npm - @sphereon/ssi-sdk.siopv2-oid4vp-op-auth - Versions diffs - 0.34.1-feature.SSISDK.45.94 → 0.34.1-feature.SSISDK.46.41 - Mend

@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.SSISDK.45.94 → 0.34.1-feature.SSISDK.46.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/index.cjs +1095 -573
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +111 -709
package/dist/index.d.ts +111 -709
package/dist/index.js +1043 -521
package/dist/index.js.map +1 -1
package/package.json +25 -24
package/src/agent/DidAuthSiopOpAuthenticator.ts +144 -9
package/src/index.ts +1 -2
package/src/machine/Siopv2Machine.ts +4 -4
package/src/services/Siopv2MachineService.ts +265 -133
package/src/session/OID4VP.ts +299 -310
package/src/session/OpSession.ts +114 -22
package/src/types/IDidAuthSiopOpAuthenticator.ts +58 -5
package/src/types/identifier/index.ts +4 -0
package/src/types/siop-service/index.ts +3 -1
package/src/utils/CredentialUtils.ts +39 -1
package/src/utils/dcql.ts +19 -21

package/src/session/OpSession.ts CHANGED Viewed

@@ -2,30 +2,36 @@ import {
   AuthorizationResponsePayload,
   JwksMetadataParams,
   OP,
+  PresentationDefinitionWithLocation,
+  PresentationExchangeResponseOpts,
+  PresentationVerificationResult,
   RequestObjectPayload,
   ResponseIss,
   SupportedVersion,
   URI,
   Verification,
-  VerifiedAuthorizationRequest
+  VerifiedAuthorizationRequest,
 } from '@sphereon/did-auth-siop'
 import { ResolveOpts } from '@sphereon/did-auth-siop-adapter'
 import { JwtIssuer } from '@sphereon/oid4vc-common'
 import { getAgentDIDMethods, getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
 import { JweAlg, JweEnc } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { encodeBase64url } from '@sphereon/ssi-sdk.core'
-import { parseDid } from '@sphereon/ssi-types'
-import { IIdentifier, TKeyType } from '@veramo/core'
-import { v4 } from 'uuid'
 import {
-  IOPOptions,
-  IOpSessionArgs,
-  IOpSessionGetOID4VPArgs,
-  IOpsSendSiopAuthorizationResponseArgs,
-  IRequiredContext
-} from '../types'
+  CompactSdJwtVc,
+  CredentialMapper,
+  HasherSync,
+  OriginalVerifiableCredential,
+  parseDid,
+  PresentationSubmission,
+  W3CVerifiablePresentation,
+} from '@sphereon/ssi-types'
+import { IIdentifier, IVerifyResult, TKeyType } from '@veramo/core'
+import { v4 } from 'uuid'
+import { IOPOptions, IOpSessionArgs, IOpSessionGetOID4VPArgs, IOpsSendSiopAuthorizationResponseArgs, IRequiredContext } from '../types'
 import { createOP } from './functions'
 import { OID4VP } from './OID4VP'
+import { PEX } from '@sphereon/pex'
 import { Loggers } from '@sphereon/ssi-types'
 const logger = Loggers.DEFAULT.get('sphereon:oid4vp:OpSession')
@@ -39,12 +45,14 @@ export class OpSession {
   private verifiedAuthorizationRequest?: VerifiedAuthorizationRequest | undefined
   private _nonce?: string
   private _state?: string
+  private readonly _providedPresentationDefinitions?: PresentationDefinitionWithLocation[]
   private constructor(options: Required<IOpSessionArgs>) {
     this.id = options.sessionId
     this.options = options.op
     this.context = options.context
     this.requestJwtOrUri = options.requestJwtOrUri
+    this._providedPresentationDefinitions = options.providedPresentationDefinitions
   }
   public static async init(options: Required<IOpSessionArgs>): Promise<OpSession> {
@@ -161,7 +169,7 @@ export class OpSession {
     }
     const isEBSI =
       rpMethods.length === 0 &&
-      (authReq.issuer?.includes('.ebsi.eu') || authReq.authorizationRequest.getMergedProperty<string>('client_id')?.includes('.ebsi.eu'))
+      (authReq.issuer?.includes('.ebsi.eu') || (await authReq.authorizationRequest.getMergedProperty<string>('client_id'))?.includes('.ebsi.eu'))
     let codecName: string | undefined = undefined
     if (isEBSI && (!aud || !aud.startsWith('http'))) {
       logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`)
@@ -213,10 +221,51 @@ export class OpSession {
     return Promise.resolve(this.verifiedAuthorizationRequest!.responseURI!)
   }
+  public async hasPresentationDefinitions(): Promise<boolean> {
+    const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions
+    return defs !== undefined && defs.length > 0
+  }
+  public async getPresentationDefinitions(): Promise<Array<PresentationDefinitionWithLocation> | undefined> {
+    if (!(await this.hasPresentationDefinitions())) {
+      throw Error(`No presentation definitions found`)
+    }
+    return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions
+  }
   public async getOID4VP(args: IOpSessionGetOID4VPArgs): Promise<OID4VP> {
     return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher)
   }
+  private createPresentationVerificationCallback(context: IRequiredContext) {
+    async function presentationVerificationCallback(
+      args: W3CVerifiablePresentation | CompactSdJwtVc,
+      presentationSubmission?: PresentationSubmission,
+    ): Promise<PresentationVerificationResult> {
+      let result: IVerifyResult
+      if (CredentialMapper.isSdJwtEncoded(args)) {
+        try {
+          const sdJwtResult = await context.agent.verifySdJwtPresentation({ presentation: args })
+          result = {
+            verified: 'header' in sdJwtResult,
+            error: 'header' in sdJwtResult ? undefined : { message: 'could not verify SD JWT presentation' },
+          }
+        } catch (error: any) {
+          result = {
+            verified: false,
+            error: { message: error.message },
+          }
+        }
+      } else {
+        // @ts-ignore TODO IVerifiablePresentation has too many union types for Veramo
+        result = await context.agent.verifyPresentation({ presentation: args })
+      }
+      return result
+    }
+    return presentationVerificationCallback
+  }
   private async createJarmResponseCallback({
     responseOpts,
   }: {
@@ -259,12 +308,6 @@ export class OpSession {
   }
   public async sendAuthorizationResponse(args: IOpsSendSiopAuthorizationResponseArgs): Promise<Response> {
-    const {
-      responseSignerOpts,
-      dcqlResponse,
-      isFirstParty,
-    } = args
     const resolveOpts: ResolveOpts = this.options.resolveOpts ?? {
       resolver: getAgentResolver(this.context, {
         uniresolverResolution: true,
@@ -275,9 +318,30 @@ export class OpSession {
     if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
       resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true)
     }
+    //todo: populate with the right verification params. In did-auth-siop we don't have any test that actually passes this parameter
+    const verification: Verification = {
+      presentationVerificationCallback: this.createPresentationVerificationCallback(this.context),
+    }
     const request = await this.getAuthorizationRequest()
+    const hasDefinitions = await this.hasPresentationDefinitions()
+    if (hasDefinitions) {
+      const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
+        return sum + pd.definition.input_descriptors.length
+      }, 0)
+      const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0
+      if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
+        throw Error(
+          `Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`,
+        )
+      } else if (!args.presentationSubmission) {
+        throw Error(`Presentation submission is required when verifiable presentations are required`)
+      }
+    }
+    const verifiablePresentations = args.verifiablePresentations
+      ? args.verifiablePresentations.map((vp) => CredentialMapper.storedPresentationToOriginalFormat(vp))
+      : []
     const op = await createOP({
       opOptions: {
         ...this.options,
@@ -287,16 +351,23 @@ export class OpSession {
         wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
         supportedVersions: request.versions,
       },
-      idOpts: responseSignerOpts,
+      idOpts: args.responseSignerOpts,
       context: this.context,
     })
     //TODO change this to use the new functionalities by identifier-resolver and get the jwkIssuer for the responseOpts
-    let issuer = responseSignerOpts.issuer
+    let issuer = args.responseSignerOpts.issuer
     const responseOpts = {
+      verification,
       issuer,
-      ...(isFirstParty && { isFirstParty }),
-      dcqlResponse: dcqlResponse,
+      ...(args.isFirstParty && { isFirstParty: args.isFirstParty }),
+      ...(args.verifiablePresentations && {
+        presentationExchange: {
+          verifiablePresentations,
+          presentationSubmission: args.presentationSubmission,
+        } as PresentationExchangeResponseOpts,
+      }),
+      dcqlQuery: args.dcqlResponse,
     }
     const authResponse = await op.createAuthorizationResponse(request, responseOpts)
@@ -308,6 +379,27 @@ export class OpSession {
       return response
     }
   }
+  private countVCsInAllVPs(verifiablePresentations: W3CVerifiablePresentation[], hasher?: HasherSync) {
+    return verifiablePresentations.reduce((sum, vp) => {
+      if (CredentialMapper.isMsoMdocDecodedPresentation(vp) || CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
+        return sum + 1
+      }
+      const uvp = CredentialMapper.toUniformPresentation(vp, { hasher: hasher ?? this.options.hasher })
+      if (uvp.verifiableCredential?.length) {
+        return sum + uvp.verifiableCredential?.length
+      }
+      const isSdJWT = CredentialMapper.isSdJwtDecodedCredential(uvp)
+      if (
+        isSdJWT ||
+        (uvp.verifiableCredential && !PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential as Array<OriginalVerifiableCredential>))
+      ) {
+        return sum + 1
+      }
+      return sum
+    }, 0)
+  }
 }
 function convertDidMethod(didMethod: string, didPrefix?: boolean): string {

package/src/types/IDidAuthSiopOpAuthenticator.ts CHANGED Viewed

@@ -1,21 +1,25 @@
 import {
   DcqlResponseOpts,
+  PresentationDefinitionWithLocation,
   PresentationSignCallback,
   ResponseMode,
   SupportedVersion,
   URI,
+  VerifiablePresentationTypeFormat,
   VerifiedAuthorizationRequest,
   VerifyJwtCallback,
+  VPTokenLocation,
 } from '@sphereon/did-auth-siop'
 import { CheckLinkedDomain, ResolveOpts } from '@sphereon/did-auth-siop-adapter'
 import { DIDDocument } from '@sphereon/did-uni-client'
+import { VerifiablePresentationResult } from '@sphereon/pex'
 import { IIdentifierResolution, ManagedIdentifierOptsOrResult } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'
-import { ICredentialStore } from '@sphereon/ssi-sdk.credential-store'
+import { ICredentialStore, UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
 import { Party } from '@sphereon/ssi-sdk.data-store'
 import { IPDManager } from '@sphereon/ssi-sdk.pd-manager'
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
-import { HasherSync, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
+import { HasherSync, OriginalVerifiableCredential, PresentationSubmission, W3CVerifiablePresentation } from '@sphereon/ssi-types'
 import { VerifyCallback } from '@sphereon/wellknown-dids-client'
 import {
   IAgentContext,
@@ -45,7 +49,6 @@ import {
   Siopv2AuthorizationResponseData,
 } from './siop-service'
 import { ICredentialValidation } from '@sphereon/ssi-sdk.credential-validation'
-import { DcqlPresentation, DcqlQuery } from 'dcql'
 export const LOGGER_NAMESPACE = 'sphereon:siopv2-oid4vp:op-auth'
@@ -78,7 +81,7 @@ export interface IDidAuthSiopOpAuthenticator extends IPluginMethodMap {
 export interface IOpSessionArgs {
   sessionId?: string
   requestJwtOrUri: string | URI
-  dcqlQuery?: DcqlQuery
+  providedPresentationDefinitions?: Array<PresentationDefinitionWithLocation>
   identifierOptions?: ManagedIdentifierOptsOrResult
   context: IRequiredContext
   op?: IOPOptions
@@ -87,10 +90,17 @@ export interface IOpSessionArgs {
 export interface IAuthRequestDetails {
   rpDIDDocument?: DIDDocument
   id: string
-  verifiablePresentationMatches: DcqlPresentation[]
+  verifiablePresentationMatches: IPresentationWithDefinition[]
   alsoKnownAs?: string[]
 }
+export interface IPresentationWithDefinition {
+  location: VPTokenLocation
+  definition: PresentationDefinitionWithLocation
+  format: VerifiablePresentationTypeFormat
+  presentation: W3CVerifiablePresentation
+}
 export interface IGetSiopSessionArgs {
   sessionId: string
 }
@@ -110,6 +120,7 @@ export interface IRemoveCustomApprovalForSiopArgs {
 export interface IOpsSendSiopAuthorizationResponseArgs {
   responseSignerOpts: ManagedIdentifierOptsOrResult
+  // verifiedAuthorizationRequest: VerifiedAuthorizationRequest
   presentationSubmission?: PresentationSubmission
   verifiablePresentations?: W3CVerifiablePresentation[]
   dcqlResponse?: DcqlResponseOpts
@@ -117,6 +128,10 @@ export interface IOpsSendSiopAuthorizationResponseArgs {
   isFirstParty?: boolean
 }
+export enum events {
+  DID_SIOP_AUTHENTICATED = 'didSiopAuthenticated',
+}
 export type IRequiredContext = IAgentContext<
   IDataStoreORM &
     IResolver &
@@ -140,13 +155,34 @@ export interface IOPOptions {
   skipDidResolution?: boolean
   eventEmitter?: EventEmitter
   supportedDIDMethods?: string[]
   verifyJwtCallback?: VerifyJwtCallback
   wellknownDIDVerifyCallback?: VerifyCallback
   presentationSignCallback?: PresentationSignCallback
   resolveOpts?: ResolveOpts
   hasher?: HasherSync
 }
+/*
+export interface IIdentifierOpts {
+  identifier: IIdentifier
+  verificationMethodSection?: DIDDocumentSection
+  kid?: string
+}*/
+export interface VerifiableCredentialsWithDefinition {
+  definition: PresentationDefinitionWithLocation
+  credentials: (UniqueDigitalCredential | OriginalVerifiableCredential)[]
+}
+export interface VerifiablePresentationWithDefinition extends VerifiablePresentationResult {
+  definition: PresentationDefinitionWithLocation
+  verifiableCredentials: OriginalVerifiableCredential[]
+  idOpts: ManagedIdentifierOptsOrResult
+}
 export interface IOpSessionGetOID4VPArgs {
   allIdentifiers?: string[]
   hasher?: HasherSync
@@ -158,4 +194,21 @@ export interface IOID4VPArgs {
   hasher?: HasherSync
 }
+export interface IGetPresentationExchangeArgs {
+  verifiableCredentials: OriginalVerifiableCredential[]
+  allIdentifiers?: string[]
+  hasher?: HasherSync
+}
+// It was added here because it's not exported from DCQL anymore
+export type Json =
+  | string
+  | number
+  | boolean
+  | null
+  | {
+      [key: string]: Json
+    }
+  | Json[]
 export const DEFAULT_JWT_PROOF_TYPE = 'JwtProof2020'

package/src/types/identifier/index.ts CHANGED Viewed

@@ -2,6 +2,9 @@ import { IDIDManager, IIdentifier, IResolver, TAgent, TKeyType } from '@veramo/c
 import { _ExtendedIKey } from '@veramo/utils'
 import { RequiredContext } from '../siop-service'
 import { SupportedDidMethodEnum } from '@sphereon/ssi-sdk-ext.did-utils'
+import { IContactManager } from '@sphereon/ssi-sdk.contact-manager'
+import { IIssuanceBranding } from '@sphereon/ssi-sdk.issuance-branding'
+import { ICredentialStore } from '@sphereon/ssi-sdk.credential-store'
 export const DID_PREFIX = 'did'
@@ -57,3 +60,4 @@ export type CreateIdentifierOpts = {
 }
 export type DidAgents = TAgent<IResolver & IDIDManager>
+export type SuitableCredentialAgents = TAgent<IContactManager & ICredentialStore & IIssuanceBranding>

package/src/types/siop-service/index.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import {
+  PresentationDefinitionWithLocation,
   PresentationSignCallback,
   RPRegistrationMetadataPayload,
   VerifiedAuthorizationRequest,
@@ -68,7 +69,8 @@ export type Siopv2AuthorizationRequestData = {
   name?: string
   uri?: URL
   clientId?: string
-  dcqlQuery: DcqlQuery
+  presentationDefinitions?: PresentationDefinitionWithLocation[]
+  dcqlQuery?: DcqlQuery
 }
 export type SelectableCredentialsMap = Map<string, Array<SelectableCredential>>

package/src/utils/CredentialUtils.ts CHANGED Viewed

@@ -1,7 +1,45 @@
-import { CredentialMapper, HasherSync, ICredential, OriginalVerifiableCredential } from '@sphereon/ssi-types'
+import { CredentialMapper, HasherSync, ICredential, IVerifiableCredential, OriginalVerifiableCredential } from '@sphereon/ssi-types'
 import { VerifiableCredential } from '@veramo/core'
 import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
+/**
+ * Return the type(s) of a VC minus the VerifiableCredential type which should always be present
+ * @param credential The input credential
+ */
+export const getCredentialTypeAsString = (credential: ICredential | VerifiableCredential): string => {
+  if (!credential.type) {
+    return 'Verifiable Credential'
+  } else if (typeof credential.type === 'string') {
+    return credential.type
+  }
+  return credential.type.filter((type: string): boolean => type !== 'VerifiableCredential').join(', ')
+}
+/**
+ * Returns a Unique Verifiable Credential (with hash) as stored in Veramo, based upon matching the id of the input VC or the proof value of the input VC
+ * @param uniqueVCs The Unique VCs to search in
+ * @param searchVC The VC to search for in the unique VCs array
+ */
+export const getMatchingUniqueDigitalCredential = (
+  uniqueVCs: UniqueDigitalCredential[],
+  searchVC: OriginalVerifiableCredential,
+): UniqueDigitalCredential | undefined => {
+  // Since an ID is optional in a VC according to VCDM, and we really need the matches, we have a fallback match on something which is guaranteed to be unique for any VC (the proof(s))
+  return uniqueVCs.find(
+    (uniqueVC: UniqueDigitalCredential) =>
+      (typeof searchVC !== 'string' &&
+        (uniqueVC.id === (<IVerifiableCredential>searchVC).id ||
+          (uniqueVC.originalVerifiableCredential as VerifiableCredential).proof === (<IVerifiableCredential>searchVC).proof)) ||
+      (typeof searchVC === 'string' && (uniqueVC.uniformVerifiableCredential as VerifiableCredential)?.proof?.jwt === searchVC) ||
+      // We are ignoring the signature of the sd-jwt as PEX signs the vc again and it will not match anymore with the jwt in the proof of the stored jsonld vc
+      (typeof searchVC === 'string' &&
+        CredentialMapper.isSdJwtEncoded(searchVC) &&
+        uniqueVC.uniformVerifiableCredential?.proof &&
+        'jwt' in uniqueVC.uniformVerifiableCredential.proof &&
+        uniqueVC.uniformVerifiableCredential.proof.jwt?.split('.')?.slice(0, 2)?.join('.') === searchVC.split('.')?.slice(0, 2)?.join('.')),
+  )
+}
 type InputCredential = UniqueDigitalCredential | VerifiableCredential | ICredential | OriginalVerifiableCredential
 /**

package/src/utils/dcql.ts CHANGED Viewed

@@ -1,38 +1,36 @@
 import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
-import {
-  CredentialMapper,
-  HasherSync,
-  OriginalVerifiableCredential, WrappedMdocCredential,
-  type WrappedSdJwtVerifiableCredential, type WrappedW3CVerifiableCredential
-} from '@sphereon/ssi-types'
-import { Dcql } from '@sphereon/did-auth-siop'
-import { DcqlCredential } from 'dcql'
+import { DcqlCredential, DcqlSdJwtVcCredential, DcqlW3cVcCredential } from 'dcql'
+import { CredentialMapper, HasherSync, OriginalVerifiableCredential } from '@sphereon/ssi-types'
 import { isUniqueDigitalCredential } from './CredentialUtils'
 export function convertToDcqlCredentials(credential: UniqueDigitalCredential | OriginalVerifiableCredential, hasher?: HasherSync): DcqlCredential {
-  let originalVerifiableCredential
+  let payload
   if (isUniqueDigitalCredential(credential)) {
     if (!credential.originalVerifiableCredential) {
       throw new Error('originalVerifiableCredential is not defined in UniqueDigitalCredential')
     }
-    originalVerifiableCredential = CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher)
+    payload = CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher)
   } else {
-    originalVerifiableCredential = CredentialMapper.decodeVerifiableCredential(credential as OriginalVerifiableCredential, hasher)
+    payload = CredentialMapper.decodeVerifiableCredential(credential as OriginalVerifiableCredential, hasher)
   }
-  if (!originalVerifiableCredential) {
+  if (!payload) {
     throw new Error('No payload found')
   }
-  if (CredentialMapper.isJwtDecodedCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlJwtCredential(CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential) as WrappedW3CVerifiableCredential)
-  } else if (CredentialMapper.isSdJwtDecodedCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlSdJwtCredential(CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential) as WrappedSdJwtVerifiableCredential)
-  } else if (CredentialMapper.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlMdocCredential(CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential) as WrappedMdocCredential)
-  } else if (CredentialMapper.isW3cCredential(originalVerifiableCredential)) {
-    return Dcql.toDcqlJsonLdCredential(CredentialMapper.toWrappedVerifiableCredential(originalVerifiableCredential) as WrappedW3CVerifiableCredential)
+  if ('decodedPayload' in payload && payload.decodedPayload) {
+    payload = payload.decodedPayload
   }
-  throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`)
+  if ('vct' in payload!) {
+    return { vct: payload.vct, claims: payload, credential_format: 'vc+sd-jwt' } satisfies DcqlSdJwtVcCredential // TODO dc+sd-jwt support?
+  } else if ('docType' in payload! && 'namespaces' in payload) {
+    // mdoc
+    return { docType: payload.docType, namespaces: payload.namespaces, claims: payload }
+  } else {
+    return {
+      claims: payload,
+      credential_format: 'jwt_vc_json', // TODO jwt_vc_json-ld support
+    } as DcqlW3cVcCredential
+  }
 }