@sphereon/ssi-sdk.siopv2-oid4vp-rp-auth 0.34.1-fix.182 → 0.34.1-fix.223

package/src/agent/SIOPv2RP.ts

@@ -5,10 +5,12 @@ import {
   AuthorizationResponseStateStatus,
   AuthorizationResponseStateWithVerifiedData,
   decodeUriAsJson,
-  VerifiedAuthorizationResponse,
+  EncodedDcqlPresentationVpToken,
+  VerifiedAuthorizationResponse
 } from '@sphereon/did-auth-siop'
 import { getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
 import { shaHasher as defaultHasher } from '@sphereon/ssi-sdk.core'
+import { validate as isValidUUID } from 'uuid'
 import type { ImportDcqlQueryItem } from '@sphereon/ssi-sdk.pd-manager'
 import {
   AdditionalClaims,
@@ -22,7 +24,7 @@ import {
   MdocDeviceResponse,
   MdocOid4vpMdocVpToken,
   OriginalVerifiablePresentation,
-  SdJwtDecodedVerifiableCredential,
+  SdJwtDecodedVerifiableCredential
 } from '@sphereon/ssi-types'
 import { IAgentPlugin } from '@veramo/core'
 import { DcqlQuery } from 'dcql'
@@ -41,8 +43,7 @@ import {
   ISiopv2RPOpts,
   IUpdateRequestStateArgs,
   IVerifyAuthResponseStateArgs,
-  schema,
-  VerifiedDataMode,
+  schema
 } from '../index'
 import { RPInstance } from '../RPInstance'
 import { ISIOPv2RP } from '../types/ISIOPv2RP'
@@ -86,7 +87,11 @@ export class SIOPv2RP implements IAgentPlugin {
 
   private async createAuthorizationRequestURI(createArgs: ICreateAuthRequestArgs, context: IRequiredContext): Promise<string> {
     return await this.getRPInstance(
-      { responseRedirectURI: createArgs.responseRedirectURI, ...(createArgs.useQueryIdInstance === true && { queryId: createArgs.queryId }) },
+      {
+        createWhenNotPresent: true,
+        responseRedirectURI: createArgs.responseRedirectURI,
+        ...(createArgs.useQueryIdInstance === true && { queryId: createArgs.queryId } ),
+      },
       context,
     )
       .then((rp) => rp.createAuthorizationRequestURI(createArgs, context))
@@ -97,7 +102,7 @@ export class SIOPv2RP implements IAgentPlugin {
     createArgs: ICreateAuthRequestArgs,
     context: IRequiredContext,
   ): Promise<IAuthorizationRequestPayloads> {
-    return await this.getRPInstance({ queryId: createArgs.queryId }, context)
+    return await this.getRPInstance({ createWhenNotPresent: true, queryId: createArgs.queryId }, context)
       .then((rp) => rp.createAuthorizationRequest(createArgs, context))
       .then(async (request) => {
         const authRequest: IAuthorizationRequestPayloads = {
@@ -110,8 +115,10 @@ export class SIOPv2RP implements IAgentPlugin {
   }
 
   private async siopGetRequestState(args: IGetAuthRequestStateArgs, context: IRequiredContext): Promise<AuthorizationRequestState | undefined> {
-    return await this.getRPInstance({ queryId: args.queryId }, context).then((rp) =>
-      rp.get(context).then((rp) => rp.sessionManager.getRequestStateByCorrelationId(args.correlationId, args.errorOnNotFound)),
+    return await this.getRPInstance({ createWhenNotPresent: false, queryId: args.queryId }, context).then((rp) =>
+      rp.get(context).then((rp) =>
+        rp.sessionManager.getRequestStateByCorrelationId(args.correlationId, args.errorOnNotFound)
+      ),
     )
   }
 
@@ -119,7 +126,7 @@ export class SIOPv2RP implements IAgentPlugin {
     args: IGetAuthResponseStateArgs,
     context: IRequiredContext,
   ): Promise<AuthorizationResponseStateWithVerifiedData | undefined> {
-    const rpInstance: RPInstance = await this.getRPInstance({ queryId: args.queryId }, context)
+    const rpInstance: RPInstance = await this.getRPInstance({ createWhenNotPresent: false, queryId: args.queryId }, context)
     const authorizationResponseState: AuthorizationResponseState | undefined = await rpInstance
       .get(context)
       .then((rp) => rp.sessionManager.getResponseStateByCorrelationId(args.correlationId, args.errorOnNotFound))
@@ -128,11 +135,7 @@ export class SIOPv2RP implements IAgentPlugin {
     }
 
     const responseState = authorizationResponseState as AuthorizationResponseStateWithVerifiedData
-    if (
-      responseState.status === AuthorizationResponseStateStatus.VERIFIED &&
-      args.includeVerifiedData &&
-      args.includeVerifiedData !== VerifiedDataMode.NONE
-    ) {
+    if (responseState.status === AuthorizationResponseStateStatus.VERIFIED) {
       let hasher: HasherSync | undefined
       if (
         CredentialMapper.isSdJwtEncoded(responseState.response.payload.vp_token as OriginalVerifiablePresentation) &&
@@ -140,19 +143,23 @@ export class SIOPv2RP implements IAgentPlugin {
       ) {
         hasher = defaultHasher
       }
-      // todo this should also include mdl-mdoc
-      const presentationDecoded = CredentialMapper.decodeVerifiablePresentation(
-        responseState.response.payload.vp_token as OriginalVerifiablePresentation,
-        //todo: later we want to conditionally pass in options for mdl-mdoc here
-        hasher,
-      )
-      switch (args.includeVerifiedData) {
-        case VerifiedDataMode.VERIFIED_PRESENTATION:
-          responseState.response.payload.verifiedData = this.presentationOrClaimsFrom(presentationDecoded)
-          break
-        case VerifiedDataMode.CREDENTIAL_SUBJECT_FLATTENED: // TODO debug cs-flat for SD-JWT
-          const allClaims: AdditionalClaims = {}
-          for (const credential of this.presentationOrClaimsFrom(presentationDecoded).verifiableCredential || []) {
+
+      // FIXME SSISDK-64 currently assuming that all vp tokens are or type EncodedDcqlPresentationVpToken as we only work with DCQL now. But the types still indicate it can be another type of vp token
+      const vpToken = responseState.response.payload.vp_token && JSON.parse(responseState.response.payload.vp_token as EncodedDcqlPresentationVpToken)
+      const claims = []
+      for (const [key, value] of Object.entries(vpToken)) {
+        // todo this should also include mdl-mdoc
+        const presentationDecoded = CredentialMapper.decodeVerifiablePresentation(
+          value as OriginalVerifiablePresentation,
+          //todo: later we want to conditionally pass in options for mdl-mdoc here
+          hasher,
+        )
+        console.log(`presentationDecoded: ${JSON.stringify(presentationDecoded)}`)
+
+        const allClaims: AdditionalClaims = {}
+        const presentationOrClaims = this.presentationOrClaimsFrom(presentationDecoded)
+        if ('verifiableCredential' in presentationOrClaims) {
+          for (const credential of presentationOrClaims.verifiableCredential) {
             const vc = credential as IVerifiableCredential
             const schemaValidationResult = await context.agent.cvVerifySchema({
               credential,
@@ -175,11 +182,34 @@ export class SIOPv2RP implements IAgentPlugin {
                 allClaims[key] = value
               }
             })
+
+            claims.push({
+              id: key,
+              type: vc.type[0],
+              claims: allClaims
+            })
+          }
+        } else {
+          claims.push({
+            id: key,
+            type: (presentationDecoded as SdJwtDecodedVerifiableCredential).decodedPayload.vct,
+            claims: presentationOrClaims
+          })
+        }
+      }
+
+      responseState.verifiedData = {
+        ...(responseState.response.payload.vp_token && {
+          authorization_response: {
+            vp_token: typeof responseState.response.payload.vp_token === 'string'
+                ? JSON.parse(responseState.response.payload.vp_token)
+                : responseState.response.payload.vp_token
           }
-          responseState.verifiedData = allClaims
-          break
+        }),
+        ...(claims.length > 0 && { credential_claims: claims })
       }
     }
+
     return responseState
   }
 
@@ -189,17 +219,18 @@ export class SIOPv2RP implements IAgentPlugin {
       | IVerifiablePresentation
       | SdJwtDecodedVerifiableCredential
       | MdocOid4vpMdocVpToken
-      | MdocDeviceResponse,
-  ): AdditionalClaims | IPresentation =>
-    CredentialMapper.isSdJwtDecodedCredential(presentationDecoded)
+      | MdocDeviceResponse
+  ): AdditionalClaims | IPresentation => {
+    return CredentialMapper.isSdJwtDecodedCredential(presentationDecoded)
       ? presentationDecoded.decodedPayload
       : CredentialMapper.toUniformPresentation(presentationDecoded as OriginalVerifiablePresentation)
+  }
 
   private async siopUpdateRequestState(args: IUpdateRequestStateArgs, context: IRequiredContext): Promise<AuthorizationRequestState> {
     if (args.state !== 'authorization_request_created') {
       throw Error(`Only 'authorization_request_created' status is supported for this method at this point`)
     }
-    return await this.getRPInstance({ queryId: args.queryId }, context)
+    return await this.getRPInstance({ createWhenNotPresent: false, queryId: args.queryId }, context)
       // todo: In the SIOP library we need to update the signal method to be more like this method
       .then((rp) =>
         rp.get(context).then(async (rp) => {
@@ -213,7 +244,7 @@ export class SIOPv2RP implements IAgentPlugin {
   }
 
   private async siopDeleteState(args: IGetAuthResponseStateArgs, context: IRequiredContext): Promise<boolean> {
-    return await this.getRPInstance({ queryId: args.queryId }, context)
+    return await this.getRPInstance({ createWhenNotPresent: false, queryId: args.queryId }, context)
       .then((rp) => rp.get(context).then((rp) => rp.sessionManager.deleteStateForCorrelationId(args.correlationId)))
       .then(() => true)
   }
@@ -226,12 +257,12 @@ export class SIOPv2RP implements IAgentPlugin {
       typeof args.authorizationResponse === 'string'
         ? (decodeUriAsJson(args.authorizationResponse) as AuthorizationResponsePayload)
         : args.authorizationResponse
-    return await this.getRPInstance({ queryId: args.queryId }, context).then((rp) =>
+    return await this.getRPInstance({ createWhenNotPresent: false, queryId: args.queryId }, context).then((rp) =>
       rp.get(context).then((rp) =>
         rp.verifyAuthorizationResponse(authResponse, {
           correlationId: args.correlationId,
-          ...(args.dcqlQuery ? { dcqlQuery: args.dcqlQuery } : {}),
-          audience: args.audience,
+            ...(args.dcqlQuery && { dcqlQuery: args.dcqlQuery }),
+            audience: args.audience,
         }),
       ),
     )
@@ -273,9 +304,36 @@ export class SIOPv2RP implements IAgentPlugin {
     return undefined
   }
 
-  async getRPInstance({ queryId, responseRedirectURI }: ISiopRPInstanceArgs, context: IRequiredContext): Promise<RPInstance> {
-    const instanceId = queryId ?? SIOPv2RP._DEFAULT_OPTS_KEY
-    if (!this.instances.has(instanceId)) {
+  async getRPInstance({ createWhenNotPresent, queryId, responseRedirectURI }: ISiopRPInstanceArgs, context: IRequiredContext): Promise<RPInstance> {
+    let rpInstanceId: string = SIOPv2RP._DEFAULT_OPTS_KEY
+    let rpInstance: RPInstance | undefined
+    if (queryId) {
+      if (this.instances.has(queryId)) {
+        rpInstanceId = queryId
+        rpInstance = this.instances.get(rpInstanceId)!
+      } else if (isValidUUID(queryId)) {
+        try {
+          // Check whether queryId is actually the PD item id
+          const pd = await context.agent.pdmGetDefinition({ itemId: queryId })
+          if (this.instances.has(pd.queryId)) {
+            rpInstanceId = pd.queryId
+            rpInstance = this.instances.get(rpInstanceId)!
+          }
+        } catch (ignore) {}
+      }
+      if (createWhenNotPresent) {
+        rpInstanceId = queryId
+      } else {
+        rpInstance = this.instances.get(rpInstanceId)
+      }
+    } else {
+      rpInstance = this.instances.get(rpInstanceId)
+    }
+
+    if (!rpInstance) {
+      if (!createWhenNotPresent) {
+        return Promise.reject(`No RP instance found for key ${rpInstanceId}`)
+      }
       const instanceOpts = this.getInstanceOpts(queryId)
       const rpOpts = await this.getRPOptions(context, { queryId, responseRedirectURI: responseRedirectURI })
       if (!rpOpts.identifierOpts.resolveOpts?.resolver || typeof rpOpts.identifierOpts.resolveOpts.resolver.resolve !== 'function') {
@@ -290,9 +348,9 @@ export class SIOPv2RP implements IAgentPlugin {
           resolverResolution: true,
         })
       }
-      this.instances.set(instanceId, new RPInstance({ rpOpts, pexOpts: instanceOpts }))
+      rpInstance = new RPInstance({ rpOpts, pexOpts: instanceOpts })
+      this.instances.set(rpInstanceId, rpInstance)
     }
-    const rpInstance = this.instances.get(instanceId)!
     if (responseRedirectURI) {
       rpInstance.rpOptions.responseRedirectUri = responseRedirectURI
     }
@@ -334,22 +392,22 @@ export class SIOPv2RP implements IAgentPlugin {
     return options
   }
 
-  getInstanceOpts(definitionId?: string): IPEXInstanceOptions | undefined {
+  getInstanceOpts(queryId?: string): IPEXInstanceOptions | undefined {
     if (!this.opts.instanceOpts) return undefined
 
-    const instanceOpt = definitionId ? this.opts.instanceOpts.find((i) => i.queryId === definitionId) : undefined
+    const instanceOpt = queryId ? this.opts.instanceOpts.find((i) => i.queryId === queryId) : undefined
 
-    return instanceOpt ?? this.getDefaultOptions(definitionId)
+    return instanceOpt ?? this.getDefaultOptions(queryId)
   }
 
-  private getDefaultOptions(definitionId: string | undefined) {
+  private getDefaultOptions(queryId: string | undefined) {
     if (!this.opts.instanceOpts) return undefined
 
     const defaultOptions = this.opts.instanceOpts.find((i) => i.queryId === 'default')
     if (defaultOptions) {
       const clonedOptions = { ...defaultOptions }
-      if (definitionId !== undefined) {
-        clonedOptions.queryId = definitionId
+      if (queryId !== undefined) {
+        clonedOptions.queryId = queryId
       }
       return clonedOptions
     }

package/src/functions.ts

@@ -1,6 +1,7 @@
 import {
   ClientIdentifierPrefix,
   ClientMetadataOpts,
+  DcqlQueryLookupCallback,
   InMemoryRPSessionManager,
   PassBy,
   PresentationVerificationCallback,
@@ -14,7 +15,7 @@ import {
   Scope,
   SubjectType,
   SupportedVersion,
-  VerifyJwtCallback
+  VerifyJwtCallback,
 } from '@sphereon/did-auth-siop'
 import { CreateJwtCallback, JwtHeader, JwtIssuer, JwtPayload, SigningAlgo } from '@sphereon/oid4vc-common'
 import { IPresentationDefinition } from '@sphereon/pex'
@@ -34,7 +35,7 @@ import { TKeyType } from '@veramo/core'
 import { JWTVerifyOptions } from 'did-jwt'
 import { Resolvable } from 'did-resolver'
 import { EventEmitter } from 'events'
-import { IPEXOptions, IRequiredContext, IRPOptions, ISIOPIdentifierOptions } from './types/ISIOPv2RP'
+import { IRequiredContext, IRPOptions, ISIOPIdentifierOptions } from './types/ISIOPv2RP'
 import { DcqlQuery } from 'dcql'
 import { defaultHasher } from '@sphereon/ssi-sdk.core'
 
@@ -42,7 +43,7 @@ export function getRequestVersion(rpOptions: IRPOptions): SupportedVersion {
   if (Array.isArray(rpOptions.supportedVersions) && rpOptions.supportedVersions.length > 0) {
     return rpOptions.supportedVersions[0]
   }
-  return SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1
+  return SupportedVersion.OID4VP_v1
 }
 
 function getWellKnownDIDVerifyCallback(siopIdentifierOpts: ISIOPIdentifierOptions, context: IRequiredContext) {
@@ -57,6 +58,31 @@ function getWellKnownDIDVerifyCallback(siopIdentifierOpts: ISIOPIdentifierOption
       }
 }
 
+export function getDcqlQueryLookupCallback(context: IRequiredContext): DcqlQueryLookupCallback {
+  async function dcqlQueryLookup(queryId: string, version?: string, tenantId?: string): Promise<DcqlQuery> {
+    // TODO Add caching?
+    const result = await context.agent.pdmGetDefinitions({
+      filter: [
+        {
+          queryId,
+          ...(tenantId && { tenantId }),
+          ...(version && { version }),
+        },
+        {
+          id: queryId,
+        },
+      ],
+    })
+    if (result && result.length > 0) {
+      return result[0].query
+    }
+
+    return Promise.reject(Error(`No dcql query found for queryId ${queryId}`))
+  }
+
+  return dcqlQueryLookup
+}
+
 export function getPresentationVerificationCallback(
   idOpts: ManagedIdentifierOptsOrResult,
   context: IRequiredContext,
@@ -101,34 +127,11 @@ export function getPresentationVerificationCallback(
 
 export async function createRPBuilder(args: {
   rpOpts: IRPOptions
-  pexOpts?: IPEXOptions | undefined
   definition?: IPresentationDefinition
-  dcql?: DcqlQuery
   context: IRequiredContext
 }): Promise<RPBuilder> {
-  const { rpOpts, pexOpts, context } = args
+  const { rpOpts, context } = args
   const { identifierOpts } = rpOpts
-  let definition: IPresentationDefinition | undefined = args.definition
-  let dcqlQuery: DcqlQuery | undefined = args.dcql
-
-  if (!definition && pexOpts && pexOpts.queryId) {
-    const presentationDefinitionItems = await context.agent.pdmGetDefinitions({
-      filter: [
-        {
-          queryId: pexOpts.queryId,
-          version: pexOpts.version,
-          tenantId: pexOpts.tenantId,
-        },
-      ],
-    })
-
-    if (presentationDefinitionItems.length > 0) {
-      const presentationDefinitionItem = presentationDefinitionItems[0]
-      if (!dcqlQuery && presentationDefinitionItem.dcqlPayload) {
-        dcqlQuery = presentationDefinitionItem.dcqlPayload.dcqlQuery as DcqlQuery // cast from DcqlQueryREST back to valibot DcqlQuery
-      }
-    }
-  }
 
   const didMethods = identifierOpts.supportedDIDMethods ?? (await getAgentDIDMethods(context))
   const eventEmitter = rpOpts.eventEmitter ?? new EventEmitter()
@@ -168,9 +171,7 @@ export async function createRPBuilder(args: {
     .withResponseMode(rpOpts.responseMode ?? ResponseMode.POST)
     .withResponseType(ResponseType.VP_TOKEN, PropertyTarget.REQUEST_OBJECT)
     // todo: move to options fill/correct method
-    .withSupportedVersions(
-      rpOpts.supportedVersions ?? [SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1, SupportedVersion.SIOPv2_ID1, SupportedVersion.SIOPv2_D11],
-    )
+    .withSupportedVersions(rpOpts.supportedVersions ?? [SupportedVersion.OID4VP_v1, SupportedVersion.SIOPv2_OID4VP_D28])
 
     .withEventEmitter(eventEmitter)
     .withSessionManager(rpOpts.sessionManager ?? new InMemoryRPSessionManager(eventEmitter))
@@ -189,6 +190,7 @@ export async function createRPBuilder(args: {
             context,
           ),
     )
+    .withDcqlQueryLookup(getDcqlQueryLookupCallback(context))
     .withRevocationVerification(RevocationVerification.NEVER)
     .withPresentationVerification(getPresentationVerificationCallback(identifierOpts.idOpts, context))
 
@@ -197,11 +199,12 @@ export async function createRPBuilder(args: {
     builder.withEntityId(oidfOpts.identifier, PropertyTarget.REQUEST_OBJECT)
   } else {
     const resolution = await context.agent.identifierManagedGet(identifierOpts.idOpts)
-    const clientId: string = rpOpts.clientMetadataOpts?.client_id ??
-      resolution.issuer ?? (isManagedIdentifierDidResult(resolution) ? resolution.did : resolution.jwkThumbprint)
-     const clientIdPrefixed = prefixClientId(clientId)
-    builder.withClientId(clientIdPrefixed, PropertyTarget.REQUEST_OBJECT
-    )
+    const clientId: string =
+      rpOpts.clientMetadataOpts?.client_id ??
+      resolution.issuer ??
+      (isManagedIdentifierDidResult(resolution) ? resolution.did : resolution.jwkThumbprint)
+    const clientIdPrefixed = prefixClientId(clientId)
+    builder.withClientId(clientIdPrefixed, PropertyTarget.REQUEST_OBJECT)
   }
 
   if (hasher) {
@@ -215,10 +218,6 @@ export async function createRPBuilder(args: {
   //fixme: this has been removed in the new version of did-auth-siop
   // builder.withWellknownDIDVerifyCallback(getWellKnownDIDVerifyCallback(didOpts, context))
 
-  if (dcqlQuery) {
-    builder.withDcqlQuery(dcqlQuery)
-  }
-
   if (rpOpts.responseRedirectUri) {
     builder.withResponseRedirectUri(rpOpts.responseRedirectUri)
   }
@@ -303,8 +302,8 @@ export function getSigningAlgo(type: TKeyType): SigningAlgo {
 export function prefixClientId(clientId: string): string {
   // FIXME SSISDK-60
   if (clientId.startsWith('did:')) {
-    return `${ClientIdentifierPrefix.DECENTRALIZED_IDENTIFIER}:${clientId}`;
+    return `${ClientIdentifierPrefix.DECENTRALIZED_IDENTIFIER}:${clientId}`
   }
 
-  return clientId;
+  return clientId
 }

package/src/types/ISIOPv2RP.ts

@@ -32,16 +32,9 @@ import { HasherSync } from '@sphereon/ssi-types'
 import { VerifyCallback } from '@sphereon/wellknown-dids-client'
 import { IAgentContext, ICredentialVerifier, IDIDManager, IKeyManager, IPluginMethodMap, IResolver } from '@veramo/core'
 import { DcqlQuery } from 'dcql'
-
 import { Resolvable } from 'did-resolver'
 import { EventEmitter } from 'events'
 
-export enum VerifiedDataMode {
-  NONE = 'none',
-  VERIFIED_PRESENTATION = 'vp',
-  CREDENTIAL_SUBJECT_FLATTENED = 'cs-flat',
-}
-
 export interface ISIOPv2RP extends IPluginMethodMap {
   siopCreateAuthRequestURI(createArgs: ICreateAuthRequestArgs, context: IRequiredContext): Promise<string>
   siopCreateAuthRequestPayloads(createArgs: ICreateAuthRequestArgs, context: IRequiredContext): Promise<IAuthorizationRequestPayloads>
@@ -90,11 +83,10 @@ export interface IGetAuthResponseStateArgs {
   queryId?: string
   errorOnNotFound?: boolean
   progressRequestStateTo?: AuthorizationRequestStateStatus
-  includeVerifiedData?: VerifiedDataMode
 }
 
 export interface IUpdateRequestStateArgs {
-  queryId: string
+  queryId?: string
   correlationId: string
   state: AuthorizationRequestStateStatus
   error?: string
@@ -137,11 +129,12 @@ export interface IPEXDefinitionPersistArgs extends IPEXInstanceOptions {
 }
 
 export interface ISiopRPInstanceArgs {
+  createWhenNotPresent: boolean
   queryId?: string
   responseRedirectURI?: string
 }
 
-export interface IPEXInstanceOptions extends IPEXOptions {
+export interface IPEXInstanceOptions extends IPresentationOptions {
   rpOpts?: IRPOptions
 }
 
@@ -159,12 +152,9 @@ export interface IRPOptions {
   responseRedirectUri?: string
 }
 
-export interface IPEXOptions {
-  presentationVerifyCallback?: PresentationVerificationCallback
-  // definition?: IPresentationDefinition
+export interface IPresentationOptions {
   queryId: string
-  version?: string
-  tenantId?: string
+  presentationVerifyCallback?: PresentationVerificationCallback
 }
 
 export type VerificationPolicies = {