@openid4vc/openid4vp 0.3.0-alpha-20250322171044 → 0.3.0-alpha-20250324175730
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +37 -26
- package/dist/index.d.ts +37 -26
- package/dist/index.js +175 -87
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +194 -105
- package/dist/index.mjs.map +1 -1
- package/package.json +3 -3
package/dist/index.mjs
CHANGED
|
@@ -120,7 +120,7 @@ var zOpenid4vpAuthorizationRequest = z4.object({
|
|
|
120
120
|
client_metadata_uri: zHttpsUrl2.optional(),
|
|
121
121
|
state: z4.string().optional(),
|
|
122
122
|
transaction_data: z4.array(z4.string().base64url()).optional(),
|
|
123
|
-
trust_chain: z4.
|
|
123
|
+
trust_chain: z4.array(z4.string()).nonempty().optional(),
|
|
124
124
|
client_id_scheme: z4.enum([
|
|
125
125
|
"pre-registered",
|
|
126
126
|
"redirect_uri",
|
|
@@ -160,10 +160,11 @@ var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
|
|
|
160
160
|
scope: z5.never().optional()
|
|
161
161
|
// TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?
|
|
162
162
|
});
|
|
163
|
+
function isOpenid4vpResponseModeDcApi(responseMode) {
|
|
164
|
+
return responseMode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(responseMode);
|
|
165
|
+
}
|
|
163
166
|
function isOpenid4vpAuthorizationRequestDcApi(request) {
|
|
164
|
-
return request.response_mode
|
|
165
|
-
request.response_mode
|
|
166
|
-
);
|
|
167
|
+
return isOpenid4vpResponseModeDcApi(request.response_mode);
|
|
167
168
|
}
|
|
168
169
|
|
|
169
170
|
// src/client-identifier-scheme/z-client-id-scheme.ts
|
|
@@ -178,6 +179,15 @@ var zClientIdScheme = z6.enum([
|
|
|
178
179
|
"x509_san_uri",
|
|
179
180
|
"web-origin"
|
|
180
181
|
]);
|
|
182
|
+
var zClientIdToClientIdScheme = z6.union(
|
|
183
|
+
[
|
|
184
|
+
z6.string({ message: "client_id MUST be a string" }).includes(":").transform((clientId) => clientId.split(":")[0]).pipe(zClientIdScheme.exclude(["pre-registered"])),
|
|
185
|
+
z6.string().refine((clientId) => clientId.includes(":") === false).transform(() => "pre-registered")
|
|
186
|
+
],
|
|
187
|
+
{
|
|
188
|
+
message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdScheme.exclude(["pre-registered"]).options.join(", ")}`
|
|
189
|
+
}
|
|
190
|
+
);
|
|
181
191
|
var zLegacyClientIdScheme = z6.enum([
|
|
182
192
|
"pre-registered",
|
|
183
193
|
"redirect_uri",
|
|
@@ -187,58 +197,80 @@ var zLegacyClientIdScheme = z6.enum([
|
|
|
187
197
|
"x509_san_dns",
|
|
188
198
|
"x509_san_uri"
|
|
189
199
|
]);
|
|
200
|
+
var zLegacyClientIdSchemeToClientIdScheme = zLegacyClientIdScheme.optional().default("pre-registered").transform((clientIdScheme) => clientIdScheme === "entity_id" ? "https" : clientIdScheme);
|
|
190
201
|
|
|
191
202
|
// src/client-identifier-scheme/parse-client-identifier-scheme.ts
|
|
192
203
|
function getOpenid4vpClientId(options) {
|
|
193
|
-
if (
|
|
194
|
-
if (!options.
|
|
204
|
+
if (isOpenid4vpResponseModeDcApi(options.responseMode)) {
|
|
205
|
+
if (!options.clientId) {
|
|
206
|
+
if (!options.origin) {
|
|
207
|
+
throw new Oauth2ServerErrorResponseError({
|
|
208
|
+
error: Oauth2ErrorCodes.InvalidRequest,
|
|
209
|
+
error_description: "Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'"
|
|
210
|
+
});
|
|
211
|
+
}
|
|
212
|
+
return {
|
|
213
|
+
clientIdScheme: "web-origin",
|
|
214
|
+
clientId: `web-origin:${options.origin}`
|
|
215
|
+
};
|
|
216
|
+
}
|
|
217
|
+
const parsedClientIdScheme2 = zClientIdToClientIdScheme.safeParse(options.clientId);
|
|
218
|
+
if (!parsedClientIdScheme2.success) {
|
|
195
219
|
throw new Oauth2ServerErrorResponseError({
|
|
196
220
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
197
|
-
error_description:
|
|
221
|
+
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
198
222
|
});
|
|
199
223
|
}
|
|
200
224
|
return {
|
|
201
|
-
clientId: options.
|
|
225
|
+
clientId: options.clientId,
|
|
226
|
+
clientIdScheme: parsedClientIdScheme2.data
|
|
202
227
|
};
|
|
203
228
|
}
|
|
204
|
-
if (!options.
|
|
229
|
+
if (!options.clientId) {
|
|
205
230
|
throw new Oauth2ServerErrorResponseError({
|
|
206
231
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
207
|
-
error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.
|
|
232
|
+
error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`
|
|
208
233
|
});
|
|
209
234
|
}
|
|
210
|
-
if (options.
|
|
211
|
-
const
|
|
212
|
-
if (!
|
|
235
|
+
if (options.legacyClientIdScheme) {
|
|
236
|
+
const parsedClientIdScheme2 = zLegacyClientIdSchemeToClientIdScheme.safeParse(options.legacyClientIdScheme);
|
|
237
|
+
if (!parsedClientIdScheme2.success) {
|
|
213
238
|
throw new Oauth2ServerErrorResponseError({
|
|
214
239
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
215
|
-
error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.
|
|
240
|
+
error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`
|
|
216
241
|
});
|
|
217
242
|
}
|
|
218
|
-
const clientIdScheme =
|
|
219
|
-
if (clientIdScheme === "https" || clientIdScheme === "did" || clientIdScheme === "pre-registered") {
|
|
220
|
-
return { clientId: options.authorizationRequestPayload.client_id };
|
|
221
|
-
}
|
|
243
|
+
const clientIdScheme = parsedClientIdScheme2.data;
|
|
222
244
|
return {
|
|
223
|
-
clientId: `${
|
|
224
|
-
|
|
245
|
+
clientId: clientIdScheme === "https" || clientIdScheme === "did" || clientIdScheme === "pre-registered" ? options.clientId : `${parsedClientIdScheme2.data}:${options.clientId}`,
|
|
246
|
+
clientIdScheme: parsedClientIdScheme2.data,
|
|
247
|
+
legacyClientId: options.clientId
|
|
225
248
|
};
|
|
226
249
|
}
|
|
250
|
+
const parsedClientIdScheme = zClientIdToClientIdScheme.safeParse(options.clientId);
|
|
251
|
+
if (!parsedClientIdScheme.success) {
|
|
252
|
+
throw new Oauth2ServerErrorResponseError({
|
|
253
|
+
error: Oauth2ErrorCodes.InvalidRequest,
|
|
254
|
+
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
255
|
+
});
|
|
256
|
+
}
|
|
227
257
|
return {
|
|
228
|
-
clientId: options.
|
|
258
|
+
clientId: options.clientId,
|
|
259
|
+
clientIdScheme: parsedClientIdScheme.data
|
|
229
260
|
};
|
|
230
261
|
}
|
|
231
|
-
function
|
|
262
|
+
function validateOpenid4vpClientId(options, parserConfig) {
|
|
232
263
|
const { authorizationRequestPayload, jar, origin } = options;
|
|
233
264
|
const parserConfigWithDefaults = {
|
|
234
265
|
supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
|
|
235
266
|
};
|
|
236
|
-
const { clientId, legacyClientId } = getOpenid4vpClientId({
|
|
237
|
-
authorizationRequestPayload,
|
|
267
|
+
const { clientId, legacyClientId, clientIdScheme } = getOpenid4vpClientId({
|
|
268
|
+
clientId: authorizationRequestPayload.client_id,
|
|
269
|
+
legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
|
|
270
|
+
responseMode: authorizationRequestPayload.response_mode,
|
|
238
271
|
origin
|
|
239
272
|
});
|
|
240
|
-
|
|
241
|
-
if (colonIndex === -1) {
|
|
273
|
+
if (clientIdScheme === "pre-registered") {
|
|
242
274
|
return {
|
|
243
275
|
scheme: "pre-registered",
|
|
244
276
|
identifier: clientId,
|
|
@@ -247,16 +279,15 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
247
279
|
clientMetadata: authorizationRequestPayload.client_metadata
|
|
248
280
|
};
|
|
249
281
|
}
|
|
250
|
-
const
|
|
282
|
+
const colonIndex = clientId.indexOf(":");
|
|
251
283
|
const identifierPart = clientId.substring(colonIndex + 1);
|
|
252
|
-
if (!parserConfigWithDefaults.supportedSchemes.includes(
|
|
284
|
+
if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdScheme)) {
|
|
253
285
|
throw new Oauth2ServerErrorResponseError({
|
|
254
286
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
255
|
-
error_description: `Unsupported client identifier scheme. ${
|
|
287
|
+
error_description: `Unsupported client identifier scheme. ${clientIdScheme} is not supported.`
|
|
256
288
|
});
|
|
257
289
|
}
|
|
258
|
-
|
|
259
|
-
if (scheme === "https") {
|
|
290
|
+
if (clientIdScheme === "https") {
|
|
260
291
|
if (!zHttpsUrl3.safeParse(clientId).success) {
|
|
261
292
|
throw new Oauth2ServerErrorResponseError(
|
|
262
293
|
{
|
|
@@ -268,15 +299,27 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
268
299
|
}
|
|
269
300
|
);
|
|
270
301
|
}
|
|
302
|
+
if (!jar) {
|
|
303
|
+
throw new Oauth2ServerErrorResponseError({
|
|
304
|
+
error: Oauth2ErrorCodes.InvalidRequest,
|
|
305
|
+
error_description: 'Using client identifier scheme "https" requires a signed JAR request.'
|
|
306
|
+
});
|
|
307
|
+
}
|
|
308
|
+
if (jar.signer.method !== "federation") {
|
|
309
|
+
throw new Oauth2ServerErrorResponseError({
|
|
310
|
+
error: Oauth2ErrorCodes.InvalidRequest,
|
|
311
|
+
error_description: "Something went wrong. The JWT signer method is not federation but the client identifier scheme is https."
|
|
312
|
+
});
|
|
313
|
+
}
|
|
271
314
|
return {
|
|
272
|
-
scheme,
|
|
315
|
+
scheme: clientIdScheme,
|
|
273
316
|
identifier: clientId,
|
|
274
317
|
originalValue: clientId,
|
|
275
318
|
legacyClientId,
|
|
276
319
|
trustChain: authorizationRequestPayload.trust_chain
|
|
277
320
|
};
|
|
278
321
|
}
|
|
279
|
-
if (
|
|
322
|
+
if (clientIdScheme === "redirect_uri") {
|
|
280
323
|
if (jar) {
|
|
281
324
|
throw new Oauth2ServerErrorResponseError({
|
|
282
325
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
@@ -290,20 +333,26 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
290
333
|
});
|
|
291
334
|
}
|
|
292
335
|
return {
|
|
293
|
-
scheme,
|
|
336
|
+
scheme: clientIdScheme,
|
|
294
337
|
identifier: identifierPart,
|
|
295
338
|
originalValue: clientId,
|
|
296
339
|
legacyClientId,
|
|
297
340
|
redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
|
|
298
341
|
};
|
|
299
342
|
}
|
|
300
|
-
if (
|
|
343
|
+
if (clientIdScheme === "did") {
|
|
301
344
|
if (!jar) {
|
|
302
345
|
throw new Oauth2ServerErrorResponseError({
|
|
303
346
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
304
347
|
error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
|
|
305
348
|
});
|
|
306
349
|
}
|
|
350
|
+
if (jar.signer.method !== "did") {
|
|
351
|
+
throw new Oauth2ServerErrorResponseError({
|
|
352
|
+
error: Oauth2ErrorCodes.InvalidRequest,
|
|
353
|
+
error_description: "Something went wrong. The JWT signer method is not did but the client identifier scheme is did."
|
|
354
|
+
});
|
|
355
|
+
}
|
|
307
356
|
if (!clientId.startsWith("did:")) {
|
|
308
357
|
throw new Oauth2ServerErrorResponseError({
|
|
309
358
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
@@ -323,14 +372,14 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
323
372
|
});
|
|
324
373
|
}
|
|
325
374
|
return {
|
|
326
|
-
scheme,
|
|
375
|
+
scheme: clientIdScheme,
|
|
327
376
|
identifier: clientId,
|
|
328
377
|
originalValue: clientId,
|
|
329
378
|
legacyClientId,
|
|
330
379
|
didUrl: jar.signer.publicJwk.kid
|
|
331
380
|
};
|
|
332
381
|
}
|
|
333
|
-
if (
|
|
382
|
+
if (clientIdScheme === "x509_san_dns" || clientIdScheme === "x509_san_uri") {
|
|
334
383
|
if (!jar) {
|
|
335
384
|
throw new Oauth2ServerErrorResponseError({
|
|
336
385
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
@@ -343,7 +392,7 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
343
392
|
error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
|
|
344
393
|
});
|
|
345
394
|
}
|
|
346
|
-
if (
|
|
395
|
+
if (clientIdScheme === "x509_san_dns") {
|
|
347
396
|
if (!options.callbacks.getX509CertificateMetadata) {
|
|
348
397
|
throw new Oauth2ServerErrorResponseError(
|
|
349
398
|
{
|
|
@@ -370,7 +419,7 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
370
419
|
});
|
|
371
420
|
}
|
|
372
421
|
}
|
|
373
|
-
} else if (
|
|
422
|
+
} else if (clientIdScheme === "x509_san_uri") {
|
|
374
423
|
if (!options.callbacks.getX509CertificateMetadata) {
|
|
375
424
|
throw new Oauth2ServerErrorResponseError(
|
|
376
425
|
{
|
|
@@ -399,23 +448,23 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
399
448
|
}
|
|
400
449
|
}
|
|
401
450
|
return {
|
|
402
|
-
scheme,
|
|
451
|
+
scheme: clientIdScheme,
|
|
403
452
|
identifier: identifierPart,
|
|
404
453
|
originalValue: clientId,
|
|
405
454
|
legacyClientId,
|
|
406
455
|
x5c: jar.signer.x5c
|
|
407
456
|
};
|
|
408
457
|
}
|
|
409
|
-
if (
|
|
458
|
+
if (clientIdScheme === "web-origin") {
|
|
410
459
|
return {
|
|
411
|
-
scheme,
|
|
460
|
+
scheme: clientIdScheme,
|
|
412
461
|
identifier: identifierPart,
|
|
413
462
|
originalValue: clientId,
|
|
414
463
|
legacyClientId,
|
|
415
464
|
clientMetadata: authorizationRequestPayload.client_metadata
|
|
416
465
|
};
|
|
417
466
|
}
|
|
418
|
-
if (
|
|
467
|
+
if (clientIdScheme === "verifier_attestation") {
|
|
419
468
|
if (!jar) {
|
|
420
469
|
throw new Oauth2ServerErrorResponseError({
|
|
421
470
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
@@ -424,7 +473,7 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
424
473
|
}
|
|
425
474
|
}
|
|
426
475
|
return {
|
|
427
|
-
scheme,
|
|
476
|
+
scheme: clientIdScheme,
|
|
428
477
|
identifier: identifierPart,
|
|
429
478
|
legacyClientId,
|
|
430
479
|
originalValue: clientId
|
|
@@ -836,7 +885,7 @@ function parseOpenid4vpAuthorizationRequest(options) {
|
|
|
836
885
|
// src/authorization-request/resolve-authorization-request.ts
|
|
837
886
|
import { Oauth2ErrorCodes as Oauth2ErrorCodes9, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError10 } from "@openid4vc/oauth2";
|
|
838
887
|
import { parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
|
|
839
|
-
import
|
|
888
|
+
import z14 from "zod";
|
|
840
889
|
|
|
841
890
|
// src/fetch-client-metadata.ts
|
|
842
891
|
import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5 } from "@openid4vc/oauth2";
|
|
@@ -867,6 +916,7 @@ async function fetchClientMetadata(options) {
|
|
|
867
916
|
|
|
868
917
|
// src/jar/handle-jar-request/verify-jar-request.ts
|
|
869
918
|
import {
|
|
919
|
+
Oauth2Error as Oauth2Error5,
|
|
870
920
|
Oauth2ErrorCodes as Oauth2ErrorCodes7,
|
|
871
921
|
Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError8,
|
|
872
922
|
decodeJwt as decodeJwt3,
|
|
@@ -875,6 +925,7 @@ import {
|
|
|
875
925
|
zCompactJwe as zCompactJwe2,
|
|
876
926
|
zCompactJwt as zCompactJwt2
|
|
877
927
|
} from "@openid4vc/oauth2";
|
|
928
|
+
import z12 from "zod";
|
|
878
929
|
|
|
879
930
|
// src/version.ts
|
|
880
931
|
import { Oauth2ErrorCodes as Oauth2ErrorCodes5, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6 } from "@openid4vc/oauth2";
|
|
@@ -979,6 +1030,8 @@ var zJarRequestObjectPayload = z11.object({
|
|
|
979
1030
|
}).passthrough();
|
|
980
1031
|
|
|
981
1032
|
// src/jar/handle-jar-request/verify-jar-request.ts
|
|
1033
|
+
var zSignedAuthorizationRequestJwtHeaderTyp = z12.literal("oauth-authz-req+jwt");
|
|
1034
|
+
var signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
|
|
982
1035
|
async function verifyJarRequest(options) {
|
|
983
1036
|
const { callbacks, wallet = {} } = options;
|
|
984
1037
|
const jarRequestParams = validateJarRequestParams(options);
|
|
@@ -1058,7 +1111,41 @@ async function decryptJarRequest(options) {
|
|
|
1058
1111
|
async function verifyJarRequestObject(options) {
|
|
1059
1112
|
const { decryptedRequestObject, callbacks } = options;
|
|
1060
1113
|
const jwt = decodeJwt3({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload });
|
|
1061
|
-
|
|
1114
|
+
let jwtSigner;
|
|
1115
|
+
const { clientIdScheme } = getOpenid4vpClientId({
|
|
1116
|
+
responseMode: jwt.payload.response_mode,
|
|
1117
|
+
clientId: jwt.payload.client_id,
|
|
1118
|
+
legacyClientIdScheme: jwt.payload.client_id_scheme
|
|
1119
|
+
});
|
|
1120
|
+
const clientIdToSignerMethod = {
|
|
1121
|
+
did: ["did"],
|
|
1122
|
+
"pre-registered": ["custom", "did", "jwk"],
|
|
1123
|
+
"web-origin": [],
|
|
1124
|
+
// no signing allowed
|
|
1125
|
+
redirect_uri: [],
|
|
1126
|
+
// no signing allowed
|
|
1127
|
+
// Not 100% sure which one are allowed?
|
|
1128
|
+
verifier_attestation: ["did", "federation", "jwk", "x5c", "custom"],
|
|
1129
|
+
x509_san_dns: ["x5c"],
|
|
1130
|
+
x509_san_uri: ["x5c"],
|
|
1131
|
+
// Handled separately
|
|
1132
|
+
https: []
|
|
1133
|
+
};
|
|
1134
|
+
if (clientIdScheme === "https") {
|
|
1135
|
+
if (!jwt.header.kid) {
|
|
1136
|
+
throw new Oauth2Error5(
|
|
1137
|
+
`When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`
|
|
1138
|
+
);
|
|
1139
|
+
}
|
|
1140
|
+
jwtSigner = {
|
|
1141
|
+
method: "federation",
|
|
1142
|
+
alg: jwt.header.alg,
|
|
1143
|
+
trustChain: jwt.payload.trust_chain,
|
|
1144
|
+
kid: jwt.header.kid
|
|
1145
|
+
};
|
|
1146
|
+
} else {
|
|
1147
|
+
jwtSigner = jwtSignerFromJwt2({ ...jwt, allowedSignerMethods: clientIdToSignerMethod[clientIdScheme] });
|
|
1148
|
+
}
|
|
1062
1149
|
const { signer } = await verifyJwt({
|
|
1063
1150
|
verifyJwtCallback: callbacks.verifyJwt,
|
|
1064
1151
|
compact: decryptedRequestObject,
|
|
@@ -1085,13 +1172,13 @@ import { Oauth2ErrorCodes as Oauth2ErrorCodes8, Oauth2ServerErrorResponseError a
|
|
|
1085
1172
|
import { decodeBase64, encodeToUtf8String, parseIfJson } from "@openid4vc/utils";
|
|
1086
1173
|
|
|
1087
1174
|
// src/transaction-data/z-transaction-data.ts
|
|
1088
|
-
import { z as
|
|
1089
|
-
var zTransactionEntry =
|
|
1090
|
-
type:
|
|
1091
|
-
credential_ids:
|
|
1092
|
-
transaction_data_hashes_alg:
|
|
1175
|
+
import { z as z13 } from "zod";
|
|
1176
|
+
var zTransactionEntry = z13.object({
|
|
1177
|
+
type: z13.string(),
|
|
1178
|
+
credential_ids: z13.array(z13.string()).nonempty(),
|
|
1179
|
+
transaction_data_hashes_alg: z13.array(z13.string()).optional()
|
|
1093
1180
|
}).passthrough();
|
|
1094
|
-
var zTransactionData =
|
|
1181
|
+
var zTransactionData = z13.array(zTransactionEntry);
|
|
1095
1182
|
|
|
1096
1183
|
// src/transaction-data/parse-transaction-data.ts
|
|
1097
1184
|
function parseTransactionData(options) {
|
|
@@ -1116,7 +1203,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
|
|
|
1116
1203
|
const { wallet, callbacks, origin, disableOriginValidation } = options;
|
|
1117
1204
|
let authorizationRequestPayload;
|
|
1118
1205
|
const parsed = parseWithErrorHandling4(
|
|
1119
|
-
|
|
1206
|
+
z14.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),
|
|
1120
1207
|
options.authorizationRequestPayload,
|
|
1121
1208
|
"Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request."
|
|
1122
1209
|
);
|
|
@@ -1124,7 +1211,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
|
|
|
1124
1211
|
if (isJarAuthorizationRequest(parsed)) {
|
|
1125
1212
|
jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet });
|
|
1126
1213
|
const parsedJarAuthorizationRequestPayload = parseWithErrorHandling4(
|
|
1127
|
-
|
|
1214
|
+
z14.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
|
|
1128
1215
|
jar.authorizationRequestPayload,
|
|
1129
1216
|
"Invalid authorization request. Could not parse jar request payload as openid4vp auth request."
|
|
1130
1217
|
);
|
|
@@ -1148,7 +1235,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
|
|
|
1148
1235
|
if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) {
|
|
1149
1236
|
clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
|
|
1150
1237
|
}
|
|
1151
|
-
const clientMeta =
|
|
1238
|
+
const clientMeta = validateOpenid4vpClientId({
|
|
1152
1239
|
authorizationRequestPayload: {
|
|
1153
1240
|
...authorizationRequestPayload,
|
|
1154
1241
|
client_metadata: clientMetadata
|
|
@@ -1204,7 +1291,7 @@ function validateOpenId4vpAuthorizationRequestPayload(options) {
|
|
|
1204
1291
|
|
|
1205
1292
|
// src/authorization-response/create-authorization-response.ts
|
|
1206
1293
|
import {
|
|
1207
|
-
Oauth2Error as
|
|
1294
|
+
Oauth2Error as Oauth2Error8,
|
|
1208
1295
|
Oauth2ErrorCodes as Oauth2ErrorCodes10,
|
|
1209
1296
|
Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError11,
|
|
1210
1297
|
fetchJwks
|
|
@@ -1218,7 +1305,7 @@ function addSecondsToDate2(date, seconds) {
|
|
|
1218
1305
|
|
|
1219
1306
|
// src/jarm/jarm-authorization-response-create.ts
|
|
1220
1307
|
import {
|
|
1221
|
-
Oauth2Error as
|
|
1308
|
+
Oauth2Error as Oauth2Error6,
|
|
1222
1309
|
jwtHeaderFromJwtSigner as jwtHeaderFromJwtSigner2
|
|
1223
1310
|
} from "@openid4vc/oauth2";
|
|
1224
1311
|
async function createJarmAuthorizationResponse(options) {
|
|
@@ -1235,7 +1322,7 @@ async function createJarmAuthorizationResponse(options) {
|
|
|
1235
1322
|
return { jarmAuthorizationResponseJwt: signed2.jwt };
|
|
1236
1323
|
}
|
|
1237
1324
|
if (!jwtSigner || !jweEncryptor) {
|
|
1238
|
-
throw new
|
|
1325
|
+
throw new Oauth2Error6("JWT signer and/or encryptor are required to create a JARM auth response.");
|
|
1239
1326
|
}
|
|
1240
1327
|
const signed = await callbacks.signJwt(jwtSigner, {
|
|
1241
1328
|
header: jwtHeaderFromJwtSigner2(jwtSigner),
|
|
@@ -1246,7 +1333,7 @@ async function createJarmAuthorizationResponse(options) {
|
|
|
1246
1333
|
}
|
|
1247
1334
|
|
|
1248
1335
|
// src/jarm/jarm-response-mode.ts
|
|
1249
|
-
import { z as
|
|
1336
|
+
import { z as z15 } from "zod";
|
|
1250
1337
|
var jarmResponseMode = [
|
|
1251
1338
|
"jwt",
|
|
1252
1339
|
"query.jwt",
|
|
@@ -1255,18 +1342,18 @@ var jarmResponseMode = [
|
|
|
1255
1342
|
"direct_post.jwt",
|
|
1256
1343
|
"dc_api.jwt"
|
|
1257
1344
|
];
|
|
1258
|
-
var zJarmResponseMode =
|
|
1345
|
+
var zJarmResponseMode = z15.enum(jarmResponseMode);
|
|
1259
1346
|
var isJarmResponseMode = (responseMode) => {
|
|
1260
1347
|
return jarmResponseMode.includes(responseMode);
|
|
1261
1348
|
};
|
|
1262
1349
|
|
|
1263
1350
|
// src/jarm/metadata/jarm-assert-metadata-supported.ts
|
|
1264
|
-
import { Oauth2Error as
|
|
1351
|
+
import { Oauth2Error as Oauth2Error7 } from "@openid4vc/oauth2";
|
|
1265
1352
|
function assertValueSupported(options) {
|
|
1266
1353
|
const { errorMessage, supported, actual } = options;
|
|
1267
1354
|
const intersection = supported.find((value) => value === actual);
|
|
1268
1355
|
if (!intersection) {
|
|
1269
|
-
throw new
|
|
1356
|
+
throw new Oauth2Error7(errorMessage);
|
|
1270
1357
|
}
|
|
1271
1358
|
return intersection;
|
|
1272
1359
|
}
|
|
@@ -1307,7 +1394,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
|
|
|
1307
1394
|
state: authorizationRequestPayload.state
|
|
1308
1395
|
};
|
|
1309
1396
|
if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode) && !jarm) {
|
|
1310
|
-
throw new
|
|
1397
|
+
throw new Oauth2Error8(
|
|
1311
1398
|
`Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`
|
|
1312
1399
|
);
|
|
1313
1400
|
}
|
|
@@ -1317,7 +1404,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
|
|
|
1317
1404
|
};
|
|
1318
1405
|
}
|
|
1319
1406
|
if (!authorizationRequestPayload.client_metadata) {
|
|
1320
|
-
throw new
|
|
1407
|
+
throw new Oauth2Error8("Missing client metadata in the request params to assert Jarm metadata support.");
|
|
1321
1408
|
}
|
|
1322
1409
|
let jwks;
|
|
1323
1410
|
if (authorizationRequestPayload.client_metadata.jwks) {
|
|
@@ -1392,18 +1479,18 @@ async function createOpenid4vpAuthorizationResponse(options) {
|
|
|
1392
1479
|
}
|
|
1393
1480
|
|
|
1394
1481
|
// src/authorization-response/submit-authorization-response.ts
|
|
1395
|
-
import { Oauth2Error as
|
|
1482
|
+
import { Oauth2Error as Oauth2Error10 } from "@openid4vc/oauth2";
|
|
1396
1483
|
import { ContentType as ContentType4, createFetcher as createFetcher3 } from "@openid4vc/utils";
|
|
1397
1484
|
import { objectToQueryParams as objectToQueryParams3 } from "@openid4vc/utils";
|
|
1398
1485
|
|
|
1399
1486
|
// src/jarm/jarm-authorizatino-response-send.ts
|
|
1400
|
-
import { Oauth2Error as
|
|
1487
|
+
import { Oauth2Error as Oauth2Error9 } from "@openid4vc/oauth2";
|
|
1401
1488
|
import { ContentType as ContentType3, URL as URL4, createFetcher as createFetcher2 } from "@openid4vc/utils";
|
|
1402
1489
|
var jarmAuthorizationResponseSend = (options) => {
|
|
1403
1490
|
const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options;
|
|
1404
1491
|
const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
|
|
1405
1492
|
if (!responseEndpoint) {
|
|
1406
|
-
throw new
|
|
1493
|
+
throw new Oauth2Error9(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`);
|
|
1407
1494
|
}
|
|
1408
1495
|
const responseEndpointUrl = new URL4(responseEndpoint);
|
|
1409
1496
|
return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks);
|
|
@@ -1432,7 +1519,7 @@ async function submitOpenid4vpAuthorizationResponse(options) {
|
|
|
1432
1519
|
});
|
|
1433
1520
|
}
|
|
1434
1521
|
if (!url) {
|
|
1435
|
-
throw new
|
|
1522
|
+
throw new Oauth2Error10(
|
|
1436
1523
|
"Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided."
|
|
1437
1524
|
);
|
|
1438
1525
|
}
|
|
@@ -1452,23 +1539,23 @@ async function submitOpenid4vpAuthorizationResponse(options) {
|
|
|
1452
1539
|
}
|
|
1453
1540
|
|
|
1454
1541
|
// src/authorization-response/validate-authorization-response.ts
|
|
1455
|
-
import { Oauth2Error as
|
|
1542
|
+
import { Oauth2Error as Oauth2Error11 } from "@openid4vc/oauth2";
|
|
1456
1543
|
|
|
1457
1544
|
// src/vp-token/parse-vp-token.ts
|
|
1458
1545
|
import { parseIfJson as parseIfJson2, parseWithErrorHandling as parseWithErrorHandling5 } from "@openid4vc/utils";
|
|
1459
1546
|
|
|
1460
1547
|
// src/vp-token/z-vp-token.ts
|
|
1461
|
-
import { z as
|
|
1462
|
-
var zVpTokenPexEntry =
|
|
1548
|
+
import { z as z16 } from "zod";
|
|
1549
|
+
var zVpTokenPexEntry = z16.union([z16.string(), z16.record(z16.any())], {
|
|
1463
1550
|
message: "pex vp_token entry must be a string or object"
|
|
1464
1551
|
});
|
|
1465
|
-
var zVpTokenPex =
|
|
1466
|
-
[zVpTokenPexEntry,
|
|
1552
|
+
var zVpTokenPex = z16.union(
|
|
1553
|
+
[zVpTokenPexEntry, z16.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
|
|
1467
1554
|
{
|
|
1468
1555
|
message: "pex vp_token must be a string, object or array of strings and objects"
|
|
1469
1556
|
}
|
|
1470
1557
|
);
|
|
1471
|
-
var zVpTokenDcql =
|
|
1558
|
+
var zVpTokenDcql = z16.record(z16.union([z16.string(), z16.record(z16.any())]), {
|
|
1472
1559
|
message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation"
|
|
1473
1560
|
});
|
|
1474
1561
|
var zVpToken = zVpTokenDcql.or(zVpTokenPex);
|
|
@@ -1494,14 +1581,14 @@ function parseDcqlVpToken(vpToken) {
|
|
|
1494
1581
|
function validateOpenid4vpAuthorizationResponsePayload(options) {
|
|
1495
1582
|
const { authorizationRequestPayload, authorizationResponsePayload } = options;
|
|
1496
1583
|
if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) {
|
|
1497
|
-
throw new
|
|
1584
|
+
throw new Oauth2Error11("OpenId4Vp Authorization Response state mismatch.");
|
|
1498
1585
|
}
|
|
1499
1586
|
if (authorizationResponsePayload.id_token) {
|
|
1500
|
-
throw new
|
|
1587
|
+
throw new Oauth2Error11("OpenId4Vp Authorization Response id_token is not supported.");
|
|
1501
1588
|
}
|
|
1502
1589
|
if (authorizationResponsePayload.presentation_submission) {
|
|
1503
1590
|
if (!authorizationRequestPayload.presentation_definition) {
|
|
1504
|
-
throw new
|
|
1591
|
+
throw new Oauth2Error11("OpenId4Vp Authorization Request is missing the required presentation_definition.");
|
|
1505
1592
|
}
|
|
1506
1593
|
return {
|
|
1507
1594
|
type: "pex",
|
|
@@ -1529,7 +1616,7 @@ function validateOpenid4vpAuthorizationResponsePayload(options) {
|
|
|
1529
1616
|
}
|
|
1530
1617
|
};
|
|
1531
1618
|
}
|
|
1532
|
-
throw new
|
|
1619
|
+
throw new Oauth2Error11(
|
|
1533
1620
|
"Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query."
|
|
1534
1621
|
);
|
|
1535
1622
|
}
|
|
@@ -1542,23 +1629,23 @@ import { parseWithErrorHandling as parseWithErrorHandling6 } from "@openid4vc/ut
|
|
|
1542
1629
|
|
|
1543
1630
|
// src/authorization-response/z-authorization-response.ts
|
|
1544
1631
|
import { zStringToJson as zStringToJson2 } from "@openid4vc/utils";
|
|
1545
|
-
import { z as
|
|
1632
|
+
import { z as z18 } from "zod";
|
|
1546
1633
|
|
|
1547
1634
|
// src/models/z-pex.ts
|
|
1548
|
-
import { z as
|
|
1549
|
-
var zPexPresentationDefinition =
|
|
1550
|
-
var zPexPresentationSubmission =
|
|
1635
|
+
import { z as z17 } from "zod";
|
|
1636
|
+
var zPexPresentationDefinition = z17.record(z17.any());
|
|
1637
|
+
var zPexPresentationSubmission = z17.record(z17.any());
|
|
1551
1638
|
|
|
1552
1639
|
// src/authorization-response/z-authorization-response.ts
|
|
1553
|
-
var zOpenid4vpAuthorizationResponse =
|
|
1554
|
-
state:
|
|
1555
|
-
id_token:
|
|
1640
|
+
var zOpenid4vpAuthorizationResponse = z18.object({
|
|
1641
|
+
state: z18.string().optional(),
|
|
1642
|
+
id_token: z18.string().optional(),
|
|
1556
1643
|
vp_token: zVpToken,
|
|
1557
1644
|
presentation_submission: zPexPresentationSubmission.or(zStringToJson2).optional(),
|
|
1558
|
-
refresh_token:
|
|
1559
|
-
token_type:
|
|
1560
|
-
access_token:
|
|
1561
|
-
expires_in:
|
|
1645
|
+
refresh_token: z18.string().optional(),
|
|
1646
|
+
token_type: z18.string().optional(),
|
|
1647
|
+
access_token: z18.string().optional(),
|
|
1648
|
+
expires_in: z18.number().optional()
|
|
1562
1649
|
}).passthrough();
|
|
1563
1650
|
|
|
1564
1651
|
// src/authorization-response/parse-authorization-response-payload.ts
|
|
@@ -1571,13 +1658,13 @@ function parseOpenid4VpAuthorizationResponsePayload(payload) {
|
|
|
1571
1658
|
}
|
|
1572
1659
|
|
|
1573
1660
|
// src/authorization-response/parse-jarm-authorization-response.ts
|
|
1574
|
-
import { Oauth2Error as
|
|
1661
|
+
import { Oauth2Error as Oauth2Error12, decodeJwtHeader, zCompactJwe as zCompactJwe3, zCompactJwt as zCompactJwt3 } from "@openid4vc/oauth2";
|
|
1575
1662
|
import { parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
|
|
1576
|
-
import
|
|
1663
|
+
import z19 from "zod";
|
|
1577
1664
|
async function parseJarmAuthorizationResponse(options) {
|
|
1578
1665
|
const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
|
|
1579
1666
|
const jarmAuthorizationResponseJwt = parseWithErrorHandling7(
|
|
1580
|
-
|
|
1667
|
+
z19.union([zCompactJwt3, zCompactJwe3]),
|
|
1581
1668
|
jarmResponseJwt,
|
|
1582
1669
|
"Invalid jarm authorization response jwt."
|
|
1583
1670
|
);
|
|
@@ -1599,7 +1686,7 @@ async function parseJarmAuthorizationResponse(options) {
|
|
|
1599
1686
|
authorizationResponsePayload
|
|
1600
1687
|
});
|
|
1601
1688
|
if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {
|
|
1602
|
-
throw new
|
|
1689
|
+
throw new Oauth2Error12(
|
|
1603
1690
|
`Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? "fragment"}'`
|
|
1604
1691
|
);
|
|
1605
1692
|
}
|
|
@@ -1616,7 +1703,9 @@ async function parseOpenid4vpAuthorizationResponse(options) {
|
|
|
1616
1703
|
const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
|
|
1617
1704
|
const expectedClientId = getOpenid4vpClientId({
|
|
1618
1705
|
origin,
|
|
1619
|
-
authorizationRequestPayload
|
|
1706
|
+
responseMode: authorizationRequestPayload.response_mode,
|
|
1707
|
+
clientId: authorizationRequestPayload.client_id,
|
|
1708
|
+
legacyClientIdScheme: authorizationRequestPayload.client_id_scheme
|
|
1620
1709
|
});
|
|
1621
1710
|
if (authorizationResponse.response) {
|
|
1622
1711
|
return parseJarmAuthorizationResponse({
|
|
@@ -1775,22 +1864,22 @@ var Openid4vpVerifier = class {
|
|
|
1775
1864
|
};
|
|
1776
1865
|
|
|
1777
1866
|
// src/models/z-credential-formats.ts
|
|
1778
|
-
import { z as
|
|
1779
|
-
var zCredentialFormat =
|
|
1867
|
+
import { z as z20 } from "zod";
|
|
1868
|
+
var zCredentialFormat = z20.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
|
|
1780
1869
|
|
|
1781
1870
|
// src/models/z-proof-formats.ts
|
|
1782
|
-
import { z as
|
|
1783
|
-
var zProofFormat =
|
|
1871
|
+
import { z as z21 } from "zod";
|
|
1872
|
+
var zProofFormat = z21.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
|
|
1784
1873
|
|
|
1785
1874
|
// src/models/z-wallet-metadata.ts
|
|
1786
|
-
import { z as
|
|
1787
|
-
var zWalletMetadata =
|
|
1788
|
-
presentation_definition_uri_supported:
|
|
1875
|
+
import { z as z22 } from "zod";
|
|
1876
|
+
var zWalletMetadata = z22.object({
|
|
1877
|
+
presentation_definition_uri_supported: z22.optional(z22.boolean()),
|
|
1789
1878
|
vp_formats_supported: zVpFormatsSupported,
|
|
1790
|
-
client_id_schemes_supported:
|
|
1791
|
-
request_object_signing_alg_values_supported:
|
|
1792
|
-
authorization_encryption_alg_values_supported:
|
|
1793
|
-
authorization_encryption_enc_values_supported:
|
|
1879
|
+
client_id_schemes_supported: z22.optional(z22.array(zClientIdScheme)),
|
|
1880
|
+
request_object_signing_alg_values_supported: z22.optional(z22.array(z22.string())),
|
|
1881
|
+
authorization_encryption_alg_values_supported: z22.optional(z22.array(z22.string())),
|
|
1882
|
+
authorization_encryption_enc_values_supported: z22.optional(z22.array(z22.string()))
|
|
1794
1883
|
});
|
|
1795
1884
|
export {
|
|
1796
1885
|
JarmMode,
|