@sphereon/oid4vci-client 0.8.2-next.48 → 0.8.2-next.87

package/dist/functions/AuthorizationUtil.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateMissingPKCEOpts = void 0;
+const oid4vci_common_1 = require("@sphereon/oid4vci-common");
+const generateMissingPKCEOpts = (pkce) => {
+    if (pkce.disabled) {
+        return pkce;
+    }
+    if (!pkce.codeChallengeMethod) {
+        pkce.codeChallengeMethod = oid4vci_common_1.CodeChallengeMethod.S256;
+    }
+    if (!pkce.codeVerifier) {
+        pkce.codeVerifier = (0, oid4vci_common_1.generateCodeVerifier)();
+    }
+    (0, oid4vci_common_1.assertValidCodeVerifier)(pkce.codeVerifier);
+    if (!pkce.codeChallenge) {
+        pkce.codeChallenge = (0, oid4vci_common_1.createCodeChallenge)(pkce.codeVerifier, pkce.codeChallengeMethod);
+    }
+    return pkce;
+};
+exports.generateMissingPKCEOpts = generateMissingPKCEOpts;
+//# sourceMappingURL=AuthorizationUtil.js.map

package/dist/functions/AuthorizationUtil.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthorizationUtil.js","sourceRoot":"","sources":["../../lib/functions/AuthorizationUtil.ts"],"names":[],"mappings":";;;AAAA,6DAA6I;AAEtI,MAAM,uBAAuB,GAAG,CAAC,IAAc,EAAE,EAAE;IACxD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC9B,IAAI,CAAC,mBAAmB,GAAG,oCAAmB,CAAC,IAAI,CAAC;IACtD,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QACvB,IAAI,CAAC,YAAY,GAAG,IAAA,qCAAoB,GAAE,CAAC;IAC7C,CAAC;IACD,IAAA,wCAAuB,EAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC3C,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;QACxB,IAAI,CAAC,aAAa,GAAG,IAAA,oCAAmB,EAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AAfW,QAAA,uBAAuB,2BAelC"}

package/dist/index.d.ts

@@ -1,4 +1,5 @@
 export * from './AccessTokenClient';
+export * from './CredentialRequestClient';
 export * from './CredentialOfferClient';
 export * from './CredentialRequestClient';
 export * from './CredentialRequestClientBuilder';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,qBAAqB,CAAC;AACpC,cAAc,yBAAyB,CAAC;AACxC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,kCAAkC,CAAC;AACjD,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC;AACjC,cAAc,oBAAoB,CAAC;AACnC,cAAc,4BAA4B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,qBAAqB,CAAC;AACpC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,yBAAyB,CAAC;AACxC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,kCAAkC,CAAC;AACjD,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC;AACjC,cAAc,oBAAoB,CAAC;AACnC,cAAc,4BAA4B,CAAC"}

package/dist/index.js

@@ -15,6 +15,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./AccessTokenClient"), exports);
+__exportStar(require("./CredentialRequestClient"), exports);
 __exportStar(require("./CredentialOfferClient"), exports);
 __exportStar(require("./CredentialRequestClient"), exports);
 __exportStar(require("./CredentialRequestClientBuilder"), exports);

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,sDAAoC;AACpC,0DAAwC;AACxC,4DAA0C;AAC1C,mEAAiD;AACjD,8CAA4B;AAC5B,mDAAiC;AACjC,qDAAmC;AACnC,6DAA2C"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,sDAAoC;AACpC,4DAA0C;AAC1C,0DAAwC;AACxC,4DAA0C;AAC1C,mEAAiD;AACjD,8CAA4B;AAC5B,mDAAiC;AACjC,qDAAmC;AACnC,6DAA2C"}

package/dist/types/index.d.ts

@@ -0,0 +1 @@
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/types/index.ts"],"names":[],"mappings":""}

package/dist/types/index.js

@@ -0,0 +1,2 @@
+"use strict";
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/types/index.ts"],"names":[],"mappings":""}

package/lib/AccessTokenClient.ts

@@ -9,6 +9,7 @@ import {
   getIssuerFromCredentialOfferPayload,
   GrantTypes,
   IssuerOpts,
+  JsonURIMode,
   OpenIDResponse,
   PRE_AUTH_CODE_LITERAL,
   TokenErrorResponse,
@@ -176,14 +177,6 @@ export class AccessTokenClient {
       throw new Error('Authorization flow requires the code to be present');
     }
   }
-
-  private assertNonEmptyRedirectUri(accessTokenRequest: AccessTokenRequest): void {
-    if (!accessTokenRequest.redirect_uri) {
-      debug('No redirect_uri present, whilst it is required');
-      throw new Error('Authorization flow requires the redirect_uri to be present');
-    }
-  }
-
   private validate(accessTokenRequest: AccessTokenRequest, isPinRequired?: boolean): void {
     if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {
       this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
@@ -193,14 +186,13 @@ export class AccessTokenClient {
       this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
       this.assertNonEmptyCodeVerifier(accessTokenRequest);
       this.assertNonEmptyCode(accessTokenRequest);
-      this.assertNonEmptyRedirectUri(accessTokenRequest);
     } else {
       this.throwNotSupportedFlow();
     }
   }
 
   private async sendAuthCode(requestTokenURL: string, accessTokenRequest: AccessTokenRequest): Promise<OpenIDResponse<AccessTokenResponse>> {
-    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest));
+    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }));
   }
 
   public static determineTokenURL({
@@ -236,7 +228,9 @@ export class AccessTokenClient {
 
   private static creatTokenURLFromURL(url: string, allowInsecureEndpoints?: boolean, tokenEndpoint?: string): string {
     if (allowInsecureEndpoints !== true && url.startsWith('http:')) {
-      throw Error(`Unprotected token endpoints are not allowed ${url}. Adjust settings if you really need this (dev/test settings only!!)`);
+      throw Error(
+        `Unprotected token endpoints are not allowed ${url}. Use the 'allowInsecureEndpoints' param if you really need this for dev/testing!`,
+      );
     }
     const hostname = url.replace(/https?:\/\//, '').replace(/\/$/, '');
     const endpoint = tokenEndpoint ? (tokenEndpoint.startsWith('/') ? tokenEndpoint : tokenEndpoint.substring(1)) : '/token';

package/lib/AuthorizationCodeClient.ts

@@ -0,0 +1,151 @@
+import {
+  AuthorizationDetails,
+  AuthorizationRequestOpts,
+  CodeChallengeMethod,
+  convertJsonToURI,
+  CredentialOfferRequestWithBaseUrl,
+  CredentialSupported,
+  EndpointMetadataResult,
+  JsonURIMode,
+  PARMode,
+  PKCEOpts,
+  PushedAuthorizationResponse,
+  ResponseType,
+} from '@sphereon/oid4vci-common';
+import { formPost } from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+const debug = Debug('sphereon:oid4vci');
+
+export const createAuthorizationRequestUrl = async ({
+  pkce,
+  endpointMetadata,
+  authorizationRequest,
+  credentialOffer,
+  credentialsSupported,
+}: {
+  pkce: PKCEOpts;
+  endpointMetadata: EndpointMetadataResult;
+  authorizationRequest: AuthorizationRequestOpts;
+  credentialOffer?: CredentialOfferRequestWithBaseUrl;
+  credentialsSupported?: CredentialSupported[];
+}): Promise<string> => {
+  const { redirectUri, clientId } = authorizationRequest;
+  let { scope, authorizationDetails } = authorizationRequest;
+  const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests
+    ? PARMode.REQUIRE
+    : authorizationRequest.parMode ?? PARMode.AUTO;
+  // Scope and authorization_details can be used in the same authorization request
+  // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
+  if (!scope && !authorizationDetails) {
+    if (!credentialOffer) {
+      throw Error('Please provide a scope or authorization_details if no credential offer is present');
+    }
+    const creds = credentialOffer.credential_offer.credentials;
+
+    // FIXME: complains about VCT for sd-jwt
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    authorizationDetails = creds
+      .flatMap((cred) => (typeof cred === 'string' ? credentialsSupported : (cred as CredentialSupported)))
+      .filter((cred) => !!cred)
+      .map((cred) => {
+        return {
+          ...cred,
+          type: 'openid_credential',
+          locations: [endpointMetadata.issuer],
+
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore
+          format: cred!.format,
+        } satisfies AuthorizationDetails;
+      });
+    if (!authorizationDetails || authorizationDetails.length === 0) {
+      throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
+    }
+  }
+  if (!endpointMetadata?.authorization_endpoint) {
+    throw Error('Server metadata does not contain authorization endpoint');
+  }
+  const parEndpoint = endpointMetadata.credentialIssuerMetadata?.pushed_authorization_request_endpoint;
+
+  // add 'openid' scope if not present
+  if (!scope?.includes('openid')) {
+    scope = ['openid', scope].filter((s) => !!s).join(' ');
+  }
+
+  let queryObj: { [key: string]: string } | PushedAuthorizationResponse = {
+    response_type: ResponseType.AUTH_CODE,
+    ...(!pkce.disabled && {
+      code_challenge_method: pkce.codeChallengeMethod ?? CodeChallengeMethod.S256,
+      code_challenge: pkce.codeChallenge,
+    }),
+    authorization_details: JSON.stringify(handleAuthorizationDetails(endpointMetadata, authorizationDetails)),
+    ...(redirectUri && { redirect_uri: redirectUri }),
+    ...(clientId && { client_id: clientId }),
+    ...(credentialOffer?.issuerState && { issuer_state: credentialOffer.issuerState }),
+    scope,
+  };
+
+  if (!parEndpoint && parMode === PARMode.REQUIRE) {
+    throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
+  } else if (parEndpoint && parMode !== PARMode.NEVER) {
+    debug(`USING PAR with endpoint ${parEndpoint}`);
+    const parResponse = await formPost<PushedAuthorizationResponse>(parEndpoint, new URLSearchParams(queryObj));
+    if (parResponse.errorBody || !parResponse.successBody) {
+      throw Error(`PAR error`);
+    }
+    debug(`PAR response: ${(parResponse.successBody, null, 2)}`);
+    queryObj = { request_uri: parResponse.successBody.request_uri };
+  }
+
+  debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
+  const url = convertJsonToURI(queryObj, {
+    baseUrl: endpointMetadata.authorization_endpoint,
+    uriTypeProperties: ['client_id', 'request_uri', 'redirect_uri', 'scope', 'authorization_details', 'issuer_state'],
+    // arrayTypeProperties: ['authorization_details'],
+    mode: JsonURIMode.X_FORM_WWW_URLENCODED,
+    // We do not add the version here, as this always needs to be form encoded
+  });
+  debug(`Authorization Request URL: ${url}`);
+  return url;
+};
+
+const handleAuthorizationDetails = (
+  endpointMetadata: EndpointMetadataResult,
+  authorizationDetails?: AuthorizationDetails | AuthorizationDetails[],
+): AuthorizationDetails | AuthorizationDetails[] | undefined => {
+  if (authorizationDetails) {
+    if (typeof authorizationDetails === 'string') {
+      // backwards compat for older versions of the lib
+      return authorizationDetails;
+    }
+    if (Array.isArray(authorizationDetails)) {
+      return authorizationDetails
+        .filter((value) => typeof value !== 'string')
+        .map((value) => handleLocations(endpointMetadata, typeof value === 'string' ? value : { ...value }));
+    } else {
+      return handleLocations(endpointMetadata, { ...authorizationDetails });
+    }
+  }
+  return authorizationDetails;
+};
+
+const handleLocations = (endpointMetadata: EndpointMetadataResult, authorizationDetails: AuthorizationDetails) => {
+  if (typeof authorizationDetails === 'string') {
+    // backwards compat for older versions of the lib
+    return authorizationDetails;
+  }
+  if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {
+    if (authorizationDetails.locations) {
+      if (Array.isArray(authorizationDetails.locations)) {
+        authorizationDetails.locations.push(endpointMetadata.issuer);
+      } else {
+        authorizationDetails.locations = [authorizationDetails.locations as string, endpointMetadata.issuer];
+      }
+    } else {
+      authorizationDetails.locations = [endpointMetadata.issuer];
+    }
+  }
+  return authorizationDetails;
+};

package/lib/CredentialOfferClient.ts

@@ -5,6 +5,7 @@ import {
   CredentialOfferRequestWithBaseUrl,
   CredentialOfferV1_0_11,
   determineSpecVersionFromURI,
+  getClientIdFromCredentialOfferPayload,
   OpenId4VCIVersion,
   toUniformCredentialOfferRequest,
 } from '@sphereon/oid4vci-common';
@@ -43,16 +44,18 @@ export class CredentialOfferClient {
         throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
       }
     }
+
     const request = await toUniformCredentialOfferRequest(credentialOffer, {
       ...opts,
       version,
     });
-
+    const clientId = getClientIdFromCredentialOfferPayload(request.credential_offer);
     const grants = request.credential_offer?.grants;
 
     return {
       scheme,
       baseUrl,
+      clientId,
       ...request,
       ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
       ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {

package/lib/CredentialRequestClient.ts

@@ -78,11 +78,12 @@ export class CredentialRequestClient {
   public async acquireCredentialsUsingProof<DIDDoc>(opts: {
     proofInput: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession;
     credentialTypes?: string | string[];
+    context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
   }): Promise<OpenIDResponse<CredentialResponse>> {
-    const { credentialTypes, proofInput, format } = opts;
+    const { credentialTypes, proofInput, format, context } = opts;
 
-    const request = await this.createCredentialRequest({ proofInput, credentialTypes, format, version: this.version() });
+    const request = await this.createCredentialRequest({ proofInput, credentialTypes, context, format, version: this.version() });
     return await this.acquireCredentialsUsingRequest(request);
   }
 
@@ -133,6 +134,7 @@ export class CredentialRequestClient {
   public async createCredentialRequest<DIDDoc>(opts: {
     proofInput: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession;
     credentialTypes?: string | string[];
+    context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
     version: OpenId4VCIVersion;
   }): Promise<UniformCredentialRequest> {
@@ -165,13 +167,20 @@ export class CredentialRequestClient {
         proof,
       };
     } else if (format === 'jwt_vc_json-ld' || format === 'ldp_vc') {
+      if (this.version() >= OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
+        throw Error('No @context value present, but it is required');
+      }
+
       return {
         format,
         proof,
+
+        // Ignored because v11 does not have the context value, but it is required in v12
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore
         credential_definition: {
           types,
-          // FIXME: this was not included in the original code, but it is required
-          '@context': [],
+          ...(opts.context && { '@context': opts.context }),
         },
       };
     } else if (format === 'vc+sd-jwt') {