chore: store authorization response in state

Author: nklomp

packages/client/lib/OpenID4VCIClient.ts

@@ -46,6 +46,7 @@ export interface OpenID4VCIClientState {
   endpointMetadata?: EndpointMetadataResult;
   accessTokenResponse?: AccessTokenResponse;
   authorizationRequestOpts?: AuthorizationRequestOpts;
+  authorizationCodeResponse?: AuthorizationResponse;
   pkce: PKCEOpts;
   authorizationURL?: string;
 }
@@ -65,6 +66,7 @@ export class OpenID4VCIClient {
     endpointMetadata,
     accessTokenResponse,
     authorizationRequestOpts,
+    authorizationCodeResponse,
     authorizationURL,
   }: {
     credentialOffer?: CredentialOfferRequestWithBaseUrl;
@@ -78,6 +80,7 @@ export class OpenID4VCIClient {
     endpointMetadata?: EndpointMetadataResult;
     accessTokenResponse?: AccessTokenResponse;
     authorizationRequestOpts?: AuthorizationRequestOpts;
+    authorizationCodeResponse?: AuthorizationResponse;
     authorizationURL?: string;
   }) {
     const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : undefined);
@@ -93,6 +96,7 @@ export class OpenID4VCIClient {
       clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload(credentialOffer.credential_offer)) ?? kid?.split('#')[0],
       pkce: { disabled: false, codeChallengeMethod: CodeChallengeMethod.S256, ...pkce },
       authorizationRequestOpts,
+      authorizationCodeResponse,
       jwk,
       endpointMetadata,
       accessTokenResponse,
@@ -254,7 +258,12 @@ export class OpenID4VCIClient {
   }): Promise<AccessTokenResponse> {
     const { pin, clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
-    const code = opts?.code ?? (opts?.authorizationResponse ? toAuthorizationResponsePayload(opts.authorizationResponse).code : undefined);
+    if (opts?.authorizationResponse) {
+      this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(opts.authorizationResponse) };
+    } else if (opts?.code) {
+      this._state.authorizationCodeResponse = { code: opts.code };
+    }
+    const code = this._state.authorizationCodeResponse?.code;
 
     if (opts?.codeVerifier) {
       this._state.pkce.codeVerifier = opts.codeVerifier;

packages/common/lib/types/OpenID4VCIErrors.ts

@@ -1,12 +1,14 @@
-import { Alg } from './CredentialIssuance.types'
+import { Alg } from './CredentialIssuance.types';
 
 export const BAD_PARAMS = 'Wrong parameters provided';
 export const URL_NOT_VALID = 'Request url is not valid';
 export const JWS_NOT_VALID = 'JWS is not valid';
 export const PROOF_CANT_BE_CONSTRUCTED = "Proof can't be constructed.";
 export const NO_JWT_PROVIDED = 'No JWT provided';
 export const TYP_ERROR = 'Typ must be "openid4vci-proof+jwt"';
-export const ALG_ERROR = `Algorithm is a required field, you are free to use the signing algorithm of your choice or one of the following: ${Object.keys(Alg).join(', ')}`;
+export const ALG_ERROR = `Algorithm is a required field, you are free to use the signing algorithm of your choice or one of the following: ${Object.keys(
+  Alg,
+).join(', ')}`;
 export const KID_JWK_X5C_ERROR = 'Only one must be present: kid, jwk or x5c';
 export const KID_DID_NO_DID_ERROR = 'A DID value needs to be returned when kid is present';
 export const DID_NO_DIDDOC_ERROR = 'A DID Document needs to be resolved when a DID is encountered';

packages/issuer/lib/VcIssuer.ts

@@ -32,19 +32,14 @@ import {
   toUniformCredentialOfferRequest,
   TYP_ERROR,
   UniformCredentialRequest,
-  URIState
+  URIState,
 } from '@sphereon/oid4vci-common'
 import { CompactSdJwtVc, CredentialMapper, W3CVerifiableCredential } from '@sphereon/ssi-types'
 import { v4 } from 'uuid'
 
 import { assertValidPinNumber, createCredentialOfferObject, createCredentialOfferURIFromObject } from './functions'
 import { LookupStateManager } from './state-manager'
-import {
-  CredentialDataSupplier,
-  CredentialDataSupplierArgs,
-  CredentialIssuanceInput,
-  CredentialSignerCallback
-} from './types'
+import { CredentialDataSupplier, CredentialDataSupplierArgs, CredentialIssuanceInput, CredentialSignerCallback } from './types'
 
 const SECOND = 1000
 

packages/issuer/lib/__tests__/VcIssuer.spec.ts

@@ -6,7 +6,7 @@ import {
   CredentialSupported,
   IssuerCredentialSubjectDisplay,
   IssueStatus,
-  STATE_MISSING_ERROR
+  STATE_MISSING_ERROR,
 } from '@sphereon/oid4vci-common'
 import { IProofPurpose, IProofType } from '@sphereon/ssi-types'
 import { DIDDocument } from 'did-resolver'
@@ -18,24 +18,18 @@ import { MemoryStates } from '../state-manager'
 const IDENTIPROOF_ISSUER_URL = 'https://issuer.research.identiproof.io'
 
 const verifiableCredential = {
-  '@context': [
-    'https://www.w3.org/2018/credentials/v1',
-    'https://w3id.org/security/suites/jws-2020/v1'
-  ],
+  '@context': ['https://www.w3.org/2018/credentials/v1', 'https://w3id.org/security/suites/jws-2020/v1'],
   id: 'http://university.example/credentials/1872',
-  type: [
-    'VerifiableCredential',
-    'ExampleAlumniCredential'
-  ],
+  type: ['VerifiableCredential', 'ExampleAlumniCredential'],
   issuer: 'https://university.example/issuers/565049',
   issuanceDate: new Date().toISOString(),
   credentialSubject: {
     id: 'did:example:ebfeb1f712ebc6f1c276e12ec21',
     alumniOf: {
       id: 'did:example:c276e12ec21ebfeb1f712ebc6f1',
-      name: 'Example University'
-    }
-  }
+      name: 'Example University',
+    },
+  },
 }
 
 describe('VcIssuer', () => {
@@ -275,27 +269,26 @@ describe('VcIssuer', () => {
   // Of course this doesn't work. The state is part of the proof to begin with
   it('should fail issuing credential if an invalid state is used', async () => {
     jwtVerifyCallback.mockResolvedValue({
-        did: 'did:example:1234',
-        kid: 'did:example:1234#auth',
-        alg: Alg.ES256K,
-        didDocument: {
-          '@context': 'https://www.w3.org/ns/did/v1',
-          id: 'did:example:1234',
+      did: 'did:example:1234',
+      kid: 'did:example:1234#auth',
+      alg: Alg.ES256K,
+      didDocument: {
+        '@context': 'https://www.w3.org/ns/did/v1',
+        id: 'did:example:1234',
+      },
+      jwt: {
+        header: {
+          typ: 'openid4vci-proof+jwt',
+          alg: Alg.ES256K,
+          kid: 'test-kid',
         },
-        jwt: {
-          header: {
-            typ: 'openid4vci-proof+jwt',
-            alg: Alg.ES256K,
-            kid: 'test-kid',
-          },
-          payload: {
-            aud: IDENTIPROOF_ISSUER_URL,
-            iat: +new Date(),
-            nonce: 'test-nonce',
-          },
-        }
-      }
-    )
+        payload: {
+          aud: IDENTIPROOF_ISSUER_URL,
+          iat: +new Date(),
+          nonce: 'test-nonce',
+        },
+      },
+    })
 
     await expect(
       vcIssuer.issueCredential({
@@ -314,45 +307,44 @@ describe('VcIssuer', () => {
 
   it.each([...Object.values<string>(Alg), 'CUSTOM'])('should issue %s signed credential if a valid state is passed in', async (alg: string) => {
     jwtVerifyCallback.mockResolvedValue({
-        did: 'did:example:1234',
-        kid: 'did:example:1234#auth',
-        alg: alg,
-        didDocument: {
-          '@context': 'https://www.w3.org/ns/did/v1',
-          id: 'did:example:1234',
+      did: 'did:example:1234',
+      kid: 'did:example:1234#auth',
+      alg: alg,
+      didDocument: {
+        '@context': 'https://www.w3.org/ns/did/v1',
+        id: 'did:example:1234',
+      },
+      jwt: {
+        header: {
+          typ: 'openid4vci-proof+jwt',
+          alg: alg,
+          kid: 'test-kid',
         },
-        jwt: {
-          header: {
-            typ: 'openid4vci-proof+jwt',
-            alg: alg,
-            kid: 'test-kid',
-          },
-          payload: {
-            aud: IDENTIPROOF_ISSUER_URL,
-            iat: +new Date(),
-            nonce: 'test-nonce',
-          },
-        }
-      }
-    )
+        payload: {
+          aud: IDENTIPROOF_ISSUER_URL,
+          iat: +new Date(),
+          nonce: 'test-nonce',
+        },
+      },
+    })
 
-    let createdAt = +new Date()
+    const createdAt = +new Date()
     await vcIssuer.cNonces.set('test-nonce', {
       cNonce: 'test-nonce',
       preAuthorizedCode: 'test-pre-authorized-code',
-      createdAt: createdAt
+      createdAt: createdAt,
     })
     await vcIssuer.credentialOfferSessions.set('test-pre-authorized-code', {
       createdAt: createdAt,
       preAuthorizedCode: 'test-pre-authorized-code',
       credentialOffer: {
         credential_offer: {
           credential_issuer: 'did:key:test',
-          credentials: []
-        }
+          credentials: [],
+        },
       },
       lastUpdatedAt: createdAt,
-      status: IssueStatus.ACCESS_TOKEN_CREATED
+      status: IssueStatus.ACCESS_TOKEN_CREATED,
     })
 
     expect(
@@ -363,11 +355,11 @@ describe('VcIssuer', () => {
           format: 'jwt_vc_json',
           proof: {
             proof_type: 'jwt',
-            jwt: 'ye.ye.ye'
-          }
+            jwt: 'ye.ye.ye',
+          },
         },
-        newCNonce: 'new-test-nonce'
-      })
+        newCNonce: 'new-test-nonce',
+      }),
     ).resolves.toEqual({
       c_nonce: 'new-test-nonce',
       c_nonce_expires_in: 300000,
@@ -381,54 +373,55 @@ describe('VcIssuer', () => {
           jwt: 'ye.ye.ye',
           proofPurpose: 'assertionMethod',
           type: 'JwtProof2020',
-          verificationMethod: 'sdfsdfasdfasdfasdfasdfassdfasdf'
+          verificationMethod: 'sdfsdfasdfasdfasdfasdfassdfasdf',
         },
-        type: ['VerifiableCredential']
+        type: ['VerifiableCredential'],
       },
-      format: 'jwt_vc_json'
+      format: 'jwt_vc_json',
     })
   })
 
   it('should fail issuing credential if the signing algorithm is missing', async () => {
-    let createdAt = +new Date()
+    const createdAt = +new Date()
     await vcIssuer.cNonces.set('test-nonce', {
       cNonce: 'test-nonce',
       preAuthorizedCode: 'test-pre-authorized-code',
-      createdAt: createdAt
+      createdAt: createdAt,
     })
 
     jwtVerifyCallback.mockResolvedValue({
-        did: 'did:example:1234',
-        kid: 'did:example:1234#auth',
-        alg: undefined,
-        didDocument: {
-          '@context': 'https://www.w3.org/ns/did/v1',
-          id: 'did:example:1234',
+      did: 'did:example:1234',
+      kid: 'did:example:1234#auth',
+      alg: undefined,
+      didDocument: {
+        '@context': 'https://www.w3.org/ns/did/v1',
+        id: 'did:example:1234',
+      },
+      jwt: {
+        header: {
+          typ: 'openid4vci-proof+jwt',
+          alg: undefined,
+          kid: 'test-kid',
         },
-        jwt: {
-          header: {
-            typ: 'openid4vci-proof+jwt',
-            alg: undefined,
-            kid: 'test-kid',
-          },
-          payload: {
-            aud: IDENTIPROOF_ISSUER_URL,
-            iat: +new Date(),
-            nonce: 'test-nonce',
-          },
-        }
-      }
-    )
-
-    expect(vcIssuer.issueCredential({
-      credentialRequest: {
-        types: ['VerifiableCredential'],
-        format: 'jwt_vc_json',
-        proof: {
-          proof_type: 'jwt',
-          jwt: 'ye.ye.ye',
+        payload: {
+          aud: IDENTIPROOF_ISSUER_URL,
+          iat: +new Date(),
+          nonce: 'test-nonce',
         },
       },
-    })).rejects.toThrow(Error(ALG_ERROR))
+    })
+
+    expect(
+      vcIssuer.issueCredential({
+        credentialRequest: {
+          types: ['VerifiableCredential'],
+          format: 'jwt_vc_json',
+          proof: {
+            proof_type: 'jwt',
+            jwt: 'ye.ye.ye',
+          },
+        },
+      }),
+    ).rejects.toThrow(Error(ALG_ERROR))
   })
 })