import * as v from 'valibot';

/**
 * Accepted `response_type` values of an authorization request, as they look
 * after the normalising transform in `vAuthRequestParams` has run. The transform
 * itself is not visible in this declaration (it is typed `string -> string`), so
 * what exactly it normalises (ordering of space-separated tokens, casing, ...)
 * has to be checked in the implementation.
 */
declare const vTransformedResponseTypes: v.PicklistSchema<[
  "vp_token",
  "id_token vp_token",
  "code",
  "token",
  "none",
  "id_token",
  "code token",
  "code id_token",
  "id_token token",
  "code id_token token"
], undefined>;
type ResponseTypeOut = v.InferOutput<typeof vTransformedResponseTypes>;

/** Response modes defined by JARM itself (`jwt` plus the three explicit carriers). */
declare const vJarmResponseMode: v.PicklistSchema<["jwt", "query.jwt", "fragment.jwt", "form_post.jwt"], undefined>;
type JarmResponseMode = v.InferInput<typeof vJarmResponseMode>;

/**
 * Response mode added by OpenID4VP.
 *
 * `direct_post.jwt`: the response is sent as an HTTP POST request using the
 * `application/x-www-form-urlencoded` content type. The body contains a single
 * parameter `response` which is the JWT-encoded response as defined in JARM §4.1.
 */
declare const vOpenid4vpJarmResponseMode: v.PicklistSchema<["direct_post.jwt"], undefined>;
type Openid4vpJarmResponseMode = v.InferInput<typeof vOpenid4vpJarmResponseMode>;

/**
 * Input for {@link jarmAuthResponseSend}.
 *
 * Exactly one of `response_uri` (direct post) or `redirect_uri` (query/fragment/
 * form_post carriers) is present on the request parameters; which one decides
 * how the already-encoded `authResponse` JWT is delivered.
 */
interface JarmAuthResponseSendInput {
  authRequestParams: {
    response_mode?: JarmResponseMode | Openid4vpJarmResponseMode;
    response_type: ResponseTypeOut;
  } & ({ response_uri: string } | { redirect_uri: string });
  /** The JARM response JWT (signed and/or encrypted), already serialised. */
  authResponse: string;
  /** The `state` of the originating request, echoed alongside the response. */
  state: string;
}

/**
 * Deliver a JARM response to the client according to `response_mode`.
 *
 * @returns the raw `fetch` {@link Response}; callers decide how to treat
 *   non-2xx status codes.
 */
declare const jarmAuthResponseSend: (input: JarmAuthResponseSendInput) => Promise<Response>;

/**
 * Parameters of a JARM *error* response (RFC 6749 §4.1.2.1 style).
 *
 * Note that `error_uri` is checked to be a URL (`v.url()`), while `error` and
 * `error_description` are free-form strings that may end up in logs or UIs —
 * treat them as untrusted client-supplied text.
 */
declare const vJarmAuthResponseErrorParams: v.LooseObjectSchema<{
  readonly error: v.StringSchema<undefined>;
  readonly state: v.OptionalSchema<v.StringSchema<undefined>, never>;
  readonly error_description: v.SchemaWithPipe<[
    v.OptionalSchema<v.StringSchema<undefined>, never>,
    v.DescriptionAction<string | undefined, "Text providing additional information, used to assist the client developer in understanding the error that occurred.">
  ]>;
  readonly error_uri: v.SchemaWithPipe<[
    v.OptionalSchema<v.SchemaWithPipe<[v.StringSchema<undefined>, v.UrlAction<string, undefined>]>, never>,
    v.DescriptionAction<string | undefined, "A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error">
  ]>;
}, undefined>;

/**
 * Payload of a plain JARM response JWT (JARM §4.1).
 *
 * `iss`, `exp` and `aud` are mandatory here, matching the JARM requirement that
 * the client can bind the response to the issuing authorization server, to
 * itself (`aud` == `client_id`) and to a validity window. The schema only
 * checks presence and primitive type; the comparisons themselves are expected
 * from {@link validateJarmAuthResponseParams}.
 */
declare const vJarmAuthResponseParams: v.LooseObjectSchema<{
  readonly state: v.OptionalSchema<v.StringSchema<undefined>, never>;
  /** The issuer URL of the authorization server that created the response. */
  readonly iss: v.StringSchema<undefined>;
  /** Expiration of the JWT (NumericDate, seconds since epoch). */
  readonly exp: v.NumberSchema<undefined>;
  /** The `client_id` of the client the response is intended for. */
  readonly aud: v.StringSchema<undefined>;
}, undefined>;
type JarmAuthResponseParams = v.InferInput<typeof vJarmAuthResponseParams>;

/**
 * Cross-check a JARM response payload against the originating request.
 *
 * The signature takes the request's `client_id` and `state`, which is what an
 * `aud` / `state` comparison needs. Whether `exp` is also compared against the
 * current time is not visible from this declaration — confirm in the
 * implementation before relying on it.
 *
 * @throws when the response does not match the request (exact error type not
 *   visible here).
 */
declare const validateJarmAuthResponseParams: (input: {
  authRequestParams: { client_id: string; state?: string };
  authResponseParams: JarmAuthResponseParams;
}) => void;

/**
 * Payload of an OpenID4VP `direct_post.jwt` response.
 *
 * Unlike {@link vJarmAuthResponseParams}, `iss`, `exp`, `aud` and `nonce` are
 * all optional here, so this schema on its own does not guarantee audience or
 * expiry binding of the response. Replay/binding of the presentation is
 * normally established through the `nonce` inside the `vp_token` itself; the
 * verifier must make sure that check happens somewhere in its pipeline.
 */
declare const vJarmDirectPostJwtParams: v.LooseObjectSchema<{
  /** One presentation, or a non-empty list of presentations. */
  readonly vp_token: v.UnionSchema<[
    v.StringSchema<undefined>,
    v.ArraySchema<v.SchemaWithPipe<[v.StringSchema<undefined>, v.NonEmptyAction<string, undefined>]>, undefined>
  ], undefined>;
  /** Left unvalidated here; the DCQL structure is checked elsewhere, if at all. */
  readonly dcql_query: v.UnknownSchema;
  readonly nonce: v.OptionalSchema<v.StringSchema<undefined>, never>;
  readonly iss: v.OptionalSchema<v.StringSchema<undefined>, never>;
  readonly exp: v.OptionalSchema<v.NumberSchema<undefined>, never>;
  readonly aud: v.OptionalSchema<v.StringSchema<undefined>, never>;
  readonly state: v.OptionalSchema<v.StringSchema<undefined>, never>;
}, undefined>;
type JarmDirectPostJwtResponseParams = v.InferInput<typeof vJarmDirectPostJwtParams>;

/**
 * Cross-check a `direct_post.jwt` response payload against the request.
 *
 * Only the request `state` is available to this check, so it cannot perform
 * an `aud` comparison the way {@link validateJarmAuthResponseParams} can.
 */
declare const jarmAuthResponseDirectPostValidateParams: (input: {
  authRequestParams: { state?: string };
  authResponseParams: JarmDirectPostJwtResponseParams;
}) => void;

/**
 * The subset of authorization-request parameters this module needs in order to
 * validate and route a response.
 *
 * `client_metadata.jwks_uri` is declared as a plain string (no `v.url()`), in
 * contrast to `error_uri` above. If an implementation dereferences it, that
 * fetch should be restricted to https and validated independently of this schema.
 */
declare const vAuthRequestParams: v.LooseObjectSchema<{
  readonly state: v.OptionalSchema<v.StringSchema<undefined>, never>;
  readonly response_mode: v.OptionalSchema<v.UnionSchema<[typeof vJarmResponseMode, typeof vOpenid4vpJarmResponseMode], undefined>, never>;
  readonly client_id: v.StringSchema<undefined>;
  /** Raw string, normalised by a transform, then constrained to the known set. */
  readonly response_type: v.SchemaWithPipe<[
    v.StringSchema<undefined>,
    v.TransformAction<string, string>,
    typeof vTransformedResponseTypes
  ]>;
  readonly client_metadata: v.LooseObjectSchema<{
    /** Inline JWK Set; each key only needs `kty`, `kid` is optional. */
    readonly jwks: v.OptionalSchema<v.ObjectSchema<{
      readonly keys: v.ArraySchema<v.LooseObjectSchema<{
        readonly kid: v.OptionalSchema<v.StringSchema<undefined>, never>;
        readonly kty: v.StringSchema<undefined>;
      }, undefined>, undefined>;
    }, undefined>, never>;
    readonly jwks_uri: v.OptionalSchema<v.StringSchema<undefined>, never>;
  }, undefined>;
}, undefined>;
type AuthRequestParams = v.InferInput<typeof vAuthRequestParams>;

/** Envelope returned by the request-parameter resolver in the validation context. */
declare const vOAuthAuthRequestGetParamsOut: v.ObjectSchema<{
  readonly authRequestParams: typeof vAuthRequestParams;
}, undefined>;
type OAuthAuthRequestGetParamsOut = v.InferOutput<typeof vOAuthAuthRequestGetParamsOut>;

/**
 * Callbacks {@link jarmAuthResponseDirectPostJwtValidate} needs from the host.
 */
interface JarmDirectPostJwtAuthResponseValidationContext {
  openid4vp: {
    authRequest: {
      /**
       * Look up the original request for a (partially decoded) response payload,
       * typically keyed on its `state`.
       */
      getParams: (input: JarmAuthResponseParams | JarmDirectPostJwtResponseParams) => Promise<OAuthAuthRequestGetParamsOut>;
    };
  };
  jwe: {
    /**
     * Decrypt a compact JWE with the key identified by `jwk.kid`.
     *
     * The `kid` comes from the JWE protected header, which is attacker-
     * controlled before decryption succeeds: implementations should resolve it
     * strictly against their own key set and never treat it as a path, URL or
     * database query fragment.
     */
    decryptCompact: (input: { jwe: string; jwk: { kid: string } }) => Promise<{ plaintext: string }>;
  };
}

interface JarmDirectPostJwtAuthResponseValidation {
  /**
   * The JARM `response` parameter, conveyed either as a URL query parameter, a
   * fragment parameter, or `application/x-www-form-urlencoded` in the body of a
   * POST request.
   */
  response: string;
}

/**
 * Validate a JARM `direct_post.jwt` compliant authentication response.
 *
 * - The decryption key should be resolvable from the JWE protected header's `kid`.
 * - The signature-verification JWK should be resolvable from the JWS protected
 *   header's `kid` together with the payload's `iss`.
 *
 * The returned `type` reports which protections were actually present on the
 * response (`signed`, `encrypted`, or both). Callers that require a signed
 * response must check this value rather than assume it.
 */
declare const jarmAuthResponseDirectPostJwtValidate: (
  input: JarmDirectPostJwtAuthResponseValidation,
  ctx: JarmDirectPostJwtAuthResponseValidationContext
) => Promise<{
  authRequestParams: {
    response_type: string;
    client_metadata: {
      jwks?: {
        keys: ({ kty: string; kid?: string | undefined } & { [key: string]: unknown })[];
      } | undefined;
      jwks_uri?: string | undefined;
    } & { [key: string]: unknown };
    client_id: string;
    state?: string | undefined;
    response_mode?: "jwt" | "query.jwt" | "fragment.jwt" | "form_post.jwt" | "direct_post.jwt" | undefined;
  } & { [key: string]: unknown };
  authResponseParams: {
    vp_token: string | string[];
    dcql_query: unknown;
    state?: string | undefined;
    iss?: string | undefined;
    exp?: number | undefined;
    aud?: string | undefined;
    nonce?: string | undefined;
  } & { [key: string]: unknown };
  type: "signed encrypted" | "encrypted" | "signed";
}>;

/**
 * Client metadata for a signed-only JARM response.
 *
 * The description says `none` is not allowed, but the declared schema is an
 * optional plain string carrying only a description action — nothing in this
 * type rejects `"none"`. That prohibition has to be enforced by the code that
 * actually selects the signing algorithm (e.g. {@link jarmMetadataValidate} or
 * the signer); do not rely on schema parsing for it.
 */
declare const vJarmClientMetadataSign: v.ObjectSchema<{
  readonly authorization_signed_response_alg: v.SchemaWithPipe<[
    v.OptionalSchema<v.StringSchema<undefined>, never>,
    v.DescriptionAction<string | undefined, "JWA. If this is specified, the response will be signed using JWS and the configured algorithm. The algorithm none is not allowed.">
  ]>;
  readonly authorization_encrypted_response_alg: v.OptionalSchema<v.NeverSchema<undefined>, never>;
  readonly authorization_encrypted_response_enc: v.OptionalSchema<v.NeverSchema<undefined>, never>;
}, undefined>;

/**
 * Client metadata for an encrypted-only JARM response.
 *
 * `enc` defaults to `A128CBC-HS256` (the JARM default); `alg` is mandatory and
 * is only type-checked as a string here — restricting it to the server's
 * `authorization_encryption_alg_values_supported` is the job of
 * {@link jarmMetadataValidate}.
 */
declare const vJarmClientMetadataEncrypt: v.ObjectSchema<{
  readonly authorization_signed_response_alg: v.OptionalSchema<v.NeverSchema<undefined>, never>;
  readonly authorization_encrypted_response_alg: v.SchemaWithPipe<[
    v.StringSchema<undefined>,
    v.DescriptionAction<string, "JWE alg algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">
  ]>;
  readonly authorization_encrypted_response_enc: v.SchemaWithPipe<[
    v.OptionalSchema<v.StringSchema<undefined>, "A128CBC-HS256">,
    v.DescriptionAction<string, "JWE enc algorithm JWA. If both signing and encryption are requested, the response will be signed then encrypted with the provided algorithm.">
  ]>;
}, undefined>;

/**
 * Client metadata for a signed-then-encrypted JARM response: the encryption
 * entries of {@link vJarmClientMetadataEncrypt} plus the signing entry of
 * {@link vJarmClientMetadataSign}.
 */
declare const vJarmClientMetadataSignEncrypt: v.ObjectSchema<{
  readonly authorization_encrypted_response_alg: (typeof vJarmClientMetadataEncrypt)['entries']['authorization_encrypted_response_alg'];
  readonly authorization_encrypted_response_enc: (typeof vJarmClientMetadataEncrypt)['entries']['authorization_encrypted_response_enc'];
  readonly authorization_signed_response_alg: (typeof vJarmClientMetadataSign)['entries']['authorization_signed_response_alg'];
}, undefined>;

/**
 * Any of the three JARM client-metadata shapes.
 *
 * Clients may register their public encryption keys using the `jwks_uri` or
 * `jwks` metadata parameters.
 */
declare const vJarmClientMetadata: v.UnionSchema<[
  typeof vJarmClientMetadataSign,
  typeof vJarmClientMetadataEncrypt,
  typeof vJarmClientMetadataSignEncrypt
], undefined>;
type JarmClientMetadata = v.InferInput<typeof vJarmClientMetadata>;

/**
 * JARM-related authorization server metadata.
 *
 * Authorization servers SHOULD publish the algorithms they support for signing
 * and encrypting the response JWT via OAuth 2.0 Authorization Server Metadata
 * [RFC8414] parameters.
 */
declare const vJarmServerMetadata: v.ObjectSchema<{
  readonly authorization_signing_alg_values_supported: v.SchemaWithPipe<[
    v.ArraySchema<v.StringSchema<undefined>, undefined>,
    v.DescriptionAction<string[], "JSON array containing a list of the JWS [RFC7515] signing algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to sign the response.">
  ]>;
  readonly authorization_encryption_alg_values_supported: v.SchemaWithPipe<[
    v.ArraySchema<v.StringSchema<undefined>, undefined>,
    v.DescriptionAction<string[], "JSON array containing a list of the JWE [RFC7516] encryption algorithms (alg values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.">
  ]>;
  readonly authorization_encryption_enc_values_supported: v.SchemaWithPipe<[
    v.ArraySchema<v.StringSchema<undefined>, undefined>,
    v.DescriptionAction<string[], "JSON array containing a list of the JWE [RFC7516] encryption algorithms (enc values) JWA [RFC7518] supported by the authorization endpoint to encrypt the response.">
  ]>;
}, undefined>;
type JarmServerMetadata = v.InferInput<typeof vJarmServerMetadata>;

/**
 * Input of {@link jarmMetadataValidate}: the client's requested protection
 * plus the server's advertised capabilities. `server_metadata` is the partial
 * form of {@link vJarmServerMetadata} (every list optional), which is why its
 * type is spelled as `Omit<...> & { entries; _run; _types }`.
 *
 * Because every server list is optional, an absent list cannot be used to
 * reject a client algorithm — how the validator treats that case is not
 * visible from this declaration.
 */
declare const vJarmAuthResponseValidateMetadataInput: v.ObjectSchema<{
  readonly client_metadata: typeof vJarmClientMetadata;
  readonly server_metadata: Omit<typeof vJarmServerMetadata, "_types" | "_run" | "entries"> & {
    readonly entries: {
      readonly authorization_signing_alg_values_supported: v.OptionalSchema<(typeof vJarmServerMetadata)['entries']['authorization_signing_alg_values_supported'], never>;
      readonly authorization_encryption_alg_values_supported: v.OptionalSchema<(typeof vJarmServerMetadata)['entries']['authorization_encryption_alg_values_supported'], never>;
      readonly authorization_encryption_enc_values_supported: v.OptionalSchema<(typeof vJarmServerMetadata)['entries']['authorization_encryption_enc_values_supported'], never>;
    };
    readonly _run: (
      dataset: v.Dataset<unknown, never>,
      config: v.Config<v.BaseIssue<unknown>>
    ) => v.Dataset<{
      authorization_signing_alg_values_supported?: string[] | undefined;
      authorization_encryption_alg_values_supported?: string[] | undefined;
      authorization_encryption_enc_values_supported?: string[] | undefined;
    }, v.StringIssue | v.ObjectIssue | v.ArrayIssue>;
    readonly _types?: {
      readonly input: {
        authorization_signing_alg_values_supported?: string[] | undefined;
        authorization_encryption_alg_values_supported?: string[] | undefined;
        authorization_encryption_enc_values_supported?: string[] | undefined;
      };
      readonly output: {
        authorization_signing_alg_values_supported?: string[] | undefined;
        authorization_encryption_alg_values_supported?: string[] | undefined;
        authorization_encryption_enc_values_supported?: string[] | undefined;
      };
      readonly issue: v.StringIssue | v.ObjectIssue | v.ArrayIssue;
    } | undefined;
  };
}, undefined>;
type JarmMetadataValidate = v.InferInput<typeof vJarmAuthResponseValidateMetadataInput>;

/**
 * Result of {@link jarmMetadataValidate}: the client metadata narrowed to one
 * shape, tagged with the protection mode it implies.
 */
declare const vJarmMetadataValidateOut: v.VariantSchema<"type", [
  v.ObjectSchema<{
    readonly type: v.LiteralSchema<"signed", undefined>;
    readonly client_metadata: typeof vJarmClientMetadataSign;
  }, undefined>,
  v.ObjectSchema<{
    readonly type: v.LiteralSchema<"encrypted", undefined>;
    readonly client_metadata: typeof vJarmClientMetadataEncrypt;
  }, undefined>,
  v.ObjectSchema<{
    readonly type: v.LiteralSchema<"signed encrypted", undefined>;
    readonly client_metadata: typeof vJarmClientMetadataSignEncrypt;
  }, undefined>
], undefined>;

/**
 * Reconcile requested client protection with advertised server support and
 * classify the result as `signed`, `encrypted` or `signed encrypted`.
 *
 * @throws when the combination is invalid (exact error type not visible here).
 */
declare const jarmMetadataValidate: (vJarmMetadataValidate: JarmMetadataValidate) => v.InferOutput<typeof vJarmMetadataValidateOut>;

export { type AuthRequestParams, type JarmAuthResponseParams, type JarmClientMetadata, type JarmDirectPostJwtAuthResponseValidation, type JarmDirectPostJwtAuthResponseValidationContext, type JarmDirectPostJwtResponseParams, type JarmMetadataValidate, type JarmServerMetadata, type OAuthAuthRequestGetParamsOut, jarmAuthResponseDirectPostJwtValidate, jarmAuthResponseDirectPostValidateParams, jarmAuthResponseSend, jarmMetadataValidate, vAuthRequestParams, vJarmAuthResponseErrorParams, vJarmAuthResponseParams, vJarmAuthResponseValidateMetadataInput, vJarmClientMetadata, vJarmClientMetadataEncrypt, vJarmClientMetadataSign, vJarmClientMetadataSignEncrypt, vJarmDirectPostJwtParams, vJarmMetadataValidateOut, vJarmServerMetadata, vOAuthAuthRequestGetParamsOut, validateJarmAuthResponseParams };