@sphereon/oid4vci-client 0.19.1-next.2 → 0.19.1-next.220

package/dist/index.js

@@ -9,10 +9,6 @@ import { createDPoP, getCreateDPoPOptions } from "@sphereon/oid4vc-common";
 import { assertedUniformCredentialOffer, AuthzFlowType, convertJsonToURI, formPost, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload2, GrantTypes, JsonURIMode, PRE_AUTH_CODE_LITERAL as PRE_AUTH_CODE_LITERAL2, PRE_AUTH_GRANT_LITERAL as PRE_AUTH_GRANT_LITERAL2, TokenErrorResponse, toUniformCredentialOfferRequest } from "@sphereon/oid4vci-common";
 import { ObjectUtils } from "@sphereon/ssi-types";
 
-// lib/MetadataClientV1_0_13.ts
-import { getIssuerFromCredentialOfferPayload, WellKnownEndpoints } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers2 } from "@sphereon/ssi-types";
-
 // lib/functions/AuthorizationUtil.ts
 import { assertValidCodeVerifier, CodeChallengeMethod, createCodeChallenge, generateCodeVerifier } from "@sphereon/oid4vci-common";
 var generateMissingPKCEOpts = /* @__PURE__ */ __name((pkce) => {
@@ -87,17 +83,17 @@ var retrieveWellknown = /* @__PURE__ */ __name(async (host, endpointType, opts)
 
 // lib/functions/AccessTokenUtil.ts
 import { uuidv4 } from "@sphereon/oid4vc-common";
-import { OpenId4VCIVersion as OpenId4VCIVersion2 } from "@sphereon/oid4vci-common";
+import { OpenId4VCIVersion } from "@sphereon/oid4vci-common";
 
 // lib/ProofOfPossessionBuilder.ts
-import { createProofOfPossession, NO_JWT_PROVIDED, OpenId4VCIVersion, PROOF_CANT_BE_CONSTRUCTED } from "@sphereon/oid4vci-common";
+import { createProofOfPossession, NO_JWT_PROVIDED, PROOF_CANT_BE_CONSTRUCTED } from "@sphereon/oid4vci-common";
 var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
   static {
     __name(this, "ProofOfPossessionBuilder");
   }
   proof;
   callbacks;
-  version;
+  //  private readonly version: OpenId4VCIVersion
   mode = "pop";
   kid;
   jwk;
@@ -113,11 +109,10 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
     this.mode = mode;
     this.proof = proof;
     this.callbacks = callbacks;
-    this.version = version;
     if (jwt) {
       this.withJwt(jwt);
     } else {
-      this.withTyp(version < OpenId4VCIVersion.VER_1_0_11 || mode === "JWT" ? "JWT" : "openid4vci-proof+jwt");
+      this.withTyp(mode === "JWT" ? "JWT" : "openid4vci-proof+jwt");
     }
     if (accessTokenResponse) {
       this.withAccessTokenResponse(accessTokenResponse);
@@ -182,7 +177,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
     return this;
   }
   withTyp(typ) {
-    if (this.mode === "pop" && this.version >= OpenId4VCIVersion.VER_1_0_11) {
+    if (this.mode === "pop") {
       if (!!typ && typ !== "openid4vci-proof+jwt") {
         throw Error(`typ must be openid4vci-proof+jwt for version 1.0.11 and up. Provided: ${typ}`);
       }
@@ -224,7 +219,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
     if (jwt.header.typ) {
       this.withTyp(jwt.header.typ);
     }
-    if (!this.typ && this.version >= OpenId4VCIVersion.VER_1_0_11) {
+    if (!this.typ) {
       this.withTyp("openid4vci-proof+jwt");
     }
     this.withAlg(jwt.header.alg);
@@ -244,7 +239,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
       return Promise.resolve(this.proof);
     } else if (this.callbacks) {
       return await createProofOfPossession(this.mode, this.callbacks, {
-        typ: this.typ ?? (this.version < OpenId4VCIVersion.VER_1_0_11 || this.mode === "JWT" ? "JWT" : "openid4vci-proof+jwt"),
+        typ: this.typ ?? (this.mode === "JWT" ? "JWT" : "openid4vci-proof+jwt"),
         kid: this.kid,
         jwk: this.jwk,
         jti: this.jti,
@@ -297,7 +292,7 @@ var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts
     const pop = await ProofOfPossessionBuilder.fromJwt({
       jwt,
       callbacks: signCallbacks,
-      version: opts.version ?? OpenId4VCIVersion2.VER_1_0_13,
+      version: opts.version ?? OpenId4VCIVersion.VER_1_0_15,
       mode: "JWT"
     }).build();
     request.client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
@@ -307,7 +302,7 @@ var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts
 
 // lib/functions/CredentialOfferCommons.ts
 import { decodeJsonProperties, getClientIdFromCredentialOfferPayload, getURIComponentsAsArray, PRE_AUTH_CODE_LITERAL, PRE_AUTH_GRANT_LITERAL } from "@sphereon/oid4vci-common";
-import { fetch } from "cross-fetch";
+import fetch from "cross-fetch";
 function isUriEncoded(str) {
   const pattern = /%[0-9A-F]{2}/i;
   return pattern.test(str);
@@ -352,11 +347,54 @@ function constructBaseResponse(request, scheme, baseUrl) {
 }
 __name(constructBaseResponse, "constructBaseResponse");
 
-// lib/MetadataClientV1_0_13.ts
+// lib/functions/dpopUtil.ts
+import { dpopTokenRequestNonceError } from "@sphereon/oid4vc-common";
+function shouldRetryTokenRequestWithDPoPNonce(response) {
+  if (!response.errorBody || response.errorBody.error !== dpopTokenRequestNonceError) {
+    return {
+      ok: false
+    };
+  }
+  const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
+  if (!dPoPNonce) {
+    throw new Error("Missing required DPoP-Nonce header.");
+  }
+  return {
+    ok: true,
+    dpopNonce: dPoPNonce
+  };
+}
+__name(shouldRetryTokenRequestWithDPoPNonce, "shouldRetryTokenRequestWithDPoPNonce");
+function shouldRetryResourceRequestWithDPoPNonce(response) {
+  if (!response.errorBody || response.origResponse.status !== 401) {
+    return {
+      ok: false
+    };
+  }
+  const wwwAuthenticateHeader = response.origResponse.headers.get("WWW-Authenticate");
+  if (!wwwAuthenticateHeader?.includes(dpopTokenRequestNonceError)) {
+    return {
+      ok: false
+    };
+  }
+  const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
+  if (!dPoPNonce) {
+    throw new Error("Missing required DPoP-Nonce header.");
+  }
+  return {
+    ok: true,
+    dpopNonce: dPoPNonce
+  };
+}
+__name(shouldRetryResourceRequestWithDPoPNonce, "shouldRetryResourceRequestWithDPoPNonce");
+
+// lib/MetadataClientV1_0_15.ts
+import { getIssuerFromCredentialOfferPayload, WellKnownEndpoints } from "@sphereon/oid4vci-common";
+import { Loggers as Loggers2 } from "@sphereon/ssi-types";
 var logger2 = Loggers2.DEFAULT.get("sphereon:oid4vci:metadata");
-var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
+var MetadataClientV1_0_15 = class _MetadataClientV1_0_15 {
   static {
-    __name(this, "MetadataClientV1_0_13");
+    __name(this, "MetadataClientV1_0_15");
   }
   /**
   * Retrieve metadata using the Initiation obtained from a previous step
@@ -364,7 +402,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
   * @param credentialOffer
   */
   static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
-    return _MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
+    return _MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
   }
   /**
   * Retrieve the metada using the initiation request obtained from a previous step
@@ -373,7 +411,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
   static async retrieveAllMetadataFromCredentialOfferRequest(request) {
     const issuer = getIssuerFromCredentialOfferPayload(request);
     if (issuer) {
-      return _MetadataClientV1_0_13.retrieveAllMetadata(issuer);
+      return _MetadataClientV1_0_15.retrieveAllMetadata(issuer);
     }
     throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
   }
@@ -385,6 +423,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
   static async retrieveAllMetadata(issuer, opts) {
     let token_endpoint;
     let credential_endpoint;
+    let nonce_endpoint;
     let deferred_credential_endpoint;
     let authorization_endpoint;
     let authorization_challenge_endpoint;
@@ -392,7 +431,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
     let authorization_servers = [
       issuer
     ];
-    const oid4vciResponse = await _MetadataClientV1_0_13.retrieveOpenID4VCIServerMetadata(issuer, {
+    const oid4vciResponse = await _MetadataClientV1_0_15.retrieveOpenID4VCIServerMetadata(issuer, {
       errorOnNotFound: false
     });
     let credentialIssuerMetadata = oid4vciResponse?.successBody;
@@ -400,6 +439,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
       logger2.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
 ${JSON.stringify(credentialIssuerMetadata)}`);
       credential_endpoint = credentialIssuerMetadata.credential_endpoint;
+      nonce_endpoint = credentialIssuerMetadata.nonce_endpoint;
       deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
       if (credentialIssuerMetadata.token_endpoint) {
         token_endpoint = credentialIssuerMetadata.token_endpoint;
@@ -427,9 +467,6 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
         throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
       }
     } else {
-      if (!authorizationServerType) {
-        authorizationServerType = "OAuth 2.0";
-      }
       logger2.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
       if (!authMetadata.authorization_endpoint) {
         console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
@@ -484,17 +521,29 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
     if (!credentialIssuerMetadata && authMetadata) {
       credentialIssuerMetadata = authMetadata;
     }
+    const ci = credentialIssuerMetadata ?? {};
+    const ciAuthorizationServers = Array.isArray(ci.authorization_servers) && ci.authorization_servers.length > 0 ? ci.authorization_servers : authorization_servers;
+    const v15CredentialIssuerMetadata = {
+      credential_issuer: ci.credential_issuer ?? issuer,
+      credential_endpoint,
+      authorization_servers: ciAuthorizationServers,
+      credential_configurations_supported: ci.credential_configurations_supported ?? {},
+      display: ci.display ?? [],
+      ...nonce_endpoint && {
+        nonce_endpoint
+      },
+      ...deferred_credential_endpoint && {
+        deferred_credential_endpoint
+      }
+    };
     logger2.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
     return {
       issuer,
       token_endpoint,
       credential_endpoint,
-      deferred_credential_endpoint,
-      authorization_server: authorization_servers[0],
-      authorization_endpoint,
       authorization_challenge_endpoint,
       authorizationServerType,
-      credentialIssuerMetadata,
+      credentialIssuerMetadata: v15CredentialIssuerMetadata,
       authorizationServerMetadata: authMetadata
     };
   }
@@ -511,47 +560,6 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
   }
 };
 
-// lib/functions/dpopUtil.ts
-import { dpopTokenRequestNonceError } from "@sphereon/oid4vc-common";
-function shouldRetryTokenRequestWithDPoPNonce(response) {
-  if (!response.errorBody || response.errorBody.error !== dpopTokenRequestNonceError) {
-    return {
-      ok: false
-    };
-  }
-  const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
-  if (!dPoPNonce) {
-    throw new Error("Missing required DPoP-Nonce header.");
-  }
-  return {
-    ok: true,
-    dpopNonce: dPoPNonce
-  };
-}
-__name(shouldRetryTokenRequestWithDPoPNonce, "shouldRetryTokenRequestWithDPoPNonce");
-function shouldRetryResourceRequestWithDPoPNonce(response) {
-  if (!response.errorBody || response.origResponse.status !== 401) {
-    return {
-      ok: false
-    };
-  }
-  const wwwAuthenticateHeader = response.origResponse.headers.get("WWW-Authenticate");
-  if (!wwwAuthenticateHeader?.includes(dpopTokenRequestNonceError)) {
-    return {
-      ok: false
-    };
-  }
-  const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
-  if (!dPoPNonce) {
-    throw new Error("Missing required DPoP-Nonce header.");
-  }
-  return {
-    ok: true,
-    dpopNonce: dPoPNonce
-  };
-}
-__name(shouldRetryResourceRequestWithDPoPNonce, "shouldRetryResourceRequestWithDPoPNonce");
-
 // lib/AccessTokenClient.ts
 var AccessTokenClient = class _AccessTokenClient {
   static {
@@ -593,7 +601,7 @@ var AccessTokenClient = class _AccessTokenClient {
     const requestTokenURL = _AccessTokenClient.determineTokenURL({
       asOpts,
       issuerOpts,
-      metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_13.retrieveAllMetadata(issuerOpts.issuer, {
+      metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_15.retrieveAllMetadata(issuerOpts.issuer, {
         errorOnNotFound: false
       }) : void 0
     });
@@ -782,319 +790,108 @@ var AccessTokenClient = class _AccessTokenClient {
   }
 };
 
-// lib/AccessTokenClientV1_0_11.ts
-import { createDPoP as createDPoP2, getCreateDPoPOptions as getCreateDPoPOptions2 } from "@sphereon/oid4vc-common";
-import { assertedUniformCredentialOffer as assertedUniformCredentialOffer2, AuthzFlowType as AuthzFlowType2, convertJsonToURI as convertJsonToURI2, formPost as formPost2, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload3, GrantTypes as GrantTypes2, JsonURIMode as JsonURIMode2, OpenId4VCIVersion as OpenId4VCIVersion3, PRE_AUTH_CODE_LITERAL as PRE_AUTH_CODE_LITERAL3, PRE_AUTH_GRANT_LITERAL as PRE_AUTH_GRANT_LITERAL3, TokenErrorResponse as TokenErrorResponse2, toUniformCredentialOfferRequest as toUniformCredentialOfferRequest2 } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers3, ObjectUtils as ObjectUtils2 } from "@sphereon/ssi-types";
-var logger3 = Loggers3.DEFAULT.get("sphereon:oid4vci:token");
-var AccessTokenClientV1_0_11 = class _AccessTokenClientV1_0_11 {
+// lib/AuthorizationCodeClient.ts
+import { CodeChallengeMethod as CodeChallengeMethod2, convertJsonToURI as convertJsonToURI2, CreateRequestObjectMode, determineSpecVersionFromOffer as determineSpecVersionFromOffer2, formPost as formPost2, isW3cCredentialSupported, JsonURIMode as JsonURIMode2, OpenId4VCIVersion as OpenId4VCIVersion3, PARMode, ResponseType } from "@sphereon/oid4vci-common";
+import { Loggers as Loggers4 } from "@sphereon/ssi-types";
+
+// lib/MetadataClient.ts
+import { determineSpecVersionFromOffer, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload3, OpenId4VCIVersion as OpenId4VCIVersion2, WellKnownEndpoints as WellKnownEndpoints2 } from "@sphereon/oid4vci-common";
+import { Loggers as Loggers3 } from "@sphereon/ssi-types";
+var logger3 = Loggers3.DEFAULT.get("sphereon:oid4vci:metadata");
+var MetadataClient = class _MetadataClient {
   static {
-    __name(this, "AccessTokenClientV1_0_11");
+    __name(this, "MetadataClient");
   }
-  async acquireAccessToken(opts) {
-    const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts;
-    const credentialOffer = opts.credentialOffer ? await assertedUniformCredentialOffer2(opts.credentialOffer) : void 0;
-    const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer);
-    const issuer = opts.credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload3(credentialOffer.credential_offer) : metadata?.issuer);
-    if (!issuer) {
-      throw Error("Issuer required at this point");
+  /**
+  * Retrieve metadata using the Initiation obtained from a previous step
+  *
+  * @param credentialOffer
+  */
+  static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
+    const openId4VCIVersion = determineSpecVersionFromOffer(credentialOffer.credential_offer);
+    if (openId4VCIVersion >= OpenId4VCIVersion2.VER_1_0_15) {
+      return await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(credentialOffer);
     }
-    const issuerOpts = {
-      issuer
-    };
-    return await this.acquireAccessTokenUsingRequest({
-      accessTokenRequest: await this.createAccessTokenRequest({
-        credentialOffer,
-        asOpts,
-        codeVerifier,
-        code,
-        redirectUri,
-        pin,
-        credentialIssuer: issuer,
-        metadata,
-        additionalParams: opts.additionalParams,
-        pinMetadata: opts.pinMetadata
-      }),
-      isPinRequired,
-      metadata,
-      asOpts,
-      issuerOpts,
-      createDPoPOpts
-    });
+    return Promise.reject(Error(`OpenId4VCIVersion ${openId4VCIVersion} is not supported in retrieveAllMetadataFromCredentialOffer`));
   }
-  async acquireAccessTokenUsingRequest({ accessTokenRequest, isPinRequired, metadata, asOpts, createDPoPOpts, issuerOpts }) {
-    this.validate(accessTokenRequest, isPinRequired);
-    const requestTokenURL = _AccessTokenClientV1_0_11.determineTokenURL({
-      asOpts,
-      issuerOpts,
-      metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_13.retrieveAllMetadata(issuerOpts.issuer, {
-        errorOnNotFound: false
-      }) : void 0
-    });
-    const useDpop = createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0;
-    let dPoP = useDpop ? await createDPoP2(getCreateDPoPOptions2(createDPoPOpts, requestTokenURL)) : void 0;
-    let response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? {
-      headers: {
-        dpop: dPoP
+  /**
+  * Retrieve the metada using the initiation request obtained from a previous step
+  * @param request
+  */
+  static async retrieveAllMetadataFromCredentialOfferRequest(request) {
+    const issuer = getIssuerFromCredentialOfferPayload3(request);
+    if (issuer) {
+      const openId4VCIVersion = determineSpecVersionFromOffer(request);
+      if (openId4VCIVersion >= OpenId4VCIVersion2.VER_1_0_15) {
+        return MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(request);
+      } else {
+        return Promise.reject(Error(`OpenId4VCIVersion ${openId4VCIVersion} is not supported in retrieveAllMetadataFromCredentialOfferRequest`));
       }
-    } : void 0);
-    let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
-    const retryWithNonce = shouldRetryTokenRequestWithDPoPNonce(response);
-    if (retryWithNonce.ok && createDPoPOpts) {
-      createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
-      dPoP = await createDPoP2(getCreateDPoPOptions2(createDPoPOpts, requestTokenURL));
-      response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? {
-        headers: {
-          dpop: dPoP
-        }
-      } : void 0);
-      const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
-      nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
     }
-    if (response.successBody && createDPoPOpts && response.successBody.token_type !== "DPoP") {
-      throw new Error("Invalid token type returned. Expected DPoP. Received: " + response.successBody.token_type);
-    }
-    return {
-      ...response,
-      ...nextDPoPNonce && {
-        params: {
-          dpop: {
-            dpopNonce: nextDPoPNonce
-          }
-        }
-      }
-    };
+    throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
   }
-  async createAccessTokenRequest(opts) {
-    const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
-    const credentialOfferRequest = opts.credentialOffer ? await toUniformCredentialOfferRequest2(opts.credentialOffer) : void 0;
-    const request = {
-      ...opts.additionalParams
-    };
-    const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer;
-    if (asOpts?.clientOpts?.clientId) {
-      request.client_id = asOpts.clientOpts.clientId;
-    }
-    await createJwtBearerClientAssertion(request, {
-      ...opts,
-      version: OpenId4VCIVersion3.VER_1_0_11,
-      credentialIssuer
+  /**
+  * Retrieve all metadata from an issuer
+  * @param issuer The issuer URL
+  * @param opts
+  */
+  static async retrieveAllMetadata(issuer, opts) {
+    let token_endpoint;
+    let credential_endpoint;
+    let deferred_credential_endpoint;
+    let authorization_endpoint;
+    let authorization_challenge_endpoint;
+    let authorizationServerType = "OID4VCI";
+    let authorization_servers = [
+      issuer
+    ];
+    let authorization_server = void 0;
+    const oid4vciResponse = await _MetadataClient.retrieveOpenID4VCIServerMetadata(issuer, {
+      errorOnNotFound: false
     });
-    if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(AuthzFlowType2.AUTHORIZATION_CODE_FLOW)) {
-      request.grant_type = GrantTypes2.AUTHORIZATION_CODE;
-      request.code = code;
-      request.redirect_uri = redirectUri;
-      if (codeVerifier) {
-        request.code_verifier = codeVerifier;
+    let credentialIssuerMetadata = oid4vciResponse?.successBody;
+    if (credentialIssuerMetadata) {
+      logger3.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
+${JSON.stringify(credentialIssuerMetadata)}`);
+      credential_endpoint = credentialIssuerMetadata.credential_endpoint;
+      deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint ? credentialIssuerMetadata.deferred_credential_endpoint : void 0;
+      if (credentialIssuerMetadata.token_endpoint) {
+        token_endpoint = credentialIssuerMetadata.token_endpoint;
       }
-      return request;
-    }
-    if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType2.PRE_AUTHORIZED_CODE_FLOW)) {
-      this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
-      request.user_pin = pin;
-      request.grant_type = GrantTypes2.PRE_AUTHORIZED_CODE;
-      request[PRE_AUTH_CODE_LITERAL3] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL3]?.[PRE_AUTH_CODE_LITERAL3];
-      return request;
-    }
-    throw new Error("Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.");
-  }
-  assertPreAuthorizedGrantType(grantType) {
-    if (GrantTypes2.PRE_AUTHORIZED_CODE !== grantType) {
-      throw new Error("grant type must be PRE_AUTH_GRANT_LITERAL");
-    }
-  }
-  assertAuthorizationGrantType(grantType) {
-    if (GrantTypes2.AUTHORIZATION_CODE !== grantType) {
-      throw new Error("grant type must be 'authorization_code'");
-    }
-  }
-  isPinRequiredValue(requestPayload) {
-    let isPinRequired = false;
-    if (!requestPayload) {
-      throw new Error(TokenErrorResponse2.invalid_request);
+      authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
+      if (credentialIssuerMetadata.authorization_servers) {
+        authorization_servers = credentialIssuerMetadata.authorization_servers;
+      } else if (credentialIssuerMetadata.authorization_server) {
+        authorization_server = credentialIssuerMetadata.authorization_server;
+        authorization_servers = [
+          authorization_server
+        ];
+      }
+    } else {
+      throw new Error(`Issuer ${issuer} does not expose /.well-known/openid-credential-issuer`);
     }
-    const issuer = getIssuerFromCredentialOfferPayload3(requestPayload);
-    if (requestPayload.grants?.[PRE_AUTH_GRANT_LITERAL3]) {
-      isPinRequired = requestPayload.grants[PRE_AUTH_GRANT_LITERAL3]?.user_pin_required ?? false;
+    let response = await retrieveWellknown(authorization_servers[0], WellKnownEndpoints2.OPENID_CONFIGURATION, {
+      errorOnNotFound: false
+    });
+    let authMetadata = response.successBody;
+    if (authMetadata) {
+      logger3.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
+      authorizationServerType = "OIDC";
+    } else {
+      response = await retrieveWellknown(authorization_servers[0], WellKnownEndpoints2.OAUTH_AS, {
+        errorOnNotFound: false
+      });
+      authMetadata = response.successBody;
     }
-    logger3.debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
-    return isPinRequired;
-  }
-  assertNumericPin(isPinRequired, pin) {
-    if (isPinRequired) {
-      if (!pin || !/^\d{1,8}$/.test(pin)) {
-        logger3.debug(`Pin is not 1 to 8 digits long`);
-        throw new Error("A valid pin consisting of maximal 8 numeric characters must be present.");
-      }
-    } else if (pin) {
-      logger3.debug(`Pin set, whilst not required`);
-      throw new Error("Cannot set a pin, when the pin is not required.");
-    }
-  }
-  assertNonEmptyPreAuthorizedCode(accessTokenRequest) {
-    if (!accessTokenRequest[PRE_AUTH_CODE_LITERAL3]) {
-      logger3.debug(`No pre-authorized code present, whilst it is required`);
-      throw new Error("Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.");
-    }
-  }
-  assertNonEmptyCodeVerifier(accessTokenRequest) {
-    if (!accessTokenRequest.code_verifier) {
-      logger3.debug("No code_verifier present, whilst it is required");
-      throw new Error("Authorization flow requires the code_verifier to be present");
-    }
-  }
-  assertNonEmptyCode(accessTokenRequest) {
-    if (!accessTokenRequest.code) {
-      logger3.debug("No code present, whilst it is required");
-      throw new Error("Authorization flow requires the code to be present");
-    }
-  }
-  validate(accessTokenRequest, isPinRequired) {
-    if (accessTokenRequest.grant_type === GrantTypes2.PRE_AUTHORIZED_CODE) {
-      this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
-      this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
-      this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin);
-    } else if (accessTokenRequest.grant_type === GrantTypes2.AUTHORIZATION_CODE) {
-      this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
-      this.assertNonEmptyCodeVerifier(accessTokenRequest);
-      this.assertNonEmptyCode(accessTokenRequest);
-    } else {
-      this.throwNotSupportedFlow();
-    }
-  }
-  async sendAuthCode(requestTokenURL, accessTokenRequest, opts) {
-    return await formPost2(requestTokenURL, convertJsonToURI2(accessTokenRequest, {
-      mode: JsonURIMode2.X_FORM_WWW_URLENCODED
-    }), {
-      customHeaders: opts?.headers ? opts.headers : void 0
-    });
-  }
-  static determineTokenURL({ asOpts, issuerOpts, metadata }) {
-    if (!asOpts && !metadata?.token_endpoint && !issuerOpts) {
-      throw new Error("Cannot determine token URL if no issuer, metadata and no Authorization Server values are present");
-    }
-    let url;
-    if (asOpts && asOpts.as) {
-      url = this.creatTokenURLFromURL(asOpts.as, asOpts?.allowInsecureEndpoints, asOpts.tokenEndpoint);
-    } else if (metadata?.token_endpoint) {
-      url = metadata.token_endpoint;
-    } else {
-      if (!issuerOpts?.issuer) {
-        throw Error("Either authorization server options, a token endpoint or issuer options are required at this point");
-      }
-      url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
-    }
-    if (!url || !ObjectUtils2.isString(url)) {
-      throw new Error("No authorization server token URL present. Cannot acquire access token");
-    }
-    logger3.debug(`Token endpoint determined to be ${url}`);
-    return url;
-  }
-  static creatTokenURLFromURL(url, allowInsecureEndpoints, tokenEndpoint) {
-    if (allowInsecureEndpoints !== true && url.startsWith("http:")) {
-      throw Error(`Unprotected token endpoints are not allowed ${url}. Use the 'allowInsecureEndpoints' param if you really need this for dev/testing!`);
-    }
-    const hostname = url.replace(/https?:\/\//, "").replace(/\/$/, "");
-    const endpoint = tokenEndpoint ? tokenEndpoint.startsWith("/") ? tokenEndpoint : tokenEndpoint.substring(1) : "/token";
-    const scheme = url.split("://")[0];
-    return `${scheme ? scheme + "://" : "https://"}${hostname}${endpoint}`;
-  }
-  throwNotSupportedFlow() {
-    logger3.debug(`Only pre-authorized or authorization code flows supported.`);
-    throw new Error("Only pre-authorized-code or authorization code flows are supported");
-  }
-};
-
-// lib/AuthorizationCodeClient.ts
-import { CodeChallengeMethod as CodeChallengeMethod2, convertJsonToURI as convertJsonToURI3, CreateRequestObjectMode, determineSpecVersionFromOffer as determineSpecVersionFromOffer2, formPost as formPost3, isW3cCredentialSupported, JsonURIMode as JsonURIMode3, OpenId4VCIVersion as OpenId4VCIVersion5, PARMode, ResponseType } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers6 } from "@sphereon/ssi-types";
-
-// lib/MetadataClient.ts
-import { determineSpecVersionFromOffer, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload5, OpenId4VCIVersion as OpenId4VCIVersion4, WellKnownEndpoints as WellKnownEndpoints3 } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers5 } from "@sphereon/ssi-types";
-
-// lib/MetadataClientV1_0_11.ts
-import { getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload4, WellKnownEndpoints as WellKnownEndpoints2 } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers4 } from "@sphereon/ssi-types";
-var logger4 = Loggers4.DEFAULT.get("sphereon:oid4vci:metadata");
-var MetadataClientV1_0_11 = class _MetadataClientV1_0_11 {
-  static {
-    __name(this, "MetadataClientV1_0_11");
-  }
-  /**
-  * Retrieve metadata using the Initiation obtained from a previous step
-  *
-  * @param credentialOffer
-  */
-  static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
-    return _MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
-  }
-  /**
-  * Retrieve the metada using the initiation request obtained from a previous step
-  * @param request
-  */
-  static async retrieveAllMetadataFromCredentialOfferRequest(request) {
-    const issuer = getIssuerFromCredentialOfferPayload4(request);
-    if (issuer) {
-      return _MetadataClientV1_0_11.retrieveAllMetadata(issuer);
-    }
-    throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
-  }
-  /**
-  * Retrieve all metadata from an issuer
-  * @param issuer The issuer URL
-  * @param opts
-  */
-  static async retrieveAllMetadata(issuer, opts) {
-    let token_endpoint;
-    let credential_endpoint;
-    let deferred_credential_endpoint;
-    let authorization_endpoint;
-    let authorization_challenge_endpoint;
-    let authorizationServerType = "OID4VCI";
-    let authorization_server = issuer;
-    const oid4vciResponse = await _MetadataClientV1_0_11.retrieveOpenID4VCIServerMetadata(issuer, {
-      errorOnNotFound: false
-    });
-    let credentialIssuerMetadata = oid4vciResponse?.successBody;
-    if (credentialIssuerMetadata) {
-      logger4.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
-${JSON.stringify(credentialIssuerMetadata)}`);
-      credential_endpoint = credentialIssuerMetadata.credential_endpoint;
-      deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
-      if (credentialIssuerMetadata.token_endpoint) {
-        token_endpoint = credentialIssuerMetadata.token_endpoint;
-      }
-      authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
-      if (credentialIssuerMetadata.authorization_server) {
-        authorization_server = credentialIssuerMetadata.authorization_server;
-      }
-      if (credentialIssuerMetadata.authorization_endpoint) {
-        authorization_endpoint = credentialIssuerMetadata.authorization_endpoint;
-      }
-    }
-    let response = await retrieveWellknown(authorization_server, WellKnownEndpoints2.OPENID_CONFIGURATION, {
-      errorOnNotFound: false
-    });
-    let authMetadata = response.successBody;
-    if (authMetadata) {
-      logger4.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
-      authorizationServerType = "OIDC";
-    } else {
-      response = await retrieveWellknown(authorization_server, WellKnownEndpoints2.OAUTH_AS, {
-        errorOnNotFound: false
-      });
-      authMetadata = response.successBody;
-    }
-    if (!authMetadata) {
-      if (issuer !== authorization_server) {
-        throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_server}, but that server did not provide metadata`);
+    if (!authMetadata) {
+      if (!authorization_servers.includes(issuer)) {
+        throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
       }
     } else {
       if (!authorizationServerType) {
         authorizationServerType = "OAuth 2.0";
       }
-      logger4.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
+      logger3.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
       if (!authMetadata.authorization_endpoint) {
         console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
       } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
@@ -1106,31 +903,31 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
       }
       authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
       if (!authMetadata.token_endpoint) {
-        throw Error(`Authorization Server ${authorization_server} did not provide a token_endpoint`);
+        throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
       } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
         throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
       }
       token_endpoint = authMetadata.token_endpoint;
       if (authMetadata.credential_endpoint) {
         if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
-          logger4.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
+          logger3.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
         } else {
           credential_endpoint = authMetadata.credential_endpoint;
         }
       }
       if (authMetadata.deferred_credential_endpoint) {
         if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
-          logger4.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
+          logger3.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
         } else {
           deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
         }
       }
     }
     if (!authorization_endpoint) {
-      logger4.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
+      logger3.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
     }
     if (!token_endpoint) {
-      logger4.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
+      logger3.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
       if (opts?.errorOnNotFound) {
         throw Error(`Could not deduce the token_endpoint for ${issuer}`);
       } else {
@@ -1138,7 +935,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
       }
     }
     if (!credential_endpoint) {
-      logger4.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
+      logger3.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
       if (opts?.errorOnNotFound) {
         throw Error(`Could not deduce the credential endpoint for ${issuer}`);
       } else {
@@ -1146,15 +943,20 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
       }
     }
     if (!credentialIssuerMetadata && authMetadata) {
-      credentialIssuerMetadata = authMetadata;
+      return Promise.reject(Error(`No /.well-known/openid-credential-issuer at ${issuer}.`));
     }
-    logger4.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
+    logger3.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
     return {
       issuer,
       token_endpoint,
       credential_endpoint,
       deferred_credential_endpoint,
-      authorization_server,
+      nonce_endpoint: credentialIssuerMetadata.nonce_endpoint,
+      authorization_servers: authorization_server ? [
+        authorization_server
+      ] : authorization_servers ?? [
+        issuer
+      ],
       authorization_endpoint,
       authorization_challenge_endpoint,
       authorizationServerType,
@@ -1166,6 +968,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
   * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
   *
   * @param issuerHost The issuer hostname
+  * @param opts
   */
   static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
     return retrieveWellknown(issuerHost, WellKnownEndpoints2.OPENID4VCI_ISSUER, {
@@ -1174,228 +977,51 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
   }
 };
 
-// lib/MetadataClient.ts
-var logger5 = Loggers5.DEFAULT.get("sphereon:oid4vci:metadata");
-var MetadataClient = class _MetadataClient {
-  static {
-    __name(this, "MetadataClient");
-  }
-  /**
-  * Retrieve metadata using the Initiation obtained from a previous step
-  *
-  * @param credentialOffer
-  */
-  static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
-    if (determineSpecVersionFromOffer(credentialOffer.credential_offer) >= OpenId4VCIVersion4.VER_1_0_13) {
-      return await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(credentialOffer);
-    } else {
-      return await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(credentialOffer);
+// lib/AuthorizationCodeClient.ts
+var logger4 = Loggers4.DEFAULT.get("sphereon:oid4vci");
+async function createSignedAuthRequestWhenNeeded(requestObject, opts) {
+  if (opts.requestObjectMode === CreateRequestObjectMode.REQUEST_URI) {
+    throw Error(`Request Object Mode ${opts.requestObjectMode} is not supported yet`);
+  } else if (opts.requestObjectMode === CreateRequestObjectMode.REQUEST_OBJECT) {
+    if (typeof opts.signCallbacks?.signCallback !== "function") {
+      throw Error(`No request object sign callback found, whilst request object mode was set to ${opts.requestObjectMode}`);
+    } else if (!opts.kid) {
+      throw Error(`No kid found, whilst request object mode was set to ${opts.requestObjectMode}`);
     }
-  }
-  /**
-  * Retrieve the metada using the initiation request obtained from a previous step
-  * @param request
-  */
-  static async retrieveAllMetadataFromCredentialOfferRequest(request) {
-    const issuer = getIssuerFromCredentialOfferPayload5(request);
-    if (issuer) {
-      if (determineSpecVersionFromOffer(request) >= OpenId4VCIVersion4.VER_1_0_13) {
-        return MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(request);
-      } else {
-        return MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(request);
+    let client_metadata;
+    if (opts.clientMetadata || opts.jwksUri) {
+      client_metadata = opts.clientMetadata ?? {};
+      if (opts.jwksUri) {
+        client_metadata["jwks_uri"] = opts.jwksUri;
       }
     }
-    throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
-  }
-  /**
-  * Retrieve all metadata from an issuer
-  * @param issuer The issuer URL
-  * @param opts
-  */
-  static async retrieveAllMetadata(issuer, opts) {
-    let token_endpoint;
-    let credential_endpoint;
-    let deferred_credential_endpoint;
-    let authorization_endpoint;
-    let authorization_challenge_endpoint;
-    let authorizationServerType = "OID4VCI";
-    let authorization_servers = [
-      issuer
-    ];
-    let authorization_server = void 0;
-    const oid4vciResponse = await _MetadataClient.retrieveOpenID4VCIServerMetadata(issuer, {
-      errorOnNotFound: false
-    });
-    let credentialIssuerMetadata = oid4vciResponse?.successBody;
-    if (credentialIssuerMetadata) {
-      logger5.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
-${JSON.stringify(credentialIssuerMetadata)}`);
-      credential_endpoint = credentialIssuerMetadata.credential_endpoint;
-      deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint ? credentialIssuerMetadata.deferred_credential_endpoint : void 0;
-      if (credentialIssuerMetadata.token_endpoint) {
-        token_endpoint = credentialIssuerMetadata.token_endpoint;
-      }
-      authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
-      if (credentialIssuerMetadata.authorization_servers) {
-        authorization_servers = credentialIssuerMetadata.authorization_servers;
-      } else if (credentialIssuerMetadata.authorization_server) {
-        authorization_server = credentialIssuerMetadata.authorization_server;
-        authorization_servers = [
-          authorization_server
-        ];
-      }
+    let authorization_details = requestObject["authorization_details"];
+    if (typeof authorization_details === "string") {
+      authorization_details = JSON.parse(requestObject.authorization_details);
     }
-    let response = await retrieveWellknown(authorization_servers[0], WellKnownEndpoints3.OPENID_CONFIGURATION, {
-      errorOnNotFound: false
-    });
-    let authMetadata = response.successBody;
-    if (authMetadata) {
-      logger5.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
-      authorizationServerType = "OIDC";
-    } else {
-      response = await retrieveWellknown(authorization_servers[0], WellKnownEndpoints3.OAUTH_AS, {
-        errorOnNotFound: false
-      });
-      authMetadata = response.successBody;
+    if (!requestObject.aud && opts.aud) {
+      requestObject.aud = opts.aud;
     }
-    if (!authMetadata) {
-      if (!authorization_servers.includes(issuer)) {
-        throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
-      }
-    } else {
-      if (!authorizationServerType) {
-        authorizationServerType = "OAuth 2.0";
-      }
-      logger5.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
-      if (!authMetadata.authorization_endpoint) {
-        console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
-      } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
-        throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
-      }
-      authorization_endpoint = authMetadata.authorization_endpoint;
-      if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
-        throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
-      }
-      authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
-      if (!authMetadata.token_endpoint) {
-        throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
-      } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
-        throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
-      }
-      token_endpoint = authMetadata.token_endpoint;
-      if (authMetadata.credential_endpoint) {
-        if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
-          logger5.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
-        } else {
-          credential_endpoint = authMetadata.credential_endpoint;
-        }
-      }
-      if (authMetadata.deferred_credential_endpoint) {
-        if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
-          logger5.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
-        } else {
-          deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
-        }
-      }
-    }
-    if (!authorization_endpoint) {
-      logger5.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
-    }
-    if (!token_endpoint) {
-      logger5.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
-      if (opts?.errorOnNotFound) {
-        throw Error(`Could not deduce the token_endpoint for ${issuer}`);
-      } else {
-        token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
-      }
-    }
-    if (!credential_endpoint) {
-      logger5.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
-      if (opts?.errorOnNotFound) {
-        throw Error(`Could not deduce the credential endpoint for ${issuer}`);
-      } else {
-        credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
-      }
-    }
-    if (!credentialIssuerMetadata && authMetadata) {
-      credentialIssuerMetadata = authorization_server ? authMetadata : authMetadata;
-    }
-    logger5.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
-    return {
-      issuer,
-      token_endpoint,
-      credential_endpoint,
-      deferred_credential_endpoint,
-      ...authorization_server ? {
-        authorization_server
-      } : {
-        authorization_servers
-      },
-      authorization_endpoint,
-      authorization_challenge_endpoint,
-      authorizationServerType,
-      credentialIssuerMetadata: authorization_server ? credentialIssuerMetadata : credentialIssuerMetadata,
-      authorizationServerMetadata: authMetadata
-    };
-  }
-  /**
-  * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
-  *
-  * @param issuerHost The issuer hostname
-  * @param opts
-  */
-  static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
-    return retrieveWellknown(issuerHost, WellKnownEndpoints3.OPENID4VCI_ISSUER, {
-      errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
-    });
-  }
-};
-
-// lib/AuthorizationCodeClient.ts
-var logger6 = Loggers6.DEFAULT.get("sphereon:oid4vci");
-async function createSignedAuthRequestWhenNeeded(requestObject, opts) {
-  if (opts.requestObjectMode === CreateRequestObjectMode.REQUEST_URI) {
-    throw Error(`Request Object Mode ${opts.requestObjectMode} is not supported yet`);
-  } else if (opts.requestObjectMode === CreateRequestObjectMode.REQUEST_OBJECT) {
-    if (typeof opts.signCallbacks?.signCallback !== "function") {
-      throw Error(`No request object sign callback found, whilst request object mode was set to ${opts.requestObjectMode}`);
-    } else if (!opts.kid) {
-      throw Error(`No kid found, whilst request object mode was set to ${opts.requestObjectMode}`);
-    }
-    let client_metadata;
-    if (opts.clientMetadata || opts.jwksUri) {
-      client_metadata = opts.clientMetadata ?? {};
-      if (opts.jwksUri) {
-        client_metadata["jwks_uri"] = opts.jwksUri;
-      }
-    }
-    let authorization_details = requestObject["authorization_details"];
-    if (typeof authorization_details === "string") {
-      authorization_details = JSON.parse(requestObject.authorization_details);
-    }
-    if (!requestObject.aud && opts.aud) {
-      requestObject.aud = opts.aud;
-    }
-    const iss = requestObject.iss ?? opts.iss ?? requestObject.client_id;
-    const jwt = {
-      header: {
-        alg: "ES256",
-        kid: opts.kid,
-        typ: "JWT"
-      },
-      payload: {
-        ...requestObject,
-        iss,
-        authorization_details,
-        ...client_metadata && {
-          client_metadata
-        }
+    const iss = requestObject.iss ?? opts.iss ?? requestObject.client_id;
+    const jwt = {
+      header: {
+        alg: "ES256",
+        kid: opts.kid,
+        typ: "JWT"
+      },
+      payload: {
+        ...requestObject,
+        iss,
+        authorization_details,
+        ...client_metadata && {
+          client_metadata
+        }
       }
     };
     const pop = await ProofOfPossessionBuilder.fromJwt({
       jwt,
       callbacks: opts.signCallbacks,
-      version: OpenId4VCIVersion5.VER_1_0_11,
+      version: OpenId4VCIVersion3.VER_1_0_15,
       mode: "JWT"
     }).build();
     requestObject["request"] = pop.jwt;
@@ -1446,8 +1072,8 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
     if ("credentials" in credentialOffer.credential_offer) {
       throw new Error("CredentialOffer format is wrong.");
     }
-    const ver = version ?? determineSpecVersionFromOffer2(credentialOffer.credential_offer) ?? OpenId4VCIVersion5.VER_1_0_13;
-    const creds = ver === OpenId4VCIVersion5.VER_1_0_13 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
+    const ver = version ?? determineSpecVersionFromOffer2(credentialOffer.credential_offer) ?? OpenId4VCIVersion3.VER_1_0_15;
+    const creds = ver === OpenId4VCIVersion3.VER_1_0_15 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
     authorizationDetails = creds.flatMap((cred) => {
       const locations = [
         credentialOffer?.credential_offer.credential_issuer ?? endpointMetadata.issuer
@@ -1457,10 +1083,10 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
       if (!credential_configuration_id && !cred.format) {
         throw Error("format is required in authorization details");
       }
-      const vct = cred.format === "vc+sd-jwt" ? cred.vct : void 0;
+      const vct = cred.format === "dc+sd-jwt" ? cred.vct : void 0;
       const doctype = cred.format === "mso_mdoc" ? cred.doctype : void 0;
       let credential_definition = void 0;
-      if (isW3cCredentialSupported(cred)) {
+      if (isW3cCredentialSupported(cred) && hasCredentialDefinition(cred)) {
         credential_definition = {
           ...cred.credential_definition,
           // type: OPTIONAL. Array as defined in Appendix A.1.1.2. This claim contains the type values the Wallet requests authorization for at the Credential Issuer. It MUST be present if the claim format is present in the root of the authorization details object. It MUST not be present otherwise.
@@ -1495,7 +1121,8 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
       throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
     }
   }
-  if (!endpointMetadata?.authorization_endpoint) {
+  const authorizationEndpoint = endpointMetadata.authorization_endpoint ?? endpointMetadata.authorizationServerMetadata?.authorization_endpoint ?? endpointMetadata.credentialIssuerMetadata?.authorization_endpoint;
+  if (!authorizationEndpoint) {
     throw Error("Server metadata does not contain authorization endpoint");
   }
   const parEndpoint = authorizationMetadata?.pushed_authorization_request_endpoint;
@@ -1523,9 +1150,9 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
   if (!parEndpoint && parMode === PARMode.REQUIRE) {
     throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
   } else if (parEndpoint && parMode !== PARMode.NEVER) {
-    logger6.debug(`USING PAR with endpoint ${parEndpoint}`);
-    const parResponse = await formPost3(parEndpoint, convertJsonToURI3(queryObj, {
-      mode: JsonURIMode3.X_FORM_WWW_URLENCODED,
+    logger4.debug(`USING PAR with endpoint ${parEndpoint}`);
+    const parResponse = await formPost2(parEndpoint, convertJsonToURI2(queryObj, {
+      mode: JsonURIMode2.X_FORM_WWW_URLENCODED,
       uriTypeProperties: [
         "client_id",
         "request_uri",
@@ -1543,9 +1170,9 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
       if (parMode === PARMode.REQUIRE) {
         throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
       }
-      logger6.debug("Falling back to regular request URI, since PAR failed", JSON.stringify(parResponse.errorBody));
+      logger4.debug("Falling back to regular request URI, since PAR failed", JSON.stringify(parResponse.errorBody));
     } else {
-      logger6.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
+      logger4.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
       queryObj = {
         client_id,
         request_uri: parResponse.successBody.request_uri
@@ -1554,11 +1181,11 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
   }
   await createSignedAuthRequestWhenNeeded(queryObj, {
     ...requestObjectOpts,
-    aud: endpointMetadata.authorization_server
+    aud: endpointMetadata.authorization_server ?? endpointMetadata.authorizationServerMetadata?.issuer
   });
-  logger6.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
-  const url = convertJsonToURI3(queryObj, {
-    baseUrl: endpointMetadata.authorization_endpoint,
+  logger4.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
+  const url = convertJsonToURI2(queryObj, {
+    baseUrl: authorizationEndpoint,
     uriTypeProperties: [
       "client_id",
       "request_uri",
@@ -1569,11 +1196,12 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
       "state"
     ],
     // arrayTypeProperties: ['authorization_details'],
-    mode: JsonURIMode3.X_FORM_WWW_URLENCODED
+    mode: JsonURIMode2.X_FORM_WWW_URLENCODED
   });
-  logger6.debug(`Authorization Request URL: ${url}`);
+  logger4.debug(`Authorization Request URL: ${url}`);
   return url;
 }, "createAuthorizationRequestUrl");
+var hasCredentialDefinition = /* @__PURE__ */ __name((cred) => "credential_definition" in cred && cred.credential_definition && typeof cred.credential_definition === "object" && cred.credential_definition !== null && "type" in cred.credential_definition && Array.isArray(cred.credential_definition.type), "hasCredentialDefinition");
 var handleAuthorizationDetails = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
   if (authorizationDetails) {
     if (typeof authorizationDetails === "string") {
@@ -1595,7 +1223,10 @@ var handleLocations = /* @__PURE__ */ __name((endpointMetadata, authorizationDet
   if (typeof authorizationDetails === "string") {
     return authorizationDetails;
   }
-  if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {
+  const ciMeta = endpointMetadata.credentialIssuerMetadata;
+  const hasAuthorizationServers = Array.isArray(ciMeta?.authorization_servers) && ciMeta.authorization_servers.length > 0;
+  const legacyHasAuthzEndpoint = Boolean(endpointMetadata.authorization_endpoint);
+  if (hasAuthorizationServers || legacyHasAuthzEndpoint) {
     if (authorizationDetails.locations) {
       if (Array.isArray(authorizationDetails.locations)) {
         authorizationDetails.locations.push(endpointMetadata.issuer);
@@ -1654,169 +1285,18 @@ var createAuthorizationChallengeRequest = /* @__PURE__ */ __name(async (opts) =>
   return request;
 }, "createAuthorizationChallengeRequest");
 var sendAuthorizationChallengeRequest = /* @__PURE__ */ __name(async (authorizationChallengeCodeUrl, authorizationChallengeRequest, opts) => {
-  return await formPost3(authorizationChallengeCodeUrl, convertJsonToURI3(authorizationChallengeRequest, {
-    mode: JsonURIMode3.X_FORM_WWW_URLENCODED
+  return await formPost2(authorizationChallengeCodeUrl, convertJsonToURI2(authorizationChallengeRequest, {
+    mode: JsonURIMode2.X_FORM_WWW_URLENCODED
   }), {
     customHeaders: opts?.headers ? opts.headers : void 0
   });
 }, "sendAuthorizationChallengeRequest");
 
-// lib/AuthorizationCodeClientV1_0_11.ts
-import { CodeChallengeMethod as CodeChallengeMethod3, convertJsonToURI as convertJsonToURI4, CreateRequestObjectMode as CreateRequestObjectMode2, formPost as formPost4, JsonURIMode as JsonURIMode4, PARMode as PARMode2, ResponseType as ResponseType2 } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers7 } from "@sphereon/ssi-types";
-var logger7 = Loggers7.DEFAULT.get("sphereon:oid4vci");
-var createAuthorizationRequestUrlV1_0_11 = /* @__PURE__ */ __name(async ({ pkce, endpointMetadata, authorizationRequest, credentialOffer, credentialsSupported }) => {
-  const { redirectUri, clientId, requestObjectOpts = {
-    requestObjectMode: CreateRequestObjectMode2.NONE
-  } } = authorizationRequest;
-  let { scope, authorizationDetails } = authorizationRequest;
-  const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests ? PARMode2.REQUIRE : authorizationRequest.parMode ?? PARMode2.AUTO;
-  if (!scope && !authorizationDetails) {
-    if (!credentialOffer) {
-      throw Error("Please provide a scope or authorization_details if no credential offer is present");
-    }
-    const creds = credentialOffer.credential_offer.credentials;
-    authorizationDetails = creds.flatMap((cred) => typeof cred === "string" ? credentialsSupported : cred).filter((cred) => !!cred).map((cred) => {
-      return {
-        ...cred,
-        type: "openid_credential",
-        locations: [
-          endpointMetadata.issuer
-        ],
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore
-        format: cred.format
-      };
-    });
-    if (!authorizationDetails || Array.isArray(authorizationDetails) && authorizationDetails.length === 0) {
-      throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
-    }
-  }
-  if (!endpointMetadata?.authorization_endpoint) {
-    throw Error("Server metadata does not contain authorization endpoint");
-  }
-  const parEndpoint = endpointMetadata.credentialIssuerMetadata?.pushed_authorization_request_endpoint;
-  if (!scope?.includes("openid")) {
-    scope = [
-      "openid",
-      scope
-    ].filter((s) => !!s).join(" ");
-  }
-  let queryObj = {
-    response_type: ResponseType2.AUTH_CODE,
-    ...!pkce.disabled && {
-      code_challenge_method: pkce.codeChallengeMethod ?? CodeChallengeMethod3.S256,
-      code_challenge: pkce.codeChallenge
-    },
-    authorization_details: JSON.stringify(handleAuthorizationDetailsV1_0_11(endpointMetadata, authorizationDetails)),
-    ...redirectUri && {
-      redirect_uri: redirectUri
-    },
-    ...clientId && {
-      client_id: clientId
-    },
-    ...credentialOffer?.issuerState && {
-      issuer_state: credentialOffer.issuerState
-    },
-    scope
-  };
-  if (!parEndpoint && parMode === PARMode2.REQUIRE) {
-    throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
-  } else if (parEndpoint && parMode !== PARMode2.NEVER) {
-    logger7.debug(`USING PAR with endpoint ${parEndpoint}`);
-    const parResponse = await formPost4(parEndpoint, convertJsonToURI4(queryObj, {
-      mode: JsonURIMode4.X_FORM_WWW_URLENCODED,
-      uriTypeProperties: [
-        "client_id",
-        "request_uri",
-        "redirect_uri",
-        "scope",
-        "authorization_details",
-        "issuer_state"
-      ]
-    }), {
-      contentType: "application/x-www-form-urlencoded",
-      accept: "application/json"
-    });
-    if (parResponse.errorBody || !parResponse.successBody) {
-      console.log(JSON.stringify(parResponse.errorBody));
-      console.log("Falling back to regular request URI, since PAR failed");
-      if (parMode === PARMode2.REQUIRE) {
-        throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
-      }
-    } else {
-      logger7.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
-      queryObj = {
-        request_uri: parResponse.successBody.request_uri
-      };
-    }
-  }
-  await createSignedAuthRequestWhenNeeded(queryObj, {
-    ...requestObjectOpts,
-    aud: endpointMetadata.authorization_server
-  });
-  logger7.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
-  const url = convertJsonToURI4(queryObj, {
-    baseUrl: endpointMetadata.authorization_endpoint,
-    uriTypeProperties: [
-      "client_id",
-      "request_uri",
-      "redirect_uri",
-      "scope",
-      "authorization_details",
-      "issuer_state"
-    ],
-    // arrayTypeProperties: ['authorization_details'],
-    mode: JsonURIMode4.X_FORM_WWW_URLENCODED
-  });
-  logger7.debug(`Authorization Request URL: ${url}`);
-  return url;
-}, "createAuthorizationRequestUrlV1_0_11");
-var handleAuthorizationDetailsV1_0_11 = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
-  if (authorizationDetails) {
-    if (typeof authorizationDetails === "string") {
-      return authorizationDetails;
-    }
-    if (Array.isArray(authorizationDetails)) {
-      return authorizationDetails.filter((value) => typeof value !== "string").map((value) => handleLocations2(endpointMetadata, typeof value === "string" ? value : {
-        ...value
-      }));
-    } else {
-      return handleLocations2(endpointMetadata, {
-        ...authorizationDetails
-      });
-    }
-  }
-  return authorizationDetails;
-}, "handleAuthorizationDetailsV1_0_11");
-var handleLocations2 = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
-  if (typeof authorizationDetails === "string") {
-    return authorizationDetails;
-  }
-  if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {
-    if (authorizationDetails.locations) {
-      if (Array.isArray(authorizationDetails.locations)) {
-        authorizationDetails.locations.push(endpointMetadata.issuer);
-      } else {
-        authorizationDetails.locations = [
-          authorizationDetails.locations,
-          endpointMetadata.issuer
-        ];
-      }
-    } else {
-      authorizationDetails.locations = [
-        endpointMetadata.issuer
-      ];
-    }
-  }
-  return authorizationDetails;
-}, "handleLocations");
-
 // lib/CredentialRequestClient.ts
-import { createDPoP as createDPoP3, getCreateDPoPOptions as getCreateDPoPOptions3 } from "@sphereon/oid4vc-common";
-import { acquireDeferredCredential, getCredentialRequestForVersion, getUniformFormat, isDeferredCredentialResponse, isValidURL, OpenId4VCIVersion as OpenId4VCIVersion6, post as post2, URL_NOT_VALID } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers8 } from "@sphereon/ssi-types";
-var logger8 = Loggers8.DEFAULT.get("sphereon:oid4vci:credential");
+import { createDPoP as createDPoP2, getCreateDPoPOptions as getCreateDPoPOptions2 } from "@sphereon/oid4vc-common";
+import { acquireDeferredCredential, isDeferredCredentialResponse, isValidURL, OpenId4VCIVersion as OpenId4VCIVersion4, post as post2, supportedOID4VCICredentialFormat, URL_NOT_VALID } from "@sphereon/oid4vci-common";
+import { Loggers as Loggers5 } from "@sphereon/ssi-types";
+var logger5 = Loggers5.DEFAULT.get("sphereon:oid4vci:credential");
 async function buildProof(proofInput, opts) {
   if ("proof_type" in proofInput) {
     if (opts.cNonce) {
@@ -1830,6 +1310,27 @@ async function buildProof(proofInput, opts) {
   return await proofInput.build();
 }
 __name(buildProof, "buildProof");
+function isOpenIdCredentialDetail(ad) {
+  return typeof ad === "object" && ad !== null && ad.type === "openid_credential";
+}
+__name(isOpenIdCredentialDetail, "isOpenIdCredentialDetail");
+function findAuthorizationDetail(authorizationDetails, preferredConfigId) {
+  if (!authorizationDetails) {
+    return void 0;
+  }
+  const openIdCredentialDetails = authorizationDetails.filter(isOpenIdCredentialDetail);
+  if (openIdCredentialDetails.length === 0) {
+    return void 0;
+  }
+  if (preferredConfigId) {
+    const match = openIdCredentialDetails.find((detail) => typeof detail === "object" && detail !== null && detail.credential_configuration_id === preferredConfigId);
+    if (match) {
+      return match;
+    }
+  }
+  return openIdCredentialDetails[0];
+}
+__name(findAuthorizationDetail, "findAuthorizationDetail");
 var CredentialRequestClient = class {
   static {
     __name(this, "CredentialRequestClient");
@@ -1869,7 +1370,10 @@ var CredentialRequestClient = class {
       credentialIdentifier,
       subjectIssuance
     });
-    return await this.acquireCredentialsUsingRequestWithoutProof(request, opts.createDPoPOpts);
+    if (!supportedOID4VCICredentialFormat.includes(format)) {
+      return Promise.reject(Error(`Unsupported credential format: ${format}`));
+    }
+    return await this.acquireCredentialsUsingRequestWithoutProof(request, format, opts.createDPoPOpts);
   }
   async acquireCredentialsUsingProof(opts) {
     const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts;
@@ -1882,32 +1386,28 @@ var CredentialRequestClient = class {
       credentialIdentifier,
       subjectIssuance
     });
-    return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
+    return await this.acquireCredentialsUsingRequest(request, format, opts.createDPoPOpts);
   }
-  async acquireCredentialsUsingRequestWithoutProof(uniformRequest, createDPoPOpts) {
-    return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
+  async acquireCredentialsUsingRequestWithoutProof(uniformRequest, format, createDPoPOpts) {
+    return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
   }
-  async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
-    return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
+  async acquireCredentialsUsingRequest(uniformRequest, format, createDPoPOpts) {
+    return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
   }
-  async acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts) {
-    if (this.version() < OpenId4VCIVersion6.VER_1_0_13) {
-      throw new Error("Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.");
-    }
-    const request = getCredentialRequestForVersion(uniformRequest, this.version());
+  async acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts) {
     const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
     if (!isValidURL(credentialEndpoint)) {
-      logger8.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
+      logger5.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
       throw new Error(URL_NOT_VALID);
     }
-    logger8.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
-    logger8.debug(`request
-: ${JSON.stringify(request, null, 2)}`);
+    logger5.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
+    logger5.debug(`request
+: ${JSON.stringify(uniformRequest, null, 2)}`);
     const requestToken = this.credentialRequestOpts.token;
-    let dPoP = createDPoPOpts ? await createDPoP3(getCreateDPoPOptions3(createDPoPOpts, credentialEndpoint, {
+    let dPoP = createDPoPOpts ? await createDPoP2(getCreateDPoPOptions2(createDPoPOpts, credentialEndpoint, {
       accessToken: requestToken
     })) : void 0;
-    let response = await post2(credentialEndpoint, JSON.stringify(request), {
+    let response = await post2(credentialEndpoint, JSON.stringify(uniformRequest), {
       bearerToken: requestToken,
       ...dPoP && {
         customHeaders: {
@@ -1919,10 +1419,10 @@ var CredentialRequestClient = class {
     const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response);
     if (retryWithNonce.ok && createDPoPOpts) {
       createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
-      dPoP = await createDPoP3(getCreateDPoPOptions3(createDPoPOpts, credentialEndpoint, {
+      dPoP = await createDPoP2(getCreateDPoPOptions2(createDPoPOpts, credentialEndpoint, {
         accessToken: requestToken
       }));
-      response = await post2(credentialEndpoint, JSON.stringify(request), {
+      response = await post2(credentialEndpoint, JSON.stringify(uniformRequest), {
         bearerToken: requestToken,
         ...createDPoPOpts && {
           customHeaders: {
@@ -1945,7 +1445,7 @@ var CredentialRequestClient = class {
         throw Error("Subject signing was requested, but issuer did not provide the options in its response");
       }
     }
-    logger8.debug(`Credential endpoint ${credentialEndpoint} response:\r
+    logger5.debug(`Credential endpoint ${credentialEndpoint} response:\r
 ${JSON.stringify(response, null, 2)}`);
     return {
       ...response,
@@ -1982,44 +1482,15 @@ ${JSON.stringify(response, null, 2)}`);
     return await this.createCredentialRequestImpl(opts);
   }
   async createCredentialRequestImpl(opts) {
-    const { proofInput, credentialIdentifier: credential_identifier } = opts;
+    const { proofInput, credentialIdentifier, credentialConfigurationId } = opts;
     let proof = void 0;
     if (proofInput) {
       proof = await buildProof(proofInput, opts);
     }
-    if (credential_identifier) {
-      if (opts.format || opts.credentialTypes || opts.context) {
-        throw Error(`You cannot mix credential_identifier with format, credential types and/or context`);
-      }
-      return {
-        credential_identifier,
-        ...proof && {
-          proof
-        }
-      };
-    }
-    const formatSelection = opts.format ?? this.credentialRequestOpts.format;
-    if (!formatSelection) {
-      throw Error(`Format of credential to be issued is missing`);
-    }
-    const format = getUniformFormat(formatSelection);
-    const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
-    if (!typesSelection) {
-      throw Error(`Credential type(s) need to be provided`);
-    }
-    const types = Array.isArray(typesSelection) ? typesSelection : [
-      typesSelection
-    ];
-    if (types.length === 0) {
-      throw Error(`Credential type(s) need to be provided`);
-    }
-    const issuer_state = this.credentialRequestOpts.issuerState;
-    if (format === "jwt_vc_json" || format === "jwt_vc") {
-      return {
-        credential_definition: {
-          type: types
-        },
-        format,
+    if (this.version() >= OpenId4VCIVersion4.VER_1_0_15) {
+      const authDetail = findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId ?? credentialIdentifier);
+      const issuer_state = this.credentialRequestOpts.issuerState;
+      const commonBody = {
         ...issuer_state && {
           issuer_state
         },
@@ -2028,64 +1499,43 @@ ${JSON.stringify(response, null, 2)}`);
         },
         ...opts.subjectIssuance
       };
-    } else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
-      if (this.version() >= OpenId4VCIVersion6.VER_1_0_12 && !opts.context) {
-        throw Error("No @context value present, but it is required");
+      const authDetailObj = authDetail && typeof authDetail === "object" ? authDetail : null;
+      if (authDetailObj?.credential_identifier) {
+        return {
+          credential_identifier: authDetailObj.credential_identifier,
+          ...commonBody
+        };
       }
-      return {
-        format,
-        ...issuer_state && {
-          issuer_state
-        },
-        ...proof && {
-          proof
-        },
-        ...opts.subjectIssuance,
-        credential_definition: {
-          type: types,
-          "@context": opts.context
-        }
-      };
-    } else if (format === "vc+sd-jwt") {
-      if (types.length > 1) {
-        throw Error(`Only a single credential type is supported for ${format}`);
+      if (authDetailObj?.credential_identifiers && authDetailObj.credential_identifiers.length > 0) {
+        return {
+          credential_identifier: authDetailObj.credential_identifiers[0],
+          ...commonBody
+        };
       }
-      return {
-        format,
-        ...issuer_state && {
-          issuer_state
-        },
-        ...proof && {
-          proof
-        },
-        vct: types[0],
-        ...opts.subjectIssuance
-      };
-    } else if (format === "mso_mdoc") {
-      if (types.length > 1) {
-        throw Error(`Only a single credential type is supported for ${format}`);
+      const configId = credentialConfigurationId ?? authDetailObj?.credential_configuration_id ?? this._credentialRequestOpts.credentialConfigurationId;
+      if (configId) {
+        return {
+          credential_configuration_id: configId,
+          ...commonBody
+        };
       }
-      return {
-        format,
-        ...issuer_state && {
-          issuer_state
-        },
-        ...proof && {
-          proof
-        },
-        doctype: types[0],
-        ...opts.subjectIssuance
-      };
+      if (credentialIdentifier) {
+        return {
+          credential_identifier: credentialIdentifier,
+          ...commonBody
+        };
+      }
+      return Promise.reject(Error("No credential_identifier or credential_configuration_id available for v1.0-15 request"));
     }
-    throw new Error(`Unsupported credential format: ${format}`);
+    throw new Error(`Unsupported version: ${this.version()}`);
   }
   version() {
-    return this.credentialRequestOpts?.version ?? OpenId4VCIVersion6.VER_1_0_13;
+    return this.credentialRequestOpts?.version ?? OpenId4VCIVersion4.VER_1_0_15;
   }
 };
 
 // lib/CredentialOfferClient.ts
-import { convertJsonToURI as convertJsonToURI5, convertURIToJsonObject, determineSpecVersionFromURI, OpenId4VCIVersion as OpenId4VCIVersion7, PRE_AUTH_GRANT_LITERAL as PRE_AUTH_GRANT_LITERAL4, toUniformCredentialOfferRequest as toUniformCredentialOfferRequest3 } from "@sphereon/oid4vci-common";
+import { convertJsonToURI as convertJsonToURI3, convertURIToJsonObject, determineSpecVersionFromURI, OpenId4VCIVersion as OpenId4VCIVersion5, PRE_AUTH_GRANT_LITERAL as PRE_AUTH_GRANT_LITERAL3, toUniformCredentialOfferRequest as toUniformCredentialOfferRequest2 } from "@sphereon/oid4vci-common";
 var CredentialOfferClient = class {
   static {
     __name(this, "CredentialOfferClient");
@@ -2101,132 +1551,15 @@ var CredentialOfferClient = class {
     const version = determineSpecVersionFromURI(uri);
     LOG.log(`Offer URL determined to be of version ${version}`);
     let credentialOffer;
-    let credentialOfferPayload;
-    if (version < OpenId4VCIVersion7.VER_1_0_11) {
-      credentialOfferPayload = convertURIToJsonObject(uri, {
-        arrayTypeProperties: [
-          "credential_type"
-        ],
-        requiredProperties: uri.includes("credential_offer=") ? [
-          "credential_offer"
-        ] : [
-          "issuer",
-          "credential_type"
-        ]
-      });
-      credentialOffer = {
-        credential_offer: credentialOfferPayload
-      };
+    if (uri.includes("credential_offer_uri")) {
+      credentialOffer = await handleCredentialOfferUri(uri);
     } else {
-      if (uri.includes("credential_offer_uri")) {
-        credentialOffer = await handleCredentialOfferUri(uri);
-      } else {
-        credentialOffer = convertURIToJsonObject(uri, {
-          // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
-          arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
-            "credential_offer_uri="
-          ] : [
-            "credential_offer="
-          ],
-          requiredProperties: uri.includes("credential_offer_uri=") ? [
-            "credential_offer_uri="
-          ] : [
-            "credential_offer="
-          ]
-        });
-      }
-      if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
-        throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
-      }
-    }
-    const request = await toUniformCredentialOfferRequest3(credentialOffer, {
-      ...opts,
-      version
-    });
-    return {
-      ...constructBaseResponse(request, scheme, baseUrl),
-      userPinRequired: request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL4]?.user_pin_required ?? !!request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL4]?.tx_code ?? false
-    };
-  }
-  static toURI(requestWithBaseUrl, opts) {
-    LOG.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
-    const version = opts?.version ?? requestWithBaseUrl.version;
-    let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
-    let param;
-    const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
-    if (version.valueOf() >= OpenId4VCIVersion7.VER_1_0_11.valueOf()) {
-      if (!baseUrl.includes("?")) {
-        param = isUri ? "credential_offer_uri" : "credential_offer";
-      } else {
-        const split = baseUrl.split("?");
-        if (split.length > 1 && split[1] !== "") {
-          if (baseUrl.endsWith("&")) {
-            param = isUri ? "credential_offer_uri" : "credential_offer";
-          } else if (!baseUrl.endsWith("=")) {
-            baseUrl += `&`;
-            param = isUri ? "credential_offer_uri" : "credential_offer";
-          }
-        }
-      }
-    }
-    return convertJsonToURI5(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
-      baseUrl,
-      arrayTypeProperties: isUri ? [] : [
-        "credential_type"
-      ],
-      uriTypeProperties: isUri ? [
-        "credential_offer_uri"
-      ] : version >= OpenId4VCIVersion7.VER_1_0_13 ? [
-        "credential_issuer",
-        "credential_type"
-      ] : [
-        "issuer",
-        "credential_type"
-      ],
-      param,
-      version
-    });
-  }
-};
-
-// lib/CredentialOfferClientV1_0_11.ts
-import { convertJsonToURI as convertJsonToURI6, convertURIToJsonObject as convertURIToJsonObject2, determineSpecVersionFromURI as determineSpecVersionFromURI2, getClientIdFromCredentialOfferPayload as getClientIdFromCredentialOfferPayload2, OpenId4VCIVersion as OpenId4VCIVersion8, PRE_AUTH_CODE_LITERAL as PRE_AUTH_CODE_LITERAL4, PRE_AUTH_GRANT_LITERAL as PRE_AUTH_GRANT_LITERAL5, toUniformCredentialOfferRequest as toUniformCredentialOfferRequest4 } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers9 } from "@sphereon/ssi-types";
-var logger9 = Loggers9.DEFAULT.get("sphereon:oid4vci:offer");
-var CredentialOfferClientV1_0_11 = class {
-  static {
-    __name(this, "CredentialOfferClientV1_0_11");
-  }
-  static async fromURI(uri, opts) {
-    logger9.debug(`Credential Offer URI: ${uri}`);
-    if (!uri.includes("?") || !uri.includes("://")) {
-      logger9.debug(`Invalid Credential Offer URI: ${uri}`);
-      throw Error(`Invalid Credential Offer Request`);
-    }
-    const scheme = uri.split("://")[0];
-    const baseUrl = uri.split("?")[0];
-    const version = determineSpecVersionFromURI2(uri);
-    let credentialOffer;
-    let credentialOfferPayload;
-    if (version < OpenId4VCIVersion8.VER_1_0_11) {
-      credentialOfferPayload = convertURIToJsonObject2(uri, {
-        arrayTypeProperties: [
-          "credential_type"
-        ],
-        requiredProperties: uri.includes("credential_offer_uri=") ? [
+      credentialOffer = convertURIToJsonObject(uri, {
+        // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
+        arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
           "credential_offer_uri="
         ] : [
-          "issuer",
-          "credential_type="
-        ]
-      });
-      credentialOffer = {
-        credential_offer: credentialOfferPayload
-      };
-    } else {
-      credentialOffer = convertURIToJsonObject2(uri, {
-        arrayTypeProperties: [
-          "credentials"
+          "credential_offer="
         ],
         requiredProperties: uri.includes("credential_offer_uri=") ? [
           "credential_offer_uri="
@@ -2234,39 +1567,26 @@ var CredentialOfferClientV1_0_11 = class {
           "credential_offer="
         ]
       });
-      if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
-        throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
-      }
     }
-    const request = await toUniformCredentialOfferRequest4(credentialOffer, {
+    if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
+      throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
+    }
+    const request = await toUniformCredentialOfferRequest2(credentialOffer, {
       ...opts,
       version
     });
-    const clientId = getClientIdFromCredentialOfferPayload2(request.credential_offer);
-    const grants = request.credential_offer?.grants;
     return {
-      scheme,
-      baseUrl,
-      ...clientId && {
-        clientId
-      },
-      ...request,
-      ...grants?.authorization_code?.issuer_state && {
-        issuerState: grants.authorization_code.issuer_state
-      },
-      ...grants?.[PRE_AUTH_GRANT_LITERAL5]?.[PRE_AUTH_CODE_LITERAL4] && {
-        preAuthorizedCode: grants[PRE_AUTH_GRANT_LITERAL5][PRE_AUTH_CODE_LITERAL4]
-      },
-      userPinRequired: !!(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL5]?.user_pin_required ?? false)
+      ...constructBaseResponse(request, scheme, baseUrl),
+      userPinRequired: request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL3]?.user_pin_required ?? !!request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL3]?.tx_code ?? false
     };
   }
   static toURI(requestWithBaseUrl, opts) {
-    logger9.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
+    LOG.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
     const version = opts?.version ?? requestWithBaseUrl.version;
     let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
     let param;
     const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
-    if (version.valueOf() >= OpenId4VCIVersion8.VER_1_0_11.valueOf()) {
+    if (version.valueOf() >= OpenId4VCIVersion5.VER_1_0_15.valueOf()) {
       if (!baseUrl.includes("?")) {
         param = isUri ? "credential_offer_uri" : "credential_offer";
       } else {
@@ -2281,14 +1601,14 @@ var CredentialOfferClientV1_0_11 = class {
         }
       }
     }
-    return convertJsonToURI6(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
+    return convertJsonToURI3(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
       baseUrl,
       arrayTypeProperties: isUri ? [] : [
         "credential_type"
       ],
       uriTypeProperties: isUri ? [
         "credential_offer_uri"
-      ] : version >= OpenId4VCIVersion8.VER_1_0_11 ? [
+      ] : version >= OpenId4VCIVersion5.VER_1_0_15 ? [
         "credential_issuer",
         "credential_type"
       ] : [
@@ -2301,28 +1621,28 @@ var CredentialOfferClientV1_0_11 = class {
   }
 };
 
-// lib/CredentialOfferClientV1_0_13.ts
-import { convertJsonToURI as convertJsonToURI7, convertURIToJsonObject as convertURIToJsonObject3, determineSpecVersionFromURI as determineSpecVersionFromURI3, OpenId4VCIVersion as OpenId4VCIVersion9, PRE_AUTH_GRANT_LITERAL as PRE_AUTH_GRANT_LITERAL6, toUniformCredentialOfferRequest as toUniformCredentialOfferRequest5 } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers10 } from "@sphereon/ssi-types";
-var logger10 = Loggers10.DEFAULT.get("sphereon:oid4vci:offer");
-var CredentialOfferClientV1_0_13 = class {
+// lib/CredentialOfferClientV1_0_15.ts
+import { convertJsonToURI as convertJsonToURI4, convertURIToJsonObject as convertURIToJsonObject2, determineSpecVersionFromURI as determineSpecVersionFromURI2, JsonURIMode as JsonURIMode3, PRE_AUTH_GRANT_LITERAL as PRE_AUTH_GRANT_LITERAL4, toUniformCredentialOfferRequest as toUniformCredentialOfferRequest3 } from "@sphereon/oid4vci-common";
+import { Loggers as Loggers6 } from "@sphereon/ssi-types";
+var logger6 = Loggers6.DEFAULT.get("sphereon:oid4vci:offer");
+var CredentialOfferClientV1_0_15 = class {
   static {
-    __name(this, "CredentialOfferClientV1_0_13");
+    __name(this, "CredentialOfferClientV1_0_15");
   }
   static async fromURI(uri, opts) {
-    logger10.debug(`Credential Offer URI: ${uri}`);
+    logger6.debug(`Credential Offer URI: ${uri}`);
     if (!uri.includes("?") || !uri.includes("://")) {
-      logger10.debug(`Invalid Credential Offer URI: ${uri}`);
-      throw Error(`Invalid Credential Offer Request`);
+      logger6.debug(`Invalid Credential Offer URI: ${uri}`);
+      return Promise.reject(Error(`Invalid Credential Offer Request`));
     }
     const scheme = uri.split("://")[0];
     const baseUrl = uri.split("?")[0];
-    const version = determineSpecVersionFromURI3(uri);
+    const version = determineSpecVersionFromURI2(uri);
     let credentialOffer;
     if (uri.includes("credential_offer_uri")) {
       credentialOffer = await handleCredentialOfferUri(uri);
     } else {
-      credentialOffer = convertURIToJsonObject3(uri, {
+      credentialOffer = convertURIToJsonObject2(uri, {
         // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
         arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
           "credential_configuration_ids",
@@ -2339,276 +1659,91 @@ var CredentialOfferClientV1_0_13 = class {
       });
     }
     if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
-      throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
+      return Promise.reject(Error("Either a credential_offer or credential_offer_uri should be present in " + uri));
     }
-    const request = await toUniformCredentialOfferRequest5(credentialOffer, {
+    const request = await toUniformCredentialOfferRequest3(credentialOffer, {
       ...opts,
       version
     });
     return {
       ...constructBaseResponse(request, scheme, baseUrl),
-      userPinRequired: !!(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL6]?.tx_code ?? false)
+      userPinRequired: !!(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL4]?.tx_code ?? false)
     };
   }
   static toURI(requestWithBaseUrl, opts) {
-    logger10.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
+    logger6.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
     const version = opts?.version ?? requestWithBaseUrl.version;
     let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
-    let param;
     const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
-    if (version.valueOf() >= OpenId4VCIVersion9.VER_1_0_11.valueOf()) {
-      if (!baseUrl.includes("?")) {
-        param = isUri ? "credential_offer_uri" : "credential_offer";
-      } else {
-        const split = baseUrl.split("?");
-        if (split.length > 1 && split[1] !== "") {
-          if (baseUrl.endsWith("&")) {
-            param = isUri ? "credential_offer_uri" : "credential_offer";
-          } else if (!baseUrl.endsWith("=")) {
-            baseUrl += `&`;
-            param = isUri ? "credential_offer_uri" : "credential_offer";
-          }
-        }
-      }
-    }
-    return convertJsonToURI7(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
-      baseUrl,
-      arrayTypeProperties: isUri ? [] : [
-        "credential_type"
-      ],
-      uriTypeProperties: isUri ? [
-        "credential_offer_uri"
-      ] : version >= OpenId4VCIVersion9.VER_1_0_13 ? [
-        "credential_issuer",
-        "credential_type"
-      ] : [
-        "issuer",
-        "credential_type"
-      ],
-      param,
-      version
-    });
-  }
-};
-
-// lib/CredentialRequestClientV1_0_11.ts
-import { createDPoP as createDPoP4, getCreateDPoPOptions as getCreateDPoPOptions4 } from "@sphereon/oid4vc-common";
-import { acquireDeferredCredential as acquireDeferredCredential2, getCredentialRequestForVersion as getCredentialRequestForVersion2, getUniformFormat as getUniformFormat2, isDeferredCredentialResponse as isDeferredCredentialResponse2, isValidURL as isValidURL2, OpenId4VCIVersion as OpenId4VCIVersion10, post as post3, URL_NOT_VALID as URL_NOT_VALID2 } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers11 } from "@sphereon/ssi-types";
-var logger11 = Loggers11.DEFAULT.get("sphereon:oid4vci:credential");
-var CredentialRequestClientV1_0_11 = class {
-  static {
-    __name(this, "CredentialRequestClientV1_0_11");
-  }
-  _credentialRequestOpts;
-  _isDeferred = false;
-  get credentialRequestOpts() {
-    return this._credentialRequestOpts;
-  }
-  isDeferred() {
-    return this._isDeferred;
-  }
-  getCredentialEndpoint() {
-    return this.credentialRequestOpts.credentialEndpoint;
-  }
-  getDeferredCredentialEndpoint() {
-    return this.credentialRequestOpts.deferredCredentialEndpoint;
-  }
-  constructor(builder) {
-    this._credentialRequestOpts = {
-      ...builder
-    };
-  }
-  async acquireCredentialsUsingProof(opts) {
-    const { credentialTypes, proofInput, format, context } = opts;
-    const request = await this.createCredentialRequest({
-      proofInput,
-      credentialTypes,
-      context,
-      format,
-      version: this.version()
-    });
-    return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
-  }
-  async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
-    const request = getCredentialRequestForVersion2(uniformRequest, this.version());
-    const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
-    if (!isValidURL2(credentialEndpoint)) {
-      logger11.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
-      throw new Error(URL_NOT_VALID2);
-    }
-    logger11.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
-    logger11.debug(`request
-: ${JSON.stringify(request, null, 2)}`);
-    const requestToken = this.credentialRequestOpts.token;
-    let dPoP = createDPoPOpts ? await createDPoP4(getCreateDPoPOptions4(createDPoPOpts, credentialEndpoint, {
-      accessToken: requestToken
-    })) : void 0;
-    let response = await post3(credentialEndpoint, JSON.stringify(request), {
-      bearerToken: requestToken,
-      customHeaders: {
-        ...createDPoPOpts && {
-          dpop: dPoP
-        }
-      }
-    });
-    let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
-    const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response);
-    if (retryWithNonce.ok && createDPoPOpts) {
-      createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
-      dPoP = await createDPoP4(getCreateDPoPOptions4(createDPoPOpts, credentialEndpoint, {
-        accessToken: requestToken
-      }));
-      response = await post3(credentialEndpoint, JSON.stringify(request), {
-        bearerToken: requestToken,
-        customHeaders: {
-          ...createDPoPOpts && {
-            dpop: dPoP
-          }
-        }
+    if (isUri) {
+      return convertJsonToURI4({
+        credential_offer_uri: requestWithBaseUrl.credential_offer_uri
+      }, {
+        baseUrl,
+        uriTypeProperties: [
+          "credential_offer_uri"
+        ],
+        param: "credential_offer_uri",
+        version
       });
-      const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
-      nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
-    }
-    this._isDeferred = isDeferredCredentialResponse2(response);
-    if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
-      response = await this.acquireDeferredCredential(response.successBody, {
-        bearerToken: this.credentialRequestOpts.token
+    } else {
+      return convertJsonToURI4(requestWithBaseUrl.original_credential_offer, {
+        baseUrl,
+        param: "credential_offer",
+        mode: JsonURIMode3.JSON_STRINGIFY,
+        version
       });
     }
-    response.access_token = requestToken;
-    logger11.debug(`Credential endpoint ${credentialEndpoint} response:\r
-${JSON.stringify(response, null, 2)}`);
-    return {
-      ...response,
-      ...nextDPoPNonce && {
-        params: {
-          dpop: {
-            dpopNonce: nextDPoPNonce
-          }
-        }
-      }
-    };
-  }
-  async acquireDeferredCredential(response, opts) {
-    const transactionId = response.transaction_id;
-    const bearerToken = response.acceptance_token ?? opts?.bearerToken;
-    const deferredCredentialEndpoint = this.getDeferredCredentialEndpoint();
-    if (!deferredCredentialEndpoint) {
-      throw Error(`No deferred credential endpoint supplied.`);
-    } else if (!bearerToken) {
-      throw Error(`No bearer token present and refresh for defered endpoint not supported yet`);
-    }
-    return await acquireDeferredCredential2({
-      bearerToken,
-      transactionId,
-      deferredCredentialEndpoint,
-      deferredCredentialAwait: this.credentialRequestOpts.deferredCredentialAwait,
-      deferredCredentialIntervalInMS: this.credentialRequestOpts.deferredCredentialIntervalInMS
-    });
-  }
-  async createCredentialRequest(opts) {
-    const { proofInput } = opts;
-    const formatSelection = opts.format ?? this.credentialRequestOpts.format;
-    if (!formatSelection) {
-      throw Error(`Format of credential to be issued is missing`);
-    }
-    const format = getUniformFormat2(formatSelection);
-    const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
-    const types = Array.isArray(typesSelection) ? typesSelection : [
-      typesSelection
-    ];
-    if (types.length === 0) {
-      throw Error(`Credential type(s) need to be provided`);
-    } else if (!this.isV11OrHigher() && types.length !== 1) {
-      throw Error("Only a single credential type is supported for V8/V9");
-    }
-    const proof = await buildProof(proofInput, opts);
-    if (format === "jwt_vc_json" || format === "jwt_vc") {
-      return {
-        types,
-        format,
-        proof
-      };
-    } else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
-      if (this.version() >= OpenId4VCIVersion10.VER_1_0_12 && !opts.context) {
-        throw Error("No @context value present, but it is required");
-      }
-      return {
-        format,
-        proof,
-        // Ignored because v11 does not have the context value, but it is required in v12
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore
-        credential_definition: {
-          types,
-          ...opts.context && {
-            "@context": opts.context
-          }
-        }
-      };
-    } else if (format === "vc+sd-jwt") {
-      if (types.length > 1) {
-        throw Error(`Only a single credential type is supported for ${format}`);
-      }
-      return {
-        format,
-        proof,
-        vct: types[0]
-      };
-    } else if (format === "mso_mdoc") {
-      if (types.length > 1) {
-        throw Error(`Only a single credential type is supported for ${format}`);
-      }
-      return {
-        format,
-        proof,
-        doctype: types[0]
-      };
-    }
-    throw new Error(`Unsupported format: ${format}`);
-  }
-  version() {
-    return this.credentialRequestOpts?.version ?? OpenId4VCIVersion10.VER_1_0_11;
-  }
-  isV11OrHigher() {
-    return this.version() >= OpenId4VCIVersion10.VER_1_0_11;
   }
 };
 
 // lib/CredentialRequestClientBuilder.ts
-import { determineSpecVersionFromOffer as determineSpecVersionFromOffer5, OpenId4VCIVersion as OpenId4VCIVersion13 } from "@sphereon/oid4vci-common";
+import { OpenId4VCIVersion as OpenId4VCIVersion7 } from "@sphereon/oid4vci-common";
 
-// lib/CredentialRequestClientBuilderV1_0_11.ts
-import { determineSpecVersionFromOffer as determineSpecVersionFromOffer3, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload6, getTypesFromOfferV1_0_11, OpenId4VCIVersion as OpenId4VCIVersion11 } from "@sphereon/oid4vci-common";
-var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilderV1_0_11 {
+// lib/CredentialRequestClientBuilderV1_0_15.ts
+import { determineSpecVersionFromOffer as determineSpecVersionFromOffer3, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload4, OpenId4VCIVersion as OpenId4VCIVersion6 } from "@sphereon/oid4vci-common";
+var CredentialRequestClientBuilderV1_0_15 = class _CredentialRequestClientBuilderV1_0_15 {
   static {
-    __name(this, "CredentialRequestClientBuilderV1_0_11");
+    __name(this, "CredentialRequestClientBuilderV1_0_15");
   }
   credentialEndpoint;
   deferredCredentialEndpoint;
+  nonceEndpoint;
   deferredCredentialAwait = false;
   deferredCredentialIntervalInMS = 5e3;
+  credentialIdentifier;
+  credentialConfigurationId;
   credentialTypes = [];
-  format;
   token;
   version;
   subjectIssuance;
   issuerState;
-  static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialTypes }) {
+  // Note: format removed from v15 - credential requests no longer include format parameter
+  static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialConfigurationId, credentialTypes }) {
     const issuer = credentialIssuer;
-    const builder = new _CredentialRequestClientBuilderV1_0_11();
-    builder.withVersion(version ?? OpenId4VCIVersion11.VER_1_0_11);
+    const builder = new _CredentialRequestClientBuilderV1_0_15();
+    builder.withVersion(version ?? OpenId4VCIVersion6.VER_1_0_15);
     builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
     if (metadata?.deferred_credential_endpoint) {
       builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
     }
-    builder.withCredentialType(credentialTypes);
+    if (metadata?.credentialIssuerMetadata?.nonce_endpoint) {
+      builder.withNonceEndpoint(metadata.credentialIssuerMetadata?.nonce_endpoint);
+    }
+    if (credentialIdentifier) {
+      builder.withCredentialIdentifier(credentialIdentifier);
+    }
+    if (credentialConfigurationId) {
+      builder.withCredentialConfigurationId(credentialConfigurationId);
+    }
+    if (credentialTypes) {
+      builder.withCredentialType(credentialTypes);
+    }
     return builder;
   }
   static async fromURI({ uri, metadata }) {
-    const offer = await CredentialOfferClientV1_0_11.fromURI(uri);
-    return _CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest({
+    const offer = await CredentialOfferClient.fromURI(uri);
+    return _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
       request: offer,
       ...offer,
       metadata,
@@ -2618,154 +1753,35 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
   static fromCredentialOfferRequest(opts) {
     const { request, metadata } = opts;
     const version = opts.version ?? request.version ?? determineSpecVersionFromOffer3(request.original_credential_offer);
-    const builder = new _CredentialRequestClientBuilderV1_0_11();
-    const issuer = getIssuerFromCredentialOfferPayload6(request.credential_offer) ?? metadata?.issuer;
+    if (version < OpenId4VCIVersion6.VER_1_0_15) {
+      throw new Error("Versions below v1.0.15 (draft 15) are not supported.");
+    }
+    const builder = new _CredentialRequestClientBuilderV1_0_15();
+    const issuer = getIssuerFromCredentialOfferPayload4(request.credential_offer) ?? (metadata ? metadata.issuer : void 0);
+    if (!issuer && !metadata?.credential_endpoint) {
+      throw Error(`Issuer could not be determined`);
+    }
     builder.withVersion(version);
     builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
     if (metadata?.deferred_credential_endpoint) {
       builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
     }
-    if (version <= OpenId4VCIVersion11.VER_1_0_08) {
-      builder.withCredentialType(request.original_credential_offer.credential_type);
-    } else if (version <= OpenId4VCIVersion11.VER_1_0_11) {
-      builder.withCredentialType(getTypesFromOfferV1_0_11(request.credential_offer));
+    if (metadata?.credentialIssuerMetadata?.nonce_endpoint) {
+      builder.withNonceEndpoint(metadata.credentialIssuerMetadata.nonce_endpoint);
+    }
+    const ids = request.credential_offer.credential_configuration_ids;
+    if (ids.length && ids.length === 1) {
+      builder.withCredentialConfigurationId(ids[0]);
     }
     return builder;
   }
   static fromCredentialOffer({ credentialOffer, metadata }) {
-    return _CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest({
+    const builder = _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
       request: credentialOffer,
       metadata,
       version: credentialOffer.version
     });
-  }
-  withIssuerState(issuerState) {
-    this.issuerState = issuerState;
-    return this;
-  }
-  withCredentialEndpointFromMetadata(metadata) {
-    this.credentialEndpoint = metadata.credential_endpoint;
-    return this;
-  }
-  withCredentialEndpoint(credentialEndpoint) {
-    this.credentialEndpoint = credentialEndpoint;
-    return this;
-  }
-  withDeferredCredentialEndpointFromMetadata(metadata) {
-    this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
-    return this;
-  }
-  withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
-    this.deferredCredentialEndpoint = deferredCredentialEndpoint;
-    return this;
-  }
-  withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
-    this.deferredCredentialAwait = deferredCredentialAwait;
-    this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
-    return this;
-  }
-  withCredentialType(credentialTypes) {
-    this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
-      credentialTypes
-    ];
-    return this;
-  }
-  withFormat(format) {
-    this.format = format;
-    return this;
-  }
-  withSubjectIssuance(subjectIssuance) {
-    this.subjectIssuance = subjectIssuance;
-    return this;
-  }
-  withToken(accessToken) {
-    this.token = accessToken;
-    return this;
-  }
-  withTokenFromResponse(response) {
-    this.token = response.access_token;
-    return this;
-  }
-  withVersion(version) {
-    this.version = version;
-    return this;
-  }
-  build() {
-    if (!this.version) {
-      this.withVersion(OpenId4VCIVersion11.VER_1_0_11);
-    }
-    return new CredentialRequestClientV1_0_11(this);
-  }
-};
-
-// lib/CredentialRequestClientBuilderV1_0_13.ts
-import { determineSpecVersionFromOffer as determineSpecVersionFromOffer4, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload7, OpenId4VCIVersion as OpenId4VCIVersion12 } from "@sphereon/oid4vci-common";
-var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilderV1_0_13 {
-  static {
-    __name(this, "CredentialRequestClientBuilderV1_0_13");
-  }
-  credentialEndpoint;
-  deferredCredentialEndpoint;
-  deferredCredentialAwait = false;
-  deferredCredentialIntervalInMS = 5e3;
-  credentialIdentifier;
-  credentialTypes = [];
-  format;
-  token;
-  version;
-  subjectIssuance;
-  issuerState;
-  static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
-    const issuer = credentialIssuer;
-    const builder = new _CredentialRequestClientBuilderV1_0_13();
-    builder.withVersion(version ?? OpenId4VCIVersion12.VER_1_0_13);
-    builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
-    if (metadata?.deferred_credential_endpoint) {
-      builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
-    }
-    if (credentialIdentifier) {
-      builder.withCredentialIdentifier(credentialIdentifier);
-    }
-    if (credentialTypes) {
-      builder.withCredentialType(credentialTypes);
-    }
-    return builder;
-  }
-  static async fromURI({ uri, metadata }) {
-    const offer = await CredentialOfferClient.fromURI(uri);
-    return _CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({
-      request: offer,
-      ...offer,
-      metadata,
-      version: offer.version
-    });
-  }
-  static fromCredentialOfferRequest(opts) {
-    const { request, metadata } = opts;
-    const version = opts.version ?? request.version ?? determineSpecVersionFromOffer4(request.original_credential_offer);
-    if (version < OpenId4VCIVersion12.VER_1_0_13) {
-      throw new Error("Versions below v1.0.13 (draft 13) are not supported.");
-    }
-    const builder = new _CredentialRequestClientBuilderV1_0_13();
-    const issuer = getIssuerFromCredentialOfferPayload7(request.credential_offer) ?? metadata?.issuer;
-    builder.withVersion(version);
-    builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
-    if (metadata?.deferred_credential_endpoint) {
-      builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
-    }
-    const ids = request.credential_offer.credential_configuration_ids;
-    if (ids.length && ids.length === 1) {
-      builder.withCredentialIdentifier(ids[0]);
-    }
-    return builder;
-  }
-  static fromCredentialOffer({ credentialOffer, metadata }) {
-    const builder = _CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({
-      request: credentialOffer,
-      metadata,
-      version: credentialOffer.version
-    });
-    return builder;
+    return builder;
   }
   withCredentialEndpointFromMetadata(metadata) {
     this.credentialEndpoint = metadata.credential_endpoint;
@@ -2787,25 +1803,38 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
     this.deferredCredentialEndpoint = deferredCredentialEndpoint;
     return this;
   }
+  // New in v15: Support for nonce endpoint
+  withNonceEndpointFromMetadata(metadata) {
+    this.nonceEndpoint = metadata.nonce_endpoint;
+    return this;
+  }
+  withNonceEndpoint(nonceEndpoint) {
+    this.nonceEndpoint = nonceEndpoint;
+    return this;
+  }
   withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
     this.deferredCredentialAwait = deferredCredentialAwait;
     this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
     return this;
   }
+  // New in v15: Support for credential_identifier (used when authorization_details with credential_identifiers was used)
   withCredentialIdentifier(credentialIdentifier) {
     this.credentialIdentifier = credentialIdentifier;
     return this;
   }
+  // New in v15: Support for credential_configuration_id (used when scope was used and no credential_identifiers returned)
+  withCredentialConfigurationId(credentialConfigurationId) {
+    this.credentialConfigurationId = credentialConfigurationId;
+    return this;
+  }
+  // Legacy support for credential types (may be used internally to map to configuration IDs)
   withCredentialType(credentialTypes) {
     this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
       credentialTypes
     ];
     return this;
   }
-  withFormat(format) {
-    this.format = format;
-    return this;
-  }
+  // Note: withFormat() method removed in v15 - format is no longer part of credential requests
   withSubjectIssuance(subjectIssuance) {
     this.subjectIssuance = subjectIssuance;
     return this;
@@ -2824,723 +1853,158 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
   }
   build() {
     if (!this.version) {
-      this.withVersion(OpenId4VCIVersion12.VER_1_0_11);
+      this.withVersion(OpenId4VCIVersion6.VER_1_0_15);
     }
     return new CredentialRequestClient(this);
   }
 };
 
 // lib/CredentialRequestClientBuilder.ts
-function isV1_0_13(builder) {
+function isV1_0_15(builder) {
   return builder.withCredentialIdentifier !== void 0;
 }
-__name(isV1_0_13, "isV1_0_13");
+__name(isV1_0_15, "isV1_0_15");
 var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
   static {
     __name(this, "CredentialRequestClientBuilder");
   }
   _builder;
-  constructor(builder) {
-    this._builder = builder;
-  }
-  static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
-    const specVersion = version ?? OpenId4VCIVersion13.VER_1_0_13;
-    let builder;
-    if (specVersion >= OpenId4VCIVersion13.VER_1_0_13) {
-      builder = CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
-        credentialIssuer,
-        metadata,
-        version,
-        credentialIdentifier,
-        credentialTypes
-      });
-    } else {
-      if (!credentialTypes || credentialTypes.length === 0) {
-        throw new Error("CredentialTypes must be provided for v1_0_11");
-      }
-      builder = CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
-        credentialIssuer,
-        metadata,
-        version,
-        credentialTypes
-      });
-    }
-    return new _CredentialRequestClientBuilder(builder);
-  }
-  static async fromURI({ uri, metadata }) {
-    const offer = await CredentialOfferClient.fromURI(uri);
-    return _CredentialRequestClientBuilder.fromCredentialOfferRequest({
-      request: offer,
-      ...offer,
-      metadata,
-      version: offer.version
-    });
-  }
-  static fromCredentialOfferRequest(opts) {
-    const { request } = opts;
-    const version = opts.version ?? request.version ?? determineSpecVersionFromOffer5(request.original_credential_offer);
-    let builder;
-    if (version < OpenId4VCIVersion13.VER_1_0_13) {
-      builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
-    } else {
-      builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
-    }
-    return new _CredentialRequestClientBuilder(builder);
-  }
-  static fromCredentialOffer({ credentialOffer, metadata }) {
-    const version = determineSpecVersionFromOffer5(credentialOffer.credential_offer);
-    let builder;
-    if (version < OpenId4VCIVersion13.VER_1_0_13) {
-      builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
-        credentialOffer,
-        metadata
-      });
-    } else {
-      builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
-        credentialOffer,
-        metadata
-      });
-    }
-    return new _CredentialRequestClientBuilder(builder);
-  }
-  getVersion() {
-    return this._builder.version;
-  }
-  withCredentialEndpointFromMetadata(metadata) {
-    if (isV1_0_13(this._builder)) {
-      this._builder.withCredentialEndpointFromMetadata(metadata);
-    } else {
-      this._builder.withCredentialEndpointFromMetadata(metadata);
-    }
-    return this;
-  }
-  withCredentialEndpoint(credentialEndpoint) {
-    this._builder.withCredentialEndpoint(credentialEndpoint);
-    return this;
-  }
-  withDeferredCredentialEndpointFromMetadata(metadata) {
-    if (isV1_0_13(this._builder)) {
-      this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
-    } else {
-      this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
-    }
-    return this;
-  }
-  withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
-    this._builder.withDeferredCredentialEndpoint(deferredCredentialEndpoint);
-    return this;
-  }
-  withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
-    this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS);
-    return this;
-  }
-  withCredentialIdentifier(credentialIdentifier) {
-    if (this._builder.version === void 0 || this._builder.version < OpenId4VCIVersion13.VER_1_0_13) {
-      throw new Error("Version of spec should be equal or higher than v1_0_13");
-    }
-    ;
-    this._builder.withCredentialIdentifier(credentialIdentifier);
-    return this;
-  }
-  withIssuerState(issuerState) {
-    this._builder.withIssuerState(issuerState);
-    return this;
-  }
-  withCredentialType(credentialTypes) {
-    this._builder.withCredentialType(credentialTypes);
-    return this;
-  }
-  withFormat(format) {
-    this._builder.withFormat(format);
-    return this;
-  }
-  withSubjectIssuance(subjectIssuance) {
-    this._builder.withSubjectIssuance(subjectIssuance);
-    return this;
-  }
-  withToken(accessToken) {
-    this._builder.withToken(accessToken);
-    return this;
-  }
-  withTokenFromResponse(response) {
-    this._builder.withTokenFromResponse(response);
-    return this;
-  }
-  withVersion(version) {
-    this._builder.withVersion(version);
-    return this;
-  }
-  build() {
-    return this._builder.build();
-  }
-};
-
-// lib/OpenID4VCIClient.ts
-import { AuthzFlowType as AuthzFlowType3, CodeChallengeMethod as CodeChallengeMethod4, DefaultURISchemes, determineVersionsFromIssuerMetadata, getClientIdFromCredentialOfferPayload as getClientIdFromCredentialOfferPayload3, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload8, getSupportedCredentials, getTypesFromCredentialSupported, getTypesFromObject, KID_JWK_X5C_ERROR, OpenId4VCIVersion as OpenId4VCIVersion14, toAuthorizationResponsePayload } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers12 } from "@sphereon/ssi-types";
-var logger12 = Loggers12.DEFAULT.get("sphereon:oid4vci");
-var OpenID4VCIClient = class _OpenID4VCIClient {
-  static {
-    __name(this, "OpenID4VCIClient");
-  }
-  _state;
-  constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
-    const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload8(credentialOffer.credential_offer) : void 0);
-    if (!issuer) {
-      throw Error("No credential issuer supplied or deduced from offer");
-    }
-    this._state = {
-      credentialOffer,
-      credentialIssuer: issuer,
-      kid,
-      alg,
-      // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
-      clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload3(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
-      pkce: {
-        disabled: false,
-        codeChallengeMethod: CodeChallengeMethod4.S256,
-        ...pkce
-      },
-      authorizationRequestOpts,
-      authorizationCodeResponse,
-      accessToken,
-      jwk,
-      endpointMetadata: endpointMetadata?.credentialIssuerMetadata?.authorization_server ? endpointMetadata : endpointMetadata,
-      accessTokenResponse,
-      authorizationURL
-    };
-    if (!this._state.authorizationRequestOpts) {
-      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
-    }
-    logger12.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
-  }
-  static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
-    const client = new _OpenID4VCIClient({
-      kid,
-      alg,
-      clientId: clientId ?? authorizationRequest?.clientId,
-      credentialIssuer,
-      pkce,
-      authorizationRequest,
-      endpointMetadata
-    });
-    if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
-      await client.retrieveServerMetadata();
-    }
-    if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
-      await client.createAuthorizationRequestUrl({
-        authorizationRequest,
-        pkce
-      });
-    }
-    return client;
-  }
-  static async fromState({ state }) {
-    const clientState = typeof state === "string" ? JSON.parse(state) : state;
-    return new _OpenID4VCIClient(clientState);
-  }
-  static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, endpointMetadata }) {
-    const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
-      resolve: resolveOfferUri
-    });
-    const client = new _OpenID4VCIClient({
-      credentialOffer: credentialOfferClient,
-      kid,
-      alg,
-      clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
-      pkce,
-      authorizationRequest,
-      endpointMetadata
-    });
-    if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
-      await client.retrieveServerMetadata();
-    }
-    if (credentialOfferClient.supportedFlows.includes(AuthzFlowType3.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
-      await client.createAuthorizationRequestUrl({
-        authorizationRequest,
-        pkce
-      });
-      logger12.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
-    }
-    return client;
-  }
-  /**
-  * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
-  *
-  * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
-  * @param opts
-  */
-  async createAuthorizationRequestUrl(opts) {
-    if (!this._state.authorizationURL) {
-      this.calculatePKCEOpts(opts?.pkce);
-      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
-      if (!this._state.authorizationRequestOpts) {
-        throw Error(`No Authorization Request options present or provided in this call`);
-      }
-      if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
-        this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
-      }
-      if (this.version() <= OpenId4VCIVersion14.VER_1_0_11) {
-        this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
-          pkce: this._state.pkce,
-          endpointMetadata: this.endpointMetadata,
-          authorizationRequest: this._state.authorizationRequestOpts,
-          credentialOffer: this.credentialOffer,
-          credentialsSupported: Object.values(this.getCredentialsSupported(true))
-        });
-      } else {
-        this._state.authorizationURL = await createAuthorizationRequestUrl({
-          pkce: this._state.pkce,
-          endpointMetadata: this.endpointMetadata,
-          authorizationRequest: this._state.authorizationRequestOpts,
-          credentialOffer: this.credentialOffer,
-          credentialConfigurationSupported: this.getCredentialsSupported(false)
-        });
-      }
-    }
-    return this._state.authorizationURL;
-  }
-  async retrieveServerMetadata() {
-    this.assertIssuerData();
-    if (!this._state.endpointMetadata) {
-      if (this.credentialOffer) {
-        this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
-      } else if (this._state.credentialIssuer) {
-        this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
-      } else {
-        throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
-      }
-    }
-    return this.endpointMetadata;
-  }
-  calculatePKCEOpts(pkce) {
-    this._state.pkce = generateMissingPKCEOpts({
-      ...this._state.pkce,
-      ...pkce
-    });
-  }
-  async acquireAuthorizationChallengeCode(opts) {
-    const response = await acquireAuthorizationChallengeAuthCode({
-      metadata: this.endpointMetadata,
-      credentialIssuer: this.getIssuer(),
-      clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
-      ...opts
-    });
-    if (response.errorBody) {
-      logger12.debug(`Authorization code error:\r
-${JSON.stringify(response.errorBody)}`);
-      const error = response.errorBody;
-      return Promise.reject(error);
-    } else if (!response.successBody) {
-      logger12.debug(`Authorization code error. No success body`);
-      return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
-    }
-    return {
-      ...response.successBody
-    };
-  }
-  async acquireAccessToken(opts) {
-    const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
-    let { redirectUri } = opts ?? {};
-    const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
-    if (opts?.codeVerifier) {
-      this._state.pkce.codeVerifier = opts.codeVerifier;
-    }
-    this.assertIssuerData();
-    const asOpts = {
-      ...opts?.asOpts
-    };
-    const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
-    const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
-    if (this.isEBSI() || clientId && kid) {
-      if (!clientId) {
-        throw Error(`Client id expected for EBSI`);
-      }
-      asOpts.clientOpts = {
-        ...asOpts.clientOpts,
-        clientId,
-        ...kid && {
-          kid
-        },
-        ...clientAssertionType && {
-          clientAssertionType
-        },
-        signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
-      };
-    }
-    if (clientId) {
-      this._state.clientId = clientId;
-      if (!asOpts.clientOpts) {
-        asOpts.clientOpts = {
-          clientId
-        };
-      }
-      asOpts.clientOpts.clientId = clientId;
-    }
-    if (!this._state.accessTokenResponse) {
-      const accessTokenClient = this.version() <= OpenId4VCIVersion14.VER_1_0_12 ? new AccessTokenClientV1_0_11() : new AccessTokenClient();
-      if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
-        console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
-      }
-      if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
-        redirectUri = this._state.authorizationRequestOpts.redirectUri;
-      }
-      const response = await accessTokenClient.acquireAccessToken({
-        credentialOffer: this.credentialOffer,
-        metadata: this.endpointMetadata,
-        credentialIssuer: this.getIssuer(),
-        pin,
-        ...!this._state.pkce.disabled && {
-          codeVerifier: this._state.pkce.codeVerifier
-        },
-        code,
-        redirectUri,
-        asOpts,
-        ...opts?.createDPoPOpts && {
-          createDPoPOpts: opts.createDPoPOpts
-        },
-        ...opts?.additionalRequestParams && {
-          additionalParams: opts.additionalRequestParams
-        }
-      });
-      if (response.errorBody) {
-        logger12.debug(`Access token error:\r
-${JSON.stringify(response.errorBody)}`);
-        throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
-      } else if (!response.successBody) {
-        logger12.debug(`Access token error. No success body`);
-        throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
-      }
-      this._state.accessTokenResponse = response.successBody;
-      this._state.dpopResponseParams = response.params;
-      this._state.accessToken = response.successBody.access_token;
-    }
-    return {
-      ...this.accessTokenResponse,
-      ...this.dpopResponseParams && {
-        params: this.dpopResponseParams
-      }
-    };
-  }
-  async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
-    if ([
-      jwk,
-      kid
-    ].filter((v) => v !== void 0).length > 1) {
-      throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
-    }
-    if (alg) this._state.alg = alg;
-    if (jwk) this._state.jwk = jwk;
-    if (kid) this._state.kid = kid;
-    let requestBuilder;
-    if (this.version() < OpenId4VCIVersion14.VER_1_0_13) {
-      requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
-        credentialOffer: this.credentialOffer,
-        metadata: this.endpointMetadata
-      }) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
-        credentialIssuer: this.getIssuer(),
-        credentialTypes,
-        metadata: this.endpointMetadata,
-        version: this.version()
-      });
-    } else {
-      requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
-        credentialOffer: this.credentialOffer,
-        metadata: this.endpointMetadata
-      }) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
-        credentialIssuer: this.getIssuer(),
-        credentialTypes,
-        metadata: this.endpointMetadata,
-        version: this.version()
-      });
-    }
-    const issuerState = this.issuerSupportedFlowTypes().includes(AuthzFlowType3.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
-    requestBuilder.withIssuerState(issuerState);
-    requestBuilder.withTokenFromResponse(this.accessTokenResponse);
-    requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
-    let subjectIssuance;
-    if (this.endpointMetadata?.credentialIssuerMetadata) {
-      const metadata = this.endpointMetadata.credentialIssuerMetadata;
-      const types = Array.isArray(credentialTypes) ? credentialTypes : [
-        credentialTypes
-      ];
-      if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
-        let typeSupported = false;
-        metadata.credentials_supported.forEach((supportedCredential) => {
-          const subTypes = getTypesFromCredentialSupported(supportedCredential);
-          if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
-            typeSupported = true;
-            if (supportedCredential.credential_subject_issuance) {
-              subjectIssuance = {
-                credential_subject_issuance: supportedCredential.credential_subject_issuance
-              };
-            }
-          }
-        });
-        if (!typeSupported) {
-          console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
-        }
-      } else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
-        const credentialsSupported = metadata.credentials_supported;
-        if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
-          throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
-        }
-      }
-    }
-    if (subjectIssuance) {
-      requestBuilder.withSubjectIssuance(subjectIssuance);
-    }
-    const credentialRequestClient = requestBuilder.build();
-    const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
-      accessTokenResponse: this.accessTokenResponse,
-      callbacks: proofCallbacks,
-      version: this.version()
-    }).withIssuer(this.getIssuer()).withAlg(this.alg);
-    if (this._state.jwk) {
-      proofBuilder.withJWK(this._state.jwk);
-    }
-    if (this._state.kid) {
-      proofBuilder.withKid(this._state.kid);
-    }
-    if (this.clientId) {
-      proofBuilder.withClientId(this.clientId);
-    }
-    if (jti) {
-      proofBuilder.withJti(jti);
-    }
-    const response = await credentialRequestClient.acquireCredentialsUsingProof({
-      proofInput: proofBuilder,
-      credentialTypes,
-      context,
-      format,
-      subjectIssuance,
-      createDPoPOpts
-    });
-    this._state.dpopResponseParams = response.params;
-    if (response.errorBody) {
-      logger12.debug(`Credential request error:\r
-${JSON.stringify(response.errorBody)}`);
-      throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
-    } else if (!response.successBody) {
-      logger12.debug(`Credential request error. No success body`);
-      throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
-    }
-    return {
-      ...response.successBody,
-      ...this.dpopResponseParams && {
-        params: this.dpopResponseParams
-      },
-      access_token: response.access_token
-    };
-  }
-  async exportState() {
-    return JSON.stringify(this._state);
-  }
-  getCredentialsSupported(restrictToInitiationTypes, format) {
-    return getSupportedCredentials({
-      issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
-      version: this.version(),
-      format,
-      types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
-    });
-  }
-  async sendNotification(credentialRequestOpts, request, accessToken) {
-    return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
-  }
-  getCredentialOfferTypes() {
-    if (!this.credentialOffer) {
-      return [];
-    } else if (this.version() < OpenId4VCIVersion14.VER_1_0_11) {
-      const orig = this.credentialOffer.original_credential_offer;
-      const types = typeof orig.credential_type === "string" ? [
-        orig.credential_type
-      ] : orig.credential_type;
-      const result = [];
-      result[0] = types;
-      return result;
-    } else if (this.version() < OpenId4VCIVersion14.VER_1_0_13) {
-      return this.credentialOffer.credential_offer.credentials.map((c) => getTypesFromObject(c) ?? []);
-    }
-    return void 0;
-  }
-  issuerSupportedFlowTypes() {
-    return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
-      AuthzFlowType3.AUTHORIZATION_CODE_FLOW
-    ] : []);
-  }
-  isFlowTypeSupported(flowType) {
-    return this.issuerSupportedFlowTypes().includes(flowType);
-  }
-  get authorizationURL() {
-    return this._state.authorizationURL;
-  }
-  hasAuthorizationURL() {
-    return !!this.authorizationURL;
-  }
-  get credentialOffer() {
-    return this._state.credentialOffer;
-  }
-  version() {
-    if (this.credentialOffer?.version && this.credentialOffer.version !== OpenId4VCIVersion14.VER_UNKNOWN) {
-      return this.credentialOffer.version;
-    }
-    const metadata = this._state.endpointMetadata;
-    if (metadata?.credentialIssuerMetadata) {
-      const versions = determineVersionsFromIssuerMetadata(metadata.credentialIssuerMetadata);
-      if (versions.length > 0 && !versions.includes(OpenId4VCIVersion14.VER_UNKNOWN)) {
-        return versions[0];
-      }
-    }
-    return OpenId4VCIVersion14.VER_1_0_13;
-  }
-  get endpointMetadata() {
-    this.assertServerMetadata();
-    return this._state.endpointMetadata;
-  }
-  get kid() {
-    this.assertIssuerData();
-    if (!this._state.kid) {
-      throw new Error("No value for kid is supplied");
-    }
-    return this._state.kid;
-  }
-  get alg() {
-    this.assertIssuerData();
-    if (!this._state.alg) {
-      throw new Error("No value for alg is supplied");
-    }
-    return this._state.alg;
+  constructor(builder) {
+    this._builder = builder;
   }
-  set clientId(value) {
-    this._state.clientId = value;
+  static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
+    let builder;
+    const metadataV15 = metadata;
+    builder = CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
+      credentialIssuer,
+      metadata: metadataV15,
+      version,
+      credentialIdentifier,
+      credentialTypes
+    });
+    return new _CredentialRequestClientBuilder(builder);
   }
-  get clientId() {
-    return this._state.clientId;
+  static async fromURI({ uri, metadata }) {
+    const offer = await CredentialOfferClient.fromURI(uri);
+    return _CredentialRequestClientBuilder.fromCredentialOfferRequest({
+      request: offer,
+      ...offer,
+      metadata,
+      version: offer.version
+    });
   }
-  hasAccessTokenResponse() {
-    return !!this._state.accessTokenResponse;
+  static fromCredentialOfferRequest(opts) {
+    const builder = CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest(opts);
+    return new _CredentialRequestClientBuilder(builder);
   }
-  get accessTokenResponse() {
-    this.assertAccessToken();
-    return this._state.accessTokenResponse;
+  static fromCredentialOffer({ credentialOffer, metadata }) {
+    const builder = CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
+      credentialOffer,
+      metadata
+    });
+    return new _CredentialRequestClientBuilder(builder);
   }
-  get dpopResponseParams() {
-    return this._state.dpopResponseParams;
+  getVersion() {
+    return this._builder.version;
   }
-  getIssuer() {
-    this.assertIssuerData();
-    return this._state.credentialIssuer;
+  withCredentialEndpointFromMetadata(metadata) {
+    if (isV1_0_15(this._builder)) {
+      this._builder.withCredentialEndpointFromMetadata(metadata);
+    }
+    return this;
   }
-  getAccessTokenEndpoint() {
-    this.assertIssuerData();
-    if (this.endpointMetadata) {
-      return this.endpointMetadata.token_endpoint;
+  withCredentialEndpoint(credentialEndpoint) {
+    this._builder.withCredentialEndpoint(credentialEndpoint);
+    return this;
+  }
+  withDeferredCredentialEndpointFromMetadata(metadata) {
+    if (isV1_0_15(this._builder)) {
+      this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
     }
-    return this.version() <= OpenId4VCIVersion14.VER_1_0_12 ? AccessTokenClientV1_0_11.determineTokenURL({
-      issuerOpts: {
-        issuer: this.getIssuer()
-      }
-    }) : AccessTokenClient.determineTokenURL({
-      issuerOpts: {
-        issuer: this.getIssuer()
-      }
-    });
+    return this;
   }
-  getCredentialEndpoint() {
-    this.assertIssuerData();
-    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+  withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
+    this._builder.withDeferredCredentialEndpoint(deferredCredentialEndpoint);
+    return this;
   }
-  getAuthorizationChallengeEndpoint() {
-    this.assertIssuerData();
-    return this.endpointMetadata?.authorization_challenge_endpoint;
+  withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
+    this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS);
+    return this;
   }
-  hasAuthorizationChallengeEndpoint() {
-    return !!this.getAuthorizationChallengeEndpoint();
+  withCredentialIdentifier(credentialIdentifier) {
+    if (this._builder.version === void 0 || this._builder.version < OpenId4VCIVersion7.VER_1_0_15) {
+      throw new Error("Version of spec should be equal or higher than v1_0_15");
+    }
+    ;
+    this._builder.withCredentialIdentifier(credentialIdentifier);
+    return this;
   }
-  hasDeferredCredentialEndpoint() {
-    return !!this.getAccessTokenEndpoint();
+  withIssuerState(issuerState) {
+    this._builder.withIssuerState(issuerState);
+    return this;
   }
-  getDeferredCredentialEndpoint() {
-    this.assertIssuerData();
-    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+  withCredentialType(credentialTypes) {
+    this._builder.withCredentialType(credentialTypes);
+    return this;
   }
-  /**
-  * Too bad we need a method like this, but EBSI is not exposing metadata
-  */
-  isEBSI() {
-    if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
-      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-      // @ts-ignore
-      typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
-    ))) {
-      return true;
-    }
-    return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
+  withSubjectIssuance(subjectIssuance) {
+    this._builder.withSubjectIssuance(subjectIssuance);
+    return this;
   }
-  assertIssuerData() {
-    if (!this._state.credentialIssuer) {
-      throw Error(`No credential issuer value present`);
-    } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
-      throw Error(`No issuance initiation or credential offer present`);
-    }
+  withToken(accessToken) {
+    this._builder.withToken(accessToken);
+    return this;
   }
-  assertServerMetadata() {
-    if (!this._state.endpointMetadata) {
-      throw Error("No server metadata");
-    }
+  withTokenFromResponse(response) {
+    this._builder.withTokenFromResponse(response);
+    return this;
   }
-  assertAccessToken() {
-    if (!this._state.accessTokenResponse) {
-      throw Error(`No access token present`);
-    }
+  withVersion(version) {
+    this._builder.withVersion(version);
+    return this;
   }
-  syncAuthorizationRequestOpts(opts) {
-    const requestObjectOpts = {
-      ...this._state?.authorizationRequestOpts?.requestObjectOpts,
-      ...opts?.requestObjectOpts
-    };
-    let authorizationRequestOpts = {
-      ...this._state?.authorizationRequestOpts,
-      ...opts,
-      ...requestObjectOpts && {
-        requestObjectOpts
-      }
-    };
-    if (!authorizationRequestOpts) {
-      authorizationRequestOpts = {
-        redirectUri: `${DefaultURISchemes.CREDENTIAL_OFFER}://`
-      };
-    }
-    const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
-    this._state.clientId = clientId;
-    authorizationRequestOpts.clientId = clientId;
-    return authorizationRequestOpts;
+  build() {
+    return this._builder.build();
   }
-  getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
-    if (authorizationResponse) {
-      this._state.authorizationCodeResponse = {
-        ...toAuthorizationResponsePayload(authorizationResponse)
-      };
-    } else if (code) {
-      this._state.authorizationCodeResponse = {
-        code
-      };
-    }
-    return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
-  }, "getAuthorizationCode");
 };
 
-// lib/OpenID4VCIClientV1_0_13.ts
-import { AuthzFlowType as AuthzFlowType4, CodeChallengeMethod as CodeChallengeMethod5, DefaultURISchemes as DefaultURISchemes2, getClientIdFromCredentialOfferPayload as getClientIdFromCredentialOfferPayload4, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload9, getSupportedCredentials as getSupportedCredentials2, getTypesFromCredentialSupported as getTypesFromCredentialSupported2, KID_JWK_X5C_ERROR as KID_JWK_X5C_ERROR2, OpenId4VCIVersion as OpenId4VCIVersion15, toAuthorizationResponsePayload as toAuthorizationResponsePayload2 } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers13 } from "@sphereon/ssi-types";
-var logger13 = Loggers13.DEFAULT.get("sphereon:oid4vci");
-var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
+// lib/OpenID4VCIClient.ts
+import { AuthzFlowType as AuthzFlowType3, CodeChallengeMethod as CodeChallengeMethod4, DefaultURISchemes as DefaultURISchemes2, determineVersionsFromIssuerMetadata, getClientIdFromCredentialOfferPayload as getClientIdFromCredentialOfferPayload3, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload6, getSupportedCredentials as getSupportedCredentials2, getTypesFromCredentialSupported, KID_JWK_X5C_ERROR as KID_JWK_X5C_ERROR2, OpenId4VCIVersion as OpenId4VCIVersion9, toAuthorizationResponsePayload as toAuthorizationResponsePayload2 } from "@sphereon/oid4vci-common";
+import { Loggers as Loggers8 } from "@sphereon/ssi-types";
+
+// lib/OpenID4VCIClientV1_0_15.ts
+import { AuthzFlowType as AuthzFlowType2, CodeChallengeMethod as CodeChallengeMethod3, DefaultURISchemes, getClientIdFromCredentialOfferPayload as getClientIdFromCredentialOfferPayload2, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload5, getSupportedCredentials, KID_JWK_X5C_ERROR, OpenId4VCIVersion as OpenId4VCIVersion8, toAuthorizationResponsePayload } from "@sphereon/oid4vci-common";
+import { Loggers as Loggers7 } from "@sphereon/ssi-types";
+
+// lib/NonceClient.ts
+import { formPost as formPost3 } from "@sphereon/oid4vci-common";
+var sendNonceRequest = /* @__PURE__ */ __name(async (nonceEndpointUrl, opts) => {
+  return await formPost3(nonceEndpointUrl, new URLSearchParams(), {
+    customHeaders: opts?.headers
+  });
+}, "sendNonceRequest");
+var acquireNonceFromAuthorizationServer = /* @__PURE__ */ __name(async (opts) => {
+  const metadata = opts?.metadata ? opts.metadata : opts?.issuerOpts?.fetchMetadata ? await MetadataClient.retrieveAllMetadata(opts.issuerOpts.issuer, {
+    errorOnNotFound: false
+  }) : void 0;
+  const nonceEndpointUrl = metadata?.credentialIssuerMetadata?.nonce_endpoint;
+  if (!nonceEndpointUrl) {
+    return Promise.reject(Error("Cannot determine nonce endpoint URL"));
+  }
+  return await sendNonceRequest(nonceEndpointUrl, {
+    headers: opts?.headers
+  });
+}, "acquireNonceFromAuthorizationServer");
+
+// lib/OpenID4VCIClientV1_0_15.ts
+var logger7 = Loggers7.DEFAULT.get("sphereon:oid4vci:v15");
+var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
   static {
-    __name(this, "OpenID4VCIClientV1_0_13");
+    __name(this, "OpenID4VCIClientV1_0_15");
   }
   _state;
-  constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
-    const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload9(credentialOffer.credential_offer) : void 0);
+  constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL, keyAttestation }) {
+    const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload5(credentialOffer.credential_offer) : void 0);
     if (!issuer) {
       throw Error("No credential issuer supplied or deduced from offer");
     }
@@ -3549,39 +2013,39 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
       credentialIssuer: issuer,
       kid,
       alg,
-      // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
-      clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload4(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
+      clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload2(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
       pkce: {
         disabled: false,
-        codeChallengeMethod: CodeChallengeMethod5.S256,
+        codeChallengeMethod: CodeChallengeMethod3.S256,
         ...pkce
       },
       authorizationRequestOpts,
       authorizationCodeResponse,
-      accessToken,
       jwk,
       endpointMetadata,
       accessTokenResponse,
-      authorizationURL
+      authorizationURL,
+      keyAttestation
     };
     if (!this._state.authorizationRequestOpts) {
       this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
     }
-    logger13.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
+    logger7.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
   }
-  static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
-    const client = new _OpenID4VCIClientV1_0_13({
+  static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, keyAttestation }) {
+    const client = new _OpenID4VCIClientV1_0_15({
       kid,
       alg,
       clientId: clientId ?? authorizationRequest?.clientId,
       credentialIssuer,
       pkce,
-      authorizationRequest
+      authorizationRequest,
+      keyAttestation
     });
-    if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
+    if (retrieveServerMetadata !== false) {
       await client.retrieveServerMetadata();
     }
-    if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
+    if (createAuthorizationRequestURL !== false) {
       await client.createAuthorizationRequestUrl({
         authorizationRequest,
         pkce
@@ -3591,38 +2055,33 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
   }
   static async fromState({ state }) {
     const clientState = typeof state === "string" ? JSON.parse(state) : state;
-    return new _OpenID4VCIClientV1_0_13(clientState);
+    return new _OpenID4VCIClientV1_0_15(clientState);
   }
-  static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri }) {
-    const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
+  static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, keyAttestation }) {
+    const credentialOfferClient = await CredentialOfferClientV1_0_15.fromURI(uri, {
       resolve: resolveOfferUri
     });
-    const client = new _OpenID4VCIClientV1_0_13({
+    const client = new _OpenID4VCIClientV1_0_15({
       credentialOffer: credentialOfferClient,
       kid,
       alg,
       clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
       pkce,
-      authorizationRequest
+      authorizationRequest,
+      keyAttestation
     });
-    if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
+    if (retrieveServerMetadata !== false) {
       await client.retrieveServerMetadata();
     }
-    if (credentialOfferClient.supportedFlows.includes(AuthzFlowType4.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
+    if (credentialOfferClient.supportedFlows.includes(AuthzFlowType2.AUTHORIZATION_CODE_FLOW) && createAuthorizationRequestURL !== false) {
       await client.createAuthorizationRequestUrl({
         authorizationRequest,
         pkce
       });
-      logger13.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
+      logger7.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
     }
     return client;
   }
-  /**
-  * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
-  *
-  * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
-  * @param opts
-  */
   async createAuthorizationRequestUrl(opts) {
     if (!this._state.authorizationURL) {
       this.calculatePKCEOpts(opts?.pkce);
@@ -3638,8 +2097,7 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
         endpointMetadata: this.endpointMetadata,
         authorizationRequest: this._state.authorizationRequestOpts,
         credentialOffer: this.credentialOffer,
-        credentialConfigurationSupported: this.getCredentialsSupported(),
-        version: this.version()
+        credentialConfigurationSupported: this.getCredentialsSupported(false)
       });
     }
     return this._state.authorizationURL;
@@ -3648,15 +2106,34 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
     this.assertIssuerData();
     if (!this._state.endpointMetadata) {
       if (this.credentialOffer) {
-        this._state.endpointMetadata = await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+        this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
       } else if (this._state.credentialIssuer) {
-        this._state.endpointMetadata = await MetadataClientV1_0_13.retrieveAllMetadata(this._state.credentialIssuer);
+        this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadata(this._state.credentialIssuer);
       } else {
         throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
       }
     }
     return this.endpointMetadata;
   }
+  async acquireNonce() {
+    const response = await acquireNonceFromAuthorizationServer({
+      metadata: this.endpointMetadata,
+      issuerOpts: {
+        issuer: this.getIssuer(),
+        fetchMetadata: false
+      }
+    });
+    if (response.errorBody) {
+      logger7.debug(`Nonce request error:\r
+${JSON.stringify(response.errorBody)}`);
+      return Promise.reject(Error(`Retrieving a nonce from ${this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint} for issuer ${this.getIssuer()} failed with error: ${response.errorBody.error}${response.errorBody.error_description ? ` - ${response.errorBody.error_description}` : ""}`));
+    } else if (!response.successBody) {
+      logger7.debug(`Nonce request error. No success body`);
+      return Promise.reject(Error(`Retrieving a nonce from ${this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
+    }
+    this._state.cachedCNonce = response.successBody.c_nonce;
+    return response.successBody.c_nonce;
+  }
   calculatePKCEOpts(pkce) {
     this._state.pkce = generateMissingPKCEOpts({
       ...this._state.pkce,
@@ -3671,12 +2148,12 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
       ...opts
     });
     if (response.errorBody) {
-      logger13.debug(`Authorization code error:\r
+      logger7.debug(`Authorization code error:\r
 ${JSON.stringify(response.errorBody)}`);
       const error = response.errorBody;
       return Promise.reject(error);
     } else if (!response.successBody) {
-      logger13.debug(`Authorization code error. No success body`);
+      logger7.debug(`Authorization code error. No success body`);
       return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
     }
     return {
@@ -3748,16 +2225,19 @@ ${JSON.stringify(response.errorBody)}`);
         }
       });
       if (response.errorBody) {
-        logger13.debug(`Access token error:\r
+        logger7.debug(`Access token error:\r
 ${JSON.stringify(response.errorBody)}`);
         throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
       } else if (!response.successBody) {
-        logger13.debug(`Access token error. No success body`);
+        logger7.debug(`Access token error. No success body`);
         throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
       }
       this._state.accessTokenResponse = response.successBody;
       this._state.dpopResponseParams = response.params;
       this._state.accessToken = response.successBody.access_token;
+      if (response.successBody.c_nonce) {
+        this._state.cachedCNonce = response.successBody.c_nonce;
+      }
     }
     return {
       ...this.accessTokenResponse,
@@ -3766,77 +2246,54 @@ ${JSON.stringify(response.errorBody)}`);
       }
     };
   }
-  async acquireCredentialsWithoutProof(args) {
-    return await this.acquireCredentialsImpl(args);
-  }
-  async acquireCredentials(args) {
-    return await this.acquireCredentialsImpl(args);
-  }
-  async acquireCredentialsImpl({ credentialIdentifier, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
+  async acquireCredentials({ credentialIdentifier, credentialConfigurationId, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
     if ([
       jwk,
       kid
     ].filter((v) => v !== void 0).length > 1) {
-      throw new Error(KID_JWK_X5C_ERROR2 + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
+      throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
     }
     if (alg) this._state.alg = alg;
     if (jwk) this._state.jwk = jwk;
     if (kid) this._state.kid = kid;
-    const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
+    const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
       credentialOffer: this.credentialOffer,
       metadata: this.endpointMetadata
-    }) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
+    }) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
       credentialIssuer: this.getIssuer(),
+      credentialTypes,
       credentialIdentifier,
+      credentialConfigurationId,
       metadata: this.endpointMetadata,
       version: this.version()
     });
-    const issuerState = this.issuerSupportedFlowTypes().includes(AuthzFlowType4.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
+    if (credentialIdentifier) {
+      requestBuilder.withCredentialIdentifier(credentialIdentifier);
+    } else if (credentialConfigurationId) {
+      requestBuilder.withCredentialConfigurationId(credentialConfigurationId);
+    }
+    const issuerState = this.issuerSupportedFlowTypes().includes(AuthzFlowType2.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this._state.cachedCNonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
     requestBuilder.withIssuerState(issuerState);
     requestBuilder.withTokenFromResponse(this.accessTokenResponse);
     requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
     let subjectIssuance;
     if (this.endpointMetadata?.credentialIssuerMetadata) {
       const metadata = this.endpointMetadata.credentialIssuerMetadata;
-      const types = credentialTypes ? Array.isArray(credentialTypes) ? credentialTypes : [
-        credentialTypes
-      ] : void 0;
-      if (credentialIdentifier) {
-        if (typeof metadata.credential_configurations_supported !== "object") {
-          throw Error(`Credentials_supported should be an object, current ${typeof metadata.credential_configurations_supported} when credential_identifier is used`);
-        }
-        const credentialsSupported = metadata.credential_configurations_supported;
-        if (!credentialsSupported || !credentialsSupported[credentialIdentifier]) {
-          throw new Error(`Credential type ${credentialIdentifier} is not supported by issuer ${this.getIssuer()}`);
-        }
-      } else if (!types) {
-        throw Error(`If no credential_identifier is used, we expect types`);
-      } else if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
-        let typeSupported = false;
-        metadata.credentials_supported.forEach((supportedCredential) => {
-          const subTypes = getTypesFromCredentialSupported2(supportedCredential);
-          if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
-            typeSupported = true;
-            if (supportedCredential.credential_subject_issuance) {
+      if (metadata.credential_configurations_supported) {
+        const configId = credentialConfigurationId ?? credentialIdentifier;
+        if (configId && metadata.credential_configurations_supported[configId]) {
+          const config = metadata.credential_configurations_supported[configId];
+          if (config.credential_subject_issuance) {
+            const subjIssuance = config.credential_subject_issuance;
+            if (subjIssuance.subject_proof_mode && subjIssuance.notification_events_supported) {
               subjectIssuance = {
-                credential_subject_issuance: supportedCredential.credential_subject_issuance
+                credential_subject_issuance: {
+                  subject_proof_mode: subjIssuance.subject_proof_mode,
+                  notification_events_supported: subjIssuance.notification_events_supported
+                }
               };
             }
           }
-        });
-        if (!typeSupported) {
-          console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
-        }
-      } else if (metadata.credential_configurations_supported && typeof metadata.credential_configurations_supported === "object") {
-        let typeSupported = false;
-        Object.values(metadata.credential_configurations_supported).forEach((supportedCredential) => {
-          const subTypes = getTypesFromCredentialSupported2(supportedCredential);
-          if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
-            typeSupported = true;
-          }
-        });
-        if (!typeSupported) {
-          throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
       }
     }
@@ -3844,50 +2301,48 @@ ${JSON.stringify(response.errorBody)}`);
       requestBuilder.withSubjectIssuance(subjectIssuance);
     }
     const credentialRequestClient = requestBuilder.build();
-    let proofBuilder;
-    if (proofCallbacks) {
-      proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
-        accessTokenResponse: this.accessTokenResponse,
-        callbacks: proofCallbacks,
-        version: this.version()
-      }).withIssuer(this.getIssuer()).withAlg(this.alg);
-      if (this._state.jwk) {
-        proofBuilder.withJWK(this._state.jwk);
-      }
-      if (this._state.kid) {
-        proofBuilder.withKid(this._state.kid);
-      }
-      if (this.clientId) {
-        proofBuilder.withClientId(this.clientId);
-      }
-      if (jti) {
-        proofBuilder.withJti(jti);
-      }
+    if (!this._state.cachedCNonce) {
+      await this.acquireNonce();
+    }
+    const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
+      accessTokenResponse: {
+        ...this.accessTokenResponse,
+        c_nonce: this._state.cachedCNonce
+      },
+      callbacks: proofCallbacks,
+      version: this.version()
+    }).withIssuer(this.getIssuer()).withAlg(this.alg);
+    if (this._state.jwk) {
+      proofBuilder.withJWK(this._state.jwk);
+    }
+    if (this._state.kid) {
+      proofBuilder.withKid(this._state.kid);
+    }
+    if (this.clientId && (!this.credentialOffer || this.credentialOffer.supportedFlows.includes(AuthzFlowType2.AUTHORIZATION_CODE_FLOW) && !this.credentialOffer.preAuthorizedCode)) {
+      proofBuilder.withClientId(this.clientId);
+    }
+    if (jti) {
+      proofBuilder.withJti(jti);
+    }
+    if (this._state.cachedCNonce) {
+      proofBuilder.withAccessTokenNonce(this._state.cachedCNonce);
     }
-    const request = proofBuilder ? await credentialRequestClient.createCredentialRequest({
+    const response = await credentialRequestClient.acquireCredentialsUsingProof({
       proofInput: proofBuilder,
-      credentialTypes,
-      context,
-      format,
-      version: this.version(),
       credentialIdentifier,
-      subjectIssuance
-    }) : await credentialRequestClient.createCredentialRequestWithoutProof({
       credentialTypes,
       context,
       format,
-      version: this.version(),
-      credentialIdentifier,
-      subjectIssuance
+      subjectIssuance,
+      createDPoPOpts
     });
-    const response = await credentialRequestClient.acquireCredentialsUsingRequest(request, createDPoPOpts);
     this._state.dpopResponseParams = response.params;
     if (response.errorBody) {
-      logger13.debug(`Credential request error:\r
+      logger7.debug(`Credential request error:\r
 ${JSON.stringify(response.errorBody)}`);
       throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
     } else if (!response.successBody) {
-      logger13.debug(`Credential request error. No success body`);
+      logger7.debug(`Credential request error. No success body`);
       throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
     }
     return {
@@ -3901,59 +2356,44 @@ ${JSON.stringify(response.errorBody)}`);
   async exportState() {
     return JSON.stringify(this._state);
   }
-  getCredentialsSupported(format) {
-    return getSupportedCredentials2({
+  getCredentialsSupported(restrictToInitiationTypes, format) {
+    return getSupportedCredentials({
       issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
       version: this.version(),
       format,
-      types: void 0
+      types: restrictToInitiationTypes ? [
+        this.getCredentialOfferConfigurationIds()
+      ] : void 0
     });
   }
   async sendNotification(credentialRequestOpts, request, accessToken) {
     return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
   }
-  /* getCredentialOfferTypes(): string[][] {
+  getCredentialOfferConfigurationIds() {
     if (!this.credentialOffer) {
       return [];
-    } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {
-      const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08;
-      const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type;
-      const result: string[][] = [];
-      result[0] = types;
-      return result;
-    } else {
-      return this.credentialOffer.credential_offer.credentials.map((c) => {
-        if (typeof c === 'string') {
-          return [c];
-        } else if ('types' in c) {
-          return c.types;
-        } else if ('vct' in c) {
-          return [c.vct];
-        } else {
-          return c.credential_definition.types;
-        }
-      });
     }
-  }*/
+    return this.credentialOffer.credential_offer?.credential_configuration_ids ?? [];
+  }
   issuerSupportedFlowTypes() {
-    return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
-      AuthzFlowType4.AUTHORIZATION_CODE_FLOW
+    return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
+      AuthzFlowType2.AUTHORIZATION_CODE_FLOW
     ] : []);
   }
   isFlowTypeSupported(flowType) {
     return this.issuerSupportedFlowTypes().includes(flowType);
   }
-  hasAuthorizationURL() {
-    return !!this.authorizationURL;
-  }
   get authorizationURL() {
     return this._state.authorizationURL;
   }
+  hasAuthorizationURL() {
+    return !!this.authorizationURL;
+  }
   get credentialOffer() {
     return this._state.credentialOffer;
   }
   version() {
-    return this.credentialOffer?.version ?? OpenId4VCIVersion15.VER_1_0_13;
+    return OpenId4VCIVersion8.VER_1_0_15;
   }
   get endpointMetadata() {
     this.assertServerMetadata();
@@ -3989,13 +2429,16 @@ ${JSON.stringify(response.errorBody)}`);
   get dpopResponseParams() {
     return this._state.dpopResponseParams;
   }
+  get state() {
+    return this._state;
+  }
   getIssuer() {
     this.assertIssuerData();
     return this._state.credentialIssuer;
   }
   getAccessTokenEndpoint() {
     this.assertIssuerData();
-    return this.endpointMetadata ? this.endpointMetadata.token_endpoint : AccessTokenClient.determineTokenURL({
+    return this.endpointMetadata?.token_endpoint ?? AccessTokenClient.determineTokenURL({
       issuerOpts: {
         issuer: this.getIssuer()
       }
@@ -4003,34 +2446,30 @@ ${JSON.stringify(response.errorBody)}`);
   }
   getCredentialEndpoint() {
     this.assertIssuerData();
-    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+    return this.endpointMetadata?.credential_endpoint ?? `${this.getIssuer()}/credential`;
+  }
+  getNonceEndpoint() {
+    return this.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint;
+  }
+  hasNonceEndpoint() {
+    return !!this.getNonceEndpoint();
+  }
+  getAuthorizationChallengeEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata?.authorization_challenge_endpoint;
+  }
+  hasAuthorizationChallengeEndpoint() {
+    return !!this.getAuthorizationChallengeEndpoint();
   }
   hasDeferredCredentialEndpoint() {
-    return !!this.getAccessTokenEndpoint();
+    return !!this.endpointMetadata?.deferred_credential_endpoint;
   }
   getDeferredCredentialEndpoint() {
     this.assertIssuerData();
-    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+    return this.endpointMetadata?.deferred_credential_endpoint;
   }
-  /**
-  * Too bad we need a method like this, but EBSI is not exposing metadata
-  */
   isEBSI() {
-    const credentialOffer = this.credentialOffer?.credential_offer;
-    if (credentialOffer?.credential_configuration_ids) {
-      const credentialConfigurations = this.endpointMetadata.credentialIssuerMetadata?.credential_configurations_supported;
-      if (credentialConfigurations) {
-        const isEBSITrustFramework = credentialOffer.credential_configuration_ids.map((id) => credentialConfigurations[id]).filter((config) => (
-          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-          // @ts-ignore
-          config !== void 0 && "trust_framework" in config && "name" in config.trust_framework
-        )).some((config) => config.trust_framework.name.includes("ebsi"));
-        if (isEBSITrustFramework) {
-          return true;
-        }
-      }
-    }
-    return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
+    return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
   }
   assertIssuerData() {
     if (!this._state.credentialIssuer) {
@@ -4050,13 +2489,20 @@ ${JSON.stringify(response.errorBody)}`);
     }
   }
   syncAuthorizationRequestOpts(opts) {
+    const requestObjectOpts = {
+      ...this._state?.authorizationRequestOpts?.requestObjectOpts,
+      ...opts?.requestObjectOpts
+    };
     let authorizationRequestOpts = {
       ...this._state?.authorizationRequestOpts,
-      ...opts
+      ...opts,
+      ...requestObjectOpts && {
+        requestObjectOpts
+      }
     };
     if (!authorizationRequestOpts) {
       authorizationRequestOpts = {
-        redirectUri: `${DefaultURISchemes2.CREDENTIAL_OFFER}://`
+        redirectUri: `${DefaultURISchemes.CREDENTIAL_OFFER}://`
       };
     }
     const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
@@ -4067,7 +2513,7 @@ ${JSON.stringify(response.errorBody)}`);
   getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
     if (authorizationResponse) {
       this._state.authorizationCodeResponse = {
-        ...toAuthorizationResponsePayload2(authorizationResponse)
+        ...toAuthorizationResponsePayload(authorizationResponse)
       };
     } else if (code) {
       this._state.authorizationCodeResponse = {
@@ -4078,17 +2524,15 @@ ${JSON.stringify(response.errorBody)}`);
   }, "getAuthorizationCode");
 };
 
-// lib/OpenID4VCIClientV1_0_11.ts
-import { AuthzFlowType as AuthzFlowType5, CodeChallengeMethod as CodeChallengeMethod6, DefaultURISchemes as DefaultURISchemes3, getClientIdFromCredentialOfferPayload as getClientIdFromCredentialOfferPayload5, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload10, getSupportedCredentials as getSupportedCredentials3, getTypesFromCredentialSupported as getTypesFromCredentialSupported3, getTypesFromObject as getTypesFromObject2, KID_JWK_X5C_ERROR as KID_JWK_X5C_ERROR3, OpenId4VCIVersion as OpenId4VCIVersion16, toAuthorizationResponsePayload as toAuthorizationResponsePayload3 } from "@sphereon/oid4vci-common";
-import { Loggers as Loggers14 } from "@sphereon/ssi-types";
-var logger14 = Loggers14.DEFAULT.get("sphereon:oid4vci");
-var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
+// lib/OpenID4VCIClient.ts
+var logger8 = Loggers8.DEFAULT.get("sphereon:oid4vci");
+var OpenID4VCIClient = class _OpenID4VCIClient {
   static {
-    __name(this, "OpenID4VCIClientV1_0_11");
+    __name(this, "OpenID4VCIClient");
   }
   _state;
-  constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
-    const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload10(credentialOffer.credential_offer) : void 0);
+  constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
+    const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload6(credentialOffer.credential_offer) : void 0);
     if (!issuer) {
       throw Error("No credential issuer supplied or deduced from offer");
     }
@@ -4098,14 +2542,15 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
       kid,
       alg,
       // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
-      clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload5(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
+      clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload3(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
       pkce: {
         disabled: false,
-        codeChallengeMethod: CodeChallengeMethod6.S256,
+        codeChallengeMethod: CodeChallengeMethod4.S256,
         ...pkce
       },
       authorizationRequestOpts,
       authorizationCodeResponse,
+      accessToken,
       jwk,
       endpointMetadata,
       accessTokenResponse,
@@ -4114,16 +2559,17 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
     if (!this._state.authorizationRequestOpts) {
       this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
     }
-    logger14.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
+    logger8.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
   }
-  static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
-    const client = new _OpenID4VCIClientV1_0_11({
+  static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
+    const client = new _OpenID4VCIClient({
       kid,
       alg,
       clientId: clientId ?? authorizationRequest?.clientId,
       credentialIssuer,
       pkce,
-      authorizationRequest
+      authorizationRequest,
+      endpointMetadata
     });
     if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
       await client.retrieveServerMetadata();
@@ -4138,29 +2584,30 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
   }
   static async fromState({ state }) {
     const clientState = typeof state === "string" ? JSON.parse(state) : state;
-    return new _OpenID4VCIClientV1_0_11(clientState);
+    return new _OpenID4VCIClient(clientState);
   }
-  static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri }) {
-    const credentialOfferClient = await CredentialOfferClientV1_0_11.fromURI(uri, {
+  static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, endpointMetadata }) {
+    const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
       resolve: resolveOfferUri
     });
-    const client = new _OpenID4VCIClientV1_0_11({
+    const client = new _OpenID4VCIClient({
       credentialOffer: credentialOfferClient,
       kid,
       alg,
       clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
       pkce,
-      authorizationRequest
+      authorizationRequest,
+      endpointMetadata
     });
     if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
       await client.retrieveServerMetadata();
     }
-    if (credentialOfferClient.supportedFlows.includes(AuthzFlowType5.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
+    if (credentialOfferClient.supportedFlows.includes(AuthzFlowType3.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
       await client.createAuthorizationRequestUrl({
         authorizationRequest,
         pkce
       });
-      logger14.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
+      logger8.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
     }
     return client;
   }
@@ -4180,12 +2627,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
       if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
         this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
       }
-      this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
+      this._state.authorizationURL = await createAuthorizationRequestUrl({
         pkce: this._state.pkce,
         endpointMetadata: this.endpointMetadata,
         authorizationRequest: this._state.authorizationRequestOpts,
         credentialOffer: this.credentialOffer,
-        credentialsSupported: Object.values(this.getCredentialsSupported())
+        credentialConfigurationSupported: this.getCredentialsSupported()
       });
     }
     return this._state.authorizationURL;
@@ -4194,9 +2641,9 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
     this.assertIssuerData();
     if (!this._state.endpointMetadata) {
       if (this.credentialOffer) {
-        this._state.endpointMetadata = await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+        this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
       } else if (this._state.credentialIssuer) {
-        this._state.endpointMetadata = await MetadataClientV1_0_11.retrieveAllMetadata(this._state.credentialIssuer);
+        this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
       } else {
         throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
       }
@@ -4217,12 +2664,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
       ...opts
     });
     if (response.errorBody) {
-      logger14.debug(`Authorization code error:\r
+      logger8.debug(`Authorization code error:\r
 ${JSON.stringify(response.errorBody)}`);
       const error = response.errorBody;
       return Promise.reject(error);
     } else if (!response.successBody) {
-      logger14.debug(`Authorization code error. No success body`);
+      logger8.debug(`Authorization code error. No success body`);
       return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
     }
     return {
@@ -4240,6 +2687,24 @@ ${JSON.stringify(response.errorBody)}`);
     const asOpts = {
       ...opts?.asOpts
     };
+    const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
+    const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
+    if (this.isEBSI() || clientId && kid) {
+      if (!clientId) {
+        throw Error(`Client id expected for EBSI`);
+      }
+      asOpts.clientOpts = {
+        ...asOpts.clientOpts,
+        clientId,
+        ...kid && {
+          kid
+        },
+        ...clientAssertionType && {
+          clientAssertionType
+        },
+        signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
+      };
+    }
     if (clientId) {
       this._state.clientId = clientId;
       if (!asOpts.clientOpts) {
@@ -4250,31 +2715,13 @@ ${JSON.stringify(response.errorBody)}`);
       asOpts.clientOpts.clientId = clientId;
     }
     if (!this._state.accessTokenResponse) {
-      const accessTokenClient = new AccessTokenClientV1_0_11();
+      const accessTokenClient = new AccessTokenClient();
       if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
         console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
       }
       if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
         redirectUri = this._state.authorizationRequestOpts.redirectUri;
       }
-      const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
-      const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
-      if (this.isEBSI() || clientId && kid) {
-        if (!clientId) {
-          throw Error(`Client id expected for EBSI`);
-        }
-        asOpts.clientOpts = {
-          ...asOpts.clientOpts,
-          clientId,
-          ...kid && {
-            kid
-          },
-          ...clientAssertionType && {
-            clientAssertionType
-          },
-          signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
-        };
-      }
       const response = await accessTokenClient.acquireAccessToken({
         credentialOffer: this.credentialOffer,
         metadata: this.endpointMetadata,
@@ -4294,16 +2741,19 @@ ${JSON.stringify(response.errorBody)}`);
         }
       });
       if (response.errorBody) {
-        logger14.debug(`Access token error:\r
+        logger8.debug(`Access token error:\r
 ${JSON.stringify(response.errorBody)}`);
         throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
       } else if (!response.successBody) {
-        logger14.debug(`Access token error. No success body`);
+        logger8.debug(`Access token error. No success body`);
         throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
       }
       this._state.accessTokenResponse = response.successBody;
       this._state.dpopResponseParams = response.params;
       this._state.accessToken = response.successBody.access_token;
+      if (response.successBody.c_nonce) {
+        this._state.cachedCNonce = response.successBody.c_nonce;
+      }
     }
     return {
       ...this.accessTokenResponse,
@@ -4317,22 +2767,34 @@ ${JSON.stringify(response.errorBody)}`);
       jwk,
       kid
     ].filter((v) => v !== void 0).length > 1) {
-      throw new Error(KID_JWK_X5C_ERROR3 + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
+      throw new Error(KID_JWK_X5C_ERROR2 + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
     }
     if (alg) this._state.alg = alg;
     if (jwk) this._state.jwk = jwk;
     if (kid) this._state.kid = kid;
-    const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
+    if (this.version() === OpenId4VCIVersion9.VER_1_0_15 && this.hasNonceEndpoint()) {
+      if (!this._state.cachedCNonce) {
+        try {
+          await this.acquireNonceViaV15Delegate();
+        } catch (e) {
+          return Promise.reject(Error(`failed to acquire nonce: ${String(e)}`));
+        }
+      }
+    }
+    let requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
       credentialOffer: this.credentialOffer,
       metadata: this.endpointMetadata
-    }) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
+    }) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
       credentialIssuer: this.getIssuer(),
       credentialTypes,
       metadata: this.endpointMetadata,
       version: this.version()
     });
+    const issuerState = this.issuerSupportedFlowTypes().includes(AuthzFlowType3.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
+    requestBuilder.withIssuerState(issuerState);
     requestBuilder.withTokenFromResponse(this.accessTokenResponse);
     requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
+    let subjectIssuance;
     if (this.endpointMetadata?.credentialIssuerMetadata) {
       const metadata = this.endpointMetadata.credentialIssuerMetadata;
       const types = Array.isArray(credentialTypes) ? credentialTypes : [
@@ -4341,9 +2803,14 @@ ${JSON.stringify(response.errorBody)}`);
       if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
         let typeSupported = false;
         metadata.credentials_supported.forEach((supportedCredential) => {
-          const subTypes = getTypesFromCredentialSupported3(supportedCredential);
+          const subTypes = getTypesFromCredentialSupported(supportedCredential);
           if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
             typeSupported = true;
+            if (supportedCredential.credential_subject_issuance) {
+              subjectIssuance = {
+                credential_subject_issuance: supportedCredential.credential_subject_issuance
+              };
+            }
           }
         });
         if (!typeSupported) {
@@ -4356,89 +2823,124 @@ ${JSON.stringify(response.errorBody)}`);
         }
       }
     }
-    const credentialRequestClient = requestBuilder.build();
-    const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
-      accessTokenResponse: this.accessTokenResponse,
-      callbacks: proofCallbacks,
-      version: this.version()
-    }).withIssuer(this.getIssuer()).withAlg(this.alg);
-    if (this._state.jwk) {
-      proofBuilder.withJWK(this._state.jwk);
-    }
-    if (this._state.kid) {
-      proofBuilder.withKid(this._state.kid);
-    }
-    if (this.clientId) {
-      proofBuilder.withClientId(this.clientId);
-    }
-    if (jti) {
-      proofBuilder.withJti(jti);
+    if (subjectIssuance) {
+      requestBuilder.withSubjectIssuance(subjectIssuance);
     }
-    const response = await credentialRequestClient.acquireCredentialsUsingProof({
-      proofInput: proofBuilder,
-      credentialTypes,
-      context,
-      format,
-      createDPoPOpts
-    });
-    this._state.dpopResponseParams = response.params;
-    if (response.errorBody) {
-      logger14.debug(`Credential request error:\r
+    const credentialRequestClient = requestBuilder.build();
+    try {
+      const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
+        accessTokenResponse: this.accessTokenResponse,
+        callbacks: proofCallbacks,
+        version: this.version()
+      }).withIssuer(this.getIssuer()).withAlg(this.alg);
+      if (this._state.jwk) {
+        proofBuilder.withJWK(this._state.jwk);
+      }
+      if (this._state.kid) {
+        proofBuilder.withKid(this._state.kid);
+      }
+      if (this.clientId && (!this.credentialOffer || this.credentialOffer.supportedFlows.includes(AuthzFlowType3.AUTHORIZATION_CODE_FLOW) && !this.credentialOffer.preAuthorizedCode)) {
+        proofBuilder.withClientId(this.clientId);
+      }
+      if (jti) {
+        proofBuilder.withJti(jti);
+      }
+      if ("cachedCNonce" in this._state && this._state.cachedCNonce) {
+        proofBuilder.withAccessTokenNonce(this._state.cachedCNonce);
+      }
+      const response = await credentialRequestClient.acquireCredentialsUsingProof({
+        proofInput: proofBuilder,
+        credentialTypes,
+        context,
+        format,
+        subjectIssuance,
+        createDPoPOpts
+      });
+      this._state.dpopResponseParams = response.params;
+      if (response.errorBody) {
+        logger8.debug(`Credential request error:\r
 ${JSON.stringify(response.errorBody)}`);
-      throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
-    } else if (!response.successBody) {
-      logger14.debug(`Credential request error. No success body`);
-      throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
-    }
-    return {
-      ...response.successBody,
-      ...this.dpopResponseParams && {
-        params: this.dpopResponseParams
+        throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
+      } else if (!response.successBody) {
+        logger8.debug(`Credential request error. No success body`);
+        throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
       }
-    };
+      return {
+        ...response.successBody,
+        ...this.dpopResponseParams && {
+          params: this.dpopResponseParams
+        },
+        access_token: response.access_token
+      };
+    } catch (e) {
+      if (!this.shouldRetryWithFreshNonce(e)) {
+        return Promise.reject(e instanceof Error ? e : Error(String(e)));
+      }
+      this._state.cachedCNonce = void 0;
+      try {
+        await this.acquireNonceViaV15Delegate();
+      } catch (e2) {
+        return Promise.reject(Error(`retry nonce fetch failed: ${String(e2)}`));
+      }
+      const proofBuilder2 = ProofOfPossessionBuilder.fromAccessTokenResponse({
+        accessTokenResponse: this.accessTokenResponse,
+        callbacks: proofCallbacks,
+        version: this.version()
+      }).withIssuer(this.getIssuer()).withAlg(this.alg);
+      if (this._state.jwk) {
+        proofBuilder2.withJWK(this._state.jwk);
+      }
+      if (this._state.kid) {
+        proofBuilder2.withKid(this._state.kid);
+      }
+      if (this.clientId) {
+        proofBuilder2.withClientId(this.clientId);
+      }
+      if (jti) {
+        proofBuilder2.withJti(jti);
+      }
+      const response2 = await credentialRequestClient.acquireCredentialsUsingProof({
+        proofInput: proofBuilder2,
+        credentialTypes,
+        context,
+        format,
+        subjectIssuance,
+        createDPoPOpts
+      });
+      this._state.dpopResponseParams = response2.params;
+      if (response2.errorBody) {
+        logger8.debug(`Credential request error (after retry):\r
+${JSON.stringify(response2.errorBody)}`);
+        return Promise.reject(Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed after retry with status: ${response2.origResponse.status}`));
+      } else if (!response2.successBody) {
+        logger8.debug(`Credential request error after retry. No success body`);
+        return Promise.reject(Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed after retry as there was no success response body`));
+      }
+      return {
+        ...response2.successBody,
+        ...this.dpopResponseParams && {
+          params: this.dpopResponseParams
+        },
+        access_token: response2.access_token
+      };
+    }
   }
   async exportState() {
     return JSON.stringify(this._state);
   }
-  // FIXME: We really should convert <v11 to v12 objects first. Right now the logic doesn't map nicely and is brittle.
-  // We should resolve IDs to objects first in case of strings.
-  // When < v11 convert into a v12 object. When v12 object retain it.
-  // Then match the object array on server metadata
-  getCredentialsSupportedV11(restrictToInitiationTypes, format) {
-    return getSupportedCredentials3({
-      issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
-      version: this.version(),
-      format,
-      types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
-    });
-  }
   getCredentialsSupported(format) {
-    return getSupportedCredentials3({
+    return getSupportedCredentials2({
       issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
       version: this.version(),
-      format,
-      types: void 0
+      format
     });
   }
-  getCredentialOfferTypes() {
-    if (!this.credentialOffer) {
-      return [];
-    } else if (this.credentialOffer.version < OpenId4VCIVersion16.VER_1_0_11) {
-      const orig = this.credentialOffer.original_credential_offer;
-      const types = typeof orig.credential_type === "string" ? [
-        orig.credential_type
-      ] : orig.credential_type;
-      const result = [];
-      result[0] = types;
-      return result;
-    } else if (this.credentialOffer.version < OpenId4VCIVersion16.VER_1_0_13) {
-      return this.credentialOffer.credential_offer.credentials.map((c) => getTypesFromObject2(c) ?? []);
-    }
-    throw Error(`This class only supports version 11 and lower! Version: ${this.version()}`);
+  async sendNotification(credentialRequestOpts, request, accessToken) {
+    return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
   }
   issuerSupportedFlowTypes() {
-    return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
-      AuthzFlowType5.AUTHORIZATION_CODE_FLOW
+    return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
+      AuthzFlowType3.AUTHORIZATION_CODE_FLOW
     ] : []);
   }
   isFlowTypeSupported(flowType) {
@@ -4454,7 +2956,17 @@ ${JSON.stringify(response.errorBody)}`);
     return this._state.credentialOffer;
   }
   version() {
-    return this.credentialOffer?.version ?? OpenId4VCIVersion16.VER_1_0_11;
+    if (this.credentialOffer?.version && this.credentialOffer.version !== OpenId4VCIVersion9.VER_UNKNOWN) {
+      return this.credentialOffer.version;
+    }
+    const metadata = this._state.endpointMetadata;
+    if (metadata?.credentialIssuerMetadata) {
+      const versions = determineVersionsFromIssuerMetadata(metadata.credentialIssuerMetadata);
+      if (versions.length > 0 && !versions.includes(OpenId4VCIVersion9.VER_UNKNOWN)) {
+        return versions[0];
+      }
+    }
+    return OpenId4VCIVersion9.VER_1_0_15;
   }
   get endpointMetadata() {
     this.assertServerMetadata();
@@ -4496,7 +3008,10 @@ ${JSON.stringify(response.errorBody)}`);
   }
   getAccessTokenEndpoint() {
     this.assertIssuerData();
-    return this.endpointMetadata ? this.endpointMetadata.token_endpoint : AccessTokenClientV1_0_11.determineTokenURL({
+    if (this.endpointMetadata) {
+      return this.endpointMetadata.token_endpoint;
+    }
+    return AccessTokenClient.determineTokenURL({
       issuerOpts: {
         issuer: this.getIssuer()
       }
@@ -4506,6 +3021,13 @@ ${JSON.stringify(response.errorBody)}`);
     this.assertIssuerData();
     return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
   }
+  getAuthorizationChallengeEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata?.authorization_challenge_endpoint;
+  }
+  hasAuthorizationChallengeEndpoint() {
+    return !!this.getAuthorizationChallengeEndpoint();
+  }
   hasDeferredCredentialEndpoint() {
     return !!this.getAccessTokenEndpoint();
   }
@@ -4517,13 +3039,6 @@ ${JSON.stringify(response.errorBody)}`);
   * Too bad we need a method like this, but EBSI is not exposing metadata
   */
   isEBSI() {
-    if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
-      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-      // @ts-ignore
-      typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
-    ))) {
-      return true;
-    }
     return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
   }
   assertIssuerData() {
@@ -4544,13 +3059,20 @@ ${JSON.stringify(response.errorBody)}`);
     }
   }
   syncAuthorizationRequestOpts(opts) {
+    const requestObjectOpts = {
+      ...this._state?.authorizationRequestOpts?.requestObjectOpts,
+      ...opts?.requestObjectOpts
+    };
     let authorizationRequestOpts = {
       ...this._state?.authorizationRequestOpts,
-      ...opts
+      ...opts,
+      ...requestObjectOpts && {
+        requestObjectOpts
+      }
     };
     if (!authorizationRequestOpts) {
       authorizationRequestOpts = {
-        redirectUri: `${DefaultURISchemes3.CREDENTIAL_OFFER}://`
+        redirectUri: `${DefaultURISchemes2.CREDENTIAL_OFFER}://`
       };
     }
     const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
@@ -4561,7 +3083,7 @@ ${JSON.stringify(response.errorBody)}`);
   getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
     if (authorizationResponse) {
       this._state.authorizationCodeResponse = {
-        ...toAuthorizationResponsePayload3(authorizationResponse)
+        ...toAuthorizationResponsePayload2(authorizationResponse)
       };
     } else if (code) {
       this._state.authorizationCodeResponse = {
@@ -4570,28 +3092,68 @@ ${JSON.stringify(response.errorBody)}`);
     }
     return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
   }, "getAuthorizationCode");
+  hasNonceEndpoint() {
+    const endpoint = this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint;
+    return typeof endpoint === "string" && endpoint.length > 0;
+  }
+  async acquireNonceViaV15Delegate() {
+    const state = this._state;
+    let v15Client;
+    try {
+      v15Client = await OpenID4VCIClientV1_0_15.fromState({
+        state
+      });
+    } catch (e) {
+      return Promise.reject(Error(`failed to init v15 delegate for nonce: ${String(e)}`));
+    }
+    try {
+      await v15Client.acquireNonce();
+    } catch (e) {
+      return Promise.reject(Error(`nonce request failed: ${String(e)}`));
+    }
+    state.cachedCNonce = v15Client.state.cachedCNonce;
+  }
+  shouldRetryWithFreshNonce(err) {
+    if (!this.hasNonceEndpoint() && this.version() !== OpenId4VCIVersion9.VER_1_0_15) {
+      return false;
+    }
+    const status = err?.response?.status ?? err?.status;
+    const body = err?.response?.data ?? err?.data ?? void 0;
+    const error = typeof body?.error === "string" ? body.error : void 0;
+    const desc = typeof body?.error_description === "string" ? body.error_description : void 0;
+    const text = [
+      error,
+      desc
+    ].filter(Boolean).join(" ").toLowerCase();
+    if (status === 400 || status === 401 || status === 403) {
+      if (text.includes("nonce") || text.includes("c_nonce")) {
+        return true;
+      }
+      if (text.includes("proof") && (text.includes("invalid") || text.includes("expired"))) {
+        return true;
+      }
+      if (error === "invalid_proof" || error === "invalid_request") {
+        return true;
+      }
+    }
+    return false;
+  }
 };
 
 // lib/index.ts
 var LOG2 = VCI_LOGGERS2.get("sphereon:oid4vci:client");
 export {
   AccessTokenClient,
-  AccessTokenClientV1_0_11,
   CredentialOfferClient,
-  CredentialOfferClientV1_0_11,
-  CredentialOfferClientV1_0_13,
+  CredentialOfferClientV1_0_15,
   CredentialRequestClient,
   CredentialRequestClientBuilder,
-  CredentialRequestClientBuilderV1_0_11,
-  CredentialRequestClientBuilderV1_0_13,
-  CredentialRequestClientV1_0_11,
+  CredentialRequestClientBuilderV1_0_15,
   LOG2 as LOG,
   MetadataClient,
-  MetadataClientV1_0_11,
-  MetadataClientV1_0_13,
+  MetadataClientV1_0_15,
   OpenID4VCIClient,
-  OpenID4VCIClientV1_0_11,
-  OpenID4VCIClientV1_0_13,
+  OpenID4VCIClientV1_0_15,
   ProofOfPossessionBuilder,
   acquireAuthorizationChallengeAuthCode,
   acquireAuthorizationChallengeAuthCodeUsingRequest,
@@ -4599,7 +3161,6 @@ export {
   constructBaseResponse,
   createAuthorizationChallengeRequest,
   createAuthorizationRequestUrl,
-  createAuthorizationRequestUrlV1_0_11,
   createJwtBearerClientAssertion,
   createSignedAuthRequestWhenNeeded,
   generateMissingPKCEOpts,