[spec] OID4VCI and SD-JWT VC spec changes

- The `user_pin_required` boolean property in a credential offer has been replaced with the `tx_code` JSON object.
- The `credentials` property in a credential offer has been renamed to `credential_configurations`.
- The structure of the supported credential for SD-JWT VC has been changed.
- The structure of the credential request for SD-JWT VC has been changed.

Author: TakahikoKawasaki

pom.xml

@@ -12,7 +12,7 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
-    <authlete.java.common.version>3.88</authlete.java.common.version>
+    <authlete.java.common.version>3.91</authlete.java.common.version>
     <authlete.java.jaxrs.version>2.70</authlete.java.jaxrs.version>
     <authlete.cbor.version>1.14</authlete.cbor.version>
     <javax.servlet-api.version>3.0.1</javax.servlet-api.version>

src/main/java/com/authlete/jaxrs/server/api/vci/CredentialOfferPageModel.java

@@ -47,7 +47,7 @@
  */
 public class CredentialOfferPageModel extends AuthorizationPageModel
 {
-    private static final long serialVersionUID = 1L;
+    private static final long serialVersionUID = 2L;
 
 
     private static final String DEFAULT_ENDPOINT = "openid-credential-offer://";
@@ -57,55 +57,64 @@ public class CredentialOfferPageModel extends AuthorizationPageModel
     public static final int QR_CODE_HEIGHT = 300;
 
 
-    private static final String DEFAULT_CREDENTIALS = "[\n" +
+    private static final String DEFAULT_CREDENTIAL_CONFIGURATIONS =
+            "[\n" +
             "  \"IdentityCredential\",\n" +
-            "  \"mDL\"\n" +
+            "  \"org.iso.18013.5.1.mDL\"\n" +
             "]";
 
 
-    private String credentials;
+    private String credentialConfigurations;
     private boolean authorizationCodeGrantIncluded;
     private boolean issuerStateIncluded;
     private boolean preAuthorizedCodeGrantIncluded;
-    private boolean userPinRequired;
-    private int userPinLength;
+    private String txCode;
+    private String txCodeInputMode;
+    private String txCodeDescription;
     private int duration;
     private String credentialOfferEndpoint;
     private CredentialOfferInfo info;
     private String credentialOfferLink;
     private String credentialOfferQrCode;
     private String credentialOfferContent;
+    private String credentialOfferUri;
     private String credentialOfferUriLink;
     private String credentialOfferUriQrCode;
 
 
     public CredentialOfferPageModel()
     {
         this.authorizationCodeGrantIncluded = false;
-        this.issuerStateIncluded = true;
+        this.issuerStateIncluded            = true;
         this.preAuthorizedCodeGrantIncluded = true;
-        this.userPinRequired = false;
-        this.userPinLength = 0;
         this.duration = 0;
-        this.credentials = DEFAULT_CREDENTIALS;
-        this.credentialOfferEndpoint = DEFAULT_ENDPOINT;
+        this.credentialConfigurations = DEFAULT_CREDENTIAL_CONFIGURATIONS;
+        this.credentialOfferEndpoint  = DEFAULT_ENDPOINT;
     }
 
 
     public CredentialOfferPageModel setValues(final Map<String, String> values)
     {
-        this.credentials = values.getOrDefault("credentials", this.credentials);
-        this.authorizationCodeGrantIncluded = ProcessingUtil.fromFormCheckbox(values, "authorizationCodeGrantIncluded");
-        this.issuerStateIncluded = ProcessingUtil.fromFormCheckbox(values, "issuerStateIncluded");
-        this.preAuthorizedCodeGrantIncluded = ProcessingUtil.fromFormCheckbox(values, "preAuthorizedCodeGrantIncluded");
-        this.userPinRequired = ProcessingUtil.fromFormCheckbox(values, "userPinRequired");
-        this.credentialOfferEndpoint = values.getOrDefault("credentialOfferEndpoint", this.credentialOfferEndpoint);
-        this.userPinLength = extractInt(values, "userPinLength", this.userPinLength);
-        this.duration = extractInt(values, "duration", this.duration);
+        this.credentialConfigurations       = values.getOrDefault("credentialConfigurations", this.credentialConfigurations);
+        this.authorizationCodeGrantIncluded = fromCheckBox(values, "authorizationCodeGrantIncluded");
+        this.issuerStateIncluded            = fromCheckBox(values, "issuerStateIncluded");
+        this.preAuthorizedCodeGrantIncluded = fromCheckBox(values, "preAuthorizedCodeGrantIncluded");
+        this.txCode                         = values.getOrDefault("txCode",            this.txCode);
+        this.txCodeInputMode                = values.getOrDefault("txCodeInputMode",   this.txCodeInputMode);
+        this.txCodeDescription              = values.getOrDefault("txCodeDescription", this.txCodeDescription);
+        this.duration                       = extractInt(values, "duration", this.duration);
+        this.credentialOfferEndpoint        = values.getOrDefault("credentialOfferEndpoint", this.credentialOfferEndpoint);
+
         return this;
     }
 
 
+    private static boolean fromCheckBox(Map<String, String> values, String key)
+    {
+        return ProcessingUtil.fromFormCheckbox(values, key);
+    }
+
+
     private Integer extractInt(final Map<String, String> values,
                                final String key, final Integer def)
     {
@@ -159,10 +168,12 @@ public CredentialOfferCreateRequest toRequest(final User user)
                 .setAuthorizationCodeGrantIncluded(this.authorizationCodeGrantIncluded)
                 .setIssuerStateIncluded(this.issuerStateIncluded)
                 .setPreAuthorizedCodeGrantIncluded(this.preAuthorizedCodeGrantIncluded)
-                .setUserPinRequired(this.userPinRequired)
-                .setUserPinLength(this.userPinLength)
+                .setTxCode(this.txCode)
+                .setTxCodeInputMode(this.txCodeInputMode)
+                .setTxCodeDescription(this.txCodeDescription)
                 .setDuration(this.duration)
-                .setCredentials(parseAsStringArray("credentials", this.credentials))
+                .setCredentialConfigurations(
+                        parseAsStringArray("credentialConfigurations", this.credentialConfigurations))
                 .setSubject(user.getSubject());
     }
 
@@ -209,15 +220,15 @@ private List<?> parseAsList(String name, String json)
     }
 
 
-    public String getCredentials()
+    public String getCredentialConfigurations()
     {
-        return credentials;
+        return credentialConfigurations;
     }
 
 
-    public void setCredentials(String credentials)
+    public void setCredentialConfigurations(String configurations)
     {
-        this.credentials = credentials;
+        this.credentialConfigurations = configurations;
     }
 
 
@@ -257,27 +268,39 @@ public void setPreAuthorizedCodeGrantIncluded(boolean preAuthorizedCodeGrantIncl
     }
 
 
-    public boolean isUserPinRequired()
+    public String getTxCode()
     {
-        return userPinRequired;
+        return txCode;
     }
 
 
-    public void setUserPinRequired(boolean userPinRequired)
+    public void setTxCode(String txCode)
     {
-        this.userPinRequired = userPinRequired;
+        this.txCode = txCode;
     }
 
 
-    public int getUserPinLength()
+    public String getTxCodeInputMode()
     {
-        return userPinLength;
+        return txCodeInputMode;
     }
 
 
-    public void setUserPinLength(int userPinLength)
+    public void setTxCodeInputMode(String inputMode)
     {
-        this.userPinLength = userPinLength;
+        this.txCodeInputMode = inputMode;
+    }
+
+
+    public String getTxCodeDescription()
+    {
+        return txCodeDescription;
+    }
+
+
+    public void setTxCodeDescription(String description)
+    {
+        this.txCodeDescription = description;
     }
 
 
@@ -321,7 +344,7 @@ public void setInfo(CredentialOfferInfo info)
                                                      URLEncoder.encode(info.getCredentialOffer(), "UTF-8"));
             this.credentialOfferQrCode = asQrCode(this.credentialOfferLink);
 
-            final String credentialOfferUri = String.format("%s/api/offer/%s",
+            this.credentialOfferUri = String.format("%s/api/offer/%s",
                                                             info.getCredentialIssuer().toString(),
                                                             info.getIdentifier());
             this.credentialOfferUriLink = String.format(CREDENTIAL_OFFER_URI_QR_PATTERN, credentialOfferEndpoint,
@@ -380,6 +403,18 @@ public void setCredentialOfferContent(String credentialOfferContent)
     }
 
 
+    public String getCredentialOfferUri()
+    {
+        return credentialOfferUri;
+    }
+
+
+    public void setCredentialOfferUri(String credentialOfferUri)
+    {
+        this.credentialOfferUri = credentialOfferUri;
+    }
+
+
     public String getCredentialOfferUriLink()
     {
         return credentialOfferUriLink;

src/main/java/com/authlete/jaxrs/server/vc/SdJwtOrderProcessor.java

@@ -25,13 +25,11 @@
 
 public class SdJwtOrderProcessor extends AbstractOrderProcessor
 {
-    private static final String KEY_CREDENTIAL_DEFINITION = "credential_definition";
-    private static final String KEY_FORMAT                = "format";
-    private static final String KEY_SUB                   = "sub";
-    private static final String KEY_VCT                   = "vct";
+    private static final String KEY_FORMAT = "format";
+    private static final String KEY_SUB    = "sub";
+    private static final String KEY_VCT    = "vct";
 
 
-    @SuppressWarnings("unchecked")
     @Override
     protected void checkPermissions(
             OrderContext context,
@@ -55,12 +53,8 @@ protected void checkPermissions(
         //
         //   https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
 
-        // The requested credential must contain "credential_definition".
-        Map<String, Object> credentialDefinition =
-                extractCredentialDefinition(requestedCredential);
-
-        // The "credential_definition" object must contain "vct".
-        String vct = extractVct(credentialDefinition);
+        // The requested credential must contain "vct".
+        String vct = extractVct(requestedCredential);
 
         // For each issuable credential.
         for (Map<String, Object> issuableCredential : issuableCredentials)
@@ -75,17 +69,8 @@ protected void checkPermissions(
                 continue;
             }
 
-            // The "credential_definition" in the issuable credential.
-            Object value = issuableCredential.get(KEY_CREDENTIAL_DEFINITION);
-
-            // If the "credential_definition" property is not available as a JSON object.
-            if (!(value instanceof Map))
-            {
-                continue;
-            }
-
-            // The "vct" in the "credential_definition" object of the issuable credential.
-            value = ((Map<String, Object>)value).get(KEY_VCT);
+            // The "vct" in the issuable credential.
+            Object value = issuableCredential.get(KEY_VCT);
 
             // If the "type" property is not available as a string.
             if (!(value instanceof String))
@@ -94,10 +79,9 @@ protected void checkPermissions(
             }
 
             // This implementation of the checkPermissions method is simple.
-            // If "credential_definition.vct" of the requested credential
-            // matches "credential_definition.vct" of any of the issuable
-            // credentials, it is regarded that the credential request is
-            // permitted.
+            // If "vct" of the requested credential matches "vct" of any of
+            // the issuable credentials, it is regarded that the credential
+            // request is permitted.
             if (vct.equals(value))
             {
                 // The credential request is permitted.
@@ -110,49 +94,24 @@ protected void checkPermissions(
     }
 
 
-    @SuppressWarnings("unchecked")
-    private Map<String, Object> extractCredentialDefinition(
-            Map<String, Object> requestedCredential) throws InvalidCredentialRequestException
-    {
-        // If the requested credential does not contain "credential_definition".
-        if (!requestedCredential.containsKey(KEY_CREDENTIAL_DEFINITION))
-        {
-            throw new InvalidCredentialRequestException(
-                    "The credential request does not contain 'credential_definition'.");
-        }
-
-        // The value of the "credential_definition" property.
-        Object value = requestedCredential.get(KEY_CREDENTIAL_DEFINITION);
-
-        // If the value of the "credential_definition" property is not a JSON object.
-        if (!(value instanceof Map))
-        {
-            throw new InvalidCredentialRequestException(
-                    "The value of the 'credential_definition' property in the credential request is not a JSON object.");
-        }
-
-        return (Map<String, Object>)value;
-    }
-
-
     private String extractVct(
-            Map<String, Object> credentialDefinition) throws InvalidCredentialRequestException
+            Map<String, Object> requestedCredential) throws InvalidCredentialRequestException
     {
-        // If the "credential_definition" does not contain "vct".
-        if (!credentialDefinition.containsKey(KEY_VCT))
+        // If the requested credential does not contain "vct".
+        if (!requestedCredential.containsKey(KEY_VCT))
         {
             throw new InvalidCredentialRequestException(
-                    "The 'credential_definition' object does not contain 'vct'.");
+                    "The credential request does not contain 'vct'.");
         }
 
         // The value of the "vct" property.
-        Object value = credentialDefinition.get(KEY_VCT);
+        Object value = requestedCredential.get(KEY_VCT);
 
         // If the value of the "vct" property is not a string.
         if (!(value instanceof String))
         {
             throw new InvalidCredentialRequestException(
-                    "The value of the 'vct' property in the 'credential_definition' object is not a string.");
+                    "The value of the 'vct' property in the credential request is not a string.");
         }
 
         return (String)value;
@@ -164,18 +123,17 @@ protected Map<String, Object> collectClaims(
             OrderContext context, User user, String format,
             Map<String, Object> requestedCredential) throws VerifiableCredentialException
     {
-        // The "credential_definition.vct" in the requested credential.
-        @SuppressWarnings("unchecked")
-        String vct = (String)((Map<String, Object>)requestedCredential.get(KEY_CREDENTIAL_DEFINITION)).get(KEY_VCT);
+        // The "vct" in the requested credential.
+        String vctId = (String)requestedCredential.get(KEY_VCT);
 
-        // Find a CredentialDefinitionType having the vct.
-        CredentialDefinitionType cdType = CredentialDefinitionType.byId(vct);
+        // Find a VerifiableCredentialType corresponding to the vct.
+        VerifiableCredentialType vct = VerifiableCredentialType.byId(vctId);
 
-        if (cdType == null)
+        if (vct == null)
         {
             // The credential type is not supported.
             throw new UnsupportedCredentialTypeException(String.format(
-                    "The credential type '%s' is not supported.", vct));
+                    "The credential type '%s' is not supported.", vctId));
         }
 
         // For testing purposes, the credential issuance for a certain user
@@ -191,14 +149,14 @@ protected Map<String, Object> collectClaims(
         Map<String, Object> claims = new LinkedHashMap<>();
 
         // "vct"
-        claims.put(KEY_VCT, vct);
+        claims.put(KEY_VCT, vctId);
 
         // "sub"
         claims.put(KEY_SUB, user.getSubject());
 
         // The CredentialDefinitionType has a set of claims.
         // For each claim in the set.
-        for (String claimName : cdType.getClaims())
+        for (String claimName : vct.getClaims())
         {
             // The value of the claim.
             Object claimValue = user.getClaim(claimName, null);