Sphereon-Opensource
diff --git a/‎packages/client/lib/AuthorizationCodeClient.ts‎
Lines changed: 47 additions & 8 deletions b/‎packages/client/lib/AuthorizationCodeClient.ts‎
Lines changed: 47 additions & 8 deletions
diff --git a/‎packages/client/lib/AuthorizationCodeClientV1_0_11.ts‎
Lines changed: 8 additions & 6 deletions b/‎packages/client/lib/AuthorizationCodeClientV1_0_11.ts‎
Lines changed: 8 additions & 6 deletions
diff --git a/‎packages/client/lib/OpenID4VCIClient.ts‎
Lines changed: 16 additions & 5 deletions b/‎packages/client/lib/OpenID4VCIClient.ts‎
Lines changed: 16 additions & 5 deletions
diff --git a/‎packages/client/lib/ProofOfPossessionBuilder.ts‎
Lines changed: 40 additions & 9 deletions b/‎packages/client/lib/ProofOfPossessionBuilder.ts‎
Lines changed: 40 additions & 9 deletions
@@ -3,24 +3,64 @@ import {
   AuthorizationRequestOpts,
   CodeChallengeMethod,
   convertJsonToURI,
+  CreateRequestObjectMode,
   CredentialConfigurationSupportedV1_0_13,
   CredentialOfferPayloadV1_0_13,
   CredentialOfferRequestWithBaseUrl,
   determineSpecVersionFromOffer,
   EndpointMetadataResultV1_0_13,
   formPost,
   JsonURIMode,
+  Jwt,
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   PARMode,
   PKCEOpts,
   PushedAuthorizationResponse,
+  RequestObjectOpts,
   ResponseType,
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
 
+import { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder';
+
 const debug = Debug('sphereon:oid4vci');
 
+export async function createSignedAuthRequestWhenNeeded(requestObject: Record<string, any>, opts: RequestObjectOpts & { aud?: string }) {
+  if (opts.requestObjectMode === CreateRequestObjectMode.REQUEST_URI) {
+    throw Error(`Request Object Mode ${opts.requestObjectMode} is not supported yet`);
+  } else if (opts.requestObjectMode === CreateRequestObjectMode.REQUEST_OBJECT) {
+    if (typeof opts.signCallbacks?.signCallback !== 'function') {
+      throw Error(`No request object sign callback found, whilst request object mode was set to ${opts.requestObjectMode}`);
+    } else if (!opts.kid) {
+      throw Error(`No kid found, whilst request object mode was set to ${opts.requestObjectMode}`);
+    }
+    let client_metadata: any
+    if (opts.clientMetadata || opts.jwksUri) {
+      client_metadata = opts.clientMetadata ?? {};
+      if (opts.jwksUri) {
+        client_metadata['jwks_uri'] = opts.jwksUri;
+      }
+    }
+    let authorization_details = requestObject['authorization_details']
+    if (typeof authorization_details === 'string') {
+      authorization_details = JSON.parse(requestObject.authorization_details);
+    }
+    if (!requestObject.aud && opts.aud) {
+      requestObject.aud = opts.aud;
+    }
+    const iss = requestObject.iss ?? opts.iss ?? requestObject.client_id
+
+    const jwt: Jwt = { header: { alg: 'ES256', kid: opts.kid, typ: 'jwt' }, payload: {...requestObject, iss, authorization_details, ...(client_metadata && {client_metadata})} };
+    const pop = await ProofOfPossessionBuilder.fromJwt({
+      jwt,
+      callbacks: opts.signCallbacks,
+      version: OpenId4VCIVersion.VER_1_0_11,
+      mode: 'jwt',
+    }).build();
+    requestObject['request'] = pop.jwt;
+  }
+}
 function filterSupportedCredentials(
   credentialOffer: CredentialOfferPayloadV1_0_13,
   credentialsSupported?: Record<string, CredentialConfigurationSupportedV1_0_13>,
@@ -62,15 +102,13 @@ export const createAuthorizationRequestUrl = async ({
     }
   }
 
-  const { redirectUri } = authorizationRequest;
+  const { redirectUri, requestObjectOpts = { requestObjectMode: CreateRequestObjectMode.NONE } } = authorizationRequest;
   const client_id = clientId ?? authorizationRequest.clientId;
-  if (!client_id) {
-    throw Error(`Cannot use PAR without a client_id value set`);
-  }
+
   let { scope, authorizationDetails } = authorizationRequest;
   const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests
     ? PARMode.REQUIRE
-    : authorizationRequest.parMode ?? PARMode.AUTO;
+    : authorizationRequest.parMode ?? (client_id ? PARMode.AUTO : PARMode.NEVER);
   // Scope and authorization_details can be used in the same authorization request
   // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param
   if (!scope && !authorizationDetails) {
@@ -138,15 +176,15 @@ export const createAuthorizationRequestUrl = async ({
     scope = ['openid', scope].filter((s) => !!s).join(' ');
   }
 
-  let queryObj: { [key: string]: string } | PushedAuthorizationResponse = {
+  let queryObj: Record<string, any> | PushedAuthorizationResponse = {
     response_type: ResponseType.AUTH_CODE,
     ...(!pkce.disabled && {
       code_challenge_method: pkce.codeChallengeMethod ?? CodeChallengeMethod.S256,
       code_challenge: pkce.codeChallenge,
     }),
     authorization_details: JSON.stringify(handleAuthorizationDetails(endpointMetadata, authorizationDetails)),
     ...(redirectUri && { redirect_uri: redirectUri }),
-    client_id,
+    ...(client_id && { client_id }),
     ...(credentialOffer?.issuerState && { issuer_state: credentialOffer.issuerState }),
     scope,
   };
@@ -170,10 +208,11 @@ export const createAuthorizationRequestUrl = async ({
         throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
       }
     } else {
-      debug(`PAR response: ${(parResponse.successBody, null, 2)}`);
+      debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
       queryObj = { /*response_type: ResponseType.AUTH_CODE,*/ client_id, request_uri: parResponse.successBody.request_uri };
     }
   }
+  await createSignedAuthRequestWhenNeeded(queryObj, { ...requestObjectOpts, aud: endpointMetadata.authorization_server });
 
   debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
   const url = convertJsonToURI(queryObj, {
 
@@ -3,7 +3,7 @@ import {
   AuthorizationRequestOpts,
   CodeChallengeMethod,
   convertJsonToURI,
-  CredentialConfigurationSupported,
+  CreateRequestObjectMode,
   CredentialOfferFormat,
   CredentialOfferPayloadV1_0_11,
   CredentialOfferRequestWithBaseUrl,
@@ -18,6 +18,8 @@ import {
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
 
+import { createSignedAuthRequestWhenNeeded } from './AuthorizationCodeClient';
+
 const debug = Debug('sphereon:oid4vci');
 
 export const createAuthorizationRequestUrlV1_0_11 = async ({
@@ -33,8 +35,9 @@ export const createAuthorizationRequestUrlV1_0_11 = async ({
   credentialOffer?: CredentialOfferRequestWithBaseUrl;
   credentialsSupported?: CredentialsSupportedLegacy[];
 }): Promise<string> => {
-  const { redirectUri, clientId } = authorizationRequest;
+  const { redirectUri, clientId, requestObjectOpts = { requestObjectMode: CreateRequestObjectMode.NONE } } = authorizationRequest;
   let { scope, authorizationDetails } = authorizationRequest;
+
   const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests
     ? PARMode.REQUIRE
     : authorizationRequest.parMode ?? PARMode.AUTO;
@@ -50,9 +53,7 @@ export const createAuthorizationRequestUrlV1_0_11 = async ({
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-ignore
     authorizationDetails = creds
-      .flatMap((cred) =>
-        typeof cred === 'string' && credentialsSupported ? Object.values(credentialsSupported) : (cred as CredentialConfigurationSupported),
-      )
+      .flatMap((cred) => (typeof cred === 'string' ? credentialsSupported : (cred as CredentialsSupportedLegacy)))
       .filter((cred) => !!cred)
       .map((cred) => {
         return {
@@ -111,10 +112,11 @@ export const createAuthorizationRequestUrlV1_0_11 = async ({
         throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
       }
     } else {
-      debug(`PAR response: ${(parResponse.successBody, null, 2)}`);
+      debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
       queryObj = { request_uri: parResponse.successBody.request_uri };
     }
   }
+  await createSignedAuthRequestWhenNeeded(queryObj, { ...requestObjectOpts, aud: endpointMetadata.authorization_server });
 
   debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
   const url = convertJsonToURI(queryObj, {
 
@@ -524,7 +524,9 @@ export class OpenID4VCIClient {
   issuerSupportedFlowTypes(): AuthzFlowType[] {
     return (
       this.credentialOffer?.supportedFlows ??
-      (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [AuthzFlowType.AUTHORIZATION_CODE_FLOW] : [])
+      (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server
+        ? [AuthzFlowType.AUTHORIZATION_CODE_FLOW]
+        : [])
     );
   }
 
@@ -632,7 +634,8 @@ export class OpenID4VCIClient {
    */
   public isEBSI() {
     if (
-      (this.credentialOffer?.credential_offer as CredentialOfferPayloadV1_0_11).credentials?.find(
+      this.credentialOffer &&
+      (this.credentialOffer?.credential_offer as CredentialOfferPayloadV1_0_11)?.credentials?.find(
         (cred) =>
           // eslint-disable-next-line @typescript-eslint/ban-ts-comment
           // @ts-ignore
@@ -641,8 +644,11 @@ export class OpenID4VCIClient {
     ) {
       return true;
     }
-    this.assertIssuerData();
-    return this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu');
+    // this.assertIssuerData();
+    return (
+      this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') ||
+      this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes('ebsi.eu')
+    );
   }
 
   private assertIssuerData(): void {
@@ -666,7 +672,12 @@ export class OpenID4VCIClient {
   }
 
   private syncAuthorizationRequestOpts(opts?: AuthorizationRequestOpts): AuthorizationRequestOpts {
-    let authorizationRequestOpts = { ...this._state?.authorizationRequestOpts, ...opts } as AuthorizationRequestOpts;
+    const requestObjectOpts = { ...this._state?.authorizationRequestOpts?.requestObjectOpts, ...opts?.requestObjectOpts };
+    let authorizationRequestOpts = {
+      ...this._state?.authorizationRequestOpts,
+      ...opts,
+      ...(requestObjectOpts && { requestObjectOpts }),
+    } as AuthorizationRequestOpts;
     if (!authorizationRequestOpts) {
       // We only set a redirectUri if no options are provided.
       // Note that this only works for mobile apps, that can handle a code query param on the default openid-credential-offer deeplink.
 
@@ -7,6 +7,7 @@ import {
   Jwt,
   NO_JWT_PROVIDED,
   OpenId4VCIVersion,
+  PoPMode,
   PROOF_CANT_BE_CONSTRUCTED,
   ProofOfPossession,
   ProofOfPossessionCallbacks,
@@ -17,9 +18,11 @@ export class ProofOfPossessionBuilder<DIDDoc> {
   private readonly proof?: ProofOfPossession;
   private readonly callbacks?: ProofOfPossessionCallbacks<DIDDoc>;
   private readonly version: OpenId4VCIVersion;
+  private readonly mode: PoPMode = 'pop';
 
   private kid?: string;
   private jwk?: JWK;
+  private aud?: string | string[];
   private clientId?: string;
   private issuer?: string;
   private jwt?: Jwt;
@@ -34,54 +37,80 @@ export class ProofOfPossessionBuilder<DIDDoc> {
     jwt,
     accessTokenResponse,
     version,
+    mode = 'pop',
   }: {
     proof?: ProofOfPossession;
     callbacks?: ProofOfPossessionCallbacks<DIDDoc>;
     accessTokenResponse?: AccessTokenResponse;
     jwt?: Jwt;
     version: OpenId4VCIVersion;
+    mode?: PoPMode;
   }) {
+    this.mode = mode;
     this.proof = proof;
     this.callbacks = callbacks;
     this.version = version;
     if (jwt) {
       this.withJwt(jwt);
     } else {
-      this.withTyp(version < OpenId4VCIVersion.VER_1_0_11 ? 'jwt' : 'openid4vci-proof+jwt');
+      this.withTyp(version < OpenId4VCIVersion.VER_1_0_11 || mode === 'jwt' ? 'jwt' : 'openid4vci-proof+jwt');
     }
     if (accessTokenResponse) {
       this.withAccessTokenResponse(accessTokenResponse);
     }
   }
 
+  static manual<DIDDoc>({
+    jwt,
+    callbacks,
+    version,
+    mode = 'jwt',
+  }: {
+    jwt?: Jwt;
+    callbacks: ProofOfPossessionCallbacks<DIDDoc>;
+    version: OpenId4VCIVersion;
+    mode?: PoPMode;
+  }): ProofOfPossessionBuilder<DIDDoc> {
+    return new ProofOfPossessionBuilder({ callbacks, jwt, version, mode });
+  }
+
   static fromJwt<DIDDoc>({
     jwt,
     callbacks,
     version,
+    mode = 'pop',
   }: {
     jwt: Jwt;
     callbacks: ProofOfPossessionCallbacks<DIDDoc>;
     version: OpenId4VCIVersion;
+    mode?: PoPMode;
   }): ProofOfPossessionBuilder<DIDDoc> {
-    return new ProofOfPossessionBuilder({ callbacks, jwt, version });
+    return new ProofOfPossessionBuilder({ callbacks, jwt, version, mode });
   }
 
   static fromAccessTokenResponse<DIDDoc>({
     accessTokenResponse,
     callbacks,
     version,
+    mode = 'pop',
   }: {
     accessTokenResponse: AccessTokenResponse;
     callbacks: ProofOfPossessionCallbacks<DIDDoc>;
     version: OpenId4VCIVersion;
+    mode?: PoPMode;
   }): ProofOfPossessionBuilder<DIDDoc> {
-    return new ProofOfPossessionBuilder({ callbacks, accessTokenResponse, version });
+    return new ProofOfPossessionBuilder({ callbacks, accessTokenResponse, version, mode });
   }
 
   static fromProof<DIDDoc>(proof: ProofOfPossession, version: OpenId4VCIVersion): ProofOfPossessionBuilder<DIDDoc> {
     return new ProofOfPossessionBuilder({ proof, version });
   }
 
+  withAud(aud: string | string[]): this {
+    this.aud = aud;
+    return this;
+  }
+
   withClientId(clientId: string): this {
     this.clientId = clientId;
     return this;
@@ -113,7 +142,7 @@ export class ProofOfPossessionBuilder<DIDDoc> {
   }
 
   withTyp(typ: Typ): this {
-    if (this.version >= OpenId4VCIVersion.VER_1_0_11) {
+    if (this.mode === 'pop' && this.version >= OpenId4VCIVersion.VER_1_0_11) {
       if (!!typ && typ !== 'openid4vci-proof+jwt') {
         throw Error('typ must be openid4vci-proof+jwt for version 1.0.11 and up');
       }
@@ -160,7 +189,7 @@ export class ProofOfPossessionBuilder<DIDDoc> {
     if (jwt.header.typ) {
       this.withTyp(jwt.header.typ as Typ);
     }
-    if (this.version >= OpenId4VCIVersion.VER_1_0_11) {
+    if (!this.typ && this.version >= OpenId4VCIVersion.VER_1_0_11) {
       this.withTyp('openid4vci-proof+jwt');
     }
     this.withAlg(jwt.header.alg);
@@ -171,8 +200,8 @@ export class ProofOfPossessionBuilder<DIDDoc> {
     }
 
     if (jwt.payload) {
-      if (jwt.payload.iss) this.withClientId(jwt.payload.iss);
-      if (jwt.payload.aud) this.withIssuer(jwt.payload.aud);
+      if (jwt.payload.iss) this.mode === 'pop' ? this.withClientId(jwt.payload.iss) : this.withIssuer(jwt.payload.iss);
+      if (jwt.payload.aud) this.mode === 'pop' ? this.withIssuer(jwt.payload.aud) : this.withAud(jwt.payload.aud);
       if (jwt.payload.jti) this.withJti(jwt.payload.jti);
       if (jwt.payload.nonce) this.withAccessTokenNonce(jwt.payload.nonce);
     }
@@ -184,16 +213,18 @@ export class ProofOfPossessionBuilder<DIDDoc> {
       return Promise.resolve(this.proof);
     } else if (this.callbacks) {
       return await createProofOfPossession(
+        this.mode,
         this.callbacks,
         {
-          typ: this.typ ?? (this.version < OpenId4VCIVersion.VER_1_0_11 ? 'jwt' : 'openid4vci-proof+jwt'),
+          typ: this.typ ?? (this.version < OpenId4VCIVersion.VER_1_0_11 || this.mode === 'jwt' ? 'jwt' : 'openid4vci-proof+jwt'),
           kid: this.kid,
           jwk: this.jwk,
           jti: this.jti,
           alg: this.alg,
+          aud: this.aud,
           issuer: this.issuer,
           clientId: this.clientId,
-          nonce: this.cNonce,
+          ...(this.cNonce && { nonce: this.cNonce }),
         },
         this.jwt,
       );