@connectid-tools/rp-nodejs-sdk 4.2.0 → 5.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@connectid-tools/rp-nodejs-sdk",
-  "version": "4.2.0",
+  "version": "5.0.0",
   "description": "Digital Identity Relying Party Node SDK",
   "main": "relying-party-client-sdk.js",
   "types": "relying-party-client-sdk.d.ts",
@@ -31,18 +31,20 @@
   "homepage": "https://github.com/connectid-tools/rp-nodejs-sample-app",
   "dependencies": {
     "https": "^1.0.0",
-    "node-jose": "^2.2.0",
-    "openid-client": "^5.7.1",
+    "jose": "^6.0.0",
+    "undici": "^7.16.0",
     "winston": "^3.17.0"
   },
   "devDependencies": {
     "@types/node": "^20.19.9",
-    "@types/openid-client": "^3.7.0",
     "add-js-extension": "^1.0.4",
     "eslint": "^9.32.0",
     "prettier": "^3.6.2",
-    "replace-in-files-cli": "^2.2.0",
+    "replace-in-files-cli": "^4.0.0",
     "tsx": "^4.20.3",
     "typescript": "^5.9.2"
+  },
+  "overrides": {
+    "node-forge": "^1.3.2"
   }
 }

package/{config.js → src/config.js}

@@ -40,36 +40,7 @@ export const config = {
         // The purpose to be displayed to the consumer to indicate why their data is being requested to be shared
         // Must be between 3 and 300 chars and not contain any of the following characters: <>(){}'\
         purpose: 'verifying your identity',
-        cache_ttl: 600,
-        client: {
-            // Update with your client specific metadata. The client_id and organisation_id can be found in the registry.
-            client_id: 'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a',
-            organisation_id: 'ab837240-9618-4953-966e-90fd1fa63999',
-            jwks_uri: 'https://keystore.directory.sandbox.connectid.com.au/ab837240-9618-4953-966e-90fd1fa63999/280518db-9807-4824-b080-324d94b45f6a/application.jwks',
-            redirect_uris: ['https://demo.relyingpart.net/cb', 'https://tpp.localhost/cb'],
-            organisation_name: 'ConnectID Developer Tools Sample App',
-            organisation_number: 'ABN123123123',
-            software_description: 'App to demonstrate ConnectID end to end flows.',
-            // The following config is here for reference - you should not need to change any of it
-            application_type: 'web',
-            grant_types: ['client_credentials', 'authorization_code', 'implicit'],
-            id_token_signed_response_alg: 'PS256',
-            post_logout_redirect_uris: [],
-            require_auth_time: false,
-            response_types: ['code id_token', 'code'],
-            subject_type: 'public',
-            token_endpoint_auth_method: 'private_key_jwt',
-            token_endpoint_auth_signing_alg: 'PS256',
-            introspection_endpoint_auth_method: 'private_key_jwt',
-            revocation_endpoint_auth_method: 'private_key_jwt',
-            request_object_signing_alg: 'PS256',
-            require_signed_request_object: true,
-            require_pushed_authorization_requests: true,
-            authorization_signed_response_alg: 'PS256',
-            tls_client_certificate_bound_access_tokens: true,
-            backchannel_user_code_parameter: false,
-            scope: 'openid',
-            software_roles: ['RP-CORE'],
-        },
+        // Update with your client specific metadata. The client_id can be found in the registry.
+        client_id: 'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a',
     },
 };

package/src/conformance/api/conformance-api.d.ts

@@ -0,0 +1,38 @@
+interface TestModuleInstance {
+    id: string;
+    name: string;
+    url: string;
+}
+interface PlanInfo {
+    id: string;
+    name: string;
+    modules: Module[];
+}
+interface Module {
+    testModule: string;
+}
+interface TestInformation {
+    planId: string;
+    testId: string;
+    testName: string;
+    started: string;
+    status: string;
+    result: string;
+    version: string;
+}
+interface ErrorResponse {
+    error: string;
+    message: string;
+}
+declare class ConformanceApi {
+    private readonly bearerToken;
+    private readonly baseUrl;
+    constructor(bearerToken: string, baseUrl?: string);
+    createPlan(planName: string, variant: string, config: ConformanceConfig): Promise<PlanInfo>;
+    createTestFromPlan(planId: string, testName: string): Promise<TestModuleInstance>;
+    getPlanInfo(planId: string): Promise<PlanInfo>;
+    getTestInformation(testId: string): Promise<TestInformation>;
+}
+declare class ConformanceConfig {
+}
+export { ConformanceApi, ConformanceConfig, TestModuleInstance, PlanInfo, Module, TestInformation, ErrorResponse };

package/src/conformance/api/conformance-api.js

@@ -0,0 +1,53 @@
+import { URLSearchParams } from 'url';
+class ConformanceApi {
+    constructor(bearerToken, baseUrl = 'https://www.certification.openid.net/') {
+        this.baseUrl = baseUrl;
+        this.bearerToken = bearerToken;
+    }
+    async createPlan(planName, variant, config) {
+        const urlSearchParams = new URLSearchParams({ planName, variant }).toString();
+        console.log('bearerToken', this.bearerToken);
+        console.log('baseUrl', this.baseUrl);
+        const response = await fetch(`${this.baseUrl}api/plan?${urlSearchParams}`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${this.bearerToken}`,
+            },
+            body: JSON.stringify(config),
+        });
+        return await response.json();
+    }
+    async createTestFromPlan(planId, testName) {
+        const urlSearchParams = new URLSearchParams({ test: testName, plan: planId }).toString();
+        const response = await fetch(`${this.baseUrl}api/runner?${urlSearchParams}`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${this.bearerToken}`,
+            },
+        });
+        return await response.json();
+    }
+    async getPlanInfo(planId) {
+        const response = await fetch(`${this.baseUrl}api/plan/${planId}`, {
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${this.bearerToken}`,
+            },
+        });
+        return await response.json();
+    }
+    async getTestInformation(testId) {
+        const response = await fetch(`${this.baseUrl}api/info/${testId}`, {
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${this.bearerToken}`,
+            },
+        });
+        return await response.json();
+    }
+}
+class ConformanceConfig {
+}
+export { ConformanceApi, ConformanceConfig };

package/src/conformance/config.json

@@ -0,0 +1,60 @@
+{
+    "alias": "conformancetest",
+    "client": {
+        "certificate": "-----BEGIN CERTIFICATE-----\nMIIGbjCCBVagAwIBAgIUf1OixaHH1iH+CVnP/HuYkNduJMYwDQYJKoZIhvcNAQEL\nBQAwdzELMAkGA1UEBhMCQVUxKDAmBgNVBAoTH2VmdHBvcyBEaWdpdGFsIElkZW50\naXR5IFB0eSBMdGQxEjAQBgNVBAsTCWNvbm5lY3RpZDEqMCgGA1UEAxMhY29ubmVj\ndGlkIFNBTkRCT1ggSXNzdWluZyBDQSAtIEcxMB4XDTI1MDYzMDA5NDYwMFoXDTI2\nMDczMDA5NDYwMFowfzELMAkGA1UEBhMCQVUxEjAQBgNVBAoTCWNvbm5lY3RpZDEt\nMCsGA1UECxMkYWI4MzcyNDAtOTYxOC00OTUzLTk2NmUtOTBmZDFmYTYzOTk5MS0w\nKwYDVQQDEyQyODA1MThkYi05ODA3LTQ4MjQtYjA4MC0zMjRkOTRiNDVmNmEwggEi\nMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDjIRxuBVItK1P9hPzF93ecY6I1\niUSYF5OL0KKsHaVJvZhG3l2UDkZldUP6mwzhIgo3TwEdiJD7aDen6ZjN98drBKJ/\nPpruDd+R+DP0ZoIbyFph3AbOywtqx3h8YuWGrwmVlVt+vXuXsPmD49/lVtodSvIe\nDP/qrXVsbcsq1kKm2DRjn4APPdpDLlt/cRCYqsISYb+ln1NEBp7kkUVhZR9BIlPS\nsHBCO4p2J7eMk7ZPVs9S6ZihL0bSg32tbatBL8sg3N1m5SjW6CMlHd0WTI+dRMPU\nNgjB05vvRLkH6dC2/lmJJl3Lx+PYAWvc/7jClmulRT61dD1cQBgOkSLVw1vzAgMB\nAAGjggLoMIIC5DAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0lBBYwFAYIKwYBBQUHAwEG\nCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFC5fWr82Dx5ZO+AxsGnK\nYFY14xD8MB8GA1UdIwQYMBaAFCID4FOkkmygH6/lwRVx+ZS6Dk9xMEQGCCsGAQUF\nBwEBBDgwNjA0BggrBgEFBQcwAYYoaHR0cDovL29jc3AucGtpLnNhbmRib3guY29u\nbmVjdGlkLmNvbS5hdTBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsLnBraS5z\nYW5kYm94LmNvbm5lY3RpZC5jb20uYXUvaXNzdWVyLmNybDCCAdgGA1UdIASCAc8w\nggHLMIIBxwYLKwYBBAGDui9sAQIwggG2MIIBbQYIKwYBBQUHAgIwggFfDIIBW1Ro\naXMgQ2VydGlmaWNhdGUgaXMgc29sZWx5IGZvciB1c2Ugd2l0aCBlZnRwb3MgRGln\naXRhbCBJZGVudGl0eSBQdHkgTHRkIGFuZCBvdGhlciBwYXJ0aWNpcGF0aW5nIG9y\nZ2FuaXNhdGlvbnMgdXNpbmcgZWZ0cG9zIERpZ2l0YWwgSWRlbnRpdHkgUHR5IEx0\nZCBzZXJ2aWNlcywgYXMgcHJvdmlkZWQgYnkgdGhlIGJ1c2luZXNzIGZyb20gdGlt\nZSB0byB0aW1lLiBJdHMgcmVjZWlwdCwgcG9zc2Vzc2lvbiBvciB1c2UgY29uc3Rp\ndHV0ZXMgYWNjZXB0YW5jZSBvZiB0aGUgZWZ0cG9zIERpZ2l0YWwgSWRlbnRpdHkg\nUHR5IEx0ZCBDZXJ0aWZpY2F0ZSBQb2xpY3kgYW5kIHJlbGF0ZWQgZG9jdW1lbnRz\nIHRoZXJlaW4uMEMGCCsGAQUFBwIBFjdodHRwOi8vcmVwb3NpdG9yeS5wa2kuc2Fu\nZGJveC5jb25uZWN0aWQuY29tLmF1L3BvbGljaWVzMA0GCSqGSIb3DQEBCwUAA4IB\nAQBSi9yE4wF7iTym+HVqKzGfCP2cl7HWJey0zEMUnmLW6s0FcHlxuU5Qw7+L2OTD\nIOCEKwyBNddCC/gnlXkrqC0/71JLbOrtEdZls9DsO1P+BQG3OuDnlo3xSaPNVRXM\naCB3lrl4MGo3q9du2rOivlD0/aof8D6aLapkOsNgtwJLW4ntnpOgRTxPgI8HHfXr\nsmUmmdz2RiJ8UjYffl8or9XSlBz4nOsLrPPUy+T/eiLZsooEvmqvz+ptlX49e+pl\npfMWZX8UBNZbp4wd3lw89A/BMBsSLCmQ/prJyw5FDEMvxTg9wUhs/+pLFpaCFc6J\nX5lsYKc5Hf4Dll4t8Hb/fhjV\n-----END CERTIFICATE-----",
+        "client_id": "https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a",
+        "jwks": {
+            "keys": [
+                {
+                    "kty": "RSA",
+                    "use": "sig",
+                    "x5c": [
+                        "MIIGTzCCBTegAwIBAgIUGFmcYfeY/2xuP2RRwBwNDdijwEYwDQYJKoZIhvcNAQELBQAwdzELMAkGA1UEBhMCQVUxKDAmBgNVBAoTH2VmdHBvcyBEaWdpdGFsIElkZW50aXR5IFB0eSBMdGQxEjAQBgNVBAsTCWNvbm5lY3RpZDEqMCgGA1UEAxMhY29ubmVjdGlkIFNBTkRCT1ggSXNzdWluZyBDQSAtIEcxMB4XDTI1MDYzMDA5NDUwMFoXDTI2MDczMDA5NDUwMFowfzELMAkGA1UEBhMCQVUxEjAQBgNVBAoTCWNvbm5lY3RpZDEtMCsGA1UECxMkYWI4MzcyNDAtOTYxOC00OTUzLTk2NmUtOTBmZDFmYTYzOTk5MS0wKwYDVQQDEyQyODA1MThkYi05ODA3LTQ4MjQtYjA4MC0zMjRkOTRiNDVmNmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3Z5vutMgWpAfMWbMuta8OXmqpWoU6Dm66CImoot2HhdhOk4T4ijZpntUHbU1k3Lz2hXijj9F1DBVwU5H3g7JuKanw+5uPPz1aLZ1rhHtb7NI+QPx56FoC4VPMw81ZtLeHBda3ah7DX0q0vfkeSTPpULJNVq56NkRcyaFZUz5jgeyVRkZwz3OBVbqO4tFaUR1tF+3m9CXZJLA864bP9L9/4wTYJG6BDz1SjX2qoXWm1eUnCVlqrZBAUx3/eKgaksmRJGNTify6BcbubIYxfLchwCt0W3lZDPknBVZKu7ahUvq0VlbVvwiA+1Nnjw9VDP975jm8qruwJxMjQuCvGJ7bAgMBAAGjggLJMIICxTAOBgNVHQ8BAf8EBAMCA7gwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUTtU+nUL63TcTDLnxn89lhudPa4IwHwYDVR0jBBgwFoAUIgPgU6SSbKAfr+XBFXH5lLoOT3EwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5wa2kuc2FuZGJveC5jb25uZWN0aWQuY29tLmF1MEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwucGtpLnNhbmRib3guY29ubmVjdGlkLmNvbS5hdS9pc3N1ZXIuY3JsMIIB2AYDVR0gBIIBzzCCAcswggHHBgsrBgEEAYO6L2wBAjCCAbYwggFtBggrBgEFBQcCAjCCAV8MggFbVGhpcyBDZXJ0aWZpY2F0ZSBpcyBzb2xlbHkgZm9yIHVzZSB3aXRoIGVmdHBvcyBEaWdpdGFsIElkZW50aXR5IFB0eSBMdGQgYW5kIG90aGVyIHBhcnRpY2lwYXRpbmcgb3JnYW5pc2F0aW9ucyB1c2luZyBlZnRwb3MgRGlnaXRhbCBJZGVudGl0eSBQdHkgTHRkIHNlcnZpY2VzLCBhcyBwcm92aWRlZCBieSB0aGUgYnVzaW5lc3MgZnJvbSB0aW1lIHRvIHRpbWUuIEl0cyByZWNlaXB0LCBwb3NzZXNzaW9uIG9yIHVzZSBjb25zdGl0dXRlcyBhY2NlcHRhbmNlIG9mIHRoZSBlZnRwb3MgRGlnaXRhbCBJZGVudGl0eSBQdHkgTHRkIENlcnRpZmljYXRlIFBvbGljeSBhbmQgcmVsYXRlZCBkb2N1bWVudHMgdGhlcmVpbi4wQwYIKwYBBQUHAgEWN2h0dHA6Ly9yZXBvc2l0b3J5LnBraS5zYW5kYm94LmNvbm5lY3RpZC5jb20uYXUvcG9saWNpZXMwDQYJKoZIhvcNAQELBQADggEBAJCvUcPNxrnYow+Xnb7MsPIHrMY8T16nG+3iQqtdJXJw5QoWJ2PnuoCQltleU9ilvO++5Uh5PswGLoNiCCtj7aQmOW9w1CL4b2FSgL4nuWfjgQzpNMQtb+dqL928R7GiksK++apW759sunDB/VlFUjypADpZHaLfc0VvtX8nq/o/lmwsycONLV1IKnuWZp0VmY5BsGpnlx57DHqVx2OPu0zu4rkxz9Rmdzdg619vpRYApnbepMiN6NyylF+Et0/qDmK7xMSKNm4JNGldSSh+D43/ccKYFVORcsLKPH4DE+VnWEA+z2DF72BSyLZuS4gD0QP3ZG0XAWktHHrn46PyINo="
+                    ],
+                    "n": "t2eb7rTIFqQHzFmzLrWvDl5qqVqFOg5uugiJqKLdh4XYTpOE-Io2aZ7VB21NZNy89oV4o4_RdQwVcFOR94Oybimp8Pubjz89Wi2da4R7W-zSPkD8eehaAuFTzMPNWbS3hwXWt2oew19KtL35Hkkz6VCyTVauejZEXMmhWVM-Y4HslUZGcM9zgVW6juLRWlEdbRft5vQl2SSwPOuGz_S_f-ME2CRugQ89Uo19qqF1ptXlJwlZaq2QQFMd_3ioGpLJkSRjU4n8ugXG7myGMXy3IcArdFt5WQz5JwVWSru2oVL6tFZW1b8IgPtTZ48PVQz_e-Y5vKq7sCcTI0Lgrxie2w",
+                    "e": "AQAB",
+                    "kid": "lHf9shwoF1wEES2sB9TBafbs0AVrLiU-1_ntzCrBo8A",
+                    "x5u": "https://keystore.directory.sandbox.connectid.com.au/ab837240-9618-4953-966e-90fd1fa63999/280518db-9807-4824-b080-324d94b45f6a/lHf9shwoF1wEES2sB9TBafbs0AVrLiU-1_ntzCrBo8A.pem",
+                    "x5t#S256": "lHf9shwoF1wEES2sB9TBafbs0AVrLiU-1_ntzCrBo8A",
+                    "x5dn": "CN=280518db-9807-4824-b080-324d94b45f6a,OU=ab837240-9618-4953-966e-90fd1fa63999,O=connectid,C=AU"
+                },
+                {
+                    "kty": "RSA",
+                    "use": "sig",
+                    "x5c": [
+                        "MIIGTzCCBTegAwIBAgIUZHU0UKT4j2dX8RABTZJThsk1CJAwDQYJKoZIhvcNAQELBQAwdzELMAkGA1UEBhMCQVUxKDAmBgNVBAoTH2VmdHBvcyBEaWdpdGFsIElkZW50aXR5IFB0eSBMdGQxEjAQBgNVBAsTCWNvbm5lY3RpZDEqMCgGA1UEAxMhY29ubmVjdGlkIFNBTkRCT1ggSXNzdWluZyBDQSAtIEcxMB4XDTI0MTExODIzNTAwMFoXDTI1MTIxODIzNTAwMFowfzELMAkGA1UEBhMCQVUxEjAQBgNVBAoTCWNvbm5lY3RpZDEtMCsGA1UECxMkYWI4MzcyNDAtOTYxOC00OTUzLTk2NmUtOTBmZDFmYTYzOTk5MS0wKwYDVQQDEyQyODA1MThkYi05ODA3LTQ4MjQtYjA4MC0zMjRkOTRiNDVmNmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKSS7ryzeiSovnkMsR+JHTaXRIxSf1R9l2E5RIZ+SsQYEpG5/Zl5QmoYHqMb9tQ668AvUdCN510I2RrGkJN9EYpIjcPSnZ+v4CzCr8yzgnaO2Qn9sMvRl2mOx/SF6Qp/WPVYK8IkrvMVDo3s4DmhWnpQW1MW5PrzKZ4cHmW5sotKSMvh/lJtkFn6MfD7OgjKKm13TLUqJdcKgjERt3djlv8PHlobZhNXOJ0HRX5FQOgAolhBskxVjOWrfQ/dORdYPmrAhroZmv8JmnDpKdxuQ2pkwNDOCoWF3wnQpzNVOFd/6qVzgs2HSDTBtiM1yJ1DoUMIckRLMOJnAQJdP9cVz/AgMBAAGjggLJMIICxTAOBgNVHQ8BAf8EBAMCA7gwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQULURGy9NOzra9slvrL+EzYzzlsJUwHwYDVR0jBBgwFoAUIgPgU6SSbKAfr+XBFXH5lLoOT3EwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5wa2kuc2FuZGJveC5jb25uZWN0aWQuY29tLmF1MEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwucGtpLnNhbmRib3guY29ubmVjdGlkLmNvbS5hdS9pc3N1ZXIuY3JsMIIB2AYDVR0gBIIBzzCCAcswggHHBgsrBgEEAYO6L2wBAjCCAbYwggFtBggrBgEFBQcCAjCCAV8MggFbVGhpcyBDZXJ0aWZpY2F0ZSBpcyBzb2xlbHkgZm9yIHVzZSB3aXRoIGVmdHBvcyBEaWdpdGFsIElkZW50aXR5IFB0eSBMdGQgYW5kIG90aGVyIHBhcnRpY2lwYXRpbmcgb3JnYW5pc2F0aW9ucyB1c2luZyBlZnRwb3MgRGlnaXRhbCBJZGVudGl0eSBQdHkgTHRkIHNlcnZpY2VzLCBhcyBwcm92aWRlZCBieSB0aGUgYnVzaW5lc3MgZnJvbSB0aW1lIHRvIHRpbWUuIEl0cyByZWNlaXB0LCBwb3NzZXNzaW9uIG9yIHVzZSBjb25zdGl0dXRlcyBhY2NlcHRhbmNlIG9mIHRoZSBlZnRwb3MgRGlnaXRhbCBJZGVudGl0eSBQdHkgTHRkIENlcnRpZmljYXRlIFBvbGljeSBhbmQgcmVsYXRlZCBkb2N1bWVudHMgdGhlcmVpbi4wQwYIKwYBBQUHAgEWN2h0dHA6Ly9yZXBvc2l0b3J5LnBraS5zYW5kYm94LmNvbm5lY3RpZC5jb20uYXUvcG9saWNpZXMwDQYJKoZIhvcNAQELBQADggEBAKeYw2dKjYMW1ms/rXa995Jw925wFFRxKnvx02WZFftR6Fr/rvtBwZQA9LW5dE2EOH6hEzDJolNTrj7xPQX1daIgX9LVUZqiQTCIK+bRZy+gnmRXeGIDKG3WaWthBO8qAfRQQ1Zq4b7HVFL7tZxLgwzfJdjqUyAWOzm1e7x89iL+4pRBQFXY7EWNDSQ6TbgaeStF4bvby0V86S8PtHoj3FxGGSpihDWJ5gj6tbfVqVlgtaU3h6m2NU8rrUsvFm3sE1SVxhgOZpMYEDcr6jZgg7CCZ15eKbOKvIoflhbZsRSii1uIhdaRe2SoB2xZ2DTf8C5blGbYQyfWck6MjkDpqSI="
+                    ],
+                    "n": "ikku68s3okqL55DLEfiR02l0SMUn9UfZdhOUSGfkrEGBKRuf2ZeUJqGB6jG_bUOuvAL1HQjeddCNkaxpCTfRGKSI3D0p2fr-Aswq_Ms4J2jtkJ_bDL0Zdpjsf0hekKf1j1WCvCJK7zFQ6N7OA5oVp6UFtTFuT68ymeHB5lubKLSkjL4f5SbZBZ-jHw-zoIyiptd0y1KiXXCoIxEbd3Y5b_Dx5aG2YTVzidB0V-RUDoAKJYQbJMVYzlq30P3TkXWD5qwIa6GZr_CZpw6SncbkNqZMDQzgqFhd8J0KczVThXf-qlc4LNh0g0wbYjNcidQ6FDCHJESzDiZwECXT_XFc_w",
+                    "e": "AQAB",
+                    "kid": "6kWTo-i7nrIJrdl6jxfDyT0Nprw-aRT0mcZvxvXtKVE",
+                    "x5u": "https://keystore.directory.sandbox.connectid.com.au/ab837240-9618-4953-966e-90fd1fa63999/280518db-9807-4824-b080-324d94b45f6a/6kWTo-i7nrIJrdl6jxfDyT0Nprw-aRT0mcZvxvXtKVE.pem",
+                    "x5t#S256": "6kWTo-i7nrIJrdl6jxfDyT0Nprw-aRT0mcZvxvXtKVE",
+                    "x5dn": "CN=280518db-9807-4824-b080-324d94b45f6a,OU=ab837240-9618-4953-966e-90fd1fa63999,O=connectid,C=AU"
+                }
+            ]
+        },
+        "redirect_uri": "https://tpp.localhost/cb"
+    },
+    "consent": {},
+    "description": "NodeJS Conformance Test Template",
+    "server": {
+        "jwks": {
+            "keys": [
+                {
+                    "p": "9ROiJdNH4qHPe4K92GpxUpQY2T2EP2KjbdOp16TFaL6DmXdZLaJzaYEpinR4NtSnuEpO2nl441_kma1JP99p6VdtmLUvTRUeCEUJXdFh_bqhc0INfGHRuXNBeLLQFcrRRS5Vhi50IM_NqYmpO1GEshxNYfKCweTCTkEwsJzIZkM",
+                    "kty": "RSA",
+                    "q": "nluxAF8DH-LhGz8qB3qzVhBaD7y5JB_pZ3SMaYPCV92yWXRysgNvYx2CyaWOtrIPabfzTBauR1XXEiLccxzQRy2f8bQ7pwJZtQJJtmC4UwCnNnIcdQ1WsjzzHMqd0p45gJQVnXpxmPfThIZeotToW4f4CTHZjJW8fKbd2zDg61U",
+                    "d": "a6N1dGahEGBMd9KYBbwyuliqebughkoNsUeBRFDg29wReDYDfxsCx9nIqS-xNtkkVQYdG7t8FKL8IVapbuJGFcLKvu_w6kbJ7v2csTN71DETrIH4W1xHlor0QuCShYdKeUG_xZjkBznVv8m_2FwzpRNo4WaVHQGwNoiBU5cIBmeA9XxlaGuabaagU6F0z4ArJzl0DIR6XjLYH8DTxb4KFuMvouBS_o9eDw-t1ubU5ffD28nyOY7UvSTd2_kUw4xyWqfyCvN5oTvFNFaJ8EmgkaycvPDkxqWIWOBRoCEk2gAz0UV14t4iPCV75czuA5dc9HlzAh57Ds3k3frm8jAUoQ",
+                    "e": "AQAB",
+                    "use": "sig",
+                    "kid": "ruWVspGvgNx3V22h4ufR9yr64sjuOaaVwDB_i5rwdOM",
+                    "qi": "0dm4Eb27B9VAP8SoXfE7aUSp0RimmBN3LKlucdL5h1LGyaCFNeRgYHJHo6BL33TKL-tL8m9y0ztyePtVe_EMGtP0QEws6oti8-SUK0ynQ4cXet8fH5uqJx-ArGgW_KDi3xvTeScy4faK3toyzStPZCG4jFdWyv1f2vbv4qg4rDU",
+                    "dp": "8fkPmK8yA6bl17nvvbTi7LjCjAN8BqVaXT6mK_9I1jF8d9Lp3u_NafcYT9bNNr3iV0gu8PEMldsBN2Zrsz_gL36d_C-wYzgdbebT56irSryxWb522D8wth0BIK3UXB_jXZ3w3UoSaK8kDWeZCrNjBASDttidl9lIq8Eb1NUH3Ec",
+                    "alg": "PS256",
+                    "dq": "TTdAc4HgsCecxABkqgj2cTy_7XSEgkzdLojx_nE0zktXr67MTmjGY3n8T_7eO89PHKmJhMx6ZmZA3KMLA0ZFeK-SkfTkMWc__rcC4l7_AdoLrsyte5XpdDesA5n4or5sI3oRoBwYUBJnnPM4KgXO1vLRywn3nklVAyMKgtqukZE",
+                    "n": "l5nlgOnp5m-klhQGYjcxytnu-vM6CpPFyhzuLII31Y4JT2sJjpItN4DOWRVs5sWL7aj_otQNYWrBz9JJOUJJ2oGIQDq2UBn9nHDTKqCWCZ8r2Gtq9U7z-mFfHx8f67hY6KFmeuMdVcqCBcNN76ZHtCkvRiziglvtYkMpovWF2cGqeyCuunlTr0clMe2N_iA0wOgLwiYDBtvqLi8DBshRcGzTHHlncW-OLdspu0saOb2igGMEaBAuzY2EsL0E2jZODB5bfPfA3WDuo7Swi2FVqDuaudm3pJofOr02lDidJNQCOBJRJhHVH867vFK12_xtgCDAydWn9qNub19nDwl1Pw"
+                }
+            ]
+        }
+    }
+}

package/src/conformance/conformance-config.d.ts

@@ -0,0 +1,2 @@
+import { RelyingPartyClientSdkConfig } from '../types';
+export declare const conformanceConfig: RelyingPartyClientSdkConfig;

package/src/conformance/conformance-config.js

@@ -0,0 +1,34 @@
+export const conformanceConfig = {
+    data: {
+        // Set the signing Key Id based on what is contained in the JWKS
+        signing_kid: 'lHf9shwoF1wEES2sB9TBafbs0AVrLiU-1_ntzCrBo8A',
+        // The location of the signing certificate and key that are used for signing purposes
+        signing_key: './certs/signing.key',
+        signing_pem: './certs/signing.pem', // TODO not being used atm
+        // The content (string) of the signing certificate and key that are used for signing purposes - overrides `signing_key` and `signing_pem`
+        signing_key_content: '',
+        signing_pem_content: '', // TODO not being used atm
+        // The location of the transport certificate and key that are used for mutual TLS
+        transport_key: './certs/transport.key',
+        transport_pem: './certs/transport.pem',
+        // The content (string) of the transport certificate and key that are used for mutual TLS - overrides `transport_key` and `transport_pem`
+        transport_key_content: '',
+        transport_pem_content: '',
+        // The location of the root certificate for the trust authority
+        ca_pem: './certs/ca.pem',
+        // The content (string) of the root certificate for the trust authority - overrides `ca_pem`
+        ca_pem_content: '',
+        // This is the URL that this application is actually running on and using for callbacks (noting that multiple may be registered for the client)
+        application_redirect_uri: 'https://tpp.localhost/cb',
+        // The registry API endpoint that will list all participants with their auth server details
+        registry_participants_uri: 'https://api.sandbox.connectid.com.au/oidf-conformance/participants?alias=a/conformance-nodejs',
+        // The application logging level (info - normal logging, debug - full request/response)
+        // This MUST not be set to debug in a production environment as it will log all personal data received
+        log_level: 'info',
+        // When running the OIDC FAPI compliance suite, it requires a call to user info after successfully decoding the
+        // response claims. If this is set to true, the SDK will automatically make the call.
+        enable_auto_compliance_verification: true,
+        // Update with your client specific metadata. The client_id and organisation_id can be found in the registry.
+        client_id: 'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a',
+    },
+};

package/src/conformance/conformance.test.js

@@ -0,0 +1,101 @@
+import RelyingPartyClientSdk from '../relying-party-client-sdk.js';
+import { conformanceConfig } from './conformance-config.js';
+import config from './config.json';
+import variant from './variant.json';
+import packageJson from '../../package.json';
+import { parse } from 'url';
+import { ConformanceApi } from './api/conformance-api.js';
+import winston from 'winston';
+import { describe, before, it } from 'node:test';
+import assert from 'node:assert';
+const alias = 'conformance-nodejs-' + Date.now();
+const conformanceEnv = process.env.CONFORMANCE_ENV || 'production';
+const conformanceApiToken = process.env.CONFORMANCE_API_TOKEN || '';
+const conformanceNodeVersion = process.env.CONFORMANCE_NODE_VERSION || 'unknown';
+const participantsEnv = conformanceEnv === 'production' ? '' : conformanceEnv;
+conformanceConfig.data.registry_participants_uri = `https://api.sandbox.connectid.com.au/oidf-conformance/participants?alias=a/${alias}&env=${participantsEnv}`;
+const rpClient = new RelyingPartyClientSdk(conformanceConfig);
+const conformanceEnvUrls = new Map([
+    ['staging', 'https://staging.certification.openid.net/'],
+    ['production', 'https://www.certification.openid.net/']
+]);
+const conformanceBaseUrl = conformanceEnvUrls.get(conformanceEnv);
+console.log(`Selected environment ${conformanceEnv}, baseUrl: ${conformanceBaseUrl}`);
+const conformanceApi = new ConformanceApi(conformanceApiToken, conformanceBaseUrl);
+describe('Conformance Test', { timeout: 600000 }, () => {
+    let planInfo;
+    before(async () => {
+        const planName = 'fapi2-message-signing-id1-client-test-plan';
+        config.description = `NodeJS SDK ${packageJson.version} (NodeJS v${conformanceNodeVersion})`;
+        config.alias = alias;
+        planInfo = await conformanceApi.createPlan(planName, JSON.stringify(variant), config);
+    });
+    it('should execute the conformance test', async () => {
+        const testModules = planInfo.modules.map((module) => module.testModule);
+        for (const testName of testModules) {
+            console.log(`Executing test ${testName}`);
+            // We are mimicking an application log here.
+            const logger = createTestLogger(testName);
+            rpClient.logger = logger;
+            const testInstance = await conformanceApi.createTestFromPlan(planInfo.id, testName);
+            let testInformation = await conformanceApi.getTestInformation(testInstance.id);
+            logger.info(`Executing version ${testInformation.version} of ${testName}`);
+            console.log(`See ${conformanceBaseUrl}log-detail.html?log=${testInstance.id}`);
+            const idps = await rpClient.getParticipants();
+            const authorisationServerId = idps[0].AuthorisationServers[0].AuthorisationServerId;
+            logger.info(`Sending PAR to ${authorisationServerId}`);
+            const essentialClaims = ['given_name', 'middle_name', 'family_name', 'phone_number', 'email', 'address', 'birthdate', 'txn'];
+            const parResponse = await rpClient.sendPushedAuthorisationRequest(authorisationServerId, essentialClaims);
+            const response = await fetch(parResponse.authUrl, {
+                redirect: 'manual',
+            });
+            if (response.status !== 303) {
+                console.error(`Expected 303, got ${response.status}`);
+                throw new Error(`Expected 303, got ${response.status}`);
+            }
+            const location = response.headers.get('location');
+            if (!location) {
+                throw new Error('No location header');
+            }
+            const locationObj = parse(location, true);
+            logger.info(`Executing ${testName}`);
+            try {
+                logger.info('Getting tokens');
+                await rpClient.retrieveTokens(authorisationServerId, locationObj.query, parResponse.codeVerifier, parResponse.state, parResponse.nonce);
+                logger.info('Tokens successfully retrieved');
+            }
+            catch (e) {
+                logger.error('An error occured while getting tokens:' + getErrorMessage(e));
+                console.log(e);
+            }
+            while (testInformation.status !== 'FINISHED') {
+                await delay(250);
+                testInformation = await conformanceApi.getTestInformation(testInstance.id);
+            }
+            logger.info(`Test finished with result: ${testInformation.result}, status: ${testInformation.status}`);
+            console.log('Full test information:', JSON.stringify(testInformation, null, 2));
+            assert.ok(['WARNING', 'PASSED'].includes(testInformation.result));
+            if (testInformation.result === 'WARNING') {
+                console.log(`*** A warning occurred while executing ${testName}, please check the logs!!! ***`);
+            }
+            // TODO: download the logs and store them in Github
+        }
+    });
+});
+function delay(time) {
+    // @ts-ignore
+    return new Promise((resolve) => setTimeout(resolve, time));
+}
+function getErrorMessage(error) {
+    if (error instanceof Error)
+        return error.message;
+    return String(error);
+}
+function createTestLogger(testName) {
+    return winston.createLogger({
+        level: 'info',
+        format: winston.format.simple(),
+        defaultMeta: { service: 'conformance-test' },
+        transports: [new winston.transports.File({ filename: `logs/${testName}.log` })],
+    });
+}

package/src/conformance/variant.json

@@ -0,0 +1 @@
+{ "client_auth_type": "private_key_jwt", "fapi_request_method": "signed_non_repudiation", "fapi_client_type": "oidc", "sender_constrain": "mtls", "fapi_profile": "connectid_au", "fapi_response_mode": "plain_response" }

package/src/crypto/crypto-loader.d.ts

@@ -0,0 +1,32 @@
+import { KeyObject } from 'node:crypto';
+/**
+ * Utility class for loading cryptographic keys and certificates.
+ *
+ * Handles conversion from PEM format to Node.js crypto objects.
+ */
+export declare class CryptoLoader {
+    /**
+     * Loads a private key from PEM format.
+     *
+     * @param keyPem - Private key in PEM format (string or Buffer)
+     * @returns KeyObject that can be used for signing operations
+     * @throws Error if the key cannot be loaded
+     */
+    static loadPrivateKey(keyPem: string | Buffer): KeyObject;
+    /**
+     * Loads a certificate from PEM format.
+     *
+     * @param certPem - Certificate in PEM format (string or Buffer)
+     * @returns Certificate as string
+     */
+    static loadCertificate(certPem: string | Buffer): string;
+    /**
+     * Loads a certificate chain from PEM format.
+     *
+     * Handles single or multiple certificates in a PEM bundle.
+     *
+     * @param caPem - CA certificate(s) in PEM format (string or Buffer)
+     * @returns Array of certificates as strings
+     */
+    static loadCertificateChain(caPem: string | Buffer): string[];
+}

package/src/crypto/crypto-loader.js

@@ -0,0 +1,49 @@
+import { createPrivateKey } from 'node:crypto';
+/**
+ * Utility class for loading cryptographic keys and certificates.
+ *
+ * Handles conversion from PEM format to Node.js crypto objects.
+ */
+export class CryptoLoader {
+    /**
+     * Loads a private key from PEM format.
+     *
+     * @param keyPem - Private key in PEM format (string or Buffer)
+     * @returns KeyObject that can be used for signing operations
+     * @throws Error if the key cannot be loaded
+     */
+    static loadPrivateKey(keyPem) {
+        try {
+            return createPrivateKey(keyPem);
+        }
+        catch (error) {
+            throw new Error(`Failed to load private key: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    /**
+     * Loads a certificate from PEM format.
+     *
+     * @param certPem - Certificate in PEM format (string or Buffer)
+     * @returns Certificate as string
+     */
+    static loadCertificate(certPem) {
+        return typeof certPem === 'string' ? certPem : certPem.toString('utf-8');
+    }
+    /**
+     * Loads a certificate chain from PEM format.
+     *
+     * Handles single or multiple certificates in a PEM bundle.
+     *
+     * @param caPem - CA certificate(s) in PEM format (string or Buffer)
+     * @returns Array of certificates as strings
+     */
+    static loadCertificateChain(caPem) {
+        const pemString = typeof caPem === 'string' ? caPem : caPem.toString('utf-8');
+        // Split on BEGIN CERTIFICATE markers to handle certificate chains
+        const certificates = pemString
+            .split(/(?=-----BEGIN CERTIFICATE-----)/)
+            .map((cert) => cert.trim())
+            .filter((cert) => cert.length > 0);
+        return certificates;
+    }
+}

package/src/crypto/jwt-helper.d.ts

@@ -0,0 +1,61 @@
+import { KeyObject } from 'node:crypto';
+import { ClaimsRequest } from '../types.js';
+/**
+ * Parameters for generating a request JWT (PAR request object).
+ */
+export interface RequestJwtParams {
+    issuer: string;
+    audience: string;
+    redirectUri: string;
+    scope: string;
+    responseType: string;
+    codeChallenge: string;
+    codeChallengeMethod: string;
+    state: string;
+    nonce: string;
+    claims: ClaimsRequest;
+    purpose: string;
+    prompt: string;
+}
+/**
+ * Helper class for JWT operations.
+ *
+ * Handles creation and signing of JWTs for:
+ * - Request objects (PAR)
+ * - Client assertions (token endpoint authentication)
+ *
+ * Uses the PS256 algorithm (RSA-PSS with SHA-256) as required by FAPI.
+ */
+export declare class JwtHelper {
+    private readonly signingKey;
+    private readonly signingKid;
+    private readonly clientId;
+    /**
+     * Creates a new JwtHelper instance.
+     *
+     * @param signingKey - Private key for signing JWTs
+     * @param signingKid - Key ID to include in JWT header
+     * @param clientId - OAuth client ID
+     */
+    constructor(signingKey: KeyObject, signingKid: string, clientId: string);
+    /**
+     * Generates a signed request JWT for PAR.
+     *
+     * The request object contains all authorization request parameters
+     * and is signed to prevent tampering.
+     *
+     * @param params - Request parameters
+     * @returns Signed JWT string
+     */
+    generateRequestJwt(params: RequestJwtParams): Promise<string>;
+    /**
+     * Generates a client assertion JWT for token endpoint authentication.
+     *
+     * The client assertion proves the client's identity using JWT-based
+     * authentication (private_key_jwt method).
+     *
+     * @param audience - Token endpoint URL (or issuer)
+     * @returns Signed JWT string
+     */
+    generateClientAssertionJwt(audience: string): Promise<string>;
+}

package/src/crypto/jwt-helper.js

@@ -0,0 +1,92 @@
+import { SignJWT } from 'jose';
+import { randomUUID } from 'node:crypto';
+/**
+ * Helper class for JWT operations.
+ *
+ * Handles creation and signing of JWTs for:
+ * - Request objects (PAR)
+ * - Client assertions (token endpoint authentication)
+ *
+ * Uses the PS256 algorithm (RSA-PSS with SHA-256) as required by FAPI.
+ */
+export class JwtHelper {
+    /**
+     * Creates a new JwtHelper instance.
+     *
+     * @param signingKey - Private key for signing JWTs
+     * @param signingKid - Key ID to include in JWT header
+     * @param clientId - OAuth client ID
+     */
+    constructor(signingKey, signingKid, clientId) {
+        this.signingKey = signingKey;
+        this.signingKid = signingKid;
+        this.clientId = clientId;
+    }
+    /**
+     * Generates a signed request JWT for PAR.
+     *
+     * The request object contains all authorization request parameters
+     * and is signed to prevent tampering.
+     *
+     * @param params - Request parameters
+     * @returns Signed JWT string
+     */
+    async generateRequestJwt(params) {
+        const now = Math.floor(Date.now() / 1000);
+        return new SignJWT({
+            // OAuth/OIDC parameters
+            iss: this.clientId,
+            aud: params.audience,
+            client_id: this.clientId,
+            scope: params.scope,
+            response_type: params.responseType,
+            redirect_uri: params.redirectUri,
+            // PKCE
+            code_challenge: params.codeChallenge,
+            code_challenge_method: params.codeChallengeMethod,
+            // OIDC parameters
+            state: params.state,
+            nonce: params.nonce,
+            claims: params.claims,
+            prompt: params.prompt,
+            // ConnectID extension
+            purpose: params.purpose,
+            // JWT metadata
+            jti: randomUUID(),
+        })
+            .setProtectedHeader({
+            alg: 'PS256',
+            kid: this.signingKid,
+            typ: 'oauth-authz-req+jwt',
+        })
+            .setIssuedAt(now)
+            .setNotBefore(now) // nbf = iat (required by FAPI)
+            .setExpirationTime(now + 300) // 5 minutes
+            .sign(this.signingKey);
+    }
+    /**
+     * Generates a client assertion JWT for token endpoint authentication.
+     *
+     * The client assertion proves the client's identity using JWT-based
+     * authentication (private_key_jwt method).
+     *
+     * @param audience - Token endpoint URL (or issuer)
+     * @returns Signed JWT string
+     */
+    async generateClientAssertionJwt(audience) {
+        const now = Math.floor(Date.now() / 1000);
+        return new SignJWT({
+            iss: this.clientId,
+            sub: this.clientId,
+            aud: audience,
+            jti: randomUUID(),
+        })
+            .setProtectedHeader({
+            alg: 'PS256',
+            kid: this.signingKid,
+        })
+            .setIssuedAt(now)
+            .setExpirationTime(now + 300) // 5 minutes
+            .sign(this.signingKey);
+    }
+}