chore: authorization_details tests passing

Author: sanderPostma

packages/issuer-rest/lib/IssuerTokenEndpoint.ts

@@ -1,5 +1,11 @@
 import { DPoPVerifyJwtCallback, JWK, uuidv4, verifyDPoP } from '@sphereon/oid4vc-common'
-import { GrantTypes, PRE_AUTHORIZED_CODE_REQUIRED_ERROR, TokenError, TokenErrorResponse } from '@sphereon/oid4vci-common'
+import {
+  AuthorizationRequest,
+  GrantTypes,
+  PRE_AUTHORIZED_CODE_REQUIRED_ERROR,
+  TokenError,
+  TokenErrorResponse
+} from '@sphereon/oid4vci-common'
 import { assertValidAccessTokenRequest, createAccessTokenResponse, ITokenEndpointOpts, VcIssuer } from '@sphereon/oid4vci-issuer'
 import { sendErrorResponse } from '@sphereon/ssi-express-support'
 import { NextFunction, Request, Response } from 'express'
@@ -29,7 +35,7 @@ export const handleTokenRequest = ({
     dPoPVerifyJwtCallback: DPoPVerifyJwtCallback
   }
   // The full URL of the access token endpoint
-  accessTokenEndpoint?: string
+  accessTokenEndpoint?: string,
 }) => {
   return async (request: Request, response: Response) => {
     response.set({
@@ -115,14 +121,19 @@ export const handleTokenRequest = ({
 }
 
 export const verifyTokenRequest = ({
-  preAuthorizedCodeExpirationDuration,
-  issuer,
-}: Required<Pick<ITokenEndpointOpts, 'preAuthorizedCodeExpirationDuration'> & { issuer: VcIssuer }>) => {
+                                     preAuthorizedCodeExpirationDuration,
+                                     issuer,
+                                     authRequestsData
+                                   }: Required<Pick<ITokenEndpointOpts, 'preAuthorizedCodeExpirationDuration'>> & {
+  issuer: VcIssuer,
+  authRequestsData?: Map<string, AuthorizationRequest>
+}) => {
   return async (request: Request, response: Response, next: NextFunction) => {
     try {
       await assertValidAccessTokenRequest(request.body, {
         expirationDuration: preAuthorizedCodeExpirationDuration,
         credentialOfferSessions: issuer.credentialOfferSessions,
+        authRequestsData
       })
     } catch (error) {
       if (error instanceof TokenError) {

packages/issuer-rest/lib/OID4VCIServer.ts

@@ -204,7 +204,11 @@ export class OID4VCIServer {
     })
     this.assertAccessTokenHandling()
     if (!this.isTokenEndpointDisabled(opts?.endpointOpts?.tokenEndpointOpts, opts?.asClientOpts)) {
-      accessTokenEndpoint(this.router, this.issuer, { ...opts?.endpointOpts?.tokenEndpointOpts, baseUrl: this.baseUrl })
+      accessTokenEndpoint(this.router, this.issuer, {
+        ...opts?.endpointOpts?.tokenEndpointOpts,
+        baseUrl: this.baseUrl,
+        authRequestsData: this.authRequestsData
+      })
     }
     if (this.isStatusEndpointEnabled(opts?.endpointOpts?.getStatusOpts)) {
       getIssueStatusEndpoint(this.router, this.issuer, { ...opts?.endpointOpts?.getStatusOpts, baseUrl: this.baseUrl })

packages/issuer-rest/lib/oid4vci-api-functions.ts

@@ -220,7 +220,8 @@ export function authorizationChallengeEndpoint(
 }
 
 export function accessTokenEndpoint(router: Router, issuer: VcIssuer, opts: ITokenEndpointOpts & ISingleEndpointOpts & {
-  baseUrl: string | URL
+  baseUrl: string | URL,
+  authRequestsData?: Map<string, AuthorizationRequest>
 }) {
   const externalAS = isExternalAS(issuer.issuerMetadata) || issuer.asClientOpts
   if (externalAS || (opts.accessTokenProvider && opts.accessTokenProvider !== 'internal')) {
@@ -263,12 +264,14 @@ export function accessTokenEndpoint(router: Router, issuer: VcIssuer, opts: ITok
 
   LOG.log(`[OID4VCI] Token endpoint enabled at ${url.toString()}`)
 
+
   // this.issuer.issuerMetadata.token_endpoint = url.toString()
   router.post(
     determinePath(baseUrl, url.pathname, { stripBasePath: true }),
     verifyTokenRequest({
       issuer,
-      preAuthorizedCodeExpirationDuration
+      preAuthorizedCodeExpirationDuration,
+      authRequestsData: opts.authRequestsData
     }),
     handleTokenRequest({
       issuer,

packages/issuer/lib/__tests__/VcIssuer.spec.ts

@@ -8,12 +8,16 @@ import { VcIssuer } from '../VcIssuer'
 import { AuthorizationServerMetadataBuilder, CredentialSupportedBuilderV1_15, VcIssuerBuilder } from '../builder'
 import { MemoryStates } from '../state-manager'
 import {
-  Alg, ALG_ERROR,
+  Alg,
+  ALG_ERROR,
   AuthorizationDetailsV1_0_15,
   CredentialConfigurationSupportedV1_0_15,
   CredentialOfferSession,
-  IssueStatus, STATE_MISSING_ERROR
+  GrantTypes,
+  IssueStatus,
+  STATE_MISSING_ERROR
 } from '@sphereon/oid4vci-common'
+import { createAccessTokenResponse } from '../tokens'
 
 const IDENTIPROOF_ISSUER_URL = 'https://issuer.research.identiproof.io'
 
@@ -334,6 +338,105 @@ describe('VcIssuer', () => {
     expect(typeof result.credentials[0].credential).toBe('object')
   })
 
+  it('should generate credential_identifiers in token response and accept them in credential request', async () => {
+    const createdAt = +new Date()
+
+    // Setup session with authorization_details
+    const authorizationDetails: AuthorizationDetailsV1_0_15[] = [{
+      type: 'openid_credential',
+      credential_configuration_id: 'UniversityDegree_JWT',
+      format: 'jwt_vc_json' as const,
+      types: ['VerifiableCredential', 'UniversityDegree_JWT']
+    }]
+
+    await vcIssuer.credentialOfferSessions.set('test-pre-authorized-code', {
+      createdAt: createdAt,
+      notification_id: '43243',
+      preAuthorizedCode: 'test-pre-authorized-code',
+      credentialOffer: {
+        credential_offer: {
+          credential_issuer: 'did:key:test',
+          credential_configuration_ids: ['UniversityDegree_JWT']
+        }
+      },
+      authorizationDetails: authorizationDetails,
+      lastUpdatedAt: createdAt,
+      status: IssueStatus.ACCESS_TOKEN_CREATED
+    })
+
+    const tokenResponse = await createAccessTokenResponse({
+      grant_type: GrantTypes.PRE_AUTHORIZED_CODE,
+      'pre-authorized_code': 'test-pre-authorized-code'
+    }, {
+      credentialOfferSessions: vcIssuer.credentialOfferSessions,
+      cNonces: vcIssuer.cNonces,
+      tokenExpiresIn: 300,
+      accessTokenSignerCallback: async () => 'mock-access-token',
+      accessTokenIssuer: 'test-issuer'
+    })
+
+    // Verify token response includes authorization_details with generated credential_identifiers
+    expect(tokenResponse.authorization_details).toBeDefined()
+    expect(tokenResponse.authorization_details).toHaveLength(1)
+    expect(tokenResponse.authorization_details![0]).toHaveProperty('credential_identifiers')
+    expect(tokenResponse.authorization_details![0].credential_identifiers).toHaveLength(1)
+
+    const generatedIdentifier = tokenResponse.authorization_details![0].credential_identifiers![0]
+    expect(generatedIdentifier).toMatch(/UniversityDegree_JWT_/)
+
+    // Step 2: Mock JWT verification for credential request
+    jwtVerifyCallback.mockResolvedValue({
+      did: 'did:example:1234',
+      kid: 'did:example:1234#auth',
+      alg: Alg.ES256K,
+      didDocument: {
+        '@context': 'https://www.w3.org/ns/did/v1',
+        id: 'did:example:1234'
+      },
+      jwt: {
+        header: {
+          typ: 'openid4vci-proof+jwt',
+          alg: Alg.ES256K,
+          kid: 'test-kid'
+        },
+        payload: {
+          aud: IDENTIPROOF_ISSUER_URL,
+          iat: +new Date() / 1000,
+          nonce: 'test-nonce',
+          // Include authorization_details from token response
+          authorization_details: tokenResponse.authorization_details
+        }
+      }
+    })
+
+    await vcIssuer.cNonces.set('test-nonce', {
+      cNonce: 'test-nonce',
+      createdAt: createdAt
+    })
+
+    // Step 3: Use generated credential_identifier in credential request
+    const credentialResult = await vcIssuer.issueCredential({
+      credential: verifiableCredential,
+      credentialRequest: {
+        credential_identifier: generatedIdentifier,
+        proof: {
+          proof_type: 'jwt',
+          jwt: 'ye.ye.ye'
+        }
+      } as any,
+      issuerCorrelation: {
+        preAuthorizedCode: 'test-pre-authorized-code',
+        authorizationDetails: tokenResponse.authorization_details
+      },
+      newCNonce: 'new-test-nonce'
+    })
+
+    // Verify credential was issued successfully
+    expect(credentialResult.credentials).toHaveLength(1)
+    expect(credentialResult.credentials[0].credential).toBeDefined()
+    expect(credentialResult.notification_id).toBe('43243')
+  })
+
   it('should reject invalid credential_identifier', async () => {
     jwtVerifyCallback.mockResolvedValue({
       did: 'did:example:1234',

packages/issuer/lib/tokens/index.ts

@@ -2,7 +2,7 @@ import { calculateJwkThumbprint, JWK, uuidv4 } from '@sphereon/oid4vc-common'
 import {
   AccessTokenRequest,
   AccessTokenResponse,
-  Alg,
+  Alg, AuthorizationRequest,
   CNonceState,
   CredentialOfferSession,
   EXPIRED_PRE_AUTHORIZED_CODE,
@@ -22,7 +22,7 @@ import {
   UNSUPPORTED_GRANT_TYPE_ERROR,
   USER_PIN_NOT_REQUIRED_ERROR,
   USER_PIN_REQUIRED_ERROR,
-  USER_PIN_TX_CODE_SPEC_ERROR,
+  USER_PIN_TX_CODE_SPEC_ERROR
 } from '@sphereon/oid4vci-common'
 
 import { generateCredentialIdentifiers, isPreAuthorizedCodeExpired } from '../functions'
@@ -105,7 +105,7 @@ export const assertValidAccessTokenRequest = async (
   opts: {
     credentialOfferSessions: IStateManager<CredentialOfferSession>
     expirationDuration: number
-    authRequestsData?: Map<string, any> // Add this for authorization code flow
+    authRequestsData?: Map<string, any>
   }
 ) => {
   const { credentialOfferSessions, expirationDuration, authRequestsData } = opts
@@ -118,7 +118,7 @@ export const assertValidAccessTokenRequest = async (
 
     // Find the authorization request data by code
     // This is simplified - you'll need to implement proper code->request mapping
-    const authRequestData = Array.from(authRequestsData.values())
+    const authRequestData:AuthorizationRequest | undefined = Array.from(authRequestsData.values())
       .find(data => data.authorization_code === request.code)
 
     if (!authRequestData) {
@@ -143,12 +143,12 @@ export const assertValidAccessTokenRequest = async (
             grants: {}
           }
         },
-        authorizationDetails: authRequestData.authorization_details,
+        authorizationDetails: authRequestData?.authorization_details,
         authorizationCode: request.code
       }
       await credentialOfferSessions.set(sessionId, credentialOfferSession)
     } else {
-      credentialOfferSession.authorizationDetails = authRequestData.authorization_details
+      credentialOfferSession.authorizationDetails = authRequestData?.authorization_details
       credentialOfferSession.authorizationCode = request.code
       credentialOfferSession.status = IssueStatus.ACCESS_TOKEN_REQUESTED
       credentialOfferSession.lastUpdatedAt = Date.now()