Merge pull request #91 from Sphereon-Opensource/develop

fix: opts passed to getCredentialOfferEndpoint()

chore: add Sphereon E2E test as well as code from #63 to test potential issue

chore: remove duplicate test

feat: add sd-jwt support

feat: Add optional QR code generation

docs: Update README.md for code discrepancies

docs: Update README.md for DIDDocument

feat: update sd-jwt profile from oid4vci


feat: Add initial support for creating a client without credential offer

fix: Add back jwt_vc format support for older versions

feat: EBSI compatibility

chore: test fix

chore: issuer type fix

chore: test fixes

feat: Add deferred  credential support

* chore: update lock file

* fix(sd-jwt): cnf instead of kid

* chore: missed to remove actual es-line line

chore: missed to remove actual es-line line

* Update VcIssuer.ts

* chore: update ssi-types to 0.18

Signed-off-by: Timo Glastra <timo@animo.id>

* feat: ldp issuance

Signed-off-by: Timo Glastra <timo@animo.id>

* feat: Support sd-jwt 0.2.0 library

* chore: update lock file

* chore: update lock file

* fix: add sd-jwt to issuer callback

Signed-off-by: Timo Glastra <timo@animo.id>

* Update packages/client/lib/CredentialRequestClient.ts

* feat: PKCE support improvements.
Now you can omit PKCE code verifier/challenge params for authorization code flows. They will be generated automatically. Be aware the API of the createAuthorizationUrl method changed as a result. It now has a PKCE param

* feat: PAR improvements
The createAuthorizationRequestUrl now automatically handles PAR, instead of having a separate method. There is a new Param to determine whether PAR should be used automatically, never be used, or whether it is required. The latter is also set when the AS has a PAR required metadata value. As a result the createAuthorizationUrl method now is asynchronous

* chore: Use calculated codeVerifier when acquiring the access token

* feat: Allow to create an authorization request URL when initiating the OID4VCI client

 Including support for PAR, when initializing the client from an issuer, or when using a credential offer that supports an authorization code flow. Improvements to create authorization request URL in general. Please be aware that the API for this method has changed

* chore: fix test

* feat: Add support to get a client id from an offer, and from state JWTs. EBSI for instance is using this

* chore: fix clientId from offer

* chore: fix clientId from offer

* chore: fix clientId from offer

* chore: fix clientId from offer

* chore: disable EBSI tests, because of timeout

* chore: investigate req opts not properly filled

* chore: investigate req opts not properly filled

* chore: investigate req opts not properly filled

* feature: Add support to pass in an authorization response to the access token request. The authorization response can either be a JSON or URI

* feat: Make sure redirect_uri is the same for authorization and token endpoint when used and made redirect_uri optional. The redirect_uri is automatically passed to the token request in case one was used for authorization

* fix: Fix uri to json conversion when no required params are provided

* fix: Do not set a default redirect_uri, unless no authorization request options are set at all

* fix: the client_id used in the auth request was not taken into account when requesting access token

* fix: Do not sort credential types, as issuers might rely on their order

* chore: Make sure the body debug log does not confuse people, by not JSON stringifying when the body is already a string. Was only used in logging, not in the actual payload

* chore: Add a default clientId

* fix: disable awesome-qr in rn

Signed-off-by: Timo Glastra <timo@animo.id>

* chore: v11 context fix

* chore: v11 context fix

* chore: allow to set clientId

* chore: fix imports

* feat: Allow to set the clientId at a later point on the VCI client

* chore: Cleanup

* fix: Do not set default client_id

* feat: added state recovery

* chore: move OpenID4VCIClient fields into state object

* chore: constructor fixes

* chore: test fixes

* chore: addressing pr comments

* chore: code cleanup

* chore: code cleanup

* chore: Disable E2E test because of infra issue

* chore: PAR fixes

---------

Signed-off-by: Timo Glastra <timo@animo.id>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Fendy Putra <fendy.putra@meeco.me>
Co-authored-by: Timo Glastra <timo@animo.id>
Co-authored-by: Ron Kreutzer <ron@rktechworks.com>
Co-authored-by: A.G.J. Cate <brummos@gmail.com>

Author: 6 people

.github/workflows/build-test-on-pr.yml

@@ -20,9 +20,9 @@ jobs:
         with:
           fetch-depth: 0
       - name: Use Node.js
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
-          node-version: '16.x'
+          node-version: '18.18.0'
       - uses: pnpm/action-setup@v2
         with:
           version: 8

.github/workflows/build-test-publish-on-push.yml

@@ -34,9 +34,9 @@ jobs:
         with:
           fetch-depth: 0
       - name: Use Node.js
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
-          node-version: '16.x'
+          node-version: '18.18.0'
       - uses: pnpm/action-setup@v2
         with:
           version: 8

package.json

@@ -20,7 +20,7 @@
     "publish:unstable": "lerna publish --conventional-prerelease --force-publish --canary --no-git-tag-version --include-merged-tags --preid unstable --pre-dist-tag unstable --yes --registry https://registry.npmjs.org"
   },
   "engines": {
-    "node": ">=16"
+    "node": ">=18"
   },
   "resolutions": {
     "node-fetch": "2.6.12"
@@ -43,7 +43,7 @@
     "prettier": "^3.0.1",
     "rimraf": "^5.0.1",
     "ts-jest": "^29.1.1",
-    "typescript": "4.9.5"
+    "typescript": "5.3.3"
   },
   "keywords": [
     "Sphereon",

packages/callback-example/CHANGELOG.md

@@ -7,10 +7,6 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 **Note:** Version bump only for package @sphereon/oid4vci-callback-example
 
-
-
-
-
 ## [0.7.3](https://github.com/Sphereon-Opensource/OID4VCI/compare/v0.7.2...v0.7.3) (2023-09-30)
 
 **Note:** Version bump only for package @sphereon/oid4vci-callback-example

packages/callback-example/lib/IssuerCallback.ts

@@ -4,7 +4,8 @@ import { Ed25519VerificationKey2020 } from '@digitalcredentials/ed25519-verifica
 import { securityLoader } from '@digitalcredentials/security-document-loader'
 import vc from '@digitalcredentials/vc'
 import { CredentialRequestV1_0_11 } from '@sphereon/oid4vci-common'
-import { ICredential, W3CVerifiableCredential } from '@sphereon/ssi-types'
+import { CredentialIssuanceInput } from '@sphereon/oid4vci-issuer'
+import { CompactSdJwtVc, W3CVerifiableCredential } from '@sphereon/ssi-types'
 
 // Example on how to generate a did:key to issue a verifiable credential
 export const generateDid = async () => {
@@ -14,12 +15,15 @@ export const generateDid = async () => {
 }
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-export const getIssuerCallback = (credential: ICredential, keyPair: any, verificationMethod: string) => {
+export const getIssuerCallback = (credential: CredentialIssuanceInput, keyPair: any, verificationMethod: string) => {
   if (!credential) {
     throw new Error('A credential needs to be provided')
   }
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  return async (_opts: { credentialRequest?: CredentialRequestV1_0_11; credential?: ICredential }): Promise<W3CVerifiableCredential> => {
+  return async (_opts: {
+    credentialRequest?: CredentialRequestV1_0_11
+    credential?: CredentialIssuanceInput
+  }): Promise<W3CVerifiableCredential | CompactSdJwtVc> => {
     const documentLoader = securityLoader().build()
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const verificationKey: any = Array.from(keyPair.values())[0]

packages/callback-example/lib/__tests__/issuerCallback.spec.ts

@@ -4,7 +4,6 @@ import { CredentialRequestClient, CredentialRequestClientBuilder, ProofOfPossess
 import {
   Alg,
   CNonceState,
-  CredentialOfferLdpVcV1_0_11,
   CredentialSupported,
   IssuerCredentialSubjectDisplay,
   IssueStatus,
@@ -118,19 +117,24 @@ describe('issuerCallback', () => {
       credentialOffer: {
         credential_offer: {
           credential_issuer: 'did:key:test',
-          credential_definition: {
-            types: ['VerifiableCredential'],
-            '@context': ['https://www.w3.org/2018/credentials/v1'],
-            credentialSubject: {},
-          },
+          credentials: [
+            {
+              format: 'ldp_vc',
+              credential_definition: {
+                types: ['VerifiableCredential'],
+                '@context': ['https://www.w3.org/2018/credentials/v1'],
+                credentialSubject: {},
+              },
+            },
+          ],
           grants: {
             authorization_code: { issuer_state: 'test_code' },
             'urn:ietf:params:oauth:grant-type:pre-authorized_code': {
               'pre-authorized_code': 'test_code',
               user_pin_required: true,
             },
           },
-        } as CredentialOfferLdpVcV1_0_11,
+        },
       },
     })
 
@@ -163,7 +167,7 @@ describe('issuerCallback', () => {
       )
       .withCredentialSignerCallback((opts) =>
         Promise.resolve({
-          ...opts.credential,
+          ...(opts.credential as ICredential),
           proof: {
             type: IProofType.JwtProof2020,
             jwt: 'ye.ye.ye',

packages/callback-example/package.json

@@ -18,7 +18,7 @@
     "@sphereon/oid4vci-client": "workspace:*",
     "@sphereon/oid4vci-common": "workspace:*",
     "@sphereon/oid4vci-issuer": "workspace:*",
-    "@sphereon/ssi-types": "0.17.2",
+    "@sphereon/ssi-types": "^0.18.1",
     "jose": "^4.10.0"
   },
   "devDependencies": {

packages/client/CHANGELOG.md

@@ -7,10 +7,6 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 **Note:** Version bump only for package @sphereon/oid4vci-client
 
-
-
-
-
 ## [0.7.3](https://github.com/Sphereon-Opensource/OID4VCI/compare/v0.7.2...v0.7.3) (2023-09-30)
 
 **Note:** Version bump only for package @sphereon/oid4vci-client

packages/client/README.md

@@ -72,12 +72,10 @@ console.log(client.getAccessTokenEndpoint()); // https://auth.research.identipro
 
 The OID4VCI Server metadata contains information about token endpoints, credential endpoints, as well as additional
 information about supported Credentials, and their cryptographic suites and formats.
-The code above already retrieved the metadata, so it will not be fetched again. If you however not used
+The code above already retrieved the metadata, so it will not be fetched again, and this method places the data in another variable. If you however have not used
 the `retrieveServerMetadata` option, you can use this method to fetch it from the Issuer:
 
 ```typescript
-import { OpenID4VCIClient } from '@sphereon/oid4vci-client';
-
 const metadata = await client.retrieveServerMetadata();
 ```
 
@@ -111,6 +109,9 @@ the [Proof of Posession](#proof-of-possession) chapter for more information.
 The Proof of Possession using a signature callback function. The example uses the `jose` library.
 
 ```typescript
+import * as jose from 'jose';
+import { DIDDocument } from 'did-resolver';
+
 const { privateKey, publicKey } = await jose.generateKeyPair('ES256');
 
 // Must be JWS
@@ -121,10 +122,10 @@ async function signCallback(args: Jwt, kid: string): Promise<string> {
     .setIssuer(kid)
     .setAudience(args.payload.aud)
     .setExpirationTime('2h')
-    .sign(keypair.privateKey);
+    .sign(privateKey);
 }
 
-const callbacks: ProofOfPossessionCallbacks = {
+const callbacks: ProofOfPossessionCallbacks<DIDDocument> = {
   signCallback,
 };
 ```
@@ -133,14 +134,14 @@ Now it is time to get the actual credential
 
 ```typescript
 const credentialResponse = await client.acquireCredentials({
-  credentialType: 'OpenBadgeCredential',
+  credentialTypes: 'OpenBadgeCredential',
   proofCallbacks: callbacks,
-  format: 'jwt_vc',
+  format: 'jwt_vc_json',
   alg: Alg.ES256K,
   kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21#keys-1',
 });
 console.log(credentialResponse.credential);
-// JWT format. (LDP/JSON-LD is also supported by the client)
+// JWT format. (LDP / JSON-LD ('ldp_vc' / 'jwt_vc_json-ld') is also supported by the client)
 // eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL2V4YW1wbGVzL3YxIl0sImlkIjoiaHR0cDovL2V4YW1wbGUuZWR1L2NyZWRlbnRpYWxzLzM3MzIiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVW5pdmVyc2l0eURlZ3JlZUNyZWRlbnRpYWwiXSwiaXNzdWVyIjoiaHR0cHM6Ly9leGFtcGxlLmVkdS9pc3N1ZXJzLzU2NTA0OSIsImlzc3VhbmNlRGF0ZSI6IjIwMTAtMDEtMDFUMDA6MDA6MDBaIiwiY3JlZGVudGlhbFN1YmplY3QiOnsiaWQiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEiLCJkZWdyZWUiOnsidHlwZSI6IkJhY2hlbG9yRGVncmVlIiwibmFtZSI6IkJhY2hlbG9yIG9mIFNjaWVuY2UgYW5kIEFydHMifX19LCJpc3MiOiJodHRwczovL2V4YW1wbGUuZWR1L2lzc3VlcnMvNTY1MDQ5IiwibmJmIjoxMjYyMzA0MDAwLCJqdGkiOiJodHRwOi8vZXhhbXBsZS5lZHUvY3JlZGVudGlhbHMvMzczMiIsInN1YiI6ImRpZDpleGFtcGxlOmViZmViMWY3MTJlYmM2ZjFjMjc2ZTEyZWMyMSJ9.z5vgMTK1nfizNCg5N-niCOL3WUIAL7nXy-nGhDZYO_-PNGeE-0djCpWAMH8fD8eWSID5PfkPBYkx_dfLJnQ7NA
 ```
 

packages/client/lib/AccessTokenClient.ts

@@ -9,6 +9,7 @@ import {
   getIssuerFromCredentialOfferPayload,
   GrantTypes,
   IssuerOpts,
+  JsonURIMode,
   OpenIDResponse,
   PRE_AUTH_CODE_LITERAL,
   TokenErrorResponse,
@@ -27,9 +28,11 @@ export class AccessTokenClient {
   public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise<OpenIDResponse<AccessTokenResponse>> {
     const { asOpts, pin, codeVerifier, code, redirectUri, metadata } = opts;
 
-    const credentialOffer = await assertedUniformCredentialOffer(opts.credentialOffer);
-    const isPinRequired = this.isPinRequiredValue(credentialOffer.credential_offer);
-    const issuer = getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) ?? (metadata?.issuer as string);
+    const credentialOffer = opts.credentialOffer ? await assertedUniformCredentialOffer(opts.credentialOffer) : undefined;
+    const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer);
+    const issuer =
+      opts.credentialIssuer ??
+      (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : (metadata?.issuer as string));
     if (!issuer) {
       throw Error('Issuer required at this point');
     }
@@ -83,14 +86,14 @@ export class AccessTokenClient {
 
   public async createAccessTokenRequest(opts: AccessTokenRequestOpts): Promise<AccessTokenRequest> {
     const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
-    const credentialOfferRequest = await toUniformCredentialOfferRequest(opts.credentialOffer);
+    const credentialOfferRequest = opts.credentialOffer ? await toUniformCredentialOfferRequest(opts.credentialOffer) : undefined;
     const request: Partial<AccessTokenRequest> = {};
 
     if (asOpts?.clientId) {
       request.client_id = asOpts.clientId;
     }
 
-    if (credentialOfferRequest.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
+    if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
       this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
       request.user_pin = pin;
 
@@ -102,7 +105,7 @@ export class AccessTokenClient {
       return request as AccessTokenRequest;
     }
 
-    if (credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
+    if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
       request.grant_type = GrantTypes.AUTHORIZATION_CODE;
       request.code = code;
       request.redirect_uri = redirectUri;
@@ -174,14 +177,6 @@ export class AccessTokenClient {
       throw new Error('Authorization flow requires the code to be present');
     }
   }
-
-  private assertNonEmptyRedirectUri(accessTokenRequest: AccessTokenRequest): void {
-    if (!accessTokenRequest.redirect_uri) {
-      debug('No redirect_uri present, whilst it is required');
-      throw new Error('Authorization flow requires the redirect_uri to be present');
-    }
-  }
-
   private validate(accessTokenRequest: AccessTokenRequest, isPinRequired?: boolean): void {
     if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {
       this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
@@ -191,14 +186,13 @@ export class AccessTokenClient {
       this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
       this.assertNonEmptyCodeVerifier(accessTokenRequest);
       this.assertNonEmptyCode(accessTokenRequest);
-      this.assertNonEmptyRedirectUri(accessTokenRequest);
     } else {
-      this.throwNotSupportedFlow;
+      this.throwNotSupportedFlow();
     }
   }
 
   private async sendAuthCode(requestTokenURL: string, accessTokenRequest: AccessTokenRequest): Promise<OpenIDResponse<AccessTokenResponse>> {
-    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest));
+    return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }));
   }
 
   public static determineTokenURL({
@@ -234,7 +228,9 @@ export class AccessTokenClient {
 
   private static creatTokenURLFromURL(url: string, allowInsecureEndpoints?: boolean, tokenEndpoint?: string): string {
     if (allowInsecureEndpoints !== true && url.startsWith('http:')) {
-      throw Error(`Unprotected token endpoints are not allowed ${url}. Adjust settings if you really need this (dev/test settings only!!)`);
+      throw Error(
+        `Unprotected token endpoints are not allowed ${url}. Use the 'allowInsecureEndpoints' param if you really need this for dev/testing!`,
+      );
     }
     const hostname = url.replace(/https?:\/\//, '').replace(/\/$/, '');
     const endpoint = tokenEndpoint ? (tokenEndpoint.startsWith('/') ? tokenEndpoint : tokenEndpoint.substring(1)) : '/token';
@@ -243,7 +239,7 @@ export class AccessTokenClient {
   }
 
   private throwNotSupportedFlow(): void {
-    debug(`Only pre-authorized flow supported.`);
-    throw new Error('Only pre-authorized-code flow is supported');
+    debug(`Only pre-authorized or authorization code flows supported.`);
+    throw new Error('Only pre-authorized-code or authorization code flows are supported');
   }
 }