@sphereon/ssi-sdk.oid4vci-holder 0.34.1-next.3 → 0.34.1-next.323

package/src/services/OID4VCIHolderService.ts

@@ -1,16 +1,15 @@
 import { LOG } from '@sphereon/oid4vci-client'
 import {
+  AuthorizationChallengeCodeResponse,
   CredentialConfigurationSupported,
-  CredentialSupportedSdJwtVc,
-  CredentialConfigurationSupportedSdJwtVcV1_0_13,
-  CredentialOfferFormatV1_0_11,
+  CredentialConfigurationSupportedSdJwtVcV1_0_15,
   CredentialResponse,
+  CredentialResponseV1_0_15,
+  CredentialSupportedSdJwtVc,
   getSupportedCredentials,
   getTypesFromCredentialSupported,
   getTypesFromObject,
   MetadataDisplay,
-  OpenId4VCIVersion,
-  AuthorizationChallengeCodeResponse,
 } from '@sphereon/oid4vci-common'
 import { KeyUse } from '@sphereon/ssi-sdk-ext.did-resolver-jwk'
 import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
@@ -23,7 +22,8 @@ import {
   managedIdentifierToJwk,
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { keyTypeFromCryptographicSuite } from '@sphereon/ssi-sdk-ext.key-utils'
-import { IBasicCredentialLocaleBranding, IBasicIssuerLocaleBranding } from '@sphereon/ssi-sdk.data-store'
+import { defaultHasher } from '@sphereon/ssi-sdk.core'
+import { IBasicCredentialLocaleBranding, IBasicIssuerLocaleBranding } from '@sphereon/ssi-sdk.data-store-types'
 import {
   CredentialMapper,
   Hasher,
@@ -40,8 +40,12 @@ import {
 } from '@sphereon/ssi-types'
 import { asArray } from '@veramo/utils'
 import { translate } from '../localization/Localization'
+import { FirstPartyMachine } from '../machines/firstPartyMachine'
+import { issuerLocaleBrandingFrom, oid4vciGetCredentialBrandingFrom, sdJwtGetCredentialBrandingFrom } from '../mappers/OIDC4VCIBrandingMapper'
+import { FirstPartyMachineState, FirstPartyMachineStateTypes } from '../types/FirstPartyMachine'
 import {
   DidAgents,
+  GetBasicIssuerLocaleBrandingArgs,
   GetCredentialBrandingArgs,
   GetCredentialConfigsSupportedArgs,
   GetCredentialConfigsSupportedBySingleTypeOrIdArgs,
@@ -49,22 +53,17 @@ import {
   GetIssuanceCryptoSuiteArgs,
   GetIssuanceDidMethodArgs,
   GetIssuanceOptsArgs,
-  GetBasicIssuerLocaleBrandingArgs,
   GetPreferredCredentialFormatsArgs,
   IssuanceOpts,
   MapCredentialToAcceptArgs,
   MappedCredentialToAccept,
   OID4VCIHolderEvent,
+  RequiredContext,
   SelectAppLocaleBrandingArgs,
+  StartFirstPartApplicationMachine,
   VerificationResult,
   VerifyCredentialToAcceptArgs,
-  StartFirstPartApplicationMachine,
-  RequiredContext,
 } from '../types/IOID4VCIHolder'
-import { oid4vciGetCredentialBrandingFrom, sdJwtGetCredentialBrandingFrom, issuerLocaleBrandingFrom } from '../mappers/OIDC4VCIBrandingMapper'
-import { FirstPartyMachine } from '../machines/firstPartyMachine'
-import { FirstPartyMachineState, FirstPartyMachineStateTypes } from '../types/FirstPartyMachine'
-import { defaultHasher } from '@sphereon/ssi-sdk.core'
 
 export const getCredentialBranding = async (args: GetCredentialBrandingArgs): Promise<Record<string, Array<IBasicCredentialLocaleBranding>>> => {
   const { credentialsSupported, context } = args
@@ -72,8 +71,8 @@ export const getCredentialBranding = async (args: GetCredentialBrandingArgs): Pr
   await Promise.all(
     Object.entries(credentialsSupported).map(async ([configId, credentialsConfigSupported]): Promise<void> => {
       let sdJwtTypeMetadata: SdJwtTypeMetadata | undefined
-      if (credentialsConfigSupported.format === 'vc+sd-jwt') {
-        const vct = (<CredentialSupportedSdJwtVc | CredentialConfigurationSupportedSdJwtVcV1_0_13>credentialsConfigSupported).vct
+      if (credentialsConfigSupported.format === 'dc+sd-jwt') {
+        const vct = (<CredentialSupportedSdJwtVc | CredentialConfigurationSupportedSdJwtVcV1_0_15>credentialsConfigSupported).vct
         if (vct.startsWith('http')) {
           try {
             sdJwtTypeMetadata = await context.agent.fetchSdJwtTypeMetadataFromVctUrl({ vct })
@@ -153,10 +152,7 @@ export const selectCredentialLocaleBranding = async (
 export const verifyCredentialToAccept = async (args: VerifyCredentialToAcceptArgs): Promise<VerificationResult> => {
   const { mappedCredential, hasher, onVerifyEBSICredentialIssuer, schemaValidation, context } = args
 
-  const credential = mappedCredential.credentialToAccept.credentialResponse.credential as OriginalVerifiableCredential
-  if (!credential) {
-    return Promise.reject(Error('No credential found in credential response'))
-  }
+  const credential = extractCredentialFromResponse(mappedCredential.credentialToAccept.credentialResponse)
 
   const wrappedVC = CredentialMapper.toWrappedVerifiableCredential(credential, { hasher: hasher ?? defaultHasher })
   if (
@@ -205,11 +201,7 @@ export const verifyCredentialToAccept = async (args: VerifyCredentialToAcceptArg
 export const mapCredentialToAccept = async (args: MapCredentialToAcceptArgs): Promise<MappedCredentialToAccept> => {
   const { credentialToAccept, hasher } = args
 
-  const credentialResponse: CredentialResponse = credentialToAccept.credentialResponse
-  const verifiableCredential: W3CVerifiableCredential | undefined = credentialResponse.credential
-  if (!verifiableCredential) {
-    return Promise.reject(Error('No credential found in credential response'))
-  }
+  const verifiableCredential = extractCredentialFromResponse(credentialToAccept.credentialResponse) as W3CVerifiableCredential
 
   const wrappedVerifiableCredential: WrappedVerifiableCredential = CredentialMapper.toWrappedVerifiableCredential(
     verifiableCredential as OriginalVerifiableCredential,
@@ -217,9 +209,7 @@ export const mapCredentialToAccept = async (args: MapCredentialToAcceptArgs): Pr
   )
   let uniformVerifiableCredential: IVerifiableCredential
   if (CredentialMapper.isSdJwtDecodedCredential(wrappedVerifiableCredential.credential)) {
-    uniformVerifiableCredential = await sdJwtDecodedCredentialToUniformCredential(
-      <SdJwtDecodedVerifiableCredential>wrappedVerifiableCredential.credential,
-    )
+    uniformVerifiableCredential = sdJwtDecodedCredentialToUniformCredential(<SdJwtDecodedVerifiableCredential>wrappedVerifiableCredential.credential)
   } else if (CredentialMapper.isSdJwtEncoded(wrappedVerifiableCredential.credential)) {
     if (!hasher) {
       return Promise.reject('a hasher is required for encoded SD-JWT credentials')
@@ -240,6 +230,7 @@ export const mapCredentialToAccept = async (args: MapCredentialToAcceptArgs): Pr
         ? uniformVerifiableCredential.decodedPayload.iss
         : uniformVerifiableCredential.issuer.id
 
+  const credentialResponse = credentialToAccept.credentialResponse as CredentialResponseV1_0_15
   return {
     correlationId,
     credentialToAccept,
@@ -250,6 +241,27 @@ export const mapCredentialToAccept = async (args: MapCredentialToAcceptArgs): Pr
   }
 }
 
+export const extractCredentialFromResponse = (credentialResponse: CredentialResponse): OriginalVerifiableCredential => {
+  let credential: OriginalVerifiableCredential | undefined
+
+  if ('credential' in credentialResponse) {
+    credential = credentialResponse.credential as OriginalVerifiableCredential
+  } else if (
+    'credentials' in credentialResponse &&
+    credentialResponse.credentials &&
+    Array.isArray(credentialResponse.credentials) &&
+    credentialResponse.credentials.length > 0
+  ) {
+    credential = credentialResponse.credentials[0].credential as OriginalVerifiableCredential // FIXME SSISDK-13 (no multi-credential support yet)
+  }
+
+  if (!credential) {
+    throw new Error('No credential found in credential response')
+  }
+
+  return credential
+}
+
 export const getIdentifierOpts = async (args: GetIdentifierArgs): Promise<ManagedIdentifierResult> => {
   const { issuanceOpt, context } = args
   const { identifier: identifierArg } = issuanceOpt
@@ -370,7 +382,7 @@ export const getCredentialConfigsSupportedBySingleTypeOrId = async (
   }
 
   if (configurationId) {
-    const allSupported = client.getCredentialsSupported(false)
+    const allSupported = client.getCredentialsSupported(undefined, format)
     return Object.fromEntries(
       Object.entries(allSupported).filter(
         ([id, supported]) => id === configurationId || supported.id === configurationId || createIdFromTypes(supported) === configurationId,
@@ -378,29 +390,15 @@ export const getCredentialConfigsSupportedBySingleTypeOrId = async (
     )
   }
 
-  if (!types && !client.credentialOffer) {
-    return Promise.reject(Error('openID4VCIClient has no credentialOffer and no types where provided'))
-    /*} else if (!format && !client.credentialOffer) {
-    return Promise.reject(Error('openID4VCIClient has no credentialOffer and no formats where provided'))*/
+  if (!client.credentialOffer) {
+    return Promise.reject(Error('openID4VCIClient has no credentialOffer'))
   }
-  // We should always have a credential offer at this point given the above
-  if (!Array.isArray(format) && client.credentialOffer) {
-    if (
-      client.version() > OpenId4VCIVersion.VER_1_0_09 &&
-      typeof client.credentialOffer.credential_offer === 'object' &&
-      'credentials' in client.credentialOffer.credential_offer
-    ) {
-      format = client.credentialOffer.credential_offer.credentials
-        .filter((cred: CredentialOfferFormatV1_0_11 | string) => typeof cred !== 'string')
-        .map((cred: CredentialOfferFormatV1_0_11 | string) => (cred as CredentialOfferFormatV1_0_11).format)
-      if (format?.length === 0) {
-        format = undefined // Otherwise we would match nothing
-      }
-    }
+  if (!types) {
+    return Promise.reject(Error('openID4VCIClient has no types'))
   }
 
   const offerSupported = getSupportedCredentials({
-    types: types ? [types] : client.getCredentialOfferTypes(),
+    types: [types],
     format,
     version: client.version(),
     issuerMetadata: client.endpointMetadata.credentialIssuerMetadata,
@@ -580,7 +578,8 @@ export const getIssuanceCryptoSuite = async (opts: GetIssuanceCryptoSuiteArgs):
     case 'jwt':
     case 'jwt_vc_json':
     case 'jwt_vc':
-    case 'vc+sd-jwt':
+    //case 'vc+sd-jwt': // TODO see SSISDK-52 concerning vc+sd-jwt
+    case 'dc+sd-jwt':
     case 'mso_mdoc': {
       const supportedPreferences: Array<JoseSignatureAlgorithm | JoseSignatureAlgorithmString> = jwtCryptographicSuitePreferences.filter(
         (suite: JoseSignatureAlgorithm | JoseSignatureAlgorithmString) => signing_algs_supported.includes(suite),

package/src/types/FirstPartyMachine.ts

@@ -1,10 +1,11 @@
-import { BaseActionObject, Interpreter, ResolveTypegenMeta, ServiceMap, State, StateMachine, StatesConfig, TypegenDisabled } from 'xstate'
+import { RPRegistrationMetadataPayload } from '@sphereon/did-auth-siop'
 import { OpenID4VCIClientState } from '@sphereon/oid4vci-client'
-import { DidAuthConfig, Party } from '@sphereon/ssi-sdk.data-store'
-import { PresentationDefinitionWithLocation, RPRegistrationMetadataPayload } from '@sphereon/did-auth-siop'
-import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
 import { AuthorizationChallengeCodeResponse } from '@sphereon/oid4vci-common'
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+import { DidAuthConfig, Party } from '@sphereon/ssi-sdk.data-store-types'
 import { IIdentifier } from '@veramo/core'
+import { DcqlQuery } from 'dcql'
+import { BaseActionObject, Interpreter, ResolveTypegenMeta, ServiceMap, State, StateMachine, StatesConfig, TypegenDisabled } from 'xstate'
 import { ErrorDetails, RequiredContext } from './IOID4VCIHolder'
 
 export enum FirstPartyMachineStateTypes {
@@ -149,7 +150,7 @@ export type SiopV2AuthorizationRequestData = {
   clientIdScheme?: string
   clientId?: string
   entityId?: string
-  presentationDefinitions?: PresentationDefinitionWithLocation[]
+  dcqlQuery: DcqlQuery
 }
 
 export type FirstPartyMachineNavigationArgs = {

package/src/types/IOID4VCIHolder.ts

@@ -1,4 +1,5 @@
-import { OpenID4VCIClient, OpenID4VCIClientState } from '@sphereon/oid4vci-client'
+import { DynamicRegistrationClientMetadata } from '@sphereon/oid4vc-common'
+import { OpenID4VCIClientState, OpenID4VCIClientV1_0_15 } from '@sphereon/oid4vci-client'
 import {
   AuthorizationRequestOpts,
   AuthorizationResponse,
@@ -7,6 +8,7 @@ import {
   CredentialConfigurationSupported,
   CredentialOfferRequestWithBaseUrl,
   CredentialResponse,
+  CredentialResponseV1_0_15,
   CredentialsSupportedDisplay,
   EndpointMetadataResult,
   ExperimentalSubjectIssuance,
@@ -14,7 +16,6 @@ import {
   MetadataDisplay,
   NotificationRequest,
 } from '@sphereon/oid4vci-common'
-import { DynamicRegistrationClientMetadata } from '@sphereon/oid4vc-common'
 import { CreateOrGetIdentifierOpts, IdentifierProviderOpts, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
 import {
   IIdentifierResolution,
@@ -25,6 +26,7 @@ import {
 import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { IContactManager } from '@sphereon/ssi-sdk.contact-manager'
 import { ICredentialStore } from '@sphereon/ssi-sdk.credential-store'
+import { ICredentialValidation, SchemaValidation } from '@sphereon/ssi-sdk.credential-validation'
 import {
   DigitalCredential,
   IBasicCredentialClaim,
@@ -33,11 +35,10 @@ import {
   Identity,
   IIssuerLocaleBranding,
   Party,
-} from '@sphereon/ssi-sdk.data-store'
+} from '@sphereon/ssi-sdk.data-store-types'
 import { IIssuanceBranding } from '@sphereon/ssi-sdk.issuance-branding'
 import { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
-import { ICredentialValidation, SchemaValidation } from '@sphereon/ssi-sdk.credential-validation'
 import { IDidAuthSiopOpAuthenticator } from '@sphereon/ssi-sdk.siopv2-oid4vp-op-auth'
 import {
   HasherSync,
@@ -78,6 +79,7 @@ export interface IOID4VCIHolder extends IPluginMethodMap {
     context: RequiredContext,
   ): Promise<Array<CredentialToSelectFromResult>>
 
+  oid4vciHolderPrepareAuthorizationRequest(args: PrepareAuthorizationRequestArgs, context: RequiredContext): Promise<PrepareAuthorizationResult>
   oid4vciHolderGetContact(args: GetContactArgs, context: RequiredContext): Promise<Party | undefined>
 
   oid4vciHolderGetCredentials(args: GetCredentialsArgs, context: RequiredContext): Promise<Array<MappedCredentialToAccept>>
@@ -147,6 +149,7 @@ export type PrepareStartArgs = Pick<
   OID4VCIMachineContext,
   'requestData' | 'authorizationRequestOpts' | 'didMethodPreferences' | 'issuanceOpt' | 'accessTokenOpts'
 >
+export type PrepareAuthorizationRequestArgs = Pick<OID4VCIMachineContext, 'openID4VCIClientState' | 'contact'>
 export type CreateCredentialsToSelectFromArgs = Pick<
   OID4VCIMachineContext,
   'credentialsSupported' | 'credentialBranding' | 'selectedCredentials' | 'locale' | 'openID4VCIClientState'
@@ -255,6 +258,7 @@ export enum OID4VCIMachineStates {
   selectCredentials = 'selectCredentials',
   transitionFromSelectingCredentials = 'transitionFromSelectingCredentials',
   verifyPin = 'verifyPin',
+  prepareAuthorizationRequest = 'prepareAuthorizationRequest',
   initiateAuthorizationRequest = 'initiateAuthorizationRequest',
   waitForAuthorizationResponse = 'waitForAuthorizationResponse',
   getCredentials = 'getCredentials',
@@ -377,6 +381,7 @@ export enum OID4VCIMachineGuards {
   requirePinGuard = 'oid4vciRequirePinGuard',
   requireAuthorizationGuard = 'oid4vciRequireAuthorizationGuard',
   noAuthorizationGuard = 'oid4vciNoAuthorizationGuard',
+  hasNonceEndpointGuard = 'oid4vciHasNonceEndpointGuard ',
   hasAuthorizationResponse = 'oid4vciHasAuthorizationResponse',
   hasNoContactIdentityGuard = 'oid4vciHasNoContactIdentityGuard',
   verificationCodeGuard = 'oid4vciVerificationCodeGuard',
@@ -393,6 +398,7 @@ export enum OID4VCIMachineServices {
   getFederationTrust = 'getFederationTrust',
   addContactIdentity = 'addContactIdentity',
   createCredentialsToSelectFrom = 'createCredentialsToSelectFrom',
+  prepareAuthorizationRequest = 'prepareAuthorizationRequest',
   getIssuerBranding = 'getIssuerBranding',
   storeIssuerBranding = 'storeIssuerBranding',
   getCredentials = 'getCredentials',
@@ -458,13 +464,17 @@ export type OID4VCIMachine = {
 }
 
 export type StartResult = {
-  authorizationCodeURL?: string
   credentialBranding?: Record<string, Array<IBasicCredentialLocaleBranding>>
   credentialsSupported: Record<string, CredentialConfigurationSupported>
   serverMetadata: EndpointMetadataResult
   oid4vciClientState: OpenID4VCIClientState
 }
 
+export type PrepareAuthorizationResult = {
+  authorizationCodeURL?: string
+  oid4vciClientState: OpenID4VCIClientState
+}
+
 export type SelectAppLocaleBrandingArgs = {
   locale?: string
   localeBranding?: Array<IBasicCredentialLocaleBranding | IBasicIssuerLocaleBranding>
@@ -501,11 +511,11 @@ export type CredentialToAccept = {
   id?: string
   types: string[]
   issuanceOpt: IssuanceOpts
-  credentialResponse: CredentialResponse
+  credentialResponse: CredentialResponseV1_0_15 | CredentialResponse
 }
 
 export type GetCredentialConfigsSupportedArgs = {
-  client: OpenID4VCIClient
+  client: OpenID4VCIClientV1_0_15
   vcFormatPreferences: Array<string>
   format?: Array<string>
   types?: Array<Array<string>>
@@ -517,7 +527,7 @@ export type GetCredentialConfigsSupportedArgs = {
  * It can potentially return multiple results mainly because of different formats.
  */
 export type GetCredentialConfigsSupportedBySingleTypeOrIdArgs = {
-  client: OpenID4VCIClient
+  client: OpenID4VCIClientV1_0_15
   vcFormatPreferences: Array<string>
   format?: string[]
   types?: string[]
@@ -552,7 +562,7 @@ export type GetDefaultIssuanceOptsArgs = {
 }
 
 export type DefaultIssuanceOpts = {
-  client: OpenID4VCIClient
+  client: OpenID4VCIClientV1_0_15
 }
 
 export type GetIdentifierArgs = {
@@ -589,7 +599,7 @@ export type CreateIdentifierCreateOpts = {
 }
 
 export type GetIssuanceOptsArgs = {
-  client: OpenID4VCIClient
+  client: OpenID4VCIClientV1_0_15
   credentialsSupported: Record<string, CredentialConfigurationSupported>
   serverMetadata: EndpointMetadataResult
   context: RequiredContext
@@ -601,13 +611,13 @@ export type GetIssuanceOptsArgs = {
 
 export type GetIssuanceDidMethodArgs = {
   credentialSupported: CredentialConfigurationSupported
-  client: OpenID4VCIClient
+  client: OpenID4VCIClientV1_0_15
   didMethodPreferences: Array<SupportedDidMethodEnum>
 }
 
 export type GetIssuanceCryptoSuiteArgs = {
   credentialSupported: CredentialConfigurationSupported
-  client: OpenID4VCIClient
+  client: OpenID4VCIClientV1_0_15
   jwtCryptographicSuitePreferences: Array<JoseSignatureAlgorithm | JoseSignatureAlgorithmString>
   jsonldCryptographicSuitePreferences: Array<string>
 }
@@ -615,7 +625,7 @@ export type GetIssuanceCryptoSuiteArgs = {
 export type GetCredentialArgs = {
   pin?: string
   issuanceOpt: IssuanceOpts
-  client: OpenID4VCIClient
+  client: OpenID4VCIClientV1_0_15
   accessTokenOpts?: AccessTokenOpts
 }