eu-digital-identity-wallet
diff --git a/‎README.md‎
Lines changed: 66 additions & 0 deletions b/‎README.md‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎docs/index.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/index.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-custom/-custom.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-custom/-custom.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-custom/create-key-settings-builder.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-custom/create-key-settings-builder.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-custom/index.md‎
Lines changed: 75 additions & 0 deletions b/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-custom/index.md‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-custom/key-unlock-data-provider.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-custom/key-unlock-data-provider.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-custom/secure-area.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-custom/secure-area.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-default/index.md‎
Lines changed: 34 additions & 0 deletions b/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-default/index.md‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-disabled/index.md‎
Lines changed: 19 additions & 0 deletions b/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/-disabled/index.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/index.md‎
Lines changed: 60 additions & 0 deletions b/‎docs/wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/-d-pop-config/index.md‎
Lines changed: 60 additions & 0 deletions
@@ -963,6 +963,72 @@ openId4VciManager.issueDeferredDocument(deferredDocument) { result ->
 }
 ```
 
+#### Credential Re-Issuance
+
+The library supports re-issuing previously issued credentials without requiring the user to go
+through the full authorization flow again. After a credential is successfully issued, the library
+automatically stores the authorization context. This metadata
+enables subsequent re-issuance using the stored refresh token.
+
+##### Interactive Re-Issuance (User-Triggered)
+
+Use this when the user explicitly triggers a credential refresh. If the stored tokens have expired, the library falls back to a full OAuth authorization flow:
+
+```kotlin
+val openId4VciManager = wallet.createOpenId4VciManager()
+
+openId4VciManager.reissueDocument(documentId) { event ->
+    when (event) {
+        is IssueEvent.Started -> {
+            // Re-issuance process started
+        }
+        is IssueEvent.DocumentIssued -> {
+            // New credential issued successfully
+            // The old document is automatically deleted
+        }
+        is IssueEvent.DocumentDeferred -> {
+            // Credential issuance is deferred (server-side processing)
+            // Old document remains until the deferred credential is issued
+        }
+        is IssueEvent.Failure -> {
+            // Re-issuance failed
+            val cause = event.cause
+        }
+        is IssueEvent.Finished -> {
+            // Re-issuance process completed
+        }
+        else -> {}
+    }
+}
+```
+
+##### Background Re-Issuance
+
+For performing re-issuance in the background, pass `allowAuthorizationFallback = false` to `reissueDocument()` if you want
+to prevent the library from triggering the authorization flow if the refresh token is no longer valid (default implementation is opening a browser). In this scenario a `ReissuanceAuthorizationException` is delivered via
+`IssueEvent.Failure`:
+
+```kotlin
+openId4VciManager.reissueDocument(
+    documentId = documentId,
+    allowAuthorizationFallback = false,
+) { event ->
+    when (event) {
+        is IssueEvent.Failure -> {
+            if (event.cause is ReissuanceAuthorizationException) {
+                // Tokens expired — ReIssuance failed
+            } else {
+                // Other error
+            }
+        }
+        is IssueEvent.DocumentIssued -> {
+            // Successfully re-issued in background
+        }
+        else -> {}
+    }
+}
+```
+
 #### DPoP Support
 
 DPoP (Demonstrating Proof-of-Possession) is a security mechanism that cryptographically binds OAuth
 
@@ -10,6 +10,8 @@
 | [eu.europa.ec.eudi.wallet.dcapi](wallet-core/eu.europa.ec.eudi.wallet.dcapi/index.md) |
 | [eu.europa.ec.eudi.wallet.document](wallet-core/eu.europa.ec.eudi.wallet.document/index.md) |
 | [eu.europa.ec.eudi.wallet.issue.openid4vci](wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci/index.md) |
+| [eu.europa.ec.eudi.wallet.issue.openid4vci.dpop](wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.dpop/index.md) |
+| [eu.europa.ec.eudi.wallet.issue.openid4vci.reissue](wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.reissue/index.md) |
 | [eu.europa.ec.eudi.wallet.issue.openid4vci.transformations](wallet-core/eu.europa.ec.eudi.wallet.issue.openid4vci.transformations/index.md) |
 | [eu.europa.ec.eudi.wallet.logging](wallet-core/eu.europa.ec.eudi.wallet.logging/index.md) |
 | [eu.europa.ec.eudi.wallet.presentation](wallet-core/eu.europa.ec.eudi.wallet.presentation/index.md) |
 
@@ -0,0 +1,6 @@
+//[wallet-core](../../../../index.md)/[eu.europa.ec.eudi.wallet.issue.openid4vci.dpop](../../index.md)/[DPopConfig](../index.md)/[Custom](index.md)/[Custom](-custom.md)
+
+# Custom
+
+[androidJvm]\
+constructor(secureArea: SecureArea, createKeySettingsBuilder: ([List](https://kotlinlang.org/api/latest/jvm/stdlib/kotlin-stdlib/kotlin.collections/-list/index.html)&lt;Algorithm&gt;) -&gt; CreateKeySettings, keyUnlockDataProvider: [KeyUnlockDataProvider](../../-key-unlock-data-provider/index.md) = KeyUnlockDataProvider.None)
@@ -0,0 +1,6 @@
+//[wallet-core](../../../../index.md)/[eu.europa.ec.eudi.wallet.issue.openid4vci.dpop](../../index.md)/[DPopConfig](../index.md)/[Custom](index.md)/[createKeySettingsBuilder](create-key-settings-builder.md)
+
+# createKeySettingsBuilder
+
+[androidJvm]\
+val [createKeySettingsBuilder](create-key-settings-builder.md): ([List](https://kotlinlang.org/api/latest/jvm/stdlib/kotlin-stdlib/kotlin.collections/-list/index.html)&lt;Algorithm&gt;) -&gt; CreateKeySettings
@@ -0,0 +1,75 @@
+//[wallet-core](../../../../index.md)/[eu.europa.ec.eudi.wallet.issue.openid4vci.dpop](../../index.md)/[DPopConfig](../index.md)/[Custom](index.md)
+
+# Custom
+
+[androidJvm]\
+data class [Custom](index.md)(val secureArea: SecureArea, val createKeySettingsBuilder: ([List](https://kotlinlang.org/api/latest/jvm/stdlib/kotlin-stdlib/kotlin.collections/-list/index.html)&lt;Algorithm&gt;) -&gt; CreateKeySettings, val keyUnlockDataProvider: [KeyUnlockDataProvider](../../-key-unlock-data-provider/index.md) = KeyUnlockDataProvider.None) : [DPopConfig](../index.md)
+
+Custom DPoP configuration using a specific secure area.
+
+This configuration allows full control over how DPoP keys are created and stored. The algorithms for key creation are automatically selected based on what both the authorization server and the secure area support.
+
+## How It Works
+
+1. 
+   The library checks the authorization server's supported DPoP algorithms
+2. 
+   It finds all algorithms supported by both server and [secureArea](secure-area.md)
+3. 
+   The list of matched algorithms is passed to [createKeySettingsBuilder](create-key-settings-builder.md)
+4. 
+   Your builder function selects an appropriate algorithm from the list
+5. 
+   A DPoP key is created using the returned settings
+6. 
+   The key is used to sign all DPoP proofs during issuance
+
+## Example with Custom Secure Area
+
+```kotlin
+val customConfig = DPopConfig.Custom(
+    secureArea = myCloudSecureArea,
+    createKeySettingsBuilder = { algorithms ->
+        val algorithm = algorithms.first() // Select the first supported algorithm
+        CloudKeySettings.Builder()
+            .setAlgorithm(algorithm)
+            .setKeyName("dpop_key")
+            .setRequireUserAuth(true)
+            .build()
+    }
+)
+```
+
+## Example with Android Keystore
+
+```kotlin
+val androidConfig = DPopConfig.Custom(
+    secureArea = AndroidKeystoreSecureArea.create(storage),
+    createKeySettingsBuilder = { algorithms ->
+        // Select the first signing algorithm from the list
+        val algorithm = algorithms.firstOrNull { it.isSigning }
+            ?: throw IllegalStateException("No signing algorithm available")
+        AndroidKeystoreCreateKeySettings.Builder(attestationChallenge)
+            .setAlgorithm(algorithm) // e.g., ES256, ES384, ES512
+            .setUserAuthenticationRequired(true, 30_000, setOf(
+                UserAuthenticationType.BIOMETRIC
+            ))
+            .setUseStrongBox(true)
+            .build()
+    }
+)
+```
+
+## Constructors
+
+| | |
+|---|---|
+| [Custom](-custom.md) | [androidJvm]<br>constructor(secureArea: SecureArea, createKeySettingsBuilder: ([List](https://kotlinlang.org/api/latest/jvm/stdlib/kotlin-stdlib/kotlin.collections/-list/index.html)&lt;Algorithm&gt;) -&gt; CreateKeySettings, keyUnlockDataProvider: [KeyUnlockDataProvider](../../-key-unlock-data-provider/index.md) = KeyUnlockDataProvider.None) |
+
+## Properties
+
+| Name | Summary |
+|---|---|
+| [createKeySettingsBuilder](create-key-settings-builder.md) | [androidJvm]<br>val [createKeySettingsBuilder](create-key-settings-builder.md): ([List](https://kotlinlang.org/api/latest/jvm/stdlib/kotlin-stdlib/kotlin.collections/-list/index.html)&lt;Algorithm&gt;) -&gt; CreateKeySettings<br>A function that creates CreateKeySettings from a list of     supported algorithms. The algorithms parameter contains all algorithms that are     supported by both the authorization server and the secure area. Your implementation     should select an appropriate algorithm from this list and return valid settings for     creating a key with that algorithm. |
+| [keyUnlockDataProvider](key-unlock-data-provider.md) | [androidJvm]<br>val [keyUnlockDataProvider](key-unlock-data-provider.md): [KeyUnlockDataProvider](../../-key-unlock-data-provider/index.md)<br>A [KeyUnlockDataProvider](../../-key-unlock-data-provider/index.md) that provides KeyUnlockData for unlocking     the DPoP key when performing signing operations. This is invoked each time a DPoP proof     needs to be signed. The provider receives the key alias and secure area as parameters     and should return the appropriate unlock data, or null if no unlock is required. |
+| [secureArea](secure-area.md) | [androidJvm]<br>val [secureArea](secure-area.md): SecureArea<br>The secure area where DPoP keys are stored and managed.     Must support at least one signing algorithm (e.g., ES256, ES384, ES512). |
@@ -0,0 +1,6 @@
+//[wallet-core](../../../../index.md)/[eu.europa.ec.eudi.wallet.issue.openid4vci.dpop](../../index.md)/[DPopConfig](../index.md)/[Custom](index.md)/[keyUnlockDataProvider](key-unlock-data-provider.md)
+
+# keyUnlockDataProvider
+
+[androidJvm]\
+val [keyUnlockDataProvider](key-unlock-data-provider.md): [KeyUnlockDataProvider](../../-key-unlock-data-provider/index.md)
@@ -0,0 +1,6 @@
+//[wallet-core](../../../../index.md)/[eu.europa.ec.eudi.wallet.issue.openid4vci.dpop](../../index.md)/[DPopConfig](../index.md)/[Custom](index.md)/[secureArea](secure-area.md)
+
+# secureArea
+
+[androidJvm]\
+val [secureArea](secure-area.md): SecureArea
@@ -0,0 +1,34 @@
+//[wallet-core](../../../../index.md)/[eu.europa.ec.eudi.wallet.issue.openid4vci.dpop](../../index.md)/[DPopConfig](../index.md)/[Default](index.md)
+
+# Default
+
+[androidJvm]\
+data object [Default](index.md) : [DPopConfig](../index.md)
+
+Default DPoP configuration using Android Keystore.
+
+This configuration automatically sets up DPoP with sensible defaults:
+
+- 
+   Keys stored in Android Keystore
+- 
+   Storage in app's no-backup files directory
+- 
+   StrongBox support when available
+- 
+   No user authentication required for key usage
+- 
+   Algorithm automatically negotiated with the server
+
+The actual configuration is created lazily when needed by calling make.
+
+## Example
+
+```kotlin
+val openId4VciConfig = OpenId4VciManager.Config.Builder()
+    .withIssuerUrl("https://issuer.com")
+    .withClientId("client-id")
+    .withAuthFlowRedirectionURI("app://callback")
+    .withDPopConfig(DPopConfig.Default)
+    .build()
+```
@@ -0,0 +1,19 @@
+//[wallet-core](../../../../index.md)/[eu.europa.ec.eudi.wallet.issue.openid4vci.dpop](../../index.md)/[DPopConfig](../index.md)/[Disabled](index.md)
+
+# Disabled
+
+[androidJvm]\
+data object [Disabled](index.md) : [DPopConfig](../index.md)
+
+DPoP is disabled.
+
+When this configuration is used, no DPoP proofs are generated or sent during credential issuance. Access tokens will not be bound to cryptographic keys.
+
+Use this when:
+
+- 
+   The authorization server does not support DPoP
+- 
+   DPoP is not required for your use case
+- 
+   Testing without DPoP protection
@@ -0,0 +1,60 @@
+//[wallet-core](../../../index.md)/[eu.europa.ec.eudi.wallet.issue.openid4vci.dpop](../index.md)/[DPopConfig](index.md)
+
+# DPopConfig
+
+sealed interface [DPopConfig](index.md)
+
+Configuration for DPoP (Demonstrating Proof-of-Possession) in OpenID4VCI credential issuance.
+
+DPoP is a security mechanism that binds OAuth 2.0 access tokens to cryptographic keys, preventing token theft and replay attacks. This sealed interface defines the available DPoP configuration options for credential issuance flows.
+
+## Available Configurations
+
+- 
+   [Disabled](-disabled/index.md) - DPoP is not used
+- 
+   [Default](-default/index.md) - Uses Android Keystore with default settings
+- 
+   [Custom](-custom/index.md) - Uses a custom secure area with custom key settings
+
+## Example Usage
+
+```kotlin
+// Disable DPoP
+val config = DPopConfig.Disabled
+
+// Use default configuration
+val config = DPopConfig.Default
+
+// Use custom secure area
+val config = DPopConfig.Custom(
+    secureArea = mySecureArea,
+    createKeySettingsBuilder = { algorithms ->
+        MyCreateKeySettings(algorithms.first())
+    }
+)
+```
+
+#### See also
+
+| |
+|---|
+| [DPopConfig.Disabled](-disabled/index.md) |
+| [DPopConfig.Default](-default/index.md) |
+| [DPopConfig.Custom](-custom/index.md) |
+
+#### Inheritors
+
+| |
+|---|
+| [Disabled](-disabled/index.md) |
+| [Default](-default/index.md) |
+| [Custom](-custom/index.md) |
+
+## Types
+
+| Name | Summary |
+|---|---|
+| [Custom](-custom/index.md) | [androidJvm]<br>data class [Custom](-custom/index.md)(val secureArea: SecureArea, val createKeySettingsBuilder: ([List](https://kotlinlang.org/api/latest/jvm/stdlib/kotlin-stdlib/kotlin.collections/-list/index.html)&lt;Algorithm&gt;) -&gt; CreateKeySettings, val keyUnlockDataProvider: [KeyUnlockDataProvider](../-key-unlock-data-provider/index.md) = KeyUnlockDataProvider.None) : [DPopConfig](index.md)<br>Custom DPoP configuration using a specific secure area. |
+| [Default](-default/index.md) | [androidJvm]<br>data object [Default](-default/index.md) : [DPopConfig](index.md)<br>Default DPoP configuration using Android Keystore. |
+| [Disabled](-disabled/index.md) | [androidJvm]<br>data object [Disabled](-disabled/index.md) : [DPopConfig](index.md)<br>DPoP is disabled. |