chore: authorization_details tests passing

Author: sanderPostma

packages/client/lib/AuthorizationCodeClient.ts

@@ -1,7 +1,6 @@
 import {
   AuthorizationChallengeCodeResponse,
-  AuthorizationChallengeRequestOpts,
-  AuthorizationDetails,
+  AuthorizationChallengeRequestOpts, AuthorizationDetailsV1_0_15,
   AuthorizationRequestOpts,
   CodeChallengeMethod,
   CommonAuthorizationChallengeRequest,
@@ -185,7 +184,7 @@ export const createAuthorizationRequestUrl = async ({
         ...(format && { format }),
         ...(vct && { vct, claims: cred.claims ? removeDisplayAndValueTypes(cred.claims) : undefined }),
         ...(doctype && { doctype, claims: cred.claims ? removeDisplayAndValueTypes(cred.claims) : undefined })
-      } as AuthorizationDetails
+      } as AuthorizationDetailsV1_0_15
     })
     if (!authorizationDetails || authorizationDetails.length === 0) {
       throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`)
@@ -278,8 +277,8 @@ const hasCredentialDefinition = (cred: any): cred is {
 
 const handleAuthorizationDetails = (
   endpointMetadata: EndpointMetadataResultV1_0_15,
-  authorizationDetails?: AuthorizationDetails | AuthorizationDetails[]
-): AuthorizationDetails | AuthorizationDetails[] | undefined => {
+  authorizationDetails?: AuthorizationDetailsV1_0_15 | AuthorizationDetailsV1_0_15[]
+): AuthorizationDetailsV1_0_15 | AuthorizationDetailsV1_0_15[] | undefined => {
   if (authorizationDetails) {
     if (typeof authorizationDetails === 'string') {
       // backwards compat for older versions of the lib
@@ -298,7 +297,7 @@ const handleAuthorizationDetails = (
 
 const handleLocations = (
   endpointMetadata: EndpointMetadataResultV1_0_15,
-  authorizationDetails: AuthorizationDetails
+  authorizationDetails: AuthorizationDetailsV1_0_15
 ) => {
   if (typeof authorizationDetails === 'string') {
     // backwards compat for older versions of the lib

packages/client/lib/AuthorizationDetailsBuilder.ts

@@ -1,18 +1,17 @@
-import { AuthorizationDetails, AuthorizationDetailsJwtVcJson, OID4VCICredentialFormat } from '@sphereon/oid4vci-common'
+import {
+  AuthorizationDetailsJwtVcJson,
+  AuthorizationDetailsV1_0_15,
+  OID4VCICredentialFormat
+} from '@sphereon/oid4vci-common'
 
 //todo: refactor this builder to be able to create ldp details as well
 export class AuthorizationDetailsBuilder {
-  private readonly authorizationDetails: Partial<Exclude<AuthorizationDetails, string>>
+  private readonly authorizationDetails: Partial<Exclude<AuthorizationDetailsV1_0_15, string>>
 
   constructor() {
     this.authorizationDetails = {}
   }
 
-  withType(type: string): AuthorizationDetailsBuilder {
-    this.authorizationDetails.type = type
-    return this
-  }
-
   withFormats(format: OID4VCICredentialFormat): AuthorizationDetailsBuilder {
     this.authorizationDetails.format = format
     return this

packages/client/lib/CredentialRequestClient.ts

@@ -1,7 +1,8 @@
 import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereon/oid4vc-common'
 import {
   acquireDeferredCredential,
-  AuthorizationDetails,
+  AuthorizationDetailsV1_0_15,
+  CredentialRequest,
   CredentialRequestV1_0_15,
   CredentialResponse,
   DPoPResponseParams,
@@ -14,7 +15,6 @@ import {
   post,
   ProofOfPossession,
   supportedOID4VCICredentialFormat,
-  CredentialRequest,
   URL_NOT_VALID
 } from '@sphereon/oid4vci-common'
 import { CredentialFormat, Loggers } from '@sphereon/ssi-types'
@@ -40,7 +40,7 @@ export interface CredentialRequestOpts {
   version: OpenId4VCIVersion
   subjectIssuance?: ExperimentalSubjectIssuance
   issuerState?: string
-  authorizationDetails?: AuthorizationDetails[]
+  authorizationDetails?: AuthorizationDetailsV1_0_15[]
 }
 
 export type CreateCredentialRequestOpts = {
@@ -72,14 +72,14 @@ export async function buildProof(
   return await proofInput.build()
 }
 
-function isOpenIdCredentialDetail(ad: AuthorizationDetails): ad is AuthorizationDetails {
+function isOpenIdCredentialDetail(ad: AuthorizationDetailsV1_0_15): ad is AuthorizationDetailsV1_0_15 {
   return typeof ad === 'object' && ad !== null && ad.type === 'openid_credential'
 }
 
 function findAuthorizationDetail(
-  authorizationDetails: AuthorizationDetails[] | undefined,
+  authorizationDetails: AuthorizationDetailsV1_0_15[] | undefined,
   preferredConfigId?: string
-): AuthorizationDetails | undefined {
+): AuthorizationDetailsV1_0_15 | undefined {
   if (!authorizationDetails) {
     return undefined
   }

packages/issuer-rest/lib/oid4vci-api-functions.ts

@@ -313,6 +313,23 @@ export function getCredentialEndpoint(
         if('issuer_state' in tokenClaims && typeof tokenClaims.issuer_state === 'string') {
           issuerCorrelation.issuerState = tokenClaims.issuer_state
         }
+
+        // Handle credential_identifier from authorization_details flow
+        if ('authorization_details' in tokenClaims && Array.isArray(tokenClaims.authorization_details)) {
+          issuerCorrelation.authorizationDetails = tokenClaims.authorization_details
+
+          if (credentialRequest.credential_identifier) {
+            const validIdentifiers = tokenClaims.authorization_details
+              .flatMap((detail: any) => detail.credential_identifiers || [])
+
+            if (!validIdentifiers.includes(credentialRequest.credential_identifier)) {
+              return sendErrorResponse(response, 400, {
+                error: 'invalid_credential_request',
+                error_description: 'credential_identifier not found in authorization_details'
+              })
+            }
+          }
+        }
       } catch (e) {
         LOG.warning(e)
         return sendErrorResponse(response, 400, {
@@ -727,8 +744,22 @@ export function pushedAuthorizationEndpoint(
     // TODO: Both UUID and requestURI need to be configurable for the server
     const uuid = uuidv4()
     const requestUri = `urn:ietf:params:oauth:request_uri:${uuid}`
-    // The redirect_uri is created and set in a map, to keep track of the actual request
-    authRequestsData.set(requestUri, req.body)
+
+    // Store authorization_details in the request for later retrieval
+    let requestData = req.body
+    if (req.body.authorization_details) {
+      const authDetails = Array.isArray(req.body.authorization_details)
+        ? req.body.authorization_details
+        : JSON.parse(req.body.authorization_details)
+
+      requestData = {
+        ...req.body,
+        authorization_details: authDetails // Store parsed authorization details
+      }
+    }
+
+    authRequestsData.set(requestUri, requestData)
+
     // Invalidates the request_uri removing it from the mapping after it is expired, needs to be refactored because
     // some of the properties will be needed in subsequent steps if the authorization succeeds
     // TODO in the /token endpoint the code_challenge must be matched against the hashed code_verifier

packages/issuer/lib/VcIssuer.ts

@@ -394,6 +394,17 @@ export class VcIssuer {
           throw Error(TokenErrorResponse.invalid_request)
         }
       }
+
+      // Validate credential_identifier against authorization_details if present
+      if ('credential_identifier' in credentialRequest && credentialRequest.credential_identifier && issuerCorrelation.authorizationDetails) {
+        const validIdentifiers = issuerCorrelation.authorizationDetails
+          .flatMap((detail: any) => detail.credential_identifiers || [])
+
+        if (!validIdentifiers.includes(credentialRequest.credential_identifier)) {
+          throw Error('credential_identifier not found in authorization_details')
+        }
+      }
+
       let format = this.lookupCredentialFormat(credentialRequest)
       const validated = await this.validateCredentialRequestProof({
         ...opts,