Merge pull request #217 from Sphereon-Opensource/develop

nklomp · web-flow · commit ab29ca72586f · 2026-01-30T22:49:06.000+01:00
New release
diff --git a/lerna.json b/lerna.json
@@ -1,10 +1,6 @@
 {
-  "packages": [
-    "packages/*"
-  ],
+  "packages": ["packages/*"],
   "version": "0.20.0",
   "npmClient": "pnpm",
-  "workspaces": [
-    "packages/*"
-  ]
-}
+  "workspaces": ["packages/*"]
+}
diff --git a/package.json b/package.json
@@ -26,7 +26,7 @@
     "pnpm": ">=10"
   },
   "resolutions": {
-    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.78.280",
+    "@sphereon/ssi-types": "0.36.1-next.159",
     "dcql": "1.0.1",
     "node-fetch": "2.6.12",
     "typescript": "5.8.3"
diff --git a/packages/callback-example/package.json b/packages/callback-example/package.json
@@ -30,7 +30,7 @@
     "@sphereon/oid4vci-client": "workspace:^",
     "@sphereon/oid4vci-common": "workspace:^",
     "@sphereon/oid4vci-issuer": "workspace:^",
-    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.78.280",
+    "@sphereon/ssi-types": "0.36.1-next.159",
     "jose": "^4.10.0"
   },
   "devDependencies": {
@@ -46,12 +46,7 @@
   "engines": {
     "node": ">=20.6"
   },
-  "files": [
-    "src",
-    "dist",
-    "README.md",
-    "LICENSE.md"
-  ],
+  "files": ["src", "dist", "README.md", "LICENSE.md"],
   "keywords": [
     "Sphereon",
     "Verifiable Credentials",
diff --git a/packages/client/lib/CredentialRequestClient.ts b/packages/client/lib/CredentialRequestClient.ts
@@ -267,12 +267,11 @@ export class CredentialRequestClient {
     }
     response.access_token = requestToken
 
-    /* TODO SSISDK-85
-  if ((uniformRequest.credential_subject_issuance && response.successBody) || response.successBody?.credential_subject_issuance) {
+    if ((uniformRequest.credential_subject_issuance && response.successBody) || response.successBody?.credential_subject_issuance) {
       if (JSON.stringify(uniformRequest.credential_subject_issuance) !== JSON.stringify(response.successBody?.credential_subject_issuance)) {
         throw Error('Subject signing was requested, but issuer did not provide the options in its response')
       }
-    }*/
+    }
     logger.debug(`Credential endpoint ${credentialEndpoint} response:\r\n${JSON.stringify(response, null, 2)}`)
 
     return {
diff --git a/packages/client/lib/MetadataClientV1_0_15.ts b/packages/client/lib/MetadataClientV1_0_15.ts
@@ -55,6 +55,7 @@ export class MetadataClientV1_0_15 {
     let credential_endpoint: string | undefined
     let nonce_endpoint: string | undefined
     let deferred_credential_endpoint: string | undefined
+    let notification_endpoint: string | undefined
     let authorization_endpoint: string | undefined
     let authorization_challenge_endpoint: string | undefined
     let authorizationServerType: AuthorizationServerType = 'OID4VCI'
@@ -66,6 +67,7 @@ export class MetadataClientV1_0_15 {
       credential_endpoint = credentialIssuerMetadata.credential_endpoint
       nonce_endpoint = credentialIssuerMetadata.nonce_endpoint
       deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint
+      notification_endpoint = credentialIssuerMetadata.notification_endpoint
       if (credentialIssuerMetadata.token_endpoint) {
         token_endpoint = credentialIssuerMetadata.token_endpoint
       }
@@ -140,6 +142,15 @@ export class MetadataClientV1_0_15 {
           deferred_credential_endpoint = authMetadata.deferred_credential_endpoint
         }
       }
+      if (authMetadata.notification_endpoint) {
+        if (notification_endpoint && authMetadata.notification_endpoint !== notification_endpoint) {
+          logger.debug(
+            `Credential issuer has a different notification_endpoint (${notification_endpoint}) from the Authorization Server (${authMetadata.notification_endpoint}). Will use the issuer value`,
+          )
+        } else {
+          notification_endpoint = authMetadata.notification_endpoint
+        }
+      }
     }
 
     if (!authorization_endpoint) {
@@ -182,6 +193,7 @@ export class MetadataClientV1_0_15 {
       display: ci.display ?? [],
       ...(nonce_endpoint && { nonce_endpoint }),
       ...(deferred_credential_endpoint && { deferred_credential_endpoint }),
+      ...(notification_endpoint && { notification_endpoint }),
     }
 
     logger.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`)
@@ -192,6 +204,7 @@ export class MetadataClientV1_0_15 {
       token_endpoint,
       credential_endpoint,
       authorization_challenge_endpoint,
+      notification_endpoint,
       authorizationServerType,
       credentialIssuerMetadata: v15CredentialIssuerMetadata,
       authorizationServerMetadata: authMetadata,
diff --git a/packages/client/lib/OpenID4VCIClient.ts b/packages/client/lib/OpenID4VCIClient.ts
@@ -548,7 +548,6 @@ export class OpenID4VCIClient {
       if (!this.shouldRetryWithFreshNonce(e)) {
         return Promise.reject(e instanceof Error ? e : Error(String(e)))
       }
-
       // one retry with fresh nonce + rebuilt proof
       ;(this._state as OpenID4VCIClientStateV1_0_15).cachedCNonce = undefined
 
diff --git a/packages/client/package.json b/packages/client/package.json
@@ -29,7 +29,7 @@
   "dependencies": {
     "@sphereon/oid4vc-common": "workspace:^",
     "@sphereon/oid4vci-common": "workspace:^",
-    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.78.280",
+    "@sphereon/ssi-types": "0.36.1-next.159",
     "cross-fetch": "^4.1.0",
     "debug": "^4.4.0"
   },
@@ -55,12 +55,7 @@
   "engines": {
     "node": ">=20"
   },
-  "files": [
-    "src",
-    "dist",
-    "README.md",
-    "LICENSE.md"
-  ],
+  "files": ["src", "dist", "README.md", "LICENSE.md"],
   "keywords": [
     "Sphereon",
     "Verifiable Credentials",
diff --git a/packages/common/lib/hasher.ts b/packages/common/lib/hasher.ts
@@ -1,5 +1,5 @@
 import { HasherSync, shaHasher } from '@sphereon/ssi-types'
 
-export const defaultHasher: HasherSync = (data: string | ArrayBuffer, algorithm: string) => {
+export const defaultHasher: HasherSync = (data: string | ArrayBuffer | SharedArrayBuffer, algorithm: string) => {
   return shaHasher(data, algorithm)
 }
diff --git a/packages/common/package.json b/packages/common/package.json
@@ -22,7 +22,7 @@
     "test": "vitest run --config ../../vitest.config.mts --coverage"
   },
   "dependencies": {
-    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.78.280",
+    "@sphereon/ssi-types": "0.36.1-next.159",
     "jwt-decode": "^4.0.0",
     "uint8arrays": "^3.1.1",
     "uuid": "^9.0.0"
@@ -34,12 +34,7 @@
   "engines": {
     "node": ">=20"
   },
-  "files": [
-    "src",
-    "dist",
-    "README.md",
-    "LICENSE.md"
-  ],
+  "files": ["src", "dist", "README.md", "LICENSE.md"],
   "keywords": [
     "Sphereon",
     "Verifiable Credentials",
diff --git a/packages/did-auth-siop-adapter/package.json b/packages/did-auth-siop-adapter/package.json
@@ -36,9 +36,7 @@
   "engines": {
     "node": ">=20"
   },
-  "files": [
-    "dist/**/*"
-  ],
+  "files": ["dist/**/*"],
   "keywords": [
     "Sphereon",
     "SSI",
diff --git a/packages/issuer-rest/package.json b/packages/issuer-rest/package.json
@@ -26,7 +26,7 @@
     "@sphereon/oid4vci-common": "workspace:^",
     "@sphereon/oid4vci-issuer": "workspace:^",
     "@sphereon/ssi-express-support": "0.34.1-next.3",
-    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.78.280",
+    "@sphereon/ssi-types": "0.36.1-next.159",
     "body-parser": "^1.20.2",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
@@ -66,12 +66,7 @@
   "engines": {
     "node": ">=20"
   },
-  "files": [
-    "src",
-    "dist",
-    "README.md",
-    "LICENSE.md"
-  ],
+  "files": ["src", "dist", "README.md", "LICENSE.md"],
   "keywords": [
     "Sphereon",
     "Verifiable Credentials",
diff --git a/packages/issuer/lib/VcIssuer.ts b/packages/issuer/lib/VcIssuer.ts
@@ -34,6 +34,7 @@ import {
   OID4VCICredentialFormat,
   OpenId4VCIVersion,
   PRE_AUTH_GRANT_LITERAL,
+  ProofOfPossession,
   QRCodeOpts,
   StatusListOpts,
   TokenErrorResponse,
@@ -54,7 +55,7 @@ import { LOG } from './index'
 const shortUUID = ShortUUID()
 
 export class VcIssuer {
-  private readonly _issuerMetadata: CredentialIssuerMetadataOptsV1_0_15
+  private _issuerMetadata: CredentialIssuerMetadataOptsV1_0_15 // TODO SSISDK-87 create proper solution to update issuer metadata
   private readonly _authorizationServerMetadata: AuthorizationServerMetadata
   private readonly _defaultCredentialOfferBaseUri?: string
   private readonly _credentialSignerCallback?: CredentialSignerCallback
@@ -675,16 +676,70 @@ export class VcIssuer {
     try {
       if (format && !supportedIssuanceFormats.includes(format)) {
         throw Error(`Format ${format} not supported yet`)
-      } else if (typeof this._jwtVerifyCallback !== 'function' && typeof jwtVerifyCallback !== 'function') {
-        throw new Error(JWT_VERIFY_CONFIG_ERROR)
-      } else if (!credentialRequest.proof) {
-        throw Error('Proof of possession is required. No proof value present in credential request')
       }
 
-      const jwtVerifyResult = jwtVerifyCallback
-        ? await jwtVerifyCallback(credentialRequest.proof)
-        : // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-          await this._jwtVerifyCallback!(credentialRequest.proof)
+      const verifyFn: JWTVerifyCallback | undefined = jwtVerifyCallback ?? this._jwtVerifyCallback
+      if (typeof verifyFn !== 'function') {
+        throw Error(JWT_VERIFY_CONFIG_ERROR)
+      }
+
+      const credReq = credentialRequest as CredentialRequestV1_0_15
+
+      // Validate request structure (mutually exclusive)
+      if (credReq.proof && credReq.proofs) {
+        throw Error('Credential request may not contain both proof and proofs parameters')
+      }
+
+      // Normalize candidates into a single array of ProofOfPossession objects
+      const proofCandidates: Array<ProofOfPossession> = []
+
+      if (credReq.proof) {
+        proofCandidates.push(credReq.proof)
+      } else if (credReq.proofs) {
+        // Handle "proofs": prioritize 'jwt' as it's the only fully supported type
+        if (Array.isArray(credReq.proofs.jwt)) {
+          // Map to ProofOfPossession objects, handling both string and object formats
+          for (const jwtProof of credReq.proofs.jwt) {
+            if (typeof jwtProof === 'string') {
+              // Handle case where jwt array contains strings instead of ProofOfPossession objects
+              proofCandidates.push({
+                proof_type: 'jwt',
+                jwt: jwtProof,
+              })
+            } else if (jwtProof && typeof jwtProof === 'object' && 'jwt' in jwtProof) {
+              // Handle proper ProofOfPossession object
+              proofCandidates.push(jwtProof)
+            }
+          }
+        }
+
+        // Check if there are no supported proofs found
+        if (proofCandidates.length === 0) {
+          const availableTypes = Object.keys(credReq.proofs).join(', ')
+          throw Error(`No supported proof types found in request. Available: [${availableTypes}]`)
+        }
+      } else {
+        throw Error('Proof of possession is required. No proof or proofs value present in credential request')
+      }
+
+      // Execute verification
+      let jwtVerifyResult: JwtVerifyResult | undefined
+      const validationErrors: string[] = []
+
+      for (const proof of proofCandidates) {
+        try {
+          jwtVerifyResult = await verifyFn({ jwt: proof.jwt })
+          break
+        } catch (error) {
+          const msg = error instanceof Error ? error.message : String(error)
+          validationErrors.push(msg)
+        }
+      }
+
+      // Check success
+      if (!jwtVerifyResult) {
+        throw Error(`Unable to verify any provided proofs. Errors: ${validationErrors.join('; ')}`)
+      }
 
       const { didDocument, did, jwt } = jwtVerifyResult
       const { header, payload } = jwt
@@ -863,6 +918,11 @@ export class VcIssuer {
     return this._issuerMetadata
   }
 
+  // TODO SSISDK-87 create proper solution to update issuer metadata
+  public set issuerMetadata(value: CredentialIssuerMetadataOptsV1_0_15) {
+    this._issuerMetadata = value;
+  }
+
   public get authorizationServerMetadata() {
     return this._authorizationServerMetadata
   }
diff --git a/packages/issuer/lib/builder/DisplayBuilder.ts b/packages/issuer/lib/builder/DisplayBuilder.ts
@@ -21,7 +21,7 @@ export class DisplayBuilder {
 
   withLogo(logo: ImageInfo) {
     if (logo) {
-      if (!logo.url) {
+      if (!logo.uri) {
         throw Error(`logo without url will not work`)
       }
     }
diff --git a/packages/issuer/package.json b/packages/issuer/package.json
@@ -24,7 +24,7 @@
     "@sphereon/oid4vc-common": "workspace:^",
     "@sphereon/oid4vci-common": "workspace:^",
     "@sphereon/ssi-express-support": "0.34.1-next.3",
-    "@sphereon/ssi-types": "0.34.1-feature.SSISDK.78.280",
+    "@sphereon/ssi-types": "0.36.1-next.159",
     "short-uuid": "^4.2.2",
     "uuid": "^9.0.0"
   },
@@ -49,12 +49,7 @@
   "engines": {
     "node": ">=20"
   },
-  "files": [
-    "src",
-    "dist",
-    "README.md",
-    "LICENSE.md"
-  ],
+  "files": ["src", "dist", "README.md", "LICENSE.md"],
   "keywords": [
     "Sphereon",
     "Verifiable Credentials",
diff --git a/packages/jarm/package.json b/packages/jarm/package.json
@@ -30,12 +30,7 @@
   "engines": {
     "node": ">=20"
   },
-  "files": [
-    "src",
-    "dist",
-    "README.md",
-    "LICENSE.md"
-  ],
+  "files": ["src", "dist", "README.md", "LICENSE.md"],
   "keywords": [
     "Sphereon",
     "Verifiable Credentials",
diff --git a/packages/oid4vci-common/lib/types/Generic.types.ts b/packages/oid4vci-common/lib/types/Generic.types.ts
@@ -23,7 +23,7 @@ export type CredentialOfferMode = 'VALUE' | 'REFERENCE'
  * Important Note: please be aware that these Common interfaces are based on versions v1_0.11 and v1_0.09
  */
 export interface ImageInfo {
-  url?: string
+  uri?: string
   alt_text?: string
 
   [key: string]: unknown
diff --git a/packages/oid4vci-common/lib/types/ServerMetadata.ts b/packages/oid4vci-common/lib/types/ServerMetadata.ts
@@ -148,6 +148,7 @@ export interface EndpointMetadata {
   token_endpoint: string
   credential_endpoint: string
   deferred_credential_endpoint?: string
+  notification_endpoint?: string
   authorization_server?: string
   authorization_endpoint?: string // Can be undefined in pre-auth flow
   authorization_challenge_endpoint?: string
diff --git a/packages/oid4vci-common/lib/types/v1_0_15.types.ts b/packages/oid4vci-common/lib/types/v1_0_15.types.ts
@@ -73,7 +73,7 @@ export type CredentialConfigurationSupportedCommonV1_0_15 = {
 }
 
 export interface CredentialConfigurationSupportedSdJwtVcV1_0_15 extends CredentialConfigurationSupportedCommonV1_0_15 {
-  format: 'dc+sd-jwt' // REQUIRED. Updated format identifier for SD-JWT VC to align with the media type in draft -06 of [I-D.ietf-oauth-sd-jwt-vc]
+  format: 'dc+sd-jwt' | 'vc+sd-jwt' // REQUIRED. Updated format identifier for SD-JWT VC to align with the media type in draft -06 of [I-D.ietf-oauth-sd-jwt-vc]
   vct: string // REQUIRED. String designating the type of a Credential, as defined in [I-D.ietf-oauth-sd-jwt-vc].
   claims?: ClaimsDescriptionV1_0_15[] // OPTIONAL. Array of claims description objects using claims path pointers as defined in Appendix C.
   order?: string[] // OPTIONAL. An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.
diff --git a/packages/oid4vci-common/package.json b/packages/oid4vci-common/package.json
diff --git a/packages/siop-oid4vp/lib/__tests__/AuthenticationResponse.response.spec.ts b/packages/siop-oid4vp/lib/__tests__/AuthenticationResponse.response.spec.ts
diff --git a/packages/siop-oid4vp/lib/authorization-response/Payload.ts b/packages/siop-oid4vp/lib/authorization-response/Payload.ts
diff --git a/packages/siop-oid4vp/lib/types/SIOP.types.ts b/packages/siop-oid4vp/lib/types/SIOP.types.ts
diff --git a/packages/siop-oid4vp/package.json b/packages/siop-oid4vp/package.json
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

Original file line number	Diff line number	Diff line change
`@@ -267,12 +267,11 @@ export class CredentialRequestClient {`
`267`	`267`	`}`
`268`	`268`	`response.access_token = requestToken`
`269`	`269`
`270`		`- /* TODO SSISDK-85`
`271`		`- if ((uniformRequest.credential_subject_issuance && response.successBody) \|\| response.successBody?.credential_subject_issuance) {`
	`270`	`+ if ((uniformRequest.credential_subject_issuance && response.successBody) \|\| response.successBody?.credential_subject_issuance) {`
`272`	`271`	`if (JSON.stringify(uniformRequest.credential_subject_issuance) !== JSON.stringify(response.successBody?.credential_subject_issuance)) {`
`273`	`272`	`throw Error('Subject signing was requested, but issuer did not provide the options in its response')`
`274`	`273`	`}`
`275`		`- }*/`
	`274`	`+ }`
`276`	`275`	logger.debug(`Credential endpoint ${credentialEndpoint} response:\r\n${JSON.stringify(response, null, 2)}`)
`277`	`276`
`278`	`277`	`return {`
Original file line number	Diff line number	Diff line change
`@@ -548,7 +548,6 @@ export class OpenID4VCIClient {`
`548`	`548`	`if (!this.shouldRetryWithFreshNonce(e)) {`
`549`	`549`	`return Promise.reject(e instanceof Error ? e : Error(String(e)))`
`550`	`550`	`}`
`551`		`-`
`552`	`551`	`// one retry with fresh nonce + rebuilt proof`
`553`	`552`	`;(this._state as OpenID4VCIClientStateV1_0_15).cachedCNonce = undefined`
`554`	`553`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`import { HasherSync, shaHasher } from '@sphereon/ssi-types'`
`2`	`2`
`3`		`-export const defaultHasher: HasherSync = (data: string \| ArrayBuffer, algorithm: string) => {`
	`3`	`+export const defaultHasher: HasherSync = (data: string \| ArrayBuffer \| SharedArrayBuffer, algorithm: string) => {`
`4`	`4`	`return shaHasher(data, algorithm)`
`5`	`5`	`}`