npm - @sphereon/ssi-sdk.siopv2-oid4vp-op-auth - Versions diffs - 0.34.1-feature.SSISDK.26.74 → 0.34.1-feature.SSISDK.26.75 - Mend

@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.26.74 → 0.34.1-feature.SSISDK.26.75

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.cjs +833 -831
package/dist/index.cjs.map +1 -1
package/dist/index.js +1006 -1004
package/dist/index.js.map +1 -1
package/package.json +19 -19
package/src/agent/DidAuthSiopOpAuthenticator.ts +14 -24

package/dist/index.js CHANGED Viewed

@@ -371,650 +371,221 @@ import { ConnectionType as ConnectionType2, CorrelationIdentifierType, Credentia
 import { Loggers as Loggers4 } from "@sphereon/ssi-types";
 import { v4 as uuidv4 } from "uuid";
-// src/session/functions.ts
-import { OP, PassBy, ResponseMode, SupportedVersion } from "@sphereon/did-auth-siop";
-import { SigningAlgo } from "@sphereon/oid4vc-common";
-import { isManagedIdentifierDidOpts, isManagedIdentifierX5cOpts } from "@sphereon/ssi-sdk-ext.identifier-resolution";
-import { createPEXPresentationSignCallback } from "@sphereon/ssi-sdk.presentation-exchange";
-import { EventEmitter } from "events";
-async function createOID4VPPresentationSignCallback({ presentationSignCallback, idOpts: idOpts1, domain, fetchRemoteContexts, challenge, format, context, skipDidResolution }) {
-  if (typeof presentationSignCallback === "function") {
-    return presentationSignCallback;
+// src/machine/Siopv2Machine.ts
+import { assign, createMachine, interpret } from "xstate";
+// src/localization/Localization.ts
+import i18n from "i18n-js";
+import memoize from "lodash.memoize";
+// src/types/IDidAuthSiopOpAuthenticator.ts
+var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
+var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
+// src/types/siop-service/index.ts
+var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
+  Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
+  Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
+  return Siopv2HolderEvent2;
+}({});
+var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
+  SupportedLanguage2["ENGLISH"] = "en";
+  SupportedLanguage2["DUTCH"] = "nl";
+  return SupportedLanguage2;
+}({});
+// src/types/machine/index.ts
+var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
+  Siopv2MachineStates2["createConfig"] = "createConfig";
+  Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
+  Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
+  Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
+  Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
+  Siopv2MachineStates2["addContact"] = "addContact";
+  Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
+  Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
+  Siopv2MachineStates2["sendResponse"] = "sendResponse";
+  Siopv2MachineStates2["handleError"] = "handleError";
+  Siopv2MachineStates2["aborted"] = "aborted";
+  Siopv2MachineStates2["declined"] = "declined";
+  Siopv2MachineStates2["error"] = "error";
+  Siopv2MachineStates2["done"] = "done";
+  return Siopv2MachineStates2;
+}({});
+var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
+  Siopv2MachineAddContactStates2["idle"] = "idle";
+  Siopv2MachineAddContactStates2["executing"] = "executing";
+  Siopv2MachineAddContactStates2["next"] = "next";
+  return Siopv2MachineAddContactStates2;
+}({});
+var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
+  Siopv2MachineEvents2["NEXT"] = "NEXT";
+  Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
+  Siopv2MachineEvents2["DECLINE"] = "DECLINE";
+  Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
+  Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
+  Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
+  Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
+  return Siopv2MachineEvents2;
+}({});
+var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
+  Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
+  Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
+  Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
+  Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
+  Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
+  Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
+  Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
+  Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
+  return Siopv2MachineGuards2;
+}({});
+var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
+  Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
+  Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
+  Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
+  Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
+  Siopv2MachineServices2["sendResponse"] = "sendResponse";
+  Siopv2MachineServices2["createConfig"] = "createConfig";
+  return Siopv2MachineServices2;
+}({});
+// src/types/identifier/index.ts
+var DID_PREFIX = "did";
+// src/localization/Localization.ts
+var Localization = class Localization2 {
+  static {
+    __name(this, "Localization");
   }
-  return createPEXPresentationSignCallback({
-    idOpts: idOpts1,
-    fetchRemoteContexts,
-    domain,
-    challenge,
-    format,
-    skipDidResolution
-  }, context);
-}
-__name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallback");
-async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
-  const eventEmitter = opOptions.eventEmitter ?? new EventEmitter();
-  const builder = OP.builder().withResponseMode(opOptions.responseMode ?? ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
-    SupportedVersion.SIOPv2_ID1,
-    SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
-    SupportedVersion.SIOPv2_D11,
-    SupportedVersion.SIOPv2_D12_OID4VP_D18
-  ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
-    passBy: PassBy.VALUE
-  });
-  const wellknownDIDVerifyCallback = opOptions.wellknownDIDVerifyCallback ? opOptions.wellknownDIDVerifyCallback : async (args) => {
-    const result = await context.agent.cvVerifyCredential({
-      credential: args.credential,
-      fetchRemoteContexts: true
-    });
-    return {
-      verified: result.result
-    };
+  static translationGetters = {
+    [SupportedLanguage.ENGLISH]: () => require_en(),
+    [SupportedLanguage.DUTCH]: () => require_nl()
   };
-  builder.withVerifyJwtCallback(opOptions.verifyJwtCallback ? opOptions.verifyJwtCallback : getVerifyJwtCallback({
-    verifyOpts: {
-      wellknownDIDVerifyCallback,
-      checkLinkedDomain: "if_present"
-    }
-  }, context));
-  if (idOpts1) {
-    if (opOptions.skipDidResolution && isManagedIdentifierDidOpts(idOpts1)) {
-      idOpts1.offlineWhenNoDIDRegistered = true;
-    }
-    const createJwtCallback = createJwtCallbackWithIdOpts(idOpts1, context);
-    builder.withCreateJwtCallback(createJwtCallback);
-    builder.withPresentationSignCallback(await createOID4VPPresentationSignCallback({
-      presentationSignCallback: opOptions.presentationSignCallback,
-      skipDidResolution: opOptions.skipDidResolution ?? false,
-      idOpts: idOpts1,
-      context
-    }));
-  } else {
-    const createJwtCallback = createJwtCallbackWithOpOpts(opOptions, context);
-    builder.withCreateJwtCallback(createJwtCallback);
-  }
-  return builder;
-}
-__name(createOPBuilder, "createOPBuilder");
-function createJwtCallbackWithIdOpts(idOpts1, context) {
-  return async (jwtIssuer, jwt) => {
-    let issuer;
-    if (isManagedIdentifierDidOpts(idOpts1)) {
-      issuer = {
-        ...idOpts1,
-        method: idOpts1.method,
-        noIdentifierInHeader: false
-      };
-    } else if (isManagedIdentifierX5cOpts(idOpts1)) {
-      issuer = {
-        ...idOpts1,
-        method: idOpts1.method,
-        noIdentifierInHeader: false
+  static translate = memoize((key, config) => {
+    if (Object.keys(i18n.translations).length === 0) {
+      i18n.translations = {
+        [SupportedLanguage.ENGLISH]: Localization2.translationGetters[SupportedLanguage.ENGLISH]()
       };
+      i18n.locale = SupportedLanguage.ENGLISH;
     } else {
-      return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
+      i18n.translations = {
+        [i18n.locale]: {
+          ...i18n.translations[i18n.locale],
+          ...Localization2.translationGetters[this.findSupportedLanguage(i18n.locale) || SupportedLanguage.ENGLISH]()
+        }
+      };
     }
-    const result = await context.agent.jwtCreateJwsCompactSignature({
-      issuer,
-      protectedHeader: jwt.header,
-      payload: jwt.payload
-    });
-    return result.jwt;
-  };
-}
-__name(createJwtCallbackWithIdOpts, "createJwtCallbackWithIdOpts");
-function createJwtCallbackWithOpOpts(opOpts, context) {
-  return async (jwtIssuer, jwt) => {
-    let identifier;
-    if (jwtIssuer.method == "did") {
-      identifier = jwtIssuer.didUrl;
-    } else if (jwtIssuer.method == "x5c") {
-      identifier = jwtIssuer.x5c;
-    } else {
-      return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
+    return i18n.t(key, config);
+  }, (key, config) => config ? key + JSON.stringify(config) : key);
+  static findSupportedLanguage = /* @__PURE__ */ __name((locale) => {
+    for (const language of Object.values(SupportedLanguage)) {
+      if (language === locale) {
+        return language;
+      }
     }
-    const result = await context.agent.jwtCreateJwsCompactSignature({
-      // FIXME fix cose-key inference
-      // @ts-ignore
-      issuer: {
-        identifier,
-        kmsKeyRef: idOpts.kmsKeyRef,
-        noIdentifierInHeader: false
-      },
-      // FIXME fix JWK key_ops
-      // @ts-ignore
-      protectedHeader: jwt.header,
-      payload: jwt.payload
-    });
-    return result.jwt;
-  };
-}
-__name(createJwtCallbackWithOpOpts, "createJwtCallbackWithOpOpts");
-function getVerifyJwtCallback(_opts, context) {
-  return async (_jwtVerifier, jwt) => {
-    const result = await context.agent.jwtVerifyJwsSignature({
-      jws: jwt.raw
-    });
-    console.log(result.message);
-    return !result.error;
-  };
-}
-__name(getVerifyJwtCallback, "getVerifyJwtCallback");
-async function createOP({ opOptions, idOpts: idOpts1, context }) {
-  return (await createOPBuilder({
-    opOptions,
-    idOpts: idOpts1,
-    context
-  })).build();
-}
-__name(createOP, "createOP");
-function getSigningAlgo(type) {
-  switch (type) {
-    case "Ed25519":
-      return SigningAlgo.EDDSA;
-    case "Secp256k1":
-      return SigningAlgo.ES256K;
-    case "Secp256r1":
-      return SigningAlgo.ES256;
-    // @ts-ignore
-    case "RSA":
-      return SigningAlgo.RS256;
-    default:
-      throw Error("Key type not yet supported");
-  }
-}
-__name(getSigningAlgo, "getSigningAlgo");
+    return void 0;
+  }, "findSupportedLanguage");
+  static getLocale = /* @__PURE__ */ __name(() => {
+    return i18n.locale || SupportedLanguage.ENGLISH;
+  }, "getLocale");
+};
+var translate = Localization.translate;
-// src/session/OID4VP.ts
-var OID4VP = class _OID4VP {
-  static {
-    __name(this, "OID4VP");
-  }
-  //private readonly session: OpSession
-  // private readonly allIdentifiers: string[]
-  // private readonly hasher?: HasherSync
-  constructor(args) {
-  }
-  static async init(session, allIdentifiers, hasher) {
-    return new _OID4VP({
-      session,
-      allIdentifiers: allIdentifiers ?? await session.getSupportedDIDs(),
-      hasher
-    });
-  }
-};
-// src/session/OpSession.ts
-import { OP as OP2, URI } from "@sphereon/did-auth-siop";
-import { getAgentDIDMethods, getAgentResolver } from "@sphereon/ssi-sdk-ext.did-utils";
-import { encodeBase64url } from "@sphereon/ssi-sdk.core";
-import { parseDid } from "@sphereon/ssi-types";
-import { v4 } from "uuid";
+// src/machine/Siopv2Machine.ts
 import { Loggers } from "@sphereon/ssi-types";
-var logger = Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
-var OpSession = class _OpSession {
-  static {
-    __name(this, "OpSession");
-  }
-  ts = (/* @__PURE__ */ new Date()).getDate();
-  id;
-  options;
-  context;
-  requestJwtOrUri;
-  verifiedAuthorizationRequest;
-  _nonce;
-  _state;
-  constructor(options) {
-    this.id = options.sessionId;
-    this.options = options.op;
-    this.context = options.context;
-    this.requestJwtOrUri = options.requestJwtOrUri;
-  }
-  static async init(options) {
-    return new _OpSession(options);
-  }
-  async getAuthorizationRequest() {
-    if (!this.verifiedAuthorizationRequest) {
-      const op = await createOP({
-        opOptions: this.options,
-        context: this.context
-      });
-      this.verifiedAuthorizationRequest = await op.verifyAuthorizationRequest(this.requestJwtOrUri);
-      this._nonce = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("nonce");
-      this._state = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("state");
-      await this.getSupportedDIDMethods();
-    }
-    return this.verifiedAuthorizationRequest;
-  }
-  async getAuthorizationRequestURI() {
-    return await URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
-  }
-  get nonce() {
-    if (!this._nonce) {
-      throw Error("No nonce available. Please get authorization request first");
-    }
-    return this._nonce;
+var logger = Loggers.DEFAULT.get(LOGGER_NAMESPACE);
+var Siopv2HasNoContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { contact } = _ctx;
+  return contact === void 0;
+}, "Siopv2HasNoContactGuard");
+var Siopv2HasContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { contact } = _ctx;
+  return contact !== void 0;
+}, "Siopv2HasContactGuard");
+var Siopv2HasAuthorizationRequestGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { authorizationRequestData } = _ctx;
+  return authorizationRequestData !== void 0;
+}, "Siopv2HasAuthorizationRequestGuard");
+var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { authorizationRequestData, contact } = _ctx;
+  if (!authorizationRequestData) {
+    throw new Error("Missing authorization request data in context");
   }
-  get state() {
-    if (!this._state) {
-      throw Error("No state available. Please get authorization request first");
-    }
-    return this._state;
+  if (!contact) {
+    throw new Error("Missing contact request data in context");
   }
-  clear() {
-    this._nonce = void 0;
-    this._state = void 0;
-    this.verifiedAuthorizationRequest = void 0;
-    return this;
+  return authorizationRequestData.dcqlQuery !== void 0;
+}, "Siopv2HasSelectableCredentialsAndContactGuard");
+var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { contactAlias, hasContactConsent } = _ctx;
+  return hasContactConsent && contactAlias !== void 0 && contactAlias.length > 0;
+}, "Siopv2CreateContactGuard");
+var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { authorizationRequestData } = _ctx;
+  if (authorizationRequestData === void 0) {
+    throw new Error("Missing authorization request data in context");
   }
-  async getSupportedDIDMethods(didPrefix) {
-    const agentMethods = this.getAgentDIDMethodsSupported({
-      didPrefix
-    });
-    let rpMethods = await this.getRPDIDMethodsSupported({
-      didPrefix,
-      agentMethods
-    });
-    logger.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
-    if (rpMethods.dids.length === 0) {
-      logger.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
-      return [];
-    }
-    let intersection;
-    if (rpMethods.dids.includes("did")) {
-      intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await getAgentDIDMethods(this.context)).map((method) => convertDidMethod(method, didPrefix));
-    } else if (!agentMethods || agentMethods.length === 0) {
-      intersection = rpMethods.dids?.map((method) => convertDidMethod(method, didPrefix));
-    } else {
-      intersection = agentMethods.filter((value) => rpMethods.dids.includes(value));
-    }
-    if (intersection.length === 0) {
-      throw Error("No matching DID methods between agent and relying party");
-    }
-    return intersection.map((value) => convertDidMethod(value, didPrefix));
+  if (authorizationRequestData.dcqlQuery === void 0) {
+    throw Error("No presentation definitions present");
   }
-  getAgentDIDMethodsSupported(opts) {
-    const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix));
-    logger.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
-    return agentMethods;
+  return _ctx.selectedCredentials.length > 0;
+}, "Siopv2HasSelectedRequiredCredentialsGuard");
+var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { authorizationRequestData } = _ctx;
+  if (authorizationRequestData === void 0) {
+    throw new Error("Missing authorization request data in context");
   }
-  async getSubjectSyntaxTypesSupported() {
-    const authReq = await this.getAuthorizationRequest();
-    const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported;
-    return subjectSyntaxTypesSupported ?? [];
+  return authorizationRequestData.dcqlQuery === void 0;
+}, "Siopv2IsSiopOnlyGuard");
+var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
+  if (!authorizationRequestData) {
+    throw new Error("Missing authorization request data in context");
   }
-  async getRPDIDMethodsSupported(opts) {
-    let keyType;
-    const agentMethods = (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? [];
-    logger.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
-    const authReq = await this.getAuthorizationRequest();
-    const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) => convertDidMethod(method, opts.didPrefix)).filter((val) => !val.startsWith("did"));
-    logger.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
-    const aud = await authReq.authorizationRequest.getMergedProperty("aud");
-    let rpMethods = [];
-    if (aud && aud.startsWith("did:")) {
-      const didMethod = convertDidMethod(parseDid(aud).method, opts.didPrefix);
-      logger.debug(`aud did method: ${didMethod}`);
-      if (subjectSyntaxTypesSupported && subjectSyntaxTypesSupported.length > 0 && !subjectSyntaxTypesSupported.includes("did") && !subjectSyntaxTypesSupported.includes(didMethod)) {
-        throw Error(`The aud DID method ${didMethod} is not in the supported types ${subjectSyntaxTypesSupported}`);
-      }
-      rpMethods = [
-        didMethod
-      ];
-    } else if (subjectSyntaxTypesSupported) {
-      rpMethods = (Array.isArray(subjectSyntaxTypesSupported) ? subjectSyntaxTypesSupported : [
-        subjectSyntaxTypesSupported
-      ]).map((method) => convertDidMethod(method, opts.didPrefix));
-    }
-    const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
-    let codecName = void 0;
-    if (isEBSI && (!aud || !aud.startsWith("http"))) {
-      logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
-      const didKeyMethod = convertDidMethod("did:key", opts.didPrefix);
-      if (!agentMethods?.includes(didKeyMethod)) {
-        throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`);
-      }
-      rpMethods = [
-        didKeyMethod
-      ];
-      keyType = "Secp256r1";
-      codecName = "jwk_jcs-pub";
-    }
-    return {
-      dids: rpMethods,
-      codecName,
-      keyType
-    };
+  if (!selectableCredentialsMap) {
+    throw new Error("Missing selectableCredentialsMap in context");
   }
-  async getSupportedIdentifiers(opts) {
-    const methods = await this.getSupportedDIDMethods(true);
-    logger.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
-    if (methods.length === 0) {
-      throw Error(`No DID methods are supported`);
-    }
-    const identifiers = await this.context.agent.didManagerFind().then((ids) => ids.filter((id) => methods.includes(id.provider)));
-    if (identifiers.length === 0) {
-      logger.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
-      if (opts?.createInCaseNoDIDFound !== false) {
-        const { codecName, keyType } = await this.getRPDIDMethodsSupported({
-          didPrefix: true,
-          agentMethods: methods
-        });
-        const identifier = await this.context.agent.didManagerCreate({
-          provider: methods[0],
-          options: {
-            codecName,
-            keyType,
-            type: keyType
-          }
-        });
-        logger.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
-        identifiers.push(identifier);
-      }
-    }
-    logger.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
-    return identifiers;
-  }
-  async getSupportedDIDs() {
-    return (await this.getSupportedIdentifiers()).map((id) => id.did);
-  }
-  async getRedirectUri() {
-    return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
-  }
-  async getOID4VP(args) {
-    return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
-  }
-  async createJarmResponseCallback({ responseOpts }) {
-    const agent = this.context.agent;
-    return /* @__PURE__ */ __name(async function jarmResponse(opts) {
-      const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
-      const jwk = await OP2.extractEncJwksFromClientMetadata(clientMetadata);
-      const recipientKey = await agent.identifierExternalResolveByJwk({
-        identifier: jwk
-      });
-      return await agent.jwtEncryptJweCompactJwt({
-        recipientKey,
-        protectedHeader: {},
-        alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
-        enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
-        apv: encodeBase64url(opts.requestObjectPayload.nonce),
-        apu: encodeBase64url(v4()),
-        payload: authResponse,
-        issuer: responseOpts.issuer,
-        audience: responseOpts.audience
-      }).then((result) => {
-        return {
-          response: result.jwt
-        };
-      });
-    }, "jarmResponse");
-  }
-  async sendAuthorizationResponse(args) {
-    const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
-    const resolveOpts = this.options.resolveOpts ?? {
-      resolver: getAgentResolver(this.context, {
-        uniresolverResolution: true,
-        localResolution: true,
-        resolverResolution: true
-      })
-    };
-    if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
-      resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
-    }
-    const request = await this.getAuthorizationRequest();
-    const op = await createOP({
-      opOptions: {
-        ...this.options,
-        resolveOpts: {
-          ...this.options.resolveOpts
-        },
-        eventEmitter: this.options.eventEmitter,
-        presentationSignCallback: this.options.presentationSignCallback,
-        wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
-        supportedVersions: request.versions
-      },
-      idOpts: responseSignerOpts,
-      context: this.context
-    });
-    let issuer = responseSignerOpts.issuer;
-    const responseOpts = {
-      issuer,
-      ...isFirstParty && {
-        isFirstParty
-      },
-      dcqlResponse
-    };
-    const authResponse = await op.createAuthorizationResponse(request, responseOpts);
-    const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
-      responseOpts
-    }));
-    if (response.status >= 400) {
-      throw Error(`Error ${response.status}: ${response.statusText || await response.text()}`);
-    } else {
-      return response;
-    }
-  }
-};
-function convertDidMethod(didMethod, didPrefix) {
-  if (didPrefix === false) {
-    return didMethod.startsWith("did:") ? didMethod.toLowerCase().replace("did:", "") : didMethod.toLowerCase();
-  }
-  return didMethod.startsWith("did:") ? didMethod.toLowerCase() : `did:${didMethod.toLowerCase().replace("did:", "")}`;
-}
-__name(convertDidMethod, "convertDidMethod");
-// src/types/IDidAuthSiopOpAuthenticator.ts
-var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
-var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
-// src/types/siop-service/index.ts
-var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
-  Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
-  Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
-  return Siopv2HolderEvent2;
-}({});
-var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
-  SupportedLanguage2["ENGLISH"] = "en";
-  SupportedLanguage2["DUTCH"] = "nl";
-  return SupportedLanguage2;
-}({});
-// src/types/machine/index.ts
-var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
-  Siopv2MachineStates2["createConfig"] = "createConfig";
-  Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
-  Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
-  Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
-  Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
-  Siopv2MachineStates2["addContact"] = "addContact";
-  Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
-  Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
-  Siopv2MachineStates2["sendResponse"] = "sendResponse";
-  Siopv2MachineStates2["handleError"] = "handleError";
-  Siopv2MachineStates2["aborted"] = "aborted";
-  Siopv2MachineStates2["declined"] = "declined";
-  Siopv2MachineStates2["error"] = "error";
-  Siopv2MachineStates2["done"] = "done";
-  return Siopv2MachineStates2;
-}({});
-var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
-  Siopv2MachineAddContactStates2["idle"] = "idle";
-  Siopv2MachineAddContactStates2["executing"] = "executing";
-  Siopv2MachineAddContactStates2["next"] = "next";
-  return Siopv2MachineAddContactStates2;
-}({});
-var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
-  Siopv2MachineEvents2["NEXT"] = "NEXT";
-  Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
-  Siopv2MachineEvents2["DECLINE"] = "DECLINE";
-  Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
-  Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
-  Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
-  Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
-  return Siopv2MachineEvents2;
-}({});
-var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
-  Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
-  Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
-  Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
-  Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
-  Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
-  Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
-  Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
-  Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
-  return Siopv2MachineGuards2;
-}({});
-var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
-  Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
-  Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
-  Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
-  Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
-  Siopv2MachineServices2["sendResponse"] = "sendResponse";
-  Siopv2MachineServices2["createConfig"] = "createConfig";
-  return Siopv2MachineServices2;
-}({});
-// src/types/identifier/index.ts
-var DID_PREFIX = "did";
-// src/machine/Siopv2Machine.ts
-import { assign, createMachine, interpret } from "xstate";
-// src/localization/Localization.ts
-import i18n from "i18n-js";
-import memoize from "lodash.memoize";
-var Localization = class Localization2 {
-  static {
-    __name(this, "Localization");
-  }
-  static translationGetters = {
-    [SupportedLanguage.ENGLISH]: () => require_en(),
-    [SupportedLanguage.DUTCH]: () => require_nl()
-  };
-  static translate = memoize((key, config) => {
-    if (Object.keys(i18n.translations).length === 0) {
-      i18n.translations = {
-        [SupportedLanguage.ENGLISH]: Localization2.translationGetters[SupportedLanguage.ENGLISH]()
-      };
-      i18n.locale = SupportedLanguage.ENGLISH;
-    } else {
-      i18n.translations = {
-        [i18n.locale]: {
-          ...i18n.translations[i18n.locale],
-          ...Localization2.translationGetters[this.findSupportedLanguage(i18n.locale) || SupportedLanguage.ENGLISH]()
-        }
-      };
-    }
-    return i18n.t(key, config);
-  }, (key, config) => config ? key + JSON.stringify(config) : key);
-  static findSupportedLanguage = /* @__PURE__ */ __name((locale) => {
-    for (const language of Object.values(SupportedLanguage)) {
-      if (language === locale) {
-        return language;
-      }
-    }
-    return void 0;
-  }, "findSupportedLanguage");
-  static getLocale = /* @__PURE__ */ __name(() => {
-    return i18n.locale || SupportedLanguage.ENGLISH;
-  }, "getLocale");
-};
-var translate = Localization.translate;
-// src/machine/Siopv2Machine.ts
-import { Loggers as Loggers2 } from "@sphereon/ssi-types";
-var logger2 = Loggers2.DEFAULT.get(LOGGER_NAMESPACE);
-var Siopv2HasNoContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
-  const { contact } = _ctx;
-  return contact === void 0;
-}, "Siopv2HasNoContactGuard");
-var Siopv2HasContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
-  const { contact } = _ctx;
-  return contact !== void 0;
-}, "Siopv2HasContactGuard");
-var Siopv2HasAuthorizationRequestGuard = /* @__PURE__ */ __name((_ctx, _event) => {
-  const { authorizationRequestData } = _ctx;
-  return authorizationRequestData !== void 0;
-}, "Siopv2HasAuthorizationRequestGuard");
-var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
-  const { authorizationRequestData, contact } = _ctx;
-  if (!authorizationRequestData) {
-    throw new Error("Missing authorization request data in context");
-  }
-  if (!contact) {
-    throw new Error("Missing contact request data in context");
-  }
-  return authorizationRequestData.dcqlQuery !== void 0;
-}, "Siopv2HasSelectableCredentialsAndContactGuard");
-var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
-  const { contactAlias, hasContactConsent } = _ctx;
-  return hasContactConsent && contactAlias !== void 0 && contactAlias.length > 0;
-}, "Siopv2CreateContactGuard");
-var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _event) => {
-  const { authorizationRequestData } = _ctx;
-  if (authorizationRequestData === void 0) {
-    throw new Error("Missing authorization request data in context");
-  }
-  if (authorizationRequestData.dcqlQuery === void 0) {
-    throw Error("No presentation definitions present");
-  }
-  return _ctx.selectedCredentials.length > 0;
-}, "Siopv2HasSelectedRequiredCredentialsGuard");
-var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
-  const { authorizationRequestData } = _ctx;
-  if (authorizationRequestData === void 0) {
-    throw new Error("Missing authorization request data in context");
-  }
-  return authorizationRequestData.dcqlQuery === void 0;
-}, "Siopv2IsSiopOnlyGuard");
-var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
-  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
-  if (!authorizationRequestData) {
-    throw new Error("Missing authorization request data in context");
-  }
-  if (!selectableCredentialsMap) {
-    throw new Error("Missing selectableCredentialsMap in context");
-  }
-  return authorizationRequestData.dcqlQuery !== void 0;
-}, "Siopv2IsSiopWithOID4VPGuard");
-var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
-  const { url, idOpts: idOpts2 } = opts;
-  const initialContext = {
-    url: new URL(url).toString(),
-    hasContactConsent: true,
-    contactAlias: "",
-    selectedCredentials: [],
-    idOpts: idOpts2
-  };
-  return createMachine({
-    id: opts?.machineId ?? "Siopv2",
-    predictableActionArguments: true,
-    initial: Siopv2MachineStates.createConfig,
-    schema: {
-      events: {},
-      guards: {},
-      services: {}
-    },
-    context: initialContext,
-    states: {
-      [Siopv2MachineStates.createConfig]: {
-        id: Siopv2MachineStates.createConfig,
-        invoke: {
-          src: Siopv2MachineServices.createConfig,
-          onDone: {
-            target: Siopv2MachineStates.getSiopRequest,
-            actions: assign({
-              didAuthConfig: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "didAuthConfig")
-            })
-          },
-          onError: {
-            target: Siopv2MachineStates.handleError,
-            actions: assign({
-              error: /* @__PURE__ */ __name((_ctx, _event) => ({
-                title: translate("siopv2_machine_create_config_error_title"),
-                message: _event.data.message,
-                stack: _event.data.stack
-              }), "error")
-            })
+  return authorizationRequestData.dcqlQuery !== void 0;
+}, "Siopv2IsSiopWithOID4VPGuard");
+var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
+  const { url, idOpts: idOpts2 } = opts;
+  const initialContext = {
+    url: new URL(url).toString(),
+    hasContactConsent: true,
+    contactAlias: "",
+    selectedCredentials: [],
+    idOpts: idOpts2
+  };
+  return createMachine({
+    id: opts?.machineId ?? "Siopv2",
+    predictableActionArguments: true,
+    initial: Siopv2MachineStates.createConfig,
+    schema: {
+      events: {},
+      guards: {},
+      services: {}
+    },
+    context: initialContext,
+    states: {
+      [Siopv2MachineStates.createConfig]: {
+        id: Siopv2MachineStates.createConfig,
+        invoke: {
+          src: Siopv2MachineServices.createConfig,
+          onDone: {
+            target: Siopv2MachineStates.getSiopRequest,
+            actions: assign({
+              didAuthConfig: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "didAuthConfig")
+            })
+          },
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: assign({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_create_config_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
           }
         }
       },
@@ -1096,420 +667,851 @@ var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
             actions: assign({
               contactAlias: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contactAlias")
             })
-          },
-          [Siopv2MachineEvents.CREATE_CONTACT]: {
-            target: `.${Siopv2MachineAddContactStates.next}`,
-            actions: assign({
-              contact: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contact")
-            }),
-            cond: Siopv2MachineGuards.createContactGuard
-          },
-          [Siopv2MachineEvents.DECLINE]: {
-            target: Siopv2MachineStates.declined
+          },
+          [Siopv2MachineEvents.CREATE_CONTACT]: {
+            target: `.${Siopv2MachineAddContactStates.next}`,
+            actions: assign({
+              contact: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contact")
+            }),
+            cond: Siopv2MachineGuards.createContactGuard
+          },
+          [Siopv2MachineEvents.DECLINE]: {
+            target: Siopv2MachineStates.declined
+          },
+          [Siopv2MachineEvents.PREVIOUS]: {
+            target: Siopv2MachineStates.aborted
+          }
+        },
+        states: {
+          [Siopv2MachineAddContactStates.idle]: {},
+          [Siopv2MachineAddContactStates.next]: {
+            always: {
+              target: `#${Siopv2MachineStates.transitionFromSetup}`,
+              cond: Siopv2MachineGuards.hasContactGuard
+            }
+          }
+        }
+      },
+      [Siopv2MachineStates.addContactIdentity]: {
+        id: Siopv2MachineStates.addContactIdentity,
+        invoke: {
+          src: Siopv2MachineServices.addContactIdentity,
+          onDone: [
+            {
+              target: Siopv2MachineStates.getSelectableCredentials,
+              actions: /* @__PURE__ */ __name((_ctx, _event) => {
+                _ctx.contact?.identities.push(_event.data);
+              }, "actions"),
+              cond: Siopv2MachineGuards.hasSelectableCredentialsAndContactGuard
+            },
+            {
+              target: Siopv2MachineStates.sendResponse,
+              actions: /* @__PURE__ */ __name((_ctx, _event) => {
+                _ctx.contact?.identities.push(_event.data);
+              }, "actions"),
+              cond: Siopv2MachineGuards.siopOnlyGuard
+            }
+          ],
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: assign({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_add_contact_identity_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.getSelectableCredentials]: {
+        id: Siopv2MachineStates.getSelectableCredentials,
+        invoke: {
+          src: Siopv2MachineServices.getSelectableCredentials,
+          onDone: {
+            target: Siopv2MachineStates.selectCredentials,
+            actions: assign({
+              selectableCredentialsMap: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectableCredentialsMap")
+            })
+          },
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: assign({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_get_selectable_credentials_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.selectCredentials]: {
+        id: Siopv2MachineStates.selectCredentials,
+        on: {
+          [Siopv2MachineEvents.SET_SELECTED_CREDENTIALS]: {
+            actions: assign({
+              selectedCredentials: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectedCredentials")
+            })
+          },
+          [Siopv2MachineEvents.NEXT]: {
+            target: Siopv2MachineStates.sendResponse,
+            cond: Siopv2MachineGuards.hasSelectedRequiredCredentialsGuard
+          },
+          [Siopv2MachineEvents.DECLINE]: {
+            target: Siopv2MachineStates.declined
+          },
+          [Siopv2MachineEvents.PREVIOUS]: {
+            target: Siopv2MachineStates.aborted
+          }
+        }
+      },
+      [Siopv2MachineStates.sendResponse]: {
+        id: Siopv2MachineStates.sendResponse,
+        invoke: {
+          src: Siopv2MachineServices.sendResponse,
+          onDone: {
+            target: Siopv2MachineStates.done,
+            actions: assign({
+              authorizationResponseData: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "authorizationResponseData")
+            })
+          },
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: assign({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_send_response_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.handleError]: {
+        id: Siopv2MachineStates.handleError,
+        on: {
+          [Siopv2MachineEvents.NEXT]: {
+            target: Siopv2MachineStates.error
           },
           [Siopv2MachineEvents.PREVIOUS]: {
-            target: Siopv2MachineStates.aborted
-          }
-        },
-        states: {
-          [Siopv2MachineAddContactStates.idle]: {},
-          [Siopv2MachineAddContactStates.next]: {
-            always: {
-              target: `#${Siopv2MachineStates.transitionFromSetup}`,
-              cond: Siopv2MachineGuards.hasContactGuard
-            }
+            target: Siopv2MachineStates.error
           }
         }
       },
-      [Siopv2MachineStates.addContactIdentity]: {
-        id: Siopv2MachineStates.addContactIdentity,
-        invoke: {
-          src: Siopv2MachineServices.addContactIdentity,
-          onDone: [
-            {
-              target: Siopv2MachineStates.getSelectableCredentials,
-              actions: /* @__PURE__ */ __name((_ctx, _event) => {
-                _ctx.contact?.identities.push(_event.data);
-              }, "actions"),
-              cond: Siopv2MachineGuards.hasSelectableCredentialsAndContactGuard
-            },
-            {
-              target: Siopv2MachineStates.sendResponse,
-              actions: /* @__PURE__ */ __name((_ctx, _event) => {
-                _ctx.contact?.identities.push(_event.data);
-              }, "actions"),
-              cond: Siopv2MachineGuards.siopOnlyGuard
+      [Siopv2MachineStates.aborted]: {
+        id: Siopv2MachineStates.aborted,
+        type: "final"
+      },
+      [Siopv2MachineStates.declined]: {
+        id: Siopv2MachineStates.declined,
+        type: "final"
+      },
+      [Siopv2MachineStates.error]: {
+        id: Siopv2MachineStates.error,
+        type: "final"
+      },
+      [Siopv2MachineStates.done]: {
+        id: Siopv2MachineStates.done,
+        type: "final"
+      }
+    }
+  });
+}, "createSiopv2Machine");
+var Siopv2Machine = class {
+  static {
+    __name(this, "Siopv2Machine");
+  }
+  static newInstance(opts) {
+    logger.info("New Siopv2Machine instance");
+    const interpreter = interpret(createSiopv2Machine(opts).withConfig({
+      services: {
+        ...opts?.services
+      },
+      guards: {
+        Siopv2HasNoContactGuard,
+        Siopv2HasContactGuard,
+        Siopv2HasAuthorizationRequestGuard,
+        Siopv2HasSelectableCredentialsAndContactGuard,
+        Siopv2HasSelectedRequiredCredentialsGuard,
+        Siopv2IsSiopOnlyGuard,
+        Siopv2IsSiopWithOID4VPGuard,
+        Siopv2CreateContactGuard,
+        ...opts?.guards
+      }
+    }));
+    if (typeof opts?.subscription === "function") {
+      interpreter.onTransition(opts.subscription);
+    }
+    if (opts?.requireCustomNavigationHook !== true) {
+      interpreter.onTransition((snapshot) => {
+        if (opts.stateNavigationListener !== void 0) {
+          void opts.stateNavigationListener(interpreter, snapshot);
+        }
+      });
+    }
+    interpreter.onTransition((snapshot) => {
+      logger.info("onTransition to new state", snapshot.value);
+    });
+    return {
+      interpreter
+    };
+  }
+};
+// src/services/Siopv2MachineService.ts
+import { SupportedVersion } from "@sphereon/did-auth-siop";
+import { isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
+import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
+import { ConnectionType, CredentialRole } from "@sphereon/ssi-sdk.data-store";
+import { CredentialMapper as CredentialMapper3, Loggers as Loggers2 } from "@sphereon/ssi-types";
+import { encodeJoseBlob } from "@sphereon/ssi-sdk.core";
+import { DcqlPresentation, DcqlQuery } from "dcql";
+// src/utils/dcql.ts
+import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
+import { Dcql } from "@sphereon/did-auth-siop";
+// src/utils/CredentialUtils.ts
+import { CredentialMapper } from "@sphereon/ssi-types";
+var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
+  return credential.digitalCredential !== void 0;
+}, "isUniqueDigitalCredential");
+// src/utils/dcql.ts
+function convertToDcqlCredentials(credential, hasher) {
+  let originalVerifiableCredential;
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
+    }
+    originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
+  } else {
+    originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential, hasher);
+  }
+  if (!originalVerifiableCredential) {
+    throw new Error("No payload found");
+  }
+  if (CredentialMapper2.isJwtDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (CredentialMapper2.isSdJwtDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlSdJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (CredentialMapper2.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlMdocCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (CredentialMapper2.isW3cCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlJsonLdCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
+  }
+  throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
+}
+__name(convertToDcqlCredentials, "convertToDcqlCredentials");
+// src/services/Siopv2MachineService.ts
+import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
+var logger2 = Loggers2.DEFAULT.get(LOGGER_NAMESPACE);
+var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
+  const { agent } = context;
+  const { credentials } = args;
+  if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
+    return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
+  }
+  const session = await agent.siopGetOPSession({
+    sessionId: args.sessionId
+  });
+  const request = await session.getAuthorizationRequest();
+  const aud = request.authorizationRequest.getMergedProperty("aud");
+  logger2.debug(`AUD: ${aud}`);
+  logger2.debug(JSON.stringify(request.authorizationRequest));
+  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
+  logger2.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
+  const firstUniqueDC = credentials[0];
+  if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
+    return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
+  }
+  let identifier;
+  const digitalCredential = firstUniqueDC.digitalCredential;
+  const firstVC = firstUniqueDC.uniformVerifiableCredential;
+  const holder = CredentialMapper3.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
+    //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+    `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+  ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
+  if (!digitalCredential.kmsKeyRef) {
+    if (!holder) {
+      return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
+    }
+    try {
+      identifier = await session.context.agent.identifierManagedGet({
+        identifier: holder
+      });
+    } catch (e) {
+      logger2.debug(`Holder DID not found: ${holder}`);
+      throw e;
+    }
+  } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+    identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+      identifier: firstUniqueDC.digitalCredential.kmsKeyRef
+    });
+  } else {
+    switch (digitalCredential.subjectCorrelationType) {
+      case "DID":
+        identifier = await session.context.agent.identifierManagedGetByDid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder,
+          kmsKeyRef: digitalCredential.kmsKeyRef
+        });
+        break;
+      // TODO other implementations?
+      default:
+        identifier = await session.context.agent.identifierManagedGetByKid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+          kmsKeyRef: digitalCredential.kmsKeyRef
+        });
+    }
+  }
+  const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
+    convertToDcqlCredentials(vc),
+    vc
+  ]));
+  const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
+  if (!queryResult.can_be_satisfied) {
+    return Promise.reject(Error("Credentials do not match required query request"));
+  }
+  const presentation = {};
+  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
+  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+    if (value.success) {
+      const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
+      const vc = matchedCredentials[0];
+      if (!vc) {
+        continue;
+      }
+      const originalVc = retrieveEncodedCredential(vc);
+      if (!originalVc) {
+        continue;
+      }
+      if (originalVc) {
+        presentation[key] = originalVc;
+      }
+    }
+  }
+  const dcqlPresentation = DcqlPresentation.parse(presentation);
+  const response = session.sendAuthorizationResponse({
+    responseSignerOpts: identifier,
+    dcqlResponse: {
+      dcqlPresentation
+    }
+  });
+  logger2.debug(`Response: `, response);
+  return response;
+}, "siopSendAuthorizationResponse");
+var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
+  return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
+}, "retrieveEncodedCredential");
+var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
+  const agentContext = {
+    ...context,
+    agent: context.agent
+  };
+  const { agent } = agentContext;
+  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
+    filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER)
+  });
+  const branding = await agent.ibGetCredentialBranding();
+  const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
+    convertToDcqlCredentials(vc),
+    vc
+  ]));
+  const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
+  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
+  const selectableCredentialsMap = /* @__PURE__ */ new Map();
+  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+    if (!value.valid_credentials) {
+      continue;
+    }
+    const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
+      const matchedCredential = uniqueCredentials[cred.input_credential_index];
+      const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
+      const issuerPartyIdentity = await agent.cmGetContacts({
+        filter: [
+          {
+            identities: {
+              identifier: {
+                correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
+              }
             }
-          ],
-          onError: {
-            target: Siopv2MachineStates.handleError,
-            actions: assign({
-              error: /* @__PURE__ */ __name((_ctx, _event) => ({
-                title: translate("siopv2_machine_add_contact_identity_error_title"),
-                message: _event.data.message,
-                stack: _event.data.stack
-              }), "error")
-            })
-          }
-        }
-      },
-      [Siopv2MachineStates.getSelectableCredentials]: {
-        id: Siopv2MachineStates.getSelectableCredentials,
-        invoke: {
-          src: Siopv2MachineServices.getSelectableCredentials,
-          onDone: {
-            target: Siopv2MachineStates.selectCredentials,
-            actions: assign({
-              selectableCredentialsMap: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectableCredentialsMap")
-            })
-          },
-          onError: {
-            target: Siopv2MachineStates.handleError,
-            actions: assign({
-              error: /* @__PURE__ */ __name((_ctx, _event) => ({
-                title: translate("siopv2_machine_get_selectable_credentials_error_title"),
-                message: _event.data.message,
-                stack: _event.data.stack
-              }), "error")
-            })
-          }
-        }
-      },
-      [Siopv2MachineStates.selectCredentials]: {
-        id: Siopv2MachineStates.selectCredentials,
-        on: {
-          [Siopv2MachineEvents.SET_SELECTED_CREDENTIALS]: {
-            actions: assign({
-              selectedCredentials: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectedCredentials")
-            })
-          },
-          [Siopv2MachineEvents.NEXT]: {
-            target: Siopv2MachineStates.sendResponse,
-            cond: Siopv2MachineGuards.hasSelectedRequiredCredentialsGuard
-          },
-          [Siopv2MachineEvents.DECLINE]: {
-            target: Siopv2MachineStates.declined
-          },
-          [Siopv2MachineEvents.PREVIOUS]: {
-            target: Siopv2MachineStates.aborted
           }
-        }
-      },
-      [Siopv2MachineStates.sendResponse]: {
-        id: Siopv2MachineStates.sendResponse,
-        invoke: {
-          src: Siopv2MachineServices.sendResponse,
-          onDone: {
-            target: Siopv2MachineStates.done,
-            actions: assign({
-              authorizationResponseData: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "authorizationResponseData")
-            })
-          },
-          onError: {
-            target: Siopv2MachineStates.handleError,
-            actions: assign({
-              error: /* @__PURE__ */ __name((_ctx, _event) => ({
-                title: translate("siopv2_machine_send_response_error_title"),
-                message: _event.data.message,
-                stack: _event.data.stack
-              }), "error")
-            })
+        ]
+      });
+      const subjectPartyIdentity = await agent.cmGetContacts({
+        filter: [
+          {
+            identities: {
+              identifier: {
+                correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
+              }
+            }
           }
-        }
-      },
-      [Siopv2MachineStates.handleError]: {
-        id: Siopv2MachineStates.handleError,
-        on: {
-          [Siopv2MachineEvents.NEXT]: {
-            target: Siopv2MachineStates.error
-          },
-          [Siopv2MachineEvents.PREVIOUS]: {
-            target: Siopv2MachineStates.error
+        ]
+      });
+      return {
+        credential: matchedCredential,
+        credentialBranding: credentialBranding[0]?.localeBranding,
+        issuerParty: issuerPartyIdentity?.[0],
+        subjectParty: subjectPartyIdentity?.[0]
+      };
+    });
+    const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
+    selectableCredentialsMap.set(key, selectableCredentials);
+  }
+  return selectableCredentialsMap;
+}, "getSelectableCredentials");
+var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId, context) => {
+  const { agent } = context;
+  const contacts = await agent.cmGetContacts({
+    filter: [
+      {
+        identities: {
+          identifier: {
+            correlationId
           }
         }
+      }
+    ]
+  });
+  if (contacts.length === 0) {
+    return void 0;
+  }
+  return contacts[0].contact.displayName;
+}, "translateCorrelationIdToName");
+// src/session/functions.ts
+import { OP, PassBy, ResponseMode, SupportedVersion as SupportedVersion2 } from "@sphereon/did-auth-siop";
+import { SigningAlgo } from "@sphereon/oid4vc-common";
+import { isManagedIdentifierDidOpts, isManagedIdentifierX5cOpts } from "@sphereon/ssi-sdk-ext.identifier-resolution";
+import { createPEXPresentationSignCallback } from "@sphereon/ssi-sdk.presentation-exchange";
+import { EventEmitter } from "events";
+async function createOID4VPPresentationSignCallback({ presentationSignCallback, idOpts: idOpts1, domain, fetchRemoteContexts, challenge, format, context, skipDidResolution }) {
+  if (typeof presentationSignCallback === "function") {
+    return presentationSignCallback;
+  }
+  return createPEXPresentationSignCallback({
+    idOpts: idOpts1,
+    fetchRemoteContexts,
+    domain,
+    challenge,
+    format,
+    skipDidResolution
+  }, context);
+}
+__name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallback");
+async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
+  const eventEmitter = opOptions.eventEmitter ?? new EventEmitter();
+  const builder = OP.builder().withResponseMode(opOptions.responseMode ?? ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
+    SupportedVersion2.SIOPv2_ID1,
+    SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1,
+    SupportedVersion2.SIOPv2_D11,
+    SupportedVersion2.SIOPv2_D12_OID4VP_D18
+  ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
+    passBy: PassBy.VALUE
+  });
+  const wellknownDIDVerifyCallback = opOptions.wellknownDIDVerifyCallback ? opOptions.wellknownDIDVerifyCallback : async (args) => {
+    const result = await context.agent.cvVerifyCredential({
+      credential: args.credential,
+      fetchRemoteContexts: true
+    });
+    return {
+      verified: result.result
+    };
+  };
+  builder.withVerifyJwtCallback(opOptions.verifyJwtCallback ? opOptions.verifyJwtCallback : getVerifyJwtCallback({
+    verifyOpts: {
+      wellknownDIDVerifyCallback,
+      checkLinkedDomain: "if_present"
+    }
+  }, context));
+  if (idOpts1) {
+    if (opOptions.skipDidResolution && isManagedIdentifierDidOpts(idOpts1)) {
+      idOpts1.offlineWhenNoDIDRegistered = true;
+    }
+    const createJwtCallback = createJwtCallbackWithIdOpts(idOpts1, context);
+    builder.withCreateJwtCallback(createJwtCallback);
+    builder.withPresentationSignCallback(await createOID4VPPresentationSignCallback({
+      presentationSignCallback: opOptions.presentationSignCallback,
+      skipDidResolution: opOptions.skipDidResolution ?? false,
+      idOpts: idOpts1,
+      context
+    }));
+  } else {
+    const createJwtCallback = createJwtCallbackWithOpOpts(opOptions, context);
+    builder.withCreateJwtCallback(createJwtCallback);
+  }
+  return builder;
+}
+__name(createOPBuilder, "createOPBuilder");
+function createJwtCallbackWithIdOpts(idOpts1, context) {
+  return async (jwtIssuer, jwt) => {
+    let issuer;
+    if (isManagedIdentifierDidOpts(idOpts1)) {
+      issuer = {
+        ...idOpts1,
+        method: idOpts1.method,
+        noIdentifierInHeader: false
+      };
+    } else if (isManagedIdentifierX5cOpts(idOpts1)) {
+      issuer = {
+        ...idOpts1,
+        method: idOpts1.method,
+        noIdentifierInHeader: false
+      };
+    } else {
+      return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
+    }
+    const result = await context.agent.jwtCreateJwsCompactSignature({
+      issuer,
+      protectedHeader: jwt.header,
+      payload: jwt.payload
+    });
+    return result.jwt;
+  };
+}
+__name(createJwtCallbackWithIdOpts, "createJwtCallbackWithIdOpts");
+function createJwtCallbackWithOpOpts(opOpts, context) {
+  return async (jwtIssuer, jwt) => {
+    let identifier;
+    if (jwtIssuer.method == "did") {
+      identifier = jwtIssuer.didUrl;
+    } else if (jwtIssuer.method == "x5c") {
+      identifier = jwtIssuer.x5c;
+    } else {
+      return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
+    }
+    const result = await context.agent.jwtCreateJwsCompactSignature({
+      // FIXME fix cose-key inference
+      // @ts-ignore
+      issuer: {
+        identifier,
+        kmsKeyRef: idOpts.kmsKeyRef,
+        noIdentifierInHeader: false
       },
-      [Siopv2MachineStates.aborted]: {
-        id: Siopv2MachineStates.aborted,
-        type: "final"
-      },
-      [Siopv2MachineStates.declined]: {
-        id: Siopv2MachineStates.declined,
-        type: "final"
-      },
-      [Siopv2MachineStates.error]: {
-        id: Siopv2MachineStates.error,
-        type: "final"
-      },
-      [Siopv2MachineStates.done]: {
-        id: Siopv2MachineStates.done,
-        type: "final"
-      }
-    }
-  });
-}, "createSiopv2Machine");
-var Siopv2Machine = class {
+      // FIXME fix JWK key_ops
+      // @ts-ignore
+      protectedHeader: jwt.header,
+      payload: jwt.payload
+    });
+    return result.jwt;
+  };
+}
+__name(createJwtCallbackWithOpOpts, "createJwtCallbackWithOpOpts");
+function getVerifyJwtCallback(_opts, context) {
+  return async (_jwtVerifier, jwt) => {
+    const result = await context.agent.jwtVerifyJwsSignature({
+      jws: jwt.raw
+    });
+    console.log(result.message);
+    return !result.error;
+  };
+}
+__name(getVerifyJwtCallback, "getVerifyJwtCallback");
+async function createOP({ opOptions, idOpts: idOpts1, context }) {
+  return (await createOPBuilder({
+    opOptions,
+    idOpts: idOpts1,
+    context
+  })).build();
+}
+__name(createOP, "createOP");
+function getSigningAlgo(type) {
+  switch (type) {
+    case "Ed25519":
+      return SigningAlgo.EDDSA;
+    case "Secp256k1":
+      return SigningAlgo.ES256K;
+    case "Secp256r1":
+      return SigningAlgo.ES256;
+    // @ts-ignore
+    case "RSA":
+      return SigningAlgo.RS256;
+    default:
+      throw Error("Key type not yet supported");
+  }
+}
+__name(getSigningAlgo, "getSigningAlgo");
+// src/session/OID4VP.ts
+var OID4VP = class _OID4VP {
   static {
-    __name(this, "Siopv2Machine");
+    __name(this, "OID4VP");
   }
-  static newInstance(opts) {
-    logger2.info("New Siopv2Machine instance");
-    const interpreter = interpret(createSiopv2Machine(opts).withConfig({
-      services: {
-        ...opts?.services
-      },
-      guards: {
-        Siopv2HasNoContactGuard,
-        Siopv2HasContactGuard,
-        Siopv2HasAuthorizationRequestGuard,
-        Siopv2HasSelectableCredentialsAndContactGuard,
-        Siopv2HasSelectedRequiredCredentialsGuard,
-        Siopv2IsSiopOnlyGuard,
-        Siopv2IsSiopWithOID4VPGuard,
-        Siopv2CreateContactGuard,
-        ...opts?.guards
-      }
-    }));
-    if (typeof opts?.subscription === "function") {
-      interpreter.onTransition(opts.subscription);
-    }
-    if (opts?.requireCustomNavigationHook !== true) {
-      interpreter.onTransition((snapshot) => {
-        if (opts.stateNavigationListener !== void 0) {
-          void opts.stateNavigationListener(interpreter, snapshot);
-        }
-      });
-    }
-    interpreter.onTransition((snapshot) => {
-      logger2.info("onTransition to new state", snapshot.value);
+  //private readonly session: OpSession
+  // private readonly allIdentifiers: string[]
+  // private readonly hasher?: HasherSync
+  constructor(args) {
+  }
+  static async init(session, allIdentifiers, hasher) {
+    return new _OID4VP({
+      session,
+      allIdentifiers: allIdentifiers ?? await session.getSupportedDIDs(),
+      hasher
     });
-    return {
-      interpreter
-    };
   }
 };
-// src/services/Siopv2MachineService.ts
-import { SupportedVersion as SupportedVersion2 } from "@sphereon/did-auth-siop";
-import { isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
-import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
-import { ConnectionType, CredentialRole } from "@sphereon/ssi-sdk.data-store";
-import { CredentialMapper as CredentialMapper3, Loggers as Loggers3 } from "@sphereon/ssi-types";
-import { encodeJoseBlob } from "@sphereon/ssi-sdk.core";
-import { DcqlPresentation, DcqlQuery } from "dcql";
-// src/utils/dcql.ts
-import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
-import { Dcql } from "@sphereon/did-auth-siop";
-// src/utils/CredentialUtils.ts
-import { CredentialMapper } from "@sphereon/ssi-types";
-var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
-  return credential.digitalCredential !== void 0;
-}, "isUniqueDigitalCredential");
-// src/utils/dcql.ts
-function convertToDcqlCredentials(credential, hasher) {
-  let originalVerifiableCredential;
-  if (isUniqueDigitalCredential(credential)) {
-    if (!credential.originalVerifiableCredential) {
-      throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
-    }
-    originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
-  } else {
-    originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential, hasher);
+// src/session/OpSession.ts
+import { OP as OP2, URI } from "@sphereon/did-auth-siop";
+import { getAgentDIDMethods, getAgentResolver } from "@sphereon/ssi-sdk-ext.did-utils";
+import { encodeBase64url } from "@sphereon/ssi-sdk.core";
+import { parseDid } from "@sphereon/ssi-types";
+import { v4 } from "uuid";
+import { Loggers as Loggers3 } from "@sphereon/ssi-types";
+var logger3 = Loggers3.DEFAULT.get("sphereon:oid4vp:OpSession");
+var OpSession = class _OpSession {
+  static {
+    __name(this, "OpSession");
   }
-  if (!originalVerifiableCredential) {
-    throw new Error("No payload found");
+  ts = (/* @__PURE__ */ new Date()).getDate();
+  id;
+  options;
+  context;
+  requestJwtOrUri;
+  verifiedAuthorizationRequest;
+  _nonce;
+  _state;
+  constructor(options) {
+    this.id = options.sessionId;
+    this.options = options.op;
+    this.context = options.context;
+    this.requestJwtOrUri = options.requestJwtOrUri;
   }
-  if (CredentialMapper2.isJwtDecodedCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
-  } else if (CredentialMapper2.isSdJwtDecodedCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlSdJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
-  } else if (CredentialMapper2.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlMdocCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
-  } else if (CredentialMapper2.isW3cCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlJsonLdCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
+  static async init(options) {
+    return new _OpSession(options);
   }
-  throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
-}
-__name(convertToDcqlCredentials, "convertToDcqlCredentials");
-// src/services/Siopv2MachineService.ts
-import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
-var logger3 = Loggers3.DEFAULT.get(LOGGER_NAMESPACE);
-var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
-  const { agent } = context;
-  const { credentials } = args;
-  if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
-    return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
+  async getAuthorizationRequest() {
+    if (!this.verifiedAuthorizationRequest) {
+      const op = await createOP({
+        opOptions: this.options,
+        context: this.context
+      });
+      this.verifiedAuthorizationRequest = await op.verifyAuthorizationRequest(this.requestJwtOrUri);
+      this._nonce = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("nonce");
+      this._state = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("state");
+      await this.getSupportedDIDMethods();
+    }
+    return this.verifiedAuthorizationRequest;
   }
-  const session = await agent.siopGetOPSession({
-    sessionId: args.sessionId
-  });
-  const request = await session.getAuthorizationRequest();
-  const aud = request.authorizationRequest.getMergedProperty("aud");
-  logger3.debug(`AUD: ${aud}`);
-  logger3.debug(JSON.stringify(request.authorizationRequest));
-  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
-  logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
-  const firstUniqueDC = credentials[0];
-  if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
-    return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
+  async getAuthorizationRequestURI() {
+    return await URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
   }
-  let identifier;
-  const digitalCredential = firstUniqueDC.digitalCredential;
-  const firstVC = firstUniqueDC.uniformVerifiableCredential;
-  const holder = CredentialMapper3.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
-    //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-    `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-  ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
-  if (!digitalCredential.kmsKeyRef) {
-    if (!holder) {
-      return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
+  get nonce() {
+    if (!this._nonce) {
+      throw Error("No nonce available. Please get authorization request first");
     }
-    try {
-      identifier = await session.context.agent.identifierManagedGet({
-        identifier: holder
-      });
-    } catch (e) {
-      logger3.debug(`Holder DID not found: ${holder}`);
-      throw e;
+    return this._nonce;
+  }
+  get state() {
+    if (!this._state) {
+      throw Error("No state available. Please get authorization request first");
     }
-  } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
-    identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
-      identifier: firstUniqueDC.digitalCredential.kmsKeyRef
+    return this._state;
+  }
+  clear() {
+    this._nonce = void 0;
+    this._state = void 0;
+    this.verifiedAuthorizationRequest = void 0;
+    return this;
+  }
+  async getSupportedDIDMethods(didPrefix) {
+    const agentMethods = this.getAgentDIDMethodsSupported({
+      didPrefix
     });
-  } else {
-    switch (digitalCredential.subjectCorrelationType) {
-      case "DID":
-        identifier = await session.context.agent.identifierManagedGetByDid({
-          identifier: digitalCredential.subjectCorrelationId ?? holder,
-          kmsKeyRef: digitalCredential.kmsKeyRef
-        });
-        break;
-      // TODO other implementations?
-      default:
-        identifier = await session.context.agent.identifierManagedGetByKid({
-          identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-          kmsKeyRef: digitalCredential.kmsKeyRef
-        });
+    let rpMethods = await this.getRPDIDMethodsSupported({
+      didPrefix,
+      agentMethods
+    });
+    logger3.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
+    if (rpMethods.dids.length === 0) {
+      logger3.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
+      return [];
+    }
+    let intersection;
+    if (rpMethods.dids.includes("did")) {
+      intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await getAgentDIDMethods(this.context)).map((method) => convertDidMethod(method, didPrefix));
+    } else if (!agentMethods || agentMethods.length === 0) {
+      intersection = rpMethods.dids?.map((method) => convertDidMethod(method, didPrefix));
+    } else {
+      intersection = agentMethods.filter((value) => rpMethods.dids.includes(value));
+    }
+    if (intersection.length === 0) {
+      throw Error("No matching DID methods between agent and relying party");
     }
+    return intersection.map((value) => convertDidMethod(value, didPrefix));
   }
-  const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
-    convertToDcqlCredentials(vc),
-    vc
-  ]));
-  const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
-  if (!queryResult.can_be_satisfied) {
-    return Promise.reject(Error("Credentials do not match required query request"));
+  getAgentDIDMethodsSupported(opts) {
+    const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix));
+    logger3.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
+    return agentMethods;
   }
-  const presentation = {};
-  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
-  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-    if (value.success) {
-      const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
-      const vc = matchedCredentials[0];
-      if (!vc) {
-        continue;
-      }
-      const originalVc = retrieveEncodedCredential(vc);
-      if (!originalVc) {
-        continue;
+  async getSubjectSyntaxTypesSupported() {
+    const authReq = await this.getAuthorizationRequest();
+    const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported;
+    return subjectSyntaxTypesSupported ?? [];
+  }
+  async getRPDIDMethodsSupported(opts) {
+    let keyType;
+    const agentMethods = (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? [];
+    logger3.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
+    const authReq = await this.getAuthorizationRequest();
+    const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) => convertDidMethod(method, opts.didPrefix)).filter((val) => !val.startsWith("did"));
+    logger3.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
+    const aud = await authReq.authorizationRequest.getMergedProperty("aud");
+    let rpMethods = [];
+    if (aud && aud.startsWith("did:")) {
+      const didMethod = convertDidMethod(parseDid(aud).method, opts.didPrefix);
+      logger3.debug(`aud did method: ${didMethod}`);
+      if (subjectSyntaxTypesSupported && subjectSyntaxTypesSupported.length > 0 && !subjectSyntaxTypesSupported.includes("did") && !subjectSyntaxTypesSupported.includes(didMethod)) {
+        throw Error(`The aud DID method ${didMethod} is not in the supported types ${subjectSyntaxTypesSupported}`);
       }
-      if (originalVc) {
-        presentation[key] = originalVc;
+      rpMethods = [
+        didMethod
+      ];
+    } else if (subjectSyntaxTypesSupported) {
+      rpMethods = (Array.isArray(subjectSyntaxTypesSupported) ? subjectSyntaxTypesSupported : [
+        subjectSyntaxTypesSupported
+      ]).map((method) => convertDidMethod(method, opts.didPrefix));
+    }
+    const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
+    let codecName = void 0;
+    if (isEBSI && (!aud || !aud.startsWith("http"))) {
+      logger3.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
+      const didKeyMethod = convertDidMethod("did:key", opts.didPrefix);
+      if (!agentMethods?.includes(didKeyMethod)) {
+        throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`);
       }
+      rpMethods = [
+        didKeyMethod
+      ];
+      keyType = "Secp256r1";
+      codecName = "jwk_jcs-pub";
     }
+    return {
+      dids: rpMethods,
+      codecName,
+      keyType
+    };
   }
-  const dcqlPresentation = DcqlPresentation.parse(presentation);
-  const response = session.sendAuthorizationResponse({
-    responseSignerOpts: identifier,
-    dcqlResponse: {
-      dcqlPresentation
-    }
-  });
-  logger3.debug(`Response: `, response);
-  return response;
-}, "siopSendAuthorizationResponse");
-var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
-  return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
-}, "retrieveEncodedCredential");
-var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
-  const agentContext = {
-    ...context,
-    agent: context.agent
-  };
-  const { agent } = agentContext;
-  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
-    filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER)
-  });
-  const branding = await agent.ibGetCredentialBranding();
-  const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
-    convertToDcqlCredentials(vc),
-    vc
-  ]));
-  const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
-  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
-  const selectableCredentialsMap = /* @__PURE__ */ new Map();
-  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-    if (!value.valid_credentials) {
-      continue;
+  async getSupportedIdentifiers(opts) {
+    const methods = await this.getSupportedDIDMethods(true);
+    logger3.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
+    if (methods.length === 0) {
+      throw Error(`No DID methods are supported`);
     }
-    const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
-      const matchedCredential = uniqueCredentials[cred.input_credential_index];
-      const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
-      const issuerPartyIdentity = await agent.cmGetContacts({
-        filter: [
-          {
-            identities: {
-              identifier: {
-                correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
-              }
-            }
+    const identifiers = await this.context.agent.didManagerFind().then((ids) => ids.filter((id) => methods.includes(id.provider)));
+    if (identifiers.length === 0) {
+      logger3.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
+      if (opts?.createInCaseNoDIDFound !== false) {
+        const { codecName, keyType } = await this.getRPDIDMethodsSupported({
+          didPrefix: true,
+          agentMethods: methods
+        });
+        const identifier = await this.context.agent.didManagerCreate({
+          provider: methods[0],
+          options: {
+            codecName,
+            keyType,
+            type: keyType
           }
-        ]
+        });
+        logger3.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
+        identifiers.push(identifier);
+      }
+    }
+    logger3.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
+    return identifiers;
+  }
+  async getSupportedDIDs() {
+    return (await this.getSupportedIdentifiers()).map((id) => id.did);
+  }
+  async getRedirectUri() {
+    return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
+  }
+  async getOID4VP(args) {
+    return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
+  }
+  async createJarmResponseCallback({ responseOpts }) {
+    const agent = this.context.agent;
+    return /* @__PURE__ */ __name(async function jarmResponse(opts) {
+      const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
+      const jwk = await OP2.extractEncJwksFromClientMetadata(clientMetadata);
+      const recipientKey = await agent.identifierExternalResolveByJwk({
+        identifier: jwk
       });
-      const subjectPartyIdentity = await agent.cmGetContacts({
-        filter: [
-          {
-            identities: {
-              identifier: {
-                correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
-              }
-            }
-          }
-        ]
+      return await agent.jwtEncryptJweCompactJwt({
+        recipientKey,
+        protectedHeader: {},
+        alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
+        enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
+        apv: encodeBase64url(opts.requestObjectPayload.nonce),
+        apu: encodeBase64url(v4()),
+        payload: authResponse,
+        issuer: responseOpts.issuer,
+        audience: responseOpts.audience
+      }).then((result) => {
+        return {
+          response: result.jwt
+        };
       });
-      return {
-        credential: matchedCredential,
-        credentialBranding: credentialBranding[0]?.localeBranding,
-        issuerParty: issuerPartyIdentity?.[0],
-        subjectParty: subjectPartyIdentity?.[0]
-      };
+    }, "jarmResponse");
+  }
+  async sendAuthorizationResponse(args) {
+    const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
+    const resolveOpts = this.options.resolveOpts ?? {
+      resolver: getAgentResolver(this.context, {
+        uniresolverResolution: true,
+        localResolution: true,
+        resolverResolution: true
+      })
+    };
+    if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
+      resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
+    }
+    const request = await this.getAuthorizationRequest();
+    const op = await createOP({
+      opOptions: {
+        ...this.options,
+        resolveOpts: {
+          ...this.options.resolveOpts
+        },
+        eventEmitter: this.options.eventEmitter,
+        presentationSignCallback: this.options.presentationSignCallback,
+        wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
+        supportedVersions: request.versions
+      },
+      idOpts: responseSignerOpts,
+      context: this.context
     });
-    const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
-    selectableCredentialsMap.set(key, selectableCredentials);
+    let issuer = responseSignerOpts.issuer;
+    const responseOpts = {
+      issuer,
+      ...isFirstParty && {
+        isFirstParty
+      },
+      dcqlResponse
+    };
+    const authResponse = await op.createAuthorizationResponse(request, responseOpts);
+    const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
+      responseOpts
+    }));
+    if (response.status >= 400) {
+      throw Error(`Error ${response.status}: ${response.statusText || await response.text()}`);
+    } else {
+      return response;
+    }
   }
-  return selectableCredentialsMap;
-}, "getSelectableCredentials");
-var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId, context) => {
-  const { agent } = context;
-  const contacts = await agent.cmGetContacts({
-    filter: [
-      {
-        identities: {
-          identifier: {
-            correlationId
-          }
-        }
-      }
-    ]
-  });
-  if (contacts.length === 0) {
-    return void 0;
+};
+function convertDidMethod(didMethod, didPrefix) {
+  if (didPrefix === false) {
+    return didMethod.startsWith("did:") ? didMethod.toLowerCase().replace("did:", "") : didMethod.toLowerCase();
   }
-  return contacts[0].contact.displayName;
-}, "translateCorrelationIdToName");
+  return didMethod.startsWith("did:") ? didMethod.toLowerCase() : `did:${didMethod.toLowerCase().replace("did:", "")}`;
+}
+__name(convertDidMethod, "convertDidMethod");
 // src/agent/DidAuthSiopOpAuthenticator.ts
 var logger4 = Loggers4.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);