npm - @sphereon/ssi-sdk.siopv2-oid4vp-op-auth - Versions diffs - 0.34.1-feature.SSISDK.26.74 → 0.34.1-feature.SSISDK.26.75 - Mend

@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.26.74 → 0.34.1-feature.SSISDK.26.75

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.cjs +833 -831
package/dist/index.cjs.map +1 -1
package/dist/index.js +1006 -1004
package/dist/index.js.map +1 -1
package/package.json +19 -19
package/src/agent/DidAuthSiopOpAuthenticator.ts +14 -24

package/dist/index.cjs CHANGED Viewed

@@ -428,436 +428,12 @@ var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
 var import_ssi_types7 = require("@sphereon/ssi-types");
 var import_uuid2 = require("uuid");
-// src/session/functions.ts
-var import_did_auth_siop = require("@sphereon/did-auth-siop");
-var import_oid4vc_common = require("@sphereon/oid4vc-common");
-var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.identifier-resolution");
-var import_ssi_sdk = require("@sphereon/ssi-sdk.presentation-exchange");
-var import_events = require("events");
-async function createOID4VPPresentationSignCallback({ presentationSignCallback, idOpts: idOpts1, domain, fetchRemoteContexts, challenge, format, context, skipDidResolution }) {
-  if (typeof presentationSignCallback === "function") {
-    return presentationSignCallback;
-  }
-  return (0, import_ssi_sdk.createPEXPresentationSignCallback)({
-    idOpts: idOpts1,
-    fetchRemoteContexts,
-    domain,
-    challenge,
-    format,
-    skipDidResolution
-  }, context);
-}
-__name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallback");
-async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
-  const eventEmitter = opOptions.eventEmitter ?? new import_events.EventEmitter();
-  const builder = import_did_auth_siop.OP.builder().withResponseMode(opOptions.responseMode ?? import_did_auth_siop.ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
-    import_did_auth_siop.SupportedVersion.SIOPv2_ID1,
-    import_did_auth_siop.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
-    import_did_auth_siop.SupportedVersion.SIOPv2_D11,
-    import_did_auth_siop.SupportedVersion.SIOPv2_D12_OID4VP_D18
-  ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
-    passBy: import_did_auth_siop.PassBy.VALUE
-  });
-  const wellknownDIDVerifyCallback = opOptions.wellknownDIDVerifyCallback ? opOptions.wellknownDIDVerifyCallback : async (args) => {
-    const result = await context.agent.cvVerifyCredential({
-      credential: args.credential,
-      fetchRemoteContexts: true
-    });
-    return {
-      verified: result.result
-    };
-  };
-  builder.withVerifyJwtCallback(opOptions.verifyJwtCallback ? opOptions.verifyJwtCallback : getVerifyJwtCallback({
-    verifyOpts: {
-      wellknownDIDVerifyCallback,
-      checkLinkedDomain: "if_present"
-    }
-  }, context));
-  if (idOpts1) {
-    if (opOptions.skipDidResolution && (0, import_ssi_sdk_ext.isManagedIdentifierDidOpts)(idOpts1)) {
-      idOpts1.offlineWhenNoDIDRegistered = true;
-    }
-    const createJwtCallback = createJwtCallbackWithIdOpts(idOpts1, context);
-    builder.withCreateJwtCallback(createJwtCallback);
-    builder.withPresentationSignCallback(await createOID4VPPresentationSignCallback({
-      presentationSignCallback: opOptions.presentationSignCallback,
-      skipDidResolution: opOptions.skipDidResolution ?? false,
-      idOpts: idOpts1,
-      context
-    }));
-  } else {
-    const createJwtCallback = createJwtCallbackWithOpOpts(opOptions, context);
-    builder.withCreateJwtCallback(createJwtCallback);
-  }
-  return builder;
-}
-__name(createOPBuilder, "createOPBuilder");
-function createJwtCallbackWithIdOpts(idOpts1, context) {
-  return async (jwtIssuer, jwt) => {
-    let issuer;
-    if ((0, import_ssi_sdk_ext.isManagedIdentifierDidOpts)(idOpts1)) {
-      issuer = {
-        ...idOpts1,
-        method: idOpts1.method,
-        noIdentifierInHeader: false
-      };
-    } else if ((0, import_ssi_sdk_ext.isManagedIdentifierX5cOpts)(idOpts1)) {
-      issuer = {
-        ...idOpts1,
-        method: idOpts1.method,
-        noIdentifierInHeader: false
-      };
-    } else {
-      return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
-    }
-    const result = await context.agent.jwtCreateJwsCompactSignature({
-      issuer,
-      protectedHeader: jwt.header,
-      payload: jwt.payload
-    });
-    return result.jwt;
-  };
-}
-__name(createJwtCallbackWithIdOpts, "createJwtCallbackWithIdOpts");
-function createJwtCallbackWithOpOpts(opOpts, context) {
-  return async (jwtIssuer, jwt) => {
-    let identifier;
-    if (jwtIssuer.method == "did") {
-      identifier = jwtIssuer.didUrl;
-    } else if (jwtIssuer.method == "x5c") {
-      identifier = jwtIssuer.x5c;
-    } else {
-      return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
-    }
-    const result = await context.agent.jwtCreateJwsCompactSignature({
-      // FIXME fix cose-key inference
-      // @ts-ignore
-      issuer: {
-        identifier,
-        kmsKeyRef: idOpts.kmsKeyRef,
-        noIdentifierInHeader: false
-      },
-      // FIXME fix JWK key_ops
-      // @ts-ignore
-      protectedHeader: jwt.header,
-      payload: jwt.payload
-    });
-    return result.jwt;
-  };
-}
-__name(createJwtCallbackWithOpOpts, "createJwtCallbackWithOpOpts");
-function getVerifyJwtCallback(_opts, context) {
-  return async (_jwtVerifier, jwt) => {
-    const result = await context.agent.jwtVerifyJwsSignature({
-      jws: jwt.raw
-    });
-    console.log(result.message);
-    return !result.error;
-  };
-}
-__name(getVerifyJwtCallback, "getVerifyJwtCallback");
-async function createOP({ opOptions, idOpts: idOpts1, context }) {
-  return (await createOPBuilder({
-    opOptions,
-    idOpts: idOpts1,
-    context
-  })).build();
-}
-__name(createOP, "createOP");
-function getSigningAlgo(type) {
-  switch (type) {
-    case "Ed25519":
-      return import_oid4vc_common.SigningAlgo.EDDSA;
-    case "Secp256k1":
-      return import_oid4vc_common.SigningAlgo.ES256K;
-    case "Secp256r1":
-      return import_oid4vc_common.SigningAlgo.ES256;
-    // @ts-ignore
-    case "RSA":
-      return import_oid4vc_common.SigningAlgo.RS256;
-    default:
-      throw Error("Key type not yet supported");
-  }
-}
-__name(getSigningAlgo, "getSigningAlgo");
-// src/session/OID4VP.ts
-var OID4VP = class _OID4VP {
-  static {
-    __name(this, "OID4VP");
-  }
-  //private readonly session: OpSession
-  // private readonly allIdentifiers: string[]
-  // private readonly hasher?: HasherSync
-  constructor(args) {
-  }
-  static async init(session, allIdentifiers, hasher) {
-    return new _OID4VP({
-      session,
-      allIdentifiers: allIdentifiers ?? await session.getSupportedDIDs(),
-      hasher
-    });
-  }
-};
-// src/session/OpSession.ts
-var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
-var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.did-utils");
-var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
-var import_ssi_types = require("@sphereon/ssi-types");
-var import_uuid = require("uuid");
-var import_ssi_types2 = require("@sphereon/ssi-types");
-var logger = import_ssi_types2.Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
-var OpSession = class _OpSession {
-  static {
-    __name(this, "OpSession");
-  }
-  ts = (/* @__PURE__ */ new Date()).getDate();
-  id;
-  options;
-  context;
-  requestJwtOrUri;
-  verifiedAuthorizationRequest;
-  _nonce;
-  _state;
-  constructor(options) {
-    this.id = options.sessionId;
-    this.options = options.op;
-    this.context = options.context;
-    this.requestJwtOrUri = options.requestJwtOrUri;
-  }
-  static async init(options) {
-    return new _OpSession(options);
-  }
-  async getAuthorizationRequest() {
-    if (!this.verifiedAuthorizationRequest) {
-      const op = await createOP({
-        opOptions: this.options,
-        context: this.context
-      });
-      this.verifiedAuthorizationRequest = await op.verifyAuthorizationRequest(this.requestJwtOrUri);
-      this._nonce = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("nonce");
-      this._state = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("state");
-      await this.getSupportedDIDMethods();
-    }
-    return this.verifiedAuthorizationRequest;
-  }
-  async getAuthorizationRequestURI() {
-    return await import_did_auth_siop2.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
-  }
-  get nonce() {
-    if (!this._nonce) {
-      throw Error("No nonce available. Please get authorization request first");
-    }
-    return this._nonce;
-  }
-  get state() {
-    if (!this._state) {
-      throw Error("No state available. Please get authorization request first");
-    }
-    return this._state;
-  }
-  clear() {
-    this._nonce = void 0;
-    this._state = void 0;
-    this.verifiedAuthorizationRequest = void 0;
-    return this;
-  }
-  async getSupportedDIDMethods(didPrefix) {
-    const agentMethods = this.getAgentDIDMethodsSupported({
-      didPrefix
-    });
-    let rpMethods = await this.getRPDIDMethodsSupported({
-      didPrefix,
-      agentMethods
-    });
-    logger.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
-    if (rpMethods.dids.length === 0) {
-      logger.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
-      return [];
-    }
-    let intersection;
-    if (rpMethods.dids.includes("did")) {
-      intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext2.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
-    } else if (!agentMethods || agentMethods.length === 0) {
-      intersection = rpMethods.dids?.map((method) => convertDidMethod(method, didPrefix));
-    } else {
-      intersection = agentMethods.filter((value) => rpMethods.dids.includes(value));
-    }
-    if (intersection.length === 0) {
-      throw Error("No matching DID methods between agent and relying party");
-    }
-    return intersection.map((value) => convertDidMethod(value, didPrefix));
-  }
-  getAgentDIDMethodsSupported(opts) {
-    const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix));
-    logger.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
-    return agentMethods;
-  }
-  async getSubjectSyntaxTypesSupported() {
-    const authReq = await this.getAuthorizationRequest();
-    const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported;
-    return subjectSyntaxTypesSupported ?? [];
-  }
-  async getRPDIDMethodsSupported(opts) {
-    let keyType;
-    const agentMethods = (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? [];
-    logger.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
-    const authReq = await this.getAuthorizationRequest();
-    const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) => convertDidMethod(method, opts.didPrefix)).filter((val) => !val.startsWith("did"));
-    logger.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
-    const aud = await authReq.authorizationRequest.getMergedProperty("aud");
-    let rpMethods = [];
-    if (aud && aud.startsWith("did:")) {
-      const didMethod = convertDidMethod((0, import_ssi_types.parseDid)(aud).method, opts.didPrefix);
-      logger.debug(`aud did method: ${didMethod}`);
-      if (subjectSyntaxTypesSupported && subjectSyntaxTypesSupported.length > 0 && !subjectSyntaxTypesSupported.includes("did") && !subjectSyntaxTypesSupported.includes(didMethod)) {
-        throw Error(`The aud DID method ${didMethod} is not in the supported types ${subjectSyntaxTypesSupported}`);
-      }
-      rpMethods = [
-        didMethod
-      ];
-    } else if (subjectSyntaxTypesSupported) {
-      rpMethods = (Array.isArray(subjectSyntaxTypesSupported) ? subjectSyntaxTypesSupported : [
-        subjectSyntaxTypesSupported
-      ]).map((method) => convertDidMethod(method, opts.didPrefix));
-    }
-    const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
-    let codecName = void 0;
-    if (isEBSI && (!aud || !aud.startsWith("http"))) {
-      logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
-      const didKeyMethod = convertDidMethod("did:key", opts.didPrefix);
-      if (!agentMethods?.includes(didKeyMethod)) {
-        throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`);
-      }
-      rpMethods = [
-        didKeyMethod
-      ];
-      keyType = "Secp256r1";
-      codecName = "jwk_jcs-pub";
-    }
-    return {
-      dids: rpMethods,
-      codecName,
-      keyType
-    };
-  }
-  async getSupportedIdentifiers(opts) {
-    const methods = await this.getSupportedDIDMethods(true);
-    logger.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
-    if (methods.length === 0) {
-      throw Error(`No DID methods are supported`);
-    }
-    const identifiers = await this.context.agent.didManagerFind().then((ids) => ids.filter((id) => methods.includes(id.provider)));
-    if (identifiers.length === 0) {
-      logger.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
-      if (opts?.createInCaseNoDIDFound !== false) {
-        const { codecName, keyType } = await this.getRPDIDMethodsSupported({
-          didPrefix: true,
-          agentMethods: methods
-        });
-        const identifier = await this.context.agent.didManagerCreate({
-          provider: methods[0],
-          options: {
-            codecName,
-            keyType,
-            type: keyType
-          }
-        });
-        logger.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
-        identifiers.push(identifier);
-      }
-    }
-    logger.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
-    return identifiers;
-  }
-  async getSupportedDIDs() {
-    return (await this.getSupportedIdentifiers()).map((id) => id.did);
-  }
-  async getRedirectUri() {
-    return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
-  }
-  async getOID4VP(args) {
-    return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
-  }
-  async createJarmResponseCallback({ responseOpts }) {
-    const agent = this.context.agent;
-    return /* @__PURE__ */ __name(async function jarmResponse(opts) {
-      const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
-      const jwk = await import_did_auth_siop2.OP.extractEncJwksFromClientMetadata(clientMetadata);
-      const recipientKey = await agent.identifierExternalResolveByJwk({
-        identifier: jwk
-      });
-      return await agent.jwtEncryptJweCompactJwt({
-        recipientKey,
-        protectedHeader: {},
-        alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
-        enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
-        apv: (0, import_ssi_sdk2.encodeBase64url)(opts.requestObjectPayload.nonce),
-        apu: (0, import_ssi_sdk2.encodeBase64url)((0, import_uuid.v4)()),
-        payload: authResponse,
-        issuer: responseOpts.issuer,
-        audience: responseOpts.audience
-      }).then((result) => {
-        return {
-          response: result.jwt
-        };
-      });
-    }, "jarmResponse");
-  }
-  async sendAuthorizationResponse(args) {
-    const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
-    const resolveOpts = this.options.resolveOpts ?? {
-      resolver: (0, import_ssi_sdk_ext2.getAgentResolver)(this.context, {
-        uniresolverResolution: true,
-        localResolution: true,
-        resolverResolution: true
-      })
-    };
-    if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
-      resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
-    }
-    const request = await this.getAuthorizationRequest();
-    const op = await createOP({
-      opOptions: {
-        ...this.options,
-        resolveOpts: {
-          ...this.options.resolveOpts
-        },
-        eventEmitter: this.options.eventEmitter,
-        presentationSignCallback: this.options.presentationSignCallback,
-        wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
-        supportedVersions: request.versions
-      },
-      idOpts: responseSignerOpts,
-      context: this.context
-    });
-    let issuer = responseSignerOpts.issuer;
-    const responseOpts = {
-      issuer,
-      ...isFirstParty && {
-        isFirstParty
-      },
-      dcqlResponse
-    };
-    const authResponse = await op.createAuthorizationResponse(request, responseOpts);
-    const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
-      responseOpts
-    }));
-    if (response.status >= 400) {
-      throw Error(`Error ${response.status}: ${response.statusText || await response.text()}`);
-    } else {
-      return response;
-    }
-  }
-};
-function convertDidMethod(didMethod, didPrefix) {
-  if (didPrefix === false) {
-    return didMethod.startsWith("did:") ? didMethod.toLowerCase().replace("did:", "") : didMethod.toLowerCase();
-  }
-  return didMethod.startsWith("did:") ? didMethod.toLowerCase() : `did:${didMethod.toLowerCase().replace("did:", "")}`;
-}
-__name(convertDidMethod, "convertDidMethod");
+// src/machine/Siopv2Machine.ts
+var import_xstate = require("xstate");
+// src/localization/Localization.ts
+var import_i18n_js = __toESM(require("i18n-js"), 1);
+var import_lodash = __toESM(require("lodash.memoize"), 1);
 // src/types/IDidAuthSiopOpAuthenticator.ts
 var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
@@ -933,12 +509,7 @@ var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
 // src/types/identifier/index.ts
 var DID_PREFIX = "did";
-// src/machine/Siopv2Machine.ts
-var import_xstate = require("xstate");
 // src/localization/Localization.ts
-var import_i18n_js = __toESM(require("i18n-js"), 1);
-var import_lodash = __toESM(require("lodash.memoize"), 1);
 var Localization = class Localization2 {
   static {
     __name(this, "Localization");
@@ -978,8 +549,8 @@ var Localization = class Localization2 {
 var translate = Localization.translate;
 // src/machine/Siopv2Machine.ts
-var import_ssi_types3 = require("@sphereon/ssi-types");
-var logger2 = import_ssi_types3.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
+var import_ssi_types = require("@sphereon/ssi-types");
+var logger = import_ssi_types.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
 var Siopv2HasNoContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
   const { contact } = _ctx;
   return contact === void 0;
@@ -1111,7 +682,120 @@ var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
             target: Siopv2MachineStates.handleError,
             actions: (0, import_xstate.assign)({
               error: /* @__PURE__ */ __name((_ctx, _event) => ({
-                title: translate("siopv2_machine_retrieve_contact_error_title"),
+                title: translate("siopv2_machine_retrieve_contact_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.transitionFromSetup]: {
+        id: Siopv2MachineStates.transitionFromSetup,
+        always: [
+          {
+            target: Siopv2MachineStates.addContact,
+            cond: Siopv2MachineGuards.hasNoContactGuard
+          },
+          {
+            target: Siopv2MachineStates.sendResponse,
+            cond: Siopv2MachineGuards.siopOnlyGuard
+          },
+          {
+            target: Siopv2MachineStates.getSelectableCredentials,
+            cond: Siopv2MachineGuards.hasSelectableCredentialsAndContactGuard
+          },
+          {
+            target: Siopv2MachineStates.selectCredentials,
+            cond: Siopv2MachineGuards.siopWithOID4VPGuard
+          }
+        ]
+      },
+      [Siopv2MachineStates.addContact]: {
+        id: Siopv2MachineStates.addContact,
+        initial: Siopv2MachineAddContactStates.idle,
+        on: {
+          [Siopv2MachineEvents.SET_CONTACT_CONSENT]: {
+            actions: (0, import_xstate.assign)({
+              hasContactConsent: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "hasContactConsent")
+            })
+          },
+          [Siopv2MachineEvents.SET_CONTACT_ALIAS]: {
+            actions: (0, import_xstate.assign)({
+              contactAlias: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contactAlias")
+            })
+          },
+          [Siopv2MachineEvents.CREATE_CONTACT]: {
+            target: `.${Siopv2MachineAddContactStates.next}`,
+            actions: (0, import_xstate.assign)({
+              contact: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contact")
+            }),
+            cond: Siopv2MachineGuards.createContactGuard
+          },
+          [Siopv2MachineEvents.DECLINE]: {
+            target: Siopv2MachineStates.declined
+          },
+          [Siopv2MachineEvents.PREVIOUS]: {
+            target: Siopv2MachineStates.aborted
+          }
+        },
+        states: {
+          [Siopv2MachineAddContactStates.idle]: {},
+          [Siopv2MachineAddContactStates.next]: {
+            always: {
+              target: `#${Siopv2MachineStates.transitionFromSetup}`,
+              cond: Siopv2MachineGuards.hasContactGuard
+            }
+          }
+        }
+      },
+      [Siopv2MachineStates.addContactIdentity]: {
+        id: Siopv2MachineStates.addContactIdentity,
+        invoke: {
+          src: Siopv2MachineServices.addContactIdentity,
+          onDone: [
+            {
+              target: Siopv2MachineStates.getSelectableCredentials,
+              actions: /* @__PURE__ */ __name((_ctx, _event) => {
+                _ctx.contact?.identities.push(_event.data);
+              }, "actions"),
+              cond: Siopv2MachineGuards.hasSelectableCredentialsAndContactGuard
+            },
+            {
+              target: Siopv2MachineStates.sendResponse,
+              actions: /* @__PURE__ */ __name((_ctx, _event) => {
+                _ctx.contact?.identities.push(_event.data);
+              }, "actions"),
+              cond: Siopv2MachineGuards.siopOnlyGuard
+            }
+          ],
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: (0, import_xstate.assign)({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_add_contact_identity_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.getSelectableCredentials]: {
+        id: Siopv2MachineStates.getSelectableCredentials,
+        invoke: {
+          src: Siopv2MachineServices.getSelectableCredentials,
+          onDone: {
+            target: Siopv2MachineStates.selectCredentials,
+            actions: (0, import_xstate.assign)({
+              selectableCredentialsMap: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectableCredentialsMap")
+            })
+          },
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: (0, import_xstate.assign)({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_get_selectable_credentials_error_title"),
                 message: _event.data.message,
                 stack: _event.data.stack
               }), "error")
@@ -1119,454 +803,772 @@ var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
           }
         }
       },
-      [Siopv2MachineStates.transitionFromSetup]: {
-        id: Siopv2MachineStates.transitionFromSetup,
-        always: [
-          {
-            target: Siopv2MachineStates.addContact,
-            cond: Siopv2MachineGuards.hasNoContactGuard
+      [Siopv2MachineStates.selectCredentials]: {
+        id: Siopv2MachineStates.selectCredentials,
+        on: {
+          [Siopv2MachineEvents.SET_SELECTED_CREDENTIALS]: {
+            actions: (0, import_xstate.assign)({
+              selectedCredentials: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectedCredentials")
+            })
           },
-          {
+          [Siopv2MachineEvents.NEXT]: {
             target: Siopv2MachineStates.sendResponse,
-            cond: Siopv2MachineGuards.siopOnlyGuard
+            cond: Siopv2MachineGuards.hasSelectedRequiredCredentialsGuard
           },
-          {
-            target: Siopv2MachineStates.getSelectableCredentials,
-            cond: Siopv2MachineGuards.hasSelectableCredentialsAndContactGuard
+          [Siopv2MachineEvents.DECLINE]: {
+            target: Siopv2MachineStates.declined
           },
-          {
-            target: Siopv2MachineStates.selectCredentials,
-            cond: Siopv2MachineGuards.siopWithOID4VPGuard
+          [Siopv2MachineEvents.PREVIOUS]: {
+            target: Siopv2MachineStates.aborted
           }
-        ]
+        }
       },
-      [Siopv2MachineStates.addContact]: {
-        id: Siopv2MachineStates.addContact,
-        initial: Siopv2MachineAddContactStates.idle,
-        on: {
-          [Siopv2MachineEvents.SET_CONTACT_CONSENT]: {
+      [Siopv2MachineStates.sendResponse]: {
+        id: Siopv2MachineStates.sendResponse,
+        invoke: {
+          src: Siopv2MachineServices.sendResponse,
+          onDone: {
+            target: Siopv2MachineStates.done,
             actions: (0, import_xstate.assign)({
-              hasContactConsent: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "hasContactConsent")
+              authorizationResponseData: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "authorizationResponseData")
             })
           },
-          [Siopv2MachineEvents.SET_CONTACT_ALIAS]: {
+          onError: {
+            target: Siopv2MachineStates.handleError,
             actions: (0, import_xstate.assign)({
-              contactAlias: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contactAlias")
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_send_response_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
             })
-          },
-          [Siopv2MachineEvents.CREATE_CONTACT]: {
-            target: `.${Siopv2MachineAddContactStates.next}`,
-            actions: (0, import_xstate.assign)({
-              contact: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contact")
-            }),
-            cond: Siopv2MachineGuards.createContactGuard
-          },
-          [Siopv2MachineEvents.DECLINE]: {
-            target: Siopv2MachineStates.declined
+          }
+        }
+      },
+      [Siopv2MachineStates.handleError]: {
+        id: Siopv2MachineStates.handleError,
+        on: {
+          [Siopv2MachineEvents.NEXT]: {
+            target: Siopv2MachineStates.error
           },
           [Siopv2MachineEvents.PREVIOUS]: {
-            target: Siopv2MachineStates.aborted
+            target: Siopv2MachineStates.error
           }
-        },
-        states: {
-          [Siopv2MachineAddContactStates.idle]: {},
-          [Siopv2MachineAddContactStates.next]: {
-            always: {
-              target: `#${Siopv2MachineStates.transitionFromSetup}`,
-              cond: Siopv2MachineGuards.hasContactGuard
+        }
+      },
+      [Siopv2MachineStates.aborted]: {
+        id: Siopv2MachineStates.aborted,
+        type: "final"
+      },
+      [Siopv2MachineStates.declined]: {
+        id: Siopv2MachineStates.declined,
+        type: "final"
+      },
+      [Siopv2MachineStates.error]: {
+        id: Siopv2MachineStates.error,
+        type: "final"
+      },
+      [Siopv2MachineStates.done]: {
+        id: Siopv2MachineStates.done,
+        type: "final"
+      }
+    }
+  });
+}, "createSiopv2Machine");
+var Siopv2Machine = class {
+  static {
+    __name(this, "Siopv2Machine");
+  }
+  static newInstance(opts) {
+    logger.info("New Siopv2Machine instance");
+    const interpreter = (0, import_xstate.interpret)(createSiopv2Machine(opts).withConfig({
+      services: {
+        ...opts?.services
+      },
+      guards: {
+        Siopv2HasNoContactGuard,
+        Siopv2HasContactGuard,
+        Siopv2HasAuthorizationRequestGuard,
+        Siopv2HasSelectableCredentialsAndContactGuard,
+        Siopv2HasSelectedRequiredCredentialsGuard,
+        Siopv2IsSiopOnlyGuard,
+        Siopv2IsSiopWithOID4VPGuard,
+        Siopv2CreateContactGuard,
+        ...opts?.guards
+      }
+    }));
+    if (typeof opts?.subscription === "function") {
+      interpreter.onTransition(opts.subscription);
+    }
+    if (opts?.requireCustomNavigationHook !== true) {
+      interpreter.onTransition((snapshot) => {
+        if (opts.stateNavigationListener !== void 0) {
+          void opts.stateNavigationListener(interpreter, snapshot);
+        }
+      });
+    }
+    interpreter.onTransition((snapshot) => {
+      logger.info("onTransition to new state", snapshot.value);
+    });
+    return {
+      interpreter
+    };
+  }
+};
+// src/services/Siopv2MachineService.ts
+var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
+var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.identifier-resolution");
+var import_ssi_sdk = require("@sphereon/ssi-sdk.credential-store");
+var import_ssi_sdk2 = require("@sphereon/ssi-sdk.data-store");
+var import_ssi_types4 = require("@sphereon/ssi-types");
+var import_ssi_sdk3 = require("@sphereon/ssi-sdk.core");
+var import_dcql = require("dcql");
+// src/utils/dcql.ts
+var import_ssi_types3 = require("@sphereon/ssi-types");
+var import_did_auth_siop = require("@sphereon/did-auth-siop");
+// src/utils/CredentialUtils.ts
+var import_ssi_types2 = require("@sphereon/ssi-types");
+var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
+  return credential.digitalCredential !== void 0;
+}, "isUniqueDigitalCredential");
+// src/utils/dcql.ts
+function convertToDcqlCredentials(credential, hasher) {
+  let originalVerifiableCredential;
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
+    }
+    originalVerifiableCredential = import_ssi_types3.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
+  } else {
+    originalVerifiableCredential = import_ssi_types3.CredentialMapper.decodeVerifiableCredential(credential, hasher);
+  }
+  if (!originalVerifiableCredential) {
+    throw new Error("No payload found");
+  }
+  if (import_ssi_types3.CredentialMapper.isJwtDecodedCredential(originalVerifiableCredential)) {
+    return import_did_auth_siop.Dcql.toDcqlJwtCredential(import_ssi_types3.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (import_ssi_types3.CredentialMapper.isSdJwtDecodedCredential(originalVerifiableCredential)) {
+    return import_did_auth_siop.Dcql.toDcqlSdJwtCredential(import_ssi_types3.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (import_ssi_types3.CredentialMapper.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
+    return import_did_auth_siop.Dcql.toDcqlMdocCredential(import_ssi_types3.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (import_ssi_types3.CredentialMapper.isW3cCredential(originalVerifiableCredential)) {
+    return import_did_auth_siop.Dcql.toDcqlJsonLdCredential(import_ssi_types3.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
+  }
+  throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
+}
+__name(convertToDcqlCredentials, "convertToDcqlCredentials");
+// src/services/Siopv2MachineService.ts
+var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.did-utils");
+var logger2 = import_ssi_types4.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
+var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
+  const { agent } = context;
+  const { credentials } = args;
+  if (connectionType !== import_ssi_sdk2.ConnectionType.SIOPv2_OpenID4VP) {
+    return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
+  }
+  const session = await agent.siopGetOPSession({
+    sessionId: args.sessionId
+  });
+  const request = await session.getAuthorizationRequest();
+  const aud = request.authorizationRequest.getMergedProperty("aud");
+  logger2.debug(`AUD: ${aud}`);
+  logger2.debug(JSON.stringify(request.authorizationRequest));
+  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop2.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
+  logger2.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
+  const firstUniqueDC = credentials[0];
+  if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
+    return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
+  }
+  let identifier;
+  const digitalCredential = firstUniqueDC.digitalCredential;
+  const firstVC = firstUniqueDC.uniformVerifiableCredential;
+  const holder = import_ssi_types4.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
+    //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+    `did:jwk:${(0, import_ssi_sdk3.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
+  ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
+  if (!digitalCredential.kmsKeyRef) {
+    if (!holder) {
+      return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
+    }
+    try {
+      identifier = await session.context.agent.identifierManagedGet({
+        identifier: holder
+      });
+    } catch (e) {
+      logger2.debug(`Holder DID not found: ${holder}`);
+      throw e;
+    }
+  } else if ((0, import_ssi_sdk_ext.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
+    identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+      identifier: firstUniqueDC.digitalCredential.kmsKeyRef
+    });
+  } else {
+    switch (digitalCredential.subjectCorrelationType) {
+      case "DID":
+        identifier = await session.context.agent.identifierManagedGetByDid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder,
+          kmsKeyRef: digitalCredential.kmsKeyRef
+        });
+        break;
+      // TODO other implementations?
+      default:
+        identifier = await session.context.agent.identifierManagedGetByKid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+          kmsKeyRef: digitalCredential.kmsKeyRef
+        });
+    }
+  }
+  const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
+    convertToDcqlCredentials(vc),
+    vc
+  ]));
+  const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
+  if (!queryResult.can_be_satisfied) {
+    return Promise.reject(Error("Credentials do not match required query request"));
+  }
+  const presentation = {};
+  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
+  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+    if (value.success) {
+      const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
+      const vc = matchedCredentials[0];
+      if (!vc) {
+        continue;
+      }
+      const originalVc = retrieveEncodedCredential(vc);
+      if (!originalVc) {
+        continue;
+      }
+      if (originalVc) {
+        presentation[key] = originalVc;
+      }
+    }
+  }
+  const dcqlPresentation = import_dcql.DcqlPresentation.parse(presentation);
+  const response = session.sendAuthorizationResponse({
+    responseSignerOpts: identifier,
+    dcqlResponse: {
+      dcqlPresentation
+    }
+  });
+  logger2.debug(`Response: `, response);
+  return response;
+}, "siopSendAuthorizationResponse");
+var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
+  return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
+}, "retrieveEncodedCredential");
+var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
+  const agentContext = {
+    ...context,
+    agent: context.agent
+  };
+  const { agent } = agentContext;
+  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
+    filter: (0, import_ssi_sdk.verifiableCredentialForRoleFilter)(import_ssi_sdk2.CredentialRole.HOLDER)
+  });
+  const branding = await agent.ibGetCredentialBranding();
+  const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
+    convertToDcqlCredentials(vc),
+    vc
+  ]));
+  const queryResult = import_dcql.DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
+  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
+  const selectableCredentialsMap = /* @__PURE__ */ new Map();
+  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+    if (!value.valid_credentials) {
+      continue;
+    }
+    const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
+      const matchedCredential = uniqueCredentials[cred.input_credential_index];
+      const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
+      const issuerPartyIdentity = await agent.cmGetContacts({
+        filter: [
+          {
+            identities: {
+              identifier: {
+                correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
+              }
             }
           }
-        }
-      },
-      [Siopv2MachineStates.addContactIdentity]: {
-        id: Siopv2MachineStates.addContactIdentity,
-        invoke: {
-          src: Siopv2MachineServices.addContactIdentity,
-          onDone: [
-            {
-              target: Siopv2MachineStates.getSelectableCredentials,
-              actions: /* @__PURE__ */ __name((_ctx, _event) => {
-                _ctx.contact?.identities.push(_event.data);
-              }, "actions"),
-              cond: Siopv2MachineGuards.hasSelectableCredentialsAndContactGuard
-            },
-            {
-              target: Siopv2MachineStates.sendResponse,
-              actions: /* @__PURE__ */ __name((_ctx, _event) => {
-                _ctx.contact?.identities.push(_event.data);
-              }, "actions"),
-              cond: Siopv2MachineGuards.siopOnlyGuard
+        ]
+      });
+      const subjectPartyIdentity = await agent.cmGetContacts({
+        filter: [
+          {
+            identities: {
+              identifier: {
+                correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
+              }
             }
-          ],
-          onError: {
-            target: Siopv2MachineStates.handleError,
-            actions: (0, import_xstate.assign)({
-              error: /* @__PURE__ */ __name((_ctx, _event) => ({
-                title: translate("siopv2_machine_add_contact_identity_error_title"),
-                message: _event.data.message,
-                stack: _event.data.stack
-              }), "error")
-            })
-          }
-        }
-      },
-      [Siopv2MachineStates.getSelectableCredentials]: {
-        id: Siopv2MachineStates.getSelectableCredentials,
-        invoke: {
-          src: Siopv2MachineServices.getSelectableCredentials,
-          onDone: {
-            target: Siopv2MachineStates.selectCredentials,
-            actions: (0, import_xstate.assign)({
-              selectableCredentialsMap: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectableCredentialsMap")
-            })
-          },
-          onError: {
-            target: Siopv2MachineStates.handleError,
-            actions: (0, import_xstate.assign)({
-              error: /* @__PURE__ */ __name((_ctx, _event) => ({
-                title: translate("siopv2_machine_get_selectable_credentials_error_title"),
-                message: _event.data.message,
-                stack: _event.data.stack
-              }), "error")
-            })
-          }
-        }
-      },
-      [Siopv2MachineStates.selectCredentials]: {
-        id: Siopv2MachineStates.selectCredentials,
-        on: {
-          [Siopv2MachineEvents.SET_SELECTED_CREDENTIALS]: {
-            actions: (0, import_xstate.assign)({
-              selectedCredentials: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectedCredentials")
-            })
-          },
-          [Siopv2MachineEvents.NEXT]: {
-            target: Siopv2MachineStates.sendResponse,
-            cond: Siopv2MachineGuards.hasSelectedRequiredCredentialsGuard
-          },
-          [Siopv2MachineEvents.DECLINE]: {
-            target: Siopv2MachineStates.declined
-          },
-          [Siopv2MachineEvents.PREVIOUS]: {
-            target: Siopv2MachineStates.aborted
-          }
-        }
-      },
-      [Siopv2MachineStates.sendResponse]: {
-        id: Siopv2MachineStates.sendResponse,
-        invoke: {
-          src: Siopv2MachineServices.sendResponse,
-          onDone: {
-            target: Siopv2MachineStates.done,
-            actions: (0, import_xstate.assign)({
-              authorizationResponseData: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "authorizationResponseData")
-            })
-          },
-          onError: {
-            target: Siopv2MachineStates.handleError,
-            actions: (0, import_xstate.assign)({
-              error: /* @__PURE__ */ __name((_ctx, _event) => ({
-                title: translate("siopv2_machine_send_response_error_title"),
-                message: _event.data.message,
-                stack: _event.data.stack
-              }), "error")
-            })
           }
-        }
-      },
-      [Siopv2MachineStates.handleError]: {
-        id: Siopv2MachineStates.handleError,
-        on: {
-          [Siopv2MachineEvents.NEXT]: {
-            target: Siopv2MachineStates.error
-          },
-          [Siopv2MachineEvents.PREVIOUS]: {
-            target: Siopv2MachineStates.error
+        ]
+      });
+      return {
+        credential: matchedCredential,
+        credentialBranding: credentialBranding[0]?.localeBranding,
+        issuerParty: issuerPartyIdentity?.[0],
+        subjectParty: subjectPartyIdentity?.[0]
+      };
+    });
+    const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
+    selectableCredentialsMap.set(key, selectableCredentials);
+  }
+  return selectableCredentialsMap;
+}, "getSelectableCredentials");
+var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId, context) => {
+  const { agent } = context;
+  const contacts = await agent.cmGetContacts({
+    filter: [
+      {
+        identities: {
+          identifier: {
+            correlationId
           }
         }
-      },
-      [Siopv2MachineStates.aborted]: {
-        id: Siopv2MachineStates.aborted,
-        type: "final"
-      },
-      [Siopv2MachineStates.declined]: {
-        id: Siopv2MachineStates.declined,
-        type: "final"
-      },
-      [Siopv2MachineStates.error]: {
-        id: Siopv2MachineStates.error,
-        type: "final"
-      },
-      [Siopv2MachineStates.done]: {
-        id: Siopv2MachineStates.done,
-        type: "final"
       }
-    }
+    ]
   });
-}, "createSiopv2Machine");
-var Siopv2Machine = class {
-  static {
-    __name(this, "Siopv2Machine");
+  if (contacts.length === 0) {
+    return void 0;
   }
-  static newInstance(opts) {
-    logger2.info("New Siopv2Machine instance");
-    const interpreter = (0, import_xstate.interpret)(createSiopv2Machine(opts).withConfig({
-      services: {
-        ...opts?.services
-      },
-      guards: {
-        Siopv2HasNoContactGuard,
-        Siopv2HasContactGuard,
-        Siopv2HasAuthorizationRequestGuard,
-        Siopv2HasSelectableCredentialsAndContactGuard,
-        Siopv2HasSelectedRequiredCredentialsGuard,
-        Siopv2IsSiopOnlyGuard,
-        Siopv2IsSiopWithOID4VPGuard,
-        Siopv2CreateContactGuard,
-        ...opts?.guards
-      }
+  return contacts[0].contact.displayName;
+}, "translateCorrelationIdToName");
+// src/session/functions.ts
+var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
+var import_oid4vc_common = require("@sphereon/oid4vc-common");
+var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
+var import_ssi_sdk4 = require("@sphereon/ssi-sdk.presentation-exchange");
+var import_events = require("events");
+async function createOID4VPPresentationSignCallback({ presentationSignCallback, idOpts: idOpts1, domain, fetchRemoteContexts, challenge, format, context, skipDidResolution }) {
+  if (typeof presentationSignCallback === "function") {
+    return presentationSignCallback;
+  }
+  return (0, import_ssi_sdk4.createPEXPresentationSignCallback)({
+    idOpts: idOpts1,
+    fetchRemoteContexts,
+    domain,
+    challenge,
+    format,
+    skipDidResolution
+  }, context);
+}
+__name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallback");
+async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
+  const eventEmitter = opOptions.eventEmitter ?? new import_events.EventEmitter();
+  const builder = import_did_auth_siop3.OP.builder().withResponseMode(opOptions.responseMode ?? import_did_auth_siop3.ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
+    import_did_auth_siop3.SupportedVersion.SIOPv2_ID1,
+    import_did_auth_siop3.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
+    import_did_auth_siop3.SupportedVersion.SIOPv2_D11,
+    import_did_auth_siop3.SupportedVersion.SIOPv2_D12_OID4VP_D18
+  ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
+    passBy: import_did_auth_siop3.PassBy.VALUE
+  });
+  const wellknownDIDVerifyCallback = opOptions.wellknownDIDVerifyCallback ? opOptions.wellknownDIDVerifyCallback : async (args) => {
+    const result = await context.agent.cvVerifyCredential({
+      credential: args.credential,
+      fetchRemoteContexts: true
+    });
+    return {
+      verified: result.result
+    };
+  };
+  builder.withVerifyJwtCallback(opOptions.verifyJwtCallback ? opOptions.verifyJwtCallback : getVerifyJwtCallback({
+    verifyOpts: {
+      wellknownDIDVerifyCallback,
+      checkLinkedDomain: "if_present"
+    }
+  }, context));
+  if (idOpts1) {
+    if (opOptions.skipDidResolution && (0, import_ssi_sdk_ext3.isManagedIdentifierDidOpts)(idOpts1)) {
+      idOpts1.offlineWhenNoDIDRegistered = true;
+    }
+    const createJwtCallback = createJwtCallbackWithIdOpts(idOpts1, context);
+    builder.withCreateJwtCallback(createJwtCallback);
+    builder.withPresentationSignCallback(await createOID4VPPresentationSignCallback({
+      presentationSignCallback: opOptions.presentationSignCallback,
+      skipDidResolution: opOptions.skipDidResolution ?? false,
+      idOpts: idOpts1,
+      context
     }));
-    if (typeof opts?.subscription === "function") {
-      interpreter.onTransition(opts.subscription);
+  } else {
+    const createJwtCallback = createJwtCallbackWithOpOpts(opOptions, context);
+    builder.withCreateJwtCallback(createJwtCallback);
+  }
+  return builder;
+}
+__name(createOPBuilder, "createOPBuilder");
+function createJwtCallbackWithIdOpts(idOpts1, context) {
+  return async (jwtIssuer, jwt) => {
+    let issuer;
+    if ((0, import_ssi_sdk_ext3.isManagedIdentifierDidOpts)(idOpts1)) {
+      issuer = {
+        ...idOpts1,
+        method: idOpts1.method,
+        noIdentifierInHeader: false
+      };
+    } else if ((0, import_ssi_sdk_ext3.isManagedIdentifierX5cOpts)(idOpts1)) {
+      issuer = {
+        ...idOpts1,
+        method: idOpts1.method,
+        noIdentifierInHeader: false
+      };
+    } else {
+      return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
     }
-    if (opts?.requireCustomNavigationHook !== true) {
-      interpreter.onTransition((snapshot) => {
-        if (opts.stateNavigationListener !== void 0) {
-          void opts.stateNavigationListener(interpreter, snapshot);
-        }
-      });
+    const result = await context.agent.jwtCreateJwsCompactSignature({
+      issuer,
+      protectedHeader: jwt.header,
+      payload: jwt.payload
+    });
+    return result.jwt;
+  };
+}
+__name(createJwtCallbackWithIdOpts, "createJwtCallbackWithIdOpts");
+function createJwtCallbackWithOpOpts(opOpts, context) {
+  return async (jwtIssuer, jwt) => {
+    let identifier;
+    if (jwtIssuer.method == "did") {
+      identifier = jwtIssuer.didUrl;
+    } else if (jwtIssuer.method == "x5c") {
+      identifier = jwtIssuer.x5c;
+    } else {
+      return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
     }
-    interpreter.onTransition((snapshot) => {
-      logger2.info("onTransition to new state", snapshot.value);
+    const result = await context.agent.jwtCreateJwsCompactSignature({
+      // FIXME fix cose-key inference
+      // @ts-ignore
+      issuer: {
+        identifier,
+        kmsKeyRef: idOpts.kmsKeyRef,
+        noIdentifierInHeader: false
+      },
+      // FIXME fix JWK key_ops
+      // @ts-ignore
+      protectedHeader: jwt.header,
+      payload: jwt.payload
+    });
+    return result.jwt;
+  };
+}
+__name(createJwtCallbackWithOpOpts, "createJwtCallbackWithOpOpts");
+function getVerifyJwtCallback(_opts, context) {
+  return async (_jwtVerifier, jwt) => {
+    const result = await context.agent.jwtVerifyJwsSignature({
+      jws: jwt.raw
+    });
+    console.log(result.message);
+    return !result.error;
+  };
+}
+__name(getVerifyJwtCallback, "getVerifyJwtCallback");
+async function createOP({ opOptions, idOpts: idOpts1, context }) {
+  return (await createOPBuilder({
+    opOptions,
+    idOpts: idOpts1,
+    context
+  })).build();
+}
+__name(createOP, "createOP");
+function getSigningAlgo(type) {
+  switch (type) {
+    case "Ed25519":
+      return import_oid4vc_common.SigningAlgo.EDDSA;
+    case "Secp256k1":
+      return import_oid4vc_common.SigningAlgo.ES256K;
+    case "Secp256r1":
+      return import_oid4vc_common.SigningAlgo.ES256;
+    // @ts-ignore
+    case "RSA":
+      return import_oid4vc_common.SigningAlgo.RS256;
+    default:
+      throw Error("Key type not yet supported");
+  }
+}
+__name(getSigningAlgo, "getSigningAlgo");
+// src/session/OID4VP.ts
+var OID4VP = class _OID4VP {
+  static {
+    __name(this, "OID4VP");
+  }
+  //private readonly session: OpSession
+  // private readonly allIdentifiers: string[]
+  // private readonly hasher?: HasherSync
+  constructor(args) {
+  }
+  static async init(session, allIdentifiers, hasher) {
+    return new _OID4VP({
+      session,
+      allIdentifiers: allIdentifiers ?? await session.getSupportedDIDs(),
+      hasher
     });
-    return {
-      interpreter
-    };
   }
 };
-// src/services/Siopv2MachineService.ts
+// src/session/OpSession.ts
 var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
-var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
-var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-store");
-var import_ssi_sdk4 = require("@sphereon/ssi-sdk.data-store");
-var import_ssi_types6 = require("@sphereon/ssi-types");
+var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.did-utils");
 var import_ssi_sdk5 = require("@sphereon/ssi-sdk.core");
-var import_dcql = require("dcql");
-// src/utils/dcql.ts
 var import_ssi_types5 = require("@sphereon/ssi-types");
-var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
-// src/utils/CredentialUtils.ts
-var import_ssi_types4 = require("@sphereon/ssi-types");
-var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
-  return credential.digitalCredential !== void 0;
-}, "isUniqueDigitalCredential");
-// src/utils/dcql.ts
-function convertToDcqlCredentials(credential, hasher) {
-  let originalVerifiableCredential;
-  if (isUniqueDigitalCredential(credential)) {
-    if (!credential.originalVerifiableCredential) {
-      throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
-    }
-    originalVerifiableCredential = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
-  } else {
-    originalVerifiableCredential = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
+var import_uuid = require("uuid");
+var import_ssi_types6 = require("@sphereon/ssi-types");
+var logger3 = import_ssi_types6.Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
+var OpSession = class _OpSession {
+  static {
+    __name(this, "OpSession");
   }
-  if (!originalVerifiableCredential) {
-    throw new Error("No payload found");
+  ts = (/* @__PURE__ */ new Date()).getDate();
+  id;
+  options;
+  context;
+  requestJwtOrUri;
+  verifiedAuthorizationRequest;
+  _nonce;
+  _state;
+  constructor(options) {
+    this.id = options.sessionId;
+    this.options = options.op;
+    this.context = options.context;
+    this.requestJwtOrUri = options.requestJwtOrUri;
   }
-  if (import_ssi_types5.CredentialMapper.isJwtDecodedCredential(originalVerifiableCredential)) {
-    return import_did_auth_siop3.Dcql.toDcqlJwtCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
-  } else if (import_ssi_types5.CredentialMapper.isSdJwtDecodedCredential(originalVerifiableCredential)) {
-    return import_did_auth_siop3.Dcql.toDcqlSdJwtCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
-  } else if (import_ssi_types5.CredentialMapper.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
-    return import_did_auth_siop3.Dcql.toDcqlMdocCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
-  } else if (import_ssi_types5.CredentialMapper.isW3cCredential(originalVerifiableCredential)) {
-    return import_did_auth_siop3.Dcql.toDcqlJsonLdCredential(import_ssi_types5.CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential));
+  static async init(options) {
+    return new _OpSession(options);
   }
-  throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
-}
-__name(convertToDcqlCredentials, "convertToDcqlCredentials");
-// src/services/Siopv2MachineService.ts
-var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.did-utils");
-var logger3 = import_ssi_types6.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
-var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
-  const { agent } = context;
-  const { credentials } = args;
-  if (connectionType !== import_ssi_sdk4.ConnectionType.SIOPv2_OpenID4VP) {
-    return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
+  async getAuthorizationRequest() {
+    if (!this.verifiedAuthorizationRequest) {
+      const op = await createOP({
+        opOptions: this.options,
+        context: this.context
+      });
+      this.verifiedAuthorizationRequest = await op.verifyAuthorizationRequest(this.requestJwtOrUri);
+      this._nonce = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("nonce");
+      this._state = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("state");
+      await this.getSupportedDIDMethods();
+    }
+    return this.verifiedAuthorizationRequest;
   }
-  const session = await agent.siopGetOPSession({
-    sessionId: args.sessionId
-  });
-  const request = await session.getAuthorizationRequest();
-  const aud = request.authorizationRequest.getMergedProperty("aud");
-  logger3.debug(`AUD: ${aud}`);
-  logger3.debug(JSON.stringify(request.authorizationRequest));
-  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
-  logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
-  const firstUniqueDC = credentials[0];
-  if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
-    return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
+  async getAuthorizationRequestURI() {
+    return await import_did_auth_siop4.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
   }
-  let identifier;
-  const digitalCredential = firstUniqueDC.digitalCredential;
-  const firstVC = firstUniqueDC.uniformVerifiableCredential;
-  const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
-    //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-    `did:jwk:${(0, import_ssi_sdk5.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
-  ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
-  if (!digitalCredential.kmsKeyRef) {
-    if (!holder) {
-      return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
+  get nonce() {
+    if (!this._nonce) {
+      throw Error("No nonce available. Please get authorization request first");
     }
-    try {
-      identifier = await session.context.agent.identifierManagedGet({
-        identifier: holder
-      });
-    } catch (e) {
-      logger3.debug(`Holder DID not found: ${holder}`);
-      throw e;
+    return this._nonce;
+  }
+  get state() {
+    if (!this._state) {
+      throw Error("No state available. Please get authorization request first");
     }
-  } else if ((0, import_ssi_sdk_ext3.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
-    identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
-      identifier: firstUniqueDC.digitalCredential.kmsKeyRef
+    return this._state;
+  }
+  clear() {
+    this._nonce = void 0;
+    this._state = void 0;
+    this.verifiedAuthorizationRequest = void 0;
+    return this;
+  }
+  async getSupportedDIDMethods(didPrefix) {
+    const agentMethods = this.getAgentDIDMethodsSupported({
+      didPrefix
     });
-  } else {
-    switch (digitalCredential.subjectCorrelationType) {
-      case "DID":
-        identifier = await session.context.agent.identifierManagedGetByDid({
-          identifier: digitalCredential.subjectCorrelationId ?? holder,
-          kmsKeyRef: digitalCredential.kmsKeyRef
-        });
-        break;
-      // TODO other implementations?
-      default:
-        identifier = await session.context.agent.identifierManagedGetByKid({
-          identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-          kmsKeyRef: digitalCredential.kmsKeyRef
-        });
+    let rpMethods = await this.getRPDIDMethodsSupported({
+      didPrefix,
+      agentMethods
+    });
+    logger3.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
+    if (rpMethods.dids.length === 0) {
+      logger3.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
+      return [];
+    }
+    let intersection;
+    if (rpMethods.dids.includes("did")) {
+      intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext4.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
+    } else if (!agentMethods || agentMethods.length === 0) {
+      intersection = rpMethods.dids?.map((method) => convertDidMethod(method, didPrefix));
+    } else {
+      intersection = agentMethods.filter((value) => rpMethods.dids.includes(value));
     }
+    if (intersection.length === 0) {
+      throw Error("No matching DID methods between agent and relying party");
+    }
+    return intersection.map((value) => convertDidMethod(value, didPrefix));
   }
-  const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
-    convertToDcqlCredentials(vc),
-    vc
-  ]));
-  const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
-  if (!queryResult.can_be_satisfied) {
-    return Promise.reject(Error("Credentials do not match required query request"));
+  getAgentDIDMethodsSupported(opts) {
+    const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix));
+    logger3.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
+    return agentMethods;
   }
-  const presentation = {};
-  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
-  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-    if (value.success) {
-      const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
-      const vc = matchedCredentials[0];
-      if (!vc) {
-        continue;
-      }
-      const originalVc = retrieveEncodedCredential(vc);
-      if (!originalVc) {
-        continue;
+  async getSubjectSyntaxTypesSupported() {
+    const authReq = await this.getAuthorizationRequest();
+    const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported;
+    return subjectSyntaxTypesSupported ?? [];
+  }
+  async getRPDIDMethodsSupported(opts) {
+    let keyType;
+    const agentMethods = (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? [];
+    logger3.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
+    const authReq = await this.getAuthorizationRequest();
+    const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) => convertDidMethod(method, opts.didPrefix)).filter((val) => !val.startsWith("did"));
+    logger3.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
+    const aud = await authReq.authorizationRequest.getMergedProperty("aud");
+    let rpMethods = [];
+    if (aud && aud.startsWith("did:")) {
+      const didMethod = convertDidMethod((0, import_ssi_types5.parseDid)(aud).method, opts.didPrefix);
+      logger3.debug(`aud did method: ${didMethod}`);
+      if (subjectSyntaxTypesSupported && subjectSyntaxTypesSupported.length > 0 && !subjectSyntaxTypesSupported.includes("did") && !subjectSyntaxTypesSupported.includes(didMethod)) {
+        throw Error(`The aud DID method ${didMethod} is not in the supported types ${subjectSyntaxTypesSupported}`);
       }
-      if (originalVc) {
-        presentation[key] = originalVc;
+      rpMethods = [
+        didMethod
+      ];
+    } else if (subjectSyntaxTypesSupported) {
+      rpMethods = (Array.isArray(subjectSyntaxTypesSupported) ? subjectSyntaxTypesSupported : [
+        subjectSyntaxTypesSupported
+      ]).map((method) => convertDidMethod(method, opts.didPrefix));
+    }
+    const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
+    let codecName = void 0;
+    if (isEBSI && (!aud || !aud.startsWith("http"))) {
+      logger3.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
+      const didKeyMethod = convertDidMethod("did:key", opts.didPrefix);
+      if (!agentMethods?.includes(didKeyMethod)) {
+        throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`);
       }
+      rpMethods = [
+        didKeyMethod
+      ];
+      keyType = "Secp256r1";
+      codecName = "jwk_jcs-pub";
     }
+    return {
+      dids: rpMethods,
+      codecName,
+      keyType
+    };
   }
-  const dcqlPresentation = import_dcql.DcqlPresentation.parse(presentation);
-  const response = session.sendAuthorizationResponse({
-    responseSignerOpts: identifier,
-    dcqlResponse: {
-      dcqlPresentation
-    }
-  });
-  logger3.debug(`Response: `, response);
-  return response;
-}, "siopSendAuthorizationResponse");
-var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
-  return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
-}, "retrieveEncodedCredential");
-var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
-  const agentContext = {
-    ...context,
-    agent: context.agent
-  };
-  const { agent } = agentContext;
-  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
-    filter: (0, import_ssi_sdk3.verifiableCredentialForRoleFilter)(import_ssi_sdk4.CredentialRole.HOLDER)
-  });
-  const branding = await agent.ibGetCredentialBranding();
-  const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
-    convertToDcqlCredentials(vc),
-    vc
-  ]));
-  const queryResult = import_dcql.DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
-  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
-  const selectableCredentialsMap = /* @__PURE__ */ new Map();
-  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-    if (!value.valid_credentials) {
-      continue;
+  async getSupportedIdentifiers(opts) {
+    const methods = await this.getSupportedDIDMethods(true);
+    logger3.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
+    if (methods.length === 0) {
+      throw Error(`No DID methods are supported`);
     }
-    const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
-      const matchedCredential = uniqueCredentials[cred.input_credential_index];
-      const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
-      const issuerPartyIdentity = await agent.cmGetContacts({
-        filter: [
-          {
-            identities: {
-              identifier: {
-                correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
-              }
-            }
+    const identifiers = await this.context.agent.didManagerFind().then((ids) => ids.filter((id) => methods.includes(id.provider)));
+    if (identifiers.length === 0) {
+      logger3.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
+      if (opts?.createInCaseNoDIDFound !== false) {
+        const { codecName, keyType } = await this.getRPDIDMethodsSupported({
+          didPrefix: true,
+          agentMethods: methods
+        });
+        const identifier = await this.context.agent.didManagerCreate({
+          provider: methods[0],
+          options: {
+            codecName,
+            keyType,
+            type: keyType
           }
-        ]
+        });
+        logger3.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
+        identifiers.push(identifier);
+      }
+    }
+    logger3.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
+    return identifiers;
+  }
+  async getSupportedDIDs() {
+    return (await this.getSupportedIdentifiers()).map((id) => id.did);
+  }
+  async getRedirectUri() {
+    return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
+  }
+  async getOID4VP(args) {
+    return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
+  }
+  async createJarmResponseCallback({ responseOpts }) {
+    const agent = this.context.agent;
+    return /* @__PURE__ */ __name(async function jarmResponse(opts) {
+      const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
+      const jwk = await import_did_auth_siop4.OP.extractEncJwksFromClientMetadata(clientMetadata);
+      const recipientKey = await agent.identifierExternalResolveByJwk({
+        identifier: jwk
       });
-      const subjectPartyIdentity = await agent.cmGetContacts({
-        filter: [
-          {
-            identities: {
-              identifier: {
-                correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
-              }
-            }
-          }
-        ]
+      return await agent.jwtEncryptJweCompactJwt({
+        recipientKey,
+        protectedHeader: {},
+        alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
+        enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
+        apv: (0, import_ssi_sdk5.encodeBase64url)(opts.requestObjectPayload.nonce),
+        apu: (0, import_ssi_sdk5.encodeBase64url)((0, import_uuid.v4)()),
+        payload: authResponse,
+        issuer: responseOpts.issuer,
+        audience: responseOpts.audience
+      }).then((result) => {
+        return {
+          response: result.jwt
+        };
       });
-      return {
-        credential: matchedCredential,
-        credentialBranding: credentialBranding[0]?.localeBranding,
-        issuerParty: issuerPartyIdentity?.[0],
-        subjectParty: subjectPartyIdentity?.[0]
-      };
+    }, "jarmResponse");
+  }
+  async sendAuthorizationResponse(args) {
+    const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
+    const resolveOpts = this.options.resolveOpts ?? {
+      resolver: (0, import_ssi_sdk_ext4.getAgentResolver)(this.context, {
+        uniresolverResolution: true,
+        localResolution: true,
+        resolverResolution: true
+      })
+    };
+    if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
+      resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
+    }
+    const request = await this.getAuthorizationRequest();
+    const op = await createOP({
+      opOptions: {
+        ...this.options,
+        resolveOpts: {
+          ...this.options.resolveOpts
+        },
+        eventEmitter: this.options.eventEmitter,
+        presentationSignCallback: this.options.presentationSignCallback,
+        wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
+        supportedVersions: request.versions
+      },
+      idOpts: responseSignerOpts,
+      context: this.context
     });
-    const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
-    selectableCredentialsMap.set(key, selectableCredentials);
+    let issuer = responseSignerOpts.issuer;
+    const responseOpts = {
+      issuer,
+      ...isFirstParty && {
+        isFirstParty
+      },
+      dcqlResponse
+    };
+    const authResponse = await op.createAuthorizationResponse(request, responseOpts);
+    const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
+      responseOpts
+    }));
+    if (response.status >= 400) {
+      throw Error(`Error ${response.status}: ${response.statusText || await response.text()}`);
+    } else {
+      return response;
+    }
   }
-  return selectableCredentialsMap;
-}, "getSelectableCredentials");
-var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId, context) => {
-  const { agent } = context;
-  const contacts = await agent.cmGetContacts({
-    filter: [
-      {
-        identities: {
-          identifier: {
-            correlationId
-          }
-        }
-      }
-    ]
-  });
-  if (contacts.length === 0) {
-    return void 0;
+};
+function convertDidMethod(didMethod, didPrefix) {
+  if (didPrefix === false) {
+    return didMethod.startsWith("did:") ? didMethod.toLowerCase().replace("did:", "") : didMethod.toLowerCase();
   }
-  return contacts[0].contact.displayName;
-}, "translateCorrelationIdToName");
+  return didMethod.startsWith("did:") ? didMethod.toLowerCase() : `did:${didMethod.toLowerCase().replace("did:", "")}`;
+}
+__name(convertDidMethod, "convertDidMethod");
 // src/agent/DidAuthSiopOpAuthenticator.ts
 var logger4 = import_ssi_types7.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);