@sphereon/oid4vci-client 0.2.0 → 0.4.1-next.285

package/lib/__tests__/OpenID4VCIClient.spec.ts

@@ -0,0 +1,166 @@
+import { AuthzFlowType, CodeChallengeMethod } from '@sphereon/oid4vci-common';
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+// @ts-ignore
+import nock from 'nock';
+
+import { OpenID4VCIClient } from '../OpenID4VCIClient';
+
+const MOCK_URL = 'https://server.example.com/';
+
+describe('OpenID4VCIClient should', () => {
+  let client: OpenID4VCIClient;
+
+  beforeEach(async () => {
+    nock(MOCK_URL).get(/.*/).reply(200, {});
+    client = await OpenID4VCIClient.fromURI({
+      uri: 'openid-initiate-issuance://?issuer=https://server.example.com&credential_type=TestCredential',
+      flowType: AuthzFlowType.AUTHORIZATION_CODE_FLOW,
+    });
+  });
+
+  afterEach(() => {
+    nock.cleanAll();
+  });
+
+  it('should create successfully construct an authorization request url', async () => {
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    client._endpointMetadata?.issuerMetadata.authorization_endpoint = `${MOCK_URL}v1/auth/authorize`;
+    const url = client.createAuthorizationRequestUrl({
+      clientId: 'test-client',
+      codeChallengeMethod: CodeChallengeMethod.SHA256,
+      codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+      scope: 'openid TestCredential',
+      redirectUri: 'http://localhost:8881/cb',
+    });
+
+    const urlSearchParams = new URLSearchParams(url.split('?')[1]);
+    const scope = urlSearchParams.get('scope')?.split(' ');
+
+    expect(scope?.[0]).toBe('openid');
+  });
+  it('throw an error if authorization endpoint is not set in server metadata', async () => {
+    expect(() => {
+      client.createAuthorizationRequestUrl({
+        clientId: 'test-client',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        scope: 'openid TestCredential',
+        redirectUri: 'http://localhost:8881/cb',
+      });
+    }).toThrow(Error('Server metadata does not contain authorization endpoint'));
+  });
+  it("injects 'openid' as the first scope if not provided", async () => {
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    client._endpointMetadata?.issuerMetadata.authorization_endpoint = `${MOCK_URL}v1/auth/authorize`;
+
+    const url = client.createAuthorizationRequestUrl({
+      clientId: 'test-client',
+      codeChallengeMethod: CodeChallengeMethod.SHA256,
+      codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+      scope: 'TestCredential',
+      redirectUri: 'http://localhost:8881/cb',
+    });
+
+    const urlSearchParams = new URLSearchParams(url.split('?')[1]);
+    const scope = urlSearchParams.get('scope')?.split(' ');
+
+    expect(scope?.[0]).toBe('openid');
+  });
+  it('throw an error if no scope and no authorization_details is provided', async () => {
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    client._endpointMetadata?.issuerMetadata.authorization_endpoint = `${MOCK_URL}v1/auth/authorize`;
+
+    expect(() => {
+      client.createAuthorizationRequestUrl({
+        clientId: 'test-client',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        redirectUri: 'http://localhost:8881/cb',
+      });
+    }).toThrow(Error('Please provide a scope or authorization_details'));
+  });
+  it('create an authorization request url with authorization_details array property', async () => {
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    client._endpointMetadata.issuerMetadata.authorization_endpoint = `${MOCK_URL}v1/auth/authorize`;
+
+    expect(
+      client.createAuthorizationRequestUrl({
+        clientId: 'test-client',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        authorizationDetails: [
+          {
+            type: 'openid_credential',
+            format: 'ldp_vc',
+            credential_definition: {
+              '@context': ['https://www.w3.org/2018/credentials/v1', 'https://www.w3.org/2018/credentials/examples/v1'],
+              types: ['VerifiableCredential', 'UniversityDegreeCredential'],
+            },
+          },
+          {
+            type: 'openid_credential',
+            format: 'mso_mdoc',
+            doctype: 'org.iso.18013.5.1.mDL',
+          },
+        ],
+        redirectUri: 'http://localhost:8881/cb',
+      })
+    ).toEqual(
+      'https://server.example.com/v1/auth/authorize?response_type=code&client_id=test-client&code_challenge_method=S256&code_challenge=mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs&authorization_details=%5B%7B%22type%22%3A%22openid_credential%22%2C%22format%22%3A%22ldp_vc%22%2C%22credential_definition%22%3A%7B%22%40context%22%3A%5B%22https%3A%2F%2Fwww%2Ew3%2Eorg%2F2018%2Fcredentials%2Fv1%22%2C%22https%3A%2F%2Fwww%2Ew3%2Eorg%2F2018%2Fcredentials%2Fexamples%2Fv1%22%5D%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22UniversityDegreeCredential%22%5D%7D%2C%22locations%22%3A%22https%3A%2F%2Fserver%2Eexample%2Ecom%22%7D%2C%7B%22type%22%3A%22openid_credential%22%2C%22format%22%3A%22mso_mdoc%22%2C%22doctype%22%3A%22org%2Eiso%2E18013%2E5%2E1%2EmDL%22%2C%22locations%22%3A%22https%3A%2F%2Fserver%2Eexample%2Ecom%22%7D%5D&redirect_uri=http%3A%2F%2Flocalhost%3A8881%2Fcb'
+    );
+  });
+  it('create an authorization request url with authorization_details object property', async () => {
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    client._endpointMetadata.issuerMetadata.authorization_endpoint = `${MOCK_URL}v1/auth/authorize`;
+
+    expect(
+      client.createAuthorizationRequestUrl({
+        clientId: 'test-client',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        authorizationDetails: {
+          type: 'openid_credential',
+          format: 'ldp_vc',
+          credential_definition: {
+            '@context': ['https://www.w3.org/2018/credentials/v1', 'https://www.w3.org/2018/credentials/examples/v1'],
+            types: ['VerifiableCredential', 'UniversityDegreeCredential'],
+          },
+        },
+        redirectUri: 'http://localhost:8881/cb',
+      })
+    ).toEqual(
+      'https://server.example.com/v1/auth/authorize?response_type=code&client_id=test-client&code_challenge_method=S256&code_challenge=mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs&authorization_details=%7B%22type%22%3A%22openid_credential%22%2C%22format%22%3A%22ldp_vc%22%2C%22credential_definition%22%3A%7B%22%40context%22%3A%5B%22https%3A%2F%2Fwww%2Ew3%2Eorg%2F2018%2Fcredentials%2Fv1%22%2C%22https%3A%2F%2Fwww%2Ew3%2Eorg%2F2018%2Fcredentials%2Fexamples%2Fv1%22%5D%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22UniversityDegreeCredential%22%5D%7D%2C%22locations%22%3A%22https%3A%2F%2Fserver%2Eexample%2Ecom%22%7D&redirect_uri=http%3A%2F%2Flocalhost%3A8881%2Fcb'
+    );
+  });
+  it('create an authorization request url with authorization_details and scope', async () => {
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    client._endpointMetadata.issuerMetadata.authorization_endpoint = `${MOCK_URL}v1/auth/authorize`;
+
+    expect(
+      client.createAuthorizationRequestUrl({
+        clientId: 'test-client',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        authorizationDetails: {
+          type: 'openid_credential',
+          format: 'ldp_vc',
+          locations: ['https://test.com'],
+          credential_definition: {
+            '@context': ['https://www.w3.org/2018/credentials/v1', 'https://www.w3.org/2018/credentials/examples/v1'],
+            types: ['VerifiableCredential', 'UniversityDegreeCredential'],
+          },
+        },
+        scope: 'openid',
+        redirectUri: 'http://localhost:8881/cb',
+      })
+    ).toEqual(
+      'https://server.example.com/v1/auth/authorize?response_type=code&client_id=test-client&code_challenge_method=S256&code_challenge=mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs&authorization_details=%7B%22type%22%3A%22openid_credential%22%2C%22format%22%3A%22ldp_vc%22%2C%22locations%22%3A%5B%22https%3A%2F%2Ftest%2Ecom%22%2C%22https%3A%2F%2Fserver%2Eexample%2Ecom%22%5D%2C%22credential_definition%22%3A%7B%22%40context%22%3A%5B%22https%3A%2F%2Fwww%2Ew3%2Eorg%2F2018%2Fcredentials%2Fv1%22%2C%22https%3A%2F%2Fwww%2Ew3%2Eorg%2F2018%2Fcredentials%2Fexamples%2Fv1%22%5D%2C%22types%22%3A%5B%22VerifiableCredential%22%2C%22UniversityDegreeCredential%22%5D%7D%7D&redirect_uri=http%3A%2F%2Flocalhost%3A8881%2Fcb&scope=openid'
+    );
+  });
+});

package/lib/__tests__/OpenID4VCIClientPAR.spec.ts

@@ -0,0 +1,112 @@
+import { AuthzFlowType, CodeChallengeMethod, Oauth2ASWithOID4VCIMetadata } from '@sphereon/oid4vci-common';
+import nock from 'nock';
+
+import { OpenID4VCIClient } from '../OpenID4VCIClient';
+
+const MOCK_URL = 'https://server.example.com/';
+describe('OpenID4VCIClient', () => {
+  let client: OpenID4VCIClient;
+
+  beforeEach(async () => {
+    nock(MOCK_URL).get(/.*/).reply(200, {});
+    nock(`${MOCK_URL}`).post('/v1/auth/par').reply(201, { request_uri: 'test_uri', expires_in: 90 });
+    client = await OpenID4VCIClient.fromURI({
+      uri: 'openid-initiate-issuance://?issuer=https://server.example.com&credential_type=TestCredential',
+      flowType: AuthzFlowType.AUTHORIZATION_CODE_FLOW,
+    });
+  });
+
+  afterEach(() => {
+    nock.cleanAll();
+  });
+
+  it('should successfully retrieve the authorization code using PAR', async () => {
+    (client.endpointMetadata.issuerMetadata! as Oauth2ASWithOID4VCIMetadata).pushed_authorization_request_endpoint = `${MOCK_URL}v1/auth/par`;
+    const actual = await client.acquirePushedAuthorizationRequestURI({
+      clientId: 'test-client',
+      codeChallengeMethod: CodeChallengeMethod.SHA256,
+      codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+      scope: 'openid TestCredential',
+      redirectUri: 'http://localhost:8881/cb',
+    });
+    expect(actual.successBody).toEqual({ request_uri: 'test_uri', expires_in: 90 });
+  });
+
+  it('should fail when pushed_authorization_request_endpoint is not present', async () => {
+    await expect(() =>
+      client.acquirePushedAuthorizationRequestURI({
+        clientId: 'test-client',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        scope: 'openid TestCredential',
+        redirectUri: 'http://localhost:8881/cb',
+      })
+    ).rejects.toThrow(Error('Server metadata does not contain pushed authorization request endpoint'));
+  });
+
+  it('should fail when authorization_details and scope are not present', async () => {
+    await expect(() =>
+      client.acquirePushedAuthorizationRequestURI({
+        clientId: 'test-client',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        redirectUri: 'http://localhost:8881/cb',
+      })
+    ).rejects.toThrow(Error('Please provide a scope or authorization_details'));
+  });
+
+  it('should not fail when only authorization_details is present', async () => {
+    (client.endpointMetadata.issuerMetadata! as Oauth2ASWithOID4VCIMetadata).pushed_authorization_request_endpoint = `${MOCK_URL}v1/auth/par`;
+    const actual = await client.acquirePushedAuthorizationRequestURI({
+      clientId: 'test-client',
+      codeChallengeMethod: CodeChallengeMethod.SHA256,
+      codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+      authorizationDetails: [
+        {
+          type: 'openid_credential',
+          format: 'ldp_vc',
+          credential_definition: {
+            '@context': ['https://www.w3.org/2018/credentials/v1', 'https://www.w3.org/2018/credentials/examples/v1'],
+            types: ['VerifiableCredential', 'UniversityDegreeCredential'],
+          },
+        },
+      ],
+      redirectUri: 'http://localhost:8881/cb',
+    });
+    expect(actual.successBody).toEqual({ request_uri: 'test_uri', expires_in: 90 });
+  });
+
+  it('should not fail when only scope is present', async () => {
+    (client.endpointMetadata.issuerMetadata! as Oauth2ASWithOID4VCIMetadata).pushed_authorization_request_endpoint = `${MOCK_URL}v1/auth/par`;
+    const actual = await client.acquirePushedAuthorizationRequestURI({
+      clientId: 'test-client',
+      codeChallengeMethod: CodeChallengeMethod.SHA256,
+      codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+      scope: 'openid TestCredential',
+      redirectUri: 'http://localhost:8881/cb',
+    });
+    expect(actual.successBody).toEqual({ request_uri: 'test_uri', expires_in: 90 });
+  });
+
+  it('should not fail when both authorization_details and scope are present', async () => {
+    (client.endpointMetadata.issuerMetadata! as Oauth2ASWithOID4VCIMetadata).pushed_authorization_request_endpoint = `${MOCK_URL}v1/auth/par`;
+    const actual = await client.acquirePushedAuthorizationRequestURI({
+      clientId: 'test-client',
+      codeChallengeMethod: CodeChallengeMethod.SHA256,
+      codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+      authorizationDetails: [
+        {
+          type: 'openid_credential',
+          format: 'ldp_vc',
+          credential_definition: {
+            '@context': ['https://www.w3.org/2018/credentials/v1', 'https://www.w3.org/2018/credentials/examples/v1'],
+            types: ['VerifiableCredential', 'UniversityDegreeCredential'],
+          },
+        },
+      ],
+      scope: 'openid TestCredential',
+      redirectUri: 'http://localhost:8881/cb',
+    });
+    expect(actual.successBody).toEqual({ request_uri: 'test_uri', expires_in: 90 });
+  });
+});

package/lib/__tests__/ProofOfPossessionBuilder.spec.ts

@@ -0,0 +1,110 @@
+import { KeyObject } from 'crypto';
+
+import { Alg, JWS_NOT_VALID, Jwt, NO_JWT_PROVIDED, OpenId4VCIVersion, PROOF_CANT_BE_CONSTRUCTED, ProofOfPossession } from '@sphereon/oid4vci-common';
+import * as jose from 'jose';
+
+import { ProofOfPossessionBuilder } from '..';
+
+import { IDENTIPROOF_ISSUER_URL } from './MetadataMocks';
+
+const jwt: Jwt = {
+  header: { alg: Alg.ES256, kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1', typ: 'jwt' },
+  payload: { iss: 'sphereon:wallet', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: IDENTIPROOF_ISSUER_URL, iat: Date.now() },
+};
+
+const kid = 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1';
+
+let keypair: KeyPair;
+
+async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promise<string> {
+  if (!args.payload.aud) {
+    throw Error('aud required');
+  } else if (!kid) {
+    throw Error('kid required');
+  }
+  return await new jose.SignJWT({ ...args.payload })
+    .setProtectedHeader({ alg: 'ES256' })
+    .setIssuedAt(args.payload.iat)
+    .setIssuer(kid)
+    .setAudience(args.payload.aud)
+    .setExpirationTime('2h')
+    .sign(keypair.privateKey);
+}
+
+interface KeyPair {
+  publicKey: KeyObject;
+  privateKey: KeyObject;
+}
+
+beforeAll(async () => {
+  const { privateKey, publicKey } = await jose.generateKeyPair('ES256');
+  keypair = { publicKey: publicKey as KeyObject, privateKey: privateKey as KeyObject };
+});
+
+describe('ProofOfPossession Builder ', () => {
+  it('should fail without supplied proof or callbacks', async function () {
+    await expect(
+      ProofOfPossessionBuilder.fromProof(undefined as never, OpenId4VCIVersion.VER_1_0_11)
+        .withIssuer(IDENTIPROOF_ISSUER_URL)
+        .withClientId('sphereon:wallet')
+        .withKid(kid)
+        .build()
+    ).rejects.toThrow(Error(PROOF_CANT_BE_CONSTRUCTED));
+  });
+
+  it('should fail wit undefined jwt supplied', async function () {
+    await expect(() =>
+      ProofOfPossessionBuilder.fromJwt({ jwt, callbacks: { signCallback: proofOfPossessionCallbackFunction }, version: OpenId4VCIVersion.VER_1_0_08 })
+        .withJwt(undefined as never)
+        .withIssuer(IDENTIPROOF_ISSUER_URL)
+        .withClientId('sphereon:wallet')
+        .withKid(kid)
+        .build()
+    ).toThrow(Error(NO_JWT_PROVIDED));
+  });
+
+  it('should build a proof with all required params present', async function () {
+    const proof: ProofOfPossession = await ProofOfPossessionBuilder.fromJwt({
+      jwt,
+      callbacks: {
+        signCallback: proofOfPossessionCallbackFunction,
+      },
+      version: OpenId4VCIVersion.VER_1_0_08,
+    })
+      .withIssuer(IDENTIPROOF_ISSUER_URL)
+      .withKid(kid)
+      .withClientId('sphereon:wallet')
+      .build();
+    expect(proof).toBeDefined();
+  });
+
+  it('should fail creating a proof of possession with simple verification', async () => {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    async function proofOfPossessionCallbackFunction(_args: Jwt, _kid?: string): Promise<string> {
+      throw new Error(JWS_NOT_VALID);
+    }
+
+    await expect(
+      ProofOfPossessionBuilder.fromJwt({ jwt, callbacks: { signCallback: proofOfPossessionCallbackFunction }, version: OpenId4VCIVersion.VER_1_0_08 })
+        .withIssuer(IDENTIPROOF_ISSUER_URL)
+        .withClientId('sphereon:wallet')
+        .withKid(kid)
+        .build()
+    ).rejects.toThrow(Error(JWS_NOT_VALID));
+  });
+
+  it('should fail creating a proof of possession without verify callback', async () => {
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    async function proofOfPossessionCallbackFunction(_args: Jwt, _kid?: string): Promise<string> {
+      throw new Error(JWS_NOT_VALID);
+    }
+
+    await expect(
+      ProofOfPossessionBuilder.fromJwt({ jwt, callbacks: { signCallback: proofOfPossessionCallbackFunction }, version: OpenId4VCIVersion.VER_1_0_08 })
+        .withIssuer(IDENTIPROOF_ISSUER_URL)
+        .withClientId('sphereon:wallet')
+        .withKid(kid)
+        .build()
+    ).rejects.toThrow(Error(JWS_NOT_VALID));
+  });
+});