@openid4vc/oauth2 0.3.0-alpha-20251029103950 → 0.3.0-alpha-20251030142433

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/index.d.mts +275 -2
  2. package/dist/index.d.ts +275 -2
  3. package/dist/index.js +90 -0
  4. package/dist/index.js.map +1 -1
  5. package/dist/index.mjs +87 -1
  6. package/dist/index.mjs.map +1 -1
  7. package/package.json +2 -2
package/dist/index.mjs CHANGED
@@ -164,6 +164,7 @@ const zJwtPayload = z$1.object({
164
164
  nbf: zInteger.optional(),
165
165
  nonce: z$1.string().optional(),
166
166
  jti: z$1.string().optional(),
167
+ sub: z$1.string().optional(),
167
168
  cnf: zJwtConfirmationPayload.optional(),
168
169
  status: z$1.record(z$1.string(), z$1.any()).optional(),
169
170
  trust_chain: z$1.tuple([z$1.string()], z$1.string()).optional()
@@ -843,6 +844,91 @@ var Oauth2ResourceUnauthorizedError = class Oauth2ResourceUnauthorizedError exte
843
844
  }
844
845
  };
845
846
 
847
+ //#endregion
848
+ //#region src/id-token/z-id-token-jwt.ts
849
+ const zIdTokenJwtHeader = z$1.object({ ...zJwtHeader.shape }).loose();
850
+ const zIdTokenJwtPayload = z$1.object({
851
+ ...zJwtPayload.shape,
852
+ iss: z$1.string(),
853
+ sub: z$1.string(),
854
+ aud: z$1.string(),
855
+ exp: zInteger,
856
+ iat: zInteger,
857
+ auth_time: zInteger.optional(),
858
+ acr: z$1.string().optional(),
859
+ amr: z$1.array(z$1.string()).optional(),
860
+ azp: z$1.string().optional(),
861
+ name: z$1.string().optional(),
862
+ given_name: z$1.string().optional(),
863
+ family_name: z$1.string().optional(),
864
+ middle_name: z$1.string().optional(),
865
+ nickname: z$1.string().optional(),
866
+ preferred_username: z$1.string().optional(),
867
+ profile: z$1.url().optional(),
868
+ picture: z$1.url().optional(),
869
+ website: z$1.url().optional(),
870
+ email: z$1.email().optional(),
871
+ email_verified: z$1.boolean().optional(),
872
+ gender: z$1.enum(["male", "female"]).or(z$1.string()).optional(),
873
+ birthdate: z$1.iso.date().optional(),
874
+ zoneinfo: z$1.string().optional(),
875
+ locale: z$1.string().optional(),
876
+ phone_number: z$1.string().optional(),
877
+ phone_number_verified: z$1.boolean().optional(),
878
+ address: z$1.object({
879
+ formatted: z$1.string().optional(),
880
+ street_address: z$1.string().optional(),
881
+ locality: z$1.string().optional(),
882
+ region: z$1.string().optional(),
883
+ postal_code: z$1.string().optional(),
884
+ country: z$1.string().optional()
885
+ }).loose().optional(),
886
+ updated_at: zInteger.optional()
887
+ }).loose();
888
+
889
+ //#endregion
890
+ //#region src/id-token/verify-id-token.ts
891
+ /**
892
+ * Verify an ID Token JWT.
893
+ */
894
+ async function verifyJwtIdToken(options) {
895
+ const { header, payload } = decodeJwt({
896
+ jwt: options.idToken,
897
+ headerSchema: zIdTokenJwtHeader,
898
+ payloadSchema: zIdTokenJwtPayload
899
+ });
900
+ const jwksUrl = options.authorizationServer.jwks_uri;
901
+ if (!jwksUrl) throw new Oauth2Error(`Authorization server '${options.authorizationServer.issuer}' does not have a 'jwks_uri' parameter to fetch JWKs.`);
902
+ if (payload.iss !== options.authorizationServer.issuer) throw new Oauth2Error(`Invalid 'iss' claim in id token jwt. Expected '${options.authorizationServer.issuer}', got '${payload.iss}'.`);
903
+ if (payload.azp && payload.azp !== options.clientId) throw new Oauth2Error(`Invalid 'azp' claim in id token jwt. Expected '${options.clientId}', got '${payload.azp}'.`);
904
+ const jwks = await fetchJwks(jwksUrl, options.callbacks.fetch);
905
+ const publicJwk = extractJwkFromJwksForJwt({
906
+ kid: header.kid,
907
+ jwks,
908
+ use: "sig"
909
+ });
910
+ await verifyJwt({
911
+ compact: options.idToken,
912
+ header,
913
+ payload,
914
+ signer: {
915
+ method: "jwk",
916
+ publicJwk,
917
+ alg: header.alg
918
+ },
919
+ verifyJwtCallback: options.callbacks.verifyJwt,
920
+ errorMessage: "Error during verification of id token jwt.",
921
+ now: options.now,
922
+ expectedAudience: options.clientId,
923
+ expectedIssuer: options.authorizationServer.issuer,
924
+ expectedNonce: options.expectedNonce
925
+ });
926
+ return {
927
+ header,
928
+ payload
929
+ };
930
+ }
931
+
846
932
  //#endregion
847
933
  //#region src/metadata/fetch-well-known-metadata.ts
848
934
  /**
@@ -2456,5 +2542,5 @@ async function verifyResourceRequest(options) {
2456
2542
  }
2457
2543
 
2458
2544
  //#endregion
2459
- export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwtHeaderFromJwtSigner, jwtSignerFromJwt, preAuthorizedCodeGrantIdentifier, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zRefreshTokenGrantIdentifier };
2545
+ export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwtHeaderFromJwtSigner, jwtSignerFromJwt, preAuthorizedCodeGrantIdentifier, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, verifyClientAttestationJwt, verifyJwt, verifyJwtIdToken, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zRefreshTokenGrantIdentifier };
2460
2546
  //# sourceMappingURL=index.mjs.map