refactor: use TLS server validation instead of jwt signature validations

BREAKING CHANGE: Use the TLS server validation in `processAuthorizationCodeOpenIDResponse` to validate the issuer instead of checking the ID Token's signature. The function's `options` argument was removed.
BREAKING CHANGE: Use the TLS server validation in `processDeviceCodeResponse` to validate the issuer instead of checking the optional ID Token's signature. The function's `options` argument was removed.
BREAKING CHANGE: Use the TLS server validation in `processIntrospectionResponse` to validate the issuer instead of checking the optional JWT Introspection Response signature. The function's `options` argument was removed.
BREAKING CHANGE: Use the TLS server validation in `processRefreshTokenResponse` to validate the issuer instead of checking the optional ID Token's signature. The function's `options` argument was removed.
BREAKING CHANGE: Use the TLS server validation in `processUserInfoResponse` to validate the issuer instead of checking the optional JWT UserInfo Response signature. The function's `options` argument was removed.

conformance/fapi/invalid-signature.ts

@@ -1,5 +1,5 @@
-import { test, red, modules } from '../runner.js'
+import { test, skipped, modules } from '../runner.js'
 
 for (const module of modules('invalid-signature')) {
-  test.serial(red, module, 'JWT signature verification failed')
+  test.serial(skipped, module)
 }

conformance/oidc/idtoken-sig-none.ts

@@ -1,5 +1,5 @@
-import { test, red, modules } from '../runner.js'
+import { test, green, modules } from '../runner.js'
 
 for (const module of modules('idtoken-sig-none')) {
-  test.serial(red, module, 'unsupported JWS "alg" identifier', 'UnsupportedOperationError')
+  test.serial(green, module)
 }

conformance/oidc/invalid-sig-es256.ts

@@ -1,5 +1,5 @@
-import { test, red, modules } from '../runner.js'
+import { test, skipped, modules } from '../runner.js'
 
 for (const module of modules('invalid-sig-es256')) {
-  test.serial(red, module, 'JWT signature verification failed')
+  test.serial(skipped, module)
 }

conformance/oidc/invalid-sig-hs256.ts

@@ -1,5 +1,5 @@
-import { test, red, modules } from '../runner.js'
+import { test, skipped, modules } from '../runner.js'
 
 for (const module of modules('invalid-sig-hs256')) {
-  test.serial(red, module, 'unsupported JWS "alg" identifier', 'UnsupportedOperationError')
+  test.serial(skipped, module)
 }

conformance/oidc/invalid-sig-rs256.ts

@@ -1,5 +1,5 @@
-import { test, red, modules } from '../runner.js'
+import { test, skipped, modules } from '../runner.js'
 
 for (const module of modules('invalid-sig-rs256')) {
-  test.serial(red, module, 'JWT signature verification failed')
+  test.serial(skipped, module)
 }

conformance/oidc/kid-absent-multiple-jwks.ts

@@ -1,9 +1,5 @@
-import { test, red, modules } from '../runner.js'
+import { test, green, modules } from '../runner.js'
 
 for (const module of modules('kid-absent-multiple-jwks')) {
-  test.serial(
-    red,
-    module,
-    'error when selecting a JWT verification key, multiple applicable keys found, a "kid" JWT Header Parameter is required',
-  )
+  test.serial(green, module)
 }

docs/README.md

@@ -67,16 +67,10 @@
 - [OAuth2TokenEndpointResponse](interfaces/OAuth2TokenEndpointResponse.md)
 - [OpenIDTokenEndpointResponse](interfaces/OpenIDTokenEndpointResponse.md)
 - [PrivateKey](interfaces/PrivateKey.md)
-- [ProcessAuthorizationCodeOpenIDResponseOptions](interfaces/ProcessAuthorizationCodeOpenIDResponseOptions.md)
-- [ProcessDeviceCodeResponseOptions](interfaces/ProcessDeviceCodeResponseOptions.md)
-- [ProcessIntrospectionResponseOptions](interfaces/ProcessIntrospectionResponseOptions.md)
-- [ProcessRefreshTokenResponseOptions](interfaces/ProcessRefreshTokenResponseOptions.md)
-- [ProcessUserInfoResponseOptions](interfaces/ProcessUserInfoResponseOptions.md)
 - [ProtectedResourceRequestOptions](interfaces/ProtectedResourceRequestOptions.md)
 - [PushedAuthorizationRequestOptions](interfaces/PushedAuthorizationRequestOptions.md)
 - [PushedAuthorizationResponse](interfaces/PushedAuthorizationResponse.md)
 - [RevocationRequestOptions](interfaces/RevocationRequestOptions.md)
-- [SkipJWTSignatureCheckOptions](interfaces/SkipJWTSignatureCheckOptions.md)
 - [TokenEndpointRequestOptions](interfaces/TokenEndpointRequestOptions.md)
 - [TokenEndpointResponse](interfaces/TokenEndpointResponse.md)
 - [UserInfoRequestOptions](interfaces/UserInfoRequestOptions.md)

docs/functions/processAuthorizationCodeOpenIDResponse.md

@@ -2,7 +2,7 @@
 
 [💗 Help the project](https://github.com/sponsors/panva)
 
-▸ **processAuthorizationCodeOpenIDResponse**(`as`, `client`, `response`, `expectedNonce?`, `maxAge?`, `options?`): `Promise`<[`OpenIDTokenEndpointResponse`](../interfaces/OpenIDTokenEndpointResponse.md) \| [`OAuth2Error`](../interfaces/OAuth2Error.md)\>
+▸ **processAuthorizationCodeOpenIDResponse**(`as`, `client`, `response`, `expectedNonce?`, `maxAge?`): `Promise`<[`OpenIDTokenEndpointResponse`](../interfaces/OpenIDTokenEndpointResponse.md) \| [`OAuth2Error`](../interfaces/OAuth2Error.md)\>
 
 (OpenID Connect only) Validates Authorization Code Grant Response instance to be one coming from
 the [`as.token_endpoint`](../interfaces/AuthorizationServer.md#token_endpoint).
@@ -20,7 +20,6 @@ the [`as.token_endpoint`](../interfaces/AuthorizationServer.md#token_endpoint).
 | `response` | [`Response`]( https://developer.mozilla.org/en-US/docs/Web/API/Response ) | Resolved value from [authorizationCodeGrantRequest](authorizationCodeGrantRequest.md). |
 | `expectedNonce?` | `string` \| typeof [`expectNoNonce`](../variables/expectNoNonce.md) | Expected ID Token `nonce` claim value. Default is [expectNoNonce](../variables/expectNoNonce.md). |
 | `maxAge?` | `number` \| typeof [`skipAuthTimeCheck`](../variables/skipAuthTimeCheck.md) | ID Token [`auth_time`](../interfaces/IDToken.md#auth_time) claim value will be checked to be   present and conform to the `maxAge` value. Use of this option is required if you sent a   `max_age` parameter in an authorization request. Default is   [`client.default_max_age`](../interfaces/Client.md#default_max_age) and falls back to   [skipAuthTimeCheck](../variables/skipAuthTimeCheck.md). |
-| `options?` | [`ProcessAuthorizationCodeOpenIDResponseOptions`](../interfaces/ProcessAuthorizationCodeOpenIDResponseOptions.md) | - |
 
 #### Returns
 

docs/functions/processDeviceCodeResponse.md

@@ -2,7 +2,7 @@
 
 [💗 Help the project](https://github.com/sponsors/panva)
 
-▸ **processDeviceCodeResponse**(`as`, `client`, `response`, `options?`): `Promise`<[`TokenEndpointResponse`](../interfaces/TokenEndpointResponse.md) \| [`OAuth2Error`](../interfaces/OAuth2Error.md)\>
+▸ **processDeviceCodeResponse**(`as`, `client`, `response`): `Promise`<[`TokenEndpointResponse`](../interfaces/TokenEndpointResponse.md) \| [`OAuth2Error`](../interfaces/OAuth2Error.md)\>
 
 Validates Device Authorization Grant Response instance to be one coming from the
 [`as.token_endpoint`](../interfaces/AuthorizationServer.md#token_endpoint).
@@ -16,7 +16,6 @@ Validates Device Authorization Grant Response instance to be one coming from the
 | `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
 | `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
 | `response` | [`Response`]( https://developer.mozilla.org/en-US/docs/Web/API/Response ) | Resolved value from [deviceCodeGrantRequest](deviceCodeGrantRequest.md). |
-| `options?` | [`ProcessDeviceCodeResponseOptions`](../interfaces/ProcessDeviceCodeResponseOptions.md) | - |
 
 #### Returns
 

docs/functions/processIntrospectionResponse.md

@@ -2,7 +2,7 @@
 
 [💗 Help the project](https://github.com/sponsors/panva)
 
-▸ **processIntrospectionResponse**(`as`, `client`, `response`, `options?`): `Promise`<[`IntrospectionResponse`](../interfaces/IntrospectionResponse.md) \| [`OAuth2Error`](../interfaces/OAuth2Error.md)\>
+▸ **processIntrospectionResponse**(`as`, `client`, `response`): `Promise`<[`IntrospectionResponse`](../interfaces/IntrospectionResponse.md) \| [`OAuth2Error`](../interfaces/OAuth2Error.md)\>
 
 Validates Response instance to be one coming from the
 [`as.introspection_endpoint`](../interfaces/AuthorizationServer.md#introspection_endpoint).
@@ -18,7 +18,6 @@ Validates Response instance to be one coming from the
 | `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
 | `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
 | `response` | [`Response`]( https://developer.mozilla.org/en-US/docs/Web/API/Response ) | Resolved value from [introspectionRequest](introspectionRequest.md). |
-| `options?` | [`ProcessIntrospectionResponseOptions`](../interfaces/ProcessIntrospectionResponseOptions.md) | - |
 
 #### Returns
 

docs/functions/processRefreshTokenResponse.md

@@ -2,7 +2,7 @@
 
 [💗 Help the project](https://github.com/sponsors/panva)
 
-▸ **processRefreshTokenResponse**(`as`, `client`, `response`, `options?`): `Promise`<[`TokenEndpointResponse`](../interfaces/TokenEndpointResponse.md) \| [`OAuth2Error`](../interfaces/OAuth2Error.md)\>
+▸ **processRefreshTokenResponse**(`as`, `client`, `response`): `Promise`<[`TokenEndpointResponse`](../interfaces/TokenEndpointResponse.md) \| [`OAuth2Error`](../interfaces/OAuth2Error.md)\>
 
 Validates Refresh Token Grant Response instance to be one coming from the
 [`as.token_endpoint`](../interfaces/AuthorizationServer.md#token_endpoint).
@@ -18,7 +18,6 @@ Validates Refresh Token Grant Response instance to be one coming from the
 | `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
 | `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
 | `response` | [`Response`]( https://developer.mozilla.org/en-US/docs/Web/API/Response ) | Resolved value from [refreshTokenGrantRequest](refreshTokenGrantRequest.md). |
-| `options?` | [`ProcessRefreshTokenResponseOptions`](../interfaces/ProcessRefreshTokenResponseOptions.md) | - |
 
 #### Returns
 

docs/functions/processUserInfoResponse.md

@@ -2,7 +2,7 @@
 
 [💗 Help the project](https://github.com/sponsors/panva)
 
-▸ **processUserInfoResponse**(`as`, `client`, `expectedSubject`, `response`, `options?`): `Promise`<[`UserInfoResponse`](../interfaces/UserInfoResponse.md)\>
+▸ **processUserInfoResponse**(`as`, `client`, `expectedSubject`, `response`): `Promise`<[`UserInfoResponse`](../interfaces/UserInfoResponse.md)\>
 
 Validates Response instance to be one coming from the
 [`as.userinfo_endpoint`](../interfaces/AuthorizationServer.md#userinfo_endpoint).
@@ -17,7 +17,6 @@ Validates Response instance to be one coming from the
 | `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
 | `expectedSubject` | `string` \| typeof [`skipSubjectCheck`](../variables/skipSubjectCheck.md) | Expected `sub` claim value. In response to OpenID Connect authentication   requests, the expected subject is the one from the ID Token claims retrieved from   [getValidatedIdTokenClaims](getValidatedIdTokenClaims.md). |
 | `response` | [`Response`]( https://developer.mozilla.org/en-US/docs/Web/API/Response ) | Resolved value from [userInfoRequest](userInfoRequest.md). |
-| `options?` | [`ProcessUserInfoResponseOptions`](../interfaces/ProcessUserInfoResponseOptions.md) | - |
 
 #### Returns
 

docs/interfaces/Client.md

@@ -59,21 +59,21 @@ ___
 
 ### id\_token\_signed\_response\_alg
 
-• `Optional` **id\_token\_signed\_response\_alg**: [`JWSAlgorithm`](../types/JWSAlgorithm.md)
+• `Optional` **id\_token\_signed\_response\_alg**: `string`
 
 JWS `alg` algorithm required for signing the ID Token issued to this Client. When not
-configured the default is to allow only [supported algorithms](../types/JWSAlgorithm.md) listed in
+configured the default is to allow only algorithms listed in
 [`as.id_token_signing_alg_values_supported`](AuthorizationServer.md#id_token_signing_alg_values_supported)
 and fall back to `RS256` when the authorization server metadata is not set.
 
 ___
 
 ### introspection\_signed\_response\_alg
 
-• `Optional` **introspection\_signed\_response\_alg**: [`JWSAlgorithm`](../types/JWSAlgorithm.md)
+• `Optional` **introspection\_signed\_response\_alg**: `string`
 
 JWS `alg` algorithm REQUIRED for signed introspection responses. When not configured the
-default is to allow only [supported algorithms](../types/JWSAlgorithm.md) listed in
+default is to allow only algorithms listed in
 [`as.introspection_signing_alg_values_supported`](AuthorizationServer.md#introspection_signing_alg_values_supported)
 and fall back to `RS256` when the authorization server metadata is not set.
 
@@ -99,9 +99,9 @@ ___
 
 ### userinfo\_signed\_response\_alg
 
-• `Optional` **userinfo\_signed\_response\_alg**: [`JWSAlgorithm`](../types/JWSAlgorithm.md)
+• `Optional` **userinfo\_signed\_response\_alg**: `string`
 
 JWS `alg` algorithm REQUIRED for signing UserInfo Responses. When not configured the default is
-to allow only [supported algorithms](../types/JWSAlgorithm.md) listed in
+to allow only algorithms listed in
 [`as.userinfo_signing_alg_values_supported`](AuthorizationServer.md#userinfo_signing_alg_values_supported)
 and fall back to `RS256` when the authorization server metadata is not set.