@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.32.1-feature.VDX.341.57 → 0.32.1-feature.new.develop.274

package/src/agent/DidAuthSiopOpAuthenticator.ts

@@ -10,13 +10,14 @@ import {
   NonPersistedIdentity,
   Party,
 } from '@sphereon/ssi-sdk.data-store'
-import { Hasher, Loggers } from '@sphereon/ssi-types'
+import { HasherSync, Loggers, SdJwtDecodedVerifiableCredential } from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
 import { v4 as uuidv4 } from 'uuid'
 import {
   DidAuthSiopOpAuthenticatorOptions,
   GetSelectableCredentialsArgs,
   IOpSessionArgs,
+  Json,
   LOGGER_NAMESPACE,
   RequiredContext,
   schema,
@@ -27,6 +28,10 @@ import {
 import { Siopv2Machine } from '../machine/Siopv2Machine'
 import { getSelectableCredentials, siopSendAuthorizationResponse, translateCorrelationIdToName } from '../services/Siopv2MachineService'
 import { OpSession } from '../session'
+import { PEX, Status } from '@sphereon/pex'
+import { computeEntryHash } from '@veramo/utils'
+import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+import { EventEmitter } from 'events'
 import {
   IDidAuthSiopOpAuthenticator,
   IGetSiopSessionArgs,
@@ -34,8 +39,7 @@ import {
   IRemoveCustomApprovalForSiopArgs,
   IRemoveSiopSessionArgs,
   IRequiredContext,
-} from '../types/IDidAuthSiopOpAuthenticator'
-import { Siopv2Machine as Siopv2MachineId, Siopv2MachineInstanceOpts } from '../types/machine'
+} from '../types'
 
 import {
   AddIdentityArgs,
@@ -48,12 +52,10 @@ import {
   SendResponseArgs,
   Siopv2AuthorizationRequestData,
   Siopv2HolderEvent,
-} from '../types/siop-service'
-import { PEX, Status } from '@sphereon/pex'
-import { computeEntryHash } from '@veramo/utils'
-import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
-import { EventEmitter } from 'events'
-import { DcqlCredential, DcqlPresentation, DcqlQuery } from 'dcql'
+  Siopv2Machine as Siopv2MachineId,
+  Siopv2MachineInstanceOpts,
+} from '../types'
+import { DcqlCredential, DcqlPresentation, DcqlQuery, DcqlSdJwtVcCredential } from 'dcql'
 
 const logger = Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE)
 
@@ -92,26 +94,20 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
   private readonly sessions: Map<string, OpSession>
   private readonly customApprovals: Record<string, (verifiedAuthorizationRequest: VerifiedAuthorizationRequest, sessionId: string) => Promise<void>>
   private readonly presentationSignCallback?: PresentationSignCallback
-
   private readonly onContactIdentityCreated?: (args: OnContactIdentityCreatedArgs) => Promise<void>
   private readonly onIdentifierCreated?: (args: OnIdentifierCreatedArgs) => Promise<void>
   private readonly eventEmitter?: EventEmitter
-  private readonly hasher: Hasher | undefined
-
-  constructor(
-    presentationSignCallback?: PresentationSignCallback,
-    customApprovals?: Record<string, (verifiedAuthorizationRequest: VerifiedAuthorizationRequest, sessionId: string) => Promise<void>>,
-    options?: DidAuthSiopOpAuthenticatorOptions,
-    hasher?: Hasher, // FIXME BEFORE PR move into DidAuthSiopOpAuthenticatorOptions (move everything into options like we do with the rest of the agent plugins)
-  ) {
-    const { onContactIdentityCreated, onIdentifierCreated } = options ?? {}
+  private readonly hasher?: HasherSync
+
+  constructor(options?: DidAuthSiopOpAuthenticatorOptions) {
+    const { onContactIdentityCreated, onIdentifierCreated, hasher, customApprovals = {}, presentationSignCallback } = { ...options }
+
+    this.hasher = hasher
     this.onContactIdentityCreated = onContactIdentityCreated
     this.onIdentifierCreated = onIdentifierCreated
-
-    this.sessions = new Map<string, OpSession>()
-    this.customApprovals = customApprovals || {}
     this.presentationSignCallback = presentationSignCallback
-    this.hasher = hasher
+    this.sessions = new Map<string, OpSession>()
+    this.customApprovals = customApprovals
   }
 
   public async onEvent(event: any, context: RequiredContext): Promise<void> {
@@ -191,8 +187,8 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
     return Siopv2Machine.newInstance(siopv2MachineOpts)
   }
 
-  private async siopCreateConfig(args: CreateConfigArgs): Promise<CreateConfigResult> {
-    const { url } = args
+  private async siopCreateConfig<TContext extends CreateConfigArgs>(context: TContext): Promise<CreateConfigResult> {
+    const { url } = context
 
     if (!url) {
       return Promise.reject(Error('Missing request uri in context'))
@@ -219,9 +215,14 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
     }
     const { sessionId, redirectUrl } = didAuthConfig
 
-    const session: OpSession = await agent
-      .siopGetOPSession({ sessionId })
-      .catch(async () => await agent.siopRegisterOPSession({ requestJwtOrUri: redirectUrl, sessionId, op: { eventEmitter: this.eventEmitter } }))
+    const session: OpSession = await agent.siopGetOPSession({ sessionId }).catch(
+      async () =>
+        await agent.siopRegisterOPSession({
+          requestJwtOrUri: redirectUrl,
+          sessionId,
+          op: { eventEmitter: this.eventEmitter, hasher: this.hasher },
+        }),
+    )
 
     logger.debug(`session: ${JSON.stringify(session.id, null, 2)}`)
     const verifiedAuthorizationRequest = await session.getAuthorizationRequest()
@@ -339,7 +340,7 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
   }
 
   private async siopSendResponse(args: SendResponseArgs, context: RequiredContext): Promise<Siopv2AuthorizationResponseData> {
-    const { didAuthConfig, authorizationRequestData, selectedCredentials } = args
+    const { didAuthConfig, authorizationRequestData, selectedCredentials, isFirstParty } = args
 
     if (didAuthConfig === undefined) {
       return Promise.reject(Error('Missing config in context'))
@@ -349,65 +350,74 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
       return Promise.reject(Error('Missing authorization request data in context'))
     }
 
-    const pex = new PEX()
+    const pex = new PEX({ hasher: this.hasher })
     const verifiableCredentialsWithDefinition: Array<VerifiableCredentialsWithDefinition> = []
     const dcqlCredentialsWithCredentials: Map<DcqlCredential, UniqueDigitalCredential> = new Map()
 
-    if (authorizationRequestData.presentationDefinitions !== undefined && authorizationRequestData.presentationDefinitions !== null) {
-      authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
-        const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(
-          presentationDefinition.definition,
-          selectedCredentials.map((udc) => udc.originalVerifiableCredential!),
-        )
-
-        if (areRequiredCredentialsPresent !== Status.ERROR && verifiableCredentials) {
-          const uniqueDigitalCredentials: UniqueDigitalCredential[] = verifiableCredentials.map((vc) => {
-            // @ts-ignore FIXME Funke
-            const hash = computeEntryHash(vc)
-            const udc = selectedCredentials.find((udc) => udc.hash == hash)
-
-            if (!udc) {
-              throw Error('UniqueDigitalCredential could not be found')
-            }
-            return udc
-          })
-          verifiableCredentialsWithDefinition.push({
-            definition: presentationDefinition,
-            credentials: uniqueDigitalCredentials,
-          })
-        }
-      })
+    if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
+      try {
+        authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
+          const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(
+            presentationDefinition.definition,
+            selectedCredentials.map((udc) => udc.originalVerifiableCredential!),
+          )
+
+          if (areRequiredCredentialsPresent !== Status.ERROR && verifiableCredentials) {
+            let uniqueDigitalCredentials: UniqueDigitalCredential[] = []
+            uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
+              // @ts-ignore FIXME Funke
+              const hash = typeof vc === 'string' ? computeEntryHash(vc.split('~'[0])) : computeEntryHash(vc)
+              const udc = selectedCredentials.find((udc) => udc.hash == hash || udc.originalVerifiableCredential == vc)
+
+              if (!udc) {
+                throw Error(
+                  `UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`,
+                )
+              }
+              return udc
+            })
+            verifiableCredentialsWithDefinition.push({
+              definition: presentationDefinition,
+              credentials: uniqueDigitalCredentials,
+            })
+          }
+        })
+      } catch (e) {
+        return Promise.reject(e)
+      }
 
       if (verifiableCredentialsWithDefinition.length === 0) {
         return Promise.reject(Error('None of the selected credentials match any of the presentation definitions.'))
       }
-    } else if (authorizationRequestData.dcqlQuery !== undefined && authorizationRequestData.dcqlQuery !== null) {
+    } else if (authorizationRequestData.dcqlQuery) {
       //TODO Only SD-JWT and MSO MDOC are supported at the moment
       if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
-        selectedCredentials.forEach((vc: any) => {
-          const payload =
-            vc['decodedPayload'] !== undefined && vc['decodedPayload'] !== null
-              ? vc.decodedPayload
-              : vc['decoded'] !== undefined && vc['decoded'] !== null
-                ? vc.decoded
-                : undefined
-          const vct = payload?.vct
-          const docType = payload?.docType
-          const namespaces = payload?.namespaces
-          const result: DcqlCredential = {
-            claims: payload,
-            vct,
-            docType,
-            namespaces,
-          }
-          dcqlCredentialsWithCredentials.set(result, vc)
-        })
+        try {
+          selectedCredentials.forEach((vc) => {
+            if (this.isSdJwtCredential(vc)) {
+              const payload = (vc.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).decodedPayload
+              const result: DcqlSdJwtVcCredential = {
+                claims: payload as { [x: string]: Json },
+                vct: payload.vct,
+                credential_format: 'vc+sd-jwt',
+              }
+              dcqlCredentialsWithCredentials.set(result, vc)
+              //FIXME MDoc namespaces are incompatible: array of strings vs complex object - https://sphereon.atlassian.net/browse/SPRIND-143
+            } else {
+              throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`)
+            }
+          })
+        } catch (e) {
+          return Promise.reject(e)
+        }
 
-        const dcqlPresentationRecord: DcqlPresentation = {}
+        const dcqlPresentationRecord: DcqlPresentation.Output = {}
         const queryResult = DcqlQuery.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
         for (const [key, value] of Object.entries(queryResult.credential_matches)) {
           if (value.success) {
-            dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output)!)
+            dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output)!) as
+              | string
+              | { [x: string]: Json }
           }
         }
       }
@@ -419,15 +429,16 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
         sessionId: didAuthConfig.sessionId,
         ...(args.idOpts && { idOpts: args.idOpts }),
         ...(authorizationRequestData.presentationDefinitions !== undefined && { verifiableCredentialsWithDefinition }),
+        isFirstParty,
         hasher: this.hasher,
       },
       context,
     )
 
-    const contentType = response?.headers.get('content-type') || ''
+    const contentType = response.headers.get('content-type') || ''
     let responseBody: any = null
 
-    const text = await response?.text()
+    const text = await response.text()
     if (text) {
       responseBody = contentType.includes('application/json') || text.startsWith('{') ? JSON.parse(text) : text
     }
@@ -435,31 +446,38 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
     return {
       body: responseBody,
       url: response?.url,
-      queryParams: response && decodeUriAsJson(response?.url),
+      queryParams: decodeUriAsJson(response?.url),
     }
   }
 
   private hasMDocCredentials = (credentials: UniqueDigitalCredential[]): boolean => {
-    return credentials.some(
-      (credential) =>
-        credential.digitalCredential.documentFormat === CredentialDocumentFormat.MSO_MDOC &&
-        credential.digitalCredential.documentType === DocumentType.VC,
+    return credentials.some(this.isMDocCredential)
+  }
+
+  private isMDocCredential = (credential: UniqueDigitalCredential) => {
+    return (
+      credential.digitalCredential.documentFormat === CredentialDocumentFormat.MSO_MDOC &&
+      credential.digitalCredential.documentType === DocumentType.VC
     )
   }
 
   private hasSdJwtCredentials = (credentials: UniqueDigitalCredential[]): boolean => {
-    return credentials.some(
-      (credential) =>
-        credential.digitalCredential.documentFormat === CredentialDocumentFormat.SD_JWT &&
-        credential.digitalCredential.documentType === DocumentType.VC,
+    return credentials.some(this.isSdJwtCredential)
+  }
+
+  private isSdJwtCredential = (credential: UniqueDigitalCredential) => {
+    return (
+      credential.digitalCredential.documentFormat === CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === DocumentType.VC
     )
   }
 
   private retrieveEncodedCredential = (credential: UniqueDigitalCredential) => {
-    // FIXME Remove any
-    return (credential as any).original !== undefined && (credential as any).original !== null
-      ? (credential as any).original
-      : (credential as any).compactSdJwtVc
+    return credential.originalVerifiableCredential !== undefined &&
+      credential.originalVerifiableCredential !== null &&
+      (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== undefined &&
+      (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== null
+      ? (credential.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc
+      : credential.originalVerifiableCredential
   }
 
   private async siopGetSelectableCredentials(args: GetSelectableCredentialsArgs, context: RequiredContext): Promise<SelectableCredentialsMap> {

package/src/services/Siopv2MachineService.ts

@@ -4,7 +4,7 @@ import { InputDescriptorV1, InputDescriptorV2, PresentationDefinitionV1, Present
 import { isOID4VCIssuerIdentifier, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { ConnectionType, CredentialRole } from '@sphereon/ssi-sdk.data-store'
-import { CredentialMapper, Hasher, Loggers, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
+import { CredentialMapper, HasherSync, Loggers, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
 import { OID4VP, OpSession } from '../session'
 import {
   DidAgents,
@@ -20,7 +20,7 @@ import {
 import { IAgentContext, IDIDManager } from '@veramo/core'
 import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
 import { encodeJoseBlob } from '@sphereon/ssi-sdk.core'
-import { DcqlCredential, DcqlQuery, DcqlCredentialPresentation, DcqlPresentation } from 'dcql'
+import { DcqlCredential, DcqlCredentialPresentation, DcqlPresentation, DcqlQuery } from 'dcql'
 import { convertToDcqlCredentials } from '../utils/dcql'
 import { getOriginalVerifiableCredential } from '../utils/CredentialUtils'
 
@@ -51,14 +51,15 @@ export const siopSendAuthorizationResponse = async (
     sessionId: string
     verifiableCredentialsWithDefinition?: VerifiableCredentialsWithDefinition[]
     idOpts?: ManagedIdentifierOptsOrResult
+    isFirstParty?: boolean
+    hasher?: HasherSync
     dcqlQuery?: DcqlQuery
-    hasher?: Hasher
   },
   context: RequiredContext,
 ) => {
   const { agent } = context
   const agentContext = { ...context, agent: context.agent as DidAgents }
-  let { idOpts } = args
+  let { idOpts, isFirstParty, hasher } = args
 
   if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
     return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`))
@@ -72,7 +73,7 @@ export const siopSendAuthorizationResponse = async (
   let presentationsAndDefs: VerifiablePresentationWithDefinition[] | undefined
   let presentationSubmission: PresentationSubmission | undefined
   if (await session.hasPresentationDefinitions()) {
-    const oid4vp: OID4VP = await session.getOID4VP({})
+    const oid4vp: OID4VP = await session.getOID4VP({ hasher })
 
     const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition
       ? args.verifiableCredentialsWithDefinition
@@ -128,11 +129,18 @@ export const siopSendAuthorizationResponse = async (
           break
         // TODO other implementations?
         default:
-          // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
-          identifier = await session.context.agent.identifierManagedGetByKid({
-            identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-            kmsKeyRef: digitalCredential.kmsKeyRef,
-          })
+          if (digitalCredential.subjectCorrelationId?.startsWith('did:') || holder?.startsWith('did:')) {
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+          } else {
+            // Since we are using the kmsKeyRef we will find the KID regardless of the identifier. We set it for later access though
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef,
+            })
+          }
       }
     }
 
@@ -167,6 +175,7 @@ export const siopSendAuthorizationResponse = async (
       ...(presentationSubmission && { presentationSubmission }),
       // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
       responseSignerOpts: idOpts!,
+      isFirstParty,
     })
   } else if (request.dcqlQuery) {
     if (args.verifiableCredentialsWithDefinition !== undefined && args.verifiableCredentialsWithDefinition !== null) {
@@ -266,7 +275,7 @@ export const siopSendAuthorizationResponse = async (
       return response
     }
   }
-  return undefined
+  throw Error('Presentation Definition or DCQL is required')
 }
 
 function buildPartialPD(

package/src/session/OID4VP.ts

@@ -2,15 +2,15 @@ import { PresentationDefinitionWithLocation, PresentationExchange } from '@spher
 import { SelectResults, Status, SubmissionRequirementMatch } from '@sphereon/pex'
 import { Format } from '@sphereon/pex-models'
 import {
-  isOID4VCIssuerIdentifier,
   isManagedIdentifierDidResult,
+  isOID4VCIssuerIdentifier,
   ManagedIdentifierOptsOrResult,
   ManagedIdentifierResult,
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { ProofOptions } from '@sphereon/ssi-sdk.core'
 import { UniqueDigitalCredential, verifiableCredentialForRoleFilter } from '@sphereon/ssi-sdk.credential-store'
 import { CredentialRole, FindDigitalCredentialArgs } from '@sphereon/ssi-sdk.data-store'
-import { CompactJWT, Hasher, IProof, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { CompactJWT, HasherSync, IProof, OriginalVerifiableCredential } from '@sphereon/ssi-types'
 import {
   DEFAULT_JWT_PROOF_TYPE,
   IGetPresentationExchangeArgs,
@@ -24,7 +24,7 @@ import { OpSession } from './OpSession'
 export class OID4VP {
   private readonly session: OpSession
   private readonly allIdentifiers: string[]
-  private readonly hasher?: Hasher
+  private readonly hasher?: HasherSync
 
   private constructor(args: IOID4VPArgs) {
     const { session, allIdentifiers, hasher } = args
@@ -34,7 +34,7 @@ export class OID4VP {
     this.hasher = hasher
   }
 
-  public static async init(session: OpSession, allIdentifiers: string[], hasher?: Hasher): Promise<OID4VP> {
+  public static async init(session: OpSession, allIdentifiers: string[], hasher?: HasherSync): Promise<OID4VP> {
     return new OID4VP({ session, allIdentifiers: allIdentifiers ?? (await session.getSupportedDIDs()), hasher })
   }
 
@@ -68,7 +68,7 @@ export class OID4VP {
       skipDidResolution?: boolean
       holderDID?: string
       subjectIsHolder?: boolean
-      hasher?: Hasher
+      hasher?: HasherSync
       applyFilter?: boolean
     },
   ): Promise<VerifiablePresentationWithDefinition[]> {
@@ -88,7 +88,7 @@ export class OID4VP {
       holder?: string
       subjectIsHolder?: boolean
       applyFilter?: boolean
-      hasher?: Hasher
+      hasher?: HasherSync
     },
   ): Promise<VerifiablePresentationWithDefinition> {
     const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = { ...opts }

package/src/session/OpSession.ts

@@ -20,10 +20,11 @@ import { encodeBase64url } from '@sphereon/ssi-sdk.core'
 import {
   CompactSdJwtVc,
   CredentialMapper,
-  Hasher, OriginalVerifiableCredential,
+  HasherSync,
+  OriginalVerifiableCredential,
   parseDid,
   PresentationSubmission,
-  W3CVerifiablePresentation
+  W3CVerifiablePresentation,
 } from '@sphereon/ssi-types'
 import { IIdentifier, IVerifyResult, TKeyType } from '@veramo/core'
 import Debug from 'debug'
@@ -292,8 +293,8 @@ export class OpSession {
         .jwtEncryptJweCompactJwt({
           recipientKey,
           protectedHeader: {},
-          alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg as JweAlg | undefined ?? 'ECDH-ES',
-          enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc as JweEnc | undefined ?? 'A256GCM',
+          alg: (requestObjectPayload.client_metadata.authorization_encrypted_response_alg as JweAlg | undefined) ?? 'ECDH-ES',
+          enc: (requestObjectPayload.client_metadata.authorization_encrypted_response_enc as JweEnc | undefined) ?? 'A256GCM',
           apv: encodeBase64url(opts.requestObjectPayload.nonce),
           apu: encodeBase64url(v4()),
           payload: authResponse,
@@ -359,13 +360,14 @@ export class OpSession {
     const responseOpts = {
       verification,
       issuer,
+      ...(args.isFirstParty && { isFirstParty: args.isFirstParty }),
       ...(args.verifiablePresentations && {
         presentationExchange: {
           verifiablePresentations,
           presentationSubmission: args.presentationSubmission,
         } as PresentationExchangeResponseOpts,
       }),
-      dcqlQuery: args.dcqlQuery
+      dcqlQuery: args.dcqlResponse,
     }
 
     const authResponse = await op.createAuthorizationResponse(request, responseOpts)
@@ -378,7 +380,7 @@ export class OpSession {
     }
   }
 
-  private countVCsInAllVPs(verifiablePresentations: W3CVerifiablePresentation[], hasher?: Hasher) {
+  private countVCsInAllVPs(verifiablePresentations: W3CVerifiablePresentation[], hasher?: HasherSync) {
     return verifiablePresentations.reduce((sum, vp) => {
       if (CredentialMapper.isMsoMdocDecodedPresentation(vp) || CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
         return sum + 1

package/src/types/IDidAuthSiopOpAuthenticator.ts

@@ -1,5 +1,5 @@
 import {
-  DcqlQueryResponseOpts,
+  DcqlResponseOpts,
   PresentationDefinitionWithLocation,
   PresentationSignCallback,
   ResponseMode,
@@ -19,7 +19,7 @@ import { ICredentialStore, UniqueDigitalCredential } from '@sphereon/ssi-sdk.cre
 import { Party } from '@sphereon/ssi-sdk.data-store'
 import { IPDManager } from '@sphereon/ssi-sdk.pd-manager'
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
-import { Hasher, OriginalVerifiableCredential, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
+import { HasherSync, OriginalVerifiableCredential, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
 import { VerifyCallback } from '@sphereon/wellknown-dids-client'
 import {
   IAgentContext,
@@ -123,8 +123,9 @@ export interface IOpsSendSiopAuthorizationResponseArgs {
   // verifiedAuthorizationRequest: VerifiedAuthorizationRequest
   presentationSubmission?: PresentationSubmission
   verifiablePresentations?: W3CVerifiablePresentation[]
-  dcqlQuery?: DcqlQueryResponseOpts
-  hasher?: Hasher
+  dcqlResponse?: DcqlResponseOpts
+  hasher?: HasherSync
+  isFirstParty?: boolean
 }
 
 export enum events {
@@ -161,7 +162,7 @@ export interface IOPOptions {
   presentationSignCallback?: PresentationSignCallback
 
   resolveOpts?: ResolveOpts
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 /*
@@ -184,19 +185,30 @@ export interface VerifiablePresentationWithDefinition extends VerifiablePresenta
 
 export interface IOpSessionGetOID4VPArgs {
   allIdentifiers?: string[]
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export interface IOID4VPArgs {
   session: OpSession
   allIdentifiers?: string[]
-  hasher?: Hasher
+  hasher?: HasherSync
 }
 
 export interface IGetPresentationExchangeArgs {
   verifiableCredentials: OriginalVerifiableCredential[]
   allIdentifiers?: string[]
-  hasher?: Hasher
-}
+  hasher?: HasherSync
+}
+
+// It was added here because it's not exported from DCQL anymore
+export type Json =
+  | string
+  | number
+  | boolean
+  | null
+  | {
+      [key: string]: Json
+    }
+  | Json[]
 
 export const DEFAULT_JWT_PROOF_TYPE = 'JwtProof2020'

package/src/types/machine/index.ts

@@ -18,6 +18,7 @@ export type Siopv2MachineContext = {
   contactAlias: string
   selectableCredentialsMap?: SelectableCredentialsMap
   selectedCredentials: Array<UniqueDigitalCredential>
+  isFirstParty?: boolean
   error?: ErrorDetails
 }
 

package/src/types/siop-service/index.ts

@@ -1,4 +1,9 @@
-import { PresentationDefinitionWithLocation, RPRegistrationMetadataPayload } from '@sphereon/did-auth-siop'
+import {
+  PresentationDefinitionWithLocation,
+  PresentationSignCallback,
+  RPRegistrationMetadataPayload,
+  VerifiedAuthorizationRequest,
+} from '@sphereon/did-auth-siop'
 import { IIdentifierResolution, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IContactManager } from '@sphereon/ssi-sdk.contact-manager'
 import { ICredentialStore, UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
@@ -8,10 +13,14 @@ import { IAgentContext, IDIDManager, IIdentifier, IResolver } from '@veramo/core
 import { IDidAuthSiopOpAuthenticator } from '../IDidAuthSiopOpAuthenticator'
 import { Siopv2MachineContext, Siopv2MachineInterpreter, Siopv2MachineState } from '../machine'
 import { DcqlQuery } from 'dcql'
+import { HasherSync } from '@sphereon/ssi-types'
 
 export type DidAuthSiopOpAuthenticatorOptions = {
+  presentationSignCallback?: PresentationSignCallback
+  customApprovals?: Record<string, (verifiedAuthorizationRequest: VerifiedAuthorizationRequest, sessionId: string) => Promise<void>>
   onContactIdentityCreated?: (args: OnContactIdentityCreatedArgs) => Promise<void>
   onIdentifierCreated?: (args: OnIdentifierCreatedArgs) => Promise<void>
+  hasher?: HasherSync
 }
 
 export type GetMachineArgs = {
@@ -20,12 +29,21 @@ export type GetMachineArgs = {
   stateNavigationListener?: (siopv2Machine: Siopv2MachineInterpreter, state: Siopv2MachineState, navigation?: any) => Promise<void>
 }
 
-export type CreateConfigArgs = Pick<Siopv2MachineContext, 'url'>
+export type CreateConfigArgs = { url: string }
 export type CreateConfigResult = Omit<DidAuthConfig, 'stateId' | 'idOpts'>
-export type GetSiopRequestArgs = Pick<Siopv2MachineContext, 'didAuthConfig' | 'url'>
+export type GetSiopRequestArgs = { didAuthConfig?: Omit<DidAuthConfig, 'identifier'>; url: string }
+// FIXME it would be nicer if these function are not tied to a certain machine so that we can start calling them for anywhere
 export type RetrieveContactArgs = Pick<Siopv2MachineContext, 'url' | 'authorizationRequestData'>
+// FIXME it would be nicer if these function are not tied to a certain machine so that we can start calling them for anywhere
 export type AddIdentityArgs = Pick<Siopv2MachineContext, 'contact' | 'authorizationRequestData'>
-export type SendResponseArgs = Pick<Siopv2MachineContext, 'didAuthConfig' | 'authorizationRequestData' | 'selectedCredentials' | 'idOpts'>
+export type SendResponseArgs = {
+  didAuthConfig?: Omit<DidAuthConfig, 'identifier'>
+  authorizationRequestData?: Siopv2AuthorizationRequestData
+  selectedCredentials: Array<UniqueDigitalCredential>
+  idOpts?: ManagedIdentifierOptsOrResult
+  isFirstParty?: boolean
+}
+// FIXME it would be nicer if these function are not tied to a certain machine so that we can start calling them for anywhere
 export type GetSelectableCredentialsArgs = Pick<Siopv2MachineContext, 'authorizationRequestData'>
 
 export enum Siopv2HolderEvent {
@@ -39,7 +57,7 @@ export enum SupportedLanguage {
 }
 
 export type Siopv2AuthorizationResponseData = {
-  body?: string
+  body?: string | Record<string, any>
   url?: string
   queryParams?: Record<string, any>
 }