@openid4vc/openid4vp 0.3.0-alpha-20251001121503 → 0.3.0-alpha-20251017082202

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -1,2215 +1,1823 @@
1
- "use strict";
1
+ //#region rolldown:runtime
2
2
  var __create = Object.create;
3
3
  var __defProp = Object.defineProperty;
4
4
  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
5
5
  var __getOwnPropNames = Object.getOwnPropertyNames;
6
6
  var __getProtoOf = Object.getPrototypeOf;
7
7
  var __hasOwnProp = Object.prototype.hasOwnProperty;
8
- var __export = (target, all) => {
9
- for (var name in all)
10
- __defProp(target, name, { get: all[name], enumerable: true });
11
- };
12
8
  var __copyProps = (to, from, except, desc) => {
13
- if (from && typeof from === "object" || typeof from === "function") {
14
- for (let key of __getOwnPropNames(from))
15
- if (!__hasOwnProp.call(to, key) && key !== except)
16
- __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
17
- }
18
- return to;
9
+ if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
10
+ key = keys[i];
11
+ if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
12
+ get: ((k) => from[k]).bind(null, key),
13
+ enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
14
+ });
15
+ }
16
+ return to;
19
17
  };
20
- var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
21
- // If the importer is in node compatibility mode or this is not an ESM
22
- // file that has been converted to a CommonJS file using a Babel-
23
- // compatible transform (i.e. "__esModule" has not been set), then set
24
- // "default" to the CommonJS "module.exports" for node compatibility.
25
- isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
26
- mod
27
- ));
28
- var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
29
-
30
- // src/index.ts
31
- var index_exports = {};
32
- __export(index_exports, {
33
- JarmMode: () => JarmMode,
34
- Openid4vpClient: () => Openid4vpClient,
35
- Openid4vpVerifier: () => Openid4vpVerifier,
36
- createOpenid4vpAuthorizationRequest: () => createOpenid4vpAuthorizationRequest,
37
- createOpenid4vpAuthorizationResponse: () => createOpenid4vpAuthorizationResponse,
38
- extractEncryptionJwkFromJwks: () => extractEncryptionJwkFromJwks,
39
- getOpenid4vpClientId: () => getOpenid4vpClientId,
40
- isJarmResponseMode: () => isJarmResponseMode,
41
- isOpenid4vpAuthorizationRequestDcApi: () => isOpenid4vpAuthorizationRequestDcApi,
42
- parseAuthorizationRequestVersion: () => parseAuthorizationRequestVersion,
43
- parseDcqlVpToken: () => parseDcqlVpToken,
44
- parseJarmAuthorizationResponse: () => parseJarmAuthorizationResponse,
45
- parseOpenid4VpAuthorizationResponsePayload: () => parseOpenid4VpAuthorizationResponsePayload,
46
- parseOpenid4vpAuthorizationRequest: () => parseOpenid4vpAuthorizationRequest,
47
- parseOpenid4vpAuthorizationResponse: () => parseOpenid4vpAuthorizationResponse,
48
- parsePexVpToken: () => parsePexVpToken,
49
- parseTransactionData: () => parseTransactionData,
50
- resolveOpenid4vpAuthorizationRequest: () => resolveOpenid4vpAuthorizationRequest,
51
- submitOpenid4vpAuthorizationResponse: () => submitOpenid4vpAuthorizationResponse,
52
- validateOpenid4vpAuthorizationRequestPayload: () => validateOpenid4vpAuthorizationRequestPayload,
53
- validateOpenid4vpAuthorizationResponsePayload: () => validateOpenid4vpAuthorizationResponsePayload,
54
- verifyJarmAuthorizationResponse: () => verifyJarmAuthorizationResponse,
55
- zClientIdPrefix: () => zClientIdPrefix,
56
- zClientMetadata: () => zClientMetadata,
57
- zCredentialFormat: () => zCredentialFormat,
58
- zJarmClientMetadata: () => zJarmClientMetadata,
59
- zOpenid4vpAuthorizationResponse: () => zOpenid4vpAuthorizationResponse,
60
- zProofFormat: () => zProofFormat,
61
- zVerifierAttestations: () => zVerifierAttestations,
62
- zWalletMetadata: () => zWalletMetadata
63
- });
64
- module.exports = __toCommonJS(index_exports);
65
-
66
- // src/client-identifier-prefix/parse-client-identifier-prefix.ts
67
- var import_oauth23 = require("@openid4vc/oauth2");
68
- var import_oauth24 = require("@openid4vc/oauth2");
69
- var import_utils5 = require("@openid4vc/utils");
70
-
71
- // src/authorization-request/z-authorization-request-dc-api.ts
72
- var import_zod6 = require("zod");
18
+ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
19
+ value: mod,
20
+ enumerable: true
21
+ }) : target, mod));
22
+
23
+ //#endregion
24
+ let __openid4vc_oauth2 = require("@openid4vc/oauth2");
25
+ __openid4vc_oauth2 = __toESM(__openid4vc_oauth2);
26
+ let __openid4vc_utils = require("@openid4vc/utils");
27
+ __openid4vc_utils = __toESM(__openid4vc_utils);
28
+ let zod = require("zod");
29
+ zod = __toESM(zod);
30
+
31
+ //#region src/jar/create-jar-authorization-request.ts
32
+ /**
33
+ * Creates a JAR (JWT Authorization Request) request object.
34
+ *
35
+ * @param options - The input parameters
36
+ * @param options.authorizationRequestPayload - The authorization request parameters
37
+ * @param options.jwtSigner - The JWT signer
38
+ * @param options.jweEncryptor - The JWE encryptor (optional) if provided, the request object will be encrypted
39
+ * @param options.requestUri - The request URI (optional) if provided, the request object needs to be fetched from the URI
40
+ * @param options.callbacks - The callback context
41
+ * @returns the requestParams, signerJwk, encryptionJwk, and requestObjectJwt
42
+ */
43
+ async function createJarAuthorizationRequest(options) {
44
+ const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
45
+ let authorizationRequestJwt;
46
+ let encryptionJwk;
47
+ const now = options.now ?? /* @__PURE__ */ new Date();
48
+ const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
49
+ header: {
50
+ ...(0, __openid4vc_oauth2.jwtHeaderFromJwtSigner)(jwtSigner),
51
+ typ: "oauth-authz-req+jwt"
52
+ },
53
+ payload: {
54
+ iat: (0, __openid4vc_utils.dateToSeconds)(now),
55
+ exp: (0, __openid4vc_utils.dateToSeconds)((0, __openid4vc_utils.addSecondsToDate)(now, options.expiresInSeconds)),
56
+ ...options.additionalJwtPayload,
57
+ ...authorizationRequestPayload
58
+ }
59
+ });
60
+ authorizationRequestJwt = jwt;
61
+ if (jweEncryptor) {
62
+ const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
63
+ authorizationRequestJwt = encryptionResult.jwe;
64
+ encryptionJwk = encryptionResult.encryptionJwk;
65
+ }
66
+ const client_id = authorizationRequestPayload.client_id;
67
+ return {
68
+ jarAuthorizationRequest: requestUri ? {
69
+ client_id,
70
+ request_uri: requestUri
71
+ } : {
72
+ client_id,
73
+ request: authorizationRequestJwt
74
+ },
75
+ signerJwk,
76
+ encryptionJwk,
77
+ authorizationRequestJwt
78
+ };
79
+ }
73
80
 
74
- // src/authorization-request/z-authorization-request.ts
75
- var import_utils3 = require("@openid4vc/utils");
76
- var import_zod5 = require("zod");
81
+ //#endregion
82
+ //#region src/authorization-request/validate-authorization-request.ts
83
+ /**
84
+ * Validate the OpenId4Vp Authorization Request parameters
85
+ */
86
+ const validateOpenid4vpAuthorizationRequestPayload = (options) => {
87
+ const { params, walletVerificationOptions } = options;
88
+ if (!params.redirect_uri && !params.response_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
89
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
90
+ error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
91
+ });
92
+ if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
93
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
94
+ error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
95
+ });
96
+ if ([
97
+ params.presentation_definition_uri,
98
+ params.presentation_definition,
99
+ params.dcql_query,
100
+ params.scope
101
+ ].filter(Boolean).length > 1) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
102
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
103
+ error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
104
+ });
105
+ if (params.request_uri_method && !params.request_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
106
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
107
+ error_description: "The \"request_uri_method\" parameter MUST NOT be present in the authorization request if the \"request_uri\" parameter is not present."
108
+ });
109
+ if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
110
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUriMethod,
111
+ error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
112
+ });
113
+ if (params.trust_chain && !__openid4vc_utils.zHttpsUrl.safeParse(params.client_id).success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
114
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
115
+ error_description: "The \"trust_chain\" parameter MUST NOT be present in the authorization request if the \"client_id\" is not an OpenId Federation Entity Identifier starting with http:// or https://."
116
+ });
117
+ if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
118
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
119
+ error_description: "The \"wallet_nonce\" parameter MUST be present in the authorization request when the \"expectedNonce\" parameter is provided."
120
+ });
121
+ if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
122
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
123
+ error_description: "The \"wallet_nonce\" parameter MUST match the \"expectedNonce\" parameter when the \"expectedNonce\" parameter is provided."
124
+ });
125
+ if (params.client_id.startsWith("web-origin:") || params.client_id.startsWith("origin:")) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
126
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
127
+ error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(":")[0]}' when not using the dc_api response mode. Current: ${params.client_id}`
128
+ });
129
+ };
77
130
 
78
- // src/models/z-client-metadata.ts
79
- var import_oauth22 = require("@openid4vc/oauth2");
80
- var import_utils2 = require("@openid4vc/utils");
81
- var import_zod3 = require("zod");
131
+ //#endregion
132
+ //#region src/authorization-request/validate-authorization-request-dc-api.ts
133
+ /**
134
+ * Validate the OpenId4Vp Authorization Request parameters for the dc_api response mode
135
+ */
136
+ const validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
137
+ const { params, isJarRequest, disableOriginValidation, origin } = options;
138
+ if (isJarRequest && !params.expected_origins) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
139
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
140
+ error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
141
+ });
142
+ if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
143
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
144
+ error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
145
+ });
146
+ if (params.expected_origins && !disableOriginValidation) {
147
+ if (!origin) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
148
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
149
+ error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
150
+ });
151
+ if (params.expected_origins && !params.expected_origins.includes(origin)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
152
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
153
+ error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
154
+ });
155
+ }
156
+ };
82
157
 
83
- // src/jarm/metadata/z-jarm-client-metadata.ts
84
- var import_oauth2 = require("@openid4vc/oauth2");
85
- var import_utils = require("@openid4vc/utils");
86
- var import_zod = require("zod");
87
- var zJarmSignOnlyClientMetadata = import_zod.z.object({
88
- authorization_signed_response_alg: import_oauth2.zAlgValueNotNone,
89
- authorization_encrypted_response_alg: import_zod.z.optional(import_zod.z.never()),
90
- authorization_encrypted_response_enc: import_zod.z.optional(import_zod.z.never())
158
+ //#endregion
159
+ //#region src/jarm/metadata/z-jarm-client-metadata.ts
160
+ const zJarmSignOnlyClientMetadata = zod.z.object({
161
+ authorization_signed_response_alg: __openid4vc_oauth2.zAlgValueNotNone,
162
+ authorization_encrypted_response_alg: zod.z.optional(zod.z.never()),
163
+ authorization_encrypted_response_enc: zod.z.optional(zod.z.never())
91
164
  });
92
- var zJarmEncryptOnlyClientMetadata = import_zod.z.object({
93
- authorization_signed_response_alg: import_zod.z.optional(import_zod.z.never()),
94
- authorization_encrypted_response_alg: import_zod.z.string(),
95
- authorization_encrypted_response_enc: import_zod.z.optional(import_zod.z.string())
165
+ const zJarmEncryptOnlyClientMetadata = zod.z.object({
166
+ authorization_signed_response_alg: zod.z.optional(zod.z.never()),
167
+ authorization_encrypted_response_alg: zod.z.string(),
168
+ authorization_encrypted_response_enc: zod.z.optional(zod.z.string())
96
169
  });
97
- var zJarmSignEncryptClientMetadata = import_zod.z.object({
98
- authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,
99
- authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,
100
- authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
170
+ const zJarmSignEncryptClientMetadata = zod.z.object({
171
+ authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,
172
+ authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,
173
+ authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
101
174
  });
102
- var zJarmClientMetadata = import_zod.z.object({
103
- authorization_signed_response_alg: import_zod.z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),
104
- authorization_encrypted_response_alg: import_zod.z.optional(
105
- zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg
106
- ),
107
- authorization_encrypted_response_enc: import_zod.z.optional(
108
- zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
109
- )
175
+ /**
176
+ * Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.
177
+ */
178
+ const zJarmClientMetadata = zod.z.object({
179
+ authorization_signed_response_alg: zod.z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),
180
+ authorization_encrypted_response_alg: zod.z.optional(zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg),
181
+ authorization_encrypted_response_enc: zod.z.optional(zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc)
110
182
  });
111
- var zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {
112
- const parsedClientMeta = (0, import_utils.parseWithErrorHandling)(
113
- import_zod.z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),
114
- client_metadata,
115
- "Invalid jarm client metadata."
116
- );
117
- const SignEncrypt = zJarmSignEncryptClientMetadata.safeParse(parsedClientMeta);
118
- if (SignEncrypt.success) {
119
- return {
120
- type: "sign_encrypt",
121
- client_metadata: {
122
- ...SignEncrypt.data,
123
- authorization_encrypted_response_enc: client_metadata.authorization_encrypted_response_enc
124
- }
125
- };
126
- }
127
- const encryptOnly = zJarmEncryptOnlyClientMetadata.safeParse(parsedClientMeta);
128
- if (encryptOnly.success) {
129
- return {
130
- type: "encrypt",
131
- client_metadata: {
132
- ...encryptOnly.data,
133
- authorization_encrypted_response_enc: parsedClientMeta.authorization_encrypted_response_enc
134
- }
135
- };
136
- }
137
- const signOnly = zJarmSignOnlyClientMetadata.safeParse(parsedClientMeta);
138
- if (signOnly.success) {
139
- return {
140
- type: "sign",
141
- client_metadata: {
142
- ...signOnly.data,
143
- authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg
144
- }
145
- };
146
- }
147
- throw new import_oauth2.Oauth2Error("Invalid jarm client metadata. Failed to parse.");
183
+ const zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {
184
+ const parsedClientMeta = (0, __openid4vc_utils.parseWithErrorHandling)(zod.z.union([
185
+ zJarmEncryptOnlyClientMetadata,
186
+ zJarmSignOnlyClientMetadata,
187
+ zJarmSignEncryptClientMetadata
188
+ ]), client_metadata, "Invalid jarm client metadata.");
189
+ const SignEncrypt = zJarmSignEncryptClientMetadata.safeParse(parsedClientMeta);
190
+ if (SignEncrypt.success) return {
191
+ type: "sign_encrypt",
192
+ client_metadata: {
193
+ ...SignEncrypt.data,
194
+ authorization_encrypted_response_enc: client_metadata.authorization_encrypted_response_enc
195
+ }
196
+ };
197
+ const encryptOnly = zJarmEncryptOnlyClientMetadata.safeParse(parsedClientMeta);
198
+ if (encryptOnly.success) return {
199
+ type: "encrypt",
200
+ client_metadata: {
201
+ ...encryptOnly.data,
202
+ authorization_encrypted_response_enc: parsedClientMeta.authorization_encrypted_response_enc
203
+ }
204
+ };
205
+ const signOnly = zJarmSignOnlyClientMetadata.safeParse(parsedClientMeta);
206
+ if (signOnly.success) return {
207
+ type: "sign",
208
+ client_metadata: {
209
+ ...signOnly.data,
210
+ authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg
211
+ }
212
+ };
213
+ throw new __openid4vc_oauth2.Oauth2Error("Invalid jarm client metadata. Failed to parse.");
148
214
  });
149
215
 
150
- // src/models/z-vp-formats-supported.ts
151
- var import_zod2 = require("zod");
152
- var zVpFormatsSupported = import_zod2.z.object({
153
- "dc+sd-jwt": import_zod2.z.optional(
154
- import_zod2.z.object({
155
- "sd-jwt_alg_values": import_zod2.z.optional(import_zod2.z.array(import_zod2.z.string()).nonempty()),
156
- "kb-jwt_alg_values": import_zod2.z.optional(import_zod2.z.array(import_zod2.z.string()).nonempty())
157
- }).passthrough()
158
- ),
159
- jwt_vc_json: import_zod2.z.optional(
160
- import_zod2.z.object({
161
- alg_values: import_zod2.z.optional(import_zod2.z.array(import_zod2.z.string()).nonempty())
162
- }).passthrough()
163
- ),
164
- ldp_vc: import_zod2.z.optional(
165
- import_zod2.z.object({
166
- proof_type_values: import_zod2.z.optional(import_zod2.z.array(import_zod2.z.string()).nonempty()),
167
- cryptosuite_values: import_zod2.z.optional(import_zod2.z.array(import_zod2.z.string()).nonempty())
168
- }).passthrough()
169
- ),
170
- mso_mdoc: import_zod2.z.optional(
171
- import_zod2.z.object({
172
- // Draft 27
173
- issuer_signed_alg_values: import_zod2.z.optional(import_zod2.z.array(import_zod2.z.number()).nonempty()),
174
- device_signed_alg_values: import_zod2.z.optional(import_zod2.z.array(import_zod2.z.number()).nonempty()),
175
- // Draft 28+
176
- issuerauth_alg_values: import_zod2.z.optional(import_zod2.z.array(import_zod2.z.number()).nonempty()),
177
- deviceauth_alg_values: import_zod2.z.optional(import_zod2.z.array(import_zod2.z.number()).nonempty())
178
- }).passthrough()
179
- )
180
- }).passthrough().catchall(import_zod2.z.object({}).passthrough());
181
- var zLegacyVpFormats = import_zod2.z.record(
182
- import_zod2.z.string(),
183
- import_zod2.z.object({
184
- alg_values_supported: import_zod2.z.optional(import_zod2.z.array(import_zod2.z.string()))
185
- }).passthrough()
186
- );
187
-
188
- // src/models/z-client-metadata.ts
189
- var zClientMetadata = import_zod3.z.object({
190
- // Up until draft 22
191
- jwks_uri: import_zod3.z.string().url().optional(),
192
- jwks: import_zod3.z.optional(import_oauth22.zJwkSet),
193
- // Up until draft 26
194
- vp_formats: import_zod3.z.optional(zLegacyVpFormats),
195
- // From draft 27
196
- vp_formats_supported: import_zod3.z.optional(zVpFormatsSupported),
197
- // From draft 28
198
- encrypted_response_enc_values_supported: import_zod3.z.optional(import_zod3.z.array(import_zod3.z.string())),
199
- ...zJarmClientMetadata.shape,
200
- logo_uri: import_utils2.zHttpsUrl.optional(),
201
- client_name: import_zod3.z.string().optional()
216
+ //#endregion
217
+ //#region src/models/z-vp-formats-supported.ts
218
+ const zVpFormatsSupported = zod.z.object({
219
+ "dc+sd-jwt": zod.z.optional(zod.z.object({
220
+ "sd-jwt_alg_values": zod.z.optional(zod.z.array(zod.z.string()).nonempty()),
221
+ "kb-jwt_alg_values": zod.z.optional(zod.z.array(zod.z.string()).nonempty())
222
+ }).passthrough()),
223
+ jwt_vc_json: zod.z.optional(zod.z.object({ alg_values: zod.z.optional(zod.z.array(zod.z.string()).nonempty()) }).passthrough()),
224
+ ldp_vc: zod.z.optional(zod.z.object({
225
+ proof_type_values: zod.z.optional(zod.z.array(zod.z.string()).nonempty()),
226
+ cryptosuite_values: zod.z.optional(zod.z.array(zod.z.string()).nonempty())
227
+ }).passthrough()),
228
+ mso_mdoc: zod.z.optional(zod.z.object({
229
+ issuer_signed_alg_values: zod.z.optional(zod.z.array(zod.z.number()).nonempty()),
230
+ device_signed_alg_values: zod.z.optional(zod.z.array(zod.z.number()).nonempty()),
231
+ issuerauth_alg_values: zod.z.optional(zod.z.array(zod.z.number()).nonempty()),
232
+ deviceauth_alg_values: zod.z.optional(zod.z.array(zod.z.number()).nonempty())
233
+ }).passthrough())
234
+ }).passthrough().catchall(zod.z.object({}).passthrough());
235
+ const zLegacyVpFormats = zod.z.record(zod.z.string(), zod.z.object({ alg_values_supported: zod.z.optional(zod.z.array(zod.z.string())) }).passthrough());
236
+
237
+ //#endregion
238
+ //#region src/models/z-client-metadata.ts
239
+ const zClientMetadata = zod.z.object({
240
+ jwks_uri: zod.z.string().url().optional(),
241
+ jwks: zod.z.optional(__openid4vc_oauth2.zJwkSet),
242
+ vp_formats: zod.z.optional(zLegacyVpFormats),
243
+ vp_formats_supported: zod.z.optional(zVpFormatsSupported),
244
+ encrypted_response_enc_values_supported: zod.z.optional(zod.z.array(zod.z.string())),
245
+ ...zJarmClientMetadata.shape,
246
+ logo_uri: __openid4vc_utils.zHttpsUrl.optional(),
247
+ client_name: zod.z.string().optional()
202
248
  }).passthrough();
203
249
 
204
- // src/models/z-verifier-attestations.ts
205
- var import_zod4 = __toESM(require("zod"));
206
- var zVerifierAttestation = import_zod4.default.object({
207
- format: import_zod4.default.string(),
208
- data: import_zod4.default.record(import_zod4.default.unknown()).or(import_zod4.default.string()),
209
- credential_ids: import_zod4.default.array(import_zod4.default.string()).optional()
250
+ //#endregion
251
+ //#region src/models/z-verifier-attestations.ts
252
+ const zVerifierAttestation = zod.default.object({
253
+ format: zod.default.string(),
254
+ data: zod.default.record(zod.default.unknown()).or(zod.default.string()),
255
+ credential_ids: zod.default.array(zod.default.string()).optional()
210
256
  });
211
- var zVerifierAttestations = import_zod4.default.array(zVerifierAttestation);
212
-
213
- // src/authorization-request/z-authorization-request.ts
214
- var zOpenid4vpAuthorizationRequest = import_zod5.z.object({
215
- response_type: import_zod5.z.literal("vp_token"),
216
- client_id: import_zod5.z.string(),
217
- redirect_uri: import_utils3.zHttpsUrl.optional(),
218
- response_uri: import_utils3.zHttpsUrl.optional(),
219
- request_uri: import_utils3.zHttpsUrl.optional(),
220
- request_uri_method: import_zod5.z.optional(import_zod5.z.string()),
221
- response_mode: import_zod5.z.enum(["direct_post", "direct_post.jwt"]).optional(),
222
- nonce: import_zod5.z.string(),
223
- wallet_nonce: import_zod5.z.string().optional(),
224
- scope: import_zod5.z.string().optional(),
225
- presentation_definition: import_zod5.z.record(import_zod5.z.any()).or(import_utils3.zStringToJson).optional(),
226
- presentation_definition_uri: import_utils3.zHttpsUrl.optional(),
227
- dcql_query: import_zod5.z.record(import_zod5.z.any()).or(import_utils3.zStringToJson).optional(),
228
- client_metadata: zClientMetadata.optional(),
229
- client_metadata_uri: import_utils3.zHttpsUrl.optional(),
230
- state: import_zod5.z.string().optional(),
231
- transaction_data: import_zod5.z.array(import_zod5.z.string().base64url()).optional(),
232
- trust_chain: import_zod5.z.array(import_zod5.z.string()).nonempty().optional(),
233
- client_id_scheme: import_zod5.z.enum([
234
- "pre-registered",
235
- "redirect_uri",
236
- "entity_id",
237
- "did",
238
- "verifier_attestation",
239
- "x509_san_dns",
240
- "x509_san_uri",
241
- "x509_hash"
242
- ]).optional(),
243
- verifier_attestations: zVerifierAttestations.optional(),
244
- verifier_info: zVerifierAttestations.optional()
257
+ const zVerifierAttestations = zod.default.array(zVerifierAttestation);
258
+
259
+ //#endregion
260
+ //#region src/authorization-request/z-authorization-request.ts
261
+ const zOpenid4vpAuthorizationRequest = zod.z.object({
262
+ response_type: zod.z.literal("vp_token"),
263
+ client_id: zod.z.string(),
264
+ redirect_uri: __openid4vc_utils.zHttpsUrl.optional(),
265
+ response_uri: __openid4vc_utils.zHttpsUrl.optional(),
266
+ request_uri: __openid4vc_utils.zHttpsUrl.optional(),
267
+ request_uri_method: zod.z.optional(zod.z.string()),
268
+ response_mode: zod.z.enum(["direct_post", "direct_post.jwt"]).optional(),
269
+ nonce: zod.z.string(),
270
+ wallet_nonce: zod.z.string().optional(),
271
+ scope: zod.z.string().optional(),
272
+ presentation_definition: zod.z.record(zod.z.any()).or(__openid4vc_utils.zStringToJson).optional(),
273
+ presentation_definition_uri: __openid4vc_utils.zHttpsUrl.optional(),
274
+ dcql_query: zod.z.record(zod.z.any()).or(__openid4vc_utils.zStringToJson).optional(),
275
+ client_metadata: zClientMetadata.optional(),
276
+ client_metadata_uri: __openid4vc_utils.zHttpsUrl.optional(),
277
+ state: zod.z.string().optional(),
278
+ transaction_data: zod.z.array(zod.z.string().base64url()).optional(),
279
+ trust_chain: zod.z.array(zod.z.string()).nonempty().optional(),
280
+ client_id_scheme: zod.z.enum([
281
+ "pre-registered",
282
+ "redirect_uri",
283
+ "entity_id",
284
+ "did",
285
+ "verifier_attestation",
286
+ "x509_san_dns",
287
+ "x509_san_uri",
288
+ "x509_hash"
289
+ ]).optional(),
290
+ verifier_attestations: zVerifierAttestations.optional(),
291
+ verifier_info: zVerifierAttestations.optional()
245
292
  }).passthrough();
246
- var zOpenid4vpAuthorizationRequestFromUriParams = import_zod5.z.string().url().transform((url) => Object.fromEntries(new import_utils3.URL(url).searchParams)).pipe(
247
- import_zod5.z.object({
248
- presentation_definition: import_utils3.zStringToJson.optional(),
249
- client_metadata: import_utils3.zStringToJson.optional(),
250
- dcql_query: import_utils3.zStringToJson.optional(),
251
- transaction_data: import_utils3.zStringToJson.optional(),
252
- verifier_attestations: import_utils3.zStringToJson.optional(),
253
- verifier_info: import_utils3.zStringToJson.optional()
254
- }).passthrough()
255
- );
256
-
257
- // src/authorization-request/z-authorization-request-dc-api.ts
258
- var zOpenid4vpResponseModeDcApi = import_zod6.z.enum(["dc_api", "dc_api.jwt", "w3c_dc_api.jwt", "w3c_dc_api"]);
259
- var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
260
- response_type: true,
261
- nonce: true,
262
- presentation_definition: true,
263
- client_metadata: true,
264
- transaction_data: true,
265
- dcql_query: true,
266
- trust_chain: true,
267
- state: true,
268
- verifier_attestations: true,
269
- verifier_info: true
293
+ const zOpenid4vpAuthorizationRequestFromUriParams = zod.z.string().url().transform((url) => Object.fromEntries(new __openid4vc_utils.URL(url).searchParams)).pipe(zod.z.object({
294
+ presentation_definition: __openid4vc_utils.zStringToJson.optional(),
295
+ client_metadata: __openid4vc_utils.zStringToJson.optional(),
296
+ dcql_query: __openid4vc_utils.zStringToJson.optional(),
297
+ transaction_data: __openid4vc_utils.zStringToJson.optional(),
298
+ verifier_attestations: __openid4vc_utils.zStringToJson.optional(),
299
+ verifier_info: __openid4vc_utils.zStringToJson.optional()
300
+ }).passthrough());
301
+
302
+ //#endregion
303
+ //#region src/authorization-request/z-authorization-request-dc-api.ts
304
+ const zOpenid4vpResponseModeDcApi = zod.z.enum([
305
+ "dc_api",
306
+ "dc_api.jwt",
307
+ "w3c_dc_api.jwt",
308
+ "w3c_dc_api"
309
+ ]);
310
+ const zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
311
+ response_type: true,
312
+ nonce: true,
313
+ presentation_definition: true,
314
+ client_metadata: true,
315
+ transaction_data: true,
316
+ dcql_query: true,
317
+ trust_chain: true,
318
+ state: true,
319
+ verifier_attestations: true,
320
+ verifier_info: true
270
321
  }).extend({
271
- client_id: import_zod6.z.optional(import_zod6.z.string()),
272
- expected_origins: import_zod6.z.array(import_zod6.z.string()).optional(),
273
- response_mode: zOpenid4vpResponseModeDcApi,
274
- // Not allowed with dc_api, but added to make working with interfaces easier
275
- client_id_scheme: import_zod6.z.never().optional(),
276
- scope: import_zod6.z.never().optional()
277
- // TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?
322
+ client_id: zod.z.optional(zod.z.string()),
323
+ expected_origins: zod.z.array(zod.z.string()).optional(),
324
+ response_mode: zOpenid4vpResponseModeDcApi,
325
+ client_id_scheme: zod.z.never().optional(),
326
+ scope: zod.z.never().optional()
278
327
  });
279
328
  function isOpenid4vpResponseModeDcApi(responseMode) {
280
- return responseMode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(responseMode);
329
+ return responseMode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(responseMode);
281
330
  }
282
331
  function isOpenid4vpAuthorizationRequestDcApi(request) {
283
- return isOpenid4vpResponseModeDcApi(request.response_mode);
332
+ return isOpenid4vpResponseModeDcApi(request.response_mode);
284
333
  }
285
334
 
286
- // src/client-identifier-prefix/z-client-id-prefix.ts
287
- var import_utils4 = require("@openid4vc/utils");
288
- var import_zod7 = require("zod");
289
- var zClientIdPrefix = import_zod7.z.enum([
290
- "pre-registered",
291
- "redirect_uri",
292
- "verifier_attestation",
293
- "https",
294
- // pre draft 26
295
- "openid_federation",
296
- // from draft 26
297
- "did",
298
- // pre draft 26
299
- "decentralized_identifier",
300
- // from draft 26
301
- "x509_san_uri",
302
- // pre-draft 25
303
- "x509_hash",
304
- // from draft 25
305
- "x509_san_dns",
306
- "origin",
307
- // from draft 25
308
- "web-origin"
309
- // pre-draft 25
310
- ]);
311
- var zUniformClientIdPrefix = zClientIdPrefix.exclude(["did", "https", "web-origin"]);
312
- var zClientIdToClientIdPrefixAndIdentifier = import_zod7.z.union(
313
- [
314
- import_zod7.z.string({ message: "client_id MUST be a string" }).includes(":").transform((clientId) => {
315
- const colonIndex = clientId.indexOf(":");
316
- const clientIdPrefix = clientId.slice(0, colonIndex);
317
- const clientIdIdentifier = clientId.slice(colonIndex + 1);
318
- if (clientIdPrefix === "http" && (0, import_utils4.getGlobalConfig)().allowInsecureUrls) {
319
- return ["https", clientId];
320
- }
321
- if (clientIdPrefix === "did" || clientIdPrefix === "http" || clientIdPrefix === "https") {
322
- return [clientIdPrefix, clientId];
323
- }
324
- return [clientIdPrefix, clientIdIdentifier];
325
- }).pipe(import_zod7.z.tuple([zClientIdPrefix.exclude(["pre-registered"]), import_zod7.z.string()])),
326
- import_zod7.z.string().refine((clientId) => clientId.includes(":") === false).transform((clientId) => ["pre-registered", clientId])
327
- ],
328
- {
329
- message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdPrefix.exclude(["pre-registered"]).options.join(", ")}`
330
- }
331
- );
332
- var zClientIdPrefixToUniform = zClientIdPrefix.transform(
333
- (prefix) => prefix === "did" ? "decentralized_identifier" : prefix === "https" ? "openid_federation" : prefix === "web-origin" ? "origin" : prefix
334
- );
335
- var zLegacyClientIdScheme = import_zod7.z.enum([
336
- "pre-registered",
337
- "redirect_uri",
338
- "entity_id",
339
- "did",
340
- "verifier_attestation",
341
- "x509_san_dns",
342
- "x509_san_uri"
343
- ]);
344
- var zLegacyClientIdSchemeToClientIdPrefix = zLegacyClientIdScheme.optional().default("pre-registered").transform(
345
- (clientIdScheme) => clientIdScheme === "entity_id" ? "openid_federation" : clientIdScheme === "did" ? "decentralized_identifier" : clientIdScheme
346
- );
347
-
348
- // src/client-identifier-prefix/parse-client-identifier-prefix.ts
349
- function getOpenid4vpClientId(options) {
350
- const original = {
351
- clientId: options.clientId
352
- };
353
- const version = options.version ?? 100;
354
- if (isOpenid4vpResponseModeDcApi(options.responseMode)) {
355
- if (!options.clientId) {
356
- if (!options.origin) {
357
- throw new import_oauth23.Oauth2ServerErrorResponseError({
358
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
359
- error_description: "Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'"
360
- });
361
- }
362
- return {
363
- clientIdPrefix: "origin",
364
- effectiveClientIdPrefix: "origin",
365
- clientIdIdentifier: options.origin,
366
- effectiveClientId: version >= 25 ? `origin:${options.origin}` : `web-origin:${options.origin}`,
367
- original
368
- };
369
- }
370
- const parsedClientIdPrefixAndIdentifier2 = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId);
371
- if (!parsedClientIdPrefixAndIdentifier2.success) {
372
- throw new import_oauth23.Oauth2ServerErrorResponseError({
373
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
374
- error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
375
- });
376
- }
377
- const [clientIdScheme2, clientIdIdentifier2] = parsedClientIdPrefixAndIdentifier2.data;
378
- const uniformClientIdScheme2 = zClientIdPrefixToUniform.safeParse(clientIdScheme2);
379
- if (!uniformClientIdScheme2.success) {
380
- throw new import_oauth23.Oauth2ServerErrorResponseError({
381
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
382
- error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
383
- });
384
- }
385
- return {
386
- effectiveClientId: options.clientId,
387
- effectiveClientIdPrefix: clientIdScheme2,
388
- original,
389
- clientIdPrefix: uniformClientIdScheme2.data,
390
- clientIdIdentifier: clientIdIdentifier2
391
- };
392
- }
393
- if (!options.clientId) {
394
- throw new import_oauth23.Oauth2ServerErrorResponseError({
395
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
396
- error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`
397
- });
398
- }
399
- if (options.legacyClientIdScheme) {
400
- const parsedClientIdPrefix = zLegacyClientIdSchemeToClientIdPrefix.safeParse(options.legacyClientIdScheme);
401
- if (!parsedClientIdPrefix.success) {
402
- throw new import_oauth23.Oauth2ServerErrorResponseError({
403
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
404
- error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`
405
- });
406
- }
407
- const clientIdPrefix = parsedClientIdPrefix.data;
408
- return {
409
- effectiveClientId: options.clientId,
410
- clientIdIdentifier: options.clientId,
411
- clientIdPrefix,
412
- effectiveClientIdPrefix: options.legacyClientIdScheme ?? "pre-registered",
413
- original: {
414
- ...original,
415
- clientIdScheme: options.legacyClientIdScheme
416
- }
417
- };
418
- }
419
- const parsedClientIdPrefixAndIdentifier = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId);
420
- if (!parsedClientIdPrefixAndIdentifier.success) {
421
- throw new import_oauth23.Oauth2ServerErrorResponseError({
422
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
423
- error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
424
- });
425
- }
426
- const [clientIdScheme, clientIdIdentifier] = parsedClientIdPrefixAndIdentifier.data;
427
- const uniformClientIdScheme = zClientIdPrefixToUniform.safeParse(clientIdScheme);
428
- if (!uniformClientIdScheme.success) {
429
- throw new import_oauth23.Oauth2ServerErrorResponseError({
430
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
431
- error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
432
- });
433
- }
434
- return {
435
- effectiveClientId: options.clientId,
436
- clientIdPrefix: uniformClientIdScheme.data,
437
- effectiveClientIdPrefix: clientIdScheme,
438
- clientIdIdentifier,
439
- original
440
- };
441
- }
442
- async function validateOpenid4vpClientId(options, parserConfig) {
443
- const { authorizationRequestPayload, jar, origin } = options;
444
- const parserConfigWithDefaults = {
445
- supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdPrefix.options)
446
- };
447
- const { clientIdIdentifier, clientIdPrefix, effectiveClientId, original } = getOpenid4vpClientId({
448
- clientId: authorizationRequestPayload.client_id,
449
- legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
450
- responseMode: authorizationRequestPayload.response_mode,
451
- origin
452
- });
453
- if (clientIdPrefix === "pre-registered") {
454
- return {
455
- prefix: "pre-registered",
456
- identifier: clientIdIdentifier,
457
- effective: effectiveClientId,
458
- original
459
- };
460
- }
461
- if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdPrefix)) {
462
- throw new import_oauth23.Oauth2ServerErrorResponseError({
463
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
464
- error_description: `Unsupported client identifier prefix. ${clientIdPrefix} is not supported.`
465
- });
466
- }
467
- if (clientIdPrefix === "openid_federation") {
468
- if (!import_utils5.zHttpsUrl.safeParse(clientIdIdentifier).success) {
469
- throw new import_oauth23.Oauth2ServerErrorResponseError(
470
- {
471
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
472
- error_description: "Invalid client identifier. Client identifier must start with https://"
473
- },
474
- {
475
- internalMessage: `Insecure http:// urls can be enabled by setting the 'allowInsecureUrls' option using setGlobalConfig`
476
- }
477
- );
478
- }
479
- if (!jar) {
480
- throw new import_oauth23.Oauth2ServerErrorResponseError({
481
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
482
- error_description: 'Using client identifier prefix "https" requires a signed JAR request.'
483
- });
484
- }
485
- if (jar.signer.method !== "federation") {
486
- throw new import_oauth23.Oauth2ServerErrorResponseError({
487
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
488
- error_description: "Something went wrong. The JWT signer method is not federation but the client identifier prefix is https."
489
- });
490
- }
491
- return {
492
- prefix: "openid_federation",
493
- identifier: clientIdIdentifier,
494
- effective: effectiveClientId,
495
- original,
496
- trustChain: authorizationRequestPayload.trust_chain
497
- };
498
- }
499
- if (clientIdPrefix === "redirect_uri") {
500
- if (jar) {
501
- throw new import_oauth23.Oauth2ServerErrorResponseError({
502
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
503
- error_description: 'Using client identifier prefix "redirect_uri" the request MUST NOT be signed.'
504
- });
505
- }
506
- if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
507
- throw new import_oauth23.Oauth2ServerErrorResponseError({
508
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
509
- error_description: `The client identifier prefix 'redirect_uri' is not supported when using the dc_api response mode.`
510
- });
511
- }
512
- if (authorizationRequestPayload.redirect_uri && authorizationRequestPayload.redirect_uri !== clientIdIdentifier) {
513
- throw new import_oauth23.Oauth2ServerErrorResponseError({
514
- error: import_oauth23.Oauth2ErrorCodes.InvalidClient,
515
- error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the redirect_uri.`
516
- });
517
- }
518
- if (authorizationRequestPayload.response_uri && authorizationRequestPayload.response_uri !== clientIdIdentifier) {
519
- throw new import_oauth23.Oauth2ServerErrorResponseError({
520
- error: import_oauth23.Oauth2ErrorCodes.InvalidClient,
521
- error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the response_uri.`
522
- });
523
- }
524
- return {
525
- prefix: clientIdPrefix,
526
- identifier: clientIdIdentifier,
527
- effective: effectiveClientId,
528
- original,
529
- clientMetadata: authorizationRequestPayload.client_metadata,
530
- redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
531
- };
532
- }
533
- if (clientIdPrefix === "decentralized_identifier") {
534
- if (!jar) {
535
- throw new import_oauth23.Oauth2ServerErrorResponseError({
536
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
537
- error_description: 'Using client identifier prefix "did" requires a signed JAR request.'
538
- });
539
- }
540
- if (jar.signer.method !== "did") {
541
- throw new import_oauth23.Oauth2ServerErrorResponseError({
542
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
543
- error_description: "Something went wrong. The JWT signer method is not did but the client identifier prefix is did."
544
- });
545
- }
546
- if (!clientIdIdentifier.startsWith("did:")) {
547
- throw new import_oauth23.Oauth2ServerErrorResponseError({
548
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
549
- error_description: "Invalid client identifier. Client id identifier must start with 'did:'"
550
- });
551
- }
552
- const [did] = jar.signer.didUrl.split("#");
553
- if (clientIdIdentifier !== did) {
554
- throw new import_oauth23.Oauth2ServerErrorResponseError({
555
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
556
- error_description: `With client identifier prefix '${clientIdPrefix}' the JAR request must be signed by the same DID as the client identifier.`
557
- });
558
- }
559
- return {
560
- prefix: "decentralized_identifier",
561
- identifier: clientIdIdentifier,
562
- effective: effectiveClientId,
563
- original,
564
- clientMetadata: authorizationRequestPayload.client_metadata,
565
- didUrl: jar.signer.didUrl
566
- };
567
- }
568
- if (clientIdPrefix === "x509_san_dns" || clientIdPrefix === "x509_san_uri" || clientIdPrefix === "x509_hash") {
569
- if (!jar) {
570
- throw new import_oauth23.Oauth2ServerErrorResponseError({
571
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
572
- error_description: `Using client identifier prefix '${clientIdPrefix}' requires a signed JAR request.`
573
- });
574
- }
575
- if (jar.signer.method !== "x5c") {
576
- throw new import_oauth23.Oauth2ServerErrorResponseError({
577
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
578
- error_description: `Something went wrong. The JWT signer method is not x5c but the client identifier prefix is '${clientIdPrefix}'`
579
- });
580
- }
581
- if (!options.callbacks.getX509CertificateMetadata) {
582
- throw new import_oauth23.Oauth2ServerErrorResponseError(
583
- {
584
- error: import_oauth23.Oauth2ErrorCodes.ServerError
585
- },
586
- {
587
- internalMessage: `Missing required 'getX509CertificateMetadata' callback for verification of '${clientIdPrefix}' client id prefix`
588
- }
589
- );
590
- }
591
- if (clientIdPrefix === "x509_san_dns") {
592
- const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
593
- if (!sanDnsNames.includes(clientIdIdentifier)) {
594
- throw new import_oauth23.Oauth2ServerErrorResponseError({
595
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
596
- error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'. `
597
- });
598
- }
599
- if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
600
- const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
601
- if (!uri || new import_utils5.URL(uri).hostname !== clientIdIdentifier) {
602
- throw new import_oauth23.Oauth2ServerErrorResponseError({
603
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
604
- error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
605
- });
606
- }
607
- }
608
- } else if (clientIdPrefix === "x509_san_uri") {
609
- const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
610
- if (!sanUriNames.includes(clientIdIdentifier)) {
611
- throw new import_oauth23.Oauth2ServerErrorResponseError({
612
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
613
- error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'.`
614
- });
615
- }
616
- if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
617
- const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
618
- if (!uri || uri !== clientIdIdentifier) {
619
- throw new import_oauth23.Oauth2ServerErrorResponseError({
620
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
621
- error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
622
- });
623
- }
624
- }
625
- } else if (clientIdPrefix === "x509_hash") {
626
- const x509Hash = (0, import_utils5.encodeToBase64Url)(
627
- await options.callbacks.hash((0, import_utils5.decodeBase64)(jar.signer.x5c[0]), import_oauth24.HashAlgorithm.Sha256)
628
- );
629
- if (x509Hash !== clientIdIdentifier) {
630
- throw new import_oauth23.Oauth2ServerErrorResponseError({
631
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
632
- error_description: `Invalid client identifier. Expected the base64url encoded sha-256 hash of the leaf x5c certificate ('${x509Hash}') to match the client identifier '${clientIdIdentifier}'.`
633
- });
634
- }
635
- }
636
- return {
637
- prefix: clientIdPrefix,
638
- identifier: clientIdIdentifier,
639
- effective: effectiveClientId,
640
- original,
641
- x5c: jar.signer.x5c,
642
- clientMetadata: authorizationRequestPayload.client_metadata
643
- };
644
- }
645
- if (clientIdPrefix === "origin") {
646
- return {
647
- prefix: clientIdPrefix,
648
- identifier: clientIdIdentifier,
649
- effective: effectiveClientId,
650
- original,
651
- clientMetadata: authorizationRequestPayload.client_metadata
652
- };
653
- }
654
- if (clientIdPrefix === "verifier_attestation") {
655
- if (!jar) {
656
- throw new import_oauth23.Oauth2ServerErrorResponseError({
657
- error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
658
- error_description: 'Using client identifier prefix "verifier_attestation" requires a signed JAR request.'
659
- });
660
- }
661
- }
662
- return {
663
- prefix: clientIdPrefix,
664
- clientMetadata: authorizationRequestPayload.client_metadata,
665
- identifier: clientIdIdentifier,
666
- effective: effectiveClientId,
667
- original
668
- };
669
- }
670
-
671
- // src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
672
- var import_oauth27 = require("@openid4vc/oauth2");
673
- var import_utils7 = require("@openid4vc/utils");
674
- var import_zod9 = __toESM(require("zod"));
675
-
676
- // src/jarm/jarm-extract-jwks.ts
677
- function extractEncryptionJwkFromJwks(jwks, {
678
- kid,
679
- supportedAlgValues
680
- }) {
681
- if (kid) {
682
- return jwks.keys.find((jwk) => jwk.kid === kid);
683
- }
684
- let algFiltered = jwks.keys.filter((key) => key.alg && supportedAlgValues?.includes(key.alg));
685
- if (algFiltered.length === 0) algFiltered = jwks.keys;
686
- let encFiltered = algFiltered.filter((key) => key.use === "enc");
687
- if (!encFiltered) encFiltered = algFiltered.filter((key) => key.use !== "sig");
688
- return encFiltered.length > 0 ? encFiltered[0] : jwks.keys[0];
689
- }
690
-
691
- // src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
692
- var import_oauth26 = require("@openid4vc/oauth2");
693
- var import_utils6 = require("@openid4vc/utils");
694
-
695
- // src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
696
- var import_oauth25 = require("@openid4vc/oauth2");
697
- var import_zod8 = require("zod");
698
- var zJarmHeader = import_zod8.z.object({ ...import_oauth25.zJwtHeader.shape, apu: import_zod8.z.string().optional(), apv: import_zod8.z.string().optional() });
699
- var zJarmAuthorizationResponse = import_zod8.z.object({
700
- /**
701
- * iss: The issuer URL of the authorization server that created the response
702
- * aud: The client_id of the client the response is intended for
703
- * exp: The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.
704
- */
705
- ...import_oauth25.zJwtPayload.shape,
706
- ...import_oauth25.zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,
707
- state: import_zod8.z.optional(import_zod8.z.string())
708
- }).passthrough();
709
- var zJarmAuthorizationResponseEncryptedOnly = import_zod8.z.object({
710
- ...import_oauth25.zJwtPayload.shape,
711
- state: import_zod8.z.optional(import_zod8.z.string())
712
- }).passthrough();
713
-
714
- // src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
715
- var jarmAuthorizationResponseValidate = (options) => {
716
- const { expectedClientId, authorizationResponse } = options;
717
- if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {
718
- return;
719
- }
720
- if (expectedClientId !== authorizationResponse.aud) {
721
- throw new import_oauth26.Oauth2Error(
722
- `Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`
723
- );
724
- }
725
- if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, import_utils6.dateToSeconds)()) {
726
- throw new import_oauth26.Oauth2Error("Jarm auth response is expired.");
727
- }
728
- };
729
-
730
- // src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
731
- var JarmMode = /* @__PURE__ */ ((JarmMode2) => {
732
- JarmMode2["Signed"] = "Signed";
733
- JarmMode2["Encrypted"] = "Encrypted";
734
- JarmMode2["SignedEncrypted"] = "SignedEncrypted";
735
- return JarmMode2;
736
- })(JarmMode || {});
737
- var decryptJarmAuthorizationResponseJwt = async (options) => {
738
- const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options;
739
- let encryptionJwk = void 0;
740
- const { header } = (0, import_oauth27.decodeJwtHeader)({
741
- jwt: jarmAuthorizationResponseJwt
742
- });
743
- if (authorizationRequestPayload.client_metadata?.jwks) {
744
- encryptionJwk = extractEncryptionJwkFromJwks(authorizationRequestPayload.client_metadata.jwks, {
745
- // Kid always take precedence
746
- kid: header.kid,
747
- // This value was removed in draft 26, but if it's still provided, we can use it to determine the key to use
748
- supportedAlgValues: authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg ? [authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg] : void 0
749
- });
750
- }
751
- const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk });
752
- if (!result.decrypted) {
753
- throw new import_oauth27.Oauth2Error("Failed to decrypt jarm auth response.");
754
- }
755
- return {
756
- decryptionJwk: result.decryptionJwk,
757
- payload: result.payload
758
- };
759
- };
760
- async function verifyJarmAuthorizationResponse(options) {
761
- const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
762
- const requestDataIsEncrypted = import_oauth27.zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
763
- const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmAuthorizationResponseJwt({
764
- jarmAuthorizationResponseJwt,
765
- callbacks,
766
- authorizationRequestPayload
767
- }) : { payload: jarmAuthorizationResponseJwt, decryptionJwk: void 0 };
768
- const responseIsSigned = import_oauth27.zCompactJwt.safeParse(decryptedRequestData.payload).success;
769
- if (!requestDataIsEncrypted && !responseIsSigned) {
770
- throw new import_oauth27.Oauth2Error("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
771
- }
772
- let jarmAuthorizationResponse;
773
- if (responseIsSigned) {
774
- const { header: jwsProtectedHeader, payload: jwsPayload } = (0, import_oauth27.decodeJwt)({
775
- jwt: decryptedRequestData.payload,
776
- headerSchema: import_zod9.default.object({ ...import_oauth27.zJwtHeader.shape, kid: import_zod9.default.string() })
777
- });
778
- const response = zJarmAuthorizationResponse.parse(jwsPayload);
779
- const jwtSigner = (0, import_oauth27.jwtSignerFromJwt)({ header: jwsProtectedHeader, payload: jwsPayload });
780
- const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {
781
- compact: decryptedRequestData.payload,
782
- header: jwsProtectedHeader,
783
- payload: jwsPayload
784
- });
785
- if (!verificationResult.verified) {
786
- throw new import_oauth27.Oauth2Error("Jarm Auth Response is not valid.");
787
- }
788
- jarmAuthorizationResponse = response;
789
- } else {
790
- const jsonRequestData = (0, import_utils7.stringToJsonWithErrorHandling)(
791
- decryptedRequestData.payload,
792
- "Unable to parse decrypted JARM JWE body to JSON"
793
- );
794
- jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
795
- }
796
- jarmAuthorizationResponseValidate({
797
- expectedClientId,
798
- authorizationResponse: jarmAuthorizationResponse
799
- });
800
- const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
801
- const issuer = jarmAuthorizationResponse.iss;
802
- return {
803
- jarmAuthorizationResponse,
804
- type,
805
- issuer,
806
- decryptionJwk: decryptedRequestData.decryptionJwk
807
- };
808
- }
809
-
810
- // src/version.ts
811
- var import_oauth28 = require("@openid4vc/oauth2");
812
- function parseAuthorizationRequestVersion(request) {
813
- const requirements = [];
814
- if (request.verifier_info) {
815
- requirements.push([">=", 100]);
816
- }
817
- if (request.verifier_attestations) {
818
- requirements.push(["<", 100]);
819
- }
820
- if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) {
821
- requirements.push([">=", 28]);
822
- }
823
- if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
824
- requirements.push(["<", 28]);
825
- }
826
- if (request.client_metadata?.vp_formats_supported) {
827
- requirements.push([">=", 27]);
828
- }
829
- if (request.client_metadata?.vp_formats) {
830
- requirements.push(["<", 27]);
831
- }
832
- if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
833
- requirements.push([">=", 26]);
834
- }
835
- if (request.client_id?.startsWith("did:")) {
836
- requirements.push(["<", 26]);
837
- }
838
- if (request.presentation_definition || request.presentation_definition_uri) {
839
- requirements.push(["<", 26]);
840
- }
841
- if (request.verifier_attestations) {
842
- requirements.push([">=", 26]);
843
- }
844
- if (request.client_id?.startsWith("x509_san_uri:")) {
845
- requirements.push(["<", 25]);
846
- }
847
- if (request.client_id?.startsWith("x509_hash:")) {
848
- requirements.push([">=", 25]);
849
- }
850
- if (request.client_id?.startsWith("web-origin:")) {
851
- requirements.push(["<", 25]);
852
- }
853
- if (request.client_id?.startsWith("origin:")) {
854
- requirements.push([">=", 25]);
855
- }
856
- if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
857
- requirements.push(["<", 23]);
858
- requirements.push([">=", 21]);
859
- }
860
- if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
861
- requirements.push([">=", 23]);
862
- }
863
- if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
864
- requirements.push([">=", 23]);
865
- }
866
- if (request.transaction_data) {
867
- requirements.push([">=", 22]);
868
- }
869
- if (request.client_id_scheme) {
870
- requirements.push(["<", 22]);
871
- }
872
- if (request.client_id) {
873
- const colonIndex = request.client_id.indexOf(":");
874
- const schemePart = request.client_id.substring(0, colonIndex);
875
- const parsedScheme = zClientIdPrefix.safeParse(schemePart);
876
- if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
877
- requirements.push([">=", 22]);
878
- }
879
- }
880
- if (!request.client_id) {
881
- requirements.push([">=", 21]);
882
- }
883
- if (request.dcql_query) {
884
- requirements.push([">=", 21]);
885
- }
886
- if (request.client_metadata_uri) {
887
- requirements.push(["<", 21]);
888
- }
889
- if (isOpenid4vpAuthorizationRequestDcApi(request)) {
890
- requirements.push([">=", 21]);
891
- }
892
- if (request.request_uri_method || request.wallet_nonce) {
893
- requirements.push([">=", 21]);
894
- }
895
- if (request.client_id_scheme === "verifier_attestation") {
896
- requirements.push([">=", 20]);
897
- }
898
- if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
899
- requirements.push([">=", 19]);
900
- }
901
- const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
902
- const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
903
- const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
904
- const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
905
- if (lowestRequiredVersion > highestPossibleVersion) {
906
- throw new import_oauth28.Oauth2ServerErrorResponseError({
907
- error: import_oauth28.Oauth2ErrorCodes.InvalidRequest,
908
- error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
909
- });
910
- }
911
- return highestPossibleVersion;
912
- }
913
-
914
- // src/authorization-request/create-authorization-request.ts
915
- var import_oauth212 = require("@openid4vc/oauth2");
916
- var import_utils10 = require("@openid4vc/utils");
917
-
918
- // src/jar/create-jar-authorization-request.ts
919
- var import_oauth29 = require("@openid4vc/oauth2");
920
- var import_utils8 = require("@openid4vc/utils");
921
- async function createJarAuthorizationRequest(options) {
922
- const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
923
- let authorizationRequestJwt;
924
- let encryptionJwk;
925
- const now = options.now ?? /* @__PURE__ */ new Date();
926
- const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
927
- header: { ...(0, import_oauth29.jwtHeaderFromJwtSigner)(jwtSigner), typ: "oauth-authz-req+jwt" },
928
- payload: {
929
- iat: (0, import_utils8.dateToSeconds)(now),
930
- exp: (0, import_utils8.dateToSeconds)((0, import_utils8.addSecondsToDate)(now, options.expiresInSeconds)),
931
- ...options.additionalJwtPayload,
932
- ...authorizationRequestPayload
933
- }
934
- });
935
- authorizationRequestJwt = jwt;
936
- if (jweEncryptor) {
937
- const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
938
- authorizationRequestJwt = encryptionResult.jwe;
939
- encryptionJwk = encryptionResult.encryptionJwk;
940
- }
941
- const client_id = authorizationRequestPayload.client_id;
942
- const jarAuthorizationRequest = requestUri ? { client_id, request_uri: requestUri } : { client_id, request: authorizationRequestJwt };
943
- return { jarAuthorizationRequest, signerJwk, encryptionJwk, authorizationRequestJwt };
944
- }
945
-
946
- // src/authorization-request/validate-authorization-request.ts
947
- var import_oauth210 = require("@openid4vc/oauth2");
948
- var import_utils9 = require("@openid4vc/utils");
949
- var validateOpenid4vpAuthorizationRequestPayload = (options) => {
950
- const { params, walletVerificationOptions } = options;
951
- if (!params.redirect_uri && !params.response_uri) {
952
- throw new import_oauth210.Oauth2ServerErrorResponseError({
953
- error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
954
- error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
955
- });
956
- }
957
- if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
958
- throw new import_oauth210.Oauth2ServerErrorResponseError({
959
- error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
960
- error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
961
- });
962
- }
963
- if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
964
- Boolean
965
- ).length > 1) {
966
- throw new import_oauth210.Oauth2ServerErrorResponseError({
967
- error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
968
- error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
969
- });
970
- }
971
- if (params.request_uri_method && !params.request_uri) {
972
- throw new import_oauth210.Oauth2ServerErrorResponseError({
973
- error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
974
- error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
975
- });
976
- }
977
- if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
978
- throw new import_oauth210.Oauth2ServerErrorResponseError({
979
- error: import_oauth210.Oauth2ErrorCodes.InvalidRequestUriMethod,
980
- error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
981
- });
982
- }
983
- if (params.trust_chain && !import_utils9.zHttpsUrl.safeParse(params.client_id).success) {
984
- throw new import_oauth210.Oauth2ServerErrorResponseError({
985
- error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
986
- error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
987
- });
988
- }
989
- if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
990
- throw new import_oauth210.Oauth2ServerErrorResponseError({
991
- error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
992
- error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
993
- });
994
- }
995
- if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
996
- throw new import_oauth210.Oauth2ServerErrorResponseError({
997
- error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
998
- error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
999
- });
1000
- }
1001
- if (params.client_id.startsWith("web-origin:") || params.client_id.startsWith("origin:")) {
1002
- throw new import_oauth210.Oauth2ServerErrorResponseError({
1003
- error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
1004
- error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(":")[0]}' when not using the dc_api response mode. Current: ${params.client_id}`
1005
- });
1006
- }
1007
- };
1008
-
1009
- // src/authorization-request/validate-authorization-request-dc-api.ts
1010
- var import_oauth211 = require("@openid4vc/oauth2");
1011
- var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
1012
- const { params, isJarRequest, disableOriginValidation, origin } = options;
1013
- if (isJarRequest && !params.expected_origins) {
1014
- throw new import_oauth211.Oauth2ServerErrorResponseError({
1015
- error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
1016
- error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
1017
- });
1018
- }
1019
- if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
1020
- throw new import_oauth211.Oauth2ServerErrorResponseError({
1021
- error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
1022
- error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
1023
- });
1024
- }
1025
- if (params.expected_origins && !disableOriginValidation) {
1026
- if (!origin) {
1027
- throw new import_oauth211.Oauth2ServerErrorResponseError({
1028
- error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
1029
- error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
1030
- });
1031
- }
1032
- if (params.expected_origins && !params.expected_origins.includes(origin)) {
1033
- throw new import_oauth211.Oauth2ServerErrorResponseError({
1034
- error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
1035
- error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
1036
- });
1037
- }
1038
- }
1039
- };
1040
-
1041
- // src/authorization-request/create-authorization-request.ts
335
+ //#endregion
336
+ //#region src/authorization-request/create-authorization-request.ts
337
+ /**
338
+ * Creates an OpenID4VP authorization request, optionally with a JWT Secured Authorization Request (JAR)
339
+ * If the request is created after receiving wallet metadata via a POST to the request_uri endpoint, the wallet nonce needs to be provided
340
+ *
341
+ * @param options Configuration options for creating the authorization request
342
+ * @param input.scheme Optional URI scheme to use (defaults to 'openid4vp://')
343
+ * @param input.authorizationRequestPayload The OpenID4VP authorization request parameters
344
+ * @param input.jar Optional JWT Secured Authorization Request (JAR) configuration
345
+ * @param input.jar.requestUri The URI where the JAR will be accessible
346
+ * @param input.jar.jwtSigner Function to sign the JAR JWT
347
+ * @param input.jar.jweEncryptor Optional function to encrypt the JAR JWT
348
+ * @param input.jar.additionalJwtPayload Optional additional claims to include in JAR JWT
349
+ * @param input.wallet Optional wallet-specific parameters
350
+ * @param input.wallet.nonce Optional wallet nonce
351
+ * @param input.callbacks Callback functions for JWT operations
352
+ * @returns Object containing the authorization request parameters, URI and optional JAR details
353
+ */
1042
354
  async function createOpenid4vpAuthorizationRequest(options) {
1043
- const { jar, scheme = "openid4vp://", wallet, callbacks } = options;
1044
- let additionalJwtPayload;
1045
- let authorizationRequestPayload;
1046
- if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
1047
- authorizationRequestPayload = (0, import_utils10.parseWithErrorHandling)(
1048
- zOpenid4vpAuthorizationRequestDcApi,
1049
- options.authorizationRequestPayload,
1050
- "Invalid authorization request. Could not parse openid4vp dc_api authorization request."
1051
- );
1052
- if (jar && !authorizationRequestPayload.expected_origins) {
1053
- throw new import_oauth212.Oauth2Error(
1054
- `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`
1055
- );
1056
- }
1057
- validateOpenid4vpAuthorizationRequestDcApiPayload({
1058
- params: authorizationRequestPayload,
1059
- isJarRequest: Boolean(jar),
1060
- disableOriginValidation: true
1061
- });
1062
- } else {
1063
- authorizationRequestPayload = (0, import_utils10.parseWithErrorHandling)(
1064
- zOpenid4vpAuthorizationRequest,
1065
- options.authorizationRequestPayload,
1066
- "Invalid authorization request. Could not parse openid4vp authorization request."
1067
- );
1068
- validateOpenid4vpAuthorizationRequestPayload({
1069
- params: authorizationRequestPayload,
1070
- walletVerificationOptions: wallet
1071
- });
1072
- }
1073
- if (jar) {
1074
- if (!jar.additionalJwtPayload?.aud) {
1075
- additionalJwtPayload = { ...jar.additionalJwtPayload, aud: jar.requestUri };
1076
- }
1077
- const jarResult = await createJarAuthorizationRequest({
1078
- ...jar,
1079
- authorizationRequestPayload,
1080
- additionalJwtPayload,
1081
- callbacks
1082
- });
1083
- const url2 = new import_utils10.URL(scheme);
1084
- url2.search = `?${new import_utils10.URLSearchParams([
1085
- ...url2.searchParams.entries(),
1086
- ...(0, import_utils10.objectToQueryParams)(jarResult.jarAuthorizationRequest).entries(),
1087
- // Add client_id_scheme if defined for backwards compat
1088
- ...authorizationRequestPayload.client_id_scheme ? [["client_id_scheme", authorizationRequestPayload.client_id_scheme]] : []
1089
- ]).toString()}`;
1090
- return {
1091
- authorizationRequestPayload,
1092
- authorizationRequestObject: jarResult.jarAuthorizationRequest,
1093
- authorizationRequest: url2.toString(),
1094
- jar: { ...jar, ...jarResult }
1095
- };
1096
- }
1097
- const url = new import_utils10.URL(scheme);
1098
- url.search = `?${new import_utils10.URLSearchParams([
1099
- ...url.searchParams.entries(),
1100
- ...(0, import_utils10.objectToQueryParams)(authorizationRequestPayload).entries()
1101
- ]).toString()}`;
1102
- return {
1103
- authorizationRequestPayload,
1104
- authorizationRequestObject: authorizationRequestPayload,
1105
- authorizationRequest: url.toString(),
1106
- jar: void 0
1107
- };
355
+ const { jar, scheme = "openid4vp://", wallet, callbacks } = options;
356
+ let additionalJwtPayload;
357
+ let authorizationRequestPayload;
358
+ if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
359
+ authorizationRequestPayload = (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationRequestDcApi, options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp dc_api authorization request.");
360
+ if (jar && !authorizationRequestPayload.expected_origins) throw new __openid4vc_oauth2.Oauth2Error(`The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`);
361
+ validateOpenid4vpAuthorizationRequestDcApiPayload({
362
+ params: authorizationRequestPayload,
363
+ isJarRequest: Boolean(jar),
364
+ disableOriginValidation: true
365
+ });
366
+ } else {
367
+ authorizationRequestPayload = (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationRequest, options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp authorization request.");
368
+ validateOpenid4vpAuthorizationRequestPayload({
369
+ params: authorizationRequestPayload,
370
+ walletVerificationOptions: wallet
371
+ });
372
+ }
373
+ if (jar) {
374
+ if (!jar.additionalJwtPayload?.aud) additionalJwtPayload = {
375
+ ...jar.additionalJwtPayload,
376
+ aud: jar.requestUri
377
+ };
378
+ const jarResult = await createJarAuthorizationRequest({
379
+ ...jar,
380
+ authorizationRequestPayload,
381
+ additionalJwtPayload,
382
+ callbacks
383
+ });
384
+ const url$1 = new __openid4vc_utils.URL(scheme);
385
+ url$1.search = `?${new __openid4vc_utils.URLSearchParams([
386
+ ...url$1.searchParams.entries(),
387
+ ...(0, __openid4vc_utils.objectToQueryParams)(jarResult.jarAuthorizationRequest).entries(),
388
+ ...authorizationRequestPayload.client_id_scheme ? [["client_id_scheme", authorizationRequestPayload.client_id_scheme]] : []
389
+ ]).toString()}`;
390
+ return {
391
+ authorizationRequestPayload,
392
+ authorizationRequestObject: jarResult.jarAuthorizationRequest,
393
+ authorizationRequest: url$1.toString(),
394
+ jar: {
395
+ ...jar,
396
+ ...jarResult
397
+ }
398
+ };
399
+ }
400
+ const url = new __openid4vc_utils.URL(scheme);
401
+ url.search = `?${new __openid4vc_utils.URLSearchParams([...url.searchParams.entries(), ...(0, __openid4vc_utils.objectToQueryParams)(authorizationRequestPayload).entries()]).toString()}`;
402
+ return {
403
+ authorizationRequestPayload,
404
+ authorizationRequestObject: authorizationRequestPayload,
405
+ authorizationRequest: url.toString(),
406
+ jar: void 0
407
+ };
1108
408
  }
1109
409
 
1110
- // src/authorization-request/parse-authorization-request-params.ts
1111
- var import_oauth214 = require("@openid4vc/oauth2");
1112
- var import_utils12 = require("@openid4vc/utils");
1113
- var import_zod11 = __toESM(require("zod"));
1114
-
1115
- // src/jar/z-jar-authorization-request.ts
1116
- var import_oauth213 = require("@openid4vc/oauth2");
1117
- var import_utils11 = require("@openid4vc/utils");
1118
- var import_zod10 = require("zod");
1119
- var zJarAuthorizationRequest = import_zod10.z.object({
1120
- request: import_zod10.z.optional(import_zod10.z.string()),
1121
- request_uri: import_zod10.z.optional(import_utils11.zHttpsUrl),
1122
- request_uri_method: import_zod10.z.optional(import_zod10.z.string()),
1123
- client_id: import_zod10.z.optional(import_zod10.z.string())
410
+ //#endregion
411
+ //#region src/jar/z-jar-authorization-request.ts
412
+ const zJarAuthorizationRequest = zod.z.object({
413
+ request: zod.z.optional(zod.z.string()),
414
+ request_uri: zod.z.optional(__openid4vc_utils.zHttpsUrl),
415
+ request_uri_method: zod.z.optional(zod.z.string()),
416
+ client_id: zod.z.optional(zod.z.string())
1124
417
  }).passthrough();
1125
418
  function validateJarRequestParams(options) {
1126
- const { jarRequestParams } = options;
1127
- if (jarRequestParams.request && jarRequestParams.request_uri) {
1128
- throw new import_oauth213.Oauth2ServerErrorResponseError({
1129
- error: "invalid_request_object",
1130
- error_description: "request and request_uri cannot both be present in a JAR request"
1131
- });
1132
- }
1133
- if (!jarRequestParams.request && !jarRequestParams.request_uri) {
1134
- throw new import_oauth213.Oauth2ServerErrorResponseError({
1135
- error: "invalid_request_object",
1136
- error_description: "request or request_uri must be present"
1137
- });
1138
- }
1139
- return jarRequestParams;
419
+ const { jarRequestParams } = options;
420
+ if (jarRequestParams.request && jarRequestParams.request_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
421
+ error: "invalid_request_object",
422
+ error_description: "request and request_uri cannot both be present in a JAR request"
423
+ });
424
+ if (!jarRequestParams.request && !jarRequestParams.request_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
425
+ error: "invalid_request_object",
426
+ error_description: "request or request_uri must be present"
427
+ });
428
+ return jarRequestParams;
1140
429
  }
1141
430
  function isJarAuthorizationRequest(request) {
1142
- return "request" in request || "request_uri" in request;
431
+ return "request" in request || "request_uri" in request;
1143
432
  }
1144
433
 
1145
- // src/authorization-request/parse-authorization-request-params.ts
434
+ //#endregion
435
+ //#region src/authorization-request/parse-authorization-request-params.ts
1146
436
  function parseOpenid4vpAuthorizationRequest(options) {
1147
- const { authorizationRequest } = options;
1148
- let provided = "params";
1149
- let params;
1150
- if (typeof authorizationRequest === "string") {
1151
- if (authorizationRequest.includes(":")) {
1152
- params = (0, import_utils12.parseWithErrorHandling)(
1153
- zOpenid4vpAuthorizationRequestFromUriParams,
1154
- authorizationRequest,
1155
- "Unable to parse openid4vp authorization request uri to a valid object"
1156
- );
1157
- provided = "uri";
1158
- } else {
1159
- const decoded = (0, import_oauth214.decodeJwt)({ jwt: authorizationRequest });
1160
- params = decoded.payload;
1161
- provided = "jwt";
1162
- }
1163
- } else {
1164
- params = authorizationRequest;
1165
- }
1166
- const parsedRequest = (0, import_utils12.parseWithErrorHandling)(
1167
- import_zod11.default.union([zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),
1168
- params
1169
- );
1170
- if (isJarAuthorizationRequest(parsedRequest)) {
1171
- return {
1172
- type: "jar",
1173
- provided,
1174
- params: parsedRequest
1175
- };
1176
- }
1177
- if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {
1178
- return {
1179
- type: "openid4vp_dc_api",
1180
- provided,
1181
- params: parsedRequest
1182
- };
1183
- }
1184
- return {
1185
- type: "openid4vp",
1186
- provided,
1187
- params: parsedRequest
1188
- };
437
+ const { authorizationRequest } = options;
438
+ let provided = "params";
439
+ let params;
440
+ if (typeof authorizationRequest === "string") if (authorizationRequest.includes(":")) {
441
+ params = (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationRequestFromUriParams, authorizationRequest, "Unable to parse openid4vp authorization request uri to a valid object");
442
+ provided = "uri";
443
+ } else {
444
+ params = (0, __openid4vc_oauth2.decodeJwt)({ jwt: authorizationRequest }).payload;
445
+ provided = "jwt";
446
+ }
447
+ else params = authorizationRequest;
448
+ const parsedRequest = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([
449
+ zOpenid4vpAuthorizationRequest,
450
+ zJarAuthorizationRequest,
451
+ zOpenid4vpAuthorizationRequestDcApi
452
+ ]), params);
453
+ if (isJarAuthorizationRequest(parsedRequest)) return {
454
+ type: "jar",
455
+ provided,
456
+ params: parsedRequest
457
+ };
458
+ if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) return {
459
+ type: "openid4vp_dc_api",
460
+ provided,
461
+ params: parsedRequest
462
+ };
463
+ return {
464
+ type: "openid4vp",
465
+ provided,
466
+ params: parsedRequest
467
+ };
1189
468
  }
1190
469
 
1191
- // src/authorization-request/resolve-authorization-request.ts
1192
- var import_oauth220 = require("@openid4vc/oauth2");
1193
- var import_utils16 = require("@openid4vc/utils");
1194
- var import_zod15 = __toESM(require("zod"));
470
+ //#endregion
471
+ //#region src/client-identifier-prefix/z-client-id-prefix.ts
472
+ const zClientIdPrefix = zod.z.enum([
473
+ "pre-registered",
474
+ "redirect_uri",
475
+ "verifier_attestation",
476
+ "https",
477
+ "openid_federation",
478
+ "did",
479
+ "decentralized_identifier",
480
+ "x509_san_uri",
481
+ "x509_hash",
482
+ "x509_san_dns",
483
+ "origin",
484
+ "web-origin"
485
+ ]);
486
+ const zUniformClientIdPrefix = zClientIdPrefix.exclude([
487
+ "did",
488
+ "https",
489
+ "web-origin"
490
+ ]);
491
+ const zClientIdToClientIdPrefixAndIdentifier = zod.z.union([zod.z.string({ message: "client_id MUST be a string" }).includes(":").transform((clientId) => {
492
+ const colonIndex = clientId.indexOf(":");
493
+ const clientIdPrefix = clientId.slice(0, colonIndex);
494
+ const clientIdIdentifier = clientId.slice(colonIndex + 1);
495
+ if (clientIdPrefix === "http" && (0, __openid4vc_utils.getGlobalConfig)().allowInsecureUrls) return ["https", clientId];
496
+ if (clientIdPrefix === "did" || clientIdPrefix === "http" || clientIdPrefix === "https") return [clientIdPrefix, clientId];
497
+ return [clientIdPrefix, clientIdIdentifier];
498
+ }).pipe(zod.z.tuple([zClientIdPrefix.exclude(["pre-registered"]), zod.z.string()])), zod.z.string().refine((clientId) => clientId.includes(":") === false).transform((clientId) => ["pre-registered", clientId])], { message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdPrefix.exclude(["pre-registered"]).options.join(", ")}` });
499
+ const zClientIdPrefixToUniform = zClientIdPrefix.transform((prefix) => prefix === "did" ? "decentralized_identifier" : prefix === "https" ? "openid_federation" : prefix === "web-origin" ? "origin" : prefix);
500
+ const zLegacyClientIdScheme = zod.z.enum([
501
+ "pre-registered",
502
+ "redirect_uri",
503
+ "entity_id",
504
+ "did",
505
+ "verifier_attestation",
506
+ "x509_san_dns",
507
+ "x509_san_uri"
508
+ ]);
509
+ const zLegacyClientIdSchemeToClientIdPrefix = zLegacyClientIdScheme.optional().default("pre-registered").transform((clientIdScheme) => clientIdScheme === "entity_id" ? "openid_federation" : clientIdScheme === "did" ? "decentralized_identifier" : clientIdScheme);
510
+
511
+ //#endregion
512
+ //#region src/client-identifier-prefix/parse-client-identifier-prefix.ts
513
+ /**
514
+ * Get the client id for an authorization request based on the response_mode, client_id, client_id_scheme and origin values.
515
+ *
516
+ * It will return the client id prefix as used in OpenID4VP v1, and optionally provide the legacyClientId if the
517
+ * client id was provided with a client_id_scheme
518
+ */
519
+ function getOpenid4vpClientId(options) {
520
+ const original = { clientId: options.clientId };
521
+ const version = options.version ?? 100;
522
+ if (isOpenid4vpResponseModeDcApi(options.responseMode)) {
523
+ if (!options.clientId) {
524
+ if (!options.origin) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
525
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
526
+ error_description: "Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'"
527
+ });
528
+ return {
529
+ clientIdPrefix: "origin",
530
+ effectiveClientIdPrefix: "origin",
531
+ clientIdIdentifier: options.origin,
532
+ effectiveClientId: version >= 25 ? `origin:${options.origin}` : `web-origin:${options.origin}`,
533
+ original
534
+ };
535
+ }
536
+ const parsedClientIdPrefixAndIdentifier$1 = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId);
537
+ if (!parsedClientIdPrefixAndIdentifier$1.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
538
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
539
+ error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
540
+ });
541
+ const [clientIdScheme$1, clientIdIdentifier$1] = parsedClientIdPrefixAndIdentifier$1.data;
542
+ const uniformClientIdScheme$1 = zClientIdPrefixToUniform.safeParse(clientIdScheme$1);
543
+ if (!uniformClientIdScheme$1.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
544
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
545
+ error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
546
+ });
547
+ return {
548
+ effectiveClientId: options.clientId,
549
+ effectiveClientIdPrefix: clientIdScheme$1,
550
+ original,
551
+ clientIdPrefix: uniformClientIdScheme$1.data,
552
+ clientIdIdentifier: clientIdIdentifier$1
553
+ };
554
+ }
555
+ if (!options.clientId) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
556
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
557
+ error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`
558
+ });
559
+ if (options.legacyClientIdScheme) {
560
+ const parsedClientIdPrefix = zLegacyClientIdSchemeToClientIdPrefix.safeParse(options.legacyClientIdScheme);
561
+ if (!parsedClientIdPrefix.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
562
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
563
+ error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`
564
+ });
565
+ const clientIdPrefix = parsedClientIdPrefix.data;
566
+ return {
567
+ effectiveClientId: options.clientId,
568
+ clientIdIdentifier: options.clientId,
569
+ clientIdPrefix,
570
+ effectiveClientIdPrefix: options.legacyClientIdScheme ?? "pre-registered",
571
+ original: {
572
+ ...original,
573
+ clientIdScheme: options.legacyClientIdScheme
574
+ }
575
+ };
576
+ }
577
+ const parsedClientIdPrefixAndIdentifier = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId);
578
+ if (!parsedClientIdPrefixAndIdentifier.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
579
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
580
+ error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
581
+ });
582
+ const [clientIdScheme, clientIdIdentifier] = parsedClientIdPrefixAndIdentifier.data;
583
+ const uniformClientIdScheme = zClientIdPrefixToUniform.safeParse(clientIdScheme);
584
+ if (!uniformClientIdScheme.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
585
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
586
+ error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
587
+ });
588
+ return {
589
+ effectiveClientId: options.clientId,
590
+ clientIdPrefix: uniformClientIdScheme.data,
591
+ effectiveClientIdPrefix: clientIdScheme,
592
+ clientIdIdentifier,
593
+ original
594
+ };
595
+ }
596
+ /**
597
+ * Parse and validate a client identifier
598
+ */
599
+ async function validateOpenid4vpClientId(options, parserConfig) {
600
+ const { authorizationRequestPayload, jar, origin } = options;
601
+ const parserConfigWithDefaults = { supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdPrefix.options) };
602
+ const { clientIdIdentifier, clientIdPrefix, effectiveClientId, original } = getOpenid4vpClientId({
603
+ clientId: authorizationRequestPayload.client_id,
604
+ legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
605
+ responseMode: authorizationRequestPayload.response_mode,
606
+ origin
607
+ });
608
+ if (clientIdPrefix === "pre-registered") return {
609
+ prefix: "pre-registered",
610
+ identifier: clientIdIdentifier,
611
+ effective: effectiveClientId,
612
+ original
613
+ };
614
+ if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdPrefix)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
615
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
616
+ error_description: `Unsupported client identifier prefix. ${clientIdPrefix} is not supported.`
617
+ });
618
+ if (clientIdPrefix === "openid_federation") {
619
+ if (!__openid4vc_utils.zHttpsUrl.safeParse(clientIdIdentifier).success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
620
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
621
+ error_description: "Invalid client identifier. Client identifier must start with https://"
622
+ }, { internalMessage: `Insecure http:// urls can be enabled by setting the 'allowInsecureUrls' option using setGlobalConfig` });
623
+ if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
624
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
625
+ error_description: "Using client identifier prefix \"https\" requires a signed JAR request."
626
+ });
627
+ if (jar.signer.method !== "federation") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
628
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
629
+ error_description: "Something went wrong. The JWT signer method is not federation but the client identifier prefix is https."
630
+ });
631
+ return {
632
+ prefix: "openid_federation",
633
+ identifier: clientIdIdentifier,
634
+ effective: effectiveClientId,
635
+ original,
636
+ trustChain: authorizationRequestPayload.trust_chain
637
+ };
638
+ }
639
+ if (clientIdPrefix === "redirect_uri") {
640
+ if (jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
641
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
642
+ error_description: "Using client identifier prefix \"redirect_uri\" the request MUST NOT be signed."
643
+ });
644
+ if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
645
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
646
+ error_description: `The client identifier prefix 'redirect_uri' is not supported when using the dc_api response mode.`
647
+ });
648
+ if (authorizationRequestPayload.redirect_uri && authorizationRequestPayload.redirect_uri !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
649
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidClient,
650
+ error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the redirect_uri.`
651
+ });
652
+ if (authorizationRequestPayload.response_uri && authorizationRequestPayload.response_uri !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
653
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidClient,
654
+ error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the response_uri.`
655
+ });
656
+ return {
657
+ prefix: clientIdPrefix,
658
+ identifier: clientIdIdentifier,
659
+ effective: effectiveClientId,
660
+ original,
661
+ clientMetadata: authorizationRequestPayload.client_metadata,
662
+ redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
663
+ };
664
+ }
665
+ if (clientIdPrefix === "decentralized_identifier") {
666
+ if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
667
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
668
+ error_description: "Using client identifier prefix \"did\" requires a signed JAR request."
669
+ });
670
+ if (jar.signer.method !== "did") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
671
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
672
+ error_description: "Something went wrong. The JWT signer method is not did but the client identifier prefix is did."
673
+ });
674
+ if (!clientIdIdentifier.startsWith("did:")) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
675
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
676
+ error_description: "Invalid client identifier. Client id identifier must start with 'did:'"
677
+ });
678
+ const [did] = jar.signer.didUrl.split("#");
679
+ if (clientIdIdentifier !== did) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
680
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
681
+ error_description: `With client identifier prefix '${clientIdPrefix}' the JAR request must be signed by the same DID as the client identifier.`
682
+ });
683
+ return {
684
+ prefix: "decentralized_identifier",
685
+ identifier: clientIdIdentifier,
686
+ effective: effectiveClientId,
687
+ original,
688
+ clientMetadata: authorizationRequestPayload.client_metadata,
689
+ didUrl: jar.signer.didUrl
690
+ };
691
+ }
692
+ if (clientIdPrefix === "x509_san_dns" || clientIdPrefix === "x509_san_uri" || clientIdPrefix === "x509_hash") {
693
+ if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
694
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
695
+ error_description: `Using client identifier prefix '${clientIdPrefix}' requires a signed JAR request.`
696
+ });
697
+ if (jar.signer.method !== "x5c") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
698
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
699
+ error_description: `Something went wrong. The JWT signer method is not x5c but the client identifier prefix is '${clientIdPrefix}'`
700
+ });
701
+ if (!options.callbacks.getX509CertificateMetadata) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({ error: __openid4vc_oauth2.Oauth2ErrorCodes.ServerError }, { internalMessage: `Missing required 'getX509CertificateMetadata' callback for verification of '${clientIdPrefix}' client id prefix` });
702
+ if (clientIdPrefix === "x509_san_dns") {
703
+ const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
704
+ if (!sanDnsNames.includes(clientIdIdentifier)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
705
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
706
+ error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'. `
707
+ });
708
+ if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
709
+ const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
710
+ if (!uri || new __openid4vc_utils.URL(uri).hostname !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
711
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
712
+ error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
713
+ });
714
+ }
715
+ } else if (clientIdPrefix === "x509_san_uri") {
716
+ const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
717
+ if (!sanUriNames.includes(clientIdIdentifier)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
718
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
719
+ error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'.`
720
+ });
721
+ if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
722
+ const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
723
+ if (!uri || uri !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
724
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
725
+ error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
726
+ });
727
+ }
728
+ } else if (clientIdPrefix === "x509_hash") {
729
+ const x509Hash = (0, __openid4vc_utils.encodeToBase64Url)(await options.callbacks.hash((0, __openid4vc_utils.decodeBase64)(jar.signer.x5c[0]), __openid4vc_oauth2.HashAlgorithm.Sha256));
730
+ if (x509Hash !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
731
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
732
+ error_description: `Invalid client identifier. Expected the base64url encoded sha-256 hash of the leaf x5c certificate ('${x509Hash}') to match the client identifier '${clientIdIdentifier}'.`
733
+ });
734
+ }
735
+ return {
736
+ prefix: clientIdPrefix,
737
+ identifier: clientIdIdentifier,
738
+ effective: effectiveClientId,
739
+ original,
740
+ x5c: jar.signer.x5c,
741
+ clientMetadata: authorizationRequestPayload.client_metadata
742
+ };
743
+ }
744
+ if (clientIdPrefix === "origin") return {
745
+ prefix: clientIdPrefix,
746
+ identifier: clientIdIdentifier,
747
+ effective: effectiveClientId,
748
+ original,
749
+ clientMetadata: authorizationRequestPayload.client_metadata
750
+ };
751
+ if (clientIdPrefix === "verifier_attestation") {
752
+ if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
753
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
754
+ error_description: "Using client identifier prefix \"verifier_attestation\" requires a signed JAR request."
755
+ });
756
+ }
757
+ return {
758
+ prefix: clientIdPrefix,
759
+ clientMetadata: authorizationRequestPayload.client_metadata,
760
+ identifier: clientIdIdentifier,
761
+ effective: effectiveClientId,
762
+ original
763
+ };
764
+ }
1195
765
 
1196
- // src/fetch-client-metadata.ts
1197
- var import_oauth215 = require("@openid4vc/oauth2");
1198
- var import_utils13 = require("@openid4vc/utils");
766
+ //#endregion
767
+ //#region src/fetch-client-metadata.ts
1199
768
  async function fetchClientMetadata(options) {
1200
- const { fetch, clientMetadataUri } = options;
1201
- const fetcher = (0, import_utils13.createZodFetcher)(fetch);
1202
- const { result, response } = await fetcher(zClientMetadata, import_utils13.ContentType.Json, clientMetadataUri, {
1203
- method: "GET",
1204
- headers: {
1205
- Accept: import_utils13.ContentType.Json
1206
- }
1207
- });
1208
- if (!response.ok) {
1209
- throw new import_oauth215.Oauth2ServerErrorResponseError({
1210
- error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
1211
- error: import_oauth215.Oauth2ErrorCodes.InvalidRequestUri
1212
- });
1213
- }
1214
- if (!result || !result.success) {
1215
- throw new import_oauth215.Oauth2ServerErrorResponseError({
1216
- error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
1217
- error: import_oauth215.Oauth2ErrorCodes.InvalidRequestObject
1218
- });
1219
- }
1220
- return result.data;
769
+ const { fetch, clientMetadataUri } = options;
770
+ const { result, response } = await (0, __openid4vc_utils.createZodFetcher)(fetch)(zClientMetadata, __openid4vc_utils.ContentType.Json, clientMetadataUri, {
771
+ method: "GET",
772
+ headers: { Accept: __openid4vc_utils.ContentType.Json }
773
+ });
774
+ if (!response.ok) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
775
+ error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
776
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUri
777
+ });
778
+ if (!result || !result.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
779
+ error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
780
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject
781
+ });
782
+ return result.data;
1221
783
  }
1222
784
 
1223
- // src/jar/handle-jar-request/verify-jar-request.ts
1224
- var import_oauth218 = require("@openid4vc/oauth2");
1225
- var import_zod13 = __toESM(require("zod"));
785
+ //#endregion
786
+ //#region src/version.ts
787
+ function parseAuthorizationRequestVersion(request) {
788
+ const requirements = [];
789
+ if (request.verifier_info) requirements.push([">=", 100]);
790
+ if (request.verifier_attestations) requirements.push(["<", 100]);
791
+ if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) requirements.push([">=", 28]);
792
+ if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) requirements.push(["<", 28]);
793
+ if (request.client_metadata?.vp_formats_supported) requirements.push([">=", 27]);
794
+ if (request.client_metadata?.vp_formats) requirements.push(["<", 27]);
795
+ if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) requirements.push([">=", 26]);
796
+ if (request.client_id?.startsWith("did:")) requirements.push(["<", 26]);
797
+ if (request.presentation_definition || request.presentation_definition_uri) requirements.push(["<", 26]);
798
+ if (request.verifier_attestations) requirements.push([">=", 26]);
799
+ if (request.client_id?.startsWith("x509_san_uri:")) requirements.push(["<", 25]);
800
+ if (request.client_id?.startsWith("x509_hash:")) requirements.push([">=", 25]);
801
+ if (request.client_id?.startsWith("web-origin:")) requirements.push(["<", 25]);
802
+ if (request.client_id?.startsWith("origin:")) requirements.push([">=", 25]);
803
+ if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
804
+ requirements.push(["<", 23]);
805
+ requirements.push([">=", 21]);
806
+ }
807
+ if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) requirements.push([">=", 23]);
808
+ if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) requirements.push([">=", 23]);
809
+ if (request.transaction_data) requirements.push([">=", 22]);
810
+ if (request.client_id_scheme) requirements.push(["<", 22]);
811
+ if (request.client_id) {
812
+ const colonIndex = request.client_id.indexOf(":");
813
+ const schemePart = request.client_id.substring(0, colonIndex);
814
+ const parsedScheme = zClientIdPrefix.safeParse(schemePart);
815
+ if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") requirements.push([">=", 22]);
816
+ }
817
+ if (!request.client_id) requirements.push([">=", 21]);
818
+ if (request.dcql_query) requirements.push([">=", 21]);
819
+ if (request.client_metadata_uri) requirements.push(["<", 21]);
820
+ if (isOpenid4vpAuthorizationRequestDcApi(request)) requirements.push([">=", 21]);
821
+ if (request.request_uri_method || request.wallet_nonce) requirements.push([">=", 21]);
822
+ if (request.client_id_scheme === "verifier_attestation") requirements.push([">=", 20]);
823
+ if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") requirements.push([">=", 19]);
824
+ const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
825
+ const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
826
+ const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
827
+ const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
828
+ if (lowestRequiredVersion > highestPossibleVersion) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
829
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
830
+ error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
831
+ });
832
+ return highestPossibleVersion;
833
+ }
1226
834
 
1227
- // src/jar/jar-request-object/fetch-jar-request-object.ts
1228
- var import_oauth216 = require("@openid4vc/oauth2");
1229
- var import_utils14 = require("@openid4vc/utils");
835
+ //#endregion
836
+ //#region src/jar/jar-request-object/fetch-jar-request-object.ts
837
+ /**
838
+ * Fetch a request object and parse the response.
839
+ * If you want to fetch the request object without providing wallet_metadata or wallet_nonce as defined in jar you can use the `fetchJarRequestObject` function.
840
+ *
841
+ * Returns validated request object if successful response
842
+ * Throws error otherwise
843
+ *
844
+ * @throws {ValidationError} if successful response but validation of response failed
845
+ * @throws {InvalidFetchResponseError} if no successful or 404 response
846
+ * @throws {Error} if parsing json from response fails
847
+ */
1230
848
  async function fetchJarRequestObject(options) {
1231
- const { requestUri, clientIdPrefix, method, wallet, fetch } = options;
1232
- let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : void 0;
1233
- if (requestBody?.wallet_metadata?.request_object_signing_alg_values_supported && clientIdPrefix === "redirect_uri") {
1234
- const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata;
1235
- requestBody = { ...requestBody, wallet_metadata: { ...rest } };
1236
- }
1237
- const response = await (0, import_utils14.createFetcher)(fetch)(requestUri, {
1238
- method,
1239
- body: method === "post" ? (0, import_utils14.objectToQueryParams)(wallet.metadata ?? {}) : void 0,
1240
- headers: {
1241
- Accept: `${import_utils14.ContentType.OAuthAuthorizationRequestJwt}, ${import_utils14.ContentType.Jwt};q=0.9, text/plain`,
1242
- "Content-Type": import_utils14.ContentType.XWwwFormUrlencoded
1243
- }
1244
- }).catch(() => {
1245
- throw new import_oauth216.Oauth2ServerErrorResponseError({
1246
- error_description: `Fetching request_object from request_uri '${requestUri}' failed`,
1247
- error: import_oauth216.Oauth2ErrorCodes.InvalidRequestUri
1248
- });
1249
- });
1250
- if (!response.ok) {
1251
- throw new import_oauth216.Oauth2ServerErrorResponseError({
1252
- error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
1253
- error: import_oauth216.Oauth2ErrorCodes.InvalidRequestUri
1254
- });
1255
- }
1256
- return await response.text();
849
+ const { requestUri, clientIdPrefix, method, wallet, fetch } = options;
850
+ let requestBody = wallet.metadata ? {
851
+ wallet_metadata: wallet.metadata,
852
+ wallet_nonce: wallet.nonce
853
+ } : void 0;
854
+ if (requestBody?.wallet_metadata?.request_object_signing_alg_values_supported && clientIdPrefix === "redirect_uri") {
855
+ const { request_object_signing_alg_values_supported,...rest } = requestBody.wallet_metadata;
856
+ requestBody = {
857
+ ...requestBody,
858
+ wallet_metadata: { ...rest }
859
+ };
860
+ }
861
+ const response = await (0, __openid4vc_utils.createFetcher)(fetch)(requestUri, {
862
+ method,
863
+ body: method === "post" ? (0, __openid4vc_utils.objectToQueryParams)(wallet.metadata ?? {}) : void 0,
864
+ headers: {
865
+ Accept: `${__openid4vc_utils.ContentType.OAuthAuthorizationRequestJwt}, ${__openid4vc_utils.ContentType.Jwt};q=0.9, text/plain`,
866
+ "Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded
867
+ }
868
+ }).catch(() => {
869
+ throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
870
+ error_description: `Fetching request_object from request_uri '${requestUri}' failed`,
871
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUri
872
+ });
873
+ });
874
+ if (!response.ok) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
875
+ error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
876
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUri
877
+ });
878
+ return await response.text();
1257
879
  }
1258
880
 
1259
- // src/jar/jar-request-object/z-jar-request-object.ts
1260
- var import_oauth217 = require("@openid4vc/oauth2");
1261
- var import_zod12 = require("zod");
1262
- var zJarRequestObjectPayload = import_zod12.z.object({
1263
- ...import_oauth217.zJwtPayload.shape,
1264
- client_id: import_zod12.z.string()
881
+ //#endregion
882
+ //#region src/jar/jar-request-object/z-jar-request-object.ts
883
+ const zJarRequestObjectPayload = zod.z.object({
884
+ ...__openid4vc_oauth2.zJwtPayload.shape,
885
+ client_id: zod.z.string()
1265
886
  }).passthrough();
1266
887
 
1267
- // src/jar/handle-jar-request/verify-jar-request.ts
1268
- var zSignedAuthorizationRequestJwtHeaderTyp = import_zod13.default.literal("oauth-authz-req+jwt");
1269
- var signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
888
+ //#endregion
889
+ //#region src/jar/handle-jar-request/verify-jar-request.ts
890
+ const zSignedAuthorizationRequestJwtHeaderTyp = zod.default.literal("oauth-authz-req+jwt");
891
+ const signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
892
+ /**
893
+ * Verifies a JAR (JWT Secured Authorization Request) request by validating, decrypting, and verifying signatures.
894
+ *
895
+ * @param options - The input parameters
896
+ * @param options.jarRequestParams - The JAR authorization request parameters
897
+ * @param options.callbacks - Context containing the relevant Jose crypto operations
898
+ * @returns The verified authorization request parameters and metadata
899
+ */
1270
900
  async function verifyJarRequest(options) {
1271
- const { callbacks, wallet = {} } = options;
1272
- const jarRequestParams = validateJarRequestParams(options);
1273
- const sendBy = jarRequestParams.request ? "value" : "reference";
1274
- const clientIdPrefix = jarRequestParams.client_id ? zClientIdPrefix.safeParse(jarRequestParams.client_id.split(":")[0]).data : "origin";
1275
- const method = jarRequestParams.request_uri_method ?? "get";
1276
- if (method !== "get" && method !== "post") {
1277
- throw new import_oauth218.Oauth2ServerErrorResponseError({
1278
- error: import_oauth218.Oauth2ErrorCodes.InvalidRequestUriMethod,
1279
- error_description: `Invalid request_uri_method. Must be 'get' or 'post'.`
1280
- });
1281
- }
1282
- const requestObject = jarRequestParams.request ?? await fetchJarRequestObject({
1283
- requestUri: jarRequestParams.request_uri,
1284
- clientIdPrefix,
1285
- method,
1286
- wallet,
1287
- fetch: callbacks.fetch
1288
- });
1289
- const requestObjectIsEncrypted = import_oauth218.zCompactJwe.safeParse(requestObject).success;
1290
- const { decryptionJwk, payload: decryptedRequestObject } = requestObjectIsEncrypted ? await decryptJarRequest({ jwe: requestObject, callbacks }) : { payload: requestObject, decryptionJwk: void 0 };
1291
- const requestIsSigned = import_oauth218.zCompactJwt.safeParse(decryptedRequestObject).success;
1292
- if (!requestIsSigned) {
1293
- throw new import_oauth218.Oauth2ServerErrorResponseError({
1294
- error: import_oauth218.Oauth2ErrorCodes.InvalidRequestObject,
1295
- error_description: "JAR request object is not a valid JWT."
1296
- });
1297
- }
1298
- const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({
1299
- decryptedRequestObject,
1300
- callbacks
1301
- });
1302
- if (!authorizationRequestPayload.client_id) {
1303
- throw new import_oauth218.Oauth2ServerErrorResponseError({
1304
- error: import_oauth218.Oauth2ErrorCodes.InvalidRequestObject,
1305
- error_description: 'Jar Request Object is missing the required "client_id" field.'
1306
- });
1307
- }
1308
- if (!isOpenid4vpResponseModeDcApi(authorizationRequestPayload.response_mode) && jarRequestParams.client_id !== authorizationRequestPayload.client_id) {
1309
- throw new import_oauth218.Oauth2ServerErrorResponseError({
1310
- error: import_oauth218.Oauth2ErrorCodes.InvalidRequest,
1311
- error_description: "client_id does not match the request object client_id."
1312
- });
1313
- }
1314
- if (jarRequestParams.client_id_scheme && jarRequestParams.client_id_scheme !== authorizationRequestPayload.client_id_scheme) {
1315
- throw new import_oauth218.Oauth2ServerErrorResponseError({
1316
- error: import_oauth218.Oauth2ErrorCodes.InvalidRequest,
1317
- error_description: "client_id_scheme does not match the request object client_id_scheme."
1318
- });
1319
- }
1320
- return {
1321
- sendBy,
1322
- jwt,
1323
- authorizationRequestPayload,
1324
- signer,
1325
- decryptionJwk
1326
- };
901
+ const { callbacks, wallet = {} } = options;
902
+ const jarRequestParams = validateJarRequestParams(options);
903
+ const sendBy = jarRequestParams.request ? "value" : "reference";
904
+ const clientIdPrefix = jarRequestParams.client_id ? zClientIdPrefix.safeParse(jarRequestParams.client_id.split(":")[0]).data : "origin";
905
+ const method = jarRequestParams.request_uri_method ?? "get";
906
+ if (method !== "get" && method !== "post") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
907
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUriMethod,
908
+ error_description: `Invalid request_uri_method. Must be 'get' or 'post'.`
909
+ });
910
+ const requestObject = jarRequestParams.request ?? await fetchJarRequestObject({
911
+ requestUri: jarRequestParams.request_uri,
912
+ clientIdPrefix,
913
+ method,
914
+ wallet,
915
+ fetch: callbacks.fetch
916
+ });
917
+ const { decryptionJwk, payload: decryptedRequestObject } = __openid4vc_oauth2.zCompactJwe.safeParse(requestObject).success ? await decryptJarRequest({
918
+ jwe: requestObject,
919
+ callbacks
920
+ }) : {
921
+ payload: requestObject,
922
+ decryptionJwk: void 0
923
+ };
924
+ if (!__openid4vc_oauth2.zCompactJwt.safeParse(decryptedRequestObject).success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
925
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
926
+ error_description: "JAR request object is not a valid JWT."
927
+ });
928
+ const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({
929
+ decryptedRequestObject,
930
+ callbacks
931
+ });
932
+ if (!authorizationRequestPayload.client_id) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
933
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
934
+ error_description: "Jar Request Object is missing the required \"client_id\" field."
935
+ });
936
+ if (!isOpenid4vpResponseModeDcApi(authorizationRequestPayload.response_mode) && jarRequestParams.client_id !== authorizationRequestPayload.client_id) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
937
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
938
+ error_description: "client_id does not match the request object client_id."
939
+ });
940
+ if (jarRequestParams.client_id_scheme && jarRequestParams.client_id_scheme !== authorizationRequestPayload.client_id_scheme) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
941
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
942
+ error_description: "client_id_scheme does not match the request object client_id_scheme."
943
+ });
944
+ return {
945
+ sendBy,
946
+ jwt,
947
+ authorizationRequestPayload,
948
+ signer,
949
+ decryptionJwk
950
+ };
1327
951
  }
1328
952
  async function decryptJarRequest(options) {
1329
- const { jwe, callbacks } = options;
1330
- const { header } = (0, import_oauth218.decodeJwt)({ jwt: jwe });
1331
- if (!header.kid) {
1332
- throw new import_oauth218.Oauth2ServerErrorResponseError({
1333
- error: import_oauth218.Oauth2ErrorCodes.InvalidRequestObject,
1334
- error_description: 'Jar JWE is missing the protected header field "kid".'
1335
- });
1336
- }
1337
- const decryptionResult = await callbacks.decryptJwe(jwe);
1338
- if (!decryptionResult.decrypted) {
1339
- throw new import_oauth218.Oauth2ServerErrorResponseError({
1340
- error: "invalid_request_object",
1341
- error_description: "Failed to decrypt jar request object."
1342
- });
1343
- }
1344
- return decryptionResult;
953
+ const { jwe, callbacks } = options;
954
+ const { header } = (0, __openid4vc_oauth2.decodeJwt)({ jwt: jwe });
955
+ if (!header.kid) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
956
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
957
+ error_description: "Jar JWE is missing the protected header field \"kid\"."
958
+ });
959
+ const decryptionResult = await callbacks.decryptJwe(jwe);
960
+ if (!decryptionResult.decrypted) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
961
+ error: "invalid_request_object",
962
+ error_description: "Failed to decrypt jar request object."
963
+ });
964
+ return decryptionResult;
1345
965
  }
1346
966
  async function verifyJarRequestObject(options) {
1347
- const { decryptedRequestObject, callbacks } = options;
1348
- const jwt = (0, import_oauth218.decodeJwt)({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload });
1349
- let jwtSigner;
1350
- const { clientIdPrefix } = getOpenid4vpClientId({
1351
- responseMode: jwt.payload.response_mode,
1352
- clientId: jwt.payload.client_id,
1353
- legacyClientIdScheme: jwt.payload.client_id_scheme
1354
- });
1355
- const clientIdToSignerMethod = {
1356
- decentralized_identifier: ["did"],
1357
- "pre-registered": ["custom", "did", "jwk"],
1358
- origin: [],
1359
- // no signing allowed
1360
- redirect_uri: [],
1361
- // no signing allowed
1362
- // Not 100% sure which one are allowed?
1363
- verifier_attestation: ["did", "federation", "jwk", "x5c", "custom"],
1364
- x509_san_dns: ["x5c"],
1365
- x509_san_uri: ["x5c"],
1366
- x509_hash: ["x5c"],
1367
- // Handled separately
1368
- openid_federation: []
1369
- };
1370
- if (clientIdPrefix === "openid_federation") {
1371
- if (!jwt.header.kid) {
1372
- throw new import_oauth218.Oauth2Error(
1373
- `When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`
1374
- );
1375
- }
1376
- jwtSigner = {
1377
- method: "federation",
1378
- alg: jwt.header.alg,
1379
- trustChain: jwt.payload.trust_chain,
1380
- kid: jwt.header.kid
1381
- };
1382
- } else {
1383
- jwtSigner = (0, import_oauth218.jwtSignerFromJwt)({ ...jwt, allowedSignerMethods: clientIdToSignerMethod[clientIdPrefix] });
1384
- }
1385
- const { signer } = await (0, import_oauth218.verifyJwt)({
1386
- verifyJwtCallback: callbacks.verifyJwt,
1387
- compact: decryptedRequestObject,
1388
- header: jwt.header,
1389
- payload: jwt.payload,
1390
- signer: jwtSigner
1391
- });
1392
- const version = parseAuthorizationRequestVersion(jwt.payload);
1393
- if (jwt.header.typ !== "oauth-authz-req+jwt" && version >= 24) {
1394
- throw new import_oauth218.Oauth2ServerErrorResponseError({
1395
- error: import_oauth218.Oauth2ErrorCodes.InvalidRequestObject,
1396
- error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt", received "${jwt.header.typ}".`
1397
- });
1398
- }
1399
- return {
1400
- signer,
1401
- jwt,
1402
- authorizationRequestPayload: jwt.payload
1403
- };
967
+ const { decryptedRequestObject, callbacks } = options;
968
+ const jwt = (0, __openid4vc_oauth2.decodeJwt)({
969
+ jwt: decryptedRequestObject,
970
+ payloadSchema: zJarRequestObjectPayload
971
+ });
972
+ let jwtSigner;
973
+ const { clientIdPrefix } = getOpenid4vpClientId({
974
+ responseMode: jwt.payload.response_mode,
975
+ clientId: jwt.payload.client_id,
976
+ legacyClientIdScheme: jwt.payload.client_id_scheme
977
+ });
978
+ const clientIdToSignerMethod = {
979
+ decentralized_identifier: ["did"],
980
+ "pre-registered": [
981
+ "custom",
982
+ "did",
983
+ "jwk"
984
+ ],
985
+ origin: [],
986
+ redirect_uri: [],
987
+ verifier_attestation: [
988
+ "did",
989
+ "federation",
990
+ "jwk",
991
+ "x5c",
992
+ "custom"
993
+ ],
994
+ x509_san_dns: ["x5c"],
995
+ x509_san_uri: ["x5c"],
996
+ x509_hash: ["x5c"],
997
+ openid_federation: []
998
+ };
999
+ if (clientIdPrefix === "openid_federation") {
1000
+ if (!jwt.header.kid) throw new __openid4vc_oauth2.Oauth2Error(`When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`);
1001
+ jwtSigner = {
1002
+ method: "federation",
1003
+ alg: jwt.header.alg,
1004
+ trustChain: jwt.payload.trust_chain,
1005
+ kid: jwt.header.kid
1006
+ };
1007
+ } else jwtSigner = (0, __openid4vc_oauth2.jwtSignerFromJwt)({
1008
+ ...jwt,
1009
+ allowedSignerMethods: clientIdToSignerMethod[clientIdPrefix]
1010
+ });
1011
+ const { signer } = await (0, __openid4vc_oauth2.verifyJwt)({
1012
+ verifyJwtCallback: callbacks.verifyJwt,
1013
+ compact: decryptedRequestObject,
1014
+ header: jwt.header,
1015
+ payload: jwt.payload,
1016
+ signer: jwtSigner
1017
+ });
1018
+ const version = parseAuthorizationRequestVersion(jwt.payload);
1019
+ if (jwt.header.typ !== "oauth-authz-req+jwt" && version >= 24) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1020
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
1021
+ error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt", received "${jwt.header.typ}".`
1022
+ });
1023
+ return {
1024
+ signer,
1025
+ jwt,
1026
+ authorizationRequestPayload: jwt.payload
1027
+ };
1404
1028
  }
1405
1029
 
1406
- // src/transaction-data/parse-transaction-data.ts
1407
- var import_oauth219 = require("@openid4vc/oauth2");
1408
- var import_utils15 = require("@openid4vc/utils");
1409
-
1410
- // src/transaction-data/z-transaction-data.ts
1411
- var import_zod14 = require("zod");
1412
- var zTransactionEntry = import_zod14.z.object({
1413
- type: import_zod14.z.string(),
1414
- credential_ids: import_zod14.z.array(import_zod14.z.string()).nonempty(),
1415
- // SD-JWT VC specific
1416
- transaction_data_hashes_alg: import_zod14.z.array(import_zod14.z.string()).nonempty().optional()
1030
+ //#endregion
1031
+ //#region src/transaction-data/z-transaction-data.ts
1032
+ const zTransactionEntry = zod.z.object({
1033
+ type: zod.z.string(),
1034
+ credential_ids: zod.z.array(zod.z.string()).nonempty(),
1035
+ transaction_data_hashes_alg: zod.z.array(zod.z.string()).nonempty().optional()
1417
1036
  }).passthrough();
1418
- var zTransactionData = import_zod14.z.array(zTransactionEntry);
1037
+ const zTransactionData = zod.z.array(zTransactionEntry);
1419
1038
 
1420
- // src/transaction-data/parse-transaction-data.ts
1039
+ //#endregion
1040
+ //#region src/transaction-data/parse-transaction-data.ts
1421
1041
  function parseTransactionData(options) {
1422
- const { transactionData } = options;
1423
- const decoded = transactionData.map((tdEntry) => (0, import_utils15.parseIfJson)((0, import_utils15.encodeToUtf8String)((0, import_utils15.decodeBase64)(tdEntry))));
1424
- const parsedResult = zTransactionData.safeParse(decoded);
1425
- if (!parsedResult.success) {
1426
- throw new import_oauth219.Oauth2ServerErrorResponseError({
1427
- error: import_oauth219.Oauth2ErrorCodes.InvalidTransactionData,
1428
- error_description: "Failed to parse transaction data."
1429
- });
1430
- }
1431
- return parsedResult.data.map((decoded2, index) => ({
1432
- transactionData: decoded2,
1433
- encoded: transactionData[index],
1434
- transactionDataIndex: index
1435
- }));
1042
+ const { transactionData } = options;
1043
+ const decoded = transactionData.map((tdEntry) => (0, __openid4vc_utils.parseIfJson)((0, __openid4vc_utils.encodeToUtf8String)((0, __openid4vc_utils.decodeBase64)(tdEntry))));
1044
+ const parsedResult = zTransactionData.safeParse(decoded);
1045
+ if (!parsedResult.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1046
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
1047
+ error_description: "Failed to parse transaction data."
1048
+ });
1049
+ return parsedResult.data.map((decoded$1, index) => ({
1050
+ transactionData: decoded$1,
1051
+ encoded: transactionData[index],
1052
+ transactionDataIndex: index
1053
+ }));
1436
1054
  }
1437
1055
 
1438
- // src/authorization-request/resolve-authorization-request.ts
1056
+ //#endregion
1057
+ //#region src/authorization-request/resolve-authorization-request.ts
1439
1058
  async function resolveOpenid4vpAuthorizationRequest(options) {
1440
- const { wallet, callbacks, origin, disableOriginValidation } = options;
1441
- let authorizationRequestPayload;
1442
- const parsed = (0, import_utils16.parseWithErrorHandling)(
1443
- import_zod15.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),
1444
- options.authorizationRequestPayload,
1445
- "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request."
1446
- );
1447
- let jar;
1448
- if (isJarAuthorizationRequest(parsed)) {
1449
- jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet });
1450
- const parsedJarAuthorizationRequestPayload = (0, import_utils16.parseWithErrorHandling)(
1451
- import_zod15.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
1452
- jar.authorizationRequestPayload,
1453
- "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."
1454
- );
1455
- authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
1456
- authorizationRequestPayload: parsedJarAuthorizationRequestPayload,
1457
- wallet,
1458
- jar: true,
1459
- origin,
1460
- disableOriginValidation
1461
- });
1462
- } else {
1463
- authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
1464
- authorizationRequestPayload: parsed,
1465
- wallet,
1466
- jar: false,
1467
- origin,
1468
- disableOriginValidation
1469
- });
1470
- }
1471
- const version = parseAuthorizationRequestVersion(authorizationRequestPayload);
1472
- let clientMetadata = authorizationRequestPayload.client_metadata;
1473
- if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) {
1474
- clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
1475
- }
1476
- const clientMeta = await validateOpenid4vpClientId({
1477
- authorizationRequestPayload: {
1478
- ...authorizationRequestPayload,
1479
- client_metadata: clientMetadata
1480
- },
1481
- jar,
1482
- callbacks,
1483
- origin,
1484
- version
1485
- });
1486
- let pex;
1487
- let dcql;
1488
- if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) {
1489
- if (authorizationRequestPayload.presentation_definition_uri) {
1490
- throw new import_oauth220.Oauth2ServerErrorResponseError({
1491
- error: import_oauth220.Oauth2ErrorCodes.InvalidRequest,
1492
- error_description: "Cannot fetch presentation definition from URI. Not supported."
1493
- });
1494
- }
1495
- pex = {
1496
- presentation_definition: authorizationRequestPayload.presentation_definition,
1497
- presentation_definition_uri: authorizationRequestPayload.presentation_definition_uri
1498
- };
1499
- }
1500
- if (authorizationRequestPayload.dcql_query) {
1501
- dcql = { query: authorizationRequestPayload.dcql_query };
1502
- }
1503
- const transactionData = authorizationRequestPayload.transaction_data ? parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data }) : void 0;
1504
- return {
1505
- transactionData,
1506
- authorizationRequestPayload,
1507
- jar,
1508
- client: clientMeta,
1509
- pex,
1510
- dcql,
1511
- version
1512
- };
1059
+ const { wallet, callbacks, origin, disableOriginValidation } = options;
1060
+ let authorizationRequestPayload;
1061
+ const parsed = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([
1062
+ zOpenid4vpAuthorizationRequestDcApi,
1063
+ zOpenid4vpAuthorizationRequest,
1064
+ zJarAuthorizationRequest
1065
+ ]), options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request.");
1066
+ let jar;
1067
+ if (isJarAuthorizationRequest(parsed)) {
1068
+ jar = await verifyJarRequest({
1069
+ jarRequestParams: parsed,
1070
+ callbacks,
1071
+ wallet
1072
+ });
1073
+ authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
1074
+ authorizationRequestPayload: (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]), jar.authorizationRequestPayload, "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."),
1075
+ wallet,
1076
+ jar: true,
1077
+ origin,
1078
+ disableOriginValidation
1079
+ });
1080
+ } else authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
1081
+ authorizationRequestPayload: parsed,
1082
+ wallet,
1083
+ jar: false,
1084
+ origin,
1085
+ disableOriginValidation
1086
+ });
1087
+ const version = parseAuthorizationRequestVersion(authorizationRequestPayload);
1088
+ let clientMetadata = authorizationRequestPayload.client_metadata;
1089
+ if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
1090
+ const clientMeta = await validateOpenid4vpClientId({
1091
+ authorizationRequestPayload: {
1092
+ ...authorizationRequestPayload,
1093
+ client_metadata: clientMetadata
1094
+ },
1095
+ jar,
1096
+ callbacks,
1097
+ origin,
1098
+ version
1099
+ });
1100
+ let pex;
1101
+ let dcql;
1102
+ if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) {
1103
+ if (authorizationRequestPayload.presentation_definition_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1104
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
1105
+ error_description: "Cannot fetch presentation definition from URI. Not supported."
1106
+ });
1107
+ pex = {
1108
+ presentation_definition: authorizationRequestPayload.presentation_definition,
1109
+ presentation_definition_uri: authorizationRequestPayload.presentation_definition_uri
1110
+ };
1111
+ }
1112
+ if (authorizationRequestPayload.dcql_query) dcql = { query: authorizationRequestPayload.dcql_query };
1113
+ return {
1114
+ transactionData: authorizationRequestPayload.transaction_data ? parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data }) : void 0,
1115
+ authorizationRequestPayload,
1116
+ jar,
1117
+ client: clientMeta,
1118
+ pex,
1119
+ dcql,
1120
+ version
1121
+ };
1513
1122
  }
1514
1123
  function validateOpenId4vpAuthorizationRequestPayload(options) {
1515
- const { authorizationRequestPayload, wallet, jar, origin, disableOriginValidation } = options;
1516
- if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
1517
- validateOpenid4vpAuthorizationRequestDcApiPayload({
1518
- params: authorizationRequestPayload,
1519
- isJarRequest: jar,
1520
- disableOriginValidation,
1521
- origin
1522
- });
1523
- return authorizationRequestPayload;
1524
- }
1525
- validateOpenid4vpAuthorizationRequestPayload({
1526
- params: authorizationRequestPayload,
1527
- walletVerificationOptions: wallet
1528
- });
1529
- return authorizationRequestPayload;
1124
+ const { authorizationRequestPayload, wallet, jar, origin, disableOriginValidation } = options;
1125
+ if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
1126
+ validateOpenid4vpAuthorizationRequestDcApiPayload({
1127
+ params: authorizationRequestPayload,
1128
+ isJarRequest: jar,
1129
+ disableOriginValidation,
1130
+ origin
1131
+ });
1132
+ return authorizationRequestPayload;
1133
+ }
1134
+ validateOpenid4vpAuthorizationRequestPayload({
1135
+ params: authorizationRequestPayload,
1136
+ walletVerificationOptions: wallet
1137
+ });
1138
+ return authorizationRequestPayload;
1530
1139
  }
1531
1140
 
1532
- // src/authorization-response/create-authorization-response.ts
1533
- var import_oauth223 = require("@openid4vc/oauth2");
1534
- var import_utils17 = require("@openid4vc/utils");
1535
-
1536
- // ../utils/src/date.ts
1537
- function addSecondsToDate2(date, seconds) {
1538
- return new Date(date.getTime() + seconds * 1e3);
1141
+ //#endregion
1142
+ //#region ../utils/src/date.ts
1143
+ function addSecondsToDate(date, seconds) {
1144
+ return new Date(date.getTime() + seconds * 1e3);
1539
1145
  }
1540
1146
 
1541
- // src/jarm/jarm-authorization-response-create.ts
1542
- var import_oauth221 = require("@openid4vc/oauth2");
1147
+ //#endregion
1148
+ //#region src/jarm/jarm-authorization-response-create.ts
1543
1149
  async function createJarmAuthorizationResponse(options) {
1544
- const { jarmAuthorizationResponse, jweEncryptor, jwtSigner, callbacks } = options;
1545
- if (!jwtSigner && jweEncryptor) {
1546
- const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthorizationResponse));
1547
- return { jarmAuthorizationResponseJwt: jwe };
1548
- }
1549
- if (jwtSigner && !jweEncryptor) {
1550
- const signed2 = await callbacks.signJwt(jwtSigner, {
1551
- header: (0, import_oauth221.jwtHeaderFromJwtSigner)(jwtSigner),
1552
- payload: jarmAuthorizationResponse
1553
- });
1554
- return { jarmAuthorizationResponseJwt: signed2.jwt };
1555
- }
1556
- if (!jwtSigner || !jweEncryptor) {
1557
- throw new import_oauth221.Oauth2Error("JWT signer and/or encryptor are required to create a JARM auth response.");
1558
- }
1559
- const signed = await callbacks.signJwt(jwtSigner, {
1560
- header: (0, import_oauth221.jwtHeaderFromJwtSigner)(jwtSigner),
1561
- payload: jarmAuthorizationResponse
1562
- });
1563
- const encrypted = await callbacks.encryptJwe(jweEncryptor, signed.jwt);
1564
- return { jarmAuthorizationResponseJwt: encrypted.jwe };
1150
+ const { jarmAuthorizationResponse, jweEncryptor, jwtSigner, callbacks } = options;
1151
+ if (!jwtSigner && jweEncryptor) {
1152
+ const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthorizationResponse));
1153
+ return { jarmAuthorizationResponseJwt: jwe };
1154
+ }
1155
+ if (jwtSigner && !jweEncryptor) return { jarmAuthorizationResponseJwt: (await callbacks.signJwt(jwtSigner, {
1156
+ header: (0, __openid4vc_oauth2.jwtHeaderFromJwtSigner)(jwtSigner),
1157
+ payload: jarmAuthorizationResponse
1158
+ })).jwt };
1159
+ if (!jwtSigner || !jweEncryptor) throw new __openid4vc_oauth2.Oauth2Error("JWT signer and/or encryptor are required to create a JARM auth response.");
1160
+ const signed = await callbacks.signJwt(jwtSigner, {
1161
+ header: (0, __openid4vc_oauth2.jwtHeaderFromJwtSigner)(jwtSigner),
1162
+ payload: jarmAuthorizationResponse
1163
+ });
1164
+ return { jarmAuthorizationResponseJwt: (await callbacks.encryptJwe(jweEncryptor, signed.jwt)).jwe };
1165
+ }
1166
+
1167
+ //#endregion
1168
+ //#region src/jarm/jarm-extract-jwks.ts
1169
+ function extractEncryptionJwkFromJwks(jwks, { kid, supportedAlgValues }) {
1170
+ if (kid) return jwks.keys.find((jwk) => jwk.kid === kid);
1171
+ let algFiltered = jwks.keys.filter((key) => key.alg && supportedAlgValues?.includes(key.alg));
1172
+ if (algFiltered.length === 0) algFiltered = jwks.keys;
1173
+ let encFiltered = algFiltered.filter((key) => key.use === "enc");
1174
+ if (!encFiltered) encFiltered = algFiltered.filter((key) => key.use !== "sig");
1175
+ return encFiltered.length > 0 ? encFiltered[0] : jwks.keys[0];
1565
1176
  }
1566
1177
 
1567
- // src/jarm/jarm-response-mode.ts
1568
- var import_zod16 = require("zod");
1569
- var jarmResponseMode = [
1570
- "jwt",
1571
- "query.jwt",
1572
- "fragment.jwt",
1573
- "form_post.jwt",
1574
- "direct_post.jwt",
1575
- "dc_api.jwt"
1178
+ //#endregion
1179
+ //#region src/jarm/jarm-response-mode.ts
1180
+ const jarmResponseMode = [
1181
+ "jwt",
1182
+ "query.jwt",
1183
+ "fragment.jwt",
1184
+ "form_post.jwt",
1185
+ "direct_post.jwt",
1186
+ "dc_api.jwt"
1576
1187
  ];
1577
- var zJarmResponseMode = import_zod16.z.enum(jarmResponseMode);
1578
- var isJarmResponseMode = (responseMode) => {
1579
- return jarmResponseMode.includes(responseMode);
1188
+ const zJarmResponseMode = zod.z.enum(jarmResponseMode);
1189
+ const isJarmResponseMode = (responseMode) => {
1190
+ return jarmResponseMode.includes(responseMode);
1580
1191
  };
1581
1192
 
1582
- // src/jarm/metadata/jarm-assert-metadata-supported.ts
1583
- var import_oauth222 = require("@openid4vc/oauth2");
1193
+ //#endregion
1194
+ //#region src/jarm/metadata/jarm-assert-metadata-supported.ts
1584
1195
  function assertValueSupported(options) {
1585
- const { errorMessage, supported, actual } = options;
1586
- const intersection = supported.find((value) => value === actual);
1587
- if (!intersection) {
1588
- throw new import_oauth222.Oauth2Error(errorMessage);
1589
- }
1590
- return intersection;
1196
+ const { errorMessage, supported, actual } = options;
1197
+ const intersection = supported.find((value) => value === actual);
1198
+ if (!intersection) throw new __openid4vc_oauth2.Oauth2Error(errorMessage);
1199
+ return intersection;
1591
1200
  }
1592
1201
  function jarmAssertMetadataSupported(options) {
1593
- const { clientMetadata, serverMetadata } = options;
1594
- const parsedClientMetadata = zJarmClientMetadataParsed.parse(clientMetadata);
1595
- if (parsedClientMetadata.type === "sign_encrypt" || parsedClientMetadata.type === "encrypt") {
1596
- if (serverMetadata.authorization_encryption_alg_values_supported) {
1597
- assertValueSupported({
1598
- supported: serverMetadata.authorization_encryption_alg_values_supported,
1599
- actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_alg,
1600
- errorMessage: "Invalid authorization_encryption_alg"
1601
- });
1602
- }
1603
- if (serverMetadata.authorization_encryption_enc_values_supported) {
1604
- assertValueSupported({
1605
- supported: serverMetadata.authorization_encryption_enc_values_supported,
1606
- actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_enc,
1607
- errorMessage: "Invalid authorization_encryption_enc"
1608
- });
1609
- }
1610
- }
1611
- if (serverMetadata.authorization_signing_alg_values_supported && (parsedClientMetadata.type === "sign" || parsedClientMetadata.type === "sign_encrypt")) {
1612
- assertValueSupported({
1613
- supported: serverMetadata.authorization_signing_alg_values_supported,
1614
- actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,
1615
- errorMessage: "Invalid authorization_signed_response_alg"
1616
- });
1617
- }
1618
- return parsedClientMetadata;
1202
+ const { clientMetadata, serverMetadata } = options;
1203
+ const parsedClientMetadata = zJarmClientMetadataParsed.parse(clientMetadata);
1204
+ if (parsedClientMetadata.type === "sign_encrypt" || parsedClientMetadata.type === "encrypt") {
1205
+ if (serverMetadata.authorization_encryption_alg_values_supported) assertValueSupported({
1206
+ supported: serverMetadata.authorization_encryption_alg_values_supported,
1207
+ actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_alg,
1208
+ errorMessage: "Invalid authorization_encryption_alg"
1209
+ });
1210
+ if (serverMetadata.authorization_encryption_enc_values_supported) assertValueSupported({
1211
+ supported: serverMetadata.authorization_encryption_enc_values_supported,
1212
+ actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_enc,
1213
+ errorMessage: "Invalid authorization_encryption_enc"
1214
+ });
1215
+ }
1216
+ if (serverMetadata.authorization_signing_alg_values_supported && (parsedClientMetadata.type === "sign" || parsedClientMetadata.type === "sign_encrypt")) assertValueSupported({
1217
+ supported: serverMetadata.authorization_signing_alg_values_supported,
1218
+ actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,
1219
+ errorMessage: "Invalid authorization_signed_response_alg"
1220
+ });
1221
+ return parsedClientMetadata;
1619
1222
  }
1620
1223
 
1621
- // src/authorization-response/create-authorization-response.ts
1224
+ //#endregion
1225
+ //#region src/authorization-response/create-authorization-response.ts
1622
1226
  async function createOpenid4vpAuthorizationResponse(options) {
1623
- const { authorizationRequestPayload, jarm, callbacks, origin } = options;
1624
- const authorizationResponsePayload = {
1625
- ...options.authorizationResponsePayload,
1626
- state: authorizationRequestPayload.state
1627
- };
1628
- const { clientIdPrefix } = getOpenid4vpClientId({
1629
- responseMode: authorizationRequestPayload.response_mode,
1630
- clientId: authorizationRequestPayload.client_id,
1631
- legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
1632
- origin
1633
- });
1634
- if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode) && !jarm) {
1635
- throw new import_oauth223.Oauth2Error(
1636
- `Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`
1637
- );
1638
- }
1639
- if (!jarm) {
1640
- return {
1641
- authorizationResponsePayload
1642
- };
1643
- }
1644
- if (clientIdPrefix === "openid_federation" && !options.clientMetadata) {
1645
- throw new import_oauth223.Oauth2Error(
1646
- "When OpenID Federation is used as the client id prefix (https/openid_federation), passing externally fetched and verified 'clientMetadata' to the 'createOpenid4vpAuthorizationResponse' is required."
1647
- );
1648
- }
1649
- const clientMetadata = options.clientMetadata ?? authorizationRequestPayload.client_metadata;
1650
- if (!clientMetadata) {
1651
- throw new import_oauth223.Oauth2Error("Missing client metadata in the request params to assert Jarm metadata support.");
1652
- }
1653
- let jwks;
1654
- if (clientMetadata.jwks) {
1655
- jwks = clientMetadata.jwks;
1656
- } else if (clientMetadata.jwks_uri) {
1657
- jwks = await (0, import_oauth223.fetchJwks)(clientMetadata.jwks_uri, options.callbacks.fetch);
1658
- } else {
1659
- throw new import_oauth223.Oauth2ServerErrorResponseError({
1660
- error: import_oauth223.Oauth2ErrorCodes.InvalidRequest,
1661
- error_description: `Missing 'jwks' or 'jwks_uri' in client metadata. Cannot extract encryption JWK.`
1662
- });
1663
- }
1664
- if (clientMetadata.authorization_encrypted_response_alg || clientMetadata.authorization_encrypted_response_enc || clientMetadata.authorization_signed_response_alg) {
1665
- jarmAssertMetadataSupported({
1666
- clientMetadata,
1667
- serverMetadata: jarm.serverMetadata
1668
- });
1669
- }
1670
- const encJwk = (
1671
- // User-provided JWK takes precedence
1672
- jarm?.encryption?.jwk ?? extractEncryptionJwkFromJwks(jwks, {
1673
- supportedAlgValues: jarm.serverMetadata.authorization_encryption_alg_values_supported ?? (clientMetadata.authorization_encrypted_response_alg ? [clientMetadata.authorization_encrypted_response_alg] : void 0)
1674
- })
1675
- );
1676
- if (!encJwk) {
1677
- throw new import_oauth223.Oauth2ServerErrorResponseError({
1678
- error: import_oauth223.Oauth2ErrorCodes.InvalidRequest,
1679
- error_description: "No encryption JWK provided and could not extract encryption JWK from client metadata. Failed to create JARM response."
1680
- });
1681
- }
1682
- let enc;
1683
- if (clientMetadata.encrypted_response_enc_values_supported) {
1684
- enc = jarm.serverMetadata.authorization_encryption_enc_values_supported.find(
1685
- (enc2) => clientMetadata.encrypted_response_enc_values_supported?.includes(enc2)
1686
- ) ?? clientMetadata.encrypted_response_enc_values_supported[0];
1687
- } else {
1688
- enc = clientMetadata.authorization_encrypted_response_enc ?? "A128GCM";
1689
- }
1690
- assertValueSupported({
1691
- actual: enc,
1692
- supported: jarm.serverMetadata.authorization_encryption_enc_values_supported,
1693
- errorMessage: `Invalid 'enc' value ${enc}. Supported values are ${jarm.serverMetadata.authorization_encryption_enc_values_supported.join(", ")}`
1694
- });
1695
- const alg = encJwk.alg ?? clientMetadata.authorization_encrypted_response_alg ?? "ECDH-ES";
1696
- assertValueSupported({
1697
- actual: alg,
1698
- supported: jarm.serverMetadata.authorization_encryption_alg_values_supported,
1699
- errorMessage: `Invalid 'alg' value ${alg}. Supported values are ${jarm.serverMetadata.authorization_encryption_alg_values_supported.join(", ")}`
1700
- });
1701
- let additionalJwtPayload;
1702
- if (jarm?.jwtSigner) {
1703
- if (!jarm.authorizationServer) {
1704
- throw new import_oauth223.Oauth2ServerErrorResponseError({
1705
- error: import_oauth223.Oauth2ErrorCodes.InvalidRequest,
1706
- error_description: "Missing required iss in JARM configuration for creating OpenID4VP authorization response."
1707
- });
1708
- }
1709
- if (!jarm.audience) {
1710
- throw new import_oauth223.Oauth2ServerErrorResponseError({
1711
- error: import_oauth223.Oauth2ErrorCodes.InvalidRequest,
1712
- error_description: "Missing required aud in JARM configuration for creating OpenID4VP authorization response."
1713
- });
1714
- }
1715
- additionalJwtPayload = {
1716
- iss: jarm.authorizationServer,
1717
- aud: jarm.audience,
1718
- exp: jarm.expiresInSeconds ?? (0, import_utils17.dateToSeconds)(addSecondsToDate2(/* @__PURE__ */ new Date(), 60 * 10))
1719
- // default: 10 minutes
1720
- };
1721
- }
1722
- const jarmResponsePayload = {
1723
- ...authorizationResponsePayload,
1724
- ...additionalJwtPayload
1725
- };
1726
- const result = await createJarmAuthorizationResponse({
1727
- jarmAuthorizationResponse: jarmResponsePayload,
1728
- jwtSigner: jarm?.jwtSigner,
1729
- jweEncryptor: jarm?.encryption ? {
1730
- method: "jwk",
1731
- publicJwk: encJwk,
1732
- apu: jarm.encryption.nonce ? (0, import_utils17.encodeToBase64Url)(jarm.encryption.nonce) : void 0,
1733
- apv: (0, import_utils17.encodeToBase64Url)(authorizationRequestPayload.nonce),
1734
- alg,
1735
- enc
1736
- } : void 0,
1737
- callbacks: {
1738
- signJwt: callbacks.signJwt,
1739
- encryptJwe: callbacks.encryptJwe
1740
- }
1741
- });
1742
- return {
1743
- authorizationResponsePayload: jarmResponsePayload,
1744
- jarm: { responseJwt: result.jarmAuthorizationResponseJwt, encryptionJwk: encJwk }
1745
- };
1227
+ const { authorizationRequestPayload, jarm, callbacks, origin } = options;
1228
+ const authorizationResponsePayload = {
1229
+ ...options.authorizationResponsePayload,
1230
+ state: authorizationRequestPayload.state
1231
+ };
1232
+ const { clientIdPrefix } = getOpenid4vpClientId({
1233
+ responseMode: authorizationRequestPayload.response_mode,
1234
+ clientId: authorizationRequestPayload.client_id,
1235
+ legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
1236
+ origin
1237
+ });
1238
+ if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode) && !jarm) throw new __openid4vc_oauth2.Oauth2Error(`Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`);
1239
+ if (!jarm) return { authorizationResponsePayload };
1240
+ if (clientIdPrefix === "openid_federation" && !options.clientMetadata) throw new __openid4vc_oauth2.Oauth2Error("When OpenID Federation is used as the client id prefix (https/openid_federation), passing externally fetched and verified 'clientMetadata' to the 'createOpenid4vpAuthorizationResponse' is required.");
1241
+ const clientMetadata = options.clientMetadata ?? authorizationRequestPayload.client_metadata;
1242
+ if (!clientMetadata) throw new __openid4vc_oauth2.Oauth2Error("Missing client metadata in the request params to assert Jarm metadata support.");
1243
+ let jwks;
1244
+ if (clientMetadata.jwks) jwks = clientMetadata.jwks;
1245
+ else if (clientMetadata.jwks_uri) jwks = await (0, __openid4vc_oauth2.fetchJwks)(clientMetadata.jwks_uri, options.callbacks.fetch);
1246
+ else throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1247
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
1248
+ error_description: `Missing 'jwks' or 'jwks_uri' in client metadata. Cannot extract encryption JWK.`
1249
+ });
1250
+ if (clientMetadata.authorization_encrypted_response_alg || clientMetadata.authorization_encrypted_response_enc || clientMetadata.authorization_signed_response_alg) jarmAssertMetadataSupported({
1251
+ clientMetadata,
1252
+ serverMetadata: jarm.serverMetadata
1253
+ });
1254
+ const encJwk = jarm?.encryption?.jwk ?? extractEncryptionJwkFromJwks(jwks, { supportedAlgValues: jarm.serverMetadata.authorization_encryption_alg_values_supported ?? (clientMetadata.authorization_encrypted_response_alg ? [clientMetadata.authorization_encrypted_response_alg] : void 0) });
1255
+ if (!encJwk) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1256
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
1257
+ error_description: "No encryption JWK provided and could not extract encryption JWK from client metadata. Failed to create JARM response."
1258
+ });
1259
+ let enc;
1260
+ if (clientMetadata.encrypted_response_enc_values_supported) enc = jarm.serverMetadata.authorization_encryption_enc_values_supported.find((enc$1) => clientMetadata.encrypted_response_enc_values_supported?.includes(enc$1)) ?? clientMetadata.encrypted_response_enc_values_supported[0];
1261
+ else enc = clientMetadata.authorization_encrypted_response_enc ?? "A128GCM";
1262
+ assertValueSupported({
1263
+ actual: enc,
1264
+ supported: jarm.serverMetadata.authorization_encryption_enc_values_supported,
1265
+ errorMessage: `Invalid 'enc' value ${enc}. Supported values are ${jarm.serverMetadata.authorization_encryption_enc_values_supported.join(", ")}`
1266
+ });
1267
+ const alg = encJwk.alg ?? clientMetadata.authorization_encrypted_response_alg ?? "ECDH-ES";
1268
+ assertValueSupported({
1269
+ actual: alg,
1270
+ supported: jarm.serverMetadata.authorization_encryption_alg_values_supported,
1271
+ errorMessage: `Invalid 'alg' value ${alg}. Supported values are ${jarm.serverMetadata.authorization_encryption_alg_values_supported.join(", ")}`
1272
+ });
1273
+ let additionalJwtPayload;
1274
+ if (jarm?.jwtSigner) {
1275
+ if (!jarm.authorizationServer) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1276
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
1277
+ error_description: "Missing required iss in JARM configuration for creating OpenID4VP authorization response."
1278
+ });
1279
+ if (!jarm.audience) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1280
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
1281
+ error_description: "Missing required aud in JARM configuration for creating OpenID4VP authorization response."
1282
+ });
1283
+ additionalJwtPayload = {
1284
+ iss: jarm.authorizationServer,
1285
+ aud: jarm.audience,
1286
+ exp: jarm.expiresInSeconds ?? (0, __openid4vc_utils.dateToSeconds)(addSecondsToDate(/* @__PURE__ */ new Date(), 600))
1287
+ };
1288
+ }
1289
+ const jarmResponsePayload = {
1290
+ ...authorizationResponsePayload,
1291
+ ...additionalJwtPayload
1292
+ };
1293
+ return {
1294
+ authorizationResponsePayload: jarmResponsePayload,
1295
+ jarm: {
1296
+ responseJwt: (await createJarmAuthorizationResponse({
1297
+ jarmAuthorizationResponse: jarmResponsePayload,
1298
+ jwtSigner: jarm?.jwtSigner,
1299
+ jweEncryptor: jarm?.encryption ? {
1300
+ method: "jwk",
1301
+ publicJwk: encJwk,
1302
+ apu: jarm.encryption.nonce ? (0, __openid4vc_utils.encodeToBase64Url)(jarm.encryption.nonce) : void 0,
1303
+ apv: (0, __openid4vc_utils.encodeToBase64Url)(authorizationRequestPayload.nonce),
1304
+ alg,
1305
+ enc
1306
+ } : void 0,
1307
+ callbacks: {
1308
+ signJwt: callbacks.signJwt,
1309
+ encryptJwe: callbacks.encryptJwe
1310
+ }
1311
+ })).jarmAuthorizationResponseJwt,
1312
+ encryptionJwk: encJwk
1313
+ }
1314
+ };
1746
1315
  }
1747
1316
 
1748
- // src/authorization-response/submit-authorization-response.ts
1749
- var import_oauth225 = require("@openid4vc/oauth2");
1750
- var import_utils19 = require("@openid4vc/utils");
1751
- var import_utils20 = require("@openid4vc/utils");
1752
-
1753
- // src/jarm/jarm-authorizatino-response-send.ts
1754
- var import_oauth224 = require("@openid4vc/oauth2");
1755
- var import_utils18 = require("@openid4vc/utils");
1756
- var jarmAuthorizationResponseSend = (options) => {
1757
- const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options;
1758
- const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
1759
- if (!responseEndpoint) {
1760
- throw new import_oauth224.Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`);
1761
- }
1762
- const responseEndpointUrl = new import_utils18.URL(responseEndpoint);
1763
- return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks);
1764
- };
1765
- async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
1766
- const response = await (0, import_utils18.createFetcher)(callbacks.fetch)(responseEndpoint, {
1767
- method: "POST",
1768
- headers: { "Content-Type": import_utils18.ContentType.XWwwFormUrlencoded },
1769
- body: `response=${responseJwt}`
1770
- });
1771
- return {
1772
- responseMode: "direct_post.jwt",
1773
- response
1774
- };
1775
- }
1317
+ //#endregion
1318
+ //#region src/models/z-pex.ts
1319
+ const zPexPresentationDefinition = zod.z.record(zod.z.any());
1320
+ const zPexPresentationSubmission = zod.z.record(zod.z.any());
1321
+
1322
+ //#endregion
1323
+ //#region src/vp-token/z-vp-token.ts
1324
+ const zVpTokenPresentationEntry = zod.z.union([zod.z.string(), zod.z.record(zod.z.any())], { message: "vp_token presentation entry must be string or object" });
1325
+ const zVpTokenPex = zod.z.union([zVpTokenPresentationEntry, zod.z.array(zVpTokenPresentationEntry).nonempty("Must have at least entry in vp_token array")], { message: "pex vp_token must be a string, object or non-empty array of strings and objects" });
1326
+ const zVpTokenDcql = zod.z.record(zod.z.union([zod.z.array(zVpTokenPresentationEntry).nonempty(), zVpTokenPresentationEntry]), { message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values a non-empty array of strings and objects, or string, or object" });
1327
+ const zVpToken = zVpTokenDcql.or(zVpTokenPex);
1328
+
1329
+ //#endregion
1330
+ //#region src/authorization-response/z-authorization-response.ts
1331
+ const zOpenid4vpAuthorizationResponse = zod.z.object({
1332
+ state: zod.z.string().optional(),
1333
+ id_token: zod.z.string().optional(),
1334
+ vp_token: zVpToken,
1335
+ presentation_submission: zPexPresentationSubmission.or(__openid4vc_utils.zStringToJson).optional(),
1336
+ refresh_token: zod.z.string().optional(),
1337
+ token_type: zod.z.string().optional(),
1338
+ access_token: zod.z.string().optional(),
1339
+ expires_in: zod.z.coerce.number().optional()
1340
+ }).passthrough();
1776
1341
 
1777
- // src/authorization-response/submit-authorization-response.ts
1778
- async function submitOpenid4vpAuthorizationResponse(options) {
1779
- const { authorizationRequestPayload, authorizationResponsePayload, jarm, callbacks } = options;
1780
- const url = authorizationRequestPayload.response_uri;
1781
- if (jarm) {
1782
- return jarmAuthorizationResponseSend({
1783
- authorizationRequestPayload,
1784
- jarmAuthorizationResponseJwt: jarm.responseJwt,
1785
- callbacks
1786
- });
1787
- }
1788
- if (!url) {
1789
- throw new import_oauth225.Oauth2Error(
1790
- "Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided."
1791
- );
1792
- }
1793
- const fetch = (0, import_utils19.createFetcher)(callbacks.fetch);
1794
- const encodedResponse = (0, import_utils20.objectToQueryParams)(authorizationResponsePayload);
1795
- const submissionResponse = await fetch(url, {
1796
- method: "POST",
1797
- body: encodedResponse.toString(),
1798
- headers: {
1799
- "Content-Type": import_utils19.ContentType.XWwwFormUrlencoded
1800
- }
1801
- });
1802
- return {
1803
- responseMode: "direct_post",
1804
- response: submissionResponse
1805
- };
1342
+ //#endregion
1343
+ //#region src/authorization-response/parse-authorization-response-payload.ts
1344
+ function parseOpenid4VpAuthorizationResponsePayload(payload) {
1345
+ return (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationResponse, payload, "Failed to parse openid4vp authorization response.");
1806
1346
  }
1807
1347
 
1808
- // src/authorization-response/validate-authorization-response.ts
1809
- var import_oauth226 = require("@openid4vc/oauth2");
1348
+ //#endregion
1349
+ //#region src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
1350
+ const zJarmHeader = zod.z.object({
1351
+ ...__openid4vc_oauth2.zJwtHeader.shape,
1352
+ apu: zod.z.string().optional(),
1353
+ apv: zod.z.string().optional()
1354
+ });
1355
+ const zJarmAuthorizationResponse = zod.z.object({
1356
+ ...__openid4vc_oauth2.zJwtPayload.shape,
1357
+ ...__openid4vc_oauth2.zJwtPayload.pick({
1358
+ iss: true,
1359
+ aud: true,
1360
+ exp: true
1361
+ }).required().shape,
1362
+ state: zod.z.optional(zod.z.string())
1363
+ }).passthrough();
1364
+ const zJarmAuthorizationResponseEncryptedOnly = zod.z.object({
1365
+ ...__openid4vc_oauth2.zJwtPayload.shape,
1366
+ state: zod.z.optional(zod.z.string())
1367
+ }).passthrough();
1810
1368
 
1811
- // src/vp-token/parse-vp-token.ts
1812
- var import_utils21 = require("@openid4vc/utils");
1369
+ //#endregion
1370
+ //#region src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
1371
+ const jarmAuthorizationResponseValidate = (options) => {
1372
+ const { expectedClientId, authorizationResponse } = options;
1373
+ if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) return;
1374
+ if (expectedClientId !== authorizationResponse.aud) throw new __openid4vc_oauth2.Oauth2Error(`Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`);
1375
+ if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, __openid4vc_utils.dateToSeconds)()) throw new __openid4vc_oauth2.Oauth2Error("Jarm auth response is expired.");
1376
+ };
1813
1377
 
1814
- // src/vp-token/z-vp-token.ts
1815
- var import_zod17 = require("zod");
1816
- var zVpTokenPresentationEntry = import_zod17.z.union([import_zod17.z.string(), import_zod17.z.record(import_zod17.z.any())], {
1817
- message: "vp_token presentation entry must be string or object"
1818
- });
1819
- var zVpTokenPex = import_zod17.z.union(
1820
- [
1821
- zVpTokenPresentationEntry,
1822
- import_zod17.z.array(zVpTokenPresentationEntry).nonempty("Must have at least entry in vp_token array")
1823
- ],
1824
- {
1825
- message: "pex vp_token must be a string, object or non-empty array of strings and objects"
1826
- }
1827
- );
1828
- var zVpTokenDcql = import_zod17.z.record(
1829
- import_zod17.z.union([import_zod17.z.array(zVpTokenPresentationEntry).nonempty(), zVpTokenPresentationEntry]),
1830
- {
1831
- message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values a non-empty array of strings and objects, or string, or object"
1832
- }
1833
- );
1834
- var zVpToken = zVpTokenDcql.or(zVpTokenPex);
1378
+ //#endregion
1379
+ //#region src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
1380
+ let JarmMode = /* @__PURE__ */ function(JarmMode$1) {
1381
+ JarmMode$1["Signed"] = "Signed";
1382
+ JarmMode$1["Encrypted"] = "Encrypted";
1383
+ JarmMode$1["SignedEncrypted"] = "SignedEncrypted";
1384
+ return JarmMode$1;
1385
+ }({});
1386
+ /**
1387
+ * The client decrypts the JWT using the default key for the respective issuer or,
1388
+ * if applicable, determined by the kid JWT header parameter.
1389
+ * The key might be a private key, where the corresponding public key is registered
1390
+ * with the expected issuer of the response ("use":"enc" via the client's metadata jwks or jwks_uri)
1391
+ * or a key derived from its client secret (see Section 2.2).
1392
+ */
1393
+ const decryptJarmAuthorizationResponseJwt = async (options) => {
1394
+ const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options;
1395
+ let encryptionJwk;
1396
+ const { header } = (0, __openid4vc_oauth2.decodeJwtHeader)({ jwt: jarmAuthorizationResponseJwt });
1397
+ if (authorizationRequestPayload.client_metadata?.jwks) encryptionJwk = extractEncryptionJwkFromJwks(authorizationRequestPayload.client_metadata.jwks, {
1398
+ kid: header.kid,
1399
+ supportedAlgValues: authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg ? [authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg] : void 0
1400
+ });
1401
+ const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk });
1402
+ if (!result.decrypted) throw new __openid4vc_oauth2.Oauth2Error("Failed to decrypt jarm auth response.");
1403
+ return {
1404
+ decryptionJwk: result.decryptionJwk,
1405
+ payload: result.payload
1406
+ };
1407
+ };
1408
+ /**
1409
+ * Validate a JARM direct_post.jwt compliant authentication response
1410
+ * * The decryption key should be resolvable using the the protected header's 'kid' field
1411
+ * * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.
1412
+ */
1413
+ async function verifyJarmAuthorizationResponse(options) {
1414
+ const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
1415
+ const requestDataIsEncrypted = __openid4vc_oauth2.zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
1416
+ const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmAuthorizationResponseJwt({
1417
+ jarmAuthorizationResponseJwt,
1418
+ callbacks,
1419
+ authorizationRequestPayload
1420
+ }) : {
1421
+ payload: jarmAuthorizationResponseJwt,
1422
+ decryptionJwk: void 0
1423
+ };
1424
+ const responseIsSigned = __openid4vc_oauth2.zCompactJwt.safeParse(decryptedRequestData.payload).success;
1425
+ if (!requestDataIsEncrypted && !responseIsSigned) throw new __openid4vc_oauth2.Oauth2Error("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
1426
+ let jarmAuthorizationResponse;
1427
+ if (responseIsSigned) {
1428
+ const { header: jwsProtectedHeader, payload: jwsPayload } = (0, __openid4vc_oauth2.decodeJwt)({
1429
+ jwt: decryptedRequestData.payload,
1430
+ headerSchema: zod.default.object({
1431
+ ...__openid4vc_oauth2.zJwtHeader.shape,
1432
+ kid: zod.default.string()
1433
+ })
1434
+ });
1435
+ const response = zJarmAuthorizationResponse.parse(jwsPayload);
1436
+ const jwtSigner = (0, __openid4vc_oauth2.jwtSignerFromJwt)({
1437
+ header: jwsProtectedHeader,
1438
+ payload: jwsPayload
1439
+ });
1440
+ if (!(await options.callbacks.verifyJwt(jwtSigner, {
1441
+ compact: decryptedRequestData.payload,
1442
+ header: jwsProtectedHeader,
1443
+ payload: jwsPayload
1444
+ })).verified) throw new __openid4vc_oauth2.Oauth2Error("Jarm Auth Response is not valid.");
1445
+ jarmAuthorizationResponse = response;
1446
+ } else {
1447
+ const jsonRequestData = (0, __openid4vc_utils.stringToJsonWithErrorHandling)(decryptedRequestData.payload, "Unable to parse decrypted JARM JWE body to JSON");
1448
+ jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
1449
+ }
1450
+ jarmAuthorizationResponseValidate({
1451
+ expectedClientId,
1452
+ authorizationResponse: jarmAuthorizationResponse
1453
+ });
1454
+ const type = requestDataIsEncrypted && responseIsSigned ? JarmMode.SignedEncrypted : requestDataIsEncrypted ? JarmMode.Encrypted : JarmMode.Signed;
1455
+ const issuer = jarmAuthorizationResponse.iss;
1456
+ return {
1457
+ jarmAuthorizationResponse,
1458
+ type,
1459
+ issuer,
1460
+ decryptionJwk: decryptedRequestData.decryptionJwk
1461
+ };
1462
+ }
1835
1463
 
1836
- // src/vp-token/parse-vp-token.ts
1464
+ //#endregion
1465
+ //#region src/vp-token/parse-vp-token.ts
1837
1466
  function parsePexVpToken(vpToken) {
1838
- const parsedVpToken = (0, import_utils21.parseWithErrorHandling)(
1839
- zVpTokenPex,
1840
- (0, import_utils21.parseIfJson)(vpToken),
1841
- "Could not parse presentation exchange vp_token. Expected a string or an array of strings"
1842
- );
1843
- return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
1467
+ const parsedVpToken = (0, __openid4vc_utils.parseWithErrorHandling)(zVpTokenPex, (0, __openid4vc_utils.parseIfJson)(vpToken), "Could not parse presentation exchange vp_token. Expected a string or an array of strings");
1468
+ return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
1844
1469
  }
1845
1470
  function parseDcqlVpToken(vpToken) {
1846
- const parsedVpToken = (0, import_utils21.parseWithErrorHandling)(
1847
- zVpTokenDcql,
1848
- (0, import_utils21.parseIfJson)(vpToken),
1849
- "Could not parse dcql vp_token. Expected an object where the values are encoded presentations"
1850
- );
1851
- return Object.fromEntries(
1852
- Object.entries(parsedVpToken).map(([queryId, presentations]) => [
1853
- queryId,
1854
- Array.isArray(presentations) ? presentations : [presentations]
1855
- ])
1856
- );
1471
+ const parsedVpToken = (0, __openid4vc_utils.parseWithErrorHandling)(zVpTokenDcql, (0, __openid4vc_utils.parseIfJson)(vpToken), "Could not parse dcql vp_token. Expected an object where the values are encoded presentations");
1472
+ return Object.fromEntries(Object.entries(parsedVpToken).map(([queryId, presentations]) => [queryId, Array.isArray(presentations) ? presentations : [presentations]]));
1857
1473
  }
1858
1474
 
1859
- // src/authorization-response/validate-authorization-response.ts
1475
+ //#endregion
1476
+ //#region src/authorization-response/validate-authorization-response.ts
1477
+ /**
1478
+ * The following steps need to be performed outside of this library
1479
+ * - verifying the presentations
1480
+ * - validating the presentations against the presentation definition
1481
+ * - checking the revocation status of the presentations
1482
+ * - checking the nonce of the presentations matches the nonce of the request (for mdoc's)
1483
+ */
1860
1484
  function validateOpenid4vpAuthorizationResponsePayload(options) {
1861
- const { authorizationRequestPayload, authorizationResponsePayload } = options;
1862
- if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) {
1863
- throw new import_oauth226.Oauth2Error("OpenId4Vp Authorization Response state mismatch.");
1864
- }
1865
- if (authorizationResponsePayload.id_token) {
1866
- throw new import_oauth226.Oauth2Error("OpenId4Vp Authorization Response id_token is not supported.");
1867
- }
1868
- if (authorizationResponsePayload.presentation_submission) {
1869
- if (!authorizationRequestPayload.presentation_definition) {
1870
- throw new import_oauth226.Oauth2Error("OpenId4Vp Authorization Request is missing the required presentation_definition.");
1871
- }
1872
- return {
1873
- type: "pex",
1874
- pex: authorizationRequestPayload.scope ? {
1875
- scope: authorizationRequestPayload.scope,
1876
- presentationSubmission: authorizationResponsePayload.presentation_submission,
1877
- presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
1878
- } : {
1879
- presentationDefinition: authorizationRequestPayload.presentation_definition,
1880
- presentationSubmission: authorizationResponsePayload.presentation_submission,
1881
- presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
1882
- }
1883
- };
1884
- }
1885
- if (authorizationRequestPayload.dcql_query) {
1886
- const presentations = parseDcqlVpToken(authorizationResponsePayload.vp_token);
1887
- return {
1888
- type: "dcql",
1889
- dcql: authorizationRequestPayload.scope ? {
1890
- scope: authorizationRequestPayload.scope,
1891
- presentations
1892
- } : {
1893
- query: authorizationRequestPayload.dcql_query,
1894
- presentations
1895
- }
1896
- };
1897
- }
1898
- throw new import_oauth226.Oauth2Error(
1899
- "Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query."
1900
- );
1485
+ const { authorizationRequestPayload, authorizationResponsePayload } = options;
1486
+ if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) throw new __openid4vc_oauth2.Oauth2Error("OpenId4Vp Authorization Response state mismatch.");
1487
+ if (authorizationResponsePayload.id_token) throw new __openid4vc_oauth2.Oauth2Error("OpenId4Vp Authorization Response id_token is not supported.");
1488
+ if (authorizationResponsePayload.presentation_submission) {
1489
+ if (!authorizationRequestPayload.presentation_definition) throw new __openid4vc_oauth2.Oauth2Error("OpenId4Vp Authorization Request is missing the required presentation_definition.");
1490
+ return {
1491
+ type: "pex",
1492
+ pex: authorizationRequestPayload.scope ? {
1493
+ scope: authorizationRequestPayload.scope,
1494
+ presentationSubmission: authorizationResponsePayload.presentation_submission,
1495
+ presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
1496
+ } : {
1497
+ presentationDefinition: authorizationRequestPayload.presentation_definition,
1498
+ presentationSubmission: authorizationResponsePayload.presentation_submission,
1499
+ presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
1500
+ }
1501
+ };
1502
+ }
1503
+ if (authorizationRequestPayload.dcql_query) {
1504
+ const presentations = parseDcqlVpToken(authorizationResponsePayload.vp_token);
1505
+ return {
1506
+ type: "dcql",
1507
+ dcql: authorizationRequestPayload.scope ? {
1508
+ scope: authorizationRequestPayload.scope,
1509
+ presentations
1510
+ } : {
1511
+ query: authorizationRequestPayload.dcql_query,
1512
+ presentations
1513
+ }
1514
+ };
1515
+ }
1516
+ throw new __openid4vc_oauth2.Oauth2Error("Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query.");
1901
1517
  }
1902
1518
 
1903
- // src/authorization-response/parse-authorization-response.ts
1904
- var import_oauth228 = require("@openid4vc/oauth2");
1905
-
1906
- // src/authorization-response/parse-authorization-response-payload.ts
1907
- var import_utils23 = require("@openid4vc/utils");
1908
-
1909
- // src/authorization-response/z-authorization-response.ts
1910
- var import_utils22 = require("@openid4vc/utils");
1911
- var import_zod19 = require("zod");
1912
-
1913
- // src/models/z-pex.ts
1914
- var import_zod18 = require("zod");
1915
- var zPexPresentationDefinition = import_zod18.z.record(import_zod18.z.any());
1916
- var zPexPresentationSubmission = import_zod18.z.record(import_zod18.z.any());
1917
-
1918
- // src/authorization-response/z-authorization-response.ts
1919
- var zOpenid4vpAuthorizationResponse = import_zod19.z.object({
1920
- state: import_zod19.z.string().optional(),
1921
- id_token: import_zod19.z.string().optional(),
1922
- vp_token: zVpToken,
1923
- presentation_submission: zPexPresentationSubmission.or(import_utils22.zStringToJson).optional(),
1924
- refresh_token: import_zod19.z.string().optional(),
1925
- token_type: import_zod19.z.string().optional(),
1926
- access_token: import_zod19.z.string().optional(),
1927
- expires_in: import_zod19.z.coerce.number().optional()
1928
- }).passthrough();
1519
+ //#endregion
1520
+ //#region src/authorization-response/parse-jarm-authorization-response.ts
1521
+ async function parseJarmAuthorizationResponse(options) {
1522
+ const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
1523
+ const jarmAuthorizationResponseJwt = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([__openid4vc_oauth2.zCompactJwt, __openid4vc_oauth2.zCompactJwe]), jarmResponseJwt, "Invalid jarm authorization response jwt.");
1524
+ const verifiedJarmResponse = await verifyJarmAuthorizationResponse({
1525
+ jarmAuthorizationResponseJwt,
1526
+ callbacks,
1527
+ expectedClientId,
1528
+ authorizationRequestPayload
1529
+ });
1530
+ const { header: jarmHeader } = (0, __openid4vc_oauth2.decodeJwtHeader)({
1531
+ jwt: jarmAuthorizationResponseJwt,
1532
+ headerSchema: zJarmHeader
1533
+ });
1534
+ const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthorizationResponse);
1535
+ const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
1536
+ authorizationRequestPayload,
1537
+ authorizationResponsePayload
1538
+ });
1539
+ if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) throw new __openid4vc_oauth2.Oauth2Error(`Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? "fragment"}'`);
1540
+ return {
1541
+ ...validateOpenId4vpResponse,
1542
+ jarm: {
1543
+ ...verifiedJarmResponse,
1544
+ jarmHeader
1545
+ },
1546
+ expectedNonce: authorizationRequestPayload.nonce,
1547
+ authorizationResponsePayload
1548
+ };
1549
+ }
1929
1550
 
1930
- // src/authorization-response/parse-authorization-response-payload.ts
1931
- function parseOpenid4VpAuthorizationResponsePayload(payload) {
1932
- return (0, import_utils23.parseWithErrorHandling)(
1933
- zOpenid4vpAuthorizationResponse,
1934
- payload,
1935
- "Failed to parse openid4vp authorization response."
1936
- );
1551
+ //#endregion
1552
+ //#region src/authorization-response/parse-authorization-response.ts
1553
+ async function parseOpenid4vpAuthorizationResponse(options) {
1554
+ const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
1555
+ const expectedClientId = getOpenid4vpClientId({
1556
+ origin,
1557
+ responseMode: authorizationRequestPayload.response_mode,
1558
+ clientId: authorizationRequestPayload.client_id,
1559
+ legacyClientIdScheme: authorizationRequestPayload.client_id_scheme
1560
+ });
1561
+ if (authorizationResponse.response) return parseJarmAuthorizationResponse({
1562
+ jarmResponseJwt: authorizationResponse.response,
1563
+ callbacks,
1564
+ authorizationRequestPayload,
1565
+ expectedClientId: expectedClientId.effectiveClientId
1566
+ });
1567
+ const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(authorizationResponse);
1568
+ const validatedOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
1569
+ authorizationRequestPayload,
1570
+ authorizationResponsePayload
1571
+ });
1572
+ if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1573
+ error: "invalid_request",
1574
+ error_description: "Invalid response mode for openid4vp response. Expected jarm response."
1575
+ }, { status: 400 });
1576
+ return {
1577
+ ...validatedOpenId4vpResponse,
1578
+ expectedNonce: authorizationRequestPayload.nonce,
1579
+ authorizationResponsePayload,
1580
+ jarm: void 0
1581
+ };
1937
1582
  }
1938
1583
 
1939
- // src/authorization-response/parse-jarm-authorization-response.ts
1940
- var import_oauth227 = require("@openid4vc/oauth2");
1941
- var import_utils24 = require("@openid4vc/utils");
1942
- var import_zod20 = __toESM(require("zod"));
1943
- async function parseJarmAuthorizationResponse(options) {
1944
- const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
1945
- const jarmAuthorizationResponseJwt = (0, import_utils24.parseWithErrorHandling)(
1946
- import_zod20.default.union([import_oauth227.zCompactJwt, import_oauth227.zCompactJwe]),
1947
- jarmResponseJwt,
1948
- "Invalid jarm authorization response jwt."
1949
- );
1950
- const verifiedJarmResponse = await verifyJarmAuthorizationResponse({
1951
- jarmAuthorizationResponseJwt,
1952
- callbacks,
1953
- expectedClientId,
1954
- authorizationRequestPayload
1955
- });
1956
- const { header: jarmHeader } = (0, import_oauth227.decodeJwtHeader)({
1957
- jwt: jarmAuthorizationResponseJwt,
1958
- headerSchema: zJarmHeader
1959
- });
1960
- const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(
1961
- verifiedJarmResponse.jarmAuthorizationResponse
1962
- );
1963
- const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
1964
- authorizationRequestPayload,
1965
- authorizationResponsePayload
1966
- });
1967
- if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {
1968
- throw new import_oauth227.Oauth2Error(
1969
- `Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? "fragment"}'`
1970
- );
1971
- }
1972
- return {
1973
- ...validateOpenId4vpResponse,
1974
- jarm: { ...verifiedJarmResponse, jarmHeader },
1975
- expectedNonce: authorizationRequestPayload.nonce,
1976
- authorizationResponsePayload
1977
- };
1584
+ //#endregion
1585
+ //#region src/jarm/jarm-authorizatino-response-send.ts
1586
+ const jarmAuthorizationResponseSend = (options) => {
1587
+ const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options;
1588
+ const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
1589
+ if (!responseEndpoint) throw new __openid4vc_oauth2.Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`);
1590
+ return handleDirectPostJwt(new __openid4vc_utils.URL(responseEndpoint), jarmAuthorizationResponseJwt, callbacks);
1591
+ };
1592
+ async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
1593
+ return {
1594
+ responseMode: "direct_post.jwt",
1595
+ response: await (0, __openid4vc_utils.createFetcher)(callbacks.fetch)(responseEndpoint, {
1596
+ method: "POST",
1597
+ headers: { "Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded },
1598
+ body: `response=${responseJwt}`
1599
+ })
1600
+ };
1978
1601
  }
1979
1602
 
1980
- // src/authorization-response/parse-authorization-response.ts
1981
- async function parseOpenid4vpAuthorizationResponse(options) {
1982
- const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
1983
- const expectedClientId = getOpenid4vpClientId({
1984
- origin,
1985
- responseMode: authorizationRequestPayload.response_mode,
1986
- clientId: authorizationRequestPayload.client_id,
1987
- legacyClientIdScheme: authorizationRequestPayload.client_id_scheme
1988
- });
1989
- if (authorizationResponse.response) {
1990
- return parseJarmAuthorizationResponse({
1991
- jarmResponseJwt: authorizationResponse.response,
1992
- callbacks,
1993
- authorizationRequestPayload,
1994
- expectedClientId: expectedClientId.effectiveClientId
1995
- });
1996
- }
1997
- const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(authorizationResponse);
1998
- const validatedOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
1999
- authorizationRequestPayload,
2000
- authorizationResponsePayload
2001
- });
2002
- if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) {
2003
- throw new import_oauth228.Oauth2ServerErrorResponseError(
2004
- {
2005
- error: "invalid_request",
2006
- error_description: "Invalid response mode for openid4vp response. Expected jarm response."
2007
- },
2008
- {
2009
- status: 400
2010
- }
2011
- );
2012
- }
2013
- return {
2014
- ...validatedOpenId4vpResponse,
2015
- expectedNonce: authorizationRequestPayload.nonce,
2016
- authorizationResponsePayload,
2017
- jarm: void 0
2018
- };
1603
+ //#endregion
1604
+ //#region src/authorization-response/submit-authorization-response.ts
1605
+ async function submitOpenid4vpAuthorizationResponse(options) {
1606
+ const { authorizationRequestPayload, authorizationResponsePayload, jarm, callbacks } = options;
1607
+ const url = authorizationRequestPayload.response_uri;
1608
+ if (jarm) return jarmAuthorizationResponseSend({
1609
+ authorizationRequestPayload,
1610
+ jarmAuthorizationResponseJwt: jarm.responseJwt,
1611
+ callbacks
1612
+ });
1613
+ if (!url) throw new __openid4vc_oauth2.Oauth2Error("Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided.");
1614
+ return {
1615
+ responseMode: "direct_post",
1616
+ response: await (0, __openid4vc_utils.createFetcher)(callbacks.fetch)(url, {
1617
+ method: "POST",
1618
+ body: (0, __openid4vc_utils.objectToQueryParams)(authorizationResponsePayload).toString(),
1619
+ headers: { "Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded }
1620
+ })
1621
+ };
2019
1622
  }
2020
1623
 
2021
- // src/Openid4vpClient.ts
1624
+ //#endregion
1625
+ //#region src/models/z-credential-formats.ts
1626
+ const zCredentialFormat = zod.z.enum([
1627
+ "jwt_vc_json",
1628
+ "ldp_vc",
1629
+ "mso_mdoc",
1630
+ "dc+sd-jwt",
1631
+ "vc+sd-jwt"
1632
+ ]);
1633
+
1634
+ //#endregion
1635
+ //#region src/models/z-proof-formats.ts
1636
+ const zProofFormat = zod.z.enum([
1637
+ "jwt_vp_json",
1638
+ "ldc_vp",
1639
+ "ac_vp",
1640
+ "dc+sd-jwt",
1641
+ "vc+sd-jwt",
1642
+ "mso_mdoc"
1643
+ ]);
1644
+
1645
+ //#endregion
1646
+ //#region src/models/z-wallet-metadata.ts
1647
+ const zWalletMetadata = zod.z.object({
1648
+ presentation_definition_uri_supported: zod.z.optional(zod.z.boolean()),
1649
+ vp_formats_supported: zod.z.optional(zVpFormatsSupported.or(zLegacyVpFormats)),
1650
+ client_id_schemes_supported: zod.z.optional(zod.z.array(zClientIdPrefix.exclude(["decentralized_identifier", "openid_federation"]))),
1651
+ client_id_prefixes_supported: zod.z.optional(zod.z.array(zUniformClientIdPrefix)),
1652
+ request_object_signing_alg_values_supported: zod.z.optional(zod.z.array(zod.z.string())),
1653
+ authorization_encryption_alg_values_supported: zod.z.optional(zod.z.array(zod.z.string())),
1654
+ authorization_encryption_enc_values_supported: zod.z.optional(zod.z.array(zod.z.string()))
1655
+ });
1656
+
1657
+ //#endregion
1658
+ //#region src/Openid4vpClient.ts
2022
1659
  var Openid4vpClient = class {
2023
- constructor(options) {
2024
- this.options = options;
2025
- }
2026
- parseOpenid4vpAuthorizationRequest(options) {
2027
- return parseOpenid4vpAuthorizationRequest(options);
2028
- }
2029
- async resolveOpenId4vpAuthorizationRequest(options) {
2030
- return resolveOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks });
2031
- }
2032
- async createOpenid4vpAuthorizationResponse(options) {
2033
- return createOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks });
2034
- }
2035
- async submitOpenid4vpAuthorizationResponse(options) {
2036
- return submitOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks });
2037
- }
1660
+ constructor(options) {
1661
+ this.options = options;
1662
+ }
1663
+ parseOpenid4vpAuthorizationRequest(options) {
1664
+ return parseOpenid4vpAuthorizationRequest(options);
1665
+ }
1666
+ async resolveOpenId4vpAuthorizationRequest(options) {
1667
+ return resolveOpenid4vpAuthorizationRequest({
1668
+ ...options,
1669
+ callbacks: this.options.callbacks
1670
+ });
1671
+ }
1672
+ async createOpenid4vpAuthorizationResponse(options) {
1673
+ return createOpenid4vpAuthorizationResponse({
1674
+ ...options,
1675
+ callbacks: this.options.callbacks
1676
+ });
1677
+ }
1678
+ async submitOpenid4vpAuthorizationResponse(options) {
1679
+ return submitOpenid4vpAuthorizationResponse({
1680
+ ...options,
1681
+ callbacks: this.options.callbacks
1682
+ });
1683
+ }
2038
1684
  };
2039
1685
 
2040
- // src/transaction-data/verify-transaction-data.ts
2041
- var import_oauth229 = require("@openid4vc/oauth2");
2042
- var import_utils25 = require("@openid4vc/utils");
1686
+ //#endregion
1687
+ //#region src/transaction-data/verify-transaction-data.ts
2043
1688
  async function verifyTransactionData(options) {
2044
- const parsedTransactionData = parseTransactionData({
2045
- transactionData: options.transactionData
2046
- });
2047
- const matchedEntries = [];
2048
- for (const parsedEntry of parsedTransactionData) {
2049
- const matchedEntry = await verifyTransactionDataEntry({
2050
- entry: parsedEntry,
2051
- callbacks: options.callbacks,
2052
- credentials: options.credentials
2053
- });
2054
- matchedEntries.push(matchedEntry);
2055
- }
2056
- return matchedEntries;
1689
+ const parsedTransactionData = parseTransactionData({ transactionData: options.transactionData });
1690
+ const matchedEntries = [];
1691
+ for (const parsedEntry of parsedTransactionData) {
1692
+ const matchedEntry = await verifyTransactionDataEntry({
1693
+ entry: parsedEntry,
1694
+ callbacks: options.callbacks,
1695
+ credentials: options.credentials
1696
+ });
1697
+ matchedEntries.push(matchedEntry);
1698
+ }
1699
+ return matchedEntries;
2057
1700
  }
2058
- async function verifyTransactionDataEntry({
2059
- entry,
2060
- credentials,
2061
- callbacks
2062
- }) {
2063
- const allowedAlgs = entry.transactionData.transaction_data_hashes_alg ?? ["sha-256"];
2064
- const supportedAlgs = allowedAlgs.filter(
2065
- (alg) => Object.values(import_oauth229.HashAlgorithm).includes(alg)
2066
- );
2067
- const hashes = {};
2068
- for (const alg of supportedAlgs) {
2069
- hashes[alg] = (0, import_utils25.encodeToBase64Url)(await callbacks.hash((0, import_utils25.decodeUtf8String)(entry.encoded), alg));
2070
- }
2071
- for (const credentialId of entry.transactionData.credential_ids) {
2072
- const transactionDataHashesCredentials = credentials[credentialId];
2073
- if (!transactionDataHashesCredentials) continue;
2074
- const presentations = [];
2075
- for (const transactionDataHashesCredential of transactionDataHashesCredentials) {
2076
- const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? "sha-256";
2077
- const hash = hashes[alg];
2078
- const presentationIndex = transactionDataHashesCredentials.indexOf(transactionDataHashesCredential);
2079
- if (!allowedAlgs.includes(alg)) {
2080
- throw new import_oauth229.Oauth2ServerErrorResponseError({
2081
- error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
2082
- error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(", ")}.`
2083
- });
2084
- }
2085
- if (!hash) {
2086
- throw new import_oauth229.Oauth2ServerErrorResponseError({
2087
- error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
2088
- error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(import_oauth229.HashAlgorithm).join(", ")}. Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`
2089
- });
2090
- }
2091
- const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash);
2092
- if (credentialHashIndex === -1) {
2093
- throw new import_oauth229.Oauth2ServerErrorResponseError({
2094
- error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
2095
- error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} does not have a matching hash in the transaction_data_hashes`
2096
- });
2097
- }
2098
- presentations.push({
2099
- credentialHashIndex,
2100
- hash,
2101
- hashAlg: alg,
2102
- presentationIndex
2103
- });
2104
- }
2105
- return {
2106
- transactionDataEntry: entry,
2107
- credentialId,
2108
- presentations
2109
- };
2110
- }
2111
- throw new import_oauth229.Oauth2ServerErrorResponseError({
2112
- error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
2113
- error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`
2114
- });
1701
+ async function verifyTransactionDataEntry({ entry, credentials, callbacks }) {
1702
+ const allowedAlgs = entry.transactionData.transaction_data_hashes_alg ?? ["sha-256"];
1703
+ const supportedAlgs = allowedAlgs.filter((alg) => Object.values(__openid4vc_oauth2.HashAlgorithm).includes(alg));
1704
+ const hashes = {};
1705
+ for (const alg of supportedAlgs) hashes[alg] = (0, __openid4vc_utils.encodeToBase64Url)(await callbacks.hash((0, __openid4vc_utils.decodeUtf8String)(entry.encoded), alg));
1706
+ for (const credentialId of entry.transactionData.credential_ids) {
1707
+ const transactionDataHashesCredentials = credentials[credentialId];
1708
+ if (!transactionDataHashesCredentials) continue;
1709
+ const presentations = [];
1710
+ for (const transactionDataHashesCredential of transactionDataHashesCredentials) {
1711
+ const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? "sha-256";
1712
+ const hash = hashes[alg];
1713
+ const presentationIndex = transactionDataHashesCredentials.indexOf(transactionDataHashesCredential);
1714
+ if (!allowedAlgs.includes(alg)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1715
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
1716
+ error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(", ")}.`
1717
+ });
1718
+ if (!hash) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1719
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
1720
+ error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(__openid4vc_oauth2.HashAlgorithm).join(", ")}. Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`
1721
+ });
1722
+ const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash);
1723
+ if (credentialHashIndex === -1) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1724
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
1725
+ error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} does not have a matching hash in the transaction_data_hashes`
1726
+ });
1727
+ presentations.push({
1728
+ credentialHashIndex,
1729
+ hash,
1730
+ hashAlg: alg,
1731
+ presentationIndex
1732
+ });
1733
+ }
1734
+ return {
1735
+ transactionDataEntry: entry,
1736
+ credentialId,
1737
+ presentations
1738
+ };
1739
+ }
1740
+ throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
1741
+ error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
1742
+ error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`
1743
+ });
2115
1744
  }
2116
1745
 
2117
- // src/Openid4vpVerifier.ts
1746
+ //#endregion
1747
+ //#region src/Openid4vpVerifier.ts
2118
1748
  var Openid4vpVerifier = class {
2119
- constructor(options) {
2120
- this.options = options;
2121
- }
2122
- async createOpenId4vpAuthorizationRequest(options) {
2123
- return createOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks });
2124
- }
2125
- parseOpenid4vpAuthorizationRequestPayload(options) {
2126
- return parseOpenid4vpAuthorizationRequest(options);
2127
- }
2128
- parseOpenid4vpAuthorizationResponse(options) {
2129
- return parseOpenid4vpAuthorizationResponse(options);
2130
- }
2131
- validateOpenid4vpAuthorizationResponsePayload(options) {
2132
- return validateOpenid4vpAuthorizationResponsePayload(options);
2133
- }
2134
- parsePexVpToken(vpToken) {
2135
- return parsePexVpToken(vpToken);
2136
- }
2137
- parseDcqlVpToken(vpToken) {
2138
- return parseDcqlVpToken(vpToken);
2139
- }
2140
- parseTransactionData(options) {
2141
- return parseTransactionData(options);
2142
- }
2143
- /**
2144
- * Verify transaction data against submitted credentials.
2145
- *
2146
- * NOTE: this expects transaction data based authorization based on hashes. This is the method defined
2147
- * for SD-JWT VC, but for mDOCs it's much more generic. If you're using transaction data with mDOCs based
2148
- * on hashes, you can extract the values from the DeviceResponse, otherwise you must verify the transaction data
2149
- * manually.
2150
- */
2151
- verifyTransactionData(options) {
2152
- return verifyTransactionData({
2153
- ...options,
2154
- callbacks: this.options.callbacks
2155
- });
2156
- }
1749
+ constructor(options) {
1750
+ this.options = options;
1751
+ }
1752
+ async createOpenId4vpAuthorizationRequest(options) {
1753
+ return createOpenid4vpAuthorizationRequest({
1754
+ ...options,
1755
+ callbacks: this.options.callbacks
1756
+ });
1757
+ }
1758
+ parseOpenid4vpAuthorizationRequestPayload(options) {
1759
+ return parseOpenid4vpAuthorizationRequest(options);
1760
+ }
1761
+ parseOpenid4vpAuthorizationResponse(options) {
1762
+ return parseOpenid4vpAuthorizationResponse(options);
1763
+ }
1764
+ validateOpenid4vpAuthorizationResponsePayload(options) {
1765
+ return validateOpenid4vpAuthorizationResponsePayload(options);
1766
+ }
1767
+ parsePexVpToken(vpToken) {
1768
+ return parsePexVpToken(vpToken);
1769
+ }
1770
+ parseDcqlVpToken(vpToken) {
1771
+ return parseDcqlVpToken(vpToken);
1772
+ }
1773
+ parseTransactionData(options) {
1774
+ return parseTransactionData(options);
1775
+ }
1776
+ /**
1777
+ * Verify transaction data against submitted credentials.
1778
+ *
1779
+ * NOTE: this expects transaction data based authorization based on hashes. This is the method defined
1780
+ * for SD-JWT VC, but for mDOCs it's much more generic. If you're using transaction data with mDOCs based
1781
+ * on hashes, you can extract the values from the DeviceResponse, otherwise you must verify the transaction data
1782
+ * manually.
1783
+ */
1784
+ verifyTransactionData(options) {
1785
+ return verifyTransactionData({
1786
+ ...options,
1787
+ callbacks: this.options.callbacks
1788
+ });
1789
+ }
2157
1790
  };
2158
1791
 
2159
- // src/models/z-credential-formats.ts
2160
- var import_zod21 = require("zod");
2161
- var zCredentialFormat = import_zod21.z.enum(["jwt_vc_json", "ldp_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
2162
-
2163
- // src/models/z-proof-formats.ts
2164
- var import_zod22 = require("zod");
2165
- var zProofFormat = import_zod22.z.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
2166
-
2167
- // src/models/z-wallet-metadata.ts
2168
- var import_zod23 = require("zod");
2169
- var zWalletMetadata = import_zod23.z.object({
2170
- presentation_definition_uri_supported: import_zod23.z.optional(import_zod23.z.boolean()),
2171
- // Up until draft 26 the legacy format was used
2172
- vp_formats_supported: import_zod23.z.optional(zVpFormatsSupported.or(zLegacyVpFormats)),
2173
- client_id_schemes_supported: import_zod23.z.optional(
2174
- // client_id_schemes_supported was from before decentralized_identifier and openid_federation were defined
2175
- import_zod23.z.array(zClientIdPrefix.exclude(["decentralized_identifier", "openid_federation"]))
2176
- ),
2177
- client_id_prefixes_supported: import_zod23.z.optional(import_zod23.z.array(zUniformClientIdPrefix)),
2178
- request_object_signing_alg_values_supported: import_zod23.z.optional(import_zod23.z.array(import_zod23.z.string())),
2179
- authorization_encryption_alg_values_supported: import_zod23.z.optional(import_zod23.z.array(import_zod23.z.string())),
2180
- authorization_encryption_enc_values_supported: import_zod23.z.optional(import_zod23.z.array(import_zod23.z.string()))
2181
- });
2182
- // Annotate the CommonJS export names for ESM import in node:
2183
- 0 && (module.exports = {
2184
- JarmMode,
2185
- Openid4vpClient,
2186
- Openid4vpVerifier,
2187
- createOpenid4vpAuthorizationRequest,
2188
- createOpenid4vpAuthorizationResponse,
2189
- extractEncryptionJwkFromJwks,
2190
- getOpenid4vpClientId,
2191
- isJarmResponseMode,
2192
- isOpenid4vpAuthorizationRequestDcApi,
2193
- parseAuthorizationRequestVersion,
2194
- parseDcqlVpToken,
2195
- parseJarmAuthorizationResponse,
2196
- parseOpenid4VpAuthorizationResponsePayload,
2197
- parseOpenid4vpAuthorizationRequest,
2198
- parseOpenid4vpAuthorizationResponse,
2199
- parsePexVpToken,
2200
- parseTransactionData,
2201
- resolveOpenid4vpAuthorizationRequest,
2202
- submitOpenid4vpAuthorizationResponse,
2203
- validateOpenid4vpAuthorizationRequestPayload,
2204
- validateOpenid4vpAuthorizationResponsePayload,
2205
- verifyJarmAuthorizationResponse,
2206
- zClientIdPrefix,
2207
- zClientMetadata,
2208
- zCredentialFormat,
2209
- zJarmClientMetadata,
2210
- zOpenid4vpAuthorizationResponse,
2211
- zProofFormat,
2212
- zVerifierAttestations,
2213
- zWalletMetadata
2214
- });
1792
+ //#endregion
1793
+ exports.JarmMode = JarmMode;
1794
+ exports.Openid4vpClient = Openid4vpClient;
1795
+ exports.Openid4vpVerifier = Openid4vpVerifier;
1796
+ exports.createOpenid4vpAuthorizationRequest = createOpenid4vpAuthorizationRequest;
1797
+ exports.createOpenid4vpAuthorizationResponse = createOpenid4vpAuthorizationResponse;
1798
+ exports.extractEncryptionJwkFromJwks = extractEncryptionJwkFromJwks;
1799
+ exports.getOpenid4vpClientId = getOpenid4vpClientId;
1800
+ exports.isJarmResponseMode = isJarmResponseMode;
1801
+ exports.isOpenid4vpAuthorizationRequestDcApi = isOpenid4vpAuthorizationRequestDcApi;
1802
+ exports.parseAuthorizationRequestVersion = parseAuthorizationRequestVersion;
1803
+ exports.parseDcqlVpToken = parseDcqlVpToken;
1804
+ exports.parseJarmAuthorizationResponse = parseJarmAuthorizationResponse;
1805
+ exports.parseOpenid4VpAuthorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload;
1806
+ exports.parseOpenid4vpAuthorizationRequest = parseOpenid4vpAuthorizationRequest;
1807
+ exports.parseOpenid4vpAuthorizationResponse = parseOpenid4vpAuthorizationResponse;
1808
+ exports.parsePexVpToken = parsePexVpToken;
1809
+ exports.parseTransactionData = parseTransactionData;
1810
+ exports.resolveOpenid4vpAuthorizationRequest = resolveOpenid4vpAuthorizationRequest;
1811
+ exports.submitOpenid4vpAuthorizationResponse = submitOpenid4vpAuthorizationResponse;
1812
+ exports.validateOpenid4vpAuthorizationRequestPayload = validateOpenid4vpAuthorizationRequestPayload;
1813
+ exports.validateOpenid4vpAuthorizationResponsePayload = validateOpenid4vpAuthorizationResponsePayload;
1814
+ exports.verifyJarmAuthorizationResponse = verifyJarmAuthorizationResponse;
1815
+ exports.zClientIdPrefix = zClientIdPrefix;
1816
+ exports.zClientMetadata = zClientMetadata;
1817
+ exports.zCredentialFormat = zCredentialFormat;
1818
+ exports.zJarmClientMetadata = zJarmClientMetadata;
1819
+ exports.zOpenid4vpAuthorizationResponse = zOpenid4vpAuthorizationResponse;
1820
+ exports.zProofFormat = zProofFormat;
1821
+ exports.zVerifierAttestations = zVerifierAttestations;
1822
+ exports.zWalletMetadata = zWalletMetadata;
2215
1823
  //# sourceMappingURL=index.js.map