@atcute/oauth-browser-client 1.0.3 → 1.0.5

package/README.md

@@ -5,16 +5,12 @@ minimal OAuth browser client implementation for AT Protocol.
 - **only the bare minimum**: enough code to get authentication reasonably working, with only one
   happy path is supported (only ES256 keys for DPoP. PKCE and DPoP-bound PAR is required.)
 - **does not use IndexedDB**: makes the library work under Safari's lockdown mode, and has less
-  [maintenance headache][indexeddb-woes] overall, but it also means this is "less secure" (it won't
-  be able to use non-exportable keys as recommended by [DPoP specification][idb-dpop-spec].)
-- **no independent DNS/HTTP handle checks**: the default handle resolver makes use of Bluesky's
-  AppView to retrieve the correct DID identifier. you should be able to write your own resolver
-  function that'll resolve via DNS-over-HTTPS or via other PDSes.
+  maintenance headache overall, but it also means this is "less secure" (it won't be able to use
+  non-exportable keys as recommended by [DPoP specification][idb-dpop-spec].)
 - **not well-tested**: it has been used in personal projects for quite some time, but hasn't seen
   any use outside of that. using the [reference implementation][oauth-atproto-lib] is recommended if
   you are unsure about the implications presented here.
 
-[indexeddb-woes]: https://gist.github.com/pesterhazy/4de96193af89a6dd5ce682ce2adff49a
 [idb-dpop-spec]: https://datatracker.ietf.org/doc/html/rfc9449#section-2-4
 [oauth-atproto-lib]: https://npm.im/@atproto/oauth-client-browser
 
@@ -38,6 +34,14 @@ configureOAuth({
 
 ### starting an authorization flow
 
+> [!CAUTION]  
+> the built-in handle resolution makes use of Bluesky-hosted services to return the intended DID,
+> and this can mean sharing the user's IP address and the handle identifiers to Bluesky.
+>
+> while Bluesky has a declared privacy policy, both developers and users need to be informed and
+> aware of the privacy implications of this arrangement. read [this guide](#doing-handle-resolution)
+> on how you can implement your own resolution code.
+
 if your application involves asking for the user's handle or DID, you can use `resolveFromIdentity`
 which resolves the user's identity to get its PDS, and the metadata of its authorization server.
 
@@ -157,3 +161,289 @@ try {
 	deleteStoredSession(did);
 }
 ```
+
+## additional guide
+
+### configuring your Vite project
+
+you might want to configure the server options in your Vite config so you'll never end up visiting
+your app in `localhost`, which is specifically forbidden by AT Protocol's OAuth, let's change it so
+it'll always use `127.0.0.1`:
+
+```ts
+/// vite.config.ts
+import { defineConfig } from 'vite';
+
+const SERVER_HOST = '127.0.0.1';
+const SERVER_PORT = 12520;
+
+export default defineConfig({
+	server: {
+		host: SERVER_HOST,
+		port: SERVER_PORT,
+	},
+});
+```
+
+additionally, to make it easier to develop locally and deploy to production, you should consider
+adding a plugin that'll inject the necessary values for you through environment variables:
+
+```ts
+/// vite.config.ts
+import metadata from './public/oauth/client-metadata.json' with { type: 'json' };
+
+export default defineConfig({
+	// ...
+
+	plugins: [
+		// injects OAuth-related environment variables
+		{
+			config(_conf, { command }) {
+				if (command === 'build') {
+					process.env.VITE_OAUTH_CLIENT_ID = metadata.client_id;
+					process.env.VITE_OAUTH_REDIRECT_URI = metadata.redirect_uris[0];
+				} else {
+					const redirectUri = (() => {
+						const url = new URL(metadata.redirect_uris[0]);
+						return `http://${SERVER_HOST}:${SERVER_PORT}${url.pathname}`;
+					})();
+
+					const clientId =
+						`http://localhost` +
+						`?redirect_uri=${encodeURIComponent(redirectUri)}` +
+						`&scope=${encodeURIComponent(metadata.scope)}`;
+
+					process.env.VITE_DEV_SERVER_PORT = '' + SERVER_PORT;
+					process.env.VITE_OAUTH_CLIENT_ID = clientId;
+					process.env.VITE_OAUTH_REDIRECT_URI = redirectUri;
+				}
+
+				process.env.VITE_CLIENT_URI = metadata.client_uri;
+				process.env.VITE_OAUTH_SCOPE = metadata.scope;
+			},
+		},
+	],
+});
+```
+
+we'll augment the type declarations to get type-checking on it:
+
+```ts
+/// src/vite-env.d.ts
+
+interface ImportMetaEnv {
+	readonly VITE_DEV_SERVER_PORT?: string;
+	readonly VITE_CLIENT_URI: string;
+	readonly VITE_OAUTH_CLIENT_ID: string;
+	readonly VITE_OAUTH_REDIRECT_URI: string;
+	readonly VITE_OAUTH_SCOPE: string;
+}
+
+interface ImportMeta {
+	readonly env: ImportMetaEnv;
+}
+```
+
+et voilà! you can now use this to configure the client.
+
+```ts
+configureOAuth({
+	metadata: {
+		client_id: import.meta.env.VITE_OAUTH_CLIENT_ID,
+		redirect_uri: import.meta.env.VITE_OAUTH_REDIRECT_URI,
+	},
+});
+
+// ... later during sign-in process
+const authUrl = await createAuthorizationUrl({
+	metadata: metadata,
+	identity: identity,
+	scope: import.meta.env.VITE_OAUTH_SCOPE,
+});
+```
+
+adjust the code here as necessary, the plugin adds more environment variables than what is actually
+needed, you can remove them if you don't think you'd need it.
+
+### doing handle resolution
+
+there are two ways that a handle can be verified:
+
+1. HTTP verification: there is a file at `/.well-known/atproto-did` containing your account's DID
+2. DNS verification: there is an `_atproto` TXT record containing your account's DID
+
+you'd want to resolve both of these. if both methods return a response but does not match each other
+then it should ideally be thrown.
+
+verify that the DID matches the intended format
+
+```ts
+const isDid = (did: string): did is At.DID => {
+	return /^did:([a-z]+):([a-zA-Z0-9._:%-]*[a-zA-Z0-9._-])$/.test(did);
+};
+```
+
+pass this resolved DID to `resolveFromIdentity`, and carry on as per usual.
+
+#### HTTP handle resolution
+
+this is very straightforward, make a request to `https://<handle>/.well-known/atproto-did` without
+following redirects. check if the response status is 200 and trim off any excess whitespaces.
+
+some web servers might not set a permissible CORS header to access this resource, in which case
+there is nothing that can be done, unless you'd want to proxy the requests.
+
+```ts
+const resolveHandleViaHttp = async (handle: string): Promise<At.DID> => {
+	const url = new URL('/.well-known/atproto-did', `https://${handle}`);
+
+	const response = await fetch(url, { redirect: 'error' });
+	if (!response.ok) {
+		throw new ResolverError(`domain is unreachable`);
+	}
+
+	const text = await response.text();
+
+	const did = text.split('\n')[0]!.trim();
+	if (isDid(did)) {
+		return did;
+	}
+
+	throw new ResolverError(`failed to resolve ${handle}`);
+};
+```
+
+#### DNS handle resolution
+
+as websites can't do DNS resolution on their own, we'd have to rely on DNS-over-HTTPS (DoH)
+services. it should be noted that this _can_ have privacy implications of its own, please read
+through the privacy policy of whichever DoH service you end up using and make the user aware of it
+as well.
+
+for this example, we'll be using Cloudflare's DoH resolver for Firefox ([privacy
+policy][cf-resolver-firefox-privacy]) as it has support for `application/dns-json` format which
+allows us to query and see the responses in JSON.
+
+```ts
+const SUBDOMAIN = '_atproto';
+const PREFIX = 'did=';
+
+const resolveHandleViaDoH = async (handle: string): Promise<At.DID> => {
+	const url = new URL('https://mozilla.cloudflare-dns.com/dns-query');
+	url.searchParams.set('type', 'TXT');
+	url.searchParams.set('name', `${SUBDOMAIN}.${handle}`);
+
+	const response = await fetch(url, {
+		method: 'GET',
+		headers: { accept: 'application/dns-json' },
+		redirect: 'follow',
+	});
+
+	const type = response.headers.get('content-type')?.trim();
+	if (!response.ok) {
+		const message = type?.startsWith('text/plain')
+			? await response.text()
+			: `failed to resolve ${handle}`;
+
+		throw new ResolverError(message);
+	}
+
+	if (type !== 'application/dns-json') {
+		throw new ResolverError(`unexpected response from DoH server`);
+	}
+
+	const result = asResult(await response.json());
+	const answers = result.Answer?.filter(isAnswerTxt).map(extractTxtData) ?? [];
+
+	for (let i = 0; i < answers.length; i++) {
+		// skip if the line does not start with "did="
+		if (!answers[i].startsWith(PREFIX)) {
+			continue;
+		}
+
+		// ensure there is no other entry starting with "did="
+		for (let j = i + 1; j < answers.length; j++) {
+			if (answers[j].startsWith(PREFIX)) {
+				break;
+			}
+		}
+
+		const did = answers[i].slice(PREFIX.length);
+		if (isDid(did)) {
+			return did;
+		}
+
+		break;
+	}
+
+	throw new ResolverError(`failed to resolve ${handle}`);
+};
+
+type Result = { Status: number; Answer?: Answer[] };
+const isResult = (result: unknown): result is Result => {
+	if (result === null || typeof result !== 'object') {
+		return false;
+	}
+
+	return (
+		'Status' in result &&
+		typeof result.Status === 'number' &&
+		(!('Answer' in result) || (Array.isArray(result.Answer) && result.Answer.every(isAnswer)))
+	);
+};
+const asResult = (result: unknown): Result => {
+	if (!isResult(result)) {
+		throw new TypeError(`unexpected DoH response`);
+	}
+
+	return result;
+};
+
+type Answer = { name: string; type: number; data: string; TTL: number };
+const isAnswer = (answer: unknown): answer is Answer => {
+	if (answer === null || typeof answer !== 'object') {
+		return false;
+	}
+
+	return (
+		'name' in answer &&
+		typeof answer.name === 'string' &&
+		'type' in answer &&
+		typeof answer.type === 'number' &&
+		'data' in answer &&
+		typeof answer.data === 'string' &&
+		'TTL' in answer &&
+		typeof answer.TTL === 'number'
+	);
+};
+
+type AnswerTxt = Answer & { type: 16 };
+const isAnswerTxt = (answer: Answer): answer is AnswerTxt => {
+	return answer.type === 16;
+};
+
+const extractTxtData = (answer: AnswerTxt): string => {
+	return answer.data.replace(/^"|"$/g, '').replace(/\\"/g, '"');
+};
+```
+
+[cf-resolver-firefox-privacy]:
+	https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare-resolver-firefox/
+
+#### using your PDS for handle resolution
+
+alternatively, if you operate your own PDS, you can make use of it as a handle resolver.
+
+```ts
+const resolveHandleViaPds = async (handle: string): Promise<At.DID> => {
+	const rpc = new XRPC({ handler: simpleFetchHandler({ service: `https://my-pds.example.com` }) });
+
+	const { data } = await rpc.get('com.atproto.identity.resolveHandle', {
+		params: {
+			handle: handle,
+		},
+	});
+
+	return data.did;
+};
+```

package/dist/agents/server-agent.js

@@ -73,19 +73,20 @@ export class OAuthServerAgent {
         }
     }
     #processTokenResponse(res) {
-        const sub = res.sub;
-        const scope = res.scope;
-        if (!sub) {
+        if (!res.sub) {
             throw new TypeError(`missing sub field in token response`);
         }
-        if (!scope) {
+        if (!res.scope) {
             throw new TypeError(`missing scope field in token response`);
         }
+        if (res.token_type !== 'DPoP') {
+            throw new TypeError(`token response returned a non-dpop token`);
+        }
         return {
-            scope: scope,
+            scope: res.scope,
             refresh: res.refresh_token,
             access: res.access_token,
-            type: res.token_type ?? 'Bearer',
+            type: res.token_type,
             expires_at: typeof res.expires_in === 'number' ? Date.now() + res.expires_in * 1_000 : undefined,
         };
     }

package/dist/agents/server-agent.js.map

@@ -1 +1 @@
-{"version":3,"file":"server-agent.js","sourceRoot":"","sources":["../../lib/agents/server-agent.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACzF,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAKtD,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D,MAAM,OAAO,gBAAgB;IAC5B,MAAM,CAAe;IACrB,SAAS,CAAuC;IAEhD,YAAY,QAA8C,EAAE,OAAgB;QAC3E,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC1B,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IACzD,CAAC;IASD,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,OAAgC;QAC/D,MAAM,GAAG,GAAwB,IAAI,CAAC,SAAiB,CAAC,GAAG,QAAQ,WAAW,CAAC,CAAC;QAChF,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;YACvC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;SAC1D,CAAC,CAAC;QAEH,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACjE,MAAM,IAAI,kBAAkB,CAAC,QAAQ,EAAE,CAAC,EAAE,yBAAyB,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACb,CAAC;aAAM,CAAC;YACP,MAAM,IAAI,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;IACF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACzB,IAAI,CAAC;YACJ,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACX,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,QAAiB;QACjD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,oBAAoB;YAChC,YAAY,EAAE,YAAY;YAC1B,IAAI,EAAE,IAAI;YACV,aAAa,EAAE,QAAQ;SACvB,CAAC,CAAC;QAEH,IAAI,CAAC;YACJ,OAAO,MAAM,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACzC,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAqC;QAC9D,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,KAAK,CAAC,OAAO;SAC5B,CAAC,CAAC;QAEH,IAAI,CAAC;YACJ,IAAI,GAAG,KAAK,QAAQ,CAAC,GAAG,EAAE,CAAC;gBAC1B,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,uCAAuC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;YACzF,CAAC;YAED,OAAO,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAEzC,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,qBAAqB,CAAC,GAAuB;QAC5C,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;QACxB,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAC;QAC9D,CAAC;QAED,OAAO;YACN,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,GAAG,CAAC,aAAa;YAC1B,MAAM,EAAE,GAAG,CAAC,YAAY;YACxB,IAAI,EAAE,GAAG,CAAC,UAAU,IAAI,QAAQ;YAChC,UAAU,EAAE,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS;SAChG,CAAC;IACH,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAC,GAAuB;QACrD,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAEhD,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CAAC,wBAAwB,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,OAAO;YACN,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE;gBACL,GAAG,EAAE,GAAa;gBAClB,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI;gBAC/B,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE;oBAC/B,QAAQ;oBACR,wBAAwB;oBACxB,wBAAwB;oBACxB,uCAAuC;oBACvC,qBAAqB;oBACrB,gBAAgB;iBAChB,CAAC;aACF;SACD,CAAC;IACH,CAAC;CACD"}
+{"version":3,"file":"server-agent.js","sourceRoot":"","sources":["../../lib/agents/server-agent.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACzF,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAKtD,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AACxC,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D,MAAM,OAAO,gBAAgB;IAC5B,MAAM,CAAe;IACrB,SAAS,CAAuC;IAEhD,YAAY,QAA8C,EAAE,OAAgB;QAC3E,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC1B,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IACzD,CAAC;IASD,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,OAAgC;QAC/D,MAAM,GAAG,GAAwB,IAAI,CAAC,SAAiB,CAAC,GAAG,QAAQ,WAAW,CAAC,CAAC;QAChF,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,mBAAmB,QAAQ,EAAE,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE;YACvC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;SAC1D,CAAC,CAAC;QAEH,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,kBAAkB,EAAE,CAAC;YACjE,MAAM,IAAI,kBAAkB,CAAC,QAAQ,EAAE,CAAC,EAAE,yBAAyB,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACb,CAAC;aAAM,CAAC;YACP,MAAM,IAAI,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;IACF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACzB,IAAI,CAAC;YACJ,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACX,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,QAAiB;QACjD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,oBAAoB;YAChC,YAAY,EAAE,YAAY;YAC1B,IAAI,EAAE,IAAI;YACV,aAAa,EAAE,QAAQ;SACvB,CAAC,CAAC;QAEH,IAAI,CAAC;YACJ,OAAO,MAAM,IAAI,CAAC,wBAAwB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACzC,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAqC;QAC9D,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,4BAA4B,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE;YAC5C,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,KAAK,CAAC,OAAO;SAC5B,CAAC,CAAC;QAEH,IAAI,CAAC;YACJ,IAAI,GAAG,KAAK,QAAQ,CAAC,GAAG,EAAE,CAAC;gBAC1B,MAAM,IAAI,iBAAiB,CAAC,GAAG,EAAE,uCAAuC,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC;YACzF,CAAC;YAED,OAAO,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAEzC,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,qBAAqB,CAAC,GAAuB;QAC5C,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,GAAG,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,SAAS,CAAC,0CAA0C,CAAC,CAAC;QACjE,CAAC;QAED,OAAO;YACN,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,OAAO,EAAE,GAAG,CAAC,aAAa;YAC1B,MAAM,EAAE,GAAG,CAAC,YAAY;YACxB,IAAI,EAAE,GAAG,CAAC,UAAU;YACpB,UAAU,EAAE,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS;SAChG,CAAC;IACH,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAC,GAAuB;QACrD,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QACpB,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAEhD,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,KAAK,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;YACxD,MAAM,IAAI,SAAS,CAAC,wBAAwB,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,OAAO;YACN,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE;gBACL,GAAG,EAAE,GAAa;gBAClB,GAAG,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI;gBAC/B,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE;oBAC/B,QAAQ;oBACR,wBAAwB;oBACxB,wBAAwB;oBACxB,uCAAuC;oBACvC,qBAAqB;oBACrB,gBAAgB;iBAChB,CAAC;aACF;SACD,CAAC;IACH,CAAC;CACD"}

package/dist/store/db.js

@@ -27,7 +27,7 @@ export const createOAuthDatabase = ({ name }) => {
                     store = undefined;
                 }
             };
-            window.addEventListener('storage', listener, { signal });
+            globalThis.addEventListener('storage', listener, { signal });
         }
         {
             const cleanup = async (lock) => {

package/dist/store/db.js.map

@@ -1 +1 @@
-{"version":3,"file":"db.js","sourceRoot":"","sources":["../../lib/store/db.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAC;AAkC5C,MAAM,KAAK,GAAG,CAAC,GAAkB,EAAE,EAAE;IACpC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;YACpB,OAAO,MAAM,CAAC;QACf,CAAC;IACF,CAAC;IAED,OAAO,EAAE,CAAC;AACX,CAAC,CAAC;AAIF,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,EAAE,IAAI,EAAwB,EAAE,EAAE;IACrE,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;IAEjC,MAAM,WAAW,GAAG,CACnB,OAAU,EACV,SAAsD,EACF,EAAE;QACtD,IAAI,KAAU,CAAC;QAEf,MAAM,UAAU,GAAG,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;QAExC,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,KAAK,IAAI,YAAY,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACvF,MAAM,IAAI,GAAG,GAAG,EAAE;YACjB,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;YACjC,CAAC;YAED,OAAO,CAAC,KAAK,KAAK,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC5D,CAAC,CAAC;QAEF,CAAC;YACA,MAAM,QAAQ,GAAG,CAAC,EAAgB,EAAE,EAAE;gBACrC,IAAI,EAAE,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;oBAC3B,KAAK,GAAG,SAAS,CAAC;gBACnB,CAAC;YACF,CAAC,CAAC;YAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,CAAC;YACA,MAAM,OAAO,GAAG,KAAK,EAAE,IAAwB,EAAE,EAAE;gBAClD,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBAC7B,OAAO;gBACR,CAAC;gBAED,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;gBAC5D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpB,OAAO;gBACR,CAAC;gBAED,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBACrB,IAAI,OAAO,GAAG,KAAK,CAAC;gBAEpB,IAAI,EAAE,CAAC;gBAEP,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;oBACzB,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;oBACxB,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;oBAEjC,IAAI,SAAS,KAAK,IAAI,IAAI,GAAG,GAAG,SAAS,EAAE,CAAC;wBAC3C,OAAO,GAAG,IAAI,CAAC;wBACf,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;oBACnB,CAAC;gBACF,CAAC;gBAED,IAAI,OAAO,EAAE,CAAC;oBACb,OAAO,EAAE,CAAC;gBACX,CAAC;YACF,CAAC,CAAC;YAEF,IAAI,KAAK,EAAE,CAAC;gBACX,KAAK,CAAC,OAAO,CAAC,GAAG,UAAU,UAAU,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,OAAO,CAAC,CAAC;YACxE,CAAC;iBAAM,CAAC;gBACP,OAAO,CAAC,IAAI,CAAC,CAAC;YACf,CAAC;QACF,CAAC;QAED,OAAO;YACN,GAAG,CAAC,GAAG;gBACN,IAAI,EAAE,CAAC;gBAEP,MAAM,IAAI,GAAmC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACxD,IAAI,CAAC,IAAI,EAAE,CAAC;oBACX,OAAO;gBACR,CAAC;gBAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;gBACjC,IAAI,SAAS,KAAK,IAAI,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE,CAAC;oBAClD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;oBAClB,OAAO,EAAE,CAAC;oBAEV,OAAO;gBACR,CAAC;gBAED,OAAO,IAAI,CAAC,KAAK,CAAC;YACnB,CAAC;YACD,GAAG,CAAC,GAAG,EAAE,KAAK;gBACb,IAAI,EAAE,CAAC;gBAEP,MAAM,IAAI,GAAmC;oBAC5C,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC;oBAC3B,KAAK,EAAE,KAAK;iBACZ,CAAC;gBAEF,KAAK,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;gBAClB,OAAO,EAAE,CAAC;YACX,CAAC;YACD,MAAM,CAAC,GAAG;gBACT,IAAI,EAAE,CAAC;gBAEP,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;oBAC9B,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;oBAClB,OAAO,EAAE,CAAC;gBACX,CAAC;YACF,CAAC;YACD,IAAI;gBACH,IAAI,EAAE,CAAC;gBAEP,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC3B,CAAC;SACD,CAAC;IACH,CAAC,CAAC;IAEF,OAAO;QACN,OAAO,EAAE,GAAG,EAAE;YACb,UAAU,CAAC,KAAK,EAAE,CAAC;QACpB,CAAC;QAED,QAAQ,EAAE,WAAW,CAAC,UAAU,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;YAC/C,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,IAAI,CAAC;YACb,CAAC;YAED,OAAO,KAAK,CAAC,UAAU,IAAI,IAAI,CAAC;QACjC,CAAC,CAAC;QACF,MAAM,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC;QACtE,UAAU,EAAE,WAAW,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC;KAC9E,CAAC;AACH,CAAC,CAAC"}
+{"version":3,"file":"db.js","sourceRoot":"","sources":["../../lib/store/db.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAC;AAkC5C,MAAM,KAAK,GAAG,CAAC,GAAkB,EAAE,EAAE;IACpC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;YACpB,OAAO,MAAM,CAAC;QACf,CAAC;IACF,CAAC;IAED,OAAO,EAAE,CAAC;AACX,CAAC,CAAC;AAIF,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,EAAE,IAAI,EAAwB,EAAE,EAAE;IACrE,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;IAEjC,MAAM,WAAW,GAAG,CACnB,OAAU,EACV,SAAsD,EACF,EAAE;QACtD,IAAI,KAAU,CAAC;QAEf,MAAM,UAAU,GAAG,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;QAExC,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,KAAK,IAAI,YAAY,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACvF,MAAM,IAAI,GAAG,GAAG,EAAE;YACjB,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;YACjC,CAAC;YAED,OAAO,CAAC,KAAK,KAAK,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC5D,CAAC,CAAC;QAEF,CAAC;YACA,MAAM,QAAQ,GAAG,CAAC,EAAgB,EAAE,EAAE;gBACrC,IAAI,EAAE,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;oBAC3B,KAAK,GAAG,SAAS,CAAC;gBACnB,CAAC;YACF,CAAC,CAAC;YAEF,UAAU,CAAC,gBAAgB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,CAAC;YACA,MAAM,OAAO,GAAG,KAAK,EAAE,IAAwB,EAAE,EAAE;gBAClD,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBAC7B,OAAO;gBACR,CAAC;gBAED,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;gBAC5D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpB,OAAO;gBACR,CAAC;gBAED,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBACrB,IAAI,OAAO,GAAG,KAAK,CAAC;gBAEpB,IAAI,EAAE,CAAC;gBAEP,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;oBACzB,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;oBACxB,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;oBAEjC,IAAI,SAAS,KAAK,IAAI,IAAI,GAAG,GAAG,SAAS,EAAE,CAAC;wBAC3C,OAAO,GAAG,IAAI,CAAC;wBACf,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;oBACnB,CAAC;gBACF,CAAC;gBAED,IAAI,OAAO,EAAE,CAAC;oBACb,OAAO,EAAE,CAAC;gBACX,CAAC;YACF,CAAC,CAAC;YAEF,IAAI,KAAK,EAAE,CAAC;gBACX,KAAK,CAAC,OAAO,CAAC,GAAG,UAAU,UAAU,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,OAAO,CAAC,CAAC;YACxE,CAAC;iBAAM,CAAC;gBACP,OAAO,CAAC,IAAI,CAAC,CAAC;YACf,CAAC;QACF,CAAC;QAED,OAAO;YACN,GAAG,CAAC,GAAG;gBACN,IAAI,EAAE,CAAC;gBAEP,MAAM,IAAI,GAAmC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACxD,IAAI,CAAC,IAAI,EAAE,CAAC;oBACX,OAAO;gBACR,CAAC;gBAED,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;gBACjC,IAAI,SAAS,KAAK,IAAI,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE,CAAC;oBAClD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;oBAClB,OAAO,EAAE,CAAC;oBAEV,OAAO;gBACR,CAAC;gBAED,OAAO,IAAI,CAAC,KAAK,CAAC;YACnB,CAAC;YACD,GAAG,CAAC,GAAG,EAAE,KAAK;gBACb,IAAI,EAAE,CAAC;gBAEP,MAAM,IAAI,GAAmC;oBAC5C,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC;oBAC3B,KAAK,EAAE,KAAK;iBACZ,CAAC;gBAEF,KAAK,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;gBAClB,OAAO,EAAE,CAAC;YACX,CAAC;YACD,MAAM,CAAC,GAAG;gBACT,IAAI,EAAE,CAAC;gBAEP,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;oBAC9B,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;oBAClB,OAAO,EAAE,CAAC;gBACX,CAAC;YACF,CAAC;YACD,IAAI;gBACH,IAAI,EAAE,CAAC;gBAEP,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC3B,CAAC;SACD,CAAC;IACH,CAAC,CAAC;IAEF,OAAO;QACN,OAAO,EAAE,GAAG,EAAE;YACb,UAAU,CAAC,KAAK,EAAE,CAAC;QACpB,CAAC;QAED,QAAQ,EAAE,WAAW,CAAC,UAAU,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;YAC/C,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,IAAI,CAAC;YACb,CAAC;YAED,OAAO,KAAK,CAAC,UAAU,IAAI,IAAI,CAAC;QACjC,CAAC,CAAC;QACF,MAAM,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC;QACtE,UAAU,EAAE,WAAW,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC;KAC9E,CAAC;AACH,CAAC,CAAC"}

package/lib/agents/exchange.ts

@@ -0,0 +1,115 @@
+import { createES256Key } from '../dpop.js';
+import { CLIENT_ID, database, REDIRECT_URI } from '../environment.js';
+import { AuthorizationError, LoginError } from '../errors.js';
+import type { IdentityMetadata } from '../types/identity.js';
+import type { AuthorizationServerMetadata } from '../types/server.js';
+import type { Session } from '../types/token.js';
+import { generatePKCE, generateState } from '../utils/runtime.js';
+
+import { OAuthServerAgent } from './server-agent.js';
+import { storeSession } from './sessions.js';
+
+export interface AuthorizeOptions {
+	metadata: AuthorizationServerMetadata;
+	identity?: IdentityMetadata;
+	scope: string;
+}
+
+/**
+ * Create authentication URL for authorization
+ * @param options
+ * @returns URL to redirect the user for authorization
+ */
+export const createAuthorizationUrl = async ({
+	metadata,
+	identity,
+	scope,
+}: AuthorizeOptions): Promise<URL> => {
+	const state = generateState();
+
+	const pkce = await generatePKCE();
+	const dpopKey = await createES256Key();
+
+	const params = {
+		redirect_uri: REDIRECT_URI,
+		code_challenge: pkce.challenge,
+		code_challenge_method: pkce.method,
+		state: state,
+		login_hint: identity?.raw,
+		response_mode: 'fragment',
+		response_type: 'code',
+		display: 'page',
+		// id_token_hint: undefined,
+		// max_age: undefined,
+		// prompt: undefined,
+		scope: scope,
+		// ui_locales: undefined,
+	} satisfies Record<string, string | undefined>;
+
+	database.states.set(state, {
+		dpopKey: dpopKey,
+		metadata: metadata,
+		verifier: pkce.verifier,
+	});
+
+	const server = new OAuthServerAgent(metadata, dpopKey);
+	const response = await server.request('pushed_authorization_request', params);
+
+	const authUrl = new URL(metadata.authorization_endpoint);
+	authUrl.searchParams.set('client_id', CLIENT_ID);
+	authUrl.searchParams.set('request_uri', response.request_uri);
+
+	return authUrl;
+};
+
+/**
+ * Finalize authorization
+ * @param params Search params
+ * @returns Session object, which you can use to instantiate user agents
+ */
+export const finalizeAuthorization = async (params: URLSearchParams) => {
+	const issuer = params.get('iss');
+	const state = params.get('state');
+	const code = params.get('code');
+	const error = params.get('error');
+
+	if (!state || !(code || error)) {
+		throw new LoginError(`missing parameters`);
+	}
+
+	const stored = database.states.get(state);
+	if (stored) {
+		// Delete now that we've caught it
+		database.states.delete(state);
+	} else {
+		throw new LoginError(`unknown state provided`);
+	}
+
+	const dpopKey = stored.dpopKey;
+	const metadata = stored.metadata;
+
+	if (error) {
+		throw new AuthorizationError(params.get('error_description') || error);
+	}
+	if (!code) {
+		throw new LoginError(`missing code parameter`);
+	}
+
+	if (issuer === null) {
+		throw new LoginError(`missing issuer parameter`);
+	} else if (issuer !== metadata.issuer) {
+		throw new LoginError(`issuer mismatch`);
+	}
+
+	// Retrieve authentication tokens
+	const server = new OAuthServerAgent(metadata, dpopKey);
+	const { info, token } = await server.exchangeCode(code, stored.verifier);
+
+	// We're finished!
+	const sub = info.sub;
+	const session: Session = { dpopKey, info, token };
+
+	await storeSession(sub, session);
+
+	return session;
+};

package/lib/agents/server-agent.ts

@@ -0,0 +1,149 @@
+import type { At } from '@atcute/client/lexicons';
+
+import { createDPoPFetch } from '../dpop.js';
+import { CLIENT_ID, REDIRECT_URI } from '../environment.js';
+import { FetchResponseError, OAuthResponseError, TokenRefreshError } from '../errors.js';
+import { resolveFromIdentity } from '../resolvers.js';
+import type { DPoPKey } from '../types/dpop.js';
+import type { OAuthParResponse } from '../types/par.js';
+import type { PersistedAuthorizationServerMetadata } from '../types/server.js';
+import type { ExchangeInfo, OAuthTokenResponse, TokenInfo } from '../types/token.js';
+import { pick } from '../utils/misc.js';
+import { extractContentType } from '../utils/response.js';
+
+export class OAuthServerAgent {
+	#fetch: typeof fetch;
+	#metadata: PersistedAuthorizationServerMetadata;
+
+	constructor(metadata: PersistedAuthorizationServerMetadata, dpopKey: DPoPKey) {
+		this.#metadata = metadata;
+		this.#fetch = createDPoPFetch(CLIENT_ID, dpopKey, true);
+	}
+
+	async request(
+		endpoint: 'pushed_authorization_request',
+		payload: Record<string, unknown>,
+	): Promise<OAuthParResponse>;
+	async request(endpoint: 'token', payload: Record<string, unknown>): Promise<OAuthTokenResponse>;
+	async request(endpoint: 'revocation', payload: Record<string, unknown>): Promise<any>;
+	async request(endpoint: 'introspection', payload: Record<string, unknown>): Promise<any>;
+	async request(endpoint: string, payload: Record<string, unknown>): Promise<any> {
+		const url: string | undefined = (this.#metadata as any)[`${endpoint}_endpoint`];
+		if (!url) {
+			throw new Error(`no endpoint for ${endpoint}`);
+		}
+
+		const response = await this.#fetch(url, {
+			method: 'post',
+			headers: { 'content-type': 'application/json' },
+			body: JSON.stringify({ ...payload, client_id: CLIENT_ID }),
+		});
+
+		if (extractContentType(response.headers) !== 'application/json') {
+			throw new FetchResponseError(response, 2, `unexpected content-type`);
+		}
+
+		const json = await response.json();
+
+		if (response.ok) {
+			return json;
+		} else {
+			throw new OAuthResponseError(response, json);
+		}
+	}
+
+	async revoke(token: string): Promise<void> {
+		try {
+			await this.request('revocation', { token: token });
+		} catch {}
+	}
+
+	async exchangeCode(code: string, verifier?: string): Promise<{ info: ExchangeInfo; token: TokenInfo }> {
+		const response = await this.request('token', {
+			grant_type: 'authorization_code',
+			redirect_uri: REDIRECT_URI,
+			code: code,
+			code_verifier: verifier,
+		});
+
+		try {
+			return await this.#processExchangeResponse(response);
+		} catch (err) {
+			await this.revoke(response.access_token);
+			throw err;
+		}
+	}
+
+	async refresh({ sub, token }: { sub: At.DID; token: TokenInfo }): Promise<TokenInfo> {
+		if (!token.refresh) {
+			throw new TokenRefreshError(sub, 'no refresh token available');
+		}
+
+		const response = await this.request('token', {
+			grant_type: 'refresh_token',
+			refresh_token: token.refresh,
+		});
+
+		try {
+			if (sub !== response.sub) {
+				throw new TokenRefreshError(sub, `sub mismatch in token response; got ${response.sub}`);
+			}
+
+			return this.#processTokenResponse(response);
+		} catch (err) {
+			await this.revoke(response.access_token);
+
+			throw err;
+		}
+	}
+
+	#processTokenResponse(res: OAuthTokenResponse): TokenInfo {
+		if (!res.sub) {
+			throw new TypeError(`missing sub field in token response`);
+		}
+		if (!res.scope) {
+			throw new TypeError(`missing scope field in token response`);
+		}
+		if (res.token_type !== 'DPoP') {
+			throw new TypeError(`token response returned a non-dpop token`);
+		}
+
+		return {
+			scope: res.scope,
+			refresh: res.refresh_token,
+			access: res.access_token,
+			type: res.token_type,
+			expires_at: typeof res.expires_in === 'number' ? Date.now() + res.expires_in * 1_000 : undefined,
+		};
+	}
+
+	async #processExchangeResponse(res: OAuthTokenResponse): Promise<{ info: ExchangeInfo; token: TokenInfo }> {
+		const sub = res.sub;
+		if (!sub) {
+			throw new TypeError(`missing sub field in token response`);
+		}
+
+		const token = this.#processTokenResponse(res);
+		const resolved = await resolveFromIdentity(sub);
+
+		if (resolved.metadata.issuer !== this.#metadata.issuer) {
+			throw new TypeError(`issuer mismatch; got ${resolved.metadata.issuer}`);
+		}
+
+		return {
+			token: token,
+			info: {
+				sub: sub as At.DID,
+				aud: resolved.identity.pds.href,
+				server: pick(resolved.metadata, [
+					'issuer',
+					'authorization_endpoint',
+					'introspection_endpoint',
+					'pushed_authorization_request_endpoint',
+					'revocation_endpoint',
+					'token_endpoint',
+				]),
+			},
+		};
+	}
+}