@openid4vc/openid4vp 0.3.0-alpha-20250711120307 → 0.3.0-alpha-20250713102850
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +46 -8
- package/dist/index.d.ts +46 -8
- package/dist/index.js +225 -211
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +160 -147
- package/dist/index.mjs.map +1 -1
- package/package.json +3 -3
package/dist/index.js
CHANGED
|
@@ -38,6 +38,7 @@ __export(index_exports, {
|
|
|
38
38
|
getOpenid4vpClientId: () => getOpenid4vpClientId,
|
|
39
39
|
isJarmResponseMode: () => isJarmResponseMode,
|
|
40
40
|
isOpenid4vpAuthorizationRequestDcApi: () => isOpenid4vpAuthorizationRequestDcApi,
|
|
41
|
+
parseAuthorizationRequestVersion: () => parseAuthorizationRequestVersion,
|
|
41
42
|
parseDcqlVpToken: () => parseDcqlVpToken,
|
|
42
43
|
parseJarmAuthorizationResponse: () => parseJarmAuthorizationResponse,
|
|
43
44
|
parseOpenid4VpAuthorizationResponsePayload: () => parseOpenid4VpAuthorizationResponsePayload,
|
|
@@ -658,6 +659,7 @@ async function validateOpenid4vpClientId(options, parserConfig) {
|
|
|
658
659
|
|
|
659
660
|
// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
|
|
660
661
|
var import_oauth27 = require("@openid4vc/oauth2");
|
|
662
|
+
var import_utils7 = require("@openid4vc/utils");
|
|
661
663
|
var import_zod9 = __toESM(require("zod"));
|
|
662
664
|
|
|
663
665
|
// src/jarm/jarm-extract-jwks.ts
|
|
@@ -739,7 +741,10 @@ var decryptJarmAuthorizationResponseJwt = async (options) => {
|
|
|
739
741
|
if (!result.decrypted) {
|
|
740
742
|
throw new import_oauth27.Oauth2Error("Failed to decrypt jarm auth response.");
|
|
741
743
|
}
|
|
742
|
-
return
|
|
744
|
+
return {
|
|
745
|
+
decryptionJwk: result.decryptionJwk,
|
|
746
|
+
payload: result.payload
|
|
747
|
+
};
|
|
743
748
|
};
|
|
744
749
|
async function verifyJarmAuthorizationResponse(options) {
|
|
745
750
|
const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
|
|
@@ -748,21 +753,21 @@ async function verifyJarmAuthorizationResponse(options) {
|
|
|
748
753
|
jarmAuthorizationResponseJwt,
|
|
749
754
|
callbacks,
|
|
750
755
|
authorizationRequestPayload
|
|
751
|
-
}) : jarmAuthorizationResponseJwt;
|
|
752
|
-
const responseIsSigned = import_oauth27.zCompactJwt.safeParse(decryptedRequestData).success;
|
|
756
|
+
}) : { payload: jarmAuthorizationResponseJwt, decryptionJwk: void 0 };
|
|
757
|
+
const responseIsSigned = import_oauth27.zCompactJwt.safeParse(decryptedRequestData.payload).success;
|
|
753
758
|
if (!requestDataIsEncrypted && !responseIsSigned) {
|
|
754
759
|
throw new import_oauth27.Oauth2Error("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
|
|
755
760
|
}
|
|
756
761
|
let jarmAuthorizationResponse;
|
|
757
762
|
if (responseIsSigned) {
|
|
758
763
|
const { header: jwsProtectedHeader, payload: jwsPayload } = (0, import_oauth27.decodeJwt)({
|
|
759
|
-
jwt: decryptedRequestData,
|
|
764
|
+
jwt: decryptedRequestData.payload,
|
|
760
765
|
headerSchema: import_zod9.default.object({ ...import_oauth27.zJwtHeader.shape, kid: import_zod9.default.string() })
|
|
761
766
|
});
|
|
762
767
|
const response = zJarmAuthorizationResponse.parse(jwsPayload);
|
|
763
768
|
const jwtSigner = (0, import_oauth27.jwtSignerFromJwt)({ header: jwsProtectedHeader, payload: jwsPayload });
|
|
764
769
|
const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {
|
|
765
|
-
compact: decryptedRequestData,
|
|
770
|
+
compact: decryptedRequestData.payload,
|
|
766
771
|
header: jwsProtectedHeader,
|
|
767
772
|
payload: jwsPayload
|
|
768
773
|
});
|
|
@@ -771,7 +776,10 @@ async function verifyJarmAuthorizationResponse(options) {
|
|
|
771
776
|
}
|
|
772
777
|
jarmAuthorizationResponse = response;
|
|
773
778
|
} else {
|
|
774
|
-
const jsonRequestData =
|
|
779
|
+
const jsonRequestData = (0, import_utils7.stringToJsonWithErrorHandling)(
|
|
780
|
+
decryptedRequestData.payload,
|
|
781
|
+
"Unable to parse decrypted JARM JWE body to JSON"
|
|
782
|
+
);
|
|
775
783
|
jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
|
|
776
784
|
}
|
|
777
785
|
jarmAuthorizationResponseValidate({
|
|
@@ -780,26 +788,135 @@ async function verifyJarmAuthorizationResponse(options) {
|
|
|
780
788
|
});
|
|
781
789
|
const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
|
|
782
790
|
const issuer = jarmAuthorizationResponse.iss;
|
|
783
|
-
return {
|
|
791
|
+
return {
|
|
792
|
+
jarmAuthorizationResponse,
|
|
793
|
+
type,
|
|
794
|
+
issuer,
|
|
795
|
+
decryptionJwk: decryptedRequestData.decryptionJwk
|
|
796
|
+
};
|
|
797
|
+
}
|
|
798
|
+
|
|
799
|
+
// src/version.ts
|
|
800
|
+
var import_oauth28 = require("@openid4vc/oauth2");
|
|
801
|
+
function parseAuthorizationRequestVersion(request) {
|
|
802
|
+
const requirements = [];
|
|
803
|
+
if (request.verifier_info) {
|
|
804
|
+
requirements.push([">=", 100]);
|
|
805
|
+
}
|
|
806
|
+
if (request.verifier_attestations) {
|
|
807
|
+
requirements.push(["<", 100]);
|
|
808
|
+
}
|
|
809
|
+
if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) {
|
|
810
|
+
requirements.push([">=", 28]);
|
|
811
|
+
}
|
|
812
|
+
if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
|
|
813
|
+
requirements.push(["<", 28]);
|
|
814
|
+
}
|
|
815
|
+
if (request.client_metadata?.vp_formats) {
|
|
816
|
+
requirements.push([">=", 27]);
|
|
817
|
+
}
|
|
818
|
+
if (request.client_metadata?.vp_formats_supported) {
|
|
819
|
+
requirements.push(["<", 27]);
|
|
820
|
+
}
|
|
821
|
+
if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
|
|
822
|
+
requirements.push([">=", 26]);
|
|
823
|
+
}
|
|
824
|
+
if (request.client_id?.startsWith("did:")) {
|
|
825
|
+
requirements.push(["<", 26]);
|
|
826
|
+
}
|
|
827
|
+
if (request.presentation_definition || request.presentation_definition_uri) {
|
|
828
|
+
requirements.push([">=", 26]);
|
|
829
|
+
}
|
|
830
|
+
if (request.verifier_attestations) {
|
|
831
|
+
requirements.push([">=", 26]);
|
|
832
|
+
}
|
|
833
|
+
if (request.client_id?.startsWith("x509_san_uri:")) {
|
|
834
|
+
requirements.push(["<", 25]);
|
|
835
|
+
}
|
|
836
|
+
if (request.client_id?.startsWith("x509_hash:")) {
|
|
837
|
+
requirements.push([">=", 25]);
|
|
838
|
+
}
|
|
839
|
+
if (request.client_id?.startsWith("web-origin:")) {
|
|
840
|
+
requirements.push(["<", 25]);
|
|
841
|
+
}
|
|
842
|
+
if (request.client_id?.startsWith("origin:")) {
|
|
843
|
+
requirements.push([">=", 25]);
|
|
844
|
+
}
|
|
845
|
+
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
|
|
846
|
+
requirements.push(["<", 23]);
|
|
847
|
+
requirements.push([">=", 21]);
|
|
848
|
+
}
|
|
849
|
+
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
|
|
850
|
+
requirements.push([">=", 23]);
|
|
851
|
+
}
|
|
852
|
+
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
|
|
853
|
+
requirements.push([">=", 23]);
|
|
854
|
+
}
|
|
855
|
+
if (request.transaction_data) {
|
|
856
|
+
requirements.push([">=", 22]);
|
|
857
|
+
}
|
|
858
|
+
if (request.client_id_scheme) {
|
|
859
|
+
requirements.push(["<", 22]);
|
|
860
|
+
}
|
|
861
|
+
if (request.client_id) {
|
|
862
|
+
const colonIndex = request.client_id.indexOf(":");
|
|
863
|
+
const schemePart = request.client_id.substring(0, colonIndex);
|
|
864
|
+
const parsedScheme = zClientIdPrefix.safeParse(schemePart);
|
|
865
|
+
if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
|
|
866
|
+
requirements.push([">=", 22]);
|
|
867
|
+
}
|
|
868
|
+
}
|
|
869
|
+
if (!request.client_id) {
|
|
870
|
+
requirements.push([">=", 21]);
|
|
871
|
+
}
|
|
872
|
+
if (request.dcql_query) {
|
|
873
|
+
requirements.push([">=", 21]);
|
|
874
|
+
}
|
|
875
|
+
if (request.client_metadata_uri) {
|
|
876
|
+
requirements.push(["<", 21]);
|
|
877
|
+
}
|
|
878
|
+
if (isOpenid4vpAuthorizationRequestDcApi(request)) {
|
|
879
|
+
requirements.push([">=", 21]);
|
|
880
|
+
}
|
|
881
|
+
if (request.request_uri_method || request.wallet_nonce) {
|
|
882
|
+
requirements.push([">=", 21]);
|
|
883
|
+
}
|
|
884
|
+
if (request.client_id_scheme === "verifier_attestation") {
|
|
885
|
+
requirements.push([">=", 20]);
|
|
886
|
+
}
|
|
887
|
+
if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
|
|
888
|
+
requirements.push([">=", 19]);
|
|
889
|
+
}
|
|
890
|
+
const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
|
|
891
|
+
const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
|
|
892
|
+
const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
|
|
893
|
+
const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
|
|
894
|
+
if (lowestRequiredVersion > highestPossibleVersion) {
|
|
895
|
+
throw new import_oauth28.Oauth2ServerErrorResponseError({
|
|
896
|
+
error: import_oauth28.Oauth2ErrorCodes.InvalidRequest,
|
|
897
|
+
error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
|
|
898
|
+
});
|
|
899
|
+
}
|
|
900
|
+
return highestPossibleVersion;
|
|
784
901
|
}
|
|
785
902
|
|
|
786
903
|
// src/authorization-request/create-authorization-request.ts
|
|
787
|
-
var
|
|
788
|
-
var
|
|
904
|
+
var import_oauth212 = require("@openid4vc/oauth2");
|
|
905
|
+
var import_utils10 = require("@openid4vc/utils");
|
|
789
906
|
|
|
790
907
|
// src/jar/create-jar-authorization-request.ts
|
|
791
|
-
var
|
|
792
|
-
var
|
|
908
|
+
var import_oauth29 = require("@openid4vc/oauth2");
|
|
909
|
+
var import_utils8 = require("@openid4vc/utils");
|
|
793
910
|
async function createJarAuthorizationRequest(options) {
|
|
794
911
|
const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
|
|
795
912
|
let authorizationRequestJwt;
|
|
796
913
|
let encryptionJwk;
|
|
797
914
|
const now = options.now ?? /* @__PURE__ */ new Date();
|
|
798
915
|
const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
|
|
799
|
-
header: { ...(0,
|
|
916
|
+
header: { ...(0, import_oauth29.jwtHeaderFromJwtSigner)(jwtSigner), typ: "oauth-authz-req+jwt" },
|
|
800
917
|
payload: {
|
|
801
|
-
iat: (0,
|
|
802
|
-
exp: (0,
|
|
918
|
+
iat: (0, import_utils8.dateToSeconds)(now),
|
|
919
|
+
exp: (0, import_utils8.dateToSeconds)((0, import_utils8.addSecondsToDate)(now, options.expiresInSeconds)),
|
|
803
920
|
...options.additionalJwtPayload,
|
|
804
921
|
...authorizationRequestPayload
|
|
805
922
|
}
|
|
@@ -816,94 +933,94 @@ async function createJarAuthorizationRequest(options) {
|
|
|
816
933
|
}
|
|
817
934
|
|
|
818
935
|
// src/authorization-request/validate-authorization-request.ts
|
|
819
|
-
var
|
|
820
|
-
var
|
|
936
|
+
var import_oauth210 = require("@openid4vc/oauth2");
|
|
937
|
+
var import_utils9 = require("@openid4vc/utils");
|
|
821
938
|
var validateOpenid4vpAuthorizationRequestPayload = (options) => {
|
|
822
939
|
const { params, walletVerificationOptions } = options;
|
|
823
940
|
if (!params.redirect_uri && !params.response_uri) {
|
|
824
|
-
throw new
|
|
825
|
-
error:
|
|
941
|
+
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
942
|
+
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
826
943
|
error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
|
|
827
944
|
});
|
|
828
945
|
}
|
|
829
946
|
if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
|
|
830
|
-
throw new
|
|
831
|
-
error:
|
|
947
|
+
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
948
|
+
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
832
949
|
error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
|
|
833
950
|
});
|
|
834
951
|
}
|
|
835
952
|
if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
|
|
836
953
|
Boolean
|
|
837
954
|
).length > 1) {
|
|
838
|
-
throw new
|
|
839
|
-
error:
|
|
955
|
+
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
956
|
+
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
840
957
|
error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
|
|
841
958
|
});
|
|
842
959
|
}
|
|
843
960
|
if (params.request_uri_method && !params.request_uri) {
|
|
844
|
-
throw new
|
|
845
|
-
error:
|
|
961
|
+
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
962
|
+
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
846
963
|
error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
|
|
847
964
|
});
|
|
848
965
|
}
|
|
849
966
|
if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
|
|
850
|
-
throw new
|
|
851
|
-
error:
|
|
967
|
+
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
968
|
+
error: import_oauth210.Oauth2ErrorCodes.InvalidRequestUriMethod,
|
|
852
969
|
error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
|
|
853
970
|
});
|
|
854
971
|
}
|
|
855
|
-
if (params.trust_chain && !
|
|
856
|
-
throw new
|
|
857
|
-
error:
|
|
972
|
+
if (params.trust_chain && !import_utils9.zHttpsUrl.safeParse(params.client_id).success) {
|
|
973
|
+
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
974
|
+
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
858
975
|
error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
|
|
859
976
|
});
|
|
860
977
|
}
|
|
861
978
|
if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
|
|
862
|
-
throw new
|
|
863
|
-
error:
|
|
979
|
+
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
980
|
+
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
864
981
|
error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
|
|
865
982
|
});
|
|
866
983
|
}
|
|
867
984
|
if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
|
|
868
|
-
throw new
|
|
869
|
-
error:
|
|
985
|
+
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
986
|
+
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
870
987
|
error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
|
|
871
988
|
});
|
|
872
989
|
}
|
|
873
990
|
if (params.client_id.startsWith("web-origin:") || params.client_id.startsWith("origin:")) {
|
|
874
|
-
throw new
|
|
875
|
-
error:
|
|
991
|
+
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
992
|
+
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
876
993
|
error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(":")[0]}' when not using the dc_api response mode. Current: ${params.client_id}`
|
|
877
994
|
});
|
|
878
995
|
}
|
|
879
996
|
};
|
|
880
997
|
|
|
881
998
|
// src/authorization-request/validate-authorization-request-dc-api.ts
|
|
882
|
-
var
|
|
999
|
+
var import_oauth211 = require("@openid4vc/oauth2");
|
|
883
1000
|
var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
|
|
884
1001
|
const { params, isJarRequest, disableOriginValidation, origin } = options;
|
|
885
1002
|
if (isJarRequest && !params.expected_origins) {
|
|
886
|
-
throw new
|
|
887
|
-
error:
|
|
1003
|
+
throw new import_oauth211.Oauth2ServerErrorResponseError({
|
|
1004
|
+
error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
|
|
888
1005
|
error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
|
|
889
1006
|
});
|
|
890
1007
|
}
|
|
891
1008
|
if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
|
|
892
|
-
throw new
|
|
893
|
-
error:
|
|
1009
|
+
throw new import_oauth211.Oauth2ServerErrorResponseError({
|
|
1010
|
+
error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
|
|
894
1011
|
error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
|
|
895
1012
|
});
|
|
896
1013
|
}
|
|
897
1014
|
if (params.expected_origins && !disableOriginValidation) {
|
|
898
1015
|
if (!origin) {
|
|
899
|
-
throw new
|
|
900
|
-
error:
|
|
1016
|
+
throw new import_oauth211.Oauth2ServerErrorResponseError({
|
|
1017
|
+
error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
|
|
901
1018
|
error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
|
|
902
1019
|
});
|
|
903
1020
|
}
|
|
904
1021
|
if (params.expected_origins && !params.expected_origins.includes(origin)) {
|
|
905
|
-
throw new
|
|
906
|
-
error:
|
|
1022
|
+
throw new import_oauth211.Oauth2ServerErrorResponseError({
|
|
1023
|
+
error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
|
|
907
1024
|
error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
|
|
908
1025
|
});
|
|
909
1026
|
}
|
|
@@ -916,13 +1033,13 @@ async function createOpenid4vpAuthorizationRequest(options) {
|
|
|
916
1033
|
let additionalJwtPayload;
|
|
917
1034
|
let authorizationRequestPayload;
|
|
918
1035
|
if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
|
|
919
|
-
authorizationRequestPayload = (0,
|
|
1036
|
+
authorizationRequestPayload = (0, import_utils10.parseWithErrorHandling)(
|
|
920
1037
|
zOpenid4vpAuthorizationRequestDcApi,
|
|
921
1038
|
options.authorizationRequestPayload,
|
|
922
1039
|
"Invalid authorization request. Could not parse openid4vp dc_api authorization request."
|
|
923
1040
|
);
|
|
924
1041
|
if (jar && !authorizationRequestPayload.expected_origins) {
|
|
925
|
-
throw new
|
|
1042
|
+
throw new import_oauth212.Oauth2Error(
|
|
926
1043
|
`The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`
|
|
927
1044
|
);
|
|
928
1045
|
}
|
|
@@ -932,7 +1049,7 @@ async function createOpenid4vpAuthorizationRequest(options) {
|
|
|
932
1049
|
disableOriginValidation: true
|
|
933
1050
|
});
|
|
934
1051
|
} else {
|
|
935
|
-
authorizationRequestPayload = (0,
|
|
1052
|
+
authorizationRequestPayload = (0, import_utils10.parseWithErrorHandling)(
|
|
936
1053
|
zOpenid4vpAuthorizationRequest,
|
|
937
1054
|
options.authorizationRequestPayload,
|
|
938
1055
|
"Invalid authorization request. Could not parse openid4vp authorization request."
|
|
@@ -952,10 +1069,10 @@ async function createOpenid4vpAuthorizationRequest(options) {
|
|
|
952
1069
|
additionalJwtPayload,
|
|
953
1070
|
callbacks
|
|
954
1071
|
});
|
|
955
|
-
const url2 = new
|
|
956
|
-
url2.search = `?${new
|
|
1072
|
+
const url2 = new import_utils10.URL(scheme);
|
|
1073
|
+
url2.search = `?${new import_utils10.URLSearchParams([
|
|
957
1074
|
...url2.searchParams.entries(),
|
|
958
|
-
...(0,
|
|
1075
|
+
...(0, import_utils10.objectToQueryParams)(jarResult.jarAuthorizationRequest).entries(),
|
|
959
1076
|
// Add client_id_scheme if defined for backwards compat
|
|
960
1077
|
...authorizationRequestPayload.client_id_scheme ? [["client_id_scheme", authorizationRequestPayload.client_id_scheme]] : []
|
|
961
1078
|
]).toString()}`;
|
|
@@ -966,10 +1083,10 @@ async function createOpenid4vpAuthorizationRequest(options) {
|
|
|
966
1083
|
jar: { ...jar, ...jarResult }
|
|
967
1084
|
};
|
|
968
1085
|
}
|
|
969
|
-
const url = new
|
|
970
|
-
url.search = `?${new
|
|
1086
|
+
const url = new import_utils10.URL(scheme);
|
|
1087
|
+
url.search = `?${new import_utils10.URLSearchParams([
|
|
971
1088
|
...url.searchParams.entries(),
|
|
972
|
-
...(0,
|
|
1089
|
+
...(0, import_utils10.objectToQueryParams)(authorizationRequestPayload).entries()
|
|
973
1090
|
]).toString()}`;
|
|
974
1091
|
return {
|
|
975
1092
|
authorizationRequestPayload,
|
|
@@ -980,30 +1097,30 @@ async function createOpenid4vpAuthorizationRequest(options) {
|
|
|
980
1097
|
}
|
|
981
1098
|
|
|
982
1099
|
// src/authorization-request/parse-authorization-request-params.ts
|
|
983
|
-
var
|
|
984
|
-
var
|
|
1100
|
+
var import_oauth214 = require("@openid4vc/oauth2");
|
|
1101
|
+
var import_utils12 = require("@openid4vc/utils");
|
|
985
1102
|
var import_zod11 = __toESM(require("zod"));
|
|
986
1103
|
|
|
987
1104
|
// src/jar/z-jar-authorization-request.ts
|
|
988
|
-
var
|
|
989
|
-
var
|
|
1105
|
+
var import_oauth213 = require("@openid4vc/oauth2");
|
|
1106
|
+
var import_utils11 = require("@openid4vc/utils");
|
|
990
1107
|
var import_zod10 = require("zod");
|
|
991
1108
|
var zJarAuthorizationRequest = import_zod10.z.object({
|
|
992
1109
|
request: import_zod10.z.optional(import_zod10.z.string()),
|
|
993
|
-
request_uri: import_zod10.z.optional(
|
|
1110
|
+
request_uri: import_zod10.z.optional(import_utils11.zHttpsUrl),
|
|
994
1111
|
request_uri_method: import_zod10.z.optional(import_zod10.z.string()),
|
|
995
1112
|
client_id: import_zod10.z.optional(import_zod10.z.string())
|
|
996
1113
|
}).passthrough();
|
|
997
1114
|
function validateJarRequestParams(options) {
|
|
998
1115
|
const { jarRequestParams } = options;
|
|
999
1116
|
if (jarRequestParams.request && jarRequestParams.request_uri) {
|
|
1000
|
-
throw new
|
|
1117
|
+
throw new import_oauth213.Oauth2ServerErrorResponseError({
|
|
1001
1118
|
error: "invalid_request_object",
|
|
1002
1119
|
error_description: "request and request_uri cannot both be present in a JAR request"
|
|
1003
1120
|
});
|
|
1004
1121
|
}
|
|
1005
1122
|
if (!jarRequestParams.request && !jarRequestParams.request_uri) {
|
|
1006
|
-
throw new
|
|
1123
|
+
throw new import_oauth213.Oauth2ServerErrorResponseError({
|
|
1007
1124
|
error: "invalid_request_object",
|
|
1008
1125
|
error_description: "request or request_uri must be present"
|
|
1009
1126
|
});
|
|
@@ -1021,21 +1138,21 @@ function parseOpenid4vpAuthorizationRequest(options) {
|
|
|
1021
1138
|
let params;
|
|
1022
1139
|
if (typeof authorizationRequest === "string") {
|
|
1023
1140
|
if (authorizationRequest.includes(":")) {
|
|
1024
|
-
params = (0,
|
|
1141
|
+
params = (0, import_utils12.parseWithErrorHandling)(
|
|
1025
1142
|
zOpenid4vpAuthorizationRequestFromUriParams,
|
|
1026
1143
|
authorizationRequest,
|
|
1027
1144
|
"Unable to parse openid4vp authorization request uri to a valid object"
|
|
1028
1145
|
);
|
|
1029
1146
|
provided = "uri";
|
|
1030
1147
|
} else {
|
|
1031
|
-
const decoded = (0,
|
|
1148
|
+
const decoded = (0, import_oauth214.decodeJwt)({ jwt: authorizationRequest });
|
|
1032
1149
|
params = decoded.payload;
|
|
1033
1150
|
provided = "jwt";
|
|
1034
1151
|
}
|
|
1035
1152
|
} else {
|
|
1036
1153
|
params = authorizationRequest;
|
|
1037
1154
|
}
|
|
1038
|
-
const parsedRequest = (0,
|
|
1155
|
+
const parsedRequest = (0, import_utils12.parseWithErrorHandling)(
|
|
1039
1156
|
import_zod11.default.union([zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),
|
|
1040
1157
|
params
|
|
1041
1158
|
);
|
|
@@ -1062,31 +1179,31 @@ function parseOpenid4vpAuthorizationRequest(options) {
|
|
|
1062
1179
|
|
|
1063
1180
|
// src/authorization-request/resolve-authorization-request.ts
|
|
1064
1181
|
var import_oauth220 = require("@openid4vc/oauth2");
|
|
1065
|
-
var
|
|
1182
|
+
var import_utils16 = require("@openid4vc/utils");
|
|
1066
1183
|
var import_zod15 = __toESM(require("zod"));
|
|
1067
1184
|
|
|
1068
1185
|
// src/fetch-client-metadata.ts
|
|
1069
|
-
var
|
|
1070
|
-
var
|
|
1186
|
+
var import_oauth215 = require("@openid4vc/oauth2");
|
|
1187
|
+
var import_utils13 = require("@openid4vc/utils");
|
|
1071
1188
|
async function fetchClientMetadata(options) {
|
|
1072
1189
|
const { fetch, clientMetadataUri } = options;
|
|
1073
|
-
const fetcher = (0,
|
|
1074
|
-
const { result, response } = await fetcher(zClientMetadata,
|
|
1190
|
+
const fetcher = (0, import_utils13.createZodFetcher)(fetch);
|
|
1191
|
+
const { result, response } = await fetcher(zClientMetadata, import_utils13.ContentType.Json, clientMetadataUri, {
|
|
1075
1192
|
method: "GET",
|
|
1076
1193
|
headers: {
|
|
1077
|
-
Accept:
|
|
1194
|
+
Accept: import_utils13.ContentType.Json
|
|
1078
1195
|
}
|
|
1079
1196
|
});
|
|
1080
1197
|
if (!response.ok) {
|
|
1081
|
-
throw new
|
|
1198
|
+
throw new import_oauth215.Oauth2ServerErrorResponseError({
|
|
1082
1199
|
error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
|
|
1083
|
-
error:
|
|
1200
|
+
error: import_oauth215.Oauth2ErrorCodes.InvalidRequestUri
|
|
1084
1201
|
});
|
|
1085
1202
|
}
|
|
1086
1203
|
if (!result || !result.success) {
|
|
1087
|
-
throw new
|
|
1204
|
+
throw new import_oauth215.Oauth2ServerErrorResponseError({
|
|
1088
1205
|
error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
|
|
1089
|
-
error:
|
|
1206
|
+
error: import_oauth215.Oauth2ErrorCodes.InvalidRequestObject
|
|
1090
1207
|
});
|
|
1091
1208
|
}
|
|
1092
1209
|
return result.data;
|
|
@@ -1096,113 +1213,9 @@ async function fetchClientMetadata(options) {
|
|
|
1096
1213
|
var import_oauth218 = require("@openid4vc/oauth2");
|
|
1097
1214
|
var import_zod13 = __toESM(require("zod"));
|
|
1098
1215
|
|
|
1099
|
-
// src/version.ts
|
|
1100
|
-
var import_oauth215 = require("@openid4vc/oauth2");
|
|
1101
|
-
function parseAuthorizationRequestVersion(request) {
|
|
1102
|
-
const requirements = [];
|
|
1103
|
-
if (request.verifier_info) {
|
|
1104
|
-
requirements.push([">=", 100]);
|
|
1105
|
-
}
|
|
1106
|
-
if (request.verifier_attestations) {
|
|
1107
|
-
requirements.push(["<", 100]);
|
|
1108
|
-
}
|
|
1109
|
-
if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) {
|
|
1110
|
-
requirements.push([">=", 28]);
|
|
1111
|
-
}
|
|
1112
|
-
if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
|
|
1113
|
-
requirements.push(["<", 28]);
|
|
1114
|
-
}
|
|
1115
|
-
if (request.client_metadata?.vp_formats) {
|
|
1116
|
-
requirements.push([">=", 27]);
|
|
1117
|
-
}
|
|
1118
|
-
if (request.client_metadata?.vp_formats_supported) {
|
|
1119
|
-
requirements.push(["<", 27]);
|
|
1120
|
-
}
|
|
1121
|
-
if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
|
|
1122
|
-
requirements.push([">=", 26]);
|
|
1123
|
-
}
|
|
1124
|
-
if (request.client_id?.startsWith("did:")) {
|
|
1125
|
-
requirements.push(["<", 26]);
|
|
1126
|
-
}
|
|
1127
|
-
if (request.presentation_definition || request.presentation_definition_uri) {
|
|
1128
|
-
requirements.push([">=", 26]);
|
|
1129
|
-
}
|
|
1130
|
-
if (request.verifier_attestations) {
|
|
1131
|
-
requirements.push([">=", 26]);
|
|
1132
|
-
}
|
|
1133
|
-
if (request.client_id?.startsWith("x509_san_uri:")) {
|
|
1134
|
-
requirements.push(["<", 25]);
|
|
1135
|
-
}
|
|
1136
|
-
if (request.client_id?.startsWith("x509_hash:")) {
|
|
1137
|
-
requirements.push([">=", 25]);
|
|
1138
|
-
}
|
|
1139
|
-
if (request.client_id?.startsWith("web-origin:")) {
|
|
1140
|
-
requirements.push(["<", 25]);
|
|
1141
|
-
}
|
|
1142
|
-
if (request.client_id?.startsWith("origin:")) {
|
|
1143
|
-
requirements.push([">=", 25]);
|
|
1144
|
-
}
|
|
1145
|
-
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
|
|
1146
|
-
requirements.push(["<", 23]);
|
|
1147
|
-
requirements.push([">=", 21]);
|
|
1148
|
-
}
|
|
1149
|
-
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
|
|
1150
|
-
requirements.push([">=", 23]);
|
|
1151
|
-
}
|
|
1152
|
-
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
|
|
1153
|
-
requirements.push([">=", 23]);
|
|
1154
|
-
}
|
|
1155
|
-
if (request.transaction_data) {
|
|
1156
|
-
requirements.push([">=", 22]);
|
|
1157
|
-
}
|
|
1158
|
-
if (request.client_id_scheme) {
|
|
1159
|
-
requirements.push(["<", 22]);
|
|
1160
|
-
}
|
|
1161
|
-
if (request.client_id) {
|
|
1162
|
-
const colonIndex = request.client_id.indexOf(":");
|
|
1163
|
-
const schemePart = request.client_id.substring(0, colonIndex);
|
|
1164
|
-
const parsedScheme = zClientIdPrefix.safeParse(schemePart);
|
|
1165
|
-
if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
|
|
1166
|
-
requirements.push([">=", 22]);
|
|
1167
|
-
}
|
|
1168
|
-
}
|
|
1169
|
-
if (!request.client_id) {
|
|
1170
|
-
requirements.push([">=", 21]);
|
|
1171
|
-
}
|
|
1172
|
-
if (request.dcql_query) {
|
|
1173
|
-
requirements.push([">=", 21]);
|
|
1174
|
-
}
|
|
1175
|
-
if (request.client_metadata_uri) {
|
|
1176
|
-
requirements.push(["<", 21]);
|
|
1177
|
-
}
|
|
1178
|
-
if (isOpenid4vpAuthorizationRequestDcApi(request)) {
|
|
1179
|
-
requirements.push([">=", 21]);
|
|
1180
|
-
}
|
|
1181
|
-
if (request.request_uri_method || request.wallet_nonce) {
|
|
1182
|
-
requirements.push([">=", 21]);
|
|
1183
|
-
}
|
|
1184
|
-
if (request.client_id_scheme === "verifier_attestation") {
|
|
1185
|
-
requirements.push([">=", 20]);
|
|
1186
|
-
}
|
|
1187
|
-
if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
|
|
1188
|
-
requirements.push([">=", 19]);
|
|
1189
|
-
}
|
|
1190
|
-
const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
|
|
1191
|
-
const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
|
|
1192
|
-
const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
|
|
1193
|
-
const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
|
|
1194
|
-
if (lowestRequiredVersion > highestPossibleVersion) {
|
|
1195
|
-
throw new import_oauth215.Oauth2ServerErrorResponseError({
|
|
1196
|
-
error: import_oauth215.Oauth2ErrorCodes.InvalidRequest,
|
|
1197
|
-
error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
|
|
1198
|
-
});
|
|
1199
|
-
}
|
|
1200
|
-
return highestPossibleVersion;
|
|
1201
|
-
}
|
|
1202
|
-
|
|
1203
1216
|
// src/jar/jar-request-object/fetch-jar-request-object.ts
|
|
1204
1217
|
var import_oauth216 = require("@openid4vc/oauth2");
|
|
1205
|
-
var
|
|
1218
|
+
var import_utils14 = require("@openid4vc/utils");
|
|
1206
1219
|
async function fetchJarRequestObject(options) {
|
|
1207
1220
|
const { requestUri, clientIdentifierScheme, method, wallet, fetch } = options;
|
|
1208
1221
|
let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : void 0;
|
|
@@ -1210,12 +1223,12 @@ async function fetchJarRequestObject(options) {
|
|
|
1210
1223
|
const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata;
|
|
1211
1224
|
requestBody = { ...requestBody, wallet_metadata: { ...rest } };
|
|
1212
1225
|
}
|
|
1213
|
-
const response = await (0,
|
|
1226
|
+
const response = await (0, import_utils14.createFetcher)(fetch)(requestUri, {
|
|
1214
1227
|
method,
|
|
1215
|
-
body: method === "post" ? (0,
|
|
1228
|
+
body: method === "post" ? (0, import_utils14.objectToQueryParams)(wallet.metadata ?? {}) : void 0,
|
|
1216
1229
|
headers: {
|
|
1217
|
-
Accept: `${
|
|
1218
|
-
"Content-Type":
|
|
1230
|
+
Accept: `${import_utils14.ContentType.OAuthAuthorizationRequestJwt}, ${import_utils14.ContentType.Jwt};q=0.9, text/plain`,
|
|
1231
|
+
"Content-Type": import_utils14.ContentType.XWwwFormUrlencoded
|
|
1219
1232
|
}
|
|
1220
1233
|
}).catch(() => {
|
|
1221
1234
|
throw new import_oauth216.Oauth2ServerErrorResponseError({
|
|
@@ -1381,7 +1394,7 @@ async function verifyJarRequestObject(options) {
|
|
|
1381
1394
|
|
|
1382
1395
|
// src/transaction-data/parse-transaction-data.ts
|
|
1383
1396
|
var import_oauth219 = require("@openid4vc/oauth2");
|
|
1384
|
-
var
|
|
1397
|
+
var import_utils15 = require("@openid4vc/utils");
|
|
1385
1398
|
|
|
1386
1399
|
// src/transaction-data/z-transaction-data.ts
|
|
1387
1400
|
var import_zod14 = require("zod");
|
|
@@ -1395,7 +1408,7 @@ var zTransactionData = import_zod14.z.array(zTransactionEntry);
|
|
|
1395
1408
|
// src/transaction-data/parse-transaction-data.ts
|
|
1396
1409
|
function parseTransactionData(options) {
|
|
1397
1410
|
const { transactionData } = options;
|
|
1398
|
-
const decoded = transactionData.map((tdEntry) => (0,
|
|
1411
|
+
const decoded = transactionData.map((tdEntry) => (0, import_utils15.parseIfJson)((0, import_utils15.encodeToUtf8String)((0, import_utils15.decodeBase64)(tdEntry))));
|
|
1399
1412
|
const parsedResult = zTransactionData.safeParse(decoded);
|
|
1400
1413
|
if (!parsedResult.success) {
|
|
1401
1414
|
throw new import_oauth219.Oauth2ServerErrorResponseError({
|
|
@@ -1414,7 +1427,7 @@ function parseTransactionData(options) {
|
|
|
1414
1427
|
async function resolveOpenid4vpAuthorizationRequest(options) {
|
|
1415
1428
|
const { wallet, callbacks, origin, disableOriginValidation } = options;
|
|
1416
1429
|
let authorizationRequestPayload;
|
|
1417
|
-
const parsed = (0,
|
|
1430
|
+
const parsed = (0, import_utils16.parseWithErrorHandling)(
|
|
1418
1431
|
import_zod15.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),
|
|
1419
1432
|
options.authorizationRequestPayload,
|
|
1420
1433
|
"Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request."
|
|
@@ -1422,7 +1435,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
|
|
|
1422
1435
|
let jar;
|
|
1423
1436
|
if (isJarAuthorizationRequest(parsed)) {
|
|
1424
1437
|
jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet });
|
|
1425
|
-
const parsedJarAuthorizationRequestPayload = (0,
|
|
1438
|
+
const parsedJarAuthorizationRequestPayload = (0, import_utils16.parseWithErrorHandling)(
|
|
1426
1439
|
import_zod15.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
|
|
1427
1440
|
jar.authorizationRequestPayload,
|
|
1428
1441
|
"Invalid authorization request. Could not parse jar request payload as openid4vp auth request."
|
|
@@ -1504,7 +1517,7 @@ function validateOpenId4vpAuthorizationRequestPayload(options) {
|
|
|
1504
1517
|
|
|
1505
1518
|
// src/authorization-response/create-authorization-response.ts
|
|
1506
1519
|
var import_oauth223 = require("@openid4vc/oauth2");
|
|
1507
|
-
var
|
|
1520
|
+
var import_utils17 = require("@openid4vc/utils");
|
|
1508
1521
|
|
|
1509
1522
|
// ../utils/src/date.ts
|
|
1510
1523
|
function addSecondsToDate2(date, seconds) {
|
|
@@ -1685,7 +1698,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
|
|
|
1685
1698
|
additionalJwtPayload = {
|
|
1686
1699
|
iss: jarm.authorizationServer,
|
|
1687
1700
|
aud: jarm.audience,
|
|
1688
|
-
exp: jarm.expiresInSeconds ?? (0,
|
|
1701
|
+
exp: jarm.expiresInSeconds ?? (0, import_utils17.dateToSeconds)(addSecondsToDate2(/* @__PURE__ */ new Date(), 60 * 10))
|
|
1689
1702
|
// default: 10 minutes
|
|
1690
1703
|
};
|
|
1691
1704
|
}
|
|
@@ -1699,8 +1712,8 @@ async function createOpenid4vpAuthorizationResponse(options) {
|
|
|
1699
1712
|
jweEncryptor: jarm?.encryption ? {
|
|
1700
1713
|
method: "jwk",
|
|
1701
1714
|
publicJwk: encJwk,
|
|
1702
|
-
apu: jarm.encryption.nonce ? (0,
|
|
1703
|
-
apv: (0,
|
|
1715
|
+
apu: jarm.encryption.nonce ? (0, import_utils17.encodeToBase64Url)(jarm.encryption.nonce) : void 0,
|
|
1716
|
+
apv: (0, import_utils17.encodeToBase64Url)(authorizationRequestPayload.nonce),
|
|
1704
1717
|
alg,
|
|
1705
1718
|
enc
|
|
1706
1719
|
} : void 0,
|
|
@@ -1717,25 +1730,25 @@ async function createOpenid4vpAuthorizationResponse(options) {
|
|
|
1717
1730
|
|
|
1718
1731
|
// src/authorization-response/submit-authorization-response.ts
|
|
1719
1732
|
var import_oauth225 = require("@openid4vc/oauth2");
|
|
1720
|
-
var import_utils18 = require("@openid4vc/utils");
|
|
1721
1733
|
var import_utils19 = require("@openid4vc/utils");
|
|
1734
|
+
var import_utils20 = require("@openid4vc/utils");
|
|
1722
1735
|
|
|
1723
1736
|
// src/jarm/jarm-authorizatino-response-send.ts
|
|
1724
1737
|
var import_oauth224 = require("@openid4vc/oauth2");
|
|
1725
|
-
var
|
|
1738
|
+
var import_utils18 = require("@openid4vc/utils");
|
|
1726
1739
|
var jarmAuthorizationResponseSend = (options) => {
|
|
1727
1740
|
const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options;
|
|
1728
1741
|
const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
|
|
1729
1742
|
if (!responseEndpoint) {
|
|
1730
1743
|
throw new import_oauth224.Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`);
|
|
1731
1744
|
}
|
|
1732
|
-
const responseEndpointUrl = new
|
|
1745
|
+
const responseEndpointUrl = new import_utils18.URL(responseEndpoint);
|
|
1733
1746
|
return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks);
|
|
1734
1747
|
};
|
|
1735
1748
|
async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
|
|
1736
|
-
const response = await (0,
|
|
1749
|
+
const response = await (0, import_utils18.createFetcher)(callbacks.fetch)(responseEndpoint, {
|
|
1737
1750
|
method: "POST",
|
|
1738
|
-
headers: { "Content-Type":
|
|
1751
|
+
headers: { "Content-Type": import_utils18.ContentType.XWwwFormUrlencoded },
|
|
1739
1752
|
body: `response=${responseJwt}`
|
|
1740
1753
|
});
|
|
1741
1754
|
return {
|
|
@@ -1760,13 +1773,13 @@ async function submitOpenid4vpAuthorizationResponse(options) {
|
|
|
1760
1773
|
"Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided."
|
|
1761
1774
|
);
|
|
1762
1775
|
}
|
|
1763
|
-
const fetch = (0,
|
|
1764
|
-
const encodedResponse = (0,
|
|
1776
|
+
const fetch = (0, import_utils19.createFetcher)(callbacks.fetch);
|
|
1777
|
+
const encodedResponse = (0, import_utils20.objectToQueryParams)(authorizationResponsePayload);
|
|
1765
1778
|
const submissionResponse = await fetch(url, {
|
|
1766
1779
|
method: "POST",
|
|
1767
1780
|
body: encodedResponse.toString(),
|
|
1768
1781
|
headers: {
|
|
1769
|
-
"Content-Type":
|
|
1782
|
+
"Content-Type": import_utils19.ContentType.XWwwFormUrlencoded
|
|
1770
1783
|
}
|
|
1771
1784
|
});
|
|
1772
1785
|
return {
|
|
@@ -1779,7 +1792,7 @@ async function submitOpenid4vpAuthorizationResponse(options) {
|
|
|
1779
1792
|
var import_oauth226 = require("@openid4vc/oauth2");
|
|
1780
1793
|
|
|
1781
1794
|
// src/vp-token/parse-vp-token.ts
|
|
1782
|
-
var
|
|
1795
|
+
var import_utils21 = require("@openid4vc/utils");
|
|
1783
1796
|
|
|
1784
1797
|
// src/vp-token/z-vp-token.ts
|
|
1785
1798
|
var import_zod17 = require("zod");
|
|
@@ -1805,17 +1818,17 @@ var zVpToken = zVpTokenDcql.or(zVpTokenPex);
|
|
|
1805
1818
|
|
|
1806
1819
|
// src/vp-token/parse-vp-token.ts
|
|
1807
1820
|
function parsePexVpToken(vpToken) {
|
|
1808
|
-
const parsedVpToken = (0,
|
|
1821
|
+
const parsedVpToken = (0, import_utils21.parseWithErrorHandling)(
|
|
1809
1822
|
zVpTokenPex,
|
|
1810
|
-
(0,
|
|
1823
|
+
(0, import_utils21.parseIfJson)(vpToken),
|
|
1811
1824
|
"Could not parse presentation exchange vp_token. Expected a string or an array of strings"
|
|
1812
1825
|
);
|
|
1813
1826
|
return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
|
|
1814
1827
|
}
|
|
1815
1828
|
function parseDcqlVpToken(vpToken) {
|
|
1816
|
-
const parsedVpToken = (0,
|
|
1829
|
+
const parsedVpToken = (0, import_utils21.parseWithErrorHandling)(
|
|
1817
1830
|
zVpTokenDcql,
|
|
1818
|
-
(0,
|
|
1831
|
+
(0, import_utils21.parseIfJson)(vpToken),
|
|
1819
1832
|
"Could not parse dcql vp_token. Expected an object where the values are encoded presentations"
|
|
1820
1833
|
);
|
|
1821
1834
|
return Object.fromEntries(
|
|
@@ -1874,10 +1887,10 @@ function validateOpenid4vpAuthorizationResponsePayload(options) {
|
|
|
1874
1887
|
var import_oauth228 = require("@openid4vc/oauth2");
|
|
1875
1888
|
|
|
1876
1889
|
// src/authorization-response/parse-authorization-response-payload.ts
|
|
1877
|
-
var
|
|
1890
|
+
var import_utils23 = require("@openid4vc/utils");
|
|
1878
1891
|
|
|
1879
1892
|
// src/authorization-response/z-authorization-response.ts
|
|
1880
|
-
var
|
|
1893
|
+
var import_utils22 = require("@openid4vc/utils");
|
|
1881
1894
|
var import_zod19 = require("zod");
|
|
1882
1895
|
|
|
1883
1896
|
// src/models/z-pex.ts
|
|
@@ -1890,7 +1903,7 @@ var zOpenid4vpAuthorizationResponse = import_zod19.z.object({
|
|
|
1890
1903
|
state: import_zod19.z.string().optional(),
|
|
1891
1904
|
id_token: import_zod19.z.string().optional(),
|
|
1892
1905
|
vp_token: zVpToken,
|
|
1893
|
-
presentation_submission: zPexPresentationSubmission.or(
|
|
1906
|
+
presentation_submission: zPexPresentationSubmission.or(import_utils22.zStringToJson).optional(),
|
|
1894
1907
|
refresh_token: import_zod19.z.string().optional(),
|
|
1895
1908
|
token_type: import_zod19.z.string().optional(),
|
|
1896
1909
|
access_token: import_zod19.z.string().optional(),
|
|
@@ -1899,7 +1912,7 @@ var zOpenid4vpAuthorizationResponse = import_zod19.z.object({
|
|
|
1899
1912
|
|
|
1900
1913
|
// src/authorization-response/parse-authorization-response-payload.ts
|
|
1901
1914
|
function parseOpenid4VpAuthorizationResponsePayload(payload) {
|
|
1902
|
-
return (0,
|
|
1915
|
+
return (0, import_utils23.parseWithErrorHandling)(
|
|
1903
1916
|
zOpenid4vpAuthorizationResponse,
|
|
1904
1917
|
payload,
|
|
1905
1918
|
"Failed to parse openid4vp authorization response."
|
|
@@ -1908,11 +1921,11 @@ function parseOpenid4VpAuthorizationResponsePayload(payload) {
|
|
|
1908
1921
|
|
|
1909
1922
|
// src/authorization-response/parse-jarm-authorization-response.ts
|
|
1910
1923
|
var import_oauth227 = require("@openid4vc/oauth2");
|
|
1911
|
-
var
|
|
1924
|
+
var import_utils24 = require("@openid4vc/utils");
|
|
1912
1925
|
var import_zod20 = __toESM(require("zod"));
|
|
1913
1926
|
async function parseJarmAuthorizationResponse(options) {
|
|
1914
1927
|
const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
|
|
1915
|
-
const jarmAuthorizationResponseJwt = (0,
|
|
1928
|
+
const jarmAuthorizationResponseJwt = (0, import_utils24.parseWithErrorHandling)(
|
|
1916
1929
|
import_zod20.default.union([import_oauth227.zCompactJwt, import_oauth227.zCompactJwe]),
|
|
1917
1930
|
jarmResponseJwt,
|
|
1918
1931
|
"Invalid jarm authorization response jwt."
|
|
@@ -2009,7 +2022,7 @@ var Openid4vpClient = class {
|
|
|
2009
2022
|
|
|
2010
2023
|
// src/transaction-data/verify-transaction-data.ts
|
|
2011
2024
|
var import_oauth229 = require("@openid4vc/oauth2");
|
|
2012
|
-
var
|
|
2025
|
+
var import_utils25 = require("@openid4vc/utils");
|
|
2013
2026
|
async function verifyTransactionData(options) {
|
|
2014
2027
|
const parsedTransactionData = parseTransactionData({
|
|
2015
2028
|
transactionData: options.transactionData
|
|
@@ -2036,7 +2049,7 @@ async function verifyTransactionDataEntry({
|
|
|
2036
2049
|
);
|
|
2037
2050
|
const hashes = {};
|
|
2038
2051
|
for (const alg of supportedAlgs) {
|
|
2039
|
-
hashes[alg] = (0,
|
|
2052
|
+
hashes[alg] = (0, import_utils25.encodeToBase64Url)(await callbacks.hash((0, import_utils25.decodeUtf8String)(entry.encoded), alg));
|
|
2040
2053
|
}
|
|
2041
2054
|
for (const credentialId of entry.transactionData.credential_ids) {
|
|
2042
2055
|
const transactionDataHashesCredential = credentials[credentialId];
|
|
@@ -2139,6 +2152,7 @@ var zWalletMetadata = import_zod23.z.object({
|
|
|
2139
2152
|
getOpenid4vpClientId,
|
|
2140
2153
|
isJarmResponseMode,
|
|
2141
2154
|
isOpenid4vpAuthorizationRequestDcApi,
|
|
2155
|
+
parseAuthorizationRequestVersion,
|
|
2142
2156
|
parseDcqlVpToken,
|
|
2143
2157
|
parseJarmAuthorizationResponse,
|
|
2144
2158
|
parseOpenid4VpAuthorizationResponsePayload,
|