diff --git a/packages/client/lib/AccessTokenClient.ts b/packages/client/lib/AccessTokenClient.ts index 660dae32..13d8f3a5 100644 --- a/packages/client/lib/AccessTokenClient.ts +++ b/packages/client/lib/AccessTokenClient.ts @@ -7,7 +7,7 @@ import { AuthzFlowType, convertJsonToURI, createDPoP, - CreateDPoPClientOptions, + CreateDPoPClientOpts, EndpointMetadata, formPost, getIssuerFromCredentialOfferPayload, @@ -30,7 +30,7 @@ import { LOG } from './types'; export class AccessTokenClient { public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise> { - const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOptions } = opts; + const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts; const credentialOffer = opts.credentialOffer ? await assertedUniformCredentialOffer(opts.credentialOffer) : undefined; const pinMetadata: TxCodeAndPinRequired | undefined = credentialOffer && this.getPinMetadata(credentialOffer.credential_offer); @@ -61,7 +61,7 @@ export class AccessTokenClient { metadata, asOpts, issuerOpts, - createDPoPOptions, + createDPoPOpts: createDPoPOpts, }); } @@ -71,14 +71,14 @@ export class AccessTokenClient { metadata, asOpts, issuerOpts, - createDPoPOptions, + createDPoPOpts, }: { accessTokenRequest: AccessTokenRequest; pinMetadata?: TxCodeAndPinRequired; metadata?: EndpointMetadata; asOpts?: AuthorizationServerOpts; issuerOpts?: IssuerOpts; - createDPoPOptions?: CreateDPoPClientOptions; + createDPoPOpts?: CreateDPoPClientOpts; }): Promise> { this.validate(accessTokenRequest, pinMetadata); 
@@ -93,16 +93,16 @@ export class AccessTokenClient { }); let dPoP: string | undefined; - if (createDPoPOptions?.dPoPSigningAlgValuesSupported && createDPoPOptions?.dPoPSigningAlgValuesSupported.length > 0) { + if (createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0) { const htu = requestTokenURL.split('?')[0].split('#')[0]; - dPoP = createDPoPOptions - ? await createDPoP({ ...createDPoPOptions, jwtPayloadProps: { ...createDPoPOptions.jwtPayloadProps, htu, htm: 'POST' } }) + dPoP = createDPoPOpts + ? await createDPoP({ ...createDPoPOpts, jwtPayloadProps: { ...createDPoPOpts.jwtPayloadProps, htu, htm: 'POST' } }) : undefined; } return this.sendAuthCode(requestTokenURL, accessTokenRequest, { dPoP }); } - public async createAccessTokenRequest(opts: Omit): Promise { + public async createAccessTokenRequest(opts: Omit): Promise { const { asOpts, pin, codeVerifier, code, redirectUri } = opts; // eslint-disable-next-line @typescript-eslint/ban-ts-comment // @ts-ignore @@ -236,10 +236,10 @@ export class AccessTokenClient { private async sendAuthCode( requestTokenURL: string, accessTokenRequest: AccessTokenRequest, - options?: { dPoP?: string }, + opts?: { dPoP?: string }, ): Promise> { return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }), { - customHeaders: { ...(options?.dPoP && { dpop: options.dPoP }) }, + customHeaders: { ...(opts?.dPoP && { dpop: opts.dPoP }) }, }); } diff --git a/packages/client/lib/AccessTokenClientV1_0_11.ts b/packages/client/lib/AccessTokenClientV1_0_11.ts index 1f12996c..a94833c7 100644 --- a/packages/client/lib/AccessTokenClientV1_0_11.ts +++ b/packages/client/lib/AccessTokenClientV1_0_11.ts @@ -7,7 +7,7 @@ import { AuthzFlowType, convertJsonToURI, createDPoP, - CreateDPoPClientOptions, + CreateDPoPClientOpts, CredentialOfferV1_0_11, CredentialOfferV1_0_13, EndpointMetadata, 
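Review bot: The inner ternary `dPoP = createDPoPOpts ? await createDPoP(...) : undefined` is dead logic — the enclosing `if` has already established that `createDPoPOpts` is defined, so the `: undefined` arm can never execute; assign `dPoP = await createDPoP({ ...createDPoPOpts, jwtPayloadProps: { ...createDPoPOpts.jwtPayloadProps, htu, htm: 'POST' } });` directly. The same block (strip query/fragment for `htu`, build the proof, pass it as a header) is duplicated in AccessTokenClientV1_0_11 and CredentialRequestClient in this commit, so one shared helper would keep the three in step. Nothing visible at this call site checks that the issuer's `alg` is one of the advertised `dPoPSigningAlgValuesSupported`; if that lives in the createJwtCallback, a one-line comment saying so would help the next reader. The enclosing method begins before this hunk.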
@@ -34,7 +34,7 @@ const debug = Debug('sphereon:oid4vci:token'); export class AccessTokenClientV1_0_11 { public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise> { - const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOptions } = opts; + const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts; const credentialOffer = opts.credentialOffer ? await assertedUniformCredentialOffer(opts.credentialOffer) : undefined; const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer); @@ -65,7 +65,7 @@ export class AccessTokenClientV1_0_11 { metadata, asOpts, issuerOpts, - createDPoPOptions, + createDPoPOpts, }); } @@ -74,7 +74,7 @@ export class AccessTokenClientV1_0_11 { isPinRequired, metadata, asOpts, - createDPoPOptions, + createDPoPOpts, issuerOpts, }: { accessTokenRequest: AccessTokenRequest; @@ -82,7 +82,7 @@ export class AccessTokenClientV1_0_11 { metadata?: EndpointMetadata; asOpts?: AuthorizationServerOpts; issuerOpts?: IssuerOpts; - createDPoPOptions?: CreateDPoPClientOptions; + createDPoPOpts?: CreateDPoPClientOpts; }): Promise> { this.validate(accessTokenRequest, isPinRequired); 
@@ -97,17 +97,17 @@ export class AccessTokenClientV1_0_11 { }); let dPoP: string | undefined; - if (createDPoPOptions?.dPoPSigningAlgValuesSupported && createDPoPOptions.dPoPSigningAlgValuesSupported.length > 0) { + if (createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0) { const htu = requestTokenURL.split('?')[0].split('#')[0]; - dPoP = createDPoPOptions - ? await createDPoP({ ...createDPoPOptions, jwtPayloadProps: { ...createDPoPOptions.jwtPayloadProps, htu, htm: 'POST' } }) + dPoP = createDPoPOpts + ? await createDPoP({ ...createDPoPOpts, jwtPayloadProps: { ...createDPoPOpts.jwtPayloadProps, htu, htm: 'POST' } }) : undefined; } return this.sendAuthCode(requestTokenURL, accessTokenRequest, { dPoP }); } - public async createAccessTokenRequest(opts: Omit): Promise { + public async createAccessTokenRequest(opts: Omit): Promise { const { asOpts, pin, codeVerifier, code, redirectUri } = opts; const credentialOfferRequest = opts.credentialOffer ? await toUniformCredentialOfferRequest(opts.credentialOffer as CredentialOfferV1_0_11 | CredentialOfferV1_0_13) @@ -220,10 +220,10 @@ export class AccessTokenClientV1_0_11 { private async sendAuthCode( requestTokenURL: string, accessTokenRequest: AccessTokenRequest, - options?: { dPoP?: string }, + opts?: { dPoP?: string }, ): Promise> { return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }), { - customHeaders: { ...(options?.dPoP && { dpop: options.dPoP }) }, + customHeaders: { ...(opts?.dPoP && { dpop: opts.dPoP }) }, }); } diff --git a/packages/client/lib/CredentialRequestClient.ts b/packages/client/lib/CredentialRequestClient.ts index e9e2805c..f987e9bb 100644 --- a/packages/client/lib/CredentialRequestClient.ts +++ b/packages/client/lib/CredentialRequestClient.ts 
@@ -1,7 +1,7 @@ import { acquireDeferredCredential, createDPoP, - CreateDPoPClientOptions, + CreateDPoPClientOpts, CredentialRequestV1_0_13, CredentialResponse, getCredentialRequestForVersion, @@ -91,7 +91,7 @@ export class CredentialRequestClient { context?: string[]; format?: CredentialFormat | OID4VCICredentialFormat; subjectIssuance?: ExperimentalSubjectIssuance; - createDPoPOptions?: CreateDPoPClientOptions; + createDPoPOps?: CreateDPoPClientOpts; }): Promise & { access_token: string }> { const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts; @@ -104,12 +104,12 @@ export class CredentialRequestClient { credentialIdentifier, subjectIssuance, }); - return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOptions); + return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOps); } public async acquireCredentialsUsingRequest( uniformRequest: UniformCredentialRequest, - createDPoPOptions?: CreateDPoPClientOptions, + createDPoPOps?: CreateDPoPClientOpts, ): Promise & { access_token: string }> { if (this.version() < OpenId4VCIVersion.VER_1_0_13) { throw new Error('Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.'); 
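Review bot: The public option in the `@@ -91,7` hunk is renamed to `createDPoPOps`, while every other site in this commit settles on `createDPoPOpts` (AccessTokenClient, AccessTokenRequestOpts) and CredentialRequestClientV1_0_11 keeps `createDPoPOptions`; that reads as a typo that is about to become part of the V13 client's API. Rename it to `createDPoPOpts?: CreateDPoPClientOpts;` and update the two uses in this file (`opts.createDPoPOpts` and the `acquireCredentialsUsingRequest` parameter) before this ships, otherwise the odd spelling has to be supported indefinitely. The method whose options object this hunk edits starts before the hunk.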
@@ -125,19 +125,19 @@ export class CredentialRequestClient { const requestToken: string = this.credentialRequestOpts.token; let dPoP: string | undefined; - if (createDPoPOptions) { + if (createDPoPOps) { const htu = credentialEndpoint.split('?')[0].split('#')[0]; - dPoP = createDPoPOptions + dPoP = createDPoPOps ? await createDPoP({ - ...createDPoPOptions, - jwtPayloadProps: { ...createDPoPOptions.jwtPayloadProps, htu, htm: 'POST', accessToken: requestToken }, + ...createDPoPOps, + jwtPayloadProps: { ...createDPoPOps.jwtPayloadProps, htu, htm: 'POST', accessToken: requestToken }, }) : undefined; } let response = (await post(credentialEndpoint, JSON.stringify(request), { bearerToken: requestToken, - customHeaders: { ...(createDPoPOptions && { dpop: dPoP }) }, + customHeaders: { ...(createDPoPOps && { dpop: dPoP }) }, })) as OpenIDResponse & { access_token: string; }; diff --git a/packages/client/lib/CredentialRequestClientV1_0_11.ts b/packages/client/lib/CredentialRequestClientV1_0_11.ts index 15358c39..8e8ea44f 100644 --- a/packages/client/lib/CredentialRequestClientV1_0_11.ts +++ b/packages/client/lib/CredentialRequestClientV1_0_11.ts @@ -1,7 +1,7 @@ import { acquireDeferredCredential, createDPoP, - CreateDPoPClientOptions, + CreateDPoPClientOpts, CredentialResponse, getCredentialRequestForVersion, getUniformFormat, @@ -66,7 +66,7 @@ export class CredentialRequestClientV1_0_11 { credentialTypes?: string | string[]; context?: string[]; format?: CredentialFormat | OID4VCICredentialFormat; - createDPoPOptions?: CreateDPoPClientOptions; + createDPoPOptions?: CreateDPoPClientOpts; }): Promise & { access_token: string }> { const { credentialTypes, proofInput, format, context } = opts; 
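Review bot: The credential request is sent with `bearerToken: requestToken` while the DPoP proof — whose `ath` is bound to that very token — goes in a custom `dpop` header; if `post` turns `bearerToken` into `Authorization: Bearer …`, a DPoP-bound access token is presented with the wrong scheme, and RFC 9449 §7.1 requires `Authorization: DPoP <token>`, so a strict resource server will reject the request or treat the token as unbound. The scheme should follow the `token_type` returned by the token endpoint, which is not visible here, so please confirm how `post` builds the header and, if needed, pass the scheme explicitly. Two smaller points: unlike the token clients, this path creates a proof whenever `createDPoPOps` is supplied without consulting the issuer's `dpop_signing_alg_values_supported`, and the inner `createDPoPOps ? … : undefined` ternary is redundant inside `if (createDPoPOps)`. The enclosing method starts before this hunk.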
@@ -76,7 +76,7 @@ export class CredentialRequestClientV1_0_11 {
   public async acquireCredentialsUsingRequest(
     uniformRequest: UniformCredentialRequest,
-    createDPoPOptions?: CreateDPoPClientOptions,
+    createDPoPOptions?: CreateDPoPClientOpts,
   ): Promise & { access_token: string }> {
     const request = getCredentialRequestForVersion(uniformRequest, this.version());
     const credentialEndpoint: string = this.credentialRequestOpts.credentialEndpoint;
diff --git a/packages/common/lib/functions/DPoP.ts b/packages/common/lib/functions/DPoP.ts
index 4b57ddf4..16b7219a 100644
--- a/packages/common/lib/functions/DPoP.ts
+++ b/packages/common/lib/functions/DPoP.ts
@@ -9,13 +9,32 @@ import { JWK } from '../types/CredentialIssuance.types';
 import { calculateJwkThumbprint } from './JwkThumbprint';
 import { CreateJwtCallback, JwtIssuerJwk } from './JwtIssuer';
 import { VerifyJwtCallbackBase } from './JwtVerifier';
-
+import { parseJWT } from './jwtUtils';
 export interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {
   type: 'dpop';
   dPoPSigningAlgValuesSupported?: string[];
 }
+/**
+ * The maximum allowed clock skew time in seconds. If an time based validation
+ * is performed against current time (`now`), the validation can be of by the skew
+ * time.
+ *
+ * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
+ */
+const DEFAULT_SKEW_TIME = 300;
+
+function getNowSkewed(now?: number, skewTime?: number) {
+  const _now = now ? now : epochTime();
+  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME;
+
+  return {
+    nowSkewedPast: _now - _skewTime,
+    nowSkewedFuture: _now + _skewTime,
+  };
+}
+
 /**
  * Returns the current unix timestamp in seconds.
  */
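Review bot: `getNowSkewed` picks its defaults by truthiness, so an explicit `skewTime = 0` (skew disabled) and `now = 0` both silently fall back to `DEFAULT_SKEW_TIME` and `epochTime()`; use nullish coalescing instead: `const _now = now ?? epochTime();` and `const _skewTime = skewTime ?? DEFAULT_SKEW_TIME;`. A negative skew is currently accepted as-is and would invert the window, so a `if (_skewTime < 0) throw new Error('skewTime must be >= 0');` guard is cheap. The doc comment has two typos — "If an time based validation" → "If a time-based validation", "can be of by" → "can be off by" — and should say that the tolerance is applied symmetrically, i.e. `nowSkewedPast`/`nowSkewedFuture` bracket `now` by the skew on both sides.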
@@ -34,27 +53,27 @@ export type DPoPJwtPayloadProps = {
 export type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK };
 export type CreateDPoPJwtPayloadProps = Omit & { accessToken?: string };
-export interface CreateDPoPOptions {
+export interface CreateDPoPOpts {
   createJwtCallback: CreateJwtCallback;
   jwtIssuer: Omit;
   jwtPayloadProps: Record & JwtPayloadProps;
-  dPoPSigningAlgValuesSupported?: string[];
+  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[];
 }
-export type CreateDPoPClientOptions = CreateDPoPOptions>;
+export type CreateDPoPClientOpts = CreateDPoPOpts>;
-export async function createDPoP(options: CreateDPoPOptions): Promise {
+export async function createDPoP(options: CreateDPoPOpts): Promise {
   const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options;
   if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {
-    throw new Error('expected accessToken without scheme');
+    throw new Error('expected access token without scheme');
   }
   const ath = jwtPayloadProps.accessToken ? u8a.toString(SHA('sha256').update(jwtPayloadProps.accessToken).digest(), 'base64url') : undefined;
   return createJwtCallback(
     { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },
     {
-      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, },
+      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },
       payload: {
         ...jwtPayloadProps,
         iat: epochTime(),
@@ -68,7 +87,7 @@ export async function createDPoP(options: CreateDPoPOptions): Promise {
 export type DPoPVerifyJwtCallback = VerifyJwtCallbackBase;
 export interface DPoPVerifyOptions {
   expectedNonce?: string;
-  acceptedAlgorithms?: SigningAlgo[];
+  acceptedAlgorithms?: (string | SigningAlgo)[];
   // defaults to 300 seconds (5 minutes)
   maxIatAgeInSeconds?: number;
   expectAccessToken?: boolean;
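Review bot: Widening `dPoPSigningAlgValuesSupported` to `(string | SigningAlgo)[]` — which the compiler reduces to `string[]` — removes the only compile-time assurance that the algorithm came from a known set, and `createDPoP` itself never checks that `jwtIssuer.alg` is in that list; it just forwards both to `createJwtCallback`. Unless every callback implementation performs that check, a proof signed with an alg the AS does not advertise will only fail at the token endpoint with an opaque error; a guard before signing is clearer: `if (dPoPSigningAlgValuesSupported?.length && !dPoPSigningAlgValuesSupported.includes(jwtIssuer.alg)) throw new Error('dPoP alg not supported by the authorization server');`. If completion on the enum matters, `(SigningAlgo | (string & {}))[]` keeps the literals visible while still admitting arbitrary IANA alg names. The createDPoP body continues past this hunk.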
@@ -86,8 +105,7 @@ export async function verifyDPoP(
   }
   // The DPoP HTTP request header field value is a single and well-formed JWT.
-  const dPoPHeader = jwtDecode>(dpop, { header: true });
-  const dPoPPayload = jwtDecode>(dpop, { header: false });
+  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT>(dpop);
   // Ensure all required header claims are present
   if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {
@@ -149,8 +167,11 @@ export async function verifyDPoP(
   }
   // Validate iat claim
-  const now = epochTime();
-  if (dPoPPayload.iat > now + (options.maxIatAgeInSeconds ?? 300) || dPoPPayload.iat < now - (options.maxIatAgeInSeconds ?? 300)) {
+  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed();
+  if (
+    dPoPPayload.iat > nowSkewedFuture + (options.maxIatAgeInSeconds ?? 300) ||
+    dPoPPayload.iat < nowSkewedPast - (options.maxIatAgeInSeconds ?? 300)
+  ) {
     // 5 minute window
     throw new Error('invalid_dpop_proof. Invalid iat claim');
   }
diff --git a/packages/common/lib/functions/JwtIssuer.ts b/packages/common/lib/functions/JwtIssuer.ts
index abb16076..dd90312f 100644
--- a/packages/common/lib/functions/JwtIssuer.ts
+++ b/packages/common/lib/functions/JwtIssuer.ts
@@ -1,4 +1,4 @@
-import { JwtHeader, JwtPayload, JwtProtectionMethod, SigningAlgo } from '..';
+import { JWK, JwtHeader, JwtPayload, JwtProtectionMethod, SigningAlgo } from '..';
 export interface JwtIssuerBase {
   method: JwtProtectionMethod;
@@ -11,12 +11,12 @@ export interface JwtIssuerBase {
 export interface JwtIssuerDid extends JwtIssuerBase {
   method: 'did';
   didUrl: string;
-  alg: SigningAlgo;
+  alg: SigningAlgo | string;
 }
 export interface JwtIssuerX5c extends JwtIssuerBase {
   method: 'x5c';
-  alg: SigningAlgo;
+  alg: SigningAlgo | string;
   /**
    *
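Review bot: The header check rejects a missing `alg` and a `jwk` that carries a private `d`, but `'none'` and MAC identifiers such as `HS256` are truthy and pass `!dPoPHeader.alg`, while RFC 9449 §4.2 requires the verifier to reject them outright (a proof must be signed with the asymmetric key embedded in `jwk`). If that is enforced further down through `options.acceptedAlgorithms` (outside this hunk), it is now only as strong as the caller's list, since that type was widened to plain strings in the same commit; an unconditional check here is easier to reason about, e.g. `if (dPoPHeader.alg === 'none' || dPoPHeader.alg.startsWith('HS')) throw new Error('invalid_dpop_proof. Unsupported alg');`. Note also that `parseJWT` only decodes, so neither `dPoPHeader` nor `dPoPPayload` is trustworthy until the signature verification below (outside this hunk) has passed — a one-line comment to that effect above the destructuring would stop someone moving claim checks ahead of it.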
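Review bot: The iat window is now `±(maxIatAgeInSeconds ?? 300)` on top of a fixed `±300` from `getNowSkewed()`, so with defaults a proof is accepted up to 10 minutes old or 10 minutes in the future — double the previous window and double what the `// 5 minute window` comment and the `maxIatAgeInSeconds` doc ("defaults to 300 seconds") still claim; where no nonce is required, a wider acceptance window is a wider replay window. Either fold the skew into the configured age, or make the skew an explicit verify option and document the total tolerance; as written `getNowSkewed()` is called with no arguments, so a caller cannot tighten it at all, and passing `0` would not help because `getNowSkewed` treats `0` as "use the default". At minimum correct the comment to the real figure, e.g. `// accept iat within maxIatAge plus clock skew on either side of now (default 300 + 300 s)`. The enclosing verifyDPoP starts and ends outside this hunk.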
@@ -42,8 +42,8 @@ export interface JwtIssuerX5c extends JwtIssuerBase { export interface JwtIssuerJwk extends JwtIssuerBase { method: 'jwk'; - alg: SigningAlgo; - jwk: JsonWebKey; + alg: SigningAlgo | string; + jwk: JWK; } export interface JwtIssuerCustom extends JwtIssuerBase { diff --git a/packages/common/lib/functions/JwtVerifier.ts b/packages/common/lib/functions/JwtVerifier.ts index b6ebe083..690f092e 100644 --- a/packages/common/lib/functions/JwtVerifier.ts +++ b/packages/common/lib/functions/JwtVerifier.ts @@ -1,4 +1,4 @@ -import { JwtHeader, JwtPayload, SigningAlgo } from '..'; +import { JWK, JwtHeader, JwtPayload, SigningAlgo } from '..'; import { JwtProtectionMethod, JwtType } from './jwtUtils'; @@ -10,14 +10,14 @@ export interface JwtVerifierBase { export interface DidJwtVerifier extends JwtVerifierBase { method: 'did'; - alg: SigningAlgo; + alg: SigningAlgo | string; didUrl: string; } export interface X5cJwtVerifier extends JwtVerifierBase { method: 'x5c'; - alg: SigningAlgo; + alg: SigningAlgo | string; /** * @@ -44,9 +44,9 @@ export interface OpenIdFederationJwtVerifier extends JwtVerifierBase { export interface JwkJwtVerifier extends JwtVerifierBase { method: 'jwk'; - alg: SigningAlgo; + alg: SigningAlgo | string; - jwk: JsonWebKey; + jwk: JWK; } export interface CustomJwtVerifier extends JwtVerifierBase { diff --git a/packages/common/lib/functions/jwtUtils.ts b/packages/common/lib/functions/jwtUtils.ts index 8c4f5dde..6303b51c 100644 --- a/packages/common/lib/functions/jwtUtils.ts +++ b/packages/common/lib/functions/jwtUtils.ts @@ -6,9 +6,9 @@ export type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | ' export type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom'; -export function parseJWT(jwt: string) { - const header = jwtDecode(jwt, { header: true }); - const payload = jwtDecode(jwt, { header: false }); +export function parseJWT
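Review bot: `alg: SigningAlgo | string` is reduced by the compiler to plain `string`, so the enum contributes nothing here — no completion, no narrowing, and any typo or `'none'` type-checks; the same applies to the parallel edits in JwtIssuerDid/JwtIssuerX5c and the JwtVerifier interfaces in this commit. If the intent is "known values preferred, arbitrary IANA names allowed", the idiom is `alg: SigningAlgo | (string & {});`, which keeps the literals visible while still accepting any string. A short comment on the field saying why arbitrary strings are accepted (algorithms advertised by an AS that are not in the enum, presumably) would spare the next reader the same question. Moving from the DOM `JsonWebKey` to the project `JWK` type is a good change.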
(jwt: string) { + const header = jwtDecode
(jwt, { header: true }); + const payload = jwtDecode(jwt, { header: false }); if (!payload || !header) { throw new Error('Jwt Payload and/or Header could not be parsed'); diff --git a/packages/common/lib/types/Authorization.types.ts b/packages/common/lib/types/Authorization.types.ts index 4138981d..e70612a8 100644 --- a/packages/common/lib/types/Authorization.types.ts +++ b/packages/common/lib/types/Authorization.types.ts @@ -1,4 +1,4 @@ -import { CreateDPoPClientOptions } from '../functions/DPoP'; +import { CreateDPoPClientOpts as CreateDPoPClientOpts } from '../functions/DPoP'; import { Alg, CredentialOfferPayload, ProofOfPossessionCallbacks, UniformCredentialOffer } from './CredentialIssuance.types'; import { @@ -221,9 +221,9 @@ export interface AccessTokenRequestOpts { redirectUri?: string; // only required for authorization flow pin?: string; // Pin-number. Only used when required pinMetadata?: TxCodeAndPinRequired; // OPTIONAL. String value containing a Transaction Code. This value MUST be present if a tx_code object was present in the Credential Offer (including if the object was empty). This parameter MUST only be used if the grant_type is urn:ietf:params:oauth:grant-type:pre-authorized_code. - // if the CreateDPoPOptions are provided, a dPoP will be created using the provided callback, + // if the CreateDPoPOpts are provided, a dPoP will be created using the provided callback, // if the authorization server indicates that it supports dPoP via the dpop_signing_alg_values_supported parameter. - createDPoPOptions?: CreateDPoPClientOptions; + createDPoPOpts?: CreateDPoPClientOpts; // eslint-disable-next-line @typescript-eslint/no-explicit-any additionalParams?: Record; } diff --git a/packages/common/lib/types/Jwt.types.ts b/packages/common/lib/types/Jwt.types.ts index 1e43c55f..d81fb124 100644 --- a/packages/common/lib/types/Jwt.types.ts +++ b/packages/common/lib/types/Jwt.types.ts 
@@ -1,9 +1,11 @@ import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'; + +import { JWK } from './CredentialIssuance.types'; export type JwtHeader = jwtDecodeJwtHeader & { alg?: string; x5c?: string[]; kid?: string; - jwk?: JsonWebKey; + jwk?: JWK; jwt?: string; } & Record; diff --git a/packages/common/lib/types/ServerMetadata.ts b/packages/common/lib/types/ServerMetadata.ts index 97fd87e1..9332244b 100644 --- a/packages/common/lib/types/ServerMetadata.ts +++ b/packages/common/lib/types/ServerMetadata.ts @@ -1,3 +1,5 @@ +import { SigningAlgo } from './Jwt.types'; + export interface AuthorizationServerMetadata { issuer: string; authorization_endpoint?: string; @@ -28,7 +30,7 @@ export interface AuthorizationServerMetadata { require_pushed_authorization_requests?: boolean; // Boolean parameter indicating whether Indicates whether the client is required to use PAR to initiate authorization. If omitted, the default value is false. 'pre-authorized_grant_anonymous_access_supported': boolean; // OPTIONAL. A JSON Boolean indicating whether the issuer accepts a Token Request with a Pre-Authorized Code but without a client id. The default is false // A JSON array containing a list of the JWS alg values (from the [IANA.JOSE.ALGS] registry) supported by the authorization server for DPoP proof JWTs. - dpop_signing_alg_values_supported?: string[]; + dpop_signing_alg_values_supported?: (string | SigningAlgo)[]; // OIDC values frontchannel_logout_supported?: boolean; frontchannel_logout_session_supported?: boolean; diff --git a/packages/siop-oid4vp/lib/schemas/AuthorizationResponseOpts.schema.ts b/packages/siop-oid4vp/lib/schemas/AuthorizationResponseOpts.schema.ts index af7ceb37..1cb7464e 100644 --- a/packages/siop-oid4vp/lib/schemas/AuthorizationResponseOpts.schema.ts +++ b/packages/siop-oid4vp/lib/schemas/AuthorizationResponseOpts.schema.ts 
@@ -1556,7 +1556,14 @@ export const AuthorizationResponseOptsSchemaObj = { "type": "string" }, "alg": { - "$ref": "#/definitions/SigningAlgo" + "anyOf": [ + { + "$ref": "#/definitions/SigningAlgo" + }, + { + "type": "string" + } + ] } }, "required": [ @@ -1579,7 +1586,14 @@ export const AuthorizationResponseOptsSchemaObj = { "description": "Additional options for the issuance context" }, "alg": { - "$ref": "#/definitions/SigningAlgo" + "anyOf": [ + { + "$ref": "#/definitions/SigningAlgo" + }, + { + "type": "string" + } + ] }, "x5c": { "type": "array", @@ -1622,85 +1636,17 @@ export const AuthorizationResponseOptsSchemaObj = { "description": "Additional options for the issuance context" }, "alg": { - "$ref": "#/definitions/SigningAlgo" - }, - "jwk": { - "type": "object", - "properties": { - "alg": { - "type": "string" - }, - "crv": { - "type": "string" - }, - "d": { - "type": "string" - }, - "dp": { - "type": "string" - }, - "dq": { - "type": "string" - }, - "e": { - "type": "string" - }, - "ext": { - "type": "boolean" - }, - "k": { - "type": "string" - }, - "key_ops": { - "type": "array", - "items": { - "type": "string" - } - }, - "kty": { - "type": "string" - }, - "n": { - "type": "string" - }, - "oth": { - "type": "array", - "items": { - "type": "object", - "properties": { - "d": { - "type": "string" - }, - "r": { - "type": "string" - }, - "t": { - "type": "string" - } - }, - "additionalProperties": false - } - }, - "p": { - "type": "string" - }, - "q": { - "type": "string" - }, - "qi": { - "type": "string" - }, - "use": { - "type": "string" - }, - "x": { - "type": "string" + "anyOf": [ + { + "$ref": "#/definitions/SigningAlgo" }, - "y": { + { "type": "string" } - }, - "additionalProperties": false + ] + }, + "jwk": { + "$ref": "#/definitions/JWK" } }, "required": [ 
@@ -1710,6 +1656,102 @@ export const AuthorizationResponseOptsSchemaObj = { ], "additionalProperties": false }, + "JWK": { + "type": "object", + "properties": { + "kty": { + "type": "string" + }, + "crv": { + "type": "string" + }, + "x": { + "type": "string" + }, + "y": { + "type": "string" + }, + "e": { + "type": "string" + }, + "n": { + "type": "string" + }, + "alg": { + "type": "string" + }, + "d": { + "type": "string" + }, + "dp": { + "type": "string" + }, + "dq": { + "type": "string" + }, + "ext": { + "type": "boolean" + }, + "k": { + "type": "string" + }, + "key_ops": { + "type": "array", + "items": { + "type": "string" + } + }, + "kid": { + "type": "string" + }, + "oth": { + "type": "array", + "items": { + "type": "object", + "properties": { + "d": { + "type": "string" + }, + "r": { + "type": "string" + }, + "t": { + "type": "string" + } + }, + "additionalProperties": false + } + }, + "p": { + "type": "string" + }, + "q": { + "type": "string" + }, + "qi": { + "type": "string" + }, + "use": { + "type": "string" + }, + "x5c": { + "type": "array", + "items": { + "type": "string" + } + }, + "x5t": { + "type": "string" + }, + "x5t#S256": { + "type": "string" + }, + "x5u": { + "type": "string" + } + }, + "additionalProperties": {} + }, "JwtIssuerCustom": { "type": "object", "properties": {