Merge branch 'feature/DIIPv4' into feature/SSISDK-41_credential_sets

# Conflicts:
#	packages/siop-oid4vp/lib/authorization-response/OpenID4VP.ts
#	packages/siop-oid4vp/lib/types/SIOP.types.ts

Author: Brummos

README.md

@@ -7,7 +7,7 @@
 
 [![CI](https://github.com/Sphereon-Opensource/OID4VC/actions/workflows/build-test-on-pr.yml/badge.svg)](https://github.com/Sphereon-Opensource/OID4VC/actions/workflows/build-test-on-pr.yml) [![codecov](https://codecov.io/gh/Sphereon-Opensource/OID4VC/branch/develop/graph/badge.svg)](https://codecov.io/gh/Sphereon-Opensource/OID4VC) [![NPM Version](https://img.shields.io/npm/v/@sphereon/oid4vci-client.svg)](https://npm.im/@sphereon/oid4vci-client)
 
-_IMPORTANT the packages are still in an early development stage, which means that breaking changes are to be expected_
+_IMPORTANT the packages are still in an early development stage, which means that breaking changes are to be expected The current branch only supports OID4VCI draft v15, for draft v13 and lower use branch archive/draft-v13-support_
 
 # Background
 

package.json

@@ -26,7 +26,7 @@
     "pnpm": ">=10"
   },
   "resolutions": {
-    "@sphereon/ssi-types": "0.34.1-feat.SSISDK.35.61",
+    "@sphereon/ssi-types": "0.34.1-feature.DIIPv4.164",
     "dcql": "1.0.1",
     "node-fetch": "2.6.12",
     "typescript": "5.8.3"

packages/callback-example/package.json

@@ -30,7 +30,7 @@
     "@sphereon/oid4vci-client": "workspace:^",
     "@sphereon/oid4vci-common": "workspace:^",
     "@sphereon/oid4vci-issuer": "workspace:^",
-    "@sphereon/ssi-types": "0.34.1-feat.SSISDK.35.61",
+    "@sphereon/ssi-types": "0.34.1-feature.DIIPv4.164",
     "jose": "^4.10.0"
   },
   "devDependencies": {

packages/client/lib/__tests__/EBSIE2E.spec.test.ts

@@ -4,7 +4,7 @@ import { CredentialMapper } from '@sphereon/ssi-types'
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 //@ts-ignore
 import { from } from '@trust/keyto'
-import { fetch } from 'cross-fetch'
+import fetch from 'cross-fetch'
 import pkg from 'debug'
 const { debug: Debug } = pkg
 import { base64url, importJWK, JWK, SignJWT } from 'jose'

packages/client/lib/__tests__/MattrE2E.spec.test.ts

@@ -1,6 +1,6 @@
 import { Alg, Jwt } from '@sphereon/oid4vci-common'
 import { CredentialMapper } from '@sphereon/ssi-types'
-import { fetch } from 'cross-fetch'
+import fetch from 'cross-fetch'
 import { importJWK, JWK, SignJWT } from 'jose'
 import { describe, expect, it } from 'vitest'
 

packages/client/lib/__tests__/SphereonE2E.spec.test.ts

@@ -4,7 +4,7 @@ import { uuidv4 } from '@sphereon/oid4vc-common'
 import { Alg, Jwt, ProofOfPossessionCallbacks } from '@sphereon/oid4vci-common'
 import { CredentialMapper } from '@sphereon/ssi-types'
 import * as didts from '@transmute/did-key.js'
-import { fetch } from 'cross-fetch'
+import fetch from 'cross-fetch'
 import { importJWK, JWK, SignJWT } from 'jose'
 import { describe, expect, it } from 'vitest'
 

packages/client/lib/functions/CredentialOfferCommons.ts

@@ -6,7 +6,7 @@ import {
   PRE_AUTH_GRANT_LITERAL,
   UniformCredentialOfferRequest,
 } from '@sphereon/oid4vci-common'
-import { fetch } from 'cross-fetch'
+import fetch from 'cross-fetch'
 
 export function isUriEncoded(str: string): boolean {
   const pattern = /%[0-9A-F]{2}/i

packages/client/package.json

@@ -29,7 +29,7 @@
   "dependencies": {
     "@sphereon/oid4vc-common": "workspace:^",
     "@sphereon/oid4vci-common": "workspace:^",
-    "@sphereon/ssi-types": "0.34.1-feat.SSISDK.35.61",
+    "@sphereon/ssi-types": "0.34.1-feature.DIIPv4.164",
     "cross-fetch": "^4.1.0",
     "debug": "^4.4.0"
   },

packages/common/package.json

@@ -22,7 +22,7 @@
     "test": "vitest run --config ../../vitest.config.ts --coverage"
   },
   "dependencies": {
-    "@sphereon/ssi-types": "0.34.1-feat.SSISDK.35.61",
+    "@sphereon/ssi-types": "0.34.1-feature.DIIPv4.164",
     "jwt-decode": "^4.0.0",
     "uint8arrays": "^3.1.1",
     "uuid": "^9.0.0"

packages/issuer-rest/lib/OID4VCIServer.ts

@@ -27,7 +27,7 @@ import {
   getCredentialOfferEndpoint,
   getCredentialOfferReferenceEndpoint,
   getIssueStatusEndpoint,
-  getMetadataEndpoints,
+  getMetadataEndpoints, nonceEndpoint,
   pushedAuthorizationEndpoint
 } from './oid4vci-api-functions'
 
@@ -38,7 +38,7 @@ function buildVCIFromEnvironment() {
     .withFormat(process.env.credential_supported_format as unknown as OID4VCICredentialFormat)
     .withCredentialName(process.env.credential_supported_name_1 as string)
     .withCredentialDefinition({
-      type: [process.env.credential_supported_1_definition_type_1 as string, process.env.credential_supported_1_definition_type_2 as string],
+      type: [process.env.credential_supported_1_definition_type_1 as string, process.env.credential_supported_1_definition_type_2 as string]
       // TODO: setup credentialSubject here from env
       // credentialSubject
     })
@@ -47,20 +47,24 @@ function buildVCIFromEnvironment() {
       locale: process.env.credential_display_locale as string,
       logo: {
         url: process.env.credential_display_logo_url as string,
-        alt_text: process.env.credential_display_logo_alt_text as string,
+        alt_text: process.env.credential_display_logo_alt_text as string
       },
       background_color: process.env.credential_display_background_color as string,
-      text_color: process.env.credential_display_text_color as string,
+      text_color: process.env.credential_display_text_color as string
     })
     .build()
   const issuerBuilder = new VcIssuerBuilder()
-    .withTXCode({ length: process.env.user_pin_length as unknown as number, input_mode: process.env.user_pin_input_mode as 'numeric' | 'text' })
+    .withTXCode({
+      length: process.env.user_pin_length as unknown as number,
+      input_mode: process.env.user_pin_input_mode as 'numeric' | 'text'
+    })
     .withAuthorizationServers(process.env.authorization_server as string)
     .withCredentialEndpoint(process.env.credential_endpoint as string)
+    .withNonceEndpoint(process.env.nonce_endpoint as string)
     .withCredentialIssuer(process.env.credential_issuer as string)
     .withIssuerDisplay({
       name: process.env.issuer_name as string,
-      locale: process.env.issuer_locale as string,
+      locale: process.env.issuer_locale as string
     })
     .withCredentialConfigurationsSupported(credentialsSupported)
     .withInMemoryCredentialOfferState()
@@ -73,7 +77,7 @@ function buildVCIFromEnvironment() {
     issuerBuilder.withASClientMetadataParams({
       client_id: process.env.authorization_server_client_id,
       client_secret: process.env.authorization_server_client_secret,
-      redirect_uris: [process.env.authorization_server_redirect_uri],
+      redirect_uris: [process.env.authorization_server_redirect_uri]
     })
   }
 
@@ -133,6 +137,11 @@ export interface IOID4VCIEndpointOpts {
   getIssuePayloadOpts?: IGetIssuePayloadEndpointOpts
   parOpts?: ISingleEndpointOpts
   authorizationChallengeOpts?: IAuthorizationChallengeEndpointOpts
+  nonceOpts?: INonceEndpointOpts
+}
+
+export interface INonceEndpointOpts extends ISingleEndpointOpts {
+  baseUrl: string | URL
 }
 
 export interface IOID4VCIServerOpts extends HasEndpointOpts {
@@ -153,7 +162,9 @@ export class OID4VCIServer {
 
   constructor(
     expressSupport: ExpressSupport,
-    opts: IOID4VCIServerOpts & { issuer?: VcIssuer } /*If not supplied as argument, it will be fully configured from environment variables*/,
+    opts: IOID4VCIServerOpts & {
+      issuer?: VcIssuer
+    } /*If not supplied as argument, it will be fully configured from environment variables*/
   ) {
     this._baseUrl = new URL(opts?.baseUrl ?? process.env.BASE_URL ?? opts?.issuer?.issuerMetadata?.credential_issuer ?? 'http://localhost')
     this._expressSupport = expressSupport
@@ -169,7 +180,7 @@ export class OID4VCIServer {
     if (this.isGetIssuePayloadEndpointEnabled(opts?.endpointOpts?.getIssuePayloadOpts)) {
       issuerPayloadPath = getCredentialOfferReferenceEndpoint(this.router, this.issuer, {
         ...opts?.endpointOpts?.getIssuePayloadOpts,
-        baseUrl: this.baseUrl,
+        baseUrl: this.baseUrl
       })
     }
 
@@ -185,11 +196,11 @@ export class OID4VCIServer {
         opts.endpointOpts?.tokenEndpointOpts?.accessTokenVerificationCallback ??
         (this._asClientOpts
           ? oidcAccessTokenVerifyCallback({
-              clientMetadata: this._asClientOpts,
-              credentialIssuer: this._issuer.issuerMetadata.credential_issuer,
-              authorizationServer: this._issuer.issuerMetadata.authorization_servers![0],
-            })
-          : undefined),
+            clientMetadata: this._asClientOpts,
+            credentialIssuer: this._issuer.issuerMetadata.credential_issuer,
+            authorizationServer: this._issuer.issuerMetadata.authorization_servers![0]
+          })
+          : undefined)
     })
     this.assertAccessTokenHandling()
     if (!this.isTokenEndpointDisabled(opts?.endpointOpts?.tokenEndpointOpts, opts?.asClientOpts)) {
@@ -204,7 +215,17 @@ export class OID4VCIServer {
       } else if (!opts?.endpointOpts?.authorizationChallengeOpts?.verifyAuthResponseCallback) {
         throw Error(`Unable to enable authorization challenge endpoint. No verifyAuthResponseCallback present in authorization challenge options`)
       }
-      authorizationChallengeEndpoint(this.router, this.issuer, { ...opts?.endpointOpts?.authorizationChallengeOpts, baseUrl: this.baseUrl })
+      authorizationChallengeEndpoint(this.router, this.issuer, {
+        ...opts?.endpointOpts?.authorizationChallengeOpts,
+        baseUrl: this.baseUrl
+      })
+    }
+
+    if (this.isNonceEndpointEnabled(opts?.endpointOpts?.nonceOpts)) {
+      nonceEndpoint(this.router, this.issuer, {
+        ...opts?.endpointOpts?.nonceOpts,
+        baseUrl: this.baseUrl,
+      })
     }
     this._app.use(getBasePath(this.baseUrl), this._router)
   }
@@ -253,7 +274,7 @@ export class OID4VCIServer {
     if (this.isTokenEndpointDisabled(tokenEndpointOpts, this.issuer.asClientOpts)) {
       if (!authServer || authServer.length === 0) {
         throw Error(
-          `No Authorization Server (AS) is defined in the issuer metadata and the token endpoint is disabled. An AS or token endpoints needs to be present`,
+          `No Authorization Server (AS) is defined in the issuer metadata and the token endpoint is disabled. An AS or token endpoints needs to be present`
         )
       }
       if (this.issuer.asClientOpts) {
@@ -264,13 +285,18 @@ export class OID4VCIServer {
     } else {
       if (authServer && authServer.some((as) => as !== this.issuer.issuerMetadata.credential_issuer)) {
         throw Error(
-          `An external Authorization Server (AS) was already enabled in the issuer metadata (${authServer}). Cannot both have an AS and enable the token endpoint at the same time `,
+          `An external Authorization Server (AS) was already enabled in the issuer metadata (${authServer}). Cannot both have an AS and enable the token endpoint at the same time `
         )
       } else if (this._asClientOpts) {
         throw Error(`OIDC Client metadata is set, but the token endpoint is not disabled. This is not supported.`)
       }
     }
   }
+
+  private isNonceEndpointEnabled(nonceEndpointOpts?: INonceEndpointOpts) {
+    return nonceEndpointOpts?.enabled !== false || process.env.NONCE_ENDPOINT_ENABLED !== 'false'
+  }
+
   get baseUrl(): URL {
     return this._baseUrl
   }