@sphereon/oid4vci-client 0.2.0 → 0.4.1-unstable.247

package/lib/AccessTokenClient.ts

@@ -0,0 +1,270 @@
+import {
+  AccessTokenRequest,
+  AccessTokenRequestOpts,
+  AccessTokenResponse,
+  AuthorizationServerOpts,
+  CredentialOfferPayload,
+  CredentialOfferPayloadV1_0_09,
+  CredentialOfferPayloadV1_0_11,
+  EndpointMetadata,
+  getIssuerFromCredentialOfferPayload,
+  GrantTypes,
+  isCredentialOfferV1_0_09,
+  isCredentialOfferV1_0_11,
+  IssuerOpts,
+  OpenIDResponse,
+  PRE_AUTH_CODE_LITERAL,
+  TokenErrorResponse,
+} from '@sphereon/oid4vci-common';
+import { ObjectUtils } from '@sphereon/ssi-types';
+import Debug from 'debug';
+
+import { MetadataClient } from './MetadataClient';
+import { convertJsonToURI, formPost } from './functions';
+
+const debug = Debug('sphereon:openid4vci:token');
+
+export class AccessTokenClient {
+  public async acquireAccessToken({
+    credentialOffer,
+    asOpts,
+    pin,
+    codeVerifier,
+    code,
+    redirectUri,
+    metadata,
+  }: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse>> {
+    const { request } = credentialOffer;
+
+    const isPinRequired = this.isPinRequiredValue(request);
+    const issuerOpts = {
+      issuer: getIssuerFromCredentialOfferPayload(request) ? (getIssuerFromCredentialOfferPayload(request) as string) : (metadata?.issuer as string),
+    };
+
+    return await this.acquireAccessTokenUsingRequest({
+      accessTokenRequest: await this.createAccessTokenRequest({
+        credentialOffer,
+        asOpts,
+        codeVerifier,
+        code,
+        redirectUri,
+        pin,
+      }),
+      isPinRequired,
+      metadata,
+      asOpts,
+      issuerOpts,
+    });
+  }
+
+  public async acquireAccessTokenUsingRequest({
+    accessTokenRequest,
+    isPinRequired,
+    metadata,
+    asOpts,
+    issuerOpts,
+  }: {
+    accessTokenRequest: AccessTokenRequest;
+    isPinRequired?: boolean;
+    metadata?: EndpointMetadata;
+    asOpts?: AuthorizationServerOpts;
+    issuerOpts?: IssuerOpts;
+  }): Promise<OpenIDResponse<AccessTokenResponse>> {
+    this.validate(accessTokenRequest, isPinRequired);
+    const requestTokenURL = AccessTokenClient.determineTokenURL({
+      asOpts,
+      issuerOpts,
+      metadata: metadata
+        ? metadata
+        : issuerOpts?.fetchMetadata
+        ? await MetadataClient.retrieveAllMetadata(issuerOpts.issuer, { errorOnNotFound: false })
+        : undefined,
+    });
+    return this.sendAuthCode(requestTokenURL, accessTokenRequest);
+  }
+
+  public async createAccessTokenRequest({
+    credentialOffer,
+    asOpts,
+    pin,
+    codeVerifier,
+    code,
+    redirectUri,
+  }: AccessTokenRequestOpts): Promise<AccessTokenRequest> {
+    const credentialOfferRequest = credentialOffer.request;
+    const request: Partial<AccessTokenRequest> = {};
+    if (asOpts?.clientId) {
+      request.client_id = asOpts.clientId;
+    }
+
+    this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest), pin);
+    request.user_pin = pin;
+
+    if (credentialOfferRequest[PRE_AUTH_CODE_LITERAL as keyof CredentialOfferPayload]) {
+      if (codeVerifier) {
+        throw new Error('Cannot pass a code_verifier when flow type is pre-authorized');
+      }
+      request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
+      //todo: handle this for v11
+      request[PRE_AUTH_CODE_LITERAL] = (credentialOfferRequest as CredentialOfferPayloadV1_0_09)[PRE_AUTH_CODE_LITERAL];
+    }
+    if ('op_state' in credentialOfferRequest || 'issuer_state' in credentialOfferRequest) {
+      this.throwNotSupportedFlow();
+      request.grant_type = GrantTypes.AUTHORIZATION_CODE;
+    }
+    if (codeVerifier) {
+      request.code_verifier = codeVerifier;
+      request.code = code;
+      request.redirect_uri = redirectUri;
+      request.grant_type = GrantTypes.AUTHORIZATION_CODE;
+    }
+    //todo: handle this for v11
+    if (request.grant_type === GrantTypes.AUTHORIZATION_CODE && (credentialOfferRequest as CredentialOfferPayloadV1_0_09)[PRE_AUTH_CODE_LITERAL]) {
+      throw Error('A pre_authorized_code flow cannot have an op_state in the initiation request');
+    }
+
+    return request as AccessTokenRequest;
+  }
+
+  private assertPreAuthorizedGrantType(grantType: GrantTypes): void {
+    if (GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {
+      throw new Error("grant type must be 'urn:ietf:params:oauth:grant-type:pre-authorized_code'");
+    }
+  }
+
+  private assertAuthorizationGrantType(grantType: GrantTypes): void {
+    if (GrantTypes.AUTHORIZATION_CODE !== grantType) {
+      throw new Error("grant type must be 'authorization_code'");
+    }
+  }
+
+  private isPinRequiredValue(requestPayload: CredentialOfferPayload): boolean {
+    let isPinRequired = false;
+    if (!requestPayload) {
+      throw new Error(TokenErrorResponse.invalid_request);
+    }
+    const issuer = getIssuerFromCredentialOfferPayload(requestPayload);
+    if (isCredentialOfferV1_0_09(requestPayload)) {
+      requestPayload = requestPayload as CredentialOfferPayloadV1_0_09;
+      if (typeof requestPayload.user_pin_required === 'string') {
+        isPinRequired = requestPayload.user_pin_required.toLowerCase() === 'true';
+      } else if (typeof requestPayload.user_pin_required === 'boolean') {
+        isPinRequired = requestPayload.user_pin_required;
+      }
+    } else if (isCredentialOfferV1_0_11(requestPayload)) {
+      requestPayload = requestPayload as CredentialOfferPayloadV1_0_11;
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      if ('grants' in requestPayload && 'urn:ietf:params:oauth:grant-type:pre-authorized_code' in requestPayload.grants!) {
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+        isPinRequired = requestPayload!.grants!['urn:ietf:params:oauth:grant-type:pre-authorized_code']!.user_pin_required;
+      }
+    }
+    debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
+    return isPinRequired;
+  }
+
+  private assertNumericPin(isPinRequired?: boolean, pin?: string): void {
+    if (isPinRequired) {
+      if (!pin || !/^\d{1,8}$/.test(pin)) {
+        debug(`Pin is not 1 to 8 digits long`);
+        throw new Error('A valid pin consisting of maximal 8 numeric characters must be present.');
+      }
+    } else if (pin) {
+      debug(`Pin set, whilst not required`);
+      throw new Error('Cannot set a pin, when the pin is not required.');
+    }
+  }
+
+  private assertNonEmptyPreAuthorizedCode(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest[PRE_AUTH_CODE_LITERAL]) {
+      debug(`No pre-authorized code present, whilst it is required`);
+      throw new Error('Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.');
+    }
+  }
+
+  private assertNonEmptyCodeVerifier(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest.code_verifier) {
+      debug('No code_verifier present, whilst it is required');
+      throw new Error('Authorization flow requires the code_verifier to be present');
+    }
+  }
+
+  private assertNonEmptyCode(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest.code) {
+      debug('No code present, whilst it is required');
+      throw new Error('Authorization flow requires the code to be present');
+    }
+  }
+
+  private assertNonEmptyRedirectUri(accessTokenRequest: AccessTokenRequest): void {
+    if (!accessTokenRequest.redirect_uri) {
+      debug('No redirect_uri present, whilst it is required');
+      throw new Error('Authorization flow requires the redirect_uri to be present');
+    }
+  }
+
+  private validate(accessTokenRequest: AccessTokenRequest, isPinRequired?: boolean): void {
+    if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {
+      this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
+      this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
+      this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin);
+    } else if (accessTokenRequest.grant_type === GrantTypes.AUTHORIZATION_CODE) {
+      this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
+      this.assertNonEmptyCodeVerifier(accessTokenRequest);
+      this.assertNonEmptyCode(accessTokenRequest);
+      this.assertNonEmptyRedirectUri(accessTokenRequest);
+    } else {
+      this.throwNotSupportedFlow;
+    }
+  }
+
+  private async sendAuthCode(requestTokenURL: string, accessTokenRequest: AccessTokenRequest): Promise<OpenIDResponse<AccessTokenResponse>> {
+    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest));
+  }
+
+  public static determineTokenURL({
+    asOpts,
+    issuerOpts,
+    metadata,
+  }: {
+    asOpts?: AuthorizationServerOpts;
+    issuerOpts?: IssuerOpts;
+    metadata?: EndpointMetadata;
+  }): string {
+    if (!asOpts && !metadata?.token_endpoint && !issuerOpts) {
+      throw new Error('Cannot determine token URL if no issuer, metadata and no Authorization Server values are present');
+    }
+    let url;
+    if (asOpts && asOpts.as) {
+      url = this.creatTokenURLFromURL(asOpts.as, asOpts?.allowInsecureEndpoints, asOpts.tokenEndpoint);
+    } else if (metadata?.token_endpoint) {
+      url = metadata.token_endpoint;
+    } else {
+      if (!issuerOpts) {
+        throw Error('Either authorization server options, a token endpoint or issuer options are required at this point');
+      }
+      url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
+    }
+
+    if (!url || !ObjectUtils.isString(url)) {
+      throw new Error('No authorization server token URL present. Cannot acquire access token');
+    }
+    debug(`Token endpoint determined to be ${url}`);
+    return url;
+  }
+
+  private static creatTokenURLFromURL(url: string, allowInsecureEndpoints?: boolean, tokenEndpoint?: string): string {
+    if (allowInsecureEndpoints !== true && url.startsWith('http://')) {
+      throw Error(`Unprotected token endpoints are not allowed ${url}`);
+    }
+    const hostname = url.replace(/https?:\/\//, '').replace(/\/$/, '');
+    const endpoint = tokenEndpoint ? (tokenEndpoint.startsWith('/') ? tokenEndpoint : tokenEndpoint.substring(1)) : '/token';
+    // We always require https
+    return `https://${hostname}${endpoint}`;
+  }
+
+  private throwNotSupportedFlow(): void {
+    debug(`Only pre-authorized flow supported.`);
+    throw new Error('Only pre-authorized-code flow is supported');
+  }
+}

package/lib/AuthorizationDetailsBuilder.ts

@@ -0,0 +1,46 @@
+import { AuthorizationDetailsJwtVcJson, CredentialFormatEnum } from '@sphereon/oid4vci-common';
+
+//todo: refactor this builder to be able to create ldp details as well
+export class AuthorizationDetailsBuilder {
+  private readonly authorizationDetails: Partial<AuthorizationDetailsJwtVcJson>;
+
+  constructor() {
+    this.authorizationDetails = {};
+  }
+
+  withType(type: string): AuthorizationDetailsBuilder {
+    this.authorizationDetails.type = type;
+    return this;
+  }
+
+  withFormats(format: CredentialFormatEnum): AuthorizationDetailsBuilder {
+    this.authorizationDetails.format = format;
+    return this;
+  }
+
+  withLocations(locations: string[]): AuthorizationDetailsBuilder {
+    if (this.authorizationDetails.locations) {
+      this.authorizationDetails.locations.push(...locations);
+    } else {
+      this.authorizationDetails.locations = locations;
+    }
+    return this;
+  }
+
+  addLocation(location: string): AuthorizationDetailsBuilder {
+    if (this.authorizationDetails.locations) {
+      this.authorizationDetails.locations.push(location);
+    } else {
+      this.authorizationDetails.locations = [location];
+    }
+    return this;
+  }
+
+  //todo: we have to consider one thing, if this is a general purpose builder, we want to support ldp types here as well. and for that we need a few checks.
+  buildJwtVcJson(): AuthorizationDetailsJwtVcJson {
+    if (this.authorizationDetails.format && this.authorizationDetails.type) {
+      return this.authorizationDetails as AuthorizationDetailsJwtVcJson;
+    }
+    throw new Error('Type and format are required properties');
+  }
+}

package/lib/CredentialOffer.ts

@@ -0,0 +1,55 @@
+import {
+  CredentialOfferPayload,
+  CredentialOfferPayloadV1_0_09,
+  CredentialOfferPayloadV1_0_11,
+  CredentialOfferRequestWithBaseUrl,
+  OpenId4VCIVersion,
+} from '@sphereon/oid4vci-common';
+import { determineSpecVersionFromURI } from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+import { convertJsonToURI, convertURIToJsonObject } from './functions';
+
+const debug = Debug('sphereon:openid4vci:initiation');
+
+export class CredentialOffer {
+  public static fromURI(uri: string): CredentialOfferRequestWithBaseUrl {
+    debug(`issuance initiation URI: ${uri}`);
+    if (!uri.includes('?')) {
+      debug(`Invalid issuance initiation URI: ${uri}`);
+      throw new Error('Invalid Issuance Initiation Request Payload');
+    }
+    const baseUrl = uri.split('?')[0];
+    const version = determineSpecVersionFromURI(uri);
+    const issuanceInitiationRequest: CredentialOfferPayload =
+      version < OpenId4VCIVersion.VER_1_0_11
+        ? (convertURIToJsonObject(uri, {
+            arrayTypeProperties: ['credential_type'],
+            requiredProperties: ['issuer', 'credential_type'],
+          }) as CredentialOfferPayloadV1_0_09)
+        : (convertURIToJsonObject(uri, {
+            arrayTypeProperties: ['credentials'],
+            requiredProperties: ['credentials', 'credential_issuer'],
+          }) as CredentialOfferPayloadV1_0_11);
+
+    const request =
+      version < OpenId4VCIVersion.VER_1_0_11.valueOf()
+        ? (issuanceInitiationRequest as CredentialOfferPayloadV1_0_09)
+        : (issuanceInitiationRequest as CredentialOfferPayloadV1_0_11);
+
+    return {
+      baseUrl,
+      request,
+      version,
+    };
+  }
+
+  public static toURI(uri: CredentialOfferRequestWithBaseUrl): string {
+    const request = uri.request;
+    return convertJsonToURI(request, {
+      baseUrl: uri.baseUrl,
+      arrayTypeProperties: ['credential_type'],
+      uriTypeProperties: ['issuer', 'credential_type'],
+    });
+  }
+}

package/lib/CredentialRequestClient.ts

@@ -0,0 +1,77 @@
+import { CredentialRequest, CredentialResponse, OpenIDResponse, ProofOfPossession, URL_NOT_VALID } from '@sphereon/oid4vci-common';
+import { CredentialFormat } from '@sphereon/ssi-types';
+import Debug from 'debug';
+
+import { CredentialRequestClientBuilderV1_0_09 } from './CredentialRequestClientBuilderV1_0_09';
+import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
+import { isValidURL, post } from './functions';
+
+const debug = Debug('sphereon:openid4vci:credential');
+
+export interface CredentialRequestOpts {
+  credentialEndpoint: string;
+  credentialType: string | string[];
+  format: CredentialFormat | CredentialFormat[];
+  proof: ProofOfPossession;
+  token: string;
+}
+
+export class CredentialRequestClient {
+  private readonly _credentialRequestOpts: Partial<CredentialRequestOpts>;
+
+  get credentialRequestOpts(): CredentialRequestOpts {
+    return this._credentialRequestOpts as CredentialRequestOpts;
+  }
+
+  public getCredentialEndpoint(): string {
+    return this.credentialRequestOpts.credentialEndpoint;
+  }
+
+  public constructor(builder: CredentialRequestClientBuilderV1_0_09) {
+    this._credentialRequestOpts = { ...builder };
+  }
+
+  public async acquireCredentialsUsingProof({
+    proofInput,
+    credentialType,
+    format,
+  }: {
+    proofInput: ProofOfPossessionBuilder | ProofOfPossession;
+    credentialType?: string | string[];
+    format?: CredentialFormat | CredentialFormat[];
+  }): Promise<OpenIDResponse<CredentialResponse>> {
+    const request = await this.createCredentialRequest({ proofInput, credentialType, format });
+    return await this.acquireCredentialsUsingRequest(request);
+  }
+
+  public async acquireCredentialsUsingRequest(request: CredentialRequest): Promise<OpenIDResponse<CredentialResponse>> {
+    const credentialEndpoint: string = this.credentialRequestOpts.credentialEndpoint;
+    if (!isValidURL(credentialEndpoint)) {
+      debug(`Invalid credential endpoint: ${credentialEndpoint}`);
+      throw new Error(URL_NOT_VALID);
+    }
+    debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
+    const requestToken: string = this.credentialRequestOpts.token;
+    const response: OpenIDResponse<CredentialResponse> = await post(credentialEndpoint, JSON.stringify(request), { bearerToken: requestToken });
+    debug(`Credential endpoint ${credentialEndpoint} response:\r\n${response}`);
+    return response;
+  }
+
+  public async createCredentialRequest({
+    proofInput,
+    credentialType,
+    format,
+  }: {
+    proofInput: ProofOfPossessionBuilder | ProofOfPossession;
+    credentialType?: string | string[];
+    format?: CredentialFormat | CredentialFormat[];
+  }): Promise<CredentialRequest> {
+    const proof =
+      'proof_type' in proofInput ? await ProofOfPossessionBuilder.fromProof(proofInput as ProofOfPossession).build() : await proofInput.build();
+    return {
+      type: credentialType ? credentialType : this.credentialRequestOpts.credentialType,
+      format: format ? (format as string) : (this.credentialRequestOpts.format as string),
+      proof,
+    };
+  }
+}

package/lib/CredentialRequestClientBuilderV1_0_09.ts

@@ -0,0 +1,99 @@
+import {
+  AccessTokenResponse,
+  CredentialOfferPayload,
+  CredentialOfferPayloadV1_0_09,
+  CredentialOfferRequestWithBaseUrl,
+  EndpointMetadata,
+  getIssuerFromCredentialOfferPayload,
+  IssuerMetadata,
+} from '@sphereon/oid4vci-common';
+import { CredentialFormat } from '@sphereon/ssi-types';
+
+import { CredentialRequestClient } from './CredentialRequestClient';
+import { convertURIToJsonObject } from './functions';
+
+export class CredentialRequestClientBuilderV1_0_09 {
+  credentialEndpoint?: string;
+  credentialType?: string | string[];
+  format?: CredentialFormat | CredentialFormat[];
+  token?: string;
+
+  public static fromURI({ uri, metadata }: { uri: string; metadata?: EndpointMetadata }): CredentialRequestClientBuilderV1_0_09 {
+    return CredentialRequestClientBuilderV1_0_09.fromCredentialOfferRequest({
+      request: convertURIToJsonObject(uri, {
+        arrayTypeProperties: ['credential_type'],
+        requiredProperties: ['issuer', 'credential_type'],
+      }) as CredentialOfferPayload,
+      metadata,
+    });
+  }
+
+  public static fromCredentialOfferRequest({
+    request,
+    metadata,
+  }: {
+    request: CredentialOfferPayload;
+    metadata?: EndpointMetadata;
+  }): CredentialRequestClientBuilderV1_0_09 {
+    const builder = new CredentialRequestClientBuilderV1_0_09();
+    const issuer = getIssuerFromCredentialOfferPayload(request)
+      ? (getIssuerFromCredentialOfferPayload(request) as string)
+      : (metadata?.issuer as string);
+    builder.withCredentialEndpoint(
+      metadata?.credential_endpoint ? metadata.credential_endpoint : issuer.endsWith('/') ? `${issuer}credential` : `${issuer}/credential`
+    );
+
+    //todo: This basically sets all types available during initiation. Probably the user only wants a subset. So do we want to do this?
+    //todo: handle this for v11
+    builder.withCredentialType((request as CredentialOfferPayloadV1_0_09).credential_type);
+
+    return builder;
+  }
+
+  public static fromCredentialOffer({
+    credentialOffer,
+    metadata,
+  }: {
+    credentialOffer: CredentialOfferRequestWithBaseUrl;
+    metadata?: EndpointMetadata;
+  }): CredentialRequestClientBuilderV1_0_09 {
+    return CredentialRequestClientBuilderV1_0_09.fromCredentialOfferRequest({
+      request: credentialOffer.request,
+      metadata,
+    });
+  }
+
+  public withCredentialEndpointFromMetadata(metadata: IssuerMetadata): CredentialRequestClientBuilderV1_0_09 {
+    this.credentialEndpoint = metadata.credential_endpoint;
+    return this;
+  }
+
+  public withCredentialEndpoint(credentialEndpoint: string): CredentialRequestClientBuilderV1_0_09 {
+    this.credentialEndpoint = credentialEndpoint;
+    return this;
+  }
+
+  public withCredentialType(credentialType: string | string[]): CredentialRequestClientBuilderV1_0_09 {
+    this.credentialType = credentialType;
+    return this;
+  }
+
+  public withFormat(format: CredentialFormat | CredentialFormat[]): CredentialRequestClientBuilderV1_0_09 {
+    this.format = format;
+    return this;
+  }
+
+  public withToken(accessToken: string): CredentialRequestClientBuilderV1_0_09 {
+    this.token = accessToken;
+    return this;
+  }
+
+  public withTokenFromResponse(response: AccessTokenResponse): CredentialRequestClientBuilderV1_0_09 {
+    this.token = response.access_token;
+    return this;
+  }
+
+  public build(): CredentialRequestClient {
+    return new CredentialRequestClient(this);
+  }
+}

package/lib/MetadataClient.ts

@@ -0,0 +1,147 @@
+import {
+  CredentialOfferPayload,
+  CredentialOfferRequestWithBaseUrl,
+  EndpointMetadata,
+  getIssuerFromCredentialOfferPayload,
+  IssuerMetadata,
+  OAuth2ASMetadata,
+  Oauth2ASWithOID4VCIMetadata,
+  OpenIDResponse,
+  WellKnownEndpoints,
+} from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+import { getJson } from './functions';
+
+const debug = Debug('sphereon:openid4vci:metadata');
+
+export class MetadataClient {
+  /**
+   * Retrieve metadata using the Initiation obtained from a previous step
+   *
+   * @param credentialOffer
+   */
+  public static async retrieveAllMetadataFromCredentialOffer(credentialOffer: CredentialOfferRequestWithBaseUrl): Promise<EndpointMetadata> {
+    return MetadataClient.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.request);
+  }
+
+  /**
+   * Retrieve the metada using the initiation request obtained from a previous step
+   * @param request
+   */
+  public static async retrieveAllMetadataFromCredentialOfferRequest(request: CredentialOfferPayload): Promise<EndpointMetadata> {
+    if (getIssuerFromCredentialOfferPayload(request)) {
+      return MetadataClient.retrieveAllMetadata(getIssuerFromCredentialOfferPayload(request) as string);
+    }
+    throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
+  }
+
+  /**
+   * Retrieve all metadata from an issuer
+   * @param issuer The issuer URL
+   * @param opts
+   */
+  public static async retrieveAllMetadata(issuer: string, opts?: { errorOnNotFound: boolean }): Promise<EndpointMetadata> {
+    let token_endpoint;
+    let credential_endpoint;
+    const response = await MetadataClient.retrieveOpenID4VCIServerMetadata(issuer);
+    let issuerMetadata = response?.successBody;
+    if (issuerMetadata) {
+      debug(`Issuer ${issuer} OID4VCI well-known server metadata\r\n${issuerMetadata}`);
+      credential_endpoint = issuerMetadata.credential_endpoint;
+      token_endpoint = issuerMetadata.token_endpoint;
+      if (!token_endpoint && issuerMetadata.authorization_server) {
+        debug(
+          `Issuer ${issuer} OID4VCI metadata has separate authorization_server ${issuerMetadata.authorization_server} that contains the token endpoint`
+        );
+        // Crossword uses this to separate the AS metadata. We fail when not found, since we now have no way of getting the token endpoint
+        const response: OpenIDResponse<OAuth2ASMetadata> = await this.retrieveWellknown(
+          issuerMetadata.authorization_server,
+          WellKnownEndpoints.OAUTH_AS,
+          {
+            errorOnNotFound: true,
+          }
+        );
+        token_endpoint = response.successBody?.token_endpoint;
+      }
+    } else {
+      // No specific OID4VCI endpoint. Either can be an OAuth2 AS or an OpenID IDP. Let's start with OIDC first
+      let response: OpenIDResponse<Oauth2ASWithOID4VCIMetadata> = await MetadataClient.retrieveWellknown(
+        issuer,
+        WellKnownEndpoints.OPENID_CONFIGURATION,
+        {
+          errorOnNotFound: false,
+        }
+      );
+      let asConfig = response.successBody;
+      if (asConfig) {
+        debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
+      } else {
+        // Now oAuth2
+        response = await MetadataClient.retrieveWellknown(issuer, WellKnownEndpoints.OAUTH_AS, { errorOnNotFound: false });
+        asConfig = response.successBody;
+      }
+      if (asConfig) {
+        debug(`Issuer ${issuer} has oAuth2 Server metadata in well-known location`);
+        issuerMetadata = asConfig;
+        credential_endpoint = issuerMetadata.credential_endpoint;
+        token_endpoint = issuerMetadata.token_endpoint;
+      }
+    }
+    if (!token_endpoint) {
+      debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
+      if (opts?.errorOnNotFound) {
+        throw new Error(`Could not deduce the token endpoint for ${issuer}`);
+      } else {
+        token_endpoint = `${issuer}${issuer.endsWith('/') ? '' : '/'}token`;
+      }
+    }
+    if (!credential_endpoint) {
+      debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
+      if (opts?.errorOnNotFound) {
+        throw new Error(`Could not deduce the credential endpoint for ${issuer}`);
+      } else {
+        credential_endpoint = `${issuer}${issuer.endsWith('/') ? '' : '/'}credential`;
+      }
+    }
+    debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
+    return {
+      issuer,
+      token_endpoint,
+      credential_endpoint,
+      issuerMetadata,
+    };
+  }
+
+  /**
+   * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
+   *
+   * @param issuerHost The issuer hostname
+   */
+  public static async retrieveOpenID4VCIServerMetadata(issuerHost: string): Promise<OpenIDResponse<IssuerMetadata> | undefined> {
+    // Since the server metadata endpoint is optional we are not going to throw an error.
+    return MetadataClient.retrieveWellknown(issuerHost, WellKnownEndpoints.OPENID4VCI_ISSUER, { errorOnNotFound: false });
+  }
+
+  /**
+   * Allows to retrieve information from a well-known location
+   *
+   * @param host The host
+   * @param endpointType The endpoint type, currently supports OID4VCI, OIDC and OAuth2 endpoint types
+   * @param opts Options, like for instance whether an error should be thrown in case the endpoint doesn't exist
+   */
+  public static async retrieveWellknown<T>(
+    host: string,
+    endpointType: WellKnownEndpoints,
+    opts?: { errorOnNotFound?: boolean }
+  ): Promise<OpenIDResponse<T>> {
+    const result: OpenIDResponse<T> = await getJson(`${host.endsWith('/') ? host.slice(0, -1) : host}${endpointType}`, {
+      exceptionOnHttpErrorStatus: opts?.errorOnNotFound,
+    });
+    if (result.origResponse.status === 404) {
+      // We only get here when error on not found is false
+      debug(`host ${host} with endpoint type ${endpointType} was not found (404)`);
+    }
+    return result;
+  }
+}