Merge pull request #71 from Sphereon-Opensource/feature/enable-authorization-code-flow-helpers

Feature/enable authorization code flow helpers

Author: nklomp

packages/callback-example/CHANGELOG.md

@@ -7,28 +7,15 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 **Note:** Version bump only for package @sphereon/oid4vci-callback-example
 
-
-
-
-
 ## [0.7.2](https://github.com/Sphereon-Opensource/OID4VCI/compare/v0.7.1...v0.7.2) (2023-09-28)
 
 **Note:** Version bump only for package @sphereon/oid4vci-callback-example
 
-
-
-
-
 ## [0.7.1](https://github.com/Sphereon-Opensource/OID4VCI/compare/v0.7.0...v0.7.1) (2023-09-28)
 
-
 ### Bug Fixes
 
-* Better match credential offer types and formats onto issuer metadata ([4044c21](https://github.com/Sphereon-Opensource/OID4VCI/commit/4044c2175b4cbee16f44c8bb5499bba249ca4993))
-
-
-
-
+- Better match credential offer types and formats onto issuer metadata ([4044c21](https://github.com/Sphereon-Opensource/OID4VCI/commit/4044c2175b4cbee16f44c8bb5499bba249ca4993))
 
 # [0.7.0](https://github.com/Sphereon-Opensource/OID4VCI/compare/v0.6.0...v0.7.0) (2023-08-19)
 

packages/client/CHANGELOG.md

@@ -7,34 +7,20 @@ See [Conventional Commits](https://conventionalcommits.org) for commit guideline
 
 **Note:** Version bump only for package @sphereon/oid4vci-client
 
-
-
-
-
 ## [0.7.2](https://github.com/Sphereon-Opensource/OID4VCI/compare/v0.7.1...v0.7.2) (2023-09-28)
 
-
 ### Bug Fixes
 
-* id lookup against server metadata not working ([592ec4b](https://github.com/Sphereon-Opensource/OID4VCI/commit/592ec4b837898eb3022d19479d79b6065e7a0d9e))
-
-
-
-
+- id lookup against server metadata not working ([592ec4b](https://github.com/Sphereon-Opensource/OID4VCI/commit/592ec4b837898eb3022d19479d79b6065e7a0d9e))
 
 ## [0.7.1](https://github.com/Sphereon-Opensource/OID4VCI/compare/v0.7.0...v0.7.1) (2023-09-28)
 
-
 ### Bug Fixes
 
-* Better match credential offer types and formats onto issuer metadata ([4044c21](https://github.com/Sphereon-Opensource/OID4VCI/commit/4044c2175b4cbee16f44c8bb5499bba249ca4993))
-* clearinterval ([214e3c6](https://github.com/Sphereon-Opensource/OID4VCI/commit/214e3c6d7ced9b27c50186db8ed876330230a6a5))
-* relax auth_endpoint handling. Doesn't have to be available when doing pre-auth flow. Client handles errors anyway in case of auth/par flow ([ce39958](https://github.com/Sphereon-Opensource/OID4VCI/commit/ce39958f21f82243f26111fd14bd2443517eef9c))
-* relax auth_endpoint handling. Doesn't have to be available when doing pre-auth flow. Client handles errors anyway in case of auth/par flow ([cb5f9c1](https://github.com/Sphereon-Opensource/OID4VCI/commit/cb5f9c1c12285508c6d403814d032e8883a59e7d))
-
-
-
-
+- Better match credential offer types and formats onto issuer metadata ([4044c21](https://github.com/Sphereon-Opensource/OID4VCI/commit/4044c2175b4cbee16f44c8bb5499bba249ca4993))
+- clearinterval ([214e3c6](https://github.com/Sphereon-Opensource/OID4VCI/commit/214e3c6d7ced9b27c50186db8ed876330230a6a5))
+- relax auth_endpoint handling. Doesn't have to be available when doing pre-auth flow. Client handles errors anyway in case of auth/par flow ([ce39958](https://github.com/Sphereon-Opensource/OID4VCI/commit/ce39958f21f82243f26111fd14bd2443517eef9c))
+- relax auth_endpoint handling. Doesn't have to be available when doing pre-auth flow. Client handles errors anyway in case of auth/par flow ([cb5f9c1](https://github.com/Sphereon-Opensource/OID4VCI/commit/cb5f9c1c12285508c6d403814d032e8883a59e7d))
 
 # [0.7.0](https://github.com/Sphereon-Opensource/OID4VCI/compare/v0.6.0...v0.7.0) (2023-08-19)
 

packages/client/README.md

@@ -57,7 +57,6 @@ import { OpenID4VCIClient } from '@sphereon/oid4vci-client';
 // The client is initiated from a URI. This URI is provided by the Issuer, typically as a URL or QR code.
 const client = await OpenID4VCIClient.fromURI({
   uri: 'openid-initiate-issuance://?issuer=https%3A%2F%2Fissuer.research.identiproof.io&credential_type=OpenBadgeCredentialUrl&pre-authorized_code=4jLs9xZHEfqcoow0kHE7d1a8hUk6Sy-5bVSV2MqBUGUgiFFQi-ImL62T-FmLIo8hKA1UdMPH0lM1xAgcFkJfxIw9L-lI3mVs0hRT8YVwsEM1ma6N3wzuCdwtMU4bcwKp&user_pin_required=true',
-  flowType: AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW, // The flow to use
   kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21#key-1', // Our DID.  You can defer this also to when the acquireCredential method is called
   alg: Alg.ES256, // The signing Algorithm we will use. You can defer this also to when the acquireCredential method is called
   clientId: 'test-clientId', // The clientId if the Authrozation Service requires it.  If a clientId is needed you can defer this also to when the acquireAccessToken method is called

packages/client/lib/AccessTokenClient.ts

@@ -4,10 +4,10 @@ import {
   AccessTokenResponse,
   assertedUniformCredentialOffer,
   AuthorizationServerOpts,
+  AuthzFlowType,
   EndpointMetadata,
   getIssuerFromCredentialOfferPayload,
   GrantTypes,
-  isPreAuthCode,
   IssuerOpts,
   OpenIDResponse,
   PRE_AUTH_CODE_LITERAL,
@@ -67,6 +67,7 @@ export class AccessTokenClient {
     issuerOpts?: IssuerOpts;
   }): Promise<OpenIDResponse<AccessTokenResponse>> {
     this.validate(accessTokenRequest, isPinRequired);
+
     const requestTokenURL = AccessTokenClient.determineTokenURL({
       asOpts,
       issuerOpts,
@@ -76,45 +77,44 @@ export class AccessTokenClient {
         ? await MetadataClient.retrieveAllMetadata(issuerOpts.issuer, { errorOnNotFound: false })
         : undefined,
     });
+
     return this.sendAuthCode(requestTokenURL, accessTokenRequest);
   }
 
   public async createAccessTokenRequest(opts: AccessTokenRequestOpts): Promise<AccessTokenRequest> {
     const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
     const credentialOfferRequest = await toUniformCredentialOfferRequest(opts.credentialOffer);
     const request: Partial<AccessTokenRequest> = {};
+
     if (asOpts?.clientId) {
       request.client_id = asOpts.clientId;
     }
 
-    this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
-    request.user_pin = pin;
+    if (credentialOfferRequest.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
+      this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
+      request.user_pin = pin;
 
-    const isPreAuth = isPreAuthCode(credentialOfferRequest);
-    if (isPreAuth) {
-      if (codeVerifier) {
-        throw new Error('Cannot pass a code_verifier when flow type is pre-authorized');
-      }
       request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
       // we actually know it is there because of the isPreAuthCode call
       request[PRE_AUTH_CODE_LITERAL] =
         credentialOfferRequest?.credential_offer.grants?.['urn:ietf:params:oauth:grant-type:pre-authorized_code']?.[PRE_AUTH_CODE_LITERAL];
+
+      return request as AccessTokenRequest;
     }
-    if (!isPreAuth && credentialOfferRequest.credential_offer.grants?.authorization_code?.issuer_state) {
-      this.throwNotSupportedFlow(); // not supported yet
+
+    if (credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
       request.grant_type = GrantTypes.AUTHORIZATION_CODE;
-    }
-    if (codeVerifier) {
-      request.code_verifier = codeVerifier;
       request.code = code;
       request.redirect_uri = redirectUri;
-      request.grant_type = GrantTypes.AUTHORIZATION_CODE;
-    }
-    if (request.grant_type === GrantTypes.AUTHORIZATION_CODE && isPreAuth) {
-      throw Error('A pre_authorized_code flow cannot have an issuer state in the credential offer');
+
+      if (codeVerifier) {
+        request.code_verifier = codeVerifier;
+      }
+
+      return request as AccessTokenRequest;
     }
 
-    return request as AccessTokenRequest;
+    throw new Error('Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.');
   }
 
   private assertPreAuthorizedGrantType(grantType: GrantTypes): void {