From 0a6c8e3b94ddf6a3942ec03eaf2fabbf4100ff41 Mon Sep 17 00:00:00 2001
From: sanderPostma
Date: Fri, 6 Sep 2024 14:24:31 +0200
Subject: [PATCH] chore: Prefer AUTHORIZATION_CODE over PRE_AUTHORIZED_CODE_FLOW
---
 packages/client/lib/AccessTokenClient.ts | 25 ++++++++++---------
 .../client/lib/AccessTokenClientV1_0_11.ts | 22 ++++++++--------
 .../lib/types/Authorization.types.ts | 1 +
 3 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/packages/client/lib/AccessTokenClient.ts b/packages/client/lib/AccessTokenClient.ts
index 7c6011b9..18fb74ca 100644
--- a/packages/client/lib/AccessTokenClient.ts
+++ b/packages/client/lib/AccessTokenClient.ts
@@ -132,18 +132,7 @@ export class AccessTokenClient {
 const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer;
 await createJwtBearerClientAssertion(request, { ...opts, credentialIssuer });
- if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
- this.assertAlphanumericPin(opts.pinMetadata, pin);
- request.user_pin = pin;
- request.tx_code = pin;
-
- request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
- // we actually know it is there because of the isPreAuthCode call
- request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL];
-
- return request as AccessTokenRequest;
- }
-
+ // Prefer AUTHORIZATION_CODE over PRE_AUTHORIZED_CODE_FLOW
 if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
 request.grant_type = GrantTypes.AUTHORIZATION_CODE;
 request.code = code;
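Review bot: With the authorization-code branch now tested first, an offer whose `supportedFlows` lists both flows can never reach the pre-authorized branch, so a holder who received a pre-authorized code plus a PIN ends up with `grant_type = authorization_code` and `request.code` set to whatever `code` the caller passed, possibly `undefined`, while `pin`/`tx_code` are silently dropped — unless a check I cannot see between this hunk and the next rejects a missing code. The choice should depend on what the caller actually supplied rather than on branch order alone, e.g. `if (!credentialOfferRequest || (code && credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW))) {`, or better on the `holderPreferredAuthzFlowTypeOrder` option this commit adds to AuthorizationRequestOpts but never reads here. The `if` body continues past the end of this hunk; its `return` appears in the following hunk. The same ordering issue is present in the `@@ -137,17 +137,7 @@` hunk of AccessTokenClientV1_0_11.ts.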
@@ -156,6 +145,18 @@ export class AccessTokenClient {
 return request as AccessTokenRequest;
 }
+ if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
+ this.assertAlphanumericPin(opts.pinMetadata, pin);
+ request.user_pin = pin;
+ request.tx_code = pin;
+
+ request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
+ // we actually know it is there because of the isPreAuthCode call
+ request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL];
+
+ return request as AccessTokenRequest;
+ }
+
 throw new Error('Credential offer request follows neither pre-authorized code nor authorization code flow requirements.');
 }
diff --git a/packages/client/lib/AccessTokenClientV1_0_11.ts b/packages/client/lib/AccessTokenClientV1_0_11.ts
index 6835897f..76e25163 100644
--- a/packages/client/lib/AccessTokenClientV1_0_11.ts
+++ b/packages/client/lib/AccessTokenClientV1_0_11.ts
@@ -137,17 +137,7 @@ export class AccessTokenClientV1_0_11 {
 }
 await createJwtBearerClientAssertion(request, { ...opts, version: OpenId4VCIVersion.VER_1_0_11, credentialIssuer });
- if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
- this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
- request.user_pin = pin;
-
- request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
- // we actually know it is there because of the isPreAuthCode call
- request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL];
-
- return request as AccessTokenRequest;
- }
-
+ // Prefer AUTHORIZATION_CODE over PRE_AUTHORIZED_CODE_FLOW
 if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
 request.grant_type = GrantTypes.AUTHORIZATION_CODE;
 request.code = code;
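Review bot: The moved pre-authorized branch still assigns `request[PRE_AUTH_CODE_LITERAL]` from an optional chain that can evaluate to `undefined`, and nothing in the hunk checks the result; the comment above it says the value is known to be present because of an `isPreAuthCode` call, but that call is not visible here, so the invariant rests on code outside this hunk. Making it explicit costs one line before the return, e.g. `if (!request[PRE_AUTH_CODE_LITERAL]) throw new Error('pre-authorized code missing from credential offer');`, and prevents a token request being sent whose grant carries no code. The `credentialOfferRequest?.` inside the branch is also redundant, since the guard on the `if` line already established the request is defined (the V1_0_11 counterpart uses `credentialOfferRequest.credential_offer` without `?.` on its assertNumericPin line). The same applies to the `@@ -160,6 +150,16 @@` hunk in AccessTokenClientV1_0_11.ts.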
@@ -160,6 +150,16 @@ export class AccessTokenClientV1_0_11 {
 return request as AccessTokenRequest;
 }
+ if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
+ this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
+ request.user_pin = pin;
+
+ request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE;
+ // we actually know it is there because of the isPreAuthCode call
+ request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL];
+
+ return request as AccessTokenRequest;
+ }
 throw new Error('Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.');
 }
diff --git a/packages/oid4vci-common/lib/types/Authorization.types.ts b/packages/oid4vci-common/lib/types/Authorization.types.ts
index f8544d54..bc16c5a4 100644
--- a/packages/oid4vci-common/lib/types/Authorization.types.ts
+++ b/packages/oid4vci-common/lib/types/Authorization.types.ts
@@ -315,6 +315,7 @@ export interface AuthorizationRequestOpts {
 redirectUri?: string;
 scope?: string;
 requestObjectOpts?: RequestObjectOpts;
+ holderPreferredAuthzFlowTypeOrder?: AuthzFlowType[]
 }
 export interface AuthorizationResponse {
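Review bot: The new `holderPreferredAuthzFlowTypeOrder?: AuthzFlowType[]` member is the only line in AuthorizationRequestOpts without a trailing semicolon, and it carries no TSDoc, so a reader cannot tell how it relates to the hard-coded AUTHORIZATION_CODE-first order introduced in AccessTokenClient.ts and AccessTokenClientV1_0_11.ts in the same commit, neither of which reads it. I would put `/** Flow types in the holder's order of preference when a credential offer advertises more than one; not yet consulted by the access token clients. */` above it and end the line with `;`. If the option is meant to drive that selection, the clients should take the order from opts instead of fixing it in code; if it is a placeholder, a TODO saying so would keep it from looking like a supported knob.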