@sphereon/jarm 0.16.1-unstable.105

package/dist/metadata/v-jarm-server-metadata.js

@@ -0,0 +1,36 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.vJarmServerMetadata = void 0;
+const v = __importStar(require("valibot"));
+/**
+ * Authorization servers SHOULD publish the supported algorithms for signing and encrypting the JWT of an authorization response by utilizing OAuth 2.0 Authorization Server Metadata [RFC8414] parameters.
+ */
+exports.vJarmServerMetadata = v.object({
+    authorization_signing_alg_values_supported: v.pipe(v.array(v.string()), v.description('JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to sign the response.')),
+    authorization_encryption_alg_values_supported: v.pipe(v.array(v.string()), v.description('JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.')),
+    authorization_encryption_enc_values_supported: v.pipe(v.array(v.string()), v.description('JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.')),
+});
+//# sourceMappingURL=v-jarm-server-metadata.js.map

package/dist/metadata/v-jarm-server-metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-jarm-server-metadata.js","sourceRoot":"","sources":["../../lib/metadata/v-jarm-server-metadata.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAE7B;;GAEG;AACU,QAAA,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,0CAA0C,EAAE,CAAC,CAAC,IAAI,CAChD,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EACnB,CAAC,CAAC,WAAW,CACX,+JAA+J,CAChK,CACF;IAED,6CAA6C,EAAE,CAAC,CAAC,IAAI,CACnD,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EACnB,CAAC,CAAC,WAAW,CACX,qKAAqK,CACtK,CACF;IAED,6CAA6C,EAAE,CAAC,CAAC,IAAI,CACnD,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EACnB,CAAC,CAAC,WAAW,CACX,qKAAqK,CACtK,CACF;CACF,CAAC,CAAC"}

package/dist/utils.d.ts

@@ -0,0 +1,17 @@
+export declare function appendQueryParams(input: {
+    url: URL;
+    params: Record<string, string | number | boolean>;
+}): URL;
+export declare function appendFragmentParams(input: {
+    url: URL;
+    fragments: Record<string, string | number | boolean>;
+}): URL;
+interface AssertValueSupported<T> {
+    supported: T[];
+    actual: T;
+    error: Error;
+    required: boolean;
+}
+export declare function assertValueSupported<T>(input: AssertValueSupported<T>): T | undefined;
+export {};
+//# sourceMappingURL=utils.d.ts.map

package/dist/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../lib/utils.ts"],"names":[],"mappings":"AAAA,wBAAgB,iBAAiB,CAAC,KAAK,EAAE;IAAE,GAAG,EAAE,GAAG,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,CAAA;CAAE,OASvG;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE;IAAE,GAAG,EAAE,GAAG,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,CAAA;CAAE,OAe7G;AAED,UAAU,oBAAoB,CAAC,CAAC;IAC9B,SAAS,EAAE,CAAC,EAAE,CAAC;IACf,MAAM,EAAE,CAAC,CAAC;IACV,KAAK,EAAE,KAAK,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,KAAK,EAAE,oBAAoB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,SAAS,CAMrF"}

package/dist/utils.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertValueSupported = exports.appendFragmentParams = exports.appendQueryParams = void 0;
+function appendQueryParams(input) {
+    const { url, params } = input;
+    // Append the new query parameters from the params object
+    for (const [key, value] of Object.entries(params)) {
+        url.searchParams.append(key, encodeURIComponent(value));
+    }
+    return url;
+}
+exports.appendQueryParams = appendQueryParams;
+function appendFragmentParams(input) {
+    const { url, fragments } = input;
+    // Convert existing fragment to an object and remove the leading '#'
+    const fragmentParams = new URLSearchParams(url.hash.slice(1)); // Remove the leading '#' from the fragment
+    // Append the new fragments from the fragments object
+    for (const [key, value] of Object.entries(fragments)) {
+        fragmentParams.append(key, encodeURIComponent(value));
+    }
+    // Rebuild the fragment string and assign it to the URL
+    url.hash = fragmentParams.toString();
+    return url;
+}
+exports.appendFragmentParams = appendFragmentParams;
+function assertValueSupported(input) {
+    const { required, error, supported, actual } = input;
+    const intersection = supported.find((value) => value === actual);
+    if (required && !intersection)
+        throw error;
+    return intersection;
+}
+exports.assertValueSupported = assertValueSupported;
+//# sourceMappingURL=utils.js.map

package/dist/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../lib/utils.ts"],"names":[],"mappings":";;;AAAA,SAAgB,iBAAiB,CAAC,KAAsE;IACtG,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;IAE9B,yDAAyD;IACzD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,EAAE,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AATD,8CASC;AAED,SAAgB,oBAAoB,CAAC,KAAyE;IAC5G,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,KAAK,CAAC;IAEjC,oEAAoE;IACpE,MAAM,cAAc,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,2CAA2C;IAE1G,qDAAqD;IACrD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACrD,cAAc,CAAC,MAAM,CAAC,GAAG,EAAE,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,uDAAuD;IACvD,GAAG,CAAC,IAAI,GAAG,cAAc,CAAC,QAAQ,EAAE,CAAC;IAErC,OAAO,GAAG,CAAC;AACb,CAAC;AAfD,oDAeC;AASD,SAAgB,oBAAoB,CAAI,KAA8B;IACpE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;IACrD,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,MAAM,CAAC,CAAC;IAEjE,IAAI,QAAQ,IAAI,CAAC,YAAY;QAAE,MAAM,KAAK,CAAC;IAC3C,OAAO,YAAY,CAAC;AACtB,CAAC;AAND,oDAMC"}

package/dist/v-response-mode-registry.d.ts

@@ -0,0 +1,30 @@
+import * as v from 'valibot';
+import type { ResponseTypeOut } from './v-response-type-registry.js';
+export declare const vJarmResponseMode: v.PicklistSchema<["jwt", "query.jwt", "fragment.jwt", "form_post.jwt"], undefined>;
+export type JarmResponseMode = v.InferInput<typeof vJarmResponseMode>;
+export declare const vOpenid4vpResponseMode: v.PicklistSchema<["direct_post"], undefined>;
+export type Openid4vpResponseMode = v.InferInput<typeof vOpenid4vpResponseMode>;
+/**
+ *  * 'direct_post.jwt' The response is send as HTTP POST request using the application/x-www-form-urlencoded content type. The body contains a single parameter response which is the JWT encoded Response as defined in JARM 4.1
+ */
+export declare const vOpenid4vpJarmResponseMode: v.PicklistSchema<["direct_post.jwt"], undefined>;
+export type Openid4vpJarmResponseMode = v.InferInput<typeof vOpenid4vpJarmResponseMode>;
+/**
+ *  The use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.
+ *  * 'query' In this mode, Authorization Response parameters are encoded in the query string added to the redirect_uri when redirecting back to the Client.
+ *  * 'fragment' In this mode, Authorization Response parameters are encoded in the fragment added to the redirect_uri when redirecting back to the Client.
+ *  * 'direct_post' the Authorization Response is send to an endpoint controlled by the Verifier via an HTTP POST request.
+ */
+export declare const vResponseMode: v.SchemaWithPipe<[v.PicklistSchema<["query", "fragment", "direct_post", "jwt", "query.jwt", "fragment.jwt", "form_post.jwt", "direct_post.jwt"], undefined>, v.DescriptionAction<"jwt" | "query.jwt" | "fragment.jwt" | "form_post.jwt" | "direct_post" | "direct_post.jwt" | "query" | "fragment", "Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.">]>;
+export type ResponseMode = v.InferInput<typeof vResponseMode>;
+export declare const getDefaultResponseMode: (input: {
+    response_type: ResponseTypeOut;
+}) => 'query' | 'fragment';
+export declare const getJarmDefaultResponseMode: (input: {
+    response_type: ResponseTypeOut;
+}) => 'query.jwt' | 'fragment.jwt';
+export declare const validateResponseMode: (input: {
+    response_type: ResponseTypeOut;
+    response_mode: ResponseMode;
+}) => void;
+//# sourceMappingURL=v-response-mode-registry.d.ts.map

package/dist/v-response-mode-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-response-mode-registry.d.ts","sourceRoot":"","sources":["../lib/v-response-mode-registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,SAAS,CAAC;AAE7B,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAErE,eAAO,MAAM,iBAAiB,oFAAoE,CAAC;AACnG,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAEtE,eAAO,MAAM,sBAAsB,8CAA8B,CAAC;AAClE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEhF;;GAEG;AACH,eAAO,MAAM,0BAA0B,kDAAkC,CAAC;AAC1E,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAExF;;;;;GAKG;AACH,eAAO,MAAM,aAAa,iaAGzB,CAAC;AACF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AAkB9D,eAAO,MAAM,sBAAsB,UAAW;IAAE,aAAa,EAAE,eAAe,CAAA;CAAE,KAAG,OAAO,GAAG,UAiB5F,CAAC;AAEF,eAAO,MAAM,0BAA0B,UAAW;IAAE,aAAa,EAAE,eAAe,CAAA;CAAE,KAAG,WAAW,GAAG,cASpG,CAAC;AAEF,eAAO,MAAM,oBAAoB,UAAW;IAAE,aAAa,EAAE,eAAe,CAAC;IAAC,aAAa,EAAE,YAAY,CAAA;CAAE,SAM1G,CAAC"}

package/dist/v-response-mode-registry.js

@@ -0,0 +1,90 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateResponseMode = exports.getJarmDefaultResponseMode = exports.getDefaultResponseMode = exports.vResponseMode = exports.vOpenid4vpJarmResponseMode = exports.vOpenid4vpResponseMode = exports.vJarmResponseMode = void 0;
+const v = __importStar(require("valibot"));
+exports.vJarmResponseMode = v.picklist(['jwt', 'query.jwt', 'fragment.jwt', 'form_post.jwt']);
+exports.vOpenid4vpResponseMode = v.picklist(['direct_post']);
+/**
+ *  * 'direct_post.jwt' The response is send as HTTP POST request using the application/x-www-form-urlencoded content type. The body contains a single parameter response which is the JWT encoded Response as defined in JARM 4.1
+ */
+exports.vOpenid4vpJarmResponseMode = v.picklist(['direct_post.jwt']);
+/**
+ *  The use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.
+ *  * 'query' In this mode, Authorization Response parameters are encoded in the query string added to the redirect_uri when redirecting back to the Client.
+ *  * 'fragment' In this mode, Authorization Response parameters are encoded in the fragment added to the redirect_uri when redirecting back to the Client.
+ *  * 'direct_post' the Authorization Response is send to an endpoint controlled by the Verifier via an HTTP POST request.
+ */
+exports.vResponseMode = v.pipe(v.picklist(['query', 'fragment', ...exports.vOpenid4vpResponseMode.options, ...exports.vJarmResponseMode.options, ...exports.vOpenid4vpJarmResponseMode.options]), v.description('Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.'));
+const getDisAllowedResponseModes = (input) => {
+    const { response_type } = input;
+    switch (response_type) {
+        case 'code token':
+            return ['query'];
+        case 'code id_token':
+            return ['query'];
+        case 'id_token token':
+            return ['query'];
+        case 'code id_token token':
+            return ['query'];
+    }
+    return undefined;
+};
+const getDefaultResponseMode = (input) => {
+    const { response_type } = input;
+    switch (response_type) {
+        case 'code':
+        case 'none':
+            return 'query';
+        case 'token':
+        case 'id_token':
+        case 'code token':
+        case 'code id_token':
+        case 'id_token token':
+        case 'code id_token token':
+        case 'vp_token':
+        case 'id_token vp_token':
+            return 'fragment';
+    }
+};
+exports.getDefaultResponseMode = getDefaultResponseMode;
+const getJarmDefaultResponseMode = (input) => {
+    const responseMode = (0, exports.getDefaultResponseMode)(input);
+    switch (responseMode) {
+        case 'query':
+            return 'query.jwt';
+        case 'fragment':
+            return 'fragment.jwt';
+    }
+};
+exports.getJarmDefaultResponseMode = getJarmDefaultResponseMode;
+const validateResponseMode = (input) => {
+    const disallowedResponseModes = getDisAllowedResponseModes(input);
+    if (disallowedResponseModes === null || disallowedResponseModes === void 0 ? void 0 : disallowedResponseModes.includes(input.response_mode)) {
+        throw new Error(`Response_type '${input.response_type}' is not compatible with response_mode '${input.response_mode}'.`);
+    }
+};
+exports.validateResponseMode = validateResponseMode;
+//# sourceMappingURL=v-response-mode-registry.js.map

package/dist/v-response-mode-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-response-mode-registry.js","sourceRoot":"","sources":["../lib/v-response-mode-registry.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAIhB,QAAA,iBAAiB,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,eAAe,CAAC,CAAC,CAAC;AAGtF,QAAA,sBAAsB,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;AAGlE;;GAEG;AACU,QAAA,0BAA0B,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;AAG1E;;;;;GAKG;AACU,QAAA,aAAa,GAAG,CAAC,CAAC,IAAI,CACjC,CAAC,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,8BAAsB,CAAC,OAAO,EAAE,GAAG,yBAAiB,CAAC,OAAO,EAAE,GAAG,kCAA0B,CAAC,OAAO,CAAC,CAAC,EACzI,CAAC,CAAC,WAAW,CAAC,wHAAwH,CAAC,CACxI,CAAC;AAGF,MAAM,0BAA0B,GAAG,CAAC,KAAyC,EAAiD,EAAE;IAC9H,MAAM,EAAE,aAAa,EAAE,GAAG,KAAK,CAAC;IAEhC,QAAQ,aAAa,EAAE,CAAC;QACtB,KAAK,YAAY;YACf,OAAO,CAAC,OAAO,CAAC,CAAC;QACnB,KAAK,eAAe;YAClB,OAAO,CAAC,OAAO,CAAC,CAAC;QACnB,KAAK,gBAAgB;YACnB,OAAO,CAAC,OAAO,CAAC,CAAC;QACnB,KAAK,qBAAqB;YACxB,OAAO,CAAC,OAAO,CAAC,CAAC;IACrB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC;AAEK,MAAM,sBAAsB,GAAG,CAAC,KAAyC,EAAwB,EAAE;IACxG,MAAM,EAAE,aAAa,EAAE,GAAG,KAAK,CAAC;IAEhC,QAAQ,aAAa,EAAE,CAAC;QACtB,KAAK,MAAM,CAAC;QACZ,KAAK,MAAM;YACT,OAAO,OAAO,CAAC;QACjB,KAAK,OAAO,CAAC;QACb,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,eAAe,CAAC;QACrB,KAAK,gBAAgB,CAAC;QACtB,KAAK,qBAAqB,CAAC;QAC3B,KAAK,UAAU,CAAC;QAChB,KAAK,mBAAmB;YACtB,OAAO,UAAU,CAAC;IACtB,CAAC;AACH,CAAC,CAAC;AAjBW,QAAA,sBAAsB,0BAiBjC;AAEK,MAAM,0BAA0B,GAAG,CAAC,KAAyC,EAAgC,EAAE;IACpH,MAAM,YAAY,GAAG,IAAA,8BAAsB,EAAC,KAAK,CAAC,CAAC;IAEnD,QAAQ,YAAY,EAAE,CAAC;QACrB,KAAK,OAAO;YACV,OAAO,WAAW,CAAC;QACrB,KAAK,UAAU;YACb,OAAO,cAAc,CAAC;IAC1B,CAAC;AACH,CAAC,CAAC;AATW,QAAA,0BAA0B,8BASrC;AAEK,MAAM,oBAAoB,GAAG,CAAC,KAAsE,EAAE,EAAE;IAC7G,MAAM,uBAAuB,GAAG,0BAA0B,CAAC,KAAK,CAAC,CAAC;IAElE,IAAI,uBAAuB,aAAvB,uBAAuB,uBAAvB,uBAAuB,CAAE,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,kBAAkB,KAAK,CAAC,aAAa,2CAA2C,KAAK,CAAC,aAAa,IAAI,CAAC,CAAC;IAC3H,CAAC;AACH,CAAC,CAAC;AANW,QAAA,oBAAoB,wBAM/B"}

package/dist/v-response-type-registry.d.ts

@@ -0,0 +1,9 @@
+import * as v from 'valibot';
+export declare const oAuthResponseTypes: v.PicklistSchema<["code", "token"], undefined>;
+export declare const oAuthMRTEPResponseTypes: v.PicklistSchema<["none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"], undefined>;
+export declare const openid4vpResponseTypes: v.PicklistSchema<["vp_token", "id_token vp_token"], undefined>;
+export declare const vTransformedResponseTypes: v.PicklistSchema<["vp_token", "id_token vp_token", "code", "token", "none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"], undefined>;
+export declare const vResponseType: v.SchemaWithPipe<[v.StringSchema<undefined>, v.TransformAction<string, string>, v.PicklistSchema<["vp_token", "id_token vp_token", "code", "token", "none", "id_token", "code token", "code id_token", "id_token token", "code id_token token"], undefined>]>;
+export type ResponseType = v.InferInput<typeof vTransformedResponseTypes>;
+export type ResponseTypeOut = v.InferOutput<typeof vTransformedResponseTypes>;
+//# sourceMappingURL=v-response-type-registry.d.ts.map

package/dist/v-response-type-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-response-type-registry.d.ts","sourceRoot":"","sources":["../lib/v-response-type-registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,SAAS,CAAC;AAE7B,eAAO,MAAM,kBAAkB,gDAAgC,CAAC;AAGhE,eAAO,MAAM,uBAAuB,2HAA2G,CAAC;AAEhJ,eAAO,MAAM,sBAAsB,gEAAgD,CAAC;AAEpF,eAAO,MAAM,yBAAyB,6KAIpC,CAAC;AAEH,eAAO,MAAM,aAAa,+PAIzB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAC1E,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,WAAW,CAAC,OAAO,yBAAyB,CAAC,CAAC"}

package/dist/v-response-type-registry.js

@@ -0,0 +1,38 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.vResponseType = exports.vTransformedResponseTypes = exports.openid4vpResponseTypes = exports.oAuthMRTEPResponseTypes = exports.oAuthResponseTypes = void 0;
+const v = __importStar(require("valibot"));
+exports.oAuthResponseTypes = v.picklist(['code', 'token']);
+// NOTE: MAKE SURE THAT THE RESPONSE TYPES ARE SORTED CORRECTLY
+exports.oAuthMRTEPResponseTypes = v.picklist(['none', 'id_token', 'code token', 'code id_token', 'id_token token', 'code id_token token']);
+exports.openid4vpResponseTypes = v.picklist(['vp_token', 'id_token vp_token']);
+exports.vTransformedResponseTypes = v.picklist([
+    ...exports.openid4vpResponseTypes.options,
+    ...exports.oAuthResponseTypes.options,
+    ...exports.oAuthMRTEPResponseTypes.options,
+]);
+exports.vResponseType = v.pipe(v.string(), v.transform((val) => val.split(' ').sort().join(' ')), exports.vTransformedResponseTypes);
+//# sourceMappingURL=v-response-type-registry.js.map

package/dist/v-response-type-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"v-response-type-registry.js","sourceRoot":"","sources":["../lib/v-response-type-registry.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAEhB,QAAA,kBAAkB,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAEhE,+DAA+D;AAClD,QAAA,uBAAuB,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,qBAAqB,CAAC,CAAC,CAAC;AAEnI,QAAA,sBAAsB,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC,CAAC;AAEvE,QAAA,yBAAyB,GAAG,CAAC,CAAC,QAAQ,CAAC;IAClD,GAAG,8BAAsB,CAAC,OAAO;IACjC,GAAG,0BAAkB,CAAC,OAAO;IAC7B,GAAG,+BAAuB,CAAC,OAAO;CACnC,CAAC,CAAC;AAEU,QAAA,aAAa,GAAG,CAAC,CAAC,IAAI,CACjC,CAAC,CAAC,MAAM,EAAE,EACV,CAAC,CAAC,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EACrD,iCAAyB,CAC1B,CAAC"}

package/lib/index.ts

@@ -0,0 +1,3 @@
+export * from './jarm-auth-response-send/index.js';
+export * from './jarm-auth-response/index.js';
+export * from './metadata/index.js';

package/lib/jarm-auth-response/c-jarm-auth-response.ts

@@ -0,0 +1,41 @@
+import * as v from 'valibot';
+
+import { vJarmResponseMode, vOpenid4vpJarmResponseMode } from '../v-response-mode-registry.js';
+import { vResponseType } from '../v-response-type-registry.js';
+
+import type { JarmAuthResponseParams } from './v-jarm-auth-response-params.js';
+import type { JarmDirectPostJwtResponseParams } from './v-jarm-direct-post-jwt-auth-response-params.js';
+
+export const vAuthRequestParams = v.looseObject({
+  state: v.optional(v.string()),
+  response_mode: v.optional(v.union([vJarmResponseMode, vOpenid4vpJarmResponseMode])),
+  client_id: v.string(),
+  response_type: vResponseType,
+  client_metadata: v.looseObject({
+    jwks: v.optional(
+      v.object({
+        keys: v.array(v.looseObject({ kid: v.optional(v.string()), kty: v.string() })),
+      }),
+    ),
+    jwks_uri: v.optional(v.string()),
+  }),
+});
+
+export type AuthRequestParams = v.InferInput<typeof vAuthRequestParams>;
+
+export const vOAuthAuthRequestGetParamsOut = v.object({
+  authRequestParams: vAuthRequestParams,
+});
+
+export type OAuthAuthRequestGetParamsOut = v.InferOutput<typeof vOAuthAuthRequestGetParamsOut>;
+
+export interface JarmDirectPostJwtAuthResponseValidationContext {
+  openid4vp: {
+    authRequest: {
+      getParams: (input: JarmAuthResponseParams | JarmDirectPostJwtResponseParams) => Promise<OAuthAuthRequestGetParamsOut>;
+    };
+  };
+  jwe: {
+    decryptCompact: (input: { jwe: string; jwk: { kid: string } }) => Promise<{ plaintext: string }>;
+  };
+}

package/lib/jarm-auth-response/index.ts

@@ -0,0 +1,4 @@
+export * from './c-jarm-auth-response.js';
+export * from './jarm-auth-response.js';
+export * from './v-jarm-auth-response-params.js';
+export * from './v-jarm-direct-post-jwt-auth-response-params.js';

package/lib/jarm-auth-response/jarm-auth-response.ts

@@ -0,0 +1,106 @@
+import { decodeProtectedHeader, isJwe, isJws } from '@sphereon/oid4vc-common';
+import * as v from 'valibot';
+
+import type { JarmDirectPostJwtResponseParams } from '../index.js';
+
+import type { AuthRequestParams, JarmDirectPostJwtAuthResponseValidationContext } from './c-jarm-auth-response.js';
+import { vJarmAuthResponseErrorParams } from './v-jarm-auth-response-params.js';
+import { jarmAuthResponseDirectPostValidateParams, vJarmDirectPostJwtParams } from './v-jarm-direct-post-jwt-auth-response-params.js';
+
+export interface JarmDirectPostJwtAuthResponseValidation {
+  /**
+   * The JARM response parameter conveyed either as url query param, fragment param, or application/x-www-form-urlencoded in the body of a post request
+   */
+  response: string;
+}
+
+const parseJarmAuthResponseParams = <Schema extends v.BaseSchema<unknown, unknown, v.BaseIssue<unknown>>>(
+  schema: Schema,
+  responseParams: unknown,
+) => {
+  if (v.is(vJarmAuthResponseErrorParams, responseParams)) {
+    const errorResponseJson = JSON.stringify(responseParams, undefined, 2);
+    throw new Error(`Received error response from authorization server. '${errorResponseJson}'`);
+  }
+
+  return v.parse(schema, responseParams);
+};
+
+const decryptJarmAuthResponse = async (input: { response: string }, ctx: JarmDirectPostJwtAuthResponseValidationContext) => {
+  const { response } = input;
+
+  const responseProtectedHeader = decodeProtectedHeader(response);
+  if (!responseProtectedHeader.kid) {
+    throw new Error(`Jarm JWE is missing the protected header field 'kid'.`);
+  }
+
+  const { plaintext } = await ctx.jwe.decryptCompact({
+    jwe: response,
+    jwk: { kid: responseProtectedHeader.kid },
+  });
+
+  return plaintext;
+};
+
+/**
+ * Validate a JARM direct_post.jwt compliant authentication response
+ * * The decryption key should be resolvable using the the protected header's 'kid' field
+ * * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.
+ */
+export const jarmAuthResponseDirectPostJwtValidate = async (
+  input: JarmDirectPostJwtAuthResponseValidation,
+  ctx: JarmDirectPostJwtAuthResponseValidationContext,
+) => {
+  const { response } = input;
+
+  const responseIsEncrypted = isJwe(response);
+  const decryptedResponse = responseIsEncrypted ? await decryptJarmAuthResponse(input, ctx) : response;
+
+  const responseIsSigned = isJws(decryptedResponse);
+  if (!responseIsEncrypted && !responseIsSigned) {
+    throw new Error('Jarm Auth Response must be either encrypted, signed, or signed and encrypted.');
+  }
+
+  let authResponseParams: JarmDirectPostJwtResponseParams;
+  let authRequestParams: AuthRequestParams;
+
+  if (responseIsSigned) {
+    throw new Error('Signed JARM responses are not supported.');
+    //const jwsProtectedHeader = decodeProtectedHeader(decryptedResponse);
+    //const jwsPayload = decodeJwt(decryptedResponse);
+
+    //const schema = v.required(vJarmDirectPostJwtParams, ['iss', 'aud', 'exp']);
+    //const responseParams = parseJarmAuthResponseParams(schema, jwsPayload);
+    //({ authRequestParams } = await ctx.openid4vp.authRequest.getParams(responseParams));
+
+    //if (!jwsProtectedHeader.kid) {
+    //throw new Error(`Jarm JWS is missing the protected header field 'kid'.`);
+    //}
+
+    //await ctx.jose.jws.verifyJwt({
+    //jws: decryptedResponse,
+    //jwk: { kid: jwsProtectedHeader.kid, kty: 'auto' },
+    //});
+    //authResponseParams = responseParams;
+  } else {
+    const jsonResponse: unknown = JSON.parse(decryptedResponse);
+    authResponseParams = parseJarmAuthResponseParams(vJarmDirectPostJwtParams, jsonResponse);
+    ({ authRequestParams } = await ctx.openid4vp.authRequest.getParams(authResponseParams));
+  }
+
+  jarmAuthResponseDirectPostValidateParams({
+    authRequestParams,
+    authResponseParams,
+  });
+
+  let type: 'signed encrypted' | 'encrypted' | 'signed';
+  if (responseIsSigned && responseIsEncrypted) type = 'signed encrypted';
+  else if (responseIsEncrypted) type = 'encrypted';
+  else type = 'signed';
+
+  return {
+    authRequestParams,
+    authResponseParams,
+    type,
+  };
+};

package/lib/jarm-auth-response/v-jarm-auth-response-params.ts

@@ -0,0 +1,62 @@
+import { checkExp } from '@sphereon/oid4vc-common';
+import * as v from 'valibot';
+
+export const vJarmAuthResponseErrorParams = v.looseObject({
+  error: v.string(),
+  state: v.optional(v.string()),
+
+  error_description: v.pipe(
+    v.optional(v.string()),
+    v.description('Text providing additional information, used to assist the client developer in understanding the error that occurred.'),
+  ),
+
+  error_uri: v.pipe(
+    v.optional(v.pipe(v.string(), v.url())),
+    v.description(
+      'A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error',
+    ),
+  ),
+});
+
+export const vJarmAuthResponseParams = v.looseObject({
+  state: v.optional(v.string()),
+
+  /**
+   * The issuer URL of the authorization server that created the response
+   */
+  iss: v.string(),
+
+  /**
+   * The client_id of the client the response is intended for
+   */
+  exp: v.number(),
+
+  /**
+   * Expiration of the JWT
+   */
+  aud: v.string(),
+});
+
+export type JarmAuthResponseParams = v.InferInput<typeof vJarmAuthResponseParams>;
+
+export const validateJarmAuthResponseParams = (input: {
+  authRequestParams: { client_id: string; state?: string };
+  authResponseParams: JarmAuthResponseParams;
+}) => {
+  const { authRequestParams, authResponseParams } = input;
+  // 2. The client obtains the state parameter from the JWT and checks its binding to the user agent. If the check fails, the client MUST abort processing and refuse the response.
+  if (authRequestParams.state !== authResponseParams.state) {
+    throw new Error(`State missmatch in jarm-auth-response. Expected '${authRequestParams.state}' received '${authRequestParams.state}'.`);
+  }
+
+  // 4. The client obtains the aud element from the JWT and checks whether it matches the client id the client used to identify itself in the corresponding authorization request. If the check fails, the client MUST abort processing and refuse the response.
+  if (authRequestParams.client_id !== authResponseParams.client_id) {
+    throw new Error(`Invalid audience in jarm-auth-response. Expected '${authRequestParams.client_id}' received '${authResponseParams.aud}'.`);
+  }
+
+  // 5. The client checks the JWT's exp element to determine if the JWT is still valid. If the check fails, the client MUST abort processing and refuse the response.
+  // 120 seconds clock skew
+  if (checkExp({ exp: authResponseParams.exp })) {
+    throw new Error(`The '${authRequestParams.state}' and the jarm-auth-response.`);
+  }
+};

package/lib/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.ts

@@ -0,0 +1,26 @@
+import * as v from 'valibot';
+
+import { vJarmAuthResponseParams } from './v-jarm-auth-response-params.js';
+
+export const vJarmDirectPostJwtParams = v.looseObject({
+  ...v.omit(vJarmAuthResponseParams, ['iss', 'aud', 'exp']).entries,
+  ...v.partial(v.pick(vJarmAuthResponseParams, ['iss', 'aud', 'exp'])).entries,
+
+  vp_token: v.string(),
+  presentation_submission: v.unknown(),
+  nonce: v.optional(v.string()),
+});
+
+export type JarmDirectPostJwtResponseParams = v.InferInput<typeof vJarmDirectPostJwtParams>;
+
+export const jarmAuthResponseDirectPostValidateParams = (input: {
+  authRequestParams: { state?: string };
+  authResponseParams: JarmDirectPostJwtResponseParams;
+}) => {
+  const { authRequestParams, authResponseParams } = input;
+
+  // 2. The client obtains the state parameter from the JWT and checks its binding to the user agent. If the check fails, the client MUST abort processing and refuse the response.
+  if (authRequestParams.state !== authResponseParams.state) {
+    throw new Error(`State missmatch between auth request '${authRequestParams.state}' and the jarm-auth-response.`);
+  }
+};

package/lib/jarm-auth-response-send/index.ts

@@ -0,0 +1 @@
+export * from './jarm-auth-response-send.js';

package/lib/jarm-auth-response-send/jarm-auth-response-send.ts

@@ -0,0 +1,76 @@
+import { appendFragmentParams, appendQueryParams } from '../utils.js';
+import type { JarmResponseMode, Openid4vpJarmResponseMode } from '../v-response-mode-registry.js';
+import { getJarmDefaultResponseMode, validateResponseMode } from '../v-response-mode-registry.js';
+import type { ResponseTypeOut } from '../v-response-type-registry.js';
+
+interface JarmAuthResponseSendInput {
+  authRequestParams: {
+    response_mode?: JarmResponseMode | Openid4vpJarmResponseMode;
+    response_type: ResponseTypeOut;
+  } & (
+    | {
+        response_uri: string;
+      }
+    | {
+        redirect_uri: string;
+      }
+  );
+
+  authResponse: string;
+}
+
+export const jarmAuthResponseSend = async (input: JarmAuthResponseSendInput): Promise<Response> => {
+  const { authRequestParams, authResponse } = input;
+
+  const responseEndpoint = 'response_uri' in authRequestParams ? new URL(authRequestParams.response_uri) : new URL(authRequestParams.redirect_uri);
+
+  const responseMode =
+    authRequestParams.response_mode && authRequestParams.response_mode !== 'jwt'
+      ? authRequestParams.response_mode
+      : getJarmDefaultResponseMode(authRequestParams);
+
+  validateResponseMode({
+    response_type: authRequestParams.response_type,
+    response_mode: responseMode,
+  });
+
+  switch (responseMode) {
+    case 'direct_post.jwt':
+      return handleDirectPostJwt(responseEndpoint, authResponse);
+    case 'query.jwt':
+      return handleQueryJwt(responseEndpoint, authResponse);
+    case 'fragment.jwt':
+      return handleFragmentJwt(responseEndpoint, authResponse);
+    case 'form_post.jwt':
+      throw new Error('Not implemented');
+  }
+};
+
+async function handleDirectPostJwt(responseEndpoint: URL, responseJwt: string) {
+  const response = await fetch(responseEndpoint, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: `response=${responseJwt}`,
+  });
+
+  return response;
+}
+
+async function handleQueryJwt(responseEndpoint: URL, responseJwt: string) {
+  const responseUrl = appendQueryParams({
+    url: responseEndpoint,
+    params: { response: responseJwt },
+  });
+
+  const response = await fetch(responseUrl, { method: 'POST' });
+  return response;
+}
+
+async function handleFragmentJwt(responseEndpoint: URL, responseJwt: string) {
+  const responseUrl = appendFragmentParams({
+    url: responseEndpoint,
+    fragments: { response: responseJwt },
+  });
+  const response = await fetch(responseUrl, { method: 'POST' });
+  return response;
+}

package/lib/metadata/index.ts

@@ -0,0 +1,3 @@
+export * from './v-jarm-client-metadata.js';
+export * from './v-jarm-server-metadata.js';
+export * from './jarm-validate-metadata.js';