@sphereon/ssi-sdk.siopv2-oid4vp-rp-auth 0.34.1-fix.171 → 0.34.1-fix.223

package/src/agent/SIOPv2RP.ts

@@ -10,6 +10,8 @@ import {
 } from '@sphereon/did-auth-siop'
 import { getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
 import { shaHasher as defaultHasher } from '@sphereon/ssi-sdk.core'
+import { validate as isValidUUID } from 'uuid'
+import type { ImportDcqlQueryItem } from '@sphereon/ssi-sdk.pd-manager'
 import {
   AdditionalClaims,
   CredentialMapper,
@@ -25,7 +27,7 @@ import {
   SdJwtDecodedVerifiableCredential
 } from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
-import { DcqlPresentation, DcqlQuery } from 'dcql'
+import { DcqlQuery } from 'dcql'
 import {
   IAuthorizationRequestPayloads,
   ICreateAuthRequestArgs,
@@ -84,7 +86,14 @@ export class SIOPv2RP implements IAgentPlugin {
   }
 
   private async createAuthorizationRequestURI(createArgs: ICreateAuthRequestArgs, context: IRequiredContext): Promise<string> {
-    return await this.getRPInstance({ responseRedirectURI: createArgs.responseRedirectURI, ...(createArgs.useQueryIdInstance === true && { queryId: createArgs.queryId } ) }, context)
+    return await this.getRPInstance(
+      {
+        createWhenNotPresent: true,
+        responseRedirectURI: createArgs.responseRedirectURI,
+        ...(createArgs.useQueryIdInstance === true && { queryId: createArgs.queryId } ),
+      },
+      context,
+    )
       .then((rp) => rp.createAuthorizationRequestURI(createArgs, context))
       .then((URI) => URI.encodedUri)
   }
@@ -93,7 +102,7 @@ export class SIOPv2RP implements IAgentPlugin {
     createArgs: ICreateAuthRequestArgs,
     context: IRequiredContext,
   ): Promise<IAuthorizationRequestPayloads> {
-    return await this.getRPInstance({ queryId: createArgs.queryId }, context)
+    return await this.getRPInstance({ createWhenNotPresent: true, queryId: createArgs.queryId }, context)
       .then((rp) => rp.createAuthorizationRequest(createArgs, context))
       .then(async (request) => {
         const authRequest: IAuthorizationRequestPayloads = {
@@ -106,7 +115,7 @@ export class SIOPv2RP implements IAgentPlugin {
   }
 
   private async siopGetRequestState(args: IGetAuthRequestStateArgs, context: IRequiredContext): Promise<AuthorizationRequestState | undefined> {
-    return await this.getRPInstance({ queryId: args.queryId }, context).then((rp) =>
+    return await this.getRPInstance({ createWhenNotPresent: false, queryId: args.queryId }, context).then((rp) =>
       rp.get(context).then((rp) =>
         rp.sessionManager.getRequestStateByCorrelationId(args.correlationId, args.errorOnNotFound)
       ),
@@ -117,7 +126,7 @@ export class SIOPv2RP implements IAgentPlugin {
     args: IGetAuthResponseStateArgs,
     context: IRequiredContext,
   ): Promise<AuthorizationResponseStateWithVerifiedData | undefined> {
-    const rpInstance: RPInstance = await this.getRPInstance({ queryId: args.queryId }, context)
+    const rpInstance: RPInstance = await this.getRPInstance({ createWhenNotPresent: false, queryId: args.queryId }, context)
     const authorizationResponseState: AuthorizationResponseState | undefined = await rpInstance
       .get(context)
       .then((rp) => rp.sessionManager.getResponseStateByCorrelationId(args.correlationId, args.errorOnNotFound))
@@ -135,10 +144,8 @@ export class SIOPv2RP implements IAgentPlugin {
         hasher = defaultHasher
       }
 
-
+      // FIXME SSISDK-64 currently assuming that all vp tokens are or type EncodedDcqlPresentationVpToken as we only work with DCQL now. But the types still indicate it can be another type of vp token
       const vpToken = responseState.response.payload.vp_token && JSON.parse(responseState.response.payload.vp_token as EncodedDcqlPresentationVpToken)
-      const xx = DcqlPresentation.parse(vpToken)
-      console.log(`IS DCQL PRESENTATION: ${JSON.stringify(xx)}`)
       const claims = []
       for (const [key, value] of Object.entries(vpToken)) {
         // todo this should also include mdl-mdoc
@@ -223,7 +230,7 @@ export class SIOPv2RP implements IAgentPlugin {
     if (args.state !== 'authorization_request_created') {
       throw Error(`Only 'authorization_request_created' status is supported for this method at this point`)
     }
-    return await this.getRPInstance({ queryId: args.queryId }, context)
+    return await this.getRPInstance({ createWhenNotPresent: false, queryId: args.queryId }, context)
       // todo: In the SIOP library we need to update the signal method to be more like this method
       .then((rp) =>
         rp.get(context).then(async (rp) => {
@@ -237,7 +244,7 @@ export class SIOPv2RP implements IAgentPlugin {
   }
 
   private async siopDeleteState(args: IGetAuthResponseStateArgs, context: IRequiredContext): Promise<boolean> {
-    return await this.getRPInstance({ queryId: args.queryId }, context)
+    return await this.getRPInstance({ createWhenNotPresent: false, queryId: args.queryId }, context)
       .then((rp) => rp.get(context).then((rp) => rp.sessionManager.deleteStateForCorrelationId(args.correlationId)))
       .then(() => true)
   }
@@ -250,45 +257,30 @@ export class SIOPv2RP implements IAgentPlugin {
       typeof args.authorizationResponse === 'string'
         ? (decodeUriAsJson(args.authorizationResponse) as AuthorizationResponsePayload)
         : args.authorizationResponse
-    return await this.getRPInstance({ queryId: args.queryId }, context).then((rp) =>
+    return await this.getRPInstance({ createWhenNotPresent: false, queryId: args.queryId }, context).then((rp) =>
       rp.get(context).then((rp) =>
         rp.verifyAuthorizationResponse(authResponse, {
           correlationId: args.correlationId,
-          ...(args.dcqlQueryPayload ? { dcqlQuery: args.dcqlQueryPayload.dcqlQuery } : {}),
-          audience: args.audience,
+            ...(args.dcqlQuery && { dcqlQuery: args.dcqlQuery }),
+            audience: args.audience,
         }),
       ),
     )
   }
 
   private async siopImportDefinitions(args: ImportDefinitionsArgs, context: IRequiredContext): Promise<void> {
-    const { queries, tenantId, version, versionControlMode } = args
+    const { importItems, tenantId, version, versionControlMode } = args
     await Promise.all(
-      queries.map(async (definitionPair) => {
-        const definitionPayload = definitionPair.definitionPayload
-        if (!definitionPayload && !definitionPair.dcqlPayload) {
-          return Promise.reject(Error('Either dcqlPayload or definitionPayload must be suppplied'))
-        }
-
-        let definitionId: string
-        if (definitionPair.dcqlPayload) {
-          DcqlQuery.validate(definitionPair.dcqlPayload.dcqlQuery)
-          console.log(`persisting DCQL definition ${definitionPair.dcqlPayload.queryId} with versionControlMode ${versionControlMode}`)
-          definitionId = definitionPair.dcqlPayload.queryId
-        }
-        if (definitionPayload) {
-          await context.agent.pexValidateDefinition({ definition: definitionPayload })
-          console.log(`persisting PEX definition ${definitionPayload.id} / ${definitionPayload.name} with versionControlMode ${versionControlMode}`)
-          definitionId = definitionPayload.id
-        }
+      importItems.map(async (importItem: ImportDcqlQueryItem) => {
+        DcqlQuery.validate(importItem.query)
+        console.log(`persisting DCQL definition ${importItem.queryId} with versionControlMode ${versionControlMode}`)
 
         return context.agent.pdmPersistDefinition({
           definitionItem: {
-            definitionId: definitionId!,
+            queryId: importItem.queryId!,
             tenantId: tenantId,
             version: version,
-            definitionPayload,
-            dcqlPayload: definitionPair.dcqlPayload,
+            query: importItem.query,
           },
           opts: { versionControlMode: versionControlMode },
         })
@@ -312,9 +304,36 @@ export class SIOPv2RP implements IAgentPlugin {
     return undefined
   }
 
-  async getRPInstance({ queryId, responseRedirectURI }: ISiopRPInstanceArgs, context: IRequiredContext): Promise<RPInstance> {
-    const instanceId = queryId ?? SIOPv2RP._DEFAULT_OPTS_KEY
-    if (!this.instances.has(instanceId)) {
+  async getRPInstance({ createWhenNotPresent, queryId, responseRedirectURI }: ISiopRPInstanceArgs, context: IRequiredContext): Promise<RPInstance> {
+    let rpInstanceId: string = SIOPv2RP._DEFAULT_OPTS_KEY
+    let rpInstance: RPInstance | undefined
+    if (queryId) {
+      if (this.instances.has(queryId)) {
+        rpInstanceId = queryId
+        rpInstance = this.instances.get(rpInstanceId)!
+      } else if (isValidUUID(queryId)) {
+        try {
+          // Check whether queryId is actually the PD item id
+          const pd = await context.agent.pdmGetDefinition({ itemId: queryId })
+          if (this.instances.has(pd.queryId)) {
+            rpInstanceId = pd.queryId
+            rpInstance = this.instances.get(rpInstanceId)!
+          }
+        } catch (ignore) {}
+      }
+      if (createWhenNotPresent) {
+        rpInstanceId = queryId
+      } else {
+        rpInstance = this.instances.get(rpInstanceId)
+      }
+    } else {
+      rpInstance = this.instances.get(rpInstanceId)
+    }
+
+    if (!rpInstance) {
+      if (!createWhenNotPresent) {
+        return Promise.reject(`No RP instance found for key ${rpInstanceId}`)
+      }
       const instanceOpts = this.getInstanceOpts(queryId)
       const rpOpts = await this.getRPOptions(context, { queryId, responseRedirectURI: responseRedirectURI })
       if (!rpOpts.identifierOpts.resolveOpts?.resolver || typeof rpOpts.identifierOpts.resolveOpts.resolver.resolve !== 'function') {
@@ -329,9 +348,9 @@ export class SIOPv2RP implements IAgentPlugin {
           resolverResolution: true,
         })
       }
-      this.instances.set(instanceId, new RPInstance({ rpOpts, pexOpts: instanceOpts }))
+      rpInstance = new RPInstance({ rpOpts, pexOpts: instanceOpts })
+      this.instances.set(rpInstanceId, rpInstance)
     }
-    const rpInstance = this.instances.get(instanceId)!
     if (responseRedirectURI) {
       rpInstance.rpOptions.responseRedirectUri = responseRedirectURI
     }
@@ -373,22 +392,22 @@ export class SIOPv2RP implements IAgentPlugin {
     return options
   }
 
-  getInstanceOpts(definitionId?: string): IPEXInstanceOptions | undefined {
+  getInstanceOpts(queryId?: string): IPEXInstanceOptions | undefined {
     if (!this.opts.instanceOpts) return undefined
 
-    const instanceOpt = definitionId ? this.opts.instanceOpts.find((i) => i.queryId === definitionId) : undefined
+    const instanceOpt = queryId ? this.opts.instanceOpts.find((i) => i.queryId === queryId) : undefined
 
-    return instanceOpt ?? this.getDefaultOptions(definitionId)
+    return instanceOpt ?? this.getDefaultOptions(queryId)
   }
 
-  private getDefaultOptions(definitionId: string | undefined) {
+  private getDefaultOptions(queryId: string | undefined) {
     if (!this.opts.instanceOpts) return undefined
 
     const defaultOptions = this.opts.instanceOpts.find((i) => i.queryId === 'default')
     if (defaultOptions) {
       const clonedOptions = { ...defaultOptions }
-      if (definitionId !== undefined) {
-        clonedOptions.queryId = definitionId
+      if (queryId !== undefined) {
+        clonedOptions.queryId = queryId
       }
       return clonedOptions
     }

package/src/functions.ts

@@ -1,6 +1,7 @@
 import {
   ClientIdentifierPrefix,
   ClientMetadataOpts,
+  DcqlQueryLookupCallback,
   InMemoryRPSessionManager,
   PassBy,
   PresentationVerificationCallback,
@@ -14,7 +15,7 @@ import {
   Scope,
   SubjectType,
   SupportedVersion,
-  VerifyJwtCallback
+  VerifyJwtCallback,
 } from '@sphereon/did-auth-siop'
 import { CreateJwtCallback, JwtHeader, JwtIssuer, JwtPayload, SigningAlgo } from '@sphereon/oid4vc-common'
 import { IPresentationDefinition } from '@sphereon/pex'
@@ -28,18 +29,13 @@ import {
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
 import { JwtCompactResult } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { IVerifySdJwtPresentationResult } from '@sphereon/ssi-sdk.sd-jwt'
-import {
-  CredentialMapper,
-  HasherSync,
-  OriginalVerifiableCredential,
-  PresentationSubmission
-} from '@sphereon/ssi-types'
+import { CredentialMapper, HasherSync, OriginalVerifiableCredential, PresentationSubmission } from '@sphereon/ssi-types'
 import { IVerifyCallbackArgs, IVerifyCredentialResult, VerifyCallback } from '@sphereon/wellknown-dids-client'
 import { TKeyType } from '@veramo/core'
 import { JWTVerifyOptions } from 'did-jwt'
 import { Resolvable } from 'did-resolver'
 import { EventEmitter } from 'events'
-import { IPEXOptions, IRequiredContext, IRPOptions, ISIOPIdentifierOptions } from './types/ISIOPv2RP'
+import { IRequiredContext, IRPOptions, ISIOPIdentifierOptions } from './types/ISIOPv2RP'
 import { DcqlQuery } from 'dcql'
 import { defaultHasher } from '@sphereon/ssi-sdk.core'
 
@@ -47,7 +43,7 @@ export function getRequestVersion(rpOptions: IRPOptions): SupportedVersion {
   if (Array.isArray(rpOptions.supportedVersions) && rpOptions.supportedVersions.length > 0) {
     return rpOptions.supportedVersions[0]
   }
-  return SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1
+  return SupportedVersion.OID4VP_v1
 }
 
 function getWellKnownDIDVerifyCallback(siopIdentifierOpts: ISIOPIdentifierOptions, context: IRequiredContext) {
@@ -62,6 +58,31 @@ function getWellKnownDIDVerifyCallback(siopIdentifierOpts: ISIOPIdentifierOption
       }
 }
 
+export function getDcqlQueryLookupCallback(context: IRequiredContext): DcqlQueryLookupCallback {
+  async function dcqlQueryLookup(queryId: string, version?: string, tenantId?: string): Promise<DcqlQuery> {
+    // TODO Add caching?
+    const result = await context.agent.pdmGetDefinitions({
+      filter: [
+        {
+          queryId,
+          ...(tenantId && { tenantId }),
+          ...(version && { version }),
+        },
+        {
+          id: queryId,
+        },
+      ],
+    })
+    if (result && result.length > 0) {
+      return result[0].query
+    }
+
+    return Promise.reject(Error(`No dcql query found for queryId ${queryId}`))
+  }
+
+  return dcqlQueryLookup
+}
+
 export function getPresentationVerificationCallback(
   idOpts: ManagedIdentifierOptsOrResult,
   context: IRequiredContext,
@@ -72,7 +93,7 @@ export function getPresentationVerificationCallback(
   ): Promise<PresentationVerificationResult> {
     if (CredentialMapper.isSdJwtEncoded(args)) {
       const result: IVerifySdJwtPresentationResult = await context.agent.verifySdJwtPresentation({
-        presentation: args
+        presentation: args,
       })
       // fixme: investigate the correct way to handle this
       return { verified: !!result.payload }
@@ -106,34 +127,11 @@ export function getPresentationVerificationCallback(
 
 export async function createRPBuilder(args: {
   rpOpts: IRPOptions
-  pexOpts?: IPEXOptions | undefined
   definition?: IPresentationDefinition
-  dcql?: DcqlQuery
   context: IRequiredContext
 }): Promise<RPBuilder> {
-  const { rpOpts, pexOpts, context } = args
+  const { rpOpts, context } = args
   const { identifierOpts } = rpOpts
-  let definition: IPresentationDefinition | undefined = args.definition
-  let dcqlQuery: DcqlQuery | undefined = args.dcql
-
-  if (!definition && pexOpts && pexOpts.queryId) {
-    const presentationDefinitionItems = await context.agent.pdmGetDefinitions({
-      filter: [
-        {
-          definitionId: pexOpts.queryId,
-          version: pexOpts.version,
-          tenantId: pexOpts.tenantId,
-        },
-      ],
-    })
-
-    if (presentationDefinitionItems.length > 0) {
-      const presentationDefinitionItem = presentationDefinitionItems[0]
-      if (!dcqlQuery && presentationDefinitionItem.dcqlPayload) {
-        dcqlQuery = presentationDefinitionItem.dcqlPayload.dcqlQuery as DcqlQuery // cast from DcqlQueryREST back to valibot DcqlQuery
-      }
-    }
-  }
 
   const didMethods = identifierOpts.supportedDIDMethods ?? (await getAgentDIDMethods(context))
   const eventEmitter = rpOpts.eventEmitter ?? new EventEmitter()
@@ -173,9 +171,7 @@ export async function createRPBuilder(args: {
     .withResponseMode(rpOpts.responseMode ?? ResponseMode.POST)
     .withResponseType(ResponseType.VP_TOKEN, PropertyTarget.REQUEST_OBJECT)
     // todo: move to options fill/correct method
-    .withSupportedVersions(
-      rpOpts.supportedVersions ?? [SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1, SupportedVersion.SIOPv2_ID1, SupportedVersion.SIOPv2_D11],
-    )
+    .withSupportedVersions(rpOpts.supportedVersions ?? [SupportedVersion.OID4VP_v1, SupportedVersion.SIOPv2_OID4VP_D28])
 
     .withEventEmitter(eventEmitter)
     .withSessionManager(rpOpts.sessionManager ?? new InMemoryRPSessionManager(eventEmitter))
@@ -194,6 +190,7 @@ export async function createRPBuilder(args: {
             context,
           ),
     )
+    .withDcqlQueryLookup(getDcqlQueryLookupCallback(context))
     .withRevocationVerification(RevocationVerification.NEVER)
     .withPresentationVerification(getPresentationVerificationCallback(identifierOpts.idOpts, context))
 
@@ -202,7 +199,10 @@ export async function createRPBuilder(args: {
     builder.withEntityId(oidfOpts.identifier, PropertyTarget.REQUEST_OBJECT)
   } else {
     const resolution = await context.agent.identifierManagedGet(identifierOpts.idOpts)
-    const clientId: string = rpOpts.clientMetadataOpts?.client_id ?? resolution.issuer ?? (isManagedIdentifierDidResult(resolution) ? resolution.did : resolution.jwkThumbprint)
+    const clientId: string =
+      rpOpts.clientMetadataOpts?.client_id ??
+      resolution.issuer ??
+      (isManagedIdentifierDidResult(resolution) ? resolution.did : resolution.jwkThumbprint)
     const clientIdPrefixed = prefixClientId(clientId)
     builder.withClientId(clientIdPrefixed, PropertyTarget.REQUEST_OBJECT)
   }
@@ -218,10 +218,6 @@ export async function createRPBuilder(args: {
   //fixme: this has been removed in the new version of did-auth-siop
   // builder.withWellknownDIDVerifyCallback(getWellKnownDIDVerifyCallback(didOpts, context))
 
-  if (dcqlQuery) {
-    builder.withDcqlQuery(dcqlQuery)
-  }
-
   if (rpOpts.responseRedirectUri) {
     builder.withResponseRedirectUri(rpOpts.responseRedirectUri)
   }
@@ -306,8 +302,8 @@ export function getSigningAlgo(type: TKeyType): SigningAlgo {
 export function prefixClientId(clientId: string): string {
   // FIXME SSISDK-60
   if (clientId.startsWith('did:')) {
-    return `${ClientIdentifierPrefix.DECENTRALIZED_IDENTIFIER}:${clientId}`;
+    return `${ClientIdentifierPrefix.DECENTRALIZED_IDENTIFIER}:${clientId}`
   }
 
-  return clientId;
+  return clientId
 }

package/src/types/ISIOPv2RP.ts

@@ -24,23 +24,17 @@ import { ExternalIdentifierOIDFEntityIdOpts, IIdentifierResolution, ManagedIdent
 import { IJwtService } from '@sphereon/ssi-sdk-ext.jwt-service'
 import { ICredentialValidation, SchemaValidation } from '@sphereon/ssi-sdk.credential-validation'
 import { ImDLMdoc } from '@sphereon/ssi-sdk.mdl-mdoc'
-import { IPDManager, VersionControlMode } from '@sphereon/ssi-sdk.pd-manager'
+import { ImportDcqlQueryItem, IPDManager, VersionControlMode } from '@sphereon/ssi-sdk.pd-manager'
 import { IPresentationExchange } from '@sphereon/ssi-sdk.presentation-exchange'
 import { ISDJwtPlugin } from '@sphereon/ssi-sdk.sd-jwt'
 import { AuthorizationRequestStateStatus } from '@sphereon/ssi-sdk.siopv2-oid4vp-common'
-import { DcqlQueryPayload, HasherSync } from '@sphereon/ssi-types'
+import { HasherSync } from '@sphereon/ssi-types'
 import { VerifyCallback } from '@sphereon/wellknown-dids-client'
 import { IAgentContext, ICredentialVerifier, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'
-
+import { DcqlQuery } from 'dcql'
 import { Resolvable } from 'did-resolver'
 import { EventEmitter } from 'events'
 
-export enum VerifiedDataMode {
-  NONE = 'none',
-  VERIFIED_PRESENTATION = 'vp',
-  CREDENTIAL_SUBJECT_FLATTENED = 'cs-flat',
-}
-
 export interface ISIOPv2RP extends IPluginMethodMap {
   siopCreateAuthRequestURI(createArgs: ICreateAuthRequestArgs, context: IRequiredContext): Promise<string>
   siopCreateAuthRequestPayloads(createArgs: ICreateAuthRequestArgs, context: IRequiredContext): Promise<IAuthorizationRequestPayloads>
@@ -89,7 +83,6 @@ export interface IGetAuthResponseStateArgs {
   queryId?: string
   errorOnNotFound?: boolean
   progressRequestStateTo?: AuthorizationRequestStateStatus
-  //includeVerifiedData?: VerifiedDataMode
 }
 
 export interface IUpdateRequestStateArgs {
@@ -109,16 +102,10 @@ export interface IVerifyAuthResponseStateArgs {
   queryId?: string
   correlationId: string
   audience?: string
-  dcqlQueryPayload?: DcqlQueryPayload
-}
-
-export interface IDefinitionPair {
-  definitionPayload?: IPresentationDefinition
-  dcqlPayload?: DcqlQueryPayload
+  dcqlQuery?: DcqlQuery
 }
-
 export interface ImportDefinitionsArgs {
-  queries: Array<IDefinitionPair>
+  importItems: Array<ImportDcqlQueryItem>
   tenantId?: string
   version?: string
   versionControlMode?: VersionControlMode
@@ -142,11 +129,12 @@ export interface IPEXDefinitionPersistArgs extends IPEXInstanceOptions {
 }
 
 export interface ISiopRPInstanceArgs {
+  createWhenNotPresent: boolean
   queryId?: string
   responseRedirectURI?: string
 }
 
-export interface IPEXInstanceOptions extends IPEXOptions {
+export interface IPEXInstanceOptions extends IPresentationOptions {
   rpOpts?: IRPOptions
 }
 
@@ -164,12 +152,9 @@ export interface IRPOptions {
   responseRedirectUri?: string
 }
 
-export interface IPEXOptions {
-  presentationVerifyCallback?: PresentationVerificationCallback
-  // definition?: IPresentationDefinition
+export interface IPresentationOptions {
   queryId: string
-  version?: string
-  tenantId?: string
+  presentationVerifyCallback?: PresentationVerificationCallback
 }
 
 export type VerificationPolicies = {