@sphereon/oid4vci-client 0.19.1-fix.37 → 0.19.1-next.220

package/dist/index.cjs CHANGED
@@ -1,7 +1,9 @@
1
1
  "use strict";
2
+ var __create = Object.create;
2
3
  var __defProp = Object.defineProperty;
3
4
  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
4
5
  var __getOwnPropNames = Object.getOwnPropertyNames;
6
+ var __getProtoOf = Object.getPrototypeOf;
5
7
  var __hasOwnProp = Object.prototype.hasOwnProperty;
6
8
  var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
7
9
  var __export = (target, all) => {
@@ -16,28 +18,30 @@ var __copyProps = (to, from, except, desc) => {
16
18
  }
17
19
  return to;
18
20
  };
21
+ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
22
+ // If the importer is in node compatibility mode or this is not an ESM
23
+ // file that has been converted to a CommonJS file using a Babel-
24
+ // compatible transform (i.e. "__esModule" has not been set), then set
25
+ // "default" to the CommonJS "module.exports" for node compatibility.
26
+ isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
27
+ mod
28
+ ));
19
29
  var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
20
30
 
21
31
  // lib/index.ts
22
32
  var index_exports = {};
23
33
  __export(index_exports, {
24
34
  AccessTokenClient: () => AccessTokenClient,
25
- AccessTokenClientV1_0_11: () => AccessTokenClientV1_0_11,
26
35
  CredentialOfferClient: () => CredentialOfferClient,
27
- CredentialOfferClientV1_0_11: () => CredentialOfferClientV1_0_11,
28
- CredentialOfferClientV1_0_13: () => CredentialOfferClientV1_0_13,
36
+ CredentialOfferClientV1_0_15: () => CredentialOfferClientV1_0_15,
29
37
  CredentialRequestClient: () => CredentialRequestClient,
30
38
  CredentialRequestClientBuilder: () => CredentialRequestClientBuilder,
31
- CredentialRequestClientBuilderV1_0_11: () => CredentialRequestClientBuilderV1_0_11,
32
- CredentialRequestClientBuilderV1_0_13: () => CredentialRequestClientBuilderV1_0_13,
33
- CredentialRequestClientV1_0_11: () => CredentialRequestClientV1_0_11,
39
+ CredentialRequestClientBuilderV1_0_15: () => CredentialRequestClientBuilderV1_0_15,
34
40
  LOG: () => LOG2,
35
41
  MetadataClient: () => MetadataClient,
36
- MetadataClientV1_0_11: () => MetadataClientV1_0_11,
37
- MetadataClientV1_0_13: () => MetadataClientV1_0_13,
42
+ MetadataClientV1_0_15: () => MetadataClientV1_0_15,
38
43
  OpenID4VCIClient: () => OpenID4VCIClient,
39
- OpenID4VCIClientV1_0_11: () => OpenID4VCIClientV1_0_11,
40
- OpenID4VCIClientV1_0_13: () => OpenID4VCIClientV1_0_13,
44
+ OpenID4VCIClientV1_0_15: () => OpenID4VCIClientV1_0_15,
41
45
  ProofOfPossessionBuilder: () => ProofOfPossessionBuilder,
42
46
  acquireAuthorizationChallengeAuthCode: () => acquireAuthorizationChallengeAuthCode,
43
47
  acquireAuthorizationChallengeAuthCodeUsingRequest: () => acquireAuthorizationChallengeAuthCodeUsingRequest,
@@ -45,7 +49,6 @@ __export(index_exports, {
45
49
  constructBaseResponse: () => constructBaseResponse,
46
50
  createAuthorizationChallengeRequest: () => createAuthorizationChallengeRequest,
47
51
  createAuthorizationRequestUrl: () => createAuthorizationRequestUrl,
48
- createAuthorizationRequestUrlV1_0_11: () => createAuthorizationRequestUrlV1_0_11,
49
52
  createJwtBearerClientAssertion: () => createJwtBearerClientAssertion,
50
53
  createSignedAuthRequestWhenNeeded: () => createSignedAuthRequestWhenNeeded,
51
54
  generateMissingPKCEOpts: () => generateMissingPKCEOpts,
@@ -56,17 +59,13 @@ __export(index_exports, {
56
59
  sendNotification: () => sendNotification
57
60
  });
58
61
  module.exports = __toCommonJS(index_exports);
59
- var import_oid4vci_common26 = require("@sphereon/oid4vci-common");
62
+ var import_oid4vci_common20 = require("@sphereon/oid4vci-common");
60
63
 
61
64
  // lib/AccessTokenClient.ts
62
65
  var import_oid4vc_common3 = require("@sphereon/oid4vc-common");
63
66
  var import_oid4vci_common9 = require("@sphereon/oid4vci-common");
64
67
  var import_ssi_types4 = require("@sphereon/ssi-types");
65
68
 
66
- // lib/MetadataClientV1_0_13.ts
67
- var import_oid4vci_common8 = require("@sphereon/oid4vci-common");
68
- var import_ssi_types3 = require("@sphereon/ssi-types");
69
-
70
69
  // lib/functions/AuthorizationUtil.ts
71
70
  var import_oid4vci_common = require("@sphereon/oid4vci-common");
72
71
  var generateMissingPKCEOpts = /* @__PURE__ */ __name((pkce) => {
@@ -151,7 +150,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
151
150
  }
152
151
  proof;
153
152
  callbacks;
154
- version;
153
+ // private readonly version: OpenId4VCIVersion
155
154
  mode = "pop";
156
155
  kid;
157
156
  jwk;
@@ -167,11 +166,10 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
167
166
  this.mode = mode;
168
167
  this.proof = proof;
169
168
  this.callbacks = callbacks;
170
- this.version = version;
171
169
  if (jwt) {
172
170
  this.withJwt(jwt);
173
171
  } else {
174
- this.withTyp(version < import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11 || mode === "JWT" ? "JWT" : "openid4vci-proof+jwt");
172
+ this.withTyp(mode === "JWT" ? "JWT" : "openid4vci-proof+jwt");
175
173
  }
176
174
  if (accessTokenResponse) {
177
175
  this.withAccessTokenResponse(accessTokenResponse);
@@ -236,7 +234,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
236
234
  return this;
237
235
  }
238
236
  withTyp(typ) {
239
- if (this.mode === "pop" && this.version >= import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11) {
237
+ if (this.mode === "pop") {
240
238
  if (!!typ && typ !== "openid4vci-proof+jwt") {
241
239
  throw Error(`typ must be openid4vci-proof+jwt for version 1.0.11 and up. Provided: ${typ}`);
242
240
  }
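Review bot: The error text in `withTyp` still reads "for version 1.0.11 and up" although the version test was removed from the condition, so the message describes a rule that no longer depends on any version. I would reword it in the TypeScript source to something like `typ must be openid4vci-proof+jwt in pop mode. Provided: ${typ}`. The same cleanup is unfinished in two other hunks: the field is left behind as a commented-out line (`// private readonly version: OpenId4VCIVersion`), and `createJwtBearerClientAssertion` still passes `version:` to `fromJwt`, where it now appears to be ignored; either drop the option or document it as deprecated. The body of `withTyp` continues outside this hunk.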
@@ -278,7 +276,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
278
276
  if (jwt.header.typ) {
279
277
  this.withTyp(jwt.header.typ);
280
278
  }
281
- if (!this.typ && this.version >= import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11) {
279
+ if (!this.typ) {
282
280
  this.withTyp("openid4vci-proof+jwt");
283
281
  }
284
282
  this.withAlg(jwt.header.alg);
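Review bot: The fallback in `withJwt` sets `typ` to `openid4vci-proof+jwt` whenever the supplied header has no `typ`, without looking at `mode`, while the constructor and the `createProofOfPossession` call both choose `"JWT"` when `mode === "JWT"`. For a builder created by `createJwtBearerClientAssertion` (mode `"JWT"`) this would label a client assertion with the proof-of-possession type whenever the caller's header carries no `typ`, which weakens the explicit typing that keeps the two kinds of JWT apart; whether that header is always set is not visible here. Suggested: `if (!this.typ) { this.withTyp(this.mode === "JWT" ? "JWT" : "openid4vci-proof+jwt"); }`. `withJwt` starts and ends outside the hunk.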
@@ -298,7 +296,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
298
296
  return Promise.resolve(this.proof);
299
297
  } else if (this.callbacks) {
300
298
  return await (0, import_oid4vci_common5.createProofOfPossession)(this.mode, this.callbacks, {
301
- typ: this.typ ?? (this.version < import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11 || this.mode === "JWT" ? "JWT" : "openid4vci-proof+jwt"),
299
+ typ: this.typ ?? (this.mode === "JWT" ? "JWT" : "openid4vci-proof+jwt"),
302
300
  kid: this.kid,
303
301
  jwk: this.jwk,
304
302
  jti: this.jti,
@@ -351,7 +349,7 @@ var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts
351
349
  const pop = await ProofOfPossessionBuilder.fromJwt({
352
350
  jwt,
353
351
  callbacks: signCallbacks,
354
- version: opts.version ?? import_oid4vci_common6.OpenId4VCIVersion.VER_1_0_13,
352
+ version: opts.version ?? import_oid4vci_common6.OpenId4VCIVersion.VER_1_0_15,
355
353
  mode: "JWT"
356
354
  }).build();
357
355
  request.client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
@@ -361,7 +359,7 @@ var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts
361
359
 
362
360
  // lib/functions/CredentialOfferCommons.ts
363
361
  var import_oid4vci_common7 = require("@sphereon/oid4vci-common");
364
- var import_cross_fetch = require("cross-fetch");
362
+ var import_cross_fetch = __toESM(require("cross-fetch"), 1);
365
363
  function isUriEncoded(str) {
366
364
  const pattern = /%[0-9A-F]{2}/i;
367
365
  return pattern.test(str);
@@ -371,7 +369,7 @@ async function handleCredentialOfferUri(uri) {
371
369
  const uriObj = (0, import_oid4vci_common7.getURIComponentsAsArray)(uri);
372
370
  const credentialOfferUri = decodeURIComponent(uriObj["credential_offer_uri"]);
373
371
  const decodedUri = isUriEncoded(credentialOfferUri) ? decodeURIComponent(credentialOfferUri) : credentialOfferUri;
374
- const response = await (0, import_cross_fetch.fetch)(decodedUri);
372
+ const response = await (0, import_cross_fetch.default)(decodedUri);
375
373
  if (!(response && response.status >= 200 && response.status < 400)) {
376
374
  return Promise.reject(Error(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`));
377
375
  }
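Review bot: `decodedUri` comes straight from the `credential_offer_uri` parameter of the offer and is passed to the fetch call with no check of its scheme or host; switching to the default export does not change that. Because the offer is produced by another party (a link or a QR code), the wallet or backend running this client will request whatever URL it names, including plain `http:` or internal addresses. A guard before the call would close the simplest case: `if (new URL(decodedUri).protocol !== "https:") { return Promise.reject(Error("credential_offer_uri must use https")); }`, with an explicit opt-out kept for development only. The function begins and ends outside the hunk, and the change belongs in `lib/functions/CredentialOfferCommons.ts` rather than in this bundle.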
@@ -406,11 +404,54 @@ function constructBaseResponse(request, scheme, baseUrl) {
406
404
  }
407
405
  __name(constructBaseResponse, "constructBaseResponse");
408
406
 
409
- // lib/MetadataClientV1_0_13.ts
407
+ // lib/functions/dpopUtil.ts
408
+ var import_oid4vc_common2 = require("@sphereon/oid4vc-common");
409
+ function shouldRetryTokenRequestWithDPoPNonce(response) {
410
+ if (!response.errorBody || response.errorBody.error !== import_oid4vc_common2.dpopTokenRequestNonceError) {
411
+ return {
412
+ ok: false
413
+ };
414
+ }
415
+ const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
416
+ if (!dPoPNonce) {
417
+ throw new Error("Missing required DPoP-Nonce header.");
418
+ }
419
+ return {
420
+ ok: true,
421
+ dpopNonce: dPoPNonce
422
+ };
423
+ }
424
+ __name(shouldRetryTokenRequestWithDPoPNonce, "shouldRetryTokenRequestWithDPoPNonce");
425
+ function shouldRetryResourceRequestWithDPoPNonce(response) {
426
+ if (!response.errorBody || response.origResponse.status !== 401) {
427
+ return {
428
+ ok: false
429
+ };
430
+ }
431
+ const wwwAuthenticateHeader = response.origResponse.headers.get("WWW-Authenticate");
432
+ if (!wwwAuthenticateHeader?.includes(import_oid4vc_common2.dpopTokenRequestNonceError)) {
433
+ return {
434
+ ok: false
435
+ };
436
+ }
437
+ const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
438
+ if (!dPoPNonce) {
439
+ throw new Error("Missing required DPoP-Nonce header.");
440
+ }
441
+ return {
442
+ ok: true,
443
+ dpopNonce: dPoPNonce
444
+ };
445
+ }
446
+ __name(shouldRetryResourceRequestWithDPoPNonce, "shouldRetryResourceRequestWithDPoPNonce");
447
+
448
+ // lib/MetadataClientV1_0_15.ts
449
+ var import_oid4vci_common8 = require("@sphereon/oid4vci-common");
450
+ var import_ssi_types3 = require("@sphereon/ssi-types");
410
451
  var logger2 = import_ssi_types3.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
411
- var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
452
+ var MetadataClientV1_0_15 = class _MetadataClientV1_0_15 {
412
453
  static {
413
- __name(this, "MetadataClientV1_0_13");
454
+ __name(this, "MetadataClientV1_0_15");
414
455
  }
415
456
  /**
416
457
  * Retrieve metadata using the Initiation obtained from a previous step
@@ -418,7 +459,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
418
459
  * @param credentialOffer
419
460
  */
420
461
  static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
421
- return _MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
462
+ return _MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
422
463
  }
423
464
  /**
424
465
  * Retrieve the metada using the initiation request obtained from a previous step
@@ -427,7 +468,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
427
468
  static async retrieveAllMetadataFromCredentialOfferRequest(request) {
428
469
  const issuer = (0, import_oid4vci_common8.getIssuerFromCredentialOfferPayload)(request);
429
470
  if (issuer) {
430
- return _MetadataClientV1_0_13.retrieveAllMetadata(issuer);
471
+ return _MetadataClientV1_0_15.retrieveAllMetadata(issuer);
431
472
  }
432
473
  throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
433
474
  }
@@ -439,6 +480,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
439
480
  static async retrieveAllMetadata(issuer, opts) {
440
481
  let token_endpoint;
441
482
  let credential_endpoint;
483
+ let nonce_endpoint;
442
484
  let deferred_credential_endpoint;
443
485
  let authorization_endpoint;
444
486
  let authorization_challenge_endpoint;
@@ -446,7 +488,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
446
488
  let authorization_servers = [
447
489
  issuer
448
490
  ];
449
- const oid4vciResponse = await _MetadataClientV1_0_13.retrieveOpenID4VCIServerMetadata(issuer, {
491
+ const oid4vciResponse = await _MetadataClientV1_0_15.retrieveOpenID4VCIServerMetadata(issuer, {
450
492
  errorOnNotFound: false
451
493
  });
452
494
  let credentialIssuerMetadata = oid4vciResponse?.successBody;
@@ -454,6 +496,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
454
496
  logger2.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
455
497
  ${JSON.stringify(credentialIssuerMetadata)}`);
456
498
  credential_endpoint = credentialIssuerMetadata.credential_endpoint;
499
+ nonce_endpoint = credentialIssuerMetadata.nonce_endpoint;
457
500
  deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
458
501
  if (credentialIssuerMetadata.token_endpoint) {
459
502
  token_endpoint = credentialIssuerMetadata.token_endpoint;
@@ -481,9 +524,6 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
481
524
  throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
482
525
  }
483
526
  } else {
484
- if (!authorizationServerType) {
485
- authorizationServerType = "OAuth 2.0";
486
- }
487
527
  logger2.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
488
528
  if (!authMetadata.authorization_endpoint) {
489
529
  console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
@@ -538,17 +578,29 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
538
578
  if (!credentialIssuerMetadata && authMetadata) {
539
579
  credentialIssuerMetadata = authMetadata;
540
580
  }
581
+ const ci = credentialIssuerMetadata ?? {};
582
+ const ciAuthorizationServers = Array.isArray(ci.authorization_servers) && ci.authorization_servers.length > 0 ? ci.authorization_servers : authorization_servers;
583
+ const v15CredentialIssuerMetadata = {
584
+ credential_issuer: ci.credential_issuer ?? issuer,
585
+ credential_endpoint,
586
+ authorization_servers: ciAuthorizationServers,
587
+ credential_configurations_supported: ci.credential_configurations_supported ?? {},
588
+ display: ci.display ?? [],
589
+ ...nonce_endpoint && {
590
+ nonce_endpoint
591
+ },
592
+ ...deferred_credential_endpoint && {
593
+ deferred_credential_endpoint
594
+ }
595
+ };
541
596
  logger2.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
542
597
  return {
543
598
  issuer,
544
599
  token_endpoint,
545
600
  credential_endpoint,
546
- deferred_credential_endpoint,
547
- authorization_server: authorization_servers[0],
548
- authorization_endpoint,
549
601
  authorization_challenge_endpoint,
550
602
  authorizationServerType,
551
- credentialIssuerMetadata,
603
+ credentialIssuerMetadata: v15CredentialIssuerMetadata,
552
604
  authorizationServerMetadata: authMetadata
553
605
  };
554
606
  }
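Review bot: `v15CredentialIssuerMetadata` takes `credential_issuer` from the fetched document (`ci.credential_issuer ?? issuer`) without comparing it with the `issuer` that was requested, so metadata naming a different issuer is returned as if it belonged to this one. Unless an earlier part of `retrieveAllMetadata` (outside the hunk) already checks this, I would add `if (ci.credential_issuer && ci.credential_issuer !== issuer) { throw Error("credential_issuer in metadata does not match requested issuer"); }` before the object is built. The rebuilt object also copies only seven fields, so anything else the issuer published is dropped from `credentialIssuerMetadata`. `authorization_endpoint`, `authorization_server` and `deferred_credential_endpoint` no longer appear at the top level of the result, so callers that read them should be checked.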
@@ -565,47 +617,6 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
565
617
  }
566
618
  };
567
619
 
568
- // lib/functions/dpopUtil.ts
569
- var import_oid4vc_common2 = require("@sphereon/oid4vc-common");
570
- function shouldRetryTokenRequestWithDPoPNonce(response) {
571
- if (!response.errorBody || response.errorBody.error !== import_oid4vc_common2.dpopTokenRequestNonceError) {
572
- return {
573
- ok: false
574
- };
575
- }
576
- const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
577
- if (!dPoPNonce) {
578
- throw new Error("Missing required DPoP-Nonce header.");
579
- }
580
- return {
581
- ok: true,
582
- dpopNonce: dPoPNonce
583
- };
584
- }
585
- __name(shouldRetryTokenRequestWithDPoPNonce, "shouldRetryTokenRequestWithDPoPNonce");
586
- function shouldRetryResourceRequestWithDPoPNonce(response) {
587
- if (!response.errorBody || response.origResponse.status !== 401) {
588
- return {
589
- ok: false
590
- };
591
- }
592
- const wwwAuthenticateHeader = response.origResponse.headers.get("WWW-Authenticate");
593
- if (!wwwAuthenticateHeader?.includes(import_oid4vc_common2.dpopTokenRequestNonceError)) {
594
- return {
595
- ok: false
596
- };
597
- }
598
- const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
599
- if (!dPoPNonce) {
600
- throw new Error("Missing required DPoP-Nonce header.");
601
- }
602
- return {
603
- ok: true,
604
- dpopNonce: dPoPNonce
605
- };
606
- }
607
- __name(shouldRetryResourceRequestWithDPoPNonce, "shouldRetryResourceRequestWithDPoPNonce");
608
-
609
620
  // lib/AccessTokenClient.ts
610
621
  var AccessTokenClient = class _AccessTokenClient {
611
622
  static {
@@ -647,7 +658,7 @@ var AccessTokenClient = class _AccessTokenClient {
647
658
  const requestTokenURL = _AccessTokenClient.determineTokenURL({
648
659
  asOpts,
649
660
  issuerOpts,
650
- metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_13.retrieveAllMetadata(issuerOpts.issuer, {
661
+ metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_15.retrieveAllMetadata(issuerOpts.issuer, {
651
662
  errorOnNotFound: false
652
663
  }) : void 0
653
664
  });
@@ -836,319 +847,108 @@ var AccessTokenClient = class _AccessTokenClient {
836
847
  }
837
848
  };
838
849
 
839
- // lib/AccessTokenClientV1_0_11.ts
840
- var import_oid4vc_common4 = require("@sphereon/oid4vc-common");
850
+ // lib/AuthorizationCodeClient.ts
851
+ var import_oid4vci_common11 = require("@sphereon/oid4vci-common");
852
+ var import_ssi_types6 = require("@sphereon/ssi-types");
853
+
854
+ // lib/MetadataClient.ts
841
855
  var import_oid4vci_common10 = require("@sphereon/oid4vci-common");
842
856
  var import_ssi_types5 = require("@sphereon/ssi-types");
843
- var logger3 = import_ssi_types5.Loggers.DEFAULT.get("sphereon:oid4vci:token");
844
- var AccessTokenClientV1_0_11 = class _AccessTokenClientV1_0_11 {
857
+ var logger3 = import_ssi_types5.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
858
+ var MetadataClient = class _MetadataClient {
845
859
  static {
846
- __name(this, "AccessTokenClientV1_0_11");
860
+ __name(this, "MetadataClient");
847
861
  }
848
- async acquireAccessToken(opts) {
849
- const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts;
850
- const credentialOffer = opts.credentialOffer ? await (0, import_oid4vci_common10.assertedUniformCredentialOffer)(opts.credentialOffer) : void 0;
851
- const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer);
852
- const issuer = opts.credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common10.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : metadata?.issuer);
853
- if (!issuer) {
854
- throw Error("Issuer required at this point");
862
+ /**
863
+ * Retrieve metadata using the Initiation obtained from a previous step
864
+ *
865
+ * @param credentialOffer
866
+ */
867
+ static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
868
+ const openId4VCIVersion = (0, import_oid4vci_common10.determineSpecVersionFromOffer)(credentialOffer.credential_offer);
869
+ if (openId4VCIVersion >= import_oid4vci_common10.OpenId4VCIVersion.VER_1_0_15) {
870
+ return await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(credentialOffer);
855
871
  }
856
- const issuerOpts = {
857
- issuer
858
- };
859
- return await this.acquireAccessTokenUsingRequest({
860
- accessTokenRequest: await this.createAccessTokenRequest({
861
- credentialOffer,
862
- asOpts,
863
- codeVerifier,
864
- code,
865
- redirectUri,
866
- pin,
867
- credentialIssuer: issuer,
868
- metadata,
869
- additionalParams: opts.additionalParams,
870
- pinMetadata: opts.pinMetadata
871
- }),
872
- isPinRequired,
873
- metadata,
874
- asOpts,
875
- issuerOpts,
876
- createDPoPOpts
877
- });
872
+ return Promise.reject(Error(`OpenId4VCIVersion ${openId4VCIVersion} is not supported in retrieveAllMetadataFromCredentialOffer`));
878
873
  }
879
- async acquireAccessTokenUsingRequest({ accessTokenRequest, isPinRequired, metadata, asOpts, createDPoPOpts, issuerOpts }) {
880
- this.validate(accessTokenRequest, isPinRequired);
881
- const requestTokenURL = _AccessTokenClientV1_0_11.determineTokenURL({
882
- asOpts,
883
- issuerOpts,
884
- metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_13.retrieveAllMetadata(issuerOpts.issuer, {
885
- errorOnNotFound: false
886
- }) : void 0
887
- });
888
- const useDpop = createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0;
889
- let dPoP = useDpop ? await (0, import_oid4vc_common4.createDPoP)((0, import_oid4vc_common4.getCreateDPoPOptions)(createDPoPOpts, requestTokenURL)) : void 0;
890
- let response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? {
891
- headers: {
892
- dpop: dPoP
874
+ /**
875
+ * Retrieve the metada using the initiation request obtained from a previous step
876
+ * @param request
877
+ */
878
+ static async retrieveAllMetadataFromCredentialOfferRequest(request) {
879
+ const issuer = (0, import_oid4vci_common10.getIssuerFromCredentialOfferPayload)(request);
880
+ if (issuer) {
881
+ const openId4VCIVersion = (0, import_oid4vci_common10.determineSpecVersionFromOffer)(request);
882
+ if (openId4VCIVersion >= import_oid4vci_common10.OpenId4VCIVersion.VER_1_0_15) {
883
+ return MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(request);
884
+ } else {
885
+ return Promise.reject(Error(`OpenId4VCIVersion ${openId4VCIVersion} is not supported in retrieveAllMetadataFromCredentialOfferRequest`));
893
886
  }
894
- } : void 0);
895
- let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
896
- const retryWithNonce = shouldRetryTokenRequestWithDPoPNonce(response);
897
- if (retryWithNonce.ok && createDPoPOpts) {
898
- createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
899
- dPoP = await (0, import_oid4vc_common4.createDPoP)((0, import_oid4vc_common4.getCreateDPoPOptions)(createDPoPOpts, requestTokenURL));
900
- response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? {
901
- headers: {
902
- dpop: dPoP
903
- }
904
- } : void 0);
905
- const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
906
- nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
907
- }
908
- if (response.successBody && createDPoPOpts && response.successBody.token_type !== "DPoP") {
909
- throw new Error("Invalid token type returned. Expected DPoP. Received: " + response.successBody.token_type);
910
887
  }
911
- return {
912
- ...response,
913
- ...nextDPoPNonce && {
914
- params: {
915
- dpop: {
916
- dpopNonce: nextDPoPNonce
917
- }
918
- }
919
- }
920
- };
888
+ throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
921
889
  }
922
- async createAccessTokenRequest(opts) {
923
- const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
924
- const credentialOfferRequest = opts.credentialOffer ? await (0, import_oid4vci_common10.toUniformCredentialOfferRequest)(opts.credentialOffer) : void 0;
925
- const request = {
926
- ...opts.additionalParams
927
- };
928
- const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer;
929
- if (asOpts?.clientOpts?.clientId) {
930
- request.client_id = asOpts.clientOpts.clientId;
931
- }
932
- await createJwtBearerClientAssertion(request, {
933
- ...opts,
934
- version: import_oid4vci_common10.OpenId4VCIVersion.VER_1_0_11,
935
- credentialIssuer
890
+ /**
891
+ * Retrieve all metadata from an issuer
892
+ * @param issuer The issuer URL
893
+ * @param opts
894
+ */
895
+ static async retrieveAllMetadata(issuer, opts) {
896
+ let token_endpoint;
897
+ let credential_endpoint;
898
+ let deferred_credential_endpoint;
899
+ let authorization_endpoint;
900
+ let authorization_challenge_endpoint;
901
+ let authorizationServerType = "OID4VCI";
902
+ let authorization_servers = [
903
+ issuer
904
+ ];
905
+ let authorization_server = void 0;
906
+ const oid4vciResponse = await _MetadataClient.retrieveOpenID4VCIServerMetadata(issuer, {
907
+ errorOnNotFound: false
936
908
  });
937
- if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(import_oid4vci_common10.AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
938
- request.grant_type = import_oid4vci_common10.GrantTypes.AUTHORIZATION_CODE;
939
- request.code = code;
940
- request.redirect_uri = redirectUri;
941
- if (codeVerifier) {
942
- request.code_verifier = codeVerifier;
909
+ let credentialIssuerMetadata = oid4vciResponse?.successBody;
910
+ if (credentialIssuerMetadata) {
911
+ logger3.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
912
+ ${JSON.stringify(credentialIssuerMetadata)}`);
913
+ credential_endpoint = credentialIssuerMetadata.credential_endpoint;
914
+ deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint ? credentialIssuerMetadata.deferred_credential_endpoint : void 0;
915
+ if (credentialIssuerMetadata.token_endpoint) {
916
+ token_endpoint = credentialIssuerMetadata.token_endpoint;
943
917
  }
944
- return request;
945
- }
946
- if (credentialOfferRequest?.supportedFlows.includes(import_oid4vci_common10.AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
947
- this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
948
- request.user_pin = pin;
949
- request.grant_type = import_oid4vci_common10.GrantTypes.PRE_AUTHORIZED_CODE;
950
- request[import_oid4vci_common10.PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]?.[import_oid4vci_common10.PRE_AUTH_CODE_LITERAL];
951
- return request;
952
- }
953
- throw new Error("Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.");
954
- }
955
- assertPreAuthorizedGrantType(grantType) {
956
- if (import_oid4vci_common10.GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {
957
- throw new Error("grant type must be PRE_AUTH_GRANT_LITERAL");
958
- }
959
- }
960
- assertAuthorizationGrantType(grantType) {
961
- if (import_oid4vci_common10.GrantTypes.AUTHORIZATION_CODE !== grantType) {
962
- throw new Error("grant type must be 'authorization_code'");
963
- }
964
- }
965
- isPinRequiredValue(requestPayload) {
966
- let isPinRequired = false;
967
- if (!requestPayload) {
968
- throw new Error(import_oid4vci_common10.TokenErrorResponse.invalid_request);
969
- }
970
- const issuer = (0, import_oid4vci_common10.getIssuerFromCredentialOfferPayload)(requestPayload);
971
- if (requestPayload.grants?.[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]) {
972
- isPinRequired = requestPayload.grants[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false;
973
- }
974
- logger3.debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
975
- return isPinRequired;
976
- }
977
- assertNumericPin(isPinRequired, pin) {
978
- if (isPinRequired) {
979
- if (!pin || !/^\d{1,8}$/.test(pin)) {
980
- logger3.debug(`Pin is not 1 to 8 digits long`);
981
- throw new Error("A valid pin consisting of maximal 8 numeric characters must be present.");
918
+ authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
919
+ if (credentialIssuerMetadata.authorization_servers) {
920
+ authorization_servers = credentialIssuerMetadata.authorization_servers;
921
+ } else if (credentialIssuerMetadata.authorization_server) {
922
+ authorization_server = credentialIssuerMetadata.authorization_server;
923
+ authorization_servers = [
924
+ authorization_server
925
+ ];
982
926
  }
983
- } else if (pin) {
984
- logger3.debug(`Pin set, whilst not required`);
985
- throw new Error("Cannot set a pin, when the pin is not required.");
986
- }
987
- }
988
- assertNonEmptyPreAuthorizedCode(accessTokenRequest) {
989
- if (!accessTokenRequest[import_oid4vci_common10.PRE_AUTH_CODE_LITERAL]) {
990
- logger3.debug(`No pre-authorized code present, whilst it is required`);
991
- throw new Error("Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.");
927
+ } else {
928
+ throw new Error(`Issuer ${issuer} does not expose /.well-known/openid-credential-issuer`);
992
929
  }
993
- }
994
- assertNonEmptyCodeVerifier(accessTokenRequest) {
995
- if (!accessTokenRequest.code_verifier) {
996
- logger3.debug("No code_verifier present, whilst it is required");
997
- throw new Error("Authorization flow requires the code_verifier to be present");
998
- }
999
- }
1000
- assertNonEmptyCode(accessTokenRequest) {
1001
- if (!accessTokenRequest.code) {
1002
- logger3.debug("No code present, whilst it is required");
1003
- throw new Error("Authorization flow requires the code to be present");
1004
- }
1005
- }
1006
- validate(accessTokenRequest, isPinRequired) {
1007
- if (accessTokenRequest.grant_type === import_oid4vci_common10.GrantTypes.PRE_AUTHORIZED_CODE) {
1008
- this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
1009
- this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
1010
- this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin);
1011
- } else if (accessTokenRequest.grant_type === import_oid4vci_common10.GrantTypes.AUTHORIZATION_CODE) {
1012
- this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
1013
- this.assertNonEmptyCodeVerifier(accessTokenRequest);
1014
- this.assertNonEmptyCode(accessTokenRequest);
1015
- } else {
1016
- this.throwNotSupportedFlow();
1017
- }
1018
- }
1019
- async sendAuthCode(requestTokenURL, accessTokenRequest, opts) {
1020
- return await (0, import_oid4vci_common10.formPost)(requestTokenURL, (0, import_oid4vci_common10.convertJsonToURI)(accessTokenRequest, {
1021
- mode: import_oid4vci_common10.JsonURIMode.X_FORM_WWW_URLENCODED
1022
- }), {
1023
- customHeaders: opts?.headers ? opts.headers : void 0
1024
- });
1025
- }
1026
- static determineTokenURL({ asOpts, issuerOpts, metadata }) {
1027
- if (!asOpts && !metadata?.token_endpoint && !issuerOpts) {
1028
- throw new Error("Cannot determine token URL if no issuer, metadata and no Authorization Server values are present");
1029
- }
1030
- let url;
1031
- if (asOpts && asOpts.as) {
1032
- url = this.creatTokenURLFromURL(asOpts.as, asOpts?.allowInsecureEndpoints, asOpts.tokenEndpoint);
1033
- } else if (metadata?.token_endpoint) {
1034
- url = metadata.token_endpoint;
1035
- } else {
1036
- if (!issuerOpts?.issuer) {
1037
- throw Error("Either authorization server options, a token endpoint or issuer options are required at this point");
1038
- }
1039
- url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
1040
- }
1041
- if (!url || !import_ssi_types5.ObjectUtils.isString(url)) {
1042
- throw new Error("No authorization server token URL present. Cannot acquire access token");
1043
- }
1044
- logger3.debug(`Token endpoint determined to be ${url}`);
1045
- return url;
1046
- }
1047
- static creatTokenURLFromURL(url, allowInsecureEndpoints, tokenEndpoint) {
1048
- if (allowInsecureEndpoints !== true && url.startsWith("http:")) {
1049
- throw Error(`Unprotected token endpoints are not allowed ${url}. Use the 'allowInsecureEndpoints' param if you really need this for dev/testing!`);
1050
- }
1051
- const hostname = url.replace(/https?:\/\//, "").replace(/\/$/, "");
1052
- const endpoint = tokenEndpoint ? tokenEndpoint.startsWith("/") ? tokenEndpoint : tokenEndpoint.substring(1) : "/token";
1053
- const scheme = url.split("://")[0];
1054
- return `${scheme ? scheme + "://" : "https://"}${hostname}${endpoint}`;
1055
- }
1056
- throwNotSupportedFlow() {
1057
- logger3.debug(`Only pre-authorized or authorization code flows supported.`);
1058
- throw new Error("Only pre-authorized-code or authorization code flows are supported");
1059
- }
1060
- };
1061
-
1062
- // lib/AuthorizationCodeClient.ts
1063
- var import_oid4vci_common13 = require("@sphereon/oid4vci-common");
1064
- var import_ssi_types8 = require("@sphereon/ssi-types");
1065
-
1066
- // lib/MetadataClient.ts
1067
- var import_oid4vci_common12 = require("@sphereon/oid4vci-common");
1068
- var import_ssi_types7 = require("@sphereon/ssi-types");
1069
-
1070
- // lib/MetadataClientV1_0_11.ts
1071
- var import_oid4vci_common11 = require("@sphereon/oid4vci-common");
1072
- var import_ssi_types6 = require("@sphereon/ssi-types");
1073
- var logger4 = import_ssi_types6.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
1074
- var MetadataClientV1_0_11 = class _MetadataClientV1_0_11 {
1075
- static {
1076
- __name(this, "MetadataClientV1_0_11");
1077
- }
1078
- /**
1079
- * Retrieve metadata using the Initiation obtained from a previous step
1080
- *
1081
- * @param credentialOffer
1082
- */
1083
- static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
1084
- return _MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
1085
- }
1086
- /**
1087
- * Retrieve the metada using the initiation request obtained from a previous step
1088
- * @param request
1089
- */
1090
- static async retrieveAllMetadataFromCredentialOfferRequest(request) {
1091
- const issuer = (0, import_oid4vci_common11.getIssuerFromCredentialOfferPayload)(request);
1092
- if (issuer) {
1093
- return _MetadataClientV1_0_11.retrieveAllMetadata(issuer);
1094
- }
1095
- throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
1096
- }
1097
- /**
1098
- * Retrieve all metadata from an issuer
1099
- * @param issuer The issuer URL
1100
- * @param opts
1101
- */
1102
- static async retrieveAllMetadata(issuer, opts) {
1103
- let token_endpoint;
1104
- let credential_endpoint;
1105
- let deferred_credential_endpoint;
1106
- let authorization_endpoint;
1107
- let authorization_challenge_endpoint;
1108
- let authorizationServerType = "OID4VCI";
1109
- let authorization_server = issuer;
1110
- const oid4vciResponse = await _MetadataClientV1_0_11.retrieveOpenID4VCIServerMetadata(issuer, {
1111
- errorOnNotFound: false
1112
- });
1113
- let credentialIssuerMetadata = oid4vciResponse?.successBody;
1114
- if (credentialIssuerMetadata) {
1115
- logger4.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
1116
- ${JSON.stringify(credentialIssuerMetadata)}`);
1117
- credential_endpoint = credentialIssuerMetadata.credential_endpoint;
1118
- deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
1119
- if (credentialIssuerMetadata.token_endpoint) {
1120
- token_endpoint = credentialIssuerMetadata.token_endpoint;
1121
- }
1122
- authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
1123
- if (credentialIssuerMetadata.authorization_server) {
1124
- authorization_server = credentialIssuerMetadata.authorization_server;
1125
- }
1126
- if (credentialIssuerMetadata.authorization_endpoint) {
1127
- authorization_endpoint = credentialIssuerMetadata.authorization_endpoint;
1128
- }
1129
- }
1130
- let response = await retrieveWellknown(authorization_server, import_oid4vci_common11.WellKnownEndpoints.OPENID_CONFIGURATION, {
930
+ let response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common10.WellKnownEndpoints.OPENID_CONFIGURATION, {
1131
931
  errorOnNotFound: false
1132
932
  });
1133
933
  let authMetadata = response.successBody;
1134
934
  if (authMetadata) {
1135
- logger4.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
935
+ logger3.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
1136
936
  authorizationServerType = "OIDC";
1137
937
  } else {
1138
- response = await retrieveWellknown(authorization_server, import_oid4vci_common11.WellKnownEndpoints.OAUTH_AS, {
938
+ response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common10.WellKnownEndpoints.OAUTH_AS, {
1139
939
  errorOnNotFound: false
1140
940
  });
1141
941
  authMetadata = response.successBody;
1142
942
  }
1143
943
  if (!authMetadata) {
1144
- if (issuer !== authorization_server) {
1145
- throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_server}, but that server did not provide metadata`);
944
+ if (!authorization_servers.includes(issuer)) {
945
+ throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
1146
946
  }
1147
947
  } else {
1148
948
  if (!authorizationServerType) {
1149
949
  authorizationServerType = "OAuth 2.0";
1150
950
  }
1151
- logger4.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
951
+ logger3.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
1152
952
  if (!authMetadata.authorization_endpoint) {
1153
953
  console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
1154
954
  } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
@@ -1160,31 +960,31 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
1160
960
  }
1161
961
  authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
1162
962
  if (!authMetadata.token_endpoint) {
1163
- throw Error(`Authorization Server ${authorization_server} did not provide a token_endpoint`);
963
+ throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
1164
964
  } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
1165
965
  throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
1166
966
  }
1167
967
  token_endpoint = authMetadata.token_endpoint;
1168
968
  if (authMetadata.credential_endpoint) {
1169
969
  if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
1170
- logger4.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
970
+ logger3.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
1171
971
  } else {
1172
972
  credential_endpoint = authMetadata.credential_endpoint;
1173
973
  }
1174
974
  }
1175
975
  if (authMetadata.deferred_credential_endpoint) {
1176
976
  if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
1177
- logger4.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
977
+ logger3.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
1178
978
  } else {
1179
979
  deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
1180
980
  }
1181
981
  }
1182
982
  }
1183
983
  if (!authorization_endpoint) {
1184
- logger4.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
984
+ logger3.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
1185
985
  }
1186
986
  if (!token_endpoint) {
1187
- logger4.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
987
+ logger3.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
1188
988
  if (opts?.errorOnNotFound) {
1189
989
  throw Error(`Could not deduce the token_endpoint for ${issuer}`);
1190
990
  } else {
@@ -1192,7 +992,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
1192
992
  }
1193
993
  }
1194
994
  if (!credential_endpoint) {
1195
- logger4.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
995
+ logger3.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
1196
996
  if (opts?.errorOnNotFound) {
1197
997
  throw Error(`Could not deduce the credential endpoint for ${issuer}`);
1198
998
  } else {
@@ -1200,15 +1000,20 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
1200
1000
  }
1201
1001
  }
1202
1002
  if (!credentialIssuerMetadata && authMetadata) {
1203
- credentialIssuerMetadata = authMetadata;
1003
+ return Promise.reject(Error(`No /.well-known/openid-credential-issuer at ${issuer}.`));
1204
1004
  }
1205
- logger4.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
1005
+ logger3.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
1206
1006
  return {
1207
1007
  issuer,
1208
1008
  token_endpoint,
1209
1009
  credential_endpoint,
1210
1010
  deferred_credential_endpoint,
1211
- authorization_server,
1011
+ nonce_endpoint: credentialIssuerMetadata.nonce_endpoint,
1012
+ authorization_servers: authorization_server ? [
1013
+ authorization_server
1014
+ ] : authorization_servers ?? [
1015
+ issuer
1016
+ ],
1212
1017
  authorization_endpoint,
1213
1018
  authorization_challenge_endpoint,
1214
1019
  authorizationServerType,
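Review bot: `nonce_endpoint: credentialIssuerMetadata.nonce_endpoint` dereferences `credentialIssuerMetadata` unchecked, while the guard just above rejects only when `authMetadata` is present. If neither well-known document was found and the issuer is its own authorization server, the method appears to get this far (the `errorOnNotFound` fallback branches exist for that case) and then fails with a TypeError instead of a meaningful error. Either widen the guard to `if (!credentialIssuerMetadata)` or read `credentialIssuerMetadata?.nonce_endpoint`. The guard also uses `return Promise.reject(Error(...))` where the rest of the method uses `throw Error(...)`; inside an async method `throw` is equivalent and consistent. retrieveAllMetadata starts and ends outside this hunk.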
@@ -1220,236 +1025,60 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
1220
1025
  * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
1221
1026
  *
1222
1027
  * @param issuerHost The issuer hostname
1028
+ * @param opts
1223
1029
  */
1224
1030
  static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
1225
- return retrieveWellknown(issuerHost, import_oid4vci_common11.WellKnownEndpoints.OPENID4VCI_ISSUER, {
1031
+ return retrieveWellknown(issuerHost, import_oid4vci_common10.WellKnownEndpoints.OPENID4VCI_ISSUER, {
1226
1032
  errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
1227
1033
  });
1228
1034
  }
1229
1035
  };
1230
1036
 
1231
- // lib/MetadataClient.ts
1232
- var logger5 = import_ssi_types7.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
1233
- var MetadataClient = class _MetadataClient {
1234
- static {
1235
- __name(this, "MetadataClient");
1236
- }
1237
- /**
1238
- * Retrieve metadata using the Initiation obtained from a previous step
1239
- *
1240
- * @param credentialOffer
1241
- */
1242
- static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
1243
- if ((0, import_oid4vci_common12.determineSpecVersionFromOffer)(credentialOffer.credential_offer) >= import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_13) {
1244
- return await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(credentialOffer);
1245
- } else {
1246
- return await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(credentialOffer);
1037
+ // lib/AuthorizationCodeClient.ts
1038
+ var logger4 = import_ssi_types6.Loggers.DEFAULT.get("sphereon:oid4vci");
1039
+ async function createSignedAuthRequestWhenNeeded(requestObject, opts) {
1040
+ if (opts.requestObjectMode === import_oid4vci_common11.CreateRequestObjectMode.REQUEST_URI) {
1041
+ throw Error(`Request Object Mode ${opts.requestObjectMode} is not supported yet`);
1042
+ } else if (opts.requestObjectMode === import_oid4vci_common11.CreateRequestObjectMode.REQUEST_OBJECT) {
1043
+ if (typeof opts.signCallbacks?.signCallback !== "function") {
1044
+ throw Error(`No request object sign callback found, whilst request object mode was set to ${opts.requestObjectMode}`);
1045
+ } else if (!opts.kid) {
1046
+ throw Error(`No kid found, whilst request object mode was set to ${opts.requestObjectMode}`);
1247
1047
  }
1248
- }
1249
- /**
1250
- * Retrieve the metada using the initiation request obtained from a previous step
1251
- * @param request
1252
- */
1253
- static async retrieveAllMetadataFromCredentialOfferRequest(request) {
1254
- const issuer = (0, import_oid4vci_common12.getIssuerFromCredentialOfferPayload)(request);
1255
- if (issuer) {
1256
- if ((0, import_oid4vci_common12.determineSpecVersionFromOffer)(request) >= import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_13) {
1257
- return MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(request);
1258
- } else {
1259
- return MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(request);
1048
+ let client_metadata;
1049
+ if (opts.clientMetadata || opts.jwksUri) {
1050
+ client_metadata = opts.clientMetadata ?? {};
1051
+ if (opts.jwksUri) {
1052
+ client_metadata["jwks_uri"] = opts.jwksUri;
1260
1053
  }
1261
1054
  }
1262
- throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
1263
- }
1264
- /**
1265
- * Retrieve all metadata from an issuer
1266
- * @param issuer The issuer URL
1267
- * @param opts
1268
- */
1269
- static async retrieveAllMetadata(issuer, opts) {
1270
- let token_endpoint;
1271
- let credential_endpoint;
1272
- let deferred_credential_endpoint;
1273
- let authorization_endpoint;
1274
- let authorization_challenge_endpoint;
1275
- let authorizationServerType = "OID4VCI";
1276
- let authorization_servers = [
1277
- issuer
1278
- ];
1279
- let authorization_server = void 0;
1280
- const oid4vciResponse = await _MetadataClient.retrieveOpenID4VCIServerMetadata(issuer, {
1281
- errorOnNotFound: false
1282
- });
1283
- let credentialIssuerMetadata = oid4vciResponse?.successBody;
1284
- if (credentialIssuerMetadata) {
1285
- logger5.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
1286
- ${JSON.stringify(credentialIssuerMetadata)}`);
1287
- credential_endpoint = credentialIssuerMetadata.credential_endpoint;
1288
- deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint ? credentialIssuerMetadata.deferred_credential_endpoint : void 0;
1289
- if (credentialIssuerMetadata.token_endpoint) {
1290
- token_endpoint = credentialIssuerMetadata.token_endpoint;
1291
- }
1292
- authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
1293
- if (credentialIssuerMetadata.authorization_servers) {
1294
- authorization_servers = credentialIssuerMetadata.authorization_servers;
1295
- } else if (credentialIssuerMetadata.authorization_server) {
1296
- authorization_server = credentialIssuerMetadata.authorization_server;
1297
- authorization_servers = [
1298
- authorization_server
1299
- ];
1300
- }
1055
+ let authorization_details = requestObject["authorization_details"];
1056
+ if (typeof authorization_details === "string") {
1057
+ authorization_details = JSON.parse(requestObject.authorization_details);
1301
1058
  }
1302
- let response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common12.WellKnownEndpoints.OPENID_CONFIGURATION, {
1303
- errorOnNotFound: false
1304
- });
1305
- let authMetadata = response.successBody;
1306
- if (authMetadata) {
1307
- logger5.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
1308
- authorizationServerType = "OIDC";
1309
- } else {
1310
- response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common12.WellKnownEndpoints.OAUTH_AS, {
1311
- errorOnNotFound: false
1312
- });
1313
- authMetadata = response.successBody;
1059
+ if (!requestObject.aud && opts.aud) {
1060
+ requestObject.aud = opts.aud;
1314
1061
  }
1315
- if (!authMetadata) {
1316
- if (!authorization_servers.includes(issuer)) {
1317
- throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
1318
- }
1319
- } else {
1320
- if (!authorizationServerType) {
1321
- authorizationServerType = "OAuth 2.0";
1322
- }
1323
- logger5.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
1324
- if (!authMetadata.authorization_endpoint) {
1325
- console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
1326
- } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
1327
- throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
1328
- }
1329
- authorization_endpoint = authMetadata.authorization_endpoint;
1330
- if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
1331
- throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
1332
- }
1333
- authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
1334
- if (!authMetadata.token_endpoint) {
1335
- throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
1336
- } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
1337
- throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
1338
- }
1339
- token_endpoint = authMetadata.token_endpoint;
1340
- if (authMetadata.credential_endpoint) {
1341
- if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
1342
- logger5.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
1343
- } else {
1344
- credential_endpoint = authMetadata.credential_endpoint;
1345
- }
1346
- }
1347
- if (authMetadata.deferred_credential_endpoint) {
1348
- if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
1349
- logger5.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
1350
- } else {
1351
- deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
1352
- }
1353
- }
1354
- }
1355
- if (!authorization_endpoint) {
1356
- logger5.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
1357
- }
1358
- if (!token_endpoint) {
1359
- logger5.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
1360
- if (opts?.errorOnNotFound) {
1361
- throw Error(`Could not deduce the token_endpoint for ${issuer}`);
1362
- } else {
1363
- token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
1364
- }
1365
- }
1366
- if (!credential_endpoint) {
1367
- logger5.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
1368
- if (opts?.errorOnNotFound) {
1369
- throw Error(`Could not deduce the credential endpoint for ${issuer}`);
1370
- } else {
1371
- credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
1372
- }
1373
- }
1374
- if (!credentialIssuerMetadata && authMetadata) {
1375
- credentialIssuerMetadata = authorization_server ? authMetadata : authMetadata;
1376
- }
1377
- logger5.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
1378
- return {
1379
- issuer,
1380
- token_endpoint,
1381
- credential_endpoint,
1382
- deferred_credential_endpoint,
1383
- ...authorization_server ? {
1384
- authorization_server
1385
- } : {
1386
- authorization_servers
1387
- },
1388
- authorization_endpoint,
1389
- authorization_challenge_endpoint,
1390
- authorizationServerType,
1391
- credentialIssuerMetadata: authorization_server ? credentialIssuerMetadata : credentialIssuerMetadata,
1392
- authorizationServerMetadata: authMetadata
1393
- };
1394
- }
1395
- /**
1396
- * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
1397
- *
1398
- * @param issuerHost The issuer hostname
1399
- * @param opts
1400
- */
1401
- static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
1402
- return retrieveWellknown(issuerHost, import_oid4vci_common12.WellKnownEndpoints.OPENID4VCI_ISSUER, {
1403
- errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
1404
- });
1405
- }
1406
- };
1407
-
1408
- // lib/AuthorizationCodeClient.ts
1409
- var logger6 = import_ssi_types8.Loggers.DEFAULT.get("sphereon:oid4vci");
1410
- async function createSignedAuthRequestWhenNeeded(requestObject, opts) {
1411
- if (opts.requestObjectMode === import_oid4vci_common13.CreateRequestObjectMode.REQUEST_URI) {
1412
- throw Error(`Request Object Mode ${opts.requestObjectMode} is not supported yet`);
1413
- } else if (opts.requestObjectMode === import_oid4vci_common13.CreateRequestObjectMode.REQUEST_OBJECT) {
1414
- if (typeof opts.signCallbacks?.signCallback !== "function") {
1415
- throw Error(`No request object sign callback found, whilst request object mode was set to ${opts.requestObjectMode}`);
1416
- } else if (!opts.kid) {
1417
- throw Error(`No kid found, whilst request object mode was set to ${opts.requestObjectMode}`);
1418
- }
1419
- let client_metadata;
1420
- if (opts.clientMetadata || opts.jwksUri) {
1421
- client_metadata = opts.clientMetadata ?? {};
1422
- if (opts.jwksUri) {
1423
- client_metadata["jwks_uri"] = opts.jwksUri;
1424
- }
1425
- }
1426
- let authorization_details = requestObject["authorization_details"];
1427
- if (typeof authorization_details === "string") {
1428
- authorization_details = JSON.parse(requestObject.authorization_details);
1429
- }
1430
- if (!requestObject.aud && opts.aud) {
1431
- requestObject.aud = opts.aud;
1432
- }
1433
- const iss = requestObject.iss ?? opts.iss ?? requestObject.client_id;
1434
- const jwt = {
1435
- header: {
1436
- alg: "ES256",
1437
- kid: opts.kid,
1438
- typ: "JWT"
1439
- },
1440
- payload: {
1441
- ...requestObject,
1442
- iss,
1443
- authorization_details,
1444
- ...client_metadata && {
1445
- client_metadata
1062
+ const iss = requestObject.iss ?? opts.iss ?? requestObject.client_id;
1063
+ const jwt = {
1064
+ header: {
1065
+ alg: "ES256",
1066
+ kid: opts.kid,
1067
+ typ: "JWT"
1068
+ },
1069
+ payload: {
1070
+ ...requestObject,
1071
+ iss,
1072
+ authorization_details,
1073
+ ...client_metadata && {
1074
+ client_metadata
1446
1075
  }
1447
1076
  }
1448
1077
  };
1449
1078
  const pop = await ProofOfPossessionBuilder.fromJwt({
1450
1079
  jwt,
1451
1080
  callbacks: opts.signCallbacks,
1452
- version: import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_11,
1081
+ version: import_oid4vci_common11.OpenId4VCIVersion.VER_1_0_15,
1453
1082
  mode: "JWT"
1454
1083
  }).build();
1455
1084
  requestObject["request"] = pop.jwt;
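Review bot: `client_metadata = opts.clientMetadata ?? {}` followed by `client_metadata["jwks_uri"] = opts.jwksUri` writes into the caller's `clientMetadata` object, since the call site visible later in this diff spreads only the outer options object. Copy it first with `client_metadata = { ...opts.clientMetadata };`. The JWT header also pins `alg: "ES256"` while the key is selected through `opts.kid` and the signature comes from a callback. A comment stating that only P-256 keys are supported here (or deriving `alg` from the key) would prevent a header that disagrees with the signature. createSignedAuthRequestWhenNeeded continues past the end of this hunk.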
@@ -1487,12 +1116,12 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1487
1116
  }
1488
1117
  __name(removeDisplayAndValueTypes, "removeDisplayAndValueTypes");
1489
1118
  const { redirectUri, requestObjectOpts = {
1490
- requestObjectMode: import_oid4vci_common13.CreateRequestObjectMode.NONE
1119
+ requestObjectMode: import_oid4vci_common11.CreateRequestObjectMode.NONE
1491
1120
  } } = authorizationRequest;
1492
1121
  const client_id = clientId ?? authorizationRequest.clientId;
1493
1122
  const authorizationMetadata = endpointMetadata.authorizationServerMetadata ?? endpointMetadata.credentialIssuerMetadata;
1494
1123
  let { authorizationDetails } = authorizationRequest;
1495
- const parMode = authorizationMetadata?.require_pushed_authorization_requests ? import_oid4vci_common13.PARMode.REQUIRE : authorizationRequest.parMode ?? (client_id ? import_oid4vci_common13.PARMode.AUTO : import_oid4vci_common13.PARMode.NEVER);
1124
+ const parMode = authorizationMetadata?.require_pushed_authorization_requests ? import_oid4vci_common11.PARMode.REQUIRE : authorizationRequest.parMode ?? (client_id ? import_oid4vci_common11.PARMode.AUTO : import_oid4vci_common11.PARMode.NEVER);
1496
1125
  if (!authorizationRequest.scope && !authorizationDetails) {
1497
1126
  if (!credentialOffer) {
1498
1127
  throw Error("Please provide a scope or authorization_details if no credential offer is present");
@@ -1500,8 +1129,8 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1500
1129
  if ("credentials" in credentialOffer.credential_offer) {
1501
1130
  throw new Error("CredentialOffer format is wrong.");
1502
1131
  }
1503
- const ver = version ?? (0, import_oid4vci_common13.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_13;
1504
- const creds = ver === import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_13 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
1132
+ const ver = version ?? (0, import_oid4vci_common11.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common11.OpenId4VCIVersion.VER_1_0_15;
1133
+ const creds = ver === import_oid4vci_common11.OpenId4VCIVersion.VER_1_0_15 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
1505
1134
  authorizationDetails = creds.flatMap((cred) => {
1506
1135
  const locations = [
1507
1136
  credentialOffer?.credential_offer.credential_issuer ?? endpointMetadata.issuer
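Review bot: The `creds` line compares `ver === ...OpenId4VCIVersion.VER_1_0_15` exactly, so an offer for which `determineSpecVersionFromOffer` returns any other version now yields an empty `creds` array and no authorization details are derived from it. If the common package can still report earlier drafts (not visible here), either compare with `>=`, as the removed MetadataClient code did for VER_1_0_13, or throw an explicit "unsupported credential offer version" error here rather than continuing with an empty list. The enclosing createAuthorizationRequestUrl starts and ends outside this hunk.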
@@ -1511,10 +1140,10 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1511
1140
  if (!credential_configuration_id && !cred.format) {
1512
1141
  throw Error("format is required in authorization details");
1513
1142
  }
1514
- const vct = cred.format === "vc+sd-jwt" ? cred.vct : void 0;
1143
+ const vct = cred.format === "dc+sd-jwt" ? cred.vct : void 0;
1515
1144
  const doctype = cred.format === "mso_mdoc" ? cred.doctype : void 0;
1516
1145
  let credential_definition = void 0;
1517
- if ((0, import_oid4vci_common13.isW3cCredentialSupported)(cred)) {
1146
+ if ((0, import_oid4vci_common11.isW3cCredentialSupported)(cred) && hasCredentialDefinition(cred)) {
1518
1147
  credential_definition = {
1519
1148
  ...cred.credential_definition,
1520
1149
  // type: OPTIONAL. Array as defined in Appendix A.1.1.2. This claim contains the type values the Wallet requests authorization for at the Credential Issuer. It MUST be present if the claim format is present in the root of the authorization details object. It MUST not be present otherwise.
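Review bot: `vct` is now read only when `cred.format === "dc+sd-jwt"`, so a credential configuration that still advertises `vc+sd-jwt` produces authorization details without its `vct` and without any error. If issuers on the older identifier are meant to keep working, accept both: `const vct = cred.format === "dc+sd-jwt" || cred.format === "vc+sd-jwt" ? cred.vct : void 0;`. If they are not, reject the legacy format explicitly so the failure is visible to the caller. The surrounding `flatMap` callback starts and ends outside this hunk.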
@@ -1549,14 +1178,15 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1549
1178
  throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
1550
1179
  }
1551
1180
  }
1552
- if (!endpointMetadata?.authorization_endpoint) {
1181
+ const authorizationEndpoint = endpointMetadata.authorization_endpoint ?? endpointMetadata.authorizationServerMetadata?.authorization_endpoint ?? endpointMetadata.credentialIssuerMetadata?.authorization_endpoint;
1182
+ if (!authorizationEndpoint) {
1553
1183
  throw Error("Server metadata does not contain authorization endpoint");
1554
1184
  }
1555
1185
  const parEndpoint = authorizationMetadata?.pushed_authorization_request_endpoint;
1556
1186
  let queryObj = {
1557
- response_type: import_oid4vci_common13.ResponseType.AUTH_CODE,
1187
+ response_type: import_oid4vci_common11.ResponseType.AUTH_CODE,
1558
1188
  ...!pkce.disabled && {
1559
- code_challenge_method: pkce.codeChallengeMethod ?? import_oid4vci_common13.CodeChallengeMethod.S256,
1189
+ code_challenge_method: pkce.codeChallengeMethod ?? import_oid4vci_common11.CodeChallengeMethod.S256,
1560
1190
  code_challenge: pkce.codeChallenge
1561
1191
  },
1562
1192
  authorization_details: JSON.stringify(handleAuthorizationDetails(endpointMetadata, authorizationDetails)),
@@ -1574,12 +1204,12 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1574
1204
  if (credentialOffer?.issuerState) {
1575
1205
  queryObj.state = credentialOffer?.issuerState;
1576
1206
  }
1577
- if (!parEndpoint && parMode === import_oid4vci_common13.PARMode.REQUIRE) {
1207
+ if (!parEndpoint && parMode === import_oid4vci_common11.PARMode.REQUIRE) {
1578
1208
  throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
1579
- } else if (parEndpoint && parMode !== import_oid4vci_common13.PARMode.NEVER) {
1580
- logger6.debug(`USING PAR with endpoint ${parEndpoint}`);
1581
- const parResponse = await (0, import_oid4vci_common13.formPost)(parEndpoint, (0, import_oid4vci_common13.convertJsonToURI)(queryObj, {
1582
- mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED,
1209
+ } else if (parEndpoint && parMode !== import_oid4vci_common11.PARMode.NEVER) {
1210
+ logger4.debug(`USING PAR with endpoint ${parEndpoint}`);
1211
+ const parResponse = await (0, import_oid4vci_common11.formPost)(parEndpoint, (0, import_oid4vci_common11.convertJsonToURI)(queryObj, {
1212
+ mode: import_oid4vci_common11.JsonURIMode.X_FORM_WWW_URLENCODED,
1583
1213
  uriTypeProperties: [
1584
1214
  "client_id",
1585
1215
  "request_uri",
@@ -1594,12 +1224,12 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1594
1224
  accept: "application/json"
1595
1225
  });
1596
1226
  if (parResponse.errorBody || !parResponse.successBody) {
1597
- if (parMode === import_oid4vci_common13.PARMode.REQUIRE) {
1227
+ if (parMode === import_oid4vci_common11.PARMode.REQUIRE) {
1598
1228
  throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
1599
1229
  }
1600
- logger6.debug("Falling back to regular request URI, since PAR failed", JSON.stringify(parResponse.errorBody));
1230
+ logger4.debug("Falling back to regular request URI, since PAR failed", JSON.stringify(parResponse.errorBody));
1601
1231
  } else {
1602
- logger6.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
1232
+ logger4.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
1603
1233
  queryObj = {
1604
1234
  client_id,
1605
1235
  request_uri: parResponse.successBody.request_uri
@@ -1608,11 +1238,11 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1608
1238
  }
1609
1239
  await createSignedAuthRequestWhenNeeded(queryObj, {
1610
1240
  ...requestObjectOpts,
1611
- aud: endpointMetadata.authorization_server
1241
+ aud: endpointMetadata.authorization_server ?? endpointMetadata.authorizationServerMetadata?.issuer
1612
1242
  });
1613
- logger6.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
1614
- const url = (0, import_oid4vci_common13.convertJsonToURI)(queryObj, {
1615
- baseUrl: endpointMetadata.authorization_endpoint,
1243
+ logger4.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
1244
+ const url = (0, import_oid4vci_common11.convertJsonToURI)(queryObj, {
1245
+ baseUrl: authorizationEndpoint,
1616
1246
  uriTypeProperties: [
1617
1247
  "client_id",
1618
1248
  "request_uri",
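Review bot: `aud` falls back from `endpointMetadata.authorization_server` to `authorizationServerMetadata?.issuer`, but the metadata object returned earlier in this diff now carries `authorization_servers` (an array) in place of `authorization_server`. When no authorization-server metadata was fetched, the request object is therefore signed without an `aud`. Extend the chain to `aud: endpointMetadata.authorization_server ?? endpointMetadata.authorizationServerMetadata?.issuer ?? endpointMetadata.authorization_servers?.[0]`, and consider refusing to sign in REQUEST_OBJECT mode when the value is still undefined, since a request object without an audience is not bound to one authorization server. The call sits inside createAuthorizationRequestUrl, which starts and ends outside this hunk.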
@@ -1623,11 +1253,12 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1623
1253
  "state"
1624
1254
  ],
1625
1255
  // arrayTypeProperties: ['authorization_details'],
1626
- mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED
1256
+ mode: import_oid4vci_common11.JsonURIMode.X_FORM_WWW_URLENCODED
1627
1257
  });
1628
- logger6.debug(`Authorization Request URL: ${url}`);
1258
+ logger4.debug(`Authorization Request URL: ${url}`);
1629
1259
  return url;
1630
1260
  }, "createAuthorizationRequestUrl");
1261
+ var hasCredentialDefinition = /* @__PURE__ */ __name((cred) => "credential_definition" in cred && cred.credential_definition && typeof cred.credential_definition === "object" && cred.credential_definition !== null && "type" in cred.credential_definition && Array.isArray(cred.credential_definition.type), "hasCredentialDefinition");
1631
1262
  var handleAuthorizationDetails = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
1632
1263
  if (authorizationDetails) {
1633
1264
  if (typeof authorizationDetails === "string") {
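Review bot: `hasCredentialDefinition` applies the `in` operator to `cred` without first checking that it is an object, so a string or `null` entry raises a TypeError instead of returning `false`; whether callers can pass such entries is not visible in this hunk. Starting the predicate with `typeof cred === "object" && cred !== null &&` makes it safe for any input. The `cred.credential_definition !== null` term is redundant after the truthiness test on the same property and can be dropped.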
@@ -1649,7 +1280,10 @@ var handleLocations = /* @__PURE__ */ __name((endpointMetadata, authorizationDet
1649
1280
  if (typeof authorizationDetails === "string") {
1650
1281
  return authorizationDetails;
1651
1282
  }
1652
- if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {
1283
+ const ciMeta = endpointMetadata.credentialIssuerMetadata;
1284
+ const hasAuthorizationServers = Array.isArray(ciMeta?.authorization_servers) && ciMeta.authorization_servers.length > 0;
1285
+ const legacyHasAuthzEndpoint = Boolean(endpointMetadata.authorization_endpoint);
1286
+ if (hasAuthorizationServers || legacyHasAuthzEndpoint) {
1653
1287
  if (authorizationDetails.locations) {
1654
1288
  if (Array.isArray(authorizationDetails.locations)) {
1655
1289
  authorizationDetails.locations.push(endpointMetadata.issuer);
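Review bot: The rewritten condition in `handleLocations` no longer tests `authorizationDetails` itself, so a `null` or `undefined` argument now reaches `authorizationDetails.locations` and throws, where the previous `authorizationDetails && (...)` form returned it unchanged. Keeping the guard preserves the old contract: `if (authorizationDetails && (hasAuthorizationServers || legacyHasAuthzEndpoint)) {`. Whether a current caller can pass a nullish value is not visible here, but the check costs nothing. `handleLocations` continues past the end of this hunk.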
@@ -1708,169 +1342,18 @@ var createAuthorizationChallengeRequest = /* @__PURE__ */ __name(async (opts) =>
1708
1342
  return request;
1709
1343
  }, "createAuthorizationChallengeRequest");
1710
1344
  var sendAuthorizationChallengeRequest = /* @__PURE__ */ __name(async (authorizationChallengeCodeUrl, authorizationChallengeRequest, opts) => {
1711
- return await (0, import_oid4vci_common13.formPost)(authorizationChallengeCodeUrl, (0, import_oid4vci_common13.convertJsonToURI)(authorizationChallengeRequest, {
1712
- mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED
1345
+ return await (0, import_oid4vci_common11.formPost)(authorizationChallengeCodeUrl, (0, import_oid4vci_common11.convertJsonToURI)(authorizationChallengeRequest, {
1346
+ mode: import_oid4vci_common11.JsonURIMode.X_FORM_WWW_URLENCODED
1713
1347
  }), {
1714
1348
  customHeaders: opts?.headers ? opts.headers : void 0
1715
1349
  });
1716
1350
  }, "sendAuthorizationChallengeRequest");
1717
1351
 
1718
- // lib/AuthorizationCodeClientV1_0_11.ts
1719
- var import_oid4vci_common14 = require("@sphereon/oid4vci-common");
1720
- var import_ssi_types9 = require("@sphereon/ssi-types");
1721
- var logger7 = import_ssi_types9.Loggers.DEFAULT.get("sphereon:oid4vci");
1722
- var createAuthorizationRequestUrlV1_0_11 = /* @__PURE__ */ __name(async ({ pkce, endpointMetadata, authorizationRequest, credentialOffer, credentialsSupported }) => {
1723
- const { redirectUri, clientId, requestObjectOpts = {
1724
- requestObjectMode: import_oid4vci_common14.CreateRequestObjectMode.NONE
1725
- } } = authorizationRequest;
1726
- let { scope, authorizationDetails } = authorizationRequest;
1727
- const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests ? import_oid4vci_common14.PARMode.REQUIRE : authorizationRequest.parMode ?? import_oid4vci_common14.PARMode.AUTO;
1728
- if (!scope && !authorizationDetails) {
1729
- if (!credentialOffer) {
1730
- throw Error("Please provide a scope or authorization_details if no credential offer is present");
1731
- }
1732
- const creds = credentialOffer.credential_offer.credentials;
1733
- authorizationDetails = creds.flatMap((cred) => typeof cred === "string" ? credentialsSupported : cred).filter((cred) => !!cred).map((cred) => {
1734
- return {
1735
- ...cred,
1736
- type: "openid_credential",
1737
- locations: [
1738
- endpointMetadata.issuer
1739
- ],
1740
- // eslint-disable-next-line @typescript-eslint/ban-ts-comment
1741
- // @ts-ignore
1742
- format: cred.format
1743
- };
1744
- });
1745
- if (!authorizationDetails || Array.isArray(authorizationDetails) && authorizationDetails.length === 0) {
1746
- throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
1747
- }
1748
- }
1749
- if (!endpointMetadata?.authorization_endpoint) {
1750
- throw Error("Server metadata does not contain authorization endpoint");
1751
- }
1752
- const parEndpoint = endpointMetadata.credentialIssuerMetadata?.pushed_authorization_request_endpoint;
1753
- if (!scope?.includes("openid")) {
1754
- scope = [
1755
- "openid",
1756
- scope
1757
- ].filter((s) => !!s).join(" ");
1758
- }
1759
- let queryObj = {
1760
- response_type: import_oid4vci_common14.ResponseType.AUTH_CODE,
1761
- ...!pkce.disabled && {
1762
- code_challenge_method: pkce.codeChallengeMethod ?? import_oid4vci_common14.CodeChallengeMethod.S256,
1763
- code_challenge: pkce.codeChallenge
1764
- },
1765
- authorization_details: JSON.stringify(handleAuthorizationDetailsV1_0_11(endpointMetadata, authorizationDetails)),
1766
- ...redirectUri && {
1767
- redirect_uri: redirectUri
1768
- },
1769
- ...clientId && {
1770
- client_id: clientId
1771
- },
1772
- ...credentialOffer?.issuerState && {
1773
- issuer_state: credentialOffer.issuerState
1774
- },
1775
- scope
1776
- };
1777
- if (!parEndpoint && parMode === import_oid4vci_common14.PARMode.REQUIRE) {
1778
- throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
1779
- } else if (parEndpoint && parMode !== import_oid4vci_common14.PARMode.NEVER) {
1780
- logger7.debug(`USING PAR with endpoint ${parEndpoint}`);
1781
- const parResponse = await (0, import_oid4vci_common14.formPost)(parEndpoint, (0, import_oid4vci_common14.convertJsonToURI)(queryObj, {
1782
- mode: import_oid4vci_common14.JsonURIMode.X_FORM_WWW_URLENCODED,
1783
- uriTypeProperties: [
1784
- "client_id",
1785
- "request_uri",
1786
- "redirect_uri",
1787
- "scope",
1788
- "authorization_details",
1789
- "issuer_state"
1790
- ]
1791
- }), {
1792
- contentType: "application/x-www-form-urlencoded",
1793
- accept: "application/json"
1794
- });
1795
- if (parResponse.errorBody || !parResponse.successBody) {
1796
- console.log(JSON.stringify(parResponse.errorBody));
1797
- console.log("Falling back to regular request URI, since PAR failed");
1798
- if (parMode === import_oid4vci_common14.PARMode.REQUIRE) {
1799
- throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
1800
- }
1801
- } else {
1802
- logger7.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
1803
- queryObj = {
1804
- request_uri: parResponse.successBody.request_uri
1805
- };
1806
- }
1807
- }
1808
- await createSignedAuthRequestWhenNeeded(queryObj, {
1809
- ...requestObjectOpts,
1810
- aud: endpointMetadata.authorization_server
1811
- });
1812
- logger7.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
1813
- const url = (0, import_oid4vci_common14.convertJsonToURI)(queryObj, {
1814
- baseUrl: endpointMetadata.authorization_endpoint,
1815
- uriTypeProperties: [
1816
- "client_id",
1817
- "request_uri",
1818
- "redirect_uri",
1819
- "scope",
1820
- "authorization_details",
1821
- "issuer_state"
1822
- ],
1823
- // arrayTypeProperties: ['authorization_details'],
1824
- mode: import_oid4vci_common14.JsonURIMode.X_FORM_WWW_URLENCODED
1825
- });
1826
- logger7.debug(`Authorization Request URL: ${url}`);
1827
- return url;
1828
- }, "createAuthorizationRequestUrlV1_0_11");
1829
- var handleAuthorizationDetailsV1_0_11 = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
1830
- if (authorizationDetails) {
1831
- if (typeof authorizationDetails === "string") {
1832
- return authorizationDetails;
1833
- }
1834
- if (Array.isArray(authorizationDetails)) {
1835
- return authorizationDetails.filter((value) => typeof value !== "string").map((value) => handleLocations2(endpointMetadata, typeof value === "string" ? value : {
1836
- ...value
1837
- }));
1838
- } else {
1839
- return handleLocations2(endpointMetadata, {
1840
- ...authorizationDetails
1841
- });
1842
- }
1843
- }
1844
- return authorizationDetails;
1845
- }, "handleAuthorizationDetailsV1_0_11");
1846
- var handleLocations2 = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
1847
- if (typeof authorizationDetails === "string") {
1848
- return authorizationDetails;
1849
- }
1850
- if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {
1851
- if (authorizationDetails.locations) {
1852
- if (Array.isArray(authorizationDetails.locations)) {
1853
- authorizationDetails.locations.push(endpointMetadata.issuer);
1854
- } else {
1855
- authorizationDetails.locations = [
1856
- authorizationDetails.locations,
1857
- endpointMetadata.issuer
1858
- ];
1859
- }
1860
- } else {
1861
- authorizationDetails.locations = [
1862
- endpointMetadata.issuer
1863
- ];
1864
- }
1865
- }
1866
- return authorizationDetails;
1867
- }, "handleLocations");
1868
-
1869
1352
  // lib/CredentialRequestClient.ts
1870
- var import_oid4vc_common5 = require("@sphereon/oid4vc-common");
1871
- var import_oid4vci_common15 = require("@sphereon/oid4vci-common");
1872
- var import_ssi_types10 = require("@sphereon/ssi-types");
1873
- var logger8 = import_ssi_types10.Loggers.DEFAULT.get("sphereon:oid4vci:credential");
1353
+ var import_oid4vc_common4 = require("@sphereon/oid4vc-common");
1354
+ var import_oid4vci_common12 = require("@sphereon/oid4vci-common");
1355
+ var import_ssi_types7 = require("@sphereon/ssi-types");
1356
+ var logger5 = import_ssi_types7.Loggers.DEFAULT.get("sphereon:oid4vci:credential");
1874
1357
  async function buildProof(proofInput, opts) {
1875
1358
  if ("proof_type" in proofInput) {
1876
1359
  if (opts.cNonce) {
@@ -1884,6 +1367,27 @@ async function buildProof(proofInput, opts) {
1884
1367
  return await proofInput.build();
1885
1368
  }
1886
1369
  __name(buildProof, "buildProof");
1370
+ function isOpenIdCredentialDetail(ad) {
1371
+ return typeof ad === "object" && ad !== null && ad.type === "openid_credential";
1372
+ }
1373
+ __name(isOpenIdCredentialDetail, "isOpenIdCredentialDetail");
1374
+ function findAuthorizationDetail(authorizationDetails, preferredConfigId) {
1375
+ if (!authorizationDetails) {
1376
+ return void 0;
1377
+ }
1378
+ const openIdCredentialDetails = authorizationDetails.filter(isOpenIdCredentialDetail);
1379
+ if (openIdCredentialDetails.length === 0) {
1380
+ return void 0;
1381
+ }
1382
+ if (preferredConfigId) {
1383
+ const match = openIdCredentialDetails.find((detail) => typeof detail === "object" && detail !== null && detail.credential_configuration_id === preferredConfigId);
1384
+ if (match) {
1385
+ return match;
1386
+ }
1387
+ }
1388
+ return openIdCredentialDetails[0];
1389
+ }
1390
+ __name(findAuthorizationDetail, "findAuthorizationDetail");
1887
1391
  var CredentialRequestClient = class {
1888
1392
  static {
1889
1393
  __name(this, "CredentialRequestClient");
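Review bot: `findAuthorizationDetail` returns `openIdCredentialDetails[0]` even when `preferredConfigId` was supplied and no entry matched, so the caller can end up requesting a credential other than the one it asked for, selected only by the order in which the authorization details arrived. Returning `undefined` on a miss keeps the selection explicit: hoist `match` out of the `if` and end with `return preferredConfigId ? match : openIdCredentialDetails[0];`. The function also calls `.filter` on `authorizationDetails` without an `Array.isArray` check, which throws if the value is a string or a single object; the authorization-request helpers on this page accept both of those shapes. The `typeof detail === "object" && detail !== null` test inside `find` repeats what `isOpenIdCredentialDetail` has already established.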
@@ -1923,7 +1427,10 @@ var CredentialRequestClient = class {
1923
1427
  credentialIdentifier,
1924
1428
  subjectIssuance
1925
1429
  });
1926
- return await this.acquireCredentialsUsingRequestWithoutProof(request, opts.createDPoPOpts);
1430
+ if (!import_oid4vci_common12.supportedOID4VCICredentialFormat.includes(format)) {
1431
+ return Promise.reject(Error(`Unsupported credential format: ${format}`));
1432
+ }
1433
+ return await this.acquireCredentialsUsingRequestWithoutProof(request, format, opts.createDPoPOpts);
1927
1434
  }
1928
1435
  async acquireCredentialsUsingProof(opts) {
1929
1436
  const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts;
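Review bot: The added format check runs only after the request object has been built, and it rejects whenever `format` is absent, so a call that names the credential by `credentialIdentifier` alone would fail with `Unsupported credential format: undefined`. If `format` is optional for identifier-based requests, guard it with `if (format !== undefined && !supportedOID4VCICredentialFormat.includes(format)) {` and move the check above the request construction. Inside an `async` method `throw Error(...)` is the usual form and matches the `throw` statements elsewhere in this class. `acquireCredentialsUsingProof`, whose first lines close this hunk, forwards `format` in the next hunk without the same check. The enclosing method starts before this hunk.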
@@ -1936,32 +1443,28 @@ var CredentialRequestClient = class {
1936
1443
  credentialIdentifier,
1937
1444
  subjectIssuance
1938
1445
  });
1939
- return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
1446
+ return await this.acquireCredentialsUsingRequest(request, format, opts.createDPoPOpts);
1940
1447
  }
1941
- async acquireCredentialsUsingRequestWithoutProof(uniformRequest, createDPoPOpts) {
1942
- return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
1448
+ async acquireCredentialsUsingRequestWithoutProof(uniformRequest, format, createDPoPOpts) {
1449
+ return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
1943
1450
  }
1944
- async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
1945
- return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
1451
+ async acquireCredentialsUsingRequest(uniformRequest, format, createDPoPOpts) {
1452
+ return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
1946
1453
  }
1947
- async acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts) {
1948
- if (this.version() < import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13) {
1949
- throw new Error("Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.");
1950
- }
1951
- const request = (0, import_oid4vci_common15.getCredentialRequestForVersion)(uniformRequest, this.version());
1454
+ async acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts) {
1952
1455
  const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
1953
- if (!(0, import_oid4vci_common15.isValidURL)(credentialEndpoint)) {
1954
- logger8.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
1955
- throw new Error(import_oid4vci_common15.URL_NOT_VALID);
1456
+ if (!(0, import_oid4vci_common12.isValidURL)(credentialEndpoint)) {
1457
+ logger5.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
1458
+ throw new Error(import_oid4vci_common12.URL_NOT_VALID);
1956
1459
  }
1957
- logger8.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
1958
- logger8.debug(`request
1959
- : ${JSON.stringify(request, null, 2)}`);
1460
+ logger5.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
1461
+ logger5.debug(`request
1462
+ : ${JSON.stringify(uniformRequest, null, 2)}`);
1960
1463
  const requestToken = this.credentialRequestOpts.token;
1961
- let dPoP = createDPoPOpts ? await (0, import_oid4vc_common5.createDPoP)((0, import_oid4vc_common5.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
1464
+ let dPoP = createDPoPOpts ? await (0, import_oid4vc_common4.createDPoP)((0, import_oid4vc_common4.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
1962
1465
  accessToken: requestToken
1963
1466
  })) : void 0;
1964
- let response = await (0, import_oid4vci_common15.post)(credentialEndpoint, JSON.stringify(request), {
1467
+ let response = await (0, import_oid4vci_common12.post)(credentialEndpoint, JSON.stringify(uniformRequest), {
1965
1468
  bearerToken: requestToken,
1966
1469
  ...dPoP && {
1967
1470
  customHeaders: {
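Review bot: Inserting `format` as the second positional parameter of the public `acquireCredentialsUsingRequest` and `acquireCredentialsUsingRequestWithoutProof` silently changes existing two-argument calls: a caller that still passes `(request, createDPoPOpts)` has its DPoP options read as `format`, `createDPoPOpts` becomes `undefined`, and the request goes out with the bearer token and no DPoP proof, without any error. Appending the parameter keeps old call sites working, `async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts, format)`; alternatively reject a non-string `format` at the top of `acquireCredentialsUsingRequestImpl`. Within the lines shown the implementation never reads `format`, so confirm it is needed there at all. The debug statement in this hunk serialises the whole `uniformRequest`, proof included, into the log. `acquireCredentialsUsingRequestImpl` continues past the end of the hunk.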
@@ -1973,10 +1476,10 @@ var CredentialRequestClient = class {
1973
1476
  const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response);
1974
1477
  if (retryWithNonce.ok && createDPoPOpts) {
1975
1478
  createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
1976
- dPoP = await (0, import_oid4vc_common5.createDPoP)((0, import_oid4vc_common5.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
1479
+ dPoP = await (0, import_oid4vc_common4.createDPoP)((0, import_oid4vc_common4.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
1977
1480
  accessToken: requestToken
1978
1481
  }));
1979
- response = await (0, import_oid4vci_common15.post)(credentialEndpoint, JSON.stringify(request), {
1482
+ response = await (0, import_oid4vci_common12.post)(credentialEndpoint, JSON.stringify(uniformRequest), {
1980
1483
  bearerToken: requestToken,
1981
1484
  ...createDPoPOpts && {
1982
1485
  customHeaders: {
@@ -1987,7 +1490,7 @@ var CredentialRequestClient = class {
1987
1490
  const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
1988
1491
  nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
1989
1492
  }
1990
- this._isDeferred = (0, import_oid4vci_common15.isDeferredCredentialResponse)(response);
1493
+ this._isDeferred = (0, import_oid4vci_common12.isDeferredCredentialResponse)(response);
1991
1494
  if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
1992
1495
  response = await this.acquireDeferredCredential(response.successBody, {
1993
1496
  bearerToken: this.credentialRequestOpts.token
@@ -1999,7 +1502,7 @@ var CredentialRequestClient = class {
1999
1502
  throw Error("Subject signing was requested, but issuer did not provide the options in its response");
2000
1503
  }
2001
1504
  }
2002
- logger8.debug(`Credential endpoint ${credentialEndpoint} response:\r
1505
+ logger5.debug(`Credential endpoint ${credentialEndpoint} response:\r
2003
1506
  ${JSON.stringify(response, null, 2)}`);
2004
1507
  return {
2005
1508
  ...response,
@@ -2021,7 +1524,7 @@ ${JSON.stringify(response, null, 2)}`);
2021
1524
  } else if (!bearerToken) {
2022
1525
  throw Error(`No bearer token present and refresh for defered endpoint not supported yet`);
2023
1526
  }
2024
- return await (0, import_oid4vci_common15.acquireDeferredCredential)({
1527
+ return await (0, import_oid4vci_common12.acquireDeferredCredential)({
2025
1528
  bearerToken,
2026
1529
  transactionId,
2027
1530
  deferredCredentialEndpoint,
@@ -2036,44 +1539,15 @@ ${JSON.stringify(response, null, 2)}`);
2036
1539
  return await this.createCredentialRequestImpl(opts);
2037
1540
  }
2038
1541
  async createCredentialRequestImpl(opts) {
2039
- const { proofInput, credentialIdentifier: credential_identifier } = opts;
1542
+ const { proofInput, credentialIdentifier, credentialConfigurationId } = opts;
2040
1543
  let proof = void 0;
2041
1544
  if (proofInput) {
2042
1545
  proof = await buildProof(proofInput, opts);
2043
1546
  }
2044
- if (credential_identifier) {
2045
- if (opts.format || opts.credentialTypes || opts.context) {
2046
- throw Error(`You cannot mix credential_identifier with format, credential types and/or context`);
2047
- }
2048
- return {
2049
- credential_identifier,
2050
- ...proof && {
2051
- proof
2052
- }
2053
- };
2054
- }
2055
- const formatSelection = opts.format ?? this.credentialRequestOpts.format;
2056
- if (!formatSelection) {
2057
- throw Error(`Format of credential to be issued is missing`);
2058
- }
2059
- const format = (0, import_oid4vci_common15.getUniformFormat)(formatSelection);
2060
- const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
2061
- if (!typesSelection) {
2062
- throw Error(`Credential type(s) need to be provided`);
2063
- }
2064
- const types = Array.isArray(typesSelection) ? typesSelection : [
2065
- typesSelection
2066
- ];
2067
- if (types.length === 0) {
2068
- throw Error(`Credential type(s) need to be provided`);
2069
- }
2070
- const issuer_state = this.credentialRequestOpts.issuerState;
2071
- if (format === "jwt_vc_json" || format === "jwt_vc") {
2072
- return {
2073
- credential_definition: {
2074
- type: types
2075
- },
2076
- format,
1547
+ if (this.version() >= import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_15) {
1548
+ const authDetail = findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId ?? credentialIdentifier);
1549
+ const issuer_state = this.credentialRequestOpts.issuerState;
1550
+ const commonBody = {
2077
1551
  ...issuer_state && {
2078
1552
  issuer_state
2079
1553
  },
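Review bot: `findAuthorizationDetail` is called with `credentialConfigurationId ?? credentialIdentifier`, but the helper compares that value only against `credential_configuration_id`, so a credential identifier passed this way matches only by coincidence and the lookup falls through to the first `openid_credential` entry. Pass the configuration id alone, `findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId)`, and match the identifier separately against the detail's identifiers. This hunk also removes the check that rejected mixing `credential_identifier` with `format`, `credentialTypes` or `context`; if that input validation is still wanted it needs a new home. `createCredentialRequestImpl` continues in the next hunk.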
@@ -2082,64 +1556,43 @@ ${JSON.stringify(response, null, 2)}`);
2082
1556
  },
2083
1557
  ...opts.subjectIssuance
2084
1558
  };
2085
- } else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
2086
- if (this.version() >= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
2087
- throw Error("No @context value present, but it is required");
1559
+ const authDetailObj = authDetail && typeof authDetail === "object" ? authDetail : null;
1560
+ if (authDetailObj?.credential_identifier) {
1561
+ return {
1562
+ credential_identifier: authDetailObj.credential_identifier,
1563
+ ...commonBody
1564
+ };
2088
1565
  }
2089
- return {
2090
- format,
2091
- ...issuer_state && {
2092
- issuer_state
2093
- },
2094
- ...proof && {
2095
- proof
2096
- },
2097
- ...opts.subjectIssuance,
2098
- credential_definition: {
2099
- type: types,
2100
- "@context": opts.context
2101
- }
2102
- };
2103
- } else if (format === "vc+sd-jwt") {
2104
- if (types.length > 1) {
2105
- throw Error(`Only a single credential type is supported for ${format}`);
1566
+ if (authDetailObj?.credential_identifiers && authDetailObj.credential_identifiers.length > 0) {
1567
+ return {
1568
+ credential_identifier: authDetailObj.credential_identifiers[0],
1569
+ ...commonBody
1570
+ };
2106
1571
  }
2107
- return {
2108
- format,
2109
- ...issuer_state && {
2110
- issuer_state
2111
- },
2112
- ...proof && {
2113
- proof
2114
- },
2115
- vct: types[0],
2116
- ...opts.subjectIssuance
2117
- };
2118
- } else if (format === "mso_mdoc") {
2119
- if (types.length > 1) {
2120
- throw Error(`Only a single credential type is supported for ${format}`);
1572
+ const configId = credentialConfigurationId ?? authDetailObj?.credential_configuration_id ?? this._credentialRequestOpts.credentialConfigurationId;
1573
+ if (configId) {
1574
+ return {
1575
+ credential_configuration_id: configId,
1576
+ ...commonBody
1577
+ };
2121
1578
  }
2122
- return {
2123
- format,
2124
- ...issuer_state && {
2125
- issuer_state
2126
- },
2127
- ...proof && {
2128
- proof
2129
- },
2130
- doctype: types[0],
2131
- ...opts.subjectIssuance
2132
- };
1579
+ if (credentialIdentifier) {
1580
+ return {
1581
+ credential_identifier: credentialIdentifier,
1582
+ ...commonBody
1583
+ };
1584
+ }
1585
+ return Promise.reject(Error("No credential_identifier or credential_configuration_id available for v1.0-15 request"));
2133
1586
  }
2134
- throw new Error(`Unsupported credential format: ${format}`);
1587
+ throw new Error(`Unsupported version: ${this.version()}`);
2135
1588
  }
2136
1589
  version() {
2137
- return this.credentialRequestOpts?.version ?? import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13;
1590
+ return this.credentialRequestOpts?.version ?? import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_15;
2138
1591
  }
2139
1592
  };
2140
1593
 
2141
1594
  // lib/CredentialOfferClient.ts
2142
- var import_oid4vci_common16 = require("@sphereon/oid4vci-common");
1595
+ var import_oid4vci_common13 = require("@sphereon/oid4vci-common");
2143
1596
  var CredentialOfferClient = class {
2144
1597
  static {
2145
1598
  __name(this, "CredentialOfferClient");
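Review bot: In the v1.0-15 branch the caller's explicit `credentialIdentifier` is consulted last, after `authDetailObj.credential_identifier`, `authDetailObj.credential_identifiers[0]` and any configuration id, so the identifier the caller asked for is normally replaced by the first one listed in the authorization details. Prefer the caller's value when it is among the authorised identifiers, e.g. `const id = authDetailObj.credential_identifiers.includes(credentialIdentifier) ? credentialIdentifier : authDetailObj.credential_identifiers[0];`. The `configId` line reads `this._credentialRequestOpts` while the rest of the method uses `this.credentialRequestOpts`; one accessor should be used throughout. `return Promise.reject(Error(...))` sits next to `throw new Error(...)` in the same async method and would read more consistently as a `throw`. The method begins in the previous hunk.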
@@ -2152,175 +1605,45 @@ var CredentialOfferClient = class {
2152
1605
  }
2153
1606
  const scheme = uri.split("://")[0];
2154
1607
  const baseUrl = uri.split("?")[0];
2155
- const version = (0, import_oid4vci_common16.determineSpecVersionFromURI)(uri);
1608
+ const version = (0, import_oid4vci_common13.determineSpecVersionFromURI)(uri);
2156
1609
  LOG.log(`Offer URL determined to be of version ${version}`);
2157
1610
  let credentialOffer;
2158
- let credentialOfferPayload;
2159
- if (version < import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_11) {
2160
- credentialOfferPayload = (0, import_oid4vci_common16.convertURIToJsonObject)(uri, {
2161
- arrayTypeProperties: [
2162
- "credential_type"
1611
+ if (uri.includes("credential_offer_uri")) {
1612
+ credentialOffer = await handleCredentialOfferUri(uri);
1613
+ } else {
1614
+ credentialOffer = (0, import_oid4vci_common13.convertURIToJsonObject)(uri, {
1615
+ // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
1616
+ arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
1617
+ "credential_offer_uri="
1618
+ ] : [
1619
+ "credential_offer="
2163
1620
  ],
2164
- requiredProperties: uri.includes("credential_offer=") ? [
2165
- "credential_offer"
1621
+ requiredProperties: uri.includes("credential_offer_uri=") ? [
1622
+ "credential_offer_uri="
2166
1623
  ] : [
2167
- "issuer",
2168
- "credential_type"
1624
+ "credential_offer="
2169
1625
  ]
2170
1626
  });
2171
- credentialOffer = {
2172
- credential_offer: credentialOfferPayload
2173
- };
2174
- } else {
2175
- if (uri.includes("credential_offer_uri")) {
2176
- credentialOffer = await handleCredentialOfferUri(uri);
2177
- } else {
2178
- credentialOffer = (0, import_oid4vci_common16.convertURIToJsonObject)(uri, {
2179
- // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
2180
- arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
2181
- "credential_offer_uri="
2182
- ] : [
2183
- "credential_offer="
2184
- ],
2185
- requiredProperties: uri.includes("credential_offer_uri=") ? [
2186
- "credential_offer_uri="
2187
- ] : [
2188
- "credential_offer="
2189
- ]
2190
- });
2191
- }
2192
- if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
2193
- throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
2194
- }
2195
1627
  }
2196
- const request = await (0, import_oid4vci_common16.toUniformCredentialOfferRequest)(credentialOffer, {
2197
- ...opts,
2198
- version
2199
- });
2200
- return {
2201
- ...constructBaseResponse(request, scheme, baseUrl),
2202
- userPinRequired: request.credential_offer?.grants?.[import_oid4vci_common16.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? !!request.credential_offer?.grants?.[import_oid4vci_common16.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false
2203
- };
2204
- }
2205
- static toURI(requestWithBaseUrl, opts) {
2206
- LOG.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
2207
- const version = opts?.version ?? requestWithBaseUrl.version;
2208
- let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
2209
- let param;
2210
- const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
2211
- if (version.valueOf() >= import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
2212
- if (!baseUrl.includes("?")) {
2213
- param = isUri ? "credential_offer_uri" : "credential_offer";
2214
- } else {
2215
- const split = baseUrl.split("?");
2216
- if (split.length > 1 && split[1] !== "") {
2217
- if (baseUrl.endsWith("&")) {
2218
- param = isUri ? "credential_offer_uri" : "credential_offer";
2219
- } else if (!baseUrl.endsWith("=")) {
2220
- baseUrl += `&`;
2221
- param = isUri ? "credential_offer_uri" : "credential_offer";
2222
- }
2223
- }
2224
- }
2225
- }
2226
- return (0, import_oid4vci_common16.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
2227
- baseUrl,
2228
- arrayTypeProperties: isUri ? [] : [
2229
- "credential_type"
2230
- ],
2231
- uriTypeProperties: isUri ? [
2232
- "credential_offer_uri"
2233
- ] : version >= import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_13 ? [
2234
- "credential_issuer",
2235
- "credential_type"
2236
- ] : [
2237
- "issuer",
2238
- "credential_type"
2239
- ],
2240
- param,
2241
- version
2242
- });
2243
- }
2244
- };
2245
-
2246
- // lib/CredentialOfferClientV1_0_11.ts
2247
- var import_oid4vci_common17 = require("@sphereon/oid4vci-common");
2248
- var import_ssi_types11 = require("@sphereon/ssi-types");
2249
- var logger9 = import_ssi_types11.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
2250
- var CredentialOfferClientV1_0_11 = class {
2251
- static {
2252
- __name(this, "CredentialOfferClientV1_0_11");
2253
- }
2254
- static async fromURI(uri, opts) {
2255
- logger9.debug(`Credential Offer URI: ${uri}`);
2256
- if (!uri.includes("?") || !uri.includes("://")) {
2257
- logger9.debug(`Invalid Credential Offer URI: ${uri}`);
2258
- throw Error(`Invalid Credential Offer Request`);
2259
- }
2260
- const scheme = uri.split("://")[0];
2261
- const baseUrl = uri.split("?")[0];
2262
- const version = (0, import_oid4vci_common17.determineSpecVersionFromURI)(uri);
2263
- let credentialOffer;
2264
- let credentialOfferPayload;
2265
- if (version < import_oid4vci_common17.OpenId4VCIVersion.VER_1_0_11) {
2266
- credentialOfferPayload = (0, import_oid4vci_common17.convertURIToJsonObject)(uri, {
2267
- arrayTypeProperties: [
2268
- "credential_type"
2269
- ],
2270
- requiredProperties: uri.includes("credential_offer_uri=") ? [
2271
- "credential_offer_uri="
2272
- ] : [
2273
- "issuer",
2274
- "credential_type="
2275
- ]
2276
- });
2277
- credentialOffer = {
2278
- credential_offer: credentialOfferPayload
2279
- };
2280
- } else {
2281
- credentialOffer = (0, import_oid4vci_common17.convertURIToJsonObject)(uri, {
2282
- arrayTypeProperties: [
2283
- "credentials"
2284
- ],
2285
- requiredProperties: uri.includes("credential_offer_uri=") ? [
2286
- "credential_offer_uri="
2287
- ] : [
2288
- "credential_offer="
2289
- ]
2290
- });
2291
- if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
2292
- throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
2293
- }
1628
+ if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
1629
+ throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
2294
1630
  }
2295
- const request = await (0, import_oid4vci_common17.toUniformCredentialOfferRequest)(credentialOffer, {
1631
+ const request = await (0, import_oid4vci_common13.toUniformCredentialOfferRequest)(credentialOffer, {
2296
1632
  ...opts,
2297
1633
  version
2298
1634
  });
2299
- const clientId = (0, import_oid4vci_common17.getClientIdFromCredentialOfferPayload)(request.credential_offer);
2300
- const grants = request.credential_offer?.grants;
2301
1635
  return {
2302
- scheme,
2303
- baseUrl,
2304
- ...clientId && {
2305
- clientId
2306
- },
2307
- ...request,
2308
- ...grants?.authorization_code?.issuer_state && {
2309
- issuerState: grants.authorization_code.issuer_state
2310
- },
2311
- ...grants?.[import_oid4vci_common17.PRE_AUTH_GRANT_LITERAL]?.[import_oid4vci_common17.PRE_AUTH_CODE_LITERAL] && {
2312
- preAuthorizedCode: grants[import_oid4vci_common17.PRE_AUTH_GRANT_LITERAL][import_oid4vci_common17.PRE_AUTH_CODE_LITERAL]
2313
- },
2314
- userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common17.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false)
1636
+ ...constructBaseResponse(request, scheme, baseUrl),
1637
+ userPinRequired: request.credential_offer?.grants?.[import_oid4vci_common13.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? !!request.credential_offer?.grants?.[import_oid4vci_common13.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false
2315
1638
  };
2316
1639
  }
2317
1640
  static toURI(requestWithBaseUrl, opts) {
2318
- logger9.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
1641
+ LOG.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
2319
1642
  const version = opts?.version ?? requestWithBaseUrl.version;
2320
1643
  let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
2321
1644
  let param;
2322
1645
  const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
2323
- if (version.valueOf() >= import_oid4vci_common17.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
1646
+ if (version.valueOf() >= import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_15.valueOf()) {
2324
1647
  if (!baseUrl.includes("?")) {
2325
1648
  param = isUri ? "credential_offer_uri" : "credential_offer";
2326
1649
  } else {
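Review bot: `uri.includes("credential_offer_uri")` in `fromURI` is a substring test over the whole offer URI, so it is also true when that text appears inside an inline `credential_offer` value, and the offer is then handed to `handleCredentialOfferUri` instead of being parsed in place. Offer URIs normally originate outside the wallet, so the branch is better decided on the parsed parameter name, e.g. `new URL(uri).searchParams.has("credential_offer_uri")`. With the current test the `uri.includes("credential_offer_uri=")` ternaries in the `else` branch can never select their first arm. What `handleCredentialOfferUri` does with the URI is outside this hunk; if it retrieves the referenced location, scheme and host checks belong there. `toURI` continues past the end of the hunk.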
@@ -2335,14 +1658,14 @@ var CredentialOfferClientV1_0_11 = class {
2335
1658
  }
2336
1659
  }
2337
1660
  }
2338
- return (0, import_oid4vci_common17.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
1661
+ return (0, import_oid4vci_common13.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
2339
1662
  baseUrl,
2340
1663
  arrayTypeProperties: isUri ? [] : [
2341
1664
  "credential_type"
2342
1665
  ],
2343
1666
  uriTypeProperties: isUri ? [
2344
1667
  "credential_offer_uri"
2345
- ] : version >= import_oid4vci_common17.OpenId4VCIVersion.VER_1_0_11 ? [
1668
+ ] : version >= import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_15 ? [
2346
1669
  "credential_issuer",
2347
1670
  "credential_type"
2348
1671
  ] : [
@@ -2355,28 +1678,28 @@ var CredentialOfferClientV1_0_11 = class {
2355
1678
  }
2356
1679
  };
2357
1680
 
2358
- // lib/CredentialOfferClientV1_0_13.ts
2359
- var import_oid4vci_common18 = require("@sphereon/oid4vci-common");
2360
- var import_ssi_types12 = require("@sphereon/ssi-types");
2361
- var logger10 = import_ssi_types12.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
2362
- var CredentialOfferClientV1_0_13 = class {
1681
+ // lib/CredentialOfferClientV1_0_15.ts
1682
+ var import_oid4vci_common14 = require("@sphereon/oid4vci-common");
1683
+ var import_ssi_types8 = require("@sphereon/ssi-types");
1684
+ var logger6 = import_ssi_types8.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
1685
+ var CredentialOfferClientV1_0_15 = class {
2363
1686
  static {
2364
- __name(this, "CredentialOfferClientV1_0_13");
1687
+ __name(this, "CredentialOfferClientV1_0_15");
2365
1688
  }
2366
1689
  static async fromURI(uri, opts) {
2367
- logger10.debug(`Credential Offer URI: ${uri}`);
1690
+ logger6.debug(`Credential Offer URI: ${uri}`);
2368
1691
  if (!uri.includes("?") || !uri.includes("://")) {
2369
- logger10.debug(`Invalid Credential Offer URI: ${uri}`);
2370
- throw Error(`Invalid Credential Offer Request`);
1692
+ logger6.debug(`Invalid Credential Offer URI: ${uri}`);
1693
+ return Promise.reject(Error(`Invalid Credential Offer Request`));
2371
1694
  }
2372
1695
  const scheme = uri.split("://")[0];
2373
1696
  const baseUrl = uri.split("?")[0];
2374
- const version = (0, import_oid4vci_common18.determineSpecVersionFromURI)(uri);
1697
+ const version = (0, import_oid4vci_common14.determineSpecVersionFromURI)(uri);
2375
1698
  let credentialOffer;
2376
1699
  if (uri.includes("credential_offer_uri")) {
2377
1700
  credentialOffer = await handleCredentialOfferUri(uri);
2378
1701
  } else {
2379
- credentialOffer = (0, import_oid4vci_common18.convertURIToJsonObject)(uri, {
1702
+ credentialOffer = (0, import_oid4vci_common14.convertURIToJsonObject)(uri, {
2380
1703
  // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
2381
1704
  arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
2382
1705
  "credential_configuration_ids",
@@ -2393,276 +1716,91 @@ var CredentialOfferClientV1_0_13 = class {
2393
1716
  });
2394
1717
  }
2395
1718
  if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
2396
- throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
1719
+ return Promise.reject(Error("Either a credential_offer or credential_offer_uri should be present in " + uri));
2397
1720
  }
2398
- const request = await (0, import_oid4vci_common18.toUniformCredentialOfferRequest)(credentialOffer, {
1721
+ const request = await (0, import_oid4vci_common14.toUniformCredentialOfferRequest)(credentialOffer, {
2399
1722
  ...opts,
2400
1723
  version
2401
1724
  });
2402
1725
  return {
2403
1726
  ...constructBaseResponse(request, scheme, baseUrl),
2404
- userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common18.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false)
1727
+ userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common14.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false)
2405
1728
  };
2406
1729
  }
2407
1730
  static toURI(requestWithBaseUrl, opts) {
2408
- logger10.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
1731
+ logger6.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
2409
1732
  const version = opts?.version ?? requestWithBaseUrl.version;
2410
1733
  let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
2411
- let param;
2412
1734
  const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
2413
- if (version.valueOf() >= import_oid4vci_common18.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
2414
- if (!baseUrl.includes("?")) {
2415
- param = isUri ? "credential_offer_uri" : "credential_offer";
2416
- } else {
2417
- const split = baseUrl.split("?");
2418
- if (split.length > 1 && split[1] !== "") {
2419
- if (baseUrl.endsWith("&")) {
2420
- param = isUri ? "credential_offer_uri" : "credential_offer";
2421
- } else if (!baseUrl.endsWith("=")) {
2422
- baseUrl += `&`;
2423
- param = isUri ? "credential_offer_uri" : "credential_offer";
2424
- }
2425
- }
2426
- }
2427
- }
2428
- return (0, import_oid4vci_common18.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
2429
- baseUrl,
2430
- arrayTypeProperties: isUri ? [] : [
2431
- "credential_type"
2432
- ],
2433
- uriTypeProperties: isUri ? [
2434
- "credential_offer_uri"
2435
- ] : version >= import_oid4vci_common18.OpenId4VCIVersion.VER_1_0_13 ? [
2436
- "credential_issuer",
2437
- "credential_type"
2438
- ] : [
2439
- "issuer",
2440
- "credential_type"
2441
- ],
2442
- param,
2443
- version
2444
- });
2445
- }
2446
- };
2447
-
2448
- // lib/CredentialRequestClientV1_0_11.ts
2449
- var import_oid4vc_common6 = require("@sphereon/oid4vc-common");
2450
- var import_oid4vci_common19 = require("@sphereon/oid4vci-common");
2451
- var import_ssi_types13 = require("@sphereon/ssi-types");
2452
- var logger11 = import_ssi_types13.Loggers.DEFAULT.get("sphereon:oid4vci:credential");
2453
- var CredentialRequestClientV1_0_11 = class {
2454
- static {
2455
- __name(this, "CredentialRequestClientV1_0_11");
2456
- }
2457
- _credentialRequestOpts;
2458
- _isDeferred = false;
2459
- get credentialRequestOpts() {
2460
- return this._credentialRequestOpts;
2461
- }
2462
- isDeferred() {
2463
- return this._isDeferred;
2464
- }
2465
- getCredentialEndpoint() {
2466
- return this.credentialRequestOpts.credentialEndpoint;
2467
- }
2468
- getDeferredCredentialEndpoint() {
2469
- return this.credentialRequestOpts.deferredCredentialEndpoint;
2470
- }
2471
- constructor(builder) {
2472
- this._credentialRequestOpts = {
2473
- ...builder
2474
- };
2475
- }
2476
- async acquireCredentialsUsingProof(opts) {
2477
- const { credentialTypes, proofInput, format, context } = opts;
2478
- const request = await this.createCredentialRequest({
2479
- proofInput,
2480
- credentialTypes,
2481
- context,
2482
- format,
2483
- version: this.version()
2484
- });
2485
- return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
2486
- }
2487
- async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
2488
- const request = (0, import_oid4vci_common19.getCredentialRequestForVersion)(uniformRequest, this.version());
2489
- const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
2490
- if (!(0, import_oid4vci_common19.isValidURL)(credentialEndpoint)) {
2491
- logger11.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
2492
- throw new Error(import_oid4vci_common19.URL_NOT_VALID);
2493
- }
2494
- logger11.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
2495
- logger11.debug(`request
2496
- : ${JSON.stringify(request, null, 2)}`);
2497
- const requestToken = this.credentialRequestOpts.token;
2498
- let dPoP = createDPoPOpts ? await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
2499
- accessToken: requestToken
2500
- })) : void 0;
2501
- let response = await (0, import_oid4vci_common19.post)(credentialEndpoint, JSON.stringify(request), {
2502
- bearerToken: requestToken,
2503
- customHeaders: {
2504
- ...createDPoPOpts && {
2505
- dpop: dPoP
2506
- }
2507
- }
2508
- });
2509
- let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
2510
- const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response);
2511
- if (retryWithNonce.ok && createDPoPOpts) {
2512
- createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
2513
- dPoP = await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
2514
- accessToken: requestToken
2515
- }));
2516
- response = await (0, import_oid4vci_common19.post)(credentialEndpoint, JSON.stringify(request), {
2517
- bearerToken: requestToken,
2518
- customHeaders: {
2519
- ...createDPoPOpts && {
2520
- dpop: dPoP
2521
- }
2522
- }
1735
+ if (isUri) {
1736
+ return (0, import_oid4vci_common14.convertJsonToURI)({
1737
+ credential_offer_uri: requestWithBaseUrl.credential_offer_uri
1738
+ }, {
1739
+ baseUrl,
1740
+ uriTypeProperties: [
1741
+ "credential_offer_uri"
1742
+ ],
1743
+ param: "credential_offer_uri",
1744
+ version
2523
1745
  });
2524
- const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
2525
- nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
2526
- }
2527
- this._isDeferred = (0, import_oid4vci_common19.isDeferredCredentialResponse)(response);
2528
- if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
2529
- response = await this.acquireDeferredCredential(response.successBody, {
2530
- bearerToken: this.credentialRequestOpts.token
1746
+ } else {
1747
+ return (0, import_oid4vci_common14.convertJsonToURI)(requestWithBaseUrl.original_credential_offer, {
1748
+ baseUrl,
1749
+ param: "credential_offer",
1750
+ mode: import_oid4vci_common14.JsonURIMode.JSON_STRINGIFY,
1751
+ version
2531
1752
  });
2532
1753
  }
2533
- response.access_token = requestToken;
2534
- logger11.debug(`Credential endpoint ${credentialEndpoint} response:\r
2535
- ${JSON.stringify(response, null, 2)}`);
2536
- return {
2537
- ...response,
2538
- ...nextDPoPNonce && {
2539
- params: {
2540
- dpop: {
2541
- dpopNonce: nextDPoPNonce
2542
- }
2543
- }
2544
- }
2545
- };
2546
- }
2547
- async acquireDeferredCredential(response, opts) {
2548
- const transactionId = response.transaction_id;
2549
- const bearerToken = response.acceptance_token ?? opts?.bearerToken;
2550
- const deferredCredentialEndpoint = this.getDeferredCredentialEndpoint();
2551
- if (!deferredCredentialEndpoint) {
2552
- throw Error(`No deferred credential endpoint supplied.`);
2553
- } else if (!bearerToken) {
2554
- throw Error(`No bearer token present and refresh for defered endpoint not supported yet`);
2555
- }
2556
- return await (0, import_oid4vci_common19.acquireDeferredCredential)({
2557
- bearerToken,
2558
- transactionId,
2559
- deferredCredentialEndpoint,
2560
- deferredCredentialAwait: this.credentialRequestOpts.deferredCredentialAwait,
2561
- deferredCredentialIntervalInMS: this.credentialRequestOpts.deferredCredentialIntervalInMS
2562
- });
2563
- }
2564
- async createCredentialRequest(opts) {
2565
- const { proofInput } = opts;
2566
- const formatSelection = opts.format ?? this.credentialRequestOpts.format;
2567
- if (!formatSelection) {
2568
- throw Error(`Format of credential to be issued is missing`);
2569
- }
2570
- const format = (0, import_oid4vci_common19.getUniformFormat)(formatSelection);
2571
- const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
2572
- const types = Array.isArray(typesSelection) ? typesSelection : [
2573
- typesSelection
2574
- ];
2575
- if (types.length === 0) {
2576
- throw Error(`Credential type(s) need to be provided`);
2577
- } else if (!this.isV11OrHigher() && types.length !== 1) {
2578
- throw Error("Only a single credential type is supported for V8/V9");
2579
- }
2580
- const proof = await buildProof(proofInput, opts);
2581
- if (format === "jwt_vc_json" || format === "jwt_vc") {
2582
- return {
2583
- types,
2584
- format,
2585
- proof
2586
- };
2587
- } else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
2588
- if (this.version() >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
2589
- throw Error("No @context value present, but it is required");
2590
- }
2591
- return {
2592
- format,
2593
- proof,
2594
- // Ignored because v11 does not have the context value, but it is required in v12
2595
- // eslint-disable-next-line @typescript-eslint/ban-ts-comment
2596
- // @ts-ignore
2597
- credential_definition: {
2598
- types,
2599
- ...opts.context && {
2600
- "@context": opts.context
2601
- }
2602
- }
2603
- };
2604
- } else if (format === "vc+sd-jwt") {
2605
- if (types.length > 1) {
2606
- throw Error(`Only a single credential type is supported for ${format}`);
2607
- }
2608
- return {
2609
- format,
2610
- proof,
2611
- vct: types[0]
2612
- };
2613
- } else if (format === "mso_mdoc") {
2614
- if (types.length > 1) {
2615
- throw Error(`Only a single credential type is supported for ${format}`);
2616
- }
2617
- return {
2618
- format,
2619
- proof,
2620
- doctype: types[0]
2621
- };
2622
- }
2623
- throw new Error(`Unsupported format: ${format}`);
2624
- }
2625
- version() {
2626
- return this.credentialRequestOpts?.version ?? import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_11;
2627
- }
2628
- isV11OrHigher() {
2629
- return this.version() >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_11;
2630
1754
  }
2631
1755
  };
2632
1756
 
2633
1757
  // lib/CredentialRequestClientBuilder.ts
2634
- var import_oid4vci_common22 = require("@sphereon/oid4vci-common");
1758
+ var import_oid4vci_common16 = require("@sphereon/oid4vci-common");
2635
1759
 
2636
- // lib/CredentialRequestClientBuilderV1_0_11.ts
2637
- var import_oid4vci_common20 = require("@sphereon/oid4vci-common");
2638
- var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilderV1_0_11 {
1760
+ // lib/CredentialRequestClientBuilderV1_0_15.ts
1761
+ var import_oid4vci_common15 = require("@sphereon/oid4vci-common");
1762
+ var CredentialRequestClientBuilderV1_0_15 = class _CredentialRequestClientBuilderV1_0_15 {
2639
1763
  static {
2640
- __name(this, "CredentialRequestClientBuilderV1_0_11");
1764
+ __name(this, "CredentialRequestClientBuilderV1_0_15");
2641
1765
  }
2642
1766
  credentialEndpoint;
2643
1767
  deferredCredentialEndpoint;
1768
+ nonceEndpoint;
2644
1769
  deferredCredentialAwait = false;
2645
1770
  deferredCredentialIntervalInMS = 5e3;
1771
+ credentialIdentifier;
1772
+ credentialConfigurationId;
2646
1773
  credentialTypes = [];
2647
- format;
2648
1774
  token;
2649
1775
  version;
2650
1776
  subjectIssuance;
2651
1777
  issuerState;
2652
- static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialTypes }) {
1778
+ // Note: format removed from v15 - credential requests no longer include format parameter
1779
+ static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialConfigurationId, credentialTypes }) {
2653
1780
  const issuer = credentialIssuer;
2654
- const builder = new _CredentialRequestClientBuilderV1_0_11();
2655
- builder.withVersion(version ?? import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11);
1781
+ const builder = new _CredentialRequestClientBuilderV1_0_15();
1782
+ builder.withVersion(version ?? import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_15);
2656
1783
  builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
2657
1784
  if (metadata?.deferred_credential_endpoint) {
2658
1785
  builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
2659
1786
  }
2660
- builder.withCredentialType(credentialTypes);
1787
+ if (metadata?.credentialIssuerMetadata?.nonce_endpoint) {
1788
+ builder.withNonceEndpoint(metadata.credentialIssuerMetadata?.nonce_endpoint);
1789
+ }
1790
+ if (credentialIdentifier) {
1791
+ builder.withCredentialIdentifier(credentialIdentifier);
1792
+ }
1793
+ if (credentialConfigurationId) {
1794
+ builder.withCredentialConfigurationId(credentialConfigurationId);
1795
+ }
1796
+ if (credentialTypes) {
1797
+ builder.withCredentialType(credentialTypes);
1798
+ }
2661
1799
  return builder;
2662
1800
  }
2663
1801
  static async fromURI({ uri, metadata }) {
2664
- const offer = await CredentialOfferClientV1_0_11.fromURI(uri);
2665
- return _CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest({
1802
+ const offer = await CredentialOfferClient.fromURI(uri);
1803
+ return _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
2666
1804
  request: offer,
2667
1805
  ...offer,
2668
1806
  metadata,
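Review bot: The debug call at the top of `toURI` serialises the whole `requestWithBaseUrl`, and the new rejection in `fromURI` appends the raw `uri` to the error text. A by-value offer carries the pre-authorized grant (the object read through `PRE_AUTH_GRANT_LITERAL` just above), so a single-use code can end up in log files and in anything that prints the error. The two `logger6.debug` lines in the previous hunk that interpolate `uri` have the same problem. Log only `baseUrl` and `version`, and reject with a fixed message such as `return Promise.reject(Error("Either a credential_offer or credential_offer_uri should be present"))`. The body of `fromURI` starts outside this hunk.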
@@ -2671,155 +1809,36 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
2671
1809
  }
2672
1810
  static fromCredentialOfferRequest(opts) {
2673
1811
  const { request, metadata } = opts;
2674
- const version = opts.version ?? request.version ?? (0, import_oid4vci_common20.determineSpecVersionFromOffer)(request.original_credential_offer);
2675
- const builder = new _CredentialRequestClientBuilderV1_0_11();
2676
- const issuer = (0, import_oid4vci_common20.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
1812
+ const version = opts.version ?? request.version ?? (0, import_oid4vci_common15.determineSpecVersionFromOffer)(request.original_credential_offer);
1813
+ if (version < import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_15) {
1814
+ throw new Error("Versions below v1.0.15 (draft 15) are not supported.");
1815
+ }
1816
+ const builder = new _CredentialRequestClientBuilderV1_0_15();
1817
+ const issuer = (0, import_oid4vci_common15.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? (metadata ? metadata.issuer : void 0);
1818
+ if (!issuer && !metadata?.credential_endpoint) {
1819
+ throw Error(`Issuer could not be determined`);
1820
+ }
2677
1821
  builder.withVersion(version);
2678
1822
  builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
2679
1823
  if (metadata?.deferred_credential_endpoint) {
2680
1824
  builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
2681
1825
  }
2682
- if (version <= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_08) {
2683
- builder.withCredentialType(request.original_credential_offer.credential_type);
2684
- } else if (version <= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11) {
2685
- builder.withCredentialType((0, import_oid4vci_common20.getTypesFromOfferV1_0_11)(request.credential_offer));
1826
+ if (metadata?.credentialIssuerMetadata?.nonce_endpoint) {
1827
+ builder.withNonceEndpoint(metadata.credentialIssuerMetadata.nonce_endpoint);
1828
+ }
1829
+ const ids = request.credential_offer.credential_configuration_ids;
1830
+ if (ids.length && ids.length === 1) {
1831
+ builder.withCredentialConfigurationId(ids[0]);
2686
1832
  }
2687
1833
  return builder;
2688
1834
  }
2689
1835
  static fromCredentialOffer({ credentialOffer, metadata }) {
2690
- return _CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest({
1836
+ const builder = _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
2691
1837
  request: credentialOffer,
2692
1838
  metadata,
2693
1839
  version: credentialOffer.version
2694
1840
  });
2695
- }
2696
- withIssuerState(issuerState) {
2697
- this.issuerState = issuerState;
2698
- return this;
2699
- }
2700
- withCredentialEndpointFromMetadata(metadata) {
2701
- this.credentialEndpoint = metadata.credential_endpoint;
2702
- return this;
2703
- }
2704
- withCredentialEndpoint(credentialEndpoint) {
2705
- this.credentialEndpoint = credentialEndpoint;
2706
- return this;
2707
- }
2708
- withDeferredCredentialEndpointFromMetadata(metadata) {
2709
- this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
2710
- return this;
2711
- }
2712
- withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
2713
- this.deferredCredentialEndpoint = deferredCredentialEndpoint;
2714
- return this;
2715
- }
2716
- withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
2717
- this.deferredCredentialAwait = deferredCredentialAwait;
2718
- this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
2719
- return this;
2720
- }
2721
- withCredentialType(credentialTypes) {
2722
- this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
2723
- credentialTypes
2724
- ];
2725
- return this;
2726
- }
2727
- withFormat(format) {
2728
- this.format = format;
2729
- return this;
2730
- }
2731
- withSubjectIssuance(subjectIssuance) {
2732
- this.subjectIssuance = subjectIssuance;
2733
- return this;
2734
- }
2735
- withToken(accessToken) {
2736
- this.token = accessToken;
2737
- return this;
2738
- }
2739
- withTokenFromResponse(response) {
2740
- this.token = response.access_token;
2741
- return this;
2742
- }
2743
- withVersion(version) {
2744
- this.version = version;
2745
- return this;
2746
- }
2747
- build() {
2748
- if (!this.version) {
2749
- this.withVersion(import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11);
2750
- }
2751
- return new CredentialRequestClientV1_0_11(this);
2752
- }
2753
- };
2754
-
2755
- // lib/CredentialRequestClientBuilderV1_0_13.ts
2756
- var import_oid4vci_common21 = require("@sphereon/oid4vci-common");
2757
- var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilderV1_0_13 {
2758
- static {
2759
- __name(this, "CredentialRequestClientBuilderV1_0_13");
2760
- }
2761
- credentialEndpoint;
2762
- deferredCredentialEndpoint;
2763
- deferredCredentialAwait = false;
2764
- deferredCredentialIntervalInMS = 5e3;
2765
- credentialIdentifier;
2766
- credentialTypes = [];
2767
- format;
2768
- token;
2769
- version;
2770
- subjectIssuance;
2771
- issuerState;
2772
- static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
2773
- const issuer = credentialIssuer;
2774
- const builder = new _CredentialRequestClientBuilderV1_0_13();
2775
- builder.withVersion(version ?? import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_13);
2776
- builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
2777
- if (metadata?.deferred_credential_endpoint) {
2778
- builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
2779
- }
2780
- if (credentialIdentifier) {
2781
- builder.withCredentialIdentifier(credentialIdentifier);
2782
- }
2783
- if (credentialTypes) {
2784
- builder.withCredentialType(credentialTypes);
2785
- }
2786
- return builder;
2787
- }
2788
- static async fromURI({ uri, metadata }) {
2789
- const offer = await CredentialOfferClient.fromURI(uri);
2790
- return _CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({
2791
- request: offer,
2792
- ...offer,
2793
- metadata,
2794
- version: offer.version
2795
- });
2796
- }
2797
- static fromCredentialOfferRequest(opts) {
2798
- const { request, metadata } = opts;
2799
- const version = opts.version ?? request.version ?? (0, import_oid4vci_common21.determineSpecVersionFromOffer)(request.original_credential_offer);
2800
- if (version < import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_13) {
2801
- throw new Error("Versions below v1.0.13 (draft 13) are not supported.");
2802
- }
2803
- const builder = new _CredentialRequestClientBuilderV1_0_13();
2804
- const issuer = (0, import_oid4vci_common21.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
2805
- builder.withVersion(version);
2806
- builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
2807
- if (metadata?.deferred_credential_endpoint) {
2808
- builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
2809
- }
2810
- const ids = request.credential_offer.credential_configuration_ids;
2811
- if (ids.length && ids.length === 1) {
2812
- builder.withCredentialIdentifier(ids[0]);
2813
- }
2814
- return builder;
2815
- }
2816
- static fromCredentialOffer({ credentialOffer, metadata }) {
2817
- const builder = _CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({
2818
- request: credentialOffer,
2819
- metadata,
2820
- version: credentialOffer.version
2821
- });
2822
- return builder;
1841
+ return builder;
2823
1842
  }
2824
1843
  withCredentialEndpointFromMetadata(metadata) {
2825
1844
  this.credentialEndpoint = metadata.credential_endpoint;
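Review bot: In `fromCredentialOfferRequest`, `request.credential_offer.credential_configuration_ids` is dereferenced with no guard, although other code on this page reads `request.credential_offer` with `?.`. The offer is issuer-supplied input, so a missing or non-array value would surface as a TypeError rather than as one of the explicit errors thrown just above. I would write `const ids = request.credential_offer?.credential_configuration_ids;` and `if (Array.isArray(ids) && ids.length === 1) {`, which also removes the redundant `ids.length &&`. When the offer lists several ids the builder is returned with no configuration id set, so a short comment saying the caller must then choose one would help.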
@@ -2841,25 +1860,38 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
2841
1860
  this.deferredCredentialEndpoint = deferredCredentialEndpoint;
2842
1861
  return this;
2843
1862
  }
1863
+ // New in v15: Support for nonce endpoint
1864
+ withNonceEndpointFromMetadata(metadata) {
1865
+ this.nonceEndpoint = metadata.nonce_endpoint;
1866
+ return this;
1867
+ }
1868
+ withNonceEndpoint(nonceEndpoint) {
1869
+ this.nonceEndpoint = nonceEndpoint;
1870
+ return this;
1871
+ }
2844
1872
  withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
2845
1873
  this.deferredCredentialAwait = deferredCredentialAwait;
2846
1874
  this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
2847
1875
  return this;
2848
1876
  }
1877
+ // New in v15: Support for credential_identifier (used when authorization_details with credential_identifiers was used)
2849
1878
  withCredentialIdentifier(credentialIdentifier) {
2850
1879
  this.credentialIdentifier = credentialIdentifier;
2851
1880
  return this;
2852
1881
  }
1882
+ // New in v15: Support for credential_configuration_id (used when scope was used and no credential_identifiers returned)
1883
+ withCredentialConfigurationId(credentialConfigurationId) {
1884
+ this.credentialConfigurationId = credentialConfigurationId;
1885
+ return this;
1886
+ }
1887
+ // Legacy support for credential types (may be used internally to map to configuration IDs)
2853
1888
  withCredentialType(credentialTypes) {
2854
1889
  this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
2855
1890
  credentialTypes
2856
1891
  ];
2857
1892
  return this;
2858
1893
  }
2859
- withFormat(format) {
2860
- this.format = format;
2861
- return this;
2862
- }
1894
+ // Note: withFormat() method removed in v15 - format is no longer part of credential requests
2863
1895
  withSubjectIssuance(subjectIssuance) {
2864
1896
  this.subjectIssuance = subjectIssuance;
2865
1897
  return this;
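Review bot: `withNonceEndpointFromMetadata` reads `metadata.nonce_endpoint`, while both static factories of this class read `metadata.credentialIssuerMetadata.nonce_endpoint`. If the factories' shape is the real one, passing the same metadata object to this method would overwrite `nonceEndpoint` with `undefined`. Either read `metadata.credentialIssuerMetadata?.nonce_endpoint ?? metadata.nonce_endpoint` or add a comment naming the metadata type the method expects. The `// New in v15` comment on `withCredentialIdentifier` also looks inaccurate, since the removed V1_0_13 builder already had that method.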
@@ -2878,723 +1910,158 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
2878
1910
  }
2879
1911
  build() {
2880
1912
  if (!this.version) {
2881
- this.withVersion(import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11);
1913
+ this.withVersion(import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_15);
2882
1914
  }
2883
1915
  return new CredentialRequestClient(this);
2884
1916
  }
2885
1917
  };
2886
1918
 
2887
1919
  // lib/CredentialRequestClientBuilder.ts
2888
- function isV1_0_13(builder) {
1920
+ function isV1_0_15(builder) {
2889
1921
  return builder.withCredentialIdentifier !== void 0;
2890
- }
2891
- __name(isV1_0_13, "isV1_0_13");
2892
- var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
2893
- static {
2894
- __name(this, "CredentialRequestClientBuilder");
2895
- }
2896
- _builder;
2897
- constructor(builder) {
2898
- this._builder = builder;
2899
- }
2900
- static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
2901
- const specVersion = version ?? import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13;
2902
- let builder;
2903
- if (specVersion >= import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
2904
- builder = CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
2905
- credentialIssuer,
2906
- metadata,
2907
- version,
2908
- credentialIdentifier,
2909
- credentialTypes
2910
- });
2911
- } else {
2912
- if (!credentialTypes || credentialTypes.length === 0) {
2913
- throw new Error("CredentialTypes must be provided for v1_0_11");
2914
- }
2915
- builder = CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
2916
- credentialIssuer,
2917
- metadata,
2918
- version,
2919
- credentialTypes
2920
- });
2921
- }
2922
- return new _CredentialRequestClientBuilder(builder);
2923
- }
2924
- static async fromURI({ uri, metadata }) {
2925
- const offer = await CredentialOfferClient.fromURI(uri);
2926
- return _CredentialRequestClientBuilder.fromCredentialOfferRequest({
2927
- request: offer,
2928
- ...offer,
2929
- metadata,
2930
- version: offer.version
2931
- });
2932
- }
2933
- static fromCredentialOfferRequest(opts) {
2934
- const { request } = opts;
2935
- const version = opts.version ?? request.version ?? (0, import_oid4vci_common22.determineSpecVersionFromOffer)(request.original_credential_offer);
2936
- let builder;
2937
- if (version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
2938
- builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
2939
- } else {
2940
- builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
2941
- }
2942
- return new _CredentialRequestClientBuilder(builder);
2943
- }
2944
- static fromCredentialOffer({ credentialOffer, metadata }) {
2945
- const version = (0, import_oid4vci_common22.determineSpecVersionFromOffer)(credentialOffer.credential_offer);
2946
- let builder;
2947
- if (version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
2948
- builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
2949
- credentialOffer,
2950
- metadata
2951
- });
2952
- } else {
2953
- builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
2954
- credentialOffer,
2955
- metadata
2956
- });
2957
- }
2958
- return new _CredentialRequestClientBuilder(builder);
2959
- }
2960
- getVersion() {
2961
- return this._builder.version;
2962
- }
2963
- withCredentialEndpointFromMetadata(metadata) {
2964
- if (isV1_0_13(this._builder)) {
2965
- this._builder.withCredentialEndpointFromMetadata(metadata);
2966
- } else {
2967
- this._builder.withCredentialEndpointFromMetadata(metadata);
2968
- }
2969
- return this;
2970
- }
2971
- withCredentialEndpoint(credentialEndpoint) {
2972
- this._builder.withCredentialEndpoint(credentialEndpoint);
2973
- return this;
2974
- }
2975
- withDeferredCredentialEndpointFromMetadata(metadata) {
2976
- if (isV1_0_13(this._builder)) {
2977
- this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
2978
- } else {
2979
- this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
2980
- }
2981
- return this;
2982
- }
2983
- withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
2984
- this._builder.withDeferredCredentialEndpoint(deferredCredentialEndpoint);
2985
- return this;
2986
- }
2987
- withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
2988
- this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS);
2989
- return this;
2990
- }
2991
- withCredentialIdentifier(credentialIdentifier) {
2992
- if (this._builder.version === void 0 || this._builder.version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
2993
- throw new Error("Version of spec should be equal or higher than v1_0_13");
2994
- }
2995
- ;
2996
- this._builder.withCredentialIdentifier(credentialIdentifier);
2997
- return this;
2998
- }
2999
- withIssuerState(issuerState) {
3000
- this._builder.withIssuerState(issuerState);
3001
- return this;
3002
- }
3003
- withCredentialType(credentialTypes) {
3004
- this._builder.withCredentialType(credentialTypes);
3005
- return this;
3006
- }
3007
- withFormat(format) {
3008
- this._builder.withFormat(format);
3009
- return this;
3010
- }
3011
- withSubjectIssuance(subjectIssuance) {
3012
- this._builder.withSubjectIssuance(subjectIssuance);
3013
- return this;
3014
- }
3015
- withToken(accessToken) {
3016
- this._builder.withToken(accessToken);
3017
- return this;
3018
- }
3019
- withTokenFromResponse(response) {
3020
- this._builder.withTokenFromResponse(response);
3021
- return this;
3022
- }
3023
- withVersion(version) {
3024
- this._builder.withVersion(version);
3025
- return this;
3026
- }
3027
- build() {
3028
- return this._builder.build();
3029
- }
3030
- };
3031
-
3032
- // lib/OpenID4VCIClient.ts
3033
- var import_oid4vci_common23 = require("@sphereon/oid4vci-common");
3034
- var import_ssi_types14 = require("@sphereon/ssi-types");
3035
- var logger12 = import_ssi_types14.Loggers.DEFAULT.get("sphereon:oid4vci");
3036
- var OpenID4VCIClient = class _OpenID4VCIClient {
3037
- static {
3038
- __name(this, "OpenID4VCIClient");
3039
- }
3040
- _state;
3041
- constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
3042
- const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common23.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
3043
- if (!issuer) {
3044
- throw Error("No credential issuer supplied or deduced from offer");
3045
- }
3046
- this._state = {
3047
- credentialOffer,
3048
- credentialIssuer: issuer,
3049
- kid,
3050
- alg,
3051
- // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
3052
- clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common23.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
3053
- pkce: {
3054
- disabled: false,
3055
- codeChallengeMethod: import_oid4vci_common23.CodeChallengeMethod.S256,
3056
- ...pkce
3057
- },
3058
- authorizationRequestOpts,
3059
- authorizationCodeResponse,
3060
- accessToken,
3061
- jwk,
3062
- endpointMetadata: endpointMetadata?.credentialIssuerMetadata?.authorization_server ? endpointMetadata : endpointMetadata,
3063
- accessTokenResponse,
3064
- authorizationURL
3065
- };
3066
- if (!this._state.authorizationRequestOpts) {
3067
- this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
3068
- }
3069
- logger12.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
3070
- }
3071
- static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
3072
- const client = new _OpenID4VCIClient({
3073
- kid,
3074
- alg,
3075
- clientId: clientId ?? authorizationRequest?.clientId,
3076
- credentialIssuer,
3077
- pkce,
3078
- authorizationRequest,
3079
- endpointMetadata
3080
- });
3081
- if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
3082
- await client.retrieveServerMetadata();
3083
- }
3084
- if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
3085
- await client.createAuthorizationRequestUrl({
3086
- authorizationRequest,
3087
- pkce
3088
- });
3089
- }
3090
- return client;
3091
- }
3092
- static async fromState({ state }) {
3093
- const clientState = typeof state === "string" ? JSON.parse(state) : state;
3094
- return new _OpenID4VCIClient(clientState);
3095
- }
3096
- static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, endpointMetadata }) {
3097
- const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
3098
- resolve: resolveOfferUri
3099
- });
3100
- const client = new _OpenID4VCIClient({
3101
- credentialOffer: credentialOfferClient,
3102
- kid,
3103
- alg,
3104
- clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
3105
- pkce,
3106
- authorizationRequest,
3107
- endpointMetadata
3108
- });
3109
- if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
3110
- await client.retrieveServerMetadata();
3111
- }
3112
- if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common23.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
3113
- await client.createAuthorizationRequestUrl({
3114
- authorizationRequest,
3115
- pkce
3116
- });
3117
- logger12.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
3118
- }
3119
- return client;
3120
- }
3121
- /**
3122
- * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
3123
- *
3124
- * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
3125
- * @param opts
3126
- */
3127
- async createAuthorizationRequestUrl(opts) {
3128
- if (!this._state.authorizationURL) {
3129
- this.calculatePKCEOpts(opts?.pkce);
3130
- this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
3131
- if (!this._state.authorizationRequestOpts) {
3132
- throw Error(`No Authorization Request options present or provided in this call`);
3133
- }
3134
- if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
3135
- this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
3136
- }
3137
- if (this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_11) {
3138
- this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
3139
- pkce: this._state.pkce,
3140
- endpointMetadata: this.endpointMetadata,
3141
- authorizationRequest: this._state.authorizationRequestOpts,
3142
- credentialOffer: this.credentialOffer,
3143
- credentialsSupported: Object.values(this.getCredentialsSupported(true))
3144
- });
3145
- } else {
3146
- this._state.authorizationURL = await createAuthorizationRequestUrl({
3147
- pkce: this._state.pkce,
3148
- endpointMetadata: this.endpointMetadata,
3149
- authorizationRequest: this._state.authorizationRequestOpts,
3150
- credentialOffer: this.credentialOffer,
3151
- credentialConfigurationSupported: this.getCredentialsSupported(false)
3152
- });
3153
- }
3154
- }
3155
- return this._state.authorizationURL;
3156
- }
3157
- async retrieveServerMetadata() {
3158
- this.assertIssuerData();
3159
- if (!this._state.endpointMetadata) {
3160
- if (this.credentialOffer) {
3161
- this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
3162
- } else if (this._state.credentialIssuer) {
3163
- this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
3164
- } else {
3165
- throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
3166
- }
3167
- }
3168
- return this.endpointMetadata;
3169
- }
3170
- calculatePKCEOpts(pkce) {
3171
- this._state.pkce = generateMissingPKCEOpts({
3172
- ...this._state.pkce,
3173
- ...pkce
3174
- });
3175
- }
3176
- async acquireAuthorizationChallengeCode(opts) {
3177
- const response = await acquireAuthorizationChallengeAuthCode({
3178
- metadata: this.endpointMetadata,
3179
- credentialIssuer: this.getIssuer(),
3180
- clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
3181
- ...opts
3182
- });
3183
- if (response.errorBody) {
3184
- logger12.debug(`Authorization code error:\r
3185
- ${JSON.stringify(response.errorBody)}`);
3186
- const error = response.errorBody;
3187
- return Promise.reject(error);
3188
- } else if (!response.successBody) {
3189
- logger12.debug(`Authorization code error. No success body`);
3190
- return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
3191
- }
3192
- return {
3193
- ...response.successBody
3194
- };
3195
- }
3196
- async acquireAccessToken(opts) {
3197
- const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
3198
- let { redirectUri } = opts ?? {};
3199
- const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
3200
- if (opts?.codeVerifier) {
3201
- this._state.pkce.codeVerifier = opts.codeVerifier;
3202
- }
3203
- this.assertIssuerData();
3204
- const asOpts = {
3205
- ...opts?.asOpts
3206
- };
3207
- const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
3208
- const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
3209
- if (this.isEBSI() || clientId && kid) {
3210
- if (!clientId) {
3211
- throw Error(`Client id expected for EBSI`);
3212
- }
3213
- asOpts.clientOpts = {
3214
- ...asOpts.clientOpts,
3215
- clientId,
3216
- ...kid && {
3217
- kid
3218
- },
3219
- ...clientAssertionType && {
3220
- clientAssertionType
3221
- },
3222
- signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
3223
- };
3224
- }
3225
- if (clientId) {
3226
- this._state.clientId = clientId;
3227
- if (!asOpts.clientOpts) {
3228
- asOpts.clientOpts = {
3229
- clientId
3230
- };
3231
- }
3232
- asOpts.clientOpts.clientId = clientId;
3233
- }
3234
- if (!this._state.accessTokenResponse) {
3235
- const accessTokenClient = this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_12 ? new AccessTokenClientV1_0_11() : new AccessTokenClient();
3236
- if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
3237
- console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
3238
- }
3239
- if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
3240
- redirectUri = this._state.authorizationRequestOpts.redirectUri;
3241
- }
3242
- const response = await accessTokenClient.acquireAccessToken({
3243
- credentialOffer: this.credentialOffer,
3244
- metadata: this.endpointMetadata,
3245
- credentialIssuer: this.getIssuer(),
3246
- pin,
3247
- ...!this._state.pkce.disabled && {
3248
- codeVerifier: this._state.pkce.codeVerifier
3249
- },
3250
- code,
3251
- redirectUri,
3252
- asOpts,
3253
- ...opts?.createDPoPOpts && {
3254
- createDPoPOpts: opts.createDPoPOpts
3255
- },
3256
- ...opts?.additionalRequestParams && {
3257
- additionalParams: opts.additionalRequestParams
3258
- }
3259
- });
3260
- if (response.errorBody) {
3261
- logger12.debug(`Access token error:\r
3262
- ${JSON.stringify(response.errorBody)}`);
3263
- throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
3264
- } else if (!response.successBody) {
3265
- logger12.debug(`Access token error. No success body`);
3266
- throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
3267
- }
3268
- this._state.accessTokenResponse = response.successBody;
3269
- this._state.dpopResponseParams = response.params;
3270
- this._state.accessToken = response.successBody.access_token;
3271
- }
3272
- return {
3273
- ...this.accessTokenResponse,
3274
- ...this.dpopResponseParams && {
3275
- params: this.dpopResponseParams
3276
- }
3277
- };
3278
- }
3279
- async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
3280
- if ([
3281
- jwk,
3282
- kid
3283
- ].filter((v) => v !== void 0).length > 1) {
3284
- throw new Error(import_oid4vci_common23.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
3285
- }
3286
- if (alg) this._state.alg = alg;
3287
- if (jwk) this._state.jwk = jwk;
3288
- if (kid) this._state.kid = kid;
3289
- let requestBuilder;
3290
- if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13) {
3291
- requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
3292
- credentialOffer: this.credentialOffer,
3293
- metadata: this.endpointMetadata
3294
- }) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
3295
- credentialIssuer: this.getIssuer(),
3296
- credentialTypes,
3297
- metadata: this.endpointMetadata,
3298
- version: this.version()
3299
- });
3300
- } else {
3301
- requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
3302
- credentialOffer: this.credentialOffer,
3303
- metadata: this.endpointMetadata
3304
- }) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
3305
- credentialIssuer: this.getIssuer(),
3306
- credentialTypes,
3307
- metadata: this.endpointMetadata,
3308
- version: this.version()
3309
- });
3310
- }
3311
- const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common23.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
3312
- requestBuilder.withIssuerState(issuerState);
3313
- requestBuilder.withTokenFromResponse(this.accessTokenResponse);
3314
- requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
3315
- let subjectIssuance;
3316
- if (this.endpointMetadata?.credentialIssuerMetadata) {
3317
- const metadata = this.endpointMetadata.credentialIssuerMetadata;
3318
- const types = Array.isArray(credentialTypes) ? credentialTypes : [
3319
- credentialTypes
3320
- ];
3321
- if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
3322
- let typeSupported = false;
3323
- metadata.credentials_supported.forEach((supportedCredential) => {
3324
- const subTypes = (0, import_oid4vci_common23.getTypesFromCredentialSupported)(supportedCredential);
3325
- if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
3326
- typeSupported = true;
3327
- if (supportedCredential.credential_subject_issuance) {
3328
- subjectIssuance = {
3329
- credential_subject_issuance: supportedCredential.credential_subject_issuance
3330
- };
3331
- }
3332
- }
3333
- });
3334
- if (!typeSupported) {
3335
- console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
3336
- }
3337
- } else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
3338
- const credentialsSupported = metadata.credentials_supported;
3339
- if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
3340
- throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
3341
- }
3342
- }
3343
- }
3344
- if (subjectIssuance) {
3345
- requestBuilder.withSubjectIssuance(subjectIssuance);
3346
- }
3347
- const credentialRequestClient = requestBuilder.build();
3348
- const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
3349
- accessTokenResponse: this.accessTokenResponse,
3350
- callbacks: proofCallbacks,
3351
- version: this.version()
3352
- }).withIssuer(this.getIssuer()).withAlg(this.alg);
3353
- if (this._state.jwk) {
3354
- proofBuilder.withJWK(this._state.jwk);
3355
- }
3356
- if (this._state.kid) {
3357
- proofBuilder.withKid(this._state.kid);
3358
- }
3359
- if (this.clientId) {
3360
- proofBuilder.withClientId(this.clientId);
3361
- }
3362
- if (jti) {
3363
- proofBuilder.withJti(jti);
3364
- }
3365
- const response = await credentialRequestClient.acquireCredentialsUsingProof({
3366
- proofInput: proofBuilder,
3367
- credentialTypes,
3368
- context,
3369
- format,
3370
- subjectIssuance,
3371
- createDPoPOpts
3372
- });
3373
- this._state.dpopResponseParams = response.params;
3374
- if (response.errorBody) {
3375
- logger12.debug(`Credential request error:\r
3376
- ${JSON.stringify(response.errorBody)}`);
3377
- throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
3378
- } else if (!response.successBody) {
3379
- logger12.debug(`Credential request error. No success body`);
3380
- throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
3381
- }
3382
- return {
3383
- ...response.successBody,
3384
- ...this.dpopResponseParams && {
3385
- params: this.dpopResponseParams
3386
- },
3387
- access_token: response.access_token
3388
- };
3389
- }
3390
- async exportState() {
3391
- return JSON.stringify(this._state);
3392
- }
3393
- getCredentialsSupported(restrictToInitiationTypes, format) {
3394
- return (0, import_oid4vci_common23.getSupportedCredentials)({
3395
- issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
3396
- version: this.version(),
3397
- format,
3398
- types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
3399
- });
3400
- }
3401
- async sendNotification(credentialRequestOpts, request, accessToken) {
3402
- return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
3403
- }
3404
- getCredentialOfferTypes() {
3405
- if (!this.credentialOffer) {
3406
- return [];
3407
- } else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_11) {
3408
- const orig = this.credentialOffer.original_credential_offer;
3409
- const types = typeof orig.credential_type === "string" ? [
3410
- orig.credential_type
3411
- ] : orig.credential_type;
3412
- const result = [];
3413
- result[0] = types;
3414
- return result;
3415
- } else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13) {
3416
- return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common23.getTypesFromObject)(c) ?? []);
3417
- }
3418
- return void 0;
3419
- }
3420
- issuerSupportedFlowTypes() {
3421
- return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
3422
- import_oid4vci_common23.AuthzFlowType.AUTHORIZATION_CODE_FLOW
3423
- ] : []);
3424
- }
3425
- isFlowTypeSupported(flowType) {
3426
- return this.issuerSupportedFlowTypes().includes(flowType);
3427
- }
3428
- get authorizationURL() {
3429
- return this._state.authorizationURL;
3430
- }
3431
- hasAuthorizationURL() {
3432
- return !!this.authorizationURL;
3433
- }
3434
- get credentialOffer() {
3435
- return this._state.credentialOffer;
3436
- }
3437
- version() {
3438
- if (this.credentialOffer?.version && this.credentialOffer.version !== import_oid4vci_common23.OpenId4VCIVersion.VER_UNKNOWN) {
3439
- return this.credentialOffer.version;
3440
- }
3441
- const metadata = this._state.endpointMetadata;
3442
- if (metadata?.credentialIssuerMetadata) {
3443
- const versions = (0, import_oid4vci_common23.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
3444
- if (versions.length > 0 && !versions.includes(import_oid4vci_common23.OpenId4VCIVersion.VER_UNKNOWN)) {
3445
- return versions[0];
3446
- }
3447
- }
3448
- return import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13;
3449
- }
3450
- get endpointMetadata() {
3451
- this.assertServerMetadata();
3452
- return this._state.endpointMetadata;
1922
+ }
1923
+ __name(isV1_0_15, "isV1_0_15");
1924
+ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
1925
+ static {
1926
+ __name(this, "CredentialRequestClientBuilder");
3453
1927
  }
3454
- get kid() {
3455
- this.assertIssuerData();
3456
- if (!this._state.kid) {
3457
- throw new Error("No value for kid is supplied");
3458
- }
3459
- return this._state.kid;
1928
+ _builder;
1929
+ constructor(builder) {
1930
+ this._builder = builder;
3460
1931
  }
3461
- get alg() {
3462
- this.assertIssuerData();
3463
- if (!this._state.alg) {
3464
- throw new Error("No value for alg is supplied");
3465
- }
3466
- return this._state.alg;
1932
+ static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
1933
+ let builder;
1934
+ const metadataV15 = metadata;
1935
+ builder = CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
1936
+ credentialIssuer,
1937
+ metadata: metadataV15,
1938
+ version,
1939
+ credentialIdentifier,
1940
+ credentialTypes
1941
+ });
1942
+ return new _CredentialRequestClientBuilder(builder);
3467
1943
  }
3468
- set clientId(value) {
3469
- this._state.clientId = value;
1944
+ static async fromURI({ uri, metadata }) {
1945
+ const offer = await CredentialOfferClient.fromURI(uri);
1946
+ return _CredentialRequestClientBuilder.fromCredentialOfferRequest({
1947
+ request: offer,
1948
+ ...offer,
1949
+ metadata,
1950
+ version: offer.version
1951
+ });
3470
1952
  }
3471
- get clientId() {
3472
- return this._state.clientId;
1953
+ static fromCredentialOfferRequest(opts) {
1954
+ const builder = CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest(opts);
1955
+ return new _CredentialRequestClientBuilder(builder);
3473
1956
  }
3474
- hasAccessTokenResponse() {
3475
- return !!this._state.accessTokenResponse;
1957
+ static fromCredentialOffer({ credentialOffer, metadata }) {
1958
+ const builder = CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
1959
+ credentialOffer,
1960
+ metadata
1961
+ });
1962
+ return new _CredentialRequestClientBuilder(builder);
3476
1963
  }
3477
- get accessTokenResponse() {
3478
- this.assertAccessToken();
3479
- return this._state.accessTokenResponse;
1964
+ getVersion() {
1965
+ return this._builder.version;
3480
1966
  }
3481
- get dpopResponseParams() {
3482
- return this._state.dpopResponseParams;
1967
+ withCredentialEndpointFromMetadata(metadata) {
1968
+ if (isV1_0_15(this._builder)) {
1969
+ this._builder.withCredentialEndpointFromMetadata(metadata);
1970
+ }
1971
+ return this;
3483
1972
  }
3484
- getIssuer() {
3485
- this.assertIssuerData();
3486
- return this._state.credentialIssuer;
1973
+ withCredentialEndpoint(credentialEndpoint) {
1974
+ this._builder.withCredentialEndpoint(credentialEndpoint);
1975
+ return this;
3487
1976
  }
3488
- getAccessTokenEndpoint() {
3489
- this.assertIssuerData();
3490
- if (this.endpointMetadata) {
3491
- return this.endpointMetadata.token_endpoint;
1977
+ withDeferredCredentialEndpointFromMetadata(metadata) {
1978
+ if (isV1_0_15(this._builder)) {
1979
+ this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
3492
1980
  }
3493
- return this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_12 ? AccessTokenClientV1_0_11.determineTokenURL({
3494
- issuerOpts: {
3495
- issuer: this.getIssuer()
3496
- }
3497
- }) : AccessTokenClient.determineTokenURL({
3498
- issuerOpts: {
3499
- issuer: this.getIssuer()
3500
- }
3501
- });
1981
+ return this;
3502
1982
  }
3503
- getCredentialEndpoint() {
3504
- this.assertIssuerData();
3505
- return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
1983
+ withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
1984
+ this._builder.withDeferredCredentialEndpoint(deferredCredentialEndpoint);
1985
+ return this;
3506
1986
  }
3507
- getAuthorizationChallengeEndpoint() {
3508
- this.assertIssuerData();
3509
- return this.endpointMetadata?.authorization_challenge_endpoint;
1987
+ withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
1988
+ this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS);
1989
+ return this;
3510
1990
  }
3511
- hasAuthorizationChallengeEndpoint() {
3512
- return !!this.getAuthorizationChallengeEndpoint();
1991
+ withCredentialIdentifier(credentialIdentifier) {
1992
+ if (this._builder.version === void 0 || this._builder.version < import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_15) {
1993
+ throw new Error("Version of spec should be equal or higher than v1_0_15");
1994
+ }
1995
+ ;
1996
+ this._builder.withCredentialIdentifier(credentialIdentifier);
1997
+ return this;
3513
1998
  }
3514
- hasDeferredCredentialEndpoint() {
3515
- return !!this.getAccessTokenEndpoint();
1999
+ withIssuerState(issuerState) {
2000
+ this._builder.withIssuerState(issuerState);
2001
+ return this;
3516
2002
  }
3517
- getDeferredCredentialEndpoint() {
3518
- this.assertIssuerData();
3519
- return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
2003
+ withCredentialType(credentialTypes) {
2004
+ this._builder.withCredentialType(credentialTypes);
2005
+ return this;
3520
2006
  }
3521
- /**
3522
- * Too bad we need a method like this, but EBSI is not exposing metadata
3523
- */
3524
- isEBSI() {
3525
- if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
3526
- // eslint-disable-next-line @typescript-eslint/ban-ts-comment
3527
- // @ts-ignore
3528
- typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
3529
- ))) {
3530
- return true;
3531
- }
3532
- return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
2007
+ withSubjectIssuance(subjectIssuance) {
2008
+ this._builder.withSubjectIssuance(subjectIssuance);
2009
+ return this;
3533
2010
  }
3534
- assertIssuerData() {
3535
- if (!this._state.credentialIssuer) {
3536
- throw Error(`No credential issuer value present`);
3537
- } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
3538
- throw Error(`No issuance initiation or credential offer present`);
3539
- }
2011
+ withToken(accessToken) {
2012
+ this._builder.withToken(accessToken);
2013
+ return this;
3540
2014
  }
3541
- assertServerMetadata() {
3542
- if (!this._state.endpointMetadata) {
3543
- throw Error("No server metadata");
3544
- }
2015
+ withTokenFromResponse(response) {
2016
+ this._builder.withTokenFromResponse(response);
2017
+ return this;
3545
2018
  }
3546
- assertAccessToken() {
3547
- if (!this._state.accessTokenResponse) {
3548
- throw Error(`No access token present`);
3549
- }
2019
+ withVersion(version) {
2020
+ this._builder.withVersion(version);
2021
+ return this;
3550
2022
  }
3551
- syncAuthorizationRequestOpts(opts) {
3552
- const requestObjectOpts = {
3553
- ...this._state?.authorizationRequestOpts?.requestObjectOpts,
3554
- ...opts?.requestObjectOpts
3555
- };
3556
- let authorizationRequestOpts = {
3557
- ...this._state?.authorizationRequestOpts,
3558
- ...opts,
3559
- ...requestObjectOpts && {
3560
- requestObjectOpts
3561
- }
3562
- };
3563
- if (!authorizationRequestOpts) {
3564
- authorizationRequestOpts = {
3565
- redirectUri: `${import_oid4vci_common23.DefaultURISchemes.CREDENTIAL_OFFER}://`
3566
- };
3567
- }
3568
- const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
3569
- this._state.clientId = clientId;
3570
- authorizationRequestOpts.clientId = clientId;
3571
- return authorizationRequestOpts;
2023
+ build() {
2024
+ return this._builder.build();
3572
2025
  }
3573
- getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
3574
- if (authorizationResponse) {
3575
- this._state.authorizationCodeResponse = {
3576
- ...(0, import_oid4vci_common23.toAuthorizationResponsePayload)(authorizationResponse)
3577
- };
3578
- } else if (code) {
3579
- this._state.authorizationCodeResponse = {
3580
- code
3581
- };
3582
- }
3583
- return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
3584
- }, "getAuthorizationCode");
3585
2026
  };
3586
2027
 
3587
- // lib/OpenID4VCIClientV1_0_13.ts
3588
- var import_oid4vci_common24 = require("@sphereon/oid4vci-common");
3589
- var import_ssi_types15 = require("@sphereon/ssi-types");
3590
- var logger13 = import_ssi_types15.Loggers.DEFAULT.get("sphereon:oid4vci");
3591
- var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
2028
+ // lib/OpenID4VCIClient.ts
2029
+ var import_oid4vci_common19 = require("@sphereon/oid4vci-common");
2030
+ var import_ssi_types10 = require("@sphereon/ssi-types");
2031
+
2032
+ // lib/OpenID4VCIClientV1_0_15.ts
2033
+ var import_oid4vci_common18 = require("@sphereon/oid4vci-common");
2034
+ var import_ssi_types9 = require("@sphereon/ssi-types");
2035
+
2036
+ // lib/NonceClient.ts
2037
+ var import_oid4vci_common17 = require("@sphereon/oid4vci-common");
2038
+ var sendNonceRequest = /* @__PURE__ */ __name(async (nonceEndpointUrl, opts) => {
2039
+ return await (0, import_oid4vci_common17.formPost)(nonceEndpointUrl, new URLSearchParams(), {
2040
+ customHeaders: opts?.headers
2041
+ });
2042
+ }, "sendNonceRequest");
2043
+ var acquireNonceFromAuthorizationServer = /* @__PURE__ */ __name(async (opts) => {
2044
+ const metadata = opts?.metadata ? opts.metadata : opts?.issuerOpts?.fetchMetadata ? await MetadataClient.retrieveAllMetadata(opts.issuerOpts.issuer, {
2045
+ errorOnNotFound: false
2046
+ }) : void 0;
2047
+ const nonceEndpointUrl = metadata?.credentialIssuerMetadata?.nonce_endpoint;
2048
+ if (!nonceEndpointUrl) {
2049
+ return Promise.reject(Error("Cannot determine nonce endpoint URL"));
2050
+ }
2051
+ return await sendNonceRequest(nonceEndpointUrl, {
2052
+ headers: opts?.headers
2053
+ });
2054
+ }, "acquireNonceFromAuthorizationServer");
2055
+
2056
+ // lib/OpenID4VCIClientV1_0_15.ts
2057
+ var logger7 = import_ssi_types9.Loggers.DEFAULT.get("sphereon:oid4vci:v15");
2058
+ var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
3592
2059
  static {
3593
- __name(this, "OpenID4VCIClientV1_0_13");
2060
+ __name(this, "OpenID4VCIClientV1_0_15");
3594
2061
  }
3595
2062
  _state;
3596
- constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
3597
- const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common24.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
2063
+ constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL, keyAttestation }) {
2064
+ const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common18.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
3598
2065
  if (!issuer) {
3599
2066
  throw Error("No credential issuer supplied or deduced from offer");
3600
2067
  }
@@ -3603,39 +2070,39 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
3603
2070
  credentialIssuer: issuer,
3604
2071
  kid,
3605
2072
  alg,
3606
- // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
3607
- clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common24.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
2073
+ clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common18.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
3608
2074
  pkce: {
3609
2075
  disabled: false,
3610
- codeChallengeMethod: import_oid4vci_common24.CodeChallengeMethod.S256,
2076
+ codeChallengeMethod: import_oid4vci_common18.CodeChallengeMethod.S256,
3611
2077
  ...pkce
3612
2078
  },
3613
2079
  authorizationRequestOpts,
3614
2080
  authorizationCodeResponse,
3615
- accessToken,
3616
2081
  jwk,
3617
2082
  endpointMetadata,
3618
2083
  accessTokenResponse,
3619
- authorizationURL
2084
+ authorizationURL,
2085
+ keyAttestation
3620
2086
  };
3621
2087
  if (!this._state.authorizationRequestOpts) {
3622
2088
  this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
3623
2089
  }
3624
- logger13.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
2090
+ logger7.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
3625
2091
  }
3626
- static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
3627
- const client = new _OpenID4VCIClientV1_0_13({
2092
+ static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, keyAttestation }) {
2093
+ const client = new _OpenID4VCIClientV1_0_15({
3628
2094
  kid,
3629
2095
  alg,
3630
2096
  clientId: clientId ?? authorizationRequest?.clientId,
3631
2097
  credentialIssuer,
3632
2098
  pkce,
3633
- authorizationRequest
2099
+ authorizationRequest,
2100
+ keyAttestation
3634
2101
  });
3635
- if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
2102
+ if (retrieveServerMetadata !== false) {
3636
2103
  await client.retrieveServerMetadata();
3637
2104
  }
3638
- if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
2105
+ if (createAuthorizationRequestURL !== false) {
3639
2106
  await client.createAuthorizationRequestUrl({
3640
2107
  authorizationRequest,
3641
2108
  pkce
@@ -3645,38 +2112,33 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
3645
2112
  }
3646
2113
  static async fromState({ state }) {
3647
2114
  const clientState = typeof state === "string" ? JSON.parse(state) : state;
3648
- return new _OpenID4VCIClientV1_0_13(clientState);
2115
+ return new _OpenID4VCIClientV1_0_15(clientState);
3649
2116
  }
3650
- static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri }) {
3651
- const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
2117
+ static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, keyAttestation }) {
2118
+ const credentialOfferClient = await CredentialOfferClientV1_0_15.fromURI(uri, {
3652
2119
  resolve: resolveOfferUri
3653
2120
  });
3654
- const client = new _OpenID4VCIClientV1_0_13({
2121
+ const client = new _OpenID4VCIClientV1_0_15({
3655
2122
  credentialOffer: credentialOfferClient,
3656
2123
  kid,
3657
2124
  alg,
3658
2125
  clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
3659
2126
  pkce,
3660
- authorizationRequest
2127
+ authorizationRequest,
2128
+ keyAttestation
3661
2129
  });
3662
- if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
2130
+ if (retrieveServerMetadata !== false) {
3663
2131
  await client.retrieveServerMetadata();
3664
2132
  }
3665
- if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common24.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
2133
+ if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common18.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && createAuthorizationRequestURL !== false) {
3666
2134
  await client.createAuthorizationRequestUrl({
3667
2135
  authorizationRequest,
3668
2136
  pkce
3669
2137
  });
3670
- logger13.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
2138
+ logger7.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
3671
2139
  }
3672
2140
  return client;
3673
2141
  }
3674
- /**
3675
- * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
3676
- *
3677
- * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
3678
- * @param opts
3679
- */
3680
2142
  async createAuthorizationRequestUrl(opts) {
3681
2143
  if (!this._state.authorizationURL) {
3682
2144
  this.calculatePKCEOpts(opts?.pkce);
@@ -3692,8 +2154,7 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
3692
2154
  endpointMetadata: this.endpointMetadata,
3693
2155
  authorizationRequest: this._state.authorizationRequestOpts,
3694
2156
  credentialOffer: this.credentialOffer,
3695
- credentialConfigurationSupported: this.getCredentialsSupported(),
3696
- version: this.version()
2157
+ credentialConfigurationSupported: this.getCredentialsSupported(false)
3697
2158
  });
3698
2159
  }
3699
2160
  return this._state.authorizationURL;
@@ -3702,15 +2163,34 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
3702
2163
  this.assertIssuerData();
3703
2164
  if (!this._state.endpointMetadata) {
3704
2165
  if (this.credentialOffer) {
3705
- this._state.endpointMetadata = await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
2166
+ this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
3706
2167
  } else if (this._state.credentialIssuer) {
3707
- this._state.endpointMetadata = await MetadataClientV1_0_13.retrieveAllMetadata(this._state.credentialIssuer);
2168
+ this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadata(this._state.credentialIssuer);
3708
2169
  } else {
3709
2170
  throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
3710
2171
  }
3711
2172
  }
3712
2173
  return this.endpointMetadata;
3713
2174
  }
2175
+ async acquireNonce() {
2176
+ const response = await acquireNonceFromAuthorizationServer({
2177
+ metadata: this.endpointMetadata,
2178
+ issuerOpts: {
2179
+ issuer: this.getIssuer(),
2180
+ fetchMetadata: false
2181
+ }
2182
+ });
2183
+ if (response.errorBody) {
2184
+ logger7.debug(`Nonce request error:\r
2185
+ ${JSON.stringify(response.errorBody)}`);
2186
+ return Promise.reject(Error(`Retrieving a nonce from ${this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint} for issuer ${this.getIssuer()} failed with error: ${response.errorBody.error}${response.errorBody.error_description ? ` - ${response.errorBody.error_description}` : ""}`));
2187
+ } else if (!response.successBody) {
2188
+ logger7.debug(`Nonce request error. No success body`);
2189
+ return Promise.reject(Error(`Retrieving a nonce from ${this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
2190
+ }
2191
+ this._state.cachedCNonce = response.successBody.c_nonce;
2192
+ return response.successBody.c_nonce;
2193
+ }
3714
2194
  calculatePKCEOpts(pkce) {
3715
2195
  this._state.pkce = generateMissingPKCEOpts({
3716
2196
  ...this._state.pkce,
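Review bot: `acquireNonce()` stores and returns `response.successBody.c_nonce` without checking that the issuer actually sent one. A success body that lacks `c_nonce`, or carries a non-string, leaves `cachedCNonce` undefined and resolves the promise as if a nonce had been obtained. A caller that then builds a key proof would do so with no issuer challenge bound into it. I would reject before the assignment, in the same style as the two branches above: `if (typeof response.successBody.c_nonce !== "string" || response.successBody.c_nonce.length === 0) { return Promise.reject(Error("Nonce response did not contain a c_nonce")); }`. The nonce endpoint URL comes straight from issuer metadata, and whether its scheme and host are checked anywhere is not visible in this hunk.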
@@ -3725,12 +2205,12 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
3725
2205
  ...opts
3726
2206
  });
3727
2207
  if (response.errorBody) {
3728
- logger13.debug(`Authorization code error:\r
2208
+ logger7.debug(`Authorization code error:\r
3729
2209
  ${JSON.stringify(response.errorBody)}`);
3730
2210
  const error = response.errorBody;
3731
2211
  return Promise.reject(error);
3732
2212
  } else if (!response.successBody) {
3733
- logger13.debug(`Authorization code error. No success body`);
2213
+ logger7.debug(`Authorization code error. No success body`);
3734
2214
  return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
3735
2215
  }
3736
2216
  return {
@@ -3802,16 +2282,19 @@ ${JSON.stringify(response.errorBody)}`);
3802
2282
  }
3803
2283
  });
3804
2284
  if (response.errorBody) {
3805
- logger13.debug(`Access token error:\r
2285
+ logger7.debug(`Access token error:\r
3806
2286
  ${JSON.stringify(response.errorBody)}`);
3807
2287
  throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
3808
2288
  } else if (!response.successBody) {
3809
- logger13.debug(`Access token error. No success body`);
2289
+ logger7.debug(`Access token error. No success body`);
3810
2290
  throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
3811
2291
  }
3812
2292
  this._state.accessTokenResponse = response.successBody;
3813
2293
  this._state.dpopResponseParams = response.params;
3814
2294
  this._state.accessToken = response.successBody.access_token;
2295
+ if (response.successBody.c_nonce) {
2296
+ this._state.cachedCNonce = response.successBody.c_nonce;
2297
+ }
3815
2298
  }
3816
2299
  return {
3817
2300
  ...this.accessTokenResponse,
@@ -3820,128 +2303,103 @@ ${JSON.stringify(response.errorBody)}`);
3820
2303
  }
3821
2304
  };
3822
2305
  }
3823
- async acquireCredentialsWithoutProof(args) {
3824
- return await this.acquireCredentialsImpl(args);
3825
- }
3826
- async acquireCredentials(args) {
3827
- return await this.acquireCredentialsImpl(args);
3828
- }
3829
- async acquireCredentialsImpl({ credentialIdentifier, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
2306
+ async acquireCredentials({ credentialIdentifier, credentialConfigurationId, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
3830
2307
  if ([
3831
2308
  jwk,
3832
2309
  kid
3833
2310
  ].filter((v) => v !== void 0).length > 1) {
3834
- throw new Error(import_oid4vci_common24.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
2311
+ throw new Error(import_oid4vci_common18.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
3835
2312
  }
3836
2313
  if (alg) this._state.alg = alg;
3837
2314
  if (jwk) this._state.jwk = jwk;
3838
2315
  if (kid) this._state.kid = kid;
3839
- const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
2316
+ const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
3840
2317
  credentialOffer: this.credentialOffer,
3841
2318
  metadata: this.endpointMetadata
3842
- }) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
2319
+ }) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
3843
2320
  credentialIssuer: this.getIssuer(),
2321
+ credentialTypes,
3844
2322
  credentialIdentifier,
2323
+ credentialConfigurationId,
3845
2324
  metadata: this.endpointMetadata,
3846
2325
  version: this.version()
3847
2326
  });
3848
- const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common24.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
2327
+ if (credentialIdentifier) {
2328
+ requestBuilder.withCredentialIdentifier(credentialIdentifier);
2329
+ } else if (credentialConfigurationId) {
2330
+ requestBuilder.withCredentialConfigurationId(credentialConfigurationId);
2331
+ }
2332
+ const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common18.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this._state.cachedCNonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
3849
2333
  requestBuilder.withIssuerState(issuerState);
3850
2334
  requestBuilder.withTokenFromResponse(this.accessTokenResponse);
3851
2335
  requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
3852
2336
  let subjectIssuance;
3853
2337
  if (this.endpointMetadata?.credentialIssuerMetadata) {
3854
2338
  const metadata = this.endpointMetadata.credentialIssuerMetadata;
3855
- const types = credentialTypes ? Array.isArray(credentialTypes) ? credentialTypes : [
3856
- credentialTypes
3857
- ] : void 0;
3858
- if (credentialIdentifier) {
3859
- if (typeof metadata.credential_configurations_supported !== "object") {
3860
- throw Error(`Credentials_supported should be an object, current ${typeof metadata.credential_configurations_supported} when credential_identifier is used`);
3861
- }
3862
- const credentialsSupported = metadata.credential_configurations_supported;
3863
- if (!credentialsSupported || !credentialsSupported[credentialIdentifier]) {
3864
- throw new Error(`Credential type ${credentialIdentifier} is not supported by issuer ${this.getIssuer()}`);
3865
- }
3866
- } else if (!types) {
3867
- throw Error(`If no credential_identifier is used, we expect types`);
3868
- } else if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
3869
- let typeSupported = false;
3870
- metadata.credentials_supported.forEach((supportedCredential) => {
3871
- const subTypes = (0, import_oid4vci_common24.getTypesFromCredentialSupported)(supportedCredential);
3872
- if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
3873
- typeSupported = true;
3874
- if (supportedCredential.credential_subject_issuance) {
2339
+ if (metadata.credential_configurations_supported) {
2340
+ const configId = credentialConfigurationId ?? credentialIdentifier;
2341
+ if (configId && metadata.credential_configurations_supported[configId]) {
2342
+ const config = metadata.credential_configurations_supported[configId];
2343
+ if (config.credential_subject_issuance) {
2344
+ const subjIssuance = config.credential_subject_issuance;
2345
+ if (subjIssuance.subject_proof_mode && subjIssuance.notification_events_supported) {
3875
2346
  subjectIssuance = {
3876
- credential_subject_issuance: supportedCredential.credential_subject_issuance
2347
+ credential_subject_issuance: {
2348
+ subject_proof_mode: subjIssuance.subject_proof_mode,
2349
+ notification_events_supported: subjIssuance.notification_events_supported
2350
+ }
3877
2351
  };
3878
2352
  }
3879
2353
  }
3880
- });
3881
- if (!typeSupported) {
3882
- console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
3883
- }
3884
- } else if (metadata.credential_configurations_supported && typeof metadata.credential_configurations_supported === "object") {
3885
- let typeSupported = false;
3886
- Object.values(metadata.credential_configurations_supported).forEach((supportedCredential) => {
3887
- const subTypes = (0, import_oid4vci_common24.getTypesFromCredentialSupported)(supportedCredential);
3888
- if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
3889
- typeSupported = true;
3890
- }
3891
- });
3892
- if (!typeSupported) {
3893
- throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
3894
2354
  }
3895
2355
  }
3896
2356
  }
3897
2357
  if (subjectIssuance) {
3898
2358
  requestBuilder.withSubjectIssuance(subjectIssuance);
3899
2359
  }
3900
- const credentialRequestClient = requestBuilder.build();
3901
- let proofBuilder;
3902
- if (proofCallbacks) {
3903
- proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
3904
- accessTokenResponse: this.accessTokenResponse,
3905
- callbacks: proofCallbacks,
3906
- version: this.version()
3907
- }).withIssuer(this.getIssuer()).withAlg(this.alg);
3908
- if (this._state.jwk) {
3909
- proofBuilder.withJWK(this._state.jwk);
3910
- }
3911
- if (this._state.kid) {
3912
- proofBuilder.withKid(this._state.kid);
3913
- }
3914
- if (this.clientId) {
3915
- proofBuilder.withClientId(this.clientId);
3916
- }
3917
- if (jti) {
3918
- proofBuilder.withJti(jti);
3919
- }
2360
+ const credentialRequestClient = requestBuilder.build();
2361
+ if (!this._state.cachedCNonce) {
2362
+ await this.acquireNonce();
2363
+ }
2364
+ const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
2365
+ accessTokenResponse: {
2366
+ ...this.accessTokenResponse,
2367
+ c_nonce: this._state.cachedCNonce
2368
+ },
2369
+ callbacks: proofCallbacks,
2370
+ version: this.version()
2371
+ }).withIssuer(this.getIssuer()).withAlg(this.alg);
2372
+ if (this._state.jwk) {
2373
+ proofBuilder.withJWK(this._state.jwk);
2374
+ }
2375
+ if (this._state.kid) {
2376
+ proofBuilder.withKid(this._state.kid);
2377
+ }
2378
+ if (this.clientId && (!this.credentialOffer || this.credentialOffer.supportedFlows.includes(import_oid4vci_common18.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && !this.credentialOffer.preAuthorizedCode)) {
2379
+ proofBuilder.withClientId(this.clientId);
2380
+ }
2381
+ if (jti) {
2382
+ proofBuilder.withJti(jti);
2383
+ }
2384
+ if (this._state.cachedCNonce) {
2385
+ proofBuilder.withAccessTokenNonce(this._state.cachedCNonce);
3920
2386
  }
3921
- const request = proofBuilder ? await credentialRequestClient.createCredentialRequest({
2387
+ const response = await credentialRequestClient.acquireCredentialsUsingProof({
3922
2388
  proofInput: proofBuilder,
3923
- credentialTypes,
3924
- context,
3925
- format,
3926
- version: this.version(),
3927
2389
  credentialIdentifier,
3928
- subjectIssuance
3929
- }) : await credentialRequestClient.createCredentialRequestWithoutProof({
3930
2390
  credentialTypes,
3931
2391
  context,
3932
2392
  format,
3933
- version: this.version(),
3934
- credentialIdentifier,
3935
- subjectIssuance
2393
+ subjectIssuance,
2394
+ createDPoPOpts
3936
2395
  });
3937
- const response = await credentialRequestClient.acquireCredentialsUsingRequest(request, createDPoPOpts);
3938
2396
  this._state.dpopResponseParams = response.params;
3939
2397
  if (response.errorBody) {
3940
- logger13.debug(`Credential request error:\r
2398
+ logger7.debug(`Credential request error:\r
3941
2399
  ${JSON.stringify(response.errorBody)}`);
3942
2400
  throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
3943
2401
  } else if (!response.successBody) {
3944
- logger13.debug(`Credential request error. No success body`);
2402
+ logger7.debug(`Credential request error. No success body`);
3945
2403
  throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
3946
2404
  }
3947
2405
  return {
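Review bot: The `if (!this._state.cachedCNonce)` guard ahead of the proof builder fetches a nonce only when none is cached, and nothing in this hunk clears `cachedCNonce` once it has gone into a proof. A second `acquireCredentials` call on the same client would therefore sign over an already-used value, including one copied from the token response earlier. Since a c_nonce is meant to bind a proof to a fresh issuer challenge, I would fetch a new one per request when the issuer advertises the endpoint: `if (this.hasNonceEndpoint()) { await this.acquireNonce(); }`. That also avoids the hard rejection from `acquireNonce()` for issuers whose metadata has no `nonce_endpoint`. The method body continues past the end of this hunk, so a reset further down cannot be ruled out from here.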
@@ -3955,59 +2413,44 @@ ${JSON.stringify(response.errorBody)}`);
3955
2413
  async exportState() {
3956
2414
  return JSON.stringify(this._state);
3957
2415
  }
3958
- getCredentialsSupported(format) {
3959
- return (0, import_oid4vci_common24.getSupportedCredentials)({
2416
+ getCredentialsSupported(restrictToInitiationTypes, format) {
2417
+ return (0, import_oid4vci_common18.getSupportedCredentials)({
3960
2418
  issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
3961
2419
  version: this.version(),
3962
2420
  format,
3963
- types: void 0
2421
+ types: restrictToInitiationTypes ? [
2422
+ this.getCredentialOfferConfigurationIds()
2423
+ ] : void 0
3964
2424
  });
3965
2425
  }
3966
2426
  async sendNotification(credentialRequestOpts, request, accessToken) {
3967
2427
  return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
3968
2428
  }
3969
- /* getCredentialOfferTypes(): string[][] {
2429
+ getCredentialOfferConfigurationIds() {
3970
2430
  if (!this.credentialOffer) {
3971
2431
  return [];
3972
- } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {
3973
- const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08;
3974
- const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type;
3975
- const result: string[][] = [];
3976
- result[0] = types;
3977
- return result;
3978
- } else {
3979
- return this.credentialOffer.credential_offer.credentials.map((c) => {
3980
- if (typeof c === 'string') {
3981
- return [c];
3982
- } else if ('types' in c) {
3983
- return c.types;
3984
- } else if ('vct' in c) {
3985
- return [c.vct];
3986
- } else {
3987
- return c.credential_definition.types;
3988
- }
3989
- });
3990
2432
  }
3991
- }*/
2433
+ return this.credentialOffer.credential_offer?.credential_configuration_ids ?? [];
2434
+ }
3992
2435
  issuerSupportedFlowTypes() {
3993
- return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
3994
- import_oid4vci_common24.AuthzFlowType.AUTHORIZATION_CODE_FLOW
2436
+ return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
2437
+ import_oid4vci_common18.AuthzFlowType.AUTHORIZATION_CODE_FLOW
3995
2438
  ] : []);
3996
2439
  }
3997
2440
  isFlowTypeSupported(flowType) {
3998
2441
  return this.issuerSupportedFlowTypes().includes(flowType);
3999
2442
  }
4000
- hasAuthorizationURL() {
4001
- return !!this.authorizationURL;
4002
- }
4003
2443
  get authorizationURL() {
4004
2444
  return this._state.authorizationURL;
4005
2445
  }
2446
+ hasAuthorizationURL() {
2447
+ return !!this.authorizationURL;
2448
+ }
4006
2449
  get credentialOffer() {
4007
2450
  return this._state.credentialOffer;
4008
2451
  }
4009
2452
  version() {
4010
- return this.credentialOffer?.version ?? import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13;
2453
+ return import_oid4vci_common18.OpenId4VCIVersion.VER_1_0_15;
4011
2454
  }
4012
2455
  get endpointMetadata() {
4013
2456
  this.assertServerMetadata();
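Review bot: `getCredentialsSupported(restrictToInitiationTypes, format)` puts a new boolean in front of the existing `format` argument. Any caller written against the previous `getCredentialsSupported(format)` shape now has its format string read as a truthy `restrictToInitiationTypes` and gets no format filter at all. If the old call shape has to keep working, a small shim at the top of the method would do it: `if (typeof restrictToInitiationTypes === "string") { format = restrictToInitiationTypes; restrictToInitiationTypes = false; }`. Separately, `types` is built as `[this.getCredentialOfferConfigurationIds()]`, an array wrapping an array. A short comment confirming that `getSupportedCredentials` expects that nesting would help, since the helper is not visible here.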
@@ -4043,13 +2486,16 @@ ${JSON.stringify(response.errorBody)}`);
4043
2486
  get dpopResponseParams() {
4044
2487
  return this._state.dpopResponseParams;
4045
2488
  }
2489
+ get state() {
2490
+ return this._state;
2491
+ }
4046
2492
  getIssuer() {
4047
2493
  this.assertIssuerData();
4048
2494
  return this._state.credentialIssuer;
4049
2495
  }
4050
2496
  getAccessTokenEndpoint() {
4051
2497
  this.assertIssuerData();
4052
- return this.endpointMetadata ? this.endpointMetadata.token_endpoint : AccessTokenClient.determineTokenURL({
2498
+ return this.endpointMetadata?.token_endpoint ?? AccessTokenClient.determineTokenURL({
4053
2499
  issuerOpts: {
4054
2500
  issuer: this.getIssuer()
4055
2501
  }
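Review bot: The new `get state()` hands out the live `_state` object rather than a copy, and that object holds the access token response, the PKCE values and the cached c_nonce. Any code with a reference to the client can read or overwrite them without going through the assertions the other accessors use. `exportState()` already gives callers a serialized snapshot; if an object form is needed I would return a shallow copy, `return { ...this._state };`, and add a comment that the result contains bearer credentials and must not be logged. A shallow copy still shares nested objects such as `accessTokenResponse`.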
@@ -4057,34 +2503,30 @@ ${JSON.stringify(response.errorBody)}`);
4057
2503
  }
4058
2504
  getCredentialEndpoint() {
4059
2505
  this.assertIssuerData();
4060
- return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
2506
+ return this.endpointMetadata?.credential_endpoint ?? `${this.getIssuer()}/credential`;
2507
+ }
2508
+ getNonceEndpoint() {
2509
+ return this.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint;
2510
+ }
2511
+ hasNonceEndpoint() {
2512
+ return !!this.getNonceEndpoint();
2513
+ }
2514
+ getAuthorizationChallengeEndpoint() {
2515
+ this.assertIssuerData();
2516
+ return this.endpointMetadata?.authorization_challenge_endpoint;
2517
+ }
2518
+ hasAuthorizationChallengeEndpoint() {
2519
+ return !!this.getAuthorizationChallengeEndpoint();
4061
2520
  }
4062
2521
  hasDeferredCredentialEndpoint() {
4063
- return !!this.getAccessTokenEndpoint();
2522
+ return !!this.endpointMetadata?.deferred_credential_endpoint;
4064
2523
  }
4065
2524
  getDeferredCredentialEndpoint() {
4066
2525
  this.assertIssuerData();
4067
- return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
2526
+ return this.endpointMetadata?.deferred_credential_endpoint;
4068
2527
  }
4069
- /**
4070
- * Too bad we need a method like this, but EBSI is not exposing metadata
4071
- */
4072
2528
  isEBSI() {
4073
- const credentialOffer = this.credentialOffer?.credential_offer;
4074
- if (credentialOffer?.credential_configuration_ids) {
4075
- const credentialConfigurations = this.endpointMetadata.credentialIssuerMetadata?.credential_configurations_supported;
4076
- if (credentialConfigurations) {
4077
- const isEBSITrustFramework = credentialOffer.credential_configuration_ids.map((id) => credentialConfigurations[id]).filter((config) => (
4078
- // eslint-disable-next-line @typescript-eslint/ban-ts-comment
4079
- // @ts-ignore
4080
- config !== void 0 && "trust_framework" in config && "name" in config.trust_framework
4081
- )).some((config) => config.trust_framework.name.includes("ebsi"));
4082
- if (isEBSITrustFramework) {
4083
- return true;
4084
- }
4085
- }
4086
- }
4087
- return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
2529
+ return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
4088
2530
  }
4089
2531
  assertIssuerData() {
4090
2532
  if (!this._state.credentialIssuer) {
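Review bot: `isEBSI()` now rests entirely on substring tests (`this.getIssuer().includes("ebsi")`, `this.clientId?.includes("ebsi")`, `...includes("ebsi.eu")`) against values that come from the credential offer or the issuer's own metadata. Any issuer whose URL merely contains those letters is classified as EBSI. What the result gates is not visible in this hunk, but if it relaxes or changes protocol handling the test should compare a parsed hostname instead, e.g. `new URL(this.getIssuer()).hostname.endsWith(".ebsi.eu")`. At minimum the method deserves a comment stating that it is a heuristic and not a trust decision; the commit removes the only comment it had.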
@@ -4104,13 +2546,20 @@ ${JSON.stringify(response.errorBody)}`);
4104
2546
  }
4105
2547
  }
4106
2548
  syncAuthorizationRequestOpts(opts) {
2549
+ const requestObjectOpts = {
2550
+ ...this._state?.authorizationRequestOpts?.requestObjectOpts,
2551
+ ...opts?.requestObjectOpts
2552
+ };
4107
2553
  let authorizationRequestOpts = {
4108
2554
  ...this._state?.authorizationRequestOpts,
4109
- ...opts
2555
+ ...opts,
2556
+ ...requestObjectOpts && {
2557
+ requestObjectOpts
2558
+ }
4110
2559
  };
4111
2560
  if (!authorizationRequestOpts) {
4112
2561
  authorizationRequestOpts = {
4113
- redirectUri: `${import_oid4vci_common24.DefaultURISchemes.CREDENTIAL_OFFER}://`
2562
+ redirectUri: `${import_oid4vci_common18.DefaultURISchemes.CREDENTIAL_OFFER}://`
4114
2563
  };
4115
2564
  }
4116
2565
  const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
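Review bot: The guard `...requestObjectOpts && { requestObjectOpts }` in `syncAuthorizationRequestOpts` can never be false, because `requestObjectOpts` is built as an object literal two lines earlier and is truthy even when both spreads are empty. Every synced options object therefore gains `requestObjectOpts: {}`, which code that tests for the presence of `requestObjectOpts` will read as "request object configured". Gate on content instead, e.g. `...(Object.keys(requestObjectOpts).length > 0 && { requestObjectOpts })`. For the same reason the following `if (!authorizationRequestOpts)` branch is unreachable, so the default `redirectUri` is never applied. The identical code is added in the later `@@ -4598,13 +3116,20 @@` hunk, and the function body continues past this hunk.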
@@ -4121,7 +2570,7 @@ ${JSON.stringify(response.errorBody)}`);
4121
2570
  getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
4122
2571
  if (authorizationResponse) {
4123
2572
  this._state.authorizationCodeResponse = {
4124
- ...(0, import_oid4vci_common24.toAuthorizationResponsePayload)(authorizationResponse)
2573
+ ...(0, import_oid4vci_common18.toAuthorizationResponsePayload)(authorizationResponse)
4125
2574
  };
4126
2575
  } else if (code) {
4127
2576
  this._state.authorizationCodeResponse = {
@@ -4132,17 +2581,15 @@ ${JSON.stringify(response.errorBody)}`);
4132
2581
  }, "getAuthorizationCode");
4133
2582
  };
4134
2583
 
4135
- // lib/OpenID4VCIClientV1_0_11.ts
4136
- var import_oid4vci_common25 = require("@sphereon/oid4vci-common");
4137
- var import_ssi_types16 = require("@sphereon/ssi-types");
4138
- var logger14 = import_ssi_types16.Loggers.DEFAULT.get("sphereon:oid4vci");
4139
- var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
2584
+ // lib/OpenID4VCIClient.ts
2585
+ var logger8 = import_ssi_types10.Loggers.DEFAULT.get("sphereon:oid4vci");
2586
+ var OpenID4VCIClient = class _OpenID4VCIClient {
4140
2587
  static {
4141
- __name(this, "OpenID4VCIClientV1_0_11");
2588
+ __name(this, "OpenID4VCIClient");
4142
2589
  }
4143
2590
  _state;
4144
- constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
4145
- const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common25.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
2591
+ constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
2592
+ const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common19.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
4146
2593
  if (!issuer) {
4147
2594
  throw Error("No credential issuer supplied or deduced from offer");
4148
2595
  }
@@ -4152,14 +2599,15 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4152
2599
  kid,
4153
2600
  alg,
4154
2601
  // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
4155
- clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common25.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
2602
+ clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common19.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
4156
2603
  pkce: {
4157
2604
  disabled: false,
4158
- codeChallengeMethod: import_oid4vci_common25.CodeChallengeMethod.S256,
2605
+ codeChallengeMethod: import_oid4vci_common19.CodeChallengeMethod.S256,
4159
2606
  ...pkce
4160
2607
  },
4161
2608
  authorizationRequestOpts,
4162
2609
  authorizationCodeResponse,
2610
+ accessToken,
4163
2611
  jwk,
4164
2612
  endpointMetadata,
4165
2613
  accessTokenResponse,
@@ -4168,16 +2616,17 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4168
2616
  if (!this._state.authorizationRequestOpts) {
4169
2617
  this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
4170
2618
  }
4171
- logger14.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
2619
+ logger8.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
4172
2620
  }
4173
- static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
4174
- const client = new _OpenID4VCIClientV1_0_11({
2621
+ static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
2622
+ const client = new _OpenID4VCIClient({
4175
2623
  kid,
4176
2624
  alg,
4177
2625
  clientId: clientId ?? authorizationRequest?.clientId,
4178
2626
  credentialIssuer,
4179
2627
  pkce,
4180
- authorizationRequest
2628
+ authorizationRequest,
2629
+ endpointMetadata
4181
2630
  });
4182
2631
  if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
4183
2632
  await client.retrieveServerMetadata();
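Review bot: The new `endpointMetadata` argument of `fromCredentialIssuer` is stored in the client state with nothing visible tying it to `credentialIssuer`. `retrieveServerMetadata()` in a later hunk only fetches when `this._state.endpointMetadata` is unset, so a supplied value replaces discovery entirely. The token and credential endpoints used afterwards then come from the caller; whether a consistency check happens elsewhere is not visible here. At minimum, document the contract on the parameter, e.g. `// endpointMetadata, when supplied, is used as-is and skips issuer metadata discovery; pass only metadata obtained for this credentialIssuer`. The same parameter is added to `fromURI` in the `@@ -4192,29 +2641,30 @@` hunk, and this function's body continues outside the hunk.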
@@ -4192,29 +2641,30 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4192
2641
  }
4193
2642
  static async fromState({ state }) {
4194
2643
  const clientState = typeof state === "string" ? JSON.parse(state) : state;
4195
- return new _OpenID4VCIClientV1_0_11(clientState);
2644
+ return new _OpenID4VCIClient(clientState);
4196
2645
  }
4197
- static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri }) {
4198
- const credentialOfferClient = await CredentialOfferClientV1_0_11.fromURI(uri, {
2646
+ static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, endpointMetadata }) {
2647
+ const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
4199
2648
  resolve: resolveOfferUri
4200
2649
  });
4201
- const client = new _OpenID4VCIClientV1_0_11({
2650
+ const client = new _OpenID4VCIClient({
4202
2651
  credentialOffer: credentialOfferClient,
4203
2652
  kid,
4204
2653
  alg,
4205
2654
  clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
4206
2655
  pkce,
4207
- authorizationRequest
2656
+ authorizationRequest,
2657
+ endpointMetadata
4208
2658
  });
4209
2659
  if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
4210
2660
  await client.retrieveServerMetadata();
4211
2661
  }
4212
- if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common25.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
2662
+ if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common19.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
4213
2663
  await client.createAuthorizationRequestUrl({
4214
2664
  authorizationRequest,
4215
2665
  pkce
4216
2666
  });
4217
- logger14.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
2667
+ logger8.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
4218
2668
  }
4219
2669
  return client;
4220
2670
  }
@@ -4234,12 +2684,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4234
2684
  if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
4235
2685
  this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
4236
2686
  }
4237
- this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
2687
+ this._state.authorizationURL = await createAuthorizationRequestUrl({
4238
2688
  pkce: this._state.pkce,
4239
2689
  endpointMetadata: this.endpointMetadata,
4240
2690
  authorizationRequest: this._state.authorizationRequestOpts,
4241
2691
  credentialOffer: this.credentialOffer,
4242
- credentialsSupported: Object.values(this.getCredentialsSupported())
2692
+ credentialConfigurationSupported: this.getCredentialsSupported()
4243
2693
  });
4244
2694
  }
4245
2695
  return this._state.authorizationURL;
@@ -4248,9 +2698,9 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4248
2698
  this.assertIssuerData();
4249
2699
  if (!this._state.endpointMetadata) {
4250
2700
  if (this.credentialOffer) {
4251
- this._state.endpointMetadata = await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
2701
+ this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
4252
2702
  } else if (this._state.credentialIssuer) {
4253
- this._state.endpointMetadata = await MetadataClientV1_0_11.retrieveAllMetadata(this._state.credentialIssuer);
2703
+ this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
4254
2704
  } else {
4255
2705
  throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
4256
2706
  }
@@ -4271,12 +2721,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4271
2721
  ...opts
4272
2722
  });
4273
2723
  if (response.errorBody) {
4274
- logger14.debug(`Authorization code error:\r
2724
+ logger8.debug(`Authorization code error:\r
4275
2725
  ${JSON.stringify(response.errorBody)}`);
4276
2726
  const error = response.errorBody;
4277
2727
  return Promise.reject(error);
4278
2728
  } else if (!response.successBody) {
4279
- logger14.debug(`Authorization code error. No success body`);
2729
+ logger8.debug(`Authorization code error. No success body`);
4280
2730
  return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
4281
2731
  }
4282
2732
  return {
@@ -4294,6 +2744,24 @@ ${JSON.stringify(response.errorBody)}`);
4294
2744
  const asOpts = {
4295
2745
  ...opts?.asOpts
4296
2746
  };
2747
+ const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
2748
+ const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
2749
+ if (this.isEBSI() || clientId && kid) {
2750
+ if (!clientId) {
2751
+ throw Error(`Client id expected for EBSI`);
2752
+ }
2753
+ asOpts.clientOpts = {
2754
+ ...asOpts.clientOpts,
2755
+ clientId,
2756
+ ...kid && {
2757
+ kid
2758
+ },
2759
+ ...clientAssertionType && {
2760
+ clientAssertionType
2761
+ },
2762
+ signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
2763
+ };
2764
+ }
4297
2765
  if (clientId) {
4298
2766
  this._state.clientId = clientId;
4299
2767
  if (!asOpts.clientOpts) {
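Review bot: `clientAssertionType` is derived only from `asOpts.clientOpts?.signCallbacks?.signCallback`, while the `signCallbacks` stored a few lines later falls back to `this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks`. When the sign callback comes from the stored request-object options, the assertion type stays `undefined`, so client authentication is presumably skipped without any signal. Resolve the callbacks once and derive the type from the result: `const signCallbacks = asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks;` and test `typeof signCallbacks?.signCallback === "function"`. The enclosing method starts and ends outside this hunk.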
@@ -4304,31 +2772,13 @@ ${JSON.stringify(response.errorBody)}`);
4304
2772
  asOpts.clientOpts.clientId = clientId;
4305
2773
  }
4306
2774
  if (!this._state.accessTokenResponse) {
4307
- const accessTokenClient = new AccessTokenClientV1_0_11();
2775
+ const accessTokenClient = new AccessTokenClient();
4308
2776
  if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
4309
2777
  console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
4310
2778
  }
4311
2779
  if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
4312
2780
  redirectUri = this._state.authorizationRequestOpts.redirectUri;
4313
2781
  }
4314
- const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
4315
- const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
4316
- if (this.isEBSI() || clientId && kid) {
4317
- if (!clientId) {
4318
- throw Error(`Client id expected for EBSI`);
4319
- }
4320
- asOpts.clientOpts = {
4321
- ...asOpts.clientOpts,
4322
- clientId,
4323
- ...kid && {
4324
- kid
4325
- },
4326
- ...clientAssertionType && {
4327
- clientAssertionType
4328
- },
4329
- signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
4330
- };
4331
- }
4332
2782
  const response = await accessTokenClient.acquireAccessToken({
4333
2783
  credentialOffer: this.credentialOffer,
4334
2784
  metadata: this.endpointMetadata,
@@ -4348,16 +2798,19 @@ ${JSON.stringify(response.errorBody)}`);
4348
2798
  }
4349
2799
  });
4350
2800
  if (response.errorBody) {
4351
- logger14.debug(`Access token error:\r
2801
+ logger8.debug(`Access token error:\r
4352
2802
  ${JSON.stringify(response.errorBody)}`);
4353
2803
  throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
4354
2804
  } else if (!response.successBody) {
4355
- logger14.debug(`Access token error. No success body`);
2805
+ logger8.debug(`Access token error. No success body`);
4356
2806
  throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
4357
2807
  }
4358
2808
  this._state.accessTokenResponse = response.successBody;
4359
2809
  this._state.dpopResponseParams = response.params;
4360
2810
  this._state.accessToken = response.successBody.access_token;
2811
+ if (response.successBody.c_nonce) {
2812
+ this._state.cachedCNonce = response.successBody.c_nonce;
2813
+ }
4361
2814
  }
4362
2815
  return {
4363
2816
  ...this.accessTokenResponse,
@@ -4371,22 +2824,34 @@ ${JSON.stringify(response.errorBody)}`);
4371
2824
  jwk,
4372
2825
  kid
4373
2826
  ].filter((v) => v !== void 0).length > 1) {
4374
- throw new Error(import_oid4vci_common25.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
2827
+ throw new Error(import_oid4vci_common19.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
4375
2828
  }
4376
2829
  if (alg) this._state.alg = alg;
4377
2830
  if (jwk) this._state.jwk = jwk;
4378
2831
  if (kid) this._state.kid = kid;
4379
- const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
2832
+ if (this.version() === import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_15 && this.hasNonceEndpoint()) {
2833
+ if (!this._state.cachedCNonce) {
2834
+ try {
2835
+ await this.acquireNonceViaV15Delegate();
2836
+ } catch (e) {
2837
+ return Promise.reject(Error(`failed to acquire nonce: ${String(e)}`));
2838
+ }
2839
+ }
2840
+ }
2841
+ let requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
4380
2842
  credentialOffer: this.credentialOffer,
4381
2843
  metadata: this.endpointMetadata
4382
- }) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
2844
+ }) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
4383
2845
  credentialIssuer: this.getIssuer(),
4384
2846
  credentialTypes,
4385
2847
  metadata: this.endpointMetadata,
4386
2848
  version: this.version()
4387
2849
  });
2850
+ const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common19.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
2851
+ requestBuilder.withIssuerState(issuerState);
4388
2852
  requestBuilder.withTokenFromResponse(this.accessTokenResponse);
4389
2853
  requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
2854
+ let subjectIssuance;
4390
2855
  if (this.endpointMetadata?.credentialIssuerMetadata) {
4391
2856
  const metadata = this.endpointMetadata.credentialIssuerMetadata;
4392
2857
  const types = Array.isArray(credentialTypes) ? credentialTypes : [
@@ -4395,9 +2860,14 @@ ${JSON.stringify(response.errorBody)}`);
4395
2860
  if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
4396
2861
  let typeSupported = false;
4397
2862
  metadata.credentials_supported.forEach((supportedCredential) => {
4398
- const subTypes = (0, import_oid4vci_common25.getTypesFromCredentialSupported)(supportedCredential);
2863
+ const subTypes = (0, import_oid4vci_common19.getTypesFromCredentialSupported)(supportedCredential);
4399
2864
  if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
4400
2865
  typeSupported = true;
2866
+ if (supportedCredential.credential_subject_issuance) {
2867
+ subjectIssuance = {
2868
+ credential_subject_issuance: supportedCredential.credential_subject_issuance
2869
+ };
2870
+ }
4401
2871
  }
4402
2872
  });
4403
2873
  if (!typeSupported) {
@@ -4410,89 +2880,124 @@ ${JSON.stringify(response.errorBody)}`);
4410
2880
  }
4411
2881
  }
4412
2882
  }
4413
- const credentialRequestClient = requestBuilder.build();
4414
- const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
4415
- accessTokenResponse: this.accessTokenResponse,
4416
- callbacks: proofCallbacks,
4417
- version: this.version()
4418
- }).withIssuer(this.getIssuer()).withAlg(this.alg);
4419
- if (this._state.jwk) {
4420
- proofBuilder.withJWK(this._state.jwk);
4421
- }
4422
- if (this._state.kid) {
4423
- proofBuilder.withKid(this._state.kid);
4424
- }
4425
- if (this.clientId) {
4426
- proofBuilder.withClientId(this.clientId);
4427
- }
4428
- if (jti) {
4429
- proofBuilder.withJti(jti);
2883
+ if (subjectIssuance) {
2884
+ requestBuilder.withSubjectIssuance(subjectIssuance);
4430
2885
  }
4431
- const response = await credentialRequestClient.acquireCredentialsUsingProof({
4432
- proofInput: proofBuilder,
4433
- credentialTypes,
4434
- context,
4435
- format,
4436
- createDPoPOpts
4437
- });
4438
- this._state.dpopResponseParams = response.params;
4439
- if (response.errorBody) {
4440
- logger14.debug(`Credential request error:\r
2886
+ const credentialRequestClient = requestBuilder.build();
2887
+ try {
2888
+ const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
2889
+ accessTokenResponse: this.accessTokenResponse,
2890
+ callbacks: proofCallbacks,
2891
+ version: this.version()
2892
+ }).withIssuer(this.getIssuer()).withAlg(this.alg);
2893
+ if (this._state.jwk) {
2894
+ proofBuilder.withJWK(this._state.jwk);
2895
+ }
2896
+ if (this._state.kid) {
2897
+ proofBuilder.withKid(this._state.kid);
2898
+ }
2899
+ if (this.clientId && (!this.credentialOffer || this.credentialOffer.supportedFlows.includes(import_oid4vci_common19.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && !this.credentialOffer.preAuthorizedCode)) {
2900
+ proofBuilder.withClientId(this.clientId);
2901
+ }
2902
+ if (jti) {
2903
+ proofBuilder.withJti(jti);
2904
+ }
2905
+ if ("cachedCNonce" in this._state && this._state.cachedCNonce) {
2906
+ proofBuilder.withAccessTokenNonce(this._state.cachedCNonce);
2907
+ }
2908
+ const response = await credentialRequestClient.acquireCredentialsUsingProof({
2909
+ proofInput: proofBuilder,
2910
+ credentialTypes,
2911
+ context,
2912
+ format,
2913
+ subjectIssuance,
2914
+ createDPoPOpts
2915
+ });
2916
+ this._state.dpopResponseParams = response.params;
2917
+ if (response.errorBody) {
2918
+ logger8.debug(`Credential request error:\r
4441
2919
  ${JSON.stringify(response.errorBody)}`);
4442
- throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
4443
- } else if (!response.successBody) {
4444
- logger14.debug(`Credential request error. No success body`);
4445
- throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
4446
- }
4447
- return {
4448
- ...response.successBody,
4449
- ...this.dpopResponseParams && {
4450
- params: this.dpopResponseParams
2920
+ throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
2921
+ } else if (!response.successBody) {
2922
+ logger8.debug(`Credential request error. No success body`);
2923
+ throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
4451
2924
  }
4452
- };
2925
+ return {
2926
+ ...response.successBody,
2927
+ ...this.dpopResponseParams && {
2928
+ params: this.dpopResponseParams
2929
+ },
2930
+ access_token: response.access_token
2931
+ };
2932
+ } catch (e) {
2933
+ if (!this.shouldRetryWithFreshNonce(e)) {
2934
+ return Promise.reject(e instanceof Error ? e : Error(String(e)));
2935
+ }
2936
+ this._state.cachedCNonce = void 0;
2937
+ try {
2938
+ await this.acquireNonceViaV15Delegate();
2939
+ } catch (e2) {
2940
+ return Promise.reject(Error(`retry nonce fetch failed: ${String(e2)}`));
2941
+ }
2942
+ const proofBuilder2 = ProofOfPossessionBuilder.fromAccessTokenResponse({
2943
+ accessTokenResponse: this.accessTokenResponse,
2944
+ callbacks: proofCallbacks,
2945
+ version: this.version()
2946
+ }).withIssuer(this.getIssuer()).withAlg(this.alg);
2947
+ if (this._state.jwk) {
2948
+ proofBuilder2.withJWK(this._state.jwk);
2949
+ }
2950
+ if (this._state.kid) {
2951
+ proofBuilder2.withKid(this._state.kid);
2952
+ }
2953
+ if (this.clientId) {
2954
+ proofBuilder2.withClientId(this.clientId);
2955
+ }
2956
+ if (jti) {
2957
+ proofBuilder2.withJti(jti);
2958
+ }
2959
+ const response2 = await credentialRequestClient.acquireCredentialsUsingProof({
2960
+ proofInput: proofBuilder2,
2961
+ credentialTypes,
2962
+ context,
2963
+ format,
2964
+ subjectIssuance,
2965
+ createDPoPOpts
2966
+ });
2967
+ this._state.dpopResponseParams = response2.params;
2968
+ if (response2.errorBody) {
2969
+ logger8.debug(`Credential request error (after retry):\r
2970
+ ${JSON.stringify(response2.errorBody)}`);
2971
+ return Promise.reject(Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed after retry with status: ${response2.origResponse.status}`));
2972
+ } else if (!response2.successBody) {
2973
+ logger8.debug(`Credential request error after retry. No success body`);
2974
+ return Promise.reject(Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed after retry as there was no success response body`));
2975
+ }
2976
+ return {
2977
+ ...response2.successBody,
2978
+ ...this.dpopResponseParams && {
2979
+ params: this.dpopResponseParams
2980
+ },
2981
+ access_token: response2.access_token
2982
+ };
2983
+ }
4453
2984
  }
4454
2985
  async exportState() {
4455
2986
  return JSON.stringify(this._state);
4456
2987
  }
4457
- // FIXME: We really should convert <v11 to v12 objects first. Right now the logic doesn't map nicely and is brittle.
4458
- // We should resolve IDs to objects first in case of strings.
4459
- // When < v11 convert into a v12 object. When v12 object retain it.
4460
- // Then match the object array on server metadata
4461
- getCredentialsSupportedV11(restrictToInitiationTypes, format) {
4462
- return (0, import_oid4vci_common25.getSupportedCredentials)({
4463
- issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
4464
- version: this.version(),
4465
- format,
4466
- types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
4467
- });
4468
- }
4469
2988
  getCredentialsSupported(format) {
4470
- return (0, import_oid4vci_common25.getSupportedCredentials)({
2989
+ return (0, import_oid4vci_common19.getSupportedCredentials)({
4471
2990
  issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
4472
2991
  version: this.version(),
4473
- format,
4474
- types: void 0
2992
+ format
4475
2993
  });
4476
2994
  }
4477
- getCredentialOfferTypes() {
4478
- if (!this.credentialOffer) {
4479
- return [];
4480
- } else if (this.credentialOffer.version < import_oid4vci_common25.OpenId4VCIVersion.VER_1_0_11) {
4481
- const orig = this.credentialOffer.original_credential_offer;
4482
- const types = typeof orig.credential_type === "string" ? [
4483
- orig.credential_type
4484
- ] : orig.credential_type;
4485
- const result = [];
4486
- result[0] = types;
4487
- return result;
4488
- } else if (this.credentialOffer.version < import_oid4vci_common25.OpenId4VCIVersion.VER_1_0_13) {
4489
- return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common25.getTypesFromObject)(c) ?? []);
4490
- }
4491
- throw Error(`This class only supports version 11 and lower! Version: ${this.version()}`);
2995
+ async sendNotification(credentialRequestOpts, request, accessToken) {
2996
+ return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
4492
2997
  }
4493
2998
  issuerSupportedFlowTypes() {
4494
- return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
4495
- import_oid4vci_common25.AuthzFlowType.AUTHORIZATION_CODE_FLOW
2999
+ return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
3000
+ import_oid4vci_common19.AuthzFlowType.AUTHORIZATION_CODE_FLOW
4496
3001
  ] : []);
4497
3002
  }
4498
3003
  isFlowTypeSupported(flowType) {
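Review bot: The retry branch in the new `catch` builds `proofBuilder2` without `withAccessTokenNonce(this._state.cachedCNonce)`, so the nonce just fetched by `acquireNonceViaV15Delegate()` is not carried into the second proof the way it is on the first attempt. Add `if (this._state.cachedCNonce) proofBuilder2.withAccessTokenNonce(this._state.cachedCNonce);` before the second `acquireCredentialsUsingProof` call. The retry also calls `withClientId` whenever `this.clientId` is set, while the first attempt skips it for pre-authorized offers, so a retried proof can carry a client id the first one deliberately left out; reuse the same condition, ideally by building both proofs in one private helper. Separately, the `throw Error(...)` for `response.errorBody` has no `status` or `response` fields, so `shouldRetryWithFreshNonce` returns false for it. The retry is therefore only reachable if `acquireCredentialsUsingProof` itself throws an error with those fields, which is not visible here.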
@@ -4508,7 +3013,17 @@ ${JSON.stringify(response.errorBody)}`);
4508
3013
  return this._state.credentialOffer;
4509
3014
  }
4510
3015
  version() {
4511
- return this.credentialOffer?.version ?? import_oid4vci_common25.OpenId4VCIVersion.VER_1_0_11;
3016
+ if (this.credentialOffer?.version && this.credentialOffer.version !== import_oid4vci_common19.OpenId4VCIVersion.VER_UNKNOWN) {
3017
+ return this.credentialOffer.version;
3018
+ }
3019
+ const metadata = this._state.endpointMetadata;
3020
+ if (metadata?.credentialIssuerMetadata) {
3021
+ const versions = (0, import_oid4vci_common19.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
3022
+ if (versions.length > 0 && !versions.includes(import_oid4vci_common19.OpenId4VCIVersion.VER_UNKNOWN)) {
3023
+ return versions[0];
3024
+ }
3025
+ }
3026
+ return import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_15;
4512
3027
  }
4513
3028
  get endpointMetadata() {
4514
3029
  this.assertServerMetadata();
@@ -4550,7 +3065,10 @@ ${JSON.stringify(response.errorBody)}`);
4550
3065
  }
4551
3066
  getAccessTokenEndpoint() {
4552
3067
  this.assertIssuerData();
4553
- return this.endpointMetadata ? this.endpointMetadata.token_endpoint : AccessTokenClientV1_0_11.determineTokenURL({
3068
+ if (this.endpointMetadata) {
3069
+ return this.endpointMetadata.token_endpoint;
3070
+ }
3071
+ return AccessTokenClient.determineTokenURL({
4554
3072
  issuerOpts: {
4555
3073
  issuer: this.getIssuer()
4556
3074
  }
@@ -4560,6 +3078,13 @@ ${JSON.stringify(response.errorBody)}`);
4560
3078
  this.assertIssuerData();
4561
3079
  return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
4562
3080
  }
3081
+ getAuthorizationChallengeEndpoint() {
3082
+ this.assertIssuerData();
3083
+ return this.endpointMetadata?.authorization_challenge_endpoint;
3084
+ }
3085
+ hasAuthorizationChallengeEndpoint() {
3086
+ return !!this.getAuthorizationChallengeEndpoint();
3087
+ }
4563
3088
  hasDeferredCredentialEndpoint() {
4564
3089
  return !!this.getAccessTokenEndpoint();
4565
3090
  }
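Review bot: `hasDeferredCredentialEndpoint()` in this class still returns `!!this.getAccessTokenEndpoint()`, so it reports a deferred credential endpoint whenever a token endpoint resolves. The same method in the class patched earlier in this diff is corrected to `return !!this.endpointMetadata?.deferred_credential_endpoint;`, and this copy should get the same line. The new `hasAuthorizationChallengeEndpoint()` added just above it already follows the right pattern of testing its own endpoint. `getDeferredCredentialEndpoint()` lies outside this hunk, so whether it has the matching fix cannot be confirmed from here.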
@@ -4571,13 +3096,6 @@ ${JSON.stringify(response.errorBody)}`);
4571
3096
  * Too bad we need a method like this, but EBSI is not exposing metadata
4572
3097
  */
4573
3098
  isEBSI() {
4574
- if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
4575
- // eslint-disable-next-line @typescript-eslint/ban-ts-comment
4576
- // @ts-ignore
4577
- typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
4578
- ))) {
4579
- return true;
4580
- }
4581
3099
  return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
4582
3100
  }
4583
3101
  assertIssuerData() {
@@ -4598,13 +3116,20 @@ ${JSON.stringify(response.errorBody)}`);
4598
3116
  }
4599
3117
  }
4600
3118
  syncAuthorizationRequestOpts(opts) {
3119
+ const requestObjectOpts = {
3120
+ ...this._state?.authorizationRequestOpts?.requestObjectOpts,
3121
+ ...opts?.requestObjectOpts
3122
+ };
4601
3123
  let authorizationRequestOpts = {
4602
3124
  ...this._state?.authorizationRequestOpts,
4603
- ...opts
3125
+ ...opts,
3126
+ ...requestObjectOpts && {
3127
+ requestObjectOpts
3128
+ }
4604
3129
  };
4605
3130
  if (!authorizationRequestOpts) {
4606
3131
  authorizationRequestOpts = {
4607
- redirectUri: `${import_oid4vci_common25.DefaultURISchemes.CREDENTIAL_OFFER}://`
3132
+ redirectUri: `${import_oid4vci_common19.DefaultURISchemes.CREDENTIAL_OFFER}://`
4608
3133
  };
4609
3134
  }
4610
3135
  const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
@@ -4615,7 +3140,7 @@ ${JSON.stringify(response.errorBody)}`);
4615
3140
  getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
4616
3141
  if (authorizationResponse) {
4617
3142
  this._state.authorizationCodeResponse = {
4618
- ...(0, import_oid4vci_common25.toAuthorizationResponsePayload)(authorizationResponse)
3143
+ ...(0, import_oid4vci_common19.toAuthorizationResponsePayload)(authorizationResponse)
4619
3144
  };
4620
3145
  } else if (code) {
4621
3146
  this._state.authorizationCodeResponse = {
@@ -4624,8 +3149,54 @@ ${JSON.stringify(response.errorBody)}`);
4624
3149
  }
4625
3150
  return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
4626
3151
  }, "getAuthorizationCode");
3152
+ hasNonceEndpoint() {
3153
+ const endpoint = this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint;
3154
+ return typeof endpoint === "string" && endpoint.length > 0;
3155
+ }
3156
+ async acquireNonceViaV15Delegate() {
3157
+ const state = this._state;
3158
+ let v15Client;
3159
+ try {
3160
+ v15Client = await OpenID4VCIClientV1_0_15.fromState({
3161
+ state
3162
+ });
3163
+ } catch (e) {
3164
+ return Promise.reject(Error(`failed to init v15 delegate for nonce: ${String(e)}`));
3165
+ }
3166
+ try {
3167
+ await v15Client.acquireNonce();
3168
+ } catch (e) {
3169
+ return Promise.reject(Error(`nonce request failed: ${String(e)}`));
3170
+ }
3171
+ state.cachedCNonce = v15Client.state.cachedCNonce;
3172
+ }
3173
+ shouldRetryWithFreshNonce(err) {
3174
+ if (!this.hasNonceEndpoint() && this.version() !== import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_15) {
3175
+ return false;
3176
+ }
3177
+ const status = err?.response?.status ?? err?.status;
3178
+ const body = err?.response?.data ?? err?.data ?? void 0;
3179
+ const error = typeof body?.error === "string" ? body.error : void 0;
3180
+ const desc = typeof body?.error_description === "string" ? body.error_description : void 0;
3181
+ const text = [
3182
+ error,
3183
+ desc
3184
+ ].filter(Boolean).join(" ").toLowerCase();
3185
+ if (status === 400 || status === 401 || status === 403) {
3186
+ if (text.includes("nonce") || text.includes("c_nonce")) {
3187
+ return true;
3188
+ }
3189
+ if (text.includes("proof") && (text.includes("invalid") || text.includes("expired"))) {
3190
+ return true;
3191
+ }
3192
+ if (error === "invalid_proof" || error === "invalid_request") {
3193
+ return true;
3194
+ }
3195
+ }
3196
+ return false;
3197
+ }
4627
3198
  };
4628
3199
 
4629
3200
  // lib/index.ts
4630
- var LOG2 = import_oid4vci_common26.VCI_LOGGERS.get("sphereon:oid4vci:client");
3201
+ var LOG2 = import_oid4vci_common20.VCI_LOGGERS.get("sphereon:oid4vci:client");
4631
3202
  //# sourceMappingURL=index.cjs.map
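Review bot: In shouldRetryWithFreshNonce, the `error === "invalid_request"` test makes any generic 400/401/403 rejection look like a stale nonce. A malformed or refused credential request would then trigger a new nonce fetch and a newly signed proof, even though a fresh nonce cannot fix it. The `error` and `error_description` values come from the issuer's response, so the substring checks on them should stay narrow too; `text.includes("c_nonce")` is already covered by `text.includes("nonce")`. I would match the error code exactly and drop `invalid_request`: `if (error === "invalid_proof" || error === "invalid_nonce") {`. The caller is outside this hunk, so it is worth confirming that it retries at most once per request.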