@sphereon/oid4vci-client 0.2.0 → 0.4.1-unstable.247

package/lib/__tests__/CredentialRequestClientBuilder.spec.ts

@@ -0,0 +1,103 @@
+import { KeyObject } from 'crypto';
+
+import { Alg, CredentialRequest, IssuerMetadata, Jwt, JWTPayload, ProofOfPossession, Typ } from '@sphereon/oid4vci-common';
+import * as jose from 'jose';
+
+import { CredentialRequestClientBuilderV1_0_09, ProofOfPossessionBuilder } from '..';
+
+import { IDENTIPROOF_ISSUER_URL, IDENTIPROOF_OID4VCI_METADATA, INITIATION_TEST_URI, WALT_ISSUER_URL, WALT_OID4VCI_METADATA } from './MetadataMocks';
+
+const partialJWT = 'eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmN';
+
+const jwt: Jwt = {
+  header: { alg: Alg.ES256, kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1', typ: Typ.JWT },
+  payload: { iss: 'sphereon:wallet', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: IDENTIPROOF_ISSUER_URL },
+};
+
+const kid = 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1';
+
+let keypair: KeyPair;
+
+beforeAll(async () => {
+  const { privateKey, publicKey } = await jose.generateKeyPair('ES256');
+  keypair = { publicKey: publicKey as KeyObject, privateKey: privateKey as KeyObject };
+});
+
+async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promise<string> {
+  if (!args.payload.aud) {
+    throw Error('aud required');
+  } else if (!kid) {
+    throw Error('kid required');
+  }
+  return await new jose.SignJWT({ ...args.payload })
+    .setProtectedHeader({ alg: 'ES256' })
+    .setIssuedAt()
+    .setIssuer(kid)
+    .setAudience(args.payload.aud)
+    .setExpirationTime('2h')
+    .sign(keypair.privateKey);
+}
+
+interface KeyPair {
+  publicKey: KeyObject;
+  privateKey: KeyObject;
+}
+
+async function proofOfPossessionVerifierCallbackFunction(args: { jwt: string; kid?: string }): Promise<Jwt> {
+  const result = await jose.jwtVerify(args.jwt, keypair.publicKey);
+  return { header: result.protectedHeader, payload: result.payload as unknown as JWTPayload };
+}
+describe('Credential Request Client Builder', () => {
+  it('should build correctly provided with correct params', function () {
+    const credReqClient = CredentialRequestClientBuilderV1_0_09.fromURI({ uri: INITIATION_TEST_URI })
+      .withCredentialEndpoint('https://oidc4vci.demo.spruceid.com/credential')
+      .withFormat('jwt_vc')
+      .withCredentialType('credentialType')
+      .withToken('token')
+      .build();
+    expect(credReqClient.credentialRequestOpts.credentialEndpoint).toBe('https://oidc4vci.demo.spruceid.com/credential');
+    expect(credReqClient.credentialRequestOpts.format).toBe('jwt_vc');
+    expect(credReqClient.credentialRequestOpts.credentialType).toBe('credentialType');
+    expect(credReqClient.credentialRequestOpts.token).toBe('token');
+  });
+
+  it('should build credential request correctly', async () => {
+    const credReqClient = CredentialRequestClientBuilderV1_0_09.fromURI({ uri: INITIATION_TEST_URI })
+      .withCredentialEndpoint('https://oidc4vci.demo.spruceid.com/credential')
+      .withFormat('jwt_vc')
+      .withCredentialType('https://imsglobal.github.io/openbadges-specification/ob_v3p0.html#OpenBadgeCredential')
+      .build();
+    const proof: ProofOfPossession = await ProofOfPossessionBuilder.fromJwt({
+      jwt,
+      callbacks: {
+        signCallback: proofOfPossessionCallbackFunction,
+        verifyCallback: proofOfPossessionVerifierCallbackFunction,
+      },
+    })
+      .withClientId('sphereon:wallet')
+      .withKid(kid)
+      .build();
+    await proofOfPossessionVerifierCallbackFunction({ ...proof, kid });
+    const credentialRequest: CredentialRequest = await credReqClient.createCredentialRequest({ proofInput: proof });
+    expect(credentialRequest.proof.jwt).toContain(partialJWT);
+    expect(credentialRequest.type).toBe('https://imsglobal.github.io/openbadges-specification/ob_v3p0.html#OpenBadgeCredential');
+  });
+
+  it('should build correctly from metadata', async () => {
+    const credReqClient = CredentialRequestClientBuilderV1_0_09.fromURI({
+      uri: INITIATION_TEST_URI,
+      metadata: WALT_OID4VCI_METADATA,
+    })
+      .withFormat('jwt_vc')
+      .build();
+    expect(credReqClient.credentialRequestOpts.credentialEndpoint).toBe(`${WALT_ISSUER_URL}/credential`);
+  });
+
+  it('should build correctly with endpoint from metadata', async () => {
+    const credReqClient = CredentialRequestClientBuilderV1_0_09.fromURI({ uri: INITIATION_TEST_URI })
+      .withFormat('jwt_vc')
+      .withCredentialEndpointFromMetadata(IDENTIPROOF_OID4VCI_METADATA as unknown as IssuerMetadata)
+      .build();
+    expect(credReqClient.credentialRequestOpts.credentialEndpoint).toBe(`${IDENTIPROOF_ISSUER_URL}/credential`);
+  });
+});

package/lib/__tests__/HttpUtils.spec.ts

@@ -0,0 +1,37 @@
+import { isValidURL } from '../functions';
+
+describe('httputils.isValidURL', () => {
+  it('Should return true for http://localhost', () => {
+    expect(isValidURL('http://localhost:4000/some/random/path')).toBeTruthy();
+  });
+  it('Should return false when no scheme is used', () => {
+    expect(isValidURL('sphereon.com/some/random/path')).toBeFalsy();
+  });
+  it('Should return false when a different scheme than http(s) is used', () => {
+    expect(isValidURL('ftp://sphereon.com/some/random/path')).toBeFalsy();
+  });
+  it('Should return false for invalid scheme http:xxx', () => {
+    expect(isValidURL('http:localhost:4000/some/random/path')).toBeFalsy();
+  });
+  it('Should return false for non-localhost hostname with no domain', () => {
+    expect(isValidURL('https://mydomain/some/random/path')).toBeFalsy();
+  });
+  it('Should return true for https://sphereon.com', () => {
+    expect(isValidURL('https://sphereon.com/some/random/path')).toBeTruthy();
+  });
+  it('Should return true for https://sphereon.com:400', () => {
+    expect(isValidURL('https://sphereon.com:400/some/random/path')).toBeTruthy();
+  });
+  it('Should return true when no path is supplied', () => {
+    expect(isValidURL('https://sphereon.com')).toBeTruthy();
+  });
+  it('Should return true for https://sphereon.com:400/some/random/path?query=param', () => {
+    expect(isValidURL('https://sphereon.com:400/some/random/path?query=param')).toBeTruthy();
+  });
+  it('Should return true for https://sphereon.com:400/some/random/path#fragment', () => {
+    expect(isValidURL('https://sphereon.com:400/some/random/path#fragment')).toBeTruthy();
+  });
+  it('Should return true for https://sphereon.com:400/some/random/path?query=param#fragment', () => {
+    expect(isValidURL('https://sphereon.com:400/some/random/path?query=param#fragment')).toBeTruthy();
+  });
+});

package/lib/__tests__/IT.spec.ts

@@ -0,0 +1,155 @@
+import { AccessTokenResponse, Alg, AuthzFlowType, CredentialOfferRequestWithBaseUrl, Jwt, ProofOfPossession, Typ } from '@sphereon/oid4vci-common';
+import nock from 'nock';
+
+import { AccessTokenClient, CredentialRequestClientBuilderV1_0_09, OpenID4VCIClient, ProofOfPossessionBuilder } from '..';
+import { CredentialOffer } from '../CredentialOffer';
+
+import { IDENTIPROOF_AS_METADATA, IDENTIPROOF_AS_URL, IDENTIPROOF_ISSUER_URL, IDENTIPROOF_OID4VCI_METADATA } from './MetadataMocks';
+
+export const UNIT_TEST_TIMEOUT = 30000;
+
+const ISSUER_URL = 'https://issuer.research.identiproof.io';
+const jwt = {
+  header: { alg: Alg.ES256, kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1', typ: Typ.JWT },
+  payload: { iss: 'test-clientId', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: ISSUER_URL },
+};
+
+describe('OID4VCI-Client should', () => {
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  async function proofOfPossessionCallbackFunction(_args: Jwt, _kid?: string): Promise<string> {
+    return 'ey.val.ue';
+  }
+
+  // Access token mocks
+  const mockedAccessTokenResponse: AccessTokenResponse = {
+    access_token: 'ey6546.546654.64565',
+    authorization_pending: false,
+    c_nonce: 'c_nonce2022101300',
+    c_nonce_expires_in: 2025101300,
+    interval: 2025101300,
+    token_type: 'Bearer',
+  };
+  const mockedVC =
+    'eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL2V4YW1wbGVzL3YxIl0sImlkIjoiaHR0cDovL2V4YW1wbGUuZWR1L2NyZWRlbnRpYWxzLzM3MzIiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVW5pdmVyc2l0eURlZ3JlZUNyZWRlbnRpYWwiXSwiaXNzdWVyIjoiaHR0cHM6Ly9leGFtcGxlLmVkdS9pc3N1ZXJzLzU2NTA0OSIsImlzc3VhbmNlRGF0ZSI6IjIwMTAtMDEtMDFUMDA6MDA6MDBaIiwiY3JlZGVudGlhbFN1YmplY3QiOnsiaWQiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEiLCJkZWdyZWUiOnsidHlwZSI6IkJhY2hlbG9yRGVncmVlIiwibmFtZSI6IkJhY2hlbG9yIG9mIFNjaWVuY2UgYW5kIEFydHMifX19LCJpc3MiOiJodHRwczovL2V4YW1wbGUuZWR1L2lzc3VlcnMvNTY1MDQ5IiwibmJmIjoxMjYyMzA0MDAwLCJqdGkiOiJodHRwOi8vZXhhbXBsZS5lZHUvY3JlZGVudGlhbHMvMzczMiIsInN1YiI6ImRpZDpleGFtcGxlOmViZmViMWY3MTJlYmM2ZjFjMjc2ZTEyZWMyMSJ9.z5vgMTK1nfizNCg5N-niCOL3WUIAL7nXy-nGhDZYO_-PNGeE-0djCpWAMH8fD8eWSID5PfkPBYkx_dfLJnQ7NA';
+  const INITIATE_QR =
+    'openid-initiate-issuance://?issuer=https%3A%2F%2Fissuer.research.identiproof.io&credential_type=OpenBadgeCredentialUrl&pre-authorized_code=4jLs9xZHEfqcoow0kHE7d1a8hUk6Sy-5bVSV2MqBUGUgiFFQi-ImL62T-FmLIo8hKA1UdMPH0lM1xAgcFkJfxIw9L-lI3mVs0hRT8YVwsEM1ma6N3wzuCdwtMU4bcwKp&user_pin_required=true';
+  const OFFER_QR =
+    'openid-credential-offer://credential_offer=%7B%22credential_issuer%22:%22https://credential-issuer.example.com%22,%22credentials%22:%5B%7B%22format%22:%22jwt_vc_json%22,%22types%22:%5B%22VerifiableCredential%22,%22UniversityDegreeCredential%22%5D%7D%5D,%22issuer_state%22:%22eyJhbGciOiJSU0Et...FYUaBy%22%7D';
+
+  function succeedWithAFullFlowWithClientSetup() {
+    nock(IDENTIPROOF_ISSUER_URL).get('/.well-known/openid-credential-issuer').reply(200, JSON.stringify(IDENTIPROOF_OID4VCI_METADATA));
+    nock(IDENTIPROOF_AS_URL).get('/.well-known/oauth-authorization-server').reply(200, JSON.stringify(IDENTIPROOF_AS_METADATA));
+    nock(IDENTIPROOF_AS_URL)
+      .post(/oauth2\/token.*/)
+      .reply(200, JSON.stringify(mockedAccessTokenResponse));
+    nock(ISSUER_URL)
+      .post(/credential/)
+      .reply(200, {
+        format: 'jwt-vc',
+        credential: mockedVC,
+      });
+  }
+
+  it('succeed with a full flow with the client using OpenID4VCI version 9', async () => {
+    succeedWithAFullFlowWithClientSetup();
+    const client = await OpenID4VCIClient.fromURI({
+      uri: INITIATE_QR,
+      flowType: AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW,
+      kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1',
+      alg: Alg.ES256,
+      clientId: 'test-clientId',
+    });
+    await assertionOfsucceedWithAFullFlowWithClient(client);
+  });
+
+  test.skip('succeed with a full flow wit the client using OpenID4VCI version 11', async () => {
+    succeedWithAFullFlowWithClientSetup();
+    const client = await OpenID4VCIClient.fromURI({
+      uri: OFFER_QR,
+      flowType: AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW,
+      kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1',
+      alg: Alg.ES256,
+      clientId: 'test-clientId',
+    });
+    await assertionOfsucceedWithAFullFlowWithClient(client);
+  });
+
+  async function assertionOfsucceedWithAFullFlowWithClient(client: OpenID4VCIClient) {
+    expect(client.flowType).toEqual(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW);
+    expect(client.credentialOffer).toBeDefined();
+    expect(client.endpointMetadata).toBeDefined();
+    expect(client.getIssuer()).toEqual('https://issuer.research.identiproof.io');
+    expect(client.getCredentialEndpoint()).toEqual('https://issuer.research.identiproof.io/credential');
+    expect(client.getAccessTokenEndpoint()).toEqual('https://auth.research.identiproof.io/oauth2/token');
+
+    const accessToken = await client.acquireAccessToken({ pin: '1234' });
+    expect(accessToken).toEqual(mockedAccessTokenResponse);
+
+    const credentialResponse = await client.acquireCredentials({
+      credentialType: 'OpenBadgeCredential',
+      proofCallbacks: {
+        signCallback: proofOfPossessionCallbackFunction,
+      },
+    });
+    expect(credentialResponse.credential).toEqual(mockedVC);
+  }
+
+  it(
+    'succeed with a full flow without the client',
+    async () => {
+      /* Convert the URI into an object */
+      const credentialOffer: CredentialOfferRequestWithBaseUrl = CredentialOffer.fromURI(INITIATE_QR);
+
+      expect(credentialOffer.baseUrl).toEqual('openid-initiate-issuance://');
+      expect(credentialOffer.request).toEqual({
+        credential_type: 'OpenBadgeCredentialUrl',
+        issuer: ISSUER_URL,
+        'pre-authorized_code':
+          '4jLs9xZHEfqcoow0kHE7d1a8hUk6Sy-5bVSV2MqBUGUgiFFQi-ImL62T-FmLIo8hKA1UdMPH0lM1xAgcFkJfxIw9L-lI3mVs0hRT8YVwsEM1ma6N3wzuCdwtMU4bcwKp',
+        user_pin_required: 'true',
+      });
+
+      nock(ISSUER_URL)
+        .post(/token.*/)
+        .reply(200, JSON.stringify(mockedAccessTokenResponse));
+
+      /* The actual access token calls */
+      const accessTokenClient: AccessTokenClient = new AccessTokenClient();
+      const accessTokenResponse = await accessTokenClient.acquireAccessToken({ credentialOffer: credentialOffer, pin: '1234' });
+      expect(accessTokenResponse.successBody).toEqual(mockedAccessTokenResponse);
+      // Get the credential
+      nock(ISSUER_URL)
+        .post(/credential/)
+        .reply(200, {
+          format: 'jwt-vc',
+          credential: mockedVC,
+        });
+      const credReqClient = CredentialRequestClientBuilderV1_0_09.fromCredentialOffer({ credentialOffer: credentialOffer })
+        .withFormat('jwt_vc')
+
+        .withTokenFromResponse(accessTokenResponse.successBody!)
+        .build();
+
+      //TS2322: Type '(args: ProofOfPossessionCallbackArgs) => Promise<string>'
+      // is not assignable to type 'ProofOfPossessionCallback'.
+      // Types of parameters 'args' and 'args' are incompatible.
+      // Property 'kid' is missing in type '{ header: unknown; payload: unknown; }' but required in type 'ProofOfPossessionCallbackArgs'.
+      const proof: ProofOfPossession = await ProofOfPossessionBuilder.fromJwt({
+        jwt,
+        callbacks: {
+          signCallback: proofOfPossessionCallbackFunction,
+        },
+      })
+        .withEndpointMetadata({
+          issuer: 'https://issuer.research.identiproof.io',
+          credential_endpoint: 'https://issuer.research.identiproof.io/credential',
+          token_endpoint: 'https://issuer.research.identiproof.io/token',
+        })
+        .withKid('did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1')
+        .build();
+      const credResponse = await credReqClient.acquireCredentialsUsingProof({ proofInput: proof });
+      expect(credResponse.successBody?.credential).toEqual(mockedVC);
+    },
+    UNIT_TEST_TIMEOUT
+  );
+});

package/lib/__tests__/IssuanceInitiation.spec.ts

@@ -0,0 +1,37 @@
+import { OpenId4VCIVersion } from '@sphereon/oid4vci-common';
+
+import { CredentialOffer } from '../CredentialOffer';
+
+import { INITIATION_TEST, INITIATION_TEST_HTTPS_URI, INITIATION_TEST_URI } from './MetadataMocks';
+
+describe('Issuance Initiation', () => {
+  it('Should return Issuance Initiation Request with base URL from https URI', () => {
+    expect(CredentialOffer.fromURI(INITIATION_TEST_HTTPS_URI)).toEqual({
+      baseUrl: 'https://server.example.com',
+      request: {
+        credential_type: ['https://did.example.org/healthCard', 'https://did.example.org/driverLicense'],
+        issuer: 'https://server.example.com',
+        op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+      },
+      version: OpenId4VCIVersion.VER_1_0_09,
+    });
+  });
+
+  it('Should return Issuance Initiation Request with base URL from openid-initiate-issuance URI', () => {
+    expect(CredentialOffer.fromURI(INITIATION_TEST_URI)).toEqual(INITIATION_TEST);
+  });
+
+  it('Should return Issuance Initiation URI from request', () => {
+    expect(CredentialOffer.toURI(INITIATION_TEST)).toEqual(INITIATION_TEST_URI);
+  });
+
+  it('Should return URI from Issuance Initiation Request', () => {
+    const issuanceInitiationClient = CredentialOffer.fromURI(INITIATION_TEST_HTTPS_URI);
+    expect(CredentialOffer.toURI(issuanceInitiationClient)).toEqual(INITIATION_TEST_HTTPS_URI);
+  });
+
+  it('Should throw error on invalid URI', () => {
+    const issuanceInitiationURI = INITIATION_TEST_HTTPS_URI.replace('?', '');
+    expect(() => CredentialOffer.fromURI(issuanceInitiationURI)).toThrowError('Invalid Issuance Initiation Request Payload');
+  });
+});

package/lib/__tests__/JsonURIConversions.spec.ts

@@ -0,0 +1,86 @@
+import { convertJsonToURI, convertURIToJsonObject } from '..';
+
+describe('JSON To URI', () => {
+  it('should parse an object into open-id-URI with a single credential_type', () => {
+    expect(
+      convertJsonToURI(
+        {
+          issuer: 'https://server.example.com',
+          credential_type: 'https://did.example.org/healthCard',
+          op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+        },
+        {
+          uriTypeProperties: ['issuer', 'credential_type'],
+        }
+      )
+    ).toEqual(
+      'issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&op_state=eyJhbGciOiJSU0Et...FYUaBy'
+    );
+  });
+  it('should parse an object into open-id-URI with an array of credential_type', () => {
+    expect(
+      convertJsonToURI(
+        {
+          issuer: 'https://server.example.com',
+          credential_type: ['https://did.example.org/healthCard', 'https://did.example.org/driverLicense'],
+          op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+        },
+        {
+          arrayTypeProperties: ['credential_type'],
+          uriTypeProperties: ['issuer', 'credential_type'],
+        }
+      )
+    ).toEqual(
+      'issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FdriverLicense&op_state=eyJhbGciOiJSU0Et...FYUaBy'
+    );
+  });
+  it('should parse an object into open-id-URI with an array of credential_type and json string', () => {
+    expect(
+      convertJsonToURI(
+        JSON.stringify({
+          issuer: 'https://server.example.com',
+          credential_type: ['https://did.example.org/healthCard', 'https://did.example.org/driverLicense'],
+          op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+        }),
+        {
+          arrayTypeProperties: ['credential_type'],
+          uriTypeProperties: ['issuer', 'credential_type'],
+        }
+      )
+    ).toEqual(
+      'issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FdriverLicense&op_state=eyJhbGciOiJSU0Et...FYUaBy'
+    );
+  });
+});
+describe('URI To Json Object', () => {
+  it('should parse open-id-URI as json object with a single credential_type', () => {
+    expect(
+      convertURIToJsonObject(
+        'issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&op_state=eyJhbGciOiJSU0Et...FYUaBy',
+        {
+          arrayTypeProperties: ['credential_type'],
+          requiredProperties: ['issuer', 'credential_type'],
+        }
+      )
+    ).toEqual({
+      issuer: 'https://server.example.com',
+      credential_type: 'https://did.example.org/healthCard',
+      op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+    });
+  });
+  it('should parse open-id-URI as json object with an array of credential_type', () => {
+    expect(
+      convertURIToJsonObject(
+        'issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FdriverLicense&op_state=eyJhbGciOiJSU0Et...FYUaBy',
+        {
+          arrayTypeProperties: ['credential_type'],
+          requiredProperties: ['issuer', 'credential_type'],
+        }
+      )
+    ).toEqual({
+      issuer: 'https://server.example.com',
+      credential_type: ['https://did.example.org/healthCard', 'https://did.example.org/driverLicense'],
+      op_state: 'eyJhbGciOiJSU0Et...FYUaBy',
+    });
+  });
+});

package/lib/__tests__/MetadataClient.spec.ts

@@ -0,0 +1,198 @@
+import { getIssuerFromCredentialOfferPayload, WellKnownEndpoints } from '@sphereon/oid4vci-common';
+import nock from 'nock';
+
+import { CredentialOffer } from '../CredentialOffer';
+import { MetadataClient } from '../MetadataClient';
+
+import {
+  DANUBE_ISSUER_URL,
+  DANUBE_OIDC_METADATA,
+  IDENTIPROOF_AS_METADATA,
+  IDENTIPROOF_AS_URL,
+  IDENTIPROOF_ISSUER_URL,
+  IDENTIPROOF_OID4VCI_METADATA,
+  SPRUCE_ISSUER_URL,
+  SPRUCE_OID4VCI_METADATA,
+  WALT_ISSUER_URL,
+  WALT_OID4VCI_METADATA,
+} from './MetadataMocks';
+
+describe('MetadataClient with IdentiProof Issuer should', () => {
+  beforeAll(() => {
+    nock.cleanAll();
+  });
+  it('succeed with OID4VCI and separate AS metadata', async () => {
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OPENID4VCI_ISSUER).reply(200, JSON.stringify(IDENTIPROOF_OID4VCI_METADATA));
+
+    nock(IDENTIPROOF_AS_URL).get(WellKnownEndpoints.OAUTH_AS).reply(200, JSON.stringify(IDENTIPROOF_AS_METADATA));
+
+    const metadata = await MetadataClient.retrieveAllMetadata(IDENTIPROOF_ISSUER_URL);
+    expect(metadata.credential_endpoint).toEqual('https://issuer.research.identiproof.io/credential');
+    expect(metadata.token_endpoint).toEqual('https://auth.research.identiproof.io/oauth2/token');
+    expect(metadata.issuerMetadata).toEqual(IDENTIPROOF_OID4VCI_METADATA);
+  });
+
+  it('succeed with OID4VCI and separate AS metadata from Initiation', async () => {
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OPENID4VCI_ISSUER).reply(200, JSON.stringify(IDENTIPROOF_OID4VCI_METADATA));
+    nock(IDENTIPROOF_AS_URL).get(WellKnownEndpoints.OAUTH_AS).reply(200, JSON.stringify(IDENTIPROOF_AS_METADATA));
+
+    const INITIATE_URI =
+      'openid-initiate-issuance://?issuer=https%3A%2F%2Fissuer.research.identiproof.io&credential_type=OpenBadgeCredential&pre-authorized_code=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhOTUyZjUxNi1jYWVmLTQ4YjMtODIxYy00OTRkYzgyNjljZjAiLCJwcmUtYXV0aG9yaXplZCI6dHJ1ZX0.YE5DlalcLC2ChGEg47CQDaN1gTxbaQqSclIVqsSAUHE&user_pin_required=false';
+    const initiation = CredentialOffer.fromURI(INITIATE_URI);
+    const metadata = await MetadataClient.retrieveAllMetadata(getIssuerFromCredentialOfferPayload(initiation.request) as string);
+    expect(metadata.credential_endpoint).toEqual('https://issuer.research.identiproof.io/credential');
+    expect(metadata.token_endpoint).toEqual('https://auth.research.identiproof.io/oauth2/token');
+    expect(metadata.issuerMetadata).toEqual(IDENTIPROOF_OID4VCI_METADATA);
+  });
+
+  it('Fail without OID4VCI and only AS metadata (no credential endpoint)', async () => {
+    nock(IDENTIPROOF_ISSUER_URL)
+      .get(WellKnownEndpoints.OPENID4VCI_ISSUER)
+      .reply(404, JSON.stringify({ error: 'does not exist' }));
+
+    nock(IDENTIPROOF_ISSUER_URL)
+      .get(WellKnownEndpoints.OPENID_CONFIGURATION)
+      .reply(404, JSON.stringify({ error: 'does not exist' }));
+
+    nock(IDENTIPROOF_ISSUER_URL)
+      .get(WellKnownEndpoints.OAUTH_AS)
+      .reply(404, JSON.stringify({ error: 'does not exist' }));
+
+    await expect(() => MetadataClient.retrieveAllMetadata(IDENTIPROOF_ISSUER_URL, { errorOnNotFound: true })).rejects.toThrowError(
+      'Could not deduce the token endpoint for https://issuer.research.identiproof.io'
+    );
+  });
+
+  it('Fail with OID4VCI and no AS metadata', async () => {
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OPENID4VCI_ISSUER).reply(200, JSON.stringify(IDENTIPROOF_OID4VCI_METADATA));
+    nock(IDENTIPROOF_ISSUER_URL)
+      .get(WellKnownEndpoints.OPENID_CONFIGURATION)
+      .reply(404, JSON.stringify({ error: 'does not exist' }));
+
+    nock(IDENTIPROOF_AS_URL).get(WellKnownEndpoints.OAUTH_AS).reply(404, JSON.stringify({}));
+    await expect(() => MetadataClient.retrieveAllMetadata(IDENTIPROOF_ISSUER_URL)).rejects.toThrowError('{"error": "not found"}');
+  });
+
+  it('Fail if there is no token endpoint with errors enabled', async () => {
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OPENID4VCI_ISSUER).reply(200, JSON.stringify(IDENTIPROOF_OID4VCI_METADATA));
+    const meta = JSON.parse(JSON.stringify(IDENTIPROOF_AS_METADATA));
+    delete meta.token_endpoint;
+    nock(IDENTIPROOF_AS_URL).get(WellKnownEndpoints.OAUTH_AS).reply(200, JSON.stringify(meta));
+
+    await expect(() => MetadataClient.retrieveAllMetadata(IDENTIPROOF_ISSUER_URL, { errorOnNotFound: true })).rejects.toThrowError(
+      'Could not deduce the token endpoint for https://issuer.research.identiproof.io'
+    );
+  });
+
+  it('Fail if there is no credential endpoint with errors enabled', async () => {
+    const meta = JSON.parse(JSON.stringify(IDENTIPROOF_OID4VCI_METADATA));
+    delete meta.credential_endpoint;
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OPENID4VCI_ISSUER).reply(200, JSON.stringify(meta));
+    nock(IDENTIPROOF_AS_URL).get(WellKnownEndpoints.OAUTH_AS).reply(200, JSON.stringify(IDENTIPROOF_AS_METADATA));
+
+    await expect(() => MetadataClient.retrieveAllMetadata(IDENTIPROOF_ISSUER_URL, { errorOnNotFound: true })).rejects.toThrowError(
+      'Could not deduce the credential endpoint for https://issuer.research.identiproof.io'
+    );
+  });
+
+  it('Succeed with default value if there is no credential endpoint with errors disabled', async () => {
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OPENID4VCI_ISSUER).reply(200, JSON.stringify(IDENTIPROOF_OID4VCI_METADATA));
+    nock(IDENTIPROOF_AS_URL).get(WellKnownEndpoints.OAUTH_AS).reply(200, JSON.stringify(IDENTIPROOF_AS_METADATA));
+
+    const metadata = await MetadataClient.retrieveAllMetadata(IDENTIPROOF_ISSUER_URL);
+    expect(metadata.credential_endpoint).toEqual('https://issuer.research.identiproof.io/credential');
+  });
+
+  it('Succeed with no well-known endpoints and errors disabled', async () => {
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OPENID4VCI_ISSUER).reply(404, {});
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OAUTH_AS).reply(404, {});
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OPENID_CONFIGURATION).reply(404, {});
+
+    const metadata = await MetadataClient.retrieveAllMetadata(IDENTIPROOF_ISSUER_URL);
+    expect(metadata.credential_endpoint).toEqual('https://issuer.research.identiproof.io/credential');
+  });
+
+  it('Fail when specific well-known is not found with errors enabled', async () => {
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OPENID4VCI_ISSUER).reply(404, {});
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OAUTH_AS).reply(404, {});
+    nock(IDENTIPROOF_ISSUER_URL).get(WellKnownEndpoints.OPENID_CONFIGURATION).reply(404, {});
+
+    const metadata = MetadataClient.retrieveWellknown(IDENTIPROOF_ISSUER_URL, WellKnownEndpoints.OPENID4VCI_ISSUER, { errorOnNotFound: true });
+    await expect(metadata).rejects.toThrowError('{"error": "not found"}');
+  });
+});
+
+describe('Metadataclient with Spruce Issuer should', () => {
+  it('succeed with OID4VCI and separate AS metadata', async () => {
+    nock(SPRUCE_ISSUER_URL).get(WellKnownEndpoints.OPENID4VCI_ISSUER).reply(200, JSON.stringify(SPRUCE_OID4VCI_METADATA));
+
+    const metadata = await MetadataClient.retrieveAllMetadata(SPRUCE_ISSUER_URL);
+    expect(metadata.credential_endpoint).toEqual('https://ngi-oidc4vci-test.spruceid.xyz/credential');
+    expect(metadata.token_endpoint).toEqual('https://ngi-oidc4vci-test.spruceid.xyz/token');
+    expect(metadata.issuerMetadata).toEqual(SPRUCE_OID4VCI_METADATA);
+  });
+
+  it('Fail without OID4VCI', async () => {
+    nock(SPRUCE_ISSUER_URL)
+      .get(/.*/)
+      .times(3)
+      .reply(404, JSON.stringify({ error: 'does not exist' }));
+
+    await expect(() => MetadataClient.retrieveAllMetadata(SPRUCE_ISSUER_URL, { errorOnNotFound: true })).rejects.toThrowError(
+      'Could not deduce the token endpoint for https://ngi-oidc4vci-test.spruceid.xyz'
+    );
+  });
+});
+
+describe('Metadataclient with Danubetech should', () => {
+  it('succeed without OID4VCI and with OIDC metadata', async () => {
+    nock(DANUBE_ISSUER_URL).get(WellKnownEndpoints.OPENID_CONFIGURATION).reply(200, JSON.stringify(DANUBE_OIDC_METADATA));
+
+    nock(DANUBE_ISSUER_URL)
+      .get(/.well-known\/.*/)
+      .times(2)
+      .reply(404, JSON.stringify({ error: 'does not exist' }));
+    const metadata = await MetadataClient.retrieveAllMetadata(DANUBE_ISSUER_URL);
+    expect(metadata.credential_endpoint).toEqual('https://oidc4vc.uniissuer.io/credential');
+    expect(metadata.token_endpoint).toEqual('https://oidc4vc.uniissuer.io/token');
+    expect(metadata.issuerMetadata).toEqual(DANUBE_OIDC_METADATA);
+  });
+
+  it('Fail without OID4VCI', async () => {
+    nock(SPRUCE_ISSUER_URL)
+      .get(/.*/)
+      .times(3)
+      .reply(404, JSON.stringify({ error: 'does not exist' }));
+
+    await expect(() => MetadataClient.retrieveAllMetadata(SPRUCE_ISSUER_URL, { errorOnNotFound: true })).rejects.toThrowError(
+      'Could not deduce the token endpoint for https://ngi-oidc4vci-test.spruceid.xyz'
+    );
+  });
+});
+
+describe('Metadataclient with Walt-id should', () => {
+  it('succeed without OID4VCI and with OIDC metadata', async () => {
+    nock(WALT_ISSUER_URL).get(WellKnownEndpoints.OPENID4VCI_ISSUER).reply(200, JSON.stringify(WALT_OID4VCI_METADATA));
+
+    nock(WALT_ISSUER_URL)
+      .get(/.well-known\/.*/)
+      .times(2)
+      .reply(404, JSON.stringify({ error: 'does not exist' }));
+
+    const metadata = await MetadataClient.retrieveAllMetadata(WALT_ISSUER_URL);
+    expect(metadata.credential_endpoint).toEqual('https://jff.walt.id/issuer-api/oidc/credential');
+    expect(metadata.token_endpoint).toEqual('https://jff.walt.id/issuer-api/oidc/token');
+    expect(metadata.issuerMetadata).toEqual(WALT_OID4VCI_METADATA);
+  });
+
+  it('Fail without OID4VCI', async () => {
+    nock(WALT_ISSUER_URL)
+      .get(/.*/)
+      .times(4)
+      .reply(404, JSON.stringify({ error: 'does not exist' }));
+
+    await expect(() => MetadataClient.retrieveAllMetadata(WALT_ISSUER_URL, { errorOnNotFound: true })).rejects.toThrowError(
+      'Could not deduce the token endpoint for https://jff.walt.id/issuer-api/oidc'
+    );
+  });
+});