@openid4vc/openid4vp 0.3.0-alpha-20250224151429 → 0.3.0-alpha-20250225103926

package/dist/index.mjs

@@ -47,16 +47,16 @@ var zJarmAuthResponseEncryptedOnly = z2.object({
 
 // src/jarm/jarm-auth-response/jarm-validate-auth-response.ts
 var jarmAuthResponseValidate = (options) => {
-  const { authRequest, authResponse } = options;
-  if (!zJarmAuthResponse.safeParse(authResponse).success) {
+  const { clientId, authorizationResponse } = options;
+  if (!zJarmAuthResponse.safeParse(authorizationResponse).success) {
     return;
   }
-  if (authRequest.client_id !== authResponse.aud) {
+  if (clientId !== authorizationResponse.aud) {
     throw new Oauth2Error(
-      `Invalid 'aud' claim in JARM authorization response. Expected '${authRequest.client_id}' received '${JSON.stringify(authResponse.aud)}'.`
+      `Invalid 'aud' claim in JARM authorization response. Expected '${clientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`
     );
   }
-  if (authResponse.exp !== void 0 && authResponse.exp < dateToSeconds()) {
+  if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < dateToSeconds()) {
     throw new Oauth2Error("Jarm auth response is expired.");
   }
 };
@@ -103,18 +103,14 @@ async function verifyJarmAuthorizationResponse(options) {
     const jsonRequestData = JSON.parse(decryptedRequestData);
     jarmAuthResponse = zJarmAuthResponseEncryptedOnly.parse(jsonRequestData);
   }
-  const { authRequest } = await callbacks.getOpenid4vpAuthorizationRequest(jarmAuthResponse);
-  jarmAuthResponseValidate({ authRequest, authResponse: jarmAuthResponse });
-  let type;
-  if (responseIsSigned && requestDataIsEncrypted) {
-    type = "signed encrypted";
-  } else if (requestDataIsEncrypted) {
-    type = "encrypted";
-  } else {
-    type = "signed";
-  }
+  const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(jarmAuthResponse);
+  jarmAuthResponseValidate({
+    clientId: authorizationRequest.client_id,
+    authorizationResponse: jarmAuthResponse
+  });
+  const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
   const issuer = jarmAuthResponse.iss;
-  return { authRequest, jarmAuthResponse, type, issuer };
+  return { authorizationRequest, jarmAuthResponse, type, issuer };
 }
 
 // src/jarm/metadata/z-jarm-client-metadata.ts
@@ -193,7 +189,7 @@ import {
   jwtHeaderFromJwtSigner
 } from "@openid4vc/oauth2";
 async function createJarAuthRequest(options) {
-  const { jwtSigner, jwtEncryptor, authRequestParams, requestUri, callbacks } = options;
+  const { jwtSigner, jweEncryptor, authRequestParams, requestUri, callbacks } = options;
   let requestObjectJwt;
   let encryptionJwk;
   const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
@@ -201,8 +197,8 @@ async function createJarAuthRequest(options) {
     payload: { ...options.additionalJwtPayload, ...authRequestParams }
   });
   requestObjectJwt = jwt;
-  if (jwtEncryptor) {
-    const encryptionResult = await callbacks.encryptJwe(jwtEncryptor, requestObjectJwt);
+  if (jweEncryptor) {
+    const encryptionResult = await callbacks.encryptJwe(jweEncryptor, requestObjectJwt);
     requestObjectJwt = encryptionResult.jwe;
     encryptionJwk = encryptionResult.encryptionJwk;
   }
@@ -476,36 +472,36 @@ function isJarAuthRequest(request) {
 
 // src/authorization-request/parse-authorization-request-params.ts
 function parseOpenid4vpAuthorizationRequestPayload(options) {
-  const { requestPayload } = options;
+  const { authorizationRequest } = options;
   let provided = "params";
   let params;
-  if (typeof requestPayload === "string") {
-    if (requestPayload.includes("://")) {
-      const url = new URL2(requestPayload);
+  if (typeof authorizationRequest === "string") {
+    if (authorizationRequest.includes("://")) {
+      const url = new URL2(authorizationRequest);
       params = Object.fromEntries(url.searchParams);
       provided = "uri";
     } else {
-      const decoded = decodeJwt2({ jwt: requestPayload });
+      const decoded = decodeJwt2({ jwt: authorizationRequest });
       params = decoded.payload;
       provided = "jwt";
     }
   } else {
-    params = requestPayload;
+    params = authorizationRequest;
   }
   const parsedRequest = parseWithErrorHandling3(
     z10.union([zOpenid4vpAuthorizationRequest, zJarAuthRequest, zOpenid4vpAuthorizationRequestDcApi]),
     params
   );
-  if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {
+  if (isJarAuthRequest(parsedRequest)) {
     return {
-      type: "openid4vp_dc_api",
+      type: "jar",
       provided,
       params: parsedRequest
     };
   }
-  if (isJarAuthRequest(parsedRequest)) {
+  if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {
     return {
-      type: "jar",
+      type: "openid4vp_dc_api",
       provided,
       params: parsedRequest
     };
@@ -523,36 +519,27 @@ import { parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/ut
 import z14 from "zod";
 
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4 } from "@openid4vc/oauth2";
-function getClientId(request, origin) {
-  const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(request);
-  if (isDcApiRequest) {
-    if (request.client_id) {
-      return request.client_id;
-    }
-    if (!origin) {
+import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4, getGlobalConfig } from "@openid4vc/oauth2";
+function getClientId(options) {
+  if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {
+    if (!options.origin) {
       throw new Oauth2ServerErrorResponseError4({
         error: Oauth2ErrorCodes3.InvalidRequest,
-        error_description: 'Failed to parse client identifier. Missing required "client_id" parameter.'
+        error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
       });
     }
-    return `web-origin:${origin}`;
+    if (!options.jar || !options.request.client_id) return `web-origin:${options.origin}`;
+    return options.request.client_id;
   }
-  return request.client_id;
+  return options.request.client_id;
 }
 function parseClientIdentifier(options, parserConfig) {
   const { request, jar } = options;
   const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(request);
-  const clientId = getClientId(request, options.origin);
+  const clientId = getClientId(options);
   const parserConfigWithDefaults = {
     supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
   };
-  if (isDcApiRequest && !jar && request.client_id) {
-    throw new Oauth2ServerErrorResponseError4({
-      error: Oauth2ErrorCodes3.InvalidRequest,
-      error_description: `The 'client_id' parameter MUST be omitted in unsigned openid4vp dc api authorization requests.`
-    });
-  }
   const colonIndex = clientId.indexOf(":");
   if (colonIndex === -1) {
     return {
@@ -578,7 +565,7 @@ function parseClientIdentifier(options, parserConfig) {
         error_description: `The client identifier scheme 'https' is not supported when using the dc_api response mode.`
       });
     }
-    if (!clientId.startsWith("https://") && !clientId.startsWith("http://")) {
+    if (!clientId.startsWith("https://") && !(getGlobalConfig().allowInsecureUrls && clientId.startsWith("http://"))) {
       throw new Oauth2ServerErrorResponseError4({
         error: Oauth2ErrorCodes3.InvalidRequest,
         error_description: "Invalid client identifier. Client identifier must start with https:// or http:// if allowInsecureUrls is true."
@@ -640,7 +627,7 @@ function parseClientIdentifier(options, parserConfig) {
       scheme,
       identifier: clientId,
       originalValue: clientId,
-      kid: jar.signer.publicJwk.kid
+      didUrl: jar.signer.publicJwk.kid
     };
   }
   if (scheme === "x509_san_dns" || scheme === "x509_san_uri") {
@@ -656,7 +643,17 @@ function parseClientIdentifier(options, parserConfig) {
         error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
       });
     }
-    if (scheme === "x509_san_dns" && options.callbacks.getX509CertificateMetadata) {
+    if (scheme === "x509_san_dns") {
+      if (!options.callbacks.getX509CertificateMetadata) {
+        throw new Oauth2ServerErrorResponseError4(
+          {
+            error: Oauth2ErrorCodes3.ServerError
+          },
+          {
+            internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme"
+          }
+        );
+      }
       const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
       if (!sanDnsNames.includes(identifierPart)) {
         throw new Oauth2ServerErrorResponseError4({
@@ -671,7 +668,17 @@ function parseClientIdentifier(options, parserConfig) {
           error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
         });
       }
-    } else if (scheme === "x509_san_uri" && options.callbacks.getX509CertificateMetadata) {
+    } else if (scheme === "x509_san_uri") {
+      if (!options.callbacks.getX509CertificateMetadata) {
+        throw new Oauth2ServerErrorResponseError4(
+          {
+            error: Oauth2ErrorCodes3.ServerError
+          },
+          {
+            internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme"
+          }
+        );
+      }
       const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
       if (!sanUriNames.includes(identifierPart)) {
         throw new Oauth2ServerErrorResponseError4({
@@ -980,26 +987,26 @@ import {
   jwtHeaderFromJwtSigner as jwtHeaderFromJwtSigner2
 } from "@openid4vc/oauth2";
 async function createJarmAuthResponse(options) {
-  const { jarmAuthResponse, jwtEncryptor, jwtSigner, callbacks } = options;
-  if (!jwtSigner && jwtEncryptor) {
-    const { jwe } = await callbacks.encryptJwe(jwtEncryptor, JSON.stringify(jarmAuthResponse));
+  const { jarmAuthResponse, jweEncryptor, jwtSigner, callbacks } = options;
+  if (!jwtSigner && jweEncryptor) {
+    const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthResponse));
     return { jarmAuthResponseJwt: jwe };
   }
-  if (jwtSigner && !jwtEncryptor) {
+  if (jwtSigner && !jweEncryptor) {
     const signed2 = await callbacks.signJwt(jwtSigner, {
       header: jwtHeaderFromJwtSigner2(jwtSigner),
       payload: jarmAuthResponse
     });
     return { jarmAuthResponseJwt: signed2.jwt };
   }
-  if (!jwtSigner || !jwtEncryptor) {
+  if (!jwtSigner || !jweEncryptor) {
     throw new Oauth2Error5("JWT signer and/or encryptor are required to create a JARM auth response.");
   }
   const signed = await callbacks.signJwt(jwtSigner, {
     header: jwtHeaderFromJwtSigner2(jwtSigner),
     payload: jarmAuthResponse
   });
-  const encrypted = await callbacks.encryptJwe(jwtEncryptor, signed.jwt);
+  const encrypted = await callbacks.encryptJwe(jweEncryptor, signed.jwt);
   return { jarmAuthResponseJwt: encrypted.jwe };
 }
 
@@ -1081,13 +1088,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
   }
   if (!jarm) {
     return {
-      responseParams: openid4vpAuthResponseParams,
-      ...isOpenid4vpAuthorizationRequestDcApi(openid4vpAuthResponseParams) && {
-        dcApiResponseParams: {
-          protocol: "openid4vp",
-          data: openid4vpAuthResponseParams
-        }
-      }
+      responseParams: openid4vpAuthResponseParams
     };
   }
   if (!requestParams.client_metadata) {
@@ -1141,7 +1142,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
   const result = await createJarmAuthResponse({
     jarmAuthResponse: jarmResponseParams,
     jwtSigner: jarm?.jwtSigner,
-    jwtEncryptor: jarm?.encryption && (supportedJarmMetadata.type === "encrypt" || supportedJarmMetadata.type === "sign_encrypt") ? {
+    jweEncryptor: jarm?.encryption && (supportedJarmMetadata.type === "encrypt" || supportedJarmMetadata.type === "sign_encrypt") ? {
       method: "jwk",
       publicJwk: clientMetaJwks.encJwk,
       apu: jarm.encryption?.nonce,
@@ -1156,13 +1157,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
   });
   return {
     responseParams: jarmResponseParams,
-    jarm: { responseJwt: result.jarmAuthResponseJwt },
-    ...isOpenid4vpAuthorizationRequestDcApi(openid4vpAuthResponseParams) && {
-      dcApiResponseParams: {
-        protocol: "openid4vp",
-        data: jarmResponseParams
-      }
-    }
+    jarm: { responseJwt: result.jarmAuthResponseJwt }
   };
 }
 
@@ -1420,7 +1415,7 @@ import { z as z18 } from "zod";
 
 // src/vp-token/z-vp-token.ts
 import { z as z17 } from "zod";
-var zVpToken = z17.union([z17.string(), z17.array(z17.string()), z17.record(z17.string(), z17.unknown())]);
+var zVpToken = z17.union([z17.string(), z17.array(z17.union([z17.string(), z17.record(z17.any())])), z17.record(z17.any())]);
 
 // src/authorization-response/z-authorization-response.ts
 var zOpenid4vpAuthorizationResponse = z18.object({
@@ -1434,25 +1429,8 @@ var zOpenid4vpAuthorizationResponse = z18.object({
   expires_in: z18.number().optional()
 }).passthrough();
 
-// src/authorization-response/z-authorization-response-dc-api.ts
-import { z as z19 } from "zod";
-var zOpenid4vpAuthorizationResponseDcApi = z19.object({
-  protocol: z19.literal("openid4vp"),
-  data: zOpenid4vpAuthorizationResponse
-}).passthrough();
-function isOpenid4vpAuthorizationResponseDcApi(response) {
-  return "protocol" in response && "data" in response;
-}
-
 // src/authorization-response/parse-authorization-response-payload.ts
 function parseOpenid4VpAuthorizationResponsePayload(payload) {
-  if (isOpenid4vpAuthorizationRequestDcApi(payload)) {
-    return parseWithErrorHandling6(
-      zOpenid4vpAuthorizationResponseDcApi,
-      payload,
-      "Failed to to parse openid4vp dc_api authorization response."
-    );
-  }
   return parseWithErrorHandling6(
     zOpenid4vpAuthorizationResponse,
     payload,
@@ -1469,30 +1447,30 @@ import {
   zJwtHeader as zJwtHeader2
 } from "@openid4vc/oauth2";
 import { decodeBase64 as decodeBase642, encodeToUtf8String as encodeToUtf8String2, parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
-import z20 from "zod";
+import z19 from "zod";
 async function parseJarmAuthorizationResponse(options) {
   const { jarmResponseJwt, callbacks } = options;
   const jarmAuthorizationResponseJwt = parseWithErrorHandling7(
-    z20.union([zCompactJwt4, zCompactJwe3]),
+    z19.union([zCompactJwt4, zCompactJwe3]),
     jarmResponseJwt,
     "Invalid jarm authorization response jwt."
   );
   const verifiedJarmResponse = await verifyJarmAuthorizationResponse({ jarmAuthorizationResponseJwt, callbacks });
-  const zJarmHeader = z20.object({ ...zJwtHeader2.shape, apu: z20.string().optional(), apv: z20.string().optional() });
+  const zJarmHeader = z19.object({ ...zJwtHeader2.shape, apu: z19.string().optional(), apv: z19.string().optional() });
   const { header: jarmHeader } = decodeJwtHeader2({
     jwt: jarmAuthorizationResponseJwt,
     headerSchema: zJarmHeader
   });
   const parsedAuthorizationRequest = parseOpenid4vpAuthorizationRequestPayload({
-    requestPayload: verifiedJarmResponse.authRequest
+    authorizationRequest: verifiedJarmResponse.authorizationRequest
   });
-  if (parsedAuthorizationRequest.type !== "openid4vp") {
+  if (parsedAuthorizationRequest.type !== "openid4vp" && parsedAuthorizationRequest.type !== "openid4vp_dc_api") {
     throw new Oauth2Error12("Invalid authorization request. Could not parse openid4vp authorization request.");
   }
   const authResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthResponse);
   const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponse({
     authorizationRequest: parsedAuthorizationRequest.params,
-    authorizationResponse: isOpenid4vpAuthorizationResponseDcApi(authResponsePayload) ? authResponsePayload.data : authResponsePayload
+    authorizationResponse: authResponsePayload
   });
   const authRequestPayload = parsedAuthorizationRequest.params;
   if (!authRequestPayload.response_mode || !isJarmResponseMode(authRequestPayload.response_mode)) {
@@ -1525,15 +1503,15 @@ async function parseOpenid4vpAuthorizationResponse(options) {
     return parseJarmAuthorizationResponse({ jarmResponseJwt: responsePayload.response, callbacks });
   }
   const authResponsePayload = parseOpenid4VpAuthorizationResponsePayload(responsePayload);
-  const authRequest = await callbacks.getOpenid4vpAuthorizationRequest(authResponsePayload);
-  const parsedAuthRequest = parseOpenid4vpAuthorizationRequestPayload({ requestPayload: authRequest.authRequest });
+  const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(authResponsePayload);
+  const parsedAuthRequest = parseOpenid4vpAuthorizationRequestPayload({ authorizationRequest });
   if (parsedAuthRequest.type !== "openid4vp" && parsedAuthRequest.type !== "openid4vp_dc_api") {
     throw new Oauth2Error13("Invalid authorization request. Could not parse openid4vp authorization request.");
   }
   const authRequestPayload = parsedAuthRequest.params;
   const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponse({
     authorizationRequest: authRequestPayload,
-    authorizationResponse: isOpenid4vpAuthorizationResponseDcApi(authResponsePayload) ? authResponsePayload.data : authResponsePayload
+    authorizationResponse: authResponsePayload
   });
   if (authRequestPayload.response_mode && isJarmResponseMode(authRequestPayload.response_mode)) {
     throw new Oauth2ServerErrorResponseError10(
@@ -1599,22 +1577,22 @@ var Openid4vpVerifier = class {
 };
 
 // src/models/z-credential-formats.ts
-import { z as z21 } from "zod";
-var zCredentialFormat = z21.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt"]);
+import { z as z20 } from "zod";
+var zCredentialFormat = z20.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt"]);
 
 // src/models/z-proof-formats.ts
-import { z as z22 } from "zod";
-var zProofFormat = z22.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "mso_mdoc"]);
+import { z as z21 } from "zod";
+var zProofFormat = z21.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "mso_mdoc"]);
 
 // src/models/z-wallet-metadata.ts
-import { z as z23 } from "zod";
-var zWalletMetadata = z23.object({
-  presentation_definition_uri_supported: z23.optional(z23.boolean()),
+import { z as z22 } from "zod";
+var zWalletMetadata = z22.object({
+  presentation_definition_uri_supported: z22.optional(z22.boolean()),
   vp_formats_supported: zVpFormatsSupported,
-  client_id_schemes_supported: z23.optional(z23.array(zClientIdScheme)),
-  request_object_signing_alg_values_supported: z23.optional(z23.array(z23.string())),
-  authorization_encryption_alg_values_supported: z23.optional(z23.array(z23.string())),
-  authorization_encryption_enc_values_supported: z23.optional(z23.array(z23.string()))
+  client_id_schemes_supported: z22.optional(z22.array(zClientIdScheme)),
+  request_object_signing_alg_values_supported: z22.optional(z22.array(z22.string())),
+  authorization_encryption_alg_values_supported: z22.optional(z22.array(z22.string())),
+  authorization_encryption_enc_values_supported: z22.optional(z22.array(z22.string()))
 });
 export {
   Openid4vpClient,
@@ -1623,7 +1601,6 @@ export {
   createOpenid4vpAuthorizationResponse,
   isJarmResponseMode,
   isOpenid4vpAuthorizationRequestDcApi,
-  isOpenid4vpAuthorizationResponseDcApi,
   parseJarmAuthorizationResponse,
   parseOpenid4vpAuthorizationRequestPayload,
   parseOpenid4vpAuthorizationResponse,
@@ -1639,7 +1616,6 @@ export {
   zCredentialFormat,
   zJarmClientMetadata,
   zOpenid4vpAuthorizationResponse,
-  zOpenid4vpAuthorizationResponseDcApi,
   zProofFormat,
   zWalletMetadata
 };