CredentialIssuer

class CredentialIssuer(
    authorizationService: OAuth2AuthorizationServerAdapter,
    issuer: Issuer,
    keyMaterial: Set<KeyMaterial> = setOf(issuer.keyMaterial),
    cryptoAlgorithms: Set<SignatureAlgorithm> = keyMaterial.map { it.signatureAlgorithm }.toSet(),
    credentialSchemes: Set<ConstantIndex.CredentialScheme>,
    publicContext: String = "https://wallet.a-sit.at/credential-issuer",
    credentialEndpointPath: String = "/credential",
    nonceEndpointPath: String = "/nonce",
    requireKeyAttestation: Boolean = false,
    proofValidator: ProofValidator = ProofValidator(
        publicContext = publicContext,
        requireKeyAttestation = requireKeyAttestation,
    ),
    signMetadata: SignJwtFun<IssuerMetadata> = SignJwt(EphemeralKeyWithoutCert(), JwsHeaderCertOrJwk()),
    encryptionService: IssuerEncryptionService = IssuerEncryptionService(),
)

Server implementation to issue credentials using OID4VCI.

Implements OpenID for Verifiable Credential Issuance 1.0, as of the version dated 2025-09-16.

Constructors

constructor(
    authorizationService: OAuth2AuthorizationServerAdapter,
    issuer: Issuer,
    keyMaterial: Set<KeyMaterial> = setOf(issuer.keyMaterial),
    cryptoAlgorithms: Set<SignatureAlgorithm> = keyMaterial.map { it.signatureAlgorithm }.toSet(),
    credentialSchemes: Set<ConstantIndex.CredentialScheme>,
    publicContext: String = "https://wallet.a-sit.at/credential-issuer",
    credentialEndpointPath: String = "/credential",
    nonceEndpointPath: String = "/nonce",
    requireKeyAttestation: Boolean = false,
    proofValidator: ProofValidator = ProofValidator(
        publicContext = publicContext,
        requireKeyAttestation = requireKeyAttestation,
    ),
    signMetadata: SignJwtFun<IssuerMetadata> = SignJwt(EphemeralKeyWithoutCert(), JwsHeaderCertOrJwk()),
    encryptionService: IssuerEncryptionService = IssuerEncryptionService(),
)

Types

sealed interface CredentialResponse
data class Nonce(val response: ClientNonceResponse, val dpopNonce: String? = null)

MUST be delivered with the HTTP header Cache-Control: no-store (see io.ktor.http.HttpHeaders.CacheControl). Send response as the JSON-serialized body and, when present, dpopNonce in the HTTP header DPoP-Nonce.

Properties


Metadata about the credential issuer in SD-JWT VC


Serve this result serialized at the path formed by inserting the string /.well-known/openid-credential-issuer (see OpenIdConstants.WellKnownPaths.CredentialIssuer) into the Credential Issuer Identifier between the host component and the path component, if any. Use application/json (see at.asitplus.wallet.lib.data.MediaTypes.Application.JSON) as the Content-Type header (see io.ktor.http.HttpHeaders.ContentType) in the response. See also signedMetadata.

Functions

suspend fun credential(authorizationHeader: String, params: CredentialRequestParameters, credentialDataProvider: CredentialDataProviderFun, request: RequestInfo? = null): KmmResult<CredentialResponseParameters>

suspend fun credential(authorizationHeader: String, params: WalletService.CredentialRequest, credentialDataProvider: CredentialDataProviderFun, request: RequestInfo? = null): KmmResult<CredentialIssuer.CredentialResponse>

Verifies that authorizationHeader carries a token from authorizationService, verifies the proof sent by the client (it must contain a nonce sent from authorizationService), and issues credentials to the client by calling credentialDataProvider.

suspend fun credentialEncryptedRequest(authorizationHeader: String, input: String, credentialDataProvider: CredentialDataProviderFun, request: RequestInfo? = null): KmmResult<CredentialResponseParameters>
suspend fun nonceWithDpopNonce(): KmmResult<CredentialIssuer.Nonce>

Provides a fresh nonce for credential proofs and a DPoP nonce for DPoP proofs. Clients request it with HTTP POST.

suspend fun signedMetadata(): KmmResult<JwsSigned<IssuerMetadata>>

Serve this result serialized at the path formed by inserting the string /.well-known/openid-credential-issuer (see OpenIdConstants.WellKnownPaths.CredentialIssuer) into the Credential Issuer Identifier between the host component and the path component, if any. Use this only when the client accepts (see Accept header io.ktor.http.HttpHeaders.Accept) the media type application/jwt (see at.asitplus.wallet.lib.data.MediaTypes.Application.JWT), otherwise serve metadata.
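The serving rules stated for Nonce, metadata, nonceWithDpopNonce and signedMetadata above, wired into Ktor routes as an added example (not vck's own code): the well-known path is inserted between host and path of the Credential Issuer Identifier, the nonce response carries Cache-Control: no-store and DPoP-Nonce, and the metadata endpoint negotiates application/jwt versus application/json. Package names, JwsSigned.serialize(), the KmmResult accessors, kotlinx.serialization support for the data classes, Ktor 2.x, and treating an application/jwt request body as an encrypted credential request are assumptions.

```kotlin
// Added example, not vck code. Assumed: vck package names, JwsSigned.serialize(),
// KmmResult.getOrThrow()/getOrNull(), @Serializable request/response classes, Ktor 2.x.
import at.asitplus.openid.CredentialRequestParameters
import at.asitplus.wallet.lib.oidvci.CredentialDataProviderFun
import at.asitplus.wallet.lib.oidvci.CredentialIssuer
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.request.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import kotlinx.serialization.*
import kotlinx.serialization.json.Json
private val jwt = ContentType.parse("application/jwt")
private val json = ContentType.Application.Json
// Insert /.well-known/openid-credential-issuer between host and path of the Credential Issuer
// Identifier: "https://wallet.a-sit.at/credential-issuer" -> "/.well-known/openid-credential-issuer/credential-issuer".
fun wellKnownMetadataPath(credentialIssuerIdentifier: String): String =
    "/.well-known/openid-credential-issuer" + Url(credentialIssuerIdentifier).encodedPath.trimEnd('/')
fun Route.credentialIssuerRoutes(
    issuer: CredentialIssuer,
    credentialDataProvider: CredentialDataProviderFun,
    publicContext: String = "https://wallet.a-sit.at/credential-issuer",
) {
    // Metadata: signed JWT only when the client accepts application/jwt, plain JSON otherwise.
    get(wellKnownMetadataPath(publicContext)) {
        if (call.request.acceptItems().any { it.value == jwt.toString() })
            call.respondText(issuer.signedMetadata().getOrThrow().serialize(), jwt)
        else
            call.respondText(Json.encodeToString(issuer.metadata), json)
    }
    // Nonce endpoint: POST only, never cacheable, DPoP nonce travels in its own header.
    post("/nonce") {
        val nonce = issuer.nonceWithDpopNonce().getOrThrow()
        call.response.header(HttpHeaders.CacheControl, "no-store")
        nonce.dpopNonce?.let { call.response.header("DPoP-Nonce", it) }
        call.respondText(Json.encodeToString(nonce.response), json)
    }
    // Credential endpoint: token and proof are verified inside credential(); an
    // application/jwt body is passed to credentialEncryptedRequest() (assumed content type).
    post("/credential") {
        val authorization = call.request.headers[HttpHeaders.Authorization]
            ?: return@post call.respond(HttpStatusCode.Unauthorized)
        val body = call.receiveText()
        val result = if (call.request.contentType().match(jwt))
            issuer.credentialEncryptedRequest(authorization, body, credentialDataProvider)
        else
            issuer.credential(authorization, Json.decodeFromString<CredentialRequestParameters>(body), credentialDataProvider)
        val response = result.getOrNull() ?: return@post call.respond(HttpStatusCode.BadRequest)
        call.respondText(Json.encodeToString(response), json)
    }
}
```

Install with `routing { credentialIssuerRoutes(issuer, provider) }`; a failed token or proof check surfaces as a KmmResult failure and is answered with 400 here without leaking the cause.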