@aooth/auth 0.1.18 → 0.1.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -39,12 +39,25 @@ interface PendingAuthorization {
39
39
  handle: string;
40
40
  /** Registered client id (Tier 2), absent for a public/loopback client. */
41
41
  clientId?: string;
42
+ /**
43
+ * Display name resolved at `/authorize` (DCR `client_name` or a registered
44
+ * client's label) — UNTRUSTED text staged for the consent prompt; render as
45
+ * a text node only. Snapshot-at-authorize: a later rename/GC of the
46
+ * registration doesn't change what consent shows for this grant.
47
+ */
48
+ clientName?: string;
42
49
  /** The client's validated `redirect_uri` — where the code is delivered. */
43
50
  redirectUri: string;
44
51
  /** PKCE S256 challenge (client-generated); verified against the verifier at `/token`. */
45
52
  codeChallenge: string;
46
53
  /** The client's `state`, echoed back on the redirect so the client can correlate. */
47
54
  clientState?: string;
55
+ /**
56
+ * RFC 8707 `resource` indicator from the authorize request. v1 records it
57
+ * (and checks `/token`-leg consistency) without audience enforcement — see
58
+ * OAUTH.md R4.
59
+ */
60
+ resource?: string;
48
61
  /** Granted scope (space-joined) — `requested ∩ allowed`; drives the `id_token` profile claims. */
49
62
  scope?: string;
50
63
  /** OIDC `nonce` from the authorize request — echoed into the `id_token` (Tier 2). */
@@ -72,9 +85,11 @@ interface PendingAuthorization {
72
85
  /** Input to {@link PendingAuthorizationStore.create} — `handle`/timestamps are store-assigned. */
73
86
  interface NewPendingAuthorization {
74
87
  clientId?: string;
88
+ clientName?: string;
75
89
  redirectUri: string;
76
90
  codeChallenge: string;
77
91
  clientState?: string;
92
+ resource?: string;
78
93
  scope?: string;
79
94
  nonce?: string;
80
95
  idToken?: boolean;
@@ -152,6 +167,12 @@ interface AuthCode {
152
167
  clientId?: string;
153
168
  /** Granted scope (space-joined) — drives the `id_token` profile claims. */
154
169
  scope?: string;
170
+ /**
171
+ * RFC 8707 `resource` indicator recorded at `/authorize`. The token endpoint
172
+ * checks consistency (a `/token`-leg `resource` must match) — no audience
173
+ * enforcement in v1 (OAUTH.md R4).
174
+ */
175
+ resource?: string;
155
176
  /** OIDC `nonce` from the authorize request — echoed into the `id_token` (Tier 2). */
156
177
  nonce?: string;
157
178
  /** Mint an `id_token` at `/token` (Tier 2). */
@@ -171,6 +192,7 @@ interface NewAuthCode {
171
192
  redirectUri: string;
172
193
  clientId?: string;
173
194
  scope?: string;
195
+ resource?: string;
174
196
  nonce?: string;
175
197
  idToken?: boolean;
176
198
  accessToken?: boolean;
@@ -216,4 +238,93 @@ declare class AuthCodeStoreMemory extends AuthCodeStore {
216
238
  consume(code: string): Promise<AuthCode | null>;
217
239
  }
218
240
  //#endregion
219
- export { NewAuthCode as a, PendingAuthorization as c, PendingAuthorizationStoreMemoryOptions as d, TokenPolicy as f, AuthCodeStoreMemoryOptions as i, PendingAuthorizationStore as l, AuthCodeStore as n, DEFAULT_PENDING_TTL_MS as o, AuthCodeStoreMemory as r, NewPendingAuthorization as s, AuthCode as t, PendingAuthorizationStoreMemory as u };
241
+ //#region src/authz/dynamic-client-store.d.ts
242
+ /**
243
+ * One dynamically-registered OAuth client (RFC 7591) — the record behind a
244
+ * connector-style public client that self-registered at `POST /register`.
245
+ * Everything here is **registrant-supplied** (post-validation) except
246
+ * `clientId` and the timestamps: treat `clientName` as untrusted display text
247
+ * and `redirectUris` as the exact-match delivery allowlist that
248
+ * `DynamicClientPolicy` enforces at `/authorize`.
249
+ */
250
+ interface DynamicClient {
251
+ /** Store-minted opaque client identifier (the DCR response `client_id`). */
252
+ clientId: string;
253
+ /** Sanitized display name (DCR `client_name`) — untrusted, rendered as text on consent. */
254
+ clientName?: string;
255
+ /** Validated redirect allowlist — https exact-match entries and/or loopback literals. */
256
+ redirectUris: string[];
257
+ /** v1 supports public clients only — PKCE is the binding, no secret exists. */
258
+ tokenEndpointAuthMethod: "none";
259
+ /** Registered grant types (narrowed to what the server supports). */
260
+ grantTypes: string[];
261
+ /** Registered response types (narrowed to what the server supports). */
262
+ responseTypes: string[];
263
+ /** Scope string from registration (space-joined) — an upper bound, not a grant. */
264
+ scope?: string;
265
+ createdAt: number;
266
+ /**
267
+ * Last time the client started an authorize request. Unset ⇒ the
268
+ * registration was never used — the garbage-collection target of
269
+ * {@link DynamicClientStore.deleteUnusedBefore} (anonymous `/register` spam
270
+ * registers but never authorizes).
271
+ */
272
+ lastUsedAt?: number;
273
+ }
274
+ /** Input to {@link DynamicClientStore.create} — `clientId`/timestamps are store-assigned. */
275
+ interface NewDynamicClient {
276
+ clientName?: string;
277
+ redirectUris: string[];
278
+ tokenEndpointAuthMethod: "none";
279
+ grantTypes: string[];
280
+ responseTypes: string[];
281
+ scope?: string;
282
+ }
283
+ /**
284
+ * Storage seam for dynamically-registered clients (OAUTH.md R2). Long-lived
285
+ * (unlike the pending-auth / auth-code stores): a connector caches its
286
+ * `client_id` and reuses it across grants, so rows survive until deleted or
287
+ * garbage-collected as never-used. An in-memory impl ships for single-process
288
+ * apps + tests; a durable impl (atscript-db) slots under the same
289
+ * `DYNAMIC_CLIENT_STORE_TOKEN` (from `@aooth/auth-moost`).
290
+ */
291
+ declare abstract class DynamicClientStore {
292
+ /** Persist a validated registration; mints and returns the full record (with `clientId`). */
293
+ abstract create(rec: NewDynamicClient): Promise<DynamicClient>;
294
+ /** Fetch by client id, or `null` when unknown. */
295
+ abstract get(clientId: string): Promise<DynamicClient | null>;
296
+ /** Remove a registration. Returns `true` when a row was removed. */
297
+ abstract delete(clientId: string): Promise<boolean>;
298
+ /** Number of stored registrations — the `maxClients` hard-cap check. */
299
+ abstract count(): Promise<number>;
300
+ /** Stamp `lastUsedAt` — marks the registration as used (exempt from never-used GC). */
301
+ abstract touch(clientId: string, at: number): Promise<void>;
302
+ /**
303
+ * Garbage-collect never-used registrations: delete rows with
304
+ * `createdAt < cutoff` AND no `lastUsedAt`. Returns the number removed.
305
+ * Used rows are NEVER evicted — a connector caches its `client_id`, and
306
+ * evicting it strands the client (see OAUTH.md R2 abuse posture).
307
+ */
308
+ abstract deleteUnusedBefore(cutoff: number): Promise<number>;
309
+ }
310
+ interface DynamicClientStoreMemoryOptions {
311
+ /** Injectable clock for deterministic `createdAt`. Defaults to {@link defaultClock}. */
312
+ clock?: Clock;
313
+ }
314
+ /**
315
+ * In-memory {@link DynamicClientStore} — the reference impl for a
316
+ * single-process app + tests. `structuredClone` on read/write isolates callers.
317
+ */
318
+ declare class DynamicClientStoreMemory extends DynamicClientStore {
319
+ private store;
320
+ private clock;
321
+ constructor(opts?: DynamicClientStoreMemoryOptions);
322
+ create(rec: NewDynamicClient): Promise<DynamicClient>;
323
+ get(clientId: string): Promise<DynamicClient | null>;
324
+ delete(clientId: string): Promise<boolean>;
325
+ count(): Promise<number>;
326
+ touch(clientId: string, at: number): Promise<void>;
327
+ deleteUnusedBefore(cutoff: number): Promise<number>;
328
+ }
329
+ //#endregion
330
+ export { TokenPolicy as _, NewDynamicClient as a, AuthCodeStoreMemory as c, DEFAULT_PENDING_TTL_MS as d, NewPendingAuthorization as f, PendingAuthorizationStoreMemoryOptions as g, PendingAuthorizationStoreMemory as h, DynamicClientStoreMemoryOptions as i, AuthCodeStoreMemoryOptions as l, PendingAuthorizationStore as m, DynamicClientStore as n, AuthCode as o, PendingAuthorization as p, DynamicClientStoreMemory as r, AuthCodeStore as s, DynamicClient as t, NewAuthCode as u };
@@ -39,12 +39,25 @@ interface PendingAuthorization {
39
39
  handle: string;
40
40
  /** Registered client id (Tier 2), absent for a public/loopback client. */
41
41
  clientId?: string;
42
+ /**
43
+ * Display name resolved at `/authorize` (DCR `client_name` or a registered
44
+ * client's label) — UNTRUSTED text staged for the consent prompt; render as
45
+ * a text node only. Snapshot-at-authorize: a later rename/GC of the
46
+ * registration doesn't change what consent shows for this grant.
47
+ */
48
+ clientName?: string;
42
49
  /** The client's validated `redirect_uri` — where the code is delivered. */
43
50
  redirectUri: string;
44
51
  /** PKCE S256 challenge (client-generated); verified against the verifier at `/token`. */
45
52
  codeChallenge: string;
46
53
  /** The client's `state`, echoed back on the redirect so the client can correlate. */
47
54
  clientState?: string;
55
+ /**
56
+ * RFC 8707 `resource` indicator from the authorize request. v1 records it
57
+ * (and checks `/token`-leg consistency) without audience enforcement — see
58
+ * OAUTH.md R4.
59
+ */
60
+ resource?: string;
48
61
  /** Granted scope (space-joined) — `requested ∩ allowed`; drives the `id_token` profile claims. */
49
62
  scope?: string;
50
63
  /** OIDC `nonce` from the authorize request — echoed into the `id_token` (Tier 2). */
@@ -72,9 +85,11 @@ interface PendingAuthorization {
72
85
  /** Input to {@link PendingAuthorizationStore.create} — `handle`/timestamps are store-assigned. */
73
86
  interface NewPendingAuthorization {
74
87
  clientId?: string;
88
+ clientName?: string;
75
89
  redirectUri: string;
76
90
  codeChallenge: string;
77
91
  clientState?: string;
92
+ resource?: string;
78
93
  scope?: string;
79
94
  nonce?: string;
80
95
  idToken?: boolean;
@@ -152,6 +167,12 @@ interface AuthCode {
152
167
  clientId?: string;
153
168
  /** Granted scope (space-joined) — drives the `id_token` profile claims. */
154
169
  scope?: string;
170
+ /**
171
+ * RFC 8707 `resource` indicator recorded at `/authorize`. The token endpoint
172
+ * checks consistency (a `/token`-leg `resource` must match) — no audience
173
+ * enforcement in v1 (OAUTH.md R4).
174
+ */
175
+ resource?: string;
155
176
  /** OIDC `nonce` from the authorize request — echoed into the `id_token` (Tier 2). */
156
177
  nonce?: string;
157
178
  /** Mint an `id_token` at `/token` (Tier 2). */
@@ -171,6 +192,7 @@ interface NewAuthCode {
171
192
  redirectUri: string;
172
193
  clientId?: string;
173
194
  scope?: string;
195
+ resource?: string;
174
196
  nonce?: string;
175
197
  idToken?: boolean;
176
198
  accessToken?: boolean;
@@ -216,4 +238,93 @@ declare class AuthCodeStoreMemory extends AuthCodeStore {
216
238
  consume(code: string): Promise<AuthCode | null>;
217
239
  }
218
240
  //#endregion
219
- export { NewAuthCode as a, PendingAuthorization as c, PendingAuthorizationStoreMemoryOptions as d, TokenPolicy as f, AuthCodeStoreMemoryOptions as i, PendingAuthorizationStore as l, AuthCodeStore as n, DEFAULT_PENDING_TTL_MS as o, AuthCodeStoreMemory as r, NewPendingAuthorization as s, AuthCode as t, PendingAuthorizationStoreMemory as u };
241
+ //#region src/authz/dynamic-client-store.d.ts
242
+ /**
243
+ * One dynamically-registered OAuth client (RFC 7591) — the record behind a
244
+ * connector-style public client that self-registered at `POST /register`.
245
+ * Everything here is **registrant-supplied** (post-validation) except
246
+ * `clientId` and the timestamps: treat `clientName` as untrusted display text
247
+ * and `redirectUris` as the exact-match delivery allowlist that
248
+ * `DynamicClientPolicy` enforces at `/authorize`.
249
+ */
250
+ interface DynamicClient {
251
+ /** Store-minted opaque client identifier (the DCR response `client_id`). */
252
+ clientId: string;
253
+ /** Sanitized display name (DCR `client_name`) — untrusted, rendered as text on consent. */
254
+ clientName?: string;
255
+ /** Validated redirect allowlist — https exact-match entries and/or loopback literals. */
256
+ redirectUris: string[];
257
+ /** v1 supports public clients only — PKCE is the binding, no secret exists. */
258
+ tokenEndpointAuthMethod: "none";
259
+ /** Registered grant types (narrowed to what the server supports). */
260
+ grantTypes: string[];
261
+ /** Registered response types (narrowed to what the server supports). */
262
+ responseTypes: string[];
263
+ /** Scope string from registration (space-joined) — an upper bound, not a grant. */
264
+ scope?: string;
265
+ createdAt: number;
266
+ /**
267
+ * Last time the client started an authorize request. Unset ⇒ the
268
+ * registration was never used — the garbage-collection target of
269
+ * {@link DynamicClientStore.deleteUnusedBefore} (anonymous `/register` spam
270
+ * registers but never authorizes).
271
+ */
272
+ lastUsedAt?: number;
273
+ }
274
+ /** Input to {@link DynamicClientStore.create} — `clientId`/timestamps are store-assigned. */
275
+ interface NewDynamicClient {
276
+ clientName?: string;
277
+ redirectUris: string[];
278
+ tokenEndpointAuthMethod: "none";
279
+ grantTypes: string[];
280
+ responseTypes: string[];
281
+ scope?: string;
282
+ }
283
+ /**
284
+ * Storage seam for dynamically-registered clients (OAUTH.md R2). Long-lived
285
+ * (unlike the pending-auth / auth-code stores): a connector caches its
286
+ * `client_id` and reuses it across grants, so rows survive until deleted or
287
+ * garbage-collected as never-used. An in-memory impl ships for single-process
288
+ * apps + tests; a durable impl (atscript-db) slots under the same
289
+ * `DYNAMIC_CLIENT_STORE_TOKEN` (from `@aooth/auth-moost`).
290
+ */
291
+ declare abstract class DynamicClientStore {
292
+ /** Persist a validated registration; mints and returns the full record (with `clientId`). */
293
+ abstract create(rec: NewDynamicClient): Promise<DynamicClient>;
294
+ /** Fetch by client id, or `null` when unknown. */
295
+ abstract get(clientId: string): Promise<DynamicClient | null>;
296
+ /** Remove a registration. Returns `true` when a row was removed. */
297
+ abstract delete(clientId: string): Promise<boolean>;
298
+ /** Number of stored registrations — the `maxClients` hard-cap check. */
299
+ abstract count(): Promise<number>;
300
+ /** Stamp `lastUsedAt` — marks the registration as used (exempt from never-used GC). */
301
+ abstract touch(clientId: string, at: number): Promise<void>;
302
+ /**
303
+ * Garbage-collect never-used registrations: delete rows with
304
+ * `createdAt < cutoff` AND no `lastUsedAt`. Returns the number removed.
305
+ * Used rows are NEVER evicted — a connector caches its `client_id`, and
306
+ * evicting it strands the client (see OAUTH.md R2 abuse posture).
307
+ */
308
+ abstract deleteUnusedBefore(cutoff: number): Promise<number>;
309
+ }
310
+ interface DynamicClientStoreMemoryOptions {
311
+ /** Injectable clock for deterministic `createdAt`. Defaults to {@link defaultClock}. */
312
+ clock?: Clock;
313
+ }
314
+ /**
315
+ * In-memory {@link DynamicClientStore} — the reference impl for a
316
+ * single-process app + tests. `structuredClone` on read/write isolates callers.
317
+ */
318
+ declare class DynamicClientStoreMemory extends DynamicClientStore {
319
+ private store;
320
+ private clock;
321
+ constructor(opts?: DynamicClientStoreMemoryOptions);
322
+ create(rec: NewDynamicClient): Promise<DynamicClient>;
323
+ get(clientId: string): Promise<DynamicClient | null>;
324
+ delete(clientId: string): Promise<boolean>;
325
+ count(): Promise<number>;
326
+ touch(clientId: string, at: number): Promise<void>;
327
+ deleteUnusedBefore(cutoff: number): Promise<number>;
328
+ }
329
+ //#endregion
330
+ export { TokenPolicy as _, NewDynamicClient as a, AuthCodeStoreMemory as c, DEFAULT_PENDING_TTL_MS as d, NewPendingAuthorization as f, PendingAuthorizationStoreMemoryOptions as g, PendingAuthorizationStoreMemory as h, DynamicClientStoreMemoryOptions as i, AuthCodeStoreMemoryOptions as l, PendingAuthorizationStore as m, DynamicClientStore as n, AuthCode as o, PendingAuthorization as p, DynamicClientStoreMemory as r, AuthCodeStore as s, DynamicClient as t, NewAuthCode as u };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@aooth/auth",
3
- "version": "0.1.18",
3
+ "version": "0.1.19",
4
4
  "description": "Auth method layer for aoothjs (sessions, tokens, password reset, MFA primitives)",
5
5
  "keywords": [
6
6
  "aoothjs",
@@ -30,7 +30,9 @@
30
30
  "src/atscript-db/pending-authorization.as",
31
31
  "src/atscript-db/pending-authorization.as.d.ts",
32
32
  "src/atscript-db/auth-code.as",
33
- "src/atscript-db/auth-code.as.d.ts"
33
+ "src/atscript-db/auth-code.as.d.ts",
34
+ "src/atscript-db/dynamic-client.as",
35
+ "src/atscript-db/dynamic-client.as.d.ts"
34
36
  ],
35
37
  "type": "module",
36
38
  "sideEffects": false,
@@ -87,6 +89,14 @@
87
89
  "types": "./src/atscript-db/auth-code.as.d.ts",
88
90
  "default": "./src/atscript-db/auth-code.as"
89
91
  },
92
+ "./atscript-db/dynamic-client": {
93
+ "types": "./src/atscript-db/dynamic-client.as.d.ts",
94
+ "default": "./src/atscript-db/dynamic-client.as"
95
+ },
96
+ "./atscript-db/dynamic-client.as": {
97
+ "types": "./src/atscript-db/dynamic-client.as.d.ts",
98
+ "default": "./src/atscript-db/dynamic-client.as"
99
+ },
90
100
  "./package.json": "./package.json"
91
101
  },
92
102
  "publishConfig": {
@@ -94,7 +104,7 @@
94
104
  },
95
105
  "dependencies": {
96
106
  "jose": "^6.2.3",
97
- "@aooth/user": "0.1.18"
107
+ "@aooth/user": "0.1.19"
98
108
  },
99
109
  "devDependencies": {
100
110
  "@atscript/core": "^0.1.75",
@@ -21,6 +21,8 @@ export interface AoothAuthCode {
21
21
  clientId?: string
22
22
  /** Granted scope (space-joined). */
23
23
  scope?: string
24
+ /** RFC 8707 `resource` indicator (recorded; consistency-checked at /token). */
25
+ resource?: string
24
26
  /** OIDC `nonce`, echoed into the `id_token` (Tier 2). */
25
27
  nonce?: string
26
28
  /** Mint an `id_token` at `/token` (Tier 2). */
@@ -20,6 +20,7 @@ export declare class AoothAuthCode {
20
20
  redirectUri: string
21
21
  clientId?: string
22
22
  scope?: string
23
+ resource?: string
23
24
  nonce?: string
24
25
  idToken?: boolean
25
26
  accessToken?: boolean
@@ -41,6 +42,7 @@ export declare class AoothAuthCode {
41
42
  "redirectUri": string
42
43
  "clientId"?: string
43
44
  "scope"?: string
45
+ "resource"?: string
44
46
  "nonce"?: string
45
47
  "idToken"?: boolean
46
48
  "accessToken"?: boolean
@@ -55,6 +57,7 @@ export declare class AoothAuthCode {
55
57
  "redirectUri": string
56
58
  "clientId"?: string
57
59
  "scope"?: string
60
+ "resource"?: string
58
61
  "nonce"?: string
59
62
  "idToken"?: boolean
60
63
  "accessToken"?: boolean
@@ -0,0 +1,44 @@
1
+ @db.table 'aooth_dynamic_clients'
2
+ @db.depth.limit 0
3
+ export interface AoothDynamicClient {
4
+ /**
5
+ * Opaque client identifier (PK) — the DCR response `client_id`.
6
+ * Server-generated UUID in `DynamicClientStoreAtscriptDb.create`.
7
+ */
8
+ @meta.id
9
+ clientId: string
10
+
11
+ /**
12
+ * Sanitized DCR `client_name` — untrusted registrant-supplied display text
13
+ * for the consent prompt; rendered as a text node only.
14
+ */
15
+ clientName?: string
16
+
17
+ /**
18
+ * Validated redirect allowlist, serialized as a JSON string array — same
19
+ * opaque-string pattern as `AoothPendingAuthorization.tokenPolicy` (a
20
+ * string[] column would need engine-specific array support; the adapter
21
+ * (de)serializes at the boundary and matching happens in
22
+ * `DynamicClientPolicy`).
23
+ */
24
+ redirectUris: string
25
+
26
+ /** v1 supports public clients only ("none") — PKCE is the binding. */
27
+ tokenEndpointAuthMethod: string
28
+
29
+ /** Registered grant types (narrowed to supported), JSON string array. */
30
+ grantTypes: string
31
+ /** Registered response types (narrowed to supported), JSON string array. */
32
+ responseTypes: string
33
+
34
+ /** Scope string from registration (space-joined) — an upper bound, not a grant. */
35
+ scope?: string
36
+
37
+ createdAt: number.timestamp
38
+ /**
39
+ * Last authorize-request use. Unset ⇒ never used — the GC target of
40
+ * `deleteUnusedBefore` (anonymous /register spam registers but never
41
+ * authorizes). Used rows are never evicted.
42
+ */
43
+ lastUsedAt?: number.timestamp
44
+ }
@@ -0,0 +1,59 @@
1
+ // prettier-ignore-start
2
+ /* eslint-disable */
3
+ /* oxlint-disable */
4
+ /// <reference path="./dynamic-client.as" />
5
+ /**
6
+ * 🪄 This file was generated by Atscript
7
+ * Do not edit this file!
8
+ */
9
+
10
+ import type { TAtscriptTypeObject, TAtscriptTypeComplex, TAtscriptTypeFinal, TAtscriptTypeArray, TAtscriptAnnotatedType, TMetadataMap, Validator, TValidatorOptions } from "@atscript/typescript/utils"
11
+
12
+ /**
13
+ * Atscript interface **AoothDynamicClient**
14
+ * @see {@link ./dynamic-client.as:3:18}
15
+ */
16
+ export declare class AoothDynamicClient {
17
+ clientId: string
18
+ clientName?: string
19
+ redirectUris: string
20
+ tokenEndpointAuthMethod: string
21
+ grantTypes: string
22
+ responseTypes: string
23
+ scope?: string
24
+ createdAt: number /* timestamp */
25
+ lastUsedAt?: number /* timestamp */
26
+ static __is_atscript_annotated_type: true
27
+ static type: TAtscriptTypeObject<keyof AoothDynamicClient, AoothDynamicClient>
28
+ static metadata: TMetadataMap<AtscriptMetadata>
29
+ static validator: (opts?: Partial<TValidatorOptions>) => Validator<typeof AoothDynamicClient>
30
+ /** @deprecated JSON Schema support is disabled. Calling this method will throw a runtime error. To enable, set `jsonSchema: 'lazy'` or `jsonSchema: 'bundle'` in tsPlugin options, or add `@emit.jsonSchema` annotation to individual interfaces. */
31
+ static toJsonSchema: () => any
32
+ /** @deprecated Example Data support is disabled. To enable, set `exampleData: true` in tsPlugin options. */
33
+ static toExampleData?: () => any
34
+ static __flat: {
35
+ "clientId": string
36
+ "clientName"?: string
37
+ "redirectUris": string
38
+ "tokenEndpointAuthMethod": string
39
+ "grantTypes": string
40
+ "responseTypes": string
41
+ "scope"?: string
42
+ "createdAt": number /* timestamp */
43
+ "lastUsedAt"?: number /* timestamp */
44
+ }
45
+ static __ownProps: {
46
+ "clientId": string
47
+ "clientName"?: string
48
+ "redirectUris": string
49
+ "tokenEndpointAuthMethod": string
50
+ "grantTypes": string
51
+ "responseTypes": string
52
+ "scope"?: string
53
+ "createdAt": number /* timestamp */
54
+ "lastUsedAt"?: number /* timestamp */
55
+ }
56
+
57
+ static __pk: string
58
+ }
59
+ // prettier-ignore-end
@@ -15,8 +15,15 @@ export interface AoothPendingAuthorization {
15
15
 
16
16
  /** Registered client id (Tier 2); absent for a public/loopback client. */
17
17
  clientId?: string
18
+ /**
19
+ * Display name resolved at /authorize (DCR `client_name` or a registered
20
+ * client's label) — untrusted text staged for the consent prompt.
21
+ */
22
+ clientName?: string
18
23
  /** The client's `state`, echoed back on the redirect so it can correlate. */
19
24
  clientState?: string
25
+ /** RFC 8707 `resource` indicator (recorded; consistency-checked at /token). */
26
+ resource?: string
20
27
  /** Granted scope (space-joined). */
21
28
  scope?: string
22
29
  /** OIDC `nonce`, echoed into the `id_token` (Tier 2). */
@@ -18,7 +18,9 @@ export declare class AoothPendingAuthorization {
18
18
  redirectUri: string
19
19
  codeChallenge: string
20
20
  clientId?: string
21
+ clientName?: string
21
22
  clientState?: string
23
+ resource?: string
22
24
  scope?: string
23
25
  nonce?: string
24
26
  idToken?: boolean
@@ -41,7 +43,9 @@ export declare class AoothPendingAuthorization {
41
43
  "redirectUri": string
42
44
  "codeChallenge": string
43
45
  "clientId"?: string
46
+ "clientName"?: string
44
47
  "clientState"?: string
48
+ "resource"?: string
45
49
  "scope"?: string
46
50
  "nonce"?: string
47
51
  "idToken"?: boolean
@@ -57,7 +61,9 @@ export declare class AoothPendingAuthorization {
57
61
  "redirectUri": string
58
62
  "codeChallenge": string
59
63
  "clientId"?: string
64
+ "clientName"?: string
60
65
  "clientState"?: string
66
+ "resource"?: string
61
67
  "scope"?: string
62
68
  "nonce"?: string
63
69
  "idToken"?: boolean