Merge pull request #123 from Sphereon-Opensource/develop

New release

Author: nklomp

package.json

@@ -32,17 +32,17 @@
     "printWidth": 150
   },
   "devDependencies": {
-    "@types/debug": "^4.1.8",
-    "@types/jest": "^29.5.3",
-    "@types/node": "^18.17.3",
+    "@types/debug": "^4.1.12",
+    "@types/jest": "^29.5.12",
+    "@types/node": "^18.19.39",
     "codecov": "^3.8.3",
-    "jest": "^29.6.2",
-    "lerna": "^8.1.2",
+    "jest": "^29.7.0",
+    "lerna": "^8.1.6",
     "lerna-changelog": "^2.2.0",
     "npm-run-all": "^4.1.5",
-    "prettier": "^3.2.5",
-    "rimraf": "^5.0.5",
-    "ts-jest": "^29.1.2",
+    "prettier": "^3.3.2",
+    "rimraf": "^5.0.8",
+    "ts-jest": "^29.1.5",
     "typescript": "5.4.5"
   },
   "keywords": [

packages/callback-example/lib/__tests__/issuerCallback.spec.ts

@@ -119,7 +119,7 @@ describe('issuerCallback', () => {
       lastUpdatedAt: +new Date(),
       status: IssueStatus.OFFER_CREATED,
       notification_id: v4(),
-      userPin: '123456',
+      txCode: '123456',
       credentialOffer: {
         credential_offer: {
           credential_issuer: 'did:key:test',

packages/client/lib/AccessTokenClient.ts

@@ -14,6 +14,7 @@ import {
   JsonURIMode,
   OpenIDResponse,
   PRE_AUTH_CODE_LITERAL,
+  PRE_AUTH_GRANT_LITERAL,
   TokenErrorResponse,
   toUniformCredentialOfferRequest,
   TxCodeAndPinRequired,
@@ -107,8 +108,7 @@ export class AccessTokenClient {
 
       request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
       // we actually know it is there because of the isPreAuthCode call
-      request[PRE_AUTH_CODE_LITERAL] =
-        credentialOfferRequest?.credential_offer.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.[PRE_AUTH_CODE_LITERAL];
+      request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL];
 
       return request as AccessTokenRequest;
     }
@@ -146,7 +146,7 @@ export class AccessTokenClient {
     }
     const issuer = getIssuerFromCredentialOfferPayload(requestPayload);
 
-    const grantDetails = requestPayload.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code'];
+    const grantDetails = requestPayload.grants?.[PRE_AUTH_GRANT_LITERAL];
     const isPinRequired = !!grantDetails?.tx_code ?? false;
 
     LOG.warning(`Pin required for issuer ${issuer}: ${isPinRequired}`);
@@ -211,7 +211,7 @@ export class AccessTokenClient {
     if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {
       this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
       this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
-      this.assertAlphanumericPin(pinMeta, accessTokenRequest.user_pin);
+      this.assertAlphanumericPin(pinMeta, accessTokenRequest.tx_code ?? accessTokenRequest.user_pin);
     } else if (accessTokenRequest.grant_type === GrantTypes.AUTHORIZATION_CODE) {
       this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
       this.assertNonEmptyCodeVerifier(accessTokenRequest);

packages/client/lib/AccessTokenClientV1_0_11.ts

@@ -17,6 +17,7 @@ import {
   OpenId4VCIVersion,
   OpenIDResponse,
   PRE_AUTH_CODE_LITERAL,
+  PRE_AUTH_GRANT_LITERAL,
   TokenErrorResponse,
   toUniformCredentialOfferRequest,
   UniformCredentialOfferPayload,
@@ -112,8 +113,7 @@ export class AccessTokenClientV1_0_11 {
 
       request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
       // we actually know it is there because of the isPreAuthCode call
-      request[PRE_AUTH_CODE_LITERAL] =
-        credentialOfferRequest?.credential_offer.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.[PRE_AUTH_CODE_LITERAL];
+      request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL];
 
       return request as AccessTokenRequest;
     }
@@ -135,7 +135,7 @@ export class AccessTokenClientV1_0_11 {
 
   private assertPreAuthorizedGrantType(grantType: GrantTypes): void {
     if (GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {
-      throw new Error("grant type must be 'urn:ietf:params:oauth:grant-type:pre-authorized_code'");
+      throw new Error('grant type must be PRE_AUTH_GRANT_LITERAL');
     }
   }
 
@@ -151,8 +151,8 @@ export class AccessTokenClientV1_0_11 {
       throw new Error(TokenErrorResponse.invalid_request);
     }
     const issuer = getIssuerFromCredentialOfferPayload(requestPayload);
-    if (requestPayload.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']) {
-      isPinRequired = requestPayload.grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false;
+    if (requestPayload.grants?.[PRE_AUTH_GRANT_LITERAL]) {
+      isPinRequired = requestPayload.grants[PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false;
     }
     debug(`Pin required for issuer ${issuer}: ${isPinRequired}`);
     return isPinRequired;

packages/client/lib/CredentialOfferClient.ts

@@ -10,6 +10,8 @@ import {
   determineSpecVersionFromURI,
   getClientIdFromCredentialOfferPayload,
   OpenId4VCIVersion,
+  PRE_AUTH_CODE_LITERAL,
+  PRE_AUTH_GRANT_LITERAL,
   toUniformCredentialOfferRequest,
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
@@ -64,17 +66,16 @@ export class CredentialOfferClient {
       ...(clientId && { clientId }),
       ...request,
       ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
-      ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
-        preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
+      ...(grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL] && {
+        preAuthorizedCode: grants[PRE_AUTH_GRANT_LITERAL][PRE_AUTH_CODE_LITERAL],
       }),
       userPinRequired:
-        request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ??
-        !!request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code ??
+        request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.user_pin_required ??
+        !!request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code ??
         false,
-      ...(request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code &&
-        {
-          // txCode: request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code,
-        }),
+      ...(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code && {
+        txCode: request.credential_offer.grants[PRE_AUTH_GRANT_LITERAL].tx_code,
+      }),
     };
   }
 

packages/client/lib/CredentialOfferClientV1_0_11.ts

@@ -10,6 +10,8 @@ import {
   determineSpecVersionFromURI,
   getClientIdFromCredentialOfferPayload,
   OpenId4VCIVersion,
+  PRE_AUTH_CODE_LITERAL,
+  PRE_AUTH_GRANT_LITERAL,
   toUniformCredentialOfferRequest,
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
@@ -59,10 +61,10 @@ export class CredentialOfferClientV1_0_11 {
       ...(clientId && { clientId }),
       ...request,
       ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
-      ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
-        preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
+      ...(grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL] && {
+        preAuthorizedCode: grants[PRE_AUTH_GRANT_LITERAL][PRE_AUTH_CODE_LITERAL],
       }),
-      userPinRequired: !!request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.user_pin_required ?? false,
+      userPinRequired: !!request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false,
     };
   }
 

packages/client/lib/CredentialOfferClientV1_0_13.ts

@@ -6,6 +6,8 @@ import {
   determineSpecVersionFromURI,
   getClientIdFromCredentialOfferPayload,
   OpenId4VCIVersion,
+  PRE_AUTH_CODE_LITERAL,
+  PRE_AUTH_GRANT_LITERAL,
   toUniformCredentialOfferRequest,
 } from '@sphereon/oid4vci-common';
 import Debug from 'debug';
@@ -46,14 +48,13 @@ export class CredentialOfferClientV1_0_13 {
       ...(clientId && { clientId }),
       ...request,
       ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),
-      ...(grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.['pre-authorized_code'] && {
-        preAuthorizedCode: grants['urn:ietf:params:oauth:grant-type:pre-authorized_code']['pre-authorized_code'],
+      ...(grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL] && {
+        preAuthorizedCode: grants[PRE_AUTH_GRANT_LITERAL][PRE_AUTH_CODE_LITERAL],
+      }),
+      userPinRequired: !!request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false,
+      ...(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code && {
+        txCode: request.credential_offer.grants[PRE_AUTH_GRANT_LITERAL].tx_code,
       }),
-      userPinRequired: !!request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code ?? false,
-      ...(request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code &&
-        {
-          // txCode: request.credential_offer?.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.tx_code,
-        }),
     };
   }
 

packages/client/lib/__tests__/AccessTokenClient.spec.ts

@@ -1,4 +1,11 @@
-import { AccessTokenRequest, AccessTokenResponse, GrantTypes, OpenIDResponse, WellKnownEndpoints } from '@sphereon/oid4vci-common';
+import {
+  AccessTokenRequest,
+  AccessTokenResponse,
+  GrantTypes,
+  OpenIDResponse,
+  PRE_AUTH_CODE_LITERAL,
+  WellKnownEndpoints,
+} from '@sphereon/oid4vci-common';
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore
 import nock from 'nock';
@@ -48,7 +55,7 @@ describe('AccessTokenClient should', () => {
         pinMetadata: {
           isPinRequired: true,
           txCode: {
-            length: accessTokenRequest['pre-authorized_code'].length,
+            length: accessTokenRequest[PRE_AUTH_CODE_LITERAL].length,
             input_mode: 'numeric',
           },
         },

packages/client/lib/__tests__/MetadataClient.spec.ts

@@ -1,4 +1,4 @@
-import { getIssuerFromCredentialOfferPayload, WellKnownEndpoints } from '@sphereon/oid4vci-common';
+import { getIssuerFromCredentialOfferPayload, PRE_AUTH_GRANT_LITERAL, WellKnownEndpoints } from '@sphereon/oid4vci-common';
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore
 import nock from 'nock';
@@ -241,7 +241,7 @@ describe.skip('Metadataclient with SpruceId should', () => {
       credential_endpoint: 'https://ngi-oidc4vci-test.spruceid.xyz/credential',
       token_endpoint: 'https://ngi-oidc4vci-test.spruceid.xyz/token',
       jwks_uri: 'https://ngi-oidc4vci-test.spruceid.xyz/jwks',
-      grant_types_supported: ['urn:ietf:params:oauth:grant-type:pre-authorized_code'],
+      grant_types_supported: [PRE_AUTH_GRANT_LITERAL],
       credentials_supported: {
         OpenBadgeCredential: {
           formats: {
@@ -277,7 +277,7 @@ describe.skip('Metadataclient with SpruceId should', () => {
       credential_endpoint: 'https://ngi-oidc4vci-test.spruceid.xyz/credential',
       token_endpoint: 'https://ngi-oidc4vci-test.spruceid.xyz/token',
       jwks_uri: 'https://ngi-oidc4vci-test.spruceid.xyz/jwks',
-      grant_types_supported: ['urn:ietf:params:oauth:grant-type:pre-authorized_code'],
+      grant_types_supported: [PRE_AUTH_GRANT_LITERAL],
       credentials_supported: {
         OpenBadgeCredential: {
           formats: {

packages/client/lib/__tests__/MetadataMocks.ts

@@ -1,4 +1,4 @@
-import { AuthzFlowType, CredentialOfferPayloadV1_0_13, CredentialOfferRequestWithBaseUrl } from '@sphereon/oid4vci-common';
+import { AuthzFlowType, CredentialOfferPayloadV1_0_13, CredentialOfferRequestWithBaseUrl, PRE_AUTH_GRANT_LITERAL } from '@sphereon/oid4vci-common';
 
 export const IDENTIPROOF_ISSUER_URL = 'https://issuer.research.identiproof.io';
 export const IDENTIPROOF_AS_URL = 'https://auth.research.identiproof.io';
@@ -48,6 +48,11 @@ export const INITIATION_TEST: CredentialOfferRequestWithBaseUrl = {
   scheme: 'openid-credential-offer',
   supportedFlows: [AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW],
   version: 1013,
+  txCode: {
+    description: 'Please provide the one-time code that was sent via e-mail',
+    input_mode: 'numeric',
+    length: 4,
+  },
   userPinRequired: true, // Determined from above tx_code
 };
 export const INITIATION_TEST_V1_0_08: CredentialOfferRequestWithBaseUrl = {
@@ -84,7 +89,7 @@ export const IDENTIPROOF_AS_METADATA = {
   token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt'],
   jwks_uri: 'https://auth.research.identiproof.io/oauth2/jwks',
   response_types_supported: ['code'],
-  grant_types_supported: ['authorization_code', 'urn:ietf:params:oauth:grant-type:pre-authorized_code', 'client_credentials', 'refresh_token'],
+  grant_types_supported: ['authorization_code', PRE_AUTH_GRANT_LITERAL, 'client_credentials', 'refresh_token'],
   revocation_endpoint: 'https://auth.research.identiproof.io/oauth2/revoke',
   revocation_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt'],
   introspection_endpoint: 'https://auth.research.identiproof.io/oauth2/introspect',
@@ -168,7 +173,7 @@ export const SPRUCE_OID4VCI_METADATA = {
   credential_endpoint: 'https://ngi-oidc4vci-test.spruceid.xyz/credential',
   token_endpoint: 'https://ngi-oidc4vci-test.spruceid.xyz/token',
   jwks_uri: 'https://ngi-oidc4vci-test.spruceid.xyz/jwks',
-  grant_types_supported: ['urn:ietf:params:oauth:grant-type:pre-authorized_code'],
+  grant_types_supported: [PRE_AUTH_GRANT_LITERAL],
   credentials_supported: {
     OpenBadgeCredential: {
       formats: {
@@ -232,7 +237,7 @@ export const DANUBE_OIDC_METADATA = {
     ],
   },
   code_challenge_methods_supported: ['plain', 'S256'],
-  grant_types_supported: ['authorization_code', 'urn:ietf:params:oauth:grant-type:pre-authorized_code'],
+  grant_types_supported: ['authorization_code', PRE_AUTH_GRANT_LITERAL],
   token_endpoint_auth_methods_supported: ['client_secret_post', 'client_secret_basic'],
   authorization_endpoint: 'https://oidc4vc.uniissuer.io/authorize',
   token_endpoint: 'https://oidc4vc.uniissuer.io/token',
@@ -245,7 +250,7 @@ export const WALT_OID4VCI_METADATA = {
   pushed_authorization_request_endpoint: 'https://jff.walt.id/issuer-api/oidc/par',
   issuer: 'https://jff.walt.id/issuer-api',
   jwks_uri: 'https://jff.walt.id/issuer-api/oidc',
-  grant_types_supported: ['authorization_code', 'urn:ietf:params:oauth:grant-type:pre-authorized_code'],
+  grant_types_supported: ['authorization_code', PRE_AUTH_GRANT_LITERAL],
   request_uri_parameter_supported: true,
   credentials_supported: {
     VerifiableDiploma: {