chore: Many fixes to get VCI working for V13 and lower

Author: nklomp

packages/client/lib/AccessTokenClient.ts

@@ -6,16 +6,12 @@ import {
   AuthorizationServerOpts,
   AuthzFlowType,
   convertJsonToURI,
-  CredentialOfferPayloadV1_0_13,
-  CredentialOfferV1_0_13,
-  determineSpecVersionFromOffer,
   EndpointMetadata,
   formPost,
   getIssuerFromCredentialOfferPayload,
   GrantTypes,
   IssuerOpts,
   JsonURIMode,
-  OpenId4VCIVersion,
   OpenIDResponse,
   PRE_AUTH_CODE_LITERAL,
   TokenErrorResponse,
@@ -91,11 +87,9 @@ export class AccessTokenClient {
 
   public async createAccessTokenRequest(opts: AccessTokenRequestOpts): Promise<AccessTokenRequest> {
     const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
-    const credentialOfferRequest =
-      opts.credentialOffer &&
-      determineSpecVersionFromOffer(opts.credentialOffer as CredentialOfferPayloadV1_0_13).valueOf() <= OpenId4VCIVersion.VER_1_0_13.valueOf()
-        ? await toUniformCredentialOfferRequest(opts.credentialOffer as CredentialOfferV1_0_13)
-        : undefined;
+    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+    // @ts-ignore
+    const credentialOfferRequest = opts.credentialOffer ? await toUniformCredentialOfferRequest(opts.credentialOffer) : undefined;
     const request: Partial<AccessTokenRequest> = {};
 
     if (asOpts?.clientId) {

packages/client/lib/CredentialOfferClient.ts

@@ -1,7 +1,11 @@
 import {
   convertJsonToURI,
   convertURIToJsonObject,
+  CredentialOffer,
+  CredentialOfferPayload,
+  CredentialOfferPayloadV1_0_09,
   CredentialOfferRequestWithBaseUrl,
+  CredentialOfferV1_0_11,
   CredentialOfferV1_0_13,
   determineSpecVersionFromURI,
   getClientIdFromCredentialOfferPayload,
@@ -10,6 +14,8 @@ import {
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
 
+import { LOG } from './types';
+
 const debug = Debug('sphereon:oid4vci:offer');
 
 export class CredentialOfferClient {
@@ -22,15 +28,27 @@ export class CredentialOfferClient {
     const scheme = uri.split('://')[0];
     const baseUrl = uri.split('?')[0];
     const version = determineSpecVersionFromURI(uri);
-    const credentialOffer = convertURIToJsonObject(uri, {
-      // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
-      arrayTypeProperties: uri.includes('credential_offer_uri=')
-        ? ['credential_configuration_ids', 'credential_offer_uri=']
-        : ['credential_configuration_ids', 'credential_offer='],
-      requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
-    }) as CredentialOfferV1_0_13;
-    if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
-      throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
+    LOG.log(`Offer URL determined to be of version ${version}`);
+    let credentialOffer: CredentialOffer;
+    let credentialOfferPayload: CredentialOfferPayload;
+    // credential offer was introduced in draft 9 and credential_offer_uri in draft 11
+    if (version < OpenId4VCIVersion.VER_1_0_11) {
+      credentialOfferPayload = convertURIToJsonObject(uri, {
+        arrayTypeProperties: ['credential_type'],
+        requiredProperties: uri.includes('credential_offer=') ? ['credential_offer'] : ['issuer', 'credential_type'],
+      }) as CredentialOfferPayloadV1_0_09;
+      credentialOffer = {
+        credential_offer: credentialOfferPayload,
+      };
+    } else {
+      credentialOffer = convertURIToJsonObject(uri, {
+        // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
+        arrayTypeProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
+        requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
+      }) as CredentialOfferV1_0_11 | CredentialOfferV1_0_13;
+      if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
+        throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
+      }
     }
 
     const request = await toUniformCredentialOfferRequest(credentialOffer, {
@@ -49,6 +67,10 @@ export class CredentialOfferClient {
       ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
         preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
       }),
+      userPinRequired:
+        request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ??
+        !!request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code ??
+        false,
       ...(request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code &&
         {
           // txCode: request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code,

packages/client/lib/CredentialOfferClientV1_0_11.ts

@@ -56,13 +56,13 @@ export class CredentialOfferClientV1_0_11 {
     return {
       scheme,
       baseUrl,
-      clientId,
+      ...(clientId && { clientId }),
       ...request,
       ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
       ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
         preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
       }),
-      userPinRequired: request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false,
+      userPinRequired: !!request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false,
     };
   }
 

packages/client/lib/CredentialOfferClientV1_0_13.ts

@@ -0,0 +1,103 @@
+import {
+  convertJsonToURI,
+  convertURIToJsonObject,
+  CredentialOfferRequestWithBaseUrl,
+  CredentialOfferV1_0_13,
+  determineSpecVersionFromURI,
+  getClientIdFromCredentialOfferPayload,
+  OpenId4VCIVersion,
+  toUniformCredentialOfferRequest,
+} from '@sphereon/oid4vci-common';
+import Debug from 'debug';
+
+const debug = Debug('sphereon:oid4vci:offer');
+
+export class CredentialOfferClientV1_0_13 {
+  public static async fromURI(uri: string, opts?: { resolve?: boolean }): Promise<CredentialOfferRequestWithBaseUrl> {
+    debug(`Credential Offer URI: ${uri}`);
+    if (!uri.includes('?') || !uri.includes('://')) {
+      debug(`Invalid Credential Offer URI: ${uri}`);
+      throw Error(`Invalid Credential Offer Request`);
+    }
+    const scheme = uri.split('://')[0];
+    const baseUrl = uri.split('?')[0];
+    const version = determineSpecVersionFromURI(uri);
+    const credentialOffer = convertURIToJsonObject(uri, {
+      // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
+      arrayTypeProperties: uri.includes('credential_offer_uri=')
+        ? ['credential_configuration_ids', 'credential_offer_uri=']
+        : ['credential_configuration_ids', 'credential_offer='],
+      requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],
+    }) as CredentialOfferV1_0_13;
+    if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {
+      throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri);
+    }
+
+    const request = await toUniformCredentialOfferRequest(credentialOffer, {
+      ...opts,
+      version,
+    });
+    const clientId = getClientIdFromCredentialOfferPayload(request.credential_offer);
+    const grants = request.credential_offer?.grants;
+
+    return {
+      scheme,
+      baseUrl,
+      ...(clientId && { clientId }),
+      ...request,
+      ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
+      ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
+        preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
+      }),
+      userPinRequired: !!request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code ?? false,
+      ...(request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code &&
+        {
+          // txCode: request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code,
+        }),
+    };
+  }
+
+  public static toURI(
+    requestWithBaseUrl: CredentialOfferRequestWithBaseUrl,
+    opts?: {
+      version?: OpenId4VCIVersion;
+    },
+  ): string {
+    debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
+    const version = opts?.version ?? requestWithBaseUrl.version;
+    let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme)
+      ? requestWithBaseUrl.baseUrl
+      : `${requestWithBaseUrl.scheme.replace('://', '')}://${requestWithBaseUrl.baseUrl}`;
+    let param: string | undefined;
+
+    const isUri = requestWithBaseUrl.credential_offer_uri !== undefined;
+
+    if (version.valueOf() >= OpenId4VCIVersion.VER_1_0_11.valueOf()) {
+      // v11 changed from encoding every param to a encoded json object with a credential_offer param key
+      if (!baseUrl.includes('?')) {
+        param = isUri ? 'credential_offer_uri' : 'credential_offer';
+      } else {
+        const split = baseUrl.split('?');
+        if (split.length > 1 && split[1] !== '') {
+          if (baseUrl.endsWith('&')) {
+            param = isUri ? 'credential_offer_uri' : 'credential_offer';
+          } else if (!baseUrl.endsWith('=')) {
+            baseUrl += `&`;
+            param = isUri ? 'credential_offer_uri' : 'credential_offer';
+          }
+        }
+      }
+    }
+    return convertJsonToURI(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
+      baseUrl,
+      arrayTypeProperties: isUri ? [] : ['credential_type'],
+      uriTypeProperties: isUri
+        ? ['credential_offer_uri']
+        : version >= OpenId4VCIVersion.VER_1_0_13
+          ? ['credential_issuer', 'credential_type']
+          : ['issuer', 'credential_type'],
+      param,
+      version,
+    });
+  }
+}

packages/client/lib/CredentialRequestClient.ts

@@ -108,7 +108,7 @@ export class CredentialRequestClient {
     uniformRequest: UniformCredentialRequest,
   ): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
     if (this.version() < OpenId4VCIVersion.VER_1_0_13) {
-      throw new Error('Versions below v1.0.13 (draft 13) are not supported.');
+      throw new Error('Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.');
     }
     const request: CredentialRequestV1_0_13 = getCredentialRequestForVersion(uniformRequest, this.version()) as CredentialRequestV1_0_13;
     const credentialEndpoint: string = this.credentialRequestOpts.credentialEndpoint;

packages/client/lib/CredentialRequestClientBuilderV1_0_11.ts

@@ -6,6 +6,7 @@ import {
   CredentialOfferRequestWithBaseUrl,
   determineSpecVersionFromOffer,
   EndpointMetadata,
+  ExperimentalSubjectIssuance,
   getIssuerFromCredentialOfferPayload,
   getTypesFromOfferV1_0_11,
   OID4VCICredentialFormat,
@@ -26,6 +27,7 @@ export class CredentialRequestClientBuilderV1_0_11 {
   format?: CredentialFormat | OID4VCICredentialFormat;
   token?: string;
   version?: OpenId4VCIVersion;
+  subjectIssuance?: ExperimentalSubjectIssuance;
 
   public static fromCredentialIssuer({
     credentialIssuer,
@@ -132,6 +134,11 @@ export class CredentialRequestClientBuilderV1_0_11 {
     return this;
   }
 
+  public withSubjectIssuance(subjectIssuance: ExperimentalSubjectIssuance): this {
+    this.subjectIssuance = subjectIssuance;
+    return this;
+  }
+
   public withToken(accessToken: string): this {
     this.token = accessToken;
     return this;

packages/client/lib/CredentialRequestClientV1_0_11.ts

@@ -64,14 +64,16 @@ export class CredentialRequestClientV1_0_11 {
     credentialTypes?: string | string[];
     context?: string[];
     format?: CredentialFormat | OID4VCICredentialFormat;
-  }): Promise<OpenIDResponse<CredentialResponse>> {
+  }): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
     const { credentialTypes, proofInput, format, context } = opts;
 
     const request = await this.createCredentialRequest({ proofInput, credentialTypes, context, format, version: this.version() });
     return await this.acquireCredentialsUsingRequest(request);
   }
 
-  public async acquireCredentialsUsingRequest(uniformRequest: UniformCredentialRequest): Promise<OpenIDResponse<CredentialResponse>> {
+  public async acquireCredentialsUsingRequest(
+    uniformRequest: UniformCredentialRequest,
+  ): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
     const request = getCredentialRequestForVersion(uniformRequest, this.version());
     const credentialEndpoint: string = this.credentialRequestOpts.credentialEndpoint;
     if (!isValidURL(credentialEndpoint)) {
@@ -81,11 +83,14 @@ export class CredentialRequestClientV1_0_11 {
     debug(`Acquiring credential(s) from: ${credentialEndpoint}`);
     debug(`request\n: ${JSON.stringify(request, null, 2)}`);
     const requestToken: string = this.credentialRequestOpts.token;
-    let response: OpenIDResponse<CredentialResponse> = await post(credentialEndpoint, JSON.stringify(request), { bearerToken: requestToken });
+    let response = (await post(credentialEndpoint, JSON.stringify(request), { bearerToken: requestToken })) as OpenIDResponse<CredentialResponse> & {
+      access_token: string;
+    };
     this._isDeferred = isDeferredCredentialResponse(response);
     if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
       response = await this.acquireDeferredCredential(response.successBody, { bearerToken: this.credentialRequestOpts.token });
     }
+    response.access_token = requestToken;
 
     debug(`Credential endpoint ${credentialEndpoint} response:\r\n${JSON.stringify(response, null, 2)}`);
     return response;
@@ -96,7 +101,7 @@ export class CredentialRequestClientV1_0_11 {
     opts?: {
       bearerToken?: string;
     },
-  ): Promise<OpenIDResponse<CredentialResponse>> {
+  ): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {
     const transactionId = response.transaction_id;
     const bearerToken = response.acceptance_token ?? opts?.bearerToken;
     const deferredCredentialEndpoint = this.getDeferredCredentialEndpoint();