@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-next.29 → 0.34.1-next.299

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/ssi-sdk.siopv2-oid4vp-op-auth",
-  "version": "0.34.1-next.29+2593a430",
+  "version": "0.34.1-next.299+9e9f5a50",
   "source": "src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -26,31 +26,31 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/did-auth-siop": "0.19.1-next.2",
-    "@sphereon/did-auth-siop-adapter": "0.19.1-next.2",
-    "@sphereon/oid4vc-common": "0.19.1-next.2",
+    "@sphereon/did-auth-siop": "0.19.1-next.220",
+    "@sphereon/did-auth-siop-adapter": "0.19.1-next.220",
+    "@sphereon/oid4vc-common": "0.19.1-next.220",
     "@sphereon/pex": "5.0.0-unstable.28",
     "@sphereon/pex-models": "^2.3.2",
-    "@sphereon/ssi-sdk-ext.did-utils": "0.29.1-next.3",
-    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.29.1-next.3",
-    "@sphereon/ssi-sdk-ext.jwt-service": "0.29.1-next.3",
-    "@sphereon/ssi-sdk.contact-manager": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-sdk.core": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-sdk.credential-store": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-sdk.credential-validation": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-sdk.data-store": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-sdk.pd-manager": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-next.29+2593a430",
-    "@sphereon/ssi-types": "0.34.1-next.29+2593a430",
+    "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk-ext.identifier-resolution": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk-ext.jwt-service": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.contact-manager": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.core": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.credential-store": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.credential-validation": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.data-store-types": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.issuance-branding": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.pd-manager": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.presentation-exchange": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.sd-jwt": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.siopv2-oid4vp-common": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.xstate-machine-persistence": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-types": "0.34.1-next.299+9e9f5a50",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "@veramo/core": "4.2.0",
     "@veramo/credential-w3c": "4.2.0",
-    "cross-fetch": "^3.1.8",
-    "dcql": "0.2.19",
+    "cross-fetch": "^4.1.0",
+    "dcql": "1.0.1",
     "did-jwt-vc": "3.1.3",
     "i18n-js": "^3.9.2",
     "lodash.memoize": "^4.1.2",
@@ -59,8 +59,8 @@
   },
   "devDependencies": {
     "@sphereon/did-uni-client": "^0.6.3",
-    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.29.1-next.3",
-    "@sphereon/ssi-sdk.agent-config": "0.34.1-next.29+2593a430",
+    "@sphereon/ssi-sdk-ext.did-resolver-jwk": "0.34.1-next.299+9e9f5a50",
+    "@sphereon/ssi-sdk.agent-config": "0.34.1-next.299+9e9f5a50",
     "@types/i18n-js": "^3.8.9",
     "@types/lodash.memoize": "^4.1.9",
     "@types/sha.js": "^2.4.4",
@@ -102,5 +102,5 @@
     "OpenID Connect",
     "Authenticator"
   ],
-  "gitHead": "2593a430ac4faca47b620a3e12b297899518f2af"
+  "gitHead": "9e9f5a50ead9373a078cb5291cbc4fb1e7865dc2"
 }

package/src/agent/DidAuthSiopOpAuthenticator.ts

@@ -1,23 +1,9 @@
-import { decodeUriAsJson, PresentationSignCallback, SupportedVersion, VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
-import {
-  ConnectionType,
-  CorrelationIdentifierType,
-  CredentialDocumentFormat,
-  CredentialRole,
-  DocumentType,
-  Identity,
-  IdentityOrigin,
-  NonPersistedIdentity,
-  Party,
-} from '@sphereon/ssi-sdk.data-store'
-import { HasherSync, Loggers, SdJwtDecodedVerifiableCredential } from '@sphereon/ssi-types'
+import { decodeUriAsJson, PresentationSignCallback, VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
+import { ConnectionType, CorrelationIdentifierType, Identity, IdentityOrigin, NonPersistedIdentity, Party } from '@sphereon/ssi-sdk.data-store-types'
+import { HasherSync, Loggers, CredentialRole } from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
 import { v4 as uuidv4 } from 'uuid'
-
 import { OpSession } from '../session'
-import { PEX, Status } from '@sphereon/pex'
-import { computeEntryHash } from '@veramo/utils'
-import { UniqueDigitalCredential } from '@sphereon/ssi-sdk.credential-store'
 import { EventEmitter } from 'events'
 import {
   DidAuthSiopOpAuthenticatorOptions,
@@ -29,14 +15,11 @@ import {
   IRemoveCustomApprovalForSiopArgs,
   IRemoveSiopSessionArgs,
   IRequiredContext,
-  Json,
   LOGGER_NAMESPACE,
   RequiredContext,
   SelectableCredentialsMap,
   Siopv2AuthorizationResponseData,
-  VerifiableCredentialsWithDefinition,
 } from '../types'
-
 import {
   AddIdentityArgs,
   CreateConfigArgs,
@@ -51,7 +34,6 @@ import {
   Siopv2Machine as Siopv2MachineId,
   Siopv2MachineInstanceOpts,
 } from '../types'
-import { DcqlCredential, DcqlPresentation, DcqlQuery, DcqlSdJwtVcCredential } from 'dcql'
 import { Siopv2Machine } from '../machine/Siopv2Machine'
 import { getSelectableCredentials, siopSendAuthorizationResponse, translateCorrelationIdToName } from '../services/Siopv2MachineService'
 import { schema } from '..'
@@ -104,7 +86,7 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
     this.hasher = hasher
     this.onContactIdentityCreated = onContactIdentityCreated
     this.onIdentifierCreated = onIdentifierCreated
-    this.presentationSignCallback = presentationSignCallback
+    this.presentationSignCallback = presentationSignCallback // TODO do we still need this?
     this.sessions = new Map<string, OpSession>()
     this.customApprovals = customApprovals
   }
@@ -232,9 +214,9 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
       (args.url.includes('request_uri')
         ? decodeURIComponent(args.url.split('?request_uri=')[1].trim())
         : (verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id))
-    const uri: URL | undefined = url.includes('://') ? new URL(url) : undefined
+    const uri: URL | undefined = url?.includes('://') ? new URL(url) : undefined
     const correlationId: string = uri?.hostname ?? (await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context))
-    const clientId: string | undefined = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty<string>('client_id')
+    const clientId: string | undefined = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty<string>('client_id')
 
     return {
       issuer: verifiedAuthorizationRequest.issuer,
@@ -243,13 +225,6 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
       uri,
       name: clientName,
       clientId,
-      presentationDefinitions:
-        (await verifiedAuthorizationRequest.authorizationRequest.containsResponseType('vp_token')) ||
-        (verifiedAuthorizationRequest.versions.every((version) => version <= SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) &&
-          verifiedAuthorizationRequest.presentationDefinitions &&
-          verifiedAuthorizationRequest.presentationDefinitions.length > 0)
-          ? verifiedAuthorizationRequest.presentationDefinitions
-          : undefined,
       dcqlQuery: verifiedAuthorizationRequest.dcqlQuery,
     }
   }
@@ -349,87 +324,14 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
       return Promise.reject(Error('Missing authorization request data in context'))
     }
 
-    const pex = new PEX({ hasher: this.hasher })
-    const verifiableCredentialsWithDefinition: Array<VerifiableCredentialsWithDefinition> = []
-    const dcqlCredentialsWithCredentials: Map<DcqlCredential, UniqueDigitalCredential> = new Map()
-
-    if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
-      try {
-        authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
-          const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(
-            presentationDefinition.definition,
-            selectedCredentials.map((udc) => udc.originalVerifiableCredential!),
-          )
-
-          if (areRequiredCredentialsPresent !== Status.ERROR && verifiableCredentials) {
-            let uniqueDigitalCredentials: UniqueDigitalCredential[] = []
-            uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
-              // @ts-ignore FIXME Funke
-              const hash = typeof vc === 'string' ? computeEntryHash(vc.split('~'[0])) : computeEntryHash(vc)
-              const udc = selectedCredentials.find((udc) => udc.hash == hash || udc.originalVerifiableCredential == vc)
-
-              if (!udc) {
-                throw Error(
-                  `UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`,
-                )
-              }
-              return udc
-            })
-            verifiableCredentialsWithDefinition.push({
-              definition: presentationDefinition,
-              credentials: uniqueDigitalCredentials,
-            })
-          }
-        })
-      } catch (e) {
-        return Promise.reject(e)
-      }
-
-      if (verifiableCredentialsWithDefinition.length === 0) {
-        return Promise.reject(Error('None of the selected credentials match any of the presentation definitions.'))
-      }
-    } else if (authorizationRequestData.dcqlQuery) {
-      //TODO Only SD-JWT and MSO MDOC are supported at the moment
-      if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
-        try {
-          selectedCredentials.forEach((vc) => {
-            if (this.isSdJwtCredential(vc)) {
-              const payload = (vc.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).decodedPayload
-              const result: DcqlSdJwtVcCredential = {
-                claims: payload as { [x: string]: Json },
-                vct: payload.vct,
-                credential_format: 'vc+sd-jwt',
-              }
-              dcqlCredentialsWithCredentials.set(result, vc)
-              //FIXME MDoc namespaces are incompatible: array of strings vs complex object - https://sphereon.atlassian.net/browse/SPRIND-143
-            } else {
-              throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`)
-            }
-          })
-        } catch (e) {
-          return Promise.reject(e)
-        }
-
-        const dcqlPresentationRecord: DcqlPresentation.Output = {}
-        const queryResult = DcqlQuery.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()))
-        for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-          if (value.success) {
-            dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output)!) as
-              | string
-              | { [x: string]: Json }
-          }
-        }
-      }
-    }
-
     const response = await siopSendAuthorizationResponse(
       ConnectionType.SIOPv2_OpenID4VP,
       {
         sessionId: didAuthConfig.sessionId,
         ...(args.idOpts && { idOpts: args.idOpts }),
-        ...(authorizationRequestData.presentationDefinitions !== undefined && { verifiableCredentialsWithDefinition }),
         isFirstParty,
         hasher: this.hasher,
+        credentials: selectedCredentials,
       },
       context,
     )
@@ -449,50 +351,13 @@ export class DidAuthSiopOpAuthenticator implements IAgentPlugin {
     }
   }
 
-  private hasMDocCredentials = (credentials: UniqueDigitalCredential[]): boolean => {
-    return credentials.some(this.isMDocCredential)
-  }
-
-  private isMDocCredential = (credential: UniqueDigitalCredential) => {
-    return (
-      credential.digitalCredential.documentFormat === CredentialDocumentFormat.MSO_MDOC &&
-      credential.digitalCredential.documentType === DocumentType.VC
-    )
-  }
-
-  private hasSdJwtCredentials = (credentials: UniqueDigitalCredential[]): boolean => {
-    return credentials.some(this.isSdJwtCredential)
-  }
-
-  private isSdJwtCredential = (credential: UniqueDigitalCredential) => {
-    return (
-      credential.digitalCredential.documentFormat === CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === DocumentType.VC
-    )
-  }
-
-  private retrieveEncodedCredential = (credential: UniqueDigitalCredential) => {
-    return credential.originalVerifiableCredential !== undefined &&
-      credential.originalVerifiableCredential !== null &&
-      (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== undefined &&
-      (credential?.originalVerifiableCredential as SdJwtDecodedVerifiableCredential)?.compactSdJwtVc !== null
-      ? (credential.originalVerifiableCredential as SdJwtDecodedVerifiableCredential).compactSdJwtVc
-      : credential.originalVerifiableCredential
-  }
-
   private async siopGetSelectableCredentials(args: GetSelectableCredentialsArgs, context: RequiredContext): Promise<SelectableCredentialsMap> {
     const { authorizationRequestData } = args
 
-    if (
-      !authorizationRequestData ||
-      !authorizationRequestData.presentationDefinitions ||
-      authorizationRequestData.presentationDefinitions.length === 0
-    ) {
-      return Promise.reject(Error('Missing required fields in arguments or context'))
-    }
-    if (authorizationRequestData.presentationDefinitions.length > 1) {
-      return Promise.reject(Error('Multiple presentation definitions present'))
+    if (!authorizationRequestData?.dcqlQuery) {
+      return Promise.reject(Error('Missing required dcql query in context'))
     }
 
-    return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context)
+    return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context)
   }
 }

package/src/index.ts

@@ -1,7 +1,7 @@
 /**
  * @public
  */
-const schema = require('../plugin.schema.json')
+import schema from '../plugin.schema.json'
 export { schema }
 export { DidAuthSiopOpAuthenticator, didAuthSiopOpAuthenticatorMethods } from './agent/DidAuthSiopOpAuthenticator'
 export { Siopv2Machine } from './machine/Siopv2Machine'
@@ -9,3 +9,4 @@ export * from './machine/CallbackStateListener'
 export * from './session'
 export * from './types'
 export * from './link-handler'
+export * from './utils/dcql'

package/src/machine/Siopv2Machine.ts

@@ -1,5 +1,5 @@
 import { VerifiedAuthorizationRequest } from '@sphereon/did-auth-siop'
-import { DidAuthConfig, Identity, Party } from '@sphereon/ssi-sdk.data-store'
+import { DidAuthConfig, Identity, Party } from '@sphereon/ssi-sdk.data-store-types'
 import { assign, createMachine, DoneInvokeEvent, interpret } from 'xstate'
 import { translate } from '../localization/Localization'
 import { ErrorDetails } from '../types'
@@ -51,7 +51,7 @@ const Siopv2HasSelectableCredentialsAndContactGuard = (_ctx: Siopv2MachineContex
     throw new Error('Missing contact request data in context')
   }
 
-  return authorizationRequestData.presentationDefinitions !== undefined
+  return authorizationRequestData.dcqlQuery !== undefined
 }
 
 const Siopv2CreateContactGuard = (_ctx: Siopv2MachineContext, _event: Siopv2MachineEventTypes): boolean => {
@@ -67,7 +67,7 @@ const Siopv2HasSelectedRequiredCredentialsGuard = (_ctx: Siopv2MachineContext, _
     throw new Error('Missing authorization request data in context')
   }
 
-  if (authorizationRequestData.presentationDefinitions === undefined || authorizationRequestData.presentationDefinitions.length === 0) {
+  if (authorizationRequestData.dcqlQuery === undefined) {
     throw Error('No presentation definitions present')
   }
 
@@ -87,7 +87,7 @@ const Siopv2IsSiopOnlyGuard = (_ctx: Siopv2MachineContext, _event: Siopv2Machine
     throw new Error('Missing authorization request data in context')
   }
 
-  return authorizationRequestData.presentationDefinitions === undefined
+  return authorizationRequestData.dcqlQuery === undefined
 }
 
 const Siopv2IsSiopWithOID4VPGuard = (_ctx: Siopv2MachineContext, _event: Siopv2MachineEventTypes): boolean => {
@@ -101,7 +101,7 @@ const Siopv2IsSiopWithOID4VPGuard = (_ctx: Siopv2MachineContext, _event: Siopv2M
     throw new Error('Missing selectableCredentialsMap in context')
   }
 
-  return authorizationRequestData.presentationDefinitions !== undefined
+  return authorizationRequestData.dcqlQuery !== undefined
 }
 
 const createSiopv2Machine = (opts: CreateSiopv2MachineOpts): Siopv2StateMachine => {