### VP Token Claims Example

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Example of the 'claims' parameter in a SIOP request, specifically for a 'vp_token'. It defines the presentation requirements for the verifiable credentials the RP wants: one input descriptor matching the IDCardCredential schema, with selective disclosure required and only the `given_name` field requested, so the wallet should disclose nothing else.

```json
{
  "id_token": {
    "email": null
  },
  "vp_token": {
    "presentation_definition": {
      "input_descriptors": [
        {
          "schema": [
            {
              "uri": "https://www.w3.org/2018/credentials/examples/v1/IDCardCredential"
            }
          ],
          "constraints": {
            "limit_disclosure": "required",
            "fields": [
              {
                "path": ["$.vc.credentialSubject.given_name"]
              }
            ]
          }
        }
      ]
    }
  }
}
```

--------------------------------

### Example DID Key and Registration Data

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

This snippet shows an example of a DID key structure and registration details used in the SIOP OID4VP process. The key (`kid`, `kty`, `crv`, `x`, `y`) is shown here under the `sub_jwk` key it sits in within the ID Token payload, followed by the nonce and state echoed back from the request and the OP's registration metadata listing the supported signing algorithms.

```json
{
  "sub_jwk": {
    "kid": "did:ethr:0x998D43DA5d9d78500898346baf2d9B1E39Eb0Dda#key-1",
    "kty": "EC",
    "crv": "secp256k1",
    "x": "a4IvJILPHe3ddGPi9qvAyXY9qMTEHvQw5DpQYOJVA0c",
    "y": "IKOy0JfBF8FOlsOJaC41xiKuGc2-_iqTI01jWHYIyJU"
  },
  "nonce": "qBrR7mqnY3Qr49dAZycPF8FzgE83m6H0c2l0bzP4xSg",
  "state": "b32f0087fc9816eb813fd11f",
  "registration": {
    "issuer": "https://self-issued.me/v2",
    "response_types_supported": "id_token",
    "authorization_endpoint": "openid:",
    "scopes_supported": "openid",
    "id_token_signing_alg_values_supported": ["ES256K", "EdDSA"],
    "request_object_signing_alg_values_supported": ["ES256K", "EdDSA"],
    "subject_types_supported": "pairwise"
  }
}
```

--------------------------------

### OpenID Connect URI Example

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Example of an OpenID Connect URI used to initiate an authentication request. It carries the response type, scope, client ID (the RP's DID), redirect URI, issuer, response mode, claims, state and nonce, plus the registration metadata and request object parameters.
```uri
openid://?response_type=id_token
  &scope=openid
  &client_id=did%3Aethr%3A0xBC9484414c1DcA4Aa85BadBBd8a36E3973934444
  &redirect_uri=https%3A%2F%2Frp.acme.com%2Fsiop%2Fjwts
  &iss=did%3Aethr%3A0xBC9484414c1DcA4Aa85BadBBd8a36E3973934444
  &response_mode=post
  &claims=...
  &state=af0ifjsldkj
  &nonce=qBrR7mqnY3Qr49dAZycPF8FzgE83m6H0c2l0bzP4xSg&state=b32f0087fc9816eb813fd11f
  &registration=%5Bobject%20Object%5D
  &request=
```

--------------------------------

### Credential Offer Response

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/issuer-rest/README.md

Example response received after creating a credential offer. It contains the offer URI (with the offer object URL-encoded in the `credential_offer` parameter) and the transaction code details; `userPin` is the code the issuer expects the holder to enter, so it is for the issuer's own out-of-band delivery, not for the wallet.

```json
{
  "uri": "openid-credential-offer://?credential_offer=%7B%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22bzCzhpkwFBHPyTF9u6Rfdz%22%2C%22tx_code%22%3A%7B%22input_mode%22%3A%22numeric%22%2C%22length%22%3A4%7D%7D%7D%2C%22credential_configuration_ids%22%3A%5B%22Omzetbelasting%22%5D%2C%22credential_issuer%22%3A%22https%3A%2F%2Fagent.issuer.bd.demo.sphereon.com%22%7D",
  "txCode": {
    "input_mode": "numeric",
    "length": 4
  },
  "userPin": "0151",
  "pinLength": 4
}
```

--------------------------------

### Create Credential Offer Request

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/issuer-rest/README.md

Example request payload for creating a credential offer. It includes the credential configuration IDs, the pre-authorized code grant with its transaction code settings, and the `credentialDataSupplierInput` passed through to the credential data supplier.
```json
{
  "credential_configuration_ids": ["Omzetbelasting"],
  "grants": {
    "urn:ietf:params:oauth:grant-type:pre-authorized_code": {
      "pre-authorized_code": "bzCzhpkwFBHPyTF9u6Rfdz",
      "tx_code": {
        "input_mode": "numeric",
        "length": 4
      }
    }
  },
  "credentialDataSupplierInput": {
    "naam": "Example",
    "rsin": "RSIN-1234",
    "btwId": "BTW-5678",
    "obNummer": "OB-abcd"
  }
}
```

--------------------------------

### Example JWT Verifier Callback using jose

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

An example implementation of a JWT verifier callback using the 'jose' library. It verifies the signature of a given JWT against the public key of the key pair generated for the signer callback below. Note that `compactVerify` checks the signature only; claim checks (audience, expiry, nonce) are separate.

```typescript
import * as jose from 'jose';

// `keypair` is the key pair generated in the signer callback example; the verifier
// only needs its public half. compactVerify throws if the signature does not verify.
async function verifyCallback(args: { jwt: string; kid: string }): Promise<void> {
  await jose.compactVerify(args.jwt, keypair.publicKey);
}
```

--------------------------------

### Example JWT Signer Callback using jose

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

An example implementation of a JWT signer callback using the 'jose' library. It generates a key pair and signs a JWT with the given payload and header, setting issuer, audience, issued-at and a two hour expiry.

```typescript
import * as jose from 'jose';
import { Jwt } from '@sphereon/oid4vci-client';

// The key pair used to sign proofs; its public key is what the verifier callback checks against
const keypair = await jose.generateKeyPair('ES256');

// Must be JWS
async function signCallback(args: Jwt, kid: string): Promise<string> {
  return await new jose.SignJWT({ ...args.payload })
    .setProtectedHeader({ alg: args.header.alg })
    .setIssuedAt()
    .setIssuer(kid)
    .setAudience(args.payload.aud)
    .setExpirationTime('2h')
    .sign(keypair.privateKey);
}
```

--------------------------------

### JWT Header Example

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Example of a JWT header used in SIOP authentication requests. It specifies the signing algorithm, the key ID (a DID URL pointing at the verification method) and the token type.
```json
{
  "alg": "ES256K",
  "kid": "did:ethr:0xcBe71d18b5F1259faA9fEE8f9a5FAbe2372BE8c9#controller",
  "typ": "JWT"
}
```

--------------------------------

### ID Token Claims Example

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Example of the 'claims' parameter in a SIOP request, specifically for an 'id_token'. It can include userinfo requests such as verifiable presentations (each entry wrapping a presentation definition) and an essential `auth_time` claim.

```json
{
  "userinfo": {
    "verifiable_presentations": [
      {
        "presentation_definition": {
          "input_descriptors": [
            {
              "schema": [
                {
                  "uri": "https://did.itsourweb.org:3000/smartcredential/Ontario-Health-Insurance-Plan"
                }
              ]
            }
          ]
        }
      }
    ]
  },
  "id_token": {
    "auth_time": {
      "essential": true
    }
  }
}
```

--------------------------------

### JWT Payload Example

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Example of a JWT payload for a SIOP authentication request. It includes the standard OpenID Connect parameters and SIOP-specific fields such as the registration metadata; the `claims` value is elided here.

```json
{
  "iat": 1632336634,
  "exp": 1632337234,
  "response_type": "id_token",
  "scope": "openid",
  "client_id": "did:ethr:0xcBe71d18b5F1259faA9fEE8f9a5FAbe2372BE8c9",
  "redirect_uri": "https://acme.com/siop/v1/sessions",
  "iss": "did:ethr:0xcBe71d18b5F1259faA9fEE8f9a5FAbe2372BE8c9",
  "response_mode": "post",
  "claims": ...,
  "nonce": "qBrR7mqnY3Qr49dAZycPF8FzgE83m6H0c2l0bzP4xSg",
  "state": "b32f0087fc9816eb813fd11f",
  "registration": {
    "did_methods_supported": ["did:ethr:", "did:web:"],
    "subject_identifiers_supported": "did"
  }
}
```

--------------------------------

### JWS Compact Serialization Example

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Illustrates the structure of a Signed JWT (JWS) using Compact Serialization: the base64url-encoded protected header, payload and signature joined by dots.

```text
BASE64URL(UTF8(JWT Protected Header)) || '.' ||
BASE64URL(JWT Payload) || '.' ||
BASE64URL(JWS Signature)
```

--------------------------------

### Create and Query DCQL Object

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Processes a DCQL query to filter and match verifiable credentials. This involves parsing the query, validating it, and then querying the provided credentials. The verifiable credentials passed in do not get sent to the RP; only the submissionFrom method creates a VP. The query's `format` has to match the `credential_format` of the credentials being queried, otherwise nothing matches.

```typescript
import { DcqlQuery, DcqlQueryResult, DcqlW3cVcCredential, Json } from 'dcql' // imports assumed from the dcql package

const verifiableCredentials: VerifiableCredential[] = [VC1, VC2, VC3] // This typically comes from your wallet

const dcqlQuery = {
  credentials: [
    {
      id: 'Credentials',
      format: 'ldp_vc', // must match the credential_format of the credentials queried below
      claims: [{ path: ['given_name'], values: ['John'] }],
      require_cryptographic_holder_binding: true,
    },
  ],
} satisfies DcqlQuery.Input

const parsedDcqlQuery = DcqlQuery.parse(dcqlQuery)
DcqlQuery.validate(parsedDcqlQuery)

// Map every wallet credential into the shape the DCQL engine queries. The claims are the
// credentialSubject, so the claim paths in the query above are relative to it.
const dcqlCredentials = verifiableCredentials.map(
  (vc) =>
    ({
      credential_format: 'ldp_vc',
      claims: vc.credentialSubject as { [x: string]: Json },
      type: vc.type,
      cryptographic_holder_binding: true,
    }) satisfies DcqlW3cVcCredential,
)

const dcqlQueryResult: DcqlQueryResult = DcqlQuery.query(parsedDcqlQuery, dcqlCredentials)
```

--------------------------------

### JWT Encoded ID Token Example

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Example of a JWT encoded ID Token generated by the OP. It includes the self-issued issuer, the subject (the OP's DID), the audience (the RP's redirect URI) and the other claims an RP needs to check. The payload is cut off at `sub_jwk`; the key and registration metadata that follow it are shown in the 'Example DID Key and Registration Data' snippet.
```json
// JWT encoded ID Token

// JWT Header
{
  "alg": "ES256K",
  "kid": "did:ethr:0x998D43DA5d9d78500898346baf2d9B1E39Eb0Dda#keys-1",
  "typ": "JWT"
}

// JWT Payload
{
  "iat": 1632343857.084,
  "exp": 1632344857.084,
  "iss": "https://self-issued.me/v2",
  "sub": "did:ethr:0x998D43DA5d9d78500898346baf2d9B1E39Eb0Dda",
  "aud": "https://acme.com/siop/v1/sessions",
  "did": "did:ethr:0x998D43DA5d9d78500898346baf2d9B1E39Eb0Dda",
  "sub_type": "did",
  "sub_jwk": {
```

--------------------------------

### Credential Issuance Status Response

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/issuer-rest/README.md

Example response indicating the current status of a credential issuance. It includes creation and last-update timestamps (epoch milliseconds) and the status code.

```json
{
  "createdAt": 1721768181938,
  "lastUpdatedAt": 1721768181938,
  "status": "OFFER_CREATED"
}
```

--------------------------------

### Proof of Possession Callbacks Initialization

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

Initializes the ProofOfPossessionCallbacks object with the sign and verify callback functions defined earlier, and shows the key pair generation with 'jose' that those callbacks rely on.

```typescript
import * as jose from 'jose';
import { Jwt, ProofOfPossessionCallbacks } from '@sphereon/oid4vci-client';

const callbacks: ProofOfPossessionCallbacks = {
  signCallback,
  verifyCallback,
};

const keyPair = await jose.generateKeyPair('ES256');
```

--------------------------------

### VC Issuer Builder Usage with State Manager

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/issuer/README.md

Demonstrates how to initialize the VC Issuer Builder with an in-memory credential offer state manager. An in-memory store loses all offer state on restart and is not shared between instances, so it suits tests and single-process demos.
```typescript
const vcIssuer = new VcIssuerBuilder()
  .withAuthorizationServer('https://authorization-server')
  .withCredentialEndpoint('https://credential-endpoint')
  .withCredentialIssuer('https://credential-issuer')
  .withIssuerDisplay({
    name: 'example issuer',
    locale: 'en-US',
  })
  .withCredentialsSupported(credentialsSupported)
  .withInMemoryCredentialOfferStates(new MemoryCredentialOfferStateManager())
  .build()
```

--------------------------------

### Configure OpenID Provider (OP)

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Build an OP instance with expiration, DID method, JWT callbacks, and client metadata. Make sure the JWT signing algorithms and supported scopes match what the RP advertises, otherwise requests and responses will be rejected.

```typescript
import {
  OP,
  PassBy,
  ResponseIss,
  ResponseType,
  Scope,
  SigningAlgo,
  SubjectType,
} from '@sphereon/did-auth-siop' // imports assumed; the original snippet does not show them

const op = OP.builder()
  .withExpiresIn(6000)
  .addDidMethod('ethr')
  .withCreateJwtCallback(createJwtCallback)
  .withVerifyJwtCallback(verifyJwtCallback)
  .withClientMetadata({
    authorizationEndpoint: 'www.myauthorizationendpoint.com',
    id_token_signing_alg_values_supported: [SigningAlgo.EDDSA],
    issuer: ResponseIss.SELF_ISSUED_V2,
    request_object_signing_alg_values_supported: [SigningAlgo.EDDSA, SigningAlgo.ES256],
    response_types_supported: [ResponseType.ID_TOKEN],
    vpFormats: { jwt_vc: { alg: [SigningAlgo.EDDSA] } },
    scopes_supported: [Scope.OPENID_DIDAUTHN, Scope.OPENID],
    subject_types_supported: [SubjectType.PAIRWISE],
    subjectSyntaxTypesSupported: ['did:ethr'],
    passBy: PassBy.VALUE,
  })
  .build()
```

--------------------------------

### Initiate Client from openid-initiate-issuance URI

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

Initiates the OpenID4VCI client using a URI obtained from the Issuer via a link or QR code. Server metadata is fetched during initialization. The `kid`, `alg`, and `clientId` can be deferred to later calls.

```typescript
import { OpenID4VCIClientV1_0_13 } from '@sphereon/oid4vci-client';
import { Alg } from '@sphereon/oid4vci-common'; // import assumed; the original snippet uses Alg without importing it

// The client is initiated from a URI. This URI is provided by the Issuer, typically as a URL or QR code.
const client = await OpenID4VCIClientV1_0_13.fromURI({
  uri: 'openid-initiate-issuance://?issuer=https%3A%2F%2Fissuer.research.identiproof.io&credential_type=OpenBadgeCredentialUrl&pre-authorized_code=4jLs9xZHEfqcoow0kHE7d1a8hUk6Sy-5bVSV2MqBUGUgiFFQi-ImL62T-FmLIo8hKA1UdMPH0lM1xAgcFkJfxIw9L-lI3mVs0hRT8YVwsEM1ma6N3wzuCdwtMU4bcwKp&user_pin_required=true',
  kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21#key-1', // Our DID. You can defer this also to when the acquireCredential method is called
  alg: Alg.ES256, // The signing Algorithm we will use. You can defer this also to when the acquireCredential method is called
  clientId: 'test-clientId', // The clientId if the Authorization Service requires it. If a clientId is needed you can defer this also to when the acquireAccessToken method is called
  retrieveServerMetadata: true, // Already retrieve the server metadata. Can also be done afterwards by invoking a method yourself.
});

console.log(client.getIssuer()); // https://issuer.research.identiproof.io
console.log(client.getCredentialEndpoint()); // https://issuer.research.identiproof.io/credential
console.log(client.getAccessTokenEndpoint()); // https://auth.research.identiproof.io/oauth2/token
```

--------------------------------

### Acquire Credentials Using Proof of Possession

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

This snippet shows how to acquire credentials from an issuer using a pre-built Proof of Possession. You can specify the credential type (which must match a type from the initiate issuance request) and override the format.
```typescript
import { CredentialRequestClientBuilder, CredentialResponse, ProofOfPossessionArgs } from '@sphereon/oid4vci-client';

const credentialRequestClient = CredentialRequestClientBuilder.fromCredentialOfferRequest(initiationRequestWithUrl, metadata).build();

// In 1 step:
const credentialResponse: CredentialResponse = await credentialRequestClient.acquireCredentialsUsingProof({
  proofInput,
  credentialType: 'OpenBadgeCredential', // Needs to match a type from the Initiate Issuance Request!
  format: 'jwt_vc', // Allows us to override the format
});
```

--------------------------------

### Initiate Client from HTTPS URI

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

Initiates the OpenID4VCI client using an HTTPS URI, typically containing a credential offer. Server metadata is fetched during initialization. The `kid`, `alg`, and `clientId` can be deferred to later calls.

```typescript
import { OpenID4VCIClientV1_0_13 } from '@sphereon/oid4vci-client';
import { Alg } from '@sphereon/oid4vci-common'; // import assumed; the original snippet uses Alg without importing it

// The client is initiated from a URI. This URI is provided by the Issuer, typically as a URL or QR code.
const client = await OpenID4VCIClientV1_0_13.fromURI({
  uri: 'https://launchpad.vii.electron.mattrlabs.io?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Flaunchpad.vii.electron.mattrlabs.io%22%2C%22credentials%22%3A%5B%7B%22format%22%3A%22ldp_vc%22%2C%22types%22%3A%5B%22OpenBadgeCredential%22%5D%7D%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22UPZohaodPlLBnGsqB02n2tIupCIg8nKRRUEUHWA665X%22%7D%7D%7D',
  kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21#key-1', // Our DID. You can defer this also to when the acquireCredential method is called
  alg: Alg.ES256, // The signing Algorithm we will use. You can defer this also to when the acquireCredential method is called
  clientId: 'test-clientId', // The clientId if the Authorization Service requires it. If a clientId is needed you can defer this also to when the acquireAccessToken method is called
  retrieveServerMetadata: true, // Already retrieve the server metadata. Can also be done afterwards by invoking a method yourself.
});

console.log(client.getIssuer()); // https://launchpad.vii.electron.mattrlabs.io
console.log(client.getCredentialEndpoint()); // https://launchpad.vii.electron.mattrlabs.io/credential
console.log(client.getAccessTokenEndpoint()); // https://launchpad.vii.electron.mattrlabs.io/oauth2/token
```

--------------------------------

### ICredentialOfferStateManager Interface

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/issuer/README.md

Defines the contract for managing credential offer states, including methods for setting, getting, checking, deleting, and clearing states.

```typescript
export interface ICredentialOfferStateManager {
  setState(state: string, payload: CredentialOfferState): Promise<Map<string, CredentialOfferState>>
  getState(state: string): Promise<CredentialOfferState | undefined>
  hasState(state: string): Promise<boolean>
  deleteState(state: string): Promise<boolean>
  clearExpiredStates(timestamp?: number): Promise<void> // clears all expired states compared against timestamp if provided, otherwise current timestamp
  clearAllStates(): Promise<void> // clears all states
}
```

--------------------------------

### Configure RP with Presentation Verification

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Configures the RP (Relying Party) builder to use a custom callback for verifying Verifiable Presentations. The callback is where proof and holder-binding checks on the received presentation belong.

```typescript
const rp = RP.builder()
  .withPresentationVerification((args) => verifyPresentation(args))
  ...
```

--------------------------------

### EOSIO DID Testnet Keys Configuration

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/docs/eosio-dids-testnet.md

This JSON file is required for the 'create.test.ts' test to function. It holds the account name, private key, and public key for the DID; the bracketed values are placeholders to be filled in.
```json
{
  "name": "[ACCOUNT_NAME]",
  "private": "[PRIV_KEY]",
  "public": "[PUB_KEY]"
}
```

--------------------------------

### Create Verifiable Presentation

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Generates a Verifiable Presentation (VP) from user-selected Verifiable Credentials (VCs) based on a Presentation Definition, using the PEX library. Signing the VP is outside the scope of this library.

```typescript
const verifiablePresentation = await pex.submissionFrom(presentationDefs[0], userSelectedCredentials)
// Optionally sign the verifiable presentation here (outside of SIOP library scope)
```

--------------------------------

### Track Credential Issuance Status Request

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/issuer-rest/README.md

Example POST request payload to track the status of a credential issuance session. Use the 'id' corresponding to 'issuer_state' or 'pre-authorized_code'.

```json
{
  "id": "bzCzhpkwFBHPyTF9u6Rfdz"
}
```

--------------------------------

### Retrieve OpenID4VCI and OIDC/OAuth2 Metadata

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

Retrieves all metadata from a credential offer, checking both the OpenID4VCI and the OIDC/OAuth2 well-known locations. Use this to get the issuer, credential endpoint, token endpoint, and supported credentials.
```typescript
import { MetadataClientV1_0_13 } from '@sphereon/oid4vci-client';

const metadata = await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(initiationRequestWithUrl);

console.log(metadata);
/**
 * {
 *   issuer: 'https://server.example.com',
 *   credential_endpoint: 'https://server.example.com/credential',
 *   token_endpoint: 'https://server.example.com/token',
 *   jwks_uri: 'https://server.example.com/jwks',
 *   grant_types_supported: ['urn:ietf:params:oauth:grant-type:pre-authorized_code'],
 *   credentials_supported: {
 *     OpenBadgeCredential: {
 *       formats: {
 *         jwt_vc: {
 *           types: [
 *             'https://imsglobal.github.io/openbadges-specification/ob_v3p0.html#OpenBadgeCredential',
 *             'https://w3id.org/ngi/OpenBadgeExtendedCredential',
 *           ],
 *           binding_methods_supported: ['did'],
 *           cryptographic_suites_supported: ['ES256'],
 *         },
 *       },
 *     },
 *   },
 * }
 */
```

--------------------------------

### RP JWT Verification Callbacks

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Provides callback functions for verifying and creating the different kinds of JWTs (did, x5c, jwk) used by the Relying Party. This setup is essential for validating incoming tokens and authorization requests: each branch of the verify callback must actually verify the JWT for that method and return the result; a branch that falls through without verifying accepts unauthenticated tokens.
```typescript
function verifyJwtCallback(): VerifyJwtCallback {
  return async (jwtVerifier, jwt) => {
    if (jwtVerifier.method === 'did') {
      // verify didJwt's
    } else if (jwtVerifier.method === 'x5c') {
      // verify x5c certificate protected jwt's
    } else if (jwtVerifier.method === 'jwk') {
      // verify jwk certificate protected jwt's
    } else if (jwtVerifier.method === 'custom') {
      // Only called if based on the jwt the verification method could not be determined
      throw new Error(`Unsupported JWT verifier method ${jwtVerifier.method}`)
    }
  }
}
```

```typescript
function createJwtCallback(): CreateJwtCallback {
  return async (jwtIssuer, jwt) => {
    if (jwtIssuer.method === 'did') {
      // create didJwt
    } else if (jwtIssuer.method === 'x5c') {
      // create x5c certificate protected jwt
    } else if (jwtIssuer.method === 'jwk') {
      // create a jwk certificate protected jwt
    } else if (jwtIssuer.method === 'custom') {
      // Only called if no or a Custom jwtIssuer was passed to the respective methods
      throw new Error(`Unsupported JWT issuer method ${jwtIssuer.method}`)
    }
  }
}
```

--------------------------------

### Create Authorization Response with Verifiable Presentation

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Creates an authorization response including a Verifiable Presentation in the Linked Data Proof format, embedded within the vp_token. Ensure the `verifiablePresentation` object is correctly formatted and that `format` and `location` match what the RP requested.
```typescript
import { PresentationLocation, VerifiablePresentationTypeFormat } from './SIOP.types'

// Example with Verifiable Presentation in linked data proof format and as part of the vp_token
const vpOpt = {
  format: VerifiablePresentationTypeFormat.LDP_VP,
  presentation: verifiablePresentation,
  location: PresentationLocation.VP_TOKEN,
}

const authRespWithJWT = await op.createAuthorizationResponse(verifiedReq, { vp: [vpOpt] })
```

--------------------------------

### RP Configuration for EOSIO DID Testnet

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/docs/eosio-dids-testnet.md

This JSON file configures the Relying Party (RP) with its name and associated private and public keys for interacting with the EOSIO DID testnet. The key material below is the testnet example published in the project's docs.

```json
{
  "name": "sioprptest11",
  "private": "5JoQQVRYuXfEMBMjY9T96bvsHGfwaXMygnwFNA1enLA5coWQKSi",
  "public": "EOS6kKhHvCuWkJDAoNb35qxHnyGCmFQpe1eBYBj9W18iKEQ82vsKZ"
}
```

--------------------------------

### Relying Party (RP) Builder Configuration

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Configures the Relying Party instance using a builder pattern. This includes setting the redirect URL, how requests are passed, presentation verification, JWT callbacks, revocation verification, client metadata, and presentation definition claims. `RevocationVerification.NEVER` switches credential revocation checks off entirely, which is fine for a demo but not for a production RP.
```typescript
// The relying party (web) private key and DID and DID key (public key)
const EXAMPLE_REDIRECT_URL = 'https://acme.com/hello'

const rp = RP.builder()
  .redirect(EXAMPLE_REDIRECT_URL)
  .requestBy(PassBy.VALUE)
  .withPresentationVerification(presentationVerificationCallback)
  .withCreateJwtCallback(createJwtCallback)
  .withVerifyJwtCallback(verifyJwtCallback)
  .withRevocationVerification(RevocationVerification.NEVER)
  .withClientMetadata({
    id_token_signing_alg_values_supported: [SigningAlgo.EDDSA],
    request_object_signing_alg_values_supported: [SigningAlgo.EDDSA, SigningAlgo.ES256],
    response_types_supported: [ResponseType.ID_TOKEN],
    vp_formats_supported: { jwt_vc: { alg: [SigningAlgo.EDDSA] } },
    scopes_supported: [Scope.OPENID_DIDAUTHN, Scope.OPENID],
    subject_types_supported: [SubjectType.PAIRWISE],
    subjectSyntaxTypesSupported: ['did', 'did:ethr'],
    passBy: PassBy.VALUE,
  })
  .addPresentationDefinitionClaim({
    definition: {
      input_descriptors: [
        {
          schema: [
            {
              uri: 'https://did.itsourweb.org:3000/smartcredential/Ontario-Health-Insurance-Plan',
            },
          ],
        },
      ],
    },
    location: PresentationLocation.VP_TOKEN, // Toplevel vp_token response expected. This also can be ID_TOKEN
  })
  .build()
```

--------------------------------

### Build Proof of Possession from Access Token Response

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

Use this method when you have an access token response and server metadata to build the Proof of Possession; the builder takes the nonce from the access token response.
```typescript
import { ProofOfPossessionBuilder } from '@sphereon/oid4vci-client';

const proofInput: ProofOfPossession = await ProofOfPossessionBuilder.fromAccessTokenResponse({
  accessTokenResponse,
  callbacks,
})
  .withEndpointMetadata(metadata)
  .withClientId('s6BhdRkqt3')
  .withKid('did:example:ebfeb1f712ebc6f1c276e12ec21/keys/1')
  .build();

console.log(proofInput);
```

--------------------------------

### Acquire Credentials with Client

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

Acquires credentials using the OpenID4VCI Client. Supports the JWT format for credentials and requires proof of possession callbacks. The 'jwt_vc_json' format is used here, but 'ldp_vc' and 'jwt_vc_json-ld' are also supported.

```typescript
const credentialResponse = await client.acquireCredentials({
  credentialTypes: 'OpenBadgeCredential',
  proofCallbacks: callbacks,
  format: 'jwt_vc',
  alg: Alg.ES256K,
  kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21#keys-1',
});

console.log(credentialResponse.credential);
// JWT format. (LDP / JSON-LD ('ldp_vc' / 'jwt_vc_json-ld') is also supported by the client)
// eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL2V4YW1wbGVzL3YxIl0sImlkIjoiaHR0cDovL2V4YW1wbGUuZWR1L2NyZWRlbnRpYWxzLzM3MzIiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVW5pdmVyc2l0eURlZ3JlZUNyZWRlbnRpYWwiXSwiaXNzdWVyIjoiaHR0cHM6Ly9leGFtcGxlLmVkdS9pc3N1ZXJzLzU2NTA0OSIsImlzc3VhbmNlRGF0ZSI6IjIwMTAtMDEtMDFUMDA6MDA6MDBaIiwiY3JlZGVudGlhbFN1YmplY3QiOnsiaWQiOiJkaWQ6ZXhhbXBsZTplYmZlYjFmNzEyZWJjNmYxYzI3NmUxMmVjMjEiLCJkZWdyZWUiOnsidHlwZSI6IkJhY2hlbG9yRGVncmVlIiwibmFtZSI6IkJhY2hlbG9yIG9mIFNjaWVuY2UgYW5kIEFydHMifX19LCJpc3MiOiJodHRwczovL2V4YW1wbGUuZWR1L2lzc3VlcnMvNTY1MDQ5IiwibmJmIjoxMjYyMzA0MDAwLCJqdGkiOiJodHRwOi8vZXhhbXBsZS5lZHUvY3JlZGVudGlhbHMvMzczMiIsInN1YiI6ImRpZDpleGFtcGxlOmViZmViMWY3MTJlYmM2ZjFjMjc2ZTEyZWMyMSJ9.z5vgMTK1nfizNCg5N-niCOL3WUIAL7nXy-nGhDZYO_-PNGeE-0djCpWAMH8fD8eWSID5PfkPBYkx_dfLJnQ7NA
```

--------------------------------

### Configure Authorization Response Options

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Defines the options for an authorization response, including the redirect URI, registration details, and signature information. The `signature` block here is an internal signature: the private key is handed to the library directly, so in real deployments it should come from a key store rather than source code. `CheckLinkedDomain.NEVER` also disables the linked-domain check on the RP.
```typescript
const responseOpts: AuthorizationResponseOpts = {
  checkLinkedDomain: CheckLinkedDomain.NEVER,
  redirectUri: 'https://acme.com/hello',
  registration: {
    authorizationEndpoint: 'www.myauthorizationendpoint.com',
    idTokenSigningAlgValuesSupported: [SigningAlgo.EDDSA, SigningAlgo.ES256],
    issuer: ResponseIss.SELF_ISSUED_V2,
    responseTypesSupported: [ResponseType.ID_TOKEN],
    subjectSyntaxTypesSupported: ['did:ethr:'],
    vpFormats: {
      ldp_vc: {
        proof_type: [IProofType.EcdsaSecp256k1Signature2019, IProofType.EcdsaSecp256k1Signature2019],
      },
    },
    registrationBy: {
      type: PassBy.REFERENCE,
      referenceUri: 'https://rp.acme.com/siop/jwts',
    },
  },
  signature: {
    did: 'did:ethr:0x0106a2e985b1E1De9B5ddb4aF6dC9e928F4e99D0',
    hexPrivateKey: 'f857544a9d1097e242ff0b287a7e6e90f19cf973efe2317f2a4678739664420f',
    kid: 'did:ethr:0x0106a2e985b1E1De9B5ddb4aF6dC9e928F4e99D0#controller',
  },
  did: 'did:ethr:0x0106a2e985b1E1De9B5ddb4aF6dC9e928F4e99D0',
  responseMode: ResponseMode.POST,
}
```

--------------------------------

### Configure RP with Revocation Verification

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Configures the RP (Relying Party) builder to always verify revocation and provides a custom callback that performs the revocation check for each credential.

```typescript
import { verifyRevocation } from './Revocation'

const rp = RP.builder()
  .withRevocationVerification(RevocationVerification.ALWAYS)
  .withRevocationVerificationCallback((vc, type) => verifyRevocation(vc, type))
```

--------------------------------

### Build Proof of Possession from a Self-Created JWT

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

Use this method when you have already created a JWT and need to build the Proof of Possession. Ensure the 'nonce' from the Access Token response is used, or provide a custom 'jti'; the `aud` must be the issuer the proof is sent to.
```typescript
import * as jose from 'jose';
import { Jwt, ProofOfPossessionBuilder, ProofOfPossessionCallbacks } from '@sphereon/oid4vci-client';

const callbacks: ProofOfPossessionCallbacks = {
  signCallback,
  verifyCallback,
};

const keyPair = await jose.generateKeyPair('ES256');

// If you directly want to use a JWT, instead of using method on the ProofOfPossessionBuilder you can create JWT:
const jwt: Jwt = {
  header: { alg: Alg.ES256, kid: 'did:example:ebfeb1f712ebc6f1c276e12ec21#1', typ: Typ.JWT },
  payload: { iss: 's6BhdRkqt3', nonce: 'tZignsnFbp', jti: 'tZignsnFbp223', aud: 'https://issuer.example.com' },
};

const proofInput: ProofOfPossession = await ProofOfPossessionBuilder.fromJwt({
  jwt,
  callbacks,
}).build();

console.log(proofInput);
```

--------------------------------

### Authorization Response Options Interface

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Defines the structure for options when creating an authorization response. Includes fields for redirect URI, registration, domain checking, presentation verification callbacks, signature, nonce, state, response mode, the OP's DID, and verifiable presentations. The payload and result interfaces that follow spell out which response claims (`aud`, `nonce`, `state`) the RP must match against the request.

```typescript
export interface AuthorizationResponseOpts {
  redirectUri?: string; // It typically comes from the request opts as a measure to prevent hijacking.
  registration: ResponseRegistrationOpts; // Registration options
  checkLinkedDomain?: CheckLinkedDomain; // When the link domain should be checked
  presentationVerificationCallback?: PresentationVerificationCallback; // Callback function to verify the presentations
  signature: InternalSignature | ExternalSignature; // Using an internal/private key withSignature, or hosted withSignature
  nonce?: string; // Allows to override the nonce, otherwise the nonce of the request will be used
  state?: string; // Allows to override the state, otherwise the state of the request will be used
  responseMode?: ResponseMode; // Response mode should be form in case a mobile device is being used together with a browser
  did: string; // The DID of the OP
  vp?: VerifiablePresentationResponseOpts[]; // Verifiable Presentations with location and format
  expiresIn?: number; // Expiration
}

export interface VerifiablePresentationResponseOpts extends VerifiablePresentationPayload {
  location: PresentationLocation;
}

export enum PresentationLocation {
  VP_TOKEN = 'vp_token', // VP will be the toplevel vp_token
  ID_TOKEN = 'id_token', // VP will be part of the id_token in the verifiable_presentations location
}

export interface VerifyAuthorizationRequestOpts {
  verification: Verification
  nonce?: string; // If provided the nonce in the request needs to match
  verifyCallback?: VerifyCallback // Callback function to verify the domain linkage credential
}

export interface AuthorizationResponsePayload extends JWTPayload {
  iss: ResponseIss.SELF_ISSUED_V2 | string; // The SIOP V2 spec mentions this is required
  sub: string; // did (or thumbprint of sub_jwk key when type is jkt)
  sub_jwk?: JWK; // JWK containing DID key if subtype is did, or thumbprint if it is JKT
  aud: string; // redirect_uri from request
  exp: number; // expiration time
  iat: number; // issued at
  state: string; // The state which should match the AuthRequest state
  nonce: string; // The nonce which should match the AuthRequest nonce
  did: string; // The DID of the OP
  registration?: DiscoveryMetadataPayload; // The registration metadata from the OP
  registration_uri?: string; // The URI of the registration metadata if it is returned by reference/URL
  verifiable_presentations?: VerifiablePresentationPayload[]; // Verifiable Presentations
  vp_token?: VerifiablePresentationPayload; // Verifiable Presentation Token
}

export interface AuthorizationResponseWithJWT {
  jwt: string; // The signed Response JWT
  nonce: string; // The nonce which should match the nonce from the request
  state: string; // The state which should match the state from the request
  payload: AuthorizationResponsePayload; // The unsigned payload object
  verifyOpts?: VerifyAuthorizationRequestOpts; // The Auth Request verification parameters that were used
  responseOpts: AuthorizationResponseOpts; // The Auth Response options used during generation of the Response
}
```

--------------------------------

### MemoryCredentialOfferStateManager Implementation

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/issuer/README.md

An in-memory implementation of the ICredentialOfferStateManager interface for managing credential offer states. Note that `clearExpiredStates` removes every state whose `createdOn` lies before the given timestamp, so calling it without a timestamp removes all states created before now; pass `now - ttl` to expire only states older than a time-to-live.

```typescript
export class MemoryCredentialOfferStateManager implements ICredentialOfferStateManager {
  private readonly credentialOfferStateManager: Map<string, CredentialOfferState>

  constructor() {
    this.credentialOfferStateManager = new Map()
  }

  async clearAllStates(): Promise<void> {
    this.credentialOfferStateManager.clear()
  }

  async clearExpiredStates(timestamp?: number): Promise<void> {
    const states = Array.from(this.credentialOfferStateManager.entries())
    timestamp = timestamp ?? +new Date()
    for (const [issuerState, state] of states) {
      if (state.createdOn < timestamp) {
        this.credentialOfferStateManager.delete(issuerState)
      }
    }
  }

  async deleteState(state: string): Promise<boolean> {
    return this.credentialOfferStateManager.delete(state)
  }

  async getState(state: string): Promise<CredentialOfferState | undefined> {
    return this.credentialOfferStateManager.get(state)
  }

  async hasState(state: string): Promise<boolean> {
    return this.credentialOfferStateManager.has(state)
  }

  async setState(state: string, payload: CredentialOfferState): Promise<Map<string, CredentialOfferState>> {
    return this.credentialOfferStateManager.set(state, payload)
  }
}
```

--------------------------------

### CredentialOfferState Interface

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/issuer/README.md

Defines the structure for storing a credential offer together with its creation timestamp.

```typescript
export interface CredentialOfferState {
  credentialOffer: CredentialOfferPayloadV1_0_15
  createdOn: number
}
```

--------------------------------

### Parse Credential Offer URI

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/client/README.md

Parses a credential offer URI into a JSON object containing the base URL and request details. This is the first step when using the individual classes to initiate credential issuance.
```typescript
import { CredentialOffer } from '@sphereon/oid4vci-client';

const initiationURI =
  'https://issuer.example.com?issuer=https%3A%2F%2Fserver%2Eexample%2Ecom&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FhealthCard&credential_type=https%3A%2F%2Fdid%2Eexample%2Eorg%2FdriverLicense&op_state=eyJhbGciOiJSU0Et...FYUaBy';
const initiationRequestWithUrl = CredentialOffer.fromURI(initiationURI);
console.log(initiationRequestWithUrl);
/**
 * {
 *   "baseUrl": "https://server.example.com",
 *   "request": {
 *     "credential_type": [
 *       "https://did.example.org/healthCard",
 *       "https://did.example.org/driverLicense"
 *     ],
 *     "issuer": "https://server.example.com",
 *     "op_state": "eyJhbGciOiJSU0Et...FYUaBy"
 *   },
 *   "version": 9
 * }
 */
```

--------------------------------

### Credential Offer REST Request Interface

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/issuer-rest/README.md

Defines the structure for the request body when creating a credential offer via REST. Includes the optional parameters `baseUri`, `scheme`, `pinLength`, `qrCodeOpts`, and `credentialDataSupplierInput`.

```typescript
export interface CredentialOfferRESTRequest {
  baseUri?: string
  scheme?: string
  pinLength?: number
  qrCodeOpts?: QRCodeOpts
  /**
   * This is just a type alias for `any`. The idea is that the data is already in the form of a JSON-LD credential.
   * Optional storage that can help the Credential Data Supplier, for instance to store credential input data
   * during offer creation if no additional data can be supplied later on.
   */
  credentialDataSupplierInput?: CredentialDataSupplierInput
}
```

--------------------------------

### Verify Authorization Request JWT

Source: https://github.com/sphereon-opensource/oid4vc/blob/develop/packages/siop-oid4vp/README.md

Demonstrates how to use the `verifyJWT` static method to verify an Authorization Request JWT. Ensure the `jwt` variable contains a valid JWT string.
```typescript
const verifyOpts: VerifyAuthorizationRequestOpts = {
  verification: {
    resolveOpts: {
      subjectSyntaxTypesSupported: ['did:ethr'],
    },
  },
}

const jwt = 'ey..........' // JWT created by the RP
// Pass the verification options so that only the listed DID methods are resolved
AuthorizationRequest.verifyJWT(jwt, verifyOpts).then((req) => {
  console.log(`issuer: ${req.issuer}`)
  console.log(JSON.stringify(req.signer))
})
// issuer: "did:ethr:0x56C4b92D4a6083Fcee825893A29023cDdfff5c66"
// "signer": {
//   "id": "did:ethr:0x56C4b92D4a6083Fcee825893A29023cDdfff5c66#controller",
//   "type": "EcdsaSecp256k1RecoveryMethod2020",
//   "controller": "did:ethr:0x56C4b92D4a6083Fcee825893A29023cDdfff5c66",
//   "blockchainAccountId": "0x56C4b92D4a6083Fcee825893A29023cDdfff5c66@eip155:1"
// }
```
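The comments on `AuthorizationResponsePayload` above state which claims must match the Authorization Request (nonce, state, aud = redirect_uri, exp/iat); as an added example that is not code from the Sphereon README, here is the verifier-side binding check an RP runs after `verifyJWT` has checked the signature. `ExpectedResponse`, `ResponseClaims`, `checkResponsePayload` and the sample values are hypothetical; `https://self-issued.me/v2` is the SIOPv2 self-issued `iss` value.

```typescript
// Added example (not Sphereon code): bind a SIOPv2 response to the RP's own request.
// `ExpectedResponse`, `ResponseClaims` and `checkResponsePayload` are hypothetical names.
export interface ExpectedResponse {
  nonce: string        // nonce the RP placed in its Authorization Request
  state: string        // state the RP placed in its Authorization Request
  redirectUri: string  // redirect_uri of the request; must equal `aud`
  did?: string         // OP DID the RP expects, when known up front
}

// Subset of the AuthorizationResponsePayload fields inspected by this check
export interface ResponseClaims {
  iss: string; sub: string; aud: string; exp: number; iat: number
  state: string; nonce: string; did: string
}

export const SELF_ISSUED_V2 = 'https://self-issued.me/v2'

// Compare two strings without returning early on the first differing character
function equalStrings(a: string, b: string): boolean {
  if (a.length !== b.length) return false
  let diff = 0
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i)
  return diff === 0
}

// Returns the failed checks; an empty list means the payload is bound to our request.
// Signature verification and DID resolution are assumed to have happened already.
export function checkResponsePayload(
  p: ResponseClaims, expected: ExpectedResponse, nowSec = Math.floor(Date.now() / 1000),
): string[] {
  const errors: string[] = []
  if (p.iss !== SELF_ISSUED_V2) errors.push(`unexpected iss: ${p.iss}`)
  if (!equalStrings(p.nonce, expected.nonce)) errors.push('nonce does not match the request')
  if (!equalStrings(p.state, expected.state)) errors.push('state does not match the request')
  if (p.aud !== expected.redirectUri) errors.push('aud does not match redirect_uri')
  if (p.exp <= nowSec) errors.push('response has expired')
  if (p.iat > nowSec + 60) errors.push('iat is in the future') // 60 s clock skew allowance
  if (expected.did !== undefined && p.did !== expected.did) errors.push('did does not match the expected OP')
  return errors
}

// Constructed sample values (not taken from a real exchange)
export const sampleExpected: ExpectedResponse = {
  nonce: 'n-constructed-1', state: 's-constructed-1', redirectUri: 'https://rp.example.com/siop/jwts',
}
export const sampleResponse: ResponseClaims = {
  iss: SELF_ISSUED_V2, sub: 'did:example:op', did: 'did:example:op',
  aud: 'https://rp.example.com/siop/jwts', iat: 1_700_000_000, exp: 1_700_000_600,
  state: 's-constructed-1', nonce: 'n-constructed-1',
}
```

A response replayed from another session fails on the nonce check even when every other claim is valid, which is why the RP must keep the request's nonce and state server-side rather than trusting the values echoed back.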