@sphereon/oid4vci-client 0.8.2-next.6 → 0.8.2-next.88

package/dist/OpenID4VCIClient.js

@@ -14,217 +14,218 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OpenID4VCIClient = void 0;
 const oid4vci_common_1 = require("@sphereon/oid4vci-common");
-const IssuerMetadataUtils_1 = require("@sphereon/oid4vci-common/dist/functions/IssuerMetadataUtils");
 const debug_1 = __importDefault(require("debug"));
 const AccessTokenClient_1 = require("./AccessTokenClient");
+const AuthorizationCodeClient_1 = require("./AuthorizationCodeClient");
 const CredentialOfferClient_1 = require("./CredentialOfferClient");
 const CredentialRequestClientBuilder_1 = require("./CredentialRequestClientBuilder");
 const MetadataClient_1 = require("./MetadataClient");
 const ProofOfPossessionBuilder_1 = require("./ProofOfPossessionBuilder");
-const functions_1 = require("./functions");
+const AuthorizationUtil_1 = require("./functions/AuthorizationUtil");
 const debug = (0, debug_1.default)('sphereon:oid4vci');
 class OpenID4VCIClient {
-    constructor(credentialOffer, kid, alg, clientId) {
-        this._credentialOffer = credentialOffer;
-        this._kid = kid;
-        this._alg = alg;
-        this._clientId = clientId;
+    constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationURL, }) {
+        var _a;
+        const issuer = credentialIssuer !== null && credentialIssuer !== void 0 ? credentialIssuer : (credentialOffer ? (0, oid4vci_common_1.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : undefined);
+        if (!issuer) {
+            throw Error('No credential issuer supplied or deduced from offer');
+        }
+        this._state = {
+            credentialOffer,
+            credentialIssuer: issuer,
+            kid,
+            alg,
+            // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
+            clientId: (_a = clientId !== null && clientId !== void 0 ? clientId : (credentialOffer && (0, oid4vci_common_1.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer))) !== null && _a !== void 0 ? _a : kid === null || kid === void 0 ? void 0 : kid.split('#')[0],
+            pkce: Object.assign({ disabled: false, codeChallengeMethod: oid4vci_common_1.CodeChallengeMethod.S256 }, pkce),
+            authorizationRequestOpts,
+            jwk,
+            endpointMetadata,
+            accessTokenResponse,
+            authorizationURL,
+        };
+        // Running syncAuthorizationRequestOpts later as it is using the state
+        if (!this._state.authorizationRequestOpts) {
+            this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
+        }
+        debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
     }
-    static fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, resolveOfferUri, }) {
+    static fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, }) {
         return __awaiter(this, void 0, void 0, function* () {
-            const client = new OpenID4VCIClient(yield CredentialOfferClient_1.CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri }), kid, alg, clientId);
+            const client = new OpenID4VCIClient({
+                kid,
+                alg,
+                clientId: clientId !== null && clientId !== void 0 ? clientId : authorizationRequest === null || authorizationRequest === void 0 ? void 0 : authorizationRequest.clientId,
+                credentialIssuer,
+                pkce,
+                authorizationRequest,
+            });
             if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
                 yield client.retrieveServerMetadata();
             }
+            if (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL) {
+                yield client.createAuthorizationRequestUrl({ authorizationRequest, pkce });
+            }
             return client;
         });
     }
-    retrieveServerMetadata() {
+    static fromState({ state }) {
         return __awaiter(this, void 0, void 0, function* () {
-            this.assertIssuerData();
-            if (!this._endpointMetadata) {
-                this._endpointMetadata = yield MetadataClient_1.MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
-            }
-            return this.endpointMetadata;
+            const clientState = typeof state === 'string' ? JSON.parse(state) : state;
+            return new OpenID4VCIClient(clientState);
         });
     }
-    createAuthorizationRequestUrl({ codeChallengeMethod, codeChallenge, authorizationDetails, redirectUri, scope }) {
+    static fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, }) {
         var _a;
-        // Scope and authorization_details can be used in the same authorization request
-        // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
-        if (!scope && !authorizationDetails) {
-            throw Error('Please provide a scope or authorization_details');
-        }
-        // todo: Probably can go with current logic in MetadataClient who will always set the authorization_endpoint when found
-        //  handling this because of the support for v1_0-08
-        if (this._endpointMetadata &&
-            this._endpointMetadata.credentialIssuerMetadata &&
-            'authorization_endpoint' in this._endpointMetadata.credentialIssuerMetadata) {
-            this._endpointMetadata.authorization_endpoint = this._endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
-        }
-        if (!((_a = this._endpointMetadata) === null || _a === void 0 ? void 0 : _a.authorization_endpoint)) {
-            throw Error('Server metadata does not contain authorization endpoint');
-        }
-        // add 'openid' scope if not present
-        if (!(scope === null || scope === void 0 ? void 0 : scope.includes('openid'))) {
-            scope = ['openid', scope].filter((s) => !!s).join(' ');
-        }
-        const queryObj = {
-            response_type: oid4vci_common_1.ResponseType.AUTH_CODE,
-            code_challenge_method: codeChallengeMethod,
-            code_challenge: codeChallenge,
-            authorization_details: JSON.stringify(this.handleAuthorizationDetails(authorizationDetails)),
-            redirect_uri: redirectUri,
-            scope: scope,
-        };
-        if (this.clientId) {
-            queryObj['client_id'] = this.clientId;
-        }
-        if (this.credentialOffer.issuerState) {
-            queryObj['issuer_state'] = this.credentialOffer.issuerState;
-        }
-        return (0, functions_1.convertJsonToURI)(queryObj, {
-            baseUrl: this._endpointMetadata.authorization_endpoint,
-            uriTypeProperties: ['redirect_uri', 'scope', 'authorization_details', 'issuer_state'],
-            mode: oid4vci_common_1.JsonURIMode.X_FORM_WWW_URLENCODED,
-            // We do not add the version here, as this always needs to be form encoded
-        });
-    }
-    acquirePushedAuthorizationRequestURI({ codeChallengeMethod, codeChallenge, authorizationDetails, redirectUri, scope, }) {
-        var _a, _b;
         return __awaiter(this, void 0, void 0, function* () {
-            // Scope and authorization_details can be used in the same authorization request
-            // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
-            if (!scope && !authorizationDetails) {
-                throw Error('Please provide a scope or authorization_details');
-            }
-            // Authorization servers supporting PAR SHOULD include the URL of their pushed authorization request endpoint in their authorization server metadata document
-            // Note that the presence of pushed_authorization_request_endpoint is sufficient for a client to determine that it may use the PAR flow.
-            // What happens if it doesn't ???
-            // let parEndpoint: string
-            if (!((_a = this._endpointMetadata) === null || _a === void 0 ? void 0 : _a.credentialIssuerMetadata) ||
-                !('pushed_authorization_request_endpoint' in this._endpointMetadata.credentialIssuerMetadata) ||
-                typeof this._endpointMetadata.credentialIssuerMetadata.pushed_authorization_request_endpoint !== 'string') {
-                throw Error('Server metadata does not contain pushed authorization request endpoint');
-            }
-            const parEndpoint = this._endpointMetadata.credentialIssuerMetadata.pushed_authorization_request_endpoint;
-            // add 'openid' scope if not present
-            if (!(scope === null || scope === void 0 ? void 0 : scope.includes('openid'))) {
-                scope = ['openid', scope].filter((s) => !!s).join(' ');
-            }
-            const queryObj = {
-                response_type: oid4vci_common_1.ResponseType.AUTH_CODE,
-                code_challenge_method: codeChallengeMethod,
-                code_challenge: codeChallenge,
-                authorization_details: JSON.stringify(this.handleAuthorizationDetails(authorizationDetails)),
-                redirect_uri: redirectUri,
-                scope: scope,
-            };
-            if (this.clientId) {
-                queryObj['client_id'] = this.clientId;
+            const credentialOfferClient = yield CredentialOfferClient_1.CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri });
+            const client = new OpenID4VCIClient({
+                credentialOffer: credentialOfferClient,
+                kid,
+                alg,
+                clientId: (_a = clientId !== null && clientId !== void 0 ? clientId : authorizationRequest === null || authorizationRequest === void 0 ? void 0 : authorizationRequest.clientId) !== null && _a !== void 0 ? _a : credentialOfferClient.clientId,
+                pkce,
+                authorizationRequest,
+            });
+            if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
+                yield client.retrieveServerMetadata();
             }
-            if (this.credentialOffer.issuerState) {
-                queryObj['issuer_state'] = this.credentialOffer.issuerState;
+            if (credentialOfferClient.supportedFlows.includes(oid4vci_common_1.AuthzFlowType.AUTHORIZATION_CODE_FLOW) &&
+                (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL)) {
+                yield client.createAuthorizationRequestUrl({ authorizationRequest, pkce });
+                debug(`Authorization Request URL: ${client._state.authorizationURL}`);
             }
-            const response = yield (0, functions_1.formPost)(parEndpoint, new URLSearchParams(queryObj));
-            return (0, functions_1.convertJsonToURI)({ request_uri: (_b = response.successBody) === null || _b === void 0 ? void 0 : _b.request_uri }, {
-                baseUrl: this._endpointMetadata.credentialIssuerMetadata.authorization_endpoint,
-                uriTypeProperties: ['request_uri'],
-                mode: oid4vci_common_1.JsonURIMode.X_FORM_WWW_URLENCODED,
-            });
+            return client;
         });
     }
-    handleAuthorizationDetails(authorizationDetails) {
-        if (authorizationDetails) {
-            if (Array.isArray(authorizationDetails)) {
-                return authorizationDetails.map((value) => this.handleLocations(Object.assign({}, value)));
-            }
-            else {
-                return this.handleLocations(Object.assign({}, authorizationDetails));
+    /**
+     * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
+     *
+     * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
+     * @param opts
+     */
+    createAuthorizationRequestUrl(opts) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this._state.authorizationURL) {
+                this.calculatePKCEOpts(opts === null || opts === void 0 ? void 0 : opts.pkce);
+                this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts === null || opts === void 0 ? void 0 : opts.authorizationRequest);
+                if (!this._state.authorizationRequestOpts) {
+                    throw Error(`No Authorization Request options present or provided in this call`);
+                }
+                // todo: Probably can go with current logic in MetadataClient who will always set the authorization_endpoint when found
+                //  handling this because of the support for v1_0-08
+                if (((_a = this._state.endpointMetadata) === null || _a === void 0 ? void 0 : _a.credentialIssuerMetadata) &&
+                    'authorization_endpoint' in this._state.endpointMetadata.credentialIssuerMetadata) {
+                    this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
+                }
+                this._state.authorizationURL = yield (0, AuthorizationCodeClient_1.createAuthorizationRequestUrl)({
+                    pkce: this._state.pkce,
+                    endpointMetadata: this.endpointMetadata,
+                    authorizationRequest: this._state.authorizationRequestOpts,
+                    credentialOffer: this.credentialOffer,
+                    credentialsSupported: this.getCredentialsSupported(true),
+                });
             }
-        }
-        return authorizationDetails;
+            return this._state.authorizationURL;
+        });
     }
-    handleLocations(authorizationDetails) {
-        var _a;
-        if (authorizationDetails &&
-            (((_a = this.endpointMetadata.credentialIssuerMetadata) === null || _a === void 0 ? void 0 : _a.authorization_server) || this.endpointMetadata.authorization_endpoint)) {
-            if (authorizationDetails.locations) {
-                if (Array.isArray(authorizationDetails.locations)) {
-                    authorizationDetails.locations.push(this.endpointMetadata.issuer);
+    retrieveServerMetadata() {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.assertIssuerData();
+            if (!this._state.endpointMetadata) {
+                if (this.credentialOffer) {
+                    this._state.endpointMetadata = yield MetadataClient_1.MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+                }
+                else if (this._state.credentialIssuer) {
+                    this._state.endpointMetadata = yield MetadataClient_1.MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
                 }
                 else {
-                    authorizationDetails.locations = [authorizationDetails.locations, this.endpointMetadata.issuer];
+                    throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
                 }
             }
-            else {
-                authorizationDetails.locations = this.endpointMetadata.issuer;
-            }
-        }
-        return authorizationDetails;
+            return this.endpointMetadata;
+        });
+    }
+    calculatePKCEOpts(pkce) {
+        this._state.pkce = (0, AuthorizationUtil_1.generateMissingPKCEOpts)(Object.assign(Object.assign({}, this._state.pkce), pkce));
     }
     acquireAccessToken(opts) {
-        var _a, _b;
+        var _a, _b, _c, _d, _e, _f;
         return __awaiter(this, void 0, void 0, function* () {
-            const { pin, clientId, codeVerifier, code, redirectUri } = opts !== null && opts !== void 0 ? opts : {};
+            const { pin, clientId } = opts !== null && opts !== void 0 ? opts : {};
+            let { redirectUri } = opts !== null && opts !== void 0 ? opts : {};
+            const code = (_a = opts === null || opts === void 0 ? void 0 : opts.code) !== null && _a !== void 0 ? _a : ((opts === null || opts === void 0 ? void 0 : opts.authorizationResponse) ? (0, oid4vci_common_1.toAuthorizationResponsePayload)(opts.authorizationResponse).code : undefined);
+            if (opts === null || opts === void 0 ? void 0 : opts.codeVerifier) {
+                this._state.pkce.codeVerifier = opts.codeVerifier;
+            }
             this.assertIssuerData();
             if (clientId) {
-                this._clientId = clientId;
+                this._state.clientId = clientId;
             }
-            if (!this._accessTokenResponse) {
+            if (!this._state.accessTokenResponse) {
                 const accessTokenClient = new AccessTokenClient_1.AccessTokenClient();
-                const response = yield accessTokenClient.acquireAccessToken({
-                    credentialOffer: this.credentialOffer,
-                    metadata: this.endpointMetadata,
-                    pin,
-                    codeVerifier,
-                    code,
-                    redirectUri,
-                    asOpts: { clientId },
-                });
+                if (redirectUri && redirectUri !== ((_b = this._state.authorizationRequestOpts) === null || _b === void 0 ? void 0 : _b.redirectUri)) {
+                    console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${(_c = this._state.authorizationRequestOpts) === null || _c === void 0 ? void 0 : _c.redirectUri}). According to the specification that is not allowed.`);
+                }
+                if (((_d = this._state.authorizationRequestOpts) === null || _d === void 0 ? void 0 : _d.redirectUri) && !redirectUri) {
+                    redirectUri = this._state.authorizationRequestOpts.redirectUri;
+                }
+                const response = yield accessTokenClient.acquireAccessToken(Object.assign(Object.assign({ credentialOffer: this.credentialOffer, metadata: this.endpointMetadata, credentialIssuer: this.getIssuer(), pin }, (!this._state.pkce.disabled && { codeVerifier: this._state.pkce.codeVerifier })), { code,
+                    redirectUri, asOpts: { clientId: this.clientId } }));
                 if (response.errorBody) {
                     debug(`Access token error:\r\n${response.errorBody}`);
-                    throw Error(`Retrieving an access token from ${(_a = this._endpointMetadata) === null || _a === void 0 ? void 0 : _a.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
+                    throw Error(`Retrieving an access token from ${(_e = this._state.endpointMetadata) === null || _e === void 0 ? void 0 : _e.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
                 }
                 else if (!response.successBody) {
                     debug(`Access token error. No success body`);
-                    throw Error(`Retrieving an access token from ${(_b = this._endpointMetadata) === null || _b === void 0 ? void 0 : _b.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
+                    throw Error(`Retrieving an access token from ${(_f = this._state.endpointMetadata) === null || _f === void 0 ? void 0 : _f.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
                 }
-                this._accessTokenResponse = response.successBody;
+                this._state.accessTokenResponse = response.successBody;
             }
             return this.accessTokenResponse;
         });
     }
-    acquireCredentials({ credentialTypes, proofCallbacks, format, kid, alg, jti, }) {
+    acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, }) {
         var _a, _b, _c;
         return __awaiter(this, void 0, void 0, function* () {
-            if (alg) {
-                this._alg = alg;
+            if ([jwk, kid].filter((v) => v !== undefined).length > 1) {
+                throw new Error(oid4vci_common_1.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== undefined}, kid: ${kid !== undefined}`);
             }
-            if (kid) {
-                this._kid = kid;
-            }
-            const requestBuilder = CredentialRequestClientBuilder_1.CredentialRequestClientBuilder.fromCredentialOffer({
-                credentialOffer: this.credentialOffer,
-                metadata: this.endpointMetadata,
-            });
+            if (alg)
+                this._state.alg = alg;
+            if (jwk)
+                this._state.jwk = jwk;
+            if (kid)
+                this._state.kid = kid;
+            const requestBuilder = this.credentialOffer
+                ? CredentialRequestClientBuilder_1.CredentialRequestClientBuilder.fromCredentialOffer({
+                    credentialOffer: this.credentialOffer,
+                    metadata: this.endpointMetadata,
+                })
+                : CredentialRequestClientBuilder_1.CredentialRequestClientBuilder.fromCredentialIssuer({
+                    credentialIssuer: this.getIssuer(),
+                    credentialTypes,
+                    metadata: this.endpointMetadata,
+                    version: this.version(),
+                });
             requestBuilder.withTokenFromResponse(this.accessTokenResponse);
+            requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait !== null && deferredCredentialAwait !== void 0 ? deferredCredentialAwait : false, deferredCredentialIntervalInMS);
             if ((_a = this.endpointMetadata) === null || _a === void 0 ? void 0 : _a.credentialIssuerMetadata) {
                 const metadata = this.endpointMetadata.credentialIssuerMetadata;
-                const types = Array.isArray(credentialTypes) ? credentialTypes.sort() : [credentialTypes];
+                const types = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes];
                 if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
                     let typeSupported = false;
                     metadata.credentials_supported.forEach((supportedCredential) => {
-                        if (!supportedCredential.types || supportedCredential.types.length === 0) {
-                            throw Error('types is required in the credentials supported');
-                        }
-                        if (supportedCredential.types.sort().every((t, i) => types[i] === t) ||
-                            (types.length === 1 && (types[0] === supportedCredential.id || supportedCredential.types.includes(types[0])))) {
+                        const subTypes = (0, oid4vci_common_1.getTypesFromCredentialSupported)(supportedCredential);
+                        if (subTypes.every((t, i) => types[i] === t) ||
+                            (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))) {
                             typeSupported = true;
                         }
                     });
                     if (!typeSupported) {
-                        throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
+                        console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
+                        // throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
                     }
                 }
                 else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
@@ -242,8 +243,13 @@ class OpenID4VCIClient {
                 version: this.version(),
             })
                 .withIssuer(this.getIssuer())
-                .withAlg(this.alg)
-                .withKid(this.kid);
+                .withAlg(this.alg);
+            if (this._state.jwk) {
+                proofBuilder.withJWK(this._state.jwk);
+            }
+            if (this._state.kid) {
+                proofBuilder.withKid(this._state.kid);
+            }
             if (this.clientId) {
                 proofBuilder.withClientId(this.clientId);
             }
@@ -252,26 +258,32 @@ class OpenID4VCIClient {
             }
             const response = yield credentialRequestClient.acquireCredentialsUsingProof({
                 proofInput: proofBuilder,
-                credentialTypes: credentialTypes,
+                credentialTypes,
+                context,
                 format,
             });
             if (response.errorBody) {
-                debug(`Credential request error:\r\n${response.errorBody}`);
-                throw Error(`Retrieving a credential from ${(_b = this._endpointMetadata) === null || _b === void 0 ? void 0 : _b.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
+                debug(`Credential request error:\r\n${JSON.stringify(response.errorBody)}`);
+                throw Error(`Retrieving a credential from ${(_b = this._state.endpointMetadata) === null || _b === void 0 ? void 0 : _b.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
             }
             else if (!response.successBody) {
                 debug(`Credential request error. No success body`);
-                throw Error(`Retrieving a credential from ${(_c = this._endpointMetadata) === null || _c === void 0 ? void 0 : _c.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
+                throw Error(`Retrieving a credential from ${(_c = this._state.endpointMetadata) === null || _c === void 0 ? void 0 : _c.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
             }
             return response.successBody;
         });
     }
+    exportState() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return JSON.stringify(this._state);
+        });
+    }
     // FIXME: We really should convert <v11 to v12 objects first. Right now the logic doesn't map nicely and is brittle.
     // We should resolve IDs to objects first in case of strings.
     // When < v11 convert into a v12 object. When v12 object retain it.
     // Then match the object array on server metadata
     getCredentialsSupported(restrictToInitiationTypes, format) {
-        return (0, IssuerMetadataUtils_1.getSupportedCredentials)({
+        return (0, oid4vci_common_1.getSupportedCredentials)({
             issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
             version: this.version(),
             format: format,
@@ -279,7 +291,10 @@ class OpenID4VCIClient {
         });
     }
     getCredentialOfferTypes() {
-        if (this.credentialOffer.version < oid4vci_common_1.OpenId4VCIVersion.VER_1_0_11) {
+        if (!this.credentialOffer) {
+            return [];
+        }
+        else if (this.credentialOffer.version < oid4vci_common_1.OpenId4VCIVersion.VER_1_0_11) {
             const orig = this.credentialOffer.original_credential_offer;
             const types = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type;
             const result = [];
@@ -288,52 +303,77 @@ class OpenID4VCIClient {
         }
         else {
             return this.credentialOffer.credential_offer.credentials.map((c) => {
-                return typeof c === 'string' ? [c] : c.types;
+                if (typeof c === 'string') {
+                    return [c];
+                }
+                else if ('types' in c) {
+                    return c.types;
+                }
+                else if ('vct' in c) {
+                    return [c.vct];
+                }
+                else {
+                    return c.credential_definition.types;
+                }
             });
         }
     }
     issuerSupportedFlowTypes() {
-        return this.credentialOffer.supportedFlows;
+        var _a, _b, _c, _d;
+        return ((_b = (_a = this.credentialOffer) === null || _a === void 0 ? void 0 : _a.supportedFlows) !== null && _b !== void 0 ? _b : (((_d = (_c = this._state.endpointMetadata) === null || _c === void 0 ? void 0 : _c.credentialIssuerMetadata) === null || _d === void 0 ? void 0 : _d.authorization_endpoint) ? [oid4vci_common_1.AuthzFlowType.AUTHORIZATION_CODE_FLOW] : []));
+    }
+    isFlowTypeSupported(flowType) {
+        return this.issuerSupportedFlowTypes().includes(flowType);
+    }
+    get authorizationURL() {
+        return this._state.authorizationURL;
+    }
+    hasAuthorizationURL() {
+        return !!this.authorizationURL;
     }
     get credentialOffer() {
-        return this._credentialOffer;
+        return this._state.credentialOffer;
     }
     version() {
-        return this.credentialOffer.version;
+        var _a, _b;
+        return (_b = (_a = this.credentialOffer) === null || _a === void 0 ? void 0 : _a.version) !== null && _b !== void 0 ? _b : oid4vci_common_1.OpenId4VCIVersion.VER_1_0_11;
     }
     get endpointMetadata() {
         this.assertServerMetadata();
         // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-        return this._endpointMetadata;
+        return this._state.endpointMetadata;
     }
     get kid() {
         this.assertIssuerData();
-        if (!this._kid) {
+        if (!this._state.kid) {
             throw new Error('No value for kid is supplied');
         }
-        return this._kid;
+        return this._state.kid;
     }
     get alg() {
         this.assertIssuerData();
-        if (!this._alg) {
+        if (!this._state.alg) {
             throw new Error('No value for alg is supplied');
         }
-        return this._alg;
+        return this._state.alg;
+    }
+    set clientId(value) {
+        this._state.clientId = value;
     }
     get clientId() {
-        /*if (!this._clientId) {
-          throw Error('No client id present');
-        }*/
-        return this._clientId;
+        return this._state.clientId;
+    }
+    hasAccessTokenResponse() {
+        return !!this._state.accessTokenResponse;
     }
     get accessTokenResponse() {
         this.assertAccessToken();
         // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-        return this._accessTokenResponse;
+        return this._state.accessTokenResponse;
     }
     getIssuer() {
         this.assertIssuerData();
-        return this._endpointMetadata ? this.endpointMetadata.issuer : this.getIssuer();
+        return this._state.credentialIssuer;
     }
     getAccessTokenEndpoint() {
         this.assertIssuerData();
@@ -345,21 +385,60 @@ class OpenID4VCIClient {
         this.assertIssuerData();
         return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
     }
+    hasDeferredCredentialEndpoint() {
+        return !!this.getAccessTokenEndpoint();
+    }
+    getDeferredCredentialEndpoint() {
+        this.assertIssuerData();
+        return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+    }
+    /**
+     * Too bad we need a method like this, but EBSI is not exposing metadata
+     */
+    isEBSI() {
+        var _a, _b, _c;
+        if ((_a = this.credentialOffer) === null || _a === void 0 ? void 0 : _a.credential_offer.credentials.find((cred) => 
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore
+        typeof cred !== 'string' && 'trust_framework' in cred && 'name' in cred.trust_framework && cred.trust_framework.name.includes('ebsi'))) {
+            return true;
+        }
+        this.assertIssuerData();
+        return (_c = (_b = this.endpointMetadata.credentialIssuerMetadata) === null || _b === void 0 ? void 0 : _b.authorization_endpoint) === null || _c === void 0 ? void 0 : _c.includes('ebsi.eu');
+    }
     assertIssuerData() {
-        if (!this._credentialOffer) {
+        if (!this._state.credentialIssuer) {
+            throw Error(`No credential issuer value present`);
+        }
+        else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
             throw Error(`No issuance initiation or credential offer present`);
         }
     }
     assertServerMetadata() {
-        if (!this._endpointMetadata) {
+        if (!this._state.endpointMetadata) {
             throw Error('No server metadata');
         }
     }
     assertAccessToken() {
-        if (!this._accessTokenResponse) {
+        if (!this._state.accessTokenResponse) {
             throw Error(`No access token present`);
         }
     }
+    syncAuthorizationRequestOpts(opts) {
+        var _a, _b;
+        let authorizationRequestOpts = Object.assign(Object.assign({}, (_a = this._state) === null || _a === void 0 ? void 0 : _a.authorizationRequestOpts), opts);
+        if (!authorizationRequestOpts) {
+            // We only set a redirectUri if no options are provided.
+            // Note that this only works for mobile apps, that can handle a code query param on the default openid-credential-offer deeplink.
+            // Provide your own options if that is not desired!
+            authorizationRequestOpts = { redirectUri: `${oid4vci_common_1.DefaultURISchemes.CREDENTIAL_OFFER}://` };
+        }
+        const clientId = (_b = authorizationRequestOpts.clientId) !== null && _b !== void 0 ? _b : this._state.clientId;
+        // sync clientId
+        this._state.clientId = clientId;
+        authorizationRequestOpts.clientId = clientId;
+        return authorizationRequestOpts;
+    }
 }
 exports.OpenID4VCIClient = OpenID4VCIClient;
 //# sourceMappingURL=OpenID4VCIClient.js.map