@openid4vc/oauth2 0.2.1-alpha-20250130103023 → 0.3.0-alpha-20250202020720
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +9460 -1143
- package/dist/index.d.ts +9460 -1143
- package/dist/index.js +540 -529
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +505 -494
- package/dist/index.mjs.map +1 -1
- package/package.json +3 -3
package/dist/index.js
CHANGED
|
@@ -31,7 +31,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
|
|
|
31
31
|
var src_exports = {};
|
|
32
32
|
__export(src_exports, {
|
|
33
33
|
HashAlgorithm: () => HashAlgorithm,
|
|
34
|
-
InvalidFetchResponseError: () =>
|
|
34
|
+
InvalidFetchResponseError: () => import_utils42.InvalidFetchResponseError,
|
|
35
35
|
Oauth2AuthorizationServer: () => Oauth2AuthorizationServer,
|
|
36
36
|
Oauth2Client: () => Oauth2Client,
|
|
37
37
|
Oauth2ClientAuthorizationChallengeError: () => Oauth2ClientAuthorizationChallengeError,
|
|
@@ -56,31 +56,31 @@ __export(src_exports, {
|
|
|
56
56
|
fetchJwks: () => fetchJwks,
|
|
57
57
|
fetchWellKnownMetadata: () => fetchWellKnownMetadata,
|
|
58
58
|
getAuthorizationServerMetadataFromList: () => getAuthorizationServerMetadataFromList,
|
|
59
|
-
getGlobalConfig: () =>
|
|
59
|
+
getGlobalConfig: () => import_utils41.getGlobalConfig,
|
|
60
60
|
isJwkInSet: () => isJwkInSet,
|
|
61
61
|
jwtHeaderFromJwtSigner: () => jwtHeaderFromJwtSigner,
|
|
62
62
|
jwtSignerFromJwt: () => jwtSignerFromJwt,
|
|
63
63
|
preAuthorizedCodeGrantIdentifier: () => preAuthorizedCodeGrantIdentifier,
|
|
64
64
|
refreshTokenGrantIdentifier: () => refreshTokenGrantIdentifier,
|
|
65
65
|
resourceRequest: () => resourceRequest,
|
|
66
|
-
setGlobalConfig: () =>
|
|
67
|
-
vAuthorizationCodeGrantIdentifier: () => vAuthorizationCodeGrantIdentifier,
|
|
68
|
-
vAuthorizationServerMetadata: () => vAuthorizationServerMetadata,
|
|
69
|
-
vCompactJwt: () => vCompactJwt,
|
|
70
|
-
vJwk: () => vJwk,
|
|
71
|
-
vJwtHeader: () => vJwtHeader,
|
|
72
|
-
vJwtPayload: () => vJwtPayload,
|
|
73
|
-
vOauth2ErrorResponse: () => vOauth2ErrorResponse,
|
|
74
|
-
vPreAuthorizedCodeGrantIdentifier: () => vPreAuthorizedCodeGrantIdentifier,
|
|
75
|
-
vRefreshTokenGrantIdentifier: () => vRefreshTokenGrantIdentifier,
|
|
66
|
+
setGlobalConfig: () => import_utils41.setGlobalConfig,
|
|
76
67
|
verifyJwt: () => verifyJwt,
|
|
77
|
-
verifyResourceRequest: () => verifyResourceRequest
|
|
68
|
+
verifyResourceRequest: () => verifyResourceRequest,
|
|
69
|
+
zAuthorizationCodeGrantIdentifier: () => zAuthorizationCodeGrantIdentifier,
|
|
70
|
+
zAuthorizationServerMetadata: () => zAuthorizationServerMetadata,
|
|
71
|
+
zCompactJwt: () => zCompactJwt,
|
|
72
|
+
zJwk: () => zJwk,
|
|
73
|
+
zJwtHeader: () => zJwtHeader,
|
|
74
|
+
zJwtPayload: () => zJwtPayload,
|
|
75
|
+
zOauth2ErrorResponse: () => zOauth2ErrorResponse,
|
|
76
|
+
zPreAuthorizedCodeGrantIdentifier: () => zPreAuthorizedCodeGrantIdentifier,
|
|
77
|
+
zRefreshTokenGrantIdentifier: () => zRefreshTokenGrantIdentifier
|
|
78
78
|
});
|
|
79
79
|
module.exports = __toCommonJS(src_exports);
|
|
80
|
-
var
|
|
80
|
+
var import_utils41 = require("@openid4vc/utils");
|
|
81
81
|
|
|
82
|
-
// src/common/
|
|
83
|
-
var
|
|
82
|
+
// src/common/z-oauth2-error.ts
|
|
83
|
+
var import_zod = __toESM(require("zod"));
|
|
84
84
|
var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes2) => {
|
|
85
85
|
Oauth2ErrorCodes2["ServerError"] = "server_error";
|
|
86
86
|
Oauth2ErrorCodes2["InvalidTarget"] = "invalid_target";
|
|
@@ -106,52 +106,54 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes2) => {
|
|
|
106
106
|
Oauth2ErrorCodes2["InvalidEncryptionParameters"] = "invalid_encryption_parameters";
|
|
107
107
|
return Oauth2ErrorCodes2;
|
|
108
108
|
})(Oauth2ErrorCodes || {});
|
|
109
|
-
var
|
|
110
|
-
error:
|
|
111
|
-
error_description:
|
|
112
|
-
error_uri:
|
|
113
|
-
});
|
|
109
|
+
var zOauth2ErrorResponse = import_zod.default.object({
|
|
110
|
+
error: import_zod.default.union([import_zod.default.nativeEnum(Oauth2ErrorCodes), import_zod.default.string()]),
|
|
111
|
+
error_description: import_zod.default.string().optional(),
|
|
112
|
+
error_uri: import_zod.default.string().optional()
|
|
113
|
+
}).passthrough();
|
|
114
114
|
|
|
115
115
|
// src/common/jwk/jwk-thumbprint.ts
|
|
116
|
-
var v2 = __toESM(require("valibot"));
|
|
117
116
|
var import_utils = require("@openid4vc/utils");
|
|
118
|
-
var
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
),
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
}
|
|
149
|
-
|
|
150
|
-
)
|
|
151
|
-
|
|
117
|
+
var import_zod2 = __toESM(require("zod"));
|
|
118
|
+
var zJwkThumbprintComponents = import_zod2.default.discriminatedUnion("kty", [
|
|
119
|
+
import_zod2.default.object({
|
|
120
|
+
kty: import_zod2.default.literal("EC"),
|
|
121
|
+
crv: import_zod2.default.string(),
|
|
122
|
+
x: import_zod2.default.string(),
|
|
123
|
+
y: import_zod2.default.string()
|
|
124
|
+
}),
|
|
125
|
+
import_zod2.default.object({
|
|
126
|
+
kty: import_zod2.default.literal("OKP"),
|
|
127
|
+
crv: import_zod2.default.string(),
|
|
128
|
+
x: import_zod2.default.string()
|
|
129
|
+
}),
|
|
130
|
+
import_zod2.default.object({
|
|
131
|
+
kty: import_zod2.default.literal("RSA"),
|
|
132
|
+
e: import_zod2.default.string(),
|
|
133
|
+
n: import_zod2.default.string()
|
|
134
|
+
}),
|
|
135
|
+
import_zod2.default.object({
|
|
136
|
+
kty: import_zod2.default.literal("oct"),
|
|
137
|
+
k: import_zod2.default.string()
|
|
138
|
+
})
|
|
139
|
+
]).transform((data) => {
|
|
140
|
+
if (data.kty === "EC") {
|
|
141
|
+
return { crv: data.crv, kty: data.kty, x: data.x, y: data.y };
|
|
142
|
+
}
|
|
143
|
+
if (data.kty === "OKP") {
|
|
144
|
+
return { crv: data.crv, kty: data.kty, x: data.x };
|
|
145
|
+
}
|
|
146
|
+
if (data.kty === "RSA") {
|
|
147
|
+
return { e: data.e, kty: data.kty, n: data.n };
|
|
148
|
+
}
|
|
149
|
+
if (data.kty === "oct") {
|
|
150
|
+
return { k: data.k, kty: data.kty };
|
|
151
|
+
}
|
|
152
|
+
throw new Error("Unsupported kty");
|
|
153
|
+
});
|
|
152
154
|
async function calculateJwkThumbprint(options) {
|
|
153
155
|
const jwkThumbprintComponents = (0, import_utils.parseWithErrorHandling)(
|
|
154
|
-
|
|
156
|
+
zJwkThumbprintComponents,
|
|
155
157
|
options.jwk,
|
|
156
158
|
`Provided jwk does not match a supported jwk structure. Either the 'kty' is not supported, or required values are missing.`
|
|
157
159
|
);
|
|
@@ -212,44 +214,42 @@ async function isJwkInSet({
|
|
|
212
214
|
return false;
|
|
213
215
|
}
|
|
214
216
|
|
|
215
|
-
// src/common/jwk/
|
|
216
|
-
var
|
|
217
|
-
var
|
|
218
|
-
kty:
|
|
219
|
-
crv:
|
|
220
|
-
x:
|
|
221
|
-
y:
|
|
222
|
-
e:
|
|
223
|
-
n:
|
|
224
|
-
alg:
|
|
225
|
-
d:
|
|
226
|
-
dp:
|
|
227
|
-
dq:
|
|
228
|
-
ext:
|
|
229
|
-
k:
|
|
230
|
-
key_ops:
|
|
231
|
-
kid:
|
|
232
|
-
oth:
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
d:
|
|
236
|
-
r:
|
|
237
|
-
t:
|
|
238
|
-
})
|
|
217
|
+
// src/common/jwk/z-jwk.ts
|
|
218
|
+
var import_zod3 = __toESM(require("zod"));
|
|
219
|
+
var zJwk = import_zod3.default.object({
|
|
220
|
+
kty: import_zod3.default.string(),
|
|
221
|
+
crv: import_zod3.default.optional(import_zod3.default.string()),
|
|
222
|
+
x: import_zod3.default.optional(import_zod3.default.string()),
|
|
223
|
+
y: import_zod3.default.optional(import_zod3.default.string()),
|
|
224
|
+
e: import_zod3.default.optional(import_zod3.default.string()),
|
|
225
|
+
n: import_zod3.default.optional(import_zod3.default.string()),
|
|
226
|
+
alg: import_zod3.default.optional(import_zod3.default.string()),
|
|
227
|
+
d: import_zod3.default.optional(import_zod3.default.string()),
|
|
228
|
+
dp: import_zod3.default.optional(import_zod3.default.string()),
|
|
229
|
+
dq: import_zod3.default.optional(import_zod3.default.string()),
|
|
230
|
+
ext: import_zod3.default.optional(import_zod3.default.boolean()),
|
|
231
|
+
k: import_zod3.default.optional(import_zod3.default.string()),
|
|
232
|
+
key_ops: import_zod3.default.optional(import_zod3.default.string()),
|
|
233
|
+
kid: import_zod3.default.optional(import_zod3.default.string()),
|
|
234
|
+
oth: import_zod3.default.optional(
|
|
235
|
+
import_zod3.default.array(
|
|
236
|
+
import_zod3.default.object({
|
|
237
|
+
d: import_zod3.default.optional(import_zod3.default.string()),
|
|
238
|
+
r: import_zod3.default.optional(import_zod3.default.string()),
|
|
239
|
+
t: import_zod3.default.optional(import_zod3.default.string())
|
|
240
|
+
}).passthrough()
|
|
239
241
|
)
|
|
240
242
|
),
|
|
241
|
-
p:
|
|
242
|
-
q:
|
|
243
|
-
qi:
|
|
244
|
-
use:
|
|
245
|
-
x5c:
|
|
246
|
-
x5t:
|
|
247
|
-
"x5t#S256":
|
|
248
|
-
x5u:
|
|
249
|
-
});
|
|
250
|
-
var
|
|
251
|
-
keys: v3.array(vJwk)
|
|
252
|
-
});
|
|
243
|
+
p: import_zod3.default.optional(import_zod3.default.string()),
|
|
244
|
+
q: import_zod3.default.optional(import_zod3.default.string()),
|
|
245
|
+
qi: import_zod3.default.optional(import_zod3.default.string()),
|
|
246
|
+
use: import_zod3.default.optional(import_zod3.default.string()),
|
|
247
|
+
x5c: import_zod3.default.optional(import_zod3.default.string()),
|
|
248
|
+
x5t: import_zod3.default.optional(import_zod3.default.string()),
|
|
249
|
+
"x5t#S256": import_zod3.default.optional(import_zod3.default.string()),
|
|
250
|
+
x5u: import_zod3.default.optional(import_zod3.default.string())
|
|
251
|
+
}).passthrough();
|
|
252
|
+
var zJwkSet = import_zod3.default.object({ keys: import_zod3.default.array(zJwk) }).passthrough();
|
|
253
253
|
|
|
254
254
|
// src/common/jwt/verify-jwt.ts
|
|
255
255
|
var import_utils2 = require("@openid4vc/utils");
|
|
@@ -318,47 +318,43 @@ var Oauth2JwtParseError = class extends Oauth2Error {
|
|
|
318
318
|
}
|
|
319
319
|
};
|
|
320
320
|
|
|
321
|
-
// src/common/jwt/
|
|
321
|
+
// src/common/jwt/z-jwt.ts
|
|
322
322
|
var import_utils3 = require("@openid4vc/utils");
|
|
323
|
-
var
|
|
323
|
+
var import_zod5 = __toESM(require("zod"));
|
|
324
324
|
|
|
325
|
-
// src/common/
|
|
326
|
-
var
|
|
327
|
-
var
|
|
328
|
-
v4.string(),
|
|
329
|
-
v4.check((alg) => alg !== "none", `alg value may not be 'none'`)
|
|
330
|
-
);
|
|
325
|
+
// src/common/z-common.ts
|
|
326
|
+
var import_zod4 = __toESM(require("zod"));
|
|
327
|
+
var zAlgValueNotNone = import_zod4.default.string().refine((alg) => alg !== "none", { message: `alg value may not be 'none'` });
|
|
331
328
|
|
|
332
|
-
// src/common/jwt/
|
|
333
|
-
var
|
|
334
|
-
|
|
335
|
-
v5.regex(/^([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_\-\+\/=]*)$/, "Not a valid compact jwt")
|
|
336
|
-
);
|
|
337
|
-
var vJwtConfirmationPayload = v5.looseObject({
|
|
338
|
-
jwk: v5.optional(vJwk),
|
|
339
|
-
// RFC9449. jwk thumbprint of the dpop public key to which the access token is bound
|
|
340
|
-
jkt: v5.optional(v5.string())
|
|
329
|
+
// src/common/jwt/z-jwt.ts
|
|
330
|
+
var zCompactJwt = import_zod5.default.string().regex(/^([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_\-\+\/=]*)$/, {
|
|
331
|
+
message: "Not a valid compact jwt"
|
|
341
332
|
});
|
|
342
|
-
var
|
|
343
|
-
|
|
344
|
-
|
|
345
|
-
|
|
346
|
-
|
|
347
|
-
|
|
348
|
-
|
|
349
|
-
|
|
350
|
-
|
|
333
|
+
var zJwtConfirmationPayload = import_zod5.default.object({
|
|
334
|
+
jwk: zJwk.optional(),
|
|
335
|
+
// RFC9449. jwk thumbprint of the dpop public key to which the access token is bound
|
|
336
|
+
jkt: import_zod5.default.string().optional()
|
|
337
|
+
}).passthrough();
|
|
338
|
+
var zJwtPayload = import_zod5.default.object({
|
|
339
|
+
iss: import_zod5.default.string().optional(),
|
|
340
|
+
aud: import_zod5.default.string().optional(),
|
|
341
|
+
iat: import_utils3.zInteger.optional(),
|
|
342
|
+
exp: import_utils3.zInteger.optional(),
|
|
343
|
+
nbf: import_utils3.zInteger.optional(),
|
|
344
|
+
nonce: import_zod5.default.string().optional(),
|
|
345
|
+
jti: import_zod5.default.string().optional(),
|
|
346
|
+
cnf: zJwtConfirmationPayload.optional(),
|
|
351
347
|
// Reserved for status parameters
|
|
352
|
-
status:
|
|
353
|
-
});
|
|
354
|
-
var
|
|
355
|
-
alg:
|
|
356
|
-
typ:
|
|
357
|
-
kid:
|
|
358
|
-
jwk:
|
|
359
|
-
x5c:
|
|
360
|
-
trust_chain:
|
|
361
|
-
});
|
|
348
|
+
status: import_zod5.default.record(import_zod5.default.string(), import_zod5.default.any()).optional()
|
|
349
|
+
}).passthrough();
|
|
350
|
+
var zJwtHeader = import_zod5.default.object({
|
|
351
|
+
alg: zAlgValueNotNone,
|
|
352
|
+
typ: import_zod5.default.string().optional(),
|
|
353
|
+
kid: import_zod5.default.string().optional(),
|
|
354
|
+
jwk: zJwk.optional(),
|
|
355
|
+
x5c: import_zod5.default.array(import_zod5.default.string()).optional(),
|
|
356
|
+
trust_chain: import_zod5.default.array(import_zod5.default.string()).optional()
|
|
357
|
+
}).passthrough();
|
|
362
358
|
|
|
363
359
|
// src/common/jwt/decode-jwt.ts
|
|
364
360
|
function decodeJwt(options) {
|
|
@@ -380,8 +376,8 @@ function decodeJwt(options) {
|
|
|
380
376
|
} catch (error) {
|
|
381
377
|
throw new Oauth2JwtParseError("Error parsing JWT");
|
|
382
378
|
}
|
|
383
|
-
const header = (0, import_utils4.parseWithErrorHandling)(options.headerSchema ??
|
|
384
|
-
const payload = (0, import_utils4.parseWithErrorHandling)(options.payloadSchema ??
|
|
379
|
+
const header = (0, import_utils4.parseWithErrorHandling)(options.headerSchema ?? zJwtHeader, headerJson);
|
|
380
|
+
const payload = (0, import_utils4.parseWithErrorHandling)(options.payloadSchema ?? zJwtPayload, payloadJson);
|
|
385
381
|
return {
|
|
386
382
|
header,
|
|
387
383
|
payload,
|
|
@@ -510,7 +506,7 @@ ${JSON.stringify(wwwAuthenticateHeaders, null, 2)}`);
|
|
|
510
506
|
};
|
|
511
507
|
|
|
512
508
|
// src/index.ts
|
|
513
|
-
var
|
|
509
|
+
var import_utils42 = require("@openid4vc/utils");
|
|
514
510
|
|
|
515
511
|
// src/error/Oauth2ClientErrorResponseError.ts
|
|
516
512
|
var Oauth2ClientErrorResponseError = class extends Oauth2Error {
|
|
@@ -543,45 +539,42 @@ ${JSON.stringify(errorResponse, null, 2)}`,
|
|
|
543
539
|
}
|
|
544
540
|
};
|
|
545
541
|
|
|
546
|
-
// src/metadata/authorization-server/
|
|
542
|
+
// src/metadata/authorization-server/z-authorization-server-metadata.ts
|
|
547
543
|
var import_utils6 = require("@openid4vc/utils");
|
|
548
|
-
var
|
|
549
|
-
var
|
|
550
|
-
|
|
551
|
-
|
|
552
|
-
|
|
553
|
-
|
|
554
|
-
|
|
555
|
-
|
|
556
|
-
|
|
557
|
-
|
|
558
|
-
|
|
559
|
-
|
|
560
|
-
|
|
561
|
-
|
|
562
|
-
|
|
563
|
-
|
|
564
|
-
|
|
565
|
-
|
|
566
|
-
|
|
567
|
-
|
|
568
|
-
|
|
569
|
-
|
|
570
|
-
|
|
571
|
-
|
|
572
|
-
|
|
573
|
-
|
|
574
|
-
|
|
575
|
-
|
|
576
|
-
|
|
577
|
-
|
|
578
|
-
|
|
579
|
-
|
|
580
|
-
|
|
581
|
-
|
|
582
|
-
},
|
|
583
|
-
`Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`
|
|
584
|
-
)
|
|
544
|
+
var import_zod6 = __toESM(require("zod"));
|
|
545
|
+
var zAuthorizationServerMetadata = import_zod6.default.object({
|
|
546
|
+
issuer: import_utils6.zHttpsUrl,
|
|
547
|
+
token_endpoint: import_utils6.zHttpsUrl,
|
|
548
|
+
token_endpoint_auth_methods_supported: import_zod6.default.optional(import_zod6.default.array(import_zod6.default.string())),
|
|
549
|
+
authorization_endpoint: import_zod6.default.optional(import_utils6.zHttpsUrl),
|
|
550
|
+
jwks_uri: import_zod6.default.optional(import_utils6.zHttpsUrl),
|
|
551
|
+
// RFC7636
|
|
552
|
+
code_challenge_methods_supported: import_zod6.default.optional(import_zod6.default.array(import_zod6.default.string())),
|
|
553
|
+
// RFC9449
|
|
554
|
+
dpop_signing_alg_values_supported: import_zod6.default.optional(import_zod6.default.array(import_zod6.default.string())),
|
|
555
|
+
// RFC9126
|
|
556
|
+
require_pushed_authorization_requests: import_zod6.default.optional(import_zod6.default.boolean()),
|
|
557
|
+
pushed_authorization_request_endpoint: import_zod6.default.optional(import_utils6.zHttpsUrl),
|
|
558
|
+
// RFC9068
|
|
559
|
+
introspection_endpoint: import_zod6.default.optional(import_utils6.zHttpsUrl),
|
|
560
|
+
introspection_endpoint_auth_methods_supported: import_zod6.default.optional(
|
|
561
|
+
import_zod6.default.array(import_zod6.default.union([import_zod6.default.literal("client_secret_jwt"), import_zod6.default.literal("private_key_jwt"), import_zod6.default.string()]))
|
|
562
|
+
),
|
|
563
|
+
introspection_endpoint_auth_signing_alg_values_supported: import_zod6.default.optional(import_zod6.default.array(zAlgValueNotNone)),
|
|
564
|
+
// FiPA (no RFC yet)
|
|
565
|
+
authorization_challenge_endpoint: import_zod6.default.optional(import_utils6.zHttpsUrl),
|
|
566
|
+
// From OID4VCI specification
|
|
567
|
+
pre_authorized_grant_anonymous_access_supported: import_zod6.default.optional(import_zod6.default.boolean())
|
|
568
|
+
}).passthrough().refine(
|
|
569
|
+
({
|
|
570
|
+
introspection_endpoint_auth_methods_supported: methodsSupported,
|
|
571
|
+
introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported
|
|
572
|
+
}) => {
|
|
573
|
+
if (!methodsSupported) return true;
|
|
574
|
+
if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
|
|
575
|
+
return algValuesSupported !== void 0 && algValuesSupported.length > 0;
|
|
576
|
+
},
|
|
577
|
+
`Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`
|
|
585
578
|
);
|
|
586
579
|
|
|
587
580
|
// src/metadata/authorization-server/authorization-server-metadata.ts
|
|
@@ -591,53 +584,88 @@ var import_utils9 = require("@openid4vc/utils");
|
|
|
591
584
|
var import_utils7 = require("@openid4vc/utils");
|
|
592
585
|
var import_utils8 = require("@openid4vc/utils");
|
|
593
586
|
|
|
594
|
-
// ../utils/src/
|
|
595
|
-
var
|
|
596
|
-
|
|
597
|
-
//
|
|
598
|
-
|
|
599
|
-
|
|
600
|
-
|
|
601
|
-
|
|
602
|
-
|
|
603
|
-
|
|
604
|
-
|
|
605
|
-
|
|
606
|
-
|
|
607
|
-
|
|
608
|
-
|
|
609
|
-
|
|
610
|
-
|
|
587
|
+
// ../utils/src/error/ValidationError.ts
|
|
588
|
+
var import_zod7 = require("zod");
|
|
589
|
+
var constants = {
|
|
590
|
+
// biome-ignore lint/suspicious/noMisleadingCharacterClass: expected
|
|
591
|
+
identifierRegex: /[$_\p{ID_Start}][$\u200c\u200d\p{ID_Continue}]*/u,
|
|
592
|
+
unionSeparator: ", or ",
|
|
593
|
+
issueSeparator: "\n - "
|
|
594
|
+
};
|
|
595
|
+
var ValidationError = class extends Error {
|
|
596
|
+
escapeQuotes(str) {
|
|
597
|
+
return str.replace(/"/g, '\\"');
|
|
598
|
+
}
|
|
599
|
+
joinPath(path) {
|
|
600
|
+
if (path.length === 1) {
|
|
601
|
+
return path[0].toString();
|
|
602
|
+
}
|
|
603
|
+
return path.reduce((acc, item) => {
|
|
604
|
+
if (typeof item === "number") {
|
|
605
|
+
return `${acc}[${item.toString()}]`;
|
|
606
|
+
}
|
|
607
|
+
if (item.includes('"')) {
|
|
608
|
+
return `${acc}["${this.escapeQuotes(item)}"]`;
|
|
611
609
|
}
|
|
610
|
+
if (!constants.identifierRegex.test(item)) {
|
|
611
|
+
return `${acc}["${item}"]`;
|
|
612
|
+
}
|
|
613
|
+
const separator = acc.length === 0 ? "" : ".";
|
|
614
|
+
return acc + separator + item;
|
|
615
|
+
}, "");
|
|
616
|
+
}
|
|
617
|
+
getMessageFromUnionErrors(unionErrors) {
|
|
618
|
+
return unionErrors.reduce((acc, zodError) => {
|
|
619
|
+
const newIssues = zodError.issues.map((issue) => this.getMessageFromZodIssue(issue)).join(constants.issueSeparator);
|
|
620
|
+
if (!acc.includes(newIssues)) acc.push(newIssues);
|
|
621
|
+
return acc;
|
|
622
|
+
}, []).join(constants.unionSeparator);
|
|
623
|
+
}
|
|
624
|
+
getMessageFromZodIssue(issue) {
|
|
625
|
+
if (issue.code === import_zod7.ZodIssueCode.invalid_union) {
|
|
626
|
+
return this.getMessageFromUnionErrors(issue.unionErrors);
|
|
612
627
|
}
|
|
613
|
-
|
|
614
|
-
|
|
615
|
-
|
|
616
|
-
|
|
617
|
-
// ../utils/src/parse.ts
|
|
618
|
-
function valibotRecursiveFlattenIssues(issues) {
|
|
619
|
-
let flattened = v7.flatten(issues);
|
|
620
|
-
for (const issue of issues) {
|
|
621
|
-
if (issue.issues) {
|
|
622
|
-
flattened = mergeDeep(flattened, valibotRecursiveFlattenIssues(issue.issues));
|
|
628
|
+
if (issue.code === import_zod7.ZodIssueCode.invalid_arguments) {
|
|
629
|
+
return [issue.message, ...issue.argumentsError.issues.map((issue2) => this.getMessageFromZodIssue(issue2))].join(
|
|
630
|
+
constants.issueSeparator
|
|
631
|
+
);
|
|
623
632
|
}
|
|
624
|
-
|
|
625
|
-
|
|
626
|
-
|
|
627
|
-
|
|
628
|
-
|
|
629
|
-
|
|
630
|
-
|
|
631
|
-
|
|
632
|
-
|
|
633
|
-
${
|
|
634
|
-
|
|
633
|
+
if (issue.code === import_zod7.ZodIssueCode.invalid_return_type) {
|
|
634
|
+
return [issue.message, ...issue.returnTypeError.issues.map((issue2) => this.getMessageFromZodIssue(issue2))].join(
|
|
635
|
+
constants.issueSeparator
|
|
636
|
+
);
|
|
637
|
+
}
|
|
638
|
+
if (issue.path.length !== 0) {
|
|
639
|
+
if (issue.path.length === 1) {
|
|
640
|
+
const identifier = issue.path[0];
|
|
641
|
+
if (typeof identifier === "number") {
|
|
642
|
+
return `${issue.message} at index ${identifier}`;
|
|
643
|
+
}
|
|
644
|
+
}
|
|
645
|
+
return `${issue.message} at "${this.joinPath(issue.path)}"`;
|
|
646
|
+
}
|
|
647
|
+
return issue.message;
|
|
648
|
+
}
|
|
649
|
+
formatError(error) {
|
|
650
|
+
if (!error) return "";
|
|
651
|
+
return error?.issues.map((issue) => this.getMessageFromZodIssue(issue)).join(constants.issueSeparator);
|
|
652
|
+
}
|
|
653
|
+
constructor(message, zodError) {
|
|
654
|
+
super(message);
|
|
655
|
+
const formattedError = this.formatError(zodError);
|
|
656
|
+
this.message = `${message}
|
|
657
|
+
- ${formattedError}`;
|
|
658
|
+
Object.defineProperty(this, "zodError", {
|
|
659
|
+
value: zodError,
|
|
660
|
+
writable: false,
|
|
661
|
+
enumerable: false
|
|
662
|
+
});
|
|
635
663
|
}
|
|
636
664
|
};
|
|
637
665
|
|
|
638
666
|
// src/metadata/fetch-well-known-metadata.ts
|
|
639
667
|
async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
|
|
640
|
-
const fetcher = (0, import_utils7.
|
|
668
|
+
const fetcher = (0, import_utils7.createZodFetcher)(fetch);
|
|
641
669
|
const { result, response } = await fetcher(schema, import_utils7.ContentType.Json, wellKnownMetadataUrl);
|
|
642
670
|
if (response.status === 404) {
|
|
643
671
|
return null;
|
|
@@ -649,10 +677,10 @@ async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
|
|
|
649
677
|
response
|
|
650
678
|
);
|
|
651
679
|
}
|
|
652
|
-
if (!result
|
|
653
|
-
throw new ValidationError(`Validation of metadata from '${wellKnownMetadataUrl}' failed`, result?.
|
|
680
|
+
if (!result?.success) {
|
|
681
|
+
throw new ValidationError(`Validation of metadata from '${wellKnownMetadataUrl}' failed`, result?.error);
|
|
654
682
|
}
|
|
655
|
-
return result.
|
|
683
|
+
return result.data;
|
|
656
684
|
}
|
|
657
685
|
|
|
658
686
|
// src/metadata/authorization-server/authorization-server-metadata.ts
|
|
@@ -663,7 +691,7 @@ async function fetchAuthorizationServerMetadata(issuer, fetch) {
|
|
|
663
691
|
const authorizationServerWellKnownMetadataUrl = (0, import_utils9.joinUriParts)(issuer, [wellKnownAuthorizationServerSuffix]);
|
|
664
692
|
const authorizationServerResult = await fetchWellKnownMetadata(
|
|
665
693
|
authorizationServerWellKnownMetadataUrl,
|
|
666
|
-
|
|
694
|
+
zAuthorizationServerMetadata,
|
|
667
695
|
fetch
|
|
668
696
|
);
|
|
669
697
|
if (authorizationServerResult) {
|
|
@@ -676,7 +704,7 @@ async function fetchAuthorizationServerMetadata(issuer, fetch) {
|
|
|
676
704
|
}
|
|
677
705
|
const openIdConfigurationResult = await fetchWellKnownMetadata(
|
|
678
706
|
openIdConfigurationWellKnownMetadataUrl,
|
|
679
|
-
|
|
707
|
+
zAuthorizationServerMetadata,
|
|
680
708
|
fetch
|
|
681
709
|
);
|
|
682
710
|
if (openIdConfigurationResult) {
|
|
@@ -705,14 +733,14 @@ function getAuthorizationServerMetadataFromList(authorizationServersMetadata, is
|
|
|
705
733
|
var import_utils10 = require("@openid4vc/utils");
|
|
706
734
|
var import_utils11 = require("@openid4vc/utils");
|
|
707
735
|
async function fetchJwks(authorizationServer, fetch) {
|
|
708
|
-
const fetcher = (0, import_utils10.
|
|
736
|
+
const fetcher = (0, import_utils10.createZodFetcher)(fetch);
|
|
709
737
|
const jwksUrl = authorizationServer.jwks_uri;
|
|
710
738
|
if (!jwksUrl) {
|
|
711
739
|
throw new Oauth2Error(
|
|
712
740
|
`Authorization server '${authorizationServer.issuer}' does not have a 'jwks_uri' parameter to fetch JWKs.`
|
|
713
741
|
);
|
|
714
742
|
}
|
|
715
|
-
const { result, response } = await fetcher(
|
|
743
|
+
const { result, response } = await fetcher(zJwkSet, import_utils10.ContentType.JwkSet, jwksUrl);
|
|
716
744
|
if (!response.ok) {
|
|
717
745
|
throw new import_utils11.InvalidFetchResponseError(
|
|
718
746
|
`Fetching JWKs from jwks_uri '${jwksUrl}' resulted in an unsuccessfull response with status code '${response.status}'.`,
|
|
@@ -720,32 +748,32 @@ async function fetchJwks(authorizationServer, fetch) {
|
|
|
720
748
|
response
|
|
721
749
|
);
|
|
722
750
|
}
|
|
723
|
-
if (!result
|
|
724
|
-
throw new ValidationError(`Validation of JWKs from jwks_uri '${jwksUrl}' failed`, result?.
|
|
751
|
+
if (!result?.success) {
|
|
752
|
+
throw new ValidationError(`Validation of JWKs from jwks_uri '${jwksUrl}' failed`, result?.error);
|
|
725
753
|
}
|
|
726
|
-
return result.
|
|
754
|
+
return result.data;
|
|
727
755
|
}
|
|
728
756
|
|
|
729
|
-
// src/access-token/
|
|
757
|
+
// src/access-token/z-access-token-jwt.ts
|
|
730
758
|
var import_utils12 = require("@openid4vc/utils");
|
|
731
|
-
var
|
|
732
|
-
var
|
|
733
|
-
...
|
|
734
|
-
typ:
|
|
735
|
-
});
|
|
736
|
-
var
|
|
737
|
-
...
|
|
738
|
-
iss:
|
|
739
|
-
exp: import_utils12.
|
|
740
|
-
iat: import_utils12.
|
|
741
|
-
aud:
|
|
742
|
-
sub:
|
|
759
|
+
var import_zod8 = __toESM(require("zod"));
|
|
760
|
+
var zAccessTokenProfileJwtHeader = import_zod8.default.object({
|
|
761
|
+
...zJwtHeader.shape,
|
|
762
|
+
typ: import_zod8.default.enum(["application/at+jwt", "at+jwt"])
|
|
763
|
+
}).passthrough();
|
|
764
|
+
var zAccessTokenProfileJwtPayload = import_zod8.default.object({
|
|
765
|
+
...zJwtPayload.shape,
|
|
766
|
+
iss: import_zod8.default.string(),
|
|
767
|
+
exp: import_utils12.zInteger,
|
|
768
|
+
iat: import_utils12.zInteger,
|
|
769
|
+
aud: import_zod8.default.string(),
|
|
770
|
+
sub: import_zod8.default.string(),
|
|
743
771
|
// REQUIRED according to RFC 9068, but OID4VCI allows anonymous access
|
|
744
|
-
client_id:
|
|
745
|
-
jti:
|
|
772
|
+
client_id: import_zod8.default.optional(import_zod8.default.string()),
|
|
773
|
+
jti: import_zod8.default.string(),
|
|
746
774
|
// SHOULD be included in the authorization request contained it
|
|
747
|
-
scope:
|
|
748
|
-
});
|
|
775
|
+
scope: import_zod8.default.optional(import_zod8.default.string())
|
|
776
|
+
}).passthrough();
|
|
749
777
|
|
|
750
778
|
// src/access-token/verify-access-token.ts
|
|
751
779
|
var SupportedAuthenticationScheme = /* @__PURE__ */ ((SupportedAuthenticationScheme2) => {
|
|
@@ -756,8 +784,8 @@ var SupportedAuthenticationScheme = /* @__PURE__ */ ((SupportedAuthenticationSch
|
|
|
756
784
|
async function verifyJwtProfileAccessToken(options) {
|
|
757
785
|
const decodedJwt = decodeJwt({
|
|
758
786
|
jwt: options.accessToken,
|
|
759
|
-
headerSchema:
|
|
760
|
-
payloadSchema:
|
|
787
|
+
headerSchema: zAccessTokenProfileJwtHeader,
|
|
788
|
+
payloadSchema: zAccessTokenProfileJwtPayload
|
|
761
789
|
});
|
|
762
790
|
const authorizationServer = options.authorizationServers.find(({ issuer }) => decodedJwt.payload.iss === issuer);
|
|
763
791
|
if (!authorizationServer) {
|
|
@@ -794,23 +822,23 @@ var import_utils15 = require("@openid4vc/utils");
|
|
|
794
822
|
// src/dpop/dpop.ts
|
|
795
823
|
var import_utils14 = require("@openid4vc/utils");
|
|
796
824
|
|
|
797
|
-
// src/dpop/
|
|
798
|
-
var v9 = __toESM(require("valibot"));
|
|
825
|
+
// src/dpop/z-dpop.ts
|
|
799
826
|
var import_utils13 = require("@openid4vc/utils");
|
|
800
|
-
var
|
|
801
|
-
|
|
802
|
-
|
|
803
|
-
|
|
804
|
-
|
|
805
|
-
|
|
827
|
+
var import_zod9 = __toESM(require("zod"));
|
|
828
|
+
var zDpopJwtPayload = import_zod9.default.object({
|
|
829
|
+
...zJwtPayload.shape,
|
|
830
|
+
iat: import_utils13.zInteger,
|
|
831
|
+
htu: import_utils13.zHttpsUrl,
|
|
832
|
+
htm: import_utils13.zHttpMethod,
|
|
833
|
+
jti: import_zod9.default.string(),
|
|
806
834
|
// Only required when presenting in combination with access token
|
|
807
|
-
ath:
|
|
808
|
-
});
|
|
809
|
-
var
|
|
810
|
-
...
|
|
811
|
-
typ:
|
|
812
|
-
jwk:
|
|
813
|
-
});
|
|
835
|
+
ath: import_zod9.default.optional(import_zod9.default.string())
|
|
836
|
+
}).passthrough();
|
|
837
|
+
var zDpopJwtHeader = import_zod9.default.object({
|
|
838
|
+
...zJwtHeader.shape,
|
|
839
|
+
typ: import_zod9.default.literal("dpop+jwt"),
|
|
840
|
+
jwk: zJwk
|
|
841
|
+
}).passthrough();
|
|
814
842
|
|
|
815
843
|
// src/dpop/dpop.ts
|
|
816
844
|
async function createDpopHeadersForRequest(options) {
|
|
@@ -824,12 +852,12 @@ async function createDpopJwt(options) {
|
|
|
824
852
|
if (options.accessToken) {
|
|
825
853
|
ath = (0, import_utils14.encodeToBase64Url)(await options.callbacks.hash((0, import_utils14.decodeUtf8String)(options.accessToken), "SHA-256" /* Sha256 */));
|
|
826
854
|
}
|
|
827
|
-
const header = (0, import_utils14.parseWithErrorHandling)(
|
|
855
|
+
const header = (0, import_utils14.parseWithErrorHandling)(zDpopJwtHeader, {
|
|
828
856
|
typ: "dpop+jwt",
|
|
829
857
|
jwk: options.signer.publicJwk,
|
|
830
858
|
alg: options.signer.alg
|
|
831
859
|
});
|
|
832
|
-
const payload = (0, import_utils14.parseWithErrorHandling)(
|
|
860
|
+
const payload = (0, import_utils14.parseWithErrorHandling)(zDpopJwtPayload, {
|
|
833
861
|
htu: htuFromRequestUrl(options.request.url),
|
|
834
862
|
iat: (0, import_utils14.dateToSeconds)(options.issuedAt),
|
|
835
863
|
htm: options.request.method,
|
|
@@ -847,8 +875,8 @@ async function createDpopJwt(options) {
|
|
|
847
875
|
async function verifyDpopJwt(options) {
|
|
848
876
|
const { header, payload } = decodeJwt({
|
|
849
877
|
jwt: options.dpopJwt,
|
|
850
|
-
headerSchema:
|
|
851
|
-
payloadSchema:
|
|
878
|
+
headerSchema: zDpopJwtHeader,
|
|
879
|
+
payloadSchema: zDpopJwtPayload
|
|
852
880
|
});
|
|
853
881
|
if (options.allowedSigningAlgs && !options.allowedSigningAlgs.includes(header.alg)) {
|
|
854
882
|
throw new Oauth2Error(
|
|
@@ -1056,33 +1084,33 @@ var import_utils17 = require("@openid4vc/utils");
|
|
|
1056
1084
|
var import_utils18 = require("@openid4vc/utils");
|
|
1057
1085
|
var import_utils19 = require("@openid4vc/utils");
|
|
1058
1086
|
|
|
1059
|
-
// src/access-token/
|
|
1087
|
+
// src/access-token/z-token-introspection.ts
|
|
1060
1088
|
var import_utils16 = require("@openid4vc/utils");
|
|
1061
|
-
var
|
|
1062
|
-
var
|
|
1063
|
-
token:
|
|
1064
|
-
token_type_hint:
|
|
1065
|
-
});
|
|
1066
|
-
var
|
|
1067
|
-
active:
|
|
1068
|
-
scope:
|
|
1069
|
-
client_id:
|
|
1070
|
-
username:
|
|
1071
|
-
token_type:
|
|
1072
|
-
exp:
|
|
1073
|
-
iat:
|
|
1074
|
-
nbf:
|
|
1075
|
-
sub:
|
|
1076
|
-
aud:
|
|
1077
|
-
iss:
|
|
1078
|
-
jti:
|
|
1079
|
-
cnf:
|
|
1080
|
-
});
|
|
1089
|
+
var import_zod10 = __toESM(require("zod"));
|
|
1090
|
+
var zTokenIntrospectionRequest = import_zod10.default.object({
|
|
1091
|
+
token: import_zod10.default.string(),
|
|
1092
|
+
token_type_hint: import_zod10.default.optional(import_zod10.default.string())
|
|
1093
|
+
}).passthrough();
|
|
1094
|
+
var zTokenIntrospectionResponse = import_zod10.default.object({
|
|
1095
|
+
active: import_zod10.default.boolean(),
|
|
1096
|
+
scope: import_zod10.default.optional(import_zod10.default.string()),
|
|
1097
|
+
client_id: import_zod10.default.optional(import_zod10.default.string()),
|
|
1098
|
+
username: import_zod10.default.optional(import_zod10.default.string()),
|
|
1099
|
+
token_type: import_zod10.default.optional(import_zod10.default.string()),
|
|
1100
|
+
exp: import_zod10.default.optional(import_utils16.zInteger),
|
|
1101
|
+
iat: import_zod10.default.optional(import_utils16.zInteger),
|
|
1102
|
+
nbf: import_zod10.default.optional(import_utils16.zInteger),
|
|
1103
|
+
sub: import_zod10.default.optional(import_zod10.default.string()),
|
|
1104
|
+
aud: import_zod10.default.optional(import_zod10.default.string()),
|
|
1105
|
+
iss: import_zod10.default.optional(import_zod10.default.string()),
|
|
1106
|
+
jti: import_zod10.default.optional(import_zod10.default.string()),
|
|
1107
|
+
cnf: import_zod10.default.optional(zJwtConfirmationPayload)
|
|
1108
|
+
}).passthrough();
|
|
1081
1109
|
|
|
1082
1110
|
// src/access-token/introspect-token.ts
|
|
1083
1111
|
async function introspectToken(options) {
|
|
1084
|
-
const
|
|
1085
|
-
const introspectionRequest = (0, import_utils17.parseWithErrorHandling)(
|
|
1112
|
+
const fetchWithZod = (0, import_utils17.createZodFetcher)(options.callbacks.fetch);
|
|
1113
|
+
const introspectionRequest = (0, import_utils17.parseWithErrorHandling)(zTokenIntrospectionRequest, {
|
|
1086
1114
|
token: options.token,
|
|
1087
1115
|
token_type_hint: options.tokenTypeHint,
|
|
1088
1116
|
...options.additionalPayload
|
|
@@ -1102,8 +1130,8 @@ async function introspectToken(options) {
|
|
|
1102
1130
|
contentType: import_utils17.ContentType.XWwwFormUrlencoded,
|
|
1103
1131
|
headers
|
|
1104
1132
|
});
|
|
1105
|
-
const { result, response } = await
|
|
1106
|
-
|
|
1133
|
+
const { result, response } = await fetchWithZod(
|
|
1134
|
+
zTokenIntrospectionResponse,
|
|
1107
1135
|
import_utils17.ContentType.Json,
|
|
1108
1136
|
introspectionEndpoint,
|
|
1109
1137
|
{
|
|
@@ -1119,7 +1147,7 @@ async function introspectToken(options) {
|
|
|
1119
1147
|
response
|
|
1120
1148
|
);
|
|
1121
1149
|
}
|
|
1122
|
-
return result.
|
|
1150
|
+
return result.data;
|
|
1123
1151
|
}
|
|
1124
1152
|
|
|
1125
1153
|
// src/resource-request/verify-resource-request.ts
|
|
@@ -1296,8 +1324,8 @@ function getSupportedClientAuthenticationMethod(authorizationServer, endpointTyp
|
|
|
1296
1324
|
}
|
|
1297
1325
|
function clientAuthenticationDynamic(options) {
|
|
1298
1326
|
return (callbackOptions) => {
|
|
1299
|
-
const { url
|
|
1300
|
-
const endpointType =
|
|
1327
|
+
const { url, authorizationServerMetata } = callbackOptions;
|
|
1328
|
+
const endpointType = url === authorizationServerMetata.introspection_endpoint ? "introspection" : "endpoint";
|
|
1301
1329
|
const method = getSupportedClientAuthenticationMethod(authorizationServerMetata, endpointType);
|
|
1302
1330
|
if (method === "client_secret_basic" /* ClientSecretBasic */) {
|
|
1303
1331
|
return clientAuthenticationClientSecretBasic(options)(callbackOptions);
|
|
@@ -1330,17 +1358,17 @@ function clientAuthenticationNone() {
|
|
|
1330
1358
|
}
|
|
1331
1359
|
|
|
1332
1360
|
// src/Oauth2AuthorizationServer.ts
|
|
1333
|
-
var
|
|
1361
|
+
var import_utils33 = require("@openid4vc/utils");
|
|
1334
1362
|
|
|
1335
1363
|
// src/access-token/create-access-token.ts
|
|
1336
1364
|
var import_utils22 = require("@openid4vc/utils");
|
|
1337
1365
|
async function createAccessTokenJwt(options) {
|
|
1338
|
-
const header = (0, import_utils22.parseWithErrorHandling)(
|
|
1366
|
+
const header = (0, import_utils22.parseWithErrorHandling)(zAccessTokenProfileJwtHeader, {
|
|
1339
1367
|
...jwtHeaderFromJwtSigner(options.signer),
|
|
1340
1368
|
typ: "at+jwt"
|
|
1341
1369
|
});
|
|
1342
1370
|
const now = options.now ?? /* @__PURE__ */ new Date();
|
|
1343
|
-
const payload = (0, import_utils22.parseWithErrorHandling)(
|
|
1371
|
+
const payload = (0, import_utils22.parseWithErrorHandling)(zAccessTokenProfileJwtPayload, {
|
|
1344
1372
|
iat: (0, import_utils22.dateToSeconds)(now),
|
|
1345
1373
|
exp: (0, import_utils22.dateToSeconds)((0, import_utils22.addSecondsToDate)(now, options.expiresInSeconds)),
|
|
1346
1374
|
aud: options.audience,
|
|
@@ -1370,84 +1398,75 @@ async function createAccessTokenJwt(options) {
|
|
|
1370
1398
|
// src/access-token/create-access-token-response.ts
|
|
1371
1399
|
var import_utils24 = require("@openid4vc/utils");
|
|
1372
1400
|
|
|
1373
|
-
// src/access-token/
|
|
1374
|
-
var
|
|
1401
|
+
// src/access-token/z-access-token.ts
|
|
1402
|
+
var import_zod12 = __toESM(require("zod"));
|
|
1375
1403
|
var import_utils23 = require("@openid4vc/utils");
|
|
1376
1404
|
|
|
1377
|
-
// src/
|
|
1378
|
-
var
|
|
1379
|
-
var
|
|
1380
|
-
var preAuthorizedCodeGrantIdentifier =
|
|
1381
|
-
var
|
|
1382
|
-
var authorizationCodeGrantIdentifier =
|
|
1383
|
-
var
|
|
1384
|
-
var refreshTokenGrantIdentifier =
|
|
1385
|
-
|
|
1386
|
-
// src/access-token/
|
|
1387
|
-
var
|
|
1388
|
-
|
|
1405
|
+
// src/z-grant-type.ts
|
|
1406
|
+
var import_zod11 = __toESM(require("zod"));
|
|
1407
|
+
var zPreAuthorizedCodeGrantIdentifier = import_zod11.default.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
|
|
1408
|
+
var preAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier.value;
|
|
1409
|
+
var zAuthorizationCodeGrantIdentifier = import_zod11.default.literal("authorization_code");
|
|
1410
|
+
var authorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier.value;
|
|
1411
|
+
var zRefreshTokenGrantIdentifier = import_zod11.default.literal("refresh_token");
|
|
1412
|
+
var refreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier.value;
|
|
1413
|
+
|
|
1414
|
+
// src/access-token/z-access-token.ts
|
|
1415
|
+
var zAccessTokenRequest = import_zod12.default.intersection(
|
|
1416
|
+
import_zod12.default.object({
|
|
1389
1417
|
// Pre authorized code flow
|
|
1390
|
-
"pre-authorized_code":
|
|
1418
|
+
"pre-authorized_code": import_zod12.default.optional(import_zod12.default.string()),
|
|
1391
1419
|
// Authorization code flow
|
|
1392
|
-
code:
|
|
1393
|
-
redirect_uri:
|
|
1420
|
+
code: import_zod12.default.optional(import_zod12.default.string()),
|
|
1421
|
+
redirect_uri: import_zod12.default.string().url().optional(),
|
|
1394
1422
|
// Refresh token grant
|
|
1395
|
-
refresh_token:
|
|
1396
|
-
resource:
|
|
1397
|
-
code_verifier:
|
|
1398
|
-
grant_type:
|
|
1399
|
-
|
|
1400
|
-
|
|
1401
|
-
|
|
1423
|
+
refresh_token: import_zod12.default.optional(import_zod12.default.string()),
|
|
1424
|
+
resource: import_zod12.default.optional(import_utils23.zHttpsUrl),
|
|
1425
|
+
code_verifier: import_zod12.default.optional(import_zod12.default.string()),
|
|
1426
|
+
grant_type: import_zod12.default.union([
|
|
1427
|
+
zPreAuthorizedCodeGrantIdentifier,
|
|
1428
|
+
zAuthorizationCodeGrantIdentifier,
|
|
1429
|
+
zRefreshTokenGrantIdentifier,
|
|
1402
1430
|
// string makes the previous ones unessary, but it does help with error messages
|
|
1403
|
-
|
|
1431
|
+
import_zod12.default.string()
|
|
1404
1432
|
])
|
|
1405
|
-
}),
|
|
1406
|
-
|
|
1407
|
-
|
|
1408
|
-
|
|
1409
|
-
|
|
1410
|
-
|
|
1411
|
-
|
|
1412
|
-
|
|
1413
|
-
|
|
1414
|
-
|
|
1415
|
-
|
|
1416
|
-
|
|
1417
|
-
|
|
1418
|
-
|
|
1419
|
-
|
|
1420
|
-
|
|
1421
|
-
|
|
1422
|
-
|
|
1423
|
-
|
|
1424
|
-
)
|
|
1425
|
-
|
|
1426
|
-
var vAccessTokenResponse = v12.looseObject({
|
|
1427
|
-
access_token: v12.string(),
|
|
1428
|
-
token_type: v12.string(),
|
|
1429
|
-
expires_in: v12.optional(v12.pipe(v12.number(), v12.integer())),
|
|
1430
|
-
scope: v12.optional(v12.string()),
|
|
1431
|
-
state: v12.optional(v12.string()),
|
|
1432
|
-
refresh_token: v12.optional(v12.string()),
|
|
1433
|
+
}).passthrough(),
|
|
1434
|
+
import_zod12.default.object({
|
|
1435
|
+
tx_code: import_zod12.default.optional(import_zod12.default.string()),
|
|
1436
|
+
// user_pin is from OID4VCI draft 11
|
|
1437
|
+
user_pin: import_zod12.default.optional(import_zod12.default.string())
|
|
1438
|
+
}).passthrough().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, {
|
|
1439
|
+
message: `If both 'tx_code' and 'user_pin' are present they must match`
|
|
1440
|
+
}).transform(({ tx_code, user_pin, ...rest }) => {
|
|
1441
|
+
return {
|
|
1442
|
+
...rest,
|
|
1443
|
+
...tx_code ?? user_pin ? { tx_code: tx_code ?? user_pin } : {}
|
|
1444
|
+
};
|
|
1445
|
+
})
|
|
1446
|
+
);
|
|
1447
|
+
var zAccessTokenResponse = import_zod12.default.object({
|
|
1448
|
+
access_token: import_zod12.default.string(),
|
|
1449
|
+
token_type: import_zod12.default.string(),
|
|
1450
|
+
expires_in: import_zod12.default.optional(import_zod12.default.number().int()),
|
|
1451
|
+
scope: import_zod12.default.optional(import_zod12.default.string()),
|
|
1452
|
+
state: import_zod12.default.optional(import_zod12.default.string()),
|
|
1453
|
+
refresh_token: import_zod12.default.optional(import_zod12.default.string()),
|
|
1433
1454
|
// Oid4vci specific parameters
|
|
1434
|
-
c_nonce:
|
|
1435
|
-
c_nonce_expires_in:
|
|
1455
|
+
c_nonce: import_zod12.default.optional(import_zod12.default.string()),
|
|
1456
|
+
c_nonce_expires_in: import_zod12.default.optional(import_zod12.default.number().int()),
|
|
1436
1457
|
// TODO: add additional params
|
|
1437
|
-
authorization_details:
|
|
1438
|
-
|
|
1439
|
-
|
|
1440
|
-
|
|
1441
|
-
|
|
1442
|
-
|
|
1443
|
-
|
|
1444
|
-
|
|
1445
|
-
});
|
|
1446
|
-
var vAccessTokenErrorResponse = vOauth2ErrorResponse;
|
|
1458
|
+
authorization_details: import_zod12.default.array(
|
|
1459
|
+
import_zod12.default.object({
|
|
1460
|
+
// requried when type is openid_credential (so we probably need a discriminator)
|
|
1461
|
+
// credential_identifiers: z.array(z.string()),
|
|
1462
|
+
}).passthrough()
|
|
1463
|
+
).optional()
|
|
1464
|
+
}).passthrough();
|
|
1465
|
+
var zAccessTokenErrorResponse = zOauth2ErrorResponse;
|
|
1447
1466
|
|
|
1448
1467
|
// src/access-token/create-access-token-response.ts
|
|
1449
1468
|
async function createAccessTokenResponse(options) {
|
|
1450
|
-
const accessTokenResponse = (0, import_utils24.parseWithErrorHandling)(
|
|
1469
|
+
const accessTokenResponse = (0, import_utils24.parseWithErrorHandling)(zAccessTokenResponse, {
|
|
1451
1470
|
access_token: options.accessToken,
|
|
1452
1471
|
token_type: options.tokenType,
|
|
1453
1472
|
expires_in: options.expiresInSeconds,
|
|
@@ -1459,18 +1478,16 @@ async function createAccessTokenResponse(options) {
|
|
|
1459
1478
|
}
|
|
1460
1479
|
|
|
1461
1480
|
// src/access-token/parse-access-token-request.ts
|
|
1462
|
-
var import_utils25 = require("@openid4vc/utils");
|
|
1463
|
-
var v13 = __toESM(require("valibot"));
|
|
1464
1481
|
function parseAccessTokenRequest(options) {
|
|
1465
|
-
const parsedAccessTokenRequest =
|
|
1482
|
+
const parsedAccessTokenRequest = zAccessTokenRequest.safeParse(options.accessTokenRequest);
|
|
1466
1483
|
if (!parsedAccessTokenRequest.success) {
|
|
1467
1484
|
throw new Oauth2ServerErrorResponseError({
|
|
1468
1485
|
error: "invalid_request" /* InvalidRequest */,
|
|
1469
1486
|
error_description: `Error occured during validation of authorization request.
|
|
1470
|
-
${JSON.stringify(
|
|
1487
|
+
${JSON.stringify(parsedAccessTokenRequest.error.issues, null, 2)}`
|
|
1471
1488
|
});
|
|
1472
1489
|
}
|
|
1473
|
-
const accessTokenRequest = parsedAccessTokenRequest.
|
|
1490
|
+
const accessTokenRequest = parsedAccessTokenRequest.data;
|
|
1474
1491
|
let grant;
|
|
1475
1492
|
if (accessTokenRequest.grant_type === preAuthorizedCodeGrantIdentifier) {
|
|
1476
1493
|
if (!accessTokenRequest["pre-authorized_code"]) {
|
|
@@ -1518,7 +1535,7 @@ ${JSON.stringify((0, import_utils25.valibotRecursiveFlattenIssues)(parsedAccessT
|
|
|
1518
1535
|
}
|
|
1519
1536
|
|
|
1520
1537
|
// src/pkce.ts
|
|
1521
|
-
var
|
|
1538
|
+
var import_utils25 = require("@openid4vc/utils");
|
|
1522
1539
|
var PkceCodeChallengeMethod = /* @__PURE__ */ ((PkceCodeChallengeMethod2) => {
|
|
1523
1540
|
PkceCodeChallengeMethod2["Plain"] = "plain";
|
|
1524
1541
|
PkceCodeChallengeMethod2["S256"] = "S256";
|
|
@@ -1533,7 +1550,7 @@ async function createPkce(options) {
|
|
|
1533
1550
|
throw new Oauth2Error(`Unable to create PKCE code verifier. 'allowedCodeChallengeMethods' is an empty array.`);
|
|
1534
1551
|
}
|
|
1535
1552
|
const codeChallengeMethod = allowedCodeChallengeMethods.includes("S256" /* S256 */) ? "S256" /* S256 */ : "plain" /* Plain */;
|
|
1536
|
-
const codeVerifier = options.codeVerifier ?? (0,
|
|
1553
|
+
const codeVerifier = options.codeVerifier ?? (0, import_utils25.encodeToBase64Url)(await options.callbacks.generateRandom(64));
|
|
1537
1554
|
return {
|
|
1538
1555
|
codeVerifier,
|
|
1539
1556
|
codeChallenge: await calculateCodeChallenge({
|
|
@@ -1561,7 +1578,7 @@ async function calculateCodeChallenge(options) {
|
|
|
1561
1578
|
return options.codeVerifier;
|
|
1562
1579
|
}
|
|
1563
1580
|
if (options.codeChallengeMethod === "S256" /* S256 */) {
|
|
1564
|
-
return (0,
|
|
1581
|
+
return (0, import_utils25.encodeToBase64Url)(await options.hashCallback((0, import_utils25.decodeUtf8String)(options.codeVerifier), "SHA-256" /* Sha256 */));
|
|
1565
1582
|
}
|
|
1566
1583
|
throw new Oauth2Error(`Unsupported code challenge method ${options.codeChallengeMethod}`);
|
|
1567
1584
|
}
|
|
@@ -1694,69 +1711,69 @@ async function verifyAccessTokenRequestPkce(options, callbacks) {
|
|
|
1694
1711
|
}
|
|
1695
1712
|
|
|
1696
1713
|
// src/authorization-challenge/create-authorization-challenge-response.ts
|
|
1697
|
-
var import_utils29 = require("@openid4vc/utils");
|
|
1698
|
-
|
|
1699
|
-
// src/authorization-challenge/v-authorization-challenge.ts
|
|
1700
1714
|
var import_utils28 = require("@openid4vc/utils");
|
|
1701
|
-
var v15 = __toESM(require("valibot"));
|
|
1702
1715
|
|
|
1703
|
-
// src/authorization-
|
|
1716
|
+
// src/authorization-challenge/z-authorization-challenge.ts
|
|
1704
1717
|
var import_utils27 = require("@openid4vc/utils");
|
|
1705
|
-
var
|
|
1706
|
-
var vAuthorizationRequest = v14.looseObject({
|
|
1707
|
-
response_type: v14.string(),
|
|
1708
|
-
client_id: v14.string(),
|
|
1709
|
-
issuer_state: v14.optional(v14.string()),
|
|
1710
|
-
redirect_uri: v14.optional(v14.pipe(v14.string(), v14.url())),
|
|
1711
|
-
resource: v14.optional(import_utils27.vHttpsUrl),
|
|
1712
|
-
scope: v14.optional(v14.string()),
|
|
1713
|
-
// DPoP jwk thumbprint
|
|
1714
|
-
dpop_jkt: v14.optional(v14.string()),
|
|
1715
|
-
code_challenge: v14.optional(v14.string()),
|
|
1716
|
-
code_challenge_method: v14.optional(v14.string())
|
|
1717
|
-
});
|
|
1718
|
-
var vPushedAuthorizationRequest = v14.looseObject({
|
|
1719
|
-
request_uri: v14.string(),
|
|
1720
|
-
client_id: v14.string()
|
|
1721
|
-
});
|
|
1722
|
-
var vPushedAuthorizationResponse = v14.looseObject({
|
|
1723
|
-
request_uri: v14.string(),
|
|
1724
|
-
expires_in: v14.pipe(v14.number(), v14.integer())
|
|
1725
|
-
});
|
|
1718
|
+
var import_zod14 = __toESM(require("zod"));
|
|
1726
1719
|
|
|
1727
|
-
// src/authorization-
|
|
1728
|
-
var
|
|
1720
|
+
// src/authorization-request/z-authorization-request.ts
|
|
1721
|
+
var import_utils26 = require("@openid4vc/utils");
|
|
1722
|
+
var import_zod13 = __toESM(require("zod"));
|
|
1723
|
+
var zAuthorizationRequest = import_zod13.default.object({
|
|
1724
|
+
response_type: import_zod13.default.string(),
|
|
1725
|
+
client_id: import_zod13.default.string(),
|
|
1726
|
+
issuer_state: import_zod13.default.optional(import_zod13.default.string()),
|
|
1727
|
+
redirect_uri: import_zod13.default.string().url().optional(),
|
|
1728
|
+
resource: import_zod13.default.optional(import_utils26.zHttpsUrl),
|
|
1729
|
+
scope: import_zod13.default.optional(import_zod13.default.string()),
|
|
1730
|
+
// DPoP jwk thumbprint
|
|
1731
|
+
dpop_jkt: import_zod13.default.optional(import_zod13.default.string()),
|
|
1732
|
+
code_challenge: import_zod13.default.optional(import_zod13.default.string()),
|
|
1733
|
+
code_challenge_method: import_zod13.default.optional(import_zod13.default.string())
|
|
1734
|
+
}).passthrough();
|
|
1735
|
+
var zPushedAuthorizationRequest = import_zod13.default.object({
|
|
1736
|
+
request_uri: import_zod13.default.string(),
|
|
1737
|
+
client_id: import_zod13.default.string()
|
|
1738
|
+
}).passthrough();
|
|
1739
|
+
var zPushedAuthorizationResponse = import_zod13.default.object({
|
|
1740
|
+
request_uri: import_zod13.default.string(),
|
|
1741
|
+
expires_in: import_zod13.default.number().int()
|
|
1742
|
+
}).passthrough();
|
|
1743
|
+
|
|
1744
|
+
// src/authorization-challenge/z-authorization-challenge.ts
|
|
1745
|
+
var zAuthorizationChallengeRequest = import_zod14.default.object({
|
|
1729
1746
|
// authorization challenge request can include same parameters as an authorization request
|
|
1730
1747
|
// except for response_type (always `code`), and `client_id` is optional (becase
|
|
1731
1748
|
// it's possible to do client authentication using different methods)
|
|
1732
|
-
...
|
|
1733
|
-
client_id:
|
|
1734
|
-
auth_session:
|
|
1749
|
+
...zAuthorizationRequest.omit({ response_type: true, client_id: true }).shape,
|
|
1750
|
+
client_id: import_zod14.default.optional(zAuthorizationRequest.shape.client_id),
|
|
1751
|
+
auth_session: import_zod14.default.optional(import_zod14.default.string()),
|
|
1735
1752
|
// DRAFT presentation during issuance
|
|
1736
|
-
presentation_during_issuance_session:
|
|
1737
|
-
});
|
|
1738
|
-
var
|
|
1739
|
-
authorization_code:
|
|
1740
|
-
});
|
|
1741
|
-
var
|
|
1742
|
-
...
|
|
1743
|
-
auth_session:
|
|
1744
|
-
request_uri:
|
|
1745
|
-
expires_in:
|
|
1753
|
+
presentation_during_issuance_session: import_zod14.default.optional(import_zod14.default.string())
|
|
1754
|
+
}).passthrough();
|
|
1755
|
+
var zAuthorizationChallengeResponse = import_zod14.default.object({
|
|
1756
|
+
authorization_code: import_zod14.default.string()
|
|
1757
|
+
}).passthrough();
|
|
1758
|
+
var zAuthorizationChallengeErrorResponse = import_zod14.default.object({
|
|
1759
|
+
...zOauth2ErrorResponse.shape,
|
|
1760
|
+
auth_session: import_zod14.default.optional(import_zod14.default.string()),
|
|
1761
|
+
request_uri: import_zod14.default.optional(import_zod14.default.string()),
|
|
1762
|
+
expires_in: import_zod14.default.optional(import_utils27.zInteger),
|
|
1746
1763
|
// DRAFT: presentation during issuance
|
|
1747
|
-
presentation:
|
|
1748
|
-
});
|
|
1764
|
+
presentation: import_zod14.default.optional(import_zod14.default.string())
|
|
1765
|
+
}).passthrough();
|
|
1749
1766
|
|
|
1750
1767
|
// src/authorization-challenge/create-authorization-challenge-response.ts
|
|
1751
1768
|
function createAuthorizationChallengeResponse(options) {
|
|
1752
|
-
const authorizationChallengeResponse = (0,
|
|
1769
|
+
const authorizationChallengeResponse = (0, import_utils28.parseWithErrorHandling)(zAuthorizationChallengeResponse, {
|
|
1753
1770
|
...options.additionalPayload,
|
|
1754
1771
|
authorization_code: options.authorizationCode
|
|
1755
1772
|
});
|
|
1756
1773
|
return { authorizationChallengeResponse };
|
|
1757
1774
|
}
|
|
1758
1775
|
function createAuthorizationChallengeErrorResponse(options) {
|
|
1759
|
-
const authorizationChallengeErrorResponse = (0,
|
|
1776
|
+
const authorizationChallengeErrorResponse = (0, import_utils28.parseWithErrorHandling)(zAuthorizationChallengeErrorResponse, {
|
|
1760
1777
|
...options.additionalPayload,
|
|
1761
1778
|
// General FiPA
|
|
1762
1779
|
error: options.error,
|
|
@@ -1772,70 +1789,70 @@ function createAuthorizationChallengeErrorResponse(options) {
|
|
|
1772
1789
|
}
|
|
1773
1790
|
|
|
1774
1791
|
// src/authorization-challenge/parse-authorization-challenge-request.ts
|
|
1775
|
-
var
|
|
1792
|
+
var import_utils29 = require("@openid4vc/utils");
|
|
1776
1793
|
function parseAuthorizationChallengeRequest(options) {
|
|
1777
|
-
const authorizationChallengeRequest = (0,
|
|
1778
|
-
|
|
1794
|
+
const authorizationChallengeRequest = (0, import_utils29.parseWithErrorHandling)(
|
|
1795
|
+
zAuthorizationChallengeRequest,
|
|
1779
1796
|
options.authorizationChallengeRequest
|
|
1780
1797
|
);
|
|
1781
1798
|
return { authorizationChallengeRequest };
|
|
1782
1799
|
}
|
|
1783
1800
|
|
|
1784
1801
|
// src/client-attestation/clent-attestation.ts
|
|
1785
|
-
var import_utils32 = require("@openid4vc/utils");
|
|
1786
|
-
|
|
1787
|
-
// src/client-attestation/v-client-attestation.ts
|
|
1788
|
-
var v16 = __toESM(require("valibot"));
|
|
1789
1802
|
var import_utils31 = require("@openid4vc/utils");
|
|
1790
|
-
|
|
1791
|
-
|
|
1792
|
-
var
|
|
1793
|
-
|
|
1794
|
-
|
|
1795
|
-
|
|
1796
|
-
|
|
1797
|
-
|
|
1798
|
-
|
|
1799
|
-
|
|
1800
|
-
|
|
1801
|
-
|
|
1802
|
-
|
|
1803
|
+
|
|
1804
|
+
// src/client-attestation/z-client-attestation.ts
|
|
1805
|
+
var import_utils30 = require("@openid4vc/utils");
|
|
1806
|
+
var import_zod15 = __toESM(require("zod"));
|
|
1807
|
+
var zOauthClientAttestationHeader = import_zod15.default.literal("OAuth-Client-Attestation");
|
|
1808
|
+
var oauthClientAttestationHeader = zOauthClientAttestationHeader.value;
|
|
1809
|
+
var zClientAttestationJwtPayload = import_zod15.default.object({
|
|
1810
|
+
...zJwtPayload.shape,
|
|
1811
|
+
iss: import_zod15.default.string(),
|
|
1812
|
+
sub: import_zod15.default.string(),
|
|
1813
|
+
exp: import_utils30.zInteger,
|
|
1814
|
+
cnf: import_zod15.default.object({
|
|
1815
|
+
jwk: zJwk,
|
|
1816
|
+
key_type: import_zod15.default.optional(
|
|
1817
|
+
import_zod15.default.union([
|
|
1818
|
+
import_zod15.default.enum(["software", "hardware", "tee", "secure_enclave", "strong_box", "secure_element", "hsm"]),
|
|
1819
|
+
import_zod15.default.string()
|
|
1803
1820
|
])
|
|
1804
1821
|
),
|
|
1805
|
-
user_authentication:
|
|
1806
|
-
|
|
1807
|
-
|
|
1808
|
-
|
|
1822
|
+
user_authentication: import_zod15.default.optional(
|
|
1823
|
+
import_zod15.default.union([
|
|
1824
|
+
import_zod15.default.enum(["system_biometry", "system_pin", "internal_biometry", "internal_pin", "secure_element_pin"]),
|
|
1825
|
+
import_zod15.default.string()
|
|
1809
1826
|
])
|
|
1810
1827
|
)
|
|
1811
|
-
}),
|
|
1812
|
-
aal:
|
|
1813
|
-
});
|
|
1814
|
-
var
|
|
1815
|
-
...
|
|
1816
|
-
typ:
|
|
1817
|
-
});
|
|
1818
|
-
var
|
|
1819
|
-
var oauthClientAttestationPopHeader =
|
|
1820
|
-
var
|
|
1821
|
-
...
|
|
1822
|
-
iss:
|
|
1823
|
-
exp:
|
|
1824
|
-
aud:
|
|
1825
|
-
jti:
|
|
1826
|
-
nonce:
|
|
1827
|
-
});
|
|
1828
|
-
var
|
|
1829
|
-
...
|
|
1830
|
-
typ:
|
|
1831
|
-
});
|
|
1828
|
+
}).passthrough(),
|
|
1829
|
+
aal: import_zod15.default.optional(import_zod15.default.string())
|
|
1830
|
+
}).passthrough();
|
|
1831
|
+
var zClientAttestationJwtHeader = import_zod15.default.object({
|
|
1832
|
+
...zJwtHeader.shape,
|
|
1833
|
+
typ: import_zod15.default.literal("oauth-client-attestation+jwt")
|
|
1834
|
+
}).passthrough();
|
|
1835
|
+
var zOauthClientAttestationPopHeader = import_zod15.default.literal("OAuth-Client-Attestation-PoP");
|
|
1836
|
+
var oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
|
|
1837
|
+
var zClientAttestationPopJwtPayload = import_zod15.default.object({
|
|
1838
|
+
...zJwtPayload.shape,
|
|
1839
|
+
iss: import_zod15.default.string(),
|
|
1840
|
+
exp: import_utils30.zInteger,
|
|
1841
|
+
aud: import_utils30.zHttpsUrl,
|
|
1842
|
+
jti: import_zod15.default.string(),
|
|
1843
|
+
nonce: import_zod15.default.optional(import_zod15.default.string())
|
|
1844
|
+
}).passthrough();
|
|
1845
|
+
var zClientAttestationPopJwtHeader = import_zod15.default.object({
|
|
1846
|
+
...zJwtHeader.shape,
|
|
1847
|
+
typ: import_zod15.default.literal("oauth-client-attestation-pop+jwt")
|
|
1848
|
+
}).passthrough();
|
|
1832
1849
|
|
|
1833
1850
|
// src/client-attestation/clent-attestation.ts
|
|
1834
1851
|
async function verifyClientAttestationJwt(options) {
|
|
1835
1852
|
const { header, payload } = decodeJwt({
|
|
1836
1853
|
jwt: options.clientAttestationJwt,
|
|
1837
|
-
headerSchema:
|
|
1838
|
-
payloadSchema:
|
|
1854
|
+
headerSchema: zClientAttestationJwtHeader,
|
|
1855
|
+
payloadSchema: zClientAttestationJwtPayload
|
|
1839
1856
|
});
|
|
1840
1857
|
const { signer } = await verifyJwt({
|
|
1841
1858
|
signer: jwtSignerFromJwt({ header, payload }),
|
|
@@ -1853,14 +1870,14 @@ async function verifyClientAttestationJwt(options) {
|
|
|
1853
1870
|
};
|
|
1854
1871
|
}
|
|
1855
1872
|
async function createClientAttestationJwt(options) {
|
|
1856
|
-
const header = (0,
|
|
1873
|
+
const header = (0, import_utils31.parseWithErrorHandling)(zClientAttestationJwtHeader, {
|
|
1857
1874
|
typ: "oauth-client-attestation+jwt",
|
|
1858
1875
|
...jwtHeaderFromJwtSigner(options.signer)
|
|
1859
1876
|
});
|
|
1860
|
-
const payload = (0,
|
|
1877
|
+
const payload = (0, import_utils31.parseWithErrorHandling)(zClientAttestationJwtPayload, {
|
|
1861
1878
|
iss: options.issuer,
|
|
1862
|
-
iat: (0,
|
|
1863
|
-
exp: (0,
|
|
1879
|
+
iat: (0, import_utils31.dateToSeconds)(options.issuedAt),
|
|
1880
|
+
exp: (0, import_utils31.dateToSeconds)(options.expiresAt),
|
|
1864
1881
|
sub: options.clientId,
|
|
1865
1882
|
cnf: options.confirmation,
|
|
1866
1883
|
...options.additionalPayload
|
|
@@ -1887,7 +1904,7 @@ function extractClientAttestationJwtsFromHeaders(headers) {
|
|
|
1887
1904
|
}
|
|
1888
1905
|
|
|
1889
1906
|
// src/client-attestation/client-attestation-pop.ts
|
|
1890
|
-
var
|
|
1907
|
+
var import_utils32 = require("@openid4vc/utils");
|
|
1891
1908
|
async function createClientAttestationForRequest(options) {
|
|
1892
1909
|
const clientAttestationPopJwt = await createClientAttestationPopJwt({
|
|
1893
1910
|
authorizationServer: options.authorizationServer,
|
|
@@ -1911,8 +1928,8 @@ async function createClientAttestationForRequest(options) {
|
|
|
1911
1928
|
async function verifyClientAttestationPopJwt(options) {
|
|
1912
1929
|
const { header, payload } = decodeJwt({
|
|
1913
1930
|
jwt: options.clientAttestationPopJwt,
|
|
1914
|
-
headerSchema:
|
|
1915
|
-
payloadSchema:
|
|
1931
|
+
headerSchema: zClientAttestationPopJwtHeader,
|
|
1932
|
+
payloadSchema: zClientAttestationPopJwtPayload
|
|
1916
1933
|
});
|
|
1917
1934
|
if (payload.iss !== options.clientAttestation.payload.sub) {
|
|
1918
1935
|
throw new Oauth2Error(
|
|
@@ -1945,22 +1962,22 @@ async function verifyClientAttestationPopJwt(options) {
|
|
|
1945
1962
|
};
|
|
1946
1963
|
}
|
|
1947
1964
|
async function createClientAttestationPopJwt(options) {
|
|
1948
|
-
const header = (0,
|
|
1965
|
+
const header = (0, import_utils32.parseWithErrorHandling)(zClientAttestationPopJwtHeader, {
|
|
1949
1966
|
typ: "oauth-client-attestation-pop+jwt",
|
|
1950
1967
|
alg: options.signer.alg
|
|
1951
1968
|
});
|
|
1952
1969
|
const clientAttestation = decodeJwt({
|
|
1953
1970
|
jwt: options.clientAttestation,
|
|
1954
|
-
headerSchema:
|
|
1955
|
-
payloadSchema:
|
|
1971
|
+
headerSchema: zClientAttestationJwtHeader,
|
|
1972
|
+
payloadSchema: zClientAttestationJwtPayload
|
|
1956
1973
|
});
|
|
1957
|
-
const expiresAt = options.expiresAt ?? (0,
|
|
1958
|
-
const payload = (0,
|
|
1974
|
+
const expiresAt = options.expiresAt ?? (0, import_utils32.addSecondsToDate)(options.issuedAt ?? /* @__PURE__ */ new Date(), 1 * 60);
|
|
1975
|
+
const payload = (0, import_utils32.parseWithErrorHandling)(zClientAttestationPopJwtPayload, {
|
|
1959
1976
|
aud: options.authorizationServer,
|
|
1960
1977
|
iss: clientAttestation.payload.sub,
|
|
1961
|
-
iat: (0,
|
|
1962
|
-
exp: (0,
|
|
1963
|
-
jti: (0,
|
|
1978
|
+
iat: (0, import_utils32.dateToSeconds)(options.issuedAt),
|
|
1979
|
+
exp: (0, import_utils32.dateToSeconds)(expiresAt),
|
|
1980
|
+
jti: (0, import_utils32.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
|
|
1964
1981
|
nonce: options.nonce,
|
|
1965
1982
|
...options.additionalPayload
|
|
1966
1983
|
});
|
|
@@ -1977,8 +1994,8 @@ var Oauth2AuthorizationServer = class {
|
|
|
1977
1994
|
this.options = options;
|
|
1978
1995
|
}
|
|
1979
1996
|
createAuthorizationServerMetadata(authorizationServerMetadata) {
|
|
1980
|
-
return (0,
|
|
1981
|
-
|
|
1997
|
+
return (0, import_utils33.parseWithErrorHandling)(
|
|
1998
|
+
zAuthorizationServerMetadata,
|
|
1982
1999
|
authorizationServerMetadata,
|
|
1983
2000
|
"Error validating authorization server metadata"
|
|
1984
2001
|
);
|
|
@@ -2100,12 +2117,11 @@ var Oauth2ResourceServer = class {
|
|
|
2100
2117
|
};
|
|
2101
2118
|
|
|
2102
2119
|
// src/Oauth2Client.ts
|
|
2103
|
-
var
|
|
2120
|
+
var import_utils40 = require("@openid4vc/utils");
|
|
2104
2121
|
|
|
2105
2122
|
// src/access-token/retrieve-access-token.ts
|
|
2123
|
+
var import_utils34 = require("@openid4vc/utils");
|
|
2106
2124
|
var import_utils35 = require("@openid4vc/utils");
|
|
2107
|
-
var import_utils36 = require("@openid4vc/utils");
|
|
2108
|
-
var v17 = __toESM(require("valibot"));
|
|
2109
2125
|
async function retrievePreAuthorizedCodeAccessToken(options) {
|
|
2110
2126
|
const request = {
|
|
2111
2127
|
grant_type: preAuthorizedCodeGrantIdentifier,
|
|
@@ -2158,9 +2174,9 @@ async function retrieveRefreshTokenAccessToken(options) {
|
|
|
2158
2174
|
});
|
|
2159
2175
|
}
|
|
2160
2176
|
async function retrieveAccessToken(options) {
|
|
2161
|
-
const
|
|
2162
|
-
const accessTokenRequest = (0,
|
|
2163
|
-
|
|
2177
|
+
const fetchWithZod = (0, import_utils34.createZodFetcher)(options.callbacks.fetch);
|
|
2178
|
+
const accessTokenRequest = (0, import_utils34.parseWithErrorHandling)(
|
|
2179
|
+
zAccessTokenRequest,
|
|
2164
2180
|
options.request,
|
|
2165
2181
|
"Error validating access token request"
|
|
2166
2182
|
);
|
|
@@ -2184,44 +2200,43 @@ async function retrieveAccessToken(options) {
|
|
|
2184
2200
|
callbacks: options.callbacks,
|
|
2185
2201
|
nonce: dpop.nonce
|
|
2186
2202
|
}) : void 0;
|
|
2187
|
-
const requestQueryParams = (0,
|
|
2203
|
+
const requestQueryParams = (0, import_utils34.objectToQueryParams)({
|
|
2188
2204
|
...accessTokenRequest,
|
|
2189
2205
|
...clientAttestation?.body
|
|
2190
2206
|
});
|
|
2191
|
-
const { response, result } = await
|
|
2192
|
-
|
|
2193
|
-
|
|
2207
|
+
const { response, result } = await fetchWithZod(
|
|
2208
|
+
zAccessTokenResponse,
|
|
2209
|
+
import_utils34.ContentType.Json,
|
|
2194
2210
|
options.authorizationServerMetadata.token_endpoint,
|
|
2195
2211
|
{
|
|
2196
2212
|
body: requestQueryParams.toString(),
|
|
2197
2213
|
method: "POST",
|
|
2198
2214
|
headers: {
|
|
2199
|
-
"Content-Type":
|
|
2215
|
+
"Content-Type": import_utils34.ContentType.XWwwFormUrlencoded,
|
|
2200
2216
|
...clientAttestation?.headers,
|
|
2201
2217
|
...dpopHeaders
|
|
2202
2218
|
}
|
|
2203
2219
|
}
|
|
2204
2220
|
);
|
|
2205
2221
|
if (!response.ok || !result) {
|
|
2206
|
-
const tokenErrorResponse =
|
|
2207
|
-
vAccessTokenErrorResponse,
|
|
2222
|
+
const tokenErrorResponse = zAccessTokenErrorResponse.safeParse(
|
|
2208
2223
|
await response.clone().json().catch(() => null)
|
|
2209
2224
|
);
|
|
2210
2225
|
if (tokenErrorResponse.success) {
|
|
2211
2226
|
throw new Oauth2ClientErrorResponseError(
|
|
2212
2227
|
`Unable to retrieve access token from '${options.authorizationServerMetadata.token_endpoint}'. Received token error response with status ${response.status}`,
|
|
2213
|
-
tokenErrorResponse.
|
|
2228
|
+
tokenErrorResponse.data,
|
|
2214
2229
|
response
|
|
2215
2230
|
);
|
|
2216
2231
|
}
|
|
2217
|
-
throw new
|
|
2232
|
+
throw new import_utils35.InvalidFetchResponseError(
|
|
2218
2233
|
`Unable to retrieve access token from '${options.authorizationServerMetadata.token_endpoint}'. Received response with status ${response.status}`,
|
|
2219
2234
|
await response.clone().text(),
|
|
2220
2235
|
response
|
|
2221
2236
|
);
|
|
2222
2237
|
}
|
|
2223
2238
|
if (!result.success) {
|
|
2224
|
-
throw new ValidationError("Error validating access token response", result.
|
|
2239
|
+
throw new ValidationError("Error validating access token response", result.error);
|
|
2225
2240
|
}
|
|
2226
2241
|
const dpopNonce = extractDpopNonceFromHeaders(response.headers) ?? void 0;
|
|
2227
2242
|
return {
|
|
@@ -2229,18 +2244,17 @@ async function retrieveAccessToken(options) {
|
|
|
2229
2244
|
...dpop,
|
|
2230
2245
|
nonce: dpopNonce
|
|
2231
2246
|
} : void 0,
|
|
2232
|
-
accessTokenResponse: result.
|
|
2247
|
+
accessTokenResponse: result.data
|
|
2233
2248
|
};
|
|
2234
2249
|
}
|
|
2235
2250
|
});
|
|
2236
2251
|
}
|
|
2237
2252
|
|
|
2238
2253
|
// src/authorization-challenge/send-authorization-challenge.ts
|
|
2254
|
+
var import_utils36 = require("@openid4vc/utils");
|
|
2239
2255
|
var import_utils37 = require("@openid4vc/utils");
|
|
2240
|
-
var import_utils38 = require("@openid4vc/utils");
|
|
2241
|
-
var v18 = __toESM(require("valibot"));
|
|
2242
2256
|
async function sendAuthorizationChallengeRequest(options) {
|
|
2243
|
-
const
|
|
2257
|
+
const fetchWithZod = (0, import_utils36.createZodFetcher)(options.callbacks.fetch);
|
|
2244
2258
|
const authorizationServerMetadata = options.authorizationServerMetadata;
|
|
2245
2259
|
const authorizationChallengeEndpoint = authorizationServerMetadata.authorization_challenge_endpoint;
|
|
2246
2260
|
if (!authorizationChallengeEndpoint) {
|
|
@@ -2258,7 +2272,7 @@ async function sendAuthorizationChallengeRequest(options) {
|
|
|
2258
2272
|
clientAttestation: options.clientAttestation,
|
|
2259
2273
|
callbacks: options.callbacks
|
|
2260
2274
|
}) : void 0;
|
|
2261
|
-
const authorizationChallengeRequest = (0,
|
|
2275
|
+
const authorizationChallengeRequest = (0, import_utils36.parseWithErrorHandling)(zAuthorizationChallengeRequest, {
|
|
2262
2276
|
...options.additionalRequestPayload,
|
|
2263
2277
|
auth_session: options.authSession,
|
|
2264
2278
|
client_id: options.clientId,
|
|
@@ -2281,40 +2295,39 @@ async function sendAuthorizationChallengeRequest(options) {
|
|
|
2281
2295
|
callbacks: options.callbacks,
|
|
2282
2296
|
nonce: dpop.nonce
|
|
2283
2297
|
}) : void 0;
|
|
2284
|
-
const { response, result } = await
|
|
2285
|
-
|
|
2286
|
-
|
|
2298
|
+
const { response, result } = await fetchWithZod(
|
|
2299
|
+
zAuthorizationChallengeResponse,
|
|
2300
|
+
import_utils36.ContentType.Json,
|
|
2287
2301
|
authorizationChallengeEndpoint,
|
|
2288
2302
|
{
|
|
2289
2303
|
method: "POST",
|
|
2290
|
-
body: (0,
|
|
2304
|
+
body: (0, import_utils36.objectToQueryParams)(authorizationChallengeRequest).toString(),
|
|
2291
2305
|
headers: {
|
|
2292
2306
|
...clientAttestation?.headers,
|
|
2293
2307
|
...dpopHeaders,
|
|
2294
|
-
"Content-Type":
|
|
2308
|
+
"Content-Type": import_utils36.ContentType.XWwwFormUrlencoded
|
|
2295
2309
|
}
|
|
2296
2310
|
}
|
|
2297
2311
|
);
|
|
2298
2312
|
if (!response.ok || !result) {
|
|
2299
|
-
const authorizationChallengeErrorResponse =
|
|
2300
|
-
vAuthorizationChallengeErrorResponse,
|
|
2313
|
+
const authorizationChallengeErrorResponse = zAuthorizationChallengeErrorResponse.safeParse(
|
|
2301
2314
|
await response.clone().json().catch(() => null)
|
|
2302
2315
|
);
|
|
2303
2316
|
if (authorizationChallengeErrorResponse.success) {
|
|
2304
2317
|
throw new Oauth2ClientAuthorizationChallengeError(
|
|
2305
2318
|
`Error requesting authorization code from authorization challenge endpoint '${authorizationServerMetadata.authorization_challenge_endpoint}'. Received response with status ${response.status}`,
|
|
2306
|
-
authorizationChallengeErrorResponse.
|
|
2319
|
+
authorizationChallengeErrorResponse.data,
|
|
2307
2320
|
response
|
|
2308
2321
|
);
|
|
2309
2322
|
}
|
|
2310
|
-
throw new
|
|
2323
|
+
throw new import_utils37.InvalidFetchResponseError(
|
|
2311
2324
|
`Error requesting authorization code from authorization challenge endpoint '${authorizationServerMetadata.authorization_challenge_endpoint}'. Received response with status ${response.status}`,
|
|
2312
2325
|
await response.clone().text(),
|
|
2313
2326
|
response
|
|
2314
2327
|
);
|
|
2315
2328
|
}
|
|
2316
2329
|
if (!result.success) {
|
|
2317
|
-
throw new
|
|
2330
|
+
throw new import_utils36.ValidationError("Error validating authorization challenge response", result.error);
|
|
2318
2331
|
}
|
|
2319
2332
|
const dpopNonce = extractDpopNonceFromHeaders(response.headers) ?? void 0;
|
|
2320
2333
|
return {
|
|
@@ -2323,16 +2336,15 @@ async function sendAuthorizationChallengeRequest(options) {
|
|
|
2323
2336
|
...dpop,
|
|
2324
2337
|
nonce: dpopNonce
|
|
2325
2338
|
} : void 0,
|
|
2326
|
-
authorizationChallengeResponse: result.
|
|
2339
|
+
authorizationChallengeResponse: result.data
|
|
2327
2340
|
};
|
|
2328
2341
|
}
|
|
2329
2342
|
});
|
|
2330
2343
|
}
|
|
2331
2344
|
|
|
2332
2345
|
// src/authorization-request/create-authorization-request.ts
|
|
2346
|
+
var import_utils38 = require("@openid4vc/utils");
|
|
2333
2347
|
var import_utils39 = require("@openid4vc/utils");
|
|
2334
|
-
var import_utils40 = require("@openid4vc/utils");
|
|
2335
|
-
var v19 = __toESM(require("valibot"));
|
|
2336
2348
|
async function createAuthorizationRequestUrl(options) {
|
|
2337
2349
|
const authorizationServerMetadata = options.authorizationServerMetadata;
|
|
2338
2350
|
const pushedAuthorizationRequestEndpoint = authorizationServerMetadata.pushed_authorization_request_endpoint;
|
|
@@ -2414,7 +2426,7 @@ async function createAuthorizationRequestUrl(options) {
|
|
|
2414
2426
|
});
|
|
2415
2427
|
}
|
|
2416
2428
|
}
|
|
2417
|
-
const authorizationRequestUrl = `${authorizationServerMetadata.authorization_endpoint}?${(0,
|
|
2429
|
+
const authorizationRequestUrl = `${authorizationServerMetadata.authorization_endpoint}?${(0, import_utils38.objectToQueryParams)(pushedAuthorizationRequest ?? authorizationRequest).toString()}`;
|
|
2418
2430
|
return {
|
|
2419
2431
|
authorizationRequestUrl,
|
|
2420
2432
|
pkce,
|
|
@@ -2422,50 +2434,49 @@ async function createAuthorizationRequestUrl(options) {
|
|
|
2422
2434
|
};
|
|
2423
2435
|
}
|
|
2424
2436
|
async function pushAuthorizationRequest(options) {
|
|
2425
|
-
const
|
|
2437
|
+
const fetchWithZod = (0, import_utils38.createZodFetcher)(options.fetch);
|
|
2426
2438
|
if (options.authorizationRequest.request_uri) {
|
|
2427
2439
|
throw new Oauth2Error(
|
|
2428
2440
|
`Authorization request contains 'request_uri' parameter. This is not allowed for pushed authorization reuqests.`
|
|
2429
2441
|
);
|
|
2430
2442
|
}
|
|
2431
|
-
const { response, result } = await
|
|
2432
|
-
|
|
2433
|
-
|
|
2443
|
+
const { response, result } = await fetchWithZod(
|
|
2444
|
+
zPushedAuthorizationResponse,
|
|
2445
|
+
import_utils38.ContentType.Json,
|
|
2434
2446
|
options.pushedAuthorizationRequestEndpoint,
|
|
2435
2447
|
{
|
|
2436
2448
|
method: "POST",
|
|
2437
|
-
body: (0,
|
|
2449
|
+
body: (0, import_utils38.objectToQueryParams)(options.authorizationRequest).toString(),
|
|
2438
2450
|
headers: {
|
|
2439
2451
|
...options.headers,
|
|
2440
|
-
"Content-Type":
|
|
2452
|
+
"Content-Type": import_utils38.ContentType.XWwwFormUrlencoded
|
|
2441
2453
|
}
|
|
2442
2454
|
}
|
|
2443
2455
|
);
|
|
2444
2456
|
if (!response.ok || !result) {
|
|
2445
|
-
const parErrorResponse =
|
|
2446
|
-
vOauth2ErrorResponse,
|
|
2457
|
+
const parErrorResponse = zOauth2ErrorResponse.safeParse(
|
|
2447
2458
|
await response.clone().json().catch(() => null)
|
|
2448
2459
|
);
|
|
2449
2460
|
if (parErrorResponse.success) {
|
|
2450
2461
|
throw new Oauth2ClientErrorResponseError(
|
|
2451
2462
|
`Unable to push authorization request to '${options.pushedAuthorizationRequestEndpoint}'. Received response with status ${response.status}`,
|
|
2452
|
-
parErrorResponse.
|
|
2463
|
+
parErrorResponse.data,
|
|
2453
2464
|
response
|
|
2454
2465
|
);
|
|
2455
2466
|
}
|
|
2456
|
-
throw new
|
|
2467
|
+
throw new import_utils39.InvalidFetchResponseError(
|
|
2457
2468
|
`Unable to push authorization request to '${options.pushedAuthorizationRequestEndpoint}'. Received response with status ${response.status}`,
|
|
2458
2469
|
await response.clone().text(),
|
|
2459
2470
|
response
|
|
2460
2471
|
);
|
|
2461
2472
|
}
|
|
2462
2473
|
if (!result.success) {
|
|
2463
|
-
throw new ValidationError("Error validating pushed authorization response", result.
|
|
2474
|
+
throw new ValidationError("Error validating pushed authorization response", result.error);
|
|
2464
2475
|
}
|
|
2465
2476
|
const dpopNonce = extractDpopNonceFromHeaders(response.headers);
|
|
2466
2477
|
return {
|
|
2467
2478
|
dpopNonce,
|
|
2468
|
-
pushedAuthorizationResponse: result.
|
|
2479
|
+
pushedAuthorizationResponse: result.data
|
|
2469
2480
|
};
|
|
2470
2481
|
}
|
|
2471
2482
|
|
|
@@ -2523,7 +2534,7 @@ var Oauth2Client = class {
|
|
|
2523
2534
|
const isRecoverableError = error instanceof Oauth2ClientAuthorizationChallengeError && error.errorResponse.error === "redirect_to_web" /* RedirectToWeb */;
|
|
2524
2535
|
if (!isRecoverableError) throw error;
|
|
2525
2536
|
if (error.errorResponse.request_uri) {
|
|
2526
|
-
const authorizationRequestUrl = `${options.authorizationServerMetadata.authorization_endpoint}?${(0,
|
|
2537
|
+
const authorizationRequestUrl = `${options.authorizationServerMetadata.authorization_endpoint}?${(0, import_utils40.objectToQueryParams)(
|
|
2527
2538
|
{
|
|
2528
2539
|
request_uri: error.errorResponse.request_uri,
|
|
2529
2540
|
client_id: options.clientId
|
|
@@ -2688,16 +2699,16 @@ var Oauth2Client = class {
|
|
|
2688
2699
|
refreshTokenGrantIdentifier,
|
|
2689
2700
|
resourceRequest,
|
|
2690
2701
|
setGlobalConfig,
|
|
2691
|
-
vAuthorizationCodeGrantIdentifier,
|
|
2692
|
-
vAuthorizationServerMetadata,
|
|
2693
|
-
vCompactJwt,
|
|
2694
|
-
vJwk,
|
|
2695
|
-
vJwtHeader,
|
|
2696
|
-
vJwtPayload,
|
|
2697
|
-
vOauth2ErrorResponse,
|
|
2698
|
-
vPreAuthorizedCodeGrantIdentifier,
|
|
2699
|
-
vRefreshTokenGrantIdentifier,
|
|
2700
2702
|
verifyJwt,
|
|
2701
|
-
verifyResourceRequest
|
|
2703
|
+
verifyResourceRequest,
|
|
2704
|
+
zAuthorizationCodeGrantIdentifier,
|
|
2705
|
+
zAuthorizationServerMetadata,
|
|
2706
|
+
zCompactJwt,
|
|
2707
|
+
zJwk,
|
|
2708
|
+
zJwtHeader,
|
|
2709
|
+
zJwtPayload,
|
|
2710
|
+
zOauth2ErrorResponse,
|
|
2711
|
+
zPreAuthorizedCodeGrantIdentifier,
|
|
2712
|
+
zRefreshTokenGrantIdentifier
|
|
2702
2713
|
});
|
|
2703
2714
|
//# sourceMappingURL=index.js.map
|