@openid4vc/oauth2 0.3.0-alpha-20251107130226 → 0.3.0-alpha-20251107132439

package/dist/index.mjs

@@ -506,6 +506,149 @@ var Oauth2ServerErrorResponseError = class extends Oauth2Error {
 	}
 };
 
+//#endregion
+//#region src/common/jwt/z-jwe.ts
+const zCompactJwe = z.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, { message: "Not a valid compact jwe" });
+
+//#endregion
+//#region src/jar/z-jar-authorization-request.ts
+const zJarAuthorizationRequest = z.object({
+	request: z.optional(z.string()),
+	request_uri: z.optional(zHttpsUrl),
+	client_id: z.optional(z.string())
+}).loose();
+function validateJarRequestParams(options) {
+	const { jarRequestParams } = options;
+	if (jarRequestParams.request && jarRequestParams.request_uri) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "request and request_uri cannot both be present in a JAR request"
+	});
+	if (!jarRequestParams.request && !jarRequestParams.request_uri) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "request or request_uri must be present"
+	});
+	return jarRequestParams;
+}
+function isJarAuthorizationRequest(request) {
+	return "request" in request || "request_uri" in request;
+}
+
+//#endregion
+//#region src/jar/z-jar-request-object.ts
+const zJarRequestObjectPayload = z.object({
+	...zJwtPayload.shape,
+	client_id: z.string()
+}).loose();
+const zSignedAuthorizationRequestJwtHeaderTyp = z.literal("oauth-authz-req+jwt");
+const signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
+const zJwtAuthorizationRequestJwtHeaderTyp = z.literal("jwt");
+const jwtAuthorizationRequestJwtHeaderTyp = zJwtAuthorizationRequestJwtHeaderTyp.value;
+
+//#endregion
+//#region src/jar/handle-jar-request/verify-jar-request.ts
+/**
+* Parse a JAR (JWT Secured Authorization Request) request by validating and optionally fetch from uri.
+*
+* @param options - The input parameters
+* @param options.jarRequestParams - The JAR authorization request parameters
+* @param options.callbacks - Context containing the relevant Jose crypto operations
+* @returns An object containing the transmission method ('value' or 'reference') and the JWT request object.
+*/
+async function parseJarRequest(options) {
+	const { callbacks } = options;
+	const jarRequestParams = {
+		...validateJarRequestParams(options),
+		...options.jarRequestParams
+	};
+	return {
+		sendBy: jarRequestParams.request ? "value" : "reference",
+		authorizationRequestJwt: jarRequestParams.request ?? await fetchJarRequestObject({
+			requestUri: jarRequestParams.request_uri,
+			fetch: callbacks.fetch
+		})
+	};
+}
+/**
+* Verifies a JAR (JWT Secured Authorization Request) request by validating and verifying signatures.
+*
+* @param options - The input parameters
+* @param options.jarRequestParams - The JAR authorization request parameters
+* @param options.callbacks - Context containing the relevant Jose crypto operations
+* @returns The verified authorization request parameters and metadata
+*/
+async function verifyJarRequest(options) {
+	const { jarRequestParams, authorizationRequestJwt, callbacks, jwtSigner } = options;
+	if (zCompactJwe.safeParse(authorizationRequestJwt).success) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "Encrypted JWE request objects are not supported."
+	});
+	if (!zCompactJwt.safeParse(authorizationRequestJwt).success) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "JAR request object is not a valid JWT."
+	});
+	const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({
+		authorizationRequestJwt,
+		callbacks,
+		jwtSigner
+	});
+	if (!authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "Jar Request Object is missing the required \"client_id\" field."
+	});
+	if (jarRequestParams.client_id !== authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: "client_id does not match the request object client_id."
+	});
+	return {
+		jwt,
+		authorizationRequestPayload,
+		signer
+	};
+}
+async function fetchJarRequestObject(options) {
+	const { requestUri, fetch } = options;
+	const response = await createFetcher(fetch)(requestUri, {
+		method: "get",
+		headers: {
+			Accept: `${ContentType.OAuthAuthorizationRequestJwt}, ${ContentType.Jwt};q=0.9, text/plain`,
+			"Content-Type": ContentType.XWwwFormUrlencoded
+		}
+	}).catch(() => {
+		throw new Oauth2ServerErrorResponseError({
+			error_description: `Fetching request_object from request_uri '${requestUri}' failed`,
+			error: Oauth2ErrorCodes.InvalidRequestUri
+		});
+	});
+	if (!response.ok) throw new Oauth2ServerErrorResponseError({
+		error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
+		error: Oauth2ErrorCodes.InvalidRequestUri
+	});
+	return await response.text();
+}
+async function verifyJarRequestObject(options) {
+	const { authorizationRequestJwt, callbacks, jwtSigner } = options;
+	const jwt = decodeJwt({
+		jwt: authorizationRequestJwt,
+		payloadSchema: zJarRequestObjectPayload
+	});
+	const { signer } = await verifyJwt({
+		verifyJwtCallback: callbacks.verifyJwt,
+		compact: authorizationRequestJwt,
+		header: jwt.header,
+		payload: jwt.payload,
+		signer: jwtSigner
+	});
+	if (jwt.header.typ !== signedAuthorizationRequestJwtHeaderTyp && jwt.header.typ !== jwtAuthorizationRequestJwtHeaderTyp) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt" or "jwt", received "${jwt.header.typ}".`
+	});
+	return {
+		signer,
+		jwt,
+		authorizationRequestPayload: jwt.payload
+	};
+}
+
 //#endregion
 //#region src/client-attestation/z-client-attestation.ts
 const zOauthClientAttestationHeader = z$1.literal("OAuth-Client-Attestation");
@@ -873,12 +1016,29 @@ const zPushedAuthorizationResponse = z$1.object({
 *
 * @throws {Oauth2ServerErrorResponseError}
 */
-function parsePushedAuthorizationRequest(options) {
-	const parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
-	if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Error occurred during validation of pushed authorization request.\n${formatZodError(parsedAuthorizationRequest.error)}`
-	});
+async function parsePushedAuthorizationRequest(options) {
+	const parsed = parseWithErrorHandling(z$1.union([zAuthorizationRequest, zJarAuthorizationRequest]), options.authorizationRequest, "Invalid authorization request. Could not parse authorization request or jar.");
+	let parsedAuthorizationRequest;
+	let authorizationRequestJwt;
+	if (isJarAuthorizationRequest(parsed)) {
+		const parsedJar = await parseJarRequest({
+			jarRequestParams: parsed,
+			callbacks: options.callbacks
+		});
+		const jwt = decodeJwt({ jwt: parsedJar.authorizationRequestJwt });
+		parsedAuthorizationRequest = zAuthorizationRequest.safeParse(jwt.payload);
+		if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: `Invalid authorization request. Could not parse jar request payload.\n${formatZodError(parsedAuthorizationRequest.error)}`
+		});
+		authorizationRequestJwt = parsedJar.authorizationRequestJwt;
+	} else {
+		parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
+		if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: `Error occurred during validation of pushed authorization request.\n${formatZodError(parsedAuthorizationRequest.error)}`
+		});
+	}
 	const authorizationRequest = parsedAuthorizationRequest.data;
 	const { clientAttestation, dpop } = parseAuthorizationRequest({
 		authorizationRequest,
@@ -886,6 +1046,7 @@ function parsePushedAuthorizationRequest(options) {
 	});
 	return {
 		authorizationRequest,
+		authorizationRequestJwt,
 		dpop,
 		clientAttestation
 	};
@@ -1036,10 +1197,6 @@ function clientAuthenticationClientAttestationJwt(options) {
 	};
 }
 
-//#endregion
-//#region src/common/jwt/z-jwe.ts
-const zCompactJwe = z.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, { message: "Not a valid compact jwe" });
-
 //#endregion
 //#region src/error/Oauth2ClientErrorResponseError.ts
 var Oauth2ClientErrorResponseError = class extends Oauth2Error {
@@ -1173,6 +1330,57 @@ async function verifyIdTokenJwt(options) {
 	};
 }
 
+//#endregion
+//#region src/jar/create-jar-authorization-request.ts
+/**
+* Creates a JAR (JWT Authorization Request) request object.
+*
+* @param options - The input parameters
+* @param options.authorizationRequestPayload - The authorization request parameters
+* @param options.jwtSigner - The JWT signer
+* @param options.jweEncryptor - The JWE encryptor (optional) if provided, the request object will be encrypted
+* @param options.requestUri - The request URI (optional) if provided, the request object needs to be fetched from the URI
+* @param options.callbacks - The callback context
+* @returns the requestParams, signerJwk, encryptionJwk, and requestObjectJwt
+*/
+async function createJarAuthorizationRequest(options) {
+	const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
+	let authorizationRequestJwt;
+	let encryptionJwk;
+	const now = options.now ?? /* @__PURE__ */ new Date();
+	const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
+		header: {
+			...jwtHeaderFromJwtSigner(jwtSigner),
+			typ: "oauth-authz-req+jwt"
+		},
+		payload: {
+			iat: dateToSeconds(now),
+			exp: dateToSeconds(addSecondsToDate(now, options.expiresInSeconds)),
+			...options.additionalJwtPayload,
+			...authorizationRequestPayload
+		}
+	});
+	authorizationRequestJwt = jwt;
+	if (jweEncryptor) {
+		const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
+		authorizationRequestJwt = encryptionResult.jwe;
+		encryptionJwk = encryptionResult.encryptionJwk;
+	}
+	const client_id = authorizationRequestPayload.client_id;
+	return {
+		jarAuthorizationRequest: requestUri ? {
+			client_id,
+			request_uri: requestUri
+		} : {
+			client_id,
+			request: authorizationRequestJwt
+		},
+		signerJwk,
+		encryptionJwk,
+		authorizationRequestJwt
+	};
+}
+
 //#endregion
 //#region src/metadata/fetch-well-known-metadata.ts
 /**
@@ -1776,10 +1984,18 @@ function createPushedAuthorizationErrorResponse(options) {
 //#endregion
 //#region src/authorization-request/verify-pushed-authorization-request.ts
 async function verifyPushedAuthorizationRequest(options) {
+	let jar;
+	if (options.authorizationRequestJwt) jar = await verifyJarRequest({
+		authorizationRequestJwt: options.authorizationRequestJwt.jwt,
+		jarRequestParams: options.authorizationRequest,
+		callbacks: options.callbacks,
+		jwtSigner: options.authorizationRequestJwt.signer
+	});
 	const { clientAttestation, dpop } = await verifyAuthorizationRequest(options);
 	return {
 		dpop,
-		clientAttestation
+		clientAttestation,
+		jar
 	};
 }
 
@@ -1858,9 +2074,14 @@ var Oauth2AuthorizationServer = class {
 	/**
 	* Parse a pushed authorization request
 	*/
-	parsePushedAuthorizationRequest(options) {
-		return parsePushedAuthorizationRequest(options);
+	async parsePushedAuthorizationRequest(options) {
+		return await parsePushedAuthorizationRequest(options);
 	}
+	/**
+	* Verify pushed authorization request.
+	*
+	* Make sure to provide the `authorizationRequestJwt` if this was returned in the `parsePushedAuthorizationRequest`
+	*/
 	verifyPushedAuthorizationRequest(options) {
 		return verifyPushedAuthorizationRequest({
 			...options,
@@ -2590,5 +2811,5 @@ async function verifyResourceRequest(options) {
 }
 
 //#endregion
-export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, parsePushedAuthorizationRequestUriReferenceValue, preAuthorizedCodeGrantIdentifier, pushedAuthorizationRequestUriPrefix, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationErrorResponse, zAuthorizationResponse, zAuthorizationResponseFromUriParams, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zPushedAuthorizationRequestUriPrefix, zRefreshTokenGrantIdentifier };
+export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, createJarAuthorizationRequest, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwtAuthorizationRequestJwtHeaderTyp, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, parsePushedAuthorizationRequestUriReferenceValue, preAuthorizedCodeGrantIdentifier, pushedAuthorizationRequestUriPrefix, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, signedAuthorizationRequestJwtHeaderTyp, validateJarRequestParams, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationErrorResponse, zAuthorizationResponse, zAuthorizationResponseFromUriParams, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJarAuthorizationRequest, zJarRequestObjectPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zPushedAuthorizationRequestUriPrefix, zRefreshTokenGrantIdentifier };
 //# sourceMappingURL=index.mjs.map