npm - @openid4vc/oauth2 - Versions diffs - 0.3.0-alpha-20251017102623 → 0.3.0-alpha-20251017122507 - Mend

@openid4vc/oauth2 0.3.0-alpha-20251017102623 → 0.3.0-alpha-20251017122507

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
 import { ContentType, Headers, InvalidFetchResponseError, InvalidFetchResponseError as InvalidFetchResponseError$1, URL, ValidationError, addSecondsToDate, createFetcher, createZodFetcher, dateToSeconds, decodeBase64, decodeUtf8String, encodeToBase64Url, encodeToUtf8String, encodeWwwAuthenticateHeader, formatZodError, getGlobalConfig, joinUriParts, objectToQueryParams, parseWithErrorHandling, parseWwwAuthenticateHeader, setGlobalConfig, stringToJsonWithErrorHandling, zHttpMethod, zHttpsUrl, zInteger } from "@openid4vc/utils";
-import z, { ZodIssueCode, z as z$1 } from "zod";
+import z$1, { z } from "zod";
 //#region src/callbacks.ts
 /**
@@ -27,26 +27,26 @@ var Oauth2Error = class extends Error {
 //#endregion
 //#region src/common/jwk/jwk-thumbprint.ts
-const zJwkThumbprintComponents = z.discriminatedUnion("kty", [
-	z.object({
-		kty: z.literal("EC"),
-		crv: z.string(),
-		x: z.string(),
-		y: z.string()
+const zJwkThumbprintComponents = z$1.discriminatedUnion("kty", [
+	z$1.object({
+		kty: z$1.literal("EC"),
+		crv: z$1.string(),
+		x: z$1.string(),
+		y: z$1.string()
 	}),
-	z.object({
-		kty: z.literal("OKP"),
-		crv: z.string(),
-		x: z.string()
+	z$1.object({
+		kty: z$1.literal("OKP"),
+		crv: z$1.string(),
+		x: z$1.string()
 	}),
-	z.object({
-		kty: z.literal("RSA"),
-		e: z.string(),
-		n: z.string()
+	z$1.object({
+		kty: z$1.literal("RSA"),
+		e: z$1.string(),
+		n: z$1.string()
 	}),
-	z.object({
-		kty: z.literal("oct"),
-		k: z.string()
+	z$1.object({
+		kty: z$1.literal("oct"),
+		k: z$1.string()
 	})
 ]).transform((data) => {
 	if (data.kty === "EC") return {
@@ -114,68 +114,68 @@ var Oauth2JwtParseError = class extends Oauth2Error {
 //#endregion
 //#region src/common/jwk/z-jwk.ts
-const zJwk = z.object({
-	kty: z.string(),
-	crv: z.optional(z.string()),
-	x: z.optional(z.string()),
-	y: z.optional(z.string()),
-	e: z.optional(z.string()),
-	n: z.optional(z.string()),
-	alg: z.optional(z.string()),
-	d: z.optional(z.string()),
-	dp: z.optional(z.string()),
-	dq: z.optional(z.string()),
-	ext: z.optional(z.boolean()),
-	k: z.optional(z.string()),
-	key_ops: z.optional(z.array(z.string())),
-	kid: z.optional(z.string()),
-	oth: z.optional(z.array(z.object({
-		d: z.optional(z.string()),
-		r: z.optional(z.string()),
-		t: z.optional(z.string())
-	}).passthrough())),
-	p: z.optional(z.string()),
-	q: z.optional(z.string()),
-	qi: z.optional(z.string()),
-	use: z.optional(z.string()),
-	x5c: z.optional(z.array(z.string())),
-	x5t: z.optional(z.string()),
-	"x5t#S256": z.optional(z.string()),
-	x5u: z.optional(z.string())
-}).passthrough();
-const zJwkSet = z.object({ keys: z.array(zJwk) }).passthrough();
+const zJwk = z$1.object({
+	kty: z$1.string(),
+	crv: z$1.optional(z$1.string()),
+	x: z$1.optional(z$1.string()),
+	y: z$1.optional(z$1.string()),
+	e: z$1.optional(z$1.string()),
+	n: z$1.optional(z$1.string()),
+	alg: z$1.optional(z$1.string()),
+	d: z$1.optional(z$1.string()),
+	dp: z$1.optional(z$1.string()),
+	dq: z$1.optional(z$1.string()),
+	ext: z$1.optional(z$1.boolean()),
+	k: z$1.optional(z$1.string()),
+	key_ops: z$1.optional(z$1.array(z$1.string())),
+	kid: z$1.optional(z$1.string()),
+	oth: z$1.optional(z$1.array(z$1.object({
+		d: z$1.optional(z$1.string()),
+		r: z$1.optional(z$1.string()),
+		t: z$1.optional(z$1.string())
+	}).loose())),
+	p: z$1.optional(z$1.string()),
+	q: z$1.optional(z$1.string()),
+	qi: z$1.optional(z$1.string()),
+	use: z$1.optional(z$1.string()),
+	x5c: z$1.optional(z$1.array(z$1.string())),
+	x5t: z$1.optional(z$1.string()),
+	"x5t#S256": z$1.optional(z$1.string()),
+	x5u: z$1.optional(z$1.string())
+}).loose();
+const zJwkSet = z$1.object({ keys: z$1.array(zJwk) }).loose();
 //#endregion
 //#region src/common/z-common.ts
-const zAlgValueNotNone = z.string().refine((alg) => alg !== "none", { message: `alg value may not be 'none'` });
+const zAlgValueNotNone = z$1.string().refine((alg) => alg !== "none", { message: `alg value may not be 'none'` });
 //#endregion
 //#region src/common/jwt/z-jwt.ts
-const zCompactJwt = z.string().regex(/^([a-zA-Z0-9-_]+)\.([a-zA-Z0-9-_]+)\.([a-zA-Z0-9-_]+)$/, { message: "Not a valid compact jwt" });
-const zJwtConfirmationPayload = z.object({
+const zCompactJwt = z$1.string().regex(/^([a-zA-Z0-9-_]+)\.([a-zA-Z0-9-_]+)\.([a-zA-Z0-9-_]+)$/, { message: "Not a valid compact jwt" });
+const zJwtConfirmationPayload = z$1.object({
 	jwk: zJwk.optional(),
-	jkt: z.string().optional()
-}).passthrough();
-const zJwtPayload = z.object({
-	iss: z.string().optional(),
-	aud: z.string().optional(),
+	jkt: z$1.string().optional()
+}).loose();
+const zJwtPayload = z$1.object({
+	iss: z$1.string().optional(),
+	aud: z$1.string().optional(),
 	iat: zInteger.optional(),
 	exp: zInteger.optional(),
 	nbf: zInteger.optional(),
-	nonce: z.string().optional(),
-	jti: z.string().optional(),
+	nonce: z$1.string().optional(),
+	jti: z$1.string().optional(),
 	cnf: zJwtConfirmationPayload.optional(),
-	status: z.record(z.string(), z.any()).optional(),
-	trust_chain: z.array(z.string()).nonempty().optional()
-}).passthrough();
-const zJwtHeader = z.object({
+	status: z$1.record(z$1.string(), z$1.any()).optional(),
+	trust_chain: z$1.tuple([z$1.string()], z$1.string()).optional()
+}).loose();
+const zJwtHeader = z$1.object({
 	alg: zAlgValueNotNone,
-	typ: z.string().optional(),
-	kid: z.string().optional(),
+	typ: z$1.string().optional(),
+	kid: z$1.string().optional(),
 	jwk: zJwk.optional(),
-	x5c: z.array(z.string()).optional(),
-	trust_chain: z.array(z.string()).nonempty().optional()
-}).passthrough();
+	x5c: z$1.array(z$1.string()).optional(),
+	trust_chain: z$1.tuple([z$1.string()], z$1.string()).optional()
+}).loose();
 //#endregion
 //#region src/common/jwt/decode-jwt-header.ts
@@ -343,60 +343,12 @@ async function verifyJwt(options) {
 	} };
 }
-//#endregion
-//#region ../utils/src/zod-error.ts
-/**
-* Some code comes from `zod-validation-error` package (MIT License) and
-* was slightly simplified to fit our needs.
-*/
-const constants = {
-	identifierRegex: /[$_\p{ID_Start}][$\u200c\u200d\p{ID_Continue}]*/u,
-	unionSeparator: ", or ",
-	issueSeparator: "\n	- "
-};
-function escapeQuotes(str) {
-	return str.replace(/"/g, "\\\"");
-}
-function joinPath(path) {
-	if (path.length === 1) return path[0].toString();
-	return path.reduce((acc, item) => {
-		if (typeof item === "number") return `${acc}[${item.toString()}]`;
-		if (item.includes("\"")) return `${acc}["${escapeQuotes(item)}"]`;
-		if (!constants.identifierRegex.test(item)) return `${acc}["${item}"]`;
-		return acc + (acc.length === 0 ? "" : ".") + item;
-	}, "");
-}
-function getMessageFromZodIssue(issue) {
-	if (issue.code === ZodIssueCode.invalid_union) return getMessageFromUnionErrors(issue.unionErrors);
-	if (issue.code === ZodIssueCode.invalid_arguments) return [issue.message, ...issue.argumentsError.issues.map((issue$1) => getMessageFromZodIssue(issue$1))].join(constants.issueSeparator);
-	if (issue.code === ZodIssueCode.invalid_return_type) return [issue.message, ...issue.returnTypeError.issues.map((issue$1) => getMessageFromZodIssue(issue$1))].join(constants.issueSeparator);
-	if (issue.path.length !== 0) {
-		if (issue.path.length === 1) {
-			const identifier = issue.path[0];
-			if (typeof identifier === "number") return `${issue.message} at index ${identifier}`;
-		}
-		return `${issue.message} at "${joinPath(issue.path)}"`;
-	}
-	return issue.message;
-}
-function getMessageFromUnionErrors(unionErrors) {
-	return unionErrors.reduce((acc, zodError) => {
-		const newIssues = zodError.issues.map((issue) => getMessageFromZodIssue(issue)).join(constants.issueSeparator);
-		if (!acc.includes(newIssues)) acc.push(newIssues);
-		return acc;
-	}, []).join(constants.unionSeparator);
-}
-function formatZodError$1(error) {
-	if (!error) return "";
-	return `\t- ${error?.issues.map((issue) => getMessageFromZodIssue(issue)).join(constants.issueSeparator)}`;
-}
 //#endregion
 //#region ../utils/src/error/ValidationError.ts
 var ValidationError$1 = class extends Error {
 	constructor(message, zodError) {
 		super(message);
-		this.message = `${message}\n${formatZodError$1(zodError)}`;
+		this.message = `${message}\n${zodError ? z$1.prettifyError(zodError) : ""}`;
 		Object.defineProperty(this, "zodError", {
 			value: zodError,
 			writable: false,
@@ -425,21 +377,21 @@ async function fetchJwks(jwksUrl, fetch) {
 //#endregion
 //#region src/access-token/z-access-token-jwt.ts
-const zAccessTokenProfileJwtHeader = z.object({
+const zAccessTokenProfileJwtHeader = z$1.object({
 	...zJwtHeader.shape,
-	typ: z.enum(["application/at+jwt", "at+jwt"])
-}).passthrough();
-const zAccessTokenProfileJwtPayload = z.object({
+	typ: z$1.enum(["application/at+jwt", "at+jwt"])
+}).loose();
+const zAccessTokenProfileJwtPayload = z$1.object({
 	...zJwtPayload.shape,
-	iss: z.string(),
+	iss: z$1.string(),
 	exp: zInteger,
 	iat: zInteger,
-	aud: z.string(),
-	sub: z.string(),
-	client_id: z.optional(z.string()),
-	jti: z.string(),
-	scope: z.optional(z.string())
-}).passthrough();
+	aud: z$1.string(),
+	sub: z$1.string(),
+	client_id: z$1.optional(z$1.string()),
+	jti: z$1.string(),
+	scope: z$1.optional(z$1.string())
+}).loose();
 //#endregion
 //#region src/access-token/verify-access-token.ts
@@ -534,11 +486,11 @@ let Oauth2ErrorCodes = /* @__PURE__ */ function(Oauth2ErrorCodes$1) {
 	Oauth2ErrorCodes$1["WalletUnavailable"] = "wallet_unavailable";
 	return Oauth2ErrorCodes$1;
 }({});
-const zOauth2ErrorResponse = z.object({
-	error: z.union([z.nativeEnum(Oauth2ErrorCodes), z.string()]),
-	error_description: z.string().optional(),
-	error_uri: z.string().optional()
-}).passthrough();
+const zOauth2ErrorResponse = z$1.object({
+	error: z$1.union([z$1.enum(Oauth2ErrorCodes), z$1.string()]),
+	error_description: z$1.string().optional(),
+	error_uri: z$1.string().optional()
+}).loose();
 //#endregion
 //#region src/error/Oauth2ServerErrorResponseError.ts
@@ -552,35 +504,35 @@ var Oauth2ServerErrorResponseError = class extends Oauth2Error {
 //#endregion
 //#region src/client-attestation/z-client-attestation.ts
-const zOauthClientAttestationHeader = z.literal("OAuth-Client-Attestation");
+const zOauthClientAttestationHeader = z$1.literal("OAuth-Client-Attestation");
 const oauthClientAttestationHeader = zOauthClientAttestationHeader.value;
-const zClientAttestationJwtPayload = z.object({
+const zClientAttestationJwtPayload = z$1.object({
 	...zJwtPayload.shape,
-	iss: z.string(),
-	sub: z.string(),
+	iss: z$1.string(),
+	sub: z$1.string(),
 	exp: zInteger,
-	cnf: z.object({ jwk: zJwk }).passthrough(),
-	wallet_name: z.string().optional(),
-	wallet_link: z.string().url().optional()
-}).passthrough();
-const zClientAttestationJwtHeader = z.object({
+	cnf: z$1.object({ jwk: zJwk }).loose(),
+	wallet_name: z$1.string().optional(),
+	wallet_link: z$1.url().optional()
+}).loose();
+const zClientAttestationJwtHeader = z$1.object({
 	...zJwtHeader.shape,
-	typ: z.literal("oauth-client-attestation+jwt")
-}).passthrough();
-const zOauthClientAttestationPopHeader = z.literal("OAuth-Client-Attestation-PoP");
+	typ: z$1.literal("oauth-client-attestation+jwt")
+}).loose();
+const zOauthClientAttestationPopHeader = z$1.literal("OAuth-Client-Attestation-PoP");
 const oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
-const zClientAttestationPopJwtPayload = z.object({
+const zClientAttestationPopJwtPayload = z$1.object({
 	...zJwtPayload.shape,
-	iss: z.string(),
+	iss: z$1.string(),
 	exp: zInteger,
 	aud: zHttpsUrl,
-	jti: z.string(),
-	nonce: z.optional(z.string())
-}).passthrough();
-const zClientAttestationPopJwtHeader = z.object({
+	jti: z$1.string(),
+	nonce: z$1.optional(z$1.string())
+}).loose();
+const zClientAttestationPopJwtHeader = z$1.object({
 	...zJwtHeader.shape,
-	typ: z.literal("oauth-client-attestation-pop+jwt")
-}).passthrough();
+	typ: z$1.literal("oauth-client-attestation-pop+jwt")
+}).loose();
 //#endregion
 //#region src/client-attestation/client-attestation-pop.ts
@@ -739,11 +691,11 @@ async function verifyClientAttestation({ authorizationServer, clientAttestationJ
 //#endregion
 //#region src/z-grant-type.ts
-const zPreAuthorizedCodeGrantIdentifier = z.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
+const zPreAuthorizedCodeGrantIdentifier = z$1.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
 const preAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier.value;
-const zAuthorizationCodeGrantIdentifier = z.literal("authorization_code");
+const zAuthorizationCodeGrantIdentifier = z$1.literal("authorization_code");
 const authorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier.value;
-const zRefreshTokenGrantIdentifier = z.literal("refresh_token");
+const zRefreshTokenGrantIdentifier = z$1.literal("refresh_token");
 const refreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier.value;
 //#endregion
@@ -840,7 +792,7 @@ function clientAuthenticationClientAttestationJwt(options) {
 //#endregion
 //#region src/common/jwt/z-jwe.ts
-const zCompactJwe = z$1.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, { message: "Not a valid compact jwe" });
+const zCompactJwe = z.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, { message: "Not a valid compact jwe" });
 //#endregion
 //#region src/error/Oauth2ClientErrorResponseError.ts
@@ -913,31 +865,31 @@ async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
 //#endregion
 //#region src/metadata/authorization-server/z-authorization-server-metadata.ts
-const knownClientAuthenticationMethod = z.enum([
+const knownClientAuthenticationMethod = z$1.enum([
 	"client_secret_basic",
 	"client_secret_post",
 	"attest_jwt_client_auth",
 	"client_secret_jwt",
 	"private_key_jwt"
 ]);
-const zAuthorizationServerMetadata = z.object({
+const zAuthorizationServerMetadata = z$1.object({
 	issuer: zHttpsUrl,
 	token_endpoint: zHttpsUrl,
-	token_endpoint_auth_methods_supported: z.optional(z.array(z.union([knownClientAuthenticationMethod, z.string()]))),
-	authorization_endpoint: z.optional(zHttpsUrl),
-	jwks_uri: z.optional(zHttpsUrl),
-	grant_types_supported: z.optional(z.array(z.string())),
-	code_challenge_methods_supported: z.optional(z.array(z.string())),
-	dpop_signing_alg_values_supported: z.optional(z.array(z.string())),
-	require_pushed_authorization_requests: z.optional(z.boolean()),
-	pushed_authorization_request_endpoint: z.optional(zHttpsUrl),
-	introspection_endpoint: z.optional(zHttpsUrl),
-	introspection_endpoint_auth_methods_supported: z.optional(z.array(z.union([knownClientAuthenticationMethod, z.string()]))),
-	introspection_endpoint_auth_signing_alg_values_supported: z.optional(z.array(zAlgValueNotNone)),
-	authorization_challenge_endpoint: z.optional(zHttpsUrl),
-	"pre-authorized_grant_anonymous_access_supported": z.optional(z.boolean()),
-	client_attestation_pop_nonce_required: z.boolean().optional()
-}).passthrough().refine(({ introspection_endpoint_auth_methods_supported: methodsSupported, introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported }) => {
+	token_endpoint_auth_methods_supported: z$1.optional(z$1.array(z$1.union([knownClientAuthenticationMethod, z$1.string()]))),
+	authorization_endpoint: z$1.optional(zHttpsUrl),
+	jwks_uri: z$1.optional(zHttpsUrl),
+	grant_types_supported: z$1.optional(z$1.array(z$1.string())),
+	code_challenge_methods_supported: z$1.optional(z$1.array(z$1.string())),
+	dpop_signing_alg_values_supported: z$1.optional(z$1.array(z$1.string())),
+	require_pushed_authorization_requests: z$1.optional(z$1.boolean()),
+	pushed_authorization_request_endpoint: z$1.optional(zHttpsUrl),
+	introspection_endpoint: z$1.optional(zHttpsUrl),
+	introspection_endpoint_auth_methods_supported: z$1.optional(z$1.array(z$1.union([knownClientAuthenticationMethod, z$1.string()]))),
+	introspection_endpoint_auth_signing_alg_values_supported: z$1.optional(z$1.array(zAlgValueNotNone)),
+	authorization_challenge_endpoint: z$1.optional(zHttpsUrl),
+	"pre-authorized_grant_anonymous_access_supported": z$1.optional(z$1.boolean()),
+	client_attestation_pop_nonce_required: z$1.boolean().optional()
+}).loose().refine(({ introspection_endpoint_auth_methods_supported: methodsSupported, introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported }) => {
 	if (!methodsSupported) return true;
 	if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
 	return algValuesSupported !== void 0 && algValuesSupported.length > 0;
@@ -952,26 +904,15 @@ const wellKnownOpenIdConfigurationServerSuffix = ".well-known/openid-configurati
 *  a 404, the openid-configuration metadata will be fetched.
 */
 async function fetchAuthorizationServerMetadata(issuer, fetch) {
-	const openIdConfigurationWellKnownMetadataUrl = joinUriParts(issuer, [wellKnownOpenIdConfigurationServerSuffix]);
 	const parsedIssuerUrl = new URL(issuer);
+	const openIdConfigurationWellKnownMetadataUrl = joinUriParts(issuer, [wellKnownOpenIdConfigurationServerSuffix]);
 	const authorizationServerWellKnownMetadataUrl = joinUriParts(parsedIssuerUrl.origin, [wellKnownAuthorizationServerSuffix, parsedIssuerUrl.pathname]);
-	const authorizationServerResult = await fetchWellKnownMetadata(authorizationServerWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch);
-	if (authorizationServerResult) {
-		if (authorizationServerResult.issuer !== issuer) throw new Oauth2Error(`The 'issuer' parameter '${authorizationServerResult.issuer}' in the well known authorization server metadata at '${authorizationServerWellKnownMetadataUrl}' does not match the provided issuer '${issuer}'.`);
-		return authorizationServerResult;
-	}
 	const nonCompliantAuthorizationServerWellKnownMetadataUrl = joinUriParts(issuer, [wellKnownAuthorizationServerSuffix]);
-	const alternativeAuthorizationServerResult = nonCompliantAuthorizationServerWellKnownMetadataUrl !== authorizationServerWellKnownMetadataUrl ? await fetchWellKnownMetadata(nonCompliantAuthorizationServerWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch) : void 0;
-	if (alternativeAuthorizationServerResult) {
-		if (alternativeAuthorizationServerResult.issuer !== issuer) throw new Oauth2Error(`The 'issuer' parameter '${alternativeAuthorizationServerResult.issuer}' in the well known authorization server metadata at '${nonCompliantAuthorizationServerWellKnownMetadataUrl}' does not match the provided issuer '${issuer}'.`);
-		return alternativeAuthorizationServerResult;
-	}
-	const openIdConfigurationResult = await fetchWellKnownMetadata(openIdConfigurationWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch);
-	if (openIdConfigurationResult) {
-		if (openIdConfigurationResult.issuer !== issuer) throw new Oauth2Error(`The 'issuer' parameter '${openIdConfigurationResult.issuer}' in the well known openid configuration metadata at '${openIdConfigurationWellKnownMetadataUrl}' does not match the provided issuer '${issuer}'.`);
-		return openIdConfigurationResult;
-	}
-	return null;
+	let authorizationServerResult = await fetchWellKnownMetadata(authorizationServerWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch);
+	if (!authorizationServerResult && nonCompliantAuthorizationServerWellKnownMetadataUrl !== authorizationServerWellKnownMetadataUrl) authorizationServerResult = await fetchWellKnownMetadata(nonCompliantAuthorizationServerWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch);
+	if (!authorizationServerResult) authorizationServerResult = await fetchWellKnownMetadata(openIdConfigurationWellKnownMetadataUrl, zAuthorizationServerMetadata, fetch);
+	if (authorizationServerResult && authorizationServerResult.issuer !== issuer) throw new Oauth2Error(`The 'issuer' parameter '${authorizationServerResult.issuer}' in the well known authorization server metadata at '${authorizationServerWellKnownMetadataUrl}' does not match the provided issuer '${issuer}'.`);
+	return authorizationServerResult;
 }
 function getAuthorizationServerMetadataFromList(authorizationServersMetadata, issuer) {
 	const authorizationServerMetadata = authorizationServersMetadata.find((authorizationServerMetadata$1) => authorizationServerMetadata$1.issuer === issuer);
@@ -1016,39 +957,39 @@ async function createAccessTokenJwt(options) {
 //#endregion
 //#region src/access-token/z-access-token.ts
-const zAccessTokenRequest = z.intersection(z.object({
-	"pre-authorized_code": z.optional(z.string()),
-	code: z.optional(z.string()),
-	redirect_uri: z.string().url().optional(),
-	refresh_token: z.optional(z.string()),
-	resource: z.optional(zHttpsUrl),
-	code_verifier: z.optional(z.string()),
-	grant_type: z.union([
+const zAccessTokenRequest = z$1.intersection(z$1.object({
+	"pre-authorized_code": z$1.optional(z$1.string()),
+	code: z$1.optional(z$1.string()),
+	redirect_uri: z$1.url().optional(),
+	refresh_token: z$1.optional(z$1.string()),
+	resource: z$1.optional(zHttpsUrl),
+	code_verifier: z$1.optional(z$1.string()),
+	grant_type: z$1.union([
 		zPreAuthorizedCodeGrantIdentifier,
 		zAuthorizationCodeGrantIdentifier,
 		zRefreshTokenGrantIdentifier,
-		z.string()
+		z$1.string()
 	])
-}).passthrough(), z.object({
-	tx_code: z.optional(z.string()),
-	user_pin: z.optional(z.string())
-}).passthrough().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, { message: `If both 'tx_code' and 'user_pin' are present they must match` }).transform(({ tx_code, user_pin,...rest }) => {
+}).loose(), z$1.object({
+	tx_code: z$1.optional(z$1.string()),
+	user_pin: z$1.optional(z$1.string())
+}).loose().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, { message: `If both 'tx_code' and 'user_pin' are present they must match` }).transform(({ tx_code, user_pin,...rest }) => {
 	return {
 		...rest,
 		...tx_code ?? user_pin ? { tx_code: tx_code ?? user_pin } : {}
 	};
 }));
-const zAccessTokenResponse = z.object({
-	access_token: z.string(),
-	token_type: z.string(),
-	expires_in: z.optional(z.number().int()),
-	scope: z.optional(z.string()),
-	state: z.optional(z.string()),
-	refresh_token: z.optional(z.string()),
-	c_nonce: z.optional(z.string()),
-	c_nonce_expires_in: z.optional(z.number().int()),
-	authorization_details: z.array(z.object({}).passthrough()).optional()
-}).passthrough();
+const zAccessTokenResponse = z$1.object({
+	access_token: z$1.string(),
+	token_type: z$1.string(),
+	expires_in: z$1.optional(z$1.number().int()),
+	scope: z$1.optional(z$1.string()),
+	state: z$1.optional(z$1.string()),
+	refresh_token: z$1.optional(z$1.string()),
+	c_nonce: z$1.optional(z$1.string()),
+	c_nonce_expires_in: z$1.optional(z$1.number().int()),
+	authorization_details: z$1.array(z$1.object({}).loose()).optional()
+}).loose();
 const zAccessTokenErrorResponse = zOauth2ErrorResponse;
 //#endregion
@@ -1067,19 +1008,19 @@ async function createAccessTokenResponse(options) {
 //#endregion
 //#region src/dpop/z-dpop.ts
-const zDpopJwtPayload = z.object({
+const zDpopJwtPayload = z$1.object({
 	...zJwtPayload.shape,
 	iat: zInteger,
 	htu: zHttpsUrl,
 	htm: zHttpMethod,
-	jti: z.string(),
-	ath: z.optional(z.string())
-}).passthrough();
-const zDpopJwtHeader = z.object({
+	jti: z$1.string(),
+	ath: z$1.optional(z$1.string())
+}).loose();
+const zDpopJwtHeader = z$1.object({
 	...zJwtHeader.shape,
-	typ: z.literal("dpop+jwt"),
+	typ: z$1.literal("dpop+jwt"),
 	jwk: zJwk
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/dpop/dpop.ts
@@ -1437,45 +1378,45 @@ async function verifyAccessTokenRequestPkce(options, callbacks) {
 //#endregion
 //#region src/authorization-request/z-authorization-request.ts
-const zAuthorizationRequest = z.object({
-	response_type: z.string(),
-	client_id: z.string(),
-	issuer_state: z.optional(z.string()),
-	redirect_uri: z.string().url().optional(),
-	resource: z.optional(zHttpsUrl),
-	scope: z.optional(z.string()),
-	dpop_jkt: z.optional(z.string().base64url()),
-	code_challenge: z.optional(z.string()),
-	code_challenge_method: z.optional(z.string())
-}).passthrough();
-const zPushedAuthorizationRequest = z.object({
-	request_uri: z.string(),
-	client_id: z.string()
-}).passthrough();
-const zPushedAuthorizationResponse = z.object({
-	request_uri: z.string(),
-	expires_in: z.number().int()
-}).passthrough();
+const zAuthorizationRequest = z$1.object({
+	response_type: z$1.string(),
+	client_id: z$1.string(),
+	issuer_state: z$1.optional(z$1.string()),
+	redirect_uri: z$1.url().optional(),
+	resource: z$1.optional(zHttpsUrl),
+	scope: z$1.optional(z$1.string()),
+	dpop_jkt: z$1.optional(z$1.base64url()),
+	code_challenge: z$1.optional(z$1.string()),
+	code_challenge_method: z$1.optional(z$1.string())
+}).loose();
+const zPushedAuthorizationRequest = z$1.object({
+	request_uri: z$1.string(),
+	client_id: z$1.string()
+}).loose();
+const zPushedAuthorizationResponse = z$1.object({
+	request_uri: z$1.string(),
+	expires_in: z$1.number().int()
+}).loose();
 //#endregion
 //#region src/authorization-challenge/z-authorization-challenge.ts
-const zAuthorizationChallengeRequest = z.object({
+const zAuthorizationChallengeRequest = z$1.object({
 	...zAuthorizationRequest.omit({
 		response_type: true,
 		client_id: true
 	}).shape,
-	client_id: z.optional(zAuthorizationRequest.shape.client_id),
-	auth_session: z.optional(z.string()),
-	presentation_during_issuance_session: z.optional(z.string())
-}).passthrough();
-const zAuthorizationChallengeResponse = z.object({ authorization_code: z.string() }).passthrough();
-const zAuthorizationChallengeErrorResponse = z.object({
+	client_id: z$1.optional(zAuthorizationRequest.shape.client_id),
+	auth_session: z$1.optional(z$1.string()),
+	presentation_during_issuance_session: z$1.optional(z$1.string())
+}).loose();
+const zAuthorizationChallengeResponse = z$1.object({ authorization_code: z$1.string() }).loose();
+const zAuthorizationChallengeErrorResponse = z$1.object({
 	...zOauth2ErrorResponse.shape,
-	auth_session: z.optional(z.string()),
-	request_uri: z.optional(z.string()),
-	expires_in: z.optional(zInteger),
-	presentation: z.optional(z.string())
-}).passthrough();
+	auth_session: z$1.optional(z$1.string()),
+	request_uri: z$1.optional(z$1.string()),
+	expires_in: z$1.optional(zInteger),
+	presentation: z$1.optional(z$1.string())
+}).loose();
 //#endregion
 //#region src/authorization-challenge/create-authorization-challenge-response.ts
@@ -2368,25 +2309,25 @@ var Oauth2ResourceServer = class {
 //#endregion
 //#region src/access-token/z-token-introspection.ts
-const zTokenIntrospectionRequest = z.object({
-	token: z.string(),
-	token_type_hint: z.optional(z.string())
-}).passthrough();
-const zTokenIntrospectionResponse = z.object({
-	active: z.boolean(),
-	scope: z.optional(z.string()),
-	client_id: z.optional(z.string()),
-	username: z.optional(z.string()),
-	token_type: z.optional(z.string()),
-	exp: z.optional(zInteger),
-	iat: z.optional(zInteger),
-	nbf: z.optional(zInteger),
-	sub: z.optional(z.string()),
-	aud: z.optional(z.string()),
-	iss: z.optional(z.string()),
-	jti: z.optional(z.string()),
-	cnf: z.optional(zJwtConfirmationPayload)
-}).passthrough();
+const zTokenIntrospectionRequest = z$1.object({
+	token: z$1.string(),
+	token_type_hint: z$1.optional(z$1.string())
+}).loose();
+const zTokenIntrospectionResponse = z$1.object({
+	active: z$1.boolean(),
+	scope: z$1.optional(z$1.string()),
+	client_id: z$1.optional(z$1.string()),
+	username: z$1.optional(z$1.string()),
+	token_type: z$1.optional(z$1.string()),
+	exp: z$1.optional(zInteger),
+	iat: z$1.optional(zInteger),
+	nbf: z$1.optional(zInteger),
+	sub: z$1.optional(z$1.string()),
+	aud: z$1.optional(z$1.string()),
+	iss: z$1.optional(z$1.string()),
+	jti: z$1.optional(z$1.string()),
+	cnf: z$1.optional(zJwtConfirmationPayload)
+}).loose();
 //#endregion
 //#region src/access-token/introspect-token.ts