@connectid-tools/rp-nodejs-sdk 4.2.1 → 5.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (56) hide show
  1. package/README.md +64 -71
  2. package/config.js +2 -31
  3. package/conformance/api/conformance-api.d.ts +38 -0
  4. package/conformance/api/conformance-api.js +53 -0
  5. package/conformance/conformance-config.d.ts +2 -0
  6. package/conformance/conformance-config.js +34 -0
  7. package/crypto/crypto-loader.d.ts +32 -0
  8. package/crypto/crypto-loader.js +49 -0
  9. package/crypto/jwt-helper.d.ts +61 -0
  10. package/crypto/jwt-helper.js +92 -0
  11. package/crypto/pkce-helper.d.ts +43 -0
  12. package/crypto/pkce-helper.js +75 -0
  13. package/endpoints/participants-endpoint.d.ts +55 -0
  14. package/endpoints/participants-endpoint.js +137 -0
  15. package/endpoints/pushed-authorisation-request-endpoint.d.ts +87 -0
  16. package/endpoints/pushed-authorisation-request-endpoint.js +192 -0
  17. package/endpoints/retrieve-token-endpoint.d.ts +66 -0
  18. package/endpoints/retrieve-token-endpoint.js +159 -0
  19. package/endpoints/userinfo-endpoint.d.ts +24 -0
  20. package/endpoints/userinfo-endpoint.js +50 -0
  21. package/fapi/fapi-utils.d.ts +6 -0
  22. package/fapi/fapi-utils.js +9 -0
  23. package/http/http-client-extensions.d.ts +60 -0
  24. package/http/http-client-extensions.js +106 -0
  25. package/http/http-client-factory.d.ts +27 -0
  26. package/http/http-client-factory.js +45 -0
  27. package/model/callback-params.d.ts +31 -0
  28. package/model/callback-params.js +1 -0
  29. package/model/claims.d.ts +100 -0
  30. package/model/claims.js +1 -0
  31. package/model/consolidated-token-set.d.ts +74 -0
  32. package/model/consolidated-token-set.js +100 -0
  33. package/model/discovery-service.d.ts +46 -0
  34. package/model/discovery-service.js +112 -0
  35. package/model/issuer-metadata.d.ts +165 -0
  36. package/model/issuer-metadata.js +1 -0
  37. package/model/jwks.d.ts +12 -0
  38. package/model/jwks.js +1 -0
  39. package/model/token-response.d.ts +31 -0
  40. package/model/token-response.js +1 -0
  41. package/model/token-set.d.ts +73 -0
  42. package/model/token-set.js +179 -0
  43. package/package.json +4 -5
  44. package/relying-party-client-sdk.d.ts +55 -24
  45. package/relying-party-client-sdk.js +90 -304
  46. package/test-data/large-participants-test-data.d.ts +865 -0
  47. package/test-data/large-participants-test-data.js +18907 -0
  48. package/test-data/participants-test-data.d.ts +149 -0
  49. package/test-data/participants-test-data.js +458 -0
  50. package/test-data/sandbox-participants-test-data.d.ts +865 -0
  51. package/test-data/sandbox-participants-test-data.js +3794 -0
  52. package/types.d.ts +61 -32
  53. package/utils/request-utils.d.ts +1 -1
  54. package/utils/request-utils.js +5 -5
  55. package/utils/user-agent.d.ts +1 -1
  56. package/utils/user-agent.js +1 -1
package/README.md CHANGED
@@ -1,12 +1,12 @@
1
- # Relying Party Node.JS SDK
1
+ # Relying Party Node.js SDK
2
2
 
3
3
  The rp-nodejs-sdk provides an SDK to allows Relying Parties easily integrate with the Digital Identity ecosystem.
4
4
 
5
5
  # Getting Started
6
6
 
7
- > A minimum of Node JS version 20.x is recommended. Download [here](https://nodejs.org/download/release/v20.9.0/).
7
+ > A minimum of Node.js version 20.x is recommended. Download [here](https://nodejs.org/download/release/v20.9.0/).
8
8
 
9
- Install the package in your nodejs project using:
9
+ Install the package in your Node.js project using:
10
10
 
11
11
  ```shell
12
12
  npm install @connectid-tools/rp-nodejs-sdk
@@ -36,9 +36,9 @@ The above code assumes that you have a config file called `config.js` in your pr
36
36
  the configuration required for the sdk, eg: the location of the certificate files, the client details,
37
37
  the callback urls, etc. The configuration attributes are described below.
38
38
 
39
- ## Using Typescript
39
+ ## Using TypeScript
40
40
 
41
- To use Node SDK with Typescript you need to make the following changes in your `tsconfig.json`:
41
+ To use the Node.js SDK with TypeScript you'll need to make the following changes in your `tsconfig.json`:
42
42
 
43
43
  - Set `"target: "es2016"` or higher
44
44
  - Have `"module": "ES2015"` or higher
@@ -61,7 +61,8 @@ Sample tsconfig:
61
61
 
62
62
  ### Setting up SDK config options
63
63
 
64
- `RelyingPartyClientSdkConfig` has some fixed values, specially inside `client` object, to be able to set the config options for the SDK some type gymnastics will be needed as shown below (see `as const`):
64
+ `RelyingPartyClientSdkConfig` has some fixed values. To be able to set the config
65
+ options for the SDK you can use the example as below:
65
66
 
66
67
  ```typescript
67
68
  // index.ts
@@ -75,37 +76,11 @@ const relyingPartyClientSdk = new RelyingPartyClientSdk(config)
75
76
  // config.ts
76
77
  export const config = {
77
78
  data: {
78
- .
79
- .
80
- .
81
- log_level: 'info' as const,
82
- .
83
- .
84
- .
85
- client: {
86
- .
87
- .
88
- .
89
- application_type: 'web' as const,
90
- grant_types: ['client_credentials', 'authorization_code', 'implicit'] as ['client_credentials', 'authorization_code', 'implicit'],
91
- id_token_signed_response_alg: 'PS256' as const,
92
- post_logout_redirect_uris: [] as [],
93
- require_auth_time: false as const,
94
- response_types: ['code id_token', 'code'] as ['code id_token', 'code'],
95
- subject_type: 'public' as const,
96
- token_endpoint_auth_method: 'private_key_jwt' as const,
97
- token_endpoint_auth_signing_alg: 'PS256' as const,
98
- introspection_endpoint_auth_method: 'private_key_jwt' as const,
99
- revocation_endpoint_auth_method: 'private_key_jwt' as const,
100
- request_object_signing_alg: 'PS256' as const,
101
- require_signed_request_object: true as const,
102
- require_pushed_authorization_requests: true as const,
103
- authorization_signed_response_alg: 'PS256' as const,
104
- tls_client_certificate_bound_access_tokens: true as const,
105
- backchannel_user_code_parameter: false as const,
106
- scope: 'openid' as const,
107
- software_roles: ['RP-CORE'] as ['RP-CORE'],
108
- },
79
+ .
80
+ .
81
+ .
82
+ log_level: 'info' as const,
83
+ }
109
84
  ```
110
85
 
111
86
  # rp-nodejs-sdk Configuration
@@ -124,31 +99,27 @@ const RelyingPartyClientSdk = require('@connectid-tools/rp-nodejs-sdk')
124
99
  const rpClient = new RelyingPartyClientSdk(config)
125
100
  ```
126
101
 
127
- | Property | Description | Example value |
128
- | ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
129
- | `ca_pem` | The collection of trusted root certificates that can be used for certification validation. May be an absolute or relative path. | `'./conf/ca.pem' ` |
130
- | `ca_pem_content` | The collection of trusted root certificates content (string) that can be used for certification validation. Overrides `ca_pem`. | `'-----BEGIN CERTIFICATE----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'` |
131
- | `signing_kid` | The id for the signing key in the JWKS. This can be found in the registry via Software Statements -> Client Details -> Certificates | `'Xf1Pf-GXyhryOY5wwg0ddL5yzUicIcQrOIxja0yHhpg'` |
132
- | `signing_key` | The path to the signing key used when signing requests. May be an absolute or relative path. `signing_key` or `signing_key_content` must be used to provide the signing key. | `'./conf/signing.key'` |
133
- | `signing_key_content` | The signing key content (string) used when signing requests. If supplied, will override the key data supplied via `signing_key`. | `'-----BEGIN PRIVATE KEY----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'` |
134
- | `registry_participants_uri` | The URI for the registry endpoint that provides the participant list | `https://data.directory.sandbox.connectid.com.au/participants` |
135
- | `signing_pem` | The path to the signing certificate used when signing requests. May be an absolute or relative path. | `'./conf/signing.pem'` |
136
- | `transport_key` | The path to the transport key used for mutual TLS. May be an absolute or relative path. `transport_key` or `transport_key_content` must be used to provide the transport key. | `'./conf/transport.key'` |
137
- | `transport_key_content` | The transport key content (string) used for mutual TLS. If supplied, will override the key data supplied via `transport_key`. | `'-----BEGIN PRIVATE KEY----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'` |
138
- | `transport_pem` | The path to the transport certificate used for mutual TLS. May be an absolute or relative path. `tranport_pem` or `transport_pem_content` must be used to provide the transport certificate | `'./conf/transport.pem'` |
139
- | `transport_pem_content` | The transport certificate content (string) used for mutual TLS. If supplied, will override the certificate supplied via `transport_pem`. | `'-----BEGIN CERTIFICATE----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'` |
140
- | `application_redirect_uri` | The specific redirect url used for all requests from this rp-nodejs-sdk instance. Must be one of the redirect_urls specified in the registry for the client | `'https://tpp.localhost/cb'` |
141
- | `client.client_id` | Identifies the client. This value is available from the Registry via Software Statements -> Client Details -> Client ID | `'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a'` |
142
- | `client.organisation_id` | Identifies the organisation. This value is available from the Registry via Organisation Details | `'ab837240-9618-4953-966e-90fd1fa63999'` |
143
- | `client.jwks_uri` | The location of the JWKS for this client. Will be in the format: `'https://keystore.directory.sandbox.connectid.com.au/<organisation_id>/<client_id>/application.jwks'` | `'https://keystore.directory.sandbox.connectid.com.au/ab837240-9618-4953-966e-90fd1fa63999/090d41c6-fc27-4b1e-91e9-0fecfc240601/application.jwks'` |
144
- | `client.redirect_uris` | The list of redirect_uris supported by the client. Must only contain URIs specified in the registry. | `['https://demo.relyingpart.net/cb', 'https://tpp.localhost/cb',]` |
145
- | `log_level` | The log level to use for console logs, eg: 'info', 'debug'. Enabling 'debug' will cause all requests and responses to remote servers to be logged. 'debug' must not be used in Production as it will log Personal Information. | `'info'` |
146
- | `cache_ttl` | TTL for the participants list caching. Optional setting. Defaults to 600 seconds if not configured. | `600` |
147
- | `enable_auto_compliance_verification` | When running the OIDC FAPI compliance suite, it requires a call to userInfo after successfully decoding the response claims. If this is set to true, the SDK will automatically make the required call. | `false` |
148
- | `purpose` | The default purpose to be displayed to the consumer on the IDP consent screen to indicate why their data is being requested to be shared | `'verifying your identity'` |
149
- | `include_uncertified_participants` | By default the SDK will filter out all authorisation servers that are not fully certified. If you wish to test one of the uncertified auth servers you will need to set this to `true`. If not provided, defaults to 'false' | `false` |
150
- | `required_claims` | The list of claims that the RP will be using and requires IDPs to support. If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs supporting the claims are returned. If this value is not supplied, no filtering by claim support will be performed. | `['name', 'address']` |
151
- | `required_participant_certifications` | The list of required certifications a server must support for the IDP use case (eg: TDIF Certification). If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs with the certification are returned. If this value is not supplied, no filtering for specific certifications will be performed. | `[{ profileType: 'TDIF Accreditation', profileVariant: 'Identity Provider'}]` |
102
+ | Property | Description | Example value |
103
+ |---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
104
+ | `ca_pem` | The collection of trusted root certificates that can be used for certification validation. May be an absolute or relative path. | `'./conf/ca.pem' ` |
105
+ | `ca_pem_content` | The collection of trusted root certificates content (string) that can be used for certification validation. Overrides `ca_pem`. | `'-----BEGIN CERTIFICATE----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'` |
106
+ | `signing_kid` | The id for the signing key in the JWKS. This can be found in the registry via Software Statements -> Client Details -> Certificates | `'Xf1Pf-GXyhryOY5wwg0ddL5yzUicIcQrOIxja0yHhpg'` |
107
+ | `signing_key` | The path to the signing key used when signing requests. May be an absolute or relative path. `signing_key` or `signing_key_content` must be used to provide the signing key. | `'./conf/signing.key'` |
108
+ | `signing_key_content` | The signing key content (string) used when signing requests. If supplied, will override the key data supplied via `signing_key`. | `'-----BEGIN PRIVATE KEY----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'` |
109
+ | `registry_participants_uri` | The URI for the registry endpoint that provides the participant list | `https://data.directory.sandbox.connectid.com.au/participants` |
110
+ | `signing_pem` | The path to the signing certificate used when signing requests. May be an absolute or relative path. | `'./conf/signing.pem'` |
111
+ | `transport_key` | The path to the transport key used for mutual TLS. May be an absolute or relative path. `transport_key` or `transport_key_content` must be used to provide the transport key. | `'./conf/transport.key'` |
112
+ | `transport_key_content` | The transport key content (string) used for mutual TLS. If supplied, will override the key data supplied via `transport_key`. | `'-----BEGIN PRIVATE KEY----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'` |
113
+ | `transport_pem` | The path to the transport certificate used for mutual TLS. May be an absolute or relative path. `tranport_pem` or `transport_pem_content` must be used to provide the transport certificate | `'./conf/transport.pem'` |
114
+ | `transport_pem_content` | The transport certificate content (string) used for mutual TLS. If supplied, will override the certificate supplied via `transport_pem`. | `'-----BEGIN CERTIFICATE----- MIIFnTCCBIWgAwIBAgIUKl2OAbHVc1r9isRs6WIExS/1BLgwDQYJKoZIhvcNAQEL...'` |
115
+ | `application_redirect_uri` | The specific redirect url used for all requests from this rp-nodejs-sdk instance. Must be one of the redirect_urls specified in the registry for the client | `'https://tpp.localhost/cb'` |
116
+ | `client_id` | Identifies the client. This value is available from the Registry via Software Statements -> Client Details -> Client ID | `'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a'` |
117
+ | `log_level` | The log level to use for console logs, eg: 'info', 'debug'. Enabling 'debug' will cause all requests and responses to remote servers to be logged. 'debug' must not be used in Production as it will log Personal Information. | `'info'` |
118
+ | `enable_auto_compliance_verification` | When running the OIDC FAPI compliance suite, it requires a call to userInfo after successfully decoding the response claims. If this is set to true, the SDK will automatically make the required call. | `false` |
119
+ | `purpose` | The default purpose to be displayed to the consumer on the IDP consent screen to indicate why their data is being requested to be shared | `'verifying your identity'` |
120
+ | `include_uncertified_participants` | By default the SDK will filter out all authorisation servers that are not fully certified. If you wish to test one of the uncertified auth servers you will need to set this to `true`. If not provided, defaults to 'false' | `false` |
121
+ | `required_claims` | The list of claims that the RP will be using and requires IDPs to support. If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs supporting the claims are returned. If this value is not supplied, no filtering by claim support will be performed. | `['name', 'address']` |
122
+ | `required_participant_certifications` | The list of required certifications a server must support for the IDP use case (eg: TDIF Certification). If supplied, this will be used to filter the list of IDPs returned from `getParticipants` so that only IDPs with the certification are returned. If this value is not supplied, no filtering for specific certifications will be performed. | `[{ profileType: 'TDIF Accreditation', profileVariant: 'Identity Provider'}]` |
152
123
 
153
124
  # Process Overview Sequence Diagram
154
125
 
@@ -354,7 +325,7 @@ The required function parameters are:
354
325
  If a user does not consent to `voluntary` claims, but does consent to `essential` claims, this will result in a successful transaction.
355
326
  - `purpose` - the purpose to be displayed to the consumer on the IDP consent screen to indicate why their data is being requested to be shared. If not supplied, the default purpose configured in the SDK config will be used.
356
327
 
357
- The method will return: `{ authUrl, code_verifier, state, nonce, xFapiInteractionId }`. The fields are:
328
+ The method will return: `{ authUrl, codeVerifier, state, nonce, xFapiInteractionId }`. The fields are:
358
329
 
359
330
  - `authUrl` - the URL the user must be redirected to in order to complete the authorisation process with their Identity Provider
360
331
  - `codeVerifier`
@@ -399,9 +370,8 @@ The required function parameters are:
399
370
  - `state` - from the response to the PAR for this identity request
400
371
  - `nonce` - from the response to the PAR for this identity request
401
372
 
402
- The method will return a `ConsolidatedTokenSet` which extends [Tokenset](https://github.com/panva/node-openid-client/blob/main/docs/README.md#class-tokenset)
403
- that contains the access_token and id_token. The user identity claims can be retrieved using the utility method `claims()`
404
- on the TokenSet. The `ConsolidatedTokenSet` provides a new method `consolidatedClaims()`, which will return a single
373
+ The method will return a `ConsolidatedTokenSet` that contains the access_token and id_token. The user identity claims can be retrieved using the utility method `claims()`
374
+ on the ConsolidatedTokenSet. The `ConsolidatedTokenSet` provides a method `consolidatedClaims()`, which will return a single
405
375
  object containing all the claims, including the extended claims, as a single object. The tokenset also contains an `xFapiInteractionId` which
406
376
  is a correlation id for the request that was sent to the IDP.
407
377
 
@@ -419,6 +389,29 @@ The required function parameters are:
419
389
 
420
390
  # Release Notes
421
391
 
392
+ ### 5.0.1 (Jan 16, 2026)
393
+
394
+ * Fixed packaging structure which caused conflicts when including the library.
395
+
396
+ ### 5.0.0 (Jan 15, 2026)
397
+
398
+ **Major architectural refactoring - Breaking Changes**
399
+
400
+ This release removes the dependency on `openid-client` and implements custom OIDC/FAPI flow logic to align with the Java and .NET SDKs.
401
+
402
+ **Breaking Changes:**
403
+ - **Removed `cache_ttl` configuration parameter**: Participant list caching has been removed to align with Java/.NET SDKs.
404
+ - **Internal architecture changes**: The SDK now uses a modular endpoint-based architecture with separate classes for each OIDC operation (PAR, token retrieval, userinfo, etc.).
405
+ - **Configuration changes**: The `client_id` parameter is no longer part of the `client` config, but moved up 1 level.
406
+ - **Configuration changes**: The configuration block for `client` with it's associated parameters is no longer required and has been removed. Please review the `config.ts` for the correct structure and update your configuration accordingly.
407
+
408
+ **Internal Improvements:**
409
+ - Replaced `openid-client` dependency with custom implementation using `jose` library for JWT operations
410
+ - Implemented custom HTTP client with mTLS support
411
+
412
+ **Note:** The public API remains mostly unchanged - all existing public methods maintain the same signatures and behavior, but some of the return types may have become stricter.
413
+ Note that the field `codeVerifier` has been renamed from `code_verifier` to `codeVerifier` to be more in line with TypeScript naming conventions.
414
+
422
415
  ### 4.2.1 (Nov 27, 2025)
423
416
 
424
417
  - Updated dependencies.
@@ -433,7 +426,7 @@ The required function parameters are:
433
426
 
434
427
  ### 4.0.5 (Feb 24, 2025)
435
428
 
436
- - Add README.md and license files to bundle.
429
+ - Add README.md and licence files to bundle.
437
430
 
438
431
  ### 4.0.4 (Feb 21, 2025)
439
432
 
@@ -471,7 +464,7 @@ async sendPushedAuthorisationRequest(authServerId: string, essentialClaims: stri
471
464
 
472
465
  ### 4.0.0 (Sep 23, 2024)
473
466
 
474
- - Updated Node version to 20.x.
467
+ - Updated Node.js version to 20.x.
475
468
  - Removed jest and axios dependencies.
476
469
 
477
470
  ### 3.0.0 (Aug 27, 2024)
@@ -513,7 +506,7 @@ async sendPushedAuthorisationRequest(authServerId: string, essentialClaims: stri
513
506
 
514
507
  ### 2.12.0 (October 19, 2023)
515
508
 
516
- - Added support to Node 18.
509
+ - Added support to Node.js 18.
517
510
 
518
511
  ### 2.11.2 (August 22, 2023)
519
512
 
@@ -592,7 +585,7 @@ async sendPushedAuthorisationRequest(authServerId: string, essentialClaims: stri
592
585
 
593
586
  ### 2.0.7 (Dec 22, 2022)
594
587
 
595
- - Run on Node 14 and 16 (openid-client lib does not support Node 18 yet).
588
+ - Run on Node.js 14 and 16 (openid-client lib does not support Node.js 18 yet).
596
589
 
597
590
  ### 2.0.6 (Dec 21, 2022)
598
591
 
@@ -621,7 +614,7 @@ async sendPushedAuthorisationRequest(authServerId: string, essentialClaims: stri
621
614
 
622
615
  ### 2.0.0 (Dec 19, 2022)
623
616
 
624
- - Typescript support.
617
+ - TypeScript support.
625
618
  - Breaking change: SDK imported using `require` will need to add a `default` at the end of the import.
626
619
 
627
620
  ```javascript
package/config.js CHANGED
@@ -40,36 +40,7 @@ export const config = {
40
40
  // The purpose to be displayed to the consumer to indicate why their data is being requested to be shared
41
41
  // Must be between 3 and 300 chars and not contain any of the following characters: <>(){}'\
42
42
  purpose: 'verifying your identity',
43
- cache_ttl: 600,
44
- client: {
45
- // Update with your client specific metadata. The client_id and organisation_id can be found in the registry.
46
- client_id: 'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a',
47
- organisation_id: 'ab837240-9618-4953-966e-90fd1fa63999',
48
- jwks_uri: 'https://keystore.directory.sandbox.connectid.com.au/ab837240-9618-4953-966e-90fd1fa63999/280518db-9807-4824-b080-324d94b45f6a/application.jwks',
49
- redirect_uris: ['https://demo.relyingpart.net/cb', 'https://tpp.localhost/cb'],
50
- organisation_name: 'ConnectID Developer Tools Sample App',
51
- organisation_number: 'ABN123123123',
52
- software_description: 'App to demonstrate ConnectID end to end flows.',
53
- // The following config is here for reference - you should not need to change any of it
54
- application_type: 'web',
55
- grant_types: ['client_credentials', 'authorization_code', 'implicit'],
56
- id_token_signed_response_alg: 'PS256',
57
- post_logout_redirect_uris: [],
58
- require_auth_time: false,
59
- response_types: ['code id_token', 'code'],
60
- subject_type: 'public',
61
- token_endpoint_auth_method: 'private_key_jwt',
62
- token_endpoint_auth_signing_alg: 'PS256',
63
- introspection_endpoint_auth_method: 'private_key_jwt',
64
- revocation_endpoint_auth_method: 'private_key_jwt',
65
- request_object_signing_alg: 'PS256',
66
- require_signed_request_object: true,
67
- require_pushed_authorization_requests: true,
68
- authorization_signed_response_alg: 'PS256',
69
- tls_client_certificate_bound_access_tokens: true,
70
- backchannel_user_code_parameter: false,
71
- scope: 'openid',
72
- software_roles: ['RP-CORE'],
73
- },
43
+ // Update with your client specific metadata. The client_id can be found in the registry.
44
+ client_id: 'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a',
74
45
  },
75
46
  };
package/conformance/api/conformance-api.d.ts ADDED
@@ -0,0 +1,38 @@
1
+ interface TestModuleInstance {
2
+ id: string;
3
+ name: string;
4
+ url: string;
5
+ }
6
+ interface PlanInfo {
7
+ id: string;
8
+ name: string;
9
+ modules: Module[];
10
+ }
11
+ interface Module {
12
+ testModule: string;
13
+ }
14
+ interface TestInformation {
15
+ planId: string;
16
+ testId: string;
17
+ testName: string;
18
+ started: string;
19
+ status: string;
20
+ result: string;
21
+ version: string;
22
+ }
23
+ interface ErrorResponse {
24
+ error: string;
25
+ message: string;
26
+ }
27
+ declare class ConformanceApi {
28
+ private readonly bearerToken;
29
+ private readonly baseUrl;
30
+ constructor(bearerToken: string, baseUrl?: string);
31
+ createPlan(planName: string, variant: string, config: ConformanceConfig): Promise<PlanInfo>;
32
+ createTestFromPlan(planId: string, testName: string): Promise<TestModuleInstance>;
33
+ getPlanInfo(planId: string): Promise<PlanInfo>;
34
+ getTestInformation(testId: string): Promise<TestInformation>;
35
+ }
36
+ declare class ConformanceConfig {
37
+ }
38
+ export { ConformanceApi, ConformanceConfig, TestModuleInstance, PlanInfo, Module, TestInformation, ErrorResponse };
package/conformance/api/conformance-api.js ADDED
@@ -0,0 +1,53 @@
1
+ import { URLSearchParams } from 'url';
2
+ class ConformanceApi {
3
+ constructor(bearerToken, baseUrl = 'https://www.certification.openid.net/') {
4
+ this.baseUrl = baseUrl;
5
+ this.bearerToken = bearerToken;
6
+ }
7
+ async createPlan(planName, variant, config) {
8
+ const urlSearchParams = new URLSearchParams({ planName, variant }).toString();
9
+ console.log('bearerToken', this.bearerToken);
10
+ console.log('baseUrl', this.baseUrl);
11
+ const response = await fetch(`${this.baseUrl}api/plan?${urlSearchParams}`, {
12
+ method: 'POST',
13
+ headers: {
14
+ 'Content-Type': 'application/json',
15
+ Authorization: `Bearer ${this.bearerToken}`,
16
+ },
17
+ body: JSON.stringify(config),
18
+ });
19
+ return await response.json();
20
+ }
21
+ async createTestFromPlan(planId, testName) {
22
+ const urlSearchParams = new URLSearchParams({ test: testName, plan: planId }).toString();
23
+ const response = await fetch(`${this.baseUrl}api/runner?${urlSearchParams}`, {
24
+ method: 'POST',
25
+ headers: {
26
+ 'Content-Type': 'application/json',
27
+ Authorization: `Bearer ${this.bearerToken}`,
28
+ },
29
+ });
30
+ return await response.json();
31
+ }
32
+ async getPlanInfo(planId) {
33
+ const response = await fetch(`${this.baseUrl}api/plan/${planId}`, {
34
+ headers: {
35
+ 'Content-Type': 'application/json',
36
+ Authorization: `Bearer ${this.bearerToken}`,
37
+ },
38
+ });
39
+ return await response.json();
40
+ }
41
+ async getTestInformation(testId) {
42
+ const response = await fetch(`${this.baseUrl}api/info/${testId}`, {
43
+ headers: {
44
+ 'Content-Type': 'application/json',
45
+ Authorization: `Bearer ${this.bearerToken}`,
46
+ },
47
+ });
48
+ return await response.json();
49
+ }
50
+ }
51
+ class ConformanceConfig {
52
+ }
53
+ export { ConformanceApi, ConformanceConfig };
package/conformance/conformance-config.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ import { RelyingPartyClientSdkConfig } from '../types';
2
+ export declare const conformanceConfig: RelyingPartyClientSdkConfig;
package/conformance/conformance-config.js ADDED
@@ -0,0 +1,34 @@
1
+ export const conformanceConfig = {
2
+ data: {
3
+ // Set the signing Key Id based on what is contained in the JWKS
4
+ signing_kid: 'lHf9shwoF1wEES2sB9TBafbs0AVrLiU-1_ntzCrBo8A',
5
+ // The location of the signing certificate and key that are used for signing purposes
6
+ signing_key: './certs/signing.key',
7
+ signing_pem: './certs/signing.pem', // TODO not being used atm
8
+ // The content (string) of the signing certificate and key that are used for signing purposes - overrides `signing_key` and `signing_pem`
9
+ signing_key_content: '',
10
+ signing_pem_content: '', // TODO not being used atm
11
+ // The location of the transport certificate and key that are used for mutual TLS
12
+ transport_key: './certs/transport.key',
13
+ transport_pem: './certs/transport.pem',
14
+ // The content (string) of the transport certificate and key that are used for mutual TLS - overrides `transport_key` and `transport_pem`
15
+ transport_key_content: '',
16
+ transport_pem_content: '',
17
+ // The location of the root certificate for the trust authority
18
+ ca_pem: './certs/ca.pem',
19
+ // The content (string) of the root certificate for the trust authority - overrides `ca_pem`
20
+ ca_pem_content: '',
21
+ // This is the URL that this application is actually running on and using for callbacks (noting that multiple may be registered for the client)
22
+ application_redirect_uri: 'https://tpp.localhost/cb',
23
+ // The registry API endpoint that will list all participants with their auth server details
24
+ registry_participants_uri: 'https://api.sandbox.connectid.com.au/oidf-conformance/participants?alias=a/conformance-nodejs',
25
+ // The application logging level (info - normal logging, debug - full request/response)
26
+ // This MUST not be set to debug in a production environment as it will log all personal data received
27
+ log_level: 'info',
28
+ // When running the OIDC FAPI compliance suite, it requires a call to user info after successfully decoding the
29
+ // response claims. If this is set to true, the SDK will automatically make the call.
30
+ enable_auto_compliance_verification: true,
31
+ // Update with your client specific metadata. The client_id and organisation_id can be found in the registry.
32
+ client_id: 'https://rp.directory.sandbox.connectid.com.au/openid_relying_party/280518db-9807-4824-b080-324d94b45f6a',
33
+ },
34
+ };
package/crypto/crypto-loader.d.ts ADDED
@@ -0,0 +1,32 @@
1
+ import { KeyObject } from 'node:crypto';
2
+ /**
3
+ * Utility class for loading cryptographic keys and certificates.
4
+ *
5
+ * Handles conversion from PEM format to Node.js crypto objects.
6
+ */
7
+ export declare class CryptoLoader {
8
+ /**
9
+ * Loads a private key from PEM format.
10
+ *
11
+ * @param keyPem - Private key in PEM format (string or Buffer)
12
+ * @returns KeyObject that can be used for signing operations
13
+ * @throws Error if the key cannot be loaded
14
+ */
15
+ static loadPrivateKey(keyPem: string | Buffer): KeyObject;
16
+ /**
17
+ * Loads a certificate from PEM format.
18
+ *
19
+ * @param certPem - Certificate in PEM format (string or Buffer)
20
+ * @returns Certificate as string
21
+ */
22
+ static loadCertificate(certPem: string | Buffer): string;
23
+ /**
24
+ * Loads a certificate chain from PEM format.
25
+ *
26
+ * Handles single or multiple certificates in a PEM bundle.
27
+ *
28
+ * @param caPem - CA certificate(s) in PEM format (string or Buffer)
29
+ * @returns Array of certificates as strings
30
+ */
31
+ static loadCertificateChain(caPem: string | Buffer): string[];
32
+ }
package/crypto/crypto-loader.js ADDED
@@ -0,0 +1,49 @@
1
+ import { createPrivateKey } from 'node:crypto';
2
+ /**
3
+ * Utility class for loading cryptographic keys and certificates.
4
+ *
5
+ * Handles conversion from PEM format to Node.js crypto objects.
6
+ */
7
+ export class CryptoLoader {
8
+ /**
9
+ * Loads a private key from PEM format.
10
+ *
11
+ * @param keyPem - Private key in PEM format (string or Buffer)
12
+ * @returns KeyObject that can be used for signing operations
13
+ * @throws Error if the key cannot be loaded
14
+ */
15
+ static loadPrivateKey(keyPem) {
16
+ try {
17
+ return createPrivateKey(keyPem);
18
+ }
19
+ catch (error) {
20
+ throw new Error(`Failed to load private key: ${error instanceof Error ? error.message : String(error)}`);
21
+ }
22
+ }
23
+ /**
24
+ * Loads a certificate from PEM format.
25
+ *
26
+ * @param certPem - Certificate in PEM format (string or Buffer)
27
+ * @returns Certificate as string
28
+ */
29
+ static loadCertificate(certPem) {
30
+ return typeof certPem === 'string' ? certPem : certPem.toString('utf-8');
31
+ }
32
+ /**
33
+ * Loads a certificate chain from PEM format.
34
+ *
35
+ * Handles single or multiple certificates in a PEM bundle.
36
+ *
37
+ * @param caPem - CA certificate(s) in PEM format (string or Buffer)
38
+ * @returns Array of certificates as strings
39
+ */
40
+ static loadCertificateChain(caPem) {
41
+ const pemString = typeof caPem === 'string' ? caPem : caPem.toString('utf-8');
42
+ // Split on BEGIN CERTIFICATE markers to handle certificate chains
43
+ const certificates = pemString
44
+ .split(/(?=-----BEGIN CERTIFICATE-----)/)
45
+ .map((cert) => cert.trim())
46
+ .filter((cert) => cert.length > 0);
47
+ return certificates;
48
+ }
49
+ }
package/crypto/jwt-helper.d.ts ADDED
@@ -0,0 +1,61 @@
1
+ import { KeyObject } from 'node:crypto';
2
+ import { ClaimsRequest } from '../types.js';
3
+ /**
4
+ * Parameters for generating a request JWT (PAR request object).
5
+ */
6
+ export interface RequestJwtParams {
7
+ issuer: string;
8
+ audience: string;
9
+ redirectUri: string;
10
+ scope: string;
11
+ responseType: string;
12
+ codeChallenge: string;
13
+ codeChallengeMethod: string;
14
+ state: string;
15
+ nonce: string;
16
+ claims: ClaimsRequest;
17
+ purpose: string;
18
+ prompt: string;
19
+ }
20
+ /**
21
+ * Helper class for JWT operations.
22
+ *
23
+ * Handles creation and signing of JWTs for:
24
+ * - Request objects (PAR)
25
+ * - Client assertions (token endpoint authentication)
26
+ *
27
+ * Uses the PS256 algorithm (RSA-PSS with SHA-256) as required by FAPI.
28
+ */
29
+ export declare class JwtHelper {
30
+ private readonly signingKey;
31
+ private readonly signingKid;
32
+ private readonly clientId;
33
+ /**
34
+ * Creates a new JwtHelper instance.
35
+ *
36
+ * @param signingKey - Private key for signing JWTs
37
+ * @param signingKid - Key ID to include in JWT header
38
+ * @param clientId - OAuth client ID
39
+ */
40
+ constructor(signingKey: KeyObject, signingKid: string, clientId: string);
41
+ /**
42
+ * Generates a signed request JWT for PAR.
43
+ *
44
+ * The request object contains all authorization request parameters
45
+ * and is signed to prevent tampering.
46
+ *
47
+ * @param params - Request parameters
48
+ * @returns Signed JWT string
49
+ */
50
+ generateRequestJwt(params: RequestJwtParams): Promise<string>;
51
+ /**
52
+ * Generates a client assertion JWT for token endpoint authentication.
53
+ *
54
+ * The client assertion proves the client's identity using JWT-based
55
+ * authentication (private_key_jwt method).
56
+ *
57
+ * @param audience - Token endpoint URL (or issuer)
58
+ * @returns Signed JWT string
59
+ */
60
+ generateClientAssertionJwt(audience: string): Promise<string>;
61
+ }