pagopa
diff --git a/‎example/src/store/types.ts
Lines changed: 1 addition & 0 deletions b/‎example/src/store/types.ts
Lines changed: 1 addition & 0 deletions
diff --git a/‎example/src/thunks/pid.ts
Lines changed: 26 additions & 5 deletions b/‎example/src/thunks/pid.ts
Lines changed: 26 additions & 5 deletions
diff --git a/‎example/src/thunks/pidCieID.ts
Lines changed: 1 addition & 2 deletions b/‎example/src/thunks/pidCieID.ts
Lines changed: 1 addition & 2 deletions
diff --git a/‎example/src/utils/credential.ts
Lines changed: 29 additions & 13 deletions b/‎example/src/utils/credential.ts
Lines changed: 29 additions & 13 deletions
diff --git a/‎src/credential/issuance/03-start-user-authorization.ts
Lines changed: 51 additions & 33 deletions b/‎src/credential/issuance/03-start-user-authorization.ts
Lines changed: 51 additions & 33 deletions
@@ -58,6 +58,7 @@ type CredentialResultBase = {
   >["parsedCredential"];
   keyTag: string;
   credentialType: SupportedCredentials;
+  credentialConfigurationId: string;
 };
 
 /**
 
@@ -108,7 +108,7 @@ export const preparePidFlowParamsThunk = createAppAsyncThunk<
   // Start the issuance flow
   const startFlow: Credential.Issuance.StartFlow = () => ({
     issuerUrl: WALLET_PID_PROVIDER_BASE_URL,
-    credentialType: "PersonIdentificationData",
+    credentialType: "dc_sd_jwt_PersonIdentificationData",
   });
 
   const { issuerUrl, credentialType } = startFlow();
@@ -123,7 +123,7 @@ export const preparePidFlowParamsThunk = createAppAsyncThunk<
   const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
     await Credential.Issuance.startUserAuthorization(
       issuerConf,
-      credentialType,
+      [credentialType],
       {
         walletInstanceAttestation,
         redirectUri: redirectUri,
@@ -213,11 +213,31 @@ export const continuePidFlowThunk = createAppAsyncThunk<
     }
   );
 
-  const { credential, format } = await Credential.Issuance.obtainCredential(
+  const [pidCredentialDefinition] = credentialDefinition;
+
+  const { credential_configuration_id, credential_identifiers } =
+    accessToken.authorization_details.find(
+      (authDetails) =>
+        authDetails.credential_configuration_id ===
+        pidCredentialDefinition?.credential_configuration_id
+    ) ?? {};
+
+  // Get the first credential_identifier from the access token's authorization details
+  const [credential_identifier] = credential_identifiers ?? [];
+
+  if (!credential_configuration_id) {
+    throw new Error("No credential configuration ID found for PID");
+  }
+
+  // Get the credential identifier that was authorized
+  const { credential } = await Credential.Issuance.obtainCredential(
     issuerConf,
     accessToken,
     clientId,
-    credentialDefinition,
+    {
+      credential_configuration_id,
+      credential_identifier,
+    },
     {
       credentialCryptoContext,
       dPopCryptoContext,
@@ -229,7 +249,7 @@ export const continuePidFlowThunk = createAppAsyncThunk<
     await Credential.Issuance.verifyAndParseCredential(
       issuerConf,
       credential,
-      format,
+      credential_configuration_id,
       { credentialCryptoContext }
     );
 
@@ -238,5 +258,6 @@ export const continuePidFlowThunk = createAppAsyncThunk<
     credential,
     keyTag: credentialKeyTag,
     credentialType: "PersonIdentificationData",
+    credentialConfigurationId: credential_configuration_id,
   };
 });
@@ -53,7 +53,7 @@ export const getPidCieIDThunk = createAppAsyncThunk<
   const env = selectEnv(getState());
   const { WALLET_PID_PROVIDER_BASE_URL, REDIRECT_URI } = getEnv(env);
 
-  const { idpHint, credentialType } = args;
+  const { idpHint } = args;
   // Resets the credential state before obtaining a new PID
   dispatch(credentialReset());
   return await getPidCieID({
@@ -62,6 +62,5 @@ export const getPidCieIDThunk = createAppAsyncThunk<
     idpHint,
     walletInstanceAttestation,
     wiaCryptoContext,
-    credentialType,
   });
 });
@@ -29,15 +29,13 @@ export const getPidCieID = async ({
   redirectUri,
   idpHint,
   walletInstanceAttestation,
-  credentialType,
   wiaCryptoContext,
 }: {
   pidIssuerUrl: string;
   redirectUri: string;
   idpHint: string;
   walletInstanceAttestation: string;
   wiaCryptoContext: CryptoContext;
-  credentialType: "PersonIdentificationData";
 }): Promise<PidResult> => {
   /*
    * Create credential crypto context for the PID
@@ -50,11 +48,10 @@ export const getPidCieID = async ({
   // Start the issuance flow
   const startFlow: Credential.Issuance.StartFlow = () => ({
     issuerUrl: pidIssuerUrl,
-    credentialType: "PersonIdentificationData",
-    appFetch,
+    credentialType: "dc_sd_jwt_PersonIdentificationData",
   });
 
-  const { issuerUrl } = startFlow();
+  const { issuerUrl, credentialType } = startFlow();
 
   // Evaluate issuer trust
   const { issuerConf } = await Credential.Issuance.evaluateIssuerTrust(
@@ -66,7 +63,7 @@ export const getPidCieID = async ({
   const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
     await Credential.Issuance.startUserAuthorization(
       issuerConf,
-      credentialType,
+      [credentialType],
       {
         walletInstanceAttestation,
         redirectUri,
@@ -113,12 +110,28 @@ export const getPidCieID = async ({
     }
   );
 
+  const [pidCredentialDefinition] = credentialDefinition;
+
+  const { credential_configuration_id, credential_identifiers } =
+    accessToken.authorization_details.find(
+      (authDetails) =>
+        authDetails.credential_configuration_id ===
+        pidCredentialDefinition?.credential_configuration_id
+    ) ?? {};
+
+  // Get the first credential_identifier from the access token's authorization details
+  const [credential_identifier] = credential_identifiers ?? [];
+
+  if (!credential_configuration_id) {
+    throw new Error("No credential configuration ID found for PID");
+  }
+
   // Obtain che eID credential
-  const { credential, format } = await Credential.Issuance.obtainCredential(
+  const { credential } = await Credential.Issuance.obtainCredential(
     issuerConf,
     accessToken,
     clientId,
-    credentialDefinition,
+    { credential_configuration_id, credential_identifier },
     {
       credentialCryptoContext,
       dPopCryptoContext,
@@ -131,15 +144,16 @@ export const getPidCieID = async ({
     await Credential.Issuance.verifyAndParseCredential(
       issuerConf,
       credential,
-      format,
+      credential_configuration_id,
       { credentialCryptoContext }
     );
 
   return {
     parsedCredential,
     credential,
     keyTag: credentialKeyTag,
-    credentialType,
+    credentialType: "PersonIdentificationData",
+    credentialConfigurationId: credential_configuration_id,
   };
 };
 
@@ -189,10 +203,10 @@ export const getCredential = async ({
     await Credential.Issuance.evaluateIssuerTrust(issuerUrl);
 
   // Start user authorization
-  const { issuerRequestUri, clientId, codeVerifier, credentialDefinition } =
+  const { issuerRequestUri, clientId, codeVerifier } =
     await Credential.Issuance.startUserAuthorization(
       issuerConf,
-      credentialType,
+      [credentialType],
       {
         walletInstanceAttestation,
         redirectUri,
@@ -241,7 +255,8 @@ export const getCredential = async ({
     issuerConf,
     accessToken,
     clientId,
-    credentialDefinition,
+    // TODO: [SIW-2209] to fix in PR #219
+    { credential_configuration_id: "", credential_identifier: "" },
     {
       credentialCryptoContext,
       dPopCryptoContext,
@@ -263,6 +278,7 @@ export const getCredential = async ({
     credential,
     keyTag: credentialKeyTag,
     credentialType,
+    credentialConfigurationId: "", // TODO: [SIW-2209] to fix in PR #219
   };
 };
 
 
@@ -4,12 +4,11 @@ import { generateRandomAlphaNumericString, type Out } from "../../utils/misc";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import type { StartFlow } from "./01-start-flow";
 import { AuthorizationDetail, makeParRequest } from "../../utils/par";
-import { ASSERTION_TYPE } from "./const";
 import { LogLevel, Logger } from "../../utils/logging";
 
 export type StartUserAuthorization = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
-  credentialType: Out<StartFlow>["credentialType"],
+  credentialTypes: string[],
   context: {
     wiaCryptoContext: CryptoContext;
     walletInstanceAttestation: string;
@@ -20,18 +19,14 @@ export type StartUserAuthorization = (
   issuerRequestUri: string;
   clientId: string;
   codeVerifier: string;
-  credentialDefinition: AuthorizationDetail;
+  credentialDefinition: AuthorizationDetail[];
 }>;
 
 /**
  * Ensures that the credential type requested is supported by the issuer and contained in the
  * issuer configuration.
  * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
- * @param credentialType The type of the credential to be requested returned by {@link startFlow}
- * @param context.wiaCryptoContext The Wallet Instance's crypto context
- * @param context.walletInstanceAttestation The Wallet Instance's attestation
- * @param context.redirectUri The redirect URI which is the custom URL scheme that the Wallet Instance is registered to handle
- * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @param credentialType The type of the credential to be requested;
  * @returns The credential definition to be used in the request which includes the format and the type and its type
  */
 const selectCredentialDefinition = (
@@ -43,9 +38,8 @@ const selectCredentialDefinition = (
 
   const [result] = Object.keys(credential_configurations_supported)
     .filter((e) => e.includes(credentialType))
-    .map((e) => ({
+    .map(() => ({
       credential_configuration_id: credentialType,
-      format: credential_configurations_supported[e]!.format,
       type: "openid_credential" as const,
     }));
 
@@ -62,40 +56,61 @@ const selectCredentialDefinition = (
 /**
  * Ensures that the response mode requested is supported by the issuer and contained in the issuer configuration.
  * @param issuerConf The issuer configuration
- * @param credentialType The type of the credential to be requested
+ * @param credentialType The type of the credential(s) to be requested
  * @returns The response mode to be used in the request, "query" for PersonIdentificationData and "form_post.jwt" for all other types.
  */
 const selectResponseMode = (
   issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
-  credentialType: Out<StartFlow>["credentialType"]
+  credentialTypes: string[]
 ): ResponseMode => {
   const responseModeSupported =
     issuerConf.oauth_authorization_server.response_modes_supported;
 
-  const responseMode =
-    credentialType === "PersonIdentificationData" ? "query" : "form_post.jwt";
+  const responseModeSet = new Set<ResponseMode>();
+
+  for (const credentialType of credentialTypes) {
+    responseModeSet.add(
+      credentialType.match(/PersonIdentificationData/i)
+        ? "query"
+        : "form_post.jwt"
+    );
+  }
+
+  if (responseModeSet.size !== 1) {
+    Logger.log(
+      LogLevel.ERROR,
+      `${credentialTypes} have incompatible response_mode: ${[...responseModeSet.values()]}`
+    );
+    throw new Error(
+      "Requested credentials have incompatible response_mode and cannot be requested with the same PAR request"
+    );
+  }
+
+  const [responseMode] = responseModeSet.values();
 
   Logger.log(
     LogLevel.DEBUG,
-    `Selected response mode ${responseMode} for credential type ${credentialType}`
+    `Selected response mode ${responseMode} for credential type ${credentialTypes}`
   );
 
-  if (!responseModeSupported.includes(responseMode)) {
+  if (!responseModeSupported.includes(responseMode!)) {
     Logger.log(
       LogLevel.ERROR,
       `Requested response mode ${responseMode} is not supported by the issuer according to its configuration ${JSON.stringify(responseModeSupported)}`
     );
-    throw new Error(`No response mode support the type '${credentialType}'`);
+    throw new Error(`No response mode support the type '${credentialTypes}'`);
   }
 
-  return responseMode;
+  return responseMode!;
 };
 
 /**
  * WARNING: This function must be called after {@link evaluateIssuerTrust} and {@link startFlow}. The next steam is {@link compeUserAuthorizationWithQueryMode} or {@link compeUserAuthorizationWithFormPostJwtMode}
+ *
  * Creates and sends a PAR request to the /as/par endpoint of the authorization server.
  * This starts the authentication flow to obtain an access token.
- * This token enables the Wallet Instance to request a digital credential from the Credential Endpoint of the Credential Issuer.
+ * This token enables the Wallet Instance to request a digital credential from the Credential Endpoint of the Credential Issuer; when multiple credential types are passed,
+ * it is possible to use the same access token for the issuance of all requested credentials.
  * This is an HTTP POST request containing the Wallet Instance identifier (client id), the code challenge and challenge method as specified by PKCE according to RFC 9126
  * along with the WTE and its proof of possession (WTE-PoP).
  * Additionally, it includes a request object, which is a signed JWT encapsulating the type of digital credential requested (authorization_details),
@@ -105,13 +120,14 @@ const selectResponseMode = (
  * to the Wallet Instance's Token Endpoint to obtain the Access Token, and the redirectUri of the Wallet Instance where the Authorization Response
  * should be delivered. The redirect is achived by using a custom URL scheme that the Wallet Instance is registered to handle.
  * @param issuerConf The issuer configuration
- * @param credentialType The type of the credential to be requested returned by {@link selectCredentialDefinition}
+ * @param credentialTypes The type of the credential(s) to be requested
  * @param ctx The context object containing the Wallet Instance's cryptographic context, the Wallet Instance's attestation, the redirect URI and the fetch implementation
- * @returns The URI to which the end user should be redirected to start the authentication flow, along with the client id, the code verifier and the credential definition
+ * @returns The URI to which the end user should be redirected to start the authentication flow, along with the client id, the code verifier and the credential definition(s)
  */
+
 export const startUserAuthorization: StartUserAuthorization = async (
   issuerConf,
-  credentialType,
+  credentialTypes,
   ctx
 ) => {
   const {
@@ -122,6 +138,7 @@ export const startUserAuthorization: StartUserAuthorization = async (
   } = ctx;
 
   const clientId = await wiaCryptoContext.getPublicKey().then((_) => _.kid);
+
   if (!clientId) {
     Logger.log(
       LogLevel.ERROR,
@@ -132,22 +149,23 @@ export const startUserAuthorization: StartUserAuthorization = async (
   const codeVerifier = generateRandomAlphaNumericString(64);
   const parEndpoint =
     issuerConf.oauth_authorization_server.pushed_authorization_request_endpoint;
-  const credentialDefinition = selectCredentialDefinition(
-    issuerConf,
-    credentialType
+  const aud = issuerConf.openid_credential_issuer.credential_issuer;
+  const credentialDefinition = credentialTypes.map((c) =>
+    selectCredentialDefinition(issuerConf, c)
   );
-  const responseMode = selectResponseMode(issuerConf, credentialType);
-
+  const responseMode = selectResponseMode(issuerConf, credentialTypes);
   const getPar = makeParRequest({ wiaCryptoContext, appFetch });
   const issuerRequestUri = await getPar(
-    clientId,
-    codeVerifier,
-    redirectUri,
-    responseMode,
     parEndpoint,
     walletInstanceAttestation,
-    [credentialDefinition],
-    ASSERTION_TYPE
+    {
+      aud,
+      clientId,
+      codeVerifier,
+      redirectUri,
+      responseMode,
+      authorizationDetails: credentialDefinition,
+    }
   );
 
   return { issuerRequestUri, clientId, codeVerifier, credentialDefinition };