@openid4vc/oauth2 0.3.0-alpha-20251029102217 → 0.3.0-alpha-20251030140425

package/dist/index.js

@@ -189,6 +189,7 @@ const zJwtPayload = zod.default.object({
 	nbf: __openid4vc_utils.zInteger.optional(),
 	nonce: zod.default.string().optional(),
 	jti: zod.default.string().optional(),
+	sub: zod.default.string().optional(),
 	cnf: zJwtConfirmationPayload.optional(),
 	status: zod.default.record(zod.default.string(), zod.default.any()).optional(),
 	trust_chain: zod.default.tuple([zod.default.string()], zod.default.string()).optional()
@@ -868,6 +869,91 @@ var Oauth2ResourceUnauthorizedError = class Oauth2ResourceUnauthorizedError exte
 	}
 };
 
+//#endregion
+//#region src/id-token/z-id-token-jwt.ts
+const zIdTokenJwtHeader = zod.default.object({ ...zJwtHeader.shape }).loose();
+const zIdTokenJwtPayload = zod.default.object({
+	...zJwtPayload.shape,
+	iss: zod.default.string(),
+	sub: zod.default.string(),
+	aud: zod.default.string(),
+	exp: __openid4vc_utils.zInteger,
+	iat: __openid4vc_utils.zInteger,
+	auth_time: __openid4vc_utils.zInteger.optional(),
+	acr: zod.default.string().optional(),
+	amr: zod.default.array(zod.default.string()).optional(),
+	azp: zod.default.string().optional(),
+	name: zod.default.string().optional(),
+	given_name: zod.default.string().optional(),
+	family_name: zod.default.string().optional(),
+	middle_name: zod.default.string().optional(),
+	nickname: zod.default.string().optional(),
+	preferred_username: zod.default.string().optional(),
+	profile: zod.default.url().optional(),
+	picture: zod.default.url().optional(),
+	website: zod.default.url().optional(),
+	email: zod.default.email().optional(),
+	email_verified: zod.default.boolean().optional(),
+	gender: zod.default.enum(["male", "female"]).or(zod.default.string()).optional(),
+	birthdate: zod.default.iso.date().optional(),
+	zoneinfo: zod.default.string().optional(),
+	locale: zod.default.string().optional(),
+	phone_number: zod.default.string().optional(),
+	phone_number_verified: zod.default.boolean().optional(),
+	address: zod.default.object({
+		formatted: zod.default.string().optional(),
+		street_address: zod.default.string().optional(),
+		locality: zod.default.string().optional(),
+		region: zod.default.string().optional(),
+		postal_code: zod.default.string().optional(),
+		country: zod.default.string().optional()
+	}).loose().optional(),
+	updated_at: __openid4vc_utils.zInteger.optional()
+}).loose();
+
+//#endregion
+//#region src/id-token/verify-id-token.ts
+/**
+* Verify an ID Token JWT.
+*/
+async function verifyJwtIdToken(options) {
+	const { header, payload } = decodeJwt({
+		jwt: options.idToken,
+		headerSchema: zIdTokenJwtHeader,
+		payloadSchema: zIdTokenJwtPayload
+	});
+	const jwksUrl = options.authorizationServer.jwks_uri;
+	if (!jwksUrl) throw new Oauth2Error(`Authorization server '${options.authorizationServer.issuer}' does not have a 'jwks_uri' parameter to fetch JWKs.`);
+	if (payload.iss !== options.authorizationServer.issuer) throw new Oauth2Error(`Invalid 'iss' claim in id token jwt. Expected '${options.authorizationServer.issuer}', got '${payload.iss}'.`);
+	if (payload.azp && payload.azp !== options.clientId) throw new Oauth2Error(`Invalid 'azp' claim in id token jwt. Expected '${options.clientId}', got '${payload.azp}'.`);
+	const jwks = await fetchJwks(jwksUrl, options.callbacks.fetch);
+	const publicJwk = extractJwkFromJwksForJwt({
+		kid: header.kid,
+		jwks,
+		use: "sig"
+	});
+	await verifyJwt({
+		compact: options.idToken,
+		header,
+		payload,
+		signer: {
+			method: "jwk",
+			publicJwk,
+			alg: header.alg
+		},
+		verifyJwtCallback: options.callbacks.verifyJwt,
+		errorMessage: "Error during verification of id token jwt.",
+		now: options.now,
+		expectedAudience: options.clientId,
+		expectedIssuer: options.authorizationServer.issuer,
+		expectedNonce: options.expectedNonce
+	});
+	return {
+		header,
+		payload
+	};
+}
+
 //#endregion
 //#region src/metadata/fetch-well-known-metadata.ts
 /**
@@ -2282,7 +2368,8 @@ var Oauth2Client = class {
 			scope: options.scope,
 			callbacks: this.options.callbacks,
 			pkceCodeVerifier: options.pkceCodeVerifier,
-			dpop: options.dpop
+			dpop: options.dpop,
+			state: options.state
 		});
 	}
 	async retrievePreAuthorizedCodeAccessToken({ authorizationServerMetadata, preAuthorizedCode, additionalRequestPayload, txCode, dpop, resource }) {
@@ -2501,6 +2588,12 @@ exports.Oauth2ServerErrorResponseError = Oauth2ServerErrorResponseError;
 exports.PkceCodeChallengeMethod = PkceCodeChallengeMethod;
 exports.SupportedAuthenticationScheme = SupportedAuthenticationScheme;
 exports.SupportedClientAuthenticationMethod = SupportedClientAuthenticationMethod;
+Object.defineProperty(exports, 'VerifiedClientAttestationJwt', {
+  enumerable: true,
+  get: function () {
+    return VerifiedClientAttestationJwt;
+  }
+});
 exports.authorizationCodeGrantIdentifier = authorizationCodeGrantIdentifier;
 exports.calculateJwkThumbprint = calculateJwkThumbprint;
 exports.clientAuthenticationAnonymous = clientAuthenticationAnonymous;
@@ -2534,13 +2627,17 @@ Object.defineProperty(exports, 'setGlobalConfig', {
     return __openid4vc_utils.setGlobalConfig;
   }
 });
+exports.verifyClientAttestationJwt = verifyClientAttestationJwt;
 exports.verifyJwt = verifyJwt;
+exports.verifyJwtIdToken = verifyJwtIdToken;
 exports.verifyResourceRequest = verifyResourceRequest;
 exports.zAlgValueNotNone = zAlgValueNotNone;
 exports.zAuthorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier;
 exports.zAuthorizationServerMetadata = zAuthorizationServerMetadata;
 exports.zCompactJwe = zCompactJwe;
 exports.zCompactJwt = zCompactJwt;
+exports.zIdTokenJwtHeader = zIdTokenJwtHeader;
+exports.zIdTokenJwtPayload = zIdTokenJwtPayload;
 exports.zJwk = zJwk;
 exports.zJwkSet = zJwkSet;
 exports.zJwtHeader = zJwtHeader;