@openid4vc/oauth2 0.3.0-alpha-20250206100745 → 0.3.0-alpha-20250225095929
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +711 -641
- package/dist/index.d.ts +711 -641
- package/dist/index.js +409 -360
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +338 -288
- package/dist/index.mjs.map +1 -1
- package/package.json +6 -6
package/dist/index.mjs
CHANGED
|
@@ -26,6 +26,17 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes2) => {
|
|
|
26
26
|
Oauth2ErrorCodes2["InvalidProof"] = "invalid_proof";
|
|
27
27
|
Oauth2ErrorCodes2["InvalidNonce"] = "invalid_nonce";
|
|
28
28
|
Oauth2ErrorCodes2["InvalidEncryptionParameters"] = "invalid_encryption_parameters";
|
|
29
|
+
Oauth2ErrorCodes2["InvalidRequestUri"] = "invalid_request_uri";
|
|
30
|
+
Oauth2ErrorCodes2["InvalidRequestObject"] = "invalid_request_object";
|
|
31
|
+
Oauth2ErrorCodes2["RequestNotSupported"] = "request_not_supported";
|
|
32
|
+
Oauth2ErrorCodes2["RequestUriNotSupported"] = "request_uri_not_supported";
|
|
33
|
+
Oauth2ErrorCodes2["VpFormatsNotSupported"] = "vp_formats_not_supported";
|
|
34
|
+
Oauth2ErrorCodes2["AccessDenied"] = "access_denied";
|
|
35
|
+
Oauth2ErrorCodes2["InvalidPresentationDefinitionUri"] = "invalid_presentation_definition_uri";
|
|
36
|
+
Oauth2ErrorCodes2["InvalidPresentationDefinitionReference"] = "invalid_presentation_definition_reference";
|
|
37
|
+
Oauth2ErrorCodes2["InvalidRequestUriMethod"] = "invalid_request_uri_method";
|
|
38
|
+
Oauth2ErrorCodes2["InvalidTransactionData"] = "invalid_transaction_data";
|
|
39
|
+
Oauth2ErrorCodes2["WalletUnavailable"] = "wallet_unavailable";
|
|
29
40
|
return Oauth2ErrorCodes2;
|
|
30
41
|
})(Oauth2ErrorCodes || {});
|
|
31
42
|
var zOauth2ErrorResponse = z.object({
|
|
@@ -166,75 +177,19 @@ var zJwk = z3.object({
|
|
|
166
177
|
q: z3.optional(z3.string()),
|
|
167
178
|
qi: z3.optional(z3.string()),
|
|
168
179
|
use: z3.optional(z3.string()),
|
|
169
|
-
x5c: z3.optional(z3.string()),
|
|
180
|
+
x5c: z3.optional(z3.array(z3.string())),
|
|
170
181
|
x5t: z3.optional(z3.string()),
|
|
171
182
|
"x5t#S256": z3.optional(z3.string()),
|
|
172
183
|
x5u: z3.optional(z3.string())
|
|
173
184
|
}).passthrough();
|
|
174
185
|
var zJwkSet = z3.object({ keys: z3.array(zJwk) }).passthrough();
|
|
175
186
|
|
|
176
|
-
// src/common/jwt/verify-jwt.ts
|
|
177
|
-
import { dateToSeconds } from "@openid4vc/utils";
|
|
178
|
-
|
|
179
|
-
// src/error/Oauth2JwtVerificationError.ts
|
|
180
|
-
var Oauth2JwtVerificationError = class extends Oauth2Error {
|
|
181
|
-
constructor(message, options) {
|
|
182
|
-
const errorMessage = message ?? "Error verifiying jwt.";
|
|
183
|
-
super(errorMessage, options);
|
|
184
|
-
}
|
|
185
|
-
};
|
|
186
|
-
|
|
187
|
-
// src/common/jwt/verify-jwt.ts
|
|
188
|
-
async function verifyJwt(options) {
|
|
189
|
-
const errorMessage = options.errorMessage ?? "Error during verification of jwt.";
|
|
190
|
-
let signerJwk;
|
|
191
|
-
try {
|
|
192
|
-
const result = await options.verifyJwtCallback(options.signer, {
|
|
193
|
-
header: options.header,
|
|
194
|
-
payload: options.payload,
|
|
195
|
-
compact: options.compact
|
|
196
|
-
});
|
|
197
|
-
if (!result.verified) throw new Oauth2JwtVerificationError(errorMessage);
|
|
198
|
-
signerJwk = result.signerJwk;
|
|
199
|
-
} catch (error) {
|
|
200
|
-
if (error instanceof Oauth2JwtVerificationError) throw error;
|
|
201
|
-
throw new Oauth2JwtVerificationError(errorMessage, { cause: error });
|
|
202
|
-
}
|
|
203
|
-
const nowInSeconds = dateToSeconds(options.now ?? /* @__PURE__ */ new Date());
|
|
204
|
-
const skewInSeconds = options.allowedSkewInSeconds ?? 0;
|
|
205
|
-
const timeBasedValidation = options.skipTimeBasedValidation !== void 0 ? !options.skipTimeBasedValidation : true;
|
|
206
|
-
if (timeBasedValidation && options.payload.nbf && nowInSeconds < options.payload.nbf - skewInSeconds) {
|
|
207
|
-
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nbf' is in the future`);
|
|
208
|
-
}
|
|
209
|
-
if (timeBasedValidation && options.payload.exp && nowInSeconds > options.payload.exp + skewInSeconds) {
|
|
210
|
-
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'exp' is in the past`);
|
|
211
|
-
}
|
|
212
|
-
if (options.expectedAudience && options.expectedAudience !== options.payload.aud) {
|
|
213
|
-
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'aud' does not match expected value.`);
|
|
214
|
-
}
|
|
215
|
-
if (options.expectedIssuer && options.expectedIssuer !== options.payload.iss) {
|
|
216
|
-
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'iss' does not match expected value.`);
|
|
217
|
-
}
|
|
218
|
-
if (options.expectedNonce && options.expectedNonce !== options.payload.nonce) {
|
|
219
|
-
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nonce' does not match expected value.`);
|
|
220
|
-
}
|
|
221
|
-
if (options.expectedSubject && options.expectedSubject !== options.payload.sub) {
|
|
222
|
-
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'sub' does not match expected value.`);
|
|
223
|
-
}
|
|
224
|
-
return {
|
|
225
|
-
signer: {
|
|
226
|
-
...options.signer,
|
|
227
|
-
publicJwk: signerJwk
|
|
228
|
-
}
|
|
229
|
-
};
|
|
230
|
-
}
|
|
231
|
-
|
|
232
187
|
// src/common/jwt/decode-jwt.ts
|
|
233
188
|
import {
|
|
234
|
-
decodeBase64,
|
|
235
|
-
encodeToUtf8String,
|
|
236
|
-
parseWithErrorHandling as
|
|
237
|
-
stringToJsonWithErrorHandling
|
|
189
|
+
decodeBase64 as decodeBase642,
|
|
190
|
+
encodeToUtf8String as encodeToUtf8String2,
|
|
191
|
+
parseWithErrorHandling as parseWithErrorHandling3,
|
|
192
|
+
stringToJsonWithErrorHandling as stringToJsonWithErrorHandling2
|
|
238
193
|
} from "@openid4vc/utils";
|
|
239
194
|
|
|
240
195
|
// src/error/Oauth2JwtParseError.ts
|
|
@@ -245,6 +200,14 @@ var Oauth2JwtParseError = class extends Oauth2Error {
|
|
|
245
200
|
}
|
|
246
201
|
};
|
|
247
202
|
|
|
203
|
+
// src/common/jwt/decode-jwt-header.ts
|
|
204
|
+
import {
|
|
205
|
+
decodeBase64,
|
|
206
|
+
encodeToUtf8String,
|
|
207
|
+
parseWithErrorHandling as parseWithErrorHandling2,
|
|
208
|
+
stringToJsonWithErrorHandling
|
|
209
|
+
} from "@openid4vc/utils";
|
|
210
|
+
|
|
248
211
|
// src/common/jwt/z-jwt.ts
|
|
249
212
|
import { zInteger } from "@openid4vc/utils";
|
|
250
213
|
import z5 from "zod";
|
|
@@ -283,28 +246,44 @@ var zJwtHeader = z5.object({
|
|
|
283
246
|
trust_chain: z5.array(z5.string()).optional()
|
|
284
247
|
}).passthrough();
|
|
285
248
|
|
|
286
|
-
// src/common/jwt/decode-jwt.ts
|
|
287
|
-
function
|
|
249
|
+
// src/common/jwt/decode-jwt-header.ts
|
|
250
|
+
function decodeJwtHeader(options) {
|
|
288
251
|
const jwtParts = options.jwt.split(".");
|
|
289
|
-
if (jwtParts.length
|
|
252
|
+
if (jwtParts.length <= 2) {
|
|
290
253
|
throw new Oauth2JwtParseError("Jwt is not a valid jwt, unable to decode");
|
|
291
254
|
}
|
|
292
255
|
let headerJson;
|
|
293
|
-
let payloadJson;
|
|
294
256
|
try {
|
|
295
257
|
headerJson = stringToJsonWithErrorHandling(
|
|
296
258
|
encodeToUtf8String(decodeBase64(jwtParts[0])),
|
|
297
259
|
"Unable to parse jwt header to JSON"
|
|
298
260
|
);
|
|
299
|
-
|
|
300
|
-
|
|
261
|
+
} catch (error) {
|
|
262
|
+
throw new Oauth2JwtParseError(`Error parsing JWT. ${error instanceof Error ? error.message : ""}`);
|
|
263
|
+
}
|
|
264
|
+
const header = parseWithErrorHandling2(options.headerSchema ?? zJwtHeader, headerJson);
|
|
265
|
+
return {
|
|
266
|
+
header
|
|
267
|
+
};
|
|
268
|
+
}
|
|
269
|
+
|
|
270
|
+
// src/common/jwt/decode-jwt.ts
|
|
271
|
+
function decodeJwt(options) {
|
|
272
|
+
const jwtParts = options.jwt.split(".");
|
|
273
|
+
if (jwtParts.length !== 3) {
|
|
274
|
+
throw new Oauth2JwtParseError("Jwt is not a valid jwt, unable to decode");
|
|
275
|
+
}
|
|
276
|
+
let payloadJson;
|
|
277
|
+
try {
|
|
278
|
+
payloadJson = stringToJsonWithErrorHandling2(
|
|
279
|
+
encodeToUtf8String2(decodeBase642(jwtParts[1])),
|
|
301
280
|
"Unable to parse jwt payload to JSON"
|
|
302
281
|
);
|
|
303
282
|
} catch (error) {
|
|
304
|
-
throw new Oauth2JwtParseError(
|
|
283
|
+
throw new Oauth2JwtParseError(`Error parsing JWT. ${error instanceof Error ? error.message : ""}`);
|
|
305
284
|
}
|
|
306
|
-
const header =
|
|
307
|
-
const payload =
|
|
285
|
+
const { header } = decodeJwtHeader({ jwt: options.jwt, headerSchema: options.headerSchema });
|
|
286
|
+
const payload = parseWithErrorHandling3(options.payloadSchema ?? zJwtPayload, payloadJson);
|
|
308
287
|
return {
|
|
309
288
|
header,
|
|
310
289
|
payload,
|
|
@@ -394,6 +373,41 @@ function jwtSignerFromJwt({ header, payload }) {
|
|
|
394
373
|
};
|
|
395
374
|
}
|
|
396
375
|
|
|
376
|
+
// src/common/jwt/z-jwe.ts
|
|
377
|
+
import { z as z6 } from "zod";
|
|
378
|
+
var zCompactJwe = z6.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, {
|
|
379
|
+
message: "Not a valid compact jwe"
|
|
380
|
+
});
|
|
381
|
+
|
|
382
|
+
// src/index.ts
|
|
383
|
+
import { InvalidFetchResponseError as InvalidFetchResponseError7 } from "@openid4vc/utils";
|
|
384
|
+
|
|
385
|
+
// src/error/Oauth2ClientErrorResponseError.ts
|
|
386
|
+
var Oauth2ClientErrorResponseError = class extends Oauth2Error {
|
|
387
|
+
constructor(message, errorResponse, response) {
|
|
388
|
+
super(`${message}
|
|
389
|
+
${JSON.stringify(errorResponse, null, 2)}`);
|
|
390
|
+
this.errorResponse = errorResponse;
|
|
391
|
+
this.response = response.clone();
|
|
392
|
+
}
|
|
393
|
+
};
|
|
394
|
+
|
|
395
|
+
// src/error/Oauth2ClientAuthorizationChallengeError.ts
|
|
396
|
+
var Oauth2ClientAuthorizationChallengeError = class extends Oauth2ClientErrorResponseError {
|
|
397
|
+
constructor(message, errorResponse, response) {
|
|
398
|
+
super(message, errorResponse, response);
|
|
399
|
+
this.errorResponse = errorResponse;
|
|
400
|
+
}
|
|
401
|
+
};
|
|
402
|
+
|
|
403
|
+
// src/error/Oauth2JwtVerificationError.ts
|
|
404
|
+
var Oauth2JwtVerificationError = class extends Oauth2Error {
|
|
405
|
+
constructor(message, options) {
|
|
406
|
+
const errorMessage = message ?? "Error verifiying jwt.";
|
|
407
|
+
super(errorMessage, options);
|
|
408
|
+
}
|
|
409
|
+
};
|
|
410
|
+
|
|
397
411
|
// src/error/Oauth2ResourceUnauthorizedError.ts
|
|
398
412
|
import { encodeWwwAuthenticateHeader, parseWwwAuthenticateHeader } from "@openid4vc/utils";
|
|
399
413
|
var Oauth2ResourceUnauthorizedError = class _Oauth2ResourceUnauthorizedError extends Oauth2Error {
|
|
@@ -432,27 +446,6 @@ ${JSON.stringify(wwwAuthenticateHeaders, null, 2)}`);
|
|
|
432
446
|
}
|
|
433
447
|
};
|
|
434
448
|
|
|
435
|
-
// src/index.ts
|
|
436
|
-
import { InvalidFetchResponseError as InvalidFetchResponseError7 } from "@openid4vc/utils";
|
|
437
|
-
|
|
438
|
-
// src/error/Oauth2ClientErrorResponseError.ts
|
|
439
|
-
var Oauth2ClientErrorResponseError = class extends Oauth2Error {
|
|
440
|
-
constructor(message, errorResponse, response) {
|
|
441
|
-
super(`${message}
|
|
442
|
-
${JSON.stringify(errorResponse, null, 2)}`);
|
|
443
|
-
this.errorResponse = errorResponse;
|
|
444
|
-
this.response = response.clone();
|
|
445
|
-
}
|
|
446
|
-
};
|
|
447
|
-
|
|
448
|
-
// src/error/Oauth2ClientAuthorizationChallengeError.ts
|
|
449
|
-
var Oauth2ClientAuthorizationChallengeError = class extends Oauth2ClientErrorResponseError {
|
|
450
|
-
constructor(message, errorResponse, response) {
|
|
451
|
-
super(message, errorResponse, response);
|
|
452
|
-
this.errorResponse = errorResponse;
|
|
453
|
-
}
|
|
454
|
-
};
|
|
455
|
-
|
|
456
449
|
// src/error/Oauth2ServerErrorResponseError.ts
|
|
457
450
|
var Oauth2ServerErrorResponseError = class extends Oauth2Error {
|
|
458
451
|
constructor(errorResponse, options) {
|
|
@@ -466,44 +459,6 @@ ${JSON.stringify(errorResponse, null, 2)}`,
|
|
|
466
459
|
}
|
|
467
460
|
};
|
|
468
461
|
|
|
469
|
-
// src/metadata/authorization-server/z-authorization-server-metadata.ts
|
|
470
|
-
import { zHttpsUrl } from "@openid4vc/utils";
|
|
471
|
-
import z6 from "zod";
|
|
472
|
-
var zAuthorizationServerMetadata = z6.object({
|
|
473
|
-
issuer: zHttpsUrl,
|
|
474
|
-
token_endpoint: zHttpsUrl,
|
|
475
|
-
token_endpoint_auth_methods_supported: z6.optional(z6.array(z6.string())),
|
|
476
|
-
authorization_endpoint: z6.optional(zHttpsUrl),
|
|
477
|
-
jwks_uri: z6.optional(zHttpsUrl),
|
|
478
|
-
// RFC7636
|
|
479
|
-
code_challenge_methods_supported: z6.optional(z6.array(z6.string())),
|
|
480
|
-
// RFC9449
|
|
481
|
-
dpop_signing_alg_values_supported: z6.optional(z6.array(z6.string())),
|
|
482
|
-
// RFC9126
|
|
483
|
-
require_pushed_authorization_requests: z6.optional(z6.boolean()),
|
|
484
|
-
pushed_authorization_request_endpoint: z6.optional(zHttpsUrl),
|
|
485
|
-
// RFC9068
|
|
486
|
-
introspection_endpoint: z6.optional(zHttpsUrl),
|
|
487
|
-
introspection_endpoint_auth_methods_supported: z6.optional(
|
|
488
|
-
z6.array(z6.union([z6.literal("client_secret_jwt"), z6.literal("private_key_jwt"), z6.string()]))
|
|
489
|
-
),
|
|
490
|
-
introspection_endpoint_auth_signing_alg_values_supported: z6.optional(z6.array(zAlgValueNotNone)),
|
|
491
|
-
// FiPA (no RFC yet)
|
|
492
|
-
authorization_challenge_endpoint: z6.optional(zHttpsUrl),
|
|
493
|
-
// From OID4VCI specification
|
|
494
|
-
pre_authorized_grant_anonymous_access_supported: z6.optional(z6.boolean())
|
|
495
|
-
}).passthrough().refine(
|
|
496
|
-
({
|
|
497
|
-
introspection_endpoint_auth_methods_supported: methodsSupported,
|
|
498
|
-
introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported
|
|
499
|
-
}) => {
|
|
500
|
-
if (!methodsSupported) return true;
|
|
501
|
-
if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
|
|
502
|
-
return algValuesSupported !== void 0 && algValuesSupported.length > 0;
|
|
503
|
-
},
|
|
504
|
-
`Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`
|
|
505
|
-
);
|
|
506
|
-
|
|
507
462
|
// src/metadata/authorization-server/authorization-server-metadata.ts
|
|
508
463
|
import { joinUriParts } from "@openid4vc/utils";
|
|
509
464
|
|
|
@@ -610,6 +565,44 @@ async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
|
|
|
610
565
|
return result.data;
|
|
611
566
|
}
|
|
612
567
|
|
|
568
|
+
// src/metadata/authorization-server/z-authorization-server-metadata.ts
|
|
569
|
+
import { zHttpsUrl } from "@openid4vc/utils";
|
|
570
|
+
import z7 from "zod";
|
|
571
|
+
var zAuthorizationServerMetadata = z7.object({
|
|
572
|
+
issuer: zHttpsUrl,
|
|
573
|
+
token_endpoint: zHttpsUrl,
|
|
574
|
+
token_endpoint_auth_methods_supported: z7.optional(z7.array(z7.string())),
|
|
575
|
+
authorization_endpoint: z7.optional(zHttpsUrl),
|
|
576
|
+
jwks_uri: z7.optional(zHttpsUrl),
|
|
577
|
+
// RFC7636
|
|
578
|
+
code_challenge_methods_supported: z7.optional(z7.array(z7.string())),
|
|
579
|
+
// RFC9449
|
|
580
|
+
dpop_signing_alg_values_supported: z7.optional(z7.array(z7.string())),
|
|
581
|
+
// RFC9126
|
|
582
|
+
require_pushed_authorization_requests: z7.optional(z7.boolean()),
|
|
583
|
+
pushed_authorization_request_endpoint: z7.optional(zHttpsUrl),
|
|
584
|
+
// RFC9068
|
|
585
|
+
introspection_endpoint: z7.optional(zHttpsUrl),
|
|
586
|
+
introspection_endpoint_auth_methods_supported: z7.optional(
|
|
587
|
+
z7.array(z7.union([z7.literal("client_secret_jwt"), z7.literal("private_key_jwt"), z7.string()]))
|
|
588
|
+
),
|
|
589
|
+
introspection_endpoint_auth_signing_alg_values_supported: z7.optional(z7.array(zAlgValueNotNone)),
|
|
590
|
+
// FiPA (no RFC yet)
|
|
591
|
+
authorization_challenge_endpoint: z7.optional(zHttpsUrl),
|
|
592
|
+
// From OpenID4VCI specification
|
|
593
|
+
pre_authorized_grant_anonymous_access_supported: z7.optional(z7.boolean())
|
|
594
|
+
}).passthrough().refine(
|
|
595
|
+
({
|
|
596
|
+
introspection_endpoint_auth_methods_supported: methodsSupported,
|
|
597
|
+
introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported
|
|
598
|
+
}) => {
|
|
599
|
+
if (!methodsSupported) return true;
|
|
600
|
+
if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
|
|
601
|
+
return algValuesSupported !== void 0 && algValuesSupported.length > 0;
|
|
602
|
+
},
|
|
603
|
+
`Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`
|
|
604
|
+
);
|
|
605
|
+
|
|
613
606
|
// src/metadata/authorization-server/authorization-server-metadata.ts
|
|
614
607
|
var wellKnownAuthorizationServerSuffix = ".well-known/oauth-authorization-server";
|
|
615
608
|
var wellKnownOpenIdConfigurationServerSuffix = ".well-known/openid-configuration";
|
|
@@ -681,25 +674,78 @@ async function fetchJwks(authorizationServer, fetch) {
|
|
|
681
674
|
return result.data;
|
|
682
675
|
}
|
|
683
676
|
|
|
677
|
+
// src/common/jwt/verify-jwt.ts
|
|
678
|
+
import { dateToSeconds } from "@openid4vc/utils";
|
|
679
|
+
async function verifyJwt(options) {
|
|
680
|
+
const errorMessage = options.errorMessage ?? "Error during verification of jwt.";
|
|
681
|
+
let signerJwk;
|
|
682
|
+
try {
|
|
683
|
+
const result = await options.verifyJwtCallback(options.signer, {
|
|
684
|
+
header: options.header,
|
|
685
|
+
payload: options.payload,
|
|
686
|
+
compact: options.compact
|
|
687
|
+
});
|
|
688
|
+
if (!result.verified) throw new Oauth2JwtVerificationError(errorMessage);
|
|
689
|
+
signerJwk = result.signerJwk;
|
|
690
|
+
} catch (error) {
|
|
691
|
+
if (error instanceof Oauth2JwtVerificationError) throw error;
|
|
692
|
+
throw new Oauth2JwtVerificationError(errorMessage, { cause: error });
|
|
693
|
+
}
|
|
694
|
+
const nowInSeconds = dateToSeconds(options.now ?? /* @__PURE__ */ new Date());
|
|
695
|
+
const skewInSeconds = options.allowedSkewInSeconds ?? 0;
|
|
696
|
+
const timeBasedValidation = options.skipTimeBasedValidation !== void 0 ? !options.skipTimeBasedValidation : true;
|
|
697
|
+
if (timeBasedValidation && options.payload.nbf && nowInSeconds < options.payload.nbf - skewInSeconds) {
|
|
698
|
+
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nbf' is in the future`);
|
|
699
|
+
}
|
|
700
|
+
if (timeBasedValidation && options.payload.exp && nowInSeconds > options.payload.exp + skewInSeconds) {
|
|
701
|
+
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'exp' is in the past`);
|
|
702
|
+
}
|
|
703
|
+
if (options.expectedAudience && options.expectedAudience !== options.payload.aud) {
|
|
704
|
+
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'aud' does not match expected value.`);
|
|
705
|
+
}
|
|
706
|
+
if (options.expectedIssuer && options.expectedIssuer !== options.payload.iss) {
|
|
707
|
+
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'iss' does not match expected value.`);
|
|
708
|
+
}
|
|
709
|
+
if (options.expectedNonce && options.expectedNonce !== options.payload.nonce) {
|
|
710
|
+
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nonce' does not match expected value.`);
|
|
711
|
+
}
|
|
712
|
+
if (options.expectedSubject && options.expectedSubject !== options.payload.sub) {
|
|
713
|
+
throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'sub' does not match expected value.`);
|
|
714
|
+
}
|
|
715
|
+
if (options.requiredClaims) {
|
|
716
|
+
for (const claim of options.requiredClaims) {
|
|
717
|
+
if (!options.payload[claim]) {
|
|
718
|
+
throw new Oauth2JwtVerificationError(`${errorMessage} jwt '${claim}' is missing.`);
|
|
719
|
+
}
|
|
720
|
+
}
|
|
721
|
+
}
|
|
722
|
+
return {
|
|
723
|
+
signer: {
|
|
724
|
+
...options.signer,
|
|
725
|
+
publicJwk: signerJwk
|
|
726
|
+
}
|
|
727
|
+
};
|
|
728
|
+
}
|
|
729
|
+
|
|
684
730
|
// src/access-token/z-access-token-jwt.ts
|
|
685
731
|
import { zInteger as zInteger2 } from "@openid4vc/utils";
|
|
686
|
-
import
|
|
687
|
-
var zAccessTokenProfileJwtHeader =
|
|
732
|
+
import z8 from "zod";
|
|
733
|
+
var zAccessTokenProfileJwtHeader = z8.object({
|
|
688
734
|
...zJwtHeader.shape,
|
|
689
|
-
typ:
|
|
735
|
+
typ: z8.enum(["application/at+jwt", "at+jwt"])
|
|
690
736
|
}).passthrough();
|
|
691
|
-
var zAccessTokenProfileJwtPayload =
|
|
737
|
+
var zAccessTokenProfileJwtPayload = z8.object({
|
|
692
738
|
...zJwtPayload.shape,
|
|
693
|
-
iss:
|
|
739
|
+
iss: z8.string(),
|
|
694
740
|
exp: zInteger2,
|
|
695
741
|
iat: zInteger2,
|
|
696
|
-
aud:
|
|
697
|
-
sub:
|
|
698
|
-
// REQUIRED according to RFC 9068, but
|
|
699
|
-
client_id:
|
|
700
|
-
jti:
|
|
742
|
+
aud: z8.string(),
|
|
743
|
+
sub: z8.string(),
|
|
744
|
+
// REQUIRED according to RFC 9068, but OpenID4VCI allows anonymous access
|
|
745
|
+
client_id: z8.optional(z8.string()),
|
|
746
|
+
jti: z8.string(),
|
|
701
747
|
// SHOULD be included in the authorization request contained it
|
|
702
|
-
scope:
|
|
748
|
+
scope: z8.optional(z8.string())
|
|
703
749
|
}).passthrough();
|
|
704
750
|
|
|
705
751
|
// src/access-token/verify-access-token.ts
|
|
@@ -752,24 +798,24 @@ import {
|
|
|
752
798
|
dateToSeconds as dateToSeconds2,
|
|
753
799
|
decodeUtf8String as decodeUtf8String2,
|
|
754
800
|
encodeToBase64Url as encodeToBase64Url2,
|
|
755
|
-
parseWithErrorHandling as
|
|
801
|
+
parseWithErrorHandling as parseWithErrorHandling4
|
|
756
802
|
} from "@openid4vc/utils";
|
|
757
803
|
|
|
758
804
|
// src/dpop/z-dpop.ts
|
|
759
805
|
import { zHttpMethod, zHttpsUrl as zHttpsUrl2, zInteger as zInteger3 } from "@openid4vc/utils";
|
|
760
|
-
import
|
|
761
|
-
var zDpopJwtPayload =
|
|
806
|
+
import z9 from "zod";
|
|
807
|
+
var zDpopJwtPayload = z9.object({
|
|
762
808
|
...zJwtPayload.shape,
|
|
763
809
|
iat: zInteger3,
|
|
764
810
|
htu: zHttpsUrl2,
|
|
765
811
|
htm: zHttpMethod,
|
|
766
|
-
jti:
|
|
812
|
+
jti: z9.string(),
|
|
767
813
|
// Only required when presenting in combination with access token
|
|
768
|
-
ath:
|
|
814
|
+
ath: z9.optional(z9.string())
|
|
769
815
|
}).passthrough();
|
|
770
|
-
var zDpopJwtHeader =
|
|
816
|
+
var zDpopJwtHeader = z9.object({
|
|
771
817
|
...zJwtHeader.shape,
|
|
772
|
-
typ:
|
|
818
|
+
typ: z9.literal("dpop+jwt"),
|
|
773
819
|
jwk: zJwk
|
|
774
820
|
}).passthrough();
|
|
775
821
|
|
|
@@ -785,12 +831,12 @@ async function createDpopJwt(options) {
|
|
|
785
831
|
if (options.accessToken) {
|
|
786
832
|
ath = encodeToBase64Url2(await options.callbacks.hash(decodeUtf8String2(options.accessToken), "SHA-256" /* Sha256 */));
|
|
787
833
|
}
|
|
788
|
-
const header =
|
|
834
|
+
const header = parseWithErrorHandling4(zDpopJwtHeader, {
|
|
789
835
|
typ: "dpop+jwt",
|
|
790
836
|
jwk: options.signer.publicJwk,
|
|
791
837
|
alg: options.signer.alg
|
|
792
838
|
});
|
|
793
|
-
const payload =
|
|
839
|
+
const payload = parseWithErrorHandling4(zDpopJwtPayload, {
|
|
794
840
|
htu: htuFromRequestUrl(options.request.url),
|
|
795
841
|
iat: dateToSeconds2(options.issuedAt),
|
|
796
842
|
htm: options.request.method,
|
|
@@ -1013,37 +1059,37 @@ async function resourceRequest(options) {
|
|
|
1013
1059
|
import { ValidationError as ValidationError2 } from "@openid4vc/utils";
|
|
1014
1060
|
|
|
1015
1061
|
// src/access-token/introspect-token.ts
|
|
1016
|
-
import { ContentType as ContentType3, createZodFetcher as createZodFetcher3, objectToQueryParams, parseWithErrorHandling as
|
|
1062
|
+
import { ContentType as ContentType3, createZodFetcher as createZodFetcher3, objectToQueryParams, parseWithErrorHandling as parseWithErrorHandling5 } from "@openid4vc/utils";
|
|
1017
1063
|
import { InvalidFetchResponseError as InvalidFetchResponseError3 } from "@openid4vc/utils";
|
|
1018
1064
|
import { Headers } from "@openid4vc/utils";
|
|
1019
1065
|
|
|
1020
1066
|
// src/access-token/z-token-introspection.ts
|
|
1021
1067
|
import { zInteger as zInteger4 } from "@openid4vc/utils";
|
|
1022
|
-
import
|
|
1023
|
-
var zTokenIntrospectionRequest =
|
|
1024
|
-
token:
|
|
1025
|
-
token_type_hint:
|
|
1068
|
+
import z10 from "zod";
|
|
1069
|
+
var zTokenIntrospectionRequest = z10.object({
|
|
1070
|
+
token: z10.string(),
|
|
1071
|
+
token_type_hint: z10.optional(z10.string())
|
|
1026
1072
|
}).passthrough();
|
|
1027
|
-
var zTokenIntrospectionResponse =
|
|
1028
|
-
active:
|
|
1029
|
-
scope:
|
|
1030
|
-
client_id:
|
|
1031
|
-
username:
|
|
1032
|
-
token_type:
|
|
1033
|
-
exp:
|
|
1034
|
-
iat:
|
|
1035
|
-
nbf:
|
|
1036
|
-
sub:
|
|
1037
|
-
aud:
|
|
1038
|
-
iss:
|
|
1039
|
-
jti:
|
|
1040
|
-
cnf:
|
|
1073
|
+
var zTokenIntrospectionResponse = z10.object({
|
|
1074
|
+
active: z10.boolean(),
|
|
1075
|
+
scope: z10.optional(z10.string()),
|
|
1076
|
+
client_id: z10.optional(z10.string()),
|
|
1077
|
+
username: z10.optional(z10.string()),
|
|
1078
|
+
token_type: z10.optional(z10.string()),
|
|
1079
|
+
exp: z10.optional(zInteger4),
|
|
1080
|
+
iat: z10.optional(zInteger4),
|
|
1081
|
+
nbf: z10.optional(zInteger4),
|
|
1082
|
+
sub: z10.optional(z10.string()),
|
|
1083
|
+
aud: z10.optional(z10.string()),
|
|
1084
|
+
iss: z10.optional(z10.string()),
|
|
1085
|
+
jti: z10.optional(z10.string()),
|
|
1086
|
+
cnf: z10.optional(zJwtConfirmationPayload)
|
|
1041
1087
|
}).passthrough();
|
|
1042
1088
|
|
|
1043
1089
|
// src/access-token/introspect-token.ts
|
|
1044
1090
|
async function introspectToken(options) {
|
|
1045
1091
|
const fetchWithZod = createZodFetcher3(options.callbacks.fetch);
|
|
1046
|
-
const introspectionRequest =
|
|
1092
|
+
const introspectionRequest = parseWithErrorHandling5(zTokenIntrospectionRequest, {
|
|
1047
1093
|
token: options.token,
|
|
1048
1094
|
token_type_hint: options.tokenTypeHint,
|
|
1049
1095
|
...options.additionalPayload
|
|
@@ -1291,17 +1337,17 @@ function clientAuthenticationNone() {
|
|
|
1291
1337
|
}
|
|
1292
1338
|
|
|
1293
1339
|
// src/Oauth2AuthorizationServer.ts
|
|
1294
|
-
import { parseWithErrorHandling as
|
|
1340
|
+
import { parseWithErrorHandling as parseWithErrorHandling12 } from "@openid4vc/utils";
|
|
1295
1341
|
|
|
1296
1342
|
// src/access-token/create-access-token.ts
|
|
1297
|
-
import { addSecondsToDate, dateToSeconds as dateToSeconds3, encodeToBase64Url as encodeToBase64Url4, parseWithErrorHandling as
|
|
1343
|
+
import { addSecondsToDate, dateToSeconds as dateToSeconds3, encodeToBase64Url as encodeToBase64Url4, parseWithErrorHandling as parseWithErrorHandling6 } from "@openid4vc/utils";
|
|
1298
1344
|
async function createAccessTokenJwt(options) {
|
|
1299
|
-
const header =
|
|
1345
|
+
const header = parseWithErrorHandling6(zAccessTokenProfileJwtHeader, {
|
|
1300
1346
|
...jwtHeaderFromJwtSigner(options.signer),
|
|
1301
1347
|
typ: "at+jwt"
|
|
1302
1348
|
});
|
|
1303
1349
|
const now = options.now ?? /* @__PURE__ */ new Date();
|
|
1304
|
-
const payload =
|
|
1350
|
+
const payload = parseWithErrorHandling6(zAccessTokenProfileJwtPayload, {
|
|
1305
1351
|
iat: dateToSeconds3(now),
|
|
1306
1352
|
exp: dateToSeconds3(addSecondsToDate(now, options.expiresInSeconds)),
|
|
1307
1353
|
aud: options.audience,
|
|
@@ -1329,45 +1375,45 @@ async function createAccessTokenJwt(options) {
|
|
|
1329
1375
|
}
|
|
1330
1376
|
|
|
1331
1377
|
// src/access-token/create-access-token-response.ts
|
|
1332
|
-
import { parseWithErrorHandling as
|
|
1378
|
+
import { parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
|
|
1333
1379
|
|
|
1334
1380
|
// src/access-token/z-access-token.ts
|
|
1335
|
-
import
|
|
1381
|
+
import z12 from "zod";
|
|
1336
1382
|
import { zHttpsUrl as zHttpsUrl3 } from "@openid4vc/utils";
|
|
1337
1383
|
|
|
1338
1384
|
// src/z-grant-type.ts
|
|
1339
|
-
import
|
|
1340
|
-
var zPreAuthorizedCodeGrantIdentifier =
|
|
1385
|
+
import z11 from "zod";
|
|
1386
|
+
var zPreAuthorizedCodeGrantIdentifier = z11.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
|
|
1341
1387
|
var preAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier.value;
|
|
1342
|
-
var zAuthorizationCodeGrantIdentifier =
|
|
1388
|
+
var zAuthorizationCodeGrantIdentifier = z11.literal("authorization_code");
|
|
1343
1389
|
var authorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier.value;
|
|
1344
|
-
var zRefreshTokenGrantIdentifier =
|
|
1390
|
+
var zRefreshTokenGrantIdentifier = z11.literal("refresh_token");
|
|
1345
1391
|
var refreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier.value;
|
|
1346
1392
|
|
|
1347
1393
|
// src/access-token/z-access-token.ts
|
|
1348
|
-
var zAccessTokenRequest =
|
|
1349
|
-
|
|
1394
|
+
var zAccessTokenRequest = z12.intersection(
|
|
1395
|
+
z12.object({
|
|
1350
1396
|
// Pre authorized code flow
|
|
1351
|
-
"pre-authorized_code":
|
|
1397
|
+
"pre-authorized_code": z12.optional(z12.string()),
|
|
1352
1398
|
// Authorization code flow
|
|
1353
|
-
code:
|
|
1354
|
-
redirect_uri:
|
|
1399
|
+
code: z12.optional(z12.string()),
|
|
1400
|
+
redirect_uri: z12.string().url().optional(),
|
|
1355
1401
|
// Refresh token grant
|
|
1356
|
-
refresh_token:
|
|
1357
|
-
resource:
|
|
1358
|
-
code_verifier:
|
|
1359
|
-
grant_type:
|
|
1402
|
+
refresh_token: z12.optional(z12.string()),
|
|
1403
|
+
resource: z12.optional(zHttpsUrl3),
|
|
1404
|
+
code_verifier: z12.optional(z12.string()),
|
|
1405
|
+
grant_type: z12.union([
|
|
1360
1406
|
zPreAuthorizedCodeGrantIdentifier,
|
|
1361
1407
|
zAuthorizationCodeGrantIdentifier,
|
|
1362
1408
|
zRefreshTokenGrantIdentifier,
|
|
1363
1409
|
// string makes the previous ones unessary, but it does help with error messages
|
|
1364
|
-
|
|
1410
|
+
z12.string()
|
|
1365
1411
|
])
|
|
1366
1412
|
}).passthrough(),
|
|
1367
|
-
|
|
1368
|
-
tx_code:
|
|
1369
|
-
// user_pin is from
|
|
1370
|
-
user_pin:
|
|
1413
|
+
z12.object({
|
|
1414
|
+
tx_code: z12.optional(z12.string()),
|
|
1415
|
+
// user_pin is from OpenID4VCI draft 11
|
|
1416
|
+
user_pin: z12.optional(z12.string())
|
|
1371
1417
|
}).passthrough().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, {
|
|
1372
1418
|
message: `If both 'tx_code' and 'user_pin' are present they must match`
|
|
1373
1419
|
}).transform(({ tx_code, user_pin, ...rest }) => {
|
|
@@ -1377,19 +1423,19 @@ var zAccessTokenRequest = z11.intersection(
|
|
|
1377
1423
|
};
|
|
1378
1424
|
})
|
|
1379
1425
|
);
|
|
1380
|
-
var zAccessTokenResponse =
|
|
1381
|
-
access_token:
|
|
1382
|
-
token_type:
|
|
1383
|
-
expires_in:
|
|
1384
|
-
scope:
|
|
1385
|
-
state:
|
|
1386
|
-
refresh_token:
|
|
1387
|
-
//
|
|
1388
|
-
c_nonce:
|
|
1389
|
-
c_nonce_expires_in:
|
|
1426
|
+
var zAccessTokenResponse = z12.object({
|
|
1427
|
+
access_token: z12.string(),
|
|
1428
|
+
token_type: z12.string(),
|
|
1429
|
+
expires_in: z12.optional(z12.number().int()),
|
|
1430
|
+
scope: z12.optional(z12.string()),
|
|
1431
|
+
state: z12.optional(z12.string()),
|
|
1432
|
+
refresh_token: z12.optional(z12.string()),
|
|
1433
|
+
// OpenID4VCI specific parameters
|
|
1434
|
+
c_nonce: z12.optional(z12.string()),
|
|
1435
|
+
c_nonce_expires_in: z12.optional(z12.number().int()),
|
|
1390
1436
|
// TODO: add additional params
|
|
1391
|
-
authorization_details:
|
|
1392
|
-
|
|
1437
|
+
authorization_details: z12.array(
|
|
1438
|
+
z12.object({
|
|
1393
1439
|
// requried when type is openid_credential (so we probably need a discriminator)
|
|
1394
1440
|
// credential_identifiers: z.array(z.string()),
|
|
1395
1441
|
}).passthrough()
|
|
@@ -1399,7 +1445,7 @@ var zAccessTokenErrorResponse = zOauth2ErrorResponse;
|
|
|
1399
1445
|
|
|
1400
1446
|
// src/access-token/create-access-token-response.ts
|
|
1401
1447
|
async function createAccessTokenResponse(options) {
|
|
1402
|
-
const accessTokenResponse =
|
|
1448
|
+
const accessTokenResponse = parseWithErrorHandling7(zAccessTokenResponse, {
|
|
1403
1449
|
access_token: options.accessToken,
|
|
1404
1450
|
token_type: options.tokenType,
|
|
1405
1451
|
expires_in: options.expiresInSeconds,
|
|
@@ -1644,69 +1690,69 @@ async function verifyAccessTokenRequestPkce(options, callbacks) {
|
|
|
1644
1690
|
}
|
|
1645
1691
|
|
|
1646
1692
|
// src/authorization-challenge/create-authorization-challenge-response.ts
|
|
1647
|
-
import { parseWithErrorHandling as
|
|
1693
|
+
import { parseWithErrorHandling as parseWithErrorHandling8 } from "@openid4vc/utils";
|
|
1648
1694
|
|
|
1649
1695
|
// src/authorization-challenge/z-authorization-challenge.ts
|
|
1650
1696
|
import { zInteger as zInteger5 } from "@openid4vc/utils";
|
|
1651
|
-
import
|
|
1697
|
+
import z14 from "zod";
|
|
1652
1698
|
|
|
1653
1699
|
// src/authorization-request/z-authorization-request.ts
|
|
1654
1700
|
import { zHttpsUrl as zHttpsUrl4 } from "@openid4vc/utils";
|
|
1655
|
-
import
|
|
1656
|
-
var zAuthorizationRequest =
|
|
1657
|
-
response_type:
|
|
1658
|
-
client_id:
|
|
1659
|
-
issuer_state:
|
|
1660
|
-
redirect_uri:
|
|
1661
|
-
resource:
|
|
1662
|
-
scope:
|
|
1701
|
+
import z13 from "zod";
|
|
1702
|
+
var zAuthorizationRequest = z13.object({
|
|
1703
|
+
response_type: z13.string(),
|
|
1704
|
+
client_id: z13.string(),
|
|
1705
|
+
issuer_state: z13.optional(z13.string()),
|
|
1706
|
+
redirect_uri: z13.string().url().optional(),
|
|
1707
|
+
resource: z13.optional(zHttpsUrl4),
|
|
1708
|
+
scope: z13.optional(z13.string()),
|
|
1663
1709
|
// DPoP jwk thumbprint
|
|
1664
|
-
dpop_jkt:
|
|
1665
|
-
code_challenge:
|
|
1666
|
-
code_challenge_method:
|
|
1710
|
+
dpop_jkt: z13.optional(z13.string()),
|
|
1711
|
+
code_challenge: z13.optional(z13.string()),
|
|
1712
|
+
code_challenge_method: z13.optional(z13.string())
|
|
1667
1713
|
}).passthrough();
|
|
1668
|
-
var zPushedAuthorizationRequest =
|
|
1669
|
-
request_uri:
|
|
1670
|
-
client_id:
|
|
1714
|
+
var zPushedAuthorizationRequest = z13.object({
|
|
1715
|
+
request_uri: z13.string(),
|
|
1716
|
+
client_id: z13.string()
|
|
1671
1717
|
}).passthrough();
|
|
1672
|
-
var zPushedAuthorizationResponse =
|
|
1673
|
-
request_uri:
|
|
1674
|
-
expires_in:
|
|
1718
|
+
var zPushedAuthorizationResponse = z13.object({
|
|
1719
|
+
request_uri: z13.string(),
|
|
1720
|
+
expires_in: z13.number().int()
|
|
1675
1721
|
}).passthrough();
|
|
1676
1722
|
|
|
1677
1723
|
// src/authorization-challenge/z-authorization-challenge.ts
|
|
1678
|
-
var zAuthorizationChallengeRequest =
|
|
1724
|
+
var zAuthorizationChallengeRequest = z14.object({
|
|
1679
1725
|
// authorization challenge request can include same parameters as an authorization request
|
|
1680
1726
|
// except for response_type (always `code`), and `client_id` is optional (becase
|
|
1681
1727
|
// it's possible to do client authentication using different methods)
|
|
1682
1728
|
...zAuthorizationRequest.omit({ response_type: true, client_id: true }).shape,
|
|
1683
|
-
client_id:
|
|
1684
|
-
auth_session:
|
|
1729
|
+
client_id: z14.optional(zAuthorizationRequest.shape.client_id),
|
|
1730
|
+
auth_session: z14.optional(z14.string()),
|
|
1685
1731
|
// DRAFT presentation during issuance
|
|
1686
|
-
presentation_during_issuance_session:
|
|
1732
|
+
presentation_during_issuance_session: z14.optional(z14.string())
|
|
1687
1733
|
}).passthrough();
|
|
1688
|
-
var zAuthorizationChallengeResponse =
|
|
1689
|
-
authorization_code:
|
|
1734
|
+
var zAuthorizationChallengeResponse = z14.object({
|
|
1735
|
+
authorization_code: z14.string()
|
|
1690
1736
|
}).passthrough();
|
|
1691
|
-
var zAuthorizationChallengeErrorResponse =
|
|
1737
|
+
var zAuthorizationChallengeErrorResponse = z14.object({
|
|
1692
1738
|
...zOauth2ErrorResponse.shape,
|
|
1693
|
-
auth_session:
|
|
1694
|
-
request_uri:
|
|
1695
|
-
expires_in:
|
|
1739
|
+
auth_session: z14.optional(z14.string()),
|
|
1740
|
+
request_uri: z14.optional(z14.string()),
|
|
1741
|
+
expires_in: z14.optional(zInteger5),
|
|
1696
1742
|
// DRAFT: presentation during issuance
|
|
1697
|
-
presentation:
|
|
1743
|
+
presentation: z14.optional(z14.string())
|
|
1698
1744
|
}).passthrough();
|
|
1699
1745
|
|
|
1700
1746
|
// src/authorization-challenge/create-authorization-challenge-response.ts
|
|
1701
1747
|
function createAuthorizationChallengeResponse(options) {
|
|
1702
|
-
const authorizationChallengeResponse =
|
|
1748
|
+
const authorizationChallengeResponse = parseWithErrorHandling8(zAuthorizationChallengeResponse, {
|
|
1703
1749
|
...options.additionalPayload,
|
|
1704
1750
|
authorization_code: options.authorizationCode
|
|
1705
1751
|
});
|
|
1706
1752
|
return { authorizationChallengeResponse };
|
|
1707
1753
|
}
|
|
1708
1754
|
function createAuthorizationChallengeErrorResponse(options) {
|
|
1709
|
-
const authorizationChallengeErrorResponse =
|
|
1755
|
+
const authorizationChallengeErrorResponse = parseWithErrorHandling8(zAuthorizationChallengeErrorResponse, {
|
|
1710
1756
|
...options.additionalPayload,
|
|
1711
1757
|
// General FiPA
|
|
1712
1758
|
error: options.error,
|
|
@@ -1722,9 +1768,9 @@ function createAuthorizationChallengeErrorResponse(options) {
|
|
|
1722
1768
|
}
|
|
1723
1769
|
|
|
1724
1770
|
// src/authorization-challenge/parse-authorization-challenge-request.ts
|
|
1725
|
-
import { parseWithErrorHandling as
|
|
1771
|
+
import { parseWithErrorHandling as parseWithErrorHandling9 } from "@openid4vc/utils";
|
|
1726
1772
|
function parseAuthorizationChallengeRequest(options) {
|
|
1727
|
-
const authorizationChallengeRequest =
|
|
1773
|
+
const authorizationChallengeRequest = parseWithErrorHandling9(
|
|
1728
1774
|
zAuthorizationChallengeRequest,
|
|
1729
1775
|
options.authorizationChallengeRequest
|
|
1730
1776
|
);
|
|
@@ -1732,52 +1778,52 @@ function parseAuthorizationChallengeRequest(options) {
|
|
|
1732
1778
|
}
|
|
1733
1779
|
|
|
1734
1780
|
// src/client-attestation/clent-attestation.ts
|
|
1735
|
-
import { dateToSeconds as dateToSeconds4, parseWithErrorHandling as
|
|
1781
|
+
import { dateToSeconds as dateToSeconds4, parseWithErrorHandling as parseWithErrorHandling10 } from "@openid4vc/utils";
|
|
1736
1782
|
|
|
1737
1783
|
// src/client-attestation/z-client-attestation.ts
|
|
1738
1784
|
import { zHttpsUrl as zHttpsUrl5, zInteger as zInteger6 } from "@openid4vc/utils";
|
|
1739
|
-
import
|
|
1740
|
-
var zOauthClientAttestationHeader =
|
|
1785
|
+
import z15 from "zod";
|
|
1786
|
+
var zOauthClientAttestationHeader = z15.literal("OAuth-Client-Attestation");
|
|
1741
1787
|
var oauthClientAttestationHeader = zOauthClientAttestationHeader.value;
|
|
1742
|
-
var zClientAttestationJwtPayload =
|
|
1788
|
+
var zClientAttestationJwtPayload = z15.object({
|
|
1743
1789
|
...zJwtPayload.shape,
|
|
1744
|
-
iss:
|
|
1745
|
-
sub:
|
|
1790
|
+
iss: z15.string(),
|
|
1791
|
+
sub: z15.string(),
|
|
1746
1792
|
exp: zInteger6,
|
|
1747
|
-
cnf:
|
|
1793
|
+
cnf: z15.object({
|
|
1748
1794
|
jwk: zJwk,
|
|
1749
|
-
key_type:
|
|
1750
|
-
|
|
1751
|
-
|
|
1752
|
-
|
|
1795
|
+
key_type: z15.optional(
|
|
1796
|
+
z15.union([
|
|
1797
|
+
z15.enum(["software", "hardware", "tee", "secure_enclave", "strong_box", "secure_element", "hsm"]),
|
|
1798
|
+
z15.string()
|
|
1753
1799
|
])
|
|
1754
1800
|
),
|
|
1755
|
-
user_authentication:
|
|
1756
|
-
|
|
1757
|
-
|
|
1758
|
-
|
|
1801
|
+
user_authentication: z15.optional(
|
|
1802
|
+
z15.union([
|
|
1803
|
+
z15.enum(["system_biometry", "system_pin", "internal_biometry", "internal_pin", "secure_element_pin"]),
|
|
1804
|
+
z15.string()
|
|
1759
1805
|
])
|
|
1760
1806
|
)
|
|
1761
1807
|
}).passthrough(),
|
|
1762
|
-
aal:
|
|
1808
|
+
aal: z15.optional(z15.string())
|
|
1763
1809
|
}).passthrough();
|
|
1764
|
-
var zClientAttestationJwtHeader =
|
|
1810
|
+
var zClientAttestationJwtHeader = z15.object({
|
|
1765
1811
|
...zJwtHeader.shape,
|
|
1766
|
-
typ:
|
|
1812
|
+
typ: z15.literal("oauth-client-attestation+jwt")
|
|
1767
1813
|
}).passthrough();
|
|
1768
|
-
var zOauthClientAttestationPopHeader =
|
|
1814
|
+
var zOauthClientAttestationPopHeader = z15.literal("OAuth-Client-Attestation-PoP");
|
|
1769
1815
|
var oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
|
|
1770
|
-
var zClientAttestationPopJwtPayload =
|
|
1816
|
+
var zClientAttestationPopJwtPayload = z15.object({
|
|
1771
1817
|
...zJwtPayload.shape,
|
|
1772
|
-
iss:
|
|
1818
|
+
iss: z15.string(),
|
|
1773
1819
|
exp: zInteger6,
|
|
1774
1820
|
aud: zHttpsUrl5,
|
|
1775
|
-
jti:
|
|
1776
|
-
nonce:
|
|
1821
|
+
jti: z15.string(),
|
|
1822
|
+
nonce: z15.optional(z15.string())
|
|
1777
1823
|
}).passthrough();
|
|
1778
|
-
var zClientAttestationPopJwtHeader =
|
|
1824
|
+
var zClientAttestationPopJwtHeader = z15.object({
|
|
1779
1825
|
...zJwtHeader.shape,
|
|
1780
|
-
typ:
|
|
1826
|
+
typ: z15.literal("oauth-client-attestation-pop+jwt")
|
|
1781
1827
|
}).passthrough();
|
|
1782
1828
|
|
|
1783
1829
|
// src/client-attestation/clent-attestation.ts
|
|
@@ -1803,11 +1849,11 @@ async function verifyClientAttestationJwt(options) {
|
|
|
1803
1849
|
};
|
|
1804
1850
|
}
|
|
1805
1851
|
async function createClientAttestationJwt(options) {
|
|
1806
|
-
const header =
|
|
1852
|
+
const header = parseWithErrorHandling10(zClientAttestationJwtHeader, {
|
|
1807
1853
|
typ: "oauth-client-attestation+jwt",
|
|
1808
1854
|
...jwtHeaderFromJwtSigner(options.signer)
|
|
1809
1855
|
});
|
|
1810
|
-
const payload =
|
|
1856
|
+
const payload = parseWithErrorHandling10(zClientAttestationJwtPayload, {
|
|
1811
1857
|
iss: options.issuer,
|
|
1812
1858
|
iat: dateToSeconds4(options.issuedAt),
|
|
1813
1859
|
exp: dateToSeconds4(options.expiresAt),
|
|
@@ -1837,7 +1883,7 @@ function extractClientAttestationJwtsFromHeaders(headers) {
|
|
|
1837
1883
|
}
|
|
1838
1884
|
|
|
1839
1885
|
// src/client-attestation/client-attestation-pop.ts
|
|
1840
|
-
import { addSecondsToDate as addSecondsToDate2, dateToSeconds as dateToSeconds5, encodeToBase64Url as encodeToBase64Url6, parseWithErrorHandling as
|
|
1886
|
+
import { addSecondsToDate as addSecondsToDate2, dateToSeconds as dateToSeconds5, encodeToBase64Url as encodeToBase64Url6, parseWithErrorHandling as parseWithErrorHandling11 } from "@openid4vc/utils";
|
|
1841
1887
|
async function createClientAttestationForRequest(options) {
|
|
1842
1888
|
const clientAttestationPopJwt = await createClientAttestationPopJwt({
|
|
1843
1889
|
authorizationServer: options.authorizationServer,
|
|
@@ -1895,7 +1941,7 @@ async function verifyClientAttestationPopJwt(options) {
|
|
|
1895
1941
|
};
|
|
1896
1942
|
}
|
|
1897
1943
|
async function createClientAttestationPopJwt(options) {
|
|
1898
|
-
const header =
|
|
1944
|
+
const header = parseWithErrorHandling11(zClientAttestationPopJwtHeader, {
|
|
1899
1945
|
typ: "oauth-client-attestation-pop+jwt",
|
|
1900
1946
|
alg: options.signer.alg
|
|
1901
1947
|
});
|
|
@@ -1905,7 +1951,7 @@ async function createClientAttestationPopJwt(options) {
|
|
|
1905
1951
|
payloadSchema: zClientAttestationJwtPayload
|
|
1906
1952
|
});
|
|
1907
1953
|
const expiresAt = options.expiresAt ?? addSecondsToDate2(options.issuedAt ?? /* @__PURE__ */ new Date(), 1 * 60);
|
|
1908
|
-
const payload =
|
|
1954
|
+
const payload = parseWithErrorHandling11(zClientAttestationPopJwtPayload, {
|
|
1909
1955
|
aud: options.authorizationServer,
|
|
1910
1956
|
iss: clientAttestation.payload.sub,
|
|
1911
1957
|
iat: dateToSeconds5(options.issuedAt),
|
|
@@ -1927,7 +1973,7 @@ var Oauth2AuthorizationServer = class {
|
|
|
1927
1973
|
this.options = options;
|
|
1928
1974
|
}
|
|
1929
1975
|
createAuthorizationServerMetadata(authorizationServerMetadata) {
|
|
1930
|
-
return
|
|
1976
|
+
return parseWithErrorHandling12(
|
|
1931
1977
|
zAuthorizationServerMetadata,
|
|
1932
1978
|
authorizationServerMetadata,
|
|
1933
1979
|
"Error validating authorization server metadata"
|
|
@@ -2036,24 +2082,11 @@ var Oauth2AuthorizationServer = class {
|
|
|
2036
2082
|
}
|
|
2037
2083
|
};
|
|
2038
2084
|
|
|
2039
|
-
// src/Oauth2ResourceServer.ts
|
|
2040
|
-
var Oauth2ResourceServer = class {
|
|
2041
|
-
constructor(options) {
|
|
2042
|
-
this.options = options;
|
|
2043
|
-
}
|
|
2044
|
-
async verifyResourceRequest(options) {
|
|
2045
|
-
return verifyResourceRequest({
|
|
2046
|
-
callbacks: this.options.callbacks,
|
|
2047
|
-
...options
|
|
2048
|
-
});
|
|
2049
|
-
}
|
|
2050
|
-
};
|
|
2051
|
-
|
|
2052
2085
|
// src/Oauth2Client.ts
|
|
2053
2086
|
import { objectToQueryParams as objectToQueryParams5 } from "@openid4vc/utils";
|
|
2054
2087
|
|
|
2055
2088
|
// src/access-token/retrieve-access-token.ts
|
|
2056
|
-
import { ContentType as ContentType4, createZodFetcher as createZodFetcher4, objectToQueryParams as objectToQueryParams2, parseWithErrorHandling as
|
|
2089
|
+
import { ContentType as ContentType4, createZodFetcher as createZodFetcher4, objectToQueryParams as objectToQueryParams2, parseWithErrorHandling as parseWithErrorHandling13 } from "@openid4vc/utils";
|
|
2057
2090
|
import { InvalidFetchResponseError as InvalidFetchResponseError4 } from "@openid4vc/utils";
|
|
2058
2091
|
async function retrievePreAuthorizedCodeAccessToken(options) {
|
|
2059
2092
|
const request = {
|
|
@@ -2108,7 +2141,7 @@ async function retrieveRefreshTokenAccessToken(options) {
|
|
|
2108
2141
|
}
|
|
2109
2142
|
async function retrieveAccessToken(options) {
|
|
2110
2143
|
const fetchWithZod = createZodFetcher4(options.callbacks.fetch);
|
|
2111
|
-
const accessTokenRequest =
|
|
2144
|
+
const accessTokenRequest = parseWithErrorHandling13(
|
|
2112
2145
|
zAccessTokenRequest,
|
|
2113
2146
|
options.request,
|
|
2114
2147
|
"Error validating access token request"
|
|
@@ -2189,7 +2222,7 @@ import {
|
|
|
2189
2222
|
ValidationError as ValidationError3,
|
|
2190
2223
|
createZodFetcher as createZodFetcher5,
|
|
2191
2224
|
objectToQueryParams as objectToQueryParams3,
|
|
2192
|
-
parseWithErrorHandling as
|
|
2225
|
+
parseWithErrorHandling as parseWithErrorHandling14
|
|
2193
2226
|
} from "@openid4vc/utils";
|
|
2194
2227
|
import { InvalidFetchResponseError as InvalidFetchResponseError5 } from "@openid4vc/utils";
|
|
2195
2228
|
async function sendAuthorizationChallengeRequest(options) {
|
|
@@ -2211,7 +2244,7 @@ async function sendAuthorizationChallengeRequest(options) {
|
|
|
2211
2244
|
clientAttestation: options.clientAttestation,
|
|
2212
2245
|
callbacks: options.callbacks
|
|
2213
2246
|
}) : void 0;
|
|
2214
|
-
const authorizationChallengeRequest =
|
|
2247
|
+
const authorizationChallengeRequest = parseWithErrorHandling14(zAuthorizationChallengeRequest, {
|
|
2215
2248
|
...options.additionalRequestPayload,
|
|
2216
2249
|
auth_session: options.authSession,
|
|
2217
2250
|
client_id: options.clientId,
|
|
@@ -2602,6 +2635,19 @@ var Oauth2Client = class {
|
|
|
2602
2635
|
});
|
|
2603
2636
|
}
|
|
2604
2637
|
};
|
|
2638
|
+
|
|
2639
|
+
// src/Oauth2ResourceServer.ts
|
|
2640
|
+
var Oauth2ResourceServer = class {
|
|
2641
|
+
constructor(options) {
|
|
2642
|
+
this.options = options;
|
|
2643
|
+
}
|
|
2644
|
+
async verifyResourceRequest(options) {
|
|
2645
|
+
return verifyResourceRequest({
|
|
2646
|
+
callbacks: this.options.callbacks,
|
|
2647
|
+
...options
|
|
2648
|
+
});
|
|
2649
|
+
}
|
|
2650
|
+
};
|
|
2605
2651
|
export {
|
|
2606
2652
|
HashAlgorithm,
|
|
2607
2653
|
InvalidFetchResponseError7 as InvalidFetchResponseError,
|
|
@@ -2625,6 +2671,7 @@ export {
|
|
|
2625
2671
|
clientAuthenticationDynamic,
|
|
2626
2672
|
clientAuthenticationNone,
|
|
2627
2673
|
decodeJwt,
|
|
2674
|
+
decodeJwtHeader,
|
|
2628
2675
|
fetchAuthorizationServerMetadata,
|
|
2629
2676
|
fetchJwks,
|
|
2630
2677
|
fetchWellKnownMetadata,
|
|
@@ -2639,10 +2686,13 @@ export {
|
|
|
2639
2686
|
setGlobalConfig,
|
|
2640
2687
|
verifyJwt,
|
|
2641
2688
|
verifyResourceRequest,
|
|
2689
|
+
zAlgValueNotNone,
|
|
2642
2690
|
zAuthorizationCodeGrantIdentifier,
|
|
2643
2691
|
zAuthorizationServerMetadata,
|
|
2692
|
+
zCompactJwe,
|
|
2644
2693
|
zCompactJwt,
|
|
2645
2694
|
zJwk,
|
|
2695
|
+
zJwkSet,
|
|
2646
2696
|
zJwtHeader,
|
|
2647
2697
|
zJwtPayload,
|
|
2648
2698
|
zOauth2ErrorResponse,
|