@sphereon/oid4vc-common 0.15.2-next.38
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +201 -0
- package/dist/dpop/DPoP.d.ts +60 -0
- package/dist/dpop/DPoP.d.ts.map +1 -0
- package/dist/dpop/DPoP.js +184 -0
- package/dist/dpop/DPoP.js.map +1 -0
- package/dist/dpop/index.d.ts +2 -0
- package/dist/dpop/index.d.ts.map +1 -0
- package/dist/dpop/index.js +18 -0
- package/dist/dpop/index.js.map +1 -0
- package/dist/hasher.d.ts +3 -0
- package/dist/hasher.d.ts.map +1 -0
- package/dist/hasher.js +18 -0
- package/dist/hasher.js.map +1 -0
- package/dist/index.d.ts +8 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +27 -0
- package/dist/index.js.map +1 -0
- package/dist/jwt/Jwk.types.d.ts +33 -0
- package/dist/jwt/Jwk.types.d.ts.map +1 -0
- package/dist/jwt/Jwk.types.js +3 -0
- package/dist/jwt/Jwk.types.js.map +1 -0
- package/dist/jwt/JwkThumbprint.d.ts +6 -0
- package/dist/jwt/JwkThumbprint.d.ts.map +1 -0
- package/dist/jwt/JwkThumbprint.js +102 -0
- package/dist/jwt/JwkThumbprint.js.map +1 -0
- package/dist/jwt/Jwt.types.d.ts +23 -0
- package/dist/jwt/Jwt.types.d.ts.map +1 -0
- package/dist/jwt/Jwt.types.js +12 -0
- package/dist/jwt/Jwt.types.js.map +1 -0
- package/dist/jwt/JwtIssuer.d.ts +52 -0
- package/dist/jwt/JwtIssuer.d.ts.map +1 -0
- package/dist/jwt/JwtIssuer.js +3 -0
- package/dist/jwt/JwtIssuer.js.map +1 -0
- package/dist/jwt/JwtVerifier.d.ts +72 -0
- package/dist/jwt/JwtVerifier.d.ts.map +1 -0
- package/dist/jwt/JwtVerifier.js +64 -0
- package/dist/jwt/JwtVerifier.js.map +1 -0
- package/dist/jwt/index.d.ts +7 -0
- package/dist/jwt/index.d.ts.map +1 -0
- package/dist/jwt/index.js +23 -0
- package/dist/jwt/index.js.map +1 -0
- package/dist/jwt/jwtUtils.d.ts +16 -0
- package/dist/jwt/jwtUtils.d.ts.map +1 -0
- package/dist/jwt/jwtUtils.js +38 -0
- package/dist/jwt/jwtUtils.js.map +1 -0
- package/dist/types/digest.types.d.ts +2 -0
- package/dist/types/digest.types.d.ts.map +1 -0
- package/dist/types/digest.types.js +3 -0
- package/dist/types/digest.types.js.map +1 -0
- package/dist/types/index.d.ts +2 -0
- package/dist/types/index.d.ts.map +1 -0
- package/dist/types/index.js +18 -0
- package/dist/types/index.js.map +1 -0
- package/lib/__tests__/dpop.spec.ts +124 -0
- package/lib/dpop/DPoP.ts +242 -0
- package/lib/dpop/index.ts +1 -0
- package/lib/hasher.ts +17 -0
- package/lib/index.ts +10 -0
- package/lib/jwt/Jwk.types.ts +34 -0
- package/lib/jwt/JwkThumbprint.ts +65 -0
- package/lib/jwt/Jwt.types.ts +25 -0
- package/lib/jwt/JwtIssuer.ts +62 -0
- package/lib/jwt/JwtVerifier.ts +113 -0
- package/lib/jwt/index.ts +6 -0
- package/lib/jwt/jwtUtils.ts +43 -0
- package/lib/types/digest.types.ts +1 -0
- package/lib/types/index.ts +1 -0
- package/package.json +56 -0
|
@@ -0,0 +1,102 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || function (mod) {
|
|
19
|
+
if (mod && mod.__esModule) return mod;
|
|
20
|
+
var result = {};
|
|
21
|
+
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
|
22
|
+
__setModuleDefault(result, mod);
|
|
23
|
+
return result;
|
|
24
|
+
};
|
|
25
|
+
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
|
|
26
|
+
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
|
|
27
|
+
return new (P || (P = Promise))(function (resolve, reject) {
|
|
28
|
+
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
|
|
29
|
+
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
|
|
30
|
+
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
|
|
31
|
+
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
32
|
+
});
|
|
33
|
+
};
|
|
34
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
35
|
+
exports.calculateJwkThumbprintUri = exports.getDigestAlgorithmFromJwkThumbprintUri = exports.calculateJwkThumbprint = void 0;
|
|
36
|
+
const u8a = __importStar(require("uint8arrays"));
|
|
37
|
+
const hasher_1 = require("../hasher");
|
|
38
|
+
const check = (value, description) => {
|
|
39
|
+
if (typeof value !== 'string' || !value) {
|
|
40
|
+
throw Error(`${description} missing or invalid`);
|
|
41
|
+
}
|
|
42
|
+
};
|
|
43
|
+
function calculateJwkThumbprint(jwk, digestAlgorithm) {
|
|
44
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
45
|
+
if (!jwk || typeof jwk !== 'object') {
|
|
46
|
+
throw new TypeError('JWK must be an object');
|
|
47
|
+
}
|
|
48
|
+
const algorithm = digestAlgorithm !== null && digestAlgorithm !== void 0 ? digestAlgorithm : 'sha256';
|
|
49
|
+
if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {
|
|
50
|
+
throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');
|
|
51
|
+
}
|
|
52
|
+
let components;
|
|
53
|
+
switch (jwk.kty) {
|
|
54
|
+
case 'EC':
|
|
55
|
+
check(jwk.crv, '"crv" (Curve) Parameter');
|
|
56
|
+
check(jwk.x, '"x" (X Coordinate) Parameter');
|
|
57
|
+
check(jwk.y, '"y" (Y Coordinate) Parameter');
|
|
58
|
+
components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
|
|
59
|
+
break;
|
|
60
|
+
case 'OKP':
|
|
61
|
+
check(jwk.crv, '"crv" (Subtype of Key Pair) Parameter');
|
|
62
|
+
check(jwk.x, '"x" (Public Key) Parameter');
|
|
63
|
+
components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };
|
|
64
|
+
break;
|
|
65
|
+
case 'RSA':
|
|
66
|
+
check(jwk.e, '"e" (Exponent) Parameter');
|
|
67
|
+
check(jwk.n, '"n" (Modulus) Parameter');
|
|
68
|
+
components = { e: jwk.e, kty: jwk.kty, n: jwk.n };
|
|
69
|
+
break;
|
|
70
|
+
case 'oct':
|
|
71
|
+
check(jwk.k, '"k" (Key Value) Parameter');
|
|
72
|
+
components = { k: jwk.k, kty: jwk.kty };
|
|
73
|
+
break;
|
|
74
|
+
default:
|
|
75
|
+
throw Error('"kty" (Key Type) Parameter missing or unsupported');
|
|
76
|
+
}
|
|
77
|
+
return u8a.toString((0, hasher_1.defaultHasher)(algorithm, JSON.stringify(components)), 'base64url');
|
|
78
|
+
});
|
|
79
|
+
}
|
|
80
|
+
exports.calculateJwkThumbprint = calculateJwkThumbprint;
|
|
81
|
+
function getDigestAlgorithmFromJwkThumbprintUri(uri) {
|
|
82
|
+
return __awaiter(this, void 0, void 0, function* () {
|
|
83
|
+
const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\w+):/);
|
|
84
|
+
if (!match) {
|
|
85
|
+
throw new Error(`Invalid JWK thumbprint URI structure ${uri}`);
|
|
86
|
+
}
|
|
87
|
+
const algorithm = `sha${match[1]}`;
|
|
88
|
+
if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {
|
|
89
|
+
throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`);
|
|
90
|
+
}
|
|
91
|
+
return algorithm;
|
|
92
|
+
});
|
|
93
|
+
}
|
|
94
|
+
exports.getDigestAlgorithmFromJwkThumbprintUri = getDigestAlgorithmFromJwkThumbprintUri;
|
|
95
|
+
function calculateJwkThumbprintUri(jwk_1) {
|
|
96
|
+
return __awaiter(this, arguments, void 0, function* (jwk, digestAlgorithm = 'sha256') {
|
|
97
|
+
const thumbprint = yield calculateJwkThumbprint(jwk, digestAlgorithm);
|
|
98
|
+
return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;
|
|
99
|
+
});
|
|
100
|
+
}
|
|
101
|
+
exports.calculateJwkThumbprintUri = calculateJwkThumbprintUri;
|
|
102
|
+
//# sourceMappingURL=JwkThumbprint.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"JwkThumbprint.js","sourceRoot":"","sources":["../../lib/jwt/JwkThumbprint.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AAEnC,sCAA0C;AAK1C,MAAM,KAAK,GAAG,CAAC,KAAc,EAAE,WAAmB,EAAE,EAAE;IACpD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;QACxC,MAAM,KAAK,CAAC,GAAG,WAAW,qBAAqB,CAAC,CAAC;IACnD,CAAC;AACH,CAAC,CAAC;AAEF,SAAsB,sBAAsB,CAAC,GAAQ,EAAE,eAAiC;;QACtF,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,SAAS,CAAC,uBAAuB,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,SAAS,GAAG,eAAe,aAAf,eAAe,cAAf,eAAe,GAAI,QAAQ,CAAC;QAC9C,IAAI,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC/E,MAAM,IAAI,SAAS,CAAC,6DAA6D,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,UAAU,CAAC;QACf,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC;YAChB,KAAK,IAAI;gBACP,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;gBAC1C,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,8BAA8B,CAAC,CAAC;gBAC7C,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,8BAA8B,CAAC,CAAC;gBAC7C,UAAU,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;gBAChE,MAAM;YACR,KAAK,KAAK;gBACR,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,uCAAuC,CAAC,CAAC;gBACxD,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,4BAA4B,CAAC,CAAC;gBAC3C,UAAU,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;gBACtD,MAAM;YACR,KAAK,KAAK;gBACR,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,0BAA0B,CAAC,CAAC;gBACzC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,yBAAyB,CAAC,CAAC;gBACxC,UAAU,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;gBAClD,MAAM;YACR,KAAK,KAAK;gBACR,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,2BAA2B,CAAC,CAAC;gBAC1C,UAAU,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;gBACxC,MAAM;YACR;gBACE,MAAM,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACrE,CAAC;QACD,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAA,sBAAa,EAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IACzF,CAAC;CAAA;AAlCD,wDAkCC;AAED,SAAsB,sCAAsC,CAAC,GAAW;;QACtE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QAC5E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,EAAqB,CAAC;QACtD,IAAI,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC/E,MAAM,IAAI,KAAK,CAAC,+CAA+C,GAAG,EAAE,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CAAA;AAVD,wFAUC;AAED,SAAsB,yBAAyB;yDAAC,GAAQ,EAAE,kBAAmC,QAAQ;QACnG,MAAM,UAAU,GAAG,MAAM,sBAAsB,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;QACtE,OAAO,4CAA4C,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,UAAU,EAAE,CAAC;IAC/F,CAAC;CAAA;AAHD,8DAGC"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode';
|
|
2
|
+
import { JWK } from '.';
|
|
3
|
+
export type JwtHeader = jwtDecodeJwtHeader & {
|
|
4
|
+
alg?: string;
|
|
5
|
+
x5c?: string[];
|
|
6
|
+
kid?: string;
|
|
7
|
+
jwk?: JWK;
|
|
8
|
+
jwt?: string;
|
|
9
|
+
} & Record<string, unknown>;
|
|
10
|
+
export type JwtPayload = jwtDecodePayload & {
|
|
11
|
+
client_id?: string;
|
|
12
|
+
nonce?: string;
|
|
13
|
+
request_uri?: string;
|
|
14
|
+
client_id_scheme?: string;
|
|
15
|
+
} & Record<string, unknown>;
|
|
16
|
+
export declare enum SigningAlgo {
|
|
17
|
+
EDDSA = "EdDSA",
|
|
18
|
+
RS256 = "RS256",
|
|
19
|
+
PS256 = "PS256",
|
|
20
|
+
ES256 = "ES256",
|
|
21
|
+
ES256K = "ES256K"
|
|
22
|
+
}
|
|
23
|
+
//# sourceMappingURL=Jwt.types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"Jwt.types.d.ts","sourceRoot":"","sources":["../../lib/jwt/Jwt.types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,IAAI,kBAAkB,EAAE,UAAU,IAAI,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE7F,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,CAAC;AACxB,MAAM,MAAM,SAAS,GAAG,kBAAkB,GAAG;IAC3C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,GAAG,CAAC;IACV,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE5B,MAAM,MAAM,UAAU,GAAG,gBAAgB,GAAG;IAC1C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE5B,oBAAY,WAAW;IACrB,KAAK,UAAU;IACf,KAAK,UAAU;IACf,KAAK,UAAU;IACf,KAAK,UAAU;IACf,MAAM,WAAW;CAClB"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.SigningAlgo = void 0;
|
|
4
|
+
var SigningAlgo;
|
|
5
|
+
(function (SigningAlgo) {
|
|
6
|
+
SigningAlgo["EDDSA"] = "EdDSA";
|
|
7
|
+
SigningAlgo["RS256"] = "RS256";
|
|
8
|
+
SigningAlgo["PS256"] = "PS256";
|
|
9
|
+
SigningAlgo["ES256"] = "ES256";
|
|
10
|
+
SigningAlgo["ES256K"] = "ES256K";
|
|
11
|
+
})(SigningAlgo || (exports.SigningAlgo = SigningAlgo = {}));
|
|
12
|
+
//# sourceMappingURL=Jwt.types.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"Jwt.types.js","sourceRoot":"","sources":["../../lib/jwt/Jwt.types.ts"],"names":[],"mappings":";;;AAkBA,IAAY,WAMX;AAND,WAAY,WAAW;IACrB,8BAAe,CAAA;IACf,8BAAe,CAAA;IACf,8BAAe,CAAA;IACf,8BAAe,CAAA;IACf,gCAAiB,CAAA;AACnB,CAAC,EANW,WAAW,2BAAX,WAAW,QAMtB"}
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
import { JWK, JwtHeader, JwtPayload, JwtProtectionMethod, SigningAlgo } from '..';
|
|
2
|
+
export interface JwtIssuerBase {
|
|
3
|
+
method: JwtProtectionMethod;
|
|
4
|
+
/**
|
|
5
|
+
* Additional options for the issuance context
|
|
6
|
+
*/
|
|
7
|
+
options?: Record<string, unknown>;
|
|
8
|
+
}
|
|
9
|
+
export interface JwtIssuerDid extends JwtIssuerBase {
|
|
10
|
+
method: 'did';
|
|
11
|
+
didUrl: string;
|
|
12
|
+
alg: SigningAlgo | string;
|
|
13
|
+
}
|
|
14
|
+
export interface JwtIssuerX5c extends JwtIssuerBase {
|
|
15
|
+
method: 'x5c';
|
|
16
|
+
alg: SigningAlgo | string;
|
|
17
|
+
/**
|
|
18
|
+
*
|
|
19
|
+
* Array of base64-encoded certificate strings in the DER-format.
|
|
20
|
+
*
|
|
21
|
+
* The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.
|
|
22
|
+
*/
|
|
23
|
+
x5c: Array<string>;
|
|
24
|
+
/**
|
|
25
|
+
* The issuer jwt
|
|
26
|
+
*
|
|
27
|
+
* This value will be used as the iss value of the issue jwt.
|
|
28
|
+
* It is also used as the client_id.
|
|
29
|
+
* And will also be set as the redirect_uri
|
|
30
|
+
*
|
|
31
|
+
* It must match an entry in the x5c certificate leaf entry dnsName / uriName
|
|
32
|
+
*/
|
|
33
|
+
issuer: string;
|
|
34
|
+
clientIdScheme: 'x509_san_dns' | 'x509_san_uri';
|
|
35
|
+
}
|
|
36
|
+
export interface JwtIssuerJwk extends JwtIssuerBase {
|
|
37
|
+
method: 'jwk';
|
|
38
|
+
alg: SigningAlgo | string;
|
|
39
|
+
jwk: JWK;
|
|
40
|
+
}
|
|
41
|
+
export interface JwtIssuerCustom extends JwtIssuerBase {
|
|
42
|
+
method: 'custom';
|
|
43
|
+
}
|
|
44
|
+
export type JwtIssuer = JwtIssuerDid | JwtIssuerX5c | JwtIssuerJwk | JwtIssuerCustom;
|
|
45
|
+
export interface JwtIssuanceContextBase {
|
|
46
|
+
type: string;
|
|
47
|
+
}
|
|
48
|
+
export type CreateJwtCallback<T extends JwtIssuer & JwtIssuanceContextBase> = (jwtIssuer: T, jwt: {
|
|
49
|
+
header: JwtHeader;
|
|
50
|
+
payload: JwtPayload;
|
|
51
|
+
}) => Promise<string>;
|
|
52
|
+
//# sourceMappingURL=JwtIssuer.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"JwtIssuer.d.ts","sourceRoot":"","sources":["../../lib/jwt/JwtIssuer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,UAAU,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,IAAI,CAAC;AAElF,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,mBAAmB,CAAC;IAC5B;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,YAAa,SAAQ,aAAa;IACjD,MAAM,EAAE,KAAK,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,WAAW,GAAG,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,YAAa,SAAQ,aAAa;IACjD,MAAM,EAAE,KAAK,CAAC;IACd,GAAG,EAAE,WAAW,GAAG,MAAM,CAAC;IAE1B;;;;;OAKG;IACH,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAEnB;;;;;;;;OAQG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf,cAAc,EAAE,cAAc,GAAG,cAAc,CAAC;CACjD;AAED,MAAM,WAAW,YAAa,SAAQ,aAAa;IACjD,MAAM,EAAE,KAAK,CAAC;IACd,GAAG,EAAE,WAAW,GAAG,MAAM,CAAC;IAC1B,GAAG,EAAE,GAAG,CAAC;CACV;AAED,MAAM,WAAW,eAAgB,SAAQ,aAAa;IACpD,MAAM,EAAE,QAAQ,CAAC;CAClB;AAED,MAAM,MAAM,SAAS,GAAG,YAAY,GAAG,YAAY,GAAG,YAAY,GAAG,eAAe,CAAC;AAErF,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,MAAM,iBAAiB,CAAC,CAAC,SAAS,SAAS,GAAG,sBAAsB,IAAI,CAC5E,SAAS,EAAE,CAAC,EACZ,GAAG,EAAE;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,KAC5C,OAAO,CAAC,MAAM,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"JwtIssuer.js","sourceRoot":"","sources":["../../lib/jwt/JwtIssuer.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
import { JWK, JwtHeader, JwtPayload, SigningAlgo } from '..';
|
|
2
|
+
import { JwtProtectionMethod, JwtType } from './jwtUtils';
|
|
3
|
+
export interface JwtVerifierBase {
|
|
4
|
+
type: JwtType;
|
|
5
|
+
method: JwtProtectionMethod;
|
|
6
|
+
}
|
|
7
|
+
export interface DidJwtVerifier extends JwtVerifierBase {
|
|
8
|
+
method: 'did';
|
|
9
|
+
alg: SigningAlgo | string;
|
|
10
|
+
didUrl: string;
|
|
11
|
+
}
|
|
12
|
+
export interface X5cJwtVerifier extends JwtVerifierBase {
|
|
13
|
+
method: 'x5c';
|
|
14
|
+
alg: SigningAlgo | string;
|
|
15
|
+
/**
|
|
16
|
+
*
|
|
17
|
+
* Array of base64-encoded certificate strings in the DER-format.
|
|
18
|
+
*
|
|
19
|
+
* The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.
|
|
20
|
+
*/
|
|
21
|
+
x5c: Array<string>;
|
|
22
|
+
/**
|
|
23
|
+
* The jwt issuer
|
|
24
|
+
*/
|
|
25
|
+
issuer: string;
|
|
26
|
+
}
|
|
27
|
+
export interface OpenIdFederationJwtVerifier extends JwtVerifierBase {
|
|
28
|
+
method: 'openid-federation';
|
|
29
|
+
/**
|
|
30
|
+
* The OpenId federation Entity
|
|
31
|
+
*/
|
|
32
|
+
entityId: string;
|
|
33
|
+
}
|
|
34
|
+
export interface JwkJwtVerifier extends JwtVerifierBase {
|
|
35
|
+
method: 'jwk';
|
|
36
|
+
alg: SigningAlgo | string;
|
|
37
|
+
jwk: JWK;
|
|
38
|
+
}
|
|
39
|
+
export interface CustomJwtVerifier extends JwtVerifierBase {
|
|
40
|
+
method: 'custom';
|
|
41
|
+
}
|
|
42
|
+
export type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier;
|
|
43
|
+
export declare const getDidJwtVerifier: (jwt: {
|
|
44
|
+
header: JwtHeader;
|
|
45
|
+
payload: JwtPayload;
|
|
46
|
+
}, options: {
|
|
47
|
+
type: JwtType;
|
|
48
|
+
}) => DidJwtVerifier;
|
|
49
|
+
export declare const getX5cVerifier: (jwt: {
|
|
50
|
+
header: JwtHeader;
|
|
51
|
+
payload: JwtPayload;
|
|
52
|
+
}, options: {
|
|
53
|
+
type: JwtType;
|
|
54
|
+
}) => X5cJwtVerifier;
|
|
55
|
+
export declare const getJwkVerifier: (jwt: {
|
|
56
|
+
header: JwtHeader;
|
|
57
|
+
payload: JwtPayload;
|
|
58
|
+
}, options: {
|
|
59
|
+
type: JwtType;
|
|
60
|
+
}) => Promise<JwkJwtVerifier>;
|
|
61
|
+
export declare const getJwtVerifierWithContext: (jwt: {
|
|
62
|
+
header: JwtHeader;
|
|
63
|
+
payload: JwtPayload;
|
|
64
|
+
}, options: {
|
|
65
|
+
type: JwtType;
|
|
66
|
+
}) => Promise<JwtVerifier>;
|
|
67
|
+
export type VerifyJwtCallbackBase<T extends JwtVerifier> = (jwtVerifier: T, jwt: {
|
|
68
|
+
header: JwtHeader;
|
|
69
|
+
payload: JwtPayload;
|
|
70
|
+
raw: string;
|
|
71
|
+
}) => Promise<boolean>;
|
|
72
|
+
//# sourceMappingURL=JwtVerifier.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"JwtVerifier.d.ts","sourceRoot":"","sources":["../../lib/jwt/JwtVerifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,IAAI,CAAC;AAE7D,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE1D,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,OAAO,CAAC;IACd,MAAM,EAAE,mBAAmB,CAAC;CAC7B;AAED,MAAM,WAAW,cAAe,SAAQ,eAAe;IACrD,MAAM,EAAE,KAAK,CAAC;IAEd,GAAG,EAAE,WAAW,GAAG,MAAM,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAe,SAAQ,eAAe;IACrD,MAAM,EAAE,KAAK,CAAC;IAEd,GAAG,EAAE,WAAW,GAAG,MAAM,CAAC;IAE1B;;;;;OAKG;IACH,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAEnB;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,2BAA4B,SAAQ,eAAe;IAClE,MAAM,EAAE,mBAAmB,CAAC;IAE5B;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAe,SAAQ,eAAe;IACrD,MAAM,EAAE,KAAK,CAAC;IACd,GAAG,EAAE,WAAW,GAAG,MAAM,CAAC;IAE1B,GAAG,EAAE,GAAG,CAAC;CACV;AAED,MAAM,WAAW,iBAAkB,SAAQ,eAAe;IACxD,MAAM,EAAE,QAAQ,CAAC;CAClB;AAED,MAAM,MAAM,WAAW,GAAG,cAAc,GAAG,cAAc,GAAG,iBAAiB,GAAG,cAAc,GAAG,2BAA2B,CAAC;AAE7H,eAAO,MAAM,iBAAiB,QAAS;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,WAAW;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,KAAG,cAS/G,CAAC;AAEF,eAAO,MAAM,cAAc,QAAS;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,WAAW;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,KAAG,cAc5G,CAAC;AAEF,eAAO,MAAM,cAAc,QAAe;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,WAAW;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,KAAG,QAAQ,cAAc,CAUxI,CAAC;AAEF,eAAO,MAAM,yBAAyB,QAC/B;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,UAAU,CAAA;CAAE,WACtC;IAAE,IAAI,EAAE,OAAO,CAAA;CAAE,KACzB,QAAQ,WAAW,CAQrB,CAAC;AAEF,MAAM,MAAM,qBAAqB,CAAC,CAAC,SAAS,WAAW,IAAI,CACzD,WAAW,EAAE,CAAC,EACd,GAAG,EAAE;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,UAAU,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,KACzD,OAAO,CAAC,OAAO,CAAC,CAAC"}
|
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
|
|
3
|
+
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
|
|
4
|
+
return new (P || (P = Promise))(function (resolve, reject) {
|
|
5
|
+
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
|
|
6
|
+
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
|
|
7
|
+
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
|
|
8
|
+
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
9
|
+
});
|
|
10
|
+
};
|
|
11
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
+
exports.getJwtVerifierWithContext = exports.getJwkVerifier = exports.getX5cVerifier = exports.getDidJwtVerifier = void 0;
|
|
13
|
+
const getDidJwtVerifier = (jwt, options) => {
|
|
14
|
+
const { type } = options;
|
|
15
|
+
if (!jwt.header.kid)
|
|
16
|
+
throw new Error(`Received an invalid JWT. Missing kid header.`);
|
|
17
|
+
if (!jwt.header.alg)
|
|
18
|
+
throw new Error(`Received an invalid JWT. Missing alg header.`);
|
|
19
|
+
if (!jwt.header.kid.includes('#')) {
|
|
20
|
+
throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`);
|
|
21
|
+
}
|
|
22
|
+
return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg };
|
|
23
|
+
};
|
|
24
|
+
exports.getDidJwtVerifier = getDidJwtVerifier;
|
|
25
|
+
const getX5cVerifier = (jwt, options) => {
|
|
26
|
+
const { type } = options;
|
|
27
|
+
if (!jwt.header.x5c)
|
|
28
|
+
throw new Error(`Received an invalid JWT. Missing x5c header.`);
|
|
29
|
+
if (!jwt.header.alg)
|
|
30
|
+
throw new Error(`Received an invalid JWT. Missing alg header.`);
|
|
31
|
+
if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {
|
|
32
|
+
throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`);
|
|
33
|
+
}
|
|
34
|
+
if (typeof jwt.payload.iss !== 'string') {
|
|
35
|
+
throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim.`);
|
|
36
|
+
}
|
|
37
|
+
return { method: 'x5c', x5c: jwt.header.x5c, issuer: jwt.payload.iss, type: type, alg: jwt.header.alg };
|
|
38
|
+
};
|
|
39
|
+
exports.getX5cVerifier = getX5cVerifier;
|
|
40
|
+
const getJwkVerifier = (jwt, options) => __awaiter(void 0, void 0, void 0, function* () {
|
|
41
|
+
const { type } = options;
|
|
42
|
+
if (!jwt.header.jwk)
|
|
43
|
+
throw new Error(`Received an invalid JWT. Missing jwk header.`);
|
|
44
|
+
if (!jwt.header.alg)
|
|
45
|
+
throw new Error(`Received an invalid JWT. Missing alg header.`);
|
|
46
|
+
if (typeof jwt.header.jwk !== 'object') {
|
|
47
|
+
throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`);
|
|
48
|
+
}
|
|
49
|
+
return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg };
|
|
50
|
+
});
|
|
51
|
+
exports.getJwkVerifier = getJwkVerifier;
|
|
52
|
+
const getJwtVerifierWithContext = (jwt, options) => __awaiter(void 0, void 0, void 0, function* () {
|
|
53
|
+
var _a;
|
|
54
|
+
const { header, payload } = jwt;
|
|
55
|
+
if ((_a = header.kid) === null || _a === void 0 ? void 0 : _a.startsWith('did:'))
|
|
56
|
+
return (0, exports.getDidJwtVerifier)({ header, payload }, options);
|
|
57
|
+
else if (jwt.header.x5c)
|
|
58
|
+
return (0, exports.getX5cVerifier)({ header, payload }, options);
|
|
59
|
+
else if (jwt.header.jwk)
|
|
60
|
+
return (0, exports.getJwkVerifier)({ header, payload }, options);
|
|
61
|
+
return { method: 'custom', type: options.type };
|
|
62
|
+
});
|
|
63
|
+
exports.getJwtVerifierWithContext = getJwtVerifierWithContext;
|
|
64
|
+
//# sourceMappingURL=JwtVerifier.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"JwtVerifier.js","sourceRoot":"","sources":["../../lib/jwt/JwtVerifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AAyDO,MAAM,iBAAiB,GAAG,CAAC,GAA+C,EAAE,OAA0B,EAAkB,EAAE;IAC/H,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;IACzB,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IACrF,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAErF,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,8BAA8B,IAAI,mCAAmC,CAAC,CAAC;IACzF,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;AACpF,CAAC,CAAC;AATW,QAAA,iBAAiB,qBAS5B;AAEK,MAAM,cAAc,GAAG,CAAC,GAA+C,EAAE,OAA0B,EAAkB,EAAE;IAC5H,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;IACzB,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IACrF,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAErF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;QAC/H,MAAM,IAAI,KAAK,CAAC,8BAA8B,IAAI,mCAAmC,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,kCAAkC,CAAC,CAAC;IACvF,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;AAC1G,CAAC,CAAC;AAdW,QAAA,cAAc,kBAczB;AAEK,MAAM,cAAc,GAAG,CAAO,GAA+C,EAAE,OAA0B,EAA2B,EAAE;IAC3I,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;IACzB,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACtF,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAErF,IAAI,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,mCAAmC,CAAC,CAAC;IACxF,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;AAC3E,CAAC,CAAA,CAAC;AAVW,QAAA,cAAc,kBAUzB;AAEK,MAAM,yBAAyB,GAAG,CACvC,GAA+C,EAC/C,OAA0B,EACJ,EAAE;;IACxB,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC;IAEhC,IAAI,MAAA,MAAM,CAAC,GAAG,0CAAE,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,IAAA,yBAAiB,EAAC,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;SACtF,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAA,sBAAc,EAAC,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;SACxE,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAA,sBAAc,EAAC,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;IAE7E,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC;AAClD,CAAC,CAAA,CAAC;AAXW,QAAA,yBAAyB,6BAWpC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/jwt/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __exportStar = (this && this.__exportStar) || function(m, exports) {
|
|
14
|
+
for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
|
|
15
|
+
};
|
|
16
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
17
|
+
__exportStar(require("./JwkThumbprint"), exports);
|
|
18
|
+
__exportStar(require("./Jwt.types"), exports);
|
|
19
|
+
__exportStar(require("./JwtIssuer"), exports);
|
|
20
|
+
__exportStar(require("./JwtVerifier"), exports);
|
|
21
|
+
__exportStar(require("./jwtUtils"), exports);
|
|
22
|
+
__exportStar(require("./Jwk.types"), exports);
|
|
23
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/jwt/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,kDAAgC;AAChC,8CAA4B;AAC5B,8CAA4B;AAC5B,gDAA8B;AAC9B,6CAA2B;AAC3B,8CAA4B"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import { JwtHeader, JwtPayload } from '..';
|
|
2
|
+
export type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop';
|
|
3
|
+
export type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom';
|
|
4
|
+
export declare function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string): {
|
|
5
|
+
header: NonNullable<Header>;
|
|
6
|
+
payload: NonNullable<Payload>;
|
|
7
|
+
};
|
|
8
|
+
export declare function getNowSkewed(now?: number, skewTime?: number): {
|
|
9
|
+
nowSkewedPast: number;
|
|
10
|
+
nowSkewedFuture: number;
|
|
11
|
+
};
|
|
12
|
+
/**
|
|
13
|
+
* Returns the current unix timestamp in seconds.
|
|
14
|
+
*/
|
|
15
|
+
export declare function epochTime(): number;
|
|
16
|
+
//# sourceMappingURL=jwtUtils.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jwtUtils.d.ts","sourceRoot":"","sources":["../../lib/jwt/jwtUtils.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAE3C,MAAM,MAAM,OAAO,GAAG,UAAU,GAAG,gBAAgB,GAAG,sBAAsB,GAAG,MAAM,CAAC;AAEtF,MAAM,MAAM,mBAAmB,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,mBAAmB,GAAG,QAAQ,CAAC;AAEzF,wBAAgB,QAAQ,CAAC,MAAM,GAAG,SAAS,EAAE,OAAO,GAAG,UAAU,EAAE,GAAG,EAAE,MAAM;;;EAQ7E;AAWD,wBAAgB,YAAY,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;;;EAQ3D;AAED;;GAEG;AACH,wBAAgB,SAAS,WAExB"}
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.epochTime = exports.getNowSkewed = exports.parseJWT = void 0;
|
|
4
|
+
const jwt_decode_1 = require("jwt-decode");
|
|
5
|
+
function parseJWT(jwt) {
|
|
6
|
+
const header = (0, jwt_decode_1.jwtDecode)(jwt, { header: true });
|
|
7
|
+
const payload = (0, jwt_decode_1.jwtDecode)(jwt, { header: false });
|
|
8
|
+
if (!payload || !header) {
|
|
9
|
+
throw new Error('Jwt Payload and/or Header could not be parsed');
|
|
10
|
+
}
|
|
11
|
+
return { header, payload };
|
|
12
|
+
}
|
|
13
|
+
exports.parseJWT = parseJWT;
|
|
14
|
+
/**
|
|
15
|
+
* The maximum allowed clock skew time in seconds. If an time based validation
|
|
16
|
+
* is performed against current time (`now`), the validation can be of by the skew
|
|
17
|
+
* time.
|
|
18
|
+
*
|
|
19
|
+
* See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
|
|
20
|
+
*/
|
|
21
|
+
const DEFAULT_SKEW_TIME = 60;
|
|
22
|
+
function getNowSkewed(now, skewTime) {
|
|
23
|
+
const _now = now ? now : epochTime();
|
|
24
|
+
const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME;
|
|
25
|
+
return {
|
|
26
|
+
nowSkewedPast: _now - _skewTime,
|
|
27
|
+
nowSkewedFuture: _now + _skewTime,
|
|
28
|
+
};
|
|
29
|
+
}
|
|
30
|
+
exports.getNowSkewed = getNowSkewed;
|
|
31
|
+
/**
|
|
32
|
+
* Returns the current unix timestamp in seconds.
|
|
33
|
+
*/
|
|
34
|
+
function epochTime() {
|
|
35
|
+
return Math.floor(Date.now() / 1000);
|
|
36
|
+
}
|
|
37
|
+
exports.epochTime = epochTime;
|
|
38
|
+
//# sourceMappingURL=jwtUtils.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"jwtUtils.js","sourceRoot":"","sources":["../../lib/jwt/jwtUtils.ts"],"names":[],"mappings":";;;AAAA,2CAAuC;AAQvC,SAAgB,QAAQ,CAA2C,GAAW;IAC5E,MAAM,MAAM,GAAG,IAAA,sBAAS,EAAS,GAAG,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,IAAA,sBAAS,EAAU,GAAG,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAE3D,IAAI,CAAC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC7B,CAAC;AARD,4BAQC;AAED;;;;;;GAMG;AACH,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B,SAAgB,YAAY,CAAC,GAAY,EAAE,QAAiB;IAC1D,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,iBAAiB,CAAC;IAE1D,OAAO;QACL,aAAa,EAAE,IAAI,GAAG,SAAS;QAC/B,eAAe,EAAE,IAAI,GAAG,SAAS;KAClC,CAAC;AACJ,CAAC;AARD,oCAQC;AAED;;GAEG;AACH,SAAgB,SAAS;IACvB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AACvC,CAAC;AAFD,8BAEC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"digest.types.d.ts","sourceRoot":"","sources":["../../lib/types/digest.types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"digest.types.js","sourceRoot":"","sources":["../../lib/types/digest.types.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/types/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __exportStar = (this && this.__exportStar) || function(m, exports) {
|
|
14
|
+
for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
|
|
15
|
+
};
|
|
16
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
17
|
+
__exportStar(require("./digest.types"), exports);
|
|
18
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/types/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iDAA+B"}
|
|
@@ -0,0 +1,124 @@
|
|
|
1
|
+
import { createDPoP, getCreateDPoPOptions, verifyDPoP } from '../dpop';
|
|
2
|
+
|
|
3
|
+
describe('dpop', () => {
|
|
4
|
+
const alg = 'HS256';
|
|
5
|
+
const jwk = { kty: 'Ed25519', crv: 'Ed25519', x: '123', y: '123' };
|
|
6
|
+
const jwtIssuer = { alg, jwk };
|
|
7
|
+
const htm = 'POST';
|
|
8
|
+
const htu = 'https://example.com/token';
|
|
9
|
+
const nonce = 'nonce';
|
|
10
|
+
const jwtPayloadProps = { htm, htu, nonce } as const;
|
|
11
|
+
const jwtHeaderProps = { alg, jwk, typ: 'dpop+jwt' };
|
|
12
|
+
const unsignedDpop =
|
|
13
|
+
'eyJhbGciOiJIUzI1NiIsImp3ayI6eyJrdHkiOiJFZDI1NTE5IiwiY3J2IjoiRWQyNTUxOSIsIngiOiIxMjMiLCJ5IjoiMTIzIn0sInR5cCI6ImRwb3Arand0In0.eyJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9leGFtcGxlLmNvbS90b2tlbiIsIm5vbmNlIjoibm9uY2UiLCJpYXQiOjE3MjIzMjcxOTQsImp0aSI6Ijk4OWNiZTc4LWI1ZTYtNDViYS1iYjMzLWQ0MGE4ZGEwZjFhYSJ9';
|
|
14
|
+
|
|
15
|
+
it('should create a dpop with valid options', async () => {
|
|
16
|
+
const dpop = await createDPoP({
|
|
17
|
+
jwtIssuer,
|
|
18
|
+
jwtPayloadProps,
|
|
19
|
+
createJwtCallback: async (dpopJwtIssuerWithContext, jwt) => {
|
|
20
|
+
expect(dpopJwtIssuerWithContext.alg).toEqual(alg);
|
|
21
|
+
expect(dpopJwtIssuerWithContext.jwk).toEqual(jwk);
|
|
22
|
+
expect(dpopJwtIssuerWithContext.dPoPSigningAlgValuesSupported).toBeUndefined();
|
|
23
|
+
expect(dpopJwtIssuerWithContext.type).toEqual('dpop');
|
|
24
|
+
|
|
25
|
+
expect(jwt.header).toStrictEqual(jwtHeaderProps);
|
|
26
|
+
expect(jwt.payload).toStrictEqual({
|
|
27
|
+
...jwtPayloadProps,
|
|
28
|
+
iat: expect.any(Number),
|
|
29
|
+
jti: expect.any(String),
|
|
30
|
+
});
|
|
31
|
+
|
|
32
|
+
return unsignedDpop;
|
|
33
|
+
},
|
|
34
|
+
});
|
|
35
|
+
|
|
36
|
+
expect(unsignedDpop).toEqual(dpop);
|
|
37
|
+
expect.assertions(7);
|
|
38
|
+
});
|
|
39
|
+
|
|
40
|
+
it('should create a dpop with valid createDPoPOptions', async () => {
|
|
41
|
+
// eslint-disable-next-line @typescript-eslint/no-unused-vars
|
|
42
|
+
const { htm, htu, ...rest } = jwtPayloadProps;
|
|
43
|
+
const options = getCreateDPoPOptions(
|
|
44
|
+
{
|
|
45
|
+
jwtIssuer,
|
|
46
|
+
jwtPayloadProps: rest,
|
|
47
|
+
createJwtCallback: async (dpopJwtIssuerWithContext, jwt) => {
|
|
48
|
+
expect(dpopJwtIssuerWithContext.alg).toEqual(alg);
|
|
49
|
+
expect(dpopJwtIssuerWithContext.jwk).toEqual(jwk);
|
|
50
|
+
expect(dpopJwtIssuerWithContext.dPoPSigningAlgValuesSupported).toBeUndefined();
|
|
51
|
+
expect(dpopJwtIssuerWithContext.type).toEqual('dpop');
|
|
52
|
+
|
|
53
|
+
expect(jwt.header).toStrictEqual(jwtHeaderProps);
|
|
54
|
+
expect(jwt.payload).toStrictEqual({
|
|
55
|
+
...jwtPayloadProps,
|
|
56
|
+
iat: expect.any(Number),
|
|
57
|
+
jti: expect.any(String),
|
|
58
|
+
});
|
|
59
|
+
|
|
60
|
+
return unsignedDpop;
|
|
61
|
+
},
|
|
62
|
+
},
|
|
63
|
+
htu + '?123412341#xyaksdjfaksdjf',
|
|
64
|
+
);
|
|
65
|
+
|
|
66
|
+
const dpop = await createDPoP(options);
|
|
67
|
+
|
|
68
|
+
expect(unsignedDpop).toEqual(dpop);
|
|
69
|
+
expect.assertions(7);
|
|
70
|
+
});
|
|
71
|
+
|
|
72
|
+
it('verify dpop fails if jwtVerifyCallback throws an error', async () => {
|
|
73
|
+
await expect(
|
|
74
|
+
verifyDPoP(
|
|
75
|
+
{
|
|
76
|
+
headers: { dpop: unsignedDpop },
|
|
77
|
+
fullUrl: htu + '?123412341#xyaksdjfaksdjf',
|
|
78
|
+
method: 'POST',
|
|
79
|
+
},
|
|
80
|
+
{
|
|
81
|
+
jwtVerifyCallback: async () => {
|
|
82
|
+
throw new Error('jwtVerifyCallback');
|
|
83
|
+
},
|
|
84
|
+
expectedNonce: 'nonce',
|
|
85
|
+
expectAccessToken: false,
|
|
86
|
+
now: 1722327194,
|
|
87
|
+
},
|
|
88
|
+
),
|
|
89
|
+
).rejects.toThrow();
|
|
90
|
+
});
|
|
91
|
+
|
|
92
|
+
it('should verify a dpop with valid options', async () => {
|
|
93
|
+
const dpop = await verifyDPoP(
|
|
94
|
+
{
|
|
95
|
+
headers: { dpop: unsignedDpop },
|
|
96
|
+
fullUrl: htu + '?123412341#xyaksdjfaksdjf',
|
|
97
|
+
method: 'POST',
|
|
98
|
+
},
|
|
99
|
+
{
|
|
100
|
+
jwtVerifyCallback: async (jwtVerifier, jwt) => {
|
|
101
|
+
expect(jwtVerifier.method).toEqual('jwk');
|
|
102
|
+
expect(jwtVerifier.jwk).toEqual(jwk);
|
|
103
|
+
expect(jwtVerifier.type).toEqual('dpop');
|
|
104
|
+
expect(jwtVerifier.alg).toEqual(alg);
|
|
105
|
+
|
|
106
|
+
expect(jwt.header).toStrictEqual(jwtHeaderProps);
|
|
107
|
+
expect(jwt.payload).toStrictEqual({
|
|
108
|
+
...jwtPayloadProps,
|
|
109
|
+
iat: expect.any(Number),
|
|
110
|
+
jti: expect.any(String),
|
|
111
|
+
});
|
|
112
|
+
expect(jwt.raw).toEqual(unsignedDpop);
|
|
113
|
+
|
|
114
|
+
return true;
|
|
115
|
+
},
|
|
116
|
+
expectAccessToken: false,
|
|
117
|
+
expectedNonce: 'nonce',
|
|
118
|
+
now: 1722327194,
|
|
119
|
+
},
|
|
120
|
+
);
|
|
121
|
+
expect(dpop).toStrictEqual(jwk);
|
|
122
|
+
expect.assertions(8);
|
|
123
|
+
});
|
|
124
|
+
});
|