@openid4vc/oauth2 0.3.0-alpha-20251030140425 → 0.3.0-alpha-20251031085020
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +20 -20
- package/dist/index.d.ts +20 -20
- package/dist/index.js +11 -15
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +11 -9
- package/dist/index.mjs.map +1 -1
- package/package.json +2 -2
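--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -158,7 +158,7 @@ const zJwtConfirmationPayload = z$1.object({
 }).loose();
 const zJwtPayload = z$1.object({
 iss: z$1.string().optional(),
-aud: z$1.string().optional(),
+aud: z$1.union([z$1.string(), z$1.array(z$1.string())]).optional(),
 iat: zInteger.optional(),
 exp: zInteger.optional(),
 nbf: zInteger.optional(),
@@ -332,7 +332,9 @@ async function verifyJwt(options) {
 const timeBasedValidation = options.skipTimeBasedValidation !== void 0 ? !options.skipTimeBasedValidation : true;
 if (timeBasedValidation && options.payload.nbf && nowInSeconds < options.payload.nbf - skewInSeconds) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nbf' is in the future`);
 if (timeBasedValidation && options.payload.exp && nowInSeconds > options.payload.exp + skewInSeconds) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'exp' is in the past`);
-if (options.expectedAudience
+if (options.expectedAudience) {
+if (Array.isArray(options.payload.aud) && !options.payload.aud.includes(options.expectedAudience) || typeof options.payload.aud === "string" && options.payload.aud !== options.expectedAudience) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'aud' does not match expected value.`);
+}
 if (options.expectedIssuer && options.expectedIssuer !== options.payload.iss) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'iss' does not match expected value.`);
 if (options.expectedNonce && options.expectedNonce !== options.payload.nonce) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nonce' does not match expected value.`);
 if (options.expectedSubject && options.expectedSubject !== options.payload.sub) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'sub' does not match expected value.`);
@@ -388,7 +390,7 @@ const zAccessTokenProfileJwtPayload = z$1.object({
 iss: z$1.string(),
 exp: zInteger,
 iat: zInteger,
-aud: z$1.string(),
+aud: z$1.union([z$1.string(), z$1.array(z$1.string())]),
 sub: z$1.string(),
 client_id: z$1.optional(z$1.string()),
 jti: z$1.string(),
@@ -527,7 +529,7 @@ const zClientAttestationPopJwtPayload = z$1.object({
 ...zJwtPayload.shape,
 iss: z$1.string(),
 exp: zInteger,
-aud: zHttpsUrl,
+aud: z$1.union([zHttpsUrl, z$1.array(zHttpsUrl)]),
 jti: z$1.string(),
 nonce: z$1.optional(z$1.string())
 }).loose();
@@ -545,7 +547,6 @@ async function verifyClientAttestationPopJwt(options) {
 payloadSchema: zClientAttestationPopJwtPayload
 });
 if (payload.iss !== options.clientAttestation.payload.sub) throw new Oauth2Error(`Client Attestation Pop jwt contains 'iss' (client_id) value '${payload.iss}', but expected 'sub' value from client attestation '${options.clientAttestation.payload.sub}'`);
-if (payload.aud !== options.authorizationServer) throw new Oauth2Error(`Client Attestation Pop jwt contains 'aud' value '${payload.aud}', but expected authorization server identifier '${options.authorizationServer}'`);
 const { signer } = await verifyJwt({
 signer: {
 alg: header.alg,
@@ -556,6 +557,7 @@ async function verifyClientAttestationPopJwt(options) {
 header,
 expectedNonce: options.expectedNonce,
 payload,
+expectedAudience: options.authorizationServer,
 compact: options.clientAttestationPopJwt,
 verifyJwtCallback: options.callbacks.verifyJwt,
 errorMessage: "client attestation pop jwt verification failed"
@@ -851,7 +853,7 @@ const zIdTokenJwtPayload = z$1.object({
 ...zJwtPayload.shape,
 iss: z$1.string(),
 sub: z$1.string(),
-aud: z$1.string(),
+aud: z$1.union([z$1.string(), z$1.array(z$1.string())]),
 exp: zInteger,
 iat: zInteger,
 auth_time: zInteger.optional(),
@@ -891,7 +893,7 @@ const zIdTokenJwtPayload = z$1.object({
 /**
 * Verify an ID Token JWT.
 */
-async function
+async function verifyIdTokenJwt(options) {
 const { header, payload } = decodeJwt({
 jwt: options.idToken,
 headerSchema: zIdTokenJwtHeader,
@@ -2418,7 +2420,7 @@ const zTokenIntrospectionResponse = z$1.object({
 iat: z$1.optional(zInteger),
 nbf: z$1.optional(zInteger),
 sub: z$1.optional(z$1.string()),
-aud: z$1.optional(z$1.string()),
+aud: z$1.optional(z$1.union([z$1.string(), z$1.array(z$1.string())])),
 iss: z$1.optional(z$1.string()),
 jti: z$1.optional(z$1.string()),
 cnf: z$1.optional(zJwtConfirmationPayload)
@@ -2542,5 +2544,5 @@ async function verifyResourceRequest(options) {
 }
 
 //#endregion
-export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod,
+export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwtHeaderFromJwtSigner, jwtSignerFromJwt, preAuthorizedCodeGrantIdentifier, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zRefreshTokenGrantIdentifier };
 //# sourceMappingURL=index.mjs.map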
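Review bot: The new audience check in verifyJwt (hunk `@@ -332,7 +332,9 @@`) no longer rejects a payload whose `aud` claim is absent: when `options.expectedAudience` is set but `options.payload.aud` is `undefined`, neither the `Array.isArray` branch nor the `typeof ... === "string"` branch applies, so the token passes the audience check, and zJwtPayload (hunk `@@ -158,7 +158,7 @@`) makes `aud` optional so the schema does not catch this either. The removed line is truncated on this page, but it reads as a plain `expectedAudience !== payload.aud` comparison, which would have thrown on a missing claim, so this looks like a regression for callers that verify with the default payload schema; a caller that sets expectedAudience is asking for the claim to be present and matching. A shape that covers string, array and missing uniformly is `const aud = options.payload.aud;` / `const audMatches = Array.isArray(aud) ? aud.includes(options.expectedAudience) : aud === options.expectedAudience;` / `if (!audMatches) throw new Oauth2JwtVerificationError(\`${errorMessage} jwt 'aud' does not match expected value.\`);`. verifyClientAttestationPopJwt is not exposed to this since zClientAttestationPopJwtPayload still requires `aud`, but note that moving its audience check into verifyJwt changes the thrown type from Oauth2Error to Oauth2JwtVerificationError, which matters if callers distinguish the two. verifyJwt starts and ends outside the hunk.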