@openid4vc/openid4vp 0.3.0-alpha-20250322171044 → 0.3.0-alpha-20250324175730

package/dist/index.js

@@ -182,7 +182,7 @@ var zOpenid4vpAuthorizationRequest = import_zod4.z.object({
   client_metadata_uri: import_utils3.zHttpsUrl.optional(),
   state: import_zod4.z.string().optional(),
   transaction_data: import_zod4.z.array(import_zod4.z.string().base64url()).optional(),
-  trust_chain: import_zod4.z.unknown().optional(),
+  trust_chain: import_zod4.z.array(import_zod4.z.string()).nonempty().optional(),
   client_id_scheme: import_zod4.z.enum([
     "pre-registered",
     "redirect_uri",
@@ -222,10 +222,11 @@ var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
   scope: import_zod5.z.never().optional()
   // TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?
 });
+function isOpenid4vpResponseModeDcApi(responseMode) {
+  return responseMode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(responseMode);
+}
 function isOpenid4vpAuthorizationRequestDcApi(request) {
-  return request.response_mode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(
-    request.response_mode
-  );
+  return isOpenid4vpResponseModeDcApi(request.response_mode);
 }
 
 // src/client-identifier-scheme/z-client-id-scheme.ts
@@ -240,6 +241,15 @@ var zClientIdScheme = import_zod6.z.enum([
   "x509_san_uri",
   "web-origin"
 ]);
+var zClientIdToClientIdScheme = import_zod6.z.union(
+  [
+    import_zod6.z.string({ message: "client_id MUST be a string" }).includes(":").transform((clientId) => clientId.split(":")[0]).pipe(zClientIdScheme.exclude(["pre-registered"])),
+    import_zod6.z.string().refine((clientId) => clientId.includes(":") === false).transform(() => "pre-registered")
+  ],
+  {
+    message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdScheme.exclude(["pre-registered"]).options.join(", ")}`
+  }
+);
 var zLegacyClientIdScheme = import_zod6.z.enum([
   "pre-registered",
   "redirect_uri",
@@ -249,58 +259,80 @@ var zLegacyClientIdScheme = import_zod6.z.enum([
   "x509_san_dns",
   "x509_san_uri"
 ]);
+var zLegacyClientIdSchemeToClientIdScheme = zLegacyClientIdScheme.optional().default("pre-registered").transform((clientIdScheme) => clientIdScheme === "entity_id" ? "https" : clientIdScheme);
 
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
 function getOpenid4vpClientId(options) {
-  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
-    if (!options.origin) {
+  if (isOpenid4vpResponseModeDcApi(options.responseMode)) {
+    if (!options.clientId) {
+      if (!options.origin) {
+        throw new import_oauth23.Oauth2ServerErrorResponseError({
+          error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
+          error_description: "Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'"
+        });
+      }
+      return {
+        clientIdScheme: "web-origin",
+        clientId: `web-origin:${options.origin}`
+      };
+    }
+    const parsedClientIdScheme2 = zClientIdToClientIdScheme.safeParse(options.clientId);
+    if (!parsedClientIdScheme2.success) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
-        error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
+        error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
       });
     }
     return {
-      clientId: options.authorizationRequestPayload.client_id ?? `web-origin:${options.origin}`
+      clientId: options.clientId,
+      clientIdScheme: parsedClientIdScheme2.data
     };
   }
-  if (!options.authorizationRequestPayload.client_id) {
+  if (!options.clientId) {
     throw new import_oauth23.Oauth2ServerErrorResponseError({
       error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
-      error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.authorizationRequestPayload.response_mode}'.`
+      error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`
     });
   }
-  if (options.authorizationRequestPayload.client_id_scheme) {
-    const parsedClientIdScheme = zLegacyClientIdScheme.safeParse(options.authorizationRequestPayload.client_id_scheme);
-    if (!parsedClientIdScheme.success) {
+  if (options.legacyClientIdScheme) {
+    const parsedClientIdScheme2 = zLegacyClientIdSchemeToClientIdScheme.safeParse(options.legacyClientIdScheme);
+    if (!parsedClientIdScheme2.success) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
-        error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.authorizationRequestPayload.client_id_scheme}'.`
+        error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`
       });
     }
-    const clientIdScheme = parsedClientIdScheme.data === "entity_id" ? "https" : parsedClientIdScheme.data;
-    if (clientIdScheme === "https" || clientIdScheme === "did" || clientIdScheme === "pre-registered") {
-      return { clientId: options.authorizationRequestPayload.client_id };
-    }
+    const clientIdScheme = parsedClientIdScheme2.data;
     return {
-      clientId: `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`,
-      legacyClientId: options.authorizationRequestPayload.client_id
+      clientId: clientIdScheme === "https" || clientIdScheme === "did" || clientIdScheme === "pre-registered" ? options.clientId : `${parsedClientIdScheme2.data}:${options.clientId}`,
+      clientIdScheme: parsedClientIdScheme2.data,
+      legacyClientId: options.clientId
     };
   }
+  const parsedClientIdScheme = zClientIdToClientIdScheme.safeParse(options.clientId);
+  if (!parsedClientIdScheme.success) {
+    throw new import_oauth23.Oauth2ServerErrorResponseError({
+      error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
+      error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
+    });
+  }
   return {
-    clientId: options.authorizationRequestPayload.client_id
+    clientId: options.clientId,
+    clientIdScheme: parsedClientIdScheme.data
   };
 }
-function parseClientIdentifier(options, parserConfig) {
+function validateOpenid4vpClientId(options, parserConfig) {
   const { authorizationRequestPayload, jar, origin } = options;
   const parserConfigWithDefaults = {
     supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
   };
-  const { clientId, legacyClientId } = getOpenid4vpClientId({
-    authorizationRequestPayload,
+  const { clientId, legacyClientId, clientIdScheme } = getOpenid4vpClientId({
+    clientId: authorizationRequestPayload.client_id,
+    legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
+    responseMode: authorizationRequestPayload.response_mode,
     origin
   });
-  const colonIndex = clientId.indexOf(":");
-  if (colonIndex === -1) {
+  if (clientIdScheme === "pre-registered") {
     return {
       scheme: "pre-registered",
       identifier: clientId,
@@ -309,16 +341,15 @@ function parseClientIdentifier(options, parserConfig) {
       clientMetadata: authorizationRequestPayload.client_metadata
     };
   }
-  const schemePart = clientId.substring(0, colonIndex);
+  const colonIndex = clientId.indexOf(":");
   const identifierPart = clientId.substring(colonIndex + 1);
-  if (!parserConfigWithDefaults.supportedSchemes.includes(schemePart)) {
+  if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdScheme)) {
     throw new import_oauth23.Oauth2ServerErrorResponseError({
       error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
-      error_description: `Unsupported client identifier scheme. ${schemePart} is not supported.`
+      error_description: `Unsupported client identifier scheme. ${clientIdScheme} is not supported.`
     });
   }
-  const scheme = schemePart;
-  if (scheme === "https") {
+  if (clientIdScheme === "https") {
     if (!import_utils4.zHttpsUrl.safeParse(clientId).success) {
       throw new import_oauth23.Oauth2ServerErrorResponseError(
         {
@@ -330,15 +361,27 @@ function parseClientIdentifier(options, parserConfig) {
         }
       );
     }
+    if (!jar) {
+      throw new import_oauth23.Oauth2ServerErrorResponseError({
+        error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
+        error_description: 'Using client identifier scheme "https" requires a signed JAR request.'
+      });
+    }
+    if (jar.signer.method !== "federation") {
+      throw new import_oauth23.Oauth2ServerErrorResponseError({
+        error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
+        error_description: "Something went wrong. The JWT signer method is not federation but the client identifier scheme is https."
+      });
+    }
     return {
-      scheme,
+      scheme: clientIdScheme,
       identifier: clientId,
       originalValue: clientId,
       legacyClientId,
       trustChain: authorizationRequestPayload.trust_chain
     };
   }
-  if (scheme === "redirect_uri") {
+  if (clientIdScheme === "redirect_uri") {
     if (jar) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
@@ -352,20 +395,26 @@ function parseClientIdentifier(options, parserConfig) {
       });
     }
     return {
-      scheme,
+      scheme: clientIdScheme,
       identifier: identifierPart,
       originalValue: clientId,
       legacyClientId,
       redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
     };
   }
-  if (scheme === "did") {
+  if (clientIdScheme === "did") {
     if (!jar) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
         error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
       });
     }
+    if (jar.signer.method !== "did") {
+      throw new import_oauth23.Oauth2ServerErrorResponseError({
+        error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
+        error_description: "Something went wrong. The JWT signer method is not did but the client identifier scheme is did."
+      });
+    }
     if (!clientId.startsWith("did:")) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
@@ -385,14 +434,14 @@ function parseClientIdentifier(options, parserConfig) {
       });
     }
     return {
-      scheme,
+      scheme: clientIdScheme,
       identifier: clientId,
       originalValue: clientId,
       legacyClientId,
       didUrl: jar.signer.publicJwk.kid
     };
   }
-  if (scheme === "x509_san_dns" || scheme === "x509_san_uri") {
+  if (clientIdScheme === "x509_san_dns" || clientIdScheme === "x509_san_uri") {
     if (!jar) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
@@ -405,7 +454,7 @@ function parseClientIdentifier(options, parserConfig) {
         error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
       });
     }
-    if (scheme === "x509_san_dns") {
+    if (clientIdScheme === "x509_san_dns") {
       if (!options.callbacks.getX509CertificateMetadata) {
         throw new import_oauth23.Oauth2ServerErrorResponseError(
           {
@@ -432,7 +481,7 @@ function parseClientIdentifier(options, parserConfig) {
           });
         }
       }
-    } else if (scheme === "x509_san_uri") {
+    } else if (clientIdScheme === "x509_san_uri") {
       if (!options.callbacks.getX509CertificateMetadata) {
         throw new import_oauth23.Oauth2ServerErrorResponseError(
           {
@@ -461,23 +510,23 @@ function parseClientIdentifier(options, parserConfig) {
       }
     }
     return {
-      scheme,
+      scheme: clientIdScheme,
       identifier: identifierPart,
       originalValue: clientId,
       legacyClientId,
       x5c: jar.signer.x5c
     };
   }
-  if (scheme === "web-origin") {
+  if (clientIdScheme === "web-origin") {
     return {
-      scheme,
+      scheme: clientIdScheme,
       identifier: identifierPart,
       originalValue: clientId,
       legacyClientId,
       clientMetadata: authorizationRequestPayload.client_metadata
     };
   }
-  if (scheme === "verifier_attestation") {
+  if (clientIdScheme === "verifier_attestation") {
     if (!jar) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
@@ -486,7 +535,7 @@ function parseClientIdentifier(options, parserConfig) {
     }
   }
   return {
-    scheme,
+    scheme: clientIdScheme,
     identifier: identifierPart,
     legacyClientId,
     originalValue: clientId
@@ -889,7 +938,7 @@ function parseOpenid4vpAuthorizationRequest(options) {
 // src/authorization-request/resolve-authorization-request.ts
 var import_oauth219 = require("@openid4vc/oauth2");
 var import_utils14 = require("@openid4vc/utils");
-var import_zod13 = __toESM(require("zod"));
+var import_zod14 = __toESM(require("zod"));
 
 // src/fetch-client-metadata.ts
 var import_oauth213 = require("@openid4vc/oauth2");
@@ -920,6 +969,7 @@ async function fetchClientMetadata(options) {
 
 // src/jar/handle-jar-request/verify-jar-request.ts
 var import_oauth217 = require("@openid4vc/oauth2");
+var import_zod12 = __toESM(require("zod"));
 
 // src/version.ts
 var import_oauth214 = require("@openid4vc/oauth2");
@@ -1024,6 +1074,8 @@ var zJarRequestObjectPayload = import_zod11.z.object({
 }).passthrough();
 
 // src/jar/handle-jar-request/verify-jar-request.ts
+var zSignedAuthorizationRequestJwtHeaderTyp = import_zod12.default.literal("oauth-authz-req+jwt");
+var signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
 async function verifyJarRequest(options) {
   const { callbacks, wallet = {} } = options;
   const jarRequestParams = validateJarRequestParams(options);
@@ -1103,7 +1155,41 @@ async function decryptJarRequest(options) {
 async function verifyJarRequestObject(options) {
   const { decryptedRequestObject, callbacks } = options;
   const jwt = (0, import_oauth217.decodeJwt)({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload });
-  const jwtSigner = (0, import_oauth217.jwtSignerFromJwt)(jwt);
+  let jwtSigner;
+  const { clientIdScheme } = getOpenid4vpClientId({
+    responseMode: jwt.payload.response_mode,
+    clientId: jwt.payload.client_id,
+    legacyClientIdScheme: jwt.payload.client_id_scheme
+  });
+  const clientIdToSignerMethod = {
+    did: ["did"],
+    "pre-registered": ["custom", "did", "jwk"],
+    "web-origin": [],
+    // no signing allowed
+    redirect_uri: [],
+    // no signing allowed
+    // Not 100% sure which one are allowed?
+    verifier_attestation: ["did", "federation", "jwk", "x5c", "custom"],
+    x509_san_dns: ["x5c"],
+    x509_san_uri: ["x5c"],
+    // Handled separately
+    https: []
+  };
+  if (clientIdScheme === "https") {
+    if (!jwt.header.kid) {
+      throw new import_oauth217.Oauth2Error(
+        `When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`
+      );
+    }
+    jwtSigner = {
+      method: "federation",
+      alg: jwt.header.alg,
+      trustChain: jwt.payload.trust_chain,
+      kid: jwt.header.kid
+    };
+  } else {
+    jwtSigner = (0, import_oauth217.jwtSignerFromJwt)({ ...jwt, allowedSignerMethods: clientIdToSignerMethod[clientIdScheme] });
+  }
   const { signer } = await (0, import_oauth217.verifyJwt)({
     verifyJwtCallback: callbacks.verifyJwt,
     compact: decryptedRequestObject,
@@ -1130,13 +1216,13 @@ var import_oauth218 = require("@openid4vc/oauth2");
 var import_utils13 = require("@openid4vc/utils");
 
 // src/transaction-data/z-transaction-data.ts
-var import_zod12 = require("zod");
-var zTransactionEntry = import_zod12.z.object({
-  type: import_zod12.z.string(),
-  credential_ids: import_zod12.z.array(import_zod12.z.string()).nonempty(),
-  transaction_data_hashes_alg: import_zod12.z.array(import_zod12.z.string()).optional()
+var import_zod13 = require("zod");
+var zTransactionEntry = import_zod13.z.object({
+  type: import_zod13.z.string(),
+  credential_ids: import_zod13.z.array(import_zod13.z.string()).nonempty(),
+  transaction_data_hashes_alg: import_zod13.z.array(import_zod13.z.string()).optional()
 }).passthrough();
-var zTransactionData = import_zod12.z.array(zTransactionEntry);
+var zTransactionData = import_zod13.z.array(zTransactionEntry);
 
 // src/transaction-data/parse-transaction-data.ts
 function parseTransactionData(options) {
@@ -1161,7 +1247,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
   const { wallet, callbacks, origin, disableOriginValidation } = options;
   let authorizationRequestPayload;
   const parsed = (0, import_utils14.parseWithErrorHandling)(
-    import_zod13.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),
+    import_zod14.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),
     options.authorizationRequestPayload,
     "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request."
   );
@@ -1169,7 +1255,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
   if (isJarAuthorizationRequest(parsed)) {
     jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet });
     const parsedJarAuthorizationRequestPayload = (0, import_utils14.parseWithErrorHandling)(
-      import_zod13.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
+      import_zod14.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
       jar.authorizationRequestPayload,
       "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."
     );
@@ -1193,7 +1279,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
   if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) {
     clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
   }
-  const clientMeta = parseClientIdentifier({
+  const clientMeta = validateOpenid4vpClientId({
     authorizationRequestPayload: {
       ...authorizationRequestPayload,
       client_metadata: clientMetadata
@@ -1283,7 +1369,7 @@ async function createJarmAuthorizationResponse(options) {
 }
 
 // src/jarm/jarm-response-mode.ts
-var import_zod14 = require("zod");
+var import_zod15 = require("zod");
 var jarmResponseMode = [
   "jwt",
   "query.jwt",
@@ -1292,7 +1378,7 @@ var jarmResponseMode = [
   "direct_post.jwt",
   "dc_api.jwt"
 ];
-var zJarmResponseMode = import_zod14.z.enum(jarmResponseMode);
+var zJarmResponseMode = import_zod15.z.enum(jarmResponseMode);
 var isJarmResponseMode = (responseMode) => {
   return jarmResponseMode.includes(responseMode);
 };
@@ -1495,17 +1581,17 @@ var import_oauth225 = require("@openid4vc/oauth2");
 var import_utils19 = require("@openid4vc/utils");
 
 // src/vp-token/z-vp-token.ts
-var import_zod15 = require("zod");
-var zVpTokenPexEntry = import_zod15.z.union([import_zod15.z.string(), import_zod15.z.record(import_zod15.z.any())], {
+var import_zod16 = require("zod");
+var zVpTokenPexEntry = import_zod16.z.union([import_zod16.z.string(), import_zod16.z.record(import_zod16.z.any())], {
   message: "pex vp_token entry must be a string or object"
 });
-var zVpTokenPex = import_zod15.z.union(
-  [zVpTokenPexEntry, import_zod15.z.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
+var zVpTokenPex = import_zod16.z.union(
+  [zVpTokenPexEntry, import_zod16.z.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
   {
     message: "pex vp_token must be a string, object or array of strings and objects"
   }
 );
-var zVpTokenDcql = import_zod15.z.record(import_zod15.z.union([import_zod15.z.string(), import_zod15.z.record(import_zod15.z.any())]), {
+var zVpTokenDcql = import_zod16.z.record(import_zod16.z.union([import_zod16.z.string(), import_zod16.z.record(import_zod16.z.any())]), {
   message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation"
 });
 var zVpToken = zVpTokenDcql.or(zVpTokenPex);
@@ -1579,23 +1665,23 @@ var import_utils21 = require("@openid4vc/utils");
 
 // src/authorization-response/z-authorization-response.ts
 var import_utils20 = require("@openid4vc/utils");
-var import_zod17 = require("zod");
+var import_zod18 = require("zod");
 
 // src/models/z-pex.ts
-var import_zod16 = require("zod");
-var zPexPresentationDefinition = import_zod16.z.record(import_zod16.z.any());
-var zPexPresentationSubmission = import_zod16.z.record(import_zod16.z.any());
+var import_zod17 = require("zod");
+var zPexPresentationDefinition = import_zod17.z.record(import_zod17.z.any());
+var zPexPresentationSubmission = import_zod17.z.record(import_zod17.z.any());
 
 // src/authorization-response/z-authorization-response.ts
-var zOpenid4vpAuthorizationResponse = import_zod17.z.object({
-  state: import_zod17.z.string().optional(),
-  id_token: import_zod17.z.string().optional(),
+var zOpenid4vpAuthorizationResponse = import_zod18.z.object({
+  state: import_zod18.z.string().optional(),
+  id_token: import_zod18.z.string().optional(),
   vp_token: zVpToken,
   presentation_submission: zPexPresentationSubmission.or(import_utils20.zStringToJson).optional(),
-  refresh_token: import_zod17.z.string().optional(),
-  token_type: import_zod17.z.string().optional(),
-  access_token: import_zod17.z.string().optional(),
-  expires_in: import_zod17.z.number().optional()
+  refresh_token: import_zod18.z.string().optional(),
+  token_type: import_zod18.z.string().optional(),
+  access_token: import_zod18.z.string().optional(),
+  expires_in: import_zod18.z.number().optional()
 }).passthrough();
 
 // src/authorization-response/parse-authorization-response-payload.ts
@@ -1610,11 +1696,11 @@ function parseOpenid4VpAuthorizationResponsePayload(payload) {
 // src/authorization-response/parse-jarm-authorization-response.ts
 var import_oauth226 = require("@openid4vc/oauth2");
 var import_utils22 = require("@openid4vc/utils");
-var import_zod18 = __toESM(require("zod"));
+var import_zod19 = __toESM(require("zod"));
 async function parseJarmAuthorizationResponse(options) {
   const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
   const jarmAuthorizationResponseJwt = (0, import_utils22.parseWithErrorHandling)(
-    import_zod18.default.union([import_oauth226.zCompactJwt, import_oauth226.zCompactJwe]),
+    import_zod19.default.union([import_oauth226.zCompactJwt, import_oauth226.zCompactJwe]),
     jarmResponseJwt,
     "Invalid jarm authorization response jwt."
   );
@@ -1653,7 +1739,9 @@ async function parseOpenid4vpAuthorizationResponse(options) {
   const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
   const expectedClientId = getOpenid4vpClientId({
     origin,
-    authorizationRequestPayload
+    responseMode: authorizationRequestPayload.response_mode,
+    clientId: authorizationRequestPayload.client_id,
+    legacyClientIdScheme: authorizationRequestPayload.client_id_scheme
   });
   if (authorizationResponse.response) {
     return parseJarmAuthorizationResponse({
@@ -1808,22 +1896,22 @@ var Openid4vpVerifier = class {
 };
 
 // src/models/z-credential-formats.ts
-var import_zod19 = require("zod");
-var zCredentialFormat = import_zod19.z.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
+var import_zod20 = require("zod");
+var zCredentialFormat = import_zod20.z.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
 
 // src/models/z-proof-formats.ts
-var import_zod20 = require("zod");
-var zProofFormat = import_zod20.z.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
+var import_zod21 = require("zod");
+var zProofFormat = import_zod21.z.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
 
 // src/models/z-wallet-metadata.ts
-var import_zod21 = require("zod");
-var zWalletMetadata = import_zod21.z.object({
-  presentation_definition_uri_supported: import_zod21.z.optional(import_zod21.z.boolean()),
+var import_zod22 = require("zod");
+var zWalletMetadata = import_zod22.z.object({
+  presentation_definition_uri_supported: import_zod22.z.optional(import_zod22.z.boolean()),
   vp_formats_supported: zVpFormatsSupported,
-  client_id_schemes_supported: import_zod21.z.optional(import_zod21.z.array(zClientIdScheme)),
-  request_object_signing_alg_values_supported: import_zod21.z.optional(import_zod21.z.array(import_zod21.z.string())),
-  authorization_encryption_alg_values_supported: import_zod21.z.optional(import_zod21.z.array(import_zod21.z.string())),
-  authorization_encryption_enc_values_supported: import_zod21.z.optional(import_zod21.z.array(import_zod21.z.string()))
+  client_id_schemes_supported: import_zod22.z.optional(import_zod22.z.array(zClientIdScheme)),
+  request_object_signing_alg_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string())),
+  authorization_encryption_alg_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string())),
+  authorization_encryption_enc_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string()))
 });
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {