@openid4vc/openid4vp 0.3.0-alpha-20250320222745 → 0.3.0-alpha-20250321120839

package/dist/index.mjs

@@ -1,6 +1,6 @@
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes2, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError2, getGlobalConfig } from "@openid4vc/oauth2";
-import { URL as URL2 } from "@openid4vc/utils";
+import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from "@openid4vc/oauth2";
+import { URL as URL2, zHttpsUrl as zHttpsUrl3 } from "@openid4vc/utils";
 
 // src/authorization-request/z-authorization-request-dc-api.ts
 import { z as z5 } from "zod";
@@ -139,37 +139,31 @@ var zOpenid4vpAuthorizationRequestFromUriParams = z4.string().url().transform((u
 );
 
 // src/authorization-request/z-authorization-request-dc-api.ts
+var zOpenid4vpResponseModeDcApi = z5.enum(["dc_api", "dc_api.jwt", "w3c_dc_api.jwt", "w3c_dc_api"]);
 var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
-  client_id: true,
   response_type: true,
-  response_mode: true,
   nonce: true,
   presentation_definition: true,
   client_metadata: true,
   transaction_data: true,
   dcql_query: true,
-  trust_chain: true
+  trust_chain: true,
+  state: true
 }).extend({
   client_id: z5.optional(z5.string()),
   expected_origins: z5.array(z5.string()).optional(),
-  response_mode: z5.enum(["dc_api", "dc_api.jwt", "w3c_dc_api.jwt", "w3c_dc_api"]),
-  client_id_scheme: z5.enum([
-    "pre-registered",
-    "redirect_uri",
-    "entity_id",
-    "did",
-    "verifier_attestation",
-    "x509_san_dns",
-    "x509_san_uri"
-  ]).optional()
-}).strip();
+  response_mode: zOpenid4vpResponseModeDcApi,
+  // Not allowed with dc_api, but added to make working with interfaces easier
+  client_id_scheme: z5.never().optional(),
+  scope: z5.never().optional()
+  // TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?
+});
 function isOpenid4vpAuthorizationRequestDcApi(request) {
-  return request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt" || request.response_mode === "w3c_dc_api.jwt" || request.response_mode === "w3c_dc_api";
+  return request.response_mode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(
+    request.response_mode
+  );
 }
 
-// src/version.ts
-import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from "@openid4vc/oauth2";
-
 // src/client-identifier-scheme/z-client-id-scheme.ts
 import { z as z6 } from "zod";
 var zClientIdScheme = z6.enum([
@@ -182,155 +176,114 @@ var zClientIdScheme = z6.enum([
   "x509_san_uri",
   "web-origin"
 ]);
-
-// src/version.ts
-function parseAuthorizationRequestVersion(request) {
-  const requirements = [];
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
-    requirements.push(["<", 23]);
-    requirements.push([">=", 21]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt") {
-    requirements.push([">=", 23]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
-    requirements.push([">=", 23]);
-  }
-  if (request.dcql_query) {
-    requirements.push([">=", 22]);
-  }
-  if (request.transaction_data) {
-    requirements.push([">=", 22]);
-  }
-  if (request.client_id_scheme) {
-    requirements.push(["<", 22]);
-  }
-  if (request.client_id) {
-    const colonIndex = request.client_id.indexOf(":");
-    const schemePart = request.client_id.substring(0, colonIndex);
-    const parsedScheme = zClientIdScheme.safeParse(schemePart);
-    if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
-      requirements.push([">=", 22]);
-    }
-  }
-  if (!request.client_id) {
-    requirements.push([">=", 21]);
-  }
-  if ("client_metadata_uri" in request) {
-    requirements.push(["<", 21]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request)) {
-    requirements.push([">=", 21]);
-  }
-  if ("request_uri_method" in request || "wallet_nonce" in request) {
-    requirements.push([">=", 21]);
-  }
-  if (request.client_id_scheme === "verifier_attestation") {
-    requirements.push([">=", 20]);
-  }
-  if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
-    requirements.push([">=", 19]);
-  }
-  const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
-  const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
-  const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 24;
-  const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
-  if (lowestRequiredVersion > highestPossibleVersion) {
-    throw new Oauth2ServerErrorResponseError({
-      error: Oauth2ErrorCodes.InvalidRequest,
-      error_description: "Could not infer openid4vp version from the openid4vp request payload."
-    });
-  }
-  return highestPossibleVersion;
-}
+var zLegacyClientIdScheme = z6.enum([
+  "pre-registered",
+  "redirect_uri",
+  "entity_id",
+  "did",
+  "verifier_attestation",
+  "x509_san_dns",
+  "x509_san_uri"
+]);
 
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
 function getOpenid4vpClientId(options) {
-  const version = parseAuthorizationRequestVersion(options.authorizationRequestPayload);
-  if (version < 22) {
-    return getLegacyClientId(options);
-  }
   if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
     if (!options.origin) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
         error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
       });
     }
-    if (!options.jar || !options.authorizationRequestPayload.client_id) return `web-origin:${options.origin}`;
-    return options.authorizationRequestPayload.client_id;
+    return {
+      clientId: options.authorizationRequestPayload.client_id ?? `web-origin:${options.origin}`
+    };
   }
-  return options.authorizationRequestPayload.client_id;
-}
-function getLegacyClientId(options) {
-  const legacyClientIdScheme = options.authorizationRequestPayload.client_id_scheme ?? "pre-registered";
-  const clientIdScheme = legacyClientIdScheme === "entity_id" ? "https" : legacyClientIdScheme;
-  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
-    if (!options.origin) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
-        error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
+  if (!options.authorizationRequestPayload.client_id) {
+    throw new Oauth2ServerErrorResponseError({
+      error: Oauth2ErrorCodes.InvalidRequest,
+      error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.authorizationRequestPayload.response_mode}'.`
+    });
+  }
+  if (options.authorizationRequestPayload.client_id_scheme) {
+    const parsedClientIdScheme = zLegacyClientIdScheme.safeParse(options.authorizationRequestPayload.client_id_scheme);
+    if (!parsedClientIdScheme.success) {
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
+        error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.authorizationRequestPayload.client_id_scheme}'.`
       });
     }
-    if (!options.jar || !options.authorizationRequestPayload.client_id) return `web-origin:${options.origin}`;
-    return `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`;
-  }
-  if (clientIdScheme === "https" || clientIdScheme === "did") {
-    return options.authorizationRequestPayload.client_id;
-  }
-  if (clientIdScheme === "pre-registered") {
-    return options.authorizationRequestPayload.client_id;
+    const clientIdScheme = parsedClientIdScheme.data === "entity_id" ? "https" : parsedClientIdScheme.data;
+    if (clientIdScheme === "https" || clientIdScheme === "did" || clientIdScheme === "pre-registered") {
+      return { clientId: options.authorizationRequestPayload.client_id };
+    }
+    return {
+      clientId: `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`,
+      legacyClientId: options.authorizationRequestPayload.client_id
+    };
   }
-  return `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`;
+  return {
+    clientId: options.authorizationRequestPayload.client_id
+  };
 }
 function parseClientIdentifier(options, parserConfig) {
-  const { authorizationRequestPayload, jar } = options;
+  const { authorizationRequestPayload, jar, origin } = options;
   const parserConfigWithDefaults = {
     supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
   };
-  const clientId = getOpenid4vpClientId(options);
+  const { clientId, legacyClientId } = getOpenid4vpClientId({
+    authorizationRequestPayload,
+    origin
+  });
   const colonIndex = clientId.indexOf(":");
   if (colonIndex === -1) {
     return {
       scheme: "pre-registered",
       identifier: clientId,
       originalValue: clientId,
+      legacyClientId,
       clientMetadata: authorizationRequestPayload.client_metadata
     };
   }
   const schemePart = clientId.substring(0, colonIndex);
   const identifierPart = clientId.substring(colonIndex + 1);
   if (!parserConfigWithDefaults.supportedSchemes.includes(schemePart)) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError({
+      error: Oauth2ErrorCodes.InvalidRequest,
       error_description: `Unsupported client identifier scheme. ${schemePart} is not supported.`
     });
   }
   const scheme = schemePart;
   if (scheme === "https") {
-    if (!clientId.startsWith("https://") && !(getGlobalConfig().allowInsecureUrls && clientId.startsWith("http://"))) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
-        error_description: "Invalid client identifier. Client identifier must start with https:// or http:// if allowInsecureUrls is true."
-      });
+    if (!zHttpsUrl3.safeParse(clientId).success) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: Oauth2ErrorCodes.InvalidRequest,
+          error_description: "Invalid client identifier. Client identifier must start with https://"
+        },
+        {
+          internalMessage: `Insecure http:// urls can be enabled by setting the 'allowInsecureUrls' option using setGlobalConfig`
+        }
+      );
     }
     return {
       scheme,
       identifier: clientId,
       originalValue: clientId,
+      legacyClientId,
       trustChain: authorizationRequestPayload.trust_chain
     };
   }
   if (scheme === "redirect_uri") {
     if (jar) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
         error_description: 'Using client identifier scheme "redirect_uri" the request MUST NOT be signed.'
       });
     }
     if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
         error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`
       });
     }
@@ -338,31 +291,32 @@ function parseClientIdentifier(options, parserConfig) {
       scheme,
       identifier: identifierPart,
       originalValue: clientId,
+      legacyClientId,
       redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
     };
   }
   if (scheme === "did") {
     if (!jar) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
         error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
       });
     }
     if (!clientId.startsWith("did:")) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
         error_description: "Invalid client identifier. Client identifier must start with 'did:'"
       });
     }
     if (!jar.signer.publicJwk.kid) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
         error_description: `Missing required 'kid' for client identifier scheme: did`
       });
     }
     if (!jar.signer.publicJwk.kid?.startsWith(clientId)) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
         error_description: 'With client identifier scheme "did" the JAR request must be signed by the same DID as the client identifier.'
       });
     }
@@ -370,27 +324,28 @@ function parseClientIdentifier(options, parserConfig) {
       scheme,
       identifier: clientId,
       originalValue: clientId,
+      legacyClientId,
       didUrl: jar.signer.publicJwk.kid
     };
   }
   if (scheme === "x509_san_dns" || scheme === "x509_san_uri") {
     if (!jar) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
         error_description: 'Using client identifier scheme "x509_san_dns" or "x509_san_uri" requires a signed JAR request.'
       });
     }
     if (jar.signer.method !== "x5c") {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
         error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
       });
     }
     if (scheme === "x509_san_dns") {
       if (!options.callbacks.getX509CertificateMetadata) {
-        throw new Oauth2ServerErrorResponseError2(
+        throw new Oauth2ServerErrorResponseError(
           {
-            error: Oauth2ErrorCodes2.ServerError
+            error: Oauth2ErrorCodes.ServerError
           },
           {
             internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme"
@@ -399,25 +354,25 @@ function parseClientIdentifier(options, parserConfig) {
       }
       const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
       if (!sanDnsNames.includes(identifierPart)) {
-        throw new Oauth2ServerErrorResponseError2({
-          error: Oauth2ErrorCodes2.InvalidRequest,
+        throw new Oauth2ServerErrorResponseError({
+          error: Oauth2ErrorCodes.InvalidRequest,
           error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${identifierPart}'. `
         });
       }
       if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
         const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
         if (!uri || new URL2(uri).hostname !== identifierPart) {
-          throw new Oauth2ServerErrorResponseError2({
-            error: Oauth2ErrorCodes2.InvalidRequest,
+          throw new Oauth2ServerErrorResponseError({
+            error: Oauth2ErrorCodes.InvalidRequest,
             error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
           });
         }
       }
     } else if (scheme === "x509_san_uri") {
       if (!options.callbacks.getX509CertificateMetadata) {
-        throw new Oauth2ServerErrorResponseError2(
+        throw new Oauth2ServerErrorResponseError(
           {
-            error: Oauth2ErrorCodes2.ServerError
+            error: Oauth2ErrorCodes.ServerError
           },
           {
             internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme"
@@ -426,16 +381,16 @@ function parseClientIdentifier(options, parserConfig) {
       }
       const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
       if (!sanUriNames.includes(identifierPart)) {
-        throw new Oauth2ServerErrorResponseError2({
-          error: Oauth2ErrorCodes2.InvalidRequest,
+        throw new Oauth2ServerErrorResponseError({
+          error: Oauth2ErrorCodes.InvalidRequest,
           error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${identifierPart}'.`
         });
       }
       if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
         const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
         if (!uri || uri !== identifierPart) {
-          throw new Oauth2ServerErrorResponseError2({
-            error: Oauth2ErrorCodes2.InvalidRequest,
+          throw new Oauth2ServerErrorResponseError({
+            error: Oauth2ErrorCodes.InvalidRequest,
             error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
           });
         }
@@ -445,6 +400,7 @@ function parseClientIdentifier(options, parserConfig) {
       scheme,
       identifier: identifierPart,
       originalValue: clientId,
+      legacyClientId,
       x5c: jar.signer.x5c
     };
   }
@@ -453,13 +409,14 @@ function parseClientIdentifier(options, parserConfig) {
       scheme,
       identifier: identifierPart,
       originalValue: clientId,
+      legacyClientId,
       clientMetadata: authorizationRequestPayload.client_metadata
     };
   }
   if (scheme === "verifier_attestation") {
     if (!jar) {
-      throw new Oauth2ServerErrorResponseError2({
-        error: Oauth2ErrorCodes2.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError({
+        error: Oauth2ErrorCodes.InvalidRequest,
         error_description: 'Using client identifier scheme "verifier_attestation" requires a signed JAR request.'
       });
     }
@@ -467,6 +424,7 @@ function parseClientIdentifier(options, parserConfig) {
   return {
     scheme,
     identifier: identifierPart,
+    legacyClientId,
     originalValue: clientId
   };
 }
@@ -622,94 +580,94 @@ async function createJarAuthorizationRequest(options) {
 }
 
 // src/authorization-request/validate-authorization-request.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError3 } from "@openid4vc/oauth2";
-import { zHttpsUrl as zHttpsUrl3 } from "@openid4vc/utils";
+import { Oauth2ErrorCodes as Oauth2ErrorCodes2, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError2 } from "@openid4vc/oauth2";
+import { zHttpsUrl as zHttpsUrl4 } from "@openid4vc/utils";
 var validateOpenid4vpAuthorizationRequestPayload = (options) => {
   const { params, walletVerificationOptions } = options;
   if (!params.redirect_uri && !params.response_uri) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequest,
       error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
     });
   }
   if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequest,
       error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
     });
   }
   if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
     Boolean
   ).length > 1) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequest,
       error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
     });
   }
   if (params.request_uri_method && !params.request_uri) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequest,
       error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
     });
   }
   if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequestUriMethod,
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequestUriMethod,
       error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
     });
   }
-  if (params.trust_chain && !zHttpsUrl3.safeParse(params.client_id).success) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+  if (params.trust_chain && !zHttpsUrl4.safeParse(params.client_id).success) {
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequest,
       error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
     });
   }
   if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequest,
       error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
     });
   }
   if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequest,
       error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
     });
   }
   if (params.client_id.startsWith("web-origin:")) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequest,
       error_description: `The 'client_id' parameter MUST NOT use client identifier scheme 'web-origin' when not using the dc_api response mode. Current: ${params.client_id}`
     });
   }
 };
 
 // src/authorization-request/validate-authorization-request-dc-api.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4 } from "@openid4vc/oauth2";
+import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError3 } from "@openid4vc/oauth2";
 var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
   const { params, isJarRequest, disableOriginValidation, origin } = options;
   if (isJarRequest && !params.expected_origins) {
-    throw new Oauth2ServerErrorResponseError4({
-      error: Oauth2ErrorCodes4.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
       error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
     });
   }
   if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
-    throw new Oauth2ServerErrorResponseError4({
-      error: Oauth2ErrorCodes4.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
       error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
     });
   }
   if (params.expected_origins && !disableOriginValidation) {
     if (!origin) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes4.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError3({
+        error: Oauth2ErrorCodes3.InvalidRequest,
         error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
       });
     }
     if (params.expected_origins && !params.expected_origins.includes(origin)) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes4.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError3({
+        error: Oauth2ErrorCodes3.InvalidRequest,
         error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
       });
     }
@@ -789,25 +747,25 @@ import { parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/ut
 import z10 from "zod";
 
 // src/jar/z-jar-authorization-request.ts
-import { Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5 } from "@openid4vc/oauth2";
-import { zHttpsUrl as zHttpsUrl4 } from "@openid4vc/utils";
+import { Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4 } from "@openid4vc/oauth2";
+import { zHttpsUrl as zHttpsUrl5 } from "@openid4vc/utils";
 import { z as z9 } from "zod";
 var zJarAuthorizationRequest = z9.object({
   request: z9.optional(z9.string()),
-  request_uri: z9.optional(zHttpsUrl4),
+  request_uri: z9.optional(zHttpsUrl5),
   request_uri_method: z9.optional(z9.string()),
   client_id: z9.optional(z9.string())
 }).passthrough();
 function validateJarRequestParams(options) {
   const { jarRequestParams } = options;
   if (jarRequestParams.request && jarRequestParams.request_uri) {
-    throw new Oauth2ServerErrorResponseError5({
+    throw new Oauth2ServerErrorResponseError4({
       error: "invalid_request_object",
       error_description: "request and request_uri cannot both be present in a JAR request"
     });
   }
   if (!jarRequestParams.request && !jarRequestParams.request_uri) {
-    throw new Oauth2ServerErrorResponseError5({
+    throw new Oauth2ServerErrorResponseError4({
       error: "invalid_request_object",
       error_description: "request or request_uri must be present"
     });
@@ -870,7 +828,7 @@ import { parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/ut
 import z14 from "zod";
 
 // src/fetch-client-metadata.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes5, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6 } from "@openid4vc/oauth2";
+import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5 } from "@openid4vc/oauth2";
 import { ContentType, createZodFetcher } from "@openid4vc/utils";
 async function fetchClientMetadata(options) {
   const { fetch, clientMetadataUri } = options;
@@ -882,15 +840,15 @@ async function fetchClientMetadata(options) {
     }
   });
   if (!response.ok) {
-    throw new Oauth2ServerErrorResponseError6({
+    throw new Oauth2ServerErrorResponseError5({
       error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
-      error: Oauth2ErrorCodes5.InvalidRequestUri
+      error: Oauth2ErrorCodes4.InvalidRequestUri
     });
   }
   if (!result || !result.success) {
-    throw new Oauth2ServerErrorResponseError6({
+    throw new Oauth2ServerErrorResponseError5({
       error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
-      error: Oauth2ErrorCodes5.InvalidRequestObject
+      error: Oauth2ErrorCodes4.InvalidRequestObject
     });
   }
   return result.data;
@@ -907,6 +865,68 @@ import {
   zCompactJwt as zCompactJwt2
 } from "@openid4vc/oauth2";
 
+// src/version.ts
+import { Oauth2ErrorCodes as Oauth2ErrorCodes5, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6 } from "@openid4vc/oauth2";
+function parseAuthorizationRequestVersion(request) {
+  const requirements = [];
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
+    requirements.push(["<", 23]);
+    requirements.push([">=", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt") {
+    requirements.push([">=", 23]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
+    requirements.push([">=", 23]);
+  }
+  if (request.dcql_query) {
+    requirements.push([">=", 22]);
+  }
+  if (request.transaction_data) {
+    requirements.push([">=", 22]);
+  }
+  if (request.client_id_scheme) {
+    requirements.push(["<", 22]);
+  }
+  if (request.client_id) {
+    const colonIndex = request.client_id.indexOf(":");
+    const schemePart = request.client_id.substring(0, colonIndex);
+    const parsedScheme = zClientIdScheme.safeParse(schemePart);
+    if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
+      requirements.push([">=", 22]);
+    }
+  }
+  if (!request.client_id) {
+    requirements.push([">=", 21]);
+  }
+  if (request.client_metadata_uri) {
+    requirements.push(["<", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request)) {
+    requirements.push([">=", 21]);
+  }
+  if (request.request_uri_method || request.wallet_nonce) {
+    requirements.push([">=", 21]);
+  }
+  if (request.client_id_scheme === "verifier_attestation") {
+    requirements.push([">=", 20]);
+  }
+  if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
+    requirements.push([">=", 19]);
+  }
+  const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
+  const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
+  const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 24;
+  const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
+  if (lowestRequiredVersion > highestPossibleVersion) {
+    throw new Oauth2ServerErrorResponseError6({
+      error: Oauth2ErrorCodes5.InvalidRequest,
+      error_description: "Could not infer openid4vp version from the openid4vp request payload."
+    });
+  }
+  return highestPossibleVersion;
+}
+
 // src/jar/jar-request-object/fetch-jar-request-object.ts
 import { Oauth2ErrorCodes as Oauth2ErrorCodes6, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError7 } from "@openid4vc/oauth2";
 import { ContentType as ContentType2, createZodFetcher as createZodFetcher2, objectToQueryParams as objectToQueryParams2 } from "@openid4vc/utils";
@@ -955,7 +975,7 @@ async function verifyJarRequest(options) {
   const { callbacks, wallet = {} } = options;
   const jarRequestParams = validateJarRequestParams(options);
   const sendBy = jarRequestParams.request ? "value" : "reference";
-  const clientIdentifierScheme = jarRequestParams.client_id ? zClientIdScheme.parse(jarRequestParams.client_id.split(":")[0]) : "web-origin";
+  const clientIdentifierScheme = jarRequestParams.client_id ? zClientIdScheme.safeParse(jarRequestParams.client_id.split(":")[0]).data : "web-origin";
   const method = jarRequestParams.request_uri_method ?? "GET";
   if (method !== "GET" && method !== "POST") {
     throw new Oauth2ServerErrorResponseError8({
@@ -1263,7 +1283,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
   const { authorizationRequestPayload, jarm, callbacks } = options;
   const authorizationResponsePayload = {
     ...options.authorizationResponsePayload,
-    ..."state" in authorizationRequestPayload && { state: authorizationRequestPayload.state }
+    state: authorizationRequestPayload.state
   };
   if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode) && !jarm) {
     throw new Oauth2Error7(
@@ -1447,7 +1467,7 @@ function parseDcqlVpToken(vpToken) {
 // src/authorization-response/validate-authorization-response.ts
 function validateOpenid4vpAuthorizationResponsePayload(options) {
   const { authorizationRequestPayload, authorizationResponsePayload } = options;
-  if ("state" in authorizationRequestPayload && authorizationRequestPayload.state !== authorizationResponsePayload.state) {
+  if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) {
     throw new Oauth2Error10("OpenId4Vp Authorization Response state mismatch.");
   }
   if (authorizationResponsePayload.id_token) {
@@ -1459,7 +1479,7 @@ function validateOpenid4vpAuthorizationResponsePayload(options) {
     }
     return {
       type: "pex",
-      pex: "scope" in authorizationRequestPayload && authorizationRequestPayload.scope ? {
+      pex: authorizationRequestPayload.scope ? {
         scope: authorizationRequestPayload.scope,
         presentationSubmission: authorizationResponsePayload.presentation_submission,
         presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
@@ -1474,7 +1494,7 @@ function validateOpenid4vpAuthorizationResponsePayload(options) {
     const presentations = parseDcqlVpToken(authorizationResponsePayload.vp_token);
     return {
       type: "dcql",
-      dcql: "scope" in authorizationRequestPayload && authorizationRequestPayload.scope ? {
+      dcql: authorizationRequestPayload.scope ? {
         scope: authorizationRequestPayload.scope,
         presentations
       } : {
@@ -1568,13 +1588,18 @@ async function parseJarmAuthorizationResponse(options) {
 // src/authorization-response/parse-authorization-response.ts
 async function parseOpenid4vpAuthorizationResponse(options) {
   const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
-  const expectedClientId = getOpenid4vpClientId({ authorizationRequestPayload, origin });
+  const expectedClientId = getOpenid4vpClientId({
+    origin,
+    authorizationRequestPayload
+  });
   if (authorizationResponse.response) {
     return parseJarmAuthorizationResponse({
       jarmResponseJwt: authorizationResponse.response,
       callbacks,
       authorizationRequestPayload,
-      expectedClientId
+      // If client_id_scheme was provided we should use the legacy (unprefixed) client id scheme
+      // TODO: allow both versions, in case of e.g. did:
+      expectedClientId: expectedClientId.legacyClientId ?? expectedClientId.clientId
     });
   }
   const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(authorizationResponse);