@openid4vc/oauth2 0.3.0-alpha-20251021082313 → 0.3.0-alpha-20251029093110
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +12 -1
- package/dist/index.d.ts +12 -1
- package/dist/index.js +15 -11
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +15 -11
- package/dist/index.mjs.map +1 -1
- package/package.json +2 -2
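--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -18,7 +18,7 @@ let HashAlgorithm = /* @__PURE__ */ function(HashAlgorithm$1) {
 //#region src/error/Oauth2Error.ts
 var Oauth2Error = class extends Error {
 constructor(message, options) {
-const errorMessage = message ?? "Unknown error
+const errorMessage = message ?? "Unknown error occurred.";
 const causeMessage = options?.cause instanceof Error ? ` ${options.cause.message}` : options?.cause ? ` ${options?.cause}` : "";
 super(`${errorMessage}${causeMessage}`);
 this.cause = options?.cause;
@@ -263,7 +263,7 @@ function jwtSignerFromJwt({ header, payload, allowedSignerMethods }) {
 if (header.kid?.startsWith("did:") || payload.iss?.startsWith("did:")) if (payload.iss && header.kid?.startsWith("did:") && !header.kid.startsWith(payload.iss)) found.push({
 method: "did",
 valid: false,
-error: `kid in header
+error: `kid in header starts with did that is different from did value in 'iss'`
 });
 else if (!header.kid?.startsWith("did:") && !header.kid?.startsWith("#")) found.push({
 method: "did",
@@ -1386,6 +1386,7 @@ const zAuthorizationRequest = z$1.object({
 redirect_uri: z$1.url().optional(),
 resource: z$1.optional(zHttpsUrl),
 scope: z$1.optional(z$1.string()),
+state: z$1.optional(z$1.string()),
 dpop_jkt: z$1.optional(z$1.base64url()),
 code_challenge: z$1.optional(z$1.string()),
 code_challenge_method: z$1.optional(z$1.string())
@@ -1424,7 +1425,7 @@ const zAuthorizationChallengeErrorResponse = z$1.object({
 /**
 * Create an authorization challenge response
 *
-* @throws {ValidationError} if an error
+* @throws {ValidationError} if an error occurred during verification of the {@link AuthorizationChallengeResponse}
 */
 function createAuthorizationChallengeResponse(options) {
 return { authorizationChallengeResponse: parseWithErrorHandling(zAuthorizationChallengeResponse, {
@@ -1435,7 +1436,7 @@ function createAuthorizationChallengeResponse(options) {
 /**
 * Create an authorization challenge error response
 *
-* @throws {ValidationError} if an error
+* @throws {ValidationError} if an error occurred during validation of the {@link AuthorizationChallengeErrorResponse}
 */
 function createAuthorizationChallengeErrorResponse(options) {
 return parseWithErrorHandling(zAuthorizationChallengeErrorResponse, {
@@ -1591,7 +1592,7 @@ async function verifyAuthorizationChallengeRequest(options) {
 /**
 * Create an pushed authorization response
 *
-* @throws {ValidationError} if an error
+* @throws {ValidationError} if an error occurred during verification of the {@link PushedAuthorizationResponse}
 */
 function createPushedAuthorizationResponse(options) {
 return { pushedAuthorizationResponse: parseWithErrorHandling(zPushedAuthorizationResponse, {
@@ -1603,7 +1604,7 @@ function createPushedAuthorizationResponse(options) {
 /**
 * Create a pushed authorization error response
 *
-* @throws {ValidationError} if an error
+* @throws {ValidationError} if an error occurred during validation of the {@link PushedAuthorizationErrorResponse}
 */
 function createPushedAuthorizationErrorResponse(options) {
 return parseWithErrorHandling(zAccessTokenErrorResponse, {
@@ -1624,7 +1625,7 @@ function parsePushedAuthorizationRequest(options) {
 const parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
 if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
 error: Oauth2ErrorCodes.InvalidRequest,
-error_description: `Error
+error_description: `Error occurred during validation of pushed authorization request.\n${formatZodError(parsedAuthorizationRequest.error)}`
 });
 const authorizationRequest = parsedAuthorizationRequest.data;
 const { clientAttestation, dpop } = parseAuthorizationRequest({
@@ -1935,13 +1936,13 @@ async function retrieveAccessToken(options) {
 *
 * @throws {Oauth2ClientAuthorizationChallengeError} if the request failed and a {@link AuthorizationChallengeErrorResponse} is returned
 * @throws {InvalidFetchResponseError} if the request failed but no error response could be parsed
-* @throws {ValidationError} if a successful response was received but an error
+* @throws {ValidationError} if a successful response was received but an error occurred during verification of the {@link AuthorizationChallengeResponse}
 */
 async function sendAuthorizationChallengeRequest(options) {
 const fetchWithZod = createZodFetcher(options.callbacks.fetch);
 const authorizationServerMetadata = options.authorizationServerMetadata;
 const authorizationChallengeEndpoint = authorizationServerMetadata.authorization_challenge_endpoint;
-if (!authorizationChallengeEndpoint) throw new Oauth2Error(`Unable to send authorization
+if (!authorizationChallengeEndpoint) throw new Oauth2Error(`Unable to send authorization challenge. Authorization server '${authorizationServerMetadata.issuer}' has no 'authorization_challenge_endpoint'`);
 const pkce = authorizationServerMetadata.code_challenge_methods_supported && !options.authSession ? await createPkce({
 allowedCodeChallengeMethods: authorizationServerMetadata.code_challenge_methods_supported,
 callbacks: options.callbacks,
@@ -1951,6 +1952,7 @@ async function sendAuthorizationChallengeRequest(options) {
 ...options.additionalRequestPayload,
 auth_session: options.authSession,
 scope: options.scope,
+redirect_uri: options.redirectUri,
 resource: options.resource,
 code_challenge: pkce?.codeChallenge,
 code_challenge_method: pkce?.codeChallengeMethod,
@@ -2028,6 +2030,7 @@ async function createAuthorizationRequestUrl(options) {
 redirect_uri: options.redirectUri,
 resource: options.resource,
 scope: options.scope,
+state: options.state,
 code_challenge: pkce?.codeChallenge,
 code_challenge_method: pkce?.codeChallengeMethod
 };
@@ -2077,7 +2080,7 @@ async function createAuthorizationRequestUrl(options) {
 }
 async function pushAuthorizationRequest(options) {
 const fetchWithZod = createZodFetcher(options.callbacks.fetch);
-if (options.authorizationRequest.request_uri) throw new Oauth2Error(`Authorization request contains 'request_uri' parameter. This is not allowed for pushed authorization
+if (options.authorizationRequest.request_uri) throw new Oauth2Error(`Authorization request contains 'request_uri' parameter. This is not allowed for pushed authorization requests.`);
 const headers = new Headers({
 ...options.headers,
 "Content-Type": ContentType.XWwwFormUrlencoded
@@ -2201,6 +2204,7 @@ var Oauth2Client = class {
 authorizationServerMetadata: options.authorizationServerMetadata,
 additionalRequestPayload: options.additionalRequestPayload,
 pkceCodeVerifier: pkce?.codeVerifier,
+redirectUri: options.redirectUri,
 scope: options.scope,
 resource: options.resource,
 dpop: options.dpop
@@ -2431,7 +2435,7 @@ async function verifyResourceRequest(options) {
 })).header.jwk;
 } catch (error) {
 const errorMessage = error instanceof Oauth2Error ? error.message : "Error verifying DPoP jwt";
-throw new Oauth2ResourceUnauthorizedError(`Error
+throw new Oauth2ResourceUnauthorizedError(`Error occurred during verification of jwt profile access token: ${error instanceof Error ? error.message : error}`, {
 scheme,
 error: Oauth2ErrorCodes.InvalidDpopProof,
 error_description: errorMessage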
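Review bot: In the `verifyResourceRequest` hunk (@@ -2431), the rewritten `throw new Oauth2ResourceUnauthorizedError(...)` line interpolates `error.message` for any `Error`, while the line directly above deliberately collapses every non-`Oauth2Error` failure to the fixed string "Error verifying DPoP jwt" and that sanitized `errorMessage` is what is placed in `error_description`. The exception's own message therefore still carries raw text from the underlying JWT or crypto failure; whether that message is ever written to the HTTP response is not visible in this diff, but the two paths were evidently meant to agree. The simplest fix is to reuse the already-computed value in the template literal, replacing `${error instanceof Error ? error.message : error}` with `${errorMessage}`, so a single sanitization decision governs both the thrown message and the client-facing description. The enclosing try/catch and the function body begin before this hunk.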