@openid4vc/openid4vp 0.3.0-alpha-20250322171044 → 0.3.0-alpha-20250324183425
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +37 -26
- package/dist/index.d.ts +37 -26
- package/dist/index.js +240 -148
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +198 -105
- package/dist/index.mjs.map +1 -1
- package/package.json +3 -3
package/dist/index.mjs
CHANGED
|
@@ -120,7 +120,7 @@ var zOpenid4vpAuthorizationRequest = z4.object({
|
|
|
120
120
|
client_metadata_uri: zHttpsUrl2.optional(),
|
|
121
121
|
state: z4.string().optional(),
|
|
122
122
|
transaction_data: z4.array(z4.string().base64url()).optional(),
|
|
123
|
-
trust_chain: z4.
|
|
123
|
+
trust_chain: z4.array(z4.string()).nonempty().optional(),
|
|
124
124
|
client_id_scheme: z4.enum([
|
|
125
125
|
"pre-registered",
|
|
126
126
|
"redirect_uri",
|
|
@@ -160,13 +160,15 @@ var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
|
|
|
160
160
|
scope: z5.never().optional()
|
|
161
161
|
// TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?
|
|
162
162
|
});
|
|
163
|
+
function isOpenid4vpResponseModeDcApi(responseMode) {
|
|
164
|
+
return responseMode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(responseMode);
|
|
165
|
+
}
|
|
163
166
|
function isOpenid4vpAuthorizationRequestDcApi(request) {
|
|
164
|
-
return request.response_mode
|
|
165
|
-
request.response_mode
|
|
166
|
-
);
|
|
167
|
+
return isOpenid4vpResponseModeDcApi(request.response_mode);
|
|
167
168
|
}
|
|
168
169
|
|
|
169
170
|
// src/client-identifier-scheme/z-client-id-scheme.ts
|
|
171
|
+
import { getGlobalConfig } from "@openid4vc/utils";
|
|
170
172
|
import { z as z6 } from "zod";
|
|
171
173
|
var zClientIdScheme = z6.enum([
|
|
172
174
|
"pre-registered",
|
|
@@ -178,6 +180,18 @@ var zClientIdScheme = z6.enum([
|
|
|
178
180
|
"x509_san_uri",
|
|
179
181
|
"web-origin"
|
|
180
182
|
]);
|
|
183
|
+
var zClientIdToClientIdScheme = z6.union(
|
|
184
|
+
[
|
|
185
|
+
z6.string({ message: "client_id MUST be a string" }).includes(":").transform((clientId) => {
|
|
186
|
+
const clientIdScheme = clientId.split(":")[0];
|
|
187
|
+
return clientIdScheme === "http" && getGlobalConfig().allowInsecureUrls ? "https" : clientIdScheme;
|
|
188
|
+
}).pipe(zClientIdScheme.exclude(["pre-registered"])),
|
|
189
|
+
z6.string().refine((clientId) => clientId.includes(":") === false).transform(() => "pre-registered")
|
|
190
|
+
],
|
|
191
|
+
{
|
|
192
|
+
message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdScheme.exclude(["pre-registered"]).options.join(", ")}`
|
|
193
|
+
}
|
|
194
|
+
);
|
|
181
195
|
var zLegacyClientIdScheme = z6.enum([
|
|
182
196
|
"pre-registered",
|
|
183
197
|
"redirect_uri",
|
|
@@ -187,58 +201,80 @@ var zLegacyClientIdScheme = z6.enum([
|
|
|
187
201
|
"x509_san_dns",
|
|
188
202
|
"x509_san_uri"
|
|
189
203
|
]);
|
|
204
|
+
var zLegacyClientIdSchemeToClientIdScheme = zLegacyClientIdScheme.optional().default("pre-registered").transform((clientIdScheme) => clientIdScheme === "entity_id" ? "https" : clientIdScheme);
|
|
190
205
|
|
|
191
206
|
// src/client-identifier-scheme/parse-client-identifier-scheme.ts
|
|
192
207
|
function getOpenid4vpClientId(options) {
|
|
193
|
-
if (
|
|
194
|
-
if (!options.
|
|
208
|
+
if (isOpenid4vpResponseModeDcApi(options.responseMode)) {
|
|
209
|
+
if (!options.clientId) {
|
|
210
|
+
if (!options.origin) {
|
|
211
|
+
throw new Oauth2ServerErrorResponseError({
|
|
212
|
+
error: Oauth2ErrorCodes.InvalidRequest,
|
|
213
|
+
error_description: "Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'"
|
|
214
|
+
});
|
|
215
|
+
}
|
|
216
|
+
return {
|
|
217
|
+
clientIdScheme: "web-origin",
|
|
218
|
+
clientId: `web-origin:${options.origin}`
|
|
219
|
+
};
|
|
220
|
+
}
|
|
221
|
+
const parsedClientIdScheme2 = zClientIdToClientIdScheme.safeParse(options.clientId);
|
|
222
|
+
if (!parsedClientIdScheme2.success) {
|
|
195
223
|
throw new Oauth2ServerErrorResponseError({
|
|
196
224
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
197
|
-
error_description:
|
|
225
|
+
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
198
226
|
});
|
|
199
227
|
}
|
|
200
228
|
return {
|
|
201
|
-
clientId: options.
|
|
229
|
+
clientId: options.clientId,
|
|
230
|
+
clientIdScheme: parsedClientIdScheme2.data
|
|
202
231
|
};
|
|
203
232
|
}
|
|
204
|
-
if (!options.
|
|
233
|
+
if (!options.clientId) {
|
|
205
234
|
throw new Oauth2ServerErrorResponseError({
|
|
206
235
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
207
|
-
error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.
|
|
236
|
+
error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`
|
|
208
237
|
});
|
|
209
238
|
}
|
|
210
|
-
if (options.
|
|
211
|
-
const
|
|
212
|
-
if (!
|
|
239
|
+
if (options.legacyClientIdScheme) {
|
|
240
|
+
const parsedClientIdScheme2 = zLegacyClientIdSchemeToClientIdScheme.safeParse(options.legacyClientIdScheme);
|
|
241
|
+
if (!parsedClientIdScheme2.success) {
|
|
213
242
|
throw new Oauth2ServerErrorResponseError({
|
|
214
243
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
215
|
-
error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.
|
|
244
|
+
error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`
|
|
216
245
|
});
|
|
217
246
|
}
|
|
218
|
-
const clientIdScheme =
|
|
219
|
-
if (clientIdScheme === "https" || clientIdScheme === "did" || clientIdScheme === "pre-registered") {
|
|
220
|
-
return { clientId: options.authorizationRequestPayload.client_id };
|
|
221
|
-
}
|
|
247
|
+
const clientIdScheme = parsedClientIdScheme2.data;
|
|
222
248
|
return {
|
|
223
|
-
clientId: `${
|
|
224
|
-
|
|
249
|
+
clientId: clientIdScheme === "https" || clientIdScheme === "did" || clientIdScheme === "pre-registered" ? options.clientId : `${parsedClientIdScheme2.data}:${options.clientId}`,
|
|
250
|
+
clientIdScheme: parsedClientIdScheme2.data,
|
|
251
|
+
legacyClientId: options.clientId
|
|
225
252
|
};
|
|
226
253
|
}
|
|
254
|
+
const parsedClientIdScheme = zClientIdToClientIdScheme.safeParse(options.clientId);
|
|
255
|
+
if (!parsedClientIdScheme.success) {
|
|
256
|
+
throw new Oauth2ServerErrorResponseError({
|
|
257
|
+
error: Oauth2ErrorCodes.InvalidRequest,
|
|
258
|
+
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
259
|
+
});
|
|
260
|
+
}
|
|
227
261
|
return {
|
|
228
|
-
clientId: options.
|
|
262
|
+
clientId: options.clientId,
|
|
263
|
+
clientIdScheme: parsedClientIdScheme.data
|
|
229
264
|
};
|
|
230
265
|
}
|
|
231
|
-
function
|
|
266
|
+
function validateOpenid4vpClientId(options, parserConfig) {
|
|
232
267
|
const { authorizationRequestPayload, jar, origin } = options;
|
|
233
268
|
const parserConfigWithDefaults = {
|
|
234
269
|
supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
|
|
235
270
|
};
|
|
236
|
-
const { clientId, legacyClientId } = getOpenid4vpClientId({
|
|
237
|
-
authorizationRequestPayload,
|
|
271
|
+
const { clientId, legacyClientId, clientIdScheme } = getOpenid4vpClientId({
|
|
272
|
+
clientId: authorizationRequestPayload.client_id,
|
|
273
|
+
legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
|
|
274
|
+
responseMode: authorizationRequestPayload.response_mode,
|
|
238
275
|
origin
|
|
239
276
|
});
|
|
240
|
-
|
|
241
|
-
if (colonIndex === -1) {
|
|
277
|
+
if (clientIdScheme === "pre-registered") {
|
|
242
278
|
return {
|
|
243
279
|
scheme: "pre-registered",
|
|
244
280
|
identifier: clientId,
|
|
@@ -247,16 +283,15 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
247
283
|
clientMetadata: authorizationRequestPayload.client_metadata
|
|
248
284
|
};
|
|
249
285
|
}
|
|
250
|
-
const
|
|
286
|
+
const colonIndex = clientId.indexOf(":");
|
|
251
287
|
const identifierPart = clientId.substring(colonIndex + 1);
|
|
252
|
-
if (!parserConfigWithDefaults.supportedSchemes.includes(
|
|
288
|
+
if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdScheme)) {
|
|
253
289
|
throw new Oauth2ServerErrorResponseError({
|
|
254
290
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
255
|
-
error_description: `Unsupported client identifier scheme. ${
|
|
291
|
+
error_description: `Unsupported client identifier scheme. ${clientIdScheme} is not supported.`
|
|
256
292
|
});
|
|
257
293
|
}
|
|
258
|
-
|
|
259
|
-
if (scheme === "https") {
|
|
294
|
+
if (clientIdScheme === "https") {
|
|
260
295
|
if (!zHttpsUrl3.safeParse(clientId).success) {
|
|
261
296
|
throw new Oauth2ServerErrorResponseError(
|
|
262
297
|
{
|
|
@@ -268,15 +303,27 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
268
303
|
}
|
|
269
304
|
);
|
|
270
305
|
}
|
|
306
|
+
if (!jar) {
|
|
307
|
+
throw new Oauth2ServerErrorResponseError({
|
|
308
|
+
error: Oauth2ErrorCodes.InvalidRequest,
|
|
309
|
+
error_description: 'Using client identifier scheme "https" requires a signed JAR request.'
|
|
310
|
+
});
|
|
311
|
+
}
|
|
312
|
+
if (jar.signer.method !== "federation") {
|
|
313
|
+
throw new Oauth2ServerErrorResponseError({
|
|
314
|
+
error: Oauth2ErrorCodes.InvalidRequest,
|
|
315
|
+
error_description: "Something went wrong. The JWT signer method is not federation but the client identifier scheme is https."
|
|
316
|
+
});
|
|
317
|
+
}
|
|
271
318
|
return {
|
|
272
|
-
scheme,
|
|
319
|
+
scheme: clientIdScheme,
|
|
273
320
|
identifier: clientId,
|
|
274
321
|
originalValue: clientId,
|
|
275
322
|
legacyClientId,
|
|
276
323
|
trustChain: authorizationRequestPayload.trust_chain
|
|
277
324
|
};
|
|
278
325
|
}
|
|
279
|
-
if (
|
|
326
|
+
if (clientIdScheme === "redirect_uri") {
|
|
280
327
|
if (jar) {
|
|
281
328
|
throw new Oauth2ServerErrorResponseError({
|
|
282
329
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
@@ -290,20 +337,26 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
290
337
|
});
|
|
291
338
|
}
|
|
292
339
|
return {
|
|
293
|
-
scheme,
|
|
340
|
+
scheme: clientIdScheme,
|
|
294
341
|
identifier: identifierPart,
|
|
295
342
|
originalValue: clientId,
|
|
296
343
|
legacyClientId,
|
|
297
344
|
redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
|
|
298
345
|
};
|
|
299
346
|
}
|
|
300
|
-
if (
|
|
347
|
+
if (clientIdScheme === "did") {
|
|
301
348
|
if (!jar) {
|
|
302
349
|
throw new Oauth2ServerErrorResponseError({
|
|
303
350
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
304
351
|
error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
|
|
305
352
|
});
|
|
306
353
|
}
|
|
354
|
+
if (jar.signer.method !== "did") {
|
|
355
|
+
throw new Oauth2ServerErrorResponseError({
|
|
356
|
+
error: Oauth2ErrorCodes.InvalidRequest,
|
|
357
|
+
error_description: "Something went wrong. The JWT signer method is not did but the client identifier scheme is did."
|
|
358
|
+
});
|
|
359
|
+
}
|
|
307
360
|
if (!clientId.startsWith("did:")) {
|
|
308
361
|
throw new Oauth2ServerErrorResponseError({
|
|
309
362
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
@@ -323,14 +376,14 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
323
376
|
});
|
|
324
377
|
}
|
|
325
378
|
return {
|
|
326
|
-
scheme,
|
|
379
|
+
scheme: clientIdScheme,
|
|
327
380
|
identifier: clientId,
|
|
328
381
|
originalValue: clientId,
|
|
329
382
|
legacyClientId,
|
|
330
383
|
didUrl: jar.signer.publicJwk.kid
|
|
331
384
|
};
|
|
332
385
|
}
|
|
333
|
-
if (
|
|
386
|
+
if (clientIdScheme === "x509_san_dns" || clientIdScheme === "x509_san_uri") {
|
|
334
387
|
if (!jar) {
|
|
335
388
|
throw new Oauth2ServerErrorResponseError({
|
|
336
389
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
@@ -343,7 +396,7 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
343
396
|
error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
|
|
344
397
|
});
|
|
345
398
|
}
|
|
346
|
-
if (
|
|
399
|
+
if (clientIdScheme === "x509_san_dns") {
|
|
347
400
|
if (!options.callbacks.getX509CertificateMetadata) {
|
|
348
401
|
throw new Oauth2ServerErrorResponseError(
|
|
349
402
|
{
|
|
@@ -370,7 +423,7 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
370
423
|
});
|
|
371
424
|
}
|
|
372
425
|
}
|
|
373
|
-
} else if (
|
|
426
|
+
} else if (clientIdScheme === "x509_san_uri") {
|
|
374
427
|
if (!options.callbacks.getX509CertificateMetadata) {
|
|
375
428
|
throw new Oauth2ServerErrorResponseError(
|
|
376
429
|
{
|
|
@@ -399,23 +452,23 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
399
452
|
}
|
|
400
453
|
}
|
|
401
454
|
return {
|
|
402
|
-
scheme,
|
|
455
|
+
scheme: clientIdScheme,
|
|
403
456
|
identifier: identifierPart,
|
|
404
457
|
originalValue: clientId,
|
|
405
458
|
legacyClientId,
|
|
406
459
|
x5c: jar.signer.x5c
|
|
407
460
|
};
|
|
408
461
|
}
|
|
409
|
-
if (
|
|
462
|
+
if (clientIdScheme === "web-origin") {
|
|
410
463
|
return {
|
|
411
|
-
scheme,
|
|
464
|
+
scheme: clientIdScheme,
|
|
412
465
|
identifier: identifierPart,
|
|
413
466
|
originalValue: clientId,
|
|
414
467
|
legacyClientId,
|
|
415
468
|
clientMetadata: authorizationRequestPayload.client_metadata
|
|
416
469
|
};
|
|
417
470
|
}
|
|
418
|
-
if (
|
|
471
|
+
if (clientIdScheme === "verifier_attestation") {
|
|
419
472
|
if (!jar) {
|
|
420
473
|
throw new Oauth2ServerErrorResponseError({
|
|
421
474
|
error: Oauth2ErrorCodes.InvalidRequest,
|
|
@@ -424,7 +477,7 @@ function parseClientIdentifier(options, parserConfig) {
|
|
|
424
477
|
}
|
|
425
478
|
}
|
|
426
479
|
return {
|
|
427
|
-
scheme,
|
|
480
|
+
scheme: clientIdScheme,
|
|
428
481
|
identifier: identifierPart,
|
|
429
482
|
legacyClientId,
|
|
430
483
|
originalValue: clientId
|
|
@@ -836,7 +889,7 @@ function parseOpenid4vpAuthorizationRequest(options) {
|
|
|
836
889
|
// src/authorization-request/resolve-authorization-request.ts
|
|
837
890
|
import { Oauth2ErrorCodes as Oauth2ErrorCodes9, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError10 } from "@openid4vc/oauth2";
|
|
838
891
|
import { parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
|
|
839
|
-
import
|
|
892
|
+
import z14 from "zod";
|
|
840
893
|
|
|
841
894
|
// src/fetch-client-metadata.ts
|
|
842
895
|
import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5 } from "@openid4vc/oauth2";
|
|
@@ -867,6 +920,7 @@ async function fetchClientMetadata(options) {
|
|
|
867
920
|
|
|
868
921
|
// src/jar/handle-jar-request/verify-jar-request.ts
|
|
869
922
|
import {
|
|
923
|
+
Oauth2Error as Oauth2Error5,
|
|
870
924
|
Oauth2ErrorCodes as Oauth2ErrorCodes7,
|
|
871
925
|
Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError8,
|
|
872
926
|
decodeJwt as decodeJwt3,
|
|
@@ -875,6 +929,7 @@ import {
|
|
|
875
929
|
zCompactJwe as zCompactJwe2,
|
|
876
930
|
zCompactJwt as zCompactJwt2
|
|
877
931
|
} from "@openid4vc/oauth2";
|
|
932
|
+
import z12 from "zod";
|
|
878
933
|
|
|
879
934
|
// src/version.ts
|
|
880
935
|
import { Oauth2ErrorCodes as Oauth2ErrorCodes5, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6 } from "@openid4vc/oauth2";
|
|
@@ -979,6 +1034,8 @@ var zJarRequestObjectPayload = z11.object({
|
|
|
979
1034
|
}).passthrough();
|
|
980
1035
|
|
|
981
1036
|
// src/jar/handle-jar-request/verify-jar-request.ts
|
|
1037
|
+
var zSignedAuthorizationRequestJwtHeaderTyp = z12.literal("oauth-authz-req+jwt");
|
|
1038
|
+
var signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
|
|
982
1039
|
async function verifyJarRequest(options) {
|
|
983
1040
|
const { callbacks, wallet = {} } = options;
|
|
984
1041
|
const jarRequestParams = validateJarRequestParams(options);
|
|
@@ -1058,7 +1115,41 @@ async function decryptJarRequest(options) {
|
|
|
1058
1115
|
async function verifyJarRequestObject(options) {
|
|
1059
1116
|
const { decryptedRequestObject, callbacks } = options;
|
|
1060
1117
|
const jwt = decodeJwt3({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload });
|
|
1061
|
-
|
|
1118
|
+
let jwtSigner;
|
|
1119
|
+
const { clientIdScheme } = getOpenid4vpClientId({
|
|
1120
|
+
responseMode: jwt.payload.response_mode,
|
|
1121
|
+
clientId: jwt.payload.client_id,
|
|
1122
|
+
legacyClientIdScheme: jwt.payload.client_id_scheme
|
|
1123
|
+
});
|
|
1124
|
+
const clientIdToSignerMethod = {
|
|
1125
|
+
did: ["did"],
|
|
1126
|
+
"pre-registered": ["custom", "did", "jwk"],
|
|
1127
|
+
"web-origin": [],
|
|
1128
|
+
// no signing allowed
|
|
1129
|
+
redirect_uri: [],
|
|
1130
|
+
// no signing allowed
|
|
1131
|
+
// Not 100% sure which one are allowed?
|
|
1132
|
+
verifier_attestation: ["did", "federation", "jwk", "x5c", "custom"],
|
|
1133
|
+
x509_san_dns: ["x5c"],
|
|
1134
|
+
x509_san_uri: ["x5c"],
|
|
1135
|
+
// Handled separately
|
|
1136
|
+
https: []
|
|
1137
|
+
};
|
|
1138
|
+
if (clientIdScheme === "https") {
|
|
1139
|
+
if (!jwt.header.kid) {
|
|
1140
|
+
throw new Oauth2Error5(
|
|
1141
|
+
`When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`
|
|
1142
|
+
);
|
|
1143
|
+
}
|
|
1144
|
+
jwtSigner = {
|
|
1145
|
+
method: "federation",
|
|
1146
|
+
alg: jwt.header.alg,
|
|
1147
|
+
trustChain: jwt.payload.trust_chain,
|
|
1148
|
+
kid: jwt.header.kid
|
|
1149
|
+
};
|
|
1150
|
+
} else {
|
|
1151
|
+
jwtSigner = jwtSignerFromJwt2({ ...jwt, allowedSignerMethods: clientIdToSignerMethod[clientIdScheme] });
|
|
1152
|
+
}
|
|
1062
1153
|
const { signer } = await verifyJwt({
|
|
1063
1154
|
verifyJwtCallback: callbacks.verifyJwt,
|
|
1064
1155
|
compact: decryptedRequestObject,
|
|
@@ -1085,13 +1176,13 @@ import { Oauth2ErrorCodes as Oauth2ErrorCodes8, Oauth2ServerErrorResponseError a
|
|
|
1085
1176
|
import { decodeBase64, encodeToUtf8String, parseIfJson } from "@openid4vc/utils";
|
|
1086
1177
|
|
|
1087
1178
|
// src/transaction-data/z-transaction-data.ts
|
|
1088
|
-
import { z as
|
|
1089
|
-
var zTransactionEntry =
|
|
1090
|
-
type:
|
|
1091
|
-
credential_ids:
|
|
1092
|
-
transaction_data_hashes_alg:
|
|
1179
|
+
import { z as z13 } from "zod";
|
|
1180
|
+
var zTransactionEntry = z13.object({
|
|
1181
|
+
type: z13.string(),
|
|
1182
|
+
credential_ids: z13.array(z13.string()).nonempty(),
|
|
1183
|
+
transaction_data_hashes_alg: z13.array(z13.string()).optional()
|
|
1093
1184
|
}).passthrough();
|
|
1094
|
-
var zTransactionData =
|
|
1185
|
+
var zTransactionData = z13.array(zTransactionEntry);
|
|
1095
1186
|
|
|
1096
1187
|
// src/transaction-data/parse-transaction-data.ts
|
|
1097
1188
|
function parseTransactionData(options) {
|
|
@@ -1116,7 +1207,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
|
|
|
1116
1207
|
const { wallet, callbacks, origin, disableOriginValidation } = options;
|
|
1117
1208
|
let authorizationRequestPayload;
|
|
1118
1209
|
const parsed = parseWithErrorHandling4(
|
|
1119
|
-
|
|
1210
|
+
z14.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),
|
|
1120
1211
|
options.authorizationRequestPayload,
|
|
1121
1212
|
"Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request."
|
|
1122
1213
|
);
|
|
@@ -1124,7 +1215,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
|
|
|
1124
1215
|
if (isJarAuthorizationRequest(parsed)) {
|
|
1125
1216
|
jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet });
|
|
1126
1217
|
const parsedJarAuthorizationRequestPayload = parseWithErrorHandling4(
|
|
1127
|
-
|
|
1218
|
+
z14.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
|
|
1128
1219
|
jar.authorizationRequestPayload,
|
|
1129
1220
|
"Invalid authorization request. Could not parse jar request payload as openid4vp auth request."
|
|
1130
1221
|
);
|
|
@@ -1148,7 +1239,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
|
|
|
1148
1239
|
if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) {
|
|
1149
1240
|
clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
|
|
1150
1241
|
}
|
|
1151
|
-
const clientMeta =
|
|
1242
|
+
const clientMeta = validateOpenid4vpClientId({
|
|
1152
1243
|
authorizationRequestPayload: {
|
|
1153
1244
|
...authorizationRequestPayload,
|
|
1154
1245
|
client_metadata: clientMetadata
|
|
@@ -1204,7 +1295,7 @@ function validateOpenId4vpAuthorizationRequestPayload(options) {
|
|
|
1204
1295
|
|
|
1205
1296
|
// src/authorization-response/create-authorization-response.ts
|
|
1206
1297
|
import {
|
|
1207
|
-
Oauth2Error as
|
|
1298
|
+
Oauth2Error as Oauth2Error8,
|
|
1208
1299
|
Oauth2ErrorCodes as Oauth2ErrorCodes10,
|
|
1209
1300
|
Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError11,
|
|
1210
1301
|
fetchJwks
|
|
@@ -1218,7 +1309,7 @@ function addSecondsToDate2(date, seconds) {
|
|
|
1218
1309
|
|
|
1219
1310
|
// src/jarm/jarm-authorization-response-create.ts
|
|
1220
1311
|
import {
|
|
1221
|
-
Oauth2Error as
|
|
1312
|
+
Oauth2Error as Oauth2Error6,
|
|
1222
1313
|
jwtHeaderFromJwtSigner as jwtHeaderFromJwtSigner2
|
|
1223
1314
|
} from "@openid4vc/oauth2";
|
|
1224
1315
|
async function createJarmAuthorizationResponse(options) {
|
|
@@ -1235,7 +1326,7 @@ async function createJarmAuthorizationResponse(options) {
|
|
|
1235
1326
|
return { jarmAuthorizationResponseJwt: signed2.jwt };
|
|
1236
1327
|
}
|
|
1237
1328
|
if (!jwtSigner || !jweEncryptor) {
|
|
1238
|
-
throw new
|
|
1329
|
+
throw new Oauth2Error6("JWT signer and/or encryptor are required to create a JARM auth response.");
|
|
1239
1330
|
}
|
|
1240
1331
|
const signed = await callbacks.signJwt(jwtSigner, {
|
|
1241
1332
|
header: jwtHeaderFromJwtSigner2(jwtSigner),
|
|
@@ -1246,7 +1337,7 @@ async function createJarmAuthorizationResponse(options) {
|
|
|
1246
1337
|
}
|
|
1247
1338
|
|
|
1248
1339
|
// src/jarm/jarm-response-mode.ts
|
|
1249
|
-
import { z as
|
|
1340
|
+
import { z as z15 } from "zod";
|
|
1250
1341
|
var jarmResponseMode = [
|
|
1251
1342
|
"jwt",
|
|
1252
1343
|
"query.jwt",
|
|
@@ -1255,18 +1346,18 @@ var jarmResponseMode = [
|
|
|
1255
1346
|
"direct_post.jwt",
|
|
1256
1347
|
"dc_api.jwt"
|
|
1257
1348
|
];
|
|
1258
|
-
var zJarmResponseMode =
|
|
1349
|
+
var zJarmResponseMode = z15.enum(jarmResponseMode);
|
|
1259
1350
|
var isJarmResponseMode = (responseMode) => {
|
|
1260
1351
|
return jarmResponseMode.includes(responseMode);
|
|
1261
1352
|
};
|
|
1262
1353
|
|
|
1263
1354
|
// src/jarm/metadata/jarm-assert-metadata-supported.ts
|
|
1264
|
-
import { Oauth2Error as
|
|
1355
|
+
import { Oauth2Error as Oauth2Error7 } from "@openid4vc/oauth2";
|
|
1265
1356
|
function assertValueSupported(options) {
|
|
1266
1357
|
const { errorMessage, supported, actual } = options;
|
|
1267
1358
|
const intersection = supported.find((value) => value === actual);
|
|
1268
1359
|
if (!intersection) {
|
|
1269
|
-
throw new
|
|
1360
|
+
throw new Oauth2Error7(errorMessage);
|
|
1270
1361
|
}
|
|
1271
1362
|
return intersection;
|
|
1272
1363
|
}
|
|
@@ -1307,7 +1398,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
|
|
|
1307
1398
|
state: authorizationRequestPayload.state
|
|
1308
1399
|
};
|
|
1309
1400
|
if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode) && !jarm) {
|
|
1310
|
-
throw new
|
|
1401
|
+
throw new Oauth2Error8(
|
|
1311
1402
|
`Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`
|
|
1312
1403
|
);
|
|
1313
1404
|
}
|
|
@@ -1317,7 +1408,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
|
|
|
1317
1408
|
};
|
|
1318
1409
|
}
|
|
1319
1410
|
if (!authorizationRequestPayload.client_metadata) {
|
|
1320
|
-
throw new
|
|
1411
|
+
throw new Oauth2Error8("Missing client metadata in the request params to assert Jarm metadata support.");
|
|
1321
1412
|
}
|
|
1322
1413
|
let jwks;
|
|
1323
1414
|
if (authorizationRequestPayload.client_metadata.jwks) {
|
|
@@ -1392,18 +1483,18 @@ async function createOpenid4vpAuthorizationResponse(options) {
|
|
|
1392
1483
|
}
|
|
1393
1484
|
|
|
1394
1485
|
// src/authorization-response/submit-authorization-response.ts
|
|
1395
|
-
import { Oauth2Error as
|
|
1486
|
+
import { Oauth2Error as Oauth2Error10 } from "@openid4vc/oauth2";
|
|
1396
1487
|
import { ContentType as ContentType4, createFetcher as createFetcher3 } from "@openid4vc/utils";
|
|
1397
1488
|
import { objectToQueryParams as objectToQueryParams3 } from "@openid4vc/utils";
|
|
1398
1489
|
|
|
1399
1490
|
// src/jarm/jarm-authorizatino-response-send.ts
|
|
1400
|
-
import { Oauth2Error as
|
|
1491
|
+
import { Oauth2Error as Oauth2Error9 } from "@openid4vc/oauth2";
|
|
1401
1492
|
import { ContentType as ContentType3, URL as URL4, createFetcher as createFetcher2 } from "@openid4vc/utils";
|
|
1402
1493
|
var jarmAuthorizationResponseSend = (options) => {
|
|
1403
1494
|
const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options;
|
|
1404
1495
|
const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
|
|
1405
1496
|
if (!responseEndpoint) {
|
|
1406
|
-
throw new
|
|
1497
|
+
throw new Oauth2Error9(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`);
|
|
1407
1498
|
}
|
|
1408
1499
|
const responseEndpointUrl = new URL4(responseEndpoint);
|
|
1409
1500
|
return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks);
|
|
@@ -1432,7 +1523,7 @@ async function submitOpenid4vpAuthorizationResponse(options) {
|
|
|
1432
1523
|
});
|
|
1433
1524
|
}
|
|
1434
1525
|
if (!url) {
|
|
1435
|
-
throw new
|
|
1526
|
+
throw new Oauth2Error10(
|
|
1436
1527
|
"Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided."
|
|
1437
1528
|
);
|
|
1438
1529
|
}
|
|
@@ -1452,23 +1543,23 @@ async function submitOpenid4vpAuthorizationResponse(options) {
|
|
|
1452
1543
|
}
|
|
1453
1544
|
|
|
1454
1545
|
// src/authorization-response/validate-authorization-response.ts
|
|
1455
|
-
import { Oauth2Error as
|
|
1546
|
+
import { Oauth2Error as Oauth2Error11 } from "@openid4vc/oauth2";
|
|
1456
1547
|
|
|
1457
1548
|
// src/vp-token/parse-vp-token.ts
|
|
1458
1549
|
import { parseIfJson as parseIfJson2, parseWithErrorHandling as parseWithErrorHandling5 } from "@openid4vc/utils";
|
|
1459
1550
|
|
|
1460
1551
|
// src/vp-token/z-vp-token.ts
|
|
1461
|
-
import { z as
|
|
1462
|
-
var zVpTokenPexEntry =
|
|
1552
|
+
import { z as z16 } from "zod";
|
|
1553
|
+
var zVpTokenPexEntry = z16.union([z16.string(), z16.record(z16.any())], {
|
|
1463
1554
|
message: "pex vp_token entry must be a string or object"
|
|
1464
1555
|
});
|
|
1465
|
-
var zVpTokenPex =
|
|
1466
|
-
[zVpTokenPexEntry,
|
|
1556
|
+
var zVpTokenPex = z16.union(
|
|
1557
|
+
[zVpTokenPexEntry, z16.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
|
|
1467
1558
|
{
|
|
1468
1559
|
message: "pex vp_token must be a string, object or array of strings and objects"
|
|
1469
1560
|
}
|
|
1470
1561
|
);
|
|
1471
|
-
var zVpTokenDcql =
|
|
1562
|
+
var zVpTokenDcql = z16.record(z16.union([z16.string(), z16.record(z16.any())]), {
|
|
1472
1563
|
message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation"
|
|
1473
1564
|
});
|
|
1474
1565
|
var zVpToken = zVpTokenDcql.or(zVpTokenPex);
|
|
@@ -1494,14 +1585,14 @@ function parseDcqlVpToken(vpToken) {
|
|
|
1494
1585
|
function validateOpenid4vpAuthorizationResponsePayload(options) {
|
|
1495
1586
|
const { authorizationRequestPayload, authorizationResponsePayload } = options;
|
|
1496
1587
|
if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) {
|
|
1497
|
-
throw new
|
|
1588
|
+
throw new Oauth2Error11("OpenId4Vp Authorization Response state mismatch.");
|
|
1498
1589
|
}
|
|
1499
1590
|
if (authorizationResponsePayload.id_token) {
|
|
1500
|
-
throw new
|
|
1591
|
+
throw new Oauth2Error11("OpenId4Vp Authorization Response id_token is not supported.");
|
|
1501
1592
|
}
|
|
1502
1593
|
if (authorizationResponsePayload.presentation_submission) {
|
|
1503
1594
|
if (!authorizationRequestPayload.presentation_definition) {
|
|
1504
|
-
throw new
|
|
1595
|
+
throw new Oauth2Error11("OpenId4Vp Authorization Request is missing the required presentation_definition.");
|
|
1505
1596
|
}
|
|
1506
1597
|
return {
|
|
1507
1598
|
type: "pex",
|
|
@@ -1529,7 +1620,7 @@ function validateOpenid4vpAuthorizationResponsePayload(options) {
|
|
|
1529
1620
|
}
|
|
1530
1621
|
};
|
|
1531
1622
|
}
|
|
1532
|
-
throw new
|
|
1623
|
+
throw new Oauth2Error11(
|
|
1533
1624
|
"Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query."
|
|
1534
1625
|
);
|
|
1535
1626
|
}
|
|
@@ -1542,23 +1633,23 @@ import { parseWithErrorHandling as parseWithErrorHandling6 } from "@openid4vc/ut
|
|
|
1542
1633
|
|
|
1543
1634
|
// src/authorization-response/z-authorization-response.ts
|
|
1544
1635
|
import { zStringToJson as zStringToJson2 } from "@openid4vc/utils";
|
|
1545
|
-
import { z as
|
|
1636
|
+
import { z as z18 } from "zod";
|
|
1546
1637
|
|
|
1547
1638
|
// src/models/z-pex.ts
|
|
1548
|
-
import { z as
|
|
1549
|
-
var zPexPresentationDefinition =
|
|
1550
|
-
var zPexPresentationSubmission =
|
|
1639
|
+
import { z as z17 } from "zod";
|
|
1640
|
+
var zPexPresentationDefinition = z17.record(z17.any());
|
|
1641
|
+
var zPexPresentationSubmission = z17.record(z17.any());
|
|
1551
1642
|
|
|
1552
1643
|
// src/authorization-response/z-authorization-response.ts
|
|
1553
|
-
var zOpenid4vpAuthorizationResponse =
|
|
1554
|
-
state:
|
|
1555
|
-
id_token:
|
|
1644
|
+
var zOpenid4vpAuthorizationResponse = z18.object({
|
|
1645
|
+
state: z18.string().optional(),
|
|
1646
|
+
id_token: z18.string().optional(),
|
|
1556
1647
|
vp_token: zVpToken,
|
|
1557
1648
|
presentation_submission: zPexPresentationSubmission.or(zStringToJson2).optional(),
|
|
1558
|
-
refresh_token:
|
|
1559
|
-
token_type:
|
|
1560
|
-
access_token:
|
|
1561
|
-
expires_in:
|
|
1649
|
+
refresh_token: z18.string().optional(),
|
|
1650
|
+
token_type: z18.string().optional(),
|
|
1651
|
+
access_token: z18.string().optional(),
|
|
1652
|
+
expires_in: z18.number().optional()
|
|
1562
1653
|
}).passthrough();
|
|
1563
1654
|
|
|
1564
1655
|
// src/authorization-response/parse-authorization-response-payload.ts
|
|
@@ -1571,13 +1662,13 @@ function parseOpenid4VpAuthorizationResponsePayload(payload) {
|
|
|
1571
1662
|
}
|
|
1572
1663
|
|
|
1573
1664
|
// src/authorization-response/parse-jarm-authorization-response.ts
|
|
1574
|
-
import { Oauth2Error as
|
|
1665
|
+
import { Oauth2Error as Oauth2Error12, decodeJwtHeader, zCompactJwe as zCompactJwe3, zCompactJwt as zCompactJwt3 } from "@openid4vc/oauth2";
|
|
1575
1666
|
import { parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
|
|
1576
|
-
import
|
|
1667
|
+
import z19 from "zod";
|
|
1577
1668
|
async function parseJarmAuthorizationResponse(options) {
|
|
1578
1669
|
const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
|
|
1579
1670
|
const jarmAuthorizationResponseJwt = parseWithErrorHandling7(
|
|
1580
|
-
|
|
1671
|
+
z19.union([zCompactJwt3, zCompactJwe3]),
|
|
1581
1672
|
jarmResponseJwt,
|
|
1582
1673
|
"Invalid jarm authorization response jwt."
|
|
1583
1674
|
);
|
|
@@ -1599,7 +1690,7 @@ async function parseJarmAuthorizationResponse(options) {
|
|
|
1599
1690
|
authorizationResponsePayload
|
|
1600
1691
|
});
|
|
1601
1692
|
if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {
|
|
1602
|
-
throw new
|
|
1693
|
+
throw new Oauth2Error12(
|
|
1603
1694
|
`Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? "fragment"}'`
|
|
1604
1695
|
);
|
|
1605
1696
|
}
|
|
@@ -1616,7 +1707,9 @@ async function parseOpenid4vpAuthorizationResponse(options) {
|
|
|
1616
1707
|
const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
|
|
1617
1708
|
const expectedClientId = getOpenid4vpClientId({
|
|
1618
1709
|
origin,
|
|
1619
|
-
authorizationRequestPayload
|
|
1710
|
+
responseMode: authorizationRequestPayload.response_mode,
|
|
1711
|
+
clientId: authorizationRequestPayload.client_id,
|
|
1712
|
+
legacyClientIdScheme: authorizationRequestPayload.client_id_scheme
|
|
1620
1713
|
});
|
|
1621
1714
|
if (authorizationResponse.response) {
|
|
1622
1715
|
return parseJarmAuthorizationResponse({
|
|
@@ -1775,22 +1868,22 @@ var Openid4vpVerifier = class {
|
|
|
1775
1868
|
};
|
|
1776
1869
|
|
|
1777
1870
|
// src/models/z-credential-formats.ts
|
|
1778
|
-
import { z as
|
|
1779
|
-
var zCredentialFormat =
|
|
1871
|
+
import { z as z20 } from "zod";
|
|
1872
|
+
var zCredentialFormat = z20.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
|
|
1780
1873
|
|
|
1781
1874
|
// src/models/z-proof-formats.ts
|
|
1782
|
-
import { z as
|
|
1783
|
-
var zProofFormat =
|
|
1875
|
+
import { z as z21 } from "zod";
|
|
1876
|
+
var zProofFormat = z21.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
|
|
1784
1877
|
|
|
1785
1878
|
// src/models/z-wallet-metadata.ts
|
|
1786
|
-
import { z as
|
|
1787
|
-
var zWalletMetadata =
|
|
1788
|
-
presentation_definition_uri_supported:
|
|
1879
|
+
import { z as z22 } from "zod";
|
|
1880
|
+
var zWalletMetadata = z22.object({
|
|
1881
|
+
presentation_definition_uri_supported: z22.optional(z22.boolean()),
|
|
1789
1882
|
vp_formats_supported: zVpFormatsSupported,
|
|
1790
|
-
client_id_schemes_supported:
|
|
1791
|
-
request_object_signing_alg_values_supported:
|
|
1792
|
-
authorization_encryption_alg_values_supported:
|
|
1793
|
-
authorization_encryption_enc_values_supported:
|
|
1883
|
+
client_id_schemes_supported: z22.optional(z22.array(zClientIdScheme)),
|
|
1884
|
+
request_object_signing_alg_values_supported: z22.optional(z22.array(z22.string())),
|
|
1885
|
+
authorization_encryption_alg_values_supported: z22.optional(z22.array(z22.string())),
|
|
1886
|
+
authorization_encryption_enc_values_supported: z22.optional(z22.array(z22.string()))
|
|
1794
1887
|
});
|
|
1795
1888
|
export {
|
|
1796
1889
|
JarmMode,
|