@sphereon/oid4vc-common 0.17.0 → 0.17.1-feature.esm.cjs.25

package/lib/dpop/DPoP.ts

@@ -1,242 +0,0 @@
-import { jwtDecode } from 'jwt-decode';
-import * as u8a from 'uint8arrays';
-import { v4 as uuidv4 } from 'uuid';
-
-import { defaultHasher } from '../hasher';
-
-import {
-  calculateJwkThumbprint,
-  CreateJwtCallback,
-  epochTime,
-  getNowSkewed,
-  JWK,
-  JwtHeader,
-  JwtIssuerJwk,
-  JwtPayload,
-  parseJWT,
-  SigningAlgo,
-  VerifyJwtCallbackBase,
-} from './../jwt';
-
-export const dpopTokenRequestNonceError = 'use_dpop_nonce';
-
-export interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {
-  type: 'dpop';
-  dPoPSigningAlgValuesSupported?: string[];
-}
-
-export type DPoPJwtPayloadProps = {
-  htu: string;
-  iat: number;
-  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH';
-  ath?: string;
-  nonce?: string;
-  jti: string;
-};
-export type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK };
-export type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string };
-
-export interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {
-  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>;
-  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>;
-  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps;
-  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[];
-}
-
-export type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>;
-
-export function getCreateDPoPOptions(
-  createDPoPClientOpts: CreateDPoPClientOpts,
-  endPointUrl: string,
-  resourceRequestOpts?: { accessToken: string },
-): CreateDPoPOpts {
-  const htu = endPointUrl.split('?')[0].split('#')[0];
-  return {
-    ...createDPoPClientOpts,
-    jwtPayloadProps: {
-      ...createDPoPClientOpts.jwtPayloadProps,
-      htu,
-      htm: 'POST',
-      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),
-    },
-  };
-}
-
-export async function createDPoP(options: CreateDPoPOpts): Promise<string> {
-  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options;
-
-  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {
-    throw new Error('expected access token without scheme');
-  }
-
-  const ath = jwtPayloadProps.accessToken ? u8a.toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined;
-  return createJwtCallback(
-    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },
-    {
-      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },
-      payload: {
-        ...jwtPayloadProps,
-        iat: epochTime(),
-        jti: uuidv4(),
-        ...(ath && { ath }),
-      },
-    },
-  );
-}
-
-export type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>;
-export interface DPoPVerifyOptions {
-  expectedNonce?: string;
-  acceptedAlgorithms?: (string | SigningAlgo)[];
-  // defaults to 300 seconds (5 minutes)
-  maxIatAgeInSeconds?: number;
-  expectAccessToken?: boolean;
-  jwtVerifyCallback: DPoPVerifyJwtCallback;
-  now?: number;
-}
-
-export async function verifyDPoP(
-  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,
-  options: DPoPVerifyOptions,
-) {
-  // There is not more than one DPoP HTTP request header field.
-  const dpop = request.headers['dpop'];
-  if (!dpop || typeof dpop !== 'string') {
-    throw new Error('missing or invalid dpop header. Expected compact JWT');
-  }
-
-  // The DPoP HTTP request header field value is a single and well-formed JWT.
-  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop);
-
-  // Ensure all required header claims are present
-  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {
-    throw new Error('invalid_dpop_proof. Invalid header claims');
-  }
-
-  // Ensure all required payload claims are present
-  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {
-    throw new Error('invalid_dpop_proof. Missing required claims');
-  }
-
-  // Validate alg is supported
-  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {
-    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`);
-  }
-
-  // Validate nonce if provided
-  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {
-    throw new Error('invalid_dpop_proof. Nonce mismatch');
-  }
-
-  // Verify JWT signature
-  try {
-    const verificationResult = await options.jwtVerifyCallback(
-      {
-        method: 'jwk',
-        type: 'dpop',
-        jwk: dPoPHeader.jwk,
-        alg: dPoPHeader.alg,
-      },
-      {
-        header: dPoPHeader,
-        payload: dPoPPayload,
-        raw: dpop,
-      },
-    );
-
-    if (!verificationResult) {
-      throw new Error('invalid_dpop_proof. Invalid JWT signature');
-    }
-  } catch (error: unknown) {
-    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'));
-  }
-
-  // Validate htm claim
-  if (dPoPPayload.htm !== request.method) {
-    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`);
-  }
-
-  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.
-  const currentUri = request.fullUrl.split('?')[0].split('#')[0];
-  if (dPoPPayload.htu !== currentUri) {
-    throw new Error('invalid_dpop_proof. Invalid htu claim');
-  }
-
-  // Validate nonce if provided
-  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {
-    throw new Error('invalid_dpop_proof. Nonce mismatch');
-  }
-
-  // Validate iat claim
-  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now);
-  if (
-    // iat claim is too far in the future
-    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||
-    // iat claim is too old
-    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat
-  ) {
-    // 5 minute window
-    throw new Error('invalid_dpop_proof. Invalid iat claim');
-  }
-
-  // If access token is present, validate ath claim
-  const authorizationHeader = request.headers.authorization;
-  if (!options.expectAccessToken && authorizationHeader) {
-    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.');
-  }
-
-  if (options.expectAccessToken) {
-    if (!dPoPPayload.ath) {
-      throw new Error('invalid_dpop_proof. Missing expected ath claim.');
-    }
-
-    // validate that the DPOP proof is made for the provided access token
-    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {
-      throw new Error('invalid_dpop_proof. Invalid authorization header.');
-    }
-
-    const accessToken = authorizationHeader.replace('DPoP ', '');
-    const expectedAth = u8a.toString(defaultHasher(accessToken, 'sha256'), 'base64url');
-    if (dPoPPayload.ath !== expectedAth) {
-      throw new Error('invalid_dpop_proof. Invalid ath claim');
-    }
-
-    // validate that the access token is signed with the same key as the DPOP proof
-    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false });
-    if (!accessTokenPayload.cnf?.jkt) {
-      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim');
-    }
-
-    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256');
-    if (accessTokenPayload.cnf?.jkt !== thumprint) {
-      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch');
-    }
-  }
-
-  // If all validations pass, return the dpop jwk
-  return dPoPHeader.jwk;
-}
-
-/**
- * DPoP verifications for resource requests
- * For Bearer token compatibility jwt's must have a token_type claim
- * The access token itself must be validated before using this method
- * If the token_type is not DPoP, then the request is not a DPoP request
- * and we don't need to verify the DPoP proof
- */
-export async function verifyResourceDPoP(
-  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,
-  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,
-) {
-  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {
-    throw new Error('Received an invalid resource request. Missing authorization header.');
-  }
-  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false });
-  const tokenType = tokenPayload.token_type;
-
-  if (tokenType !== 'DPoP') {
-    return;
-  }
-
-  return verifyDPoP(request, { ...options, expectAccessToken: true });
-}

package/lib/dpop/index.ts

@@ -1 +0,0 @@
-export * from './DPoP';

package/lib/hasher.ts

@@ -1,18 +0,0 @@
-import { Hasher } from '@sphereon/ssi-types';
-import sha from 'sha.js';
-
-const supportedAlgorithms = ['sha256', 'sha384', 'sha512'] as const;
-type SupportedAlgorithms = (typeof supportedAlgorithms)[number];
-
-export const defaultHasher: Hasher = (data, algorithm) => {
-  const sanitizedAlgorithm = algorithm.toLowerCase().replace(/[-_]/g, '');
-  if (!supportedAlgorithms.includes(sanitizedAlgorithm as SupportedAlgorithms)) {
-    throw new Error(`Unsupported hashing algorithm ${algorithm}`);
-  }
-
-  return new Uint8Array(
-    sha(sanitizedAlgorithm as SupportedAlgorithms)
-      .update(data)
-      .digest(),
-  );
-};

package/lib/index.ts

@@ -1,11 +0,0 @@
-import { Loggers } from '@sphereon/ssi-types';
-
-export const VCI_LOGGERS = Loggers.DEFAULT;
-export const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common');
-
-export * from './jwt';
-export * from './dpop';
-export * from './oauth';
-
-export { v4 as uuidv4 } from 'uuid';
-export { defaultHasher } from './hasher';

package/lib/jwt/Jwk.types.ts

@@ -1,38 +0,0 @@
-export interface BaseJWK {
-  kty?: string;
-  crv?: string;
-  x?: string;
-  y?: string;
-  e?: string;
-  n?: string;
-}
-
-export interface JWK extends BaseJWK {
-  alg?: string;
-  d?: string;
-  dp?: string;
-  dq?: string;
-  ext?: boolean;
-  k?: string;
-  key_ops?: string[];
-  kid?: string;
-  oth?: Array<{
-    d?: string;
-    r?: string;
-    t?: string;
-  }>;
-  p?: string;
-  q?: string;
-  qi?: string;
-  use?: string;
-  x5c?: string[];
-  x5t?: string;
-  'x5t#S256'?: string;
-  x5u?: string;
-
-  [propName: string]: unknown;
-}
-
-export type JWKS = {
-  keys: JWK[];
-};

package/lib/jwt/JwkThumbprint.ts

@@ -1,65 +0,0 @@
-import * as u8a from 'uint8arrays';
-
-import { defaultHasher } from '../hasher';
-import { DigestAlgorithm } from '../types';
-
-import { JWK } from '.';
-
-const check = (value: unknown, description: string) => {
-  if (typeof value !== 'string' || !value) {
-    throw Error(`${description} missing or invalid`);
-  }
-};
-
-export async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {
-  if (!jwk || typeof jwk !== 'object') {
-    throw new TypeError('JWK must be an object');
-  }
-  const algorithm = digestAlgorithm ?? 'sha256';
-  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {
-    throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');
-  }
-  let components;
-  switch (jwk.kty) {
-    case 'EC':
-      check(jwk.crv, '"crv" (Curve) Parameter');
-      check(jwk.x, '"x" (X Coordinate) Parameter');
-      check(jwk.y, '"y" (Y Coordinate) Parameter');
-      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
-      break;
-    case 'OKP':
-      check(jwk.crv, '"crv" (Subtype of Key Pair) Parameter');
-      check(jwk.x, '"x" (Public Key) Parameter');
-      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };
-      break;
-    case 'RSA':
-      check(jwk.e, '"e" (Exponent) Parameter');
-      check(jwk.n, '"n" (Modulus) Parameter');
-      components = { e: jwk.e, kty: jwk.kty, n: jwk.n };
-      break;
-    case 'oct':
-      check(jwk.k, '"k" (Key Value) Parameter');
-      components = { k: jwk.k, kty: jwk.kty };
-      break;
-    default:
-      throw Error('"kty" (Key Type) Parameter missing or unsupported');
-  }
-  return u8a.toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url');
-}
-
-export async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {
-  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\w+):/);
-  if (!match) {
-    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`);
-  }
-  const algorithm = `sha${match[1]}` as DigestAlgorithm;
-  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {
-    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`);
-  }
-  return algorithm;
-}
-
-export async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {
-  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm);
-  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;
-}

package/lib/jwt/Jwt.types.ts

@@ -1,26 +0,0 @@
-import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode';
-
-import { JWK } from '.';
-
-export type JwtHeader = jwtDecodeJwtHeader & {
-  alg?: string;
-  x5c?: string[];
-  kid?: string;
-  jwk?: JWK;
-  jwt?: string;
-} & Record<string, unknown>;
-
-export type JwtPayload = jwtDecodePayload & {
-  client_id?: string;
-  nonce?: string;
-  request_uri?: string;
-  client_id_scheme?: string;
-} & Record<string, unknown>;
-
-export enum SigningAlgo {
-  EDDSA = 'EdDSA',
-  RS256 = 'RS256',
-  PS256 = 'PS256',
-  ES256 = 'ES256',
-  ES256K = 'ES256K',
-}

package/lib/jwt/JwtIssuer.ts

@@ -1,60 +0,0 @@
-import { JWK, JwtHeader, JwtPayload, JwtProtectionMethod, SigningAlgo } from '..';
-
-export interface JwtIssuerBase {
-  method: JwtProtectionMethod;
-  /**
-   * Additional options for the issuance context
-   */
-  options?: Record<string, unknown>;
-}
-
-export interface JwtIssuerDid extends JwtIssuerBase {
-  method: 'did';
-  didUrl: string;
-  alg: SigningAlgo | string;
-}
-
-export interface JwtIssuerX5c extends JwtIssuerBase {
-  method: 'x5c';
-  alg: SigningAlgo | string;
-
-  /**
-   *
-   * Array of base64-encoded certificate strings in the DER-format.
-   *
-   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.
-   */
-  x5c: Array<string>;
-
-  /**
-   * The issuer jwt
-   *
-   * This value will be used as the iss value of the issue jwt.
-   * It is also used as the client_id.
-   * And will also be set as the redirect_uri
-   *
-   * It must match an entry in the x5c certificate leaf entry dnsName / uriName
-   */
-  issuer: string;
-}
-
-export interface JwtIssuerJwk extends JwtIssuerBase {
-  method: 'jwk';
-  alg: SigningAlgo | string;
-  jwk: JWK;
-}
-
-export interface JwtIssuerCustom extends JwtIssuerBase {
-  method: 'custom';
-}
-
-export type JwtIssuer = JwtIssuerDid | JwtIssuerX5c | JwtIssuerJwk | JwtIssuerCustom;
-
-export interface JwtIssuanceContextBase {
-  type: string;
-}
-
-export type CreateJwtCallback<T extends JwtIssuer & JwtIssuanceContextBase> = (
-  jwtIssuer: T,
-  jwt: { header: JwtHeader; payload: JwtPayload },
-) => Promise<string>;

package/lib/jwt/JwtVerifier.ts

@@ -1,130 +0,0 @@
-import { JWK, JwtHeader, JwtPayload, SigningAlgo } from '..';
-
-import { JwtProtectionMethod, JwtType } from './jwtUtils';
-
-export interface JwtVerifierBase {
-  type: JwtType;
-  method: JwtProtectionMethod;
-}
-
-export interface DidJwtVerifier extends JwtVerifierBase {
-  method: 'did';
-
-  alg: SigningAlgo | string;
-  didUrl: string;
-}
-
-export interface X5cJwtVerifier extends JwtVerifierBase {
-  method: 'x5c';
-
-  alg: SigningAlgo | string;
-
-  /**
-   *
-   * Array of base64-encoded certificate strings in the DER-format.
-   *
-   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.
-   */
-  x5c: Array<string>;
-
-  /**
-   * The jwt issuer
-   */
-  issuer: string;
-}
-
-export interface OpenIdFederationJwtVerifier extends JwtVerifierBase {
-  method: 'openid-federation';
-
-  /**
-   * The OpenId federation Entity
-   */
-  entityId: string;
-}
-
-export interface JwkJwtVerifier extends JwtVerifierBase {
-  method: 'jwk';
-  alg: SigningAlgo | string;
-
-  jwk: JWK;
-}
-
-export interface CustomJwtVerifier extends JwtVerifierBase {
-  method: 'custom';
-}
-
-export type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier;
-
-export const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {
-  const { type } = options;
-  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`);
-  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);
-
-  if (!jwt.header.kid.includes('#')) {
-    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`);
-  }
-  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg };
-};
-
-const getIssuer = (type: JwtType, payload: JwtPayload): string => {
-  // For 'request-object' the `iss` value is not required so we map the issuer to client_id
-  if (type === 'request-object') {
-    if (!payload.client_id) {
-      throw new Error('Missing required field client_id in request object JWT');
-    }
-    return payload.client_id as string;
-  }
-
-  if (typeof payload.iss !== 'string') {
-    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`);
-  }
-  return payload.iss;
-};
-
-export const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {
-  const { type } = options;
-  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`);
-  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);
-
-  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {
-    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`);
-  }
-
-  return {
-    method: 'x5c',
-    x5c: jwt.header.x5c,
-    issuer: getIssuer(type, jwt.payload),
-    type: type,
-    alg: jwt.header.alg,
-  };
-};
-
-export const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {
-  const { type } = options;
-  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`);
-  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);
-
-  if (typeof jwt.header.jwk !== 'object') {
-    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`);
-  }
-
-  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg };
-};
-
-export const getJwtVerifierWithContext = async (
-  jwt: { header: JwtHeader; payload: JwtPayload },
-  options: { type: JwtType },
-): Promise<JwtVerifier> => {
-  const { header, payload } = jwt;
-
-  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options);
-  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options);
-  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options);
-
-  return { method: 'custom', type: options.type };
-};
-
-export type VerifyJwtCallbackBase<T extends JwtVerifier> = (
-  jwtVerifier: T,
-  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },
-) => Promise<boolean>;

package/lib/jwt/__tests__/JwkThumbprint.spec.ts

@@ -1,16 +0,0 @@
-import { calculateJwkThumbprint } from '../JwkThumbprint';
-
-describe('JwkThumbprint', () => {
-  test('correctly calculates jwk thumbprint', async () => {
-    // Based on https://www.rfc-editor.org/rfc/rfc7638.html#section-3.1
-    expect(
-      await calculateJwkThumbprint({
-        kty: 'RSA',
-        n: '0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw',
-        e: 'AQAB',
-        alg: 'RS256',
-        kid: '2011-04-29',
-      }),
-    ).toEqual('NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs');
-  });
-});

package/lib/jwt/index.ts

@@ -1,6 +0,0 @@
-export * from './JwkThumbprint';
-export * from './Jwt.types';
-export * from './JwtIssuer';
-export * from './JwtVerifier';
-export * from './jwtUtils';
-export * from './Jwk.types';