chore: v11 context fix

Author: nklomp

packages/client/lib/CredentialRequestClient.ts

@@ -78,11 +78,12 @@ export class CredentialRequestClient {
   public async acquireCredentialsUsingProof<DIDDoc>(opts: {
     proofInput: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession;
     credentialTypes?: string | string[];
+    context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
   }): Promise<OpenIDResponse<CredentialResponse>> {
-    const { credentialTypes, proofInput, format } = opts;
+    const { credentialTypes, proofInput, format, context } = opts;
 
-    const request = await this.createCredentialRequest({ proofInput, credentialTypes, format, version: this.version() });
+    const request = await this.createCredentialRequest({ proofInput, credentialTypes, context, format, version: this.version() });
     return await this.acquireCredentialsUsingRequest(request);
   }
 
@@ -133,6 +134,7 @@ export class CredentialRequestClient {
   public async createCredentialRequest<DIDDoc>(opts: {
     proofInput: ProofOfPossessionBuilder<DIDDoc> | ProofOfPossession;
     credentialTypes?: string | string[];
+    context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
     version: OpenId4VCIVersion;
   }): Promise<UniformCredentialRequest> {
@@ -165,13 +167,20 @@ export class CredentialRequestClient {
         proof,
       };
     } else if (format === 'jwt_vc_json-ld' || format === 'ldp_vc') {
+      if (this.version() >= OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
+        throw Error('No @context value present, but it is required');
+      }
+
       return {
         format,
         proof,
+
+        // Ignored because v11 does not have the context value, but it is required in v12
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore
         credential_definition: {
           types,
-          // FIXME: this was not included in the original code, but it is required
-          '@context': [],
+          ...(opts.context && { '@context': opts.context }),
         },
       };
     } else if (format === 'vc+sd-jwt') {

packages/client/lib/OpenID4VCIClient.ts

@@ -281,6 +281,7 @@ export class OpenID4VCIClient {
 
   public async acquireCredentials({
     credentialTypes,
+    context,
     proofCallbacks,
     format,
     kid,
@@ -291,6 +292,7 @@ export class OpenID4VCIClient {
     deferredCredentialIntervalInMS,
   }: {
     credentialTypes: string | string[];
+    context?: string[];
     proofCallbacks: ProofOfPossessionCallbacks<any>;
     format?: CredentialFormat | OID4VCICredentialFormat;
     kid?: string;
@@ -375,7 +377,8 @@ export class OpenID4VCIClient {
     }
     const response = await credentialRequestClient.acquireCredentialsUsingProof({
       proofInput: proofBuilder,
-      credentialTypes: credentialTypes,
+      credentialTypes,
+      context,
       format,
     });
     if (response.errorBody) {

packages/common/lib/functions/CredentialOfferUtil.ts

@@ -113,7 +113,9 @@ export const getStateFromCredentialOfferPayload = (credentialOffer: CredentialOf
 };
 
 export function determineSpecVersionFromOffer(offer: CredentialOfferPayload | CredentialOffer): OpenId4VCIVersion {
-  if (isCredentialOfferV1_0_11(offer)) {
+  if (isCredentialOfferV1_0_12(offer)) {
+    return OpenId4VCIVersion.VER_1_0_12;
+  } else if (isCredentialOfferV1_0_11(offer)) {
     return OpenId4VCIVersion.VER_1_0_11;
   } else if (isCredentialOfferV1_0_09(offer)) {
     return OpenId4VCIVersion.VER_1_0_09;
@@ -183,6 +185,21 @@ function isCredentialOfferV1_0_11(offer: CredentialOfferPayload | CredentialOffe
   return 'credential_offer_uri' in offer;
 }
 
+function isCredentialOfferV1_0_12(offer: CredentialOfferPayload | CredentialOffer): boolean {
+  if (!offer) {
+    return false;
+  }
+  if ('credential_issuer' in offer && 'credentials' in offer) {
+    // payload
+    return true;
+  }
+  if ('credential_offer' in offer && offer['credential_offer']) {
+    // offer, so check payload
+    return isCredentialOfferV1_0_12(offer['credential_offer']);
+  }
+  return 'credential_offer_uri' in offer;
+}
+
 export async function toUniformCredentialOfferRequest(
   offer: CredentialOffer,
   opts?: {

packages/common/lib/functions/CredentialRequestUtil.ts

@@ -1,4 +1,9 @@
-import { CredentialRequestV1_0_08, OpenId4VCIVersion, UniformCredentialRequest } from '../types';
+import {
+  CredentialRequestV1_0_08,
+  CredentialRequestV1_0_11,
+  OpenId4VCIVersion,
+  UniformCredentialRequest,
+} from '../types';
 
 import { getFormatForVersion } from './FormatUtils';
 
@@ -7,7 +12,9 @@ export function getTypesFromRequest(credentialRequest: UniformCredentialRequest,
   if (credentialRequest.format === 'jwt_vc_json' || credentialRequest.format === 'jwt_vc') {
     types = credentialRequest.types;
   } else if (credentialRequest.format === 'jwt_vc_json-ld' || credentialRequest.format === 'ldp_vc') {
-    types = credentialRequest.credential_definition.types;
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    types = 'credential_definition' in credentialRequest && credentialRequest.credential_definition ? credentialRequest.credential_definition.types : credentialRequest.types;
   } else if (credentialRequest.format === 'vc+sd-jwt') {
     types = [credentialRequest.vct];
   }
@@ -24,7 +31,7 @@ export function getTypesFromRequest(credentialRequest: UniformCredentialRequest,
 export function getCredentialRequestForVersion(
   credentialRequest: UniformCredentialRequest,
   version: OpenId4VCIVersion,
-): UniformCredentialRequest | CredentialRequestV1_0_08 {
+): UniformCredentialRequest | CredentialRequestV1_0_08 | CredentialRequestV1_0_11 {
   if (version === OpenId4VCIVersion.VER_1_0_08) {
     const draft8Format = getFormatForVersion(credentialRequest.format, version);
     const types = getTypesFromRequest(credentialRequest, { filterVerifiableCredential: true });
@@ -34,6 +41,14 @@ export function getCredentialRequestForVersion(
       proof: credentialRequest.proof,
       type: types[0],
     } satisfies CredentialRequestV1_0_08;
+ /* } else if (version === OpenId4VCIVersion.VER_1_0_11) {
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    const { credential_definition = undefined, ...requestv11 } = credentialRequest;
+    return {
+      ...requestv11,
+      ...credential_definition,
+    } as CredentialRequestV1_0_11;*/
   }
 
   return credentialRequest;

packages/common/lib/types/Generic.types.ts

@@ -3,7 +3,7 @@ import { ICredentialContextType, IVerifiableCredential, W3CVerifiableCredential
 import { ProofOfPossession } from './CredentialIssuance.types';
 import { AuthorizationServerMetadata } from './ServerMetadata';
 import { CredentialOfferSession } from './StateManager.types';
-import { CredentialRequestV1_0_11 } from './v1_0_11.types';
+import { CredentialRequestV1_0_11 } from './v1_0_11.types'
 
 /**
  * Important Note: please be aware that these Common interfaces are based on versions v1_0.11 and v1_0.09
@@ -51,16 +51,24 @@ export interface CredentialIssuerMetadataOpts {
   credentials_supported: CredentialSupported[]; // REQUIRED. A JSON array containing a list of JSON objects, each of them representing metadata about a separate credential type that the Credential Issuer can issue. The JSON objects in the array MUST conform to the structure of the Section 10.2.3.1.
   credential_issuer: string; // REQUIRED. The Credential Issuer's identifier.
   authorization_server?: string; // OPTIONAL. Identifier of the OAuth 2.0 Authorization Server (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per [RFC8414].
+  // authorization_servers?: string[]; // OPTIONAL. Array of strings that identify the OAuth 2.0 Authorization Servers (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per [RFC8414].
   token_endpoint?: string;
   display?: MetadataDisplay[]; //  An array of objects, where each object contains display properties of a Credential Issuer for a certain language. Below is a non-exhaustive list of valid parameters that MAY be included:
   credential_supplier_config?: CredentialSupplierConfig;
 }
 
 // For now we extend the opts above. Only difference is that the credential endpoint is optional in the Opts, as it can come from other sources. The value is however required in the eventual Issuer Metadata
 export interface CredentialIssuerMetadata extends CredentialIssuerMetadataOpts, Partial<AuthorizationServerMetadata> {
+  authorization_servers?: string[]; // OPTIONAL. Array of strings that identify the OAuth 2.0 Authorization Servers (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per [RFC8414].
   credential_endpoint: string; // REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.
+  credential_response_encryption_alg_values_supported?: string; // OPTIONAL. Array containing a list of the JWE [RFC7516] encryption algorithms (alg values) [RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].
+  credential_response_encryption_enc_values_supported?: string; //OPTIONAL. Array containing a list of the JWE [RFC7516] encryption algorithms (enc values) [RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].
+  require_credential_response_encryption?: boolean; //OPTIONAL. Boolean value specifying whether the Credential Issuer requires additional encryption on top of TLS for the Credential Response and expects encryption parameters to be present in the Credential Request and/or Batch Credential Request, with true indicating support. When the value is true, credential_response_encryption_alg_values_supported parameter MUST also be provided. If omitted, the default value is false.
+  credential_identifiers_supported?: boolean; // OPTIONAL. Boolean value specifying whether the Credential Issuer supports returning credential_identifiers parameter in the authorization_details Token Response parameter, with true indicating support. If omitted, the default value is false.
 }
 
+// For now we extend the opts above. Only difference is that the credential endpoint is optional in the Opts, as it can come from other sources. The value is however required in the eventual Issuer Metadata
+
 export interface CredentialSupportedBrief {
   cryptographic_binding_methods_supported?: string[]; // OPTIONAL. Array of case sensitive strings that identify how the Credential is bound to the identifier of the End-User who possesses the Credential
   cryptographic_suites_supported?: string[]; // OPTIONAL. Array of case sensitive strings that identify the cryptographic suites that are supported for the cryptographic_binding_methods_supported
@@ -229,6 +237,12 @@ export interface GrantAuthorizationCode {
    * Authorization Request with the Credential Issuer to a context set up during previous steps.
    */
   issuer_state?: string;
+
+  // v12 feature
+  /**
+   * OPTIONAL string that the Wallet can use to identify the Authorization Server to use with this grant type when authorization_servers parameter in the Credential Issuer metadata has multiple entries. MUST NOT be used otherwise. The value of this parameter MUST match with one of the values in the authorization_servers array obtained from the Credential Issuer metadata
+   */
+  authorization_server?: string;
 }
 
 export interface GrantUrnIetf {
@@ -241,6 +255,18 @@ export interface GrantUrnIetf {
    * in a Pre-Authorized Code Flow. Default is false.
    */
   user_pin_required: boolean;
+
+  //v12
+  /**
+   * OPTIONAL. The minimum amount of time in seconds that the Wallet SHOULD wait between polling requests to the token endpoint (in case the Authorization Server responds with error code authorization_pending - see Section 6.3). If no value is provided, Wallets MUST use 5 as the default.
+   */
+  interval?: number;
+
+  // v12 feature
+  /**
+   * OPTIONAL string that the Wallet can use to identify the Authorization Server to use with this grant type when authorization_servers parameter in the Credential Issuer metadata has multiple entries. MUST NOT be used otherwise. The value of this parameter MUST match with one of the values in the authorization_servers array obtained from the Credential Issuer metadata
+   */
+  authorization_server?: string;
 }
 
 export const PRE_AUTH_CODE_LITERAL = 'pre-authorized_code';

packages/common/lib/types/OpenID4VCIVersions.types.ts

@@ -2,7 +2,8 @@ export enum OpenId4VCIVersion {
   VER_1_0_08 = 1008,
   VER_1_0_09 = 1009,
   VER_1_0_11 = 1011,
-  VER_UNKNOWN = Number.MIN_VALUE,
+  VER_1_0_12 = 1012,
+  VER_UNKNOWN = Number.MAX_VALUE,
 }
 
 export enum DefaultURISchemes {

packages/common/lib/types/v1_0_11.types.ts

@@ -2,13 +2,15 @@ import { AuthorizationDetailsJwtVcJson, CommonAuthorizationRequest } from './Aut
 import {
   CommonCredentialRequest,
   CredentialDataSupplierInput,
+  CredentialIssuerMetadataOpts,
   CredentialOfferFormat,
   CredentialRequestJwtVcJson,
-  CredentialRequestJwtVcJsonLdAndLdpVc,
   CredentialRequestSdJwtVc,
   Grant,
+  JsonLdIssuerCredentialDefinition,
 } from './Generic.types';
 import { QRCodeOpts } from './QRCode.types';
+import { AuthorizationServerMetadata } from './ServerMetadata';
 
 export interface CredentialOfferV1_0_11 {
   credential_offer?: CredentialOfferPayloadV1_0_11;
@@ -56,7 +58,17 @@ export interface CredentialOfferPayloadV1_0_11 {
 }
 
 export type CredentialRequestV1_0_11 = CommonCredentialRequest &
-  (CredentialRequestJwtVcJson | CredentialRequestJwtVcJsonLdAndLdpVc | CredentialRequestSdJwtVc);
+  (CredentialRequestJwtVcJson | CredentialRequestJwtVcJsonLdAndLdpVcV1_0_11 | CredentialRequestSdJwtVc);
+
+export interface CredentialRequestJwtVcJsonLdAndLdpVcV1_0_11
+  extends CommonCredentialRequest,
+    Pick<JsonLdIssuerCredentialDefinition, 'credentialSubject' | 'types'> {
+  format: 'ldp_vc' | 'jwt_vc_json-ld';
+}
+export interface CredentialIssuerMetadataV1_0_11 extends CredentialIssuerMetadataOpts, Partial<AuthorizationServerMetadata> {
+  credential_endpoint: string; // REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.
+  authorization_server?: string;
+}
 
 export interface AuthorizationRequestV1_0_11 extends AuthorizationDetailsJwtVcJson, AuthorizationDetailsJwtVcJson {
   issuer_state?: string;

packages/common/lib/types/v1_0_12.types.ts

@@ -0,0 +1,4 @@
+import { CommonCredentialRequest, CredentialRequestJwtVcJson, CredentialRequestJwtVcJsonLdAndLdpVc, CredentialRequestSdJwtVc } from './Generic.types';
+
+export type CredentialRequestV1_0_12 = CommonCredentialRequest &
+  (CredentialRequestJwtVcJson | CredentialRequestJwtVcJsonLdAndLdpVc | CredentialRequestSdJwtVc);