@sphereon/ssi-sdk.oid4vci-holder 0.32.1-next.20 → 0.32.1-next.291

package/src/{machine → machines}/oid4vciMachine.ts

@@ -1,4 +1,4 @@
-import { AuthzFlowType, toAuthorizationResponsePayload } from '@sphereon/oid4vci-common'
+import { AuthorizationChallengeCodeResponse, AuthzFlowType, toAuthorizationResponsePayload } from '@sphereon/oid4vci-common'
 import { IBasicIssuerLocaleBranding, Identity, IIssuerLocaleBranding, Party } from '@sphereon/ssi-sdk.data-store'
 import { assign, createMachine, DoneInvokeEvent, interpret } from 'xstate'
 import { translate } from '../localization/Localization'
@@ -29,6 +29,7 @@ import {
   SetAuthorizationCodeURLEvent,
   VerificationCodeEvent,
 } from '../types/IOID4VCIHolder'
+import { FirstPartyMachineStateTypes } from '../types/FirstPartyMachine'
 
 const oid4vciHasNoContactGuard = (_ctx: OID4VCIMachineContext, _event: OID4VCIMachineEventTypes): boolean => {
   const { contact } = _ctx
@@ -117,6 +118,10 @@ const oid4vciHasAuthorizationResponse = (ctx: OID4VCIMachineContext, _event: OID
   return !!ctx.openID4VCIClientState?.authorizationCodeResponse
 }
 
+const oid4vciIsFirstPartyApplication = (ctx: OID4VCIMachineContext, _event: OID4VCIMachineEventTypes): boolean => {
+  return !!ctx.serverMetadata?.authorization_challenge_endpoint
+}
+
 const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMachine => {
   const initialContext: OID4VCIMachineContext = {
     // TODO WAL-671 we need to store the data from OpenIdProvider here in the context and make sure we can restart the machine with it and init the OpenIdProvider
@@ -153,7 +158,8 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
         | { type: OID4VCIMachineGuards.hasSelectedCredentialsGuard }
         | { type: OID4VCIMachineGuards.hasAuthorizationResponse }
         | { type: OID4VCIMachineGuards.isOIDFOriginGuard }
-        | { type: OID4VCIMachineGuards.contactHasLowTrustGuard },
+        | { type: OID4VCIMachineGuards.contactHasLowTrustGuard }
+        | { type: OID4VCIMachineGuards.isFirstPartyApplication },
       services: {} as {
         [OID4VCIMachineServices.start]: {
           data: StartResult
@@ -188,6 +194,9 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
         [OID4VCIMachineServices.getIssuerBranding]: {
           data: Array<IIssuerLocaleBranding | IBasicIssuerLocaleBranding>
         }
+        [OID4VCIMachineServices.startFirstPartApplicationFlow]: {
+          data: void
+        }
       },
     },
     context: initialContext,
@@ -332,6 +341,10 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
             target: OID4VCIMachineStates.selectCredentials,
             cond: OID4VCIMachineGuards.credentialsToSelectRequiredGuard,
           },
+          {
+            target: OID4VCIMachineStates.startFirstPartApplicationFlow,
+            cond: OID4VCIMachineGuards.isFirstPartyApplication,
+          },
           {
             target: OID4VCIMachineStates.initiateAuthorizationRequest,
             cond: OID4VCIMachineGuards.requireAuthorizationGuard,
@@ -422,6 +435,10 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
             target: OID4VCIMachineStates.selectCredentials,
             cond: OID4VCIMachineGuards.credentialsToSelectRequiredGuard,
           },
+          {
+            target: OID4VCIMachineStates.startFirstPartApplicationFlow,
+            cond: OID4VCIMachineGuards.isFirstPartyApplication,
+          },
           {
             target: OID4VCIMachineStates.initiateAuthorizationRequest,
             cond: OID4VCIMachineGuards.requireAuthorizationGuard,
@@ -435,6 +452,43 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
           },
         ],
       },
+      [OID4VCIMachineStates.startFirstPartApplicationFlow]: {
+        id: OID4VCIMachineStates.startFirstPartApplicationFlow,
+        invoke: {
+          src: OID4VCIMachineServices.startFirstPartApplicationFlow,
+          onDone: [
+            {
+              target: OID4VCIMachineStates.aborted,
+              cond: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<FirstPartyMachineStateTypes>): boolean =>
+                _event.data === FirstPartyMachineStateTypes.aborted,
+            },
+            {
+              target: OID4VCIMachineStates.declined,
+              cond: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<FirstPartyMachineStateTypes>): boolean =>
+                _event.data === FirstPartyMachineStateTypes.declined,
+            },
+            {
+              target: OID4VCIMachineStates.getCredentials,
+              actions: assign({
+                openID4VCIClientState: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<AuthorizationChallengeCodeResponse>) => {
+                  const authorizationCodeResponse = toAuthorizationResponsePayload(_event.data)
+                  return { ..._ctx.openID4VCIClientState!, authorizationCodeResponse }
+                },
+              }),
+            },
+          ],
+          onError: {
+            target: OID4VCIMachineStates.handleError,
+            actions: assign({
+              error: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<ErrorDetails>): ErrorDetails => ({
+                title: _event.data.title ?? translate('oid4vci_machine_first_party_error_title'),
+                message: _event.data.message,
+                stack: _event.data.stack,
+              }),
+            }),
+          },
+        },
+      },
       [OID4VCIMachineStates.selectCredentials]: {
         id: OID4VCIMachineStates.selectCredentials,
         on: {
@@ -453,6 +507,10 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
       [OID4VCIMachineStates.transitionFromSelectingCredentials]: {
         id: OID4VCIMachineStates.transitionFromSelectingCredentials,
         always: [
+          {
+            target: OID4VCIMachineStates.startFirstPartApplicationFlow,
+            cond: OID4VCIMachineGuards.isFirstPartyApplication,
+          },
           {
             target: OID4VCIMachineStates.verifyPin,
             cond: OID4VCIMachineGuards.requirePinGuard,
@@ -726,6 +784,7 @@ export class OID4VCIMachine {
           oid4vciHasAuthorizationResponse,
           oid4vciIsOIDFOriginGuard,
           oid4vciContactHasLowTrustGuard,
+          oid4vciIsFirstPartyApplication,
           ...opts?.guards,
         },
       }),
@@ -737,7 +796,7 @@ export class OID4VCIMachine {
     if (opts?.requireCustomNavigationHook !== true) {
       if (typeof opts?.stateNavigationListener === 'function') {
         interpreter.onTransition((snapshot: OID4VCIMachineState): void => {
-          if (opts?.stateNavigationListener !== undefined) {
+          if (opts?.stateNavigationListener) {
             opts.stateNavigationListener(interpreter, snapshot)
           }
         })

package/src/{agent → mappers}/OIDC4VCIBrandingMapper.ts

@@ -1,15 +1,6 @@
 import { CredentialsSupportedDisplay, NameAndLocale } from '@sphereon/oid4vci-common'
-import {
-  IBasicCredentialClaim,
-  IBasicCredentialLocaleBranding,
-  IBasicIssuerLocaleBranding
-} from '@sphereon/ssi-sdk.data-store'
-import {
-  SdJwtClaimDisplayMetadata,
-  SdJwtClaimMetadata,
-  SdJwtClaimPath,
-  SdJwtTypeDisplayMetadata
-} from '@sphereon/ssi-types'
+import { IBasicCredentialClaim, IBasicCredentialLocaleBranding, IBasicIssuerLocaleBranding } from '@sphereon/ssi-sdk.data-store'
+import { SdJwtClaimDisplayMetadata, SdJwtClaimMetadata, SdJwtClaimPath, SdJwtTypeDisplayMetadata } from '@sphereon/ssi-types'
 import {
   IssuerLocaleBrandingFromArgs,
   Oid4vciCombineDisplayLocalesFromArgs,
@@ -26,7 +17,9 @@ import {
 
 // FIXME should we not move this to the branding plugin?
 
-export const oid4vciGetCredentialBrandingFrom = async (args: Oid4vciGetCredentialBrandingFromArgs): Promise<Array<IBasicCredentialLocaleBranding>> => {
+export const oid4vciGetCredentialBrandingFrom = async (
+  args: Oid4vciGetCredentialBrandingFromArgs,
+): Promise<Array<IBasicCredentialLocaleBranding>> => {
   const { credentialDisplay, issuerCredentialSubject } = args
 
   return oid4vciCombineDisplayLocalesFrom({
@@ -35,7 +28,9 @@ export const oid4vciGetCredentialBrandingFrom = async (args: Oid4vciGetCredentia
   })
 }
 
-export const oid4vciCredentialDisplayLocalesFrom = async (args: Oid4vciCredentialDisplayLocalesFromArgs): Promise<Map<string, CredentialsSupportedDisplay>> => {
+export const oid4vciCredentialDisplayLocalesFrom = async (
+  args: Oid4vciCredentialDisplayLocalesFromArgs,
+): Promise<Map<string, CredentialsSupportedDisplay>> => {
   const { credentialDisplay } = args
   return credentialDisplay.reduce((localeDisplays, display) => {
     const localeKey = display.locale || ''
@@ -44,7 +39,9 @@ export const oid4vciCredentialDisplayLocalesFrom = async (args: Oid4vciCredentia
   }, new Map<string, CredentialsSupportedDisplay>())
 }
 
-export const oid4vciIssuerCredentialSubjectLocalesFrom = async (args: Oid4vciIssuerCredentialSubjectLocalesFromArgs): Promise<Map<string, Array<IBasicCredentialClaim>>> => {
+export const oid4vciIssuerCredentialSubjectLocalesFrom = async (
+  args: Oid4vciIssuerCredentialSubjectLocalesFromArgs,
+): Promise<Map<string, Array<IBasicCredentialClaim>>> => {
   const { issuerCredentialSubject } = args
   const localeClaims = new Map<string, Array<IBasicCredentialClaim>>()
 
@@ -125,7 +122,9 @@ export const oid4vciCredentialLocaleBrandingFrom = async (args: Oid4vciCredentia
   }
 }
 
-export const oid4vciCombineDisplayLocalesFrom = async (args: Oid4vciCombineDisplayLocalesFromArgs): Promise<Array<IBasicCredentialLocaleBranding>> => {
+export const oid4vciCombineDisplayLocalesFrom = async (
+  args: Oid4vciCombineDisplayLocalesFromArgs,
+): Promise<Array<IBasicCredentialLocaleBranding>> => {
   const {
     credentialDisplayLocales = new Map<string, CredentialsSupportedDisplay>(),
     issuerCredentialSubjectLocales = new Map<string, Array<IBasicCredentialClaim>>(),
@@ -156,7 +155,9 @@ export const sdJwtGetCredentialBrandingFrom = async (args: SdJwtGetCredentialBra
   })
 }
 
-export const sdJwtCredentialDisplayLocalesFrom = async (args: SdJwtCredentialDisplayLocalesFromArgs): Promise<Map<string, SdJwtTypeDisplayMetadata>> => {
+export const sdJwtCredentialDisplayLocalesFrom = async (
+  args: SdJwtCredentialDisplayLocalesFromArgs,
+): Promise<Map<string, SdJwtTypeDisplayMetadata>> => {
   const { credentialDisplay } = args
   return credentialDisplay.reduce((localeDisplays, display) => {
     const localeKey = display.lang || ''
@@ -165,14 +166,16 @@ export const sdJwtCredentialDisplayLocalesFrom = async (args: SdJwtCredentialDis
   }, new Map<string, SdJwtTypeDisplayMetadata>())
 }
 
-export const sdJwtCredentialClaimLocalesFrom = async (args: SdJwtCredentialClaimLocalesFromArgs): Promise<Map<string, Array<IBasicCredentialClaim>>> => {
+export const sdJwtCredentialClaimLocalesFrom = async (
+  args: SdJwtCredentialClaimLocalesFromArgs,
+): Promise<Map<string, Array<IBasicCredentialClaim>>> => {
   const { claimsMetadata } = args
   const localeClaims = new Map<string, Array<IBasicCredentialClaim>>()
 
   claimsMetadata.forEach((claim: SdJwtClaimMetadata): void => {
     claim.display?.forEach((display: SdJwtClaimDisplayMetadata): void => {
-      const { lang = '', label } = display;
-      const key = claim.path.map((value: SdJwtClaimPath) => String(value)).join('.');
+      const { lang = '', label } = display
+      const key = claim.path.map((value: SdJwtClaimPath) => String(value)).join('.')
       if (!localeClaims.has(lang)) {
         localeClaims.set(lang, [])
       }
@@ -180,7 +183,7 @@ export const sdJwtCredentialClaimLocalesFrom = async (args: SdJwtCredentialClaim
     })
   })
 
-  return localeClaims;
+  return localeClaims
 }
 
 export const sdJwtCredentialLocaleBrandingFrom = async (args: SdJwtCredentialLocaleBrandingFromArgs): Promise<IBasicCredentialLocaleBranding> => {
@@ -213,17 +216,15 @@ export const sdJwtCredentialLocaleBrandingFrom = async (args: SdJwtCredentialLoc
     }),
     ...(credentialDisplay.rendering?.simple?.background_color && {
       background: {
-        color: credentialDisplay.rendering.simple.background_color ,
+        color: credentialDisplay.rendering.simple.background_color,
       },
     }),
   }
 }
 
 export const sdJwtCombineDisplayLocalesFrom = async (args: SdJwtCombineDisplayLocalesFromArgs): Promise<Array<IBasicCredentialLocaleBranding>> => {
-  const {
-    credentialDisplayLocales = new Map<string, SdJwtTypeDisplayMetadata>(),
-    claimsMetadata = new Map<string, Array<IBasicCredentialClaim>>(),
-  } = args
+  const { credentialDisplayLocales = new Map<string, SdJwtTypeDisplayMetadata>(), claimsMetadata = new Map<string, Array<IBasicCredentialClaim>>() } =
+    args
 
   const locales: Array<string> = Array.from(new Set([...claimsMetadata.keys(), ...credentialDisplayLocales.keys()]))
 

package/src/services/FirstPartyMachineServices.ts

@@ -0,0 +1,64 @@
+import { OpenID4VCIClient } from '@sphereon/oid4vci-client'
+import { AuthorizationChallengeValidationResponse } from '@sphereon/ssi-sdk.siopv2-oid4vp-common'
+import { AuthorizationChallengeCodeResponse } from '@sphereon/oid4vci-common'
+import { CreateConfigResult } from '@sphereon/ssi-sdk.siopv2-oid4vp-op-auth'
+import { v4 as uuidv4 } from 'uuid'
+import { RequiredContext } from '../types/IOID4VCIHolder'
+import {
+  CreateConfigArgs,
+  GetSiopRequestArgs,
+  SendAuthorizationChallengeRequestArgs,
+  SendAuthorizationResponseArgs,
+  SiopV2AuthorizationRequestData,
+} from '../types/FirstPartyMachine'
+
+export const sendAuthorizationChallengeRequest = async (args: SendAuthorizationChallengeRequestArgs): Promise<AuthorizationChallengeCodeResponse> => {
+  const { openID4VCIClientState, authSession, presentationDuringIssuanceSession } = args
+
+  const oid4vciClient = await OpenID4VCIClient.fromState({ state: openID4VCIClientState })
+  return oid4vciClient.acquireAuthorizationChallengeCode({
+    clientId: oid4vciClient.clientId ?? uuidv4(),
+    ...(authSession && { authSession }),
+    ...(!authSession &&
+      openID4VCIClientState.credentialOffer?.preAuthorizedCode && { issuerState: openID4VCIClientState.credentialOffer?.preAuthorizedCode }),
+    ...(!authSession && openID4VCIClientState.credentialOffer?.issuerState && { issuerState: openID4VCIClientState.credentialOffer?.issuerState }),
+    ...(presentationDuringIssuanceSession && { presentationDuringIssuanceSession }),
+  })
+}
+
+export const createConfig = async (args: CreateConfigArgs, context: RequiredContext): Promise<CreateConfigResult> => {
+  const { presentationUri } = args
+
+  if (!presentationUri) {
+    return Promise.reject(Error('Missing presentation uri in context'))
+  }
+
+  return context.agent.siopCreateConfig({ url: presentationUri })
+}
+
+export const getSiopRequest = async (args: GetSiopRequestArgs, context: RequiredContext): Promise<SiopV2AuthorizationRequestData> => {
+  const { didAuthConfig, presentationUri } = args
+
+  if (presentationUri === undefined) {
+    return Promise.reject(Error('Missing presentation uri in context'))
+  }
+
+  if (didAuthConfig === undefined) {
+    return Promise.reject(Error('Missing did auth config in context'))
+  }
+
+  return context.agent.siopGetSiopRequest({ didAuthConfig, url: presentationUri })
+}
+
+export const sendAuthorizationResponse = async (args: SendAuthorizationResponseArgs, context: RequiredContext): Promise<string> => {
+  const { didAuthConfig, authorizationRequestData, selectedCredentials } = args
+
+  const responseData = await context.agent.siopSendResponse({
+    authorizationRequestData,
+    selectedCredentials,
+    didAuthConfig,
+    isFirstParty: true,
+  })
+
+  return (<AuthorizationChallengeValidationResponse>responseData.body).presentation_during_issuance_session
+}

package/src/{agent → services}/OID4VCIHolderService.ts

@@ -10,6 +10,7 @@ import {
   getTypesFromObject,
   MetadataDisplay,
   OpenId4VCIVersion,
+  AuthorizationChallengeCodeResponse,
 } from '@sphereon/oid4vci-common'
 import { KeyUse } from '@sphereon/ssi-sdk-ext.did-resolver-jwk'
 import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
@@ -25,6 +26,7 @@ import { keyTypeFromCryptographicSuite } from '@sphereon/ssi-sdk-ext.key-utils'
 import { IBasicCredentialLocaleBranding, IBasicIssuerLocaleBranding } from '@sphereon/ssi-sdk.data-store'
 import {
   CredentialMapper,
+  Hasher,
   IVerifiableCredential,
   JoseSignatureAlgorithm,
   JoseSignatureAlgorithmString,
@@ -56,12 +58,13 @@ import {
   SelectAppLocaleBrandingArgs,
   VerificationResult,
   VerifyCredentialToAcceptArgs,
+  StartFirstPartApplicationMachine,
+  RequiredContext,
 } from '../types/IOID4VCIHolder'
-import {
-  oid4vciGetCredentialBrandingFrom,
-  sdJwtGetCredentialBrandingFrom,
-  issuerLocaleBrandingFrom
-} from './OIDC4VCIBrandingMapper'
+import { oid4vciGetCredentialBrandingFrom, sdJwtGetCredentialBrandingFrom, issuerLocaleBrandingFrom } from '../mappers/OIDC4VCIBrandingMapper'
+import { FirstPartyMachine } from '../machines/firstPartyMachine'
+import { FirstPartyMachineState, FirstPartyMachineStateTypes } from '../types/FirstPartyMachine'
+import { defaultHasher } from '@sphereon/ssi-sdk.core'
 
 export const getCredentialBranding = async (args: GetCredentialBrandingArgs): Promise<Record<string, Array<IBasicCredentialLocaleBranding>>> => {
   const { credentialsSupported, context } = args
@@ -83,14 +86,14 @@ export const getCredentialBranding = async (args: GetCredentialBrandingArgs): Pr
       if (sdJwtTypeMetadata) {
         mappedLocaleBranding = await sdJwtGetCredentialBrandingFrom({
           credentialDisplay: sdJwtTypeMetadata.display,
-          claimsMetadata: sdJwtTypeMetadata.claims
+          claimsMetadata: sdJwtTypeMetadata.claims,
         })
       } else {
         mappedLocaleBranding = await oid4vciGetCredentialBrandingFrom({
           credentialDisplay: credentialsConfigSupported.display,
           issuerCredentialSubject:
-          // @ts-ignore // FIXME SPRIND-123 add proper support for type recognition as claim display can be located elsewhere for v13
-          credentialsSupported.claims !== undefined ? credentialsConfigSupported.claims : credentialsConfigSupported.credentialSubject,
+            // @ts-ignore // FIXME SPRIND-123 add proper support for type recognition as claim display can be located elsewhere for v13
+            credentialsSupported.claims !== undefined ? credentialsConfigSupported.claims : credentialsConfigSupported.credentialSubject,
         })
       }
       // TODO we should make the mapper part of the plugin, so that the logic for getting the branding becomes more clear and easier to use
@@ -155,7 +158,7 @@ export const verifyCredentialToAccept = async (args: VerifyCredentialToAcceptArg
     return Promise.reject(Error('No credential found in credential response'))
   }
 
-  const wrappedVC = CredentialMapper.toWrappedVerifiableCredential(credential, { hasher })
+  const wrappedVC = CredentialMapper.toWrappedVerifiableCredential(credential, { hasher: hasher ?? defaultHasher })
   if (
     wrappedVC.decoded?.iss?.includes('did:ebsi:') ||
     (typeof wrappedVC.decoded?.vc?.issuer === 'string'
@@ -221,7 +224,7 @@ export const mapCredentialToAccept = async (args: MapCredentialToAcceptArgs): Pr
     if (!hasher) {
       return Promise.reject('a hasher is required for encoded SD-JWT credentials')
     }
-    const asyncHasher = (data: string, algorithm: string) => Promise.resolve(hasher(data, algorithm))
+    const asyncHasher: Hasher = (data: string | ArrayBuffer, algorithm: string) => Promise.resolve(hasher(data, algorithm))
     const decodedSdJwt = await CredentialMapper.decodeSdJwtVcAsync(wrappedVerifiableCredential.credential, asyncHasher)
     uniformVerifiableCredential = sdJwtDecodedCredentialToUniformCredential(<SdJwtDecodedVerifiableCredential>decodedSdJwt)
   } else if (CredentialMapper.isMsoMdocDecodedCredential(wrappedVerifiableCredential.credential)) {
@@ -615,3 +618,48 @@ export const getIssuanceCryptoSuite = async (opts: GetIssuanceCryptoSuiteArgs):
       return Promise.reject(Error(`Credential format '${credentialSupported.format}' not supported`))
   }
 }
+
+export const startFirstPartApplicationMachine = async (
+  args: StartFirstPartApplicationMachine,
+  context: RequiredContext,
+): Promise<AuthorizationChallengeCodeResponse | string> => {
+  const { openID4VCIClientState, stateNavigationListener, contact } = args
+
+  if (!openID4VCIClientState) {
+    return Promise.reject(Error('Missing openID4VCI client state in context'))
+  }
+
+  if (!contact) {
+    return Promise.reject(Error('Missing contact in context'))
+  }
+
+  const firstPartyMachineInstance = FirstPartyMachine.newInstance({
+    openID4VCIClientState,
+    contact,
+    agentContext: context,
+    stateNavigationListener,
+  })
+
+  return new Promise((resolve, reject) => {
+    try {
+      firstPartyMachineInstance.onTransition((state: FirstPartyMachineState) => {
+        if (state.matches(FirstPartyMachineStateTypes.done)) {
+          const authorizationCodeResponse = state.context.authorizationCodeResponse
+          if (!authorizationCodeResponse) {
+            reject(Error('No authorizationCodeResponse acquired'))
+          }
+          resolve(authorizationCodeResponse!)
+        } else if (state.matches(FirstPartyMachineStateTypes.aborted)) {
+          resolve(FirstPartyMachineStateTypes.aborted)
+        } else if (state.matches(FirstPartyMachineStateTypes.declined)) {
+          resolve(FirstPartyMachineStateTypes.declined)
+        } else if (state.matches(FirstPartyMachineStateTypes.error)) {
+          reject(state.context.error)
+        }
+      })
+      firstPartyMachineInstance.start()
+    } catch (error) {
+      reject(error)
+    }
+  })
+}

package/src/types/FirstPartyMachine.ts

@@ -0,0 +1,161 @@
+import { BaseActionObject, Interpreter, ResolveTypegenMeta, ServiceMap, State, StateMachine, StatesConfig, TypegenDisabled } from 'xstate'
+import { OpenID4VCIClientState } from '@sphereon/oid4vci-client'
+import { DidAuthConfig, Party } from '@sphereon/ssi-sdk.data-store'
+import { PresentationDefinitionWithLocation, RPRegistrationMetadataPayload } from '@sphereon/did-auth-siop'
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+import { AuthorizationChallengeCodeResponse } from '@sphereon/oid4vci-common'
+import { IIdentifier } from '@veramo/core'
+import { ErrorDetails, RequiredContext } from './IOID4VCIHolder'
+
+export enum FirstPartyMachineStateTypes {
+  sendAuthorizationChallengeRequest = 'sendAuthorizationChallengeRequest',
+  sendAuthorizationResponse = 'sendAuthorizationResponse',
+  selectCredentials = 'selectCredentials',
+  createConfig = 'createConfig',
+  getSiopRequest = 'getSiopRequest',
+  error = 'error',
+  done = 'done',
+  aborted = 'aborted',
+  declined = 'declined',
+}
+
+export enum FirstPartyMachineServices {
+  sendAuthorizationChallengeRequest = 'sendAuthorizationChallengeRequest',
+  sendAuthorizationResponse = 'sendAuthorizationResponse',
+  createConfig = 'createConfig',
+  getSiopRequest = 'getSiopRequest',
+}
+
+export type FirstPartyMachineStates = Record<FirstPartyMachineStateTypes, {}>
+
+export type FirstPartyMachineContext = {
+  openID4VCIClientState: OpenID4VCIClientState
+  selectedCredentials: Array<UniqueDigitalCredential>
+  contact: Party
+  authSession?: string
+  presentationUri?: string
+  identifier?: IIdentifier
+  didAuthConfig?: Omit<DidAuthConfig, 'identifier'>
+  authorizationRequestData?: SiopV2AuthorizationRequestData
+  presentationDuringIssuanceSession?: string
+  authorizationCodeResponse?: AuthorizationChallengeCodeResponse
+  error?: ErrorDetails
+}
+
+export enum FirstPartyMachineEvents {
+  NEXT = 'NEXT',
+  PREVIOUS = 'PREVIOUS',
+  DECLINE = 'DECLINE',
+  SET_SELECTED_CREDENTIALS = 'SET_SELECTED_CREDENTIALS',
+}
+
+export type FirstPartyNextEvent = { type: FirstPartyMachineEvents.NEXT }
+export type FirstPartyPreviousEvent = { type: FirstPartyMachineEvents.PREVIOUS }
+export type FirstPartyDeclineEvent = { type: FirstPartyMachineEvents.DECLINE }
+export type FirstPartySelectCredentialsEvent = {
+  type: FirstPartyMachineEvents.SET_SELECTED_CREDENTIALS
+  data: Array<UniqueDigitalCredential>
+}
+
+export type FirstPartyMachineEventTypes = FirstPartyNextEvent | FirstPartyPreviousEvent | FirstPartyDeclineEvent | FirstPartySelectCredentialsEvent
+
+export type FirstPartyMachineStatesConfig = StatesConfig<
+  FirstPartyMachineContext,
+  {
+    states: FirstPartyMachineStates
+  },
+  FirstPartyMachineEventTypes,
+  any
+>
+
+export type CreateFirstPartyMachineOpts = {
+  openID4VCIClientState: OpenID4VCIClientState
+  contact: Party
+  agentContext: RequiredContext
+  machineId?: string
+}
+
+export type FirstPartyStateMachine = StateMachine<
+  FirstPartyMachineContext,
+  any,
+  FirstPartyMachineEventTypes,
+  {
+    value: any
+    context: FirstPartyMachineContext
+  },
+  BaseActionObject,
+  ServiceMap,
+  ResolveTypegenMeta<TypegenDisabled, FirstPartyMachineEventTypes, BaseActionObject, ServiceMap>
+>
+
+export type FirstPartyMachineInterpreter = Interpreter<
+  FirstPartyMachineContext,
+  any,
+  FirstPartyMachineEventTypes,
+  {
+    value: any
+    context: FirstPartyMachineContext
+  },
+  any
+>
+
+export type FirstPartyMachineStateNavigationListener = (
+  firstPartyMachine: FirstPartyMachineInterpreter,
+  state: FirstPartyMachineState,
+  navigation?: any,
+) => Promise<void>
+
+export type InstanceFirstPartyMachineOpts = {
+  services?: any
+  guards?: any
+  subscription?: () => void
+  requireCustomNavigationHook?: boolean
+  stateNavigationListener?: FirstPartyMachineStateNavigationListener
+} & CreateFirstPartyMachineOpts
+
+export type FirstPartyMachineState = State<
+  FirstPartyMachineContext,
+  FirstPartyMachineEventTypes,
+  any,
+  {
+    value: any
+    context: FirstPartyMachineContext
+  },
+  any
+>
+
+export type FirstPartyMachineServiceDefinitions = Record<keyof typeof FirstPartyMachineServices, (...args: Array<any>) => any>
+
+export type SendAuthorizationChallengeRequestArgs = Pick<
+  FirstPartyMachineContext,
+  'openID4VCIClientState' | 'authSession' | 'presentationDuringIssuanceSession'
+>
+
+export type SendAuthorizationResponseArgs = Pick<
+  FirstPartyMachineContext,
+  'authSession' | 'presentationUri' | 'didAuthConfig' | 'authorizationRequestData' | 'selectedCredentials'
+>
+
+export type CreateConfigArgs = Pick<FirstPartyMachineContext, 'presentationUri' | 'identifier'>
+
+export type GetSiopRequestArgs = Pick<FirstPartyMachineContext, 'didAuthConfig' | 'presentationUri'>
+
+export type SiopV2AuthorizationRequestData = {
+  correlationId: string
+  registrationMetadataPayload: RPRegistrationMetadataPayload
+  issuer?: string
+  name?: string
+  uri?: URL
+  clientIdScheme?: string
+  clientId?: string
+  entityId?: string
+  presentationDefinitions?: PresentationDefinitionWithLocation[]
+}
+
+export type FirstPartyMachineNavigationArgs = {
+  firstPartyMachine: FirstPartyMachineInterpreter
+  state: FirstPartyMachineState
+  navigation: any
+  onNext?: () => void
+  onBack?: () => void
+}