
Releases: eu-digital-identity-wallet/eudi-lib-jvm-openid4vci-kt

v0.12.0

19 Jun 13:23


Breaking changes and new features

Important

Previously, to obtain an instance of Issuer and use the library, users had to provide a ClientAttestationJWT, a Signer<JWK> for
the ClientAttestationPoPJWT, and a Signer<JWK> for DPoP Proofs.

This created a chicken-and-egg problem for callers, because all of these depend on the Authorization Server of the Credential Issuer, which is not known until the Credential Issuer's metadata has been resolved.
To solve this, the library now requires function implementations that provision the above on demand, receiving as context the Authorization Server of the Credential Issuer.

Attestation-Based Client Authentication

ClientAuthentication.AttestationBased now requires a ClientId and a ProvisionClientAttestation implementation.

Provisioning of the ClientAttestationJWT and of the Signer<JWK> for the ClientAttestationPoPJWT is now deferred and performed by the library
when first needed. During the operation, the library provides the Authorization Server being used as well as the preferred_client_status_period advertised by the Credential Issuer. Provisioning is performed only once.

The provisioned ClientAttestationJWT must be a valid Wallet Instance Attestation per ARF's Technical Specification 3.

Users no longer have to provide a ClientAttestationPoPJWTSpec.

DPoP

DPoP users must provide a ProvisionDPoPSigner implementation.

Provisioning is now deferred and performed by the library when first needed. During the operation, the library provides the Authorization Server being used. Provisioning is performed only once.
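The provision-once contract that both the client attestation and the DPoP hooks above follow, as an added illustration in Python (this is not the library's code and does not use its types; the ProvisionOnce class, the hypothetical provision_client_attestation callback and the Authorization Server URL are this example's own): the caller supplies a function that receives the Authorization Server as context, the provider invokes it at most once even under concurrent first use, and it refuses to hand an artefact provisioned for one Authorization Server to a caller asking for another.

```python
"""
Added illustration of deferred, provision-once behaviour. Not the library's code:
the class, callback and URLs below are this example's own assumptions.
"""
import asyncio
from typing import Awaitable, Callable, Generic, Optional, Tuple, TypeVar

T = TypeVar("T")


class ProvisionOnce(Generic[T]):
    """Memoizes a single provisioning call, keyed to the Authorization Server it was made for."""

    def __init__(self, provision: Callable[[str], Awaitable[T]]):
        self._provision = provision
        self._lock = asyncio.Lock()
        self._value: Optional[T] = None
        self._auth_server: Optional[str] = None

    async def get(self, authorization_server: str) -> T:
        # The lock serialises the first call; concurrent callers wait and then read the cache,
        # so the (possibly slow, possibly user-interactive) provisioning runs exactly once.
        async with self._lock:
            if self._value is None:
                self._value = await self._provision(authorization_server)
                self._auth_server = authorization_server
            elif self._auth_server != authorization_server:
                # Client attestations and DPoP signers are bound to one Authorization Server;
                # silently reusing them for a different one would be a security bug.
                raise RuntimeError(
                    f"provisioned for {self._auth_server}, requested for {authorization_server}"
                )
            return self._value


async def demo(concurrent_callers: int = 5) -> Tuple[int, str, bool]:
    """Return (number of provisioning calls, provisioned value, whether an AS mismatch was rejected)."""
    calls = 0

    async def provision_client_attestation(auth_server: str) -> str:
        # Hypothetical stand-in for the wallet backend round trip; returns an opaque token string.
        nonlocal calls
        calls += 1
        await asyncio.sleep(0.01)
        return f"wia-for-{auth_server}"

    provider: ProvisionOnce[str] = ProvisionOnce(provision_client_attestation)
    auth_server = "https://as.example.com"  # constructed
    results = await asyncio.gather(*(provider.get(auth_server) for _ in range(concurrent_callers)))
    try:
        await provider.get("https://other-as.example.com")  # constructed: a different AS
        mismatch_rejected = False
    except RuntimeError:
        mismatch_rejected = True
    return calls, results[0], mismatch_rejected


def run_demo() -> Tuple[int, str, bool]:
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```

The value is cached for the lifetime of the provider object, which is the lifetime of the Issuer instance in the library's model; a new Issuer gets a fresh provider and therefore a fresh provisioning call.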

Supported Proofs

Moving forward, the library will only support:

  • JWT Proofs that contain Key Attestation
  • Attestation Proofs

Per ARF's Technical Specification 3, only the following JWS Algorithms are supported:

  • ES256
  • ES384
  • ES512

Per ETSI TS 119 472-3 V1.1.1 Credential Issuers must support both JWT Proofs that contain Key Attestation and Attestation Proofs for all advertised Credential Configurations. The library will raise a validation error and abort issuance if the Credential Issuer doesn't abide by this requirement.

Users can configure which Proofs, and JWS Algorithms their Wallet supports using ProofsConfig.

Using ProofsConfig, users can configure whether:

  • issuance of Attestations that require no proofs is supported
  • issuance of Attestations that require JWT Proofs is supported, alongside the supported JWS Algorithms
  • issuance of Attestations that require Attestation Proofs is supported, alongside the supported JWS Algorithms

By default, the library uses a ProofsConfig that:

  • supports issuance of Attestations that require no proofs
  • supports issuance of Attestations that require JWT Proofs using ES256, ES384, or ES512
  • supports issuance of Attestations that require Attestation Proofs using ES256, ES384, or ES512
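The metadata check described above (both proof types for every Credential Configuration, key attestation required for JWT Proofs, ES256/ES384/ES512 only, intersected with what the wallet enables), as an added stand-alone example in Python. It is not the library's code: the policy dictionary only mirrors the default ProofsConfig described above, the metadata is constructed in the OpenID4VCI 1.0 shape (credential_configurations_supported, proof_types_supported, proof_signing_alg_values_supported, key_attestations_required), and the issuer URL and configuration identifiers are invented.

```python
"""
Added check, not the library's code: validate a Credential Issuer's advertised proof
types and JWS algorithms against the rules in the release notes and a wallet policy.
"""
import json
from typing import Dict, Tuple

# JWS algorithms permitted by ARF Technical Specification 3 (per the notes above)
ALLOWED_ALGS = {"ES256", "ES384", "ES512"}

# Wallet policy mirroring the default ProofsConfig described above.
# The dictionary shape is this example's own, not the library's ProofsConfig type.
DEFAULT_POLICY = {
    "no_proof": True,
    "jwt": {"ES256", "ES384", "ES512"},
    "attestation": {"ES256", "ES384", "ES512"},
}


class IssuerMetadataError(ValueError):
    """Raised when the issuer metadata violates the proof requirements; issuance must abort."""


def check_proof_support(metadata: dict, policy: dict = DEFAULT_POLICY) -> Dict[str, dict]:
    """Return {configuration_id: {proof_type: [usable algorithms]}} or raise IssuerMetadataError.

    Rules applied:
      * a configuration that requires proofs must advertise BOTH 'jwt' and 'attestation';
      * the 'jwt' proof type must require key attestations (OpenID4VCI 1.0
        'key_attestations_required');
      * only ES256/ES384/ES512 count, and at least one must also be enabled in the policy.
    A configuration without 'proof_types_supported' requires no proof (OpenID4VCI 1.0);
    whether that is acceptable is decided by policy['no_proof'].
    """
    usable_by_config: Dict[str, dict] = {}
    for config_id, config in metadata["credential_configurations_supported"].items():
        proof_types = config.get("proof_types_supported")
        if not proof_types:
            if not policy["no_proof"]:
                raise IssuerMetadataError(f"{config_id}: proof-less issuance disabled by wallet policy")
            usable_by_config[config_id] = {}
            continue

        usable = {}
        for proof_type in ("jwt", "attestation"):
            if proof_type not in proof_types:
                raise IssuerMetadataError(f"{config_id}: proof type '{proof_type}' not advertised")
            advertised = set(proof_types[proof_type].get("proof_signing_alg_values_supported", []))
            algs = advertised & ALLOWED_ALGS & policy[proof_type]
            if not algs:
                raise IssuerMetadataError(
                    f"{config_id}: no mutually supported JWS algorithm for '{proof_type}'"
                )
            usable[proof_type] = sorted(algs)
        if "key_attestations_required" not in proof_types["jwt"]:
            raise IssuerMetadataError(f"{config_id}: 'jwt' proofs must require a key attestation")
        usable_by_config[config_id] = usable
    return usable_by_config


# Constructed sample metadata in OpenID4VCI 1.0 shape (not from any real issuer).
GOOD_METADATA = json.loads("""{
  "credential_issuer": "https://issuer.example.com",
  "credential_configurations_supported": {
    "example_pid_sd_jwt": {
      "format": "dc+sd-jwt",
      "proof_types_supported": {
        "jwt": {
          "proof_signing_alg_values_supported": ["ES256", "RS256"],
          "key_attestations_required": {"key_storage": ["iso_18045_high"]}
        },
        "attestation": {"proof_signing_alg_values_supported": ["ES384", "ES256"]}
      }
    },
    "example_no_proof": {"format": "dc+sd-jwt"}
  }
}""")

# Same issuer, but one configuration omits the attestation proof type: must be rejected.
BAD_METADATA = json.loads(json.dumps(GOOD_METADATA))
del BAD_METADATA["credential_configurations_supported"]["example_pid_sd_jwt"]["proof_types_supported"]["attestation"]


def run_demo() -> Tuple[dict, str]:
    """Return the usable proofs for GOOD_METADATA and the error message for BAD_METADATA."""
    good = check_proof_support(GOOD_METADATA)
    try:
        check_proof_support(BAD_METADATA)
        error = ""
    except IssuerMetadataError as exc:
        error = str(exc)
    return good, error


if __name__ == "__main__":
    print(run_demo())
```

RS256 in the constructed metadata is filtered out rather than rejected: an issuer may advertise extra algorithms for other wallets, but the wallet must never select one outside ES256/ES384/ES512.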

JWT Proofs with Key Attestation (ProofSpecification.JwtProof)

Users:

  1. no longer have to provide keyIndex
  2. must provide a function to provision a Signer<KeyAttestationJWT>.

The library calls this function when needed, providing a Nonce value (if the Credential Issuer advertises a nonce_endpoint)
alongside the advertised preferred_key_storage_status_period.

Per ETSI TS 119 472-3 V1.1.1, the provisioned Signer must correspond to the first entry in the attested_keys array of the KeyAttestationJWT.

The provisioned KeyAttestationJWT must be a valid Key Attestation per ARF's Technical Specification 3.

Attestation Proofs (ProofSpecification.AttestationProof)

Users must provide a function to provision a KeyAttestationJWT.

The library calls this function when needed, providing a Nonce value (if the Credential Issuer advertises a nonce_endpoint)
alongside the advertised preferred_key_storage_status_period.

The provisioned KeyAttestationJWT must be a valid Key Attestation per ARF's Technical Specification 3.

Credential Request

Per ETSI TS 119 472-3 V1.1.1, a Credential Request may contain either a single JWT Proof, or a single Attestation Proof.

To request the issuance of multiple instances of a Credential, users must provision a KeyAttestationJWT whose attested_keys array contains one key per requested instance.
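Two rules above are easy to get wrong on the wallet side: the provisioned Signer must be the first entry of attested_keys, and the number of attested keys determines how many instances one proof can request. The following added Python example (not the library's code; the key attestation, the nonce and the EC coordinates are constructed fixtures, not real keys or real issuer data) checks a provisioned signer against a KeyAttestationJWT by RFC 7638 JWK thumbprint, checks the nonce claim against the value handed out by the issuer, and reports how many instances the attestation covers. Signature verification of the attestation itself against the wallet provider's trust anchor is out of scope here.

```python
"""
Added check, not the library's code: confirm that the signer's public key is
attested_keys[0] of a KeyAttestationJWT and that the attestation carries the
issuer's nonce. Fixtures below are constructed; the EC coordinates are not curve points.
"""
import base64
import hashlib
import json
from typing import Optional, Tuple

EC_CURVES = {"P-256", "P-384", "P-521"}   # curves behind ES256/ES384/ES512


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def ec_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required EC members only, lexicographically ordered, no whitespace."""
    if jwk.get("kty") != "EC" or jwk.get("crv") not in EC_CURVES:
        raise ValueError("only EC keys on P-256/P-384/P-521 are acceptable")
    canonical = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def decode_claims(compact_jws: str) -> dict:
    """Decode (without verifying) the payload of a compact JWS."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def check_signer_against_attestation(key_attestation_jwt: str, signer_public_jwk: dict,
                                     expected_nonce: Optional[str] = None) -> int:
    """Return len(attested_keys) after checking that the signer's key is attested_keys[0]
    and that the nonce matches. Raises ValueError on any mismatch."""
    claims = decode_claims(key_attestation_jwt)
    attested = claims.get("attested_keys")
    if not attested:
        raise ValueError("attested_keys missing or empty")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("key attestation nonce does not match the issuer nonce")
    if ec_thumbprint(attested[0]) != ec_thumbprint(signer_public_jwk):
        raise ValueError("signer key is not the first entry of attested_keys")
    return len(attested)


# --- constructed fixtures (synthetic coordinates, placeholder signature) ---
def fake_p256_jwk(seed: int) -> dict:
    return {"kty": "EC", "crv": "P-256",
            "x": b64url(seed.to_bytes(32, "big")), "y": b64url((seed + 1).to_bytes(32, "big"))}


def unsigned_key_attestation(claims: dict) -> str:
    """Compact JWS with a placeholder signature; sufficient for decoding in this example."""
    header = b64url(json.dumps({"typ": "keyattestation+jwt", "alg": "ES256"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'placeholder')}"


KEY_A, KEY_B = fake_p256_jwk(1), fake_p256_jwk(2)
ISSUER_NONCE = "nonce-from-nonce-endpoint"   # constructed
ATTESTATION = unsigned_key_attestation({
    "iss": "https://wallet-provider.example.com",
    "iat": 1700000000,
    "nonce": ISSUER_NONCE,
    "attested_keys": [KEY_A, KEY_B],    # two instances of the credential can be requested
})


def run_demo() -> Tuple[int, str]:
    """Correct signer passes (returns 2); using the second attested key as signer must fail."""
    instances = check_signer_against_attestation(ATTESTATION, KEY_A, ISSUER_NONCE)
    try:
        check_signer_against_attestation(ATTESTATION, KEY_B, ISSUER_NONCE)
        failure = ""
    except ValueError as exc:
        failure = str(exc)
    return instances, failure


if __name__ == "__main__":
    print(run_demo())
```

Comparing thumbprints rather than raw JWK objects avoids false mismatches caused by optional members (kid, alg, use) that a key store may add to the signer's JWK but the attester omits.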

Configuration

OpenId4VCIConfig has been updated as follows:

  1. dPoPUsage: DPoPUsage is now dPoPUsage: DPoPUsageOption with DPoPUsageOption = DPoPUsage<DPoPConfig>
  2. clientAttestationPoPBuilder: ClientAttestationPoPBuilder has been dropped
  3. proofs: ProofsConfig has been added to allow users to configure supported Proofs and JWS Algorithms

What's Changed

  • Development of release/0.12.0 by @babisRoutis in #536
    • Align ClientAttestation JWT claims with Wallet Instance Attestation by @dzarras in #500
    • Update KeyAttestation according to TS3 v1.5 and IA by @dzarras in #531
    • Refactor ClientAttestation JWT provisioning when ClientAuthentication.AttestationBased is used by @dzarras and @babisRoutis in #528
    • Parse and provide preferred_client_status_period by @dzarras in #532
    • Use Attestation Based Client Authentication in pid-issuer tests by @dzarras in #538
    • Make DPoP independent of ClientAuthentication by @dzarras in #544
    • Defer Client Attestation provisioning by @dzarras in #547
    • Support only JWT Proof + Key Attestation, and Attestation Proof by @dzarras in #512
    • Use Selenium to run PidDevIssuer tests by @dzarras in #549
    • Rename and document default value for ProofsConfig by @dzarras in #550
    • Rename ProofsSpecification to ProofSpecification and update README and examples by @dzarras in #551

Full Changelog: v0.11.1...v0.12.0

v0.11.1

16 Jun 07:15


What's Changed

  • Bump sonarsource/sonarqube-scan-action from 8.0.0 to 8.1.0 in the actions group by @dependabot[bot] in #537
  • Add a configuration option to allow disabling Authorization Code DPoP binding by @dzarras in #548
  • Bump sonarsource/sonarqube-scan-action from 8.1.0 to 8.2.0 in the actions group across 1 directory by @dependabot[bot] in #546

Full Changelog: v0.11.0...v0.11.1

v0.11.0

05 May 08:23


What's Changed

  • Implemented credential reuse policies per credential configuration by @gdimtsas in #529
  • Limit signing algorithms for WIA to ECDSA by @dzarras in #497
  • Narrow the encryption algorithms for credential request/response encryption by @atsant in #526

Full Changelog: v0.10.1...v0.11.0

v0.10.1

29 Apr 07:30


What's Changed

  • Expose a way for clients to manually refresh access tokens by @dzarras in #523

Full Changelog: v0.10.0...v0.10.1

v0.10.0

09 Apr 08:59


Important

This release upgrades:

  1. Kotlin to 2.2.21
  2. Ktor to 3.3.3
  3. KotlinX Serialization to 1.9.0
  4. Nimbus OIDC SDK to 11.37

More information is available in #513

What's Changed

  • Add support in examples for issuing Learning Credentials by @dzarras in #479
  • Bump actions/checkout from 5 to 6 in the actions group by @dependabot[bot] in #480
  • Ensure credential identifiers are used, if provided by @atsant in #486
  • Bump sonarsource/sonarqube-scan-action from 6.0.0 to 7.0.0 in the actions group by @dependabot[bot] in #487
  • Remove redundant information from readme by @dzarras in #488
  • Cleanup MsoMdocCredential and update credential_signing_alg_values_supported handling by @dzarras in #490
  • Update copyright and security dates by @atsant in #493
  • Add information about X509Certificates by @dzarras in #495
  • Bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #506
  • Introduce an explicit policy for DPoP usage by @dzarras in #503
  • Improve guards around illegal states when using DPoP by @dzarras in #505
  • Remove gradle wrapper validation and update setup gradle by @atsant in #511
  • Release/0.10.0 by @dzarras in #513

Full Changelog: v0.9.1...v0.10.0

v0.9.1

24 Oct 09:30


What's Changed

  • Bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #472
  • Migrate to Dokka v2 by @dzarras in #474
  • Ignore ContentType parameters when checking the ContentType during Credential Issuer Metadata resolution by @dzarras in #477

Full Changelog: v0.9.0...v0.9.1

v0.9.0

30 Sep 14:06


What's New

Alignment with OpenID4VCI 1.0 🎉

What's Changed

  • Bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #454
  • Bump Sonarqube scan GitHub action to 5.3.1 by @atsant in #457
  • Improve reliability and maintainability by @atsant in #458
  • Bump actions/setup-node from 4 to 5 in the actions group by @dependabot[bot] in #460
  • Bump sonarsource/sonarqube-scan-action from 5.3.1 to 6.0.0 in the actions group by @dependabot[bot] in #466
  • Draft 17 by @vafeini in #462
    • Issuer metadata updates in structure and retrieval by @vafeini in #448
    • Updates on issuance and deferred issuance request and response payloads by @vafeini in #451
    • Dpop nonce from nonce endpoint and algs validation by @vafeini in #453
    • Add TransactionId in DeferredCredentialQueryOutcome.IssuancePending by @dzarras in #461
    • Encrypted Requests by @vafeini in #452
    • Update Attestation-Based Client Authentication support (Draft 7) by @dzarras in #465
    • Replace runCatching by @atsant in #468
    • Update spec links and supported features by @dzarras in #469

Full Changelog: v0.8.2...v0.9.0

v0.8.2

26 Aug 12:27


What's Changed

Full Changelog: v0.8.1...v0.8.2

v0.8.1

26 Aug 11:57


What's Changed

Full Changelog: v0.8.0...v0.8.1

v0.8.0

04 Aug 12:31


What's Changed

  • Add support for issuing EHIC in examples for pid-issuer by @dzarras in #427
  • Improve test cases to allow testing batch issuance multiple times. by @dzarras in #428
  • Remove timeout from examples. by @dzarras in #429
  • Bump sonarsource/sonarqube-scan-action from 5.2 to 5.3 in the actions group by @dependabot[bot] in #435
  • Release 0.8.0 - Support Key Attestation in JWT Proofs and attestation proof type by @gdimtsas in #433

Breaking Changes

  • The PopSigner interface has been removed and replaced by the more generic Signer and BatchSigner abstractions.
  • OpenId4VCIConfig.dPoPSigner is no longer a PopSigner.Jwt; it is a Signer<JWK>.
  • The public API for issuance requests has changed. RequestIssuance.request() now takes a ProofsSpecification instead of a list of PopSigners. ProofsSpecification defines the type of proof(s) the caller intends to create for the specific issuance request, along with the required mechanics (signer(s), key attestation providers).
  • Creating an Issuer no longer requires an HttpClient factory method; the caller passes an already-created HttpClient.

Full Changelog: v0.7.1...v0.8.0