npm - @sphereon/jarm - Versions diffs - 0.16.1-unstable.105 - Mend

@sphereon/jarm 0.16.1-unstable.105

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

package/LICENSE +201 -0
package/dist/index.d.ts +4 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +20 -0
package/dist/index.js.map +1 -0
package/dist/jarm-auth-response/c-jarm-auth-response.d.ts +55 -0
package/dist/jarm-auth-response/c-jarm-auth-response.d.ts.map +1 -0
package/dist/jarm-auth-response/c-jarm-auth-response.js +45 -0
package/dist/jarm-auth-response/c-jarm-auth-response.js.map +1 -0
package/dist/jarm-auth-response/index.d.ts +5 -0
package/dist/jarm-auth-response/index.d.ts.map +1 -0
package/dist/jarm-auth-response/index.js +21 -0
package/dist/jarm-auth-response/index.js.map +1 -0
package/dist/jarm-auth-response/jarm-auth-response.d.ts +48 -0
package/dist/jarm-auth-response/jarm-auth-response.d.ts.map +1 -0
package/dist/jarm-auth-response/jarm-auth-response.js +113 -0
package/dist/jarm-auth-response/jarm-auth-response.js.map +1 -0
package/dist/jarm-auth-response/v-jarm-auth-response-params.d.ts +31 -0
package/dist/jarm-auth-response/v-jarm-auth-response-params.d.ts.map +1 -0
package/dist/jarm-auth-response/v-jarm-auth-response-params.js +67 -0
package/dist/jarm-auth-response/v-jarm-auth-response-params.js.map +1 -0
package/dist/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.d.ts +18 -0
package/dist/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.d.ts.map +1 -0
package/dist/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.js +38 -0
package/dist/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.js.map +1 -0
package/dist/jarm-auth-response-send/index.d.ts +2 -0
package/dist/jarm-auth-response-send/index.d.ts.map +1 -0
package/dist/jarm-auth-response-send/index.js +18 -0
package/dist/jarm-auth-response-send/index.js.map +1 -0
package/dist/jarm-auth-response-send/jarm-auth-response-send.d.ts +16 -0
package/dist/jarm-auth-response-send/jarm-auth-response-send.d.ts.map +1 -0
package/dist/jarm-auth-response-send/jarm-auth-response-send.js +67 -0
package/dist/jarm-auth-response-send/jarm-auth-response-send.js.map +1 -0
package/dist/metadata/index.d.ts +4 -0
package/dist/metadata/index.d.ts.map +1 -0
package/dist/metadata/index.js +20 -0
package/dist/metadata/index.js.map +1 -0
package/dist/metadata/jarm-validate-metadata.d.ts +70 -0
package/dist/metadata/jarm-validate-metadata.d.ts.map +1 -0
package/dist/metadata/jarm-validate-metadata.js +98 -0
package/dist/metadata/jarm-validate-metadata.js.map +1 -0
package/dist/metadata/v-jarm-client-metadata.d.ts +34 -0
package/dist/metadata/v-jarm-client-metadata.d.ts.map +1 -0
package/dist/metadata/v-jarm-client-metadata.js +44 -0
package/dist/metadata/v-jarm-client-metadata.js.map +1 -0
package/dist/metadata/v-jarm-server-metadata.d.ts +11 -0
package/dist/metadata/v-jarm-server-metadata.d.ts.map +1 -0
package/dist/metadata/v-jarm-server-metadata.js +36 -0
package/dist/metadata/v-jarm-server-metadata.js.map +1 -0
package/dist/utils.d.ts +17 -0
package/dist/utils.d.ts.map +1 -0
package/dist/utils.js +34 -0
package/dist/utils.js.map +1 -0
package/dist/v-response-mode-registry.d.ts +30 -0
package/dist/v-response-mode-registry.d.ts.map +1 -0
package/dist/v-response-mode-registry.js +90 -0
package/dist/v-response-mode-registry.js.map +1 -0
package/dist/v-response-type-registry.d.ts +9 -0
package/dist/v-response-type-registry.d.ts.map +1 -0
package/dist/v-response-type-registry.js +38 -0
package/dist/v-response-type-registry.js.map +1 -0
package/lib/index.ts +3 -0
package/lib/jarm-auth-response/c-jarm-auth-response.ts +41 -0
package/lib/jarm-auth-response/index.ts +4 -0
package/lib/jarm-auth-response/jarm-auth-response.ts +106 -0
package/lib/jarm-auth-response/v-jarm-auth-response-params.ts +62 -0
package/lib/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.ts +26 -0
package/lib/jarm-auth-response-send/index.ts +1 -0
package/lib/jarm-auth-response-send/jarm-auth-response-send.ts +76 -0
package/lib/metadata/index.ts +3 -0
package/lib/metadata/jarm-validate-metadata.ts +80 -0
package/lib/metadata/v-jarm-client-metadata.ts +42 -0
package/lib/metadata/v-jarm-server-metadata.ts +29 -0
package/lib/utils.ts +42 -0
package/lib/v-response-mode-registry.ts +81 -0
package/lib/v-response-type-registry.ts +23 -0
package/package.json +44 -0

package/lib/metadata/jarm-validate-metadata.ts ADDED Viewed

@@ -0,0 +1,80 @@
+import * as v from 'valibot';
+import {
+  vJarmClientMetadata,
+  vJarmClientMetadataEncrypt,
+  vJarmClientMetadataSign,
+  vJarmClientMetadataSignEncrypt,
+} from '../metadata/v-jarm-client-metadata.js';
+import { vJarmServerMetadata } from '../metadata/v-jarm-server-metadata.js';
+import { assertValueSupported } from '../utils.js';
+export const vJarmAuthResponseValidateMetadataInput = v.object({
+  client_metadata: vJarmClientMetadata,
+  server_metadata: v.partial(vJarmServerMetadata),
+});
+export type JarmMetadataValidate = v.InferInput<typeof vJarmAuthResponseValidateMetadataInput>;
+export const vJarmMetadataValidateOut = v.variant('type', [
+  v.object({
+    type: v.literal('signed'),
+    client_metadata: vJarmClientMetadataSign,
+  }),
+  v.object({
+    type: v.literal('encrypted'),
+    client_metadata: vJarmClientMetadataEncrypt,
+  }),
+  v.object({
+    type: v.literal('signed encrypted'),
+    client_metadata: vJarmClientMetadataSignEncrypt,
+  }),
+]);
+export const jarmMetadataValidate = (vJarmMetadataValidate: JarmMetadataValidate): v.InferOutput<typeof vJarmMetadataValidateOut> => {
+  const { client_metadata, server_metadata } = vJarmMetadataValidate;
+  const { authorization_encrypted_response_alg, authorization_encrypted_response_enc, authorization_signed_response_alg } = client_metadata;
+  assertValueSupported({
+    supported: server_metadata.authorization_signing_alg_values_supported ?? [],
+    actual: authorization_signed_response_alg,
+    required: !!authorization_signed_response_alg,
+    error: new Error('Invalid authorization_signed_response_alg'),
+  });
+  assertValueSupported({
+    supported: server_metadata.authorization_encryption_alg_values_supported ?? [],
+    actual: authorization_encrypted_response_alg,
+    required: !!authorization_encrypted_response_alg,
+    error: new Error('Invalid authorization_encrypted_response_alg'),
+  });
+  assertValueSupported({
+    supported: server_metadata.authorization_encryption_enc_values_supported ?? [],
+    actual: authorization_encrypted_response_enc,
+    required: !!authorization_encrypted_response_enc,
+    error: new Error('Invalid authorization_encrypted_response_enc'),
+  });
+  if (authorization_signed_response_alg && authorization_encrypted_response_alg && authorization_encrypted_response_enc) {
+    return {
+      type: 'signed encrypted',
+      client_metadata: {
+        authorization_signed_response_alg,
+        authorization_encrypted_response_alg,
+        authorization_encrypted_response_enc,
+      },
+    };
+  } else if (authorization_signed_response_alg && !authorization_encrypted_response_alg && !authorization_encrypted_response_enc) {
+    return {
+      type: 'signed',
+      client_metadata: { authorization_signed_response_alg },
+    };
+  } else if (!authorization_signed_response_alg && authorization_encrypted_response_alg && authorization_encrypted_response_enc) {
+    return {
+      type: 'encrypted',
+      client_metadata: { authorization_encrypted_response_alg, authorization_encrypted_response_enc },
+    };
+  } else {
+    throw new Error(`Invalid jarm client_metadata combination`);
+  }
+};

package/lib/metadata/v-jarm-client-metadata.ts ADDED Viewed

@@ -0,0 +1,42 @@
+import * as v from 'valibot';
+export const vJarmClientMetadataSign = v.object({
+  authorization_signed_response_alg: v.pipe(
+    v.optional(v.string()), // @default 'RS256'  This makes no sense with openid4vp if just encrypted can be specified
+    v.description(
+      'JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.',
+    ),
+  ),
+  authorization_encrypted_response_alg: v.optional(v.never()),
+  authorization_encrypted_response_enc: v.optional(v.never()),
+});
+export const vJarmClientMetadataEncrypt = v.object({
+  authorization_signed_response_alg: v.optional(v.never()),
+  authorization_encrypted_response_alg: v.pipe(
+    v.string(),
+    v.description(
+      'JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.',
+    ),
+  ),
+  authorization_encrypted_response_enc: v.pipe(
+    v.optional(v.string(), 'A128CBC-HS256'),
+    v.description(
+      'JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.',
+    ),
+  ),
+});
+export const vJarmClientMetadataSignEncrypt = v.object({
+  ...v.pick(vJarmClientMetadataSign, ['authorization_signed_response_alg']).entries,
+  ...v.pick(vJarmClientMetadataEncrypt, ['authorization_encrypted_response_alg', 'authorization_encrypted_response_enc']).entries,
+});
+/**
+ * Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.
+ */
+export const vJarmClientMetadata = v.union([vJarmClientMetadataSign, vJarmClientMetadataEncrypt, vJarmClientMetadataSignEncrypt]);
+export type JarmClientMetadata = v.InferInput<typeof vJarmClientMetadata>;

package/lib/metadata/v-jarm-server-metadata.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import * as v from 'valibot';
+/**
+ * Authorization servers SHOULD publish the supported algorithms for signing and encrypting the JWT of an authorization response by utilizing OAuth 2.0 Authorization Server Metadata [RFC8414] parameters.
+ */
+export const vJarmServerMetadata = v.object({
+  authorization_signing_alg_values_supported: v.pipe(
+    v.array(v.string()),
+    v.description(
+      'JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to sign the response.',
+    ),
+  ),
+  authorization_encryption_alg_values_supported: v.pipe(
+    v.array(v.string()),
+    v.description(
+      'JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.',
+    ),
+  ),
+  authorization_encryption_enc_values_supported: v.pipe(
+    v.array(v.string()),
+    v.description(
+      'JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.',
+    ),
+  ),
+});
+export type JarmServerMetadata = v.InferInput<typeof vJarmServerMetadata>;

package/lib/utils.ts ADDED Viewed

@@ -0,0 +1,42 @@
+export function appendQueryParams(input: { url: URL; params: Record<string, string | number | boolean> }) {
+  const { url, params } = input;
+  // Append the new query parameters from the params object
+  for (const [key, value] of Object.entries(params)) {
+    url.searchParams.append(key, encodeURIComponent(value));
+  }
+  return url;
+}
+export function appendFragmentParams(input: { url: URL; fragments: Record<string, string | number | boolean> }) {
+  const { url, fragments } = input;
+  // Convert existing fragment to an object and remove the leading '#'
+  const fragmentParams = new URLSearchParams(url.hash.slice(1)); // Remove the leading '#' from the fragment
+  // Append the new fragments from the fragments object
+  for (const [key, value] of Object.entries(fragments)) {
+    fragmentParams.append(key, encodeURIComponent(value));
+  }
+  // Rebuild the fragment string and assign it to the URL
+  url.hash = fragmentParams.toString();
+  return url;
+}
+interface AssertValueSupported<T> {
+  supported: T[];
+  actual: T;
+  error: Error;
+  required: boolean;
+}
+export function assertValueSupported<T>(input: AssertValueSupported<T>): T | undefined {
+  const { required, error, supported, actual } = input;
+  const intersection = supported.find((value) => value === actual);
+  if (required && !intersection) throw error;
+  return intersection;
+}

package/lib/v-response-mode-registry.ts ADDED Viewed

@@ -0,0 +1,81 @@
+import * as v from 'valibot';
+import type { ResponseTypeOut } from './v-response-type-registry.js';
+export const vJarmResponseMode = v.picklist(['jwt', 'query.jwt', 'fragment.jwt', 'form_post.jwt']);
+export type JarmResponseMode = v.InferInput<typeof vJarmResponseMode>;
+export const vOpenid4vpResponseMode = v.picklist(['direct_post']);
+export type Openid4vpResponseMode = v.InferInput<typeof vOpenid4vpResponseMode>;
+/**
+ *  * 'direct_post.jwt' The response is send as HTTP POST request using the application/x-www-form-urlencoded content type. The body contains a single parameter response which is the JWT encoded Response as defined in JARM 4.1
+ */
+export const vOpenid4vpJarmResponseMode = v.picklist(['direct_post.jwt']);
+export type Openid4vpJarmResponseMode = v.InferInput<typeof vOpenid4vpJarmResponseMode>;
+/**
+ *  The use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.
+ *  * 'query' In this mode, Authorization Response parameters are encoded in the query string added to the redirect_uri when redirecting back to the Client.
+ *  * 'fragment' In this mode, Authorization Response parameters are encoded in the fragment added to the redirect_uri when redirecting back to the Client.
+ *  * 'direct_post' the Authorization Response is send to an endpoint controlled by the Verifier via an HTTP POST request.
+ */
+export const vResponseMode = v.pipe(
+  v.picklist(['query', 'fragment', ...vOpenid4vpResponseMode.options, ...vJarmResponseMode.options, ...vOpenid4vpJarmResponseMode.options]),
+  v.description('Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.'),
+);
+export type ResponseMode = v.InferInput<typeof vResponseMode>;
+const getDisAllowedResponseModes = (input: { response_type: ResponseTypeOut }): [ResponseMode, ...ResponseMode[]] | undefined => {
+  const { response_type } = input;
+  switch (response_type) {
+    case 'code token':
+      return ['query'];
+    case 'code id_token':
+      return ['query'];
+    case 'id_token token':
+      return ['query'];
+    case 'code id_token token':
+      return ['query'];
+  }
+  return undefined;
+};
+export const getDefaultResponseMode = (input: { response_type: ResponseTypeOut }): 'query' | 'fragment' => {
+  const { response_type } = input;
+  switch (response_type) {
+    case 'code':
+    case 'none':
+      return 'query';
+    case 'token':
+    case 'id_token':
+    case 'code token':
+    case 'code id_token':
+    case 'id_token token':
+    case 'code id_token token':
+    case 'vp_token':
+    case 'id_token vp_token':
+      return 'fragment';
+  }
+};
+export const getJarmDefaultResponseMode = (input: { response_type: ResponseTypeOut }): 'query.jwt' | 'fragment.jwt' => {
+  const responseMode = getDefaultResponseMode(input);
+  switch (responseMode) {
+    case 'query':
+      return 'query.jwt';
+    case 'fragment':
+      return 'fragment.jwt';
+  }
+};
+export const validateResponseMode = (input: { response_type: ResponseTypeOut; response_mode: ResponseMode }) => {
+  const disallowedResponseModes = getDisAllowedResponseModes(input);
+  if (disallowedResponseModes?.includes(input.response_mode)) {
+    throw new Error(`Response_type '${input.response_type}' is not compatible with response_mode '${input.response_mode}'.`);
+  }
+};

package/lib/v-response-type-registry.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import * as v from 'valibot';
+export const oAuthResponseTypes = v.picklist(['code', 'token']);
+// NOTE: MAKE SURE THAT THE RESPONSE TYPES ARE SORTED CORRECTLY
+export const oAuthMRTEPResponseTypes = v.picklist(['none', 'id_token', 'code token', 'code id_token', 'id_token token', 'code id_token token']);
+export const openid4vpResponseTypes = v.picklist(['vp_token', 'id_token vp_token']);
+export const vTransformedResponseTypes = v.picklist([
+  ...openid4vpResponseTypes.options,
+  ...oAuthResponseTypes.options,
+  ...oAuthMRTEPResponseTypes.options,
+]);
+export const vResponseType = v.pipe(
+  v.string(),
+  v.transform((val) => val.split(' ').sort().join(' ')),
+  vTransformedResponseTypes,
+);
+export type ResponseType = v.InferInput<typeof vTransformedResponseTypes>;
+export type ResponseTypeOut = v.InferOutput<typeof vTransformedResponseTypes>;

package/package.json ADDED Viewed

@@ -0,0 +1,44 @@
+{
+  "name": "@sphereon/jarm",
+  "version": "0.16.1-unstable.105+7effabd",
+  "description": "Sphereon JARM",
+  "source": "lib/index.ts",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "build:clean": "tsc --build --clean && tsc --build"
+  },
+  "dependencies": {
+    "@sphereon/oid4vc-common": "0.16.1-unstable.105+7effabd",
+    "valibot": "^0.42.1"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "files": [
+    "lib/**/*",
+    "dist/**/*"
+  ],
+  "prettier": {
+    "singleQuote": true,
+    "printWidth": 150
+  },
+  "keywords": [
+    "Sphereon",
+    "Verifiable Credentials",
+    "OpenID",
+    "OpenID for Verifiable Credential Issuance",
+    "OAuth2",
+    "SSI",
+    "JARM",
+    "OpenId for Verifiable Presentations"
+  ],
+  "author": "Sphereon",
+  "license": "Apache-2.0",
+  "private": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "gitHead": "7effabdc57c70cdebe61d54e42890bcc83953b0b"
+}