@atrib/verify 0.5.2 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +104 -1
- package/dist/authorization-evidence.d.ts +155 -0
- package/dist/authorization-evidence.d.ts.map +1 -0
- package/dist/authorization-evidence.js +423 -0
- package/dist/authorization-evidence.js.map +1 -0
- package/dist/dpop-replay-cache.d.ts +55 -0
- package/dist/dpop-replay-cache.d.ts.map +1 -0
- package/dist/dpop-replay-cache.js +95 -0
- package/dist/dpop-replay-cache.js.map +1 -0
- package/dist/index.d.ts +7 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +4 -0
- package/dist/index.js.map +1 -1
- package/dist/oauth-introspection.d.ts +38 -0
- package/dist/oauth-introspection.d.ts.map +1 -0
- package/dist/oauth-introspection.js +118 -0
- package/dist/oauth-introspection.js.map +1 -0
- package/dist/types.d.ts +6 -0
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/dist/verifier.d.ts +6 -0
- package/dist/verifier.d.ts.map +1 -1
- package/dist/verifier.js +55 -0
- package/dist/verifier.js.map +1 -1
- package/dist/verify-record.d.ts +38 -6
- package/dist/verify-record.d.ts.map +1 -1
- package/dist/verify-record.js +99 -21
- package/dist/verify-record.js.map +1 -1
- package/package.json +3 -3
package/README.md
CHANGED
|
@@ -82,6 +82,8 @@ const result = await verifyRecord(record, {
|
|
|
82
82
|
upstreamCandidate, // optional, for provenance_token resolution
|
|
83
83
|
informedByCandidates: [], // optional, for informed_by[] resolution
|
|
84
84
|
identityClaim, // optional, for capability_check (caller does directory lookup)
|
|
85
|
+
resolvedFacts, // optional, caller-resolved facts for capability_check
|
|
86
|
+
authorizationEvidence, // optional, OAuth/MCP auth evidence blocks
|
|
85
87
|
ap2ViEvidence, // optional, transaction-only AP2 / VI evidence bundle
|
|
86
88
|
ap2ViEvidenceOptions, // optional, passed to verifyAp2ViEvidenceAsync()
|
|
87
89
|
})
|
|
@@ -92,6 +94,7 @@ const result = await verifyRecord(record, {
|
|
|
92
94
|
// provenance?: { token, upstream_record_hash, upstream_resolved }
|
|
93
95
|
// informed_by_resolution?: { resolved: string[], dangling: string[] }
|
|
94
96
|
// capability_check?: { envelope, in_envelope, mismatches, unresolvable }
|
|
97
|
+
// evidence?: EvidenceVerificationBlock[]
|
|
95
98
|
// ap2_vi_evidence?: Ap2ViEvidenceVerification
|
|
96
99
|
// warnings: string[]
|
|
97
100
|
// }
|
|
@@ -102,8 +105,9 @@ const result = await verifyRecord(record, {
|
|
|
102
105
|
- `provenance`: `{ token, upstream_record_hash, upstream_resolved }` per session-genesis record carrying `provenance_token` ([D044](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d044-provenance_token-field-for-cross-session-causal-anchoring) / [§1.2.6](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#126-provenance_token)). The 16-byte token truncation is irreversible: `upstream_record_hash` populates only when the caller supplies a candidate whose canonical-form SHA-256[:16] matches the token.
|
|
103
106
|
- `informed_by_resolution`: `{ resolved: string[], dangling: string[] }` per record carrying `informed_by` ([D041](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d041-informed_by-linking-primitive-and-informed_by-edge-type) / [§1.2.5](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#125-informed_by)). Dangling references are flagged but do not fail verification: they signal "the verifier has not seen upstream context," not "the record is invalid."
|
|
104
107
|
- `posture`: `{ timestamp_granularity, timestamp_consistent, timestamp_granularity_explicit, args_commitment_form, result_commitment_form, tool_name_form }` ([D045](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d045-privacy-postures-normative-spec-section) / [D061](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d061-add-tool_name-args_hash-result_hash-fields-to-§121) / [§8.2](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#82-opaque-name-posture) / [§8.3](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#83-salted-commitment-posture) / [§8.4](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#84-coarsened-timing-posture)). Always populated. Surfaces (a) the declared timing granularity, whether the timestamp value structurally matches the spec's trailing-zero invariant, and whether the field was explicitly set vs defaulted; (b) the structurally-detected `args_hash` / `result_hash` commitment scheme: `'salted-sha256'` when `args_salt` / `result_salt` is present, `'plain-sha256'` otherwise (the `'hmac-sha256'` variant from [§8.3](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#83-salted-commitment-posture) is signaled out-of-band and is not structurally detectable); and (c) the [§8.2](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#82-opaque-name-posture) `tool_name_form`: `'hashed'` when `tool_name` matches `^sha256:[0-9a-f]{64}$`, `'plain'` for any other present value, `null` when the field is absent. Per [D061](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d061-add-tool_name-args_hash-result_hash-fields-to-121) the [§8.2](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#82-opaque-name-posture) verbatim-vs-opaque distinction is NOT structurally detectable, both surface as `'plain'`.
|
|
105
|
-
- `capability_check`: `{ envelope, in_envelope, mismatches, unresolvable }` ([D051](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d051-capability-scoped-records-via-directory-published-envelopes) / [§6.7](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#67-capability-declarations)). Populated only when the caller passes a resolved `identityClaim` in options. Checks the record's `event_type` against the envelope's `event_types` allowlist and the record's `timestamp` against `expires_at`. `tool_names
|
|
108
|
+
- `capability_check`: `{ envelope, in_envelope, mismatches, unresolvable }` ([D051](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d051-capability-scoped-records-via-directory-published-envelopes) / [§6.7](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#67-capability-declarations)). Populated only when the caller passes a resolved `identityClaim` in options. Checks the record's `event_type` against the envelope's `event_types` allowlist and the record's `timestamp` against `expires_at`. `tool_names`, `max_amount`, and `counterparties` are checked when the caller supplies `resolvedFacts` from the local body or protocol event. Missing facts flag `unresolvable: true` rather than passing silently. Per [§6.7.3](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#673-out-of-envelope-records) out-of-envelope is a signal, not invalidation: mismatches do not flip `valid` to false. The caller is responsible for fetching the active envelope at the record's timestamp via `@atrib/directory`'s `lookup()` (or a cached equivalent); `@atrib/verify` intentionally has no `@atrib/directory` dependency.
|
|
106
109
|
- `cross_attestation`: `{ signers_count, signers_valid, missing }` ([D052](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d052-cross-attestation-requirement-for-transaction-records) / [§1.7.6](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#176-cross-attestation-requirement-for-transaction-records)). Populated only on transaction records (`event_type = transaction`). Each entry in `signers[]` is verified against the cross-attestation canonical bytes (JCS form with `signers: []` and the top-level `signature` field omitted, per [§1.7.6](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#176-cross-attestation-requirement-for-transaction-records)). `signatureOk` requires a valid signer entry whose `creator_key` matches the record's top-level `creator_key`; unrelated counterparty signers do not validate the record on behalf of its creator. `missing: true` when fewer than 2 distinct signer keys verify, atrib's normative minimum. Duplicate entries from one key do not inflate `signers_valid`. Per [§1.7.6](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#176-cross-attestation-requirement-for-transaction-records) missing is a signal, not invalidation: `valid` stays true if the underlying signature path holds. Agent-side Path 2 fallback records usually surface as `signers_count: 1, missing: true` until a counterparty signs the same bytes. Legacy single-signer transaction records (no `signers[]` array, only top-level `signature`) surface as `signers_count: 0, missing: true` so consumers can flag them while accepting the cryptographic validity.
|
|
110
|
+
- `evidence`: generic tiered external authorization evidence blocks ([D109](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d109-mcpoauth-authorization-evidence-uses-generic-tiered-evidence-blocks) / [§5.5.6](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#556-generic-authorization-evidence-blocks)). Populated when the caller passes `authorizationEvidence` or when AP2 / VI evidence is mirrored into the generic shape. Each block has `{ valid, protocol, issuer, subject, scope, attenuation_ok, delegation_ok, constraints, errors, warnings }`. These blocks do not alter `valid`, `signatureOk`, or `capability_check`.
|
|
107
111
|
- `ap2_vi_evidence`: the async AP2 / VI verifier result ([D094](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d094-ap2--vi-evidence-attaches-to-verifier-results-as-a-tiered-block) / [§5.5.4](https://github.com/creatornader/atrib/blob/main/atrib-spec.md#554-ap2--verifiable-intent-evidence-checks)). Populated only when the caller passes `ap2ViEvidence` for a transaction record. It does not alter `valid`, `signatureOk`, or `cross_attestation`; consumers inspect `ap2_vi_evidence.valid` for AP2 authorization evidence.
|
|
108
112
|
|
|
109
113
|
**Pending per-record annotations** (tracked as a Pending decision in [DECISIONS.md P005](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#p005-reconcile-atribverify-readme-per-record-annotations-with-actual-code-surface)):
|
|
@@ -162,6 +166,99 @@ Checks performed:
|
|
|
162
166
|
|
|
163
167
|
The library helper backs the `@atrib/verify-mcp` `atrib-verify` primitive promoted by [D106](https://github.com/creatornader/atrib/blob/main/DECISIONS.md#d106-verify-is-promoted-to-cognitive-primitive-7). The MCP wrapper handles agent-facing use; this package remains the verifier library.
|
|
164
168
|
|
|
169
|
+
### `verifyOAuthAuthorizationEvidence(evidence): Promise<OAuthAuthorizationEvidenceVerification>`
|
|
170
|
+
|
|
171
|
+
Verifier-side OAuth / MCP authorization evidence checking. This runs outside the record signature path and does not fetch tokens, mint credentials, call token-introspection endpoints, or contact authorization servers. Callers supply a compact access-token JWT plus trusted JWKS, caller-verified claims, or a caller-supplied OAuth token-introspection response from a path they control. Hosts that want a library helper for the live step can call `introspectOAuthToken()` first, then pass its result into `verifyRecord()`.
|
|
172
|
+
|
|
173
|
+
```typescript
|
|
174
|
+
import { verifyRecord } from '@atrib/verify'
|
|
175
|
+
|
|
176
|
+
const result = await verifyRecord(record, {
|
|
177
|
+
authorizationEvidence: [
|
|
178
|
+
{
|
|
179
|
+
protocol: 'mcp_oauth',
|
|
180
|
+
accessTokenJwt,
|
|
181
|
+
jwks: [issuerJwk],
|
|
182
|
+
issuer: 'https://auth.example',
|
|
183
|
+
audience: 'https://mcp.example/mcp',
|
|
184
|
+
protectedResourceMetadata: {
|
|
185
|
+
resource: 'https://mcp.example/mcp',
|
|
186
|
+
authorization_servers: ['https://auth.example'],
|
|
187
|
+
},
|
|
188
|
+
requiredScopes: ['files:read'],
|
|
189
|
+
expectedClientId: 'https://client.example/client.json',
|
|
190
|
+
},
|
|
191
|
+
],
|
|
192
|
+
})
|
|
193
|
+
```
|
|
194
|
+
|
|
195
|
+
For opaque access tokens, keep live network policy at the host boundary:
|
|
196
|
+
|
|
197
|
+
```typescript
|
|
198
|
+
import {
|
|
199
|
+
introspectOAuthToken,
|
|
200
|
+
oauthEvidenceFromIntrospectionResult,
|
|
201
|
+
verifyRecord,
|
|
202
|
+
} from '@atrib/verify'
|
|
203
|
+
|
|
204
|
+
const introspection = await introspectOAuthToken({
|
|
205
|
+
endpoint: 'https://auth.example/oauth/introspect',
|
|
206
|
+
token: opaqueAccessToken,
|
|
207
|
+
clientAuthentication: {
|
|
208
|
+
method: 'basic',
|
|
209
|
+
clientId: process.env.OAUTH_CLIENT_ID ?? '',
|
|
210
|
+
clientSecret: process.env.OAUTH_CLIENT_SECRET ?? '',
|
|
211
|
+
},
|
|
212
|
+
expectedIssuer: 'https://auth.example',
|
|
213
|
+
expectedAudience: 'https://mcp.example/mcp',
|
|
214
|
+
})
|
|
215
|
+
|
|
216
|
+
const result = await verifyRecord(record, {
|
|
217
|
+
authorizationEvidence: [
|
|
218
|
+
oauthEvidenceFromIntrospectionResult(introspection, {
|
|
219
|
+
protocol: 'mcp_oauth',
|
|
220
|
+
requiredScopes: ['files:read'],
|
|
221
|
+
}),
|
|
222
|
+
],
|
|
223
|
+
})
|
|
224
|
+
```
|
|
225
|
+
|
|
226
|
+
Checks performed when evidence is present:
|
|
227
|
+
|
|
228
|
+
- JWT signature, `iss`, `aud`, `exp`, `nbf`, and clock-skew checks when `accessTokenJwt` and `jwks` are supplied.
|
|
229
|
+
- MCP protected-resource binding through `aud`, token `resource`, and protected-resource metadata.
|
|
230
|
+
- Required OAuth scopes from `scope` or `scp`.
|
|
231
|
+
- Optional RFC 9396-style `authorization_details` constraints by `type`, `actions`, and `locations`.
|
|
232
|
+
- Optional `client_id`, subject, actor subject, and `cnf.jkt` checks.
|
|
233
|
+
- Optional DPoP proof checks for `htm`, `htu`, `ath`, `jti`, `iat`, nonce when supplied, and `cnf.jkt` binding.
|
|
234
|
+
|
|
235
|
+
The default signature policy is `require`. Missing trusted keys or unverified decoded claims make the evidence block invalid. Use `signaturePolicy: "best-effort"` only for advisory triage. DPoP replay state stays caller-owned: pass `seenJtis` for one-process checks, `MemoryDpopReplayCache` for one-process services, or `createFetchDpopReplayCache()` when a deployment exposes a shared atomic replay-cache endpoint.
|
|
236
|
+
|
|
237
|
+
```typescript
|
|
238
|
+
import { createFetchDpopReplayCache, verifyRecord } from '@atrib/verify'
|
|
239
|
+
|
|
240
|
+
const dpopReplayCache = createFetchDpopReplayCache({
|
|
241
|
+
endpoint: 'https://replay-cache.example.com/v1/dpop/check',
|
|
242
|
+
headers: { Authorization: `Bearer ${process.env.REPLAY_CACHE_TOKEN}` },
|
|
243
|
+
})
|
|
244
|
+
|
|
245
|
+
const result = await verifyRecord(record, {
|
|
246
|
+
authorizationEvidence: [
|
|
247
|
+
{
|
|
248
|
+
protocol: 'mcp_oauth',
|
|
249
|
+
claims,
|
|
250
|
+
claimsVerified: true,
|
|
251
|
+
dpopProof,
|
|
252
|
+
dpopReplayCache,
|
|
253
|
+
},
|
|
254
|
+
],
|
|
255
|
+
})
|
|
256
|
+
```
|
|
257
|
+
|
|
258
|
+
The shared endpoint must atomically remember the posted key until `expires_at_seconds` and return `{ "accepted": true }` for a new proof or `{ "accepted": false }` for replay. The storage backend can be Redis, Durable Objects, Postgres, or another compare-and-set primitive owned by the host.
|
|
259
|
+
|
|
260
|
+
Producer-side MCP capture lives in `@atrib/mcp` behind the opt-in `authorizationEvidence` option. The producer writes evidence into the local-only sidecar without storing raw bearer tokens by default. Verifiers can pass that sidecar's `authorizationEvidence` and `resolvedFacts` to `verifyRecord()`.
|
|
261
|
+
|
|
165
262
|
### `verifyAp2ViEvidence(...)` and `verifyAp2ViEvidenceAsync(...)`
|
|
166
263
|
|
|
167
264
|
AP2 / Verifiable Intent evidence checking for merchants and auditors. This runs outside the transaction detector path. It does not alter the graph, the settlement calculation, or record validity. It answers a narrower question: did the AP2 receipts and VI mandate chain form a coherent evidence bundle?
|
|
@@ -253,6 +350,12 @@ For advanced use (custom calculators, alternative signing flows), the package al
|
|
|
253
350
|
- `evaluateAp2ViConstraints(input, disclosures?)`: decoded AP2 open-mandate constraint checking
|
|
254
351
|
- `verifyAp2ViEvidence(bundle, options?)`: decoded AP2 / VI receipt and mandate-chain evidence checking
|
|
255
352
|
- `verifyAp2ViEvidenceAsync(bundle, options?)`: compact AP2 receipt JWT verification, async VI SD-JWT / VC conformance, plus decoded evidence checks. `verifyRecord()` and `AtribVerifier.verify()` call this when supplied with `ap2ViEvidence`
|
|
353
|
+
- `verifyAuthorizationEvidence(evidence)`: generic external authorization evidence dispatch for `verifyRecord()` evidence blocks
|
|
354
|
+
- `verifyOAuthAuthorizationEvidence(evidence)`: OAuth / MCP authorization evidence checks for access-token JWTs or caller-verified claims
|
|
355
|
+
- `introspectOAuthToken(options)`: host-owned OAuth token introspection helper for opaque-token evidence
|
|
356
|
+
- `oauthEvidenceFromIntrospectionResult(result, base?)`: adapter from host-owned introspection result to OAuth evidence input
|
|
357
|
+
- `createFetchDpopReplayCache(options)`: HTTP-backed DPoP replay-cache adapter for fleet-shared replay checks
|
|
358
|
+
- `MemoryDpopReplayCache`: in-process implementation of the `DpopReplayCache` contract for tests and single-worker deployments
|
|
256
359
|
- `verifyHandoffClaims(claims, options?)`: Pattern 3 handoff claim acceptance before a receiving agent signs an `informed_by` follow-up
|
|
257
360
|
- `recommendationSigningInput(doc)`: the canonical bytes that get signed
|
|
258
361
|
- `distributionsMatch(a, b)`: float-tolerant equality (within `1e-9` per recipient)
|
|
@@ -0,0 +1,155 @@
|
|
|
1
|
+
import type { JWK, JSONWebKeySet, JWTPayload } from 'jose';
|
|
2
|
+
import type { DpopReplayCache } from './dpop-replay-cache.js';
|
|
3
|
+
export type EvidenceCheckStatus = 'passed' | 'failed' | 'unresolved' | 'not_checked';
|
|
4
|
+
export type OAuthSignaturePolicy = 'require' | 'best-effort' | 'off';
|
|
5
|
+
export type OAuthEvidenceProtocol = 'oauth2' | 'mcp_oauth';
|
|
6
|
+
export interface EvidenceConstraintCheck {
|
|
7
|
+
type: string;
|
|
8
|
+
status: EvidenceCheckStatus;
|
|
9
|
+
expected?: unknown;
|
|
10
|
+
actual?: unknown;
|
|
11
|
+
reason?: string;
|
|
12
|
+
}
|
|
13
|
+
export interface EvidenceVerificationBlock<TDetails = unknown> {
|
|
14
|
+
protocol: string;
|
|
15
|
+
valid: boolean;
|
|
16
|
+
issuer: string | null;
|
|
17
|
+
subject: string | null;
|
|
18
|
+
scope: string[];
|
|
19
|
+
attenuation_ok: boolean | null;
|
|
20
|
+
delegation_ok: boolean | null;
|
|
21
|
+
constraints: EvidenceConstraintCheck[];
|
|
22
|
+
errors: string[];
|
|
23
|
+
warnings: string[];
|
|
24
|
+
details?: TDetails;
|
|
25
|
+
}
|
|
26
|
+
export interface OAuthAuthorizationDetailConstraint {
|
|
27
|
+
type: string;
|
|
28
|
+
actions?: string[];
|
|
29
|
+
locations?: string[];
|
|
30
|
+
}
|
|
31
|
+
export interface OAuthProtectedResourceMetadata {
|
|
32
|
+
resource?: string;
|
|
33
|
+
authorization_servers?: string[];
|
|
34
|
+
scopes_supported?: string[];
|
|
35
|
+
}
|
|
36
|
+
export interface OAuthAccessTokenClaims extends JWTPayload {
|
|
37
|
+
client_id?: string;
|
|
38
|
+
scope?: string;
|
|
39
|
+
scp?: string | string[];
|
|
40
|
+
resource?: string | string[];
|
|
41
|
+
authorization_details?: unknown;
|
|
42
|
+
cnf?: {
|
|
43
|
+
jkt?: string;
|
|
44
|
+
jwk?: JWK;
|
|
45
|
+
[key: string]: unknown;
|
|
46
|
+
};
|
|
47
|
+
act?: {
|
|
48
|
+
sub?: string;
|
|
49
|
+
[key: string]: unknown;
|
|
50
|
+
};
|
|
51
|
+
may_act?: {
|
|
52
|
+
sub?: string;
|
|
53
|
+
[key: string]: unknown;
|
|
54
|
+
};
|
|
55
|
+
}
|
|
56
|
+
export interface OAuthTokenIntrospectionResponse {
|
|
57
|
+
active: boolean;
|
|
58
|
+
scope?: string;
|
|
59
|
+
client_id?: string;
|
|
60
|
+
username?: string;
|
|
61
|
+
token_type?: string;
|
|
62
|
+
exp?: number;
|
|
63
|
+
iat?: number;
|
|
64
|
+
nbf?: number;
|
|
65
|
+
sub?: string;
|
|
66
|
+
aud?: string | string[];
|
|
67
|
+
iss?: string;
|
|
68
|
+
jti?: string;
|
|
69
|
+
resource?: string | string[];
|
|
70
|
+
authorization_details?: unknown;
|
|
71
|
+
cnf?: {
|
|
72
|
+
jkt?: string;
|
|
73
|
+
jwk?: JWK;
|
|
74
|
+
[key: string]: unknown;
|
|
75
|
+
};
|
|
76
|
+
act?: {
|
|
77
|
+
sub?: string;
|
|
78
|
+
[key: string]: unknown;
|
|
79
|
+
};
|
|
80
|
+
may_act?: {
|
|
81
|
+
sub?: string;
|
|
82
|
+
[key: string]: unknown;
|
|
83
|
+
};
|
|
84
|
+
[key: string]: unknown;
|
|
85
|
+
}
|
|
86
|
+
export interface OAuthDpopProofInput {
|
|
87
|
+
proofJwt: string;
|
|
88
|
+
method: string;
|
|
89
|
+
url: string;
|
|
90
|
+
accessToken?: string;
|
|
91
|
+
expectedAth?: string;
|
|
92
|
+
expectedNonce?: string;
|
|
93
|
+
seenJtis?: string[];
|
|
94
|
+
maxAgeSeconds?: number;
|
|
95
|
+
nowSeconds?: number;
|
|
96
|
+
clockSkewSeconds?: number;
|
|
97
|
+
}
|
|
98
|
+
export interface OAuthAuthorizationEvidenceInput {
|
|
99
|
+
protocol?: OAuthEvidenceProtocol;
|
|
100
|
+
accessTokenJwt?: string;
|
|
101
|
+
claims?: OAuthAccessTokenClaims;
|
|
102
|
+
claimsVerified?: boolean;
|
|
103
|
+
introspection?: OAuthTokenIntrospectionResponse;
|
|
104
|
+
introspectionVerified?: boolean;
|
|
105
|
+
dpopProof?: OAuthDpopProofInput;
|
|
106
|
+
jwks?: JWK[] | JSONWebKeySet;
|
|
107
|
+
issuer?: string;
|
|
108
|
+
audience?: string | string[];
|
|
109
|
+
resource?: string;
|
|
110
|
+
protectedResourceMetadata?: OAuthProtectedResourceMetadata;
|
|
111
|
+
requiredScopes?: string[];
|
|
112
|
+
requiredAuthorizationDetails?: OAuthAuthorizationDetailConstraint[];
|
|
113
|
+
expectedSubject?: string;
|
|
114
|
+
expectedClientId?: string;
|
|
115
|
+
expectedActorSubject?: string;
|
|
116
|
+
requiredCnfJkt?: string;
|
|
117
|
+
requireCnf?: boolean;
|
|
118
|
+
signaturePolicy?: OAuthSignaturePolicy;
|
|
119
|
+
dpopReplayCache?: DpopReplayCache;
|
|
120
|
+
nowSeconds?: number;
|
|
121
|
+
clockSkewSeconds?: number;
|
|
122
|
+
}
|
|
123
|
+
export interface OAuthTokenCheck {
|
|
124
|
+
jwt_present: boolean;
|
|
125
|
+
introspection_present: boolean;
|
|
126
|
+
verified: boolean | null;
|
|
127
|
+
alg: string | null;
|
|
128
|
+
kid: string | null;
|
|
129
|
+
claims_verified: boolean;
|
|
130
|
+
}
|
|
131
|
+
export interface OAuthAuthorizationEvidenceVerification extends EvidenceVerificationBlock<{
|
|
132
|
+
token: OAuthTokenCheck;
|
|
133
|
+
dpop: OAuthDpopCheck | null;
|
|
134
|
+
audience: string[];
|
|
135
|
+
resource: string[];
|
|
136
|
+
client_id: string | null;
|
|
137
|
+
}> {
|
|
138
|
+
protocol: OAuthEvidenceProtocol;
|
|
139
|
+
}
|
|
140
|
+
export interface OAuthDpopCheck {
|
|
141
|
+
jwt_present: boolean;
|
|
142
|
+
verified: boolean;
|
|
143
|
+
alg: string | null;
|
|
144
|
+
jkt: string | null;
|
|
145
|
+
jti: string | null;
|
|
146
|
+
htm: string | null;
|
|
147
|
+
htu: string | null;
|
|
148
|
+
}
|
|
149
|
+
export declare function verifyOAuthAuthorizationEvidence(input: OAuthAuthorizationEvidenceInput): Promise<OAuthAuthorizationEvidenceVerification>;
|
|
150
|
+
export type AuthorizationEvidenceInput = {
|
|
151
|
+
protocol?: OAuthEvidenceProtocol;
|
|
152
|
+
oauth: OAuthAuthorizationEvidenceInput;
|
|
153
|
+
} | OAuthAuthorizationEvidenceInput;
|
|
154
|
+
export declare function verifyAuthorizationEvidence(evidence: AuthorizationEvidenceInput): Promise<EvidenceVerificationBlock>;
|
|
155
|
+
//# sourceMappingURL=authorization-evidence.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"authorization-evidence.d.ts","sourceRoot":"","sources":["../src/authorization-evidence.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,GAAG,EAAE,aAAa,EAAE,UAAU,EAAoB,MAAM,MAAM,CAAA;AAC5E,OAAO,KAAK,EAAE,eAAe,EAAsB,MAAM,wBAAwB,CAAA;AAEjF,MAAM,MAAM,mBAAmB,GAAG,QAAQ,GAAG,QAAQ,GAAG,YAAY,GAAG,aAAa,CAAA;AACpF,MAAM,MAAM,oBAAoB,GAAG,SAAS,GAAG,aAAa,GAAG,KAAK,CAAA;AACpE,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,WAAW,CAAA;AAE1D,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,mBAAmB,CAAA;IAC3B,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,yBAAyB,CAAC,QAAQ,GAAG,OAAO;IAC3D,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,EAAE,OAAO,CAAA;IACd,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAA;IACtB,KAAK,EAAE,MAAM,EAAE,CAAA;IACf,cAAc,EAAE,OAAO,GAAG,IAAI,CAAA;IAC9B,aAAa,EAAE,OAAO,GAAG,IAAI,CAAA;IAC7B,WAAW,EAAE,uBAAuB,EAAE,CAAA;IACtC,MAAM,EAAE,MAAM,EAAE,CAAA;IAChB,QAAQ,EAAE,MAAM,EAAE,CAAA;IAClB,OAAO,CAAC,EAAE,QAAQ,CAAA;CACnB;AAED,MAAM,WAAW,kCAAkC;IACjD,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAA;CACrB;AAED,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAA;IAChC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC5B;AAED,MAAM,WAAW,sBAAuB,SAAQ,UAAU;IACxD,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;IACvB,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;IAC5B,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,GAAG,CAAC,EAAE;QACJ,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,GAAG,CAAC,EAAE,GAAG,CAAA;QACT,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KACvB,CAAA;IACD,GAAG,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAA;IAC9C,OAAO,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAA;CACnD;AAED,MAAM,WAAW,+BAA+B;IAC9C,MAAM,EAAE,OAAO,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;IACvB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;IAC5B,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,GAAG,CAAC,EAAE;QACJ,GAAG,CAAC,EAAE,MAAM,CAAA;QACZ,GAAG,CAAC,EAAE,GAAG,CAAA;QACT,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KACvB,CAAA;IACD,GAAG,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAA;IAC9C,OAAO,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAA;IAClD,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;IACd,GAAG,EAAE,MAAM,CAAA;IACX,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAA;IACnB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAC1B;AAED,MAAM,WAAW,+BAA+B;IAC9C,QAAQ,CAAC,EAAE,qBAAqB,CAAA;IAChC,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,MAAM,CAAC,EAAE,sBAAsB,CAAA;IAC/B,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,aAAa,CAAC,EAAE,+BAA+B,CAAA;IAC/C,qBAAqB,CAAC,EAAE,OAAO,CAAA;IAC/B,SAAS,CAAC,EAAE,mBAAmB,CAAA;IAC/B,IAAI,CAAC,EAAE,GAAG,EAAE,GAAG,aAAa,CAAA;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,yBAAyB,CAAC,EAAE,8BAA8B,CAAA;IAC1D,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IACzB,4BAA4B,CAAC,EAAE,kCAAkC,EAAE,CAAA;IACnE,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,oBAAoB,CAAC,EAAE,MAAM,CAAA;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,eAAe,CAAC,EAAE,oBAAoB,CAAA;IACtC,eAAe,CAAC,EAAE,eAAe,CAAA;IACjC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAC1B;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,OAAO,CAAA;IACpB,qBAAqB,EAAE,OAAO,CAAA;IAC9B,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAA;IACxB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;IAClB,eAAe,EAAE,OAAO,CAAA;CACzB;AAED,MAAM,WAAW,sCAAuC,SAAQ,yBAAyB,CAAC;IACxF,KAAK,EAAE,eAAe,CAAA;IACtB,IAAI,EAAE,cAAc,GAAG,IAAI,CAAA;IAC3B,QAAQ,EAAE,MAAM,EAAE,CAAA;IAClB,QAAQ,EAAE,MAAM,EAAE,CAAA;IAClB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;CACzB,CAAC;IACA,QAAQ,EAAE,qBAAqB,CAAA;CAChC;AAED,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,OAAO,CAAA;IACpB,QAAQ,EAAE,OAAO,CAAA;IACjB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;IAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;CACnB;AA2gBD,wBAAsB,gCAAgC,CACpD,KAAK,EAAE,+BAA+B,GACrC,OAAO,CAAC,sCAAsC,CAAC,CA+FjD;AAED,MAAM,MAAM,0BAA0B,GAClC;IACE,QAAQ,CAAC,EAAE,qBAAqB,CAAA;IAChC,KAAK,EAAE,+BAA+B,CAAA;CACvC,GACD,+BAA+B,CAAA;AAEnC,wBAAsB,2BAA2B,CAC/C,QAAQ,EAAE,0BAA0B,GACnC,OAAO,CAAC,yBAAyB,CAAC,CAQpC"}
|