@openid4vc/oauth2 0.3.0-alpha-20251031085020 → 0.3.0-alpha-20251031102233

package/dist/index.mjs

@@ -693,6 +693,248 @@ async function verifyClientAttestation({ authorizationServer, clientAttestationJ
 	}
 }
 
+//#endregion
+//#region src/dpop/z-dpop.ts
+const zDpopJwtPayload = z$1.object({
+	...zJwtPayload.shape,
+	iat: zInteger,
+	htu: zHttpsUrl,
+	htm: zHttpMethod,
+	jti: z$1.string(),
+	ath: z$1.optional(z$1.string())
+}).loose();
+const zDpopJwtHeader = z$1.object({
+	...zJwtHeader.shape,
+	typ: z$1.literal("dpop+jwt"),
+	jwk: zJwk
+}).loose();
+
+//#endregion
+//#region src/dpop/dpop.ts
+async function createDpopHeadersForRequest(options) {
+	return { DPoP: await createDpopJwt(options) };
+}
+async function createDpopJwt(options) {
+	let ath;
+	if (options.accessToken) ath = encodeToBase64Url(await options.callbacks.hash(decodeUtf8String(options.accessToken), HashAlgorithm.Sha256));
+	const header = parseWithErrorHandling(zDpopJwtHeader, {
+		typ: "dpop+jwt",
+		jwk: options.signer.publicJwk,
+		alg: options.signer.alg
+	});
+	const payload = parseWithErrorHandling(zDpopJwtPayload, {
+		htu: htuFromRequestUrl(options.request.url),
+		iat: dateToSeconds(options.issuedAt),
+		htm: options.request.method,
+		jti: encodeToBase64Url(await options.callbacks.generateRandom(32)),
+		ath,
+		nonce: options.nonce,
+		...options.additionalPayload
+	});
+	const { jwt } = await options.callbacks.signJwt(options.signer, {
+		header,
+		payload
+	});
+	return jwt;
+}
+async function verifyDpopJwt(options) {
+	try {
+		const { header, payload } = decodeJwt({
+			jwt: options.dpopJwt,
+			headerSchema: zDpopJwtHeader,
+			payloadSchema: zDpopJwtPayload
+		});
+		if (options.allowedSigningAlgs && !options.allowedSigningAlgs.includes(header.alg)) throw new Oauth2Error(`dpop jwt uses alg value '${header.alg}' but allowed dpop signging alg values are ${options.allowedSigningAlgs.join(", ")}.`);
+		if (options.expectedNonce) {
+			if (!payload.nonce) throw new Oauth2Error(`Dpop jwt does not have a nonce value, but expected nonce value '${options.expectedNonce}'`);
+			if (payload.nonce !== options.expectedNonce) throw new Oauth2Error(`Dpop jwt contains nonce value '${payload.nonce}', but expected nonce value '${options.expectedNonce}'`);
+		}
+		if (options.request.method !== payload.htm) throw new Oauth2Error(`Dpop jwt contains htm value '${payload.htm}', but expected htm value '${options.request.method}'`);
+		const expectedHtu = htuFromRequestUrl(options.request.url);
+		if (expectedHtu !== payload.htu) throw new Oauth2Error(`Dpop jwt contains htu value '${payload.htu}', but expected htu value '${expectedHtu}'.`);
+		if (options.accessToken) {
+			const expectedAth = encodeToBase64Url(await options.callbacks.hash(decodeUtf8String(options.accessToken), HashAlgorithm.Sha256));
+			if (!payload.ath) throw new Oauth2Error(`Dpop jwt does not have a ath value, but expected ath value '${expectedAth}'.`);
+			if (payload.ath !== expectedAth) throw new Oauth2Error(`Dpop jwt contains ath value '${payload.ath}', but expected ath value '${expectedAth}'.`);
+		}
+		const jwkThumbprint = await calculateJwkThumbprint({
+			hashAlgorithm: HashAlgorithm.Sha256,
+			hashCallback: options.callbacks.hash,
+			jwk: header.jwk
+		});
+		if (options.expectedJwkThumbprint && options.expectedJwkThumbprint !== jwkThumbprint) throw new Oauth2Error(`Dpop is signed with jwk with thumbprint value '${jwkThumbprint}', but expect jwk thumbprint value '${options.expectedJwkThumbprint}'`);
+		await verifyJwt({
+			signer: {
+				alg: header.alg,
+				method: "jwk",
+				publicJwk: header.jwk
+			},
+			now: options.now,
+			header,
+			payload,
+			compact: options.dpopJwt,
+			verifyJwtCallback: options.callbacks.verifyJwt,
+			errorMessage: "dpop jwt verification failed"
+		});
+		return {
+			header,
+			payload,
+			jwkThumbprint
+		};
+	} catch (error) {
+		if (error instanceof Oauth2Error) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidDpopProof,
+			error_description: error.message
+		});
+		throw error;
+	}
+}
+function htuFromRequestUrl(requestUrl) {
+	const htu = new URL(requestUrl);
+	htu.search = "";
+	htu.hash = "";
+	return htu.toString();
+}
+function extractDpopNonceFromHeaders(headers) {
+	return headers.get("DPoP-Nonce");
+}
+function extractDpopJwtFromHeaders(headers) {
+	const dpopJwt = headers.get("DPoP");
+	if (!dpopJwt) return { valid: true };
+	if (!zCompactJwt.safeParse(dpopJwt).success) return { valid: false };
+	return {
+		valid: true,
+		dpopJwt
+	};
+}
+
+//#endregion
+//#region src/authorization-request/parse-authorization-request.ts
+/**
+* Parse an authorization request.
+*
+* @throws {Oauth2ServerErrorResponseError}
+*/
+function parseAuthorizationRequest(options) {
+	const extractedDpopJwt = extractDpopJwtFromHeaders(options.request.headers);
+	if (!extractedDpopJwt.valid) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidDpopProof,
+		error_description: `Request contains a 'DPoP' header, but the value is not a valid DPoP jwt`
+	});
+	const extractedClientAttestationJwts = extractClientAttestationJwtsFromHeaders(options.request.headers);
+	if (!extractedClientAttestationJwts.valid) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidClient,
+		error_description: "Request contains client attestation header, but the values are not valid client attestation and client attestation PoP header."
+	});
+	return {
+		dpop: extractedDpopJwt.dpopJwt ? {
+			jwt: extractedDpopJwt.dpopJwt,
+			jwkThumbprint: options.authorizationRequest.dpop_jkt
+		} : options.authorizationRequest.dpop_jkt ? {
+			jwt: extractedDpopJwt.dpopJwt,
+			jwkThumbprint: options.authorizationRequest.dpop_jkt
+		} : void 0,
+		clientAttestation: extractedClientAttestationJwts.clientAttestationHeader ? {
+			clientAttestationJwt: extractedClientAttestationJwts.clientAttestationHeader,
+			clientAttestationPopJwt: extractedClientAttestationJwts.clientAttestationPopHeader
+		} : void 0
+	};
+}
+
+//#endregion
+//#region src/authorization-request/z-authorization-request.ts
+const zPushedAuthorizationRequestUriPrefix = z$1.literal("urn:ietf:params:oauth:request_uri:");
+const pushedAuthorizationRequestUriPrefix = zPushedAuthorizationRequestUriPrefix.value;
+const zAuthorizationRequest = z$1.object({
+	response_type: z$1.string(),
+	client_id: z$1.string(),
+	issuer_state: z$1.optional(z$1.string()),
+	redirect_uri: z$1.url().optional(),
+	resource: z$1.optional(zHttpsUrl),
+	scope: z$1.optional(z$1.string()),
+	state: z$1.optional(z$1.string()),
+	dpop_jkt: z$1.optional(z$1.base64url()),
+	code_challenge: z$1.optional(z$1.string()),
+	code_challenge_method: z$1.optional(z$1.string())
+}).loose();
+const zPushedAuthorizationRequest = z$1.object({
+	request_uri: z$1.string(),
+	client_id: z$1.string()
+}).loose();
+const zPushedAuthorizationResponse = z$1.object({
+	request_uri: z$1.string(),
+	expires_in: z$1.number().int()
+}).loose();
+
+//#endregion
+//#region src/authorization-request/parse-pushed-authorization-request.ts
+/**
+* Parse an pushed authorization request.
+*
+* @throws {Oauth2ServerErrorResponseError}
+*/
+function parsePushedAuthorizationRequest(options) {
+	const parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
+	if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: `Error occurred during validation of pushed authorization request.\n${formatZodError(parsedAuthorizationRequest.error)}`
+	});
+	const authorizationRequest = parsedAuthorizationRequest.data;
+	const { clientAttestation, dpop } = parseAuthorizationRequest({
+		authorizationRequest,
+		request: options.request
+	});
+	return {
+		authorizationRequest,
+		dpop,
+		clientAttestation
+	};
+}
+/**
+* Parse a pushed authorization request URI prefixed with `urn:ietf:params:oauth:request_uri:`
+* and returns the identifier, without the prefix.
+*
+* @throws {Oauth2ServerErrorResponseError}
+*/
+function parsePushedAuthorizationRequestUri(options) {
+	if (!options.uri.startsWith(pushedAuthorizationRequestUriPrefix)) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: `The 'request_uri' must start with the prefix "${pushedAuthorizationRequestUriPrefix}".`
+	});
+	return options.uri.substring(pushedAuthorizationRequestUriPrefix.length);
+}
+
+//#endregion
+//#region src/authorization-response/z-authorization-response.ts
+const zAuthorizationResponse = z$1.object({
+	state: z$1.string().optional(),
+	code: z$1.string().nonempty(),
+	error: z$1.optional(z$1.never())
+}).loose();
+const zAuthorizationResponseFromUriParams = z$1.url().transform((url) => Object.fromEntries(new URL(url).searchParams)).pipe(zAuthorizationResponse);
+const zAuthorizationErrorResponse = z$1.object({
+	...zOauth2ErrorResponse.shape,
+	state: z$1.string().optional(),
+	code: z$1.optional(z$1.never())
+}).loose();
+
+//#endregion
+//#region src/authorization-response/parse-authorization-response.ts
+/**
+* Parse an authorization response redirect URL.
+*
+* @throws {Oauth2ServerErrorResponseError}
+*/
+function parseAuthorizationResponseRedirectUrl(options) {
+	const searchParams = Object.fromEntries(new URL(options.url).searchParams);
+	const parsedAuthorizationResponse = z$1.union([zAuthorizationErrorResponse, zAuthorizationResponse]).safeParse(searchParams);
+	if (!parsedAuthorizationResponse.success) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: `Error occurred during validation of authorization response redirect URL.\n${formatZodError(parsedAuthorizationResponse.error)}`
+	});
+	return parsedAuthorizationResponse.data;
+}
+
 //#endregion
 //#region src/z-grant-type.ts
 const zPreAuthorizedCodeGrantIdentifier = z$1.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
@@ -1095,121 +1337,6 @@ async function createAccessTokenResponse(options) {
 	});
 }
 
-//#endregion
-//#region src/dpop/z-dpop.ts
-const zDpopJwtPayload = z$1.object({
-	...zJwtPayload.shape,
-	iat: zInteger,
-	htu: zHttpsUrl,
-	htm: zHttpMethod,
-	jti: z$1.string(),
-	ath: z$1.optional(z$1.string())
-}).loose();
-const zDpopJwtHeader = z$1.object({
-	...zJwtHeader.shape,
-	typ: z$1.literal("dpop+jwt"),
-	jwk: zJwk
-}).loose();
-
-//#endregion
-//#region src/dpop/dpop.ts
-async function createDpopHeadersForRequest(options) {
-	return { DPoP: await createDpopJwt(options) };
-}
-async function createDpopJwt(options) {
-	let ath;
-	if (options.accessToken) ath = encodeToBase64Url(await options.callbacks.hash(decodeUtf8String(options.accessToken), HashAlgorithm.Sha256));
-	const header = parseWithErrorHandling(zDpopJwtHeader, {
-		typ: "dpop+jwt",
-		jwk: options.signer.publicJwk,
-		alg: options.signer.alg
-	});
-	const payload = parseWithErrorHandling(zDpopJwtPayload, {
-		htu: htuFromRequestUrl(options.request.url),
-		iat: dateToSeconds(options.issuedAt),
-		htm: options.request.method,
-		jti: encodeToBase64Url(await options.callbacks.generateRandom(32)),
-		ath,
-		nonce: options.nonce,
-		...options.additionalPayload
-	});
-	const { jwt } = await options.callbacks.signJwt(options.signer, {
-		header,
-		payload
-	});
-	return jwt;
-}
-async function verifyDpopJwt(options) {
-	try {
-		const { header, payload } = decodeJwt({
-			jwt: options.dpopJwt,
-			headerSchema: zDpopJwtHeader,
-			payloadSchema: zDpopJwtPayload
-		});
-		if (options.allowedSigningAlgs && !options.allowedSigningAlgs.includes(header.alg)) throw new Oauth2Error(`dpop jwt uses alg value '${header.alg}' but allowed dpop signging alg values are ${options.allowedSigningAlgs.join(", ")}.`);
-		if (options.expectedNonce) {
-			if (!payload.nonce) throw new Oauth2Error(`Dpop jwt does not have a nonce value, but expected nonce value '${options.expectedNonce}'`);
-			if (payload.nonce !== options.expectedNonce) throw new Oauth2Error(`Dpop jwt contains nonce value '${payload.nonce}', but expected nonce value '${options.expectedNonce}'`);
-		}
-		if (options.request.method !== payload.htm) throw new Oauth2Error(`Dpop jwt contains htm value '${payload.htm}', but expected htm value '${options.request.method}'`);
-		const expectedHtu = htuFromRequestUrl(options.request.url);
-		if (expectedHtu !== payload.htu) throw new Oauth2Error(`Dpop jwt contains htu value '${payload.htu}', but expected htu value '${expectedHtu}'.`);
-		if (options.accessToken) {
-			const expectedAth = encodeToBase64Url(await options.callbacks.hash(decodeUtf8String(options.accessToken), HashAlgorithm.Sha256));
-			if (!payload.ath) throw new Oauth2Error(`Dpop jwt does not have a ath value, but expected ath value '${expectedAth}'.`);
-			if (payload.ath !== expectedAth) throw new Oauth2Error(`Dpop jwt contains ath value '${payload.ath}', but expected ath value '${expectedAth}'.`);
-		}
-		const jwkThumbprint = await calculateJwkThumbprint({
-			hashAlgorithm: HashAlgorithm.Sha256,
-			hashCallback: options.callbacks.hash,
-			jwk: header.jwk
-		});
-		if (options.expectedJwkThumbprint && options.expectedJwkThumbprint !== jwkThumbprint) throw new Oauth2Error(`Dpop is signed with jwk with thumbprint value '${jwkThumbprint}', but expect jwk thumbprint value '${options.expectedJwkThumbprint}'`);
-		await verifyJwt({
-			signer: {
-				alg: header.alg,
-				method: "jwk",
-				publicJwk: header.jwk
-			},
-			now: options.now,
-			header,
-			payload,
-			compact: options.dpopJwt,
-			verifyJwtCallback: options.callbacks.verifyJwt,
-			errorMessage: "dpop jwt verification failed"
-		});
-		return {
-			header,
-			payload,
-			jwkThumbprint
-		};
-	} catch (error) {
-		if (error instanceof Oauth2Error) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidDpopProof,
-			error_description: error.message
-		});
-		throw error;
-	}
-}
-function htuFromRequestUrl(requestUrl) {
-	const htu = new URL(requestUrl);
-	htu.search = "";
-	htu.hash = "";
-	return htu.toString();
-}
-function extractDpopNonceFromHeaders(headers) {
-	return headers.get("DPoP-Nonce");
-}
-function extractDpopJwtFromHeaders(headers) {
-	const dpopJwt = headers.get("DPoP");
-	if (!dpopJwt) return { valid: true };
-	if (!zCompactJwt.safeParse(dpopJwt).success) return { valid: false };
-	return {
-		valid: true,
-		dpopJwt
-	};
-}
-
 //#endregion
 //#region src/access-token/parse-access-token-request.ts
 /**
@@ -1465,29 +1592,6 @@ async function verifyAccessTokenRequestPkce(options, callbacks) {
 	}
 }
 
-//#endregion
-//#region src/authorization-request/z-authorization-request.ts
-const zAuthorizationRequest = z$1.object({
-	response_type: z$1.string(),
-	client_id: z$1.string(),
-	issuer_state: z$1.optional(z$1.string()),
-	redirect_uri: z$1.url().optional(),
-	resource: z$1.optional(zHttpsUrl),
-	scope: z$1.optional(z$1.string()),
-	state: z$1.optional(z$1.string()),
-	dpop_jkt: z$1.optional(z$1.base64url()),
-	code_challenge: z$1.optional(z$1.string()),
-	code_challenge_method: z$1.optional(z$1.string())
-}).loose();
-const zPushedAuthorizationRequest = z$1.object({
-	request_uri: z$1.string(),
-	client_id: z$1.string()
-}).loose();
-const zPushedAuthorizationResponse = z$1.object({
-	request_uri: z$1.string(),
-	expires_in: z$1.number().int()
-}).loose();
-
 //#endregion
 //#region src/authorization-challenge/z-authorization-challenge.ts
 const zAuthorizationChallengeRequest = z$1.object({
@@ -1538,39 +1642,6 @@ function createAuthorizationChallengeErrorResponse(options) {
 	});
 }
 
-//#endregion
-//#region src/authorization-request/parse-authorization-request.ts
-/**
-* Parse an authorization request.
-*
-* @throws {Oauth2ServerErrorResponseError}
-*/
-function parseAuthorizationRequest(options) {
-	const extractedDpopJwt = extractDpopJwtFromHeaders(options.request.headers);
-	if (!extractedDpopJwt.valid) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidDpopProof,
-		error_description: `Request contains a 'DPoP' header, but the value is not a valid DPoP jwt`
-	});
-	const extractedClientAttestationJwts = extractClientAttestationJwtsFromHeaders(options.request.headers);
-	if (!extractedClientAttestationJwts.valid) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidClient,
-		error_description: "Request contains client attestation header, but the values are not valid client attestation and client attestation PoP header."
-	});
-	return {
-		dpop: extractedDpopJwt.dpopJwt ? {
-			jwt: extractedDpopJwt.dpopJwt,
-			jwkThumbprint: options.authorizationRequest.dpop_jkt
-		} : options.authorizationRequest.dpop_jkt ? {
-			jwt: extractedDpopJwt.dpopJwt,
-			jwkThumbprint: options.authorizationRequest.dpop_jkt
-		} : void 0,
-		clientAttestation: extractedClientAttestationJwts.clientAttestationHeader ? {
-			clientAttestationJwt: extractedClientAttestationJwts.clientAttestationHeader,
-			clientAttestationPopJwt: extractedClientAttestationJwts.clientAttestationPopHeader
-		} : void 0
-	};
-}
-
 //#endregion
 //#region src/authorization-challenge/parse-authorization-challenge-request.ts
 /**
@@ -1702,31 +1773,6 @@ function createPushedAuthorizationErrorResponse(options) {
 	});
 }
 
-//#endregion
-//#region src/authorization-request/parse-pushed-authorization-request.ts
-/**
-* Parse an pushed authorization request.
-*
-* @throws {Oauth2ServerErrorResponseError}
-*/
-function parsePushedAuthorizationRequest(options) {
-	const parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
-	if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Error occurred during validation of pushed authorization request.\n${formatZodError(parsedAuthorizationRequest.error)}`
-	});
-	const authorizationRequest = parsedAuthorizationRequest.data;
-	const { clientAttestation, dpop } = parseAuthorizationRequest({
-		authorizationRequest,
-		request: options.request
-	});
-	return {
-		authorizationRequest,
-		dpop,
-		clientAttestation
-	};
-}
-
 //#endregion
 //#region src/authorization-request/verify-pushed-authorization-request.ts
 async function verifyPushedAuthorizationRequest(options) {
@@ -2544,5 +2590,5 @@ async function verifyResourceRequest(options) {
 }
 
 //#endregion
-export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwtHeaderFromJwtSigner, jwtSignerFromJwt, preAuthorizedCodeGrantIdentifier, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zRefreshTokenGrantIdentifier };
+export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, parsePushedAuthorizationRequestUri, preAuthorizedCodeGrantIdentifier, pushedAuthorizationRequestUriPrefix, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationErrorResponse, zAuthorizationResponse, zAuthorizationResponseFromUriParams, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zPushedAuthorizationRequestUriPrefix, zRefreshTokenGrantIdentifier };
 //# sourceMappingURL=index.mjs.map