Sphereon-Opensource · nklomp · Aug 16, 2024 · Aug 16, 2024
diff --git a/packages/oid4vci-common/package.json b/packages/oid4vci-common/package.json
@@ -13,11 +13,13 @@
     "@sphereon/oid4vc-common": "workspace:*",
     "@sphereon/ssi-types": "0.29.0",
     "cross-fetch": "^3.1.8",
+    "debug": "^4.3.5",
     "jwt-decode": "^4.0.0",
     "uint8arrays": "3.1.1",
     "uuid": "^9.0.0"
   },
   "devDependencies": {
+    "@types/debug": "^4.1.12",
     "@types/jest": "^29.5.12",
     "@types/uuid": "^9.0.1",
     "typescript": "5.4.5"

diff --git a/packages/siop-oid4vp/lib/authorization-request/Payload.ts b/packages/siop-oid4vp/lib/authorization-request/Payload.ts
@@ -45,7 +45,7 @@ export const createAuthorizationRequestPayload = async (
   const state = payload?.state ?? undefined
   const nonce = payload?.nonce ? getNonce(state, payload.nonce) : undefined
   // TODO: if opts['registration] throw Error to get rid of test code using that key
-  const clientMetadata = opts['registration'] ? opts['registration'] : (opts.clientMetadata as ClientMetadataOpts)
+  const clientMetadata = opts['registration'] ?? (opts.clientMetadata as ClientMetadataOpts)
   const registration = await createRequestRegistration(clientMetadata, opts)
   const claims = opts.version >= SupportedVersion.SIOPv2_ID1 ? opts.payload.claims : createPresentationDefinitionClaimsProperties(opts.payload.claims)
   const isRequestTarget = isTargetOrNoTargets(PropertyTarget.AUTHORIZATION_REQUEST, opts.requestObject.targets)
@@ -59,6 +59,7 @@ export const createAuthorizationRequestPayload = async (
   const authRequestPayload = {
     ...payload,
     //TODO implement /.well-known/openid-federation support in the OP side to resolve the client_id (URL) and retrieve the metadata
+    ...(clientMetadata.client_id && { client_id: clientMetadata.client_id }),
     ...(isRequestTarget && opts.requestObject.passBy === PassBy.REFERENCE ? { request_uri: opts.requestObject.reference_uri } : {}),
     ...(isRequestTarget && isRequestByValue && { request }),
     ...(nonce && { nonce }),

diff --git a/packages/siop-oid4vp/lib/authorization-request/types.ts b/packages/siop-oid4vp/lib/authorization-request/types.ts
@@ -42,6 +42,7 @@ export interface RequestObjectPayloadOpts<CT extends ClaimPayloadCommonOpts> {
   claims?: CT // from openid-connect-self-issued-v2-1_0-ID1 look at https://openid.net/specs/openid-connect-core-1_0.html#Claims
   nonce?: string // An optional nonce, will be generated if not provided
   state?: string // An optional state, will be generated if not provided
+  aud?: string // The audience of the request
   authorization_endpoint?: string
   response_mode?: ResponseMode // How the URI should be returned. This is not being used by the library itself, allows an implementor to make a decision
   response_types_supported?: ResponseType[] | ResponseType

diff --git a/packages/siop-oid4vp/lib/request-object/Payload.ts b/packages/siop-oid4vp/lib/request-object/Payload.ts
@@ -28,6 +28,7 @@ export const createRequestObjectPayload = async (opts: CreateAuthorizationReques
   const iat = payload.iat ?? now
   const nbf = payload.nbf ?? iat
   const exp = payload.exp ?? iat + validInSec
+  const aud = payload.aud
   const jti = payload.jti ?? uuidv4()
 
   return removeNullUndefined({
@@ -51,6 +52,7 @@ export const createRequestObjectPayload = async (opts: CreateAuthorizationReques
     nbf,
     exp,
     jti,
+    aud,
   })
 }
 

diff --git a/packages/siop-oid4vp/lib/request-object/RequestObject.ts b/packages/siop-oid4vp/lib/request-object/RequestObject.ts
@@ -3,7 +3,7 @@ import { JwtIssuer, parseJWT } from '@sphereon/oid4vc-common'
 import { ClaimPayloadCommonOpts, ClaimPayloadOptsVID1, CreateAuthorizationRequestOpts } from '../authorization-request'
 import { assertValidAuthorizationRequestOpts } from '../authorization-request/Opts'
 import { fetchByReferenceOrUseByValue, removeNullUndefined } from '../helpers'
-import { AuthorizationRequestPayload, JwtIssuerWithContext, RequestObjectJwt, RequestObjectPayload, ResponseMode, SIOPErrors } from '../types'
+import { AuthorizationRequestPayload, JwtIssuerWithContext, RequestObjectJwt, RequestObjectPayload, SIOPErrors } from '../types'
 
 import { assertValidRequestObjectOpts } from './Opts'
 import { assertValidRequestObjectPayload, createRequestObjectPayload } from './Payload'
@@ -74,6 +74,7 @@ export class RequestObject {
       if (this.payload.registration_uri) {
         delete this.payload.registration
       }
+
       assertValidRequestObjectPayload(this.payload)
 
       const jwtIssuer: JwtIssuerWithContext = this.opts.jwtIssuer
@@ -92,12 +93,6 @@ export class RequestObject {
         this.jwt = await this.opts.createJwtCallback(jwtIssuer, { header, payload: this.payload })
       } else if (jwtIssuer.method === 'x5c') {
         this.payload.iss = jwtIssuer.issuer
-        this.payload.client_id = jwtIssuer.issuer
-
-        if (this.opts.payload.response_mode !== ResponseMode.DIRECT_POST) {
-          this.payload.redirect_uri = jwtIssuer.issuer
-        }
-
         this.payload.client_id_scheme = jwtIssuer.clientIdScheme
 
         const header = { x5c: jwtIssuer.x5c, typ: 'JWT' }

diff --git a/packages/siop-oid4vp/lib/rp/RPBuilder.ts b/packages/siop-oid4vp/lib/rp/RPBuilder.ts
@@ -5,7 +5,7 @@ import { Hasher } from '@sphereon/ssi-types'
 
 import { PropertyTarget, PropertyTargets } from '../authorization-request'
 import { PresentationVerificationCallback } from '../authorization-response'
-import { CreateJwtCallback, VerifyJwtCallback } from '../types'
+import { CreateJwtCallback, RequestAud, VerifyJwtCallback } from '../types'
 import {
   AuthorizationRequestPayload,
   ClientMetadataOpts,
@@ -80,6 +80,12 @@ export class RPBuilder {
     return this
   }
 
+  withAudience(issuer: RequestAud, targets?: PropertyTargets): RPBuilder {
+    this._authorizationRequestPayload.aud = assignIfAuth({ propertyValue: issuer, targets }, false)
+    this._requestObjectPayload.aud = assignIfRequestObject({ propertyValue: issuer, targets }, true)
+    return this
+  }
+
   withPresentationVerification(presentationVerificationCallback: PresentationVerificationCallback): RPBuilder {
     this.presentationVerificationCallback = presentationVerificationCallback
     return this
@@ -119,6 +125,12 @@ export class RPBuilder {
     return this
   }
 
+  withResponsetUri(redirectUri: string, targets?: PropertyTargets): RPBuilder {
+    this._authorizationRequestPayload.response_uri = assignIfAuth({ propertyValue: redirectUri, targets }, false)
+    this._requestObjectPayload.response_uri = assignIfRequestObject({ propertyValue: redirectUri, targets }, true)
+    return this
+  }
+
   withRequestByReference(referenceUri: string): RPBuilder {
     return this.withRequestBy(PassBy.REFERENCE, referenceUri /*, PropertyTarget.AUTHORIZATION_REQUEST*/)
   }

diff --git a/packages/siop-oid4vp/lib/types/SIOP.types.ts b/packages/siop-oid4vp/lib/types/SIOP.types.ts
@@ -634,6 +634,10 @@ export enum ResponseIss {
   JWT_VC_PRESENTATION_V1 = 'https://self-issued.me/v2/openid-vc',
 }
 
+export enum RequestAud {
+  SELF_ISSUED_V2 = 'https://self-issued.me/v2',
+}
+
 export const isRequestOpts = (object: CreateAuthorizationRequestOpts | AuthorizationResponseOpts): object is CreateAuthorizationRequestOpts =>
   'requestBy' in object
 

diff --git a/packages/siop-oid4vp/package.json b/packages/siop-oid4vp/package.json
@@ -21,6 +21,7 @@
     "@sphereon/ssi-types": "0.22.0",
     "@sphereon/wellknown-dids-client": "^0.1.3",
     "cross-fetch": "^4.0.0",
+    "debug": "^4.3.5",
     "events": "^3.3.0",
     "jwt-decode": "^4.0.0",
     "language-tags": "^1.0.9",
@@ -45,6 +46,7 @@
     "@transmute/did-key-ed25519": "^0.3.0-unstable.10",
     "@transmute/ed25519-key-pair": "0.7.0-unstable.82",
     "@transmute/ed25519-signature-2018": "^0.7.0-unstable.82",
+    "@types/debug": "^4.1.12",
     "@types/jest": "^29.5.11",
     "@types/jwt-decode": "^3.1.0",
     "@types/language-tags": "^1.0.4",