@sphereon/oid4vci-common
OpenID 4 Verifiable Credential Issuance Common Types
Source Map (JSON)
{"version":3,"sources":["../../../node_modules/.pnpm/tsup@8.5.0_@swc+core@1.14.0_postcss@8.5.6_tsx@4.20.6_typescript@5.8.3_yaml@2.8.1/node_modules/tsup/assets/cjs_shims.js","../lib/functions/randomBytes.cjs","../lib/index.ts","../lib/functions/index.ts","../lib/functions/CredentialRequestUtil.ts","../lib/functions/CredentialResponseUtil.ts","../lib/functions/HttpUtils.ts","../lib/types/index.ts","../lib/types/OpenIDClient.ts","../lib/types/Authorization.types.ts","../lib/types/Generic.types.ts","../lib/types/CredentialIssuance.types.ts","../lib/types/v1_0_15.types.ts","../lib/types/ServerMetadata.ts","../lib/types/OpenID4VCIErrors.ts","../lib/types/OpenID4VCIVersions.types.ts","../lib/types/StateManager.types.ts","../lib/types/Token.types.ts","../lib/types/QRCode.types.ts","../lib/functions/CredentialOfferUtil.ts","../lib/functions/Encoding.ts","../lib/functions/TypeConversionUtils.ts","../lib/functions/IssuerMetadataUtils.ts","../lib/functions/FormatUtils.ts","../lib/functions/ProofUtil.ts","../lib/functions/AuthorizationResponseUtil.ts","../lib/functions/RandomUtils.ts","../lib/experimental/holder-vci.ts","../lib/events/index.ts"],"sourcesContent":["// Shim globals in cjs bundle\n// There's a weird bug that esbuild will always inject importMetaUrl\n// if we export it as `const importMetaUrl = ... __filename ...`\n// But using a function will not cause this issue\n\nconst getImportMetaUrl = () =>\n typeof document === 'undefined'\n ? 
new URL(`file:${__filename}`).href\n : (document.currentScript && document.currentScript.src) ||\n new URL('main.js', document.baseURI).href\n\nexport const importMetaUrl = /* @__PURE__ */ getImportMetaUrl()\n","// limit of Crypto.getRandomValues()\n// https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues\nconst MAX_BYTES = 65536\n\n// Node supports requesting up to this number of bytes\n// https://github.com/nodejs/node/blob/master/lib/internal/crypto/random.js#L48\nconst MAX_UINT32 = 4294967295\n\nfunction oldBrowser() {\n throw new Error('Secure random number generation is not supported by this browser.\\nUse Chrome, Firefox or Internet Explorer 11')\n}\n\n// eslint-disable-next-line no-undef\nconst _global = typeof globalThis !== 'undefined' ? globalThis : global\n\nlet crypto = _global.crypto || _global.msCrypto\nif (!crypto) {\n try {\n // eslint-disable-next-line no-undef\n crypto = require('crypto')\n } catch (err) {\n throw Error('crypto module is not available')\n }\n}\n\nfunction randomBytes(size) {\n // phantomjs needs to throw\n if (size > MAX_UINT32) throw new Error('requested too many random bytes')\n\n // eslint-disable-next-line no-undef\n const bytes = Buffer.allocUnsafe(size)\n\n if (size > 0) {\n // getRandomValues fails on IE if size == 0\n if (size > MAX_BYTES) {\n // this is the max bytes crypto.getRandomValues\n // can do at once see https://developer.mozilla.org/en-US/docs/Web/API/window.crypto.getRandomValues\n for (let generated = 0; generated < size; generated += MAX_BYTES) {\n // buffer.slice automatically checks if the end is past the end of\n // the buffer so we don't have to here\n crypto.getRandomValues(bytes.slice(generated, generated + MAX_BYTES))\n }\n } else {\n crypto.getRandomValues(bytes)\n }\n }\n return Uint8Array.from(bytes)\n}\n\n// eslint-disable-next-line no-undef\nmodule.exports = randomBytes\n","import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const 
VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './functions'\nexport * from './types'\nexport * from './experimental/holder-vci'\nexport * from './events'\n","export * from './CredentialRequestUtil'\nexport * from './CredentialResponseUtil'\nexport * from './CredentialOfferUtil'\nexport * from './Encoding'\nexport * from './TypeConversionUtils'\nexport * from './IssuerMetadataUtils'\nexport * from './FormatUtils'\nexport * from './HttpUtils'\nexport * from './ProofUtil'\nexport * from './AuthorizationResponseUtil'\nexport * from './RandomUtils'\n","//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiJ9","import { CredentialResponse, OpenIDResponse } from '../types'\n\nimport { post } from './HttpUtils'\n\nexport function isDeferredCredentialResponse(credentialResponse: OpenIDResponse<CredentialResponse>) {\n const orig = credentialResponse.successBody\n // Specs mention 202, but some implementations like EBSI return 200\n return credentialResponse.origResponse.status % 200 <= 2 && !!orig && !orig.credentials && (!!orig.acceptance_token || !!orig.transaction_id)\n}\nfunction assertNonFatalError(credentialResponse: OpenIDResponse<CredentialResponse>) {\n if (credentialResponse.origResponse.status === 400 && credentialResponse.errorBody?.error) {\n if (credentialResponse.errorBody.error === 'invalid_transaction_id' || credentialResponse.errorBody.error.includes('acceptance_token')) {\n throw Error('Invalid transaction id. Probably the deferred credential request expired')\n }\n }\n}\n\nexport function isDeferredCredentialIssuancePending(credentialResponse: OpenIDResponse<CredentialResponse>) {\n if (isDeferredCredentialResponse(credentialResponse)) {\n return credentialResponse?.successBody?.transaction_id ?? 
!!credentialResponse?.successBody?.acceptance_token\n }\n if (credentialResponse.origResponse.status === 400 && credentialResponse.errorBody?.error) {\n if (credentialResponse.errorBody.error === 'issuance_pending') {\n return true\n } else if (credentialResponse.errorBody.error_description?.toLowerCase().includes('not available yet')) {\n return true\n }\n }\n return false\n}\n\nfunction sleep(ms: number) {\n return new Promise((resolve) => {\n setTimeout(resolve, ms)\n })\n}\n\nexport async function acquireDeferredCredential({\n bearerToken,\n transactionId,\n deferredCredentialEndpoint,\n deferredCredentialIntervalInMS,\n deferredCredentialAwait,\n}: {\n bearerToken: string\n transactionId?: string\n deferredCredentialIntervalInMS?: number\n deferredCredentialAwait?: boolean\n deferredCredentialEndpoint: string\n}): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {\n let credentialResponse: OpenIDResponse<CredentialResponse> & { access_token: string } = await acquireDeferredCredentialImpl({\n bearerToken,\n transactionId,\n deferredCredentialEndpoint,\n })\n\n const DEFAULT_SLEEP_IN_MS = 5000\n while (!credentialResponse.successBody?.credentials && deferredCredentialAwait) {\n assertNonFatalError(credentialResponse)\n const pending = isDeferredCredentialIssuancePending(credentialResponse)\n console.log(`Issuance still pending?: ${pending}`)\n if (!pending) {\n return Promise.reject(Error(`Issuance isn't pending anymore: ${credentialResponse}`))\n }\n\n await sleep(deferredCredentialIntervalInMS ?? 
DEFAULT_SLEEP_IN_MS)\n credentialResponse = await acquireDeferredCredentialImpl({ bearerToken, transactionId, deferredCredentialEndpoint })\n }\n return credentialResponse\n}\n\nasync function acquireDeferredCredentialImpl({\n bearerToken,\n transactionId,\n deferredCredentialEndpoint,\n}: {\n bearerToken: string\n transactionId?: string\n deferredCredentialEndpoint: string\n}): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {\n const response: OpenIDResponse<CredentialResponse> = await post(\n deferredCredentialEndpoint,\n JSON.stringify(transactionId ? { transaction_id: transactionId } : ''),\n { bearerToken },\n )\n console.log(JSON.stringify(response, null, 2))\n assertNonFatalError(response)\n\n return { ...response, access_token: bearerToken }\n}\n","import { Loggers } from '@sphereon/ssi-types'\nimport fetch from 'cross-fetch'\n\nimport { Encoding, OpenIDResponse } from '../types'\n\nconst logger = Loggers.DEFAULT.get('sphereon:openid4vci:http')\n\nexport const getJson = async <T>(\n URL: string,\n opts?: {\n bearerToken?: (() => Promise<string>) | string\n contentType?: string\n accept?: string\n customHeaders?: Record<string, string>\n exceptionOnHttpErrorStatus?: boolean\n },\n): Promise<OpenIDResponse<T>> => {\n return await openIdFetch(URL, undefined, { method: 'GET', ...opts })\n}\n\nexport const formPost = async <T>(\n url: string,\n body: BodyInit,\n opts?: {\n bearerToken?: (() => Promise<string>) | string\n contentType?: string\n accept?: string\n customHeaders?: Record<string, string>\n exceptionOnHttpErrorStatus?: boolean\n },\n): Promise<OpenIDResponse<T>> => {\n return await post(url, body, opts?.contentType ? 
{ ...opts } : { contentType: Encoding.FORM_URL_ENCODED, ...opts })\n}\n\nexport const post = async <T>(\n url: string,\n body?: BodyInit,\n opts?: {\n bearerToken?: (() => Promise<string>) | string\n contentType?: string\n accept?: string\n customHeaders?: Record<string, string>\n exceptionOnHttpErrorStatus?: boolean\n },\n): Promise<OpenIDResponse<T>> => {\n return await openIdFetch(url, body, { method: 'POST', ...opts })\n}\n\nconst openIdFetch = async <T>(\n url: string,\n body?: BodyInit,\n opts?: {\n method?: string\n bearerToken?: (() => Promise<string>) | string\n contentType?: string\n accept?: string\n customHeaders?: Record<string, string>\n exceptionOnHttpErrorStatus?: boolean\n },\n): Promise<OpenIDResponse<T>> => {\n const headers: Record<string, string> = opts?.customHeaders ?? {}\n if (opts?.bearerToken) {\n headers['Authorization'] =\n `${headers.dpop ? 'DPoP' : 'Bearer'} ${typeof opts.bearerToken === 'function' ? await opts.bearerToken() : opts.bearerToken}`\n }\n const method = opts?.method ? opts.method : body ? 'POST' : 'GET'\n const accept = opts?.accept ? opts.accept : 'application/json'\n headers['Accept'] = accept\n if (headers['Content-Type']) {\n if (opts?.contentType && opts.contentType !== headers['Content-Type']) {\n throw Error(`Mismatch in content-types from custom headers (${headers['Content-Type']}) and supplied content type option (${opts.contentType})`)\n }\n } else {\n if (opts?.contentType) {\n headers['Content-Type'] = opts.contentType\n } else if (method !== 'GET') {\n headers['Content-Type'] = 'application/json'\n }\n }\n\n const payload: RequestInit = {\n method,\n headers,\n body,\n }\n\n logger.debug(`START fetching url: ${url}`)\n if (body) {\n logger.debug(`Body:\\r\\n${typeof body == 'string' ? 
body : JSON.stringify(body)}`)\n }\n logger.debug(`Headers:\\r\\n${JSON.stringify(payload.headers)}`)\n const origResponse = await fetch(url, payload)\n const isJSONResponse = accept === 'application/json' || origResponse.headers.get('Content-Type') === 'application/json'\n const success = origResponse && origResponse.status >= 200 && origResponse.status < 400\n const responseText = await origResponse.text()\n const responseBody = isJSONResponse && responseText.includes('{') ? JSON.parse(responseText) : responseText\n\n logger.debug(`${success ? 'success' : 'error'} status: ${origResponse.status}, body:\\r\\n${JSON.stringify(responseBody)}`)\n if (!success && opts?.exceptionOnHttpErrorStatus) {\n const error = JSON.stringify(responseBody)\n throw new Error(error === '{}' ? '{\"error\": \"not found\"}' : error)\n }\n logger.debug(`END fetching url: ${url}`)\n\n return {\n origResponse,\n successBody: success ? responseBody : undefined,\n errorBody: !success ? responseBody : undefined,\n }\n}\n\nexport const isValidURL = (url: string): boolean => {\n const urlPattern = new RegExp(\n '^(https?:\\\\/\\\\/)' + // validate protocol\n '((([a-z\\\\d]([a-z\\\\d-]*[a-z\\\\d])*)\\\\.)+[a-z]{2,}|' + // validate domain name\n '((localhost))|' + // validate OR localhost\n '((\\\\d{1,3}\\\\.){3}\\\\d{1,3}))' + // validate OR ip (v4) address\n '(\\\\:\\\\d+)?(\\\\/[-a-z\\\\d%_.~+:]*)*' + // validate port and path\n '(\\\\?[;&a-z\\\\d%_.~+=-]*)?' + // validate query string\n '(\\\\#[-a-z\\\\d_]*)?$', // validate fragment locator\n 'i',\n )\n return urlPattern.test(url)\n}\n\nexport const trimBoth = (value: string, trim: string): string => {\n return trimEnd(trimStart(value, trim), trim)\n}\n\nexport const trimEnd = (value: string, trim: string): string => {\n return value.endsWith(trim) ? value.substring(0, value.length - trim.length) : value\n}\n\nexport const trimStart = (value: string, trim: string): string => {\n return value.startsWith(trim) ? 
value.substring(trim.length) : value\n}\n\nexport const adjustUrl = <T extends string | URL>(\n urlOrPath: T,\n opts?: {\n stripSlashEnd?: boolean\n stripSlashStart?: boolean\n prepend?: string\n append?: string\n },\n): T => {\n let url = typeof urlOrPath === 'object' ? urlOrPath.toString() : (urlOrPath as string)\n if (opts?.append) {\n url = trimEnd(url, '/') + '/' + trimStart(opts.append, '/')\n }\n if (opts?.prepend) {\n if (opts.prepend.includes('://')) {\n // includes domain/hostname\n if (!url.startsWith(opts.prepend)) {\n url = trimEnd(opts.prepend, '/') + '/' + trimStart(url, '/')\n }\n } else {\n // path only for prepend\n let host = ''\n let path = url\n if (url.includes('://')) {\n // includes domain/hostname\n host = new URL(url).host\n path = new URL(url).pathname\n }\n if (!path.startsWith(opts.prepend)) {\n if (host && host !== '') {\n url = trimEnd(host, '/')\n }\n url += trimEnd(url, '/') + '/' + trimBoth(opts.prepend, '/') + '/' + trimStart(path, '/')\n }\n }\n }\n if (opts?.stripSlashStart) {\n url = trimStart(url, '/')\n }\n if (opts?.stripSlashEnd) {\n url = trimEnd(url, '/')\n }\n\n if (typeof urlOrPath === 'string') {\n return url as T\n }\n return new URL(url) as T\n}\n","export * from './OpenIDClient'\nexport * from './Authorization.types'\nexport * from './CredentialIssuance.types'\nexport * from './Generic.types'\nexport * from './v1_0_15.types'\nexport * from './ServerMetadata'\nexport * from './OpenID4VCIErrors'\nexport * from './OpenID4VCIVersions.types'\nexport * from './StateManager.types'\nexport * from './Token.types'\nexport * from './QRCode.types'\n","/**\n * Copied from openid-client\n */\nexport type ClientResponseType = 'code' | 'id_token' | 'code id_token' | 'none' | string\nexport type ClientAuthMethod =\n | 'client_secret_basic'\n | 'client_secret_post'\n | 'client_secret_jwt'\n | 'private_key_jwt'\n | 'tls_client_auth'\n | 'self_signed_tls_client_auth'\n | 'none'\nexport interface ClientMetadata {\n // important\n 
client_id: string\n id_token_signed_response_alg?: string\n token_endpoint_auth_method?: ClientAuthMethod\n client_secret?: string\n redirect_uris?: string[]\n response_types?: ClientResponseType[]\n post_logout_redirect_uris?: string[]\n default_max_age?: number\n require_auth_time?: boolean\n tls_client_certificate_bound_access_tokens?: boolean\n request_object_signing_alg?: string\n\n // less important\n id_token_encrypted_response_alg?: string\n id_token_encrypted_response_enc?: string\n introspection_endpoint_auth_method?: ClientAuthMethod\n introspection_endpoint_auth_signing_alg?: string\n request_object_encryption_alg?: string\n request_object_encryption_enc?: string\n revocation_endpoint_auth_method?: ClientAuthMethod\n revocation_endpoint_auth_signing_alg?: string\n token_endpoint_auth_signing_alg?: string\n userinfo_encrypted_response_alg?: string\n userinfo_encrypted_response_enc?: string\n userinfo_signed_response_alg?: string\n authorization_encrypted_response_alg?: string\n authorization_encrypted_response_enc?: string\n authorization_signed_response_alg?: string\n\n [key: string]: unknown\n}\n","import { CreateDPoPClientOpts } from '@sphereon/oid4vc-common'\n\nimport { Alg, CredentialOfferPayload, ProofOfPossessionCallbacks, UniformCredentialOffer } from './CredentialIssuance.types'\nimport {\n ErrorResponse,\n IssuerCredentialSubject,\n JsonLdIssuerCredentialDefinition,\n OID4VCICredentialFormat,\n PRE_AUTH_CODE_LITERAL,\n TxCode,\n} from './Generic.types'\nimport { EndpointMetadata } from './ServerMetadata'\nimport { AuthorizationDetailsV1_0_15 } from './v1_0_15.types'\n\nexport interface CommonAuthorizationRequest {\n /**\n * REQUIRED. Value MUST be set to \"code\". 
for Authorization Code Grant\n */\n response_type: ResponseType.AUTH_CODE\n /**\n * The authorization server issues the registered client a client\n * identifier -- a unique string representing the registration\n * information provided by the client.\n */\n client_id: string\n /**\n * If the \"code_challenge_method\" from Section 4.3 was \"S256\", the\n * received \"code_verifier\" is hashed by SHA-256, base64url-encoded, and\n * then compared to the \"code_challenge\", i.e.:\n * BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge\n *\n * If the \"code_challenge_method\" from Section 4.3 was \"plain\", they are\n * compared directly, i.e.:\n * code_verifier == code_challenge.\n */\n code_challenge: string\n /**\n * value must be set either to \"S256\" or a value defined by a cryptographically secure\n */\n code_challenge_method: CodeChallengeMethod\n /**\n * The redirection endpoint URI MUST be an absolute URI as defined by: absolute-URI = scheme \":\" hier-part [ \"?\" query ]\n */\n redirect_uri: string\n /**\n * The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.\n */\n scope?: string\n /**\n * There are two possible ways to request issuance of a specific Credential type in an Authorization Request.\n * One way is to use of the authorization_details request parameter as defined in [I-D.ietf-oauth-rar]\n * with one or more authorization details objects of type openid_credential Section 5.1.1.\n * (The other is through the use of scopes as defined in Section 5.1.2.)\n */\n authorization_details?: AuthorizationDetailsV1_0_15[] | AuthorizationDetailsV1_0_15\n /**\n * OPTIONAL. JSON string containing the Wallet's OpenID Connect issuer URL. The Credential Issuer will use the discovery process as defined in\n * [SIOPv2] to determine the Wallet's capabilities and endpoints. RECOMMENDED in Dynamic Credential Request.\n */\n wallet_issuer?: string\n /**\n * OPTIONAL. 
JSON string containing an opaque user hint the Wallet MAY use in subsequent callbacks to optimize the user's experience.\n * RECOMMENDED in Dynamic Credential Request.\n */\n user_hint?: string\n /**\n * OPTIONAL. String value identifying a certain processing context at the Credential Issuer. A value for this parameter is typically passed in\n * an issuance initiation request from the Credential Issuer to the Wallet (see Section 4.1). This request parameter is used to pass the\n * issuer_state value back to the Credential Issuer.\n */\n issuer_state?: string\n}\n\n// https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-authorization-challenge-req\nexport interface CommonAuthorizationChallengeRequest {\n /**\n * REQUIRED if the client is not authenticating with the authorization server and if no auth_session is included.\n */\n client_id?: string\n /**\n * OPTIONAL. String value identifying a certain processing context at the Credential Issuer. A value for this parameter is typically passed in\n * an issuance initiation request from the Credential Issuer to the Wallet. This request parameter is used to pass the\n * issuer_state value back to the Credential Issuer.\n */\n issuer_state?: string\n /**\n * The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.\n */\n scope?: string // TODO what we do with this\n /**\n * OPTIONAL. A random string or a JWE. The auth session allows the authorization server to associate subsequent\n * requests by this client with an ongoing authorization request sequence. The client MUST include the\n * auth_session in follow-up requests to the authorization challenge endpoint if it receives one along with\n * the error response.\n */\n auth_session?: string\n /**\n * OPTIONAL. 
If the \"code_challenge_method\" from Section 4.3 was \"S256\", the\n * received \"code_verifier\" is hashed by SHA-256, base64url-encoded, and\n * then compared to the \"code_challenge\", i.e.:\n * BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge\n *\n * If the \"code_challenge_method\" from Section 4.3 was \"plain\", they are\n * compared directly, i.e.:\n * code_verifier == code_challenge.\n */\n code_challenge?: string // TODO what we do with this\n /**\n * OPTIONAL. value must be set either to \"S256\" or a value defined by a cryptographically secure\n */\n code_challenge_method?: CodeChallengeMethod // TODO what we do with this\n /**\n * OPTIONAL. String containing information about the session when credential presentation is happening during issuance of another\n * credential. The content of this parameter is opaque to the wallet. When this parameter is present the Wallet MUST use this parameter in\n * the subsequent Authorization Challenge Request. This allows the Issuer to determine which it can be used by to prevent session\n * fixation attacks. The Response URI MAY return this parameter in response to successful Authorization Responses or for Error\n * Responses.\n */\n presentation_during_issuance_session?: string\n}\n\nexport interface AuthorizationChallengeRequestOpts {\n clientId?: string\n issuerState?: string\n authSession?: string\n scope?: string\n codeChallenge?: string\n codeChallengeMethod?: CodeChallengeMethod\n presentationDuringIssuanceSession?: string\n metadata?: EndpointMetadata\n credentialIssuer?: string\n}\n\n// https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-error-response\nexport interface AuthorizationChallengeErrorResponse {\n /**\n * A single ASCII error code of type AuthorizationChallengeError.\n */\n error: AuthorizationChallengeError\n /**\n * OPTIONAL. OPTIONAL. 
Human-readable ASCII text providing additional information, used\n * to assist the client developer in understanding the error that occurred. Values for the error_description\n * parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.\n */\n error_description?: string\n /**\n * OPTIONAL. A URI identifying a human-readable web page with information about the error, used\n * to provide the client developer with additional information about the error. Values for the error_uri\n * parameter MUST conform to the URI-reference syntax and thus MUST NOT include characters outside the\n * set %x21 / %x23-5B / %x5D-7E.\n */\n error_uri?: string\n /**\n * OPTIONAL. A random string or a JWE. The auth session allows the authorization server to associate subsequent\n * requests by this client with an ongoing authorization request sequence. The client MUST include the\n * auth_session in follow-up requests to the authorization challenge endpoint if it receives one along with\n * the error response.\n */\n auth_session?: string\n /**\n * OPTIONAL. The request URI corresponding to the authorization request posted. This URI is a single-use reference\n * to the respective request data in the subsequent authorization request.\n */\n request_uri?: string\n /**\n * OPTIONAL. A JSON number that represents the lifetime of the request URI in seconds as a positive integer.\n */\n expires_in?: number\n /**\n * String containing the OID4VP request URI. 
The Wallet will use this URI to start the OID4VP flow.\n */\n presentation?: string\n}\n\n// https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-authorization-challenge-res\nexport interface AuthorizationChallengeCodeResponse {\n /**\n * The authorization code issued by the authorization server.\n */\n authorization_code: string\n state?: string\n}\n\n// https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-error-response\nexport enum AuthorizationChallengeError {\n invalid_request = 'invalid_request',\n invalid_client = 'invalid_client',\n unauthorized_client = 'unauthorized_client',\n invalid_session = 'invalid_session',\n invalid_scope = 'invalid_scope',\n insufficient_authorization = 'insufficient_authorization',\n redirect_to_web = 'redirect_to_web',\n}\n\n/**\n * string type added for conformity with our previous code in the client\n */\nexport type credential_identifiers =\n | (CommonAuthorizationDetails &\n (AuthorizationDetailsJwtVcJson | AuthorizationDetailsJwtVcJsonLdAndLdpVc | AuthorizationDetailsSdJwtVc | AuthorizationDetailsMsoMdoc))\n | string\n\nexport type AuthorizationRequest =\n | AuthorizationRequestJwtVcJson\n | AuthorizationRequestJwtVcJsonLdAndLdpVc\n | AuthorizationRequestSdJwtVc\n | AuthorizationRequestMsoMdoc\n\nexport interface AuthorizationRequestJwtVcJson extends CommonAuthorizationRequest {\n authorization_details?: AuthorizationDetailsJwtVcJson[]\n}\n\nexport interface AuthorizationRequestJwtVcJsonLdAndLdpVc extends CommonAuthorizationRequest {\n authorization_details?: AuthorizationDetailsJwtVcJsonLdAndLdpVc[]\n}\n\nexport interface AuthorizationRequestSdJwtVc extends CommonAuthorizationRequest {\n authorization_details?: AuthorizationDetailsSdJwtVc[]\n}\n\nexport interface AuthorizationRequestMsoMdoc extends CommonAuthorizationRequest {\n authorization_details?: AuthorizationDetailsMsoMdoc[]\n}\n\n/*\nexport interface AuthDetails {\n type: 'openid_credential' | string;\n 
locations?: string | string[];\n format: CredentialFormat | CredentialFormat[];\n\n [s: string]: unknown;\n}\n*/\n\nexport interface CommonAuthorizationDetails {\n /**\n * REQUIRED. JSON string that determines the authorization details type.\n * MUST be set to openid_credential for the purpose of this specification.\n */\n type: 'openid_credential'\n\n /**\n * REQUIRED when format parameter is not present. String specifying a unique identifier of the Credential being described in the credential_configurations_supported map in the Credential Issuer Metadata as defined in Section 11.2.3. The referenced object in the credential_configurations_supported map conveys the details, such as the format, for issuance of the requested Credential. This specification defines Credential Format specific Issuer Metadata in Appendix A. It MUST NOT be present if format parameter is present.\n */\n credential_configuration_id?: string // FIXME maybe split up and make this & format required again\n\n /**\n * REQUIRED. JSON string representing the format in which the Credential is requested to be issued.\n * This Credential format identifier determines further claims in the authorization details object\n * specifically used to identify the Credential type to be issued. 
This specification defines\n * Credential Format Profiles in Appendix E.\n */\n format?: OID4VCICredentialFormat\n /**\n * If the Credential Issuer metadata contains an authorization_server parameter,\n * the authorization detail's locations common data field MUST be set to the Credential Issuer Identifier value.\n */\n locations?: string[]\n\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n [key: string]: any\n}\n\nexport interface AuthorizationDetailsJwtVcJson extends CommonAuthorizationDetails {\n format: 'jwt_vc_json' | 'jwt_vc' // jwt_vc added for backward compat\n\n /**\n * A JSON object containing a list of key value pairs, where the key identifies the claim offered in the Credential.\n * The value MAY be a dictionary, which allows to represent the full (potentially deeply nested) structure of the\n * verifiable credential to be issued. This object indicates the claims the Wallet would like to turn up in the\n * credential to be issued.\n */\n credentialSubject?: IssuerCredentialSubject\n\n types: string[] // This claim contains the type values the Wallet requests authorization for at the issuer.\n}\n\nexport interface AuthorizationDetailsJwtVcJsonLdAndLdpVc extends CommonAuthorizationDetails {\n format: 'ldp_vc' | 'jwt_vc_json-ld'\n\n /**\n * REQUIRED. JSON object containing (and isolating) the detailed description of the credential type.\n * This object MUST be processed using full JSON-LD processing. It consists of the following sub-claims:\n * - @context: REQUIRED. JSON array as defined in Appendix E.1.3.2\n * - types: REQUIRED. 
JSON array as defined in Appendix E.1.3.2.\n * This claim contains the type values the Wallet shall request in the subsequent Credential Request\n */\n credential_definition: JsonLdIssuerCredentialDefinition\n}\n\nexport interface AuthorizationDetailsSdJwtVc extends CommonAuthorizationDetails {\n format: 'dc+sd-jwt' | 'vc+sd-jwt'\n\n vct: string\n claims?: IssuerCredentialSubject\n}\n\nexport interface AuthorizationDetailsMsoMdoc extends CommonAuthorizationDetails {\n format: 'mso_mdoc'\n\n doctype: string\n claims?: IssuerCredentialSubject\n}\n\nexport enum GrantTypes {\n AUTHORIZATION_CODE = 'authorization_code',\n PRE_AUTHORIZED_CODE = 'urn:ietf:params:oauth:grant-type:pre-authorized_code',\n PASSWORD = 'password',\n}\n\nexport enum Encoding {\n FORM_URL_ENCODED = 'application/x-www-form-urlencoded',\n UTF_8 = 'UTF-8',\n}\n\nexport enum ResponseType {\n AUTH_CODE = 'code',\n}\n\nexport enum CodeChallengeMethod {\n plain = 'plain',\n S256 = 'S256',\n}\n\nexport interface AuthorizationServerOpts {\n allowInsecureEndpoints?: boolean\n as?: string // If not provided the issuer hostname will be used!\n tokenEndpoint?: string // Allows to override the default '/token' endpoint\n clientOpts?: AuthorizationServerClientOpts\n}\n\nexport type AuthorizationServerClientOpts = {\n clientId: string\n clientAssertionType?: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'\n kid?: string\n alg?: Alg\n signCallbacks?: ProofOfPossessionCallbacks\n}\n\nexport interface IssuerOpts {\n issuer: string\n tokenEndpoint?: string\n fetchMetadata?: boolean\n}\n\nexport interface AccessTokenFromAuthorizationResponseOpts extends AccessTokenRequestOpts {\n authorizationResponse: AuthorizationResponse\n}\n\nexport type TxCodeAndPinRequired = { isPinRequired?: boolean; txCode?: TxCode }\n\nexport interface AccessTokenRequestOpts {\n credentialOffer?: UniformCredentialOffer\n credentialIssuer?: string\n asOpts?: AuthorizationServerOpts\n metadata?: EndpointMetadata\n codeVerifier?: 
string // only required for authorization flow\n code?: string // only required for authorization flow\n redirectUri?: string // only required for authorization flow\n pin?: string // Pin-number. Only used when required\n pinMetadata?: TxCodeAndPinRequired // OPTIONAL. String value containing a Transaction Code. This value MUST be present if a tx_code object was present in the Credential Offer (including if the object was empty). This parameter MUST only be used if the grant_type is urn:ietf:params:oauth:grant-type:pre-authorized_code.\n // if the CreateDPoPOpts are provided, a dPoP will be created using the provided callback,\n // if the authorization server indicates that it supports dPoP via the dpop_signing_alg_values_supported parameter.\n createDPoPOpts?: CreateDPoPClientOpts\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n additionalParams?: Record<string, any>\n}\n\n/*export interface AuthorizationRequestOpts {\n clientId: string;\n codeChallenge: string;\n codeChallengeMethod: CodeChallengeMethod;\n authorizationDetails?: AuthorizationDetails[];\n redirectUri: string;\n scope?: string;\n}*/\n\n/**\n * Determines whether PAR should be used when supported\n *\n * REQUIRE: Require PAR, if AS does not support it throw an error\n * AUTO: Use PAR if the AS supports it, otherwise construct a regular URI,\n * NEVER: Do not use PAR even if the AS supports it (not recommended)\n */\nexport enum PARMode {\n REQUIRE,\n AUTO,\n NEVER,\n}\n\n/**\n * Optional options to provide PKCE params like code verifier and challenge yourself, or to disable PKCE altogether. If not provided, PKCE will still be used! If individual params are not provided, they will be generated/calculated\n */\nexport interface PKCEOpts {\n /**\n * PKCE is enabled by default even if you do not provide these options. 
Set this to true to disable PKCE\n */\n disabled?: boolean\n\n /**\n * Provide a code_challenge, otherwise it will be calculated using the code_verifier and method\n */\n codeChallenge?: string\n\n /**\n * The code_challenge_method, should always be S256\n */\n codeChallengeMethod?: CodeChallengeMethod\n\n /**\n * Provide a code_verifier, otherwise it will be generated\n */\n codeVerifier?: string\n}\n\nexport enum CreateRequestObjectMode {\n NONE,\n REQUEST_OBJECT,\n REQUEST_URI,\n}\n\nexport type RequestObjectOpts = {\n requestObjectMode?: CreateRequestObjectMode\n signCallbacks?: ProofOfPossessionCallbacks\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n clientMetadata?: Record<string, any> // TODO: Merge SIOP/OID4VP\n iss?: string\n jwksUri?: string\n kid?: string\n}\n\nexport interface AuthorizationRequestOpts {\n clientId?: string\n pkce?: PKCEOpts\n parMode?: PARMode\n authorizationDetails?: AuthorizationDetailsV1_0_15 | AuthorizationDetailsV1_0_15[]\n redirectUri?: string\n scope?: string\n requestObjectOpts?: RequestObjectOpts\n holderPreferredAuthzFlowTypeOrder?: AuthzFlowType[]\n}\n\nexport interface AuthorizationResponse {\n code: string\n scope?: string\n state?: string\n}\n\nexport interface AuthorizationGrantResponse extends AuthorizationResponse {\n grant_type: string\n}\n\nexport interface AccessTokenRequest {\n client_id?: string\n code?: string\n code_verifier?: string\n grant_type: GrantTypes\n 'pre-authorized_code': string\n redirect_uri?: string\n scope?: string\n user_pin?: string //this is for v11, not required in v13 anymore\n tx_code?: string //draft 13\n [s: string]: unknown\n}\n\nexport interface OpenIDResponse<T, P = never> {\n origResponse: Response\n successBody?: T\n errorBody?: ErrorResponse\n params?: P\n}\n\nexport interface DPoPResponseParams {\n dpop?: { dpopNonce: string }\n}\n\nexport interface AccessTokenResponse {\n access_token: string\n scope?: string\n token_type?: string\n expires_in?: number // in 
seconds\n c_nonce?: string\n c_nonce_expires_in?: number // in seconds\n authorization_pending?: boolean\n interval?: number // in seconds\n authorization_details?: AuthorizationDetailsV1_0_15[]\n}\n\nexport enum AuthzFlowType {\n AUTHORIZATION_CODE_FLOW = 'Authorization Code Flow',\n PRE_AUTHORIZED_CODE_FLOW = 'Pre-Authorized Code Flow',\n}\n\n// eslint-disable-next-line @typescript-eslint/no-namespace\nexport namespace AuthzFlowType {\n export function valueOf(request: CredentialOfferPayload): AuthzFlowType {\n if (PRE_AUTH_CODE_LITERAL in request) {\n return AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW\n }\n return AuthzFlowType.AUTHORIZATION_CODE_FLOW\n }\n}\n\nexport interface PushedAuthorizationResponse {\n request_uri: string\n expires_in: number\n}\n","import { ICredentialContextType, IVerifiableCredential, W3CVerifiableCredential } from '@sphereon/ssi-types'\n\nimport { ExperimentalSubjectIssuance } from '../experimental/holder-vci'\n\nimport { ProofOfPossession } from './CredentialIssuance.types'\nimport { AuthorizationServerMetadata } from './ServerMetadata'\nimport { CredentialOfferSession } from './StateManager.types'\nimport {\n CredentialConfigurationSupportedV1_0_15,\n CredentialRequestV1_0_15,\n EndpointMetadataResultV1_0_15,\n IssuerMetadataV1_0_15,\n} from './v1_0_15.types'\n\nexport type InputCharSet = 'numeric' | 'text'\nexport type KeyProofType = 'jwt' | 'cwt' | 'ldp_vp'\n\nexport type PoPMode = 'pop' | 'JWT' // Proof of possession, or regular JWT\n\nexport type CredentialOfferMode = 'VALUE' | 'REFERENCE'\n\n/**\n * Important Note: please be aware that these Common interfaces are based on versions v1_0.11 and v1_0.09\n */\nexport interface ImageInfo {\n uri?: string\n alt_text?: string\n\n [key: string]: unknown\n}\n\nexport type OID4VCICredentialFormat = 'jwt_vc_json' | 'jwt_vc_json-ld' | 'ldp_vc' | 'dc+sd-jwt' | 'vc+sd-jwt' | 'jwt_vc' | 'mso_mdoc' // jwt_vc & vc+sd-jwt are added for backwards compat TODO SSISDK-36\n\nexport const 
supportedOID4VCICredentialFormat: readonly (OID4VCICredentialFormat | string)[] = [\n 'jwt_vc_json',\n 'jwt_vc_json-ld',\n 'ldp_vc',\n 'dc+sd-jwt',\n 'jwt_vc',\n 'mso_mdoc',\n]\n\nexport interface NameAndLocale {\n name?: string // REQUIRED. String value of a display name for the Credential.\n locale?: string // OPTIONAL. String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. Multiple display objects MAY be included for separate languages. There MUST be only one object with the same language identifier.\n [key: string]: unknown\n}\n\nexport interface LogoAndColor {\n logo?: ImageInfo // OPTIONAL. A JSON object with information about the logo of the Credential with a following non-exhaustive list of parameters that MAY be included:\n description?: string // OPTIONAL. String value of a description of the Credential.\n background_color?: string //OPTIONAL. String value of a background color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color].\n text_color?: string // OPTIONAL. String value of a text color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color].\n}\n\nexport type CredentialsSupportedDisplay = NameAndLocale &\n LogoAndColor & {\n name: string // REQUIRED. String value of a display name for the Credential.\n background_image?: ImageInfo //OPTIONAL, NON-SPEC compliant!. URL of a background image useful for card views of credentials. Expected to an image that fills the full card-view of a wallet\n }\n\nexport type MetadataDisplay = NameAndLocale &\n LogoAndColor & {\n name?: string //OPTIONAL. String value of a display name for the Credential Issuer.\n }\n\nexport interface CredentialSupplierConfig {\n [key: string]: any // This allows additional properties for credential suppliers\n}\n\nexport interface CredentialIssuerMetadataOpts {\n credential_endpoint?: string // REQUIRED. 
URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.\n batch_credential_endpoint?: string // OPTIONAL. URL of the Credential Issuer's Batch Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components. If omitted, the Credential Issuer does not support the Batch Credential Endpoint.\n credentials_supported: CredentialsSupportedLegacy[] // REQUIRED in versions below 13. A JSON array containing a list of JSON objects, each of them representing metadata about a separate credential type that the Credential Issuer can issue. The JSON objects in the array MUST conform to the structure of the Section 10.2.3.1.\n credential_issuer: string // REQUIRED. The Credential Issuer's identifier.\n authorization_server?: string // OPTIONAL. Identifier of the OAuth 2.0 Authorization Server (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per [RFC8414].\n token_endpoint?: string\n notification_endpoint?: string\n authorization_challenge_endpoint?: string // OPTIONAL URL of the Credential Issuer's Authorization Challenge Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components. Described on https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-authorization-challenge-end\n display?: MetadataDisplay[] // An array of objects, where each object contains display properties of a Credential Issuer for a certain language. 
Below is a non-exhaustive list of valid parameters that MAY be included:\n credential_supplier_config?: CredentialSupplierConfig\n}\n\n//todo: investigate if these values are enough.\nexport type AlgValue = 'RS256' | 'ES256' | 'PS256' | 'HS256' | string\nexport type EncValue = 'A128GCM' | 'A256GCM' | 'A128CBC-HS256' | 'A256CBC-HS512' | string\n\nexport interface ResponseEncryption {\n /**\n * REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms\n * (alg values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the\n * Credential or Batch Credential Response in a JWT\n */\n alg_values_supported: AlgValue[]\n\n /**\n * REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms\n * (enc values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the\n * Credential or Batch Credential Response in a JWT\n */\n enc_values_supported: EncValue[]\n\n /**\n * REQUIRED. Boolean value specifying whether the Credential Issuer requires the\n * additional encryption on top of TLS for the Credential Response. If the value is true, the Credential\n * Issuer requires encryption for every Credential Response and therefore the Wallet MUST provide\n * encryption keys in the Credential Request. If the value is false, the Wallet MAY choose whether it\n * provides encryption keys or not.\n */\n encryption_required: boolean\n}\n\n// For now we extend the opts above. Only difference is that the credential endpoint is optional in the Opts, as it can come from other sources. The value is however required in the eventual Issuer Metadata\nexport interface CredentialIssuerMetadata extends CredentialIssuerMetadataOpts, Partial<AuthorizationServerMetadata> {\n authorization_servers?: string[] // OPTIONAL. Array of strings that identify the OAuth 2.0 Authorization Servers (as defined in [RFC8414]) the Credential Issuer relies on for authorization. 
If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per [RFC8414].\n credential_endpoint: string // REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.\n credential_configurations_supported: Record<string, CredentialConfigurationSupported> // REQUIRED. A JSON array containing a list of JSON objects, each of them representing metadata about a separate credential type that the Credential Issuer can issue. The JSON objects in the array MUST conform to the structure of the Section 10.2.3.1.\n credential_issuer: string // REQUIRED. The Credential Issuer's identifier.\n credential_response_encryption_alg_values_supported?: string // OPTIONAL. Array containing a list of the JWE [RFC7516] encryption algorithms (alg values) [RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].\n credential_response_encryption_enc_values_supported?: string //OPTIONAL. Array containing a list of the JWE [RFC7516] encryption algorithms (enc values) [RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].\n require_credential_response_encryption?: boolean //OPTIONAL. Boolean value specifying whether the Credential Issuer requires additional encryption on top of TLS for the Credential Response and expects encryption parameters to be present in the Credential Request and/or Batch Credential Request, with true indicating support. When the value is true, credential_response_encryption_alg_values_supported parameter MUST also be provided. If omitted, the default value is false.\n credential_identifiers_supported?: boolean // OPTIONAL. 
Boolean value specifying whether the Credential Issuer supports returning credential_identifiers parameter in the authorization_details Token Response parameter, with true indicating support. If omitted, the default value is false.\n}\n\n// For now we extend the opts above. Only difference is that the credential endpoint is optional in the Opts, as it can come from other sources. The value is however required in the eventual Issuer Metadata\n\nexport interface CredentialSupportedBrief {\n cryptographic_binding_methods_supported?: string[] // OPTIONAL. Array of case sensitive strings that identify how the Credential is bound to the identifier of the End-User who possesses the Credential\n cryptographic_suites_supported?: string[] // OPTIONAL. Array of case sensitive strings that identify the cryptographic suites that are supported for the cryptographic_binding_methods_supported\n}\n\nexport interface ProofType {\n proof_signing_alg_values_supported: string[]\n}\n\nexport type ProofTypesSupported = {\n [key in KeyProofType]?: ProofType\n}\n\nexport type CommonCredentialSupported = CredentialSupportedBrief &\n ExperimentalSubjectIssuance & {\n format: OID4VCICredentialFormat | string //REQUIRED. A JSON string identifying the format of this credential, e.g. jwt_vc_json or ldp_vc.\n id?: string // OPTIONAL. A JSON string identifying the respective object. The value MUST be unique across all credentials_supported entries in the Credential Issuer Metadata\n display?: CredentialsSupportedDisplay[] // OPTIONAL. An array of objects, where each object contains the display properties of the supported credential for a certain language\n scope?: string // OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. The value can be the same across multiple credential_configurations_supported objects. The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. 
The Wallet can use this value in the Authorization Request as defined in Section 5.1.2. Scope values in this Credential Issuer metadata MAY duplicate those in the scopes_supported parameter of the Authorization Server.\n proof_types_supported?: ProofTypesSupported\n\n /**\n * following properties are non-mso_mdoc specific and we might wanna rethink them when we're going to support mso_mdoc\n */\n }\n\nexport interface CredentialSupportedJwtVcJsonLdAndLdpVc extends CommonCredentialSupported {\n types: string[] // REQUIRED. JSON array designating the types a certain credential type supports\n '@context': ICredentialContextType[] // REQUIRED. JSON array as defined in [VC_DATA], Section 4.1.\n credentialSubject?: IssuerCredentialSubject // OPTIONAL. A JSON object containing a list of key value pairs, where the key identifies the claim offered in the Credential. The value MAY be a dictionary, which allows to represent the full (potentially deeply nested) structure of the verifiable credential to be issued.\n order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n format: 'ldp_vc' | 'jwt_vc_json-ld'\n}\n\nexport interface CredentialSupportedJwtVcJson extends CommonCredentialSupported {\n types: string[] // REQUIRED. JSON array designating the types a certain credential type supports\n credentialSubject?: IssuerCredentialSubject // OPTIONAL. A JSON object containing a list of key value pairs, where the key identifies the claim offered in the Credential. 
The value MAY be a dictionary, which allows to represent the full (potentially deeply nested) structure of the verifiable credential to be issued.\n order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n format: 'jwt_vc_json' | 'jwt_vc' // jwt_vc added for backwards compat\n}\n\nexport interface CredentialSupportedSdJwtVc extends CommonCredentialSupported {\n format: 'dc+sd-jwt' | 'vc+sd-jwt' // TODO Separate CredentialSupportedSdJwtVc for vcdm2?\n\n vct: string\n claims?: IssuerCredentialSubject\n\n order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n}\n\nexport interface CredentialSupportedSdJwtVcV13 extends CommonCredentialSupported {\n format: 'vc+sd-jwt' // TODO SSISDK-13\n\n vct: string\n claims?: IssuerCredentialSubject\n\n order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n}\n\nexport interface CredentialSupportedMsoMdoc extends CommonCredentialSupported {\n format: 'mso_mdoc'\n\n doctype: string\n claims?: IssuerCredentialSubject\n\n order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n}\n\nexport type CredentialConfigurationSupported =\n | CredentialConfigurationSupportedV1_0_15\n | (CommonCredentialSupported &\n (CredentialSupportedJwtVcJson | CredentialSupportedJwtVcJsonLdAndLdpVc | CredentialSupportedSdJwtVc | CredentialSupportedMsoMdoc))\n\nexport type CredentialsSupportedLegacy = CommonCredentialSupported &\n (\n | CredentialSupportedJwtVcJson\n | CredentialSupportedJwtVcJsonLdAndLdpVc\n | Credenti