@connectid-tools/rp-nodejs-sdk 4.2.1 → 5.0.1

package/crypto/jwt-helper.js

@@ -0,0 +1,92 @@
+import { SignJWT } from 'jose';
+import { randomUUID } from 'node:crypto';
+/**
+ * Helper class for JWT operations.
+ *
+ * Handles creation and signing of JWTs for:
+ * - Request objects (PAR)
+ * - Client assertions (token endpoint authentication)
+ *
+ * Uses the PS256 algorithm (RSA-PSS with SHA-256) as required by FAPI.
+ */
+export class JwtHelper {
+    /**
+     * Creates a new JwtHelper instance.
+     *
+     * @param signingKey - Private key for signing JWTs
+     * @param signingKid - Key ID to include in JWT header
+     * @param clientId - OAuth client ID
+     */
+    constructor(signingKey, signingKid, clientId) {
+        this.signingKey = signingKey;
+        this.signingKid = signingKid;
+        this.clientId = clientId;
+    }
+    /**
+     * Generates a signed request JWT for PAR.
+     *
+     * The request object contains all authorization request parameters
+     * and is signed to prevent tampering.
+     *
+     * @param params - Request parameters
+     * @returns Signed JWT string
+     */
+    async generateRequestJwt(params) {
+        const now = Math.floor(Date.now() / 1000);
+        return new SignJWT({
+            // OAuth/OIDC parameters
+            iss: this.clientId,
+            aud: params.audience,
+            client_id: this.clientId,
+            scope: params.scope,
+            response_type: params.responseType,
+            redirect_uri: params.redirectUri,
+            // PKCE
+            code_challenge: params.codeChallenge,
+            code_challenge_method: params.codeChallengeMethod,
+            // OIDC parameters
+            state: params.state,
+            nonce: params.nonce,
+            claims: params.claims,
+            prompt: params.prompt,
+            // ConnectID extension
+            purpose: params.purpose,
+            // JWT metadata
+            jti: randomUUID(),
+        })
+            .setProtectedHeader({
+            alg: 'PS256',
+            kid: this.signingKid,
+            typ: 'oauth-authz-req+jwt',
+        })
+            .setIssuedAt(now)
+            .setNotBefore(now) // nbf = iat (required by FAPI)
+            .setExpirationTime(now + 300) // 5 minutes
+            .sign(this.signingKey);
+    }
+    /**
+     * Generates a client assertion JWT for token endpoint authentication.
+     *
+     * The client assertion proves the client's identity using JWT-based
+     * authentication (private_key_jwt method).
+     *
+     * @param audience - Token endpoint URL (or issuer)
+     * @returns Signed JWT string
+     */
+    async generateClientAssertionJwt(audience) {
+        const now = Math.floor(Date.now() / 1000);
+        return new SignJWT({
+            iss: this.clientId,
+            sub: this.clientId,
+            aud: audience,
+            jti: randomUUID(),
+        })
+            .setProtectedHeader({
+            alg: 'PS256',
+            kid: this.signingKid,
+        })
+            .setIssuedAt(now)
+            .setExpirationTime(now + 300) // 5 minutes
+            .sign(this.signingKey);
+    }
+}

package/crypto/pkce-helper.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Helper class for PKCE (Proof Key for Code Exchange) operations.
+ *
+ * Implements RFC 7636 with S256 code challenge method.
+ * All random values use cryptographically secure random number generation.
+ */
+export declare class PkceHelper {
+    /**
+     * Generates a cryptographically random state parameter.
+     *
+     * Used to prevent CSRF attacks during the authorization flow.
+     *
+     * @returns Base64URL-encoded random string (48 bytes -> ~64 characters)
+     */
+    static generateState(): string;
+    /**
+     * Generates a cryptographically random nonce.
+     *
+     * Used to associate a client session with an ID token and mitigate replay attacks.
+     *
+     * @returns Base64URL-encoded random string (43 characters)
+     */
+    static generateNonce(): string;
+    /**
+     * Generates a code verifier for PKCE.
+     *
+     * The code verifier is a cryptographically random string that is used to
+     * correlate the authorization request with the token request.
+     *
+     * @returns Base64URL-encoded random string (43-128 characters)
+     */
+    static generateCodeVerifier(): string;
+    /**
+     * Generates a code challenge from a code verifier using S256 method.
+     *
+     * The code challenge is sent in the authorization request, and the
+     * code verifier is sent in the token request.
+     *
+     * @param codeVerifier - The code verifier to hash
+     * @returns Base64URL-encoded SHA256 hash of the code verifier
+     */
+    static generateCodeChallenge(codeVerifier: string): string;
+}

package/crypto/pkce-helper.js

@@ -0,0 +1,75 @@
+import { randomBytes, createHash } from 'node:crypto';
+/**
+ * Helper class for PKCE (Proof Key for Code Exchange) operations.
+ *
+ * Implements RFC 7636 with S256 code challenge method.
+ * All random values use cryptographically secure random number generation.
+ */
+export class PkceHelper {
+    /**
+     * Generates a cryptographically random state parameter.
+     *
+     * Used to prevent CSRF attacks during the authorization flow.
+     *
+     * @returns Base64URL-encoded random string (48 bytes -> ~64 characters)
+     */
+    static generateState() {
+        // 48 bytes of random data -> 64 chars in base64url
+        return base64urlEncode(randomBytes(48));
+    }
+    /**
+     * Generates a cryptographically random nonce.
+     *
+     * Used to associate a client session with an ID token and mitigate replay attacks.
+     *
+     * @returns Base64URL-encoded random string (43 characters)
+     */
+    static generateNonce() {
+        // Generate 32 bytes and take first 43 chars (OIDC spec requirement)
+        return base64urlEncode(randomBytes(32)).substring(0, 43);
+    }
+    /**
+     * Generates a code verifier for PKCE.
+     *
+     * The code verifier is a cryptographically random string that is used to
+     * correlate the authorization request with the token request.
+     *
+     * @returns Base64URL-encoded random string (43-128 characters)
+     */
+    static generateCodeVerifier() {
+        // 32 bytes -> 43 chars in base64url (minimum required by spec)
+        return base64urlEncode(randomBytes(32));
+    }
+    /**
+     * Generates a code challenge from a code verifier using S256 method.
+     *
+     * The code challenge is sent in the authorization request, and the
+     * code verifier is sent in the token request.
+     *
+     * @param codeVerifier - The code verifier to hash
+     * @returns Base64URL-encoded SHA256 hash of the code verifier
+     */
+    static generateCodeChallenge(codeVerifier) {
+        // SHA256 hash the code verifier and base64url encode it
+        const hash = createHash('sha256').update(codeVerifier).digest();
+        return base64urlEncode(hash);
+    }
+}
+/**
+ * Encodes a buffer to base64url format (RFC 4648).
+ *
+ * Base64URL is base64 with URL-safe characters:
+ * - '+' becomes '-'
+ * - '/' becomes '_'
+ * - Padding '=' is removed
+ *
+ * @param buffer - Data to encode
+ * @returns Base64URL-encoded string
+ */
+function base64urlEncode(buffer) {
+    return buffer
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}

package/endpoints/participants-endpoint.d.ts

@@ -0,0 +1,55 @@
+import { Agent } from 'undici';
+import { Logger } from 'winston';
+import { AuthorisationServer, Participant, RelyingPartyClientSdkConfig } from '../types.js';
+import ParticipantFilters from '../filter/participant-filters.js';
+/**
+ * Participants Endpoint
+ *
+ * Handles fetching and filtering of participant lists from the registry.
+ * Does NOT cache - fetches fresh data on every call
+ */
+export declare class ParticipantsEndpoint {
+    private readonly sdkConfig;
+    private readonly participantFilters;
+    private readonly httpClient;
+    private readonly logger;
+    private readonly getCurrentDate;
+    constructor(sdkConfig: RelyingPartyClientSdkConfig, participantFilters: ParticipantFilters, httpClient: Agent, logger: Logger, getCurrentDate: () => Date);
+    /**
+     * Retrieves the list of active participants.
+     *
+     * Applies filtering based on SDK configuration:
+     * - Removes fallback identity service provider
+     * - Filters by certification status (if not include_uncertified_participants)
+     * - Filters by required claims (if specified)
+     * - Filters by required certifications (if specified)
+     * - Removes inactive auth servers
+     * - Removes participants without auth servers
+     *
+     * @returns Filtered list of participants
+     */
+    getParticipants(): Promise<Participant[]>;
+    /**
+     * Retrieves the list of fallback provider participants.
+     *
+     * Returns ONLY the fallback identity service provider participants.
+     * Applies certification filtering before returning.
+     *
+     * @returns List of fallback provider participants
+     */
+    getFallbackProviderParticipants(): Promise<Participant[]>;
+    /**
+     * Fetches participants from the registry.
+     *
+     * @param uri - Registry participants URI
+     * @returns Raw list of participants
+     */
+    fetchParticipants(uri: string): Promise<Participant[]>;
+    /**
+     * Gets authorization server details by ID.
+     *
+     * @param authServerId - Authorization server ID
+     * @returns Authorization server details
+     */
+    getAuthServerDetails(authServerId: string): Promise<AuthorisationServer>;
+}

package/endpoints/participants-endpoint.js

@@ -0,0 +1,137 @@
+import { HttpClientExtensions } from '../http/http-client-extensions.js';
+import { randomUUID } from 'node:crypto';
+/**
+ * Participants Endpoint
+ *
+ * Handles fetching and filtering of participant lists from the registry.
+ * Does NOT cache - fetches fresh data on every call
+ */
+export class ParticipantsEndpoint {
+    constructor(sdkConfig, participantFilters, httpClient, logger, getCurrentDate) {
+        this.sdkConfig = sdkConfig;
+        this.participantFilters = participantFilters;
+        this.httpClient = httpClient;
+        this.logger = logger;
+        this.getCurrentDate = getCurrentDate;
+    }
+    /**
+     * Retrieves the list of active participants.
+     *
+     * Applies filtering based on SDK configuration:
+     * - Removes fallback identity service provider
+     * - Filters by certification status (if not include_uncertified_participants)
+     * - Filters by required claims (if specified)
+     * - Filters by required certifications (if specified)
+     * - Removes inactive auth servers
+     * - Removes participants without auth servers
+     *
+     * @returns Filtered list of participants
+     */
+    async getParticipants() {
+        const participantsUri = this.sdkConfig.data.registry_participants_uri;
+        try {
+            const participants = await this.fetchParticipants(this.sdkConfig.data.registry_participants_uri);
+            this.logger.info(`Retrieved identity providers from ${participantsUri}, num orgs found: ${participants.length}`);
+            // Remove fallback identity service provider
+            let filteredParticipants = this.participantFilters.removeFallbackIdentityServiceProvider(participants);
+            // If include_uncertified_participants is true, skip certification filtering
+            if (this.sdkConfig.data.include_uncertified_participants) {
+                this.logger.info('Include uncertified participants enabled - skipping certification filters');
+                filteredParticipants = this.participantFilters.removeParticipantsWithoutAuthServers(filteredParticipants);
+                this.logger.info(`Returning ${filteredParticipants.length} participants (unfiltered)`);
+                return filteredParticipants;
+            }
+            // Apply certification filtering
+            filteredParticipants = this.participantFilters.removeOutOfDateCertifications(filteredParticipants, this.getCurrentDate());
+            filteredParticipants = this.participantFilters.removeUnofficialCertifications(filteredParticipants);
+            // Apply required claims filtering
+            if (this.sdkConfig.data.required_claims) {
+                this.logger.debug(`Identity provider list filtered for participants that support the following claims: ${JSON.stringify(this.sdkConfig.data.required_claims)}`);
+                filteredParticipants = this.participantFilters.filterAuthServersForSupportedClaims(filteredParticipants, this.sdkConfig.data.required_claims);
+            }
+            // Apply required certifications filtering
+            if (this.sdkConfig.data.required_participant_certifications) {
+                this.logger.debug(`Identity provider list filtered for participants that support the following certifications: ${JSON.stringify(this.sdkConfig.data.required_participant_certifications)}`);
+                filteredParticipants = this.participantFilters.filterForRequiredCertifications(filteredParticipants, this.sdkConfig.data.required_participant_certifications);
+            }
+            filteredParticipants = this.participantFilters.removeInactiveAuthServers(filteredParticipants);
+            filteredParticipants = this.participantFilters.removeParticipantsWithoutAuthServers(filteredParticipants);
+            this.logger.info(`Returning ${filteredParticipants.length} participants after filtering`);
+            return filteredParticipants;
+        }
+        catch (err) {
+            throw new Error(`Unable to get participants from ${participantsUri}, ${err}`);
+        }
+    }
+    /**
+     * Retrieves the list of fallback provider participants.
+     *
+     * Returns ONLY the fallback identity service provider participants.
+     * Applies certification filtering before returning.
+     *
+     * @returns List of fallback provider participants
+     */
+    async getFallbackProviderParticipants() {
+        const participantsUri = this.sdkConfig.data.registry_participants_uri;
+        try {
+            const participants = await this.fetchParticipants(participantsUri);
+            this.logger.info(`Retrieved identity providers from ${participantsUri}, num orgs found: ${participants.length}`);
+            // Apply certification filtering
+            let filteredParticipants = this.participantFilters.removeOutOfDateCertifications(participants, this.getCurrentDate());
+            filteredParticipants = this.participantFilters.removeUnofficialCertifications(filteredParticipants);
+            filteredParticipants = this.participantFilters.filterForFallbackIdentityServiceProviders(filteredParticipants);
+            filteredParticipants = this.participantFilters.removeParticipantsWithoutAuthServers(filteredParticipants);
+            this.logger.info(`Returning ${filteredParticipants.length} fallback provider participants`);
+            return filteredParticipants;
+        }
+        catch (err) {
+            throw new Error(`Unable to get participants from ${participantsUri}, ${err}`);
+        }
+    }
+    /**
+     * Fetches participants from the registry.
+     *
+     * @param uri - Registry participants URI
+     * @returns Raw list of participants
+     */
+    async fetchParticipants(uri) {
+        try {
+            const response = await HttpClientExtensions.get(uri, {
+                agent: this.httpClient,
+                clientId: this.sdkConfig.data.client_id,
+                xFapiInteractionId: randomUUID(),
+            });
+            return await HttpClientExtensions.parseJsonResponse(response);
+        }
+        catch (error) {
+            throw new Error(`Failed to fetch participants from ${uri}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    /**
+     * Gets authorization server details by ID.
+     *
+     * @param authServerId - Authorization server ID
+     * @returns Authorization server details
+     */
+    async getAuthServerDetails(authServerId) {
+        // First, check in regular participants
+        const participantList = await this.getParticipants();
+        const servers = participantList.map(({ AuthorisationServers }) => AuthorisationServers).flat();
+        let found = servers.find(({ AuthorisationServerId }) => AuthorisationServerId === authServerId);
+        if (!found) {
+            // Check if it is one of the fallback servers
+            const fallbackIdps = await this.getFallbackProviderParticipants();
+            const fallbackServers = fallbackIdps.map(({ AuthorisationServers }) => AuthorisationServers).flat();
+            found = fallbackServers.find(({ AuthorisationServerId }) => AuthorisationServerId === authServerId);
+            if (!found) {
+                // Let the user know if it was an auth server that was filtered out
+                const allParticipants = await this.fetchParticipants(this.sdkConfig.data.registry_participants_uri);
+                const allAuthServers = allParticipants.map(({ AuthorisationServers }) => AuthorisationServers).flat();
+                const exists = allAuthServers.find(({ AuthorisationServerId }) => AuthorisationServerId === authServerId);
+                const additionalLogInfo = exists ? ` Server exists but was filtered from results due to config settings for 'include_uncertified_participants', 'required_participant_certifications' and 'required_claims'` : '';
+                throw new Error(`Unable to find specified Authorisation Server: ${authServerId}${additionalLogInfo}`);
+            }
+        }
+        return found;
+    }
+}

package/endpoints/pushed-authorisation-request-endpoint.d.ts

@@ -0,0 +1,87 @@
+import { Agent } from 'undici';
+import { Logger } from 'winston';
+import { RelyingPartyClientSdkConfig } from '../types.js';
+import { JwtHelper } from '../crypto/jwt-helper.js';
+import { ParticipantsEndpoint } from './participants-endpoint';
+/**
+ * Response from the Pushed Authorization Request endpoint.
+ */
+export interface PARResponse {
+    /**
+     * The full authorization URL to redirect the user to.
+     */
+    authUrl: string;
+    /**
+     * The PKCE code verifier (to be sent with token request).
+     */
+    codeVerifier: string;
+    /**
+     * The state parameter (for CSRF protection).
+     */
+    state: string;
+    /**
+     * The nonce parameter (for ID token validation).
+     */
+    nonce: string;
+    /**
+     * The fapi-interaction-id
+     */
+    xFapiInteractionId: string;
+}
+/**
+ * Pushed Authorization Request Endpoint
+ *
+ * Handles the PAR flow as defined in RFC 9126.
+ * Creates signed request objects and submits them to the PAR endpoint.
+ */
+export declare class PushedAuthorisationRequestEndpoint {
+    private readonly sdkConfig;
+    private readonly httpClient;
+    private readonly jwtHelper;
+    private readonly logger;
+    private readonly participantsEndpoint;
+    private static readonly EXTENDED_CLAIMS;
+    constructor(sdkConfig: RelyingPartyClientSdkConfig, httpClient: Agent, jwtHelper: JwtHelper, logger: Logger, participantsEndpoint: ParticipantsEndpoint);
+    /**
+     * Sends a Pushed Authorization Request to the authorization server.
+     *
+     * @param authServerId - Authorization server details
+     * @param essentialClaims - Claims that must be provided
+     * @param voluntaryClaims - Claims that are optional
+     * @param purpose - Purpose string for data sharing
+     * @returns PAR response with authorization URL and PKCE parameters
+     */
+    sendPushedAuthorisationRequest(authServerId: string, essentialClaims: string[], voluntaryClaims: string[], purpose: string): Promise<PARResponse>;
+    private generateRequest;
+    /**
+     * Generates the claims request object.
+     *
+     * Separates claims into basic and extended categories.
+     * Extended claims go into the verified_claims structure.
+     *
+     * @param essentialClaims - Claims that must be provided
+     * @param voluntaryClaims - Claims that are optional
+     * @returns Structured claims request
+     */
+    private generateClaimsRequest;
+    /**
+     * Sends the PAR request to the authorization server.
+     *
+     * @param parEndpoint - PAR endpoint URL
+     * @param requestJwt - Signed request JWT
+     * @param clientAssertion - Client assertion JWT for authentication
+     * @param xFapiInteractionId - FAPI interaction ID
+     * @returns PAR endpoint response
+     */
+    private sendPARRequest;
+    /**
+     * Constructs the authorization URL.
+     *
+     * Per RFC 9126, only client_id and request_uri should be included.
+     *
+     * @param authorizationEndpoint - Authorization endpoint URL
+     * @param requestUri - Request URI from PAR response
+     * @returns Full authorization URL
+     */
+    private constructAuthorizationUrl;
+}

package/endpoints/pushed-authorisation-request-endpoint.js

@@ -0,0 +1,192 @@
+import { PkceHelper } from '../crypto/pkce-helper.js';
+import { DiscoveryService } from '../model/discovery-service.js';
+import { HttpClientExtensions } from '../http/http-client-extensions.js';
+import { illegalPurposeChars, validatePurpose } from '../validator.js';
+import { generateXFapiInteractionId } from '../fapi/fapi-utils.js';
+/**
+ * Pushed Authorization Request Endpoint
+ *
+ * Handles the PAR flow as defined in RFC 9126.
+ * Creates signed request objects and submits them to the PAR endpoint.
+ */
+export class PushedAuthorisationRequestEndpoint {
+    constructor(sdkConfig, httpClient, jwtHelper, logger, participantsEndpoint) {
+        this.sdkConfig = sdkConfig;
+        this.httpClient = httpClient;
+        this.jwtHelper = jwtHelper;
+        this.logger = logger;
+        this.participantsEndpoint = participantsEndpoint;
+    }
+    /**
+     * Sends a Pushed Authorization Request to the authorization server.
+     *
+     * @param authServerId - Authorization server details
+     * @param essentialClaims - Claims that must be provided
+     * @param voluntaryClaims - Claims that are optional
+     * @param purpose - Purpose string for data sharing
+     * @returns PAR response with authorization URL and PKCE parameters
+     */
+    async sendPushedAuthorisationRequest(authServerId, essentialClaims, voluntaryClaims, purpose) {
+        // Validate purpose
+        const purposeValidation = validatePurpose(purpose);
+        if (purposeValidation === 'INVALID_LENGTH') {
+            this.logger.warn('Purpose must be between 3 and 300 characters');
+            throw new Error(`Invalid purpose for supplied for PAR: ${purpose}`);
+        }
+        if (purposeValidation === 'INVALID_CHARACTERS') {
+            this.logger.warn(`Purpose cannot contain any of the following characters: ${illegalPurposeChars.join(',')}, purpose supplied: [${purpose}]`);
+            throw new Error(`Invalid purpose for supplied for PAR: ${purpose}`);
+        }
+        const xFapiInteractionId = generateXFapiInteractionId();
+        try {
+            const essentialClaimsWithTxn = [...new Set([...essentialClaims, 'txn'])];
+            const claimsRequest = this.generateClaimsRequest(essentialClaims, voluntaryClaims);
+            const authServer = await this.participantsEndpoint.getAuthServerDetails(authServerId);
+            const { authUrl, codeVerifier, state, nonce } = await this.generateRequest(authServer, claimsRequest, purpose, xFapiInteractionId);
+            this.logger.info(`Sent PAR to auth server: ${authServer.AuthorisationServerId} - ${authServer.CustomerFriendlyName}, essential claims: ${essentialClaimsWithTxn}, voluntary claims: ${voluntaryClaims}, x-fapi-interaction-id: ${xFapiInteractionId}`);
+            return {
+                authUrl,
+                codeVerifier: codeVerifier,
+                state,
+                nonce,
+                xFapiInteractionId,
+            };
+        }
+        catch (err) {
+            this.logger.error(`Error sending pushed authorisation request to authorisation server ${authServerId}, x-fapi-interaction-id: ${xFapiInteractionId}.`, err);
+            throw new Error(`Unable to send pushed authorisation request to ${authServerId}, x-fapi-interaction-id: ${xFapiInteractionId} - ${err}`);
+        }
+    }
+    async generateRequest(authServer, claimsRequest, purpose, xFapiInteractionId) {
+        // Fetch discovery document
+        const discoveryMetadata = await DiscoveryService.fetchDiscoveryDocument(authServer.OpenIDDiscoveryDocument, this.httpClient);
+        if (!discoveryMetadata.pushed_authorization_request_endpoint) {
+            throw new Error(`Authorization server ${authServer.AuthorisationServerId} does not support PAR`);
+        }
+        // Generate PKCE parameters
+        const state = PkceHelper.generateState();
+        const nonce = PkceHelper.generateNonce();
+        const codeVerifier = PkceHelper.generateCodeVerifier();
+        const codeChallenge = PkceHelper.generateCodeChallenge(codeVerifier);
+        this.logger.debug(`Generated PKCE parameters - state: ${state.substring(0, 10)}..., nonce: ${nonce.substring(0, 10)}...`);
+        this.logger.debug(`Claims request: ${JSON.stringify(claimsRequest, null, 2)}`);
+        // Create signed request JWT
+        const requestJwt = await this.jwtHelper.generateRequestJwt({
+            issuer: this.sdkConfig.data.client_id,
+            audience: discoveryMetadata.issuer,
+            redirectUri: this.sdkConfig.data.application_redirect_uri,
+            scope: 'openid',
+            responseType: 'code',
+            codeChallenge,
+            codeChallengeMethod: 'S256',
+            state,
+            nonce,
+            claims: claimsRequest,
+            purpose,
+            prompt: 'consent',
+        });
+        // Create client assertion for authentication
+        const clientAssertion = await this.jwtHelper.generateClientAssertionJwt(discoveryMetadata.issuer);
+        // Send PAR request
+        const parResponse = await this.sendPARRequest(discoveryMetadata.pushed_authorization_request_endpoint, requestJwt, clientAssertion, xFapiInteractionId);
+        this.logger.info(`PAR request successful, request_uri: ${parResponse.request_uri}, expires_in: ${parResponse.expires_in}s`);
+        // Construct authorization URL
+        // RFC 9126: Only client_id and request_uri should be sent
+        const authUrl = this.constructAuthorizationUrl(discoveryMetadata.authorization_endpoint, parResponse.request_uri);
+        this.logger.debug(`Authorization URL: ${authUrl}`);
+        return {
+            authUrl,
+            codeVerifier: codeVerifier,
+            state,
+            nonce,
+        };
+    }
+    /**
+     * Generates the claims request object.
+     *
+     * Separates claims into basic and extended categories.
+     * Extended claims go into the verified_claims structure.
+     *
+     * @param essentialClaims - Claims that must be provided
+     * @param voluntaryClaims - Claims that are optional
+     * @returns Structured claims request
+     */
+    generateClaimsRequest(essentialClaims, voluntaryClaims) {
+        // Remove duplicates (essential takes precedence)
+        const filteredVoluntary = voluntaryClaims.filter((c) => !essentialClaims.includes(c));
+        // Partition claims into basic and extended
+        const essentialExtended = essentialClaims.filter((c) => PushedAuthorisationRequestEndpoint.EXTENDED_CLAIMS.includes(c));
+        const essentialBasic = essentialClaims.filter((c) => !PushedAuthorisationRequestEndpoint.EXTENDED_CLAIMS.includes(c));
+        const voluntaryExtended = filteredVoluntary.filter((c) => PushedAuthorisationRequestEndpoint.EXTENDED_CLAIMS.includes(c));
+        const voluntaryBasic = filteredVoluntary.filter((c) => !PushedAuthorisationRequestEndpoint.EXTENDED_CLAIMS.includes(c));
+        const claimsRequest = { id_token: {} };
+        // Add basic claims directly to id_token
+        essentialBasic.forEach((claim) => {
+            claimsRequest.id_token[claim] = { essential: true };
+        });
+        voluntaryBasic.forEach((claim) => {
+            claimsRequest.id_token[claim] = { essential: false };
+        });
+        // Add extended claims to verified_claims structure
+        if (essentialExtended.length > 0 || voluntaryExtended.length > 0) {
+            claimsRequest.id_token.verified_claims = {
+                verification: {
+                    trust_framework: { value: 'au_connectid' },
+                },
+                claims: {},
+            };
+            essentialExtended.forEach((claim) => {
+                claimsRequest.id_token.verified_claims.claims[claim] = {
+                    essential: true,
+                };
+            });
+            voluntaryExtended.forEach((claim) => {
+                claimsRequest.id_token.verified_claims.claims[claim] = {
+                    essential: false,
+                };
+            });
+        }
+        return claimsRequest;
+    }
+    /**
+     * Sends the PAR request to the authorization server.
+     *
+     * @param parEndpoint - PAR endpoint URL
+     * @param requestJwt - Signed request JWT
+     * @param clientAssertion - Client assertion JWT for authentication
+     * @param xFapiInteractionId - FAPI interaction ID
+     * @returns PAR endpoint response
+     */
+    async sendPARRequest(parEndpoint, requestJwt, clientAssertion, xFapiInteractionId) {
+        const body = new URLSearchParams({
+            request: requestJwt,
+            client_assertion: clientAssertion,
+            client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+        });
+        this.logger.debug(`Sending PAR request to: ${parEndpoint}`);
+        this.logger.debug(`  with body: ${body}`);
+        const response = await HttpClientExtensions.postForm(parEndpoint, body, {
+            agent: this.httpClient,
+            clientId: this.sdkConfig.data.client_id,
+            xFapiInteractionId,
+        });
+        return HttpClientExtensions.parseJsonResponse(response);
+    }
+    /**
+     * Constructs the authorization URL.
+     *
+     * Per RFC 9126, only client_id and request_uri should be included.
+     *
+     * @param authorizationEndpoint - Authorization endpoint URL
+     * @param requestUri - Request URI from PAR response
+     * @returns Full authorization URL
+     */
+    constructAuthorizationUrl(authorizationEndpoint, requestUri) {
+        const url = new URL(authorizationEndpoint);
+        url.searchParams.set('client_id', this.sdkConfig.data.client_id);
+        url.searchParams.set('request_uri', requestUri);
+        return url.toString();
+    }
+}
+// Extended claims list for ConnectID
+PushedAuthorisationRequestEndpoint.EXTENDED_CLAIMS = ['over16', 'over18', 'over21', 'over25', 'over65', 'beneficiary_account_au', 'beneficiary_account_au_payid', 'beneficiary_account_international', 'cba_loyalty'];