npm - @openid4vc/openid4vp - Versions diffs - 0.3.0-alpha-20250401105222 → 0.3.0-alpha-20250404180231 - Mend

@openid4vc/openid4vp 0.3.0-alpha-20250401105222 → 0.3.0-alpha-20250404180231

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -15926,6 +15926,15 @@ type Openid4vpAuthorizationResponse = z.infer<typeof zOpenid4vpAuthorizationResp
 interface CreateOpenid4vpAuthorizationResponseOptions {
     authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi;
+    /**
+     * Optional client metadata to use for sending the authorization response. In case of e.g. OpenID Federation
+     * the client metadata needs to be resolved and verified externally.
+     */
+    clientMetadata?: ClientMetadata;
+    /**
+     * The origin of the reuqest, required when creating a response for the Digital Credentials API.
+     */
+    origin?: string;
     authorizationResponsePayload: Openid4vpAuthorizationResponse & {
         state?: never;
     };

package/dist/index.d.ts CHANGED Viewed

@@ -15926,6 +15926,15 @@ type Openid4vpAuthorizationResponse = z.infer<typeof zOpenid4vpAuthorizationResp
 interface CreateOpenid4vpAuthorizationResponseOptions {
     authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi;
+    /**
+     * Optional client metadata to use for sending the authorization response. In case of e.g. OpenID Federation
+     * the client metadata needs to be resolved and verified externally.
+     */
+    clientMetadata?: ClientMetadata;
+    /**
+     * The origin of the reuqest, required when creating a response for the Digital Credentials API.
+     */
+    origin?: string;
     authorizationResponsePayload: Openid4vpAuthorizationResponse & {
         state?: never;
     };

package/dist/index.js CHANGED Viewed

@@ -983,15 +983,12 @@ function parseAuthorizationRequestVersion(request) {
     requirements.push(["<", 23]);
     requirements.push([">=", 21]);
   }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt") {
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
     requirements.push([">=", 23]);
   }
   if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
     requirements.push([">=", 23]);
   }
-  if (request.dcql_query) {
-    requirements.push([">=", 22]);
-  }
   if (request.transaction_data) {
     requirements.push([">=", 22]);
   }
@@ -1428,11 +1425,17 @@ function jarmAssertMetadataSupported(options) {
 // src/authorization-response/create-authorization-response.ts
 async function createOpenid4vpAuthorizationResponse(options) {
-  const { authorizationRequestPayload, jarm, callbacks } = options;
+  const { authorizationRequestPayload, jarm, callbacks, origin } = options;
   const authorizationResponsePayload = {
     ...options.authorizationResponsePayload,
     state: authorizationRequestPayload.state
   };
+  const { clientIdScheme } = getOpenid4vpClientId({
+    responseMode: authorizationRequestPayload.response_mode,
+    clientId: authorizationRequestPayload.client_id,
+    legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
+    origin
+  });
   if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode) && !jarm) {
     throw new import_oauth222.Oauth2Error(
       `Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`
@@ -1443,14 +1446,20 @@ async function createOpenid4vpAuthorizationResponse(options) {
       authorizationResponsePayload
     };
   }
-  if (!authorizationRequestPayload.client_metadata) {
+  if (clientIdScheme === "https" && !options.clientMetadata) {
+    throw new import_oauth222.Oauth2Error(
+      "When OpenID Federation is used as the client id scheme (https), passing externally fetched and verified 'clientMetadata' to the 'createOpenid4vpAuthorizationResponse' is required."
+    );
+  }
+  const clientMetadata = options.clientMetadata ?? authorizationRequestPayload.client_metadata;
+  if (!clientMetadata) {
     throw new import_oauth222.Oauth2Error("Missing client metadata in the request params to assert Jarm metadata support.");
   }
   let jwks;
-  if (authorizationRequestPayload.client_metadata.jwks) {
-    jwks = authorizationRequestPayload.client_metadata.jwks;
-  } else if (authorizationRequestPayload.client_metadata.jwks_uri) {
-    jwks = await (0, import_oauth222.fetchJwks)(authorizationRequestPayload.client_metadata.jwks_uri, options.callbacks.fetch);
+  if (clientMetadata.jwks) {
+    jwks = clientMetadata.jwks;
+  } else if (clientMetadata.jwks_uri) {
+    jwks = await (0, import_oauth222.fetchJwks)(clientMetadata.jwks_uri, options.callbacks.fetch);
   } else {
     throw new import_oauth222.Oauth2ServerErrorResponseError({
       error: import_oauth222.Oauth2ErrorCodes.InvalidRequest,
@@ -1458,11 +1467,11 @@ async function createOpenid4vpAuthorizationResponse(options) {
     });
   }
   const supportedJarmMetadata = jarmAssertMetadataSupported({
-    clientMetadata: authorizationRequestPayload.client_metadata,
+    clientMetadata,
     serverMetadata: jarm.serverMetadata
   });
   const clientMetaJwks = extractJwksFromClientMetadata({
-    ...authorizationRequestPayload.client_metadata,
+    ...clientMetadata,
     jwks
   });
   if (!clientMetaJwks?.encJwk) {