@openid4vc/openid4vp 0.3.0-alpha-20250711120307 → 0.3.0-alpha-20250713102850
- package/dist/index.d.mts +46 -8
- package/dist/index.d.ts +46 -8
- package/dist/index.js +225 -211
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +160 -147
- package/dist/index.mjs.map +1 -1
- package/package.json +3 -3
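--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -603,6 +603,7 @@ import {
 zCompactJwt,
 zJwtHeader as zJwtHeader2
 } from "@openid4vc/oauth2";
+import { stringToJsonWithErrorHandling } from "@openid4vc/utils";
 import z9 from "zod";
 
 // src/jarm/jarm-extract-jwks.ts
@@ -684,7 +685,10 @@ var decryptJarmAuthorizationResponseJwt = async (options) => {
 if (!result.decrypted) {
 throw new Oauth2Error3("Failed to decrypt jarm auth response.");
 }
-return
+return {
+decryptionJwk: result.decryptionJwk,
+payload: result.payload
+};
 };
 async function verifyJarmAuthorizationResponse(options) {
 const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
@@ -693,21 +697,21 @@ async function verifyJarmAuthorizationResponse(options) {
 jarmAuthorizationResponseJwt,
 callbacks,
 authorizationRequestPayload
-}) : jarmAuthorizationResponseJwt;
-const responseIsSigned = zCompactJwt.safeParse(decryptedRequestData).success;
+}) : { payload: jarmAuthorizationResponseJwt, decryptionJwk: void 0 };
+const responseIsSigned = zCompactJwt.safeParse(decryptedRequestData.payload).success;
 if (!requestDataIsEncrypted && !responseIsSigned) {
 throw new Oauth2Error3("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
 }
 let jarmAuthorizationResponse;
 if (responseIsSigned) {
 const { header: jwsProtectedHeader, payload: jwsPayload } = decodeJwt({
-jwt: decryptedRequestData,
+jwt: decryptedRequestData.payload,
 headerSchema: z9.object({ ...zJwtHeader2.shape, kid: z9.string() })
 });
 const response = zJarmAuthorizationResponse.parse(jwsPayload);
 const jwtSigner = jwtSignerFromJwt({ header: jwsProtectedHeader, payload: jwsPayload });
 const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {
-compact: decryptedRequestData,
+compact: decryptedRequestData.payload,
 header: jwsProtectedHeader,
 payload: jwsPayload
 });
@@ -716,7 +720,10 @@ async function verifyJarmAuthorizationResponse(options) {
 }
 jarmAuthorizationResponse = response;
 } else {
-const jsonRequestData =
+const jsonRequestData = stringToJsonWithErrorHandling(
+decryptedRequestData.payload,
+"Unable to parse decrypted JARM JWE body to JSON"
+);
 jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
 }
 jarmAuthorizationResponseValidate({
@@ -725,7 +732,116 @@ async function verifyJarmAuthorizationResponse(options) {
 });
 const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
 const issuer = jarmAuthorizationResponse.iss;
-return {
+return {
+jarmAuthorizationResponse,
+type,
+issuer,
+decryptionJwk: decryptedRequestData.decryptionJwk
+};
+}
+
+// src/version.ts
+import { Oauth2ErrorCodes as Oauth2ErrorCodes2, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError2 } from "@openid4vc/oauth2";
+function parseAuthorizationRequestVersion(request) {
+const requirements = [];
+if (request.verifier_info) {
+requirements.push([">=", 100]);
+}
+if (request.verifier_attestations) {
+requirements.push(["<", 100]);
+}
+if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) {
+requirements.push([">=", 28]);
+}
+if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
+requirements.push(["<", 28]);
+}
+if (request.client_metadata?.vp_formats) {
+requirements.push([">=", 27]);
+}
+if (request.client_metadata?.vp_formats_supported) {
+requirements.push(["<", 27]);
+}
+if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
+requirements.push([">=", 26]);
+}
+if (request.client_id?.startsWith("did:")) {
+requirements.push(["<", 26]);
+}
+if (request.presentation_definition || request.presentation_definition_uri) {
+requirements.push([">=", 26]);
+}
+if (request.verifier_attestations) {
+requirements.push([">=", 26]);
+}
+if (request.client_id?.startsWith("x509_san_uri:")) {
+requirements.push(["<", 25]);
+}
+if (request.client_id?.startsWith("x509_hash:")) {
+requirements.push([">=", 25]);
+}
+if (request.client_id?.startsWith("web-origin:")) {
+requirements.push(["<", 25]);
+}
+if (request.client_id?.startsWith("origin:")) {
+requirements.push([">=", 25]);
+}
+if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
+requirements.push(["<", 23]);
+requirements.push([">=", 21]);
+}
+if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
+requirements.push([">=", 23]);
+}
+if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
+requirements.push([">=", 23]);
+}
+if (request.transaction_data) {
+requirements.push([">=", 22]);
+}
+if (request.client_id_scheme) {
+requirements.push(["<", 22]);
+}
+if (request.client_id) {
+const colonIndex = request.client_id.indexOf(":");
+const schemePart = request.client_id.substring(0, colonIndex);
+const parsedScheme = zClientIdPrefix.safeParse(schemePart);
+if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
+requirements.push([">=", 22]);
+}
+}
+if (!request.client_id) {
+requirements.push([">=", 21]);
+}
+if (request.dcql_query) {
+requirements.push([">=", 21]);
+}
+if (request.client_metadata_uri) {
+requirements.push(["<", 21]);
+}
+if (isOpenid4vpAuthorizationRequestDcApi(request)) {
+requirements.push([">=", 21]);
+}
+if (request.request_uri_method || request.wallet_nonce) {
+requirements.push([">=", 21]);
+}
+if (request.client_id_scheme === "verifier_attestation") {
+requirements.push([">=", 20]);
+}
+if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
+requirements.push([">=", 19]);
+}
+const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
+const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
+const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
+const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
+if (lowestRequiredVersion > highestPossibleVersion) {
+throw new Oauth2ServerErrorResponseError2({
+error: Oauth2ErrorCodes2.InvalidRequest,
+error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
+});
+}
+return highestPossibleVersion;
 }
 
 // src/authorization-request/create-authorization-request.ts
@@ -763,94 +879,94 @@ async function createJarAuthorizationRequest(options) {
 }
 
 // src/authorization-request/validate-authorization-request.ts
-import { Oauth2ErrorCodes as
+import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError3 } from "@openid4vc/oauth2";
 import { zHttpsUrl as zHttpsUrl4 } from "@openid4vc/utils";
 var validateOpenid4vpAuthorizationRequestPayload = (options) => {
 const { params, walletVerificationOptions } = options;
 if (!params.redirect_uri && !params.response_uri) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError3({
+error: Oauth2ErrorCodes3.InvalidRequest,
 error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
 });
 }
 if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError3({
+error: Oauth2ErrorCodes3.InvalidRequest,
 error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
 });
 }
 if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
 Boolean
 ).length > 1) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError3({
+error: Oauth2ErrorCodes3.InvalidRequest,
 error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
 });
 }
 if (params.request_uri_method && !params.request_uri) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError3({
+error: Oauth2ErrorCodes3.InvalidRequest,
 error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
 });
 }
 if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError3({
+error: Oauth2ErrorCodes3.InvalidRequestUriMethod,
 error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
 });
 }
 if (params.trust_chain && !zHttpsUrl4.safeParse(params.client_id).success) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError3({
+error: Oauth2ErrorCodes3.InvalidRequest,
 error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
 });
 }
 if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError3({
+error: Oauth2ErrorCodes3.InvalidRequest,
 error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
 });
 }
 if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError3({
+error: Oauth2ErrorCodes3.InvalidRequest,
 error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
 });
 }
 if (params.client_id.startsWith("web-origin:") || params.client_id.startsWith("origin:")) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError3({
+error: Oauth2ErrorCodes3.InvalidRequest,
 error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(":")[0]}' when not using the dc_api response mode. Current: ${params.client_id}`
 });
 }
 };
 
 // src/authorization-request/validate-authorization-request-dc-api.ts
-import { Oauth2ErrorCodes as
+import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4 } from "@openid4vc/oauth2";
 var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
 const { params, isJarRequest, disableOriginValidation, origin } = options;
 if (isJarRequest && !params.expected_origins) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError4({
+error: Oauth2ErrorCodes4.InvalidRequest,
 error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
 });
 }
 if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError4({
+error: Oauth2ErrorCodes4.InvalidRequest,
 error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
 });
 }
 if (params.expected_origins && !disableOriginValidation) {
 if (!origin) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError4({
+error: Oauth2ErrorCodes4.InvalidRequest,
 error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
 });
 }
 if (params.expected_origins && !params.expected_origins.includes(origin)) {
-throw new
-error:
+throw new Oauth2ServerErrorResponseError4({
+error: Oauth2ErrorCodes4.InvalidRequest,
 error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
 });
 }
@@ -932,7 +1048,7 @@ import { parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/ut
 import z11 from "zod";
 
 // src/jar/z-jar-authorization-request.ts
-import { Oauth2ServerErrorResponseError as
+import { Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5 } from "@openid4vc/oauth2";
 import { zHttpsUrl as zHttpsUrl5 } from "@openid4vc/utils";
 import { z as z10 } from "zod";
 var zJarAuthorizationRequest = z10.object({
@@ -944,13 +1060,13 @@ var zJarAuthorizationRequest = z10.object({
 function validateJarRequestParams(options) {
 const { jarRequestParams } = options;
 if (jarRequestParams.request && jarRequestParams.request_uri) {
-throw new
+throw new Oauth2ServerErrorResponseError5({
 error: "invalid_request_object",
 error_description: "request and request_uri cannot both be present in a JAR request"
 });
 }
 if (!jarRequestParams.request && !jarRequestParams.request_uri) {
-throw new
+throw new Oauth2ServerErrorResponseError5({
 error: "invalid_request_object",
 error_description: "request or request_uri must be present"
 });
@@ -1013,7 +1129,7 @@ import { parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/ut
 import z15 from "zod";
 
 // src/fetch-client-metadata.ts
-import { Oauth2ErrorCodes as
+import { Oauth2ErrorCodes as Oauth2ErrorCodes5, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6 } from "@openid4vc/oauth2";
 import { ContentType, createZodFetcher } from "@openid4vc/utils";
 async function fetchClientMetadata(options) {
 const { fetch, clientMetadataUri } = options;
@@ -1025,15 +1141,15 @@ async function fetchClientMetadata(options) {
 }
 });
 if (!response.ok) {
-throw new
+throw new Oauth2ServerErrorResponseError6({
 error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
-error:
+error: Oauth2ErrorCodes5.InvalidRequestUri
 });
 }
 if (!result || !result.success) {
-throw new
+throw new Oauth2ServerErrorResponseError6({
 error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
-error:
+error: Oauth2ErrorCodes5.InvalidRequestObject
 });
 }
 return result.data;
@@ -1052,110 +1168,6 @@ import {
 } from "@openid4vc/oauth2";
 import z13 from "zod";
 
-// src/version.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes5, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6 } from "@openid4vc/oauth2";
-function parseAuthorizationRequestVersion(request) {
-const requirements = [];
-if (request.verifier_info) {
-requirements.push([">=", 100]);
-}
-if (request.verifier_attestations) {
-requirements.push(["<", 100]);
-}
-if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) {
-requirements.push([">=", 28]);
-}
-if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
-requirements.push(["<", 28]);
-}
-if (request.client_metadata?.vp_formats) {
-requirements.push([">=", 27]);
-}
-if (request.client_metadata?.vp_formats_supported) {
-requirements.push(["<", 27]);
-}
-if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
-requirements.push([">=", 26]);
-}
-if (request.client_id?.startsWith("did:")) {
-requirements.push(["<", 26]);
-}
-if (request.presentation_definition || request.presentation_definition_uri) {
-requirements.push([">=", 26]);
-}
-if (request.verifier_attestations) {
-requirements.push([">=", 26]);
-}
-if (request.client_id?.startsWith("x509_san_uri:")) {
-requirements.push(["<", 25]);
-}
-if (request.client_id?.startsWith("x509_hash:")) {
-requirements.push([">=", 25]);
-}
-if (request.client_id?.startsWith("web-origin:")) {
-requirements.push(["<", 25]);
-}
-if (request.client_id?.startsWith("origin:")) {
-requirements.push([">=", 25]);
-}
-if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
-requirements.push(["<", 23]);
-requirements.push([">=", 21]);
-}
-if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
-requirements.push([">=", 23]);
-}
-if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
-requirements.push([">=", 23]);
-}
-if (request.transaction_data) {
-requirements.push([">=", 22]);
-}
-if (request.client_id_scheme) {
-requirements.push(["<", 22]);
-}
-if (request.client_id) {
-const colonIndex = request.client_id.indexOf(":");
-const schemePart = request.client_id.substring(0, colonIndex);
-const parsedScheme = zClientIdPrefix.safeParse(schemePart);
-if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
-requirements.push([">=", 22]);
-}
-}
-if (!request.client_id) {
-requirements.push([">=", 21]);
-}
-if (request.dcql_query) {
-requirements.push([">=", 21]);
-}
-if (request.client_metadata_uri) {
-requirements.push(["<", 21]);
-}
-if (isOpenid4vpAuthorizationRequestDcApi(request)) {
-requirements.push([">=", 21]);
-}
-if (request.request_uri_method || request.wallet_nonce) {
-requirements.push([">=", 21]);
-}
-if (request.client_id_scheme === "verifier_attestation") {
-requirements.push([">=", 20]);
-}
-if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
-requirements.push([">=", 19]);
-}
-const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
-const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
-const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
-const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
-if (lowestRequiredVersion > highestPossibleVersion) {
-throw new Oauth2ServerErrorResponseError6({
-error: Oauth2ErrorCodes5.InvalidRequest,
-error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
-});
-}
-return highestPossibleVersion;
-}
-
 // src/jar/jar-request-object/fetch-jar-request-object.ts
 import { Oauth2ErrorCodes as Oauth2ErrorCodes6, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError7 } from "@openid4vc/oauth2";
 import { ContentType as ContentType2, createFetcher, objectToQueryParams as objectToQueryParams2 } from "@openid4vc/utils";
@@ -2106,6 +2118,7 @@ export {
 getOpenid4vpClientId,
 isJarmResponseMode,
 isOpenid4vpAuthorizationRequestDcApi,
+parseAuthorizationRequestVersion,
 parseDcqlVpToken,
 parseJarmAuthorizationResponse,
 parseOpenid4VpAuthorizationResponsePayload,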