@sphereon/did-auth-siop-adapter 0.14.1-next.10

package/lib/DidJwtAdapter.ts

@@ -0,0 +1,67 @@
+import {
+  AuthorizationRequestPayload,
+  IDTokenPayload,
+  JwtHeader,
+  JwtIssuerWithContext,
+  JwtPayload,
+  RequestObjectPayload,
+} from '@sphereon/did-auth-siop'
+import { JwtVerifier } from '@sphereon/did-auth-siop/dist/types/JwtVerifier'
+import { Resolvable } from 'did-resolver'
+
+import { getAudience, getSubDidFromPayload, signIDTokenPayload, signRequestObjectPayload, validateLinkedDomainWithDid, verifyDidJWT } from './did'
+import { CheckLinkedDomain, ExternalSignature, ExternalVerification, InternalSignature, InternalVerification, SuppliedSignature } from './types'
+
+export const verfiyDidJwtAdapter = async (
+  jwtVerifier: JwtVerifier,
+  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },
+  options: {
+    verification: InternalVerification | ExternalVerification
+    resolver: Resolvable
+  },
+): Promise<boolean> => {
+  if (jwtVerifier.method === 'did') {
+    const audience = options?.verification?.resolveOpts?.jwtVerifyOpts?.audience ?? getAudience(jwt.raw)
+
+    await verifyDidJWT(jwt.raw, options.resolver, { ...options.verification?.resolveOpts?.jwtVerifyOpts, audience })
+
+    if (jwtVerifier.type === 'request-object' && (jwt.payload as JwtPayload & { client_id?: string }).client_id?.startsWith('did:')) {
+      const authorizationRequestPayload = jwt.payload as AuthorizationRequestPayload
+      if (options.verification?.checkLinkedDomain && options.verification.checkLinkedDomain != CheckLinkedDomain.NEVER) {
+        await validateLinkedDomainWithDid(authorizationRequestPayload.client_id, options.verification)
+      } else if (!options.verification?.checkLinkedDomain && options.verification.wellknownDIDVerifyCallback) {
+        await validateLinkedDomainWithDid(authorizationRequestPayload.client_id, options.verification)
+      }
+    }
+
+    if (jwtVerifier.type === 'id-token') {
+      const issuerDid = getSubDidFromPayload(jwt.payload)
+      if (options.verification?.checkLinkedDomain && options.verification.checkLinkedDomain != CheckLinkedDomain.NEVER) {
+        await validateLinkedDomainWithDid(issuerDid, options.verification)
+      } else if (!options.verification?.checkLinkedDomain && options.verification.wellknownDIDVerifyCallback) {
+        await validateLinkedDomainWithDid(issuerDid, options.verification)
+      }
+    }
+
+    return true
+  }
+
+  throw new Error('Invalid use of the did-auth-siop create jwt adapter')
+}
+
+export const createDidJwtAdapter = async (
+  signature: InternalSignature | ExternalSignature | SuppliedSignature,
+  jwtIssuer: JwtIssuerWithContext,
+  jwt: { header: JwtHeader; payload: JwtPayload },
+): Promise<string> => {
+  if (jwtIssuer.method === 'did') {
+    const issuer = jwtIssuer.didUrl.split('#')[0]
+    jwt.payload.issuer = issuer
+    if (jwtIssuer.type === 'request-object') {
+      return await signRequestObjectPayload(jwt.payload as RequestObjectPayload, signature)
+    } else if (jwtIssuer.type === 'id-token') {
+      return await signIDTokenPayload(jwt.payload as IDTokenPayload, signature)
+    }
+  }
+  throw new Error('Invalid use of the did-auth-siop create jwt adapter')
+}

package/lib/did/DIDResolution.ts

@@ -0,0 +1,117 @@
+import { SubjectIdentifierType, SubjectSyntaxTypesSupportedValues } from '@sphereon/did-auth-siop'
+import { getUniResolver, UniResolver } from '@sphereon/did-uni-client'
+import { DIDResolutionOptions, DIDResolutionResult, ParsedDID, Resolvable, Resolver } from 'did-resolver'
+
+import { DIDDocument, ResolveOpts } from '../types'
+
+import { getMethodFromDid, toSIOPRegistrationDidMethod } from './index'
+
+export function getResolver(opts: ResolveOpts): Resolvable {
+  if (opts && typeof opts.resolver === 'object') {
+    return opts.resolver
+  }
+  if (!opts || !opts.subjectSyntaxTypesSupported) {
+    if (opts?.noUniversalResolverFallback) {
+      throw Error(`No subject syntax types nor did methods configured for DID resolution, but fallback to universal resolver has been disabled`)
+    }
+    console.log(
+      `Falling back to universal resolver as no resolve opts have been provided, or no subject syntax types supported are provided. It is wise to fix this`,
+    )
+    return new UniResolver()
+  }
+
+  const uniResolvers: {
+    [p: string]: (did: string, _parsed: ParsedDID, _didResolver: Resolver, _options: DIDResolutionOptions) => Promise<DIDResolutionResult>
+  }[] = []
+  if (opts.subjectSyntaxTypesSupported.indexOf(SubjectIdentifierType.DID) === -1) {
+    const specificDidMethods = opts.subjectSyntaxTypesSupported.filter((sst) => sst.includes('did:'))
+    if (!specificDidMethods.length) {
+      throw new Error('No did method found.')
+    }
+    for (const didMethod of specificDidMethods) {
+      const uniResolver = getUniResolver(getMethodFromDid(didMethod), { resolveUrl: opts.resolveUrl })
+      uniResolvers.push(uniResolver)
+    }
+    return new Resolver(...uniResolvers)
+  } else {
+    if (opts?.noUniversalResolverFallback) {
+      throw Error(`No subject syntax types nor did methods configured for DID resolution, but fallback to universal resolver has been disabled`)
+    }
+    console.log(
+      `Falling back to universal resolver as no resolve opts have been provided, or no subject syntax types supported are provided. It is wise to fix this`,
+    )
+    return new UniResolver()
+  }
+}
+
+/**
+ * This method returns a resolver object in OP/RP
+ * If the user of this library, configures OP/RP to have a customResolver, we will use that
+ * If the user of this library configures OP/RP to use a custom resolver for any specific did method, we will use that
+ * and in the end for the rest of the did methods, configured either with calling `addDidMethod` upon building OP/RP
+ * (without any resolver configuration) or declaring in the subject_syntax_types_supported of the registration object
+ * we will use universal resolver from Sphereon's DID Universal Resolver library
+ * @param customResolver
+ * @param subjectSyntaxTypesSupported
+ * @param resolverMap
+ */
+export function getResolverUnion(
+  customResolver: Resolvable,
+  subjectSyntaxTypesSupported: string[] | string,
+  resolverMap: Map<string, Resolvable>,
+): Resolvable {
+  if (customResolver) {
+    return customResolver
+  }
+  const fallbackResolver: Resolvable = customResolver ? customResolver : new UniResolver()
+  const uniResolvers: {
+    [p: string]: (did: string, _parsed: ParsedDID, _didResolver: Resolver, _options: DIDResolutionOptions) => Promise<DIDResolutionResult>
+  }[] = []
+  const subjectTypes: string[] = []
+  if (subjectSyntaxTypesSupported) {
+    typeof subjectSyntaxTypesSupported === 'string'
+      ? subjectTypes.push(subjectSyntaxTypesSupported)
+      : subjectTypes.push(...subjectSyntaxTypesSupported)
+  }
+  if (subjectTypes.indexOf(SubjectSyntaxTypesSupportedValues.DID.valueOf()) !== -1) {
+    return customResolver ? customResolver : new UniResolver()
+  }
+  const specificDidMethods = subjectTypes.filter((sst) => !!sst && sst.startsWith('did:'))
+  specificDidMethods.forEach((dm) => {
+    let methodResolver
+    if (!resolverMap.has(dm) || resolverMap.get(dm) === null) {
+      methodResolver = getUniResolver(getMethodFromDid(dm))
+    } else {
+      methodResolver = resolverMap.get(dm)
+    }
+    uniResolvers.push(methodResolver)
+  })
+  return subjectTypes.indexOf(SubjectSyntaxTypesSupportedValues.DID.valueOf()) !== -1
+    ? new Resolver(...{ fallbackResolver, ...uniResolvers })
+    : new Resolver(...uniResolvers)
+}
+
+export function mergeAllDidMethods(subjectSyntaxTypesSupported: string | string[], resolvers: Map<string, Resolvable>): string[] {
+  if (!Array.isArray(subjectSyntaxTypesSupported)) {
+    subjectSyntaxTypesSupported = [subjectSyntaxTypesSupported]
+  }
+  const unionSubjectSyntaxTypes = new Set()
+  subjectSyntaxTypesSupported.forEach((sst) => unionSubjectSyntaxTypes.add(sst))
+  resolvers.forEach((_, didMethod) => unionSubjectSyntaxTypes.add(toSIOPRegistrationDidMethod(didMethod)))
+  return Array.from(unionSubjectSyntaxTypes) as string[]
+}
+
+export async function resolveDidDocument(did: string, opts?: ResolveOpts): Promise<DIDDocument> {
+  // todo: The accept is only there because did:key used by Veramo requires it. According to the spec it is optional. It should not hurt, but let's test
+  const result = await getResolver({ ...opts }).resolve(did, { accept: 'application/did+ld+json' })
+  if (result?.didResolutionMetadata?.error) {
+    throw Error(result.didResolutionMetadata.error)
+  }
+  // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+  // @ts-ignore
+  if (!result.didDocument && result.id) {
+    // todo: This looks like a bug. It seems that sometimes we get back a DID document directly instead of a did resolution results
+    return result as unknown as DIDDocument
+  }
+  return result.didDocument
+}

package/lib/did/DidJWT.ts

@@ -0,0 +1,273 @@
+import { post } from '@sphereon/did-auth-siop'
+import {
+  DEFAULT_EXPIRATION_TIME,
+  IDTokenPayload,
+  RequestObjectPayload,
+  ResponseIss,
+  SignatureResponse,
+  SigningAlgo,
+  SIOPErrors,
+  SIOPResonse,
+  VerifiedJWT,
+} from '@sphereon/did-auth-siop'
+import {
+  createJWT,
+  decodeJWT,
+  EdDSASigner,
+  ES256KSigner,
+  ES256Signer,
+  hexToBytes,
+  JWTHeader,
+  JWTOptions,
+  JWTPayload,
+  JWTVerifyOptions,
+  Signer,
+  verifyJWT,
+} from 'did-jwt'
+import { Resolvable } from 'did-resolver'
+
+import { isExternalSignature, isInternalSignature, isSuppliedSignature } from '../helpers'
+import { ExternalSignature, InternalSignature, SuppliedSignature } from '../types'
+
+/**
+ *  Verifies given JWT. If the JWT is valid, the promise returns an object including the JWT, the payload of the JWT,
+ *  and the did doc of the issuer of the JWT.
+ *
+ *  @example
+ *  verifyDidJWT('did:key:example', resolver, {audience: '5A8bRWU3F7j3REx3vkJ...', callbackUrl: 'https://...'}).then(obj => {
+ *      const did = obj.did                 // DIDres of signer
+ *      const payload = obj.payload
+ *      const doc = obj.doc                 // DIDres Document of signer
+ *      const JWT = obj.JWT                 // JWT
+ *      const signerKeyId = obj.signerKeyId // ID of key in DIDres document that signed JWT
+ *      ...
+ *  })
+ *
+ *  @param    {String}            jwt                   a JSON Web Token to verify
+ *  @param    {Resolvable}        resolver
+ *  @param    {JWTVerifyOptions}  [options]             Options
+ *  @param    {String}            options.audience      DID of the recipient of the JWT
+ *  @param    {String}            options.callbackUrl   callback url in JWT
+ *  @return   {Promise<Object, Error>}                  a promise which resolves with a response object or rejects with an error
+ */
+export async function verifyDidJWT(jwt: string, resolver: Resolvable, options: JWTVerifyOptions): Promise<VerifiedJWT> {
+  return verifyJWT(jwt, { ...options, resolver })
+}
+
+/**
+ *  Creates a signed JWT given an address which becomes the issuer, a signer function, and a payload for which the withSignature is over.
+ *
+ *  @example
+ *  const signer = ES256KSigner(process.env.PRIVATE_KEY)
+ *  createJWT({address: '5A8bRWU3F7j3REx3vkJ...', signer}, {key1: 'value', key2: ..., ... }).then(JWT => {
+ *      ...
+ *  })
+ *
+ *  @param    {Object}            payload               payload object
+ *  @param    {Object}            [options]             an unsigned credential object
+ *  @param    {String}            options.issuer        The DID of the issuer (signer) of JWT
+ *  @param    {Signer}            options.signer        a `Signer` function, Please see `ES256KSigner` or `EdDSASigner`
+ *  @param    {boolean}           options.canonicalize  optional flag to canonicalize header and payload before signing
+ *  @param    {Object}            header                optional object to specify or customize the JWT header
+ *  @return   {Promise<Object, Error>}                  a promise which resolves with a signed JSON Web Token or rejects with an error
+ */
+export async function createDidJWT(
+  payload: Partial<JWTPayload>,
+  { issuer, signer, expiresIn, canonicalize }: JWTOptions,
+  header: Partial<JWTHeader>,
+): Promise<string> {
+  return createJWT(payload, { issuer, signer, expiresIn, canonicalize }, header)
+}
+
+export async function signIDTokenPayload(payload: IDTokenPayload, signature: InternalSignature | ExternalSignature | SuppliedSignature) {
+  if (isInternalSignature(signature)) {
+    return signDidJwtInternal(payload, payload.issuer, signature.hexPrivateKey, signature.alg, signature.kid, signature.customJwtSigner)
+  } else if (isExternalSignature(signature)) {
+    return signDidJwtExternal(payload, signature.signatureUri, signature.authZToken, signature.alg, signature.kid)
+  } else if (isSuppliedSignature(signature)) {
+    return signDidJwtSupplied(payload, payload.issuer, signature.signature, signature.alg, signature.kid)
+  } else {
+    throw new Error(
+      'Signature parameters should be internal signature with hexPrivateKey, did, and an optional kid, or external signature parameters with signatureUri, did, and optionals parameters authZToken, hexPublicKey, and kid',
+    )
+  }
+}
+
+export async function signRequestObjectPayload(payload: RequestObjectPayload, signature: InternalSignature | ExternalSignature | SuppliedSignature) {
+  let issuer = payload.iss
+  if (!issuer) {
+    issuer = signature.did
+  }
+  if (!issuer) {
+    throw Error('No issuer supplied to sign the JWT')
+  }
+  if (!payload.iss) {
+    payload.iss = issuer
+  }
+  if (!payload.sub) {
+    payload.sub = signature.did
+  }
+  if (isInternalSignature(signature)) {
+    return signDidJwtInternal(payload, issuer, signature.hexPrivateKey, signature.alg, signature.kid, signature.customJwtSigner)
+  } else if (isExternalSignature(signature)) {
+    return signDidJwtExternal(payload, signature.signatureUri, signature.authZToken, signature.alg, signature.kid)
+  } else if (isSuppliedSignature(signature)) {
+    return signDidJwtSupplied(payload, issuer, signature.signature, signature.alg, signature.kid)
+  } else {
+    throw new Error(
+      'Signature parameters should be internal signature with hexPrivateKey, did, and an optional kid, or external signature parameters with signatureUri, did, and optionals parameters authZToken, hexPublicKey, and kid',
+    )
+  }
+}
+
+export async function signDidJwtInternal(
+  payload: IDTokenPayload | RequestObjectPayload,
+  issuer: string,
+  hexPrivateKey: string,
+  alg: SigningAlgo,
+  kid: string,
+  customJwtSigner?: Signer,
+): Promise<string> {
+  const signer = determineSigner(alg, hexPrivateKey, customJwtSigner)
+  const header = {
+    alg,
+    kid,
+  }
+  const options = {
+    issuer,
+    signer,
+    expiresIn: DEFAULT_EXPIRATION_TIME,
+  }
+
+  return await createDidJWT({ ...payload }, options, header)
+}
+
+async function signDidJwtExternal(
+  payload: IDTokenPayload | RequestObjectPayload,
+  signatureUri: string,
+  authZToken: string,
+  alg: SigningAlgo,
+  kid?: string,
+): Promise<string> {
+  const body = {
+    issuer: payload.iss && payload.iss.includes('did:') ? payload.iss : payload.sub,
+    payload,
+    expiresIn: DEFAULT_EXPIRATION_TIME,
+    alg,
+    selfIssued: payload.iss.includes(ResponseIss.SELF_ISSUED_V2) ? payload.iss : undefined,
+    kid,
+  }
+
+  const response: SIOPResonse<SignatureResponse> = await post(signatureUri, JSON.stringify(body), { bearerToken: authZToken })
+  return response.successBody.jws
+}
+
+async function signDidJwtSupplied(
+  payload: IDTokenPayload | RequestObjectPayload,
+  issuer: string,
+  signer: Signer,
+  alg: SigningAlgo,
+  kid: string,
+): Promise<string> {
+  const header = {
+    alg,
+    kid,
+  }
+  const options = {
+    issuer,
+    signer,
+    expiresIn: DEFAULT_EXPIRATION_TIME,
+  }
+
+  return await createDidJWT({ ...payload }, options, header)
+}
+
+const determineSigner = (alg: SigningAlgo, hexPrivateKey?: string, customSigner?: Signer): Signer => {
+  if (customSigner) {
+    return customSigner
+  } else if (!hexPrivateKey) {
+    throw new Error('no private key provided')
+  }
+  const privateKey = hexToBytes(hexPrivateKey.replace('0x', ''))
+  switch (alg) {
+    case SigningAlgo.EDDSA:
+      return EdDSASigner(privateKey)
+    case SigningAlgo.ES256:
+      return ES256Signer(privateKey)
+    case SigningAlgo.ES256K:
+      return ES256KSigner(privateKey)
+    case SigningAlgo.PS256:
+      throw Error('PS256 is not supported yet. Please provide a custom signer')
+    case SigningAlgo.RS256:
+      throw Error('RS256 is not supported yet. Please provide a custom signer')
+  }
+}
+
+export function getAudience(jwt: string) {
+  const { payload } = decodeJWT(jwt)
+  if (!payload) {
+    throw new Error(SIOPErrors.NO_AUDIENCE)
+  } else if (!payload.aud) {
+    return undefined
+  } else if (Array.isArray(payload.aud)) {
+    throw new Error(SIOPErrors.INVALID_AUDIENCE)
+  }
+
+  return payload.aud
+}
+
+//TODO To enable automatic registration, it cannot be a did, but HTTPS URL
+function assertIssSelfIssuedOrDid(payload: JWTPayload) {
+  if (!payload.sub || !payload.sub.startsWith('did:') || !payload.iss || !isIssSelfIssued(payload)) {
+    throw new Error('Token does not have a iss DID')
+  }
+}
+
+export function getSubDidFromPayload(payload: JWTPayload, header?: JWTHeader): string {
+  assertIssSelfIssuedOrDid(payload)
+
+  if (isIssSelfIssued(payload)) {
+    let did
+    if (payload.sub && payload.sub.startsWith('did:')) {
+      did = payload.sub
+    }
+    if (!did && header && header.kid && header.kid.startsWith('did:')) {
+      did = header.kid.split('#')[0]
+    }
+    if (did) {
+      return did
+    }
+  }
+  return payload.sub
+}
+
+export function isIssSelfIssued(payload: JWTPayload): boolean {
+  return payload.iss.includes(ResponseIss.SELF_ISSUED_V1) || payload.iss.includes(ResponseIss.SELF_ISSUED_V2) || payload.iss === payload.sub
+}
+
+export function getMethodFromDid(did: string): string {
+  if (!did) {
+    throw new Error(SIOPErrors.BAD_PARAMS)
+  }
+  const split = did.split(':')
+  if (split.length == 1 && did.length > 0) {
+    return did
+  } else if (!did.startsWith('did:') || split.length < 2) {
+    throw new Error(SIOPErrors.BAD_PARAMS)
+  }
+
+  return split[1]
+}
+
+/**
+ * Since the OIDC SIOP spec incorrectly uses 'did:<method>:' and calls that a method, we have to fix it
+ * @param didOrMethod
+ */
+export function toSIOPRegistrationDidMethod(didOrMethod: string) {
+  let prefix = didOrMethod
+  if (!didOrMethod.startsWith('did:')) {
+    prefix = 'did:' + didOrMethod
+  }
+  const split = prefix.split(':')
+  return `${split[0]}:${split[1]}`
+}

package/lib/did/LinkedDomainValidations.ts

@@ -0,0 +1,98 @@
+import { IDomainLinkageValidation, ValidationStatusEnum, VerifyCallback, WDCErrors, WellKnownDidVerifier } from '@sphereon/wellknown-dids-client'
+
+import { DIDDocument } from '../types/SSI.types'
+
+import { CheckLinkedDomain, ExternalVerification, InternalVerification } from './../types/'
+import { resolveDidDocument } from './DIDResolution'
+import { getMethodFromDid, toSIOPRegistrationDidMethod } from './DidJWT'
+
+function getValidationErrorMessages(validationResult: IDomainLinkageValidation): string[] {
+  const messages = []
+  if (validationResult.message) {
+    messages.push(validationResult.message)
+  }
+  if (validationResult?.endpointDescriptors.length) {
+    for (const endpointDescriptor of validationResult.endpointDescriptors) {
+      if (endpointDescriptor.message) {
+        messages.push(endpointDescriptor.message)
+      }
+      if (endpointDescriptor.resources) {
+        for (const resource of endpointDescriptor.resources) {
+          if (resource.message) {
+            messages.push(resource.message)
+          }
+        }
+      }
+    }
+  }
+  return messages
+}
+
+/**
+ * @param validationErrorMessages
+ * @return returns false if the messages received from wellknown-dids-client makes this invalid for CheckLinkedDomain.IF_PRESENT plus the message itself
+ *                  and true for when we can move on
+ */
+function checkInvalidMessages(validationErrorMessages: string[]): { status: boolean; message?: string } {
+  if (!validationErrorMessages || !validationErrorMessages.length) {
+    return { status: false, message: 'linked domain is invalid.' }
+  }
+  const validMessages: string[] = [
+    WDCErrors.PROPERTY_LINKED_DIDS_DOES_NOT_CONTAIN_ANY_DOMAIN_LINK_CREDENTIALS.valueOf(),
+    WDCErrors.PROPERTY_LINKED_DIDS_NOT_PRESENT.valueOf(),
+    WDCErrors.PROPERTY_TYPE_NOT_CONTAIN_VALID_LINKED_DOMAIN.valueOf(),
+    WDCErrors.PROPERTY_SERVICE_NOT_PRESENT.valueOf(),
+  ]
+  for (const validationErrorMessage of validationErrorMessages) {
+    if (!validMessages.filter((vm) => validationErrorMessage.includes(vm)).pop()) {
+      return { status: false, message: validationErrorMessage }
+    }
+  }
+  return { status: true }
+}
+
+export async function validateLinkedDomainWithDid(did: string, verification: InternalVerification | ExternalVerification) {
+  const { checkLinkedDomain, resolveOpts, wellknownDIDVerifyCallback } = verification
+  if (checkLinkedDomain === CheckLinkedDomain.NEVER) {
+    return
+  }
+  const didDocument = await resolveDidDocument(did, {
+    ...resolveOpts,
+    subjectSyntaxTypesSupported: [toSIOPRegistrationDidMethod(getMethodFromDid(did))],
+  })
+  if (!didDocument) {
+    throw Error(`Could not resolve DID: ${did}`)
+  }
+  if ((!didDocument.service || !didDocument.service.find((s) => s.type === 'LinkedDomains')) && checkLinkedDomain === CheckLinkedDomain.IF_PRESENT) {
+    // No linked domains in DID document and it was optional. Let's cut it short here.
+    return
+  }
+  try {
+    const validationResult = await checkWellKnownDid({ didDocument, verifyCallback: wellknownDIDVerifyCallback })
+    if (validationResult.status === ValidationStatusEnum.INVALID) {
+      const validationErrorMessages = getValidationErrorMessages(validationResult)
+      const messageCondition: { status: boolean; message?: string } = checkInvalidMessages(validationErrorMessages)
+      if (checkLinkedDomain === CheckLinkedDomain.ALWAYS || (checkLinkedDomain === CheckLinkedDomain.IF_PRESENT && !messageCondition.status)) {
+        throw new Error(messageCondition.message ? messageCondition.message : validationErrorMessages[0])
+      }
+    }
+  } catch (err) {
+    const messageCondition: { status: boolean; message?: string } = checkInvalidMessages([err.message])
+    if (checkLinkedDomain === CheckLinkedDomain.ALWAYS || (checkLinkedDomain === CheckLinkedDomain.IF_PRESENT && !messageCondition.status)) {
+      throw new Error(err.message)
+    }
+  }
+}
+
+interface CheckWellKnownDidArgs {
+  didDocument: DIDDocument
+  verifyCallback: VerifyCallback
+}
+
+async function checkWellKnownDid(args: CheckWellKnownDidArgs): Promise<IDomainLinkageValidation> {
+  const verifier = new WellKnownDidVerifier({
+    verifySignatureCallback: args.verifyCallback,
+    onlyVerifyServiceDid: false,
+  })
+  return await verifier.verifyDomainLinkage({ didDocument: args.didDocument })
+}

package/lib/did/index.ts

@@ -0,0 +1,3 @@
+export * from './DidJWT'
+export * from './DIDResolution'
+export * from './LinkedDomainValidations'

package/lib/helpers.ts

@@ -0,0 +1,10 @@
+import { ExternalSignature, InternalSignature, NoSignature, SuppliedSignature } from './types/SIOP.types'
+
+export const isInternalSignature = (object: InternalSignature | ExternalSignature | SuppliedSignature | NoSignature): object is InternalSignature =>
+  'hexPrivateKey' in object && 'did' in object
+
+export const isExternalSignature = (object: InternalSignature | ExternalSignature | SuppliedSignature | NoSignature): object is ExternalSignature =>
+  'signatureUri' in object && 'did' in object
+
+export const isSuppliedSignature = (object: InternalSignature | ExternalSignature | SuppliedSignature | NoSignature): object is SuppliedSignature =>
+  'signature' in object

package/lib/index.ts

@@ -0,0 +1,5 @@
+export * from './did'
+
+export * from './types'
+export * from './DidJwtAdapter'
+export * from './helpers'

package/lib/types/SIOP.types.ts

@@ -0,0 +1,77 @@
+import { SigningAlgo } from '@sphereon/did-auth-siop'
+import { VerifyCallback as WellknownDIDVerifyCallback } from '@sphereon/wellknown-dids-client'
+import { JWTVerifyOptions } from 'did-jwt'
+import { Resolvable } from 'did-resolver'
+
+export enum CheckLinkedDomain {
+  NEVER = 'never', // We don't want to verify Linked domains
+  IF_PRESENT = 'if_present', // If present, did-auth-siop will check the linked domain, if exist and not valid, throws an exception
+  ALWAYS = 'always', // We'll always check the linked domains, if not exist or not valid, throws an exception
+}
+
+export interface InternalSignature {
+  hexPrivateKey: string // hex private key Only secp256k1 format
+  did: string
+
+  alg: SigningAlgo
+  kid?: string // Optional: key identifier
+
+  customJwtSigner?: Signer
+}
+
+export interface SuppliedSignature {
+  signature: (data: string | Uint8Array) => Promise<EcdsaSignature | string>
+
+  alg: SigningAlgo
+  did: string
+  kid: string
+}
+
+export interface NoSignature {
+  hexPublicKey: string // hex public key
+  did: string
+  kid?: string // Optional: key identifier
+}
+
+export interface ExternalSignature {
+  signatureUri: string // url to call to generate a withSignature
+  did: string
+  authZToken?: string // Optional: bearer token to use to the call
+  hexPublicKey?: string // Optional: hex encoded public key to compute JWK key, if not possible from DIDres Document
+
+  alg: SigningAlgo
+  kid?: string // Optional: key identifier. default did#keys-1
+}
+
+export enum VerificationMode {
+  INTERNAL,
+  EXTERNAL,
+}
+
+export interface EcdsaSignature {
+  r: string
+  s: string
+  recoveryParam?: number | null
+}
+export type Signer = (data: string | Uint8Array) => Promise<EcdsaSignature | string>
+
+export interface Verification {
+  checkLinkedDomain?: CheckLinkedDomain
+  wellknownDIDVerifyCallback?: WellknownDIDVerifyCallback
+  resolveOpts: ResolveOpts
+}
+
+export type InternalVerification = Verification
+
+export interface ExternalVerification extends Verification {
+  verifyUri: string // url to call to verify the id_token withSignature
+  authZToken?: string // Optional: bearer token to use to the call
+}
+
+export interface ResolveOpts {
+  jwtVerifyOpts?: JWTVerifyOptions
+  resolver?: Resolvable
+  resolveUrl?: string
+  noUniversalResolverFallback?: boolean
+  subjectSyntaxTypesSupported?: string[]
+}

package/lib/types/SSI.types.ts

@@ -0,0 +1,16 @@
+import { DIDDocument as DIFDIDDocument } from 'did-resolver'
+
+export interface LinkedDataProof {
+  type: string
+  created: string
+  creator: string
+  nonce: string
+  signatureValue: string
+}
+
+export interface DIDDocument extends DIFDIDDocument {
+  owner?: string
+  created?: string
+  updated?: string
+  proof?: LinkedDataProof
+}

package/lib/types/index.ts

@@ -0,0 +1,2 @@
+export * from './SIOP.types'
+export * from './SSI.types'