@openid4vc/oauth2 0.5.0-alpha-20260202131209 → 0.5.0-alpha-20260202155954

package/dist/index.d.mts

@@ -29,6 +29,8 @@ declare const zAuthorizationServerMetadata: z$1.ZodObject<{
   }>, z$1.ZodString]>>>;
   introspection_endpoint_auth_signing_alg_values_supported: z$1.ZodOptional<z$1.ZodArray<z$1.ZodString>>;
   authorization_challenge_endpoint: z$1.ZodOptional<z$1.ZodURL>;
+  interactive_authorization_endpoint: z$1.ZodOptional<z$1.ZodURL>;
+  require_interactive_authorization_request: z$1.ZodOptional<z$1.ZodBoolean>;
   'pre-authorized_grant_anonymous_access_supported': z$1.ZodOptional<z$1.ZodBoolean>;
   client_attestation_pop_nonce_required: z$1.ZodOptional<z$1.ZodBoolean>;
   authorization_response_iss_parameter_supported: z$1.ZodOptional<z$1.ZodBoolean>;
@@ -465,6 +467,40 @@ interface RequestDpopOptions {
    */
   signer: JwtSignerJwk;
 }
+declare function createDpopHeadersForRequest(options: CreateDpopJwtOptions): Promise<{
+  DPoP: string;
+}>;
+interface CreateDpopJwtOptions {
+  request: Omit<RequestLike, 'headers'>;
+  /**
+   * Dpop nonce value
+   */
+  nonce?: string;
+  /**
+   * Creation time of the JWT. If not provided the current date will be used
+   */
+  issuedAt?: Date;
+  /**
+   * Additional payload to include in the dpop jwt payload. Will be applied after
+   * any default claims that are included, so add claims with caution.
+   */
+  additionalPayload?: Record<string, unknown>;
+  /**
+   * The access token to which the dpop jwt should be bound. Required
+   * when the dpop will be sent along with an access token.
+   *
+   * If provided, the `hashCallback` parameter also needs to be provided
+   */
+  accessToken?: string;
+  /**
+   * Callback used for dpop
+   */
+  callbacks: Pick<CallbackContext, 'generateRandom' | 'hash' | 'signJwt'>;
+  /**
+   * The signer of the dpop jwt. Only jwk signer allowed.
+   */
+  signer: JwtSignerJwk;
+}
 interface VerifyDpopJwtOptions {
   /**
    * The compact dpop jwt.
@@ -502,52 +538,7 @@ interface VerifyDpopJwtOptions {
   callbacks: Pick<CallbackContext, 'verifyJwt' | 'hash'>;
   now?: Date;
 }
-//#endregion
-//#region src/common/z-oauth2-error.d.ts
-declare enum Oauth2ErrorCodes {
-  ServerError = "server_error",
-  InvalidTarget = "invalid_target",
-  InvalidRequest = "invalid_request",
-  InvalidToken = "invalid_token",
-  InsufficientScope = "insufficient_scope",
-  InvalidGrant = "invalid_grant",
-  InvalidClient = "invalid_client",
-  UnauthorizedClient = "unauthorized_client",
-  UnsupportedGrantType = "unsupported_grant_type",
-  InvalidScope = "invalid_scope",
-  InvalidDpopProof = "invalid_dpop_proof",
-  UseDpopNonce = "use_dpop_nonce",
-  RedirectToWeb = "redirect_to_web",
-  InvalidSession = "invalid_session",
-  InsufficientAuthorization = "insufficient_authorization",
-  InvalidCredentialRequest = "invalid_credential_request",
-  CredentialRequestDenied = "credential_request_denied",
-  InvalidProof = "invalid_proof",
-  InvalidNonce = "invalid_nonce",
-  InvalidEncryptionParameters = "invalid_encryption_parameters",
-  UnknownCredentialConfiguration = "unknown_credential_configuration",
-  UnknownCredentialIdentifier = "unknown_credential_identifier",
-  InvalidTransactionId = "invalid_transaction_id",
-  UnsupportedCredentialType = "unsupported_credential_type",
-  UnsupportedCredentialFormat = "unsupported_credential_format",
-  InvalidRequestUri = "invalid_request_uri",
-  InvalidRequestObject = "invalid_request_object",
-  RequestNotSupported = "request_not_supported",
-  RequestUriNotSupported = "request_uri_not_supported",
-  VpFormatsNotSupported = "vp_formats_not_supported",
-  AccessDenied = "access_denied",
-  InvalidPresentationDefinitionUri = "invalid_presentation_definition_uri",
-  InvalidPresentationDefinitionReference = "invalid_presentation_definition_reference",
-  InvalidRequestUriMethod = "invalid_request_uri_method",
-  InvalidTransactionData = "invalid_transaction_data",
-  WalletUnavailable = "wallet_unavailable",
-}
-declare const zOauth2ErrorResponse: z$1.ZodObject<{
-  error: z$1.ZodUnion<readonly [z$1.ZodEnum<typeof Oauth2ErrorCodes>, z$1.ZodString]>;
-  error_description: z$1.ZodOptional<z$1.ZodString>;
-  error_uri: z$1.ZodOptional<z$1.ZodString>;
-}, z$1.core.$loose>;
-type Oauth2ErrorResponse = z$1.infer<typeof zOauth2ErrorResponse>;
+declare function extractDpopNonceFromHeaders(headers: FetchHeaders): string | null;
 //#endregion
 //#region src/access-token/z-access-token.d.ts
 declare const zAccessTokenRequest: z$1.ZodIntersection<z$1.ZodObject<{
@@ -1144,11 +1135,24 @@ declare enum PkceCodeChallengeMethod {
   Plain = "plain",
   S256 = "S256",
 }
+interface CreatePkceOptions {
+  /**
+   * Also allows string values so it can be directly passed from the
+   * 'code_challenge_methods_supported' metadata parameter
+   */
+  allowedCodeChallengeMethods?: Array<string | PkceCodeChallengeMethod>;
+  /**
+   * Code verifier to use. If not provided a value will be generated.
+   */
+  codeVerifier?: string;
+  callbacks: Pick<CallbackContext, 'hash' | 'generateRandom'>;
+}
 interface CreatePkceReturn {
   codeVerifier: string;
   codeChallenge: string;
   codeChallengeMethod: PkceCodeChallengeMethod;
 }
+declare function createPkce(options: CreatePkceOptions): Promise<CreatePkceReturn>;
 //#endregion
 //#region src/z-grant-type.d.ts
 declare const zPreAuthorizedCodeGrantIdentifier: z$1.ZodLiteral<"urn:ietf:params:oauth:grant-type:pre-authorized_code">;
@@ -1411,6 +1415,12 @@ declare const zTokenIntrospectionResponse: z$1.ZodObject<{
 type TokenIntrospectionResponse = z$1.infer<typeof zTokenIntrospectionResponse>;
 //#endregion
 //#region src/authorization-request/parse-authorization-request.d.ts
+interface ParseAuthorizationRequestOptions {
+  request: RequestLike;
+  authorizationRequest: {
+    dpop_jkt?: string;
+  };
+}
 interface ParseAuthorizationRequestResult {
   /**
    * The dpop params from the authorization request.
@@ -1436,6 +1446,12 @@ interface ParseAuthorizationRequestResult {
     clientAttestationPopJwt: string;
   };
 }
+/**
+ * Parse an authorization request.
+ *
+ * @throws {Oauth2ServerErrorResponseError}
+ */
+declare function parseAuthorizationRequest(options: ParseAuthorizationRequestOptions): ParseAuthorizationRequestResult;
 //#endregion
 //#region src/authorization-challenge/z-authorization-challenge.d.ts
 declare const zAuthorizationChallengeRequest: z$1.ZodObject<{
@@ -1483,7 +1499,7 @@ interface VerifyAuthorizationRequestDpop {
    */
   required?: boolean;
   /**
-   * The dpop jwt from the pushed authorization request.
+   * The dpop jwt from the pushed or interactive authorization request.
    *
    * If dpop is required, at least one of `jwt` or `jwkThumbprint` MUST
    * be provided. If both are provided, the jwk thumbprints are matched
@@ -1555,6 +1571,7 @@ interface VerifyAuthorizationRequestOptions {
   now?: Date;
   callbacks: Pick<CallbackContext, 'hash' | 'verifyJwt'>;
 }
+declare function verifyAuthorizationRequest(options: VerifyAuthorizationRequestOptions): Promise<VerifyAuthorizationRequestReturn>;
 //#endregion
 //#region src/authorization-challenge/verify-authorization-challenge-request.d.ts
 type VerifyAuthorizationChallengeRequestReturn = VerifyAuthorizationRequestReturn;
@@ -1614,6 +1631,53 @@ interface CreateAuthorizationRequestUrlOptions {
   dpop?: RequestDpopOptions;
 }
 //#endregion
+//#region src/common/z-oauth2-error.d.ts
+declare enum Oauth2ErrorCodes {
+  ServerError = "server_error",
+  InvalidTarget = "invalid_target",
+  InvalidRequest = "invalid_request",
+  InvalidToken = "invalid_token",
+  InsufficientScope = "insufficient_scope",
+  InvalidGrant = "invalid_grant",
+  InvalidClient = "invalid_client",
+  UnauthorizedClient = "unauthorized_client",
+  UnsupportedGrantType = "unsupported_grant_type",
+  InvalidScope = "invalid_scope",
+  InvalidDpopProof = "invalid_dpop_proof",
+  UseDpopNonce = "use_dpop_nonce",
+  RedirectToWeb = "redirect_to_web",
+  InvalidSession = "invalid_session",
+  InsufficientAuthorization = "insufficient_authorization",
+  InvalidCredentialRequest = "invalid_credential_request",
+  CredentialRequestDenied = "credential_request_denied",
+  InvalidProof = "invalid_proof",
+  InvalidNonce = "invalid_nonce",
+  InvalidEncryptionParameters = "invalid_encryption_parameters",
+  UnknownCredentialConfiguration = "unknown_credential_configuration",
+  UnknownCredentialIdentifier = "unknown_credential_identifier",
+  InvalidTransactionId = "invalid_transaction_id",
+  UnsupportedCredentialType = "unsupported_credential_type",
+  UnsupportedCredentialFormat = "unsupported_credential_format",
+  MissingInteractionType = "missing_interaction_type",
+  InvalidRequestUri = "invalid_request_uri",
+  InvalidRequestObject = "invalid_request_object",
+  RequestNotSupported = "request_not_supported",
+  RequestUriNotSupported = "request_uri_not_supported",
+  VpFormatsNotSupported = "vp_formats_not_supported",
+  AccessDenied = "access_denied",
+  InvalidPresentationDefinitionUri = "invalid_presentation_definition_uri",
+  InvalidPresentationDefinitionReference = "invalid_presentation_definition_reference",
+  InvalidRequestUriMethod = "invalid_request_uri_method",
+  InvalidTransactionData = "invalid_transaction_data",
+  WalletUnavailable = "wallet_unavailable",
+}
+declare const zOauth2ErrorResponse: z$1.ZodObject<{
+  error: z$1.ZodUnion<readonly [z$1.ZodEnum<typeof Oauth2ErrorCodes>, z$1.ZodString]>;
+  error_description: z$1.ZodOptional<z$1.ZodString>;
+  error_uri: z$1.ZodOptional<z$1.ZodString>;
+}, z$1.core.$loose>;
+type Oauth2ErrorResponse = z$1.infer<typeof zOauth2ErrorResponse>;
+//#endregion
 //#region src/authorization-request/create-pushed-authorization-response.d.ts
 interface CreatePushedAuthorizationResponseOptions {
   /**
@@ -1791,6 +1855,7 @@ declare const zJarAuthorizationRequest: z.ZodObject<{
 type JarAuthorizationRequest = z.infer<typeof zJarAuthorizationRequest>;
 declare function validateJarRequestParams(options: {
   jarRequestParams: JarAuthorizationRequest;
+  allowRequestUri?: boolean;
 }): JarAuthorizationRequest & ({
   request_uri: string;
   request?: never;
@@ -1798,6 +1863,7 @@ declare function validateJarRequestParams(options: {
   request: string;
   request_uri?: never;
 });
+declare function isJarAuthorizationRequest(request: JarAuthorizationRequest): request is JarAuthorizationRequest;
 //#endregion
 //#region src/jar/z-jar-request-object.d.ts
 declare const zJarRequestObjectPayload: z.ZodObject<{
@@ -1850,11 +1916,45 @@ declare const signedAuthorizationRequestJwtHeaderTyp: "oauth-authz-req+jwt";
 declare const jwtAuthorizationRequestJwtHeaderTyp: "jwt";
 //#endregion
 //#region src/jar/handle-jar-request/verify-jar-request.d.ts
+interface ParsedJarRequestOptions {
+  jarRequestParams: JarAuthorizationRequest;
+  callbacks: Pick<CallbackContext, 'fetch'>;
+}
+interface VerifyJarRequestOptions {
+  jarRequestParams: {
+    client_id?: string;
+  };
+  authorizationRequestJwt: string;
+  callbacks: Pick<CallbackContext, 'verifyJwt'>;
+  jwtSigner: JwtSigner;
+}
+interface ParsedJarRequest {
+  authorizationRequestJwt: string;
+  sendBy: 'value' | 'reference';
+}
 interface VerifiedJarRequest {
   authorizationRequestPayload: JarRequestObjectPayload;
   signer: JwtSignerWithJwk;
   jwt: ReturnType<typeof decodeJwt<undefined, typeof zJarRequestObjectPayload>>;
 }
+/**
+ * Parse a JAR (JWT Secured Authorization Request) request by validating and optionally fetch from uri.
+ *
+ * @param options - The input parameters
+ * @param options.jarRequestParams - The JAR authorization request parameters
+ * @param options.callbacks - Context containing the relevant Jose crypto operations
+ * @returns An object containing the transmission method ('value' or 'reference') and the JWT request object.
+ */
+declare function parseJarRequest(options: ParsedJarRequestOptions): Promise<ParsedJarRequest>;
+/**
+ * Verifies a JAR (JWT Secured Authorization Request) request by validating and verifying signatures.
+ *
+ * @param options - The input parameters
+ * @param options.jarRequestParams - The JAR authorization request parameters
+ * @param options.callbacks - Context containing the relevant Jose crypto operations
+ * @returns The verified authorization request parameters and metadata
+ */
+declare function verifyJarRequest(options: VerifyJarRequestOptions): Promise<VerifiedJarRequest>;
 //#endregion
 //#region src/authorization-request/verify-pushed-authorization-request.d.ts
 interface VerifyPushedAuthorizationRequestReturn extends VerifyAuthorizationRequestReturn {
@@ -2172,29 +2272,6 @@ declare class Oauth2Error extends Error {
   constructor(message?: string, options?: Oauth2ErrorOptions);
 }
 //#endregion
-//#region src/error/Oauth2ClientErrorResponseError.d.ts
-declare class Oauth2ClientErrorResponseError extends Oauth2Error {
-  readonly errorResponse: Oauth2ErrorResponse;
-  readonly response: FetchResponse;
-  constructor(message: string, errorResponse: Oauth2ErrorResponse, response: FetchResponse);
-}
-//#endregion
-//#region src/error/Oauth2ClientAuthorizationChallengeError.d.ts
-declare class Oauth2ClientAuthorizationChallengeError extends Oauth2ClientErrorResponseError {
-  readonly errorResponse: AuthorizationChallengeErrorResponse;
-  constructor(message: string, errorResponse: AuthorizationChallengeErrorResponse, response: FetchResponse);
-}
-//#endregion
-//#region src/error/Oauth2JwtParseError.d.ts
-declare class Oauth2JwtParseError extends Oauth2Error {
-  constructor(message?: string);
-}
-//#endregion
-//#region src/error/Oauth2JwtVerificationError.d.ts
-declare class Oauth2JwtVerificationError extends Oauth2Error {
-  constructor(message?: string, options?: Oauth2ErrorOptions);
-}
-//#endregion
 //#region src/error/Oauth2ResourceUnauthorizedError.d.ts
 interface WwwAuthenticateHeaderChallenge {
   scheme: SupportedAuthenticationScheme | (string & {});
@@ -2221,6 +2298,35 @@ declare class Oauth2ResourceUnauthorizedError extends Oauth2Error {
   toHeaderValue(): string;
 }
 //#endregion
+//#region src/dpop/dpop-retry.d.ts
+declare function authorizationServerRequestWithDpopRetry<T>(options: {
+  dpop?: RequestDpopOptions;
+  request: (dpop?: RequestDpopOptions) => Promise<T>;
+}): Promise<T>;
+//#endregion
+//#region src/error/Oauth2ClientErrorResponseError.d.ts
+declare class Oauth2ClientErrorResponseError extends Oauth2Error {
+  readonly errorResponse: Oauth2ErrorResponse;
+  readonly response: FetchResponse;
+  constructor(message: string, errorResponse: Oauth2ErrorResponse, response: FetchResponse);
+}
+//#endregion
+//#region src/error/Oauth2ClientAuthorizationChallengeError.d.ts
+declare class Oauth2ClientAuthorizationChallengeError extends Oauth2ClientErrorResponseError {
+  readonly errorResponse: AuthorizationChallengeErrorResponse;
+  constructor(message: string, errorResponse: AuthorizationChallengeErrorResponse, response: FetchResponse);
+}
+//#endregion
+//#region src/error/Oauth2JwtParseError.d.ts
+declare class Oauth2JwtParseError extends Oauth2Error {
+  constructor(message?: string);
+}
+//#endregion
+//#region src/error/Oauth2JwtVerificationError.d.ts
+declare class Oauth2JwtVerificationError extends Oauth2Error {
+  constructor(message?: string, options?: Oauth2ErrorOptions);
+}
+//#endregion
 //#region src/error/Oauth2ServerErrorResponseError.d.ts
 interface Oauth2ServerErrorResponseErrorOptions extends Oauth2ErrorOptions {
   internalMessage?: string;
@@ -2627,6 +2733,8 @@ declare function getAuthorizationServerMetadataFromList(authorizationServersMeta
   introspection_endpoint_auth_methods_supported?: string[] | undefined;
   introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
   authorization_challenge_endpoint?: string | undefined;
+  interactive_authorization_endpoint?: string | undefined;
+  require_interactive_authorization_request?: boolean | undefined;
   'pre-authorized_grant_anonymous_access_supported'?: boolean | undefined;
   client_attestation_pop_nonce_required?: boolean | undefined;
   authorization_response_iss_parameter_supported?: boolean | undefined;
@@ -2833,6 +2941,8 @@ declare class Oauth2AuthorizationServer {
     introspection_endpoint_auth_methods_supported?: string[] | undefined;
     introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
     authorization_challenge_endpoint?: string | undefined;
+    interactive_authorization_endpoint?: string | undefined;
+    require_interactive_authorization_request?: boolean | undefined;
     'pre-authorized_grant_anonymous_access_supported'?: boolean | undefined;
     client_attestation_pop_nonce_required?: boolean | undefined;
     authorization_response_iss_parameter_supported?: boolean | undefined;
@@ -3215,54 +3325,6 @@ declare class Oauth2AuthorizationServer {
   }>;
 }
 //#endregion
-//#region src/resource-request/make-resource-request.d.ts
-interface ResourceRequestOptions {
-  /**
-   * DPoP options
-   */
-  dpop?: RequestDpopOptions & {
-    /**
-     * Whether to retry the request if the server responds with an error indicating
-     * the request should be retried with a server provided dpop nonce
-     *
-     * @default true
-     */
-    retryWithNonce?: boolean;
-  };
-  /**
-   * Callbacks
-   */
-  callbacks: Pick<CallbackContext, 'fetch' | 'generateRandom' | 'signJwt' | 'hash'>;
-  /**
-   * Access token
-   */
-  accessToken: string;
-  url: string;
-  requestOptions: FetchRequestInit;
-}
-interface ResourceRequestResponseBase {
-  ok: boolean;
-  response: FetchResponse;
-  /**
-   * If the response included a dpop nonce to be used in subsequent requests
-   */
-  dpop?: {
-    nonce: string;
-  };
-}
-interface ResourceRequestResponseOk extends ResourceRequestResponseBase {
-  ok: true;
-}
-interface ResourceRequestResponseNotOk extends ResourceRequestResponseBase {
-  ok: false;
-  /**
-   * If a WWW-Authenticate was included in the headers of the response
-   * they will be parsed and added here.
-   */
-  wwwAuthenticate?: WwwAuthenticateHeaderChallenge[];
-}
-declare function resourceRequest(options: ResourceRequestOptions): Promise<ResourceRequestResponseOk | ResourceRequestResponseNotOk>;
-//#endregion
 //#region src/authorization-challenge/send-authorization-challenge.d.ts
 interface SendAuthorizationChallengeRequestOptions {
   /**
@@ -3315,6 +3377,54 @@ interface SendAuthorizationChallengeRequestOptions {
   dpop?: RequestDpopOptions;
 }
 //#endregion
+//#region src/resource-request/make-resource-request.d.ts
+interface ResourceRequestOptions {
+  /**
+   * DPoP options
+   */
+  dpop?: RequestDpopOptions & {
+    /**
+     * Whether to retry the request if the server responds with an error indicating
+     * the request should be retried with a server provided dpop nonce
+     *
+     * @default true
+     */
+    retryWithNonce?: boolean;
+  };
+  /**
+   * Callbacks
+   */
+  callbacks: Pick<CallbackContext, 'fetch' | 'generateRandom' | 'signJwt' | 'hash'>;
+  /**
+   * Access token
+   */
+  accessToken: string;
+  url: string;
+  requestOptions: FetchRequestInit;
+}
+interface ResourceRequestResponseBase {
+  ok: boolean;
+  response: FetchResponse;
+  /**
+   * If the response included a dpop nonce to be used in subsequent requests
+   */
+  dpop?: {
+    nonce: string;
+  };
+}
+interface ResourceRequestResponseOk extends ResourceRequestResponseBase {
+  ok: true;
+}
+interface ResourceRequestResponseNotOk extends ResourceRequestResponseBase {
+  ok: false;
+  /**
+   * If a WWW-Authenticate was included in the headers of the response
+   * they will be parsed and added here.
+   */
+  wwwAuthenticate?: WwwAuthenticateHeaderChallenge[];
+}
+declare function resourceRequest(options: ResourceRequestOptions): Promise<ResourceRequestResponseOk | ResourceRequestResponseNotOk>;
+//#endregion
 //#region src/Oauth2Client.d.ts
 interface Oauth2ClientOptions {
   /**
@@ -3357,6 +3467,8 @@ declare class Oauth2Client {
     introspection_endpoint_auth_methods_supported?: string[] | undefined;
     introspection_endpoint_auth_signing_alg_values_supported?: string[] | undefined;
     authorization_challenge_endpoint?: string | undefined;
+    interactive_authorization_endpoint?: string | undefined;
+    require_interactive_authorization_request?: boolean | undefined;
     'pre-authorized_grant_anonymous_access_supported'?: boolean | undefined;
     client_attestation_pop_nonce_required?: boolean | undefined;
     authorization_response_iss_parameter_supported?: boolean | undefined;
@@ -3378,13 +3490,6 @@ declare class Oauth2Client {
     authorizationRequestUrl: string;
     pkce: CreatePkceReturn | undefined;
     dpop: RequestDpopOptions | undefined;
-  } | {
-    dpop: {
-      nonce: string | null;
-      signer: JwtSignerJwk;
-    } | undefined;
-    authorizationRequestUrl: string;
-    pkce: CreatePkceReturn | undefined;
   }>;
   sendAuthorizationChallengeRequest(options: Omit<SendAuthorizationChallengeRequestOptions, 'callbacks'>): Promise<{
     pkce: CreatePkceReturn | undefined;
@@ -3770,5 +3875,5 @@ declare function verifyResourceRequest(options: VerifyResourceRequestOptions): P
   authorizationServer: string;
 }>;
 //#endregion
-export { type AccessTokenErrorResponse, type AccessTokenProfileJwtPayload, type AccessTokenResponse, type AuthorizationChallengeErrorResponse, type AuthorizationChallengeRequest, type AuthorizationChallengeResponse, type AuthorizationCodeGrantIdentifier, AuthorizationErrorResponse, AuthorizationResponse, type AuthorizationServerMetadata, type CalculateJwkThumbprintOptions, type CallbackContext, type ClientAttestationJwtHeader, type ClientAttestationJwtPayload, type ClientAttestationPopJwtHeader, type ClientAttestationPopJwtPayload, type ClientAuthenticationCallback, type ClientAuthenticationCallbackOptions, type ClientAuthenticationClientAttestationJwtOptions, type ClientAuthenticationClientSecretBasicOptions, type ClientAuthenticationClientSecretPostOptions, type ClientAuthenticationDynamicOptions, type ClientAuthenticationNoneOptions, type ClientCredentialsGrantIdentifier, type CreateAuthorizationRequestUrlOptions, type CreateClientAttestationJwtOptions, type CreateJarAuthorizationRequestOptions, type CreatePkceReturn, type CreatePushedAuthorizationErrorResponseOptions, type CreatePushedAuthorizationResponseOptions, type DecodeJwtHeaderResult, type DecodeJwtOptions, type DecodeJwtResult, type DecryptJweCallback, type DecryptJweCallbackOptions, type EncryptJweCallback, type GenerateRandomCallback, HashAlgorithm, type HashCallback, type HttpMethod, IdTokenJwtHeader, IdTokenJwtPayload, InvalidFetchResponseError, type JarAuthorizationRequest, type JarRequestObjectPayload, type JweEncryptor, type Jwk, type JwkSet, type JwtHeader, type JwtPayload, type JwtSigner, type JwtSignerCustom, type JwtSignerDid, type JwtSignerJwk, type JwtSignerWithJwk, type JwtSignerX5c, Oauth2AuthorizationServer, type Oauth2AuthorizationServerOptions, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, type Oauth2ClientOptions, Oauth2Error, Oauth2ErrorCodes, type Oauth2ErrorOptions, type Oauth2ErrorResponse, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, type Oauth2ResourceServerOptions, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, type Oid4vcTsConfig, type ParseAuthorizationChallengeRequestOptions, type ParseAuthorizationChallengeRequestResult, ParseAuthorizationResponseOptions, type ParsePushedAuthorizationRequestOptions, type ParsePushedAuthorizationRequestResult, PkceCodeChallengeMethod, type PreAuthorizedCodeGrantIdentifier, type PushedAuthorizationRequestUriPrefix, type RefreshTokenGrantIdentifier, type RequestClientAttestationOptions, type RequestDpopOptions, type RequestLike, type ResourceRequestOptions, type ResourceRequestResponseNotOk, type ResourceRequestResponseOk, type RetrieveAuthorizationCodeAccessTokenOptions, type RetrieveClientCredentialsAccessTokenOptions, type RetrievePreAuthorizedCodeAccessTokenOptions, type SignJwtCallback, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, type TokenIntrospectionResponse, type VerifiedClientAttestationJwt, type VerifyAccessTokenRequestReturn, type VerifyAuthorizationChallengeRequestOptions, type VerifyAuthorizationChallengeRequestReturn, VerifyAuthorizationResponseOptions, VerifyIdTokenJwtOptions, type VerifyJwtCallback, type VerifyPushedAuthorizationRequestOptions, type VerifyPushedAuthorizationRequestReturn, type VerifyResourceRequestOptions, type WwwAuthenticateHeaderChallenge, authorizationCodeGrantIdentifier, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, clientCredentialsGrantIdentifier, createClientAttestationJwt, createJarAuthorizationRequest, decodeJwt, decodeJwtHeader, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm, getAuthorizationServerMetadataFromList, getGlobalConfig, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm, jwtAuthorizationRequestJwtHeaderTyp, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, parsePushedAuthorizationRequestUriReferenceValue, preAuthorizedCodeGrantIdentifier, pushedAuthorizationRequestUriPrefix, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, signedAuthorizationRequestJwtHeaderTyp, validateJarRequestParams, verifyAuthorizationResponse, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationErrorResponse, zAuthorizationResponse, zAuthorizationResponseFromUriParams, zAuthorizationServerMetadata, zClientCredentialsGrantIdentifier, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJarAuthorizationRequest, zJarRequestObjectPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zPushedAuthorizationRequestUriPrefix, zRefreshTokenGrantIdentifier };
+export { type AccessTokenErrorResponse, type AccessTokenProfileJwtPayload, type AccessTokenResponse, type AuthorizationChallengeErrorResponse, type AuthorizationChallengeRequest, type AuthorizationChallengeResponse, type AuthorizationCodeGrantIdentifier, AuthorizationErrorResponse, type AuthorizationRequest, AuthorizationResponse, type AuthorizationServerMetadata, type CalculateJwkThumbprintOptions, type CallbackContext, type ClientAttestationJwtHeader, type ClientAttestationJwtPayload, type ClientAttestationPopJwtHeader, type ClientAttestationPopJwtPayload, type ClientAuthenticationCallback, type ClientAuthenticationCallbackOptions, type ClientAuthenticationClientAttestationJwtOptions, type ClientAuthenticationClientSecretBasicOptions, type ClientAuthenticationClientSecretPostOptions, type ClientAuthenticationDynamicOptions, type ClientAuthenticationNoneOptions, type ClientCredentialsGrantIdentifier, type CreateAuthorizationRequestUrlOptions, type CreateClientAttestationJwtOptions, type CreateJarAuthorizationRequestOptions, type CreatePkceReturn, type CreatePushedAuthorizationErrorResponseOptions, type CreatePushedAuthorizationResponseOptions, type DecodeJwtHeaderResult, type DecodeJwtOptions, type DecodeJwtResult, type DecryptJweCallback, type DecryptJweCallbackOptions, type EncryptJweCallback, type GenerateRandomCallback, HashAlgorithm, type HashCallback, type HttpMethod, IdTokenJwtHeader, IdTokenJwtPayload, InvalidFetchResponseError, type JarAuthorizationRequest, type JarRequestObjectPayload, type JweEncryptor, type Jwk, type JwkSet, type JwtHeader, type JwtPayload, type JwtSigner, type JwtSignerCustom, type JwtSignerDid, type JwtSignerJwk, type JwtSignerWithJwk, type JwtSignerX5c, Oauth2AuthorizationServer, type Oauth2AuthorizationServerOptions, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, type Oauth2ClientOptions, Oauth2Error, Oauth2ErrorCodes, type Oauth2ErrorOptions, type Oauth2ErrorResponse, Oauth2JwtParseError, Oauth2JwtVerificationError, Oauth2ResourceServer, type Oauth2ResourceServerOptions, Oauth2ResourceUnauthorizedError, Oauth2ServerErrorResponseError, type Oid4vcTsConfig, type ParseAuthorizationChallengeRequestOptions, type ParseAuthorizationChallengeRequestResult, type ParseAuthorizationRequestOptions, type ParseAuthorizationRequestResult, ParseAuthorizationResponseOptions, type ParsePushedAuthorizationRequestOptions, type ParsePushedAuthorizationRequestResult, type ParsedJarRequest, type ParsedJarRequestOptions, PkceCodeChallengeMethod, type PreAuthorizedCodeGrantIdentifier, type PushedAuthorizationRequestUriPrefix, type RefreshTokenGrantIdentifier, type RequestClientAttestationOptions, type RequestDpopOptions, type RequestLike, type ResourceRequestOptions, type ResourceRequestResponseNotOk, type ResourceRequestResponseOk, type RetrieveAuthorizationCodeAccessTokenOptions, type RetrieveClientCredentialsAccessTokenOptions, type RetrievePreAuthorizedCodeAccessTokenOptions, type SignJwtCallback, SupportedAuthenticationScheme, SupportedClientAuthenticationMethod, type TokenIntrospectionResponse, type VerifiedClientAttestationJwt, type VerifiedJarRequest, type VerifyAccessTokenRequestReturn, type VerifyAuthorizationChallengeRequestOptions, type VerifyAuthorizationChallengeRequestReturn, type VerifyAuthorizationRequestOptions, type VerifyAuthorizationRequestReturn, VerifyAuthorizationResponseOptions, VerifyIdTokenJwtOptions, type VerifyJarRequestOptions, type VerifyJwtCallback, type VerifyPushedAuthorizationRequestOptions, type VerifyPushedAuthorizationRequestReturn, type VerifyResourceRequestOptions, type WwwAuthenticateHeaderChallenge, authorizationCodeGrantIdentifier, authorizationServerRequestWithDpopRetry, calculateJwkThumbprint, clientAuthenticationAnonymous, clientAuthenticationClientAttestationJwt, clientAuthenticationClientSecretBasic, clientAuthenticationClientSecretPost, clientAuthenticationDynamic, clientAuthenticationNone, clientCredentialsGrantIdentifier, createClientAttestationJwt, createDpopHeadersForRequest, createJarAuthorizationRequest, createPkce, decodeJwt, decodeJwtHeader, extractDpopNonceFromHeaders, fetchAuthorizationServerMetadata, fetchJwks, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm, getAuthorizationServerMetadataFromList, getGlobalConfig, isJarAuthorizationRequest, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm, jwtAuthorizationRequestJwtHeaderTyp, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationRequest, parseAuthorizationResponseRedirectUrl, parseJarRequest, parsePushedAuthorizationRequestUriReferenceValue, preAuthorizedCodeGrantIdentifier, pushedAuthorizationRequestUriPrefix, refreshTokenGrantIdentifier, resourceRequest, setGlobalConfig, signedAuthorizationRequestJwtHeaderTyp, validateJarRequestParams, verifyAuthorizationRequest, verifyAuthorizationResponse, verifyClientAttestationJwt, verifyIdTokenJwt, verifyJarRequest, verifyJwt, verifyResourceRequest, zAlgValueNotNone, zAuthorizationCodeGrantIdentifier, zAuthorizationErrorResponse, zAuthorizationRequest, zAuthorizationResponse, zAuthorizationResponseFromUriParams, zAuthorizationServerMetadata, zClientCredentialsGrantIdentifier, zCompactJwe, zCompactJwt, zIdTokenJwtHeader, zIdTokenJwtPayload, zJarAuthorizationRequest, zJarRequestObjectPayload, zJwk, zJwkSet, zJwtHeader, zJwtPayload, zOauth2ErrorResponse, zPreAuthorizedCodeGrantIdentifier, zPushedAuthorizationRequestUriPrefix, zRefreshTokenGrantIdentifier };
 //# sourceMappingURL=index.d.mts.map