import { decodeJwt, decodeProtectedHeader } from '@sphereon/oid4vc-common'
import { ClientMetadata, JWTHeader, JWTVerifyCallback, JwtVerifyResult } from '@sphereon/oid4vci-common'
import { oidcDiscoverIssuer, oidcGetClient } from '@sphereon/ssi-express-support'
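/**
 * Builds a {@link JWTVerifyCallback} that accepts an OAuth access token only after the
 * configured authorization server reports it as active via token introspection.
 *
 * No local signature verification happens in this callback: trust in the token rests
 * entirely on the introspection response (`active === true`). The header and payload
 * returned alongside are decoded, not verified, so callers should treat the
 * introspection result, not the decoded claims, as the authoritative source.
 *
 * @param opts.credentialIssuer - Identifier of this credential issuer; used as the
 *   `client_id` when no explicit client metadata is supplied.
 * @param opts.authorizationServer - URL of the authorization server whose discovery
 *   document and introspection endpoint are used.
 * @param opts.clientMetadata - Optional metadata for the introspection client;
 *   defaults to `{ client_id: credentialIssuer }`.
 * @returns A callback resolving to the decoded JWT plus its `alg` and, when present in
 *   the header, `jwk`, `x5c` and `kid`. It rejects when introspection reports the token
 *   as inactive; the `kid` argument the callback accepts is currently not used.
 */
export function oidcAccessTokenVerifyCallback(opts: {
  credentialIssuer: string
  authorizationServer: string
  clientMetadata?: ClientMetadata
}): JWTVerifyCallback {
  // `??` rather than `||` so an explicitly supplied metadata object is always honoured.
  const clientMetadata = opts.clientMetadata ?? { client_id: opts.credentialIssuer }

  return async (args: { jwt: string; kid?: string }): Promise<JwtVerifyResult> => {
    // Discovery and client construction are repeated on every invocation; nothing is
    // cached in this closure.
    const oidcIssuer = await oidcDiscoverIssuer({ issuerUrl: opts.authorizationServer })
    const oidcClient = await oidcGetClient(oidcIssuer.issuer, clientMetadata)

    const introspection = await oidcClient.introspect(args.jwt)
    if (!introspection.active) {
      // Throwing inside an async function produces the same rejected promise as the
      // explicit Promise.reject() wrapper did.
      throw new Error('Access token is not active or invalid')
    }
    // NOTE(review): only `active` is checked here; the introspection response's audience,
    // scope or client binding is not compared against this credential issuer. Confirm that
    // the caller of this callback enforces whatever binding the deployment requires.

    // Decode only — no signature check is performed at this point. Presumably both helpers
    // throw on input that is not a JWT (e.g. an opaque bearer token); confirm if opaque
    // tokens are expected from this authorization server.
    const jwt = { header: decodeProtectedHeader(args.jwt) as JWTHeader, payload: decodeJwt(args.jwt) }
    const { alg, jwk, x5c, kid } = jwt.header

    return {
      jwt,
      alg,
      // Key-identifying header fields are only added when present, so the result carries
      // no explicitly `undefined` properties.
      ...(jwk && { jwk }),
      ...(x5c && { x5c }),
      ...(kid && { kid }),
      // We could resolve the did document here if the kid is a VM
    }
  }
}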