@connectid-tools/rp-nodejs-sdk 4.2.1 → 5.0.0

package/src/conformance/conformance.test.js

@@ -0,0 +1,101 @@
+import RelyingPartyClientSdk from '../relying-party-client-sdk.js';
+import { conformanceConfig } from './conformance-config.js';
+import config from './config.json';
+import variant from './variant.json';
+import packageJson from '../../package.json';
+import { parse } from 'url';
+import { ConformanceApi } from './api/conformance-api.js';
+import winston from 'winston';
+import { describe, before, it } from 'node:test';
+import assert from 'node:assert';
+const alias = 'conformance-nodejs-' + Date.now();
+const conformanceEnv = process.env.CONFORMANCE_ENV || 'production';
+const conformanceApiToken = process.env.CONFORMANCE_API_TOKEN || '';
+const conformanceNodeVersion = process.env.CONFORMANCE_NODE_VERSION || 'unknown';
+const participantsEnv = conformanceEnv === 'production' ? '' : conformanceEnv;
+conformanceConfig.data.registry_participants_uri = `https://api.sandbox.connectid.com.au/oidf-conformance/participants?alias=a/${alias}&env=${participantsEnv}`;
+const rpClient = new RelyingPartyClientSdk(conformanceConfig);
+const conformanceEnvUrls = new Map([
+    ['staging', 'https://staging.certification.openid.net/'],
+    ['production', 'https://www.certification.openid.net/']
+]);
+const conformanceBaseUrl = conformanceEnvUrls.get(conformanceEnv);
+console.log(`Selected environment ${conformanceEnv}, baseUrl: ${conformanceBaseUrl}`);
+const conformanceApi = new ConformanceApi(conformanceApiToken, conformanceBaseUrl);
+describe('Conformance Test', { timeout: 600000 }, () => {
+    let planInfo;
+    before(async () => {
+        const planName = 'fapi2-message-signing-id1-client-test-plan';
+        config.description = `NodeJS SDK ${packageJson.version} (NodeJS v${conformanceNodeVersion})`;
+        config.alias = alias;
+        planInfo = await conformanceApi.createPlan(planName, JSON.stringify(variant), config);
+    });
+    it('should execute the conformance test', async () => {
+        const testModules = planInfo.modules.map((module) => module.testModule);
+        for (const testName of testModules) {
+            console.log(`Executing test ${testName}`);
+            // We are mimicking an application log here.
+            const logger = createTestLogger(testName);
+            rpClient.logger = logger;
+            const testInstance = await conformanceApi.createTestFromPlan(planInfo.id, testName);
+            let testInformation = await conformanceApi.getTestInformation(testInstance.id);
+            logger.info(`Executing version ${testInformation.version} of ${testName}`);
+            console.log(`See ${conformanceBaseUrl}log-detail.html?log=${testInstance.id}`);
+            const idps = await rpClient.getParticipants();
+            const authorisationServerId = idps[0].AuthorisationServers[0].AuthorisationServerId;
+            logger.info(`Sending PAR to ${authorisationServerId}`);
+            const essentialClaims = ['given_name', 'middle_name', 'family_name', 'phone_number', 'email', 'address', 'birthdate', 'txn'];
+            const parResponse = await rpClient.sendPushedAuthorisationRequest(authorisationServerId, essentialClaims);
+            const response = await fetch(parResponse.authUrl, {
+                redirect: 'manual',
+            });
+            if (response.status !== 303) {
+                console.error(`Expected 303, got ${response.status}`);
+                throw new Error(`Expected 303, got ${response.status}`);
+            }
+            const location = response.headers.get('location');
+            if (!location) {
+                throw new Error('No location header');
+            }
+            const locationObj = parse(location, true);
+            logger.info(`Executing ${testName}`);
+            try {
+                logger.info('Getting tokens');
+                await rpClient.retrieveTokens(authorisationServerId, locationObj.query, parResponse.codeVerifier, parResponse.state, parResponse.nonce);
+                logger.info('Tokens successfully retrieved');
+            }
+            catch (e) {
+                logger.error('An error occured while getting tokens:' + getErrorMessage(e));
+                console.log(e);
+            }
+            while (testInformation.status !== 'FINISHED') {
+                await delay(250);
+                testInformation = await conformanceApi.getTestInformation(testInstance.id);
+            }
+            logger.info(`Test finished with result: ${testInformation.result}, status: ${testInformation.status}`);
+            console.log('Full test information:', JSON.stringify(testInformation, null, 2));
+            assert.ok(['WARNING', 'PASSED'].includes(testInformation.result));
+            if (testInformation.result === 'WARNING') {
+                console.log(`*** A warning occurred while executing ${testName}, please check the logs!!! ***`);
+            }
+            // TODO: download the logs and store them in Github
+        }
+    });
+});
+function delay(time) {
+    // @ts-ignore
+    return new Promise((resolve) => setTimeout(resolve, time));
+}
+function getErrorMessage(error) {
+    if (error instanceof Error)
+        return error.message;
+    return String(error);
+}
+function createTestLogger(testName) {
+    return winston.createLogger({
+        level: 'info',
+        format: winston.format.simple(),
+        defaultMeta: { service: 'conformance-test' },
+        transports: [new winston.transports.File({ filename: `logs/${testName}.log` })],
+    });
+}

package/src/conformance/variant.json

@@ -0,0 +1 @@
+{ "client_auth_type": "private_key_jwt", "fapi_request_method": "signed_non_repudiation", "fapi_client_type": "oidc", "sender_constrain": "mtls", "fapi_profile": "connectid_au", "fapi_response_mode": "plain_response" }

package/src/crypto/crypto-loader.d.ts

@@ -0,0 +1,32 @@
+import { KeyObject } from 'node:crypto';
+/**
+ * Utility class for loading cryptographic keys and certificates.
+ *
+ * Handles conversion from PEM format to Node.js crypto objects.
+ */
+export declare class CryptoLoader {
+    /**
+     * Loads a private key from PEM format.
+     *
+     * @param keyPem - Private key in PEM format (string or Buffer)
+     * @returns KeyObject that can be used for signing operations
+     * @throws Error if the key cannot be loaded
+     */
+    static loadPrivateKey(keyPem: string | Buffer): KeyObject;
+    /**
+     * Loads a certificate from PEM format.
+     *
+     * @param certPem - Certificate in PEM format (string or Buffer)
+     * @returns Certificate as string
+     */
+    static loadCertificate(certPem: string | Buffer): string;
+    /**
+     * Loads a certificate chain from PEM format.
+     *
+     * Handles single or multiple certificates in a PEM bundle.
+     *
+     * @param caPem - CA certificate(s) in PEM format (string or Buffer)
+     * @returns Array of certificates as strings
+     */
+    static loadCertificateChain(caPem: string | Buffer): string[];
+}

package/src/crypto/crypto-loader.js

@@ -0,0 +1,49 @@
+import { createPrivateKey } from 'node:crypto';
+/**
+ * Utility class for loading cryptographic keys and certificates.
+ *
+ * Handles conversion from PEM format to Node.js crypto objects.
+ */
+export class CryptoLoader {
+    /**
+     * Loads a private key from PEM format.
+     *
+     * @param keyPem - Private key in PEM format (string or Buffer)
+     * @returns KeyObject that can be used for signing operations
+     * @throws Error if the key cannot be loaded
+     */
+    static loadPrivateKey(keyPem) {
+        try {
+            return createPrivateKey(keyPem);
+        }
+        catch (error) {
+            throw new Error(`Failed to load private key: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    /**
+     * Loads a certificate from PEM format.
+     *
+     * @param certPem - Certificate in PEM format (string or Buffer)
+     * @returns Certificate as string
+     */
+    static loadCertificate(certPem) {
+        return typeof certPem === 'string' ? certPem : certPem.toString('utf-8');
+    }
+    /**
+     * Loads a certificate chain from PEM format.
+     *
+     * Handles single or multiple certificates in a PEM bundle.
+     *
+     * @param caPem - CA certificate(s) in PEM format (string or Buffer)
+     * @returns Array of certificates as strings
+     */
+    static loadCertificateChain(caPem) {
+        const pemString = typeof caPem === 'string' ? caPem : caPem.toString('utf-8');
+        // Split on BEGIN CERTIFICATE markers to handle certificate chains
+        const certificates = pemString
+            .split(/(?=-----BEGIN CERTIFICATE-----)/)
+            .map((cert) => cert.trim())
+            .filter((cert) => cert.length > 0);
+        return certificates;
+    }
+}

package/src/crypto/jwt-helper.d.ts

@@ -0,0 +1,61 @@
+import { KeyObject } from 'node:crypto';
+import { ClaimsRequest } from '../types.js';
+/**
+ * Parameters for generating a request JWT (PAR request object).
+ */
+export interface RequestJwtParams {
+    issuer: string;
+    audience: string;
+    redirectUri: string;
+    scope: string;
+    responseType: string;
+    codeChallenge: string;
+    codeChallengeMethod: string;
+    state: string;
+    nonce: string;
+    claims: ClaimsRequest;
+    purpose: string;
+    prompt: string;
+}
+/**
+ * Helper class for JWT operations.
+ *
+ * Handles creation and signing of JWTs for:
+ * - Request objects (PAR)
+ * - Client assertions (token endpoint authentication)
+ *
+ * Uses the PS256 algorithm (RSA-PSS with SHA-256) as required by FAPI.
+ */
+export declare class JwtHelper {
+    private readonly signingKey;
+    private readonly signingKid;
+    private readonly clientId;
+    /**
+     * Creates a new JwtHelper instance.
+     *
+     * @param signingKey - Private key for signing JWTs
+     * @param signingKid - Key ID to include in JWT header
+     * @param clientId - OAuth client ID
+     */
+    constructor(signingKey: KeyObject, signingKid: string, clientId: string);
+    /**
+     * Generates a signed request JWT for PAR.
+     *
+     * The request object contains all authorization request parameters
+     * and is signed to prevent tampering.
+     *
+     * @param params - Request parameters
+     * @returns Signed JWT string
+     */
+    generateRequestJwt(params: RequestJwtParams): Promise<string>;
+    /**
+     * Generates a client assertion JWT for token endpoint authentication.
+     *
+     * The client assertion proves the client's identity using JWT-based
+     * authentication (private_key_jwt method).
+     *
+     * @param audience - Token endpoint URL (or issuer)
+     * @returns Signed JWT string
+     */
+    generateClientAssertionJwt(audience: string): Promise<string>;
+}

package/src/crypto/jwt-helper.js

@@ -0,0 +1,92 @@
+import { SignJWT } from 'jose';
+import { randomUUID } from 'node:crypto';
+/**
+ * Helper class for JWT operations.
+ *
+ * Handles creation and signing of JWTs for:
+ * - Request objects (PAR)
+ * - Client assertions (token endpoint authentication)
+ *
+ * Uses the PS256 algorithm (RSA-PSS with SHA-256) as required by FAPI.
+ */
+export class JwtHelper {
+    /**
+     * Creates a new JwtHelper instance.
+     *
+     * @param signingKey - Private key for signing JWTs
+     * @param signingKid - Key ID to include in JWT header
+     * @param clientId - OAuth client ID
+     */
+    constructor(signingKey, signingKid, clientId) {
+        this.signingKey = signingKey;
+        this.signingKid = signingKid;
+        this.clientId = clientId;
+    }
+    /**
+     * Generates a signed request JWT for PAR.
+     *
+     * The request object contains all authorization request parameters
+     * and is signed to prevent tampering.
+     *
+     * @param params - Request parameters
+     * @returns Signed JWT string
+     */
+    async generateRequestJwt(params) {
+        const now = Math.floor(Date.now() / 1000);
+        return new SignJWT({
+            // OAuth/OIDC parameters
+            iss: this.clientId,
+            aud: params.audience,
+            client_id: this.clientId,
+            scope: params.scope,
+            response_type: params.responseType,
+            redirect_uri: params.redirectUri,
+            // PKCE
+            code_challenge: params.codeChallenge,
+            code_challenge_method: params.codeChallengeMethod,
+            // OIDC parameters
+            state: params.state,
+            nonce: params.nonce,
+            claims: params.claims,
+            prompt: params.prompt,
+            // ConnectID extension
+            purpose: params.purpose,
+            // JWT metadata
+            jti: randomUUID(),
+        })
+            .setProtectedHeader({
+            alg: 'PS256',
+            kid: this.signingKid,
+            typ: 'oauth-authz-req+jwt',
+        })
+            .setIssuedAt(now)
+            .setNotBefore(now) // nbf = iat (required by FAPI)
+            .setExpirationTime(now + 300) // 5 minutes
+            .sign(this.signingKey);
+    }
+    /**
+     * Generates a client assertion JWT for token endpoint authentication.
+     *
+     * The client assertion proves the client's identity using JWT-based
+     * authentication (private_key_jwt method).
+     *
+     * @param audience - Token endpoint URL (or issuer)
+     * @returns Signed JWT string
+     */
+    async generateClientAssertionJwt(audience) {
+        const now = Math.floor(Date.now() / 1000);
+        return new SignJWT({
+            iss: this.clientId,
+            sub: this.clientId,
+            aud: audience,
+            jti: randomUUID(),
+        })
+            .setProtectedHeader({
+            alg: 'PS256',
+            kid: this.signingKid,
+        })
+            .setIssuedAt(now)
+            .setExpirationTime(now + 300) // 5 minutes
+            .sign(this.signingKey);
+    }
+}

package/src/crypto/pkce-helper.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Helper class for PKCE (Proof Key for Code Exchange) operations.
+ *
+ * Implements RFC 7636 with S256 code challenge method.
+ * All random values use cryptographically secure random number generation.
+ */
+export declare class PkceHelper {
+    /**
+     * Generates a cryptographically random state parameter.
+     *
+     * Used to prevent CSRF attacks during the authorization flow.
+     *
+     * @returns Base64URL-encoded random string (48 bytes -> ~64 characters)
+     */
+    static generateState(): string;
+    /**
+     * Generates a cryptographically random nonce.
+     *
+     * Used to associate a client session with an ID token and mitigate replay attacks.
+     *
+     * @returns Base64URL-encoded random string (43 characters)
+     */
+    static generateNonce(): string;
+    /**
+     * Generates a code verifier for PKCE.
+     *
+     * The code verifier is a cryptographically random string that is used to
+     * correlate the authorization request with the token request.
+     *
+     * @returns Base64URL-encoded random string (43-128 characters)
+     */
+    static generateCodeVerifier(): string;
+    /**
+     * Generates a code challenge from a code verifier using S256 method.
+     *
+     * The code challenge is sent in the authorization request, and the
+     * code verifier is sent in the token request.
+     *
+     * @param codeVerifier - The code verifier to hash
+     * @returns Base64URL-encoded SHA256 hash of the code verifier
+     */
+    static generateCodeChallenge(codeVerifier: string): string;
+}

package/src/crypto/pkce-helper.js

@@ -0,0 +1,75 @@
+import { randomBytes, createHash } from 'node:crypto';
+/**
+ * Helper class for PKCE (Proof Key for Code Exchange) operations.
+ *
+ * Implements RFC 7636 with S256 code challenge method.
+ * All random values use cryptographically secure random number generation.
+ */
+export class PkceHelper {
+    /**
+     * Generates a cryptographically random state parameter.
+     *
+     * Used to prevent CSRF attacks during the authorization flow.
+     *
+     * @returns Base64URL-encoded random string (48 bytes -> ~64 characters)
+     */
+    static generateState() {
+        // 48 bytes of random data -> 64 chars in base64url
+        return base64urlEncode(randomBytes(48));
+    }
+    /**
+     * Generates a cryptographically random nonce.
+     *
+     * Used to associate a client session with an ID token and mitigate replay attacks.
+     *
+     * @returns Base64URL-encoded random string (43 characters)
+     */
+    static generateNonce() {
+        // Generate 32 bytes and take first 43 chars (OIDC spec requirement)
+        return base64urlEncode(randomBytes(32)).substring(0, 43);
+    }
+    /**
+     * Generates a code verifier for PKCE.
+     *
+     * The code verifier is a cryptographically random string that is used to
+     * correlate the authorization request with the token request.
+     *
+     * @returns Base64URL-encoded random string (43-128 characters)
+     */
+    static generateCodeVerifier() {
+        // 32 bytes -> 43 chars in base64url (minimum required by spec)
+        return base64urlEncode(randomBytes(32));
+    }
+    /**
+     * Generates a code challenge from a code verifier using S256 method.
+     *
+     * The code challenge is sent in the authorization request, and the
+     * code verifier is sent in the token request.
+     *
+     * @param codeVerifier - The code verifier to hash
+     * @returns Base64URL-encoded SHA256 hash of the code verifier
+     */
+    static generateCodeChallenge(codeVerifier) {
+        // SHA256 hash the code verifier and base64url encode it
+        const hash = createHash('sha256').update(codeVerifier).digest();
+        return base64urlEncode(hash);
+    }
+}
+/**
+ * Encodes a buffer to base64url format (RFC 4648).
+ *
+ * Base64URL is base64 with URL-safe characters:
+ * - '+' becomes '-'
+ * - '/' becomes '_'
+ * - Padding '=' is removed
+ *
+ * @param buffer - Data to encode
+ * @returns Base64URL-encoded string
+ */
+function base64urlEncode(buffer) {
+    return buffer
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}

package/src/endpoints/participants-endpoint.d.ts

@@ -0,0 +1,55 @@
+import { Agent } from 'undici';
+import { Logger } from 'winston';
+import { AuthorisationServer, Participant, RelyingPartyClientSdkConfig } from '../types.js';
+import ParticipantFilters from '../filter/participant-filters.js';
+/**
+ * Participants Endpoint
+ *
+ * Handles fetching and filtering of participant lists from the registry.
+ * Does NOT cache - fetches fresh data on every call
+ */
+export declare class ParticipantsEndpoint {
+    private readonly sdkConfig;
+    private readonly participantFilters;
+    private readonly httpClient;
+    private readonly logger;
+    private readonly getCurrentDate;
+    constructor(sdkConfig: RelyingPartyClientSdkConfig, participantFilters: ParticipantFilters, httpClient: Agent, logger: Logger, getCurrentDate: () => Date);
+    /**
+     * Retrieves the list of active participants.
+     *
+     * Applies filtering based on SDK configuration:
+     * - Removes fallback identity service provider
+     * - Filters by certification status (if not include_uncertified_participants)
+     * - Filters by required claims (if specified)
+     * - Filters by required certifications (if specified)
+     * - Removes inactive auth servers
+     * - Removes participants without auth servers
+     *
+     * @returns Filtered list of participants
+     */
+    getParticipants(): Promise<Participant[]>;
+    /**
+     * Retrieves the list of fallback provider participants.
+     *
+     * Returns ONLY the fallback identity service provider participants.
+     * Applies certification filtering before returning.
+     *
+     * @returns List of fallback provider participants
+     */
+    getFallbackProviderParticipants(): Promise<Participant[]>;
+    /**
+     * Fetches participants from the registry.
+     *
+     * @param uri - Registry participants URI
+     * @returns Raw list of participants
+     */
+    fetchParticipants(uri: string): Promise<Participant[]>;
+    /**
+     * Gets authorization server details by ID.
+     *
+     * @param authServerId - Authorization server ID
+     * @returns Authorization server details
+     */
+    getAuthServerDetails(authServerId: string): Promise<AuthorisationServer>;
+}

package/src/endpoints/participants-endpoint.js

@@ -0,0 +1,137 @@
+import { HttpClientExtensions } from '../http/http-client-extensions.js';
+import { randomUUID } from 'node:crypto';
+/**
+ * Participants Endpoint
+ *
+ * Handles fetching and filtering of participant lists from the registry.
+ * Does NOT cache - fetches fresh data on every call
+ */
+export class ParticipantsEndpoint {
+    constructor(sdkConfig, participantFilters, httpClient, logger, getCurrentDate) {
+        this.sdkConfig = sdkConfig;
+        this.participantFilters = participantFilters;
+        this.httpClient = httpClient;
+        this.logger = logger;
+        this.getCurrentDate = getCurrentDate;
+    }
+    /**
+     * Retrieves the list of active participants.
+     *
+     * Applies filtering based on SDK configuration:
+     * - Removes fallback identity service provider
+     * - Filters by certification status (if not include_uncertified_participants)
+     * - Filters by required claims (if specified)
+     * - Filters by required certifications (if specified)
+     * - Removes inactive auth servers
+     * - Removes participants without auth servers
+     *
+     * @returns Filtered list of participants
+     */
+    async getParticipants() {
+        const participantsUri = this.sdkConfig.data.registry_participants_uri;
+        try {
+            const participants = await this.fetchParticipants(this.sdkConfig.data.registry_participants_uri);
+            this.logger.info(`Retrieved identity providers from ${participantsUri}, num orgs found: ${participants.length}`);
+            // Remove fallback identity service provider
+            let filteredParticipants = this.participantFilters.removeFallbackIdentityServiceProvider(participants);
+            // If include_uncertified_participants is true, skip certification filtering
+            if (this.sdkConfig.data.include_uncertified_participants) {
+                this.logger.info('Include uncertified participants enabled - skipping certification filters');
+                filteredParticipants = this.participantFilters.removeParticipantsWithoutAuthServers(filteredParticipants);
+                this.logger.info(`Returning ${filteredParticipants.length} participants (unfiltered)`);
+                return filteredParticipants;
+            }
+            // Apply certification filtering
+            filteredParticipants = this.participantFilters.removeOutOfDateCertifications(filteredParticipants, this.getCurrentDate());
+            filteredParticipants = this.participantFilters.removeUnofficialCertifications(filteredParticipants);
+            // Apply required claims filtering
+            if (this.sdkConfig.data.required_claims) {
+                this.logger.debug(`Identity provider list filtered for participants that support the following claims: ${JSON.stringify(this.sdkConfig.data.required_claims)}`);
+                filteredParticipants = this.participantFilters.filterAuthServersForSupportedClaims(filteredParticipants, this.sdkConfig.data.required_claims);
+            }
+            // Apply required certifications filtering
+            if (this.sdkConfig.data.required_participant_certifications) {
+                this.logger.debug(`Identity provider list filtered for participants that support the following certifications: ${JSON.stringify(this.sdkConfig.data.required_participant_certifications)}`);
+                filteredParticipants = this.participantFilters.filterForRequiredCertifications(filteredParticipants, this.sdkConfig.data.required_participant_certifications);
+            }
+            filteredParticipants = this.participantFilters.removeInactiveAuthServers(filteredParticipants);
+            filteredParticipants = this.participantFilters.removeParticipantsWithoutAuthServers(filteredParticipants);
+            this.logger.info(`Returning ${filteredParticipants.length} participants after filtering`);
+            return filteredParticipants;
+        }
+        catch (err) {
+            throw new Error(`Unable to get participants from ${participantsUri}, ${err}`);
+        }
+    }
+    /**
+     * Retrieves the list of fallback provider participants.
+     *
+     * Returns ONLY the fallback identity service provider participants.
+     * Applies certification filtering before returning.
+     *
+     * @returns List of fallback provider participants
+     */
+    async getFallbackProviderParticipants() {
+        const participantsUri = this.sdkConfig.data.registry_participants_uri;
+        try {
+            const participants = await this.fetchParticipants(participantsUri);
+            this.logger.info(`Retrieved identity providers from ${participantsUri}, num orgs found: ${participants.length}`);
+            // Apply certification filtering
+            let filteredParticipants = this.participantFilters.removeOutOfDateCertifications(participants, this.getCurrentDate());
+            filteredParticipants = this.participantFilters.removeUnofficialCertifications(filteredParticipants);
+            filteredParticipants = this.participantFilters.filterForFallbackIdentityServiceProviders(filteredParticipants);
+            filteredParticipants = this.participantFilters.removeParticipantsWithoutAuthServers(filteredParticipants);
+            this.logger.info(`Returning ${filteredParticipants.length} fallback provider participants`);
+            return filteredParticipants;
+        }
+        catch (err) {
+            throw new Error(`Unable to get participants from ${participantsUri}, ${err}`);
+        }
+    }
+    /**
+     * Fetches participants from the registry.
+     *
+     * @param uri - Registry participants URI
+     * @returns Raw list of participants
+     */
+    async fetchParticipants(uri) {
+        try {
+            const response = await HttpClientExtensions.get(uri, {
+                agent: this.httpClient,
+                clientId: this.sdkConfig.data.client_id,
+                xFapiInteractionId: randomUUID(),
+            });
+            return await HttpClientExtensions.parseJsonResponse(response);
+        }
+        catch (error) {
+            throw new Error(`Failed to fetch participants from ${uri}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    /**
+     * Gets authorization server details by ID.
+     *
+     * @param authServerId - Authorization server ID
+     * @returns Authorization server details
+     */
+    async getAuthServerDetails(authServerId) {
+        // First, check in regular participants
+        const participantList = await this.getParticipants();
+        const servers = participantList.map(({ AuthorisationServers }) => AuthorisationServers).flat();
+        let found = servers.find(({ AuthorisationServerId }) => AuthorisationServerId === authServerId);
+        if (!found) {
+            // Check if it is one of the fallback servers
+            const fallbackIdps = await this.getFallbackProviderParticipants();
+            const fallbackServers = fallbackIdps.map(({ AuthorisationServers }) => AuthorisationServers).flat();
+            found = fallbackServers.find(({ AuthorisationServerId }) => AuthorisationServerId === authServerId);
+            if (!found) {
+                // Let the user know if it was an auth server that was filtered out
+                const allParticipants = await this.fetchParticipants(this.sdkConfig.data.registry_participants_uri);
+                const allAuthServers = allParticipants.map(({ AuthorisationServers }) => AuthorisationServers).flat();
+                const exists = allAuthServers.find(({ AuthorisationServerId }) => AuthorisationServerId === authServerId);
+                const additionalLogInfo = exists ? ` Server exists but was filtered from results due to config settings for 'include_uncertified_participants', 'required_participant_certifications' and 'required_claims'` : '';
+                throw new Error(`Unable to find specified Authorisation Server: ${authServerId}${additionalLogInfo}`);
+            }
+        }
+        return found;
+    }
+}