@sphereon/oid4vci-client 0.20.2-next.2 → 0.21.0
- package/dist/index.cjs +574 -116
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +93 -16
- package/dist/index.d.ts +93 -16
- package/dist/index.js +552 -94
- package/dist/index.js.map +1 -1
- package/package.json +4 -4
package/dist/index.cjs
CHANGED
|
@@ -36,9 +36,11 @@ __export(index_exports, {
|
|
|
36
36
|
CredentialOfferClientV1_0_15: () => CredentialOfferClientV1_0_15,
|
|
37
37
|
CredentialRequestClient: () => CredentialRequestClient,
|
|
38
38
|
CredentialRequestClientBuilder: () => CredentialRequestClientBuilder,
|
|
39
|
+
CredentialRequestClientBuilderV1_0: () => CredentialRequestClientBuilderV1_0,
|
|
39
40
|
CredentialRequestClientBuilderV1_0_15: () => CredentialRequestClientBuilderV1_0_15,
|
|
40
41
|
LOG: () => LOG2,
|
|
41
42
|
MetadataClient: () => MetadataClient,
|
|
43
|
+
MetadataClientV1_0: () => MetadataClientV1_0,
|
|
42
44
|
MetadataClientV1_0_15: () => MetadataClientV1_0_15,
|
|
43
45
|
OpenID4VCIClient: () => OpenID4VCIClient,
|
|
44
46
|
OpenID4VCIClientV1_0_15: () => OpenID4VCIClientV1_0_15,
|
|
@@ -59,7 +61,7 @@ __export(index_exports, {
|
|
|
59
61
|
sendNotification: () => sendNotification
|
|
60
62
|
});
|
|
61
63
|
module.exports = __toCommonJS(index_exports);
|
|
62
|
-
var
|
|
64
|
+
var import_oid4vci_common22 = require("@sphereon/oid4vci-common");
|
|
63
65
|
|
|
64
66
|
// lib/AccessTokenClient.ts
|
|
65
67
|
var import_oid4vc_common3 = require("@sphereon/oid4vc-common");
|
|
@@ -162,6 +164,8 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
|
|
|
162
164
|
jti;
|
|
163
165
|
cNonce;
|
|
164
166
|
typ;
|
|
167
|
+
proofType = "jwt";
|
|
168
|
+
coseKey;
|
|
165
169
|
constructor({ proof, callbacks, jwt, accessTokenResponse, version, mode = "pop" }) {
|
|
166
170
|
this.mode = mode;
|
|
167
171
|
this.proof = proof;
|
|
@@ -246,6 +250,14 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
|
|
|
246
250
|
this.typ = typ;
|
|
247
251
|
return this;
|
|
248
252
|
}
|
|
253
|
+
withProofType(proofType) {
|
|
254
|
+
this.proofType = proofType;
|
|
255
|
+
return this;
|
|
256
|
+
}
|
|
257
|
+
withCoseKey(coseKey) {
|
|
258
|
+
this.coseKey = coseKey;
|
|
259
|
+
return this;
|
|
260
|
+
}
|
|
249
261
|
withAccessTokenNonce(cNonce) {
|
|
250
262
|
this.cNonce = cNonce;
|
|
251
263
|
return this;
|
|
@@ -295,6 +307,17 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
|
|
|
295
307
|
if (this.proof) {
|
|
296
308
|
return Promise.resolve(this.proof);
|
|
297
309
|
} else if (this.callbacks) {
|
|
310
|
+
if (this.proofType === "cwt" && this.callbacks.cwtSignCallback) {
|
|
311
|
+
return await (0, import_oid4vci_common5.createCwtProofOfPossession)(this.callbacks, {
|
|
312
|
+
iss: this.clientId ?? this.issuer,
|
|
313
|
+
aud: Array.isArray(this.aud) ? this.aud[0] : this.aud ?? this.issuer ?? "",
|
|
314
|
+
nonce: this.cNonce,
|
|
315
|
+
alg: this.alg,
|
|
316
|
+
jwk: this.jwk,
|
|
317
|
+
kid: this.kid,
|
|
318
|
+
coseKey: this.coseKey
|
|
319
|
+
});
|
|
320
|
+
}
|
|
298
321
|
return await (0, import_oid4vci_common5.createProofOfPossession)(this.mode, this.callbacks, {
|
|
299
322
|
typ: this.typ ?? (this.mode === "JWT" ? "JWT" : "openid4vci-proof+jwt"),
|
|
300
323
|
kid: this.kid,
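Review bot: The CWT branch runs only when `this.callbacks.cwtSignCallback` is set, so a builder configured with `withProofType("cwt")` but without that callback silently falls through to `createProofOfPossession` and produces a JWT proof instead of failing. The branch also substitutes `""` for a missing audience and passes `this.cNonce` unchecked, which could produce a proof bound to no issuer or nonce; whether `createCwtProofOfPossession` rejects those values is not visible here. Consider failing closed before the call, e.g. `if (this.proofType === "cwt" && !this.callbacks.cwtSignCallback) throw new Error("cwt proof requested but no cwtSignCallback was provided");`, and rejecting an empty `aud` in the same place. The enclosing method starts and ends outside the hunk.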
|
|
@@ -315,7 +338,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
|
|
|
315
338
|
|
|
316
339
|
// lib/functions/AccessTokenUtil.ts
|
|
317
340
|
var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts) => {
|
|
318
|
-
const { asOpts, credentialIssuer } = opts;
|
|
341
|
+
const { asOpts, credentialIssuer, metadata } = opts;
|
|
319
342
|
if (asOpts?.clientOpts?.clientAssertionType === "urn:ietf:params:oauth:client-assertion-type:jwt-bearer") {
|
|
320
343
|
const { clientId = request.client_id, signCallbacks, alg } = asOpts.clientOpts;
|
|
321
344
|
let { kid } = asOpts.clientOpts;
|
|
@@ -331,6 +354,7 @@ var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts
|
|
|
331
354
|
if (clientId.startsWith("http") && kid.includes("#")) {
|
|
332
355
|
kid = kid.split("#")[1];
|
|
333
356
|
}
|
|
357
|
+
const aud = metadata?.token_endpoint ?? asOpts?.tokenEndpoint ?? credentialIssuer;
|
|
334
358
|
const jwt = {
|
|
335
359
|
header: {
|
|
336
360
|
typ: "JWT",
|
|
@@ -340,16 +364,16 @@ var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts
|
|
|
340
364
|
payload: {
|
|
341
365
|
iss: clientId,
|
|
342
366
|
sub: clientId,
|
|
343
|
-
aud
|
|
367
|
+
aud,
|
|
344
368
|
jti: (0, import_oid4vc_common.uuidv4)(),
|
|
345
|
-
exp: Math.floor(Date.now()
|
|
346
|
-
iat: Math.floor(Date.now()
|
|
369
|
+
exp: Math.floor(Date.now() / 1e3) + 60,
|
|
370
|
+
iat: Math.floor(Date.now() / 1e3) - 60
|
|
347
371
|
}
|
|
348
372
|
};
|
|
349
373
|
const pop = await ProofOfPossessionBuilder.fromJwt({
|
|
350
374
|
jwt,
|
|
351
375
|
callbacks: signCallbacks,
|
|
352
|
-
version: opts.version ?? import_oid4vci_common6.OpenId4VCIVersion.
|
|
376
|
+
version: opts.version ?? import_oid4vci_common6.OpenId4VCIVersion.VER_1_0,
|
|
353
377
|
mode: "JWT"
|
|
354
378
|
}).build();
|
|
355
379
|
request.client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
|
|
@@ -603,9 +627,17 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
603
627
|
},
|
|
604
628
|
...notification_endpoint && {
|
|
605
629
|
notification_endpoint
|
|
630
|
+
},
|
|
631
|
+
...ci.signed_metadata && {
|
|
632
|
+
signed_metadata: ci.signed_metadata
|
|
606
633
|
}
|
|
607
634
|
};
|
|
608
635
|
logger2.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
636
|
+
const processedMetadata = await (0, import_oid4vci_common8.processSignedMetadata)({
|
|
637
|
+
metadata: v15CredentialIssuerMetadata,
|
|
638
|
+
issuer,
|
|
639
|
+
signedMetadataVerifyCallback: opts?.signedMetadataVerifyCallback
|
|
640
|
+
});
|
|
609
641
|
return {
|
|
610
642
|
issuer,
|
|
611
643
|
token_endpoint,
|
|
@@ -613,7 +645,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
613
645
|
authorization_challenge_endpoint,
|
|
614
646
|
notification_endpoint,
|
|
615
647
|
authorizationServerType,
|
|
616
|
-
credentialIssuerMetadata:
|
|
648
|
+
credentialIssuerMetadata: processedMetadata,
|
|
617
649
|
authorizationServerMetadata: authMetadata
|
|
618
650
|
};
|
|
619
651
|
}
|
|
@@ -723,6 +755,9 @@ var AccessTokenClient = class _AccessTokenClient {
|
|
|
723
755
|
...opts,
|
|
724
756
|
credentialIssuer
|
|
725
757
|
});
|
|
758
|
+
if (request.client_assertion) {
|
|
759
|
+
delete request.client_id;
|
|
760
|
+
}
|
|
726
761
|
if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(import_oid4vci_common9.AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
|
|
727
762
|
request.grant_type = import_oid4vci_common9.GrantTypes.AUTHORIZATION_CODE;
|
|
728
763
|
request.code = code;
|
|
@@ -734,8 +769,11 @@ var AccessTokenClient = class _AccessTokenClient {
|
|
|
734
769
|
}
|
|
735
770
|
if (credentialOfferRequest?.supportedFlows.includes(import_oid4vci_common9.AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
|
|
736
771
|
this.assertAlphanumericPin(opts.pinMetadata, pin);
|
|
737
|
-
|
|
738
|
-
|
|
772
|
+
if (opts.pinMetadata?.txCode) {
|
|
773
|
+
request.tx_code = pin;
|
|
774
|
+
} else {
|
|
775
|
+
request.user_pin = pin;
|
|
776
|
+
}
|
|
739
777
|
request.grant_type = import_oid4vci_common9.GrantTypes.PRE_AUTHORIZED_CODE;
|
|
740
778
|
request[import_oid4vci_common9.PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[import_oid4vci_common9.PRE_AUTH_GRANT_LITERAL]?.[import_oid4vci_common9.PRE_AUTH_CODE_LITERAL];
|
|
741
779
|
return request;
|
|
@@ -818,9 +856,11 @@ var AccessTokenClient = class _AccessTokenClient {
|
|
|
818
856
|
}
|
|
819
857
|
}
|
|
820
858
|
async sendAuthCode(requestTokenURL, accessTokenRequest, opts) {
|
|
821
|
-
|
|
859
|
+
const body = (0, import_oid4vci_common9.convertJsonToURI)(accessTokenRequest, {
|
|
822
860
|
mode: import_oid4vci_common9.JsonURIMode.X_FORM_WWW_URLENCODED
|
|
823
|
-
})
|
|
861
|
+
});
|
|
862
|
+
LOG.info(`Token request to ${requestTokenURL}: ${body}`);
|
|
863
|
+
return await (0, import_oid4vci_common9.formPost)(requestTokenURL, body, {
|
|
824
864
|
customHeaders: opts?.headers ? opts.headers : void 0
|
|
825
865
|
});
|
|
826
866
|
}
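Review bot: The added `LOG.info` call in `sendAuthCode` interpolates the whole form-encoded `body` into the log line, and the other hunks of this file show that request carrying `code`, the pre-authorized code, `tx_code`/`user_pin` and `client_assertion`. At info level these values reach every configured log sink, so anyone with read access to the logs obtains material that authorises a token exchange. Keep the body out of the log and record only non-secret fields, e.g. `LOG.debug("Token request to " + requestTokenURL + " grant_type=" + accessTokenRequest.grant_type);`. If the full request is ever needed for troubleshooting, redact the secret parameters before logging rather than lowering the level.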
|
|
@@ -878,6 +918,10 @@ var MetadataClient = class _MetadataClient {
|
|
|
878
918
|
* @param credentialOffer
|
|
879
919
|
*/
|
|
880
920
|
static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
|
|
921
|
+
const issuer = (0, import_oid4vci_common10.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer);
|
|
922
|
+
if (issuer) {
|
|
923
|
+
return _MetadataClient.retrieveAllMetadata(issuer);
|
|
924
|
+
}
|
|
881
925
|
const openId4VCIVersion = (0, import_oid4vci_common10.determineSpecVersionFromOffer)(credentialOffer.credential_offer);
|
|
882
926
|
if (openId4VCIVersion >= import_oid4vci_common10.OpenId4VCIVersion.VER_1_0_15) {
|
|
883
927
|
return await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(credentialOffer);
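Review bot: The new early return calls `_MetadataClient.retrieveAllMetadata(issuer)` with no second argument, so a caller of `retrieveAllMetadataFromCredentialOffer` cannot supply `signedMetadataVerifyCallback`, which the `processSignedMetadata` calls added elsewhere in this file read from `opts`. The next hunk (`retrieveAllMetadataFromCredentialOfferRequest`, new line 938) has the same shape. How `processSignedMetadata` treats `signed_metadata` when no callback is given is not visible, so these paths should either accept and forward `opts` or state in a comment that signed metadata is not verified here. The early return also leaves the version dispatch below it reachable only for offers without an issuer; if that is intended, a comment such as `// version-specific clients are only a fallback for offers without credential_issuer` would make it explicit. The method body continues outside the hunk.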
|
|
@@ -891,12 +935,7 @@ var MetadataClient = class _MetadataClient {
|
|
|
891
935
|
static async retrieveAllMetadataFromCredentialOfferRequest(request) {
|
|
892
936
|
const issuer = (0, import_oid4vci_common10.getIssuerFromCredentialOfferPayload)(request);
|
|
893
937
|
if (issuer) {
|
|
894
|
-
|
|
895
|
-
if (openId4VCIVersion >= import_oid4vci_common10.OpenId4VCIVersion.VER_1_0_15) {
|
|
896
|
-
return MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(request);
|
|
897
|
-
} else {
|
|
898
|
-
return Promise.reject(Error(`OpenId4VCIVersion ${openId4VCIVersion} is not supported in retrieveAllMetadataFromCredentialOfferRequest`));
|
|
899
|
-
}
|
|
938
|
+
return _MetadataClient.retrieveAllMetadata(issuer);
|
|
900
939
|
}
|
|
901
940
|
throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
|
|
902
941
|
}
|
|
@@ -1016,12 +1055,20 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1016
1055
|
return Promise.reject(Error(`No /.well-known/openid-credential-issuer at ${issuer}.`));
|
|
1017
1056
|
}
|
|
1018
1057
|
logger3.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
1058
|
+
const versions = credentialIssuerMetadata ? (0, import_oid4vci_common10.determineVersionsFromIssuerMetadata)(credentialIssuerMetadata) : [];
|
|
1059
|
+
const detectedVersion = versions.length > 0 ? versions[0] : import_oid4vci_common10.OpenId4VCIVersion.VER_1_0;
|
|
1060
|
+
logger3.debug(`Detected OID4VCI version ${detectedVersion} for issuer ${issuer}`);
|
|
1061
|
+
const processedMetadata = await (0, import_oid4vci_common10.processSignedMetadata)({
|
|
1062
|
+
metadata: credentialIssuerMetadata,
|
|
1063
|
+
issuer,
|
|
1064
|
+
signedMetadataVerifyCallback: opts?.signedMetadataVerifyCallback
|
|
1065
|
+
});
|
|
1019
1066
|
return {
|
|
1020
1067
|
issuer,
|
|
1021
1068
|
token_endpoint,
|
|
1022
1069
|
credential_endpoint,
|
|
1023
1070
|
deferred_credential_endpoint,
|
|
1024
|
-
nonce_endpoint: credentialIssuerMetadata
|
|
1071
|
+
nonce_endpoint: credentialIssuerMetadata?.nonce_endpoint,
|
|
1025
1072
|
authorization_servers: authorization_server ? [
|
|
1026
1073
|
authorization_server
|
|
1027
1074
|
] : authorization_servers ?? [
|
|
@@ -1030,7 +1077,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
1030
1077
|
authorization_endpoint,
|
|
1031
1078
|
authorization_challenge_endpoint,
|
|
1032
1079
|
authorizationServerType,
|
|
1033
|
-
credentialIssuerMetadata,
|
|
1080
|
+
credentialIssuerMetadata: processedMetadata,
|
|
1034
1081
|
authorizationServerMetadata: authMetadata
|
|
1035
1082
|
};
|
|
1036
1083
|
}
|
|
@@ -1091,7 +1138,7 @@ async function createSignedAuthRequestWhenNeeded(requestObject, opts) {
|
|
|
1091
1138
|
const pop = await ProofOfPossessionBuilder.fromJwt({
|
|
1092
1139
|
jwt,
|
|
1093
1140
|
callbacks: opts.signCallbacks,
|
|
1094
|
-
version: import_oid4vci_common11.OpenId4VCIVersion.
|
|
1141
|
+
version: import_oid4vci_common11.OpenId4VCIVersion.VER_1_0,
|
|
1095
1142
|
mode: "JWT"
|
|
1096
1143
|
}).build();
|
|
1097
1144
|
requestObject["request"] = pop.jwt;
|
|
@@ -1148,8 +1195,8 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1148
1195
|
if ("credentials" in credentialOffer.credential_offer) {
|
|
1149
1196
|
throw new Error("CredentialOffer format is wrong.");
|
|
1150
1197
|
}
|
|
1151
|
-
const ver = version ?? (0, import_oid4vci_common11.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common11.OpenId4VCIVersion.
|
|
1152
|
-
const creds = ver
|
|
1198
|
+
const ver = version ?? (0, import_oid4vci_common11.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common11.OpenId4VCIVersion.VER_1_0;
|
|
1199
|
+
const creds = ver >= import_oid4vci_common11.OpenId4VCIVersion.VER_1_0_15 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
|
|
1153
1200
|
authorizationDetails = creds.flatMap((cred) => {
|
|
1154
1201
|
const locations = [
|
|
1155
1202
|
credentialOffer?.credential_offer.credential_issuer ?? endpointMetadata.issuer
|
|
@@ -1580,18 +1627,61 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
1580
1627
|
if (proofInput) {
|
|
1581
1628
|
proof = await buildProof(proofInput, opts);
|
|
1582
1629
|
}
|
|
1583
|
-
|
|
1630
|
+
const issuer_state = this.credentialRequestOpts.issuerState;
|
|
1631
|
+
const commonBody = {
|
|
1632
|
+
...issuer_state && {
|
|
1633
|
+
issuer_state
|
|
1634
|
+
},
|
|
1635
|
+
...proof && {
|
|
1636
|
+
proof
|
|
1637
|
+
},
|
|
1638
|
+
...opts.subjectIssuance
|
|
1639
|
+
};
|
|
1640
|
+
if (this.version() >= import_oid4vci_common12.OpenId4VCIVersion.VER_1_0) {
|
|
1584
1641
|
const authDetail = findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId ?? credentialIdentifier);
|
|
1585
|
-
const
|
|
1586
|
-
const
|
|
1642
|
+
const authDetailObj = authDetail && typeof authDetail === "object" ? authDetail : null;
|
|
1643
|
+
const configId = credentialConfigurationId ?? authDetailObj?.credential_configuration_id ?? this._credentialRequestOpts.credentialConfigurationId;
|
|
1644
|
+
if (!configId) {
|
|
1645
|
+
return Promise.reject(Error("credential_configuration_id is required for 1.0 final credential request"));
|
|
1646
|
+
}
|
|
1647
|
+
const identifiers = this._credentialRequestOpts.credentialIdentifiers ?? (authDetailObj?.credential_identifiers && authDetailObj.credential_identifiers.length > 0 ? authDetailObj.credential_identifiers : credentialIdentifier ? [
|
|
1648
|
+
credentialIdentifier
|
|
1649
|
+
] : void 0);
|
|
1650
|
+
let proofsBody = {};
|
|
1651
|
+
if (proof) {
|
|
1652
|
+
if (proof.proof_type === "cwt" && "cwt" in proof) {
|
|
1653
|
+
proofsBody = {
|
|
1654
|
+
proofs: {
|
|
1655
|
+
cwt: [
|
|
1656
|
+
proof.cwt
|
|
1657
|
+
]
|
|
1658
|
+
}
|
|
1659
|
+
};
|
|
1660
|
+
} else if ("jwt" in proof) {
|
|
1661
|
+
proofsBody = {
|
|
1662
|
+
proofs: {
|
|
1663
|
+
jwt: [
|
|
1664
|
+
proof.jwt
|
|
1665
|
+
]
|
|
1666
|
+
}
|
|
1667
|
+
};
|
|
1668
|
+
}
|
|
1669
|
+
}
|
|
1670
|
+
const request = {
|
|
1671
|
+
credential_configuration_id: configId,
|
|
1672
|
+
...identifiers && identifiers.length > 0 && {
|
|
1673
|
+
credential_identifiers: identifiers
|
|
1674
|
+
},
|
|
1587
1675
|
...issuer_state && {
|
|
1588
1676
|
issuer_state
|
|
1589
1677
|
},
|
|
1590
|
-
...
|
|
1591
|
-
proof
|
|
1592
|
-
},
|
|
1678
|
+
...proofsBody,
|
|
1593
1679
|
...opts.subjectIssuance
|
|
1594
1680
|
};
|
|
1681
|
+
return request;
|
|
1682
|
+
}
|
|
1683
|
+
if (this.version() >= import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_15) {
|
|
1684
|
+
const authDetail = findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId ?? credentialIdentifier);
|
|
1595
1685
|
const authDetailObj = authDetail && typeof authDetail === "object" ? authDetail : null;
|
|
1596
1686
|
if (authDetailObj?.credential_identifier) {
|
|
1597
1687
|
return {
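Review bot: When `proof` is present but matches neither branch (`proof_type === "cwt"` with a `cwt` member, or a `jwt` member), `proofsBody` stays `{}` and the request is returned without `proofs`, so an unrecognised proof is dropped silently instead of being reported. Add an explicit `else { return Promise.reject(Error("Unsupported proof format for credential request")); }` after the `jwt` branch. `commonBody` is built at the top of the hunk but is not used in the lines shown; if the code outside the hunk does not use it either, it should be removed. Because this branch returns for every version `>= VER_1_0`, the following `>= VER_1_0_15` branch relies on the enum ordering, which is not visible here and deserves a one-line comment.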
|
|
@@ -1623,7 +1713,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
1623
1713
|
throw new Error(`Unsupported version: ${this.version()}`);
|
|
1624
1714
|
}
|
|
1625
1715
|
version() {
|
|
1626
|
-
return this.credentialRequestOpts?.version ?? import_oid4vci_common12.OpenId4VCIVersion.
|
|
1716
|
+
return this.credentialRequestOpts?.version ?? import_oid4vci_common12.OpenId4VCIVersion.VER_1_0;
|
|
1627
1717
|
}
|
|
1628
1718
|
};
|
|
1629
1719
|
|
|
@@ -1791,7 +1881,7 @@ var CredentialOfferClientV1_0_15 = class {
|
|
|
1791
1881
|
};
|
|
1792
1882
|
|
|
1793
1883
|
// lib/CredentialRequestClientBuilder.ts
|
|
1794
|
-
var
|
|
1884
|
+
var import_oid4vci_common17 = require("@sphereon/oid4vci-common");
|
|
1795
1885
|
|
|
1796
1886
|
// lib/CredentialRequestClientBuilderV1_0_15.ts
|
|
1797
1887
|
var import_oid4vci_common15 = require("@sphereon/oid4vci-common");
|
|
@@ -1952,11 +2042,166 @@ var CredentialRequestClientBuilderV1_0_15 = class _CredentialRequestClientBuilde
|
|
|
1952
2042
|
}
|
|
1953
2043
|
};
|
|
1954
2044
|
|
|
2045
|
+
// lib/CredentialRequestClientBuilderV1_0.ts
|
|
2046
|
+
var import_oid4vci_common16 = require("@sphereon/oid4vci-common");
|
|
2047
|
+
var CredentialRequestClientBuilderV1_0 = class _CredentialRequestClientBuilderV1_0 {
|
|
2048
|
+
static {
|
|
2049
|
+
__name(this, "CredentialRequestClientBuilderV1_0");
|
|
2050
|
+
}
|
|
2051
|
+
credentialEndpoint;
|
|
2052
|
+
deferredCredentialEndpoint;
|
|
2053
|
+
nonceEndpoint;
|
|
2054
|
+
deferredCredentialAwait = false;
|
|
2055
|
+
deferredCredentialIntervalInMS = 5e3;
|
|
2056
|
+
credentialIdentifiers;
|
|
2057
|
+
credentialConfigurationId;
|
|
2058
|
+
credentialTypes = [];
|
|
2059
|
+
token;
|
|
2060
|
+
version;
|
|
2061
|
+
subjectIssuance;
|
|
2062
|
+
issuerState;
|
|
2063
|
+
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifiers, credentialConfigurationId, credentialTypes }) {
|
|
2064
|
+
const issuer = credentialIssuer;
|
|
2065
|
+
const builder = new _CredentialRequestClientBuilderV1_0();
|
|
2066
|
+
builder.withVersion(version ?? import_oid4vci_common16.OpenId4VCIVersion.VER_1_0);
|
|
2067
|
+
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2068
|
+
if (metadata?.deferred_credential_endpoint) {
|
|
2069
|
+
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
2070
|
+
}
|
|
2071
|
+
if (metadata?.credentialIssuerMetadata?.nonce_endpoint) {
|
|
2072
|
+
builder.withNonceEndpoint(metadata.credentialIssuerMetadata?.nonce_endpoint);
|
|
2073
|
+
}
|
|
2074
|
+
if (credentialIdentifiers) {
|
|
2075
|
+
builder.withCredentialIdentifiers(credentialIdentifiers);
|
|
2076
|
+
}
|
|
2077
|
+
if (credentialConfigurationId) {
|
|
2078
|
+
builder.withCredentialConfigurationId(credentialConfigurationId);
|
|
2079
|
+
}
|
|
2080
|
+
if (credentialTypes) {
|
|
2081
|
+
builder.withCredentialType(credentialTypes);
|
|
2082
|
+
}
|
|
2083
|
+
return builder;
|
|
2084
|
+
}
|
|
2085
|
+
static async fromURI({ uri, metadata }) {
|
|
2086
|
+
const offer = await CredentialOfferClient.fromURI(uri);
|
|
2087
|
+
return _CredentialRequestClientBuilderV1_0.fromCredentialOfferRequest({
|
|
2088
|
+
request: offer,
|
|
2089
|
+
...offer,
|
|
2090
|
+
metadata,
|
|
2091
|
+
version: offer.version
|
|
2092
|
+
});
|
|
2093
|
+
}
|
|
2094
|
+
static fromCredentialOfferRequest(opts) {
|
|
2095
|
+
const { request, metadata } = opts;
|
|
2096
|
+
const version = opts.version ?? request.version ?? (0, import_oid4vci_common16.determineSpecVersionFromOffer)(request.original_credential_offer);
|
|
2097
|
+
const builder = new _CredentialRequestClientBuilderV1_0();
|
|
2098
|
+
const issuer = (0, import_oid4vci_common16.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? (metadata ? metadata.issuer : void 0);
|
|
2099
|
+
if (!issuer && !metadata?.credential_endpoint) {
|
|
2100
|
+
throw Error(`Issuer could not be determined`);
|
|
2101
|
+
}
|
|
2102
|
+
builder.withVersion(version >= import_oid4vci_common16.OpenId4VCIVersion.VER_1_0 ? version : import_oid4vci_common16.OpenId4VCIVersion.VER_1_0);
|
|
2103
|
+
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2104
|
+
if (metadata?.deferred_credential_endpoint) {
|
|
2105
|
+
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
2106
|
+
}
|
|
2107
|
+
if (metadata?.credentialIssuerMetadata?.nonce_endpoint) {
|
|
2108
|
+
builder.withNonceEndpoint(metadata.credentialIssuerMetadata.nonce_endpoint);
|
|
2109
|
+
}
|
|
2110
|
+
const ids = request.credential_offer.credential_configuration_ids;
|
|
2111
|
+
if (ids.length && ids.length === 1) {
|
|
2112
|
+
builder.withCredentialConfigurationId(ids[0]);
|
|
2113
|
+
}
|
|
2114
|
+
return builder;
|
|
2115
|
+
}
|
|
2116
|
+
static fromCredentialOffer({ credentialOffer, metadata }) {
|
|
2117
|
+
return _CredentialRequestClientBuilderV1_0.fromCredentialOfferRequest({
|
|
2118
|
+
request: credentialOffer,
|
|
2119
|
+
metadata,
|
|
2120
|
+
version: credentialOffer.version
|
|
2121
|
+
});
|
|
2122
|
+
}
|
|
2123
|
+
withCredentialEndpointFromMetadata(metadata) {
|
|
2124
|
+
this.credentialEndpoint = metadata.credential_endpoint;
|
|
2125
|
+
return this;
|
|
2126
|
+
}
|
|
2127
|
+
withCredentialEndpoint(credentialEndpoint) {
|
|
2128
|
+
this.credentialEndpoint = credentialEndpoint;
|
|
2129
|
+
return this;
|
|
2130
|
+
}
|
|
2131
|
+
withIssuerState(issuerState) {
|
|
2132
|
+
this.issuerState = issuerState;
|
|
2133
|
+
return this;
|
|
2134
|
+
}
|
|
2135
|
+
withDeferredCredentialEndpointFromMetadata(metadata) {
|
|
2136
|
+
this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
|
|
2137
|
+
return this;
|
|
2138
|
+
}
|
|
2139
|
+
withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
|
|
2140
|
+
this.deferredCredentialEndpoint = deferredCredentialEndpoint;
|
|
2141
|
+
return this;
|
|
2142
|
+
}
|
|
2143
|
+
withNonceEndpointFromMetadata(metadata) {
|
|
2144
|
+
this.nonceEndpoint = metadata.nonce_endpoint;
|
|
2145
|
+
return this;
|
|
2146
|
+
}
|
|
2147
|
+
withNonceEndpoint(nonceEndpoint) {
|
|
2148
|
+
this.nonceEndpoint = nonceEndpoint;
|
|
2149
|
+
return this;
|
|
2150
|
+
}
|
|
2151
|
+
withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
|
|
2152
|
+
this.deferredCredentialAwait = deferredCredentialAwait;
|
|
2153
|
+
this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
|
|
2154
|
+
return this;
|
|
2155
|
+
}
|
|
2156
|
+
// 1.0 final: credential_identifiers is an OPTIONAL array
|
|
2157
|
+
withCredentialIdentifiers(credentialIdentifiers) {
|
|
2158
|
+
this.credentialIdentifiers = credentialIdentifiers;
|
|
2159
|
+
return this;
|
|
2160
|
+
}
|
|
2161
|
+
// 1.0 final: credential_configuration_id is REQUIRED
|
|
2162
|
+
withCredentialConfigurationId(credentialConfigurationId) {
|
|
2163
|
+
this.credentialConfigurationId = credentialConfigurationId;
|
|
2164
|
+
return this;
|
|
2165
|
+
}
|
|
2166
|
+
withCredentialType(credentialTypes) {
|
|
2167
|
+
this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
|
|
2168
|
+
credentialTypes
|
|
2169
|
+
];
|
|
2170
|
+
return this;
|
|
2171
|
+
}
|
|
2172
|
+
withSubjectIssuance(subjectIssuance) {
|
|
2173
|
+
this.subjectIssuance = subjectIssuance;
|
|
2174
|
+
return this;
|
|
2175
|
+
}
|
|
2176
|
+
withToken(accessToken) {
|
|
2177
|
+
this.token = accessToken;
|
|
2178
|
+
return this;
|
|
2179
|
+
}
|
|
2180
|
+
withTokenFromResponse(response) {
|
|
2181
|
+
this.token = response.access_token;
|
|
2182
|
+
return this;
|
|
2183
|
+
}
|
|
2184
|
+
withVersion(version) {
|
|
2185
|
+
this.version = version;
|
|
2186
|
+
return this;
|
|
2187
|
+
}
|
|
2188
|
+
build() {
|
|
2189
|
+
if (!this.version) {
|
|
2190
|
+
this.withVersion(import_oid4vci_common16.OpenId4VCIVersion.VER_1_0);
|
|
2191
|
+
}
|
|
2192
|
+
return new CredentialRequestClient(this);
|
|
2193
|
+
}
|
|
2194
|
+
};
|
|
2195
|
+
|
|
1955
2196
|
// lib/CredentialRequestClientBuilder.ts
|
|
1956
2197
|
function isV1_0_15(builder) {
|
|
1957
2198
|
return builder.withCredentialIdentifier !== void 0;
|
|
1958
2199
|
}
|
|
1959
2200
|
__name(isV1_0_15, "isV1_0_15");
|
|
2201
|
+
function isV1_0(builder) {
|
|
2202
|
+
return builder.withCredentialIdentifiers !== void 0;
|
|
2203
|
+
}
|
|
2204
|
+
__name(isV1_0, "isV1_0");
|
|
1960
2205
|
var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
1961
2206
|
static {
|
|
1962
2207
|
__name(this, "CredentialRequestClientBuilder");
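Review bot: In `CredentialRequestClientBuilderV1_0.fromCredentialOfferRequest`, `ids.length` is read from `request.credential_offer.credential_configuration_ids` without checking that the array exists, so an offer parsed from a URI that lacks the field fails with a TypeError rather than a descriptive error. Guard it with `const ids = request.credential_offer.credential_configuration_ids ?? [];` and simplify the test to `if (ids.length === 1)`. When the offer lists more than one id, no configuration id is set on the builder; the 1.0 request code in this file rejects a request without one unless it is supplied later, so a comment saying the caller must then call `withCredentialConfigurationId` would help. The same method also clamps any `version` below `VER_1_0` up to `VER_1_0` without logging, which is worth a debug line.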
|
|
@@ -1965,16 +2210,28 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
1965
2210
|
constructor(builder) {
|
|
1966
2211
|
this._builder = builder;
|
|
1967
2212
|
}
|
|
1968
|
-
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
|
|
2213
|
+
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialIdentifiers, credentialTypes }) {
|
|
2214
|
+
const specVersion = version ?? import_oid4vci_common17.OpenId4VCIVersion.VER_1_0;
|
|
1969
2215
|
let builder;
|
|
1970
|
-
|
|
1971
|
-
|
|
1972
|
-
|
|
1973
|
-
|
|
1974
|
-
|
|
1975
|
-
|
|
1976
|
-
|
|
1977
|
-
|
|
2216
|
+
if (specVersion >= import_oid4vci_common17.OpenId4VCIVersion.VER_1_0) {
|
|
2217
|
+
builder = CredentialRequestClientBuilderV1_0.fromCredentialIssuer({
|
|
2218
|
+
credentialIssuer,
|
|
2219
|
+
metadata,
|
|
2220
|
+
version: specVersion,
|
|
2221
|
+
credentialIdentifiers: credentialIdentifiers ?? (credentialIdentifier ? [
|
|
2222
|
+
credentialIdentifier
|
|
2223
|
+
] : void 0),
|
|
2224
|
+
credentialTypes
|
|
2225
|
+
});
|
|
2226
|
+
} else {
|
|
2227
|
+
builder = CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
2228
|
+
credentialIssuer,
|
|
2229
|
+
metadata,
|
|
2230
|
+
version: specVersion,
|
|
2231
|
+
credentialIdentifier,
|
|
2232
|
+
credentialTypes
|
|
2233
|
+
});
|
|
2234
|
+
}
|
|
1978
2235
|
return new _CredentialRequestClientBuilder(builder);
|
|
1979
2236
|
}
|
|
1980
2237
|
static async fromURI({ uri, metadata }) {
|
|
@@ -2025,11 +2282,24 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2025
2282
|
return this;
|
|
2026
2283
|
}
|
|
2027
2284
|
withCredentialIdentifier(credentialIdentifier) {
|
|
2028
|
-
if (this._builder.version === void 0 || this._builder.version <
|
|
2285
|
+
if (this._builder.version === void 0 || this._builder.version < import_oid4vci_common17.OpenId4VCIVersion.VER_1_0_15) {
|
|
2029
2286
|
throw new Error("Version of spec should be equal or higher than v1_0_15");
|
|
2030
2287
|
}
|
|
2031
|
-
|
|
2032
|
-
|
|
2288
|
+
if (isV1_0(this._builder)) {
|
|
2289
|
+
this._builder.withCredentialIdentifiers([
|
|
2290
|
+
credentialIdentifier
|
|
2291
|
+
]);
|
|
2292
|
+
} else if (isV1_0_15(this._builder)) {
|
|
2293
|
+
this._builder.withCredentialIdentifier(credentialIdentifier);
|
|
2294
|
+
}
|
|
2295
|
+
return this;
|
|
2296
|
+
}
|
|
2297
|
+
withCredentialIdentifiers(credentialIdentifiers) {
|
|
2298
|
+
if (isV1_0(this._builder)) {
|
|
2299
|
+
this._builder.withCredentialIdentifiers(credentialIdentifiers);
|
|
2300
|
+
} else if (isV1_0_15(this._builder) && credentialIdentifiers.length > 0) {
|
|
2301
|
+
this._builder.withCredentialIdentifier(credentialIdentifiers[0]);
|
|
2302
|
+
}
|
|
2033
2303
|
return this;
|
|
2034
2304
|
}
|
|
2035
2305
|
withIssuerState(issuerState) {
|
|
@@ -2061,18 +2331,197 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2061
2331
|
}
|
|
2062
2332
|
};
|
|
2063
2333
|
|
|
2334
|
+
// lib/MetadataClientV1_0.ts
|
|
2335
|
+
var import_oid4vci_common18 = require("@sphereon/oid4vci-common");
|
|
2336
|
+
var import_ssi_types9 = require("@sphereon/ssi-types");
|
|
2337
|
+
var logger7 = import_ssi_types9.Loggers.DEFAULT.get("sphereon:oid4vci:metadata");
|
|
2338
|
+
var MetadataClientV1_0 = class _MetadataClientV1_0 {
|
|
2339
|
+
static {
|
|
2340
|
+
__name(this, "MetadataClientV1_0");
|
|
2341
|
+
}
|
|
2342
|
+
static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
|
|
2343
|
+
return _MetadataClientV1_0.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
|
|
2344
|
+
}
|
|
2345
|
+
static async retrieveAllMetadataFromCredentialOfferRequest(request) {
|
|
2346
|
+
const issuer = (0, import_oid4vci_common18.getIssuerFromCredentialOfferPayload)(request);
|
|
2347
|
+
if (issuer) {
|
|
2348
|
+
return _MetadataClientV1_0.retrieveAllMetadata(issuer);
|
|
2349
|
+
}
|
|
2350
|
+
throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
|
|
2351
|
+
}
|
|
2352
|
+
static async retrieveAllMetadata(issuer, opts) {
|
|
2353
|
+
let token_endpoint;
|
|
2354
|
+
let credential_endpoint;
|
|
2355
|
+
let nonce_endpoint;
|
|
2356
|
+
let deferred_credential_endpoint;
|
|
2357
|
+
let notification_endpoint;
|
|
2358
|
+
let authorization_endpoint;
|
|
2359
|
+
let authorization_challenge_endpoint;
|
|
2360
|
+
let authorizationServerType = "OID4VCI";
|
|
2361
|
+
let authorization_servers = [
|
|
2362
|
+
issuer
|
|
2363
|
+
];
|
|
2364
|
+
const oid4vciResponse = await _MetadataClientV1_0.retrieveOpenID4VCIServerMetadata(issuer, {
|
|
2365
|
+
errorOnNotFound: false
|
|
2366
|
+
});
|
|
2367
|
+
let credentialIssuerMetadata = oid4vciResponse?.successBody;
|
|
2368
|
+
if (credentialIssuerMetadata) {
|
|
2369
|
+
logger7.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
|
|
2370
|
+
${JSON.stringify(credentialIssuerMetadata)}`);
|
|
2371
|
+
credential_endpoint = credentialIssuerMetadata.credential_endpoint;
|
|
2372
|
+
nonce_endpoint = credentialIssuerMetadata.nonce_endpoint;
|
|
2373
|
+
deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
|
|
2374
|
+
notification_endpoint = credentialIssuerMetadata.notification_endpoint;
|
|
2375
|
+
if (credentialIssuerMetadata.token_endpoint) {
|
|
2376
|
+
token_endpoint = credentialIssuerMetadata.token_endpoint;
|
|
2377
|
+
}
|
|
2378
|
+
authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
|
|
2379
|
+
if (credentialIssuerMetadata.authorization_servers) {
|
|
2380
|
+
authorization_servers = credentialIssuerMetadata.authorization_servers;
|
|
2381
|
+
}
|
|
2382
|
+
}
|
|
2383
|
+
let response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common18.WellKnownEndpoints.OPENID_CONFIGURATION, {
|
|
2384
|
+
errorOnNotFound: false
|
|
2385
|
+
});
|
|
2386
|
+
let authMetadata = response.successBody;
|
|
2387
|
+
if (authMetadata) {
|
|
2388
|
+
logger7.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
|
|
2389
|
+
authorizationServerType = "OIDC";
|
|
2390
|
+
} else {
|
|
2391
|
+
response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common18.WellKnownEndpoints.OAUTH_AS, {
|
|
2392
|
+
errorOnNotFound: false
|
|
2393
|
+
});
|
|
2394
|
+
authMetadata = response.successBody;
|
|
2395
|
+
}
|
|
2396
|
+
if (!authMetadata) {
|
|
2397
|
+
if (!authorization_servers.includes(issuer)) {
|
|
2398
|
+
throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
|
|
2399
|
+
}
|
|
2400
|
+
} else {
|
|
2401
|
+
logger7.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
|
|
2402
|
+
if (!authMetadata.authorization_endpoint) {
|
|
2403
|
+
console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
|
|
2404
|
+
} else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
|
|
2405
|
+
throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
|
|
2406
|
+
}
|
|
2407
|
+
authorization_endpoint = authMetadata.authorization_endpoint;
|
|
2408
|
+
if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
|
|
2409
|
+
throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
|
|
2410
|
+
}
|
|
2411
|
+
authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
|
|
2412
|
+
if (!authMetadata.token_endpoint) {
|
|
2413
|
+
throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
|
|
2414
|
+
} else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
|
|
2415
|
+
throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
|
|
2416
|
+
}
|
|
2417
|
+
token_endpoint = authMetadata.token_endpoint;
|
|
2418
|
+
if (authMetadata.credential_endpoint) {
|
|
2419
|
+
if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
|
|
2420
|
+
logger7.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
|
|
2421
|
+
} else {
|
|
2422
|
+
credential_endpoint = authMetadata.credential_endpoint;
|
|
2423
|
+
}
|
|
2424
|
+
}
|
|
2425
|
+
if (authMetadata.deferred_credential_endpoint) {
|
|
2426
|
+
if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
|
|
2427
|
+
logger7.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
|
|
2428
|
+
} else {
|
|
2429
|
+
deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
|
|
2430
|
+
}
|
|
2431
|
+
}
|
|
2432
|
+
if (authMetadata.notification_endpoint) {
|
|
2433
|
+
if (notification_endpoint && authMetadata.notification_endpoint !== notification_endpoint) {
|
|
2434
|
+
logger7.debug(`Credential issuer has a different notification_endpoint (${notification_endpoint}) from the Authorization Server (${authMetadata.notification_endpoint}). Will use the issuer value`);
|
|
2435
|
+
} else {
|
|
2436
|
+
notification_endpoint = authMetadata.notification_endpoint;
|
|
2437
|
+
}
|
|
2438
|
+
}
|
|
2439
|
+
}
|
|
2440
|
+
if (!authorization_endpoint) {
|
|
2441
|
+
logger7.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
|
|
2442
|
+
}
|
|
2443
|
+
if (!token_endpoint) {
|
|
2444
|
+
logger7.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
|
|
2445
|
+
if (opts?.errorOnNotFound) {
|
|
2446
|
+
throw Error(`Could not deduce the token_endpoint for ${issuer}`);
|
|
2447
|
+
} else {
|
|
2448
|
+
token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
|
|
2449
|
+
}
|
|
2450
|
+
}
|
|
2451
|
+
if (!credential_endpoint) {
|
|
2452
|
+
logger7.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
|
|
2453
|
+
if (opts?.errorOnNotFound) {
|
|
2454
|
+
throw Error(`Could not deduce the credential endpoint for ${issuer}`);
|
|
2455
|
+
} else {
|
|
2456
|
+
credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
|
|
2457
|
+
}
|
|
2458
|
+
}
|
|
2459
|
+
if (!credentialIssuerMetadata && authMetadata) {
|
|
2460
|
+
credentialIssuerMetadata = authMetadata;
|
|
2461
|
+
}
|
|
2462
|
+
const ci = credentialIssuerMetadata ?? {};
|
|
2463
|
+
const ciAuthorizationServers = Array.isArray(ci.authorization_servers) && ci.authorization_servers.length > 0 ? ci.authorization_servers : authorization_servers;
|
|
2464
|
+
const v1_0CredentialIssuerMetadata = {
|
|
2465
|
+
credential_issuer: ci.credential_issuer ?? issuer,
|
|
2466
|
+
credential_endpoint,
|
|
2467
|
+
authorization_servers: ciAuthorizationServers,
|
|
2468
|
+
credential_configurations_supported: ci.credential_configurations_supported ?? {},
|
|
2469
|
+
display: ci.display ?? [],
|
|
2470
|
+
...nonce_endpoint && {
|
|
2471
|
+
nonce_endpoint
|
|
2472
|
+
},
|
|
2473
|
+
...deferred_credential_endpoint && {
|
|
2474
|
+
deferred_credential_endpoint
|
|
2475
|
+
},
|
|
2476
|
+
...notification_endpoint && {
|
|
2477
|
+
notification_endpoint
|
|
2478
|
+
},
|
|
2479
|
+
...ci.batch_credential_issuance_supported !== void 0 && {
|
|
2480
|
+
batch_credential_issuance_supported: ci.batch_credential_issuance_supported
|
|
2481
|
+
},
|
|
2482
|
+
...ci.credential_issuer_public_key && {
|
|
2483
|
+
credential_issuer_public_key: ci.credential_issuer_public_key
|
|
2484
|
+
},
|
|
2485
|
+
...ci.signed_metadata && {
|
|
2486
|
+
signed_metadata: ci.signed_metadata
|
|
2487
|
+
}
|
|
2488
|
+
};
|
|
2489
|
+
logger7.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
2490
|
+
const processedMetadata = await (0, import_oid4vci_common18.processSignedMetadata)({
|
|
2491
|
+
metadata: v1_0CredentialIssuerMetadata,
|
|
2492
|
+
issuer,
|
|
2493
|
+
signedMetadataVerifyCallback: opts?.signedMetadataVerifyCallback
|
|
2494
|
+
});
|
|
2495
|
+
return {
|
|
2496
|
+
issuer,
|
|
2497
|
+
token_endpoint,
|
|
2498
|
+
credential_endpoint,
|
|
2499
|
+
authorization_challenge_endpoint,
|
|
2500
|
+
notification_endpoint,
|
|
2501
|
+
authorizationServerType,
|
|
2502
|
+
credentialIssuerMetadata: processedMetadata,
|
|
2503
|
+
authorizationServerMetadata: authMetadata
|
|
2504
|
+
};
|
|
2505
|
+
}
|
|
2506
|
+
static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
|
|
2507
|
+
return retrieveWellknown(issuerHost, import_oid4vci_common18.WellKnownEndpoints.OPENID4VCI_ISSUER, {
|
|
2508
|
+
errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
|
|
2509
|
+
});
|
|
2510
|
+
}
|
|
2511
|
+
};
|
|
2512
|
+
|
|
2064
2513
|
// lib/OpenID4VCIClient.ts
|
|
2065
|
-
var
|
|
2066
|
-
var
|
|
2514
|
+
var import_oid4vci_common21 = require("@sphereon/oid4vci-common");
|
|
2515
|
+
var import_ssi_types11 = require("@sphereon/ssi-types");
|
|
2067
2516
|
|
|
2068
2517
|
// lib/OpenID4VCIClientV1_0_15.ts
|
|
2069
|
-
var
|
|
2070
|
-
var
|
|
2518
|
+
var import_oid4vci_common20 = require("@sphereon/oid4vci-common");
|
|
2519
|
+
var import_ssi_types10 = require("@sphereon/ssi-types");
|
|
2071
2520
|
|
|
2072
2521
|
// lib/NonceClient.ts
|
|
2073
|
-
var
|
|
2522
|
+
var import_oid4vci_common19 = require("@sphereon/oid4vci-common");
|
|
2074
2523
|
var sendNonceRequest = /* @__PURE__ */ __name(async (nonceEndpointUrl, opts) => {
|
|
2075
|
-
return await (0,
|
|
2524
|
+
return await (0, import_oid4vci_common19.formPost)(nonceEndpointUrl, new URLSearchParams(), {
|
|
2076
2525
|
customHeaders: opts?.headers
|
|
2077
2526
|
});
|
|
2078
2527
|
}, "sendNonceRequest");
|
|
@@ -2090,14 +2539,14 @@ var acquireNonceFromAuthorizationServer = /* @__PURE__ */ __name(async (opts) =>
|
|
|
2090
2539
|
}, "acquireNonceFromAuthorizationServer");
|
|
2091
2540
|
|
|
2092
2541
|
// lib/OpenID4VCIClientV1_0_15.ts
|
|
2093
|
-
var
|
|
2542
|
+
var logger8 = import_ssi_types10.Loggers.DEFAULT.get("sphereon:oid4vci:v15");
|
|
2094
2543
|
var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
2095
2544
|
static {
|
|
2096
2545
|
__name(this, "OpenID4VCIClientV1_0_15");
|
|
2097
2546
|
}
|
|
2098
2547
|
_state;
|
|
2099
2548
|
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL, keyAttestation }) {
|
|
2100
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
2549
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common20.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
2101
2550
|
if (!issuer) {
|
|
2102
2551
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
2103
2552
|
}
|
|
@@ -2106,10 +2555,10 @@ var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
|
2106
2555
|
credentialIssuer: issuer,
|
|
2107
2556
|
kid,
|
|
2108
2557
|
alg,
|
|
2109
|
-
clientId: clientId ?? (credentialOffer && (0,
|
|
2558
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common20.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
2110
2559
|
pkce: {
|
|
2111
2560
|
disabled: false,
|
|
2112
|
-
codeChallengeMethod:
|
|
2561
|
+
codeChallengeMethod: import_oid4vci_common20.CodeChallengeMethod.S256,
|
|
2113
2562
|
...pkce
|
|
2114
2563
|
},
|
|
2115
2564
|
authorizationRequestOpts,
|
|
@@ -2123,7 +2572,7 @@ var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
|
2123
2572
|
if (!this._state.authorizationRequestOpts) {
|
|
2124
2573
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
2125
2574
|
}
|
|
2126
|
-
|
|
2575
|
+
logger8.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
2127
2576
|
}
|
|
2128
2577
|
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, keyAttestation }) {
|
|
2129
2578
|
const client = new _OpenID4VCIClientV1_0_15({
|
|
@@ -2166,12 +2615,12 @@ var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
|
2166
2615
|
if (retrieveServerMetadata !== false) {
|
|
2167
2616
|
await client.retrieveServerMetadata();
|
|
2168
2617
|
}
|
|
2169
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
2618
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common20.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && createAuthorizationRequestURL !== false) {
|
|
2170
2619
|
await client.createAuthorizationRequestUrl({
|
|
2171
2620
|
authorizationRequest,
|
|
2172
2621
|
pkce
|
|
2173
2622
|
});
|
|
2174
|
-
|
|
2623
|
+
logger8.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
2175
2624
|
}
|
|
2176
2625
|
return client;
|
|
2177
2626
|
}
|
|
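Review bot: The `logger8.debug` call added at new line 2623 writes the complete authorization request URL to the log. How the URL is built is not visible in this hunk, but an authorization request URL normally carries the `state` and PKCE challenge parameters and may carry an issuer state taken from the offer, so I would log it without the query string: `logger8.debug(`Authorization Request URL: ${client._state.authorizationURL?.split("?")[0]}`);`. The same full-URL line is added for `logger9` in the `@@ -2695,12 +3144,12 @@` hunk. The enclosing static method starts before this hunk.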
@@ -2217,11 +2666,11 @@ var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
|
2217
2666
|
}
|
|
2218
2667
|
});
|
|
2219
2668
|
if (response.errorBody) {
|
|
2220
|
-
|
|
2669
|
+
logger8.debug(`Nonce request error:\r
|
|
2221
2670
|
${JSON.stringify(response.errorBody)}`);
|
|
2222
2671
|
return Promise.reject(Error(`Retrieving a nonce from ${this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint} for issuer ${this.getIssuer()} failed with error: ${response.errorBody.error}${response.errorBody.error_description ? ` - ${response.errorBody.error_description}` : ""}`));
|
|
2223
2672
|
} else if (!response.successBody) {
|
|
2224
|
-
|
|
2673
|
+
logger8.debug(`Nonce request error. No success body`);
|
|
2225
2674
|
return Promise.reject(Error(`Retrieving a nonce from ${this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
2226
2675
|
}
|
|
2227
2676
|
this._state.cachedCNonce = response.successBody.c_nonce;
|
|
@@ -2241,12 +2690,12 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2241
2690
|
...opts
|
|
2242
2691
|
});
|
|
2243
2692
|
if (response.errorBody) {
|
|
2244
|
-
|
|
2693
|
+
logger8.debug(`Authorization code error:\r
|
|
2245
2694
|
${JSON.stringify(response.errorBody)}`);
|
|
2246
2695
|
const error = response.errorBody;
|
|
2247
2696
|
return Promise.reject(error);
|
|
2248
2697
|
} else if (!response.successBody) {
|
|
2249
|
-
|
|
2698
|
+
logger8.debug(`Authorization code error. No success body`);
|
|
2250
2699
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
2251
2700
|
}
|
|
2252
2701
|
return {
|
|
@@ -2318,11 +2767,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2318
2767
|
}
|
|
2319
2768
|
});
|
|
2320
2769
|
if (response.errorBody) {
|
|
2321
|
-
|
|
2770
|
+
logger8.debug(`Access token error:\r
|
|
2322
2771
|
${JSON.stringify(response.errorBody)}`);
|
|
2323
2772
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
2324
2773
|
} else if (!response.successBody) {
|
|
2325
|
-
|
|
2774
|
+
logger8.debug(`Access token error. No success body`);
|
|
2326
2775
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
2327
2776
|
}
|
|
2328
2777
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -2344,7 +2793,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2344
2793
|
jwk,
|
|
2345
2794
|
kid
|
|
2346
2795
|
].filter((v) => v !== void 0).length > 1) {
|
|
2347
|
-
throw new Error(
|
|
2796
|
+
throw new Error(import_oid4vci_common20.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
2348
2797
|
}
|
|
2349
2798
|
if (alg) this._state.alg = alg;
|
|
2350
2799
|
if (jwk) this._state.jwk = jwk;
|
|
@@ -2365,7 +2814,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2365
2814
|
} else if (credentialConfigurationId) {
|
|
2366
2815
|
requestBuilder.withCredentialConfigurationId(credentialConfigurationId);
|
|
2367
2816
|
}
|
|
2368
|
-
const issuerState = this.issuerSupportedFlowTypes().includes(
|
|
2817
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common20.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this._state.cachedCNonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
2369
2818
|
requestBuilder.withIssuerState(issuerState);
|
|
2370
2819
|
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
2371
2820
|
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
@@ -2411,7 +2860,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2411
2860
|
if (this._state.kid) {
|
|
2412
2861
|
proofBuilder.withKid(this._state.kid);
|
|
2413
2862
|
}
|
|
2414
|
-
if (this.clientId && (!this.credentialOffer || this.credentialOffer.supportedFlows.includes(
|
|
2863
|
+
if (this.clientId && (!this.credentialOffer || this.credentialOffer.supportedFlows.includes(import_oid4vci_common20.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && !this.credentialOffer.preAuthorizedCode)) {
|
|
2415
2864
|
proofBuilder.withClientId(this.clientId);
|
|
2416
2865
|
}
|
|
2417
2866
|
if (jti) {
|
|
@@ -2431,11 +2880,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2431
2880
|
});
|
|
2432
2881
|
this._state.dpopResponseParams = response.params;
|
|
2433
2882
|
if (response.errorBody) {
|
|
2434
|
-
|
|
2883
|
+
logger8.debug(`Credential request error:\r
|
|
2435
2884
|
${JSON.stringify(response.errorBody)}`);
|
|
2436
2885
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
2437
2886
|
} else if (!response.successBody) {
|
|
2438
|
-
|
|
2887
|
+
logger8.debug(`Credential request error. No success body`);
|
|
2439
2888
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
2440
2889
|
}
|
|
2441
2890
|
return {
|
|
@@ -2450,7 +2899,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2450
2899
|
return JSON.stringify(this._state);
|
|
2451
2900
|
}
|
|
2452
2901
|
getCredentialsSupported(restrictToInitiationTypes, format) {
|
|
2453
|
-
return (0,
|
|
2902
|
+
return (0, import_oid4vci_common20.getSupportedCredentials)({
|
|
2454
2903
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
2455
2904
|
version: this.version(),
|
|
2456
2905
|
format,
|
|
@@ -2470,7 +2919,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2470
2919
|
}
|
|
2471
2920
|
issuerSupportedFlowTypes() {
|
|
2472
2921
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
|
|
2473
|
-
|
|
2922
|
+
import_oid4vci_common20.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
2474
2923
|
] : []);
|
|
2475
2924
|
}
|
|
2476
2925
|
isFlowTypeSupported(flowType) {
|
|
@@ -2486,7 +2935,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2486
2935
|
return this._state.credentialOffer;
|
|
2487
2936
|
}
|
|
2488
2937
|
version() {
|
|
2489
|
-
return
|
|
2938
|
+
return import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_15;
|
|
2490
2939
|
}
|
|
2491
2940
|
get endpointMetadata() {
|
|
2492
2941
|
this.assertServerMetadata();
|
|
@@ -2595,7 +3044,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2595
3044
|
};
|
|
2596
3045
|
if (!authorizationRequestOpts) {
|
|
2597
3046
|
authorizationRequestOpts = {
|
|
2598
|
-
redirectUri: `${
|
|
3047
|
+
redirectUri: `${import_oid4vci_common20.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
2599
3048
|
};
|
|
2600
3049
|
}
|
|
2601
3050
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -2606,7 +3055,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2606
3055
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
2607
3056
|
if (authorizationResponse) {
|
|
2608
3057
|
this._state.authorizationCodeResponse = {
|
|
2609
|
-
...(0,
|
|
3058
|
+
...(0, import_oid4vci_common20.toAuthorizationResponsePayload)(authorizationResponse)
|
|
2610
3059
|
};
|
|
2611
3060
|
} else if (code) {
|
|
2612
3061
|
this._state.authorizationCodeResponse = {
|
|
@@ -2618,14 +3067,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2618
3067
|
};
|
|
2619
3068
|
|
|
2620
3069
|
// lib/OpenID4VCIClient.ts
|
|
2621
|
-
var
|
|
3070
|
+
var logger9 = import_ssi_types11.Loggers.DEFAULT.get("sphereon:oid4vci");
|
|
2622
3071
|
var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
2623
3072
|
static {
|
|
2624
3073
|
__name(this, "OpenID4VCIClient");
|
|
2625
3074
|
}
|
|
2626
3075
|
_state;
|
|
2627
3076
|
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
2628
|
-
const issuer = credentialIssuer ?? (credentialOffer ? (0,
|
|
3077
|
+
const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common21.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
|
|
2629
3078
|
if (!issuer) {
|
|
2630
3079
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
2631
3080
|
}
|
|
@@ -2635,10 +3084,10 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
2635
3084
|
kid,
|
|
2636
3085
|
alg,
|
|
2637
3086
|
// TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
|
|
2638
|
-
clientId: clientId ?? (credentialOffer && (0,
|
|
3087
|
+
clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common21.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
|
|
2639
3088
|
pkce: {
|
|
2640
3089
|
disabled: false,
|
|
2641
|
-
codeChallengeMethod:
|
|
3090
|
+
codeChallengeMethod: import_oid4vci_common21.CodeChallengeMethod.S256,
|
|
2642
3091
|
...pkce
|
|
2643
3092
|
},
|
|
2644
3093
|
authorizationRequestOpts,
|
|
@@ -2652,7 +3101,7 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
2652
3101
|
if (!this._state.authorizationRequestOpts) {
|
|
2653
3102
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
2654
3103
|
}
|
|
2655
|
-
|
|
3104
|
+
logger9.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
2656
3105
|
}
|
|
2657
3106
|
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
|
|
2658
3107
|
const client = new _OpenID4VCIClient({
|
|
@@ -2695,12 +3144,12 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
2695
3144
|
if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
|
|
2696
3145
|
await client.retrieveServerMetadata();
|
|
2697
3146
|
}
|
|
2698
|
-
if (credentialOfferClient.supportedFlows.includes(
|
|
3147
|
+
if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common21.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
|
|
2699
3148
|
await client.createAuthorizationRequestUrl({
|
|
2700
3149
|
authorizationRequest,
|
|
2701
3150
|
pkce
|
|
2702
3151
|
});
|
|
2703
|
-
|
|
3152
|
+
logger9.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
2704
3153
|
}
|
|
2705
3154
|
return client;
|
|
2706
3155
|
}
|
|
@@ -2757,12 +3206,12 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
2757
3206
|
...opts
|
|
2758
3207
|
});
|
|
2759
3208
|
if (response.errorBody) {
|
|
2760
|
-
|
|
3209
|
+
logger9.debug(`Authorization code error:\r
|
|
2761
3210
|
${JSON.stringify(response.errorBody)}`);
|
|
2762
3211
|
const error = response.errorBody;
|
|
2763
3212
|
return Promise.reject(error);
|
|
2764
3213
|
} else if (!response.successBody) {
|
|
2765
|
-
|
|
3214
|
+
logger9.debug(`Authorization code error. No success body`);
|
|
2766
3215
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
2767
3216
|
}
|
|
2768
3217
|
return {
|
|
@@ -2834,11 +3283,12 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2834
3283
|
}
|
|
2835
3284
|
});
|
|
2836
3285
|
if (response.errorBody) {
|
|
2837
|
-
|
|
2838
|
-
|
|
2839
|
-
|
|
3286
|
+
const errorDetail = typeof response.errorBody === "object" ? JSON.stringify(response.errorBody) : String(response.errorBody);
|
|
3287
|
+
logger9.error(`Access token error response (status ${response.origResponse.status}):\r
|
|
3288
|
+
${errorDetail}`);
|
|
3289
|
+
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}. Response: ${errorDetail}`);
|
|
2840
3290
|
} else if (!response.successBody) {
|
|
2841
|
-
|
|
3291
|
+
logger9.debug(`Access token error. No success body`);
|
|
2842
3292
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
2843
3293
|
}
|
|
2844
3294
|
this._state.accessTokenResponse = response.successBody;
|
|
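Review bot: At new lines 3286–3289 the whole token-endpoint error body is stringified into `errorDetail` and then placed both in an error-level log entry and in the thrown `Error` message. That body is chosen by the remote server, has no length bound and can contain line breaks, so it travels wherever callers print or forward `err.message`; the V1_0_15 client in the `@@ -2318,11 +2767,11 @@` hunk keeps the body at debug level and reports only the status. I would limit the detail to the two standard fields and cap it, e.g. `const errorDetail = [response.errorBody?.error, response.errorBody?.error_description].filter(Boolean).join(" - ").slice(0, 256);`. The credential-request error paths in the `@@ -2951,11 +3406,12 @@` and `@@ -3003,11 +3459,12 @@` hunks append `error_description` to the message without a bound in the same way. The enclosing method starts and ends outside this hunk.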
@@ -2855,23 +3305,21 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2855
3305
|
}
|
|
2856
3306
|
};
|
|
2857
3307
|
}
|
|
2858
|
-
async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
3308
|
+
async acquireCredentials({ credentialIdentifier, credentialConfigurationId, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
2859
3309
|
if ([
|
|
2860
3310
|
jwk,
|
|
2861
3311
|
kid
|
|
2862
3312
|
].filter((v) => v !== void 0).length > 1) {
|
|
2863
|
-
throw new Error(
|
|
3313
|
+
throw new Error(import_oid4vci_common21.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
|
|
2864
3314
|
}
|
|
2865
3315
|
if (alg) this._state.alg = alg;
|
|
2866
3316
|
if (jwk) this._state.jwk = jwk;
|
|
2867
3317
|
if (kid) this._state.kid = kid;
|
|
2868
|
-
if (this.
|
|
2869
|
-
|
|
2870
|
-
|
|
2871
|
-
|
|
2872
|
-
|
|
2873
|
-
return Promise.reject(Error(`failed to acquire nonce: ${String(e)}`));
|
|
2874
|
-
}
|
|
3318
|
+
if (!this._state.cachedCNonce && this.hasNonceEndpoint()) {
|
|
3319
|
+
try {
|
|
3320
|
+
await this.acquireNonceViaV15Delegate();
|
|
3321
|
+
} catch (e) {
|
|
3322
|
+
return Promise.reject(Error(`failed to acquire nonce: ${String(e)}`));
|
|
2875
3323
|
}
|
|
2876
3324
|
}
|
|
2877
3325
|
let requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
|
|
@@ -2880,15 +3328,22 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2880
3328
|
}) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
2881
3329
|
credentialIssuer: this.getIssuer(),
|
|
2882
3330
|
credentialTypes,
|
|
3331
|
+
credentialIdentifier,
|
|
3332
|
+
credentialConfigurationId,
|
|
2883
3333
|
metadata: this.endpointMetadata,
|
|
2884
3334
|
version: this.version()
|
|
2885
3335
|
});
|
|
2886
|
-
|
|
3336
|
+
if (credentialIdentifier) {
|
|
3337
|
+
requestBuilder.withCredentialIdentifier(credentialIdentifier);
|
|
3338
|
+
} else if (credentialConfigurationId) {
|
|
3339
|
+
requestBuilder.withCredentialConfigurationId(credentialConfigurationId);
|
|
3340
|
+
}
|
|
3341
|
+
const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common21.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
2887
3342
|
requestBuilder.withIssuerState(issuerState);
|
|
2888
3343
|
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
2889
3344
|
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
2890
3345
|
let subjectIssuance;
|
|
2891
|
-
if (this.endpointMetadata?.credentialIssuerMetadata) {
|
|
3346
|
+
if (this.endpointMetadata?.credentialIssuerMetadata && credentialTypes) {
|
|
2892
3347
|
const metadata = this.endpointMetadata.credentialIssuerMetadata;
|
|
2893
3348
|
const types = Array.isArray(credentialTypes) ? credentialTypes : [
|
|
2894
3349
|
credentialTypes
|
|
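Review bot: With `&& credentialTypes` added to the guard at new line 3346, the comparison against the issuer metadata is skipped whenever the caller selects the credential by `credentialIdentifier` or `credentialConfigurationId`, and nothing visible in this hunk confirms that the id is one the issuer advertises (the request builder may check this; it is not shown here). There is also no rejection of a call that supplies none of the three selectors, in which case the `credentialTypes ?? credentialIdentifier ?? credentialConfigurationId` argument in the `@@ -2943,7 +3398,7 @@` hunk evaluates to `undefined`. Unless the offer path is meant to supply the selection itself, a guard before the builder is created would cover that: `if (!this.credentialOffer && !credentialTypes && !credentialIdentifier && !credentialConfigurationId) throw Error("No credential type, identifier or configuration id supplied");`. `acquireCredentials` starts in the previous hunk and continues past this one.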
@@ -2896,7 +3351,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2896
3351
|
if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
|
|
2897
3352
|
let typeSupported = false;
|
|
2898
3353
|
metadata.credentials_supported.forEach((supportedCredential) => {
|
|
2899
|
-
const subTypes = (0,
|
|
3354
|
+
const subTypes = (0, import_oid4vci_common21.getTypesFromCredentialSupported)(supportedCredential);
|
|
2900
3355
|
if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
|
|
2901
3356
|
typeSupported = true;
|
|
2902
3357
|
if (supportedCredential.credential_subject_issuance) {
|
|
@@ -2932,7 +3387,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2932
3387
|
if (this._state.kid) {
|
|
2933
3388
|
proofBuilder.withKid(this._state.kid);
|
|
2934
3389
|
}
|
|
2935
|
-
if (this.clientId && (!this.credentialOffer || this.credentialOffer.supportedFlows.includes(
|
|
3390
|
+
if (this.clientId && (!this.credentialOffer || this.credentialOffer.supportedFlows.includes(import_oid4vci_common21.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && !this.credentialOffer.preAuthorizedCode)) {
|
|
2936
3391
|
proofBuilder.withClientId(this.clientId);
|
|
2937
3392
|
}
|
|
2938
3393
|
if (jti) {
|
|
@@ -2943,7 +3398,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2943
3398
|
}
|
|
2944
3399
|
const response = await credentialRequestClient.acquireCredentialsUsingProof({
|
|
2945
3400
|
proofInput: proofBuilder,
|
|
2946
|
-
credentialTypes,
|
|
3401
|
+
credentialTypes: credentialTypes ?? credentialIdentifier ?? credentialConfigurationId,
|
|
2947
3402
|
context,
|
|
2948
3403
|
format,
|
|
2949
3404
|
subjectIssuance,
|
|
@@ -2951,11 +3406,12 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2951
3406
|
});
|
|
2952
3407
|
this._state.dpopResponseParams = response.params;
|
|
2953
3408
|
if (response.errorBody) {
|
|
2954
|
-
|
|
3409
|
+
logger9.debug(`Credential request error:\r
|
|
2955
3410
|
${JSON.stringify(response.errorBody)}`);
|
|
2956
|
-
|
|
3411
|
+
const errDesc = response.errorBody.error_description ? `: ${response.errorBody.error_description}` : response.errorBody.error ? `: ${response.errorBody.error}` : "";
|
|
3412
|
+
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}${errDesc}`);
|
|
2957
3413
|
} else if (!response.successBody) {
|
|
2958
|
-
|
|
3414
|
+
logger9.debug(`Credential request error. No success body`);
|
|
2959
3415
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
2960
3416
|
}
|
|
2961
3417
|
return {
|
|
@@ -3003,11 +3459,12 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
3003
3459
|
});
|
|
3004
3460
|
this._state.dpopResponseParams = response2.params;
|
|
3005
3461
|
if (response2.errorBody) {
|
|
3006
|
-
|
|
3462
|
+
logger9.debug(`Credential request error (after retry):\r
|
|
3007
3463
|
${JSON.stringify(response2.errorBody)}`);
|
|
3008
|
-
|
|
3464
|
+
const errDesc2 = response2.errorBody.error_description ? `: ${response2.errorBody.error_description}` : response2.errorBody.error ? `: ${response2.errorBody.error}` : "";
|
|
3465
|
+
return Promise.reject(Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed after retry with status: ${response2.origResponse.status}${errDesc2}`));
|
|
3009
3466
|
} else if (!response2.successBody) {
|
|
3010
|
-
|
|
3467
|
+
logger9.debug(`Credential request error after retry. No success body`);
|
|
3011
3468
|
return Promise.reject(Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed after retry as there was no success response body`));
|
|
3012
3469
|
}
|
|
3013
3470
|
return {
|
|
@@ -3023,7 +3480,7 @@ ${JSON.stringify(response2.errorBody)}`);
|
|
|
3023
3480
|
return JSON.stringify(this._state);
|
|
3024
3481
|
}
|
|
3025
3482
|
getCredentialsSupported(format) {
|
|
3026
|
-
return (0,
|
|
3483
|
+
return (0, import_oid4vci_common21.getSupportedCredentials)({
|
|
3027
3484
|
issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
|
|
3028
3485
|
version: this.version(),
|
|
3029
3486
|
format
|
|
@@ -3034,7 +3491,7 @@ ${JSON.stringify(response2.errorBody)}`);
|
|
|
3034
3491
|
}
|
|
3035
3492
|
issuerSupportedFlowTypes() {
|
|
3036
3493
|
return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
|
|
3037
|
-
|
|
3494
|
+
import_oid4vci_common21.AuthzFlowType.AUTHORIZATION_CODE_FLOW
|
|
3038
3495
|
] : []);
|
|
3039
3496
|
}
|
|
3040
3497
|
isFlowTypeSupported(flowType) {
|
|
@@ -3050,17 +3507,17 @@ ${JSON.stringify(response2.errorBody)}`);
|
|
|
3050
3507
|
return this._state.credentialOffer;
|
|
3051
3508
|
}
|
|
3052
3509
|
version() {
|
|
3053
|
-
if (this.credentialOffer?.version && this.credentialOffer.version !== import_oid4vci_common19.OpenId4VCIVersion.VER_UNKNOWN) {
|
|
3054
|
-
return this.credentialOffer.version;
|
|
3055
|
-
}
|
|
3056
3510
|
const metadata = this._state.endpointMetadata;
|
|
3057
3511
|
if (metadata?.credentialIssuerMetadata) {
|
|
3058
|
-
const versions = (0,
|
|
3059
|
-
if (versions.length > 0 && !versions.includes(
|
|
3512
|
+
const versions = (0, import_oid4vci_common21.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
|
|
3513
|
+
if (versions.length > 0 && !versions.includes(import_oid4vci_common21.OpenId4VCIVersion.VER_UNKNOWN)) {
|
|
3060
3514
|
return versions[0];
|
|
3061
3515
|
}
|
|
3062
3516
|
}
|
|
3063
|
-
|
|
3517
|
+
if (this.credentialOffer?.version && this.credentialOffer.version !== import_oid4vci_common21.OpenId4VCIVersion.VER_UNKNOWN) {
|
|
3518
|
+
return this.credentialOffer.version;
|
|
3519
|
+
}
|
|
3520
|
+
return import_oid4vci_common21.OpenId4VCIVersion.VER_1_0;
|
|
3064
3521
|
}
|
|
3065
3522
|
get endpointMetadata() {
|
|
3066
3523
|
this.assertServerMetadata();
|
|
@@ -3166,7 +3623,7 @@ ${JSON.stringify(response2.errorBody)}`);
|
|
|
3166
3623
|
};
|
|
3167
3624
|
if (!authorizationRequestOpts) {
|
|
3168
3625
|
authorizationRequestOpts = {
|
|
3169
|
-
redirectUri: `${
|
|
3626
|
+
redirectUri: `${import_oid4vci_common21.DefaultURISchemes.CREDENTIAL_OFFER}://`
|
|
3170
3627
|
};
|
|
3171
3628
|
}
|
|
3172
3629
|
const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
|
|
@@ -3177,7 +3634,7 @@ ${JSON.stringify(response2.errorBody)}`);
|
|
|
3177
3634
|
getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
|
|
3178
3635
|
if (authorizationResponse) {
|
|
3179
3636
|
this._state.authorizationCodeResponse = {
|
|
3180
|
-
...(0,
|
|
3637
|
+
...(0, import_oid4vci_common21.toAuthorizationResponsePayload)(authorizationResponse)
|
|
3181
3638
|
};
|
|
3182
3639
|
} else if (code) {
|
|
3183
3640
|
this._state.authorizationCodeResponse = {
|
|
@@ -3208,7 +3665,8 @@ ${JSON.stringify(response2.errorBody)}`);
|
|
|
3208
3665
|
state.cachedCNonce = v15Client.state.cachedCNonce;
|
|
3209
3666
|
}
|
|
3210
3667
|
shouldRetryWithFreshNonce(err) {
|
|
3211
|
-
|
|
3668
|
+
const canRetry = this.hasNonceEndpoint() || this.version() >= import_oid4vci_common21.OpenId4VCIVersion.VER_1_0;
|
|
3669
|
+
if (!canRetry) {
|
|
3212
3670
|
return false;
|
|
3213
3671
|
}
|
|
3214
3672
|
const status = err?.response?.status ?? err?.status;
|
|
@@ -3235,5 +3693,5 @@ ${JSON.stringify(response2.errorBody)}`);
|
|
|
3235
3693
|
};
|
|
3236
3694
|
|
|
3237
3695
|
// lib/index.ts
|
|
3238
|
-
var LOG2 =
|
|
3696
|
+
var LOG2 = import_oid4vci_common22.VCI_LOGGERS.get("sphereon:oid4vci:client");
|
|
3239
3697
|
//# sourceMappingURL=index.cjs.map
|