@sphereon/oid4vci-client 0.2.0 → 0.4.1-next.285

package/dist/functions/ProofUtil.js

@@ -0,0 +1,104 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createProofOfPossession = void 0;
+const oid4vci_common_1 = require("@sphereon/oid4vci-common");
+const debug_1 = __importDefault(require("debug"));
+const debug = (0, debug_1.default)('sphereon:openid4vci:token');
+/**
+ *
+ *  - proofOfPossessionCallback: JWTSignerCallback
+ *    Mandatory if you want to create (sign) ProofOfPossession
+ *  - proofOfPossessionVerifierCallback?: JWTVerifyCallback
+ *    If exists, verifies the ProofOfPossession
+ *  - proofOfPossessionCallbackArgs: ProofOfPossessionCallbackArgs
+ *    arguments needed for signing ProofOfPossession
+ * @param callbacks:
+ *    - proofOfPossessionCallback: JWTSignerCallback
+ *      Mandatory to create (sign) ProofOfPossession
+ *    - proofOfPossessionVerifierCallback?: JWTVerifyCallback
+ *      If exists, verifies the ProofOfPossession
+ * @param jwtProps
+ * @param existingJwt
+ *  - Optional, clientId of the party requesting the credential
+ */
+const createProofOfPossession = (callbacks, jwtProps, existingJwt) => __awaiter(void 0, void 0, void 0, function* () {
+    if (!callbacks.signCallback) {
+        debug(`no jwt signer callback or arguments supplied!`);
+        throw new Error(oid4vci_common_1.BAD_PARAMS);
+    }
+    const signerArgs = createJWT(jwtProps, existingJwt);
+    const jwt = yield callbacks.signCallback(signerArgs, signerArgs.header.kid);
+    const proof = {
+        proof_type: 'jwt',
+        jwt,
+    };
+    try {
+        partiallyValidateJWS(jwt);
+        if (callbacks.verifyCallback) {
+            debug(`Calling supplied verify callback....`);
+            yield callbacks.verifyCallback({ jwt, kid: signerArgs.header.kid });
+            debug(`Supplied verify callback return success result`);
+        }
+    }
+    catch (_a) {
+        debug(`JWS was not valid`);
+        throw new Error(oid4vci_common_1.JWS_NOT_VALID);
+    }
+    debug(`Proof of Possession JWT:\r\n${jwt}`);
+    return proof;
+});
+exports.createProofOfPossession = createProofOfPossession;
+const partiallyValidateJWS = (jws) => {
+    if (jws.split('.').length !== 3 || !jws.startsWith('ey')) {
+        throw new Error(oid4vci_common_1.JWS_NOT_VALID);
+    }
+};
+const createJWT = (jwtProps, existingJwt) => {
+    var _a, _b, _c, _d, _e, _f, _g, _h, _j;
+    const aud = getJwtProperty('aud', true, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.issuer, (_a = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _a === void 0 ? void 0 : _a.aud);
+    const iss = getJwtProperty('iss', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.clientId, (_b = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _b === void 0 ? void 0 : _b.iss);
+    const jti = getJwtProperty('jti', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.jti, (_c = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _c === void 0 ? void 0 : _c.jti);
+    const typ = getJwtProperty('typ', true, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.typ, (_d = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _d === void 0 ? void 0 : _d.typ, 'jwt');
+    const nonce = getJwtProperty('nonce', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.nonce, (_e = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.payload) === null || _e === void 0 ? void 0 : _e.nonce); // Officially this is required, but some implementations don't have it
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    const alg = getJwtProperty('alg', false, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.alg, (_f = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _f === void 0 ? void 0 : _f.alg, 'ES256');
+    const kid = getJwtProperty('kid', true, jwtProps === null || jwtProps === void 0 ? void 0 : jwtProps.kid, (_g = existingJwt === null || existingJwt === void 0 ? void 0 : existingJwt.header) === null || _g === void 0 ? void 0 : _g.kid);
+    const jwt = existingJwt ? existingJwt : {};
+    const now = +new Date();
+    const jwtPayload = Object.assign(Object.assign({ aud, iat: ((_h = jwt.payload) === null || _h === void 0 ? void 0 : _h.iat) ? jwt.payload.iat : now / 1000 - 60, exp: ((_j = jwt.payload) === null || _j === void 0 ? void 0 : _j.exp) ? jwt.payload.exp : now / 1000 + 10 * 60, nonce }, (iss ? { iss } : {})), (jti ? { jti } : {}));
+    const jwtHeader = {
+        typ,
+        alg,
+        kid,
+    };
+    return {
+        payload: Object.assign(Object.assign({}, jwt.payload), jwtPayload),
+        header: Object.assign(Object.assign({}, jwt.header), jwtHeader),
+    };
+};
+const getJwtProperty = (propertyName, required, option, jwtProperty, defaultValue) => {
+    if (option && jwtProperty && option !== jwtProperty) {
+        throw Error(`Cannot have a property '${propertyName}' with value '${option}' and different JWT value '${jwtProperty}' at the same time`);
+    }
+    let result = jwtProperty ? jwtProperty : option;
+    if (!result) {
+        if (required) {
+            throw Error(`No ${propertyName} property provided either in a JWT or as option`);
+        }
+        result = defaultValue;
+    }
+    return result;
+};
+//# sourceMappingURL=ProofUtil.js.map

package/dist/functions/ProofUtil.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProofUtil.js","sourceRoot":"","sources":["../../lib/functions/ProofUtil.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,6DAAqJ;AACrJ,kDAA0B;AAE1B,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,2BAA2B,CAAC,CAAC;AAEjD;;;;;;;;;;;;;;;;GAgBG;AACI,MAAM,uBAAuB,GAAG,CACrC,SAAqC,EACrC,QAAmB,EACnB,WAAiB,EACW,EAAE;IAC9B,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE;QAC3B,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,2BAAU,CAAC,CAAC;KAC7B;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAG;QACZ,UAAU,EAAE,KAAK;QACjB,GAAG;KACiB,CAAC;IAEvB,IAAI;QACF,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,SAAS,CAAC,cAAc,EAAE;YAC5B,KAAK,CAAC,sCAAsC,CAAC,CAAC;YAC9C,MAAM,SAAS,CAAC,cAAc,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;YACpE,KAAK,CAAC,gDAAgD,CAAC,CAAC;SACzD;KACF;IAAC,WAAM;QACN,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,8BAAa,CAAC,CAAC;KAChC;IACD,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;IAC5C,OAAO,KAAK,CAAC;AACf,CAAC,CAAA,CAAC;AA9BW,QAAA,uBAAuB,2BA8BlC;AAEF,MAAM,oBAAoB,GAAG,CAAC,GAAW,EAAQ,EAAE;IACjD,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE;QACxD,MAAM,IAAI,KAAK,CAAC,8BAAa,CAAC,CAAC;KAChC;AACH,CAAC,CAAC;AAYF,MAAM,SAAS,GAAG,CAAC,QAAmB,EAAE,WAAiB,EAAO,EAAE;;IAChE,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,MAAM,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,GAAG,CAAC,CAAC;IACrF,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,QAAQ,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,GAAG,CAAC,CAAC;IACxF,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,GAAG,CAAC,CAAC;IACnF,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACxF,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,KAAK,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,0CAAE,KAAK,CAAC,CAAC,CAAC,sEAAsE;IAClK,oEAAoE;IACpE,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,EAAE,KAAK,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,EAAE,OAAO,CAAE,CAAC;IAC5F,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,MAAM,0CAAE,GAAG,CAAC,CAAC;IACjF,MAAM,GAAG,GAAiB,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;IACzD,MAAM,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IACxB,MAAM,UAAU,iCACd,GAAG,EACH,GAAG,EAAE,CAAA,MAAA,GAAG,CAAC,OAAO,0CAAE,GAAG,EAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,GAAG,EAAE,EACzD,GAAG,EAAE,CAAA,MAAA,GAAG,CAAC,OAAO,0CAAE,GAAG,EAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,EAC9D,KAAK,IACF,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,GACpB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CACxB,CAAC;IAEF,MAAM,SAAS,GAAc;QAC3B,GAAG;QACH,GAAG;QACH,GAAG;KACJ,CAAC;IACF,OAAO;QACL,OAAO,kCAAO,GAAG,CAAC,OAAO,GAAK,UAAU,CAAE;QAC1C,MAAM,kCAAO,GAAG,CAAC,MAAM,GAAK,SAAS,CAAE;KACxC,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,CACrB,YAAoB,EACpB,QAAiB,EACjB,MAAe,EACf,WAAoB,EACpB,YAAqB,EACD,EAAE;IACtB,IAAI,MAAM,IAAI,WAAW,IAAI,MAAM,KAAK,WAAW,EAAE;QACnD,MAAM,KAAK,CAAC,2BAA2B,YAAY,iBAAiB,MAAM,8BAA8B,WAAW,oBAAoB,CAAC,CAAC;KAC1I;IACD,IAAI,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC;IAChD,IAAI,CAAC,MAAM,EAAE;QACX,IAAI,QAAQ,EAAE;YACZ,MAAM,KAAK,CAAC,MAAM,YAAY,iDAAiD,CAAC,CAAC;SAClF;QACD,MAAM,GAAG,YAAY,CAAC;KACvB;IACD,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC"}

package/dist/functions/index.d.ts

@@ -0,0 +1,4 @@
+export * from '@sphereon/oid4vci-common/dist/functions/Encoding';
+export * from '@sphereon/oid4vci-common/dist/functions/HttpUtils';
+export * from './ProofUtil';
+//# sourceMappingURL=index.d.ts.map

package/dist/functions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/functions/index.ts"],"names":[],"mappings":"AAAA,cAAc,kDAAkD,CAAC;AACjE,cAAc,mDAAmD,CAAC;AAClE,cAAc,aAAa,CAAC"}

package/dist/{main → functions}/index.js

@@ -1,18 +1,20 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./lib"), exports);
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7O0FBQUEsd0NBQXFCIn0=
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("@sphereon/oid4vci-common/dist/functions/Encoding"), exports);
+__exportStar(require("@sphereon/oid4vci-common/dist/functions/HttpUtils"), exports);
+__exportStar(require("./ProofUtil"), exports);
+//# sourceMappingURL=index.js.map

package/dist/functions/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/functions/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,mFAAiE;AACjE,oFAAkE;AAClE,8CAA4B"}

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+export * from './AccessTokenClient';
+export * from './CredentialOfferClient';
+export * from './CredentialRequestClient';
+export * from './CredentialRequestClientBuilder';
+export * from './functions';
+export * from './MetadataClient';
+export * from './OpenID4VCIClient';
+export * from './ProofOfPossessionBuilder';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,qBAAqB,CAAC;AACpC,cAAc,yBAAyB,CAAC;AACxC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,kCAAkC,CAAC;AACjD,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC;AACjC,cAAc,oBAAoB,CAAC;AACnC,cAAc,4BAA4B,CAAC"}

package/dist/{main/lib/index.js → index.js}

@@ -1,24 +1,25 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./functions"), exports);
-__exportStar(require("./types"), exports);
-__exportStar(require("./MetadataClient"), exports);
-__exportStar(require("./IssuanceInitiation"), exports);
-__exportStar(require("./AccessTokenClient"), exports);
-__exportStar(require("./CredentialRequestClient"), exports);
-__exportStar(require("./CredentialRequestClientBuilder"), exports);
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9saWIvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLDhDQUE0QjtBQUM1QiwwQ0FBd0I7QUFDeEIsbURBQWlDO0FBQ2pDLHVEQUFxQztBQUNyQyxzREFBb0M7QUFDcEMsNERBQTBDO0FBQzFDLG1FQUFpRCJ9
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./AccessTokenClient"), exports);
+__exportStar(require("./CredentialOfferClient"), exports);
+__exportStar(require("./CredentialRequestClient"), exports);
+__exportStar(require("./CredentialRequestClientBuilder"), exports);
+__exportStar(require("./functions"), exports);
+__exportStar(require("./MetadataClient"), exports);
+__exportStar(require("./OpenID4VCIClient"), exports);
+__exportStar(require("./ProofOfPossessionBuilder"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,sDAAoC;AACpC,0DAAwC;AACxC,4DAA0C;AAC1C,mEAAiD;AACjD,8CAA4B;AAC5B,mDAAiC;AACjC,qDAAmC;AACnC,6DAA2C"}

package/lib/AccessTokenClient.ts

@@ -0,0 +1,249 @@
+import {
+  AccessTokenRequest,
+  AccessTokenRequestOpts,
+  AccessTokenResponse,
+  assertedUniformCredentialOffer,
+  AuthorizationServerOpts,
+  EndpointMetadata,
+  getIssuerFromCredentialOfferPayload,
+  GrantTypes,
+  isPreAuthCode,
+  IssuerOpts,
+  OpenIDResponse,
+  PRE_AUTH_CODE_LITERAL,
+  TokenErrorResponse,
+  toUniformCredentialOfferRequest,
+  UniformCredentialOfferPayload,
+} from '@sphereon/oid4vci-common';
+import { ObjectUtils } from '@sphereon/ssi-types';
+import Debug from 'debug';
+
+import { MetadataClient } from './MetadataClient';
+import { convertJsonToURI, formPost } from './functions';
+
+const debug = Debug('sphereon:oid4vci:token');
+
+export class AccessTokenClient {
+  public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse>> {
+    const { asOpts, pin, codeVerifier, code, redirectUri, metadata } = opts;
+
+    const credentialOffer = await assertedUniformCredentialOffer(opts.credentialOffer);
+    const isPinRequired = this.isPinRequiredValue(credentialOffer.credential_offer);
+    const issuer = getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) ?? (metadata?.issuer as string);
+    if (!issuer) {
+      throw Error('Issuer required at this point');
+    }
+    const issuerOpts = {
+      issuer,
+    };
+
+    return await this.acquireAccessTokenUsingRequest({
+      accessTokenRequest: await this.createAccessTokenRequest({
+        credentialOffer,
+        asOpts,
+        codeVerifier,
+        code,
+        redirectUri,
+        pin,
+      }),
+      isPinRequired,
+      metadata,
+      asOpts,
+      issuerOpts,
+    });
+  }
+
+  public async acquireAccessTokenUsingRequest({
+    accessTokenRequest,
+    isPinRequired,
+    metadata,
+    asOpts,
+    issuerOpts,
+  }: {
+    accessTokenRequest: AccessTokenRequest;
+    isPinRequired?: boolean;
+    metadata?: EndpointMetadata;
+    asOpts?: AuthorizationServerOpts;
+    issuerOpts?: IssuerOpts;
+  }): Promise<OpenIDResponse<AccessTokenResponse>> {
+    this.validate(accessTokenRequest, isPinRequired);
+    const requestTokenURL = AccessTokenClient.determineTokenURL({
+      asOpts,
+      issuerOpts,
+      metadata: metadata
+        ? metadata
+        : issuerOpts?.fetchMetadata
+        ? await MetadataClient.retrieveAllMetadata(issuerOpts.issuer, { errorOnNotFound: false })
+        : undefined,
+    });
+    return this.sendAuthCode(requestTokenURL, accessTokenRequest);
+  }
+
+  public async createAccessTokenRequest(opts: AccessTokenRequestOpts): Promise<AccessTokenRequest> {
+    const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
+    const credentialOfferRequest = await toUniformCredentialOfferRequest(opts.credentialOffer);
+    const request: Partial<AccessTokenRequest> = {};
+    if (asOpts?.clientId) {
+      request.client_id = asOpts.clientId;
+    }
+
+    this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
+    request.user_pin = pin;
+
+    const isPreAuth = isPreAuthCode(credentialOfferRequest);
+    if (isPreAuth) {
+      if (codeVerifier) {
+        throw new Error('Cannot pass a code_verifier when flow type is pre-authorized');
+      }
+      request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
+      // we actually know it is there because of the isPreAuthCode call
+      request[PRE_AUTH_CODE_LITERAL] =
+        credentialOfferRequest?.credential_offer.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.[PRE_AUTH_CODE_LITERAL];
+    }
+    if (!isPreAuth && credentialOfferRequest.credential_offer.grants?.authorization_code?.issuer_state) {
+      this.throwNotSupportedFlow(); // not supported yet
+      request.grant_type = GrantTypes.AUTHORIZATION_CODE;
+    }
+    if (codeVerifier) {
+      request.code_verifier = codeVerifier;
+      request.code = code;
+      request.redirect_uri = redirectUri;
+      request.grant_type = GrantTypes.AUTHORIZATION_CODE;
+    }
+    if (request.grant_type === GrantTypes.AUTHORIZATION_CODE && isPreAuth) {
+      throw Error('A pre_authorized_code flow cannot have an issuer state in the credential offer');
+    }
+
+    return request as AccessTokenRequest;
+  }
+
+  private assertPreAuthorizedGrantType(grantType: GrantTypes): void {
+    if (GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {
+      throw new Error("grant type must be 'urn:ietf:params:oauth:grant-type:pre-authorized_code'");
+    }
+  }
+
+  private assertAuthorizationGrantType(grantType: GrantTypes): void {
+    if (GrantTypes.AUTHORIZATION_CODE !== grantType) {
+      throw new Error("grant type must be 'authorization_code'");
+    }
+  }
+
+  private isPinRequiredValue(requestPayload: UniformCredentialOfferPayload): boolean {
+    let isPinRequired = false;
+    if (!requestPayload) {
+      throw new Error(TokenErrorResponse.invalid_request);
+    }
+    const issuer = getIssuerFromCredentialOfferPayload(requestPayload);
+    if (requestPayload.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']) {
+      isPinRequired = requestPayload.grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false;
+    }
+    debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
+    return isPinRequired;
+  }
+
+  private assertNumericPin(isPinRequired?: boolean, pin?: string): void {
+    if (isPinRequired) {
+      if (!pin || !/^\d{1,8}$/.test(pin)) {
+        debug(`Pin is not 1 to 8 digits long`);
+        throw new Error('A valid pin consisting of maximal 8 numeric characters must be present.');
+      }
+    } else if (pin) {
+      debug(`Pin set, whilst not required`);
+      throw new Error('Cannot set a pin, when the pin is not required.');
+    }
+  }
+
+  private assertNonEmptyPreAuthorizedCode(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest[PRE_AUTH_CODE_LITERAL]) {
+      debug(`No pre-authorized code present, whilst it is required`);
+      throw new Error('Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.');
+    }
+  }
+
+  private assertNonEmptyCodeVerifier(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest.code_verifier) {
+      debug('No code_verifier present, whilst it is required');
+      throw new Error('Authorization flow requires the code_verifier to be present');
+    }
+  }
+
+  private assertNonEmptyCode(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest.code) {
+      debug('No code present, whilst it is required');
+      throw new Error('Authorization flow requires the code to be present');
+    }
+  }
+
+  private assertNonEmptyRedirectUri(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest.redirect_uri) {
+      debug('No redirect_uri present, whilst it is required');
+      throw new Error('Authorization flow requires the redirect_uri to be present');
+    }
+  }
+
+  private validate(accessTokenRequest: AccessTokenRequest, isPinRequired?: boolean): void {
+    if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {
+      this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
+      this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
+      this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin);
+    } else if (accessTokenRequest.grant_type === GrantTypes.AUTHORIZATION_CODE) {
+      this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
+      this.assertNonEmptyCodeVerifier(accessTokenRequest);
+      this.assertNonEmptyCode(accessTokenRequest);
+      this.assertNonEmptyRedirectUri(accessTokenRequest);
+    } else {
+      this.throwNotSupportedFlow;
+    }
+  }
+
+  private async sendAuthCode(requestTokenURL: string, accessTokenRequest: AccessTokenRequest): Promise<OpenIDResponse<AccessTokenResponse>> {
+    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest));
+  }
+
+  public static determineTokenURL({
+    asOpts,
+    issuerOpts,
+    metadata,
+  }: {
+    asOpts?: AuthorizationServerOpts;
+    issuerOpts?: IssuerOpts;
+    metadata?: EndpointMetadata;
+  }): string {
+    if (!asOpts && !metadata?.token_endpoint && !issuerOpts) {
+      throw new Error('Cannot determine token URL if no issuer, metadata and no Authorization Server values are present');
+    }
+    let url;
+    if (asOpts && asOpts.as) {
+      url = this.creatTokenURLFromURL(asOpts.as, asOpts?.allowInsecureEndpoints, asOpts.tokenEndpoint);
+    } else if (metadata?.token_endpoint) {
+      url = metadata.token_endpoint;
+    } else {
+      if (!issuerOpts?.issuer) {
+        throw Error('Either authorization server options, a token endpoint or issuer options are required at this point');
+      }
+      url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
+    }
+
+    if (!url || !ObjectUtils.isString(url)) {
+      throw new Error('No authorization server token URL present. Cannot acquire access token');
+    }
+    debug(`Token endpoint determined to be ${url}`);
+    return url;
+  }
+
+  private static creatTokenURLFromURL(url: string, allowInsecureEndpoints?: boolean, tokenEndpoint?: string): string {
+    if (allowInsecureEndpoints !== true && url.startsWith('http:')) {
+      throw Error(`Unprotected token endpoints are not allowed ${url}. Adjust settings if you really need this (dev/test settings only!!)`);
+    }
+    const hostname = url.replace(/https?:\/\//, '').replace(/\/$/, '');
+    const endpoint = tokenEndpoint ? (tokenEndpoint.startsWith('/') ? tokenEndpoint : tokenEndpoint.substring(1)) : '/token';
+    const scheme = url.split('://')[0];
+    return `${scheme ? scheme + '://' : 'https://'}${hostname}${endpoint}`;
+  }
+
+  private throwNotSupportedFlow(): void {
+    debug(`Only pre-authorized flow supported.`);
+    throw new Error('Only pre-authorized-code flow is supported');
+  }
+}

package/lib/AuthorizationDetailsBuilder.ts

@@ -0,0 +1,46 @@
+import { AuthorizationDetailsJwtVcJson, OID4VCICredentialFormat } from '@sphereon/oid4vci-common';
+
+//todo: refactor this builder to be able to create ldp details as well
+export class AuthorizationDetailsBuilder {
+  private readonly authorizationDetails: Partial<AuthorizationDetailsJwtVcJson>;
+
+  constructor() {
+    this.authorizationDetails = {};
+  }
+
+  withType(type: string): AuthorizationDetailsBuilder {
+    this.authorizationDetails.type = type;
+    return this;
+  }
+
+  withFormats(format: OID4VCICredentialFormat): AuthorizationDetailsBuilder {
+    this.authorizationDetails.format = format;
+    return this;
+  }
+
+  withLocations(locations: string[]): AuthorizationDetailsBuilder {
+    if (this.authorizationDetails.locations) {
+      this.authorizationDetails.locations.push(...locations);
+    } else {
+      this.authorizationDetails.locations = locations;
+    }
+    return this;
+  }
+
+  addLocation(location: string): AuthorizationDetailsBuilder {
+    if (this.authorizationDetails.locations) {
+      this.authorizationDetails.locations.push(location);
+    } else {
+      this.authorizationDetails.locations = [location];
+    }
+    return this;
+  }
+
+  //todo: we have to consider one thing, if this is a general purpose builder, we want to support ldp types here as well. and for that we need a few checks.
+  buildJwtVcJson(): AuthorizationDetailsJwtVcJson {
+    if (this.authorizationDetails.format && this.authorizationDetails.type) {
+      return this.authorizationDetails as AuthorizationDetailsJwtVcJson;
+    }
+    throw new Error('Type and format are required properties');
+  }
+}

package/lib/CredentialOfferClient.ts

@@ -0,0 +1,108 @@
+import {
+  CredentialOffer,
+  CredentialOfferPayload,
+  CredentialOfferPayloadV1_0_09,
+  CredentialOfferRequestWithBaseUrl,
+  CredentialOfferV1_0_11,
+  determineSpecVersionFromURI,
+  OpenId4VCIVersion,
+  toUniformCredentialOfferRequest,
+} from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+import { convertJsonToURI, convertURIToJsonObject } from './functions';
+
+const debug = Debug('sphereon:oid4vci:offer');
+
+export class CredentialOfferClient {
+  public static async fromURI(uri: string, opts?: { resolve?: boolean }): Promise<CredentialOfferRequestWithBaseUrl> {
+    debug(`Credential Offer URI: ${uri}`);
+    if (!uri.includes('?') || !uri.includes('://')) {
+      debug(`Invalid Credential Offer URI: ${uri}`);
+      throw Error(`Invalid Credential Offer Request`);
+    }
+    const scheme = uri.split('://')[0];
+    const baseUrl = uri.split('?')[0];
+    const version = determineSpecVersionFromURI(uri);
+    let credentialOffer: CredentialOffer;
+    let credentialOfferPayload: CredentialOfferPayload;
+    if (version < OpenId4VCIVersion.VER_1_0_11) {
+      credentialOfferPayload = convertURIToJsonObject(uri, {
+        arrayTypeProperties: ['credential_type'],
+        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri'] : ['issuer', 'credential_type'],
+      }) as CredentialOfferPayloadV1_0_09;
+      credentialOffer = {
+        credential_offer: credentialOfferPayload,
+      };
+    } else {
+      credentialOffer = convertURIToJsonObject(uri, {
+        arrayTypeProperties: ['credentials'],
+        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri'] : ['credential_offer'],
+      }) as CredentialOfferV1_0_11;
+      if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
+        throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
+      }
+    }
+    const request = await toUniformCredentialOfferRequest(credentialOffer, {
+      ...opts,
+      version,
+    });
+
+    const grants = request.credential_offer?.grants;
+
+    return {
+      scheme,
+      baseUrl,
+      ...request,
+      ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
+      ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
+        preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
+      }),
+      userPinRequired: request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false,
+    };
+  }
+
+  public static toURI(
+    requestWithBaseUrl: CredentialOfferRequestWithBaseUrl,
+    opts?: {
+      version?: OpenId4VCIVersion;
+    }
+  ): string {
+    debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
+    const version = opts?.version ?? requestWithBaseUrl.version;
+    let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme)
+      ? requestWithBaseUrl.baseUrl
+      : `${requestWithBaseUrl.scheme.replace('://', '')}://${requestWithBaseUrl.baseUrl}`;
+    let param: string | undefined;
+
+    const isUri = requestWithBaseUrl.credential_offer_uri !== undefined;
+
+    if (version.valueOf() >= OpenId4VCIVersion.VER_1_0_11.valueOf()) {
+      // v11 changed from encoding every param to a encoded json object with a credential_offer param key
+      if (!baseUrl.includes('?')) {
+        param = isUri ? 'credential_offer_uri' : 'credential_offer';
+      } else {
+        const split = baseUrl.split('?');
+        if (split.length > 1 && split[1] !== '') {
+          if (baseUrl.endsWith('&')) {
+            param = isUri ? 'credential_offer_uri' : 'credential_offer';
+          } else if (!baseUrl.endsWith('=')) {
+            baseUrl += `&`;
+            param = isUri ? 'credential_offer_uri' : 'credential_offer';
+          }
+        }
+      }
+    }
+    return convertJsonToURI(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
+      baseUrl,
+      arrayTypeProperties: isUri ? [] : ['credential_type'],
+      uriTypeProperties: isUri
+        ? ['credential_offer_uri']
+        : version >= OpenId4VCIVersion.VER_1_0_11
+        ? ['credential_issuer', 'credential_type']
+        : ['issuer', 'credential_type'],
+      param,
+      version,
+    });
+  }
+}