openwallet-foundation
diff --git a/‎oid4vc/README.md‎
Lines changed: 24 additions & 31 deletions b/‎oid4vc/README.md‎
Lines changed: 24 additions & 31 deletions
diff --git a/‎oid4vc/integration/oid4vci_client/client.py‎
Lines changed: 3 additions & 3 deletions b/‎oid4vc/integration/oid4vci_client/client.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎oid4vc/jwt_vc_json/cred_processor.py‎
Lines changed: 0 additions & 4 deletions b/‎oid4vc/jwt_vc_json/cred_processor.py‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎oid4vc/oid4vc/__init__.py‎
Lines changed: 4 additions & 1 deletion b/‎oid4vc/oid4vc/__init__.py‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎oid4vc/oid4vc/app_resources.py‎
Lines changed: 73 additions & 0 deletions b/‎oid4vc/oid4vc/app_resources.py‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎oid4vc/oid4vc/config.py‎
Lines changed: 12 additions & 3 deletions b/‎oid4vc/oid4vc/config.py‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎oid4vc/oid4vc/jwt.py‎
Lines changed: 0 additions & 1 deletion b/‎oid4vc/oid4vc/jwt.py‎
Lines changed: 0 additions & 1 deletion
@@ -34,16 +34,17 @@ DOCKER_DEFAULT_PLATFORM=linux/amd64 docker build -f ../docker/Dockerfile --tag o
 
 ### Demo Flow
 
-Navigate to `http://localhost:3002` in your browser. You will start at the landing page. The sidebar has buttons to take you to the issuance and presentation pages. 
+Navigate to `http://localhost:3002` in your browser. You will start at the landing page. The sidebar has buttons to take you to the issuance and presentation pages.
 
 1. Issue Credential
 
    - This page generates a simple `UniversityCredential` for issuance
-       - The demo obscures and automates the necessary `credential-supported/create` call, which is what defines the type and values of a credential that can be issued
+
+     - The demo obscures and automates the necessary `credential-supported/create` call, which is what defines the type and values of a credential that can be issued
 
    - Preparing a credential offer is simple:
-      - Enter your name and email, or use the test value provided, and hit `Register`
-      - Once you hit `Register`, you'll be automatically taken to the Credential Offer Page
+     - Enter your name and email, or use the test value provided, and hit `Register`
+     - Once you hit `Register`, you'll be automatically taken to the Credential Offer Page
 
 2. Credential Offer Page
    - Presents a credential offer in the form of a QR code.
@@ -145,7 +146,9 @@ controller ->> alice: redirect to success page
 end
 end
 ```
+
 ### Credential Presentation
+
 ```mermaid
 sequenceDiagram
 autonumber
@@ -164,13 +167,13 @@ admin ->> acapy: store presentation definition
 admin -->> controller: created presentation definition
 alice ->> controller: Hits web page initiating presentation
 controller ->> admin: POST /oid4vp/request
-admin ->> acapy: save request record associated <br/>with a particular pres def 
+admin ->> acapy: save request record associated <br/>with a particular pres def
 admin -->> controller: request URI
 controller ->> alice: QR Code
 alice ->> holder: Scan QR Code
 holder ->> public: GET /oid4vp/request/{request_id} (request uri in QR code)
 public -> acapy: retrieve stored request
-public -->> holder: request 
+public -->> holder: request
 holder ->> public: POST /oid4vp/response/{presentation_id}
 acapy ->> controller: POST /topic/oid4vp <br/>(state: presentation-valid/invalid)
 controller ->> holder: result
@@ -183,26 +186,26 @@ controller ->> holder: result
 The Plugin expects the following configuration options. These options can either be set by environment variable (`OID4VCI_*`) or by plugin config value (`-o oid4vci.*`).
 
 - `OID4VCI_HOST` or `oid4vci.host`
-    - Host used for the OpenID4VCI public server
+  - Host used for the OpenID4VCI public server
 - `OID4VCI_PORT` or `oid4vci.port`
-    - Port used for the OpenID4VCI public server
+  - Port used for the OpenID4VCI public server
 - `OID4VCI_ENDPOINT` or `oid4vci.endpoint`
-    - `credential_issuer` endpoint, seen in the Credential Offer
+  - `credential_issuer` endpoint, seen in the Credential Offer
 - `OID4VCI_CRED_HANDLER` or `oid4vci.cred_handler`
-    - Dict of credential handlers. e.g. `{"jwt_vc_json": "jwt_vc_json"}`
+  - Dict of credential handlers. e.g. `{"jwt_vc_json": "jwt_vc_json"}`
+- `OID4VCI_AUTH_SERVER_URL` or `oid4vci.auth_server_url`
+  - Optional authorization server URL
+- `OID4VCI_AUTH_SERVER_CLIENT` or `oid4vci.auth_server_client`
+  - Optional authorization server client credential, e.g. `{"auth_type": "client_secret_basic", "client_id": "client_id", "client_secret": "client_secret"}`
 
 ### Creating Supported Credential Records
 
 To issue a credential using OpenID4VCI, the Issuer must first prepare credential issuer metadata including which credentials the Issuer can issue. Below is an example payload to the `POST /oid4vci/credential-supported/create/jwt` endpoint:
 
 ```json
 {
-  "cryptographic_binding_methods_supported": [
-    "did"
-  ],
-  "cryptographic_suites_supported": [
-    "ES256K"
-  ],
+  "cryptographic_binding_methods_supported": ["did"],
+  "cryptographic_suites_supported": ["ES256K"],
   "display": [
     {
       "name": "University Credential",
@@ -242,15 +245,12 @@ To issue a credential using OpenID4VCI, the Issuer must first prepare credential
       ]
     }
   },
-  "type": [
-    "VerifiableCredential",
-    "UniversityDegreeCredential"
-  ],
+  "type": ["VerifiableCredential", "UniversityDegreeCredential"],
   "id": "UniversityDegreeCredential",
   "@context": [
     "https://www.w3.org/2018/credentials/v1",
     "https://www.w3.org/2018/credentials/examples/v1"
-  ],
+  ]
 }
 ```
 
@@ -268,12 +268,8 @@ When the Controller sets up a Supported Credential record using the Admin API, t
   "credentials_supported": [
     {
       "format": "jwt_vc_json",
-      "cryptographic_binding_methods_supported": [
-        "did"
-      ],
-      "cryptographic_suites_supported": [
-        "ES256K"
-      ],
+      "cryptographic_binding_methods_supported": ["did"],
+      "cryptographic_suites_supported": ["ES256K"],
       "display": [
         {
           "name": "University Credential",
@@ -313,10 +309,7 @@ When the Controller sets up a Supported Credential record using the Admin API, t
           ]
         }
       },
-      "types": [
-        "VerifiableCredential",
-        "UniversityDegreeCredential"
-      ]
+      "types": ["VerifiableCredential", "UniversityDegreeCredential"]
     }
   ]
 }
 
@@ -2,7 +2,7 @@
 
 import json
 from dataclasses import dataclass
-from typing import Dict, List, Literal, Optional, Union
+from typing import Dict, List, Literal, Optional, Union, Any
 from urllib.parse import parse_qsl, urlparse
 
 from aiohttp import ClientSession
@@ -61,7 +61,7 @@ class IssuerMetadata:
 
     credential_endpoint: str
     token_endpoint: str
-    credentials_supported: List[dict]
+    credential_configurations_supported: dict[str, Any]
 
 
 @dataclass
@@ -101,7 +101,7 @@ async def get_issuer_metadata(self, issuer_url: str):
         return IssuerMetadata(
             metadata["credential_endpoint"],
             token_endpoint,
-            metadata["credentials_supported"],
+            metadata["credential_configurations_supported"],
         )
 
     async def request_token(self, offer: CredentialOffer, metadata: IssuerMetadata):
 
@@ -10,7 +10,6 @@
 from pydid import DIDUrl
 
 from oid4vc.cred_processor import (
-    CredProcessorError,
     CredVerifier,
     Issuer,
     PresVerifier,
@@ -21,7 +20,6 @@
 from oid4vc.models.presentation import OID4VPPresentation
 from oid4vc.models.supported_cred import SupportedCredential
 from oid4vc.pop_result import PopResult
-from oid4vc.public_routes import types_are_subset
 from oid4vc.status_handler import StatusHandler
 
 LOGGER = logging.getLogger(__name__)
@@ -40,8 +38,6 @@ async def issue(
     ) -> Any:
         """Return signed credential in JWT format."""
         assert supported.format_data
-        if not types_are_subset(body.get("types"), supported.format_data.get("types")):
-            raise CredProcessorError("Requested types does not match offer.")
 
         current_time = datetime.datetime.now(datetime.timezone.utc)
         current_time_unix_timestamp = int(current_time.timestamp())
 
@@ -12,12 +12,13 @@
 
 from jwt_vc_json.cred_processor import JwtVcJsonCredProcessor
 from oid4vc.cred_processor import CredProcessors
-from .status_handler import StatusHandler
 
+from .app_resources import AppResources
 from .config import Config
 from .jwk import DID_JWK, P256
 from .jwk_resolver import JwkResolver
 from .oid4vci_server import Oid4vciServer
+from .status_handler import StatusHandler
 
 LOGGER = logging.getLogger(__name__)
 
@@ -64,6 +65,7 @@ async def startup(profile: Profile, event: Event):
             profile,
         )
         profile.context.injector.bind_instance(Oid4vciServer, oid4vci)
+        await AppResources.startup(config)
     except Exception:
         LOGGER.exception("Unable to register admin server")
         raise
@@ -76,3 +78,4 @@ async def shutdown(context: InjectionContext):
     """Teardown the plugin."""
     oid4vci = context.inject(Oid4vciServer)
     await oid4vci.stop()
+    await AppResources.shutdown()
@@ -0,0 +1,73 @@
+"""App resources."""
+
+import logging
+import aiohttp
+import asyncio
+
+from .config import Config
+
+LOGGER = logging.getLogger(__name__)
+
+
+class AppResources:
+    """Application-wide resources like HTTP client and cleanup tasks."""
+
+    _auth_server_url: str | None = None
+    _http_client: aiohttp.ClientSession | None = None
+    _cleanup_task: asyncio.Task | None = None
+    _client_shutdown: bool = False
+
+    @classmethod
+    async def startup(cls, config: Config | None = None):
+        """Initialize resources."""
+        if config and config.auth_server_url:
+            cls._auth_server_url = config.auth_server_url
+            LOGGER.info("Initializing HTTP client...")
+            cls._http_client = aiohttp.ClientSession()
+            # LOGGER.info("Starting up cleanup task...")
+            # cls._cleanup_task = asyncio.create_task(cls._background_cleanup())
+
+    @classmethod
+    async def shutdown(cls):
+        """Clean up resources."""
+        if cls._cleanup_task:
+            LOGGER.info("Shutting down cleanup task...")
+            cls._cleanup_task.cancel()
+            try:
+                await cls._cleanup_task
+            except asyncio.CancelledError:
+                pass
+            cls._cleanup_task = None
+        if cls._http_client:
+            LOGGER.info("Closing HTTP client...")
+            await cls._http_client.close()
+            cls._http_client = None
+        cls._client_shutdown = True
+
+    @classmethod
+    def get_http_client(cls) -> aiohttp.ClientSession:
+        """Get the initialized HTTP client."""
+        if cls._client_shutdown:
+            raise RuntimeError("HTTP client was shut down and cannot be re-initialized")
+        if cls._auth_server_url and cls._http_client is None:
+            LOGGER.warning("Warning: HTTP client was None, re-initializing.")
+            cls._http_client = aiohttp.ClientSession()
+        if cls._http_client is None:
+            raise RuntimeError("HTTP client is not initialized")
+        return cls._http_client
+
+    @classmethod
+    async def _background_cleanup(cls):
+        """Background task for periodic cleanup."""
+        while True:
+            try:
+                await cleanup_expired_nonces()
+            except Exception as e:
+                LOGGER.exception(f"Nonce cleanup error: {e}")
+
+            await asyncio.sleep(3600)  # Run every hour
+
+
+async def cleanup_expired_nonces():
+    """Cleanup expired nonces from storage."""
+    pass
@@ -25,7 +25,9 @@ class Config:
     host: str
     port: int
     endpoint: str
-    status_handler: str
+    status_handler: str | None = None
+    auth_server_url: str | None = None
+    auth_server_client: str | None = None
 
     @classmethod
     def from_settings(cls, settings: BaseSettings) -> "Config":
@@ -38,12 +40,19 @@ def from_settings(cls, settings: BaseSettings) -> "Config":
         status_handler = plugin_settings.get("status_handler") or getenv(
             "OID4VCI_STATUS_HANDLER"
         )
-
+        auth_server_url = plugin_settings.get("auth_server_url") or getenv(
+            "OID4VCI_AUTH_SERVER_URL"
+        )
+        auth_server_client = plugin_settings.get("auth_server_client") or getenv(
+            "OID4VCI_AUTH_SERVER_CLIENT"
+        )
         if not host:
             raise ConfigError("host", "OID4VCI_HOST")
         if not port:
             raise ConfigError("port", "OID4VCI_PORT")
         if not endpoint:
             raise ConfigError("endpoint", "OID4VCI_ENDPOINT")
 
-        return cls(host, port, endpoint, status_handler)
+        return cls(
+            host, port, endpoint, status_handler, auth_server_url, auth_server_client
+        )
@@ -100,7 +100,6 @@ async def jwt_sign(
         wallet = session.inject(BaseWallet)
         did_info = await wallet.get_local_did(did_lookup_name(did))
 
-        did_info = await wallet.get_local_did(did_lookup_name(did))
         if did_info.key_type == ED25519:
             headers["alg"] = "EdDSA"
         elif did_info.key_type == P256: