@openid4vc/oauth2 0.3.0-alpha-20251029102217 → 0.3.0-alpha-20251030140425

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/index.d.mts +275 -2
  2. package/dist/index.d.ts +275 -2
  3. package/dist/index.js +98 -1
  4. package/dist/index.js.map +1 -1
  5. package/dist/index.mjs +89 -2
  6. package/dist/index.mjs.map +1 -1
  7. package/package.json +2 -2
package/dist/index.mjs CHANGED
@@ -164,6 +164,7 @@ const zJwtPayload = z$1.object({
164
164
  nbf: zInteger.optional(),
165
165
  nonce: z$1.string().optional(),
166
166
  jti: z$1.string().optional(),
167
+ sub: z$1.string().optional(),
167
168
  cnf: zJwtConfirmationPayload.optional(),
168
169
  status: z$1.record(z$1.string(), z$1.any()).optional(),
169
170
  trust_chain: z$1.tuple([z$1.string()], z$1.string()).optional()
@@ -843,6 +844,91 @@ var Oauth2ResourceUnauthorizedError = class Oauth2ResourceUnauthorizedError exte
843
844
  }
844
845
  };
845
846
 
847
+ //#endregion
848
+ //#region src/id-token/z-id-token-jwt.ts
849
+ const zIdTokenJwtHeader = z$1.object({ ...zJwtHeader.shape }).loose();
850
+ const zIdTokenJwtPayload = z$1.object({
851
+ ...zJwtPayload.shape,
852
+ iss: z$1.string(),
853
+ sub: z$1.string(),
854
+ aud: z$1.string(),
855
+ exp: zInteger,
856
+ iat: zInteger,
857
+ auth_time: zInteger.optional(),
858
+ acr: z$1.string().optional(),
859
+ amr: z$1.array(z$1.string()).optional(),
860
+ azp: z$1.string().optional(),
861
+ name: z$1.string().optional(),
862
+ given_name: z$1.string().optional(),
863
+ family_name: z$1.string().optional(),
864
+ middle_name: z$1.string().optional(),
865
+ nickname: z$1.string().optional(),
866
+ preferred_username: z$1.string().optional(),
867
+ profile: z$1.url().optional(),
868
+ picture: z$1.url().optional(),
869
+ website: z$1.url().optional(),
870
+ email: z$1.email().optional(),
871
+ email_verified: z$1.boolean().optional(),
872
+ gender: z$1.enum(["male", "female"]).or(z$1.string()).optional(),
873
+ birthdate: z$1.iso.date().optional(),
874
+ zoneinfo: z$1.string().optional(),
875
+ locale: z$1.string().optional(),
876
+ phone_number: z$1.string().optional(),
877
+ phone_number_verified: z$1.boolean().optional(),
878
+ address: z$1.object({
879
+ formatted: z$1.string().optional(),
880
+ street_address: z$1.string().optional(),
881
+ locality: z$1.string().optional(),
882
+ region: z$1.string().optional(),
883
+ postal_code: z$1.string().optional(),
884
+ country: z$1.string().optional()
885
+ }).loose().optional(),
886
+ updated_at: zInteger.optional()
887
+ }).loose();
888
+
889
+ //#endregion
890
+ //#region src/id-token/verify-id-token.ts
891
+ /**
892
+ * Verify an ID Token JWT.
893
+ */
894
+ async function verifyJwtIdToken(options) {
895
+ const { header, payload } = decodeJwt({
896
+ jwt: options.idToken,
897
+ headerSchema: zIdTokenJwtHeader,
898
+ payloadSchema: zIdTokenJwtPayload
899
+ });
900
+ const jwksUrl = options.authorizationServer.jwks_uri;
901
+ if (!jwksUrl) throw new Oauth2Error(`Authorization server '${options.authorizationServer.issuer}' does not have a 'jwks_uri' parameter to fetch JWKs.`);
902
+ if (payload.iss !== options.authorizationServer.issuer) throw new Oauth2Error(`Invalid 'iss' claim in id token jwt. Expected '${options.authorizationServer.issuer}', got '${payload.iss}'.`);
903
+ if (payload.azp && payload.azp !== options.clientId) throw new Oauth2Error(`Invalid 'azp' claim in id token jwt. Expected '${options.clientId}', got '${payload.azp}'.`);
904
+ const jwks = await fetchJwks(jwksUrl, options.callbacks.fetch);
905
+ const publicJwk = extractJwkFromJwksForJwt({
906
+ kid: header.kid,
907
+ jwks,
908
+ use: "sig"
909
+ });
910
+ await verifyJwt({
911
+ compact: options.idToken,
912
+ header,
913
+ payload,
914
+ signer: {
915
+ method: "jwk",
916
+ publicJwk,
917
+ alg: header.alg
918
+ },
919
+ verifyJwtCallback: options.callbacks.verifyJwt,
920
+ errorMessage: "Error during verification of id token jwt.",
921
+ now: options.now,
922
+ expectedAudience: options.clientId,
923
+ expectedIssuer: options.authorizationServer.issuer,
924
+ expectedNonce: options.expectedNonce
925
+ });
926
+ return {
927
+ header,
928
+ payload
929
+ };
930
+ }
931
+
846
932
  //#endregion
847
933
  //#region src/metadata/fetch-well-known-metadata.ts
848
934
  /**
@@ -2257,7 +2343,8 @@ var Oauth2Client = class {
2257
2343
  scope: options.scope,
2258
2344
  callbacks: this.options.callbacks,
2259
2345
  pkceCodeVerifier: options.pkceCodeVerifier,
2260
- dpop: options.dpop
2346
+ dpop: options.dpop,
2347
+ state: options.state
2261
2348
  });
2262
2349
  }
2263
2350
  async retrievePreAuthorizedCodeAccessToken({ authorizationServerMetadata, preAuthorizedCode, additionalRequestPayload, txCode, dpop, resource }) {
@@ -2455,5 +2542,5 @@ async function verifyResourceRequest(options) {
2455
2542
  }
2456
2543
 
2457
2544
  //#endregion
2458
- export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwtHeaderFromJwtSigner, jwtSignerFromJwt, preAuthorizedCodeGrantIdentifier, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zRefreshTokenGrantIdentifier };
2545
+ export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, VerifiedClientAttestationJwt, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwtHeaderFromJwtSigner, jwtSignerFromJwt, preAuthorizedCodeGrantIdentifier, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, verifyClientAttestationJwt, verifyJwt, verifyJwtIdToken, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zRefreshTokenGrantIdentifier };
2459
2546
  //# sourceMappingURL=index.mjs.map