@connectid-tools/rp-nodejs-sdk 4.0.4 → 4.0.5

package/README.md

@@ -0,0 +1,573 @@
+# Relying Party Node.JS SDK
+
+The rp-nodejs-sdk provides an SDK to allows Relying Parties easily integrate with the Digital Identity ecosystem.
+
+# Getting Started
+
+> A minimum of Node JS version 20.x is recommended. Download [here](https://nodejs.org/download/release/v20.9.0/).
+
+Install the package in your nodejs project using:
+
+```shell
+npm install @connectid-tools/rp-nodejs-sdk
+```
+
+Update your `package.json` to use `module`:
+```json
+{
+  .
+  .
+  .
+  "type": "module"
+}
+```
+
+You can then import and instantiate an instance of the rp-nodejs-sdk using:
+
+```javascript
+import { config } from './config.js';
+import RelyingPartyClientSdk from './relying-party-client-sdk';
+
+const rpClient = new RelyingPartyClientSdk(config);
+```
+
+The above code assumes that you have a config file called `config.js` in your project folder that contains
+the configuration required for the sdk, eg: the location of the certificate files, the client details,
+the callback urls, etc. The configuration attributes are described below.
+
+## Using Typescript
+To use Node SDK with Typescript you need to make the following changes in your `tsconfig.json`:
+* Set `"target: "es2016"` or higher 
+* Have `"module": "ES2015"` or higher
+* Have `"moduleResolution": "Bundler"`
+
+Sample tsconfig:
+```json
+{
+  "compilerOptions": {
+    "target": "es2016",
+    "module": "ES2015",
+    "moduleResolution": "Bundler",
+    "strictNullChecks": true,
+    "outDir": "dist/",
+  },
+  "include": ["**/*.ts"]
+}
+```
+### Setting up SDK config options
+`RelyingPartyClientSdkConfig` has some fixed values, specially inside `client` object, to be able to set the config options for the SDK some type gymnastics will be needed as shown below (see `as const`):
+```typescript
+// index.ts
+import RelyingPartyClientSdk from '@connectid-tools/rp-nodejs-sdk'
+import { config } from './config'
+
+const relyingPartyClientSdk = new RelyingPartyClientSdk(config)
+```
+
+```typescript
+// config.ts
+export const config = {
+  data: {
+  .
+  .
+  .
+  log_level: 'info' as const,
+  .
+  .
+  .
+  client: {
+      .
+      .
+      .
+      application_type: 'web' as const,
+      grant_types: ['client_credentials', 'authorization_code', 'implicit'] as  ['client_credentials', 'authorization_code', 'implicit'],
+      id_token_signed_response_alg: 'PS256' as const,
+      post_logout_redirect_uris: [] as [],
+      require_auth_time: false as const,
+      response_types: ['code id_token', 'code'] as ['code id_token', 'code'],
+      subject_type: 'public' as const,
+      token_endpoint_auth_method: 'private_key_jwt' as const,
+      token_endpoint_auth_signing_alg: 'PS256' as const,
+      introspection_endpoint_auth_method: 'private_key_jwt' as const,
+      revocation_endpoint_auth_method: 'private_key_jwt' as const,
+      request_object_signing_alg: 'PS256' as const,
+      require_signed_request_object: true as const,
+      require_pushed_authorization_requests: true as const,
+      authorization_signed_response_alg: 'PS256' as const,
+      tls_client_certificate_bound_access_tokens: true as const,
+      backchannel_user_code_parameter: false as const,
+      scope: 'openid' as const,
+      software_roles: ['RP-CORE'] as ['RP-CORE'],
+    },
+```
+
+# rp-nodejs-sdk Configuration
+
+The following properties can be configured for the sdk. Users of the sdk will need to generate their
+own transport and signing certificates to use with the sdk as per the
+[Relying Party User Guide](https://docs.sandbox.connectid.com.au/docs/relying-parties/).
+
+The configuration must be passed into the `RelyingPartyClient` when it is created. A reference file with the required
+the configuration properties is available from: <https://github.com/connectid-tools/rp-nodejs-sdk/blob/main/src/config.ts>.
+The simplest way to pass in the configuration is shown below (assumes the `config.js` file is in the project directory):
+
+```javascript
+const config = require('./config');
+const RelyingPartyClientSdk = require('@connectid-tools/rp-nodejs-sdk');
+const rpClient = new RelyingPartyClientSdk(config);
+```
+
+| Property                              | Description                                                                                                                                                                                                                                                                                                                                          | Example value                                                                                                                                      |
+|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
+| `ca_pem`                              | The collection of trusted root certificates that can be used for certification validation. May be an absolute or relative path.                                                                                                                                                                                                                      | `'./conf/ca.pem'  `                                                                                                                                |
+| `ca_pem_content`                      | The collection of trusted root certificates content (string) that can be used for certification validation. Overrides `ca_pem`.                                                                                                                                                                                                                      | `'-----BEGIN CERTIFICATE----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`                                                |
+| `signing_kid`                         | The id for the signing key in the JWKS. This can be found in the registry via Software Statements -> Client Details -> Certificates                                                                                                                                                                                                                  | `'Xf1Pf-GXyhryOY5wwg0ddL5yzUicIcQrOIxja0yHhpg'`                                                                                                    |
+| `signing_key`                         | The path to the signing key used when signing requests. May be an absolute or relative path. `signing_key` or `signing_key_content` must be used to provide the signing key.                                                                                                                                                                         | `'./conf/signing.key'`                                                                                                                             |
+| `signing_key_content`                 | The signing key content (string) used when signing requests. If supplied, will override the key data supplied via `signing_key`.                                                                                                                                                                                                                     | `'-----BEGIN PRIVATE KEY----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`                                                |
+| `registry_participants_uri`           | The URI for the registry endpoint that provides the participant list                                                                                                                                                                                                                                                                                 | `https://data.directory.sandbox.connectid.com.au/participants`                                                                                     |
+| `signing_pem`                         | The path to the signing certificate used when signing requests. May be an absolute or relative path.                                                                                                                                                                                                                                                 | `'./conf/signing.pem'`                                                                                                                             |
+| `transport_key`                       | The path to the transport key used for mutual TLS. May be an absolute or relative path. `transport_key` or `transport_key_content` must be used to provide the transport key.                                                                                                                                                                        | `'./conf/transport.key'`                                                                                                                           |
+| `transport_key_content`               | The transport key content (string) used for mutual TLS. If supplied, will override the key data supplied via `transport_key`.                                                                                                                                                                                                                        | `'-----BEGIN PRIVATE KEY----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`                                                |
+| `transport_pem`                       | The path to the transport certificate used for mutual TLS. May be an absolute or relative path. `tranport_pem` or `transport_pem_content` must be used to provide the transport certificate                                                                                                                                                          | `'./conf/transport.pem'`                                                                                                                           |
+| `transport_pem_content`               | The transport certificate content (string) used for mutual TLS. If supplied, will override the certificate supplied via `transport_pem`.                                                                                                                                                                                                             | `'-----BEGIN CERTIFICATE----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`                                                |
+| `application_redirect_uri`            | The specific redirect url used for all requests from this rp-nodejs-sdk instance. Must be one of the redirect_urls specified in the registry for the client                                                                                                                                                                                          | `'https://tpp.localhost/cb'`                                                                                                                       |
+| `client.client_id`                    | Identifies the client. This value is available from the Registry via Software Statements -> Client Details -> Client ID                                                                                                                                                                                                                              | `'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a'`                                        |
+| `client.organisation_id`              | Identifies the organisation. This value is available from the Registry via Organisation Details                                                                                                                                                                                                                                                      | `'ab837240-9618-4953-966e-90fd1fa63999'`                                                                                                           |
+| `client.jwks_uri`                     | The location of the JWKS for this client. Will be in the format: `'https://keystore.directory.sandbox.connectid.com.au/<organisation_id>/<client_id>/application.jwks'`                                                                                                                                                                              | `'https://keystore.directory.sandbox.connectid.com.au/ab837240-9618-4953-966e-90fd1fa63999/090d41c6-fc27-4b1e-91e9-0fecfc240601/application.jwks'` |
+| `client.redirect_uris`                | The list of redirect_uris supported by the client. Must only contain URIs specified in the registry.                                                                                                                                                                                                                                                 | `['https://demo.relyingpart.net/cb', 'https://tpp.localhost/cb',]`                                                                                 |
+| `log_level`                           | The log level to use for console logs, eg: 'info', 'debug'. Enabling 'debug' will cause all requests and responses to remote servers to be logged. 'debug' must not be used in Production as it will log Personal Information.                                                                                                                       | `'info'`                                                                                                                                           |
+| `cache_ttl`                           | TTL for the participants list caching. Optional setting. Defaults to 600 seconds if not configured.                                                                                                                                                                                                                                                  | `600`                                                                                                                                              |
+| `enable_auto_compliance_verification` | When running the OIDC FAPI compliance suite, it requires a call to userInfo after successfully decoding the response claims. If this is set to true, the SDK will automatically make the required call.                                                                                                                                              | `false`                                                                                                                                            |
+| `purpose`                             | The default purpose to be displayed to the consumer on the IDP consent screen to indicate why their data is being requested to be shared                                                                                                                                                                                                             | `'verifying your identity'`                                                                                                                        |
+| `include_uncertified_participants`    | By default the SDK will filter out all authorisation servers that are not fully certified. If you wish to test one of the uncertified auth servers you will need to set this to `true`. If not provided, defaults to 'false'                                                                                                                         | `false`                                                                                                                                            |
+| `required_claims`                     | The list of claims that the RP will be using and requires IDPs to support. If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs supporting the claims are returned. If this value is not supplied, no filtering by claim support will be performed.                                           | `['name', 'address']`                                                                                                                              |
+| `required_participant_certifications` | The list of required certifications a server must support for the IDP use case (eg: TDIF Certification). If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs with the certification are returned. If this value is not supplied, no filtering for specific certifications will be performed. | `[{ profileType: 'TDIF Accreditation', profileVariant: 'Identity Provider'}]`                                                                      |
+
+# Process Overview Sequence Diagram
+
+The expected interactions between the Relying Party and RP Connector as part of a standard flow are shown in the diagram below.
+
+The key steps are:
+
+* Retrieve the list of Participants so the user can be prompted to choose their bank
+* Send a pushed authorisation request to the selected bank with the requested claims and redirect the user to their bank
+* Use the callback querystring to retrieve the access token and identity token with the claims the user has consented to share
+
+```mermaid
+sequenceDiagram
+    Customer->>+Relying Party: Use Digital ID
+    Relying Party->>+rp-nodejs-sdk: getParticipants()
+    rp-nodejs-sdk-->>-Relying Party: Participant metadata
+    Relying Party-->>-Customer: Display Bank Selector 
+    Customer->>+Relying Party: Select Bank
+    Relying Party->>+rp-nodejs-sdk: sendPushedAuthorisationRequest()
+    rp-nodejs-sdk-->>-Relying Party: authUrl, codeVerifier, state, nonce
+    Note right of Relying Party: The RP must associate the codeVerifier,<br/>state and nonce with the user<br/>to use when retrieving claims
+    Relying Party-->>-Customer: redirect to Bank using authUrl         
+    Customer->>+Bank: redirect to AuthUrl
+    Bank->>Bank: Authenticate & Capture Consent
+    Bank-->>-Customer: Redirect customer to RP callback URI
+    Customer->>+Relying Party: redirect to callback URL
+    Relying Party->>+rp-nodejs-sdk: retrievetokens()
+    rp-nodejs-sdk-->>-Relying Party: access and identity tokens
+    Relying Party-->>-Customer: Display outcome
+```
+
+# API Operations
+
+## getParticipants()
+
+This allows the list of Identity Providers within the scheme to be retrieved, so that the Relying Party can display them
+to the user and allow the user to choose which Identity Provider they will use to prove their identity.
+
+Note that by default the SDK is configured to only return Identity Providers that are fully certified. If you wish to test
+one of the uncertified Identity Providers you will need to set the `include_uncertified_participants` configuration option to `true`.
+(This should only be done in a test environment, and should never be done in production.)
+
+You may also set the `required_claims` and `required_participant_certifications` configuration options to filter the list of IDPs returned
+based on the needs of your use case (eg: if you require IDPs to be TDIF certified).
+
+```javascript
+const idps = await rpClient.getParticipants();
+```
+
+The response will contain an array of Organisations and their Authorisation Server, with an object structure similar to below.
+
+They key fields of interest are:
+
+* `CustomerFriendlyName` - this is the name of the Bank to display to the customer
+* `CustomerFriendlyLogoUri` - this is a logo for the Bank that can be displayed alongside the bank name
+* `AuthorisationServerId` - this uniquely identifies the authorisation server. It will be needed as part of the next call
+in the flow to identify the Authorisation Server to send the PAR to.
+
+Note that in the response there may be:
+
+* multiple organisations - each Bank will be its own organisation
+* multiple authorisation servers per bank - a Bank may have different authorisation servers for its different brands (or potentially
+to differentiate Business Banking from Retail Banking)
+
+```json
+    [
+      {
+        "Status": "Active",
+        "OrgDomainRoleClaims": [],
+        "AuthorisationServers": [
+          {
+            "PayloadSigningCertLocationUri": "https://auth.bank4.directory.sandbox.connectid.com.au/na",
+            "ParentAuthorisationServerId": null,
+            "OpenIDDiscoveryDocument": "https://auth.bank4.directory.sandbox.connectid.com.au/.well-known/openid-configuration",
+            "CustomerFriendlyName": "Bank W",
+            "CustomerFriendlyDescription": "Bank4",
+            "TermsOfServiceUri": null,
+            "ApiResources": [],
+            "AutoRegistrationSupported": true,
+            "CustomerFriendlyLogoUri": "https://static.relyingparty.net/BankW.svg",
+            "SupportsDCR": false,
+            "AuthorisationServerCertifications": [],
+            "SupportsCiba": false,
+            "DeveloperPortalUri": null,
+            "NotificationWebhookAddedDate": null,
+            "AuthorisationServerId": "cde44c30-9138-4b58-ba50-221833d14319"
+          },
+          {
+            "PayloadSigningCertLocationUri": "https://auth.bank3.directory.sandbox.connectid.com.au/na",
+            "ParentAuthorisationServerId": null,
+            "OpenIDDiscoveryDocument": "https://auth.bank3.directory.sandbox.connectid.com.au/.well-known/openid-configuration",
+            "CustomerFriendlyName": "Bank N",
+            "CustomerFriendlyDescription": "Bank3",
+            "TermsOfServiceUri": null,
+            "ApiResources": [],
+            "AutoRegistrationSupported": true,
+            "CustomerFriendlyLogoUri": "https://static.relyingparty.net/BankN.svg",
+            "SupportsDCR": false,
+            "AuthorisationServerCertifications": [],
+            "SupportsCiba": false,
+            "DeveloperPortalUri": null,
+            "NotificationWebhookAddedDate": null,
+            "AuthorisationServerId": "22c2d67e-4d95-414a-b51a-ca863e9d691d"
+          }
+        ],
+        "OrgDomainClaims": [],
+        "Size": null,
+        "RegistrationId": null,
+        "OrganisationId": "ed63c5b4-4dcb-4867-bd8b-e2b04a0ab04b",
+        "City": "Banksville",
+        "Postcode": "4103",
+        "AddressLine2": "Bank Town",
+        "RegisteredName": "RefBank",
+        "AddressLine1": "1 Reference Bank Street",
+        "LegalEntityName": "Reference Bank",
+        "OrganisationName": "Reference Banks",
+        "Country": "AU",
+        "RegistrationNumber": "ABN 123 456 7890",
+        "CreatedOn": "2021-12-14T23:09:03.581Z",
+        "Tag": null,
+        "ParentOrganisationReference": "",
+        "CompanyRegister": "ABN",
+        "CountryOfRegistration": "AU"
+      },
+      {
+        "Status": "Active",
+        "OrgDomainRoleClaims": [],
+        "AuthorisationServers": [
+          {
+            "PayloadSigningCertLocationUri": "https://mtls.partner.idp.test.commbank.com.au/pf/JWKS",
+            "ParentAuthorisationServerId": null,
+            "OpenIDDiscoveryDocument": "https://mtls.partner.idp.test.commbank.com.au/.well-known/openid-configuration",
+            "CustomerFriendlyName": "Commonwealth Bank",
+            "CustomerFriendlyDescription": "Test IDP for CBA",
+            "TermsOfServiceUri": null,
+            "ApiResources": [],
+            "AutoRegistrationSupported": true,
+            "CustomerFriendlyLogoUri": "https://www.commbank.com.au/test.svg",
+            "SupportsDCR": false,
+            "AuthorisationServerCertifications": [],
+            "SupportsCiba": false,
+            "DeveloperPortalUri": null,
+            "NotificationWebhookAddedDate": null,
+            "AuthorisationServerId": "355df9aa-bf8f-4cec-aa4d-78b10356762e"
+          }
+        ],
+        "OrgDomainClaims": [],
+        "Size": null,
+        "RegistrationId": "",
+        "OrganisationId": "adf2af89-2782-4058-86d9-ff3a9068e4a5",
+        "City": "Sydney",
+        "Postcode": "2000",
+        "AddressLine2": "201 Sussex Street",
+        "RegisteredName": "Commonwealth Bank of Australia",
+        "AddressLine1": "Ground Floor Tower 1",
+        "LegalEntityName": "Commonwealth Bank of Australia",
+        "OrganisationName": "Commonwealth Bank of Australia",
+        "Country": "AU",
+        "RegistrationNumber": "ABN 48 123 123 124",
+        "CreatedOn": "2022-03-14T00:42:29.202Z",
+        "Tag": null,
+        "ParentOrganisationReference": "",
+        "CompanyRegister": "ABN",
+        "CountryOfRegistration": "AU"
+      }
+    ]
+```
+
+## getFallbackProviderParticipants()
+
+This allows the list of Fallback Identity Providers (ie: manual document based verification) within the scheme to be retrieved, so that the Relying Party can use them as a fallback option if the user does not have a relationship
+with one of the identity providers. Note that there is only expected to be a single Fallback Provider authorisation
+server for the Scheme.
+
+It is expected that clients will only use this method if they are building their own IDP selector and need to
+identify the scheme Fallback Identity Provider.
+
+Note that there is only expected to be a single Fallback Provider for the scheme (so only one participant with one
+auth server should be returned here).
+
+```javascript
+const fallbackProviders = await rpClient.getFallbackProviderParticipants();
+```
+
+The response will contain an array of Organisations and their Authorisation Servers, with the structure the same
+as that for `getParticipants()`.
+
+
+## sendPushedAuthorisationRequest(authServerId: string, essentialClaims: string[], voluntaryClaims: string[] = [], purpose: string = '{default value from config}')
+
+This sends a Pushed Authorisation Request to the specified Identity Server requesting the list of supplied claims. The response
+will include the `authUrl` which is the URL that the user needs to be redirected to so they can complete the authorisation
+process.
+
+The required function parameters are:
+
+* `authorisationServerId` - identifies the authorisation server to send the PAR to
+* `essentialClaims` - a list of the identity essential claim names that being requested for the user. 
+Note that permitted claim names are defined in section 6 of the [Digital ID API Security Profile](https://docs.sandbox.connectid.com.au/docs/network-documentation/technical-specifications/) specification. 
+When the IDP is obtaining user consent, the only method for a user to opt out of consenting to an `essential` claim is to cancel the entire transaction.
+* `voluntaryClaims` - a list of the identity voluntary claim names that are being requested for the user. 
+Note that permitted claim names are defined in section 6 of the [Digital ID API Security Profile](https://docs.sandbox.connectid.com.au/docs/network-documentation/technical-specifications/) specification. 
+When the IDP is obtaining user consent, they may allow the user to opt out of consenting to providing each of the `voluntary` claims, while still consenting to all `essential` claims. 
+If a user does not consent to `voluntary` claims, but does consent to `essential` claims, this will result in a successful transaction.
+* `purpose` - the purpose to be displayed to the consumer on the IDP consent screen to indicate why their data is being requested to be shared. If not supplied, the default purpose configured in the SDK config will be used.
+
+The method will return: `{ authUrl, code_verifier, state, nonce, xFapiInteractionId }`. The fields are:
+
+* `authUrl` - the URL the user must be redirected to in order to complete the authorisation process with their Identity Provider
+* `codeVerifier`
+* `state`
+* `nonce`
+* `xFapiInteractionId` - a unique identifier for this interaction with the Authorisation Server, that was sent in the `x-fapi-interaction-id` request
+header to the server. Intended as a correlation id for diagnosing issues between the client and the authorisation server.
+
+The `codeVerifier`, `state` and `nonce` are all associated with this specific PAR and are required when retrieving the
+token claims when the user has authorised the request. You must securely associate these with your user request
+so that you can use them on the subsequent call.
+
+## retrieveTokens(authorisationServerId: string, requestParams: CallbackParamsType, codeVerifier: string, state: string, nonce: string)
+
+```typescript
+interface CallbackParamsType {
+  access_token?: string;
+  code?: string;
+  error?: string;
+  error_description?: string;
+  error_uri?: string;
+  expires_in?: string;
+  id_token?: string;
+  state?: string;
+  token_type?: string;
+  session_state?: string;
+  response?: string;
+
+  [key: string]: unknown;
+}
+```
+
+This retrieves the access and identity token containing the claims that the user has consented to share with the
+Relying Party. It uses the authorisation code provided in the callback from the IDP and exchanges this for the access and
+identity token with the claims. The tokens are then returned to the API caller.
+
+The required function parameters are:
+
+* `authorisationServerId` - identifies the authorisation server providing the user information
+* `requestParams` - the full querystring from the callback to the Relying Party callback address
+* `codeVerifier` - from the response to the PAR for this identity request
+* `state` - from the response to the PAR for this identity request
+* `nonce` - from the response to the PAR for this identity request
+
+The method will return a `ConsolidatedTokenSet` which extends [Tokenset](https://github.com/panva/node-openid-client/blob/main/docs/README.md#class-tokenset)
+that contains the access_token and id_token. The user identity claims can be retrieved using the utility method `claims()`
+on the TokenSet. The `ConsolidatedTokenSet` provides a new method `consolidatedClaims()`, which will return a single
+object containing all the claims, including the extended claims, as a single object. The tokenset also contains an `xFapiInteractionId` which
+is a correlation id for the request that was sent to the IDP.
+
+## getUserInfo(authorisationServerId: string, accessToken: string)
+
+This will call the userinfo endpoint using the supplied access token and return the parsed user information response.
+
+Note that in the initial steel thread implementation, there is no requirement for the IDPs to support this endpoint.
+All user identity claims will be provided as part of the `id_token` returned by `retrieveTokens`.
+
+The required function parameters are:
+
+* `authorisationServerId` - identifies the authorisation server providing the user information
+* `accessToken` - the access token provided by `retrieveTokens`
+
+# Release Notes
+
+### 4.0.5 (Feb 24, 2024)
+- Add README.md and license files to bundle.
+
+### 4.0.4 (Feb 21, 2024)
+- Remove `declarationMap`.
+
+### 4.0.3 (Nov 29, 2024)
+- Issuer value for aud in private_key_jwt.
+
+### 4.0.2 (Oct 22, 2024)
+- Single string audience in the private key jwt.
+
+### 4.0.1 (Oct 1, 2024)
+- Changed type of `ApiResources` from `str` to `ApiResource`.
+
+### 4.0.0 (Sep 2, 2024)
+- Breaking change: removed essential claims default value. If you are relying on essential claims default value calling `sendPushedAuthorisationRequest` then you need to provide the claims explicitly. Otherwise, no need to change anything.
+
+How it was:
+```typescript
+const defaultClaimList: string[] = ['given_name', 'middle_name', 'family_name', 'phone_number', 'email', 'address', 'birthdate', 'txn']
+
+async sendPushedAuthorisationRequest(authServerId: string, essentialClaims: string[] = defaultClaimList, voluntaryClaims: string[] = [], purpose: string = this.purpose) {
+```
+
+How it is now:
+```typescript
+async sendPushedAuthorisationRequest(authServerId: string, essentialClaims: string[], voluntaryClaims: string[] = [], purpose: string = this.purpose) {
+```
+
+### 4.0.0 (Sep 23, 2024)
+- Updated Node version to 20.x.
+- Removed jest and axios dependencies. 
+
+### 3.0.0 (Aug 27, 2024)
+- Breaking change: removed `name` from essential claims default value. If you are relying on essential claims default value calling `sendPushedAuthorisationRequest` and use `name` claim then you need to provide `name` claim explicitly. Otherwise, no need to change anything.
+
+### 2.15.0 (Jun 20, 2024)
+- Updated purpose statement.
+- Dependencies updated.
+
+### 2.14.1 (Jun 17, 2024)
+- Removed `got` dependency and used `fetch` instead.
+
+### 2.14.0 (Jun 12, 2024)
+- Added cache to `getParticipants()` method. 
+
+### 2.13.0 (April 17, 2024)
+- Updated dependencies
+
+### 2.12.3 (Nov 8, 2023)
+- `nonce` should have 43 chars.
+
+### 2.12.2 (Nov 8, 2023)
+- Updated README.md to include `tsconfig` suggestion.
+
+### 2.12.1 (Nov 7, 2023)
+- Made `ca_pem` optional. Although either `ca_pem` or `ca_pem_content` must be provided.
+- Made `signing_key` optional. Although either `signing_key` or `signing_key_content` must be provided.
+- Made `signing_pem` optional. Although either `signing_pem` or `signing_pem_content` must be provided.
+- Made `transport_key` optional. Although either `transport_key` or `transport_key_content` must be provided.
+- Made `transport_pem` optional. Although either `transport_pem` or `transport_pem_content` must be provided.
+
+### 2.12.0 (October 19, 2023)
+- Added support to Node 18.
+
+### 2.11.2 (August 22, 2023)
+- Conformance test succeed on warnings.
+
+### 2.11.1 (August 3, 2023)
+- Added automated Conformance test.
+
+### 2.11.0 (August 1, 2023)
+- Updated trust_framework in the PAR to contain an object `{ value: 'au_connectid' }` instead of having a string value. This
+is to bring it inline with OIDC4A spec that requires trust_framework to contain an object.
+
+### 2.10.0 (July 31, 2023)
+- Updated documentation to include `registry_participants_uri` parameter.
+- Updated two testcases.
+
+### 2.9.0 (July 17, 2023)
+- Updated `getParticipants()` so it only returns participants that are active in the network by default. Can be
+overridden using config to return all if required. Also allow filtering of Auth Servers by capabilities.
+- Added `getFallbackProviderParticipants()` to return the manual verification authorisation server.
+- Note that `sendPushedAuthorisationRequest()` will require the auth server id to be valid for the current filter config (eg: Active auth servers).
+
+### 2.8.0 (June 7, 2023)
+- Ensured that the `txn` claim is always requested so clients always have a reference for the transaction.
+
+### 2.7.2 (June 6, 2023)
+- Removed `redirect_url` and `response_type` authorization request parameters from the request to the authorization endpoint to comply with FAPI2 Security Profile Implementers Draft 3.
+
+### 2.7.1 (June 5, 2023)
+- Removed `scope` authorization request parameter from the request to the authorization endpoint to comply with FAPI2 Security Profile Implementers Draft 3.
+
+### 2.7.0 (May 31, 2023)
+- Enhanced logging so x-fapi-interaction-id logged for PAR and token requests.
+
+### 2.6.1 (May 29, 2023)
+- Fixed invalid main file definition.
+
+### 2.6.0 (May 29, 2023)
+- Added support for `purpose` as request object parameter on PAR requests. Can be supplied per request or use the default supplied via config.
+
+### 2.5.0 (May 24, 2023)
+- Added support for `x-fapi-interaction-id` headers on PAR, token and userinfo requests.
+
+### 2.4.1 (May 5, 2023)
+- Updated clientId details for testing and documentation to use a federated clientId.
+
+### 2.4.0 (March 28, 2023)
+- Reimplemented extended claims, which now supports the following claims: `over16`, `over18`, `over21`, `over25`, `over65`, `beneficiary_account_au`, `beneficiary_account_au_payid`, `beneficiary_account_international`.
+- Implemented strict mode for TypeScript to prevent the use of `any` type and other unsafe types.
+- Fix for `ClaimsRequest` type to support non-verified claims in the type definition.
+
+### 2.3.0 (March 10, 2023)
+- Added support for the following extended claims: `over16`, `over18`, `over21`, `over25`, `over65`, `beneficiary_account`, `pay_id`.
+
+### 2.2.0 (Feb 20, 2023)
+- Maintenance update of dependencies to address CVE-2022-36083 in JOSE library.
+
+### 2.1.0 (Feb 13, 2023)
+- Moved `prompt=consent` parameter to pushed authorisation request object instead of a URL parameter.
+
+### 2.0.7 (Dec 22, 2022)
+- Run on Node 14 and 16 (openid-client lib does not support Node 18 yet).
+  
+### 2.0.6 (Dec 21, 2022)
+- Removed the need to use `--experimental-specifier-resolution=node` flag when importing the SDK.
+- Log SDK version.
+  
+### 2.0.5 (Dec 20, 2022)
+- Updated documentation.
+
+### 2.0.4 (Dec 20, 2022)
+- Fixed `RelyingPartyClientSdk is not a constructor`.
+
+### 2.0.3 (Dec 20, 2022)
+- Made `ca_pem_content, signing_key_content, signing_pem_content, transport_key_content, transport_pem_content` from `RelyingPartyClientSdkConfig` optional.
+
+### 2.0.2 (Dec 20, 2022)
+- Removed version logging when SDK is created.
+
+### 2.0.1 (Dec 20, 2022)
+- Fixed npm publish.
+
+### 2.0.0 (Dec 19, 2022)
+- Typescript support. 
+- Breaking change: SDK imported using `require` will need to add a `default` at the end of the import.
+```javascript
+const RelyingPartyClientSdk = require('@idmvp/rp-nodejs-sdk').default
+```
+  
+### 1.2.3 (Oct 24, 2022)
+- Code formatting. See `.prettierrc.json`.
+
+### 1.2.2
+\<starting point\>

package/license

@@ -0,0 +1,201 @@
+
+ConnectID(R) SDK Licence Terms 
+Confidential 
+
+Version 
+1.0 
+Date 
+29 November 2022 
+(R)ConnectID is a registered trademark of eftpos Payments Australia Pty Ltd ABN 37 136 180 366 
+(C)2022 eftpos Digital Identity Pty Ltd  
+
+
+1 Introduction 
+(a) eftpos Digital Identity Pty Ltd (trading as ConnectID) (ABN 80 648 970 101) (Network Operator, we, us or our) of Level 1, 255 George Street, Sydney NSW 2000 has made available a software development kit (SDK) which can be used by Participants for the sole purpose of developing applications that integrate with our Digital ID Solution. For clarity, whilst the SDK is designed to assist Participants, Participants are not required to use SDK.
+(b) If you download or choose to use the SDK, these terms describe the basis on which we will licence the SDK to you, so please read these terms carefully.
+(c) By downloading or using the SDK, you agree to be bound by these terms and warrant and represent that you are a Participant. You must not use the SDK, if you do not agree to these terms.
+(d) If you are agreeing to these terms or using the SDK on behalf of a business:
+(i) you confirm that you have authority to agree to these terms on behalf of that business (if you do not have such authority, you must not use the SDK); and
+(ii) while all of these terms apply to that business (and "you" and "your" means that business), clauses 3, 6.1(a), 7 and 10 to 12 also apply to you in your personal capacity (and "you" and "your" in those clauses also means you personally).
+(e) If you are not using the SDK for a business, "you" and "your" means you personally.
+(f) Further requirements applicable to the SDK may be set out in the SDK Documentation for the SDK, which you must comply with. You must also comply with any other agreement that governs your use of, or participation in, the Digital ID Solution.
+(g) Capitalised terms are defined in clause 12.
+
+2 Licence 
+(a) We grant you a non-transferable, non-sublicensable (subject to paragraph (c)) and nonexclusive licence to:
+(i) install, use, copy, reproduce, adapt and modify the SDK; (ii) subject to paragraph (c):
+      (A) integrate Redistributables as part of an Application;
+      (B) copy and distribute Redistributables, solely as integrated in an Application, to third parties; and (iii)	use the SDK Documentation,
+for the purpose set out in section 1(a), provided you are, at all relevant times, a 
+Participant. The licence and the SDK is not for redistribution except the Redistributable as expressly contemplated by paragraph (ii) above and paragraph (c) below.  
+(b) You must not use this SDK to develop another SDK or any applications for a framework, solution, platform, system or service other than our Digital ID Solution, including any other
+digital identity solution or system, or other data sharing platform or system. For clarity, you must not use an Application that includes any Redistributables for such purpose either. 
+(c) You are authorised to distribute the Redistributables, in object code format (except for node.js which may be distributed in source code) as embedded in an Application on a royalty free basis during the term of your licence to the SDK only to the extent that:
+(i) such Redistributables are necessary or desirable for the Application to operate and interface with the Digital ID Solution; and
+(ii) the inclusion of the Redistributables in the Application is either the direct result of the compilation executed by the SDK, when applicable, or is as instructed or recommended by us in the SDK Documentation.
+(d) You shall in no event transfer or purport to transfer to any third party the ownership of any Redistributables.
+
+3 Restrictions 
+(a) You must only use the SDK as described in these terms and SDK Documentation, and you must not:
+(i) use Our IPR in any manner that is not expressly permitted under these terms;
+(ii) use Our IPR for any purpose that is unlawful or that would give rise to any civil or criminal liability for yourself, use or any third party;
+(iii) use Our IPR in any manner that adversely impacts or limits:
+(A) the stability or integrity of our systems or the Digital ID Solution;
+(B) the ability of others to use the SDK or integrate with or use the Digital ID Solution; or
+(C) our interests or reputation, or the reputation of any participant in the Digital ID Solution;
+(iv) reverse engineer or de-compile the SDK, other to the extent provided for as part of the SDK;
+(v) rent, lease, sell, assign, sub-licence, deliver or otherwise distribute the SDK or any accompanying SDK Documentation to any other person except as expressly permitted by these terms;
+(vi) transfer or re-export the SDK or any accompanying SDK Documentation in violation of any applicable export restriction;
+(vii) subject to clause 2, disclose to any third party or permit any third party to have access to, use, execute, alter, modify, customize or improve SDK, or any part thereof, or any alteration, modification, customization or improvement of the SDK;
+(viii) remove, alter or obscure any identification, copyright, trademark or other proprietary notices, labels or Marks (if any) from the SDK or the SDK Documentation;
+(ix) send or store infringing or unlawful material using the SDK;
+(x) attempt to gain unauthorised access to, or disrupt the integrity or performance of, the Digital ID Solution or any data processed or transferred using the SDK or the Digital ID Solution;
+(xi) propagate any virus, worms, Trojan horses, or other programming routine intended to damage any system or data;
+(xii) use Our IPR for high risk activities where the use or failure of Our IPR could lead to death, personal injury or environment damage;
+(xiii) use Our IPR, or permit them to be used, for purposes of evaluation, benchmarking or other comparative analysis of the Digital ID Solution without our prior written consent, or for the purposes of development of any application for such purpose; or
+(xiv) use Our IPR as part of, to integrate with, or to create, a product competitive with the products offered by us, including the Digital ID Solution.
+(b) You acknowledge and agree that where the SDK is provided or made available to you on the basis of another agreement with the Network Operator or any member of the AP+ Group, and that other agreement includes restrictions on use of the SDK, those restrictions will apply in addition to these terms, and to the extent of inconsistency, the most stringent restriction will prevail.
+
+4 Your Obligations 
+4.1 General 
+(a) You are solely responsible for:
+(i) determining how you will use the SDK and ensuring that the SDK is fit for your purposes;
+(ii) installing the SDK and implementing adequate backup procedures to protect against loss or error resulting from the use of the SDK; and
+(iii) developing and managing your systems and any Applications (including providing end-user customer support and warranties in respect of your Applications) and for modifying your systems and Applications if we make any changes to these terms, the Digital ID Solution or the SDK.
+(b) You must:
+(i) from time to time, provide us on our reasonable request, details regarding your activities relating to the SDK, including without limitation, what software you have created or intend to create using the SDK so that we can confirm compliance with these terms;
+(ii) implement appropriate security systems and protocols to ensure that Our IPR are protected at all times from misuse, damage, destruction or any form of unauthorised use, disclosure, copying, duplication or reproduction in whole or in part;
+(iii) comply with applicable laws. Without limiting this paragraph (iii), you must ensure that your Applications are in strict compliance with applicable laws and do not infringe any rights (including intellectual property rights) of any third party; and
+(iv) use the SDK in accordance with the SDK Documentation we provide to you and any other agreement under which the access to the SDK has been made available to you or which governs your use of the Digital ID Solution.
+(c) You must ensure that each of your personnel and any third party who accesses and uses the SDK or any part of it, including any Redistributables, via you complies with all applicable provisions in these terms. You are liable for the acts and omissions of such persons in connection with such access and use as fully as if they were your acts or omissions.
+4.2 Open source software 
+(a) The SDK may contain "open source" or "free software" components which are governed by their own licence terms. The licence terms and conditions for these components are set out in the licence files accompanying the components, as delivered with the SDK
+(Open Source Elements).  You must comply with the licence terms for such Open Source Elements and:
+(i) must not modify the SDK so as to embed or link (in whole or in part) the SDK into or with any Open Source Elements in such a way that the licence terms relating to such Open Source Elements oblige you or the Network Operator to license such SDK (in whole or in part) under the licence terms of those Open Source Elements, and
+(ii) these terms will in no event be deemed to be a permission to do the foregoing.
+(b) The installation of third party components, including as applicable Open Source Elements, may be required to be able to use the SDK (Third Party Elements). You are solely responsible for procuring and obtaining usage rights in respect of any such Third Party Elements. We exclude all liability in connection with Third Party Elements to the maximum extent permitted by law.
+
+5 Liability and warranties 
+(a) You warrant that you will use the SDK in accordance with these terms and the SDK Documentation.
+(b) You acknowledge and agree that the SDK is a standard package provided free of charge to assist with developing Applications and consequently you agree that:
+(i) the SDK has not been written to meet any specific requirements you may have;
+(ii) the SDK and requirements and process for integration to the Digital ID Solution may be updated from time to time by us, and this may require updates or upgrades to Applications;
+(iii) the SDK has not been tested in every possible combination and operating environment;
+(iv) the SDK is provided "as is" and "with all faults";
+(v) the SDK is not necessarily free from defects, errors, viruses or other harmful components; and 
+(vi) it is your responsibility to ensure that the SDK is satisfactory for its purpose and that your Applications are appropriately and securely integrated with the Digital ID Solution, and 
+accordingly, we exclude all liability to you to the extent permitted by law associated with your Applications and selection, use, results and performance of the SDK or any integration between your Application and the Digital ID Solution.  
+(c) Subject to paragraph (e), the SDK is provided without warranty and all express or implied guarantees, warranties, representations, statements, terms and conditions which are not expressly set out in these terms are excluded.  
+(d) In particular, and without limiting paragraph (c), we do not warrant that using the SDK will ensure compliance with the ConnectID Technical Specifications. 
+(e) Nothing in these terms excludes, restricts or modifies any guarantee, term, condition, warranty, or any right or remedy, implied or imposed by any law or legislation which cannot lawfully be excluded or limited, including the Australian Consumer Law which contains guarantees that protect the purchasers of goods and services in certain circumstances. 
+(f) If any guarantee, term, condition or warranty is implied or imposed in relation to these terms under the Australian Consumer Law or any other applicable legislation (a NonExcludable Provision) and we are able to limit your remedy for a breach of the NonExcludable Provision, then our liability for breach of the Non-Excludable Provision is limited to one or more of the following at our option: 
+(i) in the case of goods, the replacement of the goods or the supply of equivalent goods, the repair of the goods, the payment of the cost of replacing the goods or of acquiring equivalent goods, or the payment of the cost of having the goods repaired; or 
+(ii) in the case of services, the supplying of the services again, or the payment of the cost of having the services supplied again. 
+(g) Subject to paragraph (e), and our obligations under the Non-Excludable Provisions, and to the maximum extent permitted by law, our maximum aggregate liability for all claims arising under or relating to these terms or in relation to your use of Our IPR in each calendar year, whether in contract, tort (including negligence), in equity, under statute, under an indemnity, based on fundamental breach or breach of a fundamental term or on any other basis is limited to AUD $100. 
+(h) To the maximum extent permitted by law, we are not liable for  
+(i) any indirect or consequential loss, or loss of business, goodwill, reputation or for business interruption; or 
+(ii) 	any loss, damage, or injury wholly or in part resulting from any cause beyond our control including but not limited to any failure by you to follow any operating instructions in the SDK Documentation, your negligence, any environmental factor, or any damage necessitated or caused by your improper use, installation, repair or alteration of the SDK. 
+(i) A party's liability to the other is diminished to the extent that the acts or omissions (or those of a third party) contribute to or cause the loss or liability.
+(j) You must indemnify us against any claim, proceedings, loss, damage, fine, penalty, interest and expense arising out of or in connection with your breach of clauses 3(a)(iii) or 4.1(b)(iii).
+
+6 Intellectual Property Rights 
+6.1 Our IPR 
+(a) The:
+(i) SDK and SDK Documentation;
+(ii) any adaptions or improvements to the SDK or SDK Documentation (except for an
+Application to the extent it does not include the SDK or SDK Documentation); and
+(iii) all intellectual property rights associated with any of the materials referred to in paragraphs (i) or (ii),
+(Our IPR) are and will at all times remain the sole and exclusive property of us or our licensors. 
+(b) All intellectual property rights and other proprietary rights in any Applications or other materials created by you using the SDK (SDK Outputs) are and remain your property.
+(c) Notwithstanding paragraph (b), you grant to us and each member of the AP+ Group a perpetual, sub-licensable, royalty free, irrevocable licence to any patents held by you or any of your personnel that cover or include the operation of any Applications or other SDK Outputs to the extent necessary or desirable to enable us, any AP+ Group member, and other participants in the Digital ID Solution to continue to utilise, commercialise or develop the SDK and/or the Digital ID Solution, and to otherwise provide, participate in, and integrate with, the Digital ID Solution.
+6.2 System data 
+We may collect system, telemetry and analytical information and data concerning the use and performance of the SDK and Applications. AP+ Group may use, disclose and process this data and information for its business purposes, including development, enhancement and support of the SDK, the Digital ID Solution and other products and services. This does not permit us to disclose your Confidential Information to third parties other than our service providers for the purposes contemplated provided that the data does not relate back to or identify you or any third party. 
+6.3 Use of our Marks 
+(a) When you use Our IPR, you must attribute us as the source of those materials in accordance with the brand guidelines we provide you from time to time, including where required by using our Marks. We grant you a non-transferable, non-sublicensable and non-exclusive licence to use the Marks in accordance with these terms for such purpose.
+(b) You acknowledge that we own or license the Marks, and you acquire no right, title or interest in the Marks.
+(c) You must:
+(i) use the Marks in accordance with the SDK Documentation and any guidelines or directions which we may provide to you from time to time;
+(ii) not contest or in any way impair any of our rights to the Marks; and
+(iii) not adopt "ConnectID" or any other Mark as part of the name of your business or apply it to any goods or services that you offer for sale.
+(d) If we suspend or cancel your right to use the SDK and/or the SDK Documentation under these terms:
+(i) you will lose all rights conferred by these terms with respect to the use of the Marks; and
+(ii) you must immediately cease using the Marks or any marks identical to or deceptively similar to the Marks or the term "ConnectID", and destroy all materials bearing the Marks.
+
+7 Confidentiality 
+(a) Each party may only use the Confidential Information of the other party for the purposes of performing their obligations, and exercising their rights, under these terms, and subject to the following must keep such Confidential Information confidential.
+(b) Each party may disclose the Confidential Information of the other party:
+(i) to the extent required by law;
+(ii) in accordance with any licence and use rights granted under these terms, in which case the disclosing party must ensure that any such recipient keeps such information confidential on the same basis as required by this clause 7; or
+(iii) with the prior written consent of the other party.
+(c) In addition, the Network Operator may disclose your Confidential Information to members of the AP+ Group and its and their service providers and may use your Confidential Information in connection with the provision of the Digital ID Solution.
+(d) Upon termination or expiration of these terms, each party must use commercially reasonable efforts to return to the other party or destroy all Confidential Information of the other party in its possession or control that it does not have an ongoing right to use under these terms.
+(e) Nothing in paragraph (c) requires a party to return or destroy any Confidential Information of the other party to the extent that such Confidential Information:
+(i) needs to be retained for the purpose of actual or potential litigation or other recordkeeping purposes; or
+(ii) is on back-up, archival storage tapes or the like and it is not practical to do so.
+
+8 Privacy 
+(a) In connection with your use of the SDK, you may give us personal information or you may grant us authorisation to access personal information through third parties. We understand that your personal information is important, and we take your privacy very seriously. Our privacy policy contains further details about our privacy handling practices. For clarity, our provision of the SDK in accordance with these terms constitutes an "Other Service" for the purposes of our Privacy Policy.
+(b) You must only disclose personal information to us where you are permitted to do so by law.
+
+9 Suspension and termination 
+(a) You may cease using the SDK at any time.
+(b) We may by notice in writing immediately suspend or cancel your right to use the SDK and/or the SDK Documentation, either temporarily or permanently:
+(i) if you breach any of these terms and such breach is not capable of remedy or is not remedied within 7 days after we notify you of that breach; or
+(ii) if we suspend or discontinue the provision of the SDK as contemplated by section 10 below.
+(c) In addition, your right to use the SDK, Redistributables and the SDK Documentation is immediately cancelled (without the need for notice) on the day you cease to be a Participant.
+(d) If your right to use the SDK is suspended or cancelled:
+(i) you must immediately cease using Our IPR (including Redistributables in an Application) and, in the case of cancellation, these terms will be terminated, including the licence granted to you in clause 2; and
+(ii) you may continue to use and license Applications and SDK Outputs to the extent you own the intellectual property rights in the same, provided that any continued use or development, maintenance and/or enhancement of such Applications or SDK Output after the termination of this Agreement does not involve continued use of any of Our IP, including the SDK itself or any Redistributables.
+(e) Subject to the rest of this clause 9, termination does not affect any accrued rights of either party.
+
+10 Variations 
+(a) We may from time to time:
+(i) amend these terms, the SDK Documentation or any other requirements relating to the SDK, including to introduce, remove or otherwise amend any terms; or
+(ii) modify, suspend or discontinue, temporarily or permanently, the SDK, including to modify the manner of use of the SDK.
+(b) We will provide you with:
+(i) 90 days written notice of any suspension or discontinuance of the SDK or SDK Documentation under paragraph (a)(ii); and
+(ii) 30 days written notice of any other actions under paragraph (a), if we determine in our reasonable discretion that any such action will negatively impact you.
+(c) Your continued use of the SDK or SDK Documentation following any amendment or modification referred to in paragraph (a) will constitute your acceptance of the amendment or modification.
+
+11 General 
+(a) If there is any inconsistency between:
+(i) these terms; and
+(ii) any other documents incorporated into them by reference,
+priority will be given in the order set out above (with an item higher in the list having priority over a lower item). 
+(b) If any part of these terms is held to be unenforceable, the unenforceable part is to be given effect to the greatest extent possible and the remainder will remain in full force and effect.
+(c) You agree to provide us with feedback relating to the SDK upon request. We may freely use any such feedback (including suggestions or ideas), including in future modifications of the SDK and the Digital ID Solution and to develop and market new products and services.
+(d) Neither party will be liable for any failure or delay in performing any of its obligations under these terms if such delay is caused by circumstances beyond that party�s reasonable control.
+(e) These terms are governed by the laws of New South Wales, Australia, and each party submits to the non-exclusive jurisdiction of the courts that exercise jurisdiction in New South Wales, Australia.
+(f) These terms constitute the entire agreement between us and you in relation to your use of the SDK and supersede all other communications or displays whether electronic, oral, or written, between us and you in relation to such use.
+(g) Your use of the SDK is conducted electronically and you agree that we may communicate with you electronically for all aspects of such use, including when sending you written notices. We may send any written notice given under these terms to the primary contact email address you have registered with us, or if you have notified us of any changes to your primary contact email address, to that changed address.
+(h) The provisions of these terms which by their nature survive termination or expiry of these terms will survive termination or expiry of these terms, including clause 6.1 and 6.2.
+(i) No waiver, delay or failure by a party to take any action will constitute or be construed as a waiver of that or any other term, condition, option, privilege or right.
+(j) The word "including" when used in these terms is not a term of limitation.
+(k) A reference to these terms includes any schedules and documents incorporated by reference
+
+12 Definitions 
+Applications means a software application developed, maintained and/or enhanced by you using the SDK.  
+AP+ Group means Australian Payments Plus Limited (ABN: 19 649 744 203) and its related body corporates (as that term is defined in the Corporations Act 2001 (Cth)).  
+ConnectID Technical Specifications means any technical specifications developed or maintained by the Network Operator in connection with the Digital ID Solution. 
+Confidential Information means any information of whatever kind which a party discloses or reveals to the other party under or in relation to these terms that: 
+(a) is by its nature confidential;
+(b) is designate by the disclosing party as confidential; or (c)	the recipient knows or reasonably ought to know is confidential, including (where we are the disclosing party) Our IPR, but does not include information that: 
+(d) is published or has otherwise entered the public domain without a breach of these terms; or
+(e) is independently developed or obtained without a breach of these terms.
+Digital ID Solution means the digital ID solution developed and/or offered by the Network Operator. 
+Marks means the trade and service marks owned by the Network Operator or a member of the AP+ Group and licensed by us from time to time and identified in the Documentation as being licensed for your use. 
+Non-Excludable Provision has the meaning given to that term in clause 5(f) of these terms. 
+Open Source Elements has the meaning given in clause 4.2(a) of these terms. 
+Our IPR has the meaning given in clause 6.1(a) of these terms. 
+ 
+Participant means a:  
+ 
+(a) person with a current registration in the Digital ID Solution;  
+(b) person who warrants that they meet the eligibility criteria for participation in the Digital ID Solution and who has submitted their registration to participate in the Digital ID Solution and whose registration has not been rejected; or 
+(c) person with whom the Network Operator is undertaking a proof of concept in connection with the Digital ID Solution or with whom there are actively engaging in sales or accreditation conversations in respect of the Digital ID Solution. 
+Redistributables means the portion of the SDK which may be required to be incorporated in the Application for the Application to operate and interface with the Digital ID Solution. 
+ 
+SDK has the meaning given in clause 1(a) of these terms. 
+SDK Documentation means any user guides, specifications, policies, guidelines and other documentation provided to you in connection with the SDK. 
+SDK Outputs has the meaning given in clause 6.1(b). 
+Third Party Elements has the meaning given in clause 4.2(b). 

package/package.json

@@ -1,10 +1,11 @@
 {
   "name": "@connectid-tools/rp-nodejs-sdk",
-  "version": "4.0.4",
+  "version": "4.0.5",
   "description": "Digital Identity Relying Party Node SDK",
   "main": "relying-party-client-sdk.js",
   "types": "relying-party-client-sdk.d.ts",
   "type": "module",
+  "license": "SEE LICENSE IN license file",
   "scripts": {
     "format": "npx prettier --write src",
     "test": "node --import tsx --test src/tests/*.test.ts",
@@ -12,7 +13,7 @@
     "test:conformance": "node --import tsx --test src/conformance/conformance.test.ts",
     "prebuild": "rm -rf lib",
     "build": "tsc",
-    "postbuild": "cp package.json lib && cd lib && node ../node_modules/add-js-extension/dist/bin.js . --once && replace-in-files --string='${process.env.SDK_VERSION}' --replacement=$npm_package_version relying-party-client-sdk.js && cd .."
+    "postbuild": "cp package.json README.md license lib && cd lib && node ../node_modules/add-js-extension/dist/bin.js . --once && replace-in-files --string='${process.env.SDK_VERSION}' --replacement=$npm_package_version relying-party-client-sdk.js && cd .."
   },
   "repository": {
     "type": "git",
@@ -37,8 +38,8 @@
     "@types/node": "^20.17.19",
     "@types/openid-client": "^3.7.0",
     "add-js-extension": "^1.0.4",
-    "eslint": "^9.20.1",
-    "prettier": "^3.5.1",
+    "eslint": "^9.21.0",
+    "prettier": "^3.5.2",
     "replace-in-files-cli": "^2.2.0",
     "tsx": "^4.19.3",
     "typescript": "^5.7.3"

package/relying-party-client-sdk.js

@@ -42,7 +42,7 @@ export default class RelyingPartyClientSdk {
         this.signingKey = getCertificate(this.config.data.signing_key, this.config.data.signing_key_content);
         this.caPem = getCertificate(this.config.data.ca_pem, this.config.data.ca_pem_content);
         this.logger = getLogger(this.config.data.log_level);
-        this.logger.info(`Creating RelyingPartyClientSdk - version 4.0.4`);
+        this.logger.info(`Creating RelyingPartyClientSdk - version 4.0.5`);
         if (this.config.data.purpose) {
             const purposeValidation = validatePurpose(this.config.data.purpose);
             if (purposeValidation === 'INVALID_LENGTH') {
@@ -74,7 +74,7 @@ export default class RelyingPartyClientSdk {
         globalAgent.options.key = this.transportKey;
         globalAgent.options.ca = [this.caPem, ...rootCertificates];
         custom.setHttpOptionsDefaults({ timeout: 10000 });
-        // 4.0.4 is replaced with `postbuild` script in package.json (see replace-in-files)
+        // 4.0.5 is replaced with `postbuild` script in package.json (see replace-in-files)
         this.logger.info(`Using ${this.config.data.transport_key_content ? 'transport_key_content' : 'transport_key'} config prop`);
         this.logger.info(`Using ${this.config.data.transport_pem_content ? 'transport_pem_content' : 'transport_pem'} config prop`);
         this.logger.info(`Using ${this.config.data.ca_pem_content ? 'ca_pem_content' : 'ca_pem'} config prop`);