@sphereon/oid4vci-client 0.8.1 → 0.8.2-next.26

package/lib/__tests__/EBSIE2E.spec.test.ts

@@ -0,0 +1,138 @@
+import { Alg, CodeChallengeMethod, Jwt } from '@sphereon/oid4vci-common';
+import { toJwk } from '@sphereon/ssi-sdk-ext.key-utils';
+import { CredentialMapper } from '@sphereon/ssi-types';
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+//@ts-ignore
+import { from } from '@trust/keyto';
+import { fetch } from 'cross-fetch';
+import debug from 'debug';
+import { base64url, importJWK, JWK, SignJWT } from 'jose';
+import * as u8a from 'uint8arrays';
+
+import { OpenID4VCIClient } from '..';
+
+export const UNIT_TEST_TIMEOUT = 30000;
+
+const ISSUER_URL = 'https://conformance-test.ebsi.eu/conformance/v3/issuer-mock';
+const AUTH_URL = 'https://conformance-test.ebsi.eu/conformance/v3/auth-mock';
+
+const jwk: JWK = {
+  alg: 'ES256',
+  use: 'sig',
+  kty: 'EC',
+  crv: 'P-256',
+  x: 'hUWYK06qFvdudydiqnEhVJhZ-73jcLtuzH8kIyNOSHE',
+  y: 'UZf7oUkJdo65SQekMD5ssiRclEimG2SmlsjXf3QwQJo',
+  d: 'zDeeo3K0Pk8dofeKcajvJYxMZ1vijx_cVDJQl1IpbAM',
+};
+
+console.log(`JWK (private/orig): ${JSON.stringify(jwk, null, 2)}`);
+
+const privateKey = from(jwk, 'jwk').toString('blk', 'private');
+const publicKey = from(jwk, 'jwk').toString('blk', 'public');
+console.log(`Private key: ${privateKey}`);
+console.log(`Public key: ${publicKey}`);
+console.log(`Private key (b64): ${base64url.encode(u8a.fromString(privateKey, 'base16'))}`);
+console.log(`JWK (private 2) ${JSON.stringify(toJwk(privateKey, 'Secp256r1', { isPrivateKey: true }))}`);
+console.log(`JWK (public  2) ${JSON.stringify(toJwk(publicKey, 'Secp256r1', { isPrivateKey: false }))}`);
+
+// const DID_METHOD = 'did:key'
+const DID =
+  'did:key:z2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9Kbrm54tL4pRrDDhR1QJ5RHPMXUq5MzYpZL2k35vya5eMiNxschNy9AJ74CC3MmcYiZJGZfyhWQ6qDgTVcDSHdquwPYvLDut383JbrgYdZYYSC2merTMgmQtUi3huYhaky1qE';
+const DID_URL_ENCODED =
+  'did%3Akey%3Az2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9Kbrm54tL4pRrDDhR1QJ5RHPMXUq5MzYpZL2k35vya5eMiNxschNy9AJ74CC3MmcYiZJGZfyhWQ6qDgTVcDSHdquwPYvLDut383JbrgYdZYYSC2merTMgmQtUi3huYhaky1qE';
+// const PRIVATE_KEY_HEX = '7dd923e40f4615ac496119f7e793cc2899e99b64b88ca8603db986700089532b'
+
+// const PUBLIC_KEY_HEX =
+//   '04a23cb4c83901acc2eb0f852599610de0caeac260bf8ed05e7f902eaac0f9c8d74dd4841b94d13424d32af8ec0e9976db9abfa7e3a59e10d565c5d4d901b4be63'
+
+// pub  hex: 35e03477cb29f3ac518770dccd4e26e703cd21b9741c24b038170c377b0d99d9
+// priv hex: 913466d1a38d1d8c0d3c0fb0fc3b633075085a31372bbd2a8022215a88d9d1e5
+// const did = `did:key:z6Mki5ZwZKN1dBQprfJTikUvkDxrHijiiQngkWviMF5gw2Hv`;
+const kid = `${DID}#z2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9Kbrm54tL4pRrDDhR1QJ5RHPMXUq5MzYpZL2k35vya5eMiNxschNy9AJ74CC3MmcYiZJGZfyhWQ6qDgTVcDSHdquwPYvLDut383JbrgYdZYYSC2merTMgmQtUi3huYhaky1qE`;
+
+// const jw = jose.importKey()
+describe('OID4VCI-Client using Sphereon issuer should', () => {
+  async function test(credentialType: 'CTWalletCrossPreAuthorisedInTime' | 'CTWalletCrossAuthorisedInTime') {
+    debug.enable('*');
+    const offer = await getCredentialOffer(credentialType);
+    const client = await OpenID4VCIClient.fromURI({
+      uri: offer,
+      kid,
+      alg: Alg.ES256,
+      clientId: DID_URL_ENCODED,
+    });
+    expect(client.credentialOffer).toBeDefined();
+    expect(client.endpointMetadata).toBeDefined();
+    expect(client.getCredentialEndpoint()).toEqual(`${ISSUER_URL}/credential`);
+    expect(client.getAccessTokenEndpoint()).toEqual(`${AUTH_URL}/token`);
+
+    if (credentialType !== 'CTWalletCrossPreAuthorisedInTime') {
+      const url = client.createAuthorizationRequestUrl({
+        redirectUri: 'openid4vc%3A',
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+      });
+      const result = await fetch(url);
+      console.log(result.text());
+    }
+
+    const accessToken = await client.acquireAccessToken({ pin: '0891' });
+    // console.log(accessToken);
+    expect(accessToken).toMatchObject({
+      expires_in: 86400,
+      // scope: 'GuestCredential',
+      token_type: 'Bearer',
+    });
+
+    const format = 'jwt_vc';
+    const credentialResponse = await client.acquireCredentials({
+      credentialTypes: client.getCredentialOfferTypes()[0],
+      format,
+      proofCallbacks: {
+        signCallback: proofOfPossessionCallbackFunction,
+      },
+      kid,
+    });
+    console.log(JSON.stringify(credentialResponse, null, 2));
+    expect(credentialResponse.credential).toBeDefined();
+    const wrappedVC = CredentialMapper.toWrappedVerifiableCredential(credentialResponse.credential!);
+    expect(format.startsWith(wrappedVC.format)).toEqual(true);
+  }
+
+  // Current conformance tests is not stable as changes are being applied it seems
+
+  it.skip(
+    'succeed in a full flow with the client using OpenID4VCI version 11 and jwt_vc_json',
+    async () => {
+      await test('CTWalletCrossPreAuthorisedInTime');
+      // await test('CTWalletCrossAuthorisedInTime');
+    },
+    UNIT_TEST_TIMEOUT,
+  );
+});
+
+async function getCredentialOffer(credentialType: 'CTWalletCrossPreAuthorisedInTime' | 'CTWalletCrossAuthorisedInTime'): Promise<string> {
+  const credentialOffer = await fetch(
+    `https://conformance-test.ebsi.eu/conformance/v3/issuer-mock/initiate-credential-offer?credential_type=${credentialType}&client_id=${DID_URL_ENCODED}&credential_offer_endpoint=openid-credential-offer%3A%2F%2F`,
+    {
+      method: 'GET',
+      headers: {
+        Accept: 'application/json',
+        'Content-Type': 'application/json',
+      },
+    },
+  );
+
+  return await credentialOffer.text();
+}
+
+async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promise<string> {
+  const importedJwk = await importJWK(jwk);
+  return await new SignJWT({ ...args.payload })
+    .setProtectedHeader({ ...args.header, kid: kid! })
+    .setIssuer(DID)
+    .setIssuedAt()
+    .setExpirationTime('2m')
+    .sign(importedJwk);
+}

package/lib/__tests__/MattrE2E.spec.test.ts

@@ -20,7 +20,7 @@ const jwk: JWK = {
 // priv hex: 913466d1a38d1d8c0d3c0fb0fc3b633075085a31372bbd2a8022215a88d9d1e5
 const did = `did:key:z6Mki5ZwZKN1dBQprfJTikUvkDxrHijiiQngkWviMF5gw2Hv`;
 const kid = `${did}#z6Mki5ZwZKN1dBQprfJTikUvkDxrHijiiQngkWviMF5gw2Hv`;
-describe('OID4VCI-Client using Mattr issuer should', () => {
+describe.skip('OID4VCI-Client using Mattr issuer should', () => {
   async function test(format: 'ldp_vc' | 'jwt_vc_json') {
     const offer = await getCredentialOffer(format);
     const client = await OpenID4VCIClient.fromURI({

package/lib/__tests__/MetadataClient.spec.ts

@@ -1,4 +1,6 @@
 import { getIssuerFromCredentialOfferPayload, WellKnownEndpoints } from '@sphereon/oid4vci-common';
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+// @ts-ignore
 import nock from 'nock';
 
 import { CredentialOfferClient } from '../CredentialOfferClient';
@@ -211,7 +213,8 @@ describe('Metadataclient with Walt-id should', () => {
   });
 });
 
-describe('Metadataclient with SpruceId should', () => {
+// Spruce gives back 404's these days, so test is disabled
+describe.skip('Metadataclient with SpruceId should', () => {
   beforeAll(() => {
     nock.cleanAll();
   });

package/lib/__tests__/OpenID4VCIClient.spec.ts

@@ -68,6 +68,11 @@ describe('OpenID4VCIClient should', () => {
     expect(scope?.[0]).toBe('openid');
   });
   it('throw an error if no scope and no authorization_details is provided', async () => {
+    nock(MOCK_URL).get(/.*/).reply(200, {});
+    nock(MOCK_URL).get(WellKnownEndpoints.OAUTH_AS).reply(404, {});
+    nock(MOCK_URL).get(WellKnownEndpoints.OPENID_CONFIGURATION).reply(404, {});
+    // Use a client with issuer only to trigger the error
+    client = await OpenID4VCIClient.fromCredentialIssuer({ credentialIssuer: 'https://server.example.com' });
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore
     client._endpointMetadata?.credentialIssuerMetadata.authorization_endpoint = `${MOCK_URL}v1/auth/authorize`;

package/lib/__tests__/SdJwt.spec.ts

@@ -0,0 +1,161 @@
+import { AccessTokenRequest, CredentialRequestV1_0_11, CredentialSupportedSdJwtVc } from '@sphereon/oid4vci-common';
+import nock from 'nock';
+
+import { OpenID4VCIClient } from '..';
+import { createAccessTokenResponse, IssuerMetadataBuilderV1_11, VcIssuerBuilder } from '../../../issuer';
+
+export const UNIT_TEST_TIMEOUT = 30000;
+
+const alg = 'ES256';
+const jwk = { kty: 'EC', crv: 'P-256', x: 'zQOowIC1gWJtdddB5GAt4lau6Lt8Ihy771iAfam-1pc', y: 'cjD_7o3gdQ1vgiQy3_sMGs7WrwCMU9FQYimA3HxnMlw' };
+
+const issuerMetadata = new IssuerMetadataBuilderV1_11()
+  .withCredentialIssuer('https://example.com')
+  .withCredentialEndpoint('https://credenital-endpoint.example.com')
+  .withTokenEndpoint('https://token-endpoint.example.com')
+  .addSupportedCredential({
+    format: 'vc+sd-jwt',
+    vct: 'SdJwtCredential',
+    id: 'SdJwtCredentialId',
+  })
+  .build();
+
+const vcIssuer = new VcIssuerBuilder()
+  .withIssuerMetadata(issuerMetadata)
+  .withInMemoryCNonceState()
+  .withInMemoryCredentialOfferState()
+  .withInMemoryCredentialOfferURIState()
+  // TODO: see if we can construct an sd-jwt vc based on the input
+  .withCredentialSignerCallback(async () => {
+    return 'sd-jwt';
+  })
+  .withJWTVerifyCallback(() =>
+    Promise.resolve({
+      alg,
+      jwk,
+      jwt: {
+        header: {
+          typ: 'openid4vci-proof+jwt',
+          alg,
+          jwk,
+        },
+        payload: {
+          aud: issuerMetadata.credential_issuer,
+          iat: +new Date(),
+          nonce: 'a-c-nonce',
+        },
+      },
+    }),
+  )
+  .build();
+
+describe('sd-jwt vc', () => {
+  beforeEach(() => {
+    nock.cleanAll();
+  });
+  afterEach(() => {
+    nock.cleanAll();
+  });
+
+  it(
+    'succeed with a full flow',
+    async () => {
+      const offerUri = await vcIssuer.createCredentialOfferURI({
+        grants: {
+          'urn:ietf:params:oauth:grant-type:pre-authorized_code': {
+            'pre-authorized_code': '123',
+            user_pin_required: false,
+          },
+        },
+        credentials: ['SdJwtCredentialId'],
+      });
+
+      nock(vcIssuer.issuerMetadata.credential_issuer).get('/.well-known/openid-credential-issuer').reply(200, JSON.stringify(issuerMetadata));
+      nock(vcIssuer.issuerMetadata.credential_issuer).get('/.well-known/openid-configuration').reply(404);
+      nock(vcIssuer.issuerMetadata.credential_issuer).get('/.well-known/oauth-authorization-server').reply(404);
+
+      expect(offerUri.uri).toEqual(
+        'openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22123%22%2C%22user_pin_required%22%3Afalse%7D%7D%2C%22credentials%22%3A%5B%22SdJwtCredentialId%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fexample.com%22%7D',
+      );
+
+      const client = await OpenID4VCIClient.fromURI({
+        uri: offerUri.uri,
+      });
+
+      expect(client.credentialOffer?.credential_offer).toEqual({
+        credential_issuer: 'https://example.com',
+        credentials: ['SdJwtCredentialId'],
+        grants: {
+          'urn:ietf:params:oauth:grant-type:pre-authorized_code': {
+            'pre-authorized_code': '123',
+            user_pin_required: false,
+          },
+        },
+      });
+
+      const supported = client.getCredentialsSupported(true, 'vc+sd-jwt');
+      expect(supported).toEqual([
+        {
+          vct: 'SdJwtCredential',
+          format: 'vc+sd-jwt',
+          id: 'SdJwtCredentialId',
+        },
+      ]);
+
+      const offered = supported[0] as CredentialSupportedSdJwtVc;
+
+      nock(issuerMetadata.token_endpoint as string)
+        .post('/')
+        .reply(200, async (_, body: string) => {
+          const parsedBody = Object.fromEntries(body.split('&').map((x) => x.split('=')));
+          return createAccessTokenResponse(parsedBody as AccessTokenRequest, {
+            credentialOfferSessions: vcIssuer.credentialOfferSessions,
+            accessTokenIssuer: 'https://issuer.example.com',
+            cNonces: vcIssuer.cNonces,
+            cNonce: 'a-c-nonce',
+            accessTokenSignerCallback: async () => 'ey.val.ue',
+            tokenExpiresIn: 500,
+          });
+        });
+
+      await client.acquireAccessToken({});
+
+      nock(issuerMetadata.credential_endpoint as string)
+        .post('/')
+        .reply(200, async (_, body) =>
+          vcIssuer.issueCredential({
+            credentialRequest: body as CredentialRequestV1_0_11,
+            credential: {
+              vct: 'Hello',
+              iss: 'did:example:123',
+              iat: 123,
+              // Defines what can be disclosed (optional)
+              __disclosureFrame: {
+                name: true,
+              },
+            },
+            newCNonce: 'new-c-nonce',
+          }),
+        );
+
+      const credentials = await client.acquireCredentials({
+        credentialTypes: [offered.vct],
+        format: 'vc+sd-jwt',
+        alg,
+        jwk,
+        proofCallbacks: {
+          // When using sd-jwt for real, this jwt should include a jwk
+          signCallback: async () => 'ey.ja.ja',
+        },
+      });
+
+      expect(credentials).toEqual({
+        c_nonce: 'new-c-nonce',
+        c_nonce_expires_in: 300000,
+        credential: 'sd-jwt',
+        format: 'vc+sd-jwt',
+      });
+    },
+    UNIT_TEST_TIMEOUT,
+  );
+});

package/lib/__tests__/SphereonE2E.spec.test.ts

@@ -0,0 +1,169 @@
+import * as crypto from 'crypto';
+
+import { Alg, Jwt, ProofOfPossessionCallbacks } from '@sphereon/oid4vci-common';
+import { CredentialMapper } from '@sphereon/ssi-types';
+import * as didts from '@transmute/did-key.js';
+import { fetch } from 'cross-fetch';
+import debug from 'debug';
+import { importJWK, JWK, SignJWT } from 'jose';
+import { v4 } from 'uuid';
+
+import { OpenID4VCIClient } from '..';
+
+export const UNIT_TEST_TIMEOUT = 30000;
+
+const ISSUER_URL = 'https://ssi.sphereon.com/pf3';
+
+const jwk: JWK = {
+  crv: 'Ed25519',
+  d: 'kTRm0aONHYwNPA-w_DtjMHUIWjE3K70qgCIhWojZ0eU',
+  x: 'NeA0d8sp86xRh3DczU4m5wPNIbl0HCSwOBcMN3sNmdk',
+  kty: 'OKP',
+};
+
+// pub  hex: 35e03477cb29f3ac518770dccd4e26e703cd21b9741c24b038170c377b0d99d9
+// priv hex: 913466d1a38d1d8c0d3c0fb0fc3b633075085a31372bbd2a8022215a88d9d1e5
+const did = `did:key:z6Mki5ZwZKN1dBQprfJTikUvkDxrHijiiQngkWviMF5gw2Hv`;
+const kid = `${did}#z6Mki5ZwZKN1dBQprfJTikUvkDxrHijiiQngkWviMF5gw2Hv`;
+describe('OID4VCI-Client using Sphereon issuer should', () => {
+  async function test(format: 'ldp_vc' | 'jwt_vc_json') {
+    debug.enable('*');
+    const offer = await getCredentialOffer(format);
+    const client = await OpenID4VCIClient.fromURI({
+      uri: offer.uri,
+      kid,
+      alg: Alg.EdDSA,
+    });
+    expect(client.credentialOffer).toBeDefined();
+    expect(client.endpointMetadata).toBeDefined();
+    expect(client.getCredentialEndpoint()).toEqual(`${ISSUER_URL}/credentials`);
+    expect(client.getAccessTokenEndpoint()).toEqual(`${ISSUER_URL}/token`);
+
+    const accessToken = await client.acquireAccessToken();
+    // console.log(accessToken);
+    expect(accessToken).toMatchObject({
+      expires_in: 300,
+      // scope: 'GuestCredential',
+      token_type: 'bearer',
+    });
+
+    const credentialResponse = await client.acquireCredentials({
+      credentialTypes: 'GuestCredential',
+      format,
+      proofCallbacks: {
+        signCallback: proofOfPossessionCallbackFunction,
+      },
+    });
+    expect(credentialResponse.credential).toBeDefined();
+    const wrappedVC = CredentialMapper.toWrappedVerifiableCredential(credentialResponse.credential!);
+    expect(format.startsWith(wrappedVC.format)).toEqual(true);
+  }
+
+  xit(
+    'succeed in a full flow with the client using OpenID4VCI version 11 and ldp_vc',
+    async () => {
+      await test('ldp_vc');
+    },
+    UNIT_TEST_TIMEOUT,
+  );
+  it(
+    'succeed in a full flow with the client using OpenID4VCI version 11 and jwt_vc_json',
+    async () => {
+      await test('jwt_vc_json');
+    },
+    UNIT_TEST_TIMEOUT,
+  );
+});
+
+interface CreateCredentialOfferResponse {
+  uri: string;
+  userPinRequired: boolean;
+}
+
+async function getCredentialOffer(format: 'ldp_vc' | 'jwt_vc_json'): Promise<CreateCredentialOfferResponse> {
+  const credentialOffer = await fetch('https://ssi.sphereon.com/pf3/webapp/credential-offers', {
+    method: 'post',
+    headers: {
+      Accept: 'application/json',
+      'Content-Type': 'application/json',
+    },
+
+    //make sure to serialize your JSON body
+    body: JSON.stringify({
+      credentials: ['GuestCredential'],
+      grants: {
+        'urn:ietf:params:oauth:grant-type:pre-authorized_code': {
+          'pre-authorized_code': v4().substring(0, 10),
+          user_pin_required: false,
+        },
+      },
+      credentialDataSupplierInput: { firstName: 'Hello', lastName: 'World', email: 'hello.world@example.com' },
+    }),
+  });
+
+  return (await credentialOffer.json()) as CreateCredentialOfferResponse;
+}
+
+async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promise<string> {
+  const importedJwk = await importJWK(jwk, 'EdDSA');
+  return await new SignJWT({ ...args.payload })
+    .setProtectedHeader({ ...args.header, kid: kid! })
+    .setIssuer(kid!)
+    .setIssuedAt()
+    .setExpirationTime('2h')
+    .sign(importedJwk);
+}
+
+describe('ismapolis bug report #63, https://github.com/Sphereon-Opensource/OID4VC-demo/issues/63, should', () => {
+  it('work as expected provided a correct JWT is supplied', async () => {
+    debug.enable('*');
+    const { uri } = await getCredentialOffer('jwt_vc_json');
+    const client = await OpenID4VCIClient.fromURI({ uri: uri, clientId: 'test-clientID' });
+    const metadata = await client.retrieveServerMetadata();
+    console.log(JSON.stringify(metadata));
+
+    //2. Adquire acces token from authorization server endpoint
+
+    const accessToken = await client.acquireAccessToken({});
+    console.log(`Access token: ${JSON.stringify(accessToken)}`);
+
+    //3. Create DID needed for later proof of possession
+    const { keys, didDocument } = await didts.jwk.generate({
+      type: 'secp256k1', // 'P-256', 'P-384', 'X25519', 'secp256k1'
+      accept: 'application/did+json',
+      secureRandom: () => {
+        return crypto.randomBytes(32);
+      },
+    });
+    const edPrivateKey = await importJWK(keys[0].privateKeyJwk);
+
+    async function signCallback(args: Jwt, kid?: string): Promise<string> {
+      if (!args.payload.aud) {
+        throw Error('aud required');
+      } else if (!kid) {
+        throw Error('kid required');
+      }
+      return await new SignJWT({ ...args.payload })
+        .setProtectedHeader({ alg: args.header.alg, kid, typ: 'openid4vci-proof+jwt' })
+        .setIssuedAt()
+        .setIssuer(kid)
+        .setAudience(args.payload.aud)
+        .setExpirationTime('2h')
+        .sign(edPrivateKey);
+    }
+
+    const callbacks: ProofOfPossessionCallbacks<never> = {
+      signCallback: signCallback,
+    };
+
+    const credentialResponse = await client.acquireCredentials({
+      credentialTypes: 'GuestCredential',
+      proofCallbacks: callbacks,
+      format: 'jwt_vc_json',
+      alg: Alg.ES256K,
+      kid: didDocument.verificationMethod[0].id,
+      jti: v4(),
+    });
+    console.log(JSON.stringify(credentialResponse.credential));
+  });
+});

package/lib/__tests__/data/VciDataFixtures.ts

@@ -1,4 +1,4 @@
-import { CredentialSupportedBrief, IssuerCredentialSubjectDisplay, IssuerMetadataV1_0_08 } from '@sphereon/oid4vci-common';
+import { CredentialSupportedFormatV1_0_08, IssuerCredentialSubjectDisplay, IssuerMetadataV1_0_08 } from '@sphereon/oid4vci-common';
 import { ICredentialStatus, W3CVerifiableCredential } from '@sphereon/ssi-types';
 
 export function getMockData(issuerName: string): IssuerMockData | null {
@@ -42,7 +42,8 @@ export interface IssuerMockData {
     url: string;
     deeplink: string;
     request: {
-      types: [string];
+      types?: [string];
+      type?: string;
       format: 'jwt_vc' | 'ldp_vc' | 'jwt_vc_json-ld' | string;
       proof: {
         proof_type: 'jwt' | string;
@@ -110,8 +111,8 @@ const mockData: VciMockDataStructure = {
       deeplink:
         'openid-initiate-issuance://?issuer=https%3A%2F%2Fngi%2Doidc4vci%2Dtest%2Espruceid%2Exyz&credential_type=OpenBadgeCredential&pre-authorized_code=eyJhbGciOiJFUzI1NiJ9.eyJjcmVkZW50aWFsX3R5cGUiOlsiT3BlbkJhZGdlQ3JlZGVudGlhbCJdLCJleHAiOiIyMDIzLTA0LTIwVDA5OjA0OjM2WiIsIm5vbmNlIjoibWFibmVpT0VSZVB3V3BuRFFweEt3UnRsVVRFRlhGUEwifQ.qOZRPN8sTv_knhp7WaWte2-aDULaPZX--2i9unF6QDQNUllqDhvxgIHMDCYHCV8O2_Gj-T2x1J84fDMajE3asg&user_pin_required=false',
       request: {
-        types: ['OpenBadgeCredential'],
-        format: 'jwt_vc_json-ld',
+        type: 'OpenBadgeCredential',
+        format: 'jwt_vc',
         proof: {
           proof_type: 'jwt',
           jwt: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOa3NpTENKMWMyVWlPaUp6YVdjaUxDSnJkSGtpT2lKRlF5SXNJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbmdpT2lKclpuVmpTa0V0VEhKck9VWjBPRmx5TFVkMlQzSmpia3N3YjNkc2RqUlhNblUwU3pJeFNHZHZTVlIzSWl3aWVTSTZJalozY0ZCUE1rOUNRVXBTU0ZFMVRXdEtXVlJaV0dsQlJFUXdOMU5OTlV0amVXcDNYMkUzVUUxWmVGa2lmUSMwIn0.eyJhdWQiOiJodHRwczovL25naS1vaWRjNHZjaS10ZXN0LnNwcnVjZWlkLnh5eiIsImlhdCI6MTY4MTkxMTA2MC45NDIsImV4cCI6MTY4MTkxMTcyMC45NDIsImlzcyI6InNwaGVyZW9uOnNzaS13YWxsZXQiLCJqdGkiOiJhNjA4MzMxZi02ZmE0LTQ0ZjAtYWNkZWY5NmFjMjdmNmQ3MCJ9.NwF3_41gwnlIdd_6Uk9CczeQHzIQt6UcvTT5Cxv72j9S1vNwiY9annA2kLsjsTiR5-WMBdUhJCO7wYCtZ15mxw',
@@ -357,7 +358,7 @@ const mockData: VciMockDataStructure = {
       url: 'https://jff.walt.id/issuer-api/default/oidc/credential',
       request: {
         types: ['OpenBadgeCredential'],
-        format: 'jwt_vc_json',
+        format: 'jwt_vc',
         proof: {
           proof_type: 'jwt',
           jwt: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOa3NpTENKMWMyVWlPaUp6YVdjaUxDSnJkSGtpT2lKRlF5SXNJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbmdpT2lKclpuVmpTa0V0VEhKck9VWjBPRmx5TFVkMlQzSmpia3N3YjNkc2RqUlhNblUwU3pJeFNHZHZTVlIzSWl3aWVTSTZJalozY0ZCUE1rOUNRVXBTU0ZFMVRXdEtXVlJaV0dsQlJFUXdOMU5OTlV0amVXcDNYMkUzVUUxWmVGa2lmUSMwIn0.eyJhdWQiOiJodHRwczovL2pmZi53YWx0LmlkL2lzc3Vlci1hcGkvZGVmYXVsdC9vaWRjLyIsImlhdCI6MTY4MTkxMTk0Mi4yMzgsImV4cCI6MTY4MTkxMjYwMi4yMzgsIm5vbmNlIjoiZjA2YTMxMDUtYTJlZC00NGZjLTk1NGItNGEyNTk3MDM0OTNiIiwiaXNzIjoic3BoZXJlb246c3NpLXdhbGxldCIsImp0aSI6IjA1OWM3ODA5LTlmOGYtNGE3ZS1hZDI4YTNhMTNhMGIzNmViIn0.RfiWyybxpe3nkx3b0yIsqDHQtvB1WwhDW4t0X-kijy2dsSfv2cYhSEmAzs1shg7OV4EW8fSzt_Te79xiVl6jCw',
@@ -514,7 +515,7 @@ const mockData: VciMockDataStructure = {
                 types: ['PermanentResidentCard'],
                 binding_methods_supported: ['did'],
                 cryptographic_suites_supported: ['Ed25519Signature2018'],
-              } as CredentialSupportedBrief,
+              } as CredentialSupportedFormatV1_0_08,
             },
           },
           AcademicAward: {
@@ -525,7 +526,7 @@ const mockData: VciMockDataStructure = {
                 types: ['AcademicAward'],
                 binding_methods_supported: ['did'],
                 cryptographic_suites_supported: ['Ed25519Signature2018'],
-              } as CredentialSupportedBrief,
+              } as CredentialSupportedFormatV1_0_08,
             },
           },
           LearnerProfile: {
@@ -536,7 +537,7 @@ const mockData: VciMockDataStructure = {
                 types: ['LearnerProfile'],
                 binding_methods_supported: ['did'],
                 cryptographic_suites_supported: ['Ed25519Signature2018'],
-              } as CredentialSupportedBrief,
+              } as CredentialSupportedFormatV1_0_08,
             },
           },
           OpenBadgeCredential: {
@@ -547,7 +548,7 @@ const mockData: VciMockDataStructure = {
                 types: ['OpenBadgeCredential'],
                 binding_methods_supported: ['did'],
                 cryptographic_suites_supported: ['Ed25519Signature2018'],
-              } as CredentialSupportedBrief,
+              } as CredentialSupportedFormatV1_0_08,
             },
           },
         },
@@ -573,8 +574,8 @@ const mockData: VciMockDataStructure = {
         'openid-initiate-issuance://?issuer=https://launchpad.mattrlabs.com&credential_type=OpenBadgeCredential&pre-authorized_code=g0UCOj6RAN5AwHU6gczm_GzB4_lH6GW39Z0Dl2DOOiO',
       url: 'https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/credential',
       request: {
-        types: ['OpenBadgeCredential'],
-        format: 'jwt_vc_json-ld',
+        type: 'OpenBadgeCredential',
+        format: 'ldp_vc',
         proof: {
           proof_type: 'jwt',
           jwt: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImtpZCI6ImRpZDprZXk6ejZNa3AxM3N6QUFMVFN0cDV1OGtMcnl5YW5vYWtrVWtFUGZXazdvOHY3dms0RW1KI3o2TWtwMTNzekFBTFRTdHA1dThrTHJ5eWFub2Fra1VrRVBmV2s3bzh2N3ZrNEVtSiJ9.eyJhdWQiOiJodHRwczovL2xhdW5jaHBhZC5tYXR0cmxhYnMuY29tIiwiaWF0IjoxNjgxOTE0NDgyLjUxOSwiZXhwIjoxNjgxOTE1MTQyLjUxOSwiaXNzIjoic3BoZXJlb246c3NpLXdhbGxldCIsImp0aSI6ImI5NDY1ZGE5LTY4OGYtNDdjNi04MjUwNDA0ZGNiOWI5Y2E5In0.uQ8ewOfIjy_1p_Gk6PjeEWccBJnjOca1pwbTWiCAFMQX9wlIsfeUdGtXUoHjH5_PQtpwytodx7WU456_CT9iBQ',
@@ -687,8 +688,8 @@ const mockData: VciMockDataStructure = {
         'openid-initiate-issuance://?issuer=https://oidc4vc.diwala.io&credential_type=OpenBadgeCredential&pre-authorized_code=eyJhbGciOiJIUzI1NiJ9.eyJjcmVkZW50aWFsX3R5cGUiOiJPcGVuQmFkZ2VDcmVkZW50aWFsIiwiZXhwIjoxNjgxOTg0NDY3fQ.fEAHKz2nuWfiYHw406iNxr-81pWkNkbi31bWsYSf6Ng',
       url: 'https://oidc4vc.diwala.io/credential',
       request: {
-        types: ['OpenBadgeCredential'],
-        format: 'jwt_vc_json-ld',
+        type: 'OpenBadgeCredential',
+        format: 'ldp_vc',
         proof: {
           proof_type: 'jwt',
           jwt: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImtpZCI6ImRpZDprZXk6ejZNa3AxM3N6QUFMVFN0cDV1OGtMcnl5YW5vYWtrVWtFUGZXazdvOHY3dms0RW1KI3o2TWtwMTNzekFBTFRTdHA1dThrTHJ5eWFub2Fra1VrRVBmV2s3bzh2N3ZrNEVtSiJ9.eyJhdWQiOiJodHRwczovL29pZGM0dmMuZGl3YWxhLmlvIiwiaWF0IjoxNjgxOTE1MDk1LjIwMiwiZXhwIjoxNjgxOTE1NzU1LjIwMiwiaXNzIjoic3BoZXJlb246c3NpLXdhbGxldCIsImp0aSI6IjYxN2MwM2EzLTM3MTUtNGJlMy1hYjkxNzM4MTlmYzYxNTYzIn0.KA-cHjecaYp9FSaWHkz5cqtNyhBIVT_0I7cJnpHn03T4UWFvdhjhn8Hpe-BU247enFyWOWJ6v3NQZyZgle7xBA',

package/lib/functions/ProofUtil.ts

@@ -1,4 +1,15 @@
-import { BAD_PARAMS, JWS_NOT_VALID, Jwt, JWTHeader, JWTPayload, ProofOfPossession, ProofOfPossessionCallbacks, Typ } from '@sphereon/oid4vci-common';
+import {
+  BAD_PARAMS,
+  BaseJWK,
+  JWK,
+  JWS_NOT_VALID,
+  Jwt,
+  JWTHeader,
+  JWTPayload,
+  ProofOfPossession,
+  ProofOfPossessionCallbacks,
+  Typ,
+} from '@sphereon/oid4vci-common';
 import Debug from 'debug';
 
 const debug = Debug('sphereon:openid4vci:token');
@@ -61,6 +72,7 @@ const partiallyValidateJWS = (jws: string): void => {
 export interface JwtProps {
   typ?: Typ;
   kid?: string;
+  jwk?: JWK;
   issuer?: string;
   clientId?: string;
   alg?: string;
@@ -76,7 +88,8 @@ const createJWT = (jwtProps?: JwtProps, existingJwt?: Jwt): Jwt => {
   const nonce = getJwtProperty<string>('nonce', false, jwtProps?.nonce, existingJwt?.payload?.nonce); // Officially this is required, but some implementations don't have it
   // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
   const alg = getJwtProperty<string>('alg', false, jwtProps?.alg, existingJwt?.header?.alg, 'ES256')!;
-  const kid = getJwtProperty<string>('kid', true, jwtProps?.kid, existingJwt?.header?.kid);
+  const kid = getJwtProperty<string>('kid', false, jwtProps?.kid, existingJwt?.header?.kid);
+  const jwk = getJwtProperty<BaseJWK>('jwk', false, jwtProps?.jwk, existingJwt?.header?.jwk);
   const jwt: Partial<Jwt> = existingJwt ? existingJwt : {};
   const now = +new Date();
   const jwtPayload: Partial<JWTPayload> = {
@@ -92,6 +105,7 @@ const createJWT = (jwtProps?: JwtProps, existingJwt?: Jwt): Jwt => {
     typ,
     alg,
     kid,
+    jwk,
   };
   return {
     payload: { ...jwt.payload, ...jwtPayload },
@@ -99,8 +113,8 @@ const createJWT = (jwtProps?: JwtProps, existingJwt?: Jwt): Jwt => {
   };
 };
 
-const getJwtProperty = <T>(propertyName: string, required: boolean, option?: string, jwtProperty?: T, defaultValue?: T): T | undefined => {
-  if (option && jwtProperty && option !== jwtProperty) {
+const getJwtProperty = <T>(propertyName: string, required: boolean, option?: string | JWK, jwtProperty?: T, defaultValue?: T): T | undefined => {
+  if (typeof option === 'string' && option && jwtProperty && option !== jwtProperty) {
     throw Error(`Cannot have a property '${propertyName}' with value '${option}' and different JWT value '${jwtProperty}' at the same time`);
   }
   let result = (jwtProperty ? jwtProperty : option) as T | undefined;