CredentialIssuer

class CredentialIssuer(
    authorizationService: OAuth2AuthorizationServerAdapter,
    issuer: Issuer = IssuerAgent(),
    keyMaterial: Set<KeyMaterial> = setOf(issuer.keyMaterial),
    cryptoAlgorithms: Set<SignatureAlgorithm> = keyMaterial.map { it.signatureAlgorithm }.toSet(),
    credentialSchemes: Set<ConstantIndex.CredentialScheme>,
    publicContext: String = "https://wallet.a-sit.at/credential-issuer",
    credentialEndpointPath: String = "/credential",
    nonceEndpointPath: String = "/nonce",
    credentialProvider: CredentialIssuerDataProvider = FallbackCredentialIssuerDataProvider(),
    verifyJwsObject: VerifyJwsObjectFun = VerifyJwsObject(),
    supportedAlgorithms: Collection<JwsAlgorithm.Signature> = listOf(JwsAlgorithm.Signature.ES256),
    clock: Clock = System,
    timeLeeway: Duration = 5.minutes,
    verifyAttestationProof: (JwsSigned<KeyAttestationJwt>) -> Boolean = { true },
    requireKeyAttestation: Boolean = false,
    clientNonceService: NonceService = DefaultNonceService(),
    encryptCredentialRequest: EncryptJweFun = EncryptJwe(EphemeralKeyWithoutCert()),
    requireEncryption: Boolean = false,
    supportedJweAlgorithms: Set<JweAlgorithm> = setOf(JweAlgorithm.ECDH_ES),
    supportedJweEncryptionAlgorithms: Set<JweEncryption> = setOf(JweEncryption.A256GCM),
    proofValidator: ProofValidator = ProofValidator(
        publicContext = publicContext,
        verifyJwsObject = verifyJwsObject,
        supportedAlgorithms = supportedAlgorithms,
        clock = clock,
        timeLeeway = timeLeeway,
        verifyAttestationProof = verifyAttestationProof,
        requireKeyAttestation = requireKeyAttestation,
        clientNonceService = clientNonceService,
    ),
)

Server implementation to issue credentials using OID4VCI.

Implemented from OpenID for Verifiable Credential Issuance, Draft 15, 2024-12-19.

Constructors

constructor(
    authorizationService: OAuth2AuthorizationServerAdapter,
    issuer: Issuer = IssuerAgent(),
    keyMaterial: Set<KeyMaterial> = setOf(issuer.keyMaterial),
    cryptoAlgorithms: Set<SignatureAlgorithm> = keyMaterial.map { it.signatureAlgorithm }.toSet(),
    credentialSchemes: Set<ConstantIndex.CredentialScheme>,
    publicContext: String = "https://wallet.a-sit.at/credential-issuer",
    credentialEndpointPath: String = "/credential",
    nonceEndpointPath: String = "/nonce",
    credentialProvider: CredentialIssuerDataProvider = FallbackCredentialIssuerDataProvider(),
    verifyJwsObject: VerifyJwsObjectFun = VerifyJwsObject(),
    supportedAlgorithms: Collection<JwsAlgorithm.Signature> = listOf(JwsAlgorithm.Signature.ES256),
    clock: Clock = System,
    timeLeeway: Duration = 5.minutes,
    verifyAttestationProof: (JwsSigned<KeyAttestationJwt>) -> Boolean = { true },
    requireKeyAttestation: Boolean = false,
    clientNonceService: NonceService = DefaultNonceService(),
    encryptCredentialRequest: EncryptJweFun = EncryptJwe(EphemeralKeyWithoutCert()),
    requireEncryption: Boolean = false,
    supportedJweAlgorithms: Set<JweAlgorithm> = setOf(JweAlgorithm.ECDH_ES),
    supportedJweEncryptionAlgorithms: Set<JweEncryption> = setOf(JweEncryption.A256GCM),
    proofValidator: ProofValidator = ProofValidator(
        publicContext = publicContext,
        verifyJwsObject = verifyJwsObject,
        supportedAlgorithms = supportedAlgorithms,
        clock = clock,
        timeLeeway = timeLeeway,
        verifyAttestationProof = verifyAttestationProof,
        requireKeyAttestation = requireKeyAttestation,
        clientNonceService = clientNonceService,
    ),
)

Properties

Metadata about the credential issuer in SD-JWT VC

Serve this result JSON-serialized under /.well-known/openid-credential-issuer (see OpenIdConstants.PATH_WELL_KNOWN_CREDENTIAL_ISSUER)

Functions

suspend fun credential(authorizationHeader: String, params: CredentialRequestParameters, request: RequestInfo? = null): KmmResult<CredentialResponseParameters>
suspend fun credential(authorizationHeader: String, params: CredentialRequestParameters, credentialDataProvider: CredentialDataProviderFun, request: RequestInfo? = null): KmmResult<CredentialResponseParameters>

Verifies that the authorizationHeader contains a token issued by authorizationService, verifies the proof sent by the client (which must contain a nonce issued by authorizationService), and issues credentials to the client.

suspend fun nonce(): KmmResult<ClientNonceResponse>

Provides a fresh nonce to clients, for incorporation into their credential proofs.
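The following is an added example, not code from the vck project or its documentation, showing how a deployment would construct a CredentialIssuer and expose the nonce and credential endpoints described above, with the constructor defaults that matter for security (verifyAttestationProof = { true }, requireKeyAttestation = false, requireEncryption = false, timeLeeway = 5.minutes) replaced by stricter values. It assumes a Ktor server with ContentNegotiation configured for kotlinx.serialization; authorizationServer, myCredentialSchemes, myCredentialProvider and myAttestationCheck are hypothetical names for the deployment's own OAuth2AuthorizationServerAdapter, credential schemes, CredentialIssuerDataProvider and key-attestation check; the import packages are assumed from the library layout and may need adjusting.

```kotlin
// Added example: wiring CredentialIssuer into Ktor routes (not part of the vck API docs).
// Assumed imports; adjust to the actual packages in the version you use.
import at.asitplus.openid.CredentialRequestParameters
import at.asitplus.wallet.lib.oidvci.CredentialIssuer
import io.ktor.http.HttpHeaders
import io.ktor.http.HttpStatusCode
import io.ktor.server.application.Application
import io.ktor.server.application.call
import io.ktor.server.request.receive
import io.ktor.server.response.respond
import io.ktor.server.routing.post
import io.ktor.server.routing.routing
import kotlin.time.Duration.Companion.minutes

// Hypothetical deployment-specific pieces: an OAuth2AuthorizationServerAdapter, the set of
// ConstantIndex.CredentialScheme to offer, a CredentialIssuerDataProvider, and a function that
// actually validates a key attestation JWT (the constructor default `{ true }` accepts anything).
fun Application.configureCredentialIssuer(
    authorizationServer: OAuth2AuthorizationServerAdapter,
    myCredentialSchemes: Set<ConstantIndex.CredentialScheme>,
    myCredentialProvider: CredentialIssuerDataProvider,
    myAttestationCheck: (JwsSigned<KeyAttestationJwt>) -> Boolean,
) {
    val issuer = CredentialIssuer(
        authorizationService = authorizationServer,
        credentialSchemes = myCredentialSchemes,
        // Placeholder origin; must be the URL under which this server is actually reachable,
        // since proofs are validated against it via ProofValidator(publicContext = ...).
        publicContext = "https://issuer.example.invalid",
        credentialEndpointPath = "/credential",
        nonceEndpointPath = "/nonce",
        credentialProvider = myCredentialProvider,
        // Tighter than the defaults listed in the class signature:
        timeLeeway = 1.minutes,                    // default: 5.minutes
        requireKeyAttestation = true,              // default: false
        verifyAttestationProof = myAttestationCheck, // default: { true }
        requireEncryption = true,                  // default: false (ECDH-ES / A256GCM stay as defaults)
    )

    routing {
        // Nonce endpoint: hands out a fresh nonce the wallet must bind into its proof,
        // so a captured proof cannot be replayed against a later request.
        post("/nonce") {
            val nonce = issuer.nonce().getOrNull()
            if (nonce != null) call.respond(nonce)
            else call.respond(HttpStatusCode.InternalServerError)
        }

        // Credential endpoint: credential() validates the access token against
        // authorizationServer and the proof (signature, nonce, attestation when required)
        // before anything is issued; any of those failing yields a failed KmmResult.
        post("/credential") {
            val authorization = call.request.headers[HttpHeaders.Authorization]
            if (authorization == null) {
                call.respond(HttpStatusCode.Unauthorized)
                return@post
            }
            val params = call.receive<CredentialRequestParameters>()
            val response = issuer.credential(
                authorizationHeader = authorization,
                params = params,
            ).getOrNull()
            if (response != null) call.respond(response)
            else call.respond(HttpStatusCode.BadRequest)
        }
    }
}
```

The two route paths are written out literally because they are passed explicitly to the constructor; keeping them in sync matters because the issuer metadata served under /.well-known/openid-credential-issuer advertises them to wallets. Failures from credential() are collapsed to a bare 400 here for brevity; a production deployment would map the KmmResult error to the OID4VCI error response the wallet expects and log the reason for the rejection.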