@sphereon/oid4vci-client

import * as crypto from 'crypto'; import { uuidv4 } from '@sphereon/oid4vc-common'; import { Alg, Jwt, ProofOfPossessionCallbacks } from '@sphereon/oid4vci-common'; import { CredentialMapper } from '@sphereon/ssi-types'; import * as didts from '@transmute/did-key.js'; import { fetch } from 'cross-fetch'; import debug from 'debug'; import { importJWK, JWK, SignJWT } from 'jose'; import { OpenID4VCIClientV1_0_11 } from '..'; export const UNIT_TEST_TIMEOUT = 60000; const ISSUER_URL = 'https://ssi.sphereon.com/pf3'; const jwk: JWK = { crv: 'Ed25519', d: 'kTRm0aONHYwNPA-w_DtjMHUIWjE3K70qgCIhWojZ0eU', x: 'NeA0d8sp86xRh3DczU4m5wPNIbl0HCSwOBcMN3sNmdk', kty: 'OKP', }; // pub hex: 35e03477cb29f3ac518770dccd4e26e703cd21b9741c24b038170c377b0d99d9 // priv hex: 913466d1a38d1d8c0d3c0fb0fc3b633075085a31372bbd2a8022215a88d9d1e5 const did = `did:key:z6Mki5ZwZKN1dBQprfJTikUvkDxrHijiiQngkWviMF5gw2Hv`; const kid = `${did}#z6Mki5ZwZKN1dBQprfJTikUvkDxrHijiiQngkWviMF5gw2Hv`; // Sphereon infra down rn describe.skip('OID4VCI-Client using Sphereon issuer should', () => { async function test(format: 'ldp_vc' | 'jwt_vc_json') { debug.enable('*'); const offer = await getCredentialOffer(format); const client = await OpenID4VCIClientV1_0_11.fromURI({ uri: offer.uri, kid, alg: Alg.EdDSA, }); expect(client.credentialOffer).toBeDefined(); expect(client.endpointMetadata).toBeDefined(); expect(client.getCredentialEndpoint()).toEqual(`${ISSUER_URL}/credentials`); expect(client.getAccessTokenEndpoint()).toEqual(`${ISSUER_URL}/token`); const accessToken = await client.acquireAccessToken(); // console.log(accessToken); expect(accessToken).toMatchObject({ expires_in: 300, // scope: 'GuestCredential', token_type: 'bearer', }); const credentialResponse = await client.acquireCredentials({ credentialTypes: 'GuestCredential', format, proofCallbacks: { signCallback: proofOfPossessionCallbackFunction, }, }); expect(credentialResponse.credential).toBeDefined(); const wrappedVC = CredentialMapper.toWrappedVerifiableCredential(credentialResponse.credential!); expect(format.startsWith(wrappedVC.format)).toEqual(true); } it( 'succeed in a full flow with the client using OpenID4VCI version 11 and ldp_vc', async () => { await test('ldp_vc'); }, UNIT_TEST_TIMEOUT, ); it( 'succeed in a full flow with the client using OpenID4VCI version 11 and jwt_vc_json', async () => { await test('jwt_vc_json'); }, UNIT_TEST_TIMEOUT, ); }); interface CreateCredentialOfferResponse { uri: string; userPinRequired: boolean; } async function getCredentialOffer(format: 'ldp_vc' | 'jwt_vc_json'): Promise<CreateCredentialOfferResponse> { const credentialOffer = await fetch('https://ssi.sphereon.com/pf3/webapp/credential-offers', { method: 'post', headers: { Accept: 'application/json', 'Content-Type': 'application/json', }, //make sure to serialize your JSON body body: JSON.stringify({ credentials: ['GuestCredential'], grants: { 'urn:ietf:params:oauth:grant-type:pre-authorized_code': { 'pre-authorized_code': uuidv4().substring(0, 10), user_pin_required: false, }, }, credentialDataSupplierInput: { firstName: 'Hello', lastName: 'World', email: 'hello.world@example.com' }, }), }); return (await credentialOffer.json()) as CreateCredentialOfferResponse; } async function proofOfPossessionCallbackFunction(args: Jwt, kid?: string): Promise<string> { const importedJwk = await importJWK(jwk, 'EdDSA'); return await new SignJWT({ ...args.payload }) .setProtectedHeader({ ...args.header, kid: kid! }) .setIssuer(kid!) .setIssuedAt() .setExpirationTime('2h') .sign(importedJwk); } //fixme: bring back this test describe('ismapolis bug report #63, https://github.com/Sphereon-Opensource/OID4VC-demo/issues/63, should', () => { // Sphereon infra is not working currently it.skip('work as expected provided a correct JWT is supplied', async () => { debug.enable('*'); const { uri } = await getCredentialOffer('jwt_vc_json'); const client = await OpenID4VCIClientV1_0_11.fromURI({ uri: uri, clientId: 'test-clientID' }); const metadata = await client.retrieveServerMetadata(); console.log(JSON.stringify(metadata)); //2. Adquire acces token from authorization server endpoint const accessToken = await client.acquireAccessToken({}); console.log(`Access token: ${JSON.stringify(accessToken)}`); //3. Create DID needed for later proof of possession const { keys, didDocument } = await didts.jwk.generate({ type: 'secp256k1', // 'P-256', 'P-384', 'X25519', 'secp256k1' accept: 'application/did+json', secureRandom: () => { return crypto.randomBytes(32); }, }); const edPrivateKey = await importJWK(keys[0].privateKeyJwk); async function signCallback(args: Jwt, kid?: string): Promise<string> { if (!args.payload.aud) { throw Error('aud required'); } else if (!kid) { throw Error('kid required'); } return await new SignJWT({ ...args.payload }) .setProtectedHeader({ alg: args.header.alg, kid, typ: 'openid4vci-proof+jwt' }) .setIssuedAt() .setIssuer(kid) .setAudience(args.payload.aud) .setExpirationTime('2h') .sign(edPrivateKey); } const callbacks: ProofOfPossessionCallbacks = { signCallback: signCallback, }; const credentialResponse = await client.acquireCredentials({ credentialTypes: 'GuestCredential', proofCallbacks: callbacks, format: 'jwt_vc_json', alg: Alg.ES256K, kid: didDocument.verificationMethod[0].id, jti: uuidv4(), }); console.log(JSON.stringify(credentialResponse.credential)); }); });