@sphereon/oid4vci-client 0.6.1-next.8 → 0.7.1-next.10

package/lib/MetadataClient.ts

@@ -1,11 +1,11 @@
 import {
+  AuthorizationServerMetadata,
+  AuthorizationServerType,
   CredentialIssuerMetadata,
   CredentialOfferPayload,
   CredentialOfferRequestWithBaseUrl,
-  EndpointMetadata,
+  EndpointMetadataResult,
   getIssuerFromCredentialOfferPayload,
-  OAuth2ASMetadata,
-  Oauth2ASWithOID4VCIMetadata,
   OpenIDResponse,
   WellKnownEndpoints,
 } from '@sphereon/oid4vci-common';
@@ -21,7 +21,7 @@ export class MetadataClient {
    *
    * @param credentialOffer
    */
-  public static async retrieveAllMetadataFromCredentialOffer(credentialOffer: CredentialOfferRequestWithBaseUrl): Promise<EndpointMetadata> {
+  public static async retrieveAllMetadataFromCredentialOffer(credentialOffer: CredentialOfferRequestWithBaseUrl): Promise<EndpointMetadataResult> {
     return MetadataClient.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
   }
 
@@ -29,9 +29,10 @@ export class MetadataClient {
    * Retrieve the metada using the initiation request obtained from a previous step
    * @param request
    */
-  public static async retrieveAllMetadataFromCredentialOfferRequest(request: CredentialOfferPayload): Promise<EndpointMetadata> {
-    if (getIssuerFromCredentialOfferPayload(request)) {
-      return MetadataClient.retrieveAllMetadata(getIssuerFromCredentialOfferPayload(request) as string);
+  public static async retrieveAllMetadataFromCredentialOfferRequest(request: CredentialOfferPayload): Promise<EndpointMetadataResult> {
+    const issuer = getIssuerFromCredentialOfferPayload(request);
+    if (issuer) {
+      return MetadataClient.retrieveAllMetadata(issuer);
     }
     throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
   }
@@ -41,75 +42,115 @@ export class MetadataClient {
    * @param issuer The issuer URL
    * @param opts
    */
-  public static async retrieveAllMetadata(issuer: string, opts?: { errorOnNotFound: boolean }): Promise<EndpointMetadata> {
-    let token_endpoint;
-    let credential_endpoint;
-    const response = await MetadataClient.retrieveOpenID4VCIServerMetadata(issuer);
-    let issuerMetadata = response?.successBody;
-    if (issuerMetadata) {
-      debug(`Issuer ${issuer} OID4VCI well-known server metadata\r\n${issuerMetadata}`);
-      credential_endpoint = issuerMetadata.credential_endpoint;
-      token_endpoint = issuerMetadata.token_endpoint;
-      if (!token_endpoint && issuerMetadata.authorization_server) {
-        debug(
-          `Issuer ${issuer} OID4VCI metadata has separate authorization_server ${issuerMetadata.authorization_server} that contains the token endpoint`,
-        );
-        // Crossword uses this to separate the AS metadata. We fail when not found, since we now have no way of getting the token endpoint
-        const response: OpenIDResponse<OAuth2ASMetadata> = await this.retrieveWellknown(
-          issuerMetadata.authorization_server,
-          WellKnownEndpoints.OAUTH_AS,
-          {
-            errorOnNotFound: true,
-          },
-        );
-        token_endpoint = response.successBody?.token_endpoint;
+  public static async retrieveAllMetadata(issuer: string, opts?: { errorOnNotFound: boolean }): Promise<EndpointMetadataResult> {
+    let token_endpoint: string | undefined;
+    let credential_endpoint: string | undefined;
+    let authorization_endpoint: string | undefined;
+    let authorizationServerType: AuthorizationServerType = 'OID4VCI';
+    let authorization_server: string = issuer;
+    const oid4vciResponse = await MetadataClient.retrieveOpenID4VCIServerMetadata(issuer, { errorOnNotFound: false }); // We will handle errors later, given we will also try other metadata locations
+    let credentialIssuerMetadata = oid4vciResponse?.successBody;
+    if (credentialIssuerMetadata) {
+      debug(`Issuer ${issuer} OID4VCI well-known server metadata\r\n${JSON.stringify(credentialIssuerMetadata)}`);
+      credential_endpoint = credentialIssuerMetadata.credential_endpoint;
+      if (credentialIssuerMetadata.token_endpoint) {
+        token_endpoint = credentialIssuerMetadata.token_endpoint;
+      }
+      if (credentialIssuerMetadata.authorization_server) {
+        authorization_server = credentialIssuerMetadata.authorization_server;
       }
+      if (credentialIssuerMetadata.authorization_endpoint) {
+        authorization_endpoint = credentialIssuerMetadata.authorization_endpoint;
+      }
+    }
+    // No specific OID4VCI endpoint. Either can be an OAuth2 AS or an OIDC IDP. Let's start with OIDC first
+    let response: OpenIDResponse<AuthorizationServerMetadata> = await MetadataClient.retrieveWellknown(
+      authorization_server,
+      WellKnownEndpoints.OPENID_CONFIGURATION,
+      {
+        errorOnNotFound: false,
+      },
+    );
+    let authMetadata = response.successBody;
+    if (authMetadata) {
+      debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
+      authorizationServerType = 'OIDC';
     } else {
-      // No specific OID4VCI endpoint. Either can be an OAuth2 AS or an OpenID IDP. Let's start with OIDC first
-      let response: OpenIDResponse<Oauth2ASWithOID4VCIMetadata> = await MetadataClient.retrieveWellknown(
-        issuer,
-        WellKnownEndpoints.OPENID_CONFIGURATION,
-        {
-          errorOnNotFound: false,
-        },
-      );
-      let asConfig = response.successBody;
-      if (asConfig) {
-        debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
-      } else {
-        // Now oAuth2
-        response = await MetadataClient.retrieveWellknown(issuer, WellKnownEndpoints.OAUTH_AS, { errorOnNotFound: false });
-        asConfig = response.successBody;
+      // Now let's do OAuth2
+      response = await MetadataClient.retrieveWellknown(authorization_server, WellKnownEndpoints.OAUTH_AS, { errorOnNotFound: false });
+      authMetadata = response.successBody;
+    }
+    if (!authMetadata) {
+      // We will always throw an error, no matter whether the user provided the option not to, because this is bad.
+      if (issuer !== authorization_server) {
+        throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_server}, but that server did not provide metadata`);
+      }
+    } else {
+      if (!authorizationServerType) {
+        authorizationServerType = 'OAuth 2.0';
       }
-      if (asConfig) {
-        debug(`Issuer ${issuer} has oAuth2 Server metadata in well-known location`);
-        issuerMetadata = asConfig;
-        credential_endpoint = issuerMetadata.credential_endpoint;
-        token_endpoint = issuerMetadata.token_endpoint;
+      debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
+      if (!authMetadata.authorization_endpoint) {
+        throw Error(`Authorization Sever ${authorization_server} did not provide an authorization_endpoint`);
+      } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
+        throw Error(
+          `Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`,
+        );
+      }
+      authorization_endpoint = authMetadata.authorization_endpoint;
+      if (!authMetadata.token_endpoint) {
+        throw Error(`Authorization Sever ${authorization_server} did not provide a token_endpoint`);
+      } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
+        throw Error(
+          `Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`,
+        );
+      }
+      token_endpoint = authMetadata.token_endpoint;
+      if (authMetadata.credential_endpoint) {
+        if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
+          debug(
+            `Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.token_endpoint}). Will use the issuer value`,
+          );
+        } else {
+          credential_endpoint = authMetadata.credential_endpoint;
+        }
       }
     }
+
+    if (!authorization_endpoint) {
+      debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
+    }
     if (!token_endpoint) {
       debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
       if (opts?.errorOnNotFound) {
-        throw new Error(`Could not deduce the token endpoint for ${issuer}`);
+        throw Error(`Could not deduce the token_endpoint for ${issuer}`);
       } else {
-        token_endpoint = `${issuer}${issuer.endsWith('/') ? '' : '/'}token`;
+        token_endpoint = `${issuer}${issuer.endsWith('/') ? 'token' : '/token'}`;
       }
     }
     if (!credential_endpoint) {
       debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
       if (opts?.errorOnNotFound) {
-        throw new Error(`Could not deduce the credential endpoint for ${issuer}`);
+        throw Error(`Could not deduce the credential endpoint for ${issuer}`);
       } else {
-        credential_endpoint = `${issuer}${issuer.endsWith('/') ? '' : '/'}credential`;
+        credential_endpoint = `${issuer}${issuer.endsWith('/') ? 'credential' : '/credential'}`;
       }
     }
+
+    if (!credentialIssuerMetadata && authMetadata) {
+      // Apparently everything worked out and the issuer is exposing everything in oAuth2/OIDC well-knowns. Spec is vague about this situation, but we can support it
+      credentialIssuerMetadata = authMetadata as CredentialIssuerMetadata;
+    }
     debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
     return {
       issuer,
       token_endpoint,
       credential_endpoint,
-      issuerMetadata,
+      authorization_server,
+      authorization_endpoint,
+      authorizationServerType,
+      credentialIssuerMetadata: credentialIssuerMetadata,
+      authorizationServerMetadata: authMetadata,
     };
   }
 
@@ -118,9 +159,15 @@ export class MetadataClient {
    *
    * @param issuerHost The issuer hostname
    */
-  public static async retrieveOpenID4VCIServerMetadata(issuerHost: string): Promise<OpenIDResponse<CredentialIssuerMetadata> | undefined> {
-    // Since the server metadata endpoint is optional we are not going to throw an error.
-    return MetadataClient.retrieveWellknown(issuerHost, WellKnownEndpoints.OPENID4VCI_ISSUER, { errorOnNotFound: false });
+  public static async retrieveOpenID4VCIServerMetadata(
+    issuerHost: string,
+    opts?: {
+      errorOnNotFound?: boolean;
+    },
+  ): Promise<OpenIDResponse<CredentialIssuerMetadata> | undefined> {
+    return MetadataClient.retrieveWellknown(issuerHost, WellKnownEndpoints.OPENID4VCI_ISSUER, {
+      errorOnNotFound: opts?.errorOnNotFound === undefined ? true : opts.errorOnNotFound,
+    });
   }
 
   /**
@@ -138,9 +185,9 @@ export class MetadataClient {
     const result: OpenIDResponse<T> = await getJson(`${host.endsWith('/') ? host.slice(0, -1) : host}${endpointType}`, {
       exceptionOnHttpErrorStatus: opts?.errorOnNotFound,
     });
-    if (result.origResponse.status === 404) {
+    if (result.origResponse.status >= 400) {
       // We only get here when error on not found is false
-      debug(`host ${host} with endpoint type ${endpointType} was not found (404)`);
+      debug(`host ${host} with endpoint type ${endpointType} status: ${result.origResponse.status}, ${result.origResponse.statusText}`);
     }
     return result;
   }

package/lib/OpenID4VCIClient.ts

@@ -9,6 +9,7 @@ import {
   CredentialResponse,
   CredentialSupported,
   EndpointMetadata,
+  EndpointMetadataResult,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   OpenIDResponse,
@@ -53,7 +54,7 @@ export class OpenID4VCIClient {
   private _clientId?: string;
   private _kid: string | undefined;
   private _alg: Alg | string | undefined;
-  private _endpointMetadata: EndpointMetadata | undefined;
+  private _endpointMetadata: EndpointMetadataResult | undefined;
   private _accessTokenResponse: AccessTokenResponse | undefined;
 
   private constructor(
@@ -119,9 +120,14 @@ export class OpenID4VCIClient {
     if (!scope && !authorizationDetails) {
       throw Error('Please provide a scope or authorization_details');
     }
-    // todo: handling this because of the support for v1_0-08
-    if (this._endpointMetadata && this._endpointMetadata.issuerMetadata && 'authorization_endpoint' in this._endpointMetadata.issuerMetadata) {
-      this._endpointMetadata.authorization_endpoint = this._endpointMetadata.issuerMetadata.authorization_endpoint as string;
+    // todo: Probably can go with current logic in MetadataClient who will always set the authorization_endpoint when found
+    //  handling this because of the support for v1_0-08
+    if (
+      this._endpointMetadata &&
+      this._endpointMetadata.credentialIssuerMetadata &&
+      'authorization_endpoint' in this._endpointMetadata.credentialIssuerMetadata
+    ) {
+      this._endpointMetadata.authorization_endpoint = this._endpointMetadata.credentialIssuerMetadata.authorization_endpoint as string;
     }
     if (!this._endpointMetadata?.authorization_endpoint) {
       throw Error('Server metadata does not contain authorization endpoint');
@@ -169,13 +175,13 @@ export class OpenID4VCIClient {
     // What happens if it doesn't ???
     // let parEndpoint: string
     if (
-      !this._endpointMetadata?.issuerMetadata ||
-      !('pushed_authorization_request_endpoint' in this._endpointMetadata.issuerMetadata) ||
-      typeof this._endpointMetadata.issuerMetadata.pushed_authorization_request_endpoint !== 'string'
+      !this._endpointMetadata?.credentialIssuerMetadata ||
+      !('pushed_authorization_request_endpoint' in this._endpointMetadata.credentialIssuerMetadata) ||
+      typeof this._endpointMetadata.credentialIssuerMetadata.pushed_authorization_request_endpoint !== 'string'
     ) {
       throw Error('Server metadata does not contain pushed authorization request endpoint');
     }
-    const parEndpoint: string = this._endpointMetadata.issuerMetadata.pushed_authorization_request_endpoint;
+    const parEndpoint: string = this._endpointMetadata.credentialIssuerMetadata.pushed_authorization_request_endpoint;
 
     // add 'openid' scope if not present
     if (scope && !scope.includes('openid')) {
@@ -207,7 +213,10 @@ export class OpenID4VCIClient {
   }
 
   private handleLocations(authorizationDetails: AuthDetails) {
-    if (authorizationDetails && (this.endpointMetadata.issuerMetadata?.authorization_server || this.endpointMetadata.authorization_endpoint)) {
+    if (
+      authorizationDetails &&
+      (this.endpointMetadata.credentialIssuerMetadata?.authorization_server || this.endpointMetadata.authorization_endpoint)
+    ) {
       if (authorizationDetails.locations) {
         if (Array.isArray(authorizationDetails.locations)) {
           (authorizationDetails.locations as string[]).push(this.endpointMetadata.issuer);
@@ -293,8 +302,8 @@ export class OpenID4VCIClient {
       metadata: this.endpointMetadata,
     });
     requestBuilder.withTokenFromResponse(this.accessTokenResponse);
-    if (this.endpointMetadata?.issuerMetadata) {
-      const metadata = this.endpointMetadata.issuerMetadata;
+    if (this.endpointMetadata?.credentialIssuerMetadata) {
+      const metadata = this.endpointMetadata.credentialIssuerMetadata;
       const types = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes];
       if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
         for (const type of types) {
@@ -357,79 +366,29 @@ export class OpenID4VCIClient {
     return response.successBody;
   }
 
-  getCredentialsSupported(restrictToInitiationTypes: boolean, supportedType?: string): CredentialSupported[] {
+  getCredentialsSupported(
+    restrictToInitiationTypes: boolean,
+    format?: (OID4VCICredentialFormat | string) | (OID4VCICredentialFormat | string)[],
+  ): CredentialSupported[] {
     return getSupportedCredentials({
-      issuerMetadata: this.endpointMetadata.issuerMetadata,
+      issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
       version: this.version(),
-      supportedType,
-      credentialTypes: restrictToInitiationTypes ? this.getCredentialTypes() : undefined,
+      format: format,
+      types: restrictToInitiationTypes ? this.getCredentialTypes() : undefined,
     });
-    /*//FIXME: delegate to getCredentialsSupported from IssuerMetadataUtils
-    let credentialsSupported = this.endpointMetadata?.issuerMetadata?.credentials_supported
-
-    if (this.version() === OpenId4VCIVersion.VER_1_0_08 || typeof credentialsSupported === 'object') {
-      const issuerMetadata = this.endpointMetadata.issuerMetadata as IssuerMetadataV1_0_08
-      const v8CredentialsSupported = issuerMetadata.credentials_supported
-      credentialsSupported = []
-      credentialsSupported = Object.entries(v8CredentialsSupported).map((key, value) => )
-
-    }
-
-
-    if (!credentialsSupported) {
-      return []
-    } else if (!restrictToInitiationTypes) {
-      return credentialsSupported
-    }
-
-
-
-    /!**
-     * the following (not array part is a legacy code from version 1_0-08 which jff implementors used)
-     *!/
-    if (!Array.isArray(credentialsSupported)) {
-      const credentialsSupportedV8: CredentialSupportedV1_0_08 = credentialsSupported as CredentialSupportedV1_0_08;
-      const initiationTypes = supportedType ? [supportedType] : this.getCredentialTypes();
-      const supported: IssuerCredentialSubject = {};
-      for (const [key, value] of Object.entries(credentialsSupportedV8)) {
-        if (initiationTypes.includes(key)) {
-          supported[key] = value;
-        }
-      }
-      // todo: fix this later. we're returning CredentialSupportedV1_0_08 as a list of CredentialSupported (for v09 onward)
-      return supported as unknown as CredentialSupported[];
-    }
-    const initiationTypes = supportedType ? [supportedType] : this.getCredentialTypes()
-    const credentialSupportedOverlap: CredentialSupported[] = []
-    for (const supported of credentialsSupported) {
-      const supportedTypeOverlap: string[] = []
-      for (const type of supported.types) {
-        initiationTypes.includes(type)
-        supportedTypeOverlap.push(type)
-      }
-      if (supportedTypeOverlap.length > 0) {
-        credentialSupportedOverlap.push({
-          ...supported,
-          types: supportedTypeOverlap
-        })
-      }
-    }
-    return credentialSupportedOverlap as CredentialSupported[]*/
   }
 
-  getCredentialMetadata(type: string): CredentialSupported[] {
-    return this.getCredentialsSupported(false, type);
-  }
-
-  // todo https://sphereon.atlassian.net/browse/VDX-184
-  getCredentialTypes(): string[] {
+  getCredentialTypes(): string[][] {
     if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {
-      return typeof (this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08).credential_type === 'string'
-        ? [(this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08).credential_type as string]
-        : ((this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08).credential_type as string[]);
+      const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08;
+      const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type;
+      const result: string[][] = [];
+      result[0] = types;
+      return result;
     } else {
-      // FIXME: this for sure isn't correct. It would also include VerifiableCredential. The whole call to this getCredentialsTypes should be changed to begin with
-      return this.credentialOffer.credential_offer.credentials.flatMap((c) => (typeof c === 'string' ? c : c.types));
+      return this.credentialOffer.credential_offer.credentials.map((c, index) => {
+        return typeof c === 'string' ? [c] : c.types;
+      });
     }
   }
 
@@ -449,7 +408,7 @@ export class OpenID4VCIClient {
     return this.credentialOffer.version;
   }
 
-  public get endpointMetadata(): EndpointMetadata {
+  public get endpointMetadata(): EndpointMetadataResult {
     this.assertServerMetadata();
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
     return this._endpointMetadata!;

package/lib/__tests__/AccessTokenClient.spec.ts

@@ -1,4 +1,11 @@
-import { AccessTokenRequest, AccessTokenRequestOpts, AccessTokenResponse, GrantTypes, OpenIDResponse } from '@sphereon/oid4vci-common';
+import {
+  AccessTokenRequest,
+  AccessTokenRequestOpts,
+  AccessTokenResponse,
+  GrantTypes,
+  OpenIDResponse,
+  WellKnownEndpoints,
+} from '@sphereon/oid4vci-common';
 import nock from 'nock';
 
 import { AccessTokenClient } from '../AccessTokenClient';
@@ -11,6 +18,8 @@ const MOCK_URL = 'https://sphereonjunit20221013.com/';
 describe('AccessTokenClient should', () => {
   beforeEach(() => {
     nock.cleanAll();
+    nock(MOCK_URL).get(WellKnownEndpoints.OAUTH_AS).reply(404, {});
+    nock(MOCK_URL).get(WellKnownEndpoints.OPENID_CONFIGURATION).reply(404, {});
   });
 
   afterEach(() => {

package/lib/__tests__/IT.spec.ts

@@ -6,6 +6,7 @@ import {
   Jwt,
   OpenId4VCIVersion,
   ProofOfPossession,
+  WellKnownEndpoints,
 } from '@sphereon/oid4vci-common';
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore
@@ -55,6 +56,7 @@ describe('OID4VCI-Client should', () => {
   function succeedWithAFullFlowWithClientSetup() {
     nock(IDENTIPROOF_ISSUER_URL).get('/.well-known/openid-credential-issuer').reply(200, JSON.stringify(IDENTIPROOF_OID4VCI_METADATA));
     nock(IDENTIPROOF_AS_URL).get('/.well-known/oauth-authorization-server').reply(200, JSON.stringify(IDENTIPROOF_AS_METADATA));
+    nock(IDENTIPROOF_AS_URL).get(WellKnownEndpoints.OPENID_CONFIGURATION).reply(404, {});
     nock(IDENTIPROOF_AS_URL)
       .post(/oauth2\/token.*/)
       .reply(200, JSON.stringify(mockedAccessTokenResponse));

package/lib/__tests__/IssuanceInitiation.spec.ts

@@ -1,3 +1,5 @@
+import { OpenId4VCIVersion } from '@sphereon/oid4vci-common';
+
 import { CredentialOfferClient } from '../CredentialOfferClient';
 
 import { INITIATION_TEST, INITIATION_TEST_HTTPS_URI, INITIATION_TEST_URI } from './MetadataMocks';
@@ -45,4 +47,15 @@ describe('Issuance Initiation', () => {
     const issuanceInitiationURI = INITIATION_TEST_HTTPS_URI.replace('?', '');
     await expect(async () => CredentialOfferClient.fromURI(issuanceInitiationURI)).rejects.toThrowError('Invalid Credential Offer Request');
   });
+
+  it('Should return Credential Offer', async () => {
+    const client = await CredentialOfferClient.fromURI(
+      'openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Flaunchpad.vii.electron.mattrlabs.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22ldp_vc%22%2C%22types%22%3A%5B%22OpenBadgeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X%22%7D%7D%7D',
+    );
+    expect(client.version).toEqual(OpenId4VCIVersion.VER_1_0_11);
+    expect(client.baseUrl).toEqual('openid-credential-offer://');
+    expect(client.scheme).toEqual('openid-credential-offer');
+    expect(client.credential_offer.credential_issuer).toEqual('https://launchpad.vii.electron.mattrlabs.io');
+    expect(client.preAuthorizedCode).toEqual('UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X');
+  });
 });

package/lib/__tests__/MattrE2E.spec.test.ts

@@ -0,0 +1,106 @@
+import { Alg, AuthzFlowType, Jwt } from '@sphereon/oid4vci-common';
+import { CredentialMapper } from '@sphereon/ssi-types';
+import { fetch } from 'cross-fetch';
+import { importJWK, JWK, SignJWT } from 'jose';
+
+import { OpenID4VCIClient } from '..';
+
+export const UNIT_TEST_TIMEOUT = 30000;
+
+const ISSUER_URL = 'https://launchpad.vii.electron.mattrlabs.io';
+
+const jwk: JWK = {
+  crv: 'Ed25519',
+  d: 'kTRm0aONHYwNPA-w_DtjMHUIWjE3K70qgCIhWojZ0eU',
+  x: 'NeA0d8sp86xRh3DczU4m5wPNIbl0HCSwOBcMN3sNmdk',
+  kty: 'OKP',
+};
+
+// pub  hex: 35e03477cb29f3ac518770dccd4e26e703cd21b9741c24b038170c377b0d99d9
+// priv hex: 913466d1a38d1d8c0d3c0fb0fc3b633075085a31372bbd2a8022215a88d9d1e5
+const did = `did:key:z6Mki5ZwZKN1dBQprfJTikUvkDxrHijiiQngkWviMF5gw2Hv`;
+const kid = `${did}#z6Mki5ZwZKN1dBQprfJTikUvkDxrHijiiQngkWviMF5gw2Hv`;
+describe('OID4VCI-Client using Mattr issuer should', () => {
+  async function test(format: 'ldp_vc' | 'jwt_vc_json') {
+    const offer = await getCredentialOffer(format);
+    const client = await OpenID4VCIClient.fromURI({
+      uri: offer.offerUrl,
+      flowType: AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW,
+      kid,
+      alg: Alg.EdDSA,
+    });
+    expect(client.flowType).toEqual(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW);
+    expect(client.credentialOffer).toBeDefined();
+    expect(client.endpointMetadata).toBeDefined();
+    expect(client.getCredentialEndpoint()).toEqual(`${ISSUER_URL}/oidc/v1/auth/credential`);
+    expect(client.getAccessTokenEndpoint()).toEqual('https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/token');
+
+    const accessToken = await client.acquireAccessToken();
+    console.log(accessToken);
+    expect(accessToken).toMatchObject({
+      expires_in: 3600,
+      scope: 'OpenBadgeCredential',
+      token_type: 'Bearer',
+    });
+
+    const credentialResponse = await client.acquireCredentials({
+      credentialTypes: 'OpenBadgeCredential',
+      format,
+      proofCallbacks: {
+        signCallback: proofOfPossessionCallbackFunction,
+      },
+    });
+    expect(credentialResponse.credential).toBeDefined();
+    const wrappedVC = CredentialMapper.toWrappedVerifiableCredential(credentialResponse.credential!);
+    expect(format.startsWith(wrappedVC.format)).toEqual(true);
+  }
+
+  it(
+    'succeed in a full flow with the client using OpenID4VCI version 11 and ldp_vc',
+    async () => {
+      await test('ldp_vc');
+    },
+    UNIT_TEST_TIMEOUT,
+  );
+  it(
+    'succeed in a full flow with the client using OpenID4VCI version 11 and jwt_vc_json',
+    async () => {
+      await test('jwt_vc_json');
+    },
+    UNIT_TEST_TIMEOUT,
+  );
+});
+
+interface CreateCredentialOfferResponse {
+  id: string;
+  offerUrl: string;
+}
+
+async function getCredentialOffer(format: 'ldp_vc' | 'jwt_vc_json'): Promise<CreateCredentialOfferResponse> {
+  const credentialOffer = await fetch('https://launchpad.mattrlabs.com/api/credential-offer', {
+    method: 'post',
+    headers: {
+      Accept: 'application/json',
+      'Content-Type': 'application/json',
+    },
+
+    //make sure to serialize your JSON body
+    body: JSON.stringify({
+      format,
+      type: 'OpenBadgeCredential',
+      userId: '622a9f65-21c0-4c0b-9a6a-f7574c2a1549',
+      userAuthenticationRequired: false,
+    }),
+  });
+
+  return (await credentialOffer.json()) as CreateCredentialOfferResponse;
+}
+
+async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promise<string> {
+  const importedJwk = await importJWK(jwk, 'EdDSA');
+  return await new SignJWT({ ...args.payload })
+    .setProtectedHeader({ ...args.header })
+    .setIssuedAt()
+    .setExpirationTime('2h')
+    .sign(importedJwk);
+}