@sphereon/ssi-sdk.oid4vci-holder 0.34.1-feature.SSISDK.65.redirect.fix.260 → 0.34.1-feature.SSISDK.70.integrate.digidentity.306

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.oid4vci-holder",
-  "version": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
+  "version": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,27 +26,27 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.19.1-feature.SSISDK.65.redirect.fix.194",
+    "@sphereon/did-auth-siop": "0.19.1-next.220",
     "@sphereon/kmp-mdoc-core": "0.2.0-SNAPSHOT.26",
-    "@sphereon/oid4vci-client": "0.19.1-feature.SSISDK.65.redirect.fix.194",
-    "@sphereon/oid4vci-common": "0.19.1-feature.SSISDK.65.redirect.fix.194",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.contact-manager": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.core": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.credential-store": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.credential-validation": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.data-store-types": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.mdl-mdoc": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.oidf-client": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
-    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
+    "@sphereon/oid4vci-client": "0.19.1-next.220",
+    "@sphereon/oid4vci-common": "0.19.1-next.220",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.contact-manager": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.core": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.credential-store": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.credential-validation": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.data-store-types": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.mdl-mdoc": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.oidf-client": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
+    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
     "@veramo/core": "4.2.0",
     "@veramo/data-store": "4.2.0",
     "@veramo/utils": "4.2.0",
@@ -59,8 +59,8 @@
     "xstate": "^4.38.3"
   },
   "devDependencies": {
-    "@sphereon/oid4vc-common": "0.19.1-feature.SSISDK.65.redirect.fix.194",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-feature.SSISDK.65.redirect.fix.260+6e576ccc",
+    "@sphereon/oid4vc-common": "0.19.1-next.220",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
     "@sphereon/ssi-sdk.siopv2-oid4vp-common": "workspace:*",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
@@ -90,5 +90,5 @@
     "OID4VCI",
     "State Machine"
   ],
-  "gitHead": "6e576ccc1d43004dbedfd8c958193a0ff5884fae"
+  "gitHead": "4491185688c3daa30f33d7f435ff75c9b0a853cb"
 }

package/src/agent/OID4VCIHolder.ts

@@ -29,11 +29,11 @@ import {
 import { IJwtService, JwsHeader } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'
 import { defaultHasher } from '@sphereon/ssi-sdk.core'
-import { ensureRawDocument } from '@sphereon/ssi-sdk.data-store-types'
 import {
   ConnectionType,
   CorrelationIdentifierType,
   CredentialCorrelationType,
+  ensureRawDocument,
   FindPartyArgs,
   IBasicCredentialLocaleBranding,
   IBasicIssuerLocaleBranding,
@@ -109,6 +109,8 @@ import {
   OnContactIdentityCreatedArgs,
   OnCredentialStoredArgs,
   OnIdentifierCreatedArgs,
+  PrepareAuthorizationRequestArgs,
+  PrepareAuthorizationResult,
   PrepareStartArgs,
   RequestType,
   RequiredContext,
@@ -214,6 +216,7 @@ export class OID4VCIHolder implements IAgentPlugin {
     oid4vciHolderStart: this.oid4vciHolderStart.bind(this),
     oid4vciHolderGetIssuerMetadata: this.oid4vciHolderGetIssuerMetadata.bind(this),
     oid4vciHolderGetMachineInterpreter: this.oid4vciHolderGetMachineInterpreter.bind(this),
+    oid4vciHolderPrepareAuthorizationRequest: this.oid4vciHolderPrepareAuthorizationRequest.bind(this),
     oid4vciHolderCreateCredentialsToSelectFrom: this.oid4vciHolderCreateCredentialsToSelectFrom.bind(this),
     oid4vciHolderGetContact: this.oid4vciHolderGetContact.bind(this),
     oid4vciHolderGetCredentials: this.oid4vciHolderGetCredentials.bind(this),
@@ -324,6 +327,8 @@ export class OID4VCIHolder implements IAgentPlugin {
         startFirstPartApplicationMachine({ ...args, stateNavigationListener: opts.firstPartyStateNavigationListener }, context),
       [OID4VCIMachineServices.createCredentialsToSelectFrom]: (args: CreateCredentialsToSelectFromArgs) =>
         this.oid4vciHolderCreateCredentialsToSelectFrom(args, context),
+      [OID4VCIMachineServices.prepareAuthorizationRequest]: (args: PrepareAuthorizationRequestArgs) =>
+        this.oid4vciHolderPrepareAuthorizationRequest(args, context),
       [OID4VCIMachineServices.getContact]: (args: GetContactArgs) => this.oid4vciHolderGetContact(args, context),
       [OID4VCIMachineServices.getCredentials]: (args: GetCredentialsArgs) =>
         this.oid4vciHolderGetCredentials({ accessTokenOpts: args.accessTokenOpts ?? opts.accessTokenOpts, ...args }, context),
@@ -426,7 +431,7 @@ export class OID4VCIHolder implements IAgentPlugin {
           credentialIssuer: uri,
           authorizationRequest: authorizationRequestOpts,
           clientId: authorizationRequestOpts.clientId,
-          createAuthorizationRequestURL: requestData.createAuthorizationRequestURL ?? true,
+          createAuthorizationRequestURL: false, // requestData.createAuthorizationRequestURL ?? true,
         })
       } else {
         logger.log(`Credential offer received: ${uri}`)
@@ -434,7 +439,7 @@ export class OID4VCIHolder implements IAgentPlugin {
           uri,
           authorizationRequest: authorizationRequestOpts,
           clientId: authorizationRequestOpts.clientId,
-          createAuthorizationRequestURL: requestData.createAuthorizationRequestURL ?? true,
+          createAuthorizationRequestURL: false, // requestData.createAuthorizationRequestURL ?? true,
         })
       }
     }
@@ -457,14 +462,9 @@ export class OID4VCIHolder implements IAgentPlugin {
 
     const serverMetadata = await oid4vciClient.retrieveServerMetadata()
     const credentialBranding = await getCredentialBranding({ credentialsSupported, context })
-    const authorizationCodeURL = oid4vciClient.authorizationURL
-    if (authorizationCodeURL) {
-      logger.log(`authorization code URL ${authorizationCodeURL}`)
-    }
     const oid4vciClientState = JSON.parse(await oid4vciClient.exportState())
 
     return {
-      authorizationCodeURL,
       credentialBranding,
       credentialsSupported,
       serverMetadata,
@@ -472,6 +472,42 @@ export class OID4VCIHolder implements IAgentPlugin {
     }
   }
 
+  private async oid4vciHolderPrepareAuthorizationRequest(
+    args: PrepareAuthorizationRequestArgs,
+    context: RequiredContext,
+  ): Promise<PrepareAuthorizationResult> {
+    const { openID4VCIClientState, contact } = args
+    if (!openID4VCIClientState) {
+      return Promise.reject(Error('Missing openID4VCI client state in context'))
+    }
+
+    const clientId = contact?.identities
+      .map((identity) => {
+        const connectionConfig = identity.connection?.config
+        if (connectionConfig && 'clientId' in connectionConfig) {
+          return connectionConfig.clientId
+        }
+        return undefined
+      })
+      .find((clientId) => clientId)
+
+    if (!clientId) {
+      return Promise.reject(Error(`Missing client id in contact's connectionConfig`))
+    }
+    const client = await OpenID4VCIClient.fromState({ state: openID4VCIClientState })
+    const authorizationCodeURL = await client.createAuthorizationRequestUrl({
+      authorizationRequest: {
+        clientId: clientId,
+      } satisfies AuthorizationRequestOpts,
+    })
+    if (authorizationCodeURL) {
+      logger.log(`authorization code URL ${authorizationCodeURL}`)
+    }
+    return {
+      authorizationCodeURL,
+    }
+  }
+
   private async oid4vciHolderCreateCredentialsToSelectFrom(
     args: CreateCredentialsToSelectFromArgs,
     context: RequiredContext,

package/src/machines/oid4vciMachine.ts

@@ -28,6 +28,7 @@ import {
   SelectCredentialsEvent,
   SetAuthorizationCodeURLEvent,
   VerificationCodeEvent,
+  PrepareAuthorizationResult,
 } from '../types/IOID4VCIHolder'
 import { FirstPartyMachineStateTypes } from '../types/FirstPartyMachine'
 
@@ -98,9 +99,7 @@ const oid4vciRequireAuthorizationGuard = (ctx: OID4VCIMachineContext, _event: OI
     throw Error('Missing openID4VCI client state in context')
   }
 
-  if (!openID4VCIClientState.authorizationURL) {
-    return false
-  } else if (openID4VCIClientState.authorizationRequestOpts) {
+  if (openID4VCIClientState.authorizationURL && openID4VCIClientState.authorizationRequestOpts) {
     // We have authz options or there is not credential offer to begin with.
     // We require authz as long as we do not have the authz code response
     return !ctx.openID4VCIClientState?.authorizationCodeResponse
@@ -164,6 +163,9 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
         [OID4VCIMachineServices.start]: {
           data: StartResult
         }
+        [OID4VCIMachineServices.prepareAuthorizationRequest]: {
+          data: PrepareAuthorizationResult
+        }
         [OID4VCIMachineServices.createCredentialsToSelectFrom]: {
           data: Array<CredentialToSelectFromResult>
         }
@@ -208,7 +210,6 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
           onDone: {
             target: OID4VCIMachineStates.createCredentialsToSelectFrom,
             actions: assign({
-              authorizationCodeURL: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<StartResult>) => _event.data.authorizationCodeURL,
               credentialBranding: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<StartResult>) => _event.data.credentialBranding ?? {},
               credentialsSupported: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<StartResult>) => _event.data.credentialsSupported,
               serverMetadata: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<StartResult>) => _event.data.serverMetadata,
@@ -439,6 +440,10 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
             target: OID4VCIMachineStates.startFirstPartApplicationFlow,
             cond: OID4VCIMachineGuards.isFirstPartyApplication,
           },
+          {
+            target: OID4VCIMachineStates.prepareAuthorizationRequest,
+            cond: OID4VCIMachineGuards.requireAuthorizationGuard,
+          },
           {
             target: OID4VCIMachineStates.initiateAuthorizationRequest,
             cond: OID4VCIMachineGuards.requireAuthorizationGuard,
@@ -511,12 +516,16 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
             target: OID4VCIMachineStates.startFirstPartApplicationFlow,
             cond: OID4VCIMachineGuards.isFirstPartyApplication,
           },
+          {
+            target: OID4VCIMachineStates.prepareAuthorizationRequest,
+            cond: OID4VCIMachineGuards.requireAuthorizationGuard,
+          },
           {
             target: OID4VCIMachineStates.verifyPin,
             cond: OID4VCIMachineGuards.requirePinGuard,
           },
           {
-            target: OID4VCIMachineStates.initiateAuthorizationRequest,
+            target: OID4VCIMachineStates.prepareAuthorizationRequest,
             cond: OID4VCIMachineGuards.requireAuthorizationGuard,
           },
           {
@@ -524,6 +533,29 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
           },
         ],
       },
+      [OID4VCIMachineStates.prepareAuthorizationRequest]: {
+        id: OID4VCIMachineStates.prepareAuthorizationRequest,
+        invoke: {
+          src: OID4VCIMachineServices.prepareAuthorizationRequest,
+          onDone: {
+            target: OID4VCIMachineStates.initiateAuthorizationRequest,
+            actions: assign({
+              authorizationCodeURL: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<PrepareAuthorizationResult>) =>
+                _event.data.authorizationCodeURL,
+            }),
+          },
+          onError: {
+            target: OID4VCIMachineStates.handleError,
+            actions: assign({
+              error: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<Error>): ErrorDetails => ({
+                title: translate('oid4vci_machine_prepare_authorization_error_title'),
+                message: _event.data.message,
+                stack: _event.data.stack,
+              }),
+            }),
+          },
+        },
+      },
       [OID4VCIMachineStates.initiateAuthorizationRequest]: {
         id: OID4VCIMachineStates.initiateAuthorizationRequest,
         on: {

package/src/services/OID4VCIHolderService.ts

@@ -209,9 +209,7 @@ export const mapCredentialToAccept = async (args: MapCredentialToAcceptArgs): Pr
   )
   let uniformVerifiableCredential: IVerifiableCredential
   if (CredentialMapper.isSdJwtDecodedCredential(wrappedVerifiableCredential.credential)) {
-    uniformVerifiableCredential = await sdJwtDecodedCredentialToUniformCredential(
-      <SdJwtDecodedVerifiableCredential>wrappedVerifiableCredential.credential,
-    )
+    uniformVerifiableCredential = sdJwtDecodedCredentialToUniformCredential(<SdJwtDecodedVerifiableCredential>wrappedVerifiableCredential.credential)
   } else if (CredentialMapper.isSdJwtEncoded(wrappedVerifiableCredential.credential)) {
     if (!hasher) {
       return Promise.reject('a hasher is required for encoded SD-JWT credentials')

package/src/types/IOID4VCIHolder.ts

@@ -79,6 +79,7 @@ export interface IOID4VCIHolder extends IPluginMethodMap {
     context: RequiredContext,
   ): Promise<Array<CredentialToSelectFromResult>>
 
+  oid4vciHolderPrepareAuthorizationRequest(args: PrepareAuthorizationRequestArgs, context: RequiredContext): Promise<PrepareAuthorizationResult>
   oid4vciHolderGetContact(args: GetContactArgs, context: RequiredContext): Promise<Party | undefined>
 
   oid4vciHolderGetCredentials(args: GetCredentialsArgs, context: RequiredContext): Promise<Array<MappedCredentialToAccept>>
@@ -148,6 +149,7 @@ export type PrepareStartArgs = Pick<
   OID4VCIMachineContext,
   'requestData' | 'authorizationRequestOpts' | 'didMethodPreferences' | 'issuanceOpt' | 'accessTokenOpts'
 >
+export type PrepareAuthorizationRequestArgs = Pick<OID4VCIMachineContext, 'openID4VCIClientState' | 'contact'>
 export type CreateCredentialsToSelectFromArgs = Pick<
   OID4VCIMachineContext,
   'credentialsSupported' | 'credentialBranding' | 'selectedCredentials' | 'locale' | 'openID4VCIClientState'
@@ -256,6 +258,7 @@ export enum OID4VCIMachineStates {
   selectCredentials = 'selectCredentials',
   transitionFromSelectingCredentials = 'transitionFromSelectingCredentials',
   verifyPin = 'verifyPin',
+  prepareAuthorizationRequest = 'prepareAuthorizationRequest',
   initiateAuthorizationRequest = 'initiateAuthorizationRequest',
   waitForAuthorizationResponse = 'waitForAuthorizationResponse',
   getCredentials = 'getCredentials',
@@ -395,6 +398,7 @@ export enum OID4VCIMachineServices {
   getFederationTrust = 'getFederationTrust',
   addContactIdentity = 'addContactIdentity',
   createCredentialsToSelectFrom = 'createCredentialsToSelectFrom',
+  prepareAuthorizationRequest = 'prepareAuthorizationRequest',
   getIssuerBranding = 'getIssuerBranding',
   storeIssuerBranding = 'storeIssuerBranding',
   getCredentials = 'getCredentials',
@@ -460,13 +464,16 @@ export type OID4VCIMachine = {
 }
 
 export type StartResult = {
-  authorizationCodeURL?: string
   credentialBranding?: Record<string, Array<IBasicCredentialLocaleBranding>>
   credentialsSupported: Record<string, CredentialConfigurationSupported>
   serverMetadata: EndpointMetadataResult
   oid4vciClientState: OpenID4VCIClientState
 }
 
+export type PrepareAuthorizationResult = {
+  authorizationCodeURL?: string
+}
+
 export type SelectAppLocaleBrandingArgs = {
   locale?: string
   localeBranding?: Array<IBasicCredentialLocaleBranding | IBasicIssuerLocaleBranding>