@sphereon/oid4vci-client 0.19.0 → 0.19.1-feature.SSISDK.13.18
- package/dist/index.cjs +1385 -392
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +235 -22
- package/dist/index.d.ts +235 -22
- package/dist/index.js +1366 -373
- package/dist/index.js.map +1 -1
- package/package.json +5 -5
package/dist/index.cjs
CHANGED
|
@@ -26,18 +26,22 @@ __export(index_exports, {
|
|
|
26
26
|
CredentialOfferClient: () => CredentialOfferClient,
|
|
27
27
|
CredentialOfferClientV1_0_11: () => CredentialOfferClientV1_0_11,
|
|
28
28
|
CredentialOfferClientV1_0_13: () => CredentialOfferClientV1_0_13,
|
|
29
|
+
CredentialOfferClientV1_0_15: () => CredentialOfferClientV1_0_15,
|
|
29
30
|
CredentialRequestClient: () => CredentialRequestClient,
|
|
30
31
|
CredentialRequestClientBuilder: () => CredentialRequestClientBuilder,
|
|
31
32
|
CredentialRequestClientBuilderV1_0_11: () => CredentialRequestClientBuilderV1_0_11,
|
|
32
33
|
CredentialRequestClientBuilderV1_0_13: () => CredentialRequestClientBuilderV1_0_13,
|
|
34
|
+
CredentialRequestClientBuilderV1_0_15: () => CredentialRequestClientBuilderV1_0_15,
|
|
33
35
|
CredentialRequestClientV1_0_11: () => CredentialRequestClientV1_0_11,
|
|
34
36
|
LOG: () => LOG2,
|
|
35
37
|
MetadataClient: () => MetadataClient,
|
|
36
38
|
MetadataClientV1_0_11: () => MetadataClientV1_0_11,
|
|
37
39
|
MetadataClientV1_0_13: () => MetadataClientV1_0_13,
|
|
40
|
+
MetadataClientV1_0_15: () => MetadataClientV1_0_15,
|
|
38
41
|
OpenID4VCIClient: () => OpenID4VCIClient,
|
|
39
42
|
OpenID4VCIClientV1_0_11: () => OpenID4VCIClientV1_0_11,
|
|
40
43
|
OpenID4VCIClientV1_0_13: () => OpenID4VCIClientV1_0_13,
|
|
44
|
+
OpenID4VCIClientV1_0_15: () => OpenID4VCIClientV1_0_15,
|
|
41
45
|
ProofOfPossessionBuilder: () => ProofOfPossessionBuilder,
|
|
42
46
|
acquireAuthorizationChallengeAuthCode: () => acquireAuthorizationChallengeAuthCode,
|
|
43
47
|
acquireAuthorizationChallengeAuthCodeUsingRequest: () => acquireAuthorizationChallengeAuthCodeUsingRequest,
|
|
@@ -56,7 +60,7 @@ __export(index_exports, {
|
|
|
56
60
|
sendNotification: () => sendNotification
|
|
57
61
|
});
|
|
58
62
|
module.exports = __toCommonJS(index_exports);
|
|
59
|
-
var
|
|
63
|
+
var import_oid4vci_common30 = require("@sphereon/oid4vci-common");
|
|
60
64
|
|
|
61
65
|
// lib/AccessTokenClient.ts
|
|
62
66
|
var import_oid4vc_common3 = require("@sphereon/oid4vc-common");
|
|
@@ -373,10 +377,10 @@ async function handleCredentialOfferUri(uri) {
|
|
|
373
377
|
const decodedUri = isUriEncoded(credentialOfferUri) ? decodeURIComponent(credentialOfferUri) : credentialOfferUri;
|
|
374
378
|
const response = await (0, import_cross_fetch.fetch)(decodedUri);
|
|
375
379
|
if (!(response && response.status >= 200 && response.status < 400)) {
|
|
376
|
-
return Promise.reject(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`);
|
|
380
|
+
return Promise.reject(Error(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`));
|
|
377
381
|
}
|
|
378
382
|
if (response.headers.get("Content-Type")?.startsWith("application/json") === false) {
|
|
379
|
-
return Promise.reject("the credential offer URI endpoint did not return content type application/json");
|
|
383
|
+
return Promise.reject(Error("the credential offer URI endpoint did not return content type application/json"));
|
|
380
384
|
}
|
|
381
385
|
return {
|
|
382
386
|
credential_offer: (0, import_oid4vci_common7.decodeJsonProperties)(await response.json())
|
|
@@ -1500,8 +1504,8 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1500
1504
|
if ("credentials" in credentialOffer.credential_offer) {
|
|
1501
1505
|
throw new Error("CredentialOffer format is wrong.");
|
|
1502
1506
|
}
|
|
1503
|
-
const ver = version ?? (0, import_oid4vci_common13.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common13.OpenId4VCIVersion.
|
|
1504
|
-
const creds = ver === import_oid4vci_common13.OpenId4VCIVersion.
|
|
1507
|
+
const ver = version ?? (0, import_oid4vci_common13.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_15;
|
|
1508
|
+
const creds = ver === import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_15 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
|
|
1505
1509
|
authorizationDetails = creds.flatMap((cred) => {
|
|
1506
1510
|
const locations = [
|
|
1507
1511
|
credentialOffer?.credential_offer.credential_issuer ?? endpointMetadata.issuer
|
|
@@ -1511,7 +1515,7 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1511
1515
|
if (!credential_configuration_id && !cred.format) {
|
|
1512
1516
|
throw Error("format is required in authorization details");
|
|
1513
1517
|
}
|
|
1514
|
-
const vct = cred.format === "
|
|
1518
|
+
const vct = cred.format === "dc+sd-jwt" ? cred.vct : void 0;
|
|
1515
1519
|
const doctype = cred.format === "mso_mdoc" ? cred.doctype : void 0;
|
|
1516
1520
|
let credential_definition = void 0;
|
|
1517
1521
|
if ((0, import_oid4vci_common13.isW3cCredentialSupported)(cred)) {
|
|
@@ -1608,7 +1612,7 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1608
1612
|
}
|
|
1609
1613
|
await createSignedAuthRequestWhenNeeded(queryObj, {
|
|
1610
1614
|
...requestObjectOpts,
|
|
1611
|
-
aud: endpointMetadata.authorization_server
|
|
1615
|
+
aud: endpointMetadata.authorization_server ?? endpointMetadata.authorizationServerMetadata?.issuer
|
|
1612
1616
|
});
|
|
1613
1617
|
logger6.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
|
|
1614
1618
|
const url = (0, import_oid4vci_common13.convertJsonToURI)(queryObj, {
|
|
@@ -1884,6 +1888,27 @@ async function buildProof(proofInput, opts) {
|
|
|
1884
1888
|
return await proofInput.build();
|
|
1885
1889
|
}
|
|
1886
1890
|
__name(buildProof, "buildProof");
|
|
1891
|
+
function isOpenIdCredentialDetail(ad) {
|
|
1892
|
+
return typeof ad === "object" && ad !== null && ad.type === "openid_credential";
|
|
1893
|
+
}
|
|
1894
|
+
__name(isOpenIdCredentialDetail, "isOpenIdCredentialDetail");
|
|
1895
|
+
function findAuthorizationDetail(authorizationDetails, preferredConfigId) {
|
|
1896
|
+
if (!authorizationDetails) {
|
|
1897
|
+
return void 0;
|
|
1898
|
+
}
|
|
1899
|
+
const openIdCredentialDetails = authorizationDetails.filter(isOpenIdCredentialDetail);
|
|
1900
|
+
if (openIdCredentialDetails.length === 0) {
|
|
1901
|
+
return void 0;
|
|
1902
|
+
}
|
|
1903
|
+
if (preferredConfigId) {
|
|
1904
|
+
const match = openIdCredentialDetails.find((detail) => typeof detail === "object" && detail !== null && detail.credential_configuration_id === preferredConfigId);
|
|
1905
|
+
if (match) {
|
|
1906
|
+
return match;
|
|
1907
|
+
}
|
|
1908
|
+
}
|
|
1909
|
+
return openIdCredentialDetails[0];
|
|
1910
|
+
}
|
|
1911
|
+
__name(findAuthorizationDetail, "findAuthorizationDetail");
|
|
1887
1912
|
var CredentialRequestClient = class {
|
|
1888
1913
|
static {
|
|
1889
1914
|
__name(this, "CredentialRequestClient");
|
|
@@ -1923,7 +1948,10 @@ var CredentialRequestClient = class {
|
|
|
1923
1948
|
credentialIdentifier,
|
|
1924
1949
|
subjectIssuance
|
|
1925
1950
|
});
|
|
1926
|
-
|
|
1951
|
+
if (!import_oid4vci_common15.supportedOID4VCICredentialFormat.includes(format)) {
|
|
1952
|
+
return Promise.reject(Error(`Unsupported credential format: ${format}`));
|
|
1953
|
+
}
|
|
1954
|
+
return await this.acquireCredentialsUsingRequestWithoutProof(request, format, opts.createDPoPOpts);
|
|
1927
1955
|
}
|
|
1928
1956
|
async acquireCredentialsUsingProof(opts) {
|
|
1929
1957
|
const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts;
|
|
@@ -1936,19 +1964,22 @@ var CredentialRequestClient = class {
|
|
|
1936
1964
|
credentialIdentifier,
|
|
1937
1965
|
subjectIssuance
|
|
1938
1966
|
});
|
|
1939
|
-
|
|
1967
|
+
if (this.version() <= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13 && !import_oid4vci_common15.supportedOID4VCICredentialFormat.includes(format)) {
|
|
1968
|
+
return Promise.reject(Error(`Unsupported credential format: ${format}`));
|
|
1969
|
+
}
|
|
1970
|
+
return await this.acquireCredentialsUsingRequest(request, format, opts.createDPoPOpts);
|
|
1940
1971
|
}
|
|
1941
|
-
async acquireCredentialsUsingRequestWithoutProof(uniformRequest, createDPoPOpts) {
|
|
1942
|
-
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
|
|
1972
|
+
async acquireCredentialsUsingRequestWithoutProof(uniformRequest, format, createDPoPOpts) {
|
|
1973
|
+
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
|
|
1943
1974
|
}
|
|
1944
|
-
async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
|
|
1945
|
-
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
|
|
1975
|
+
async acquireCredentialsUsingRequest(uniformRequest, format, createDPoPOpts) {
|
|
1976
|
+
return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
|
|
1946
1977
|
}
|
|
1947
|
-
async acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts) {
|
|
1978
|
+
async acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts) {
|
|
1948
1979
|
if (this.version() < import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13) {
|
|
1949
1980
|
throw new Error("Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.");
|
|
1950
1981
|
}
|
|
1951
|
-
const request = (0, import_oid4vci_common15.getCredentialRequestForVersion)(uniformRequest, this.version());
|
|
1982
|
+
const request = (0, import_oid4vci_common15.getCredentialRequestForVersion)(uniformRequest, format, this.version());
|
|
1952
1983
|
const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
|
|
1953
1984
|
if (!(0, import_oid4vci_common15.isValidURL)(credentialEndpoint)) {
|
|
1954
1985
|
logger8.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
|
|
@@ -2036,27 +2067,64 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2036
2067
|
return await this.createCredentialRequestImpl(opts);
|
|
2037
2068
|
}
|
|
2038
2069
|
async createCredentialRequestImpl(opts) {
|
|
2039
|
-
const { proofInput, credentialIdentifier
|
|
2070
|
+
const { proofInput, credentialIdentifier, credentialConfigurationId } = opts;
|
|
2040
2071
|
let proof = void 0;
|
|
2041
2072
|
if (proofInput) {
|
|
2042
2073
|
proof = await buildProof(proofInput, opts);
|
|
2043
2074
|
}
|
|
2044
|
-
if (
|
|
2045
|
-
|
|
2046
|
-
|
|
2047
|
-
|
|
2048
|
-
|
|
2049
|
-
|
|
2075
|
+
if (this.version() >= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_15) {
|
|
2076
|
+
const authDetail = findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId ?? credentialIdentifier);
|
|
2077
|
+
const issuer_state2 = this.credentialRequestOpts.issuerState;
|
|
2078
|
+
const commonBody = {
|
|
2079
|
+
...issuer_state2 && {
|
|
2080
|
+
issuer_state: issuer_state2
|
|
2081
|
+
},
|
|
2050
2082
|
...proof && {
|
|
2051
2083
|
proof
|
|
2052
|
-
}
|
|
2084
|
+
},
|
|
2085
|
+
...opts.subjectIssuance
|
|
2086
|
+
};
|
|
2087
|
+
const authDetailObj = authDetail && typeof authDetail === "object" ? authDetail : null;
|
|
2088
|
+
if (authDetailObj?.credential_identifier) {
|
|
2089
|
+
return {
|
|
2090
|
+
credential_identifier: authDetailObj.credential_identifier,
|
|
2091
|
+
...commonBody
|
|
2092
|
+
};
|
|
2093
|
+
}
|
|
2094
|
+
if (authDetailObj?.credential_identifiers && authDetailObj.credential_identifiers.length > 0) {
|
|
2095
|
+
return {
|
|
2096
|
+
credential_identifier: authDetailObj.credential_identifiers[0],
|
|
2097
|
+
...commonBody
|
|
2098
|
+
};
|
|
2099
|
+
}
|
|
2100
|
+
const configId = credentialConfigurationId ?? authDetailObj?.credential_configuration_id ?? this._credentialRequestOpts.credentialConfigurationId;
|
|
2101
|
+
if (configId) {
|
|
2102
|
+
return {
|
|
2103
|
+
credential_configuration_id: configId,
|
|
2104
|
+
...commonBody
|
|
2105
|
+
};
|
|
2106
|
+
}
|
|
2107
|
+
if (credentialIdentifier) {
|
|
2108
|
+
return {
|
|
2109
|
+
credential_identifier: credentialIdentifier,
|
|
2110
|
+
...commonBody
|
|
2111
|
+
};
|
|
2112
|
+
}
|
|
2113
|
+
return Promise.reject(Error("No credential_identifier or credential_configuration_id available for v1.0-15 request"));
|
|
2114
|
+
}
|
|
2115
|
+
if (credentialIdentifier) {
|
|
2116
|
+
const proof_obj = proof ? {
|
|
2117
|
+
proof
|
|
2118
|
+
} : {};
|
|
2119
|
+
return {
|
|
2120
|
+
credential_identifier: credentialIdentifier,
|
|
2121
|
+
...proof_obj
|
|
2053
2122
|
};
|
|
2054
2123
|
}
|
|
2055
2124
|
const formatSelection = opts.format ?? this.credentialRequestOpts.format;
|
|
2056
2125
|
if (!formatSelection) {
|
|
2057
2126
|
throw Error(`Format of credential to be issued is missing`);
|
|
2058
2127
|
}
|
|
2059
|
-
const format = (0, import_oid4vci_common15.getUniformFormat)(formatSelection);
|
|
2060
2128
|
const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
|
|
2061
2129
|
if (!typesSelection) {
|
|
2062
2130
|
throw Error(`Credential type(s) need to be provided`);
|
|
@@ -2068,70 +2136,25 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2068
2136
|
throw Error(`Credential type(s) need to be provided`);
|
|
2069
2137
|
}
|
|
2070
2138
|
const issuer_state = this.credentialRequestOpts.issuerState;
|
|
2071
|
-
if (
|
|
2072
|
-
return {
|
|
2073
|
-
credential_definition: {
|
|
2074
|
-
type: types
|
|
2075
|
-
},
|
|
2076
|
-
format,
|
|
2077
|
-
...issuer_state && {
|
|
2078
|
-
issuer_state
|
|
2079
|
-
},
|
|
2080
|
-
...proof && {
|
|
2081
|
-
proof
|
|
2082
|
-
},
|
|
2083
|
-
...opts.subjectIssuance
|
|
2084
|
-
};
|
|
2085
|
-
} else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
|
|
2086
|
-
if (this.version() >= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
|
|
2087
|
-
throw Error("No @context value present, but it is required");
|
|
2088
|
-
}
|
|
2139
|
+
if (formatSelection === "jwt_vc_json" || formatSelection === "ldp_vc") {
|
|
2089
2140
|
return {
|
|
2090
|
-
format,
|
|
2091
|
-
...issuer_state && {
|
|
2092
|
-
issuer_state
|
|
2093
|
-
},
|
|
2094
|
-
...proof && {
|
|
2095
|
-
proof
|
|
2096
|
-
},
|
|
2097
|
-
...opts.subjectIssuance,
|
|
2141
|
+
format: formatSelection,
|
|
2098
2142
|
credential_definition: {
|
|
2099
2143
|
type: types,
|
|
2100
|
-
|
|
2101
|
-
|
|
2102
|
-
|
|
2103
|
-
} else if (format === "vc+sd-jwt") {
|
|
2104
|
-
if (types.length > 1) {
|
|
2105
|
-
throw Error(`Only a single credential type is supported for ${format}`);
|
|
2106
|
-
}
|
|
2107
|
-
return {
|
|
2108
|
-
format,
|
|
2109
|
-
...issuer_state && {
|
|
2110
|
-
issuer_state
|
|
2111
|
-
},
|
|
2112
|
-
...proof && {
|
|
2113
|
-
proof
|
|
2144
|
+
...opts.context && {
|
|
2145
|
+
"@context": opts.context
|
|
2146
|
+
}
|
|
2114
2147
|
},
|
|
2115
|
-
vct: types[0],
|
|
2116
|
-
...opts.subjectIssuance
|
|
2117
|
-
};
|
|
2118
|
-
} else if (format === "mso_mdoc") {
|
|
2119
|
-
if (types.length > 1) {
|
|
2120
|
-
throw Error(`Only a single credential type is supported for ${format}`);
|
|
2121
|
-
}
|
|
2122
|
-
return {
|
|
2123
|
-
format,
|
|
2124
2148
|
...issuer_state && {
|
|
2125
2149
|
issuer_state
|
|
2126
2150
|
},
|
|
2127
2151
|
...proof && {
|
|
2128
2152
|
proof
|
|
2129
2153
|
},
|
|
2130
|
-
doctype: types[0],
|
|
2131
2154
|
...opts.subjectIssuance
|
|
2132
2155
|
};
|
|
2133
2156
|
}
|
|
2134
|
-
|
|
2157
|
+
return Promise.reject(Error(`Format ${formatSelection} is not supported in this protocol version`));
|
|
2135
2158
|
}
|
|
2136
2159
|
version() {
|
|
2137
2160
|
return this.credentialRequestOpts?.version ?? import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13;
|
|
@@ -2445,11 +2468,101 @@ var CredentialOfferClientV1_0_13 = class {
|
|
|
2445
2468
|
}
|
|
2446
2469
|
};
|
|
2447
2470
|
|
|
2448
|
-
// lib/
|
|
2449
|
-
var import_oid4vc_common6 = require("@sphereon/oid4vc-common");
|
|
2471
|
+
// lib/CredentialOfferClientV1_0_15.ts
|
|
2450
2472
|
var import_oid4vci_common19 = require("@sphereon/oid4vci-common");
|
|
2451
2473
|
var import_ssi_types13 = require("@sphereon/ssi-types");
|
|
2452
|
-
var logger11 = import_ssi_types13.Loggers.DEFAULT.get("sphereon:oid4vci:
|
|
2474
|
+
var logger11 = import_ssi_types13.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
|
|
2475
|
+
var CredentialOfferClientV1_0_15 = class {
|
|
2476
|
+
static {
|
|
2477
|
+
__name(this, "CredentialOfferClientV1_0_15");
|
|
2478
|
+
}
|
|
2479
|
+
static async fromURI(uri, opts) {
|
|
2480
|
+
logger11.debug(`Credential Offer URI: ${uri}`);
|
|
2481
|
+
if (!uri.includes("?") || !uri.includes("://")) {
|
|
2482
|
+
logger11.debug(`Invalid Credential Offer URI: ${uri}`);
|
|
2483
|
+
return Promise.reject(Error(`Invalid Credential Offer Request`));
|
|
2484
|
+
}
|
|
2485
|
+
const scheme = uri.split("://")[0];
|
|
2486
|
+
const baseUrl = uri.split("?")[0];
|
|
2487
|
+
const version = (0, import_oid4vci_common19.determineSpecVersionFromURI)(uri);
|
|
2488
|
+
let credentialOffer;
|
|
2489
|
+
if (uri.includes("credential_offer_uri")) {
|
|
2490
|
+
credentialOffer = await handleCredentialOfferUri(uri);
|
|
2491
|
+
} else {
|
|
2492
|
+
credentialOffer = (0, import_oid4vci_common19.convertURIToJsonObject)(uri, {
|
|
2493
|
+
// It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
|
|
2494
|
+
arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
|
|
2495
|
+
"credential_configuration_ids",
|
|
2496
|
+
"credential_offer_uri="
|
|
2497
|
+
] : [
|
|
2498
|
+
"credential_configuration_ids",
|
|
2499
|
+
"credential_offer="
|
|
2500
|
+
],
|
|
2501
|
+
requiredProperties: uri.includes("credential_offer_uri=") ? [
|
|
2502
|
+
"credential_offer_uri="
|
|
2503
|
+
] : [
|
|
2504
|
+
"credential_offer="
|
|
2505
|
+
]
|
|
2506
|
+
});
|
|
2507
|
+
}
|
|
2508
|
+
if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
|
|
2509
|
+
return Promise.reject(Error("Either a credential_offer or credential_offer_uri should be present in " + uri));
|
|
2510
|
+
}
|
|
2511
|
+
const request = await (0, import_oid4vci_common19.toUniformCredentialOfferRequest)(credentialOffer, {
|
|
2512
|
+
...opts,
|
|
2513
|
+
version
|
|
2514
|
+
});
|
|
2515
|
+
return {
|
|
2516
|
+
...constructBaseResponse(request, scheme, baseUrl),
|
|
2517
|
+
userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common19.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false)
|
|
2518
|
+
};
|
|
2519
|
+
}
|
|
2520
|
+
static toURI(requestWithBaseUrl, opts) {
|
|
2521
|
+
logger11.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
|
|
2522
|
+
const version = opts?.version ?? requestWithBaseUrl.version;
|
|
2523
|
+
let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
|
|
2524
|
+
let param;
|
|
2525
|
+
const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
|
|
2526
|
+
if (version.valueOf() >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
|
|
2527
|
+
if (!baseUrl.includes("?")) {
|
|
2528
|
+
param = isUri ? "credential_offer_uri" : "credential_offer";
|
|
2529
|
+
} else {
|
|
2530
|
+
const split = baseUrl.split("?");
|
|
2531
|
+
if (split.length > 1 && split[1] !== "") {
|
|
2532
|
+
if (baseUrl.endsWith("&")) {
|
|
2533
|
+
param = isUri ? "credential_offer_uri" : "credential_offer";
|
|
2534
|
+
} else if (!baseUrl.endsWith("=")) {
|
|
2535
|
+
baseUrl += `&`;
|
|
2536
|
+
param = isUri ? "credential_offer_uri" : "credential_offer";
|
|
2537
|
+
}
|
|
2538
|
+
}
|
|
2539
|
+
}
|
|
2540
|
+
}
|
|
2541
|
+
return (0, import_oid4vci_common19.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
|
|
2542
|
+
baseUrl,
|
|
2543
|
+
arrayTypeProperties: isUri ? [] : [
|
|
2544
|
+
"credential_configuration_ids"
|
|
2545
|
+
],
|
|
2546
|
+
uriTypeProperties: isUri ? [
|
|
2547
|
+
"credential_offer_uri"
|
|
2548
|
+
] : version >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_15 ? [
|
|
2549
|
+
"credential_issuer",
|
|
2550
|
+
"credential_configuration_ids"
|
|
2551
|
+
] : [
|
|
2552
|
+
"issuer",
|
|
2553
|
+
"credential_type"
|
|
2554
|
+
],
|
|
2555
|
+
param,
|
|
2556
|
+
version
|
|
2557
|
+
});
|
|
2558
|
+
}
|
|
2559
|
+
};
|
|
2560
|
+
|
|
2561
|
+
// lib/CredentialRequestClientV1_0_11.ts
|
|
2562
|
+
var import_oid4vc_common6 = require("@sphereon/oid4vc-common");
|
|
2563
|
+
var import_oid4vci_common20 = require("@sphereon/oid4vci-common");
|
|
2564
|
+
var import_ssi_types14 = require("@sphereon/ssi-types");
|
|
2565
|
+
var logger12 = import_ssi_types14.Loggers.DEFAULT.get("sphereon:oid4vci:credential");
|
|
2453
2566
|
var CredentialRequestClientV1_0_11 = class {
|
|
2454
2567
|
static {
|
|
2455
2568
|
__name(this, "CredentialRequestClientV1_0_11");
|
|
@@ -2485,20 +2598,24 @@ var CredentialRequestClientV1_0_11 = class {
|
|
|
2485
2598
|
return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
|
|
2486
2599
|
}
|
|
2487
2600
|
async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
|
|
2488
|
-
const
|
|
2601
|
+
const uniformRequestV11 = uniformRequest;
|
|
2602
|
+
if (!uniformRequestV11.format) {
|
|
2603
|
+
return Promise.reject(Error("format is missing from the (legacy v11) credential request"));
|
|
2604
|
+
}
|
|
2605
|
+
const request = (0, import_oid4vci_common20.getCredentialRequestForVersion)(uniformRequest, uniformRequestV11.format, this.version());
|
|
2489
2606
|
const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
|
|
2490
|
-
if (!(0,
|
|
2491
|
-
|
|
2492
|
-
throw new Error(
|
|
2607
|
+
if (!(0, import_oid4vci_common20.isValidURL)(credentialEndpoint)) {
|
|
2608
|
+
logger12.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
|
|
2609
|
+
throw new Error(import_oid4vci_common20.URL_NOT_VALID);
|
|
2493
2610
|
}
|
|
2494
|
-
|
|
2495
|
-
|
|
2611
|
+
logger12.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
|
|
2612
|
+
logger12.debug(`request
|
|
2496
2613
|
: ${JSON.stringify(request, null, 2)}`);
|
|
2497
2614
|
const requestToken = this.credentialRequestOpts.token;
|
|
2498
2615
|
let dPoP = createDPoPOpts ? await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
|
|
2499
2616
|
accessToken: requestToken
|
|
2500
2617
|
})) : void 0;
|
|
2501
|
-
let response = await (0,
|
|
2618
|
+
let response = await (0, import_oid4vci_common20.post)(credentialEndpoint, JSON.stringify(request), {
|
|
2502
2619
|
bearerToken: requestToken,
|
|
2503
2620
|
customHeaders: {
|
|
2504
2621
|
...createDPoPOpts && {
|
|
@@ -2513,7 +2630,7 @@ var CredentialRequestClientV1_0_11 = class {
|
|
|
2513
2630
|
dPoP = await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
|
|
2514
2631
|
accessToken: requestToken
|
|
2515
2632
|
}));
|
|
2516
|
-
response = await (0,
|
|
2633
|
+
response = await (0, import_oid4vci_common20.post)(credentialEndpoint, JSON.stringify(request), {
|
|
2517
2634
|
bearerToken: requestToken,
|
|
2518
2635
|
customHeaders: {
|
|
2519
2636
|
...createDPoPOpts && {
|
|
@@ -2524,14 +2641,14 @@ var CredentialRequestClientV1_0_11 = class {
|
|
|
2524
2641
|
const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
|
|
2525
2642
|
nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
|
|
2526
2643
|
}
|
|
2527
|
-
this._isDeferred = (0,
|
|
2644
|
+
this._isDeferred = (0, import_oid4vci_common20.isDeferredCredentialResponse)(response);
|
|
2528
2645
|
if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
|
|
2529
2646
|
response = await this.acquireDeferredCredential(response.successBody, {
|
|
2530
2647
|
bearerToken: this.credentialRequestOpts.token
|
|
2531
2648
|
});
|
|
2532
2649
|
}
|
|
2533
2650
|
response.access_token = requestToken;
|
|
2534
|
-
|
|
2651
|
+
logger12.debug(`Credential endpoint ${credentialEndpoint} response:\r
|
|
2535
2652
|
${JSON.stringify(response, null, 2)}`);
|
|
2536
2653
|
return {
|
|
2537
2654
|
...response,
|
|
@@ -2553,7 +2670,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2553
2670
|
} else if (!bearerToken) {
|
|
2554
2671
|
throw Error(`No bearer token present and refresh for defered endpoint not supported yet`);
|
|
2555
2672
|
}
|
|
2556
|
-
return await (0,
|
|
2673
|
+
return await (0, import_oid4vci_common20.acquireDeferredCredential)({
|
|
2557
2674
|
bearerToken,
|
|
2558
2675
|
transactionId,
|
|
2559
2676
|
deferredCredentialEndpoint,
|
|
@@ -2567,7 +2684,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2567
2684
|
if (!formatSelection) {
|
|
2568
2685
|
throw Error(`Format of credential to be issued is missing`);
|
|
2569
2686
|
}
|
|
2570
|
-
const format = (0,
|
|
2687
|
+
const format = (0, import_oid4vci_common20.getUniformFormat)(formatSelection);
|
|
2571
2688
|
const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
|
|
2572
2689
|
const types = Array.isArray(typesSelection) ? typesSelection : [
|
|
2573
2690
|
typesSelection
|
|
@@ -2585,7 +2702,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2585
2702
|
proof
|
|
2586
2703
|
};
|
|
2587
2704
|
} else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
|
|
2588
|
-
if (this.version() >=
|
|
2705
|
+
if (this.version() >= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
|
|
2589
2706
|
throw Error("No @context value present, but it is required");
|
|
2590
2707
|
}
|
|
2591
2708
|
return {
|
|
@@ -2623,18 +2740,18 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
2623
2740
|
throw new Error(`Unsupported format: ${format}`);
|
|
2624
2741
|
}
|
|
2625
2742
|
version() {
|
|
2626
|
-
return this.credentialRequestOpts?.version ??
|
|
2743
|
+
return this.credentialRequestOpts?.version ?? import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11;
|
|
2627
2744
|
}
|
|
2628
2745
|
isV11OrHigher() {
|
|
2629
|
-
return this.version() >=
|
|
2746
|
+
return this.version() >= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11;
|
|
2630
2747
|
}
|
|
2631
2748
|
};
|
|
2632
2749
|
|
|
2633
2750
|
// lib/CredentialRequestClientBuilder.ts
|
|
2634
|
-
var
|
|
2751
|
+
var import_oid4vci_common24 = require("@sphereon/oid4vci-common");
|
|
2635
2752
|
|
|
2636
2753
|
// lib/CredentialRequestClientBuilderV1_0_11.ts
|
|
2637
|
-
var
|
|
2754
|
+
var import_oid4vci_common21 = require("@sphereon/oid4vci-common");
|
|
2638
2755
|
var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilderV1_0_11 {
|
|
2639
2756
|
static {
|
|
2640
2757
|
__name(this, "CredentialRequestClientBuilderV1_0_11");
|
|
@@ -2652,7 +2769,7 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
|
|
|
2652
2769
|
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialTypes }) {
|
|
2653
2770
|
const issuer = credentialIssuer;
|
|
2654
2771
|
const builder = new _CredentialRequestClientBuilderV1_0_11();
|
|
2655
|
-
builder.withVersion(version ??
|
|
2772
|
+
builder.withVersion(version ?? import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11);
|
|
2656
2773
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2657
2774
|
if (metadata?.deferred_credential_endpoint) {
|
|
2658
2775
|
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
@@ -2671,18 +2788,18 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
|
|
|
2671
2788
|
}
|
|
2672
2789
|
static fromCredentialOfferRequest(opts) {
|
|
2673
2790
|
const { request, metadata } = opts;
|
|
2674
|
-
const version = opts.version ?? request.version ?? (0,
|
|
2791
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common21.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
2675
2792
|
const builder = new _CredentialRequestClientBuilderV1_0_11();
|
|
2676
|
-
const issuer = (0,
|
|
2793
|
+
const issuer = (0, import_oid4vci_common21.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
|
|
2677
2794
|
builder.withVersion(version);
|
|
2678
2795
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2679
2796
|
if (metadata?.deferred_credential_endpoint) {
|
|
2680
2797
|
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
2681
2798
|
}
|
|
2682
|
-
if (version <=
|
|
2799
|
+
if (version <= import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_08) {
|
|
2683
2800
|
builder.withCredentialType(request.original_credential_offer.credential_type);
|
|
2684
|
-
} else if (version <=
|
|
2685
|
-
builder.withCredentialType((0,
|
|
2801
|
+
} else if (version <= import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11) {
|
|
2802
|
+
builder.withCredentialType((0, import_oid4vci_common21.getTypesFromOfferV1_0_11)(request.credential_offer));
|
|
2686
2803
|
}
|
|
2687
2804
|
return builder;
|
|
2688
2805
|
}
|
|
@@ -2746,14 +2863,14 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
|
|
|
2746
2863
|
}
|
|
2747
2864
|
build() {
|
|
2748
2865
|
if (!this.version) {
|
|
2749
|
-
this.withVersion(
|
|
2866
|
+
this.withVersion(import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11);
|
|
2750
2867
|
}
|
|
2751
2868
|
return new CredentialRequestClientV1_0_11(this);
|
|
2752
2869
|
}
|
|
2753
2870
|
};
|
|
2754
2871
|
|
|
2755
2872
|
// lib/CredentialRequestClientBuilderV1_0_13.ts
|
|
2756
|
-
var
|
|
2873
|
+
var import_oid4vci_common22 = require("@sphereon/oid4vci-common");
|
|
2757
2874
|
var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilderV1_0_13 {
|
|
2758
2875
|
static {
|
|
2759
2876
|
__name(this, "CredentialRequestClientBuilderV1_0_13");
|
|
@@ -2772,7 +2889,7 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
|
|
|
2772
2889
|
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
|
|
2773
2890
|
const issuer = credentialIssuer;
|
|
2774
2891
|
const builder = new _CredentialRequestClientBuilderV1_0_13();
|
|
2775
|
-
builder.withVersion(version ??
|
|
2892
|
+
builder.withVersion(version ?? import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13);
|
|
2776
2893
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2777
2894
|
if (metadata?.deferred_credential_endpoint) {
|
|
2778
2895
|
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
@@ -2796,12 +2913,12 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
|
|
|
2796
2913
|
}
|
|
2797
2914
|
static fromCredentialOfferRequest(opts) {
|
|
2798
2915
|
const { request, metadata } = opts;
|
|
2799
|
-
const version = opts.version ?? request.version ?? (0,
|
|
2800
|
-
if (version <
|
|
2916
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common22.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
2917
|
+
if (version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
|
|
2801
2918
|
throw new Error("Versions below v1.0.13 (draft 13) are not supported.");
|
|
2802
2919
|
}
|
|
2803
2920
|
const builder = new _CredentialRequestClientBuilderV1_0_13();
|
|
2804
|
-
const issuer = (0,
|
|
2921
|
+
const issuer = (0, import_oid4vci_common22.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
|
|
2805
2922
|
builder.withVersion(version);
|
|
2806
2923
|
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2807
2924
|
if (metadata?.deferred_credential_endpoint) {
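Review bot: `issuer` can be undefined when `issuer.endsWith("/")` runs at new line 2923, because it comes from `getIssuerFromCredentialOfferPayload(request.credential_offer) ?? metadata?.issuer` and `metadata` is optional. The offer is externally supplied, so a payload with no issuer and no `credential_endpoint` in the metadata ends in a TypeError instead of a clear rejection. A guard before the endpoint is derived would cover it, e.g. `if (!issuer && !metadata?.credential_endpoint) throw new Error("No credential issuer in offer or metadata");`. The new 1.0.15 builder copies the same pattern (new lines 3061–3063), and its `ids.length` at new line 3071 likewise assumes `credential_configuration_ids` is present. The function body continues outside this hunk, and since this file is bundled output the change belongs in lib/CredentialRequestClientBuilderV1_0_13.ts.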
|
|
@@ -2878,52 +2995,56 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
|
|
|
2878
2995
|
}
|
|
2879
2996
|
build() {
|
|
2880
2997
|
if (!this.version) {
|
|
2881
|
-
this.withVersion(
|
|
2998
|
+
this.withVersion(import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_11);
|
|
2882
2999
|
}
|
|
2883
3000
|
return new CredentialRequestClient(this);
|
|
2884
3001
|
}
|
|
2885
3002
|
};
|
|
2886
3003
|
|
|
2887
|
-
// lib/
|
|
2888
|
-
|
|
2889
|
-
|
|
2890
|
-
}
|
|
2891
|
-
__name(isV1_0_13, "isV1_0_13");
|
|
2892
|
-
var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
3004
|
+
// lib/CredentialRequestClientBuilderV1_0_15.ts
|
|
3005
|
+
var import_oid4vci_common23 = require("@sphereon/oid4vci-common");
|
|
3006
|
+
var CredentialRequestClientBuilderV1_0_15 = class _CredentialRequestClientBuilderV1_0_15 {
|
|
2893
3007
|
static {
|
|
2894
|
-
__name(this, "
|
|
2895
|
-
}
|
|
2896
|
-
_builder;
|
|
2897
|
-
constructor(builder) {
|
|
2898
|
-
this._builder = builder;
|
|
3008
|
+
__name(this, "CredentialRequestClientBuilderV1_0_15");
|
|
2899
3009
|
}
|
|
2900
|
-
|
|
2901
|
-
|
|
2902
|
-
|
|
2903
|
-
|
|
2904
|
-
|
|
2905
|
-
|
|
2906
|
-
|
|
2907
|
-
|
|
2908
|
-
|
|
2909
|
-
|
|
2910
|
-
|
|
2911
|
-
|
|
2912
|
-
|
|
2913
|
-
|
|
2914
|
-
|
|
2915
|
-
|
|
2916
|
-
|
|
2917
|
-
|
|
2918
|
-
|
|
2919
|
-
|
|
2920
|
-
});
|
|
3010
|
+
credentialEndpoint;
|
|
3011
|
+
deferredCredentialEndpoint;
|
|
3012
|
+
nonceEndpoint;
|
|
3013
|
+
deferredCredentialAwait = false;
|
|
3014
|
+
deferredCredentialIntervalInMS = 5e3;
|
|
3015
|
+
credentialIdentifier;
|
|
3016
|
+
credentialConfigurationId;
|
|
3017
|
+
credentialTypes = [];
|
|
3018
|
+
token;
|
|
3019
|
+
version;
|
|
3020
|
+
subjectIssuance;
|
|
3021
|
+
issuerState;
|
|
3022
|
+
// Note: format removed from v15 - credential requests no longer include format parameter
|
|
3023
|
+
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialConfigurationId, credentialTypes }) {
|
|
3024
|
+
const issuer = credentialIssuer;
|
|
3025
|
+
const builder = new _CredentialRequestClientBuilderV1_0_15();
|
|
3026
|
+
builder.withVersion(version ?? import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_15);
|
|
3027
|
+
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
3028
|
+
if (metadata?.deferred_credential_endpoint) {
|
|
3029
|
+
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
2921
3030
|
}
|
|
2922
|
-
|
|
3031
|
+
if (metadata?.nonce_endpoint) {
|
|
3032
|
+
builder.withNonceEndpoint(metadata.nonce_endpoint);
|
|
3033
|
+
}
|
|
3034
|
+
if (credentialIdentifier) {
|
|
3035
|
+
builder.withCredentialIdentifier(credentialIdentifier);
|
|
3036
|
+
}
|
|
3037
|
+
if (credentialConfigurationId) {
|
|
3038
|
+
builder.withCredentialConfigurationId(credentialConfigurationId);
|
|
3039
|
+
}
|
|
3040
|
+
if (credentialTypes) {
|
|
3041
|
+
builder.withCredentialType(credentialTypes);
|
|
3042
|
+
}
|
|
3043
|
+
return builder;
|
|
2923
3044
|
}
|
|
2924
3045
|
static async fromURI({ uri, metadata }) {
|
|
2925
3046
|
const offer = await CredentialOfferClient.fromURI(uri);
|
|
2926
|
-
return
|
|
3047
|
+
return _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
|
|
2927
3048
|
request: offer,
|
|
2928
3049
|
...offer,
|
|
2929
3050
|
metadata,
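Review bot: `build()` of the 1.0.13 builder falls back to `OpenId4VCIVersion.VER_1_0_11` at new line 2998 when no version was set, although `fromCredentialIssuer` in the same class defaults to `VER_1_0_13` and `fromCredentialOfferRequest` rejects anything below it. A builder created directly and configured through the `with…` methods is therefore handed to `CredentialRequestClient` labelled as draft 11; if the client shapes the request by version, which is not visible here, the request would be built for the wrong draft. The 1.0.15 builder's `build()` (new line 3154) falls back to its own version, so the likely intent is `this.withVersion(import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13);`. The removed line is truncated in this rendering, so the fallback may predate this release. The fix belongs in the TypeScript source rather than in this bundled output.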
|
|
@@ -2931,27 +3052,191 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2931
3052
|
});
|
|
2932
3053
|
}
|
|
2933
3054
|
static fromCredentialOfferRequest(opts) {
|
|
2934
|
-
const { request } = opts;
|
|
2935
|
-
const version = opts.version ?? request.version ?? (0,
|
|
2936
|
-
|
|
2937
|
-
|
|
2938
|
-
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
|
|
2939
|
-
} else {
|
|
2940
|
-
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
|
|
3055
|
+
const { request, metadata } = opts;
|
|
3056
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common23.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
3057
|
+
if (version < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_15) {
|
|
3058
|
+
throw new Error("Versions below v1.0.15 (draft 15) are not supported.");
|
|
2941
3059
|
}
|
|
2942
|
-
|
|
3060
|
+
const builder = new _CredentialRequestClientBuilderV1_0_15();
|
|
3061
|
+
const issuer = (0, import_oid4vci_common23.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
|
|
3062
|
+
builder.withVersion(version);
|
|
3063
|
+
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
3064
|
+
if (metadata?.deferred_credential_endpoint) {
|
|
3065
|
+
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
3066
|
+
}
|
|
3067
|
+
if (metadata?.nonce_endpoint) {
|
|
3068
|
+
builder.withNonceEndpoint(metadata.nonce_endpoint);
|
|
3069
|
+
}
|
|
3070
|
+
const ids = request.credential_offer.credential_configuration_ids;
|
|
3071
|
+
if (ids.length && ids.length === 1) {
|
|
3072
|
+
builder.withCredentialConfigurationId(ids[0]);
|
|
3073
|
+
}
|
|
3074
|
+
return builder;
|
|
2943
3075
|
}
|
|
2944
3076
|
static fromCredentialOffer({ credentialOffer, metadata }) {
|
|
2945
|
-
const
|
|
2946
|
-
|
|
2947
|
-
|
|
2948
|
-
|
|
2949
|
-
|
|
2950
|
-
|
|
2951
|
-
|
|
2952
|
-
|
|
2953
|
-
|
|
2954
|
-
|
|
3077
|
+
const builder = _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
|
|
3078
|
+
request: credentialOffer,
|
|
3079
|
+
metadata,
|
|
3080
|
+
version: credentialOffer.version
|
|
3081
|
+
});
|
|
3082
|
+
return builder;
|
|
3083
|
+
}
|
|
3084
|
+
withCredentialEndpointFromMetadata(metadata) {
|
|
3085
|
+
this.credentialEndpoint = metadata.credential_endpoint;
|
|
3086
|
+
return this;
|
|
3087
|
+
}
|
|
3088
|
+
withCredentialEndpoint(credentialEndpoint) {
|
|
3089
|
+
this.credentialEndpoint = credentialEndpoint;
|
|
3090
|
+
return this;
|
|
3091
|
+
}
|
|
3092
|
+
withIssuerState(issuerState) {
|
|
3093
|
+
this.issuerState = issuerState;
|
|
3094
|
+
return this;
|
|
3095
|
+
}
|
|
3096
|
+
withDeferredCredentialEndpointFromMetadata(metadata) {
|
|
3097
|
+
this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
|
|
3098
|
+
return this;
|
|
3099
|
+
}
|
|
3100
|
+
withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
|
|
3101
|
+
this.deferredCredentialEndpoint = deferredCredentialEndpoint;
|
|
3102
|
+
return this;
|
|
3103
|
+
}
|
|
3104
|
+
// New in v15: Support for nonce endpoint
|
|
3105
|
+
withNonceEndpointFromMetadata(metadata) {
|
|
3106
|
+
this.nonceEndpoint = metadata.nonce_endpoint;
|
|
3107
|
+
return this;
|
|
3108
|
+
}
|
|
3109
|
+
withNonceEndpoint(nonceEndpoint) {
|
|
3110
|
+
this.nonceEndpoint = nonceEndpoint;
|
|
3111
|
+
return this;
|
|
3112
|
+
}
|
|
3113
|
+
withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
|
|
3114
|
+
this.deferredCredentialAwait = deferredCredentialAwait;
|
|
3115
|
+
this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
|
|
3116
|
+
return this;
|
|
3117
|
+
}
|
|
3118
|
+
// New in v15: Support for credential_identifier (used when authorization_details with credential_identifiers was used)
|
|
3119
|
+
withCredentialIdentifier(credentialIdentifier) {
|
|
3120
|
+
this.credentialIdentifier = credentialIdentifier;
|
|
3121
|
+
return this;
|
|
3122
|
+
}
|
|
3123
|
+
// New in v15: Support for credential_configuration_id (used when scope was used and no credential_identifiers returned)
|
|
3124
|
+
withCredentialConfigurationId(credentialConfigurationId) {
|
|
3125
|
+
this.credentialConfigurationId = credentialConfigurationId;
|
|
3126
|
+
return this;
|
|
3127
|
+
}
|
|
3128
|
+
// Legacy support for credential types (may be used internally to map to configuration IDs)
|
|
3129
|
+
withCredentialType(credentialTypes) {
|
|
3130
|
+
this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
|
|
3131
|
+
credentialTypes
|
|
3132
|
+
];
|
|
3133
|
+
return this;
|
|
3134
|
+
}
|
|
3135
|
+
// Note: withFormat() method removed in v15 - format is no longer part of credential requests
|
|
3136
|
+
withSubjectIssuance(subjectIssuance) {
|
|
3137
|
+
this.subjectIssuance = subjectIssuance;
|
|
3138
|
+
return this;
|
|
3139
|
+
}
|
|
3140
|
+
withToken(accessToken) {
|
|
3141
|
+
this.token = accessToken;
|
|
3142
|
+
return this;
|
|
3143
|
+
}
|
|
3144
|
+
withTokenFromResponse(response) {
|
|
3145
|
+
this.token = response.access_token;
|
|
3146
|
+
return this;
|
|
3147
|
+
}
|
|
3148
|
+
withVersion(version) {
|
|
3149
|
+
this.version = version;
|
|
3150
|
+
return this;
|
|
3151
|
+
}
|
|
3152
|
+
build() {
|
|
3153
|
+
if (!this.version) {
|
|
3154
|
+
this.withVersion(import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_15);
|
|
3155
|
+
}
|
|
3156
|
+
return new CredentialRequestClient(this);
|
|
3157
|
+
}
|
|
3158
|
+
};
|
|
3159
|
+
|
|
3160
|
+
// lib/CredentialRequestClientBuilder.ts
|
|
3161
|
+
function isV1_0_13(builder) {
|
|
3162
|
+
return builder.withCredentialIdentifier !== void 0;
|
|
3163
|
+
}
|
|
3164
|
+
__name(isV1_0_13, "isV1_0_13");
|
|
3165
|
+
function isV1_0_15(builder) {
|
|
3166
|
+
return builder.withCredentialIdentifier !== void 0;
|
|
3167
|
+
}
|
|
3168
|
+
__name(isV1_0_15, "isV1_0_15");
|
|
3169
|
+
var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
3170
|
+
static {
|
|
3171
|
+
__name(this, "CredentialRequestClientBuilder");
|
|
3172
|
+
}
|
|
3173
|
+
_builder;
|
|
3174
|
+
constructor(builder) {
|
|
3175
|
+
this._builder = builder;
|
|
3176
|
+
}
|
|
3177
|
+
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
|
|
3178
|
+
const specVersion = version ?? import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_15;
|
|
3179
|
+
let builder;
|
|
3180
|
+
if (specVersion >= import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_15) {
|
|
3181
|
+
builder = CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
3182
|
+
credentialIssuer,
|
|
3183
|
+
metadata,
|
|
3184
|
+
version,
|
|
3185
|
+
credentialIdentifier,
|
|
3186
|
+
credentialTypes
|
|
3187
|
+
});
|
|
3188
|
+
} else if (specVersion >= import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
3189
|
+
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
|
|
3190
|
+
credentialIssuer,
|
|
3191
|
+
metadata,
|
|
3192
|
+
version,
|
|
3193
|
+
credentialIdentifier,
|
|
3194
|
+
credentialTypes
|
|
3195
|
+
});
|
|
3196
|
+
} else {
|
|
3197
|
+
if (!credentialTypes || credentialTypes.length === 0) {
|
|
3198
|
+
throw new Error("CredentialTypes must be provided for v1_0_11");
|
|
3199
|
+
}
|
|
3200
|
+
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
|
|
3201
|
+
credentialIssuer,
|
|
3202
|
+
metadata,
|
|
3203
|
+
version,
|
|
3204
|
+
credentialTypes
|
|
3205
|
+
});
|
|
3206
|
+
}
|
|
3207
|
+
return new _CredentialRequestClientBuilder(builder);
|
|
3208
|
+
}
|
|
3209
|
+
static async fromURI({ uri, metadata }) {
|
|
3210
|
+
const offer = await CredentialOfferClient.fromURI(uri);
|
|
3211
|
+
return _CredentialRequestClientBuilder.fromCredentialOfferRequest({
|
|
3212
|
+
request: offer,
|
|
3213
|
+
...offer,
|
|
3214
|
+
metadata,
|
|
3215
|
+
version: offer.version
|
|
3216
|
+
});
|
|
3217
|
+
}
|
|
3218
|
+
static fromCredentialOfferRequest(opts) {
|
|
3219
|
+
const { request } = opts;
|
|
3220
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common24.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
3221
|
+
let builder;
|
|
3222
|
+
if (version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
3223
|
+
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
|
|
3224
|
+
} else {
|
|
3225
|
+
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
|
|
3226
|
+
}
|
|
3227
|
+
return new _CredentialRequestClientBuilder(builder);
|
|
3228
|
+
}
|
|
3229
|
+
static fromCredentialOffer({ credentialOffer, metadata }) {
|
|
3230
|
+
const version = (0, import_oid4vci_common24.determineSpecVersionFromOffer)(credentialOffer.credential_offer);
|
|
3231
|
+
let builder;
|
|
3232
|
+
if (version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
3233
|
+
builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
|
|
3234
|
+
credentialOffer,
|
|
3235
|
+
metadata
|
|
3236
|
+
});
|
|
3237
|
+
} else {
|
|
3238
|
+
builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
|
|
3239
|
+
credentialOffer,
|
|
2955
3240
|
metadata
|
|
2956
3241
|
});
|
|
2957
3242
|
}
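Review bot: The wrapper's `fromCredentialOfferRequest` (new lines 3222–3226) and `fromCredentialOffer` (3232–3242) still choose only between the 1.0.11 and 1.0.13 builders, so an offer detected as draft 15 is built with `CredentialRequestClientBuilderV1_0_13`, while `fromCredentialIssuer` just above routes `>= VER_1_0_15` to the new builder. On the offer paths the 1.0.15 factory, which sets the nonce endpoint and the single `credential_configuration_id`, is bypassed. To make the three factories agree, turn the existing 1.0.13 arm into `} else if (version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_15) {` and add a final `else` calling `CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest(opts)`; `fromCredentialOffer` needs the same arm, and its body continues outside this hunk. The wrapper's `fromCredentialIssuer` also does not accept or forward `credentialConfigurationId`, which the 1.0.15 factory takes. Whether `determineSpecVersionFromOffer` can return `VER_1_0_15` is not visible here.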
|
|
@@ -2961,7 +3246,9 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2961
3246
|
return this._builder.version;
|
|
2962
3247
|
}
|
|
2963
3248
|
withCredentialEndpointFromMetadata(metadata) {
|
|
2964
|
-
if (
|
|
3249
|
+
if (isV1_0_15(this._builder)) {
|
|
3250
|
+
this._builder.withCredentialEndpointFromMetadata(metadata);
|
|
3251
|
+
} else if (isV1_0_13(this._builder)) {
|
|
2965
3252
|
this._builder.withCredentialEndpointFromMetadata(metadata);
|
|
2966
3253
|
} else {
|
|
2967
3254
|
this._builder.withCredentialEndpointFromMetadata(metadata);
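Review bot: All three arms of `withCredentialEndpointFromMetadata` make the same call, and the `else if (isV1_0_13(this._builder))` arm at new line 3251 cannot be reached, because `isV1_0_15` and `isV1_0_13` (new lines 3161–3167) both test `builder.withCredentialIdentifier !== void 0`. The guards presumably exist for type narrowing in the TypeScript source, but as written `isV1_0_15` also returns true for a 1.0.13 builder, which will matter as soon as an arm does something version-specific. Testing a member that only the 1.0.15 builder defines, for example `return builder.withCredentialConfigurationId !== void 0;`, would separate them, provided the 1.0.13 builder has no such method, which this page does not show. `withDeferredCredentialEndpointFromMetadata` in the next hunk has the same shape. The method body continues outside this hunk.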
|
|
@@ -2973,7 +3260,9 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2973
3260
|
return this;
|
|
2974
3261
|
}
|
|
2975
3262
|
withDeferredCredentialEndpointFromMetadata(metadata) {
|
|
2976
|
-
if (
|
|
3263
|
+
if (isV1_0_15(this._builder)) {
|
|
3264
|
+
this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
|
|
3265
|
+
} else if (isV1_0_13(this._builder)) {
|
|
2977
3266
|
this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
|
|
2978
3267
|
} else {
|
|
2979
3268
|
this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
|
|
@@ -2989,57 +3278,789 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2989
3278
|
return this;
|
|
2990
3279
|
}
|
|
2991
3280
|
withCredentialIdentifier(credentialIdentifier) {
|
|
2992
|
-
if (this._builder.version === void 0 || this._builder.version <
|
|
3281
|
+
if (this._builder.version === void 0 || this._builder.version < import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13) {
|
|
2993
3282
|
throw new Error("Version of spec should be equal or higher than v1_0_13");
|
|
2994
3283
|
}
|
|
2995
3284
|
;
|
|
2996
3285
|
this._builder.withCredentialIdentifier(credentialIdentifier);
|
|
2997
3286
|
return this;
|
|
2998
3287
|
}
|
|
2999
|
-
withIssuerState(issuerState) {
|
|
3000
|
-
this._builder.withIssuerState(issuerState);
|
|
3001
|
-
return this;
|
|
3288
|
+
withIssuerState(issuerState) {
|
|
3289
|
+
this._builder.withIssuerState(issuerState);
|
|
3290
|
+
return this;
|
|
3291
|
+
}
|
|
3292
|
+
withCredentialType(credentialTypes) {
|
|
3293
|
+
this._builder.withCredentialType(credentialTypes);
|
|
3294
|
+
return this;
|
|
3295
|
+
}
|
|
3296
|
+
withFormat(format) {
|
|
3297
|
+
if ("withFormat" in this._builder) {
|
|
3298
|
+
this._builder.withFormat(format);
|
|
3299
|
+
}
|
|
3300
|
+
return this;
|
|
3301
|
+
}
|
|
3302
|
+
withSubjectIssuance(subjectIssuance) {
|
|
3303
|
+
this._builder.withSubjectIssuance(subjectIssuance);
|
|
3304
|
+
return this;
|
|
3305
|
+
}
|
|
3306
|
+
withToken(accessToken) {
|
|
3307
|
+
this._builder.withToken(accessToken);
|
|
3308
|
+
return this;
|
|
3309
|
+
}
|
|
3310
|
+
withTokenFromResponse(response) {
|
|
3311
|
+
this._builder.withTokenFromResponse(response);
|
|
3312
|
+
return this;
|
|
3313
|
+
}
|
|
3314
|
+
withVersion(version) {
|
|
3315
|
+
this._builder.withVersion(version);
|
|
3316
|
+
return this;
|
|
3317
|
+
}
|
|
3318
|
+
build() {
|
|
3319
|
+
return this._builder.build();
|
|
3320
|
+
}
|
|
3321
|
+
};
|
|
3322
|
+
|
|
3323
|
+
// lib/MetadataClientV1_0_15.ts
|
|
3324
|
+
var import_oid4vci_common25 = require("@sphereon/oid4vci-common");
|
|
3325
|
+
var import_ssi_types15 = require("@sphereon/ssi-types");
|
|
3326
|
+
var logger13 = import_ssi_types15.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
|
|
3327
|
+
var MetadataClientV1_0_15 = class _MetadataClientV1_0_15 {
|
|
3328
|
+
static {
|
|
3329
|
+
__name(this, "MetadataClientV1_0_15");
|
|
3330
|
+
}
|
|
3331
|
+
/**
|
|
3332
|
+
* Retrieve metadata using the Initiation obtained from a previous step
|
|
3333
|
+
*
|
|
3334
|
+
* @param credentialOffer
|
|
3335
|
+
*/
|
|
3336
|
+
static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
|
|
3337
|
+
return _MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
|
|
3338
|
+
}
|
|
3339
|
+
/**
|
|
3340
|
+
* Retrieve the metada using the initiation request obtained from a previous step
|
|
3341
|
+
* @param request
|
|
3342
|
+
*/
|
|
3343
|
+
static async retrieveAllMetadataFromCredentialOfferRequest(request) {
|
|
3344
|
+
const issuer = (0, import_oid4vci_common25.getIssuerFromCredentialOfferPayload)(request);
|
|
3345
|
+
if (issuer) {
|
|
3346
|
+
return _MetadataClientV1_0_15.retrieveAllMetadata(issuer);
|
|
3347
|
+
}
|
|
3348
|
+
throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
|
|
3349
|
+
}
|
|
3350
|
+
/**
|
|
3351
|
+
* Retrieve all metadata from an issuer
|
|
3352
|
+
* @param issuer The issuer URL
|
|
3353
|
+
* @param opts
|
|
3354
|
+
*/
|
|
3355
|
+
static async retrieveAllMetadata(issuer, opts) {
|
|
3356
|
+
let token_endpoint;
|
|
3357
|
+
let credential_endpoint;
|
|
3358
|
+
let nonce_endpoint;
|
|
3359
|
+
let deferred_credential_endpoint;
|
|
3360
|
+
let authorization_endpoint;
|
|
3361
|
+
let authorization_challenge_endpoint;
|
|
3362
|
+
let authorizationServerType = "OID4VCI";
|
|
3363
|
+
let authorization_servers = [
|
|
3364
|
+
issuer
|
|
3365
|
+
];
|
|
3366
|
+
const oid4vciResponse = await _MetadataClientV1_0_15.retrieveOpenID4VCIServerMetadata(issuer, {
|
|
3367
|
+
errorOnNotFound: false
|
|
3368
|
+
});
|
|
3369
|
+
let credentialIssuerMetadata = oid4vciResponse?.successBody;
|
|
3370
|
+
if (credentialIssuerMetadata) {
|
|
3371
|
+
logger13.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
|
|
3372
|
+
${JSON.stringify(credentialIssuerMetadata)}`);
|
|
3373
|
+
credential_endpoint = credentialIssuerMetadata.credential_endpoint;
|
|
3374
|
+
nonce_endpoint = credentialIssuerMetadata.nonce_endpoint;
|
|
3375
|
+
deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
|
|
3376
|
+
if (credentialIssuerMetadata.token_endpoint) {
|
|
3377
|
+
token_endpoint = credentialIssuerMetadata.token_endpoint;
|
|
3378
|
+
}
|
|
3379
|
+
authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
|
|
3380
|
+
if (credentialIssuerMetadata.authorization_servers) {
|
|
3381
|
+
authorization_servers = credentialIssuerMetadata.authorization_servers;
|
|
3382
|
+
}
|
|
3383
|
+
}
|
|
3384
|
+
let response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common25.WellKnownEndpoints.OPENID_CONFIGURATION, {
|
|
3385
|
+
errorOnNotFound: false
|
|
3386
|
+
});
|
|
3387
|
+
let authMetadata = response.successBody;
|
|
3388
|
+
if (authMetadata) {
|
|
3389
|
+
logger13.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
|
|
3390
|
+
authorizationServerType = "OIDC";
|
|
3391
|
+
} else {
|
|
3392
|
+
response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common25.WellKnownEndpoints.OAUTH_AS, {
|
|
3393
|
+
errorOnNotFound: false
|
|
3394
|
+
});
|
|
3395
|
+
authMetadata = response.successBody;
|
|
3396
|
+
}
|
|
3397
|
+
if (!authMetadata) {
|
|
3398
|
+
if (!authorization_servers.includes(issuer)) {
|
|
3399
|
+
throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
|
|
3400
|
+
}
|
|
3401
|
+
} else {
|
|
3402
|
+
if (!authorizationServerType) {
|
|
3403
|
+
authorizationServerType = "OAuth 2.0";
|
|
3404
|
+
}
|
|
3405
|
+
logger13.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
|
|
3406
|
+
if (!authMetadata.authorization_endpoint) {
|
|
3407
|
+
console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
|
|
3408
|
+
} else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
|
|
3409
|
+
throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
|
|
3410
|
+
}
|
|
3411
|
+
authorization_endpoint = authMetadata.authorization_endpoint;
|
|
3412
|
+
if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
|
|
3413
|
+
throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
|
|
3414
|
+
}
|
|
3415
|
+
authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
|
|
3416
|
+
if (!authMetadata.token_endpoint) {
|
|
3417
|
+
throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
|
|
3418
|
+
} else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
|
|
3419
|
+
throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
|
|
3420
|
+
}
|
|
3421
|
+
token_endpoint = authMetadata.token_endpoint;
|
|
3422
|
+
if (authMetadata.credential_endpoint) {
|
|
3423
|
+
if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
|
|
3424
|
+
logger13.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
|
|
3425
|
+
} else {
|
|
3426
|
+
credential_endpoint = authMetadata.credential_endpoint;
|
|
3427
|
+
}
|
|
3428
|
+
}
|
|
3429
|
+
if (authMetadata.deferred_credential_endpoint) {
|
|
3430
|
+
if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
|
|
3431
|
+
logger13.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
|
|
3432
|
+
} else {
|
|
3433
|
+
deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
|
|
3434
|
+
}
|
|
3435
|
+
}
|
|
3436
|
+
}
|
|
3437
|
+
if (!authorization_endpoint) {
|
|
3438
|
+
logger13.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
|
|
3439
|
+
}
|
|
3440
|
+
if (!token_endpoint) {
|
|
3441
|
+
logger13.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
|
|
3442
|
+
if (opts?.errorOnNotFound) {
|
|
3443
|
+
throw Error(`Could not deduce the token_endpoint for ${issuer}`);
|
|
3444
|
+
} else {
|
|
3445
|
+
token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
|
|
3446
|
+
}
|
|
3447
|
+
}
|
|
3448
|
+
if (!credential_endpoint) {
|
|
3449
|
+
logger13.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
|
|
3450
|
+
if (opts?.errorOnNotFound) {
|
|
3451
|
+
throw Error(`Could not deduce the credential endpoint for ${issuer}`);
|
|
3452
|
+
} else {
|
|
3453
|
+
credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
|
|
3454
|
+
}
|
|
3455
|
+
}
|
|
3456
|
+
if (!credentialIssuerMetadata && authMetadata) {
|
|
3457
|
+
credentialIssuerMetadata = authMetadata;
|
|
3458
|
+
}
|
|
3459
|
+
const ci = credentialIssuerMetadata ?? {};
|
|
3460
|
+
const ciAuthorizationServers = Array.isArray(ci.authorization_servers) && ci.authorization_servers.length > 0 ? ci.authorization_servers : authorization_servers;
|
|
3461
|
+
const v15CredentialIssuerMetadata = {
|
|
3462
|
+
credential_issuer: ci.credential_issuer ?? issuer,
|
|
3463
|
+
credential_endpoint,
|
|
3464
|
+
authorization_servers: ciAuthorizationServers,
|
|
3465
|
+
credential_configurations_supported: ci.credential_configurations_supported ?? {},
|
|
3466
|
+
display: ci.display ?? [],
|
|
3467
|
+
...nonce_endpoint && {
|
|
3468
|
+
nonce_endpoint
|
|
3469
|
+
},
|
|
3470
|
+
...deferred_credential_endpoint && {
|
|
3471
|
+
deferred_credential_endpoint
|
|
3472
|
+
}
|
|
3473
|
+
};
|
|
3474
|
+
logger13.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
3475
|
+
return {
|
|
3476
|
+
issuer,
|
|
3477
|
+
token_endpoint,
|
|
3478
|
+
credential_endpoint,
|
|
3479
|
+
authorization_challenge_endpoint,
|
|
3480
|
+
authorizationServerType,
|
|
3481
|
+
credentialIssuerMetadata: v15CredentialIssuerMetadata,
|
|
3482
|
+
authorizationServerMetadata: authMetadata
|
|
3483
|
+
};
|
|
3484
|
+
}
|
|
3485
|
+
/**
|
|
3486
|
+
* Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
|
|
3487
|
+
*
|
|
3488
|
+
* @param issuerHost The issuer hostname
|
|
3489
|
+
* @param opts
|
|
3490
|
+
*/
|
|
3491
|
+
static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
|
|
3492
|
+
return retrieveWellknown(issuerHost, import_oid4vci_common25.WellKnownEndpoints.OPENID4VCI_ISSUER, {
|
|
3493
|
+
errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
|
|
3494
|
+
});
|
|
3495
|
+
}
|
|
3496
|
+
};
|
|
3497
|
+
|
|
3498
|
+
// lib/OpenID4VCIClient.ts
|
|
3499
|
+
var import_oid4vci_common26 = require("@sphereon/oid4vci-common");
|
|
3500
|
+
var import_ssi_types16 = require("@sphereon/ssi-types");
|
|
3501
|
+
var logger14 = import_ssi_types16.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
3502
|
+
var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
3503
|
+
static {
|
|
3504
|
+
__name(this, "OpenID4VCIClient");
|
|
3505
|
+
}
|
|
3506
|
+
_state;
|
|
3507
|
+
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
3508
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common26.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
3509
|
+
if (!issuer) {
|
|
3510
|
+
throw Error("No credential issuer supplied or deduced from offer");
|
|
3511
|
+
}
|
|
3512
|
+
this._state = {
|
|
3513
|
+
credentialOffer,
|
|
3514
|
+
credentialIssuer: issuer,
|
|
3515
|
+
kid,
|
|
3516
|
+
alg,
|
|
3517
|
+
// TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
|
|
3518
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common26.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
3519
|
+
pkce: {
|
|
3520
|
+
disabled: false,
|
|
3521
|
+
codeChallengeMethod: import_oid4vci_common26.CodeChallengeMethod.S256,
|
|
3522
|
+
...pkce
|
|
3523
|
+
},
|
|
3524
|
+
authorizationRequestOpts,
|
|
3525
|
+
authorizationCodeResponse,
|
|
3526
|
+
accessToken,
|
|
3527
|
+
jwk,
|
|
3528
|
+
endpointMetadata: endpointMetadata?.credentialIssuerMetadata?.authorization_server ? endpointMetadata : endpointMetadata,
|
|
3529
|
+
accessTokenResponse,
|
|
3530
|
+
authorizationURL
|
|
3531
|
+
};
|
|
3532
|
+
if (!this._state.authorizationRequestOpts) {
|
|
3533
|
+
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
3534
|
+
}
|
|
3535
|
+
logger14.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
3536
|
+
}
|
|
3537
|
+
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
|
|
3538
|
+
const client = new _OpenID4VCIClient({
|
|
3539
|
+
kid,
|
|
3540
|
+
alg,
|
|
3541
|
+
clientId: clientId ?? authorizationRequest?.clientId,
|
|
3542
|
+
credentialIssuer,
|
|
3543
|
+
pkce,
|
|
3544
|
+
authorizationRequest,
|
|
3545
|
+
endpointMetadata
|
|
3546
|
+
});
|
|
3547
|
+
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
3548
|
+
await client.retrieveServerMetadata();
|
|
3549
|
+
}
|
|
3550
|
+
if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
|
|
3551
|
+
await client.createAuthorizationRequestUrl({
|
|
3552
|
+
authorizationRequest,
|
|
3553
|
+
pkce
|
|
3554
|
+
});
|
|
3555
|
+
}
|
|
3556
|
+
return client;
|
|
3557
|
+
}
|
|
3558
|
+
static async fromState({ state }) {
|
|
3559
|
+
const clientState = typeof state === "string" ? JSON.parse(state) : state;
|
|
3560
|
+
return new _OpenID4VCIClient(clientState);
|
|
3561
|
+
}
|
|
3562
|
+
static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, endpointMetadata }) {
|
|
3563
|
+
const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
|
|
3564
|
+
resolve: resolveOfferUri
|
|
3565
|
+
});
|
|
3566
|
+
const client = new _OpenID4VCIClient({
|
|
3567
|
+
credentialOffer: credentialOfferClient,
|
|
3568
|
+
kid,
|
|
3569
|
+
alg,
|
|
3570
|
+
clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
|
|
3571
|
+
pkce,
|
|
3572
|
+
authorizationRequest,
|
|
3573
|
+
endpointMetadata
|
|
3574
|
+
});
|
|
3575
|
+
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
3576
|
+
await client.retrieveServerMetadata();
|
|
3577
|
+
}
|
|
3578
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common26.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
|
|
3579
|
+
await client.createAuthorizationRequestUrl({
|
|
3580
|
+
authorizationRequest,
|
|
3581
|
+
pkce
|
|
3582
|
+
});
|
|
3583
|
+
logger14.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
3584
|
+
}
|
|
3585
|
+
return client;
|
|
3586
|
+
}
|
|
3587
|
+
/**
|
|
3588
|
+
* Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
|
|
3589
|
+
*
|
|
3590
|
+
* The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
|
|
3591
|
+
* @param opts
|
|
3592
|
+
*/
|
|
3593
|
+
async createAuthorizationRequestUrl(opts) {
|
|
3594
|
+
if (!this._state.authorizationURL) {
|
|
3595
|
+
this.calculatePKCEOpts(opts?.pkce);
|
|
3596
|
+
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
|
|
3597
|
+
if (!this._state.authorizationRequestOpts) {
|
|
3598
|
+
throw Error(`No Authorization Request options present or provided in this call`);
|
|
3599
|
+
}
|
|
3600
|
+
if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
|
|
3601
|
+
this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
|
|
3602
|
+
}
|
|
3603
|
+
if (this.version() <= import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_11) {
|
|
3604
|
+
this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
|
|
3605
|
+
pkce: this._state.pkce,
|
|
3606
|
+
endpointMetadata: this.endpointMetadata,
|
|
3607
|
+
authorizationRequest: this._state.authorizationRequestOpts,
|
|
3608
|
+
credentialOffer: this.credentialOffer,
|
|
3609
|
+
credentialsSupported: Object.values(this.getCredentialsSupported(true))
|
|
3610
|
+
});
|
|
3611
|
+
} else {
|
|
3612
|
+
this._state.authorizationURL = await createAuthorizationRequestUrl({
|
|
3613
|
+
pkce: this._state.pkce,
|
|
3614
|
+
endpointMetadata: this.endpointMetadata,
|
|
3615
|
+
authorizationRequest: this._state.authorizationRequestOpts,
|
|
3616
|
+
credentialOffer: this.credentialOffer,
|
|
3617
|
+
credentialConfigurationSupported: this.getCredentialsSupported(false)
|
|
3618
|
+
});
|
|
3619
|
+
}
|
|
3620
|
+
}
|
|
3621
|
+
return this._state.authorizationURL;
|
|
3622
|
+
}
|
|
3623
|
+
async retrieveServerMetadata() {
|
|
3624
|
+
this.assertIssuerData();
|
|
3625
|
+
if (!this._state.endpointMetadata) {
|
|
3626
|
+
if (this.credentialOffer) {
|
|
3627
|
+
this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
|
|
3628
|
+
} else if (this._state.credentialIssuer) {
|
|
3629
|
+
this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
|
|
3630
|
+
} else {
|
|
3631
|
+
throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
|
|
3632
|
+
}
|
|
3633
|
+
}
|
|
3634
|
+
return this.endpointMetadata;
|
|
3635
|
+
}
|
|
3636
|
+
calculatePKCEOpts(pkce) {
|
|
3637
|
+
this._state.pkce = generateMissingPKCEOpts({
|
|
3638
|
+
...this._state.pkce,
|
|
3639
|
+
...pkce
|
|
3640
|
+
});
|
|
3641
|
+
}
|
|
3642
|
+
async acquireAuthorizationChallengeCode(opts) {
|
|
3643
|
+
const response = await acquireAuthorizationChallengeAuthCode({
|
|
3644
|
+
metadata: this.endpointMetadata,
|
|
3645
|
+
credentialIssuer: this.getIssuer(),
|
|
3646
|
+
clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
|
|
3647
|
+
...opts
|
|
3648
|
+
});
|
|
3649
|
+
if (response.errorBody) {
|
|
3650
|
+
logger14.debug(`Authorization code error:\r
|
|
3651
|
+
${JSON.stringify(response.errorBody)}`);
|
|
3652
|
+
const error = response.errorBody;
|
|
3653
|
+
return Promise.reject(error);
|
|
3654
|
+
} else if (!response.successBody) {
|
|
3655
|
+
logger14.debug(`Authorization code error. No success body`);
|
|
3656
|
+
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
3657
|
+
}
|
|
3658
|
+
return {
|
|
3659
|
+
...response.successBody
|
|
3660
|
+
};
|
|
3661
|
+
}
|
|
3662
|
+
async acquireAccessToken(opts) {
|
|
3663
|
+
const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
|
|
3664
|
+
let { redirectUri } = opts ?? {};
|
|
3665
|
+
const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
|
|
3666
|
+
if (opts?.codeVerifier) {
|
|
3667
|
+
this._state.pkce.codeVerifier = opts.codeVerifier;
|
|
3668
|
+
}
|
|
3669
|
+
this.assertIssuerData();
|
|
3670
|
+
const asOpts = {
|
|
3671
|
+
...opts?.asOpts
|
|
3672
|
+
};
|
|
3673
|
+
const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
|
|
3674
|
+
const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
|
|
3675
|
+
if (this.isEBSI() || clientId && kid) {
|
|
3676
|
+
if (!clientId) {
|
|
3677
|
+
throw Error(`Client id expected for EBSI`);
|
|
3678
|
+
}
|
|
3679
|
+
asOpts.clientOpts = {
|
|
3680
|
+
...asOpts.clientOpts,
|
|
3681
|
+
clientId,
|
|
3682
|
+
...kid && {
|
|
3683
|
+
kid
|
|
3684
|
+
},
|
|
3685
|
+
...clientAssertionType && {
|
|
3686
|
+
clientAssertionType
|
|
3687
|
+
},
|
|
3688
|
+
signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
|
|
3689
|
+
};
|
|
3690
|
+
}
|
|
3691
|
+
if (clientId) {
|
|
3692
|
+
this._state.clientId = clientId;
|
|
3693
|
+
if (!asOpts.clientOpts) {
|
|
3694
|
+
asOpts.clientOpts = {
|
|
3695
|
+
clientId
|
|
3696
|
+
};
|
|
3697
|
+
}
|
|
3698
|
+
asOpts.clientOpts.clientId = clientId;
|
|
3699
|
+
}
|
|
3700
|
+
if (!this._state.accessTokenResponse) {
|
|
3701
|
+
const accessTokenClient = this.version() <= import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_12 ? new AccessTokenClientV1_0_11() : new AccessTokenClient();
|
|
3702
|
+
if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
|
|
3703
|
+
console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
|
|
3704
|
+
}
|
|
3705
|
+
if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
|
|
3706
|
+
redirectUri = this._state.authorizationRequestOpts.redirectUri;
|
|
3707
|
+
}
|
|
3708
|
+
const response = await accessTokenClient.acquireAccessToken({
|
|
3709
|
+
credentialOffer: this.credentialOffer,
|
|
3710
|
+
metadata: this.endpointMetadata,
|
|
3711
|
+
credentialIssuer: this.getIssuer(),
|
|
3712
|
+
pin,
|
|
3713
|
+
...!this._state.pkce.disabled && {
|
|
3714
|
+
codeVerifier: this._state.pkce.codeVerifier
|
|
3715
|
+
},
|
|
3716
|
+
code,
|
|
3717
|
+
redirectUri,
|
|
3718
|
+
asOpts,
|
|
3719
|
+
...opts?.createDPoPOpts && {
|
|
3720
|
+
createDPoPOpts: opts.createDPoPOpts
|
|
3721
|
+
},
|
|
3722
|
+
...opts?.additionalRequestParams && {
|
|
3723
|
+
additionalParams: opts.additionalRequestParams
|
|
3724
|
+
}
|
|
3725
|
+
});
|
|
3726
|
+
if (response.errorBody) {
|
|
3727
|
+
logger14.debug(`Access token error:\r
|
|
3728
|
+
${JSON.stringify(response.errorBody)}`);
|
|
3729
|
+
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3730
|
+
} else if (!response.successBody) {
|
|
3731
|
+
logger14.debug(`Access token error. No success body`);
|
|
3732
|
+
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3733
|
+
}
|
|
3734
|
+
this._state.accessTokenResponse = response.successBody;
|
|
3735
|
+
this._state.dpopResponseParams = response.params;
|
|
3736
|
+
this._state.accessToken = response.successBody.access_token;
|
|
3737
|
+
}
|
|
3738
|
+
return {
|
|
3739
|
+
...this.accessTokenResponse,
|
|
3740
|
+
...this.dpopResponseParams && {
|
|
3741
|
+
params: this.dpopResponseParams
|
|
3742
|
+
}
|
|
3743
|
+
};
|
|
3744
|
+
}
|
|
3745
|
+
async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
3746
|
+
if ([
|
|
3747
|
+
jwk,
|
|
3748
|
+
kid
|
|
3749
|
+
].filter((v) => v !== void 0).length > 1) {
|
|
3750
|
+
throw new Error(import_oid4vci_common26.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
3751
|
+
}
|
|
3752
|
+
if (alg) this._state.alg = alg;
|
|
3753
|
+
if (jwk) this._state.jwk = jwk;
|
|
3754
|
+
if (kid) this._state.kid = kid;
|
|
3755
|
+
let requestBuilder;
|
|
3756
|
+
if (this.version() < import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_13) {
|
|
3757
|
+
requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
|
|
3758
|
+
credentialOffer: this.credentialOffer,
|
|
3759
|
+
metadata: this.endpointMetadata
|
|
3760
|
+
}) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
|
|
3761
|
+
credentialIssuer: this.getIssuer(),
|
|
3762
|
+
credentialTypes,
|
|
3763
|
+
metadata: this.endpointMetadata,
|
|
3764
|
+
version: this.version()
|
|
3765
|
+
});
|
|
3766
|
+
} else {
|
|
3767
|
+
requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
|
|
3768
|
+
credentialOffer: this.credentialOffer,
|
|
3769
|
+
metadata: this.endpointMetadata
|
|
3770
|
+
}) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
3771
|
+
credentialIssuer: this.getIssuer(),
|
|
3772
|
+
credentialTypes,
|
|
3773
|
+
metadata: this.endpointMetadata,
|
|
3774
|
+
version: this.version()
|
|
3775
|
+
});
|
|
3776
|
+
}
|
|
3777
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common26.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
3778
|
+
requestBuilder.withIssuerState(issuerState);
|
|
3779
|
+
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
3780
|
+
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
3781
|
+
let subjectIssuance;
|
|
3782
|
+
if (this.endpointMetadata?.credentialIssuerMetadata) {
|
|
3783
|
+
const metadata = this.endpointMetadata.credentialIssuerMetadata;
|
|
3784
|
+
const types = Array.isArray(credentialTypes) ? credentialTypes : [
|
|
3785
|
+
credentialTypes
|
|
3786
|
+
];
|
|
3787
|
+
if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
|
|
3788
|
+
let typeSupported = false;
|
|
3789
|
+
metadata.credentials_supported.forEach((supportedCredential) => {
|
|
3790
|
+
const subTypes = (0, import_oid4vci_common26.getTypesFromCredentialSupported)(supportedCredential);
|
|
3791
|
+
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3792
|
+
typeSupported = true;
|
|
3793
|
+
if (supportedCredential.credential_subject_issuance) {
|
|
3794
|
+
subjectIssuance = {
|
|
3795
|
+
credential_subject_issuance: supportedCredential.credential_subject_issuance
|
|
3796
|
+
};
|
|
3797
|
+
}
|
|
3798
|
+
}
|
|
3799
|
+
});
|
|
3800
|
+
if (!typeSupported) {
|
|
3801
|
+
console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
|
|
3802
|
+
}
|
|
3803
|
+
} else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
|
|
3804
|
+
const credentialsSupported = metadata.credentials_supported;
|
|
3805
|
+
if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
|
|
3806
|
+
throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
|
|
3807
|
+
}
|
|
3808
|
+
}
|
|
3809
|
+
}
|
|
3810
|
+
if (subjectIssuance) {
|
|
3811
|
+
requestBuilder.withSubjectIssuance(subjectIssuance);
|
|
3812
|
+
}
|
|
3813
|
+
const credentialRequestClient = requestBuilder.build();
|
|
3814
|
+
const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
|
|
3815
|
+
accessTokenResponse: this.accessTokenResponse,
|
|
3816
|
+
callbacks: proofCallbacks,
|
|
3817
|
+
version: this.version()
|
|
3818
|
+
}).withIssuer(this.getIssuer()).withAlg(this.alg);
|
|
3819
|
+
if (this._state.jwk) {
|
|
3820
|
+
proofBuilder.withJWK(this._state.jwk);
|
|
3821
|
+
}
|
|
3822
|
+
if (this._state.kid) {
|
|
3823
|
+
proofBuilder.withKid(this._state.kid);
|
|
3824
|
+
}
|
|
3825
|
+
if (this.clientId) {
|
|
3826
|
+
proofBuilder.withClientId(this.clientId);
|
|
3827
|
+
}
|
|
3828
|
+
if (jti) {
|
|
3829
|
+
proofBuilder.withJti(jti);
|
|
3830
|
+
}
|
|
3831
|
+
const response = await credentialRequestClient.acquireCredentialsUsingProof({
|
|
3832
|
+
proofInput: proofBuilder,
|
|
3833
|
+
credentialTypes,
|
|
3834
|
+
context,
|
|
3835
|
+
format,
|
|
3836
|
+
subjectIssuance,
|
|
3837
|
+
createDPoPOpts
|
|
3838
|
+
});
|
|
3839
|
+
this._state.dpopResponseParams = response.params;
|
|
3840
|
+
if (response.errorBody) {
|
|
3841
|
+
logger14.debug(`Credential request error:\r
|
|
3842
|
+
${JSON.stringify(response.errorBody)}`);
|
|
3843
|
+
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3844
|
+
} else if (!response.successBody) {
|
|
3845
|
+
logger14.debug(`Credential request error. No success body`);
|
|
3846
|
+
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3847
|
+
}
|
|
3848
|
+
return {
|
|
3849
|
+
...response.successBody,
|
|
3850
|
+
...this.dpopResponseParams && {
|
|
3851
|
+
params: this.dpopResponseParams
|
|
3852
|
+
},
|
|
3853
|
+
access_token: response.access_token
|
|
3854
|
+
};
|
|
3855
|
+
}
|
|
3856
|
+
async exportState() {
|
|
3857
|
+
return JSON.stringify(this._state);
|
|
3858
|
+
}
|
|
3859
|
+
getCredentialsSupported(restrictToInitiationTypes, format) {
|
|
3860
|
+
return (0, import_oid4vci_common26.getSupportedCredentials)({
|
|
3861
|
+
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
3862
|
+
version: this.version(),
|
|
3863
|
+
format,
|
|
3864
|
+
types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
|
|
3865
|
+
});
|
|
3866
|
+
}
|
|
3867
|
+
async sendNotification(credentialRequestOpts, request, accessToken) {
|
|
3868
|
+
return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
|
|
3869
|
+
}
|
|
3870
|
+
getCredentialOfferTypes() {
|
|
3871
|
+
if (!this.credentialOffer) {
|
|
3872
|
+
return [];
|
|
3873
|
+
} else if (this.version() < import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_11) {
|
|
3874
|
+
const orig = this.credentialOffer.original_credential_offer;
|
|
3875
|
+
const types = typeof orig.credential_type === "string" ? [
|
|
3876
|
+
orig.credential_type
|
|
3877
|
+
] : orig.credential_type;
|
|
3878
|
+
const result = [];
|
|
3879
|
+
result[0] = types;
|
|
3880
|
+
return result;
|
|
3881
|
+
} else if (this.version() < import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_13) {
|
|
3882
|
+
return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common26.getTypesFromObject)(c) ?? []);
|
|
3883
|
+
}
|
|
3884
|
+
return void 0;
|
|
3885
|
+
}
|
|
3886
|
+
issuerSupportedFlowTypes() {
|
|
3887
|
+
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
|
|
3888
|
+
import_oid4vci_common26.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
3889
|
+
] : []);
|
|
3890
|
+
}
|
|
3891
|
+
isFlowTypeSupported(flowType) {
|
|
3892
|
+
return this.issuerSupportedFlowTypes().includes(flowType);
|
|
3893
|
+
}
|
|
3894
|
+
get authorizationURL() {
|
|
3895
|
+
return this._state.authorizationURL;
|
|
3896
|
+
}
|
|
3897
|
+
hasAuthorizationURL() {
|
|
3898
|
+
return !!this.authorizationURL;
|
|
3899
|
+
}
|
|
3900
|
+
get credentialOffer() {
|
|
3901
|
+
return this._state.credentialOffer;
|
|
3902
|
+
}
|
|
3903
|
+
version() {
|
|
3904
|
+
if (this.credentialOffer?.version && this.credentialOffer.version !== import_oid4vci_common26.OpenId4VCIVersion.VER_UNKNOWN) {
|
|
3905
|
+
return this.credentialOffer.version;
|
|
3906
|
+
}
|
|
3907
|
+
const metadata = this._state.endpointMetadata;
|
|
3908
|
+
if (metadata?.credentialIssuerMetadata) {
|
|
3909
|
+
const versions = (0, import_oid4vci_common26.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
|
|
3910
|
+
if (versions.length > 0 && !versions.includes(import_oid4vci_common26.OpenId4VCIVersion.VER_UNKNOWN)) {
|
|
3911
|
+
return versions[0];
|
|
3912
|
+
}
|
|
3913
|
+
}
|
|
3914
|
+
return import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_15;
|
|
3915
|
+
}
|
|
3916
|
+
get endpointMetadata() {
|
|
3917
|
+
this.assertServerMetadata();
|
|
3918
|
+
return this._state.endpointMetadata;
|
|
3919
|
+
}
|
|
3920
|
+
get kid() {
|
|
3921
|
+
this.assertIssuerData();
|
|
3922
|
+
if (!this._state.kid) {
|
|
3923
|
+
throw new Error("No value for kid is supplied");
|
|
3924
|
+
}
|
|
3925
|
+
return this._state.kid;
|
|
3926
|
+
}
|
|
3927
|
+
get alg() {
|
|
3928
|
+
this.assertIssuerData();
|
|
3929
|
+
if (!this._state.alg) {
|
|
3930
|
+
throw new Error("No value for alg is supplied");
|
|
3931
|
+
}
|
|
3932
|
+
return this._state.alg;
|
|
3933
|
+
}
|
|
3934
|
+
set clientId(value) {
|
|
3935
|
+
this._state.clientId = value;
|
|
3936
|
+
}
|
|
3937
|
+
get clientId() {
|
|
3938
|
+
return this._state.clientId;
|
|
3939
|
+
}
|
|
3940
|
+
hasAccessTokenResponse() {
|
|
3941
|
+
return !!this._state.accessTokenResponse;
|
|
3942
|
+
}
|
|
3943
|
+
get accessTokenResponse() {
|
|
3944
|
+
this.assertAccessToken();
|
|
3945
|
+
return this._state.accessTokenResponse;
|
|
3946
|
+
}
|
|
3947
|
+
get dpopResponseParams() {
|
|
3948
|
+
return this._state.dpopResponseParams;
|
|
3949
|
+
}
|
|
3950
|
+
getIssuer() {
|
|
3951
|
+
this.assertIssuerData();
|
|
3952
|
+
return this._state.credentialIssuer;
|
|
3953
|
+
}
|
|
3954
|
+
getAccessTokenEndpoint() {
|
|
3955
|
+
this.assertIssuerData();
|
|
3956
|
+
if (this.endpointMetadata) {
|
|
3957
|
+
return this.endpointMetadata.token_endpoint;
|
|
3958
|
+
}
|
|
3959
|
+
return this.version() <= import_oid4vci_common26.OpenId4VCIVersion.VER_1_0_12 ? AccessTokenClientV1_0_11.determineTokenURL({
|
|
3960
|
+
issuerOpts: {
|
|
3961
|
+
issuer: this.getIssuer()
|
|
3962
|
+
}
|
|
3963
|
+
}) : AccessTokenClient.determineTokenURL({
|
|
3964
|
+
issuerOpts: {
|
|
3965
|
+
issuer: this.getIssuer()
|
|
3966
|
+
}
|
|
3967
|
+
});
|
|
3968
|
+
}
|
|
3969
|
+
getCredentialEndpoint() {
|
|
3970
|
+
this.assertIssuerData();
|
|
3971
|
+
return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
|
|
3972
|
+
}
|
|
3973
|
+
getAuthorizationChallengeEndpoint() {
|
|
3974
|
+
this.assertIssuerData();
|
|
3975
|
+
return this.endpointMetadata?.authorization_challenge_endpoint;
|
|
3002
3976
|
}
|
|
3003
|
-
|
|
3004
|
-
this.
|
|
3005
|
-
return this;
|
|
3977
|
+
hasAuthorizationChallengeEndpoint() {
|
|
3978
|
+
return !!this.getAuthorizationChallengeEndpoint();
|
|
3006
3979
|
}
|
|
3007
|
-
|
|
3008
|
-
this.
|
|
3009
|
-
return this;
|
|
3980
|
+
hasDeferredCredentialEndpoint() {
|
|
3981
|
+
return !!this.getAccessTokenEndpoint();
|
|
3010
3982
|
}
|
|
3011
|
-
|
|
3012
|
-
this.
|
|
3013
|
-
return this
|
|
3983
|
+
getDeferredCredentialEndpoint() {
|
|
3984
|
+
this.assertIssuerData();
|
|
3985
|
+
return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
|
|
3014
3986
|
}
|
|
3015
|
-
|
|
3016
|
-
|
|
3017
|
-
|
|
3987
|
+
/**
|
|
3988
|
+
* Too bad we need a method like this, but EBSI is not exposing metadata
|
|
3989
|
+
*/
|
|
3990
|
+
isEBSI() {
|
|
3991
|
+
if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
|
|
3992
|
+
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
|
|
3993
|
+
// @ts-ignore
|
|
3994
|
+
typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
|
|
3995
|
+
))) {
|
|
3996
|
+
return true;
|
|
3997
|
+
}
|
|
3998
|
+
return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
|
|
3018
3999
|
}
|
|
3019
|
-
|
|
3020
|
-
this.
|
|
3021
|
-
|
|
4000
|
+
assertIssuerData() {
|
|
4001
|
+
if (!this._state.credentialIssuer) {
|
|
4002
|
+
throw Error(`No credential issuer value present`);
|
|
4003
|
+
} else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
|
|
4004
|
+
throw Error(`No issuance initiation or credential offer present`);
|
|
4005
|
+
}
|
|
3022
4006
|
}
|
|
3023
|
-
|
|
3024
|
-
this.
|
|
3025
|
-
|
|
4007
|
+
assertServerMetadata() {
|
|
4008
|
+
if (!this._state.endpointMetadata) {
|
|
4009
|
+
throw Error("No server metadata");
|
|
4010
|
+
}
|
|
3026
4011
|
}
|
|
3027
|
-
|
|
3028
|
-
|
|
4012
|
+
assertAccessToken() {
|
|
4013
|
+
if (!this._state.accessTokenResponse) {
|
|
4014
|
+
throw Error(`No access token present`);
|
|
4015
|
+
}
|
|
4016
|
+
}
|
|
4017
|
+
syncAuthorizationRequestOpts(opts) {
|
|
4018
|
+
const requestObjectOpts = {
|
|
4019
|
+
...this._state?.authorizationRequestOpts?.requestObjectOpts,
|
|
4020
|
+
...opts?.requestObjectOpts
|
|
4021
|
+
};
|
|
4022
|
+
let authorizationRequestOpts = {
|
|
4023
|
+
...this._state?.authorizationRequestOpts,
|
|
4024
|
+
...opts,
|
|
4025
|
+
...requestObjectOpts && {
|
|
4026
|
+
requestObjectOpts
|
|
4027
|
+
}
|
|
4028
|
+
};
|
|
4029
|
+
if (!authorizationRequestOpts) {
|
|
4030
|
+
authorizationRequestOpts = {
|
|
4031
|
+
redirectUri: `${import_oid4vci_common26.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
4032
|
+
};
|
|
4033
|
+
}
|
|
4034
|
+
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
4035
|
+
this._state.clientId = clientId;
|
|
4036
|
+
authorizationRequestOpts.clientId = clientId;
|
|
4037
|
+
return authorizationRequestOpts;
|
|
3029
4038
|
}
|
|
4039
|
+
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
4040
|
+
if (authorizationResponse) {
|
|
4041
|
+
this._state.authorizationCodeResponse = {
|
|
4042
|
+
...(0, import_oid4vci_common26.toAuthorizationResponsePayload)(authorizationResponse)
|
|
4043
|
+
};
|
|
4044
|
+
} else if (code) {
|
|
4045
|
+
this._state.authorizationCodeResponse = {
|
|
4046
|
+
code
|
|
4047
|
+
};
|
|
4048
|
+
}
|
|
4049
|
+
return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
|
|
4050
|
+
}, "getAuthorizationCode");
|
|
3030
4051
|
};
|
|
3031
4052
|
|
|
3032
|
-
// lib/
|
|
3033
|
-
var
|
|
3034
|
-
var
|
|
3035
|
-
var
|
|
3036
|
-
var
|
|
4053
|
+
// lib/OpenID4VCIClientV1_0_15.ts
|
|
4054
|
+
var import_oid4vci_common27 = require("@sphereon/oid4vci-common");
|
|
4055
|
+
var import_ssi_types17 = require("@sphereon/ssi-types");
|
|
4056
|
+
var logger15 = import_ssi_types17.Loggers.DEFAULT.get("sphereon:oid4vci:v15");
|
|
4057
|
+
var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
3037
4058
|
static {
|
|
3038
|
-
__name(this, "
|
|
4059
|
+
__name(this, "OpenID4VCIClientV1_0_15");
|
|
3039
4060
|
}
|
|
3040
4061
|
_state;
|
|
3041
|
-
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest,
|
|
3042
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
4062
|
+
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL, keyAttestation }) {
|
|
4063
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common27.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
3043
4064
|
if (!issuer) {
|
|
3044
4065
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
3045
4066
|
}
|
|
@@ -3048,40 +4069,39 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3048
4069
|
credentialIssuer: issuer,
|
|
3049
4070
|
kid,
|
|
3050
4071
|
alg,
|
|
3051
|
-
|
|
3052
|
-
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common23.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
4072
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common27.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
3053
4073
|
pkce: {
|
|
3054
4074
|
disabled: false,
|
|
3055
|
-
codeChallengeMethod:
|
|
4075
|
+
codeChallengeMethod: import_oid4vci_common27.CodeChallengeMethod.S256,
|
|
3056
4076
|
...pkce
|
|
3057
4077
|
},
|
|
3058
4078
|
authorizationRequestOpts,
|
|
3059
4079
|
authorizationCodeResponse,
|
|
3060
|
-
accessToken,
|
|
3061
4080
|
jwk,
|
|
3062
|
-
endpointMetadata
|
|
4081
|
+
endpointMetadata,
|
|
3063
4082
|
accessTokenResponse,
|
|
3064
|
-
authorizationURL
|
|
4083
|
+
authorizationURL,
|
|
4084
|
+
keyAttestation
|
|
3065
4085
|
};
|
|
3066
4086
|
if (!this._state.authorizationRequestOpts) {
|
|
3067
4087
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
3068
4088
|
}
|
|
3069
|
-
|
|
4089
|
+
logger15.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
3070
4090
|
}
|
|
3071
|
-
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL,
|
|
3072
|
-
const client = new
|
|
4091
|
+
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, keyAttestation }) {
|
|
4092
|
+
const client = new _OpenID4VCIClientV1_0_15({
|
|
3073
4093
|
kid,
|
|
3074
4094
|
alg,
|
|
3075
4095
|
clientId: clientId ?? authorizationRequest?.clientId,
|
|
3076
4096
|
credentialIssuer,
|
|
3077
4097
|
pkce,
|
|
3078
4098
|
authorizationRequest,
|
|
3079
|
-
|
|
4099
|
+
keyAttestation
|
|
3080
4100
|
});
|
|
3081
|
-
if (retrieveServerMetadata
|
|
4101
|
+
if (retrieveServerMetadata !== false) {
|
|
3082
4102
|
await client.retrieveServerMetadata();
|
|
3083
4103
|
}
|
|
3084
|
-
if (createAuthorizationRequestURL
|
|
4104
|
+
if (createAuthorizationRequestURL !== false) {
|
|
3085
4105
|
await client.createAuthorizationRequestUrl({
|
|
3086
4106
|
authorizationRequest,
|
|
3087
4107
|
pkce
|
|
@@ -3091,39 +4111,33 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3091
4111
|
}
|
|
3092
4112
|
static async fromState({ state }) {
|
|
3093
4113
|
const clientState = typeof state === "string" ? JSON.parse(state) : state;
|
|
3094
|
-
return new
|
|
4114
|
+
return new _OpenID4VCIClientV1_0_15(clientState);
|
|
3095
4115
|
}
|
|
3096
|
-
static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri,
|
|
3097
|
-
const credentialOfferClient = await
|
|
4116
|
+
static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, keyAttestation }) {
|
|
4117
|
+
const credentialOfferClient = await CredentialOfferClientV1_0_15.fromURI(uri, {
|
|
3098
4118
|
resolve: resolveOfferUri
|
|
3099
4119
|
});
|
|
3100
|
-
const client = new
|
|
4120
|
+
const client = new _OpenID4VCIClientV1_0_15({
|
|
3101
4121
|
credentialOffer: credentialOfferClient,
|
|
3102
4122
|
kid,
|
|
3103
4123
|
alg,
|
|
3104
4124
|
clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
|
|
3105
4125
|
pkce,
|
|
3106
4126
|
authorizationRequest,
|
|
3107
|
-
|
|
4127
|
+
keyAttestation
|
|
3108
4128
|
});
|
|
3109
|
-
if (retrieveServerMetadata
|
|
4129
|
+
if (retrieveServerMetadata !== false) {
|
|
3110
4130
|
await client.retrieveServerMetadata();
|
|
3111
4131
|
}
|
|
3112
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
4132
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common27.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && createAuthorizationRequestURL !== false) {
|
|
3113
4133
|
await client.createAuthorizationRequestUrl({
|
|
3114
4134
|
authorizationRequest,
|
|
3115
4135
|
pkce
|
|
3116
4136
|
});
|
|
3117
|
-
|
|
4137
|
+
logger15.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
3118
4138
|
}
|
|
3119
4139
|
return client;
|
|
3120
4140
|
}
|
|
3121
|
-
/**
|
|
3122
|
-
* Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
|
|
3123
|
-
*
|
|
3124
|
-
* The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
|
|
3125
|
-
* @param opts
|
|
3126
|
-
*/
|
|
3127
4141
|
async createAuthorizationRequestUrl(opts) {
|
|
3128
4142
|
if (!this._state.authorizationURL) {
|
|
3129
4143
|
this.calculatePKCEOpts(opts?.pkce);
|
|
@@ -3134,23 +4148,13 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3134
4148
|
if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
|
|
3135
4149
|
this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
|
|
3136
4150
|
}
|
|
3137
|
-
|
|
3138
|
-
this._state.
|
|
3139
|
-
|
|
3140
|
-
|
|
3141
|
-
|
|
3142
|
-
|
|
3143
|
-
|
|
3144
|
-
});
|
|
3145
|
-
} else {
|
|
3146
|
-
this._state.authorizationURL = await createAuthorizationRequestUrl({
|
|
3147
|
-
pkce: this._state.pkce,
|
|
3148
|
-
endpointMetadata: this.endpointMetadata,
|
|
3149
|
-
authorizationRequest: this._state.authorizationRequestOpts,
|
|
3150
|
-
credentialOffer: this.credentialOffer,
|
|
3151
|
-
credentialConfigurationSupported: this.getCredentialsSupported(false)
|
|
3152
|
-
});
|
|
3153
|
-
}
|
|
4151
|
+
this._state.authorizationURL = await createAuthorizationRequestUrl({
|
|
4152
|
+
pkce: this._state.pkce,
|
|
4153
|
+
endpointMetadata: this.endpointMetadata,
|
|
4154
|
+
authorizationRequest: this._state.authorizationRequestOpts,
|
|
4155
|
+
credentialOffer: this.credentialOffer,
|
|
4156
|
+
credentialConfigurationSupported: this.getCredentialsSupported(false)
|
|
4157
|
+
});
|
|
3154
4158
|
}
|
|
3155
4159
|
return this._state.authorizationURL;
|
|
3156
4160
|
}
|
|
@@ -3158,15 +4162,34 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3158
4162
|
this.assertIssuerData();
|
|
3159
4163
|
if (!this._state.endpointMetadata) {
|
|
3160
4164
|
if (this.credentialOffer) {
|
|
3161
|
-
this._state.endpointMetadata = await
|
|
4165
|
+
this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
|
|
3162
4166
|
} else if (this._state.credentialIssuer) {
|
|
3163
|
-
this._state.endpointMetadata = await
|
|
4167
|
+
this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadata(this._state.credentialIssuer);
|
|
3164
4168
|
} else {
|
|
3165
4169
|
throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
|
|
3166
4170
|
}
|
|
3167
4171
|
}
|
|
3168
4172
|
return this.endpointMetadata;
|
|
3169
4173
|
}
|
|
4174
|
+
// New in v15: Nonce endpoint support
|
|
4175
|
+
async acquireNonce() {
|
|
4176
|
+
if (!this.endpointMetadata?.nonce_endpoint) {
|
|
4177
|
+
throw Error("Nonce endpoint not available");
|
|
4178
|
+
}
|
|
4179
|
+
const response = await fetch(this.endpointMetadata.nonce_endpoint, {
|
|
4180
|
+
method: "POST",
|
|
4181
|
+
headers: {
|
|
4182
|
+
"Content-Type": "application/json"
|
|
4183
|
+
},
|
|
4184
|
+
body: JSON.stringify({})
|
|
4185
|
+
});
|
|
4186
|
+
if (!response.ok) {
|
|
4187
|
+
throw Error(`Failed to acquire nonce: ${response.status}`);
|
|
4188
|
+
}
|
|
4189
|
+
const nonceResponse = await response.json();
|
|
4190
|
+
this._state.cachedCNonce = nonceResponse.c_nonce;
|
|
4191
|
+
return nonceResponse.c_nonce;
|
|
4192
|
+
}
|
|
3170
4193
|
calculatePKCEOpts(pkce) {
|
|
3171
4194
|
this._state.pkce = generateMissingPKCEOpts({
|
|
3172
4195
|
...this._state.pkce,
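Review bot: `acquireNonce()` stores `nonceResponse.c_nonce` in `_state.cachedCNonce` without checking that the issuer returned one, so a 2xx response with a missing or non-string `c_nonce` caches `undefined` and hands it back to the caller. A guard before the assignment would fail closed: `if (typeof nonceResponse?.c_nonce !== "string" || nonceResponse.c_nonce.length === 0) throw Error("Nonce response did not contain a c_nonce");`. The `fetch` call also has no timeout, so an unresponsive nonce endpoint stalls the whole credential flow; passing an `AbortSignal` with a deadline as `signal` would bound it. The one-line comment above the method could also say that the result is kept in `_state.cachedCNonce` and when it is expected to be refreshed.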
|
|
@@ -3181,12 +4204,12 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
3181
4204
|
...opts
|
|
3182
4205
|
});
|
|
3183
4206
|
if (response.errorBody) {
|
|
3184
|
-
|
|
4207
|
+
logger15.debug(`Authorization code error:\r
|
|
3185
4208
|
${JSON.stringify(response.errorBody)}`);
|
|
3186
4209
|
const error = response.errorBody;
|
|
3187
4210
|
return Promise.reject(error);
|
|
3188
4211
|
} else if (!response.successBody) {
|
|
3189
|
-
|
|
4212
|
+
logger15.debug(`Authorization code error. No success body`);
|
|
3190
4213
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
3191
4214
|
}
|
|
3192
4215
|
return {
|
|
@@ -3232,7 +4255,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3232
4255
|
asOpts.clientOpts.clientId = clientId;
|
|
3233
4256
|
}
|
|
3234
4257
|
if (!this._state.accessTokenResponse) {
|
|
3235
|
-
const accessTokenClient =
|
|
4258
|
+
const accessTokenClient = new AccessTokenClient();
|
|
3236
4259
|
if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
|
|
3237
4260
|
console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
|
|
3238
4261
|
}
|
|
@@ -3258,11 +4281,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3258
4281
|
}
|
|
3259
4282
|
});
|
|
3260
4283
|
if (response.errorBody) {
|
|
3261
|
-
|
|
4284
|
+
logger15.debug(`Access token error:\r
|
|
3262
4285
|
${JSON.stringify(response.errorBody)}`);
|
|
3263
4286
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3264
4287
|
} else if (!response.successBody) {
|
|
3265
|
-
|
|
4288
|
+
logger15.debug(`Access token error. No success body`);
|
|
3266
4289
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3267
4290
|
}
|
|
3268
4291
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -3276,68 +4299,54 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3276
4299
|
}
|
|
3277
4300
|
};
|
|
3278
4301
|
}
|
|
3279
|
-
async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
4302
|
+
async acquireCredentials({ credentialIdentifier, credentialConfigurationId, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
3280
4303
|
if ([
|
|
3281
4304
|
jwk,
|
|
3282
4305
|
kid
|
|
3283
4306
|
].filter((v) => v !== void 0).length > 1) {
|
|
3284
|
-
throw new Error(
|
|
4307
|
+
throw new Error(import_oid4vci_common27.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
3285
4308
|
}
|
|
3286
4309
|
if (alg) this._state.alg = alg;
|
|
3287
4310
|
if (jwk) this._state.jwk = jwk;
|
|
3288
4311
|
if (kid) this._state.kid = kid;
|
|
3289
|
-
|
|
3290
|
-
|
|
3291
|
-
|
|
3292
|
-
|
|
3293
|
-
|
|
3294
|
-
|
|
3295
|
-
|
|
3296
|
-
|
|
3297
|
-
|
|
3298
|
-
|
|
3299
|
-
|
|
3300
|
-
|
|
3301
|
-
requestBuilder
|
|
3302
|
-
|
|
3303
|
-
|
|
3304
|
-
}) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
|
|
3305
|
-
credentialIssuer: this.getIssuer(),
|
|
3306
|
-
credentialTypes,
|
|
3307
|
-
metadata: this.endpointMetadata,
|
|
3308
|
-
version: this.version()
|
|
3309
|
-
});
|
|
4312
|
+
const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
|
|
4313
|
+
credentialOffer: this.credentialOffer,
|
|
4314
|
+
metadata: this.endpointMetadata
|
|
4315
|
+
}) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
4316
|
+
credentialIssuer: this.getIssuer(),
|
|
4317
|
+
credentialTypes,
|
|
4318
|
+
credentialIdentifier,
|
|
4319
|
+
credentialConfigurationId,
|
|
4320
|
+
metadata: this.endpointMetadata,
|
|
4321
|
+
version: this.version()
|
|
4322
|
+
});
|
|
4323
|
+
if (credentialIdentifier) {
|
|
4324
|
+
requestBuilder.withCredentialIdentifier(credentialIdentifier);
|
|
4325
|
+
} else if (credentialConfigurationId) {
|
|
4326
|
+
requestBuilder.withCredentialConfigurationId(credentialConfigurationId);
|
|
3310
4327
|
}
|
|
3311
|
-
const issuerState = this.issuerSupportedFlowTypes().includes(
|
|
4328
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common27.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this._state.cachedCNonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
3312
4329
|
requestBuilder.withIssuerState(issuerState);
|
|
3313
4330
|
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
3314
4331
|
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
3315
4332
|
let subjectIssuance;
|
|
3316
4333
|
if (this.endpointMetadata?.credentialIssuerMetadata) {
|
|
3317
4334
|
const metadata = this.endpointMetadata.credentialIssuerMetadata;
|
|
3318
|
-
|
|
3319
|
-
|
|
3320
|
-
|
|
3321
|
-
|
|
3322
|
-
|
|
3323
|
-
|
|
3324
|
-
|
|
3325
|
-
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3326
|
-
typeSupported = true;
|
|
3327
|
-
if (supportedCredential.credential_subject_issuance) {
|
|
4335
|
+
if (metadata.credential_configurations_supported) {
|
|
4336
|
+
const configId = credentialConfigurationId ?? credentialIdentifier;
|
|
4337
|
+
if (configId && metadata.credential_configurations_supported[configId]) {
|
|
4338
|
+
const config = metadata.credential_configurations_supported[configId];
|
|
4339
|
+
if (config.credential_subject_issuance) {
|
|
4340
|
+
const subjIssuance = config.credential_subject_issuance;
|
|
4341
|
+
if (subjIssuance.subject_proof_mode && subjIssuance.notification_events_supported) {
|
|
3328
4342
|
subjectIssuance = {
|
|
3329
|
-
credential_subject_issuance:
|
|
4343
|
+
credential_subject_issuance: {
|
|
4344
|
+
subject_proof_mode: subjIssuance.subject_proof_mode,
|
|
4345
|
+
notification_events_supported: subjIssuance.notification_events_supported
|
|
4346
|
+
}
|
|
3330
4347
|
};
|
|
3331
4348
|
}
|
|
3332
4349
|
}
|
|
3333
|
-
});
|
|
3334
|
-
if (!typeSupported) {
|
|
3335
|
-
console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
|
|
3336
|
-
}
|
|
3337
|
-
} else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
|
|
3338
|
-
const credentialsSupported = metadata.credentials_supported;
|
|
3339
|
-
if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
|
|
3340
|
-
throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
|
|
3341
4350
|
}
|
|
3342
4351
|
}
|
|
3343
4352
|
}
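Review bot: The new metadata lookup in `acquireCredentials` does nothing when `configId` is undefined or is not a key of `metadata.credential_configurations_supported`, so a request for a configuration the issuer never advertised is built and sent with no error and no log line. `configId` also falls back to `credentialIdentifier`, which is presumably not a key of that map, so the `credential_subject_issuance` settings would be skipped silently for identifier-based requests. An own-property check that fails early would cover the first case: `if (credentialConfigurationId && !Object.hasOwn(metadata.credential_configurations_supported, credentialConfigurationId)) throw Error("Credential configuration is not supported by issuer " + this.getIssuer());`. The method body continues past the end of this hunk.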
|
|
@@ -3345,8 +4354,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3345
4354
|
requestBuilder.withSubjectIssuance(subjectIssuance);
|
|
3346
4355
|
}
|
|
3347
4356
|
const credentialRequestClient = requestBuilder.build();
|
|
4357
|
+
if (!this._state.cachedCNonce) {
|
|
4358
|
+
await this.acquireNonce();
|
|
4359
|
+
}
|
|
3348
4360
|
const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
|
|
3349
|
-
accessTokenResponse:
|
|
4361
|
+
accessTokenResponse: {
|
|
4362
|
+
...this.accessTokenResponse,
|
|
4363
|
+
c_nonce: this._state.cachedCNonce
|
|
4364
|
+
},
|
|
3350
4365
|
callbacks: proofCallbacks,
|
|
3351
4366
|
version: this.version()
|
|
3352
4367
|
}).withIssuer(this.getIssuer()).withAlg(this.alg);
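Review bot: The nonce used for the proof is never cleared in the lines shown: the `if (!this._state.cachedCNonce)` guard skips `acquireNonce()` on every later call, so a second credential request on the same client would sign its proof with a nonce the issuer has already seen (a reset may exist outside the visible hunks). The spread `{ ...this.accessTokenResponse, c_nonce: this._state.cachedCNonce }` also overwrites any `c_nonce` from the token response, and `acquireNonce()` throws when the metadata has no `nonce_endpoint`, so an issuer that does not advertise one cannot be used at all. Consider calling `acquireNonce()` only when `this.hasNonceEndpoint()`, using `c_nonce: this._state.cachedCNonce ?? this.accessTokenResponse?.c_nonce`, and setting `this._state.cachedCNonce = undefined` once the proof has been built. The enclosing method starts and ends outside this hunk.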
|
|
@@ -3364,6 +4379,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3364
4379
|
}
|
|
3365
4380
|
const response = await credentialRequestClient.acquireCredentialsUsingProof({
|
|
3366
4381
|
proofInput: proofBuilder,
|
|
4382
|
+
credentialIdentifier,
|
|
3367
4383
|
credentialTypes,
|
|
3368
4384
|
context,
|
|
3369
4385
|
format,
|
|
@@ -3372,11 +4388,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3372
4388
|
});
|
|
3373
4389
|
this._state.dpopResponseParams = response.params;
|
|
3374
4390
|
if (response.errorBody) {
|
|
3375
|
-
|
|
4391
|
+
logger15.debug(`Credential request error:\r
|
|
3376
4392
|
${JSON.stringify(response.errorBody)}`);
|
|
3377
4393
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3378
4394
|
} else if (!response.successBody) {
|
|
3379
|
-
|
|
4395
|
+
logger15.debug(`Credential request error. No success body`);
|
|
3380
4396
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3381
4397
|
}
|
|
3382
4398
|
return {
|
|
@@ -3391,35 +4407,27 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3391
4407
|
return JSON.stringify(this._state);
|
|
3392
4408
|
}
|
|
3393
4409
|
getCredentialsSupported(restrictToInitiationTypes, format) {
|
|
3394
|
-
return (0,
|
|
4410
|
+
return (0, import_oid4vci_common27.getSupportedCredentials)({
|
|
3395
4411
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
3396
4412
|
version: this.version(),
|
|
3397
4413
|
format,
|
|
3398
|
-
types: restrictToInitiationTypes ?
|
|
4414
|
+
types: restrictToInitiationTypes ? [
|
|
4415
|
+
this.getCredentialOfferConfigurationIds()
|
|
4416
|
+
] : void 0
|
|
3399
4417
|
});
|
|
3400
4418
|
}
|
|
3401
4419
|
async sendNotification(credentialRequestOpts, request, accessToken) {
|
|
3402
4420
|
return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
|
|
3403
4421
|
}
|
|
3404
|
-
|
|
4422
|
+
getCredentialOfferConfigurationIds() {
|
|
3405
4423
|
if (!this.credentialOffer) {
|
|
3406
4424
|
return [];
|
|
3407
|
-
} else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_11) {
|
|
3408
|
-
const orig = this.credentialOffer.original_credential_offer;
|
|
3409
|
-
const types = typeof orig.credential_type === "string" ? [
|
|
3410
|
-
orig.credential_type
|
|
3411
|
-
] : orig.credential_type;
|
|
3412
|
-
const result = [];
|
|
3413
|
-
result[0] = types;
|
|
3414
|
-
return result;
|
|
3415
|
-
} else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13) {
|
|
3416
|
-
return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common23.getTypesFromObject)(c) ?? []);
|
|
3417
4425
|
}
|
|
3418
|
-
return
|
|
4426
|
+
return this.credentialOffer.credential_offer?.credential_configuration_ids ?? [];
|
|
3419
4427
|
}
|
|
3420
4428
|
issuerSupportedFlowTypes() {
|
|
3421
4429
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
|
|
3422
|
-
|
|
4430
|
+
import_oid4vci_common27.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
3423
4431
|
] : []);
|
|
3424
4432
|
}
|
|
3425
4433
|
isFlowTypeSupported(flowType) {
|
|
@@ -3435,17 +4443,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3435
4443
|
return this._state.credentialOffer;
|
|
3436
4444
|
}
|
|
3437
4445
|
version() {
|
|
3438
|
-
|
|
3439
|
-
return this.credentialOffer.version;
|
|
3440
|
-
}
|
|
3441
|
-
const metadata = this._state.endpointMetadata;
|
|
3442
|
-
if (metadata?.credentialIssuerMetadata) {
|
|
3443
|
-
const versions = (0, import_oid4vci_common23.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
|
|
3444
|
-
if (versions.length > 0 && !versions.includes(import_oid4vci_common23.OpenId4VCIVersion.VER_UNKNOWN)) {
|
|
3445
|
-
return versions[0];
|
|
3446
|
-
}
|
|
3447
|
-
}
|
|
3448
|
-
return import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13;
|
|
4446
|
+
return import_oid4vci_common27.OpenId4VCIVersion.VER_1_0_15;
|
|
3449
4447
|
}
|
|
3450
4448
|
get endpointMetadata() {
|
|
3451
4449
|
this.assertServerMetadata();
|
|
@@ -3481,20 +4479,16 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3481
4479
|
get dpopResponseParams() {
|
|
3482
4480
|
return this._state.dpopResponseParams;
|
|
3483
4481
|
}
|
|
4482
|
+
get state() {
|
|
4483
|
+
return this._state;
|
|
4484
|
+
}
|
|
3484
4485
|
getIssuer() {
|
|
3485
4486
|
this.assertIssuerData();
|
|
3486
4487
|
return this._state.credentialIssuer;
|
|
3487
4488
|
}
|
|
3488
4489
|
getAccessTokenEndpoint() {
|
|
3489
4490
|
this.assertIssuerData();
|
|
3490
|
-
|
|
3491
|
-
return this.endpointMetadata.token_endpoint;
|
|
3492
|
-
}
|
|
3493
|
-
return this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_12 ? AccessTokenClientV1_0_11.determineTokenURL({
|
|
3494
|
-
issuerOpts: {
|
|
3495
|
-
issuer: this.getIssuer()
|
|
3496
|
-
}
|
|
3497
|
-
}) : AccessTokenClient.determineTokenURL({
|
|
4491
|
+
return this.endpointMetadata?.token_endpoint ?? AccessTokenClient.determineTokenURL({
|
|
3498
4492
|
issuerOpts: {
|
|
3499
4493
|
issuer: this.getIssuer()
|
|
3500
4494
|
}
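Review bot: The new `get state()` returns the live `_state` object rather than a copy, and the other hunks on this page show that object holding `accessTokenResponse`, `pkce` and `cachedCNonce`, so any caller can read the token material and change the client's internals by reference. If the getter is meant for inspection or persistence, returning a copy (for example `return structuredClone(this._state);`, assuming the state stays plain data, as the `JSON.stringify(this._state)` context line in an earlier hunk suggests) would keep the internals from being modified from outside. A doc comment such as `/** Snapshot of the client state; contains the access token and PKCE values, do not log. */` would tell callers what they are handling.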
|
|
@@ -3502,7 +4496,13 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3502
4496
|
}
|
|
3503
4497
|
getCredentialEndpoint() {
|
|
3504
4498
|
this.assertIssuerData();
|
|
3505
|
-
return this.endpointMetadata
|
|
4499
|
+
return this.endpointMetadata?.credential_endpoint ?? `${this.getIssuer()}/credential`;
|
|
4500
|
+
}
|
|
4501
|
+
getNonceEndpoint() {
|
|
4502
|
+
return this.endpointMetadata?.nonce_endpoint;
|
|
4503
|
+
}
|
|
4504
|
+
hasNonceEndpoint() {
|
|
4505
|
+
return !!this.getNonceEndpoint();
|
|
3506
4506
|
}
|
|
3507
4507
|
getAuthorizationChallengeEndpoint() {
|
|
3508
4508
|
this.assertIssuerData();
|
|
@@ -3512,24 +4512,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3512
4512
|
return !!this.getAuthorizationChallengeEndpoint();
|
|
3513
4513
|
}
|
|
3514
4514
|
hasDeferredCredentialEndpoint() {
|
|
3515
|
-
return !!this.
|
|
4515
|
+
return !!this.endpointMetadata?.deferred_credential_endpoint;
|
|
3516
4516
|
}
|
|
3517
4517
|
getDeferredCredentialEndpoint() {
|
|
3518
4518
|
this.assertIssuerData();
|
|
3519
|
-
return this.endpointMetadata
|
|
4519
|
+
return this.endpointMetadata?.deferred_credential_endpoint;
|
|
3520
4520
|
}
|
|
3521
|
-
/**
|
|
3522
|
-
* Too bad we need a method like this, but EBSI is not exposing metadata
|
|
3523
|
-
*/
|
|
3524
4521
|
isEBSI() {
|
|
3525
|
-
|
|
3526
|
-
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
|
|
3527
|
-
// @ts-ignore
|
|
3528
|
-
typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
|
|
3529
|
-
))) {
|
|
3530
|
-
return true;
|
|
3531
|
-
}
|
|
3532
|
-
return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
|
|
4522
|
+
return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
|
|
3533
4523
|
}
|
|
3534
4524
|
assertIssuerData() {
|
|
3535
4525
|
if (!this._state.credentialIssuer) {
|
|
@@ -3562,7 +4552,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3562
4552
|
};
|
|
3563
4553
|
if (!authorizationRequestOpts) {
|
|
3564
4554
|
authorizationRequestOpts = {
|
|
3565
|
-
redirectUri: `${
|
|
4555
|
+
redirectUri: `${import_oid4vci_common27.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
3566
4556
|
};
|
|
3567
4557
|
}
|
|
3568
4558
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -3573,7 +4563,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3573
4563
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
3574
4564
|
if (authorizationResponse) {
|
|
3575
4565
|
this._state.authorizationCodeResponse = {
|
|
3576
|
-
...(0,
|
|
4566
|
+
...(0, import_oid4vci_common27.toAuthorizationResponsePayload)(authorizationResponse)
|
|
3577
4567
|
};
|
|
3578
4568
|
} else if (code) {
|
|
3579
4569
|
this._state.authorizationCodeResponse = {
|
|
@@ -3585,16 +4575,16 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3585
4575
|
};
|
|
3586
4576
|
|
|
3587
4577
|
// lib/OpenID4VCIClientV1_0_13.ts
|
|
3588
|
-
var
|
|
3589
|
-
var
|
|
3590
|
-
var
|
|
4578
|
+
var import_oid4vci_common28 = require("@sphereon/oid4vci-common");
|
|
4579
|
+
var import_ssi_types18 = require("@sphereon/ssi-types");
|
|
4580
|
+
var logger16 = import_ssi_types18.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
3591
4581
|
var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
3592
4582
|
static {
|
|
3593
4583
|
__name(this, "OpenID4VCIClientV1_0_13");
|
|
3594
4584
|
}
|
|
3595
4585
|
_state;
|
|
3596
4586
|
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
3597
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
4587
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common28.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
3598
4588
|
if (!issuer) {
|
|
3599
4589
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
3600
4590
|
}
|
|
@@ -3604,10 +4594,10 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3604
4594
|
kid,
|
|
3605
4595
|
alg,
|
|
3606
4596
|
// TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
|
|
3607
|
-
clientId: clientId ?? (credentialOffer && (0,
|
|
4597
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common28.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
3608
4598
|
pkce: {
|
|
3609
4599
|
disabled: false,
|
|
3610
|
-
codeChallengeMethod:
|
|
4600
|
+
codeChallengeMethod: import_oid4vci_common28.CodeChallengeMethod.S256,
|
|
3611
4601
|
...pkce
|
|
3612
4602
|
},
|
|
3613
4603
|
authorizationRequestOpts,
|
|
@@ -3621,7 +4611,7 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3621
4611
|
if (!this._state.authorizationRequestOpts) {
|
|
3622
4612
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
3623
4613
|
}
|
|
3624
|
-
|
|
4614
|
+
logger16.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
3625
4615
|
}
|
|
3626
4616
|
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
|
|
3627
4617
|
const client = new _OpenID4VCIClientV1_0_13({
|
|
@@ -3662,12 +4652,12 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3662
4652
|
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
3663
4653
|
await client.retrieveServerMetadata();
|
|
3664
4654
|
}
|
|
3665
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
4655
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common28.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
|
|
3666
4656
|
await client.createAuthorizationRequestUrl({
|
|
3667
4657
|
authorizationRequest,
|
|
3668
4658
|
pkce
|
|
3669
4659
|
});
|
|
3670
|
-
|
|
4660
|
+
logger16.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
3671
4661
|
}
|
|
3672
4662
|
return client;
|
|
3673
4663
|
}
|
|
@@ -3725,12 +4715,12 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
|
|
|
3725
4715
|
...opts
|
|
3726
4716
|
});
|
|
3727
4717
|
if (response.errorBody) {
|
|
3728
|
-
|
|
4718
|
+
logger16.debug(`Authorization code error:\r
|
|
3729
4719
|
${JSON.stringify(response.errorBody)}`);
|
|
3730
4720
|
const error = response.errorBody;
|
|
3731
4721
|
return Promise.reject(error);
|
|
3732
4722
|
} else if (!response.successBody) {
|
|
3733
|
-
|
|
4723
|
+
logger16.debug(`Authorization code error. No success body`);
|
|
3734
4724
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
3735
4725
|
}
|
|
3736
4726
|
return {
|
|
@@ -3802,11 +4792,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3802
4792
|
}
|
|
3803
4793
|
});
|
|
3804
4794
|
if (response.errorBody) {
|
|
3805
|
-
|
|
4795
|
+
logger16.debug(`Access token error:\r
|
|
3806
4796
|
${JSON.stringify(response.errorBody)}`);
|
|
3807
4797
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3808
4798
|
} else if (!response.successBody) {
|
|
3809
|
-
|
|
4799
|
+
logger16.debug(`Access token error. No success body`);
|
|
3810
4800
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3811
4801
|
}
|
|
3812
4802
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -3831,7 +4821,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3831
4821
|
jwk,
|
|
3832
4822
|
kid
|
|
3833
4823
|
].filter((v) => v !== void 0).length > 1) {
|
|
3834
|
-
throw new Error(
|
|
4824
|
+
throw new Error(import_oid4vci_common28.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
3835
4825
|
}
|
|
3836
4826
|
if (alg) this._state.alg = alg;
|
|
3837
4827
|
if (jwk) this._state.jwk = jwk;
|
|
@@ -3845,7 +4835,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3845
4835
|
metadata: this.endpointMetadata,
|
|
3846
4836
|
version: this.version()
|
|
3847
4837
|
});
|
|
3848
|
-
const issuerState = this.issuerSupportedFlowTypes().includes(
|
|
4838
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common28.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
3849
4839
|
requestBuilder.withIssuerState(issuerState);
|
|
3850
4840
|
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
3851
4841
|
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
@@ -3868,7 +4858,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3868
4858
|
} else if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
|
|
3869
4859
|
let typeSupported = false;
|
|
3870
4860
|
metadata.credentials_supported.forEach((supportedCredential) => {
|
|
3871
|
-
const subTypes = (0,
|
|
4861
|
+
const subTypes = (0, import_oid4vci_common28.getTypesFromCredentialSupported)(supportedCredential);
|
|
3872
4862
|
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3873
4863
|
typeSupported = true;
|
|
3874
4864
|
if (supportedCredential.credential_subject_issuance) {
|
|
@@ -3884,7 +4874,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3884
4874
|
} else if (metadata.credential_configurations_supported && typeof metadata.credential_configurations_supported === "object") {
|
|
3885
4875
|
let typeSupported = false;
|
|
3886
4876
|
Object.values(metadata.credential_configurations_supported).forEach((supportedCredential) => {
|
|
3887
|
-
const subTypes = (0,
|
|
4877
|
+
const subTypes = (0, import_oid4vci_common28.getTypesFromCredentialSupported)(supportedCredential);
|
|
3888
4878
|
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
3889
4879
|
typeSupported = true;
|
|
3890
4880
|
}
|
|
@@ -3934,14 +4924,17 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3934
4924
|
credentialIdentifier,
|
|
3935
4925
|
subjectIssuance
|
|
3936
4926
|
});
|
|
3937
|
-
|
|
4927
|
+
if (!import_oid4vci_common28.supportedOID4VCICredentialFormat.includes(format)) {
|
|
4928
|
+
return Promise.reject(Error(`Unsupported credential format: ${format}`));
|
|
4929
|
+
}
|
|
4930
|
+
const response = await credentialRequestClient.acquireCredentialsUsingRequest(request, format, createDPoPOpts);
|
|
3938
4931
|
this._state.dpopResponseParams = response.params;
|
|
3939
4932
|
if (response.errorBody) {
|
|
3940
|
-
|
|
4933
|
+
logger16.debug(`Credential request error:\r
|
|
3941
4934
|
${JSON.stringify(response.errorBody)}`);
|
|
3942
4935
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
3943
4936
|
} else if (!response.successBody) {
|
|
3944
|
-
|
|
4937
|
+
logger16.debug(`Credential request error. No success body`);
|
|
3945
4938
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
3946
4939
|
}
|
|
3947
4940
|
return {
|
|
@@ -3956,7 +4949,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3956
4949
|
return JSON.stringify(this._state);
|
|
3957
4950
|
}
|
|
3958
4951
|
getCredentialsSupported(format) {
|
|
3959
|
-
return (0,
|
|
4952
|
+
return (0, import_oid4vci_common28.getSupportedCredentials)({
|
|
3960
4953
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
3961
4954
|
version: this.version(),
|
|
3962
4955
|
format,
|
|
@@ -3991,7 +4984,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3991
4984
|
}*/
|
|
3992
4985
|
issuerSupportedFlowTypes() {
|
|
3993
4986
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
|
|
3994
|
-
|
|
4987
|
+
import_oid4vci_common28.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
3995
4988
|
] : []);
|
|
3996
4989
|
}
|
|
3997
4990
|
isFlowTypeSupported(flowType) {
|
|
@@ -4007,7 +5000,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4007
5000
|
return this._state.credentialOffer;
|
|
4008
5001
|
}
|
|
4009
5002
|
version() {
|
|
4010
|
-
return this.credentialOffer?.version ??
|
|
5003
|
+
return this.credentialOffer?.version ?? import_oid4vci_common28.OpenId4VCIVersion.VER_1_0_13;
|
|
4011
5004
|
}
|
|
4012
5005
|
get endpointMetadata() {
|
|
4013
5006
|
this.assertServerMetadata();
|
|
@@ -4110,7 +5103,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4110
5103
|
};
|
|
4111
5104
|
if (!authorizationRequestOpts) {
|
|
4112
5105
|
authorizationRequestOpts = {
|
|
4113
|
-
redirectUri: `${
|
|
5106
|
+
redirectUri: `${import_oid4vci_common28.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
4114
5107
|
};
|
|
4115
5108
|
}
|
|
4116
5109
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -4121,7 +5114,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4121
5114
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
4122
5115
|
if (authorizationResponse) {
|
|
4123
5116
|
this._state.authorizationCodeResponse = {
|
|
4124
|
-
...(0,
|
|
5117
|
+
...(0, import_oid4vci_common28.toAuthorizationResponsePayload)(authorizationResponse)
|
|
4125
5118
|
};
|
|
4126
5119
|
} else if (code) {
|
|
4127
5120
|
this._state.authorizationCodeResponse = {
|
|
@@ -4133,16 +5126,16 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4133
5126
|
};
|
|
4134
5127
|
|
|
4135
5128
|
// lib/OpenID4VCIClientV1_0_11.ts
|
|
4136
|
-
var
|
|
4137
|
-
var
|
|
4138
|
-
var
|
|
5129
|
+
var import_oid4vci_common29 = require("@sphereon/oid4vci-common");
|
|
5130
|
+
var import_ssi_types19 = require("@sphereon/ssi-types");
|
|
5131
|
+
var logger17 = import_ssi_types19.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
4139
5132
|
var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
4140
5133
|
static {
|
|
4141
5134
|
__name(this, "OpenID4VCIClientV1_0_11");
|
|
4142
5135
|
}
|
|
4143
5136
|
_state;
|
|
4144
5137
|
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
4145
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
5138
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common29.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
4146
5139
|
if (!issuer) {
|
|
4147
5140
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
4148
5141
|
}
|
|
@@ -4152,10 +5145,10 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4152
5145
|
kid,
|
|
4153
5146
|
alg,
|
|
4154
5147
|
// TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
|
|
4155
|
-
clientId: clientId ?? (credentialOffer && (0,
|
|
5148
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common29.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
4156
5149
|
pkce: {
|
|
4157
5150
|
disabled: false,
|
|
4158
|
-
codeChallengeMethod:
|
|
5151
|
+
codeChallengeMethod: import_oid4vci_common29.CodeChallengeMethod.S256,
|
|
4159
5152
|
...pkce
|
|
4160
5153
|
},
|
|
4161
5154
|
authorizationRequestOpts,
|
|
@@ -4168,7 +5161,7 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4168
5161
|
if (!this._state.authorizationRequestOpts) {
|
|
4169
5162
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
4170
5163
|
}
|
|
4171
|
-
|
|
5164
|
+
logger17.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
4172
5165
|
}
|
|
4173
5166
|
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
|
|
4174
5167
|
const client = new _OpenID4VCIClientV1_0_11({
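Review bot: The `logger17.debug` call added at the end of the constructor serialises the whole `this._state.authorizationRequestOpts` object into the debug log, and the hunk at new line 5202 logs `client._state.authorizationURL` in full. Which fields those values carry beyond `redirectUri` and `clientId` is not visible here, but debug output often reaches shared log sinks, so logging a fixed subset is the safer default, e.g. `logger17.debug("Authorization req options: redirectUri=" + this._state.authorizationRequestOpts?.redirectUri);`. The removed lines are shown truncated, so this logging may predate the release under another logger name. `fromCredentialIssuer` continues outside the hunk.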
|
|
@@ -4209,12 +5202,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4209
5202
|
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
4210
5203
|
await client.retrieveServerMetadata();
|
|
4211
5204
|
}
|
|
4212
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
5205
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common29.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
|
|
4213
5206
|
await client.createAuthorizationRequestUrl({
|
|
4214
5207
|
authorizationRequest,
|
|
4215
5208
|
pkce
|
|
4216
5209
|
});
|
|
4217
|
-
|
|
5210
|
+
logger17.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
4218
5211
|
}
|
|
4219
5212
|
return client;
|
|
4220
5213
|
}
|
|
@@ -4271,12 +5264,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
|
|
|
4271
5264
|
...opts
|
|
4272
5265
|
});
|
|
4273
5266
|
if (response.errorBody) {
|
|
4274
|
-
|
|
5267
|
+
logger17.debug(`Authorization code error:\r
|
|
4275
5268
|
${JSON.stringify(response.errorBody)}`);
|
|
4276
5269
|
const error = response.errorBody;
|
|
4277
5270
|
return Promise.reject(error);
|
|
4278
5271
|
} else if (!response.successBody) {
|
|
4279
|
-
|
|
5272
|
+
logger17.debug(`Authorization code error. No success body`);
|
|
4280
5273
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
4281
5274
|
}
|
|
4282
5275
|
return {
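Review bot: The added `logger17.debug` lines write `JSON.stringify(response.errorBody)` to the log verbatim, and that body is supplied by the remote endpoint, so its length and content are outside the client's control. The same pattern appears in the access-token hunk (new line 5344) and the credential-request hunk (new line 5433). Bounding the logged text, for instance `JSON.stringify(response.errorBody).slice(0, 1024)`, or logging only the `error` and `error_description` fields when present, would limit what an issuer can place in the client's logs. The enclosing method starts before this hunk and its `return {` continues past it.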
|
|
@@ -4348,11 +5341,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4348
5341
|
}
|
|
4349
5342
|
});
|
|
4350
5343
|
if (response.errorBody) {
|
|
4351
|
-
|
|
5344
|
+
logger17.debug(`Access token error:\r
|
|
4352
5345
|
${JSON.stringify(response.errorBody)}`);
|
|
4353
5346
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
4354
5347
|
} else if (!response.successBody) {
|
|
4355
|
-
|
|
5348
|
+
logger17.debug(`Access token error. No success body`);
|
|
4356
5349
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
4357
5350
|
}
|
|
4358
5351
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -4371,7 +5364,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4371
5364
|
jwk,
|
|
4372
5365
|
kid
|
|
4373
5366
|
].filter((v) => v !== void 0).length > 1) {
|
|
4374
|
-
throw new Error(
|
|
5367
|
+
throw new Error(import_oid4vci_common29.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
4375
5368
|
}
|
|
4376
5369
|
if (alg) this._state.alg = alg;
|
|
4377
5370
|
if (jwk) this._state.jwk = jwk;
|
|
@@ -4395,7 +5388,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4395
5388
|
if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
|
|
4396
5389
|
let typeSupported = false;
|
|
4397
5390
|
metadata.credentials_supported.forEach((supportedCredential) => {
|
|
4398
|
-
const subTypes = (0,
|
|
5391
|
+
const subTypes = (0, import_oid4vci_common29.getTypesFromCredentialSupported)(supportedCredential);
|
|
4399
5392
|
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
4400
5393
|
typeSupported = true;
|
|
4401
5394
|
}
|
|
@@ -4437,11 +5430,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4437
5430
|
});
|
|
4438
5431
|
this._state.dpopResponseParams = response.params;
|
|
4439
5432
|
if (response.errorBody) {
|
|
4440
|
-
|
|
5433
|
+
logger17.debug(`Credential request error:\r
|
|
4441
5434
|
${JSON.stringify(response.errorBody)}`);
|
|
4442
5435
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
4443
5436
|
} else if (!response.successBody) {
|
|
4444
|
-
|
|
5437
|
+
logger17.debug(`Credential request error. No success body`);
|
|
4445
5438
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
4446
5439
|
}
|
|
4447
5440
|
return {
|
|
@@ -4459,7 +5452,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4459
5452
|
// When < v11 convert into a v12 object. When v12 object retain it.
|
|
4460
5453
|
// Then match the object array on server metadata
|
|
4461
5454
|
getCredentialsSupportedV11(restrictToInitiationTypes, format) {
|
|
4462
|
-
return (0,
|
|
5455
|
+
return (0, import_oid4vci_common29.getSupportedCredentials)({
|
|
4463
5456
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
4464
5457
|
version: this.version(),
|
|
4465
5458
|
format,
|
|
@@ -4467,7 +5460,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4467
5460
|
});
|
|
4468
5461
|
}
|
|
4469
5462
|
getCredentialsSupported(format) {
|
|
4470
|
-
return (0,
|
|
5463
|
+
return (0, import_oid4vci_common29.getSupportedCredentials)({
|
|
4471
5464
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
4472
5465
|
version: this.version(),
|
|
4473
5466
|
format,
|
|
@@ -4477,7 +5470,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4477
5470
|
getCredentialOfferTypes() {
|
|
4478
5471
|
if (!this.credentialOffer) {
|
|
4479
5472
|
return [];
|
|
4480
|
-
} else if (this.credentialOffer.version <
|
|
5473
|
+
} else if (this.credentialOffer.version < import_oid4vci_common29.OpenId4VCIVersion.VER_1_0_11) {
|
|
4481
5474
|
const orig = this.credentialOffer.original_credential_offer;
|
|
4482
5475
|
const types = typeof orig.credential_type === "string" ? [
|
|
4483
5476
|
orig.credential_type
|
|
@@ -4485,14 +5478,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4485
5478
|
const result = [];
|
|
4486
5479
|
result[0] = types;
|
|
4487
5480
|
return result;
|
|
4488
|
-
} else if (this.credentialOffer.version <
|
|
4489
|
-
return this.credentialOffer.credential_offer.credentials.map((c) => (0,
|
|
5481
|
+
} else if (this.credentialOffer.version < import_oid4vci_common29.OpenId4VCIVersion.VER_1_0_13) {
|
|
5482
|
+
return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common29.getTypesFromObject)(c) ?? []);
|
|
4490
5483
|
}
|
|
4491
5484
|
throw Error(`This class only supports version 11 and lower! Version: ${this.version()}`);
|
|
4492
5485
|
}
|
|
4493
5486
|
issuerSupportedFlowTypes() {
|
|
4494
5487
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
|
|
4495
|
-
|
|
5488
|
+
import_oid4vci_common29.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
4496
5489
|
] : []);
|
|
4497
5490
|
}
|
|
4498
5491
|
isFlowTypeSupported(flowType) {
|
|
@@ -4508,7 +5501,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4508
5501
|
return this._state.credentialOffer;
|
|
4509
5502
|
}
|
|
4510
5503
|
version() {
|
|
4511
|
-
return this.credentialOffer?.version ??
|
|
5504
|
+
return this.credentialOffer?.version ?? import_oid4vci_common29.OpenId4VCIVersion.VER_1_0_11;
|
|
4512
5505
|
}
|
|
4513
5506
|
get endpointMetadata() {
|
|
4514
5507
|
this.assertServerMetadata();
|
|
@@ -4604,7 +5597,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4604
5597
|
};
|
|
4605
5598
|
if (!authorizationRequestOpts) {
|
|
4606
5599
|
authorizationRequestOpts = {
|
|
4607
|
-
redirectUri: `${
|
|
5600
|
+
redirectUri: `${import_oid4vci_common29.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
4608
5601
|
};
|
|
4609
5602
|
}
|
|
4610
5603
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -4615,7 +5608,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4615
5608
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
4616
5609
|
if (authorizationResponse) {
|
|
4617
5610
|
this._state.authorizationCodeResponse = {
|
|
4618
|
-
...(0,
|
|
5611
|
+
...(0, import_oid4vci_common29.toAuthorizationResponsePayload)(authorizationResponse)
|
|
4619
5612
|
};
|
|
4620
5613
|
} else if (code) {
|
|
4621
5614
|
this._state.authorizationCodeResponse = {
|
|
@@ -4627,5 +5620,5 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
4627
5620
|
};
|
|
4628
5621
|
|
|
4629
5622
|
// lib/index.ts
|
|
4630
|
-
var LOG2 =
|
|
5623
|
+
var LOG2 = import_oid4vci_common30.VCI_LOGGERS.get("sphereon:oid4vci:client");
|
|
4631
5624
|
//# sourceMappingURL=index.cjs.map
|