@sphereon/jarm 0.17.0 → 0.17.1-feature.esm.cjs.25

package/dist/v-response-type-registry.js

@@ -1,38 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.vResponseType = exports.vTransformedResponseTypes = exports.openid4vpResponseTypes = exports.oAuthMRTEPResponseTypes = exports.oAuthResponseTypes = void 0;
-const v = __importStar(require("valibot"));
-exports.oAuthResponseTypes = v.picklist(['code', 'token']);
-// NOTE: MAKE SURE THAT THE RESPONSE TYPES ARE SORTED CORRECTLY
-exports.oAuthMRTEPResponseTypes = v.picklist(['none', 'id_token', 'code token', 'code id_token', 'id_token token', 'code id_token token']);
-exports.openid4vpResponseTypes = v.picklist(['vp_token', 'id_token vp_token']);
-exports.vTransformedResponseTypes = v.picklist([
-    ...exports.openid4vpResponseTypes.options,
-    ...exports.oAuthResponseTypes.options,
-    ...exports.oAuthMRTEPResponseTypes.options,
-]);
-exports.vResponseType = v.pipe(v.string(), v.transform((val) => val.split(' ').sort().join(' ')), exports.vTransformedResponseTypes);
-//# sourceMappingURL=v-response-type-registry.js.map

package/dist/v-response-type-registry.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"v-response-type-registry.js","sourceRoot":"","sources":["../lib/v-response-type-registry.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA6B;AAEhB,QAAA,kBAAkB,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAEhE,+DAA+D;AAClD,QAAA,uBAAuB,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,qBAAqB,CAAC,CAAC,CAAC;AAEnI,QAAA,sBAAsB,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC,CAAC;AAEvE,QAAA,yBAAyB,GAAG,CAAC,CAAC,QAAQ,CAAC;IAClD,GAAG,8BAAsB,CAAC,OAAO;IACjC,GAAG,0BAAkB,CAAC,OAAO;IAC7B,GAAG,+BAAuB,CAAC,OAAO;CACnC,CAAC,CAAC;AAEU,QAAA,aAAa,GAAG,CAAC,CAAC,IAAI,CACjC,CAAC,CAAC,MAAM,EAAE,EACV,CAAC,CAAC,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EACrD,iCAAyB,CAC1B,CAAC"}

package/lib/__tests__/jarm.spec.ts

@@ -1,5 +0,0 @@
-describe('jarm', () => {
-  it('should create some tests', () => {
-    expect(true).toBe(true);
-  });
-});

package/lib/index.ts

@@ -1,3 +0,0 @@
-export * from './jarm-auth-response-send/index.js';
-export * from './jarm-auth-response/index.js';
-export * from './metadata/index.js';

package/lib/jarm-auth-response/c-jarm-auth-response.ts

@@ -1,41 +0,0 @@
-import * as v from 'valibot';
-
-import { vJarmResponseMode, vOpenid4vpJarmResponseMode } from '../v-response-mode-registry.js';
-import { vResponseType } from '../v-response-type-registry.js';
-
-import type { JarmAuthResponseParams } from './v-jarm-auth-response-params.js';
-import type { JarmDirectPostJwtResponseParams } from './v-jarm-direct-post-jwt-auth-response-params.js';
-
-export const vAuthRequestParams = v.looseObject({
-  state: v.optional(v.string()),
-  response_mode: v.optional(v.union([vJarmResponseMode, vOpenid4vpJarmResponseMode])),
-  client_id: v.string(),
-  response_type: vResponseType,
-  client_metadata: v.looseObject({
-    jwks: v.optional(
-      v.object({
-        keys: v.array(v.looseObject({ kid: v.optional(v.string()), kty: v.string() })),
-      }),
-    ),
-    jwks_uri: v.optional(v.string()),
-  }),
-});
-
-export type AuthRequestParams = v.InferInput<typeof vAuthRequestParams>;
-
-export const vOAuthAuthRequestGetParamsOut = v.object({
-  authRequestParams: vAuthRequestParams,
-});
-
-export type OAuthAuthRequestGetParamsOut = v.InferOutput<typeof vOAuthAuthRequestGetParamsOut>;
-
-export interface JarmDirectPostJwtAuthResponseValidationContext {
-  openid4vp: {
-    authRequest: {
-      getParams: (input: JarmAuthResponseParams | JarmDirectPostJwtResponseParams) => Promise<OAuthAuthRequestGetParamsOut>;
-    };
-  };
-  jwe: {
-    decryptCompact: (input: { jwe: string; jwk: { kid: string } }) => Promise<{ plaintext: string }>;
-  };
-}

package/lib/jarm-auth-response/index.ts

@@ -1,4 +0,0 @@
-export * from './c-jarm-auth-response.js';
-export * from './jarm-auth-response.js';
-export * from './v-jarm-auth-response-params.js';
-export * from './v-jarm-direct-post-jwt-auth-response-params.js';

package/lib/jarm-auth-response/jarm-auth-response.ts

@@ -1,106 +0,0 @@
-import { decodeProtectedHeader, isJwe, isJws } from '@sphereon/oid4vc-common';
-import * as v from 'valibot';
-
-import type { JarmDirectPostJwtResponseParams } from '../index.js';
-
-import type { AuthRequestParams, JarmDirectPostJwtAuthResponseValidationContext } from './c-jarm-auth-response.js';
-import { vJarmAuthResponseErrorParams } from './v-jarm-auth-response-params.js';
-import { jarmAuthResponseDirectPostValidateParams, vJarmDirectPostJwtParams } from './v-jarm-direct-post-jwt-auth-response-params.js';
-
-export interface JarmDirectPostJwtAuthResponseValidation {
-  /**
-   * The JARM response parameter conveyed either as url query param, fragment param, or application/x-www-form-urlencoded in the body of a post request
-   */
-  response: string;
-}
-
-const parseJarmAuthResponseParams = <Schema extends v.BaseSchema<unknown, unknown, v.BaseIssue<unknown>>>(
-  schema: Schema,
-  responseParams: unknown,
-) => {
-  if (v.is(vJarmAuthResponseErrorParams, responseParams)) {
-    const errorResponseJson = JSON.stringify(responseParams, undefined, 2);
-    throw new Error(`Received error response from authorization server. '${errorResponseJson}'`);
-  }
-
-  return v.parse(schema, responseParams);
-};
-
-const decryptJarmAuthResponse = async (input: { response: string }, ctx: JarmDirectPostJwtAuthResponseValidationContext) => {
-  const { response } = input;
-
-  const responseProtectedHeader = decodeProtectedHeader(response);
-  if (!responseProtectedHeader.kid) {
-    throw new Error(`Jarm JWE is missing the protected header field 'kid'.`);
-  }
-
-  const { plaintext } = await ctx.jwe.decryptCompact({
-    jwe: response,
-    jwk: { kid: responseProtectedHeader.kid },
-  });
-
-  return plaintext;
-};
-
-/**
- * Validate a JARM direct_post.jwt compliant authentication response
- * * The decryption key should be resolvable using the the protected header's 'kid' field
- * * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.
- */
-export const jarmAuthResponseDirectPostJwtValidate = async (
-  input: JarmDirectPostJwtAuthResponseValidation,
-  ctx: JarmDirectPostJwtAuthResponseValidationContext,
-) => {
-  const { response } = input;
-
-  const responseIsEncrypted = isJwe(response);
-  const decryptedResponse = responseIsEncrypted ? await decryptJarmAuthResponse(input, ctx) : response;
-
-  const responseIsSigned = isJws(decryptedResponse);
-  if (!responseIsEncrypted && !responseIsSigned) {
-    throw new Error('Jarm Auth Response must be either encrypted, signed, or signed and encrypted.');
-  }
-
-  let authResponseParams: JarmDirectPostJwtResponseParams;
-  let authRequestParams: AuthRequestParams;
-
-  if (responseIsSigned) {
-    throw new Error('Signed JARM responses are not supported.');
-    //const jwsProtectedHeader = decodeProtectedHeader(decryptedResponse);
-    //const jwsPayload = decodeJwt(decryptedResponse);
-
-    //const schema = v.required(vJarmDirectPostJwtParams, ['iss', 'aud', 'exp']);
-    //const responseParams = parseJarmAuthResponseParams(schema, jwsPayload);
-    //({ authRequestParams } = await ctx.openid4vp.authRequest.getParams(responseParams));
-
-    //if (!jwsProtectedHeader.kid) {
-    //throw new Error(`Jarm JWS is missing the protected header field 'kid'.`);
-    //}
-
-    //await ctx.jose.jws.verifyJwt({
-    //jws: decryptedResponse,
-    //jwk: { kid: jwsProtectedHeader.kid, kty: 'auto' },
-    //});
-    //authResponseParams = responseParams;
-  } else {
-    const jsonResponse: unknown = JSON.parse(decryptedResponse);
-    authResponseParams = parseJarmAuthResponseParams(vJarmDirectPostJwtParams, jsonResponse);
-    ({ authRequestParams } = await ctx.openid4vp.authRequest.getParams(authResponseParams));
-  }
-
-  jarmAuthResponseDirectPostValidateParams({
-    authRequestParams,
-    authResponseParams,
-  });
-
-  let type: 'signed encrypted' | 'encrypted' | 'signed';
-  if (responseIsSigned && responseIsEncrypted) type = 'signed encrypted';
-  else if (responseIsEncrypted) type = 'encrypted';
-  else type = 'signed';
-
-  return {
-    authRequestParams,
-    authResponseParams,
-    type,
-  };
-};

package/lib/jarm-auth-response/v-jarm-auth-response-params.ts

@@ -1,62 +0,0 @@
-import { checkExp } from '@sphereon/oid4vc-common';
-import * as v from 'valibot';
-
-export const vJarmAuthResponseErrorParams = v.looseObject({
-  error: v.string(),
-  state: v.optional(v.string()),
-
-  error_description: v.pipe(
-    v.optional(v.string()),
-    v.description('Text providing additional information, used to assist the client developer in understanding the error that occurred.'),
-  ),
-
-  error_uri: v.pipe(
-    v.optional(v.pipe(v.string(), v.url())),
-    v.description(
-      'A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error',
-    ),
-  ),
-});
-
-export const vJarmAuthResponseParams = v.looseObject({
-  state: v.optional(v.string()),
-
-  /**
-   * The issuer URL of the authorization server that created the response
-   */
-  iss: v.string(),
-
-  /**
-   * Expiration of the JWT
-   */
-  exp: v.number(),
-
-  /**
-   * The client_id of the client the response is intended for
-   */
-  aud: v.string(),
-});
-
-export type JarmAuthResponseParams = v.InferInput<typeof vJarmAuthResponseParams>;
-
-export const validateJarmAuthResponseParams = (input: {
-  authRequestParams: { client_id: string; state?: string };
-  authResponseParams: JarmAuthResponseParams;
-}) => {
-  const { authRequestParams, authResponseParams } = input;
-  // 2. The client obtains the state parameter from the JWT and checks its binding to the user agent. If the check fails, the client MUST abort processing and refuse the response.
-  if (authRequestParams.state !== authResponseParams.state) {
-    throw new Error(`State missmatch in jarm-auth-response. Expected '${authRequestParams.state}' received '${authRequestParams.state}'.`);
-  }
-
-  // 4. The client obtains the aud element from the JWT and checks whether it matches the client id the client used to identify itself in the corresponding authorization request. If the check fails, the client MUST abort processing and refuse the response.
-  if (authRequestParams.client_id !== authResponseParams.aud) {
-    throw new Error(`Invalid audience in jarm-auth-response. Expected '${authRequestParams.client_id}' received '${authResponseParams.aud}'.`);
-  }
-
-  // 5. The client checks the JWT's exp element to determine if the JWT is still valid. If the check fails, the client MUST abort processing and refuse the response.
-  // 120 seconds clock skew
-  if (checkExp({ exp: authResponseParams.exp })) {
-    throw new Error(`The '${authRequestParams.state}' and the jarm-auth-response.`);
-  }
-};

package/lib/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.ts

@@ -1,26 +0,0 @@
-import * as v from 'valibot';
-
-import { vJarmAuthResponseParams } from './v-jarm-auth-response-params.js';
-
-export const vJarmDirectPostJwtParams = v.looseObject({
-  ...v.omit(vJarmAuthResponseParams, ['iss', 'aud', 'exp']).entries,
-  ...v.partial(v.pick(vJarmAuthResponseParams, ['iss', 'aud', 'exp'])).entries,
-
-  vp_token: v.union([v.string(), v.array(v.pipe(v.string(), v.nonEmpty()))]),
-  presentation_submission: v.unknown(),
-  nonce: v.optional(v.string()),
-});
-
-export type JarmDirectPostJwtResponseParams = v.InferInput<typeof vJarmDirectPostJwtParams>;
-
-export const jarmAuthResponseDirectPostValidateParams = (input: {
-  authRequestParams: { state?: string };
-  authResponseParams: JarmDirectPostJwtResponseParams;
-}) => {
-  const { authRequestParams, authResponseParams } = input;
-
-  // 2. The client obtains the state parameter from the JWT and checks its binding to the user agent. If the check fails, the client MUST abort processing and refuse the response.
-  if (authRequestParams.state !== authResponseParams.state) {
-    throw new Error(`State missmatch between auth request '${authRequestParams.state}' and the jarm-auth-response.`);
-  }
-};

package/lib/jarm-auth-response-send/index.ts

@@ -1 +0,0 @@
-export * from './jarm-auth-response-send.js';

package/lib/jarm-auth-response-send/jarm-auth-response-send.ts

@@ -1,76 +0,0 @@
-import { appendFragmentParams, appendQueryParams } from '../utils.js';
-import type { JarmResponseMode, Openid4vpJarmResponseMode } from '../v-response-mode-registry.js';
-import { getJarmDefaultResponseMode, validateResponseMode } from '../v-response-mode-registry.js';
-import type { ResponseTypeOut } from '../v-response-type-registry.js';
-
-interface JarmAuthResponseSendInput {
-  authRequestParams: {
-    response_mode?: JarmResponseMode | Openid4vpJarmResponseMode;
-    response_type: ResponseTypeOut;
-  } & (
-    | {
-        response_uri: string;
-      }
-    | {
-        redirect_uri: string;
-      }
-  );
-
-  authResponse: string;
-  state: string;
-}
-
-export const jarmAuthResponseSend = async (input: JarmAuthResponseSendInput): Promise<Response> => {
-  const { authRequestParams, authResponse, state } = input;
-
-  const responseEndpoint = 'response_uri' in authRequestParams ? new URL(authRequestParams.response_uri) : new URL(authRequestParams.redirect_uri);
-
-  const responseMode =
-    authRequestParams.response_mode && authRequestParams.response_mode !== 'jwt'
-      ? authRequestParams.response_mode
-      : getJarmDefaultResponseMode(authRequestParams);
-
-  validateResponseMode({
-    response_type: authRequestParams.response_type,
-    response_mode: responseMode,
-  });
-
-  switch (responseMode) {
-    case 'direct_post.jwt':
-      return handleDirectPostJwt(responseEndpoint, authResponse, state);
-    case 'query.jwt':
-      return handleQueryJwt(responseEndpoint, authResponse, state);
-    case 'fragment.jwt':
-      return handleFragmentJwt(responseEndpoint, authResponse, state);
-    case 'form_post.jwt':
-      throw new Error('Not implemented. form_post.jwt is not yet supported.');
-  }
-};
-
-async function handleDirectPostJwt(responseEndpoint: URL, responseJwt: string, state: string) {
-  const response = await fetch(responseEndpoint, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    body: `response=${responseJwt}&state=${state}`,
-  });
-  return response;
-}
-
-async function handleQueryJwt(responseEndpoint: URL, responseJwt: string, state: string) {
-  const responseUrl = appendQueryParams({
-    url: responseEndpoint,
-    params: { response: responseJwt, state },
-  });
-
-  const response = await fetch(responseUrl, { method: 'POST' });
-  return response;
-}
-
-async function handleFragmentJwt(responseEndpoint: URL, responseJwt: string, state: string) {
-  const responseUrl = appendFragmentParams({
-    url: responseEndpoint,
-    fragments: { response: responseJwt, state },
-  });
-  const response = await fetch(responseUrl, { method: 'POST' });
-  return response;
-}

package/lib/metadata/index.ts

@@ -1,3 +0,0 @@
-export * from './v-jarm-client-metadata.js';
-export * from './v-jarm-server-metadata.js';
-export * from './jarm-validate-metadata.js';

package/lib/metadata/jarm-validate-metadata.ts

@@ -1,80 +0,0 @@
-import * as v from 'valibot';
-
-import {
-  vJarmClientMetadata,
-  vJarmClientMetadataEncrypt,
-  vJarmClientMetadataSign,
-  vJarmClientMetadataSignEncrypt,
-} from '../metadata/v-jarm-client-metadata.js';
-import { vJarmServerMetadata } from '../metadata/v-jarm-server-metadata.js';
-import { assertValueSupported } from '../utils.js';
-
-export const vJarmAuthResponseValidateMetadataInput = v.object({
-  client_metadata: vJarmClientMetadata,
-  server_metadata: v.partial(vJarmServerMetadata),
-});
-export type JarmMetadataValidate = v.InferInput<typeof vJarmAuthResponseValidateMetadataInput>;
-
-export const vJarmMetadataValidateOut = v.variant('type', [
-  v.object({
-    type: v.literal('signed'),
-    client_metadata: vJarmClientMetadataSign,
-  }),
-  v.object({
-    type: v.literal('encrypted'),
-    client_metadata: vJarmClientMetadataEncrypt,
-  }),
-  v.object({
-    type: v.literal('signed encrypted'),
-    client_metadata: vJarmClientMetadataSignEncrypt,
-  }),
-]);
-
-export const jarmMetadataValidate = (vJarmMetadataValidate: JarmMetadataValidate): v.InferOutput<typeof vJarmMetadataValidateOut> => {
-  const { client_metadata, server_metadata } = vJarmMetadataValidate;
-  const { authorization_encrypted_response_alg, authorization_encrypted_response_enc, authorization_signed_response_alg } = client_metadata;
-
-  assertValueSupported({
-    supported: server_metadata.authorization_signing_alg_values_supported ?? [],
-    actual: authorization_signed_response_alg,
-    required: !!authorization_signed_response_alg,
-    error: new Error('Invalid authorization_signed_response_alg'),
-  });
-
-  assertValueSupported({
-    supported: server_metadata.authorization_encryption_alg_values_supported ?? [],
-    actual: authorization_encrypted_response_alg,
-    required: !!authorization_encrypted_response_alg,
-    error: new Error('Invalid authorization_encrypted_response_alg'),
-  });
-
-  assertValueSupported({
-    supported: server_metadata.authorization_encryption_enc_values_supported ?? [],
-    actual: authorization_encrypted_response_enc,
-    required: !!authorization_encrypted_response_enc,
-    error: new Error('Invalid authorization_encrypted_response_enc'),
-  });
-
-  if (authorization_signed_response_alg && authorization_encrypted_response_alg && authorization_encrypted_response_enc) {
-    return {
-      type: 'signed encrypted',
-      client_metadata: {
-        authorization_signed_response_alg,
-        authorization_encrypted_response_alg,
-        authorization_encrypted_response_enc,
-      },
-    };
-  } else if (authorization_signed_response_alg && !authorization_encrypted_response_alg && !authorization_encrypted_response_enc) {
-    return {
-      type: 'signed',
-      client_metadata: { authorization_signed_response_alg },
-    };
-  } else if (!authorization_signed_response_alg && authorization_encrypted_response_alg && authorization_encrypted_response_enc) {
-    return {
-      type: 'encrypted',
-      client_metadata: { authorization_encrypted_response_alg, authorization_encrypted_response_enc },
-    };
-  } else {
-    throw new Error(`Invalid jarm client_metadata combination`);
-  }
-};

package/lib/metadata/v-jarm-client-metadata.ts

@@ -1,42 +0,0 @@
-import * as v from 'valibot';
-
-export const vJarmClientMetadataSign = v.object({
-  authorization_signed_response_alg: v.pipe(
-    v.optional(v.string()), // @default 'RS256'  This makes no sense with openid4vp if just encrypted can be specified
-    v.description(
-      'JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.',
-    ),
-  ),
-
-  authorization_encrypted_response_alg: v.optional(v.never()),
-  authorization_encrypted_response_enc: v.optional(v.never()),
-});
-
-export const vJarmClientMetadataEncrypt = v.object({
-  authorization_signed_response_alg: v.optional(v.never()),
-  authorization_encrypted_response_alg: v.pipe(
-    v.string(),
-    v.description(
-      'JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.',
-    ),
-  ),
-
-  authorization_encrypted_response_enc: v.pipe(
-    v.optional(v.string(), 'A128CBC-HS256'),
-    v.description(
-      'JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.',
-    ),
-  ),
-});
-
-export const vJarmClientMetadataSignEncrypt = v.object({
-  ...v.pick(vJarmClientMetadataSign, ['authorization_signed_response_alg']).entries,
-  ...v.pick(vJarmClientMetadataEncrypt, ['authorization_encrypted_response_alg', 'authorization_encrypted_response_enc']).entries,
-});
-
-/**
- * Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.
- */
-export const vJarmClientMetadata = v.union([vJarmClientMetadataSign, vJarmClientMetadataEncrypt, vJarmClientMetadataSignEncrypt]);
-
-export type JarmClientMetadata = v.InferInput<typeof vJarmClientMetadata>;

package/lib/metadata/v-jarm-server-metadata.ts

@@ -1,29 +0,0 @@
-import * as v from 'valibot';
-
-/**
- * Authorization servers SHOULD publish the supported algorithms for signing and encrypting the JWT of an authorization response by utilizing OAuth 2.0 Authorization Server Metadata [RFC8414] parameters.
- */
-export const vJarmServerMetadata = v.object({
-  authorization_signing_alg_values_supported: v.pipe(
-    v.array(v.string()),
-    v.description(
-      'JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to sign the response.',
-    ),
-  ),
-
-  authorization_encryption_alg_values_supported: v.pipe(
-    v.array(v.string()),
-    v.description(
-      'JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.',
-    ),
-  ),
-
-  authorization_encryption_enc_values_supported: v.pipe(
-    v.array(v.string()),
-    v.description(
-      'JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.',
-    ),
-  ),
-});
-
-export type JarmServerMetadata = v.InferInput<typeof vJarmServerMetadata>;

package/lib/utils.ts

@@ -1,42 +0,0 @@
-export function appendQueryParams(input: { url: URL; params: Record<string, string | number | boolean> }) {
-  const { url, params } = input;
-
-  // Append the new query parameters from the params object
-  for (const [key, value] of Object.entries(params)) {
-    url.searchParams.append(key, encodeURIComponent(value));
-  }
-
-  return url;
-}
-
-export function appendFragmentParams(input: { url: URL; fragments: Record<string, string | number | boolean> }) {
-  const { url, fragments } = input;
-
-  // Convert existing fragment to an object and remove the leading '#'
-  const fragmentParams = new URLSearchParams(url.hash.slice(1)); // Remove the leading '#' from the fragment
-
-  // Append the new fragments from the fragments object
-  for (const [key, value] of Object.entries(fragments)) {
-    fragmentParams.append(key, encodeURIComponent(value));
-  }
-
-  // Rebuild the fragment string and assign it to the URL
-  url.hash = fragmentParams.toString();
-
-  return url;
-}
-
-interface AssertValueSupported<T> {
-  supported: T[];
-  actual: T;
-  error: Error;
-  required: boolean;
-}
-
-export function assertValueSupported<T>(input: AssertValueSupported<T>): T | undefined {
-  const { required, error, supported, actual } = input;
-  const intersection = supported.find((value) => value === actual);
-
-  if (required && !intersection) throw error;
-  return intersection;
-}

package/lib/v-response-mode-registry.ts

@@ -1,81 +0,0 @@
-import * as v from 'valibot';
-
-import type { ResponseTypeOut } from './v-response-type-registry.js';
-
-export const vJarmResponseMode = v.picklist(['jwt', 'query.jwt', 'fragment.jwt', 'form_post.jwt']);
-export type JarmResponseMode = v.InferInput<typeof vJarmResponseMode>;
-
-export const vOpenid4vpResponseMode = v.picklist(['direct_post']);
-export type Openid4vpResponseMode = v.InferInput<typeof vOpenid4vpResponseMode>;
-
-/**
- *  * 'direct_post.jwt' The response is send as HTTP POST request using the application/x-www-form-urlencoded content type. The body contains a single parameter response which is the JWT encoded Response as defined in JARM 4.1
- */
-export const vOpenid4vpJarmResponseMode = v.picklist(['direct_post.jwt']);
-export type Openid4vpJarmResponseMode = v.InferInput<typeof vOpenid4vpJarmResponseMode>;
-
-/**
- *  The use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.
- *  * 'query' In this mode, Authorization Response parameters are encoded in the query string added to the redirect_uri when redirecting back to the Client.
- *  * 'fragment' In this mode, Authorization Response parameters are encoded in the fragment added to the redirect_uri when redirecting back to the Client.
- *  * 'direct_post' the Authorization Response is send to an endpoint controlled by the Verifier via an HTTP POST request.
- */
-export const vResponseMode = v.pipe(
-  v.picklist(['query', 'fragment', ...vOpenid4vpResponseMode.options, ...vJarmResponseMode.options, ...vOpenid4vpJarmResponseMode.options]),
-  v.description('Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.'),
-);
-export type ResponseMode = v.InferInput<typeof vResponseMode>;
-
-const getDisAllowedResponseModes = (input: { response_type: ResponseTypeOut }): [ResponseMode, ...ResponseMode[]] | undefined => {
-  const { response_type } = input;
-
-  switch (response_type) {
-    case 'code token':
-      return ['query'];
-    case 'code id_token':
-      return ['query'];
-    case 'id_token token':
-      return ['query'];
-    case 'code id_token token':
-      return ['query'];
-  }
-  return undefined;
-};
-
-export const getDefaultResponseMode = (input: { response_type: ResponseTypeOut }): 'query' | 'fragment' => {
-  const { response_type } = input;
-
-  switch (response_type) {
-    case 'code':
-    case 'none':
-      return 'query';
-    case 'token':
-    case 'id_token':
-    case 'code token':
-    case 'code id_token':
-    case 'id_token token':
-    case 'code id_token token':
-    case 'vp_token':
-    case 'id_token vp_token':
-      return 'fragment';
-  }
-};
-
-export const getJarmDefaultResponseMode = (input: { response_type: ResponseTypeOut }): 'query.jwt' | 'fragment.jwt' => {
-  const responseMode = getDefaultResponseMode(input);
-
-  switch (responseMode) {
-    case 'query':
-      return 'query.jwt';
-    case 'fragment':
-      return 'fragment.jwt';
-  }
-};
-
-export const validateResponseMode = (input: { response_type: ResponseTypeOut; response_mode: ResponseMode }) => {
-  const disallowedResponseModes = getDisAllowedResponseModes(input);
-
-  if (disallowedResponseModes?.includes(input.response_mode)) {
-    throw new Error(`Response_type '${input.response_type}' is not compatible with response_mode '${input.response_mode}'.`);
-  }
-};