@connectid-tools/rp-nodejs-sdk 4.2.0 → 5.0.0

package/README.md

@@ -1,18 +1,19 @@
-# Relying Party Node.JS SDK
+# Relying Party Node.js SDK
 
 The rp-nodejs-sdk provides an SDK to allows Relying Parties easily integrate with the Digital Identity ecosystem.
 
 # Getting Started
 
-> A minimum of Node JS version 20.x is recommended. Download [here](https://nodejs.org/download/release/v20.9.0/).
+> A minimum of Node.js version 20.x is recommended. Download [here](https://nodejs.org/download/release/v20.9.0/).
 
-Install the package in your nodejs project using:
+Install the package in your Node.js project using:
 
 ```shell
 npm install @connectid-tools/rp-nodejs-sdk
 ```
 
 Update your `package.json` to use `module`:
+
 ```json
 {
   .
@@ -25,23 +26,26 @@ Update your `package.json` to use `module`:
 You can then import and instantiate an instance of the rp-nodejs-sdk using:
 
 ```javascript
-import { config } from './config.js';
-import RelyingPartyClientSdk from './relying-party-client-sdk';
+import { config } from './config.js'
+import RelyingPartyClientSdk from './relying-party-client-sdk'
 
-const rpClient = new RelyingPartyClientSdk(config);
+const rpClient = new RelyingPartyClientSdk(config)
 ```
 
 The above code assumes that you have a config file called `config.js` in your project folder that contains
 the configuration required for the sdk, eg: the location of the certificate files, the client details,
 the callback urls, etc. The configuration attributes are described below.
 
-## Using Typescript
-To use Node SDK with Typescript you need to make the following changes in your `tsconfig.json`:
-* Set `"target: "es2016"` or higher 
-* Have `"module": "ES2015"` or higher
-* Have `"moduleResolution": "Bundler"`
+## Using TypeScript
+
+To use the Node.js SDK with TypeScript you'll need to make the following changes in your `tsconfig.json`:
+
+- Set `"target: "es2016"` or higher
+- Have `"module": "ES2015"` or higher
+- Have `"moduleResolution": "Bundler"`
 
 Sample tsconfig:
+
 ```json
 {
   "compilerOptions": {
@@ -49,13 +53,17 @@ Sample tsconfig:
     "module": "ES2015",
     "moduleResolution": "Bundler",
     "strictNullChecks": true,
-    "outDir": "dist/",
+    "outDir": "dist/"
   },
   "include": ["**/*.ts"]
 }
 ```
+
 ### Setting up SDK config options
-`RelyingPartyClientSdkConfig` has some fixed values, specially inside `client` object, to be able to set the config options for the SDK some type gymnastics will be needed as shown below (see `as const`):
+
+`RelyingPartyClientSdkConfig` has some fixed values. To be able to set the config 
+options for the SDK you can use the example as below:
+
 ```typescript
 // index.ts
 import RelyingPartyClientSdk from '@connectid-tools/rp-nodejs-sdk'
@@ -68,37 +76,11 @@ const relyingPartyClientSdk = new RelyingPartyClientSdk(config)
 // config.ts
 export const config = {
   data: {
-  .
-  .
-  .
-  log_level: 'info' as const,
-  .
-  .
-  .
-  client: {
-      .
-      .
-      .
-      application_type: 'web' as const,
-      grant_types: ['client_credentials', 'authorization_code', 'implicit'] as  ['client_credentials', 'authorization_code', 'implicit'],
-      id_token_signed_response_alg: 'PS256' as const,
-      post_logout_redirect_uris: [] as [],
-      require_auth_time: false as const,
-      response_types: ['code id_token', 'code'] as ['code id_token', 'code'],
-      subject_type: 'public' as const,
-      token_endpoint_auth_method: 'private_key_jwt' as const,
-      token_endpoint_auth_signing_alg: 'PS256' as const,
-      introspection_endpoint_auth_method: 'private_key_jwt' as const,
-      revocation_endpoint_auth_method: 'private_key_jwt' as const,
-      request_object_signing_alg: 'PS256' as const,
-      require_signed_request_object: true as const,
-      require_pushed_authorization_requests: true as const,
-      authorization_signed_response_alg: 'PS256' as const,
-      tls_client_certificate_bound_access_tokens: true as const,
-      backchannel_user_code_parameter: false as const,
-      scope: 'openid' as const,
-      software_roles: ['RP-CORE'] as ['RP-CORE'],
-    },
+    .
+    .
+    .
+    log_level: 'info' as const,
+  }
 ```
 
 # rp-nodejs-sdk Configuration
@@ -112,36 +94,32 @@ the configuration properties is available from: <https://github.com/connectid-to
 The simplest way to pass in the configuration is shown below (assumes the `config.js` file is in the project directory):
 
 ```javascript
-const config = require('./config');
-const RelyingPartyClientSdk = require('@connectid-tools/rp-nodejs-sdk');
-const rpClient = new RelyingPartyClientSdk(config);
+const config = require('./config')
+const RelyingPartyClientSdk = require('@connectid-tools/rp-nodejs-sdk')
+const rpClient = new RelyingPartyClientSdk(config)
 ```
 
-| Property                              | Description                                                                                                                                                                                                                                                                                                                                          | Example value                                                                                                                                      |
-|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
-| `ca_pem`                              | The collection of trusted root certificates that can be used for certification validation. May be an absolute or relative path.                                                                                                                                                                                                                      | `'./conf/ca.pem'  `                                                                                                                                |
-| `ca_pem_content`                      | The collection of trusted root certificates content (string) that can be used for certification validation. Overrides `ca_pem`.                                                                                                                                                                                                                      | `'-----BEGIN CERTIFICATE----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`                                                |
-| `signing_kid`                         | The id for the signing key in the JWKS. This can be found in the registry via Software Statements -> Client Details -> Certificates                                                                                                                                                                                                                  | `'Xf1Pf-GXyhryOY5wwg0ddL5yzUicIcQrOIxja0yHhpg'`                                                                                                    |
-| `signing_key`                         | The path to the signing key used when signing requests. May be an absolute or relative path. `signing_key` or `signing_key_content` must be used to provide the signing key.                                                                                                                                                                         | `'./conf/signing.key'`                                                                                                                             |
-| `signing_key_content`                 | The signing key content (string) used when signing requests. If supplied, will override the key data supplied via `signing_key`.                                                                                                                                                                                                                     | `'-----BEGIN PRIVATE KEY----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`                                                |
-| `registry_participants_uri`           | The URI for the registry endpoint that provides the participant list                                                                                                                                                                                                                                                                                 | `https://data.directory.sandbox.connectid.com.au/participants`                                                                                     |
-| `signing_pem`                         | The path to the signing certificate used when signing requests. May be an absolute or relative path.                                                                                                                                                                                                                                                 | `'./conf/signing.pem'`                                                                                                                             |
-| `transport_key`                       | The path to the transport key used for mutual TLS. May be an absolute or relative path. `transport_key` or `transport_key_content` must be used to provide the transport key.                                                                                                                                                                        | `'./conf/transport.key'`                                                                                                                           |
-| `transport_key_content`               | The transport key content (string) used for mutual TLS. If supplied, will override the key data supplied via `transport_key`.                                                                                                                                                                                                                        | `'-----BEGIN PRIVATE KEY----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`                                                |
-| `transport_pem`                       | The path to the transport certificate used for mutual TLS. May be an absolute or relative path. `tranport_pem` or `transport_pem_content` must be used to provide the transport certificate                                                                                                                                                          | `'./conf/transport.pem'`                                                                                                                           |
-| `transport_pem_content`               | The transport certificate content (string) used for mutual TLS. If supplied, will override the certificate supplied via `transport_pem`.                                                                                                                                                                                                             | `'-----BEGIN CERTIFICATE----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`                                                |
-| `application_redirect_uri`            | The specific redirect url used for all requests from this rp-nodejs-sdk instance. Must be one of the redirect_urls specified in the registry for the client                                                                                                                                                                                          | `'https://tpp.localhost/cb'`                                                                                                                       |
-| `client.client_id`                    | Identifies the client. This value is available from the Registry via Software Statements -> Client Details -> Client ID                                                                                                                                                                                                                              | `'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a'`                                        |
-| `client.organisation_id`              | Identifies the organisation. This value is available from the Registry via Organisation Details                                                                                                                                                                                                                                                      | `'ab837240-9618-4953-966e-90fd1fa63999'`                                                                                                           |
-| `client.jwks_uri`                     | The location of the JWKS for this client. Will be in the format: `'https://keystore.directory.sandbox.connectid.com.au/<organisation_id>/<client_id>/application.jwks'`                                                                                                                                                                              | `'https://keystore.directory.sandbox.connectid.com.au/ab837240-9618-4953-966e-90fd1fa63999/090d41c6-fc27-4b1e-91e9-0fecfc240601/application.jwks'` |
-| `client.redirect_uris`                | The list of redirect_uris supported by the client. Must only contain URIs specified in the registry.                                                                                                                                                                                                                                                 | `['https://demo.relyingpart.net/cb', 'https://tpp.localhost/cb',]`                                                                                 |
-| `log_level`                           | The log level to use for console logs, eg: 'info', 'debug'. Enabling 'debug' will cause all requests and responses to remote servers to be logged. 'debug' must not be used in Production as it will log Personal Information.                                                                                                                       | `'info'`                                                                                                                                           |
-| `cache_ttl`                           | TTL for the participants list caching. Optional setting. Defaults to 600 seconds if not configured.                                                                                                                                                                                                                                                  | `600`                                                                                                                                              |
-| `enable_auto_compliance_verification` | When running the OIDC FAPI compliance suite, it requires a call to userInfo after successfully decoding the response claims. If this is set to true, the SDK will automatically make the required call.                                                                                                                                              | `false`                                                                                                                                            |
-| `purpose`                             | The default purpose to be displayed to the consumer on the IDP consent screen to indicate why their data is being requested to be shared                                                                                                                                                                                                             | `'verifying your identity'`                                                                                                                        |
-| `include_uncertified_participants`    | By default the SDK will filter out all authorisation servers that are not fully certified. If you wish to test one of the uncertified auth servers you will need to set this to `true`. If not provided, defaults to 'false'                                                                                                                         | `false`                                                                                                                                            |
-| `required_claims`                     | The list of claims that the RP will be using and requires IDPs to support. If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs supporting the claims are returned. If this value is not supplied, no filtering by claim support will be performed.                                           | `['name', 'address']`                                                                                                                              |
-| `required_participant_certifications` | The list of required certifications a server must support for the IDP use case (eg: TDIF Certification). If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs with the certification are returned. If this value is not supplied, no filtering for specific certifications will be performed. | `[{ profileType: 'TDIF Accreditation', profileVariant: 'Identity Provider'}]`                                                                      |
+| Property                              | Description                                                                                                                                                                                                                                                                                                                                          | Example value                                                                                               |
+|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| `ca_pem`                              | The collection of trusted root certificates that can be used for certification validation. May be an absolute or relative path.                                                                                                                                                                                                                      | `'./conf/ca.pem'  `                                                                                         |
+| `ca_pem_content`                      | The collection of trusted root certificates content (string) that can be used for certification validation. Overrides `ca_pem`.                                                                                                                                                                                                                      | `'-----BEGIN CERTIFICATE----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`         |
+| `signing_kid`                         | The id for the signing key in the JWKS. This can be found in the registry via Software Statements -> Client Details -> Certificates                                                                                                                                                                                                                  | `'Xf1Pf-GXyhryOY5wwg0ddL5yzUicIcQrOIxja0yHhpg'`                                                             |
+| `signing_key`                         | The path to the signing key used when signing requests. May be an absolute or relative path. `signing_key` or `signing_key_content` must be used to provide the signing key.                                                                                                                                                                         | `'./conf/signing.key'`                                                                                      |
+| `signing_key_content`                 | The signing key content (string) used when signing requests. If supplied, will override the key data supplied via `signing_key`.                                                                                                                                                                                                                     | `'-----BEGIN PRIVATE KEY----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`         |
+| `registry_participants_uri`           | The URI for the registry endpoint that provides the participant list                                                                                                                                                                                                                                                                                 | `https://data.directory.sandbox.connectid.com.au/participants`                                              |
+| `signing_pem`                         | The path to the signing certificate used when signing requests. May be an absolute or relative path.                                                                                                                                                                                                                                                 | `'./conf/signing.pem'`                                                                                      |
+| `transport_key`                       | The path to the transport key used for mutual TLS. May be an absolute or relative path. `transport_key` or `transport_key_content` must be used to provide the transport key.                                                                                                                                                                        | `'./conf/transport.key'`                                                                                    |
+| `transport_key_content`               | The transport key content (string) used for mutual TLS. If supplied, will override the key data supplied via `transport_key`.                                                                                                                                                                                                                        | `'-----BEGIN PRIVATE KEY----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`         |
+| `transport_pem`                       | The path to the transport certificate used for mutual TLS. May be an absolute or relative path. `tranport_pem` or `transport_pem_content` must be used to provide the transport certificate                                                                                                                                                          | `'./conf/transport.pem'`                                                                                    |
+| `transport_pem_content`               | The transport certificate content (string) used for mutual TLS. If supplied, will override the certificate supplied via `transport_pem`.                                                                                                                                                                                                             | `'-----BEGIN CERTIFICATE----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'`         |
+| `application_redirect_uri`            | The specific redirect url used for all requests from this rp-nodejs-sdk instance. Must be one of the redirect_urls specified in the registry for the client                                                                                                                                                                                          | `'https://tpp.localhost/cb'`                                                                                |
+| `client_id`                           | Identifies the client. This value is available from the Registry via Software Statements -> Client Details -> Client ID                                                                                                                                                                                                                              | `'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a'` |
+| `log_level`                           | The log level to use for console logs, eg: 'info', 'debug'. Enabling 'debug' will cause all requests and responses to remote servers to be logged. 'debug' must not be used in Production as it will log Personal Information.                                                                                                                       | `'info'`                                                                                                    |
+| `enable_auto_compliance_verification` | When running the OIDC FAPI compliance suite, it requires a call to userInfo after successfully decoding the response claims. If this is set to true, the SDK will automatically make the required call.                                                                                                                                              | `false`                                                                                                     |
+| `purpose`                             | The default purpose to be displayed to the consumer on the IDP consent screen to indicate why their data is being requested to be shared                                                                                                                                                                                                             | `'verifying your identity'`                                                                                 |
+| `include_uncertified_participants`    | By default the SDK will filter out all authorisation servers that are not fully certified. If you wish to test one of the uncertified auth servers you will need to set this to `true`. If not provided, defaults to 'false'                                                                                                                         | `false`                                                                                                     |
+| `required_claims`                     | The list of claims that the RP will be using and requires IDPs to support. If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs supporting the claims are returned. If this value is not supplied, no filtering by claim support will be performed.                                           | `['name', 'address']`                                                                                       |
+| `required_participant_certifications` | The list of required certifications a server must support for the IDP use case (eg: TDIF Certification). If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs with the certification are returned. If this value is not supplied, no filtering for specific certifications will be performed. | `[{ profileType: 'TDIF Accreditation', profileVariant: 'Identity Provider'}]`                               |
 
 # Process Overview Sequence Diagram
 
@@ -149,21 +127,21 @@ The expected interactions between the Relying Party and RP Connector as part of
 
 The key steps are:
 
-* Retrieve the list of Participants so the user can be prompted to choose their bank
-* Send a pushed authorisation request to the selected bank with the requested claims and redirect the user to their bank
-* Use the callback querystring to retrieve the access token and identity token with the claims the user has consented to share
+- Retrieve the list of Participants so the user can be prompted to choose their bank
+- Send a pushed authorisation request to the selected bank with the requested claims and redirect the user to their bank
+- Use the callback querystring to retrieve the access token and identity token with the claims the user has consented to share
 
 ```mermaid
 sequenceDiagram
     Customer->>+Relying Party: Use Digital ID
     Relying Party->>+rp-nodejs-sdk: getParticipants()
     rp-nodejs-sdk-->>-Relying Party: Participant metadata
-    Relying Party-->>-Customer: Display Bank Selector 
+    Relying Party-->>-Customer: Display Bank Selector
     Customer->>+Relying Party: Select Bank
     Relying Party->>+rp-nodejs-sdk: sendPushedAuthorisationRequest()
     rp-nodejs-sdk-->>-Relying Party: authUrl, codeVerifier, state, nonce
     Note right of Relying Party: The RP must associate the codeVerifier,<br/>state and nonce with the user<br/>to use when retrieving claims
-    Relying Party-->>-Customer: redirect to Bank using authUrl         
+    Relying Party-->>-Customer: redirect to Bank using authUrl
     Customer->>+Bank: redirect to AuthUrl
     Bank->>Bank: Authenticate & Capture Consent
     Bank-->>-Customer: Redirect customer to RP callback URI
@@ -188,126 +166,126 @@ You may also set the `required_claims` and `required_participant_certifications`
 based on the needs of your use case (eg: if you require IDPs to be TDIF certified).
 
 ```javascript
-const idps = await rpClient.getParticipants();
+const idps = await rpClient.getParticipants()
 ```
 
 The response will contain an array of Organisations and their Authorisation Server, with an object structure similar to below.
 
 They key fields of interest are:
 
-* `CustomerFriendlyName` - this is the name of the Bank to display to the customer
-* `CustomerFriendlyLogoUri` - this is a logo for the Bank that can be displayed alongside the bank name
-* `AuthorisationServerId` - this uniquely identifies the authorisation server. It will be needed as part of the next call
-in the flow to identify the Authorisation Server to send the PAR to.
+- `CustomerFriendlyName` - this is the name of the Bank to display to the customer
+- `CustomerFriendlyLogoUri` - this is a logo for the Bank that can be displayed alongside the bank name
+- `AuthorisationServerId` - this uniquely identifies the authorisation server. It will be needed as part of the next call
+  in the flow to identify the Authorisation Server to send the PAR to.
 
 Note that in the response there may be:
 
-* multiple organisations - each Bank will be its own organisation
-* multiple authorisation servers per bank - a Bank may have different authorisation servers for its different brands (or potentially
-to differentiate Business Banking from Retail Banking)
+- multiple organisations - each Bank will be its own organisation
+- multiple authorisation servers per bank - a Bank may have different authorisation servers for its different brands (or potentially
+  to differentiate Business Banking from Retail Banking)
 
 ```json
-    [
+[
+  {
+    "Status": "Active",
+    "OrgDomainRoleClaims": [],
+    "AuthorisationServers": [
       {
-        "Status": "Active",
-        "OrgDomainRoleClaims": [],
-        "AuthorisationServers": [
-          {
-            "PayloadSigningCertLocationUri": "https://auth.bank4.directory.sandbox.connectid.com.au/na",
-            "ParentAuthorisationServerId": null,
-            "OpenIDDiscoveryDocument": "https://auth.bank4.directory.sandbox.connectid.com.au/.well-known/openid-configuration",
-            "CustomerFriendlyName": "Bank W",
-            "CustomerFriendlyDescription": "Bank4",
-            "TermsOfServiceUri": null,
-            "ApiResources": [],
-            "AutoRegistrationSupported": true,
-            "CustomerFriendlyLogoUri": "https://static.relyingparty.net/BankW.svg",
-            "SupportsDCR": false,
-            "AuthorisationServerCertifications": [],
-            "SupportsCiba": false,
-            "DeveloperPortalUri": null,
-            "NotificationWebhookAddedDate": null,
-            "AuthorisationServerId": "cde44c30-9138-4b58-ba50-221833d14319"
-          },
-          {
-            "PayloadSigningCertLocationUri": "https://auth.bank3.directory.sandbox.connectid.com.au/na",
-            "ParentAuthorisationServerId": null,
-            "OpenIDDiscoveryDocument": "https://auth.bank3.directory.sandbox.connectid.com.au/.well-known/openid-configuration",
-            "CustomerFriendlyName": "Bank N",
-            "CustomerFriendlyDescription": "Bank3",
-            "TermsOfServiceUri": null,
-            "ApiResources": [],
-            "AutoRegistrationSupported": true,
-            "CustomerFriendlyLogoUri": "https://static.relyingparty.net/BankN.svg",
-            "SupportsDCR": false,
-            "AuthorisationServerCertifications": [],
-            "SupportsCiba": false,
-            "DeveloperPortalUri": null,
-            "NotificationWebhookAddedDate": null,
-            "AuthorisationServerId": "22c2d67e-4d95-414a-b51a-ca863e9d691d"
-          }
-        ],
-        "OrgDomainClaims": [],
-        "Size": null,
-        "RegistrationId": null,
-        "OrganisationId": "ed63c5b4-4dcb-4867-bd8b-e2b04a0ab04b",
-        "City": "Banksville",
-        "Postcode": "4103",
-        "AddressLine2": "Bank Town",
-        "RegisteredName": "RefBank",
-        "AddressLine1": "1 Reference Bank Street",
-        "LegalEntityName": "Reference Bank",
-        "OrganisationName": "Reference Banks",
-        "Country": "AU",
-        "RegistrationNumber": "ABN 123 456 7890",
-        "CreatedOn": "2021-12-14T23:09:03.581Z",
-        "Tag": null,
-        "ParentOrganisationReference": "",
-        "CompanyRegister": "ABN",
-        "CountryOfRegistration": "AU"
+        "PayloadSigningCertLocationUri": "https://auth.bank4.directory.sandbox.connectid.com.au/na",
+        "ParentAuthorisationServerId": null,
+        "OpenIDDiscoveryDocument": "https://auth.bank4.directory.sandbox.connectid.com.au/.well-known/openid-configuration",
+        "CustomerFriendlyName": "Bank W",
+        "CustomerFriendlyDescription": "Bank4",
+        "TermsOfServiceUri": null,
+        "ApiResources": [],
+        "AutoRegistrationSupported": true,
+        "CustomerFriendlyLogoUri": "https://static.relyingparty.net/BankW.svg",
+        "SupportsDCR": false,
+        "AuthorisationServerCertifications": [],
+        "SupportsCiba": false,
+        "DeveloperPortalUri": null,
+        "NotificationWebhookAddedDate": null,
+        "AuthorisationServerId": "cde44c30-9138-4b58-ba50-221833d14319"
       },
       {
-        "Status": "Active",
-        "OrgDomainRoleClaims": [],
-        "AuthorisationServers": [
-          {
-            "PayloadSigningCertLocationUri": "https://mtls.partner.idp.test.commbank.com.au/pf/JWKS",
-            "ParentAuthorisationServerId": null,
-            "OpenIDDiscoveryDocument": "https://mtls.partner.idp.test.commbank.com.au/.well-known/openid-configuration",
-            "CustomerFriendlyName": "Commonwealth Bank",
-            "CustomerFriendlyDescription": "Test IDP for CBA",
-            "TermsOfServiceUri": null,
-            "ApiResources": [],
-            "AutoRegistrationSupported": true,
-            "CustomerFriendlyLogoUri": "https://www.commbank.com.au/test.svg",
-            "SupportsDCR": false,
-            "AuthorisationServerCertifications": [],
-            "SupportsCiba": false,
-            "DeveloperPortalUri": null,
-            "NotificationWebhookAddedDate": null,
-            "AuthorisationServerId": "355df9aa-bf8f-4cec-aa4d-78b10356762e"
-          }
-        ],
-        "OrgDomainClaims": [],
-        "Size": null,
-        "RegistrationId": "",
-        "OrganisationId": "adf2af89-2782-4058-86d9-ff3a9068e4a5",
-        "City": "Sydney",
-        "Postcode": "2000",
-        "AddressLine2": "201 Sussex Street",
-        "RegisteredName": "Commonwealth Bank of Australia",
-        "AddressLine1": "Ground Floor Tower 1",
-        "LegalEntityName": "Commonwealth Bank of Australia",
-        "OrganisationName": "Commonwealth Bank of Australia",
-        "Country": "AU",
-        "RegistrationNumber": "ABN 48 123 123 124",
-        "CreatedOn": "2022-03-14T00:42:29.202Z",
-        "Tag": null,
-        "ParentOrganisationReference": "",
-        "CompanyRegister": "ABN",
-        "CountryOfRegistration": "AU"
+        "PayloadSigningCertLocationUri": "https://auth.bank3.directory.sandbox.connectid.com.au/na",
+        "ParentAuthorisationServerId": null,
+        "OpenIDDiscoveryDocument": "https://auth.bank3.directory.sandbox.connectid.com.au/.well-known/openid-configuration",
+        "CustomerFriendlyName": "Bank N",
+        "CustomerFriendlyDescription": "Bank3",
+        "TermsOfServiceUri": null,
+        "ApiResources": [],
+        "AutoRegistrationSupported": true,
+        "CustomerFriendlyLogoUri": "https://static.relyingparty.net/BankN.svg",
+        "SupportsDCR": false,
+        "AuthorisationServerCertifications": [],
+        "SupportsCiba": false,
+        "DeveloperPortalUri": null,
+        "NotificationWebhookAddedDate": null,
+        "AuthorisationServerId": "22c2d67e-4d95-414a-b51a-ca863e9d691d"
       }
-    ]
+    ],
+    "OrgDomainClaims": [],
+    "Size": null,
+    "RegistrationId": null,
+    "OrganisationId": "ed63c5b4-4dcb-4867-bd8b-e2b04a0ab04b",
+    "City": "Banksville",
+    "Postcode": "4103",
+    "AddressLine2": "Bank Town",
+    "RegisteredName": "RefBank",
+    "AddressLine1": "1 Reference Bank Street",
+    "LegalEntityName": "Reference Bank",
+    "OrganisationName": "Reference Banks",
+    "Country": "AU",
+    "RegistrationNumber": "ABN 123 456 7890",
+    "CreatedOn": "2021-12-14T23:09:03.581Z",
+    "Tag": null,
+    "ParentOrganisationReference": "",
+    "CompanyRegister": "ABN",
+    "CountryOfRegistration": "AU"
+  },
+  {
+    "Status": "Active",
+    "OrgDomainRoleClaims": [],
+    "AuthorisationServers": [
+      {
+        "PayloadSigningCertLocationUri": "https://mtls.partner.idp.test.commbank.com.au/pf/JWKS",
+        "ParentAuthorisationServerId": null,
+        "OpenIDDiscoveryDocument": "https://mtls.partner.idp.test.commbank.com.au/.well-known/openid-configuration",
+        "CustomerFriendlyName": "Commonwealth Bank",
+        "CustomerFriendlyDescription": "Test IDP for CBA",
+        "TermsOfServiceUri": null,
+        "ApiResources": [],
+        "AutoRegistrationSupported": true,
+        "CustomerFriendlyLogoUri": "https://www.commbank.com.au/test.svg",
+        "SupportsDCR": false,
+        "AuthorisationServerCertifications": [],
+        "SupportsCiba": false,
+        "DeveloperPortalUri": null,
+        "NotificationWebhookAddedDate": null,
+        "AuthorisationServerId": "355df9aa-bf8f-4cec-aa4d-78b10356762e"
+      }
+    ],
+    "OrgDomainClaims": [],
+    "Size": null,
+    "RegistrationId": "",
+    "OrganisationId": "adf2af89-2782-4058-86d9-ff3a9068e4a5",
+    "City": "Sydney",
+    "Postcode": "2000",
+    "AddressLine2": "201 Sussex Street",
+    "RegisteredName": "Commonwealth Bank of Australia",
+    "AddressLine1": "Ground Floor Tower 1",
+    "LegalEntityName": "Commonwealth Bank of Australia",
+    "OrganisationName": "Commonwealth Bank of Australia",
+    "Country": "AU",
+    "RegistrationNumber": "ABN 48 123 123 124",
+    "CreatedOn": "2022-03-14T00:42:29.202Z",
+    "Tag": null,
+    "ParentOrganisationReference": "",
+    "CompanyRegister": "ABN",
+    "CountryOfRegistration": "AU"
+  }
+]
 ```
 
 ## getFallbackProviderParticipants()
@@ -323,13 +301,12 @@ Note that there is only expected to be a single Fallback Provider for the scheme
 auth server should be returned here).
 
 ```javascript
-const fallbackProviders = await rpClient.getFallbackProviderParticipants();
+const fallbackProviders = await rpClient.getFallbackProviderParticipants()
 ```
 
 The response will contain an array of Organisations and their Authorisation Servers, with the structure the same
 as that for `getParticipants()`.
 
-
 ## sendPushedAuthorisationRequest(authServerId: string, essentialClaims: string[], voluntaryClaims: string[] = [], purpose: string = '{default value from config}')
 
 This sends a Pushed Authorisation Request to the specified Identity Server requesting the list of supplied claims. The response
@@ -338,24 +315,24 @@ process.
 
 The required function parameters are:
 
-* `authorisationServerId` - identifies the authorisation server to send the PAR to
-* `essentialClaims` - a list of the identity essential claim names that being requested for the user. 
-Note that permitted claim names are defined in section 6 of the [Digital ID API Security Profile](https://docs.sandbox.connectid.com.au/docs/network-documentation/technical-specifications/) specification. 
-When the IDP is obtaining user consent, the only method for a user to opt out of consenting to an `essential` claim is to cancel the entire transaction.
-* `voluntaryClaims` - a list of the identity voluntary claim names that are being requested for the user. 
-Note that permitted claim names are defined in section 6 of the [Digital ID API Security Profile](https://docs.sandbox.connectid.com.au/docs/network-documentation/technical-specifications/) specification. 
-When the IDP is obtaining user consent, they may allow the user to opt out of consenting to providing each of the `voluntary` claims, while still consenting to all `essential` claims. 
-If a user does not consent to `voluntary` claims, but does consent to `essential` claims, this will result in a successful transaction.
-* `purpose` - the purpose to be displayed to the consumer on the IDP consent screen to indicate why their data is being requested to be shared. If not supplied, the default purpose configured in the SDK config will be used.
-
-The method will return: `{ authUrl, code_verifier, state, nonce, xFapiInteractionId }`. The fields are:
-
-* `authUrl` - the URL the user must be redirected to in order to complete the authorisation process with their Identity Provider
-* `codeVerifier`
-* `state`
-* `nonce`
-* `xFapiInteractionId` - a unique identifier for this interaction with the Authorisation Server, that was sent in the `x-fapi-interaction-id` request
-header to the server. Intended as a correlation id for diagnosing issues between the client and the authorisation server.
+- `authorisationServerId` - identifies the authorisation server to send the PAR to
+- `essentialClaims` - a list of the identity essential claim names that being requested for the user.
+  Note that permitted claim names are defined in section 6 of the [Digital ID API Security Profile](https://docs.sandbox.connectid.com.au/docs/network-documentation/technical-specifications/) specification.
+  When the IDP is obtaining user consent, the only method for a user to opt out of consenting to an `essential` claim is to cancel the entire transaction.
+- `voluntaryClaims` - a list of the identity voluntary claim names that are being requested for the user.
+  Note that permitted claim names are defined in section 6 of the [Digital ID API Security Profile](https://docs.sandbox.connectid.com.au/docs/network-documentation/technical-specifications/) specification.
+  When the IDP is obtaining user consent, they may allow the user to opt out of consenting to providing each of the `voluntary` claims, while still consenting to all `essential` claims.
+  If a user does not consent to `voluntary` claims, but does consent to `essential` claims, this will result in a successful transaction.
+- `purpose` - the purpose to be displayed to the consumer on the IDP consent screen to indicate why their data is being requested to be shared. If not supplied, the default purpose configured in the SDK config will be used.
+
+The method will return: `{ authUrl, codeVerifier, state, nonce, xFapiInteractionId }`. The fields are:
+
+- `authUrl` - the URL the user must be redirected to in order to complete the authorisation process with their Identity Provider
+- `codeVerifier`
+- `state`
+- `nonce`
+- `xFapiInteractionId` - a unique identifier for this interaction with the Authorisation Server, that was sent in the `x-fapi-interaction-id` request
+  header to the server. Intended as a correlation id for diagnosing issues between the client and the authorisation server.
 
 The `codeVerifier`, `state` and `nonce` are all associated with this specific PAR and are required when retrieving the
 token claims when the user has authorised the request. You must securely associate these with your user request
@@ -365,19 +342,19 @@ so that you can use them on the subsequent call.
 
 ```typescript
 interface CallbackParamsType {
-  access_token?: string;
-  code?: string;
-  error?: string;
-  error_description?: string;
-  error_uri?: string;
-  expires_in?: string;
-  id_token?: string;
-  state?: string;
-  token_type?: string;
-  session_state?: string;
-  response?: string;
-
-  [key: string]: unknown;
+  access_token?: string
+  code?: string
+  error?: string
+  error_description?: string
+  error_uri?: string
+  expires_in?: string
+  id_token?: string
+  state?: string
+  token_type?: string
+  session_state?: string
+  response?: string
+
+  [key: string]: unknown
 }
 ```
 
@@ -387,15 +364,14 @@ identity token with the claims. The tokens are then returned to the API caller.
 
 The required function parameters are:
 
-* `authorisationServerId` - identifies the authorisation server providing the user information
-* `requestParams` - the full querystring from the callback to the Relying Party callback address
-* `codeVerifier` - from the response to the PAR for this identity request
-* `state` - from the response to the PAR for this identity request
-* `nonce` - from the response to the PAR for this identity request
+- `authorisationServerId` - identifies the authorisation server providing the user information
+- `requestParams` - the full querystring from the callback to the Relying Party callback address
+- `codeVerifier` - from the response to the PAR for this identity request
+- `state` - from the response to the PAR for this identity request
+- `nonce` - from the response to the PAR for this identity request
 
-The method will return a `ConsolidatedTokenSet` which extends [Tokenset](https://github.com/panva/node-openid-client/blob/main/docs/README.md#class-tokenset)
-that contains the access_token and id_token. The user identity claims can be retrieved using the utility method `claims()`
-on the TokenSet. The `ConsolidatedTokenSet` provides a new method `consolidatedClaims()`, which will return a single
+The method will return a `ConsolidatedTokenSet` that contains the access_token and id_token. The user identity claims can be retrieved using the utility method `claims()`
+on the ConsolidatedTokenSet. The `ConsolidatedTokenSet` provides a method `consolidatedClaims()`, which will return a single
 object containing all the claims, including the extended claims, as a single object. The tokenset also contains an `xFapiInteractionId` which
 is a correlation id for the request that was sent to the IDP.
 
@@ -408,36 +384,68 @@ All user identity claims will be provided as part of the `id_token` returned by
 
 The required function parameters are:
 
-* `authorisationServerId` - identifies the authorisation server providing the user information
-* `accessToken` - the access token provided by `retrieveTokens`
+- `authorisationServerId` - identifies the authorisation server providing the user information
+- `accessToken` - the access token provided by `retrieveTokens`
 
 # Release Notes
 
+### 5.0.0 (Dec 21, 2025)
+
+**Major architectural refactoring - Breaking Changes**
+
+This release removes the dependency on `openid-client` and implements custom OIDC/FAPI flow logic to align with the Java and .NET SDKs.
+
+**Breaking Changes:**
+- **Removed `cache_ttl` configuration parameter**: Participant list caching has been removed to align with Java/.NET SDKs.
+- **Internal architecture changes**: The SDK now uses a modular endpoint-based architecture with separate classes for each OIDC operation (PAR, token retrieval, userinfo, etc.).
+- **Configuration changes**: The `client_id` parameter is no longer part of the `client` config, but moved up 1 level.  
+- **Configuration changes**: The configuration block for `client` with it's associated parameters is no longer required and has been removed. Please review the `config.ts` for the correct structure and update your configuration accordingly. 
+
+**Internal Improvements:**
+- Replaced `openid-client` dependency with custom implementation using `jose` library for JWT operations
+- Implemented custom HTTP client with mTLS support
+
+**Note:** The public API remains mostly unchanged - all existing public methods maintain the same signatures and behavior, but some of the return types may have become stricter. 
+Note that the field `codeVerifier` has been renamed from `code_verifier` to `codeVerifier` to be more in line with TypeScript naming conventions.
+
+### 4.2.1 (Nov 27, 2025)
+
+- Updated dependencies.
+
 ### 4.2.0 (Aug 8, 2025)
+
 - `cba_loyalty` claim.
 
 ### 4.1.0 (Feb 25, 2025)
+
 - Implemented user-agent support.
 
 ### 4.0.5 (Feb 24, 2025)
-- Add README.md and license files to bundle.
+
+- Add README.md and licence files to bundle.
 
 ### 4.0.4 (Feb 21, 2025)
+
 - Remove `declarationMap`.
 
 ### 4.0.3 (Nov 29, 2024)
+
 - Issuer value for aud in private_key_jwt.
 
 ### 4.0.2 (Oct 22, 2024)
+
 - Single string audience in the private key jwt.
 
 ### 4.0.1 (Oct 1, 2024)
+
 - Changed type of `ApiResources` from `str` to `ApiResource`.
 
 ### 4.0.0 (Sep 2, 2024)
+
 - Breaking change: removed essential claims default value. If you are relying on essential claims default value calling `sendPushedAuthorisationRequest` then you need to provide the claims explicitly. Otherwise, no need to change anything.
 
 How it was:
+
 ```typescript
 const defaultClaimList: string[] = ['given_name', 'middle_name', 'family_name', 'phone_number', 'email', 'address', 'birthdate', 'txn']
 
@@ -445,37 +453,47 @@ async sendPushedAuthorisationRequest(authServerId: string, essentialClaims: stri
 ```
 
 How it is now:
+
 ```typescript
 async sendPushedAuthorisationRequest(authServerId: string, essentialClaims: string[], voluntaryClaims: string[] = [], purpose: string = this.purpose) {
 ```
 
 ### 4.0.0 (Sep 23, 2024)
-- Updated Node version to 20.x.
-- Removed jest and axios dependencies. 
+
+- Updated Node.js version to 20.x.
+- Removed jest and axios dependencies.
 
 ### 3.0.0 (Aug 27, 2024)
+
 - Breaking change: removed `name` from essential claims default value. If you are relying on essential claims default value calling `sendPushedAuthorisationRequest` and use `name` claim then you need to provide `name` claim explicitly. Otherwise, no need to change anything.
 
 ### 2.15.0 (Jun 20, 2024)
+
 - Updated purpose statement.
 - Dependencies updated.
 
 ### 2.14.1 (Jun 17, 2024)
+
 - Removed `got` dependency and used `fetch` instead.
 
 ### 2.14.0 (Jun 12, 2024)
-- Added cache to `getParticipants()` method. 
+
+- Added cache to `getParticipants()` method.
 
 ### 2.13.0 (April 17, 2024)
+
 - Updated dependencies
 
 ### 2.12.3 (Nov 8, 2023)
+
 - `nonce` should have 43 chars.
 
 ### 2.12.2 (Nov 8, 2023)
+
 - Updated README.md to include `tsconfig` suggestion.
 
 ### 2.12.1 (Nov 7, 2023)
+
 - Made `ca_pem` optional. Although either `ca_pem` or `ca_pem_content` must be provided.
 - Made `signing_key` optional. Although either `signing_key` or `signing_key_content` must be provided.
 - Made `signing_pem` optional. Although either `signing_pem` or `signing_pem_content` must be provided.
@@ -483,97 +501,126 @@ async sendPushedAuthorisationRequest(authServerId: string, essentialClaims: stri
 - Made `transport_pem` optional. Although either `transport_pem` or `transport_pem_content` must be provided.
 
 ### 2.12.0 (October 19, 2023)
-- Added support to Node 18.
+
+- Added support to Node.js 18.
 
 ### 2.11.2 (August 22, 2023)
+
 - Conformance test succeed on warnings.
 
 ### 2.11.1 (August 3, 2023)
+
 - Added automated Conformance test.
 
 ### 2.11.0 (August 1, 2023)
+
 - Updated trust_framework in the PAR to contain an object `{ value: 'au_connectid' }` instead of having a string value. This
-is to bring it inline with OIDC4A spec that requires trust_framework to contain an object.
+  is to bring it inline with OIDC4A spec that requires trust_framework to contain an object.
 
 ### 2.10.0 (July 31, 2023)
+
 - Updated documentation to include `registry_participants_uri` parameter.
 - Updated two testcases.
 
 ### 2.9.0 (July 17, 2023)
+
 - Updated `getParticipants()` so it only returns participants that are active in the network by default. Can be
-overridden using config to return all if required. Also allow filtering of Auth Servers by capabilities.
+  overridden using config to return all if required. Also allow filtering of Auth Servers by capabilities.
 - Added `getFallbackProviderParticipants()` to return the manual verification authorisation server.
 - Note that `sendPushedAuthorisationRequest()` will require the auth server id to be valid for the current filter config (eg: Active auth servers).
 
 ### 2.8.0 (June 7, 2023)
+
 - Ensured that the `txn` claim is always requested so clients always have a reference for the transaction.
 
 ### 2.7.2 (June 6, 2023)
+
 - Removed `redirect_url` and `response_type` authorization request parameters from the request to the authorization endpoint to comply with FAPI2 Security Profile Implementers Draft 3.
 
 ### 2.7.1 (June 5, 2023)
+
 - Removed `scope` authorization request parameter from the request to the authorization endpoint to comply with FAPI2 Security Profile Implementers Draft 3.
 
 ### 2.7.0 (May 31, 2023)
+
 - Enhanced logging so x-fapi-interaction-id logged for PAR and token requests.
 
 ### 2.6.1 (May 29, 2023)
+
 - Fixed invalid main file definition.
 
 ### 2.6.0 (May 29, 2023)
+
 - Added support for `purpose` as request object parameter on PAR requests. Can be supplied per request or use the default supplied via config.
 
 ### 2.5.0 (May 24, 2023)
+
 - Added support for `x-fapi-interaction-id` headers on PAR, token and userinfo requests.
 
 ### 2.4.1 (May 5, 2023)
+
 - Updated clientId details for testing and documentation to use a federated clientId.
 
 ### 2.4.0 (March 28, 2023)
+
 - Reimplemented extended claims, which now supports the following claims: `over16`, `over18`, `over21`, `over25`, `over65`, `beneficiary_account_au`, `beneficiary_account_au_payid`, `beneficiary_account_international`.
 - Implemented strict mode for TypeScript to prevent the use of `any` type and other unsafe types.
 - Fix for `ClaimsRequest` type to support non-verified claims in the type definition.
 
 ### 2.3.0 (March 10, 2023)
+
 - Added support for the following extended claims: `over16`, `over18`, `over21`, `over25`, `over65`, `beneficiary_account`, `pay_id`.
 
 ### 2.2.0 (Feb 20, 2023)
+
 - Maintenance update of dependencies to address CVE-2022-36083 in JOSE library.
 
 ### 2.1.0 (Feb 13, 2023)
+
 - Moved `prompt=consent` parameter to pushed authorisation request object instead of a URL parameter.
 
 ### 2.0.7 (Dec 22, 2022)
-- Run on Node 14 and 16 (openid-client lib does not support Node 18 yet).
-  
+
+- Run on Node.js 14 and 16 (openid-client lib does not support Node.js 18 yet).
+
 ### 2.0.6 (Dec 21, 2022)
+
 - Removed the need to use `--experimental-specifier-resolution=node` flag when importing the SDK.
 - Log SDK version.
-  
+
 ### 2.0.5 (Dec 20, 2022)
+
 - Updated documentation.
 
 ### 2.0.4 (Dec 20, 2022)
+
 - Fixed `RelyingPartyClientSdk is not a constructor`.
 
 ### 2.0.3 (Dec 20, 2022)
+
 - Made `ca_pem_content, signing_key_content, signing_pem_content, transport_key_content, transport_pem_content` from `RelyingPartyClientSdkConfig` optional.
 
 ### 2.0.2 (Dec 20, 2022)
+
 - Removed version logging when SDK is created.
 
 ### 2.0.1 (Dec 20, 2022)
+
 - Fixed npm publish.
 
 ### 2.0.0 (Dec 19, 2022)
-- Typescript support. 
+
+- TypeScript support.
 - Breaking change: SDK imported using `require` will need to add a `default` at the end of the import.
+
 ```javascript
 const RelyingPartyClientSdk = require('@idmvp/rp-nodejs-sdk').default
 ```
-  
+
 ### 1.2.3 (Oct 24, 2022)
+
 - Code formatting. See `.prettierrc.json`.
 
 ### 1.2.2
+
 \<starting point\>