@sphereon/jarm/dist/index.cjs.map

Sphereon JARM

{"version":3,"sources":["../lib/index.ts","../lib/utils.ts","../lib/v-response-mode-registry.ts","../lib/jarm-auth-response-send/jarm-auth-response-send.ts","../lib/jarm-auth-response/c-jarm-auth-response.ts","../lib/v-response-type-registry.ts","../lib/jarm-auth-response/jarm-auth-response.ts","../lib/jarm-auth-response/v-jarm-auth-response-params.ts","../lib/jarm-auth-response/v-jarm-direct-post-jwt-auth-response-params.ts","../lib/metadata/v-jarm-client-metadata.ts","../lib/metadata/v-jarm-server-metadata.ts","../lib/metadata/jarm-validate-metadata.ts"],"sourcesContent":["export * from './jarm-auth-response-send'\nexport * from './jarm-auth-response'\nexport * from './metadata'\n","export function appendQueryParams(input: { url: URL; params: Record<string, string | number | boolean> }) {\n  const { url, params } = input\n\n  // Append the new query parameters from the params object\n  for (const [key, value] of Object.entries(params)) {\n    url.searchParams.append(key, encodeURIComponent(value))\n  }\n\n  return url\n}\n\nexport function appendFragmentParams(input: { url: URL; fragments: Record<string, string | number | boolean> }) {\n  const { url, fragments } = input\n\n  // Convert existing fragment to an object and remove the leading '#'\n  const fragmentParams = new URLSearchParams(url.hash.slice(1)) // Remove the leading '#' from the fragment\n\n  // Append the new fragments from the fragments object\n  for (const [key, value] of Object.entries(fragments)) {\n    fragmentParams.append(key, encodeURIComponent(value))\n  }\n\n  // Rebuild the fragment string and assign it to the URL\n  url.hash = fragmentParams.toString()\n\n  return url\n}\n\ninterface AssertValueSupported<T> {\n  supported: T[]\n  actual: T\n  error: Error\n  required: boolean\n}\n\nexport function assertValueSupported<T>(input: AssertValueSupported<T>): T | undefined {\n  const { required, error, supported, actual } = input\n  const intersection = supported.find((value) => value === actual)\n\n  if (required && !intersection) throw error\n  return intersection\n}\n","import * as v from 'valibot'\n\nimport type { ResponseTypeOut } from './v-response-type-registry'\n\nexport const vJarmResponseMode = v.picklist(['jwt', 'query.jwt', 'fragment.jwt', 'form_post.jwt'])\nexport type JarmResponseMode = v.InferInput<typeof vJarmResponseMode>\n\nexport const vOpenid4vpResponseMode = v.picklist(['direct_post'])\nexport type Openid4vpResponseMode = v.InferInput<typeof vOpenid4vpResponseMode>\n\n/**\n *  * 'direct_post.jwt' The response is send as HTTP POST request using the application/x-www-form-urlencoded content type. The body contains a single parameter response which is the JWT encoded Response as defined in JARM 4.1\n */\nexport const vOpenid4vpJarmResponseMode = v.picklist(['direct_post.jwt'])\nexport type Openid4vpJarmResponseMode = v.InferInput<typeof vOpenid4vpJarmResponseMode>\n\n/**\n *  The use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.\n *  * 'query' In this mode, Authorization Response parameters are encoded in the query string added to the redirect_uri when redirecting back to the Client.\n *  * 'fragment' In this mode, Authorization Response parameters are encoded in the fragment added to the redirect_uri when redirecting back to the Client.\n *  * 'direct_post' the Authorization Response is send to an endpoint controlled by the Verifier via an HTTP POST request.\n */\nexport const vResponseMode = v.pipe(\n  v.picklist(['query', 'fragment', ...vOpenid4vpResponseMode.options, ...vJarmResponseMode.options, ...vOpenid4vpJarmResponseMode.options]),\n  v.description('Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.'),\n)\nexport type ResponseMode = v.InferInput<typeof vResponseMode>\n\nconst getDisAllowedResponseModes = (input: { response_type: ResponseTypeOut }): [ResponseMode, ...ResponseMode[]] | undefined => {\n  const { response_type } = input\n\n  switch (response_type) {\n    case 'code token':\n      return ['query']\n    case 'code id_token':\n      return ['query']\n    case 'id_token token':\n      return ['query']\n    case 'code id_token token':\n      return ['query']\n  }\n  return undefined\n}\n\nexport const getDefaultResponseMode = (input: { response_type: ResponseTypeOut }): 'query' | 'fragment' => {\n  const { response_type } = input\n\n  switch (response_type) {\n    case 'code':\n    case 'none':\n      return 'query'\n    case 'token':\n    case 'id_token':\n    case 'code token':\n    case 'code id_token':\n    case 'id_token token':\n    case 'code id_token token':\n    case 'vp_token':\n    case 'id_token vp_token':\n      return 'fragment'\n  }\n}\n\nexport const getJarmDefaultResponseMode = (input: { response_type: ResponseTypeOut }): 'query.jwt' | 'fragment.jwt' => {\n  const responseMode = getDefaultResponseMode(input)\n\n  switch (responseMode) {\n    case 'query':\n      return 'query.jwt'\n    case 'fragment':\n      return 'fragment.jwt'\n  }\n}\n\nexport const validateResponseMode = (input: { response_type: ResponseTypeOut; response_mode: ResponseMode }) => {\n  const disallowedResponseModes = getDisAllowedResponseModes(input)\n\n  if (disallowedResponseModes?.includes(input.response_mode)) {\n    throw new Error(`Response_type '${input.response_type}' is not compatible with response_mode '${input.response_mode}'.`)\n  }\n}\n","import { appendFragmentParams, appendQueryParams } from '../utils'\nimport type { JarmResponseMode, Openid4vpJarmResponseMode } from '../v-response-mode-registry'\nimport { getJarmDefaultResponseMode, validateResponseMode } from '../v-response-mode-registry'\nimport type { ResponseTypeOut } from '../v-response-type-registry'\n\ninterface JarmAuthResponseSendInput {\n  authRequestParams: {\n    response_mode?: JarmResponseMode | Openid4vpJarmResponseMode\n    response_type: ResponseTypeOut\n  } & (\n    | {\n        response_uri: string\n      }\n    | {\n        redirect_uri: string\n      }\n  )\n\n  authResponse: string\n  state: string\n}\n\nexport const jarmAuthResponseSend = async (input: JarmAuthResponseSendInput): Promise<Response> => {\n  const { authRequestParams, authResponse, state } = input\n\n  const responseEndpoint = 'response_uri' in authRequestParams ? new URL(authRequestParams.response_uri) : new URL(authRequestParams.redirect_uri)\n\n  const responseMode =\n    authRequestParams.response_mode && authRequestParams.response_mode !== 'jwt'\n      ? authRequestParams.response_mode\n      : getJarmDefaultResponseMode(authRequestParams)\n\n  validateResponseMode({\n    response_type: authRequestParams.response_type,\n    response_mode: responseMode,\n  })\n\n  switch (responseMode) {\n    case 'direct_post.jwt':\n      return handleDirectPostJwt(responseEndpoint, authResponse, state)\n    case 'query.jwt':\n      return handleQueryJwt(responseEndpoint, authResponse, state)\n    case 'fragment.jwt':\n      return handleFragmentJwt(responseEndpoint, authResponse, state)\n    case 'form_post.jwt':\n      throw new Error('Not implemented. form_post.jwt is not yet supported.')\n  }\n}\n\nasync function handleDirectPostJwt(responseEndpoint: URL, responseJwt: string, state: string) {\n  const response = await fetch(responseEndpoint, {\n    method: 'POST',\n    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n    body: `response=${responseJwt}&state=${state}`,\n  })\n  return response\n}\n\nasync function handleQueryJwt(responseEndpoint: URL, responseJwt: string, state: string) {\n  const responseUrl = appendQueryParams({\n    url: responseEndpoint,\n    params: { response: responseJwt, state },\n  })\n\n  const response = await fetch(responseUrl, { method: 'POST' })\n  return response\n}\n\nasync function handleFragmentJwt(responseEndpoint: URL, responseJwt: string, state: string) {\n  const responseUrl = appendFragmentParams({\n    url: responseEndpoint,\n    fragments: { response: responseJwt, state },\n  })\n  const response = await fetch(responseUrl, { method: 'POST' })\n  return response\n}\n","import * as v from 'valibot'\n\nimport { vJarmResponseMode, vOpenid4vpJarmResponseMode } from '../v-response-mode-registry'\nimport { vResponseType } from '../v-response-type-registry'\n\nimport type { JarmAuthResponseParams } from './v-jarm-auth-response-params'\nimport type { JarmDirectPostJwtResponseParams } from './v-jarm-direct-post-jwt-auth-response-params'\n\nexport const vAuthRequestParams = v.looseObject({\n  state: v.optional(v.string()),\n  response_mode: v.optional(v.union([vJarmResponseMode, vOpenid4vpJarmResponseMode])),\n  client_id: v.string(),\n  response_type: vResponseType,\n  client_metadata: v.looseObject({\n    jwks: v.optional(\n      v.object({\n        keys: v.array(v.looseObject({ kid: v.optional(v.string()), kty: v.string() })),\n      }),\n    ),\n    jwks_uri: v.optional(v.string()),\n  }),\n})\n\nexport type AuthRequestParams = v.InferInput<typeof vAuthRequestParams>\n\nexport const vOAuthAuthRequestGetParamsOut = v.object({\n  authRequestParams: vAuthRequestParams,\n})\n\nexport type OAuthAuthRequestGetParamsOut = v.InferOutput<typeof vOAuthAuthRequestGetParamsOut>\n\nexport interface JarmDirectPostJwtAuthResponseValidationContext {\n  openid4vp: {\n    authRequest: {\n      getParams: (input: JarmAuthResponseParams | JarmDirectPostJwtResponseParams) => Promise<OAuthAuthRequestGetParamsOut>\n    }\n  }\n  jwe: {\n    decryptCompact: (input: { jwe: string; jwk: { kid: string } }) => Promise<{ plaintext: string }>\n  }\n}\n","import * as v from 'valibot'\n\nexport const oAuthResponseTypes = v.picklist(['code', 'token'])\n\n// NOTE: MAKE SURE THAT THE RESPONSE TYPES ARE SORTED CORRECTLY\nexport const oAuthMRTEPResponseTypes = v.picklist(['none', 'id_token', 'code token', 'code id_token', 'id_token token', 'code id_token token'])\n\nexport const openid4vpResponseTypes = v.picklist(['vp_token', 'id_token vp_token'])\n\nexport const vTransformedResponseTypes = v.picklist([\n  ...openid4vpResponseTypes.options,\n  ...oAuthResponseTypes.options,\n  ...oAuthMRTEPResponseTypes.options,\n])\n\nexport const vResponseType = v.pipe(\n  v.string(),\n  v.transform((val) => val.split(' ').sort().join(' ')),\n  vTransformedResponseTypes,\n)\n\nexport type ResponseType = v.InferInput<typeof vTransformedResponseTypes>\nexport type ResponseTypeOut = v.InferOutput<typeof vTransformedResponseTypes>\n","import { decodeProtectedHeader, isJwe, isJws } from '@sphereon/oid4vc-common'\nimport * as v from 'valibot'\n\nimport type { AuthRequestParams, JarmDirectPostJwtAuthResponseValidationContext } from './c-jarm-auth-response'\nimport { vJarmAuthResponseErrorParams } from './v-jarm-auth-response-params'\nimport {\n  jarmAuthResponseDirectPostValidateParams,\n  JarmDirectPostJwtResponseParams,\n  vJarmDirectPostJwtParams,\n} from './v-jarm-direct-post-jwt-auth-response-params'\n\nexport interface JarmDirectPostJwtAuthResponseValidation {\n  /**\n   * The JARM response parameter conveyed either as url query param, fragment param, or application/x-www-form-urlencoded in the body of a post request\n   */\n  response: string\n}\n\nconst parseJarmAuthResponseParams = <Schema extends v.BaseSchema<unknown, unknown, v.BaseIssue<unknown>>>(\n  schema: Schema,\n  responseParams: unknown,\n) => {\n  if (v.is(vJarmAuthResponseErrorParams, responseParams)) {\n    const errorResponseJson = JSON.stringify(responseParams, undefined, 2)\n    throw new Error(`Received error response from authorization server. '${errorResponseJson}'`)\n  }\n\n  return v.parse(schema, responseParams)\n}\n\nconst decryptJarmAuthResponse = async (input: { response: string }, ctx: JarmDirectPostJwtAuthResponseValidationContext) => {\n  const { response } = input\n\n  const responseProtectedHeader = decodeProtectedHeader(response)\n  if (!responseProtectedHeader.kid) {\n    throw new Error(`Jarm JWE is missing the protected header field 'kid'.`)\n  }\n\n  const { plaintext } = await ctx.jwe.decryptCompact({\n    jwe: response,\n    jwk: { kid: responseProtectedHeader.kid },\n  })\n\n  return plaintext\n}\n\n/**\n * Validate a JARM direct_post.jwt compliant authentication response\n * * The decryption key should be resolvable using the the protected header's 'kid' field\n * * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.\n */\nexport const jarmAuthResponseDirectPostJwtValidate = async (\n  input: JarmDirectPostJwtAuthResponseValidation,\n  ctx: JarmDirectPostJwtAuthResponseValidationContext,\n) => {\n  const { response } = input\n\n  const responseIsEncrypted = isJwe(response)\n  const decryptedResponse = responseIsEncrypted ? await decryptJarmAuthResponse(input, ctx) : response\n\n  const responseIsSigned = isJws(decryptedResponse)\n  if (!responseIsEncrypted && !responseIsSigned) {\n    throw new Error('Jarm Auth Response must be either encrypted, signed, or signed and encrypted.')\n  }\n\n  let authResponseParams: JarmDirectPostJwtResponseParams\n  let authRequestParams: AuthRequestParams\n\n  if (responseIsSigned) {\n    throw new Error('Signed JARM responses are not supported.')\n    //const jwsProtectedHeader = decodeProtectedHeader(decryptedResponse);\n    //const jwsPayload = decodeJwt(decryptedResponse);\n\n    //const schema = v.required(vJarmDirectPostJwtParams, ['iss', 'aud', 'exp']);\n    //const responseParams = parseJarmAuthResponseParams(schema, jwsPayload);\n    //({ authRequestParams } = await ctx.openid4vp.authRequest.getParams(responseParams));\n\n    //if (!jwsProtectedHeader.kid) {\n    //throw new Error(`Jarm JWS is missing the protected header field 'kid'.`);\n    //}\n\n    //await ctx.jose.jws.verifyJwt({\n    //jws: decryptedResponse,\n    //jwk: { kid: jwsProtectedHeader.kid, kty: 'auto' },\n    //});\n    //authResponseParams = responseParams;\n  } else {\n    const jsonResponse: unknown = JSON.parse(decryptedResponse)\n    authResponseParams = parseJarmAuthResponseParams(vJarmDirectPostJwtParams, jsonResponse)\n    ;({ authRequestParams } = await ctx.openid4vp.authRequest.getParams(authResponseParams))\n  }\n\n  jarmAuthResponseDirectPostValidateParams({\n    authRequestParams,\n    authResponseParams,\n  })\n\n  let type: 'signed encrypted' | 'encrypted' | 'signed'\n  if (responseIsSigned && responseIsEncrypted) type = 'signed encrypted'\n  else if (responseIsEncrypted) type = 'encrypted'\n  else type = 'signed'\n\n  return {\n    authRequestParams,\n    authResponseParams,\n    type,\n  }\n}\n","import { checkExp } from '@sphereon/oid4vc-common'\nimport * as v from 'valibot'\n\nexport const vJarmAuthResponseErrorParams = v.looseObject({\n  error: v.string(),\n  state: v.optional(v.string()),\n\n  error_description: v.pipe(\n    v.optional(v.string()),\n    v.description('Text providing additional information, used to assist the client developer in understanding the error that occurred.'),\n  ),\n\n  error_uri: v.pipe(\n    v.optional(v.pipe(v.string(), v.url())),\n    v.description(\n      'A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error',\n    ),\n  ),\n})\n\nexport const vJarmAuthResponseParams = v.looseObject({\n  state: v.optional(v.string()),\n\n  /**\n   * The issuer URL of the authorization server that created the response\n   */\n  iss: v.string(),\n\n  /**\n   * Expiration of the JWT\n   */\n  exp: v.number(),\n\n  /**\n   * The client_id of the client the response is intended for\n   */\n  aud: v.string(),\n})\n\nexport type JarmAuthResponseParams = v.InferInput<typeof vJarmAuthResponseParams>\n\nexport const validateJarmAuthResponseParams = (input: {\n  authRequestParams: { client_id: string; state?: string }\n  authResponseParams: JarmAuthResponseParams\n}) => {\n  const { authRequestParams, authResponseParams } = input\n  // 2. The client obtains the state parameter from the JWT and checks its binding to the user agent. If the check fails, the client MUST abort processing and refuse the response.\n  if (authRequestParams.state !== authResponseParams.state) {\n    throw new Error(`State missmatch in jarm-auth-response. Expected '${authRequestParams.state}' received '${authRequestParams.state}'.`)\n  }\n\n  // 4. The client obtains the aud element from the JWT and checks whether it matches the client id the client used to identify itself in the corresponding authorization request. If the check fails, the client MUST abort processing and refuse the response.\n  if (authRequestParams.client_id !== authResponseParams.aud) {\n    throw new Error(`Invalid audience in jarm-auth-response. Expected '${authRequestParams.client_id}' received '${authResponseParams.aud}'.`)\n  }\n\n  // 5. The client checks the JWT's exp element to determine if the JWT is still valid. If the check fails, the client MUST abort processing and refuse the response.\n  // 120 seconds clock skew\n  if (checkExp({ exp: authResponseParams.exp })) {\n    throw new Error(`The '${authRequestParams.state}' and the jarm-auth-response.`)\n  }\n}\n","import * as v from 'valibot'\n\nimport { vJarmAuthResponseParams } from './v-jarm-auth-response-params'\n\nexport const vJarmDirectPostJwtParams = v.looseObject({\n  ...v.omit(vJarmAuthResponseParams, ['iss', 'aud', 'exp']).entries,\n  ...v.partial(v.pick(vJarmAuthResponseParams, ['iss', 'aud', 'exp'])).entries,\n\n  vp_token: v.union([v.string(), v.array(v.pipe(v.string(), v.nonEmpty()))]),\n  dcql_query: v.unknown(),\n  nonce: v.optional(v.string()),\n})\n\nexport type JarmDirectPostJwtResponseParams = v.InferInput<typeof vJarmDirectPostJwtParams>\n\nexport const jarmAuthResponseDirectPostValidateParams = (input: {\n  authRequestParams: { state?: string }\n  authResponseParams: JarmDirectPostJwtResponseParams\n}) => {\n  const { authRequestParams, authResponseParams } = input\n\n  // 2. The client obtains the state parameter from the JWT and checks its binding to the user agent. If the check fails, the client MUST abort processing and refuse the response.\n  if (authRequestParams.state !== authResponseParams.state) {\n    throw new Error(`State missmatch between auth request '${authRequestParams.state}' and the jarm-auth-response.`)\n  }\n}\n","import * as v from 'valibot'\n\nexport const vJarmClientMetadataSign = v.object({\n  authorization_signed_response_alg: v.pipe(\n    v.optional(v.string()), // @default 'RS256'  This makes no sense with openid4vp if just encrypted can be specified\n    v.description(\n      'JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.',\n    ),\n  ),\n\n  authorization_encrypted_response_alg: v.optional(v.never()),\n  authorization_encrypted_response_enc: v.optional(v.never()),\n})\n\nexport const vJarmClientMetadataEncrypt = v.object({\n  authorization_signed_response_alg: v.optional(v.never()),\n  authorization_encrypted_response_alg: v.pipe(\n    v.string(),\n    v.description(\n      'JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.',\n    ),\n  ),\n\n  authorization_encrypted_response_enc: v.pipe(\n    v.optional(v.string(), 'A128CBC-HS256'),\n    v.description(\n      'JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.',\n    ),\n  ),\n})\n\nexport const vJarmClientMetadataSignEncrypt = v.object({\n  ...v.pick(vJarmClientMetadataSign, ['authorization_signed_response_alg']).entries,\n  ...v.pick(vJarmClientMetadataEncrypt, ['authorization_encrypted_response_alg', 'authorization_encrypted_response_enc']).entries,\n})\n\n/**\n * Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.\n */\nexport const vJarmClientMetadata = v.union([vJarmClientMetadataSign, vJarmClientMetadataEncrypt, vJarmClientMetadataSignEncrypt])\n\nexport type JarmClientMetadata = v.InferInput<typeof vJarmClientMetadata>\n","import * as v from 'valibot'\n\n/**\n * Authorization servers SHOULD publish the supported algorithms for signing and encrypting the JWT of an authorization response by utilizing OAuth 2.0 Authorization Server Metadata [RFC8414] parameters.\n */\nexport const vJarmServerMetadata = v.object({\n  authorization_signing_alg_values_supported: v.pipe(\n    v.array(v.string()),\n    v.description(\n      'JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to sign the response.',\n    ),\n  ),\n\n  authorization_encryption_alg_values_supported: v.pipe(\n    v.array(v.string()),\n    v.description(\n      'JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.',\n    ),\n  ),\n\n  authorization_encryption_enc_values_supported: v.pipe(\n    v.array(v.string()),\n    v.description(\n      'JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.',\n    ),\n  ),\n})\n\nexport type JarmServerMetadata = v.InferInput<typeof vJarmServerMetadata>\n","import * as v from 'valibot'\n\nimport {\n  vJarmClientMetadata,\n  vJarmClientMetadataEncrypt,\n  vJarmClientMetadataSign,\n  vJarmClientMetadataSignEncrypt,\n} from '../metadata/v-jarm-client-metadata'\nimport { vJarmServerMetadata } from '../metadata/v-jarm-server-metadata'\nimport { assertValueSupported } from '../utils'\n\nexport const vJarmAuthResponseValidateMetadataInput = v.object({\n  client_metadata: vJarmClientMetadata,\n  server_metadata: v.partial(vJarmServerMetadata),\n})\nexport type JarmMetadataValidate = v.InferInput<typeof vJarmAuthResponseValidateMetadataInput>\n\nexport const vJarmMetadataValidateOut = v.variant('type', [\n  v.object({\n    type: v.literal('signed'),\n    client_metadata: vJarmClientMetadataSign,\n  }),\n  v.object({\n    type: v.literal('encrypted'),\n    client_metadata: vJarmClientMetadataEncrypt,\n  }),\n  v.object({\n    type: v.literal('signed encrypted'),\n    client_metadata: vJarmClientMetadataSignEncrypt,\n  }),\n])\n\nexport const jarmMetadataValidate = (vJarmMetadataValidate: JarmMetadataValidate): v.InferOutput<typeof vJarmMetadataValidateOut> => {\n  const { client_metadata, server_metadata } = vJarmMetadataValidate\n  const { authorization_encrypted_response_alg, authorization_encrypted_response_enc, authorization_signed_response_alg } = client_metadata\n\n  assertValueSupported({\n    supported: server_metadata.authorization_signing_alg_values_supported ?? [],\n    actual: authorization_signed_response_alg,\n    required: !!authorization_signed_response_alg,\n    error: new Error('Invalid authorization_signed_response_alg'),\n  })\n\n  assertValueSupported({\n    supported: server_metadata.authorization_encryption_alg_values_supported ?? [],\n    actual: authorization_encrypted_response_alg,\n    required: !!authorization_encrypted_response_alg,\n    error: new Error('Invalid authorization_encrypted_response_alg'),\n  })\n\n  assertValueSupported({\n    supported: server_metadata.authorization_encryption_enc_values_supported ?? [],\n    actual: authorization_encrypted_response_enc,\n    required: !!authorization_encrypted_response_enc,\n    error: new Error('Invalid authorization_encrypted_response_enc'),\n  })\n\n  if (authorization_signed_response_alg && authorization_encrypted_response_alg && authorization_encrypted_response_enc) {\n    return {\n      type: 'signed encrypted',\n      client_metadata: {\n        authorization_signed_response_alg,\n        authorization_encrypted_response_alg,\n        authorization_encrypted_response_enc,\n      },\n    }\n  } else if (authorization_signed_response_alg && !authorization_encrypted_response_alg && !authorization_encrypted_response_enc) {\n    return {\n      type: 'signed',\n      client_metadata: { authorization_signed_response_alg },\n    }\n  } else if (!authorization_signed_response_alg && authorization_encrypted_response_alg && authorization_encrypted_response_enc) {\n    return {\n      type: 'encrypted',\n      client_metadata: { authorization_encrypted_response_alg, authorization_encrypted_response_enc },\n    }\n  } else {\n    throw new Error(`Invalid jarm client_metadata combination`)\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;ACAO,SAASA,kBAAkBC,OAAsE;AACtG,QAAM,EAAEC,KAAAA,MAAKC,OAAM,IAAKF;AAGxB,aAAW,CAACG,KAAKC,KAAAA,KAAUC,OAAOC,QAAQJ,MAAAA,GAAS;AACjDD,IAAAA,KAAIM,aAAaC,OAAOL,KAAKM,mBAAmBL,KAAAA,CAAAA;EAClD;AAEA,SAAOH;AACT;AATgBF;AAWT,SAASW,qBAAqBV,OAAyE;AAC5G,QAAM,EAAEC,KAAAA,MAAKU,UAAS,IAAKX;AAG3B,QAAMY,iBAAiB,IAAIC,gBAAgBZ,KAAIa,KAAKC,MAAM,CAAA,CAAA;AAG1D,aAAW,CAACZ,KAAKC,KAAAA,KAAUC,OAAOC,QAAQK,SAAAA,GAAY;AACpDC,mBAAeJ,OAAOL,KAAKM,mBAAmBL,KAAAA,CAAAA;EAChD;AAGAH,EAAAA,KAAIa,OAAOF,eAAeI,SAAQ;AAElC,SAAOf;AACT;AAfgBS;AAwBT,SAASO,qBAAwBjB,OAA8B;AACpE,QAAM,EAAEkB,UAAUC,OAAOC,WAAWC,OAAM,IAAKrB;AAC/C,QAAMsB,eAAeF,UAAUG,KAAK,CAACnB,UAAUA,UAAUiB,MAAAA;AAEzD,MAAIH,YAAY,CAACI,aAAc,OAAMH;AACrC,SAAOG;AACT;AANgBL;;;ACnChB,QAAmB;AAIZ,IAAMO,oBAAsBC,WAAS;EAAC;EAAO;EAAa;EAAgB;CAAgB;AAG1F,IAAMC,yBAA2BD,WAAS;EAAC;CAAc;AAMzD,IAAME,6BAA+BF,WAAS;EAAC;CAAkB;AASjE,IAAMG,gBAAkBC,OAC3BJ,WAAS;EAAC;EAAS;KAAeC,uBAAuBI;KAAYN,kBAAkBM;KAAYH,2BAA2BG;CAAQ,GACtIC,cAAY,wHAAA,CAAA;AAIhB,IAAMC,6BAA6B,wBAACC,UAAAA;AAClC,QAAM,EAAEC,cAAa,IAAKD;AAE1B,UAAQC,eAAAA;IACN,KAAK;AACH,aAAO;QAAC;;IACV,KAAK;AACH,aAAO;QAAC;;IACV,KAAK;AACH,aAAO;QAAC;;IACV,KAAK;AACH,aAAO;QAAC;;EACZ;AACA,SAAOC;AACT,GAdmC;AAgB5B,IAAMC,yBAAyB,wBAACH,UAAAA;AACrC,QAAM,EAAEC,cAAa,IAAKD;AAE1B,UAAQC,eAAAA;IACN,KAAK;IACL,KAAK;AACH,aAAO;IACT,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;AACH,aAAO;EACX;AACF,GAjBsC;AAmB/B,IAAMG,6BAA6B,wBAACJ,UAAAA;AACzC,QAAMK,eAAeF,uBAAuBH,KAAAA;AAE5C,UAAQK,cAAAA;IACN,KAAK;AACH,aAAO;IACT,KAAK;AACH,aAAO;EACX;AACF,GAT0C;AAWnC,IAAMC,uBAAuB,wBAACN,UAAAA;AACnC,QAAMO,0BAA0BR,2BAA2BC,KAAAA;AAE3D,MAAIO,yBAAyBC,SAASR,MAAMS,aAAa,GAAG;AAC1D,UAAM,IAAIC,MAAM,kBAAkBV,MAAMC,aAAa,2CAA2CD,MAAMS,aAAa,IAAI;EACzH;AACF,GANoC;;;ACpD7B,IAAME,uBAAuB,8BAAOC,UAAAA;AACzC,QAAM,EAAEC,mBAAmBC,cAAcC,MAAK,IAAKH;AAEnD,QAAMI,mBAAmB,kBAAkBH,oBAAoB,IAAII,IAAIJ,kBAAkBK,YAAY,IAAI,IAAID,IAAIJ,kBAAkBM,YAAY;AAE/I,QAAMC,eACJP,kBAAkBQ,iBAAiBR,kBAAkBQ,kBAAkB,QACnER,kBAAkBQ,gBAClBC,2BAA2BT,iBAAAA;AAEjCU,uBAAqB;IACnBC,eAAeX,kBAAkBW;IACjCH,eAAeD;EACjB,CAAA;AAEA,UAAQA,cAAAA;IACN,KAAK;AACH,aAAOK,oBAAoBT,kBAAkBF,cAAcC,KAAAA;IAC7D,KAAK;AACH,aAAOW,eAAeV,kBAAkBF,cAAcC,KAAAA;IACxD,KAAK;AACH,aAAOY,kBAAkBX,kBAAkBF,cAAcC,KAAAA;IAC3D,KAAK;AACH,YAAM,IAAIa,MAAM,sDAAA;EACpB;AACF,GAzBoC;AA2BpC,eAAeH,oBAAoBT,kBAAuBa,aAAqBd,OAAa;AAC1F,QAAMe,WAAW,MAAMC,MAAMf,kBAAkB;IAC7CgB,QAAQ;IACRC,SAAS;MAAE,gBAAgB;IAAoC;IAC/DC,MAAM,YAAYL,WAAAA,UAAqBd,KAAAA;EACzC,CAAA;AACA,SAAOe;AACT;AAPeL;AASf,eAAeC,eAAeV,kBAAuBa,aAAqBd,OAAa;AACrF,QAAMoB,cAAcC,kBAAkB;IACpCC,KAAKrB;IACLsB,QAAQ;MAAER,UAAUD;MAAad;IAAM;EACzC,CAAA;AAEA,QAAMe,WAAW,MAAMC,MAAMI,aAAa;IAAEH,QAAQ;EAAO,CAAA;AAC3D,SAAOF;AACT;AAReJ;AAUf,eAAeC,kBAAkBX,kBAAuBa,aAAqBd,OAAa;AACxF,QAAMoB,cAAcI,qBAAqB;IACvCF,KAAKrB;IACLwB,WAAW;MAAEV,UAAUD;MAAad;IAAM;EAC5C,CAAA;AACA,QAAMe,WAAW,MAAMC,MAAMI,aAAa;IAAEH,QAAQ;EAAO,CAAA;AAC3D,SAAOF;AACT;AAPeH;;;ACpEf,IAAAc,KAAmB;;;ACAnB,IAAAC,KAAmB;AAEZ,IAAMC,qBAAuBC,YAAS;EAAC;EAAQ;CAAQ;AAGvD,IAAMC,0BAA4BD,YAAS;EAAC;EAAQ;EAAY;EAAc;EAAiB;EAAkB;CAAsB;AAEvI,IAAME,yBAA2BF,YAAS;EAAC;EAAY;CAAoB;AAE3E,IAAMG,4BAA8BH,YAAS;KAC/CE,uBAAuBE;KACvBL,mBAAmBK;KACnBH,wBAAwBG;CAC5B;AAEM,IAAMC,gBAAkBC,QAC3BC,UAAM,GACNC,aAAU,CAACC,QAAQA,IAAIC,MAAM,GAAA,EAAKC,KAAI,EAAGC,KAAK,GAAA,CAAA,GAChDT,yBAAAA;;;ADVK,IAAMU,qBAAuBC,eAAY;EAC9CC,OAASC,YAAWC,UAAM,CAAA;EAC1BC,eAAiBF,YAAWG,SAAM;IAACC;IAAmBC;GAA2B,CAAA;EACjFC,WAAaL,UAAM;EACnBM,eAAeC;EACfC,iBAAmBX,eAAY;IAC7BY,MAAQV,YACJW,UAAO;MACPC,MAAQC,SAAQf,eAAY;QAAEgB,KAAOd,YAAWC,UAAM,CAAA;QAAKc,KAAOd,UAAM;MAAG,CAAA,CAAA;IAC7E,CAAA,CAAA;IAEFe,UAAYhB,YAAWC,UAAM,CAAA;EAC/B,CAAA;AACF,CAAA;AAIO,IAAMgB,gCAAkCN,UAAO;EACpDO,mBAAmBrB;AACrB,CAAA;;;AE3BA,IAAAsB,wBAAoD;AACpD,IAAAC,KAAmB;;;ACDnB,2BAAyB;AACzB,IAAAC,KAAmB;AAEZ,IAAMC,+BAAiCC,eAAY;EACxDC,OAASC,UAAM;EACfC,OAASC,YAAWF,UAAM,CAAA;EAE1BG,mBAAqBC,QACjBF,YAAWF,UAAM,CAAA,GACjBK,eAAY,sHAAA,CAAA;EAGhBC,WAAaF,QACTF,YAAWE,QAAOJ,UAAM,GAAMO,OAAG,CAAA,CAAA,GACjCF,eACA,gKAAA,CAAA;AAGN,CAAA;AAEO,IAAMG,0BAA4BV,eAAY;EACnDG,OAASC,YAAWF,UAAM,CAAA;;;;EAK1BS,KAAOT,UAAM;;;;EAKbU,KAAOC,UAAM;;;;EAKbC,KAAOZ,UAAM;AACf,CAAA;AAIO,IAAMa,iCAAiC,wBAACC,UAAAA;AAI7C,QAAM,EAAEC,mBAAmBC,mBAAkB,IAAKF;AAElD,MAAIC,kBAAkBd,UAAUe,mBAAmBf,OAAO;AACxD,UAAM,IAAIgB,MAAM,oDAAoDF,kBAAkBd,KAAK,eAAec,kBAAkBd,KAAK,IAAI;EACvI;AAGA,MAAIc,kBAAkBG,cAAcF,mBAAmBJ,KAAK;AAC1D,UAAM,IAAIK,MAAM,qDAAqDF,kBAAkBG,SAAS,eAAeF,mBAAmBJ,GAAG,IAAI;EAC3I;AAIA,UAAIO,+BAAS;IAAET,KAAKM,mBAAmBN;EAAI,CAAA,GAAI;AAC7C,UAAM,IAAIO,MAAM,QAAQF,kBAAkBd,KAAK,+BAA+B;EAChF;AACF,GApB8C;;;ACzC9C,IAAAmB,KAAmB;AAIZ,IAAMC,2BAA6BC,eAAY;EACpD,GAAKC,QAAKC,yBAAyB;IAAC;IAAO;IAAO;GAAM,EAAEC;EAC1D,GAAKC,WAAUC,QAAKH,yBAAyB;IAAC;IAAO;IAAO;GAAM,CAAA,EAAGC;EAErEG,UAAYC,SAAM;IAAGC,UAAM;IAAMC,SAAQC,QAAOF,UAAM,GAAMG,YAAQ,CAAA,CAAA;GAAK;EACzEC,YAAcC,WAAO;EACrBC,OAASC,YAAWP,UAAM,CAAA;AAC5B,CAAA;AAIO,IAAMQ,2CAA2C,wBAACC,UAAAA;AAIvD,QAAM,EAAEC,mBAAmBC,mBAAkB,IAAKF;AAGlD,MAAIC,kBAAkBE,UAAUD,mBAAmBC,OAAO;AACxD,UAAM,IAAIC,MAAM,yCAAyCH,kBAAkBE,KAAK,+BAA+B;EACjH;AACF,GAVwD;;;AFGxD,IAAME,8BAA8B,wBAClCC,QACAC,mBAAAA;AAEA,MAAMC,MAAGC,8BAA8BF,cAAAA,GAAiB;AACtD,UAAMG,oBAAoBC,KAAKC,UAAUL,gBAAgBM,QAAW,CAAA;AACpE,UAAM,IAAIC,MAAM,uDAAuDJ,iBAAAA,GAAoB;EAC7F;AAEA,SAASK,SAAMT,QAAQC,cAAAA;AACzB,GAVoC;AAYpC,IAAMS,0BAA0B,8BAAOC,OAA6BC,QAAAA;AAClE,QAAM,EAAEC,SAAQ,IAAKF;AAErB,QAAMG,8BAA0BC,6CAAsBF,QAAAA;AACtD,MAAI,CAACC,wBAAwBE,KAAK;AAChC,UAAM,IAAIR,MAAM,uDAAuD;EACzE;AAEA,QAAM,EAAES,UAAS,IAAK,MAAML,IAAIM,IAAIC,eAAe;IACjDD,KAAKL;IACLO,KAAK;MAAEJ,KAAKF,wBAAwBE;IAAI;EAC1C,CAAA;AAEA,SAAOC;AACT,GAdgC;AAqBzB,IAAMI,wCAAwC,8BACnDV,OACAC,QAAAA;AAEA,QAAM,EAAEC,SAAQ,IAAKF;AAErB,QAAMW,0BAAsBC,6BAAMV,QAAAA;AAClC,QAAMW,oBAAoBF,sBAAsB,MAAMZ,wBAAwBC,OAAOC,GAAAA,IAAOC;AAE5F,QAAMY,uBAAmBC,6BAAMF,iBAAAA;AAC/B,MAAI,CAACF,uBAAuB,CAACG,kBAAkB;AAC7C,UAAM,IAAIjB,MAAM,+EAAA;EAClB;AAEA,MAAImB;AACJ,MAAIC;AAEJ,MAAIH,kBAAkB;AACpB,UAAM,IAAIjB,MAAM,0CAAA;EAiBlB,OAAO;AACL,UAAMqB,eAAwBxB,KAAKI,MAAMe,iBAAAA;AACzCG,yBAAqB5B,4BAA4B+B,0BAA0BD,YAAAA;AACzE,KAAA,EAAED,kBAAiB,IAAK,MAAMhB,IAAImB,UAAUC,YAAYC,UAAUN,kBAAAA;EACtE;AAEAO,2CAAyC;IACvCN;IACAD;EACF,CAAA;AAEA,MAAIQ;AACJ,MAAIV,oBAAoBH,oBAAqBa,QAAO;WAC3Cb,oBAAqBa,QAAO;MAChCA,QAAO;AAEZ,SAAO;IACLP;IACAD;IACAQ;EACF;AACF,GAxDqD;;;AGnDrD,IAAAC,KAAmB;AAEZ,IAAMC,0BAA4BC,UAAO;EAC9CC,mCAAqCC,QACjCC,YAAWC,UAAM,CAAA,GACjBC,eACA,mIAAA,CAAA;EAIJC,sCAAwCH,YAAWI,SAAK,CAAA;EACxDC,sCAAwCL,YAAWI,SAAK,CAAA;AAC1D,CAAA;AAEO,IAAME,6BAA+BT,UAAO;EACjDC,mCAAqCE,YAAWI,SAAK,CAAA;EACrDD,sCAAwCJ,QACpCE,UAAM,GACNC,eACA,8IAAA,CAAA;EAIJG,sCAAwCN,QACpCC,YAAWC,UAAM,GAAI,eAAA,GACrBC,eACA,8IAAA,CAAA;AAGN,CAAA;AAEO,IAAMK,iCAAmCV,UAAO;EACrD,GAAKW,QAAKZ,yBAAyB;IAAC;GAAoC,EAAEa;EAC1E,GAAKD,QAAKF,4BAA4B;IAAC;IAAwC;GAAuC,EAAEG;AAC1H,CAAA;AAKO,IAAMC,sBAAwBC,SAAM;EAACf;EAAyBU;EAA4BC;CAA+B;;;ACvChI,IAAAK,KAAmB;AAKZ,IAAMC,sBAAwBC,UAAO;EAC1CC,4CAA8CC,QAC1CC,SAAQC,UAAM,CAAA,GACdC,eACA,+JAAA,CAAA;EAIJC,+CAAiDJ,QAC7CC,SAAQC,UAAM,CAAA,GACdC,eACA,qKAAA,CAAA;EAIJE,+CAAiDL,QAC7CC,SAAQC,UAAM,CAAA,GACdC,eACA,qKAAA,CAAA;AAGN,CAAA;;;AC1BA,IAAAG,KAAmB;AAWZ,IAAMC,yCAA2CC,UAAO;EAC7DC,iBAAiBC;EACjBC,iBAAmBC,WAAQC,mBAAAA;AAC7B,CAAA;AAGO,IAAMC,2BAA6BC,WAAQ,QAAQ;EACtDP,UAAO;IACPQ,MAAQC,WAAQ,QAAA;IAChBR,iBAAiBS;EACnB,CAAA;EACEV,UAAO;IACPQ,MAAQC,WAAQ,WAAA;IAChBR,iBAAiBU;EACnB,CAAA;EACEX,UAAO;IACPQ,MAAQC,WAAQ,kBAAA;IAChBR,iBAAiBW;EACnB,CAAA;CACD;AAEM,IAAMC,uBAAuB,wBAACC,0BAAAA;AACnC,QAAM,EAAEb,iBAAiBE,gBAAe,IAAKW;AAC7C,QAAM,EAAEC,sCAAsCC,sCAAsCC,kCAAiC,IAAKhB;AAE1HiB,uBAAqB;IACnBC,WAAWhB,gBAAgBiB,8CAA8C,CAAA;IACzEC,QAAQJ;IACRK,UAAU,CAAC,CAACL;IACZM,OAAO,IAAIC,MAAM,2CAAA;EACnB,CAAA;AAEAN,uBAAqB;IACnBC,WAAWhB,gBAAgBsB,iDAAiD,CAAA;IAC5EJ,QAAQN;IACRO,UAAU,CAAC,CAACP;IACZQ,OAAO,IAAIC,MAAM,8CAAA;EACnB,CAAA;AAEAN,uBAAqB;IACnBC,WAAWhB,gBAAgBuB,iDAAiD,CAAA;IAC5EL,QAAQL;IACRM,UAAU,CAAC,CAACN;IACZO,OAAO,IAAIC,MAAM,8CAAA;EACnB,CAAA;AAEA,MAAIP,qCAAqCF,wCAAwCC,sCAAsC;AACrH,WAAO;MACLR,MAAM;MACNP,iBAAiB;QACfgB;QACAF;QACAC;MACF;IACF;EACF,WAAWC,qCAAqC,CAACF,wCAAwC,CAACC,sCAAsC;AAC9H,WAAO;MACLR,MAAM;MACNP,iBAAiB;QAAEgB;MAAkC;IACvD;EACF,WAAW,CAACA,qCAAqCF,wCAAwCC,sCAAsC;AAC7H,WAAO;MACLR,MAAM;MACNP,iBAAiB;QAAEc;QAAsCC;MAAqC;IAChG;EACF,OAAO;AACL,UAAM,IAAIQ,MAAM,0CAA0C;EAC5D;AACF,GA/CoC;","names":["appendQueryParams","input","url","params","key","value","Object","entries","searchParams","append","encodeURIComponent","appendFragmentParams","fragments","fragmentParams","URLSearchParams","hash","slice","toString","assertValueSupported","required","error","supported","actual","intersection","find","vJarmResponseMode","picklist","vOpenid4vpResponseMode","vOpenid4vpJarmResponseMode","vResponseMode","pipe","options","description","getDisAllowedResponseModes","input","response_type","undefined","getDefaultResponseMode","getJarmDefaultResponseMode","responseMode","validateResponseMode","disallowedResponseModes","includes","response_mode","Error","jarmAuthResponseSend","input","authRequestParams","authResponse","state","responseEndpoint","URL","response_uri","redirect_uri","responseMode","response_mode","getJarmDefaultResponseMode","validateResponseMode","response_type","handleDirectPostJwt","handleQueryJwt","handleFragmentJwt","Error","responseJwt","response","fetch","method","headers","body","responseUrl","appendQueryParams","url","params","appendFragmentParams","fragments","v","v","oAuthResponseTypes","picklist","oAuthMRTEPResponseTypes","openid4vpResponseTypes","vTransformedResponseTypes","options","vResponseType","pipe","string","transform","val","split","sort","join","vAuthRequestParams","looseObject","state","optional","string","response_mode","union","vJarmResponseMode","vOpenid4vpJarmResponseMode","client_id","response_type","vResponseType","client_metadata","jwks","object","keys","array","kid","kty","jwks_uri","vOAuthAuthRequestGetParamsOut","authRequestParams","import_oid4vc_common","v","v","vJarmAuthResponseErrorParams","looseObject","error","string","state","optional","error_description","pipe","description","error_uri","url","vJarmAuthResponseParams","iss","exp","number","aud","validateJarmAuthResponseParams","input","authRequestParams","authResponseParams","Error","client_id","checkExp","v","vJarmDirectPostJwtParams","looseObject","omit","vJarmAuthResponseParams","entries","partial","pick","vp_token","union","string","array","pipe","nonEmpty","dcql_query","unknown","nonce","optional","jarmAuthResponseDirectPostValidateParams","input","authRequestParams","authResponseParams","state","Error","parseJarmAuthResponseParams","schema","responseParams","is","vJarmAuthResponseErrorParams","errorResponseJson","JSON","stringify","undefined","Error","parse","decryptJarmAuthResponse","input","ctx","response","responseProtectedHeader","decodeProtectedHeader","kid","plaintext","jwe","decryptCompact","jwk","jarmAuthResponseDirectPostJwtValidate","responseIsEncrypted","isJwe","decryptedResponse","responseIsSigned","isJws","authResponseParams","authRequestParams","jsonResponse","vJarmDirectPostJwtParams","openid4vp","authRequest","getParams","jarmAuthResponseDirectPostValidateParams","type","v","vJarmClientMetadataSign","object","authorization_signed_response_alg","pipe","optional","string","description","authorization_encrypted_response_alg","never","authorization_encrypted_response_enc","vJarmClientMetadataEncrypt","vJarmClientMetadataSignEncrypt","pick","entries","vJarmClientMetadata","union","v","vJarmServerMetadata","object","authorization_signing_alg_values_supported","pipe","array","string","description","authorization_encryption_alg_values_supported","authorization_encryption_enc_values_supported","v","vJarmAuthResponseValidateMetadataInput","object","client_metadata","vJarmClientMetadata","server_metadata","partial","vJarmServerMetadata","vJarmMetadataValidateOut","variant","type","literal","vJarmClientMetadataSign","vJarmClientMetadataEncrypt","vJarmClientMetadataSignEncrypt","jarmMetadataValidate","vJarmMetadataValidate","authorization_encrypted_response_alg","authorization_encrypted_response_enc","authorization_signed_response_alg","assertValueSupported","supported","authorization_signing_alg_values_supported","actual","required","error","Error","authorization_encryption_alg_values_supported","authorization_encryption_enc_values_supported"]}