@sphereon/ssi-sdk.ebsi-support 0.26.1-unstable.101

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68) hide show
  1. package/LICENSE +201 -0
  2. package/README.md +13 -0
  3. package/dist/agent/EbsiSupport.d.ts +12 -0
  4. package/dist/agent/EbsiSupport.d.ts.map +1 -0
  5. package/dist/agent/EbsiSupport.js +202 -0
  6. package/dist/agent/EbsiSupport.js.map +1 -0
  7. package/dist/did/EbsiDidProvider.d.ts +47 -0
  8. package/dist/did/EbsiDidProvider.d.ts.map +1 -0
  9. package/dist/did/EbsiDidProvider.js +172 -0
  10. package/dist/did/EbsiDidProvider.js.map +1 -0
  11. package/dist/did/EbsiDidResolver.d.ts +5 -0
  12. package/dist/did/EbsiDidResolver.d.ts.map +1 -0
  13. package/dist/did/EbsiDidResolver.js +10 -0
  14. package/dist/did/EbsiDidResolver.js.map +1 -0
  15. package/dist/did/functions.d.ts +66 -0
  16. package/dist/did/functions.d.ts.map +1 -0
  17. package/dist/did/functions.js +416 -0
  18. package/dist/did/functions.js.map +1 -0
  19. package/dist/did/index.d.ts +6 -0
  20. package/dist/did/index.d.ts.map +1 -0
  21. package/dist/did/index.js +6 -0
  22. package/dist/did/index.js.map +1 -0
  23. package/dist/did/services/EbsiRPCService.d.ts +13 -0
  24. package/dist/did/services/EbsiRPCService.d.ts.map +1 -0
  25. package/dist/did/services/EbsiRPCService.js +64 -0
  26. package/dist/did/services/EbsiRPCService.js.map +1 -0
  27. package/dist/did/services/EbsiRestService.d.ts +37 -0
  28. package/dist/did/services/EbsiRestService.d.ts.map +1 -0
  29. package/dist/did/services/EbsiRestService.js +90 -0
  30. package/dist/did/services/EbsiRestService.js.map +1 -0
  31. package/dist/did/types.d.ts +386 -0
  32. package/dist/did/types.d.ts.map +1 -0
  33. package/dist/did/types.js +47 -0
  34. package/dist/did/types.js.map +1 -0
  35. package/dist/functions/Attestation.d.ts +32 -0
  36. package/dist/functions/Attestation.d.ts.map +1 -0
  37. package/dist/functions/Attestation.js +182 -0
  38. package/dist/functions/Attestation.js.map +1 -0
  39. package/dist/functions/AttestationHeadlessCallbacks.d.ts +17 -0
  40. package/dist/functions/AttestationHeadlessCallbacks.d.ts.map +1 -0
  41. package/dist/functions/AttestationHeadlessCallbacks.js +194 -0
  42. package/dist/functions/AttestationHeadlessCallbacks.js.map +1 -0
  43. package/dist/functions/index.d.ts +7 -0
  44. package/dist/functions/index.d.ts.map +1 -0
  45. package/dist/functions/index.js +8 -0
  46. package/dist/functions/index.js.map +1 -0
  47. package/dist/index.d.ts +7 -0
  48. package/dist/index.d.ts.map +1 -0
  49. package/dist/index.js +8 -0
  50. package/dist/index.js.map +1 -0
  51. package/dist/types/IEbsiSupport.d.ts +211 -0
  52. package/dist/types/IEbsiSupport.d.ts.map +1 -0
  53. package/dist/types/IEbsiSupport.js +5 -0
  54. package/dist/types/IEbsiSupport.js.map +1 -0
  55. package/package.json +86 -0
  56. package/src/agent/EbsiSupport.ts +250 -0
  57. package/src/did/EbsiDidProvider.ts +269 -0
  58. package/src/did/EbsiDidResolver.ts +16 -0
  59. package/src/did/functions.ts +528 -0
  60. package/src/did/index.ts +5 -0
  61. package/src/did/services/EbsiRPCService.ts +68 -0
  62. package/src/did/services/EbsiRestService.ts +117 -0
  63. package/src/did/types.ts +449 -0
  64. package/src/functions/Attestation.ts +262 -0
  65. package/src/functions/AttestationHeadlessCallbacks.ts +242 -0
  66. package/src/functions/index.ts +15 -0
  67. package/src/index.ts +8 -0
  68. package/src/types/IEbsiSupport.ts +241 -0
@@ -0,0 +1,211 @@
1
+ import { DiscoveryMetadataPayload, JWK } from '@sphereon/did-auth-siop';
2
+ import { OID4VCICredentialFormat, RequestObjectOpts } from '@sphereon/oid4vci-common';
3
+ import { Format, PresentationDefinitionV2 } from '@sphereon/pex-models';
4
+ import { IIdentifierOpts } from '@sphereon/ssi-sdk-ext.did-utils';
5
+ import { IBasicCredentialLocaleBranding, Party } from '@sphereon/ssi-sdk.data-store';
6
+ import { ErrorDetails, IOID4VCIHolder, MappedCredentialToAccept } from '@sphereon/ssi-sdk.oid4vci-holder';
7
+ import { IPresentationExchange } from '@sphereon/ssi-sdk.presentation-exchange';
8
+ import { IDidAuthSiopOpAuthenticator } from '@sphereon/ssi-sdk.siopv2-oid4vp-op-auth';
9
+ import { PresentationSubmission, W3CVerifiableCredential } from '@sphereon/ssi-types';
10
+ import { IAgentContext, IDIDManager, IIdentifier, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core';
11
+ import { AttestationAuthRequestUrlResult } from '../functions';
12
+ /**
13
+ * The OpenID scope
14
+ * @readonly
15
+ * @enum {string}
16
+ */
17
+ export type EBSIScope = 'didr_write' | 'didr_invite' | 'tir_write' | 'tir_invite' | 'timestamp_write' | 'tnt_authorise' | 'tnt_create' | 'tnt_write' | 'did_authn';
18
+ export declare enum TokenType {
19
+ BEARER = "Bearer"
20
+ }
21
+ export type EbsiEnvironment = 'pilot' | 'conformance' | 'conformance-test';
22
+ export type EbsiApiVersion = 'v3' | 'v4' | 'v5';
23
+ export type WellknownType = 'openid-credential-issuer' | 'openid-configuration';
24
+ export type EbsiMock = 'issuer-mock' | 'auth-mock';
25
+ export type EbsiSystem = 'authorisation' | 'conformance' | 'did-registry';
26
+ export type ApiOpts = {
27
+ environment?: EbsiEnvironment;
28
+ version: EbsiApiVersion;
29
+ };
30
+ export type WellknownOpts = ApiOpts & {
31
+ type: WellknownType;
32
+ system?: EbsiSystem | EbsiEnvironment;
33
+ mock?: EbsiMock;
34
+ };
35
+ export interface IEbsiSupport extends IPluginMethodMap {
36
+ ebsiWellknownMetadata(args?: ApiOpts): Promise<GetOIDProviderMetadataResponse>;
37
+ ebsiAuthorizationServerJwks(args?: ApiOpts): Promise<GetOIDProviderJwksResponse>;
38
+ ebsiPresentationDefinitionGet(args: GetPresentationDefinitionArgs): Promise<GetPresentationDefinitionResponse>;
39
+ ebsiAccessTokenGet(args: EBSIAuthAccessTokenGetArgs, context: IRequiredContext): Promise<GetAccessTokenResult>;
40
+ ebsiCreateAttestationAuthRequestURL(args: CreateAttestationAuthRequestURLArgs, context: IRequiredContext): Promise<AttestationAuthRequestUrlResult>;
41
+ ebsiGetAttestation(args: GetAttestationArgs, context: IRequiredContext): Promise<AttestationResult>;
42
+ }
43
+ /**
44
+ * @typedef EbsiOpenIDMetadata
45
+ * @type {object}
46
+ * @property {(URL | string)} issuer URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
47
+ * @property {(URL | string)} authorization_endpoint URL of the OP's OAuth 2.0 Authorization Endpoint.
48
+ * @property {(URL | string)} token_endpoint URL of the OP's OAuth 2.0 Token Endpoint.
49
+ * @property {(URL | string)} [presentation_definition_endpoint] URL of the OP's presentation definitions endpoint. Non-standard, used in EBSI
50
+ * @property {(URL | string)} jwks_uri URL of the authorization server's JWK Set [JWK] document
51
+ * @property {string[]} scopes_supported JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. (SIOP v2)
52
+ * @property {string[]} response_types_supported JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports (SIOP v2)
53
+ * @property {string[]} [response_mode_supported] JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports
54
+ * @property {string[]} [grant_types_supported] JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports.
55
+ * @property {string[]} subject_types_supported JSON array containing a list of the Subject Identifier types that this OP supports.
56
+ * @property {string[]} id_token_signing_alg_values_supported JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT
57
+ * @property {string[]} [request_object_signing_alg_values_supported] JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects
58
+ * @property {string[]} [request_parameter_supported] Boolean value specifying whether the OP supports use of the request parameter, with true indicating support
59
+ * @property {string[]} [token_endpoint_auth_methods_supported] JSON array containing a list of client authentication methods supported by this token endpoint
60
+ * @property {{ authorization_endpoint: string[] }} [request_authentication_methods_supported] A JSON Object defining the client authentications supported for each endpoint
61
+ * @property {string[]} [vp_formats_supported] An object containing a list of key value pairs, where the key is a string identifying a credential format supported by the AS
62
+ * @property {(URL[] | string[])} [subject_syntax_types_supported] A JSON array of strings representing URI scheme identifiers and optionally method names of supported Subject Syntax Types
63
+ * @property {string[]} [subject_trust_frameworks_supported] A JSON array of supported trust frameworks.
64
+ * @property {string[]} [id_token_types_supported] A JSON array of strings containing the list of ID Token types supported by the OP
65
+ */
66
+ export type EbsiOpenIDMetadata = DiscoveryMetadataPayload & {
67
+ presentation_definition_endpoint?: URL | string;
68
+ };
69
+ /**
70
+ * JSON Web Key Set
71
+ * @typedef GetOIDProviderJwksSuccessResponse
72
+ * @property {JWK[]} keys
73
+ */
74
+ export interface GetOIDProviderJwksSuccessResponse {
75
+ keys: JWK[];
76
+ }
77
+ /**
78
+ * @typedef GetPresentationDefinitionArgs
79
+ * @type {object}
80
+ * @property {EBSIScope} scope
81
+ * @property {ApiOpts} [apiOpts] The environment and version of the API
82
+ */
83
+ export interface GetPresentationDefinitionArgs {
84
+ scope: EBSIScope;
85
+ apiOpts?: WellknownOpts;
86
+ openIDMetadata?: EbsiOpenIDMetadata;
87
+ }
88
+ export type CreateAttestationAuthRequestURLArgs = {
89
+ credentialIssuer: string;
90
+ credentialType: string;
91
+ idOpts: IIdentifierOpts;
92
+ requestObjectOpts: RequestObjectOpts;
93
+ clientId?: string;
94
+ redirectUri?: string;
95
+ formats?: Array<Extract<OID4VCICredentialFormat, 'jwt_vc' | 'jwt_vc_json'>>;
96
+ };
97
+ export type GetAttestationArgs = {
98
+ clientId: string;
99
+ authReqResult: AttestationAuthRequestUrlResult;
100
+ opts?: {
101
+ timeout: number;
102
+ };
103
+ };
104
+ /**
105
+ * Presentation Definition V2
106
+ * @typedef GetPresentationDefinitionSuccessResponse
107
+ * @type {object}
108
+ * @property {string} id A UUID or some other unique ID to identify this Presentation Definition
109
+ * @property {string} [name] A name property is a human-friendly string intended to constitute a distinctive designation of the Presentation Definition.
110
+ * @property {string} [purpose] It describes the purpose for which the Presentation Definition's inputs are being requested.
111
+ * @property {Format} [format] What claim variants Verifiers and Holders support.
112
+ * @property {SubmissionRequirement[]} [submission_requirements] List of requirements for described inputs in input descriptors.
113
+ * @property {InputDescriptor[]} input_descriptors List of descriptions of the required inputs.
114
+ * @property {object} [frame] a JSON LD Framing Document object.
115
+ */
116
+ export type GetPresentationDefinitionSuccessResponse = PresentationDefinitionV2 & {
117
+ format?: Pick<Format, 'jwt_vc' | 'jwt_vc_json' | 'jwt_vp' | 'jwt_vp_json'>;
118
+ };
119
+ /**
120
+ * @typedef GetAccessTokenArgs
121
+ * @type {object}
122
+ * @property {string} grant_type MUST be set to "vp_token"
123
+ * @property {string} vp_token Signed Verifiable Presentation. See also the VP Token schema definition.
124
+ * @property {PresentationSubmission} presentation_submission Descriptor for the vp_token, linked by presentation_definition. See also the Presentation Definition schema.
125
+ * @property {EBSIScope} scope Possible values: [openid didr_write, openid didr_invite, openid tir_write, openid tir_invite, openid timestamp_write, openid tnt_authorise, openid tnt_create, openid tnt_write] OIDC scope
126
+ * @property {ApiOpts} [apiOpts] The environment and the version of the API
127
+ */
128
+ export interface GetAccessTokenArgs {
129
+ grant_type?: string;
130
+ vp_token: string;
131
+ presentation_submission: PresentationSubmission;
132
+ scope: EBSIScope;
133
+ openIDMetadata?: EbsiOpenIDMetadata;
134
+ apiOpts: ApiOpts;
135
+ }
136
+ export type GetAccessTokenResult = {
137
+ identifier: IIdentifier;
138
+ scope: EBSIScope;
139
+ accessTokenResponse: GetAccessTokenSuccessResponse;
140
+ };
141
+ /**
142
+ * @typedef EBSIAuthAccessTokenGetArgs
143
+ * @type {object}
144
+ * @property {string} attestationCredential Verifiable Credential (Verifiable Authorisation to Onboard) JWT format
145
+ // * @property {ScopeByDefinition} definitionId The presentation definition id
146
+ * @property {string} [domain] The domain of the issuer
147
+ * @property {string} did The did of the VP issuer
148
+ * @property {string} kid kid in the format: did#kid
149
+ * @property {EBSIScope} scope Needed to retrieve the authentication request
150
+ * @property {ApiOpts} [apiOpts] The environment and the version of the API
151
+ */
152
+ export interface EBSIAuthAccessTokenGetArgs {
153
+ clientId: string;
154
+ credentialIssuer?: string;
155
+ attestationCredential?: W3CVerifiableCredential;
156
+ allVerifiableCredentials?: W3CVerifiableCredential[];
157
+ redirectUri?: string;
158
+ jwksUri: string;
159
+ idOpts: IIdentifierOpts;
160
+ scope: EBSIScope;
161
+ environment: EbsiEnvironment;
162
+ skipDidResolution?: boolean;
163
+ }
164
+ /**
165
+ * @typedef GetAccessTokenSuccessResponse
166
+ * @type {object}
167
+ * @property {string} access_token ^(([A-Za-z0-9\-_])+\.)([A-Za-z0-9\-_]+)(\.([A-Za-z0-9\-_]+)?$ The access token issued by the authorization server in JWS format. See also the "Access Token" schema definition
168
+ * @property {TokenType} token_type Possible values: [Bearer]/MUST be Bearer
169
+ * @property {number} [expires_in] Possible values: >= 1. The lifetime in seconds of the access token
170
+ * @property {EBSIScope} scope Possible values: [openid didr_write, openid didr_invite, openid tir_invite, openid tir_write, openid timestamp_write, openid tnt_authorise, openid tnt_create, openid tnt_write] The scope of the access token
171
+ * @property {string} id_token ^(([A-Za-z0-9\-_])+\.)([A-Za-z0-9\-_]+)(\.([A-Za-z0-9\-_]+)?$ ID Token value associated with the authenticated session. Presents client's identity. ID Token is issued in a JWS format. See also the "ID Token" schema definition.
172
+ * @property {ApiOpts} apiOpts The environment and the version of the API
173
+ */
174
+ export interface GetAccessTokenSuccessResponse {
175
+ access_token: string;
176
+ token_type: TokenType;
177
+ expires_in?: number;
178
+ scope: EBSIScope;
179
+ id_token: string;
180
+ apiOpts: ApiOpts;
181
+ }
182
+ /**
183
+ * @typedef ExceptionResponse
184
+ * @type {object}
185
+ * @property {(URL | string)} [type] An absolute URI that identifies the problem type. When dereferenced, it SHOULD provide human-readable documentation for the problem type.
186
+ * @property {string} [title] A short summary of the problem type.
187
+ * @property {number} [status] Possible values: >= 400 and <= 600. The HTTP status code generated by the origin server for this occurrence of the problem.
188
+ * @property {string} [detail] A human readable explanation specific to this occurrence of the problem.
189
+ * @property {(URL | string)} [instance] An absolute URI that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced.
190
+ */
191
+ export interface ExceptionResponse {
192
+ type?: URL | string;
193
+ title?: string;
194
+ status?: number;
195
+ detail?: string;
196
+ instance?: URL | string;
197
+ }
198
+ export type AttestationResult = {
199
+ contactAlias: string;
200
+ contact: Party;
201
+ credentialBranding?: Record<string, Array<IBasicCredentialLocaleBranding>> | undefined;
202
+ identifier: IIdentifier;
203
+ error: ErrorDetails | undefined;
204
+ credentials: Array<MappedCredentialToAccept>;
205
+ };
206
+ export type GetOIDProviderMetadataResponse = EbsiOpenIDMetadata;
207
+ export type GetOIDProviderJwksResponse = GetOIDProviderJwksSuccessResponse | ExceptionResponse;
208
+ export type GetPresentationDefinitionResponse = GetPresentationDefinitionSuccessResponse;
209
+ export type GetAccessTokenResponse = GetAccessTokenSuccessResponse | ExceptionResponse;
210
+ export type IRequiredContext = IAgentContext<IKeyManager & IDIDManager & IResolver & IDidAuthSiopOpAuthenticator & IPresentationExchange & IOID4VCIHolder & IEbsiSupport>;
211
+ //# sourceMappingURL=IEbsiSupport.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"IEbsiSupport.d.ts","sourceRoot":"","sources":["../../src/types/IEbsiSupport.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAA;AACvE,OAAO,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAA;AACrF,OAAO,EAAE,MAAM,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAA;AACvE,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAA;AACjE,OAAO,EAAE,8BAA8B,EAAE,KAAK,EAAE,MAAM,8BAA8B,CAAA;AACpF,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAA;AACzG,OAAO,EAAE,qBAAqB,EAAE,MAAM,yCAAyC,CAAA;AAC/E,OAAO,EAAE,2BAA2B,EAAE,MAAM,yCAAyC,CAAA;AACrF,OAAO,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAA;AACrF,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA;AAChH,OAAO,EAAE,+BAA+B,EAAE,MAAM,cAAc,CAAA;AAE9D;;;;GAIG;AACH,MAAM,MAAM,SAAS,GACjB,YAAY,GACZ,aAAa,GACb,WAAW,GACX,YAAY,GACZ,iBAAiB,GACjB,eAAe,GACf,YAAY,GACZ,WAAW,GACX,WAAW,CAAA;AAEf,oBAAY,SAAS;IACnB,MAAM,WAAW;CAClB;AAED,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,aAAa,GAAG,kBAAkB,CAAA;AAC1E,MAAM,MAAM,cAAc,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAA;AAC/C,MAAM,MAAM,aAAa,GAAG,0BAA0B,GAAG,sBAAsB,CAAA;AAC/E,MAAM,MAAM,QAAQ,GAAG,aAAa,GAAG,WAAW,CAAA;AAClD,MAAM,MAAM,UAAU,GAAG,eAAe,GAAG,aAAa,GAAG,cAAc,CAAA;AAEzE,MAAM,MAAM,OAAO,GAAG;IAAE,WAAW,CAAC,EAAE,eAAe,CAAC;IAAC,OAAO,EAAE,cAAc,CAAA;CAAE,CAAA;AAChF,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,CAAC,EAAE,UAAU,GAAG,eAAe,CAAC;IAAC,IAAI,CAAC,EAAE,QAAQ,CAAA;CAAE,CAAA;AAErH,MAAM,WAAW,YAAa,SAAQ,gBAAgB;IACpD,qBAAqB,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,8BAA8B,CAAC,CAAA;IAE9E,2BAA2B,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,0BAA0B,CAAC,CAAA;IAEhF,6BAA6B,CAAC,IAAI,EAAE,6BAA6B,GAAG,OAAO,CAAC,iCAAiC,CAAC,CAAA;IAE9G,kBAAkB,CAAC,IAAI,EAAE,0BAA0B,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAA;IAE9G,mCAAmC,CAAC,IAAI,EAAE,mCAAmC,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAAA;IAEnJ,kBAAkB,CAAC,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAA;CACpG;AAID;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,MAAM,kBAAkB,GAAG,wBAAwB,GAAG;IAC1D,gCA
AgC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAA;CAChD,CAAA;AAED;;;;GAIG;AACH,MAAM,WAAW,iCAAiC;IAChD,IAAI,EAAE,GAAG,EAAE,CAAA;CACZ;AAED;;;;;GAKG;AACH,MAAM,WAAW,6BAA6B;IAC5C,KAAK,EAAE,SAAS,CAAA;IAChB,OAAO,CAAC,EAAE,aAAa,CAAA;IACvB,cAAc,CAAC,EAAE,kBAAkB,CAAA;CACpC;AAED,MAAM,MAAM,mCAAmC,GAAG;IAChD,gBAAgB,EAAE,MAAM,CAAA;IACxB,cAAc,EAAE,MAAM,CAAA;IACtB,MAAM,EAAE,eAAe,CAAA;IACvB,iBAAiB,EAAE,iBAAiB,CAAA;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,OAAO,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,uBAAuB,EAAE,QAAQ,GAAG,aAAa,CAAC,CAAC,CAAA;CAC5E,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAA;IAChB,aAAa,EAAE,+BAA+B,CAAA;IAC9C,IAAI,CAAC,EAAE;QACL,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;CACF,CAAA;AAED;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,wCAAwC,GAAG,wBAAwB,GAAG;IAChF,MAAM,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,aAAa,GAAG,QAAQ,GAAG,aAAa,CAAC,CAAA;CAC3E,CAAA;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,QAAQ,EAAE,MAAM,CAAA;IAChB,uBAAuB,EAAE,sBAAsB,CAAA;IAC/C,KAAK,EAAE,SAAS,CAAA;IAChB,cAAc,CAAC,EAAE,kBAAkB,CAAA;IACnC,OAAO,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,UAAU,EAAE,WAAW,CAAA;IACvB,KAAK,EAAE,SAAS,CAAA;IAGhB,mBAAmB,EAAE,6BAA6B,CAAA;CACnD,CAAA;AACD;;;;;;;;;;GAUG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,MAAM,CAAA;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,qBAAqB,CAAC,EAAE,uBAAuB,CAAA;IAC/C,wBAAwB,CAAC,EAAE,uBAAuB,EAAE,CAAA;IACpD,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,OAAO,EAAE,MAAM,CAAA;IAEf,MAAM,EAAE,eAAe,CAAA;IACvB,KAAK,EAAE,SAAS,CAAA;IAChB,WAAW,EAAE,eAAe,CAAA;IAC5B,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B;AAED;;;;;;;;;GASG;AACH,MAAM,WAAW,6BAA6B;IAC5C,YAAY,EAAE,MAAM,CAAA;IACpB,UAAU,EAAE,SAAS,CAAA;IACrB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,KAAK,EAAE,SAAS,CAAA;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,OAAO,EAAE,OAAO,CAAA;CACjB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,CAAC,EAAE,GAAG,GAAG,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,GAAG,GAAG,MAAM,CAAA;CACxB;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B,YAAY,EAAE,MAA
M,CAAA;IACpB,OAAO,EAAE,KAAK,CAAA;IACd,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,8BAA8B,CAAC,CAAC,GAAG,SAAS,CAAA;IACtF,UAAU,EAAE,WAAW,CAAA;IACvB,KAAK,EAAE,YAAY,GAAG,SAAS,CAAA;IAC/B,WAAW,EAAE,KAAK,CAAC,wBAAwB,CAAC,CAAA;CAC7C,CAAA;AAED,MAAM,MAAM,8BAA8B,GAAG,kBAAkB,CAAA;AAC/D,MAAM,MAAM,0BAA0B,GAAG,iCAAiC,GAAG,iBAAiB,CAAA;AAC9F,MAAM,MAAM,iCAAiC,GAAG,wCAAwC,CAAA;AACxF,MAAM,MAAM,sBAAsB,GAAG,6BAA6B,GAAG,iBAAiB,CAAA;AACtF,MAAM,MAAM,gBAAgB,GAAG,aAAa,CAC1C,WAAW,GAAG,WAAW,GAAG,SAAS,GAAG,2BAA2B,GAAG,qBAAqB,GAAG,cAAc,GAAG,YAAY,CAC5H,CAAA"}
@@ -0,0 +1,5 @@
1
+ export var TokenType;
2
+ (function (TokenType) {
3
+ TokenType["BEARER"] = "Bearer";
4
+ })(TokenType || (TokenType = {}));
5
+ //# sourceMappingURL=IEbsiSupport.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"IEbsiSupport.js","sourceRoot":"","sources":["../../src/types/IEbsiSupport.ts"],"names":[],"mappings":"AA4BA,MAAM,CAAN,IAAY,SAEX;AAFD,WAAY,SAAS;IACnB,8BAAiB,CAAA;AACnB,CAAC,EAFW,SAAS,KAAT,SAAS,QAEpB"}
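--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,86 @@
+{
+"name": "@sphereon/ssi-sdk.ebsi-support",
+"version": "0.26.1-unstable.101+b11e0f4d",
+"source": "src/index.ts",
+"main": "dist/index.js",
+"types": "dist/index.d.ts",
+"veramo": {
+"pluginInterfaces": {
+"IEbsiSupport": "./src/types/IEbsiSupport.ts"
+}
+},
+"scripts": {
+"build": "tsc --build",
+"build:clean": "tsc --build --clean && tsc --build"
+},
+"dependencies": {
+"@ethersproject/random": "^5.7.0",
+"@sphereon/did-auth-siop": "0.6.4",
+"@sphereon/pex": "^3.3.3",
+"@sphereon/pex-models": "^2.2.4",
+"@sphereon/ssi-sdk-ext.did-resolver-ebsi": "0.22.0",
+"@sphereon/ssi-sdk-ext.did-utils": "0.22.0",
+"@sphereon/ssi-sdk-ext.key-utils": "0.22.0",
+"@sphereon/ssi-sdk.contact-manager": "0.26.1-unstable.101+b11e0f4d",
+"@sphereon/ssi-sdk.core": "0.26.1-unstable.101+b11e0f4d",
+"@sphereon/ssi-sdk.oid4vci-holder": "0.26.1-unstable.101+b11e0f4d",
+"@sphereon/ssi-sdk.presentation-exchange": "0.26.1-unstable.101+b11e0f4d",
+"@sphereon/ssi-sdk.siopv2-oid4vp-op-auth": "0.26.1-unstable.101+b11e0f4d",
+"@sphereon/ssi-types": "0.26.1-unstable.101+b11e0f4d",
+"@veramo/core": "4.2.0",
+"@veramo/did-manager": "4.2.0",
+"@veramo/utils": "4.2.0",
+"cross-fetch": "^3.1.8",
+"debug": "^4.3.4",
+"did-resolver": "^4.1.0",
+"ethers": "^6.11.1",
+"multiformats": "9.9.0",
+"qs": "^6.11.2",
+"uint8arrays": "^3.1.1",
+"uuid": "^10.0.0",
+"xstate": "^4.38.3"
+},
+"devDependencies": {
+"@sphereon/oid4vci-client": "0.12.1-next.29",
+"@sphereon/oid4vci-common": "0.12.1-next.29",
+"@sphereon/ssi-express-support": "0.26.1-unstable.101+b11e0f4d",
+"@sphereon/ssi-sdk-ext.key-manager": "0.22.0",
+"@sphereon/ssi-sdk-ext.kms-local": "0.22.0",
+"@sphereon/ssi-sdk.agent-config": "0.26.1-unstable.101+b11e0f4d",
+"@sphereon/ssi-sdk.data-store": "0.26.1-unstable.101+b11e0f4d",
+"@sphereon/ssi-sdk.public-key-hosting": "0.26.1-unstable.101+b11e0f4d",
+"@transmute/json-web-signature": "0.7.0-unstable.81",
+"@types/cors": "^2.8.17",
+"@types/express": "^4.17.21",
+"@types/express-serve-static-core": "^4.19.1",
+"@types/node": "^20.12.7",
+"@types/qs": "^6.9.7",
+"@types/uuid": "^10.0.0",
+"@veramo/data-store": "4.2.0",
+"@veramo/key-manager": "4.2.0",
+"@veramo/remote-client": "4.2.0",
+"@veramo/remote-server": "4.2.0",
+"cors": "^2.8.5",
+"express": "^4.19.2",
+"jose": "^5.3.0",
+"typeorm": "^0.3.20"
+},
+"files": [
+"dist/**/*",
+"src/**/*",
+"README.md",
+"LICENSE"
+],
+"private": false,
+"publishConfig": {
+"access": "public"
+},
+"repository": "git@github.com:Sphereon-Opensource/SSI-SDK.git",
+"author": "Sphereon <dev@sphereon.com>",
+"license": "Apache-2.0",
+"keywords": [
+"EBSI",
+"EBSI Authorization Client"
+],
+"gitHead": "b11e0f4da798c754081f00900051f1b6c6eb2439"
+}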
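Review bot: `@sphereon/oid4vci-common` is listed only under devDependencies (hunk line 45), yet the `src/agent/EbsiSupport.ts` shipped in this same release imports the runtime value `CreateRequestObjectMode` from it, and the published `dist/types/IEbsiSupport.d.ts` imports types from it and from `@sphereon/ssi-sdk.data-store` (also devDependencies-only, line 50), so consumers installing this package without those packages transitively present will fail at module load or at type-check. Move `"@sphereon/oid4vci-common": "0.12.1-next.29"` into `dependencies`, and either do the same for `@sphereon/ssi-sdk.data-store` or declare it as a peerDependency. The data-store imports in the `.d.ts` are type-only, so that case presumably affects consumer type-checking rather than runtime — worth confirming against how the package is consumed.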
@@ -0,0 +1,250 @@
1
+ import { CheckLinkedDomain, PresentationDefinitionLocation, PresentationDefinitionWithLocation, SupportedVersion } from '@sphereon/did-auth-siop'
2
+ import { CreateRequestObjectMode } from '@sphereon/oid4vci-common'
3
+ import { getIdentifier } from '@sphereon/ssi-sdk-ext.did-utils'
4
+ import { IPEXFilterResult } from '@sphereon/ssi-sdk.presentation-exchange'
5
+ import { CredentialMapper, PresentationSubmission } from '@sphereon/ssi-types'
6
+ import { IAgentPlugin } from '@veramo/core'
7
+ import fetch from 'cross-fetch'
8
+ import { determineWellknownEndpoint, ebsiGetIssuerMock } from '../did/functions'
9
+ import { ebsiCreateAttestationAuthRequestURL, ebsiGetAttestation } from '../functions'
10
+ import {
11
+ ApiOpts,
12
+ EBSIAuthAccessTokenGetArgs,
13
+ EbsiOpenIDMetadata,
14
+ GetAccessTokenResult,
15
+ GetPresentationDefinitionSuccessResponse,
16
+ IRequiredContext,
17
+ schema,
18
+ WellknownOpts,
19
+ } from '../index'
20
+ import {
21
+ ExceptionResponse,
22
+ GetAccessTokenArgs,
23
+ GetAccessTokenResponse,
24
+ GetOIDProviderJwksResponse,
25
+ GetOIDProviderMetadataResponse,
26
+ GetPresentationDefinitionArgs,
27
+ GetPresentationDefinitionResponse,
28
+ IEbsiSupport,
29
+ } from '../types/IEbsiSupport'
30
+
31
+ import { v4 } from 'uuid'
32
+
33
+ export class EbsiSupport implements IAgentPlugin {
34
+ readonly schema = schema.IEbsiSupport
35
+ readonly methods: IEbsiSupport = {
36
+ ebsiWellknownMetadata: this.ebsiWellknownMetadata.bind(this),
37
+ ebsiAuthorizationServerJwks: this.ebsiAuthorizationServerJwks.bind(this),
38
+ ebsiPresentationDefinitionGet: this.ebsiPresentationDefinitionGet.bind(this),
39
+ ebsiAccessTokenGet: this.ebsiAccessTokenGet.bind(this),
40
+ ebsiCreateAttestationAuthRequestURL: ebsiCreateAttestationAuthRequestURL.bind(this),
41
+ ebsiGetAttestation: ebsiGetAttestation.bind(this),
42
+ }
43
+
44
+ private async ebsiWellknownMetadata(args: WellknownOpts): Promise<GetOIDProviderMetadataResponse> {
45
+ const url = determineWellknownEndpoint(args)
46
+ return await (
47
+ await fetch(url, {
48
+ method: 'GET',
49
+ headers: {
50
+ Accept: 'application/json',
51
+ },
52
+ })
53
+ ).json()
54
+ }
55
+
56
+ private async ebsiAuthorizationServerJwks(args: ApiOpts): Promise<GetOIDProviderJwksResponse | ExceptionResponse> {
57
+ const discoveryMetadata: EbsiOpenIDMetadata = await this.ebsiWellknownMetadata({
58
+ ...args,
59
+ type: 'openid-configuration',
60
+ })
61
+ return await (
62
+ await fetch(`${discoveryMetadata.jwks_uri}`, {
63
+ method: 'GET',
64
+ headers: {
65
+ Accept: 'application/jwk-set+json',
66
+ },
67
+ })
68
+ ).json()
69
+ }
70
+
71
+ private async ebsiPresentationDefinitionGet(args: GetPresentationDefinitionArgs): Promise<GetPresentationDefinitionResponse> {
72
+ const { scope, apiOpts, openIDMetadata } = args
73
+ const discoveryMetadata: EbsiOpenIDMetadata =
74
+ openIDMetadata ??
75
+ (await this.ebsiWellknownMetadata({
76
+ ...apiOpts,
77
+ type: 'openid-configuration',
78
+ system: apiOpts?.mock ? 'authorisation' : apiOpts?.system,
79
+ version: apiOpts?.version ?? 'v4',
80
+ }))
81
+ return (await (
82
+ await fetch(`${discoveryMetadata.presentation_definition_endpoint}?scope=openid%20${scope}`, {
83
+ method: 'GET',
84
+ headers: {
85
+ Accept: 'application/json',
86
+ },
87
+ })
88
+ ).json()) satisfies GetPresentationDefinitionSuccessResponse
89
+ }
90
+
91
+ private async ebsiAccessTokenGet(args: EBSIAuthAccessTokenGetArgs, context: IRequiredContext): Promise<GetAccessTokenResult> {
92
+ const { scope, idOpts, jwksUri, clientId, allVerifiableCredentials, redirectUri, environment, skipDidResolution = false } = args
93
+ const identifier = await getIdentifier(idOpts, context)
94
+ const openIDMetadata = await this.ebsiWellknownMetadata({
95
+ environment,
96
+ version: 'v4',
97
+ mock: undefined,
98
+ system: 'authorisation',
99
+ type: 'openid-configuration',
100
+ })
101
+ const definitionResponse = await this.ebsiPresentationDefinitionGet({
102
+ ...args,
103
+ openIDMetadata,
104
+ apiOpts: { environment, version: 'v4', type: 'openid-configuration' },
105
+ })
106
+ const hasInputDescriptors = definitionResponse.input_descriptors.length > 0
107
+
108
+ if (!hasInputDescriptors) {
109
+ // Yes EBSI expects VPs without a VC in some situations. This is not according to the PEX spec!
110
+ // They probably should have used SIOP in these cases. We need to go through hoops as our libs do not expect PDs/VPs without VCs :(
111
+ console.warn(`No INPUT descriptor returned for scope ${scope}`)
112
+ }
113
+
114
+ let attestationCredential = args.attestationCredential
115
+
116
+ if (hasInputDescriptors && !attestationCredential) {
117
+ if (allVerifiableCredentials && allVerifiableCredentials.length > 0) {
118
+ const pexResult = await context.agent.pexDefinitionFilterCredentials({
119
+ presentationDefinition: definitionResponse,
120
+ credentialFilterOpts: { verifiableCredentials: allVerifiableCredentials },
121
+ })
122
+ if (pexResult.filteredCredentials.length > 0) {
123
+ const filtered = pexResult.filteredCredentials
124
+ .map((cred) => CredentialMapper.toUniformCredential(cred))
125
+ .filter((cred) => {
126
+ if (!cred.expirationDate) {
127
+ return cred
128
+ } else if (new Date(cred.expirationDate!).getDate() >= Date.now()) {
129
+ return cred
130
+ }
131
+ return undefined
132
+ })
133
+ .filter((cred) => !!cred)
134
+ if (filtered.length > 0) {
135
+ attestationCredential = filtered[0]
136
+ }
137
+ }
138
+ }
139
+ if (!attestationCredential) {
140
+ const credentialIssuer = args.credentialIssuer ?? ebsiGetIssuerMock({ environment })
141
+ const authReqResult = await context.agent.ebsiCreateAttestationAuthRequestURL({
142
+ credentialIssuer,
143
+ idOpts,
144
+ formats: ['jwt_vc'],
145
+ clientId,
146
+ redirectUri,
147
+ requestObjectOpts: {
148
+ iss: clientId,
149
+ requestObjectMode: CreateRequestObjectMode.REQUEST_OBJECT,
150
+ jwksUri,
151
+ },
152
+ credentialType: 'VerifiableAuthorisationToOnboard',
153
+ })
154
+ const attestationResult = await context.agent.ebsiGetAttestation({
155
+ authReqResult,
156
+ clientId,
157
+ opts: { timeout: 30_000 },
158
+ })
159
+ // @ts-ignore
160
+ attestationCredential = attestationResult.credentials[0]!.rawVerifiableCredential! as W3CVerifiableCredential
161
+ }
162
+ }
163
+
164
+ const definition = {
165
+ definition: definitionResponse,
166
+ location: PresentationDefinitionLocation.TOPLEVEL_PRESENTATION_DEF,
167
+ version: SupportedVersion.SIOPv2_D11,
168
+ } satisfies PresentationDefinitionWithLocation
169
+
170
+ const pexResult = hasInputDescriptors
171
+ ? await context.agent.pexDefinitionFilterCredentials({
172
+ presentationDefinition: definitionResponse,
173
+ credentialFilterOpts: { verifiableCredentials: [attestationCredential!] },
174
+ // LOL, let's see whether we can trick PEX to create a VP without VCs
175
+ })
176
+ : ({
177
+ filteredCredentials: [],
178
+ id: definitionResponse.id,
179
+ selectResults: { verifiableCredential: [], areRequiredCredentialsPresent: 'info' },
180
+ } satisfies IPEXFilterResult)
181
+ const opSesssion = await context.agent.siopRegisterOPSession({
182
+ requestJwtOrUri: '', // Siop assumes we use an auth request, which we don't have in this case
183
+ op: { checkLinkedDomains: CheckLinkedDomain.NEVER },
184
+ providedPresentationDefinitions: [definition],
185
+ })
186
+ const oid4vp = await opSesssion.getOID4VP([identifier.did])
187
+ const vp = await oid4vp.createVerifiablePresentation(
188
+ { definition, credentials: pexResult.filteredCredentials },
189
+ {
190
+ proofOpts: { domain: openIDMetadata.issuer, nonce: v4(), created: new Date(Date.now() - 120_000).toString() },
191
+ holderDID: identifier.did,
192
+ identifierOpts: idOpts,
193
+ skipDidResolution,
194
+ forceNoCredentialsInVP: !hasInputDescriptors,
195
+ },
196
+ )
197
+
198
+ const presentationSubmission = hasInputDescriptors
199
+ ? vp.presentationSubmission
200
+ : ({ id: v4(), definition_id: definitionResponse.id, descriptor_map: [] } satisfies PresentationSubmission)
201
+
202
+ const tokenRequestArgs = {
203
+ grant_type: 'vp_token',
204
+ vp_token: CredentialMapper.toCompactJWT(vp.verifiablePresentation),
205
+ scope,
206
+ presentation_submission: presentationSubmission,
207
+ apiOpts: { environment, version: 'v4' },
208
+ openIDMetadata,
209
+ } satisfies GetAccessTokenArgs
210
+ const accessTokenResponse = await this.getAccessTokenResponse(tokenRequestArgs)
211
+
212
+ if (!('access_token' in accessTokenResponse)) {
213
+ throw Error(`Error response: ${JSON.stringify(accessTokenResponse)}`)
214
+ }
215
+
216
+ return {
217
+ accessTokenResponse,
218
+ // vp,
219
+ scope,
220
+ // definition,
221
+ identifier,
222
+ }
223
+ }
224
+
225
+ private async getAccessTokenResponse(args: GetAccessTokenArgs): Promise<GetAccessTokenResponse> {
226
+ const { grant_type = 'vp_token', scope, vp_token, presentation_submission, apiOpts, openIDMetadata } = args
227
+ const discoveryMetadata: EbsiOpenIDMetadata =
228
+ openIDMetadata ??
229
+ (await this.ebsiWellknownMetadata({
230
+ ...apiOpts,
231
+ type: 'openid-configuration',
232
+ }))
233
+ const request = {
234
+ grant_type,
235
+ scope: `openid ${scope}`,
236
+ vp_token,
237
+ presentation_submission: JSON.stringify(presentation_submission),
238
+ }
239
+ return await (
240
+ await fetch(`${discoveryMetadata.token_endpoint}`, {
241
+ method: 'POST',
242
+ headers: {
243
+ ContentType: 'application/x-www-form-urlencoded',
244
+ Accept: 'application/json',
245
+ },
246
+ body: new URLSearchParams(request),
247
+ })
248
+ ).json()
249
+ }
250
+ }
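Review bot: The expiry filter in ebsiAccessTokenGet (hunk line 128) compares `new Date(cred.expirationDate!).getDate()`, the day of the month (1–31), against `Date.now()` in milliseconds, so the branch can never be true and every credential that carries an expirationDate is discarded while only never-expiring ones survive the filter; the intended check is `} else if (new Date(cred.expirationDate).getTime() >= Date.now()) {`. On line 160 the `// @ts-ignore` above `attestationResult.credentials[0]!.rawVerifiableCredential! as W3CVerifiableCredential` hides both the missing `W3CVerifiableCredential` import and the case where ebsiGetAttestation returns with `error` set and an empty `credentials` array (AttestationResult declares `error: ErrorDetails | undefined`), which would surface as a TypeError instead of the error details; check `attestationResult.error` and `credentials.length` before indexing and import the type instead of suppressing the checker. In getAccessTokenResponse (line 243) the header key `ContentType` is not a valid HTTP header name — it should be `'Content-Type'` — and it only works today because fetch derives the content type from the URLSearchParams body. None of the fetch wrappers in this class inspect `response.ok`, so a 4xx problem+json body or an HTML error page is handed straight to `.json()` and, for the well-known and token endpoints, treated as metadata or as a token response; checking `ok` (or the content type) before parsing would make failures explicit.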