chore: merge openid federation

Signed-off-by: Henrique Dias <mail@hacdias.com>

Author: hacdias

.changeset/big-meals-raise.md

@@ -0,0 +1,6 @@
+---
+"@credo-ts/drizzle-storage": minor
+"@credo-ts/openid4vc": minor
+---
+
+Adds support for chained authorization code flows within the OpenID4VCI credential issuance. This means that external authorization servers can be leveraged to authenticate or identify the user. The access token from this external authorization server can be then used during the issuance process in order to, for example, fetch credential data from an external resource server.

.changeset/fluffy-papers-happen.md

@@ -0,0 +1,13 @@
+---
+"@credo-ts/openid4vc": minor
+---
+
+refactor(openid4vc): the OpenID4VC module now requires a top-level `app` property instead of a `router` for the `OpenId4VcVerifierModule` and `OpenId4VcIssuerModule`.
+
+Using the `app` directly simplifies the setup, as you don't have to register the routers at the correct paths anymore on your express app.
+
+We do recommend that you register your custom routes AFTER the Credo OpenID4VC routes have been registered, to ensure your custom middleware does not clash with Credo's routes.
+
+The reason for changing the router to an `app` is that we need to host files at the top-level `.well-known` path of the server, which is not easily doable with the custom router approach.
+
+If no app is provided, and the issuer or verifier module is enabled, a new app instance will be created.

.changeset/proud-dodos-remember.md

@@ -0,0 +1,5 @@
+---
+"@credo-ts/webvh": patch
+---
+
+feat(webvh): support AnonCreds object registration (schema, credential definition, revocation definition, revocation status lists)

.changeset/thirty-crews-retire.md

@@ -0,0 +1,6 @@
+---
+"@credo-ts/anoncreds": patch
+"@credo-ts/didcomm": patch
+---
+
+feat: support DIDComm Out of Band proof proposals

README.md

@@ -51,7 +51,7 @@ See [Supported Features](https://credo.js.org/guides/features) on the Credo webs
 
 - 🏃 **Platform agnostic** - out of the box support for Node.JS and React Native
 - 🔒 **DIDComm and AIP** - Support for [DIDComm v1](https://hyperledger.github.io/aries-rfcs/latest/concepts/0005-didcomm/), and both v1 and v2 of the [Aries Interop Profile](https://github.com/hyperledger/aries-rfcs/blob/main/concepts/0302-aries-interop-profile/README.md).
-- 🛂 **Extendable [DID](https://www.w3.org/TR/did-core/) resolver and registrar** - out of the box support for `did:web`, `did:key`, `did:jwk`, `did:peer`, `did:sov`, `did:indy`, `did:cheqd` and `did:hedera`.
+- 🛂 **Extendable [DID](https://www.w3.org/TR/did-core/) resolver and registrar** - out of the box support for `did:web`, `did:webvh`, `did:key`, `did:jwk`, `did:peer`, `did:sov`, `did:indy`, `did:cheqd` and `did:hedera`.
 - 🔑 **[OpenID4VC](https://openid.net/sg/openid4vc/)** - support for [OpenID for Verifiable Credential Issuance](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html), [OpenID for Verifiable Presentations](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html) and [Self-Issued OpenID Provider v2](https://openid.net/specs/openid-connect-self-issued-v2-1_0.html).
 - 🪪 **Multiple credential formats** - [W3C Verifiable Credential Data Model v1.1](https://www.w3.org/TR/vc-data-model/), [SD-JWT VCs](https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-03.html), and [AnonCreds](https://hyperledger.github.io/anoncreds-spec/).
 - 🏢 **Multi-tenant** - Optional multi-tenant module for managing multiple tenants under a single agent.

demo-openid/README.md

@@ -7,7 +7,7 @@ Alice, a former student of Faber College, connects with the College, is issued a
 ## Features
 
 - ✅ Issuing a credential without authorization (pre-authorized code flow).
-- ✅ Issuing a credenital with external authorization server (authorization code flow)
+- ✅ Issuing a credential with external authorization server (authorization code flow)
 - ✅ Resolving a credential offer.
 - ✅ Accepting a credential offer.
 - ✅ Requesting a credential presentation.
@@ -135,3 +135,20 @@ This will open three proxies. You should then run your demo environments with th
 - `PROVIDER_HOST=https://d404-123-123-123-123.ngrok-free.app ISSUER_HOST=https://d738-123-123-123-123.ngrok-free.app pnpm provider` (ngrok url for port 3042)
 - `PROVIDER_HOST=https://d404-123-123-123-123.ngrok-free.app ISSUER_HOST=https://d738-123-123-123-123.ngrok-free.app pnpm issuer` (ngrok url for port 2000)
 - `VERIFIER_HOST=https://1d91-123-123-123-123.ngrok-free.app pnpm verifier` (ngrok url for port 4000)
+
+### Optional Google Account API for Chained Identity
+
+You can also configure external identity providers in order to be able to use their access tokens to fetch specific data for credentials. In this demo, we have an integration with Google Account OpenID Connect API, which provides an ID Token with information we then use to put on the credential itself.
+
+To set this up, you need to create an account in [Google Cloud](https://console.cloud.google.com/auth/overview) platform, and configure a client with the correct domain. In this case, you need a proxy since the URL is not allowed to be `localhost`.
+
+In addition, the following scopes are necessary:
+
+- `openid`
+- `https://www.googleapis.com/auth/userinfo.email`
+
+Once you have the client ID and client secret from the Google integration, please start the issuer as follows:
+
+```sh
+ISSUER_HOST="<issuer-host>" GOOGLE_CLIENT_ID="<google-client-id>" GOOGLE_CLIENT_SECRET="<google-client-secret>"  pnpm issuer
+```

demo-openid/src/BaseAgent.ts

@@ -26,7 +26,7 @@ export class BaseAgent<AgentModules extends ModulesMap> {
   }: {
     port: number
     name: string
-    modules: AgentModules
+    modules: (app: Express) => AgentModules
   }) {
     this.name = name
     this.port = port
@@ -42,7 +42,7 @@ export class BaseAgent<AgentModules extends ModulesMap> {
     this.agent = new Agent({
       config,
       dependencies: agentDependencies,
-      modules,
+      modules: modules(this.app),
     })
   }
 

demo-openid/src/Holder.ts

@@ -15,6 +15,7 @@ import {
   X509Module,
 } from '@credo-ts/core'
 import type {
+  OpenId4VciDpopRequestOptions,
   OpenId4VciMetadata,
   OpenId4VciResolvedCredentialOffer,
   OpenId4VpResolvedAuthorizationRequest,
@@ -26,18 +27,21 @@ import {
   preAuthorizedCodeGrantIdentifier,
 } from '@credo-ts/openid4vc'
 import { askar } from '@openwallet-foundation/askar-nodejs'
+import type { Express } from 'express'
 import { BaseAgent } from './BaseAgent'
 import { greenText, Output } from './OutputClass'
 
 function getOpenIdHolderModules(askarStorageConfig: AskarModuleConfigStoreOptions) {
-  return {
+  return (app: Express) => ({
     askar: new AskarModule({ askar, store: askarStorageConfig }),
-    openid4vc: new OpenId4VcModule(),
+    openid4vc: new OpenId4VcModule({
+      app,
+    }),
     x509: new X509Module({
       getTrustedCertificatesForVerification: (_agentContext, { certificateChain, verification }) => {
         console.log(
           greenText(
-            `dyncamically trusting certificate ${certificateChain[0].getIssuerNameField('C')} for verification of ${
+            `dynamically trusting certificate ${certificateChain[0].getIssuerNameField('C')} for verification of ${
               verification.type
             }`,
             true
@@ -47,10 +51,10 @@ function getOpenIdHolderModules(askarStorageConfig: AskarModuleConfigStoreOption
         return [certificateChain[0].toString('pem')]
       },
     }),
-  } as const
+  })
 }
 
-export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>> {
+export class Holder extends BaseAgent<ReturnType<ReturnType<typeof getOpenIdHolderModules>>> {
   public client = {
     clientId: 'wallet',
     redirectUri: 'http://localhost:3000/redirect',
@@ -87,7 +91,7 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
     credentialsToRequest: string[]
   ) {
     const grants = resolvedCredentialOffer.credentialOfferPayload.grants
-    // TODO: extend iniateAuthorization in oid4vci lib? Or not?
+    // TODO: extend initiateAuthorization in oid4vci lib? Or not?
     if (grants?.[preAuthorizedCodeGrantIdentifier]) {
       return {
         authorizationFlow: 'PreAuthorized',
@@ -130,6 +134,7 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
       code?: string
       redirectUri?: string
       txCode?: string
+      dpop?: OpenId4VciDpopRequestOptions
     }
   ) {
     const tokenResponse = await this.agent.openid4vc.holder.requestToken(
@@ -140,10 +145,12 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
             codeVerifier: options.codeVerifier,
             code: options.code,
             redirectUri: options.redirectUri,
+            dpop: options.dpop,
           }
         : {
             resolvedCredentialOffer,
             txCode: options.txCode,
+            dpop: options.dpop,
           }
     )
 

demo-openid/src/HolderInquirer.ts

@@ -2,6 +2,7 @@ import type { MdocRecord, SdJwtVcRecord, W3cCredentialRecord, W3cV2CredentialRec
 import { Mdoc } from '@credo-ts/core'
 import type {
   OpenId4VciCredentialConfigurationsSupportedWithFormats,
+  OpenId4VciDpopRequestOptions,
   OpenId4VciResolvedCredentialOffer,
   OpenId4VpResolvedAuthorizationRequest,
 } from '@credo-ts/openid4vc'
@@ -153,6 +154,7 @@ export class HolderInquirer extends BaseInquirer {
     let authorizationCode: string | undefined
     let codeVerifier: string | undefined
     let txCode: string | undefined
+    let dpop: OpenId4VciDpopRequestOptions | undefined
 
     if (resolvedAuthorization.authorizationFlow === 'Oauth2Redirect') {
       console.log(redText('Authorization required for credential issuance', true))
@@ -164,12 +166,11 @@ export class HolderInquirer extends BaseInquirer {
           if (req.query.code) {
             resolve(req.query.code as string)
             // Store original routes
-            const originalStack = this.holder.app._router.stack
+            const originalStack = this.holder.app.router.stack
 
             // Remove specific GET route by path
-            this.holder.app._router.stack = originalStack.filter(
-              (layer: { route?: { path: string; methods: { get?: unknown } } }) =>
-                !(layer.route && layer.route.path === '/redirect' && layer.route.methods.get)
+            this.holder.app.router.stack = originalStack.filter(
+              (layer) => !(layer.route && layer.route.path === '/redirect')
             )
             res.send('Success! You can now go back to the terminal')
           } else {
@@ -184,6 +185,7 @@ export class HolderInquirer extends BaseInquirer {
       console.log('\n\n')
       codeVerifier = resolvedAuthorization.codeVerifier
       authorizationCode = await code
+      dpop = resolvedAuthorization.dpop
       console.log(greenText('Authorization complete', true))
     } else if (resolvedAuthorization.authorizationFlow === 'PresentationDuringIssuance') {
       console.log(redText('Presentation during issuance not supported yet', true))
@@ -203,6 +205,7 @@ export class HolderInquirer extends BaseInquirer {
       code: authorizationCode,
       redirectUri: authorizationCode ? this.holder.client.redirectUri : undefined,
       txCode,
+      dpop,
     })
 
     console.log(greenText('Received and stored the following credentials.', true))