@openid4vc/openid4vp 0.3.0-alpha-20250322171044 → 0.3.0-alpha-20250324183425

package/dist/index.js

@@ -62,7 +62,7 @@ module.exports = __toCommonJS(src_exports);
 
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
 var import_oauth23 = require("@openid4vc/oauth2");
-var import_utils4 = require("@openid4vc/utils");
+var import_utils5 = require("@openid4vc/utils");
 
 // src/authorization-request/z-authorization-request-dc-api.ts
 var import_zod5 = require("zod");
@@ -182,7 +182,7 @@ var zOpenid4vpAuthorizationRequest = import_zod4.z.object({
   client_metadata_uri: import_utils3.zHttpsUrl.optional(),
   state: import_zod4.z.string().optional(),
   transaction_data: import_zod4.z.array(import_zod4.z.string().base64url()).optional(),
-  trust_chain: import_zod4.z.unknown().optional(),
+  trust_chain: import_zod4.z.array(import_zod4.z.string()).nonempty().optional(),
   client_id_scheme: import_zod4.z.enum([
     "pre-registered",
     "redirect_uri",
@@ -222,13 +222,15 @@ var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
   scope: import_zod5.z.never().optional()
   // TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?
 });
+function isOpenid4vpResponseModeDcApi(responseMode) {
+  return responseMode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(responseMode);
+}
 function isOpenid4vpAuthorizationRequestDcApi(request) {
-  return request.response_mode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(
-    request.response_mode
-  );
+  return isOpenid4vpResponseModeDcApi(request.response_mode);
 }
 
 // src/client-identifier-scheme/z-client-id-scheme.ts
+var import_utils4 = require("@openid4vc/utils");
 var import_zod6 = require("zod");
 var zClientIdScheme = import_zod6.z.enum([
   "pre-registered",
@@ -240,6 +242,18 @@ var zClientIdScheme = import_zod6.z.enum([
   "x509_san_uri",
   "web-origin"
 ]);
+var zClientIdToClientIdScheme = import_zod6.z.union(
+  [
+    import_zod6.z.string({ message: "client_id MUST be a string" }).includes(":").transform((clientId) => {
+      const clientIdScheme = clientId.split(":")[0];
+      return clientIdScheme === "http" && (0, import_utils4.getGlobalConfig)().allowInsecureUrls ? "https" : clientIdScheme;
+    }).pipe(zClientIdScheme.exclude(["pre-registered"])),
+    import_zod6.z.string().refine((clientId) => clientId.includes(":") === false).transform(() => "pre-registered")
+  ],
+  {
+    message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdScheme.exclude(["pre-registered"]).options.join(", ")}`
+  }
+);
 var zLegacyClientIdScheme = import_zod6.z.enum([
   "pre-registered",
   "redirect_uri",
@@ -249,58 +263,80 @@ var zLegacyClientIdScheme = import_zod6.z.enum([
   "x509_san_dns",
   "x509_san_uri"
 ]);
+var zLegacyClientIdSchemeToClientIdScheme = zLegacyClientIdScheme.optional().default("pre-registered").transform((clientIdScheme) => clientIdScheme === "entity_id" ? "https" : clientIdScheme);
 
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
 function getOpenid4vpClientId(options) {
-  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
-    if (!options.origin) {
+  if (isOpenid4vpResponseModeDcApi(options.responseMode)) {
+    if (!options.clientId) {
+      if (!options.origin) {
+        throw new import_oauth23.Oauth2ServerErrorResponseError({
+          error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
+          error_description: "Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'"
+        });
+      }
+      return {
+        clientIdScheme: "web-origin",
+        clientId: `web-origin:${options.origin}`
+      };
+    }
+    const parsedClientIdScheme2 = zClientIdToClientIdScheme.safeParse(options.clientId);
+    if (!parsedClientIdScheme2.success) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
-        error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
+        error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
       });
     }
     return {
-      clientId: options.authorizationRequestPayload.client_id ?? `web-origin:${options.origin}`
+      clientId: options.clientId,
+      clientIdScheme: parsedClientIdScheme2.data
     };
   }
-  if (!options.authorizationRequestPayload.client_id) {
+  if (!options.clientId) {
     throw new import_oauth23.Oauth2ServerErrorResponseError({
       error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
-      error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.authorizationRequestPayload.response_mode}'.`
+      error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`
     });
   }
-  if (options.authorizationRequestPayload.client_id_scheme) {
-    const parsedClientIdScheme = zLegacyClientIdScheme.safeParse(options.authorizationRequestPayload.client_id_scheme);
-    if (!parsedClientIdScheme.success) {
+  if (options.legacyClientIdScheme) {
+    const parsedClientIdScheme2 = zLegacyClientIdSchemeToClientIdScheme.safeParse(options.legacyClientIdScheme);
+    if (!parsedClientIdScheme2.success) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
-        error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.authorizationRequestPayload.client_id_scheme}'.`
+        error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`
       });
     }
-    const clientIdScheme = parsedClientIdScheme.data === "entity_id" ? "https" : parsedClientIdScheme.data;
-    if (clientIdScheme === "https" || clientIdScheme === "did" || clientIdScheme === "pre-registered") {
-      return { clientId: options.authorizationRequestPayload.client_id };
-    }
+    const clientIdScheme = parsedClientIdScheme2.data;
     return {
-      clientId: `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`,
-      legacyClientId: options.authorizationRequestPayload.client_id
+      clientId: clientIdScheme === "https" || clientIdScheme === "did" || clientIdScheme === "pre-registered" ? options.clientId : `${parsedClientIdScheme2.data}:${options.clientId}`,
+      clientIdScheme: parsedClientIdScheme2.data,
+      legacyClientId: options.clientId
     };
   }
+  const parsedClientIdScheme = zClientIdToClientIdScheme.safeParse(options.clientId);
+  if (!parsedClientIdScheme.success) {
+    throw new import_oauth23.Oauth2ServerErrorResponseError({
+      error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
+      error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
+    });
+  }
   return {
-    clientId: options.authorizationRequestPayload.client_id
+    clientId: options.clientId,
+    clientIdScheme: parsedClientIdScheme.data
   };
 }
-function parseClientIdentifier(options, parserConfig) {
+function validateOpenid4vpClientId(options, parserConfig) {
   const { authorizationRequestPayload, jar, origin } = options;
   const parserConfigWithDefaults = {
     supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
   };
-  const { clientId, legacyClientId } = getOpenid4vpClientId({
-    authorizationRequestPayload,
+  const { clientId, legacyClientId, clientIdScheme } = getOpenid4vpClientId({
+    clientId: authorizationRequestPayload.client_id,
+    legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
+    responseMode: authorizationRequestPayload.response_mode,
     origin
   });
-  const colonIndex = clientId.indexOf(":");
-  if (colonIndex === -1) {
+  if (clientIdScheme === "pre-registered") {
     return {
       scheme: "pre-registered",
       identifier: clientId,
@@ -309,17 +345,16 @@ function parseClientIdentifier(options, parserConfig) {
       clientMetadata: authorizationRequestPayload.client_metadata
     };
   }
-  const schemePart = clientId.substring(0, colonIndex);
+  const colonIndex = clientId.indexOf(":");
   const identifierPart = clientId.substring(colonIndex + 1);
-  if (!parserConfigWithDefaults.supportedSchemes.includes(schemePart)) {
+  if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdScheme)) {
     throw new import_oauth23.Oauth2ServerErrorResponseError({
       error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
-      error_description: `Unsupported client identifier scheme. ${schemePart} is not supported.`
+      error_description: `Unsupported client identifier scheme. ${clientIdScheme} is not supported.`
     });
   }
-  const scheme = schemePart;
-  if (scheme === "https") {
-    if (!import_utils4.zHttpsUrl.safeParse(clientId).success) {
+  if (clientIdScheme === "https") {
+    if (!import_utils5.zHttpsUrl.safeParse(clientId).success) {
       throw new import_oauth23.Oauth2ServerErrorResponseError(
         {
           error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
@@ -330,15 +365,27 @@ function parseClientIdentifier(options, parserConfig) {
         }
       );
     }
+    if (!jar) {
+      throw new import_oauth23.Oauth2ServerErrorResponseError({
+        error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
+        error_description: 'Using client identifier scheme "https" requires a signed JAR request.'
+      });
+    }
+    if (jar.signer.method !== "federation") {
+      throw new import_oauth23.Oauth2ServerErrorResponseError({
+        error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
+        error_description: "Something went wrong. The JWT signer method is not federation but the client identifier scheme is https."
+      });
+    }
     return {
-      scheme,
+      scheme: clientIdScheme,
       identifier: clientId,
       originalValue: clientId,
       legacyClientId,
       trustChain: authorizationRequestPayload.trust_chain
     };
   }
-  if (scheme === "redirect_uri") {
+  if (clientIdScheme === "redirect_uri") {
     if (jar) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
@@ -352,20 +399,26 @@ function parseClientIdentifier(options, parserConfig) {
       });
     }
     return {
-      scheme,
+      scheme: clientIdScheme,
       identifier: identifierPart,
       originalValue: clientId,
       legacyClientId,
       redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
     };
   }
-  if (scheme === "did") {
+  if (clientIdScheme === "did") {
     if (!jar) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
         error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
       });
     }
+    if (jar.signer.method !== "did") {
+      throw new import_oauth23.Oauth2ServerErrorResponseError({
+        error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
+        error_description: "Something went wrong. The JWT signer method is not did but the client identifier scheme is did."
+      });
+    }
     if (!clientId.startsWith("did:")) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
@@ -385,14 +438,14 @@ function parseClientIdentifier(options, parserConfig) {
       });
     }
     return {
-      scheme,
+      scheme: clientIdScheme,
       identifier: clientId,
       originalValue: clientId,
       legacyClientId,
       didUrl: jar.signer.publicJwk.kid
     };
   }
-  if (scheme === "x509_san_dns" || scheme === "x509_san_uri") {
+  if (clientIdScheme === "x509_san_dns" || clientIdScheme === "x509_san_uri") {
     if (!jar) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
@@ -405,7 +458,7 @@ function parseClientIdentifier(options, parserConfig) {
         error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
       });
     }
-    if (scheme === "x509_san_dns") {
+    if (clientIdScheme === "x509_san_dns") {
       if (!options.callbacks.getX509CertificateMetadata) {
         throw new import_oauth23.Oauth2ServerErrorResponseError(
           {
@@ -425,14 +478,14 @@ function parseClientIdentifier(options, parserConfig) {
       }
       if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
         const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
-        if (!uri || new import_utils4.URL(uri).hostname !== identifierPart) {
+        if (!uri || new import_utils5.URL(uri).hostname !== identifierPart) {
           throw new import_oauth23.Oauth2ServerErrorResponseError({
             error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
             error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
           });
         }
       }
-    } else if (scheme === "x509_san_uri") {
+    } else if (clientIdScheme === "x509_san_uri") {
       if (!options.callbacks.getX509CertificateMetadata) {
         throw new import_oauth23.Oauth2ServerErrorResponseError(
           {
@@ -461,23 +514,23 @@ function parseClientIdentifier(options, parserConfig) {
       }
     }
     return {
-      scheme,
+      scheme: clientIdScheme,
       identifier: identifierPart,
       originalValue: clientId,
       legacyClientId,
       x5c: jar.signer.x5c
     };
   }
-  if (scheme === "web-origin") {
+  if (clientIdScheme === "web-origin") {
     return {
-      scheme,
+      scheme: clientIdScheme,
       identifier: identifierPart,
       originalValue: clientId,
       legacyClientId,
       clientMetadata: authorizationRequestPayload.client_metadata
     };
   }
-  if (scheme === "verifier_attestation") {
+  if (clientIdScheme === "verifier_attestation") {
     if (!jar) {
       throw new import_oauth23.Oauth2ServerErrorResponseError({
         error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
@@ -486,7 +539,7 @@ function parseClientIdentifier(options, parserConfig) {
     }
   }
   return {
-    scheme,
+    scheme: clientIdScheme,
     identifier: identifierPart,
     legacyClientId,
     originalValue: clientId
@@ -511,7 +564,7 @@ function extractJwksFromClientMetadata(clientMetadata) {
 
 // src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
 var import_oauth25 = require("@openid4vc/oauth2");
-var import_utils5 = require("@openid4vc/utils");
+var import_utils6 = require("@openid4vc/utils");
 
 // src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
 var import_oauth24 = require("@openid4vc/oauth2");
@@ -543,7 +596,7 @@ var jarmAuthorizationResponseValidate = (options) => {
       `Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`
     );
   }
-  if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, import_utils5.dateToSeconds)()) {
+  if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, import_utils6.dateToSeconds)()) {
     throw new import_oauth25.Oauth2Error("Jarm auth response is expired.");
   }
 };
@@ -611,11 +664,11 @@ async function verifyJarmAuthorizationResponse(options) {
 
 // src/authorization-request/create-authorization-request.ts
 var import_oauth210 = require("@openid4vc/oauth2");
-var import_utils8 = require("@openid4vc/utils");
+var import_utils9 = require("@openid4vc/utils");
 
 // src/jar/create-jar-authorization-request.ts
 var import_oauth27 = require("@openid4vc/oauth2");
-var import_utils6 = require("@openid4vc/utils");
+var import_utils7 = require("@openid4vc/utils");
 async function createJarAuthorizationRequest(options) {
   const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
   let authorizationRequestJwt;
@@ -624,8 +677,8 @@ async function createJarAuthorizationRequest(options) {
   const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
     header: { ...(0, import_oauth27.jwtHeaderFromJwtSigner)(jwtSigner), typ: "oauth-authz-req+jwt" },
     payload: {
-      iat: (0, import_utils6.dateToSeconds)(now),
-      exp: (0, import_utils6.dateToSeconds)((0, import_utils6.addSecondsToDate)(now, options.expiresInSeconds)),
+      iat: (0, import_utils7.dateToSeconds)(now),
+      exp: (0, import_utils7.dateToSeconds)((0, import_utils7.addSecondsToDate)(now, options.expiresInSeconds)),
       ...options.additionalJwtPayload,
       ...authorizationRequestPayload
     }
@@ -643,7 +696,7 @@ async function createJarAuthorizationRequest(options) {
 
 // src/authorization-request/validate-authorization-request.ts
 var import_oauth28 = require("@openid4vc/oauth2");
-var import_utils7 = require("@openid4vc/utils");
+var import_utils8 = require("@openid4vc/utils");
 var validateOpenid4vpAuthorizationRequestPayload = (options) => {
   const { params, walletVerificationOptions } = options;
   if (!params.redirect_uri && !params.response_uri) {
@@ -678,7 +731,7 @@ var validateOpenid4vpAuthorizationRequestPayload = (options) => {
       error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
     });
   }
-  if (params.trust_chain && !import_utils7.zHttpsUrl.safeParse(params.client_id).success) {
+  if (params.trust_chain && !import_utils8.zHttpsUrl.safeParse(params.client_id).success) {
     throw new import_oauth28.Oauth2ServerErrorResponseError({
       error: import_oauth28.Oauth2ErrorCodes.InvalidRequest,
       error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
@@ -742,7 +795,7 @@ async function createOpenid4vpAuthorizationRequest(options) {
   let additionalJwtPayload;
   let authorizationRequestPayload;
   if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
-    authorizationRequestPayload = (0, import_utils8.parseWithErrorHandling)(
+    authorizationRequestPayload = (0, import_utils9.parseWithErrorHandling)(
       zOpenid4vpAuthorizationRequestDcApi,
       options.authorizationRequestPayload,
       "Invalid authorization request. Could not parse openid4vp dc_api authorization request."
@@ -758,7 +811,7 @@ async function createOpenid4vpAuthorizationRequest(options) {
       disableOriginValidation: true
     });
   } else {
-    authorizationRequestPayload = (0, import_utils8.parseWithErrorHandling)(
+    authorizationRequestPayload = (0, import_utils9.parseWithErrorHandling)(
       zOpenid4vpAuthorizationRequest,
       options.authorizationRequestPayload,
       "Invalid authorization request. Could not parse openid4vp authorization request."
@@ -778,10 +831,10 @@ async function createOpenid4vpAuthorizationRequest(options) {
       additionalJwtPayload,
       callbacks
     });
-    const url2 = new import_utils8.URL(scheme);
-    url2.search = `?${new import_utils8.URLSearchParams([
+    const url2 = new import_utils9.URL(scheme);
+    url2.search = `?${new import_utils9.URLSearchParams([
       ...url2.searchParams.entries(),
-      ...(0, import_utils8.objectToQueryParams)(jarResult.jarAuthorizationRequest).entries(),
+      ...(0, import_utils9.objectToQueryParams)(jarResult.jarAuthorizationRequest).entries(),
       // Add client_id_scheme if defined for backwards compat
       ...authorizationRequestPayload.client_id_scheme ? [["client_id_scheme", authorizationRequestPayload.client_id_scheme]] : []
     ]).toString()}`;
@@ -792,10 +845,10 @@ async function createOpenid4vpAuthorizationRequest(options) {
       jar: { ...jar, ...jarResult }
     };
   }
-  const url = new import_utils8.URL(scheme);
-  url.search = `?${new import_utils8.URLSearchParams([
+  const url = new import_utils9.URL(scheme);
+  url.search = `?${new import_utils9.URLSearchParams([
     ...url.searchParams.entries(),
-    ...(0, import_utils8.objectToQueryParams)(authorizationRequestPayload).entries()
+    ...(0, import_utils9.objectToQueryParams)(authorizationRequestPayload).entries()
   ]).toString()}`;
   return {
     authorizationRequestPayload,
@@ -807,16 +860,16 @@ async function createOpenid4vpAuthorizationRequest(options) {
 
 // src/authorization-request/parse-authorization-request-params.ts
 var import_oauth212 = require("@openid4vc/oauth2");
-var import_utils10 = require("@openid4vc/utils");
+var import_utils11 = require("@openid4vc/utils");
 var import_zod10 = __toESM(require("zod"));
 
 // src/jar/z-jar-authorization-request.ts
 var import_oauth211 = require("@openid4vc/oauth2");
-var import_utils9 = require("@openid4vc/utils");
+var import_utils10 = require("@openid4vc/utils");
 var import_zod9 = require("zod");
 var zJarAuthorizationRequest = import_zod9.z.object({
   request: import_zod9.z.optional(import_zod9.z.string()),
-  request_uri: import_zod9.z.optional(import_utils9.zHttpsUrl),
+  request_uri: import_zod9.z.optional(import_utils10.zHttpsUrl),
   request_uri_method: import_zod9.z.optional(import_zod9.z.string()),
   client_id: import_zod9.z.optional(import_zod9.z.string())
 }).passthrough();
@@ -847,7 +900,7 @@ function parseOpenid4vpAuthorizationRequest(options) {
   let params;
   if (typeof authorizationRequest === "string") {
     if (authorizationRequest.includes("://")) {
-      params = (0, import_utils10.parseWithErrorHandling)(
+      params = (0, import_utils11.parseWithErrorHandling)(
         zOpenid4vpAuthorizationRequestFromUriParams,
         authorizationRequest,
         "Unable to parse openid4vp authorization request uri to a valid object"
@@ -861,7 +914,7 @@ function parseOpenid4vpAuthorizationRequest(options) {
   } else {
     params = authorizationRequest;
   }
-  const parsedRequest = (0, import_utils10.parseWithErrorHandling)(
+  const parsedRequest = (0, import_utils11.parseWithErrorHandling)(
     import_zod10.default.union([zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),
     params
   );
@@ -888,19 +941,19 @@ function parseOpenid4vpAuthorizationRequest(options) {
 
 // src/authorization-request/resolve-authorization-request.ts
 var import_oauth219 = require("@openid4vc/oauth2");
-var import_utils14 = require("@openid4vc/utils");
-var import_zod13 = __toESM(require("zod"));
+var import_utils15 = require("@openid4vc/utils");
+var import_zod14 = __toESM(require("zod"));
 
 // src/fetch-client-metadata.ts
 var import_oauth213 = require("@openid4vc/oauth2");
-var import_utils11 = require("@openid4vc/utils");
+var import_utils12 = require("@openid4vc/utils");
 async function fetchClientMetadata(options) {
   const { fetch, clientMetadataUri } = options;
-  const fetcher = (0, import_utils11.createZodFetcher)(fetch);
-  const { result, response } = await fetcher(zClientMetadata, import_utils11.ContentType.Json, clientMetadataUri, {
+  const fetcher = (0, import_utils12.createZodFetcher)(fetch);
+  const { result, response } = await fetcher(zClientMetadata, import_utils12.ContentType.Json, clientMetadataUri, {
     method: "GET",
     headers: {
-      Accept: import_utils11.ContentType.Json
+      Accept: import_utils12.ContentType.Json
     }
   });
   if (!response.ok) {
@@ -920,6 +973,7 @@ async function fetchClientMetadata(options) {
 
 // src/jar/handle-jar-request/verify-jar-request.ts
 var import_oauth217 = require("@openid4vc/oauth2");
+var import_zod12 = __toESM(require("zod"));
 
 // src/version.ts
 var import_oauth214 = require("@openid4vc/oauth2");
@@ -985,7 +1039,7 @@ function parseAuthorizationRequestVersion(request) {
 
 // src/jar/jar-request-object/fetch-jar-request-object.ts
 var import_oauth215 = require("@openid4vc/oauth2");
-var import_utils12 = require("@openid4vc/utils");
+var import_utils13 = require("@openid4vc/utils");
 async function fetchJarRequestObject(options) {
   const { requestUri, clientIdentifierScheme, method, wallet, fetch } = options;
   let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : void 0;
@@ -993,12 +1047,12 @@ async function fetchJarRequestObject(options) {
     const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata;
     requestBody = { ...requestBody, wallet_metadata: { ...rest } };
   }
-  const response = await (0, import_utils12.createFetcher)(fetch)(requestUri, {
+  const response = await (0, import_utils13.createFetcher)(fetch)(requestUri, {
     method,
-    body: method === "POST" ? (0, import_utils12.objectToQueryParams)(wallet.metadata ?? {}) : void 0,
+    body: method === "POST" ? (0, import_utils13.objectToQueryParams)(wallet.metadata ?? {}) : void 0,
     headers: {
-      Accept: `${import_utils12.ContentType.OAuthAuthorizationRequestJwt}, ${import_utils12.ContentType.Jwt};q=0.9, text/plain`,
-      "Content-Type": import_utils12.ContentType.XWwwFormUrlencoded
+      Accept: `${import_utils13.ContentType.OAuthAuthorizationRequestJwt}, ${import_utils13.ContentType.Jwt};q=0.9, text/plain`,
+      "Content-Type": import_utils13.ContentType.XWwwFormUrlencoded
     }
   }).catch(() => {
     throw new import_oauth215.Oauth2ServerErrorResponseError({
@@ -1024,6 +1078,8 @@ var zJarRequestObjectPayload = import_zod11.z.object({
 }).passthrough();
 
 // src/jar/handle-jar-request/verify-jar-request.ts
+var zSignedAuthorizationRequestJwtHeaderTyp = import_zod12.default.literal("oauth-authz-req+jwt");
+var signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
 async function verifyJarRequest(options) {
   const { callbacks, wallet = {} } = options;
   const jarRequestParams = validateJarRequestParams(options);
@@ -1103,7 +1159,41 @@ async function decryptJarRequest(options) {
 async function verifyJarRequestObject(options) {
   const { decryptedRequestObject, callbacks } = options;
   const jwt = (0, import_oauth217.decodeJwt)({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload });
-  const jwtSigner = (0, import_oauth217.jwtSignerFromJwt)(jwt);
+  let jwtSigner;
+  const { clientIdScheme } = getOpenid4vpClientId({
+    responseMode: jwt.payload.response_mode,
+    clientId: jwt.payload.client_id,
+    legacyClientIdScheme: jwt.payload.client_id_scheme
+  });
+  const clientIdToSignerMethod = {
+    did: ["did"],
+    "pre-registered": ["custom", "did", "jwk"],
+    "web-origin": [],
+    // no signing allowed
+    redirect_uri: [],
+    // no signing allowed
+    // Not 100% sure which one are allowed?
+    verifier_attestation: ["did", "federation", "jwk", "x5c", "custom"],
+    x509_san_dns: ["x5c"],
+    x509_san_uri: ["x5c"],
+    // Handled separately
+    https: []
+  };
+  if (clientIdScheme === "https") {
+    if (!jwt.header.kid) {
+      throw new import_oauth217.Oauth2Error(
+        `When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`
+      );
+    }
+    jwtSigner = {
+      method: "federation",
+      alg: jwt.header.alg,
+      trustChain: jwt.payload.trust_chain,
+      kid: jwt.header.kid
+    };
+  } else {
+    jwtSigner = (0, import_oauth217.jwtSignerFromJwt)({ ...jwt, allowedSignerMethods: clientIdToSignerMethod[clientIdScheme] });
+  }
   const { signer } = await (0, import_oauth217.verifyJwt)({
     verifyJwtCallback: callbacks.verifyJwt,
     compact: decryptedRequestObject,
@@ -1127,21 +1217,21 @@ async function verifyJarRequestObject(options) {
 
 // src/transaction-data/parse-transaction-data.ts
 var import_oauth218 = require("@openid4vc/oauth2");
-var import_utils13 = require("@openid4vc/utils");
+var import_utils14 = require("@openid4vc/utils");
 
 // src/transaction-data/z-transaction-data.ts
-var import_zod12 = require("zod");
-var zTransactionEntry = import_zod12.z.object({
-  type: import_zod12.z.string(),
-  credential_ids: import_zod12.z.array(import_zod12.z.string()).nonempty(),
-  transaction_data_hashes_alg: import_zod12.z.array(import_zod12.z.string()).optional()
+var import_zod13 = require("zod");
+var zTransactionEntry = import_zod13.z.object({
+  type: import_zod13.z.string(),
+  credential_ids: import_zod13.z.array(import_zod13.z.string()).nonempty(),
+  transaction_data_hashes_alg: import_zod13.z.array(import_zod13.z.string()).optional()
 }).passthrough();
-var zTransactionData = import_zod12.z.array(zTransactionEntry);
+var zTransactionData = import_zod13.z.array(zTransactionEntry);
 
 // src/transaction-data/parse-transaction-data.ts
 function parseTransactionData(options) {
   const { transactionData } = options;
-  const decoded = transactionData.map((tdEntry) => (0, import_utils13.parseIfJson)((0, import_utils13.encodeToUtf8String)((0, import_utils13.decodeBase64)(tdEntry))));
+  const decoded = transactionData.map((tdEntry) => (0, import_utils14.parseIfJson)((0, import_utils14.encodeToUtf8String)((0, import_utils14.decodeBase64)(tdEntry))));
   const parsedResult = zTransactionData.safeParse(decoded);
   if (!parsedResult.success) {
     throw new import_oauth218.Oauth2ServerErrorResponseError({
@@ -1160,16 +1250,16 @@ function parseTransactionData(options) {
 async function resolveOpenid4vpAuthorizationRequest(options) {
   const { wallet, callbacks, origin, disableOriginValidation } = options;
   let authorizationRequestPayload;
-  const parsed = (0, import_utils14.parseWithErrorHandling)(
-    import_zod13.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),
+  const parsed = (0, import_utils15.parseWithErrorHandling)(
+    import_zod14.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),
     options.authorizationRequestPayload,
     "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request."
   );
   let jar;
   if (isJarAuthorizationRequest(parsed)) {
     jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet });
-    const parsedJarAuthorizationRequestPayload = (0, import_utils14.parseWithErrorHandling)(
-      import_zod13.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
+    const parsedJarAuthorizationRequestPayload = (0, import_utils15.parseWithErrorHandling)(
+      import_zod14.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
       jar.authorizationRequestPayload,
       "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."
     );
@@ -1193,7 +1283,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
   if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) {
     clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
   }
-  const clientMeta = parseClientIdentifier({
+  const clientMeta = validateOpenid4vpClientId({
     authorizationRequestPayload: {
       ...authorizationRequestPayload,
       client_metadata: clientMetadata
@@ -1249,7 +1339,7 @@ function validateOpenId4vpAuthorizationRequestPayload(options) {
 
 // src/authorization-response/create-authorization-response.ts
 var import_oauth222 = require("@openid4vc/oauth2");
-var import_utils15 = require("@openid4vc/utils");
+var import_utils16 = require("@openid4vc/utils");
 
 // ../utils/src/date.ts
 function addSecondsToDate2(date, seconds) {
@@ -1283,7 +1373,7 @@ async function createJarmAuthorizationResponse(options) {
 }
 
 // src/jarm/jarm-response-mode.ts
-var import_zod14 = require("zod");
+var import_zod15 = require("zod");
 var jarmResponseMode = [
   "jwt",
   "query.jwt",
@@ -1292,7 +1382,7 @@ var jarmResponseMode = [
   "direct_post.jwt",
   "dc_api.jwt"
 ];
-var zJarmResponseMode = import_zod14.z.enum(jarmResponseMode);
+var zJarmResponseMode = import_zod15.z.enum(jarmResponseMode);
 var isJarmResponseMode = (responseMode) => {
   return jarmResponseMode.includes(responseMode);
 };
@@ -1398,7 +1488,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
     additionalJwtPayload = {
       iss: jarm.authorizationServer,
       aud: jarm.audience,
-      exp: jarm.expiresInSeconds ?? (0, import_utils15.dateToSeconds)(addSecondsToDate2(/* @__PURE__ */ new Date(), 60 * 10))
+      exp: jarm.expiresInSeconds ?? (0, import_utils16.dateToSeconds)(addSecondsToDate2(/* @__PURE__ */ new Date(), 60 * 10))
       // default: 10 minutes
     };
   }
@@ -1430,25 +1520,25 @@ async function createOpenid4vpAuthorizationResponse(options) {
 
 // src/authorization-response/submit-authorization-response.ts
 var import_oauth224 = require("@openid4vc/oauth2");
-var import_utils17 = require("@openid4vc/utils");
 var import_utils18 = require("@openid4vc/utils");
+var import_utils19 = require("@openid4vc/utils");
 
 // src/jarm/jarm-authorizatino-response-send.ts
 var import_oauth223 = require("@openid4vc/oauth2");
-var import_utils16 = require("@openid4vc/utils");
+var import_utils17 = require("@openid4vc/utils");
 var jarmAuthorizationResponseSend = (options) => {
   const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options;
   const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
   if (!responseEndpoint) {
     throw new import_oauth223.Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST  be present in the authorization request`);
   }
-  const responseEndpointUrl = new import_utils16.URL(responseEndpoint);
+  const responseEndpointUrl = new import_utils17.URL(responseEndpoint);
   return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks);
 };
 async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
-  const response = await (0, import_utils16.createFetcher)(callbacks.fetch)(responseEndpoint, {
+  const response = await (0, import_utils17.createFetcher)(callbacks.fetch)(responseEndpoint, {
     method: "POST",
-    headers: { "Content-Type": import_utils16.ContentType.XWwwFormUrlencoded },
+    headers: { "Content-Type": import_utils17.ContentType.XWwwFormUrlencoded },
     body: `response=${responseJwt}`
   });
   return {
@@ -1473,13 +1563,13 @@ async function submitOpenid4vpAuthorizationResponse(options) {
       "Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided."
     );
   }
-  const fetch = (0, import_utils17.createFetcher)(callbacks.fetch);
-  const encodedResponse = (0, import_utils18.objectToQueryParams)(authorizationResponsePayload);
+  const fetch = (0, import_utils18.createFetcher)(callbacks.fetch);
+  const encodedResponse = (0, import_utils19.objectToQueryParams)(authorizationResponsePayload);
   const submissionResponse = await fetch(url, {
     method: "POST",
     body: encodedResponse.toString(),
     headers: {
-      "Content-Type": import_utils17.ContentType.XWwwFormUrlencoded
+      "Content-Type": import_utils18.ContentType.XWwwFormUrlencoded
     }
   });
   return {
@@ -1492,37 +1582,37 @@ async function submitOpenid4vpAuthorizationResponse(options) {
 var import_oauth225 = require("@openid4vc/oauth2");
 
 // src/vp-token/parse-vp-token.ts
-var import_utils19 = require("@openid4vc/utils");
+var import_utils20 = require("@openid4vc/utils");
 
 // src/vp-token/z-vp-token.ts
-var import_zod15 = require("zod");
-var zVpTokenPexEntry = import_zod15.z.union([import_zod15.z.string(), import_zod15.z.record(import_zod15.z.any())], {
+var import_zod16 = require("zod");
+var zVpTokenPexEntry = import_zod16.z.union([import_zod16.z.string(), import_zod16.z.record(import_zod16.z.any())], {
   message: "pex vp_token entry must be a string or object"
 });
-var zVpTokenPex = import_zod15.z.union(
-  [zVpTokenPexEntry, import_zod15.z.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
+var zVpTokenPex = import_zod16.z.union(
+  [zVpTokenPexEntry, import_zod16.z.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
   {
     message: "pex vp_token must be a string, object or array of strings and objects"
   }
 );
-var zVpTokenDcql = import_zod15.z.record(import_zod15.z.union([import_zod15.z.string(), import_zod15.z.record(import_zod15.z.any())]), {
+var zVpTokenDcql = import_zod16.z.record(import_zod16.z.union([import_zod16.z.string(), import_zod16.z.record(import_zod16.z.any())]), {
   message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation"
 });
 var zVpToken = zVpTokenDcql.or(zVpTokenPex);
 
 // src/vp-token/parse-vp-token.ts
 function parsePexVpToken(vpToken) {
-  const parsedVpToken = (0, import_utils19.parseWithErrorHandling)(
+  const parsedVpToken = (0, import_utils20.parseWithErrorHandling)(
     zVpTokenPex,
-    (0, import_utils19.parseIfJson)(vpToken),
+    (0, import_utils20.parseIfJson)(vpToken),
     "Could not parse presentation exchange vp_token. Expected a string or an array of strings"
   );
   return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
 }
 function parseDcqlVpToken(vpToken) {
-  return (0, import_utils19.parseWithErrorHandling)(
+  return (0, import_utils20.parseWithErrorHandling)(
     zVpTokenDcql,
-    (0, import_utils19.parseIfJson)(vpToken),
+    (0, import_utils20.parseIfJson)(vpToken),
     "Could not parse dcql vp_token. Expected an object where the values are encoded presentations"
   );
 }
@@ -1575,32 +1665,32 @@ function validateOpenid4vpAuthorizationResponsePayload(options) {
 var import_oauth227 = require("@openid4vc/oauth2");
 
 // src/authorization-response/parse-authorization-response-payload.ts
-var import_utils21 = require("@openid4vc/utils");
+var import_utils22 = require("@openid4vc/utils");
 
 // src/authorization-response/z-authorization-response.ts
-var import_utils20 = require("@openid4vc/utils");
-var import_zod17 = require("zod");
+var import_utils21 = require("@openid4vc/utils");
+var import_zod18 = require("zod");
 
 // src/models/z-pex.ts
-var import_zod16 = require("zod");
-var zPexPresentationDefinition = import_zod16.z.record(import_zod16.z.any());
-var zPexPresentationSubmission = import_zod16.z.record(import_zod16.z.any());
+var import_zod17 = require("zod");
+var zPexPresentationDefinition = import_zod17.z.record(import_zod17.z.any());
+var zPexPresentationSubmission = import_zod17.z.record(import_zod17.z.any());
 
 // src/authorization-response/z-authorization-response.ts
-var zOpenid4vpAuthorizationResponse = import_zod17.z.object({
-  state: import_zod17.z.string().optional(),
-  id_token: import_zod17.z.string().optional(),
+var zOpenid4vpAuthorizationResponse = import_zod18.z.object({
+  state: import_zod18.z.string().optional(),
+  id_token: import_zod18.z.string().optional(),
   vp_token: zVpToken,
-  presentation_submission: zPexPresentationSubmission.or(import_utils20.zStringToJson).optional(),
-  refresh_token: import_zod17.z.string().optional(),
-  token_type: import_zod17.z.string().optional(),
-  access_token: import_zod17.z.string().optional(),
-  expires_in: import_zod17.z.number().optional()
+  presentation_submission: zPexPresentationSubmission.or(import_utils21.zStringToJson).optional(),
+  refresh_token: import_zod18.z.string().optional(),
+  token_type: import_zod18.z.string().optional(),
+  access_token: import_zod18.z.string().optional(),
+  expires_in: import_zod18.z.number().optional()
 }).passthrough();
 
 // src/authorization-response/parse-authorization-response-payload.ts
 function parseOpenid4VpAuthorizationResponsePayload(payload) {
-  return (0, import_utils21.parseWithErrorHandling)(
+  return (0, import_utils22.parseWithErrorHandling)(
     zOpenid4vpAuthorizationResponse,
     payload,
     "Failed to parse openid4vp authorization response."
@@ -1609,12 +1699,12 @@ function parseOpenid4VpAuthorizationResponsePayload(payload) {
 
 // src/authorization-response/parse-jarm-authorization-response.ts
 var import_oauth226 = require("@openid4vc/oauth2");
-var import_utils22 = require("@openid4vc/utils");
-var import_zod18 = __toESM(require("zod"));
+var import_utils23 = require("@openid4vc/utils");
+var import_zod19 = __toESM(require("zod"));
 async function parseJarmAuthorizationResponse(options) {
   const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
-  const jarmAuthorizationResponseJwt = (0, import_utils22.parseWithErrorHandling)(
-    import_zod18.default.union([import_oauth226.zCompactJwt, import_oauth226.zCompactJwe]),
+  const jarmAuthorizationResponseJwt = (0, import_utils23.parseWithErrorHandling)(
+    import_zod19.default.union([import_oauth226.zCompactJwt, import_oauth226.zCompactJwe]),
     jarmResponseJwt,
     "Invalid jarm authorization response jwt."
   );
@@ -1653,7 +1743,9 @@ async function parseOpenid4vpAuthorizationResponse(options) {
   const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
   const expectedClientId = getOpenid4vpClientId({
     origin,
-    authorizationRequestPayload
+    responseMode: authorizationRequestPayload.response_mode,
+    clientId: authorizationRequestPayload.client_id,
+    legacyClientIdScheme: authorizationRequestPayload.client_id_scheme
   });
   if (authorizationResponse.response) {
     return parseJarmAuthorizationResponse({
@@ -1710,7 +1802,7 @@ var Openid4vpClient = class {
 
 // src/transaction-data/verify-transaction-data.ts
 var import_oauth228 = require("@openid4vc/oauth2");
-var import_utils23 = require("@openid4vc/utils");
+var import_utils24 = require("@openid4vc/utils");
 async function verifyTransactionData(options) {
   const parsedTransactionData = parseTransactionData({
     transactionData: options.transactionData
@@ -1737,7 +1829,7 @@ async function verifyTransactionDataEntry({
   );
   const hashes = {};
   for (const alg of supportedAlgs) {
-    hashes[alg] = (0, import_utils23.encodeToBase64Url)(await callbacks.hash((0, import_utils23.decodeUtf8String)(entry.encoded), alg));
+    hashes[alg] = (0, import_utils24.encodeToBase64Url)(await callbacks.hash((0, import_utils24.decodeUtf8String)(entry.encoded), alg));
   }
   for (const credentialId of entry.transactionData.credential_ids) {
     const transactionDataHashesCredential = credentials[credentialId];
@@ -1808,22 +1900,22 @@ var Openid4vpVerifier = class {
 };
 
 // src/models/z-credential-formats.ts
-var import_zod19 = require("zod");
-var zCredentialFormat = import_zod19.z.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
+var import_zod20 = require("zod");
+var zCredentialFormat = import_zod20.z.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
 
 // src/models/z-proof-formats.ts
-var import_zod20 = require("zod");
-var zProofFormat = import_zod20.z.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
+var import_zod21 = require("zod");
+var zProofFormat = import_zod21.z.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
 
 // src/models/z-wallet-metadata.ts
-var import_zod21 = require("zod");
-var zWalletMetadata = import_zod21.z.object({
-  presentation_definition_uri_supported: import_zod21.z.optional(import_zod21.z.boolean()),
+var import_zod22 = require("zod");
+var zWalletMetadata = import_zod22.z.object({
+  presentation_definition_uri_supported: import_zod22.z.optional(import_zod22.z.boolean()),
   vp_formats_supported: zVpFormatsSupported,
-  client_id_schemes_supported: import_zod21.z.optional(import_zod21.z.array(zClientIdScheme)),
-  request_object_signing_alg_values_supported: import_zod21.z.optional(import_zod21.z.array(import_zod21.z.string())),
-  authorization_encryption_alg_values_supported: import_zod21.z.optional(import_zod21.z.array(import_zod21.z.string())),
-  authorization_encryption_enc_values_supported: import_zod21.z.optional(import_zod21.z.array(import_zod21.z.string()))
+  client_id_schemes_supported: import_zod22.z.optional(import_zod22.z.array(zClientIdScheme)),
+  request_object_signing_alg_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string())),
+  authorization_encryption_alg_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string())),
+  authorization_encryption_enc_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string()))
 });
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {