@openid4vc/openid4vp 0.3.0-alpha-20251001121503 → 0.3.0-alpha-20251017082202
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +31207 -31163
- package/dist/index.d.ts +31207 -31163
- package/dist/index.js +1708 -2100
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +1661 -2073
- package/dist/index.mjs.map +1 -1
- package/package.json +5 -5
package/dist/index.js
CHANGED
|
@@ -1,2215 +1,1823 @@
|
|
|
1
|
-
|
|
1
|
+
//#region rolldown:runtime
|
|
2
2
|
var __create = Object.create;
|
|
3
3
|
var __defProp = Object.defineProperty;
|
|
4
4
|
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
5
5
|
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
6
6
|
var __getProtoOf = Object.getPrototypeOf;
|
|
7
7
|
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
8
|
-
var __export = (target, all) => {
|
|
9
|
-
for (var name in all)
|
|
10
|
-
__defProp(target, name, { get: all[name], enumerable: true });
|
|
11
|
-
};
|
|
12
8
|
var __copyProps = (to, from, except, desc) => {
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
9
|
+
if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
|
|
10
|
+
key = keys[i];
|
|
11
|
+
if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
|
|
12
|
+
get: ((k) => from[k]).bind(null, key),
|
|
13
|
+
enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
|
|
14
|
+
});
|
|
15
|
+
}
|
|
16
|
+
return to;
|
|
19
17
|
};
|
|
20
|
-
var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
)
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
18
|
+
var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
|
|
19
|
+
value: mod,
|
|
20
|
+
enumerable: true
|
|
21
|
+
}) : target, mod));
|
|
22
|
+
|
|
23
|
+
//#endregion
|
|
24
|
+
let __openid4vc_oauth2 = require("@openid4vc/oauth2");
|
|
25
|
+
__openid4vc_oauth2 = __toESM(__openid4vc_oauth2);
|
|
26
|
+
let __openid4vc_utils = require("@openid4vc/utils");
|
|
27
|
+
__openid4vc_utils = __toESM(__openid4vc_utils);
|
|
28
|
+
let zod = require("zod");
|
|
29
|
+
zod = __toESM(zod);
|
|
30
|
+
|
|
31
|
+
//#region src/jar/create-jar-authorization-request.ts
|
|
32
|
+
/**
|
|
33
|
+
* Creates a JAR (JWT Authorization Request) request object.
|
|
34
|
+
*
|
|
35
|
+
* @param options - The input parameters
|
|
36
|
+
* @param options.authorizationRequestPayload - The authorization request parameters
|
|
37
|
+
* @param options.jwtSigner - The JWT signer
|
|
38
|
+
* @param options.jweEncryptor - The JWE encryptor (optional) if provided, the request object will be encrypted
|
|
39
|
+
* @param options.requestUri - The request URI (optional) if provided, the request object needs to be fetched from the URI
|
|
40
|
+
* @param options.callbacks - The callback context
|
|
41
|
+
* @returns the requestParams, signerJwk, encryptionJwk, and requestObjectJwt
|
|
42
|
+
*/
|
|
43
|
+
async function createJarAuthorizationRequest(options) {
|
|
44
|
+
const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
|
|
45
|
+
let authorizationRequestJwt;
|
|
46
|
+
let encryptionJwk;
|
|
47
|
+
const now = options.now ?? /* @__PURE__ */ new Date();
|
|
48
|
+
const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
|
|
49
|
+
header: {
|
|
50
|
+
...(0, __openid4vc_oauth2.jwtHeaderFromJwtSigner)(jwtSigner),
|
|
51
|
+
typ: "oauth-authz-req+jwt"
|
|
52
|
+
},
|
|
53
|
+
payload: {
|
|
54
|
+
iat: (0, __openid4vc_utils.dateToSeconds)(now),
|
|
55
|
+
exp: (0, __openid4vc_utils.dateToSeconds)((0, __openid4vc_utils.addSecondsToDate)(now, options.expiresInSeconds)),
|
|
56
|
+
...options.additionalJwtPayload,
|
|
57
|
+
...authorizationRequestPayload
|
|
58
|
+
}
|
|
59
|
+
});
|
|
60
|
+
authorizationRequestJwt = jwt;
|
|
61
|
+
if (jweEncryptor) {
|
|
62
|
+
const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
|
|
63
|
+
authorizationRequestJwt = encryptionResult.jwe;
|
|
64
|
+
encryptionJwk = encryptionResult.encryptionJwk;
|
|
65
|
+
}
|
|
66
|
+
const client_id = authorizationRequestPayload.client_id;
|
|
67
|
+
return {
|
|
68
|
+
jarAuthorizationRequest: requestUri ? {
|
|
69
|
+
client_id,
|
|
70
|
+
request_uri: requestUri
|
|
71
|
+
} : {
|
|
72
|
+
client_id,
|
|
73
|
+
request: authorizationRequestJwt
|
|
74
|
+
},
|
|
75
|
+
signerJwk,
|
|
76
|
+
encryptionJwk,
|
|
77
|
+
authorizationRequestJwt
|
|
78
|
+
};
|
|
79
|
+
}
|
|
73
80
|
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
81
|
+
//#endregion
|
|
82
|
+
//#region src/authorization-request/validate-authorization-request.ts
|
|
83
|
+
/**
|
|
84
|
+
* Validate the OpenId4Vp Authorization Request parameters
|
|
85
|
+
*/
|
|
86
|
+
const validateOpenid4vpAuthorizationRequestPayload = (options) => {
|
|
87
|
+
const { params, walletVerificationOptions } = options;
|
|
88
|
+
if (!params.redirect_uri && !params.response_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
89
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
90
|
+
error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
|
|
91
|
+
});
|
|
92
|
+
if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
93
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
94
|
+
error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
|
|
95
|
+
});
|
|
96
|
+
if ([
|
|
97
|
+
params.presentation_definition_uri,
|
|
98
|
+
params.presentation_definition,
|
|
99
|
+
params.dcql_query,
|
|
100
|
+
params.scope
|
|
101
|
+
].filter(Boolean).length > 1) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
102
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
103
|
+
error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
|
|
104
|
+
});
|
|
105
|
+
if (params.request_uri_method && !params.request_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
106
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
107
|
+
error_description: "The \"request_uri_method\" parameter MUST NOT be present in the authorization request if the \"request_uri\" parameter is not present."
|
|
108
|
+
});
|
|
109
|
+
if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
110
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUriMethod,
|
|
111
|
+
error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
|
|
112
|
+
});
|
|
113
|
+
if (params.trust_chain && !__openid4vc_utils.zHttpsUrl.safeParse(params.client_id).success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
114
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
115
|
+
error_description: "The \"trust_chain\" parameter MUST NOT be present in the authorization request if the \"client_id\" is not an OpenId Federation Entity Identifier starting with http:// or https://."
|
|
116
|
+
});
|
|
117
|
+
if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
118
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
119
|
+
error_description: "The \"wallet_nonce\" parameter MUST be present in the authorization request when the \"expectedNonce\" parameter is provided."
|
|
120
|
+
});
|
|
121
|
+
if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
122
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
123
|
+
error_description: "The \"wallet_nonce\" parameter MUST match the \"expectedNonce\" parameter when the \"expectedNonce\" parameter is provided."
|
|
124
|
+
});
|
|
125
|
+
if (params.client_id.startsWith("web-origin:") || params.client_id.startsWith("origin:")) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
126
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
127
|
+
error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(":")[0]}' when not using the dc_api response mode. Current: ${params.client_id}`
|
|
128
|
+
});
|
|
129
|
+
};
|
|
77
130
|
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
131
|
+
//#endregion
|
|
132
|
+
//#region src/authorization-request/validate-authorization-request-dc-api.ts
|
|
133
|
+
/**
|
|
134
|
+
* Validate the OpenId4Vp Authorization Request parameters for the dc_api response mode
|
|
135
|
+
*/
|
|
136
|
+
const validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
|
|
137
|
+
const { params, isJarRequest, disableOriginValidation, origin } = options;
|
|
138
|
+
if (isJarRequest && !params.expected_origins) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
139
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
140
|
+
error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
|
|
141
|
+
});
|
|
142
|
+
if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
143
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
144
|
+
error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
|
|
145
|
+
});
|
|
146
|
+
if (params.expected_origins && !disableOriginValidation) {
|
|
147
|
+
if (!origin) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
148
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
149
|
+
error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
|
|
150
|
+
});
|
|
151
|
+
if (params.expected_origins && !params.expected_origins.includes(origin)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
152
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
153
|
+
error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
|
|
154
|
+
});
|
|
155
|
+
}
|
|
156
|
+
};
|
|
82
157
|
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
authorization_encrypted_response_alg: import_zod.z.optional(import_zod.z.never()),
|
|
90
|
-
authorization_encrypted_response_enc: import_zod.z.optional(import_zod.z.never())
|
|
158
|
+
//#endregion
|
|
159
|
+
//#region src/jarm/metadata/z-jarm-client-metadata.ts
|
|
160
|
+
const zJarmSignOnlyClientMetadata = zod.z.object({
|
|
161
|
+
authorization_signed_response_alg: __openid4vc_oauth2.zAlgValueNotNone,
|
|
162
|
+
authorization_encrypted_response_alg: zod.z.optional(zod.z.never()),
|
|
163
|
+
authorization_encrypted_response_enc: zod.z.optional(zod.z.never())
|
|
91
164
|
});
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
165
|
+
const zJarmEncryptOnlyClientMetadata = zod.z.object({
|
|
166
|
+
authorization_signed_response_alg: zod.z.optional(zod.z.never()),
|
|
167
|
+
authorization_encrypted_response_alg: zod.z.string(),
|
|
168
|
+
authorization_encrypted_response_enc: zod.z.optional(zod.z.string())
|
|
96
169
|
});
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
170
|
+
const zJarmSignEncryptClientMetadata = zod.z.object({
|
|
171
|
+
authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,
|
|
172
|
+
authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,
|
|
173
|
+
authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
|
|
101
174
|
});
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
)
|
|
175
|
+
/**
|
|
176
|
+
* Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.
|
|
177
|
+
*/
|
|
178
|
+
const zJarmClientMetadata = zod.z.object({
|
|
179
|
+
authorization_signed_response_alg: zod.z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),
|
|
180
|
+
authorization_encrypted_response_alg: zod.z.optional(zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg),
|
|
181
|
+
authorization_encrypted_response_enc: zod.z.optional(zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc)
|
|
110
182
|
});
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
...signOnly.data,
|
|
143
|
-
authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg
|
|
144
|
-
}
|
|
145
|
-
};
|
|
146
|
-
}
|
|
147
|
-
throw new import_oauth2.Oauth2Error("Invalid jarm client metadata. Failed to parse.");
|
|
183
|
+
const zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {
|
|
184
|
+
const parsedClientMeta = (0, __openid4vc_utils.parseWithErrorHandling)(zod.z.union([
|
|
185
|
+
zJarmEncryptOnlyClientMetadata,
|
|
186
|
+
zJarmSignOnlyClientMetadata,
|
|
187
|
+
zJarmSignEncryptClientMetadata
|
|
188
|
+
]), client_metadata, "Invalid jarm client metadata.");
|
|
189
|
+
const SignEncrypt = zJarmSignEncryptClientMetadata.safeParse(parsedClientMeta);
|
|
190
|
+
if (SignEncrypt.success) return {
|
|
191
|
+
type: "sign_encrypt",
|
|
192
|
+
client_metadata: {
|
|
193
|
+
...SignEncrypt.data,
|
|
194
|
+
authorization_encrypted_response_enc: client_metadata.authorization_encrypted_response_enc
|
|
195
|
+
}
|
|
196
|
+
};
|
|
197
|
+
const encryptOnly = zJarmEncryptOnlyClientMetadata.safeParse(parsedClientMeta);
|
|
198
|
+
if (encryptOnly.success) return {
|
|
199
|
+
type: "encrypt",
|
|
200
|
+
client_metadata: {
|
|
201
|
+
...encryptOnly.data,
|
|
202
|
+
authorization_encrypted_response_enc: parsedClientMeta.authorization_encrypted_response_enc
|
|
203
|
+
}
|
|
204
|
+
};
|
|
205
|
+
const signOnly = zJarmSignOnlyClientMetadata.safeParse(parsedClientMeta);
|
|
206
|
+
if (signOnly.success) return {
|
|
207
|
+
type: "sign",
|
|
208
|
+
client_metadata: {
|
|
209
|
+
...signOnly.data,
|
|
210
|
+
authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg
|
|
211
|
+
}
|
|
212
|
+
};
|
|
213
|
+
throw new __openid4vc_oauth2.Oauth2Error("Invalid jarm client metadata. Failed to parse.");
|
|
148
214
|
});
|
|
149
215
|
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
import_zod2.z.string(),
|
|
183
|
-
import_zod2.z.object({
|
|
184
|
-
alg_values_supported: import_zod2.z.optional(import_zod2.z.array(import_zod2.z.string()))
|
|
185
|
-
}).passthrough()
|
|
186
|
-
);
|
|
187
|
-
|
|
188
|
-
// src/models/z-client-metadata.ts
|
|
189
|
-
var zClientMetadata = import_zod3.z.object({
|
|
190
|
-
// Up until draft 22
|
|
191
|
-
jwks_uri: import_zod3.z.string().url().optional(),
|
|
192
|
-
jwks: import_zod3.z.optional(import_oauth22.zJwkSet),
|
|
193
|
-
// Up until draft 26
|
|
194
|
-
vp_formats: import_zod3.z.optional(zLegacyVpFormats),
|
|
195
|
-
// From draft 27
|
|
196
|
-
vp_formats_supported: import_zod3.z.optional(zVpFormatsSupported),
|
|
197
|
-
// From draft 28
|
|
198
|
-
encrypted_response_enc_values_supported: import_zod3.z.optional(import_zod3.z.array(import_zod3.z.string())),
|
|
199
|
-
...zJarmClientMetadata.shape,
|
|
200
|
-
logo_uri: import_utils2.zHttpsUrl.optional(),
|
|
201
|
-
client_name: import_zod3.z.string().optional()
|
|
216
|
+
//#endregion
|
|
217
|
+
//#region src/models/z-vp-formats-supported.ts
|
|
218
|
+
const zVpFormatsSupported = zod.z.object({
|
|
219
|
+
"dc+sd-jwt": zod.z.optional(zod.z.object({
|
|
220
|
+
"sd-jwt_alg_values": zod.z.optional(zod.z.array(zod.z.string()).nonempty()),
|
|
221
|
+
"kb-jwt_alg_values": zod.z.optional(zod.z.array(zod.z.string()).nonempty())
|
|
222
|
+
}).passthrough()),
|
|
223
|
+
jwt_vc_json: zod.z.optional(zod.z.object({ alg_values: zod.z.optional(zod.z.array(zod.z.string()).nonempty()) }).passthrough()),
|
|
224
|
+
ldp_vc: zod.z.optional(zod.z.object({
|
|
225
|
+
proof_type_values: zod.z.optional(zod.z.array(zod.z.string()).nonempty()),
|
|
226
|
+
cryptosuite_values: zod.z.optional(zod.z.array(zod.z.string()).nonempty())
|
|
227
|
+
}).passthrough()),
|
|
228
|
+
mso_mdoc: zod.z.optional(zod.z.object({
|
|
229
|
+
issuer_signed_alg_values: zod.z.optional(zod.z.array(zod.z.number()).nonempty()),
|
|
230
|
+
device_signed_alg_values: zod.z.optional(zod.z.array(zod.z.number()).nonempty()),
|
|
231
|
+
issuerauth_alg_values: zod.z.optional(zod.z.array(zod.z.number()).nonempty()),
|
|
232
|
+
deviceauth_alg_values: zod.z.optional(zod.z.array(zod.z.number()).nonempty())
|
|
233
|
+
}).passthrough())
|
|
234
|
+
}).passthrough().catchall(zod.z.object({}).passthrough());
|
|
235
|
+
const zLegacyVpFormats = zod.z.record(zod.z.string(), zod.z.object({ alg_values_supported: zod.z.optional(zod.z.array(zod.z.string())) }).passthrough());
|
|
236
|
+
|
|
237
|
+
//#endregion
|
|
238
|
+
//#region src/models/z-client-metadata.ts
|
|
239
|
+
const zClientMetadata = zod.z.object({
|
|
240
|
+
jwks_uri: zod.z.string().url().optional(),
|
|
241
|
+
jwks: zod.z.optional(__openid4vc_oauth2.zJwkSet),
|
|
242
|
+
vp_formats: zod.z.optional(zLegacyVpFormats),
|
|
243
|
+
vp_formats_supported: zod.z.optional(zVpFormatsSupported),
|
|
244
|
+
encrypted_response_enc_values_supported: zod.z.optional(zod.z.array(zod.z.string())),
|
|
245
|
+
...zJarmClientMetadata.shape,
|
|
246
|
+
logo_uri: __openid4vc_utils.zHttpsUrl.optional(),
|
|
247
|
+
client_name: zod.z.string().optional()
|
|
202
248
|
}).passthrough();
|
|
203
249
|
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
250
|
+
//#endregion
|
|
251
|
+
//#region src/models/z-verifier-attestations.ts
|
|
252
|
+
const zVerifierAttestation = zod.default.object({
|
|
253
|
+
format: zod.default.string(),
|
|
254
|
+
data: zod.default.record(zod.default.unknown()).or(zod.default.string()),
|
|
255
|
+
credential_ids: zod.default.array(zod.default.string()).optional()
|
|
210
256
|
});
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
|
|
240
|
-
|
|
241
|
-
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
|
|
257
|
+
const zVerifierAttestations = zod.default.array(zVerifierAttestation);
|
|
258
|
+
|
|
259
|
+
//#endregion
|
|
260
|
+
//#region src/authorization-request/z-authorization-request.ts
|
|
261
|
+
const zOpenid4vpAuthorizationRequest = zod.z.object({
|
|
262
|
+
response_type: zod.z.literal("vp_token"),
|
|
263
|
+
client_id: zod.z.string(),
|
|
264
|
+
redirect_uri: __openid4vc_utils.zHttpsUrl.optional(),
|
|
265
|
+
response_uri: __openid4vc_utils.zHttpsUrl.optional(),
|
|
266
|
+
request_uri: __openid4vc_utils.zHttpsUrl.optional(),
|
|
267
|
+
request_uri_method: zod.z.optional(zod.z.string()),
|
|
268
|
+
response_mode: zod.z.enum(["direct_post", "direct_post.jwt"]).optional(),
|
|
269
|
+
nonce: zod.z.string(),
|
|
270
|
+
wallet_nonce: zod.z.string().optional(),
|
|
271
|
+
scope: zod.z.string().optional(),
|
|
272
|
+
presentation_definition: zod.z.record(zod.z.any()).or(__openid4vc_utils.zStringToJson).optional(),
|
|
273
|
+
presentation_definition_uri: __openid4vc_utils.zHttpsUrl.optional(),
|
|
274
|
+
dcql_query: zod.z.record(zod.z.any()).or(__openid4vc_utils.zStringToJson).optional(),
|
|
275
|
+
client_metadata: zClientMetadata.optional(),
|
|
276
|
+
client_metadata_uri: __openid4vc_utils.zHttpsUrl.optional(),
|
|
277
|
+
state: zod.z.string().optional(),
|
|
278
|
+
transaction_data: zod.z.array(zod.z.string().base64url()).optional(),
|
|
279
|
+
trust_chain: zod.z.array(zod.z.string()).nonempty().optional(),
|
|
280
|
+
client_id_scheme: zod.z.enum([
|
|
281
|
+
"pre-registered",
|
|
282
|
+
"redirect_uri",
|
|
283
|
+
"entity_id",
|
|
284
|
+
"did",
|
|
285
|
+
"verifier_attestation",
|
|
286
|
+
"x509_san_dns",
|
|
287
|
+
"x509_san_uri",
|
|
288
|
+
"x509_hash"
|
|
289
|
+
]).optional(),
|
|
290
|
+
verifier_attestations: zVerifierAttestations.optional(),
|
|
291
|
+
verifier_info: zVerifierAttestations.optional()
|
|
245
292
|
}).passthrough();
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
|
|
293
|
+
const zOpenid4vpAuthorizationRequestFromUriParams = zod.z.string().url().transform((url) => Object.fromEntries(new __openid4vc_utils.URL(url).searchParams)).pipe(zod.z.object({
|
|
294
|
+
presentation_definition: __openid4vc_utils.zStringToJson.optional(),
|
|
295
|
+
client_metadata: __openid4vc_utils.zStringToJson.optional(),
|
|
296
|
+
dcql_query: __openid4vc_utils.zStringToJson.optional(),
|
|
297
|
+
transaction_data: __openid4vc_utils.zStringToJson.optional(),
|
|
298
|
+
verifier_attestations: __openid4vc_utils.zStringToJson.optional(),
|
|
299
|
+
verifier_info: __openid4vc_utils.zStringToJson.optional()
|
|
300
|
+
}).passthrough());
|
|
301
|
+
|
|
302
|
+
//#endregion
|
|
303
|
+
//#region src/authorization-request/z-authorization-request-dc-api.ts
|
|
304
|
+
const zOpenid4vpResponseModeDcApi = zod.z.enum([
|
|
305
|
+
"dc_api",
|
|
306
|
+
"dc_api.jwt",
|
|
307
|
+
"w3c_dc_api.jwt",
|
|
308
|
+
"w3c_dc_api"
|
|
309
|
+
]);
|
|
310
|
+
const zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
|
|
311
|
+
response_type: true,
|
|
312
|
+
nonce: true,
|
|
313
|
+
presentation_definition: true,
|
|
314
|
+
client_metadata: true,
|
|
315
|
+
transaction_data: true,
|
|
316
|
+
dcql_query: true,
|
|
317
|
+
trust_chain: true,
|
|
318
|
+
state: true,
|
|
319
|
+
verifier_attestations: true,
|
|
320
|
+
verifier_info: true
|
|
270
321
|
}).extend({
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
275
|
-
|
|
276
|
-
scope: import_zod6.z.never().optional()
|
|
277
|
-
// TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?
|
|
322
|
+
client_id: zod.z.optional(zod.z.string()),
|
|
323
|
+
expected_origins: zod.z.array(zod.z.string()).optional(),
|
|
324
|
+
response_mode: zOpenid4vpResponseModeDcApi,
|
|
325
|
+
client_id_scheme: zod.z.never().optional(),
|
|
326
|
+
scope: zod.z.never().optional()
|
|
278
327
|
});
|
|
279
328
|
function isOpenid4vpResponseModeDcApi(responseMode) {
|
|
280
|
-
|
|
329
|
+
return responseMode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(responseMode);
|
|
281
330
|
}
|
|
282
331
|
function isOpenid4vpAuthorizationRequestDcApi(request) {
|
|
283
|
-
|
|
332
|
+
return isOpenid4vpResponseModeDcApi(request.response_mode);
|
|
284
333
|
}
|
|
285
334
|
|
|
286
|
-
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
"x509_san_dns",
|
|
306
|
-
"origin",
|
|
307
|
-
// from draft 25
|
|
308
|
-
"web-origin"
|
|
309
|
-
// pre-draft 25
|
|
310
|
-
]);
|
|
311
|
-
var zUniformClientIdPrefix = zClientIdPrefix.exclude(["did", "https", "web-origin"]);
|
|
312
|
-
var zClientIdToClientIdPrefixAndIdentifier = import_zod7.z.union(
|
|
313
|
-
[
|
|
314
|
-
import_zod7.z.string({ message: "client_id MUST be a string" }).includes(":").transform((clientId) => {
|
|
315
|
-
const colonIndex = clientId.indexOf(":");
|
|
316
|
-
const clientIdPrefix = clientId.slice(0, colonIndex);
|
|
317
|
-
const clientIdIdentifier = clientId.slice(colonIndex + 1);
|
|
318
|
-
if (clientIdPrefix === "http" && (0, import_utils4.getGlobalConfig)().allowInsecureUrls) {
|
|
319
|
-
return ["https", clientId];
|
|
320
|
-
}
|
|
321
|
-
if (clientIdPrefix === "did" || clientIdPrefix === "http" || clientIdPrefix === "https") {
|
|
322
|
-
return [clientIdPrefix, clientId];
|
|
323
|
-
}
|
|
324
|
-
return [clientIdPrefix, clientIdIdentifier];
|
|
325
|
-
}).pipe(import_zod7.z.tuple([zClientIdPrefix.exclude(["pre-registered"]), import_zod7.z.string()])),
|
|
326
|
-
import_zod7.z.string().refine((clientId) => clientId.includes(":") === false).transform((clientId) => ["pre-registered", clientId])
|
|
327
|
-
],
|
|
328
|
-
{
|
|
329
|
-
message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdPrefix.exclude(["pre-registered"]).options.join(", ")}`
|
|
330
|
-
}
|
|
331
|
-
);
|
|
332
|
-
var zClientIdPrefixToUniform = zClientIdPrefix.transform(
|
|
333
|
-
(prefix) => prefix === "did" ? "decentralized_identifier" : prefix === "https" ? "openid_federation" : prefix === "web-origin" ? "origin" : prefix
|
|
334
|
-
);
|
|
335
|
-
var zLegacyClientIdScheme = import_zod7.z.enum([
|
|
336
|
-
"pre-registered",
|
|
337
|
-
"redirect_uri",
|
|
338
|
-
"entity_id",
|
|
339
|
-
"did",
|
|
340
|
-
"verifier_attestation",
|
|
341
|
-
"x509_san_dns",
|
|
342
|
-
"x509_san_uri"
|
|
343
|
-
]);
|
|
344
|
-
var zLegacyClientIdSchemeToClientIdPrefix = zLegacyClientIdScheme.optional().default("pre-registered").transform(
|
|
345
|
-
(clientIdScheme) => clientIdScheme === "entity_id" ? "openid_federation" : clientIdScheme === "did" ? "decentralized_identifier" : clientIdScheme
|
|
346
|
-
);
|
|
347
|
-
|
|
348
|
-
// src/client-identifier-prefix/parse-client-identifier-prefix.ts
|
|
349
|
-
function getOpenid4vpClientId(options) {
|
|
350
|
-
const original = {
|
|
351
|
-
clientId: options.clientId
|
|
352
|
-
};
|
|
353
|
-
const version = options.version ?? 100;
|
|
354
|
-
if (isOpenid4vpResponseModeDcApi(options.responseMode)) {
|
|
355
|
-
if (!options.clientId) {
|
|
356
|
-
if (!options.origin) {
|
|
357
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
358
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
359
|
-
error_description: "Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'"
|
|
360
|
-
});
|
|
361
|
-
}
|
|
362
|
-
return {
|
|
363
|
-
clientIdPrefix: "origin",
|
|
364
|
-
effectiveClientIdPrefix: "origin",
|
|
365
|
-
clientIdIdentifier: options.origin,
|
|
366
|
-
effectiveClientId: version >= 25 ? `origin:${options.origin}` : `web-origin:${options.origin}`,
|
|
367
|
-
original
|
|
368
|
-
};
|
|
369
|
-
}
|
|
370
|
-
const parsedClientIdPrefixAndIdentifier2 = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId);
|
|
371
|
-
if (!parsedClientIdPrefixAndIdentifier2.success) {
|
|
372
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
373
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
374
|
-
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
375
|
-
});
|
|
376
|
-
}
|
|
377
|
-
const [clientIdScheme2, clientIdIdentifier2] = parsedClientIdPrefixAndIdentifier2.data;
|
|
378
|
-
const uniformClientIdScheme2 = zClientIdPrefixToUniform.safeParse(clientIdScheme2);
|
|
379
|
-
if (!uniformClientIdScheme2.success) {
|
|
380
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
381
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
382
|
-
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
383
|
-
});
|
|
384
|
-
}
|
|
385
|
-
return {
|
|
386
|
-
effectiveClientId: options.clientId,
|
|
387
|
-
effectiveClientIdPrefix: clientIdScheme2,
|
|
388
|
-
original,
|
|
389
|
-
clientIdPrefix: uniformClientIdScheme2.data,
|
|
390
|
-
clientIdIdentifier: clientIdIdentifier2
|
|
391
|
-
};
|
|
392
|
-
}
|
|
393
|
-
if (!options.clientId) {
|
|
394
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
395
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
396
|
-
error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`
|
|
397
|
-
});
|
|
398
|
-
}
|
|
399
|
-
if (options.legacyClientIdScheme) {
|
|
400
|
-
const parsedClientIdPrefix = zLegacyClientIdSchemeToClientIdPrefix.safeParse(options.legacyClientIdScheme);
|
|
401
|
-
if (!parsedClientIdPrefix.success) {
|
|
402
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
403
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
404
|
-
error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`
|
|
405
|
-
});
|
|
406
|
-
}
|
|
407
|
-
const clientIdPrefix = parsedClientIdPrefix.data;
|
|
408
|
-
return {
|
|
409
|
-
effectiveClientId: options.clientId,
|
|
410
|
-
clientIdIdentifier: options.clientId,
|
|
411
|
-
clientIdPrefix,
|
|
412
|
-
effectiveClientIdPrefix: options.legacyClientIdScheme ?? "pre-registered",
|
|
413
|
-
original: {
|
|
414
|
-
...original,
|
|
415
|
-
clientIdScheme: options.legacyClientIdScheme
|
|
416
|
-
}
|
|
417
|
-
};
|
|
418
|
-
}
|
|
419
|
-
const parsedClientIdPrefixAndIdentifier = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId);
|
|
420
|
-
if (!parsedClientIdPrefixAndIdentifier.success) {
|
|
421
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
422
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
423
|
-
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
424
|
-
});
|
|
425
|
-
}
|
|
426
|
-
const [clientIdScheme, clientIdIdentifier] = parsedClientIdPrefixAndIdentifier.data;
|
|
427
|
-
const uniformClientIdScheme = zClientIdPrefixToUniform.safeParse(clientIdScheme);
|
|
428
|
-
if (!uniformClientIdScheme.success) {
|
|
429
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
430
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
431
|
-
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
432
|
-
});
|
|
433
|
-
}
|
|
434
|
-
return {
|
|
435
|
-
effectiveClientId: options.clientId,
|
|
436
|
-
clientIdPrefix: uniformClientIdScheme.data,
|
|
437
|
-
effectiveClientIdPrefix: clientIdScheme,
|
|
438
|
-
clientIdIdentifier,
|
|
439
|
-
original
|
|
440
|
-
};
|
|
441
|
-
}
|
|
442
|
-
async function validateOpenid4vpClientId(options, parserConfig) {
|
|
443
|
-
const { authorizationRequestPayload, jar, origin } = options;
|
|
444
|
-
const parserConfigWithDefaults = {
|
|
445
|
-
supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdPrefix.options)
|
|
446
|
-
};
|
|
447
|
-
const { clientIdIdentifier, clientIdPrefix, effectiveClientId, original } = getOpenid4vpClientId({
|
|
448
|
-
clientId: authorizationRequestPayload.client_id,
|
|
449
|
-
legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
|
|
450
|
-
responseMode: authorizationRequestPayload.response_mode,
|
|
451
|
-
origin
|
|
452
|
-
});
|
|
453
|
-
if (clientIdPrefix === "pre-registered") {
|
|
454
|
-
return {
|
|
455
|
-
prefix: "pre-registered",
|
|
456
|
-
identifier: clientIdIdentifier,
|
|
457
|
-
effective: effectiveClientId,
|
|
458
|
-
original
|
|
459
|
-
};
|
|
460
|
-
}
|
|
461
|
-
if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdPrefix)) {
|
|
462
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
463
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
464
|
-
error_description: `Unsupported client identifier prefix. ${clientIdPrefix} is not supported.`
|
|
465
|
-
});
|
|
466
|
-
}
|
|
467
|
-
if (clientIdPrefix === "openid_federation") {
|
|
468
|
-
if (!import_utils5.zHttpsUrl.safeParse(clientIdIdentifier).success) {
|
|
469
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError(
|
|
470
|
-
{
|
|
471
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
472
|
-
error_description: "Invalid client identifier. Client identifier must start with https://"
|
|
473
|
-
},
|
|
474
|
-
{
|
|
475
|
-
internalMessage: `Insecure http:// urls can be enabled by setting the 'allowInsecureUrls' option using setGlobalConfig`
|
|
476
|
-
}
|
|
477
|
-
);
|
|
478
|
-
}
|
|
479
|
-
if (!jar) {
|
|
480
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
481
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
482
|
-
error_description: 'Using client identifier prefix "https" requires a signed JAR request.'
|
|
483
|
-
});
|
|
484
|
-
}
|
|
485
|
-
if (jar.signer.method !== "federation") {
|
|
486
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
487
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
488
|
-
error_description: "Something went wrong. The JWT signer method is not federation but the client identifier prefix is https."
|
|
489
|
-
});
|
|
490
|
-
}
|
|
491
|
-
return {
|
|
492
|
-
prefix: "openid_federation",
|
|
493
|
-
identifier: clientIdIdentifier,
|
|
494
|
-
effective: effectiveClientId,
|
|
495
|
-
original,
|
|
496
|
-
trustChain: authorizationRequestPayload.trust_chain
|
|
497
|
-
};
|
|
498
|
-
}
|
|
499
|
-
if (clientIdPrefix === "redirect_uri") {
|
|
500
|
-
if (jar) {
|
|
501
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
502
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
503
|
-
error_description: 'Using client identifier prefix "redirect_uri" the request MUST NOT be signed.'
|
|
504
|
-
});
|
|
505
|
-
}
|
|
506
|
-
if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
|
|
507
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
508
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
509
|
-
error_description: `The client identifier prefix 'redirect_uri' is not supported when using the dc_api response mode.`
|
|
510
|
-
});
|
|
511
|
-
}
|
|
512
|
-
if (authorizationRequestPayload.redirect_uri && authorizationRequestPayload.redirect_uri !== clientIdIdentifier) {
|
|
513
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
514
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidClient,
|
|
515
|
-
error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the redirect_uri.`
|
|
516
|
-
});
|
|
517
|
-
}
|
|
518
|
-
if (authorizationRequestPayload.response_uri && authorizationRequestPayload.response_uri !== clientIdIdentifier) {
|
|
519
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
520
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidClient,
|
|
521
|
-
error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the response_uri.`
|
|
522
|
-
});
|
|
523
|
-
}
|
|
524
|
-
return {
|
|
525
|
-
prefix: clientIdPrefix,
|
|
526
|
-
identifier: clientIdIdentifier,
|
|
527
|
-
effective: effectiveClientId,
|
|
528
|
-
original,
|
|
529
|
-
clientMetadata: authorizationRequestPayload.client_metadata,
|
|
530
|
-
redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
|
|
531
|
-
};
|
|
532
|
-
}
|
|
533
|
-
if (clientIdPrefix === "decentralized_identifier") {
|
|
534
|
-
if (!jar) {
|
|
535
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
536
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
537
|
-
error_description: 'Using client identifier prefix "did" requires a signed JAR request.'
|
|
538
|
-
});
|
|
539
|
-
}
|
|
540
|
-
if (jar.signer.method !== "did") {
|
|
541
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
542
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
543
|
-
error_description: "Something went wrong. The JWT signer method is not did but the client identifier prefix is did."
|
|
544
|
-
});
|
|
545
|
-
}
|
|
546
|
-
if (!clientIdIdentifier.startsWith("did:")) {
|
|
547
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
548
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
549
|
-
error_description: "Invalid client identifier. Client id identifier must start with 'did:'"
|
|
550
|
-
});
|
|
551
|
-
}
|
|
552
|
-
const [did] = jar.signer.didUrl.split("#");
|
|
553
|
-
if (clientIdIdentifier !== did) {
|
|
554
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
555
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
556
|
-
error_description: `With client identifier prefix '${clientIdPrefix}' the JAR request must be signed by the same DID as the client identifier.`
|
|
557
|
-
});
|
|
558
|
-
}
|
|
559
|
-
return {
|
|
560
|
-
prefix: "decentralized_identifier",
|
|
561
|
-
identifier: clientIdIdentifier,
|
|
562
|
-
effective: effectiveClientId,
|
|
563
|
-
original,
|
|
564
|
-
clientMetadata: authorizationRequestPayload.client_metadata,
|
|
565
|
-
didUrl: jar.signer.didUrl
|
|
566
|
-
};
|
|
567
|
-
}
|
|
568
|
-
if (clientIdPrefix === "x509_san_dns" || clientIdPrefix === "x509_san_uri" || clientIdPrefix === "x509_hash") {
|
|
569
|
-
if (!jar) {
|
|
570
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
571
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
572
|
-
error_description: `Using client identifier prefix '${clientIdPrefix}' requires a signed JAR request.`
|
|
573
|
-
});
|
|
574
|
-
}
|
|
575
|
-
if (jar.signer.method !== "x5c") {
|
|
576
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
577
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
578
|
-
error_description: `Something went wrong. The JWT signer method is not x5c but the client identifier prefix is '${clientIdPrefix}'`
|
|
579
|
-
});
|
|
580
|
-
}
|
|
581
|
-
if (!options.callbacks.getX509CertificateMetadata) {
|
|
582
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError(
|
|
583
|
-
{
|
|
584
|
-
error: import_oauth23.Oauth2ErrorCodes.ServerError
|
|
585
|
-
},
|
|
586
|
-
{
|
|
587
|
-
internalMessage: `Missing required 'getX509CertificateMetadata' callback for verification of '${clientIdPrefix}' client id prefix`
|
|
588
|
-
}
|
|
589
|
-
);
|
|
590
|
-
}
|
|
591
|
-
if (clientIdPrefix === "x509_san_dns") {
|
|
592
|
-
const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
|
|
593
|
-
if (!sanDnsNames.includes(clientIdIdentifier)) {
|
|
594
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
595
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
596
|
-
error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'. `
|
|
597
|
-
});
|
|
598
|
-
}
|
|
599
|
-
if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
|
|
600
|
-
const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
|
|
601
|
-
if (!uri || new import_utils5.URL(uri).hostname !== clientIdIdentifier) {
|
|
602
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
603
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
604
|
-
error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
|
|
605
|
-
});
|
|
606
|
-
}
|
|
607
|
-
}
|
|
608
|
-
} else if (clientIdPrefix === "x509_san_uri") {
|
|
609
|
-
const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
|
|
610
|
-
if (!sanUriNames.includes(clientIdIdentifier)) {
|
|
611
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
612
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
613
|
-
error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'.`
|
|
614
|
-
});
|
|
615
|
-
}
|
|
616
|
-
if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
|
|
617
|
-
const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
|
|
618
|
-
if (!uri || uri !== clientIdIdentifier) {
|
|
619
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
620
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
621
|
-
error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
|
|
622
|
-
});
|
|
623
|
-
}
|
|
624
|
-
}
|
|
625
|
-
} else if (clientIdPrefix === "x509_hash") {
|
|
626
|
-
const x509Hash = (0, import_utils5.encodeToBase64Url)(
|
|
627
|
-
await options.callbacks.hash((0, import_utils5.decodeBase64)(jar.signer.x5c[0]), import_oauth24.HashAlgorithm.Sha256)
|
|
628
|
-
);
|
|
629
|
-
if (x509Hash !== clientIdIdentifier) {
|
|
630
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
631
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
632
|
-
error_description: `Invalid client identifier. Expected the base64url encoded sha-256 hash of the leaf x5c certificate ('${x509Hash}') to match the client identifier '${clientIdIdentifier}'.`
|
|
633
|
-
});
|
|
634
|
-
}
|
|
635
|
-
}
|
|
636
|
-
return {
|
|
637
|
-
prefix: clientIdPrefix,
|
|
638
|
-
identifier: clientIdIdentifier,
|
|
639
|
-
effective: effectiveClientId,
|
|
640
|
-
original,
|
|
641
|
-
x5c: jar.signer.x5c,
|
|
642
|
-
clientMetadata: authorizationRequestPayload.client_metadata
|
|
643
|
-
};
|
|
644
|
-
}
|
|
645
|
-
if (clientIdPrefix === "origin") {
|
|
646
|
-
return {
|
|
647
|
-
prefix: clientIdPrefix,
|
|
648
|
-
identifier: clientIdIdentifier,
|
|
649
|
-
effective: effectiveClientId,
|
|
650
|
-
original,
|
|
651
|
-
clientMetadata: authorizationRequestPayload.client_metadata
|
|
652
|
-
};
|
|
653
|
-
}
|
|
654
|
-
if (clientIdPrefix === "verifier_attestation") {
|
|
655
|
-
if (!jar) {
|
|
656
|
-
throw new import_oauth23.Oauth2ServerErrorResponseError({
|
|
657
|
-
error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
|
|
658
|
-
error_description: 'Using client identifier prefix "verifier_attestation" requires a signed JAR request.'
|
|
659
|
-
});
|
|
660
|
-
}
|
|
661
|
-
}
|
|
662
|
-
return {
|
|
663
|
-
prefix: clientIdPrefix,
|
|
664
|
-
clientMetadata: authorizationRequestPayload.client_metadata,
|
|
665
|
-
identifier: clientIdIdentifier,
|
|
666
|
-
effective: effectiveClientId,
|
|
667
|
-
original
|
|
668
|
-
};
|
|
669
|
-
}
|
|
670
|
-
|
|
671
|
-
// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
|
|
672
|
-
var import_oauth27 = require("@openid4vc/oauth2");
|
|
673
|
-
var import_utils7 = require("@openid4vc/utils");
|
|
674
|
-
var import_zod9 = __toESM(require("zod"));
|
|
675
|
-
|
|
676
|
-
// src/jarm/jarm-extract-jwks.ts
|
|
677
|
-
function extractEncryptionJwkFromJwks(jwks, {
|
|
678
|
-
kid,
|
|
679
|
-
supportedAlgValues
|
|
680
|
-
}) {
|
|
681
|
-
if (kid) {
|
|
682
|
-
return jwks.keys.find((jwk) => jwk.kid === kid);
|
|
683
|
-
}
|
|
684
|
-
let algFiltered = jwks.keys.filter((key) => key.alg && supportedAlgValues?.includes(key.alg));
|
|
685
|
-
if (algFiltered.length === 0) algFiltered = jwks.keys;
|
|
686
|
-
let encFiltered = algFiltered.filter((key) => key.use === "enc");
|
|
687
|
-
if (!encFiltered) encFiltered = algFiltered.filter((key) => key.use !== "sig");
|
|
688
|
-
return encFiltered.length > 0 ? encFiltered[0] : jwks.keys[0];
|
|
689
|
-
}
|
|
690
|
-
|
|
691
|
-
// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
|
|
692
|
-
var import_oauth26 = require("@openid4vc/oauth2");
|
|
693
|
-
var import_utils6 = require("@openid4vc/utils");
|
|
694
|
-
|
|
695
|
-
// src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
|
|
696
|
-
var import_oauth25 = require("@openid4vc/oauth2");
|
|
697
|
-
var import_zod8 = require("zod");
|
|
698
|
-
var zJarmHeader = import_zod8.z.object({ ...import_oauth25.zJwtHeader.shape, apu: import_zod8.z.string().optional(), apv: import_zod8.z.string().optional() });
|
|
699
|
-
var zJarmAuthorizationResponse = import_zod8.z.object({
|
|
700
|
-
/**
|
|
701
|
-
* iss: The issuer URL of the authorization server that created the response
|
|
702
|
-
* aud: The client_id of the client the response is intended for
|
|
703
|
-
* exp: The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.
|
|
704
|
-
*/
|
|
705
|
-
...import_oauth25.zJwtPayload.shape,
|
|
706
|
-
...import_oauth25.zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,
|
|
707
|
-
state: import_zod8.z.optional(import_zod8.z.string())
|
|
708
|
-
}).passthrough();
|
|
709
|
-
var zJarmAuthorizationResponseEncryptedOnly = import_zod8.z.object({
|
|
710
|
-
...import_oauth25.zJwtPayload.shape,
|
|
711
|
-
state: import_zod8.z.optional(import_zod8.z.string())
|
|
712
|
-
}).passthrough();
|
|
713
|
-
|
|
714
|
-
// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
|
|
715
|
-
var jarmAuthorizationResponseValidate = (options) => {
|
|
716
|
-
const { expectedClientId, authorizationResponse } = options;
|
|
717
|
-
if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {
|
|
718
|
-
return;
|
|
719
|
-
}
|
|
720
|
-
if (expectedClientId !== authorizationResponse.aud) {
|
|
721
|
-
throw new import_oauth26.Oauth2Error(
|
|
722
|
-
`Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`
|
|
723
|
-
);
|
|
724
|
-
}
|
|
725
|
-
if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, import_utils6.dateToSeconds)()) {
|
|
726
|
-
throw new import_oauth26.Oauth2Error("Jarm auth response is expired.");
|
|
727
|
-
}
|
|
728
|
-
};
|
|
729
|
-
|
|
730
|
-
// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
|
|
731
|
-
var JarmMode = /* @__PURE__ */ ((JarmMode2) => {
|
|
732
|
-
JarmMode2["Signed"] = "Signed";
|
|
733
|
-
JarmMode2["Encrypted"] = "Encrypted";
|
|
734
|
-
JarmMode2["SignedEncrypted"] = "SignedEncrypted";
|
|
735
|
-
return JarmMode2;
|
|
736
|
-
})(JarmMode || {});
|
|
737
|
-
var decryptJarmAuthorizationResponseJwt = async (options) => {
|
|
738
|
-
const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options;
|
|
739
|
-
let encryptionJwk = void 0;
|
|
740
|
-
const { header } = (0, import_oauth27.decodeJwtHeader)({
|
|
741
|
-
jwt: jarmAuthorizationResponseJwt
|
|
742
|
-
});
|
|
743
|
-
if (authorizationRequestPayload.client_metadata?.jwks) {
|
|
744
|
-
encryptionJwk = extractEncryptionJwkFromJwks(authorizationRequestPayload.client_metadata.jwks, {
|
|
745
|
-
// Kid always take precedence
|
|
746
|
-
kid: header.kid,
|
|
747
|
-
// This value was removed in draft 26, but if it's still provided, we can use it to determine the key to use
|
|
748
|
-
supportedAlgValues: authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg ? [authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg] : void 0
|
|
749
|
-
});
|
|
750
|
-
}
|
|
751
|
-
const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk });
|
|
752
|
-
if (!result.decrypted) {
|
|
753
|
-
throw new import_oauth27.Oauth2Error("Failed to decrypt jarm auth response.");
|
|
754
|
-
}
|
|
755
|
-
return {
|
|
756
|
-
decryptionJwk: result.decryptionJwk,
|
|
757
|
-
payload: result.payload
|
|
758
|
-
};
|
|
759
|
-
};
|
|
760
|
-
async function verifyJarmAuthorizationResponse(options) {
|
|
761
|
-
const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
|
|
762
|
-
const requestDataIsEncrypted = import_oauth27.zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
|
|
763
|
-
const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmAuthorizationResponseJwt({
|
|
764
|
-
jarmAuthorizationResponseJwt,
|
|
765
|
-
callbacks,
|
|
766
|
-
authorizationRequestPayload
|
|
767
|
-
}) : { payload: jarmAuthorizationResponseJwt, decryptionJwk: void 0 };
|
|
768
|
-
const responseIsSigned = import_oauth27.zCompactJwt.safeParse(decryptedRequestData.payload).success;
|
|
769
|
-
if (!requestDataIsEncrypted && !responseIsSigned) {
|
|
770
|
-
throw new import_oauth27.Oauth2Error("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
|
|
771
|
-
}
|
|
772
|
-
let jarmAuthorizationResponse;
|
|
773
|
-
if (responseIsSigned) {
|
|
774
|
-
const { header: jwsProtectedHeader, payload: jwsPayload } = (0, import_oauth27.decodeJwt)({
|
|
775
|
-
jwt: decryptedRequestData.payload,
|
|
776
|
-
headerSchema: import_zod9.default.object({ ...import_oauth27.zJwtHeader.shape, kid: import_zod9.default.string() })
|
|
777
|
-
});
|
|
778
|
-
const response = zJarmAuthorizationResponse.parse(jwsPayload);
|
|
779
|
-
const jwtSigner = (0, import_oauth27.jwtSignerFromJwt)({ header: jwsProtectedHeader, payload: jwsPayload });
|
|
780
|
-
const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {
|
|
781
|
-
compact: decryptedRequestData.payload,
|
|
782
|
-
header: jwsProtectedHeader,
|
|
783
|
-
payload: jwsPayload
|
|
784
|
-
});
|
|
785
|
-
if (!verificationResult.verified) {
|
|
786
|
-
throw new import_oauth27.Oauth2Error("Jarm Auth Response is not valid.");
|
|
787
|
-
}
|
|
788
|
-
jarmAuthorizationResponse = response;
|
|
789
|
-
} else {
|
|
790
|
-
const jsonRequestData = (0, import_utils7.stringToJsonWithErrorHandling)(
|
|
791
|
-
decryptedRequestData.payload,
|
|
792
|
-
"Unable to parse decrypted JARM JWE body to JSON"
|
|
793
|
-
);
|
|
794
|
-
jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
|
|
795
|
-
}
|
|
796
|
-
jarmAuthorizationResponseValidate({
|
|
797
|
-
expectedClientId,
|
|
798
|
-
authorizationResponse: jarmAuthorizationResponse
|
|
799
|
-
});
|
|
800
|
-
const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
|
|
801
|
-
const issuer = jarmAuthorizationResponse.iss;
|
|
802
|
-
return {
|
|
803
|
-
jarmAuthorizationResponse,
|
|
804
|
-
type,
|
|
805
|
-
issuer,
|
|
806
|
-
decryptionJwk: decryptedRequestData.decryptionJwk
|
|
807
|
-
};
|
|
808
|
-
}
|
|
809
|
-
|
|
810
|
-
// src/version.ts
|
|
811
|
-
var import_oauth28 = require("@openid4vc/oauth2");
|
|
812
|
-
function parseAuthorizationRequestVersion(request) {
|
|
813
|
-
const requirements = [];
|
|
814
|
-
if (request.verifier_info) {
|
|
815
|
-
requirements.push([">=", 100]);
|
|
816
|
-
}
|
|
817
|
-
if (request.verifier_attestations) {
|
|
818
|
-
requirements.push(["<", 100]);
|
|
819
|
-
}
|
|
820
|
-
if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) {
|
|
821
|
-
requirements.push([">=", 28]);
|
|
822
|
-
}
|
|
823
|
-
if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
|
|
824
|
-
requirements.push(["<", 28]);
|
|
825
|
-
}
|
|
826
|
-
if (request.client_metadata?.vp_formats_supported) {
|
|
827
|
-
requirements.push([">=", 27]);
|
|
828
|
-
}
|
|
829
|
-
if (request.client_metadata?.vp_formats) {
|
|
830
|
-
requirements.push(["<", 27]);
|
|
831
|
-
}
|
|
832
|
-
if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
|
|
833
|
-
requirements.push([">=", 26]);
|
|
834
|
-
}
|
|
835
|
-
if (request.client_id?.startsWith("did:")) {
|
|
836
|
-
requirements.push(["<", 26]);
|
|
837
|
-
}
|
|
838
|
-
if (request.presentation_definition || request.presentation_definition_uri) {
|
|
839
|
-
requirements.push(["<", 26]);
|
|
840
|
-
}
|
|
841
|
-
if (request.verifier_attestations) {
|
|
842
|
-
requirements.push([">=", 26]);
|
|
843
|
-
}
|
|
844
|
-
if (request.client_id?.startsWith("x509_san_uri:")) {
|
|
845
|
-
requirements.push(["<", 25]);
|
|
846
|
-
}
|
|
847
|
-
if (request.client_id?.startsWith("x509_hash:")) {
|
|
848
|
-
requirements.push([">=", 25]);
|
|
849
|
-
}
|
|
850
|
-
if (request.client_id?.startsWith("web-origin:")) {
|
|
851
|
-
requirements.push(["<", 25]);
|
|
852
|
-
}
|
|
853
|
-
if (request.client_id?.startsWith("origin:")) {
|
|
854
|
-
requirements.push([">=", 25]);
|
|
855
|
-
}
|
|
856
|
-
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
|
|
857
|
-
requirements.push(["<", 23]);
|
|
858
|
-
requirements.push([">=", 21]);
|
|
859
|
-
}
|
|
860
|
-
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
|
|
861
|
-
requirements.push([">=", 23]);
|
|
862
|
-
}
|
|
863
|
-
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
|
|
864
|
-
requirements.push([">=", 23]);
|
|
865
|
-
}
|
|
866
|
-
if (request.transaction_data) {
|
|
867
|
-
requirements.push([">=", 22]);
|
|
868
|
-
}
|
|
869
|
-
if (request.client_id_scheme) {
|
|
870
|
-
requirements.push(["<", 22]);
|
|
871
|
-
}
|
|
872
|
-
if (request.client_id) {
|
|
873
|
-
const colonIndex = request.client_id.indexOf(":");
|
|
874
|
-
const schemePart = request.client_id.substring(0, colonIndex);
|
|
875
|
-
const parsedScheme = zClientIdPrefix.safeParse(schemePart);
|
|
876
|
-
if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
|
|
877
|
-
requirements.push([">=", 22]);
|
|
878
|
-
}
|
|
879
|
-
}
|
|
880
|
-
if (!request.client_id) {
|
|
881
|
-
requirements.push([">=", 21]);
|
|
882
|
-
}
|
|
883
|
-
if (request.dcql_query) {
|
|
884
|
-
requirements.push([">=", 21]);
|
|
885
|
-
}
|
|
886
|
-
if (request.client_metadata_uri) {
|
|
887
|
-
requirements.push(["<", 21]);
|
|
888
|
-
}
|
|
889
|
-
if (isOpenid4vpAuthorizationRequestDcApi(request)) {
|
|
890
|
-
requirements.push([">=", 21]);
|
|
891
|
-
}
|
|
892
|
-
if (request.request_uri_method || request.wallet_nonce) {
|
|
893
|
-
requirements.push([">=", 21]);
|
|
894
|
-
}
|
|
895
|
-
if (request.client_id_scheme === "verifier_attestation") {
|
|
896
|
-
requirements.push([">=", 20]);
|
|
897
|
-
}
|
|
898
|
-
if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
|
|
899
|
-
requirements.push([">=", 19]);
|
|
900
|
-
}
|
|
901
|
-
const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
|
|
902
|
-
const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
|
|
903
|
-
const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
|
|
904
|
-
const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
|
|
905
|
-
if (lowestRequiredVersion > highestPossibleVersion) {
|
|
906
|
-
throw new import_oauth28.Oauth2ServerErrorResponseError({
|
|
907
|
-
error: import_oauth28.Oauth2ErrorCodes.InvalidRequest,
|
|
908
|
-
error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
|
|
909
|
-
});
|
|
910
|
-
}
|
|
911
|
-
return highestPossibleVersion;
|
|
912
|
-
}
|
|
913
|
-
|
|
914
|
-
// src/authorization-request/create-authorization-request.ts
|
|
915
|
-
var import_oauth212 = require("@openid4vc/oauth2");
|
|
916
|
-
var import_utils10 = require("@openid4vc/utils");
|
|
917
|
-
|
|
918
|
-
// src/jar/create-jar-authorization-request.ts
|
|
919
|
-
var import_oauth29 = require("@openid4vc/oauth2");
|
|
920
|
-
var import_utils8 = require("@openid4vc/utils");
|
|
921
|
-
async function createJarAuthorizationRequest(options) {
|
|
922
|
-
const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
|
|
923
|
-
let authorizationRequestJwt;
|
|
924
|
-
let encryptionJwk;
|
|
925
|
-
const now = options.now ?? /* @__PURE__ */ new Date();
|
|
926
|
-
const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
|
|
927
|
-
header: { ...(0, import_oauth29.jwtHeaderFromJwtSigner)(jwtSigner), typ: "oauth-authz-req+jwt" },
|
|
928
|
-
payload: {
|
|
929
|
-
iat: (0, import_utils8.dateToSeconds)(now),
|
|
930
|
-
exp: (0, import_utils8.dateToSeconds)((0, import_utils8.addSecondsToDate)(now, options.expiresInSeconds)),
|
|
931
|
-
...options.additionalJwtPayload,
|
|
932
|
-
...authorizationRequestPayload
|
|
933
|
-
}
|
|
934
|
-
});
|
|
935
|
-
authorizationRequestJwt = jwt;
|
|
936
|
-
if (jweEncryptor) {
|
|
937
|
-
const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
|
|
938
|
-
authorizationRequestJwt = encryptionResult.jwe;
|
|
939
|
-
encryptionJwk = encryptionResult.encryptionJwk;
|
|
940
|
-
}
|
|
941
|
-
const client_id = authorizationRequestPayload.client_id;
|
|
942
|
-
const jarAuthorizationRequest = requestUri ? { client_id, request_uri: requestUri } : { client_id, request: authorizationRequestJwt };
|
|
943
|
-
return { jarAuthorizationRequest, signerJwk, encryptionJwk, authorizationRequestJwt };
|
|
944
|
-
}
|
|
945
|
-
|
|
946
|
-
// src/authorization-request/validate-authorization-request.ts
|
|
947
|
-
var import_oauth210 = require("@openid4vc/oauth2");
|
|
948
|
-
var import_utils9 = require("@openid4vc/utils");
|
|
949
|
-
var validateOpenid4vpAuthorizationRequestPayload = (options) => {
|
|
950
|
-
const { params, walletVerificationOptions } = options;
|
|
951
|
-
if (!params.redirect_uri && !params.response_uri) {
|
|
952
|
-
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
953
|
-
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
954
|
-
error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
|
|
955
|
-
});
|
|
956
|
-
}
|
|
957
|
-
if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
|
|
958
|
-
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
959
|
-
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
960
|
-
error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
|
|
961
|
-
});
|
|
962
|
-
}
|
|
963
|
-
if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
|
|
964
|
-
Boolean
|
|
965
|
-
).length > 1) {
|
|
966
|
-
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
967
|
-
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
968
|
-
error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
|
|
969
|
-
});
|
|
970
|
-
}
|
|
971
|
-
if (params.request_uri_method && !params.request_uri) {
|
|
972
|
-
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
973
|
-
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
974
|
-
error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
|
|
975
|
-
});
|
|
976
|
-
}
|
|
977
|
-
if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
|
|
978
|
-
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
979
|
-
error: import_oauth210.Oauth2ErrorCodes.InvalidRequestUriMethod,
|
|
980
|
-
error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
|
|
981
|
-
});
|
|
982
|
-
}
|
|
983
|
-
if (params.trust_chain && !import_utils9.zHttpsUrl.safeParse(params.client_id).success) {
|
|
984
|
-
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
985
|
-
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
986
|
-
error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
|
|
987
|
-
});
|
|
988
|
-
}
|
|
989
|
-
if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
|
|
990
|
-
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
991
|
-
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
992
|
-
error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
|
|
993
|
-
});
|
|
994
|
-
}
|
|
995
|
-
if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
|
|
996
|
-
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
997
|
-
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
998
|
-
error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
|
|
999
|
-
});
|
|
1000
|
-
}
|
|
1001
|
-
if (params.client_id.startsWith("web-origin:") || params.client_id.startsWith("origin:")) {
|
|
1002
|
-
throw new import_oauth210.Oauth2ServerErrorResponseError({
|
|
1003
|
-
error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
|
|
1004
|
-
error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(":")[0]}' when not using the dc_api response mode. Current: ${params.client_id}`
|
|
1005
|
-
});
|
|
1006
|
-
}
|
|
1007
|
-
};
|
|
1008
|
-
|
|
1009
|
-
// src/authorization-request/validate-authorization-request-dc-api.ts
|
|
1010
|
-
var import_oauth211 = require("@openid4vc/oauth2");
|
|
1011
|
-
var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
|
|
1012
|
-
const { params, isJarRequest, disableOriginValidation, origin } = options;
|
|
1013
|
-
if (isJarRequest && !params.expected_origins) {
|
|
1014
|
-
throw new import_oauth211.Oauth2ServerErrorResponseError({
|
|
1015
|
-
error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
|
|
1016
|
-
error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
|
|
1017
|
-
});
|
|
1018
|
-
}
|
|
1019
|
-
if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
|
|
1020
|
-
throw new import_oauth211.Oauth2ServerErrorResponseError({
|
|
1021
|
-
error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
|
|
1022
|
-
error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
|
|
1023
|
-
});
|
|
1024
|
-
}
|
|
1025
|
-
if (params.expected_origins && !disableOriginValidation) {
|
|
1026
|
-
if (!origin) {
|
|
1027
|
-
throw new import_oauth211.Oauth2ServerErrorResponseError({
|
|
1028
|
-
error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
|
|
1029
|
-
error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
|
|
1030
|
-
});
|
|
1031
|
-
}
|
|
1032
|
-
if (params.expected_origins && !params.expected_origins.includes(origin)) {
|
|
1033
|
-
throw new import_oauth211.Oauth2ServerErrorResponseError({
|
|
1034
|
-
error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
|
|
1035
|
-
error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
|
|
1036
|
-
});
|
|
1037
|
-
}
|
|
1038
|
-
}
|
|
1039
|
-
};
|
|
1040
|
-
|
|
1041
|
-
// src/authorization-request/create-authorization-request.ts
|
|
335
|
+
//#endregion
|
|
336
|
+
//#region src/authorization-request/create-authorization-request.ts
|
|
337
|
+
/**
|
|
338
|
+
* Creates an OpenID4VP authorization request, optionally with a JWT Secured Authorization Request (JAR)
|
|
339
|
+
* If the request is created after receiving wallet metadata via a POST to the request_uri endpoint, the wallet nonce needs to be provided
|
|
340
|
+
*
|
|
341
|
+
* @param options Configuration options for creating the authorization request
|
|
342
|
+
* @param input.scheme Optional URI scheme to use (defaults to 'openid4vp://')
|
|
343
|
+
* @param input.authorizationRequestPayload The OpenID4VP authorization request parameters
|
|
344
|
+
* @param input.jar Optional JWT Secured Authorization Request (JAR) configuration
|
|
345
|
+
* @param input.jar.requestUri The URI where the JAR will be accessible
|
|
346
|
+
* @param input.jar.jwtSigner Function to sign the JAR JWT
|
|
347
|
+
* @param input.jar.jweEncryptor Optional function to encrypt the JAR JWT
|
|
348
|
+
* @param input.jar.additionalJwtPayload Optional additional claims to include in JAR JWT
|
|
349
|
+
* @param input.wallet Optional wallet-specific parameters
|
|
350
|
+
* @param input.wallet.nonce Optional wallet nonce
|
|
351
|
+
* @param input.callbacks Callback functions for JWT operations
|
|
352
|
+
* @returns Object containing the authorization request parameters, URI and optional JAR details
|
|
353
|
+
*/
|
|
1042
354
|
async function createOpenid4vpAuthorizationRequest(options) {
|
|
1043
|
-
|
|
1044
|
-
|
|
1045
|
-
|
|
1046
|
-
|
|
1047
|
-
|
|
1048
|
-
|
|
1049
|
-
|
|
1050
|
-
|
|
1051
|
-
|
|
1052
|
-
|
|
1053
|
-
|
|
1054
|
-
|
|
1055
|
-
|
|
1056
|
-
|
|
1057
|
-
|
|
1058
|
-
|
|
1059
|
-
|
|
1060
|
-
|
|
1061
|
-
|
|
1062
|
-
|
|
1063
|
-
|
|
1064
|
-
|
|
1065
|
-
|
|
1066
|
-
|
|
1067
|
-
|
|
1068
|
-
|
|
1069
|
-
|
|
1070
|
-
|
|
1071
|
-
|
|
1072
|
-
|
|
1073
|
-
|
|
1074
|
-
|
|
1075
|
-
|
|
1076
|
-
|
|
1077
|
-
|
|
1078
|
-
|
|
1079
|
-
|
|
1080
|
-
|
|
1081
|
-
|
|
1082
|
-
|
|
1083
|
-
|
|
1084
|
-
|
|
1085
|
-
|
|
1086
|
-
|
|
1087
|
-
|
|
1088
|
-
|
|
1089
|
-
|
|
1090
|
-
|
|
1091
|
-
|
|
1092
|
-
|
|
1093
|
-
|
|
1094
|
-
|
|
1095
|
-
|
|
1096
|
-
}
|
|
1097
|
-
const url = new import_utils10.URL(scheme);
|
|
1098
|
-
url.search = `?${new import_utils10.URLSearchParams([
|
|
1099
|
-
...url.searchParams.entries(),
|
|
1100
|
-
...(0, import_utils10.objectToQueryParams)(authorizationRequestPayload).entries()
|
|
1101
|
-
]).toString()}`;
|
|
1102
|
-
return {
|
|
1103
|
-
authorizationRequestPayload,
|
|
1104
|
-
authorizationRequestObject: authorizationRequestPayload,
|
|
1105
|
-
authorizationRequest: url.toString(),
|
|
1106
|
-
jar: void 0
|
|
1107
|
-
};
|
|
355
|
+
const { jar, scheme = "openid4vp://", wallet, callbacks } = options;
|
|
356
|
+
let additionalJwtPayload;
|
|
357
|
+
let authorizationRequestPayload;
|
|
358
|
+
if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
|
|
359
|
+
authorizationRequestPayload = (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationRequestDcApi, options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp dc_api authorization request.");
|
|
360
|
+
if (jar && !authorizationRequestPayload.expected_origins) throw new __openid4vc_oauth2.Oauth2Error(`The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`);
|
|
361
|
+
validateOpenid4vpAuthorizationRequestDcApiPayload({
|
|
362
|
+
params: authorizationRequestPayload,
|
|
363
|
+
isJarRequest: Boolean(jar),
|
|
364
|
+
disableOriginValidation: true
|
|
365
|
+
});
|
|
366
|
+
} else {
|
|
367
|
+
authorizationRequestPayload = (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationRequest, options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp authorization request.");
|
|
368
|
+
validateOpenid4vpAuthorizationRequestPayload({
|
|
369
|
+
params: authorizationRequestPayload,
|
|
370
|
+
walletVerificationOptions: wallet
|
|
371
|
+
});
|
|
372
|
+
}
|
|
373
|
+
if (jar) {
|
|
374
|
+
if (!jar.additionalJwtPayload?.aud) additionalJwtPayload = {
|
|
375
|
+
...jar.additionalJwtPayload,
|
|
376
|
+
aud: jar.requestUri
|
|
377
|
+
};
|
|
378
|
+
const jarResult = await createJarAuthorizationRequest({
|
|
379
|
+
...jar,
|
|
380
|
+
authorizationRequestPayload,
|
|
381
|
+
additionalJwtPayload,
|
|
382
|
+
callbacks
|
|
383
|
+
});
|
|
384
|
+
const url$1 = new __openid4vc_utils.URL(scheme);
|
|
385
|
+
url$1.search = `?${new __openid4vc_utils.URLSearchParams([
|
|
386
|
+
...url$1.searchParams.entries(),
|
|
387
|
+
...(0, __openid4vc_utils.objectToQueryParams)(jarResult.jarAuthorizationRequest).entries(),
|
|
388
|
+
...authorizationRequestPayload.client_id_scheme ? [["client_id_scheme", authorizationRequestPayload.client_id_scheme]] : []
|
|
389
|
+
]).toString()}`;
|
|
390
|
+
return {
|
|
391
|
+
authorizationRequestPayload,
|
|
392
|
+
authorizationRequestObject: jarResult.jarAuthorizationRequest,
|
|
393
|
+
authorizationRequest: url$1.toString(),
|
|
394
|
+
jar: {
|
|
395
|
+
...jar,
|
|
396
|
+
...jarResult
|
|
397
|
+
}
|
|
398
|
+
};
|
|
399
|
+
}
|
|
400
|
+
const url = new __openid4vc_utils.URL(scheme);
|
|
401
|
+
url.search = `?${new __openid4vc_utils.URLSearchParams([...url.searchParams.entries(), ...(0, __openid4vc_utils.objectToQueryParams)(authorizationRequestPayload).entries()]).toString()}`;
|
|
402
|
+
return {
|
|
403
|
+
authorizationRequestPayload,
|
|
404
|
+
authorizationRequestObject: authorizationRequestPayload,
|
|
405
|
+
authorizationRequest: url.toString(),
|
|
406
|
+
jar: void 0
|
|
407
|
+
};
|
|
1108
408
|
}
|
|
1109
409
|
|
|
1110
|
-
|
|
1111
|
-
|
|
1112
|
-
|
|
1113
|
-
|
|
1114
|
-
|
|
1115
|
-
|
|
1116
|
-
|
|
1117
|
-
var import_utils11 = require("@openid4vc/utils");
|
|
1118
|
-
var import_zod10 = require("zod");
|
|
1119
|
-
var zJarAuthorizationRequest = import_zod10.z.object({
|
|
1120
|
-
request: import_zod10.z.optional(import_zod10.z.string()),
|
|
1121
|
-
request_uri: import_zod10.z.optional(import_utils11.zHttpsUrl),
|
|
1122
|
-
request_uri_method: import_zod10.z.optional(import_zod10.z.string()),
|
|
1123
|
-
client_id: import_zod10.z.optional(import_zod10.z.string())
|
|
410
|
+
//#endregion
|
|
411
|
+
//#region src/jar/z-jar-authorization-request.ts
|
|
412
|
+
const zJarAuthorizationRequest = zod.z.object({
|
|
413
|
+
request: zod.z.optional(zod.z.string()),
|
|
414
|
+
request_uri: zod.z.optional(__openid4vc_utils.zHttpsUrl),
|
|
415
|
+
request_uri_method: zod.z.optional(zod.z.string()),
|
|
416
|
+
client_id: zod.z.optional(zod.z.string())
|
|
1124
417
|
}).passthrough();
|
|
1125
418
|
function validateJarRequestParams(options) {
|
|
1126
|
-
|
|
1127
|
-
|
|
1128
|
-
|
|
1129
|
-
|
|
1130
|
-
|
|
1131
|
-
|
|
1132
|
-
|
|
1133
|
-
|
|
1134
|
-
|
|
1135
|
-
|
|
1136
|
-
error_description: "request or request_uri must be present"
|
|
1137
|
-
});
|
|
1138
|
-
}
|
|
1139
|
-
return jarRequestParams;
|
|
419
|
+
const { jarRequestParams } = options;
|
|
420
|
+
if (jarRequestParams.request && jarRequestParams.request_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
421
|
+
error: "invalid_request_object",
|
|
422
|
+
error_description: "request and request_uri cannot both be present in a JAR request"
|
|
423
|
+
});
|
|
424
|
+
if (!jarRequestParams.request && !jarRequestParams.request_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
425
|
+
error: "invalid_request_object",
|
|
426
|
+
error_description: "request or request_uri must be present"
|
|
427
|
+
});
|
|
428
|
+
return jarRequestParams;
|
|
1140
429
|
}
|
|
1141
430
|
function isJarAuthorizationRequest(request) {
|
|
1142
|
-
|
|
431
|
+
return "request" in request || "request_uri" in request;
|
|
1143
432
|
}
|
|
1144
433
|
|
|
1145
|
-
|
|
434
|
+
//#endregion
|
|
435
|
+
//#region src/authorization-request/parse-authorization-request-params.ts
|
|
1146
436
|
function parseOpenid4vpAuthorizationRequest(options) {
|
|
1147
|
-
|
|
1148
|
-
|
|
1149
|
-
|
|
1150
|
-
|
|
1151
|
-
|
|
1152
|
-
|
|
1153
|
-
|
|
1154
|
-
|
|
1155
|
-
|
|
1156
|
-
|
|
1157
|
-
|
|
1158
|
-
|
|
1159
|
-
|
|
1160
|
-
|
|
1161
|
-
|
|
1162
|
-
|
|
1163
|
-
|
|
1164
|
-
|
|
1165
|
-
|
|
1166
|
-
|
|
1167
|
-
|
|
1168
|
-
|
|
1169
|
-
|
|
1170
|
-
|
|
1171
|
-
|
|
1172
|
-
|
|
1173
|
-
|
|
1174
|
-
|
|
1175
|
-
|
|
1176
|
-
|
|
1177
|
-
|
|
1178
|
-
return {
|
|
1179
|
-
type: "openid4vp_dc_api",
|
|
1180
|
-
provided,
|
|
1181
|
-
params: parsedRequest
|
|
1182
|
-
};
|
|
1183
|
-
}
|
|
1184
|
-
return {
|
|
1185
|
-
type: "openid4vp",
|
|
1186
|
-
provided,
|
|
1187
|
-
params: parsedRequest
|
|
1188
|
-
};
|
|
437
|
+
const { authorizationRequest } = options;
|
|
438
|
+
let provided = "params";
|
|
439
|
+
let params;
|
|
440
|
+
if (typeof authorizationRequest === "string") if (authorizationRequest.includes(":")) {
|
|
441
|
+
params = (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationRequestFromUriParams, authorizationRequest, "Unable to parse openid4vp authorization request uri to a valid object");
|
|
442
|
+
provided = "uri";
|
|
443
|
+
} else {
|
|
444
|
+
params = (0, __openid4vc_oauth2.decodeJwt)({ jwt: authorizationRequest }).payload;
|
|
445
|
+
provided = "jwt";
|
|
446
|
+
}
|
|
447
|
+
else params = authorizationRequest;
|
|
448
|
+
const parsedRequest = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([
|
|
449
|
+
zOpenid4vpAuthorizationRequest,
|
|
450
|
+
zJarAuthorizationRequest,
|
|
451
|
+
zOpenid4vpAuthorizationRequestDcApi
|
|
452
|
+
]), params);
|
|
453
|
+
if (isJarAuthorizationRequest(parsedRequest)) return {
|
|
454
|
+
type: "jar",
|
|
455
|
+
provided,
|
|
456
|
+
params: parsedRequest
|
|
457
|
+
};
|
|
458
|
+
if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) return {
|
|
459
|
+
type: "openid4vp_dc_api",
|
|
460
|
+
provided,
|
|
461
|
+
params: parsedRequest
|
|
462
|
+
};
|
|
463
|
+
return {
|
|
464
|
+
type: "openid4vp",
|
|
465
|
+
provided,
|
|
466
|
+
params: parsedRequest
|
|
467
|
+
};
|
|
1189
468
|
}
|
|
1190
469
|
|
|
1191
|
-
|
|
1192
|
-
|
|
1193
|
-
|
|
1194
|
-
|
|
470
|
+
//#endregion
|
|
471
|
+
//#region src/client-identifier-prefix/z-client-id-prefix.ts
|
|
472
|
+
const zClientIdPrefix = zod.z.enum([
|
|
473
|
+
"pre-registered",
|
|
474
|
+
"redirect_uri",
|
|
475
|
+
"verifier_attestation",
|
|
476
|
+
"https",
|
|
477
|
+
"openid_federation",
|
|
478
|
+
"did",
|
|
479
|
+
"decentralized_identifier",
|
|
480
|
+
"x509_san_uri",
|
|
481
|
+
"x509_hash",
|
|
482
|
+
"x509_san_dns",
|
|
483
|
+
"origin",
|
|
484
|
+
"web-origin"
|
|
485
|
+
]);
|
|
486
|
+
const zUniformClientIdPrefix = zClientIdPrefix.exclude([
|
|
487
|
+
"did",
|
|
488
|
+
"https",
|
|
489
|
+
"web-origin"
|
|
490
|
+
]);
|
|
491
|
+
const zClientIdToClientIdPrefixAndIdentifier = zod.z.union([zod.z.string({ message: "client_id MUST be a string" }).includes(":").transform((clientId) => {
|
|
492
|
+
const colonIndex = clientId.indexOf(":");
|
|
493
|
+
const clientIdPrefix = clientId.slice(0, colonIndex);
|
|
494
|
+
const clientIdIdentifier = clientId.slice(colonIndex + 1);
|
|
495
|
+
if (clientIdPrefix === "http" && (0, __openid4vc_utils.getGlobalConfig)().allowInsecureUrls) return ["https", clientId];
|
|
496
|
+
if (clientIdPrefix === "did" || clientIdPrefix === "http" || clientIdPrefix === "https") return [clientIdPrefix, clientId];
|
|
497
|
+
return [clientIdPrefix, clientIdIdentifier];
|
|
498
|
+
}).pipe(zod.z.tuple([zClientIdPrefix.exclude(["pre-registered"]), zod.z.string()])), zod.z.string().refine((clientId) => clientId.includes(":") === false).transform((clientId) => ["pre-registered", clientId])], { message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdPrefix.exclude(["pre-registered"]).options.join(", ")}` });
|
|
499
|
+
const zClientIdPrefixToUniform = zClientIdPrefix.transform((prefix) => prefix === "did" ? "decentralized_identifier" : prefix === "https" ? "openid_federation" : prefix === "web-origin" ? "origin" : prefix);
|
|
500
|
+
const zLegacyClientIdScheme = zod.z.enum([
|
|
501
|
+
"pre-registered",
|
|
502
|
+
"redirect_uri",
|
|
503
|
+
"entity_id",
|
|
504
|
+
"did",
|
|
505
|
+
"verifier_attestation",
|
|
506
|
+
"x509_san_dns",
|
|
507
|
+
"x509_san_uri"
|
|
508
|
+
]);
|
|
509
|
+
const zLegacyClientIdSchemeToClientIdPrefix = zLegacyClientIdScheme.optional().default("pre-registered").transform((clientIdScheme) => clientIdScheme === "entity_id" ? "openid_federation" : clientIdScheme === "did" ? "decentralized_identifier" : clientIdScheme);
|
|
510
|
+
|
|
511
|
+
//#endregion
|
|
512
|
+
//#region src/client-identifier-prefix/parse-client-identifier-prefix.ts
|
|
513
|
+
/**
|
|
514
|
+
* Get the client id for an authorization request based on the response_mode, client_id, client_id_scheme and origin values.
|
|
515
|
+
*
|
|
516
|
+
* It will return the client id prefix as used in OpenID4VP v1, and optionally provide the legacyClientId if the
|
|
517
|
+
* client id was provided with a client_id_scheme
|
|
518
|
+
*/
|
|
519
|
+
function getOpenid4vpClientId(options) {
|
|
520
|
+
const original = { clientId: options.clientId };
|
|
521
|
+
const version = options.version ?? 100;
|
|
522
|
+
if (isOpenid4vpResponseModeDcApi(options.responseMode)) {
|
|
523
|
+
if (!options.clientId) {
|
|
524
|
+
if (!options.origin) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
525
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
526
|
+
error_description: "Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'"
|
|
527
|
+
});
|
|
528
|
+
return {
|
|
529
|
+
clientIdPrefix: "origin",
|
|
530
|
+
effectiveClientIdPrefix: "origin",
|
|
531
|
+
clientIdIdentifier: options.origin,
|
|
532
|
+
effectiveClientId: version >= 25 ? `origin:${options.origin}` : `web-origin:${options.origin}`,
|
|
533
|
+
original
|
|
534
|
+
};
|
|
535
|
+
}
|
|
536
|
+
const parsedClientIdPrefixAndIdentifier$1 = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId);
|
|
537
|
+
if (!parsedClientIdPrefixAndIdentifier$1.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
538
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
539
|
+
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
540
|
+
});
|
|
541
|
+
const [clientIdScheme$1, clientIdIdentifier$1] = parsedClientIdPrefixAndIdentifier$1.data;
|
|
542
|
+
const uniformClientIdScheme$1 = zClientIdPrefixToUniform.safeParse(clientIdScheme$1);
|
|
543
|
+
if (!uniformClientIdScheme$1.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
544
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
545
|
+
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
546
|
+
});
|
|
547
|
+
return {
|
|
548
|
+
effectiveClientId: options.clientId,
|
|
549
|
+
effectiveClientIdPrefix: clientIdScheme$1,
|
|
550
|
+
original,
|
|
551
|
+
clientIdPrefix: uniformClientIdScheme$1.data,
|
|
552
|
+
clientIdIdentifier: clientIdIdentifier$1
|
|
553
|
+
};
|
|
554
|
+
}
|
|
555
|
+
if (!options.clientId) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
556
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
557
|
+
error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`
|
|
558
|
+
});
|
|
559
|
+
if (options.legacyClientIdScheme) {
|
|
560
|
+
const parsedClientIdPrefix = zLegacyClientIdSchemeToClientIdPrefix.safeParse(options.legacyClientIdScheme);
|
|
561
|
+
if (!parsedClientIdPrefix.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
562
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
563
|
+
error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`
|
|
564
|
+
});
|
|
565
|
+
const clientIdPrefix = parsedClientIdPrefix.data;
|
|
566
|
+
return {
|
|
567
|
+
effectiveClientId: options.clientId,
|
|
568
|
+
clientIdIdentifier: options.clientId,
|
|
569
|
+
clientIdPrefix,
|
|
570
|
+
effectiveClientIdPrefix: options.legacyClientIdScheme ?? "pre-registered",
|
|
571
|
+
original: {
|
|
572
|
+
...original,
|
|
573
|
+
clientIdScheme: options.legacyClientIdScheme
|
|
574
|
+
}
|
|
575
|
+
};
|
|
576
|
+
}
|
|
577
|
+
const parsedClientIdPrefixAndIdentifier = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId);
|
|
578
|
+
if (!parsedClientIdPrefixAndIdentifier.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
579
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
580
|
+
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
581
|
+
});
|
|
582
|
+
const [clientIdScheme, clientIdIdentifier] = parsedClientIdPrefixAndIdentifier.data;
|
|
583
|
+
const uniformClientIdScheme = zClientIdPrefixToUniform.safeParse(clientIdScheme);
|
|
584
|
+
if (!uniformClientIdScheme.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
585
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
586
|
+
error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
|
|
587
|
+
});
|
|
588
|
+
return {
|
|
589
|
+
effectiveClientId: options.clientId,
|
|
590
|
+
clientIdPrefix: uniformClientIdScheme.data,
|
|
591
|
+
effectiveClientIdPrefix: clientIdScheme,
|
|
592
|
+
clientIdIdentifier,
|
|
593
|
+
original
|
|
594
|
+
};
|
|
595
|
+
}
|
|
596
|
+
/**
|
|
597
|
+
* Parse and validate a client identifier
|
|
598
|
+
*/
|
|
599
|
+
async function validateOpenid4vpClientId(options, parserConfig) {
|
|
600
|
+
const { authorizationRequestPayload, jar, origin } = options;
|
|
601
|
+
const parserConfigWithDefaults = { supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdPrefix.options) };
|
|
602
|
+
const { clientIdIdentifier, clientIdPrefix, effectiveClientId, original } = getOpenid4vpClientId({
|
|
603
|
+
clientId: authorizationRequestPayload.client_id,
|
|
604
|
+
legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
|
|
605
|
+
responseMode: authorizationRequestPayload.response_mode,
|
|
606
|
+
origin
|
|
607
|
+
});
|
|
608
|
+
if (clientIdPrefix === "pre-registered") return {
|
|
609
|
+
prefix: "pre-registered",
|
|
610
|
+
identifier: clientIdIdentifier,
|
|
611
|
+
effective: effectiveClientId,
|
|
612
|
+
original
|
|
613
|
+
};
|
|
614
|
+
if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdPrefix)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
615
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
616
|
+
error_description: `Unsupported client identifier prefix. ${clientIdPrefix} is not supported.`
|
|
617
|
+
});
|
|
618
|
+
if (clientIdPrefix === "openid_federation") {
|
|
619
|
+
if (!__openid4vc_utils.zHttpsUrl.safeParse(clientIdIdentifier).success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
620
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
621
|
+
error_description: "Invalid client identifier. Client identifier must start with https://"
|
|
622
|
+
}, { internalMessage: `Insecure http:// urls can be enabled by setting the 'allowInsecureUrls' option using setGlobalConfig` });
|
|
623
|
+
if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
624
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
625
|
+
error_description: "Using client identifier prefix \"https\" requires a signed JAR request."
|
|
626
|
+
});
|
|
627
|
+
if (jar.signer.method !== "federation") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
628
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
629
|
+
error_description: "Something went wrong. The JWT signer method is not federation but the client identifier prefix is https."
|
|
630
|
+
});
|
|
631
|
+
return {
|
|
632
|
+
prefix: "openid_federation",
|
|
633
|
+
identifier: clientIdIdentifier,
|
|
634
|
+
effective: effectiveClientId,
|
|
635
|
+
original,
|
|
636
|
+
trustChain: authorizationRequestPayload.trust_chain
|
|
637
|
+
};
|
|
638
|
+
}
|
|
639
|
+
if (clientIdPrefix === "redirect_uri") {
|
|
640
|
+
if (jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
641
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
642
|
+
error_description: "Using client identifier prefix \"redirect_uri\" the request MUST NOT be signed."
|
|
643
|
+
});
|
|
644
|
+
if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
645
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
646
|
+
error_description: `The client identifier prefix 'redirect_uri' is not supported when using the dc_api response mode.`
|
|
647
|
+
});
|
|
648
|
+
if (authorizationRequestPayload.redirect_uri && authorizationRequestPayload.redirect_uri !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
649
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidClient,
|
|
650
|
+
error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the redirect_uri.`
|
|
651
|
+
});
|
|
652
|
+
if (authorizationRequestPayload.response_uri && authorizationRequestPayload.response_uri !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
653
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidClient,
|
|
654
|
+
error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the response_uri.`
|
|
655
|
+
});
|
|
656
|
+
return {
|
|
657
|
+
prefix: clientIdPrefix,
|
|
658
|
+
identifier: clientIdIdentifier,
|
|
659
|
+
effective: effectiveClientId,
|
|
660
|
+
original,
|
|
661
|
+
clientMetadata: authorizationRequestPayload.client_metadata,
|
|
662
|
+
redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
|
|
663
|
+
};
|
|
664
|
+
}
|
|
665
|
+
if (clientIdPrefix === "decentralized_identifier") {
|
|
666
|
+
if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
667
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
668
|
+
error_description: "Using client identifier prefix \"did\" requires a signed JAR request."
|
|
669
|
+
});
|
|
670
|
+
if (jar.signer.method !== "did") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
671
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
672
|
+
error_description: "Something went wrong. The JWT signer method is not did but the client identifier prefix is did."
|
|
673
|
+
});
|
|
674
|
+
if (!clientIdIdentifier.startsWith("did:")) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
675
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
676
|
+
error_description: "Invalid client identifier. Client id identifier must start with 'did:'"
|
|
677
|
+
});
|
|
678
|
+
const [did] = jar.signer.didUrl.split("#");
|
|
679
|
+
if (clientIdIdentifier !== did) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
680
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
681
|
+
error_description: `With client identifier prefix '${clientIdPrefix}' the JAR request must be signed by the same DID as the client identifier.`
|
|
682
|
+
});
|
|
683
|
+
return {
|
|
684
|
+
prefix: "decentralized_identifier",
|
|
685
|
+
identifier: clientIdIdentifier,
|
|
686
|
+
effective: effectiveClientId,
|
|
687
|
+
original,
|
|
688
|
+
clientMetadata: authorizationRequestPayload.client_metadata,
|
|
689
|
+
didUrl: jar.signer.didUrl
|
|
690
|
+
};
|
|
691
|
+
}
|
|
692
|
+
if (clientIdPrefix === "x509_san_dns" || clientIdPrefix === "x509_san_uri" || clientIdPrefix === "x509_hash") {
|
|
693
|
+
if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
694
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
695
|
+
error_description: `Using client identifier prefix '${clientIdPrefix}' requires a signed JAR request.`
|
|
696
|
+
});
|
|
697
|
+
if (jar.signer.method !== "x5c") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
698
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
699
|
+
error_description: `Something went wrong. The JWT signer method is not x5c but the client identifier prefix is '${clientIdPrefix}'`
|
|
700
|
+
});
|
|
701
|
+
if (!options.callbacks.getX509CertificateMetadata) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({ error: __openid4vc_oauth2.Oauth2ErrorCodes.ServerError }, { internalMessage: `Missing required 'getX509CertificateMetadata' callback for verification of '${clientIdPrefix}' client id prefix` });
|
|
702
|
+
if (clientIdPrefix === "x509_san_dns") {
|
|
703
|
+
const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
|
|
704
|
+
if (!sanDnsNames.includes(clientIdIdentifier)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
705
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
706
|
+
error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'. `
|
|
707
|
+
});
|
|
708
|
+
if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
|
|
709
|
+
const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
|
|
710
|
+
if (!uri || new __openid4vc_utils.URL(uri).hostname !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
711
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
712
|
+
error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
|
|
713
|
+
});
|
|
714
|
+
}
|
|
715
|
+
} else if (clientIdPrefix === "x509_san_uri") {
|
|
716
|
+
const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
|
|
717
|
+
if (!sanUriNames.includes(clientIdIdentifier)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
718
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
719
|
+
error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'.`
|
|
720
|
+
});
|
|
721
|
+
if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
|
|
722
|
+
const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
|
|
723
|
+
if (!uri || uri !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
724
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
725
|
+
error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
|
|
726
|
+
});
|
|
727
|
+
}
|
|
728
|
+
} else if (clientIdPrefix === "x509_hash") {
|
|
729
|
+
const x509Hash = (0, __openid4vc_utils.encodeToBase64Url)(await options.callbacks.hash((0, __openid4vc_utils.decodeBase64)(jar.signer.x5c[0]), __openid4vc_oauth2.HashAlgorithm.Sha256));
|
|
730
|
+
if (x509Hash !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
731
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
732
|
+
error_description: `Invalid client identifier. Expected the base64url encoded sha-256 hash of the leaf x5c certificate ('${x509Hash}') to match the client identifier '${clientIdIdentifier}'.`
|
|
733
|
+
});
|
|
734
|
+
}
|
|
735
|
+
return {
|
|
736
|
+
prefix: clientIdPrefix,
|
|
737
|
+
identifier: clientIdIdentifier,
|
|
738
|
+
effective: effectiveClientId,
|
|
739
|
+
original,
|
|
740
|
+
x5c: jar.signer.x5c,
|
|
741
|
+
clientMetadata: authorizationRequestPayload.client_metadata
|
|
742
|
+
};
|
|
743
|
+
}
|
|
744
|
+
if (clientIdPrefix === "origin") return {
|
|
745
|
+
prefix: clientIdPrefix,
|
|
746
|
+
identifier: clientIdIdentifier,
|
|
747
|
+
effective: effectiveClientId,
|
|
748
|
+
original,
|
|
749
|
+
clientMetadata: authorizationRequestPayload.client_metadata
|
|
750
|
+
};
|
|
751
|
+
if (clientIdPrefix === "verifier_attestation") {
|
|
752
|
+
if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
753
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
754
|
+
error_description: "Using client identifier prefix \"verifier_attestation\" requires a signed JAR request."
|
|
755
|
+
});
|
|
756
|
+
}
|
|
757
|
+
return {
|
|
758
|
+
prefix: clientIdPrefix,
|
|
759
|
+
clientMetadata: authorizationRequestPayload.client_metadata,
|
|
760
|
+
identifier: clientIdIdentifier,
|
|
761
|
+
effective: effectiveClientId,
|
|
762
|
+
original
|
|
763
|
+
};
|
|
764
|
+
}
|
|
1195
765
|
|
|
1196
|
-
|
|
1197
|
-
|
|
1198
|
-
var import_utils13 = require("@openid4vc/utils");
|
|
766
|
+
//#endregion
|
|
767
|
+
//#region src/fetch-client-metadata.ts
|
|
1199
768
|
async function fetchClientMetadata(options) {
|
|
1200
|
-
|
|
1201
|
-
|
|
1202
|
-
|
|
1203
|
-
|
|
1204
|
-
|
|
1205
|
-
|
|
1206
|
-
|
|
1207
|
-
|
|
1208
|
-
|
|
1209
|
-
|
|
1210
|
-
|
|
1211
|
-
|
|
1212
|
-
|
|
1213
|
-
|
|
1214
|
-
if (!result || !result.success) {
|
|
1215
|
-
throw new import_oauth215.Oauth2ServerErrorResponseError({
|
|
1216
|
-
error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
|
|
1217
|
-
error: import_oauth215.Oauth2ErrorCodes.InvalidRequestObject
|
|
1218
|
-
});
|
|
1219
|
-
}
|
|
1220
|
-
return result.data;
|
|
769
|
+
const { fetch, clientMetadataUri } = options;
|
|
770
|
+
const { result, response } = await (0, __openid4vc_utils.createZodFetcher)(fetch)(zClientMetadata, __openid4vc_utils.ContentType.Json, clientMetadataUri, {
|
|
771
|
+
method: "GET",
|
|
772
|
+
headers: { Accept: __openid4vc_utils.ContentType.Json }
|
|
773
|
+
});
|
|
774
|
+
if (!response.ok) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
775
|
+
error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
|
|
776
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUri
|
|
777
|
+
});
|
|
778
|
+
if (!result || !result.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
779
|
+
error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
|
|
780
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject
|
|
781
|
+
});
|
|
782
|
+
return result.data;
|
|
1221
783
|
}
|
|
1222
784
|
|
|
1223
|
-
|
|
1224
|
-
|
|
1225
|
-
|
|
785
|
+
//#endregion
|
|
786
|
+
//#region src/version.ts
|
|
787
|
+
function parseAuthorizationRequestVersion(request) {
|
|
788
|
+
const requirements = [];
|
|
789
|
+
if (request.verifier_info) requirements.push([">=", 100]);
|
|
790
|
+
if (request.verifier_attestations) requirements.push(["<", 100]);
|
|
791
|
+
if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) requirements.push([">=", 28]);
|
|
792
|
+
if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) requirements.push(["<", 28]);
|
|
793
|
+
if (request.client_metadata?.vp_formats_supported) requirements.push([">=", 27]);
|
|
794
|
+
if (request.client_metadata?.vp_formats) requirements.push(["<", 27]);
|
|
795
|
+
if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) requirements.push([">=", 26]);
|
|
796
|
+
if (request.client_id?.startsWith("did:")) requirements.push(["<", 26]);
|
|
797
|
+
if (request.presentation_definition || request.presentation_definition_uri) requirements.push(["<", 26]);
|
|
798
|
+
if (request.verifier_attestations) requirements.push([">=", 26]);
|
|
799
|
+
if (request.client_id?.startsWith("x509_san_uri:")) requirements.push(["<", 25]);
|
|
800
|
+
if (request.client_id?.startsWith("x509_hash:")) requirements.push([">=", 25]);
|
|
801
|
+
if (request.client_id?.startsWith("web-origin:")) requirements.push(["<", 25]);
|
|
802
|
+
if (request.client_id?.startsWith("origin:")) requirements.push([">=", 25]);
|
|
803
|
+
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
|
|
804
|
+
requirements.push(["<", 23]);
|
|
805
|
+
requirements.push([">=", 21]);
|
|
806
|
+
}
|
|
807
|
+
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) requirements.push([">=", 23]);
|
|
808
|
+
if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) requirements.push([">=", 23]);
|
|
809
|
+
if (request.transaction_data) requirements.push([">=", 22]);
|
|
810
|
+
if (request.client_id_scheme) requirements.push(["<", 22]);
|
|
811
|
+
if (request.client_id) {
|
|
812
|
+
const colonIndex = request.client_id.indexOf(":");
|
|
813
|
+
const schemePart = request.client_id.substring(0, colonIndex);
|
|
814
|
+
const parsedScheme = zClientIdPrefix.safeParse(schemePart);
|
|
815
|
+
if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") requirements.push([">=", 22]);
|
|
816
|
+
}
|
|
817
|
+
if (!request.client_id) requirements.push([">=", 21]);
|
|
818
|
+
if (request.dcql_query) requirements.push([">=", 21]);
|
|
819
|
+
if (request.client_metadata_uri) requirements.push(["<", 21]);
|
|
820
|
+
if (isOpenid4vpAuthorizationRequestDcApi(request)) requirements.push([">=", 21]);
|
|
821
|
+
if (request.request_uri_method || request.wallet_nonce) requirements.push([">=", 21]);
|
|
822
|
+
if (request.client_id_scheme === "verifier_attestation") requirements.push([">=", 20]);
|
|
823
|
+
if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") requirements.push([">=", 19]);
|
|
824
|
+
const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
|
|
825
|
+
const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
|
|
826
|
+
const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
|
|
827
|
+
const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
|
|
828
|
+
if (lowestRequiredVersion > highestPossibleVersion) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
829
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
830
|
+
error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
|
|
831
|
+
});
|
|
832
|
+
return highestPossibleVersion;
|
|
833
|
+
}
|
|
1226
834
|
|
|
1227
|
-
|
|
1228
|
-
|
|
1229
|
-
|
|
835
|
+
//#endregion
|
|
836
|
+
//#region src/jar/jar-request-object/fetch-jar-request-object.ts
|
|
837
|
+
/**
|
|
838
|
+
* Fetch a request object and parse the response.
|
|
839
|
+
* If you want to fetch the request object without providing wallet_metadata or wallet_nonce as defined in jar you can use the `fetchJarRequestObject` function.
|
|
840
|
+
*
|
|
841
|
+
* Returns validated request object if successful response
|
|
842
|
+
* Throws error otherwise
|
|
843
|
+
*
|
|
844
|
+
* @throws {ValidationError} if successful response but validation of response failed
|
|
845
|
+
* @throws {InvalidFetchResponseError} if no successful or 404 response
|
|
846
|
+
* @throws {Error} if parsing json from response fails
|
|
847
|
+
*/
|
|
1230
848
|
async function fetchJarRequestObject(options) {
|
|
1231
|
-
|
|
1232
|
-
|
|
1233
|
-
|
|
1234
|
-
|
|
1235
|
-
|
|
1236
|
-
|
|
1237
|
-
|
|
1238
|
-
|
|
1239
|
-
|
|
1240
|
-
|
|
1241
|
-
|
|
1242
|
-
|
|
1243
|
-
|
|
1244
|
-
|
|
1245
|
-
|
|
1246
|
-
|
|
1247
|
-
|
|
1248
|
-
|
|
1249
|
-
|
|
1250
|
-
|
|
1251
|
-
|
|
1252
|
-
|
|
1253
|
-
|
|
1254
|
-
|
|
1255
|
-
|
|
1256
|
-
|
|
849
|
+
const { requestUri, clientIdPrefix, method, wallet, fetch } = options;
|
|
850
|
+
let requestBody = wallet.metadata ? {
|
|
851
|
+
wallet_metadata: wallet.metadata,
|
|
852
|
+
wallet_nonce: wallet.nonce
|
|
853
|
+
} : void 0;
|
|
854
|
+
if (requestBody?.wallet_metadata?.request_object_signing_alg_values_supported && clientIdPrefix === "redirect_uri") {
|
|
855
|
+
const { request_object_signing_alg_values_supported,...rest } = requestBody.wallet_metadata;
|
|
856
|
+
requestBody = {
|
|
857
|
+
...requestBody,
|
|
858
|
+
wallet_metadata: { ...rest }
|
|
859
|
+
};
|
|
860
|
+
}
|
|
861
|
+
const response = await (0, __openid4vc_utils.createFetcher)(fetch)(requestUri, {
|
|
862
|
+
method,
|
|
863
|
+
body: method === "post" ? (0, __openid4vc_utils.objectToQueryParams)(wallet.metadata ?? {}) : void 0,
|
|
864
|
+
headers: {
|
|
865
|
+
Accept: `${__openid4vc_utils.ContentType.OAuthAuthorizationRequestJwt}, ${__openid4vc_utils.ContentType.Jwt};q=0.9, text/plain`,
|
|
866
|
+
"Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded
|
|
867
|
+
}
|
|
868
|
+
}).catch(() => {
|
|
869
|
+
throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
870
|
+
error_description: `Fetching request_object from request_uri '${requestUri}' failed`,
|
|
871
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUri
|
|
872
|
+
});
|
|
873
|
+
});
|
|
874
|
+
if (!response.ok) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
875
|
+
error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
|
|
876
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUri
|
|
877
|
+
});
|
|
878
|
+
return await response.text();
|
|
1257
879
|
}
|
|
1258
880
|
|
|
1259
|
-
|
|
1260
|
-
|
|
1261
|
-
|
|
1262
|
-
|
|
1263
|
-
|
|
1264
|
-
client_id: import_zod12.z.string()
|
|
881
|
+
//#endregion
|
|
882
|
+
//#region src/jar/jar-request-object/z-jar-request-object.ts
|
|
883
|
+
const zJarRequestObjectPayload = zod.z.object({
|
|
884
|
+
...__openid4vc_oauth2.zJwtPayload.shape,
|
|
885
|
+
client_id: zod.z.string()
|
|
1265
886
|
}).passthrough();
|
|
1266
887
|
|
|
1267
|
-
|
|
1268
|
-
|
|
1269
|
-
|
|
888
|
+
//#endregion
|
|
889
|
+
//#region src/jar/handle-jar-request/verify-jar-request.ts
|
|
890
|
+
const zSignedAuthorizationRequestJwtHeaderTyp = zod.default.literal("oauth-authz-req+jwt");
|
|
891
|
+
const signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
|
|
892
|
+
/**
|
|
893
|
+
* Verifies a JAR (JWT Secured Authorization Request) request by validating, decrypting, and verifying signatures.
|
|
894
|
+
*
|
|
895
|
+
* @param options - The input parameters
|
|
896
|
+
* @param options.jarRequestParams - The JAR authorization request parameters
|
|
897
|
+
* @param options.callbacks - Context containing the relevant Jose crypto operations
|
|
898
|
+
* @returns The verified authorization request parameters and metadata
|
|
899
|
+
*/
|
|
1270
900
|
async function verifyJarRequest(options) {
|
|
1271
|
-
|
|
1272
|
-
|
|
1273
|
-
|
|
1274
|
-
|
|
1275
|
-
|
|
1276
|
-
|
|
1277
|
-
|
|
1278
|
-
|
|
1279
|
-
|
|
1280
|
-
|
|
1281
|
-
|
|
1282
|
-
|
|
1283
|
-
|
|
1284
|
-
|
|
1285
|
-
|
|
1286
|
-
|
|
1287
|
-
|
|
1288
|
-
|
|
1289
|
-
|
|
1290
|
-
|
|
1291
|
-
|
|
1292
|
-
|
|
1293
|
-
|
|
1294
|
-
|
|
1295
|
-
|
|
1296
|
-
|
|
1297
|
-
|
|
1298
|
-
|
|
1299
|
-
|
|
1300
|
-
|
|
1301
|
-
|
|
1302
|
-
|
|
1303
|
-
|
|
1304
|
-
|
|
1305
|
-
|
|
1306
|
-
|
|
1307
|
-
|
|
1308
|
-
|
|
1309
|
-
|
|
1310
|
-
|
|
1311
|
-
|
|
1312
|
-
|
|
1313
|
-
|
|
1314
|
-
|
|
1315
|
-
|
|
1316
|
-
|
|
1317
|
-
|
|
1318
|
-
|
|
1319
|
-
|
|
1320
|
-
|
|
1321
|
-
sendBy,
|
|
1322
|
-
jwt,
|
|
1323
|
-
authorizationRequestPayload,
|
|
1324
|
-
signer,
|
|
1325
|
-
decryptionJwk
|
|
1326
|
-
};
|
|
901
|
+
const { callbacks, wallet = {} } = options;
|
|
902
|
+
const jarRequestParams = validateJarRequestParams(options);
|
|
903
|
+
const sendBy = jarRequestParams.request ? "value" : "reference";
|
|
904
|
+
const clientIdPrefix = jarRequestParams.client_id ? zClientIdPrefix.safeParse(jarRequestParams.client_id.split(":")[0]).data : "origin";
|
|
905
|
+
const method = jarRequestParams.request_uri_method ?? "get";
|
|
906
|
+
if (method !== "get" && method !== "post") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
907
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUriMethod,
|
|
908
|
+
error_description: `Invalid request_uri_method. Must be 'get' or 'post'.`
|
|
909
|
+
});
|
|
910
|
+
const requestObject = jarRequestParams.request ?? await fetchJarRequestObject({
|
|
911
|
+
requestUri: jarRequestParams.request_uri,
|
|
912
|
+
clientIdPrefix,
|
|
913
|
+
method,
|
|
914
|
+
wallet,
|
|
915
|
+
fetch: callbacks.fetch
|
|
916
|
+
});
|
|
917
|
+
const { decryptionJwk, payload: decryptedRequestObject } = __openid4vc_oauth2.zCompactJwe.safeParse(requestObject).success ? await decryptJarRequest({
|
|
918
|
+
jwe: requestObject,
|
|
919
|
+
callbacks
|
|
920
|
+
}) : {
|
|
921
|
+
payload: requestObject,
|
|
922
|
+
decryptionJwk: void 0
|
|
923
|
+
};
|
|
924
|
+
if (!__openid4vc_oauth2.zCompactJwt.safeParse(decryptedRequestObject).success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
925
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
|
|
926
|
+
error_description: "JAR request object is not a valid JWT."
|
|
927
|
+
});
|
|
928
|
+
const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({
|
|
929
|
+
decryptedRequestObject,
|
|
930
|
+
callbacks
|
|
931
|
+
});
|
|
932
|
+
if (!authorizationRequestPayload.client_id) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
933
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
|
|
934
|
+
error_description: "Jar Request Object is missing the required \"client_id\" field."
|
|
935
|
+
});
|
|
936
|
+
if (!isOpenid4vpResponseModeDcApi(authorizationRequestPayload.response_mode) && jarRequestParams.client_id !== authorizationRequestPayload.client_id) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
937
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
938
|
+
error_description: "client_id does not match the request object client_id."
|
|
939
|
+
});
|
|
940
|
+
if (jarRequestParams.client_id_scheme && jarRequestParams.client_id_scheme !== authorizationRequestPayload.client_id_scheme) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
941
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
942
|
+
error_description: "client_id_scheme does not match the request object client_id_scheme."
|
|
943
|
+
});
|
|
944
|
+
return {
|
|
945
|
+
sendBy,
|
|
946
|
+
jwt,
|
|
947
|
+
authorizationRequestPayload,
|
|
948
|
+
signer,
|
|
949
|
+
decryptionJwk
|
|
950
|
+
};
|
|
1327
951
|
}
|
|
1328
952
|
async function decryptJarRequest(options) {
|
|
1329
|
-
|
|
1330
|
-
|
|
1331
|
-
|
|
1332
|
-
|
|
1333
|
-
|
|
1334
|
-
|
|
1335
|
-
|
|
1336
|
-
|
|
1337
|
-
|
|
1338
|
-
|
|
1339
|
-
|
|
1340
|
-
|
|
1341
|
-
error_description: "Failed to decrypt jar request object."
|
|
1342
|
-
});
|
|
1343
|
-
}
|
|
1344
|
-
return decryptionResult;
|
|
953
|
+
const { jwe, callbacks } = options;
|
|
954
|
+
const { header } = (0, __openid4vc_oauth2.decodeJwt)({ jwt: jwe });
|
|
955
|
+
if (!header.kid) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
956
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
|
|
957
|
+
error_description: "Jar JWE is missing the protected header field \"kid\"."
|
|
958
|
+
});
|
|
959
|
+
const decryptionResult = await callbacks.decryptJwe(jwe);
|
|
960
|
+
if (!decryptionResult.decrypted) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
961
|
+
error: "invalid_request_object",
|
|
962
|
+
error_description: "Failed to decrypt jar request object."
|
|
963
|
+
});
|
|
964
|
+
return decryptionResult;
|
|
1345
965
|
}
|
|
1346
966
|
async function verifyJarRequestObject(options) {
|
|
1347
|
-
|
|
1348
|
-
|
|
1349
|
-
|
|
1350
|
-
|
|
1351
|
-
|
|
1352
|
-
|
|
1353
|
-
|
|
1354
|
-
|
|
1355
|
-
|
|
1356
|
-
|
|
1357
|
-
|
|
1358
|
-
|
|
1359
|
-
|
|
1360
|
-
|
|
1361
|
-
|
|
1362
|
-
|
|
1363
|
-
|
|
1364
|
-
|
|
1365
|
-
|
|
1366
|
-
|
|
1367
|
-
|
|
1368
|
-
|
|
1369
|
-
|
|
1370
|
-
|
|
1371
|
-
|
|
1372
|
-
|
|
1373
|
-
|
|
1374
|
-
|
|
1375
|
-
|
|
1376
|
-
|
|
1377
|
-
|
|
1378
|
-
|
|
1379
|
-
|
|
1380
|
-
|
|
1381
|
-
|
|
1382
|
-
|
|
1383
|
-
|
|
1384
|
-
|
|
1385
|
-
|
|
1386
|
-
|
|
1387
|
-
|
|
1388
|
-
|
|
1389
|
-
|
|
1390
|
-
|
|
1391
|
-
|
|
1392
|
-
|
|
1393
|
-
|
|
1394
|
-
|
|
1395
|
-
|
|
1396
|
-
|
|
1397
|
-
|
|
1398
|
-
|
|
1399
|
-
|
|
1400
|
-
|
|
1401
|
-
|
|
1402
|
-
|
|
1403
|
-
|
|
967
|
+
const { decryptedRequestObject, callbacks } = options;
|
|
968
|
+
const jwt = (0, __openid4vc_oauth2.decodeJwt)({
|
|
969
|
+
jwt: decryptedRequestObject,
|
|
970
|
+
payloadSchema: zJarRequestObjectPayload
|
|
971
|
+
});
|
|
972
|
+
let jwtSigner;
|
|
973
|
+
const { clientIdPrefix } = getOpenid4vpClientId({
|
|
974
|
+
responseMode: jwt.payload.response_mode,
|
|
975
|
+
clientId: jwt.payload.client_id,
|
|
976
|
+
legacyClientIdScheme: jwt.payload.client_id_scheme
|
|
977
|
+
});
|
|
978
|
+
const clientIdToSignerMethod = {
|
|
979
|
+
decentralized_identifier: ["did"],
|
|
980
|
+
"pre-registered": [
|
|
981
|
+
"custom",
|
|
982
|
+
"did",
|
|
983
|
+
"jwk"
|
|
984
|
+
],
|
|
985
|
+
origin: [],
|
|
986
|
+
redirect_uri: [],
|
|
987
|
+
verifier_attestation: [
|
|
988
|
+
"did",
|
|
989
|
+
"federation",
|
|
990
|
+
"jwk",
|
|
991
|
+
"x5c",
|
|
992
|
+
"custom"
|
|
993
|
+
],
|
|
994
|
+
x509_san_dns: ["x5c"],
|
|
995
|
+
x509_san_uri: ["x5c"],
|
|
996
|
+
x509_hash: ["x5c"],
|
|
997
|
+
openid_federation: []
|
|
998
|
+
};
|
|
999
|
+
if (clientIdPrefix === "openid_federation") {
|
|
1000
|
+
if (!jwt.header.kid) throw new __openid4vc_oauth2.Oauth2Error(`When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`);
|
|
1001
|
+
jwtSigner = {
|
|
1002
|
+
method: "federation",
|
|
1003
|
+
alg: jwt.header.alg,
|
|
1004
|
+
trustChain: jwt.payload.trust_chain,
|
|
1005
|
+
kid: jwt.header.kid
|
|
1006
|
+
};
|
|
1007
|
+
} else jwtSigner = (0, __openid4vc_oauth2.jwtSignerFromJwt)({
|
|
1008
|
+
...jwt,
|
|
1009
|
+
allowedSignerMethods: clientIdToSignerMethod[clientIdPrefix]
|
|
1010
|
+
});
|
|
1011
|
+
const { signer } = await (0, __openid4vc_oauth2.verifyJwt)({
|
|
1012
|
+
verifyJwtCallback: callbacks.verifyJwt,
|
|
1013
|
+
compact: decryptedRequestObject,
|
|
1014
|
+
header: jwt.header,
|
|
1015
|
+
payload: jwt.payload,
|
|
1016
|
+
signer: jwtSigner
|
|
1017
|
+
});
|
|
1018
|
+
const version = parseAuthorizationRequestVersion(jwt.payload);
|
|
1019
|
+
if (jwt.header.typ !== "oauth-authz-req+jwt" && version >= 24) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1020
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
|
|
1021
|
+
error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt", received "${jwt.header.typ}".`
|
|
1022
|
+
});
|
|
1023
|
+
return {
|
|
1024
|
+
signer,
|
|
1025
|
+
jwt,
|
|
1026
|
+
authorizationRequestPayload: jwt.payload
|
|
1027
|
+
};
|
|
1404
1028
|
}
|
|
1405
1029
|
|
|
1406
|
-
|
|
1407
|
-
|
|
1408
|
-
|
|
1409
|
-
|
|
1410
|
-
|
|
1411
|
-
|
|
1412
|
-
var zTransactionEntry = import_zod14.z.object({
|
|
1413
|
-
type: import_zod14.z.string(),
|
|
1414
|
-
credential_ids: import_zod14.z.array(import_zod14.z.string()).nonempty(),
|
|
1415
|
-
// SD-JWT VC specific
|
|
1416
|
-
transaction_data_hashes_alg: import_zod14.z.array(import_zod14.z.string()).nonempty().optional()
|
|
1030
|
+
//#endregion
|
|
1031
|
+
//#region src/transaction-data/z-transaction-data.ts
|
|
1032
|
+
const zTransactionEntry = zod.z.object({
|
|
1033
|
+
type: zod.z.string(),
|
|
1034
|
+
credential_ids: zod.z.array(zod.z.string()).nonempty(),
|
|
1035
|
+
transaction_data_hashes_alg: zod.z.array(zod.z.string()).nonempty().optional()
|
|
1417
1036
|
}).passthrough();
|
|
1418
|
-
|
|
1037
|
+
const zTransactionData = zod.z.array(zTransactionEntry);
|
|
1419
1038
|
|
|
1420
|
-
|
|
1039
|
+
//#endregion
|
|
1040
|
+
//#region src/transaction-data/parse-transaction-data.ts
|
|
1421
1041
|
function parseTransactionData(options) {
|
|
1422
|
-
|
|
1423
|
-
|
|
1424
|
-
|
|
1425
|
-
|
|
1426
|
-
|
|
1427
|
-
|
|
1428
|
-
|
|
1429
|
-
|
|
1430
|
-
|
|
1431
|
-
|
|
1432
|
-
|
|
1433
|
-
|
|
1434
|
-
transactionDataIndex: index
|
|
1435
|
-
}));
|
|
1042
|
+
const { transactionData } = options;
|
|
1043
|
+
const decoded = transactionData.map((tdEntry) => (0, __openid4vc_utils.parseIfJson)((0, __openid4vc_utils.encodeToUtf8String)((0, __openid4vc_utils.decodeBase64)(tdEntry))));
|
|
1044
|
+
const parsedResult = zTransactionData.safeParse(decoded);
|
|
1045
|
+
if (!parsedResult.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1046
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
|
|
1047
|
+
error_description: "Failed to parse transaction data."
|
|
1048
|
+
});
|
|
1049
|
+
return parsedResult.data.map((decoded$1, index) => ({
|
|
1050
|
+
transactionData: decoded$1,
|
|
1051
|
+
encoded: transactionData[index],
|
|
1052
|
+
transactionDataIndex: index
|
|
1053
|
+
}));
|
|
1436
1054
|
}
|
|
1437
1055
|
|
|
1438
|
-
|
|
1056
|
+
//#endregion
|
|
1057
|
+
//#region src/authorization-request/resolve-authorization-request.ts
|
|
1439
1058
|
async function resolveOpenid4vpAuthorizationRequest(options) {
|
|
1440
|
-
|
|
1441
|
-
|
|
1442
|
-
|
|
1443
|
-
|
|
1444
|
-
|
|
1445
|
-
|
|
1446
|
-
|
|
1447
|
-
|
|
1448
|
-
|
|
1449
|
-
|
|
1450
|
-
|
|
1451
|
-
|
|
1452
|
-
|
|
1453
|
-
|
|
1454
|
-
|
|
1455
|
-
|
|
1456
|
-
|
|
1457
|
-
|
|
1458
|
-
|
|
1459
|
-
|
|
1460
|
-
|
|
1461
|
-
|
|
1462
|
-
|
|
1463
|
-
|
|
1464
|
-
|
|
1465
|
-
|
|
1466
|
-
|
|
1467
|
-
|
|
1468
|
-
|
|
1469
|
-
|
|
1470
|
-
|
|
1471
|
-
|
|
1472
|
-
|
|
1473
|
-
|
|
1474
|
-
|
|
1475
|
-
|
|
1476
|
-
|
|
1477
|
-
|
|
1478
|
-
|
|
1479
|
-
|
|
1480
|
-
|
|
1481
|
-
|
|
1482
|
-
|
|
1483
|
-
|
|
1484
|
-
|
|
1485
|
-
|
|
1486
|
-
|
|
1487
|
-
|
|
1488
|
-
|
|
1489
|
-
|
|
1490
|
-
|
|
1491
|
-
|
|
1492
|
-
|
|
1493
|
-
|
|
1494
|
-
|
|
1495
|
-
|
|
1496
|
-
|
|
1497
|
-
|
|
1498
|
-
|
|
1499
|
-
|
|
1500
|
-
|
|
1501
|
-
|
|
1502
|
-
|
|
1503
|
-
const transactionData = authorizationRequestPayload.transaction_data ? parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data }) : void 0;
|
|
1504
|
-
return {
|
|
1505
|
-
transactionData,
|
|
1506
|
-
authorizationRequestPayload,
|
|
1507
|
-
jar,
|
|
1508
|
-
client: clientMeta,
|
|
1509
|
-
pex,
|
|
1510
|
-
dcql,
|
|
1511
|
-
version
|
|
1512
|
-
};
|
|
1059
|
+
const { wallet, callbacks, origin, disableOriginValidation } = options;
|
|
1060
|
+
let authorizationRequestPayload;
|
|
1061
|
+
const parsed = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([
|
|
1062
|
+
zOpenid4vpAuthorizationRequestDcApi,
|
|
1063
|
+
zOpenid4vpAuthorizationRequest,
|
|
1064
|
+
zJarAuthorizationRequest
|
|
1065
|
+
]), options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request.");
|
|
1066
|
+
let jar;
|
|
1067
|
+
if (isJarAuthorizationRequest(parsed)) {
|
|
1068
|
+
jar = await verifyJarRequest({
|
|
1069
|
+
jarRequestParams: parsed,
|
|
1070
|
+
callbacks,
|
|
1071
|
+
wallet
|
|
1072
|
+
});
|
|
1073
|
+
authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
|
|
1074
|
+
authorizationRequestPayload: (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]), jar.authorizationRequestPayload, "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."),
|
|
1075
|
+
wallet,
|
|
1076
|
+
jar: true,
|
|
1077
|
+
origin,
|
|
1078
|
+
disableOriginValidation
|
|
1079
|
+
});
|
|
1080
|
+
} else authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
|
|
1081
|
+
authorizationRequestPayload: parsed,
|
|
1082
|
+
wallet,
|
|
1083
|
+
jar: false,
|
|
1084
|
+
origin,
|
|
1085
|
+
disableOriginValidation
|
|
1086
|
+
});
|
|
1087
|
+
const version = parseAuthorizationRequestVersion(authorizationRequestPayload);
|
|
1088
|
+
let clientMetadata = authorizationRequestPayload.client_metadata;
|
|
1089
|
+
if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
|
|
1090
|
+
const clientMeta = await validateOpenid4vpClientId({
|
|
1091
|
+
authorizationRequestPayload: {
|
|
1092
|
+
...authorizationRequestPayload,
|
|
1093
|
+
client_metadata: clientMetadata
|
|
1094
|
+
},
|
|
1095
|
+
jar,
|
|
1096
|
+
callbacks,
|
|
1097
|
+
origin,
|
|
1098
|
+
version
|
|
1099
|
+
});
|
|
1100
|
+
let pex;
|
|
1101
|
+
let dcql;
|
|
1102
|
+
if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) {
|
|
1103
|
+
if (authorizationRequestPayload.presentation_definition_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1104
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
1105
|
+
error_description: "Cannot fetch presentation definition from URI. Not supported."
|
|
1106
|
+
});
|
|
1107
|
+
pex = {
|
|
1108
|
+
presentation_definition: authorizationRequestPayload.presentation_definition,
|
|
1109
|
+
presentation_definition_uri: authorizationRequestPayload.presentation_definition_uri
|
|
1110
|
+
};
|
|
1111
|
+
}
|
|
1112
|
+
if (authorizationRequestPayload.dcql_query) dcql = { query: authorizationRequestPayload.dcql_query };
|
|
1113
|
+
return {
|
|
1114
|
+
transactionData: authorizationRequestPayload.transaction_data ? parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data }) : void 0,
|
|
1115
|
+
authorizationRequestPayload,
|
|
1116
|
+
jar,
|
|
1117
|
+
client: clientMeta,
|
|
1118
|
+
pex,
|
|
1119
|
+
dcql,
|
|
1120
|
+
version
|
|
1121
|
+
};
|
|
1513
1122
|
}
|
|
1514
1123
|
function validateOpenId4vpAuthorizationRequestPayload(options) {
|
|
1515
|
-
|
|
1516
|
-
|
|
1517
|
-
|
|
1518
|
-
|
|
1519
|
-
|
|
1520
|
-
|
|
1521
|
-
|
|
1522
|
-
|
|
1523
|
-
|
|
1524
|
-
|
|
1525
|
-
|
|
1526
|
-
|
|
1527
|
-
|
|
1528
|
-
|
|
1529
|
-
|
|
1124
|
+
const { authorizationRequestPayload, wallet, jar, origin, disableOriginValidation } = options;
|
|
1125
|
+
if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
|
|
1126
|
+
validateOpenid4vpAuthorizationRequestDcApiPayload({
|
|
1127
|
+
params: authorizationRequestPayload,
|
|
1128
|
+
isJarRequest: jar,
|
|
1129
|
+
disableOriginValidation,
|
|
1130
|
+
origin
|
|
1131
|
+
});
|
|
1132
|
+
return authorizationRequestPayload;
|
|
1133
|
+
}
|
|
1134
|
+
validateOpenid4vpAuthorizationRequestPayload({
|
|
1135
|
+
params: authorizationRequestPayload,
|
|
1136
|
+
walletVerificationOptions: wallet
|
|
1137
|
+
});
|
|
1138
|
+
return authorizationRequestPayload;
|
|
1530
1139
|
}
|
|
1531
1140
|
|
|
1532
|
-
|
|
1533
|
-
|
|
1534
|
-
|
|
1535
|
-
|
|
1536
|
-
// ../utils/src/date.ts
|
|
1537
|
-
function addSecondsToDate2(date, seconds) {
|
|
1538
|
-
return new Date(date.getTime() + seconds * 1e3);
|
|
1141
|
+
//#endregion
|
|
1142
|
+
//#region ../utils/src/date.ts
|
|
1143
|
+
function addSecondsToDate(date, seconds) {
|
|
1144
|
+
return new Date(date.getTime() + seconds * 1e3);
|
|
1539
1145
|
}
|
|
1540
1146
|
|
|
1541
|
-
|
|
1542
|
-
|
|
1147
|
+
//#endregion
|
|
1148
|
+
//#region src/jarm/jarm-authorization-response-create.ts
|
|
1543
1149
|
async function createJarmAuthorizationResponse(options) {
|
|
1544
|
-
|
|
1545
|
-
|
|
1546
|
-
|
|
1547
|
-
|
|
1548
|
-
|
|
1549
|
-
|
|
1550
|
-
|
|
1551
|
-
|
|
1552
|
-
|
|
1553
|
-
|
|
1554
|
-
|
|
1555
|
-
|
|
1556
|
-
|
|
1557
|
-
|
|
1558
|
-
|
|
1559
|
-
|
|
1560
|
-
|
|
1561
|
-
|
|
1562
|
-
|
|
1563
|
-
|
|
1564
|
-
|
|
1150
|
+
const { jarmAuthorizationResponse, jweEncryptor, jwtSigner, callbacks } = options;
|
|
1151
|
+
if (!jwtSigner && jweEncryptor) {
|
|
1152
|
+
const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthorizationResponse));
|
|
1153
|
+
return { jarmAuthorizationResponseJwt: jwe };
|
|
1154
|
+
}
|
|
1155
|
+
if (jwtSigner && !jweEncryptor) return { jarmAuthorizationResponseJwt: (await callbacks.signJwt(jwtSigner, {
|
|
1156
|
+
header: (0, __openid4vc_oauth2.jwtHeaderFromJwtSigner)(jwtSigner),
|
|
1157
|
+
payload: jarmAuthorizationResponse
|
|
1158
|
+
})).jwt };
|
|
1159
|
+
if (!jwtSigner || !jweEncryptor) throw new __openid4vc_oauth2.Oauth2Error("JWT signer and/or encryptor are required to create a JARM auth response.");
|
|
1160
|
+
const signed = await callbacks.signJwt(jwtSigner, {
|
|
1161
|
+
header: (0, __openid4vc_oauth2.jwtHeaderFromJwtSigner)(jwtSigner),
|
|
1162
|
+
payload: jarmAuthorizationResponse
|
|
1163
|
+
});
|
|
1164
|
+
return { jarmAuthorizationResponseJwt: (await callbacks.encryptJwe(jweEncryptor, signed.jwt)).jwe };
|
|
1165
|
+
}
|
|
1166
|
+
|
|
1167
|
+
//#endregion
|
|
1168
|
+
//#region src/jarm/jarm-extract-jwks.ts
|
|
1169
|
+
function extractEncryptionJwkFromJwks(jwks, { kid, supportedAlgValues }) {
|
|
1170
|
+
if (kid) return jwks.keys.find((jwk) => jwk.kid === kid);
|
|
1171
|
+
let algFiltered = jwks.keys.filter((key) => key.alg && supportedAlgValues?.includes(key.alg));
|
|
1172
|
+
if (algFiltered.length === 0) algFiltered = jwks.keys;
|
|
1173
|
+
let encFiltered = algFiltered.filter((key) => key.use === "enc");
|
|
1174
|
+
if (!encFiltered) encFiltered = algFiltered.filter((key) => key.use !== "sig");
|
|
1175
|
+
return encFiltered.length > 0 ? encFiltered[0] : jwks.keys[0];
|
|
1565
1176
|
}
|
|
1566
1177
|
|
|
1567
|
-
|
|
1568
|
-
|
|
1569
|
-
|
|
1570
|
-
|
|
1571
|
-
|
|
1572
|
-
|
|
1573
|
-
|
|
1574
|
-
|
|
1575
|
-
|
|
1178
|
+
//#endregion
|
|
1179
|
+
//#region src/jarm/jarm-response-mode.ts
|
|
1180
|
+
const jarmResponseMode = [
|
|
1181
|
+
"jwt",
|
|
1182
|
+
"query.jwt",
|
|
1183
|
+
"fragment.jwt",
|
|
1184
|
+
"form_post.jwt",
|
|
1185
|
+
"direct_post.jwt",
|
|
1186
|
+
"dc_api.jwt"
|
|
1576
1187
|
];
|
|
1577
|
-
|
|
1578
|
-
|
|
1579
|
-
|
|
1188
|
+
const zJarmResponseMode = zod.z.enum(jarmResponseMode);
|
|
1189
|
+
const isJarmResponseMode = (responseMode) => {
|
|
1190
|
+
return jarmResponseMode.includes(responseMode);
|
|
1580
1191
|
};
|
|
1581
1192
|
|
|
1582
|
-
|
|
1583
|
-
|
|
1193
|
+
//#endregion
|
|
1194
|
+
//#region src/jarm/metadata/jarm-assert-metadata-supported.ts
|
|
1584
1195
|
function assertValueSupported(options) {
|
|
1585
|
-
|
|
1586
|
-
|
|
1587
|
-
|
|
1588
|
-
|
|
1589
|
-
}
|
|
1590
|
-
return intersection;
|
|
1196
|
+
const { errorMessage, supported, actual } = options;
|
|
1197
|
+
const intersection = supported.find((value) => value === actual);
|
|
1198
|
+
if (!intersection) throw new __openid4vc_oauth2.Oauth2Error(errorMessage);
|
|
1199
|
+
return intersection;
|
|
1591
1200
|
}
|
|
1592
1201
|
function jarmAssertMetadataSupported(options) {
|
|
1593
|
-
|
|
1594
|
-
|
|
1595
|
-
|
|
1596
|
-
|
|
1597
|
-
|
|
1598
|
-
|
|
1599
|
-
|
|
1600
|
-
|
|
1601
|
-
|
|
1602
|
-
|
|
1603
|
-
|
|
1604
|
-
|
|
1605
|
-
|
|
1606
|
-
|
|
1607
|
-
|
|
1608
|
-
|
|
1609
|
-
|
|
1610
|
-
|
|
1611
|
-
|
|
1612
|
-
|
|
1613
|
-
supported: serverMetadata.authorization_signing_alg_values_supported,
|
|
1614
|
-
actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,
|
|
1615
|
-
errorMessage: "Invalid authorization_signed_response_alg"
|
|
1616
|
-
});
|
|
1617
|
-
}
|
|
1618
|
-
return parsedClientMetadata;
|
|
1202
|
+
const { clientMetadata, serverMetadata } = options;
|
|
1203
|
+
const parsedClientMetadata = zJarmClientMetadataParsed.parse(clientMetadata);
|
|
1204
|
+
if (parsedClientMetadata.type === "sign_encrypt" || parsedClientMetadata.type === "encrypt") {
|
|
1205
|
+
if (serverMetadata.authorization_encryption_alg_values_supported) assertValueSupported({
|
|
1206
|
+
supported: serverMetadata.authorization_encryption_alg_values_supported,
|
|
1207
|
+
actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_alg,
|
|
1208
|
+
errorMessage: "Invalid authorization_encryption_alg"
|
|
1209
|
+
});
|
|
1210
|
+
if (serverMetadata.authorization_encryption_enc_values_supported) assertValueSupported({
|
|
1211
|
+
supported: serverMetadata.authorization_encryption_enc_values_supported,
|
|
1212
|
+
actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_enc,
|
|
1213
|
+
errorMessage: "Invalid authorization_encryption_enc"
|
|
1214
|
+
});
|
|
1215
|
+
}
|
|
1216
|
+
if (serverMetadata.authorization_signing_alg_values_supported && (parsedClientMetadata.type === "sign" || parsedClientMetadata.type === "sign_encrypt")) assertValueSupported({
|
|
1217
|
+
supported: serverMetadata.authorization_signing_alg_values_supported,
|
|
1218
|
+
actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,
|
|
1219
|
+
errorMessage: "Invalid authorization_signed_response_alg"
|
|
1220
|
+
});
|
|
1221
|
+
return parsedClientMetadata;
|
|
1619
1222
|
}
|
|
1620
1223
|
|
|
1621
|
-
|
|
1224
|
+
//#endregion
|
|
1225
|
+
//#region src/authorization-response/create-authorization-response.ts
|
|
1622
1226
|
async function createOpenid4vpAuthorizationResponse(options) {
|
|
1623
|
-
|
|
1624
|
-
|
|
1625
|
-
|
|
1626
|
-
|
|
1627
|
-
|
|
1628
|
-
|
|
1629
|
-
|
|
1630
|
-
|
|
1631
|
-
|
|
1632
|
-
|
|
1633
|
-
|
|
1634
|
-
|
|
1635
|
-
|
|
1636
|
-
|
|
1637
|
-
|
|
1638
|
-
|
|
1639
|
-
|
|
1640
|
-
|
|
1641
|
-
|
|
1642
|
-
|
|
1643
|
-
|
|
1644
|
-
|
|
1645
|
-
|
|
1646
|
-
|
|
1647
|
-
|
|
1648
|
-
|
|
1649
|
-
|
|
1650
|
-
|
|
1651
|
-
|
|
1652
|
-
|
|
1653
|
-
|
|
1654
|
-
|
|
1655
|
-
|
|
1656
|
-
|
|
1657
|
-
|
|
1658
|
-
|
|
1659
|
-
|
|
1660
|
-
|
|
1661
|
-
|
|
1662
|
-
|
|
1663
|
-
|
|
1664
|
-
|
|
1665
|
-
|
|
1666
|
-
|
|
1667
|
-
|
|
1668
|
-
|
|
1669
|
-
|
|
1670
|
-
|
|
1671
|
-
|
|
1672
|
-
|
|
1673
|
-
|
|
1674
|
-
|
|
1675
|
-
|
|
1676
|
-
|
|
1677
|
-
|
|
1678
|
-
|
|
1679
|
-
|
|
1680
|
-
|
|
1681
|
-
|
|
1682
|
-
|
|
1683
|
-
|
|
1684
|
-
|
|
1685
|
-
|
|
1686
|
-
|
|
1687
|
-
|
|
1688
|
-
|
|
1689
|
-
|
|
1690
|
-
|
|
1691
|
-
|
|
1692
|
-
|
|
1693
|
-
|
|
1694
|
-
|
|
1695
|
-
|
|
1696
|
-
|
|
1697
|
-
|
|
1698
|
-
|
|
1699
|
-
|
|
1700
|
-
|
|
1701
|
-
|
|
1702
|
-
|
|
1703
|
-
|
|
1704
|
-
|
|
1705
|
-
|
|
1706
|
-
|
|
1707
|
-
|
|
1708
|
-
|
|
1709
|
-
|
|
1710
|
-
|
|
1711
|
-
error: import_oauth223.Oauth2ErrorCodes.InvalidRequest,
|
|
1712
|
-
error_description: "Missing required aud in JARM configuration for creating OpenID4VP authorization response."
|
|
1713
|
-
});
|
|
1714
|
-
}
|
|
1715
|
-
additionalJwtPayload = {
|
|
1716
|
-
iss: jarm.authorizationServer,
|
|
1717
|
-
aud: jarm.audience,
|
|
1718
|
-
exp: jarm.expiresInSeconds ?? (0, import_utils17.dateToSeconds)(addSecondsToDate2(/* @__PURE__ */ new Date(), 60 * 10))
|
|
1719
|
-
// default: 10 minutes
|
|
1720
|
-
};
|
|
1721
|
-
}
|
|
1722
|
-
const jarmResponsePayload = {
|
|
1723
|
-
...authorizationResponsePayload,
|
|
1724
|
-
...additionalJwtPayload
|
|
1725
|
-
};
|
|
1726
|
-
const result = await createJarmAuthorizationResponse({
|
|
1727
|
-
jarmAuthorizationResponse: jarmResponsePayload,
|
|
1728
|
-
jwtSigner: jarm?.jwtSigner,
|
|
1729
|
-
jweEncryptor: jarm?.encryption ? {
|
|
1730
|
-
method: "jwk",
|
|
1731
|
-
publicJwk: encJwk,
|
|
1732
|
-
apu: jarm.encryption.nonce ? (0, import_utils17.encodeToBase64Url)(jarm.encryption.nonce) : void 0,
|
|
1733
|
-
apv: (0, import_utils17.encodeToBase64Url)(authorizationRequestPayload.nonce),
|
|
1734
|
-
alg,
|
|
1735
|
-
enc
|
|
1736
|
-
} : void 0,
|
|
1737
|
-
callbacks: {
|
|
1738
|
-
signJwt: callbacks.signJwt,
|
|
1739
|
-
encryptJwe: callbacks.encryptJwe
|
|
1740
|
-
}
|
|
1741
|
-
});
|
|
1742
|
-
return {
|
|
1743
|
-
authorizationResponsePayload: jarmResponsePayload,
|
|
1744
|
-
jarm: { responseJwt: result.jarmAuthorizationResponseJwt, encryptionJwk: encJwk }
|
|
1745
|
-
};
|
|
1227
|
+
const { authorizationRequestPayload, jarm, callbacks, origin } = options;
|
|
1228
|
+
const authorizationResponsePayload = {
|
|
1229
|
+
...options.authorizationResponsePayload,
|
|
1230
|
+
state: authorizationRequestPayload.state
|
|
1231
|
+
};
|
|
1232
|
+
const { clientIdPrefix } = getOpenid4vpClientId({
|
|
1233
|
+
responseMode: authorizationRequestPayload.response_mode,
|
|
1234
|
+
clientId: authorizationRequestPayload.client_id,
|
|
1235
|
+
legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
|
|
1236
|
+
origin
|
|
1237
|
+
});
|
|
1238
|
+
if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode) && !jarm) throw new __openid4vc_oauth2.Oauth2Error(`Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`);
|
|
1239
|
+
if (!jarm) return { authorizationResponsePayload };
|
|
1240
|
+
if (clientIdPrefix === "openid_federation" && !options.clientMetadata) throw new __openid4vc_oauth2.Oauth2Error("When OpenID Federation is used as the client id prefix (https/openid_federation), passing externally fetched and verified 'clientMetadata' to the 'createOpenid4vpAuthorizationResponse' is required.");
|
|
1241
|
+
const clientMetadata = options.clientMetadata ?? authorizationRequestPayload.client_metadata;
|
|
1242
|
+
if (!clientMetadata) throw new __openid4vc_oauth2.Oauth2Error("Missing client metadata in the request params to assert Jarm metadata support.");
|
|
1243
|
+
let jwks;
|
|
1244
|
+
if (clientMetadata.jwks) jwks = clientMetadata.jwks;
|
|
1245
|
+
else if (clientMetadata.jwks_uri) jwks = await (0, __openid4vc_oauth2.fetchJwks)(clientMetadata.jwks_uri, options.callbacks.fetch);
|
|
1246
|
+
else throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1247
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
1248
|
+
error_description: `Missing 'jwks' or 'jwks_uri' in client metadata. Cannot extract encryption JWK.`
|
|
1249
|
+
});
|
|
1250
|
+
if (clientMetadata.authorization_encrypted_response_alg || clientMetadata.authorization_encrypted_response_enc || clientMetadata.authorization_signed_response_alg) jarmAssertMetadataSupported({
|
|
1251
|
+
clientMetadata,
|
|
1252
|
+
serverMetadata: jarm.serverMetadata
|
|
1253
|
+
});
|
|
1254
|
+
const encJwk = jarm?.encryption?.jwk ?? extractEncryptionJwkFromJwks(jwks, { supportedAlgValues: jarm.serverMetadata.authorization_encryption_alg_values_supported ?? (clientMetadata.authorization_encrypted_response_alg ? [clientMetadata.authorization_encrypted_response_alg] : void 0) });
|
|
1255
|
+
if (!encJwk) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1256
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
1257
|
+
error_description: "No encryption JWK provided and could not extract encryption JWK from client metadata. Failed to create JARM response."
|
|
1258
|
+
});
|
|
1259
|
+
let enc;
|
|
1260
|
+
if (clientMetadata.encrypted_response_enc_values_supported) enc = jarm.serverMetadata.authorization_encryption_enc_values_supported.find((enc$1) => clientMetadata.encrypted_response_enc_values_supported?.includes(enc$1)) ?? clientMetadata.encrypted_response_enc_values_supported[0];
|
|
1261
|
+
else enc = clientMetadata.authorization_encrypted_response_enc ?? "A128GCM";
|
|
1262
|
+
assertValueSupported({
|
|
1263
|
+
actual: enc,
|
|
1264
|
+
supported: jarm.serverMetadata.authorization_encryption_enc_values_supported,
|
|
1265
|
+
errorMessage: `Invalid 'enc' value ${enc}. Supported values are ${jarm.serverMetadata.authorization_encryption_enc_values_supported.join(", ")}`
|
|
1266
|
+
});
|
|
1267
|
+
const alg = encJwk.alg ?? clientMetadata.authorization_encrypted_response_alg ?? "ECDH-ES";
|
|
1268
|
+
assertValueSupported({
|
|
1269
|
+
actual: alg,
|
|
1270
|
+
supported: jarm.serverMetadata.authorization_encryption_alg_values_supported,
|
|
1271
|
+
errorMessage: `Invalid 'alg' value ${alg}. Supported values are ${jarm.serverMetadata.authorization_encryption_alg_values_supported.join(", ")}`
|
|
1272
|
+
});
|
|
1273
|
+
let additionalJwtPayload;
|
|
1274
|
+
if (jarm?.jwtSigner) {
|
|
1275
|
+
if (!jarm.authorizationServer) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1276
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
1277
|
+
error_description: "Missing required iss in JARM configuration for creating OpenID4VP authorization response."
|
|
1278
|
+
});
|
|
1279
|
+
if (!jarm.audience) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1280
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
|
|
1281
|
+
error_description: "Missing required aud in JARM configuration for creating OpenID4VP authorization response."
|
|
1282
|
+
});
|
|
1283
|
+
additionalJwtPayload = {
|
|
1284
|
+
iss: jarm.authorizationServer,
|
|
1285
|
+
aud: jarm.audience,
|
|
1286
|
+
exp: jarm.expiresInSeconds ?? (0, __openid4vc_utils.dateToSeconds)(addSecondsToDate(/* @__PURE__ */ new Date(), 600))
|
|
1287
|
+
};
|
|
1288
|
+
}
|
|
1289
|
+
const jarmResponsePayload = {
|
|
1290
|
+
...authorizationResponsePayload,
|
|
1291
|
+
...additionalJwtPayload
|
|
1292
|
+
};
|
|
1293
|
+
return {
|
|
1294
|
+
authorizationResponsePayload: jarmResponsePayload,
|
|
1295
|
+
jarm: {
|
|
1296
|
+
responseJwt: (await createJarmAuthorizationResponse({
|
|
1297
|
+
jarmAuthorizationResponse: jarmResponsePayload,
|
|
1298
|
+
jwtSigner: jarm?.jwtSigner,
|
|
1299
|
+
jweEncryptor: jarm?.encryption ? {
|
|
1300
|
+
method: "jwk",
|
|
1301
|
+
publicJwk: encJwk,
|
|
1302
|
+
apu: jarm.encryption.nonce ? (0, __openid4vc_utils.encodeToBase64Url)(jarm.encryption.nonce) : void 0,
|
|
1303
|
+
apv: (0, __openid4vc_utils.encodeToBase64Url)(authorizationRequestPayload.nonce),
|
|
1304
|
+
alg,
|
|
1305
|
+
enc
|
|
1306
|
+
} : void 0,
|
|
1307
|
+
callbacks: {
|
|
1308
|
+
signJwt: callbacks.signJwt,
|
|
1309
|
+
encryptJwe: callbacks.encryptJwe
|
|
1310
|
+
}
|
|
1311
|
+
})).jarmAuthorizationResponseJwt,
|
|
1312
|
+
encryptionJwk: encJwk
|
|
1313
|
+
}
|
|
1314
|
+
};
|
|
1746
1315
|
}
|
|
1747
1316
|
|
|
1748
|
-
|
|
1749
|
-
|
|
1750
|
-
|
|
1751
|
-
|
|
1752
|
-
|
|
1753
|
-
|
|
1754
|
-
|
|
1755
|
-
|
|
1756
|
-
|
|
1757
|
-
|
|
1758
|
-
|
|
1759
|
-
|
|
1760
|
-
|
|
1761
|
-
|
|
1762
|
-
|
|
1763
|
-
|
|
1764
|
-
|
|
1765
|
-
|
|
1766
|
-
|
|
1767
|
-
|
|
1768
|
-
|
|
1769
|
-
|
|
1770
|
-
|
|
1771
|
-
|
|
1772
|
-
responseMode: "direct_post.jwt",
|
|
1773
|
-
response
|
|
1774
|
-
};
|
|
1775
|
-
}
|
|
1317
|
+
//#endregion
|
|
1318
|
+
//#region src/models/z-pex.ts
|
|
1319
|
+
const zPexPresentationDefinition = zod.z.record(zod.z.any());
|
|
1320
|
+
const zPexPresentationSubmission = zod.z.record(zod.z.any());
|
|
1321
|
+
|
|
1322
|
+
//#endregion
|
|
1323
|
+
//#region src/vp-token/z-vp-token.ts
|
|
1324
|
+
const zVpTokenPresentationEntry = zod.z.union([zod.z.string(), zod.z.record(zod.z.any())], { message: "vp_token presentation entry must be string or object" });
|
|
1325
|
+
const zVpTokenPex = zod.z.union([zVpTokenPresentationEntry, zod.z.array(zVpTokenPresentationEntry).nonempty("Must have at least entry in vp_token array")], { message: "pex vp_token must be a string, object or non-empty array of strings and objects" });
|
|
1326
|
+
const zVpTokenDcql = zod.z.record(zod.z.union([zod.z.array(zVpTokenPresentationEntry).nonempty(), zVpTokenPresentationEntry]), { message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values a non-empty array of strings and objects, or string, or object" });
|
|
1327
|
+
const zVpToken = zVpTokenDcql.or(zVpTokenPex);
|
|
1328
|
+
|
|
1329
|
+
//#endregion
|
|
1330
|
+
//#region src/authorization-response/z-authorization-response.ts
|
|
1331
|
+
const zOpenid4vpAuthorizationResponse = zod.z.object({
|
|
1332
|
+
state: zod.z.string().optional(),
|
|
1333
|
+
id_token: zod.z.string().optional(),
|
|
1334
|
+
vp_token: zVpToken,
|
|
1335
|
+
presentation_submission: zPexPresentationSubmission.or(__openid4vc_utils.zStringToJson).optional(),
|
|
1336
|
+
refresh_token: zod.z.string().optional(),
|
|
1337
|
+
token_type: zod.z.string().optional(),
|
|
1338
|
+
access_token: zod.z.string().optional(),
|
|
1339
|
+
expires_in: zod.z.coerce.number().optional()
|
|
1340
|
+
}).passthrough();
|
|
1776
1341
|
|
|
1777
|
-
|
|
1778
|
-
|
|
1779
|
-
|
|
1780
|
-
|
|
1781
|
-
if (jarm) {
|
|
1782
|
-
return jarmAuthorizationResponseSend({
|
|
1783
|
-
authorizationRequestPayload,
|
|
1784
|
-
jarmAuthorizationResponseJwt: jarm.responseJwt,
|
|
1785
|
-
callbacks
|
|
1786
|
-
});
|
|
1787
|
-
}
|
|
1788
|
-
if (!url) {
|
|
1789
|
-
throw new import_oauth225.Oauth2Error(
|
|
1790
|
-
"Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided."
|
|
1791
|
-
);
|
|
1792
|
-
}
|
|
1793
|
-
const fetch = (0, import_utils19.createFetcher)(callbacks.fetch);
|
|
1794
|
-
const encodedResponse = (0, import_utils20.objectToQueryParams)(authorizationResponsePayload);
|
|
1795
|
-
const submissionResponse = await fetch(url, {
|
|
1796
|
-
method: "POST",
|
|
1797
|
-
body: encodedResponse.toString(),
|
|
1798
|
-
headers: {
|
|
1799
|
-
"Content-Type": import_utils19.ContentType.XWwwFormUrlencoded
|
|
1800
|
-
}
|
|
1801
|
-
});
|
|
1802
|
-
return {
|
|
1803
|
-
responseMode: "direct_post",
|
|
1804
|
-
response: submissionResponse
|
|
1805
|
-
};
|
|
1342
|
+
//#endregion
|
|
1343
|
+
//#region src/authorization-response/parse-authorization-response-payload.ts
|
|
1344
|
+
function parseOpenid4VpAuthorizationResponsePayload(payload) {
|
|
1345
|
+
return (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationResponse, payload, "Failed to parse openid4vp authorization response.");
|
|
1806
1346
|
}
|
|
1807
1347
|
|
|
1808
|
-
|
|
1809
|
-
|
|
1348
|
+
//#endregion
|
|
1349
|
+
//#region src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
|
|
1350
|
+
const zJarmHeader = zod.z.object({
|
|
1351
|
+
...__openid4vc_oauth2.zJwtHeader.shape,
|
|
1352
|
+
apu: zod.z.string().optional(),
|
|
1353
|
+
apv: zod.z.string().optional()
|
|
1354
|
+
});
|
|
1355
|
+
const zJarmAuthorizationResponse = zod.z.object({
|
|
1356
|
+
...__openid4vc_oauth2.zJwtPayload.shape,
|
|
1357
|
+
...__openid4vc_oauth2.zJwtPayload.pick({
|
|
1358
|
+
iss: true,
|
|
1359
|
+
aud: true,
|
|
1360
|
+
exp: true
|
|
1361
|
+
}).required().shape,
|
|
1362
|
+
state: zod.z.optional(zod.z.string())
|
|
1363
|
+
}).passthrough();
|
|
1364
|
+
const zJarmAuthorizationResponseEncryptedOnly = zod.z.object({
|
|
1365
|
+
...__openid4vc_oauth2.zJwtPayload.shape,
|
|
1366
|
+
state: zod.z.optional(zod.z.string())
|
|
1367
|
+
}).passthrough();
|
|
1810
1368
|
|
|
1811
|
-
|
|
1812
|
-
|
|
1369
|
+
//#endregion
|
|
1370
|
+
//#region src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
|
|
1371
|
+
const jarmAuthorizationResponseValidate = (options) => {
|
|
1372
|
+
const { expectedClientId, authorizationResponse } = options;
|
|
1373
|
+
if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) return;
|
|
1374
|
+
if (expectedClientId !== authorizationResponse.aud) throw new __openid4vc_oauth2.Oauth2Error(`Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`);
|
|
1375
|
+
if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, __openid4vc_utils.dateToSeconds)()) throw new __openid4vc_oauth2.Oauth2Error("Jarm auth response is expired.");
|
|
1376
|
+
};
|
|
1813
1377
|
|
|
1814
|
-
|
|
1815
|
-
|
|
1816
|
-
|
|
1817
|
-
|
|
1818
|
-
|
|
1819
|
-
|
|
1820
|
-
|
|
1821
|
-
|
|
1822
|
-
|
|
1823
|
-
|
|
1824
|
-
|
|
1825
|
-
|
|
1826
|
-
|
|
1827
|
-
)
|
|
1828
|
-
|
|
1829
|
-
|
|
1830
|
-
|
|
1831
|
-
|
|
1832
|
-
|
|
1833
|
-
)
|
|
1834
|
-
|
|
1378
|
+
//#endregion
|
|
1379
|
+
//#region src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
|
|
1380
|
+
let JarmMode = /* @__PURE__ */ function(JarmMode$1) {
|
|
1381
|
+
JarmMode$1["Signed"] = "Signed";
|
|
1382
|
+
JarmMode$1["Encrypted"] = "Encrypted";
|
|
1383
|
+
JarmMode$1["SignedEncrypted"] = "SignedEncrypted";
|
|
1384
|
+
return JarmMode$1;
|
|
1385
|
+
}({});
|
|
1386
|
+
/**
|
|
1387
|
+
* The client decrypts the JWT using the default key for the respective issuer or,
|
|
1388
|
+
* if applicable, determined by the kid JWT header parameter.
|
|
1389
|
+
* The key might be a private key, where the corresponding public key is registered
|
|
1390
|
+
* with the expected issuer of the response ("use":"enc" via the client's metadata jwks or jwks_uri)
|
|
1391
|
+
* or a key derived from its client secret (see Section 2.2).
|
|
1392
|
+
*/
|
|
1393
|
+
const decryptJarmAuthorizationResponseJwt = async (options) => {
|
|
1394
|
+
const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options;
|
|
1395
|
+
let encryptionJwk;
|
|
1396
|
+
const { header } = (0, __openid4vc_oauth2.decodeJwtHeader)({ jwt: jarmAuthorizationResponseJwt });
|
|
1397
|
+
if (authorizationRequestPayload.client_metadata?.jwks) encryptionJwk = extractEncryptionJwkFromJwks(authorizationRequestPayload.client_metadata.jwks, {
|
|
1398
|
+
kid: header.kid,
|
|
1399
|
+
supportedAlgValues: authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg ? [authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg] : void 0
|
|
1400
|
+
});
|
|
1401
|
+
const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk });
|
|
1402
|
+
if (!result.decrypted) throw new __openid4vc_oauth2.Oauth2Error("Failed to decrypt jarm auth response.");
|
|
1403
|
+
return {
|
|
1404
|
+
decryptionJwk: result.decryptionJwk,
|
|
1405
|
+
payload: result.payload
|
|
1406
|
+
};
|
|
1407
|
+
};
|
|
1408
|
+
/**
|
|
1409
|
+
* Validate a JARM direct_post.jwt compliant authentication response
|
|
1410
|
+
* * The decryption key should be resolvable using the the protected header's 'kid' field
|
|
1411
|
+
* * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.
|
|
1412
|
+
*/
|
|
1413
|
+
async function verifyJarmAuthorizationResponse(options) {
|
|
1414
|
+
const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
|
|
1415
|
+
const requestDataIsEncrypted = __openid4vc_oauth2.zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
|
|
1416
|
+
const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmAuthorizationResponseJwt({
|
|
1417
|
+
jarmAuthorizationResponseJwt,
|
|
1418
|
+
callbacks,
|
|
1419
|
+
authorizationRequestPayload
|
|
1420
|
+
}) : {
|
|
1421
|
+
payload: jarmAuthorizationResponseJwt,
|
|
1422
|
+
decryptionJwk: void 0
|
|
1423
|
+
};
|
|
1424
|
+
const responseIsSigned = __openid4vc_oauth2.zCompactJwt.safeParse(decryptedRequestData.payload).success;
|
|
1425
|
+
if (!requestDataIsEncrypted && !responseIsSigned) throw new __openid4vc_oauth2.Oauth2Error("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
|
|
1426
|
+
let jarmAuthorizationResponse;
|
|
1427
|
+
if (responseIsSigned) {
|
|
1428
|
+
const { header: jwsProtectedHeader, payload: jwsPayload } = (0, __openid4vc_oauth2.decodeJwt)({
|
|
1429
|
+
jwt: decryptedRequestData.payload,
|
|
1430
|
+
headerSchema: zod.default.object({
|
|
1431
|
+
...__openid4vc_oauth2.zJwtHeader.shape,
|
|
1432
|
+
kid: zod.default.string()
|
|
1433
|
+
})
|
|
1434
|
+
});
|
|
1435
|
+
const response = zJarmAuthorizationResponse.parse(jwsPayload);
|
|
1436
|
+
const jwtSigner = (0, __openid4vc_oauth2.jwtSignerFromJwt)({
|
|
1437
|
+
header: jwsProtectedHeader,
|
|
1438
|
+
payload: jwsPayload
|
|
1439
|
+
});
|
|
1440
|
+
if (!(await options.callbacks.verifyJwt(jwtSigner, {
|
|
1441
|
+
compact: decryptedRequestData.payload,
|
|
1442
|
+
header: jwsProtectedHeader,
|
|
1443
|
+
payload: jwsPayload
|
|
1444
|
+
})).verified) throw new __openid4vc_oauth2.Oauth2Error("Jarm Auth Response is not valid.");
|
|
1445
|
+
jarmAuthorizationResponse = response;
|
|
1446
|
+
} else {
|
|
1447
|
+
const jsonRequestData = (0, __openid4vc_utils.stringToJsonWithErrorHandling)(decryptedRequestData.payload, "Unable to parse decrypted JARM JWE body to JSON");
|
|
1448
|
+
jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
|
|
1449
|
+
}
|
|
1450
|
+
jarmAuthorizationResponseValidate({
|
|
1451
|
+
expectedClientId,
|
|
1452
|
+
authorizationResponse: jarmAuthorizationResponse
|
|
1453
|
+
});
|
|
1454
|
+
const type = requestDataIsEncrypted && responseIsSigned ? JarmMode.SignedEncrypted : requestDataIsEncrypted ? JarmMode.Encrypted : JarmMode.Signed;
|
|
1455
|
+
const issuer = jarmAuthorizationResponse.iss;
|
|
1456
|
+
return {
|
|
1457
|
+
jarmAuthorizationResponse,
|
|
1458
|
+
type,
|
|
1459
|
+
issuer,
|
|
1460
|
+
decryptionJwk: decryptedRequestData.decryptionJwk
|
|
1461
|
+
};
|
|
1462
|
+
}
|
|
1835
1463
|
|
|
1836
|
-
|
|
1464
|
+
//#endregion
|
|
1465
|
+
//#region src/vp-token/parse-vp-token.ts
|
|
1837
1466
|
function parsePexVpToken(vpToken) {
|
|
1838
|
-
|
|
1839
|
-
|
|
1840
|
-
(0, import_utils21.parseIfJson)(vpToken),
|
|
1841
|
-
"Could not parse presentation exchange vp_token. Expected a string or an array of strings"
|
|
1842
|
-
);
|
|
1843
|
-
return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
|
|
1467
|
+
const parsedVpToken = (0, __openid4vc_utils.parseWithErrorHandling)(zVpTokenPex, (0, __openid4vc_utils.parseIfJson)(vpToken), "Could not parse presentation exchange vp_token. Expected a string or an array of strings");
|
|
1468
|
+
return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
|
|
1844
1469
|
}
|
|
1845
1470
|
function parseDcqlVpToken(vpToken) {
|
|
1846
|
-
|
|
1847
|
-
|
|
1848
|
-
(0, import_utils21.parseIfJson)(vpToken),
|
|
1849
|
-
"Could not parse dcql vp_token. Expected an object where the values are encoded presentations"
|
|
1850
|
-
);
|
|
1851
|
-
return Object.fromEntries(
|
|
1852
|
-
Object.entries(parsedVpToken).map(([queryId, presentations]) => [
|
|
1853
|
-
queryId,
|
|
1854
|
-
Array.isArray(presentations) ? presentations : [presentations]
|
|
1855
|
-
])
|
|
1856
|
-
);
|
|
1471
|
+
const parsedVpToken = (0, __openid4vc_utils.parseWithErrorHandling)(zVpTokenDcql, (0, __openid4vc_utils.parseIfJson)(vpToken), "Could not parse dcql vp_token. Expected an object where the values are encoded presentations");
|
|
1472
|
+
return Object.fromEntries(Object.entries(parsedVpToken).map(([queryId, presentations]) => [queryId, Array.isArray(presentations) ? presentations : [presentations]]));
|
|
1857
1473
|
}
|
|
1858
1474
|
|
|
1859
|
-
|
|
1475
|
+
//#endregion
|
|
1476
|
+
//#region src/authorization-response/validate-authorization-response.ts
|
|
1477
|
+
/**
|
|
1478
|
+
* The following steps need to be performed outside of this library
|
|
1479
|
+
* - verifying the presentations
|
|
1480
|
+
* - validating the presentations against the presentation definition
|
|
1481
|
+
* - checking the revocation status of the presentations
|
|
1482
|
+
* - checking the nonce of the presentations matches the nonce of the request (for mdoc's)
|
|
1483
|
+
*/
|
|
1860
1484
|
function validateOpenid4vpAuthorizationResponsePayload(options) {
|
|
1861
|
-
|
|
1862
|
-
|
|
1863
|
-
|
|
1864
|
-
|
|
1865
|
-
|
|
1866
|
-
|
|
1867
|
-
|
|
1868
|
-
|
|
1869
|
-
|
|
1870
|
-
|
|
1871
|
-
|
|
1872
|
-
|
|
1873
|
-
|
|
1874
|
-
|
|
1875
|
-
|
|
1876
|
-
|
|
1877
|
-
|
|
1878
|
-
|
|
1879
|
-
|
|
1880
|
-
|
|
1881
|
-
|
|
1882
|
-
|
|
1883
|
-
|
|
1884
|
-
|
|
1885
|
-
|
|
1886
|
-
|
|
1887
|
-
|
|
1888
|
-
|
|
1889
|
-
|
|
1890
|
-
|
|
1891
|
-
|
|
1892
|
-
|
|
1893
|
-
query: authorizationRequestPayload.dcql_query,
|
|
1894
|
-
presentations
|
|
1895
|
-
}
|
|
1896
|
-
};
|
|
1897
|
-
}
|
|
1898
|
-
throw new import_oauth226.Oauth2Error(
|
|
1899
|
-
"Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query."
|
|
1900
|
-
);
|
|
1485
|
+
const { authorizationRequestPayload, authorizationResponsePayload } = options;
|
|
1486
|
+
if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) throw new __openid4vc_oauth2.Oauth2Error("OpenId4Vp Authorization Response state mismatch.");
|
|
1487
|
+
if (authorizationResponsePayload.id_token) throw new __openid4vc_oauth2.Oauth2Error("OpenId4Vp Authorization Response id_token is not supported.");
|
|
1488
|
+
if (authorizationResponsePayload.presentation_submission) {
|
|
1489
|
+
if (!authorizationRequestPayload.presentation_definition) throw new __openid4vc_oauth2.Oauth2Error("OpenId4Vp Authorization Request is missing the required presentation_definition.");
|
|
1490
|
+
return {
|
|
1491
|
+
type: "pex",
|
|
1492
|
+
pex: authorizationRequestPayload.scope ? {
|
|
1493
|
+
scope: authorizationRequestPayload.scope,
|
|
1494
|
+
presentationSubmission: authorizationResponsePayload.presentation_submission,
|
|
1495
|
+
presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
|
|
1496
|
+
} : {
|
|
1497
|
+
presentationDefinition: authorizationRequestPayload.presentation_definition,
|
|
1498
|
+
presentationSubmission: authorizationResponsePayload.presentation_submission,
|
|
1499
|
+
presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
|
|
1500
|
+
}
|
|
1501
|
+
};
|
|
1502
|
+
}
|
|
1503
|
+
if (authorizationRequestPayload.dcql_query) {
|
|
1504
|
+
const presentations = parseDcqlVpToken(authorizationResponsePayload.vp_token);
|
|
1505
|
+
return {
|
|
1506
|
+
type: "dcql",
|
|
1507
|
+
dcql: authorizationRequestPayload.scope ? {
|
|
1508
|
+
scope: authorizationRequestPayload.scope,
|
|
1509
|
+
presentations
|
|
1510
|
+
} : {
|
|
1511
|
+
query: authorizationRequestPayload.dcql_query,
|
|
1512
|
+
presentations
|
|
1513
|
+
}
|
|
1514
|
+
};
|
|
1515
|
+
}
|
|
1516
|
+
throw new __openid4vc_oauth2.Oauth2Error("Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query.");
|
|
1901
1517
|
}
|
|
1902
1518
|
|
|
1903
|
-
|
|
1904
|
-
|
|
1905
|
-
|
|
1906
|
-
|
|
1907
|
-
|
|
1908
|
-
|
|
1909
|
-
|
|
1910
|
-
|
|
1911
|
-
|
|
1912
|
-
|
|
1913
|
-
|
|
1914
|
-
|
|
1915
|
-
|
|
1916
|
-
|
|
1917
|
-
|
|
1918
|
-
|
|
1919
|
-
|
|
1920
|
-
|
|
1921
|
-
|
|
1922
|
-
|
|
1923
|
-
|
|
1924
|
-
|
|
1925
|
-
|
|
1926
|
-
|
|
1927
|
-
|
|
1928
|
-
|
|
1519
|
+
//#endregion
|
|
1520
|
+
//#region src/authorization-response/parse-jarm-authorization-response.ts
|
|
1521
|
+
async function parseJarmAuthorizationResponse(options) {
|
|
1522
|
+
const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
|
|
1523
|
+
const jarmAuthorizationResponseJwt = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([__openid4vc_oauth2.zCompactJwt, __openid4vc_oauth2.zCompactJwe]), jarmResponseJwt, "Invalid jarm authorization response jwt.");
|
|
1524
|
+
const verifiedJarmResponse = await verifyJarmAuthorizationResponse({
|
|
1525
|
+
jarmAuthorizationResponseJwt,
|
|
1526
|
+
callbacks,
|
|
1527
|
+
expectedClientId,
|
|
1528
|
+
authorizationRequestPayload
|
|
1529
|
+
});
|
|
1530
|
+
const { header: jarmHeader } = (0, __openid4vc_oauth2.decodeJwtHeader)({
|
|
1531
|
+
jwt: jarmAuthorizationResponseJwt,
|
|
1532
|
+
headerSchema: zJarmHeader
|
|
1533
|
+
});
|
|
1534
|
+
const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthorizationResponse);
|
|
1535
|
+
const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
|
|
1536
|
+
authorizationRequestPayload,
|
|
1537
|
+
authorizationResponsePayload
|
|
1538
|
+
});
|
|
1539
|
+
if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) throw new __openid4vc_oauth2.Oauth2Error(`Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? "fragment"}'`);
|
|
1540
|
+
return {
|
|
1541
|
+
...validateOpenId4vpResponse,
|
|
1542
|
+
jarm: {
|
|
1543
|
+
...verifiedJarmResponse,
|
|
1544
|
+
jarmHeader
|
|
1545
|
+
},
|
|
1546
|
+
expectedNonce: authorizationRequestPayload.nonce,
|
|
1547
|
+
authorizationResponsePayload
|
|
1548
|
+
};
|
|
1549
|
+
}
|
|
1929
1550
|
|
|
1930
|
-
|
|
1931
|
-
|
|
1932
|
-
|
|
1933
|
-
|
|
1934
|
-
|
|
1935
|
-
|
|
1936
|
-
|
|
1551
|
+
//#endregion
|
|
1552
|
+
//#region src/authorization-response/parse-authorization-response.ts
|
|
1553
|
+
async function parseOpenid4vpAuthorizationResponse(options) {
|
|
1554
|
+
const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
|
|
1555
|
+
const expectedClientId = getOpenid4vpClientId({
|
|
1556
|
+
origin,
|
|
1557
|
+
responseMode: authorizationRequestPayload.response_mode,
|
|
1558
|
+
clientId: authorizationRequestPayload.client_id,
|
|
1559
|
+
legacyClientIdScheme: authorizationRequestPayload.client_id_scheme
|
|
1560
|
+
});
|
|
1561
|
+
if (authorizationResponse.response) return parseJarmAuthorizationResponse({
|
|
1562
|
+
jarmResponseJwt: authorizationResponse.response,
|
|
1563
|
+
callbacks,
|
|
1564
|
+
authorizationRequestPayload,
|
|
1565
|
+
expectedClientId: expectedClientId.effectiveClientId
|
|
1566
|
+
});
|
|
1567
|
+
const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(authorizationResponse);
|
|
1568
|
+
const validatedOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
|
|
1569
|
+
authorizationRequestPayload,
|
|
1570
|
+
authorizationResponsePayload
|
|
1571
|
+
});
|
|
1572
|
+
if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1573
|
+
error: "invalid_request",
|
|
1574
|
+
error_description: "Invalid response mode for openid4vp response. Expected jarm response."
|
|
1575
|
+
}, { status: 400 });
|
|
1576
|
+
return {
|
|
1577
|
+
...validatedOpenId4vpResponse,
|
|
1578
|
+
expectedNonce: authorizationRequestPayload.nonce,
|
|
1579
|
+
authorizationResponsePayload,
|
|
1580
|
+
jarm: void 0
|
|
1581
|
+
};
|
|
1937
1582
|
}
|
|
1938
1583
|
|
|
1939
|
-
|
|
1940
|
-
|
|
1941
|
-
|
|
1942
|
-
|
|
1943
|
-
|
|
1944
|
-
|
|
1945
|
-
|
|
1946
|
-
|
|
1947
|
-
|
|
1948
|
-
|
|
1949
|
-
|
|
1950
|
-
|
|
1951
|
-
|
|
1952
|
-
|
|
1953
|
-
|
|
1954
|
-
|
|
1955
|
-
|
|
1956
|
-
const { header: jarmHeader } = (0, import_oauth227.decodeJwtHeader)({
|
|
1957
|
-
jwt: jarmAuthorizationResponseJwt,
|
|
1958
|
-
headerSchema: zJarmHeader
|
|
1959
|
-
});
|
|
1960
|
-
const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(
|
|
1961
|
-
verifiedJarmResponse.jarmAuthorizationResponse
|
|
1962
|
-
);
|
|
1963
|
-
const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
|
|
1964
|
-
authorizationRequestPayload,
|
|
1965
|
-
authorizationResponsePayload
|
|
1966
|
-
});
|
|
1967
|
-
if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {
|
|
1968
|
-
throw new import_oauth227.Oauth2Error(
|
|
1969
|
-
`Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? "fragment"}'`
|
|
1970
|
-
);
|
|
1971
|
-
}
|
|
1972
|
-
return {
|
|
1973
|
-
...validateOpenId4vpResponse,
|
|
1974
|
-
jarm: { ...verifiedJarmResponse, jarmHeader },
|
|
1975
|
-
expectedNonce: authorizationRequestPayload.nonce,
|
|
1976
|
-
authorizationResponsePayload
|
|
1977
|
-
};
|
|
1584
|
+
//#endregion
|
|
1585
|
+
//#region src/jarm/jarm-authorizatino-response-send.ts
|
|
1586
|
+
const jarmAuthorizationResponseSend = (options) => {
|
|
1587
|
+
const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options;
|
|
1588
|
+
const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
|
|
1589
|
+
if (!responseEndpoint) throw new __openid4vc_oauth2.Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`);
|
|
1590
|
+
return handleDirectPostJwt(new __openid4vc_utils.URL(responseEndpoint), jarmAuthorizationResponseJwt, callbacks);
|
|
1591
|
+
};
|
|
1592
|
+
async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
|
|
1593
|
+
return {
|
|
1594
|
+
responseMode: "direct_post.jwt",
|
|
1595
|
+
response: await (0, __openid4vc_utils.createFetcher)(callbacks.fetch)(responseEndpoint, {
|
|
1596
|
+
method: "POST",
|
|
1597
|
+
headers: { "Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded },
|
|
1598
|
+
body: `response=${responseJwt}`
|
|
1599
|
+
})
|
|
1600
|
+
};
|
|
1978
1601
|
}
|
|
1979
1602
|
|
|
1980
|
-
|
|
1981
|
-
|
|
1982
|
-
|
|
1983
|
-
|
|
1984
|
-
|
|
1985
|
-
|
|
1986
|
-
|
|
1987
|
-
|
|
1988
|
-
|
|
1989
|
-
|
|
1990
|
-
|
|
1991
|
-
|
|
1992
|
-
|
|
1993
|
-
|
|
1994
|
-
|
|
1995
|
-
|
|
1996
|
-
|
|
1997
|
-
|
|
1998
|
-
|
|
1999
|
-
authorizationRequestPayload,
|
|
2000
|
-
authorizationResponsePayload
|
|
2001
|
-
});
|
|
2002
|
-
if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) {
|
|
2003
|
-
throw new import_oauth228.Oauth2ServerErrorResponseError(
|
|
2004
|
-
{
|
|
2005
|
-
error: "invalid_request",
|
|
2006
|
-
error_description: "Invalid response mode for openid4vp response. Expected jarm response."
|
|
2007
|
-
},
|
|
2008
|
-
{
|
|
2009
|
-
status: 400
|
|
2010
|
-
}
|
|
2011
|
-
);
|
|
2012
|
-
}
|
|
2013
|
-
return {
|
|
2014
|
-
...validatedOpenId4vpResponse,
|
|
2015
|
-
expectedNonce: authorizationRequestPayload.nonce,
|
|
2016
|
-
authorizationResponsePayload,
|
|
2017
|
-
jarm: void 0
|
|
2018
|
-
};
|
|
1603
|
+
//#endregion
|
|
1604
|
+
//#region src/authorization-response/submit-authorization-response.ts
|
|
1605
|
+
async function submitOpenid4vpAuthorizationResponse(options) {
|
|
1606
|
+
const { authorizationRequestPayload, authorizationResponsePayload, jarm, callbacks } = options;
|
|
1607
|
+
const url = authorizationRequestPayload.response_uri;
|
|
1608
|
+
if (jarm) return jarmAuthorizationResponseSend({
|
|
1609
|
+
authorizationRequestPayload,
|
|
1610
|
+
jarmAuthorizationResponseJwt: jarm.responseJwt,
|
|
1611
|
+
callbacks
|
|
1612
|
+
});
|
|
1613
|
+
if (!url) throw new __openid4vc_oauth2.Oauth2Error("Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided.");
|
|
1614
|
+
return {
|
|
1615
|
+
responseMode: "direct_post",
|
|
1616
|
+
response: await (0, __openid4vc_utils.createFetcher)(callbacks.fetch)(url, {
|
|
1617
|
+
method: "POST",
|
|
1618
|
+
body: (0, __openid4vc_utils.objectToQueryParams)(authorizationResponsePayload).toString(),
|
|
1619
|
+
headers: { "Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded }
|
|
1620
|
+
})
|
|
1621
|
+
};
|
|
2019
1622
|
}
|
|
2020
1623
|
|
|
2021
|
-
|
|
1624
|
+
//#endregion
|
|
1625
|
+
//#region src/models/z-credential-formats.ts
|
|
1626
|
+
const zCredentialFormat = zod.z.enum([
|
|
1627
|
+
"jwt_vc_json",
|
|
1628
|
+
"ldp_vc",
|
|
1629
|
+
"mso_mdoc",
|
|
1630
|
+
"dc+sd-jwt",
|
|
1631
|
+
"vc+sd-jwt"
|
|
1632
|
+
]);
|
|
1633
|
+
|
|
1634
|
+
//#endregion
|
|
1635
|
+
//#region src/models/z-proof-formats.ts
|
|
1636
|
+
const zProofFormat = zod.z.enum([
|
|
1637
|
+
"jwt_vp_json",
|
|
1638
|
+
"ldc_vp",
|
|
1639
|
+
"ac_vp",
|
|
1640
|
+
"dc+sd-jwt",
|
|
1641
|
+
"vc+sd-jwt",
|
|
1642
|
+
"mso_mdoc"
|
|
1643
|
+
]);
|
|
1644
|
+
|
|
1645
|
+
//#endregion
|
|
1646
|
+
//#region src/models/z-wallet-metadata.ts
|
|
1647
|
+
const zWalletMetadata = zod.z.object({
|
|
1648
|
+
presentation_definition_uri_supported: zod.z.optional(zod.z.boolean()),
|
|
1649
|
+
vp_formats_supported: zod.z.optional(zVpFormatsSupported.or(zLegacyVpFormats)),
|
|
1650
|
+
client_id_schemes_supported: zod.z.optional(zod.z.array(zClientIdPrefix.exclude(["decentralized_identifier", "openid_federation"]))),
|
|
1651
|
+
client_id_prefixes_supported: zod.z.optional(zod.z.array(zUniformClientIdPrefix)),
|
|
1652
|
+
request_object_signing_alg_values_supported: zod.z.optional(zod.z.array(zod.z.string())),
|
|
1653
|
+
authorization_encryption_alg_values_supported: zod.z.optional(zod.z.array(zod.z.string())),
|
|
1654
|
+
authorization_encryption_enc_values_supported: zod.z.optional(zod.z.array(zod.z.string()))
|
|
1655
|
+
});
|
|
1656
|
+
|
|
1657
|
+
//#endregion
|
|
1658
|
+
//#region src/Openid4vpClient.ts
|
|
2022
1659
|
var Openid4vpClient = class {
|
|
2023
|
-
|
|
2024
|
-
|
|
2025
|
-
|
|
2026
|
-
|
|
2027
|
-
|
|
2028
|
-
|
|
2029
|
-
|
|
2030
|
-
|
|
2031
|
-
|
|
2032
|
-
|
|
2033
|
-
|
|
2034
|
-
|
|
2035
|
-
|
|
2036
|
-
|
|
2037
|
-
|
|
1660
|
+
constructor(options) {
|
|
1661
|
+
this.options = options;
|
|
1662
|
+
}
|
|
1663
|
+
parseOpenid4vpAuthorizationRequest(options) {
|
|
1664
|
+
return parseOpenid4vpAuthorizationRequest(options);
|
|
1665
|
+
}
|
|
1666
|
+
async resolveOpenId4vpAuthorizationRequest(options) {
|
|
1667
|
+
return resolveOpenid4vpAuthorizationRequest({
|
|
1668
|
+
...options,
|
|
1669
|
+
callbacks: this.options.callbacks
|
|
1670
|
+
});
|
|
1671
|
+
}
|
|
1672
|
+
async createOpenid4vpAuthorizationResponse(options) {
|
|
1673
|
+
return createOpenid4vpAuthorizationResponse({
|
|
1674
|
+
...options,
|
|
1675
|
+
callbacks: this.options.callbacks
|
|
1676
|
+
});
|
|
1677
|
+
}
|
|
1678
|
+
async submitOpenid4vpAuthorizationResponse(options) {
|
|
1679
|
+
return submitOpenid4vpAuthorizationResponse({
|
|
1680
|
+
...options,
|
|
1681
|
+
callbacks: this.options.callbacks
|
|
1682
|
+
});
|
|
1683
|
+
}
|
|
2038
1684
|
};
|
|
2039
1685
|
|
|
2040
|
-
|
|
2041
|
-
|
|
2042
|
-
var import_utils25 = require("@openid4vc/utils");
|
|
1686
|
+
//#endregion
|
|
1687
|
+
//#region src/transaction-data/verify-transaction-data.ts
|
|
2043
1688
|
async function verifyTransactionData(options) {
|
|
2044
|
-
|
|
2045
|
-
|
|
2046
|
-
|
|
2047
|
-
|
|
2048
|
-
|
|
2049
|
-
|
|
2050
|
-
|
|
2051
|
-
|
|
2052
|
-
|
|
2053
|
-
|
|
2054
|
-
|
|
2055
|
-
}
|
|
2056
|
-
return matchedEntries;
|
|
1689
|
+
const parsedTransactionData = parseTransactionData({ transactionData: options.transactionData });
|
|
1690
|
+
const matchedEntries = [];
|
|
1691
|
+
for (const parsedEntry of parsedTransactionData) {
|
|
1692
|
+
const matchedEntry = await verifyTransactionDataEntry({
|
|
1693
|
+
entry: parsedEntry,
|
|
1694
|
+
callbacks: options.callbacks,
|
|
1695
|
+
credentials: options.credentials
|
|
1696
|
+
});
|
|
1697
|
+
matchedEntries.push(matchedEntry);
|
|
1698
|
+
}
|
|
1699
|
+
return matchedEntries;
|
|
2057
1700
|
}
|
|
2058
|
-
async function verifyTransactionDataEntry({
|
|
2059
|
-
|
|
2060
|
-
|
|
2061
|
-
|
|
2062
|
-
|
|
2063
|
-
|
|
2064
|
-
|
|
2065
|
-
|
|
2066
|
-
|
|
2067
|
-
|
|
2068
|
-
|
|
2069
|
-
|
|
2070
|
-
|
|
2071
|
-
|
|
2072
|
-
|
|
2073
|
-
|
|
2074
|
-
|
|
2075
|
-
|
|
2076
|
-
|
|
2077
|
-
|
|
2078
|
-
|
|
2079
|
-
|
|
2080
|
-
|
|
2081
|
-
|
|
2082
|
-
|
|
2083
|
-
|
|
2084
|
-
|
|
2085
|
-
|
|
2086
|
-
|
|
2087
|
-
|
|
2088
|
-
|
|
2089
|
-
|
|
2090
|
-
|
|
2091
|
-
|
|
2092
|
-
|
|
2093
|
-
|
|
2094
|
-
|
|
2095
|
-
|
|
2096
|
-
|
|
2097
|
-
|
|
2098
|
-
|
|
2099
|
-
|
|
2100
|
-
|
|
2101
|
-
hashAlg: alg,
|
|
2102
|
-
presentationIndex
|
|
2103
|
-
});
|
|
2104
|
-
}
|
|
2105
|
-
return {
|
|
2106
|
-
transactionDataEntry: entry,
|
|
2107
|
-
credentialId,
|
|
2108
|
-
presentations
|
|
2109
|
-
};
|
|
2110
|
-
}
|
|
2111
|
-
throw new import_oauth229.Oauth2ServerErrorResponseError({
|
|
2112
|
-
error: import_oauth229.Oauth2ErrorCodes.InvalidTransactionData,
|
|
2113
|
-
error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`
|
|
2114
|
-
});
|
|
1701
|
+
async function verifyTransactionDataEntry({ entry, credentials, callbacks }) {
|
|
1702
|
+
const allowedAlgs = entry.transactionData.transaction_data_hashes_alg ?? ["sha-256"];
|
|
1703
|
+
const supportedAlgs = allowedAlgs.filter((alg) => Object.values(__openid4vc_oauth2.HashAlgorithm).includes(alg));
|
|
1704
|
+
const hashes = {};
|
|
1705
|
+
for (const alg of supportedAlgs) hashes[alg] = (0, __openid4vc_utils.encodeToBase64Url)(await callbacks.hash((0, __openid4vc_utils.decodeUtf8String)(entry.encoded), alg));
|
|
1706
|
+
for (const credentialId of entry.transactionData.credential_ids) {
|
|
1707
|
+
const transactionDataHashesCredentials = credentials[credentialId];
|
|
1708
|
+
if (!transactionDataHashesCredentials) continue;
|
|
1709
|
+
const presentations = [];
|
|
1710
|
+
for (const transactionDataHashesCredential of transactionDataHashesCredentials) {
|
|
1711
|
+
const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? "sha-256";
|
|
1712
|
+
const hash = hashes[alg];
|
|
1713
|
+
const presentationIndex = transactionDataHashesCredentials.indexOf(transactionDataHashesCredential);
|
|
1714
|
+
if (!allowedAlgs.includes(alg)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1715
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
|
|
1716
|
+
error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(", ")}.`
|
|
1717
|
+
});
|
|
1718
|
+
if (!hash) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1719
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
|
|
1720
|
+
error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(__openid4vc_oauth2.HashAlgorithm).join(", ")}. Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`
|
|
1721
|
+
});
|
|
1722
|
+
const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash);
|
|
1723
|
+
if (credentialHashIndex === -1) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1724
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
|
|
1725
|
+
error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} does not have a matching hash in the transaction_data_hashes`
|
|
1726
|
+
});
|
|
1727
|
+
presentations.push({
|
|
1728
|
+
credentialHashIndex,
|
|
1729
|
+
hash,
|
|
1730
|
+
hashAlg: alg,
|
|
1731
|
+
presentationIndex
|
|
1732
|
+
});
|
|
1733
|
+
}
|
|
1734
|
+
return {
|
|
1735
|
+
transactionDataEntry: entry,
|
|
1736
|
+
credentialId,
|
|
1737
|
+
presentations
|
|
1738
|
+
};
|
|
1739
|
+
}
|
|
1740
|
+
throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
|
|
1741
|
+
error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
|
|
1742
|
+
error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`
|
|
1743
|
+
});
|
|
2115
1744
|
}
|
|
2116
1745
|
|
|
2117
|
-
|
|
1746
|
+
//#endregion
|
|
1747
|
+
//#region src/Openid4vpVerifier.ts
|
|
2118
1748
|
var Openid4vpVerifier = class {
|
|
2119
|
-
|
|
2120
|
-
|
|
2121
|
-
|
|
2122
|
-
|
|
2123
|
-
|
|
2124
|
-
|
|
2125
|
-
|
|
2126
|
-
|
|
2127
|
-
|
|
2128
|
-
|
|
2129
|
-
|
|
2130
|
-
|
|
2131
|
-
|
|
2132
|
-
|
|
2133
|
-
|
|
2134
|
-
|
|
2135
|
-
|
|
2136
|
-
|
|
2137
|
-
|
|
2138
|
-
|
|
2139
|
-
|
|
2140
|
-
|
|
2141
|
-
|
|
2142
|
-
|
|
2143
|
-
|
|
2144
|
-
|
|
2145
|
-
|
|
2146
|
-
|
|
2147
|
-
|
|
2148
|
-
|
|
2149
|
-
|
|
2150
|
-
|
|
2151
|
-
|
|
2152
|
-
|
|
2153
|
-
|
|
2154
|
-
|
|
2155
|
-
|
|
2156
|
-
|
|
1749
|
+
constructor(options) {
|
|
1750
|
+
this.options = options;
|
|
1751
|
+
}
|
|
1752
|
+
async createOpenId4vpAuthorizationRequest(options) {
|
|
1753
|
+
return createOpenid4vpAuthorizationRequest({
|
|
1754
|
+
...options,
|
|
1755
|
+
callbacks: this.options.callbacks
|
|
1756
|
+
});
|
|
1757
|
+
}
|
|
1758
|
+
parseOpenid4vpAuthorizationRequestPayload(options) {
|
|
1759
|
+
return parseOpenid4vpAuthorizationRequest(options);
|
|
1760
|
+
}
|
|
1761
|
+
parseOpenid4vpAuthorizationResponse(options) {
|
|
1762
|
+
return parseOpenid4vpAuthorizationResponse(options);
|
|
1763
|
+
}
|
|
1764
|
+
validateOpenid4vpAuthorizationResponsePayload(options) {
|
|
1765
|
+
return validateOpenid4vpAuthorizationResponsePayload(options);
|
|
1766
|
+
}
|
|
1767
|
+
parsePexVpToken(vpToken) {
|
|
1768
|
+
return parsePexVpToken(vpToken);
|
|
1769
|
+
}
|
|
1770
|
+
parseDcqlVpToken(vpToken) {
|
|
1771
|
+
return parseDcqlVpToken(vpToken);
|
|
1772
|
+
}
|
|
1773
|
+
parseTransactionData(options) {
|
|
1774
|
+
return parseTransactionData(options);
|
|
1775
|
+
}
|
|
1776
|
+
/**
|
|
1777
|
+
* Verify transaction data against submitted credentials.
|
|
1778
|
+
*
|
|
1779
|
+
* NOTE: this expects transaction data based authorization based on hashes. This is the method defined
|
|
1780
|
+
* for SD-JWT VC, but for mDOCs it's much more generic. If you're using transaction data with mDOCs based
|
|
1781
|
+
* on hashes, you can extract the values from the DeviceResponse, otherwise you must verify the transaction data
|
|
1782
|
+
* manually.
|
|
1783
|
+
*/
|
|
1784
|
+
verifyTransactionData(options) {
|
|
1785
|
+
return verifyTransactionData({
|
|
1786
|
+
...options,
|
|
1787
|
+
callbacks: this.options.callbacks
|
|
1788
|
+
});
|
|
1789
|
+
}
|
|
2157
1790
|
};
|
|
2158
1791
|
|
|
2159
|
-
|
|
2160
|
-
|
|
2161
|
-
|
|
2162
|
-
|
|
2163
|
-
|
|
2164
|
-
|
|
2165
|
-
|
|
2166
|
-
|
|
2167
|
-
|
|
2168
|
-
|
|
2169
|
-
|
|
2170
|
-
|
|
2171
|
-
|
|
2172
|
-
|
|
2173
|
-
|
|
2174
|
-
|
|
2175
|
-
|
|
2176
|
-
|
|
2177
|
-
|
|
2178
|
-
|
|
2179
|
-
|
|
2180
|
-
|
|
2181
|
-
|
|
2182
|
-
|
|
2183
|
-
|
|
2184
|
-
|
|
2185
|
-
|
|
2186
|
-
|
|
2187
|
-
|
|
2188
|
-
|
|
2189
|
-
|
|
2190
|
-
getOpenid4vpClientId,
|
|
2191
|
-
isJarmResponseMode,
|
|
2192
|
-
isOpenid4vpAuthorizationRequestDcApi,
|
|
2193
|
-
parseAuthorizationRequestVersion,
|
|
2194
|
-
parseDcqlVpToken,
|
|
2195
|
-
parseJarmAuthorizationResponse,
|
|
2196
|
-
parseOpenid4VpAuthorizationResponsePayload,
|
|
2197
|
-
parseOpenid4vpAuthorizationRequest,
|
|
2198
|
-
parseOpenid4vpAuthorizationResponse,
|
|
2199
|
-
parsePexVpToken,
|
|
2200
|
-
parseTransactionData,
|
|
2201
|
-
resolveOpenid4vpAuthorizationRequest,
|
|
2202
|
-
submitOpenid4vpAuthorizationResponse,
|
|
2203
|
-
validateOpenid4vpAuthorizationRequestPayload,
|
|
2204
|
-
validateOpenid4vpAuthorizationResponsePayload,
|
|
2205
|
-
verifyJarmAuthorizationResponse,
|
|
2206
|
-
zClientIdPrefix,
|
|
2207
|
-
zClientMetadata,
|
|
2208
|
-
zCredentialFormat,
|
|
2209
|
-
zJarmClientMetadata,
|
|
2210
|
-
zOpenid4vpAuthorizationResponse,
|
|
2211
|
-
zProofFormat,
|
|
2212
|
-
zVerifierAttestations,
|
|
2213
|
-
zWalletMetadata
|
|
2214
|
-
});
|
|
1792
|
+
//#endregion
|
|
1793
|
+
exports.JarmMode = JarmMode;
|
|
1794
|
+
exports.Openid4vpClient = Openid4vpClient;
|
|
1795
|
+
exports.Openid4vpVerifier = Openid4vpVerifier;
|
|
1796
|
+
exports.createOpenid4vpAuthorizationRequest = createOpenid4vpAuthorizationRequest;
|
|
1797
|
+
exports.createOpenid4vpAuthorizationResponse = createOpenid4vpAuthorizationResponse;
|
|
1798
|
+
exports.extractEncryptionJwkFromJwks = extractEncryptionJwkFromJwks;
|
|
1799
|
+
exports.getOpenid4vpClientId = getOpenid4vpClientId;
|
|
1800
|
+
exports.isJarmResponseMode = isJarmResponseMode;
|
|
1801
|
+
exports.isOpenid4vpAuthorizationRequestDcApi = isOpenid4vpAuthorizationRequestDcApi;
|
|
1802
|
+
exports.parseAuthorizationRequestVersion = parseAuthorizationRequestVersion;
|
|
1803
|
+
exports.parseDcqlVpToken = parseDcqlVpToken;
|
|
1804
|
+
exports.parseJarmAuthorizationResponse = parseJarmAuthorizationResponse;
|
|
1805
|
+
exports.parseOpenid4VpAuthorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload;
|
|
1806
|
+
exports.parseOpenid4vpAuthorizationRequest = parseOpenid4vpAuthorizationRequest;
|
|
1807
|
+
exports.parseOpenid4vpAuthorizationResponse = parseOpenid4vpAuthorizationResponse;
|
|
1808
|
+
exports.parsePexVpToken = parsePexVpToken;
|
|
1809
|
+
exports.parseTransactionData = parseTransactionData;
|
|
1810
|
+
exports.resolveOpenid4vpAuthorizationRequest = resolveOpenid4vpAuthorizationRequest;
|
|
1811
|
+
exports.submitOpenid4vpAuthorizationResponse = submitOpenid4vpAuthorizationResponse;
|
|
1812
|
+
exports.validateOpenid4vpAuthorizationRequestPayload = validateOpenid4vpAuthorizationRequestPayload;
|
|
1813
|
+
exports.validateOpenid4vpAuthorizationResponsePayload = validateOpenid4vpAuthorizationResponsePayload;
|
|
1814
|
+
exports.verifyJarmAuthorizationResponse = verifyJarmAuthorizationResponse;
|
|
1815
|
+
exports.zClientIdPrefix = zClientIdPrefix;
|
|
1816
|
+
exports.zClientMetadata = zClientMetadata;
|
|
1817
|
+
exports.zCredentialFormat = zCredentialFormat;
|
|
1818
|
+
exports.zJarmClientMetadata = zJarmClientMetadata;
|
|
1819
|
+
exports.zOpenid4vpAuthorizationResponse = zOpenid4vpAuthorizationResponse;
|
|
1820
|
+
exports.zProofFormat = zProofFormat;
|
|
1821
|
+
exports.zVerifierAttestations = zVerifierAttestations;
|
|
1822
|
+
exports.zWalletMetadata = zWalletMetadata;
|
|
2215
1823
|
//# sourceMappingURL=index.js.map
|