Feat/sd jwt revocation flow

.env.demo

@@ -252,4 +252,5 @@ NATS_AUTH_TYPE=nkey
 # 'nkey' | 'creds' | 'usernamePassword' | 'none'
 NOTIFICATION_NATS_AUTH_TYPE=
 
-ENABLE_NATS_NOTIFICATION=false
+ENABLE_NATS_NOTIFICATION=false
+STATUS_LIST_HOST=

.env.sample

@@ -280,4 +280,5 @@ NATS_AUTH_TYPE=nkey
 # 'nkey' | 'creds' | 'usernamePassword' | 'none'
 NOTIFICATION_NATS_AUTH_TYPE=
 
-ENABLE_NATS_NOTIFICATION=false
+ENABLE_NATS_NOTIFICATION=false
+STATUS_LIST_HOST=

apps/agent-service/src/agent-service.controller.ts

@@ -390,6 +390,11 @@ export class AgentServiceController {
     return this.agentServiceService.oidcDeleteCredentialOffer(payload.url, payload.orgId);
   }
 
+  @MessagePattern({ cmd: 'agent-service-oid4vc-revoke-credential' })
+  async oidcRevokeCredential(payload: { url: string; orgId: string; statusListDetails?: object }): Promise<object> {
+    return this.agentServiceService.oidcRevokeCredential(payload.url, payload.orgId, payload.statusListDetails);
+  }
+
   @MessagePattern({ cmd: 'agent-create-x509-certificate' })
   async createX509Certificate(payload: {
     options: X509CreateCertificateOptions;

apps/agent-service/src/agent-service.service.ts

@@ -1489,6 +1489,19 @@ export class AgentServiceService {
     }
   }
 
+  async oidcRevokeCredential(url: string, orgId: string, statusListDetails?: object): Promise<object> {
+    try {
+      const getApiKey = await this.getOrgAgentApiKey(orgId);
+      const data = await this.commonService
+        .httpPost(`${url}`, statusListDetails || {}, { headers: { authorization: getApiKey } })
+        .then(async (response) => response);
+      return data;
+    } catch (error) {
+      this.logger.error(`Error in _oidcRevokeCredential in agent service : ${JSON.stringify(error)}`);
+      throw error;
+    }
+  }
+
   async oidcIssuerTemplate(templatePayload, url: string, orgId: string): Promise<object> {
     try {
       const getApiKey = await this.getOrgAgentApiKey(orgId);

apps/api-gateway/src/oid4vc-issuance/dtos/issuer-sessions.dto.ts

@@ -195,6 +195,10 @@ export class CreateOidcCredentialOfferDto {
   noticeUrl?: string;
 
   issuerId?: string;
+
+  @ApiPropertyOptional({ example: true, description: 'Flag to enable revocation for the issued credentials' })
+  @IsOptional()
+  isRevocable?: boolean;
 }
 
 export class GetAllCredentialOfferDto {
@@ -300,7 +304,7 @@ export class CredentialDto {
         },
         iat: 1698151532,
         nbf: dateToSeconds(new Date()),
-        exp: dateToSeconds(new Date(Date.now() + 5 * 365 * 24 * 60 * 60 * 1000))
+        exp: dateToSeconds(new Date(Date.now() + 157680000000))
       }
     ]
   })
@@ -390,6 +394,10 @@ export class CreateCredentialOfferD2ADto {
   @IsOptional()
   issuerId?: string;
 
+  @ApiPropertyOptional({ example: true, description: 'Flag to enable revocation for the issued credentials' })
+  @IsOptional()
+  isRevocable?: boolean;
+
   @ExactlyOneOf(['preAuthorizedCodeFlowConfig', 'authorizationCodeFlowConfig'], {
     message: 'Provide exactly one of preAuthorizedCodeFlowConfig or authorizationCodeFlowConfig.'
   })

apps/api-gateway/src/oid4vc-issuance/oid4vc-issuance.controller.ts

@@ -672,4 +672,28 @@ export class Oid4vcIssuanceController {
 
     return res.status(HttpStatus.CREATED).json(finalResponse);
   }
+
+  @Post('/orgs/:orgId/openid4vc/issuance-sessions/:issuanceSessionId/revoke')
+  @ApiOperation({
+    summary: 'Revoke an OID4VC Credential',
+    description: 'Instantly revokes a credential issued during a specific OID4VC session.'
+  })
+  @ApiResponse({ status: HttpStatus.OK, description: 'Credential revoked successfully.', type: ApiResponseDto })
+  @ApiBearerAuth()
+  @Roles(OrgRoles.OWNER)
+  @UseGuards(AuthGuard('jwt'), OrgRolesGuard)
+  async revokeCredential(
+    @Param('orgId') orgId: string,
+    @Param('issuanceSessionId') issuanceSessionId: string,
+    @Res() res: Response
+  ): Promise<Response> {
+    const revoked = await this.oid4vcIssuanceService.revokeCredential(issuanceSessionId, orgId);
+
+    const finalResponse: IResponse = {
+      statusCode: HttpStatus.OK,
+      message: 'Credential revoked successfully.',
+      data: revoked
+    };
+    return res.status(HttpStatus.OK).json(finalResponse);
+  }
 }

apps/api-gateway/src/oid4vc-issuance/oid4vc-issuance.service.ts

@@ -131,6 +131,11 @@ export class Oid4vcIssuanceService extends BaseService {
     return this.natsClient.sendNatsMessage(this.issuanceProxy, 'oid4vc-credential-offer-delete', payload);
   }
 
+  async revokeCredential(issuanceSessionId: string, orgId: string): Promise<object> {
+    const payload = { issuanceSessionId, orgId };
+    return this.natsClient.sendNatsMessage(this.issuanceProxy, 'oid4vc-revoke-credential', payload);
+  }
+
   oidcIssueCredentialWebhook(
     oidcIssueCredentialDto: OidcIssueCredentialDto,
     id: string

apps/oid4vc-issuance/interfaces/oid4vc-issuer-sessions.interfaces.ts

@@ -48,6 +48,7 @@ export interface CreateOidcCredentialOffer {
   authenticationType: AuthenticationType; // only option selector
   credentials: CredentialRequest[]; // one or more credentials
   noticeUrl?: string;
+  isRevocable?: boolean;
 }
 
 export interface GetAllCredentialOffer {

apps/oid4vc-issuance/libs/helpers/credential-sessions.builder.ts

@@ -33,7 +33,7 @@
 
 export interface DisclosureFrame {
   _sd?: string[];
-  [claim: string]: DisclosureFrame | string[] | undefined;
+  [claim: string]: DisclosureFrame | DisclosureFrame[] | string[] | undefined;
 }
 
 export interface validityInfo {
@@ -58,6 +58,7 @@
     authorizationServerUrl: string;
   };
   publicIssuerId?: string;
+  isRevocable?: boolean;
 }
 
 export interface ResolvedSignerOption {
@@ -84,12 +85,18 @@
   format: CredentialFormat;
   payload: Record<string, unknown>;
   disclosureFrame?: DisclosureFrame;
+  statusListDetails?: {
+    listId: string;
+    index: number;
+    listSize?: number;
+  };
 }
 
 export interface BuiltCredentialOfferBase {
   signerOption?: ResolvedSignerOption;
   credentials: BuiltCredential[];
   publicIssuerId?: string;
+  isRevocable?: boolean;
 }
 
 export type CredentialOfferPayload = BuiltCredentialOfferBase &
@@ -223,36 +230,46 @@
   return { valid: 0 === errors.length, errors };
 }
 
-function buildDisclosureFrameFromTemplate(attributes: CredentialAttribute[]): DisclosureFrame {
+function buildDisclosureFrameFromTemplate(
+  attributes: CredentialAttribute[],
+  payload?: Record<string, any>
+): DisclosureFrame {
   const frame: DisclosureFrame = {};
   const sd: string[] = [];
 
   for (const attr of attributes) {
-    const childFrame =
-      attr.children && 0 < attr.children.length ? buildDisclosureFrameFromTemplate(attr.children) : undefined;
-
-    const hasChildDisclosure =
-      childFrame && (childFrame._sd?.length || Object.keys(childFrame).some((k) => '_sd' !== k));
-
-    // Case 1: this attribute itself is disclosed
-    if (attr.disclose) {
-      // If it has children, children are handled separately
-      if (!attr.children || 0 === attr.children.length) {
-        sd.push(attr.key);
-        continue;
+    const hasChildren = attr.children && 0 < attr.children.length;
+
+    if (hasChildren) {
+      const payloadValue = payload?.[attr.key];
+      //todo:
+      //1) Need to handle the type validation here to ensure payloadValue is in expected format (object or array of objects)
+      //2) Need to add add validation based on template definition (e.g. if template defines an array, payload must be an array, etc.)
+      if (Array.isArray(payloadValue)) {
+        // Array of objects → [{ _sd: [...] }, ...]
+        const childFrame = buildDisclosureFrameFromTemplate(attr.children!);
+        frame[attr.key] = payloadValue.map(() => ({ ...childFrame }));
+      } else {
+        // Plain object → { _sd: [...] }
+        const childFrame = buildDisclosureFrameFromTemplate(attr.children!, payloadValue as Record<string, any>);
+        const hasChildDisclosure = childFrame._sd?.length || Object.keys(childFrame).some((k) => '_sd' !== k);
+        if (hasChildDisclosure) {
+          frame[attr.key] = childFrame;
+        }
       }
+      continue;
     }
 
-    // Case 2: attribute has disclosed children
-    if (hasChildDisclosure) {
-      frame[attr.key] = childFrame!;
+    // Root attribute — add to _sd if disclosed
+    if (attr.disclose) {
+      sd.push(attr.key);
     }
   }
 
   if (0 < sd.length) {
     frame._sd = sd;
   }
-
+  // console.log('Built disclosure frame:', JSON.stringify(frame, null, 2));
   return frame;
 }
 
@@ -366,8 +383,11 @@
   const apiFormat = mapDbFormatToApiFormat(templateRecord.format);
   const idSuffix = formatSuffix(apiFormat);
   const credentialSupportedId = `${templateRecord.name}-${idSuffix}`;
-  const disclosureFrame = buildDisclosureFrameFromTemplate(sdJwtTemplate.attributes);
 
+  const disclosureFrame = buildDisclosureFrameFromTemplate(
+    sdJwtTemplate.attributes,
+    payloadCopy as Record<string, any>
+  );
   return {
     credentialSupportedId,
     signerOptions: templateSignerOption ? templateSignerOption : undefined,
@@ -477,7 +497,8 @@
 
   const baseEnvelope: BuiltCredentialOfferBase = {
     credentials: builtCredentials,
-    ...(finalPublicIssuerId ? { publicIssuerId: finalPublicIssuerId } : {})
+    ...(finalPublicIssuerId ? { publicIssuerId: finalPublicIssuerId } : {}),
+    isRevocable: dto.isRevocable
   };
 
   // Determine which authorization flow to return:

apps/oid4vc-issuance/src/main.ts

@@ -10,6 +10,11 @@ import { Oid4vcIssuanceModule } from './oid4vc-issuance.module';
 const logger = new Logger();
 
 async function bootstrap(): Promise<void> {
+  if (!process.env.STATUS_LIST_HOST) {
+    logger.error('STATUS_LIST_HOST is not configured. Microservice cannot start.');
+    process.exit(1);
+  }
+
   const app = await NestFactory.createMicroservice<MicroserviceOptions>(Oid4vcIssuanceModule, {
     transport: Transport.NATS,
     options: getNatsOptions(

apps/oid4vc-issuance/src/oid4vc-issuance.controller.ts

@@ -165,16 +165,17 @@ export class Oid4vcIssuanceController {
   }
 
   @MessagePattern({ cmd: 'oid4vc-credential-offer-delete' })
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  async deleteCredentialOffers(payload: {
-    orgId: string;
-    credentialId: string;
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  }): Promise<any> {
+  async deleteCredentialOffers(payload: { orgId: string; credentialId: string }): Promise<object> {
     const { orgId, credentialId } = payload;
     return this.oid4vcIssuanceService.deleteCredentialOffers(orgId, credentialId);
   }
 
+  @MessagePattern({ cmd: 'oid4vc-revoke-credential' })
+  async revokeCredential(payload: { issuanceSessionId: string; orgId: string }): Promise<object> {
+    const { issuanceSessionId, orgId } = payload;
+    return this.oid4vcIssuanceService.revokeCredential(issuanceSessionId, orgId);
+  }
+
   @MessagePattern({ cmd: 'webhook-oid4vc-issue-credential' })
   async oidcIssueCredentialWebhook(payload: Oid4vcCredentialOfferWebhookPayload): Promise<object> {
     return this.oid4vcIssuanceService.storeOidcCredentialWebhook(payload);

apps/oid4vc-issuance/src/oid4vc-issuance.module.ts

@@ -13,6 +13,7 @@ import { ConfigModule as PlatformConfig } from '@credebl/config/config.module';
 import { Oid4vcIssuanceRepository } from './oid4vc-issuance.repository';
 import { NATSClient } from '@credebl/common/NATSClient';
 import { PrismaService } from '@credebl/prisma-service';
+import { StatusListAllocatorService } from './status-list-allocator.service';
 
 @Module({
   imports: [
@@ -35,6 +36,13 @@ import { PrismaService } from '@credebl/prisma-service';
     CacheModule.register()
   ],
   controllers: [Oid4vcIssuanceController],
-  providers: [Oid4vcIssuanceService, Oid4vcIssuanceRepository, PrismaService, Logger, NATSClient]
+  providers: [
+    Oid4vcIssuanceService,
+    Oid4vcIssuanceRepository,
+    PrismaService,
+    Logger,
+    NATSClient,
+    StatusListAllocatorService
+  ]
 })
 export class Oid4vcIssuanceModule {}