Closed ragnika closed 1 year ago
Hi @ragnika Sorry for the late reply.
That is on purpose, given that the URL might not necessarily be the same URL that is known to the outside world. In other words, the Issuer could be running behind a reverse proxy or API management solution. Then updating the metadata with the internal URL obviously isn't desired.
The solution, in the current version at least, is to explicitly set the value in the metadata, given the code cannot necessarily determine it.
Maybe we could add an option that allows setting it based on the URL.
@nklomp no worries.
This was in the `oidc4vci-api-functions.ts` when I raised the issue:

```ts
const tokenEndpoint = issuer.issuerMetadata.token_endpoint
const externalAS = !!tokenEndpoint
if (externalAS) {
  console.log(`[OID4VCI] External Authorization Server ${tokenEndpoint} is being used. Not enabling issuer token endpoint`)
  return
} else if (opts?.enabled === false) {
  console.log(`[OID4VCI] Token endpoint is not enabled`)
  return
}
```
I thought it was intentional that if the token_endpoint was provided, it would only expect an external Authorization server.
Looks like it has been fixed since.
https://github.com/Sphereon-Opensource/OID4VCI/blob/6680088e6cc4c6dc9c7b05732acb7437ca4ddbfe/packages/issuer-rest/lib/oid4vci-api-functions.ts#L109
Hi, in the `accessTokenEndpoint` function, the above line is commented out so it doesn't add the `token_endpoint` to the metadata. So you do not get the `token_endpoint` in the metadata if you don't use an external Authorization Server.
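
An added example (not from this thread or from the Sphereon code base) of one way to tell the two cases discussed above apart: a `token_endpoint` that points at an external Authorization Server versus the issuer's own endpoint advertised under its public URL. `resolveTokenEndpoint`, `publicBaseUrl`, `tokenPath` and the sample URLs are hypothetical; the public base URL is assumed to come from configuration, never from the incoming request.

```typescript
// Added example. All names and URLs here are hypothetical / constructed.
interface IssuerMetadata {
  credential_issuer: string
  token_endpoint?: string
}

interface EndpointOpts {
  publicBaseUrl?: string // externally visible base URL, taken from configuration
  tokenPath?: string // path of the built-in token endpoint, default '/token'
}

interface Resolution {
  mode: 'external' | 'builtin'
  tokenEndpoint: string
}

// Canonical form for comparison: lower-cased origin, no default port,
// no trailing slash. Rejects non-https values (a choice made by this example).
function normalize(raw: string): string {
  const url = new URL(raw) // throws on a malformed value
  if (url.protocol !== 'https:') {
    throw new Error(`endpoint URLs must use https: ${raw}`)
  }
  return url.origin + url.pathname.replace(/\/+$/, '')
}

function resolveTokenEndpoint(metadata: IssuerMetadata, opts: EndpointOpts = {}): Resolution {
  // The base is a configured value. Behind a reverse proxy the listener address
  // and the request Host header do not reliably reflect the public URL.
  const base = normalize(opts.publicBaseUrl ?? metadata.credential_issuer)
  const builtin = base + (opts.tokenPath ?? '/token')

  if (metadata.token_endpoint === undefined) {
    // Nothing declared: advertise the built-in endpoint under the public base.
    return { mode: 'builtin', tokenEndpoint: builtin }
  }
  // Declared: external only if it differs from the issuer's own public endpoint.
  const declared = normalize(metadata.token_endpoint)
  return { mode: declared === builtin ? 'builtin' : 'external', tokenEndpoint: declared }
}

// Constructed sample: issuer behind a proxy, public URL supplied via configuration.
console.log(resolveTokenEndpoint(
  { credential_issuer: 'https://issuer.example.com' },
  { publicBaseUrl: 'https://api.example.com/vci/' },
))
```

With this split, explicitly setting `token_endpoint` to the issuer's own public URL no longer switches the built-in endpoint off, while a value on another origin is still treated as an external Authorization Server.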