@absolutejs/auth 0.27.0-beta.4 → 0.27.0-beta.5

package/dist/index.d.ts

@@ -13477,6 +13477,8 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
     [x: string]: {
         post: {
             body: {
+                audience?: string | undefined;
+                resource?: string | undefined;
                 client_id?: string | undefined;
                 scope?: string | undefined;
                 refresh_token?: string | undefined;
@@ -13485,6 +13487,8 @@ export declare const auth: <UserType>({ providersConfiguration, authorizeRoute,
                 code?: string | undefined;
                 redirect_uri?: string | undefined;
                 code_verifier?: string | undefined;
+                subject_token?: string | undefined;
+                subject_token_type?: string | undefined;
             };
             params: {};
             query: unknown;

package/dist/index.js

@@ -4134,6 +4134,72 @@ var DEFAULT_ACCESS_TOKEN_TTL_MS2 = MILLISECONDS_IN_AN_HOUR;
 var DEFAULT_ID_TOKEN_TTL_MS = MILLISECONDS_IN_AN_HOUR;
 var DEFAULT_REFRESH_TOKEN_TTL_MS = MILLISECONDS_IN_A_DAY * REFRESH_TTL_DAYS;
 var nowSeconds = (milliseconds) => Math.floor(milliseconds / MS_PER_SECOND);
+var narrowScopes = (available, requested) => requested === undefined || requested.length === 0 ? available : requested.filter((scope) => available.includes(scope));
+var buildAccessClaims = ({
+  act,
+  audience,
+  clientId,
+  dpopJkt,
+  issuer,
+  now,
+  scopes,
+  sub,
+  ttl
+}) => {
+  const claims = {
+    aud: audience ?? clientId,
+    client_id: clientId,
+    exp: nowSeconds(now + ttl),
+    iat: nowSeconds(now),
+    iss: issuer,
+    jti: crypto.randomUUID(),
+    scope: scopes.join(" "),
+    sub,
+    token_use: "access"
+  };
+  if (act !== undefined)
+    claims.act = act;
+  if (dpopJkt !== undefined)
+    claims.cnf = { jkt: dpopJkt };
+  return claims;
+};
+var exchangeToken = async ({
+  actorClientId,
+  audience,
+  config,
+  dpopJkt,
+  now = Date.now(),
+  requestedScopes,
+  subjectToken
+}) => {
+  const verified = await verifyJwt(subjectToken, config.signingKey.publicJwk);
+  const payload = verified?.payload;
+  if (payload === undefined || typeof payload.sub !== "string" || typeof payload.exp !== "number" || payload.exp <= nowSeconds(now)) {
+    return { error: "invalid_grant", ok: false };
+  }
+  const available = typeof payload.scope === "string" ? payload.scope.split(" ") : [];
+  if (requestedScopes?.some((scope) => !available.includes(scope)) === true) {
+    return { error: "invalid_scope", ok: false };
+  }
+  const scopes = narrowScopes(available, requestedScopes);
+  const ttl = config.accessTokenTtlMs ?? DEFAULT_ACCESS_TOKEN_TTL_MS2;
+  return {
+    accessToken: await signJwt(buildAccessClaims({
+      act: { sub: actorClientId },
+      audience,
+      clientId: actorClientId,
+      dpopJkt,
+      issuer: config.issuer,
+      now,
+      scopes,
+      sub: payload.sub,
+      ttl
+    }), config.signingKey),
+    expiresIn: Math.floor(ttl / MS_PER_SECOND),
+    ok: true,
+    scope: scopes.join(" ")
+  };
+};
 var issueTokenSet = async ({
   claims,
   clientId,
@@ -4147,19 +4213,15 @@ var issueTokenSet = async ({
   const accessTtl = config.accessTokenTtlMs ?? DEFAULT_ACCESS_TOKEN_TTL_MS2;
   const idTtl = config.idTokenTtlMs ?? DEFAULT_ID_TOKEN_TTL_MS;
   const refreshTtl = config.refreshTokenTtlMs ?? DEFAULT_REFRESH_TOKEN_TTL_MS;
-  const accessPayload = {
-    aud: clientId,
-    client_id: clientId,
-    exp: nowSeconds(now + accessTtl),
-    iat: nowSeconds(now),
-    iss: config.issuer,
-    jti: crypto.randomUUID(),
-    scope: scopes.join(" "),
+  const accessPayload = buildAccessClaims({
+    clientId,
+    dpopJkt,
+    issuer: config.issuer,
+    now,
+    scopes,
     sub,
-    token_use: "access"
-  };
-  if (dpopJkt !== undefined)
-    accessPayload.cnf = { jkt: dpopJkt };
+    ttl: accessTtl
+  });
   const idPayload = {
     ...claims,
     aud: clientId,
@@ -4190,6 +4252,15 @@ var issueTokenSet = async ({
     token_type: dpopJkt === undefined ? "Bearer" : "DPoP"
   };
 };
+var mcpProtectedResourceMetadata = ({
+  issuer,
+  resource,
+  scopes
+}) => ({
+  authorization_servers: [issuer],
+  resource,
+  scopes_supported: scopes ?? []
+});
 var verifyPkce = async (codeVerifier, codeChallenge) => await hashToken(codeVerifier) === codeChallenge;
 
 // src/oidc/dpop.ts
@@ -4356,11 +4427,45 @@ var oidcProviderRoutes = (config) => {
       sub: record.userId
     }));
   };
+  const grantTokenExchange = async (client, body, dpop) => {
+    if (body.subject_token === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "invalid_request");
+    }
+    const dpopResult = dpop === undefined ? undefined : await verifyDpopProof({
+      htm: "POST",
+      htu: tokenUrl,
+      proof: dpop
+    });
+    if (dpop !== undefined && dpopResult === undefined) {
+      return oauthError2(HTTP_BAD_REQUEST2, "invalid_dpop_proof");
+    }
+    const result = await exchangeToken({
+      actorClientId: client.clientId,
+      audience: body.resource ?? body.audience,
+      config,
+      dpopJkt: dpopResult?.jkt,
+      requestedScopes: body.scope === undefined || body.scope.length === 0 ? undefined : body.scope.split(" "),
+      subjectToken: body.subject_token
+    });
+    if (!result.ok)
+      return oauthError2(HTTP_BAD_REQUEST2, result.error);
+    return jsonResponse({
+      access_token: result.accessToken,
+      expires_in: result.expiresIn,
+      issued_token_type: "urn:ietf:params:oauth:token-type:access_token",
+      scope: result.scope,
+      token_type: dpopResult === undefined ? "Bearer" : "DPoP"
+    }, HTTP_OK2);
+  };
   const discovery = {
     authorization_endpoint: `${issuer}${authorizeRoute}`,
     code_challenge_methods_supported: ["S256"],
     dpop_signing_alg_values_supported: ["ES256"],
-    grant_types_supported: ["authorization_code", "refresh_token"],
+    grant_types_supported: [
+      "authorization_code",
+      "refresh_token",
+      "urn:ietf:params:oauth:grant-type:token-exchange"
+    ],
     id_token_signing_alg_values_supported: ["ES256"],
     issuer,
     jwks_uri: `${issuer}${jwksRoute}`,
@@ -4467,9 +4572,13 @@ var oidcProviderRoutes = (config) => {
     if (body.grant_type === "refresh_token") {
       return grantRefreshToken(client, body, headers.dpop);
     }
+    if (body.grant_type === "urn:ietf:params:oauth:grant-type:token-exchange") {
+      return grantTokenExchange(client, body, headers.dpop);
+    }
     return oauthError2(HTTP_BAD_REQUEST2, "unsupported_grant_type");
   }, {
     body: t12.Object({
+      audience: t12.Optional(t12.String()),
       client_id: t12.Optional(t12.String()),
       client_secret: t12.Optional(t12.String()),
       code: t12.Optional(t12.String()),
@@ -4477,7 +4586,10 @@ var oidcProviderRoutes = (config) => {
       grant_type: t12.Optional(t12.String()),
       redirect_uri: t12.Optional(t12.String()),
       refresh_token: t12.Optional(t12.String()),
-      scope: t12.Optional(t12.String())
+      resource: t12.Optional(t12.String()),
+      scope: t12.Optional(t12.String()),
+      subject_token: t12.Optional(t12.String()),
+      subject_token_type: t12.Optional(t12.String())
     })
   }).get(jwksRoute, () => ({ keys: [toPublicJwk(signingKey)] })).get("/.well-known/openid-configuration", () => discovery);
 };
@@ -20524,6 +20636,7 @@ export {
   mfaRoutes,
   mfaEnrollmentsTable,
   mfaChallenge,
+  mcpProtectedResourceMetadata,
   loginHistoryTable,
   lockoutsTable,
   listUserSessions,
@@ -20560,6 +20673,7 @@ export {
   generateEncryptionKey,
   generateBackupCodes,
   extractPropFromIdentity,
+  exchangeToken,
   exchangeClientCredentials,
   evaluatePassword,
   endImpersonation,
@@ -20720,5 +20834,5 @@ export {
   AuthIdentityConflictError
 };
 
-//# debugId=C4383EA08F57C5E064756E2164756E21
+//# debugId=514E4AE78CF406D164756E2164756E21
 //# sourceMappingURL=index.js.map