@sphereon/oid4vci-client 0.20.2-next.2 → 0.21.0
- package/dist/index.cjs +574 -116
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +93 -16
- package/dist/index.d.ts +93 -16
- package/dist/index.js +552 -94
- package/dist/index.js.map +1 -1
- package/package.json +4 -4
package/dist/index.js
CHANGED
|
@@ -86,7 +86,7 @@ import { uuidv4 } from "@sphereon/oid4vc-common";
|
|
|
86
86
|
import { OpenId4VCIVersion } from "@sphereon/oid4vci-common";
|
|
87
87
|
|
|
88
88
|
// lib/ProofOfPossessionBuilder.ts
|
|
89
|
-
import { createProofOfPossession, NO_JWT_PROVIDED, PROOF_CANT_BE_CONSTRUCTED } from "@sphereon/oid4vci-common";
|
|
89
|
+
import { createCwtProofOfPossession, createProofOfPossession, NO_JWT_PROVIDED, PROOF_CANT_BE_CONSTRUCTED } from "@sphereon/oid4vci-common";
|
|
90
90
|
var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
|
|
91
91
|
static {
|
|
92
92
|
__name(this, "ProofOfPossessionBuilder");
|
|
@@ -105,6 +105,8 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
|
|
|
105
105
|
jti;
|
|
106
106
|
cNonce;
|
|
107
107
|
typ;
|
|
108
|
+
proofType = "jwt";
|
|
109
|
+
coseKey;
|
|
108
110
|
constructor({ proof, callbacks, jwt, accessTokenResponse, version, mode = "pop" }) {
|
|
109
111
|
this.mode = mode;
|
|
110
112
|
this.proof = proof;
|
|
@@ -189,6 +191,14 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
|
|
|
189
191
|
this.typ = typ;
|
|
190
192
|
return this;
|
|
191
193
|
}
|
|
194
|
+
withProofType(proofType) {
|
|
195
|
+
this.proofType = proofType;
|
|
196
|
+
return this;
|
|
197
|
+
}
|
|
198
|
+
withCoseKey(coseKey) {
|
|
199
|
+
this.coseKey = coseKey;
|
|
200
|
+
return this;
|
|
201
|
+
}
|
|
192
202
|
withAccessTokenNonce(cNonce) {
|
|
193
203
|
this.cNonce = cNonce;
|
|
194
204
|
return this;
|
|
@@ -238,6 +248,17 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
|
|
|
238
248
|
if (this.proof) {
|
|
239
249
|
return Promise.resolve(this.proof);
|
|
240
250
|
} else if (this.callbacks) {
|
|
251
|
+
if (this.proofType === "cwt" && this.callbacks.cwtSignCallback) {
|
|
252
|
+
return await createCwtProofOfPossession(this.callbacks, {
|
|
253
|
+
iss: this.clientId ?? this.issuer,
|
|
254
|
+
aud: Array.isArray(this.aud) ? this.aud[0] : this.aud ?? this.issuer ?? "",
|
|
255
|
+
nonce: this.cNonce,
|
|
256
|
+
alg: this.alg,
|
|
257
|
+
jwk: this.jwk,
|
|
258
|
+
kid: this.kid,
|
|
259
|
+
coseKey: this.coseKey
|
|
260
|
+
});
|
|
261
|
+
}
|
|
241
262
|
return await createProofOfPossession(this.mode, this.callbacks, {
|
|
242
263
|
typ: this.typ ?? (this.mode === "JWT" ? "JWT" : "openid4vci-proof+jwt"),
|
|
243
264
|
kid: this.kid,
|
|
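Review bot: A caller that sets `proofType` to `"cwt"` without supplying `callbacks.cwtSignCallback` silently gets a JWT proof, because the new condition is false and `build()` falls through to `createProofOfPossession`. Failing is safer than changing the proof format behind the caller's back: `if (this.proofType === "cwt" && !this.callbacks.cwtSignCallback) throw new Error(PROOF_CANT_BE_CONSTRUCTED);`. The CWT options also fall back to `""` for `aud` and pass `nonce: this.cNonce` without checking that it is set. Whether `createCwtProofOfPossession` rejects an empty audience or a missing nonce is not visible here, so a guard or a comment stating that contract would help. `build()` starts and ends outside this hunk.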
@@ -258,7 +279,7 @@ var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
|
|
|
258
279
|
|
|
259
280
|
// lib/functions/AccessTokenUtil.ts
|
|
260
281
|
var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts) => {
|
|
261
|
-
const { asOpts, credentialIssuer } = opts;
|
|
282
|
+
const { asOpts, credentialIssuer, metadata } = opts;
|
|
262
283
|
if (asOpts?.clientOpts?.clientAssertionType === "urn:ietf:params:oauth:client-assertion-type:jwt-bearer") {
|
|
263
284
|
const { clientId = request.client_id, signCallbacks, alg } = asOpts.clientOpts;
|
|
264
285
|
let { kid } = asOpts.clientOpts;
|
|
@@ -274,6 +295,7 @@ var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts
|
|
|
274
295
|
if (clientId.startsWith("http") && kid.includes("#")) {
|
|
275
296
|
kid = kid.split("#")[1];
|
|
276
297
|
}
|
|
298
|
+
const aud = metadata?.token_endpoint ?? asOpts?.tokenEndpoint ?? credentialIssuer;
|
|
277
299
|
const jwt = {
|
|
278
300
|
header: {
|
|
279
301
|
typ: "JWT",
|
|
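Review bot: The audience of the client assertion now prefers `metadata?.token_endpoint`, a value that comes from fetched server metadata, over the caller-configured `asOpts?.tokenEndpoint`. If that metadata is wrong or attacker-influenced, the client signs an assertion for whatever audience the metadata names. Current OAuth guidance for JWT client authentication moves towards using the authorization server's issuer identifier as the audience for this reason. Consider putting the configured value first, `const aud = asOpts?.tokenEndpoint ?? metadata?.token_endpoint ?? credentialIssuer;`, or using the authorization server's issuer where it is known, and add a comment recording why this order was chosen. The function body starts and ends outside this hunk, and the shape of `metadata` is not visible here.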
@@ -283,16 +305,16 @@ var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts
|
|
|
283
305
|
payload: {
|
|
284
306
|
iss: clientId,
|
|
285
307
|
sub: clientId,
|
|
286
|
-
aud
|
|
308
|
+
aud,
|
|
287
309
|
jti: uuidv4(),
|
|
288
|
-
exp: Math.floor(Date.now()
|
|
289
|
-
iat: Math.floor(Date.now()
|
|
310
|
+
exp: Math.floor(Date.now() / 1e3) + 60,
|
|
311
|
+
iat: Math.floor(Date.now() / 1e3) - 60
|
|
290
312
|
}
|
|
291
313
|
};
|
|
292
314
|
const pop = await ProofOfPossessionBuilder.fromJwt({
|
|
293
315
|
jwt,
|
|
294
316
|
callbacks: signCallbacks,
|
|
295
|
-
version: opts.version ?? OpenId4VCIVersion.
|
|
317
|
+
version: opts.version ?? OpenId4VCIVersion.VER_1_0,
|
|
296
318
|
mode: "JWT"
|
|
297
319
|
}).build();
|
|
298
320
|
request.client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
|
|
@@ -389,7 +411,7 @@ function shouldRetryResourceRequestWithDPoPNonce(response) {
|
|
|
389
411
|
__name(shouldRetryResourceRequestWithDPoPNonce, "shouldRetryResourceRequestWithDPoPNonce");
|
|
390
412
|
|
|
391
413
|
// lib/MetadataClientV1_0_15.ts
|
|
392
|
-
import { getIssuerFromCredentialOfferPayload, WellKnownEndpoints } from "@sphereon/oid4vci-common";
|
|
414
|
+
import { getIssuerFromCredentialOfferPayload, processSignedMetadata, WellKnownEndpoints } from "@sphereon/oid4vci-common";
|
|
393
415
|
import { Loggers as Loggers2 } from "@sphereon/ssi-types";
|
|
394
416
|
var logger2 = Loggers2.DEFAULT.get("sphereon:oid4vci:metadata");
|
|
395
417
|
var MetadataClientV1_0_15 = class _MetadataClientV1_0_15 {
|
|
@@ -546,9 +568,17 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
546
568
|
},
|
|
547
569
|
...notification_endpoint && {
|
|
548
570
|
notification_endpoint
|
|
571
|
+
},
|
|
572
|
+
...ci.signed_metadata && {
|
|
573
|
+
signed_metadata: ci.signed_metadata
|
|
549
574
|
}
|
|
550
575
|
};
|
|
551
576
|
logger2.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
577
|
+
const processedMetadata = await processSignedMetadata({
|
|
578
|
+
metadata: v15CredentialIssuerMetadata,
|
|
579
|
+
issuer,
|
|
580
|
+
signedMetadataVerifyCallback: opts?.signedMetadataVerifyCallback
|
|
581
|
+
});
|
|
552
582
|
return {
|
|
553
583
|
issuer,
|
|
554
584
|
token_endpoint,
|
|
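Review bot: Verification of `signed_metadata` is optional at this call site: `signedMetadataVerifyCallback` is `opts?.signedMetadataVerifyCallback`, which is `undefined` whenever the caller passes no options, and the hunk does not show what `processSignedMetadata` does in that case. If it then returns the unsigned JSON or decodes the JWT without a signature check, the `credentialIssuerMetadata` handed back to callers looks authenticated when it is not. The returned object also still takes `token_endpoint` and the other top-level endpoints from variables read before processing, so they can differ from `processedMetadata`. The `@@ -959,12 +996,20 @@` hunk in `MetadataClient` has the same pattern and reads `nonce_endpoint` from the unprocessed `credentialIssuerMetadata`. Please add a comment stating the no-callback behaviour, such as `// signed_metadata is only honoured when signedMetadataVerifyCallback is provided`, and derive the endpoints from the processed metadata. The enclosing method starts outside this hunk.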
@@ -556,7 +586,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
556
586
|
authorization_challenge_endpoint,
|
|
557
587
|
notification_endpoint,
|
|
558
588
|
authorizationServerType,
|
|
559
|
-
credentialIssuerMetadata:
|
|
589
|
+
credentialIssuerMetadata: processedMetadata,
|
|
560
590
|
authorizationServerMetadata: authMetadata
|
|
561
591
|
};
|
|
562
592
|
}
|
|
@@ -666,6 +696,9 @@ var AccessTokenClient = class _AccessTokenClient {
|
|
|
666
696
|
...opts,
|
|
667
697
|
credentialIssuer
|
|
668
698
|
});
|
|
699
|
+
if (request.client_assertion) {
|
|
700
|
+
delete request.client_id;
|
|
701
|
+
}
|
|
669
702
|
if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
|
|
670
703
|
request.grant_type = GrantTypes.AUTHORIZATION_CODE;
|
|
671
704
|
request.code = code;
|
|
@@ -677,8 +710,11 @@ var AccessTokenClient = class _AccessTokenClient {
|
|
|
677
710
|
}
|
|
678
711
|
if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
|
|
679
712
|
this.assertAlphanumericPin(opts.pinMetadata, pin);
|
|
680
|
-
|
|
681
|
-
|
|
713
|
+
if (opts.pinMetadata?.txCode) {
|
|
714
|
+
request.tx_code = pin;
|
|
715
|
+
} else {
|
|
716
|
+
request.user_pin = pin;
|
|
717
|
+
}
|
|
682
718
|
request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
|
|
683
719
|
request[PRE_AUTH_CODE_LITERAL2] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL2]?.[PRE_AUTH_CODE_LITERAL2];
|
|
684
720
|
return request;
|
|
@@ -761,9 +797,11 @@ var AccessTokenClient = class _AccessTokenClient {
|
|
|
761
797
|
}
|
|
762
798
|
}
|
|
763
799
|
async sendAuthCode(requestTokenURL, accessTokenRequest, opts) {
|
|
764
|
-
|
|
800
|
+
const body = convertJsonToURI(accessTokenRequest, {
|
|
765
801
|
mode: JsonURIMode.X_FORM_WWW_URLENCODED
|
|
766
|
-
})
|
|
802
|
+
});
|
|
803
|
+
LOG.info(`Token request to ${requestTokenURL}: ${body}`);
|
|
804
|
+
return await formPost(requestTokenURL, body, {
|
|
767
805
|
customHeaders: opts?.headers ? opts.headers : void 0
|
|
768
806
|
});
|
|
769
807
|
}
|
|
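Review bot: The added `LOG.info` in `sendAuthCode` writes the complete form-encoded token request to the log at info level. Elsewhere in this file the request is given `code`, the pre-authorized code, `tx_code` or `user_pin`, and `client_assertion`, so these credentials end up readable by anyone with access to application logs and can be replayed while still valid. Log the endpoint and non-secret fields only, for example `LOG.debug("Token request to " + requestTokenURL + " grant_type=" + accessTokenRequest.grant_type);`.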
@@ -808,7 +846,7 @@ import { CodeChallengeMethod as CodeChallengeMethod2, convertJsonToURI as conver
|
|
|
808
846
|
import { Loggers as Loggers4 } from "@sphereon/ssi-types";
|
|
809
847
|
|
|
810
848
|
// lib/MetadataClient.ts
|
|
811
|
-
import { determineSpecVersionFromOffer, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload3, OpenId4VCIVersion as OpenId4VCIVersion2, WellKnownEndpoints as WellKnownEndpoints2 } from "@sphereon/oid4vci-common";
|
|
849
|
+
import { determineSpecVersionFromOffer, determineVersionsFromIssuerMetadata, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload3, OpenId4VCIVersion as OpenId4VCIVersion2, processSignedMetadata as processSignedMetadata2, WellKnownEndpoints as WellKnownEndpoints2 } from "@sphereon/oid4vci-common";
|
|
812
850
|
import { Loggers as Loggers3 } from "@sphereon/ssi-types";
|
|
813
851
|
var logger3 = Loggers3.DEFAULT.get("sphereon:oid4vci:metadata");
|
|
814
852
|
var MetadataClient = class _MetadataClient {
|
|
@@ -821,6 +859,10 @@ var MetadataClient = class _MetadataClient {
|
|
|
821
859
|
* @param credentialOffer
|
|
822
860
|
*/
|
|
823
861
|
static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
|
|
862
|
+
const issuer = getIssuerFromCredentialOfferPayload3(credentialOffer.credential_offer);
|
|
863
|
+
if (issuer) {
|
|
864
|
+
return _MetadataClient.retrieveAllMetadata(issuer);
|
|
865
|
+
}
|
|
824
866
|
const openId4VCIVersion = determineSpecVersionFromOffer(credentialOffer.credential_offer);
|
|
825
867
|
if (openId4VCIVersion >= OpenId4VCIVersion2.VER_1_0_15) {
|
|
826
868
|
return await MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOffer(credentialOffer);
|
|
@@ -834,12 +876,7 @@ var MetadataClient = class _MetadataClient {
|
|
|
834
876
|
static async retrieveAllMetadataFromCredentialOfferRequest(request) {
|
|
835
877
|
const issuer = getIssuerFromCredentialOfferPayload3(request);
|
|
836
878
|
if (issuer) {
|
|
837
|
-
|
|
838
|
-
if (openId4VCIVersion >= OpenId4VCIVersion2.VER_1_0_15) {
|
|
839
|
-
return MetadataClientV1_0_15.retrieveAllMetadataFromCredentialOfferRequest(request);
|
|
840
|
-
} else {
|
|
841
|
-
return Promise.reject(Error(`OpenId4VCIVersion ${openId4VCIVersion} is not supported in retrieveAllMetadataFromCredentialOfferRequest`));
|
|
842
|
-
}
|
|
879
|
+
return _MetadataClient.retrieveAllMetadata(issuer);
|
|
843
880
|
}
|
|
844
881
|
throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
|
|
845
882
|
}
|
|
@@ -959,12 +996,20 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
959
996
|
return Promise.reject(Error(`No /.well-known/openid-credential-issuer at ${issuer}.`));
|
|
960
997
|
}
|
|
961
998
|
logger3.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
999
|
+
const versions = credentialIssuerMetadata ? determineVersionsFromIssuerMetadata(credentialIssuerMetadata) : [];
|
|
1000
|
+
const detectedVersion = versions.length > 0 ? versions[0] : OpenId4VCIVersion2.VER_1_0;
|
|
1001
|
+
logger3.debug(`Detected OID4VCI version ${detectedVersion} for issuer ${issuer}`);
|
|
1002
|
+
const processedMetadata = await processSignedMetadata2({
|
|
1003
|
+
metadata: credentialIssuerMetadata,
|
|
1004
|
+
issuer,
|
|
1005
|
+
signedMetadataVerifyCallback: opts?.signedMetadataVerifyCallback
|
|
1006
|
+
});
|
|
962
1007
|
return {
|
|
963
1008
|
issuer,
|
|
964
1009
|
token_endpoint,
|
|
965
1010
|
credential_endpoint,
|
|
966
1011
|
deferred_credential_endpoint,
|
|
967
|
-
nonce_endpoint: credentialIssuerMetadata
|
|
1012
|
+
nonce_endpoint: credentialIssuerMetadata?.nonce_endpoint,
|
|
968
1013
|
authorization_servers: authorization_server ? [
|
|
969
1014
|
authorization_server
|
|
970
1015
|
] : authorization_servers ?? [
|
|
@@ -973,7 +1018,7 @@ ${JSON.stringify(credentialIssuerMetadata)}`);
|
|
|
973
1018
|
authorization_endpoint,
|
|
974
1019
|
authorization_challenge_endpoint,
|
|
975
1020
|
authorizationServerType,
|
|
976
|
-
credentialIssuerMetadata,
|
|
1021
|
+
credentialIssuerMetadata: processedMetadata,
|
|
977
1022
|
authorizationServerMetadata: authMetadata
|
|
978
1023
|
};
|
|
979
1024
|
}
|
|
@@ -1034,7 +1079,7 @@ async function createSignedAuthRequestWhenNeeded(requestObject, opts) {
|
|
|
1034
1079
|
const pop = await ProofOfPossessionBuilder.fromJwt({
|
|
1035
1080
|
jwt,
|
|
1036
1081
|
callbacks: opts.signCallbacks,
|
|
1037
|
-
version: OpenId4VCIVersion3.
|
|
1082
|
+
version: OpenId4VCIVersion3.VER_1_0,
|
|
1038
1083
|
mode: "JWT"
|
|
1039
1084
|
}).build();
|
|
1040
1085
|
requestObject["request"] = pop.jwt;
|
|
@@ -1091,8 +1136,8 @@ var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpoi
|
|
|
1091
1136
|
if ("credentials" in credentialOffer.credential_offer) {
|
|
1092
1137
|
throw new Error("CredentialOffer format is wrong.");
|
|
1093
1138
|
}
|
|
1094
|
-
const ver = version ?? determineSpecVersionFromOffer2(credentialOffer.credential_offer) ?? OpenId4VCIVersion3.
|
|
1095
|
-
const creds = ver
|
|
1139
|
+
const ver = version ?? determineSpecVersionFromOffer2(credentialOffer.credential_offer) ?? OpenId4VCIVersion3.VER_1_0;
|
|
1140
|
+
const creds = ver >= OpenId4VCIVersion3.VER_1_0_15 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
|
|
1096
1141
|
authorizationDetails = creds.flatMap((cred) => {
|
|
1097
1142
|
const locations = [
|
|
1098
1143
|
credentialOffer?.credential_offer.credential_issuer ?? endpointMetadata.issuer
|
|
@@ -1523,18 +1568,61 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
1523
1568
|
if (proofInput) {
|
|
1524
1569
|
proof = await buildProof(proofInput, opts);
|
|
1525
1570
|
}
|
|
1526
|
-
|
|
1571
|
+
const issuer_state = this.credentialRequestOpts.issuerState;
|
|
1572
|
+
const commonBody = {
|
|
1573
|
+
...issuer_state && {
|
|
1574
|
+
issuer_state
|
|
1575
|
+
},
|
|
1576
|
+
...proof && {
|
|
1577
|
+
proof
|
|
1578
|
+
},
|
|
1579
|
+
...opts.subjectIssuance
|
|
1580
|
+
};
|
|
1581
|
+
if (this.version() >= OpenId4VCIVersion4.VER_1_0) {
|
|
1527
1582
|
const authDetail = findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId ?? credentialIdentifier);
|
|
1528
|
-
const
|
|
1529
|
-
const
|
|
1583
|
+
const authDetailObj = authDetail && typeof authDetail === "object" ? authDetail : null;
|
|
1584
|
+
const configId = credentialConfigurationId ?? authDetailObj?.credential_configuration_id ?? this._credentialRequestOpts.credentialConfigurationId;
|
|
1585
|
+
if (!configId) {
|
|
1586
|
+
return Promise.reject(Error("credential_configuration_id is required for 1.0 final credential request"));
|
|
1587
|
+
}
|
|
1588
|
+
const identifiers = this._credentialRequestOpts.credentialIdentifiers ?? (authDetailObj?.credential_identifiers && authDetailObj.credential_identifiers.length > 0 ? authDetailObj.credential_identifiers : credentialIdentifier ? [
|
|
1589
|
+
credentialIdentifier
|
|
1590
|
+
] : void 0);
|
|
1591
|
+
let proofsBody = {};
|
|
1592
|
+
if (proof) {
|
|
1593
|
+
if (proof.proof_type === "cwt" && "cwt" in proof) {
|
|
1594
|
+
proofsBody = {
|
|
1595
|
+
proofs: {
|
|
1596
|
+
cwt: [
|
|
1597
|
+
proof.cwt
|
|
1598
|
+
]
|
|
1599
|
+
}
|
|
1600
|
+
};
|
|
1601
|
+
} else if ("jwt" in proof) {
|
|
1602
|
+
proofsBody = {
|
|
1603
|
+
proofs: {
|
|
1604
|
+
jwt: [
|
|
1605
|
+
proof.jwt
|
|
1606
|
+
]
|
|
1607
|
+
}
|
|
1608
|
+
};
|
|
1609
|
+
}
|
|
1610
|
+
}
|
|
1611
|
+
const request = {
|
|
1612
|
+
credential_configuration_id: configId,
|
|
1613
|
+
...identifiers && identifiers.length > 0 && {
|
|
1614
|
+
credential_identifiers: identifiers
|
|
1615
|
+
},
|
|
1530
1616
|
...issuer_state && {
|
|
1531
1617
|
issuer_state
|
|
1532
1618
|
},
|
|
1533
|
-
...
|
|
1534
|
-
proof
|
|
1535
|
-
},
|
|
1619
|
+
...proofsBody,
|
|
1536
1620
|
...opts.subjectIssuance
|
|
1537
1621
|
};
|
|
1622
|
+
return request;
|
|
1623
|
+
}
|
|
1624
|
+
if (this.version() >= OpenId4VCIVersion4.VER_1_0_15) {
|
|
1625
|
+
const authDetail = findAuthorizationDetail(this.credentialRequestOpts.authorizationDetails, credentialConfigurationId ?? credentialIdentifier);
|
|
1538
1626
|
const authDetailObj = authDetail && typeof authDetail === "object" ? authDetail : null;
|
|
1539
1627
|
if (authDetailObj?.credential_identifier) {
|
|
1540
1628
|
return {
|
|
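Review bot: In the `VER_1_0` branch, a `proof` that has neither `proof_type === "cwt"` with a `cwt` member nor a `jwt` member leaves `proofsBody` empty, so the credential request goes out with no `proofs` instead of failing. The caller then believes the request was key-bound when it was not. Reject the unexpected shape explicitly, e.g. `else { return Promise.reject(Error("Unsupported proof: expected a cwt or jwt proof")); }`. `commonBody` is also built just above the branch but is not used in its visible part, which spreads `issuer_state` and `opts.subjectIssuance` again. The method starts and ends outside this hunk, so `commonBody` may be consumed further down.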
@@ -1566,7 +1654,7 @@ ${JSON.stringify(response, null, 2)}`);
|
|
|
1566
1654
|
throw new Error(`Unsupported version: ${this.version()}`);
|
|
1567
1655
|
}
|
|
1568
1656
|
version() {
|
|
1569
|
-
return this.credentialRequestOpts?.version ?? OpenId4VCIVersion4.
|
|
1657
|
+
return this.credentialRequestOpts?.version ?? OpenId4VCIVersion4.VER_1_0;
|
|
1570
1658
|
}
|
|
1571
1659
|
};
|
|
1572
1660
|
|
|
@@ -1734,7 +1822,7 @@ var CredentialOfferClientV1_0_15 = class {
|
|
|
1734
1822
|
};
|
|
1735
1823
|
|
|
1736
1824
|
// lib/CredentialRequestClientBuilder.ts
|
|
1737
|
-
import { OpenId4VCIVersion as
|
|
1825
|
+
import { OpenId4VCIVersion as OpenId4VCIVersion8 } from "@sphereon/oid4vci-common";
|
|
1738
1826
|
|
|
1739
1827
|
// lib/CredentialRequestClientBuilderV1_0_15.ts
|
|
1740
1828
|
import { determineSpecVersionFromOffer as determineSpecVersionFromOffer3, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload4, OpenId4VCIVersion as OpenId4VCIVersion6 } from "@sphereon/oid4vci-common";
|
|
@@ -1895,11 +1983,166 @@ var CredentialRequestClientBuilderV1_0_15 = class _CredentialRequestClientBuilde
|
|
|
1895
1983
|
}
|
|
1896
1984
|
};
|
|
1897
1985
|
|
|
1986
|
+
// lib/CredentialRequestClientBuilderV1_0.ts
|
|
1987
|
+
import { determineSpecVersionFromOffer as determineSpecVersionFromOffer4, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload5, OpenId4VCIVersion as OpenId4VCIVersion7 } from "@sphereon/oid4vci-common";
|
|
1988
|
+
var CredentialRequestClientBuilderV1_0 = class _CredentialRequestClientBuilderV1_0 {
|
|
1989
|
+
static {
|
|
1990
|
+
__name(this, "CredentialRequestClientBuilderV1_0");
|
|
1991
|
+
}
|
|
1992
|
+
credentialEndpoint;
|
|
1993
|
+
deferredCredentialEndpoint;
|
|
1994
|
+
nonceEndpoint;
|
|
1995
|
+
deferredCredentialAwait = false;
|
|
1996
|
+
deferredCredentialIntervalInMS = 5e3;
|
|
1997
|
+
credentialIdentifiers;
|
|
1998
|
+
credentialConfigurationId;
|
|
1999
|
+
credentialTypes = [];
|
|
2000
|
+
token;
|
|
2001
|
+
version;
|
|
2002
|
+
subjectIssuance;
|
|
2003
|
+
issuerState;
|
|
2004
|
+
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifiers, credentialConfigurationId, credentialTypes }) {
|
|
2005
|
+
const issuer = credentialIssuer;
|
|
2006
|
+
const builder = new _CredentialRequestClientBuilderV1_0();
|
|
2007
|
+
builder.withVersion(version ?? OpenId4VCIVersion7.VER_1_0);
|
|
2008
|
+
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2009
|
+
if (metadata?.deferred_credential_endpoint) {
|
|
2010
|
+
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
2011
|
+
}
|
|
2012
|
+
if (metadata?.credentialIssuerMetadata?.nonce_endpoint) {
|
|
2013
|
+
builder.withNonceEndpoint(metadata.credentialIssuerMetadata?.nonce_endpoint);
|
|
2014
|
+
}
|
|
2015
|
+
if (credentialIdentifiers) {
|
|
2016
|
+
builder.withCredentialIdentifiers(credentialIdentifiers);
|
|
2017
|
+
}
|
|
2018
|
+
if (credentialConfigurationId) {
|
|
2019
|
+
builder.withCredentialConfigurationId(credentialConfigurationId);
|
|
2020
|
+
}
|
|
2021
|
+
if (credentialTypes) {
|
|
2022
|
+
builder.withCredentialType(credentialTypes);
|
|
2023
|
+
}
|
|
2024
|
+
return builder;
|
|
2025
|
+
}
|
|
2026
|
+
static async fromURI({ uri, metadata }) {
|
|
2027
|
+
const offer = await CredentialOfferClient.fromURI(uri);
|
|
2028
|
+
return _CredentialRequestClientBuilderV1_0.fromCredentialOfferRequest({
|
|
2029
|
+
request: offer,
|
|
2030
|
+
...offer,
|
|
2031
|
+
metadata,
|
|
2032
|
+
version: offer.version
|
|
2033
|
+
});
|
|
2034
|
+
}
|
|
2035
|
+
static fromCredentialOfferRequest(opts) {
|
|
2036
|
+
const { request, metadata } = opts;
|
|
2037
|
+
const version = opts.version ?? request.version ?? determineSpecVersionFromOffer4(request.original_credential_offer);
|
|
2038
|
+
const builder = new _CredentialRequestClientBuilderV1_0();
|
|
2039
|
+
const issuer = getIssuerFromCredentialOfferPayload5(request.credential_offer) ?? (metadata ? metadata.issuer : void 0);
|
|
2040
|
+
if (!issuer && !metadata?.credential_endpoint) {
|
|
2041
|
+
throw Error(`Issuer could not be determined`);
|
|
2042
|
+
}
|
|
2043
|
+
builder.withVersion(version >= OpenId4VCIVersion7.VER_1_0 ? version : OpenId4VCIVersion7.VER_1_0);
|
|
2044
|
+
builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
|
|
2045
|
+
if (metadata?.deferred_credential_endpoint) {
|
|
2046
|
+
builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
|
|
2047
|
+
}
|
|
2048
|
+
if (metadata?.credentialIssuerMetadata?.nonce_endpoint) {
|
|
2049
|
+
builder.withNonceEndpoint(metadata.credentialIssuerMetadata.nonce_endpoint);
|
|
2050
|
+
}
|
|
2051
|
+
const ids = request.credential_offer.credential_configuration_ids;
|
|
2052
|
+
if (ids.length && ids.length === 1) {
|
|
2053
|
+
builder.withCredentialConfigurationId(ids[0]);
|
|
2054
|
+
}
|
|
2055
|
+
return builder;
|
|
2056
|
+
}
|
|
2057
|
+
static fromCredentialOffer({ credentialOffer, metadata }) {
|
|
2058
|
+
return _CredentialRequestClientBuilderV1_0.fromCredentialOfferRequest({
|
|
2059
|
+
request: credentialOffer,
|
|
2060
|
+
metadata,
|
|
2061
|
+
version: credentialOffer.version
|
|
2062
|
+
});
|
|
2063
|
+
}
|
|
2064
|
+
withCredentialEndpointFromMetadata(metadata) {
|
|
2065
|
+
this.credentialEndpoint = metadata.credential_endpoint;
|
|
2066
|
+
return this;
|
|
2067
|
+
}
|
|
2068
|
+
withCredentialEndpoint(credentialEndpoint) {
|
|
2069
|
+
this.credentialEndpoint = credentialEndpoint;
|
|
2070
|
+
return this;
|
|
2071
|
+
}
|
|
2072
|
+
withIssuerState(issuerState) {
|
|
2073
|
+
this.issuerState = issuerState;
|
|
2074
|
+
return this;
|
|
2075
|
+
}
|
|
2076
|
+
withDeferredCredentialEndpointFromMetadata(metadata) {
|
|
2077
|
+
this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
|
|
2078
|
+
return this;
|
|
2079
|
+
}
|
|
2080
|
+
withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
|
|
2081
|
+
this.deferredCredentialEndpoint = deferredCredentialEndpoint;
|
|
2082
|
+
return this;
|
|
2083
|
+
}
|
|
2084
|
+
withNonceEndpointFromMetadata(metadata) {
|
|
2085
|
+
this.nonceEndpoint = metadata.nonce_endpoint;
|
|
2086
|
+
return this;
|
|
2087
|
+
}
|
|
2088
|
+
withNonceEndpoint(nonceEndpoint) {
|
|
2089
|
+
this.nonceEndpoint = nonceEndpoint;
|
|
2090
|
+
return this;
|
|
2091
|
+
}
|
|
2092
|
+
withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
|
|
2093
|
+
this.deferredCredentialAwait = deferredCredentialAwait;
|
|
2094
|
+
this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
|
|
2095
|
+
return this;
|
|
2096
|
+
}
|
|
2097
|
+
// 1.0 final: credential_identifiers is an OPTIONAL array
|
|
2098
|
+
withCredentialIdentifiers(credentialIdentifiers) {
|
|
2099
|
+
this.credentialIdentifiers = credentialIdentifiers;
|
|
2100
|
+
return this;
|
|
2101
|
+
}
|
|
2102
|
+
// 1.0 final: credential_configuration_id is REQUIRED
|
|
2103
|
+
withCredentialConfigurationId(credentialConfigurationId) {
|
|
2104
|
+
this.credentialConfigurationId = credentialConfigurationId;
|
|
2105
|
+
return this;
|
|
2106
|
+
}
|
|
2107
|
+
withCredentialType(credentialTypes) {
|
|
2108
|
+
this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
|
|
2109
|
+
credentialTypes
|
|
2110
|
+
];
|
|
2111
|
+
return this;
|
|
2112
|
+
}
|
|
2113
|
+
withSubjectIssuance(subjectIssuance) {
|
|
2114
|
+
this.subjectIssuance = subjectIssuance;
|
|
2115
|
+
return this;
|
|
2116
|
+
}
|
|
2117
|
+
withToken(accessToken) {
|
|
2118
|
+
this.token = accessToken;
|
|
2119
|
+
return this;
|
|
2120
|
+
}
|
|
2121
|
+
withTokenFromResponse(response) {
|
|
2122
|
+
this.token = response.access_token;
|
|
2123
|
+
return this;
|
|
2124
|
+
}
|
|
2125
|
+
withVersion(version) {
|
|
2126
|
+
this.version = version;
|
|
2127
|
+
return this;
|
|
2128
|
+
}
|
|
2129
|
+
build() {
|
|
2130
|
+
if (!this.version) {
|
|
2131
|
+
this.withVersion(OpenId4VCIVersion7.VER_1_0);
|
|
2132
|
+
}
|
|
2133
|
+
return new CredentialRequestClient(this);
|
|
2134
|
+
}
|
|
2135
|
+
};
|
|
2136
|
+
|
|
1898
2137
|
// lib/CredentialRequestClientBuilder.ts
|
|
1899
2138
|
function isV1_0_15(builder) {
|
|
1900
2139
|
return builder.withCredentialIdentifier !== void 0;
|
|
1901
2140
|
}
|
|
1902
2141
|
__name(isV1_0_15, "isV1_0_15");
|
|
2142
|
+
function isV1_0(builder) {
|
|
2143
|
+
return builder.withCredentialIdentifiers !== void 0;
|
|
2144
|
+
}
|
|
2145
|
+
__name(isV1_0, "isV1_0");
|
|
1903
2146
|
var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
1904
2147
|
static {
|
|
1905
2148
|
__name(this, "CredentialRequestClientBuilder");
|
|
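Review bot: `fromCredentialOfferRequest` dereferences `ids.length` on `request.credential_offer.credential_configuration_ids` without checking that the member exists, although the offer is data supplied by another party. An offer that lacks it fails with a bare `TypeError` rather than a descriptive error. `issuer.endsWith("/")` in `fromCredentialIssuer` has the same problem when `credentialIssuer` is undefined and no `metadata.credential_endpoint` is given. Suggested change: `const ids = request.credential_offer.credential_configuration_ids ?? [];` followed by `if (ids.length === 1) {`. A short doc comment on the method should also say that `credentialConfigurationId` stays unset when the offer lists several ids, because the 1.0 request path in this diff rejects a missing id.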
@@ -1908,16 +2151,28 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
1908
2151
|
constructor(builder) {
|
|
1909
2152
|
this._builder = builder;
|
|
1910
2153
|
}
|
|
1911
|
-
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
|
|
2154
|
+
static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialIdentifiers, credentialTypes }) {
|
|
2155
|
+
const specVersion = version ?? OpenId4VCIVersion8.VER_1_0;
|
|
1912
2156
|
let builder;
|
|
1913
|
-
|
|
1914
|
-
|
|
1915
|
-
|
|
1916
|
-
|
|
1917
|
-
|
|
1918
|
-
|
|
1919
|
-
|
|
1920
|
-
|
|
2157
|
+
if (specVersion >= OpenId4VCIVersion8.VER_1_0) {
|
|
2158
|
+
builder = CredentialRequestClientBuilderV1_0.fromCredentialIssuer({
|
|
2159
|
+
credentialIssuer,
|
|
2160
|
+
metadata,
|
|
2161
|
+
version: specVersion,
|
|
2162
|
+
credentialIdentifiers: credentialIdentifiers ?? (credentialIdentifier ? [
|
|
2163
|
+
credentialIdentifier
|
|
2164
|
+
] : void 0),
|
|
2165
|
+
credentialTypes
|
|
2166
|
+
});
|
|
2167
|
+
} else {
|
|
2168
|
+
builder = CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
2169
|
+
credentialIssuer,
|
|
2170
|
+
metadata,
|
|
2171
|
+
version: specVersion,
|
|
2172
|
+
credentialIdentifier,
|
|
2173
|
+
credentialTypes
|
|
2174
|
+
});
|
|
2175
|
+
}
|
|
1921
2176
|
return new _CredentialRequestClientBuilder(builder);
|
|
1922
2177
|
}
|
|
1923
2178
|
static async fromURI({ uri, metadata }) {
|
|
@@ -1968,11 +2223,24 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
1968
2223
|
return this;
|
|
1969
2224
|
}
|
|
1970
2225
|
withCredentialIdentifier(credentialIdentifier) {
|
|
1971
|
-
if (this._builder.version === void 0 || this._builder.version <
|
|
2226
|
+
if (this._builder.version === void 0 || this._builder.version < OpenId4VCIVersion8.VER_1_0_15) {
|
|
1972
2227
|
throw new Error("Version of spec should be equal or higher than v1_0_15");
|
|
1973
2228
|
}
|
|
1974
|
-
|
|
1975
|
-
|
|
2229
|
+
if (isV1_0(this._builder)) {
|
|
2230
|
+
this._builder.withCredentialIdentifiers([
|
|
2231
|
+
credentialIdentifier
|
|
2232
|
+
]);
|
|
2233
|
+
} else if (isV1_0_15(this._builder)) {
|
|
2234
|
+
this._builder.withCredentialIdentifier(credentialIdentifier);
|
|
2235
|
+
}
|
|
2236
|
+
return this;
|
|
2237
|
+
}
|
|
2238
|
+
withCredentialIdentifiers(credentialIdentifiers) {
|
|
2239
|
+
if (isV1_0(this._builder)) {
|
|
2240
|
+
this._builder.withCredentialIdentifiers(credentialIdentifiers);
|
|
2241
|
+
} else if (isV1_0_15(this._builder) && credentialIdentifiers.length > 0) {
|
|
2242
|
+
this._builder.withCredentialIdentifier(credentialIdentifiers[0]);
|
|
2243
|
+
}
|
|
1976
2244
|
return this;
|
|
1977
2245
|
}
|
|
1978
2246
|
withIssuerState(issuerState) {
|
|
@@ -2004,13 +2272,192 @@ var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
|
|
|
2004
2272
|
}
|
|
2005
2273
|
};
|
|
2006
2274
|
|
|
2275
|
+
// lib/MetadataClientV1_0.ts
|
|
2276
|
+
import { getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload6, processSignedMetadata as processSignedMetadata3, WellKnownEndpoints as WellKnownEndpoints3 } from "@sphereon/oid4vci-common";
|
|
2277
|
+
import { Loggers as Loggers7 } from "@sphereon/ssi-types";
|
|
2278
|
+
var logger7 = Loggers7.DEFAULT.get("sphereon:oid4vci:metadata");
|
|
2279
|
+
var MetadataClientV1_0 = class _MetadataClientV1_0 {
|
|
2280
|
+
static {
|
|
2281
|
+
__name(this, "MetadataClientV1_0");
|
|
2282
|
+
}
|
|
2283
|
+
static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
|
|
2284
|
+
return _MetadataClientV1_0.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
|
|
2285
|
+
}
|
|
2286
|
+
static async retrieveAllMetadataFromCredentialOfferRequest(request) {
|
|
2287
|
+
const issuer = getIssuerFromCredentialOfferPayload6(request);
|
|
2288
|
+
if (issuer) {
|
|
2289
|
+
return _MetadataClientV1_0.retrieveAllMetadata(issuer);
|
|
2290
|
+
}
|
|
2291
|
+
throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
|
|
2292
|
+
}
|
|
2293
|
+
static async retrieveAllMetadata(issuer, opts) {
|
|
2294
|
+
let token_endpoint;
|
|
2295
|
+
let credential_endpoint;
|
|
2296
|
+
let nonce_endpoint;
|
|
2297
|
+
let deferred_credential_endpoint;
|
|
2298
|
+
let notification_endpoint;
|
|
2299
|
+
let authorization_endpoint;
|
|
2300
|
+
let authorization_challenge_endpoint;
|
|
2301
|
+
let authorizationServerType = "OID4VCI";
|
|
2302
|
+
let authorization_servers = [
|
|
2303
|
+
issuer
|
|
2304
|
+
];
|
|
2305
|
+
const oid4vciResponse = await _MetadataClientV1_0.retrieveOpenID4VCIServerMetadata(issuer, {
|
|
2306
|
+
errorOnNotFound: false
|
|
2307
|
+
});
|
|
2308
|
+
let credentialIssuerMetadata = oid4vciResponse?.successBody;
|
|
2309
|
+
if (credentialIssuerMetadata) {
|
|
2310
|
+
logger7.debug(`Issuer ${issuer} OID4VCI well-known server metadata\r
|
|
2311
|
+
${JSON.stringify(credentialIssuerMetadata)}`);
|
|
2312
|
+
credential_endpoint = credentialIssuerMetadata.credential_endpoint;
|
|
2313
|
+
nonce_endpoint = credentialIssuerMetadata.nonce_endpoint;
|
|
2314
|
+
deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
|
|
2315
|
+
notification_endpoint = credentialIssuerMetadata.notification_endpoint;
|
|
2316
|
+
if (credentialIssuerMetadata.token_endpoint) {
|
|
2317
|
+
token_endpoint = credentialIssuerMetadata.token_endpoint;
|
|
2318
|
+
}
|
|
2319
|
+
authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
|
|
2320
|
+
if (credentialIssuerMetadata.authorization_servers) {
|
|
2321
|
+
authorization_servers = credentialIssuerMetadata.authorization_servers;
|
|
2322
|
+
}
|
|
2323
|
+
}
|
|
2324
|
+
let response = await retrieveWellknown(authorization_servers[0], WellKnownEndpoints3.OPENID_CONFIGURATION, {
|
|
2325
|
+
errorOnNotFound: false
|
|
2326
|
+
});
|
|
2327
|
+
let authMetadata = response.successBody;
|
|
2328
|
+
if (authMetadata) {
|
|
2329
|
+
logger7.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
|
|
2330
|
+
authorizationServerType = "OIDC";
|
|
2331
|
+
} else {
|
|
2332
|
+
response = await retrieveWellknown(authorization_servers[0], WellKnownEndpoints3.OAUTH_AS, {
|
|
2333
|
+
errorOnNotFound: false
|
|
2334
|
+
});
|
|
2335
|
+
authMetadata = response.successBody;
|
|
2336
|
+
}
|
|
2337
|
+
if (!authMetadata) {
|
|
2338
|
+
if (!authorization_servers.includes(issuer)) {
|
|
2339
|
+
throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
|
|
2340
|
+
}
|
|
2341
|
+
} else {
|
|
2342
|
+
logger7.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
|
|
2343
|
+
if (!authMetadata.authorization_endpoint) {
|
|
2344
|
+
console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
|
|
2345
|
+
} else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
|
|
2346
|
+
throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
|
|
2347
|
+
}
|
|
2348
|
+
authorization_endpoint = authMetadata.authorization_endpoint;
|
|
2349
|
+
if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
|
|
2350
|
+
throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
|
|
2351
|
+
}
|
|
2352
|
+
authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
|
|
2353
|
+
if (!authMetadata.token_endpoint) {
|
|
2354
|
+
throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
|
|
2355
|
+
} else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
|
|
2356
|
+
throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
|
|
2357
|
+
}
|
|
2358
|
+
token_endpoint = authMetadata.token_endpoint;
|
|
2359
|
+
if (authMetadata.credential_endpoint) {
|
|
2360
|
+
if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
|
|
2361
|
+
logger7.debug(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
|
|
2362
|
+
} else {
|
|
2363
|
+
credential_endpoint = authMetadata.credential_endpoint;
|
|
2364
|
+
}
|
|
2365
|
+
}
|
|
2366
|
+
if (authMetadata.deferred_credential_endpoint) {
|
|
2367
|
+
if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
|
|
2368
|
+
logger7.debug(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
|
|
2369
|
+
} else {
|
|
2370
|
+
deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
|
|
2371
|
+
}
|
|
2372
|
+
}
|
|
2373
|
+
if (authMetadata.notification_endpoint) {
|
|
2374
|
+
if (notification_endpoint && authMetadata.notification_endpoint !== notification_endpoint) {
|
|
2375
|
+
logger7.debug(`Credential issuer has a different notification_endpoint (${notification_endpoint}) from the Authorization Server (${authMetadata.notification_endpoint}). Will use the issuer value`);
|
|
2376
|
+
} else {
|
|
2377
|
+
notification_endpoint = authMetadata.notification_endpoint;
|
|
2378
|
+
}
|
|
2379
|
+
}
|
|
2380
|
+
}
|
|
2381
|
+
if (!authorization_endpoint) {
|
|
2382
|
+
logger7.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
|
|
2383
|
+
}
|
|
2384
|
+
if (!token_endpoint) {
|
|
2385
|
+
logger7.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
|
|
2386
|
+
if (opts?.errorOnNotFound) {
|
|
2387
|
+
throw Error(`Could not deduce the token_endpoint for ${issuer}`);
|
|
2388
|
+
} else {
|
|
2389
|
+
token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
|
|
2390
|
+
}
|
|
2391
|
+
}
|
|
2392
|
+
if (!credential_endpoint) {
|
|
2393
|
+
logger7.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
|
|
2394
|
+
if (opts?.errorOnNotFound) {
|
|
2395
|
+
throw Error(`Could not deduce the credential endpoint for ${issuer}`);
|
|
2396
|
+
} else {
|
|
2397
|
+
credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
|
|
2398
|
+
}
|
|
2399
|
+
}
|
|
2400
|
+
if (!credentialIssuerMetadata && authMetadata) {
|
|
2401
|
+
credentialIssuerMetadata = authMetadata;
|
|
2402
|
+
}
|
|
2403
|
+
const ci = credentialIssuerMetadata ?? {};
|
|
2404
|
+
const ciAuthorizationServers = Array.isArray(ci.authorization_servers) && ci.authorization_servers.length > 0 ? ci.authorization_servers : authorization_servers;
|
|
2405
|
+
const v1_0CredentialIssuerMetadata = {
|
|
2406
|
+
credential_issuer: ci.credential_issuer ?? issuer,
|
|
2407
|
+
credential_endpoint,
|
|
2408
|
+
authorization_servers: ciAuthorizationServers,
|
|
2409
|
+
credential_configurations_supported: ci.credential_configurations_supported ?? {},
|
|
2410
|
+
display: ci.display ?? [],
|
|
2411
|
+
...nonce_endpoint && {
|
|
2412
|
+
nonce_endpoint
|
|
2413
|
+
},
|
|
2414
|
+
...deferred_credential_endpoint && {
|
|
2415
|
+
deferred_credential_endpoint
|
|
2416
|
+
},
|
|
2417
|
+
...notification_endpoint && {
|
|
2418
|
+
notification_endpoint
|
|
2419
|
+
},
|
|
2420
|
+
...ci.batch_credential_issuance_supported !== void 0 && {
|
|
2421
|
+
batch_credential_issuance_supported: ci.batch_credential_issuance_supported
|
|
2422
|
+
},
|
|
2423
|
+
...ci.credential_issuer_public_key && {
|
|
2424
|
+
credential_issuer_public_key: ci.credential_issuer_public_key
|
|
2425
|
+
},
|
|
2426
|
+
...ci.signed_metadata && {
|
|
2427
|
+
signed_metadata: ci.signed_metadata
|
|
2428
|
+
}
|
|
2429
|
+
};
|
|
2430
|
+
logger7.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
|
|
2431
|
+
const processedMetadata = await processSignedMetadata3({
|
|
2432
|
+
metadata: v1_0CredentialIssuerMetadata,
|
|
2433
|
+
issuer,
|
|
2434
|
+
signedMetadataVerifyCallback: opts?.signedMetadataVerifyCallback
|
|
2435
|
+
});
|
|
2436
|
+
return {
|
|
2437
|
+
issuer,
|
|
2438
|
+
token_endpoint,
|
|
2439
|
+
credential_endpoint,
|
|
2440
|
+
authorization_challenge_endpoint,
|
|
2441
|
+
notification_endpoint,
|
|
2442
|
+
authorizationServerType,
|
|
2443
|
+
credentialIssuerMetadata: processedMetadata,
|
|
2444
|
+
authorizationServerMetadata: authMetadata
|
|
2445
|
+
};
|
|
2446
|
+
}
|
|
2447
|
+
static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
|
|
2448
|
+
return retrieveWellknown(issuerHost, WellKnownEndpoints3.OPENID4VCI_ISSUER, {
|
|
2449
|
+
errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
|
|
2450
|
+
});
|
|
2451
|
+
}
|
|
2452
|
+
};
|
|
2453
|
+
|
|
2007
2454
|
// lib/OpenID4VCIClient.ts
|
|
2008
|
-
import { AuthzFlowType as AuthzFlowType3, CodeChallengeMethod as CodeChallengeMethod4, DefaultURISchemes as DefaultURISchemes2, determineVersionsFromIssuerMetadata, getClientIdFromCredentialOfferPayload as getClientIdFromCredentialOfferPayload3, getIssuerFromCredentialOfferPayload as
|
|
2009
|
-
import { Loggers as
|
|
2455
|
+
import { AuthzFlowType as AuthzFlowType3, CodeChallengeMethod as CodeChallengeMethod4, DefaultURISchemes as DefaultURISchemes2, determineVersionsFromIssuerMetadata as determineVersionsFromIssuerMetadata2, getClientIdFromCredentialOfferPayload as getClientIdFromCredentialOfferPayload3, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload8, getSupportedCredentials as getSupportedCredentials2, getTypesFromCredentialSupported, KID_JWK_X5C_ERROR as KID_JWK_X5C_ERROR2, OpenId4VCIVersion as OpenId4VCIVersion10, toAuthorizationResponsePayload as toAuthorizationResponsePayload2 } from "@sphereon/oid4vci-common";
|
|
2456
|
+
import { Loggers as Loggers9 } from "@sphereon/ssi-types";
|
|
2010
2457
|
|
|
2011
2458
|
// lib/OpenID4VCIClientV1_0_15.ts
|
|
2012
|
-
import { AuthzFlowType as AuthzFlowType2, CodeChallengeMethod as CodeChallengeMethod3, DefaultURISchemes, getClientIdFromCredentialOfferPayload as getClientIdFromCredentialOfferPayload2, getIssuerFromCredentialOfferPayload as
|
|
2013
|
-
import { Loggers as
|
|
2459
|
+
import { AuthzFlowType as AuthzFlowType2, CodeChallengeMethod as CodeChallengeMethod3, DefaultURISchemes, getClientIdFromCredentialOfferPayload as getClientIdFromCredentialOfferPayload2, getIssuerFromCredentialOfferPayload as getIssuerFromCredentialOfferPayload7, getSupportedCredentials, KID_JWK_X5C_ERROR, OpenId4VCIVersion as OpenId4VCIVersion9, toAuthorizationResponsePayload } from "@sphereon/oid4vci-common";
|
|
2460
|
+
import { Loggers as Loggers8 } from "@sphereon/ssi-types";
|
|
2014
2461
|
|
|
2015
2462
|
// lib/NonceClient.ts
|
|
2016
2463
|
import { formPost as formPost3 } from "@sphereon/oid4vci-common";
|
|
@@ -2033,14 +2480,14 @@ var acquireNonceFromAuthorizationServer = /* @__PURE__ */ __name(async (opts) =>
|
|
|
2033
2480
|
}, "acquireNonceFromAuthorizationServer");
|
|
2034
2481
|
|
|
2035
2482
|
// lib/OpenID4VCIClientV1_0_15.ts
|
|
2036
|
-
var
|
|
2483
|
+
var logger8 = Loggers8.DEFAULT.get("sphereon:oid4vci:v15");
|
|
2037
2484
|
var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
2038
2485
|
static {
|
|
2039
2486
|
__name(this, "OpenID4VCIClientV1_0_15");
|
|
2040
2487
|
}
|
|
2041
2488
|
_state;
|
|
2042
2489
|
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL, keyAttestation }) {
|
|
2043
|
-
const issuer = credentialIssuer ?? (credentialOffer ?
|
|
2490
|
+
const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload7(credentialOffer.credential_offer) : void 0);
|
|
2044
2491
|
if (!issuer) {
|
|
2045
2492
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
2046
2493
|
}
|
|
@@ -2066,7 +2513,7 @@ var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
|
2066
2513
|
if (!this._state.authorizationRequestOpts) {
|
|
2067
2514
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
2068
2515
|
}
|
|
2069
|
-
|
|
2516
|
+
logger8.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
2070
2517
|
}
|
|
2071
2518
|
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, keyAttestation }) {
|
|
2072
2519
|
const client = new _OpenID4VCIClientV1_0_15({
|
|
@@ -2114,7 +2561,7 @@ var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
|
2114
2561
|
authorizationRequest,
|
|
2115
2562
|
pkce
|
|
2116
2563
|
});
|
|
2117
|
-
|
|
2564
|
+
logger8.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
2118
2565
|
}
|
|
2119
2566
|
return client;
|
|
2120
2567
|
}
|
|
@@ -2160,11 +2607,11 @@ var OpenID4VCIClientV1_0_15 = class _OpenID4VCIClientV1_0_15 {
|
|
|
2160
2607
|
}
|
|
2161
2608
|
});
|
|
2162
2609
|
if (response.errorBody) {
|
|
2163
|
-
|
|
2610
|
+
logger8.debug(`Nonce request error:\r
|
|
2164
2611
|
${JSON.stringify(response.errorBody)}`);
|
|
2165
2612
|
return Promise.reject(Error(`Retrieving a nonce from ${this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint} for issuer ${this.getIssuer()} failed with error: ${response.errorBody.error}${response.errorBody.error_description ? ` - ${response.errorBody.error_description}` : ""}`));
|
|
2166
2613
|
} else if (!response.successBody) {
|
|
2167
|
-
|
|
2614
|
+
logger8.debug(`Nonce request error. No success body`);
|
|
2168
2615
|
return Promise.reject(Error(`Retrieving a nonce from ${this._state.endpointMetadata?.credentialIssuerMetadata?.nonce_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
2169
2616
|
}
|
|
2170
2617
|
this._state.cachedCNonce = response.successBody.c_nonce;
|
|
@@ -2184,12 +2631,12 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2184
2631
|
...opts
|
|
2185
2632
|
});
|
|
2186
2633
|
if (response.errorBody) {
|
|
2187
|
-
|
|
2634
|
+
logger8.debug(`Authorization code error:\r
|
|
2188
2635
|
${JSON.stringify(response.errorBody)}`);
|
|
2189
2636
|
const error = response.errorBody;
|
|
2190
2637
|
return Promise.reject(error);
|
|
2191
2638
|
} else if (!response.successBody) {
|
|
2192
|
-
|
|
2639
|
+
logger8.debug(`Authorization code error. No success body`);
|
|
2193
2640
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
2194
2641
|
}
|
|
2195
2642
|
return {
|
|
@@ -2261,11 +2708,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2261
2708
|
}
|
|
2262
2709
|
});
|
|
2263
2710
|
if (response.errorBody) {
|
|
2264
|
-
|
|
2711
|
+
logger8.debug(`Access token error:\r
|
|
2265
2712
|
${JSON.stringify(response.errorBody)}`);
|
|
2266
2713
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
2267
2714
|
} else if (!response.successBody) {
|
|
2268
|
-
|
|
2715
|
+
logger8.debug(`Access token error. No success body`);
|
|
2269
2716
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
2270
2717
|
}
|
|
2271
2718
|
this._state.accessTokenResponse = response.successBody;
|
|
@@ -2374,11 +2821,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2374
2821
|
});
|
|
2375
2822
|
this._state.dpopResponseParams = response.params;
|
|
2376
2823
|
if (response.errorBody) {
|
|
2377
|
-
|
|
2824
|
+
logger8.debug(`Credential request error:\r
|
|
2378
2825
|
${JSON.stringify(response.errorBody)}`);
|
|
2379
2826
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
|
|
2380
2827
|
} else if (!response.successBody) {
|
|
2381
|
-
|
|
2828
|
+
logger8.debug(`Credential request error. No success body`);
|
|
2382
2829
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
2383
2830
|
}
|
|
2384
2831
|
return {
|
|
@@ -2429,7 +2876,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2429
2876
|
return this._state.credentialOffer;
|
|
2430
2877
|
}
|
|
2431
2878
|
version() {
|
|
2432
|
-
return
|
|
2879
|
+
return OpenId4VCIVersion9.VER_1_0_15;
|
|
2433
2880
|
}
|
|
2434
2881
|
get endpointMetadata() {
|
|
2435
2882
|
this.assertServerMetadata();
|
|
@@ -2561,14 +3008,14 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2561
3008
|
};
|
|
2562
3009
|
|
|
2563
3010
|
// lib/OpenID4VCIClient.ts
|
|
2564
|
-
var
|
|
3011
|
+
var logger9 = Loggers9.DEFAULT.get("sphereon:oid4vci");
|
|
2565
3012
|
var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
2566
3013
|
static {
|
|
2567
3014
|
__name(this, "OpenID4VCIClient");
|
|
2568
3015
|
}
|
|
2569
3016
|
_state;
|
|
2570
3017
|
constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
|
|
2571
|
-
const issuer = credentialIssuer ?? (credentialOffer ?
|
|
3018
|
+
const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload8(credentialOffer.credential_offer) : void 0);
|
|
2572
3019
|
if (!issuer) {
|
|
2573
3020
|
throw Error("No credential issuer supplied or deduced from offer");
|
|
2574
3021
|
}
|
|
@@ -2595,7 +3042,7 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
2595
3042
|
if (!this._state.authorizationRequestOpts) {
|
|
2596
3043
|
this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
|
|
2597
3044
|
}
|
|
2598
|
-
|
|
3045
|
+
logger9.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
|
|
2599
3046
|
}
|
|
2600
3047
|
static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
|
|
2601
3048
|
const client = new _OpenID4VCIClient({
|
|
@@ -2643,7 +3090,7 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
2643
3090
|
authorizationRequest,
|
|
2644
3091
|
pkce
|
|
2645
3092
|
});
|
|
2646
|
-
|
|
3093
|
+
logger9.debug(`Authorization Request URL: ${client._state.authorizationURL}`);
|
|
2647
3094
|
}
|
|
2648
3095
|
return client;
|
|
2649
3096
|
}
|
|
@@ -2700,12 +3147,12 @@ var OpenID4VCIClient = class _OpenID4VCIClient {
|
|
|
2700
3147
|
...opts
|
|
2701
3148
|
});
|
|
2702
3149
|
if (response.errorBody) {
|
|
2703
|
-
|
|
3150
|
+
logger9.debug(`Authorization code error:\r
|
|
2704
3151
|
${JSON.stringify(response.errorBody)}`);
|
|
2705
3152
|
const error = response.errorBody;
|
|
2706
3153
|
return Promise.reject(error);
|
|
2707
3154
|
} else if (!response.successBody) {
|
|
2708
|
-
|
|
3155
|
+
logger9.debug(`Authorization code error. No success body`);
|
|
2709
3156
|
return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
|
|
2710
3157
|
}
|
|
2711
3158
|
return {
|
|
@@ -2777,11 +3224,12 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2777
3224
|
}
|
|
2778
3225
|
});
|
|
2779
3226
|
if (response.errorBody) {
|
|
2780
|
-
|
|
2781
|
-
|
|
2782
|
-
|
|
3227
|
+
const errorDetail = typeof response.errorBody === "object" ? JSON.stringify(response.errorBody) : String(response.errorBody);
|
|
3228
|
+
logger9.error(`Access token error response (status ${response.origResponse.status}):\r
|
|
3229
|
+
${errorDetail}`);
|
|
3230
|
+
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}. Response: ${errorDetail}`);
|
|
2783
3231
|
} else if (!response.successBody) {
|
|
2784
|
-
|
|
3232
|
+
logger9.debug(`Access token error. No success body`);
|
|
2785
3233
|
throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
2786
3234
|
}
|
|
2787
3235
|
this._state.accessTokenResponse = response.successBody;
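Review bot: The new `errorDetail` copies the token endpoint's whole error body, which the remote server controls, into both the `logger9.error` line and the thrown `Error` message, with no length bound and no flattening of line breaks. Callers that display or forward `err.message` will now carry whatever the server returned, and a string body containing CR/LF can break one log entry into several. I would cap and flatten it, e.g. `const errorDetail = (typeof response.errorBody === "object" ? JSON.stringify(response.errorBody) : String(response.errorBody)).replace(/[\r\n]+/g, " ").slice(0, 512);`. The same applies to `errDesc` and `errDesc2` in the two credential-request hunks further down, which append the server's `error_description` to the exception message. The enclosing method starts and ends outside this hunk.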
|
|
@@ -2798,7 +3246,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2798
3246
|
}
|
|
2799
3247
|
};
|
|
2800
3248
|
}
|
|
2801
|
-
async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
3249
|
+
async acquireCredentials({ credentialIdentifier, credentialConfigurationId, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
|
|
2802
3250
|
if ([
|
|
2803
3251
|
jwk,
|
|
2804
3252
|
kid
|
|
@@ -2808,13 +3256,11 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2808
3256
|
if (alg) this._state.alg = alg;
|
|
2809
3257
|
if (jwk) this._state.jwk = jwk;
|
|
2810
3258
|
if (kid) this._state.kid = kid;
|
|
2811
|
-
if (this.
|
|
2812
|
-
|
|
2813
|
-
|
|
2814
|
-
|
|
2815
|
-
|
|
2816
|
-
return Promise.reject(Error(`failed to acquire nonce: ${String(e)}`));
|
|
2817
|
-
}
|
|
3259
|
+
if (!this._state.cachedCNonce && this.hasNonceEndpoint()) {
|
|
3260
|
+
try {
|
|
3261
|
+
await this.acquireNonceViaV15Delegate();
|
|
3262
|
+
} catch (e) {
|
|
3263
|
+
return Promise.reject(Error(`failed to acquire nonce: ${String(e)}`));
|
|
2818
3264
|
}
|
|
2819
3265
|
}
|
|
2820
3266
|
let requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_15.fromCredentialOffer({
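Review bot: The added `!this._state.cachedCNonce` condition lets a previously cached c_nonce suppress the nonce fetch entirely, and nothing in this hunk shows the cached value being cleared once it has been used in a proof or checked for age. If the cache is not invalidated elsewhere, a request made after the nonce was consumed would presumably be rejected by the issuer and recover only through the retry path. A comment above the condition would record the intent, e.g. `// Reuse the cached c_nonce; a stale value is rejected by the issuer and refreshed via shouldRetryWithFreshNonce()`. acquireCredentials starts and ends outside this hunk.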
|
|
@@ -2823,15 +3269,22 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2823
3269
|
}) : CredentialRequestClientBuilderV1_0_15.fromCredentialIssuer({
|
|
2824
3270
|
credentialIssuer: this.getIssuer(),
|
|
2825
3271
|
credentialTypes,
|
|
3272
|
+
credentialIdentifier,
|
|
3273
|
+
credentialConfigurationId,
|
|
2826
3274
|
metadata: this.endpointMetadata,
|
|
2827
3275
|
version: this.version()
|
|
2828
3276
|
});
|
|
3277
|
+
if (credentialIdentifier) {
|
|
3278
|
+
requestBuilder.withCredentialIdentifier(credentialIdentifier);
|
|
3279
|
+
} else if (credentialConfigurationId) {
|
|
3280
|
+
requestBuilder.withCredentialConfigurationId(credentialConfigurationId);
|
|
3281
|
+
}
|
|
2829
3282
|
const issuerState = this.issuerSupportedFlowTypes().includes(AuthzFlowType3.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
|
|
2830
3283
|
requestBuilder.withIssuerState(issuerState);
|
|
2831
3284
|
requestBuilder.withTokenFromResponse(this.accessTokenResponse);
|
|
2832
3285
|
requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
|
|
2833
3286
|
let subjectIssuance;
|
|
2834
|
-
if (this.endpointMetadata?.credentialIssuerMetadata) {
|
|
3287
|
+
if (this.endpointMetadata?.credentialIssuerMetadata && credentialTypes) {
|
|
2835
3288
|
const metadata = this.endpointMetadata.credentialIssuerMetadata;
|
|
2836
3289
|
const types = Array.isArray(credentialTypes) ? credentialTypes : [
|
|
2837
3290
|
credentialTypes
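Review bot: Adding `&& credentialTypes` to the metadata condition skips the block that follows whenever the caller selects a credential by `credentialIdentifier` or `credentialConfigurationId` alone, so whatever that block derives from issuer metadata (it appears to compute `subjectIssuance`; the rest is outside the hunk) is not evaluated for those requests. The visible lines also never check that at least one selector is set on the `fromCredentialIssuer` branch, and when both new ones are passed the identifier silently wins. I would add a guard near the top of acquireCredentials such as `if (!this.credentialOffer && !credentialTypes && !credentialIdentifier && !credentialConfigurationId) throw Error("No credential selector supplied");` and a comment stating the precedence. The method body begins and continues outside this hunk.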
|
|
@@ -2886,7 +3339,7 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2886
3339
|
}
|
|
2887
3340
|
const response = await credentialRequestClient.acquireCredentialsUsingProof({
|
|
2888
3341
|
proofInput: proofBuilder,
|
|
2889
|
-
credentialTypes,
|
|
3342
|
+
credentialTypes: credentialTypes ?? credentialIdentifier ?? credentialConfigurationId,
|
|
2890
3343
|
context,
|
|
2891
3344
|
format,
|
|
2892
3345
|
subjectIssuance,
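Review bot: The fallback `credentialTypes ?? credentialIdentifier ?? credentialConfigurationId` hands a credential identifier or configuration id to a parameter named `credentialTypes`, which mixes three different namespaces in one field. `acquireCredentialsUsingProof` is not visible here, so the hunk does not show whether it treats the value as a type list, for example when matching against issuer metadata or building the request body. If the overload is intended, a comment on that line should say so, e.g. `// credentialTypes doubles as the selector when only an identifier or configuration id is given`; otherwise pass the two new fields under their own names.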
|
|
@@ -2894,11 +3347,12 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2894
3347
|
});
|
|
2895
3348
|
this._state.dpopResponseParams = response.params;
|
|
2896
3349
|
if (response.errorBody) {
|
|
2897
|
-
|
|
3350
|
+
logger9.debug(`Credential request error:\r
|
|
2898
3351
|
${JSON.stringify(response.errorBody)}`);
|
|
2899
|
-
|
|
3352
|
+
const errDesc = response.errorBody.error_description ? `: ${response.errorBody.error_description}` : response.errorBody.error ? `: ${response.errorBody.error}` : "";
|
|
3353
|
+
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}${errDesc}`);
|
|
2900
3354
|
} else if (!response.successBody) {
|
|
2901
|
-
|
|
3355
|
+
logger9.debug(`Credential request error. No success body`);
|
|
2902
3356
|
throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
|
|
2903
3357
|
}
|
|
2904
3358
|
return {
|
|
@@ -2946,11 +3400,12 @@ ${JSON.stringify(response.errorBody)}`);
|
|
|
2946
3400
|
});
|
|
2947
3401
|
this._state.dpopResponseParams = response2.params;
|
|
2948
3402
|
if (response2.errorBody) {
|
|
2949
|
-
|
|
3403
|
+
logger9.debug(`Credential request error (after retry):\r
|
|
2950
3404
|
${JSON.stringify(response2.errorBody)}`);
|
|
2951
|
-
|
|
3405
|
+
const errDesc2 = response2.errorBody.error_description ? `: ${response2.errorBody.error_description}` : response2.errorBody.error ? `: ${response2.errorBody.error}` : "";
|
|
3406
|
+
return Promise.reject(Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed after retry with status: ${response2.origResponse.status}${errDesc2}`));
|
|
2952
3407
|
} else if (!response2.successBody) {
|
|
2953
|
-
|
|
3408
|
+
logger9.debug(`Credential request error after retry. No success body`);
|
|
2954
3409
|
return Promise.reject(Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed after retry as there was no success response body`));
|
|
2955
3410
|
}
|
|
2956
3411
|
return {
|
|
@@ -2993,17 +3448,17 @@ ${JSON.stringify(response2.errorBody)}`);
|
|
|
2993
3448
|
return this._state.credentialOffer;
|
|
2994
3449
|
}
|
|
2995
3450
|
version() {
|
|
2996
|
-
if (this.credentialOffer?.version && this.credentialOffer.version !== OpenId4VCIVersion9.VER_UNKNOWN) {
|
|
2997
|
-
return this.credentialOffer.version;
|
|
2998
|
-
}
|
|
2999
3451
|
const metadata = this._state.endpointMetadata;
|
|
3000
3452
|
if (metadata?.credentialIssuerMetadata) {
|
|
3001
|
-
const versions =
|
|
3002
|
-
if (versions.length > 0 && !versions.includes(
|
|
3453
|
+
const versions = determineVersionsFromIssuerMetadata2(metadata.credentialIssuerMetadata);
|
|
3454
|
+
if (versions.length > 0 && !versions.includes(OpenId4VCIVersion10.VER_UNKNOWN)) {
|
|
3003
3455
|
return versions[0];
|
|
3004
3456
|
}
|
|
3005
3457
|
}
|
|
3006
|
-
|
|
3458
|
+
if (this.credentialOffer?.version && this.credentialOffer.version !== OpenId4VCIVersion10.VER_UNKNOWN) {
|
|
3459
|
+
return this.credentialOffer.version;
|
|
3460
|
+
}
|
|
3461
|
+
return OpenId4VCIVersion10.VER_1_0;
|
|
3007
3462
|
}
|
|
3008
3463
|
get endpointMetadata() {
|
|
3009
3464
|
this.assertServerMetadata();
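Review bot: The precedence that version() applies is undocumented: issuer metadata is consulted first, then the credential offer's version, and the method ends on a hard `VER_1_0` default. Both inputs come from remote parties and the result gates behaviour elsewhere (shouldRetryWithFreshNonce compares it with `>=`), so the method deserves a doc comment stating that order and why metadata outranks the offer. The comment should also mention that a single `VER_UNKNOWN` entry in `versions` discards the metadata result altogether.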
|
|
@@ -3151,7 +3606,8 @@ ${JSON.stringify(response2.errorBody)}`);
|
|
|
3151
3606
|
state.cachedCNonce = v15Client.state.cachedCNonce;
|
|
3152
3607
|
}
|
|
3153
3608
|
shouldRetryWithFreshNonce(err) {
|
|
3154
|
-
|
|
3609
|
+
const canRetry = this.hasNonceEndpoint() || this.version() >= OpenId4VCIVersion10.VER_1_0;
|
|
3610
|
+
if (!canRetry) {
|
|
3155
3611
|
return false;
|
|
3156
3612
|
}
|
|
3157
3613
|
const status = err?.response?.status ?? err?.status;
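Review bot: `canRetry` can be true without any nonce endpoint being known, because it accepts any version() of at least `VER_1_0` and version() in this same file section falls back to `VER_1_0` when neither metadata nor the offer gives an answer. acquireCredentials, by contrast, fetches a nonce only when `hasNonceEndpoint()` is true. If the retry needs to fetch a nonce, consider `const canRetry = this.hasNonceEndpoint();`, or add a comment explaining where the fresh nonce comes from in the version-only case. The `>=` also relies on OpenId4VCIVersion members being ordered numbers, which is not visible here. The rest of shouldRetryWithFreshNonce is outside the hunk.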
|
|
@@ -3185,9 +3641,11 @@ export {
|
|
|
3185
3641
|
CredentialOfferClientV1_0_15,
|
|
3186
3642
|
CredentialRequestClient,
|
|
3187
3643
|
CredentialRequestClientBuilder,
|
|
3644
|
+
CredentialRequestClientBuilderV1_0,
|
|
3188
3645
|
CredentialRequestClientBuilderV1_0_15,
|
|
3189
3646
|
LOG2 as LOG,
|
|
3190
3647
|
MetadataClient,
|
|
3648
|
+
MetadataClientV1_0,
|
|
3191
3649
|
MetadataClientV1_0_15,
|
|
3192
3650
|
OpenID4VCIClient,
|
|
3193
3651
|
OpenID4VCIClientV1_0_15,
|