feat: dcql support

Signed-off-by: Martin Auer <martin.auer97@gmail.com>
openwallet-foundation-labs · Feb 4, 2025 · 3413eb6 · 3413eb6
1 parent 8b84e2c
commit 3413eb6
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 16 deletions.
diff --git a/packages/oauth2/src/common/jwt/decode-jwt-header.ts b/packages/oauth2/src/common/jwt/decode-jwt-header.ts
@@ -7,7 +7,7 @@ import {
 } from '@openid4vc/utils'
 import { Oauth2JwtParseError } from '../../error/Oauth2JwtParseError'
 import type { InferSchemaOutput } from './decode-jwt'
-import { vJwtHeader } from './v-jwt.js'
+import { vJwtHeader } from './v-jwt'
 
 export interface DecodeJwtHeaderOptions<HeaderSchema extends BaseSchema | undefined> {
   /**

diff --git a/packages/oauth2/src/common/jwt/decode-jwt.ts b/packages/oauth2/src/common/jwt/decode-jwt.ts
@@ -8,7 +8,7 @@ import {
   stringToJsonWithErrorHandling,
 } from '@openid4vc/utils'
 import { Oauth2JwtParseError } from '../../error/Oauth2JwtParseError'
-import { decodeJwtHeader } from './decode-jwt-header.js'
+import { decodeJwtHeader } from './decode-jwt-header'
 import { type JwtSigner, type vJwtHeader, vJwtPayload } from './v-jwt'
 
 export interface DecodeJwtOptions<
@@ -61,7 +61,7 @@ export function decodeJwt<
     throw new Oauth2JwtParseError('Error parsing JWT')
   }
 
-  const { header } = decodeJwtHeader({ jwe: jwtParts[0], headerSchema: options.headerSchema })
+  const { header } = decodeJwtHeader({ jwe: options.jwt, headerSchema: options.headerSchema })
   const payload = parseWithErrorHandling(options.payloadSchema ?? vJwtPayload, payloadJson)
 
   return {

diff --git a/packages/openid4vp/src/client-identifier-scheme/parse-client-identifier-scheme.ts b/packages/openid4vp/src/client-identifier-scheme/parse-client-identifier-scheme.ts
@@ -1,6 +1,6 @@
 import { Oauth2Error } from '@openid4vc/oauth2'
 import type { CallbackContext } from '../../../oauth2/src/callbacks'
-import type { verifyJarRequest } from '../jar/handle-jar-request/verify-jar-request.js'
+import type { verifyJarRequest } from '../jar/handle-jar-request/verify-jar-request'
 import type { ClientMetadata } from '../models/v-client-metadata'
 import type { Openid4vpAuthRequest } from '../openid4vp-auth-request/v-openid4vp-auth-request'
 import { type ClientIdScheme, vClientIdScheme } from './v-client-id-scheme'

diff --git a/packages/openid4vp/src/openid4vp-auth-request/verify-openid4vp-auth-request.ts b/packages/openid4vp/src/openid4vp-auth-request/verify-openid4vp-auth-request.ts
@@ -1,7 +1,7 @@
 import type { CallbackContext } from '@openid4vc/oauth2'
 import * as v from 'valibot'
 import { parseClientIdentifier } from '../client-identifier-scheme/parse-client-identifier-scheme'
-import { verifyJarRequest } from '../jar/handle-jar-request/verify-jar-request.js'
+import { verifyJarRequest } from '../jar/handle-jar-request/verify-jar-request'
 import { type JarAuthRequest, vJarAuthRequest } from '../jar/v-jar-auth-request'
 import type { WalletMetadata } from '../models/v-wallet-metadata'
 import { parseTransactionData } from '../transaction-data/parse-transaction-data'
@@ -41,6 +41,12 @@ export async function verifyOpenid4vpAuthRequest(
       }
     | undefined
 
+  let dcql:
+    | {
+        query: unknown
+      }
+    | undefined
+
   if (authRequestParams.presentation_definition || authRequestParams.presentation_definition_uri) {
     if (authRequestParams.presentation_definition_uri) {
       throw new Error('presentation_definition_uri is not supported')
@@ -51,6 +57,12 @@ export async function verifyOpenid4vpAuthRequest(
     }
   }
 
+  if (authRequestParams.dcql_query) {
+    dcql = {
+      query: authRequestParams.dcql_query,
+    }
+  }
+
   const transactionData = authRequestParams.transaction_data
     ? parseTransactionData(authRequestParams.transaction_data)
     : undefined
@@ -61,6 +73,7 @@ export async function verifyOpenid4vpAuthRequest(
     jar,
     client: { ...clientMeta },
     pex,
+    dcql,
   }
 }
 

diff --git a/packages/openid4vp/src/openid4vp-auth-response/create-openid4vp-auth-response.ts b/packages/openid4vp/src/openid4vp-auth-response/create-openid4vp-auth-response.ts
@@ -1,7 +1,7 @@
 import { type CallbackContext, type JwtSigner, Oauth2Error } from '@openid4vc/oauth2'
 import { createJarmAuthResponse } from '../jarm/jarm-auth-response-create'
 import { extractJwksFromClientMetadata } from '../jarm/jarm-extract-jwks'
-import { jarmAssertMetadataSupported } from '../jarm/metadata/jarm-assert-metadata-supported.js'
+import { jarmAssertMetadataSupported } from '../jarm/metadata/jarm-assert-metadata-supported'
 import type { JarmServerMetadata } from '../jarm/metadata/v-jarm-as-metadata'
 import type { Openid4vpAuthRequest } from '../openid4vp-auth-request/v-openid4vp-auth-request'
 import type { Openid4vpAuthResponse } from './v-openid4vp-auth-response'

diff --git a/packages/openid4vp/src/openid4vp-auth-response/verify-openid4vp-auth-response-result.ts b/packages/openid4vp/src/openid4vp-auth-response/verify-openid4vp-auth-response-result.ts
@@ -14,7 +14,7 @@ export interface VerifyOpenid4VpPexAuthorizationResponseResult {
 export interface VerifyOpenid4VpDcqlAuthorizationResponseResult {
   type: 'dcql'
   dcql: {
-    presentation: VpTokenPresentationParseResult
+    presentation: Record<string, VpTokenPresentationParseResult>
   } & ({ scope: string; query?: never } | { scope?: never; query: unknown })
 }
 

diff --git a/packages/openid4vp/src/openid4vp-auth-response/verify-openid4vp-auth-response.ts b/packages/openid4vp/src/openid4vp-auth-response/verify-openid4vp-auth-response.ts
@@ -1,8 +1,8 @@
 import { Oauth2Error } from '@openid4vc/oauth2'
 import type { Openid4vpAuthRequest } from '../openid4vp-auth-request/v-openid4vp-auth-request'
 import {
+  parseDcqlPresentationFromVpToken,
   parsePresentationsFromVpToken,
-  parseSinglePresentationsFromVpToken,
 } from '../vp-token/parse-presentations-from-vp-token'
 import type { Openid4vpAuthResponse } from './v-openid4vp-auth-response'
 import type { VerifyOpenid4VpAuthorizationResponseResult } from './verify-openid4vp-auth-response-result'
@@ -70,17 +70,12 @@ export function verifyOpenid4vpAuthorizationResponse(options: {
       )
     }
 
-    if (typeof responseParams.vp_token === 'string') {
+    if (typeof responseParams.vp_token !== 'string') {
       throw new Oauth2Error('If DCQL was used the vp_token must be a JSON-encoded object.')
     }
 
-    // TODO: ENABLE THIS CHECK ALL THE TIME ONCE WE KNOW HOW TO GET THE NONCE FOR MDOCS AND ANONCREDS
-    const presentation = parseSinglePresentationsFromVpToken({ vpToken: responseParams.vp_token, path: '$' })
-    if (presentation.nonce && requestParams.nonce !== presentation.nonce) {
-      throw new Oauth2Error(
-        'Presentation nonce mismatch. The nonce of the presentation does not match the nonce of the request.'
-      )
-    }
+    const presentation = parseDcqlPresentationFromVpToken({ vpToken: responseParams.vp_token, path: '$' })
+    // TODO: CHECK ALL THE NONCES ONCE WE KNOW HOW TO GET THE NONCE FOR MDOCS AND ANONCREDS
 
     return {
       type: 'dcql',

diff --git a/packages/openid4vp/src/vp-token/parse-presentations-from-vp-token.ts b/packages/openid4vp/src/vp-token/parse-presentations-from-vp-token.ts
@@ -45,6 +45,26 @@ export function parsePresentationsFromVpToken(options: { vpToken: VpToken }): [
   )
 }
 
+export function parseDcqlPresentationFromVpToken(options: {
+  vpToken: unknown
+  path: string
+}) {
+  const { vpToken: _vpToken } = options
+
+  const vpToken = parseIfJson(_vpToken)
+  if (!v.is(v.looseObject({}), vpToken)) {
+    throw new Oauth2Error(`Could not parse vp_token. Expected a JSON object. Received: ${typeof vpToken}`)
+  }
+
+  const dcqlPresentationRecord = Object.fromEntries(
+    Object.entries(vpToken).map(([key, value]) => {
+      return [key, parseSinglePresentationsFromVpToken({ vpToken: value, path: '$' })]
+    })
+  )
+
+  return dcqlPresentationRecord
+}
+
 export function parseSinglePresentationsFromVpToken(options: {
   vpToken: unknown
   path: string