@sphereon/oid4vci-client 0.8.2-next.6 → 0.8.2-unstable.16

package/lib/OpenID4VCIClient.ts

@@ -8,6 +8,9 @@ import {
   CredentialResponse,
   CredentialSupported,
   EndpointMetadataResult,
+  getIssuerFromCredentialOfferPayload,
+  getSupportedCredentials,
+  getTypesFromCredentialSupported,
   JsonURIMode,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
@@ -15,8 +18,6 @@ import {
   PushedAuthorizationResponse,
   ResponseType,
 } from '@sphereon/oid4vci-common';
-import { getSupportedCredentials } from '@sphereon/oid4vci-common/dist/functions/IssuerMetadataUtils';
-import { CredentialSupportedTypeV1_0_08 } from '@sphereon/oid4vci-common/dist/types/v1_0_08.types';
 import { CredentialFormat } from '@sphereon/ssi-types';
 import Debug from 'debug';
 
@@ -39,27 +40,65 @@ interface AuthDetails {
 
 interface AuthRequestOpts {
   codeChallenge: string;
-  codeChallengeMethod: CodeChallengeMethod;
+  codeChallengeMethod?: CodeChallengeMethod;
   authorizationDetails?: AuthDetails | AuthDetails[];
   redirectUri: string;
   scope?: string;
 }
 
 export class OpenID4VCIClient {
-  private readonly _credentialOffer: CredentialOfferRequestWithBaseUrl;
+  private readonly _credentialOffer?: CredentialOfferRequestWithBaseUrl;
+  private _credentialIssuer: string;
   private _clientId?: string;
   private _kid: string | undefined;
   private _alg: Alg | string | undefined;
   private _endpointMetadata: EndpointMetadataResult | undefined;
   private _accessTokenResponse: AccessTokenResponse | undefined;
 
-  private constructor(credentialOffer: CredentialOfferRequestWithBaseUrl, kid?: string, alg?: Alg | string, clientId?: string) {
+  private constructor({
+    credentialOffer,
+    clientId,
+    kid,
+    alg,
+    credentialIssuer,
+  }: {
+    credentialOffer?: CredentialOfferRequestWithBaseUrl;
+    kid?: string;
+    alg?: Alg | string;
+    clientId?: string;
+    credentialIssuer?: string;
+  }) {
     this._credentialOffer = credentialOffer;
+    const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : undefined);
+    if (!issuer) {
+      throw Error('No credential issuer supplied or deduced from offer');
+    }
+    this._credentialIssuer = issuer;
     this._kid = kid;
     this._alg = alg;
     this._clientId = clientId;
   }
 
+  public static async fromCredentialIssuer({
+    kid,
+    alg,
+    retrieveServerMetadata,
+    clientId,
+    credentialIssuer,
+  }: {
+    credentialIssuer: string;
+    kid?: string;
+    alg?: Alg | string;
+    retrieveServerMetadata?: boolean;
+    clientId?: string;
+  }) {
+    const client = new OpenID4VCIClient({ kid, alg, clientId, credentialIssuer });
+    if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
+      await client.retrieveServerMetadata();
+    }
+    return client;
+  }
+
   public static async fromURI({
     uri,
     kid,
@@ -75,7 +114,12 @@ export class OpenID4VCIClient {
     resolveOfferUri?: boolean;
     clientId?: string;
   }): Promise<OpenID4VCIClient> {
-    const client = new OpenID4VCIClient(await CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri }), kid, alg, clientId);
+    const client = new OpenID4VCIClient({
+      credentialOffer: await CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri }),
+      kid,
+      alg,
+      clientId,
+    });
 
     if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
       await client.retrieveServerMetadata();
@@ -86,16 +130,41 @@ export class OpenID4VCIClient {
   public async retrieveServerMetadata(): Promise<EndpointMetadataResult> {
     this.assertIssuerData();
     if (!this._endpointMetadata) {
-      this._endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+      if (this.credentialOffer) {
+        this._endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+      } else if (this._credentialIssuer) {
+        this._endpointMetadata = await MetadataClient.retrieveAllMetadata(this._credentialIssuer);
+      } else {
+        throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
+      }
     }
     return this.endpointMetadata;
   }
 
+  // todo: Unify this method with the par method
+
   public createAuthorizationRequestUrl({ codeChallengeMethod, codeChallenge, authorizationDetails, redirectUri, scope }: AuthRequestOpts): string {
     // Scope and authorization_details can be used in the same authorization request
     // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
     if (!scope && !authorizationDetails) {
-      throw Error('Please provide a scope or authorization_details');
+      if (!this.credentialOffer) {
+        throw Error('Please provide a scope or authorization_details');
+      }
+      const creds = this.credentialOffer.credential_offer.credentials;
+
+      authorizationDetails = creds
+        .flatMap((cred) => (typeof cred === 'string' ? this.getCredentialsSupported(true) : (cred as CredentialSupported)))
+        .map((cred) => {
+          return {
+            ...cred,
+            type: 'openid_credential',
+            locations: [this._credentialIssuer],
+            format: cred.format,
+          } satisfies AuthDetails;
+        });
+      if (authorizationDetails.length === 0) {
+        throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
+      }
     }
     // todo: Probably can go with current logic in MetadataClient who will always set the authorization_endpoint when found
     //  handling this because of the support for v1_0-08
@@ -117,7 +186,7 @@ export class OpenID4VCIClient {
 
     const queryObj: { [key: string]: string } = {
       response_type: ResponseType.AUTH_CODE,
-      code_challenge_method: codeChallengeMethod,
+      code_challenge_method: codeChallengeMethod ?? CodeChallengeMethod.SHA256,
       code_challenge: codeChallenge,
       authorization_details: JSON.stringify(this.handleAuthorizationDetails(authorizationDetails)),
       redirect_uri: redirectUri,
@@ -128,7 +197,7 @@ export class OpenID4VCIClient {
       queryObj['client_id'] = this.clientId;
     }
 
-    if (this.credentialOffer.issuerState) {
+    if (this.credentialOffer?.issuerState) {
       queryObj['issuer_state'] = this.credentialOffer.issuerState;
     }
 
@@ -140,6 +209,7 @@ export class OpenID4VCIClient {
     });
   }
 
+  // todo: Unify this method with the create auth request url method
   public async acquirePushedAuthorizationRequestURI({
     codeChallengeMethod,
     codeChallenge,
@@ -173,7 +243,7 @@ export class OpenID4VCIClient {
 
     const queryObj: { [key: string]: string } = {
       response_type: ResponseType.AUTH_CODE,
-      code_challenge_method: codeChallengeMethod,
+      code_challenge_method: codeChallengeMethod ?? CodeChallengeMethod.SHA256,
       code_challenge: codeChallenge,
       authorization_details: JSON.stringify(this.handleAuthorizationDetails(authorizationDetails)),
       redirect_uri: redirectUri,
@@ -184,7 +254,7 @@ export class OpenID4VCIClient {
       queryObj['client_id'] = this.clientId;
     }
 
-    if (this.credentialOffer.issuerState) {
+    if (this.credentialOffer?.issuerState) {
       queryObj['issuer_state'] = this.credentialOffer.issuerState;
     }
 
@@ -249,6 +319,7 @@ export class OpenID4VCIClient {
       const response = await accessTokenClient.acquireAccessToken({
         credentialOffer: this.credentialOffer,
         metadata: this.endpointMetadata,
+        credentialIssuer: this.getIssuer(),
         pin,
         codeVerifier,
         code,
@@ -298,36 +369,42 @@ export class OpenID4VCIClient {
       this._kid = kid;
     }
 
-    const requestBuilder = CredentialRequestClientBuilder.fromCredentialOffer({
-      credentialOffer: this.credentialOffer,
-      metadata: this.endpointMetadata,
-    });
+    const requestBuilder = this.credentialOffer
+      ? CredentialRequestClientBuilder.fromCredentialOffer({
+          credentialOffer: this.credentialOffer,
+          metadata: this.endpointMetadata,
+        })
+      : CredentialRequestClientBuilder.fromCredentialIssuer({
+          credentialIssuer: this.getIssuer(),
+          credentialTypes,
+          metadata: this.endpointMetadata,
+          version: this.version(),
+        });
 
     requestBuilder.withTokenFromResponse(this.accessTokenResponse);
     if (this.endpointMetadata?.credentialIssuerMetadata) {
       const metadata = this.endpointMetadata.credentialIssuerMetadata;
-      const types = Array.isArray(credentialTypes) ? credentialTypes.sort() : [credentialTypes];
+      const types = Array.isArray(credentialTypes) ? [...credentialTypes].sort() : [credentialTypes];
 
       if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
         let typeSupported = false;
 
         metadata.credentials_supported.forEach((supportedCredential) => {
-          if (!supportedCredential.types || supportedCredential.types.length === 0) {
-            throw Error('types is required in the credentials supported');
-          }
+          const subTypes = getTypesFromCredentialSupported(supportedCredential);
           if (
-            supportedCredential.types.sort().every((t, i) => types[i] === t) ||
-            (types.length === 1 && (types[0] === supportedCredential.id || supportedCredential.types.includes(types[0])))
+            subTypes.sort().every((t, i) => types[i] === t) ||
+            (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))
           ) {
             typeSupported = true;
           }
         });
 
         if (!typeSupported) {
-          throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
+          console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
+          // throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
       } else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
-        const credentialsSupported = metadata.credentials_supported as CredentialSupportedTypeV1_0_08;
+        const credentialsSupported = metadata.credentials_supported;
         if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
           throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
         }
@@ -356,7 +433,7 @@ export class OpenID4VCIClient {
       format,
     });
     if (response.errorBody) {
-      debug(`Credential request error:\r\n${response.errorBody}`);
+      debug(`Credential request error:\r\n${JSON.stringify(response.errorBody)}`);
       throw Error(
         `Retrieving a credential from ${this._endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${
           response.origResponse.status
@@ -389,7 +466,9 @@ export class OpenID4VCIClient {
   }
 
   getCredentialOfferTypes(): string[][] {
-    if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {
+    if (!this.credentialOffer) {
+      return [];
+    } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {
       const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08;
       const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type;
       const result: string[][] = [];
@@ -397,21 +476,29 @@ export class OpenID4VCIClient {
       return result;
     } else {
       return this.credentialOffer.credential_offer.credentials.map((c) => {
-        return typeof c === 'string' ? [c] : c.types;
+        if (typeof c === 'string') {
+          return [c];
+        } else if ('types' in c) {
+          return c.types;
+        } else if ('vct' in c.credential_definition) {
+          return [c.credential_definition.vct];
+        } else {
+          return c.credential_definition.types;
+        }
       });
     }
   }
 
   issuerSupportedFlowTypes(): AuthzFlowType[] {
-    return this.credentialOffer.supportedFlows;
+    return this.credentialOffer?.supportedFlows ?? [AuthzFlowType.AUTHORIZATION_CODE_FLOW];
   }
 
-  get credentialOffer(): CredentialOfferRequestWithBaseUrl {
+  get credentialOffer(): CredentialOfferRequestWithBaseUrl | undefined {
     return this._credentialOffer;
   }
 
   public version(): OpenId4VCIVersion {
-    return this.credentialOffer.version;
+    return this.credentialOffer?.version ?? OpenId4VCIVersion.VER_1_0_11;
   }
 
   public get endpointMetadata(): EndpointMetadataResult {
@@ -437,9 +524,6 @@ export class OpenID4VCIClient {
   }
 
   get clientId(): string | undefined {
-    /*if (!this._clientId) {
-      throw Error('No client id present');
-    }*/
     return this._clientId;
   }
 
@@ -451,7 +535,7 @@ export class OpenID4VCIClient {
 
   public getIssuer(): string {
     this.assertIssuerData();
-    return this._endpointMetadata ? this.endpointMetadata.issuer : this.getIssuer();
+    return this._credentialIssuer!;
   }
 
   public getAccessTokenEndpoint(): string {
@@ -467,8 +551,10 @@ export class OpenID4VCIClient {
   }
 
   private assertIssuerData(): void {
-    if (!this._credentialOffer) {
+    if (!this._credentialOffer && this.issuerSupportedFlowTypes().includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
       throw Error(`No issuance initiation or credential offer present`);
+    } else if (!this._credentialIssuer) {
+      throw Error(`No credential issuer value present`);
     }
   }
 

package/lib/__tests__/CredentialRequestClient.spec.ts

@@ -3,6 +3,7 @@ import { KeyObject } from 'crypto';
 import {
   Alg,
   EndpointMetadata,
+  getCredentialRequestForVersion,
   getIssuerFromCredentialOfferPayload,
   Jwt,
   OpenId4VCIVersion,
@@ -127,7 +128,7 @@ describe('Credential Request Client ', () => {
       version: OpenId4VCIVersion.VER_1_0_08,
     });
     expect(credentialRequest.proof?.jwt?.includes(partialJWT)).toBeTruthy();
-    expect(credentialRequest.format).toEqual('jwt_vc_json');
+    expect(credentialRequest.format).toEqual('jwt_vc');
     const result = await credReqClient.acquireCredentialsUsingRequest(credentialRequest);
     expect(result?.successBody?.credential).toEqual(mockedVC);
   });
@@ -149,9 +150,7 @@ describe('Credential Request Client ', () => {
       .withKid(kid)
       .withClientId('sphereon:wallet')
       .build();
-    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-    // @ts-ignore
-    await expect(credReqClient.acquireCredentialsUsingRequest({ format: 'jwt_vc_json-ld', types: ['random'], proof })).rejects.toThrow(
+    await expect(credReqClient.acquireCredentialsUsingRequest({ format: 'jwt_vc_json', types: ['random'], proof })).rejects.toThrow(
       Error(URL_NOT_VALID),
     );
   });
@@ -194,10 +193,11 @@ describe('Credential Request Client with different issuers ', () => {
           jwt: getMockData('spruce')?.credential.request.proof.jwt as string,
         },
         credentialTypes: ['OpenBadgeCredential'],
-        format: 'jwt_vc_json-ld',
+        format: 'jwt_vc',
         version: OpenId4VCIVersion.VER_1_0_08,
       });
-    expect(credentialRequest).toEqual(getMockData('spruce')?.credential.request);
+    const draft8CredentialRequest = getCredentialRequestForVersion(credentialRequest, OpenId4VCIVersion.VER_1_0_08);
+    expect(draft8CredentialRequest).toEqual(getMockData('spruce')?.credential.request);
   });
 
   it('should create correct CredentialRequest for Walt', async () => {
@@ -264,7 +264,8 @@ describe('Credential Request Client with different issuers ', () => {
         format: 'ldp_vc',
         version: OpenId4VCIVersion.VER_1_0_08,
       });
-    expect(credentialOffer).toEqual(getMockData('mattr')?.credential.request);
+    const credentialRequest = getCredentialRequestForVersion(credentialOffer, OpenId4VCIVersion.VER_1_0_08);
+    expect(credentialRequest).toEqual(getMockData('mattr')?.credential.request);
   });
 
   it('should create correct CredentialRequest for diwala', async () => {
@@ -286,6 +287,10 @@ describe('Credential Request Client with different issuers ', () => {
         format: 'ldp_vc',
         version: OpenId4VCIVersion.VER_1_0_08,
       });
-    expect(credentialOffer).toEqual(getMockData('diwala')?.credential.request);
+
+    // createCredentialRequest returns uniform format in draft 11
+    const credentialRequest = getCredentialRequestForVersion(credentialOffer, OpenId4VCIVersion.VER_1_0_08);
+
+    expect(credentialRequest).toEqual(getMockData('diwala')?.credential.request);
   });
 });

package/lib/__tests__/EBSIE2E.spec.test.ts

@@ -0,0 +1,136 @@
+import { Alg, CodeChallengeMethod, Jwt } from '@sphereon/oid4vci-common';
+import { toJwk } from '@sphereon/ssi-sdk-ext.key-utils';
+import { CredentialMapper } from '@sphereon/ssi-types';
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
+//@ts-ignore
+import { from } from '@trust/keyto';
+import { fetch } from 'cross-fetch';
+import debug from 'debug';
+import { base64url, importJWK, JWK, SignJWT } from 'jose';
+import * as u8a from 'uint8arrays';
+
+import { OpenID4VCIClient } from '..';
+
+export const UNIT_TEST_TIMEOUT = 30000;
+
+const ISSUER_URL = 'https://conformance-test.ebsi.eu/conformance/v3/issuer-mock';
+const AUTH_URL = 'https://conformance-test.ebsi.eu/conformance/v3/auth-mock';
+
+const jwk: JWK = {
+  alg: 'ES256',
+  use: 'sig',
+  kty: 'EC',
+  crv: 'P-256',
+  x: 'hUWYK06qFvdudydiqnEhVJhZ-73jcLtuzH8kIyNOSHE',
+  y: 'UZf7oUkJdo65SQekMD5ssiRclEimG2SmlsjXf3QwQJo',
+  d: 'zDeeo3K0Pk8dofeKcajvJYxMZ1vijx_cVDJQl1IpbAM',
+};
+
+console.log(`JWK (private/orig): ${JSON.stringify(jwk, null, 2)}`);
+
+const privateKey = from(jwk, 'jwk').toString('blk', 'private');
+const publicKey = from(jwk, 'jwk').toString('blk', 'public');
+console.log(`Private key: ${privateKey}`);
+console.log(`Public key: ${publicKey}`);
+console.log(`Private key (b64): ${base64url.encode(u8a.fromString(privateKey, 'base16'))}`);
+console.log(`JWK (private 2) ${JSON.stringify(toJwk(privateKey, 'Secp256r1', { isPrivateKey: true }))}`);
+console.log(`JWK (public  2) ${JSON.stringify(toJwk(publicKey, 'Secp256r1', { isPrivateKey: false }))}`);
+
+// const DID_METHOD = 'did:key'
+const DID =
+  'did:key:z2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9Kbrm54tL4pRrDDhR1QJ5RHPMXUq5MzYpZL2k35vya5eMiNxschNy9AJ74CC3MmcYiZJGZfyhWQ6qDgTVcDSHdquwPYvLDut383JbrgYdZYYSC2merTMgmQtUi3huYhaky1qE';
+const DID_URL_ENCODED =
+  'did%3Akey%3Az2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9Kbrm54tL4pRrDDhR1QJ5RHPMXUq5MzYpZL2k35vya5eMiNxschNy9AJ74CC3MmcYiZJGZfyhWQ6qDgTVcDSHdquwPYvLDut383JbrgYdZYYSC2merTMgmQtUi3huYhaky1qE';
+// const PRIVATE_KEY_HEX = '7dd923e40f4615ac496119f7e793cc2899e99b64b88ca8603db986700089532b'
+
+// const PUBLIC_KEY_HEX =
+//   '04a23cb4c83901acc2eb0f852599610de0caeac260bf8ed05e7f902eaac0f9c8d74dd4841b94d13424d32af8ec0e9976db9abfa7e3a59e10d565c5d4d901b4be63'
+
+// pub  hex: 35e03477cb29f3ac518770dccd4e26e703cd21b9741c24b038170c377b0d99d9
+// priv hex: 913466d1a38d1d8c0d3c0fb0fc3b633075085a31372bbd2a8022215a88d9d1e5
+// const did = `did:key:z6Mki5ZwZKN1dBQprfJTikUvkDxrHijiiQngkWviMF5gw2Hv`;
+const kid = `${DID}#z2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9Kbrm54tL4pRrDDhR1QJ5RHPMXUq5MzYpZL2k35vya5eMiNxschNy9AJ74CC3MmcYiZJGZfyhWQ6qDgTVcDSHdquwPYvLDut383JbrgYdZYYSC2merTMgmQtUi3huYhaky1qE`;
+
+// const jw = jose.importKey()
+describe('OID4VCI-Client using Sphereon issuer should', () => {
+  async function test(credentialType: 'CTWalletCrossPreAuthorised' | 'CTWalletCrossInTime') {
+    debug.enable('*');
+    const offer = await getCredentialOffer(credentialType);
+    const client = await OpenID4VCIClient.fromURI({
+      uri: offer,
+      kid,
+      alg: Alg.ES256,
+      clientId: DID_URL_ENCODED,
+    });
+    expect(client.credentialOffer).toBeDefined();
+    expect(client.endpointMetadata).toBeDefined();
+    expect(client.getCredentialEndpoint()).toEqual(`${ISSUER_URL}/credential`);
+    expect(client.getAccessTokenEndpoint()).toEqual(`${AUTH_URL}/token`);
+
+    if (credentialType !== 'CTWalletCrossPreAuthorised') {
+      const url = client.createAuthorizationRequestUrl({
+        redirectUri: 'openid4vc%3A',
+        codeChallenge: 'mE2kPHmIprOqtkaYmESWj35yz-PB5vzdiSu0tAZ8sqs',
+        codeChallengeMethod: CodeChallengeMethod.SHA256,
+      });
+      const result = await fetch(url);
+      console.log(result.text());
+    }
+
+    const accessToken = await client.acquireAccessToken({ pin: '0891' });
+    // console.log(accessToken);
+    expect(accessToken).toMatchObject({
+      expires_in: 86400,
+      // scope: 'GuestCredential',
+      token_type: 'Bearer',
+    });
+
+    const format = 'jwt_vc';
+    const credentialResponse = await client.acquireCredentials({
+      credentialTypes: client.getCredentialOfferTypes()[0],
+      format,
+      proofCallbacks: {
+        signCallback: proofOfPossessionCallbackFunction,
+      },
+      kid,
+    });
+    console.log(JSON.stringify(credentialResponse, null, 2));
+    expect(credentialResponse.credential).toBeDefined();
+    const wrappedVC = CredentialMapper.toWrappedVerifiableCredential(credentialResponse.credential!);
+    expect(format.startsWith(wrappedVC.format)).toEqual(true);
+  }
+
+  it(
+    'succeed in a full flow with the client using OpenID4VCI version 11 and jwt_vc_json',
+    async () => {
+      await test('CTWalletCrossPreAuthorised');
+      // await test('CTWalletCrossInTime');
+    },
+    UNIT_TEST_TIMEOUT,
+  );
+});
+
+async function getCredentialOffer(credentialType: 'CTWalletCrossPreAuthorised' | 'CTWalletCrossInTime'): Promise<string> {
+  const credentialOffer = await fetch(
+    `https://conformance-test.ebsi.eu/conformance/v3/issuer-mock/initiate-credential-offer?credential_type=${credentialType}&client_id=${DID_URL_ENCODED}&credential_offer_endpoint=openid-credential-offer%3A%2F%2F`,
+    {
+      method: 'GET',
+      headers: {
+        Accept: 'application/json',
+        'Content-Type': 'application/json',
+      },
+    },
+  );
+
+  return await credentialOffer.text();
+}
+
+async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promise<string> {
+  const importedJwk = await importJWK(jwk);
+  return await new SignJWT({ ...args.payload })
+    .setProtectedHeader({ ...args.header, kid: kid! })
+    .setIssuer(DID)
+    .setIssuedAt()
+    .setExpirationTime('2m')
+    .sign(importedJwk);
+}

package/lib/__tests__/OpenID4VCIClient.spec.ts

@@ -68,6 +68,11 @@ describe('OpenID4VCIClient should', () => {
     expect(scope?.[0]).toBe('openid');
   });
   it('throw an error if no scope and no authorization_details is provided', async () => {
+    nock(MOCK_URL).get(/.*/).reply(200, {});
+    nock(MOCK_URL).get(WellKnownEndpoints.OAUTH_AS).reply(404, {});
+    nock(MOCK_URL).get(WellKnownEndpoints.OPENID_CONFIGURATION).reply(404, {});
+    // Use a client with issuer only to trigger the error
+    client = await OpenID4VCIClient.fromCredentialIssuer({ credentialIssuer: 'https://server.example.com' });
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore
     client._endpointMetadata?.credentialIssuerMetadata.authorization_endpoint = `${MOCK_URL}v1/auth/authorize`;

package/lib/__tests__/data/VciDataFixtures.ts

@@ -1,4 +1,4 @@
-import { CredentialSupportedBrief, IssuerCredentialSubjectDisplay, IssuerMetadataV1_0_08 } from '@sphereon/oid4vci-common';
+import { CredentialSupportedFormatV1_0_08, IssuerCredentialSubjectDisplay, IssuerMetadataV1_0_08 } from '@sphereon/oid4vci-common';
 import { ICredentialStatus, W3CVerifiableCredential } from '@sphereon/ssi-types';
 
 export function getMockData(issuerName: string): IssuerMockData | null {
@@ -42,7 +42,8 @@ export interface IssuerMockData {
     url: string;
     deeplink: string;
     request: {
-      types: [string];
+      types?: [string];
+      type?: string;
       format: 'jwt_vc' | 'ldp_vc' | 'jwt_vc_json-ld' | string;
       proof: {
         proof_type: 'jwt' | string;
@@ -110,8 +111,8 @@ const mockData: VciMockDataStructure = {
       deeplink:
         'openid-initiate-issuance://?issuer=https%3A%2F%2Fngi%2Doidc4vci%2Dtest%2Espruceid%2Exyz&credential_type=OpenBadgeCredential&pre-authorized_code=eyJhbGciOiJFUzI1NiJ9.eyJjcmVkZW50aWFsX3R5cGUiOlsiT3BlbkJhZGdlQ3JlZGVudGlhbCJdLCJleHAiOiIyMDIzLTA0LTIwVDA5OjA0OjM2WiIsIm5vbmNlIjoibWFibmVpT0VSZVB3V3BuRFFweEt3UnRsVVRFRlhGUEwifQ.qOZRPN8sTv_knhp7WaWte2-aDULaPZX--2i9unF6QDQNUllqDhvxgIHMDCYHCV8O2_Gj-T2x1J84fDMajE3asg&user_pin_required=false',
       request: {
-        types: ['OpenBadgeCredential'],
-        format: 'jwt_vc_json-ld',
+        type: 'OpenBadgeCredential',
+        format: 'jwt_vc',
         proof: {
           proof_type: 'jwt',
           jwt: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOa3NpTENKMWMyVWlPaUp6YVdjaUxDSnJkSGtpT2lKRlF5SXNJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbmdpT2lKclpuVmpTa0V0VEhKck9VWjBPRmx5TFVkMlQzSmpia3N3YjNkc2RqUlhNblUwU3pJeFNHZHZTVlIzSWl3aWVTSTZJalozY0ZCUE1rOUNRVXBTU0ZFMVRXdEtXVlJaV0dsQlJFUXdOMU5OTlV0amVXcDNYMkUzVUUxWmVGa2lmUSMwIn0.eyJhdWQiOiJodHRwczovL25naS1vaWRjNHZjaS10ZXN0LnNwcnVjZWlkLnh5eiIsImlhdCI6MTY4MTkxMTA2MC45NDIsImV4cCI6MTY4MTkxMTcyMC45NDIsImlzcyI6InNwaGVyZW9uOnNzaS13YWxsZXQiLCJqdGkiOiJhNjA4MzMxZi02ZmE0LTQ0ZjAtYWNkZWY5NmFjMjdmNmQ3MCJ9.NwF3_41gwnlIdd_6Uk9CczeQHzIQt6UcvTT5Cxv72j9S1vNwiY9annA2kLsjsTiR5-WMBdUhJCO7wYCtZ15mxw',
@@ -357,7 +358,7 @@ const mockData: VciMockDataStructure = {
       url: 'https://jff.walt.id/issuer-api/default/oidc/credential',
       request: {
         types: ['OpenBadgeCredential'],
-        format: 'jwt_vc_json',
+        format: 'jwt_vc',
         proof: {
           proof_type: 'jwt',
           jwt: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOa3NpTENKMWMyVWlPaUp6YVdjaUxDSnJkSGtpT2lKRlF5SXNJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbmdpT2lKclpuVmpTa0V0VEhKck9VWjBPRmx5TFVkMlQzSmpia3N3YjNkc2RqUlhNblUwU3pJeFNHZHZTVlIzSWl3aWVTSTZJalozY0ZCUE1rOUNRVXBTU0ZFMVRXdEtXVlJaV0dsQlJFUXdOMU5OTlV0amVXcDNYMkUzVUUxWmVGa2lmUSMwIn0.eyJhdWQiOiJodHRwczovL2pmZi53YWx0LmlkL2lzc3Vlci1hcGkvZGVmYXVsdC9vaWRjLyIsImlhdCI6MTY4MTkxMTk0Mi4yMzgsImV4cCI6MTY4MTkxMjYwMi4yMzgsIm5vbmNlIjoiZjA2YTMxMDUtYTJlZC00NGZjLTk1NGItNGEyNTk3MDM0OTNiIiwiaXNzIjoic3BoZXJlb246c3NpLXdhbGxldCIsImp0aSI6IjA1OWM3ODA5LTlmOGYtNGE3ZS1hZDI4YTNhMTNhMGIzNmViIn0.RfiWyybxpe3nkx3b0yIsqDHQtvB1WwhDW4t0X-kijy2dsSfv2cYhSEmAzs1shg7OV4EW8fSzt_Te79xiVl6jCw',
@@ -514,7 +515,7 @@ const mockData: VciMockDataStructure = {
                 types: ['PermanentResidentCard'],
                 binding_methods_supported: ['did'],
                 cryptographic_suites_supported: ['Ed25519Signature2018'],
-              } as CredentialSupportedBrief,
+              } as CredentialSupportedFormatV1_0_08,
             },
           },
           AcademicAward: {
@@ -525,7 +526,7 @@ const mockData: VciMockDataStructure = {
                 types: ['AcademicAward'],
                 binding_methods_supported: ['did'],
                 cryptographic_suites_supported: ['Ed25519Signature2018'],
-              } as CredentialSupportedBrief,
+              } as CredentialSupportedFormatV1_0_08,
             },
           },
           LearnerProfile: {
@@ -536,7 +537,7 @@ const mockData: VciMockDataStructure = {
                 types: ['LearnerProfile'],
                 binding_methods_supported: ['did'],
                 cryptographic_suites_supported: ['Ed25519Signature2018'],
-              } as CredentialSupportedBrief,
+              } as CredentialSupportedFormatV1_0_08,
             },
           },
           OpenBadgeCredential: {
@@ -547,7 +548,7 @@ const mockData: VciMockDataStructure = {
                 types: ['OpenBadgeCredential'],
                 binding_methods_supported: ['did'],
                 cryptographic_suites_supported: ['Ed25519Signature2018'],
-              } as CredentialSupportedBrief,
+              } as CredentialSupportedFormatV1_0_08,
             },
           },
         },
@@ -573,8 +574,8 @@ const mockData: VciMockDataStructure = {
         'openid-initiate-issuance://?issuer=https://launchpad.mattrlabs.com&credential_type=OpenBadgeCredential&pre-authorized_code=g0UCOj6RAN5AwHU6gczm_GzB4_lH6GW39Z0Dl2DOOiO',
       url: 'https://launchpad.vii.electron.mattrlabs.io/oidc/v1/auth/credential',
       request: {
-        types: ['OpenBadgeCredential'],
-        format: 'jwt_vc_json-ld',
+        type: 'OpenBadgeCredential',
+        format: 'ldp_vc',
         proof: {
           proof_type: 'jwt',
           jwt: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImtpZCI6ImRpZDprZXk6ejZNa3AxM3N6QUFMVFN0cDV1OGtMcnl5YW5vYWtrVWtFUGZXazdvOHY3dms0RW1KI3o2TWtwMTNzekFBTFRTdHA1dThrTHJ5eWFub2Fra1VrRVBmV2s3bzh2N3ZrNEVtSiJ9.eyJhdWQiOiJodHRwczovL2xhdW5jaHBhZC5tYXR0cmxhYnMuY29tIiwiaWF0IjoxNjgxOTE0NDgyLjUxOSwiZXhwIjoxNjgxOTE1MTQyLjUxOSwiaXNzIjoic3BoZXJlb246c3NpLXdhbGxldCIsImp0aSI6ImI5NDY1ZGE5LTY4OGYtNDdjNi04MjUwNDA0ZGNiOWI5Y2E5In0.uQ8ewOfIjy_1p_Gk6PjeEWccBJnjOca1pwbTWiCAFMQX9wlIsfeUdGtXUoHjH5_PQtpwytodx7WU456_CT9iBQ',
@@ -687,8 +688,8 @@ const mockData: VciMockDataStructure = {
         'openid-initiate-issuance://?issuer=https://oidc4vc.diwala.io&credential_type=OpenBadgeCredential&pre-authorized_code=eyJhbGciOiJIUzI1NiJ9.eyJjcmVkZW50aWFsX3R5cGUiOiJPcGVuQmFkZ2VDcmVkZW50aWFsIiwiZXhwIjoxNjgxOTg0NDY3fQ.fEAHKz2nuWfiYHw406iNxr-81pWkNkbi31bWsYSf6Ng',
       url: 'https://oidc4vc.diwala.io/credential',
       request: {
-        types: ['OpenBadgeCredential'],
-        format: 'jwt_vc_json-ld',
+        type: 'OpenBadgeCredential',
+        format: 'ldp_vc',
         proof: {
           proof_type: 'jwt',
           jwt: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImtpZCI6ImRpZDprZXk6ejZNa3AxM3N6QUFMVFN0cDV1OGtMcnl5YW5vYWtrVWtFUGZXazdvOHY3dms0RW1KI3o2TWtwMTNzekFBTFRTdHA1dThrTHJ5eWFub2Fra1VrRVBmV2s3bzh2N3ZrNEVtSiJ9.eyJhdWQiOiJodHRwczovL29pZGM0dmMuZGl3YWxhLmlvIiwiaWF0IjoxNjgxOTE1MDk1LjIwMiwiZXhwIjoxNjgxOTE1NzU1LjIwMiwiaXNzIjoic3BoZXJlb246c3NpLXdhbGxldCIsImp0aSI6IjYxN2MwM2EzLTM3MTUtNGJlMy1hYjkxNzM4MTlmYzYxNTYzIn0.KA-cHjecaYp9FSaWHkz5cqtNyhBIVT_0I7cJnpHn03T4UWFvdhjhn8Hpe-BU247enFyWOWJ6v3NQZyZgle7xBA',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/oid4vci-client",
-  "version": "0.8.2-next.6+094ebfc",
+  "version": "0.8.2-unstable.16+a504fb2",
   "description": "OpenID for Verifiable Credential Issuance (OpenID4VCI) client",
   "source": "lib/index.ts",
   "main": "dist/index.js",
@@ -15,13 +15,15 @@
     "build": "tsc"
   },
   "dependencies": {
-    "@sphereon/oid4vci-common": "0.8.2-next.6+094ebfc",
-    "@sphereon/ssi-types": "0.17.2",
+    "@sphereon/oid4vci-common": "0.8.2-unstable.16+a504fb2",
+    "@sphereon/ssi-types": "0.17.6-unstable.23",
     "cross-fetch": "^3.1.8",
     "debug": "^4.3.4"
   },
   "devDependencies": {
+    "@sphereon/ssi-sdk-ext.key-utils": "^0.15.1-next.7",
     "@transmute/did-key.js": "^0.3.0-unstable.10",
+    "@trust/keyto": "^2.0.0-alpha1",
     "@types/jest": "^29.5.3",
     "@types/node": "^18.17.4",
     "@types/uuid": "^9.0.6",
@@ -67,5 +69,5 @@
     "OIDC4VCI",
     "OID4VCI"
   ],
-  "gitHead": "094ebfc61e1650e3c7bb32e4a22ec576d7049f18"
+  "gitHead": "a504fb24a8d6127624e3e5497f1a6633e816253d"
 }