OID4VCI: Make client attestation optional

Author: nodh

CHANGELOG.md

@@ -43,6 +43,8 @@ Release 5.6.4:
  - OpenID for Verifiable Credential Issuance:
    - Sign authn request as JAR only when AS supports it
    - Support extracting `credential_configuration_id` from server's authorization details
+   - In `OpenId4VciClient` make constructor parameter `loadClientAttestationJwt` optional
+   - In `OpenId4VciClient` make constructor parameter `signClientAttestationPop` optional
 
 Release 5.6.3:
  - OpenID for Verifiable Credential Issuance:

vck-openid-ktor/src/commonMain/kotlin/at/asitplus/wallet/lib/ktor/openid/OpenId4VciClient.kt

@@ -71,9 +71,9 @@ class OpenId4VciClient(
      * the key behind [signClientAttestationPop], see
      * [OAuth 2.0 Attestation-Based Client Authentication](https://www.ietf.org/archive/id/draft-ietf-oauth-attestation-based-client-auth-04.html)
      */
-    private val loadClientAttestationJwt: suspend () -> String,
+    private val loadClientAttestationJwt: (suspend () -> String)? = null,
     /** Used for authenticating the client at the authorization server with client attestation. */
-    private val signClientAttestationPop: SignJwtFun<JsonWebToken> = SignJwt(
+    private val signClientAttestationPop: SignJwtFun<JsonWebToken>? = SignJwt(
         EphemeralKeyWithoutCert(),
         JwsHeaderNone()
     ),
@@ -280,16 +280,17 @@ class OpenId4VciClient(
         Napier.i("postToken: $tokenEndpointUrl with $tokenRequest")
 
         val clientAttestationJwt = if (oauthMetadata.useClientAuth()) {
-            loadClientAttestationJwt.invoke()
-        } else null
-        val clientAttestationPoPJwt = if (oauthMetadata.useClientAuth()) {
-            BuildClientAttestationPoPJwt(
-                signClientAttestationPop,
-                clientId = oid4vciService.clientId,
-                audience = issuerMetadata.credentialIssuer,
-                lifetime = 10.minutes,
-            ).serialize()
+            loadClientAttestationJwt?.invoke()
         } else null
+        val clientAttestationPoPJwt =
+            if (oauthMetadata.useClientAuth() && signClientAttestationPop != null && clientAttestationJwt != null) {
+                BuildClientAttestationPoPJwt(
+                    signClientAttestationPop,
+                    clientId = oid4vciService.clientId,
+                    audience = issuerMetadata.credentialIssuer,
+                    lifetime = 10.minutes,
+                ).serialize()
+            } else null
         val dpopHeader = if (oauthMetadata.hasMatchingDpopAlgorithm()) {
             BuildDPoPHeader(signDpop, url = tokenEndpointUrl)
         } else null
@@ -535,16 +536,17 @@ class OpenId4VciClient(
     ): AuthenticationRequestParameters {
         val shouldIncludeClientAttestation = tokenAuthMethods?.contains(AUTH_METHOD_ATTEST_JWT_CLIENT_AUTH) == true
         val clientAttestationJwt = if (shouldIncludeClientAttestation) {
-            loadClientAttestationJwt.invoke()
-        } else null
-        val clientAttestationPoPJwt = if (shouldIncludeClientAttestation) {
-            BuildClientAttestationPoPJwt(
-                signClientAttestationPop,
-                clientId = oid4vciService.clientId,
-                audience = credentialIssuer,
-                lifetime = 10.minutes,
-            ).serialize()
+            loadClientAttestationJwt?.invoke()
         } else null
+        val clientAttestationPoPJwt =
+            if (shouldIncludeClientAttestation && signClientAttestationPop != null && clientAttestationJwt != null) {
+                BuildClientAttestationPoPJwt(
+                    signClientAttestationPop,
+                    clientId = oid4vciService.clientId,
+                    audience = credentialIssuer,
+                    lifetime = 10.minutes,
+                ).serialize()
+            } else null
         val response = client.submitForm(
             url = url,
             formParameters = parameters {