@openid4vc/oauth2 0.4.6-alpha-20260201172333 → 0.5.0-alpha-20260202155954

package/dist/index.mjs

@@ -1009,6 +1009,7 @@ let Oauth2ErrorCodes = /* @__PURE__ */ function(Oauth2ErrorCodes$1) {
 	Oauth2ErrorCodes$1["InvalidTransactionId"] = "invalid_transaction_id";
 	Oauth2ErrorCodes$1["UnsupportedCredentialType"] = "unsupported_credential_type";
 	Oauth2ErrorCodes$1["UnsupportedCredentialFormat"] = "unsupported_credential_format";
+	Oauth2ErrorCodes$1["MissingInteractionType"] = "missing_interaction_type";
 	Oauth2ErrorCodes$1["InvalidRequestUri"] = "invalid_request_uri";
 	Oauth2ErrorCodes$1["InvalidRequestObject"] = "invalid_request_object";
 	Oauth2ErrorCodes$1["RequestNotSupported"] = "request_not_supported";
@@ -1038,149 +1039,6 @@ var Oauth2ServerErrorResponseError = class extends Oauth2Error {
 	}
 };
 
-//#endregion
-//#region src/common/jwt/z-jwe.ts
-const zCompactJwe = z.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, { message: "Not a valid compact jwe" });
-
-//#endregion
-//#region src/jar/z-jar-authorization-request.ts
-const zJarAuthorizationRequest = z.object({
-	request: z.optional(z.string()),
-	request_uri: z.optional(zHttpsUrl),
-	client_id: z.optional(z.string())
-}).loose();
-function validateJarRequestParams(options) {
-	const { jarRequestParams } = options;
-	if (jarRequestParams.request && jarRequestParams.request_uri) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "request and request_uri cannot both be present in a JAR request"
-	});
-	if (!jarRequestParams.request && !jarRequestParams.request_uri) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "request or request_uri must be present"
-	});
-	return jarRequestParams;
-}
-function isJarAuthorizationRequest(request) {
-	return "request" in request || "request_uri" in request;
-}
-
-//#endregion
-//#region src/jar/z-jar-request-object.ts
-const zJarRequestObjectPayload = z.object({
-	...zJwtPayload.shape,
-	client_id: z.string()
-}).loose();
-const zSignedAuthorizationRequestJwtHeaderTyp = z.literal("oauth-authz-req+jwt");
-const signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
-const zJwtAuthorizationRequestJwtHeaderTyp = z.literal("jwt");
-const jwtAuthorizationRequestJwtHeaderTyp = zJwtAuthorizationRequestJwtHeaderTyp.value;
-
-//#endregion
-//#region src/jar/handle-jar-request/verify-jar-request.ts
-/**
-* Parse a JAR (JWT Secured Authorization Request) request by validating and optionally fetch from uri.
-*
-* @param options - The input parameters
-* @param options.jarRequestParams - The JAR authorization request parameters
-* @param options.callbacks - Context containing the relevant Jose crypto operations
-* @returns An object containing the transmission method ('value' or 'reference') and the JWT request object.
-*/
-async function parseJarRequest(options) {
-	const { callbacks } = options;
-	const jarRequestParams = {
-		...validateJarRequestParams(options),
-		...options.jarRequestParams
-	};
-	return {
-		sendBy: jarRequestParams.request ? "value" : "reference",
-		authorizationRequestJwt: jarRequestParams.request ?? await fetchJarRequestObject({
-			requestUri: jarRequestParams.request_uri,
-			fetch: callbacks.fetch
-		})
-	};
-}
-/**
-* Verifies a JAR (JWT Secured Authorization Request) request by validating and verifying signatures.
-*
-* @param options - The input parameters
-* @param options.jarRequestParams - The JAR authorization request parameters
-* @param options.callbacks - Context containing the relevant Jose crypto operations
-* @returns The verified authorization request parameters and metadata
-*/
-async function verifyJarRequest(options) {
-	const { jarRequestParams, authorizationRequestJwt, callbacks, jwtSigner } = options;
-	if (zCompactJwe.safeParse(authorizationRequestJwt).success) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "Encrypted JWE request objects are not supported."
-	});
-	if (!zCompactJwt.safeParse(authorizationRequestJwt).success) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "JAR request object is not a valid JWT."
-	});
-	const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({
-		authorizationRequestJwt,
-		callbacks,
-		jwtSigner
-	});
-	if (!authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "Jar Request Object is missing the required \"client_id\" field."
-	});
-	if (jarRequestParams.client_id !== authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: "client_id does not match the request object client_id."
-	});
-	return {
-		jwt,
-		authorizationRequestPayload,
-		signer
-	};
-}
-async function fetchJarRequestObject(options) {
-	const { requestUri, fetch } = options;
-	const response = await createFetcher(fetch)(requestUri, {
-		method: "get",
-		headers: {
-			Accept: `${ContentType.OAuthAuthorizationRequestJwt}, ${ContentType.Jwt};q=0.9, text/plain`,
-			"Content-Type": ContentType.XWwwFormUrlencoded
-		}
-	}).catch(() => {
-		throw new Oauth2ServerErrorResponseError({
-			error_description: `Fetching request_object from request_uri '${requestUri}' failed`,
-			error: Oauth2ErrorCodes.InvalidRequestUri
-		});
-	});
-	if (!response.ok) throw new Oauth2ServerErrorResponseError({
-		error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
-		error: Oauth2ErrorCodes.InvalidRequestUri
-	});
-	return await response.text();
-}
-async function verifyJarRequestObject(options) {
-	const { authorizationRequestJwt, callbacks, jwtSigner } = options;
-	const jwt = decodeJwt({
-		jwt: authorizationRequestJwt,
-		payloadSchema: zJarRequestObjectPayload
-	});
-	const { signer } = await verifyJwt({
-		verifyJwtCallback: callbacks.verifyJwt,
-		compact: authorizationRequestJwt,
-		header: jwt.header,
-		payload: jwt.payload,
-		signer: jwtSigner
-	});
-	if (jwt.header.typ !== signedAuthorizationRequestJwtHeaderTyp && jwt.header.typ !== jwtAuthorizationRequestJwtHeaderTyp) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt" or "jwt", received "${jwt.header.typ}".`
-	});
-	return {
-		signer,
-		jwt,
-		authorizationRequestPayload: jwt.payload
-	};
-}
-
 //#endregion
 //#region src/client-attestation/z-client-attestation.ts
 const zOauthClientAttestationHeader = z$1.literal("OAuth-Client-Attestation");
@@ -1516,6 +1374,153 @@ function parseAuthorizationRequest(options) {
 	};
 }
 
+//#endregion
+//#region src/common/jwt/z-jwe.ts
+const zCompactJwe = z.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, { message: "Not a valid compact jwe" });
+
+//#endregion
+//#region src/jar/z-jar-authorization-request.ts
+const zJarAuthorizationRequest = z.object({
+	request: z.optional(z.string()),
+	request_uri: z.optional(zHttpsUrl),
+	client_id: z.optional(z.string())
+}).loose();
+function validateJarRequestParams(options) {
+	const { jarRequestParams, allowRequestUri = true } = options;
+	if (jarRequestParams.request && jarRequestParams.request_uri) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "request and request_uri cannot both be present in a JAR request"
+	});
+	if (!jarRequestParams.request && !jarRequestParams.request_uri) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "request or request_uri must be present"
+	});
+	if (jarRequestParams.request_uri && !allowRequestUri) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "request_uri is not allowed"
+	});
+	return jarRequestParams;
+}
+function isJarAuthorizationRequest(request) {
+	return "request" in request || "request_uri" in request;
+}
+
+//#endregion
+//#region src/jar/z-jar-request-object.ts
+const zJarRequestObjectPayload = z.object({
+	...zJwtPayload.shape,
+	client_id: z.string()
+}).loose();
+const zSignedAuthorizationRequestJwtHeaderTyp = z.literal("oauth-authz-req+jwt");
+const signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
+const zJwtAuthorizationRequestJwtHeaderTyp = z.literal("jwt");
+const jwtAuthorizationRequestJwtHeaderTyp = zJwtAuthorizationRequestJwtHeaderTyp.value;
+
+//#endregion
+//#region src/jar/handle-jar-request/verify-jar-request.ts
+/**
+* Parse a JAR (JWT Secured Authorization Request) request by validating and optionally fetch from uri.
+*
+* @param options - The input parameters
+* @param options.jarRequestParams - The JAR authorization request parameters
+* @param options.callbacks - Context containing the relevant Jose crypto operations
+* @returns An object containing the transmission method ('value' or 'reference') and the JWT request object.
+*/
+async function parseJarRequest(options) {
+	const { callbacks } = options;
+	const jarRequestParams = {
+		...validateJarRequestParams(options),
+		...options.jarRequestParams
+	};
+	return {
+		sendBy: jarRequestParams.request ? "value" : "reference",
+		authorizationRequestJwt: jarRequestParams.request ?? await fetchJarRequestObject({
+			requestUri: jarRequestParams.request_uri,
+			fetch: callbacks.fetch
+		})
+	};
+}
+/**
+* Verifies a JAR (JWT Secured Authorization Request) request by validating and verifying signatures.
+*
+* @param options - The input parameters
+* @param options.jarRequestParams - The JAR authorization request parameters
+* @param options.callbacks - Context containing the relevant Jose crypto operations
+* @returns The verified authorization request parameters and metadata
+*/
+async function verifyJarRequest(options) {
+	const { jarRequestParams, authorizationRequestJwt, callbacks, jwtSigner } = options;
+	if (zCompactJwe.safeParse(authorizationRequestJwt).success) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "Encrypted JWE request objects are not supported."
+	});
+	if (!zCompactJwt.safeParse(authorizationRequestJwt).success) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "JAR request object is not a valid JWT."
+	});
+	const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({
+		authorizationRequestJwt,
+		callbacks,
+		jwtSigner
+	});
+	if (!authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: "Jar Request Object is missing the required \"client_id\" field."
+	});
+	if (jarRequestParams.client_id !== authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: "client_id does not match the request object client_id."
+	});
+	return {
+		jwt,
+		authorizationRequestPayload,
+		signer
+	};
+}
+async function fetchJarRequestObject(options) {
+	const { requestUri, fetch } = options;
+	const response = await createFetcher(fetch)(requestUri, {
+		method: "get",
+		headers: {
+			Accept: `${ContentType.OAuthAuthorizationRequestJwt}, ${ContentType.Jwt};q=0.9, text/plain`,
+			"Content-Type": ContentType.XWwwFormUrlencoded
+		}
+	}).catch(() => {
+		throw new Oauth2ServerErrorResponseError({
+			error_description: `Fetching request_object from request_uri '${requestUri}' failed`,
+			error: Oauth2ErrorCodes.InvalidRequestUri
+		});
+	});
+	if (!response.ok) throw new Oauth2ServerErrorResponseError({
+		error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
+		error: Oauth2ErrorCodes.InvalidRequestUri
+	});
+	return await response.text();
+}
+async function verifyJarRequestObject(options) {
+	const { authorizationRequestJwt, callbacks, jwtSigner } = options;
+	const jwt = decodeJwt({
+		jwt: authorizationRequestJwt,
+		payloadSchema: zJarRequestObjectPayload
+	});
+	const { signer } = await verifyJwt({
+		verifyJwtCallback: callbacks.verifyJwt,
+		compact: authorizationRequestJwt,
+		header: jwt.header,
+		payload: jwt.payload,
+		signer: jwtSigner
+	});
+	if (jwt.header.typ !== signedAuthorizationRequestJwtHeaderTyp && jwt.header.typ !== jwtAuthorizationRequestJwtHeaderTyp) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequestObject,
+		error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt" or "jwt", received "${jwt.header.typ}".`
+	});
+	return {
+		signer,
+		jwt,
+		authorizationRequestPayload: jwt.payload
+	};
+}
+
 //#endregion
 //#region src/authorization-request/z-authorization-request.ts
 const zPushedAuthorizationRequestUriPrefix = z$1.literal("urn:ietf:params:oauth:request_uri:");
@@ -1550,7 +1555,7 @@ const zPushedAuthorizationResponse = z$1.object({
 */
 async function parsePushedAuthorizationRequest(options) {
 	const parsed = parseWithErrorHandling(z$1.union([zAuthorizationRequest, zJarAuthorizationRequest]), options.authorizationRequest, "Invalid authorization request. Could not parse authorization request or jar.");
-	let parsedAuthorizationRequest;
+	let authorizationRequest;
 	let authorizationRequestJwt;
 	if (isJarAuthorizationRequest(parsed)) {
 		const parsedJar = await parseJarRequest({
@@ -1558,20 +1563,14 @@ async function parsePushedAuthorizationRequest(options) {
 			callbacks: options.callbacks
 		});
 		const jwt = decodeJwt({ jwt: parsedJar.authorizationRequestJwt });
-		parsedAuthorizationRequest = zAuthorizationRequest.safeParse(jwt.payload);
+		const parsedAuthorizationRequest = zAuthorizationRequest.safeParse(jwt.payload);
 		if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
 			error: Oauth2ErrorCodes.InvalidRequest,
 			error_description: `Invalid authorization request. Could not parse jar request payload.\n${formatZodError(parsedAuthorizationRequest.error)}`
 		});
+		authorizationRequest = parsedAuthorizationRequest.data;
 		authorizationRequestJwt = parsedJar.authorizationRequestJwt;
-	} else {
-		parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
-		if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Error occurred during validation of pushed authorization request.\n${formatZodError(parsedAuthorizationRequest.error)}`
-		});
-	}
-	const authorizationRequest = parsedAuthorizationRequest.data;
+	} else authorizationRequest = parsed;
 	const { clientAttestation, dpop } = parseAuthorizationRequest({
 		authorizationRequest,
 		request: options.request
@@ -1597,6 +1596,72 @@ function parsePushedAuthorizationRequestUriReferenceValue(options) {
 	return options.uri.substring(pushedAuthorizationRequestUriPrefix.length);
 }
 
+//#endregion
+//#region src/authorization-request/verify-authorization-request.ts
+async function verifyAuthorizationRequest(options) {
+	const dpopResult = options.dpop ? await verifyAuthorizationRequestDpop(options.dpop, options.request, options.callbacks, options.now) : void 0;
+	const clientAttestationResult = options.clientAttestation ? await verifyAuthorizationRequestClientAttestation(options.clientAttestation, options.authorizationServerMetadata, options.callbacks, dpopResult?.jwkThumbprint, options.now, options.authorizationRequest.client_id) : void 0;
+	return {
+		dpop: dpopResult?.jwkThumbprint ? {
+			jwkThumbprint: dpopResult.jwkThumbprint,
+			jwk: dpopResult.jwk
+		} : void 0,
+		clientAttestation: clientAttestationResult
+	};
+}
+async function verifyAuthorizationRequestClientAttestation(options, authorizationServerMetadata, callbacks, dpopJwkThumbprint, now, requestClientId) {
+	if (!options.clientAttestationJwt || !options.clientAttestationPopJwt) {
+		if (!options.required && !options.clientAttestationJwt && !options.clientAttestationPopJwt) return;
+		throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidClient,
+			error_description: `Missing required client attestation parameters in pushed authorization request. Make sure to provide the '${oauthClientAttestationHeader}' and '${oauthClientAttestationPopHeader}' header values.`
+		});
+	}
+	const verifiedClientAttestation = await verifyClientAttestation({
+		authorizationServer: authorizationServerMetadata.issuer,
+		callbacks,
+		clientAttestationJwt: options.clientAttestationJwt,
+		clientAttestationPopJwt: options.clientAttestationPopJwt,
+		now
+	});
+	if (requestClientId && requestClientId !== verifiedClientAttestation.clientAttestation.payload.sub) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidClient,
+		error_description: `The client_id '${requestClientId}' in the request does not match the client id '${verifiedClientAttestation.clientAttestation.payload.sub}' in the client attestation`
+	}, { status: 401 });
+	if (options.ensureConfirmationKeyMatchesDpopKey && dpopJwkThumbprint) {
+		if (await calculateJwkThumbprint({
+			hashAlgorithm: HashAlgorithm.Sha256,
+			hashCallback: callbacks.hash,
+			jwk: verifiedClientAttestation.clientAttestation.payload.cnf.jwk
+		}) !== dpopJwkThumbprint) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: "Expected the DPoP JWK thumbprint value to match the JWK thumbprint of the client attestation confirmation JWK. Ensure both DPoP and client attestation use the same key."
+		}, { status: 401 });
+	}
+	return verifiedClientAttestation;
+}
+async function verifyAuthorizationRequestDpop(options, request, callbacks, now) {
+	if (options.required && !options.jwt && !options.jwkThumbprint) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidDpopProof,
+		error_description: `Missing required DPoP parameters in authorization request. Either DPoP header or 'dpop_jkt' is required.`
+	});
+	const verifyDpopResult = options.jwt ? await verifyDpopJwt({
+		callbacks,
+		dpopJwt: options.jwt,
+		request,
+		allowedSigningAlgs: options.allowedSigningAlgs,
+		now
+	}) : void 0;
+	if (options.jwkThumbprint && verifyDpopResult && options.jwkThumbprint !== verifyDpopResult.jwkThumbprint) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidDpopProof,
+		error_description: `DPoP jwk thumbprint does not match with 'dpop_jkt' provided in authorization request`
+	});
+	return {
+		jwk: verifyDpopResult?.header.jwk,
+		jwkThumbprint: verifyDpopResult?.jwkThumbprint ?? options.jwkThumbprint
+	};
+}
+
 //#endregion
 //#region src/authorization-response/z-authorization-response.ts
 const zAuthorizationResponse = z$1.object({
@@ -1926,6 +1991,44 @@ var Oauth2ClientErrorResponseError = class extends Oauth2Error {
 	}
 };
 
+//#endregion
+//#region src/dpop/dpop-retry.ts
+async function authorizationServerRequestWithDpopRetry(options) {
+	try {
+		return await options.request(options.dpop);
+	} catch (error) {
+		if (options.dpop && error instanceof Oauth2ClientErrorResponseError) {
+			const dpopRetry = shouldRetryAuthorizationServerRequestWithDPoPNonce({
+				responseHeaders: error.response.headers,
+				errorResponse: error.errorResponse
+			});
+			if (dpopRetry.retry) return options.request({
+				...options.dpop,
+				nonce: dpopRetry.dpopNonce
+			});
+		}
+		throw error;
+	}
+}
+function shouldRetryAuthorizationServerRequestWithDPoPNonce(options) {
+	if (options.errorResponse.error !== "use_dpop_nonce") return { retry: false };
+	const dpopNonce = extractDpopNonceFromHeaders(options.responseHeaders);
+	if (!dpopNonce) throw new Oauth2Error(`Error response error contains error 'use_dpop_nonce' but the response headers do not include a valid 'DPoP-Nonce' header value.`);
+	return {
+		retry: true,
+		dpopNonce
+	};
+}
+function shouldRetryResourceRequestWithDPoPNonce(options) {
+	if (!options.resourceUnauthorizedError.wwwAuthenticateHeaders.find((challenge) => challenge.scheme === SupportedAuthenticationScheme.DPoP && challenge.error === Oauth2ErrorCodes.UseDpopNonce)) return { retry: false };
+	const dpopNonce = extractDpopNonceFromHeaders(options.responseHeaders);
+	if (!dpopNonce || typeof dpopNonce !== "string") throw new Oauth2Error(`Resource request error in 'WWW-Authenticate' response header contains error 'use_dpop_nonce' but the response headers do not include a valid 'DPoP-Nonce' value.`);
+	return {
+		retry: true,
+		dpopNonce
+	};
+}
+
 //#endregion
 //#region src/error/Oauth2ClientAuthorizationChallengeError.ts
 var Oauth2ClientAuthorizationChallengeError = class extends Oauth2ClientErrorResponseError {
@@ -2145,6 +2248,8 @@ const zAuthorizationServerMetadata = z$1.object({
 	introspection_endpoint_auth_methods_supported: z$1.optional(z$1.array(z$1.union([knownClientAuthenticationMethod, z$1.string()]))),
 	introspection_endpoint_auth_signing_alg_values_supported: z$1.optional(z$1.array(zAlgValueNotNone)),
 	authorization_challenge_endpoint: z$1.optional(zHttpsUrl),
+	interactive_authorization_endpoint: z$1.optional(zHttpsUrl),
+	require_interactive_authorization_request: z$1.optional(z$1.boolean()),
 	"pre-authorized_grant_anonymous_access_supported": z$1.optional(z$1.boolean()),
 	client_attestation_pop_nonce_required: z$1.boolean().optional(),
 	authorization_response_iss_parameter_supported: z$1.boolean().optional()
@@ -2152,7 +2257,7 @@ const zAuthorizationServerMetadata = z$1.object({
 	if (!methodsSupported) return true;
 	if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
 	return algValuesSupported !== void 0 && algValuesSupported.length > 0;
-}, `Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`);
+}, `Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`).refine(({ require_interactive_authorization_request, interactive_authorization_endpoint }) => !require_interactive_authorization_request || interactive_authorization_endpoint !== void 0, `Metadata value 'require_interactive_authorization_request' MUST NOT be present if 'interactive_authorization_endpoint' is omitted`);
 
 //#endregion
 //#region src/metadata/authorization-server/authorization-server-metadata.ts
@@ -2605,72 +2710,6 @@ function parseAuthorizationChallengeRequest(options) {
 	};
 }
 
-//#endregion
-//#region src/authorization-request/verify-authorization-request.ts
-async function verifyAuthorizationRequest(options) {
-	const dpopResult = options.dpop ? await verifyAuthorizationRequestDpop(options.dpop, options.request, options.callbacks, options.now) : void 0;
-	const clientAttestationResult = options.clientAttestation ? await verifyAuthorizationRequestClientAttestation(options.clientAttestation, options.authorizationServerMetadata, options.callbacks, dpopResult?.jwkThumbprint, options.now, options.authorizationRequest.client_id) : void 0;
-	return {
-		dpop: dpopResult?.jwkThumbprint ? {
-			jwkThumbprint: dpopResult.jwkThumbprint,
-			jwk: dpopResult.jwk
-		} : void 0,
-		clientAttestation: clientAttestationResult
-	};
-}
-async function verifyAuthorizationRequestClientAttestation(options, authorizationServerMetadata, callbacks, dpopJwkThumbprint, now, requestClientId) {
-	if (!options.clientAttestationJwt || !options.clientAttestationPopJwt) {
-		if (!options.required && !options.clientAttestationJwt && !options.clientAttestationPopJwt) return;
-		throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidClient,
-			error_description: `Missing required client attestation parameters in pushed authorization request. Make sure to provide the '${oauthClientAttestationHeader}' and '${oauthClientAttestationPopHeader}' header values.`
-		});
-	}
-	const verifiedClientAttestation = await verifyClientAttestation({
-		authorizationServer: authorizationServerMetadata.issuer,
-		callbacks,
-		clientAttestationJwt: options.clientAttestationJwt,
-		clientAttestationPopJwt: options.clientAttestationPopJwt,
-		now
-	});
-	if (requestClientId && requestClientId !== verifiedClientAttestation.clientAttestation.payload.sub) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidClient,
-		error_description: `The client_id '${requestClientId}' in the request does not match the client id '${verifiedClientAttestation.clientAttestation.payload.sub}' in the client attestation`
-	}, { status: 401 });
-	if (options.ensureConfirmationKeyMatchesDpopKey && dpopJwkThumbprint) {
-		if (await calculateJwkThumbprint({
-			hashAlgorithm: HashAlgorithm.Sha256,
-			hashCallback: callbacks.hash,
-			jwk: verifiedClientAttestation.clientAttestation.payload.cnf.jwk
-		}) !== dpopJwkThumbprint) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Expected the DPoP JWK thumbprint value to match the JWK thumbprint of the client attestation confirmation JWK. Ensure both DPoP and client attestation use the same key."
-		}, { status: 401 });
-	}
-	return verifiedClientAttestation;
-}
-async function verifyAuthorizationRequestDpop(options, request, callbacks, now) {
-	if (options.required && !options.jwt && !options.jwkThumbprint) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidDpopProof,
-		error_description: `Missing required DPoP parameters in authorization request. Either DPoP header or 'dpop_jkt' is required.`
-	});
-	const verifyDpopResult = options.jwt ? await verifyDpopJwt({
-		callbacks,
-		dpopJwt: options.jwt,
-		request,
-		allowedSigningAlgs: options.allowedSigningAlgs,
-		now
-	}) : void 0;
-	if (options.jwkThumbprint && verifyDpopResult && options.jwkThumbprint !== verifyDpopResult.jwkThumbprint) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidDpopProof,
-		error_description: `DPoP jwk thumbprint does not match with 'dpop_jkt' provided in authorization request`
-	});
-	return {
-		jwk: verifyDpopResult?.header.jwk,
-		jwkThumbprint: verifyDpopResult?.jwkThumbprint ?? options.jwkThumbprint
-	};
-}
-
 //#endregion
 //#region src/authorization-challenge/verify-authorization-challenge-request.ts
 async function verifyAuthorizationChallengeRequest(options) {
@@ -2875,44 +2914,6 @@ var Oauth2AuthorizationServer = class {
 	}
 };
 
-//#endregion
-//#region src/dpop/dpop-retry.ts
-async function authorizationServerRequestWithDpopRetry(options) {
-	try {
-		return await options.request(options.dpop);
-	} catch (error) {
-		if (options.dpop && error instanceof Oauth2ClientErrorResponseError) {
-			const dpopRetry = shouldRetryAuthorizationServerRequestWithDPoPNonce({
-				responseHeaders: error.response.headers,
-				errorResponse: error.errorResponse
-			});
-			if (dpopRetry.retry) return options.request({
-				...options.dpop,
-				nonce: dpopRetry.dpopNonce
-			});
-		}
-		throw error;
-	}
-}
-function shouldRetryAuthorizationServerRequestWithDPoPNonce(options) {
-	if (options.errorResponse.error !== "use_dpop_nonce") return { retry: false };
-	const dpopNonce = extractDpopNonceFromHeaders(options.responseHeaders);
-	if (!dpopNonce) throw new Oauth2Error(`Error response error contains error 'use_dpop_nonce' but the response headers do not include a valid 'DPoP-Nonce' header value.`);
-	return {
-		retry: true,
-		dpopNonce
-	};
-}
-function shouldRetryResourceRequestWithDPoPNonce(options) {
-	if (!options.resourceUnauthorizedError.wwwAuthenticateHeaders.find((challenge) => challenge.scheme === SupportedAuthenticationScheme.DPoP && challenge.error === Oauth2ErrorCodes.UseDpopNonce)) return { retry: false };
-	const dpopNonce = extractDpopNonceFromHeaders(options.responseHeaders);
-	if (!dpopNonce || typeof dpopNonce !== "string") throw new Oauth2Error(`Resource request error in 'WWW-Authenticate' response header contains error 'use_dpop_nonce' but the response headers do not include a valid 'DPoP-Nonce' value.`);
-	return {
-		retry: true,
-		dpopNonce
-	};
-}
-
 //#endregion
 //#region src/access-token/retrieve-access-token.ts
 async function retrievePreAuthorizedCodeAccessToken(options) {
@@ -3325,7 +3326,7 @@ var Oauth2Client = class {
 				return {
 					dpop: options.dpop ? {
 						...options.dpop,
-						nonce: dpopNonce
+						nonce: dpopNonce ?? void 0
 					} : void 0,
 					authorizationRequestUrl,
 					pkce
@@ -3581,5 +3582,5 @@ async function verifyResourceRequest(options) {
 }
 
 //#endregion
-export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, clientCredentialsGrantIdentifier, createClientAttestationJwt, createJarAuthorizationRequest, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm, jwtAuthorizationRequestJwtHeaderTyp, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, parsePushedAuthorizationRequestUriReferenceValue, preAuthorizedCodeGrantIdentifier, pushedAuthorizationRequestUriPrefix, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, signedAuthorizationRequestJwtHeaderTyp, validateJarRequestParams, verifyAuthorizationResponse, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationErrorResponse, zAuthorizationResponse, zAuthorizationResponseFromUriParams, zAuthorizationServerMetadata, zClientCredentialsGrantIdentifier, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJarAuthorizationRequest, zJarRequestObjectPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zPushedAuthorizationRequestUriPrefix, zRefreshTokenGrantIdentifier };
+export { HashAlgorithm, InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, PkceCodeChallengeMethod, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, authorizationCodeGrantIdentifier, authorizationServerRequestWithDpopRetry, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, clientCredentialsGrantIdentifier, createClientAttestationJwt, createDpopHeadersForRequest, createJarAuthorizationRequest, createPkce, decodeJwt, decodeJwtHeader, extractDpopNonceFromHeaders, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm, getAuthorizationServerMetadataFromList, getGlobalConfig, isJarAuthorizationRequest, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm, jwtAuthorizationRequestJwtHeaderTyp, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationRequest, parseAuthorizationResponseRedirectUrl, parseJarRequest, parsePushedAuthorizationRequestUriReferenceValue, preAuthorizedCodeGrantIdentifier, pushedAuthorizationRequestUriPrefix, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, signedAuthorizationRequestJwtHeaderTyp, validateJarRequestParams, verifyAuthorizationRequest, verifyAuthorizationResponse, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJarRequest, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationErrorResponse, zAuthorizationRequest, zAuthorizationResponse, zAuthorizationResponseFromUriParams, zAuthorizationServerMetadata, zClientCredentialsGrantIdentifier, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJarAuthorizationRequest, zJarRequestObjectPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zPushedAuthorizationRequestUriPrefix, zRefreshTokenGrantIdentifier };
 //# sourceMappingURL=index.mjs.map