@openid4vc/oauth2 0.4.4-alpha-20260105092906 → 0.4.4-alpha-20260106132628

package/dist/index.mjs

@@ -1,5 +1,6 @@
 import { ContentType, Headers, InvalidFetchResponseError, InvalidFetchResponseError as InvalidFetchResponseError$1, OpenId4VcBaseError, URL, ValidationError, addSecondsToDate, createFetcher, createZodFetcher, dateToSeconds, decodeBase64, decodeUtf8String, encodeToBase64Url, encodeToUtf8String, encodeWwwAuthenticateHeader, formatZodError, getGlobalConfig, joinUriParts, objectToQueryParams, parseWithErrorHandling, parseWwwAuthenticateHeader, setGlobalConfig, stringToJsonWithErrorHandling, zHttpMethod, zHttpsUrl, zInteger } from "@openid4vc/utils";
 import z$1, { z } from "zod";
+import "zod/v4/core";
 
 //#region src/callbacks.ts
 /**
@@ -347,6 +348,533 @@ async function verifyJwt(options) {
 	} };
 }
 
+//#endregion
+//#region ../../node_modules/.pnpm/zod-validation-error@5.0.0_zod@4.3.5/node_modules/zod-validation-error/v4/index.mjs
+function isZodErrorLike(err) {
+	return err instanceof Object && "name" in err && (err.name === "ZodError" || err.name === "$ZodError") && "issues" in err && Array.isArray(err.issues);
+}
+var ZOD_VALIDATION_ERROR_NAME = "ZodValidationError";
+var ValidationError$2 = class extends Error {
+	name;
+	details;
+	constructor(message, options) {
+		super(message, options);
+		this.name = ZOD_VALIDATION_ERROR_NAME;
+		this.details = getIssuesFromErrorOptions(options);
+	}
+	toString() {
+		return this.message;
+	}
+};
+function getIssuesFromErrorOptions(options) {
+	if (options) {
+		const cause = options.cause;
+		if (isZodErrorLike(cause)) return cause.issues;
+	}
+	return [];
+}
+function parseCustomIssue(issue) {
+	return {
+		type: issue.code,
+		path: issue.path,
+		message: issue.message ?? "Invalid input"
+	};
+}
+function parseInvalidElementIssue(issue) {
+	return {
+		type: issue.code,
+		path: issue.path,
+		message: `unexpected element in ${issue.origin}`
+	};
+}
+function parseInvalidKeyIssue(issue) {
+	return {
+		type: issue.code,
+		path: issue.path,
+		message: `unexpected key in ${issue.origin}`
+	};
+}
+var vowelSoundCharSet = /* @__PURE__ */ new Set([
+	"a",
+	"e",
+	"i",
+	"o",
+	"u",
+	"h"
+]);
+function prependWithAOrAn(value) {
+	const firstLetter = value.charAt(0).toLowerCase();
+	return [vowelSoundCharSet.has(firstLetter) ? "an" : "a", value].join(" ");
+}
+function stringifySymbol(symbol) {
+	return symbol.description ?? "";
+}
+function stringify(value, options = {}) {
+	switch (typeof value) {
+		case "symbol": return stringifySymbol(value);
+		case "bigint":
+		case "number": switch (options.localization) {
+			case true: return value.toLocaleString();
+			case false: return value.toString();
+			default: return value.toLocaleString(options.localization);
+		}
+		case "string":
+			if (options.wrapStringValueInQuote) return `"${value}"`;
+			return value;
+		default:
+			if (value instanceof Date) switch (options.localization) {
+				case true: return value.toLocaleString();
+				case false: return value.toISOString();
+				default: return value.toLocaleString(options.localization);
+			}
+			return String(value);
+	}
+}
+function parseInvalidStringFormatIssue(issue, options) {
+	let message = "";
+	switch (issue.format) {
+		case "lowercase":
+		case "uppercase":
+			message += `expected ${issue.format} string`;
+			break;
+		case "starts_with":
+			message += `expected string to start with "${issue.prefix}"`;
+			break;
+		case "ends_with":
+			message += `expected string to end with "${issue.suffix}"`;
+			break;
+		case "includes":
+			message += `expected string to include "${issue.includes}"`;
+			break;
+		case "regex":
+			message += "expected string to match pattern";
+			if (options.displayInvalidFormatDetails) message += ` "${issue.pattern}"`;
+			break;
+		case "jwt":
+			message += "expected a jwt";
+			if (options.displayInvalidFormatDetails && issue.inst && "alg" in issue.inst._zod.def) message += `/${issue.inst._zod.def.alg}`;
+			message += " token";
+			break;
+		case "email":
+			message += "expected an email address";
+			break;
+		case "url":
+		case "uuid":
+		case "guid":
+		case "cuid":
+		case "cuid2":
+		case "ulid":
+		case "xid":
+		case "ksuid":
+			message += `expected a ${issue.format.toUpperCase()}`;
+			if (issue.inst && "version" in issue.inst._zod.def) message += ` ${issue.inst._zod.def.version}`;
+			break;
+		case "date":
+		case "datetime":
+		case "time":
+		case "duration":
+			message += `expected an ISO ${issue.format}`;
+			break;
+		case "ipv4":
+		case "ipv6":
+			message += `expected an ${issue.format.slice(0, 2).toUpperCase()}${issue.format.slice(2)} address`;
+			break;
+		case "cidrv4":
+		case "cidrv6":
+			message += `expected a ${issue.format.slice(0, 4).toUpperCase()}${issue.format.slice(4)} address range`;
+			break;
+		case "base64":
+		case "base64url":
+			message += `expected a ${issue.format} encoded string`;
+			break;
+		case "e164":
+			message += "expected an E.164 formatted phone number";
+			break;
+		default:
+			if (issue.format.startsWith("sha") || issue.format.startsWith("md5")) {
+				const [alg, encoding] = issue.format.split("_");
+				message += `expected a ${alg.toUpperCase()}`;
+				if (encoding) message += ` ${encoding}-encoded`;
+				message += ` hash`;
+				break;
+			}
+			message += `expected ${prependWithAOrAn(issue.format)}`;
+	}
+	if ("input" in issue && options.reportInput === "typeAndValue") {
+		const valueStr = stringify(issue.input, {
+			wrapStringValueInQuote: true,
+			localization: options.numberLocalization
+		});
+		message += `, received ${valueStr}`;
+	}
+	return {
+		type: issue.code,
+		path: issue.path,
+		message
+	};
+}
+function isPrimitive(value) {
+	if (value === null) return true;
+	switch (typeof value) {
+		case "string":
+		case "number":
+		case "bigint":
+		case "boolean":
+		case "symbol":
+		case "undefined": return true;
+		default: return false;
+	}
+}
+function parseInvalidTypeIssue(issue, options) {
+	let message = `expected ${issue.expected}`;
+	if ("input" in issue && options.reportInput !== false) {
+		const value = issue.input;
+		message += `, received ${getTypeName(value)}`;
+		if (options.reportInput === "typeAndValue") {
+			if (isPrimitive(value)) {
+				const valueStr = stringify(value, {
+					wrapStringValueInQuote: true,
+					localization: options.numberLocalization
+				});
+				message += ` (${valueStr})`;
+			} else if (value instanceof Date) {
+				const valueStr = stringify(value, { localization: options.dateLocalization });
+				message += ` (${valueStr})`;
+			}
+		}
+	}
+	return {
+		type: issue.code,
+		path: issue.path,
+		message
+	};
+}
+function getTypeName(value) {
+	if (typeof value === "object") {
+		if (value === null) return "null";
+		if (value === void 0) return "undefined";
+		if (Array.isArray(value)) return "array";
+		if (value instanceof Date) return "date";
+		if (value instanceof RegExp) return "regexp";
+		if (value instanceof Map) return "map";
+		if (value instanceof Set) return "set";
+		if (value instanceof Error) return "error";
+		if (value instanceof Function) return "function";
+		return "object";
+	}
+	return typeof value;
+}
+function parseInvalidUnionIssue(issue) {
+	return {
+		type: issue.code,
+		path: issue.path,
+		message: issue.message ?? "Invalid input"
+	};
+}
+function joinValues(values, options) {
+	const valuesToDisplay = (options.maxValuesToDisplay ? values.slice(0, options.maxValuesToDisplay) : values).map((value) => {
+		return stringify(value, { wrapStringValueInQuote: options.wrapStringValuesInQuote });
+	});
+	if (valuesToDisplay.length < values.length) valuesToDisplay.push(`${values.length - valuesToDisplay.length} more value(s)`);
+	return valuesToDisplay.reduce((acc, value, index) => {
+		if (index > 0) if (index === valuesToDisplay.length - 1 && options.lastSeparator) acc += options.lastSeparator;
+		else acc += options.separator;
+		acc += value;
+		return acc;
+	}, "");
+}
+function parseInvalidValueIssue(issue, options) {
+	let message;
+	if (issue.expected === "stringbool") message = "expected boolean as string";
+	else if (issue.values.length === 0) message = "invalid value";
+	else if (issue.values.length === 1) message = `expected value to be ${stringify(issue.values[0], { wrapStringValueInQuote: true })}`;
+	else message = `expected value to be one of ${joinValues(issue.values, {
+		separator: options.allowedValuesSeparator,
+		lastSeparator: options.allowedValuesLastSeparator,
+		wrapStringValuesInQuote: options.wrapAllowedValuesInQuote,
+		maxValuesToDisplay: options.maxAllowedValuesToDisplay
+	})}`;
+	if ("input" in issue && options.reportInput === "typeAndValue") {
+		if (isPrimitive(issue.input)) {
+			const valueStr = stringify(issue.input, {
+				wrapStringValueInQuote: true,
+				localization: options.numberLocalization
+			});
+			message += `, received ${valueStr}`;
+		} else if (issue.input instanceof Date) {
+			const valueStr = stringify(issue.input, { localization: options.dateLocalization });
+			message += `, received ${valueStr}`;
+		}
+	}
+	return {
+		type: issue.code,
+		path: issue.path,
+		message
+	};
+}
+function parseNotMultipleOfIssue(issue, options) {
+	let message = `expected multiple of ${issue.divisor}`;
+	if ("input" in issue && options.reportInput === "typeAndValue") {
+		const valueStr = stringify(issue.input, {
+			wrapStringValueInQuote: true,
+			localization: options.numberLocalization
+		});
+		message += `, received ${valueStr}`;
+	}
+	return {
+		type: issue.code,
+		path: issue.path,
+		message
+	};
+}
+function parseTooBigIssue(issue, options) {
+	const maxValueStr = issue.origin === "date" ? stringify(new Date(issue.maximum), { localization: options.dateLocalization }) : stringify(issue.maximum, { localization: options.numberLocalization });
+	let message = "";
+	switch (issue.origin) {
+		case "number":
+		case "int":
+		case "bigint":
+			message += `expected number to be less than${issue.inclusive ? " or equal to" : ""} ${maxValueStr}`;
+			break;
+		case "string":
+			message += `expected string to contain at most ${maxValueStr} character(s)`;
+			break;
+		case "date":
+			message += `expected date to be prior ${issue.inclusive ? "or equal to" : "to"} "${maxValueStr}"`;
+			break;
+		case "array":
+			message += `expected array to contain at most ${maxValueStr} item(s)`;
+			break;
+		case "set":
+			message += `expected set to contain at most ${maxValueStr} item(s)`;
+			break;
+		case "file":
+			message += `expected file to not exceed ${maxValueStr} byte(s) in size`;
+			break;
+		default: message += `expected value to be less than${issue.inclusive ? " or equal to" : ""} ${maxValueStr}`;
+	}
+	if ("input" in issue && options.reportInput === "typeAndValue") {
+		const value = issue.input;
+		if (isPrimitive(value)) {
+			const valueStr = stringify(value, {
+				wrapStringValueInQuote: true,
+				localization: options.numberLocalization
+			});
+			message += `, received ${valueStr}`;
+		} else if (value instanceof Date) {
+			const valueStr = stringify(value, { localization: options.dateLocalization });
+			message += `, received ${valueStr}`;
+		}
+	}
+	return {
+		type: issue.code,
+		path: issue.path,
+		message
+	};
+}
+function parseTooSmallIssue(issue, options) {
+	const minValueStr = issue.origin === "date" ? stringify(new Date(issue.minimum), { localization: options.dateLocalization }) : stringify(issue.minimum, { localization: options.numberLocalization });
+	let message = "";
+	switch (issue.origin) {
+		case "number":
+		case "int":
+		case "bigint":
+			message += `expected number to be greater than${issue.inclusive ? " or equal to" : ""} ${minValueStr}`;
+			break;
+		case "date":
+			message += `expected date to be ${issue.inclusive ? "later or equal to" : "later to"} "${minValueStr}"`;
+			break;
+		case "string":
+			message += `expected string to contain at least ${minValueStr} character(s)`;
+			break;
+		case "array":
+			message += `expected array to contain at least ${minValueStr} item(s)`;
+			break;
+		case "set":
+			message += `expected set to contain at least ${minValueStr} item(s)`;
+			break;
+		case "file":
+			message += `expected file to be at least ${minValueStr} byte(s) in size`;
+			break;
+		default: message += `expected value to be greater than${issue.inclusive ? " or equal to" : ""} ${minValueStr}`;
+	}
+	if ("input" in issue && options.reportInput === "typeAndValue") {
+		const value = issue.input;
+		if (isPrimitive(value)) {
+			const valueStr = stringify(value, {
+				wrapStringValueInQuote: true,
+				localization: options.numberLocalization
+			});
+			message += `, received ${valueStr}`;
+		} else if (value instanceof Date) {
+			const valueStr = stringify(value, { localization: options.dateLocalization });
+			message += `, received ${valueStr}`;
+		}
+	}
+	return {
+		type: issue.code,
+		path: issue.path,
+		message
+	};
+}
+function parseUnrecognizedKeysIssue(issue, options) {
+	const keysStr = joinValues(issue.keys, {
+		separator: options.unrecognizedKeysSeparator,
+		lastSeparator: options.unrecognizedKeysLastSeparator,
+		wrapStringValuesInQuote: options.wrapUnrecognizedKeysInQuote,
+		maxValuesToDisplay: options.maxUnrecognizedKeysToDisplay
+	});
+	return {
+		type: issue.code,
+		path: issue.path,
+		message: `unrecognized key(s) ${keysStr} in object`
+	};
+}
+var issueParsers = {
+	invalid_type: parseInvalidTypeIssue,
+	too_big: parseTooBigIssue,
+	too_small: parseTooSmallIssue,
+	invalid_format: parseInvalidStringFormatIssue,
+	invalid_value: parseInvalidValueIssue,
+	invalid_element: parseInvalidElementIssue,
+	not_multiple_of: parseNotMultipleOfIssue,
+	unrecognized_keys: parseUnrecognizedKeysIssue,
+	invalid_key: parseInvalidKeyIssue,
+	custom: parseCustomIssue,
+	invalid_union: parseInvalidUnionIssue
+};
+var defaultErrorMapOptions = {
+	reportInput: "type",
+	displayInvalidFormatDetails: false,
+	allowedValuesSeparator: ", ",
+	allowedValuesLastSeparator: " or ",
+	wrapAllowedValuesInQuote: true,
+	maxAllowedValuesToDisplay: 10,
+	unrecognizedKeysSeparator: ", ",
+	unrecognizedKeysLastSeparator: " and ",
+	wrapUnrecognizedKeysInQuote: true,
+	maxUnrecognizedKeysToDisplay: 5,
+	dateLocalization: true,
+	numberLocalization: true
+};
+function createErrorMap(partialOptions = {}) {
+	const options = {
+		...defaultErrorMapOptions,
+		...partialOptions
+	};
+	const errorMap = (issue) => {
+		if (issue.code === void 0) return "Not supported issue type";
+		const parseFunc = issueParsers[issue.code];
+		return parseFunc(issue, options).message;
+	};
+	return errorMap;
+}
+function isNonEmptyArray(value) {
+	return value.length !== 0;
+}
+var identifierRegex = /[$_\p{ID_Start}][$\u200c\u200d\p{ID_Continue}]*/u;
+function joinPath(path) {
+	if (path.length === 1) {
+		let propertyKey = path[0];
+		if (typeof propertyKey === "symbol") propertyKey = stringifySymbol(propertyKey);
+		return propertyKey.toString() || "\"\"";
+	}
+	return path.reduce((acc, propertyKey) => {
+		if (typeof propertyKey === "number") return acc + "[" + propertyKey.toString() + "]";
+		if (typeof propertyKey === "symbol") propertyKey = stringifySymbol(propertyKey);
+		if (propertyKey.includes("\"")) return acc + "[\"" + escapeQuotes(propertyKey) + "\"]";
+		if (!identifierRegex.test(propertyKey)) return acc + "[\"" + propertyKey + "\"]";
+		return acc + (acc.length === 0 ? "" : ".") + propertyKey;
+	}, "");
+}
+function escapeQuotes(str) {
+	return str.replace(/"/g, "\\\"");
+}
+function titleCase(value) {
+	if (value.length === 0) return value;
+	return value.charAt(0).toUpperCase() + value.slice(1);
+}
+var defaultMessageBuilderOptions = {
+	prefix: "Validation error",
+	prefixSeparator: ": ",
+	maxIssuesInMessage: 99,
+	unionSeparator: " or ",
+	issueSeparator: "; ",
+	includePath: true,
+	forceTitleCase: true
+};
+function createMessageBuilder(partialOptions = {}) {
+	const options = {
+		...defaultMessageBuilderOptions,
+		...partialOptions
+	};
+	return function messageBuilder(issues) {
+		return conditionallyPrefixMessage(issues.slice(0, options.maxIssuesInMessage).map((issue) => mapIssue(issue, options)).join(options.issueSeparator), options);
+	};
+}
+function mapIssue(issue, options) {
+	if (issue.code === "invalid_union" && isNonEmptyArray(issue.errors)) {
+		const individualMessages = issue.errors.map((issues) => issues.map((subIssue) => mapIssue({
+			...subIssue,
+			path: issue.path.concat(subIssue.path)
+		}, options)).join(options.issueSeparator));
+		return Array.from(new Set(individualMessages)).join(options.unionSeparator);
+	}
+	const buf = [];
+	if (options.forceTitleCase) buf.push(titleCase(issue.message));
+	else buf.push(issue.message);
+	pathCondition: if (options.includePath && issue.path !== void 0 && isNonEmptyArray(issue.path)) {
+		if (issue.path.length === 1) {
+			const identifier = issue.path[0];
+			if (typeof identifier === "number") {
+				buf.push(` at index ${identifier}`);
+				break pathCondition;
+			}
+		}
+		buf.push(` at "${joinPath(issue.path)}"`);
+	}
+	return buf.join("");
+}
+function conditionallyPrefixMessage(message, options) {
+	if (options.prefix != null) {
+		if (message.length > 0) return [options.prefix, message].join(options.prefixSeparator);
+		return options.prefix;
+	}
+	if (message.length > 0) return message;
+	return defaultMessageBuilderOptions.prefix;
+}
+function fromZodErrorWithoutRuntimeCheck(zodError, options = {}) {
+	const zodIssues = zodError.issues;
+	let message;
+	if (isNonEmptyArray(zodIssues)) message = createMessageBuilderFromOptions(options)(zodIssues);
+	else message = zodError.message;
+	return new ValidationError$2(message, { cause: zodError });
+}
+function createMessageBuilderFromOptions(options) {
+	if ("messageBuilder" in options) return options.messageBuilder;
+	return createMessageBuilder(options);
+}
+var toValidationError = (options = {}) => (err) => {
+	if (isZodErrorLike(err)) return fromZodErrorWithoutRuntimeCheck(err, options);
+	if (err instanceof Error) return new ValidationError$2(err.message, { cause: err });
+	return new ValidationError$2("Unknown error");
+};
+function fromError(err, options = {}) {
+	return toValidationError(options)(err);
+}
+
+//#endregion
+//#region ../utils/src/zod-error.ts
+z$1.config({ customError: createErrorMap() });
+function formatZodError$1(error) {
+	if (!error) return "";
+	return fromError(error, {
+		prefix: "",
+		prefixSeparator: "✖ ",
+		issueSeparator: "\n✖ "
+	}).toString();
+}
+
 //#endregion
 //#region ../utils/src/error/OpenId4VcBaseError.ts
 var OpenId4VcBaseError$1 = class extends Error {};
@@ -356,7 +884,7 @@ var OpenId4VcBaseError$1 = class extends Error {};
 var ValidationError$1 = class extends OpenId4VcBaseError$1 {
 	constructor(message, zodError) {
 		super(message);
-		this.message = `${message}\n${zodError ? z$1.prettifyError(zodError) : ""}`;
+		this.message = `${message}\n${zodError ? formatZodError$1(zodError) : ""}`;
 		Object.defineProperty(this, "zodError", {
 			value: zodError,
 			writable: false,
@@ -1074,12 +1602,14 @@ function parsePushedAuthorizationRequestUriReferenceValue(options) {
 const zAuthorizationResponse = z$1.object({
 	state: z$1.string().optional(),
 	code: z$1.string().nonempty(),
+	iss: zHttpsUrl.optional(),
 	error: z$1.optional(z$1.never())
 }).loose();
 const zAuthorizationResponseFromUriParams = z$1.url().transform((url) => Object.fromEntries(new URL(url).searchParams)).pipe(zAuthorizationResponse);
 const zAuthorizationErrorResponse = z$1.object({
 	...zOauth2ErrorResponse.shape,
 	state: z$1.string().optional(),
+	iss: zHttpsUrl.optional(),
 	code: z$1.optional(z$1.never())
 }).loose();
 
@@ -1100,6 +1630,30 @@ function parseAuthorizationResponseRedirectUrl(options) {
 	return parsedAuthorizationResponse.data;
 }
 
+//#endregion
+//#region src/authorization-response/verify-authorization-response.ts
+/**
+* Verifies an authorization (error) response.
+*
+* Currently it only verifies that the 'iss' value in an authorization (error) response matches the 'issuer' value of the authorization server metadata
+* according to RFC 9207.
+*
+* You can call this method after calling `parseAuthorizationResponse` and having fetched the associated session/authorization server
+* for the authorization response, to be able to verify the issuer
+*/
+function verifyAuthorizationResponse({ authorizationResponse, authorizationServerMetadata }) {
+	const expectedIssuer = authorizationServerMetadata.issuer;
+	const responseIssuer = authorizationResponse.iss;
+	if (authorizationServerMetadata.authorization_response_iss_parameter_supported && !responseIssuer) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: "Authorization server requires 'iss' parameter in authorization response (authorization_response_iss_parameter_supported), but no 'iss' parameter is present in the authorization response."
+	});
+	if (responseIssuer && responseIssuer !== expectedIssuer) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: "The 'iss' value in the authorization response does not match the expected 'issuer' value from the authorization server metadata."
+	});
+}
+
 //#endregion
 //#region src/z-grant-type.ts
 const zPreAuthorizedCodeGrantIdentifier = z$1.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
@@ -1590,7 +2144,8 @@ const zAuthorizationServerMetadata = z$1.object({
 	introspection_endpoint_auth_signing_alg_values_supported: z$1.optional(z$1.array(zAlgValueNotNone)),
 	authorization_challenge_endpoint: z$1.optional(zHttpsUrl),
 	"pre-authorized_grant_anonymous_access_supported": z$1.optional(z$1.boolean()),
-	client_attestation_pop_nonce_required: z$1.boolean().optional()
+	client_attestation_pop_nonce_required: z$1.boolean().optional(),
+	authorization_response_iss_parameter_supported: z$1.boolean().optional()
 }).loose().refine(({ introspection_endpoint_auth_methods_supported: methodsSupported, introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported }) => {
 	if (!methodsSupported) return true;
 	if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
@@ -1621,6 +2176,7 @@ async function fetchAuthorizationServerMetadata(issuer, fetch) {
 	if (!authorizationServerResult) authorizationServerResult = await fetchWellKnownMetadata(openIdConfigurationWellKnownMetadataUrl, zAuthorizationServerMetadata, { fetch }).catch((error) => {
 		throw firstError ?? error;
 	});
+	if (!authorizationServerResult && firstError) throw firstError;
 	if (authorizationServerResult && authorizationServerResult.issuer !== issuer) throw new Oauth2Error(`The 'issuer' parameter '${authorizationServerResult.issuer}' in the well known authorization server metadata at '${authorizationServerWellKnownMetadataUrl}' does not match the provided issuer '${issuer}'.`);
 	return authorizationServerResult;
 }
@@ -2829,6 +3385,18 @@ var Oauth2Client = class {
 	async resourceRequest(options) {
 		return resourceRequest(options);
 	}
+	/**
+	* Parses an authorization response redirect URL into an authorization (error) response.
+	*
+	* Make sure to call `Oauth2Client.verifyAuthorizationResponse` after fetching the session
+	* based on the parsed response, to ensure the authorization response `iss` value is verified.
+	*/
+	parseAuthorizationResponseRedirectUrl(options) {
+		return parseAuthorizationResponseRedirectUrl(options);
+	}
+	verifyAuthorizationResponse(options) {
+		return verifyAuthorizationResponse(options);
+	}
 };
 
 //#endregion
@@ -2985,5 +3553,5 @@ async function verifyResourceRequest(options) {
 }
 
 //#endregion
-export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, createJarAuthorizationRequest, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm, jwtAuthorizationRequestJwtHeaderTyp, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, parsePushedAuthorizationRequestUriReferenceValue, preAuthorizedCodeGrantIdentifier, pushedAuthorizationRequestUriPrefix, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, signedAuthorizationRequestJwtHeaderTyp, validateJarRequestParams, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationErrorResponse, zAuthorizationResponse, zAuthorizationResponseFromUriParams, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJarAuthorizationRequest, zJarRequestObjectPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zPushedAuthorizationRequestUriPrefix, zRefreshTokenGrantIdentifier };
+export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, createClientAttestationJwt, createJarAuthorizationRequest, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm, jwtAuthorizationRequestJwtHeaderTyp, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, parsePushedAuthorizationRequestUriReferenceValue, preAuthorizedCodeGrantIdentifier, pushedAuthorizationRequestUriPrefix, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, signedAuthorizationRequestJwtHeaderTyp, validateJarRequestParams, verifyAuthorizationResponse, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationErrorResponse, zAuthorizationResponse, zAuthorizationResponseFromUriParams, zAuthorizationServerMetadata, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJarAuthorizationRequest, zJarRequestObjectPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zPushedAuthorizationRequestUriPrefix, zRefreshTokenGrantIdentifier };
 //# sourceMappingURL=index.mjs.map