feat: [SIW-2209] Update credentials data model and issuance flow to 1.0.0

example/src/thunks/credential.ts

@@ -34,7 +34,7 @@
  */
 type GetCredentialStatusAttestationThunkInput = {
   credentialType: SupportedCredentialsWithoutPid;
   credential: Out<Credential.Issuance.ObtainCredential>["credential"];
   keyTag: string;
 };
 
@@ -81,15 +81,14 @@
   if (!pid) {
     throw new Error("PID not found");
   }
-  const pidCryptoContext = createCryptoContextFor(pid.keyTag);
   return await getCredential({
     credentialIssuerUrl: WALLET_EAA_PROVIDER_BASE_URL,
     redirectUri: REDIRECT_URI,
     credentialType,
+    pid: pid,
+    // TODO handle like PID
     walletInstanceAttestation,
     wiaCryptoContext,
-    pid: pid.credential,
-    pidCryptoContext,
   });
 });
 

example/src/utils/credential.ts

@@ -5,14 +5,15 @@
 import { v4 as uuidv4 } from "uuid";
 import { generate } from "@pagopa/io-react-native-crypto";
 import appFetch from "../utils/fetch";
-import { DPOP_KEYTAG, regenerateCryptoKey } from "../utils/crypto";
+import { DPOP_KEYTAG, regenerateCryptoKey, WIA_KEYTAG } from "../utils/crypto";
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import type {
   CredentialResult,
   PidResult,
   SupportedCredentialsWithoutPid,
 } from "../store/types";
 import { openUrlAndListenForAuthRedirect } from "./openUrlAndListenForRedirect";
+import { DcqlQuery } from "dcql";
 
 /**
  * Implements a flow to obtain a PID credential.
@@ -114,11 +115,11 @@
   );
 
   // Obtain che eID credential
   const { credential, format } = await Credential.Issuance.obtainCredential(
     issuerConf,
     accessToken,
     clientId,
     credentialDefinition,
     {
       credentialCryptoContext,
       dPopCryptoContext,
@@ -148,28 +149,25 @@
  * @param credentialIssuerUrl - The credential issuer URL
  * @param redirectUri - The redirect URI for the authorization flow
  * @param credentialType - The type of the credential to obtain, which must be `PersonIdentificationData`
+ * @param pid - The PID credential
  * @param walletInstanceAttestation - The Wallet Instance Attestation
  * @param wiaCryptoContext - The Wallet Instance Attestation crypto context
- * @param pid - The PID credential
- * @param pidCryptoContext - The PID credential crypto context
  * @returns The obtained credential result
  */
 export const getCredential = async ({
   credentialIssuerUrl,
   redirectUri,
   credentialType,
+  pid,
   walletInstanceAttestation,
   wiaCryptoContext,
-  pid,
-  pidCryptoContext,
 }: {
   credentialIssuerUrl: string;
   redirectUri: string;
   credentialType: SupportedCredentialsWithoutPid;
+  pid: PidResult;
   walletInstanceAttestation: string;
   wiaCryptoContext: CryptoContext;
-  pid: string;
-  pidCryptoContext: CryptoContext;
 }): Promise<CredentialResult> => {
   // Create credential crypto context
   const credentialKeyTag = uuidv4().toString();
@@ -209,13 +207,38 @@
       appFetch
     );
 
+  // The credentials to be presented will always include the PID and WIA
+  // in a credential issuance flow
+  const credentialsSdJwt = [
+    [pid.keyTag, pid.credential],
+    [WIA_KEYTAG, walletInstanceAttestation],
+  ] as [string, string][];
+
+  if (!requestObject.dcql_query) {
+    throw new Error("Invalid request object");
+  }
+
+  // Assuming that WIA is a SD-JWT
+  const dcqlQueryResult = Credential.Presentation.evaluateDcqlQuery(
+    credentialsSdJwt,
+    requestObject.dcql_query as DcqlQuery
+  );
+
+  const credentialsToPresent = dcqlQueryResult.map(
+    ({ requiredDisclosures, ...rest }) => ({
+      ...rest,
+      requestedClaims: requiredDisclosures.map(([, claimName]) => claimName),
+    })
+  );
+
   // The app here should ask the user to confirm the required data contained in the requestObject
 
   // Complete the user authorization via form_post.jwt mode
   const { code } =
     await Credential.Issuance.completeUserAuthorizationWithFormPostJwtMode(
       requestObject,
-      { wiaCryptoContext, pidCryptoContext, pid, walletInstanceAttestation }
+      credentialsToPresent,
+      { wiaCryptoContext }
     );
 
   // Generate the DPoP context which will be used for the whole issuance flow
@@ -237,7 +260,7 @@
   );
 
   // Obtain the credential
   const { credential, format } = await Credential.Issuance.obtainCredential(
     issuerConf,
     accessToken,
     clientId,

src/credential/issuance/04-complete-user-authorization.ts

@@ -10,16 +10,15 @@ import { IssuerResponseError, ValidationFailed } from "../../utils/errors";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import {
   decode,
-  encodeBase64,
   SignJWT,
   type CryptoContext,
 } from "@pagopa/io-react-native-jwt";
-import { RequestObject } from "../presentation/types";
-import { v4 as uuidv4 } from "uuid";
+import { type RemotePresentation, RequestObject } from "../presentation/types";
 import { ResponseUriResultShape } from "./types";
 import { getJwtFromFormPost } from "../../utils/decoder";
 import { AuthorizationError, AuthorizationIdpError } from "./errors";
 import { LogLevel, Logger } from "../../utils/logging";
+import { Presentation } from "..";
 
 /**
  * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
@@ -30,11 +29,14 @@ export type CompleteUserAuthorizationWithQueryMode = (
 
 export type CompleteUserAuthorizationWithFormPostJwtMode = (
   requestObject: Out<GetRequestedCredentialToBePresented>,
+  credentials: {
+    id: string;
+    credential: string;
+    keyTag: string;
+    requestedClaims: string[];
+  }[],
   context: {
     wiaCryptoContext: CryptoContext;
-    pidCryptoContext: CryptoContext;
-    pid: string;
-    walletInstanceAttestation: string;
     appFetch?: GlobalFetch["fetch"];
   }
 ) => Promise<AuthorizationResult>;
@@ -160,101 +162,36 @@ export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePres
 /**
  * WARNING: This function must be called after {@link startUserAuthorization}. The next function to be called is {@link completeUserAuthorizationWithFormPostJwtMode}.
  * The interface of the phase to complete User authorization via presentation of existing credentials when the response mode is "form_post.jwt".
- * It is used as a first step to complete the user authorization by obtaining the requested credential to be presented from the authorization server.
- * The information is obtained by performing a GET request to the authorization endpoint with request_uri and client_id parameters.
- * @param issuerRequestUri the URI of the issuer where the request is sent
- * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
- * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
- * @param context.walletInstanceAccestation the Wallet Instance's attestation to be presented
- * @param context.pid the PID to be presented
- * @param context.wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
- * @param context.pidCryptoContext The PID crypto context associated with the pid parameter
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * The information is obtained by performing a POST request to the endpoint received in the response_uri field of the requestObject, where the Authorization Response payload is posted.
+ * Following this,the redirect_uri from the response is used to obtain the final authorization response.
+ * @param requestObject - The request object containing the necessary parameters for authorization.
+ * @param credentialsToPresent the credentials to be presented, which will always include the PID and WIA in a credential issuance flow
+ * @param appFetch (optional) fetch api implementation. Default: built-in fetch
  * @throws {ValidationFailed} if an error while validating the response
  * @returns the authorization response which contains code, state and iss
  */
 export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthorizationWithFormPostJwtMode =
-  async (requestObject, ctx) => {
+  async (
+    requestObject,
+    credentialsToPresent,
+    { wiaCryptoContext, appFetch = fetch }
+  ) => {
     Logger.log(
       LogLevel.DEBUG,
       `The requeste credential is not a PersonIdentificationData, completing the user authorization with form_post.jwt mode`
     );
 
-    const {
-      wiaCryptoContext,
-      pidCryptoContext,
-      pid,
-      walletInstanceAttestation,
-      appFetch = fetch,
-    } = ctx;
-
-    const wiaWpToken = await new SignJWT(wiaCryptoContext)
-      .setProtectedHeader({
-        alg: "ES256",
-        typ: "JWT",
-      })
-      .setPayload({
-        vp: walletInstanceAttestation,
-        jti: uuidv4().toString(),
-        nonce: requestObject.nonce,
-      })
-      .setIssuedAt()
-      .setExpirationTime("5m")
-      .setAudience(requestObject.response_uri)
-      .sign();
-
-    const pidWpToken = await new SignJWT(pidCryptoContext)
-      .setProtectedHeader({
-        alg: "ES256",
-        typ: "JWT",
-      })
-      .setPayload({
-        vp: pid,
-        jti: uuidv4().toString(),
-        nonce: requestObject.nonce,
-      })
-      .setIssuedAt()
-      .setExpirationTime("5m")
-      .setAudience(requestObject.response_uri)
-      .sign();
-
-    Logger.log(
-      LogLevel.DEBUG,
-      `Wallet instance attestation JWT token: ${wiaWpToken}`
+    const remotePresentations = await Presentation.prepareRemotePresentations(
+      credentialsToPresent,
+      requestObject.nonce,
+      requestObject.client_id
     );
 
-    /* The path parameter refers to the vp_token variable of the authzResponsePayload and must point to the plain credential which
-     * is cointaned in the `vp` property of the signed jwt token payload
-     */
-    const presentationSubmission = {
-      definition_id: `${uuidv4()}`,
-      id: `${uuidv4()}`,
-      descriptor_map: [
-        {
-          id: "PersonIdentificationData",
-          path: "$.vp_token[0].vp",
-          format: "vc+sd-jwt",
-        },
-        {
-          id: "WalletAttestation",
-          path: "$.vp_token[1].vp",
-          format: "jwt",
-        },
-      ],
-    };
-
-    Logger.log(
-      LogLevel.DEBUG,
-      `Presentation submission: ${JSON.stringify(presentationSubmission)}`
-    );
-
-    const authzResponsePayload = encodeBase64(
-      JSON.stringify({
-        state: requestObject.state,
-        presentation_submission: presentationSubmission,
-        vp_token: [pidWpToken, wiaWpToken],
-      })
-    );
+    const authzResponsePayload = await createAuthzResponsePayload({
+      state: requestObject.state,
+      remotePresentations,
+      wiaCryptoContext,
+    });
 
     Logger.log(
       LogLevel.DEBUG,
@@ -334,3 +271,47 @@ export const parseAuthorizationResponse = (
   }
   return authResParsed.data;
 };
+
+/**
+ * Creates the authorization response payload to be sent.
+ * This payload includes the state and the VP tokens for the presented credentials.
+ * The payload is encoded in Base64.
+ * @param state - The state parameter from the request object (optional).
+ * @param remotePresentations - An array of remote presentations containing credential IDs and their corresponding VP tokens.
+ * @returns The Base64 encoded authorization response payload.
+ */
+const createAuthzResponsePayload = async ({
+  state,
+  remotePresentations,
+  wiaCryptoContext,
+}: {
+  state?: string;
+  remotePresentations: RemotePresentation[];
+  wiaCryptoContext: CryptoContext;
+}): Promise<string> => {
+  const { kid } = await wiaCryptoContext.getPublicKey();
+
+  return new SignJWT(wiaCryptoContext)
+    .setProtectedHeader({
+      typ: "jwt",
+      kid,
+    })
+    .setPayload({
+      /**
+       * TODO [SIW-2264]: `state` coming from `requestObject` is marked as `optional`
+       * At the moment, it is not entirely clear whether this value can indeed be omitted
+       * and, if so, what the consequences of its absence might be.
+       */
+      ...(state ? { state } : {}),
+      vp_token: remotePresentations.reduce(
+        (vp_token, { credentialId, vpToken }) => ({
+          ...vp_token,
+          [credentialId]: vpToken,
+        }),
+        {}
+      ),
+    })
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .sign();
+};

src/credential/issuance/README.md

@@ -140,13 +140,37 @@ const requestObject =
     appFetch
   );
 
+// The credentials to be presented will always include the PID and WIA
+// in a credential issuance flow
+const credentialsSdJwt = [
+  [pid.keyTag, pid.credential],
+  [WIA_KEYTAG, walletInstanceAttestation],
+] as [string, string][];
+
+if (!requestObject.dcql_query) {
+  throw new Error("Invalid request object");
+}
+
+// Assuming that WIA is a SD-JWT
+const dcqlQueryResult = Credential.Presentation.evaluateDcqlQuery(
+  credentialsSdJwt,
+  requestObject.dcql_query as DcqlQuery
+);
+
+const credentialsToPresent = dcqlQueryResult.map(
+  ({ requiredDisclosures, ...rest }) => ({
+    ...rest,
+    requestedClaims: requiredDisclosures.map(([, claimName]) => claimName),
+  })
+);
+
 // The app here should ask the user to confirm the required data contained in the requestObject
 
 // Complete the user authorization via form_post.jwt mode
 const { code } =
   await Credential.Issuance.completeUserAuthorizationWithFormPostJwtMode(
     requestObject,
-    { wiaCryptoContext, pidCryptoContext, pid, walletInstanceAttestation }
+    credentialsToPresent
   );
 
 // Generate the DPoP context which will be used for the whole issuance flow

src/credential/issuance/types.ts

@@ -11,6 +11,7 @@ export type TokenResponse = z.infer<typeof TokenResponse>;
 
 export const TokenResponse = z.object({
   access_token: z.string(),
+  refresh_token: z.string().optional(),
   authorization_details: z.array(AuthorizationDetail),
   expires_in: z.number(),
   token_type: z.string(),
@@ -24,7 +25,7 @@ export const CredentialResponse = z.object({
       credential: z.string(),
     })
   ),
-  notification_id: z.string(),
+  notification_id: z.string().optional(),
 });
 
 /**

src/credential/presentation/types.ts

@@ -97,7 +97,7 @@ export const RequestObject = z.object({
   state: z.string().optional(),
   nonce: z.string(),
   response_uri: z.string(),
-  response_uri_method: z.string().optional(),
+  request_uri_method: z.string().optional(),
   response_type: z.literal("vp_token"),
   response_mode: z.literal("direct_post.jwt"),
   client_id: z.string(),