@sphereon/oid4vci-client 0.8.2-next.48 → 0.8.2-next.87

package/lib/OpenID4VCIClient.ts

@@ -1,62 +1,57 @@
 import {
   AccessTokenResponse,
   Alg,
+  AuthorizationRequestOpts,
+  AuthorizationResponse,
   AuthzFlowType,
   CodeChallengeMethod,
   CredentialOfferPayloadV1_0_08,
   CredentialOfferRequestWithBaseUrl,
   CredentialResponse,
   CredentialSupported,
+  DefaultURISchemes,
   EndpointMetadataResult,
+  getClientIdFromCredentialOfferPayload,
   getIssuerFromCredentialOfferPayload,
   getSupportedCredentials,
   getTypesFromCredentialSupported,
-  JsonURIMode,
   JWK,
   KID_JWK_X5C_ERROR,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
+  PKCEOpts,
   ProofOfPossessionCallbacks,
-  PushedAuthorizationResponse,
-  ResponseType,
+  toAuthorizationResponsePayload,
 } from '@sphereon/oid4vci-common';
 import { CredentialFormat } from '@sphereon/ssi-types';
 import Debug from 'debug';
 
 import { AccessTokenClient } from './AccessTokenClient';
+import { createAuthorizationRequestUrl } from './AuthorizationCodeClient';
 import { CredentialOfferClient } from './CredentialOfferClient';
 import { CredentialRequestClientBuilder } from './CredentialRequestClientBuilder';
 import { MetadataClient } from './MetadataClient';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
-import { convertJsonToURI, formPost } from './functions';
+import { generateMissingPKCEOpts } from './functions/AuthorizationUtil';
 
 const debug = Debug('sphereon:oid4vci');
 
-interface AuthDetails {
-  type: 'openid_credential' | string;
-  locations?: string | string[];
-  format: CredentialFormat | CredentialFormat[];
-
-  [s: string]: unknown;
-}
-
-interface AuthRequestOpts {
-  codeChallenge: string;
-  codeChallengeMethod?: CodeChallengeMethod;
-  authorizationDetails?: AuthDetails | AuthDetails[];
-  redirectUri: string;
-  scope?: string;
+export interface OpenID4VCIClientState {
+  credentialIssuer: string;
+  credentialOffer?: CredentialOfferRequestWithBaseUrl;
+  clientId?: string;
+  kid?: string;
+  jwk?: JWK;
+  alg?: Alg | string;
+  endpointMetadata?: EndpointMetadataResult;
+  accessTokenResponse?: AccessTokenResponse;
+  authorizationRequestOpts?: AuthorizationRequestOpts;
+  pkce: PKCEOpts;
+  authorizationURL?: string;
 }
 
 export class OpenID4VCIClient {
-  private readonly _credentialOffer?: CredentialOfferRequestWithBaseUrl;
-  private _credentialIssuer: string;
-  private _clientId?: string;
-  private _kid: string | undefined;
-  private _jwk: JWK | undefined;
-  private _alg: Alg | string | undefined;
-  private _endpointMetadata: EndpointMetadataResult | undefined;
-  private _accessTokenResponse: AccessTokenResponse | undefined;
+  private readonly _state: OpenID4VCIClientState;
 
   private constructor({
     credentialOffer,
@@ -64,22 +59,50 @@ export class OpenID4VCIClient {
     kid,
     alg,
     credentialIssuer,
+    pkce,
+    authorizationRequest,
+    jwk,
+    endpointMetadata,
+    accessTokenResponse,
+    authorizationRequestOpts,
+    authorizationURL,
   }: {
     credentialOffer?: CredentialOfferRequestWithBaseUrl;
     kid?: string;
     alg?: Alg | string;
     clientId?: string;
     credentialIssuer?: string;
+    pkce?: PKCEOpts;
+    authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
+    jwk?: JWK;
+    endpointMetadata?: EndpointMetadataResult;
+    accessTokenResponse?: AccessTokenResponse;
+    authorizationRequestOpts?: AuthorizationRequestOpts;
+    authorizationURL?: string;
   }) {
-    this._credentialOffer = credentialOffer;
     const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : undefined);
     if (!issuer) {
       throw Error('No credential issuer supplied or deduced from offer');
     }
-    this._credentialIssuer = issuer;
-    this._kid = kid;
-    this._alg = alg;
-    this._clientId = clientId;
+    this._state = {
+      credentialOffer,
+      credentialIssuer: issuer,
+      kid,
+      alg,
+      // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
+      clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload(credentialOffer.credential_offer)) ?? kid?.split('#')[0],
+      pkce: { disabled: false, codeChallengeMethod: CodeChallengeMethod.S256, ...pkce },
+      authorizationRequestOpts,
+      jwk,
+      endpointMetadata,
+      accessTokenResponse,
+      authorizationURL,
+    };
+    // Running syncAuthorizationRequestOpts later as it is using the state
+    if (!this._state.authorizationRequestOpts) {
+      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
+    }
+    debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
   }
 
   public static async fromCredentialIssuer({
@@ -88,263 +111,197 @@ export class OpenID4VCIClient {
     retrieveServerMetadata,
     clientId,
     credentialIssuer,
+    pkce,
+    authorizationRequest,
+    createAuthorizationRequestURL,
   }: {
     credentialIssuer: string;
     kid?: string;
     alg?: Alg | string;
     retrieveServerMetadata?: boolean;
     clientId?: string;
+    createAuthorizationRequestURL?: boolean;
+    authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
+    pkce?: PKCEOpts;
   }) {
-    const client = new OpenID4VCIClient({ kid, alg, clientId, credentialIssuer });
+    const client = new OpenID4VCIClient({
+      kid,
+      alg,
+      clientId: clientId ?? authorizationRequest?.clientId,
+      credentialIssuer,
+      pkce,
+      authorizationRequest,
+    });
     if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
       await client.retrieveServerMetadata();
     }
+    if (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL) {
+      await client.createAuthorizationRequestUrl({ authorizationRequest, pkce });
+    }
     return client;
   }
 
+  public static async fromState({ state }: { state: OpenID4VCIClientState | string }): Promise<OpenID4VCIClient> {
+    const clientState = typeof state === 'string' ? JSON.parse(state) : state;
+
+    return new OpenID4VCIClient(clientState);
+  }
+
   public static async fromURI({
     uri,
     kid,
     alg,
     retrieveServerMetadata,
     clientId,
+    pkce,
+    createAuthorizationRequestURL,
+    authorizationRequest,
     resolveOfferUri,
   }: {
     uri: string;
     kid?: string;
     alg?: Alg | string;
     retrieveServerMetadata?: boolean;
+    createAuthorizationRequestURL?: boolean;
     resolveOfferUri?: boolean;
+    pkce?: PKCEOpts;
     clientId?: string;
+    authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
   }): Promise<OpenID4VCIClient> {
+    const credentialOfferClient = await CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri });
     const client = new OpenID4VCIClient({
-      credentialOffer: await CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri }),
+      credentialOffer: credentialOfferClient,
       kid,
       alg,
-      clientId,
+      clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
+      pkce,
+      authorizationRequest,
     });
 
     if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
       await client.retrieveServerMetadata();
     }
-    return client;
-  }
-
-  public async retrieveServerMetadata(): Promise<EndpointMetadataResult> {
-    this.assertIssuerData();
-    if (!this._endpointMetadata) {
-      if (this.credentialOffer) {
-        this._endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
-      } else if (this._credentialIssuer) {
-        this._endpointMetadata = await MetadataClient.retrieveAllMetadata(this._credentialIssuer);
-      } else {
-        throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
-      }
-    }
-    return this.endpointMetadata;
-  }
-
-  // todo: Unify this method with the par method
-
-  public createAuthorizationRequestUrl({ codeChallengeMethod, codeChallenge, authorizationDetails, redirectUri, scope }: AuthRequestOpts): string {
-    // Scope and authorization_details can be used in the same authorization request
-    // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
-    if (!scope && !authorizationDetails) {
-      if (!this.credentialOffer) {
-        throw Error('Please provide a scope or authorization_details');
-      }
-      const creds = this.credentialOffer.credential_offer.credentials;
-
-      authorizationDetails = creds
-        .flatMap((cred) => (typeof cred === 'string' ? this.getCredentialsSupported(true) : (cred as CredentialSupported)))
-        .map((cred) => {
-          return {
-            ...cred,
-            type: 'openid_credential',
-            locations: [this._credentialIssuer],
-            format: cred.format,
-          } satisfies AuthDetails;
-        });
-      if (authorizationDetails.length === 0) {
-        throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
-      }
-    }
-    // todo: Probably can go with current logic in MetadataClient who will always set the authorization_endpoint when found
-    //  handling this because of the support for v1_0-08
     if (
-      this._endpointMetadata &&
-      this._endpointMetadata.credentialIssuerMetadata &&
-      'authorization_endpoint' in this._endpointMetadata.credentialIssuerMetadata
+      credentialOfferClient.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW) &&
+      (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL)
     ) {
-      this._endpointMetadata.authorization_endpoint = this._endpointMetadata.credentialIssuerMetadata.authorization_endpoint as string;
-    }
-    if (!this._endpointMetadata?.authorization_endpoint) {
-      throw Error('Server metadata does not contain authorization endpoint');
-    }
-
-    // add 'openid' scope if not present
-    if (!scope?.includes('openid')) {
-      scope = ['openid', scope].filter((s) => !!s).join(' ');
+      await client.createAuthorizationRequestUrl({ authorizationRequest, pkce });
+      debug(`Authorization Request URL: ${client._state.authorizationURL}`);
     }
 
-    const queryObj: { [key: string]: string } = {
-      response_type: ResponseType.AUTH_CODE,
-      code_challenge_method: codeChallengeMethod ?? CodeChallengeMethod.SHA256,
-      code_challenge: codeChallenge,
-      authorization_details: JSON.stringify(this.handleAuthorizationDetails(authorizationDetails)),
-      redirect_uri: redirectUri,
-      scope: scope,
-    };
-
-    if (this.clientId) {
-      queryObj['client_id'] = this.clientId;
-    }
-
-    if (this.credentialOffer?.issuerState) {
-      queryObj['issuer_state'] = this.credentialOffer.issuerState;
-    }
-
-    return convertJsonToURI(queryObj, {
-      baseUrl: this._endpointMetadata.authorization_endpoint,
-      uriTypeProperties: ['redirect_uri', 'scope', 'authorization_details', 'issuer_state'],
-      mode: JsonURIMode.X_FORM_WWW_URLENCODED,
-      // We do not add the version here, as this always needs to be form encoded
-    });
+    return client;
   }
 
-  // todo: Unify this method with the create auth request url method
-  public async acquirePushedAuthorizationRequestURI({
-    codeChallengeMethod,
-    codeChallenge,
-    authorizationDetails,
-    redirectUri,
-    scope,
-  }: AuthRequestOpts): Promise<string> {
-    // Scope and authorization_details can be used in the same authorization request
-    // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
-    if (!scope && !authorizationDetails) {
-      throw Error('Please provide a scope or authorization_details');
-    }
-
-    // Authorization servers supporting PAR SHOULD include the URL of their pushed authorization request endpoint in their authorization server metadata document
-    // Note that the presence of pushed_authorization_request_endpoint is sufficient for a client to determine that it may use the PAR flow.
-    // What happens if it doesn't ???
-    // let parEndpoint: string
-    if (
-      !this._endpointMetadata?.credentialIssuerMetadata ||
-      !('pushed_authorization_request_endpoint' in this._endpointMetadata.credentialIssuerMetadata) ||
-      typeof this._endpointMetadata.credentialIssuerMetadata.pushed_authorization_request_endpoint !== 'string'
-    ) {
-      throw Error('Server metadata does not contain pushed authorization request endpoint');
-    }
-    const parEndpoint: string = this._endpointMetadata.credentialIssuerMetadata.pushed_authorization_request_endpoint;
-
-    // add 'openid' scope if not present
-    if (!scope?.includes('openid')) {
-      scope = ['openid', scope].filter((s) => !!s).join(' ');
-    }
-
-    const queryObj: { [key: string]: string } = {
-      response_type: ResponseType.AUTH_CODE,
-      code_challenge_method: codeChallengeMethod ?? CodeChallengeMethod.SHA256,
-      code_challenge: codeChallenge,
-      authorization_details: JSON.stringify(this.handleAuthorizationDetails(authorizationDetails)),
-      redirect_uri: redirectUri,
-      scope: scope,
-    };
-
-    if (this.clientId) {
-      queryObj['client_id'] = this.clientId;
-    }
+  /**
+   * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
+   *
+   * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
+   * @param opts
+   */
+  public async createAuthorizationRequestUrl(opts?: { authorizationRequest?: AuthorizationRequestOpts; pkce?: PKCEOpts }): Promise<string> {
+    if (!this._state.authorizationURL) {
+      this.calculatePKCEOpts(opts?.pkce);
+      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
+      if (!this._state.authorizationRequestOpts) {
+        throw Error(`No Authorization Request options present or provided in this call`);
+      }
 
-    if (this.credentialOffer?.issuerState) {
-      queryObj['issuer_state'] = this.credentialOffer.issuerState;
+      // todo: Probably can go with current logic in MetadataClient who will always set the authorization_endpoint when found
+      //  handling this because of the support for v1_0-08
+      if (
+        this._state.endpointMetadata?.credentialIssuerMetadata &&
+        'authorization_endpoint' in this._state.endpointMetadata.credentialIssuerMetadata
+      ) {
+        this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint as string;
+      }
+      this._state.authorizationURL = await createAuthorizationRequestUrl({
+        pkce: this._state.pkce,
+        endpointMetadata: this.endpointMetadata,
+        authorizationRequest: this._state.authorizationRequestOpts,
+        credentialOffer: this.credentialOffer,
+        credentialsSupported: this.getCredentialsSupported(true),
+      });
     }
-
-    const response = await formPost<PushedAuthorizationResponse>(parEndpoint, new URLSearchParams(queryObj));
-
-    return convertJsonToURI(
-      { request_uri: response.successBody?.request_uri },
-      {
-        baseUrl: this._endpointMetadata.credentialIssuerMetadata.authorization_endpoint,
-        uriTypeProperties: ['request_uri'],
-        mode: JsonURIMode.X_FORM_WWW_URLENCODED,
-      },
-    );
+    return this._state.authorizationURL;
   }
 
-  public handleAuthorizationDetails(authorizationDetails?: AuthDetails | AuthDetails[]): AuthDetails | AuthDetails[] | undefined {
-    if (authorizationDetails) {
-      if (Array.isArray(authorizationDetails)) {
-        return authorizationDetails.map((value) => this.handleLocations({ ...value }));
+  public async retrieveServerMetadata(): Promise<EndpointMetadataResult> {
+    this.assertIssuerData();
+    if (!this._state.endpointMetadata) {
+      if (this.credentialOffer) {
+        this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+      } else if (this._state.credentialIssuer) {
+        this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
       } else {
-        return this.handleLocations({ ...authorizationDetails });
+        throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
       }
     }
-    return authorizationDetails;
+
+    return this.endpointMetadata;
   }
 
-  private handleLocations(authorizationDetails: AuthDetails) {
-    if (
-      authorizationDetails &&
-      (this.endpointMetadata.credentialIssuerMetadata?.authorization_server || this.endpointMetadata.authorization_endpoint)
-    ) {
-      if (authorizationDetails.locations) {
-        if (Array.isArray(authorizationDetails.locations)) {
-          (authorizationDetails.locations as string[]).push(this.endpointMetadata.issuer);
-        } else {
-          authorizationDetails.locations = [authorizationDetails.locations as string, this.endpointMetadata.issuer];
-        }
-      } else {
-        authorizationDetails.locations = this.endpointMetadata.issuer;
-      }
-    }
-    return authorizationDetails;
+  private calculatePKCEOpts(pkce?: PKCEOpts) {
+    this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce });
   }
 
   public async acquireAccessToken(opts?: {
     pin?: string;
     clientId?: string;
     codeVerifier?: string;
-    code?: string;
+    authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
+    code?: string; // Directly pass in a code from an auth response
     redirectUri?: string;
   }): Promise<AccessTokenResponse> {
-    const { pin, clientId, codeVerifier, code, redirectUri } = opts ?? {};
+    const { pin, clientId } = opts ?? {};
+    let { redirectUri } = opts ?? {};
+    const code = opts?.code ?? (opts?.authorizationResponse ? toAuthorizationResponsePayload(opts.authorizationResponse).code : undefined);
 
+    if (opts?.codeVerifier) {
+      this._state.pkce.codeVerifier = opts.codeVerifier;
+    }
     this.assertIssuerData();
 
     if (clientId) {
-      this._clientId = clientId;
+      this._state.clientId = clientId;
     }
-    if (!this._accessTokenResponse) {
+    if (!this._state.accessTokenResponse) {
       const accessTokenClient = new AccessTokenClient();
 
+      if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
+        console.log(
+          `Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`,
+        );
+      }
+      if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
+        redirectUri = this._state.authorizationRequestOpts.redirectUri;
+      }
+
       const response = await accessTokenClient.acquireAccessToken({
         credentialOffer: this.credentialOffer,
         metadata: this.endpointMetadata,
         credentialIssuer: this.getIssuer(),
         pin,
-        codeVerifier,
+        ...(!this._state.pkce.disabled && { codeVerifier: this._state.pkce.codeVerifier }),
         code,
         redirectUri,
-        asOpts: { clientId },
+        asOpts: { clientId: this.clientId },
       });
 
       if (response.errorBody) {
         debug(`Access token error:\r\n${response.errorBody}`);
         throw Error(
-          `Retrieving an access token from ${this._endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${
+          `Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${
             response.origResponse.status
           }`,
         );
       } else if (!response.successBody) {
         debug(`Access token error. No success body`);
         throw Error(
-          `Retrieving an access token from ${this._endpointMetadata
+          `Retrieving an access token from ${this._state.endpointMetadata
             ?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`,
         );
       }
-      this._accessTokenResponse = response.successBody;
+      this._state.accessTokenResponse = response.successBody;
     }
 
     return this.accessTokenResponse;
@@ -352,6 +309,7 @@ export class OpenID4VCIClient {
 
   public async acquireCredentials({
     credentialTypes,
+    context,
     proofCallbacks,
     format,
     kid,
@@ -362,6 +320,7 @@ export class OpenID4VCIClient {
     deferredCredentialIntervalInMS,
   }: {
     credentialTypes: string | string[];
+    context?: string[];
     proofCallbacks: ProofOfPossessionCallbacks<any>;
     format?: CredentialFormat | OID4VCICredentialFormat;
     kid?: string;
@@ -375,9 +334,9 @@ export class OpenID4VCIClient {
       throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== undefined}, kid: ${kid !== undefined}`);
     }
 
-    if (alg) this._alg = alg;
-    if (jwk) this._jwk = jwk;
-    if (kid) this._kid = kid;
+    if (alg) this._state.alg = alg;
+    if (jwk) this._state.jwk = jwk;
+    if (kid) this._state.kid = kid;
 
     const requestBuilder = this.credentialOffer
       ? CredentialRequestClientBuilder.fromCredentialOffer({
@@ -395,7 +354,7 @@ export class OpenID4VCIClient {
     requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
     if (this.endpointMetadata?.credentialIssuerMetadata) {
       const metadata = this.endpointMetadata.credentialIssuerMetadata;
-      const types = Array.isArray(credentialTypes) ? [...credentialTypes].sort() : [credentialTypes];
+      const types = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes];
 
       if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
         let typeSupported = false;
@@ -403,7 +362,7 @@ export class OpenID4VCIClient {
         metadata.credentials_supported.forEach((supportedCredential) => {
           const subTypes = getTypesFromCredentialSupported(supportedCredential);
           if (
-            subTypes.sort().every((t, i) => types[i] === t) ||
+            subTypes.every((t, i) => types[i] === t) ||
             (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))
           ) {
             typeSupported = true;
@@ -431,11 +390,11 @@ export class OpenID4VCIClient {
       .withIssuer(this.getIssuer())
       .withAlg(this.alg);
 
-    if (this._jwk) {
-      proofBuilder.withJWK(this._jwk);
+    if (this._state.jwk) {
+      proofBuilder.withJWK(this._state.jwk);
     }
-    if (this._kid) {
-      proofBuilder.withKid(this._kid);
+    if (this._state.kid) {
+      proofBuilder.withKid(this._state.kid);
     }
 
     if (this.clientId) {
@@ -446,26 +405,31 @@ export class OpenID4VCIClient {
     }
     const response = await credentialRequestClient.acquireCredentialsUsingProof({
       proofInput: proofBuilder,
-      credentialTypes: credentialTypes,
+      credentialTypes,
+      context,
       format,
     });
     if (response.errorBody) {
       debug(`Credential request error:\r\n${JSON.stringify(response.errorBody)}`);
       throw Error(
-        `Retrieving a credential from ${this._endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${
+        `Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${
           response.origResponse.status
         }`,
       );
     } else if (!response.successBody) {
       debug(`Credential request error. No success body`);
       throw Error(
-        `Retrieving a credential from ${this._endpointMetadata
+        `Retrieving a credential from ${this._state.endpointMetadata
           ?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`,
       );
     }
     return response.successBody;
   }
 
+  public async exportState(): Promise<string> {
+    return JSON.stringify(this._state);
+  }
+
   // FIXME: We really should convert <v11 to v12 objects first. Right now the logic doesn't map nicely and is brittle.
   // We should resolve IDs to objects first in case of strings.
   // When < v11 convert into a v12 object. When v12 object retain it.
@@ -507,11 +471,26 @@ export class OpenID4VCIClient {
   }
 
   issuerSupportedFlowTypes(): AuthzFlowType[] {
-    return this.credentialOffer?.supportedFlows ?? [AuthzFlowType.AUTHORIZATION_CODE_FLOW];
+    return (
+      this.credentialOffer?.supportedFlows ??
+      (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [AuthzFlowType.AUTHORIZATION_CODE_FLOW] : [])
+    );
+  }
+
+  isFlowTypeSupported(flowType: AuthzFlowType): boolean {
+    return this.issuerSupportedFlowTypes().includes(flowType);
+  }
+
+  get authorizationURL(): string | undefined {
+    return this._state.authorizationURL;
+  }
+
+  public hasAuthorizationURL(): boolean {
+    return !!this.authorizationURL;
   }
 
   get credentialOffer(): CredentialOfferRequestWithBaseUrl | undefined {
-    return this._credentialOffer;
+    return this._state.credentialOffer;
   }
 
   public version(): OpenId4VCIVersion {
@@ -521,38 +500,46 @@ export class OpenID4VCIClient {
   public get endpointMetadata(): EndpointMetadataResult {
     this.assertServerMetadata();
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    return this._endpointMetadata!;
+    return this._state.endpointMetadata!;
   }
 
   get kid(): string {
     this.assertIssuerData();
-    if (!this._kid) {
+    if (!this._state.kid) {
       throw new Error('No value for kid is supplied');
     }
-    return this._kid;
+    return this._state.kid;
   }
 
   get alg(): string {
     this.assertIssuerData();
-    if (!this._alg) {
+    if (!this._state.alg) {
       throw new Error('No value for alg is supplied');
     }
-    return this._alg;
+    return this._state.alg;
+  }
+
+  set clientId(value: string | undefined) {
+    this._state.clientId = value;
   }
 
   get clientId(): string | undefined {
-    return this._clientId;
+    return this._state.clientId;
+  }
+
+  public hasAccessTokenResponse(): boolean {
+    return !!this._state.accessTokenResponse;
   }
 
   get accessTokenResponse(): AccessTokenResponse {
     this.assertAccessToken();
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    return this._accessTokenResponse!;
+    return this._state.accessTokenResponse!;
   }
 
   public getIssuer(): string {
     this.assertIssuerData();
-    return this._credentialIssuer!;
+    return this._state.credentialIssuer;
   }
 
   public getAccessTokenEndpoint(): string {
@@ -570,27 +557,62 @@ export class OpenID4VCIClient {
   public hasDeferredCredentialEndpoint(): boolean {
     return !!this.getAccessTokenEndpoint();
   }
+
   public getDeferredCredentialEndpoint(): string {
     this.assertIssuerData();
     return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
   }
+
+  /**
+   * Too bad we need a method like this, but EBSI is not exposing metadata
+   */
+  public isEBSI() {
+    if (
+      this.credentialOffer?.credential_offer.credentials.find(
+        (cred) =>
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore
+          typeof cred !== 'string' && 'trust_framework' in cred && 'name' in cred.trust_framework && cred.trust_framework.name.includes('ebsi'),
+      )
+    ) {
+      return true;
+    }
+    this.assertIssuerData();
+    return this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu');
+  }
+
   private assertIssuerData(): void {
-    if (!this._credentialOffer && this.issuerSupportedFlowTypes().includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
-      throw Error(`No issuance initiation or credential offer present`);
-    } else if (!this._credentialIssuer) {
+    if (!this._state.credentialIssuer) {
       throw Error(`No credential issuer value present`);
+    } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
+      throw Error(`No issuance initiation or credential offer present`);
     }
   }
 
   private assertServerMetadata(): void {
-    if (!this._endpointMetadata) {
+    if (!this._state.endpointMetadata) {
       throw Error('No server metadata');
     }
   }
 
   private assertAccessToken(): void {
-    if (!this._accessTokenResponse) {
+    if (!this._state.accessTokenResponse) {
       throw Error(`No access token present`);
     }
   }
+
+  private syncAuthorizationRequestOpts(opts?: AuthorizationRequestOpts): AuthorizationRequestOpts {
+    let authorizationRequestOpts = { ...this._state?.authorizationRequestOpts, ...opts } as AuthorizationRequestOpts;
+    if (!authorizationRequestOpts) {
+      // We only set a redirectUri if no options are provided.
+      // Note that this only works for mobile apps, that can handle a code query param on the default openid-credential-offer deeplink.
+      // Provide your own options if that is not desired!
+      authorizationRequestOpts = { redirectUri: `${DefaultURISchemes.CREDENTIAL_OFFER}://` };
+    }
+    const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
+    // sync clientId
+    this._state.clientId = clientId;
+    authorizationRequestOpts.clientId = clientId;
+    return authorizationRequestOpts;
+  }
 }