OpenId4VpHolder

class OpenId4VpHolder(
    keyMaterial: KeyMaterial = EphemeralKeyWithoutCert(),
    holder: Holder = HolderAgent(keyMaterial),
    signIdToken: SignJwtFun<IdToken> = SignJwt(keyMaterial, JwsHeaderCertOrJwk()),
    encryptJarm: EncryptJweFun = EncryptJwe(keyMaterial),
    supportedAlgorithms: Set<SignatureAlgorithm> = setOf(SignatureAlgorithm.ECDSAwithSHA256),
    signDeviceAuthDetached: SignCoseDetachedFun<ByteArray> = SignCoseDetached(keyMaterial, CoseHeaderNone(), CoseHeaderNone()),
    clock: Clock = Clock.System,
    clientId: String = "https://wallet.a-sit.at/",
    authorizationEndpoint: String = "openid4vp:",
    remoteResourceRetriever: RemoteResourceRetrieverFunction = { null },
    requestObjectJwsVerifier: RequestObjectJwsVerifier = RequestObjectJwsVerifier { _ -> true },
    walletNonceMapStore: MapStore<String, String> = DefaultMapStore(),
    randomSource: RandomSource = RandomSource.Secure,
    lookupJsonWebKeysForClient: (OpenId4VpHolder.JsonWebKeyLookupInput) -> JsonWebKeySet? = { null }
)

Combines Verifiable Presentations with OAuth 2.0. Implements OpenID4VP (1.0, 2025-07-09) as well as SIOP V2 (D13, 2023-11-28).

The verifier (see OpenId4VpVerifier) creates the Authentication Request; the holder parses and validates it in startAuthorizationResponsePreparation, shows the requested information to the user, creates the response in finalizeAuthorizationResponse, and sends it back to the verifier.

Constructors

constructor(keyMaterial: KeyMaterial = EphemeralKeyWithoutCert(), holder: Holder = HolderAgent(keyMaterial), signIdToken: SignJwtFun<IdToken> = SignJwt(keyMaterial, JwsHeaderCertOrJwk()), encryptJarm: EncryptJweFun = EncryptJwe(keyMaterial), supportedAlgorithms: Set<SignatureAlgorithm> = setOf(SignatureAlgorithm.ECDSAwithSHA256), signDeviceAuthDetached: SignCoseDetachedFun<ByteArray> = SignCoseDetached(keyMaterial, CoseHeaderNone(), CoseHeaderNone()), clock: Clock = Clock.System, clientId: String = "https://wallet.a-sit.at/", authorizationEndpoint: String = "openid4vp:", remoteResourceRetriever: RemoteResourceRetrieverFunction = { null }, requestObjectJwsVerifier: RequestObjectJwsVerifier = RequestObjectJwsVerifier { _ -> true }, walletNonceMapStore: MapStore<String, String> = DefaultMapStore(), randomSource: RandomSource = RandomSource.Secure, lookupJsonWebKeysForClient: (OpenId4VpHolder.JsonWebKeyLookupInput) -> JsonWebKeySet? = { null })

Types

data class JsonWebKeyLookupInput(val clientId: String?)

Functions

Creates an error response for the given error, which can be sent to the verifier (relying party).

Pass in the deserialized AuthenticationRequestParameters, which were either encoded as query parameters or JSON-serialized as a JWT Request Object.

Pass in the URL sent by the Verifier (containing the AuthenticationRequestParameters as query parameters), to create AuthenticationResponseResult that can be sent back to the Verifier.

suspend fun finalizeAuthorizationResponse(preparationState: AuthorizationResponsePreparationState, credentialPresentation: CredentialPresentation? = null): KmmResult<AuthenticationResponseResult>

Finalize the authorization response, given the preparationState from startAuthorizationResponsePreparation, and the credentialPresentation selected by the user.

Validates the AuthenticationRequestParameters from params and loads remote objects (client metadata, keys). Callers need to inform the user, obtain consent, and resume in finalizeAuthorizationResponse.

Parses the AuthenticationRequestParameters from input and loads remote objects (client metadata, keys). Callers need to inform the user, obtain consent, and resume in finalizeAuthorizationResponse.