chore: client assertion fixes

packages/client/lib/AccessTokenClient.ts

@@ -49,8 +49,10 @@ export class AccessTokenClient {
         code,
         redirectUri,
         pin,
-        pinMetadata,
         credentialIssuer: issuer,
+        metadata,
+        additionalParams: opts.additionalParams,
+        pinMetadata,
       }),
       pinMetadata,
       metadata,
@@ -96,7 +98,7 @@ export class AccessTokenClient {
     if (asOpts?.clientOpts?.clientId) {
       request.client_id = asOpts.clientOpts.clientId;
     }
-    const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer;
+    const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer;
     await createJwtBearerClientAssertion(request, { ...opts, credentialIssuer });
 
     if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {

packages/client/lib/AccessTokenClientV1_0_11.ts

@@ -53,6 +53,10 @@ export class AccessTokenClientV1_0_11 {
         code,
         redirectUri,
         pin,
+        credentialIssuer: issuer,
+        metadata,
+        additionalParams: opts.additionalParams,
+        pinMetadata: opts.pinMetadata,
       }),
       isPinRequired,
       metadata,
@@ -95,7 +99,7 @@ export class AccessTokenClientV1_0_11 {
       ? await toUniformCredentialOfferRequest(opts.credentialOffer as CredentialOfferV1_0_11 | CredentialOfferV1_0_13)
       : undefined;
     const request: Partial<AccessTokenRequest> = { ...opts.additionalParams };
-    const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer;
+    const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer;
 
     if (asOpts?.clientOpts?.clientId) {
       request.client_id = asOpts.clientOpts.clientId;

packages/client/lib/OpenID4VCIClient.ts

@@ -104,6 +104,7 @@ export class OpenID4VCIClient {
       pkce: { disabled: false, codeChallengeMethod: CodeChallengeMethod.S256, ...pkce },
       authorizationRequestOpts,
       authorizationCodeResponse,
+      accessToken,
       jwk,
       endpointMetadata: endpointMetadata?.credentialIssuerMetadata?.authorization_server
         ? (endpointMetadata as EndpointMetadataResultV1_0_11)
@@ -295,7 +296,7 @@ export class OpenID4VCIClient {
     const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
     const clientAssertionType =
       asOpts.clientOpts?.clientAssertionType ??
-      (kid && clientId && typeof asOpts.clientOpts?.signCallbacks === 'function'
+      (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === 'function'
         ? 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
         : undefined);
     if (this.isEBSI() || (clientId && kid)) {

packages/client/lib/OpenID4VCIClientV1_0_11.ts

@@ -260,9 +260,10 @@ export class OpenID4VCIClientV1_0_11 {
     authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
     code?: string; // Directly pass in a code from an auth response
     redirectUri?: string;
+    additionalRequestParams?: Record<string, any>;
     asOpts?: AuthorizationServerOpts;
   }): Promise<AccessTokenResponse> {
-    const { pin, clientId } = opts ?? {};
+    const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
     if (opts?.authorizationResponse) {
       this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(opts.authorizationResponse) };
@@ -294,7 +295,7 @@ export class OpenID4VCIClientV1_0_11 {
       const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
       const clientAssertionType =
         asOpts.clientOpts?.clientAssertionType ??
-        (kid && clientId && typeof asOpts.clientOpts?.signCallbacks === 'function'
+        (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === 'function'
           ? 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
           : undefined);
       if (this.isEBSI() || (clientId && kid)) {
@@ -319,6 +320,7 @@ export class OpenID4VCIClientV1_0_11 {
         code,
         redirectUri,
         asOpts,
+        ...(opts?.additionalRequestParams && { additionalParams: opts.additionalRequestParams }),
       });
 
       if (response.errorBody) {

packages/client/lib/OpenID4VCIClientV1_0_13.ts

@@ -265,9 +265,10 @@ export class OpenID4VCIClientV1_0_13 {
     authorizationResponse?: string | AuthorizationResponse; // Pass in an auth response, either as URI/redirect, or object
     code?: string; // Directly pass in a code from an auth response
     redirectUri?: string;
+    additionalRequestParams?: Record<string, any>;
     asOpts?: AuthorizationServerOpts;
   }): Promise<AccessTokenResponse> {
-    const { pin, clientId } = opts ?? {};
+    const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
     let { redirectUri } = opts ?? {};
     if (opts?.authorizationResponse) {
       this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(opts.authorizationResponse) };
@@ -284,7 +285,7 @@ export class OpenID4VCIClientV1_0_13 {
     const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
     const clientAssertionType =
       asOpts.clientOpts?.clientAssertionType ??
-      (kid && clientId && typeof asOpts.clientOpts?.signCallbacks === 'function'
+      (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === 'function'
         ? 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
         : undefined);
     if (this.isEBSI() || (clientId && kid)) {
@@ -323,6 +324,7 @@ export class OpenID4VCIClientV1_0_13 {
         code,
         redirectUri,
         asOpts,
+        ...(opts?.additionalRequestParams && { additionalParams: opts.additionalRequestParams }),
       });
 
       if (response.errorBody) {