@sphereon/jarm 0.16.1-unstable.105

package/dist/jarm-auth-response/v-jarm-auth-response-params.js

@@ -0,0 +1,67 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateJarmAuthResponseParams = exports.vJarmAuthResponseParams = exports.vJarmAuthResponseErrorParams = void 0;
+const oid4vc_common_1 = require("@sphereon/oid4vc-common");
+const v = __importStar(require("valibot"));
+exports.vJarmAuthResponseErrorParams = v.looseObject({
+    error: v.string(),
+    state: v.optional(v.string()),
+    error_description: v.pipe(v.optional(v.string()), v.description('Text providing additional information, used to assist the client developer in understanding the error that occurred.')),
+    error_uri: v.pipe(v.optional(v.pipe(v.string(), v.url())), v.description('A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error')),
+});
+exports.vJarmAuthResponseParams = v.looseObject({
+    state: v.optional(v.string()),
+    /**
+     * The issuer URL of the authorization server that created the response
+     */
+    iss: v.string(),
+    /**
+     * The client_id of the client the response is intended for
+     */
+    exp: v.number(),
+    /**
+     * Expiration of the JWT
+     */
+    aud: v.string(),
+});
+const validateJarmAuthResponseParams = (input) => {
+    const { authRequestParams, authResponseParams } = input;
+    // 2. The client obtains the state parameter from the JWT and checks its binding to the user agent. If the check fails, the client MUST abort processing and refuse the response.
+    if (authRequestParams.state !== authResponseParams.state) {
+        throw new Error(`State missmatch in jarm-auth-response. Expected '${authRequestParams.state}' received '${authRequestParams.state}'.`);
+    }
+    // 4. The client obtains the aud element from the JWT and checks whether it matches the client id the client used to identify itself in the corresponding authorization request. If the check fails, the client MUST abort processing and refuse the response.
+    if (authRequestParams.client_id !== authResponseParams.client_id) {
+        throw new Error(`Invalid audience in jarm-auth-response. Expected '${authRequestParams.client_id}' received '${authResponseParams.aud}'.`);
+    }
+    // 5. The client checks the JWT's exp element to determine if the JWT is still valid. If the check fails, the client MUST abort processing and refuse the response.
+    // 120 seconds clock skew
+    if ((0, oid4vc_common_1.checkExp)({ exp: authResponseParams.exp })) {
+        throw new Error(`The '${authRequestParams.state}' and the jarm-auth-response.`);
+    }
+};
+exports.validateJarmAuthResponseParams = validateJarmAuthResponseParams;
+//# sourceMappingURL=v-jarm-auth-response-params.js.map

package/dist/jarm-auth-response/v-jarm-auth-response-params.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-jarm-auth-response-params.js","sourceRoot":"","sources":["../../lib/jarm-auth-response/v-jarm-auth-response-params.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2DAAmD;AACnD,2CAA6B;AAEhB,QAAA,4BAA4B,GAAG,CAAC,CAAC,WAAW,CAAC;IACxD,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAE7B,iBAAiB,EAAE,CAAC,CAAC,IAAI,CACvB,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EACtB,CAAC,CAAC,WAAW,CAAC,sHAAsH,CAAC,CACtI;IAED,SAAS,EAAE,CAAC,CAAC,IAAI,CACf,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,EACvC,CAAC,CAAC,WAAW,CACX,gKAAgK,CACjK,CACF;CACF,CAAC,CAAC;AAEU,QAAA,uBAAuB,GAAG,CAAC,CAAC,WAAW,CAAC;IACnD,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAE7B;;OAEG;IACH,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IAEf;;OAEG;IACH,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IAEf;;OAEG;IACH,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;CAChB,CAAC,CAAC;AAII,MAAM,8BAA8B,GAAG,CAAC,KAG9C,EAAE,EAAE;IACH,MAAM,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,GAAG,KAAK,CAAC;IACxD,iLAAiL;IACjL,IAAI,iBAAiB,CAAC,KAAK,KAAK,kBAAkB,CAAC,KAAK,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,oDAAoD,iBAAiB,CAAC,KAAK,eAAe,iBAAiB,CAAC,KAAK,IAAI,CAAC,CAAC;IACzI,CAAC;IAED,8PAA8P;IAC9P,IAAI,iBAAiB,CAAC,SAAS,KAAK,kBAAkB,CAAC,SAAS,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,qDAAqD,iBAAiB,CAAC,SAAS,eAAe,kBAAkB,CAAC,GAAG,IAAI,CAAC,CAAC;IAC7I,CAAC;IAED,mKAAmK;IACnK,yBAAyB;IACzB,IAAI,IAAA,wBAAQ,EAAC,EAAE,GAAG,EAAE,kBAAkB,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,QAAQ,iBAAiB,CAAC,KAAK,+BAA+B,CAAC,CAAC;IAClF,CAAC;AACH,CAAC,CAAC;AApBW,QAAA,8BAA8B,kCAoBzC"}

package/dist/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.d.ts

@@ -0,0 +1,18 @@
+import * as v from 'valibot';
+export declare const vJarmDirectPostJwtParams: v.LooseObjectSchema<{
+    readonly vp_token: v.StringSchema<undefined>;
+    readonly presentation_submission: v.UnknownSchema;
+    readonly nonce: v.OptionalSchema<v.StringSchema<undefined>, never>;
+    readonly iss: v.OptionalSchema<v.StringSchema<undefined>, never>;
+    readonly exp: v.OptionalSchema<v.NumberSchema<undefined>, never>;
+    readonly aud: v.OptionalSchema<v.StringSchema<undefined>, never>;
+    readonly state: v.OptionalSchema<v.StringSchema<undefined>, never>;
+}, undefined>;
+export type JarmDirectPostJwtResponseParams = v.InferInput<typeof vJarmDirectPostJwtParams>;
+export declare const jarmAuthResponseDirectPostValidateParams: (input: {
+    authRequestParams: {
+        state?: string;
+    };
+    authResponseParams: JarmDirectPostJwtResponseParams;
+}) => void;
+//# sourceMappingURL=v-jarm-direct-post-jwt-auth-response-params.d.ts.map

package/dist/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-jarm-direct-post-jwt-auth-response-params.d.ts","sourceRoot":"","sources":["../../lib/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,SAAS,CAAC;AAI7B,eAAO,MAAM,wBAAwB;;;;;;;;aAOnC,CAAC;AAEH,MAAM,MAAM,+BAA+B,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE5F,eAAO,MAAM,wCAAwC,UAAW;IAC9D,iBAAiB,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACtC,kBAAkB,EAAE,+BAA+B,CAAC;CACrD,SAOA,CAAC"}

package/dist/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.js

@@ -0,0 +1,38 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jarmAuthResponseDirectPostValidateParams = exports.vJarmDirectPostJwtParams = void 0;
+const v = __importStar(require("valibot"));
+const v_jarm_auth_response_params_js_1 = require("./v-jarm-auth-response-params.js");
+exports.vJarmDirectPostJwtParams = v.looseObject(Object.assign(Object.assign(Object.assign({}, v.omit(v_jarm_auth_response_params_js_1.vJarmAuthResponseParams, ['iss', 'aud', 'exp']).entries), v.partial(v.pick(v_jarm_auth_response_params_js_1.vJarmAuthResponseParams, ['iss', 'aud', 'exp'])).entries), { vp_token: v.string(), presentation_submission: v.unknown(), nonce: v.optional(v.string()) }));
+const jarmAuthResponseDirectPostValidateParams = (input) => {
+    const { authRequestParams, authResponseParams } = input;
+    // 2. The client obtains the state parameter from the JWT and checks its binding to the user agent. If the check fails, the client MUST abort processing and refuse the response.
+    if (authRequestParams.state !== authResponseParams.state) {
+        throw new Error(`State missmatch between auth request '${authRequestParams.state}' and the jarm-auth-response.`);
+    }
+};
+exports.jarmAuthResponseDirectPostValidateParams = jarmAuthResponseDirectPostValidateParams;
+//# sourceMappingURL=v-jarm-direct-post-jwt-auth-response-params.js.map

package/dist/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-jarm-direct-post-jwt-auth-response-params.js","sourceRoot":"","sources":["../../lib/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,qFAA2E;AAE9D,QAAA,wBAAwB,GAAG,CAAC,CAAC,WAAW,+CAChD,CAAC,CAAC,IAAI,CAAC,wDAAuB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,GAC9D,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,wDAAuB,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,KAE5E,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,EACpB,uBAAuB,EAAE,CAAC,CAAC,OAAO,EAAE,EACpC,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,IAC7B,CAAC;AAII,MAAM,wCAAwC,GAAG,CAAC,KAGxD,EAAE,EAAE;IACH,MAAM,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,GAAG,KAAK,CAAC;IAExD,iLAAiL;IACjL,IAAI,iBAAiB,CAAC,KAAK,KAAK,kBAAkB,CAAC,KAAK,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,yCAAyC,iBAAiB,CAAC,KAAK,+BAA+B,CAAC,CAAC;IACnH,CAAC;AACH,CAAC,CAAC;AAVW,QAAA,wCAAwC,4CAUnD"}

package/dist/jarm-auth-response-send/index.d.ts

@@ -0,0 +1,2 @@
+export * from './jarm-auth-response-send.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/jarm-auth-response-send/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/jarm-auth-response-send/index.ts"],"names":[],"mappings":"AAAA,cAAc,8BAA8B,CAAC"}

package/dist/jarm-auth-response-send/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./jarm-auth-response-send.js"), exports);
+//# sourceMappingURL=index.js.map

package/dist/jarm-auth-response-send/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/jarm-auth-response-send/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,+DAA6C"}

package/dist/jarm-auth-response-send/jarm-auth-response-send.d.ts

@@ -0,0 +1,16 @@
+import type { JarmResponseMode, Openid4vpJarmResponseMode } from '../v-response-mode-registry.js';
+import type { ResponseTypeOut } from '../v-response-type-registry.js';
+interface JarmAuthResponseSendInput {
+    authRequestParams: {
+        response_mode?: JarmResponseMode | Openid4vpJarmResponseMode;
+        response_type: ResponseTypeOut;
+    } & ({
+        response_uri: string;
+    } | {
+        redirect_uri: string;
+    });
+    authResponse: string;
+}
+export declare const jarmAuthResponseSend: (input: JarmAuthResponseSendInput) => Promise<Response>;
+export {};
+//# sourceMappingURL=jarm-auth-response-send.d.ts.map

package/dist/jarm-auth-response-send/jarm-auth-response-send.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jarm-auth-response-send.d.ts","sourceRoot":"","sources":["../../lib/jarm-auth-response-send/jarm-auth-response-send.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAElG,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gCAAgC,CAAC;AAEtE,UAAU,yBAAyB;IACjC,iBAAiB,EAAE;QACjB,aAAa,CAAC,EAAE,gBAAgB,GAAG,yBAAyB,CAAC;QAC7D,aAAa,EAAE,eAAe,CAAC;KAChC,GAAG,CACA;QACE,YAAY,EAAE,MAAM,CAAC;KACtB,GACD;QACE,YAAY,EAAE,MAAM,CAAC;KACtB,CACJ,CAAC;IAEF,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,eAAO,MAAM,oBAAoB,UAAiB,yBAAyB,KAAG,QAAQ,QAAQ,CAyB7F,CAAC"}

package/dist/jarm-auth-response-send/jarm-auth-response-send.js

@@ -0,0 +1,67 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jarmAuthResponseSend = void 0;
+const utils_js_1 = require("../utils.js");
+const v_response_mode_registry_js_1 = require("../v-response-mode-registry.js");
+const jarmAuthResponseSend = (input) => __awaiter(void 0, void 0, void 0, function* () {
+    const { authRequestParams, authResponse } = input;
+    const responseEndpoint = 'response_uri' in authRequestParams ? new URL(authRequestParams.response_uri) : new URL(authRequestParams.redirect_uri);
+    const responseMode = authRequestParams.response_mode && authRequestParams.response_mode !== 'jwt'
+        ? authRequestParams.response_mode
+        : (0, v_response_mode_registry_js_1.getJarmDefaultResponseMode)(authRequestParams);
+    (0, v_response_mode_registry_js_1.validateResponseMode)({
+        response_type: authRequestParams.response_type,
+        response_mode: responseMode,
+    });
+    switch (responseMode) {
+        case 'direct_post.jwt':
+            return handleDirectPostJwt(responseEndpoint, authResponse);
+        case 'query.jwt':
+            return handleQueryJwt(responseEndpoint, authResponse);
+        case 'fragment.jwt':
+            return handleFragmentJwt(responseEndpoint, authResponse);
+        case 'form_post.jwt':
+            throw new Error('Not implemented');
+    }
+});
+exports.jarmAuthResponseSend = jarmAuthResponseSend;
+function handleDirectPostJwt(responseEndpoint, responseJwt) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const response = yield fetch(responseEndpoint, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: `response=${responseJwt}`,
+        });
+        return response;
+    });
+}
+function handleQueryJwt(responseEndpoint, responseJwt) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const responseUrl = (0, utils_js_1.appendQueryParams)({
+            url: responseEndpoint,
+            params: { response: responseJwt },
+        });
+        const response = yield fetch(responseUrl, { method: 'POST' });
+        return response;
+    });
+}
+function handleFragmentJwt(responseEndpoint, responseJwt) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const responseUrl = (0, utils_js_1.appendFragmentParams)({
+            url: responseEndpoint,
+            fragments: { response: responseJwt },
+        });
+        const response = yield fetch(responseUrl, { method: 'POST' });
+        return response;
+    });
+}
+//# sourceMappingURL=jarm-auth-response-send.js.map

package/dist/jarm-auth-response-send/jarm-auth-response-send.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jarm-auth-response-send.js","sourceRoot":"","sources":["../../lib/jarm-auth-response-send/jarm-auth-response-send.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,0CAAsE;AAEtE,gFAAkG;AAmB3F,MAAM,oBAAoB,GAAG,CAAO,KAAgC,EAAqB,EAAE;IAChG,MAAM,EAAE,iBAAiB,EAAE,YAAY,EAAE,GAAG,KAAK,CAAC;IAElD,MAAM,gBAAgB,GAAG,cAAc,IAAI,iBAAiB,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAC;IAEjJ,MAAM,YAAY,GAChB,iBAAiB,CAAC,aAAa,IAAI,iBAAiB,CAAC,aAAa,KAAK,KAAK;QAC1E,CAAC,CAAC,iBAAiB,CAAC,aAAa;QACjC,CAAC,CAAC,IAAA,wDAA0B,EAAC,iBAAiB,CAAC,CAAC;IAEpD,IAAA,kDAAoB,EAAC;QACnB,aAAa,EAAE,iBAAiB,CAAC,aAAa;QAC9C,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAC;IAEH,QAAQ,YAAY,EAAE,CAAC;QACrB,KAAK,iBAAiB;YACpB,OAAO,mBAAmB,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAC;QAC7D,KAAK,WAAW;YACd,OAAO,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAC;QACxD,KAAK,cAAc;YACjB,OAAO,iBAAiB,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAC;QAC3D,KAAK,eAAe;YAClB,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;IACvC,CAAC;AACH,CAAC,CAAA,CAAC;AAzBW,QAAA,oBAAoB,wBAyB/B;AAEF,SAAe,mBAAmB,CAAC,gBAAqB,EAAE,WAAmB;;QAC3E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,EAAE;YAC7C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,YAAY,WAAW,EAAE;SAChC,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;CAAA;AAED,SAAe,cAAc,CAAC,gBAAqB,EAAE,WAAmB;;QACtE,MAAM,WAAW,GAAG,IAAA,4BAAiB,EAAC;YACpC,GAAG,EAAE,gBAAgB;YACrB,MAAM,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE;SAClC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9D,OAAO,QAAQ,CAAC;IAClB,CAAC;CAAA;AAED,SAAe,iBAAiB,CAAC,gBAAqB,EAAE,WAAmB;;QACzE,MAAM,WAAW,GAAG,IAAA,+BAAoB,EAAC;YACvC,GAAG,EAAE,gBAAgB;YACrB,SAAS,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE;SACrC,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9D,OAAO,QAAQ,CAAC;IAClB,CAAC;CAAA"}

package/dist/metadata/index.d.ts

@@ -0,0 +1,4 @@
+export * from './v-jarm-client-metadata.js';
+export * from './v-jarm-server-metadata.js';
+export * from './jarm-validate-metadata.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/metadata/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/metadata/index.ts"],"names":[],"mappings":"AAAA,cAAc,6BAA6B,CAAC;AAC5C,cAAc,6BAA6B,CAAC;AAC5C,cAAc,6BAA6B,CAAC"}

package/dist/metadata/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./v-jarm-client-metadata.js"), exports);
+__exportStar(require("./v-jarm-server-metadata.js"), exports);
+__exportStar(require("./jarm-validate-metadata.js"), exports);
+//# sourceMappingURL=index.js.map

package/dist/metadata/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/metadata/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8DAA4C;AAC5C,8DAA4C;AAC5C,8DAA4C"}

package/dist/metadata/jarm-validate-metadata.d.ts

@@ -0,0 +1,70 @@
+import * as v from 'valibot';
+export declare const vJarmAuthResponseValidateMetadataInput: v.ObjectSchema<{
+    readonly client_metadata: v.UnionSchema<[v.ObjectSchema<{
+        readonly authorization_signed_response_alg: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, never>, v.DescriptionAction<string | undefined, "JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.">]>;
+        readonly authorization_encrypted_response_alg: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+        readonly authorization_encrypted_response_enc: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+    }, undefined>, v.ObjectSchema<{
+        readonly authorization_signed_response_alg: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+        readonly authorization_encrypted_response_alg: v.SchemaWithPipe<[v.StringSchema<undefined>, v.DescriptionAction<string, "JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+        readonly authorization_encrypted_response_enc: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, "A128CBC-HS256">, v.DescriptionAction<string, "JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+    }, undefined>, v.ObjectSchema<{
+        readonly authorization_encrypted_response_alg: v.SchemaWithPipe<[v.StringSchema<undefined>, v.DescriptionAction<string, "JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+        readonly authorization_encrypted_response_enc: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, "A128CBC-HS256">, v.DescriptionAction<string, "JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+        readonly authorization_signed_response_alg: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, never>, v.DescriptionAction<string | undefined, "JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.">]>;
+    }, undefined>], undefined>;
+    readonly server_metadata: Omit<v.ObjectSchema<{
+        readonly authorization_signing_alg_values_supported: v.SchemaWithPipe<[v.ArraySchema<v.StringSchema<undefined>, undefined>, v.DescriptionAction<string[], "JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to sign the response.">]>;
+        readonly authorization_encryption_alg_values_supported: v.SchemaWithPipe<[v.ArraySchema<v.StringSchema<undefined>, undefined>, v.DescriptionAction<string[], "JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.">]>;
+        readonly authorization_encryption_enc_values_supported: v.SchemaWithPipe<[v.ArraySchema<v.StringSchema<undefined>, undefined>, v.DescriptionAction<string[], "JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.">]>;
+    }, undefined>, "_types" | "_run" | "entries"> & {
+        readonly entries: {
+            readonly authorization_signing_alg_values_supported: v.OptionalSchema<v.SchemaWithPipe<[v.ArraySchema<v.StringSchema<undefined>, undefined>, v.DescriptionAction<string[], "JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to sign the response.">]>, never>;
+            readonly authorization_encryption_alg_values_supported: v.OptionalSchema<v.SchemaWithPipe<[v.ArraySchema<v.StringSchema<undefined>, undefined>, v.DescriptionAction<string[], "JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.">]>, never>;
+            readonly authorization_encryption_enc_values_supported: v.OptionalSchema<v.SchemaWithPipe<[v.ArraySchema<v.StringSchema<undefined>, undefined>, v.DescriptionAction<string[], "JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.">]>, never>;
+        };
+        readonly _run: (dataset: v.Dataset<unknown, never>, config: v.Config<v.BaseIssue<unknown>>) => v.Dataset<{
+            authorization_signing_alg_values_supported?: string[] | undefined;
+            authorization_encryption_alg_values_supported?: string[] | undefined;
+            authorization_encryption_enc_values_supported?: string[] | undefined;
+        }, v.StringIssue | v.ObjectIssue | v.ArrayIssue>;
+        readonly _types?: {
+            readonly input: {
+                authorization_signing_alg_values_supported?: string[] | undefined;
+                authorization_encryption_alg_values_supported?: string[] | undefined;
+                authorization_encryption_enc_values_supported?: string[] | undefined;
+            };
+            readonly output: {
+                authorization_signing_alg_values_supported?: string[] | undefined;
+                authorization_encryption_alg_values_supported?: string[] | undefined;
+                authorization_encryption_enc_values_supported?: string[] | undefined;
+            };
+            readonly issue: v.StringIssue | v.ObjectIssue | v.ArrayIssue;
+        } | undefined;
+    };
+}, undefined>;
+export type JarmMetadataValidate = v.InferInput<typeof vJarmAuthResponseValidateMetadataInput>;
+export declare const vJarmMetadataValidateOut: v.VariantSchema<"type", [v.ObjectSchema<{
+    readonly type: v.LiteralSchema<"signed", undefined>;
+    readonly client_metadata: v.ObjectSchema<{
+        readonly authorization_signed_response_alg: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, never>, v.DescriptionAction<string | undefined, "JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.">]>;
+        readonly authorization_encrypted_response_alg: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+        readonly authorization_encrypted_response_enc: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+    }, undefined>;
+}, undefined>, v.ObjectSchema<{
+    readonly type: v.LiteralSchema<"encrypted", undefined>;
+    readonly client_metadata: v.ObjectSchema<{
+        readonly authorization_signed_response_alg: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+        readonly authorization_encrypted_response_alg: v.SchemaWithPipe<[v.StringSchema<undefined>, v.DescriptionAction<string, "JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+        readonly authorization_encrypted_response_enc: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, "A128CBC-HS256">, v.DescriptionAction<string, "JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+    }, undefined>;
+}, undefined>, v.ObjectSchema<{
+    readonly type: v.LiteralSchema<"signed encrypted", undefined>;
+    readonly client_metadata: v.ObjectSchema<{
+        readonly authorization_encrypted_response_alg: v.SchemaWithPipe<[v.StringSchema<undefined>, v.DescriptionAction<string, "JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+        readonly authorization_encrypted_response_enc: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, "A128CBC-HS256">, v.DescriptionAction<string, "JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+        readonly authorization_signed_response_alg: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, never>, v.DescriptionAction<string | undefined, "JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.">]>;
+    }, undefined>;
+}, undefined>], undefined>;
+export declare const jarmMetadataValidate: (vJarmMetadataValidate: JarmMetadataValidate) => v.InferOutput<typeof vJarmMetadataValidateOut>;
+//# sourceMappingURL=jarm-validate-metadata.d.ts.map

package/dist/metadata/jarm-validate-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jarm-validate-metadata.d.ts","sourceRoot":"","sources":["../../lib/metadata/jarm-validate-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,SAAS,CAAC;AAW7B,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;aAGjD,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAE/F,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;0BAanC,CAAC;AAEH,eAAO,MAAM,oBAAoB,0BAA2B,oBAAoB,KAAG,EAAE,WAAW,CAAC,+BAA+B,CA+C/H,CAAC"}

package/dist/metadata/jarm-validate-metadata.js

@@ -0,0 +1,98 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jarmMetadataValidate = exports.vJarmMetadataValidateOut = exports.vJarmAuthResponseValidateMetadataInput = void 0;
+const v = __importStar(require("valibot"));
+const v_jarm_client_metadata_js_1 = require("../metadata/v-jarm-client-metadata.js");
+const v_jarm_server_metadata_js_1 = require("../metadata/v-jarm-server-metadata.js");
+const utils_js_1 = require("../utils.js");
+exports.vJarmAuthResponseValidateMetadataInput = v.object({
+    client_metadata: v_jarm_client_metadata_js_1.vJarmClientMetadata,
+    server_metadata: v.partial(v_jarm_server_metadata_js_1.vJarmServerMetadata),
+});
+exports.vJarmMetadataValidateOut = v.variant('type', [
+    v.object({
+        type: v.literal('signed'),
+        client_metadata: v_jarm_client_metadata_js_1.vJarmClientMetadataSign,
+    }),
+    v.object({
+        type: v.literal('encrypted'),
+        client_metadata: v_jarm_client_metadata_js_1.vJarmClientMetadataEncrypt,
+    }),
+    v.object({
+        type: v.literal('signed encrypted'),
+        client_metadata: v_jarm_client_metadata_js_1.vJarmClientMetadataSignEncrypt,
+    }),
+]);
+const jarmMetadataValidate = (vJarmMetadataValidate) => {
+    var _a, _b, _c;
+    const { client_metadata, server_metadata } = vJarmMetadataValidate;
+    const { authorization_encrypted_response_alg, authorization_encrypted_response_enc, authorization_signed_response_alg } = client_metadata;
+    (0, utils_js_1.assertValueSupported)({
+        supported: (_a = server_metadata.authorization_signing_alg_values_supported) !== null && _a !== void 0 ? _a : [],
+        actual: authorization_signed_response_alg,
+        required: !!authorization_signed_response_alg,
+        error: new Error('Invalid authorization_signed_response_alg'),
+    });
+    (0, utils_js_1.assertValueSupported)({
+        supported: (_b = server_metadata.authorization_encryption_alg_values_supported) !== null && _b !== void 0 ? _b : [],
+        actual: authorization_encrypted_response_alg,
+        required: !!authorization_encrypted_response_alg,
+        error: new Error('Invalid authorization_encrypted_response_alg'),
+    });
+    (0, utils_js_1.assertValueSupported)({
+        supported: (_c = server_metadata.authorization_encryption_enc_values_supported) !== null && _c !== void 0 ? _c : [],
+        actual: authorization_encrypted_response_enc,
+        required: !!authorization_encrypted_response_enc,
+        error: new Error('Invalid authorization_encrypted_response_enc'),
+    });
+    if (authorization_signed_response_alg && authorization_encrypted_response_alg && authorization_encrypted_response_enc) {
+        return {
+            type: 'signed encrypted',
+            client_metadata: {
+                authorization_signed_response_alg,
+                authorization_encrypted_response_alg,
+                authorization_encrypted_response_enc,
+            },
+        };
+    }
+    else if (authorization_signed_response_alg && !authorization_encrypted_response_alg && !authorization_encrypted_response_enc) {
+        return {
+            type: 'signed',
+            client_metadata: { authorization_signed_response_alg },
+        };
+    }
+    else if (!authorization_signed_response_alg && authorization_encrypted_response_alg && authorization_encrypted_response_enc) {
+        return {
+            type: 'encrypted',
+            client_metadata: { authorization_encrypted_response_alg, authorization_encrypted_response_enc },
+        };
+    }
+    else {
+        throw new Error(`Invalid jarm client_metadata combination`);
+    }
+};
+exports.jarmMetadataValidate = jarmMetadataValidate;
+//# sourceMappingURL=jarm-validate-metadata.js.map

package/dist/metadata/jarm-validate-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jarm-validate-metadata.js","sourceRoot":"","sources":["../../lib/metadata/jarm-validate-metadata.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B,qFAK+C;AAC/C,qFAA4E;AAC5E,0CAAmD;AAEtC,QAAA,sCAAsC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7D,eAAe,EAAE,+CAAmB;IACpC,eAAe,EAAE,CAAC,CAAC,OAAO,CAAC,+CAAmB,CAAC;CAChD,CAAC,CAAC;AAGU,QAAA,wBAAwB,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE;IACxD,CAAC,CAAC,MAAM,CAAC;QACP,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;QACzB,eAAe,EAAE,mDAAuB;KACzC,CAAC;IACF,CAAC,CAAC,MAAM,CAAC;QACP,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC5B,eAAe,EAAE,sDAA0B;KAC5C,CAAC;IACF,CAAC,CAAC,MAAM,CAAC;QACP,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC;QACnC,eAAe,EAAE,0DAA8B;KAChD,CAAC;CACH,CAAC,CAAC;AAEI,MAAM,oBAAoB,GAAG,CAAC,qBAA2C,EAAkD,EAAE;;IAClI,MAAM,EAAE,eAAe,EAAE,eAAe,EAAE,GAAG,qBAAqB,CAAC;IACnE,MAAM,EAAE,oCAAoC,EAAE,oCAAoC,EAAE,iCAAiC,EAAE,GAAG,eAAe,CAAC;IAE1I,IAAA,+BAAoB,EAAC;QACnB,SAAS,EAAE,MAAA,eAAe,CAAC,0CAA0C,mCAAI,EAAE;QAC3E,MAAM,EAAE,iCAAiC;QACzC,QAAQ,EAAE,CAAC,CAAC,iCAAiC;QAC7C,KAAK,EAAE,IAAI,KAAK,CAAC,2CAA2C,CAAC;KAC9D,CAAC,CAAC;IAEH,IAAA,+BAAoB,EAAC;QACnB,SAAS,EAAE,MAAA,eAAe,CAAC,6CAA6C,mCAAI,EAAE;QAC9E,MAAM,EAAE,oCAAoC;QAC5C,QAAQ,EAAE,CAAC,CAAC,oCAAoC;QAChD,KAAK,EAAE,IAAI,KAAK,CAAC,8CAA8C,CAAC;KACjE,CAAC,CAAC;IAEH,IAAA,+BAAoB,EAAC;QACnB,SAAS,EAAE,MAAA,eAAe,CAAC,6CAA6C,mCAAI,EAAE;QAC9E,MAAM,EAAE,oCAAoC;QAC5C,QAAQ,EAAE,CAAC,CAAC,oCAAoC;QAChD,KAAK,EAAE,IAAI,KAAK,CAAC,8CAA8C,CAAC;KACjE,CAAC,CAAC;IAEH,IAAI,iCAAiC,IAAI,oCAAoC,IAAI,oCAAoC,EAAE,CAAC;QACtH,OAAO;YACL,IAAI,EAAE,kBAAkB;YACxB,eAAe,EAAE;gBACf,iCAAiC;gBACjC,oCAAoC;gBACpC,oCAAoC;aACrC;SACF,CAAC;IACJ,CAAC;SAAM,IAAI,iCAAiC,IAAI,CAAC,oCAAoC,IAAI,CAAC,oCAAoC,EAAE,CAAC;QAC/H,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,eAAe,EAAE,EAAE,iCAAiC,EAAE;SACvD,CAAC;IACJ,CAAC;SAAM,IAAI,CAAC,iCAAiC,IAAI,oCAAoC,IAAI,oCAAoC,EAAE,CAAC;QAC9H,OAAO;YACL,IAAI,EAAE,WAAW;YACjB,eAAe,EAAE,EAAE,oCAAoC,EAAE,oCAAoC,EAAE;SAChG,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC,CAAC;AA/CW,QAAA,oBAAoB,wBA+C/B"}

package/dist/metadata/v-jarm-client-metadata.d.ts

@@ -0,0 +1,34 @@
+import * as v from 'valibot';
+export declare const vJarmClientMetadataSign: v.ObjectSchema<{
+    readonly authorization_signed_response_alg: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, never>, v.DescriptionAction<string | undefined, "JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.">]>;
+    readonly authorization_encrypted_response_alg: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+    readonly authorization_encrypted_response_enc: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+}, undefined>;
+export declare const vJarmClientMetadataEncrypt: v.ObjectSchema<{
+    readonly authorization_signed_response_alg: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+    readonly authorization_encrypted_response_alg: v.SchemaWithPipe<[v.StringSchema<undefined>, v.DescriptionAction<string, "JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+    readonly authorization_encrypted_response_enc: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, "A128CBC-HS256">, v.DescriptionAction<string, "JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+}, undefined>;
+export declare const vJarmClientMetadataSignEncrypt: v.ObjectSchema<{
+    readonly authorization_encrypted_response_alg: v.SchemaWithPipe<[v.StringSchema<undefined>, v.DescriptionAction<string, "JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+    readonly authorization_encrypted_response_enc: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, "A128CBC-HS256">, v.DescriptionAction<string, "JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+    readonly authorization_signed_response_alg: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, never>, v.DescriptionAction<string | undefined, "JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.">]>;
+}, undefined>;
+/**
+ * Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.
+ */
+export declare const vJarmClientMetadata: v.UnionSchema<[v.ObjectSchema<{
+    readonly authorization_signed_response_alg: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, never>, v.DescriptionAction<string | undefined, "JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.">]>;
+    readonly authorization_encrypted_response_alg: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+    readonly authorization_encrypted_response_enc: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+}, undefined>, v.ObjectSchema<{
+    readonly authorization_signed_response_alg: v.OptionalSchema<v.NeverSchema<undefined>, never>;
+    readonly authorization_encrypted_response_alg: v.SchemaWithPipe<[v.StringSchema<undefined>, v.DescriptionAction<string, "JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+    readonly authorization_encrypted_response_enc: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, "A128CBC-HS256">, v.DescriptionAction<string, "JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+}, undefined>, v.ObjectSchema<{
+    readonly authorization_encrypted_response_alg: v.SchemaWithPipe<[v.StringSchema<undefined>, v.DescriptionAction<string, "JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+    readonly authorization_encrypted_response_enc: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, "A128CBC-HS256">, v.DescriptionAction<string, "JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">]>;
+    readonly authorization_signed_response_alg: v.SchemaWithPipe<[v.OptionalSchema<v.StringSchema<undefined>, never>, v.DescriptionAction<string | undefined, "JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.">]>;
+}, undefined>], undefined>;
+export type JarmClientMetadata = v.InferInput<typeof vJarmClientMetadata>;
+//# sourceMappingURL=v-jarm-client-metadata.d.ts.map

package/dist/metadata/v-jarm-client-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-jarm-client-metadata.d.ts","sourceRoot":"","sources":["../../lib/metadata/v-jarm-client-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,SAAS,CAAC;AAE7B,eAAO,MAAM,uBAAuB;;;;aAUlC,CAAC;AAEH,eAAO,MAAM,0BAA0B;;;;aAerC,CAAC;AAEH,eAAO,MAAM,8BAA8B;;;;aAGzC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;0BAAiG,CAAC;AAElI,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC"}

package/dist/metadata/v-jarm-client-metadata.js

@@ -0,0 +1,44 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.vJarmClientMetadata = exports.vJarmClientMetadataSignEncrypt = exports.vJarmClientMetadataEncrypt = exports.vJarmClientMetadataSign = void 0;
+const v = __importStar(require("valibot"));
+exports.vJarmClientMetadataSign = v.object({
+    authorization_signed_response_alg: v.pipe(v.optional(v.string()), // @default 'RS256'  This makes no sense with openid4vp if just encrypted can be specified
+    v.description('JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.')),
+    authorization_encrypted_response_alg: v.optional(v.never()),
+    authorization_encrypted_response_enc: v.optional(v.never()),
+});
+exports.vJarmClientMetadataEncrypt = v.object({
+    authorization_signed_response_alg: v.optional(v.never()),
+    authorization_encrypted_response_alg: v.pipe(v.string(), v.description('JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.')),
+    authorization_encrypted_response_enc: v.pipe(v.optional(v.string(), 'A128CBC-HS256'), v.description('JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.')),
+});
+exports.vJarmClientMetadataSignEncrypt = v.object(Object.assign(Object.assign({}, v.pick(exports.vJarmClientMetadataSign, ['authorization_signed_response_alg']).entries), v.pick(exports.vJarmClientMetadataEncrypt, ['authorization_encrypted_response_alg', 'authorization_encrypted_response_enc']).entries));
+/**
+ * Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.
+ */
+exports.vJarmClientMetadata = v.union([exports.vJarmClientMetadataSign, exports.vJarmClientMetadataEncrypt, exports.vJarmClientMetadataSignEncrypt]);
+//# sourceMappingURL=v-jarm-client-metadata.js.map

package/dist/metadata/v-jarm-client-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-jarm-client-metadata.js","sourceRoot":"","sources":["../../lib/metadata/v-jarm-client-metadata.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAEhB,QAAA,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,iCAAiC,EAAE,CAAC,CAAC,IAAI,CACvC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,0FAA0F;IAClH,CAAC,CAAC,WAAW,CACX,mIAAmI,CACpI,CACF;IAED,oCAAoC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;IAC3D,oCAAoC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;CAC5D,CAAC,CAAC;AAEU,QAAA,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,iCAAiC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;IACxD,oCAAoC,EAAE,CAAC,CAAC,IAAI,CAC1C,CAAC,CAAC,MAAM,EAAE,EACV,CAAC,CAAC,WAAW,CACX,8IAA8I,CAC/I,CACF;IAED,oCAAoC,EAAE,CAAC,CAAC,IAAI,CAC1C,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,eAAe,CAAC,EACvC,CAAC,CAAC,WAAW,CACX,8IAA8I,CAC/I,CACF;CACF,CAAC,CAAC;AAEU,QAAA,8BAA8B,GAAG,CAAC,CAAC,MAAM,iCACjD,CAAC,CAAC,IAAI,CAAC,+BAAuB,EAAE,CAAC,mCAAmC,CAAC,CAAC,CAAC,OAAO,GAC9E,CAAC,CAAC,IAAI,CAAC,kCAA0B,EAAE,CAAC,sCAAsC,EAAE,sCAAsC,CAAC,CAAC,CAAC,OAAO,EAC/H,CAAC;AAEH;;GAEG;AACU,QAAA,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,+BAAuB,EAAE,kCAA0B,EAAE,sCAA8B,CAAC,CAAC,CAAC"}

package/dist/metadata/v-jarm-server-metadata.d.ts

@@ -0,0 +1,11 @@
+import * as v from 'valibot';
+/**
+ * Authorization servers SHOULD publish the supported algorithms for signing and encrypting the JWT of an authorization response by utilizing OAuth 2.0 Authorization Server Metadata [RFC8414] parameters.
+ */
+export declare const vJarmServerMetadata: v.ObjectSchema<{
+    readonly authorization_signing_alg_values_supported: v.SchemaWithPipe<[v.ArraySchema<v.StringSchema<undefined>, undefined>, v.DescriptionAction<string[], "JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to sign the response.">]>;
+    readonly authorization_encryption_alg_values_supported: v.SchemaWithPipe<[v.ArraySchema<v.StringSchema<undefined>, undefined>, v.DescriptionAction<string[], "JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.">]>;
+    readonly authorization_encryption_enc_values_supported: v.SchemaWithPipe<[v.ArraySchema<v.StringSchema<undefined>, undefined>, v.DescriptionAction<string[], "JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.">]>;
+}, undefined>;
+export type JarmServerMetadata = v.InferInput<typeof vJarmServerMetadata>;
+//# sourceMappingURL=v-jarm-server-metadata.d.ts.map

package/dist/metadata/v-jarm-server-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-jarm-server-metadata.d.ts","sourceRoot":"","sources":["../../lib/metadata/v-jarm-server-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,SAAS,CAAC;AAE7B;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;aAqB9B,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC"}