@openid4vc/oauth2 0.3.0-alpha-20251107130106 → 0.3.0-alpha-20251107132439

package/dist/index.cjs

@@ -530,6 +530,149 @@ var Oauth2ServerErrorResponseError = class extends Oauth2Error {
 	}
 };
 
+//#endregion
+//#region src/common/jwt/z-jwe.ts
+const zCompactJwe = zod.z.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, { message: "Not a valid compact jwe" });
+
+//#endregion
+//#region src/jar/z-jar-authorization-request.ts
+const zJarAuthorizationRequest = zod.z.object({
+	request: zod.z.optional(zod.z.string()),
+	request_uri: zod.z.optional(__openid4vc_utils.zHttpsUrl),
+	client_id: zod.z.optional(zod.z.string())
+}).loose();
+function validateJarRequestParams(options) {
+	const { jarRequestParams } = options;
+	if (jarRequestParams.request && jarRequestParams.request_uri) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "request and request_uri cannot both be present in a JAR request"
+	});
+	if (!jarRequestParams.request && !jarRequestParams.request_uri) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "request or request_uri must be present"
+	});
+	return jarRequestParams;
+}
+function isJarAuthorizationRequest(request) {
+	return "request" in request || "request_uri" in request;
+}
+
+//#endregion
+//#region src/jar/z-jar-request-object.ts
+const zJarRequestObjectPayload = zod.z.object({
+	...zJwtPayload.shape,
+	client_id: zod.z.string()
+}).loose();
+const zSignedAuthorizationRequestJwtHeaderTyp = zod.z.literal("oauth-authz-req+jwt");
+const signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
+const zJwtAuthorizationRequestJwtHeaderTyp = zod.z.literal("jwt");
+const jwtAuthorizationRequestJwtHeaderTyp = zJwtAuthorizationRequestJwtHeaderTyp.value;
+
+//#endregion
+//#region src/jar/handle-jar-request/verify-jar-request.ts
+/**
+* Parse a JAR (JWT Secured Authorization Request) request by validating and optionally fetch from uri.
+*
+* @param options - The input parameters
+* @param options.jarRequestParams - The JAR authorization request parameters
+* @param options.callbacks - Context containing the relevant Jose crypto operations
+* @returns An object containing the transmission method ('value' or 'reference') and the JWT request object.
+*/
+async function parseJarRequest(options) {
+	const { callbacks } = options;
+	const jarRequestParams = {
+		...validateJarRequestParams(options),
+		...options.jarRequestParams
+	};
+	return {
+		sendBy: jarRequestParams.request ? "value" : "reference",
+		authorizationRequestJwt: jarRequestParams.request ?? await fetchJarRequestObject({
+			requestUri: jarRequestParams.request_uri,
+			fetch: callbacks.fetch
+		})
+	};
+}
+/**
+* Verifies a JAR (JWT Secured Authorization Request) request by validating and verifying signatures.
+*
+* @param options - The input parameters
+* @param options.jarRequestParams - The JAR authorization request parameters
+* @param options.callbacks - Context containing the relevant Jose crypto operations
+* @returns The verified authorization request parameters and metadata
+*/
+async function verifyJarRequest(options) {
+	const { jarRequestParams, authorizationRequestJwt, callbacks, jwtSigner } = options;
+	if (zCompactJwe.safeParse(authorizationRequestJwt).success) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "Encrypted JWE request objects are not supported."
+	});
+	if (!zCompactJwt.safeParse(authorizationRequestJwt).success) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "JAR request object is not a valid JWT."
+	});
+	const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({
+		authorizationRequestJwt,
+		callbacks,
+		jwtSigner
+	});
+	if (!authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "Jar Request Object is missing the required \"client_id\" field."
+	});
+	if (jarRequestParams.client_id !== authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: "client_id does not match the request object client_id."
+	});
+	return {
+		jwt,
+		authorizationRequestPayload,
+		signer
+	};
+}
+async function fetchJarRequestObject(options) {
+	const { requestUri, fetch } = options;
+	const response = await (0, __openid4vc_utils.createFetcher)(fetch)(requestUri, {
+		method: "get",
+		headers: {
+			Accept: `${__openid4vc_utils.ContentType.OAuthAuthorizationRequestJwt}, ${__openid4vc_utils.ContentType.Jwt};q=0.9, text/plain`,
+			"Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded
+		}
+	}).catch(() => {
+		throw new Oauth2ServerErrorResponseError({
+			error_description: `Fetching request_object from request_uri '${requestUri}' failed`,
+			error: Oauth2ErrorCodes.InvalidRequestUri
+		});
+	});
+	if (!response.ok) throw new Oauth2ServerErrorResponseError({
+		error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
+		error: Oauth2ErrorCodes.InvalidRequestUri
+	});
+	return await response.text();
+}
+async function verifyJarRequestObject(options) {
+	const { authorizationRequestJwt, callbacks, jwtSigner } = options;
+	const jwt = decodeJwt({
+		jwt: authorizationRequestJwt,
+		payloadSchema: zJarRequestObjectPayload
+	});
+	const { signer } = await verifyJwt({
+		verifyJwtCallback: callbacks.verifyJwt,
+		compact: authorizationRequestJwt,
+		header: jwt.header,
+		payload: jwt.payload,
+		signer: jwtSigner
+	});
+	if (jwt.header.typ !== signedAuthorizationRequestJwtHeaderTyp && jwt.header.typ !== jwtAuthorizationRequestJwtHeaderTyp) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt" or "jwt", received "${jwt.header.typ}".`
+	});
+	return {
+		signer,
+		jwt,
+		authorizationRequestPayload: jwt.payload
+	};
+}
+
 //#endregion
 //#region src/client-attestation/z-client-attestation.ts
 const zOauthClientAttestationHeader = zod.default.literal("OAuth-Client-Attestation");
@@ -897,12 +1040,29 @@ const zPushedAuthorizationResponse = zod.default.object({
 *
 * @throws {Oauth2ServerErrorResponseError}
 */
-function parsePushedAuthorizationRequest(options) {
-	const parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
-	if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Error occurred during validation of pushed authorization request.\n${(0, __openid4vc_utils.formatZodError)(parsedAuthorizationRequest.error)}`
-	});
+async function parsePushedAuthorizationRequest(options) {
+	const parsed = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([zAuthorizationRequest, zJarAuthorizationRequest]), options.authorizationRequest, "Invalid authorization request. Could not parse authorization request or jar.");
+	let parsedAuthorizationRequest;
+	let authorizationRequestJwt;
+	if (isJarAuthorizationRequest(parsed)) {
+		const parsedJar = await parseJarRequest({
+			jarRequestParams: parsed,
+			callbacks: options.callbacks
+		});
+		const jwt = decodeJwt({ jwt: parsedJar.authorizationRequestJwt });
+		parsedAuthorizationRequest = zAuthorizationRequest.safeParse(jwt.payload);
+		if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: `Invalid authorization request. Could not parse jar request payload.\n${(0, __openid4vc_utils.formatZodError)(parsedAuthorizationRequest.error)}`
+		});
+		authorizationRequestJwt = parsedJar.authorizationRequestJwt;
+	} else {
+		parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
+		if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: `Error occurred during validation of pushed authorization request.\n${(0, __openid4vc_utils.formatZodError)(parsedAuthorizationRequest.error)}`
+		});
+	}
 	const authorizationRequest = parsedAuthorizationRequest.data;
 	const { clientAttestation, dpop } = parseAuthorizationRequest({
 		authorizationRequest,
@@ -910,6 +1070,7 @@ function parsePushedAuthorizationRequest(options) {
 	});
 	return {
 		authorizationRequest,
+		authorizationRequestJwt,
 		dpop,
 		clientAttestation
 	};
@@ -1060,10 +1221,6 @@ function clientAuthenticationClientAttestationJwt(options) {
 	};
 }
 
-//#endregion
-//#region src/common/jwt/z-jwe.ts
-const zCompactJwe = zod.z.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, { message: "Not a valid compact jwe" });
-
 //#endregion
 //#region src/error/Oauth2ClientErrorResponseError.ts
 var Oauth2ClientErrorResponseError = class extends Oauth2Error {
@@ -1197,6 +1354,57 @@ async function verifyIdTokenJwt(options) {
 	};
 }
 
+//#endregion
+//#region src/jar/create-jar-authorization-request.ts
+/**
+* Creates a JAR (JWT Authorization Request) request object.
+*
+* @param options - The input parameters
+* @param options.authorizationRequestPayload - The authorization request parameters
+* @param options.jwtSigner - The JWT signer
+* @param options.jweEncryptor - The JWE encryptor (optional) if provided, the request object will be encrypted
+* @param options.requestUri - The request URI (optional) if provided, the request object needs to be fetched from the URI
+* @param options.callbacks - The callback context
+* @returns the requestParams, signerJwk, encryptionJwk, and requestObjectJwt
+*/
+async function createJarAuthorizationRequest(options) {
+	const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
+	let authorizationRequestJwt;
+	let encryptionJwk;
+	const now = options.now ?? /* @__PURE__ */ new Date();
+	const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
+		header: {
+			...jwtHeaderFromJwtSigner(jwtSigner),
+			typ: "oauth-authz-req+jwt"
+		},
+		payload: {
+			iat: (0, __openid4vc_utils.dateToSeconds)(now),
+			exp: (0, __openid4vc_utils.dateToSeconds)((0, __openid4vc_utils.addSecondsToDate)(now, options.expiresInSeconds)),
+			...options.additionalJwtPayload,
+			...authorizationRequestPayload
+		}
+	});
+	authorizationRequestJwt = jwt;
+	if (jweEncryptor) {
+		const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
+		authorizationRequestJwt = encryptionResult.jwe;
+		encryptionJwk = encryptionResult.encryptionJwk;
+	}
+	const client_id = authorizationRequestPayload.client_id;
+	return {
+		jarAuthorizationRequest: requestUri ? {
+			client_id,
+			request_uri: requestUri
+		} : {
+			client_id,
+			request: authorizationRequestJwt
+		},
+		signerJwk,
+		encryptionJwk,
+		authorizationRequestJwt
+	};
+}
+
 //#endregion
 //#region src/metadata/fetch-well-known-metadata.ts
 /**
@@ -1800,10 +2008,18 @@ function createPushedAuthorizationErrorResponse(options) {
 //#endregion
 //#region src/authorization-request/verify-pushed-authorization-request.ts
 async function verifyPushedAuthorizationRequest(options) {
+	let jar;
+	if (options.authorizationRequestJwt) jar = await verifyJarRequest({
+		authorizationRequestJwt: options.authorizationRequestJwt.jwt,
+		jarRequestParams: options.authorizationRequest,
+		callbacks: options.callbacks,
+		jwtSigner: options.authorizationRequestJwt.signer
+	});
 	const { clientAttestation, dpop } = await verifyAuthorizationRequest(options);
 	return {
 		dpop,
-		clientAttestation
+		clientAttestation,
+		jar
 	};
 }
 
@@ -1882,9 +2098,14 @@ var Oauth2AuthorizationServer = class {
 	/**
 	* Parse a pushed authorization request
 	*/
-	parsePushedAuthorizationRequest(options) {
-		return parsePushedAuthorizationRequest(options);
+	async parsePushedAuthorizationRequest(options) {
+		return await parsePushedAuthorizationRequest(options);
 	}
+	/**
+	* Verify pushed authorization request.
+	*
+	* Make sure to provide the `authorizationRequestJwt` if this was returned in the `parsePushedAuthorizationRequest`
+	*/
 	verifyPushedAuthorizationRequest(options) {
 		return verifyPushedAuthorizationRequest({
 			...options,
@@ -2644,6 +2865,7 @@ exports.clientAuthenticationClientSecretPost = clientAuthenticationClientSecretP
 exports.clientAuthenticationDynamic = clientAuthenticationDynamic;
 exports.clientAuthenticationNone = clientAuthenticationNone;
 exports.createClientAttestationJwt = createClientAttestationJwt;
+exports.createJarAuthorizationRequest = createJarAuthorizationRequest;
 exports.decodeJwt = decodeJwt;
 exports.decodeJwtHeader = decodeJwtHeader;
 exports.fetchAuthorizationServerMetadata = fetchAuthorizationServerMetadata;
@@ -2657,6 +2879,7 @@ Object.defineProperty(exports, 'getGlobalConfig', {
   }
 });
 exports.isJwkInSet = isJwkInSet;
+exports.jwtAuthorizationRequestJwtHeaderTyp = jwtAuthorizationRequestJwtHeaderTyp;
 exports.jwtHeaderFromJwtSigner = jwtHeaderFromJwtSigner;
 exports.jwtSignerFromJwt = jwtSignerFromJwt;
 exports.parseAuthorizationResponseRedirectUrl = parseAuthorizationResponseRedirectUrl;
@@ -2671,6 +2894,8 @@ Object.defineProperty(exports, 'setGlobalConfig', {
     return __openid4vc_utils.setGlobalConfig;
   }
 });
+exports.signedAuthorizationRequestJwtHeaderTyp = signedAuthorizationRequestJwtHeaderTyp;
+exports.validateJarRequestParams = validateJarRequestParams;
 exports.verifyClientAttestationJwt = verifyClientAttestationJwt;
 exports.verifyIdTokenJwt = verifyIdTokenJwt;
 exports.verifyJwt = verifyJwt;
@@ -2685,6 +2910,8 @@ exports.zCompactJwe = zCompactJwe;
 exports.zCompactJwt = zCompactJwt;
 exports.zIdTokenJwtHeader = zIdTokenJwtHeader;
 exports.zIdTokenJwtPayload = zIdTokenJwtPayload;
+exports.zJarAuthorizationRequest = zJarAuthorizationRequest;
+exports.zJarRequestObjectPayload = zJarRequestObjectPayload;
 exports.zJwk = zJwk;
 exports.zJwkSet = zJwkSet;
 exports.zJwtHeader = zJwtHeader;