Package-level declarations
Functions
Serves the "OAuth 2.0 for First-Party Applications" workflow.
Handles the user's authorization and redirects to FinishAuthorizationServlet.
Issues a credential based on DPoP authentication with an access token.
Generates a Digital Credential request for the browser-based authorization workflow.
Serves an HTTP request by fetching a resource.
Finishes web-based authorization and hands the session back to the Wallet App (or Wallet Server).
Handles the presentation-during-issuance OpenID4VP response from the wallet/client.
Pushed Authorization Request, which is the first request to be sent to our OpenID4VCI server if the authorize challenge path is not used. In theory, other, simpler (and less secure) forms of client authorization are possible, but our implementation requires a Pushed Authorization Request.
Takes control of the authentication session after web-based user authentication. This is the counterpart of pushedAuthorizationRequest. It (1) checks that the hash of the code_verifier supplied here matches the code_challenge supplied to the pushed authorization request, and (2) performs DPoP authorization using the key established in the pushed authorization request. Once all the checks are done, it issues an access token that can be used to request a credential and possibly a refresh token that can be used to request more access tokens.
Generates the .well-known/oauth-authorization-server metadata file.
Generates the .well-known/openid-credential-issuer metadata file.