@sphereon/oid4vci-client 0.8.2-unstable.39 → 0.8.2-unstable.40

package/dist/AccessTokenClient.d.ts

@@ -1,29 +1,29 @@
-import { AccessTokenRequest, AccessTokenRequestOpts, AccessTokenResponse, AuthorizationServerOpts, EndpointMetadata, IssuerOpts, OpenIDResponse } from '@sphereon/oid4vci-common';
-export declare class AccessTokenClient {
-    acquireAccessToken(opts: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse>>;
-    acquireAccessTokenUsingRequest({ accessTokenRequest, isPinRequired, metadata, asOpts, issuerOpts, }: {
-        accessTokenRequest: AccessTokenRequest;
-        isPinRequired?: boolean;
-        metadata?: EndpointMetadata;
-        asOpts?: AuthorizationServerOpts;
-        issuerOpts?: IssuerOpts;
-    }): Promise<OpenIDResponse<AccessTokenResponse>>;
-    createAccessTokenRequest(opts: AccessTokenRequestOpts): Promise<AccessTokenRequest>;
-    private assertPreAuthorizedGrantType;
-    private assertAuthorizationGrantType;
-    private isPinRequiredValue;
-    private assertNumericPin;
-    private assertNonEmptyPreAuthorizedCode;
-    private assertNonEmptyCode;
-    private assertNonEmptyRedirectUri;
-    private validate;
-    private sendAuthCode;
-    static determineTokenURL({ asOpts, issuerOpts, metadata, }: {
-        asOpts?: AuthorizationServerOpts;
-        issuerOpts?: IssuerOpts;
-        metadata?: EndpointMetadata;
-    }): string;
-    private static creatTokenURLFromURL;
-    private throwNotSupportedFlow;
-}
+import { AccessTokenRequest, AccessTokenRequestOpts, AccessTokenResponse, AuthorizationServerOpts, EndpointMetadata, IssuerOpts, OpenIDResponse } from '@sphereon/oid4vci-common';
+export declare class AccessTokenClient {
+    acquireAccessToken(opts: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse>>;
+    acquireAccessTokenUsingRequest({ accessTokenRequest, isPinRequired, metadata, asOpts, issuerOpts, }: {
+        accessTokenRequest: AccessTokenRequest;
+        isPinRequired?: boolean;
+        metadata?: EndpointMetadata;
+        asOpts?: AuthorizationServerOpts;
+        issuerOpts?: IssuerOpts;
+    }): Promise<OpenIDResponse<AccessTokenResponse>>;
+    createAccessTokenRequest(opts: AccessTokenRequestOpts): Promise<AccessTokenRequest>;
+    private assertPreAuthorizedGrantType;
+    private assertAuthorizationGrantType;
+    private isPinRequiredValue;
+    private assertNumericPin;
+    private assertNonEmptyPreAuthorizedCode;
+    private assertNonEmptyCode;
+    private assertNonEmptyRedirectUri;
+    private validate;
+    private sendAuthCode;
+    static determineTokenURL({ asOpts, issuerOpts, metadata, }: {
+        asOpts?: AuthorizationServerOpts;
+        issuerOpts?: IssuerOpts;
+        metadata?: EndpointMetadata;
+    }): string;
+    private static creatTokenURLFromURL;
+    private throwNotSupportedFlow;
+}
 //# sourceMappingURL=AccessTokenClient.d.ts.map

package/dist/AccessTokenClient.js

@@ -1,222 +1,222 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AccessTokenClient = void 0;
-const oid4vci_common_1 = require("@sphereon/oid4vci-common");
-const ssi_types_1 = require("@sphereon/ssi-types");
-const debug_1 = __importDefault(require("debug"));
-const MetadataClient_1 = require("./MetadataClient");
-const functions_1 = require("./functions");
-const debug = (0, debug_1.default)('sphereon:oid4vci:token');
-class AccessTokenClient {
-    acquireAccessToken(opts) {
-        var _a;
-        return __awaiter(this, void 0, void 0, function* () {
-            const { asOpts, pin, codeVerifier, code, redirectUri, metadata } = opts;
-            const credentialOffer = opts.credentialOffer ? yield (0, oid4vci_common_1.assertedUniformCredentialOffer)(opts.credentialOffer) : undefined;
-            const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer);
-            const issuer = (_a = opts.credentialIssuer) !== null && _a !== void 0 ? _a : (credentialOffer ? (0, oid4vci_common_1.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : metadata === null || metadata === void 0 ? void 0 : metadata.issuer);
-            if (!issuer) {
-                throw Error('Issuer required at this point');
-            }
-            const issuerOpts = {
-                issuer,
-            };
-            return yield this.acquireAccessTokenUsingRequest({
-                accessTokenRequest: yield this.createAccessTokenRequest({
-                    credentialOffer,
-                    asOpts,
-                    codeVerifier,
-                    code,
-                    redirectUri,
-                    pin,
-                }),
-                isPinRequired,
-                metadata,
-                asOpts,
-                issuerOpts,
-            });
-        });
-    }
-    acquireAccessTokenUsingRequest({ accessTokenRequest, isPinRequired, metadata, asOpts, issuerOpts, }) {
-        return __awaiter(this, void 0, void 0, function* () {
-            this.validate(accessTokenRequest, isPinRequired);
-            const requestTokenURL = AccessTokenClient.determineTokenURL({
-                asOpts,
-                issuerOpts,
-                metadata: metadata
-                    ? metadata
-                    : (issuerOpts === null || issuerOpts === void 0 ? void 0 : issuerOpts.fetchMetadata)
-                        ? yield MetadataClient_1.MetadataClient.retrieveAllMetadata([issuerOpts.issuer], { errorOnNotFound: false }) // TODO multi-server support?
-                        : undefined,
-            });
-            return this.sendAuthCode(requestTokenURL, accessTokenRequest, asOpts === null || asOpts === void 0 ? void 0 : asOpts.tokenProxyUrl);
-        });
-    }
-    createAccessTokenRequest(opts) {
-        var _a, _b;
-        return __awaiter(this, void 0, void 0, function* () {
-            const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
-            const credentialOfferRequest = opts.credentialOffer ? yield (0, oid4vci_common_1.toUniformCredentialOfferRequest)(opts.credentialOffer) : undefined;
-            const request = {};
-            if (asOpts === null || asOpts === void 0 ? void 0 : asOpts.clientId) {
-                request.client_id = asOpts.clientId;
-            }
-            if (credentialOfferRequest === null || credentialOfferRequest === void 0 ? void 0 : credentialOfferRequest.supportedFlows.includes(oid4vci_common_1.AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
-                this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
-                request.user_pin = pin;
-                request.grant_type = oid4vci_common_1.GrantTypes.PRE_AUTHORIZED_CODE;
-                // we actually know it is there because of the isPreAuthCode call
-                request[oid4vci_common_1.PRE_AUTH_CODE_LITERAL] =
-                    (_b = (_a = credentialOfferRequest === null || credentialOfferRequest === void 0 ? void 0 : credentialOfferRequest.credential_offer.grants) === null || _a === void 0 ? void 0 : _a['urn:ietf:params:oauth:grant-type:pre-authorized_code']) === null || _b === void 0 ? void 0 : _b[oid4vci_common_1.PRE_AUTH_CODE_LITERAL];
-                return request;
-            }
-            if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(oid4vci_common_1.AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
-                request.grant_type = oid4vci_common_1.GrantTypes.AUTHORIZATION_CODE;
-                request.code = code;
-                request.redirect_uri = redirectUri;
-                if (codeVerifier) {
-                    request.code_verifier = codeVerifier;
-                }
-                return request;
-            }
-            throw new Error('Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.');
-        });
-    }
-    assertPreAuthorizedGrantType(grantType) {
-        if (oid4vci_common_1.GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {
-            throw new Error("grant type must be 'urn:ietf:params:oauth:grant-type:pre-authorized_code'");
-        }
-    }
-    assertAuthorizationGrantType(grantType) {
-        if (oid4vci_common_1.GrantTypes.AUTHORIZATION_CODE !== grantType) {
-            throw new Error("grant type must be 'authorization_code'");
-        }
-    }
-    isPinRequiredValue(requestPayload) {
-        var _a, _b, _c;
-        let isPinRequired = false;
-        if (!requestPayload) {
-            throw new Error(oid4vci_common_1.TokenErrorResponse.invalid_request);
-        }
-        const issuer = (0, oid4vci_common_1.getIssuerFromCredentialOfferPayload)(requestPayload);
-        if ((_a = requestPayload.grants) === null || _a === void 0 ? void 0 : _a['urn:ietf:params:oauth:grant-type:pre-authorized_code']) {
-            isPinRequired = (_c = (_b = requestPayload.grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']) === null || _b === void 0 ? void 0 : _b.user_pin_required) !== null && _c !== void 0 ? _c : false;
-        }
-        debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
-        return isPinRequired;
-    }
-    assertNumericPin(isPinRequired, pin) {
-        if (isPinRequired) {
-            if (!pin || !/^\d{1,8}$/.test(pin)) {
-                debug(`Pin is not 1 to 8 digits long`);
-                throw new Error('A valid pin consisting of maximal 8 numeric characters must be present.');
-            }
-        }
-        else if (pin) {
-            debug(`Pin set, whilst not required`);
-            throw new Error('Cannot set a pin, when the pin is not required.');
-        }
-    }
-    assertNonEmptyPreAuthorizedCode(accessTokenRequest) {
-        if (!accessTokenRequest[oid4vci_common_1.PRE_AUTH_CODE_LITERAL]) {
-            debug(`No pre-authorized code present, whilst it is required`);
-            throw new Error('Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.');
-        }
-    }
-    /*
-      private assertNonEmptyCodeVerifier(accessTokenRequest: AccessTokenRequest): void {
-        if (!accessTokenRequest.code_verifier) {
-          debug('No code_verifier present, whilst it is required');
-          throw new Error('Authorization flow requires the code_verifier to be present');
-        }
-      }
-    */
-    assertNonEmptyCode(accessTokenRequest) {
-        if (!accessTokenRequest.code) {
-            debug('No code present, whilst it is required');
-            throw new Error('Authorization flow requires the code to be present');
-        }
-    }
-    assertNonEmptyRedirectUri(accessTokenRequest) {
-        if (!accessTokenRequest.redirect_uri) {
-            debug('No redirect_uri present, whilst it is required');
-            throw new Error('Authorization flow requires the redirect_uri to be present');
-        }
-    }
-    validate(accessTokenRequest, isPinRequired) {
-        if (accessTokenRequest.grant_type === oid4vci_common_1.GrantTypes.PRE_AUTHORIZED_CODE) {
-            this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
-            this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
-            this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin);
-        }
-        else if (accessTokenRequest.grant_type === oid4vci_common_1.GrantTypes.AUTHORIZATION_CODE) {
-            this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
-            // this.assertNonEmptyCodeVerifier(accessTokenRequest); TODO figure out of always required, for MOSIP I do not have it
-            this.assertNonEmptyCode(accessTokenRequest);
-            this.assertNonEmptyRedirectUri(accessTokenRequest);
-        }
-        else {
-            this.throwNotSupportedFlow;
-        }
-    }
-    sendAuthCode(requestTokenURL, accessTokenRequest, tokenProxyUrl) {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (!tokenProxyUrl) {
-                return yield (0, functions_1.formPost)(requestTokenURL, (0, functions_1.convertJsonToURI)(accessTokenRequest));
-            }
-            else {
-                return yield (0, functions_1.formPost)(tokenProxyUrl, JSON.stringify(Object.assign(Object.assign({}, accessTokenRequest), { issuer_url: requestTokenURL })), { contentType: 'application/json' }); // TODO maybe switch to x-www-form-urlencoded in proxy backend ot support both
-            }
-        });
-    }
-    static determineTokenURL({ asOpts, issuerOpts, metadata, }) {
-        if (!asOpts && !(metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint) && !issuerOpts) {
-            throw new Error('Cannot determine token URL if no issuer, metadata and no Authorization Server values are present');
-        }
-        let url;
-        if (asOpts && asOpts.as) {
-            url = this.creatTokenURLFromURL(asOpts.as, asOpts === null || asOpts === void 0 ? void 0 : asOpts.allowInsecureEndpoints, asOpts.tokenEndpoint);
-        }
-        else if (metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint) {
-            url = metadata.token_endpoint;
-        }
-        else {
-            if (!(issuerOpts === null || issuerOpts === void 0 ? void 0 : issuerOpts.issuer)) {
-                throw Error('Either authorization server options, a token endpoint or issuer options are required at this point');
-            }
-            url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts === null || asOpts === void 0 ? void 0 : asOpts.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
-        }
-        if (!url || !ssi_types_1.ObjectUtils.isString(url)) {
-            throw new Error('No authorization server token URL present. Cannot acquire access token');
-        }
-        debug(`Token endpoint determined to be ${url}`);
-        return url;
-    }
-    static creatTokenURLFromURL(url, allowInsecureEndpoints, tokenEndpoint) {
-        if (allowInsecureEndpoints !== true && url.startsWith('http:')) {
-            throw Error(`Unprotected token endpoints are not allowed ${url}. Adjust settings if you really need this (dev/test settings only!!)`);
-        }
-        const hostname = url.replace(/https?:\/\//, '').replace(/\/$/, '');
-        const endpoint = tokenEndpoint ? (tokenEndpoint.startsWith('/') ? tokenEndpoint : tokenEndpoint.substring(1)) : '/token';
-        const scheme = url.split('://')[0];
-        return `${scheme ? scheme + '://' : 'https://'}${hostname}${endpoint}`;
-    }
-    throwNotSupportedFlow() {
-        debug(`Only pre-authorized or authorization code flows supported.`);
-        throw new Error('Only pre-authorized-code or authorization code flows are supported');
-    }
-}
-exports.AccessTokenClient = AccessTokenClient;
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessTokenClient = void 0;
+const oid4vci_common_1 = require("@sphereon/oid4vci-common");
+const ssi_types_1 = require("@sphereon/ssi-types");
+const debug_1 = __importDefault(require("debug"));
+const MetadataClient_1 = require("./MetadataClient");
+const functions_1 = require("./functions");
+const debug = (0, debug_1.default)('sphereon:oid4vci:token');
+class AccessTokenClient {
+    acquireAccessToken(opts) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            const { asOpts, pin, codeVerifier, code, redirectUri, metadata } = opts;
+            const credentialOffer = opts.credentialOffer ? yield (0, oid4vci_common_1.assertedUniformCredentialOffer)(opts.credentialOffer) : undefined;
+            const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer);
+            const issuer = (_a = opts.credentialIssuer) !== null && _a !== void 0 ? _a : (credentialOffer ? (0, oid4vci_common_1.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : metadata === null || metadata === void 0 ? void 0 : metadata.issuer);
+            if (!issuer) {
+                throw Error('Issuer required at this point');
+            }
+            const issuerOpts = {
+                issuer,
+            };
+            return yield this.acquireAccessTokenUsingRequest({
+                accessTokenRequest: yield this.createAccessTokenRequest({
+                    credentialOffer,
+                    asOpts,
+                    codeVerifier,
+                    code,
+                    redirectUri,
+                    pin,
+                }),
+                isPinRequired,
+                metadata,
+                asOpts,
+                issuerOpts,
+            });
+        });
+    }
+    acquireAccessTokenUsingRequest({ accessTokenRequest, isPinRequired, metadata, asOpts, issuerOpts, }) {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.validate(accessTokenRequest, isPinRequired);
+            const requestTokenURL = AccessTokenClient.determineTokenURL({
+                asOpts,
+                issuerOpts,
+                metadata: metadata
+                    ? metadata
+                    : (issuerOpts === null || issuerOpts === void 0 ? void 0 : issuerOpts.fetchMetadata)
+                        ? yield MetadataClient_1.MetadataClient.retrieveAllMetadata([issuerOpts.issuer], { errorOnNotFound: false }) // TODO multi-server support?
+                        : undefined,
+            });
+            return this.sendAuthCode(requestTokenURL, accessTokenRequest, asOpts === null || asOpts === void 0 ? void 0 : asOpts.tokenProxyUrl);
+        });
+    }
+    createAccessTokenRequest(opts) {
+        var _a, _b;
+        return __awaiter(this, void 0, void 0, function* () {
+            const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
+            const credentialOfferRequest = opts.credentialOffer ? yield (0, oid4vci_common_1.toUniformCredentialOfferRequest)(opts.credentialOffer) : undefined;
+            const request = {};
+            if (asOpts === null || asOpts === void 0 ? void 0 : asOpts.clientId) {
+                request.client_id = asOpts.clientId;
+            }
+            if (credentialOfferRequest === null || credentialOfferRequest === void 0 ? void 0 : credentialOfferRequest.supportedFlows.includes(oid4vci_common_1.AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
+                this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
+                request.user_pin = pin;
+                request.grant_type = oid4vci_common_1.GrantTypes.PRE_AUTHORIZED_CODE;
+                // we actually know it is there because of the isPreAuthCode call
+                request[oid4vci_common_1.PRE_AUTH_CODE_LITERAL] =
+                    (_b = (_a = credentialOfferRequest === null || credentialOfferRequest === void 0 ? void 0 : credentialOfferRequest.credential_offer.grants) === null || _a === void 0 ? void 0 : _a['urn:ietf:params:oauth:grant-type:pre-authorized_code']) === null || _b === void 0 ? void 0 : _b[oid4vci_common_1.PRE_AUTH_CODE_LITERAL];
+                return request;
+            }
+            if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(oid4vci_common_1.AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
+                request.grant_type = oid4vci_common_1.GrantTypes.AUTHORIZATION_CODE;
+                request.code = code;
+                request.redirect_uri = redirectUri;
+                if (codeVerifier) {
+                    request.code_verifier = codeVerifier;
+                }
+                return request;
+            }
+            throw new Error('Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.');
+        });
+    }
+    assertPreAuthorizedGrantType(grantType) {
+        if (oid4vci_common_1.GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {
+            throw new Error("grant type must be 'urn:ietf:params:oauth:grant-type:pre-authorized_code'");
+        }
+    }
+    assertAuthorizationGrantType(grantType) {
+        if (oid4vci_common_1.GrantTypes.AUTHORIZATION_CODE !== grantType) {
+            throw new Error("grant type must be 'authorization_code'");
+        }
+    }
+    isPinRequiredValue(requestPayload) {
+        var _a, _b, _c;
+        let isPinRequired = false;
+        if (!requestPayload) {
+            throw new Error(oid4vci_common_1.TokenErrorResponse.invalid_request);
+        }
+        const issuer = (0, oid4vci_common_1.getIssuerFromCredentialOfferPayload)(requestPayload);
+        if ((_a = requestPayload.grants) === null || _a === void 0 ? void 0 : _a['urn:ietf:params:oauth:grant-type:pre-authorized_code']) {
+            isPinRequired = (_c = (_b = requestPayload.grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']) === null || _b === void 0 ? void 0 : _b.user_pin_required) !== null && _c !== void 0 ? _c : false;
+        }
+        debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
+        return isPinRequired;
+    }
+    assertNumericPin(isPinRequired, pin) {
+        if (isPinRequired) {
+            if (!pin || !/^\d{1,8}$/.test(pin)) {
+                debug(`Pin is not 1 to 8 digits long`);
+                throw new Error('A valid pin consisting of maximal 8 numeric characters must be present.');
+            }
+        }
+        else if (pin) {
+            debug(`Pin set, whilst not required`);
+            throw new Error('Cannot set a pin, when the pin is not required.');
+        }
+    }
+    assertNonEmptyPreAuthorizedCode(accessTokenRequest) {
+        if (!accessTokenRequest[oid4vci_common_1.PRE_AUTH_CODE_LITERAL]) {
+            debug(`No pre-authorized code present, whilst it is required`);
+            throw new Error('Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.');
+        }
+    }
+    /*
+      private assertNonEmptyCodeVerifier(accessTokenRequest: AccessTokenRequest): void {
+        if (!accessTokenRequest.code_verifier) {
+          debug('No code_verifier present, whilst it is required');
+          throw new Error('Authorization flow requires the code_verifier to be present');
+        }
+      }
+    */
+    assertNonEmptyCode(accessTokenRequest) {
+        if (!accessTokenRequest.code) {
+            debug('No code present, whilst it is required');
+            throw new Error('Authorization flow requires the code to be present');
+        }
+    }
+    assertNonEmptyRedirectUri(accessTokenRequest) {
+        if (!accessTokenRequest.redirect_uri) {
+            debug('No redirect_uri present, whilst it is required');
+            throw new Error('Authorization flow requires the redirect_uri to be present');
+        }
+    }
+    validate(accessTokenRequest, isPinRequired) {
+        if (accessTokenRequest.grant_type === oid4vci_common_1.GrantTypes.PRE_AUTHORIZED_CODE) {
+            this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
+            this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
+            this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin);
+        }
+        else if (accessTokenRequest.grant_type === oid4vci_common_1.GrantTypes.AUTHORIZATION_CODE) {
+            this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
+            // this.assertNonEmptyCodeVerifier(accessTokenRequest); TODO figure out of always required, for MOSIP I do not have it
+            this.assertNonEmptyCode(accessTokenRequest);
+            this.assertNonEmptyRedirectUri(accessTokenRequest);
+        }
+        else {
+            this.throwNotSupportedFlow;
+        }
+    }
+    sendAuthCode(requestTokenURL, accessTokenRequest, tokenProxyUrl) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!tokenProxyUrl) {
+                return yield (0, functions_1.formPost)(requestTokenURL, (0, functions_1.convertJsonToURI)(accessTokenRequest));
+            }
+            else {
+                return yield (0, functions_1.formPost)(tokenProxyUrl, JSON.stringify(Object.assign(Object.assign({}, accessTokenRequest), { issuer_url: requestTokenURL })), { contentType: 'application/json' }); // TODO maybe switch to x-www-form-urlencoded in proxy backend ot support both
+            }
+        });
+    }
+    static determineTokenURL({ asOpts, issuerOpts, metadata, }) {
+        if (!asOpts && !(metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint) && !issuerOpts) {
+            throw new Error('Cannot determine token URL if no issuer, metadata and no Authorization Server values are present');
+        }
+        let url;
+        if (asOpts && asOpts.as) {
+            url = this.creatTokenURLFromURL(asOpts.as, asOpts === null || asOpts === void 0 ? void 0 : asOpts.allowInsecureEndpoints, asOpts.tokenEndpoint);
+        }
+        else if (metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint) {
+            url = metadata.token_endpoint;
+        }
+        else {
+            if (!(issuerOpts === null || issuerOpts === void 0 ? void 0 : issuerOpts.issuer)) {
+                throw Error('Either authorization server options, a token endpoint or issuer options are required at this point');
+            }
+            url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts === null || asOpts === void 0 ? void 0 : asOpts.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
+        }
+        if (!url || !ssi_types_1.ObjectUtils.isString(url)) {
+            throw new Error('No authorization server token URL present. Cannot acquire access token');
+        }
+        debug(`Token endpoint determined to be ${url}`);
+        return url;
+    }
+    static creatTokenURLFromURL(url, allowInsecureEndpoints, tokenEndpoint) {
+        if (allowInsecureEndpoints !== true && url.startsWith('http:')) {
+            throw Error(`Unprotected token endpoints are not allowed ${url}. Adjust settings if you really need this (dev/test settings only!!)`);
+        }
+        const hostname = url.replace(/https?:\/\//, '').replace(/\/$/, '');
+        const endpoint = tokenEndpoint ? (tokenEndpoint.startsWith('/') ? tokenEndpoint : tokenEndpoint.substring(1)) : '/token';
+        const scheme = url.split('://')[0];
+        return `${scheme ? scheme + '://' : 'https://'}${hostname}${endpoint}`;
+    }
+    throwNotSupportedFlow() {
+        debug(`Only pre-authorized or authorization code flows supported.`);
+        throw new Error('Only pre-authorized-code or authorization code flows are supported');
+    }
+}
+exports.AccessTokenClient = AccessTokenClient;
 //# sourceMappingURL=AccessTokenClient.js.map

package/dist/AuthorizationDetailsBuilder.d.ts

@@ -1,11 +1,11 @@
-import { AuthorizationDetailsJwtVcJson, OID4VCICredentialFormat } from '@sphereon/oid4vci-common';
-export declare class AuthorizationDetailsBuilder {
-    private readonly authorizationDetails;
-    constructor();
-    withType(type: string): AuthorizationDetailsBuilder;
-    withFormats(format: OID4VCICredentialFormat): AuthorizationDetailsBuilder;
-    withLocations(locations: string[]): AuthorizationDetailsBuilder;
-    addLocation(location: string): AuthorizationDetailsBuilder;
-    buildJwtVcJson(): AuthorizationDetailsJwtVcJson;
-}
+import { AuthorizationDetailsJwtVcJson, OID4VCICredentialFormat } from '@sphereon/oid4vci-common';
+export declare class AuthorizationDetailsBuilder {
+    private readonly authorizationDetails;
+    constructor();
+    withType(type: string): AuthorizationDetailsBuilder;
+    withFormats(format: OID4VCICredentialFormat): AuthorizationDetailsBuilder;
+    withLocations(locations: string[]): AuthorizationDetailsBuilder;
+    addLocation(location: string): AuthorizationDetailsBuilder;
+    buildJwtVcJson(): AuthorizationDetailsJwtVcJson;
+}
 //# sourceMappingURL=AuthorizationDetailsBuilder.d.ts.map

package/dist/AuthorizationDetailsBuilder.js

@@ -1,44 +1,44 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthorizationDetailsBuilder = void 0;
-//todo: refactor this builder to be able to create ldp details as well
-class AuthorizationDetailsBuilder {
-    constructor() {
-        this.authorizationDetails = {};
-    }
-    withType(type) {
-        this.authorizationDetails.type = type;
-        return this;
-    }
-    withFormats(format) {
-        this.authorizationDetails.format = format;
-        return this;
-    }
-    withLocations(locations) {
-        if (this.authorizationDetails.locations) {
-            this.authorizationDetails.locations.push(...locations);
-        }
-        else {
-            this.authorizationDetails.locations = locations;
-        }
-        return this;
-    }
-    addLocation(location) {
-        if (this.authorizationDetails.locations) {
-            this.authorizationDetails.locations.push(location);
-        }
-        else {
-            this.authorizationDetails.locations = [location];
-        }
-        return this;
-    }
-    //todo: we have to consider one thing, if this is a general purpose builder, we want to support ldp types here as well. and for that we need a few checks.
-    buildJwtVcJson() {
-        if (this.authorizationDetails.format && this.authorizationDetails.type) {
-            return this.authorizationDetails;
-        }
-        throw new Error('Type and format are required properties');
-    }
-}
-exports.AuthorizationDetailsBuilder = AuthorizationDetailsBuilder;
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationDetailsBuilder = void 0;
+//todo: refactor this builder to be able to create ldp details as well
+class AuthorizationDetailsBuilder {
+    constructor() {
+        this.authorizationDetails = {};
+    }
+    withType(type) {
+        this.authorizationDetails.type = type;
+        return this;
+    }
+    withFormats(format) {
+        this.authorizationDetails.format = format;
+        return this;
+    }
+    withLocations(locations) {
+        if (this.authorizationDetails.locations) {
+            this.authorizationDetails.locations.push(...locations);
+        }
+        else {
+            this.authorizationDetails.locations = locations;
+        }
+        return this;
+    }
+    addLocation(location) {
+        if (this.authorizationDetails.locations) {
+            this.authorizationDetails.locations.push(location);
+        }
+        else {
+            this.authorizationDetails.locations = [location];
+        }
+        return this;
+    }
+    //todo: we have to consider one thing, if this is a general purpose builder, we want to support ldp types here as well. and for that we need a few checks.
+    buildJwtVcJson() {
+        if (this.authorizationDetails.format && this.authorizationDetails.type) {
+            return this.authorizationDetails;
+        }
+        throw new Error('Type and format are required properties');
+    }
+}
+exports.AuthorizationDetailsBuilder = AuthorizationDetailsBuilder;
 //# sourceMappingURL=AuthorizationDetailsBuilder.js.map

package/dist/CredentialOfferClient.d.ts

@@ -1,10 +1,10 @@
-import { CredentialOfferRequestWithBaseUrl, OpenId4VCIVersion } from '@sphereon/oid4vci-common';
-export declare class CredentialOfferClient {
-    static fromURI(uri: string, opts?: {
-        resolve?: boolean;
-    }): Promise<CredentialOfferRequestWithBaseUrl>;
-    static toURI(requestWithBaseUrl: CredentialOfferRequestWithBaseUrl, opts?: {
-        version?: OpenId4VCIVersion;
-    }): string;
-}
+import { CredentialOfferRequestWithBaseUrl, OpenId4VCIVersion } from '@sphereon/oid4vci-common';
+export declare class CredentialOfferClient {
+    static fromURI(uri: string, opts?: {
+        resolve?: boolean;
+    }): Promise<CredentialOfferRequestWithBaseUrl>;
+    static toURI(requestWithBaseUrl: CredentialOfferRequestWithBaseUrl, opts?: {
+        version?: OpenId4VCIVersion;
+    }): string;
+}
 //# sourceMappingURL=CredentialOfferClient.d.ts.map