Fix preregistered wallet verifier request

Author: Johan Sellström

STATUS.md

@@ -1,5 +1,9 @@
 # Status
 
+- [x] Add the missing `client_id_scheme=pre-registered` fields to the wallet verifier flow
+- [x] Verify the wallet verifier request shape locally with tests
+- [x] Redeploy the public verifier and confirm the live wallet request JWT includes the preregistered client ID scheme
+
 - [x] Add a local demo-conductor package for the Village speed-build presentation
 - [x] Verify the demo-conductor build and unit tests locally
 - [x] Commit the demo-conductor changes

verifier/src/wallet-rp.ts

@@ -5,6 +5,7 @@ const SESSION_TTL_MS = 15 * 60_000
 const QR_SIZE = 280
 const EUDI_PID_VCTS = ['urn:eudi:pid:1']
 const LAB_AGE_VCTS = ['https://example.org/vct/age-credential']
+const PREREGISTERED_CLIENT_ID_SCHEME = 'pre-registered'
 
 export type WalletVerifierProfile = {
   baseUrl: string
@@ -55,6 +56,7 @@ export type WalletDirectPostBody = {
 
 export type WalletRequestObject = {
   client_id: string
+  client_id_scheme: 'pre-registered'
   response_uri: string
   response_type: 'vp_token'
   response_mode: 'direct_post'
@@ -117,12 +119,13 @@ export function createWalletSession(baseUrl: string, now = Date.now()): WalletRp
 }
 
 export function buildWalletDeepLink(clientId: string, requestUri: string) {
-  return `eudi-openid4vp://${clientId}?client_id=${encodeURIComponent(clientId)}&request_uri=${encodeURIComponent(requestUri)}`
+  return `eudi-openid4vp://${clientId}?client_id=${encodeURIComponent(clientId)}&client_id_scheme=${encodeURIComponent(PREREGISTERED_CLIENT_ID_SCHEME)}&request_uri=${encodeURIComponent(requestUri)}`
 }
 
 export function buildWalletRequestObject(session: WalletRpSession, walletNonce?: string): WalletRequestObject & { wallet_nonce?: string } {
   return {
     client_id: session.clientId,
+    client_id_scheme: PREREGISTERED_CLIENT_ID_SCHEME,
     response_uri: session.responseUri,
     response_type: 'vp_token',
     response_mode: 'direct_post',

verifier/test/wallet-request-signing.test.ts

@@ -28,6 +28,7 @@ test('wallet request signer embeds an x5c certificate for verifier.ipid.me', asy
   })
 
   assert.equal(verified.payload.client_id, 'verifier.ipid.me')
+  assert.equal(verified.payload.client_id_scheme, 'pre-registered')
   assert.equal(verified.payload.response_mode, 'direct_post')
 })
 

verifier/test/wallet-rp.test.ts

@@ -17,7 +17,7 @@ test('createWalletSession builds a preregistered deep link for the public verifi
   assert.match(session.resultUri, /^https:\/\/verifier\.ipid\.me\/wallet\/session\//)
   assert.match(
     session.deepLink,
-    /^eudi-openid4vp:\/\/verifier\.ipid\.me\?client_id=verifier\.ipid\.me&request_uri=https%3A%2F%2Fverifier\.ipid\.me%2Fwallet%2Frequest\.jwt%2F/
+    /^eudi-openid4vp:\/\/verifier\.ipid\.me\?client_id=verifier\.ipid\.me&client_id_scheme=pre-registered&request_uri=https%3A%2F%2Fverifier\.ipid\.me%2Fwallet%2Frequest\.jwt%2F/
   )
 })
 
@@ -26,6 +26,7 @@ test('buildWalletRequestObject asks for over-21 plus nationality with a fallback
   const request = buildWalletRequestObject(session)
 
   assert.equal(request.client_id, 'verifier.ipid.me')
+  assert.equal(request.client_id_scheme, 'pre-registered')
   assert.equal(request.response_uri, session.responseUri)
   assert.equal(request.response_type, 'vp_token')
   assert.equal(request.response_mode, 'direct_post')