clientState = typeof state === "string" ? JSON.parse(state) : state;
|
|
3094
|
-
return new
|
|
4109
|
+
return new _OpenID4VCIClientV1_0_15(clientState);
|
|
3095
4110
|
}
|
|
3096
|
-
static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri,
|
|
3097
|
-
const credentialOfferClient = await
|
|
4111
|
+
static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, keyAttestation }) {
|
|
4112
|
+
const credentialOfferClient = await CredentialOfferClientV1_0_15.fromURI(uri, {
|
|
3098
4113
|
resolve: resolveOfferUri
|
|
3099
4114
|
});
|
|
3100
|
-
const client = new
|
|
4115
|
+
const client = new _OpenID4VCIClientV1_0_15({
|
|
3101
4116
|
credentialOffer: credentialOfferClient,
|
|
3102
4117
|
kid,
|
|
3103
4118
|
alg,
|
|
3104
4119
|
clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
|
|
3105
4120
|
pkce,
|
|
3106
4121
|
authorizationRequest,
|
|
3107
|
-
|
|
4122
|
+
keyAttestation
|
|
3108
4123
|
});
|
|
3109
|
-
if (retrieveServerMetadata
|
|
4124
|
+
if (retrieveServerMetadata !== false) {
|
|
3110
4125
|
await client.retrieveServerMetadata();
|
|
3111
4126
|
}
|
|
3112
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
4127
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common27.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && createAuthorizationRequestURL !== false) {
|
|
3113
4128
|
await client.createAuthorizationRequestUrl({
|
|
3114
4129
|
authorizationRequest,
|
|
3115
4130
|
pkce
|
|
3116
4131
|
});
|
|
3117
|
-
|
|
4132
|
+
logger15.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
3118
4133
|
}
|
|
3119
4134
|
return client;
|
|
3120
4135
|
}
|
|
3121
|
-
/**
|
|
3122
|
-
* Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
|
|
3123
|
-
*
|
|
3124
|
-
* The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
|
|
3125
|
-
* @param opts
|
|
3126
|
-
*/
|
|
3127
4136
|
async createAuthorizationRequestUrl(opts) {
|
|
3128
4137
|
if (!this._state.authorizationURL) {
|
|
3129
4138
|
this.calculatePKCEOpts(opts?.pkce);
|
|
@@ -3134,23 +4143,13 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3134
4143
|
if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
|
|
3135
4144
|
this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
|
|
3136
4145
|
}
|
|
3137
|
-
|
|
3138
|
-
this._state.
|
|
3139
|
-
|
|
3140
|
-
|
|
3141
|
-
|
|
3142
|
-
|
|
3143
|
-
|
|
3144
|
-
});
|
|
3145
|
-
} else {
|
|
3146
|
-
this._state.authorizationURL = await createAuthorizationRequestUrl({
|
|
3147
|
-
pkce: this._state.pkce,
|
|
3148
|
-
endpointMetadata: this.endpointMetadata,
|
|
3149
|
-
authorizationRequest: this._state.authorizationRequestOpts,
|
|
3150
|
-
credentialOffer: this.credentialOffer,
|
|
3151
|
-
credentialConfigurationSupported: this.getCredentialsSupported(false)
|
|
3152
|
-
});
|
|
3153
|
-
}
|
|
4146
|
+
this._state.authorizationURL = await createAuthorizationRequestUrl({
|
|
4147
|
+
pkce: this._state.pkce,
|
|
4148
|
+
endpointMetadata: this.endpointMetadata,
|
|
4149
|
+
authorizationRequest: this._state.authorizationRequestOpts,
|
|
4150
|
+
credentialOffer: this.credentialOffer,
|
|
4151
|
+
credentialConfigurationSupported: this.getCredentialsSupported(false)
|
|
4152
|
+
});
|
|
3154
4153
|
}
|
|
3155
4154
|
return this._state.authorizationURL;
|
|
3156
4155
|
}
|
|
@@ -3158,15 +4157,34 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3158
4157
|
this.assertIssuerData();
|
|
3159
4158
|
if (!this._state.endpointMetadata) {
|
|
3160
4159
|
if (this.credentialOffer) {
|
|
3161
|
-
this._state.endpointMetadata = await
|
|
4160
|
+
this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
|
|
3162
4161
|
} else if (this._state.credentialIssuer) {
|
|
3163
|
-
this._state.endpointMetadata = await
|
|
4162
|
+
this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadata(this._state.credentialIssuer);
|
|
3164
4163
|
} else {
|
|
3165
4164
|
throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
|
|
3166
4165
|
}
|
|
3167
4166
|
}
|
|
3168
4167
|
return this.endpointMetadata;
|
|
3169
4168
|
}
|
|
4169
|
+
// New in v15: Nonce endpoint support
|
|
4170
|
+
async acquireNonce() {
|
|
4171
|
+
if (!this.endpointMetadata?.nonce_endpoint) {
|
|
4172
|
+
throw Error("Nonce endpoint not available");
|
|
4173
|
+
}
|
|
4174
|
+
const response = await fetch(this.endpointMetadata.nonce_endpoint, {
|
|
4175
|
+
method: "POST",
|
|
4176
|
+
headers: {
|
|
4177
|
+
"Content-Type": "application/json"
|
|
4178
|
+
},
|
|
4179
|
+
body: JSON.stringify({})
|
|
4180
|
+
});
|
|
4181
|
+
if (!response.ok) {
|
|
4182
|
+
throw Error(`Failed to acquire nonce: ${response.status}`);
|
|
4183
|
+
}
|
|
4184
|
+
const nonceResponse = await response.json();
|
|
4185
|
+
this._state.cachedCNonce = nonceResponse.c_nonce;
|
|
4186
|
+
return nonceResponse.c_nonce;
|
|
4187
|
+
}
|
|
3170
4188
|
calculatePKCEOpts(pkce) {
|
|
3171
4189
|
this._state.pkce = generateMissingPKCEOpts({
|
|
3172
4190
|
...this._state.pkce,
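Review bot: `acquireNonce()` stores and returns `nonceResponse.c_nonce` without checking that the issuer actually sent one, so a 200 response with a missing or non-string `c_nonce` leaves `this._state.cachedCNonce` undefined and the caller carries on as if a nonce had been obtained. A guard right after `response.json()` would fail closed: `if (typeof nonceResponse?.c_nonce !== "string" || nonceResponse.c_nonce.length === 0) throw Error("Nonce response did not contain a c_nonce");`. The request also has no timeout, so a stalled nonce endpoint blocks the issuance flow indefinitely; passing `signal: AbortSignal.timeout(ms)` to `fetch` would bound it, with the value left to the maintainers.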
|
|
@@ -3181,12 +4199,12 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3181
4199
|
...opts
|
|
3182
4200
|
});
|
|
3183
4201
|
if (response.errorBody) {
|
|
3184
|
-
|
|
4202
|
+
logger15.debug(`Authorization code error:\r
|
|
3185
4203
|
${JSON.stringify(response.errorBody)}`);
|
|
3186
4204
|
const error = response.errorBody;
|
|
3187
4205
|
return Promise.reject(error);
|
|
3188
4206
|
} else if (!response.successBody) {
|
|
3189
|
-
|
|
4207
|
+
logger15.debug(`Authorization code error. No success body`);
|
|
3190
4208
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
3191
4209
|
}
|
|
3192
4210
|
return {
|
|
@@ -3232,7 +4250,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3232
4250
|
asOpts.clientOpts.clientId = clientId;
|
|
3233
4251
|
}
|
|
3234
4252
|
if (!this._state.accessTokenResponse) {
|
|
3235
|
-
const accessTokenClient =
|
|
4253
|
+
const accessTokenClient = new AccessTokenClient();
|
|
3236
4254
|
if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
|
|
3237
4255
|
console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
|
|
3238
4256
|
}
|
|
@@ -3258,11 +4276,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3258
4276
|
}
|
|
3259
4277
|
});
|
|
3260
4278
|
if (response.errorBody) {
|
|
3261
|
-
|
|
4279
|
+
logger15.debug(`Access token error:\r
|
|
3262
4280
|
${JSON.stringify(response.errorBody)}`);
|
|
3263
4281
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3264
4282
|
} else if (!response.successBody) {
|
|
3265
|
-
|
|
4283
|
+
logger15.debug(`Access token error. No success body`);
|
|
3266
4284
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3267
4285
|
}
|
|
3268
4286
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -3276,68 +4294,54 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3276
4294
|
}
|
|
3277
4295
|
};
|
|
3278
4296
|
}
|
|
3279
|
-
async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
4297
|
+
async acquireCredentials({ credentialIdentifier, credentialConfigurationId, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
3280
4298
|
if ([
|
|
3281
4299
|
jwk,
|
|
3282
4300
|
kid
|
|
3283
4301
|
].filter((v) => v !== void 0).length > 1) {
|
|
3284
|
-
throw new Error(
|
|
4302
|
+
throw new Error(import_oid4vci_common27.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
3285
4303
|
}
|
|
3286
4304
|
if (alg) this._state.alg = alg;
|
|
3287
4305
|
if (jwk) this._state.jwk = jwk;
|
|
3288
4306
|
if (kid) this._state.kid = kid;
|
|
3289
|
-
|
|
3290
|
-
|
|
3291
|
-
|
|
3292
|
-
|
|
3293
|
-
|
|
3294
|
-
|
|
3295
|
-
|
|
3296
|
-
|
|
3297
|
-
|
|
3298
|
-
|
|
3299
|
-
|
|
3300
|
-
|
|
3301
|
-
requestBuilder
|
|
3302
|
-
|
|
3303
|
-
|
|
3304
|
-
}) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
|
|
3305
|
-
credentialIssuer: this.getIssuer(),
|
|
3306
|
-
credentialTypes,
|
|
3307
|
-
metadata: this.endpointMetadata,
|
|
3308
|
-
version: this.version()
|
|
3309
|
-
});
|
|
4307
|
+
const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
|
|
4308
|
+
credentialOffer: this.credentialOffer,
|
|
4309
|
+
metadata: this.endpointMetadata
|
|
4310
|
+
}) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
4311
|
+
credentialIssuer: this.getIssuer(),
|
|
4312
|
+
credentialTypes,
|
|
4313
|
+
credentialIdentifier,
|
|
4314
|
+
credentialConfigurationId,
|
|
4315
|
+
metadata: this.endpointMetadata,
|
|
4316
|
+
version: this.version()
|
|
4317
|
+
});
|
|
4318
|
+
if (credentialIdentifier) {
|
|
4319
|
+
requestBuilder.withCredentialIdentifier(credentialIdentifier);
|
|
4320
|
+
} else if (credentialConfigurationId) {
|
|
4321
|
+
requestBuilder.withCredentialConfigurationId(credentialConfigurationId);
|
|
3310
4322
|
}
|
|
3311
|
-
const issuerState = this.issuerSupportedFlowTypes().includes(
|
|
4323
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common27.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this._state.cachedCNonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
3312
4324
|
requestBuilder.withIssuerState(issuerState);
|
|
3313
4325
|
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
3314
4326
|
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
3315
4327
|
let subjectIssuance;
|
|
3316
4328
|
if (this.endpointMetadata?.credentialIssuerMetadata) {
|
|
3317
4329
|
const metadata = this.endpointMetadata.credentialIssuerMetadata;
|
|
3318
|
-
|
|
3319
|
-
|
|
3320
|
-
|
|
3321
|
-
|
|
3322
|
-
|
|
3323
|
-
|
|
3324
|
-
|
|
3325
|
-
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3326
|
-
typeSupported = true;
|
|
3327
|
-
if (supportedCredential.credential_subject_issuance) {
|
|
4330
|
+
if (metadata.credential_configurations_supported) {
|
|
4331
|
+
const configId = credentialConfigurationId ?? credentialIdentifier;
|
|
4332
|
+
if (configId && metadata.credential_configurations_supported[configId]) {
|
|
4333
|
+
const config = metadata.credential_configurations_supported[configId];
|
|
4334
|
+
if (config.credential_subject_issuance) {
|
|
4335
|
+
const subjIssuance = config.credential_subject_issuance;
|
|
4336
|
+
if (subjIssuance.subject_proof_mode && subjIssuance.notification_events_supported) {
|
|
3328
4337
|
subjectIssuance = {
|
|
3329
|
-
credential_subject_issuance:
|
|
4338
|
+
credential_subject_issuance: {
|
|
4339
|
+
subject_proof_mode: subjIssuance.subject_proof_mode,
|
|
4340
|
+
notification_events_supported: subjIssuance.notification_events_supported
|
|
4341
|
+
}
|
|
3330
4342
|
};
|
|
3331
4343
|
}
|
|
3332
4344
|
}
|
|
3333
|
-
});
|
|
3334
|
-
if (!typeSupported) {
|
|
3335
|
-
console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
|
|
3336
|
-
}
|
|
3337
|
-
} else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
|
|
3338
|
-
const credentialsSupported = metadata.credentials_supported;
|
|
3339
|
-
if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
|
|
3340
|
-
throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
|
|
3341
4345
|
}
|
|
3342
4346
|
}
|
|
3343
4347
|
}
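Review bot: The rewritten metadata block in `acquireCredentials` no longer rejects or reports a credential the issuer does not advertise: the removed branches threw `Not all credential types ... are supported by issuer` or logged a warning, while the new code silently does nothing when `configId` is absent from `metadata.credential_configurations_supported`. Unless the request builder validates this elsewhere (not visible in this hunk), an `else` branch that throws for an unknown id would keep the previous fail-early behaviour. The lookup also indexes issuer-supplied metadata with a caller-supplied key, so `Object.hasOwn(metadata.credential_configurations_supported, configId)` is a safer test than the truthiness of the indexed value. `credentialIdentifier` is used as a fallback key although the map is keyed by configuration id; a short comment stating when the two coincide would help. The body of `acquireCredentials` continues past this hunk.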
|
|
@@ -3345,8 +4349,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3345
4349
|
requestBuilder.withSubjectIssuance(subjectIssuance);
|
|
3346
4350
|
}
|
|
3347
4351
|
const credentialRequestClient = requestBuilder.build();
|
|
4352
|
+
if (!this._state.cachedCNonce) {
|
|
4353
|
+
await this.acquireNonce();
|
|
4354
|
+
}
|
|
3348
4355
|
const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
|
|
3349
|
-
accessTokenResponse:
|
|
4356
|
+
accessTokenResponse: {
|
|
4357
|
+
...this.accessTokenResponse,
|
|
4358
|
+
c_nonce: this._state.cachedCNonce
|
|
4359
|
+
},
|
|
3350
4360
|
callbacks: proofCallbacks,
|
|
3351
4361
|
version: this.version()
|
|
3352
4362
|
}).withIssuer(this.getIssuer()).withAlg(this.alg);
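Review bot: The proof is now built only from `this._state.cachedCNonce`, and the spread in the `accessTokenResponse` argument overwrites any `c_nonce` the token endpoint returned, so for an issuer without a `nonce_endpoint` the call to `acquireNonce()` throws `Nonce endpoint not available` and the credential request fails. A fallback keeps such issuers working: `if (!this._state.cachedCNonce && this.hasNonceEndpoint()) await this.acquireNonce();` together with `c_nonce: this._state.cachedCNonce ?? this.accessTokenResponse?.c_nonce`. The cached value is also never cleared in the lines shown; because it lives in `_state` it is reused on a later call and is included when the state is serialized with `JSON.stringify(this._state)`. A nonce is normally short-lived, so clearing it once the proof has been created, or fetching a fresh one per request, avoids signing a proof over a stale value. This hunk sits in the middle of `acquireCredentials`, whose start and end are outside it.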
|
|
@@ -3364,6 +4374,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3364
4374
|
}
|
|
3365
4375
|
const response = await credentialRequestClient.acquireCredentialsUsingProof({
|
|
3366
4376
|
proofInput: proofBuilder,
|
|
4377
|
+
credentialIdentifier,
|
|
3367
4378
|
credentialTypes,
|
|
3368
4379
|
context,
|
|
3369
4380
|
format,
|
|
@@ -3372,11 +4383,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3372
4383
|
});
|
|
3373
4384
|
this._state.dpopResponseParams = response.params;
|
|
3374
4385
|
if (response.errorBody) {
|
|
3375
|
-
|
|
4386
|
+
logger15.debug(`Credential request error:\r
|
|
3376
4387
|
${JSON.stringify(response.errorBody)}`);
|
|
3377
4388
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3378
4389
|
} else if (!response.successBody) {
|
|
3379
|
-
|
|
4390
|
+
logger15.debug(`Credential request error. No success body`);
|
|
3380
4391
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3381
4392
|
}
|
|
3382
4393
|
return {
|
|
@@ -3391,35 +4402,27 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3391
4402
|
return JSON.stringify(this._state);
|
|
3392
4403
|
}
|
|
3393
4404
|
getCredentialsSupported(restrictToInitiationTypes, format) {
|
|
3394
|
-
return (0,
|
|
4405
|
+
return (0, import_oid4vci_common27.getSupportedCredentials)({
|
|
3395
4406
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
3396
4407
|
version: this.version(),
|
|
3397
4408
|
format,
|
|
3398
|
-
types: restrictToInitiationTypes ?
|
|
4409
|
+
types: restrictToInitiationTypes ? [
|
|
4410
|
+
this.getCredentialOfferConfigurationIds()
|
|
4411
|
+
] : void 0
|
|
3399
4412
|
});
|
|
3400
4413
|
}
|
|
3401
4414
|
async sendNotification(credentialRequestOpts, request, accessToken) {
|
|
3402
4415
|
return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
|
|
3403
4416
|
}
|
|
3404
|
-
|
|
4417
|
+
getCredentialOfferConfigurationIds() {
|
|
3405
4418
|
if (!this.credentialOffer) {
|
|
3406
4419
|
return [];
|
|
3407
|
-
} else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_11) {
|
|
3408
|
-
const orig = this.credentialOffer.original_credential_offer;
|
|
3409
|
-
const types = typeof orig.credential_type === "string" ? [
|
|
3410
|
-
orig.credential_type
|
|
3411
|
-
] : orig.credential_type;
|
|
3412
|
-
const result = [];
|
|
3413
|
-
result[0] = types;
|
|
3414
|
-
return result;
|
|
3415
|
-
} else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13) {
|
|
3416
|
-
return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common23.getTypesFromObject)(c) ?? []);
|
|
3417
4420
|
}
|
|
3418
|
-
return
|
|
4421
|
+
return this.credentialOffer.credential_offer?.credential_configuration_ids ?? [];
|
|
3419
4422
|
}
|
|
3420
4423
|
issuerSupportedFlowTypes() {
|
|
3421
4424
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
|
|
3422
|
-
|
|
4425
|
+
import_oid4vci_common27.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
3423
4426
|
] : []);
|
|
3424
4427
|
}
|
|
3425
4428
|
isFlowTypeSupported(flowType) {
|
|
@@ -3435,17 +4438,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3435
4438
|
return this._state.credentialOffer;
|
|
3436
4439
|
}
|
|
3437
4440
|
version() {
|
|
3438
|
-
|
|
3439
|
-
return this.credentialOffer.version;
|
|
3440
|
-
}
|
|
3441
|
-
const metadata = this._state.endpointMetadata;
|
|
3442
|
-
if (metadata?.credentialIssuerMetadata) {
|
|
3443
|
-
const versions = (0, import_oid4vci_common23.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
|
|
3444
|
-
if (versions.length > 0 && !versions.includes(import_oid4vci_common23.OpenId4VCIVersion.VER_UNKNOWN)) {
|
|
3445
|
-
return versions[0];
|
|
3446
|
-
}
|
|
3447
|
-
}
|
|
3448
|
-
return import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13;
|
|
4441
|
+
return import_oid4vci_common27.OpenId4VCIVersion.VER_1_0_15;
|
|
3449
4442
|
}
|
|
3450
4443
|
get endpointMetadata() {
|
|
3451
4444
|
this.assertServerMetadata();
|
|
@@ -3481,20 +4474,16 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3481
4474
|
get dpopResponseParams() {
|
|
3482
4475
|
return this._state.dpopResponseParams;
|
|
3483
4476
|
}
|
|
4477
|
+
get state() {
|
|
4478
|
+
return this._state;
|
|
4479
|
+
}
|
|
3484
4480
|
getIssuer() {
|
|
3485
4481
|
this.assertIssuerData();
|
|
3486
4482
|
return this._state.credentialIssuer;
|
|
3487
4483
|
}
|
|
3488
4484
|
getAccessTokenEndpoint() {
|
|
3489
4485
|
this.assertIssuerData();
|
|
3490
|
-
|
|
3491
|
-
return this.endpointMetadata.token_endpoint;
|
|
3492
|
-
}
|
|
3493
|
-
return this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_12 ? AccessTokenClientV1_0_11.determineTokenURL({
|
|
3494
|
-
issuerOpts: {
|
|
3495
|
-
issuer: this.getIssuer()
|
|
3496
|
-
}
|
|
3497
|
-
}) : AccessTokenClient.determineTokenURL({
|
|
4486
|
+
return this.endpointMetadata?.token_endpoint ?? AccessTokenClient.determineTokenURL({
|
|
3498
4487
|
issuerOpts: {
|
|
3499
4488
|
issuer: this.getIssuer()
|
|
3500
4489
|
}
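Review bot: The new `get state()` hands out the live `_state` object, which elsewhere in this class holds `accessTokenResponse`, `pkce` and `cachedCNonce`, so any caller can read or mutate token material and flow state without going through the client's methods. If read access is the goal, returning a copy such as `return { ...this._state };` narrows that, though the copy is shallow and nested objects stay shared. A doc comment on the getter should also say that the value contains bearer-token and PKCE material and must not be logged or persisted unprotected. The surrounding class body starts and ends outside this hunk.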
|
|
@@ -3502,7 +4491,13 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3502
4491
|
}
|
|
3503
4492
|
getCredentialEndpoint() {
|
|
3504
4493
|
this.assertIssuerData();
|
|
3505
|
-
return this.endpointMetadata
|
|
4494
|
+
return this.endpointMetadata?.credential_endpoint ?? `${this.getIssuer()}/credential`;
|
|
4495
|
+
}
|
|
4496
|
+
getNonceEndpoint() {
|
|
4497
|
+
return this.endpointMetadata?.nonce_endpoint;
|
|
4498
|
+
}
|
|
4499
|
+
hasNonceEndpoint() {
|
|
4500
|
+
return !!this.getNonceEndpoint();
|
|
3506
4501
|
}
|
|
3507
4502
|
getAuthorizationChallengeEndpoint() {
|
|
3508
4503
|
this.assertIssuerData();
|
|
@@ -3512,24 +4507,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3512
4507
|
return !!this.getAuthorizationChallengeEndpoint();
|
|
3513
4508
|
}
|
|
3514
4509
|
hasDeferredCredentialEndpoint() {
|
|
3515
|
-
return !!this.
|
|
4510
|
+
return !!this.endpointMetadata?.deferred_credential_endpoint;
|
|
3516
4511
|
}
|
|
3517
4512
|
getDeferredCredentialEndpoint() {
|
|
3518
4513
|
this.assertIssuerData();
|
|
3519
|
-
return this.endpointMetadata
|
|
4514
|
+
return this.endpointMetadata?.deferred_credential_endpoint;
|
|
3520
4515
|
}
|
|
3521
|
-
/**
|
|
3522
|
-
* Too bad we need a method like this, but EBSI is not exposing metadata
|
|
3523
|
-
*/
|
|
3524
4516
|
isEBSI() {
|
|
3525
|
-
|
|
3526
|
-
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
|
|
3527
|
-
// @ts-ignore
|
|
3528
|
-
typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
|
|
3529
|
-
))) {
|
|
3530
|
-
return true;
|
|
3531
|
-
}
|
|
3532
|
-
return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
|
|
4517
|
+
return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
|
|
3533
4518
|
}
|
|
3534
4519
|
assertIssuerData() {
|
|
3535
4520
|
if (!this._state.credentialIssuer) {
|
|
@@ -3562,7 +4547,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3562
4547
|
};
|
|
3563
4548
|
if (!authorizationRequestOpts) {
|
|
3564
4549
|
authorizationRequestOpts = {
|
|
3565
|
-
redirectUri: `${
|
|
4550
|
+
redirectUri: `${import_oid4vci_common27.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
3566
4551
|
};
|
|
3567
4552
|
}
|
|
3568
4553
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -3573,7 +4558,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3573
4558
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
3574
4559
|
if (authorizationResponse) {
|
|
3575
4560
|
this._state.authorizationCodeResponse = {
|
|
3576
|
-
...(0,
|
|
4561
|
+
...(0, import_oid4vci_common27.toAuthorizationResponsePayload)(authorizationResponse)
|
|
3577
4562
|
};
|
|
3578
4563
|
} else if (code) {
|
|
3579
4564
|
this._state.authorizationCodeResponse = {
|
|
@@ -3585,16 +4570,16 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3585
4570
|
};
|
|
3586
4571
|
|
|
3587
4572
|
// lib/OpenID4VCIClientV1_0_13.ts
|
|
3588
|
-
var
|
|
3589
|
-
var
|
|
3590
|
-
var
|
|
4573
|
+
var import_oid4vci_common28 = require("@sphereon/oid4vci-common");
|
|
4574
|
+
var import_ssi_types18 = require("@sphereon/ssi-types");
|
|
4575
|
+
var logger16 = import_ssi_types18.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
3591
4576
|
var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
3592
4577
|
static {
|
|
3593
4578
|
__name(this, "OpenID4VCIClientV1_0_13");
|
|
3594
4579
|
}
|
|
3595
4580
|
_state;
|
|
3596
4581
|
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
3597
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
4582
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common28.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
3598
4583
|
if (!issuer) {
|
|
3599
4584
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
3600
4585
|
}
|
|
@@ -3604,10 +4589,10 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3604
4589
|
kid,
|
|
3605
4590
|
alg,
|
|
3606
4591
|
// TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
|
|
3607
|
-
clientId: clientId ?? (credentialOffer && (0,
|
|
4592
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common28.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
3608
4593
|
pkce: {
|
|
3609
4594
|
disabled: false,
|
|
3610
|
-
codeChallengeMethod:
|
|
4595
|
+
codeChallengeMethod: import_oid4vci_common28.CodeChallengeMethod.S256,
|
|
3611
4596
|
...pkce
|
|
3612
4597
|
},
|
|
3613
4598
|
authorizationRequestOpts,
|
|
@@ -3621,7 +4606,7 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3621
4606
|
if (!this._state.authorizationRequestOpts) {
|
|
3622
4607
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
3623
4608
|
}
|
|
3624
|
-
|
|
4609
|
+
logger16.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
3625
4610
|
}
|
|
3626
4611
|
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
|
|
3627
4612
|
const client = new _OpenID4VCIClientV1_0_13({
|
|
@@ -3662,12 +4647,12 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3662
4647
|
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
3663
4648
|
await client.retrieveServerMetadata();
|
|
3664
4649
|
}
|
|
3665
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
4650
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common28.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
|
|
3666
4651
|
await client.createAuthorizationRequestUrl({
|
|
3667
4652
|
authorizationRequest,
|
|
3668
4653
|
pkce
|
|
3669
4654
|
});
|
|
3670
|
-
|
|
4655
|
+
logger16.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
3671
4656
|
}
|
|
3672
4657
|
return client;
|
|
3673
4658
|
}
|
|
@@ -3725,12 +4710,12 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3725
4710
|
...opts
|
|
3726
4711
|
});
|
|
3727
4712
|
if (response.errorBody) {
|
|
3728
|
-
|
|
4713
|
+
logger16.debug(`Authorization code error:\r
|
|
3729
4714
|
${JSON.stringify(response.errorBody)}`);
|
|
3730
4715
|
const error = response.errorBody;
|
|
3731
4716
|
return Promise.reject(error);
|
|
3732
4717
|
} else if (!response.successBody) {
|
|
3733
|
-
|
|
4718
|
+
logger16.debug(`Authorization code error. No success body`);
|
|
3734
4719
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
3735
4720
|
}
|
|
3736
4721
|
return {
|
|
@@ -3802,11 +4787,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3802
4787
|
}
|
|
3803
4788
|
});
|
|
3804
4789
|
if (response.errorBody) {
|
|
3805
|
-
|
|
4790
|
+
logger16.debug(`Access token error:\r
|
|
3806
4791
|
${JSON.stringify(response.errorBody)}`);
|
|
3807
4792
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3808
4793
|
} else if (!response.successBody) {
|
|
3809
|
-
|
|
4794
|
+
logger16.debug(`Access token error. No success body`);
|
|
3810
4795
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3811
4796
|
}
|
|
3812
4797
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -3831,7 +4816,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3831
4816
|
jwk,
|
|
3832
4817
|
kid
|
|
3833
4818
|
].filter((v) => v !== void 0).length > 1) {
|
|
3834
|
-
throw new Error(
|
|
4819
|
+
throw new Error(import_oid4vci_common28.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
3835
4820
|
}
|
|
3836
4821
|
if (alg) this._state.alg = alg;
|
|
3837
4822
|
if (jwk) this._state.jwk = jwk;
|
|
@@ -3845,7 +4830,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3845
4830
|
metadata: this.endpointMetadata,
|
|
3846
4831
|
version: this.version()
|
|
3847
4832
|
});
|
|
3848
|
-
const issuerState = this.issuerSupportedFlowTypes().includes(
|
|
4833
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common28.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
3849
4834
|
requestBuilder.withIssuerState(issuerState);
|
|
3850
4835
|
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
3851
4836
|
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
@@ -3868,7 +4853,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3868
4853
|
} else if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
|
|
3869
4854
|
let typeSupported = false;
|
|
3870
4855
|
metadata.credentials_supported.forEach((supportedCredential) => {
|
|
3871
|
-
const subTypes = (0,
|
|
4856
|
+
const subTypes = (0, import_oid4vci_common28.getTypesFromCredentialSupported)(supportedCredential);
|
|
3872
4857
|
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3873
4858
|
typeSupported = true;
|
|
3874
4859
|
if (supportedCredential.credential_subject_issuance) {
|
|
@@ -3884,7 +4869,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3884
4869
|
} else if (metadata.credential_configurations_supported && typeof metadata.credential_configurations_supported === "object") {
|
|
3885
4870
|
let typeSupported = false;
|
|
3886
4871
|
Object.values(metadata.credential_configurations_supported).forEach((supportedCredential) => {
|
|
3887
|
-
const subTypes = (0,
|
|
4872
|
+
const subTypes = (0, import_oid4vci_common28.getTypesFromCredentialSupported)(supportedCredential);
|
|
3888
4873
|
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3889
4874
|
typeSupported = true;
|
|
3890
4875
|
}
|
|
@@ -3934,14 +4919,17 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3934
4919
|
credentialIdentifier,
|
|
3935
4920
|
subjectIssuance
|
|
3936
4921
|
});
|
|
3937
|
-
|
|
4922
|
+
if (!import_oid4vci_common28.supportedOID4VCICredentialFormat.includes(format)) {
|
|
4923
|
+
return Promise.reject(Error(`Unsupported credential format: ${format}`));
|
|
4924
|
+
}
|
|
4925
|
+
const response = await credentialRequestClient.acquireCredentialsUsingRequest(request, format, createDPoPOpts);
|
|
3938
4926
|
this._state.dpopResponseParams = response.params;
|
|
3939
4927
|
if (response.errorBody) {
|
|
3940
|
-
|
|
4928
|
+
logger16.debug(`Credential request error:\r
|
|
3941
4929
|
${JSON.stringify(response.errorBody)}`);
|
|
3942
4930
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3943
4931
|
} else if (!response.successBody) {
|
|
3944
|
-
|
|
4932
|
+
logger16.debug(`Credential request error. No success body`);
|
|
3945
4933
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3946
4934
|
}
|
|
3947
4935
|
return {
|
|
@@ -3956,7 +4944,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3956
4944
|
return JSON.stringify(this._state);
|
|
3957
4945
|
}
|
|
3958
4946
|
getCredentialsSupported(format) {
|
|
3959
|
-
return (0,
|
|
4947
|
+
return (0, import_oid4vci_common28.getSupportedCredentials)({
|
|
3960
4948
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
3961
4949
|
version: this.version(),
|
|
3962
4950
|
format,
|
|
@@ -3991,7 +4979,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3991
4979
|
}*/
|
|
3992
4980
|
issuerSupportedFlowTypes() {
|
|
3993
4981
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
|
|
3994
|
-
|
|
4982
|
+
import_oid4vci_common28.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
3995
4983
|
] : []);
|
|
3996
4984
|
}
|
|
3997
4985
|
isFlowTypeSupported(flowType) {
|
|
@@ -4007,7 +4995,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4007
4995
|
return this._state.credentialOffer;
|
|
4008
4996
|
}
|
|
4009
4997
|
version() {
|
|
4010
|
-
return this.credentialOffer?.version ??
|
|
4998
|
+
return this.credentialOffer?.version ?? import_oid4vci_common28.OpenId4VCIVersion.VER_1_0_13;
|
|
4011
4999
|
}
|
|
4012
5000
|
get endpointMetadata() {
|
|
4013
5001
|
this.assertServerMetadata();
|
|
@@ -4110,7 +5098,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4110
5098
|
};
|
|
4111
5099
|
if (!authorizationRequestOpts) {
|
|
4112
5100
|
authorizationRequestOpts = {
|
|
4113
|
-
redirectUri: `${
|
|
5101
|
+
redirectUri: `${import_oid4vci_common28.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
4114
5102
|
};
|
|
4115
5103
|
}
|
|
4116
5104
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -4121,7 +5109,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4121
5109
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
4122
5110
|
if (authorizationResponse) {
|
|
4123
5111
|
this._state.authorizationCodeResponse = {
|
|
4124
|
-
...(0,
|
|
5112
|
+
...(0, import_oid4vci_common28.toAuthorizationResponsePayload)(authorizationResponse)
|
|
4125
5113
|
};
|
|
4126
5114
|
} else if (code) {
|
|
4127
5115
|
this._state.authorizationCodeResponse = {
|
|
@@ -4133,16 +5121,16 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4133
5121
|
};
|
|
4134
5122
|
|
|
4135
5123
|
// lib/OpenID4VCIClientV1_0_11.ts
|
|
4136
|
-
var
|
|
4137
|
-
var
|
|
4138
|
-
var
|
|
5124
|
+
var import_oid4vci_common29 = require("@sphereon/oid4vci-common");
|
|
5125
|
+
var import_ssi_types19 = require("@sphereon/ssi-types");
|
|
5126
|
+
var logger17 = import_ssi_types19.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
4139
5127
|
var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
4140
5128
|
static {
|
|
4141
5129
|
__name(this, "OpenID4VCIClientV1_0_11");
|
|
4142
5130
|
}
|
|
4143
5131
|
_state;
|
|
4144
5132
|
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
4145
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
5133
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common29.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
4146
5134
|
if (!issuer) {
|
|
4147
5135
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
4148
5136
|
}
|
|
@@ -4152,10 +5140,10 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4152
5140
|
kid,
|
|
4153
5141
|
alg,
|
|
4154
5142
|
// TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
|
|
4155
|
-
clientId: clientId ?? (credentialOffer && (0,
|
|
5143
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common29.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
4156
5144
|
pkce: {
|
|
4157
5145
|
disabled: false,
|
|
4158
|
-
codeChallengeMethod:
|
|
5146
|
+
codeChallengeMethod: import_oid4vci_common29.CodeChallengeMethod.S256,
|
|
4159
5147
|
...pkce
|
|
4160
5148
|
},
|
|
4161
5149
|
authorizationRequestOpts,
|
|
@@ -4168,7 +5156,7 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4168
5156
|
if (!this._state.authorizationRequestOpts) {
|
|
4169
5157
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
4170
5158
|
}
|
|
4171
|
-
|
|
5159
|
+
logger17.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
4172
5160
|
}
|
|
4173
5161
|
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
|
|
4174
5162
|
const client = new _OpenID4VCIClientV1_0_11({
|
|
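Review bot: The `logger17.debug` call at the end of the constructor serialises the entire `authorizationRequestOpts` object with `JSON.stringify`. Later hunks likewise log `client._state.authorizationURL` and the raw `response.errorBody` on the authorization-code, access-token and credential-request paths. What those values contain depends on callers and issuers and is not visible here, but request parameters and issuer-supplied error text can end up in application logs whenever debug output is enabled. Logging a fixed set of fields (for example `redirectUri` and `clientId`) instead of the whole object would bound that exposure. At minimum, add a comment above each call such as `// debug only: may contain request parameters, keep disabled in production`. The constructor and `fromCredentialIssuer` both continue outside this hunk.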
@@ -4209,12 +5197,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4209
5197
|
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
4210
5198
|
await client.retrieveServerMetadata();
|
|
4211
5199
|
}
|
|
4212
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
5200
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common29.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
|
|
4213
5201
|
await client.createAuthorizationRequestUrl({
|
|
4214
5202
|
authorizationRequest,
|
|
4215
5203
|
pkce
|
|
4216
5204
|
});
|
|
4217
|
-
|
|
5205
|
+
logger17.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
4218
5206
|
}
|
|
4219
5207
|
return client;
|
|
4220
5208
|
}
|
|
@@ -4271,12 +5259,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4271
5259
|
...opts
|
|
4272
5260
|
});
|
|
4273
5261
|
if (response.errorBody) {
|
|
4274
|
-
|
|
5262
|
+
logger17.debug(`Authorization code error:\r
|
|
4275
5263
|
${JSON.stringify(response.errorBody)}`);
|
|
4276
5264
|
const error = response.errorBody;
|
|
4277
5265
|
return Promise.reject(error);
|
|
4278
5266
|
} else if (!response.successBody) {
|
|
4279
|
-
|
|
5267
|
+
logger17.debug(`Authorization code error. No success body`);
|
|
4280
5268
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
4281
5269
|
}
|
|
4282
5270
|
return {
|
|
@@ -4348,11 +5336,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4348
5336
|
}
|
|
4349
5337
|
});
|
|
4350
5338
|
if (response.errorBody) {
|
|
4351
|
-
|
|
5339
|
+
logger17.debug(`Access token error:\r
|
|
4352
5340
|
${JSON.stringify(response.errorBody)}`);
|
|
4353
5341
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
4354
5342
|
} else if (!response.successBody) {
|
|
4355
|
-
|
|
5343
|
+
logger17.debug(`Access token error. No success body`);
|
|
4356
5344
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
4357
5345
|
}
|
|
4358
5346
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -4371,7 +5359,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4371
5359
|
jwk,
|
|
4372
5360
|
kid
|
|
4373
5361
|
].filter((v) => v !== void 0).length > 1) {
|
|
4374
|
-
throw new Error(
|
|
5362
|
+
throw new Error(import_oid4vci_common29.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
4375
5363
|
}
|
|
4376
5364
|
if (alg) this._state.alg = alg;
|
|
4377
5365
|
if (jwk) this._state.jwk = jwk;
|
|
@@ -4395,7 +5383,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4395
5383
|
if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
|
|
4396
5384
|
let typeSupported = false;
|
|
4397
5385
|
metadata.credentials_supported.forEach((supportedCredential) => {
|
|
4398
|
-
const subTypes = (0,
|
|
5386
|
+
const subTypes = (0, import_oid4vci_common29.getTypesFromCredentialSupported)(supportedCredential);
|
|
4399
5387
|
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
4400
5388
|
typeSupported = true;
|
|
4401
5389
|
}
|
|
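Review bot: `subTypes.every((t, i) => types[i] === t)` is true when `subTypes` is empty and when it is only a prefix of `types`, so `typeSupported` can be set for a request the issuer metadata does not actually list. Whether `getTypesFromCredentialSupported` can return an empty array is not visible here, so this needs confirming against that helper. A length guard covers both cases: `subTypes.length === types.length && subTypes.every((t, i) => types[i] === t)`. If prefix matching is intended, `subTypes.length > 0 &&` plus a comment stating that would be enough. The enclosing method starts and ends outside this hunk.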
@@ -4437,11 +5425,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4437
5425
|
});
|
|
4438
5426
|
this._state.dpopResponseParams = response.params;
|
|
4439
5427
|
if (response.errorBody) {
|
|
4440
|
-
|
|
5428
|
+
logger17.debug(`Credential request error:\r
|
|
4441
5429
|
${JSON.stringify(response.errorBody)}`);
|
|
4442
5430
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
4443
5431
|
} else if (!response.successBody) {
|
|
4444
|
-
|
|
5432
|
+
logger17.debug(`Credential request error. No success body`);
|
|
4445
5433
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
4446
5434
|
}
|
|
4447
5435
|
return {
|
|
@@ -4459,7 +5447,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4459
5447
|
// When < v11 convert into a v12 object. When v12 object retain it.
|
|
4460
5448
|
// Then match the object array on server metadata
|
|
4461
5449
|
getCredentialsSupportedV11(restrictToInitiationTypes, format) {
|
|
4462
|
-
return (0,
|
|
5450
|
+
return (0, import_oid4vci_common29.getSupportedCredentials)({
|
|
4463
5451
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
4464
5452
|
version: this.version(),
|
|
4465
5453
|
format,
|
|
@@ -4467,7 +5455,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4467
5455
|
});
|
|
4468
5456
|
}
|
|
4469
5457
|
getCredentialsSupported(format) {
|
|
4470
|
-
return (0,
|
|
5458
|
+
return (0, import_oid4vci_common29.getSupportedCredentials)({
|
|
4471
5459
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
4472
5460
|
version: this.version(),
|
|
4473
5461
|
format,
|
|
@@ -4477,7 +5465,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4477
5465
|
getCredentialOfferTypes() {
|
|
4478
5466
|
if (!this.credentialOffer) {
|
|
4479
5467
|
return [];
|
|
4480
|
-
} else if (this.credentialOffer.version <
|
|
5468
|
+
} else if (this.credentialOffer.version < import_oid4vci_common29.OpenId4VCIVersion.VER_1_0_11) {
|
|
4481
5469
|
const orig = this.credentialOffer.original_credential_offer;
|
|
4482
5470
|
const types = typeof orig.credential_type === "string" ? [
|
|
4483
5471
|
orig.credential_type
|
|
@@ -4485,14 +5473,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4485
5473
|
const result = [];
|
|
4486
5474
|
result[0] = types;
|
|
4487
5475
|
return result;
|
|
4488
|
-
} else if (this.credentialOffer.version <
|
|
4489
|
-
return this.credentialOffer.credential_offer.credentials.map((c) => (0,
|
|
5476
|
+
} else if (this.credentialOffer.version < import_oid4vci_common29.OpenId4VCIVersion.VER_1_0_13) {
|
|
5477
|
+
return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common29.getTypesFromObject)(c) ?? []);
|
|
4490
5478
|
}
|
|
4491
5479
|
throw Error(`This class only supports version 11 and lower! Version: ${this.version()}`);
|
|
4492
5480
|
}
|
|
4493
5481
|
issuerSupportedFlowTypes() {
|
|
4494
5482
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
|
|
4495
|
-
|
|
5483
|
+
import_oid4vci_common29.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
4496
5484
|
] : []);
|
|
4497
5485
|
}
|
|
4498
5486
|
isFlowTypeSupported(flowType) {
|
|
@@ -4508,7 +5496,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4508
5496
|
return this._state.credentialOffer;
|
|
4509
5497
|
}
|
|
4510
5498
|
version() {
|
|
4511
|
-
return this.credentialOffer?.version ??
|
|
5499
|
+
return this.credentialOffer?.version ?? import_oid4vci_common29.OpenId4VCIVersion.VER_1_0_11;
|
|
4512
5500
|
}
|
|
4513
5501
|
get endpointMetadata() {
|
|
4514
5502
|
this.assertServerMetadata();
|
|
@@ -4604,7 +5592,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4604
5592
|
};
|
|
4605
5593
|
if (!authorizationRequestOpts) {
|
|
4606
5594
|
authorizationRequestOpts = {
|
|
4607
|
-
redirectUri: `${
|
|
5595
|
+
redirectUri: `${import_oid4vci_common29.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
4608
5596
|
};
|
|
4609
5597
|
}
|
|
4610
5598
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -4615,7 +5603,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4615
5603
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
4616
5604
|
if (authorizationResponse) {
|
|
4617
5605
|
this._state.authorizationCodeResponse = {
|
|
4618
|
-
...(0,
|
|
5606
|
+
...(0, import_oid4vci_common29.toAuthorizationResponsePayload)(authorizationResponse)
|
|
4619
5607
|
};
|
|
4620
5608
|
} else if (code) {
|
|
4621
5609
|
this._state.authorizationCodeResponse = {
|
|
@@ -4627,5 +5615,5 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4627
5615
|
};
|
|
4628
5616
|
|
|
4629
5617
|
// lib/index.ts
|
|
4630
|
-
var LOG2 =
|
|
5618
|
+
var LOG2 = import_oid4vci_common30.VCI_LOGGERS.get("sphereon:oid4vci:client");
|
|
4631
5619
|
//# sourceMappingURL=index.cjs.map
|