npm - @atcute/oauth-browser-client - Versions diffs - 1.0.27 → 2.0.0 - Mend

@atcute/oauth-browser-client 1.0.27 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/README.md +122 -218
package/dist/agents/exchange.d.ts +18 -6
package/dist/agents/exchange.d.ts.map +1 -1
package/dist/agents/exchange.js +35 -17
package/dist/agents/exchange.js.map +1 -1
package/dist/agents/server-agent.d.ts.map +1 -1
package/dist/agents/server-agent.js +22 -5
package/dist/agents/server-agent.js.map +1 -1
package/dist/dpop.d.ts.map +1 -1
package/dist/dpop.js +3 -0
package/dist/dpop.js.map +1 -1
package/dist/environment.d.ts +12 -2
package/dist/environment.d.ts.map +1 -1
package/dist/environment.js +3 -0
package/dist/environment.js.map +1 -1
package/dist/index.d.ts +2 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -1
package/dist/index.js.map +1 -1
package/dist/resolvers.d.ts +5 -47
package/dist/resolvers.d.ts.map +1 -1
package/dist/resolvers.js +22 -122
package/dist/resolvers.js.map +1 -1
package/dist/store/db.d.ts +1 -0
package/dist/store/db.d.ts.map +1 -1
package/dist/store/db.js.map +1 -1
package/dist/types/client-assertion.d.ts +21 -0
package/dist/types/client-assertion.d.ts.map +1 -0
package/dist/types/client-assertion.js +3 -0
package/dist/types/client-assertion.js.map +1 -0
package/dist/types/dpop.d.ts +2 -0
package/dist/types/dpop.d.ts.map +1 -1
package/dist/types/identity.d.ts +12 -5
package/dist/types/identity.d.ts.map +1 -1
package/dist/utils/identity-resolver.d.ts +8 -0
package/dist/utils/identity-resolver.d.ts.map +1 -0
package/dist/utils/identity-resolver.js +44 -0
package/dist/utils/identity-resolver.js.map +1 -0
package/lib/agents/exchange.ts +52 -25
package/lib/agents/server-agent.ts +25 -5
package/lib/dpop.ts +4 -0
package/lib/environment.ts +19 -2
package/lib/index.ts +3 -1
package/lib/resolvers.ts +27 -142
package/lib/store/db.ts +1 -0
package/lib/types/client-assertion.ts +25 -0
package/lib/types/dpop.ts +2 -0
package/lib/types/identity.ts +14 -5
package/lib/utils/identity-resolver.ts +59 -0
package/package.json +5 -4

package/README.md CHANGED Viewed

@@ -18,60 +18,57 @@ minimal OAuth browser client implementation for AT Protocol.
 ### setup
-initialize the client by importing and calling `configureOAuth` with the client ID and redirect URL.
-this call should be placed before any other calls you make with this library.
+initialize the client by importing and calling `configureOAuth` with the client ID and redirect URL,
+along with the resolvers that will be used to resolve and verify account details. this call should
+be placed before any other calls you make with this library.
 ```ts
-import { configureOAuth } from '@atcute/oauth-browser-client';
+import { configureOAuth, defaultIdentityResolver } from '@atcute/oauth-browser-client';
+import {
+	CompositeDidDocumentResolver,
+	PlcDidDocumentResolver,
+	WebDidDocumentResolver,
+	XrpcHandleResolver,
+} from '@atcute/identity-resolver';
 configureOAuth({
 	metadata: {
 		client_id: 'https://example.com/oauth-client-metadata.json',
 		redirect_uri: 'https://example.com/oauth/callback',
 	},
+	identityResolver: defaultIdentityResolver({
+		// AT Protocol handles resolve via DNS TXT record or HTTP well-known endpoints.
+		// since web apps lack direct DNS access and face CORS restrictions, we're using
+		// Bluesky's AppView for this example.
+		//
+		// NOTE: Bluesky may log handle resolutions and requester info per their privacy
+		// policy. consider the privacy implications of this arrangement and change this
+		// setup if unsuitable for your use case.
+		handleResolver: new XrpcHandleResolver({ serviceUrl: 'https://public.api.bsky.app' }),
+		didDocumentResolver: new CompositeDidDocumentResolver({
+			methods: {
+				plc: new PlcDidDocumentResolver(),
+				web: new WebDidDocumentResolver(),
+			},
+		}),
+	}),
 });
 ```
 ### starting an authorization flow
-> [!CAUTION]
-> the built-in handle resolution makes use of Bluesky-hosted services to return the intended DID,
-> and this can mean sharing the user's IP address and the handle identifiers to Bluesky.
->
-> while Bluesky has a declared privacy policy, both developers and users need to be informed and
-> aware of the privacy implications of this arrangement. read [this guide](#doing-handle-resolution)
-> on how you can implement your own resolution code.
-if your application involves asking for the user's handle or DID, you can use `resolveFromIdentity`
-which resolves the user's identity to get its PDS, and the metadata of its authorization server.
-```ts
-import { resolveFromIdentity } from '@atcute/oauth-browser-client';
-const { identity, metadata } = await resolveFromIdentity('mary.my.id');
-```
-alternatively, if it involves asking for the user's PDS, then you can use `resolveFromService` which
-just grabs the authorization server metadata.
-```ts
-import { resolveFromService } from '@atcute/oauth-browser-client';
-const { metadata } = await resolveFromService('bsky.social');
-```
-we can then proceed with authorization by calling `createAuthorizationUrl` with the resolved
-`metadata` (and `identity`, if using `resolveFromIdentity`) along with the scope of the
-authorization, which should either match the one in your client metadata, or a reduced set of it.
+we can start authorization by calling `createAuthorizationUrl` with the intended account's
+identifier or service along with the scope of the authorization, which should either match the one
+in your client metadata, or a reduced set of it.
 ```ts
 import { createAuthorizationUrl } from '@atcute/oauth-browser-client';
-// passing `identity` is optional,
-// it allows for the login form to be autofilled with the user's handle or DID
 const authUrl = await createAuthorizationUrl({
-	metadata: metadata,
-	identity: identity,
+	target: { type: 'account', identifier: 'mary.my.id' },
+	//   or { type: 'pds', serviceUrl: 'https://bsky.social' }
 	scope: 'atproto transition:generic transition:chat.bsky',
 });
@@ -175,6 +172,93 @@ try {
 }
 ```
+## confidential client mode (optional)
+by default, `@atcute/oauth-browser-client` operates as a **public client**, resulting in shorter
+session lifetimes by authorization servers as it's deemed to be unable to securely store
+credentials.
+if you want longer-lived sessions and better security controls, you can enable **confidential client
+mode** by setting up a [client assertion backend](client-assertion-backend).
+[client-assertion-backend]:
+	https://github.com/bluesky-social/proposals/tree/main/0010-client-assertion-backend
+### setup
+configure the client with a function to fetch client assertions from your backend:
+```ts
+import { configureOAuth } from '@atcute/oauth-browser-client';
+configureOAuth({
+	// ... existing config
+	async fetchClientAssertion({ jkt, aud, createDpopProof }) {
+		const dpop = await createDpopProof('https://example.com/api/client-assertion');
+		const response = await fetch('https://example.com/api/client-assertion', {
+			method: 'POST',
+			headers: {
+				dpop: dpop,
+				'content-type': 'application/json',
+			},
+			body: JSON.stringify({ jkt, aud }),
+		});
+		const data = await response.json();
+		return {
+			client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+			client_assertion: data.assertion,
+		};
+	},
+});
+```
+the backend API is completely up to you—there's no standardized spec. design it however works best
+for your infrastructure (authentication, request format, error handling, etc.)
+your backend needs to validate the incoming DPoP proof and sign a client assertion JWT with the
+following interface:
+```ts
+interface ClientAssertionJwt {
+	/** your client ID */
+	iss: string;
+	/** also your client ID */
+	sub: string;
+	/** the authorization server receiving this token */
+	aud: string;
+	/** when this token expires  */
+	exp: number;
+	/** unique nonce */
+	jti: string;
+	/** asserts that this jkt is allowed */
+	cnf: { jkt: string };
+}
+```
+you're able to use the `jkt` to refuse assertions when necessary (suspicious activity, compromised
+code, etc.)
+### client metadata updates
+your OAuth client metadata document must also be updated for confidential clients:
+```json
+{
+	"client_id": "https://example.com/oauth-client-metadata.json",
+	"client_name": "My App",
+	"redirect_uris": ["https://example.com/oauth/callback"],
+	"scope": "atproto transition:generic",
+	"token_endpoint_auth_method": "private_key_jwt",
+	"jwks_uri": "https://example.com/oauth-jwks.json"
+}
+```
+the `jwks_uri` should expose the public keys used to sign client assertions.
 ## additional guide
 ### configuring your Vite project
@@ -265,195 +349,15 @@ configureOAuth({
 		client_id: import.meta.env.VITE_OAUTH_CLIENT_ID,
 		redirect_uri: import.meta.env.VITE_OAUTH_REDIRECT_URI,
 	},
+	// ...
 });
 // ... later during sign-in process
 const authUrl = await createAuthorizationUrl({
-	metadata: metadata,
-	identity: identity,
+	// ...
 	scope: import.meta.env.VITE_OAUTH_SCOPE,
 });
 ```
 adjust the code here as necessary, the plugin adds more environment variables than what is actually
 needed, you can remove them if you don't think you'd need it.
-### doing handle resolution
-there are two ways that a handle can be verified:
-1. HTTP verification: there is a file at `/.well-known/atproto-did` containing your account's DID
-2. DNS verification: there is an `_atproto` TXT record containing your account's DID
-you'd want to resolve both of these. if both methods return a response but does not match each other
-then it should ideally be thrown.
-verify that the DID matches the intended format
-```ts
-const isDid = (did: string): did is At.DID => {
-	return /^did:([a-z]+):([a-zA-Z0-9._:%-]*[a-zA-Z0-9._-])$/.test(did);
-};
-```
-pass this resolved DID to `resolveFromIdentity`, and carry on as per usual.
-#### HTTP handle resolution
-this is very straightforward, make a request to `https://<handle>/.well-known/atproto-did` without
-following redirects. check if the response status is 200 and trim off any excess whitespaces.
-some web servers might not set a permissible CORS header to access this resource, in which case
-there is nothing that can be done, unless you'd want to proxy the requests.
-```ts
-const resolveHandleViaHttp = async (handle: string): Promise<At.DID> => {
-	const url = new URL('/.well-known/atproto-did', `https://${handle}`);
-	const response = await fetch(url, { redirect: 'error' });
-	if (!response.ok) {
-		throw new ResolverError(`domain is unreachable`);
-	}
-	const text = await response.text();
-	const did = text.split('\n')[0]!.trim();
-	if (isDid(did)) {
-		return did;
-	}
-	throw new ResolverError(`failed to resolve ${handle}`);
-};
-```
-#### DNS handle resolution
-as websites can't do DNS resolution on their own, we'd have to rely on DNS-over-HTTPS (DoH)
-services. it should be noted that this _can_ have privacy implications of its own, please read
-through the privacy policy of whichever DoH service you end up using and make the user aware of it
-as well.
-for this example, we'll be using Cloudflare's DoH resolver for Firefox ([privacy
-policy][cf-resolver-firefox-privacy]) as it has support for `application/dns-json` format which
-allows us to query and see the responses in JSON.
-```ts
-const SUBDOMAIN = '_atproto';
-const PREFIX = 'did=';
-const resolveHandleViaDoH = async (handle: string): Promise<At.DID> => {
-	const url = new URL('https://mozilla.cloudflare-dns.com/dns-query');
-	url.searchParams.set('type', 'TXT');
-	url.searchParams.set('name', `${SUBDOMAIN}.${handle}`);
-	const response = await fetch(url, {
-		method: 'GET',
-		headers: { accept: 'application/dns-json' },
-		redirect: 'follow',
-	});
-	const type = response.headers.get('content-type')?.trim();
-	if (!response.ok) {
-		const message = type?.startsWith('text/plain') ? await response.text() : `failed to resolve ${handle}`;
-		throw new ResolverError(message);
-	}
-	if (type !== 'application/dns-json') {
-		throw new ResolverError(`unexpected response from DoH server`);
-	}
-	const result = asResult(await response.json());
-	const answers = result.Answer?.filter(isAnswerTxt).map(extractTxtData) ?? [];
-	for (let i = 0; i < answers.length; i++) {
-		// skip if the line does not start with "did="
-		if (!answers[i].startsWith(PREFIX)) {
-			continue;
-		}
-		// ensure there is no other entry starting with "did="
-		for (let j = i + 1; j < answers.length; j++) {
-			if (answers[j].startsWith(PREFIX)) {
-				throw new ResolverError(`handle returned multiple did values`);
-			}
-		}
-		const did = answers[i].slice(PREFIX.length);
-		if (isDid(did)) {
-			return did;
-		}
-		break;
-	}
-	throw new ResolverError(`failed to resolve ${handle}`);
-};
-type Result = { Status: number; Answer?: Answer[] };
-const isResult = (result: unknown): result is Result => {
-	if (result === null || typeof result !== 'object') {
-		return false;
-	}
-	return (
-		'Status' in result &&
-		typeof result.Status === 'number' &&
-		(!('Answer' in result) || (Array.isArray(result.Answer) && result.Answer.every(isAnswer)))
-	);
-};
-const asResult = (result: unknown): Result => {
-	if (!isResult(result)) {
-		throw new TypeError(`unexpected DoH response`);
-	}
-	return result;
-};
-type Answer = { name: string; type: number; data: string; TTL: number };
-const isAnswer = (answer: unknown): answer is Answer => {
-	if (answer === null || typeof answer !== 'object') {
-		return false;
-	}
-	return (
-		'name' in answer &&
-		typeof answer.name === 'string' &&
-		'type' in answer &&
-		typeof answer.type === 'number' &&
-		'data' in answer &&
-		typeof answer.data === 'string' &&
-		'TTL' in answer &&
-		typeof answer.TTL === 'number'
-	);
-};
-type AnswerTxt = Answer & { type: 16 };
-const isAnswerTxt = (answer: Answer): answer is AnswerTxt => {
-	return answer.type === 16;
-};
-const extractTxtData = (answer: AnswerTxt): string => {
-	return answer.data.replace(/^"|"$/g, '').replace(/\\"/g, '"');
-};
-```
-[cf-resolver-firefox-privacy]: https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare-resolver-firefox/
-#### using your PDS for handle resolution
-alternatively, if you operate your own PDS, you can make use of it as a handle resolver.
-```ts
-const resolveHandleViaPds = async (handle: string): Promise<At.DID> => {
-	const rpc = new XRPC({ handler: simpleFetchHandler({ service: `https://my-pds.example.com` }) });
-	const { data } = await rpc.get('com.atproto.identity.resolveHandle', {
-		params: {
-			handle: handle,
-		},
-	});
-	return data.did;
-};
-```

package/dist/agents/exchange.d.ts CHANGED Viewed

@@ -1,21 +1,33 @@
-import type { IdentityMetadata } from '../types/identity.js';
-import type { AuthorizationServerMetadata } from '../types/server.js';
+import type { ActorIdentifier } from '@atcute/lexicons';
 import type { Session } from '../types/token.js';
+export type AuthorizeTargetOptions = {
+    type: 'account';
+    identifier: ActorIdentifier;
+} | {
+    type: 'pds';
+    serviceUrl: string;
+};
 export interface AuthorizeOptions {
-    metadata: AuthorizationServerMetadata;
-    identity?: IdentityMetadata;
+    target: AuthorizeTargetOptions;
     scope: string;
+    state?: unknown;
+    prompt?: 'none' | 'login' | 'consent' | 'select_account';
+    display?: 'page' | 'popup' | 'touch' | 'wap';
+    locale?: string;
 }
 /**
  * Create authentication URL for authorization
  * @param options
  * @returns URL to redirect the user for authorization
  */
-export declare const createAuthorizationUrl: ({ metadata, identity, scope, }: AuthorizeOptions) => Promise<URL>;
+export declare const createAuthorizationUrl: (options: AuthorizeOptions) => Promise<URL>;
 /**
  * Finalize authorization
  * @param params Search params
  * @returns Session object, which you can use to instantiate user agents
  */
-export declare const finalizeAuthorization: (params: URLSearchParams) => Promise<Session>;
+export declare const finalizeAuthorization: (params: URLSearchParams) => Promise<{
+    session: Session;
+    state: {} | null;
+}>;
 //# sourceMappingURL=exchange.d.ts.map

package/dist/agents/exchange.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"exchange.d.ts","sourceRoot":"","sources":["../../lib/agents/exchange.ts"],"names":[],"mappings":"~~AAKA~~,OAAO,KAAK,EAAE,~~gBAAgB~~,EAAE,MAAM,~~sBAAsB~~,CAAC;~~AAC7D~~,OAAO,KAAK,EAAE,~~2BAA2B~~,EAAE,MAAM,~~oBAAoB~~,CAAC;~~AACtE~~,~~OAAO~~,~~KAAK~~,EAAE,~~OAAO~~,EAAE,MAAM,~~mBAAmB~~,CAAC;~~AAMjD~~,MAAM,WAAW,gBAAgB;IAChC,~~QAAQ~~,EAAE,~~2BAA2B~~,CAAC;~~IACtC~~,~~QAAQ~~,CAAC,EAAE,gBAAgB,CAAC;~~IAC5B~~,KAAK,EAAE,MAAM,CAAC;~~CACd~~;AAED;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,GAAU,~~gCAI1C~~,gBAAgB,KAAG,OAAO,CAAC,GAAG,~~CAoChC~~,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,GAAU,QAAQ,eAAe,~~qBA6ClE,~~CAAC"}
1	+ {"version":3,"file":"exchange.d.ts","sourceRoot":"","sources":["../../lib/agents/exchange.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAOxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAOjD,MAAM,MAAM,sBAAsB,GAC/B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,UAAU,EAAE,eAAe,CAAA;CAAE,GAChD;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvC,MAAM,WAAW,gBAAgB;IAChC,MAAM,EAAE,sBAAsB,CAAC;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,gBAAgB,CAAC;IACzD,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,KAAK,CAAC;IAC7C,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,GAAU,SAAS,gBAAgB,KAAG,OAAO,CAAC,GAAG,CAwDnF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,GAAU,QAAQ,eAAe;;;EA8ClE,CAAC"}

package/dist/agents/exchange.js CHANGED Viewed

@@ -3,6 +3,7 @@ import { createES256Key } from '../dpop.js';
 import { CLIENT_ID, database, REDIRECT_URI } from '../environment.js';
 import { AuthorizationError, LoginError } from '../errors.js';
 import { generatePKCE } from '../utils/runtime.js';
+import { resolveFromIdentifier, resolveFromService } from '../resolvers.js';
 import { OAuthServerAgent } from './server-agent.js';
 import { storeSession } from './sessions.js';
 /**
@@ -10,29 +11,45 @@ import { storeSession } from './sessions.js';
  * @param options
  * @returns URL to redirect the user for authorization
  */
-export const createAuthorizationUrl = async ({ metadata, identity, scope, }) => {
-    const state = nanoid(24);
+export const createAuthorizationUrl = async (options) => {
+    const { target, scope, state = null, ...reqs } = options;
+    let resolved;
+    switch (target.type) {
+        case 'account': {
+            resolved = await resolveFromIdentifier(target.identifier);
+            break;
+        }
+        case 'pds': {
+            resolved = await resolveFromService(target.serviceUrl);
+        }
+    }
+    const { identity, metadata } = resolved;
+    const loginHint = identity
+        ? identity.handle !== 'handle.invalid'
+            ? identity.handle
+            : identity.did
+        : undefined;
+    const sid = nanoid(24);
     const pkce = await generatePKCE();
     const dpopKey = await createES256Key();
     const params = {
+        display: reqs.display,
+        ui_locales: reqs.locale,
+        prompt: reqs.prompt,
         redirect_uri: REDIRECT_URI,
         code_challenge: pkce.challenge,
         code_challenge_method: pkce.method,
-        state: state,
-        login_hint: identity?.raw,
+        state: sid,
+        login_hint: loginHint,
         response_mode: 'fragment',
         response_type: 'code',
-        display: 'page',
-        // id_token_hint: undefined,
-        // max_age: undefined,
-        // prompt: undefined,
         scope: scope,
-        // ui_locales: undefined,
     };
-    database.states.set(state, {
+    database.states.set(sid, {
         dpopKey: dpopKey,
         metadata: metadata,
         verifier: pkce.verifier,
+        state: state,
     });
     const server = new OAuthServerAgent(metadata, dpopKey);
     const response = await server.request('pushed_authorization_request', params);
@@ -48,28 +65,29 @@ export const createAuthorizationUrl = async ({ metadata, identity, scope, }) =>
  */
 export const finalizeAuthorization = async (params) => {
     const issuer = params.get('iss');
-    const state = params.get('state');
+    const sid = params.get('state');
     const code = params.get('code');
     const error = params.get('error');
-    if (!state || !(code || error)) {
+    if (!sid || !(code || error)) {
         throw new LoginError(`missing parameters`);
     }
-    const stored = database.states.get(state);
+    const stored = database.states.get(sid);
     if (stored) {
         // Delete now that we've caught it
-        database.states.delete(state);
+        database.states.delete(sid);
     }
     else {
         throw new LoginError(`unknown state provided`);
     }
-    const dpopKey = stored.dpopKey;
-    const metadata = stored.metadata;
     if (error) {
         throw new AuthorizationError(params.get('error_description') || error);
     }
     if (!code) {
         throw new LoginError(`missing code parameter`);
     }
+    const dpopKey = stored.dpopKey;
+    const metadata = stored.metadata;
+    const state = stored.state ?? null;
     if (issuer === null) {
         throw new LoginError(`missing issuer parameter`);
     }
@@ -83,6 +101,6 @@ export const finalizeAuthorization = async (params) => {
     const sub = info.sub;
     const session = { dpopKey, info, token };
     await storeSession(sub, session);
-    return session;
+    return { session, state };
 };
 //# sourceMappingURL=exchange.js.map

package/dist/agents/exchange.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"exchange.js","sourceRoot":"","sources":["../../lib/agents/exchange.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;~~AAEhC~~,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI9D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;~~AAQ7C~~;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,KAAK,EAAE,~~EAC5C~~,QAAQ,~~EACR~~,QAAQ,~~EACR~~,KAAK,~~GACa~~,~~EAAgB~~,EAAE;~~IACpC~~,MAAM,KAAK,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;~~IAEzB~~,MAAM,IAAI,GAAG,MAAM,YAAY,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,MAAM,cAAc,EAAE,CAAC;IAEvC,MAAM,MAAM,GAAG;QACd,YAAY,EAAE,YAAY;QAC1B,cAAc,EAAE,IAAI,CAAC,SAAS;QAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;QAClC,KAAK,EAAE,~~KAAK~~;~~QACZ~~,UAAU,EAAE,~~QAAQ,EAAE,GAAG~~;~~QACzB~~,aAAa,EAAE,UAAU;QACzB,aAAa,EAAE,MAAM;QACrB,~~OAAO,EAAE,MAAM;QACf,4BAA4B;QAC5B,sBAAsB;QACtB,qBAAqB;QACrB,~~KAAK,EAAE,KAAK;~~QACZ~~,~~yBAAyB;KACoB,~~CAAC;IAE/C,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,~~KAAK~~,EAAE;~~QAC1B~~,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,IAAI,CAAC,QAAQ;~~KACvB~~,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,8BAA8B,EAAE,MAAM,CAAC,CAAC;IAE9E,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACjD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE9D,OAAO,OAAO,CAAC;AAChB,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,KAAK,EAAE,MAAuB,EAAE,EAAE;IACtE,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACjC,MAAM,~~KAAK~~,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;~~IAClC~~,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAElC,IAAI,CAAC,~~KAAK~~,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;~~QAChC~~,MAAM,IAAI,UAAU,CAAC,oBAAoB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,~~KAAK~~,CAAC,CAAC;~~IAC1C~~,IAAI,MAAM,EAAE,CAAC;QACZ,kCAAkC;QAClC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,~~KAAK~~,CAAC,CAAC;~~IAC/B~~,CAAC;SAAM,CAAC;QACP,MAAM,IAAI,UAAU,CAAC,wBAAwB,CAAC,CAAC;IAChD,CAAC;IAED,~~MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAEjC,~~IAAI,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACX,MAAM,IAAI,UAAU,CAAC,wBAAwB,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAAC,0BAA0B,CAAC,CAAC;IAClD,CAAC;SAAM,IAAI,MAAM,KAAK,QAAQ,CAAC,MAAM,EAAE,CAAC;QACvC,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,CAAC;IACzC,CAAC;IAED,iCAAiC;IACjC,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAEzE,kBAAkB;IAClB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACrB,MAAM,OAAO,GAAY,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IAElD,MAAM,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAEjC,OAAO,OAAO,CAAC;~~AAChB~~,CAAC,CAAC"}
1	+ {"version":3,"file":"exchange.js","sourceRoot":"","sources":["../../lib/agents/exchange.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAIhC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI9D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC5E,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAe7C;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,KAAK,EAAE,OAAyB,EAAgB,EAAE;IACvF,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,GAAG,IAAI,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAEzD,IAAI,QAAgF,CAAC;IACrF,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,SAAS,CAAC,CAAC,CAAC;YAChB,QAAQ,GAAG,MAAM,qBAAqB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC1D,MAAM;QACP,CAAC;QACD,KAAK,KAAK,CAAC,CAAC,CAAC;YACZ,QAAQ,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACxD,CAAC;IACF,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,QAAQ,CAAC;IACxC,MAAM,SAAS,GAAG,QAAQ;QACzB,CAAC,CAAC,QAAQ,CAAC,MAAM,KAAK,gBAAgB;YACrC,CAAC,CAAC,QAAQ,CAAC,MAAM;YACjB,CAAC,CAAC,QAAQ,CAAC,GAAG;QACf,CAAC,CAAC,SAAS,CAAC;IAEb,MAAM,GAAG,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;IAEvB,MAAM,IAAI,GAAG,MAAM,YAAY,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,MAAM,cAAc,EAAE,CAAC;IAEvC,MAAM,MAAM,GAAG;QACd,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,UAAU,EAAE,IAAI,CAAC,MAAM;QACvB,MAAM,EAAE,IAAI,CAAC,MAAM;QAEnB,YAAY,EAAE,YAAY;QAC1B,cAAc,EAAE,IAAI,CAAC,SAAS;QAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;QAClC,KAAK,EAAE,GAAG;QACV,UAAU,EAAE,SAAS;QACrB,aAAa,EAAE,UAAU;QACzB,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,KAAK;KACiC,CAAC;IAE/C,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE;QACxB,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,KAAK,EAAE,KAAK;KACZ,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,8BAA8B,EAAE,MAAM,CAAC,CAAC;IAE9E,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACjD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE9D,OAAO,OAAO,CAAC;AAChB,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,KAAK,EAAE,MAAuB,EAAE,EAAE;IACtE,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACjC,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAElC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,oBAAoB,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,MAAM,EAAE,CAAC;QACZ,kCAAkC;QAClC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACP,MAAM,IAAI,UAAU,CAAC,wBAAwB,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,kBAAkB,CAAC,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACX,MAAM,IAAI,UAAU,CAAC,wBAAwB,CAAC,CAAC;IAChD,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IACjC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC;IAEnC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAAC,0BAA0B,CAAC,CAAC;IAClD,CAAC;SAAM,IAAI,MAAM,KAAK,QAAQ,CAAC,MAAM,EAAE,CAAC;QACvC,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,CAAC;IACzC,CAAC;IAED,iCAAiC;IACjC,MAAM,MAAM,GAAG,IAAI,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAEzE,kBAAkB;IAClB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACrB,MAAM,OAAO,GAAY,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IAElD,MAAM,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAEjC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC,CAAC"}

package/dist/agents/server-agent.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"server-agent.d.ts","sourceRoot":"","sources":["../../lib/agents/server-agent.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAM5C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,oCAAoC,EAAE,MAAM,oBAAoB,CAAC;AAC/E,OAAO,KAAK,EAAE,YAAY,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAIrF,qBAAa,gBAAgB;;~~gBAIhB~~,QAAQ,EAAE,oCAAoC,EAAE,OAAO,EAAE,OAAO;~~IAKtE~~,OAAO,CACZ,QAAQ,EAAE,8BAA8B,EACxC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,OAAO,CAAC,gBAAgB,CAAC;IACtB,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,kBAAkB,CAAC;IACzF,OAAO,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC;IAC/E,OAAO,CAAC,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC;~~IA0BlF~~,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMpC,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,YAAY,CAAC;QAAC,KAAK,EAAE,SAAS,CAAA;KAAE,CAAC;IAgBhG,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QAAE,GAAG,EAAE,GAAG,CAAC;QAAC,KAAK,EAAE,SAAS,CAAA;KAAE,GAAG,OAAO,CAAC,SAAS,CAAC;CAwEjF"}
1	+ {"version":3,"file":"server-agent.d.ts","sourceRoot":"","sources":["../../lib/agents/server-agent.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAM5C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAChD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,oCAAoC,EAAE,MAAM,oBAAoB,CAAC;AAC/E,OAAO,KAAK,EAAE,YAAY,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAIrF,qBAAa,gBAAgB;;gBAKhB,QAAQ,EAAE,oCAAoC,EAAE,OAAO,EAAE,OAAO;IAMtE,OAAO,CACZ,QAAQ,EAAE,8BAA8B,EACxC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,OAAO,CAAC,gBAAgB,CAAC;IACtB,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,kBAAkB,CAAC;IACzF,OAAO,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC;IAC/E,OAAO,CAAC,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC;IA4ClF,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMpC,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,YAAY,CAAC;QAAC,KAAK,EAAE,SAAS,CAAA;KAAE,CAAC;IAgBhG,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;QAAE,GAAG,EAAE,GAAG,CAAC;QAAC,KAAK,EAAE,SAAS,CAAA;KAAE,GAAG,OAAO,CAAC,SAAS,CAAC;CAwEjF"}

package/dist/agents/server-agent.js CHANGED Viewed

@@ -1,14 +1,16 @@
-import { createDPoPFetch } from '../dpop.js';
-import { CLIENT_ID, REDIRECT_URI } from '../environment.js';
+import { createDPoPFetch, createDPoPSignage } from '../dpop.js';
+import { CLIENT_ID, fetchClientAssertion, REDIRECT_URI } from '../environment.js';
 import { FetchResponseError, OAuthResponseError, TokenRefreshError } from '../errors.js';
-import { resolveFromIdentity } from '../resolvers.js';
+import { resolveFromIdentifier } from '../resolvers.js';
 import { pick } from '../utils/misc.js';
 import { extractContentType } from '../utils/response.js';
 export class OAuthServerAgent {
     #fetch;
     #metadata;
+    #dpopKey;
     constructor(metadata, dpopKey) {
         this.#metadata = metadata;
+        this.#dpopKey = dpopKey;
         this.#fetch = createDPoPFetch(dpopKey, true);
     }
     async request(endpoint, payload) {
@@ -16,6 +18,21 @@ export class OAuthServerAgent {
         if (!url) {
             throw new Error(`no endpoint for ${endpoint}`);
         }
+        if (endpoint === 'token' && fetchClientAssertion !== undefined) {
+            const jkt = this.#dpopKey.jkt;
+            if (jkt === undefined) {
+                throw new Error(`DPoP key missing jkt field`);
+            }
+            const clientAssertionCredentials = await fetchClientAssertion({
+                jkt: jkt,
+                aud: this.#metadata.issuer,
+                createDpopProof: async (url) => {
+                    const sign = createDPoPSignage(this.#dpopKey);
+                    return await sign('POST', url, undefined, undefined);
+                },
+            });
+            payload = { ...payload, ...clientAssertionCredentials };
+        }
         const response = await this.#fetch(url, {
             method: 'post',
             headers: { 'content-type': 'application/json' },
@@ -96,7 +113,7 @@ export class OAuthServerAgent {
             throw new TypeError(`missing sub field in token response`);
         }
         const token = this.#processTokenResponse(res);
-        const resolved = await resolveFromIdentity(sub);
+        const resolved = await resolveFromIdentifier(sub);
         if (resolved.metadata.issuer !== this.#metadata.issuer) {
             throw new TypeError(`issuer mismatch; got ${resolved.metadata.issuer}`);
         }
@@ -104,7 +121,7 @@ export class OAuthServerAgent {
             token: token,
             info: {
                 sub: sub,
-                aud: resolved.identity.pds.href,
+                aud: resolved.identity.pds,
                 server: pick(resolved.metadata, [
                     'issuer',
                     'authorization_endpoint',

package/dist/agents/server-agent.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"server-agent.js","sourceRoot":"","sources":["../../lib/agents/server-agent.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;~~AAC7C~~,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;~~AAC5D~~,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACzF,OAAO,EAAE,~~mBAAmB~~,EAAE,MAAM,iBAAiB,CAAC;~~AAKtD~~,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D,MAAM,OAAO,gBAAgB;IAC5B,MAAM,CAAe;IACrB,SAAS,CAAuC;~~IAEhD~~,YAAY,QAA8C,EAAE,OAAgB;QAC3E,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC1B,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC9C,CAAC;IASD,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,OAAgC;QAC/D,MAAM,GAAG,GAAwB,IAAI,CAAC,SAAiB,CAAC,GAAG,QAAQ,WAAW,CAAC,CAAC;QAChF,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;YACvC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;SAC1D,CAAC,CAAC;QAEH,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACjE,MAAM,IAAI,kBAAkB,CAAC,QAAQ,EAAE,CAAC,EAAE,yBAAyB,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACb,CAAC;aAAM,CAAC;YACP,MAAM,IAAI,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;IACF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACzB,IAAI,CAAC;YACJ,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACX,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,QAAiB;QACjD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,oBAAoB;YAChC,YAAY,EAAE,YAAY;YAC1B,IAAI,EAAE,IAAI;YACV,aAAa,EAAE,QAAQ;SACvB,CAAC,CAAC;QAEH,IAAI,CAAC;YACJ,OAAO,MAAM,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACzC,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAkC;QAC3D,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,KAAK,CAAC,OAAO;SAC5B,CAAC,CAAC;QAEH,IAAI,CAAC;YACJ,IAAI,GAAG,KAAK,QAAQ,CAAC,GAAG,EAAE,CAAC;gBAC1B,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,uCAAuC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;YACzF,CAAC;YAED,OAAO,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAEzC,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,qBAAqB,CAAC,GAAuB;QAC5C,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,GAAG,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,0CAA0C,CAAC,CAAC;QACjE,CAAC;QAED,OAAO;YACN,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,OAAO,EAAE,GAAG,CAAC,aAAa;YAC1B,MAAM,EAAE,GAAG,CAAC,YAAY;YACxB,IAAI,EAAE,GAAG,CAAC,UAAU;YACpB,UAAU,EAAE,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS;SAChG,CAAC;IACH,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAC,GAAuB;QACrD,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,MAAM,~~mBAAmB~~,CAAC,~~GAAG~~,CAAC,CAAC;~~QAEhD~~,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CAAC,wBAAwB,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,OAAO;YACN,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE;gBACL,GAAG,EAAE,GAAU;gBACf,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG~~,CAAC,IAAI~~;~~gBAC/B~~,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE;oBAC/B,QAAQ;oBACR,wBAAwB;oBACxB,wBAAwB;oBACxB,uCAAuC;oBACvC,qBAAqB;oBACrB,gBAAgB;iBAChB,CAAC;aACF;SACD,CAAC;IACH,CAAC;CACD"}
1	+ {"version":3,"file":"server-agent.js","sourceRoot":"","sources":["../../lib/agents/server-agent.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACzF,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAKxD,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D,MAAM,OAAO,gBAAgB;IAC5B,MAAM,CAAe;IACrB,SAAS,CAAuC;IAChD,QAAQ,CAAU;IAElB,YAAY,QAA8C,EAAE,OAAgB;QAC3E,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC1B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC9C,CAAC;IASD,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,OAAgC;QAC/D,MAAM,GAAG,GAAwB,IAAI,CAAC,SAAiB,CAAC,GAAG,QAAQ,WAAW,CAAC,CAAC;QAChF,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;YAChE,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;YAC9B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAC/C,CAAC;YAED,MAAM,0BAA0B,GAAG,MAAM,oBAAoB,CAAC;gBAC7D,GAAG,EAAE,GAAG;gBACR,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM;gBAC1B,eAAe,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;oBAC9B,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;oBAC9C,OAAO,MAAM,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;gBACtD,CAAC;aACD,CAAC,CAAC;YAEH,OAAO,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,0BAA0B,EAAE,CAAC;QACzD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;YACvC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;SAC1D,CAAC,CAAC;QAEH,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACjE,MAAM,IAAI,kBAAkB,CAAC,QAAQ,EAAE,CAAC,EAAE,yBAAyB,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACb,CAAC;aAAM,CAAC;YACP,MAAM,IAAI,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;IACF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACzB,IAAI,CAAC;YACJ,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACX,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,QAAiB;QACjD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,oBAAoB;YAChC,YAAY,EAAE,YAAY;YAC1B,IAAI,EAAE,IAAI;YACV,aAAa,EAAE,QAAQ;SACvB,CAAC,CAAC;QAEH,IAAI,CAAC;YACJ,OAAO,MAAM,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACzC,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAkC;QAC3D,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,KAAK,CAAC,OAAO;SAC5B,CAAC,CAAC;QAEH,IAAI,CAAC;YACJ,IAAI,GAAG,KAAK,QAAQ,CAAC,GAAG,EAAE,CAAC;gBAC1B,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,uCAAuC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;YACzF,CAAC;YAED,OAAO,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAEzC,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,qBAAqB,CAAC,GAAuB;QAC5C,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,GAAG,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,0CAA0C,CAAC,CAAC;QACjE,CAAC;QAED,OAAO;YACN,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,OAAO,EAAE,GAAG,CAAC,aAAa;YAC1B,MAAM,EAAE,GAAG,CAAC,YAAY;YACxB,IAAI,EAAE,GAAG,CAAC,UAAU;YACpB,UAAU,EAAE,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS;SAChG,CAAC;IACH,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAC,GAAuB;QACrD,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,GAAU,CAAC,CAAC;QAEzD,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CAAC,wBAAwB,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,OAAO;YACN,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE;gBACL,GAAG,EAAE,GAAU;gBACf,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG;gBAC1B,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE;oBAC/B,QAAQ;oBACR,wBAAwB;oBACxB,wBAAwB;oBACxB,uCAAuC;oBACvC,qBAAqB;oBACrB,gBAAgB;iBAChB,CAAC;aACF;SACD,CAAC;IACH,CAAC;CACD"}

package/dist/dpop.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../lib/dpop.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAM/C,eAAO,MAAM,cAAc,QAAa,OAAO,CAAC,OAAO,~~CAWtD~~,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAAI,SAAS,OAAO,MAuBnC,QAAQ,MAAM,EAAE,KAAK,MAAM,EAAE,OAAO,MAAM,GAAG,SAAS,EAAE,KAAK,MAAM,GAAG,SAAS,oBAa7F,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,SAAS,OAAO,EAAE,eAAe,OAAO,KAAG,OAAO,KA+HjF,CAAC"}
1	+ {"version":3,"file":"dpop.d.ts","sourceRoot":"","sources":["../lib/dpop.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAM/C,eAAO,MAAM,cAAc,QAAa,OAAO,CAAC,OAAO,CAetD,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAAI,SAAS,OAAO,MAuBnC,QAAQ,MAAM,EAAE,KAAK,MAAM,EAAE,OAAO,MAAM,GAAG,SAAS,EAAE,KAAK,MAAM,GAAG,SAAS,oBAa7F,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,SAAS,OAAO,EAAE,eAAe,OAAO,KAAG,OAAO,KA+HjF,CAAC"}

package/dist/dpop.js CHANGED Viewed

@@ -9,10 +9,13 @@ export const createES256Key = async () => {
     const pair = await crypto.subtle.generateKey(ES256_ALG, true, ['sign', 'verify']);
     const key = await crypto.subtle.exportKey('pkcs8', pair.privateKey);
     const { ext: _ext, key_ops: _key_opts, ...jwk } = await crypto.subtle.exportKey('jwk', pair.publicKey);
+    const canonicalJwk = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
+    const jkt = await stringToSha256(canonicalJwk);
     return {
         typ: 'ES256',
         key: toBase64Url(new Uint8Array(key)),
         jwt: toBase64Url(encodeUtf8(JSON.stringify({ typ: 'dpop+jwt', alg: 'ES256', jwk: jwk }))),
+        jkt: jkt,
     };
 };
 export const createDPoPSignage = (dpopKey) => {