@sphereon/oid4vci-client 0.8.2-next.6 → 0.8.2-next.88

package/lib/OpenID4VCIClient.ts

@@ -1,276 +1,307 @@
 import {
   AccessTokenResponse,
   Alg,
+  AuthorizationRequestOpts,
+  AuthorizationResponse,
   AuthzFlowType,
   CodeChallengeMethod,
   CredentialOfferPayloadV1_0_08,
   CredentialOfferRequestWithBaseUrl,
   CredentialResponse,
   CredentialSupported,
+  DefaultURISchemes,
   EndpointMetadataResult,
-  JsonURIMode,
+  getClientIdFromCredentialOfferPayload,
+  getIssuerFromCredentialOfferPayload,
+  getSupportedCredentials,
+  getTypesFromCredentialSupported,
+  JWK,
+  KID_JWK_X5C_ERROR,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
+  PKCEOpts,
   ProofOfPossessionCallbacks,
-  PushedAuthorizationResponse,
-  ResponseType,
+  toAuthorizationResponsePayload,
 } from '@sphereon/oid4vci-common';
-import { getSupportedCredentials } from '@sphereon/oid4vci-common/dist/functions/IssuerMetadataUtils';
-import { CredentialSupportedTypeV1_0_08 } from '@sphereon/oid4vci-common/dist/types/v1_0_08.types';
 import { CredentialFormat } from '@sphereon/ssi-types';
 import Debug from 'debug';
 
 import { AccessTokenClient } from './AccessTokenClient';
+import { createAuthorizationRequestUrl } from './AuthorizationCodeClient';
 import { CredentialOfferClient } from './CredentialOfferClient';
 import { CredentialRequestClientBuilder } from './CredentialRequestClientBuilder';
 import { MetadataClient } from './MetadataClient';
 import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
-import { convertJsonToURI, formPost } from './functions';
+import { generateMissingPKCEOpts } from './functions/AuthorizationUtil';
 
 const debug = Debug('sphereon:oid4vci');
 
-interface AuthDetails {
-  type: 'openid_credential' | string;
-  locations?: string | string[];
-  format: CredentialFormat | CredentialFormat[];
-
-  [s: string]: unknown;
-}
-
-interface AuthRequestOpts {
-  codeChallenge: string;
-  codeChallengeMethod: CodeChallengeMethod;
-  authorizationDetails?: AuthDetails | AuthDetails[];
-  redirectUri: string;
-  scope?: string;
+export interface OpenID4VCIClientState {
+  credentialIssuer: string;
+  credentialOffer?: CredentialOfferRequestWithBaseUrl;
+  clientId?: string;
+  kid?: string;
+  jwk?: JWK;
+  alg?: Alg | string;
+  endpointMetadata?: EndpointMetadataResult;
+  accessTokenResponse?: AccessTokenResponse;
+  authorizationRequestOpts?: AuthorizationRequestOpts;
+  pkce: PKCEOpts;
+  authorizationURL?: string;
 }
 
 export class OpenID4VCIClient {
-  private readonly _credentialOffer: CredentialOfferRequestWithBaseUrl;
-  private _clientId?: string;
-  private _kid: string | undefined;
-  private _alg: Alg | string | undefined;
-  private _endpointMetadata: EndpointMetadataResult | undefined;
-  private _accessTokenResponse: AccessTokenResponse | undefined;
+  private readonly _state: OpenID4VCIClientState;
 
-  private constructor(credentialOffer: CredentialOfferRequestWithBaseUrl, kid?: string, alg?: Alg | string, clientId?: string) {
-    this._credentialOffer = credentialOffer;
-    this._kid = kid;
-    this._alg = alg;
-    this._clientId = clientId;
+  private constructor({
+    credentialOffer,
+    clientId,
+    kid,
+    alg,
+    credentialIssuer,
+    pkce,
+    authorizationRequest,
+    jwk,
+    endpointMetadata,
+    accessTokenResponse,
+    authorizationRequestOpts,
+    authorizationURL,
+  }: {
+    credentialOffer?: CredentialOfferRequestWithBaseUrl;
+    kid?: string;
+    alg?: Alg | string;
+    clientId?: string;
+    credentialIssuer?: string;
+    pkce?: PKCEOpts;
+    authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
+    jwk?: JWK;
+    endpointMetadata?: EndpointMetadataResult;
+    accessTokenResponse?: AccessTokenResponse;
+    authorizationRequestOpts?: AuthorizationRequestOpts;
+    authorizationURL?: string;
+  }) {
+    const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : undefined);
+    if (!issuer) {
+      throw Error('No credential issuer supplied or deduced from offer');
+    }
+    this._state = {
+      credentialOffer,
+      credentialIssuer: issuer,
+      kid,
+      alg,
+      // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
+      clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload(credentialOffer.credential_offer)) ?? kid?.split('#')[0],
+      pkce: { disabled: false, codeChallengeMethod: CodeChallengeMethod.S256, ...pkce },
+      authorizationRequestOpts,
+      jwk,
+      endpointMetadata,
+      accessTokenResponse,
+      authorizationURL,
+    };
+    // Running syncAuthorizationRequestOpts later as it is using the state
+    if (!this._state.authorizationRequestOpts) {
+      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
+    }
+    debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
   }
 
-  public static async fromURI({
-    uri,
+  public static async fromCredentialIssuer({
     kid,
     alg,
     retrieveServerMetadata,
     clientId,
-    resolveOfferUri,
+    credentialIssuer,
+    pkce,
+    authorizationRequest,
+    createAuthorizationRequestURL,
   }: {
-    uri: string;
+    credentialIssuer: string;
     kid?: string;
     alg?: Alg | string;
     retrieveServerMetadata?: boolean;
-    resolveOfferUri?: boolean;
     clientId?: string;
-  }): Promise<OpenID4VCIClient> {
-    const client = new OpenID4VCIClient(await CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri }), kid, alg, clientId);
-
+    createAuthorizationRequestURL?: boolean;
+    authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
+    pkce?: PKCEOpts;
+  }) {
+    const client = new OpenID4VCIClient({
+      kid,
+      alg,
+      clientId: clientId ?? authorizationRequest?.clientId,
+      credentialIssuer,
+      pkce,
+      authorizationRequest,
+    });
     if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
       await client.retrieveServerMetadata();
     }
-    return client;
-  }
-
-  public async retrieveServerMetadata(): Promise<EndpointMetadataResult> {
-    this.assertIssuerData();
-    if (!this._endpointMetadata) {
-      this._endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+    if (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL) {
+      await client.createAuthorizationRequestUrl({ authorizationRequest, pkce });
     }
-    return this.endpointMetadata;
+    return client;
   }
 
-  public createAuthorizationRequestUrl({ codeChallengeMethod, codeChallenge, authorizationDetails, redirectUri, scope }: AuthRequestOpts): string {
-    // Scope and authorization_details can be used in the same authorization request
-    // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
-    if (!scope && !authorizationDetails) {
-      throw Error('Please provide a scope or authorization_details');
-    }
-    // todo: Probably can go with current logic in MetadataClient who will always set the authorization_endpoint when found
-    //  handling this because of the support for v1_0-08
-    if (
-      this._endpointMetadata &&
-      this._endpointMetadata.credentialIssuerMetadata &&
-      'authorization_endpoint' in this._endpointMetadata.credentialIssuerMetadata
-    ) {
-      this._endpointMetadata.authorization_endpoint = this._endpointMetadata.credentialIssuerMetadata.authorization_endpoint as string;
-    }
-    if (!this._endpointMetadata?.authorization_endpoint) {
-      throw Error('Server metadata does not contain authorization endpoint');
-    }
+  public static async fromState({ state }: { state: OpenID4VCIClientState | string }): Promise<OpenID4VCIClient> {
+    const clientState = typeof state === 'string' ? JSON.parse(state) : state;
 
-    // add 'openid' scope if not present
-    if (!scope?.includes('openid')) {
-      scope = ['openid', scope].filter((s) => !!s).join(' ');
-    }
-
-    const queryObj: { [key: string]: string } = {
-      response_type: ResponseType.AUTH_CODE,
-      code_challenge_method: codeChallengeMethod,
-      code_challenge: codeChallenge,
-      authorization_details: JSON.stringify(this.handleAuthorizationDetails(authorizationDetails)),
-      redirect_uri: redirectUri,
-      scope: scope,
-    };
-
-    if (this.clientId) {
-      queryObj['client_id'] = this.clientId;
-    }
-
-    if (this.credentialOffer.issuerState) {
-      queryObj['issuer_state'] = this.credentialOffer.issuerState;
-    }
+    return new OpenID4VCIClient(clientState);
+  }
 
-    return convertJsonToURI(queryObj, {
-      baseUrl: this._endpointMetadata.authorization_endpoint,
-      uriTypeProperties: ['redirect_uri', 'scope', 'authorization_details', 'issuer_state'],
-      mode: JsonURIMode.X_FORM_WWW_URLENCODED,
-      // We do not add the version here, as this always needs to be form encoded
+  public static async fromURI({
+    uri,
+    kid,
+    alg,
+    retrieveServerMetadata,
+    clientId,
+    pkce,
+    createAuthorizationRequestURL,
+    authorizationRequest,
+    resolveOfferUri,
+  }: {
+    uri: string;
+    kid?: string;
+    alg?: Alg | string;
+    retrieveServerMetadata?: boolean;
+    createAuthorizationRequestURL?: boolean;
+    resolveOfferUri?: boolean;
+    pkce?: PKCEOpts;
+    clientId?: string;
+    authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
+  }): Promise<OpenID4VCIClient> {
+    const credentialOfferClient = await CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri });
+    const client = new OpenID4VCIClient({
+      credentialOffer: credentialOfferClient,
+      kid,
+      alg,
+      clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
+      pkce,
+      authorizationRequest,
     });
-  }
 
-  public async acquirePushedAuthorizationRequestURI({
-    codeChallengeMethod,
-    codeChallenge,
-    authorizationDetails,
-    redirectUri,
-    scope,
-  }: AuthRequestOpts): Promise<string> {
-    // Scope and authorization_details can be used in the same authorization request
-    // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
-    if (!scope && !authorizationDetails) {
-      throw Error('Please provide a scope or authorization_details');
+    if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
+      await client.retrieveServerMetadata();
     }
-
-    // Authorization servers supporting PAR SHOULD include the URL of their pushed authorization request endpoint in their authorization server metadata document
-    // Note that the presence of pushed_authorization_request_endpoint is sufficient for a client to determine that it may use the PAR flow.
-    // What happens if it doesn't ???
-    // let parEndpoint: string
     if (
-      !this._endpointMetadata?.credentialIssuerMetadata ||
-      !('pushed_authorization_request_endpoint' in this._endpointMetadata.credentialIssuerMetadata) ||
-      typeof this._endpointMetadata.credentialIssuerMetadata.pushed_authorization_request_endpoint !== 'string'
+      credentialOfferClient.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW) &&
+      (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL)
     ) {
-      throw Error('Server metadata does not contain pushed authorization request endpoint');
+      await client.createAuthorizationRequestUrl({ authorizationRequest, pkce });
+      debug(`Authorization Request URL: ${client._state.authorizationURL}`);
     }
-    const parEndpoint: string = this._endpointMetadata.credentialIssuerMetadata.pushed_authorization_request_endpoint;
 
-    // add 'openid' scope if not present
-    if (!scope?.includes('openid')) {
-      scope = ['openid', scope].filter((s) => !!s).join(' ');
-    }
-
-    const queryObj: { [key: string]: string } = {
-      response_type: ResponseType.AUTH_CODE,
-      code_challenge_method: codeChallengeMethod,
-      code_challenge: codeChallenge,
-      authorization_details: JSON.stringify(this.handleAuthorizationDetails(authorizationDetails)),
-      redirect_uri: redirectUri,
-      scope: scope,
-    };
+    return client;
+  }
 
-    if (this.clientId) {
-      queryObj['client_id'] = this.clientId;
-    }
+  /**
+   * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
+   *
+   * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
+   * @param opts
+   */
+  public async createAuthorizationRequestUrl(opts?: { authorizationRequest?: AuthorizationRequestOpts; pkce?: PKCEOpts }): Promise<string> {
+    if (!this._state.authorizationURL) {
+      this.calculatePKCEOpts(opts?.pkce);
+      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
+      if (!this._state.authorizationRequestOpts) {
+        throw Error(`No Authorization Request options present or provided in this call`);
+      }
 
-    if (this.credentialOffer.issuerState) {
-      queryObj['issuer_state'] = this.credentialOffer.issuerState;
+      // todo: Probably can go with current logic in MetadataClient who will always set the authorization_endpoint when found
+      //  handling this because of the support for v1_0-08
+      if (
+        this._state.endpointMetadata?.credentialIssuerMetadata &&
+        'authorization_endpoint' in this._state.endpointMetadata.credentialIssuerMetadata
+      ) {
+        this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint as string;
+      }
+      this._state.authorizationURL = await createAuthorizationRequestUrl({
+        pkce: this._state.pkce,
+        endpointMetadata: this.endpointMetadata,
+        authorizationRequest: this._state.authorizationRequestOpts,
+        credentialOffer: this.credentialOffer,
+        credentialsSupported: this.getCredentialsSupported(true),
+      });
     }
-
-    const response = await formPost<PushedAuthorizationResponse>(parEndpoint, new URLSearchParams(queryObj));
-
-    return convertJsonToURI(
-      { request_uri: response.successBody?.request_uri },
-      {
-        baseUrl: this._endpointMetadata.credentialIssuerMetadata.authorization_endpoint,
-        uriTypeProperties: ['request_uri'],
-        mode: JsonURIMode.X_FORM_WWW_URLENCODED,
-      },
-    );
+    return this._state.authorizationURL;
   }
 
-  public handleAuthorizationDetails(authorizationDetails?: AuthDetails | AuthDetails[]): AuthDetails | AuthDetails[] | undefined {
-    if (authorizationDetails) {
-      if (Array.isArray(authorizationDetails)) {
-        return authorizationDetails.map((value) => this.handleLocations({ ...value }));
+  public async retrieveServerMetadata(): Promise<EndpointMetadataResult> {
+    this.assertIssuerData();
+    if (!this._state.endpointMetadata) {
+      if (this.credentialOffer) {
+        this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+      } else if (this._state.credentialIssuer) {
+        this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
       } else {
-        return this.handleLocations({ ...authorizationDetails });
+        throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
       }
     }
-    return authorizationDetails;
+
+    return this.endpointMetadata;
   }
 
-  private handleLocations(authorizationDetails: AuthDetails) {
-    if (
-      authorizationDetails &&
-      (this.endpointMetadata.credentialIssuerMetadata?.authorization_server || this.endpointMetadata.authorization_endpoint)
-    ) {
-      if (authorizationDetails.locations) {
-        if (Array.isArray(authorizationDetails.locations)) {
-          (authorizationDetails.locations as string[]).push(this.endpointMetadata.issuer);
-        } else {
-          authorizationDetails.locations = [authorizationDetails.locations as string, this.endpointMetadata.issuer];
-        }
-      } else {
-        authorizationDetails.locations = this.endpointMetadata.issuer;
-      }
-    }
-    return authorizationDetails;
+  private calculatePKCEOpts(pkce?: PKCEOpts) {
+    this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce });
   }
 
   public async acquireAccessToken(opts?: {
     pin?: string;
     clientId?: string;
     codeVerifier?: string;
-    code?: string;
+    authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
+    code?: string; // Directly pass in a code from an auth response
     redirectUri?: string;
   }): Promise<AccessTokenResponse> {
-    const { pin, clientId, codeVerifier, code, redirectUri } = opts ?? {};
+    const { pin, clientId } = opts ?? {};
+    let { redirectUri } = opts ?? {};
+    const code = opts?.code ?? (opts?.authorizationResponse ? toAuthorizationResponsePayload(opts.authorizationResponse).code : undefined);
 
+    if (opts?.codeVerifier) {
+      this._state.pkce.codeVerifier = opts.codeVerifier;
+    }
     this.assertIssuerData();
 
     if (clientId) {
-      this._clientId = clientId;
+      this._state.clientId = clientId;
     }
-    if (!this._accessTokenResponse) {
+    if (!this._state.accessTokenResponse) {
       const accessTokenClient = new AccessTokenClient();
 
+      if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
+        console.log(
+          `Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`,
+        );
+      }
+      if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
+        redirectUri = this._state.authorizationRequestOpts.redirectUri;
+      }
+
       const response = await accessTokenClient.acquireAccessToken({
         credentialOffer: this.credentialOffer,
         metadata: this.endpointMetadata,
+        credentialIssuer: this.getIssuer(),
         pin,
-        codeVerifier,
+        ...(!this._state.pkce.disabled && { codeVerifier: this._state.pkce.codeVerifier }),
         code,
         redirectUri,
-        asOpts: { clientId },
+        asOpts: { clientId: this.clientId },
       });
 
       if (response.errorBody) {
         debug(`Access token error:\r\n${response.errorBody}`);
         throw Error(
-          `Retrieving an access token from ${this._endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${
+          `Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${
             response.origResponse.status
           }`,
         );
       } else if (!response.successBody) {
         debug(`Access token error. No success body`);
         throw Error(
-          `Retrieving an access token from ${this._endpointMetadata
+          `Retrieving an access token from ${this._state.endpointMetadata
             ?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`,
         );
       }
-      this._accessTokenResponse = response.successBody;
+      this._state.accessTokenResponse = response.successBody;
     }
 
     return this.accessTokenResponse;
@@ -278,56 +309,72 @@ export class OpenID4VCIClient {
 
   public async acquireCredentials({
     credentialTypes,
+    context,
     proofCallbacks,
     format,
     kid,
+    jwk,
     alg,
     jti,
+    deferredCredentialAwait,
+    deferredCredentialIntervalInMS,
   }: {
     credentialTypes: string | string[];
+    context?: string[];
     proofCallbacks: ProofOfPossessionCallbacks<any>;
     format?: CredentialFormat | OID4VCICredentialFormat;
     kid?: string;
+    jwk?: JWK;
     alg?: Alg | string;
     jti?: string;
+    deferredCredentialAwait?: boolean;
+    deferredCredentialIntervalInMS?: number;
   }): Promise<CredentialResponse> {
-    if (alg) {
-      this._alg = alg;
-    }
-    if (kid) {
-      this._kid = kid;
+    if ([jwk, kid].filter((v) => v !== undefined).length > 1) {
+      throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== undefined}, kid: ${kid !== undefined}`);
     }
 
-    const requestBuilder = CredentialRequestClientBuilder.fromCredentialOffer({
-      credentialOffer: this.credentialOffer,
-      metadata: this.endpointMetadata,
-    });
+    if (alg) this._state.alg = alg;
+    if (jwk) this._state.jwk = jwk;
+    if (kid) this._state.kid = kid;
+
+    const requestBuilder = this.credentialOffer
+      ? CredentialRequestClientBuilder.fromCredentialOffer({
+          credentialOffer: this.credentialOffer,
+          metadata: this.endpointMetadata,
+        })
+      : CredentialRequestClientBuilder.fromCredentialIssuer({
+          credentialIssuer: this.getIssuer(),
+          credentialTypes,
+          metadata: this.endpointMetadata,
+          version: this.version(),
+        });
 
     requestBuilder.withTokenFromResponse(this.accessTokenResponse);
+    requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
     if (this.endpointMetadata?.credentialIssuerMetadata) {
       const metadata = this.endpointMetadata.credentialIssuerMetadata;
-      const types = Array.isArray(credentialTypes) ? credentialTypes.sort() : [credentialTypes];
+      const types = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes];
 
       if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
         let typeSupported = false;
 
         metadata.credentials_supported.forEach((supportedCredential) => {
-          if (!supportedCredential.types || supportedCredential.types.length === 0) {
-            throw Error('types is required in the credentials supported');
-          }
+          const subTypes = getTypesFromCredentialSupported(supportedCredential);
           if (
-            supportedCredential.types.sort().every((t, i) => types[i] === t) ||
-            (types.length === 1 && (types[0] === supportedCredential.id || supportedCredential.types.includes(types[0])))
+            subTypes.every((t, i) => types[i] === t) ||
+            (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))
           ) {
             typeSupported = true;
           }
         });
 
         if (!typeSupported) {
-          throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
+          console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
+          // throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
       } else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
-        const credentialsSupported = metadata.credentials_supported as CredentialSupportedTypeV1_0_08;
+        const credentialsSupported = metadata.credentials_supported;
         if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
           throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
@@ -341,8 +388,14 @@ export class OpenID4VCIClient {
       version: this.version(),
     })
       .withIssuer(this.getIssuer())
-      .withAlg(this.alg)
-      .withKid(this.kid);
+      .withAlg(this.alg);
+
+    if (this._state.jwk) {
+      proofBuilder.withJWK(this._state.jwk);
+    }
+    if (this._state.kid) {
+      proofBuilder.withKid(this._state.kid);
+    }
 
     if (this.clientId) {
       proofBuilder.withClientId(this.clientId);
@@ -352,26 +405,31 @@ export class OpenID4VCIClient {
     }
     const response = await credentialRequestClient.acquireCredentialsUsingProof({
       proofInput: proofBuilder,
-      credentialTypes: credentialTypes,
+      credentialTypes,
+      context,
       format,
     });
     if (response.errorBody) {
-      debug(`Credential request error:\r\n${response.errorBody}`);
+      debug(`Credential request error:\r\n${JSON.stringify(response.errorBody)}`);
       throw Error(
-        `Retrieving a credential from ${this._endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${
+        `Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${
           response.origResponse.status
         }`,
       );
     } else if (!response.successBody) {
       debug(`Credential request error. No success body`);
       throw Error(
-        `Retrieving a credential from ${this._endpointMetadata
+        `Retrieving a credential from ${this._state.endpointMetadata
           ?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`,
       );
     }
     return response.successBody;
   }
 
+  public async exportState(): Promise<string> {
+    return JSON.stringify(this._state);
+  }
+
   // FIXME: We really should convert <v11 to v12 objects first. Right now the logic doesn't map nicely and is brittle.
   // We should resolve IDs to objects first in case of strings.
   // When < v11 convert into a v12 object. When v12 object retain it.
@@ -389,7 +447,9 @@ export class OpenID4VCIClient {
   }
 
   getCredentialOfferTypes(): string[][] {
-    if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {
+    if (!this.credentialOffer) {
+      return [];
+    } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {
       const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08;
       const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type;
       const result: string[][] = [];
@@ -397,61 +457,89 @@ export class OpenID4VCIClient {
       return result;
     } else {
       return this.credentialOffer.credential_offer.credentials.map((c) => {
-        return typeof c === 'string' ? [c] : c.types;
+        if (typeof c === 'string') {
+          return [c];
+        } else if ('types' in c) {
+          return c.types;
+        } else if ('vct' in c) {
+          return [c.vct];
+        } else {
+          return c.credential_definition.types;
+        }
       });
     }
   }
 
   issuerSupportedFlowTypes(): AuthzFlowType[] {
-    return this.credentialOffer.supportedFlows;
+    return (
+      this.credentialOffer?.supportedFlows ??
+      (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [AuthzFlowType.AUTHORIZATION_CODE_FLOW] : [])
+    );
+  }
+
+  isFlowTypeSupported(flowType: AuthzFlowType): boolean {
+    return this.issuerSupportedFlowTypes().includes(flowType);
+  }
+
+  get authorizationURL(): string | undefined {
+    return this._state.authorizationURL;
+  }
+
+  public hasAuthorizationURL(): boolean {
+    return !!this.authorizationURL;
   }
 
-  get credentialOffer(): CredentialOfferRequestWithBaseUrl {
-    return this._credentialOffer;
+  get credentialOffer(): CredentialOfferRequestWithBaseUrl | undefined {
+    return this._state.credentialOffer;
   }
 
   public version(): OpenId4VCIVersion {
-    return this.credentialOffer.version;
+    return this.credentialOffer?.version ?? OpenId4VCIVersion.VER_1_0_11;
   }
 
   public get endpointMetadata(): EndpointMetadataResult {
     this.assertServerMetadata();
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    return this._endpointMetadata!;
+    return this._state.endpointMetadata!;
   }
 
   get kid(): string {
     this.assertIssuerData();
-    if (!this._kid) {
+    if (!this._state.kid) {
       throw new Error('No value for kid is supplied');
     }
-    return this._kid;
+    return this._state.kid;
   }
 
   get alg(): string {
     this.assertIssuerData();
-    if (!this._alg) {
+    if (!this._state.alg) {
       throw new Error('No value for alg is supplied');
     }
-    return this._alg;
+    return this._state.alg;
+  }
+
+  set clientId(value: string | undefined) {
+    this._state.clientId = value;
   }
 
   get clientId(): string | undefined {
-    /*if (!this._clientId) {
-      throw Error('No client id present');
-    }*/
-    return this._clientId;
+    return this._state.clientId;
+  }
+
+  public hasAccessTokenResponse(): boolean {
+    return !!this._state.accessTokenResponse;
   }
 
   get accessTokenResponse(): AccessTokenResponse {
     this.assertAccessToken();
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    return this._accessTokenResponse!;
+    return this._state.accessTokenResponse!;
   }
 
   public getIssuer(): string {
     this.assertIssuerData();
-    return this._endpointMetadata ? this.endpointMetadata.issuer : this.getIssuer();
+    return this._state.credentialIssuer;
   }
 
   public getAccessTokenEndpoint(): string {
@@ -466,21 +554,65 @@ export class OpenID4VCIClient {
     return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
   }
 
+  public hasDeferredCredentialEndpoint(): boolean {
+    return !!this.getAccessTokenEndpoint();
+  }
+
+  public getDeferredCredentialEndpoint(): string {
+    this.assertIssuerData();
+    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+  }
+
+  /**
+   * Too bad we need a method like this, but EBSI is not exposing metadata
+   */
+  public isEBSI() {
+    if (
+      this.credentialOffer?.credential_offer.credentials.find(
+        (cred) =>
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore
+          typeof cred !== 'string' && 'trust_framework' in cred && 'name' in cred.trust_framework && cred.trust_framework.name.includes('ebsi'),
+      )
+    ) {
+      return true;
+    }
+    this.assertIssuerData();
+    return this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu');
+  }
+
   private assertIssuerData(): void {
-    if (!this._credentialOffer) {
+    if (!this._state.credentialIssuer) {
+      throw Error(`No credential issuer value present`);
+    } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
       throw Error(`No issuance initiation or credential offer present`);
     }
   }
 
   private assertServerMetadata(): void {
-    if (!this._endpointMetadata) {
+    if (!this._state.endpointMetadata) {
       throw Error('No server metadata');
     }
   }
 
   private assertAccessToken(): void {
-    if (!this._accessTokenResponse) {
+    if (!this._state.accessTokenResponse) {
       throw Error(`No access token present`);
     }
   }
+
+  private syncAuthorizationRequestOpts(opts?: AuthorizationRequestOpts): AuthorizationRequestOpts {
+    let authorizationRequestOpts = { ...this._state?.authorizationRequestOpts, ...opts } as AuthorizationRequestOpts;
+    if (!authorizationRequestOpts) {
+      // We only set a redirectUri if no options are provided.
+      // Note that this only works for mobile apps, that can handle a code query param on the default openid-credential-offer deeplink.
+      // Provide your own options if that is not desired!
+      authorizationRequestOpts = { redirectUri: `${DefaultURISchemes.CREDENTIAL_OFFER}://` };
+    }
+    const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
+    // sync clientId
+    this._state.clientId = clientId;
+    authorizationRequestOpts.clientId = clientId;
+    return authorizationRequestOpts;
+  }
 }