Merge remote-tracking branch 'origin/develop' into feature/MWALL-715

packages/client/lib/OpenID4VCIClient.ts

@@ -130,6 +130,7 @@ export class OpenID4VCIClient {
     pkce,
     authorizationRequest,
     createAuthorizationRequestURL,
+    endpointMetadata
   }: {
     credentialIssuer: string;
     kid?: string;
@@ -139,6 +140,7 @@ export class OpenID4VCIClient {
     createAuthorizationRequestURL?: boolean;
     authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
     pkce?: PKCEOpts;
+    endpointMetadata?: EndpointMetadataResult
   }) {
     const client = new OpenID4VCIClient({
       kid,
@@ -147,6 +149,7 @@ export class OpenID4VCIClient {
       credentialIssuer,
       pkce,
       authorizationRequest,
+      endpointMetadata
     });
     if (retrieveServerMetadata === undefined || retrieveServerMetadata) {
       await client.retrieveServerMetadata();
@@ -173,6 +176,7 @@ export class OpenID4VCIClient {
     createAuthorizationRequestURL,
     authorizationRequest,
     resolveOfferUri,
+    endpointMetadata
   }: {
     uri: string;
     kid?: string;
@@ -183,6 +187,7 @@ export class OpenID4VCIClient {
     pkce?: PKCEOpts;
     clientId?: string;
     authorizationRequest?: AuthorizationRequestOpts; // Can be provided here, or when manually calling createAuthorizationUrl
+    endpointMetadata?: EndpointMetadataResult
   }): Promise<OpenID4VCIClient> {
     const credentialOfferClient = await CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri });
     const client = new OpenID4VCIClient({
@@ -192,6 +197,7 @@ export class OpenID4VCIClient {
       clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
       pkce,
       authorizationRequest,
+      endpointMetadata
     });
 
     if (retrieveServerMetadata === undefined || retrieveServerMetadata) {

packages/jarm/lib/jarm-auth-response-send/jarm-auth-response-send.ts

@@ -1,7 +1,7 @@
-import { appendFragmentParams, appendQueryParams } from '../utils.js';
-import type { JarmResponseMode, Openid4vpJarmResponseMode } from '../v-response-mode-registry.js';
-import { getJarmDefaultResponseMode, validateResponseMode } from '../v-response-mode-registry.js';
-import type { ResponseTypeOut } from '../v-response-type-registry.js';
+import { appendFragmentParams, appendQueryParams } from '../utils.js'
+import type { JarmResponseMode, Openid4vpJarmResponseMode } from '../v-response-mode-registry.js'
+import { getJarmDefaultResponseMode, validateResponseMode } from '../v-response-mode-registry.js'
+import type { ResponseTypeOut } from '../v-response-type-registry.js'
 
 interface JarmAuthResponseSendInput {
   authRequestParams: {
@@ -17,10 +17,11 @@ interface JarmAuthResponseSendInput {
   );
 
   authResponse: string;
+  state: string;
 }
 
 export const jarmAuthResponseSend = async (input: JarmAuthResponseSendInput): Promise<Response> => {
-  const { authRequestParams, authResponse } = input;
+  const { authRequestParams, authResponse, state } = input;
 
   const responseEndpoint = 'response_uri' in authRequestParams ? new URL(authRequestParams.response_uri) : new URL(authRequestParams.redirect_uri);
 
@@ -36,40 +37,39 @@ export const jarmAuthResponseSend = async (input: JarmAuthResponseSendInput): Pr
 
   switch (responseMode) {
     case 'direct_post.jwt':
-      return handleDirectPostJwt(responseEndpoint, authResponse);
+      return handleDirectPostJwt(responseEndpoint, authResponse, state);
     case 'query.jwt':
-      return handleQueryJwt(responseEndpoint, authResponse);
+      return handleQueryJwt(responseEndpoint, authResponse, state);
     case 'fragment.jwt':
-      return handleFragmentJwt(responseEndpoint, authResponse);
+      return handleFragmentJwt(responseEndpoint, authResponse, state);
     case 'form_post.jwt':
       throw new Error('Not implemented. form_post.jwt is not yet supported.');
   }
 };
 
-async function handleDirectPostJwt(responseEndpoint: URL, responseJwt: string) {
-  const response = await fetch(responseEndpoint, {
+async function handleDirectPostJwt(responseEndpoint: URL, responseJwt: string, state: string) {
+  const response =  await fetch(responseEndpoint, {
     method: 'POST',
     headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    body: `response=${responseJwt}`,
-  });
-
+    body: `response=${responseJwt}&state=${state}`
+  })
   return response;
 }
 
-async function handleQueryJwt(responseEndpoint: URL, responseJwt: string) {
+async function handleQueryJwt(responseEndpoint: URL, responseJwt: string, state: string) {
   const responseUrl = appendQueryParams({
     url: responseEndpoint,
-    params: { response: responseJwt },
+    params: { response: responseJwt, state },
   });
 
   const response = await fetch(responseUrl, { method: 'POST' });
   return response;
 }
 
-async function handleFragmentJwt(responseEndpoint: URL, responseJwt: string) {
+async function handleFragmentJwt(responseEndpoint: URL, responseJwt: string, state: string) {
   const responseUrl = appendFragmentParams({
     url: responseEndpoint,
-    fragments: { response: responseJwt },
+    fragments: { response: responseJwt, state },
   });
   const response = await fetch(responseUrl, { method: 'POST' });
   return response;

packages/siop-oid4vp/lib/authorization-request/URI.ts

@@ -237,16 +237,22 @@ export class URI implements AuthorizationRequestURI {
     return { scheme, authorizationRequestPayload }
   }
 
-  public static async parseAndResolve(uri: string) {
+  public static async parseAndResolve(uri: string, rpRegistrationMetadata?: RPRegistrationMetadataPayload) {
     if (!uri) {
       throw Error(SIOPErrors.BAD_PARAMS)
     }
     const { authorizationRequestPayload, scheme } = this.parse(uri)
+
     const requestObjectJwt = await fetchByReferenceOrUseByValue(authorizationRequestPayload.request_uri, authorizationRequestPayload.request, true)
-    const registrationMetadata: RPRegistrationMetadataPayload = await fetchByReferenceOrUseByValue(
-      authorizationRequestPayload['client_metadata_uri'] ?? authorizationRequestPayload['registration_uri'],
-      authorizationRequestPayload['client_metadata'] ?? authorizationRequestPayload['registration'],
-    )
+    let registrationMetadata: RPRegistrationMetadataPayload
+    if (rpRegistrationMetadata !== undefined && rpRegistrationMetadata !== null) {
+      registrationMetadata = rpRegistrationMetadata
+    } else {
+        registrationMetadata = await fetchByReferenceOrUseByValue(
+        authorizationRequestPayload['client_metadata_uri'] ?? authorizationRequestPayload['registration_uri'],
+        authorizationRequestPayload['client_metadata'] ?? authorizationRequestPayload['registration'],
+      )
+    }
     assertValidRPRegistrationMedataPayload(registrationMetadata)
     return { scheme, authorizationRequestPayload, requestObjectJwt, registrationMetadata }
   }

packages/siop-oid4vp/lib/authorization-response/PresentationExchange.ts

@@ -397,7 +397,8 @@ export class PresentationExchange {
           try {
             verificationResult = await verifyPresentationCallback(presentation as W3CVerifiablePresentation, evaluationResults.value!)
           } catch (error: unknown) {
-            throw new Error(SIOPErrors.VERIFIABLE_PRESENTATION_SIGNATURE_NOT_VALID)
+            const errorMessage = error instanceof Error ? error.message : String(error)
+            throw new Error(`${SIOPErrors.VERIFIABLE_PRESENTATION_SIGNATURE_NOT_VALID}: ${errorMessage}`)
           }
 
           if (!verificationResult.verified) {

packages/siop-oid4vp/lib/op/OP.ts

@@ -25,7 +25,7 @@ import {
   RegisterEventListener,
   RequestObjectPayload,
   ResponseIss,
-  ResponseMode,
+  ResponseMode, RPRegistrationMetadataPayload,
   SIOPErrors,
   SupportedVersion,
   UrlEncodingFormat,
@@ -248,6 +248,7 @@ export class OP {
             response_type: responseType,
           },
           authResponse: response,
+          state: requestObjectPayload.state
         })
         void this.emitEvent(AuthorizationEvents.ON_AUTH_RESPONSE_SENT_SUCCESS, { correlationId, subject: response })
         return jarmResponse
@@ -276,9 +277,10 @@ export class OP {
    * Create an Authentication Request Payload from a URI string
    *
    * @param encodedUri
+   * @param rpRegistrationMetadata
    */
-  public async parseAuthorizationRequestURI(encodedUri: string): Promise<ParsedAuthorizationRequestURI> {
-    const { scheme, requestObjectJwt, authorizationRequestPayload, registrationMetadata } = await URI.parseAndResolve(encodedUri)
+  public async parseAuthorizationRequestURI(encodedUri: string, rpRegistrationMetadata?: RPRegistrationMetadataPayload): Promise<ParsedAuthorizationRequestURI> {
+    const { scheme, requestObjectJwt, authorizationRequestPayload, registrationMetadata } = await URI.parseAndResolve(encodedUri, rpRegistrationMetadata)
 
     return {
       encodedUri,

packages/siop-oid4vp/lib/types/SIOP.types.ts

@@ -1,6 +1,10 @@
 // noinspection JSUnusedGlobalSymbols
 import { JarmClientMetadata } from '@sphereon/jarm'
-import { DynamicRegistrationClientMetadata, JWKS, SigningAlgo } from '@sphereon/oid4vc-common'
+import {
+  DynamicRegistrationClientMetadata,
+  JWKS,
+  SigningAlgo
+} from '@sphereon/oid4vc-common'
 import { Format, PresentationDefinitionV1, PresentationDefinitionV2 } from '@sphereon/pex-models'
 import {
   AdditionalClaims,
@@ -11,23 +15,29 @@ import {
   PresentationSubmission,
   W3CVerifiableCredential,
   W3CVerifiablePresentation,
-  WrappedVerifiablePresentation,
+  WrappedVerifiablePresentation
 } from '@sphereon/ssi-types'
 import { DcqlQuery } from 'dcql'
 
-import { AuthorizationRequest, CreateAuthorizationRequestOpts, PropertyTargets, VerifyAuthorizationRequestOpts } from '../authorization-request'
+import {
+  AuthorizationRequest,
+  CreateAuthorizationRequestOpts,
+  PropertyTargets,
+  VerifyAuthorizationRequestOpts
+} from '../authorization-request'
 import {
   AuthorizationResponse,
   AuthorizationResponseOpts,
   PresentationDefinitionWithLocation,
   PresentationVerificationCallback,
-  VerifyAuthorizationResponseOpts,
+  VerifyAuthorizationResponseOpts
 } from '../authorization-response'
-import { JwksMetadataParams } from '../helpers/ExtractJwks'
+import { JwksMetadataParams } from '../helpers'
 import { RequestObject, RequestObjectOpts } from '../request-object'
 import { IRPSessionManager } from '../rp'
 
 import { JWTPayload, VerifiedJWT } from './index'
+
 export const DEFAULT_EXPIRATION_TIME = 10 * 60
 
 // https://openid.net/specs/openid-connect-core-1_0.html#RequestObject