@sphereon/ssi-sdk.siopv2-oid4vp-rp-auth 0.34.1-fix.171 → 0.34.1-fix.182

package/src/agent/SIOPv2RP.ts

@@ -5,11 +5,11 @@ import {
   AuthorizationResponseStateStatus,
   AuthorizationResponseStateWithVerifiedData,
   decodeUriAsJson,
-  EncodedDcqlPresentationVpToken,
-  VerifiedAuthorizationResponse
+  VerifiedAuthorizationResponse,
 } from '@sphereon/did-auth-siop'
 import { getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
 import { shaHasher as defaultHasher } from '@sphereon/ssi-sdk.core'
+import type { ImportDcqlQueryItem } from '@sphereon/ssi-sdk.pd-manager'
 import {
   AdditionalClaims,
   CredentialMapper,
@@ -22,10 +22,10 @@ import {
   MdocDeviceResponse,
   MdocOid4vpMdocVpToken,
   OriginalVerifiablePresentation,
-  SdJwtDecodedVerifiableCredential
+  SdJwtDecodedVerifiableCredential,
 } from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
-import { DcqlPresentation, DcqlQuery } from 'dcql'
+import { DcqlQuery } from 'dcql'
 import {
   IAuthorizationRequestPayloads,
   ICreateAuthRequestArgs,
@@ -41,7 +41,8 @@ import {
   ISiopv2RPOpts,
   IUpdateRequestStateArgs,
   IVerifyAuthResponseStateArgs,
-  schema
+  schema,
+  VerifiedDataMode,
 } from '../index'
 import { RPInstance } from '../RPInstance'
 import { ISIOPv2RP } from '../types/ISIOPv2RP'
@@ -84,7 +85,10 @@ export class SIOPv2RP implements IAgentPlugin {
   }
 
   private async createAuthorizationRequestURI(createArgs: ICreateAuthRequestArgs, context: IRequiredContext): Promise<string> {
-    return await this.getRPInstance({ responseRedirectURI: createArgs.responseRedirectURI, ...(createArgs.useQueryIdInstance === true && { queryId: createArgs.queryId } ) }, context)
+    return await this.getRPInstance(
+      { responseRedirectURI: createArgs.responseRedirectURI, ...(createArgs.useQueryIdInstance === true && { queryId: createArgs.queryId }) },
+      context,
+    )
       .then((rp) => rp.createAuthorizationRequestURI(createArgs, context))
       .then((URI) => URI.encodedUri)
   }
@@ -107,9 +111,7 @@ export class SIOPv2RP implements IAgentPlugin {
 
   private async siopGetRequestState(args: IGetAuthRequestStateArgs, context: IRequiredContext): Promise<AuthorizationRequestState | undefined> {
     return await this.getRPInstance({ queryId: args.queryId }, context).then((rp) =>
-      rp.get(context).then((rp) =>
-        rp.sessionManager.getRequestStateByCorrelationId(args.correlationId, args.errorOnNotFound)
-      ),
+      rp.get(context).then((rp) => rp.sessionManager.getRequestStateByCorrelationId(args.correlationId, args.errorOnNotFound)),
     )
   }
 
@@ -126,7 +128,11 @@ export class SIOPv2RP implements IAgentPlugin {
     }
 
     const responseState = authorizationResponseState as AuthorizationResponseStateWithVerifiedData
-    if (responseState.status === AuthorizationResponseStateStatus.VERIFIED) {
+    if (
+      responseState.status === AuthorizationResponseStateStatus.VERIFIED &&
+      args.includeVerifiedData &&
+      args.includeVerifiedData !== VerifiedDataMode.NONE
+    ) {
       let hasher: HasherSync | undefined
       if (
         CredentialMapper.isSdJwtEncoded(responseState.response.payload.vp_token as OriginalVerifiablePresentation) &&
@@ -134,25 +140,19 @@ export class SIOPv2RP implements IAgentPlugin {
       ) {
         hasher = defaultHasher
       }
-
-
-      const vpToken = responseState.response.payload.vp_token && JSON.parse(responseState.response.payload.vp_token as EncodedDcqlPresentationVpToken)
-      const xx = DcqlPresentation.parse(vpToken)
-      console.log(`IS DCQL PRESENTATION: ${JSON.stringify(xx)}`)
-      const claims = []
-      for (const [key, value] of Object.entries(vpToken)) {
-        // todo this should also include mdl-mdoc
-        const presentationDecoded = CredentialMapper.decodeVerifiablePresentation(
-          value as OriginalVerifiablePresentation,
-          //todo: later we want to conditionally pass in options for mdl-mdoc here
-          hasher,
-        )
-        console.log(`presentationDecoded: ${JSON.stringify(presentationDecoded)}`)
-
-        const allClaims: AdditionalClaims = {}
-        const presentationOrClaims = this.presentationOrClaimsFrom(presentationDecoded)
-        if ('verifiableCredential' in presentationOrClaims) {
-          for (const credential of presentationOrClaims.verifiableCredential) {
+      // todo this should also include mdl-mdoc
+      const presentationDecoded = CredentialMapper.decodeVerifiablePresentation(
+        responseState.response.payload.vp_token as OriginalVerifiablePresentation,
+        //todo: later we want to conditionally pass in options for mdl-mdoc here
+        hasher,
+      )
+      switch (args.includeVerifiedData) {
+        case VerifiedDataMode.VERIFIED_PRESENTATION:
+          responseState.response.payload.verifiedData = this.presentationOrClaimsFrom(presentationDecoded)
+          break
+        case VerifiedDataMode.CREDENTIAL_SUBJECT_FLATTENED: // TODO debug cs-flat for SD-JWT
+          const allClaims: AdditionalClaims = {}
+          for (const credential of this.presentationOrClaimsFrom(presentationDecoded).verifiableCredential || []) {
             const vc = credential as IVerifiableCredential
             const schemaValidationResult = await context.agent.cvVerifySchema({
               credential,
@@ -175,34 +175,11 @@ export class SIOPv2RP implements IAgentPlugin {
                 allClaims[key] = value
               }
             })
-
-            claims.push({
-              id: key,
-              type: vc.type[0],
-              claims: allClaims
-            })
           }
-        } else {
-          claims.push({
-            id: key,
-            type: (presentationDecoded as SdJwtDecodedVerifiableCredential).decodedPayload.vct,
-            claims: presentationOrClaims
-          })
-        }
-      }
-
-      responseState.verifiedData = {
-        ...(responseState.response.payload.vp_token && {
-          authorization_response: {
-            vp_token: typeof responseState.response.payload.vp_token === 'string'
-                ? JSON.parse(responseState.response.payload.vp_token)
-                : responseState.response.payload.vp_token
-          }
-        }),
-        ...(claims.length > 0 && { credential_claims: claims })
+          responseState.verifiedData = allClaims
+          break
       }
     }
-
     return responseState
   }
 
@@ -212,12 +189,11 @@ export class SIOPv2RP implements IAgentPlugin {
       | IVerifiablePresentation
       | SdJwtDecodedVerifiableCredential
       | MdocOid4vpMdocVpToken
-      | MdocDeviceResponse
-  ): AdditionalClaims | IPresentation => {
-    return CredentialMapper.isSdJwtDecodedCredential(presentationDecoded)
+      | MdocDeviceResponse,
+  ): AdditionalClaims | IPresentation =>
+    CredentialMapper.isSdJwtDecodedCredential(presentationDecoded)
       ? presentationDecoded.decodedPayload
       : CredentialMapper.toUniformPresentation(presentationDecoded as OriginalVerifiablePresentation)
-  }
 
   private async siopUpdateRequestState(args: IUpdateRequestStateArgs, context: IRequiredContext): Promise<AuthorizationRequestState> {
     if (args.state !== 'authorization_request_created') {
@@ -254,7 +230,7 @@ export class SIOPv2RP implements IAgentPlugin {
       rp.get(context).then((rp) =>
         rp.verifyAuthorizationResponse(authResponse, {
           correlationId: args.correlationId,
-          ...(args.dcqlQueryPayload ? { dcqlQuery: args.dcqlQueryPayload.dcqlQuery } : {}),
+          ...(args.dcqlQuery ? { dcqlQuery: args.dcqlQuery } : {}),
           audience: args.audience,
         }),
       ),
@@ -262,33 +238,18 @@ export class SIOPv2RP implements IAgentPlugin {
   }
 
   private async siopImportDefinitions(args: ImportDefinitionsArgs, context: IRequiredContext): Promise<void> {
-    const { queries, tenantId, version, versionControlMode } = args
+    const { importItems, tenantId, version, versionControlMode } = args
     await Promise.all(
-      queries.map(async (definitionPair) => {
-        const definitionPayload = definitionPair.definitionPayload
-        if (!definitionPayload && !definitionPair.dcqlPayload) {
-          return Promise.reject(Error('Either dcqlPayload or definitionPayload must be suppplied'))
-        }
-
-        let definitionId: string
-        if (definitionPair.dcqlPayload) {
-          DcqlQuery.validate(definitionPair.dcqlPayload.dcqlQuery)
-          console.log(`persisting DCQL definition ${definitionPair.dcqlPayload.queryId} with versionControlMode ${versionControlMode}`)
-          definitionId = definitionPair.dcqlPayload.queryId
-        }
-        if (definitionPayload) {
-          await context.agent.pexValidateDefinition({ definition: definitionPayload })
-          console.log(`persisting PEX definition ${definitionPayload.id} / ${definitionPayload.name} with versionControlMode ${versionControlMode}`)
-          definitionId = definitionPayload.id
-        }
+      importItems.map(async (importItem: ImportDcqlQueryItem) => {
+        DcqlQuery.validate(importItem.query)
+        console.log(`persisting DCQL definition ${importItem.queryId} with versionControlMode ${versionControlMode}`)
 
         return context.agent.pdmPersistDefinition({
           definitionItem: {
-            definitionId: definitionId!,
+            queryId: importItem.queryId!,
             tenantId: tenantId,
             version: version,
-            definitionPayload,
-            dcqlPayload: definitionPair.dcqlPayload,
+            query: importItem.query,
           },
           opts: { versionControlMode: versionControlMode },
         })

package/src/functions.ts

@@ -28,12 +28,7 @@ import {
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { JwtCompactResult } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { IVerifySdJwtPresentationResult } from '@sphereon/ssi-sdk.sd-jwt'
-import {
-  CredentialMapper,
-  HasherSync,
-  OriginalVerifiableCredential,
-  PresentationSubmission
-} from '@sphereon/ssi-types'
+import { CredentialMapper, HasherSync, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
 import { IVerifyCallbackArgs, IVerifyCredentialResult, VerifyCallback } from '@sphereon/wellknown-dids-client'
 import { TKeyType } from '@veramo/core'
 import { JWTVerifyOptions } from 'did-jwt'
@@ -72,7 +67,7 @@ export function getPresentationVerificationCallback(
   ): Promise<PresentationVerificationResult> {
     if (CredentialMapper.isSdJwtEncoded(args)) {
       const result: IVerifySdJwtPresentationResult = await context.agent.verifySdJwtPresentation({
-        presentation: args
+        presentation: args,
       })
       // fixme: investigate the correct way to handle this
       return { verified: !!result.payload }
@@ -120,7 +115,7 @@ export async function createRPBuilder(args: {
     const presentationDefinitionItems = await context.agent.pdmGetDefinitions({
       filter: [
         {
-          definitionId: pexOpts.queryId,
+          queryId: pexOpts.queryId,
           version: pexOpts.version,
           tenantId: pexOpts.tenantId,
         },
@@ -202,9 +197,11 @@ export async function createRPBuilder(args: {
     builder.withEntityId(oidfOpts.identifier, PropertyTarget.REQUEST_OBJECT)
   } else {
     const resolution = await context.agent.identifierManagedGet(identifierOpts.idOpts)
-    const clientId: string = rpOpts.clientMetadataOpts?.client_id ?? resolution.issuer ?? (isManagedIdentifierDidResult(resolution) ? resolution.did : resolution.jwkThumbprint)
-    const clientIdPrefixed = prefixClientId(clientId)
-    builder.withClientId(clientIdPrefixed, PropertyTarget.REQUEST_OBJECT)
+    const clientId: string = rpOpts.clientMetadataOpts?.client_id ??
+      resolution.issuer ?? (isManagedIdentifierDidResult(resolution) ? resolution.did : resolution.jwkThumbprint)
+     const clientIdPrefixed = prefixClientId(clientId)
+    builder.withClientId(clientIdPrefixed, PropertyTarget.REQUEST_OBJECT
+    )
   }
 
   if (hasher) {

package/src/types/ISIOPv2RP.ts

@@ -24,13 +24,14 @@ import { ExternalIdentifierOIDFEntityIdOpts, IIdentifierResolution, ManagedIdent
 import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { ICredentialValidation, SchemaValidation } from '@sphereon/ssi-sdk.credential-validation'
 import { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'
-import { IPDManager, VersionControlMode } from '@sphereon/ssi-sdk.pd-manager'
+import { ImportDcqlQueryItem, IPDManager, VersionControlMode } from '@sphereon/ssi-sdk.pd-manager'
 import { IPresentationExchange } from '@sphereon/ssi-sdk.presentation-exchange'
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
 import { AuthorizationRequestStateStatus } from '@sphereon/ssi-sdk.siopv2-oid4vp-common'
-import { DcqlQueryPayload, HasherSync } from '@sphereon/ssi-types'
+import { HasherSync } from '@sphereon/ssi-types'
 import { VerifyCallback } from '@sphereon/wellknown-dids-client'
 import { IAgentContext, ICredentialVerifier, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'
+import { DcqlQuery } from 'dcql'
 
 import { Resolvable } from 'did-resolver'
 import { EventEmitter } from 'events'
@@ -89,11 +90,11 @@ export interface IGetAuthResponseStateArgs {
   queryId?: string
   errorOnNotFound?: boolean
   progressRequestStateTo?: AuthorizationRequestStateStatus
-  //includeVerifiedData?: VerifiedDataMode
+  includeVerifiedData?: VerifiedDataMode
 }
 
 export interface IUpdateRequestStateArgs {
-  queryId?: string
+  queryId: string
   correlationId: string
   state: AuthorizationRequestStateStatus
   error?: string
@@ -109,16 +110,10 @@ export interface IVerifyAuthResponseStateArgs {
   queryId?: string
   correlationId: string
   audience?: string
-  dcqlQueryPayload?: DcqlQueryPayload
+  dcqlQuery?: DcqlQuery
 }
-
-export interface IDefinitionPair {
-  definitionPayload?: IPresentationDefinition
-  dcqlPayload?: DcqlQueryPayload
-}
-
 export interface ImportDefinitionsArgs {
-  queries: Array<IDefinitionPair>
+  importItems: Array<ImportDcqlQueryItem>
   tenantId?: string
   version?: string
   versionControlMode?: VersionControlMode