inrupt
diff --git a/‎CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/common/providerConfig.mock.ts‎
Lines changed: 36 additions & 0 deletions b/‎src/common/providerConfig.mock.ts‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎src/common/providerConfig.test.ts‎
Lines changed: 94 additions & 0 deletions b/‎src/common/providerConfig.test.ts‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎src/common/providerConfig.ts‎
Lines changed: 108 additions & 0 deletions b/‎src/common/providerConfig.ts‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎src/fetch/index.test.ts‎
Lines changed: 1 addition & 4 deletions b/‎src/fetch/index.test.ts‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎src/fetch/index.ts‎
Lines changed: 3 additions & 6 deletions b/‎src/fetch/index.ts‎
Lines changed: 3 additions & 6 deletions
diff --git a/‎src/gConsent/constants.ts‎
Lines changed: 3 additions & 27 deletions b/‎src/gConsent/constants.ts‎
Lines changed: 3 additions & 27 deletions
diff --git a/‎src/gConsent/manage/approveAccessRequest.test.ts‎
Lines changed: 7 additions & 0 deletions b/‎src/gConsent/manage/approveAccessRequest.test.ts‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/gConsent/manage/denyAccessRequest.test.ts‎
Lines changed: 7 additions & 0 deletions b/‎src/gConsent/manage/denyAccessRequest.test.ts‎
Lines changed: 7 additions & 0 deletions
@@ -16,6 +16,14 @@ The following changes are pending, and will be applied on the next major release
 
 ## Unreleased
 
+### New feature
+
+- Passes the v2 of the JSON-LD context for Access Grants when issuing and using the
+  `/derive` endpoint. This allows the server to return all Access Credentials understood
+  by the client, both v1 and v2. Clients prior to this version will issue and retrieve
+  Access Credentials with a v1 context (and will not be able to use features introduced
+  in v2).
+
 ### Bugfix
 
 - Type declarations have been altered so that internal type declarations are no longer
 
@@ -0,0 +1,36 @@
+//
+// Copyright Inrupt Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to use,
+// copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
+// Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+// INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+// PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+export const mockProviderConfig = ({ context }: { context?: string }) => ({
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    context ?? "https://schema.inrupt.com/credentials/v2.jsonld",
+  ],
+  issuerService: "https://vc.inrupt.com/issue",
+  statusService: "https://vc.inrupt.com/status",
+  verifierService: "https://vc.inrupt.com/verify",
+  derivationService: "https://vc.inrupt.com/derive",
+  proofService: null,
+  availabilityService: null,
+  submissionService: null,
+  queryService: "https://vc.inrupt.com/query",
+  supportedSignatureTypes: ["https://w3id.org/security#Ed25519Signature2020"],
+});
@@ -0,0 +1,94 @@
+//
+// Copyright Inrupt Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to use,
+// copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
+// Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+// INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+// PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+import { jest, it, describe, expect, beforeEach } from "@jest/globals";
+import {
+  buildProviderContext,
+  DEFAULT_CONTEXT,
+  getIssuerContext,
+  clearProviderCache,
+} from "./providerConfig";
+import { mockProviderConfig } from "./providerConfig.mock";
+
+describe("getIssuerContext", () => {
+  beforeEach(() => {
+    clearProviderCache();
+  });
+
+  it("fetches the issuer config to read its context", async () => {
+    const mockedConfig = mockProviderConfig({});
+    jest
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValueOnce(new Response(JSON.stringify(mockedConfig)));
+    const ctx = await getIssuerContext(new URL("https://vc.example.org"));
+    expect(ctx).toBe(mockedConfig["@context"][1]);
+  });
+
+  it("caches the issuer config on subsequent calls", async () => {
+    const mockedConfig = mockProviderConfig({});
+    const mockedFetch = jest
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValueOnce(new Response(JSON.stringify(mockedConfig)));
+    const ctx1 = await getIssuerContext(new URL("https://vc.example.org"));
+    const ctx2 = await getIssuerContext(new URL("https://vc.example.org"));
+    const ctx3 = await getIssuerContext(new URL("https://vc.example.org"));
+    expect(mockedFetch).toHaveBeenCalledTimes(1);
+    expect(ctx1).toBe(mockedConfig["@context"][1]);
+    expect(ctx2).toBe(mockedConfig["@context"][1]);
+    expect(ctx3).toBe(mockedConfig["@context"][1]);
+  });
+});
+
+describe("buildIssuerContext", () => {
+  it("uses the context from the provider if supported", async () => {
+    const mockedConfig1 = mockProviderConfig({
+      context: "https://schema.inrupt.com/credentials/v1.jsonld",
+    });
+    const mockedConfig2 = mockProviderConfig({
+      context: "https://schema.inrupt.com/credentials/v2.jsonld",
+    });
+    jest
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValueOnce(new Response(JSON.stringify(mockedConfig1)))
+      .mockResolvedValueOnce(new Response(JSON.stringify(mockedConfig2)));
+    const v1Ctxs = await buildProviderContext(
+      new URL("https://vc.v1.example.org"),
+    );
+    expect(v1Ctxs).toContain(mockedConfig1["@context"][1]);
+    const v2Ctxs = await buildProviderContext(
+      new URL("https://vc.v2.example.org"),
+    );
+    expect(v2Ctxs).toContain(mockedConfig2["@context"][1]);
+  });
+
+  it("uses the latest supported context if the provider uses an unknown context", async () => {
+    const mockedConfig = mockProviderConfig({
+      context: "https://schema.inrupt.com/credentials/v999.jsonld",
+    });
+
+    jest
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValueOnce(new Response(JSON.stringify(mockedConfig)));
+    const ctxs = await buildProviderContext(new URL("https://vc.example.org"));
+    expect(ctxs).not.toContain(mockedConfig["@context"][1]);
+    expect(ctxs).toContain(DEFAULT_CONTEXT);
+  });
+});
@@ -0,0 +1,108 @@
+//
+// Copyright Inrupt Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal in
+// the Software without restriction, including without limitation the rights to use,
+// copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
+// Software, and to permit persons to whom the Software is furnished to do so,
+// subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+// INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+// PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+//
+
+import { CONTEXT_VC_W3C } from "../gConsent/constants";
+
+export const SUPPORTED_CONTEXTS = [
+  "https://schema.inrupt.com/credentials/v1.jsonld",
+  "https://schema.inrupt.com/credentials/v2.jsonld",
+] as const;
+
+const SELF_HOSTED_URI_TEMPLATE = "https://{DOMAIN}/credentials/v1";
+const instantiateSelfHosted = (domain: string) =>
+  SELF_HOSTED_URI_TEMPLATE.replace("{DOMAIN}", domain);
+
+// The type assertion is required because TS doesn't validate the const array size vs the index.
+export const DEFAULT_CONTEXT = SUPPORTED_CONTEXTS.at(
+  -1,
+) as (typeof SUPPORTED_CONTEXTS)[number];
+const WELL_KNOWN_CONFIG = "/.well-known/vc-configuration";
+
+export type AccessProvider = {
+  context: (typeof SUPPORTED_CONTEXTS)[number] | string;
+};
+
+const providerCache: Record<string, AccessProvider> = {};
+
+/**
+ * This is an internal function to avoid having to mock fetch on all tests.
+ * @hidden
+ */
+export function cacheProvider(url: string, provider: AccessProvider) {
+  providerCache[url] = provider;
+}
+
+/**
+ * This is an internal function to avoid having to mock fetch on all tests.
+ * @hidden
+ */
+export function clearProviderCache() {
+  Object.keys(providerCache).forEach((url) => {
+    delete providerCache[url];
+  });
+}
+
+/**
+ * This internal function negotiates the most recent context supported by both the provider and the client.
+ * It also caches the result in memory so that the VC provider configuration is only fetched once.
+ * FIXME: use proper caching for eventual eviction.
+ */
+export async function getIssuerContext(
+  issuer: URL,
+): Promise<(typeof SUPPORTED_CONTEXTS)[number] | undefined | string> {
+  if (providerCache[issuer.href] !== undefined) {
+    return providerCache[issuer.href].context;
+  }
+  const configUrl = new URL(WELL_KNOWN_CONFIG, issuer);
+  const response = await fetch(configUrl);
+  try {
+    const config = await response.json();
+    const contexts = config["@context"] as Array<string>;
+    let providerCtx = contexts.find((ctx) =>
+      // Typescript is too strict validating consts.
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      SUPPORTED_CONTEXTS.includes(ctx as any),
+    );
+    const selfHosted = instantiateSelfHosted(issuer.hostname);
+    // If no canonical context is being used, check for self-hosted (applicable to ESS 2.2).
+    if (providerCtx === undefined && contexts.indexOf(selfHosted) !== -1) {
+      // If the well-known config uses a self-hosted context, canonical v1 should be used.
+      [providerCtx] = SUPPORTED_CONTEXTS;
+    }
+    if (providerCtx !== undefined) {
+      providerCache[issuer.href] = { context: providerCtx };
+    }
+    return providerCtx;
+  } catch (e) {
+    // We don't want this issue to be swallowed silently.
+    // eslint-disable-next-line no-console
+    console.error(e);
+  }
+  return undefined;
+}
+
+export const buildProviderContext = async (
+  issuer: URL,
+): Promise<Array<string>> => [
+  CONTEXT_VC_W3C,
+  // If the issuer uses a context we don't support, default to the latest supported.
+  (await getIssuerContext(issuer)) ?? DEFAULT_CONTEXT,
+];
@@ -168,10 +168,7 @@ describe("exchangeTicketForAccessToken", () => {
       body: new URLSearchParams({
         claim_token: isomorphicBtoa(
           JSON.stringify({
-            "@context": [
-              "https://www.w3.org/2018/credentials/v1",
-              "https://schema.inrupt.com/credentials/v1.jsonld",
-            ],
+            "@context": ["https://www.w3.org/2018/credentials/v1"],
             type: ["VerifiablePresentation"],
             verifiableCredential: [MOCK_VC],
           }),
 
@@ -25,11 +25,7 @@ import type {
 } from "@inrupt/solid-client-vc";
 import type { UmaConfiguration } from "../type/UmaConfiguration";
 import type { FetchOptions } from "../type/FetchOptions";
-import {
-  CONTEXT_VC_W3C,
-  CONTEXT_ESS_DEFAULT,
-  PRESENTATION_TYPE_BASE,
-} from "../gConsent/constants";
+import { CONTEXT_VC_W3C, PRESENTATION_TYPE_BASE } from "../gConsent/constants";
 import { UmaError } from "../common/errors/UmaError";
 
 const WWW_AUTH_HEADER = "www-authenticate";
@@ -102,7 +98,8 @@ export async function exchangeTicketForAccessToken(
   authFetch: typeof fetch,
 ): Promise<string | null> {
   const credentialPresentation = {
-    "@context": [CONTEXT_VC_W3C, CONTEXT_ESS_DEFAULT],
+    // This is the presentation context, so only the W3C context is required.
+    "@context": [CONTEXT_VC_W3C],
     type: [PRESENTATION_TYPE_BASE],
     verifiableCredential: [accessGrant],
   };
 
@@ -20,6 +20,7 @@
 //
 
 import { gc } from "../common/constants";
+import { DEFAULT_CONTEXT } from "../common/providerConfig";
 
 export const GC_CONSENT_STATUS_DENIED_ABBREV = "ConsentStatusDenied";
 export const GC_CONSENT_STATUS_EXPLICITLY_GIVEN_ABBREV =
@@ -36,15 +37,6 @@ export const PREFERRED_CONSENT_MANAGEMENT_UI =
   "http://inrupt.com/ns/ess#ConsentManagementUI";
 
 export const CONTEXT_VC_W3C = "https://www.w3.org/2018/credentials/v1" as const;
-// This static context is used from the 2.1 version, instead of having a context
-// specific to the deployment.
-export const CONTEXT_ESS_DEFAULT =
-  "https://schema.inrupt.com/credentials/v1.jsonld" as const;
-
-// According to the [ESS documentation](https://docs.inrupt.com/ess/latest/services/service-vc/#ess-vc-service-endpoints),
-// the JSON-LD context for ESS-issued VCs will match the following template.
-const instanciateContextVcEssTemplate = (essVcDomain: string): string =>
-  `https://${essVcDomain}/credentials/v1`;
 
 const extraContext = [
   "https://w3id.org/security/data-integrity/v1",
@@ -53,28 +45,12 @@ const extraContext = [
   "https://w3id.org/security/suites/ed25519-2020/v1",
 ];
 
-// A default context value is provided for mocking purpose accross the codebase.
-export const ACCESS_GRANT_CONTEXT_DEFAULT = [
-  CONTEXT_VC_W3C,
-  CONTEXT_ESS_DEFAULT,
-  instanciateContextVcEssTemplate("vc.inrupt.com"),
-] as const;
-
 export const MOCK_CONTEXT = [
-  ...ACCESS_GRANT_CONTEXT_DEFAULT,
+  CONTEXT_VC_W3C,
+  DEFAULT_CONTEXT,
   ...extraContext,
 ] as const;
 
-// When issuing a VC using a given service,"https://schema.inrupt.com/credentials/v1.jsonld" be sure to set the context using the following.
-export const instanciateEssAccessGrantContext = (
-  essVcDomain: string,
-): typeof ACCESS_GRANT_CONTEXT_DEFAULT =>
-  [
-    CONTEXT_VC_W3C,
-    CONTEXT_ESS_DEFAULT,
-    instanciateContextVcEssTemplate(essVcDomain),
-  ] as const;
-
 export const CREDENTIAL_TYPE_ACCESS_REQUEST = "SolidAccessRequest";
 export const CREDENTIAL_TYPE_ACCESS_GRANT = "SolidAccessGrant";
 export const CREDENTIAL_TYPE_ACCESS_DENIAL = "SolidAccessDenial";
 
@@ -38,6 +38,7 @@ import {
   mockConsentGrantVc,
   mockConsentRequestVc,
 } from "../util/access.mock";
+import { cacheProvider, DEFAULT_CONTEXT } from "../../common/providerConfig";
 
 jest.mock("@inrupt/solid-client", () => {
   const solidClientModule = jest.requireActual(
@@ -145,6 +146,9 @@ describe("approveAccessRequest", () => {
     accessGrantVc = await mockAccessGrantVc();
     consentRequestVc = await mockConsentRequestVc();
     consentGrantVc = await mockConsentGrantVc();
+    cacheProvider(new URL(MOCKED_ACCESS_ISSUER).href, {
+      context: DEFAULT_CONTEXT,
+    });
   });
 
   // FIXME: This test must run before the other tests mocking the ACP client.
@@ -349,6 +353,9 @@ describe("approveAccessRequest", () => {
 
   it("uses the provided access endpoint, if any", async () => {
     mockAcpClient();
+    cacheProvider(new URL("https://some.consent-endpoint.override/").href, {
+      context: DEFAULT_CONTEXT,
+    });
     const mockedVcModule = jest.requireMock(
       "@inrupt/solid-client-vc",
     ) as typeof VcClient;
 
@@ -44,6 +44,7 @@ import type { AccessGrant } from "../type/AccessGrant";
 import { mockAccessGrantVc, mockAccessRequestVc } from "../util/access.mock";
 import { normalizeAccessGrant } from "./approveAccessRequest";
 import { denyAccessRequest } from "./denyAccessRequest";
+import { cacheProvider, DEFAULT_CONTEXT } from "../../common/providerConfig";
 
 jest.mock("@inrupt/solid-client", () => {
   const solidClientModule = jest.requireActual("@inrupt/solid-client") as any;
@@ -70,6 +71,12 @@ describe("denyAccessRequest", () => {
 
   beforeAll(async () => {
     accessRequestVc = await mockAccessRequestVc();
+    cacheProvider(new URL(MOCKED_ACCESS_ISSUER).href, {
+      context: DEFAULT_CONTEXT,
+    });
+    cacheProvider(new URL("https://some.access-endpoint.override/").href, {
+      context: DEFAULT_CONTEXT,
+    });
   });
 
   afterEach(() => {