Use credential configuration to determine proof type in OID4VCI.

Author: dlongley

lib/OID4Client.js

@@ -2,7 +2,7 @@
  * Copyright (c) 2022-2026 Digital Bazaar, Inc.
  */
 import {
-  createAuthorizationDetailsFromOffer, createCredentialRequestsFromOffer
+  createAuthorizationDetailsFromOffer, createConfiguredRequestsFromOffer
 } from './oid4vci/credentialOffer.js';
 import {generateDIDProofDIVP, generateDIDProofJWT} from './oid4vci/proofs.js';
 import {createNamedError} from './util.js';
@@ -82,24 +82,16 @@ export class OID4Client {
   async requestCredential({
     credentialDefinition, did, didProofSigner, nonce, agent, format = 'ldp_vc'
   } = {}) {
-    const {authorizationDetails, issuerConfig, offer, oid4vciVersion} = this;
     let requests;
-    if(credentialDefinition === undefined) {
-      if(!offer) {
-        throw new TypeError('"offer" must be an object.');
-      }
-      requests = createCredentialRequestsFromOffer({
-        issuerConfig, offer, format, authorizationDetails, oid4vciVersion
-      });
-    } else {
-      // OID4VCI Draft 13 only
+    if(credentialDefinition !== undefined) {
+      // OID4VCI Draft 13 only...
       requests = [{
         format,
         credential_definition: credentialDefinition
       }];
     }
     return this.requestCredentials({
-      requests, did, didProofSigner, nonce, agent
+      requests, did, didProofSigner, nonce, agent, format
     });
   }
 
@@ -116,24 +108,51 @@ export class OID4Client {
       });
     }
 
+    // generate configured requests...
+    let configuredRequests;
+
+    // if `requests` given (deprecated style), validate them
+    // note: `offer` is preferred instead of `requests`
     const {authorizationDetails, issuerConfig, offer, oid4vciVersion} = this;
-    if(requests === undefined && offer) {
-      requests = createCredentialRequestsFromOffer({
+    if(requests) {
+      // OID4VCI Draft 13 only...
+      if(!(Array.isArray(requests) && requests.length > 0)) {
+        throw new TypeError('"requests" must be an array of length >= 1.');
+      }
+      requests.forEach(_assertRequest);
+      // map requests to `configuredRequests`; use `undefined` credential
+      // configuration unless only a single configuration is mentioned; a
+      // future revision might try to match `credential_definition`, but this
+      // is probably not worth the effort since this is for draft 13 only
+      let configuration;
+      const supportedConfigIds = Object.keys(
+        issuerConfig.credential_configurations_supported ?? {});
+      if(supportedConfigIds.length > 0) {
+        configuration = issuerConfig
+          .credential_configurations_supported[supportedConfigIds[0]];
+      }
+      configuredRequests = requests.map(
+        request => ({configuration, request}));
+    } else if(offer) {
+      configuredRequests = createConfiguredRequestsFromOffer({
         issuerConfig, offer, format, authorizationDetails, oid4vciVersion
       });
-    } else if(!(Array.isArray(requests) && requests.length > 0)) {
-      throw new TypeError('"requests" must be an array of length >= 1.');
+    } else {
+      throw new TypeError('"offer" must be an object.');
     }
-    requests.forEach(_assertRequest);
 
     // determine if OID4VCI 1.0+ is to be used
-    const version1Plus = requests.some(r => r.credential_identifier);
-
+    const version1Plus = configuredRequests.some(
+      ({request}) => request.credential_identifier);
     if(!version1Plus) {
       // set default `format` for requests with `credential_definition`
       // (OID4VCI Draft 13 only)
-      requests = requests.map(
-        r => r.credential_definition ? {format, ...r} : r);
+      configuredRequests = configuredRequests.map(
+        ({configuration, request}) => ({
+          configuration,
+          request: request.credential_definition ?
+            {format, ...request} : request
+        }));
     }
 
     try {
@@ -144,13 +163,15 @@ export class OID4Client {
         // adding a DID proof, if requested and N-many nonces might be required
         // FIXME: use p-queue to manage work
         const {credential_endpoint: url} = issuerConfig;
-        const results = await Promise.all(requests.map(async request => {
-          const json = {...request};
-          return _requestCredential({
-            accessToken, issuerConfig,
-            url, json, nonce, did, didProofSigner, agent
-          });
-        }));
+        const results = await Promise.all(configuredRequests.map(
+          async ({configuration, request}) => {
+            const json = {...request};
+            return _requestCredential({
+              accessToken, issuerConfig,
+              credentialConfiguration: configuration,
+              url, json, nonce, did, didProofSigner, agent
+            });
+          }));
         // for backwards compatibility, return all results independently,
         // combined, and singular (if applicable)
         const credentials = results
@@ -168,6 +189,9 @@ export class OID4Client {
         // draft 13...
         let url;
         let json;
+        requests = configuredRequests.map(({request}) => request);
+        // same configuration has to be used for all requested credentials
+        const configuration = configuredRequests[0]?.configuration;
         if(requests.length > 1 || alwaysUseBatchEndpoint) {
           ({batch_credential_endpoint: url} = issuerConfig);
           json = {credential_requests: requests};
@@ -177,6 +201,7 @@ export class OID4Client {
         }
         result = await _requestCredential({
           accessToken, issuerConfig,
+          credentialConfiguration: configuration,
           url, json, nonce, did, didProofSigner, agent
         });
       }
@@ -232,26 +257,27 @@ export class OID4Client {
 }
 
 async function _addDIDProof({
-  issuerConfig, json, nonce, did, didProofSigner
+  issuerConfig, credentialConfiguration, json, nonce, did, didProofSigner
 }) {
-  // FIXME: allow these to combine; and choose just one based on
-  // `proof_types_supported`, defaulting to `jwt` if nothing is specified
-  await _addDIDProofDIVP({issuerConfig, json, nonce, did, didProofSigner});
-  // add DID proof `jwt` to json
-  await _addDIDProofJWT({issuerConfig, json, nonce, did, didProofSigner});
+  if(credentialConfiguration?.proof_types_supported?.di_vp) {
+    return _addDIDProofDIVP({issuerConfig, json, nonce, did, didProofSigner});
+  }
+
+  // default to JWT
+  return _addDIDProofJWT({issuerConfig, json, nonce, did, didProofSigner});
 }
 
 async function _addDIDProofDIVP({
   issuerConfig, json, nonce, did, didProofSigner
 }) {
   // generate a DID proof DI VP
   const {issuer: domain} = issuerConfig;
-  const di_vp = [await generateDIDProofDIVP({
+  const di_vp = await generateDIDProofDIVP({
     did,
     signer: didProofSigner,
     domain,
     challenge: nonce
-  })];
+  });
 
   // add proof to body to be posted and loop to retry
   const proof = {proof_type: 'di_vp', di_vp};
@@ -304,7 +330,8 @@ async function _addDIDProofJWT({
 }
 
 async function _requestCredential({
-  accessToken, issuerConfig, url, json, nonce, did, didProofSigner, agent
+  accessToken, issuerConfig, credentialConfiguration,
+  url, json, nonce, did, didProofSigner, agent
 }) {
   /* First send credential request(s) to DS without DID proof JWT (unless
   `nonce` is given) e.g.:
@@ -373,7 +400,9 @@ async function _requestCredential({
   */
   if(nonce !== undefined) {
     // add DID proof to json
-    await _addDIDProof({issuerConfig, json, nonce, did, didProofSigner});
+    await _addDIDProof({
+      issuerConfig, credentialConfiguration, json, nonce, did, didProofSigner
+    });
   }
 
   let result;
@@ -426,7 +455,9 @@ async function _requestCredential({
       }
 
       // add DID proof to json
-      await _addDIDProof({issuerConfig, json, nonce, did, didProofSigner});
+      await _addDIDProof({
+        issuerConfig, credentialConfiguration, json, nonce, did, didProofSigner
+      });
     }
   }
 

lib/oid4vci/credentialOffer.js

@@ -27,48 +27,59 @@ export function createAuthorizationDetailsFromOffer({
   return authorizationDetails.length > 0 ? authorizationDetails : undefined;
 }
 
-export function createCredentialRequestsFromOffer({
+export function createConfiguredRequestsFromOffer({
   issuerConfig, offer, format, authorizationDetails, oid4vciVersion
 } = {}) {
   // get credential configs that match `offer` and `format`
   const matchingConfigurations = getCredentialConfigurations({
     issuerConfig, offer, supportedFormats: [format]
   });
 
-  // build requests...
-  let requests;
+  // build requests and matching meta data...
+  let configuredRequests;
 
   // the presence of `authorizationDetails` triggers OID4VCI 1.0+ format,
   // which uses `credential_identifier` instead of
   // Draft 13 `format` + `credential_definition`
   if(authorizationDetails && oid4vciVersion !== 'draft13') {
-    // add a request for each `credential_identifier` mentioned in each
-    // matching configuration
-    requests = [];
-    const matchingIds = new Set(matchingConfigurations.map(({id}) => id));
+    // add a configured request for each `credential_identifier` mentioned in
+    // each matching configuration
+    configuredRequests = [];
+    const matchMap = new Map(matchingConfigurations.map(
+      configuration => [configuration.id, configuration]));
     for(const element of authorizationDetails) {
       const {
         type, credential_configuration_id, credential_identifiers = []
       } = element;
       if(type !== 'openid_credential') {
         continue;
       }
-      if(matchingIds.has(credential_configuration_id)) {
-        requests.push(
-          ...credential_identifiers.map(id => ({credential_identifier: id})));
+      const configuration = matchMap.get(credential_configuration_id);
+      if(configuration) {
+        for(const credential_identifier of credential_identifiers) {
+          configuredRequests.push({
+            configuration,
+            request: {credential_identifier}
+          });
+        }
       }
     }
   } else {
     // OID4VCI Draft 13 request format
-    requests = matchingConfigurations.map(
-      ({format, credential_definition}) => ({format, credential_definition}));
+    configuredRequests = matchingConfigurations.map(configuration => {
+      const {format, credential_definition} = configuration;
+      return {
+        configuration,
+        request: {format, credential_definition}
+      };
+    });
   }
-  if(!(requests?.length > 0)) {
+  if(!(configuredRequests?.length > 0)) {
     throw new Error(
       `No supported credential(s) with format "${format}" found.`);
   }
 
-  return requests;
+  return configuredRequests;
 }
 
 export async function getCredentialOffer({url, agent} = {}) {