@openid4vc/oauth2 0.3.0-alpha-20250328114752 → 0.3.0-alpha-20250329201438

package/dist/index.d.mts

@@ -160,7 +160,7 @@ declare const zAuthorizationServerMetadata: z__default.ZodEffects<z__default.Zod
     introspection_endpoint_auth_methods_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodUnion<[z__default.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z__default.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodEffects<z__default.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z__default.ZodOptional<z__default.ZodEffects<z__default.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z__default.ZodOptional<z__default.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z__default.ZodOptional<z__default.ZodBoolean>;
     client_attestation_pop_nonce_required: z__default.ZodOptional<z__default.ZodBoolean>;
 }, "passthrough", z__default.ZodTypeAny, z__default.objectOutputType<{
     issuer: z__default.ZodEffects<z__default.ZodString, string, string>;
@@ -176,7 +176,7 @@ declare const zAuthorizationServerMetadata: z__default.ZodEffects<z__default.Zod
     introspection_endpoint_auth_methods_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodUnion<[z__default.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z__default.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodEffects<z__default.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z__default.ZodOptional<z__default.ZodEffects<z__default.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z__default.ZodOptional<z__default.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z__default.ZodOptional<z__default.ZodBoolean>;
     client_attestation_pop_nonce_required: z__default.ZodOptional<z__default.ZodBoolean>;
 }, z__default.ZodTypeAny, "passthrough">, z__default.objectInputType<{
     issuer: z__default.ZodEffects<z__default.ZodString, string, string>;
@@ -192,7 +192,7 @@ declare const zAuthorizationServerMetadata: z__default.ZodEffects<z__default.Zod
     introspection_endpoint_auth_methods_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodUnion<[z__default.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z__default.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodEffects<z__default.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z__default.ZodOptional<z__default.ZodEffects<z__default.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z__default.ZodOptional<z__default.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z__default.ZodOptional<z__default.ZodBoolean>;
     client_attestation_pop_nonce_required: z__default.ZodOptional<z__default.ZodBoolean>;
 }, z__default.ZodTypeAny, "passthrough">>, z__default.objectOutputType<{
     issuer: z__default.ZodEffects<z__default.ZodString, string, string>;
@@ -208,7 +208,7 @@ declare const zAuthorizationServerMetadata: z__default.ZodEffects<z__default.Zod
     introspection_endpoint_auth_methods_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodUnion<[z__default.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z__default.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodEffects<z__default.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z__default.ZodOptional<z__default.ZodEffects<z__default.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z__default.ZodOptional<z__default.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z__default.ZodOptional<z__default.ZodBoolean>;
     client_attestation_pop_nonce_required: z__default.ZodOptional<z__default.ZodBoolean>;
 }, z__default.ZodTypeAny, "passthrough">, z__default.objectInputType<{
     issuer: z__default.ZodEffects<z__default.ZodString, string, string>;
@@ -224,7 +224,7 @@ declare const zAuthorizationServerMetadata: z__default.ZodEffects<z__default.Zod
     introspection_endpoint_auth_methods_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodUnion<[z__default.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z__default.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodEffects<z__default.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z__default.ZodOptional<z__default.ZodEffects<z__default.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z__default.ZodOptional<z__default.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z__default.ZodOptional<z__default.ZodBoolean>;
     client_attestation_pop_nonce_required: z__default.ZodOptional<z__default.ZodBoolean>;
 }, z__default.ZodTypeAny, "passthrough">>;
 type AuthorizationServerMetadata = z__default.infer<typeof zAuthorizationServerMetadata>;
@@ -244,7 +244,7 @@ interface ClientAuthenticationDynamicOptions {
  * Only `client_secret_post`, `client_secret_basic`, and `none` supported.
  *
  * It also supports anonymous access to the token endpoint for pre-authorized code flow
- * if the authorization server has enabled `pre_authorized_grant_anonymous_access_supported`
+ * if the authorization server has enabled `pre-authorized_grant_anonymous_access_supported`
  */
 declare function clientAuthenticationDynamic(options: ClientAuthenticationDynamicOptions): ClientAuthenticationCallback;
 /**
@@ -7584,7 +7584,7 @@ declare function getAuthorizationServerMetadataFromList(authorizationServersMeta
     introspection_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z.ZodOptional<z.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z.ZodOptional<z.ZodBoolean>;
     client_attestation_pop_nonce_required: z.ZodOptional<z.ZodBoolean>;
 }, z.ZodTypeAny, "passthrough">;
 
@@ -9959,7 +9959,7 @@ declare class Oauth2AuthorizationServer {
         introspection_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z.ZodString]>, "many">>;
         introspection_endpoint_auth_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
         authorization_challenge_endpoint: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
-        pre_authorized_grant_anonymous_access_supported: z.ZodOptional<z.ZodBoolean>;
+        'pre-authorized_grant_anonymous_access_supported': z.ZodOptional<z.ZodBoolean>;
         client_attestation_pop_nonce_required: z.ZodOptional<z.ZodBoolean>;
     }, z.ZodTypeAny, "passthrough">;
     /**
@@ -11524,7 +11524,7 @@ declare class Oauth2Client {
         introspection_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z.ZodString]>, "many">>;
         introspection_endpoint_auth_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
         authorization_challenge_endpoint: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
-        pre_authorized_grant_anonymous_access_supported: z.ZodOptional<z.ZodBoolean>;
+        'pre-authorized_grant_anonymous_access_supported': z.ZodOptional<z.ZodBoolean>;
         client_attestation_pop_nonce_required: z.ZodOptional<z.ZodBoolean>;
     }, z.ZodTypeAny, "passthrough"> | null>;
     /**

package/dist/index.d.ts

@@ -160,7 +160,7 @@ declare const zAuthorizationServerMetadata: z__default.ZodEffects<z__default.Zod
     introspection_endpoint_auth_methods_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodUnion<[z__default.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z__default.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodEffects<z__default.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z__default.ZodOptional<z__default.ZodEffects<z__default.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z__default.ZodOptional<z__default.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z__default.ZodOptional<z__default.ZodBoolean>;
     client_attestation_pop_nonce_required: z__default.ZodOptional<z__default.ZodBoolean>;
 }, "passthrough", z__default.ZodTypeAny, z__default.objectOutputType<{
     issuer: z__default.ZodEffects<z__default.ZodString, string, string>;
@@ -176,7 +176,7 @@ declare const zAuthorizationServerMetadata: z__default.ZodEffects<z__default.Zod
     introspection_endpoint_auth_methods_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodUnion<[z__default.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z__default.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodEffects<z__default.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z__default.ZodOptional<z__default.ZodEffects<z__default.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z__default.ZodOptional<z__default.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z__default.ZodOptional<z__default.ZodBoolean>;
     client_attestation_pop_nonce_required: z__default.ZodOptional<z__default.ZodBoolean>;
 }, z__default.ZodTypeAny, "passthrough">, z__default.objectInputType<{
     issuer: z__default.ZodEffects<z__default.ZodString, string, string>;
@@ -192,7 +192,7 @@ declare const zAuthorizationServerMetadata: z__default.ZodEffects<z__default.Zod
     introspection_endpoint_auth_methods_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodUnion<[z__default.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z__default.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodEffects<z__default.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z__default.ZodOptional<z__default.ZodEffects<z__default.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z__default.ZodOptional<z__default.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z__default.ZodOptional<z__default.ZodBoolean>;
     client_attestation_pop_nonce_required: z__default.ZodOptional<z__default.ZodBoolean>;
 }, z__default.ZodTypeAny, "passthrough">>, z__default.objectOutputType<{
     issuer: z__default.ZodEffects<z__default.ZodString, string, string>;
@@ -208,7 +208,7 @@ declare const zAuthorizationServerMetadata: z__default.ZodEffects<z__default.Zod
     introspection_endpoint_auth_methods_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodUnion<[z__default.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z__default.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodEffects<z__default.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z__default.ZodOptional<z__default.ZodEffects<z__default.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z__default.ZodOptional<z__default.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z__default.ZodOptional<z__default.ZodBoolean>;
     client_attestation_pop_nonce_required: z__default.ZodOptional<z__default.ZodBoolean>;
 }, z__default.ZodTypeAny, "passthrough">, z__default.objectInputType<{
     issuer: z__default.ZodEffects<z__default.ZodString, string, string>;
@@ -224,7 +224,7 @@ declare const zAuthorizationServerMetadata: z__default.ZodEffects<z__default.Zod
     introspection_endpoint_auth_methods_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodUnion<[z__default.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z__default.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z__default.ZodOptional<z__default.ZodArray<z__default.ZodEffects<z__default.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z__default.ZodOptional<z__default.ZodEffects<z__default.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z__default.ZodOptional<z__default.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z__default.ZodOptional<z__default.ZodBoolean>;
     client_attestation_pop_nonce_required: z__default.ZodOptional<z__default.ZodBoolean>;
 }, z__default.ZodTypeAny, "passthrough">>;
 type AuthorizationServerMetadata = z__default.infer<typeof zAuthorizationServerMetadata>;
@@ -244,7 +244,7 @@ interface ClientAuthenticationDynamicOptions {
  * Only `client_secret_post`, `client_secret_basic`, and `none` supported.
  *
  * It also supports anonymous access to the token endpoint for pre-authorized code flow
- * if the authorization server has enabled `pre_authorized_grant_anonymous_access_supported`
+ * if the authorization server has enabled `pre-authorized_grant_anonymous_access_supported`
  */
 declare function clientAuthenticationDynamic(options: ClientAuthenticationDynamicOptions): ClientAuthenticationCallback;
 /**
@@ -7584,7 +7584,7 @@ declare function getAuthorizationServerMetadataFromList(authorizationServersMeta
     introspection_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z.ZodString]>, "many">>;
     introspection_endpoint_auth_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
     authorization_challenge_endpoint: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
-    pre_authorized_grant_anonymous_access_supported: z.ZodOptional<z.ZodBoolean>;
+    'pre-authorized_grant_anonymous_access_supported': z.ZodOptional<z.ZodBoolean>;
     client_attestation_pop_nonce_required: z.ZodOptional<z.ZodBoolean>;
 }, z.ZodTypeAny, "passthrough">;
 
@@ -9959,7 +9959,7 @@ declare class Oauth2AuthorizationServer {
         introspection_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z.ZodString]>, "many">>;
         introspection_endpoint_auth_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
         authorization_challenge_endpoint: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
-        pre_authorized_grant_anonymous_access_supported: z.ZodOptional<z.ZodBoolean>;
+        'pre-authorized_grant_anonymous_access_supported': z.ZodOptional<z.ZodBoolean>;
         client_attestation_pop_nonce_required: z.ZodOptional<z.ZodBoolean>;
     }, z.ZodTypeAny, "passthrough">;
     /**
@@ -11524,7 +11524,7 @@ declare class Oauth2Client {
         introspection_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodEnum<["client_secret_basic", "client_secret_post", "attest_jwt_client_auth", "client_secret_jwt", "private_key_jwt"]>, z.ZodString]>, "many">>;
         introspection_endpoint_auth_signing_alg_values_supported: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
         authorization_challenge_endpoint: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
-        pre_authorized_grant_anonymous_access_supported: z.ZodOptional<z.ZodBoolean>;
+        'pre-authorized_grant_anonymous_access_supported': z.ZodOptional<z.ZodBoolean>;
         client_attestation_pop_nonce_required: z.ZodOptional<z.ZodBoolean>;
     }, z.ZodTypeAny, "passthrough"> | null>;
     /**

package/dist/index.js

@@ -1001,7 +1001,7 @@ var zAuthorizationServerMetadata = import_zod9.default.object({
   // FiPA (no RFC yet)
   authorization_challenge_endpoint: import_zod9.default.optional(import_utils12.zHttpsUrl),
   // From OpenID4VCI specification
-  pre_authorized_grant_anonymous_access_supported: import_zod9.default.optional(import_zod9.default.boolean()),
+  "pre-authorized_grant_anonymous_access_supported": import_zod9.default.optional(import_zod9.default.boolean()),
   // Attestation Based Client Auth (draft 5)
   client_attestation_pop_nonce_required: import_zod9.default.boolean().optional()
 }).passthrough().refine(
@@ -1704,7 +1704,7 @@ function clientAuthenticationDynamic(options) {
     const { url, authorizationServerMetadata, body } = callbackOptions;
     const endpointType = url === authorizationServerMetadata.introspection_endpoint ? "introspection" : url === authorizationServerMetadata.token_endpoint ? "token" : "endpoint";
     const method = getSupportedClientAuthenticationMethod(authorizationServerMetadata, endpointType);
-    if (endpointType === "token" && body.grant_type === preAuthorizedCodeGrantIdentifier && authorizationServerMetadata.pre_authorized_grant_anonymous_access_supported) {
+    if (endpointType === "token" && body.grant_type === preAuthorizedCodeGrantIdentifier && authorizationServerMetadata["pre-authorized_grant_anonymous_access_supported"]) {
       return clientAuthenticationAnonymous()(callbackOptions);
     }
     if (method === "client_secret_basic" /* ClientSecretBasic */) {
@@ -2335,7 +2335,7 @@ async function verifyAuthorizationRequestClientAttestation(options, authorizatio
       return void 0;
     }
     throw new Oauth2ServerErrorResponseError({
-      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error: "invalid_client" /* InvalidClient */,
       error_description: `Missing required client attestation parameters in pushed authorization request. Make sure to provide the '${oauthClientAttestationHeader}' and '${oauthClientAttestationPopHeader}' header values.`
     });
   }