@sphereon/ssi-sdk.oid4vci-holder 0.34.1-next.3 → 0.34.1-next.322

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.oid4vci-holder",
-  "version": "0.34.1-next.3+6c49ea2f",
+  "version": "0.34.1-next.322+78f8dd31",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,40 +26,41 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.19.0",
+    "@sphereon/did-auth-siop": "0.19.1-next.234",
     "@sphereon/kmp-mdoc-core": "0.2.0-SNAPSHOT.26",
-    "@sphereon/oid4vci-client": "0.19.0",
-    "@sphereon/oid4vci-common": "0.19.0",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.29.1-next.3",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.29.1-next.3",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.29.1-next.3",
-    "@sphereon/ssi-sdk-ext.key-utils": "0.29.1-next.3",
-    "@sphereon/ssi-sdk.contact-manager": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.core": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.credential-store": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.credential-validation": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.data-store": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.mdl-mdoc": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.oidf-client": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-next.3+6c49ea2f",
-    "@sphereon/ssi-types": "0.34.1-next.3+6c49ea2f",
+    "@sphereon/oid4vci-client": "0.19.1-next.234",
+    "@sphereon/oid4vci-common": "0.19.1-next.234",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.contact-manager": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.core": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.credential-store": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.credential-validation": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.data-store-types": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.mdl-mdoc": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.oidf-client": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-next.322+78f8dd31",
+    "@sphereon/ssi-types": "0.34.1-next.322+78f8dd31",
     "@veramo/core": "4.2.0",
     "@veramo/data-store": "4.2.0",
     "@veramo/utils": "4.2.0",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
+    "dcql": "1.0.1",
     "i18n-js": "^3.9.2",
     "lodash.memoize": "^4.1.2",
     "uuid": "^9.0.1",
     "xstate": "^4.38.3"
   },
   "devDependencies": {
-    "@sphereon/oid4vc-common": "0.19.0",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.29.1-next.3",
+    "@sphereon/oid4vc-common": "0.19.1-next.234",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-next.322+78f8dd31",
     "@sphereon/ssi-sdk.siopv2-oid4vp-common": "workspace:*",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
@@ -89,5 +90,5 @@
     "OID4VCI",
     "State Machine"
   ],
-  "gitHead": "6c49ea2f9c1bc61641ca2c98e3aa0a5b48018d91"
+  "gitHead": "78f8dd3157066ae8cf11d2ae50c8c3d8f43b8ed0"
 }

package/src/agent/OID4VCIHolder.ts

@@ -1,16 +1,14 @@
-import { CredentialOfferClient, MetadataClient, OpenID4VCIClient } from '@sphereon/oid4vci-client'
+import { CredentialOfferClient, MetadataClient, OpenID4VCIClient, OpenID4VCIClientV1_0_15 } from '@sphereon/oid4vci-client'
 import {
-  AuthorizationDetails,
+  AuthorizationDetailsV1_0_15,
   AuthorizationRequestOpts,
   AuthorizationServerClientOpts,
   AuthorizationServerOpts,
-  CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_13,
-  CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13,
+  CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_15,
+  CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_15,
   CredentialOfferRequestWithBaseUrl,
   DefaultURISchemes,
   EndpointMetadataResult,
-  getTypesFromAuthorizationDetails,
-  getTypesFromCredentialOffer,
   getTypesFromObject,
   Jwt,
   NotificationRequest,
@@ -30,11 +28,11 @@ import {
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IJwtService, JwsHeader } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { signatureAlgorithmFromKey } from '@sphereon/ssi-sdk-ext.key-utils'
+import { defaultHasher } from '@sphereon/ssi-sdk.core'
 import {
   ConnectionType,
   CorrelationIdentifierType,
   CredentialCorrelationType,
-  CredentialRole,
   ensureRawDocument,
   FindPartyArgs,
   IBasicCredentialLocaleBranding,
@@ -44,17 +42,17 @@ import {
   IIssuerLocaleBranding,
   NonPersistedIdentity,
   Party,
-} from '@sphereon/ssi-sdk.data-store'
+} from '@sphereon/ssi-sdk.data-store-types'
 import {
   CredentialMapper,
   type CredentialProofFormat,
+  CredentialRole,
   HasherSync,
   IVerifiableCredential,
   JoseSignatureAlgorithm,
   JoseSignatureAlgorithmString,
   JwtDecodedVerifiableCredential,
   Loggers,
-  OriginalVerifiableCredential,
   parseDid,
   SdJwtDecodedVerifiableCredentialPayload,
   WrappedW3CVerifiableCredential,
@@ -70,9 +68,22 @@ import {
   W3CVerifiableCredential,
 } from '@veramo/core'
 import { asArray, computeEntryHash } from '@veramo/utils'
+import fetch from 'cross-fetch'
 import { decodeJWT } from 'did-jwt'
 import { v4 as uuidv4 } from 'uuid'
 import { OID4VCIMachine } from '../machines/oid4vciMachine'
+import {
+  extractCredentialFromResponse,
+  getBasicIssuerLocaleBranding,
+  getCredentialBranding,
+  getCredentialConfigsSupportedMerged,
+  getIdentifierOpts,
+  getIssuanceOpts,
+  mapCredentialToAccept,
+  selectCredentialLocaleBranding,
+  startFirstPartApplicationMachine,
+  verifyCredentialToAccept,
+} from '../services/OID4VCIHolderService'
 import {
   AddContactIdentityArgs,
   AssertValidCredentialsArgs,
@@ -98,6 +109,8 @@ import {
   OnContactIdentityCreatedArgs,
   OnCredentialStoredArgs,
   OnIdentifierCreatedArgs,
+  PrepareAuthorizationRequestArgs,
+  PrepareAuthorizationResult,
   PrepareStartArgs,
   RequestType,
   RequiredContext,
@@ -111,19 +124,6 @@ import {
   VerifyEBSICredentialIssuerArgs,
   VerifyEBSICredentialIssuerResult,
 } from '../types/IOID4VCIHolder'
-import {
-  getBasicIssuerLocaleBranding,
-  getCredentialBranding,
-  getCredentialConfigsSupportedMerged,
-  getIdentifierOpts,
-  getIssuanceOpts,
-  mapCredentialToAccept,
-  selectCredentialLocaleBranding,
-  startFirstPartApplicationMachine,
-  verifyCredentialToAccept,
-} from '../services/OID4VCIHolderService'
-import 'cross-fetch/polyfill'
-import { defaultHasher } from '@sphereon/ssi-sdk.core'
 
 /**
  * {@inheritDoc IOID4VCIHolder}
@@ -151,7 +151,7 @@ export function signCallback(
   context: IAgentContext<IKeyManager & IDIDManager & IResolver & IIdentifierResolution & IJwtService>,
   nonce?: string,
 ) {
-  return async (jwt: Jwt, kid?: string) => {
+  return async (jwt: Jwt, kid?: string, noIssPayloadUpdate?: boolean) => {
     let resolution = await context.agent.identifierManagedGet(identifier)
     const jwk = jwt.header.jwk ?? (resolution.method === 'jwk' ? resolution.jwk : undefined)
     if (!resolution.issuer && !jwt.payload.iss) {
@@ -170,7 +170,7 @@ export function signCallback(
     }
     return (
       await context.agent.jwtCreateJwsCompactSignature({
-        issuer: { ...resolution, noIssPayloadUpdate: false },
+        issuer: { ...resolution, noIssPayloadUpdate: noIssPayloadUpdate ?? false },
         protectedHeader: header,
         payload,
       })
@@ -216,6 +216,7 @@ export class OID4VCIHolder implements IAgentPlugin {
     oid4vciHolderStart: this.oid4vciHolderStart.bind(this),
     oid4vciHolderGetIssuerMetadata: this.oid4vciHolderGetIssuerMetadata.bind(this),
     oid4vciHolderGetMachineInterpreter: this.oid4vciHolderGetMachineInterpreter.bind(this),
+    oid4vciHolderPrepareAuthorizationRequest: this.oid4vciHolderPrepareAuthorizationRequest.bind(this),
     oid4vciHolderCreateCredentialsToSelectFrom: this.oid4vciHolderCreateCredentialsToSelectFrom.bind(this),
     oid4vciHolderGetContact: this.oid4vciHolderGetContact.bind(this),
     oid4vciHolderGetCredentials: this.oid4vciHolderGetCredentials.bind(this),
@@ -229,7 +230,7 @@ export class OID4VCIHolder implements IAgentPlugin {
     oid4vciHolderStoreIssuerBranding: this.oid4vciHolderStoreIssuerBranding.bind(this),
   }
 
-  private readonly vcFormatPreferences: Array<string> = ['vc+sd-jwt', 'mso_mdoc', 'jwt_vc_json', 'jwt_vc', 'ldp_vc']
+  private readonly vcFormatPreferences: Array<string> = ['dc+sd-jwt', 'vc+sd-jwt', 'mso_mdoc', 'jwt_vc_json', 'jwt_vc', 'ldp_vc'] // TODO see SSISDK-52 concerning vc+sd-jwt
   private readonly jsonldCryptographicSuitePreferences: Array<string> = [
     'Ed25519Signature2018',
     'EcdsaSecp256k1Signature2019',
@@ -326,6 +327,8 @@ export class OID4VCIHolder implements IAgentPlugin {
         startFirstPartApplicationMachine({ ...args, stateNavigationListener: opts.firstPartyStateNavigationListener }, context),
       [OID4VCIMachineServices.createCredentialsToSelectFrom]: (args: CreateCredentialsToSelectFromArgs) =>
         this.oid4vciHolderCreateCredentialsToSelectFrom(args, context),
+      [OID4VCIMachineServices.prepareAuthorizationRequest]: (args: PrepareAuthorizationRequestArgs) =>
+        this.oid4vciHolderPrepareAuthorizationRequest(args, context),
       [OID4VCIMachineServices.getContact]: (args: GetContactArgs) => this.oid4vciHolderGetContact(args, context),
       [OID4VCIMachineServices.getCredentials]: (args: GetCredentialsArgs) =>
         this.oid4vciHolderGetCredentials({ accessTokenOpts: args.accessTokenOpts ?? opts.accessTokenOpts, ...args }, context),
@@ -375,11 +378,9 @@ export class OID4VCIHolder implements IAgentPlugin {
     }
 
     const authorizationRequestOpts = { ...this.defaultAuthorizationRequestOpts, ...args.authorizationRequestOpts } satisfies AuthorizationRequestOpts
-    // We filter the details first against our vcformat prefs
+    // TODO: Previously we filtered the details first against our vcformat prefs. However auth details does not have the notion of formats anymore
     authorizationRequestOpts.authorizationDetails = authorizationRequestOpts?.authorizationDetails
-      ? asArray(authorizationRequestOpts.authorizationDetails).filter(
-          (detail) => typeof detail === 'string' || this.vcFormatPreferences.includes(detail.format),
-        )
+      ? asArray(authorizationRequestOpts.authorizationDetails)
       : undefined
 
     if (!authorizationRequestOpts.redirectUri) {
@@ -391,19 +392,19 @@ export class OID4VCIHolder implements IAgentPlugin {
       authorizationRequestOpts.clientId = authorizationRequestOpts.redirectUri
     }
 
+    // TODO: This entire filter and formats population should not work anymore, as the auth details no longer have the format property.
     let formats: string[] = this.vcFormatPreferences
     const authFormats = authorizationRequestOpts?.authorizationDetails
-      ?.map((detail: AuthorizationDetails) => (typeof detail === 'object' && 'format' in detail && detail.format ? detail.format : undefined))
+      ?.map((detail: AuthorizationDetailsV1_0_15) => (typeof detail === 'object' && 'format' in detail && detail.format ? detail.format : undefined))
       .filter((format) => !!format)
       .map((format) => format as string)
     if (authFormats && authFormats.length > 0) {
       formats = Array.from(new Set(authFormats))
     }
-    let oid4vciClient: OpenID4VCIClient
-    let types: string[][] | undefined = undefined
+    let oid4vciClient: OpenID4VCIClientV1_0_15
     let offer: CredentialOfferRequestWithBaseUrl | undefined
     if (requestData.existingClientState) {
-      oid4vciClient = await OpenID4VCIClient.fromState({ state: requestData.existingClientState })
+      oid4vciClient = await OpenID4VCIClientV1_0_15.fromState({ state: requestData.existingClientState })
       offer = oid4vciClient.credentialOffer
     } else {
       offer = requestData.credentialOffer
@@ -425,46 +426,44 @@ export class OID4VCIHolder implements IAgentPlugin {
       if (!offer) {
         // else no offer, meaning we have an issuer URL
         logger.log(`Issuer url received (no credential offer): ${uri}`)
-        oid4vciClient = await OpenID4VCIClient.fromCredentialIssuer({
+        oid4vciClient = await OpenID4VCIClientV1_0_15.fromCredentialIssuer({
           credentialIssuer: uri,
           authorizationRequest: authorizationRequestOpts,
           clientId: authorizationRequestOpts.clientId,
-          createAuthorizationRequestURL: requestData.createAuthorizationRequestURL ?? true,
+          createAuthorizationRequestURL: false, // requestData.createAuthorizationRequestURL ?? true,
         })
       } else {
         logger.log(`Credential offer received: ${uri}`)
-        oid4vciClient = await OpenID4VCIClient.fromURI({
+        oid4vciClient = await OpenID4VCIClientV1_0_15.fromURI({
           uri,
           authorizationRequest: authorizationRequestOpts,
           clientId: authorizationRequestOpts.clientId,
-          createAuthorizationRequestURL: requestData.createAuthorizationRequestURL ?? true,
+          createAuthorizationRequestURL: false, // requestData.createAuthorizationRequestURL ?? true,
         })
       }
     }
 
+    let configurationIds: Array<string> = []
     if (offer) {
-      types = getTypesFromCredentialOffer(offer.original_credential_offer)
+      configurationIds = offer.original_credential_offer.credential_configuration_ids
     } else {
-      types = asArray(authorizationRequestOpts.authorizationDetails)
-        .map((authReqOpts) => getTypesFromAuthorizationDetails(authReqOpts) ?? [])
-        .filter((inner) => inner.length > 0)
+      configurationIds = asArray(authorizationRequestOpts.authorizationDetails)
+        // .filter((authDetails): authDetails is Exclude<AuthorizationDetailsV1_0_15, string> => typeof authDetails !== 'string')
+        .map((authReqOpts) => authReqOpts.credential_configuration_id)
+        .filter((id): id is string => !!id)
     }
 
-    const serverMetadata = await oid4vciClient.retrieveServerMetadata()
     const credentialsSupported = await getCredentialConfigsSupportedMerged({
       client: oid4vciClient,
       vcFormatPreferences: formats,
-      types,
+      configurationIds,
     })
+
+    const serverMetadata = await oid4vciClient.retrieveServerMetadata()
     const credentialBranding = await getCredentialBranding({ credentialsSupported, context })
-    const authorizationCodeURL = oid4vciClient.authorizationURL
-    if (authorizationCodeURL) {
-      logger.log(`authorization code URL ${authorizationCodeURL}`)
-    }
     const oid4vciClientState = JSON.parse(await oid4vciClient.exportState())
 
     return {
-      authorizationCodeURL,
       credentialBranding,
       credentialsSupported,
       serverMetadata,
@@ -472,6 +471,42 @@ export class OID4VCIHolder implements IAgentPlugin {
     }
   }
 
+  private async oid4vciHolderPrepareAuthorizationRequest(
+    args: PrepareAuthorizationRequestArgs,
+    context: RequiredContext,
+  ): Promise<PrepareAuthorizationResult> {
+    const { openID4VCIClientState, contact } = args
+    if (!openID4VCIClientState) {
+      return Promise.reject(Error('Missing openID4VCI client state in context'))
+    }
+
+    const clientId = contact?.identities
+      .map((identity) => {
+        const connectionConfig = identity.connection?.config
+        if (connectionConfig && 'clientId' in connectionConfig) {
+          return connectionConfig.clientId
+        }
+        return undefined
+      })
+      .find((clientId) => clientId)
+
+    if (!clientId) {
+      return Promise.reject(Error(`Missing client id in contact's connectionConfig`))
+    }
+    const client = await OpenID4VCIClient.fromState({ state: openID4VCIClientState })
+    const authorizationCodeURL = await client.createAuthorizationRequestUrl({
+      authorizationRequest: {
+        clientId: clientId,
+      } satisfies AuthorizationRequestOpts,
+    })
+    if (authorizationCodeURL) {
+      logger.log(`authorization code URL ${authorizationCodeURL}`)
+    }
+    return {
+      authorizationCodeURL,
+    }
+  }
+
   private async oid4vciHolderCreateCredentialsToSelectFrom(
     args: CreateCredentialsToSelectFromArgs,
     context: RequiredContext,
@@ -587,7 +622,7 @@ export class OID4VCIHolder implements IAgentPlugin {
       return Promise.reject(Error('Missing openID4VCI client state in context'))
     }
 
-    const client = await OpenID4VCIClient.fromState({ state: openID4VCIClientState })
+    const client = await OpenID4VCIClientV1_0_15.fromState({ state: openID4VCIClientState })
     const credentialsSupported = await getCredentialConfigsSupportedMerged({
       client,
       vcFormatPreferences: this.vcFormatPreferences,
@@ -849,11 +884,30 @@ export class OID4VCIHolder implements IAgentPlugin {
 
     let counter = 0
     for (const credentialId of selectedCredentials) {
-      const localeBranding: Array<IBasicCredentialLocaleBranding> | undefined = credentialBranding?.[credentialId]
+      // The selectedCredential from context is the configurationId, whilst we store the branding by type. We need to map
+      const configId = credentialId
+      const types =
+        credentialsToAccept
+          .find((ac) => ac.correlationId === configId || ac.credentialToAccept.id === configId || ac.types.includes(configId))
+          ?.types?.filter((type) => type != 'VerifiableCredential') ?? []
+
+      const localeBranding: Array<IBasicCredentialLocaleBranding> = credentialBranding?.[configId] ?? []
+      if (localeBranding.length === 0) {
+        for (const type of types) {
+          const branding = credentialBranding?.[type] ?? []
+          if (branding.length > 0) {
+            localeBranding.push(...branding)
+          }
+        }
+      }
+
       if (localeBranding && localeBranding.length > 0) {
         const credential = credentialsToAccept.find(
           (credAccept) =>
-            credAccept.credentialToAccept.id === credentialId || JSON.stringify(credAccept.types) === credentialId || credentialsToAccept[counter],
+            credAccept.credentialToAccept.id === credentialId ||
+            JSON.stringify(credAccept.types) === credentialId ||
+            JSON.stringify(credAccept.types.filter((cred) => cred !== 'VerifiableCredential')) === JSON.stringify(types) ||
+            credentialsToAccept[counter],
         )!
         counter++
         await context.agent.ibAddCredentialBranding({
@@ -920,7 +974,8 @@ export class OID4VCIHolder implements IAgentPlugin {
           ? 'credential_accepted_holder_signed'
           : 'credential_deleted_holder_signed'
         logger.log(`Subject issuance/signing will be used, with event`, event)
-        const issuerVC = mappedCredentialToAccept.credentialToAccept.credentialResponse.credential as OriginalVerifiableCredential
+
+        const issuerVC = extractCredentialFromResponse(mappedCredentialToAccept.credentialToAccept.credentialResponse)
         const wrappedIssuerVC = CredentialMapper.toWrappedVerifiableCredential(issuerVC, { hasher: this.hasher ?? defaultHasher })
         console.log(`Wrapped VC: ${wrappedIssuerVC.type}, ${wrappedIssuerVC.format}`)
         // We will use the subject of the VCI Issuer (the holder, as the issuer of the new credential, so the below is not a mistake!)
@@ -1150,9 +1205,9 @@ export class OID4VCIHolder implements IAgentPlugin {
     return undefined
   }
 
-  private getCredentialDefinition(issuanceOpt: IssuanceOpts): CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13 | undefined {
+  private getCredentialDefinition(issuanceOpt: IssuanceOpts): CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_15 | undefined {
     if (issuanceOpt.format == 'ldp_vc' || issuanceOpt.format == 'jwt_vc_json-ld') {
-      return (issuanceOpt as CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_13).credential_definition
+      return (issuanceOpt as CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_15).credential_definition
     }
     return undefined
   }

package/src/machines/firstPartyMachine.ts

@@ -1,6 +1,6 @@
 import { assign, createMachine, DoneInvokeEvent, interpret } from 'xstate'
 import { AuthorizationChallengeCodeResponse, AuthorizationChallengeError, AuthorizationChallengeErrorResponse } from '@sphereon/oid4vci-common'
-import { DidAuthConfig } from '@sphereon/ssi-sdk.data-store'
+import { DidAuthConfig } from '@sphereon/ssi-sdk.data-store-types'
 import { CreateConfigResult } from '@sphereon/ssi-sdk.siopv2-oid4vp-op-auth'
 import { createConfig, getSiopRequest, sendAuthorizationChallengeRequest, sendAuthorizationResponse } from '../services/FirstPartyMachineServices'
 import { translate } from '../localization/Localization'

package/src/machines/oid4vciMachine.ts

@@ -1,5 +1,5 @@
 import { AuthorizationChallengeCodeResponse, AuthzFlowType, toAuthorizationResponsePayload } from '@sphereon/oid4vci-common'
-import { IBasicIssuerLocaleBranding, Identity, IIssuerLocaleBranding, Party } from '@sphereon/ssi-sdk.data-store'
+import { IBasicIssuerLocaleBranding, Identity, IIssuerLocaleBranding, Party } from '@sphereon/ssi-sdk.data-store-types'
 import { assign, createMachine, DoneInvokeEvent, interpret } from 'xstate'
 import { translate } from '../localization/Localization'
 import {
@@ -28,6 +28,7 @@ import {
   SelectCredentialsEvent,
   SetAuthorizationCodeURLEvent,
   VerificationCodeEvent,
+  PrepareAuthorizationResult,
 } from '../types/IOID4VCIHolder'
 import { FirstPartyMachineStateTypes } from '../types/FirstPartyMachine'
 
@@ -98,9 +99,7 @@ const oid4vciRequireAuthorizationGuard = (ctx: OID4VCIMachineContext, _event: OI
     throw Error('Missing openID4VCI client state in context')
   }
 
-  if (!openID4VCIClientState.authorizationURL) {
-    return false
-  } else if (openID4VCIClientState.authorizationRequestOpts) {
+  if (openID4VCIClientState.authorizationURL && openID4VCIClientState.authorizationRequestOpts) {
     // We have authz options or there is not credential offer to begin with.
     // We require authz as long as we do not have the authz code response
     return !ctx.openID4VCIClientState?.authorizationCodeResponse
@@ -164,6 +163,9 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
         [OID4VCIMachineServices.start]: {
           data: StartResult
         }
+        [OID4VCIMachineServices.prepareAuthorizationRequest]: {
+          data: PrepareAuthorizationResult
+        }
         [OID4VCIMachineServices.createCredentialsToSelectFrom]: {
           data: Array<CredentialToSelectFromResult>
         }
@@ -208,7 +210,6 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
           onDone: {
             target: OID4VCIMachineStates.createCredentialsToSelectFrom,
             actions: assign({
-              authorizationCodeURL: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<StartResult>) => _event.data.authorizationCodeURL,
               credentialBranding: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<StartResult>) => _event.data.credentialBranding ?? {},
               credentialsSupported: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<StartResult>) => _event.data.credentialsSupported,
               serverMetadata: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<StartResult>) => _event.data.serverMetadata,
@@ -439,6 +440,10 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
             target: OID4VCIMachineStates.startFirstPartApplicationFlow,
             cond: OID4VCIMachineGuards.isFirstPartyApplication,
           },
+          {
+            target: OID4VCIMachineStates.prepareAuthorizationRequest,
+            cond: OID4VCIMachineGuards.requireAuthorizationGuard,
+          },
           {
             target: OID4VCIMachineStates.initiateAuthorizationRequest,
             cond: OID4VCIMachineGuards.requireAuthorizationGuard,
@@ -511,12 +516,16 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
             target: OID4VCIMachineStates.startFirstPartApplicationFlow,
             cond: OID4VCIMachineGuards.isFirstPartyApplication,
           },
+          {
+            target: OID4VCIMachineStates.prepareAuthorizationRequest,
+            cond: OID4VCIMachineGuards.requireAuthorizationGuard,
+          },
           {
             target: OID4VCIMachineStates.verifyPin,
             cond: OID4VCIMachineGuards.requirePinGuard,
           },
           {
-            target: OID4VCIMachineStates.initiateAuthorizationRequest,
+            target: OID4VCIMachineStates.prepareAuthorizationRequest,
             cond: OID4VCIMachineGuards.requireAuthorizationGuard,
           },
           {
@@ -524,6 +533,29 @@ const createOID4VCIMachine = (opts?: CreateOID4VCIMachineOpts): OID4VCIStateMach
           },
         ],
       },
+      [OID4VCIMachineStates.prepareAuthorizationRequest]: {
+        id: OID4VCIMachineStates.prepareAuthorizationRequest,
+        invoke: {
+          src: OID4VCIMachineServices.prepareAuthorizationRequest,
+          onDone: {
+            target: OID4VCIMachineStates.initiateAuthorizationRequest,
+            actions: assign({
+              authorizationCodeURL: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<PrepareAuthorizationResult>) =>
+                _event.data.authorizationCodeURL,
+            }),
+          },
+          onError: {
+            target: OID4VCIMachineStates.handleError,
+            actions: assign({
+              error: (_ctx: OID4VCIMachineContext, _event: DoneInvokeEvent<Error>): ErrorDetails => ({
+                title: translate('oid4vci_machine_prepare_authorization_error_title'),
+                message: _event.data.message,
+                stack: _event.data.stack,
+              }),
+            }),
+          },
+        },
+      },
       [OID4VCIMachineStates.initiateAuthorizationRequest]: {
         id: OID4VCIMachineStates.initiateAuthorizationRequest,
         on: {

package/src/mappers/OIDC4VCIBrandingMapper.ts

@@ -1,5 +1,5 @@
 import { CredentialsSupportedDisplay, NameAndLocale } from '@sphereon/oid4vci-common'
-import { IBasicCredentialClaim, IBasicCredentialLocaleBranding, IBasicIssuerLocaleBranding } from '@sphereon/ssi-sdk.data-store'
+import { IBasicCredentialClaim, IBasicCredentialLocaleBranding, IBasicIssuerLocaleBranding } from '@sphereon/ssi-sdk.data-store-types'
 import { SdJwtClaimDisplayMetadata, SdJwtClaimMetadata, SdJwtClaimPath, SdJwtTypeDisplayMetadata } from '@sphereon/ssi-types'
 import {
   IssuerLocaleBrandingFromArgs,