@pagopa/io-wallet-oauth2 0.3.0 → 0.4.1

package/dist/index.d.mts CHANGED
@@ -1,171 +1,829 @@
1
- import { CallbackContext, AuthorizationServerMetadata, RequestDpopOptions } from '@openid4vc/oauth2';
2
- import z from 'zod';
1
+ import * as _openid4vc_oauth2 from '@openid4vc/oauth2';
2
+ import { CallbackContext, AuthorizationServerMetadata, RequestDpopOptions, Jwk, JwtSignerJwk, HttpMethod, JwtSigner } from '@openid4vc/oauth2';
3
+ export { CallbackContext, GenerateRandomCallback, HttpMethod, Jwk, JwtSigner, JwtSignerJwk, Oauth2JwtParseError, RequestDpopOptions, SignJwtCallback, VerifyJwtCallback, decodeJwt } from '@openid4vc/oauth2';
4
+ import * as zod from 'zod';
5
+ import zod__default from 'zod';
6
+ export { Fetch } from '@openid4vc/utils';
3
7
 
4
- declare enum PkceCodeChallengeMethod {
5
- Plain = "plain",
6
- S256 = "S256"
7
- }
8
- interface CreatePkceOptions {
9
- /**
10
- * Also allows string values so it can be directly passed from the
11
- * 'code_challenge_methods_supported' metadata parameter
12
- */
13
- allowedCodeChallengeMethods?: Array<string | PkceCodeChallengeMethod>;
14
- /**
15
- * Code verifier to use. If not provided a value will be generated.
16
- */
17
- codeVerifier?: string;
18
- callbacks: Pick<CallbackContext, 'hash' | 'generateRandom'>;
19
- }
20
- interface CreatePkceReturn {
21
- codeVerifier: string;
22
- codeChallenge: string;
23
- codeChallengeMethod: PkceCodeChallengeMethod;
24
- }
25
- declare function createPkce(options: CreatePkceOptions): Promise<CreatePkceReturn>;
26
- interface VerifyPkceOptions {
27
- /**
28
- * secure random code verifier
29
- */
30
- codeVerifier: string;
31
- codeChallenge: string;
32
- codeChallengeMethod: PkceCodeChallengeMethod;
33
- callbacks: Pick<CallbackContext, 'hash'>;
34
- }
35
- declare function verifyPkce(options: VerifyPkceOptions): Promise<void>;
36
-
37
- declare const zAuthorizationRequest: z.ZodObject<{
38
- response_type: z.ZodString;
39
- response_mode: z.ZodString;
40
- client_id: z.ZodString;
41
- state: z.ZodString;
42
- code_challenge: z.ZodString;
43
- code_challenge_method: z.ZodString;
44
- scope: z.ZodString;
45
- authorization_details: z.ZodArray<z.ZodObject<{
46
- type: z.ZodLiteral<"openid_credential">;
47
- credential_configuration_id: z.ZodString;
48
- }, "strip", z.ZodTypeAny, {
49
- type?: "openid_credential";
50
- credential_configuration_id?: string;
8
+ declare const zAuthorizationRequest: zod__default.ZodObject<{
9
+ authorization_details: zod__default.ZodArray<zod__default.ZodObject<{
10
+ credential_configuration_id: zod__default.ZodString;
11
+ type: zod__default.ZodLiteral<"openid_credential">;
12
+ }, "strip", zod__default.ZodTypeAny, {
13
+ type: "openid_credential";
14
+ credential_configuration_id: string;
51
15
  }, {
52
- type?: "openid_credential";
53
- credential_configuration_id?: string;
16
+ type: "openid_credential";
17
+ credential_configuration_id: string;
54
18
  }>, "many">;
55
- redirect_uri: z.ZodOptional<z.ZodString>;
56
- issuer_state: z.ZodOptional<z.ZodString>;
57
- }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
58
- response_type: z.ZodString;
59
- response_mode: z.ZodString;
60
- client_id: z.ZodString;
61
- state: z.ZodString;
62
- code_challenge: z.ZodString;
63
- code_challenge_method: z.ZodString;
64
- scope: z.ZodString;
65
- authorization_details: z.ZodArray<z.ZodObject<{
66
- type: z.ZodLiteral<"openid_credential">;
67
- credential_configuration_id: z.ZodString;
68
- }, "strip", z.ZodTypeAny, {
69
- type?: "openid_credential";
70
- credential_configuration_id?: string;
19
+ client_id: zod__default.ZodString;
20
+ code_challenge: zod__default.ZodString;
21
+ code_challenge_method: zod__default.ZodString;
22
+ issuer_state: zod__default.ZodOptional<zod__default.ZodString>;
23
+ redirect_uri: zod__default.ZodOptional<zod__default.ZodString>;
24
+ response_mode: zod__default.ZodString;
25
+ response_type: zod__default.ZodString;
26
+ scope: zod__default.ZodString;
27
+ state: zod__default.ZodString;
28
+ }, "passthrough", zod__default.ZodTypeAny, zod__default.objectOutputType<{
29
+ authorization_details: zod__default.ZodArray<zod__default.ZodObject<{
30
+ credential_configuration_id: zod__default.ZodString;
31
+ type: zod__default.ZodLiteral<"openid_credential">;
32
+ }, "strip", zod__default.ZodTypeAny, {
33
+ type: "openid_credential";
34
+ credential_configuration_id: string;
71
35
  }, {
72
- type?: "openid_credential";
73
- credential_configuration_id?: string;
36
+ type: "openid_credential";
37
+ credential_configuration_id: string;
74
38
  }>, "many">;
75
- redirect_uri: z.ZodOptional<z.ZodString>;
76
- issuer_state: z.ZodOptional<z.ZodString>;
77
- }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
78
- response_type: z.ZodString;
79
- response_mode: z.ZodString;
80
- client_id: z.ZodString;
81
- state: z.ZodString;
82
- code_challenge: z.ZodString;
83
- code_challenge_method: z.ZodString;
84
- scope: z.ZodString;
85
- authorization_details: z.ZodArray<z.ZodObject<{
86
- type: z.ZodLiteral<"openid_credential">;
87
- credential_configuration_id: z.ZodString;
88
- }, "strip", z.ZodTypeAny, {
89
- type?: "openid_credential";
90
- credential_configuration_id?: string;
39
+ client_id: zod__default.ZodString;
40
+ code_challenge: zod__default.ZodString;
41
+ code_challenge_method: zod__default.ZodString;
42
+ issuer_state: zod__default.ZodOptional<zod__default.ZodString>;
43
+ redirect_uri: zod__default.ZodOptional<zod__default.ZodString>;
44
+ response_mode: zod__default.ZodString;
45
+ response_type: zod__default.ZodString;
46
+ scope: zod__default.ZodString;
47
+ state: zod__default.ZodString;
48
+ }, zod__default.ZodTypeAny, "passthrough">, zod__default.objectInputType<{
49
+ authorization_details: zod__default.ZodArray<zod__default.ZodObject<{
50
+ credential_configuration_id: zod__default.ZodString;
51
+ type: zod__default.ZodLiteral<"openid_credential">;
52
+ }, "strip", zod__default.ZodTypeAny, {
53
+ type: "openid_credential";
54
+ credential_configuration_id: string;
91
55
  }, {
92
- type?: "openid_credential";
93
- credential_configuration_id?: string;
56
+ type: "openid_credential";
57
+ credential_configuration_id: string;
94
58
  }>, "many">;
95
- redirect_uri: z.ZodOptional<z.ZodString>;
96
- issuer_state: z.ZodOptional<z.ZodString>;
97
- }, z.ZodTypeAny, "passthrough">>;
98
- type AuthorizationRequest = z.infer<typeof zAuthorizationRequest>;
99
- declare const zPushedAuthorizationRequestSigned: z.ZodObject<{
100
- request: z.ZodString;
101
- client_id: z.ZodString;
102
- }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
103
- request: z.ZodString;
104
- client_id: z.ZodString;
105
- }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
106
- request: z.ZodString;
107
- client_id: z.ZodString;
108
- }, z.ZodTypeAny, "passthrough">>;
109
- type PushedAuthorizationRequestSigned = z.infer<typeof zPushedAuthorizationRequestSigned>;
110
- declare const zPushedAuthorizationResponse: z.ZodObject<{
111
- request_uri: z.ZodString;
112
- expires_in: z.ZodNumber;
113
- }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
114
- request_uri: z.ZodString;
115
- expires_in: z.ZodNumber;
116
- }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
117
- request_uri: z.ZodString;
118
- expires_in: z.ZodNumber;
119
- }, z.ZodTypeAny, "passthrough">>;
120
- type PushedAuthorizationResponse = z.infer<typeof zPushedAuthorizationResponse>;
59
+ client_id: zod__default.ZodString;
60
+ code_challenge: zod__default.ZodString;
61
+ code_challenge_method: zod__default.ZodString;
62
+ issuer_state: zod__default.ZodOptional<zod__default.ZodString>;
63
+ redirect_uri: zod__default.ZodOptional<zod__default.ZodString>;
64
+ response_mode: zod__default.ZodString;
65
+ response_type: zod__default.ZodString;
66
+ scope: zod__default.ZodString;
67
+ state: zod__default.ZodString;
68
+ }, zod__default.ZodTypeAny, "passthrough">>;
69
+ type AuthorizationRequest = zod__default.infer<typeof zAuthorizationRequest>;
70
+ declare const zPushedAuthorizationRequestSigned: zod__default.ZodObject<{
71
+ client_id: zod__default.ZodString;
72
+ request: zod__default.ZodString;
73
+ }, "passthrough", zod__default.ZodTypeAny, zod__default.objectOutputType<{
74
+ client_id: zod__default.ZodString;
75
+ request: zod__default.ZodString;
76
+ }, zod__default.ZodTypeAny, "passthrough">, zod__default.objectInputType<{
77
+ client_id: zod__default.ZodString;
78
+ request: zod__default.ZodString;
79
+ }, zod__default.ZodTypeAny, "passthrough">>;
80
+ type PushedAuthorizationRequestSigned = zod__default.infer<typeof zPushedAuthorizationRequestSigned>;
81
+ declare const zPushedAuthorizationResponse: zod__default.ZodObject<{
82
+ expires_in: zod__default.ZodNumber;
83
+ request_uri: zod__default.ZodString;
84
+ }, "passthrough", zod__default.ZodTypeAny, zod__default.objectOutputType<{
85
+ expires_in: zod__default.ZodNumber;
86
+ request_uri: zod__default.ZodString;
87
+ }, zod__default.ZodTypeAny, "passthrough">, zod__default.objectInputType<{
88
+ expires_in: zod__default.ZodNumber;
89
+ request_uri: zod__default.ZodString;
90
+ }, zod__default.ZodTypeAny, "passthrough">>;
91
+ type PushedAuthorizationResponse = zod__default.infer<typeof zPushedAuthorizationResponse>;
121
92
 
122
93
  interface CreatePushedAuthorizationRequestOptions {
94
+ /**
95
+ * It MUST be set to the identifier of the Credential Issuer.
96
+ */
97
+ audience: string;
98
+ /**
99
+ * Allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures
100
+ */
101
+ authorization_details: AuthorizationRequest["authorization_details"];
123
102
  /**
124
103
  * Callback context mostly for crypto related functionality
125
104
  */
126
- callbacks: Pick<CallbackContext, 'hash' | 'generateRandom' | 'signJwt'>;
127
- codeChallengeMethodsSupported: AuthorizationServerMetadata["code_challenge_methods_supported"];
105
+ callbacks: Pick<CallbackContext, "generateRandom" | "hash" | "signJwt">;
128
106
  /**
129
107
  * MUST be set to the thumbprint of the jwk value in the cnf parameter inside the Wallet Attestation.
130
108
  */
131
109
  clientId: string;
110
+ codeChallengeMethodsSupported: AuthorizationServerMetadata["code_challenge_methods_supported"];
132
111
  /**
133
- * It MUST be set to the identifier of the Credential Issuer.
112
+ * DPoP options
134
113
  */
135
- audience: string;
114
+ dpop: RequestDpopOptions;
136
115
  /**
137
- * Scope to request for the authorization request
116
+ * jti parameter to use for PAR. If not provided a value will generated automatically
138
117
  */
139
- scope: string;
118
+ jti?: string;
140
119
  /**
141
- * It MUST be one of the supported values (response_modes_supported) provided in the metadata of the Credential Issuer.
120
+ * Code verifier to use for pkce. If not provided a value will generated when pkce is supported
142
121
  */
143
- responseMode: string;
122
+ pkceCodeVerifier?: string;
144
123
  /**
145
124
  * Redirect uri to include in the authorization request
146
125
  */
147
126
  redirectUri: string;
148
127
  /**
149
- * Allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures
128
+ * It MUST be one of the supported values (response_modes_supported) provided in the metadata of the Credential Issuer.
129
+ */
130
+ responseMode: string;
131
+ /**
132
+ * Scope to request for the authorization request
150
133
  */
151
- authorization_details: Record<string, unknown>[];
134
+ scope: string;
152
135
  /**
153
136
  * state parameter to use for PAR. If not provided a value will generated automatically
154
137
  */
155
138
  state?: string;
139
+ }
140
+ declare function createPushedAuthorizationRequest(options: CreatePushedAuthorizationRequestOptions): Promise<PushedAuthorizationRequestSigned>;
141
+
142
+ /**
143
+ * Configuration options for fetching pushed authorization response
144
+ */
145
+ interface fetchPushedAuthorizationResponseOptions {
156
146
  /**
157
- * jti parameter to use for PAR. If not provided a value will generated automatically
147
+ * Callback functions for making HTTP requests
148
+ * Allows for custom fetch implementations
149
+ */
150
+ callbacks: Pick<CallbackContext, "fetch">;
151
+ /**
152
+ * The client attestation Demonstration of Proof-of-Possession (DPoP) token
153
+ * Used for OAuth-Client-Attestation-PoP header to prove possession of the client key
154
+ */
155
+ clientAttestationDPoP: string;
156
+ /**
157
+ * The endpoint URL where the pushed authorization request will be sent
158
+ * This should be the authorization server's PAR endpoint
159
+ */
160
+ pushedAuthorizationRequestEndpoint: string;
161
+ /**
162
+ * The signed pushed authorization request object containing client_id and request JWT
163
+ * This object has been previously signed and is ready for transmission
164
+ */
165
+ pushedAuthorizationRequestSigned: PushedAuthorizationRequestSigned;
166
+ /**
167
+ * The wallet attestation JWT that proves the client's identity and capabilities
168
+ * Used for OAuth-Client-Attestation header
169
+ */
170
+ walletAttestation: string;
171
+ }
172
+ /**
173
+ * Sends a pushed authorization request to the authorization server and returns the response
174
+ *
175
+ * This function implements the IT Wallet Pushed Authorization Requests (PAR) specification,
176
+ * sending the signed authorization request to the server and handling the response.
177
+ *
178
+ * @param options - Configuration options for the pushed authorization request
179
+ * @returns Promise that resolves to the parsed pushed authorization response containing request_uri and expires_in
180
+ * @throws {UnexpectedStatusCodeError} When the server returns a non-201 status code
181
+ * @throws {ValidationError} When the response cannot be parsed or is invalid
182
+ */
183
+ declare function fetchPushedAuthorizationResponse(options: fetchPushedAuthorizationResponseOptions): Promise<PushedAuthorizationResponse>;
184
+
185
+ interface VerifyClientAttestationPopJwtOptions {
186
+ /**
187
+ * The issuer identifier of the authorization server handling the client attestation
188
+ */
189
+ authorizationServer: string;
190
+ /**
191
+ * Callbacks used for verifying client attestation pop jwt.
192
+ */
193
+ callbacks: Pick<CallbackContext, "verifyJwt">;
194
+ /**
195
+ * The compact client attestation pop jwt.
196
+ */
197
+ clientAttestationPopJwt: string;
198
+ /**
199
+ * The public JWK to verify the client attestation pop jwt.
200
+ */
201
+ clientAttestationPublicJwk: Jwk;
202
+ /**
203
+ * Expected nonce in the payload. If not provided the nonce won't be validated.
204
+ */
205
+ expectedNonce?: string;
206
+ /**
207
+ * Date to use for expiration. If not provided current date will be used.
208
+ */
209
+ now?: Date;
210
+ }
211
+ type VerifiedClientAttestationPopJwt = Awaited<ReturnType<typeof verifyClientAttestationPopJwt>>;
212
+ declare function verifyClientAttestationPopJwt(options: VerifyClientAttestationPopJwtOptions): Promise<{
213
+ header: zod.objectOutputType<{
214
+ alg: zod.ZodEffects<zod.ZodString, string, string>;
215
+ typ: zod.ZodOptional<zod.ZodString>;
216
+ kid: zod.ZodOptional<zod.ZodString>;
217
+ jwk: zod.ZodOptional<zod.ZodObject<{
218
+ kty: zod.ZodString;
219
+ crv: zod.ZodOptional<zod.ZodString>;
220
+ x: zod.ZodOptional<zod.ZodString>;
221
+ y: zod.ZodOptional<zod.ZodString>;
222
+ e: zod.ZodOptional<zod.ZodString>;
223
+ n: zod.ZodOptional<zod.ZodString>;
224
+ alg: zod.ZodOptional<zod.ZodString>;
225
+ d: zod.ZodOptional<zod.ZodString>;
226
+ dp: zod.ZodOptional<zod.ZodString>;
227
+ dq: zod.ZodOptional<zod.ZodString>;
228
+ ext: zod.ZodOptional<zod.ZodBoolean>;
229
+ k: zod.ZodOptional<zod.ZodString>;
230
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
231
+ kid: zod.ZodOptional<zod.ZodString>;
232
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
233
+ d: zod.ZodOptional<zod.ZodString>;
234
+ r: zod.ZodOptional<zod.ZodString>;
235
+ t: zod.ZodOptional<zod.ZodString>;
236
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
237
+ d: zod.ZodOptional<zod.ZodString>;
238
+ r: zod.ZodOptional<zod.ZodString>;
239
+ t: zod.ZodOptional<zod.ZodString>;
240
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
241
+ d: zod.ZodOptional<zod.ZodString>;
242
+ r: zod.ZodOptional<zod.ZodString>;
243
+ t: zod.ZodOptional<zod.ZodString>;
244
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
245
+ p: zod.ZodOptional<zod.ZodString>;
246
+ q: zod.ZodOptional<zod.ZodString>;
247
+ qi: zod.ZodOptional<zod.ZodString>;
248
+ use: zod.ZodOptional<zod.ZodString>;
249
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
250
+ x5t: zod.ZodOptional<zod.ZodString>;
251
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
252
+ x5u: zod.ZodOptional<zod.ZodString>;
253
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
254
+ kty: zod.ZodString;
255
+ crv: zod.ZodOptional<zod.ZodString>;
256
+ x: zod.ZodOptional<zod.ZodString>;
257
+ y: zod.ZodOptional<zod.ZodString>;
258
+ e: zod.ZodOptional<zod.ZodString>;
259
+ n: zod.ZodOptional<zod.ZodString>;
260
+ alg: zod.ZodOptional<zod.ZodString>;
261
+ d: zod.ZodOptional<zod.ZodString>;
262
+ dp: zod.ZodOptional<zod.ZodString>;
263
+ dq: zod.ZodOptional<zod.ZodString>;
264
+ ext: zod.ZodOptional<zod.ZodBoolean>;
265
+ k: zod.ZodOptional<zod.ZodString>;
266
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
267
+ kid: zod.ZodOptional<zod.ZodString>;
268
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
269
+ d: zod.ZodOptional<zod.ZodString>;
270
+ r: zod.ZodOptional<zod.ZodString>;
271
+ t: zod.ZodOptional<zod.ZodString>;
272
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
273
+ d: zod.ZodOptional<zod.ZodString>;
274
+ r: zod.ZodOptional<zod.ZodString>;
275
+ t: zod.ZodOptional<zod.ZodString>;
276
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
277
+ d: zod.ZodOptional<zod.ZodString>;
278
+ r: zod.ZodOptional<zod.ZodString>;
279
+ t: zod.ZodOptional<zod.ZodString>;
280
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
281
+ p: zod.ZodOptional<zod.ZodString>;
282
+ q: zod.ZodOptional<zod.ZodString>;
283
+ qi: zod.ZodOptional<zod.ZodString>;
284
+ use: zod.ZodOptional<zod.ZodString>;
285
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
286
+ x5t: zod.ZodOptional<zod.ZodString>;
287
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
288
+ x5u: zod.ZodOptional<zod.ZodString>;
289
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
290
+ kty: zod.ZodString;
291
+ crv: zod.ZodOptional<zod.ZodString>;
292
+ x: zod.ZodOptional<zod.ZodString>;
293
+ y: zod.ZodOptional<zod.ZodString>;
294
+ e: zod.ZodOptional<zod.ZodString>;
295
+ n: zod.ZodOptional<zod.ZodString>;
296
+ alg: zod.ZodOptional<zod.ZodString>;
297
+ d: zod.ZodOptional<zod.ZodString>;
298
+ dp: zod.ZodOptional<zod.ZodString>;
299
+ dq: zod.ZodOptional<zod.ZodString>;
300
+ ext: zod.ZodOptional<zod.ZodBoolean>;
301
+ k: zod.ZodOptional<zod.ZodString>;
302
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
303
+ kid: zod.ZodOptional<zod.ZodString>;
304
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
305
+ d: zod.ZodOptional<zod.ZodString>;
306
+ r: zod.ZodOptional<zod.ZodString>;
307
+ t: zod.ZodOptional<zod.ZodString>;
308
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
309
+ d: zod.ZodOptional<zod.ZodString>;
310
+ r: zod.ZodOptional<zod.ZodString>;
311
+ t: zod.ZodOptional<zod.ZodString>;
312
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
313
+ d: zod.ZodOptional<zod.ZodString>;
314
+ r: zod.ZodOptional<zod.ZodString>;
315
+ t: zod.ZodOptional<zod.ZodString>;
316
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
317
+ p: zod.ZodOptional<zod.ZodString>;
318
+ q: zod.ZodOptional<zod.ZodString>;
319
+ qi: zod.ZodOptional<zod.ZodString>;
320
+ use: zod.ZodOptional<zod.ZodString>;
321
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
322
+ x5t: zod.ZodOptional<zod.ZodString>;
323
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
324
+ x5u: zod.ZodOptional<zod.ZodString>;
325
+ }, zod.ZodTypeAny, "passthrough">>>;
326
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
327
+ trust_chain: zod.ZodOptional<zod.ZodArray<zod.ZodString, "atleastone">>;
328
+ }, zod.ZodTypeAny, "passthrough">;
329
+ payload: zod.objectOutputType<{
330
+ iss: zod.ZodOptional<zod.ZodString>;
331
+ aud: zod.ZodOptional<zod.ZodString>;
332
+ iat: zod.ZodOptional<zod.ZodNumber>;
333
+ exp: zod.ZodOptional<zod.ZodNumber>;
334
+ nbf: zod.ZodOptional<zod.ZodNumber>;
335
+ nonce: zod.ZodOptional<zod.ZodString>;
336
+ jti: zod.ZodOptional<zod.ZodString>;
337
+ cnf: zod.ZodOptional<zod.ZodObject<{
338
+ jwk: zod.ZodOptional<zod.ZodObject<{
339
+ kty: zod.ZodString;
340
+ crv: zod.ZodOptional<zod.ZodString>;
341
+ x: zod.ZodOptional<zod.ZodString>;
342
+ y: zod.ZodOptional<zod.ZodString>;
343
+ e: zod.ZodOptional<zod.ZodString>;
344
+ n: zod.ZodOptional<zod.ZodString>;
345
+ alg: zod.ZodOptional<zod.ZodString>;
346
+ d: zod.ZodOptional<zod.ZodString>;
347
+ dp: zod.ZodOptional<zod.ZodString>;
348
+ dq: zod.ZodOptional<zod.ZodString>;
349
+ ext: zod.ZodOptional<zod.ZodBoolean>;
350
+ k: zod.ZodOptional<zod.ZodString>;
351
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
352
+ kid: zod.ZodOptional<zod.ZodString>;
353
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
354
+ d: zod.ZodOptional<zod.ZodString>;
355
+ r: zod.ZodOptional<zod.ZodString>;
356
+ t: zod.ZodOptional<zod.ZodString>;
357
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
358
+ d: zod.ZodOptional<zod.ZodString>;
359
+ r: zod.ZodOptional<zod.ZodString>;
360
+ t: zod.ZodOptional<zod.ZodString>;
361
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
362
+ d: zod.ZodOptional<zod.ZodString>;
363
+ r: zod.ZodOptional<zod.ZodString>;
364
+ t: zod.ZodOptional<zod.ZodString>;
365
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
366
+ p: zod.ZodOptional<zod.ZodString>;
367
+ q: zod.ZodOptional<zod.ZodString>;
368
+ qi: zod.ZodOptional<zod.ZodString>;
369
+ use: zod.ZodOptional<zod.ZodString>;
370
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
371
+ x5t: zod.ZodOptional<zod.ZodString>;
372
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
373
+ x5u: zod.ZodOptional<zod.ZodString>;
374
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
375
+ kty: zod.ZodString;
376
+ crv: zod.ZodOptional<zod.ZodString>;
377
+ x: zod.ZodOptional<zod.ZodString>;
378
+ y: zod.ZodOptional<zod.ZodString>;
379
+ e: zod.ZodOptional<zod.ZodString>;
380
+ n: zod.ZodOptional<zod.ZodString>;
381
+ alg: zod.ZodOptional<zod.ZodString>;
382
+ d: zod.ZodOptional<zod.ZodString>;
383
+ dp: zod.ZodOptional<zod.ZodString>;
384
+ dq: zod.ZodOptional<zod.ZodString>;
385
+ ext: zod.ZodOptional<zod.ZodBoolean>;
386
+ k: zod.ZodOptional<zod.ZodString>;
387
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
388
+ kid: zod.ZodOptional<zod.ZodString>;
389
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
390
+ d: zod.ZodOptional<zod.ZodString>;
391
+ r: zod.ZodOptional<zod.ZodString>;
392
+ t: zod.ZodOptional<zod.ZodString>;
393
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
394
+ d: zod.ZodOptional<zod.ZodString>;
395
+ r: zod.ZodOptional<zod.ZodString>;
396
+ t: zod.ZodOptional<zod.ZodString>;
397
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
398
+ d: zod.ZodOptional<zod.ZodString>;
399
+ r: zod.ZodOptional<zod.ZodString>;
400
+ t: zod.ZodOptional<zod.ZodString>;
401
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
402
+ p: zod.ZodOptional<zod.ZodString>;
403
+ q: zod.ZodOptional<zod.ZodString>;
404
+ qi: zod.ZodOptional<zod.ZodString>;
405
+ use: zod.ZodOptional<zod.ZodString>;
406
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
407
+ x5t: zod.ZodOptional<zod.ZodString>;
408
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
409
+ x5u: zod.ZodOptional<zod.ZodString>;
410
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
411
+ kty: zod.ZodString;
412
+ crv: zod.ZodOptional<zod.ZodString>;
413
+ x: zod.ZodOptional<zod.ZodString>;
414
+ y: zod.ZodOptional<zod.ZodString>;
415
+ e: zod.ZodOptional<zod.ZodString>;
416
+ n: zod.ZodOptional<zod.ZodString>;
417
+ alg: zod.ZodOptional<zod.ZodString>;
418
+ d: zod.ZodOptional<zod.ZodString>;
419
+ dp: zod.ZodOptional<zod.ZodString>;
420
+ dq: zod.ZodOptional<zod.ZodString>;
421
+ ext: zod.ZodOptional<zod.ZodBoolean>;
422
+ k: zod.ZodOptional<zod.ZodString>;
423
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
424
+ kid: zod.ZodOptional<zod.ZodString>;
425
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
426
+ d: zod.ZodOptional<zod.ZodString>;
427
+ r: zod.ZodOptional<zod.ZodString>;
428
+ t: zod.ZodOptional<zod.ZodString>;
429
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
430
+ d: zod.ZodOptional<zod.ZodString>;
431
+ r: zod.ZodOptional<zod.ZodString>;
432
+ t: zod.ZodOptional<zod.ZodString>;
433
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
434
+ d: zod.ZodOptional<zod.ZodString>;
435
+ r: zod.ZodOptional<zod.ZodString>;
436
+ t: zod.ZodOptional<zod.ZodString>;
437
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
438
+ p: zod.ZodOptional<zod.ZodString>;
439
+ q: zod.ZodOptional<zod.ZodString>;
440
+ qi: zod.ZodOptional<zod.ZodString>;
441
+ use: zod.ZodOptional<zod.ZodString>;
442
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
443
+ x5t: zod.ZodOptional<zod.ZodString>;
444
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
445
+ x5u: zod.ZodOptional<zod.ZodString>;
446
+ }, zod.ZodTypeAny, "passthrough">>>;
447
+ jkt: zod.ZodOptional<zod.ZodString>;
448
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
449
+ jwk: zod.ZodOptional<zod.ZodObject<{
450
+ kty: zod.ZodString;
451
+ crv: zod.ZodOptional<zod.ZodString>;
452
+ x: zod.ZodOptional<zod.ZodString>;
453
+ y: zod.ZodOptional<zod.ZodString>;
454
+ e: zod.ZodOptional<zod.ZodString>;
455
+ n: zod.ZodOptional<zod.ZodString>;
456
+ alg: zod.ZodOptional<zod.ZodString>;
457
+ d: zod.ZodOptional<zod.ZodString>;
458
+ dp: zod.ZodOptional<zod.ZodString>;
459
+ dq: zod.ZodOptional<zod.ZodString>;
460
+ ext: zod.ZodOptional<zod.ZodBoolean>;
461
+ k: zod.ZodOptional<zod.ZodString>;
462
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
463
+ kid: zod.ZodOptional<zod.ZodString>;
464
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
465
+ d: zod.ZodOptional<zod.ZodString>;
466
+ r: zod.ZodOptional<zod.ZodString>;
467
+ t: zod.ZodOptional<zod.ZodString>;
468
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
469
+ d: zod.ZodOptional<zod.ZodString>;
470
+ r: zod.ZodOptional<zod.ZodString>;
471
+ t: zod.ZodOptional<zod.ZodString>;
472
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
473
+ d: zod.ZodOptional<zod.ZodString>;
474
+ r: zod.ZodOptional<zod.ZodString>;
475
+ t: zod.ZodOptional<zod.ZodString>;
476
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
477
+ p: zod.ZodOptional<zod.ZodString>;
478
+ q: zod.ZodOptional<zod.ZodString>;
479
+ qi: zod.ZodOptional<zod.ZodString>;
480
+ use: zod.ZodOptional<zod.ZodString>;
481
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
482
+ x5t: zod.ZodOptional<zod.ZodString>;
483
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
484
+ x5u: zod.ZodOptional<zod.ZodString>;
485
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
486
+ kty: zod.ZodString;
487
+ crv: zod.ZodOptional<zod.ZodString>;
488
+ x: zod.ZodOptional<zod.ZodString>;
489
+ y: zod.ZodOptional<zod.ZodString>;
490
+ e: zod.ZodOptional<zod.ZodString>;
491
+ n: zod.ZodOptional<zod.ZodString>;
492
+ alg: zod.ZodOptional<zod.ZodString>;
493
+ d: zod.ZodOptional<zod.ZodString>;
494
+ dp: zod.ZodOptional<zod.ZodString>;
495
+ dq: zod.ZodOptional<zod.ZodString>;
496
+ ext: zod.ZodOptional<zod.ZodBoolean>;
497
+ k: zod.ZodOptional<zod.ZodString>;
498
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
499
+ kid: zod.ZodOptional<zod.ZodString>;
500
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
501
+ d: zod.ZodOptional<zod.ZodString>;
502
+ r: zod.ZodOptional<zod.ZodString>;
503
+ t: zod.ZodOptional<zod.ZodString>;
504
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
505
+ d: zod.ZodOptional<zod.ZodString>;
506
+ r: zod.ZodOptional<zod.ZodString>;
507
+ t: zod.ZodOptional<zod.ZodString>;
508
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
509
+ d: zod.ZodOptional<zod.ZodString>;
510
+ r: zod.ZodOptional<zod.ZodString>;
511
+ t: zod.ZodOptional<zod.ZodString>;
512
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
513
+ p: zod.ZodOptional<zod.ZodString>;
514
+ q: zod.ZodOptional<zod.ZodString>;
515
+ qi: zod.ZodOptional<zod.ZodString>;
516
+ use: zod.ZodOptional<zod.ZodString>;
517
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
518
+ x5t: zod.ZodOptional<zod.ZodString>;
519
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
520
+ x5u: zod.ZodOptional<zod.ZodString>;
521
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
522
+ kty: zod.ZodString;
523
+ crv: zod.ZodOptional<zod.ZodString>;
524
+ x: zod.ZodOptional<zod.ZodString>;
525
+ y: zod.ZodOptional<zod.ZodString>;
526
+ e: zod.ZodOptional<zod.ZodString>;
527
+ n: zod.ZodOptional<zod.ZodString>;
528
+ alg: zod.ZodOptional<zod.ZodString>;
529
+ d: zod.ZodOptional<zod.ZodString>;
530
+ dp: zod.ZodOptional<zod.ZodString>;
531
+ dq: zod.ZodOptional<zod.ZodString>;
532
+ ext: zod.ZodOptional<zod.ZodBoolean>;
533
+ k: zod.ZodOptional<zod.ZodString>;
534
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
535
+ kid: zod.ZodOptional<zod.ZodString>;
536
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
537
+ d: zod.ZodOptional<zod.ZodString>;
538
+ r: zod.ZodOptional<zod.ZodString>;
539
+ t: zod.ZodOptional<zod.ZodString>;
540
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
541
+ d: zod.ZodOptional<zod.ZodString>;
542
+ r: zod.ZodOptional<zod.ZodString>;
543
+ t: zod.ZodOptional<zod.ZodString>;
544
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
545
+ d: zod.ZodOptional<zod.ZodString>;
546
+ r: zod.ZodOptional<zod.ZodString>;
547
+ t: zod.ZodOptional<zod.ZodString>;
548
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
549
+ p: zod.ZodOptional<zod.ZodString>;
550
+ q: zod.ZodOptional<zod.ZodString>;
551
+ qi: zod.ZodOptional<zod.ZodString>;
552
+ use: zod.ZodOptional<zod.ZodString>;
553
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
554
+ x5t: zod.ZodOptional<zod.ZodString>;
555
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
556
+ x5u: zod.ZodOptional<zod.ZodString>;
557
+ }, zod.ZodTypeAny, "passthrough">>>;
558
+ jkt: zod.ZodOptional<zod.ZodString>;
559
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
560
+ jwk: zod.ZodOptional<zod.ZodObject<{
561
+ kty: zod.ZodString;
562
+ crv: zod.ZodOptional<zod.ZodString>;
563
+ x: zod.ZodOptional<zod.ZodString>;
564
+ y: zod.ZodOptional<zod.ZodString>;
565
+ e: zod.ZodOptional<zod.ZodString>;
566
+ n: zod.ZodOptional<zod.ZodString>;
567
+ alg: zod.ZodOptional<zod.ZodString>;
568
+ d: zod.ZodOptional<zod.ZodString>;
569
+ dp: zod.ZodOptional<zod.ZodString>;
570
+ dq: zod.ZodOptional<zod.ZodString>;
571
+ ext: zod.ZodOptional<zod.ZodBoolean>;
572
+ k: zod.ZodOptional<zod.ZodString>;
573
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
574
+ kid: zod.ZodOptional<zod.ZodString>;
575
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
576
+ d: zod.ZodOptional<zod.ZodString>;
577
+ r: zod.ZodOptional<zod.ZodString>;
578
+ t: zod.ZodOptional<zod.ZodString>;
579
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
580
+ d: zod.ZodOptional<zod.ZodString>;
581
+ r: zod.ZodOptional<zod.ZodString>;
582
+ t: zod.ZodOptional<zod.ZodString>;
583
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
584
+ d: zod.ZodOptional<zod.ZodString>;
585
+ r: zod.ZodOptional<zod.ZodString>;
586
+ t: zod.ZodOptional<zod.ZodString>;
587
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
588
+ p: zod.ZodOptional<zod.ZodString>;
589
+ q: zod.ZodOptional<zod.ZodString>;
590
+ qi: zod.ZodOptional<zod.ZodString>;
591
+ use: zod.ZodOptional<zod.ZodString>;
592
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
593
+ x5t: zod.ZodOptional<zod.ZodString>;
594
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
595
+ x5u: zod.ZodOptional<zod.ZodString>;
596
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
597
+ kty: zod.ZodString;
598
+ crv: zod.ZodOptional<zod.ZodString>;
599
+ x: zod.ZodOptional<zod.ZodString>;
600
+ y: zod.ZodOptional<zod.ZodString>;
601
+ e: zod.ZodOptional<zod.ZodString>;
602
+ n: zod.ZodOptional<zod.ZodString>;
603
+ alg: zod.ZodOptional<zod.ZodString>;
604
+ d: zod.ZodOptional<zod.ZodString>;
605
+ dp: zod.ZodOptional<zod.ZodString>;
606
+ dq: zod.ZodOptional<zod.ZodString>;
607
+ ext: zod.ZodOptional<zod.ZodBoolean>;
608
+ k: zod.ZodOptional<zod.ZodString>;
609
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
610
+ kid: zod.ZodOptional<zod.ZodString>;
611
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
612
+ d: zod.ZodOptional<zod.ZodString>;
613
+ r: zod.ZodOptional<zod.ZodString>;
614
+ t: zod.ZodOptional<zod.ZodString>;
615
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
616
+ d: zod.ZodOptional<zod.ZodString>;
617
+ r: zod.ZodOptional<zod.ZodString>;
618
+ t: zod.ZodOptional<zod.ZodString>;
619
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
620
+ d: zod.ZodOptional<zod.ZodString>;
621
+ r: zod.ZodOptional<zod.ZodString>;
622
+ t: zod.ZodOptional<zod.ZodString>;
623
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
624
+ p: zod.ZodOptional<zod.ZodString>;
625
+ q: zod.ZodOptional<zod.ZodString>;
626
+ qi: zod.ZodOptional<zod.ZodString>;
627
+ use: zod.ZodOptional<zod.ZodString>;
628
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
629
+ x5t: zod.ZodOptional<zod.ZodString>;
630
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
631
+ x5u: zod.ZodOptional<zod.ZodString>;
632
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
633
+ kty: zod.ZodString;
634
+ crv: zod.ZodOptional<zod.ZodString>;
635
+ x: zod.ZodOptional<zod.ZodString>;
636
+ y: zod.ZodOptional<zod.ZodString>;
637
+ e: zod.ZodOptional<zod.ZodString>;
638
+ n: zod.ZodOptional<zod.ZodString>;
639
+ alg: zod.ZodOptional<zod.ZodString>;
640
+ d: zod.ZodOptional<zod.ZodString>;
641
+ dp: zod.ZodOptional<zod.ZodString>;
642
+ dq: zod.ZodOptional<zod.ZodString>;
643
+ ext: zod.ZodOptional<zod.ZodBoolean>;
644
+ k: zod.ZodOptional<zod.ZodString>;
645
+ key_ops: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
646
+ kid: zod.ZodOptional<zod.ZodString>;
647
+ oth: zod.ZodOptional<zod.ZodArray<zod.ZodObject<{
648
+ d: zod.ZodOptional<zod.ZodString>;
649
+ r: zod.ZodOptional<zod.ZodString>;
650
+ t: zod.ZodOptional<zod.ZodString>;
651
+ }, "passthrough", zod.ZodTypeAny, zod.objectOutputType<{
652
+ d: zod.ZodOptional<zod.ZodString>;
653
+ r: zod.ZodOptional<zod.ZodString>;
654
+ t: zod.ZodOptional<zod.ZodString>;
655
+ }, zod.ZodTypeAny, "passthrough">, zod.objectInputType<{
656
+ d: zod.ZodOptional<zod.ZodString>;
657
+ r: zod.ZodOptional<zod.ZodString>;
658
+ t: zod.ZodOptional<zod.ZodString>;
659
+ }, zod.ZodTypeAny, "passthrough">>, "many">>;
660
+ p: zod.ZodOptional<zod.ZodString>;
661
+ q: zod.ZodOptional<zod.ZodString>;
662
+ qi: zod.ZodOptional<zod.ZodString>;
663
+ use: zod.ZodOptional<zod.ZodString>;
664
+ x5c: zod.ZodOptional<zod.ZodArray<zod.ZodString, "many">>;
665
+ x5t: zod.ZodOptional<zod.ZodString>;
666
+ "x5t#S256": zod.ZodOptional<zod.ZodString>;
667
+ x5u: zod.ZodOptional<zod.ZodString>;
668
+ }, zod.ZodTypeAny, "passthrough">>>;
669
+ jkt: zod.ZodOptional<zod.ZodString>;
670
+ }, zod.ZodTypeAny, "passthrough">>>;
671
+ status: zod.ZodOptional<zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
672
+ trust_chain: zod.ZodOptional<zod.ZodArray<zod.ZodString, "atleastone">>;
673
+ }, zod.ZodTypeAny, "passthrough">;
674
+ signer: _openid4vc_oauth2.JwtSignerWithJwk;
675
+ }>;
676
+ interface CreateClientAttestationPopJwtOptions {
677
+ /**
678
+ * The audience authorization server identifier
679
+ */
680
+ authorizationServer: string;
681
+ /**
682
+ * Callback used for dpop
683
+ * generateRandom is mandatory if jti is not provided
684
+ */
685
+ callbacks: Partial<Pick<CallbackContext, "generateRandom">> & Pick<CallbackContext, "signJwt">;
686
+ /**
687
+ * The client attestation to create the Pop for
688
+ */
689
+ clientAttestation: string;
690
+ /**
691
+ * Expiration time of the JWT. If not provided 1 minute will be added to the `issuedAt`
692
+ */
693
+ expiresAt?: Date;
694
+ /**
695
+ * Creation time of the JWT. If not provided the current date will be used
696
+ */
697
+ issuedAt?: Date;
698
+ /**
699
+ * Optional jti to set in the payload. If not provided a random one will be generated
158
700
  */
159
701
  jti?: string;
160
702
  /**
161
- * Code verifier to use for pkce. If not provided a value will generated when pkce is supported
703
+ * The signer of jwt. Only jwk signer allowed.
704
+ *
705
+ * If not provided, the signer will be derived based on the
706
+ * `cnf.jwk` and `alg` in the client attestation.
162
707
  */
163
- pkceCodeVerifier?: string;
708
+ signer?: JwtSignerJwk;
709
+ }
710
+ declare function createClientAttestationPopJwt(options: CreateClientAttestationPopJwtOptions): Promise<string>;
711
+
712
+ /**
713
+ * HTTP Content-Type constants for OAuth2 requests
714
+ */
715
+ declare const CONTENT_TYPES: {
716
+ readonly FORM_URLENCODED: "application/x-www-form-urlencoded";
717
+ readonly JSON: "application/json";
718
+ };
719
+ /**
720
+ * HTTP Header constants
721
+ */
722
+ declare const HEADERS: {
723
+ readonly AUTHORIZATION: "Authorization";
724
+ readonly CONTENT_TYPE: "Content-Type";
725
+ readonly OAUTH_CLIENT_ATTESTATION: "OAuth-Client-Attestation";
726
+ readonly OAUTH_CLIENT_ATTESTATION_POP: "OAuth-Client-Attestation-PoP";
727
+ };
728
+
729
+ /**
730
+ * Generic error thrown on OAuth2 operations
731
+ */
732
+ declare class Oauth2Error extends Error {
733
+ readonly statusCode?: number | undefined;
734
+ constructor(message: string, statusCode?: number | undefined);
735
+ }
736
+ /**
737
+ * Custom error thrown when pushed authorization request operations fail
738
+ */
739
+ declare class PushedAuthorizationRequestError extends Oauth2Error {
740
+ readonly statusCode?: number | undefined;
741
+ constructor(message: string, statusCode?: number | undefined);
742
+ }
743
+ /**
744
+ * Error thrown in case {@link createTokenDPoP} is called without neither a custom jti
745
+ * nor a generateRandom callback or when the signJwt callback throws
746
+ */
747
+ declare class CreateTokenDPoPError extends Oauth2Error {
748
+ constructor(message: string);
749
+ }
750
+
751
+ declare enum PkceCodeChallengeMethod {
752
+ Plain = "plain",
753
+ S256 = "S256"
754
+ }
755
+ interface CreatePkceOptions {
164
756
  /**
165
- * DPoP options
757
+ * Also allows string values so it can be directly passed from the
758
+ * 'code_challenge_methods_supported' metadata parameter
166
759
  */
167
- dpop: RequestDpopOptions;
760
+ allowedCodeChallengeMethods?: (PkceCodeChallengeMethod | string)[];
761
+ callbacks: Pick<CallbackContext, "generateRandom" | "hash">;
762
+ /**
763
+ * Code verifier to use. If not provided a value will be generated.
764
+ */
765
+ codeVerifier?: string;
168
766
  }
169
- declare function createPushedAuthorizationRequest(options: CreatePushedAuthorizationRequestOptions): Promise<PushedAuthorizationRequestSigned>;
767
+ interface CreatePkceReturn {
768
+ codeChallenge: string;
769
+ codeChallengeMethod: PkceCodeChallengeMethod;
770
+ codeVerifier: string;
771
+ }
772
+ declare function createPkce(options: CreatePkceOptions): Promise<CreatePkceReturn>;
773
+ interface VerifyPkceOptions {
774
+ callbacks: Pick<CallbackContext, "hash">;
775
+ codeChallenge: string;
776
+ codeChallengeMethod: PkceCodeChallengeMethod;
777
+ /**
778
+ * secure random code verifier
779
+ */
780
+ codeVerifier: string;
781
+ }
782
+ declare function verifyPkce(options: VerifyPkceOptions): Promise<void>;
783
+
784
+ /**
785
+ * Options for Token Request DPoP generation
786
+ */
787
+ interface CreateTokenDPoPOptions {
788
+ /**
789
+ * Object containing callbacks for DPoP generation and signature
790
+ */
791
+ callbacks: Partial<Pick<CallbackContext, "generateRandom">> & Pick<CallbackContext, "signJwt">;
792
+ /**
793
+ * Customizable headers for DPoP signing.
794
+ * As per technical specifications, the key typ will be set to 'dpop+jwt',
795
+ * overriding any custom value passed. In case the alg and jwk properties
796
+ * will not be set, the responsibility of doing so is left to the signJwt
797
+ * callback, which may as well override such keys if passed
798
+ */
799
+ header: {
800
+ alg: string;
801
+ } & Record<string, unknown>;
802
+ /**
803
+ * Customizable payload for DPoP signing.
804
+ * Any field might be overridden by the signJwt callback
805
+ */
806
+ payload: {
807
+ htm: HttpMethod;
808
+ htu: string;
809
+ jti?: string;
810
+ } & Record<string, unknown>;
811
+ /**
812
+ * Jwt Signer corresponding to the DPoP's Crypto Context
813
+ */
814
+ signer: JwtSigner;
815
+ }
816
+ /**
817
+ * Creates a signed Token DPoP with the given cryptographic material and data.
818
+ * @param options {@link CreateTokenDPoPOptions}
819
+ * @returns A Promise that resolves with an object containing the signed DPoP JWT and
820
+ * its corresponding public JWK
821
+ * @throws {@link CreateTokenDPoPError} in case neither a default jti nor a generateRandom
822
+ * callback have been provided or the signJwt callback throws
823
+ */
824
+ declare function createTokenDPoP(options: CreateTokenDPoPOptions): Promise<{
825
+ jwt: string;
826
+ signerJwk: _openid4vc_oauth2.Jwk;
827
+ }>;
170
828
 
171
- export { type AuthorizationRequest, type CreatePkceOptions, type CreatePkceReturn, type CreatePushedAuthorizationRequestOptions, PkceCodeChallengeMethod, type PushedAuthorizationRequestSigned, type PushedAuthorizationResponse, type VerifyPkceOptions, createPkce, createPushedAuthorizationRequest, verifyPkce, zAuthorizationRequest, zPushedAuthorizationRequestSigned, zPushedAuthorizationResponse };
829
+ export { type AuthorizationRequest, CONTENT_TYPES, type CreateClientAttestationPopJwtOptions, type CreatePkceOptions, type CreatePkceReturn, type CreatePushedAuthorizationRequestOptions, CreateTokenDPoPError, type CreateTokenDPoPOptions, HEADERS, Oauth2Error, PkceCodeChallengeMethod, PushedAuthorizationRequestError, type PushedAuthorizationRequestSigned, type PushedAuthorizationResponse, type VerifiedClientAttestationPopJwt, type VerifyClientAttestationPopJwtOptions, type VerifyPkceOptions, createClientAttestationPopJwt, createPkce, createPushedAuthorizationRequest, createTokenDPoP, fetchPushedAuthorizationResponse, type fetchPushedAuthorizationResponseOptions, verifyClientAttestationPopJwt, verifyPkce, zAuthorizationRequest, zPushedAuthorizationRequestSigned, zPushedAuthorizationResponse };