@connectid-tools/rp-nodejs-sdk 4.0.4

package/config.d.ts

@@ -0,0 +1,2 @@
+import { RelyingPartyClientSdkConfig } from './types';
+export declare const config: RelyingPartyClientSdkConfig;

package/config.js

@@ -0,0 +1,75 @@
+export const config = {
+    data: {
+        // Set the signing Key Id based on what is contained in the JWKS
+        signing_kid: 'roHtgBlRFapqTHbc8EzXIIgO_bu5YHlEjx75vIcaxfE',
+        // The location of the signing certificate and key that are used for signing purposes
+        signing_key: './certs/signing.key',
+        signing_pem: './certs/signing.pem', // TODO not being used atm
+        // The location of the transport certificate and key that are used for mutual TLS
+        transport_key: './certs/transport.key',
+        transport_pem: './certs/transport.pem',
+        // The location of the root certificate for the trust authority
+        ca_pem: './certs/connectid-sandbox-ca.pem',
+        // This is the URL that this application is actually running on and using for callbacks (noting that multiple may be registered for the client)
+        application_redirect_uri: 'https://tpp.localhost/cb',
+        // The registry API endpoint that will list all participants with their auth server details
+        registry_participants_uri: 'https://data.directory.sandbox.connectid.com.au/participants',
+        // This will ensure that all participants are returned, regardless of their certification status
+        // and any `required_claims` or `required_participant_certifications` requirements.
+        // This should be set to false in a production environment, only enable for testing.
+        // If not provided, will default to false
+        include_uncertified_participants: false,
+        // Configuring `required_participant_certifications` will ensure that the participants returned are only those
+        // with the required certifications. Participants must have all specified certifications to be included.
+        // Note that if `include_uncertified_participants` is set to true, this will be ignored.
+        // As an example, if you require the IDPs to have TDIF certification as part of your use case, you
+        // can filter for: `[{ profileType: 'TDIF Accreditation', profileVariant: 'Identity Provider' }]
+        // required_participant_certifications: [
+        //   { profileType: 'TDIF Accreditation', profileVariant: 'Identity Provider' }
+        // ],
+        // The list of claims that authorisation servers must support to be included in the list of participants
+        // If this is not provided, no filtering based on claims will be performed
+        // Note that if `include_uncertified_participants` is set to true, this will be ignored.
+        // required_claims: ['name', 'given_name', 'middle_name', 'family_name', 'phone_number', 'email', 'address', 'birthdate'],
+        // The application logging level (info - normal logging, debug - full request/response)
+        // This MUST not be set to debug in a production environment as it will log all personal data received
+        log_level: 'info',
+        // When running the OIDC FAPI compliance suite, it requires a call to user info after successfully decoding the
+        // response claims. If this is set to true, the SDK will automatically make the call.
+        enable_auto_compliance_verification: false,
+        // The purpose to be displayed to the consumer to indicate why their data is being requested to be shared
+        // Must be between 3 and 300 chars and not contain any of the following characters: <>(){}'\
+        purpose: 'verifying your identity',
+        cache_ttl: 600,
+        client: {
+            // Update with your client specific metadata. The client_id and organisation_id can be found in the registry.
+            client_id: 'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a',
+            organisation_id: 'ab837240-9618-4953-966e-90fd1fa63999',
+            jwks_uri: 'https://keystore.directory.sandbox.connectid.com.au/ab837240-9618-4953-966e-90fd1fa63999/280518db-9807-4824-b080-324d94b45f6a/application.jwks',
+            redirect_uris: ['https://demo.relyingpart.net/cb', 'https://tpp.localhost/cb'],
+            organisation_name: 'ConnectID Developer Tools Sample App',
+            organisation_number: 'ABN123123123',
+            software_description: 'App to demonstrate ConnectID end to end flows.',
+            // The following config is here for reference - you should not need to change any of it
+            application_type: 'web',
+            grant_types: ['client_credentials', 'authorization_code', 'implicit'],
+            id_token_signed_response_alg: 'PS256',
+            post_logout_redirect_uris: [],
+            require_auth_time: false,
+            response_types: ['code id_token', 'code'],
+            subject_type: 'public',
+            token_endpoint_auth_method: 'private_key_jwt',
+            token_endpoint_auth_signing_alg: 'PS256',
+            introspection_endpoint_auth_method: 'private_key_jwt',
+            revocation_endpoint_auth_method: 'private_key_jwt',
+            request_object_signing_alg: 'PS256',
+            require_signed_request_object: true,
+            require_pushed_authorization_requests: true,
+            authorization_signed_response_alg: 'PS256',
+            tls_client_certificate_bound_access_tokens: true,
+            backchannel_user_code_parameter: false,
+            scope: 'openid',
+            software_roles: ['RP-CORE'],
+        },
+    },
+};

package/filter/participant-filters.d.ts

@@ -0,0 +1,12 @@
+import { Participant, CertificationFilter } from '../types';
+export default class ParticipantFilters {
+    removeOutOfDateCertifications(participants: Participant[], referenceDate: Date): Participant[];
+    removeUnofficialCertifications(participants: Participant[]): Participant[];
+    removeInactiveAuthServers(participants: Participant[]): Participant[];
+    removeParticipantsWithoutAuthServers(participants: Participant[]): Participant[];
+    filterAuthServersForSupportedClaims(participants: Participant[], claims: string[]): Participant[];
+    filterForRequiredCertifications(participants: Participant[], certifications: CertificationFilter[]): Participant[];
+    removeFallbackIdentityServiceProvider(participants: Participant[]): Participant[];
+    filterForFallbackIdentityServiceProviders(participants: Participant[]): Participant[];
+    private toDate;
+}

package/filter/participant-filters.js

@@ -0,0 +1,92 @@
+// Set of filters to support filtering Participants and Authorisation Servers based on their status and capabilities.
+export default class ParticipantFilters {
+    removeOutOfDateCertifications(participants, referenceDate) {
+        for (const participant of participants) {
+            for (const authServer of participant.AuthorisationServers) {
+                authServer.AuthorisationServerCertifications = authServer.AuthorisationServerCertifications.filter((certification) => {
+                    return this.toDate(certification.CertificationStartDate) < referenceDate && this.toDate(certification.CertificationExpirationDate) > referenceDate;
+                });
+            }
+        }
+        return participants;
+    }
+    removeUnofficialCertifications(participants) {
+        for (const participant of participants) {
+            for (const authServer of participant.AuthorisationServers) {
+                authServer.AuthorisationServerCertifications = authServer.AuthorisationServerCertifications.filter((certification) => {
+                    return certification.Status === 'Certified';
+                });
+            }
+        }
+        return participants;
+    }
+    // Remove any inactive authorisation servers that do not have a valid "Redirect:FAPI2 Adv. OP w/Private Key, PAR" certification
+    // The filtering assumes any out of date certifications have already been removed
+    removeInactiveAuthServers(participants) {
+        for (const participant of participants) {
+            participant.AuthorisationServers = participant.AuthorisationServers.filter((authServer) => {
+                return authServer.AuthorisationServerCertifications.some((certification) => {
+                    return certification.ProfileType === 'Redirect' && certification.ProfileVariant === 'FAPI2 Adv. OP w/Private Key, PAR';
+                });
+            });
+        }
+        return participants;
+    }
+    removeParticipantsWithoutAuthServers(participants) {
+        return participants.filter((participant) => {
+            return participant.AuthorisationServers.length > 0;
+        });
+    }
+    filterAuthServersForSupportedClaims(participants, claims) {
+        const nameClaims = ['name', 'given_name', 'middle_name', 'family_name'];
+        const hasNameClaims = claims.find((claim) => nameClaims.includes(claim));
+        // All name claims (name, given_name, middle_name, family_name) are mapped to `name` in the authorisation server
+        // So if an authorisation server has any name claim, remove all name claims and leave only `name`
+        const formattedClaims = hasNameClaims
+            ? ['name', ...claims.filter((claim) => !nameClaims.includes(claim))]
+            : claims;
+        for (const participant of participants) {
+            participant.AuthorisationServers = participant.AuthorisationServers.filter((authorisationServer) => {
+                const authorisationServerClaims = authorisationServer.AuthorisationServerCertifications.filter(({ ProfileType }) => ProfileType === 'ConnectID Claims').map((cert) => cert.ProfileVariant);
+                return formattedClaims.every((claim) => authorisationServerClaims.includes(claim));
+            });
+        }
+        return participants;
+    }
+    filterForRequiredCertifications(participants, certifications) {
+        for (const certification of certifications) {
+            for (const participant of participants) {
+                participant.AuthorisationServers = participant.AuthorisationServers.filter((authServer) => {
+                    return authServer.AuthorisationServerCertifications.some((serverCertification) => {
+                        return (serverCertification.ProfileType === certification.profileType && serverCertification.ProfileVariant === certification.profileVariant);
+                    });
+                });
+            }
+        }
+        return participants;
+    }
+    removeFallbackIdentityServiceProvider(participants) {
+        for (const participant of participants) {
+            participant.AuthorisationServers = participant.AuthorisationServers.filter((authServer) => {
+                return authServer.AuthorisationServerCertifications.every((certification) => {
+                    return !(certification.ProfileType === 'ConnectID' && certification.ProfileVariant === 'Fallback Identity Service Provider');
+                });
+            });
+        }
+        return participants;
+    }
+    filterForFallbackIdentityServiceProviders(participants) {
+        for (const participant of participants) {
+            participant.AuthorisationServers = participant.AuthorisationServers.filter((authServer) => {
+                return authServer.AuthorisationServerCertifications.some((certification) => {
+                    return certification.ProfileType === 'ConnectID' && certification.ProfileVariant === 'Fallback Identity Service Provider';
+                });
+            });
+        }
+        return participants;
+    }
+    toDate(dateString) {
+        var dateParts = dateString.split("/");
+        return new Date(+dateParts[2], +dateParts[1] - 1, +dateParts[0]);
+    }
+}

package/logger.d.ts

@@ -0,0 +1 @@
+export declare const getLogger: (logLevel?: "debug" | "info") => import("winston").Logger;

package/logger.js

@@ -0,0 +1,9 @@
+import { createLogger, format, transports } from 'winston';
+export const getLogger = (logLevel = 'info') => {
+    const logFormat = format.printf(({ level, message, timestamp }) => `${timestamp} ${level}: ${message}`);
+    return createLogger({
+        level: logLevel,
+        format: format.combine(format.colorize(), format.timestamp(), logFormat),
+        transports: [new transports.Console()],
+    });
+};

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "@connectid-tools/rp-nodejs-sdk",
+  "version": "4.0.4",
+  "description": "Digital Identity Relying Party Node SDK",
+  "main": "relying-party-client-sdk.js",
+  "types": "relying-party-client-sdk.d.ts",
+  "type": "module",
+  "scripts": {
+    "format": "npx prettier --write src",
+    "test": "node --import tsx --test src/tests/*.test.ts",
+    "test:watch": "node --watch --test --import tsx src/tests/*.test.ts",
+    "test:conformance": "node --import tsx --test src/conformance/conformance.test.ts",
+    "prebuild": "rm -rf lib",
+    "build": "tsc",
+    "postbuild": "cp package.json lib && cd lib && node ../node_modules/add-js-extension/dist/bin.js . --once && replace-in-files --string='${process.env.SDK_VERSION}' --replacement=$npm_package_version relying-party-client-sdk.js && cd .."
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/connectid-tools/rp-nodejs-sdk.git"
+  },
+  "keywords": [
+    "SDK",
+    "DigitalIdentity"
+  ],
+  "author": "ConnectID",
+  "bugs": {
+    "url": "https://github.com/connectid-tools/rp-nodejs-sample-app/issues"
+  },
+  "homepage": "https://github.com/connectid-tools/rp-nodejs-sample-app",
+  "dependencies": {
+    "https": "^1.0.0",
+    "node-jose": "^2.2.0",
+    "openid-client": "^5.7.1",
+    "winston": "^3.17.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.17.19",
+    "@types/openid-client": "^3.7.0",
+    "add-js-extension": "^1.0.4",
+    "eslint": "^9.20.1",
+    "prettier": "^3.5.1",
+    "replace-in-files-cli": "^2.2.0",
+    "tsx": "^4.19.3",
+    "typescript": "^5.7.3"
+  }
+}

package/relying-party-client-sdk.d.ts

@@ -0,0 +1,37 @@
+import { CallbackParamsType } from 'openid-client';
+import { AuthorisationServer, ConsolidatedTokenSet, Participant, RelyingPartyClientSdkConfig } from './types';
+export default class RelyingPartyClientSdk {
+    private readonly logger;
+    private config;
+    private readonly transportKey;
+    private readonly transportPem;
+    private readonly signingKey;
+    private readonly caPem;
+    private readonly purpose;
+    private participantFilters;
+    private readonly default_cache_ttl;
+    private cachedParticipantsExpiry;
+    private cachedParticipants;
+    constructor(config: RelyingPartyClientSdkConfig);
+    getParticipants(): Promise<Participant[]>;
+    getFallbackProviderParticipants(): Promise<Participant[]>;
+    getCurrentDate(): Date;
+    fetchParticipants(participantsUri: string): Promise<Participant[]>;
+    private retrieveFullParticipantsList;
+    sendPushedAuthorisationRequest(authServerId: string, essentialClaims: string[], voluntaryClaims?: string[], purpose?: string): Promise<{
+        authUrl: string;
+        code_verifier: string;
+        state: string;
+        nonce: string;
+        xFapiInteractionId: `${string}-${string}-${string}-${string}-${string}`;
+    }>;
+    retrieveTokens(authorisationServerId: string, requestParams: CallbackParamsType, codeVerifier: string, state: string, nonce: string): Promise<ConsolidatedTokenSet>;
+    private buildConsolidatedTokenSet;
+    getAuthServerDetails(authServerId: string): Promise<AuthorisationServer>;
+    private generateClaimsRequest;
+    getUserInfo(authorisationServerId: string, accessToken: string): Promise<import("openid-client").UserinfoResponse<import("openid-client").UnknownObject, import("openid-client").UnknownObject>>;
+    private getKeyset;
+    private setupClient;
+    private generateRequest;
+    private generateXFapiInteractionId;
+}

package/relying-party-client-sdk.js

@@ -0,0 +1,355 @@
+// Simple API wrapper over the node-openid-client that provides utility methods
+// supporting the specific implementation required for the ConnectID Digital Identity
+// solution.
+//
+// The intent is the Relying Parties can use this as a simple SDK for interacting
+// with the ConnectID solution.
+import { exportJWK } from 'jose';
+import { createPrivateKey, randomUUID } from 'crypto';
+import { globalAgent } from 'node:https';
+import { rootCertificates } from 'node:tls';
+import { custom, Issuer } from 'openid-client';
+import { getCertificate } from './utils/cert-utils.js';
+import { partition } from './utils/functional-utils.js';
+import { getLogger } from './logger.js';
+import ParticipantFilters from './filter/participant-filters.js';
+import { illegalPurposeChars, isValidCertificate, validatePurpose } from './validator.js';
+import { generatePushAuthorisationRequestParams } from './utils/request-utils.js';
+// The extended list of claims which can be requested for a user
+const extendedClaimList = ['over16', 'over18', 'over21', 'over25', 'over65', 'beneficiary_account_au', 'beneficiary_account_au_payid', 'beneficiary_account_international'];
+export default class RelyingPartyClientSdk {
+    constructor(config) {
+        this.purpose = 'verifying your identity';
+        this.participantFilters = new ParticipantFilters();
+        this.default_cache_ttl = 600;
+        this.cachedParticipantsExpiry = 0;
+        this.cachedParticipants = [];
+        this.config = config;
+        if (!isValidCertificate(this.config.data.transport_key, this.config.data.transport_key_content)) {
+            throw new Error('Either transport_key or transport_key_content must be provided');
+        }
+        if (!isValidCertificate(this.config.data.transport_pem, this.config.data.transport_pem_content)) {
+            throw new Error('Either transport_pem or transport_pem_content must be provided');
+        }
+        if (!isValidCertificate(this.config.data.signing_key, this.config.data.signing_key_content)) {
+            throw new Error('Either signing_key or signing_key_content must be provided');
+        }
+        if (!isValidCertificate(this.config.data.ca_pem, this.config.data.ca_pem_content)) {
+            throw new Error('Either ca_pem or ca_pem_content must be provided');
+        }
+        this.transportKey = getCertificate(this.config.data.transport_key, this.config.data.transport_key_content);
+        this.transportPem = getCertificate(this.config.data.transport_pem, this.config.data.transport_pem_content);
+        this.signingKey = getCertificate(this.config.data.signing_key, this.config.data.signing_key_content);
+        this.caPem = getCertificate(this.config.data.ca_pem, this.config.data.ca_pem_content);
+        this.logger = getLogger(this.config.data.log_level);
+        this.logger.info(`Creating RelyingPartyClientSdk - version 4.0.4`);
+        if (this.config.data.purpose) {
+            const purposeValidation = validatePurpose(this.config.data.purpose);
+            if (purposeValidation === 'INVALID_LENGTH') {
+                this.logger.warn('Purpose must be between 3 and 300 characters');
+                throw new Error(`Invalid purpose for supplied in config: ${this.config.data.purpose}`);
+            }
+            if (purposeValidation === 'INVALID_CHARACTERS') {
+                this.logger.warn(`Purpose cannot contain any of the following characters: ${illegalPurposeChars.join(',')}, purpose supplied: [${this.config.data.purpose}]`);
+                throw new Error(`Invalid purpose for supplied in config: ${this.config.data.purpose}`);
+            }
+            this.purpose = this.config.data.purpose;
+            this.logger.info(`Using default purpose supplied in config: ${this.purpose}`);
+        }
+        else {
+            this.logger.info(`Using built in default purpose: ${this.purpose}`);
+        }
+        if (this.config.data.include_uncertified_participants) {
+            this.logger.info(`Identity provider list will not be filtered as include_uncertified_participants=true`);
+        }
+        else {
+            if (this.config.data.required_claims) {
+                this.logger.info(`Identity provider list will be filtered for participants that support the following claims: ${JSON.stringify(this.config.data.required_claims)}`);
+            }
+            if (this.config.data.required_participant_certifications) {
+                this.logger.info(`Identity provider list will be filtered for participants that support the following certifications: ${JSON.stringify(this.config.data.required_participant_certifications)}`);
+            }
+        }
+        globalAgent.options.cert = this.transportPem;
+        globalAgent.options.key = this.transportKey;
+        globalAgent.options.ca = [this.caPem, ...rootCertificates];
+        custom.setHttpOptionsDefaults({ timeout: 10000 });
+        // 4.0.4 is replaced with `postbuild` script in package.json (see replace-in-files)
+        this.logger.info(`Using ${this.config.data.transport_key_content ? 'transport_key_content' : 'transport_key'} config prop`);
+        this.logger.info(`Using ${this.config.data.transport_pem_content ? 'transport_pem_content' : 'transport_pem'} config prop`);
+        this.logger.info(`Using ${this.config.data.ca_pem_content ? 'ca_pem_content' : 'ca_pem'} config prop`);
+        this.logger.info(`Using ${this.config.data.signing_key_content ? 'signing_key_content' : 'signing_key'} config prop`);
+    }
+    // Get the list of Participating DPs within the scheme and their metadata
+    async getParticipants() {
+        const participantsUri = this.config.data.registry_participants_uri;
+        try {
+            const participants = await this.retrieveFullParticipantsList(participantsUri);
+            this.logger.info(`Retrieved identity providers from ${participantsUri}, num orgs found: ${participants.length}`);
+            let filteredParticipants = this.participantFilters.removeFallbackIdentityServiceProvider(participants);
+            if (this.config.data.include_uncertified_participants) {
+                this.logger.info(`Identity provider list has not been filtered as include_uncertified_participants=true`);
+                filteredParticipants = this.participantFilters.removeParticipantsWithoutAuthServers(filteredParticipants);
+                return filteredParticipants;
+            }
+            filteredParticipants = this.participantFilters.removeOutOfDateCertifications(filteredParticipants, this.getCurrentDate());
+            filteredParticipants = this.participantFilters.removeUnofficialCertifications(filteredParticipants);
+            if (this.config.data.required_claims) {
+                this.logger.debug(`Identity provider list filtered for participants that support the following claims: ${JSON.stringify(this.config.data.required_claims)}`);
+                filteredParticipants = this.participantFilters.filterAuthServersForSupportedClaims(filteredParticipants, this.config.data.required_claims);
+            }
+            if (this.config.data.required_participant_certifications) {
+                this.logger.debug(`Identity provider list filtered for participants that support the following certifications: ${JSON.stringify(this.config.data.required_participant_certifications)}`);
+                filteredParticipants = this.participantFilters.filterForRequiredCertifications(filteredParticipants, this.config.data.required_participant_certifications);
+            }
+            filteredParticipants = this.participantFilters.removeInactiveAuthServers(filteredParticipants);
+            filteredParticipants = this.participantFilters.removeParticipantsWithoutAuthServers(filteredParticipants);
+            return filteredParticipants;
+        }
+        catch (e) {
+            throw new Error(`Unable to get participants from ${participantsUri}, ${e}`);
+        }
+    }
+    async getFallbackProviderParticipants() {
+        const participantsUri = this.config.data.registry_participants_uri;
+        try {
+            const participants = await this.retrieveFullParticipantsList(participantsUri);
+            this.logger.info(`Retrieved identity providers, num orgs found: ${participants.length}`);
+            let filteredParticipants = this.participantFilters.removeOutOfDateCertifications(participants, this.getCurrentDate());
+            filteredParticipants = this.participantFilters.removeUnofficialCertifications(filteredParticipants);
+            filteredParticipants = this.participantFilters.filterForFallbackIdentityServiceProviders(filteredParticipants);
+            filteredParticipants = this.participantFilters.removeParticipantsWithoutAuthServers(filteredParticipants);
+            return filteredParticipants;
+        }
+        catch (e) {
+            throw new Error(`Unable to get participants from ${participantsUri}, ${e}`);
+        }
+    }
+    // This method is public, so we can mock the current date in tests
+    getCurrentDate() {
+        return new Date();
+    }
+    async fetchParticipants(participantsUri) {
+        const response = await fetch(participantsUri);
+        if (!response.ok) {
+            throw new Error(`Failed to retrieve participants from ${participantsUri}: status (${response.status})`);
+        }
+        return await response.json();
+    }
+    async retrieveFullParticipantsList(participantsUri) {
+        const currentTime = Date.now();
+        if (currentTime > this.cachedParticipantsExpiry) {
+            this.cachedParticipants = await this.fetchParticipants(participantsUri);
+            this.cachedParticipantsExpiry = currentTime + (this.config.data.cache_ttl ?? this.default_cache_ttl) * 1000;
+        }
+        // ensure the cached value remain untouched down the call stack by returning a deep copy 
+        return this.cachedParticipants.map(participant => Object.assign({}, participant));
+    }
+    // Create and send a pushed authorisation request to the specified authorisation
+    // server to allow the initiation of an OIDC flow.
+    async sendPushedAuthorisationRequest(authServerId, essentialClaims, voluntaryClaims = [], purpose = this.purpose) {
+        const purposeValidation = validatePurpose(purpose);
+        if (purposeValidation === 'INVALID_LENGTH') {
+            this.logger.warn('Purpose must be between 3 and 300 characters');
+            throw new Error(`Invalid purpose for supplied for PAR: ${purpose}`);
+        }
+        if (purposeValidation === 'INVALID_CHARACTERS') {
+            this.logger.warn(`Purpose cannot contain any of the following characters: ${illegalPurposeChars.join(',')}, purpose supplied: [${purpose}]`);
+            throw new Error(`Invalid purpose for supplied for PAR: ${purpose}`);
+        }
+        const xFapiInteractionId = this.generateXFapiInteractionId();
+        try {
+            const essentialClaimsWithTxn = [...new Set([...essentialClaims, 'txn'])];
+            const claimsRequest = this.generateClaimsRequest(essentialClaimsWithTxn, voluntaryClaims);
+            const authServer = await this.getAuthServerDetails(authServerId);
+            const { fapiClient } = await this.setupClient(authServer, xFapiInteractionId);
+            const { authUrl, code_verifier, state, nonce } = await this.generateRequest(fapiClient, claimsRequest, purpose);
+            this.logger.info(`Sent PAR to auth server: ${authServerId} - ${authServer.CustomerFriendlyName}, essential claims: ${essentialClaimsWithTxn}, voluntary claims: ${voluntaryClaims}, x-fapi-interaction-id: ${xFapiInteractionId}`);
+            return { authUrl, code_verifier, state, nonce, xFapiInteractionId };
+        }
+        catch (e) {
+            this.logger.error(`Error sending pushed authorisation request to authorisation server ${authServerId}, x-fapi-interaction-id: ${xFapiInteractionId}.`, e);
+            throw new Error(`Unable to send pushed authorisation request to ${authServerId}, x-fapi-interaction-id: ${xFapiInteractionId} - ${e}`);
+        }
+    }
+    // Process the callback response and return the tokens (access token and id token as a token set)
+    async retrieveTokens(authorisationServerId, requestParams, codeVerifier, state, nonce) {
+        const xFapiInteractionId = this.generateXFapiInteractionId();
+        try {
+            const authServer = await this.getAuthServerDetails(authorisationServerId);
+            const { fapiClient, localIssuer } = await this.setupClient(authServer, xFapiInteractionId);
+            const tokenSet = await fapiClient.callback(this.config.data.application_redirect_uri, requestParams, { code_verifier: codeVerifier, state, nonce, response_type: 'code' }, { clientAssertionPayload: { aud: localIssuer.metadata.issuer } });
+            this.logger.info(`Retrieved tokenSet from auth server: ${authorisationServerId} - ${authServer.CustomerFriendlyName}, x-fapi-interaction-id: ${xFapiInteractionId}, txn: ${tokenSet.claims().txn}`);
+            this.logger.debug(`Tokens returned from: ${authorisationServerId} - ${authServer.CustomerFriendlyName}: ${JSON.stringify(tokenSet)} claims: ${JSON.stringify(tokenSet.claims())}`);
+            // If using the OIDF test suite, need to make a call to userInfo when claims were successfully decoded
+            if (this.config.data.enable_auto_compliance_verification) {
+                this.logger.info('Auto compliance verification mode enabled, making call to userInfo since claims successfully decoded');
+                if (tokenSet.access_token != null) {
+                    await this.getUserInfo(authorisationServerId, tokenSet.access_token);
+                }
+            }
+            return this.buildConsolidatedTokenSet(tokenSet, xFapiInteractionId);
+        }
+        catch (e) {
+            this.logger.error(`Error retrieving tokens with authorisation server ${authorisationServerId}, x-fapi-interaction-id: ${xFapiInteractionId}`, e);
+            throw new Error(`Unable to retrieve tokens with authorisation server ${authorisationServerId}, x-fapi-interaction-id: ${xFapiInteractionId}`);
+        }
+    }
+    buildConsolidatedTokenSet(tokenSet, xFapiInteractionId) {
+        return {
+            ...tokenSet,
+            xFapiInteractionId,
+            expired: () => tokenSet.expired(),
+            claims: () => tokenSet.claims(),
+            // @ts-ignore IdTokenClaims does not have `verified_claims` property (unknown)
+            consolidatedClaims: () => ({ ...tokenSet.claims(), ...tokenSet.claims().verified_claims?.claims }),
+        };
+    }
+    // Get the full details of an authorisation server given its AuthorisationServerId
+    async getAuthServerDetails(authServerId) {
+        const idps = await this.getParticipants();
+        const servers = idps.map(({ AuthorisationServers }) => AuthorisationServers).flat();
+        let found = servers.find(({ AuthorisationServerId }) => AuthorisationServerId === authServerId);
+        if (!found) {
+            // Check if it is one of the fallback servers
+            const fallbackIdps = await this.getFallbackProviderParticipants();
+            const fallbackServers = fallbackIdps.map(({ AuthorisationServers }) => AuthorisationServers).flat();
+            found = fallbackServers.find(({ AuthorisationServerId }) => AuthorisationServerId === authServerId);
+            if (!found) {
+                // Let the user know if was an auth server that was filtered out
+                const allAuthServers = (await this.retrieveFullParticipantsList(this.config.data.registry_participants_uri)).map(({ AuthorisationServers }) => AuthorisationServers).flat();
+                let exists = allAuthServers.find(({ AuthorisationServerId }) => AuthorisationServerId === authServerId);
+                let additionalLogInfo = exists ? ` Server exists but was filtered from results due to config settings for 'include_uncertified_participants', 'required_participant_certifications' and 'required_claims'` : '';
+                throw new Error(`Unable to find specified Authorisation Server: ${authServerId}${additionalLogInfo}`);
+            }
+        }
+        return found;
+    }
+    // Turn the list of claim names into the claims request to use as part of the PAR
+    generateClaimsRequest(essentialClaims, voluntaryClaims) {
+        this.logger.info(`Generating claims request with - essential claims: ${essentialClaims}, voluntary claims: ${voluntaryClaims}`);
+        const formattedVoluntaryClaims = voluntaryClaims.filter((claim) => !essentialClaims.includes(claim));
+        // Find the essential and voluntary claims.
+        const split = (claim) => extendedClaimList.includes(claim);
+        const [essentialExtendedClaims, filteredEssentialClaims] = partition(essentialClaims, split);
+        const [voluntaryExtendedClaims, filteredFormattedVoluntaryClaims] = partition(formattedVoluntaryClaims, split);
+        const buildExtendedClaims = (essentialExtendedClaims, voluntaryExtendedClaims) => [...essentialExtendedClaims, ...voluntaryExtendedClaims].reduce((acc, claim) => {
+            return {
+                ...acc,
+                [claim]: {
+                    essential: essentialExtendedClaims.includes(claim),
+                },
+            };
+        }, {});
+        // If there are any extended claims, add them to the claims request.
+        const claimsRequest = { id_token: {} };
+        if (essentialExtendedClaims.length > 0 || voluntaryExtendedClaims.length > 0) {
+            claimsRequest.id_token.verified_claims = {
+                verification: {
+                    trust_framework: {
+                        value: 'au_connectid',
+                    },
+                },
+                claims: buildExtendedClaims(essentialExtendedClaims, voluntaryExtendedClaims),
+            };
+        }
+        // Add the normal claims to the claims request.
+        filteredEssentialClaims.forEach((claim) => (claimsRequest.id_token[claim] = { essential: true }));
+        filteredFormattedVoluntaryClaims.forEach((claim) => (claimsRequest.id_token[claim] = { essential: false }));
+        this.logger.info(`Claims request: ${JSON.stringify(claimsRequest)}`);
+        return claimsRequest;
+    }
+    // Call the UserInfo endpoint to get the claims for the user
+    // TODO type return?!
+    async getUserInfo(authorisationServerId, accessToken) {
+        const authServer = await this.getAuthServerDetails(authorisationServerId);
+        const { fapiClient } = await this.setupClient(authServer, this.generateXFapiInteractionId());
+        return await fapiClient.userinfo(accessToken);
+    }
+    async getKeyset() {
+        const key = createPrivateKey(this.signingKey);
+        const privateJwk = await exportJWK(key);
+        privateJwk.kid = this.config.data.signing_kid;
+        this.logger.debug(`Create private jwk key ${JSON.stringify(privateJwk)}`);
+        /*
+        SDK bug with Node 16, the error is thrown in this function below because the JWK fails the !isPlainObject(k) condition.
+    
+        // rp-nodejs-sdk/node_modules/openid-client/lib/client.js
+        function getKeystore(jwks) {
+          if (
+            !isPlainObject(jwks) ||
+            !Array.isArray(jwks.keys) ||
+            jwks.keys.some((k) => !isPlainObject(k) || !('kty' in k))
+          ) {
+            throw new TypeError('jwks must be a JSON Web Key Set formatted object');
+          }
+    
+          return KeyStore.fromJWKS(jwks, { onlyPrivate: true });
+        }
+    
+        Interesting that the code for isPlainObject is:
+        module.exports = (a) => !!a && a.constructor === Object;
+    
+        And it returns false for a.constructor === Object. It returns [Function: Object]. So going deeper, I think the private key generated by const privateJwk = await fromKeyLike(key) is not compatible with the constructor even having the same type (JWK) as TS doesn't complain:
+        new (metadata: ClientMetadata, jwks?: { keys: jose.JWK[] }, options?: ClientOptions): TClient;
+    
+        Might be different versions of JWK type (openid-client jose x jose)?!
+        To make it work then I tried recreating the JWK object using JSON.stringify and JSON.parse so the constructor returns an Object (?!)
+        ...and it worked :) So my guess is the way the JWK is generated using fromKeyLike that doesn't match the requirement when validating the JWK (constructor is not Object).
+    
+        Why does it work on Node 14?
+        jwks.keys[0].constructor === Object on Node 14 returns true
+        jwks.keys[0].constructor === Object on Node 16 returns false
+        */
+        return { keys: [JSON.parse(JSON.stringify(privateJwk))] };
+    }
+    // Create a FAPI client for the specified authorisation server
+    async setupClient(authorisationServer, xFapiInteractionId) {
+        const response = await fetch(authorisationServer.OpenIDDiscoveryDocument);
+        if (!response.ok) {
+            throw new Error(`Failed to retrieve metadata from the authorisation server ${authorisationServer.AuthorisationServerId} at ${authorisationServer.OpenIDDiscoveryDocument}`);
+        }
+        const metadata = await response.json();
+        this.logger.debug(`Retrieved metadata for server ${authorisationServer.OpenIDDiscoveryDocument} ${JSON.stringify(metadata)}`);
+        for (const [key, value] of Object.entries(metadata?.mtls_endpoint_aliases)) {
+            metadata[key] = value;
+        }
+        this.logger.debug(`Updated endpoints with mtls alias properties for server ${authorisationServer.OpenIDDiscoveryDocument} ${JSON.stringify(metadata)}`);
+        const localIssuer = new Issuer(metadata);
+        this.logger.debug(`Discovered issuer ${localIssuer.issuer} ${JSON.stringify(localIssuer.metadata)}`);
+        const keyset = await this.getKeyset();
+        const fapiClient = new localIssuer.FAPI1Client(this.config.data.client, keyset);
+        this.logger.debug(`Discovered client ${JSON.stringify(fapiClient)}`);
+        fapiClient[custom.http_options] = () => ({ key: this.transportKey, cert: this.transportPem, headers: { 'x-fapi-interaction-id': xFapiInteractionId } });
+        return { fapiClient, localIssuer };
+    }
+    async generateRequest(fapiClient, claims, purpose) {
+        const { codeChallenge, codeVerifier, nonce, state } = generatePushAuthorisationRequestParams();
+        const request = await fapiClient.requestObject({
+            scope: 'openid',
+            response_type: 'code',
+            redirect_uri: this.config.data.application_redirect_uri,
+            code_challenge: codeChallenge,
+            code_challenge_method: 'S256',
+            response_mode: 'query',
+            state,
+            nonce,
+            claims,
+            prompt: 'consent',
+            max_age: 900,
+            purpose,
+        });
+        const clientAssertionPayload = {
+            clientAssertionPayload: {
+                aud: fapiClient.issuer.issuer
+            }
+        };
+        this.logger.debug('Generated request object: ' + JSON.stringify(request));
+        const { request_uri } = await fapiClient.pushedAuthorizationRequest({ request }, clientAssertionPayload);
+        const authUrl = fapiClient.authorizationUrl({ request_uri, scope: undefined, redirect_uri: undefined, response_type: undefined });
+        return { authUrl, code_verifier: codeVerifier, state, nonce };
+    }
+    generateXFapiInteractionId() {
+        return randomUUID();
+    }
+}

package/types.d.ts

@@ -0,0 +1,168 @@
+import { IdTokenClaims, TokenSet } from 'openid-client';
+export type RelyingPartyClientSdkConfig = {
+    data: {
+        ca_pem?: string;
+        ca_pem_content?: string;
+        signing_kid: string;
+        signing_key?: string;
+        signing_key_content?: string;
+        signing_pem?: string;
+        signing_pem_content?: string;
+        transport_key?: string;
+        transport_key_content?: string;
+        transport_pem?: string;
+        transport_pem_content?: string;
+        application_redirect_uri: string;
+        registry_participants_uri: string;
+        include_uncertified_participants?: boolean;
+        required_participant_certifications?: CertificationFilter[];
+        required_claims?: string[];
+        log_level: 'debug' | 'info';
+        enable_auto_compliance_verification: boolean;
+        purpose?: string;
+        cache_ttl?: number;
+        client: {
+            client_id: string;
+            organisation_id: string;
+            jwks_uri: string;
+            redirect_uris: string[];
+            organisation_name: string;
+            organisation_number: string;
+            software_description: string;
+            software_roles: string[];
+            application_type: 'web';
+            grant_types: ['client_credentials', 'authorization_code', 'implicit'];
+            id_token_signed_response_alg: 'PS256';
+            post_logout_redirect_uris: [];
+            require_auth_time: false;
+            response_types: ['code id_token', 'code'];
+            subject_type: 'public';
+            token_endpoint_auth_method: 'private_key_jwt';
+            token_endpoint_auth_signing_alg: 'PS256';
+            introspection_endpoint_auth_method: 'private_key_jwt';
+            revocation_endpoint_auth_method: 'private_key_jwt';
+            request_object_signing_alg: 'PS256';
+            require_signed_request_object: true;
+            require_pushed_authorization_requests: true;
+            authorization_signed_response_alg: 'PS256';
+            tls_client_certificate_bound_access_tokens: true;
+            backchannel_user_code_parameter: false;
+            scope: 'openid';
+        };
+    };
+};
+export type Participant = {
+    OrganisationId: string;
+    Status: string;
+    OrganisationName: string;
+    CreatedOn: string;
+    LegalEntityName: string;
+    CountryOfRegistration: string;
+    CompanyRegister: string;
+    Tag: string[];
+    Size: string;
+    RegistrationNumber: string;
+    RegistrationId: string | null;
+    RegisteredName: string;
+    AddressLine1: string;
+    AddressLine2: string;
+    City: string;
+    Postcode: string;
+    Country: string;
+    ParentOrganisationReference: string;
+    AuthorisationServers: AuthorisationServer[];
+    OrgDomainClaims: OrgDomainClaim[];
+    OrgDomainRoleClaims: OrgDomainRoleClaim[];
+};
+export type AuthorisationServer = {
+    AuthorisationServerId: string;
+    AutoRegistrationSupported: boolean;
+    AutoRegistrationNotificationWebhook: string;
+    SupportsCiba: boolean;
+    SupportsDCR: boolean;
+    ApiResources: ApiResource[];
+    AuthorisationServerCertifications: AuthorisationServerCertification[];
+    CustomerFriendlyDescription: string;
+    CustomerFriendlyLogoUri: string;
+    CustomerFriendlyName: string;
+    DeveloperPortalUri: string | null;
+    TermsOfServiceUri: string | null;
+    NotificationWebhookAddedDate: string | null;
+    OpenIDDiscoveryDocument: string;
+    Issuer: string;
+    PayloadSigningCertLocationUri: string;
+    ParentAuthorisationServerId: string | null;
+    DeprecatedDate: Date | null;
+    RetirementDate: Date | null;
+    SupersededByAuthorisationServerId: string | null;
+};
+export type ApiResource = {
+    ApiResourceId: string;
+    ApiVersion: string;
+    ApiDiscoveryEndpoints: ApiDiscoveryEndpoint[];
+    FamilyComplete: boolean;
+    ApiCertificationUri: string;
+    CertificationStatus: string;
+    CertificationStartDate?: Date;
+    CertificationExpirationDate?: Date;
+    ApiFamilyType: string;
+};
+export type ApiDiscoveryEndpoint = {
+    ApiDiscoveryId: string;
+    ApiEndpoint: string;
+};
+export type AuthorisationServerCertification = {
+    CertificationStartDate: string;
+    CertificationExpirationDate: string;
+    CertificationId: string;
+    AuthorisationServerId: string;
+    Status: string;
+    ProfileVariant: string;
+    ProfileType: string;
+    ProfileVersion: number;
+    CertificationURI: string;
+};
+export type OrgDomainClaim = {
+    AuthorisationDomainName: string;
+    AuthorityName: string;
+    RegistrationId: string;
+    Status: string;
+};
+export type OrgDomainRoleClaim = {
+    Status: string;
+    AuthorisationDomain: string;
+    Role: string;
+    Authorisations: any[];
+    RegistrationId: string;
+};
+export type ClaimsRequest = {
+    id_token: {
+        [key: string]: any;
+        verified_claims?: {
+            verification: {
+                trust_framework: {
+                    value: string;
+                } | null;
+            };
+            claims?: {
+                [key: string]: {
+                    essential: boolean;
+                };
+            };
+        };
+    };
+};
+export type ConsolidatedTokenSet = TokenSet & {
+    consolidatedClaims(): IdTokenClaims;
+};
+export type CertificationFilter = {
+    profileVariant: string;
+    profileType: string;
+};
+export type PushAuthorisationRequestParams = {
+    state: string;
+    nonce: string;
+    codeVerifier: string;
+    codeChallenge: string;
+};
+export type PurposeValidation = 'INVALID_LENGTH' | 'INVALID_CHARACTERS' | 'VALID';

package/types.js

@@ -0,0 +1 @@
+export {};

package/utils/cert-utils.d.ts

@@ -0,0 +1 @@
+export declare const getCertificate: (certificatePath?: string, certificateContent?: string) => string | Buffer<ArrayBufferLike>;

package/utils/cert-utils.js

@@ -0,0 +1,2 @@
+import { readFileSync } from 'fs';
+export const getCertificate = (certificatePath, certificateContent) => certificateContent || readFileSync(certificatePath);

package/utils/functional-utils.d.ts

@@ -0,0 +1 @@
+export declare function partition<T>(array: T[], predicate: (value: T) => boolean): [T[], T[]];

package/utils/functional-utils.js

@@ -0,0 +1,12 @@
+export function partition(array, predicate) {
+    const [matches, nonMatches] = [[], []];
+    for (const element of array) {
+        if (predicate(element)) {
+            matches.push(element);
+        }
+        else {
+            nonMatches.push(element);
+        }
+    }
+    return [matches, nonMatches];
+}

package/utils/request-utils.d.ts

@@ -0,0 +1,2 @@
+import { PushAuthorisationRequestParams } from '../types';
+export declare const generatePushAuthorisationRequestParams: () => PushAuthorisationRequestParams;

package/utils/request-utils.js

@@ -0,0 +1,8 @@
+import { generators } from 'openid-client';
+export const generatePushAuthorisationRequestParams = () => {
+    const state = generators.state();
+    const nonce = generators.nonce();
+    const codeVerifier = generators.codeVerifier();
+    const codeChallenge = generators.codeChallenge(codeVerifier);
+    return { state, nonce, codeVerifier, codeChallenge };
+};

package/validator.d.ts

@@ -0,0 +1,4 @@
+import { PurposeValidation } from './types';
+export declare const illegalPurposeChars: string[];
+export declare const validatePurpose: (purpose: string) => PurposeValidation;
+export declare const isValidCertificate: (certificateFilePath?: string, certificateContent?: string) => boolean;

package/validator.js

@@ -0,0 +1,12 @@
+export const illegalPurposeChars = ['<', '>', '(', ')', '{', '}', "'", '\\'];
+export const validatePurpose = (purpose) => {
+    if (purpose.length < 3 || purpose.length > 300) {
+        return 'INVALID_LENGTH';
+    }
+    const containsIllegalChar = illegalPurposeChars.some((char) => purpose.includes(char));
+    if (containsIllegalChar) {
+        return 'INVALID_CHARACTERS';
+    }
+    return 'VALID';
+};
+export const isValidCertificate = (certificateFilePath, certificateContent) => !!(certificateFilePath || certificateContent);