Merge remote-tracking branch 'origin/feature/SSISDK-73_auth_detail_fix' into develop

Author: nklomp

packages/client/lib/AuthorizationCodeClient.ts

@@ -1,7 +1,6 @@
 import {
   AuthorizationChallengeCodeResponse,
-  AuthorizationChallengeRequestOpts,
-  AuthorizationDetails,
+  AuthorizationChallengeRequestOpts, AuthorizationDetailsV1_0_15,
   AuthorizationRequestOpts,
   CodeChallengeMethod,
   CommonAuthorizationChallengeRequest,
@@ -194,7 +193,7 @@ export const createAuthorizationRequestUrl = async ({
         ...(format && { format }),
         ...(vct && { vct, claims: cred.claims ? removeDisplayAndValueTypes(cred.claims) : undefined }),
         ...(doctype && { doctype, claims: cred.claims ? removeDisplayAndValueTypes(cred.claims) : undefined })
-      } as AuthorizationDetails
+      } as AuthorizationDetailsV1_0_15
     })
     if (!authorizationDetails || authorizationDetails.length === 0) {
       throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`)
@@ -286,8 +285,8 @@ const hasCredentialDefinition = (cred: any): cred is {
 
 const handleAuthorizationDetails = (
   endpointMetadata: EndpointMetadataResultV1_0_15,
-  authorizationDetails?: AuthorizationDetails | AuthorizationDetails[]
-): AuthorizationDetails | AuthorizationDetails[] | undefined => {
+  authorizationDetails?: AuthorizationDetailsV1_0_15 | AuthorizationDetailsV1_0_15[]
+): AuthorizationDetailsV1_0_15 | AuthorizationDetailsV1_0_15[] | undefined => {
   if (authorizationDetails) {
     if (typeof authorizationDetails === 'string') {
       // backwards compat for older versions of the lib
@@ -306,7 +305,7 @@ const handleAuthorizationDetails = (
 
 const handleLocations = (
   endpointMetadata: EndpointMetadataResultV1_0_15,
-  authorizationDetails: AuthorizationDetails
+  authorizationDetails: AuthorizationDetailsV1_0_15
 ) => {
   if (typeof authorizationDetails === 'string') {
     // backwards compat for older versions of the lib

packages/client/lib/AuthorizationDetailsBuilder.ts

@@ -1,16 +1,15 @@
-import { AuthorizationDetails, AuthorizationDetailsJwtVcJson, OID4VCICredentialFormat } from '@sphereon/oid4vci-common'
+import {
+  AuthorizationDetailsJwtVcJson,
+  AuthorizationDetailsV1_0_15,
+  OID4VCICredentialFormat
+} from '@sphereon/oid4vci-common'
 
 //todo: refactor this builder to be able to create ldp details as well
 export class AuthorizationDetailsBuilder {
-  private readonly authorizationDetails: Partial<Exclude<AuthorizationDetails, string>>
+  private readonly authorizationDetails: Partial<Exclude<AuthorizationDetailsV1_0_15, string>>
 
   constructor() {
-    this.authorizationDetails = {}
-  }
-
-  withType(type: string): AuthorizationDetailsBuilder {
-    this.authorizationDetails.type = type
-    return this
+    this.authorizationDetails = { type: 'openid_credential' }
   }
 
   withFormats(format: OID4VCICredentialFormat): AuthorizationDetailsBuilder {

packages/client/lib/CredentialRequestClient.ts

@@ -1,7 +1,8 @@
 import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereon/oid4vc-common'
 import {
   acquireDeferredCredential,
-  AuthorizationDetails,
+  AuthorizationDetailsV1_0_15,
+  CredentialRequest,
   CredentialRequestV1_0_15,
   CredentialResponse,
   DPoPResponseParams,
@@ -14,7 +15,6 @@ import {
   post,
   ProofOfPossession,
   supportedOID4VCICredentialFormat,
-  CredentialRequest,
   URL_NOT_VALID
 } from '@sphereon/oid4vci-common'
 import { CredentialFormat, Loggers } from '@sphereon/ssi-types'
@@ -40,7 +40,7 @@ export interface CredentialRequestOpts {
   version: OpenId4VCIVersion
   subjectIssuance?: ExperimentalSubjectIssuance
   issuerState?: string
-  authorizationDetails?: AuthorizationDetails[]
+  authorizationDetails?: AuthorizationDetailsV1_0_15[]
 }
 
 export type CreateCredentialRequestOpts = {
@@ -72,15 +72,14 @@ export async function buildProof(
   return await proofInput.build()
 }
 
-function isOpenIdCredentialDetail(ad: AuthorizationDetails): ad is AuthorizationDetails {
+function isOpenIdCredentialDetail(ad: AuthorizationDetailsV1_0_15): ad is AuthorizationDetailsV1_0_15 {
   return typeof ad === 'object' && ad !== null && ad.type === 'openid_credential'
 }
 
-// Update the helper function:
 function findAuthorizationDetail(
-  authorizationDetails: AuthorizationDetails[] | undefined,
+  authorizationDetails: AuthorizationDetailsV1_0_15[] | undefined,
   preferredConfigId?: string
-): AuthorizationDetails | undefined {
+): AuthorizationDetailsV1_0_15 | undefined {
   if (!authorizationDetails) {
     return undefined
   }
@@ -93,10 +92,20 @@ function findAuthorizationDetail(
 
   // If a preferred config ID is specified, try to find a match
   if (preferredConfigId) {
-    const match = openIdCredentialDetails.find(detail =>
-      typeof detail === 'object' && detail !== null &&
-      (detail as any).credential_configuration_id === preferredConfigId
-    )
+    const match = openIdCredentialDetails.find(detail => {
+      if (typeof detail !== 'object' || detail === null) return false
+
+      const detailObj = detail as any
+
+      if (detailObj.credential_configuration_id === preferredConfigId) {
+        return true
+      }
+      if (detailObj.credential_identifier === preferredConfigId) {
+        return true
+      }
+      return Array.isArray(detailObj.credential_identifiers) && detailObj.credential_identifiers.includes(preferredConfigId)
+    })
+
     if (match) {
       return match
     }

packages/client/lib/__tests__/AuthorizationDetailsBuilder.spec.ts

@@ -8,7 +8,6 @@ describe('AuthorizationDetailsBuilder test', () => {
     const actual = new AuthorizationDetailsBuilder()
       .withFormats('jwt_vc' as OID4VCICredentialFormat)
       .withLocations(['test1', 'test2'])
-      .withType('openid_credential')
       .buildJwtVcJson()
     expect(actual).toEqual({
       type: 'openid_credential',
@@ -20,7 +19,6 @@ describe('AuthorizationDetailsBuilder test', () => {
     const actual = new AuthorizationDetailsBuilder()
       .withFormats('jwt_vc' as OID4VCICredentialFormat)
       .withLocations(['test1'])
-      .withType('openid_credential')
       .buildJwtVcJson()
     expect(actual).toEqual({
       type: 'openid_credential',
@@ -31,24 +29,16 @@ describe('AuthorizationDetailsBuilder test', () => {
   it('should create AuthorizationDetails object if locations is missing', () => {
     const actual = new AuthorizationDetailsBuilder()
       .withFormats('jwt_vc' as OID4VCICredentialFormat)
-      .withType('openid_credential')
       .buildJwtVcJson()
     expect(actual).toEqual({
       type: 'openid_credential',
       format: 'jwt_vc',
     })
   })
-  it('should fail if type is missing', () => {
-    expect(() => {
-      new AuthorizationDetailsBuilder()
-        .withFormats('jwt_vc' as OID4VCICredentialFormat)
-        .withLocations(['test1'])
-        .buildJwtVcJson()
-    }).toThrow(Error('Type and format are required properties'))
-  })
+
   it('should fail if format is missing', () => {
     expect(() => {
-      new AuthorizationDetailsBuilder().withType('openid_credential').withLocations(['test1']).buildJwtVcJson()
+      new AuthorizationDetailsBuilder().withLocations(['test1']).buildJwtVcJson()
     }).toThrow(Error('Type and format are required properties'))
   })
 })

packages/issuer-rest/lib/IssuerTokenEndpoint.ts

@@ -1,5 +1,11 @@
 import { DPoPVerifyJwtCallback, JWK, uuidv4, verifyDPoP } from '@sphereon/oid4vc-common'
-import { GrantTypes, PRE_AUTHORIZED_CODE_REQUIRED_ERROR, TokenError, TokenErrorResponse } from '@sphereon/oid4vci-common'
+import {
+  AuthorizationRequest,
+  GrantTypes,
+  PRE_AUTHORIZED_CODE_REQUIRED_ERROR,
+  TokenError,
+  TokenErrorResponse
+} from '@sphereon/oid4vci-common'
 import { assertValidAccessTokenRequest, createAccessTokenResponse, ITokenEndpointOpts, VcIssuer } from '@sphereon/oid4vci-issuer'
 import { sendErrorResponse } from '@sphereon/ssi-express-support'
 import { NextFunction, Request, Response } from 'express'
@@ -29,7 +35,7 @@ export const handleTokenRequest = ({
     dPoPVerifyJwtCallback: DPoPVerifyJwtCallback
   }
   // The full URL of the access token endpoint
-  accessTokenEndpoint?: string
+  accessTokenEndpoint?: string,
 }) => {
   return async (request: Request, response: Response) => {
     response.set({
@@ -115,14 +121,19 @@ export const handleTokenRequest = ({
 }
 
 export const verifyTokenRequest = ({
-  preAuthorizedCodeExpirationDuration,
-  issuer,
-}: Required<Pick<ITokenEndpointOpts, 'preAuthorizedCodeExpirationDuration'> & { issuer: VcIssuer }>) => {
+                                     preAuthorizedCodeExpirationDuration,
+                                     issuer,
+                                     authRequestsData
+                                   }: Required<Pick<ITokenEndpointOpts, 'preAuthorizedCodeExpirationDuration'>> & {
+  issuer: VcIssuer,
+  authRequestsData?: Map<string, AuthorizationRequest>
+}) => {
   return async (request: Request, response: Response, next: NextFunction) => {
     try {
       await assertValidAccessTokenRequest(request.body, {
         expirationDuration: preAuthorizedCodeExpirationDuration,
         credentialOfferSessions: issuer.credentialOfferSessions,
+        authRequestsData
       })
     } catch (error) {
       if (error instanceof TokenError) {

packages/issuer-rest/lib/OID4VCIServer.ts

@@ -226,7 +226,11 @@ export class OID4VCIServer {
     })
     this.assertAccessTokenHandling()
     if (!this.isTokenEndpointDisabled(opts?.endpointOpts?.tokenEndpointOpts, opts?.asClientOpts)) {
-      accessTokenEndpoint(this.router, this.issuer, { ...opts?.endpointOpts?.tokenEndpointOpts, baseUrl: this.baseUrl })
+      accessTokenEndpoint(this.router, this.issuer, {
+        ...opts?.endpointOpts?.tokenEndpointOpts,
+        baseUrl: this.baseUrl,
+        authRequestsData: this.authRequestsData
+      })
     }
     if (this.isStatusEndpointEnabled(opts?.endpointOpts?.getStatusOpts)) {
       getIssueStatusEndpoint(this.router, this.issuer, { ...opts?.endpointOpts?.getStatusOpts, baseUrl: this.baseUrl })

packages/issuer-rest/lib/oid4vci-api-functions.ts

@@ -220,7 +220,8 @@ export function authorizationChallengeEndpoint(
 }
 
 export function accessTokenEndpoint(router: Router, issuer: VcIssuer, opts: ITokenEndpointOpts & ISingleEndpointOpts & {
-  baseUrl: string | URL
+  baseUrl: string | URL,
+  authRequestsData?: Map<string, AuthorizationRequest>
 }) {
   const externalAS = isExternalAS(issuer.issuerMetadata) || issuer.asClientOpts
   if (externalAS || (opts.accessTokenProvider && opts.accessTokenProvider !== 'internal')) {
@@ -263,12 +264,14 @@ export function accessTokenEndpoint(router: Router, issuer: VcIssuer, opts: ITok
 
   LOG.log(`[OID4VCI] Token endpoint enabled at ${url.toString()}`)
 
+
   // this.issuer.issuerMetadata.token_endpoint = url.toString()
   router.post(
     determinePath(baseUrl, url.pathname, { stripBasePath: true }),
     verifyTokenRequest({
       issuer,
-      preAuthorizedCodeExpirationDuration
+      preAuthorizedCodeExpirationDuration,
+      authRequestsData: opts.authRequestsData
     }),
     handleTokenRequest({
       issuer,
@@ -313,6 +316,23 @@ export function getCredentialEndpoint(
         if('issuer_state' in tokenClaims && typeof tokenClaims.issuer_state === 'string') {
           issuerCorrelation.issuerState = tokenClaims.issuer_state
         }
+
+        // Handle credential_identifier from authorization_details flow
+        if ('authorization_details' in tokenClaims && Array.isArray(tokenClaims.authorization_details)) {
+          issuerCorrelation.authorizationDetails = tokenClaims.authorization_details
+
+          if (credentialRequest.credential_identifier) {
+            const validIdentifiers = tokenClaims.authorization_details
+              .flatMap((detail: any) => detail.credential_identifiers || [])
+
+            if (!validIdentifiers.includes(credentialRequest.credential_identifier)) {
+              return sendErrorResponse(response, 400, {
+                error: 'invalid_credential_request',
+                error_description: 'credential_identifier not found in authorization_details'
+              })
+            }
+          }
+        }
       } catch (e) {
         LOG.warning(e)
         return sendErrorResponse(response, 400, {
@@ -670,13 +690,51 @@ export function pushedAuthorizationEndpoint(
       })
     }
 
-    //TODO Implement authorization_details verification
+    // Add the authorization_details validation here:
+    if (req.body.authorization_details) {
+      const authDetails = Array.isArray(req.body.authorization_details)
+        ? req.body.authorization_details
+        : JSON.parse(req.body.authorization_details)
+
+      // Validate each authorization detail
+      for (const detail of authDetails) {
+        if (detail.type !== 'openid_credential') {
+          return sendErrorResponse(res, 400, {
+            error: 'invalid_authorization_details',
+            error_description: 'Only openid_credential type is supported'
+          })
+        }
+
+        // Validate credential_configuration_id exists in issuer metadata
+        if (detail.credential_configuration_id &&
+            !issuer.issuerMetadata.credential_configurations_supported[detail.credential_configuration_id]) {
+          return sendErrorResponse(res, 400, {
+            error: 'invalid_credential_request',
+            error_description: `Unsupported credential configuration: ${detail.credential_configuration_id}`
+          })
+        }
+      }
+    }
 
     // TODO: Both UUID and requestURI need to be configurable for the server
     const uuid = uuidv4()
     const requestUri = `urn:ietf:params:oauth:request_uri:${uuid}`
-    // The redirect_uri is created and set in a map, to keep track of the actual request
-    authRequestsData.set(requestUri, req.body)
+
+    // Store authorization_details in the request for later retrieval
+    let requestData = req.body
+    if (req.body.authorization_details) {
+      const authDetails = Array.isArray(req.body.authorization_details)
+        ? req.body.authorization_details
+        : JSON.parse(req.body.authorization_details)
+
+      requestData = {
+        ...req.body,
+        authorization_details: authDetails // Store parsed authorization details
+      }
+    }
+
+    authRequestsData.set(requestUri, requestData)
+
     // Invalidates the request_uri removing it from the mapping after it is expired, needs to be refactored because
     // some of the properties will be needed in subsequent steps if the authorization succeeds
     // TODO in the /token endpoint the code_challenge must be matched against the hashed code_verifier

packages/issuer/lib/VcIssuer.ts

@@ -394,6 +394,17 @@ export class VcIssuer {
           throw Error(TokenErrorResponse.invalid_request)
         }
       }
+
+      // Validate credential_identifier against authorization_details if present
+      if ('credential_identifier' in credentialRequest && credentialRequest.credential_identifier && issuerCorrelation.authorizationDetails) {
+        const validIdentifiers = issuerCorrelation.authorizationDetails
+          .flatMap((detail: any) => detail.credential_identifiers || [])
+
+        if (!validIdentifiers.includes(credentialRequest.credential_identifier)) {
+          throw Error('credential_identifier not found in authorization_details')
+        }
+      }
+
       let format = this.lookupCredentialFormat(credentialRequest)
       const validated = await this.validateCredentialRequestProof({
         ...opts,