@openid4vc/oauth2 0.3.0-alpha-20250206100745 → 0.3.0-alpha-20250224151429

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/index.d.mts +711 -641
  2. package/dist/index.d.ts +711 -641
  3. package/dist/index.js +409 -360
  4. package/dist/index.js.map +1 -1
  5. package/dist/index.mjs +338 -288
  6. package/dist/index.mjs.map +1 -1
  7. package/package.json +6 -6
package/dist/index.js CHANGED
@@ -31,7 +31,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
31
31
  var src_exports = {};
32
32
  __export(src_exports, {
33
33
  HashAlgorithm: () => HashAlgorithm,
34
- InvalidFetchResponseError: () => import_utils42.InvalidFetchResponseError,
34
+ InvalidFetchResponseError: () => import_utils43.InvalidFetchResponseError,
35
35
  Oauth2AuthorizationServer: () => Oauth2AuthorizationServer,
36
36
  Oauth2Client: () => Oauth2Client,
37
37
  Oauth2ClientAuthorizationChallengeError: () => Oauth2ClientAuthorizationChallengeError,
@@ -52,24 +52,28 @@ __export(src_exports, {
52
52
  clientAuthenticationDynamic: () => clientAuthenticationDynamic,
53
53
  clientAuthenticationNone: () => clientAuthenticationNone,
54
54
  decodeJwt: () => decodeJwt,
55
+ decodeJwtHeader: () => decodeJwtHeader,
55
56
  fetchAuthorizationServerMetadata: () => fetchAuthorizationServerMetadata,
56
57
  fetchJwks: () => fetchJwks,
57
58
  fetchWellKnownMetadata: () => fetchWellKnownMetadata,
58
59
  getAuthorizationServerMetadataFromList: () => getAuthorizationServerMetadataFromList,
59
- getGlobalConfig: () => import_utils41.getGlobalConfig,
60
+ getGlobalConfig: () => import_utils42.getGlobalConfig,
60
61
  isJwkInSet: () => isJwkInSet,
61
62
  jwtHeaderFromJwtSigner: () => jwtHeaderFromJwtSigner,
62
63
  jwtSignerFromJwt: () => jwtSignerFromJwt,
63
64
  preAuthorizedCodeGrantIdentifier: () => preAuthorizedCodeGrantIdentifier,
64
65
  refreshTokenGrantIdentifier: () => refreshTokenGrantIdentifier,
65
66
  resourceRequest: () => resourceRequest,
66
- setGlobalConfig: () => import_utils41.setGlobalConfig,
67
+ setGlobalConfig: () => import_utils42.setGlobalConfig,
67
68
  verifyJwt: () => verifyJwt,
68
69
  verifyResourceRequest: () => verifyResourceRequest,
70
+ zAlgValueNotNone: () => zAlgValueNotNone,
69
71
  zAuthorizationCodeGrantIdentifier: () => zAuthorizationCodeGrantIdentifier,
70
72
  zAuthorizationServerMetadata: () => zAuthorizationServerMetadata,
73
+ zCompactJwe: () => zCompactJwe,
71
74
  zCompactJwt: () => zCompactJwt,
72
75
  zJwk: () => zJwk,
76
+ zJwkSet: () => zJwkSet,
73
77
  zJwtHeader: () => zJwtHeader,
74
78
  zJwtPayload: () => zJwtPayload,
75
79
  zOauth2ErrorResponse: () => zOauth2ErrorResponse,
@@ -77,7 +81,7 @@ __export(src_exports, {
77
81
  zRefreshTokenGrantIdentifier: () => zRefreshTokenGrantIdentifier
78
82
  });
79
83
  module.exports = __toCommonJS(src_exports);
80
- var import_utils41 = require("@openid4vc/utils");
84
+ var import_utils42 = require("@openid4vc/utils");
81
85
 
82
86
  // src/common/z-oauth2-error.ts
83
87
  var import_zod = __toESM(require("zod"));
@@ -104,6 +108,17 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes2) => {
104
108
  Oauth2ErrorCodes2["InvalidProof"] = "invalid_proof";
105
109
  Oauth2ErrorCodes2["InvalidNonce"] = "invalid_nonce";
106
110
  Oauth2ErrorCodes2["InvalidEncryptionParameters"] = "invalid_encryption_parameters";
111
+ Oauth2ErrorCodes2["InvalidRequestUri"] = "invalid_request_uri";
112
+ Oauth2ErrorCodes2["InvalidRequestObject"] = "invalid_request_object";
113
+ Oauth2ErrorCodes2["RequestNotSupported"] = "request_not_supported";
114
+ Oauth2ErrorCodes2["RequestUriNotSupported"] = "request_uri_not_supported";
115
+ Oauth2ErrorCodes2["VpFormatsNotSupported"] = "vp_formats_not_supported";
116
+ Oauth2ErrorCodes2["AccessDenied"] = "access_denied";
117
+ Oauth2ErrorCodes2["InvalidPresentationDefinitionUri"] = "invalid_presentation_definition_uri";
118
+ Oauth2ErrorCodes2["InvalidPresentationDefinitionReference"] = "invalid_presentation_definition_reference";
119
+ Oauth2ErrorCodes2["InvalidRequestUriMethod"] = "invalid_request_uri_method";
120
+ Oauth2ErrorCodes2["InvalidTransactionData"] = "invalid_transaction_data";
121
+ Oauth2ErrorCodes2["WalletUnavailable"] = "wallet_unavailable";
107
122
  return Oauth2ErrorCodes2;
108
123
  })(Oauth2ErrorCodes || {});
109
124
  var zOauth2ErrorResponse = import_zod.default.object({
@@ -244,69 +259,13 @@ var zJwk = import_zod3.default.object({
244
259
  q: import_zod3.default.optional(import_zod3.default.string()),
245
260
  qi: import_zod3.default.optional(import_zod3.default.string()),
246
261
  use: import_zod3.default.optional(import_zod3.default.string()),
247
- x5c: import_zod3.default.optional(import_zod3.default.string()),
262
+ x5c: import_zod3.default.optional(import_zod3.default.array(import_zod3.default.string())),
248
263
  x5t: import_zod3.default.optional(import_zod3.default.string()),
249
264
  "x5t#S256": import_zod3.default.optional(import_zod3.default.string()),
250
265
  x5u: import_zod3.default.optional(import_zod3.default.string())
251
266
  }).passthrough();
252
267
  var zJwkSet = import_zod3.default.object({ keys: import_zod3.default.array(zJwk) }).passthrough();
253
268
 
254
- // src/common/jwt/verify-jwt.ts
255
- var import_utils2 = require("@openid4vc/utils");
256
-
257
- // src/error/Oauth2JwtVerificationError.ts
258
- var Oauth2JwtVerificationError = class extends Oauth2Error {
259
- constructor(message, options) {
260
- const errorMessage = message ?? "Error verifiying jwt.";
261
- super(errorMessage, options);
262
- }
263
- };
264
-
265
- // src/common/jwt/verify-jwt.ts
266
- async function verifyJwt(options) {
267
- const errorMessage = options.errorMessage ?? "Error during verification of jwt.";
268
- let signerJwk;
269
- try {
270
- const result = await options.verifyJwtCallback(options.signer, {
271
- header: options.header,
272
- payload: options.payload,
273
- compact: options.compact
274
- });
275
- if (!result.verified) throw new Oauth2JwtVerificationError(errorMessage);
276
- signerJwk = result.signerJwk;
277
- } catch (error) {
278
- if (error instanceof Oauth2JwtVerificationError) throw error;
279
- throw new Oauth2JwtVerificationError(errorMessage, { cause: error });
280
- }
281
- const nowInSeconds = (0, import_utils2.dateToSeconds)(options.now ?? /* @__PURE__ */ new Date());
282
- const skewInSeconds = options.allowedSkewInSeconds ?? 0;
283
- const timeBasedValidation = options.skipTimeBasedValidation !== void 0 ? !options.skipTimeBasedValidation : true;
284
- if (timeBasedValidation && options.payload.nbf && nowInSeconds < options.payload.nbf - skewInSeconds) {
285
- throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nbf' is in the future`);
286
- }
287
- if (timeBasedValidation && options.payload.exp && nowInSeconds > options.payload.exp + skewInSeconds) {
288
- throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'exp' is in the past`);
289
- }
290
- if (options.expectedAudience && options.expectedAudience !== options.payload.aud) {
291
- throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'aud' does not match expected value.`);
292
- }
293
- if (options.expectedIssuer && options.expectedIssuer !== options.payload.iss) {
294
- throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'iss' does not match expected value.`);
295
- }
296
- if (options.expectedNonce && options.expectedNonce !== options.payload.nonce) {
297
- throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nonce' does not match expected value.`);
298
- }
299
- if (options.expectedSubject && options.expectedSubject !== options.payload.sub) {
300
- throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'sub' does not match expected value.`);
301
- }
302
- return {
303
- signer: {
304
- ...options.signer,
305
- publicJwk: signerJwk
306
- }
307
- };
308
- }
309
-
310
269
  // src/common/jwt/decode-jwt.ts
311
270
  var import_utils4 = require("@openid4vc/utils");
312
271
 
@@ -318,8 +277,11 @@ var Oauth2JwtParseError = class extends Oauth2Error {
318
277
  }
319
278
  };
320
279
 
321
- // src/common/jwt/z-jwt.ts
280
+ // src/common/jwt/decode-jwt-header.ts
322
281
  var import_utils3 = require("@openid4vc/utils");
282
+
283
+ // src/common/jwt/z-jwt.ts
284
+ var import_utils2 = require("@openid4vc/utils");
323
285
  var import_zod5 = __toESM(require("zod"));
324
286
 
325
287
  // src/common/z-common.ts
@@ -338,9 +300,9 @@ var zJwtConfirmationPayload = import_zod5.default.object({
338
300
  var zJwtPayload = import_zod5.default.object({
339
301
  iss: import_zod5.default.string().optional(),
340
302
  aud: import_zod5.default.string().optional(),
341
- iat: import_utils3.zInteger.optional(),
342
- exp: import_utils3.zInteger.optional(),
343
- nbf: import_utils3.zInteger.optional(),
303
+ iat: import_utils2.zInteger.optional(),
304
+ exp: import_utils2.zInteger.optional(),
305
+ nbf: import_utils2.zInteger.optional(),
344
306
  nonce: import_zod5.default.string().optional(),
345
307
  jti: import_zod5.default.string().optional(),
346
308
  cnf: zJwtConfirmationPayload.optional(),
@@ -356,27 +318,43 @@ var zJwtHeader = import_zod5.default.object({
356
318
  trust_chain: import_zod5.default.array(import_zod5.default.string()).optional()
357
319
  }).passthrough();
358
320
 
321
+ // src/common/jwt/decode-jwt-header.ts
322
+ function decodeJwtHeader(options) {
323
+ const jwtParts = options.jwt.split(".");
324
+ if (jwtParts.length <= 2) {
325
+ throw new Oauth2JwtParseError("Jwt is not a valid jwt, unable to decode");
326
+ }
327
+ let headerJson;
328
+ try {
329
+ headerJson = (0, import_utils3.stringToJsonWithErrorHandling)(
330
+ (0, import_utils3.encodeToUtf8String)((0, import_utils3.decodeBase64)(jwtParts[0])),
331
+ "Unable to parse jwt header to JSON"
332
+ );
333
+ } catch (error) {
334
+ throw new Oauth2JwtParseError(`Error parsing JWT. ${error instanceof Error ? error.message : ""}`);
335
+ }
336
+ const header = (0, import_utils3.parseWithErrorHandling)(options.headerSchema ?? zJwtHeader, headerJson);
337
+ return {
338
+ header
339
+ };
340
+ }
341
+
359
342
  // src/common/jwt/decode-jwt.ts
360
343
  function decodeJwt(options) {
361
344
  const jwtParts = options.jwt.split(".");
362
345
  if (jwtParts.length !== 3) {
363
346
  throw new Oauth2JwtParseError("Jwt is not a valid jwt, unable to decode");
364
347
  }
365
- let headerJson;
366
348
  let payloadJson;
367
349
  try {
368
- headerJson = (0, import_utils4.stringToJsonWithErrorHandling)(
369
- (0, import_utils4.encodeToUtf8String)((0, import_utils4.decodeBase64)(jwtParts[0])),
370
- "Unable to parse jwt header to JSON"
371
- );
372
350
  payloadJson = (0, import_utils4.stringToJsonWithErrorHandling)(
373
351
  (0, import_utils4.encodeToUtf8String)((0, import_utils4.decodeBase64)(jwtParts[1])),
374
352
  "Unable to parse jwt payload to JSON"
375
353
  );
376
354
  } catch (error) {
377
- throw new Oauth2JwtParseError("Error parsing JWT");
355
+ throw new Oauth2JwtParseError(`Error parsing JWT. ${error instanceof Error ? error.message : ""}`);
378
356
  }
379
- const header = (0, import_utils4.parseWithErrorHandling)(options.headerSchema ?? zJwtHeader, headerJson);
357
+ const { header } = decodeJwtHeader({ jwt: options.jwt, headerSchema: options.headerSchema });
380
358
  const payload = (0, import_utils4.parseWithErrorHandling)(options.payloadSchema ?? zJwtPayload, payloadJson);
381
359
  return {
382
360
  header,
@@ -467,6 +445,41 @@ function jwtSignerFromJwt({ header, payload }) {
467
445
  };
468
446
  }
469
447
 
448
+ // src/common/jwt/z-jwe.ts
449
+ var import_zod6 = require("zod");
450
+ var zCompactJwe = import_zod6.z.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, {
451
+ message: "Not a valid compact jwe"
452
+ });
453
+
454
+ // src/index.ts
455
+ var import_utils43 = require("@openid4vc/utils");
456
+
457
+ // src/error/Oauth2ClientErrorResponseError.ts
458
+ var Oauth2ClientErrorResponseError = class extends Oauth2Error {
459
+ constructor(message, errorResponse, response) {
460
+ super(`${message}
461
+ ${JSON.stringify(errorResponse, null, 2)}`);
462
+ this.errorResponse = errorResponse;
463
+ this.response = response.clone();
464
+ }
465
+ };
466
+
467
+ // src/error/Oauth2ClientAuthorizationChallengeError.ts
468
+ var Oauth2ClientAuthorizationChallengeError = class extends Oauth2ClientErrorResponseError {
469
+ constructor(message, errorResponse, response) {
470
+ super(message, errorResponse, response);
471
+ this.errorResponse = errorResponse;
472
+ }
473
+ };
474
+
475
+ // src/error/Oauth2JwtVerificationError.ts
476
+ var Oauth2JwtVerificationError = class extends Oauth2Error {
477
+ constructor(message, options) {
478
+ const errorMessage = message ?? "Error verifiying jwt.";
479
+ super(errorMessage, options);
480
+ }
481
+ };
482
+
470
483
  // src/error/Oauth2ResourceUnauthorizedError.ts
471
484
  var import_utils5 = require("@openid4vc/utils");
472
485
  var Oauth2ResourceUnauthorizedError = class _Oauth2ResourceUnauthorizedError extends Oauth2Error {
@@ -505,27 +518,6 @@ ${JSON.stringify(wwwAuthenticateHeaders, null, 2)}`);
505
518
  }
506
519
  };
507
520
 
508
- // src/index.ts
509
- var import_utils42 = require("@openid4vc/utils");
510
-
511
- // src/error/Oauth2ClientErrorResponseError.ts
512
- var Oauth2ClientErrorResponseError = class extends Oauth2Error {
513
- constructor(message, errorResponse, response) {
514
- super(`${message}
515
- ${JSON.stringify(errorResponse, null, 2)}`);
516
- this.errorResponse = errorResponse;
517
- this.response = response.clone();
518
- }
519
- };
520
-
521
- // src/error/Oauth2ClientAuthorizationChallengeError.ts
522
- var Oauth2ClientAuthorizationChallengeError = class extends Oauth2ClientErrorResponseError {
523
- constructor(message, errorResponse, response) {
524
- super(message, errorResponse, response);
525
- this.errorResponse = errorResponse;
526
- }
527
- };
528
-
529
521
  // src/error/Oauth2ServerErrorResponseError.ts
530
522
  var Oauth2ServerErrorResponseError = class extends Oauth2Error {
531
523
  constructor(errorResponse, options) {
@@ -539,50 +531,12 @@ ${JSON.stringify(errorResponse, null, 2)}`,
539
531
  }
540
532
  };
541
533
 
542
- // src/metadata/authorization-server/z-authorization-server-metadata.ts
543
- var import_utils6 = require("@openid4vc/utils");
544
- var import_zod6 = __toESM(require("zod"));
545
- var zAuthorizationServerMetadata = import_zod6.default.object({
546
- issuer: import_utils6.zHttpsUrl,
547
- token_endpoint: import_utils6.zHttpsUrl,
548
- token_endpoint_auth_methods_supported: import_zod6.default.optional(import_zod6.default.array(import_zod6.default.string())),
549
- authorization_endpoint: import_zod6.default.optional(import_utils6.zHttpsUrl),
550
- jwks_uri: import_zod6.default.optional(import_utils6.zHttpsUrl),
551
- // RFC7636
552
- code_challenge_methods_supported: import_zod6.default.optional(import_zod6.default.array(import_zod6.default.string())),
553
- // RFC9449
554
- dpop_signing_alg_values_supported: import_zod6.default.optional(import_zod6.default.array(import_zod6.default.string())),
555
- // RFC9126
556
- require_pushed_authorization_requests: import_zod6.default.optional(import_zod6.default.boolean()),
557
- pushed_authorization_request_endpoint: import_zod6.default.optional(import_utils6.zHttpsUrl),
558
- // RFC9068
559
- introspection_endpoint: import_zod6.default.optional(import_utils6.zHttpsUrl),
560
- introspection_endpoint_auth_methods_supported: import_zod6.default.optional(
561
- import_zod6.default.array(import_zod6.default.union([import_zod6.default.literal("client_secret_jwt"), import_zod6.default.literal("private_key_jwt"), import_zod6.default.string()]))
562
- ),
563
- introspection_endpoint_auth_signing_alg_values_supported: import_zod6.default.optional(import_zod6.default.array(zAlgValueNotNone)),
564
- // FiPA (no RFC yet)
565
- authorization_challenge_endpoint: import_zod6.default.optional(import_utils6.zHttpsUrl),
566
- // From OID4VCI specification
567
- pre_authorized_grant_anonymous_access_supported: import_zod6.default.optional(import_zod6.default.boolean())
568
- }).passthrough().refine(
569
- ({
570
- introspection_endpoint_auth_methods_supported: methodsSupported,
571
- introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported
572
- }) => {
573
- if (!methodsSupported) return true;
574
- if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
575
- return algValuesSupported !== void 0 && algValuesSupported.length > 0;
576
- },
577
- `Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`
578
- );
579
-
580
534
  // src/metadata/authorization-server/authorization-server-metadata.ts
581
535
  var import_utils9 = require("@openid4vc/utils");
582
536
 
583
537
  // src/metadata/fetch-well-known-metadata.ts
538
+ var import_utils6 = require("@openid4vc/utils");
584
539
  var import_utils7 = require("@openid4vc/utils");
585
- var import_utils8 = require("@openid4vc/utils");
586
540
 
587
541
  // ../utils/src/error/ValidationError.ts
588
542
  var import_zod7 = require("zod");
@@ -665,13 +619,13 @@ var ValidationError = class extends Error {
665
619
 
666
620
  // src/metadata/fetch-well-known-metadata.ts
667
621
  async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
668
- const fetcher = (0, import_utils7.createZodFetcher)(fetch);
669
- const { result, response } = await fetcher(schema, import_utils7.ContentType.Json, wellKnownMetadataUrl);
622
+ const fetcher = (0, import_utils6.createZodFetcher)(fetch);
623
+ const { result, response } = await fetcher(schema, import_utils6.ContentType.Json, wellKnownMetadataUrl);
670
624
  if (response.status === 404) {
671
625
  return null;
672
626
  }
673
627
  if (!response.ok) {
674
- throw new import_utils8.InvalidFetchResponseError(
628
+ throw new import_utils7.InvalidFetchResponseError(
675
629
  `Fetching well known metadata from '${wellKnownMetadataUrl}' resulted in an unsuccessfull response with status '${response.status}'.`,
676
630
  await response.clone().text(),
677
631
  response
@@ -683,6 +637,44 @@ async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
683
637
  return result.data;
684
638
  }
685
639
 
640
+ // src/metadata/authorization-server/z-authorization-server-metadata.ts
641
+ var import_utils8 = require("@openid4vc/utils");
642
+ var import_zod8 = __toESM(require("zod"));
643
+ var zAuthorizationServerMetadata = import_zod8.default.object({
644
+ issuer: import_utils8.zHttpsUrl,
645
+ token_endpoint: import_utils8.zHttpsUrl,
646
+ token_endpoint_auth_methods_supported: import_zod8.default.optional(import_zod8.default.array(import_zod8.default.string())),
647
+ authorization_endpoint: import_zod8.default.optional(import_utils8.zHttpsUrl),
648
+ jwks_uri: import_zod8.default.optional(import_utils8.zHttpsUrl),
649
+ // RFC7636
650
+ code_challenge_methods_supported: import_zod8.default.optional(import_zod8.default.array(import_zod8.default.string())),
651
+ // RFC9449
652
+ dpop_signing_alg_values_supported: import_zod8.default.optional(import_zod8.default.array(import_zod8.default.string())),
653
+ // RFC9126
654
+ require_pushed_authorization_requests: import_zod8.default.optional(import_zod8.default.boolean()),
655
+ pushed_authorization_request_endpoint: import_zod8.default.optional(import_utils8.zHttpsUrl),
656
+ // RFC9068
657
+ introspection_endpoint: import_zod8.default.optional(import_utils8.zHttpsUrl),
658
+ introspection_endpoint_auth_methods_supported: import_zod8.default.optional(
659
+ import_zod8.default.array(import_zod8.default.union([import_zod8.default.literal("client_secret_jwt"), import_zod8.default.literal("private_key_jwt"), import_zod8.default.string()]))
660
+ ),
661
+ introspection_endpoint_auth_signing_alg_values_supported: import_zod8.default.optional(import_zod8.default.array(zAlgValueNotNone)),
662
+ // FiPA (no RFC yet)
663
+ authorization_challenge_endpoint: import_zod8.default.optional(import_utils8.zHttpsUrl),
664
+ // From OpenID4VCI specification
665
+ pre_authorized_grant_anonymous_access_supported: import_zod8.default.optional(import_zod8.default.boolean())
666
+ }).passthrough().refine(
667
+ ({
668
+ introspection_endpoint_auth_methods_supported: methodsSupported,
669
+ introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported
670
+ }) => {
671
+ if (!methodsSupported) return true;
672
+ if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
673
+ return algValuesSupported !== void 0 && algValuesSupported.length > 0;
674
+ },
675
+ `Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`
676
+ );
677
+
686
678
  // src/metadata/authorization-server/authorization-server-metadata.ts
687
679
  var wellKnownAuthorizationServerSuffix = ".well-known/oauth-authorization-server";
688
680
  var wellKnownOpenIdConfigurationServerSuffix = ".well-known/openid-configuration";
@@ -754,25 +746,78 @@ async function fetchJwks(authorizationServer, fetch) {
754
746
  return result.data;
755
747
  }
756
748
 
757
- // src/access-token/z-access-token-jwt.ts
749
+ // src/common/jwt/verify-jwt.ts
758
750
  var import_utils12 = require("@openid4vc/utils");
759
- var import_zod8 = __toESM(require("zod"));
760
- var zAccessTokenProfileJwtHeader = import_zod8.default.object({
751
+ async function verifyJwt(options) {
752
+ const errorMessage = options.errorMessage ?? "Error during verification of jwt.";
753
+ let signerJwk;
754
+ try {
755
+ const result = await options.verifyJwtCallback(options.signer, {
756
+ header: options.header,
757
+ payload: options.payload,
758
+ compact: options.compact
759
+ });
760
+ if (!result.verified) throw new Oauth2JwtVerificationError(errorMessage);
761
+ signerJwk = result.signerJwk;
762
+ } catch (error) {
763
+ if (error instanceof Oauth2JwtVerificationError) throw error;
764
+ throw new Oauth2JwtVerificationError(errorMessage, { cause: error });
765
+ }
766
+ const nowInSeconds = (0, import_utils12.dateToSeconds)(options.now ?? /* @__PURE__ */ new Date());
767
+ const skewInSeconds = options.allowedSkewInSeconds ?? 0;
768
+ const timeBasedValidation = options.skipTimeBasedValidation !== void 0 ? !options.skipTimeBasedValidation : true;
769
+ if (timeBasedValidation && options.payload.nbf && nowInSeconds < options.payload.nbf - skewInSeconds) {
770
+ throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nbf' is in the future`);
771
+ }
772
+ if (timeBasedValidation && options.payload.exp && nowInSeconds > options.payload.exp + skewInSeconds) {
773
+ throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'exp' is in the past`);
774
+ }
775
+ if (options.expectedAudience && options.expectedAudience !== options.payload.aud) {
776
+ throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'aud' does not match expected value.`);
777
+ }
778
+ if (options.expectedIssuer && options.expectedIssuer !== options.payload.iss) {
779
+ throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'iss' does not match expected value.`);
780
+ }
781
+ if (options.expectedNonce && options.expectedNonce !== options.payload.nonce) {
782
+ throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nonce' does not match expected value.`);
783
+ }
784
+ if (options.expectedSubject && options.expectedSubject !== options.payload.sub) {
785
+ throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'sub' does not match expected value.`);
786
+ }
787
+ if (options.requiredClaims) {
788
+ for (const claim of options.requiredClaims) {
789
+ if (!options.payload[claim]) {
790
+ throw new Oauth2JwtVerificationError(`${errorMessage} jwt '${claim}' is missing.`);
791
+ }
792
+ }
793
+ }
794
+ return {
795
+ signer: {
796
+ ...options.signer,
797
+ publicJwk: signerJwk
798
+ }
799
+ };
800
+ }
801
+
802
+ // src/access-token/z-access-token-jwt.ts
803
+ var import_utils13 = require("@openid4vc/utils");
804
+ var import_zod9 = __toESM(require("zod"));
805
+ var zAccessTokenProfileJwtHeader = import_zod9.default.object({
761
806
  ...zJwtHeader.shape,
762
- typ: import_zod8.default.enum(["application/at+jwt", "at+jwt"])
807
+ typ: import_zod9.default.enum(["application/at+jwt", "at+jwt"])
763
808
  }).passthrough();
764
- var zAccessTokenProfileJwtPayload = import_zod8.default.object({
809
+ var zAccessTokenProfileJwtPayload = import_zod9.default.object({
765
810
  ...zJwtPayload.shape,
766
- iss: import_zod8.default.string(),
767
- exp: import_utils12.zInteger,
768
- iat: import_utils12.zInteger,
769
- aud: import_zod8.default.string(),
770
- sub: import_zod8.default.string(),
771
- // REQUIRED according to RFC 9068, but OID4VCI allows anonymous access
772
- client_id: import_zod8.default.optional(import_zod8.default.string()),
773
- jti: import_zod8.default.string(),
811
+ iss: import_zod9.default.string(),
812
+ exp: import_utils13.zInteger,
813
+ iat: import_utils13.zInteger,
814
+ aud: import_zod9.default.string(),
815
+ sub: import_zod9.default.string(),
816
+ // REQUIRED according to RFC 9068, but OpenID4VCI allows anonymous access
817
+ client_id: import_zod9.default.optional(import_zod9.default.string()),
818
+ jti: import_zod9.default.string(),
774
819
  // SHOULD be included in the authorization request contained it
775
- scope: import_zod8.default.optional(import_zod8.default.string())
820
+ scope: import_zod9.default.optional(import_zod9.default.string())
776
821
  }).passthrough();
777
822
 
778
823
  // src/access-token/verify-access-token.ts
@@ -817,26 +862,26 @@ async function verifyJwtProfileAccessToken(options) {
817
862
  }
818
863
 
819
864
  // src/resource-request/make-resource-request.ts
820
- var import_utils15 = require("@openid4vc/utils");
865
+ var import_utils16 = require("@openid4vc/utils");
821
866
 
822
867
  // src/dpop/dpop.ts
823
- var import_utils14 = require("@openid4vc/utils");
868
+ var import_utils15 = require("@openid4vc/utils");
824
869
 
825
870
  // src/dpop/z-dpop.ts
826
- var import_utils13 = require("@openid4vc/utils");
827
- var import_zod9 = __toESM(require("zod"));
828
- var zDpopJwtPayload = import_zod9.default.object({
871
+ var import_utils14 = require("@openid4vc/utils");
872
+ var import_zod10 = __toESM(require("zod"));
873
+ var zDpopJwtPayload = import_zod10.default.object({
829
874
  ...zJwtPayload.shape,
830
- iat: import_utils13.zInteger,
831
- htu: import_utils13.zHttpsUrl,
832
- htm: import_utils13.zHttpMethod,
833
- jti: import_zod9.default.string(),
875
+ iat: import_utils14.zInteger,
876
+ htu: import_utils14.zHttpsUrl,
877
+ htm: import_utils14.zHttpMethod,
878
+ jti: import_zod10.default.string(),
834
879
  // Only required when presenting in combination with access token
835
- ath: import_zod9.default.optional(import_zod9.default.string())
880
+ ath: import_zod10.default.optional(import_zod10.default.string())
836
881
  }).passthrough();
837
- var zDpopJwtHeader = import_zod9.default.object({
882
+ var zDpopJwtHeader = import_zod10.default.object({
838
883
  ...zJwtHeader.shape,
839
- typ: import_zod9.default.literal("dpop+jwt"),
884
+ typ: import_zod10.default.literal("dpop+jwt"),
840
885
  jwk: zJwk
841
886
  }).passthrough();
842
887
 
@@ -850,18 +895,18 @@ async function createDpopHeadersForRequest(options) {
850
895
  async function createDpopJwt(options) {
851
896
  let ath = void 0;
852
897
  if (options.accessToken) {
853
- ath = (0, import_utils14.encodeToBase64Url)(await options.callbacks.hash((0, import_utils14.decodeUtf8String)(options.accessToken), "SHA-256" /* Sha256 */));
898
+ ath = (0, import_utils15.encodeToBase64Url)(await options.callbacks.hash((0, import_utils15.decodeUtf8String)(options.accessToken), "SHA-256" /* Sha256 */));
854
899
  }
855
- const header = (0, import_utils14.parseWithErrorHandling)(zDpopJwtHeader, {
900
+ const header = (0, import_utils15.parseWithErrorHandling)(zDpopJwtHeader, {
856
901
  typ: "dpop+jwt",
857
902
  jwk: options.signer.publicJwk,
858
903
  alg: options.signer.alg
859
904
  });
860
- const payload = (0, import_utils14.parseWithErrorHandling)(zDpopJwtPayload, {
905
+ const payload = (0, import_utils15.parseWithErrorHandling)(zDpopJwtPayload, {
861
906
  htu: htuFromRequestUrl(options.request.url),
862
- iat: (0, import_utils14.dateToSeconds)(options.issuedAt),
907
+ iat: (0, import_utils15.dateToSeconds)(options.issuedAt),
863
908
  htm: options.request.method,
864
- jti: (0, import_utils14.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
909
+ jti: (0, import_utils15.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
865
910
  ath,
866
911
  nonce: options.nonce,
867
912
  ...options.additionalPayload
@@ -903,8 +948,8 @@ async function verifyDpopJwt(options) {
903
948
  throw new Oauth2Error(`Dpop jwt contains htu value '${payload.htu}', but expected htu value '${expectedHtu}'.`);
904
949
  }
905
950
  if (options.accessToken) {
906
- const expectedAth = (0, import_utils14.encodeToBase64Url)(
907
- await options.callbacks.hash((0, import_utils14.decodeUtf8String)(options.accessToken), "SHA-256" /* Sha256 */)
951
+ const expectedAth = (0, import_utils15.encodeToBase64Url)(
952
+ await options.callbacks.hash((0, import_utils15.decodeUtf8String)(options.accessToken), "SHA-256" /* Sha256 */)
908
953
  );
909
954
  if (!payload.ath) {
910
955
  throw new Oauth2Error(`Dpop jwt does not have a ath value, but expected ath value '${expectedAth}'.`);
@@ -944,7 +989,7 @@ async function verifyDpopJwt(options) {
944
989
  };
945
990
  }
946
991
  function htuFromRequestUrl(requestUrl) {
947
- const htu = new import_utils14.URL(requestUrl);
992
+ const htu = new import_utils15.URL(requestUrl);
948
993
  htu.search = "";
949
994
  htu.hash = "";
950
995
  return htu.toString();
@@ -1029,7 +1074,7 @@ async function resourceRequest(options) {
1029
1074
  nonce: options.dpop.nonce,
1030
1075
  accessToken: options.accessToken
1031
1076
  }) : void 0;
1032
- const fetch = options.callbacks.fetch ?? import_utils15.defaultFetcher;
1077
+ const fetch = options.callbacks.fetch ?? import_utils16.defaultFetcher;
1033
1078
  const response = await fetch(options.url, {
1034
1079
  ...options.requestOptions,
1035
1080
  headers: {
@@ -1077,40 +1122,40 @@ async function resourceRequest(options) {
1077
1122
  }
1078
1123
 
1079
1124
  // src/resource-request/verify-resource-request.ts
1080
- var import_utils20 = require("@openid4vc/utils");
1125
+ var import_utils21 = require("@openid4vc/utils");
1081
1126
 
1082
1127
  // src/access-token/introspect-token.ts
1083
- var import_utils17 = require("@openid4vc/utils");
1084
1128
  var import_utils18 = require("@openid4vc/utils");
1085
1129
  var import_utils19 = require("@openid4vc/utils");
1130
+ var import_utils20 = require("@openid4vc/utils");
1086
1131
 
1087
1132
  // src/access-token/z-token-introspection.ts
1088
- var import_utils16 = require("@openid4vc/utils");
1089
- var import_zod10 = __toESM(require("zod"));
1090
- var zTokenIntrospectionRequest = import_zod10.default.object({
1091
- token: import_zod10.default.string(),
1092
- token_type_hint: import_zod10.default.optional(import_zod10.default.string())
1133
+ var import_utils17 = require("@openid4vc/utils");
1134
+ var import_zod11 = __toESM(require("zod"));
1135
+ var zTokenIntrospectionRequest = import_zod11.default.object({
1136
+ token: import_zod11.default.string(),
1137
+ token_type_hint: import_zod11.default.optional(import_zod11.default.string())
1093
1138
  }).passthrough();
1094
- var zTokenIntrospectionResponse = import_zod10.default.object({
1095
- active: import_zod10.default.boolean(),
1096
- scope: import_zod10.default.optional(import_zod10.default.string()),
1097
- client_id: import_zod10.default.optional(import_zod10.default.string()),
1098
- username: import_zod10.default.optional(import_zod10.default.string()),
1099
- token_type: import_zod10.default.optional(import_zod10.default.string()),
1100
- exp: import_zod10.default.optional(import_utils16.zInteger),
1101
- iat: import_zod10.default.optional(import_utils16.zInteger),
1102
- nbf: import_zod10.default.optional(import_utils16.zInteger),
1103
- sub: import_zod10.default.optional(import_zod10.default.string()),
1104
- aud: import_zod10.default.optional(import_zod10.default.string()),
1105
- iss: import_zod10.default.optional(import_zod10.default.string()),
1106
- jti: import_zod10.default.optional(import_zod10.default.string()),
1107
- cnf: import_zod10.default.optional(zJwtConfirmationPayload)
1139
+ var zTokenIntrospectionResponse = import_zod11.default.object({
1140
+ active: import_zod11.default.boolean(),
1141
+ scope: import_zod11.default.optional(import_zod11.default.string()),
1142
+ client_id: import_zod11.default.optional(import_zod11.default.string()),
1143
+ username: import_zod11.default.optional(import_zod11.default.string()),
1144
+ token_type: import_zod11.default.optional(import_zod11.default.string()),
1145
+ exp: import_zod11.default.optional(import_utils17.zInteger),
1146
+ iat: import_zod11.default.optional(import_utils17.zInteger),
1147
+ nbf: import_zod11.default.optional(import_utils17.zInteger),
1148
+ sub: import_zod11.default.optional(import_zod11.default.string()),
1149
+ aud: import_zod11.default.optional(import_zod11.default.string()),
1150
+ iss: import_zod11.default.optional(import_zod11.default.string()),
1151
+ jti: import_zod11.default.optional(import_zod11.default.string()),
1152
+ cnf: import_zod11.default.optional(zJwtConfirmationPayload)
1108
1153
  }).passthrough();
1109
1154
 
1110
1155
  // src/access-token/introspect-token.ts
1111
1156
  async function introspectToken(options) {
1112
- const fetchWithZod = (0, import_utils17.createZodFetcher)(options.callbacks.fetch);
1113
- const introspectionRequest = (0, import_utils17.parseWithErrorHandling)(zTokenIntrospectionRequest, {
1157
+ const fetchWithZod = (0, import_utils18.createZodFetcher)(options.callbacks.fetch);
1158
+ const introspectionRequest = (0, import_utils18.parseWithErrorHandling)(zTokenIntrospectionRequest, {
1114
1159
  token: options.token,
1115
1160
  token_type_hint: options.tokenTypeHint,
1116
1161
  ...options.additionalPayload
@@ -1119,29 +1164,29 @@ async function introspectToken(options) {
1119
1164
  if (!introspectionEndpoint) {
1120
1165
  throw new Oauth2Error(`Missing required 'introspection_endpoint' parameter in authorization server metadata`);
1121
1166
  }
1122
- const headers = new import_utils19.Headers({
1123
- "Content-Type": import_utils17.ContentType.XWwwFormUrlencoded
1167
+ const headers = new import_utils20.Headers({
1168
+ "Content-Type": import_utils18.ContentType.XWwwFormUrlencoded
1124
1169
  });
1125
1170
  await options.callbacks.clientAuthentication({
1126
1171
  url: introspectionEndpoint,
1127
1172
  method: "POST",
1128
1173
  authorizationServerMetata: options.authorizationServerMetadata,
1129
1174
  body: introspectionRequest,
1130
- contentType: import_utils17.ContentType.XWwwFormUrlencoded,
1175
+ contentType: import_utils18.ContentType.XWwwFormUrlencoded,
1131
1176
  headers
1132
1177
  });
1133
1178
  const { result, response } = await fetchWithZod(
1134
1179
  zTokenIntrospectionResponse,
1135
- import_utils17.ContentType.Json,
1180
+ import_utils18.ContentType.Json,
1136
1181
  introspectionEndpoint,
1137
1182
  {
1138
- body: (0, import_utils17.objectToQueryParams)(introspectionRequest).toString(),
1183
+ body: (0, import_utils18.objectToQueryParams)(introspectionRequest).toString(),
1139
1184
  method: "POST",
1140
1185
  headers
1141
1186
  }
1142
1187
  );
1143
1188
  if (!response.ok || !result?.success) {
1144
- throw new import_utils18.InvalidFetchResponseError(
1189
+ throw new import_utils19.InvalidFetchResponseError(
1145
1190
  `Unable to introspect token from '${introspectionEndpoint}'. Received response with status ${response.status}`,
1146
1191
  await response.clone().text(),
1147
1192
  response
@@ -1185,7 +1230,7 @@ async function verifyResourceRequest(options) {
1185
1230
  resourceServer: options.resourceServer,
1186
1231
  now: options.now
1187
1232
  }).catch((error) => {
1188
- if (error instanceof Oauth2JwtParseError || error instanceof import_utils20.ValidationError) return null;
1233
+ if (error instanceof Oauth2JwtParseError || error instanceof import_utils21.ValidationError) return null;
1189
1234
  const errorMessage = error instanceof Oauth2Error ? error.message : "Invalid access token";
1190
1235
  throw new Oauth2ResourceUnauthorizedError(
1191
1236
  `Error occured during verification of jwt profile access token: ${error.message}`,
@@ -1285,7 +1330,7 @@ async function verifyResourceRequest(options) {
1285
1330
  }
1286
1331
 
1287
1332
  // src/client-authentication.ts
1288
- var import_utils21 = require("@openid4vc/utils");
1333
+ var import_utils22 = require("@openid4vc/utils");
1289
1334
  var SupportedClientAuthenticationMethod = /* @__PURE__ */ ((SupportedClientAuthenticationMethod2) => {
1290
1335
  SupportedClientAuthenticationMethod2["ClientSecretBasic"] = "client_secret_basic";
1291
1336
  SupportedClientAuthenticationMethod2["ClientSecretPost"] = "client_secret_post";
@@ -1348,7 +1393,7 @@ function clientAuthenticationClientSecretPost(options) {
1348
1393
  }
1349
1394
  function clientAuthenticationClientSecretBasic(options) {
1350
1395
  return ({ headers }) => {
1351
- const authorization = (0, import_utils21.encodeToBase64Url)((0, import_utils21.decodeUtf8String)(`${options.clientId}:${options.clientSecret}`));
1396
+ const authorization = (0, import_utils22.encodeToBase64Url)((0, import_utils22.decodeUtf8String)(`${options.clientId}:${options.clientSecret}`));
1352
1397
  headers.set("Authorization", `Basic ${authorization}`);
1353
1398
  };
1354
1399
  }
@@ -1358,22 +1403,22 @@ function clientAuthenticationNone() {
1358
1403
  }
1359
1404
 
1360
1405
  // src/Oauth2AuthorizationServer.ts
1361
- var import_utils33 = require("@openid4vc/utils");
1406
+ var import_utils34 = require("@openid4vc/utils");
1362
1407
 
1363
1408
  // src/access-token/create-access-token.ts
1364
- var import_utils22 = require("@openid4vc/utils");
1409
+ var import_utils23 = require("@openid4vc/utils");
1365
1410
  async function createAccessTokenJwt(options) {
1366
- const header = (0, import_utils22.parseWithErrorHandling)(zAccessTokenProfileJwtHeader, {
1411
+ const header = (0, import_utils23.parseWithErrorHandling)(zAccessTokenProfileJwtHeader, {
1367
1412
  ...jwtHeaderFromJwtSigner(options.signer),
1368
1413
  typ: "at+jwt"
1369
1414
  });
1370
1415
  const now = options.now ?? /* @__PURE__ */ new Date();
1371
- const payload = (0, import_utils22.parseWithErrorHandling)(zAccessTokenProfileJwtPayload, {
1372
- iat: (0, import_utils22.dateToSeconds)(now),
1373
- exp: (0, import_utils22.dateToSeconds)((0, import_utils22.addSecondsToDate)(now, options.expiresInSeconds)),
1416
+ const payload = (0, import_utils23.parseWithErrorHandling)(zAccessTokenProfileJwtPayload, {
1417
+ iat: (0, import_utils23.dateToSeconds)(now),
1418
+ exp: (0, import_utils23.dateToSeconds)((0, import_utils23.addSecondsToDate)(now, options.expiresInSeconds)),
1374
1419
  aud: options.audience,
1375
1420
  iss: options.authorizationServer,
1376
- jti: (0, import_utils22.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
1421
+ jti: (0, import_utils23.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
1377
1422
  client_id: options.clientId,
1378
1423
  sub: options.subject,
1379
1424
  scope: options.scope,
@@ -1396,45 +1441,45 @@ async function createAccessTokenJwt(options) {
1396
1441
  }
1397
1442
 
1398
1443
  // src/access-token/create-access-token-response.ts
1399
- var import_utils24 = require("@openid4vc/utils");
1444
+ var import_utils25 = require("@openid4vc/utils");
1400
1445
 
1401
1446
  // src/access-token/z-access-token.ts
1402
- var import_zod12 = __toESM(require("zod"));
1403
- var import_utils23 = require("@openid4vc/utils");
1447
+ var import_zod13 = __toESM(require("zod"));
1448
+ var import_utils24 = require("@openid4vc/utils");
1404
1449
 
1405
1450
  // src/z-grant-type.ts
1406
- var import_zod11 = __toESM(require("zod"));
1407
- var zPreAuthorizedCodeGrantIdentifier = import_zod11.default.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
1451
+ var import_zod12 = __toESM(require("zod"));
1452
+ var zPreAuthorizedCodeGrantIdentifier = import_zod12.default.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
1408
1453
  var preAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier.value;
1409
- var zAuthorizationCodeGrantIdentifier = import_zod11.default.literal("authorization_code");
1454
+ var zAuthorizationCodeGrantIdentifier = import_zod12.default.literal("authorization_code");
1410
1455
  var authorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier.value;
1411
- var zRefreshTokenGrantIdentifier = import_zod11.default.literal("refresh_token");
1456
+ var zRefreshTokenGrantIdentifier = import_zod12.default.literal("refresh_token");
1412
1457
  var refreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier.value;
1413
1458
 
1414
1459
  // src/access-token/z-access-token.ts
1415
- var zAccessTokenRequest = import_zod12.default.intersection(
1416
- import_zod12.default.object({
1460
+ var zAccessTokenRequest = import_zod13.default.intersection(
1461
+ import_zod13.default.object({
1417
1462
  // Pre authorized code flow
1418
- "pre-authorized_code": import_zod12.default.optional(import_zod12.default.string()),
1463
+ "pre-authorized_code": import_zod13.default.optional(import_zod13.default.string()),
1419
1464
  // Authorization code flow
1420
- code: import_zod12.default.optional(import_zod12.default.string()),
1421
- redirect_uri: import_zod12.default.string().url().optional(),
1465
+ code: import_zod13.default.optional(import_zod13.default.string()),
1466
+ redirect_uri: import_zod13.default.string().url().optional(),
1422
1467
  // Refresh token grant
1423
- refresh_token: import_zod12.default.optional(import_zod12.default.string()),
1424
- resource: import_zod12.default.optional(import_utils23.zHttpsUrl),
1425
- code_verifier: import_zod12.default.optional(import_zod12.default.string()),
1426
- grant_type: import_zod12.default.union([
1468
+ refresh_token: import_zod13.default.optional(import_zod13.default.string()),
1469
+ resource: import_zod13.default.optional(import_utils24.zHttpsUrl),
1470
+ code_verifier: import_zod13.default.optional(import_zod13.default.string()),
1471
+ grant_type: import_zod13.default.union([
1427
1472
  zPreAuthorizedCodeGrantIdentifier,
1428
1473
  zAuthorizationCodeGrantIdentifier,
1429
1474
  zRefreshTokenGrantIdentifier,
1430
1475
  // string makes the previous ones unessary, but it does help with error messages
1431
- import_zod12.default.string()
1476
+ import_zod13.default.string()
1432
1477
  ])
1433
1478
  }).passthrough(),
1434
- import_zod12.default.object({
1435
- tx_code: import_zod12.default.optional(import_zod12.default.string()),
1436
- // user_pin is from OID4VCI draft 11
1437
- user_pin: import_zod12.default.optional(import_zod12.default.string())
1479
+ import_zod13.default.object({
1480
+ tx_code: import_zod13.default.optional(import_zod13.default.string()),
1481
+ // user_pin is from OpenID4VCI draft 11
1482
+ user_pin: import_zod13.default.optional(import_zod13.default.string())
1438
1483
  }).passthrough().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, {
1439
1484
  message: `If both 'tx_code' and 'user_pin' are present they must match`
1440
1485
  }).transform(({ tx_code, user_pin, ...rest }) => {
@@ -1444,19 +1489,19 @@ var zAccessTokenRequest = import_zod12.default.intersection(
1444
1489
  };
1445
1490
  })
1446
1491
  );
1447
- var zAccessTokenResponse = import_zod12.default.object({
1448
- access_token: import_zod12.default.string(),
1449
- token_type: import_zod12.default.string(),
1450
- expires_in: import_zod12.default.optional(import_zod12.default.number().int()),
1451
- scope: import_zod12.default.optional(import_zod12.default.string()),
1452
- state: import_zod12.default.optional(import_zod12.default.string()),
1453
- refresh_token: import_zod12.default.optional(import_zod12.default.string()),
1454
- // Oid4vci specific parameters
1455
- c_nonce: import_zod12.default.optional(import_zod12.default.string()),
1456
- c_nonce_expires_in: import_zod12.default.optional(import_zod12.default.number().int()),
1492
+ var zAccessTokenResponse = import_zod13.default.object({
1493
+ access_token: import_zod13.default.string(),
1494
+ token_type: import_zod13.default.string(),
1495
+ expires_in: import_zod13.default.optional(import_zod13.default.number().int()),
1496
+ scope: import_zod13.default.optional(import_zod13.default.string()),
1497
+ state: import_zod13.default.optional(import_zod13.default.string()),
1498
+ refresh_token: import_zod13.default.optional(import_zod13.default.string()),
1499
+ // OpenID4VCI specific parameters
1500
+ c_nonce: import_zod13.default.optional(import_zod13.default.string()),
1501
+ c_nonce_expires_in: import_zod13.default.optional(import_zod13.default.number().int()),
1457
1502
  // TODO: add additional params
1458
- authorization_details: import_zod12.default.array(
1459
- import_zod12.default.object({
1503
+ authorization_details: import_zod13.default.array(
1504
+ import_zod13.default.object({
1460
1505
  // requried when type is openid_credential (so we probably need a discriminator)
1461
1506
  // credential_identifiers: z.array(z.string()),
1462
1507
  }).passthrough()
@@ -1466,7 +1511,7 @@ var zAccessTokenErrorResponse = zOauth2ErrorResponse;
1466
1511
 
1467
1512
  // src/access-token/create-access-token-response.ts
1468
1513
  async function createAccessTokenResponse(options) {
1469
- const accessTokenResponse = (0, import_utils24.parseWithErrorHandling)(zAccessTokenResponse, {
1514
+ const accessTokenResponse = (0, import_utils25.parseWithErrorHandling)(zAccessTokenResponse, {
1470
1515
  access_token: options.accessToken,
1471
1516
  token_type: options.tokenType,
1472
1517
  expires_in: options.expiresInSeconds,
@@ -1535,7 +1580,7 @@ ${JSON.stringify(parsedAccessTokenRequest.error.issues, null, 2)}`
1535
1580
  }
1536
1581
 
1537
1582
  // src/pkce.ts
1538
- var import_utils25 = require("@openid4vc/utils");
1583
+ var import_utils26 = require("@openid4vc/utils");
1539
1584
  var PkceCodeChallengeMethod = /* @__PURE__ */ ((PkceCodeChallengeMethod2) => {
1540
1585
  PkceCodeChallengeMethod2["Plain"] = "plain";
1541
1586
  PkceCodeChallengeMethod2["S256"] = "S256";
@@ -1550,7 +1595,7 @@ async function createPkce(options) {
1550
1595
  throw new Oauth2Error(`Unable to create PKCE code verifier. 'allowedCodeChallengeMethods' is an empty array.`);
1551
1596
  }
1552
1597
  const codeChallengeMethod = allowedCodeChallengeMethods.includes("S256" /* S256 */) ? "S256" /* S256 */ : "plain" /* Plain */;
1553
- const codeVerifier = options.codeVerifier ?? (0, import_utils25.encodeToBase64Url)(await options.callbacks.generateRandom(64));
1598
+ const codeVerifier = options.codeVerifier ?? (0, import_utils26.encodeToBase64Url)(await options.callbacks.generateRandom(64));
1554
1599
  return {
1555
1600
  codeVerifier,
1556
1601
  codeChallenge: await calculateCodeChallenge({
@@ -1578,7 +1623,7 @@ async function calculateCodeChallenge(options) {
1578
1623
  return options.codeVerifier;
1579
1624
  }
1580
1625
  if (options.codeChallengeMethod === "S256" /* S256 */) {
1581
- return (0, import_utils25.encodeToBase64Url)(await options.hashCallback((0, import_utils25.decodeUtf8String)(options.codeVerifier), "SHA-256" /* Sha256 */));
1626
+ return (0, import_utils26.encodeToBase64Url)(await options.hashCallback((0, import_utils26.decodeUtf8String)(options.codeVerifier), "SHA-256" /* Sha256 */));
1582
1627
  }
1583
1628
  throw new Oauth2Error(`Unsupported code challenge method ${options.codeChallengeMethod}`);
1584
1629
  }
@@ -1711,69 +1756,69 @@ async function verifyAccessTokenRequestPkce(options, callbacks) {
1711
1756
  }
1712
1757
 
1713
1758
  // src/authorization-challenge/create-authorization-challenge-response.ts
1714
- var import_utils28 = require("@openid4vc/utils");
1759
+ var import_utils29 = require("@openid4vc/utils");
1715
1760
 
1716
1761
  // src/authorization-challenge/z-authorization-challenge.ts
1717
- var import_utils27 = require("@openid4vc/utils");
1718
- var import_zod14 = __toESM(require("zod"));
1762
+ var import_utils28 = require("@openid4vc/utils");
1763
+ var import_zod15 = __toESM(require("zod"));
1719
1764
 
1720
1765
  // src/authorization-request/z-authorization-request.ts
1721
- var import_utils26 = require("@openid4vc/utils");
1722
- var import_zod13 = __toESM(require("zod"));
1723
- var zAuthorizationRequest = import_zod13.default.object({
1724
- response_type: import_zod13.default.string(),
1725
- client_id: import_zod13.default.string(),
1726
- issuer_state: import_zod13.default.optional(import_zod13.default.string()),
1727
- redirect_uri: import_zod13.default.string().url().optional(),
1728
- resource: import_zod13.default.optional(import_utils26.zHttpsUrl),
1729
- scope: import_zod13.default.optional(import_zod13.default.string()),
1766
+ var import_utils27 = require("@openid4vc/utils");
1767
+ var import_zod14 = __toESM(require("zod"));
1768
+ var zAuthorizationRequest = import_zod14.default.object({
1769
+ response_type: import_zod14.default.string(),
1770
+ client_id: import_zod14.default.string(),
1771
+ issuer_state: import_zod14.default.optional(import_zod14.default.string()),
1772
+ redirect_uri: import_zod14.default.string().url().optional(),
1773
+ resource: import_zod14.default.optional(import_utils27.zHttpsUrl),
1774
+ scope: import_zod14.default.optional(import_zod14.default.string()),
1730
1775
  // DPoP jwk thumbprint
1731
- dpop_jkt: import_zod13.default.optional(import_zod13.default.string()),
1732
- code_challenge: import_zod13.default.optional(import_zod13.default.string()),
1733
- code_challenge_method: import_zod13.default.optional(import_zod13.default.string())
1776
+ dpop_jkt: import_zod14.default.optional(import_zod14.default.string()),
1777
+ code_challenge: import_zod14.default.optional(import_zod14.default.string()),
1778
+ code_challenge_method: import_zod14.default.optional(import_zod14.default.string())
1734
1779
  }).passthrough();
1735
- var zPushedAuthorizationRequest = import_zod13.default.object({
1736
- request_uri: import_zod13.default.string(),
1737
- client_id: import_zod13.default.string()
1780
+ var zPushedAuthorizationRequest = import_zod14.default.object({
1781
+ request_uri: import_zod14.default.string(),
1782
+ client_id: import_zod14.default.string()
1738
1783
  }).passthrough();
1739
- var zPushedAuthorizationResponse = import_zod13.default.object({
1740
- request_uri: import_zod13.default.string(),
1741
- expires_in: import_zod13.default.number().int()
1784
+ var zPushedAuthorizationResponse = import_zod14.default.object({
1785
+ request_uri: import_zod14.default.string(),
1786
+ expires_in: import_zod14.default.number().int()
1742
1787
  }).passthrough();
1743
1788
 
1744
1789
  // src/authorization-challenge/z-authorization-challenge.ts
1745
- var zAuthorizationChallengeRequest = import_zod14.default.object({
1790
+ var zAuthorizationChallengeRequest = import_zod15.default.object({
1746
1791
  // authorization challenge request can include same parameters as an authorization request
1747
1792
  // except for response_type (always `code`), and `client_id` is optional (becase
1748
1793
  // it's possible to do client authentication using different methods)
1749
1794
  ...zAuthorizationRequest.omit({ response_type: true, client_id: true }).shape,
1750
- client_id: import_zod14.default.optional(zAuthorizationRequest.shape.client_id),
1751
- auth_session: import_zod14.default.optional(import_zod14.default.string()),
1795
+ client_id: import_zod15.default.optional(zAuthorizationRequest.shape.client_id),
1796
+ auth_session: import_zod15.default.optional(import_zod15.default.string()),
1752
1797
  // DRAFT presentation during issuance
1753
- presentation_during_issuance_session: import_zod14.default.optional(import_zod14.default.string())
1798
+ presentation_during_issuance_session: import_zod15.default.optional(import_zod15.default.string())
1754
1799
  }).passthrough();
1755
- var zAuthorizationChallengeResponse = import_zod14.default.object({
1756
- authorization_code: import_zod14.default.string()
1800
+ var zAuthorizationChallengeResponse = import_zod15.default.object({
1801
+ authorization_code: import_zod15.default.string()
1757
1802
  }).passthrough();
1758
- var zAuthorizationChallengeErrorResponse = import_zod14.default.object({
1803
+ var zAuthorizationChallengeErrorResponse = import_zod15.default.object({
1759
1804
  ...zOauth2ErrorResponse.shape,
1760
- auth_session: import_zod14.default.optional(import_zod14.default.string()),
1761
- request_uri: import_zod14.default.optional(import_zod14.default.string()),
1762
- expires_in: import_zod14.default.optional(import_utils27.zInteger),
1805
+ auth_session: import_zod15.default.optional(import_zod15.default.string()),
1806
+ request_uri: import_zod15.default.optional(import_zod15.default.string()),
1807
+ expires_in: import_zod15.default.optional(import_utils28.zInteger),
1763
1808
  // DRAFT: presentation during issuance
1764
- presentation: import_zod14.default.optional(import_zod14.default.string())
1809
+ presentation: import_zod15.default.optional(import_zod15.default.string())
1765
1810
  }).passthrough();
1766
1811
 
1767
1812
  // src/authorization-challenge/create-authorization-challenge-response.ts
1768
1813
  function createAuthorizationChallengeResponse(options) {
1769
- const authorizationChallengeResponse = (0, import_utils28.parseWithErrorHandling)(zAuthorizationChallengeResponse, {
1814
+ const authorizationChallengeResponse = (0, import_utils29.parseWithErrorHandling)(zAuthorizationChallengeResponse, {
1770
1815
  ...options.additionalPayload,
1771
1816
  authorization_code: options.authorizationCode
1772
1817
  });
1773
1818
  return { authorizationChallengeResponse };
1774
1819
  }
1775
1820
  function createAuthorizationChallengeErrorResponse(options) {
1776
- const authorizationChallengeErrorResponse = (0, import_utils28.parseWithErrorHandling)(zAuthorizationChallengeErrorResponse, {
1821
+ const authorizationChallengeErrorResponse = (0, import_utils29.parseWithErrorHandling)(zAuthorizationChallengeErrorResponse, {
1777
1822
  ...options.additionalPayload,
1778
1823
  // General FiPA
1779
1824
  error: options.error,
@@ -1789,9 +1834,9 @@ function createAuthorizationChallengeErrorResponse(options) {
1789
1834
  }
1790
1835
 
1791
1836
  // src/authorization-challenge/parse-authorization-challenge-request.ts
1792
- var import_utils29 = require("@openid4vc/utils");
1837
+ var import_utils30 = require("@openid4vc/utils");
1793
1838
  function parseAuthorizationChallengeRequest(options) {
1794
- const authorizationChallengeRequest = (0, import_utils29.parseWithErrorHandling)(
1839
+ const authorizationChallengeRequest = (0, import_utils30.parseWithErrorHandling)(
1795
1840
  zAuthorizationChallengeRequest,
1796
1841
  options.authorizationChallengeRequest
1797
1842
  );
@@ -1799,52 +1844,52 @@ function parseAuthorizationChallengeRequest(options) {
1799
1844
  }
1800
1845
 
1801
1846
  // src/client-attestation/clent-attestation.ts
1802
- var import_utils31 = require("@openid4vc/utils");
1847
+ var import_utils32 = require("@openid4vc/utils");
1803
1848
 
1804
1849
  // src/client-attestation/z-client-attestation.ts
1805
- var import_utils30 = require("@openid4vc/utils");
1806
- var import_zod15 = __toESM(require("zod"));
1807
- var zOauthClientAttestationHeader = import_zod15.default.literal("OAuth-Client-Attestation");
1850
+ var import_utils31 = require("@openid4vc/utils");
1851
+ var import_zod16 = __toESM(require("zod"));
1852
+ var zOauthClientAttestationHeader = import_zod16.default.literal("OAuth-Client-Attestation");
1808
1853
  var oauthClientAttestationHeader = zOauthClientAttestationHeader.value;
1809
- var zClientAttestationJwtPayload = import_zod15.default.object({
1854
+ var zClientAttestationJwtPayload = import_zod16.default.object({
1810
1855
  ...zJwtPayload.shape,
1811
- iss: import_zod15.default.string(),
1812
- sub: import_zod15.default.string(),
1813
- exp: import_utils30.zInteger,
1814
- cnf: import_zod15.default.object({
1856
+ iss: import_zod16.default.string(),
1857
+ sub: import_zod16.default.string(),
1858
+ exp: import_utils31.zInteger,
1859
+ cnf: import_zod16.default.object({
1815
1860
  jwk: zJwk,
1816
- key_type: import_zod15.default.optional(
1817
- import_zod15.default.union([
1818
- import_zod15.default.enum(["software", "hardware", "tee", "secure_enclave", "strong_box", "secure_element", "hsm"]),
1819
- import_zod15.default.string()
1861
+ key_type: import_zod16.default.optional(
1862
+ import_zod16.default.union([
1863
+ import_zod16.default.enum(["software", "hardware", "tee", "secure_enclave", "strong_box", "secure_element", "hsm"]),
1864
+ import_zod16.default.string()
1820
1865
  ])
1821
1866
  ),
1822
- user_authentication: import_zod15.default.optional(
1823
- import_zod15.default.union([
1824
- import_zod15.default.enum(["system_biometry", "system_pin", "internal_biometry", "internal_pin", "secure_element_pin"]),
1825
- import_zod15.default.string()
1867
+ user_authentication: import_zod16.default.optional(
1868
+ import_zod16.default.union([
1869
+ import_zod16.default.enum(["system_biometry", "system_pin", "internal_biometry", "internal_pin", "secure_element_pin"]),
1870
+ import_zod16.default.string()
1826
1871
  ])
1827
1872
  )
1828
1873
  }).passthrough(),
1829
- aal: import_zod15.default.optional(import_zod15.default.string())
1874
+ aal: import_zod16.default.optional(import_zod16.default.string())
1830
1875
  }).passthrough();
1831
- var zClientAttestationJwtHeader = import_zod15.default.object({
1876
+ var zClientAttestationJwtHeader = import_zod16.default.object({
1832
1877
  ...zJwtHeader.shape,
1833
- typ: import_zod15.default.literal("oauth-client-attestation+jwt")
1878
+ typ: import_zod16.default.literal("oauth-client-attestation+jwt")
1834
1879
  }).passthrough();
1835
- var zOauthClientAttestationPopHeader = import_zod15.default.literal("OAuth-Client-Attestation-PoP");
1880
+ var zOauthClientAttestationPopHeader = import_zod16.default.literal("OAuth-Client-Attestation-PoP");
1836
1881
  var oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
1837
- var zClientAttestationPopJwtPayload = import_zod15.default.object({
1882
+ var zClientAttestationPopJwtPayload = import_zod16.default.object({
1838
1883
  ...zJwtPayload.shape,
1839
- iss: import_zod15.default.string(),
1840
- exp: import_utils30.zInteger,
1841
- aud: import_utils30.zHttpsUrl,
1842
- jti: import_zod15.default.string(),
1843
- nonce: import_zod15.default.optional(import_zod15.default.string())
1884
+ iss: import_zod16.default.string(),
1885
+ exp: import_utils31.zInteger,
1886
+ aud: import_utils31.zHttpsUrl,
1887
+ jti: import_zod16.default.string(),
1888
+ nonce: import_zod16.default.optional(import_zod16.default.string())
1844
1889
  }).passthrough();
1845
- var zClientAttestationPopJwtHeader = import_zod15.default.object({
1890
+ var zClientAttestationPopJwtHeader = import_zod16.default.object({
1846
1891
  ...zJwtHeader.shape,
1847
- typ: import_zod15.default.literal("oauth-client-attestation-pop+jwt")
1892
+ typ: import_zod16.default.literal("oauth-client-attestation-pop+jwt")
1848
1893
  }).passthrough();
1849
1894
 
1850
1895
  // src/client-attestation/clent-attestation.ts
@@ -1870,14 +1915,14 @@ async function verifyClientAttestationJwt(options) {
1870
1915
  };
1871
1916
  }
1872
1917
  async function createClientAttestationJwt(options) {
1873
- const header = (0, import_utils31.parseWithErrorHandling)(zClientAttestationJwtHeader, {
1918
+ const header = (0, import_utils32.parseWithErrorHandling)(zClientAttestationJwtHeader, {
1874
1919
  typ: "oauth-client-attestation+jwt",
1875
1920
  ...jwtHeaderFromJwtSigner(options.signer)
1876
1921
  });
1877
- const payload = (0, import_utils31.parseWithErrorHandling)(zClientAttestationJwtPayload, {
1922
+ const payload = (0, import_utils32.parseWithErrorHandling)(zClientAttestationJwtPayload, {
1878
1923
  iss: options.issuer,
1879
- iat: (0, import_utils31.dateToSeconds)(options.issuedAt),
1880
- exp: (0, import_utils31.dateToSeconds)(options.expiresAt),
1924
+ iat: (0, import_utils32.dateToSeconds)(options.issuedAt),
1925
+ exp: (0, import_utils32.dateToSeconds)(options.expiresAt),
1881
1926
  sub: options.clientId,
1882
1927
  cnf: options.confirmation,
1883
1928
  ...options.additionalPayload
@@ -1904,7 +1949,7 @@ function extractClientAttestationJwtsFromHeaders(headers) {
1904
1949
  }
1905
1950
 
1906
1951
  // src/client-attestation/client-attestation-pop.ts
1907
- var import_utils32 = require("@openid4vc/utils");
1952
+ var import_utils33 = require("@openid4vc/utils");
1908
1953
  async function createClientAttestationForRequest(options) {
1909
1954
  const clientAttestationPopJwt = await createClientAttestationPopJwt({
1910
1955
  authorizationServer: options.authorizationServer,
@@ -1962,7 +2007,7 @@ async function verifyClientAttestationPopJwt(options) {
1962
2007
  };
1963
2008
  }
1964
2009
  async function createClientAttestationPopJwt(options) {
1965
- const header = (0, import_utils32.parseWithErrorHandling)(zClientAttestationPopJwtHeader, {
2010
+ const header = (0, import_utils33.parseWithErrorHandling)(zClientAttestationPopJwtHeader, {
1966
2011
  typ: "oauth-client-attestation-pop+jwt",
1967
2012
  alg: options.signer.alg
1968
2013
  });
@@ -1971,13 +2016,13 @@ async function createClientAttestationPopJwt(options) {
1971
2016
  headerSchema: zClientAttestationJwtHeader,
1972
2017
  payloadSchema: zClientAttestationJwtPayload
1973
2018
  });
1974
- const expiresAt = options.expiresAt ?? (0, import_utils32.addSecondsToDate)(options.issuedAt ?? /* @__PURE__ */ new Date(), 1 * 60);
1975
- const payload = (0, import_utils32.parseWithErrorHandling)(zClientAttestationPopJwtPayload, {
2019
+ const expiresAt = options.expiresAt ?? (0, import_utils33.addSecondsToDate)(options.issuedAt ?? /* @__PURE__ */ new Date(), 1 * 60);
2020
+ const payload = (0, import_utils33.parseWithErrorHandling)(zClientAttestationPopJwtPayload, {
1976
2021
  aud: options.authorizationServer,
1977
2022
  iss: clientAttestation.payload.sub,
1978
- iat: (0, import_utils32.dateToSeconds)(options.issuedAt),
1979
- exp: (0, import_utils32.dateToSeconds)(expiresAt),
1980
- jti: (0, import_utils32.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
2023
+ iat: (0, import_utils33.dateToSeconds)(options.issuedAt),
2024
+ exp: (0, import_utils33.dateToSeconds)(expiresAt),
2025
+ jti: (0, import_utils33.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
1981
2026
  nonce: options.nonce,
1982
2027
  ...options.additionalPayload
1983
2028
  });
@@ -1994,7 +2039,7 @@ var Oauth2AuthorizationServer = class {
1994
2039
  this.options = options;
1995
2040
  }
1996
2041
  createAuthorizationServerMetadata(authorizationServerMetadata) {
1997
- return (0, import_utils33.parseWithErrorHandling)(
2042
+ return (0, import_utils34.parseWithErrorHandling)(
1998
2043
  zAuthorizationServerMetadata,
1999
2044
  authorizationServerMetadata,
2000
2045
  "Error validating authorization server metadata"
@@ -2103,25 +2148,12 @@ var Oauth2AuthorizationServer = class {
2103
2148
  }
2104
2149
  };
2105
2150
 
2106
- // src/Oauth2ResourceServer.ts
2107
- var Oauth2ResourceServer = class {
2108
- constructor(options) {
2109
- this.options = options;
2110
- }
2111
- async verifyResourceRequest(options) {
2112
- return verifyResourceRequest({
2113
- callbacks: this.options.callbacks,
2114
- ...options
2115
- });
2116
- }
2117
- };
2118
-
2119
2151
  // src/Oauth2Client.ts
2120
- var import_utils40 = require("@openid4vc/utils");
2152
+ var import_utils41 = require("@openid4vc/utils");
2121
2153
 
2122
2154
  // src/access-token/retrieve-access-token.ts
2123
- var import_utils34 = require("@openid4vc/utils");
2124
2155
  var import_utils35 = require("@openid4vc/utils");
2156
+ var import_utils36 = require("@openid4vc/utils");
2125
2157
  async function retrievePreAuthorizedCodeAccessToken(options) {
2126
2158
  const request = {
2127
2159
  grant_type: preAuthorizedCodeGrantIdentifier,
@@ -2174,8 +2206,8 @@ async function retrieveRefreshTokenAccessToken(options) {
2174
2206
  });
2175
2207
  }
2176
2208
  async function retrieveAccessToken(options) {
2177
- const fetchWithZod = (0, import_utils34.createZodFetcher)(options.callbacks.fetch);
2178
- const accessTokenRequest = (0, import_utils34.parseWithErrorHandling)(
2209
+ const fetchWithZod = (0, import_utils35.createZodFetcher)(options.callbacks.fetch);
2210
+ const accessTokenRequest = (0, import_utils35.parseWithErrorHandling)(
2179
2211
  zAccessTokenRequest,
2180
2212
  options.request,
2181
2213
  "Error validating access token request"
@@ -2200,19 +2232,19 @@ async function retrieveAccessToken(options) {
2200
2232
  callbacks: options.callbacks,
2201
2233
  nonce: dpop.nonce
2202
2234
  }) : void 0;
2203
- const requestQueryParams = (0, import_utils34.objectToQueryParams)({
2235
+ const requestQueryParams = (0, import_utils35.objectToQueryParams)({
2204
2236
  ...accessTokenRequest,
2205
2237
  ...clientAttestation?.body
2206
2238
  });
2207
2239
  const { response, result } = await fetchWithZod(
2208
2240
  zAccessTokenResponse,
2209
- import_utils34.ContentType.Json,
2241
+ import_utils35.ContentType.Json,
2210
2242
  options.authorizationServerMetadata.token_endpoint,
2211
2243
  {
2212
2244
  body: requestQueryParams.toString(),
2213
2245
  method: "POST",
2214
2246
  headers: {
2215
- "Content-Type": import_utils34.ContentType.XWwwFormUrlencoded,
2247
+ "Content-Type": import_utils35.ContentType.XWwwFormUrlencoded,
2216
2248
  ...clientAttestation?.headers,
2217
2249
  ...dpopHeaders
2218
2250
  }
@@ -2229,7 +2261,7 @@ async function retrieveAccessToken(options) {
2229
2261
  response
2230
2262
  );
2231
2263
  }
2232
- throw new import_utils35.InvalidFetchResponseError(
2264
+ throw new import_utils36.InvalidFetchResponseError(
2233
2265
  `Unable to retrieve access token from '${options.authorizationServerMetadata.token_endpoint}'. Received response with status ${response.status}`,
2234
2266
  await response.clone().text(),
2235
2267
  response
@@ -2251,10 +2283,10 @@ async function retrieveAccessToken(options) {
2251
2283
  }
2252
2284
 
2253
2285
  // src/authorization-challenge/send-authorization-challenge.ts
2254
- var import_utils36 = require("@openid4vc/utils");
2255
2286
  var import_utils37 = require("@openid4vc/utils");
2287
+ var import_utils38 = require("@openid4vc/utils");
2256
2288
  async function sendAuthorizationChallengeRequest(options) {
2257
- const fetchWithZod = (0, import_utils36.createZodFetcher)(options.callbacks.fetch);
2289
+ const fetchWithZod = (0, import_utils37.createZodFetcher)(options.callbacks.fetch);
2258
2290
  const authorizationServerMetadata = options.authorizationServerMetadata;
2259
2291
  const authorizationChallengeEndpoint = authorizationServerMetadata.authorization_challenge_endpoint;
2260
2292
  if (!authorizationChallengeEndpoint) {
@@ -2272,7 +2304,7 @@ async function sendAuthorizationChallengeRequest(options) {
2272
2304
  clientAttestation: options.clientAttestation,
2273
2305
  callbacks: options.callbacks
2274
2306
  }) : void 0;
2275
- const authorizationChallengeRequest = (0, import_utils36.parseWithErrorHandling)(zAuthorizationChallengeRequest, {
2307
+ const authorizationChallengeRequest = (0, import_utils37.parseWithErrorHandling)(zAuthorizationChallengeRequest, {
2276
2308
  ...options.additionalRequestPayload,
2277
2309
  auth_session: options.authSession,
2278
2310
  client_id: options.clientId,
@@ -2297,15 +2329,15 @@ async function sendAuthorizationChallengeRequest(options) {
2297
2329
  }) : void 0;
2298
2330
  const { response, result } = await fetchWithZod(
2299
2331
  zAuthorizationChallengeResponse,
2300
- import_utils36.ContentType.Json,
2332
+ import_utils37.ContentType.Json,
2301
2333
  authorizationChallengeEndpoint,
2302
2334
  {
2303
2335
  method: "POST",
2304
- body: (0, import_utils36.objectToQueryParams)(authorizationChallengeRequest).toString(),
2336
+ body: (0, import_utils37.objectToQueryParams)(authorizationChallengeRequest).toString(),
2305
2337
  headers: {
2306
2338
  ...clientAttestation?.headers,
2307
2339
  ...dpopHeaders,
2308
- "Content-Type": import_utils36.ContentType.XWwwFormUrlencoded
2340
+ "Content-Type": import_utils37.ContentType.XWwwFormUrlencoded
2309
2341
  }
2310
2342
  }
2311
2343
  );
@@ -2320,14 +2352,14 @@ async function sendAuthorizationChallengeRequest(options) {
2320
2352
  response
2321
2353
  );
2322
2354
  }
2323
- throw new import_utils37.InvalidFetchResponseError(
2355
+ throw new import_utils38.InvalidFetchResponseError(
2324
2356
  `Error requesting authorization code from authorization challenge endpoint '${authorizationServerMetadata.authorization_challenge_endpoint}'. Received response with status ${response.status}`,
2325
2357
  await response.clone().text(),
2326
2358
  response
2327
2359
  );
2328
2360
  }
2329
2361
  if (!result.success) {
2330
- throw new import_utils36.ValidationError("Error validating authorization challenge response", result.error);
2362
+ throw new import_utils37.ValidationError("Error validating authorization challenge response", result.error);
2331
2363
  }
2332
2364
  const dpopNonce = extractDpopNonceFromHeaders(response.headers) ?? void 0;
2333
2365
  return {
@@ -2343,8 +2375,8 @@ async function sendAuthorizationChallengeRequest(options) {
2343
2375
  }
2344
2376
 
2345
2377
  // src/authorization-request/create-authorization-request.ts
2346
- var import_utils38 = require("@openid4vc/utils");
2347
2378
  var import_utils39 = require("@openid4vc/utils");
2379
+ var import_utils40 = require("@openid4vc/utils");
2348
2380
  async function createAuthorizationRequestUrl(options) {
2349
2381
  const authorizationServerMetadata = options.authorizationServerMetadata;
2350
2382
  const pushedAuthorizationRequestEndpoint = authorizationServerMetadata.pushed_authorization_request_endpoint;
@@ -2426,7 +2458,7 @@ async function createAuthorizationRequestUrl(options) {
2426
2458
  });
2427
2459
  }
2428
2460
  }
2429
- const authorizationRequestUrl = `${authorizationServerMetadata.authorization_endpoint}?${(0, import_utils38.objectToQueryParams)(pushedAuthorizationRequest ?? authorizationRequest).toString()}`;
2461
+ const authorizationRequestUrl = `${authorizationServerMetadata.authorization_endpoint}?${(0, import_utils39.objectToQueryParams)(pushedAuthorizationRequest ?? authorizationRequest).toString()}`;
2430
2462
  return {
2431
2463
  authorizationRequestUrl,
2432
2464
  pkce,
@@ -2434,7 +2466,7 @@ async function createAuthorizationRequestUrl(options) {
2434
2466
  };
2435
2467
  }
2436
2468
  async function pushAuthorizationRequest(options) {
2437
- const fetchWithZod = (0, import_utils38.createZodFetcher)(options.fetch);
2469
+ const fetchWithZod = (0, import_utils39.createZodFetcher)(options.fetch);
2438
2470
  if (options.authorizationRequest.request_uri) {
2439
2471
  throw new Oauth2Error(
2440
2472
  `Authorization request contains 'request_uri' parameter. This is not allowed for pushed authorization reuqests.`
@@ -2442,14 +2474,14 @@ async function pushAuthorizationRequest(options) {
2442
2474
  }
2443
2475
  const { response, result } = await fetchWithZod(
2444
2476
  zPushedAuthorizationResponse,
2445
- import_utils38.ContentType.Json,
2477
+ import_utils39.ContentType.Json,
2446
2478
  options.pushedAuthorizationRequestEndpoint,
2447
2479
  {
2448
2480
  method: "POST",
2449
- body: (0, import_utils38.objectToQueryParams)(options.authorizationRequest).toString(),
2481
+ body: (0, import_utils39.objectToQueryParams)(options.authorizationRequest).toString(),
2450
2482
  headers: {
2451
2483
  ...options.headers,
2452
- "Content-Type": import_utils38.ContentType.XWwwFormUrlencoded
2484
+ "Content-Type": import_utils39.ContentType.XWwwFormUrlencoded
2453
2485
  }
2454
2486
  }
2455
2487
  );
@@ -2464,7 +2496,7 @@ async function pushAuthorizationRequest(options) {
2464
2496
  response
2465
2497
  );
2466
2498
  }
2467
- throw new import_utils39.InvalidFetchResponseError(
2499
+ throw new import_utils40.InvalidFetchResponseError(
2468
2500
  `Unable to push authorization request to '${options.pushedAuthorizationRequestEndpoint}'. Received response with status ${response.status}`,
2469
2501
  await response.clone().text(),
2470
2502
  response
@@ -2534,7 +2566,7 @@ var Oauth2Client = class {
2534
2566
  const isRecoverableError = error instanceof Oauth2ClientAuthorizationChallengeError && error.errorResponse.error === "redirect_to_web" /* RedirectToWeb */;
2535
2567
  if (!isRecoverableError) throw error;
2536
2568
  if (error.errorResponse.request_uri) {
2537
- const authorizationRequestUrl = `${options.authorizationServerMetadata.authorization_endpoint}?${(0, import_utils40.objectToQueryParams)(
2569
+ const authorizationRequestUrl = `${options.authorizationServerMetadata.authorization_endpoint}?${(0, import_utils41.objectToQueryParams)(
2538
2570
  {
2539
2571
  request_uri: error.errorResponse.request_uri,
2540
2572
  client_id: options.clientId
@@ -2663,6 +2695,19 @@ var Oauth2Client = class {
2663
2695
  });
2664
2696
  }
2665
2697
  };
2698
+
2699
+ // src/Oauth2ResourceServer.ts
2700
+ var Oauth2ResourceServer = class {
2701
+ constructor(options) {
2702
+ this.options = options;
2703
+ }
2704
+ async verifyResourceRequest(options) {
2705
+ return verifyResourceRequest({
2706
+ callbacks: this.options.callbacks,
2707
+ ...options
2708
+ });
2709
+ }
2710
+ };
2666
2711
  // Annotate the CommonJS export names for ESM import in node:
2667
2712
  0 && (module.exports = {
2668
2713
  HashAlgorithm,
@@ -2687,6 +2732,7 @@ var Oauth2Client = class {
2687
2732
  clientAuthenticationDynamic,
2688
2733
  clientAuthenticationNone,
2689
2734
  decodeJwt,
2735
+ decodeJwtHeader,
2690
2736
  fetchAuthorizationServerMetadata,
2691
2737
  fetchJwks,
2692
2738
  fetchWellKnownMetadata,
@@ -2701,10 +2747,13 @@ var Oauth2Client = class {
2701
2747
  setGlobalConfig,
2702
2748
  verifyJwt,
2703
2749
  verifyResourceRequest,
2750
+ zAlgValueNotNone,
2704
2751
  zAuthorizationCodeGrantIdentifier,
2705
2752
  zAuthorizationServerMetadata,
2753
+ zCompactJwe,
2706
2754
  zCompactJwt,
2707
2755
  zJwk,
2756
+ zJwkSet,
2708
2757
  zJwtHeader,
2709
2758
  zJwtPayload,
2710
2759
  zOauth2ErrorResponse,