@sphereon/oid4vci-client 0.19.1-next.2 → 0.19.1-next.226

package/dist/index.cjs CHANGED
@@ -1,7 +1,9 @@
1
1
  "use strict";
2
+ var __create = Object.create;
2
3
  var __defProp = Object.defineProperty;
3
4
  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
4
5
  var __getOwnPropNames = Object.getOwnPropertyNames;
6
+ var __getProtoOf = Object.getPrototypeOf;
5
7
  var __hasOwnProp = Object.prototype.hasOwnProperty;
6
8
  var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
7
9
  var __export = (target, all) => {
@@ -16,28 +18,30 @@ var __copyProps = (to, from, except, desc) => {
16
18
  }
17
19
  return to;
18
20
  };
21
+ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
22
+ // If the importer is in node compatibility mode or this is not an ESM
23
+ // file that has been converted to a CommonJS file using a Babel-
24
+ // compatible transform (i.e. "__esModule" has not been set), then set
25
+ // "default" to the CommonJS "module.exports" for node compatibility.
26
+ isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
27
+ mod
28
+ ));
19
29
  var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
20
30
 
21
31
  // lib/index.ts
22
32
  var index_exports = {};
23
33
  __export(index_exports, {
24
34
  AccessTokenClient: () => AccessTokenClient,
25
- AccessTokenClientV1_0_11: () => AccessTokenClientV1_0_11,
26
35
  CredentialOfferClient: () => CredentialOfferClient,
27
- CredentialOfferClientV1_0_11: () => CredentialOfferClientV1_0_11,
28
- CredentialOfferClientV1_0_13: () => CredentialOfferClientV1_0_13,
36
+ CredentialOfferClientV1_0_15: () => CredentialOfferClientV1_0_15,
29
37
  CredentialRequestClient: () => CredentialRequestClient,
30
38
  CredentialRequestClientBuilder: () => CredentialRequestClientBuilder,
31
- CredentialRequestClientBuilderV1_0_11: () => CredentialRequestClientBuilderV1_0_11,
32
- CredentialRequestClientBuilderV1_0_13: () => CredentialRequestClientBuilderV1_0_13,
33
- CredentialRequestClientV1_0_11: () => CredentialRequestClientV1_0_11,
39
+ CredentialRequestClientBuilderV1_0_15: () => CredentialRequestClientBuilderV1_0_15,
34
40
  LOG: () => LOG2,
35
41
  MetadataClient: () => MetadataClient,
36
- MetadataClientV1_0_11: () => MetadataClientV1_0_11,
37
- MetadataClientV1_0_13: () => MetadataClientV1_0_13,
42
+ MetadataClientV1_0_15: () => MetadataClientV1_0_15,
38
43
  OpenID4VCIClient: () => OpenID4VCIClient,
39
- OpenID4VCIClientV1_0_11: () => OpenID4VCIClientV1_0_11,
40
- OpenID4VCIClientV1_0_13: () => OpenID4VCIClientV1_0_13,
44
+ OpenID4VCIClientV1_0_15: () => OpenID4VCIClientV1_0_15,
41
45
  ProofOfPossessionBuilder: () => ProofOfPossessionBuilder,
42
46
  acquireAuthorizationChallengeAuthCode: () => acquireAuthorizationChallengeAuthCode,
43
47
  acquireAuthorizationChallengeAuthCodeUsingRequest: () => acquireAuthorizationChallengeAuthCodeUsingRequest,
@@ -45,7 +49,6 @@ __export(index_exports, {
45
49
  constructBaseResponse: () => constructBaseResponse,
46
50
  createAuthorizationChallengeRequest: () => createAuthorizationChallengeRequest,
47
51
  createAuthorizationRequestUrl: () => createAuthorizationRequestUrl,
48
- createAuthorizationRequestUrlV1_0_11: () => createAuthorizationRequestUrlV1_0_11,
49
52
  createJwtBearerClientAssertion: () => createJwtBearerClientAssertion,
50
53
  createSignedAuthRequestWhenNeeded: () => createSignedAuthRequestWhenNeeded,
51
54
  generateMissingPKCEOpts: () => generateMissingPKCEOpts,
@@ -56,17 +59,13 @@ __export(index_exports, {
56
59
  sendNotification: () => sendNotification
57
60
  });
58
61
  module.exports = __toCommonJS(index_exports);
59
- var import_oid4vci_common26 = require("@sphereon/oid4vci-common");
62
+ var import_oid4vci_common20 = require("@sphereon/oid4vci-common");
60
63
 
61
64
  // lib/AccessTokenClient.ts
62
65
  var import_oid4vc_common3 = require("@sphereon/oid4vc-common");
63
66
  var import_oid4vci_common9 = require("@sphereon/oid4vci-common");
64
67
  var import_ssi_types4 = require("@sphereon/ssi-types");
65
68
 
66
- // lib/MetadataClientV1_0_13.ts
67
- var import_oid4vci_common8 = require("@sphereon/oid4vci-common");
68
- var import_ssi_types3 = require("@sphereon/ssi-types");
69
-
70
69
  // lib/functions/AuthorizationUtil.ts
71
70
  var import_oid4vci_common = require("@sphereon/oid4vci-common");
72
71
  var generateMissingPKCEOpts = /* @__PURE__ */ __name((pkce) => {
@@ -151,7 +150,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
151
150
  }
152
151
  proof;
153
152
  callbacks;
154
- version;
153
+ // private readonly version: OpenId4VCIVersion
155
154
  mode = "pop";
156
155
  kid;
157
156
  jwk;
@@ -167,11 +166,10 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
167
166
  this.mode = mode;
168
167
  this.proof = proof;
169
168
  this.callbacks = callbacks;
170
- this.version = version;
171
169
  if (jwt) {
172
170
  this.withJwt(jwt);
173
171
  } else {
174
- this.withTyp(version < import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11 || mode === "JWT" ? "JWT" : "openid4vci-proof+jwt");
172
+ this.withTyp(mode === "JWT" ? "JWT" : "openid4vci-proof+jwt");
175
173
  }
176
174
  if (accessTokenResponse) {
177
175
  this.withAccessTokenResponse(accessTokenResponse);
@@ -236,7 +234,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
236
234
  return this;
237
235
  }
238
236
  withTyp(typ) {
239
- if (this.mode === "pop" && this.version >= import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11) {
237
+ if (this.mode === "pop") {
240
238
  if (!!typ && typ !== "openid4vci-proof+jwt") {
241
239
  throw Error(`typ must be openid4vci-proof+jwt for version 1.0.11 and up. Provided: ${typ}`);
242
240
  }
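Review bot: The error thrown inside `withTyp` still reads "for version 1.0.11 and up", but the new guard `if (this.mode === "pop")` no longer consults a version, so the message describes a condition the code has stopped checking. This header-type check is what keeps a proof JWT from being mistaken for another kind of JWT, so the message should state the rule now enforced, for example `"typ must be openid4vci-proof+jwt when mode is 'pop'. Provided: " + typ`. The class body starts and ends outside this hunk.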
@@ -278,7 +276,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
278
276
  if (jwt.header.typ) {
279
277
  this.withTyp(jwt.header.typ);
280
278
  }
281
- if (!this.typ && this.version >= import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11) {
279
+ if (!this.typ) {
282
280
  this.withTyp("openid4vci-proof+jwt");
283
281
  }
284
282
  this.withAlg(jwt.header.alg);
@@ -298,7 +296,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
298
296
  return Promise.resolve(this.proof);
299
297
  } else if (this.callbacks) {
300
298
  return await (0, import_oid4vci_common5.createProofOfPossession)(this.mode, this.callbacks, {
301
- typ: this.typ ?? (this.version < import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11 || this.mode === "JWT" ? "JWT" : "openid4vci-proof+jwt"),
299
+ typ: this.typ ?? (this.mode === "JWT" ? "JWT" : "openid4vci-proof+jwt"),
302
300
  kid: this.kid,
303
301
  jwk: this.jwk,
304
302
  jti: this.jti,
@@ -351,7 +349,7 @@ var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts
351
349
  const pop = await ProofOfPossessionBuilder.fromJwt({
352
350
  jwt,
353
351
  callbacks: signCallbacks,
354
- version: opts.version ?? import_oid4vci_common6.OpenId4VCIVersion.VER_1_0_13,
352
+ version: opts.version ?? import_oid4vci_common6.OpenId4VCIVersion.VER_1_0_15,
355
353
  mode: "JWT"
356
354
  }).build();
357
355
  request.client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
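Review bot: `version: opts.version ?? ...VER_1_0_15` is still handed to `ProofOfPossessionBuilder.fromJwt`, yet the earlier hunks remove `this.version = version` and every version comparison from the builder, so the value appears to be unused. If the constructor (not visible in these hunks) really ignores it, either drop the argument here or add a comment such as `// version is accepted for API compatibility and no longer affects the typ header`. Otherwise callers may assume `opts.version` still changes the client assertion. The function body starts and ends outside this hunk.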
@@ -361,7 +359,7 @@ var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts
361
359
 
362
360
  // lib/functions/CredentialOfferCommons.ts
363
361
  var import_oid4vci_common7 = require("@sphereon/oid4vci-common");
364
- var import_cross_fetch = require("cross-fetch");
362
+ var import_cross_fetch = __toESM(require("cross-fetch"), 1);
365
363
  function isUriEncoded(str) {
366
364
  const pattern = /%[0-9A-F]{2}/i;
367
365
  return pattern.test(str);
@@ -371,7 +369,7 @@ async function handleCredentialOfferUri(uri) {
371
369
  const uriObj = (0, import_oid4vci_common7.getURIComponentsAsArray)(uri);
372
370
  const credentialOfferUri = decodeURIComponent(uriObj["credential_offer_uri"]);
373
371
  const decodedUri = isUriEncoded(credentialOfferUri) ? decodeURIComponent(credentialOfferUri) : credentialOfferUri;
374
- const response = await (0, import_cross_fetch.fetch)(decodedUri);
372
+ const response = await (0, import_cross_fetch.default)(decodedUri);
375
373
  if (!(response && response.status >= 200 && response.status < 400)) {
376
374
  return Promise.reject(Error(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`));
377
375
  }
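Review bot: `decodedUri` comes from the `credential_offer_uri` parameter of the offer link and goes straight into `import_cross_fetch.default(decodedUri)`, with no scheme or host check visible in this hunk, so whoever authors the offer decides where the client sends a request. A guard before the call, e.g. `if (new URL(decodedUri).protocol !== "https:") return Promise.reject(Error("credential_offer_uri must use https"));`, would reject plain-http and non-http targets; development setups that need http could get an explicit opt-in. The success test `response.status < 400` also lets a 3xx through as success, and `response.ok` may be closer to the intent. `handleCredentialOfferUri` continues outside the hunk.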
@@ -406,11 +404,54 @@ function constructBaseResponse(request, scheme, baseUrl) {
406
404
  }
407
405
  __name(constructBaseResponse, "constructBaseResponse");
408
406
 
409
- // lib/MetadataClientV1_0_13.ts
407
+ // lib/functions/dpopUtil.ts
408
+ var import_oid4vc_common2 = require("@sphereon/oid4vc-common");
409
+ function shouldRetryTokenRequestWithDPoPNonce(response) {
410
+ if (!response.errorBody || response.errorBody.error !== import_oid4vc_common2.dpopTokenRequestNonceError) {
411
+ return {
412
+ ok: false
413
+ };
414
+ }
415
+ const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
416
+ if (!dPoPNonce) {
417
+ throw new Error("Missing required DPoP-Nonce header.");
418
+ }
419
+ return {
420
+ ok: true,
421
+ dpopNonce: dPoPNonce
422
+ };
423
+ }
424
+ __name(shouldRetryTokenRequestWithDPoPNonce, "shouldRetryTokenRequestWithDPoPNonce");
425
+ function shouldRetryResourceRequestWithDPoPNonce(response) {
426
+ if (!response.errorBody || response.origResponse.status !== 401) {
427
+ return {
428
+ ok: false
429
+ };
430
+ }
431
+ const wwwAuthenticateHeader = response.origResponse.headers.get("WWW-Authenticate");
432
+ if (!wwwAuthenticateHeader?.includes(import_oid4vc_common2.dpopTokenRequestNonceError)) {
433
+ return {
434
+ ok: false
435
+ };
436
+ }
437
+ const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
438
+ if (!dPoPNonce) {
439
+ throw new Error("Missing required DPoP-Nonce header.");
440
+ }
441
+ return {
442
+ ok: true,
443
+ dpopNonce: dPoPNonce
444
+ };
445
+ }
446
+ __name(shouldRetryResourceRequestWithDPoPNonce, "shouldRetryResourceRequestWithDPoPNonce");
447
+
448
+ // lib/MetadataClientV1_0_15.ts
449
+ var import_oid4vci_common8 = require("@sphereon/oid4vci-common");
450
+ var import_ssi_types3 = require("@sphereon/ssi-types");
410
451
  var logger2 = import_ssi_types3.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
411
- var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
452
+ var MetadataClientV1_0_15 = class _MetadataClientV1_0_15 {
412
453
  static {
413
- __name(this, "MetadataClientV1_0_13");
454
+ __name(this, "MetadataClientV1_0_15");
414
455
  }
415
456
  /**
416
457
  * Retrieve metadata using the Initiation obtained from a previous step
@@ -418,7 +459,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
418
459
  * @param credentialOffer
419
460
  */
420
461
  static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
421
- return _MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
462
+ return _MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
422
463
  }
423
464
  /**
424
465
  * Retrieve the metada using the initiation request obtained from a previous step
@@ -427,7 +468,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
427
468
  static async retrieveAllMetadataFromCredentialOfferRequest(request) {
428
469
  const issuer = (0, import_oid4vci_common8.getIssuerFromCredentialOfferPayload)(request);
429
470
  if (issuer) {
430
- return _MetadataClientV1_0_13.retrieveAllMetadata(issuer);
471
+ return _MetadataClientV1_0_15.retrieveAllMetadata(issuer);
431
472
  }
432
473
  throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
433
474
  }
@@ -439,6 +480,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
439
480
  static async retrieveAllMetadata(issuer, opts) {
440
481
  let token_endpoint;
441
482
  let credential_endpoint;
483
+ let nonce_endpoint;
442
484
  let deferred_credential_endpoint;
443
485
  let authorization_endpoint;
444
486
  let authorization_challenge_endpoint;
@@ -446,7 +488,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
446
488
  let authorization_servers = [
447
489
  issuer
448
490
  ];
449
- const oid4vciResponse = await _MetadataClientV1_0_13.retrieveOpenID4VCIServerMetadata(issuer, {
491
+ const oid4vciResponse = await _MetadataClientV1_0_15.retrieveOpenID4VCIServerMetadata(issuer, {
450
492
  errorOnNotFound: false
451
493
  });
452
494
  let credentialIssuerMetadata = oid4vciResponse?.successBody;
@@ -454,6 +496,7 @@ var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
454
496
  logger2.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
455
497
  ${JSON.stringify(credentialIssuerMetadata)}`);
456
498
  credential_endpoint = credentialIssuerMetadata.credential_endpoint;
499
+ nonce_endpoint = credentialIssuerMetadata.nonce_endpoint;
457
500
  deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
458
501
  if (credentialIssuerMetadata.token_endpoint) {
459
502
  token_endpoint = credentialIssuerMetadata.token_endpoint;
@@ -481,9 +524,6 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
481
524
  throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
482
525
  }
483
526
  } else {
484
- if (!authorizationServerType) {
485
- authorizationServerType = "OAuth 2.0";
486
- }
487
527
  logger2.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
488
528
  if (!authMetadata.authorization_endpoint) {
489
529
  console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
@@ -538,17 +578,29 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
538
578
  if (!credentialIssuerMetadata && authMetadata) {
539
579
  credentialIssuerMetadata = authMetadata;
540
580
  }
581
+ const ci = credentialIssuerMetadata ?? {};
582
+ const ciAuthorizationServers = Array.isArray(ci.authorization_servers) && ci.authorization_servers.length > 0 ? ci.authorization_servers : authorization_servers;
583
+ const v15CredentialIssuerMetadata = {
584
+ credential_issuer: ci.credential_issuer ?? issuer,
585
+ credential_endpoint,
586
+ authorization_servers: ciAuthorizationServers,
587
+ credential_configurations_supported: ci.credential_configurations_supported ?? {},
588
+ display: ci.display ?? [],
589
+ ...nonce_endpoint && {
590
+ nonce_endpoint
591
+ },
592
+ ...deferred_credential_endpoint && {
593
+ deferred_credential_endpoint
594
+ }
595
+ };
541
596
  logger2.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
542
597
  return {
543
598
  issuer,
544
599
  token_endpoint,
545
600
  credential_endpoint,
546
- deferred_credential_endpoint,
547
- authorization_server: authorization_servers[0],
548
- authorization_endpoint,
549
601
  authorization_challenge_endpoint,
550
602
  authorizationServerType,
551
- credentialIssuerMetadata,
603
+ credentialIssuerMetadata: v15CredentialIssuerMetadata,
552
604
  authorizationServerMetadata: authMetadata
553
605
  };
554
606
  }
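Review bot: `credential_issuer: ci.credential_issuer ?? issuer` copies whatever identifier the fetched document declares, and nothing visible in this hunk compares it with the `issuer` the metadata was requested for. On a mismatch, the endpoints in the result would belong to a different party than the one named in the offer. Consider rejecting that case before building the object, e.g. `if (ci.credential_issuer && ci.credential_issuer !== issuer) throw Error("credential_issuer in metadata does not match the requested issuer");`, normalising a trailing slash first if the project treats those as equal. Two further effects are worth confirming against callers: `v15CredentialIssuerMetadata` keeps only the listed fields, so any other field in the issuer's metadata is dropped, and the return value no longer carries `authorization_endpoint`, `authorization_server` or `deferred_credential_endpoint` at top level. `retrieveAllMetadata` starts outside this hunk.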
@@ -565,47 +617,6 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
565
617
  }
566
618
  };
567
619
 
568
- // lib/functions/dpopUtil.ts
569
- var import_oid4vc_common2 = require("@sphereon/oid4vc-common");
570
- function shouldRetryTokenRequestWithDPoPNonce(response) {
571
- if (!response.errorBody || response.errorBody.error !== import_oid4vc_common2.dpopTokenRequestNonceError) {
572
- return {
573
- ok: false
574
- };
575
- }
576
- const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
577
- if (!dPoPNonce) {
578
- throw new Error("Missing required DPoP-Nonce header.");
579
- }
580
- return {
581
- ok: true,
582
- dpopNonce: dPoPNonce
583
- };
584
- }
585
- __name(shouldRetryTokenRequestWithDPoPNonce, "shouldRetryTokenRequestWithDPoPNonce");
586
- function shouldRetryResourceRequestWithDPoPNonce(response) {
587
- if (!response.errorBody || response.origResponse.status !== 401) {
588
- return {
589
- ok: false
590
- };
591
- }
592
- const wwwAuthenticateHeader = response.origResponse.headers.get("WWW-Authenticate");
593
- if (!wwwAuthenticateHeader?.includes(import_oid4vc_common2.dpopTokenRequestNonceError)) {
594
- return {
595
- ok: false
596
- };
597
- }
598
- const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
599
- if (!dPoPNonce) {
600
- throw new Error("Missing required DPoP-Nonce header.");
601
- }
602
- return {
603
- ok: true,
604
- dpopNonce: dPoPNonce
605
- };
606
- }
607
- __name(shouldRetryResourceRequestWithDPoPNonce, "shouldRetryResourceRequestWithDPoPNonce");
608
-
609
620
  // lib/AccessTokenClient.ts
610
621
  var AccessTokenClient = class _AccessTokenClient {
611
622
  static {
@@ -647,7 +658,7 @@ var AccessTokenClient = class _AccessTokenClient {
647
658
  const requestTokenURL = _AccessTokenClient.determineTokenURL({
648
659
  asOpts,
649
660
  issuerOpts,
650
- metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_13.retrieveAllMetadata(issuerOpts.issuer, {
661
+ metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_15.retrieveAllMetadata(issuerOpts.issuer, {
651
662
  errorOnNotFound: false
652
663
  }) : void 0
653
664
  });
@@ -836,319 +847,108 @@ var AccessTokenClient = class _AccessTokenClient {
836
847
  }
837
848
  };
838
849
 
839
- // lib/AccessTokenClientV1_0_11.ts
840
- var import_oid4vc_common4 = require("@sphereon/oid4vc-common");
850
+ // lib/AuthorizationCodeClient.ts
851
+ var import_oid4vci_common11 = require("@sphereon/oid4vci-common");
852
+ var import_ssi_types6 = require("@sphereon/ssi-types");
853
+
854
+ // lib/MetadataClient.ts
841
855
  var import_oid4vci_common10 = require("@sphereon/oid4vci-common");
842
856
  var import_ssi_types5 = require("@sphereon/ssi-types");
843
- var logger3 = import_ssi_types5.Loggers.DEFAULT.get("sphereon:oid4vci:token");
844
- var AccessTokenClientV1_0_11 = class _AccessTokenClientV1_0_11 {
857
+ var logger3 = import_ssi_types5.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
858
+ var MetadataClient = class _MetadataClient {
845
859
  static {
846
- __name(this, "AccessTokenClientV1_0_11");
860
+ __name(this, "MetadataClient");
847
861
  }
848
- async acquireAccessToken(opts) {
849
- const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts;
850
- const credentialOffer = opts.credentialOffer ? await (0, import_oid4vci_common10.assertedUniformCredentialOffer)(opts.credentialOffer) : void 0;
851
- const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer);
852
- const issuer = opts.credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common10.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : metadata?.issuer);
853
- if (!issuer) {
854
- throw Error("Issuer required at this point");
862
+ /**
863
+ * Retrieve metadata using the Initiation obtained from a previous step
864
+ *
865
+ * @param credentialOffer
866
+ */
867
+ static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
868
+ const openId4VCIVersion = (0, import_oid4vci_common10.determineSpecVersionFromOffer)(credentialOffer.credential_offer);
869
+ if (openId4VCIVersion >= import_oid4vci_common10.OpenId4VCIVersion.VER_1_0_15) {
870
+ return await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(credentialOffer);
855
871
  }
856
- const issuerOpts = {
857
- issuer
858
- };
859
- return await this.acquireAccessTokenUsingRequest({
860
- accessTokenRequest: await this.createAccessTokenRequest({
861
- credentialOffer,
862
- asOpts,
863
- codeVerifier,
864
- code,
865
- redirectUri,
866
- pin,
867
- credentialIssuer: issuer,
868
- metadata,
869
- additionalParams: opts.additionalParams,
870
- pinMetadata: opts.pinMetadata
871
- }),
872
- isPinRequired,
873
- metadata,
874
- asOpts,
875
- issuerOpts,
876
- createDPoPOpts
877
- });
872
+ return Promise.reject(Error(`OpenId4VCIVersion ${openId4VCIVersion} is not supported in retrieveAllMetadataFromCredentialOffer`));
878
873
  }
879
- async acquireAccessTokenUsingRequest({ accessTokenRequest, isPinRequired, metadata, asOpts, createDPoPOpts, issuerOpts }) {
880
- this.validate(accessTokenRequest, isPinRequired);
881
- const requestTokenURL = _AccessTokenClientV1_0_11.determineTokenURL({
882
- asOpts,
883
- issuerOpts,
884
- metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_13.retrieveAllMetadata(issuerOpts.issuer, {
885
- errorOnNotFound: false
886
- }) : void 0
887
- });
888
- const useDpop = createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0;
889
- let dPoP = useDpop ? await (0, import_oid4vc_common4.createDPoP)((0, import_oid4vc_common4.getCreateDPoPOptions)(createDPoPOpts, requestTokenURL)) : void 0;
890
- let response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? {
891
- headers: {
892
- dpop: dPoP
874
+ /**
875
+ * Retrieve the metada using the initiation request obtained from a previous step
876
+ * @param request
877
+ */
878
+ static async retrieveAllMetadataFromCredentialOfferRequest(request) {
879
+ const issuer = (0, import_oid4vci_common10.getIssuerFromCredentialOfferPayload)(request);
880
+ if (issuer) {
881
+ const openId4VCIVersion = (0, import_oid4vci_common10.determineSpecVersionFromOffer)(request);
882
+ if (openId4VCIVersion >= import_oid4vci_common10.OpenId4VCIVersion.VER_1_0_15) {
883
+ return MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(request);
884
+ } else {
885
+ return Promise.reject(Error(`OpenId4VCIVersion ${openId4VCIVersion} is not supported in retrieveAllMetadataFromCredentialOfferRequest`));
893
886
  }
894
- } : void 0);
895
- let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
896
- const retryWithNonce = shouldRetryTokenRequestWithDPoPNonce(response);
897
- if (retryWithNonce.ok && createDPoPOpts) {
898
- createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
899
- dPoP = await (0, import_oid4vc_common4.createDPoP)((0, import_oid4vc_common4.getCreateDPoPOptions)(createDPoPOpts, requestTokenURL));
900
- response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? {
901
- headers: {
902
- dpop: dPoP
903
- }
904
- } : void 0);
905
- const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
906
- nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
907
- }
908
- if (response.successBody && createDPoPOpts && response.successBody.token_type !== "DPoP") {
909
- throw new Error("Invalid token type returned. Expected DPoP. Received: " + response.successBody.token_type);
910
887
  }
911
- return {
912
- ...response,
913
- ...nextDPoPNonce && {
914
- params: {
915
- dpop: {
916
- dpopNonce: nextDPoPNonce
917
- }
918
- }
919
- }
920
- };
888
+ throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
921
889
  }
922
- async createAccessTokenRequest(opts) {
923
- const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
924
- const credentialOfferRequest = opts.credentialOffer ? await (0, import_oid4vci_common10.toUniformCredentialOfferRequest)(opts.credentialOffer) : void 0;
925
- const request = {
926
- ...opts.additionalParams
927
- };
928
- const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer;
929
- if (asOpts?.clientOpts?.clientId) {
930
- request.client_id = asOpts.clientOpts.clientId;
931
- }
932
- await createJwtBearerClientAssertion(request, {
933
- ...opts,
934
- version: import_oid4vci_common10.OpenId4VCIVersion.VER_1_0_11,
935
- credentialIssuer
890
+ /**
891
+ * Retrieve all metadata from an issuer
892
+ * @param issuer The issuer URL
893
+ * @param opts
894
+ */
895
+ static async retrieveAllMetadata(issuer, opts) {
896
+ let token_endpoint;
897
+ let credential_endpoint;
898
+ let deferred_credential_endpoint;
899
+ let authorization_endpoint;
900
+ let authorization_challenge_endpoint;
901
+ let authorizationServerType = "OID4VCI";
902
+ let authorization_servers = [
903
+ issuer
904
+ ];
905
+ let authorization_server = void 0;
906
+ const oid4vciResponse = await _MetadataClient.retrieveOpenID4VCIServerMetadata(issuer, {
907
+ errorOnNotFound: false
936
908
  });
937
- if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(import_oid4vci_common10.AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
938
- request.grant_type = import_oid4vci_common10.GrantTypes.AUTHORIZATION_CODE;
939
- request.code = code;
940
- request.redirect_uri = redirectUri;
941
- if (codeVerifier) {
942
- request.code_verifier = codeVerifier;
909
+ let credentialIssuerMetadata = oid4vciResponse?.successBody;
910
+ if (credentialIssuerMetadata) {
911
+ logger3.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
912
+ ${JSON.stringify(credentialIssuerMetadata)}`);
913
+ credential_endpoint = credentialIssuerMetadata.credential_endpoint;
914
+ deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint ? credentialIssuerMetadata.deferred_credential_endpoint : void 0;
915
+ if (credentialIssuerMetadata.token_endpoint) {
916
+ token_endpoint = credentialIssuerMetadata.token_endpoint;
943
917
  }
944
- return request;
945
- }
946
- if (credentialOfferRequest?.supportedFlows.includes(import_oid4vci_common10.AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
947
- this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
948
- request.user_pin = pin;
949
- request.grant_type = import_oid4vci_common10.GrantTypes.PRE_AUTHORIZED_CODE;
950
- request[import_oid4vci_common10.PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]?.[import_oid4vci_common10.PRE_AUTH_CODE_LITERAL];
951
- return request;
952
- }
953
- throw new Error("Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.");
954
- }
955
- assertPreAuthorizedGrantType(grantType) {
956
- if (import_oid4vci_common10.GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {
957
- throw new Error("grant type must be PRE_AUTH_GRANT_LITERAL");
958
- }
959
- }
960
- assertAuthorizationGrantType(grantType) {
961
- if (import_oid4vci_common10.GrantTypes.AUTHORIZATION_CODE !== grantType) {
962
- throw new Error("grant type must be 'authorization_code'");
963
- }
964
- }
965
- isPinRequiredValue(requestPayload) {
966
- let isPinRequired = false;
967
- if (!requestPayload) {
968
- throw new Error(import_oid4vci_common10.TokenErrorResponse.invalid_request);
969
- }
970
- const issuer = (0, import_oid4vci_common10.getIssuerFromCredentialOfferPayload)(requestPayload);
971
- if (requestPayload.grants?.[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]) {
972
- isPinRequired = requestPayload.grants[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false;
973
- }
974
- logger3.debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
975
- return isPinRequired;
976
- }
977
- assertNumericPin(isPinRequired, pin) {
978
- if (isPinRequired) {
979
- if (!pin || !/^\d{1,8}$/.test(pin)) {
980
- logger3.debug(`Pin is not 1 to 8 digits long`);
981
- throw new Error("A valid pin consisting of maximal 8 numeric characters must be present.");
918
+ authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
919
+ if (credentialIssuerMetadata.authorization_servers) {
920
+ authorization_servers = credentialIssuerMetadata.authorization_servers;
921
+ } else if (credentialIssuerMetadata.authorization_server) {
922
+ authorization_server = credentialIssuerMetadata.authorization_server;
923
+ authorization_servers = [
924
+ authorization_server
925
+ ];
982
926
  }
983
- } else if (pin) {
984
- logger3.debug(`Pin set, whilst not required`);
985
- throw new Error("Cannot set a pin, when the pin is not required.");
986
- }
987
- }
988
- assertNonEmptyPreAuthorizedCode(accessTokenRequest) {
989
- if (!accessTokenRequest[import_oid4vci_common10.PRE_AUTH_CODE_LITERAL]) {
990
- logger3.debug(`No pre-authorized code present, whilst it is required`);
991
- throw new Error("Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.");
927
+ } else {
928
+ throw new Error(`Issuer ${issuer} does not expose /.well-known/openid-credential-issuer`);
992
929
  }
993
- }
994
- assertNonEmptyCodeVerifier(accessTokenRequest) {
995
- if (!accessTokenRequest.code_verifier) {
996
- logger3.debug("No code_verifier present, whilst it is required");
997
- throw new Error("Authorization flow requires the code_verifier to be present");
998
- }
999
- }
1000
- assertNonEmptyCode(accessTokenRequest) {
1001
- if (!accessTokenRequest.code) {
1002
- logger3.debug("No code present, whilst it is required");
1003
- throw new Error("Authorization flow requires the code to be present");
1004
- }
1005
- }
1006
- validate(accessTokenRequest, isPinRequired) {
1007
- if (accessTokenRequest.grant_type === import_oid4vci_common10.GrantTypes.PRE_AUTHORIZED_CODE) {
1008
- this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
1009
- this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
1010
- this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin);
1011
- } else if (accessTokenRequest.grant_type === import_oid4vci_common10.GrantTypes.AUTHORIZATION_CODE) {
1012
- this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
1013
- this.assertNonEmptyCodeVerifier(accessTokenRequest);
1014
- this.assertNonEmptyCode(accessTokenRequest);
1015
- } else {
1016
- this.throwNotSupportedFlow();
1017
- }
1018
- }
1019
- async sendAuthCode(requestTokenURL, accessTokenRequest, opts) {
1020
- return await (0, import_oid4vci_common10.formPost)(requestTokenURL, (0, import_oid4vci_common10.convertJsonToURI)(accessTokenRequest, {
1021
- mode: import_oid4vci_common10.JsonURIMode.X_FORM_WWW_URLENCODED
1022
- }), {
1023
- customHeaders: opts?.headers ? opts.headers : void 0
1024
- });
1025
- }
1026
- static determineTokenURL({ asOpts, issuerOpts, metadata }) {
1027
- if (!asOpts && !metadata?.token_endpoint && !issuerOpts) {
1028
- throw new Error("Cannot determine token URL if no issuer, metadata and no Authorization Server values are present");
1029
- }
1030
- let url;
1031
- if (asOpts && asOpts.as) {
1032
- url = this.creatTokenURLFromURL(asOpts.as, asOpts?.allowInsecureEndpoints, asOpts.tokenEndpoint);
1033
- } else if (metadata?.token_endpoint) {
1034
- url = metadata.token_endpoint;
1035
- } else {
1036
- if (!issuerOpts?.issuer) {
1037
- throw Error("Either authorization server options, a token endpoint or issuer options are required at this point");
1038
- }
1039
- url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
1040
- }
1041
- if (!url || !import_ssi_types5.ObjectUtils.isString(url)) {
1042
- throw new Error("No authorization server token URL present. Cannot acquire access token");
1043
- }
1044
- logger3.debug(`Token endpoint determined to be ${url}`);
1045
- return url;
1046
- }
1047
- static creatTokenURLFromURL(url, allowInsecureEndpoints, tokenEndpoint) {
1048
- if (allowInsecureEndpoints !== true && url.startsWith("http:")) {
1049
- throw Error(`Unprotected token endpoints are not allowed ${url}. Use the 'allowInsecureEndpoints' param if you really need this for dev/testing!`);
1050
- }
1051
- const hostname = url.replace(/https?:\/\//, "").replace(/\/$/, "");
1052
- const endpoint = tokenEndpoint ? tokenEndpoint.startsWith("/") ? tokenEndpoint : tokenEndpoint.substring(1) : "/token";
1053
- const scheme = url.split("://")[0];
1054
- return `${scheme ? scheme + "://" : "https://"}${hostname}${endpoint}`;
1055
- }
1056
- throwNotSupportedFlow() {
1057
- logger3.debug(`Only pre-authorized or authorization code flows supported.`);
1058
- throw new Error("Only pre-authorized-code or authorization code flows are supported");
1059
- }
1060
- };
1061
-
1062
- // lib/AuthorizationCodeClient.ts
1063
- var import_oid4vci_common13 = require("@sphereon/oid4vci-common");
1064
- var import_ssi_types8 = require("@sphereon/ssi-types");
1065
-
1066
- // lib/MetadataClient.ts
1067
- var import_oid4vci_common12 = require("@sphereon/oid4vci-common");
1068
- var import_ssi_types7 = require("@sphereon/ssi-types");
1069
-
1070
- // lib/MetadataClientV1_0_11.ts
1071
- var import_oid4vci_common11 = require("@sphereon/oid4vci-common");
1072
- var import_ssi_types6 = require("@sphereon/ssi-types");
1073
- var logger4 = import_ssi_types6.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
1074
- var MetadataClientV1_0_11 = class _MetadataClientV1_0_11 {
1075
- static {
1076
- __name(this, "MetadataClientV1_0_11");
1077
- }
1078
- /**
1079
- * Retrieve metadata using the Initiation obtained from a previous step
1080
- *
1081
- * @param credentialOffer
1082
- */
1083
- static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
1084
- return _MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
1085
- }
1086
- /**
1087
- * Retrieve the metada using the initiation request obtained from a previous step
1088
- * @param request
1089
- */
1090
- static async retrieveAllMetadataFromCredentialOfferRequest(request) {
1091
- const issuer = (0, import_oid4vci_common11.getIssuerFromCredentialOfferPayload)(request);
1092
- if (issuer) {
1093
- return _MetadataClientV1_0_11.retrieveAllMetadata(issuer);
1094
- }
1095
- throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
1096
- }
1097
- /**
1098
- * Retrieve all metadata from an issuer
1099
- * @param issuer The issuer URL
1100
- * @param opts
1101
- */
1102
- static async retrieveAllMetadata(issuer, opts) {
1103
- let token_endpoint;
1104
- let credential_endpoint;
1105
- let deferred_credential_endpoint;
1106
- let authorization_endpoint;
1107
- let authorization_challenge_endpoint;
1108
- let authorizationServerType = "OID4VCI";
1109
- let authorization_server = issuer;
1110
- const oid4vciResponse = await _MetadataClientV1_0_11.retrieveOpenID4VCIServerMetadata(issuer, {
1111
- errorOnNotFound: false
1112
- });
1113
- let credentialIssuerMetadata = oid4vciResponse?.successBody;
1114
- if (credentialIssuerMetadata) {
1115
- logger4.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
1116
- ${JSON.stringify(credentialIssuerMetadata)}`);
1117
- credential_endpoint = credentialIssuerMetadata.credential_endpoint;
1118
- deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
1119
- if (credentialIssuerMetadata.token_endpoint) {
1120
- token_endpoint = credentialIssuerMetadata.token_endpoint;
1121
- }
1122
- authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
1123
- if (credentialIssuerMetadata.authorization_server) {
1124
- authorization_server = credentialIssuerMetadata.authorization_server;
1125
- }
1126
- if (credentialIssuerMetadata.authorization_endpoint) {
1127
- authorization_endpoint = credentialIssuerMetadata.authorization_endpoint;
1128
- }
1129
- }
1130
- let response = await retrieveWellknown(authorization_server, import_oid4vci_common11.WellKnownEndpoints.OPENID_CONFIGURATION, {
930
+ let response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common10.WellKnownEndpoints.OPENID_CONFIGURATION, {
1131
931
  errorOnNotFound: false
1132
932
  });
1133
933
  let authMetadata = response.successBody;
1134
934
  if (authMetadata) {
1135
- logger4.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
935
+ logger3.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
1136
936
  authorizationServerType = "OIDC";
1137
937
  } else {
1138
- response = await retrieveWellknown(authorization_server, import_oid4vci_common11.WellKnownEndpoints.OAUTH_AS, {
938
+ response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common10.WellKnownEndpoints.OAUTH_AS, {
1139
939
  errorOnNotFound: false
1140
940
  });
1141
941
  authMetadata = response.successBody;
1142
942
  }
1143
943
  if (!authMetadata) {
1144
- if (issuer !== authorization_server) {
1145
- throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_server}, but that server did not provide metadata`);
944
+ if (!authorization_servers.includes(issuer)) {
945
+ throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
1146
946
  }
1147
947
  } else {
1148
948
  if (!authorizationServerType) {
1149
949
  authorizationServerType = "OAuth 2.0";
1150
950
  }
1151
- logger4.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
951
+ logger3.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
1152
952
  if (!authMetadata.authorization_endpoint) {
1153
953
  console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
1154
954
  } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
@@ -1160,31 +960,31 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
1160
960
  }
1161
961
  authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
1162
962
  if (!authMetadata.token_endpoint) {
1163
- throw Error(`Authorization Server ${authorization_server} did not provide a token_endpoint`);
963
+ throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
1164
964
  } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
1165
965
  throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
1166
966
  }
1167
967
  token_endpoint = authMetadata.token_endpoint;
1168
968
  if (authMetadata.credential_endpoint) {
1169
969
  if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
1170
- logger4.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
970
+ logger3.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
1171
971
  } else {
1172
972
  credential_endpoint = authMetadata.credential_endpoint;
1173
973
  }
1174
974
  }
1175
975
  if (authMetadata.deferred_credential_endpoint) {
1176
976
  if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
1177
- logger4.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
977
+ logger3.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
1178
978
  } else {
1179
979
  deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
1180
980
  }
1181
981
  }
1182
982
  }
1183
983
  if (!authorization_endpoint) {
1184
- logger4.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
984
+ logger3.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
1185
985
  }
1186
986
  if (!token_endpoint) {
1187
- logger4.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
987
+ logger3.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
1188
988
  if (opts?.errorOnNotFound) {
1189
989
  throw Error(`Could not deduce the token_endpoint for ${issuer}`);
1190
990
  } else {
@@ -1192,7 +992,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
1192
992
  }
1193
993
  }
1194
994
  if (!credential_endpoint) {
1195
- logger4.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
995
+ logger3.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
1196
996
  if (opts?.errorOnNotFound) {
1197
997
  throw Error(`Could not deduce the credential endpoint for ${issuer}`);
1198
998
  } else {
@@ -1200,15 +1000,20 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
1200
1000
  }
1201
1001
  }
1202
1002
  if (!credentialIssuerMetadata && authMetadata) {
1203
- credentialIssuerMetadata = authMetadata;
1003
+ return Promise.reject(Error(`No /.well-known/openid-credential-issuer at ${issuer}.`));
1204
1004
  }
1205
- logger4.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
1005
+ logger3.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
1206
1006
  return {
1207
1007
  issuer,
1208
1008
  token_endpoint,
1209
1009
  credential_endpoint,
1210
1010
  deferred_credential_endpoint,
1211
- authorization_server,
1011
+ nonce_endpoint: credentialIssuerMetadata.nonce_endpoint,
1012
+ authorization_servers: authorization_server ? [
1013
+ authorization_server
1014
+ ] : authorization_servers ?? [
1015
+ issuer
1016
+ ],
1212
1017
  authorization_endpoint,
1213
1018
  authorization_challenge_endpoint,
1214
1019
  authorizationServerType,
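Review bot: The added `nonce_endpoint: credentialIssuerMetadata.nonce_endpoint` dereferences `credentialIssuerMetadata` without a null check, and the guard just above rejects only when issuer metadata is missing while `authMetadata` is present. If both well-known lookups come back empty and the method carries on with fallback endpoints, this line would throw a TypeError instead of returning or rejecting with a clear message. The variable's assignment is outside the hunk, so this is inferred from the guard's own `!credentialIssuerMetadata` test. Either use `nonce_endpoint: credentialIssuerMetadata?.nonce_endpoint,` or widen the guard to `if (!credentialIssuerMetadata) {`. The enclosing method starts and ends outside the hunk.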
@@ -1220,236 +1025,60 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
1220
1025
  * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
1221
1026
  *
1222
1027
  * @param issuerHost The issuer hostname
1028
+ * @param opts
1223
1029
  */
1224
1030
  static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
1225
- return retrieveWellknown(issuerHost, import_oid4vci_common11.WellKnownEndpoints.OPENID4VCI_ISSUER, {
1031
+ return retrieveWellknown(issuerHost, import_oid4vci_common10.WellKnownEndpoints.OPENID4VCI_ISSUER, {
1226
1032
  errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
1227
1033
  });
1228
1034
  }
1229
1035
  };
1230
1036
 
1231
- // lib/MetadataClient.ts
1232
- var logger5 = import_ssi_types7.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
1233
- var MetadataClient = class _MetadataClient {
1234
- static {
1235
- __name(this, "MetadataClient");
1236
- }
1237
- /**
1238
- * Retrieve metadata using the Initiation obtained from a previous step
1239
- *
1240
- * @param credentialOffer
1241
- */
1242
- static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
1243
- if ((0, import_oid4vci_common12.determineSpecVersionFromOffer)(credentialOffer.credential_offer) >= import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_13) {
1244
- return await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(credentialOffer);
1245
- } else {
1246
- return await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(credentialOffer);
1037
+ // lib/AuthorizationCodeClient.ts
1038
+ var logger4 = import_ssi_types6.Loggers.DEFAULT.get("sphereon:oid4vci");
1039
+ async function createSignedAuthRequestWhenNeeded(requestObject, opts) {
1040
+ if (opts.requestObjectMode === import_oid4vci_common11.CreateRequestObjectMode.REQUEST_URI) {
1041
+ throw Error(`Request Object Mode ${opts.requestObjectMode} is not supported yet`);
1042
+ } else if (opts.requestObjectMode === import_oid4vci_common11.CreateRequestObjectMode.REQUEST_OBJECT) {
1043
+ if (typeof opts.signCallbacks?.signCallback !== "function") {
1044
+ throw Error(`No request object sign callback found, whilst request object mode was set to ${opts.requestObjectMode}`);
1045
+ } else if (!opts.kid) {
1046
+ throw Error(`No kid found, whilst request object mode was set to ${opts.requestObjectMode}`);
1247
1047
  }
1248
- }
1249
- /**
1250
- * Retrieve the metada using the initiation request obtained from a previous step
1251
- * @param request
1252
- */
1253
- static async retrieveAllMetadataFromCredentialOfferRequest(request) {
1254
- const issuer = (0, import_oid4vci_common12.getIssuerFromCredentialOfferPayload)(request);
1255
- if (issuer) {
1256
- if ((0, import_oid4vci_common12.determineSpecVersionFromOffer)(request) >= import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_13) {
1257
- return MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(request);
1258
- } else {
1259
- return MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(request);
1048
+ let client_metadata;
1049
+ if (opts.clientMetadata || opts.jwksUri) {
1050
+ client_metadata = opts.clientMetadata ?? {};
1051
+ if (opts.jwksUri) {
1052
+ client_metadata["jwks_uri"] = opts.jwksUri;
1260
1053
  }
1261
1054
  }
1262
- throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
1263
- }
1264
- /**
1265
- * Retrieve all metadata from an issuer
1266
- * @param issuer The issuer URL
1267
- * @param opts
1268
- */
1269
- static async retrieveAllMetadata(issuer, opts) {
1270
- let token_endpoint;
1271
- let credential_endpoint;
1272
- let deferred_credential_endpoint;
1273
- let authorization_endpoint;
1274
- let authorization_challenge_endpoint;
1275
- let authorizationServerType = "OID4VCI";
1276
- let authorization_servers = [
1277
- issuer
1278
- ];
1279
- let authorization_server = void 0;
1280
- const oid4vciResponse = await _MetadataClient.retrieveOpenID4VCIServerMetadata(issuer, {
1281
- errorOnNotFound: false
1282
- });
1283
- let credentialIssuerMetadata = oid4vciResponse?.successBody;
1284
- if (credentialIssuerMetadata) {
1285
- logger5.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
1286
- ${JSON.stringify(credentialIssuerMetadata)}`);
1287
- credential_endpoint = credentialIssuerMetadata.credential_endpoint;
1288
- deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint ? credentialIssuerMetadata.deferred_credential_endpoint : void 0;
1289
- if (credentialIssuerMetadata.token_endpoint) {
1290
- token_endpoint = credentialIssuerMetadata.token_endpoint;
1291
- }
1292
- authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
1293
- if (credentialIssuerMetadata.authorization_servers) {
1294
- authorization_servers = credentialIssuerMetadata.authorization_servers;
1295
- } else if (credentialIssuerMetadata.authorization_server) {
1296
- authorization_server = credentialIssuerMetadata.authorization_server;
1297
- authorization_servers = [
1298
- authorization_server
1299
- ];
1300
- }
1055
+ let authorization_details = requestObject["authorization_details"];
1056
+ if (typeof authorization_details === "string") {
1057
+ authorization_details = JSON.parse(requestObject.authorization_details);
1301
1058
  }
1302
- let response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common12.WellKnownEndpoints.OPENID_CONFIGURATION, {
1303
- errorOnNotFound: false
1304
- });
1305
- let authMetadata = response.successBody;
1306
- if (authMetadata) {
1307
- logger5.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
1308
- authorizationServerType = "OIDC";
1309
- } else {
1310
- response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common12.WellKnownEndpoints.OAUTH_AS, {
1311
- errorOnNotFound: false
1312
- });
1313
- authMetadata = response.successBody;
1059
+ if (!requestObject.aud && opts.aud) {
1060
+ requestObject.aud = opts.aud;
1314
1061
  }
1315
- if (!authMetadata) {
1316
- if (!authorization_servers.includes(issuer)) {
1317
- throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
1318
- }
1319
- } else {
1320
- if (!authorizationServerType) {
1321
- authorizationServerType = "OAuth 2.0";
1322
- }
1323
- logger5.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
1324
- if (!authMetadata.authorization_endpoint) {
1325
- console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
1326
- } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
1327
- throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
1328
- }
1329
- authorization_endpoint = authMetadata.authorization_endpoint;
1330
- if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
1331
- throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
1332
- }
1333
- authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
1334
- if (!authMetadata.token_endpoint) {
1335
- throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
1336
- } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
1337
- throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
1338
- }
1339
- token_endpoint = authMetadata.token_endpoint;
1340
- if (authMetadata.credential_endpoint) {
1341
- if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
1342
- logger5.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
1343
- } else {
1344
- credential_endpoint = authMetadata.credential_endpoint;
1345
- }
1346
- }
1347
- if (authMetadata.deferred_credential_endpoint) {
1348
- if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
1349
- logger5.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
1350
- } else {
1351
- deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
1352
- }
1353
- }
1354
- }
1355
- if (!authorization_endpoint) {
1356
- logger5.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
1357
- }
1358
- if (!token_endpoint) {
1359
- logger5.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
1360
- if (opts?.errorOnNotFound) {
1361
- throw Error(`Could not deduce the token_endpoint for ${issuer}`);
1362
- } else {
1363
- token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
1364
- }
1365
- }
1366
- if (!credential_endpoint) {
1367
- logger5.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
1368
- if (opts?.errorOnNotFound) {
1369
- throw Error(`Could not deduce the credential endpoint for ${issuer}`);
1370
- } else {
1371
- credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
1372
- }
1373
- }
1374
- if (!credentialIssuerMetadata && authMetadata) {
1375
- credentialIssuerMetadata = authorization_server ? authMetadata : authMetadata;
1376
- }
1377
- logger5.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
1378
- return {
1379
- issuer,
1380
- token_endpoint,
1381
- credential_endpoint,
1382
- deferred_credential_endpoint,
1383
- ...authorization_server ? {
1384
- authorization_server
1385
- } : {
1386
- authorization_servers
1387
- },
1388
- authorization_endpoint,
1389
- authorization_challenge_endpoint,
1390
- authorizationServerType,
1391
- credentialIssuerMetadata: authorization_server ? credentialIssuerMetadata : credentialIssuerMetadata,
1392
- authorizationServerMetadata: authMetadata
1393
- };
1394
- }
1395
- /**
1396
- * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
1397
- *
1398
- * @param issuerHost The issuer hostname
1399
- * @param opts
1400
- */
1401
- static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
1402
- return retrieveWellknown(issuerHost, import_oid4vci_common12.WellKnownEndpoints.OPENID4VCI_ISSUER, {
1403
- errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
1404
- });
1405
- }
1406
- };
1407
-
1408
- // lib/AuthorizationCodeClient.ts
1409
- var logger6 = import_ssi_types8.Loggers.DEFAULT.get("sphereon:oid4vci");
1410
- async function createSignedAuthRequestWhenNeeded(requestObject, opts) {
1411
- if (opts.requestObjectMode === import_oid4vci_common13.CreateRequestObjectMode.REQUEST_URI) {
1412
- throw Error(`Request Object Mode ${opts.requestObjectMode} is not supported yet`);
1413
- } else if (opts.requestObjectMode === import_oid4vci_common13.CreateRequestObjectMode.REQUEST_OBJECT) {
1414
- if (typeof opts.signCallbacks?.signCallback !== "function") {
1415
- throw Error(`No request object sign callback found, whilst request object mode was set to ${opts.requestObjectMode}`);
1416
- } else if (!opts.kid) {
1417
- throw Error(`No kid found, whilst request object mode was set to ${opts.requestObjectMode}`);
1418
- }
1419
- let client_metadata;
1420
- if (opts.clientMetadata || opts.jwksUri) {
1421
- client_metadata = opts.clientMetadata ?? {};
1422
- if (opts.jwksUri) {
1423
- client_metadata["jwks_uri"] = opts.jwksUri;
1424
- }
1425
- }
1426
- let authorization_details = requestObject["authorization_details"];
1427
- if (typeof authorization_details === "string") {
1428
- authorization_details = JSON.parse(requestObject.authorization_details);
1429
- }
1430
- if (!requestObject.aud && opts.aud) {
1431
- requestObject.aud = opts.aud;
1432
- }
1433
- const iss = requestObject.iss ?? opts.iss ?? requestObject.client_id;
1434
- const jwt = {
1435
- header: {
1436
- alg: "ES256",
1437
- kid: opts.kid,
1438
- typ: "JWT"
1439
- },
1440
- payload: {
1441
- ...requestObject,
1442
- iss,
1443
- authorization_details,
1444
- ...client_metadata && {
1445
- client_metadata
1062
+ const iss = requestObject.iss ?? opts.iss ?? requestObject.client_id;
1063
+ const jwt = {
1064
+ header: {
1065
+ alg: "ES256",
1066
+ kid: opts.kid,
1067
+ typ: "JWT"
1068
+ },
1069
+ payload: {
1070
+ ...requestObject,
1071
+ iss,
1072
+ authorization_details,
1073
+ ...client_metadata && {
1074
+ client_metadata
1446
1075
  }
1447
1076
  }
1448
1077
  };
1449
1078
  const pop = await ProofOfPossessionBuilder.fromJwt({
1450
1079
  jwt,
1451
1080
  callbacks: opts.signCallbacks,
1452
- version: import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_11,
1081
+ version: import_oid4vci_common11.OpenId4VCIVersion.VER_1_0_15,
1453
1082
  mode: "JWT"
1454
1083
  }).build();
1455
1084
  requestObject["request"] = pop.jwt;
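Review bot: The JWT header built in `createSignedAuthRequestWhenNeeded` hard-codes `alg: "ES256"`, while the signing key is whatever `opts.kid` and the caller's `signCallback` use, and nothing in the hunk checks that they match. A key of another type would produce a request object whose header misstates its signature algorithm, which a strict authorization server should reject. At minimum the contract deserves a comment above the header: `// alg is fixed to ES256: signCallback must sign with the P-256 key named by opts.kid`. The function's end is outside the hunk.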
@@ -1470,6 +1099,12 @@ function filterSupportedCredentials(credentialOffer, credentialsSupported) {
1470
1099
  __name(filterSupportedCredentials, "filterSupportedCredentials");
1471
1100
  var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpointMetadata, authorizationRequest, credentialOffer, credentialConfigurationSupported, clientId, version }) => {
1472
1101
  function removeDisplayAndValueTypes(obj) {
1102
+ if (Array.isArray(obj)) {
1103
+ return obj.map((item) => removeDisplayAndValueTypes(item));
1104
+ }
1105
+ if (typeof obj !== "object" || obj === null) {
1106
+ return obj;
1107
+ }
1473
1108
  const newObj = {
1474
1109
  ...obj
1475
1110
  };
@@ -1479,7 +1114,7 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1479
1114
  "value_type"
1480
1115
  ].includes(prop)) {
1481
1116
  delete newObj[prop];
1482
- } else if (typeof newObj[prop] === "object") {
1117
+ } else if (typeof newObj[prop] === "object" && newObj[prop] !== null) {
1483
1118
  newObj[prop] = removeDisplayAndValueTypes(newObj[prop]);
1484
1119
  }
1485
1120
  }
@@ -1487,12 +1122,12 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1487
1122
  }
1488
1123
  __name(removeDisplayAndValueTypes, "removeDisplayAndValueTypes");
1489
1124
  const { redirectUri, requestObjectOpts = {
1490
- requestObjectMode: import_oid4vci_common13.CreateRequestObjectMode.NONE
1125
+ requestObjectMode: import_oid4vci_common11.CreateRequestObjectMode.NONE
1491
1126
  } } = authorizationRequest;
1492
1127
  const client_id = clientId ?? authorizationRequest.clientId;
1493
1128
  const authorizationMetadata = endpointMetadata.authorizationServerMetadata ?? endpointMetadata.credentialIssuerMetadata;
1494
1129
  let { authorizationDetails } = authorizationRequest;
1495
- const parMode = authorizationMetadata?.require_pushed_authorization_requests ? import_oid4vci_common13.PARMode.REQUIRE : authorizationRequest.parMode ?? (client_id ? import_oid4vci_common13.PARMode.AUTO : import_oid4vci_common13.PARMode.NEVER);
1130
+ const parMode = authorizationMetadata?.require_pushed_authorization_requests ? import_oid4vci_common11.PARMode.REQUIRE : authorizationRequest.parMode ?? (client_id ? import_oid4vci_common11.PARMode.AUTO : import_oid4vci_common11.PARMode.NEVER);
1496
1131
  if (!authorizationRequest.scope && !authorizationDetails) {
1497
1132
  if (!credentialOffer) {
1498
1133
  throw Error("Please provide a scope or authorization_details if no credential offer is present");
@@ -1500,8 +1135,8 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1500
1135
  if ("credentials" in credentialOffer.credential_offer) {
1501
1136
  throw new Error("CredentialOffer format is wrong.");
1502
1137
  }
1503
- const ver = version ?? (0, import_oid4vci_common13.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_13;
1504
- const creds = ver === import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_13 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
1138
+ const ver = version ?? (0, import_oid4vci_common11.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common11.OpenId4VCIVersion.VER_1_0_15;
1139
+ const creds = ver === import_oid4vci_common11.OpenId4VCIVersion.VER_1_0_15 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
1505
1140
  authorizationDetails = creds.flatMap((cred) => {
1506
1141
  const locations = [
1507
1142
  credentialOffer?.credential_offer.credential_issuer ?? endpointMetadata.issuer
@@ -1511,10 +1146,10 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1511
1146
  if (!credential_configuration_id && !cred.format) {
1512
1147
  throw Error("format is required in authorization details");
1513
1148
  }
1514
- const vct = cred.format === "vc+sd-jwt" ? cred.vct : void 0;
1149
+ const vct = cred.format === "dc+sd-jwt" ? cred.vct : void 0;
1515
1150
  const doctype = cred.format === "mso_mdoc" ? cred.doctype : void 0;
1516
1151
  let credential_definition = void 0;
1517
- if ((0, import_oid4vci_common13.isW3cCredentialSupported)(cred)) {
1152
+ if ((0, import_oid4vci_common11.isW3cCredentialSupported)(cred) && hasCredentialDefinition(cred)) {
1518
1153
  credential_definition = {
1519
1154
  ...cred.credential_definition,
1520
1155
  // type: OPTIONAL. Array as defined in Appendix A.1.1.2. This claim contains the type values the Wallet requests authorization for at the Credential Issuer. It MUST be present if the claim format is present in the root of the authorization details object. It MUST not be present otherwise.
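Review bot: Changing the `vct` test to `"dc+sd-jwt"` silently drops `vct` from the authorization details for any supported credential an issuer still labels `vc+sd-jwt`. The request then goes out without the type the wallet meant to ask for. If the legacy identifier is still meant to work, accept both: `const vct = cred.format === "dc+sd-jwt" || cred.format === "vc+sd-jwt" ? cred.vct : void 0;`. If it is not, an explicit error for that format is safer than an under-specified request. Whether such entries can reach this point depends on `filterSupportedCredentials`, which is not visible here, and the enclosing function starts and ends outside the hunk.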
@@ -1549,14 +1184,15 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1549
1184
  throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
1550
1185
  }
1551
1186
  }
1552
- if (!endpointMetadata?.authorization_endpoint) {
1187
+ const authorizationEndpoint = endpointMetadata.authorization_endpoint ?? endpointMetadata.authorizationServerMetadata?.authorization_endpoint ?? endpointMetadata.credentialIssuerMetadata?.authorization_endpoint;
1188
+ if (!authorizationEndpoint) {
1553
1189
  throw Error("Server metadata does not contain authorization endpoint");
1554
1190
  }
1555
1191
  const parEndpoint = authorizationMetadata?.pushed_authorization_request_endpoint;
1556
1192
  let queryObj = {
1557
- response_type: import_oid4vci_common13.ResponseType.AUTH_CODE,
1193
+ response_type: import_oid4vci_common11.ResponseType.AUTH_CODE,
1558
1194
  ...!pkce.disabled && {
1559
- code_challenge_method: pkce.codeChallengeMethod ?? import_oid4vci_common13.CodeChallengeMethod.S256,
1195
+ code_challenge_method: pkce.codeChallengeMethod ?? import_oid4vci_common11.CodeChallengeMethod.S256,
1560
1196
  code_challenge: pkce.codeChallenge
1561
1197
  },
1562
1198
  authorization_details: JSON.stringify(handleAuthorizationDetails(endpointMetadata, authorizationDetails)),
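Review bot: The new `authorizationEndpoint` fallback chain takes whatever URL the issuer or authorization-server metadata supplies, and the only check before use is that it is non-empty. The user's browser is sent to this URL, so a scheme check belongs next to the existing guard, e.g. `if (!authorizationEndpoint.startsWith("https://")) throw Error("Authorization endpoint must use https");`. It should have an explicit opt-out for dev/testing, like the one the removed `creatTokenURLFromURL` applied to token endpoints. Validation may already happen where the metadata is fetched, which is not visible here. The enclosing function starts and ends outside the hunk.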
@@ -1569,17 +1205,17 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1569
1205
  ...credentialOffer?.issuerState && {
1570
1206
  issuer_state: credentialOffer.issuerState
1571
1207
  },
1572
- scope: authorizationRequest.scope
1208
+ scope: authorizationRequest.scope ?? "openid"
1573
1209
  };
1574
1210
  if (credentialOffer?.issuerState) {
1575
1211
  queryObj.state = credentialOffer?.issuerState;
1576
1212
  }
1577
- if (!parEndpoint && parMode === import_oid4vci_common13.PARMode.REQUIRE) {
1213
+ if (!parEndpoint && parMode === import_oid4vci_common11.PARMode.REQUIRE) {
1578
1214
  throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
1579
- } else if (parEndpoint && parMode !== import_oid4vci_common13.PARMode.NEVER) {
1580
- logger6.debug(`USING PAR with endpoint ${parEndpoint}`);
1581
- const parResponse = await (0, import_oid4vci_common13.formPost)(parEndpoint, (0, import_oid4vci_common13.convertJsonToURI)(queryObj, {
1582
- mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED,
1215
+ } else if (parEndpoint && parMode !== import_oid4vci_common11.PARMode.NEVER) {
1216
+ logger4.debug(`USING PAR with endpoint ${parEndpoint}`);
1217
+ const parBody = (0, import_oid4vci_common11.convertJsonToURI)(queryObj, {
1218
+ mode: import_oid4vci_common11.JsonURIMode.X_FORM_WWW_URLENCODED,
1583
1219
  uriTypeProperties: [
1584
1220
  "client_id",
1585
1221
  "request_uri",
@@ -1589,17 +1225,18 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1589
1225
  "issuer_state",
1590
1226
  "state"
1591
1227
  ]
1592
- }), {
1228
+ });
1229
+ const parResponse = await (0, import_oid4vci_common11.formPost)(parEndpoint, parBody, {
1593
1230
  contentType: "application/x-www-form-urlencoded",
1594
1231
  accept: "application/json"
1595
1232
  });
1596
1233
  if (parResponse.errorBody || !parResponse.successBody) {
1597
- if (parMode === import_oid4vci_common13.PARMode.REQUIRE) {
1234
+ if (parMode === import_oid4vci_common11.PARMode.REQUIRE) {
1598
1235
  throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
1599
1236
  }
1600
- logger6.debug("Falling back to regular request URI, since PAR failed", JSON.stringify(parResponse.errorBody));
1237
+ logger4.debug("Falling back to regular request URI, since PAR failed", JSON.stringify(parResponse.errorBody));
1601
1238
  } else {
1602
- logger6.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
1239
+ logger4.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
1603
1240
  queryObj = {
1604
1241
  client_id,
1605
1242
  request_uri: parResponse.successBody.request_uri
@@ -1608,11 +1245,11 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1608
1245
  }
1609
1246
  await createSignedAuthRequestWhenNeeded(queryObj, {
1610
1247
  ...requestObjectOpts,
1611
- aud: endpointMetadata.authorization_server
1248
+ aud: endpointMetadata.authorization_server ?? endpointMetadata.authorizationServerMetadata?.issuer
1612
1249
  });
1613
- logger6.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
1614
- const url = (0, import_oid4vci_common13.convertJsonToURI)(queryObj, {
1615
- baseUrl: endpointMetadata.authorization_endpoint,
1250
+ logger4.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
1251
+ const url = (0, import_oid4vci_common11.convertJsonToURI)(queryObj, {
1252
+ baseUrl: authorizationEndpoint,
1616
1253
  uriTypeProperties: [
1617
1254
  "client_id",
1618
1255
  "request_uri",
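Review bot: The new `aud` fallback still evaluates to `undefined` when neither `endpointMetadata.authorization_server` nor `endpointMetadata.authorizationServerMetadata?.issuer` is set, and the result is handed to `createSignedAuthRequestWhenNeeded` unchecked. A signed request object without an audience is not bound to one authorization server. The helper's body is outside this hunk, so whether it rejects a missing `aud` is unknown. Resolving the value first makes the failure explicit: `const aud = endpointMetadata.authorization_server ?? endpointMetadata.authorizationServerMetadata?.issuer;` followed by `if (!aud && requestObjectOpts?.requestObjectMode !== import_oid4vci_common11.CreateRequestObjectMode.NONE) throw Error("No audience available for the signed authorization request");`, assuming `requestObjectOpts` carries the mode as the removed V1_0_11 variant in this diff does.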
@@ -1623,11 +1260,12 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
1623
1260
  "state"
1624
1261
  ],
1625
1262
  // arrayTypeProperties: ['authorization_details'],
1626
- mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED
1263
+ mode: import_oid4vci_common11.JsonURIMode.X_FORM_WWW_URLENCODED
1627
1264
  });
1628
- logger6.debug(`Authorization Request URL: ${url}`);
1265
+ logger4.debug(`Authorization Request URL: ${url}`);
1629
1266
  return url;
1630
1267
  }, "createAuthorizationRequestUrl");
1268
+ var hasCredentialDefinition = /* @__PURE__ */ __name((cred) => "credential_definition" in cred && cred.credential_definition && typeof cred.credential_definition === "object" && cred.credential_definition !== null && "type" in cred.credential_definition && Array.isArray(cred.credential_definition.type), "hasCredentialDefinition");
1631
1269
  var handleAuthorizationDetails = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
1632
1270
  if (authorizationDetails) {
1633
1271
  if (typeof authorizationDetails === "string") {
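Review bot: `hasCredentialDefinition` applies the `in` operator to `cred` before establishing that `cred` is an object, so a string or `null` entry raises a `TypeError` instead of yielding false. The removed V1_0_11 code in this diff handles offer entries that are plain strings, and the callers of this helper are outside the hunk, so the guard is worth having: begin the expression with `typeof cred === "object" && cred !== null &&`. The `cred.credential_definition &&` and `cred.credential_definition !== null` terms duplicate each other. Wrapping the expression in `Boolean(...)` would make the predicate return a real boolean rather than whichever falsy operand stopped the chain.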
@@ -1649,7 +1287,10 @@ var handleLocations = /* @__PURE__ */ __name((endpointMetadata, authorizationDet
1649
1287
  if (typeof authorizationDetails === "string") {
1650
1288
  return authorizationDetails;
1651
1289
  }
1652
- if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {
1290
+ const ciMeta = endpointMetadata.credentialIssuerMetadata;
1291
+ const hasAuthorizationServers = Array.isArray(ciMeta?.authorization_servers) && ciMeta.authorization_servers.length > 0;
1292
+ const legacyHasAuthzEndpoint = Boolean(endpointMetadata.authorization_endpoint);
1293
+ if (hasAuthorizationServers || legacyHasAuthzEndpoint) {
1653
1294
  if (authorizationDetails.locations) {
1654
1295
  if (Array.isArray(authorizationDetails.locations)) {
1655
1296
  authorizationDetails.locations.push(endpointMetadata.issuer);
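Review bot: The rewritten condition no longer tests `authorizationDetails` itself, so `authorizationDetails.locations` on the following line throws when the function receives `null` or `undefined`; the replaced condition began with `authorizationDetails &&`. The callers of `handleLocations` are not in this hunk, so it cannot be confirmed that every one of them passes an object. Keeping the guard is a one-token change: `if (authorizationDetails && (hasAuthorizationServers || legacyHasAuthzEndpoint)) {`. The function begins before this hunk and ends in the next one.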
@@ -1664,6 +1305,11 @@ var handleLocations = /* @__PURE__ */ __name((endpointMetadata, authorizationDet
1664
1305
  endpointMetadata.issuer
1665
1306
  ];
1666
1307
  }
1308
+ if (Array.isArray(authorizationDetails.locations)) {
1309
+ authorizationDetails.locations = [
1310
+ ...new Set(authorizationDetails.locations)
1311
+ ];
1312
+ }
1667
1313
  }
1668
1314
  return authorizationDetails;
1669
1315
  }, "handleLocations");
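Review bot: The `Set` de-duplication repairs only the array that is returned; the `authorizationDetails.locations.push(endpointMetadata.issuer)` branch earlier in this function (previous hunk) has by then already appended to the array object it was given. If the caller passes a shallow copy of its authorization detail, as the removed V1_0_11 variant in this diff does with `{ ...value }`, the caller's own `locations` array gains one issuer entry per call. Replacing the `push` with a non-mutating assignment avoids that and covers the duplicate case in the same step: `authorizationDetails.locations = [...new Set([...authorizationDetails.locations, endpointMetadata.issuer])];`.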
@@ -1708,169 +1354,18 @@ var createAuthorizationChallengeRequest = /* @__PURE__ */ __name(async (opts) =>
1708
1354
  return request;
1709
1355
  }, "createAuthorizationChallengeRequest");
1710
1356
  var sendAuthorizationChallengeRequest = /* @__PURE__ */ __name(async (authorizationChallengeCodeUrl, authorizationChallengeRequest, opts) => {
1711
- return await (0, import_oid4vci_common13.formPost)(authorizationChallengeCodeUrl, (0, import_oid4vci_common13.convertJsonToURI)(authorizationChallengeRequest, {
1712
- mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED
1357
+ return await (0, import_oid4vci_common11.formPost)(authorizationChallengeCodeUrl, (0, import_oid4vci_common11.convertJsonToURI)(authorizationChallengeRequest, {
1358
+ mode: import_oid4vci_common11.JsonURIMode.X_FORM_WWW_URLENCODED
1713
1359
  }), {
1714
1360
  customHeaders: opts?.headers ? opts.headers : void 0
1715
1361
  });
1716
1362
  }, "sendAuthorizationChallengeRequest");
1717
1363
 
1718
- // lib/AuthorizationCodeClientV1_0_11.ts
1719
- var import_oid4vci_common14 = require("@sphereon/oid4vci-common");
1720
- var import_ssi_types9 = require("@sphereon/ssi-types");
1721
- var logger7 = import_ssi_types9.Loggers.DEFAULT.get("sphereon:oid4vci");
1722
- var createAuthorizationRequestUrlV1_0_11 = /* @__PURE__ */ __name(async ({ pkce, endpointMetadata, authorizationRequest, credentialOffer, credentialsSupported }) => {
1723
- const { redirectUri, clientId, requestObjectOpts = {
1724
- requestObjectMode: import_oid4vci_common14.CreateRequestObjectMode.NONE
1725
- } } = authorizationRequest;
1726
- let { scope, authorizationDetails } = authorizationRequest;
1727
- const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests ? import_oid4vci_common14.PARMode.REQUIRE : authorizationRequest.parMode ?? import_oid4vci_common14.PARMode.AUTO;
1728
- if (!scope && !authorizationDetails) {
1729
- if (!credentialOffer) {
1730
- throw Error("Please provide a scope or authorization_details if no credential offer is present");
1731
- }
1732
- const creds = credentialOffer.credential_offer.credentials;
1733
- authorizationDetails = creds.flatMap((cred) => typeof cred === "string" ? credentialsSupported : cred).filter((cred) => !!cred).map((cred) => {
1734
- return {
1735
- ...cred,
1736
- type: "openid_credential",
1737
- locations: [
1738
- endpointMetadata.issuer
1739
- ],
1740
- // eslint-disable-next-line @typescript-eslint/ban-ts-comment
1741
- // @ts-ignore
1742
- format: cred.format
1743
- };
1744
- });
1745
- if (!authorizationDetails || Array.isArray(authorizationDetails) && authorizationDetails.length === 0) {
1746
- throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
1747
- }
1748
- }
1749
- if (!endpointMetadata?.authorization_endpoint) {
1750
- throw Error("Server metadata does not contain authorization endpoint");
1751
- }
1752
- const parEndpoint = endpointMetadata.credentialIssuerMetadata?.pushed_authorization_request_endpoint;
1753
- if (!scope?.includes("openid")) {
1754
- scope = [
1755
- "openid",
1756
- scope
1757
- ].filter((s) => !!s).join(" ");
1758
- }
1759
- let queryObj = {
1760
- response_type: import_oid4vci_common14.ResponseType.AUTH_CODE,
1761
- ...!pkce.disabled && {
1762
- code_challenge_method: pkce.codeChallengeMethod ?? import_oid4vci_common14.CodeChallengeMethod.S256,
1763
- code_challenge: pkce.codeChallenge
1764
- },
1765
- authorization_details: JSON.stringify(handleAuthorizationDetailsV1_0_11(endpointMetadata, authorizationDetails)),
1766
- ...redirectUri && {
1767
- redirect_uri: redirectUri
1768
- },
1769
- ...clientId && {
1770
- client_id: clientId
1771
- },
1772
- ...credentialOffer?.issuerState && {
1773
- issuer_state: credentialOffer.issuerState
1774
- },
1775
- scope
1776
- };
1777
- if (!parEndpoint && parMode === import_oid4vci_common14.PARMode.REQUIRE) {
1778
- throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
1779
- } else if (parEndpoint && parMode !== import_oid4vci_common14.PARMode.NEVER) {
1780
- logger7.debug(`USING PAR with endpoint ${parEndpoint}`);
1781
- const parResponse = await (0, import_oid4vci_common14.formPost)(parEndpoint, (0, import_oid4vci_common14.convertJsonToURI)(queryObj, {
1782
- mode: import_oid4vci_common14.JsonURIMode.X_FORM_WWW_URLENCODED,
1783
- uriTypeProperties: [
1784
- "client_id",
1785
- "request_uri",
1786
- "redirect_uri",
1787
- "scope",
1788
- "authorization_details",
1789
- "issuer_state"
1790
- ]
1791
- }), {
1792
- contentType: "application/x-www-form-urlencoded",
1793
- accept: "application/json"
1794
- });
1795
- if (parResponse.errorBody || !parResponse.successBody) {
1796
- console.log(JSON.stringify(parResponse.errorBody));
1797
- console.log("Falling back to regular request URI, since PAR failed");
1798
- if (parMode === import_oid4vci_common14.PARMode.REQUIRE) {
1799
- throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
1800
- }
1801
- } else {
1802
- logger7.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
1803
- queryObj = {
1804
- request_uri: parResponse.successBody.request_uri
1805
- };
1806
- }
1807
- }
1808
- await createSignedAuthRequestWhenNeeded(queryObj, {
1809
- ...requestObjectOpts,
1810
- aud: endpointMetadata.authorization_server
1811
- });
1812
- logger7.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
1813
- const url = (0, import_oid4vci_common14.convertJsonToURI)(queryObj, {
1814
- baseUrl: endpointMetadata.authorization_endpoint,
1815
- uriTypeProperties: [
1816
- "client_id",
1817
- "request_uri",
1818
- "redirect_uri",
1819
- "scope",
1820
- "authorization_details",
1821
- "issuer_state"
1822
- ],
1823
- // arrayTypeProperties: ['authorization_details'],
1824
- mode: import_oid4vci_common14.JsonURIMode.X_FORM_WWW_URLENCODED
1825
- });
1826
- logger7.debug(`Authorization Request URL: ${url}`);
1827
- return url;
1828
- }, "createAuthorizationRequestUrlV1_0_11");
1829
- var handleAuthorizationDetailsV1_0_11 = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
1830
- if (authorizationDetails) {
1831
- if (typeof authorizationDetails === "string") {
1832
- return authorizationDetails;
1833
- }
1834
- if (Array.isArray(authorizationDetails)) {
1835
- return authorizationDetails.filter((value) => typeof value !== "string").map((value) => handleLocations2(endpointMetadata, typeof value === "string" ? value : {
1836
- ...value
1837
- }));
1838
- } else {
1839
- return handleLocations2(endpointMetadata, {
1840
- ...authorizationDetails
1841
- });
1842
- }
1843
- }
1844
- return authorizationDetails;
1845
- }, "handleAuthorizationDetailsV1_0_11");
1846
- var handleLocations2 = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
1847
- if (typeof authorizationDetails === "string") {
1848
- return authorizationDetails;
1849
- }
1850
- if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {
1851
- if (authorizationDetails.locations) {
1852
- if (Array.isArray(authorizationDetails.locations)) {
1853
- authorizationDetails.locations.push(endpointMetadata.issuer);
1854
- } else {
1855
- authorizationDetails.locations = [
1856
- authorizationDetails.locations,
1857
- endpointMetadata.issuer
1858
- ];
1859
- }
1860
- } else {
1861
- authorizationDetails.locations = [
1862
- endpointMetadata.issuer
1863
- ];
1864
- }
1865
- }
1866
- return authorizationDetails;
1867
- }, "handleLocations");
1868
-
1869
1364
  // lib/CredentialRequestClient.ts
1870
- var import_oid4vc_common5 = require("@sphereon/oid4vc-common");
1871
- var import_oid4vci_common15 = require("@sphereon/oid4vci-common");
1872
- var import_ssi_types10 = require("@sphereon/ssi-types");
1873
- var logger8 = import_ssi_types10.Loggers.DEFAULT.get("sphereon:oid4vci:credential");
1365
+ var import_oid4vc_common4 = require("@sphereon/oid4vc-common");
1366
+ var import_oid4vci_common12 = require("@sphereon/oid4vci-common");
1367
+ var import_ssi_types7 = require("@sphereon/ssi-types");
1368
+ var logger5 = import_ssi_types7.Loggers.DEFAULT.get("sphereon:oid4vci:credential");
1874
1369
  async function buildProof(proofInput, opts) {
1875
1370
  if ("proof_type" in proofInput) {
1876
1371
  if (opts.cNonce) {
@@ -1884,6 +1379,27 @@ async function buildProof(proofInput, opts) {
1884
1379
  return await proofInput.build();
1885
1380
  }
1886
1381
  __name(buildProof, "buildProof");
1382
+ function isOpenIdCredentialDetail(ad) {
1383
+ return typeof ad === "object" && ad !== null && ad.type === "openid_credential";
1384
+ }
1385
+ __name(isOpenIdCredentialDetail, "isOpenIdCredentialDetail");
1386
+ function findAuthorizationDetail(authorizationDetails, preferredConfigId) {
1387
+ if (!authorizationDetails) {
1388
+ return void 0;
1389
+ }
1390
+ const openIdCredentialDetails = authorizationDetails.filter(isOpenIdCredentialDetail);
1391
+ if (openIdCredentialDetails.length === 0) {
1392
+ return void 0;
1393
+ }
1394
+ if (preferredConfigId) {
1395
+ const match = openIdCredentialDetails.find((detail) => typeof detail === "object" && detail !== null && detail.credential_configuration_id === preferredConfigId);
1396
+ if (match) {
1397
+ return match;
1398
+ }
1399
+ }
1400
+ return openIdCredentialDetails[0];
1401
+ }
1402
+ __name(findAuthorizationDetail, "findAuthorizationDetail");
1887
1403
  var CredentialRequestClient = class {
1888
1404
  static {
1889
1405
  __name(this, "CredentialRequestClient");
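Review bot: `findAuthorizationDetail` returns `openIdCredentialDetails[0]` even when a `preferredConfigId` was supplied and nothing matched, so a request for one credential configuration can be built from the authorization detail of a different one. The no-match path is easy to reach: `createCredentialRequestImpl` (later hunk) passes `credentialConfigurationId ?? credentialIdentifier`, and a credential identifier is compared here against `credential_configuration_id`. Returning nothing in that case lets the caller fall through to its explicit values: `return preferredConfigId ? void 0 : openIdCredentialDetails[0];`. The function also calls `.filter` on `authorizationDetails` without an `Array.isArray` check, which throws for a string or single-object value.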
@@ -1923,7 +1439,10 @@ var CredentialRequestClient = class {
1923
1439
  credentialIdentifier,
1924
1440
  subjectIssuance
1925
1441
  });
1926
- return await this.acquireCredentialsUsingRequestWithoutProof(request, opts.createDPoPOpts);
1442
+ if (!import_oid4vci_common12.supportedOID4VCICredentialFormat.includes(format)) {
1443
+ return Promise.reject(Error(`Unsupported credential format: ${format}`));
1444
+ }
1445
+ return await this.acquireCredentialsUsingRequestWithoutProof(request, format, opts.createDPoPOpts);
1927
1446
  }
1928
1447
  async acquireCredentialsUsingProof(opts) {
1929
1448
  const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts;
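Review bot: The format check added here runs only after `createCredentialRequest` has built the request, and it also rejects when `format` is `undefined`, which looks like the expected input for a caller that names the credential by `credentialIdentifier` alone. `acquireCredentialsUsingProof` in the next hunk forwards `format` with no such check, so the two entry points disagree. Validating once, before the request is built and only when a format was given, removes both problems: `if (format && !import_oid4vci_common12.supportedOID4VCICredentialFormat.includes(format)) throw Error("Unsupported credential format: " + format);`. The start of this method is outside the hunk, so where `format` is read from is inferred.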
@@ -1936,32 +1455,28 @@ var CredentialRequestClient = class {
1936
1455
  credentialIdentifier,
1937
1456
  subjectIssuance
1938
1457
  });
1939
- return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
1458
+ return await this.acquireCredentialsUsingRequest(request, format, opts.createDPoPOpts);
1940
1459
  }
1941
- async acquireCredentialsUsingRequestWithoutProof(uniformRequest, createDPoPOpts) {
1942
- return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
1460
+ async acquireCredentialsUsingRequestWithoutProof(uniformRequest, format, createDPoPOpts) {
1461
+ return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
1943
1462
  }
1944
- async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
1945
- return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
1463
+ async acquireCredentialsUsingRequest(uniformRequest, format, createDPoPOpts) {
1464
+ return await this.acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts);
1946
1465
  }
1947
- async acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts) {
1948
- if (this.version() < import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13) {
1949
- throw new Error("Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.");
1950
- }
1951
- const request = (0, import_oid4vci_common15.getCredentialRequestForVersion)(uniformRequest, this.version());
1466
+ async acquireCredentialsUsingRequestImpl(uniformRequest, format, createDPoPOpts) {
1952
1467
  const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
1953
- if (!(0, import_oid4vci_common15.isValidURL)(credentialEndpoint)) {
1954
- logger8.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
1955
- throw new Error(import_oid4vci_common15.URL_NOT_VALID);
1468
+ if (!(0, import_oid4vci_common12.isValidURL)(credentialEndpoint)) {
1469
+ logger5.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
1470
+ throw new Error(import_oid4vci_common12.URL_NOT_VALID);
1956
1471
  }
1957
- logger8.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
1958
- logger8.debug(`request
1959
- : ${JSON.stringify(request, null, 2)}`);
1472
+ logger5.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
1473
+ logger5.debug(`request
1474
+ : ${JSON.stringify(uniformRequest, null, 2)}`);
1960
1475
  const requestToken = this.credentialRequestOpts.token;
1961
- let dPoP = createDPoPOpts ? await (0, import_oid4vc_common5.createDPoP)((0, import_oid4vc_common5.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
1476
+ let dPoP = createDPoPOpts ? await (0, import_oid4vc_common4.createDPoP)((0, import_oid4vc_common4.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
1962
1477
  accessToken: requestToken
1963
1478
  })) : void 0;
1964
- let response = await (0, import_oid4vci_common15.post)(credentialEndpoint, JSON.stringify(request), {
1479
+ let response = await (0, import_oid4vci_common12.post)(credentialEndpoint, JSON.stringify(uniformRequest), {
1965
1480
  bearerToken: requestToken,
1966
1481
  ...dPoP && {
1967
1482
  customHeaders: {
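Review bot: Inserting `format` as the second positional parameter of `acquireCredentialsUsingRequest` and `acquireCredentialsUsingRequestWithoutProof` changes what an existing two-argument call means: a caller still passing `(request, createDPoPOpts)` now has its DPoP options bound to `format` and `createDPoPOpts` left `undefined`, so the credential request is posted without a DPoP proof and no error is raised. `format` is also not read anywhere in the part of `acquireCredentialsUsingRequestImpl` visible in this hunk. Appending the parameter keeps old call sites intact, `async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts, format) {`. If the order must stay, the implementation should reject a misplaced argument: `if (format !== undefined && typeof format !== "string") throw new Error("format must be a string");`. The implementation continues past this hunk.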
@@ -1973,10 +1488,10 @@ var CredentialRequestClient = class {
1973
1488
  const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response);
1974
1489
  if (retryWithNonce.ok && createDPoPOpts) {
1975
1490
  createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
1976
- dPoP = await (0, import_oid4vc_common5.createDPoP)((0, import_oid4vc_common5.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
1491
+ dPoP = await (0, import_oid4vc_common4.createDPoP)((0, import_oid4vc_common4.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
1977
1492
  accessToken: requestToken
1978
1493
  }));
1979
- response = await (0, import_oid4vci_common15.post)(credentialEndpoint, JSON.stringify(request), {
1494
+ response = await (0, import_oid4vci_common12.post)(credentialEndpoint, JSON.stringify(uniformRequest), {
1980
1495
  bearerToken: requestToken,
1981
1496
  ...createDPoPOpts && {
1982
1497
  customHeaders: {
@@ -1987,19 +1502,14 @@ var CredentialRequestClient = class {
1987
1502
  const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
1988
1503
  nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
1989
1504
  }
1990
- this._isDeferred = (0, import_oid4vci_common15.isDeferredCredentialResponse)(response);
1505
+ this._isDeferred = (0, import_oid4vci_common12.isDeferredCredentialResponse)(response);
1991
1506
  if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
1992
1507
  response = await this.acquireDeferredCredential(response.successBody, {
1993
1508
  bearerToken: this.credentialRequestOpts.token
1994
1509
  });
1995
1510
  }
1996
1511
  response.access_token = requestToken;
1997
- if (uniformRequest.credential_subject_issuance && response.successBody || response.successBody?.credential_subject_issuance) {
1998
- if (JSON.stringify(uniformRequest.credential_subject_issuance) !== JSON.stringify(response.successBody?.credential_subject_issuance)) {
1999
- throw Error("Subject signing was requested, but issuer did not provide the options in its response");
2000
- }
2001
- }
2002
- logger8.debug(`Credential endpoint ${credentialEndpoint} response:\r
1512
+ logger5.debug(`Credential endpoint ${credentialEndpoint} response:\r
2003
1513
  ${JSON.stringify(response, null, 2)}`);
2004
1514
  return {
2005
1515
  ...response,
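Review bot: The debug statement serialises the whole `response` immediately after `response.access_token = requestToken` is assigned, so the access token and the issued credential in `successBody` are written to the log whenever debug logging is on. Logging only what diagnosis needs avoids that, for example `logger5.debug("Credential endpoint " + credentialEndpoint + " responded with status " + response.origResponse.status);`. Separately, this hunk drops the comparison of `credential_subject_issuance` between request and response while `...opts.subjectIssuance` is still spread into the request body in the `createCredentialRequestImpl` hunk. If that check moved elsewhere, it is not visible in this diff.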
@@ -2021,7 +1531,7 @@ ${JSON.stringify(response, null, 2)}`);
2021
1531
  } else if (!bearerToken) {
2022
1532
  throw Error(`No bearer token present and refresh for defered endpoint not supported yet`);
2023
1533
  }
2024
- return await (0, import_oid4vci_common15.acquireDeferredCredential)({
1534
+ return await (0, import_oid4vci_common12.acquireDeferredCredential)({
2025
1535
  bearerToken,
2026
1536
  transactionId,
2027
1537
  deferredCredentialEndpoint,
@@ -2036,44 +1546,15 @@ ${JSON.stringify(response, null, 2)}`);
2036
1546
  return await this.createCredentialRequestImpl(opts);
2037
1547
  }
2038
1548
  async createCredentialRequestImpl(opts) {
2039
- const { proofInput, credentialIdentifier: credential_identifier } = opts;
1549
+ const { proofInput, credentialIdentifier, credentialConfigurationId } = opts;
2040
1550
  let proof = void 0;
2041
1551
  if (proofInput) {
2042
1552
  proof = await buildProof(proofInput, opts);
2043
1553
  }
2044
- if (credential_identifier) {
2045
- if (opts.format || opts.credentialTypes || opts.context) {
2046
- throw Error(`You cannot mix credential_identifier with format, credential types and/or context`);
2047
- }
2048
- return {
2049
- credential_identifier,
2050
- ...proof && {
2051
- proof
2052
- }
2053
- };
2054
- }
2055
- const formatSelection = opts.format ?? this.credentialRequestOpts.format;
2056
- if (!formatSelection) {
2057
- throw Error(`Format of credential to be issued is missing`);
2058
- }
2059
- const format = (0, import_oid4vci_common15.getUniformFormat)(formatSelection);
2060
- const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
2061
- if (!typesSelection) {
2062
- throw Error(`Credential type(s) need to be provided`);
2063
- }
2064
- const types = Array.isArray(typesSelection) ? typesSelection : [
2065
- typesSelection
2066
- ];
2067
- if (types.length === 0) {
2068
- throw Error(`Credential type(s) need to be provided`);
2069
- }
2070
- const issuer_state = this.credentialRequestOpts.issuerState;
2071
- if (format === "jwt_vc_json" || format === "jwt_vc") {
2072
- return {
2073
- credential_definition: {
2074
- type: types
2075
- },
2076
- format,
1554
+ if (this.version() >= import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_15) {
1555
+ const authDetail = findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId ?? credentialIdentifier);
1556
+ const issuer_state = this.credentialRequestOpts.issuerState;
1557
+ const commonBody = {
2077
1558
  ...issuer_state && {
2078
1559
  issuer_state
2079
1560
  },
@@ -2082,64 +1563,43 @@ ${JSON.stringify(response, null, 2)}`);
2082
1563
  },
2083
1564
  ...opts.subjectIssuance
2084
1565
  };
2085
- } else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
2086
- if (this.version() >= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
2087
- throw Error("No @context value present, but it is required");
1566
+ const authDetailObj = authDetail && typeof authDetail === "object" ? authDetail : null;
1567
+ if (authDetailObj?.credential_identifier) {
1568
+ return {
1569
+ credential_identifier: authDetailObj.credential_identifier,
1570
+ ...commonBody
1571
+ };
2088
1572
  }
2089
- return {
2090
- format,
2091
- ...issuer_state && {
2092
- issuer_state
2093
- },
2094
- ...proof && {
2095
- proof
2096
- },
2097
- ...opts.subjectIssuance,
2098
- credential_definition: {
2099
- type: types,
2100
- "@context": opts.context
2101
- }
2102
- };
2103
- } else if (format === "vc+sd-jwt") {
2104
- if (types.length > 1) {
2105
- throw Error(`Only a single credential type is supported for ${format}`);
1573
+ if (authDetailObj?.credential_identifiers && authDetailObj.credential_identifiers.length > 0) {
1574
+ return {
1575
+ credential_identifier: authDetailObj.credential_identifiers[0],
1576
+ ...commonBody
1577
+ };
2106
1578
  }
2107
- return {
2108
- format,
2109
- ...issuer_state && {
2110
- issuer_state
2111
- },
2112
- ...proof && {
2113
- proof
2114
- },
2115
- vct: types[0],
2116
- ...opts.subjectIssuance
2117
- };
2118
- } else if (format === "mso_mdoc") {
2119
- if (types.length > 1) {
2120
- throw Error(`Only a single credential type is supported for ${format}`);
1579
+ const configId = credentialConfigurationId ?? authDetailObj?.credential_configuration_id ?? this._credentialRequestOpts.credentialConfigurationId;
1580
+ if (configId) {
1581
+ return {
1582
+ credential_configuration_id: configId,
1583
+ ...commonBody
1584
+ };
2121
1585
  }
2122
- return {
2123
- format,
2124
- ...issuer_state && {
2125
- issuer_state
2126
- },
2127
- ...proof && {
2128
- proof
2129
- },
2130
- doctype: types[0],
2131
- ...opts.subjectIssuance
2132
- };
1586
+ if (credentialIdentifier) {
1587
+ return {
1588
+ credential_identifier: credentialIdentifier,
1589
+ ...commonBody
1590
+ };
1591
+ }
1592
+ return Promise.reject(Error("No credential_identifier or credential_configuration_id available for v1.0-15 request"));
2133
1593
  }
2134
- throw new Error(`Unsupported credential format: ${format}`);
1594
+ throw new Error(`Unsupported version: ${this.version()}`);
2135
1595
  }
2136
1596
  version() {
2137
- return this.credentialRequestOpts?.version ?? import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13;
1597
+ return this.credentialRequestOpts?.version ?? import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_15;
2138
1598
  }
2139
1599
  };
2140
1600
 
2141
1601
  // lib/CredentialOfferClient.ts
2142
- var import_oid4vci_common16 = require("@sphereon/oid4vci-common");
1602
+ var import_oid4vci_common13 = require("@sphereon/oid4vci-common");
2143
1603
  var CredentialOfferClient = class {
2144
1604
  static {
2145
1605
  __name(this, "CredentialOfferClient");
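Review bot: In the v1.0-15 branch the caller's explicit `credentialIdentifier` is used only in the last branch, after `authDetailObj.credential_identifier`, `credential_identifiers[0]` and any configuration id, and it is never checked against the identifiers the authorization detail lists. A caller asking for one identifier can therefore send a request for the first listed one instead, with no error. Honouring the explicit value when it is listed, ahead of the `[0]` branch, closes that gap: `if (credentialIdentifier && authDetailObj?.credential_identifiers?.includes(credentialIdentifier)) return { credential_identifier: credentialIdentifier, ...commonBody };`. As a style point, the no-identifier case uses `return Promise.reject(Error(...))` while the statement after it uses `throw new Error(...)`; inside an `async` method a plain `throw` is the consistent form. The method starts in the previous hunk.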
@@ -2152,135 +1612,18 @@ var CredentialOfferClient = class {
2152
1612
  }
2153
1613
  const scheme = uri.split("://")[0];
2154
1614
  const baseUrl = uri.split("?")[0];
2155
- const version = (0, import_oid4vci_common16.determineSpecVersionFromURI)(uri);
1615
+ const version = (0, import_oid4vci_common13.determineSpecVersionFromURI)(uri);
2156
1616
  LOG.log(`Offer URL determined to be of version ${version}`);
2157
1617
  let credentialOffer;
2158
- let credentialOfferPayload;
2159
- if (version < import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_11) {
2160
- credentialOfferPayload = (0, import_oid4vci_common16.convertURIToJsonObject)(uri, {
2161
- arrayTypeProperties: [
2162
- "credential_type"
2163
- ],
2164
- requiredProperties: uri.includes("credential_offer=") ? [
2165
- "credential_offer"
2166
- ] : [
2167
- "issuer",
2168
- "credential_type"
2169
- ]
2170
- });
2171
- credentialOffer = {
2172
- credential_offer: credentialOfferPayload
2173
- };
1618
+ if (uri.includes("credential_offer_uri")) {
1619
+ credentialOffer = await handleCredentialOfferUri(uri);
2174
1620
  } else {
2175
- if (uri.includes("credential_offer_uri")) {
2176
- credentialOffer = await handleCredentialOfferUri(uri);
2177
- } else {
2178
- credentialOffer = (0, import_oid4vci_common16.convertURIToJsonObject)(uri, {
2179
- // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
2180
- arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
2181
- "credential_offer_uri="
2182
- ] : [
2183
- "credential_offer="
2184
- ],
2185
- requiredProperties: uri.includes("credential_offer_uri=") ? [
2186
- "credential_offer_uri="
2187
- ] : [
2188
- "credential_offer="
2189
- ]
2190
- });
2191
- }
2192
- if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
2193
- throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
2194
- }
2195
- }
2196
- const request = await (0, import_oid4vci_common16.toUniformCredentialOfferRequest)(credentialOffer, {
2197
- ...opts,
2198
- version
2199
- });
2200
- return {
2201
- ...constructBaseResponse(request, scheme, baseUrl),
2202
- userPinRequired: request.credential_offer?.grants?.[import_oid4vci_common16.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? !!request.credential_offer?.grants?.[import_oid4vci_common16.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false
2203
- };
2204
- }
2205
- static toURI(requestWithBaseUrl, opts) {
2206
- LOG.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
2207
- const version = opts?.version ?? requestWithBaseUrl.version;
2208
- let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
2209
- let param;
2210
- const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
2211
- if (version.valueOf() >= import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
2212
- if (!baseUrl.includes("?")) {
2213
- param = isUri ? "credential_offer_uri" : "credential_offer";
2214
- } else {
2215
- const split = baseUrl.split("?");
2216
- if (split.length > 1 && split[1] !== "") {
2217
- if (baseUrl.endsWith("&")) {
2218
- param = isUri ? "credential_offer_uri" : "credential_offer";
2219
- } else if (!baseUrl.endsWith("=")) {
2220
- baseUrl += `&`;
2221
- param = isUri ? "credential_offer_uri" : "credential_offer";
2222
- }
2223
- }
2224
- }
2225
- }
2226
- return (0, import_oid4vci_common16.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
2227
- baseUrl,
2228
- arrayTypeProperties: isUri ? [] : [
2229
- "credential_type"
2230
- ],
2231
- uriTypeProperties: isUri ? [
2232
- "credential_offer_uri"
2233
- ] : version >= import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_13 ? [
2234
- "credential_issuer",
2235
- "credential_type"
2236
- ] : [
2237
- "issuer",
2238
- "credential_type"
2239
- ],
2240
- param,
2241
- version
2242
- });
2243
- }
2244
- };
2245
-
2246
- // lib/CredentialOfferClientV1_0_11.ts
2247
- var import_oid4vci_common17 = require("@sphereon/oid4vci-common");
2248
- var import_ssi_types11 = require("@sphereon/ssi-types");
2249
- var logger9 = import_ssi_types11.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
2250
- var CredentialOfferClientV1_0_11 = class {
2251
- static {
2252
- __name(this, "CredentialOfferClientV1_0_11");
2253
- }
2254
- static async fromURI(uri, opts) {
2255
- logger9.debug(`Credential Offer URI: ${uri}`);
2256
- if (!uri.includes("?") || !uri.includes("://")) {
2257
- logger9.debug(`Invalid Credential Offer URI: ${uri}`);
2258
- throw Error(`Invalid Credential Offer Request`);
2259
- }
2260
- const scheme = uri.split("://")[0];
2261
- const baseUrl = uri.split("?")[0];
2262
- const version = (0, import_oid4vci_common17.determineSpecVersionFromURI)(uri);
2263
- let credentialOffer;
2264
- let credentialOfferPayload;
2265
- if (version < import_oid4vci_common17.OpenId4VCIVersion.VER_1_0_11) {
2266
- credentialOfferPayload = (0, import_oid4vci_common17.convertURIToJsonObject)(uri, {
2267
- arrayTypeProperties: [
2268
- "credential_type"
2269
- ],
2270
- requiredProperties: uri.includes("credential_offer_uri=") ? [
1621
+ credentialOffer = (0, import_oid4vci_common13.convertURIToJsonObject)(uri, {
1622
+ // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
1623
+ arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
2271
1624
  "credential_offer_uri="
2272
1625
  ] : [
2273
- "issuer",
2274
- "credential_type="
2275
- ]
2276
- });
2277
- credentialOffer = {
2278
- credential_offer: credentialOfferPayload
2279
- };
2280
- } else {
2281
- credentialOffer = (0, import_oid4vci_common17.convertURIToJsonObject)(uri, {
2282
- arrayTypeProperties: [
2283
- "credentials"
1626
+ "credential_offer="
2284
1627
  ],
2285
1628
  requiredProperties: uri.includes("credential_offer_uri=") ? [
2286
1629
  "credential_offer_uri="
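Review bot: The branch condition `uri.includes("credential_offer_uri")` matches that text anywhere in the URI, including inside an inline `credential_offer` value, and a match hands the URI to `handleCredentialOfferUri`, which by its name resolves the offer by reference (its body is not in this hunk). The comment two lines further down says the `=` is required. Because the outer test is the broader one, the `uri.includes("credential_offer_uri=")` ternaries inside the `else` branch can never be true. Testing for the parameter itself keeps the two paths consistent, `if (/[?&]credential_offer_uri=/.test(uri)) {`, after which the dead alternatives in the `else` branch can be reduced to `["credential_offer="]`. The method starts before this hunk and the options object is closed in the next one.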
@@ -2288,39 +1631,26 @@ var CredentialOfferClientV1_0_11 = class {
2288
1631
  "credential_offer="
2289
1632
  ]
2290
1633
  });
2291
- if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
2292
- throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
2293
- }
2294
1634
  }
2295
- const request = await (0, import_oid4vci_common17.toUniformCredentialOfferRequest)(credentialOffer, {
1635
+ if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
1636
+ throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
1637
+ }
1638
+ const request = await (0, import_oid4vci_common13.toUniformCredentialOfferRequest)(credentialOffer, {
2296
1639
  ...opts,
2297
1640
  version
2298
1641
  });
2299
- const clientId = (0, import_oid4vci_common17.getClientIdFromCredentialOfferPayload)(request.credential_offer);
2300
- const grants = request.credential_offer?.grants;
2301
1642
  return {
2302
- scheme,
2303
- baseUrl,
2304
- ...clientId && {
2305
- clientId
2306
- },
2307
- ...request,
2308
- ...grants?.authorization_code?.issuer_state && {
2309
- issuerState: grants.authorization_code.issuer_state
2310
- },
2311
- ...grants?.[import_oid4vci_common17.PRE_AUTH_GRANT_LITERAL]?.[import_oid4vci_common17.PRE_AUTH_CODE_LITERAL] && {
2312
- preAuthorizedCode: grants[import_oid4vci_common17.PRE_AUTH_GRANT_LITERAL][import_oid4vci_common17.PRE_AUTH_CODE_LITERAL]
2313
- },
2314
- userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common17.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false)
1643
+ ...constructBaseResponse(request, scheme, baseUrl),
1644
+ userPinRequired: request.credential_offer?.grants?.[import_oid4vci_common13.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? !!request.credential_offer?.grants?.[import_oid4vci_common13.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false
2315
1645
  };
2316
1646
  }
2317
1647
  static toURI(requestWithBaseUrl, opts) {
2318
- logger9.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
1648
+ LOG.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
2319
1649
  const version = opts?.version ?? requestWithBaseUrl.version;
2320
1650
  let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
2321
1651
  let param;
2322
1652
  const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
2323
- if (version.valueOf() >= import_oid4vci_common17.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
1653
+ if (version.valueOf() >= import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_15.valueOf()) {
2324
1654
  if (!baseUrl.includes("?")) {
2325
1655
  param = isUri ? "credential_offer_uri" : "credential_offer";
2326
1656
  } else {
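Review bot: The `userPinRequired` expression at new line 1644 no longer coerces `user_pin_required` to a boolean, and its trailing `?? false` is unreachable because `!!…tx_code` is never nullish. Since `??` only falls through on null or undefined, an offer with `user_pin_required: false` and a `tx_code` yields false, and any non-boolean value in the offer is handed to callers unchanged. The offer is issuer-supplied input, so I would normalise it: read the grant once with `const g = request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL];` and return `userPinRequired: Boolean(g?.user_pin_required ?? g?.tx_code)`. A one-line comment should say whether an explicit `user_pin_required: false` is meant to win over a present `tx_code`. `fromURI` begins above this hunk.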
@@ -2335,14 +1665,14 @@ var CredentialOfferClientV1_0_11 = class {
2335
1665
  }
2336
1666
  }
2337
1667
  }
2338
- return (0, import_oid4vci_common17.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
1668
+ return (0, import_oid4vci_common13.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
2339
1669
  baseUrl,
2340
1670
  arrayTypeProperties: isUri ? [] : [
2341
1671
  "credential_type"
2342
1672
  ],
2343
1673
  uriTypeProperties: isUri ? [
2344
1674
  "credential_offer_uri"
2345
- ] : version >= import_oid4vci_common17.OpenId4VCIVersion.VER_1_0_11 ? [
1675
+ ] : version >= import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_15 ? [
2346
1676
  "credential_issuer",
2347
1677
  "credential_type"
2348
1678
  ] : [
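Review bot: Raising the threshold from `VER_1_0_11` to `VER_1_0_15` at new lines 1653 and 1675 means a request whose version lies between the two no longer gets `param` set and takes the fallback branch of `uriTypeProperties` instead of being rejected. `CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest`, further down this file, throws "Versions below v1.0.15 (draft 15) are not supported." for the same condition, so the two paths appear to disagree. This assumes the enum orders by draft number, which is not visible here. If older drafts are no longer supported, an explicit guard at the top of `toURI` would be clearer: `if (version < OpenId4VCIVersion.VER_1_0_15) throw new Error("Versions below v1.0.15 (draft 15) are not supported.");`. `toURI` begins and ends outside this hunk.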
@@ -2355,28 +1685,28 @@ var CredentialOfferClientV1_0_11 = class {
2355
1685
  }
2356
1686
  };
2357
1687
 
2358
- // lib/CredentialOfferClientV1_0_13.ts
2359
- var import_oid4vci_common18 = require("@sphereon/oid4vci-common");
2360
- var import_ssi_types12 = require("@sphereon/ssi-types");
2361
- var logger10 = import_ssi_types12.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
2362
- var CredentialOfferClientV1_0_13 = class {
1688
+ // lib/CredentialOfferClientV1_0_15.ts
1689
+ var import_oid4vci_common14 = require("@sphereon/oid4vci-common");
1690
+ var import_ssi_types8 = require("@sphereon/ssi-types");
1691
+ var logger6 = import_ssi_types8.Loggers.DEFAULT.get("sphereon:oid4vci:offer");
1692
+ var CredentialOfferClientV1_0_15 = class {
2363
1693
  static {
2364
- __name(this, "CredentialOfferClientV1_0_13");
1694
+ __name(this, "CredentialOfferClientV1_0_15");
2365
1695
  }
2366
1696
  static async fromURI(uri, opts) {
2367
- logger10.debug(`Credential Offer URI: ${uri}`);
1697
+ logger6.debug(`Credential Offer URI: ${uri}`);
2368
1698
  if (!uri.includes("?") || !uri.includes("://")) {
2369
- logger10.debug(`Invalid Credential Offer URI: ${uri}`);
2370
- throw Error(`Invalid Credential Offer Request`);
1699
+ logger6.debug(`Invalid Credential Offer URI: ${uri}`);
1700
+ return Promise.reject(Error(`Invalid Credential Offer Request`));
2371
1701
  }
2372
1702
  const scheme = uri.split("://")[0];
2373
1703
  const baseUrl = uri.split("?")[0];
2374
- const version = (0, import_oid4vci_common18.determineSpecVersionFromURI)(uri);
1704
+ const version = (0, import_oid4vci_common14.determineSpecVersionFromURI)(uri);
2375
1705
  let credentialOffer;
2376
1706
  if (uri.includes("credential_offer_uri")) {
2377
1707
  credentialOffer = await handleCredentialOfferUri(uri);
2378
1708
  } else {
2379
- credentialOffer = (0, import_oid4vci_common18.convertURIToJsonObject)(uri, {
1709
+ credentialOffer = (0, import_oid4vci_common14.convertURIToJsonObject)(uri, {
2380
1710
  // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
2381
1711
  arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
2382
1712
  "credential_configuration_ids",
@@ -2393,276 +1723,91 @@ var CredentialOfferClientV1_0_13 = class {
2393
1723
  });
2394
1724
  }
2395
1725
  if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
2396
- throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
1726
+ return Promise.reject(Error("Either a credential_offer or credential_offer_uri should be present in " + uri));
2397
1727
  }
2398
- const request = await (0, import_oid4vci_common18.toUniformCredentialOfferRequest)(credentialOffer, {
1728
+ const request = await (0, import_oid4vci_common14.toUniformCredentialOfferRequest)(credentialOffer, {
2399
1729
  ...opts,
2400
1730
  version
2401
1731
  });
2402
1732
  return {
2403
1733
  ...constructBaseResponse(request, scheme, baseUrl),
2404
- userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common18.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false)
1734
+ userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common14.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false)
2405
1735
  };
2406
1736
  }
2407
1737
  static toURI(requestWithBaseUrl, opts) {
2408
- logger10.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
1738
+ logger6.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
2409
1739
  const version = opts?.version ?? requestWithBaseUrl.version;
2410
1740
  let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
2411
- let param;
2412
1741
  const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
2413
- if (version.valueOf() >= import_oid4vci_common18.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
2414
- if (!baseUrl.includes("?")) {
2415
- param = isUri ? "credential_offer_uri" : "credential_offer";
2416
- } else {
2417
- const split = baseUrl.split("?");
2418
- if (split.length > 1 && split[1] !== "") {
2419
- if (baseUrl.endsWith("&")) {
2420
- param = isUri ? "credential_offer_uri" : "credential_offer";
2421
- } else if (!baseUrl.endsWith("=")) {
2422
- baseUrl += `&`;
2423
- param = isUri ? "credential_offer_uri" : "credential_offer";
2424
- }
2425
- }
2426
- }
2427
- }
2428
- return (0, import_oid4vci_common18.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
2429
- baseUrl,
2430
- arrayTypeProperties: isUri ? [] : [
2431
- "credential_type"
2432
- ],
2433
- uriTypeProperties: isUri ? [
2434
- "credential_offer_uri"
2435
- ] : version >= import_oid4vci_common18.OpenId4VCIVersion.VER_1_0_13 ? [
2436
- "credential_issuer",
2437
- "credential_type"
2438
- ] : [
2439
- "issuer",
2440
- "credential_type"
2441
- ],
2442
- param,
2443
- version
2444
- });
2445
- }
2446
- };
2447
-
2448
- // lib/CredentialRequestClientV1_0_11.ts
2449
- var import_oid4vc_common6 = require("@sphereon/oid4vc-common");
2450
- var import_oid4vci_common19 = require("@sphereon/oid4vci-common");
2451
- var import_ssi_types13 = require("@sphereon/ssi-types");
2452
- var logger11 = import_ssi_types13.Loggers.DEFAULT.get("sphereon:oid4vci:credential");
2453
- var CredentialRequestClientV1_0_11 = class {
2454
- static {
2455
- __name(this, "CredentialRequestClientV1_0_11");
2456
- }
2457
- _credentialRequestOpts;
2458
- _isDeferred = false;
2459
- get credentialRequestOpts() {
2460
- return this._credentialRequestOpts;
2461
- }
2462
- isDeferred() {
2463
- return this._isDeferred;
2464
- }
2465
- getCredentialEndpoint() {
2466
- return this.credentialRequestOpts.credentialEndpoint;
2467
- }
2468
- getDeferredCredentialEndpoint() {
2469
- return this.credentialRequestOpts.deferredCredentialEndpoint;
2470
- }
2471
- constructor(builder) {
2472
- this._credentialRequestOpts = {
2473
- ...builder
2474
- };
2475
- }
2476
- async acquireCredentialsUsingProof(opts) {
2477
- const { credentialTypes, proofInput, format, context } = opts;
2478
- const request = await this.createCredentialRequest({
2479
- proofInput,
2480
- credentialTypes,
2481
- context,
2482
- format,
2483
- version: this.version()
2484
- });
2485
- return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
2486
- }
2487
- async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
2488
- const request = (0, import_oid4vci_common19.getCredentialRequestForVersion)(uniformRequest, this.version());
2489
- const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
2490
- if (!(0, import_oid4vci_common19.isValidURL)(credentialEndpoint)) {
2491
- logger11.debug(`Invalid credential endpoint: ${credentialEndpoint}`);
2492
- throw new Error(import_oid4vci_common19.URL_NOT_VALID);
2493
- }
2494
- logger11.debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
2495
- logger11.debug(`request
2496
- : ${JSON.stringify(request, null, 2)}`);
2497
- const requestToken = this.credentialRequestOpts.token;
2498
- let dPoP = createDPoPOpts ? await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
2499
- accessToken: requestToken
2500
- })) : void 0;
2501
- let response = await (0, import_oid4vci_common19.post)(credentialEndpoint, JSON.stringify(request), {
2502
- bearerToken: requestToken,
2503
- customHeaders: {
2504
- ...createDPoPOpts && {
2505
- dpop: dPoP
2506
- }
2507
- }
2508
- });
2509
- let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
2510
- const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response);
2511
- if (retryWithNonce.ok && createDPoPOpts) {
2512
- createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
2513
- dPoP = await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
2514
- accessToken: requestToken
2515
- }));
2516
- response = await (0, import_oid4vci_common19.post)(credentialEndpoint, JSON.stringify(request), {
2517
- bearerToken: requestToken,
2518
- customHeaders: {
2519
- ...createDPoPOpts && {
2520
- dpop: dPoP
2521
- }
2522
- }
1742
+ if (isUri) {
1743
+ return (0, import_oid4vci_common14.convertJsonToURI)({
1744
+ credential_offer_uri: requestWithBaseUrl.credential_offer_uri
1745
+ }, {
1746
+ baseUrl,
1747
+ uriTypeProperties: [
1748
+ "credential_offer_uri"
1749
+ ],
1750
+ param: "credential_offer_uri",
1751
+ version
2523
1752
  });
2524
- const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
2525
- nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
2526
- }
2527
- this._isDeferred = (0, import_oid4vci_common19.isDeferredCredentialResponse)(response);
2528
- if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
2529
- response = await this.acquireDeferredCredential(response.successBody, {
2530
- bearerToken: this.credentialRequestOpts.token
1753
+ } else {
1754
+ return (0, import_oid4vci_common14.convertJsonToURI)(requestWithBaseUrl.original_credential_offer, {
1755
+ baseUrl,
1756
+ param: "credential_offer",
1757
+ mode: import_oid4vci_common14.JsonURIMode.JSON_STRINGIFY,
1758
+ version
2531
1759
  });
2532
1760
  }
2533
- response.access_token = requestToken;
2534
- logger11.debug(`Credential endpoint ${credentialEndpoint} response:\r
2535
- ${JSON.stringify(response, null, 2)}`);
2536
- return {
2537
- ...response,
2538
- ...nextDPoPNonce && {
2539
- params: {
2540
- dpop: {
2541
- dpopNonce: nextDPoPNonce
2542
- }
2543
- }
2544
- }
2545
- };
2546
- }
2547
- async acquireDeferredCredential(response, opts) {
2548
- const transactionId = response.transaction_id;
2549
- const bearerToken = response.acceptance_token ?? opts?.bearerToken;
2550
- const deferredCredentialEndpoint = this.getDeferredCredentialEndpoint();
2551
- if (!deferredCredentialEndpoint) {
2552
- throw Error(`No deferred credential endpoint supplied.`);
2553
- } else if (!bearerToken) {
2554
- throw Error(`No bearer token present and refresh for defered endpoint not supported yet`);
2555
- }
2556
- return await (0, import_oid4vci_common19.acquireDeferredCredential)({
2557
- bearerToken,
2558
- transactionId,
2559
- deferredCredentialEndpoint,
2560
- deferredCredentialAwait: this.credentialRequestOpts.deferredCredentialAwait,
2561
- deferredCredentialIntervalInMS: this.credentialRequestOpts.deferredCredentialIntervalInMS
2562
- });
2563
- }
2564
- async createCredentialRequest(opts) {
2565
- const { proofInput } = opts;
2566
- const formatSelection = opts.format ?? this.credentialRequestOpts.format;
2567
- if (!formatSelection) {
2568
- throw Error(`Format of credential to be issued is missing`);
2569
- }
2570
- const format = (0, import_oid4vci_common19.getUniformFormat)(formatSelection);
2571
- const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
2572
- const types = Array.isArray(typesSelection) ? typesSelection : [
2573
- typesSelection
2574
- ];
2575
- if (types.length === 0) {
2576
- throw Error(`Credential type(s) need to be provided`);
2577
- } else if (!this.isV11OrHigher() && types.length !== 1) {
2578
- throw Error("Only a single credential type is supported for V8/V9");
2579
- }
2580
- const proof = await buildProof(proofInput, opts);
2581
- if (format === "jwt_vc_json" || format === "jwt_vc") {
2582
- return {
2583
- types,
2584
- format,
2585
- proof
2586
- };
2587
- } else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
2588
- if (this.version() >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
2589
- throw Error("No @context value present, but it is required");
2590
- }
2591
- return {
2592
- format,
2593
- proof,
2594
- // Ignored because v11 does not have the context value, but it is required in v12
2595
- // eslint-disable-next-line @typescript-eslint/ban-ts-comment
2596
- // @ts-ignore
2597
- credential_definition: {
2598
- types,
2599
- ...opts.context && {
2600
- "@context": opts.context
2601
- }
2602
- }
2603
- };
2604
- } else if (format === "vc+sd-jwt") {
2605
- if (types.length > 1) {
2606
- throw Error(`Only a single credential type is supported for ${format}`);
2607
- }
2608
- return {
2609
- format,
2610
- proof,
2611
- vct: types[0]
2612
- };
2613
- } else if (format === "mso_mdoc") {
2614
- if (types.length > 1) {
2615
- throw Error(`Only a single credential type is supported for ${format}`);
2616
- }
2617
- return {
2618
- format,
2619
- proof,
2620
- doctype: types[0]
2621
- };
2622
- }
2623
- throw new Error(`Unsupported format: ${format}`);
2624
- }
2625
- version() {
2626
- return this.credentialRequestOpts?.version ?? import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_11;
2627
- }
2628
- isV11OrHigher() {
2629
- return this.version() >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_11;
2630
1761
  }
2631
1762
  };
2632
1763
 
2633
1764
  // lib/CredentialRequestClientBuilder.ts
2634
- var import_oid4vci_common22 = require("@sphereon/oid4vci-common");
1765
+ var import_oid4vci_common16 = require("@sphereon/oid4vci-common");
2635
1766
 
2636
- // lib/CredentialRequestClientBuilderV1_0_11.ts
2637
- var import_oid4vci_common20 = require("@sphereon/oid4vci-common");
2638
- var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilderV1_0_11 {
1767
+ // lib/CredentialRequestClientBuilderV1_0_15.ts
1768
+ var import_oid4vci_common15 = require("@sphereon/oid4vci-common");
1769
+ var CredentialRequestClientBuilderV1_0_15 = class _CredentialRequestClientBuilderV1_0_15 {
2639
1770
  static {
2640
- __name(this, "CredentialRequestClientBuilderV1_0_11");
1771
+ __name(this, "CredentialRequestClientBuilderV1_0_15");
2641
1772
  }
2642
1773
  credentialEndpoint;
2643
1774
  deferredCredentialEndpoint;
1775
+ nonceEndpoint;
2644
1776
  deferredCredentialAwait = false;
2645
1777
  deferredCredentialIntervalInMS = 5e3;
1778
+ credentialIdentifier;
1779
+ credentialConfigurationId;
2646
1780
  credentialTypes = [];
2647
- format;
2648
1781
  token;
2649
1782
  version;
2650
1783
  subjectIssuance;
2651
1784
  issuerState;
2652
- static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialTypes }) {
1785
+ // Note: format removed from v15 - credential requests no longer include format parameter
1786
+ static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialConfigurationId, credentialTypes }) {
2653
1787
  const issuer = credentialIssuer;
2654
- const builder = new _CredentialRequestClientBuilderV1_0_11();
2655
- builder.withVersion(version ?? import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11);
1788
+ const builder = new _CredentialRequestClientBuilderV1_0_15();
1789
+ builder.withVersion(version ?? import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_15);
2656
1790
  builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
2657
1791
  if (metadata?.deferred_credential_endpoint) {
2658
1792
  builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
2659
1793
  }
2660
- builder.withCredentialType(credentialTypes);
1794
+ if (metadata?.credentialIssuerMetadata?.nonce_endpoint) {
1795
+ builder.withNonceEndpoint(metadata.credentialIssuerMetadata?.nonce_endpoint);
1796
+ }
1797
+ if (credentialIdentifier) {
1798
+ builder.withCredentialIdentifier(credentialIdentifier);
1799
+ }
1800
+ if (credentialConfigurationId) {
1801
+ builder.withCredentialConfigurationId(credentialConfigurationId);
1802
+ }
1803
+ if (credentialTypes) {
1804
+ builder.withCredentialType(credentialTypes);
1805
+ }
2661
1806
  return builder;
2662
1807
  }
2663
1808
  static async fromURI({ uri, metadata }) {
2664
- const offer = await CredentialOfferClientV1_0_11.fromURI(uri);
2665
- return _CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest({
1809
+ const offer = await CredentialOfferClient.fromURI(uri);
1810
+ return _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
2666
1811
  request: offer,
2667
1812
  ...offer,
2668
1813
  metadata,
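Review bot: The rejection at new line 1726 concatenates the complete offer URI into the error message, and `toURI` at new line 1738 debug-logs the whole request through `JSON.stringify(requestWithBaseUrl)`. A by-value offer carries its grants in the query string, including the pre-authorized code that the removed code read via `PRE_AUTH_CODE_LITERAL`, so these strings can put a still-valid code into logs and error reports. The same applies to the `logger6.debug` calls at new lines 1697 and 1699 in the previous hunk, and to new lines 1636 and 1648 in the earlier offer client. I would log `baseUrl` in place of `uri` in the debug calls and drop `+ uri` from the error text, provided no caller parses that message.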
@@ -2671,31 +1816,36 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
2671
1816
  }
2672
1817
  static fromCredentialOfferRequest(opts) {
2673
1818
  const { request, metadata } = opts;
2674
- const version = opts.version ?? request.version ?? (0, import_oid4vci_common20.determineSpecVersionFromOffer)(request.original_credential_offer);
2675
- const builder = new _CredentialRequestClientBuilderV1_0_11();
2676
- const issuer = (0, import_oid4vci_common20.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
1819
+ const version = opts.version ?? request.version ?? (0, import_oid4vci_common15.determineSpecVersionFromOffer)(request.original_credential_offer);
1820
+ if (version < import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_15) {
1821
+ throw new Error("Versions below v1.0.15 (draft 15) are not supported.");
1822
+ }
1823
+ const builder = new _CredentialRequestClientBuilderV1_0_15();
1824
+ const issuer = (0, import_oid4vci_common15.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? (metadata ? metadata.issuer : void 0);
1825
+ if (!issuer && !metadata?.credential_endpoint) {
1826
+ throw Error(`Issuer could not be determined`);
1827
+ }
2677
1828
  builder.withVersion(version);
2678
1829
  builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
2679
1830
  if (metadata?.deferred_credential_endpoint) {
2680
1831
  builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
2681
1832
  }
2682
- if (version <= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_08) {
2683
- builder.withCredentialType(request.original_credential_offer.credential_type);
2684
- } else if (version <= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11) {
2685
- builder.withCredentialType((0, import_oid4vci_common20.getTypesFromOfferV1_0_11)(request.credential_offer));
1833
+ if (metadata?.credentialIssuerMetadata?.nonce_endpoint) {
1834
+ builder.withNonceEndpoint(metadata.credentialIssuerMetadata.nonce_endpoint);
1835
+ }
1836
+ const ids = request.credential_offer.credential_configuration_ids;
1837
+ if (ids.length && ids.length === 1) {
1838
+ builder.withCredentialConfigurationId(ids[0]);
2686
1839
  }
2687
1840
  return builder;
2688
1841
  }
2689
1842
  static fromCredentialOffer({ credentialOffer, metadata }) {
2690
- return _CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest({
1843
+ const builder = _CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest({
2691
1844
  request: credentialOffer,
2692
1845
  metadata,
2693
1846
  version: credentialOffer.version
2694
1847
  });
2695
- }
2696
- withIssuerState(issuerState) {
2697
- this.issuerState = issuerState;
2698
- return this;
1848
+ return builder;
2699
1849
  }
2700
1850
  withCredentialEndpointFromMetadata(metadata) {
2701
1851
  this.credentialEndpoint = metadata.credential_endpoint;
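Review bot: `ids.length` at new line 1837 is read without checking that the offer contains a `credential_configuration_ids` array, so an offer that omits it makes `fromCredentialOfferRequest` fail with a TypeError rather than a clear validation error. The offer comes from the issuer, or from whoever produced the link or QR code, so the shape should be checked before use: `if (Array.isArray(ids) && ids.length === 1) {`. The existing `ids.length && ids.length === 1` is redundant, since the second test implies the first. When the offer lists several ids, no configuration id is set; a short comment should say the caller is expected to choose one.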
@@ -2705,6 +1855,10 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
2705
1855
  this.credentialEndpoint = credentialEndpoint;
2706
1856
  return this;
2707
1857
  }
1858
+ withIssuerState(issuerState) {
1859
+ this.issuerState = issuerState;
1860
+ return this;
1861
+ }
2708
1862
  withDeferredCredentialEndpointFromMetadata(metadata) {
2709
1863
  this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
2710
1864
  return this;
@@ -2713,132 +1867,13 @@ var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilde
2713
1867
  this.deferredCredentialEndpoint = deferredCredentialEndpoint;
2714
1868
  return this;
2715
1869
  }
2716
- withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
2717
- this.deferredCredentialAwait = deferredCredentialAwait;
2718
- this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
2719
- return this;
2720
- }
2721
- withCredentialType(credentialTypes) {
2722
- this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
2723
- credentialTypes
2724
- ];
2725
- return this;
2726
- }
2727
- withFormat(format) {
2728
- this.format = format;
2729
- return this;
2730
- }
2731
- withSubjectIssuance(subjectIssuance) {
2732
- this.subjectIssuance = subjectIssuance;
2733
- return this;
2734
- }
2735
- withToken(accessToken) {
2736
- this.token = accessToken;
2737
- return this;
2738
- }
2739
- withTokenFromResponse(response) {
2740
- this.token = response.access_token;
2741
- return this;
2742
- }
2743
- withVersion(version) {
2744
- this.version = version;
2745
- return this;
2746
- }
2747
- build() {
2748
- if (!this.version) {
2749
- this.withVersion(import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11);
2750
- }
2751
- return new CredentialRequestClientV1_0_11(this);
2752
- }
2753
- };
2754
-
2755
- // lib/CredentialRequestClientBuilderV1_0_13.ts
2756
- var import_oid4vci_common21 = require("@sphereon/oid4vci-common");
2757
- var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilderV1_0_13 {
2758
- static {
2759
- __name(this, "CredentialRequestClientBuilderV1_0_13");
2760
- }
2761
- credentialEndpoint;
2762
- deferredCredentialEndpoint;
2763
- deferredCredentialAwait = false;
2764
- deferredCredentialIntervalInMS = 5e3;
2765
- credentialIdentifier;
2766
- credentialTypes = [];
2767
- format;
2768
- token;
2769
- version;
2770
- subjectIssuance;
2771
- issuerState;
2772
- static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
2773
- const issuer = credentialIssuer;
2774
- const builder = new _CredentialRequestClientBuilderV1_0_13();
2775
- builder.withVersion(version ?? import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_13);
2776
- builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
2777
- if (metadata?.deferred_credential_endpoint) {
2778
- builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
2779
- }
2780
- if (credentialIdentifier) {
2781
- builder.withCredentialIdentifier(credentialIdentifier);
2782
- }
2783
- if (credentialTypes) {
2784
- builder.withCredentialType(credentialTypes);
2785
- }
2786
- return builder;
2787
- }
2788
- static async fromURI({ uri, metadata }) {
2789
- const offer = await CredentialOfferClient.fromURI(uri);
2790
- return _CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({
2791
- request: offer,
2792
- ...offer,
2793
- metadata,
2794
- version: offer.version
2795
- });
2796
- }
2797
- static fromCredentialOfferRequest(opts) {
2798
- const { request, metadata } = opts;
2799
- const version = opts.version ?? request.version ?? (0, import_oid4vci_common21.determineSpecVersionFromOffer)(request.original_credential_offer);
2800
- if (version < import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_13) {
2801
- throw new Error("Versions below v1.0.13 (draft 13) are not supported.");
2802
- }
2803
- const builder = new _CredentialRequestClientBuilderV1_0_13();
2804
- const issuer = (0, import_oid4vci_common21.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
2805
- builder.withVersion(version);
2806
- builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
2807
- if (metadata?.deferred_credential_endpoint) {
2808
- builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
2809
- }
2810
- const ids = request.credential_offer.credential_configuration_ids;
2811
- if (ids.length && ids.length === 1) {
2812
- builder.withCredentialIdentifier(ids[0]);
2813
- }
2814
- return builder;
2815
- }
2816
- static fromCredentialOffer({ credentialOffer, metadata }) {
2817
- const builder = _CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({
2818
- request: credentialOffer,
2819
- metadata,
2820
- version: credentialOffer.version
2821
- });
2822
- return builder;
2823
- }
2824
- withCredentialEndpointFromMetadata(metadata) {
2825
- this.credentialEndpoint = metadata.credential_endpoint;
2826
- return this;
2827
- }
2828
- withCredentialEndpoint(credentialEndpoint) {
2829
- this.credentialEndpoint = credentialEndpoint;
2830
- return this;
2831
- }
2832
- withIssuerState(issuerState) {
2833
- this.issuerState = issuerState;
2834
- return this;
2835
- }
2836
- withDeferredCredentialEndpointFromMetadata(metadata) {
2837
- this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
1870
+ // New in v15: Support for nonce endpoint
1871
+ withNonceEndpointFromMetadata(metadata) {
1872
+ this.nonceEndpoint = metadata.nonce_endpoint;
2838
1873
  return this;
2839
1874
  }
2840
- withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
2841
- this.deferredCredentialEndpoint = deferredCredentialEndpoint;
1875
+ withNonceEndpoint(nonceEndpoint) {
1876
+ this.nonceEndpoint = nonceEndpoint;
2842
1877
  return this;
2843
1878
  }
2844
1879
  withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
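Review bot: `withNonceEndpointFromMetadata` at new line 1871 reads `metadata.nonce_endpoint`, whereas both factories in this class read `metadata.credentialIssuerMetadata.nonce_endpoint` (new lines 1794 and 1833). If a caller passes the same metadata object it gives to `withCredentialEndpointFromMetadata`, `nonceEndpoint` would be set to undefined without any error. The parameter type is not visible in the bundle, so this needs confirming against the TypeScript source. A doc comment naming the expected object would settle it, for example `// expects the credential issuer metadata itself, not the wrapper that holds credentialIssuerMetadata`.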
@@ -2846,20 +1881,24 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
2846
1881
  this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
2847
1882
  return this;
2848
1883
  }
1884
+ // New in v15: Support for credential_identifier (used when authorization_details with credential_identifiers was used)
2849
1885
  withCredentialIdentifier(credentialIdentifier) {
2850
1886
  this.credentialIdentifier = credentialIdentifier;
2851
1887
  return this;
2852
1888
  }
1889
+ // New in v15: Support for credential_configuration_id (used when scope was used and no credential_identifiers returned)
1890
+ withCredentialConfigurationId(credentialConfigurationId) {
1891
+ this.credentialConfigurationId = credentialConfigurationId;
1892
+ return this;
1893
+ }
1894
+ // Legacy support for credential types (may be used internally to map to configuration IDs)
2853
1895
  withCredentialType(credentialTypes) {
2854
1896
  this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
2855
1897
  credentialTypes
2856
1898
  ];
2857
1899
  return this;
2858
1900
  }
2859
- withFormat(format) {
2860
- this.format = format;
2861
- return this;
2862
- }
1901
+ // Note: withFormat() method removed in v15 - format is no longer part of credential requests
2863
1902
  withSubjectIssuance(subjectIssuance) {
2864
1903
  this.subjectIssuance = subjectIssuance;
2865
1904
  return this;
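Review bot: The comment added at new line 1884 describes `withCredentialIdentifier` as new in v15, but the method is an unchanged context line here and the removed `CredentialRequestClientBuilderV1_0_13` already declared `credentialIdentifier`. I would reword it to `// credential_identifier: use when the token response returned credential_identifiers via authorization_details`. The two comments present the identifier and the configuration id as alternatives, yet nothing visible in the setters or in `build()` stops both being set. Adding `// set either this or credentialIdentifier, not both` on `withCredentialConfigurationId` would make that explicit, unless the client enforces it elsewhere.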
@@ -2878,723 +1917,158 @@ var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilde
2878
1917
  }
2879
1918
  build() {
2880
1919
  if (!this.version) {
2881
- this.withVersion(import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11);
1920
+ this.withVersion(import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_15);
2882
1921
  }
2883
1922
  return new CredentialRequestClient(this);
2884
1923
  }
2885
1924
  };
2886
1925
 
2887
1926
  // lib/CredentialRequestClientBuilder.ts
2888
- function isV1_0_13(builder) {
1927
+ function isV1_0_15(builder) {
2889
1928
  return builder.withCredentialIdentifier !== void 0;
2890
- }
2891
- __name(isV1_0_13, "isV1_0_13");
2892
- var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
2893
- static {
2894
- __name(this, "CredentialRequestClientBuilder");
2895
- }
2896
- _builder;
2897
- constructor(builder) {
2898
- this._builder = builder;
2899
- }
2900
- static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
2901
- const specVersion = version ?? import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13;
2902
- let builder;
2903
- if (specVersion >= import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
2904
- builder = CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
2905
- credentialIssuer,
2906
- metadata,
2907
- version,
2908
- credentialIdentifier,
2909
- credentialTypes
2910
- });
2911
- } else {
2912
- if (!credentialTypes || credentialTypes.length === 0) {
2913
- throw new Error("CredentialTypes must be provided for v1_0_11");
2914
- }
2915
- builder = CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
2916
- credentialIssuer,
2917
- metadata,
2918
- version,
2919
- credentialTypes
2920
- });
2921
- }
2922
- return new _CredentialRequestClientBuilder(builder);
2923
- }
2924
- static async fromURI({ uri, metadata }) {
2925
- const offer = await CredentialOfferClient.fromURI(uri);
2926
- return _CredentialRequestClientBuilder.fromCredentialOfferRequest({
2927
- request: offer,
2928
- ...offer,
2929
- metadata,
2930
- version: offer.version
2931
- });
2932
- }
2933
- static fromCredentialOfferRequest(opts) {
2934
- const { request } = opts;
2935
- const version = opts.version ?? request.version ?? (0, import_oid4vci_common22.determineSpecVersionFromOffer)(request.original_credential_offer);
2936
- let builder;
2937
- if (version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
2938
- builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
2939
- } else {
2940
- builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
2941
- }
2942
- return new _CredentialRequestClientBuilder(builder);
2943
- }
2944
- static fromCredentialOffer({ credentialOffer, metadata }) {
2945
- const version = (0, import_oid4vci_common22.determineSpecVersionFromOffer)(credentialOffer.credential_offer);
2946
- let builder;
2947
- if (version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
2948
- builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
2949
- credentialOffer,
2950
- metadata
2951
- });
2952
- } else {
2953
- builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
2954
- credentialOffer,
2955
- metadata
2956
- });
2957
- }
2958
- return new _CredentialRequestClientBuilder(builder);
2959
- }
2960
- getVersion() {
2961
- return this._builder.version;
2962
- }
2963
- withCredentialEndpointFromMetadata(metadata) {
2964
- if (isV1_0_13(this._builder)) {
2965
- this._builder.withCredentialEndpointFromMetadata(metadata);
2966
- } else {
2967
- this._builder.withCredentialEndpointFromMetadata(metadata);
2968
- }
2969
- return this;
2970
- }
2971
- withCredentialEndpoint(credentialEndpoint) {
2972
- this._builder.withCredentialEndpoint(credentialEndpoint);
2973
- return this;
2974
- }
2975
- withDeferredCredentialEndpointFromMetadata(metadata) {
2976
- if (isV1_0_13(this._builder)) {
2977
- this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
2978
- } else {
2979
- this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
2980
- }
2981
- return this;
2982
- }
2983
- withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
2984
- this._builder.withDeferredCredentialEndpoint(deferredCredentialEndpoint);
2985
- return this;
2986
- }
2987
- withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
2988
- this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS);
2989
- return this;
2990
- }
2991
- withCredentialIdentifier(credentialIdentifier) {
2992
- if (this._builder.version === void 0 || this._builder.version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
2993
- throw new Error("Version of spec should be equal or higher than v1_0_13");
2994
- }
2995
- ;
2996
- this._builder.withCredentialIdentifier(credentialIdentifier);
2997
- return this;
2998
- }
2999
- withIssuerState(issuerState) {
3000
- this._builder.withIssuerState(issuerState);
3001
- return this;
3002
- }
3003
- withCredentialType(credentialTypes) {
3004
- this._builder.withCredentialType(credentialTypes);
3005
- return this;
3006
- }
3007
- withFormat(format) {
3008
- this._builder.withFormat(format);
3009
- return this;
3010
- }
3011
- withSubjectIssuance(subjectIssuance) {
3012
- this._builder.withSubjectIssuance(subjectIssuance);
3013
- return this;
3014
- }
3015
- withToken(accessToken) {
3016
- this._builder.withToken(accessToken);
3017
- return this;
3018
- }
3019
- withTokenFromResponse(response) {
3020
- this._builder.withTokenFromResponse(response);
3021
- return this;
3022
- }
3023
- withVersion(version) {
3024
- this._builder.withVersion(version);
3025
- return this;
3026
- }
3027
- build() {
3028
- return this._builder.build();
3029
- }
3030
- };
3031
-
3032
- // lib/OpenID4VCIClient.ts
3033
- var import_oid4vci_common23 = require("@sphereon/oid4vci-common");
3034
- var import_ssi_types14 = require("@sphereon/ssi-types");
3035
- var logger12 = import_ssi_types14.Loggers.DEFAULT.get("sphereon:oid4vci");
3036
- var OpenID4VCIClient = class _OpenID4VCIClient {
3037
- static {
3038
- __name(this, "OpenID4VCIClient");
3039
- }
3040
- _state;
3041
- constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
3042
- const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common23.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
3043
- if (!issuer) {
3044
- throw Error("No credential issuer supplied or deduced from offer");
3045
- }
3046
- this._state = {
3047
- credentialOffer,
3048
- credentialIssuer: issuer,
3049
- kid,
3050
- alg,
3051
- // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
3052
- clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common23.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
3053
- pkce: {
3054
- disabled: false,
3055
- codeChallengeMethod: import_oid4vci_common23.CodeChallengeMethod.S256,
3056
- ...pkce
3057
- },
3058
- authorizationRequestOpts,
3059
- authorizationCodeResponse,
3060
- accessToken,
3061
- jwk,
3062
- endpointMetadata: endpointMetadata?.credentialIssuerMetadata?.authorization_server ? endpointMetadata : endpointMetadata,
3063
- accessTokenResponse,
3064
- authorizationURL
3065
- };
3066
- if (!this._state.authorizationRequestOpts) {
3067
- this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
3068
- }
3069
- logger12.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
3070
- }
3071
- static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
3072
- const client = new _OpenID4VCIClient({
3073
- kid,
3074
- alg,
3075
- clientId: clientId ?? authorizationRequest?.clientId,
3076
- credentialIssuer,
3077
- pkce,
3078
- authorizationRequest,
3079
- endpointMetadata
3080
- });
3081
- if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
3082
- await client.retrieveServerMetadata();
3083
- }
3084
- if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
3085
- await client.createAuthorizationRequestUrl({
3086
- authorizationRequest,
3087
- pkce
3088
- });
3089
- }
3090
- return client;
3091
- }
3092
- static async fromState({ state }) {
3093
- const clientState = typeof state === "string" ? JSON.parse(state) : state;
3094
- return new _OpenID4VCIClient(clientState);
3095
- }
3096
- static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, endpointMetadata }) {
3097
- const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
3098
- resolve: resolveOfferUri
3099
- });
3100
- const client = new _OpenID4VCIClient({
3101
- credentialOffer: credentialOfferClient,
3102
- kid,
3103
- alg,
3104
- clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
3105
- pkce,
3106
- authorizationRequest,
3107
- endpointMetadata
3108
- });
3109
- if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
3110
- await client.retrieveServerMetadata();
3111
- }
3112
- if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common23.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
3113
- await client.createAuthorizationRequestUrl({
3114
- authorizationRequest,
3115
- pkce
3116
- });
3117
- logger12.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
3118
- }
3119
- return client;
3120
- }
3121
- /**
3122
- * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
3123
- *
3124
- * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
3125
- * @param opts
3126
- */
3127
- async createAuthorizationRequestUrl(opts) {
3128
- if (!this._state.authorizationURL) {
3129
- this.calculatePKCEOpts(opts?.pkce);
3130
- this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
3131
- if (!this._state.authorizationRequestOpts) {
3132
- throw Error(`No Authorization Request options present or provided in this call`);
3133
- }
3134
- if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
3135
- this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
3136
- }
3137
- if (this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_11) {
3138
- this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
3139
- pkce: this._state.pkce,
3140
- endpointMetadata: this.endpointMetadata,
3141
- authorizationRequest: this._state.authorizationRequestOpts,
3142
- credentialOffer: this.credentialOffer,
3143
- credentialsSupported: Object.values(this.getCredentialsSupported(true))
3144
- });
3145
- } else {
3146
- this._state.authorizationURL = await createAuthorizationRequestUrl({
3147
- pkce: this._state.pkce,
3148
- endpointMetadata: this.endpointMetadata,
3149
- authorizationRequest: this._state.authorizationRequestOpts,
3150
- credentialOffer: this.credentialOffer,
3151
- credentialConfigurationSupported: this.getCredentialsSupported(false)
3152
- });
3153
- }
3154
- }
3155
- return this._state.authorizationURL;
3156
- }
3157
- async retrieveServerMetadata() {
3158
- this.assertIssuerData();
3159
- if (!this._state.endpointMetadata) {
3160
- if (this.credentialOffer) {
3161
- this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
3162
- } else if (this._state.credentialIssuer) {
3163
- this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
3164
- } else {
3165
- throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
3166
- }
3167
- }
3168
- return this.endpointMetadata;
3169
- }
3170
- calculatePKCEOpts(pkce) {
3171
- this._state.pkce = generateMissingPKCEOpts({
3172
- ...this._state.pkce,
3173
- ...pkce
3174
- });
3175
- }
3176
- async acquireAuthorizationChallengeCode(opts) {
3177
- const response = await acquireAuthorizationChallengeAuthCode({
3178
- metadata: this.endpointMetadata,
3179
- credentialIssuer: this.getIssuer(),
3180
- clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
3181
- ...opts
3182
- });
3183
- if (response.errorBody) {
3184
- logger12.debug(`Authorization code error:\r
3185
- ${JSON.stringify(response.errorBody)}`);
3186
- const error = response.errorBody;
3187
- return Promise.reject(error);
3188
- } else if (!response.successBody) {
3189
- logger12.debug(`Authorization code error. No success body`);
3190
- return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
3191
- }
3192
- return {
3193
- ...response.successBody
3194
- };
3195
- }
3196
- async acquireAccessToken(opts) {
3197
- const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
3198
- let { redirectUri } = opts ?? {};
3199
- const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
3200
- if (opts?.codeVerifier) {
3201
- this._state.pkce.codeVerifier = opts.codeVerifier;
3202
- }
3203
- this.assertIssuerData();
3204
- const asOpts = {
3205
- ...opts?.asOpts
3206
- };
3207
- const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
3208
- const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
3209
- if (this.isEBSI() || clientId && kid) {
3210
- if (!clientId) {
3211
- throw Error(`Client id expected for EBSI`);
3212
- }
3213
- asOpts.clientOpts = {
3214
- ...asOpts.clientOpts,
3215
- clientId,
3216
- ...kid && {
3217
- kid
3218
- },
3219
- ...clientAssertionType && {
3220
- clientAssertionType
3221
- },
3222
- signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
3223
- };
3224
- }
3225
- if (clientId) {
3226
- this._state.clientId = clientId;
3227
- if (!asOpts.clientOpts) {
3228
- asOpts.clientOpts = {
3229
- clientId
3230
- };
3231
- }
3232
- asOpts.clientOpts.clientId = clientId;
3233
- }
3234
- if (!this._state.accessTokenResponse) {
3235
- const accessTokenClient = this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_12 ? new AccessTokenClientV1_0_11() : new AccessTokenClient();
3236
- if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
3237
- console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
3238
- }
3239
- if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
3240
- redirectUri = this._state.authorizationRequestOpts.redirectUri;
3241
- }
3242
- const response = await accessTokenClient.acquireAccessToken({
3243
- credentialOffer: this.credentialOffer,
3244
- metadata: this.endpointMetadata,
3245
- credentialIssuer: this.getIssuer(),
3246
- pin,
3247
- ...!this._state.pkce.disabled && {
3248
- codeVerifier: this._state.pkce.codeVerifier
3249
- },
3250
- code,
3251
- redirectUri,
3252
- asOpts,
3253
- ...opts?.createDPoPOpts && {
3254
- createDPoPOpts: opts.createDPoPOpts
3255
- },
3256
- ...opts?.additionalRequestParams && {
3257
- additionalParams: opts.additionalRequestParams
3258
- }
3259
- });
3260
- if (response.errorBody) {
3261
- logger12.debug(`Access token error:\r
3262
- ${JSON.stringify(response.errorBody)}`);
3263
- throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
3264
- } else if (!response.successBody) {
3265
- logger12.debug(`Access token error. No success body`);
3266
- throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
3267
- }
3268
- this._state.accessTokenResponse = response.successBody;
3269
- this._state.dpopResponseParams = response.params;
3270
- this._state.accessToken = response.successBody.access_token;
3271
- }
3272
- return {
3273
- ...this.accessTokenResponse,
3274
- ...this.dpopResponseParams && {
3275
- params: this.dpopResponseParams
3276
- }
3277
- };
3278
- }
3279
- async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
3280
- if ([
3281
- jwk,
3282
- kid
3283
- ].filter((v) => v !== void 0).length > 1) {
3284
- throw new Error(import_oid4vci_common23.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
3285
- }
3286
- if (alg) this._state.alg = alg;
3287
- if (jwk) this._state.jwk = jwk;
3288
- if (kid) this._state.kid = kid;
3289
- let requestBuilder;
3290
- if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13) {
3291
- requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
3292
- credentialOffer: this.credentialOffer,
3293
- metadata: this.endpointMetadata
3294
- }) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
3295
- credentialIssuer: this.getIssuer(),
3296
- credentialTypes,
3297
- metadata: this.endpointMetadata,
3298
- version: this.version()
3299
- });
3300
- } else {
3301
- requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
3302
- credentialOffer: this.credentialOffer,
3303
- metadata: this.endpointMetadata
3304
- }) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
3305
- credentialIssuer: this.getIssuer(),
3306
- credentialTypes,
3307
- metadata: this.endpointMetadata,
3308
- version: this.version()
3309
- });
3310
- }
3311
- const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common23.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
3312
- requestBuilder.withIssuerState(issuerState);
3313
- requestBuilder.withTokenFromResponse(this.accessTokenResponse);
3314
- requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
3315
- let subjectIssuance;
3316
- if (this.endpointMetadata?.credentialIssuerMetadata) {
3317
- const metadata = this.endpointMetadata.credentialIssuerMetadata;
3318
- const types = Array.isArray(credentialTypes) ? credentialTypes : [
3319
- credentialTypes
3320
- ];
3321
- if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
3322
- let typeSupported = false;
3323
- metadata.credentials_supported.forEach((supportedCredential) => {
3324
- const subTypes = (0, import_oid4vci_common23.getTypesFromCredentialSupported)(supportedCredential);
3325
- if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
3326
- typeSupported = true;
3327
- if (supportedCredential.credential_subject_issuance) {
3328
- subjectIssuance = {
3329
- credential_subject_issuance: supportedCredential.credential_subject_issuance
3330
- };
3331
- }
3332
- }
3333
- });
3334
- if (!typeSupported) {
3335
- console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
3336
- }
3337
- } else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
3338
- const credentialsSupported = metadata.credentials_supported;
3339
- if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
3340
- throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
3341
- }
3342
- }
3343
- }
3344
- if (subjectIssuance) {
3345
- requestBuilder.withSubjectIssuance(subjectIssuance);
3346
- }
3347
- const credentialRequestClient = requestBuilder.build();
3348
- const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
3349
- accessTokenResponse: this.accessTokenResponse,
3350
- callbacks: proofCallbacks,
3351
- version: this.version()
3352
- }).withIssuer(this.getIssuer()).withAlg(this.alg);
3353
- if (this._state.jwk) {
3354
- proofBuilder.withJWK(this._state.jwk);
3355
- }
3356
- if (this._state.kid) {
3357
- proofBuilder.withKid(this._state.kid);
3358
- }
3359
- if (this.clientId) {
3360
- proofBuilder.withClientId(this.clientId);
3361
- }
3362
- if (jti) {
3363
- proofBuilder.withJti(jti);
3364
- }
3365
- const response = await credentialRequestClient.acquireCredentialsUsingProof({
3366
- proofInput: proofBuilder,
3367
- credentialTypes,
3368
- context,
3369
- format,
3370
- subjectIssuance,
3371
- createDPoPOpts
3372
- });
3373
- this._state.dpopResponseParams = response.params;
3374
- if (response.errorBody) {
3375
- logger12.debug(`Credential request error:\r
3376
- ${JSON.stringify(response.errorBody)}`);
3377
- throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
3378
- } else if (!response.successBody) {
3379
- logger12.debug(`Credential request error. No success body`);
3380
- throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
3381
- }
3382
- return {
3383
- ...response.successBody,
3384
- ...this.dpopResponseParams && {
3385
- params: this.dpopResponseParams
3386
- },
3387
- access_token: response.access_token
3388
- };
3389
- }
3390
- async exportState() {
3391
- return JSON.stringify(this._state);
3392
- }
3393
- getCredentialsSupported(restrictToInitiationTypes, format) {
3394
- return (0, import_oid4vci_common23.getSupportedCredentials)({
3395
- issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
3396
- version: this.version(),
3397
- format,
3398
- types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
3399
- });
3400
- }
3401
- async sendNotification(credentialRequestOpts, request, accessToken) {
3402
- return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
3403
- }
3404
- getCredentialOfferTypes() {
3405
- if (!this.credentialOffer) {
3406
- return [];
3407
- } else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_11) {
3408
- const orig = this.credentialOffer.original_credential_offer;
3409
- const types = typeof orig.credential_type === "string" ? [
3410
- orig.credential_type
3411
- ] : orig.credential_type;
3412
- const result = [];
3413
- result[0] = types;
3414
- return result;
3415
- } else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13) {
3416
- return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common23.getTypesFromObject)(c) ?? []);
3417
- }
3418
- return void 0;
3419
- }
3420
- issuerSupportedFlowTypes() {
3421
- return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
3422
- import_oid4vci_common23.AuthzFlowType.AUTHORIZATION_CODE_FLOW
3423
- ] : []);
3424
- }
3425
- isFlowTypeSupported(flowType) {
3426
- return this.issuerSupportedFlowTypes().includes(flowType);
3427
- }
3428
- get authorizationURL() {
3429
- return this._state.authorizationURL;
3430
- }
3431
- hasAuthorizationURL() {
3432
- return !!this.authorizationURL;
3433
- }
3434
- get credentialOffer() {
3435
- return this._state.credentialOffer;
3436
- }
3437
- version() {
3438
- if (this.credentialOffer?.version && this.credentialOffer.version !== import_oid4vci_common23.OpenId4VCIVersion.VER_UNKNOWN) {
3439
- return this.credentialOffer.version;
3440
- }
3441
- const metadata = this._state.endpointMetadata;
3442
- if (metadata?.credentialIssuerMetadata) {
3443
- const versions = (0, import_oid4vci_common23.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
3444
- if (versions.length > 0 && !versions.includes(import_oid4vci_common23.OpenId4VCIVersion.VER_UNKNOWN)) {
3445
- return versions[0];
3446
- }
3447
- }
3448
- return import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13;
3449
- }
3450
- get endpointMetadata() {
3451
- this.assertServerMetadata();
3452
- return this._state.endpointMetadata;
1929
+ }
1930
+ __name(isV1_0_15, "isV1_0_15");
1931
+ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
1932
+ static {
1933
+ __name(this, "CredentialRequestClientBuilder");
3453
1934
  }
3454
- get kid() {
3455
- this.assertIssuerData();
3456
- if (!this._state.kid) {
3457
- throw new Error("No value for kid is supplied");
3458
- }
3459
- return this._state.kid;
1935
+ _builder;
1936
+ constructor(builder) {
1937
+ this._builder = builder;
3460
1938
  }
3461
- get alg() {
3462
- this.assertIssuerData();
3463
- if (!this._state.alg) {
3464
- throw new Error("No value for alg is supplied");
3465
- }
3466
- return this._state.alg;
1939
+ static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
1940
+ let builder;
1941
+ const metadataV15 = metadata;
1942
+ builder = CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
1943
+ credentialIssuer,
1944
+ metadata: metadataV15,
1945
+ version,
1946
+ credentialIdentifier,
1947
+ credentialTypes
1948
+ });
1949
+ return new _CredentialRequestClientBuilder(builder);
3467
1950
  }
3468
- set clientId(value) {
3469
- this._state.clientId = value;
1951
+ static async fromURI({ uri, metadata }) {
1952
+ const offer = await CredentialOfferClient.fromURI(uri);
1953
+ return _CredentialRequestClientBuilder.fromCredentialOfferRequest({
1954
+ request: offer,
1955
+ ...offer,
1956
+ metadata,
1957
+ version: offer.version
1958
+ });
3470
1959
  }
3471
- get clientId() {
3472
- return this._state.clientId;
1960
+ static fromCredentialOfferRequest(opts) {
1961
+ const builder = CredentialRequestClientBuilderV1_0_15.fromCredentialOfferRequest(opts);
1962
+ return new _CredentialRequestClientBuilder(builder);
3473
1963
  }
3474
- hasAccessTokenResponse() {
3475
- return !!this._state.accessTokenResponse;
1964
+ static fromCredentialOffer({ credentialOffer, metadata }) {
1965
+ const builder = CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
1966
+ credentialOffer,
1967
+ metadata
1968
+ });
1969
+ return new _CredentialRequestClientBuilder(builder);
3476
1970
  }
3477
- get accessTokenResponse() {
3478
- this.assertAccessToken();
3479
- return this._state.accessTokenResponse;
1971
+ getVersion() {
1972
+ return this._builder.version;
3480
1973
  }
3481
- get dpopResponseParams() {
3482
- return this._state.dpopResponseParams;
1974
+ withCredentialEndpointFromMetadata(metadata) {
1975
+ if (isV1_0_15(this._builder)) {
1976
+ this._builder.withCredentialEndpointFromMetadata(metadata);
1977
+ }
1978
+ return this;
3483
1979
  }
3484
- getIssuer() {
3485
- this.assertIssuerData();
3486
- return this._state.credentialIssuer;
1980
+ withCredentialEndpoint(credentialEndpoint) {
1981
+ this._builder.withCredentialEndpoint(credentialEndpoint);
1982
+ return this;
3487
1983
  }
3488
- getAccessTokenEndpoint() {
3489
- this.assertIssuerData();
3490
- if (this.endpointMetadata) {
3491
- return this.endpointMetadata.token_endpoint;
1984
+ withDeferredCredentialEndpointFromMetadata(metadata) {
1985
+ if (isV1_0_15(this._builder)) {
1986
+ this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
3492
1987
  }
3493
- return this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_12 ? AccessTokenClientV1_0_11.determineTokenURL({
3494
- issuerOpts: {
3495
- issuer: this.getIssuer()
3496
- }
3497
- }) : AccessTokenClient.determineTokenURL({
3498
- issuerOpts: {
3499
- issuer: this.getIssuer()
3500
- }
3501
- });
1988
+ return this;
3502
1989
  }
3503
- getCredentialEndpoint() {
3504
- this.assertIssuerData();
3505
- return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
1990
+ withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
1991
+ this._builder.withDeferredCredentialEndpoint(deferredCredentialEndpoint);
1992
+ return this;
3506
1993
  }
3507
- getAuthorizationChallengeEndpoint() {
3508
- this.assertIssuerData();
3509
- return this.endpointMetadata?.authorization_challenge_endpoint;
1994
+ withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
1995
+ this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS);
1996
+ return this;
3510
1997
  }
3511
- hasAuthorizationChallengeEndpoint() {
3512
- return !!this.getAuthorizationChallengeEndpoint();
1998
+ withCredentialIdentifier(credentialIdentifier) {
1999
+ if (this._builder.version === void 0 || this._builder.version < import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_15) {
2000
+ throw new Error("Version of spec should be equal or higher than v1_0_15");
2001
+ }
2002
+ ;
2003
+ this._builder.withCredentialIdentifier(credentialIdentifier);
2004
+ return this;
3513
2005
  }
3514
- hasDeferredCredentialEndpoint() {
3515
- return !!this.getAccessTokenEndpoint();
2006
+ withIssuerState(issuerState) {
2007
+ this._builder.withIssuerState(issuerState);
2008
+ return this;
3516
2009
  }
3517
- getDeferredCredentialEndpoint() {
3518
- this.assertIssuerData();
3519
- return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
2010
+ withCredentialType(credentialTypes) {
2011
+ this._builder.withCredentialType(credentialTypes);
2012
+ return this;
3520
2013
  }
3521
- /**
3522
- * Too bad we need a method like this, but EBSI is not exposing metadata
3523
- */
3524
- isEBSI() {
3525
- if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
3526
- // eslint-disable-next-line @typescript-eslint/ban-ts-comment
3527
- // @ts-ignore
3528
- typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
3529
- ))) {
3530
- return true;
3531
- }
3532
- return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
2014
+ withSubjectIssuance(subjectIssuance) {
2015
+ this._builder.withSubjectIssuance(subjectIssuance);
2016
+ return this;
3533
2017
  }
3534
- assertIssuerData() {
3535
- if (!this._state.credentialIssuer) {
3536
- throw Error(`No credential issuer value present`);
3537
- } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
3538
- throw Error(`No issuance initiation or credential offer present`);
3539
- }
2018
+ withToken(accessToken) {
2019
+ this._builder.withToken(accessToken);
2020
+ return this;
3540
2021
  }
3541
- assertServerMetadata() {
3542
- if (!this._state.endpointMetadata) {
3543
- throw Error("No server metadata");
3544
- }
2022
+ withTokenFromResponse(response) {
2023
+ this._builder.withTokenFromResponse(response);
2024
+ return this;
3545
2025
  }
3546
- assertAccessToken() {
3547
- if (!this._state.accessTokenResponse) {
3548
- throw Error(`No access token present`);
3549
- }
2026
+ withVersion(version) {
2027
+ this._builder.withVersion(version);
2028
+ return this;
3550
2029
  }
3551
- syncAuthorizationRequestOpts(opts) {
3552
- const requestObjectOpts = {
3553
- ...this._state?.authorizationRequestOpts?.requestObjectOpts,
3554
- ...opts?.requestObjectOpts
3555
- };
3556
- let authorizationRequestOpts = {
3557
- ...this._state?.authorizationRequestOpts,
3558
- ...opts,
3559
- ...requestObjectOpts && {
3560
- requestObjectOpts
3561
- }
3562
- };
3563
- if (!authorizationRequestOpts) {
3564
- authorizationRequestOpts = {
3565
- redirectUri: `${import_oid4vci_common23.DefaultURISchemes.CREDENTIAL_OFFER}://`
3566
- };
3567
- }
3568
- const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
3569
- this._state.clientId = clientId;
3570
- authorizationRequestOpts.clientId = clientId;
3571
- return authorizationRequestOpts;
2030
+ build() {
2031
+ return this._builder.build();
3572
2032
  }
3573
- getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
3574
- if (authorizationResponse) {
3575
- this._state.authorizationCodeResponse = {
3576
- ...(0, import_oid4vci_common23.toAuthorizationResponsePayload)(authorizationResponse)
3577
- };
3578
- } else if (code) {
3579
- this._state.authorizationCodeResponse = {
3580
- code
3581
- };
3582
- }
3583
- return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
3584
- }, "getAuthorizationCode");
3585
2033
  };
3586
2034
 
3587
- // lib/OpenID4VCIClientV1_0_13.ts
3588
- var import_oid4vci_common24 = require("@sphereon/oid4vci-common");
3589
- var import_ssi_types15 = require("@sphereon/ssi-types");
3590
- var logger13 = import_ssi_types15.Loggers.DEFAULT.get("sphereon:oid4vci");
3591
- var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
2035
+ // lib/OpenID4VCIClient.ts
2036
+ var import_oid4vci_common19 = require("@sphereon/oid4vci-common");
2037
+ var import_ssi_types10 = require("@sphereon/ssi-types");
2038
+
2039
+ // lib/OpenID4VCIClientV1_0_15.ts
2040
+ var import_oid4vci_common18 = require("@sphereon/oid4vci-common");
2041
+ var import_ssi_types9 = require("@sphereon/ssi-types");
2042
+
2043
+ // lib/NonceClient.ts
2044
+ var import_oid4vci_common17 = require("@sphereon/oid4vci-common");
2045
+ var sendNonceRequest = /* @__PURE__ */ __name(async (nonceEndpointUrl, opts) => {
2046
+ return await (0, import_oid4vci_common17.formPost)(nonceEndpointUrl, new URLSearchParams(), {
2047
+ customHeaders: opts?.headers
2048
+ });
2049
+ }, "sendNonceRequest");
2050
+ var acquireNonceFromAuthorizationServer = /* @__PURE__ */ __name(async (opts) => {
2051
+ const metadata = opts?.metadata ? opts.metadata : opts?.issuerOpts?.fetchMetadata ? await MetadataClient.retrieveAllMetadata(opts.issuerOpts.issuer, {
2052
+ errorOnNotFound: false
2053
+ }) : void 0;
2054
+ const nonceEndpointUrl = metadata?.credentialIssuerMetadata?.nonce_endpoint;
2055
+ if (!nonceEndpointUrl) {
2056
+ return Promise.reject(Error("Cannot determine nonce endpoint URL"));
2057
+ }
2058
+ return await sendNonceRequest(nonceEndpointUrl, {
2059
+ headers: opts?.headers
2060
+ });
2061
+ }, "acquireNonceFromAuthorizationServer");
2062
+
2063
+ // lib/OpenID4VCIClientV1_0_15.ts
2064
+ var logger7 = import_ssi_types9.Loggers.DEFAULT.get("sphereon:oid4vci:v15");
2065
+ var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
3592
2066
  static {
3593
- __name(this, "OpenID4VCIClientV1_0_13");
2067
+ __name(this, "OpenID4VCIClientV1_0_15");
3594
2068
  }
3595
2069
  _state;
3596
- constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
3597
- const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common24.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
2070
+ constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL, keyAttestation }) {
2071
+ const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common18.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
3598
2072
  if (!issuer) {
3599
2073
  throw Error("No credential issuer supplied or deduced from offer");
3600
2074
  }
@@ -3603,39 +2077,39 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
3603
2077
  credentialIssuer: issuer,
3604
2078
  kid,
3605
2079
  alg,
3606
- // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
3607
- clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common24.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
2080
+ clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common18.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
3608
2081
  pkce: {
3609
2082
  disabled: false,
3610
- codeChallengeMethod: import_oid4vci_common24.CodeChallengeMethod.S256,
2083
+ codeChallengeMethod: import_oid4vci_common18.CodeChallengeMethod.S256,
3611
2084
  ...pkce
3612
2085
  },
3613
2086
  authorizationRequestOpts,
3614
2087
  authorizationCodeResponse,
3615
- accessToken,
3616
2088
  jwk,
3617
2089
  endpointMetadata,
3618
2090
  accessTokenResponse,
3619
- authorizationURL
2091
+ authorizationURL,
2092
+ keyAttestation
3620
2093
  };
3621
2094
  if (!this._state.authorizationRequestOpts) {
3622
2095
  this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
3623
2096
  }
3624
- logger13.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
2097
+ logger7.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
3625
2098
  }
3626
- static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
3627
- const client = new _OpenID4VCIClientV1_0_13({
2099
+ static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, keyAttestation }) {
2100
+ const client = new _OpenID4VCIClientV1_0_15({
3628
2101
  kid,
3629
2102
  alg,
3630
2103
  clientId: clientId ?? authorizationRequest?.clientId,
3631
2104
  credentialIssuer,
3632
2105
  pkce,
3633
- authorizationRequest
2106
+ authorizationRequest,
2107
+ keyAttestation
3634
2108
  });
3635
- if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
2109
+ if (retrieveServerMetadata !== false) {
3636
2110
  await client.retrieveServerMetadata();
3637
2111
  }
3638
- if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
2112
+ if (createAuthorizationRequestURL !== false) {
3639
2113
  await client.createAuthorizationRequestUrl({
3640
2114
  authorizationRequest,
3641
2115
  pkce
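Review bot: The rewritten guards `retrieveServerMetadata !== false` and `createAuthorizationRequestURL !== false` in fromCredentialIssuer are not equivalent to the removed `=== void 0 || value` test, because `null`, `0` and `""` used to skip the step and now trigger it. A caller that passed `null` to suppress the outbound metadata fetch will now make a network request to the issuer. If only an explicit `false` is meant to opt out, state that in the option's doc comment; otherwise keep `retrieveServerMetadata === void 0 || retrieveServerMetadata`. The same change is made in fromURI in the next hunk, and fromCredentialIssuer's body continues past the end of this hunk.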
@@ -3645,38 +2119,33 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
3645
2119
  }
3646
2120
  static async fromState({ state }) {
3647
2121
  const clientState = typeof state === "string" ? JSON.parse(state) : state;
3648
- return new _OpenID4VCIClientV1_0_13(clientState);
2122
+ return new _OpenID4VCIClientV1_0_15(clientState);
3649
2123
  }
3650
- static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri }) {
3651
- const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
2124
+ static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, keyAttestation }) {
2125
+ const credentialOfferClient = await CredentialOfferClientV1_0_15.fromURI(uri, {
3652
2126
  resolve: resolveOfferUri
3653
2127
  });
3654
- const client = new _OpenID4VCIClientV1_0_13({
2128
+ const client = new _OpenID4VCIClientV1_0_15({
3655
2129
  credentialOffer: credentialOfferClient,
3656
2130
  kid,
3657
2131
  alg,
3658
2132
  clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
3659
2133
  pkce,
3660
- authorizationRequest
2134
+ authorizationRequest,
2135
+ keyAttestation
3661
2136
  });
3662
- if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
2137
+ if (retrieveServerMetadata !== false) {
3663
2138
  await client.retrieveServerMetadata();
3664
2139
  }
3665
- if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common24.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
2140
+ if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common18.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && createAuthorizationRequestURL !== false) {
3666
2141
  await client.createAuthorizationRequestUrl({
3667
2142
  authorizationRequest,
3668
2143
  pkce
3669
2144
  });
3670
- logger13.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
2145
+ logger7.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
3671
2146
  }
3672
2147
  return client;
3673
2148
  }
3674
- /**
3675
- * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
3676
- *
3677
- * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
3678
- * @param opts
3679
- */
3680
2149
  async createAuthorizationRequestUrl(opts) {
3681
2150
  if (!this._state.authorizationURL) {
3682
2151
  this.calculatePKCEOpts(opts?.pkce);
@@ -3692,8 +2161,7 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
3692
2161
  endpointMetadata: this.endpointMetadata,
3693
2162
  authorizationRequest: this._state.authorizationRequestOpts,
3694
2163
  credentialOffer: this.credentialOffer,
3695
- credentialConfigurationSupported: this.getCredentialsSupported(),
3696
- version: this.version()
2164
+ credentialConfigurationSupported: this.getCredentialsSupported(false)
3697
2165
  });
3698
2166
  }
3699
2167
  return this._state.authorizationURL;
@@ -3702,15 +2170,34 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
3702
2170
  this.assertIssuerData();
3703
2171
  if (!this._state.endpointMetadata) {
3704
2172
  if (this.credentialOffer) {
3705
- this._state.endpointMetadata = await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
2173
+ this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
3706
2174
  } else if (this._state.credentialIssuer) {
3707
- this._state.endpointMetadata = await MetadataClientV1_0_13.retrieveAllMetadata(this._state.credentialIssuer);
2175
+ this._state.endpointMetadata = await MetadataClientV1_0_15.retrieveAllMetadata(this._state.credentialIssuer);
3708
2176
  } else {
3709
2177
  throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
3710
2178
  }
3711
2179
  }
3712
2180
  return this.endpointMetadata;
3713
2181
  }
2182
+ async acquireNonce() {
2183
+ const response = await acquireNonceFromAuthorizationServer({
2184
+ metadata: this.endpointMetadata,
2185
+ issuerOpts: {
2186
+ issuer: this.getIssuer(),
2187
+ fetchMetadata: false
2188
+ }
2189
+ });
2190
+ if (response.errorBody) {
2191
+ logger7.debug(`Nonce request error:\r
2192
+ ${JSON.stringify(response.errorBody)}`);
2193
+ return Promise.reject(Error(`Retrieving a nonce from ${this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint} for issuer ${this.getIssuer()} failed with error: ${response.errorBody.error}${response.errorBody.error_description ? ` - ${response.errorBody.error_description}` : ""}`));
2194
+ } else if (!response.successBody) {
2195
+ logger7.debug(`Nonce request error. No success body`);
2196
+ return Promise.reject(Error(`Retrieving a nonce from ${this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
2197
+ }
2198
+ this._state.cachedCNonce = response.successBody.c_nonce;
2199
+ return response.successBody.c_nonce;
2200
+ }
3714
2201
  calculatePKCEOpts(pkce) {
3715
2202
  this._state.pkce = generateMissingPKCEOpts({
3716
2203
  ...this._state.pkce,
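Review bot: acquireNonce caches and returns `response.successBody.c_nonce` without checking that it is a non-empty string, so a success body that lacks the field leaves `cachedCNonce` undefined and resolves to `undefined`. acquireCredentials later builds the proof with `c_nonce: this._state.cachedCNonce` either way, which would produce a proof that is not bound to any issuer nonce. A guard before the assignment closes this: `if (typeof response.successBody.c_nonce !== "string" || response.successBody.c_nonce.length === 0) return Promise.reject(Error("Nonce response did not contain a c_nonce"));`.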
@@ -3725,12 +2212,12 @@ var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
3725
2212
  ...opts
3726
2213
  });
3727
2214
  if (response.errorBody) {
3728
- logger13.debug(`Authorization code error:\r
2215
+ logger7.debug(`Authorization code error:\r
3729
2216
  ${JSON.stringify(response.errorBody)}`);
3730
2217
  const error = response.errorBody;
3731
2218
  return Promise.reject(error);
3732
2219
  } else if (!response.successBody) {
3733
- logger13.debug(`Authorization code error. No success body`);
2220
+ logger7.debug(`Authorization code error. No success body`);
3734
2221
  return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
3735
2222
  }
3736
2223
  return {
@@ -3802,16 +2289,19 @@ ${JSON.stringify(response.errorBody)}`);
3802
2289
  }
3803
2290
  });
3804
2291
  if (response.errorBody) {
3805
- logger13.debug(`Access token error:\r
2292
+ logger7.debug(`Access token error:\r
3806
2293
  ${JSON.stringify(response.errorBody)}`);
3807
2294
  throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
3808
2295
  } else if (!response.successBody) {
3809
- logger13.debug(`Access token error. No success body`);
2296
+ logger7.debug(`Access token error. No success body`);
3810
2297
  throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
3811
2298
  }
3812
2299
  this._state.accessTokenResponse = response.successBody;
3813
2300
  this._state.dpopResponseParams = response.params;
3814
2301
  this._state.accessToken = response.successBody.access_token;
2302
+ if (response.successBody.c_nonce) {
2303
+ this._state.cachedCNonce = response.successBody.c_nonce;
2304
+ }
3815
2305
  }
3816
2306
  return {
3817
2307
  ...this.accessTokenResponse,
@@ -3820,128 +2310,103 @@ ${JSON.stringify(response.errorBody)}`);
3820
2310
  }
3821
2311
  };
3822
2312
  }
3823
- async acquireCredentialsWithoutProof(args) {
3824
- return await this.acquireCredentialsImpl(args);
3825
- }
3826
- async acquireCredentials(args) {
3827
- return await this.acquireCredentialsImpl(args);
3828
- }
3829
- async acquireCredentialsImpl({ credentialIdentifier, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
2313
+ async acquireCredentials({ credentialIdentifier, credentialConfigurationId, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
3830
2314
  if ([
3831
2315
  jwk,
3832
2316
  kid
3833
2317
  ].filter((v) => v !== void 0).length > 1) {
3834
- throw new Error(import_oid4vci_common24.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
2318
+ throw new Error(import_oid4vci_common18.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
3835
2319
  }
3836
2320
  if (alg) this._state.alg = alg;
3837
2321
  if (jwk) this._state.jwk = jwk;
3838
2322
  if (kid) this._state.kid = kid;
3839
- const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
2323
+ const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
3840
2324
  credentialOffer: this.credentialOffer,
3841
2325
  metadata: this.endpointMetadata
3842
- }) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
2326
+ }) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
3843
2327
  credentialIssuer: this.getIssuer(),
2328
+ credentialTypes,
3844
2329
  credentialIdentifier,
2330
+ credentialConfigurationId,
3845
2331
  metadata: this.endpointMetadata,
3846
2332
  version: this.version()
3847
2333
  });
3848
- const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common24.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
2334
+ if (credentialIdentifier) {
2335
+ requestBuilder.withCredentialIdentifier(credentialIdentifier);
2336
+ } else if (credentialConfigurationId) {
2337
+ requestBuilder.withCredentialConfigurationId(credentialConfigurationId);
2338
+ }
2339
+ const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common18.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this._state.cachedCNonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
3849
2340
  requestBuilder.withIssuerState(issuerState);
3850
2341
  requestBuilder.withTokenFromResponse(this.accessTokenResponse);
3851
2342
  requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
3852
2343
  let subjectIssuance;
3853
2344
  if (this.endpointMetadata?.credentialIssuerMetadata) {
3854
2345
  const metadata = this.endpointMetadata.credentialIssuerMetadata;
3855
- const types = credentialTypes ? Array.isArray(credentialTypes) ? credentialTypes : [
3856
- credentialTypes
3857
- ] : void 0;
3858
- if (credentialIdentifier) {
3859
- if (typeof metadata.credential_configurations_supported !== "object") {
3860
- throw Error(`Credentials_supported should be an object, current ${typeof metadata.credential_configurations_supported} when credential_identifier is used`);
3861
- }
3862
- const credentialsSupported = metadata.credential_configurations_supported;
3863
- if (!credentialsSupported || !credentialsSupported[credentialIdentifier]) {
3864
- throw new Error(`Credential type ${credentialIdentifier} is not supported by issuer ${this.getIssuer()}`);
3865
- }
3866
- } else if (!types) {
3867
- throw Error(`If no credential_identifier is used, we expect types`);
3868
- } else if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
3869
- let typeSupported = false;
3870
- metadata.credentials_supported.forEach((supportedCredential) => {
3871
- const subTypes = (0, import_oid4vci_common24.getTypesFromCredentialSupported)(supportedCredential);
3872
- if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
3873
- typeSupported = true;
3874
- if (supportedCredential.credential_subject_issuance) {
2346
+ if (metadata.credential_configurations_supported) {
2347
+ const configId = credentialConfigurationId ?? credentialIdentifier;
2348
+ if (configId && metadata.credential_configurations_supported[configId]) {
2349
+ const config = metadata.credential_configurations_supported[configId];
2350
+ if (config.credential_subject_issuance) {
2351
+ const subjIssuance = config.credential_subject_issuance;
2352
+ if (subjIssuance.subject_proof_mode && subjIssuance.notification_events_supported) {
3875
2353
  subjectIssuance = {
3876
- credential_subject_issuance: supportedCredential.credential_subject_issuance
2354
+ credential_subject_issuance: {
2355
+ subject_proof_mode: subjIssuance.subject_proof_mode,
2356
+ notification_events_supported: subjIssuance.notification_events_supported
2357
+ }
3877
2358
  };
3878
2359
  }
3879
2360
  }
3880
- });
3881
- if (!typeSupported) {
3882
- console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
3883
- }
3884
- } else if (metadata.credential_configurations_supported && typeof metadata.credential_configurations_supported === "object") {
3885
- let typeSupported = false;
3886
- Object.values(metadata.credential_configurations_supported).forEach((supportedCredential) => {
3887
- const subTypes = (0, import_oid4vci_common24.getTypesFromCredentialSupported)(supportedCredential);
3888
- if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
3889
- typeSupported = true;
3890
- }
3891
- });
3892
- if (!typeSupported) {
3893
- throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
3894
2361
  }
3895
2362
  }
3896
2363
  }
3897
2364
  if (subjectIssuance) {
3898
2365
  requestBuilder.withSubjectIssuance(subjectIssuance);
3899
2366
  }
3900
- const credentialRequestClient = requestBuilder.build();
3901
- let proofBuilder;
3902
- if (proofCallbacks) {
3903
- proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
3904
- accessTokenResponse: this.accessTokenResponse,
3905
- callbacks: proofCallbacks,
3906
- version: this.version()
3907
- }).withIssuer(this.getIssuer()).withAlg(this.alg);
3908
- if (this._state.jwk) {
3909
- proofBuilder.withJWK(this._state.jwk);
3910
- }
3911
- if (this._state.kid) {
3912
- proofBuilder.withKid(this._state.kid);
3913
- }
3914
- if (this.clientId) {
3915
- proofBuilder.withClientId(this.clientId);
3916
- }
3917
- if (jti) {
3918
- proofBuilder.withJti(jti);
3919
- }
2367
+ const credentialRequestClient = requestBuilder.build();
2368
+ if (!this._state.cachedCNonce) {
2369
+ await this.acquireNonce();
2370
+ }
2371
+ const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
2372
+ accessTokenResponse: {
2373
+ ...this.accessTokenResponse,
2374
+ c_nonce: this._state.cachedCNonce
2375
+ },
2376
+ callbacks: proofCallbacks,
2377
+ version: this.version()
2378
+ }).withIssuer(this.getIssuer()).withAlg(this.alg);
2379
+ if (this._state.jwk) {
2380
+ proofBuilder.withJWK(this._state.jwk);
2381
+ }
2382
+ if (this._state.kid) {
2383
+ proofBuilder.withKid(this._state.kid);
2384
+ }
2385
+ if (this.clientId && (!this.credentialOffer || this.credentialOffer.supportedFlows.includes(import_oid4vci_common18.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && !this.credentialOffer.preAuthorizedCode)) {
2386
+ proofBuilder.withClientId(this.clientId);
2387
+ }
2388
+ if (jti) {
2389
+ proofBuilder.withJti(jti);
2390
+ }
2391
+ if (this._state.cachedCNonce) {
2392
+ proofBuilder.withAccessTokenNonce(this._state.cachedCNonce);
3920
2393
  }
3921
- const request = proofBuilder ? await credentialRequestClient.createCredentialRequest({
2394
+ const response = await credentialRequestClient.acquireCredentialsUsingProof({
3922
2395
  proofInput: proofBuilder,
3923
- credentialTypes,
3924
- context,
3925
- format,
3926
- version: this.version(),
3927
2396
  credentialIdentifier,
3928
- subjectIssuance
3929
- }) : await credentialRequestClient.createCredentialRequestWithoutProof({
3930
2397
  credentialTypes,
3931
2398
  context,
3932
2399
  format,
3933
- version: this.version(),
3934
- credentialIdentifier,
3935
- subjectIssuance
2400
+ subjectIssuance,
2401
+ createDPoPOpts
3936
2402
  });
3937
- const response = await credentialRequestClient.acquireCredentialsUsingRequest(request, createDPoPOpts);
3938
2403
  this._state.dpopResponseParams = response.params;
3939
2404
  if (response.errorBody) {
3940
- logger13.debug(`Credential request error:\r
2405
+ logger7.debug(`Credential request error:\r
3941
2406
  ${JSON.stringify(response.errorBody)}`);
3942
2407
  throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
3943
2408
  } else if (!response.successBody) {
3944
- logger13.debug(`Credential request error. No success body`);
2409
+ logger7.debug(`Credential request error. No success body`);
3945
2410
  throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
3946
2411
  }
3947
2412
  return {
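Review bot: `this._state.cachedCNonce` is put into the proof here but never cleared or refreshed after the credential request, so a second acquireCredentials call on the same client signs with the same c_nonce. Issuers commonly treat a c_nonce as single-use or short-lived, in which case the second request fails; an issuer that does accept it gets less replay protection than the nonce is meant to give. Adding `this._state.cachedCNonce = void 0;` directly after the `acquireCredentialsUsingProof` await would make the existing `if (!this._state.cachedCNonce)` guard fetch a fresh nonce next time. The hunk also drops the earlier check that the requested identifier exists in `credential_configurations_supported`, so an unknown id is now passed through silently. acquireCredentials continues past the end of this hunk.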
@@ -3955,59 +2420,44 @@ ${JSON.stringify(response.errorBody)}`);
3955
2420
  async exportState() {
3956
2421
  return JSON.stringify(this._state);
3957
2422
  }
3958
- getCredentialsSupported(format) {
3959
- return (0, import_oid4vci_common24.getSupportedCredentials)({
2423
+ getCredentialsSupported(restrictToInitiationTypes, format) {
2424
+ return (0, import_oid4vci_common18.getSupportedCredentials)({
3960
2425
  issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
3961
2426
  version: this.version(),
3962
2427
  format,
3963
- types: void 0
2428
+ types: restrictToInitiationTypes ? [
2429
+ this.getCredentialOfferConfigurationIds()
2430
+ ] : void 0
3964
2431
  });
3965
2432
  }
3966
2433
  async sendNotification(credentialRequestOpts, request, accessToken) {
3967
2434
  return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
3968
2435
  }
3969
- /* getCredentialOfferTypes(): string[][] {
2436
+ getCredentialOfferConfigurationIds() {
3970
2437
  if (!this.credentialOffer) {
3971
2438
  return [];
3972
- } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {
3973
- const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08;
3974
- const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type;
3975
- const result: string[][] = [];
3976
- result[0] = types;
3977
- return result;
3978
- } else {
3979
- return this.credentialOffer.credential_offer.credentials.map((c) => {
3980
- if (typeof c === 'string') {
3981
- return [c];
3982
- } else if ('types' in c) {
3983
- return c.types;
3984
- } else if ('vct' in c) {
3985
- return [c.vct];
3986
- } else {
3987
- return c.credential_definition.types;
3988
- }
3989
- });
3990
2439
  }
3991
- }*/
2440
+ return this.credentialOffer.credential_offer?.credential_configuration_ids ?? [];
2441
+ }
3992
2442
  issuerSupportedFlowTypes() {
3993
- return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
3994
- import_oid4vci_common24.AuthzFlowType.AUTHORIZATION_CODE_FLOW
2443
+ return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
2444
+ import_oid4vci_common18.AuthzFlowType.AUTHORIZATION_CODE_FLOW
3995
2445
  ] : []);
3996
2446
  }
3997
2447
  isFlowTypeSupported(flowType) {
3998
2448
  return this.issuerSupportedFlowTypes().includes(flowType);
3999
2449
  }
4000
- hasAuthorizationURL() {
4001
- return !!this.authorizationURL;
4002
- }
4003
2450
  get authorizationURL() {
4004
2451
  return this._state.authorizationURL;
4005
2452
  }
2453
+ hasAuthorizationURL() {
2454
+ return !!this.authorizationURL;
2455
+ }
4006
2456
  get credentialOffer() {
4007
2457
  return this._state.credentialOffer;
4008
2458
  }
4009
2459
  version() {
4010
- return this.credentialOffer?.version ?? import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13;
2460
+ return import_oid4vci_common18.OpenId4VCIVersion.VER_1_0_15;
4011
2461
  }
4012
2462
  get endpointMetadata() {
4013
2463
  this.assertServerMetadata();
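Review bot: getCredentialsSupported now takes `restrictToInitiationTypes` as its first positional parameter where the V1_0_13 class took `format`, so a caller migrated from the old signature that passes a format string will have it read as a truthy flag, with `format` left undefined. A doc comment on the method should spell out the new order, for example `/** @param {boolean} restrictToInitiationTypes limit to the offer's credential_configuration_ids; @param {string} [format] */`. It is also worth documenting on `version()` that it now always returns `VER_1_0_15` and no longer reflects `credentialOffer.version`.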
@@ -4043,13 +2493,16 @@ ${JSON.stringify(response.errorBody)}`);
4043
2493
  get dpopResponseParams() {
4044
2494
  return this._state.dpopResponseParams;
4045
2495
  }
2496
+ get state() {
2497
+ return this._state;
2498
+ }
4046
2499
  getIssuer() {
4047
2500
  this.assertIssuerData();
4048
2501
  return this._state.credentialIssuer;
4049
2502
  }
4050
2503
  getAccessTokenEndpoint() {
4051
2504
  this.assertIssuerData();
4052
- return this.endpointMetadata ? this.endpointMetadata.token_endpoint : AccessTokenClient.determineTokenURL({
2505
+ return this.endpointMetadata?.token_endpoint ?? AccessTokenClient.determineTokenURL({
4053
2506
  issuerOpts: {
4054
2507
  issuer: this.getIssuer()
4055
2508
  }
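Review bot: The new `state` getter hands out the live `_state` object, which per the assignments visible elsewhere in this diff holds `accessToken`, `accessTokenResponse` and the PKCE options, so any caller can mutate client internals or log the tokens by accident. Returning a shallow copy, `return { ...this._state };`, or at least a doc comment such as `/** Internal mutable state; contains access tokens, do not log or persist unprotected. */`, would make the contract explicit. In the same hunk, `this.endpointMetadata?.token_endpoint ?? …` reads through a getter that calls `assertServerMetadata()` first, so the `determineTokenURL` fallback probably applies only when metadata exists but lacks `token_endpoint`. That is worth confirming as intended.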
@@ -4057,34 +2510,30 @@ ${JSON.stringify(response.errorBody)}`);
4057
2510
  }
4058
2511
  getCredentialEndpoint() {
4059
2512
  this.assertIssuerData();
4060
- return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
2513
+ return this.endpointMetadata?.credential_endpoint ?? `${this.getIssuer()}/credential`;
2514
+ }
2515
+ getNonceEndpoint() {
2516
+ return this.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint;
2517
+ }
2518
+ hasNonceEndpoint() {
2519
+ return !!this.getNonceEndpoint();
2520
+ }
2521
+ getAuthorizationChallengeEndpoint() {
2522
+ this.assertIssuerData();
2523
+ return this.endpointMetadata?.authorization_challenge_endpoint;
2524
+ }
2525
+ hasAuthorizationChallengeEndpoint() {
2526
+ return !!this.getAuthorizationChallengeEndpoint();
4061
2527
  }
4062
2528
  hasDeferredCredentialEndpoint() {
4063
- return !!this.getAccessTokenEndpoint();
2529
+ return !!this.endpointMetadata?.deferred_credential_endpoint;
4064
2530
  }
4065
2531
  getDeferredCredentialEndpoint() {
4066
2532
  this.assertIssuerData();
4067
- return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
2533
+ return this.endpointMetadata?.deferred_credential_endpoint;
4068
2534
  }
4069
- /**
4070
- * Too bad we need a method like this, but EBSI is not exposing metadata
4071
- */
4072
2535
  isEBSI() {
4073
- const credentialOffer = this.credentialOffer?.credential_offer;
4074
- if (credentialOffer?.credential_configuration_ids) {
4075
- const credentialConfigurations = this.endpointMetadata.credentialIssuerMetadata?.credential_configurations_supported;
4076
- if (credentialConfigurations) {
4077
- const isEBSITrustFramework = credentialOffer.credential_configuration_ids.map((id) => credentialConfigurations[id]).filter((config) => (
4078
- // eslint-disable-next-line @typescript-eslint/ban-ts-comment
4079
- // @ts-ignore
4080
- config !== void 0 && "trust_framework" in config && "name" in config.trust_framework
4081
- )).some((config) => config.trust_framework.name.includes("ebsi"));
4082
- if (isEBSITrustFramework) {
4083
- return true;
4084
- }
4085
- }
4086
- }
4087
- return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
2536
+ return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata?.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
4088
2537
  }
4089
2538
  assertIssuerData() {
4090
2539
  if (!this._state.credentialIssuer) {
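Review bot: `isEBSI()` now decides only by substring matches such as `this.getIssuer().includes("ebsi")` and `this.clientId?.includes("ebsi")`, and both values can come from the credential offer or the issuer, so any issuer whose URL merely contains "ebsi" is classified as EBSI. If this flag selects a different protocol path (not visible here), the remote party effectively chooses it. Comparing the parsed hostname against the expected EBSI domain would be stricter than `includes`. The method also lost its explanatory comment, and a one-line `// EBSI does not expose metadata, so it is detected heuristically` would preserve the reason it exists.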
@@ -4104,13 +2553,20 @@ ${JSON.stringify(response.errorBody)}`);
4104
2553
  }
4105
2554
  }
4106
2555
  syncAuthorizationRequestOpts(opts) {
2556
+ const requestObjectOpts = {
2557
+ ...this._state?.authorizationRequestOpts?.requestObjectOpts,
2558
+ ...opts?.requestObjectOpts
2559
+ };
4107
2560
  let authorizationRequestOpts = {
4108
2561
  ...this._state?.authorizationRequestOpts,
4109
- ...opts
2562
+ ...opts,
2563
+ ...requestObjectOpts && {
2564
+ requestObjectOpts
2565
+ }
4110
2566
  };
4111
2567
  if (!authorizationRequestOpts) {
4112
2568
  authorizationRequestOpts = {
4113
- redirectUri: `${import_oid4vci_common24.DefaultURISchemes.CREDENTIAL_OFFER}://`
2569
+ redirectUri: `${import_oid4vci_common18.DefaultURISchemes.CREDENTIAL_OFFER}://`
4114
2570
  };
4115
2571
  }
4116
2572
  const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
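Review bot: The `...requestObjectOpts && { requestObjectOpts }` guard added to `syncAuthorizationRequestOpts` is always taken, because `requestObjectOpts` is built as an object literal a few lines above and is truthy even when both spreads contribute nothing. The merged options therefore always carry a `requestObjectOpts` key, possibly `{}`. If the key should appear only when something was supplied, test `Object.keys(requestObjectOpts).length > 0` instead. The second `syncAuthorizationRequestOpts` hunk further down repeats the same code. The function body continues past the end of this hunk.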
@@ -4121,7 +2577,7 @@ ${JSON.stringify(response.errorBody)}`);
4121
2577
  getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
4122
2578
  if (authorizationResponse) {
4123
2579
  this._state.authorizationCodeResponse = {
4124
- ...(0, import_oid4vci_common24.toAuthorizationResponsePayload)(authorizationResponse)
2580
+ ...(0, import_oid4vci_common18.toAuthorizationResponsePayload)(authorizationResponse)
4125
2581
  };
4126
2582
  } else if (code) {
4127
2583
  this._state.authorizationCodeResponse = {
@@ -4132,17 +2588,15 @@ ${JSON.stringify(response.errorBody)}`);
4132
2588
  }, "getAuthorizationCode");
4133
2589
  };
4134
2590
 
4135
- // lib/OpenID4VCIClientV1_0_11.ts
4136
- var import_oid4vci_common25 = require("@sphereon/oid4vci-common");
4137
- var import_ssi_types16 = require("@sphereon/ssi-types");
4138
- var logger14 = import_ssi_types16.Loggers.DEFAULT.get("sphereon:oid4vci");
4139
- var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
2591
+ // lib/OpenID4VCIClient.ts
2592
+ var logger8 = import_ssi_types10.Loggers.DEFAULT.get("sphereon:oid4vci");
2593
+ var OpenID4VCIClient = class _OpenID4VCIClient {
4140
2594
  static {
4141
- __name(this, "OpenID4VCIClientV1_0_11");
2595
+ __name(this, "OpenID4VCIClient");
4142
2596
  }
4143
2597
  _state;
4144
- constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
4145
- const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common25.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
2598
+ constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
2599
+ const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common19.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
4146
2600
  if (!issuer) {
4147
2601
  throw Error("No credential issuer supplied or deduced from offer");
4148
2602
  }
@@ -4152,14 +2606,15 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4152
2606
  kid,
4153
2607
  alg,
4154
2608
  // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
4155
- clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common25.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
2609
+ clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common19.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
4156
2610
  pkce: {
4157
2611
  disabled: false,
4158
- codeChallengeMethod: import_oid4vci_common25.CodeChallengeMethod.S256,
2612
+ codeChallengeMethod: import_oid4vci_common19.CodeChallengeMethod.S256,
4159
2613
  ...pkce
4160
2614
  },
4161
2615
  authorizationRequestOpts,
4162
2616
  authorizationCodeResponse,
2617
+ accessToken,
4163
2618
  jwk,
4164
2619
  endpointMetadata,
4165
2620
  accessTokenResponse,
@@ -4168,16 +2623,17 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4168
2623
  if (!this._state.authorizationRequestOpts) {
4169
2624
  this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
4170
2625
  }
4171
- logger14.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
2626
+ logger8.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
4172
2627
  }
4173
- static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
4174
- const client = new _OpenID4VCIClientV1_0_11({
2628
+ static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
2629
+ const client = new _OpenID4VCIClient({
4175
2630
  kid,
4176
2631
  alg,
4177
2632
  clientId: clientId ?? authorizationRequest?.clientId,
4178
2633
  credentialIssuer,
4179
2634
  pkce,
4180
- authorizationRequest
2635
+ authorizationRequest,
2636
+ endpointMetadata
4181
2637
  });
4182
2638
  if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
4183
2639
  await client.retrieveServerMetadata();
@@ -4192,29 +2648,30 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4192
2648
  }
4193
2649
  static async fromState({ state }) {
4194
2650
  const clientState = typeof state === "string" ? JSON.parse(state) : state;
4195
- return new _OpenID4VCIClientV1_0_11(clientState);
2651
+ return new _OpenID4VCIClient(clientState);
4196
2652
  }
4197
- static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri }) {
4198
- const credentialOfferClient = await CredentialOfferClientV1_0_11.fromURI(uri, {
2653
+ static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, endpointMetadata }) {
2654
+ const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
4199
2655
  resolve: resolveOfferUri
4200
2656
  });
4201
- const client = new _OpenID4VCIClientV1_0_11({
2657
+ const client = new _OpenID4VCIClient({
4202
2658
  credentialOffer: credentialOfferClient,
4203
2659
  kid,
4204
2660
  alg,
4205
2661
  clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
4206
2662
  pkce,
4207
- authorizationRequest
2663
+ authorizationRequest,
2664
+ endpointMetadata
4208
2665
  });
4209
2666
  if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
4210
2667
  await client.retrieveServerMetadata();
4211
2668
  }
4212
- if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common25.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
2669
+ if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common19.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
4213
2670
  await client.createAuthorizationRequestUrl({
4214
2671
  authorizationRequest,
4215
2672
  pkce
4216
2673
  });
4217
- logger14.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
2674
+ logger8.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
4218
2675
  }
4219
2676
  return client;
4220
2677
  }
@@ -4234,12 +2691,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4234
2691
  if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
4235
2692
  this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
4236
2693
  }
4237
- this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
2694
+ this._state.authorizationURL = await createAuthorizationRequestUrl({
4238
2695
  pkce: this._state.pkce,
4239
2696
  endpointMetadata: this.endpointMetadata,
4240
2697
  authorizationRequest: this._state.authorizationRequestOpts,
4241
2698
  credentialOffer: this.credentialOffer,
4242
- credentialsSupported: Object.values(this.getCredentialsSupported())
2699
+ credentialConfigurationSupported: this.getCredentialsSupported()
4243
2700
  });
4244
2701
  }
4245
2702
  return this._state.authorizationURL;
@@ -4248,9 +2705,9 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4248
2705
  this.assertIssuerData();
4249
2706
  if (!this._state.endpointMetadata) {
4250
2707
  if (this.credentialOffer) {
4251
- this._state.endpointMetadata = await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
2708
+ this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
4252
2709
  } else if (this._state.credentialIssuer) {
4253
- this._state.endpointMetadata = await MetadataClientV1_0_11.retrieveAllMetadata(this._state.credentialIssuer);
2710
+ this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
4254
2711
  } else {
4255
2712
  throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
4256
2713
  }
@@ -4271,12 +2728,12 @@ var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
4271
2728
  ...opts
4272
2729
  });
4273
2730
  if (response.errorBody) {
4274
- logger14.debug(`Authorization code error:\r
2731
+ logger8.debug(`Authorization code error:\r
4275
2732
  ${JSON.stringify(response.errorBody)}`);
4276
2733
  const error = response.errorBody;
4277
2734
  return Promise.reject(error);
4278
2735
  } else if (!response.successBody) {
4279
- logger14.debug(`Authorization code error. No success body`);
2736
+ logger8.debug(`Authorization code error. No success body`);
4280
2737
  return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
4281
2738
  }
4282
2739
  return {
@@ -4294,6 +2751,24 @@ ${JSON.stringify(response.errorBody)}`);
4294
2751
  const asOpts = {
4295
2752
  ...opts?.asOpts
4296
2753
  };
2754
+ const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
2755
+ const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
2756
+ if (this.isEBSI() || clientId && kid) {
2757
+ if (!clientId) {
2758
+ throw Error(`Client id expected for EBSI`);
2759
+ }
2760
+ asOpts.clientOpts = {
2761
+ ...asOpts.clientOpts,
2762
+ clientId,
2763
+ ...kid && {
2764
+ kid
2765
+ },
2766
+ ...clientAssertionType && {
2767
+ clientAssertionType
2768
+ },
2769
+ signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
2770
+ };
2771
+ }
4297
2772
  if (clientId) {
4298
2773
  this._state.clientId = clientId;
4299
2774
  if (!asOpts.clientOpts) {
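Review bot: `clientAssertionType` is derived only from `asOpts.clientOpts?.signCallbacks`, while the `signCallbacks` assigned a few lines later falls back to `this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks`. When the callbacks come from that fallback, `clientOpts` ends up with a `kid` and signing callbacks but no assertion type, which looks unintended. Resolving the callbacks once, `const signCallbacks = asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks;`, and using that value in both places would keep the two in step. Separately, `isEBSI()` is a substring match on the issuer, client id and kid, so strings that can originate from the credential offer help decide whether signing material is attached here; a comment recording that assumption would help the next reader. The enclosing method starts and ends outside the hunk.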
@@ -4304,31 +2779,13 @@ ${JSON.stringify(response.errorBody)}`);
4304
2779
  asOpts.clientOpts.clientId = clientId;
4305
2780
  }
4306
2781
  if (!this._state.accessTokenResponse) {
4307
- const accessTokenClient = new AccessTokenClientV1_0_11();
2782
+ const accessTokenClient = new AccessTokenClient();
4308
2783
  if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
4309
2784
  console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
4310
2785
  }
4311
2786
  if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
4312
2787
  redirectUri = this._state.authorizationRequestOpts.redirectUri;
4313
2788
  }
4314
- const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
4315
- const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
4316
- if (this.isEBSI() || clientId && kid) {
4317
- if (!clientId) {
4318
- throw Error(`Client id expected for EBSI`);
4319
- }
4320
- asOpts.clientOpts = {
4321
- ...asOpts.clientOpts,
4322
- clientId,
4323
- ...kid && {
4324
- kid
4325
- },
4326
- ...clientAssertionType && {
4327
- clientAssertionType
4328
- },
4329
- signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
4330
- };
4331
- }
4332
2789
  const response = await accessTokenClient.acquireAccessToken({
4333
2790
  credentialOffer: this.credentialOffer,
4334
2791
  metadata: this.endpointMetadata,
@@ -4348,16 +2805,19 @@ ${JSON.stringify(response.errorBody)}`);
4348
2805
  }
4349
2806
  });
4350
2807
  if (response.errorBody) {
4351
- logger14.debug(`Access token error:\r
2808
+ logger8.debug(`Access token error:\r
4352
2809
  ${JSON.stringify(response.errorBody)}`);
4353
2810
  throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
4354
2811
  } else if (!response.successBody) {
4355
- logger14.debug(`Access token error. No success body`);
2812
+ logger8.debug(`Access token error. No success body`);
4356
2813
  throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
4357
2814
  }
4358
2815
  this._state.accessTokenResponse = response.successBody;
4359
2816
  this._state.dpopResponseParams = response.params;
4360
2817
  this._state.accessToken = response.successBody.access_token;
2818
+ if (response.successBody.c_nonce) {
2819
+ this._state.cachedCNonce = response.successBody.c_nonce;
2820
+ }
4361
2821
  }
4362
2822
  return {
4363
2823
  ...this.accessTokenResponse,
@@ -4371,22 +2831,34 @@ ${JSON.stringify(response.errorBody)}`);
4371
2831
  jwk,
4372
2832
  kid
4373
2833
  ].filter((v) => v !== void 0).length > 1) {
4374
- throw new Error(import_oid4vci_common25.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
2834
+ throw new Error(import_oid4vci_common19.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
4375
2835
  }
4376
2836
  if (alg) this._state.alg = alg;
4377
2837
  if (jwk) this._state.jwk = jwk;
4378
2838
  if (kid) this._state.kid = kid;
4379
- const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
2839
+ if (this.version() === import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_15 && this.hasNonceEndpoint()) {
2840
+ if (!this._state.cachedCNonce) {
2841
+ try {
2842
+ await this.acquireNonceViaV15Delegate();
2843
+ } catch (e) {
2844
+ return Promise.reject(Error(`failed to acquire nonce: ${String(e)}`));
2845
+ }
2846
+ }
2847
+ }
2848
+ let requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
4380
2849
  credentialOffer: this.credentialOffer,
4381
2850
  metadata: this.endpointMetadata
4382
- }) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
2851
+ }) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
4383
2852
  credentialIssuer: this.getIssuer(),
4384
2853
  credentialTypes,
4385
2854
  metadata: this.endpointMetadata,
4386
2855
  version: this.version()
4387
2856
  });
2857
+ const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common19.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
2858
+ requestBuilder.withIssuerState(issuerState);
4388
2859
  requestBuilder.withTokenFromResponse(this.accessTokenResponse);
4389
2860
  requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
2861
+ let subjectIssuance;
4390
2862
  if (this.endpointMetadata?.credentialIssuerMetadata) {
4391
2863
  const metadata = this.endpointMetadata.credentialIssuerMetadata;
4392
2864
  const types = Array.isArray(credentialTypes) ? credentialTypes : [
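Review bot: The nonce pre-fetch reports failure with `return Promise.reject(Error(`failed to acquire nonce: ${String(e)}`))`, which flattens the original error to a string and drops its stack and any `status` or `response` fields. Inside an async method a plain `throw` is the more usual form, and keeping the original as the cause preserves the detail: `throw new Error("failed to acquire nonce", { cause: e });`. The method mixes both styles, since the key-material check above uses `throw`. The method starts above this hunk and continues below it.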
@@ -4395,9 +2867,14 @@ ${JSON.stringify(response.errorBody)}`);
4395
2867
  if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
4396
2868
  let typeSupported = false;
4397
2869
  metadata.credentials_supported.forEach((supportedCredential) => {
4398
- const subTypes = (0, import_oid4vci_common25.getTypesFromCredentialSupported)(supportedCredential);
2870
+ const subTypes = (0, import_oid4vci_common19.getTypesFromCredentialSupported)(supportedCredential);
4399
2871
  if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
4400
2872
  typeSupported = true;
2873
+ if (supportedCredential.credential_subject_issuance) {
2874
+ subjectIssuance = {
2875
+ credential_subject_issuance: supportedCredential.credential_subject_issuance
2876
+ };
2877
+ }
4401
2878
  }
4402
2879
  });
4403
2880
  if (!typeSupported) {
@@ -4410,89 +2887,124 @@ ${JSON.stringify(response.errorBody)}`);
4410
2887
  }
4411
2888
  }
4412
2889
  }
4413
- const credentialRequestClient = requestBuilder.build();
4414
- const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
4415
- accessTokenResponse: this.accessTokenResponse,
4416
- callbacks: proofCallbacks,
4417
- version: this.version()
4418
- }).withIssuer(this.getIssuer()).withAlg(this.alg);
4419
- if (this._state.jwk) {
4420
- proofBuilder.withJWK(this._state.jwk);
4421
- }
4422
- if (this._state.kid) {
4423
- proofBuilder.withKid(this._state.kid);
4424
- }
4425
- if (this.clientId) {
4426
- proofBuilder.withClientId(this.clientId);
4427
- }
4428
- if (jti) {
4429
- proofBuilder.withJti(jti);
2890
+ if (subjectIssuance) {
2891
+ requestBuilder.withSubjectIssuance(subjectIssuance);
4430
2892
  }
4431
- const response = await credentialRequestClient.acquireCredentialsUsingProof({
4432
- proofInput: proofBuilder,
4433
- credentialTypes,
4434
- context,
4435
- format,
4436
- createDPoPOpts
4437
- });
4438
- this._state.dpopResponseParams = response.params;
4439
- if (response.errorBody) {
4440
- logger14.debug(`Credential request error:\r
2893
+ const credentialRequestClient = requestBuilder.build();
2894
+ try {
2895
+ const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
2896
+ accessTokenResponse: this.accessTokenResponse,
2897
+ callbacks: proofCallbacks,
2898
+ version: this.version()
2899
+ }).withIssuer(this.getIssuer()).withAlg(this.alg);
2900
+ if (this._state.jwk) {
2901
+ proofBuilder.withJWK(this._state.jwk);
2902
+ }
2903
+ if (this._state.kid) {
2904
+ proofBuilder.withKid(this._state.kid);
2905
+ }
2906
+ if (this.clientId && (!this.credentialOffer || this.credentialOffer.supportedFlows.includes(import_oid4vci_common19.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && !this.credentialOffer.preAuthorizedCode)) {
2907
+ proofBuilder.withClientId(this.clientId);
2908
+ }
2909
+ if (jti) {
2910
+ proofBuilder.withJti(jti);
2911
+ }
2912
+ if ("cachedCNonce" in this._state && this._state.cachedCNonce) {
2913
+ proofBuilder.withAccessTokenNonce(this._state.cachedCNonce);
2914
+ }
2915
+ const response = await credentialRequestClient.acquireCredentialsUsingProof({
2916
+ proofInput: proofBuilder,
2917
+ credentialTypes,
2918
+ context,
2919
+ format,
2920
+ subjectIssuance,
2921
+ createDPoPOpts
2922
+ });
2923
+ this._state.dpopResponseParams = response.params;
2924
+ if (response.errorBody) {
2925
+ logger8.debug(`Credential request error:\r
4441
2926
  ${JSON.stringify(response.errorBody)}`);
4442
- throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
4443
- } else if (!response.successBody) {
4444
- logger14.debug(`Credential request error. No success body`);
4445
- throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
4446
- }
4447
- return {
4448
- ...response.successBody,
4449
- ...this.dpopResponseParams && {
4450
- params: this.dpopResponseParams
2927
+ throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
2928
+ } else if (!response.successBody) {
2929
+ logger8.debug(`Credential request error. No success body`);
2930
+ throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
4451
2931
  }
4452
- };
2932
+ return {
2933
+ ...response.successBody,
2934
+ ...this.dpopResponseParams && {
2935
+ params: this.dpopResponseParams
2936
+ },
2937
+ access_token: response.access_token
2938
+ };
2939
+ } catch (e) {
2940
+ if (!this.shouldRetryWithFreshNonce(e)) {
2941
+ return Promise.reject(e instanceof Error ? e : Error(String(e)));
2942
+ }
2943
+ this._state.cachedCNonce = void 0;
2944
+ try {
2945
+ await this.acquireNonceViaV15Delegate();
2946
+ } catch (e2) {
2947
+ return Promise.reject(Error(`retry nonce fetch failed: ${String(e2)}`));
2948
+ }
2949
+ const proofBuilder2 = ProofOfPossessionBuilder.fromAccessTokenResponse({
2950
+ accessTokenResponse: this.accessTokenResponse,
2951
+ callbacks: proofCallbacks,
2952
+ version: this.version()
2953
+ }).withIssuer(this.getIssuer()).withAlg(this.alg);
2954
+ if (this._state.jwk) {
2955
+ proofBuilder2.withJWK(this._state.jwk);
2956
+ }
2957
+ if (this._state.kid) {
2958
+ proofBuilder2.withKid(this._state.kid);
2959
+ }
2960
+ if (this.clientId) {
2961
+ proofBuilder2.withClientId(this.clientId);
2962
+ }
2963
+ if (jti) {
2964
+ proofBuilder2.withJti(jti);
2965
+ }
2966
+ const response2 = await credentialRequestClient.acquireCredentialsUsingProof({
2967
+ proofInput: proofBuilder2,
2968
+ credentialTypes,
2969
+ context,
2970
+ format,
2971
+ subjectIssuance,
2972
+ createDPoPOpts
2973
+ });
2974
+ this._state.dpopResponseParams = response2.params;
2975
+ if (response2.errorBody) {
2976
+ logger8.debug(`Credential request error (after retry):\r
2977
+ ${JSON.stringify(response2.errorBody)}`);
2978
+ return Promise.reject(Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed after retry with status: ${response2.origResponse.status}`));
2979
+ } else if (!response2.successBody) {
2980
+ logger8.debug(`Credential request error after retry. No success body`);
2981
+ return Promise.reject(Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed after retry as there was no success response body`));
2982
+ }
2983
+ return {
2984
+ ...response2.successBody,
2985
+ ...this.dpopResponseParams && {
2986
+ params: this.dpopResponseParams
2987
+ },
2988
+ access_token: response2.access_token
2989
+ };
2990
+ }
4453
2991
  }
4454
2992
  async exportState() {
4455
2993
  return JSON.stringify(this._state);
4456
2994
  }
4457
- // FIXME: We really should convert <v11 to v12 objects first. Right now the logic doesn't map nicely and is brittle.
4458
- // We should resolve IDs to objects first in case of strings.
4459
- // When < v11 convert into a v12 object. When v12 object retain it.
4460
- // Then match the object array on server metadata
4461
- getCredentialsSupportedV11(restrictToInitiationTypes, format) {
4462
- return (0, import_oid4vci_common25.getSupportedCredentials)({
4463
- issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
4464
- version: this.version(),
4465
- format,
4466
- types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
4467
- });
4468
- }
4469
2995
  getCredentialsSupported(format) {
4470
- return (0, import_oid4vci_common25.getSupportedCredentials)({
2996
+ return (0, import_oid4vci_common19.getSupportedCredentials)({
4471
2997
  issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
4472
2998
  version: this.version(),
4473
- format,
4474
- types: void 0
2999
+ format
4475
3000
  });
4476
3001
  }
4477
- getCredentialOfferTypes() {
4478
- if (!this.credentialOffer) {
4479
- return [];
4480
- } else if (this.credentialOffer.version < import_oid4vci_common25.OpenId4VCIVersion.VER_1_0_11) {
4481
- const orig = this.credentialOffer.original_credential_offer;
4482
- const types = typeof orig.credential_type === "string" ? [
4483
- orig.credential_type
4484
- ] : orig.credential_type;
4485
- const result = [];
4486
- result[0] = types;
4487
- return result;
4488
- } else if (this.credentialOffer.version < import_oid4vci_common25.OpenId4VCIVersion.VER_1_0_13) {
4489
- return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common25.getTypesFromObject)(c) ?? []);
4490
- }
4491
- throw Error(`This class only supports version 11 and lower! Version: ${this.version()}`);
3002
+ async sendNotification(credentialRequestOpts, request, accessToken) {
3003
+ return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
4492
3004
  }
4493
3005
  issuerSupportedFlowTypes() {
4494
- return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
4495
- import_oid4vci_common25.AuthzFlowType.AUTHORIZATION_CODE_FLOW
3006
+ return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
3007
+ import_oid4vci_common19.AuthzFlowType.AUTHORIZATION_CODE_FLOW
4496
3008
  ] : []);
4497
3009
  }
4498
3010
  isFlowTypeSupported(flowType) {
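Review bot: The retry branch in the `catch` never hands the freshly fetched nonce to the proof: `proofBuilder2` is built like the first attempt but without the `withAccessTokenNonce(this._state.cachedCNonce)` call, so the second proof presumably carries whatever nonce `fromAccessTokenResponse` picks up rather than the one `acquireNonceViaV15Delegate()` just stored. Adding `if (this._state.cachedCNonce) proofBuilder2.withAccessTokenNonce(this._state.cachedCNonce);` before the second `acquireCredentialsUsingProof` call would close that gap. The retry also calls `withClientId` whenever `this.clientId` is set, while the first attempt skips it for pre-authorized offers; both attempts should use the same condition. The errors thrown inside the `try` for `response.errorBody` carry no `status` or `response`, so `shouldRetryWithFreshNonce(e)` will likely return false for them; it is worth confirming which failures are meant to trigger the retry. The method begins above this hunk.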
@@ -4508,7 +3020,17 @@ ${JSON.stringify(response.errorBody)}`);
4508
3020
  return this._state.credentialOffer;
4509
3021
  }
4510
3022
  version() {
4511
- return this.credentialOffer?.version ?? import_oid4vci_common25.OpenId4VCIVersion.VER_1_0_11;
3023
+ if (this.credentialOffer?.version && this.credentialOffer.version !== import_oid4vci_common19.OpenId4VCIVersion.VER_UNKNOWN) {
3024
+ return this.credentialOffer.version;
3025
+ }
3026
+ const metadata = this._state.endpointMetadata;
3027
+ if (metadata?.credentialIssuerMetadata) {
3028
+ const versions = (0, import_oid4vci_common19.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
3029
+ if (versions.length > 0 && !versions.includes(import_oid4vci_common19.OpenId4VCIVersion.VER_UNKNOWN)) {
3030
+ return versions[0];
3031
+ }
3032
+ }
3033
+ return import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_15;
4512
3034
  }
4513
3035
  get endpointMetadata() {
4514
3036
  this.assertServerMetadata();
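Review bot: `version()` now has three sources with an implicit precedence, and nothing in the method says so: the offer's version, then `versions[0]` from `determineVersionsFromIssuerMetadata`, then a default that changed from `VER_1_0_11` to `VER_1_0_15`. The middle step takes the first entry of a list computed from issuer-supplied metadata, so the result depends on the order that helper returns. A short doc comment on the method should state the precedence, what the order of `versions` means, and that the fallback is `VER_1_0_15`. Callers that relied on the old default for issuers without metadata will now build version 15 requests.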
@@ -4550,7 +3072,10 @@ ${JSON.stringify(response.errorBody)}`);
4550
3072
  }
4551
3073
  getAccessTokenEndpoint() {
4552
3074
  this.assertIssuerData();
4553
- return this.endpointMetadata ? this.endpointMetadata.token_endpoint : AccessTokenClientV1_0_11.determineTokenURL({
3075
+ if (this.endpointMetadata) {
3076
+ return this.endpointMetadata.token_endpoint;
3077
+ }
3078
+ return AccessTokenClient.determineTokenURL({
4554
3079
  issuerOpts: {
4555
3080
  issuer: this.getIssuer()
4556
3081
  }
@@ -4560,6 +3085,13 @@ ${JSON.stringify(response.errorBody)}`);
4560
3085
  this.assertIssuerData();
4561
3086
  return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
4562
3087
  }
3088
+ getAuthorizationChallengeEndpoint() {
3089
+ this.assertIssuerData();
3090
+ return this.endpointMetadata?.authorization_challenge_endpoint;
3091
+ }
3092
+ hasAuthorizationChallengeEndpoint() {
3093
+ return !!this.getAuthorizationChallengeEndpoint();
3094
+ }
4563
3095
  hasDeferredCredentialEndpoint() {
4564
3096
  return !!this.getAccessTokenEndpoint();
4565
3097
  }
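Review bot: `hasDeferredCredentialEndpoint()` in the context lines of this hunk still returns `!!this.getAccessTokenEndpoint()`, so it reports a deferred endpoint whenever a token endpoint resolves. The same method in the class earlier in this file was changed in this release to `return !!this.endpointMetadata?.deferred_credential_endpoint;`, and this copy should get the same line. The new `hasAuthorizationChallengeEndpoint()` directly above already follows the corrected pattern of checking its own endpoint.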
@@ -4571,13 +3103,6 @@ ${JSON.stringify(response.errorBody)}`);
4571
3103
  * Too bad we need a method like this, but EBSI is not exposing metadata
4572
3104
  */
4573
3105
  isEBSI() {
4574
- if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
4575
- // eslint-disable-next-line @typescript-eslint/ban-ts-comment
4576
- // @ts-ignore
4577
- typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
4578
- ))) {
4579
- return true;
4580
- }
4581
3106
  return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
4582
3107
  }
4583
3108
  assertIssuerData() {
@@ -4598,13 +3123,20 @@ ${JSON.stringify(response.errorBody)}`);
4598
3123
  }
4599
3124
  }
4600
3125
  syncAuthorizationRequestOpts(opts) {
3126
+ const requestObjectOpts = {
3127
+ ...this._state?.authorizationRequestOpts?.requestObjectOpts,
3128
+ ...opts?.requestObjectOpts
3129
+ };
4601
3130
  let authorizationRequestOpts = {
4602
3131
  ...this._state?.authorizationRequestOpts,
4603
- ...opts
3132
+ ...opts,
3133
+ ...requestObjectOpts && {
3134
+ requestObjectOpts
3135
+ }
4604
3136
  };
4605
3137
  if (!authorizationRequestOpts) {
4606
3138
  authorizationRequestOpts = {
4607
- redirectUri: `${import_oid4vci_common25.DefaultURISchemes.CREDENTIAL_OFFER}://`
3139
+ redirectUri: `${import_oid4vci_common19.DefaultURISchemes.CREDENTIAL_OFFER}://`
4608
3140
  };
4609
3141
  }
4610
3142
  const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
@@ -4615,7 +3147,7 @@ ${JSON.stringify(response.errorBody)}`);
4615
3147
  getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
4616
3148
  if (authorizationResponse) {
4617
3149
  this._state.authorizationCodeResponse = {
4618
- ...(0, import_oid4vci_common25.toAuthorizationResponsePayload)(authorizationResponse)
3150
+ ...(0, import_oid4vci_common19.toAuthorizationResponsePayload)(authorizationResponse)
4619
3151
  };
4620
3152
  } else if (code) {
4621
3153
  this._state.authorizationCodeResponse = {
@@ -4624,8 +3156,54 @@ ${JSON.stringify(response.errorBody)}`);
4624
3156
  }
4625
3157
  return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
4626
3158
  }, "getAuthorizationCode");
3159
+ hasNonceEndpoint() {
3160
+ const endpoint = this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint;
3161
+ return typeof endpoint === "string" && endpoint.length > 0;
3162
+ }
3163
+ async acquireNonceViaV15Delegate() {
3164
+ const state = this._state;
3165
+ let v15Client;
3166
+ try {
3167
+ v15Client = await OpenID4VCIClientV1_0_15.fromState({
3168
+ state
3169
+ });
3170
+ } catch (e) {
3171
+ return Promise.reject(Error(`failed to init v15 delegate for nonce: ${String(e)}`));
3172
+ }
3173
+ try {
3174
+ await v15Client.acquireNonce();
3175
+ } catch (e) {
3176
+ return Promise.reject(Error(`nonce request failed: ${String(e)}`));
3177
+ }
3178
+ state.cachedCNonce = v15Client.state.cachedCNonce;
3179
+ }
3180
+ shouldRetryWithFreshNonce(err) {
3181
+ if (!this.hasNonceEndpoint() && this.version() !== import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_15) {
3182
+ return false;
3183
+ }
3184
+ const status = err?.response?.status ?? err?.status;
3185
+ const body = err?.response?.data ?? err?.data ?? void 0;
3186
+ const error = typeof body?.error === "string" ? body.error : void 0;
3187
+ const desc = typeof body?.error_description === "string" ? body.error_description : void 0;
3188
+ const text = [
3189
+ error,
3190
+ desc
3191
+ ].filter(Boolean).join(" ").toLowerCase();
3192
+ if (status === 400 || status === 401 || status === 403) {
3193
+ if (text.includes("nonce") || text.includes("c_nonce")) {
3194
+ return true;
3195
+ }
3196
+ if (text.includes("proof") && (text.includes("invalid") || text.includes("expired"))) {
3197
+ return true;
3198
+ }
3199
+ if (error === "invalid_proof" || error === "invalid_request") {
3200
+ return true;
3201
+ }
3202
+ }
3203
+ return false;
3204
+ }
4627
3205
  };
4628
3206
 
4629
3207
  // lib/index.ts
4630
- var LOG2 = import_oid4vci_common26.VCI_LOGGERS.get("sphereon:oid4vci:client");
3208
+ var LOG2 = import_oid4vci_common20.VCI_LOGGERS.get("sphereon:oid4vci:client");
4631
3209
  //# sourceMappingURL=index.cjs.map
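Review bot: In `shouldRetryWithFreshNonce`, the branch `error === "invalid_proof" || error === "invalid_request"` treats every `invalid_request` on a 400/401/403 as a stale-nonce signal, so a request rejected for reasons unrelated to the nonce still causes a new proof to be signed and sent. The substring tests on `error_description` widen this further, since that text is free-form and chosen by the issuer, and `text.includes("c_nonce")` can never match anything that `text.includes("nonce")` does not. I would key the decision on the error code, e.g. `if (error === "invalid_nonce" || error === "invalid_proof") {`, and keep the description match only as a commented fallback for non-conformant issuers. The caller that performs the retry is outside this hunk, so it is worth confirming there that the retry happens at most once per credential request. As this file is bundled output, the change belongs in the TypeScript source under `lib/`.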