@openid4vc/oauth2 0.3.0-alpha-20250322171044 → 0.3.0-alpha-20250324183425

package/dist/index.js

@@ -309,7 +309,9 @@ var zJwtPayload = import_zod5.default.object({
   jti: import_zod5.default.string().optional(),
   cnf: zJwtConfirmationPayload.optional(),
   // Reserved for status parameters
-  status: import_zod5.default.record(import_zod5.default.string(), import_zod5.default.any()).optional()
+  status: import_zod5.default.record(import_zod5.default.string(), import_zod5.default.any()).optional(),
+  // Reserved for OpenID Federation
+  trust_chain: import_zod5.default.array(import_zod5.default.string()).nonempty().optional()
 }).passthrough();
 var zJwtHeader = import_zod5.default.object({
   alg: zAlgValueNotNone,
@@ -317,7 +319,8 @@ var zJwtHeader = import_zod5.default.object({
   kid: import_zod5.default.string().optional(),
   jwk: zJwk.optional(),
   x5c: import_zod5.default.array(import_zod5.default.string()).optional(),
-  trust_chain: import_zod5.default.array(import_zod5.default.string()).optional()
+  // Reserved for OpenID Federation
+  trust_chain: import_zod5.default.array(import_zod5.default.string()).nonempty().optional()
 }).passthrough();
 
 // src/common/jwt/decode-jwt-header.ts
@@ -371,7 +374,7 @@ function jwtHeaderFromJwtSigner(signer) {
       kid: signer.didUrl
     };
   }
-  if (signer.method === "trustChain") {
+  if (signer.method === "federation") {
     return {
       alg: signer.alg,
       kid: signer.kid,
@@ -395,56 +398,101 @@ function jwtHeaderFromJwtSigner(signer) {
     alg: signer.alg
   };
 }
-function jwtSignerFromJwt({ header, payload }) {
+function jwtSignerFromJwt({
+  header,
+  payload,
+  allowedSignerMethods
+}) {
+  const found = [];
   if (header.x5c) {
-    return {
-      alg: header.alg,
+    found.push({
       method: "x5c",
-      x5c: header.x5c
-    };
+      valid: true,
+      signer: {
+        alg: header.alg,
+        method: "x5c",
+        x5c: header.x5c
+      }
+    });
   }
   if (header.trust_chain) {
     if (!header.kid) {
-      throw new Error(`When 'trust_chain' is used in jwt header, the 'kid' parameter is required.`);
+      found.push({
+        method: "federation",
+        valid: false,
+        error: `When 'trust_chain' is used in jwt header, the 'kid' parameter is required.`
+      });
+    } else {
+      found.push({
+        method: "federation",
+        valid: true,
+        signer: {
+          alg: header.alg,
+          trustChain: header.trust_chain,
+          kid: header.kid,
+          method: "federation"
+        }
+      });
     }
-    return {
-      method: "trustChain",
-      alg: header.alg,
-      trustChain: header.trust_chain,
-      kid: header.kid
-    };
   }
-  if (header.kid) {
-    if (header.kid.startsWith("did:")) {
-      if (payload.iss && header.kid.startsWith(payload.iss)) {
-      }
-      if (!header.kid.includes("#")) {
-      }
-      return {
+  if (header.kid?.startsWith("did:") || payload.iss?.startsWith("did:")) {
+    if (payload.iss && header.kid?.startsWith("did:") && !header.kid.startsWith(payload.iss)) {
+      found.push({
         method: "did",
-        didUrl: header.kid,
-        alg: header.alg
-      };
-    }
-    if (header.kid.startsWith("#") && payload.iss?.startsWith("did:")) {
-      return {
+        valid: false,
+        error: `kid in header starst with did that is different from did value in 'iss'`
+      });
+    } else if (!header.kid?.startsWith("did:") && !header.kid?.startsWith("#")) {
+      found.push({
         method: "did",
-        didUrl: `${payload.iss}${header.kid}`,
-        alg: header.alg
-      };
+        valid: false,
+        error: `kid in header must start with either 'did:' or '#' when 'iss' value is a did`
+      });
+    } else {
+      found.push({
+        method: "did",
+        valid: true,
+        signer: {
+          method: "did",
+          alg: header.alg,
+          didUrl: header.kid.startsWith("did:") ? header.kid : `${payload.iss}${header.kid}`
+        }
+      });
     }
   }
   if (header.jwk) {
-    return {
-      alg: header.alg,
+    found.push({
       method: "jwk",
-      publicJwk: header.jwk
+      signer: { alg: header.alg, method: "jwk", publicJwk: header.jwk },
+      valid: true
+    });
+  }
+  const allowedFoundMethods = found.filter((f) => !allowedSignerMethods || allowedSignerMethods?.includes(f.method));
+  const allowedValidMethods = allowedFoundMethods.filter((f) => f.valid);
+  if (allowedValidMethods.length > 0) {
+    return allowedValidMethods[0].signer;
+  }
+  if (allowedFoundMethods.length > 0) {
+    throw new Oauth2Error(
+      `Unable to extract signer method from jwt. Found ${allowedFoundMethods.length} allowed signer method(s) but contained invalid configuration:
+${allowedFoundMethods.map((m) => m.valid ? "" : `FAILED: method ${m.method} - ${m.error}`).join("\n")}`
+    );
+  }
+  if (found.length > 0) {
+    throw new Oauth2Error(
+      `Unable to extract signer method from jwt. Found ${found.length} signer method(s) that are not allowed:
+${found.map((m) => m.valid ? `SUCCEEDED: method ${m.method}` : `FAILED: method ${m.method} - ${m.error}`).join("\n")}`
+    );
+  }
+  if (!allowedSignerMethods || allowedSignerMethods.includes("custom")) {
+    return {
+      method: "custom",
+      alg: header.alg
     };
   }
-  return {
-    method: "custom",
-    alg: header.alg
-  };
+  throw new Oauth2Error(
+    `Unable to extract signer method from jwt. Found no signer methods and 'custom' signer method is not allowed.`
+  );
 }
 
 // src/common/jwt/z-jwe.ts