@vidos-id/openid4vc-wallet 0.10.1 → 0.11.0

package/README.md

@@ -43,13 +43,17 @@ This package is currently published as raw TypeScript and is intended for Bun-ba
 - `openid4vp://` authorization URL parsing for by-value DCQL requests
 - selective disclosure presentation building
 - KB-JWT holder binding
-- `direct_post` and `direct_post.jwt` authorization response submission
+- prepared `direct_post` and `direct_post.jwt` authorization response delivery
 
 ## Example
 
 ```ts
 import {
+  createOpenId4VpAuthorizationResponse,
   InMemoryWalletStorage,
+  parseOpenid4VpAuthorizationUrl,
+  prepareOpenId4VpAuthorizationResponseSubmission,
+  submitPreparedOpenId4VpAuthorizationResponse,
   Wallet,
   receiveCredentialFromOffer,
 } from "@vidos-id/openid4vc-wallet";
@@ -92,9 +96,11 @@ await receiveCredentialFromOffer(
 const status = await wallet.getCredentialStatus("credential-id");
 
 // Create a presentation from a DCQL request
-const presentation = await wallet.createPresentation({
+const presentationRequest = {
   client_id: "https://verifier.example",
   nonce: "nonce-123",
+  response_mode: "direct_post",
+  response_uri: "https://verifier.example/response",
   dcql_query: {
     credentials: [
       {
@@ -104,12 +110,53 @@ const presentation = await wallet.createPresentation({
       },
     ],
   },
-});
+};
+
+const presentation = await wallet.createPresentation(presentationRequest);
+
+const authorizationResponse = createOpenId4VpAuthorizationResponse(
+  presentationRequest,
+  presentation,
+);
+
+const preparedSubmission =
+  await prepareOpenId4VpAuthorizationResponseSubmission(
+    presentationRequest,
+    authorizationResponse,
+  );
+
+// Default path: submit exactly as prepared.
+await submitPreparedOpenId4VpAuthorizationResponse(preparedSubmission);
+
+// Local/e2e path: rewrite the destination or deliver in-process.
+await submitPreparedOpenId4VpAuthorizationResponse(
+  {
+    ...preparedSubmission,
+    url: "http://127.0.0.1:3000/response",
+  },
+  {
+    transport: async (submission) => {
+      const body = Object.fromEntries(submission.body.entries());
+      console.log(submission.url, body.vp_token);
+      return Response.json({ redirect_uri: "http://localhost:3000/done" });
+    },
+  },
+);
 
 // Parse an openid4vp:// authorization URL
-const request = Wallet.parseAuthorizationRequestUrl("openid4vp://authorize?...");
+const request = await parseOpenid4VpAuthorizationUrl("openid4vp://authorize?...");
 ```
 
+OID4VP response delivery flow:
+- `createOpenId4VpAuthorizationResponse(...)` builds the protocol response payload
+- `prepareOpenId4VpAuthorizationResponseSubmission(...)` builds the HTTP submission request
+- `submitPreparedOpenId4VpAuthorizationResponse(...)` sends the prepared request with either the default fetch transport or a caller-provided transport
+
+This keeps protocol construction in the wallet while letting callers:
+- inspect the exact outgoing request before submission
+- rewrite the destination URL for localhost or reverse-proxy setups
+- submit in-process during tests without standing up a network proxy
+
 Supported `openid4vp://` subset:
 - by-value only
 - requires `client_id`, `nonce`, and `dcql_query`
@@ -144,7 +191,7 @@ Current limitations:
 ## See also
 
 - [`@vidos-id/openid4vc-issuer`](../issuer/) - issuer library for credential issuance
-- [`scripts/demo-e2e.ts`](../../scripts/demo-e2e.ts) - full programmatic flow using both libraries
+- [`scripts/demo-e2e.ts`](../../scripts/demo-e2e.ts) - full programmatic flow including prepared OID4VP submission with local transport rewriting
 
 ## Test
 

package/dist/index.d.mts

@@ -310,21 +310,38 @@ declare function receiveCredentialFromOffer(wallet: Wallet, offerInput: unknown,
   fetch?: typeof fetch;
 }): Promise<StoredCredentialRecord>;
 //#endregion
-//#region src/openid4vp.d.ts
+//#region src/openid4vp/request.d.ts
+declare function parseOpenid4VpAuthorizationUrl(input: string): Promise<OpenId4VpRequestInput>;
+declare function resolveOpenId4VpRequest(input: unknown): Promise<OpenId4VpRequestInput>;
+//#endregion
+//#region src/openid4vp/response.d.ts
 type OpenId4VpAuthorizationResponse = {
   vp_token: string;
   state?: string;
 };
+declare function createOpenId4VpAuthorizationResponse(request: OpenId4VpRequestInput, presentation: CreatePresentationResult): OpenId4VpAuthorizationResponse;
+//#endregion
+//#region src/openid4vp/submission.d.ts
+type PreparedOpenId4VpAuthorizationResponseSubmission = {
+  responseMode: ResponseMode;
+  url: string;
+  method: "POST";
+  headers: Record<string, string>;
+  body: URLSearchParams;
+};
+type OpenId4VpResponseTransport = (submission: PreparedOpenId4VpAuthorizationResponseSubmission) => Promise<Response>;
 type OpenId4VpResponseSubmissionResult = {
-  responseMode: "direct_post" | "direct_post.jwt";
-  responseUri: string;
+  responseMode: ResponseMode;
+  url: string;
   status: number;
   body?: unknown;
   redirectUri?: string;
 };
-declare function parseOpenid4VpAuthorizationUrl(input: string): Promise<OpenId4VpRequestInput>;
-declare function resolveOpenId4VpRequest(input: unknown): Promise<OpenId4VpRequestInput>;
-declare function createOpenId4VpAuthorizationResponse(request: OpenId4VpRequestInput, presentation: CreatePresentationResult): OpenId4VpAuthorizationResponse;
-declare function submitOpenId4VpAuthorizationResponse(request: OpenId4VpRequestInput, response: OpenId4VpAuthorizationResponse): Promise<OpenId4VpResponseSubmissionResult>;
+type ResponseMode = OpenId4VpRequestInput["response_mode"] extends infer T ? Exclude<T, undefined> : never;
+declare function prepareOpenId4VpAuthorizationResponseSubmission(request: OpenId4VpRequestInput, response: OpenId4VpAuthorizationResponse): Promise<PreparedOpenId4VpAuthorizationResponseSubmission>;
+declare function submitPreparedOpenId4VpAuthorizationResponse(submission: PreparedOpenId4VpAuthorizationResponseSubmission, options?: {
+  transport?: OpenId4VpResponseTransport;
+}): Promise<OpenId4VpResponseSubmissionResult>;
+declare function defaultOpenId4VpResponseTransport(submission: PreparedOpenId4VpAuthorizationResponseSubmission): Promise<Response>;
 //#endregion
-export { CreatePresentationResult, CredentialStatus, CredentialStatusListReference, CredentialStatusListReferenceSchema, CredentialStatusSchema, HOLDER_KEY_ALG, HolderKeyRecord, HolderKeyRecordSchema, ImportCredentialInput, ImportCredentialInputSchema, InMemoryWalletStorage, InspectDcqlQueryResult, IssuerJwkSchema, IssuerJwksSchema, IssuerKeyMaterial, IssuerKeyMaterialSchema, JwkSchema, MatchDcqlQueryResult, MatchedCredential, OpenId4VciCredentialOffer, OpenId4VciIssuerMetadata, OpenId4VpAuthorizationResponse, OpenId4VpRequestInput, OpenId4VpRequestSchema, OpenId4VpResponseSubmissionResult, ParsedDcqlQuery, QueryCredentialMatches, ResolvedCredentialStatus, ResponseModeSchema, SD_JWT_HASH_ALG, StoredCredentialRecord, StoredCredentialRecordSchema, TokenStatusLabel, VerifierClientMetadata, VerifierClientMetadataSchema, Wallet, WalletConfigSchema, WalletError, WalletStorage, createHolderKeyRecord, createKbJwt, createOpenId4VciProofJwt, createOpenId4VpAuthorizationResponse, fetchIssuerMetadata, getJwkThumbprint, importPrivateKey, importPublicKey, issueDemoCredential, parseCredentialOffer, parseOpenid4VpAuthorizationUrl, receiveCredentialFromOffer, resolveOpenId4VpRequest, sdJwtHasher, sha256Base64Url, submitOpenId4VpAuthorizationResponse };
+export { CreatePresentationResult, CredentialStatus, CredentialStatusListReference, CredentialStatusListReferenceSchema, CredentialStatusSchema, HOLDER_KEY_ALG, HolderKeyRecord, HolderKeyRecordSchema, ImportCredentialInput, ImportCredentialInputSchema, InMemoryWalletStorage, InspectDcqlQueryResult, IssuerJwkSchema, IssuerJwksSchema, IssuerKeyMaterial, IssuerKeyMaterialSchema, JwkSchema, MatchDcqlQueryResult, MatchedCredential, OpenId4VciCredentialOffer, OpenId4VciIssuerMetadata, OpenId4VpAuthorizationResponse, OpenId4VpRequestInput, OpenId4VpRequestSchema, OpenId4VpResponseSubmissionResult, OpenId4VpResponseTransport, ParsedDcqlQuery, PreparedOpenId4VpAuthorizationResponseSubmission, QueryCredentialMatches, ResolvedCredentialStatus, ResponseModeSchema, SD_JWT_HASH_ALG, StoredCredentialRecord, StoredCredentialRecordSchema, TokenStatusLabel, VerifierClientMetadata, VerifierClientMetadataSchema, Wallet, WalletConfigSchema, WalletError, WalletStorage, createHolderKeyRecord, createKbJwt, createOpenId4VciProofJwt, createOpenId4VpAuthorizationResponse, defaultOpenId4VpResponseTransport, fetchIssuerMetadata, getJwkThumbprint, importPrivateKey, importPublicKey, issueDemoCredential, parseCredentialOffer, parseOpenid4VpAuthorizationUrl, prepareOpenId4VpAuthorizationResponseSubmission, receiveCredentialFromOffer, resolveOpenId4VpRequest, sdJwtHasher, sha256Base64Url, submitPreparedOpenId4VpAuthorizationResponse };

package/dist/index.mjs

@@ -771,7 +771,7 @@ function getSingleSearchParam$1(url, key) {
 	return values[0] || void 0;
 }
 //#endregion
-//#region src/openid4vp.ts
+//#region src/openid4vp/request.ts
 const openid4vpAuthorizationUrlSchema = z.string().min(1);
 const requestObjectHeaderSchema = z.object({ typ: z.literal("oauth-authz-req+jwt") });
 const requestObjectClaimsSchema = z.object({
@@ -860,38 +860,6 @@ async function resolveOpenId4VpRequest(input) {
 		presentation_definition: request.presentation_definition ?? requestObject?.presentation_definition
 	});
 }
-function createOpenId4VpAuthorizationResponse(request, presentation) {
-	const parsedRequest = OpenId4VpRequestSchema.parse(request);
-	return {
-		vp_token: presentation.vpToken,
-		state: parsedRequest.state
-	};
-}
-async function submitOpenId4VpAuthorizationResponse(request, response) {
-	const parsedRequest = OpenId4VpRequestSchema.parse(request);
-	if (!parsedRequest.response_mode) throw new WalletError("response_mode is required for submission");
-	const responseUrl = parseHttpsUrl(parsedRequest.response_uri, "response_uri must use https");
-	const body = parsedRequest.response_mode === "direct_post" ? createDirectPostBody(response) : await createDirectPostJwtBody(parsedRequest, response);
-	let fetchResponse;
-	try {
-		fetchResponse = await fetch(responseUrl, {
-			method: "POST",
-			headers: { "content-type": "application/x-www-form-urlencoded" },
-			body
-		});
-	} catch {
-		throw new WalletError("Failed to submit authorization response");
-	}
-	const parsedBody = await parseSubmissionBody(fetchResponse);
-	const redirectUri = readRedirectUri(parsedBody);
-	return {
-		responseMode: parsedRequest.response_mode,
-		responseUri: responseUrl.toString(),
-		status: fetchResponse.status,
-		body: parsedBody,
-		redirectUri
-	};
-}
 async function fetchRequestObject(requestUri, clientId) {
 	let url;
 	try {
@@ -945,6 +913,84 @@ function parseClientMetadata(value) {
 		vp_formats_supported: z.unknown().optional()
 	}).passthrough().parse(value);
 }
+function assertRequestUriMatchesClientId(url, clientId) {
+	const clientIdHostname = getClientIdHostname(clientId);
+	if (!clientIdHostname) return;
+	if (url.hostname !== clientIdHostname) throw new WalletError("request_uri hostname must match client_id hostname");
+}
+function getClientIdHostname(clientId) {
+	if (!clientId) return;
+	try {
+		return new URL(clientId).hostname;
+	} catch {}
+	if (clientId.startsWith("x509_san_dns:")) return clientId.slice(13) || void 0;
+	const separator = clientId.indexOf(":");
+	if (separator > 0) try {
+		return new URL(clientId.slice(separator + 1)).hostname;
+	} catch {
+		return;
+	}
+}
+function getSingleSearchParam(url, key) {
+	const values = url.searchParams.getAll(key);
+	if (values.length === 0 || values[0]?.length === 0) throw new WalletError(`Authorization URL is missing ${key}`);
+	if (values.length > 1) throw new WalletError(`Authorization URL must include only one ${key}`);
+	return values[0];
+}
+function getOptionalSingleSearchParam(url, key) {
+	const values = url.searchParams.getAll(key);
+	if (values.length === 0) return;
+	if (values.length > 1) throw new WalletError(`Authorization URL must include only one ${key}`);
+	return values[0] || void 0;
+}
+//#endregion
+//#region src/openid4vp/response.ts
+function createOpenId4VpAuthorizationResponse(request, presentation) {
+	const parsedRequest = OpenId4VpRequestSchema.parse(request);
+	return {
+		vp_token: presentation.vpToken,
+		state: parsedRequest.state
+	};
+}
+//#endregion
+//#region src/openid4vp/submission.ts
+async function prepareOpenId4VpAuthorizationResponseSubmission(request, response) {
+	const parsedRequest = OpenId4VpRequestSchema.parse(request);
+	if (!parsedRequest.response_mode) throw new WalletError("response_mode is required for submission");
+	const responseUrl = parseHttpsUrl(parsedRequest.response_uri, "response_uri must use https");
+	const body = parsedRequest.response_mode === "direct_post" ? createDirectPostBody(response) : await createDirectPostJwtBody(parsedRequest, response);
+	return {
+		responseMode: parsedRequest.response_mode,
+		url: responseUrl.toString(),
+		method: "POST",
+		headers: { "content-type": "application/x-www-form-urlencoded" },
+		body
+	};
+}
+async function submitPreparedOpenId4VpAuthorizationResponse(submission, options) {
+	const transport = options?.transport ?? defaultOpenId4VpResponseTransport;
+	let response;
+	try {
+		response = await transport(submission);
+	} catch {
+		throw new WalletError("Failed to submit authorization response");
+	}
+	const parsedBody = await parseSubmissionBody(response);
+	return {
+		responseMode: submission.responseMode,
+		url: submission.url,
+		status: response.status,
+		body: parsedBody,
+		redirectUri: readRedirectUri(parsedBody)
+	};
+}
+function defaultOpenId4VpResponseTransport(submission) {
+	return fetch(submission.url, {
+		method: submission.method,
+		headers: submission.headers,
+		body: submission.body
+	});
+}
 function parseHttpsUrl(value, errorMessage) {
 	if (!value) throw new WalletError(errorMessage);
 	let url;
@@ -975,10 +1021,7 @@ async function encryptAuthorizationResponse(request, response) {
 		alg,
 		enc,
 		typ: "oauth-authz-resp+jwt"
-	}).setAudience(parsedRequest.client_id).setIssuedAt().encrypt(await importEncryptionKey(jwk, alg));
-}
-async function importEncryptionKey(jwk, alg) {
-	return importJWK(jwk, alg);
+	}).setAudience(parsedRequest.client_id).setIssuedAt().encrypt(await importJWK(jwk, alg));
 }
 function resolveJweAlg(jwk) {
 	if (typeof jwk.alg === "string" && jwk.alg.length > 0) return jwk.alg;
@@ -998,36 +1041,6 @@ function readRedirectUri(body) {
 	const value = body.redirect_uri;
 	return typeof value === "string" && value.length > 0 ? value : void 0;
 }
-function assertRequestUriMatchesClientId(url, clientId) {
-	const clientIdHostname = getClientIdHostname(clientId);
-	if (!clientIdHostname) return;
-	if (url.hostname !== clientIdHostname) throw new WalletError("request_uri hostname must match client_id hostname");
-}
-function getClientIdHostname(clientId) {
-	if (!clientId) return;
-	try {
-		return new URL(clientId).hostname;
-	} catch {}
-	if (clientId.startsWith("x509_san_dns:")) return clientId.slice(13) || void 0;
-	const separator = clientId.indexOf(":");
-	if (separator > 0) try {
-		return new URL(clientId.slice(separator + 1)).hostname;
-	} catch {
-		return;
-	}
-}
-function getSingleSearchParam(url, key) {
-	const values = url.searchParams.getAll(key);
-	if (values.length === 0 || values[0]?.length === 0) throw new WalletError(`Authorization URL is missing ${key}`);
-	if (values.length > 1) throw new WalletError(`Authorization URL must include only one ${key}`);
-	return values[0];
-}
-function getOptionalSingleSearchParam(url, key) {
-	const values = url.searchParams.getAll(key);
-	if (values.length === 0) return;
-	if (values.length > 1) throw new WalletError(`Authorization URL must include only one ${key}`);
-	return values[0] || void 0;
-}
 //#endregion
 //#region src/storage.ts
 var InMemoryWalletStorage = class {
@@ -1052,4 +1065,4 @@ var InMemoryWalletStorage = class {
 	}
 };
 //#endregion
-export { CredentialStatusListReferenceSchema, CredentialStatusSchema, HOLDER_KEY_ALG, HolderKeyRecordSchema, ImportCredentialInputSchema, InMemoryWalletStorage, IssuerJwkSchema, IssuerJwksSchema, IssuerKeyMaterialSchema, JwkSchema, OpenId4VpRequestSchema, ResponseModeSchema, SD_JWT_HASH_ALG, StoredCredentialRecordSchema, VerifierClientMetadataSchema, Wallet, WalletConfigSchema, WalletError, createHolderKeyRecord, createKbJwt, createOpenId4VciProofJwt, createOpenId4VpAuthorizationResponse, fetchIssuerMetadata, getJwkThumbprint, importPrivateKey, importPublicKey, issueDemoCredential, parseCredentialOffer, parseOpenid4VpAuthorizationUrl, receiveCredentialFromOffer, resolveOpenId4VpRequest, sdJwtHasher, sha256Base64Url, submitOpenId4VpAuthorizationResponse };
+export { CredentialStatusListReferenceSchema, CredentialStatusSchema, HOLDER_KEY_ALG, HolderKeyRecordSchema, ImportCredentialInputSchema, InMemoryWalletStorage, IssuerJwkSchema, IssuerJwksSchema, IssuerKeyMaterialSchema, JwkSchema, OpenId4VpRequestSchema, ResponseModeSchema, SD_JWT_HASH_ALG, StoredCredentialRecordSchema, VerifierClientMetadataSchema, Wallet, WalletConfigSchema, WalletError, createHolderKeyRecord, createKbJwt, createOpenId4VciProofJwt, createOpenId4VpAuthorizationResponse, defaultOpenId4VpResponseTransport, fetchIssuerMetadata, getJwkThumbprint, importPrivateKey, importPublicKey, issueDemoCredential, parseCredentialOffer, parseOpenid4VpAuthorizationUrl, prepareOpenId4VpAuthorizationResponseSubmission, receiveCredentialFromOffer, resolveOpenId4VpRequest, sdJwtHasher, sha256Base64Url, submitPreparedOpenId4VpAuthorizationResponse };

package/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@vidos-id/openid4vc-wallet",
 	"description": "Wallet library for dc+sd-jwt storage and OpenID4VP presentation.",
-	"version": "0.10.1",
+	"version": "0.11.0",
 	"repository": {
 		"type": "git",
 		"url": "git+https://github.com/vidos-id/openid4vc-tools.git",