@atcute/oauth-browser-client 2.0.3 → 3.0.0

package/lib/dpop.ts

@@ -1,82 +1,20 @@
-import { fromBase64Url, toBase64Url } from '@atcute/multibase';
-import { encodeUtf8 } from '@atcute/uint8array';
-
-import { nanoid } from 'nanoid';
+import { createDpopProofSigner, sha256Base64Url, type DpopPrivateJwk } from '@atcute/oauth-crypto';
 
 import { database } from './environment.js';
-import type { DPoPKey } from './types/dpop.js';
 import { extractContentType } from './utils/response.js';
-import { stringToSha256 } from './utils/runtime.js';
-
-const ES256_ALG = { name: 'ECDSA', namedCurve: 'P-256' } as const;
-
-export const createES256Key = async (): Promise<DPoPKey> => {
-	const pair = await crypto.subtle.generateKey(ES256_ALG, true, ['sign', 'verify']);
-
-	const key = await crypto.subtle.exportKey('pkcs8', pair.privateKey);
-	const { ext: _ext, key_ops: _key_opts, ...jwk } = await crypto.subtle.exportKey('jwk', pair.publicKey);
-
-	const canonicalJwk = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
-	const jkt = await stringToSha256(canonicalJwk);
-
-	return {
-		typ: 'ES256',
-		key: toBase64Url(new Uint8Array(key)),
-		jwt: toBase64Url(encodeUtf8(JSON.stringify({ typ: 'dpop+jwt', alg: 'ES256', jwk: jwk }))),
-		jkt: jkt,
-	};
-};
-
-export const createDPoPSignage = (dpopKey: DPoPKey) => {
-	const headerString = dpopKey.jwt;
-	const keyPromise = crypto.subtle.importKey(
-		'pkcs8',
-		fromBase64Url(dpopKey.key) as Uint8Array<ArrayBuffer>,
-		ES256_ALG,
-		true,
-		['sign'],
-	);
-
-	const constructPayload = (htm: string, htu: string, nonce: string | undefined, ath: string | undefined) => {
-		const payload = {
-			ath: ath,
-			htm: htm,
-			htu: htu,
-			iat: Math.floor(Date.now() / 1_000),
-			jti: nanoid(24),
-			nonce: nonce,
-		};
-
-		return toBase64Url(encodeUtf8(JSON.stringify(payload)));
-	};
 
-	return async (method: string, htu: string, nonce: string | undefined, ath: string | undefined) => {
-		const payloadString = constructPayload(method, htu, nonce, ath);
-
-		const signed = await crypto.subtle.sign(
-			{ name: 'ECDSA', hash: { name: 'SHA-256' } },
-			await keyPromise,
-			encodeUtf8(headerString + '.' + payloadString) as Uint8Array<ArrayBuffer>,
-		);
-
-		const signatureString = toBase64Url(new Uint8Array(signed));
-
-		return headerString + '.' + payloadString + '.' + signatureString;
-	};
-};
-
-export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeof fetch => {
+export const createDPoPFetch = (dpopKey: DpopPrivateJwk, isAuthServer?: boolean): typeof fetch => {
 	const nonces = database.dpopNonces;
 	const pending = database.inflightDpop;
 
-	const sign = createDPoPSignage(dpopKey);
+	const sign = createDpopProofSigner(dpopKey);
 
 	return async (input, init) => {
 		const request = new Request(input, init);
 
 		const authorizationHeader = request.headers.get('authorization');
 		const ath = authorizationHeader?.startsWith('DPoP ')
-			? await stringToSha256(authorizationHeader.slice(5))
+			? await sha256Base64Url(authorizationHeader.slice(5))
 			: undefined;
 
 		const { method, url } = request;
@@ -84,44 +22,24 @@ export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeo
 
 		const htu = origin + pathname;
 
-		// See if we have a pending promise for this origin, we'll await before
-		// proceeding with this request, next comment describes what the promise
-		// is meant to be.
 		let deferred = pending.get(origin);
 		if (deferred) {
 			await deferred.promise;
 			deferred = undefined;
 		}
 
-		// Get our persisted nonce value for this origin
 		let initNonce: string | undefined;
 		let expiredOrMissing = false;
 		try {
 			const [nonce, lapsed] = nonces.getWithLapsed(origin);
 
 			initNonce = nonce;
-
-			// The problem with DPoP nonces is that we don't have insight as to when
-			// they'll expire, either we have a nonce value or we don't.
-			//
-			// Which is very unfortunate, if the client makes multiple requests at the
-			// same time, there's a chance that all of them will fail due to the nonce
-			// value having expired.
-			//
-			// To make this less painful, if it's been over 3 minutes since we last
-			// had a nonce value, or we never had one to begin with, we'll let this
-			// request through and defer everyone else until we get a possibly fresh
-			// nonce value.
-			//
-			// 3 minutes being the DPoP nonce expiration time set by the reference PDS
-			// implementation.
 			expiredOrMissing = lapsed > 3 * 60 * 1_000;
 		} catch {
-			// Ignore read errors, we'll just act like we're missing a nonce.
+			// ignore read errors
 		}
 
 		if (expiredOrMissing) {
-			// Defer everyone else until this request finishes.
 			pending.set(origin, (deferred = Promise.withResolvers()));
 		}
 
@@ -134,44 +52,30 @@ export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeo
 
 			nextNonce = initResponse.headers.get('dpop-nonce');
 			if (nextNonce === null || nextNonce === initNonce) {
-				// No nonce was returned or it is the same as the one we sent. No need to
-				// update the nonce store, or retry the request.
-
 				return initResponse;
 			}
 
-			// Store the fresh nonce for future requests
 			try {
 				nonces.set(origin, nextNonce);
 			} catch {
-				// Ignore write errors
+				// ignore write errors
 			}
 
 			const shouldRetry = await isUseDpopNonceError(initResponse, isAuthServer);
 			if (!shouldRetry) {
-				// Not a "use_dpop_nonce" error, so there is no need to retry
-
 				return initResponse;
 			}
 
 			if (input === request || init?.body instanceof ReadableStream) {
-				// If the input stream was already consumed, we cannot retry the request. A
-				// solution would be to clone() the request but that would bufferize the
-				// entire stream in memory which can lead to memory starvation. Instead, we
-				// will return the original response and let the calling code handle retries.
-
 				return initResponse;
 			}
 		} finally {
-			// Now everyone can have their turn.
 			if (deferred) {
 				pending.delete(origin);
 				deferred.resolve();
 			}
 		}
 
-		// We got here because we were asked to retry the request (due to missing
-		// nonce value in the first request), let's do just that.
 		{
 			const nextProof = await sign(method, htu, nextNonce, ath);
 			const nextRequest = new Request(input, init);
@@ -179,13 +83,12 @@ export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeo
 
 			const retryResponse = await fetch(nextRequest);
 
-			// Check if the server returned another new nonce in the retry response
 			const retryNonce = retryResponse.headers.get('dpop-nonce');
 			if (retryNonce !== null && retryNonce !== nextNonce) {
 				try {
 					nonces.set(origin, retryNonce);
 				} catch {
-					// Ignore write errors
+					// ignore write errors
 				}
 			}
 
@@ -195,8 +98,6 @@ export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeo
 };
 
 const isUseDpopNonceError = async (response: Response, isAuthServer?: boolean): Promise<boolean> => {
-	// https://datatracker.ietf.org/doc/html/rfc6750#section-3
-	// https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no
 	if (isAuthServer === undefined || isAuthServer === false) {
 		if (response.status === 401) {
 			const wwwAuth = response.headers.get('www-authenticate');
@@ -206,14 +107,12 @@ const isUseDpopNonceError = async (response: Response, isAuthServer?: boolean):
 		}
 	}
 
-	// https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-server-provid
 	if (isAuthServer === undefined || isAuthServer === true) {
 		if (response.status === 400 && extractContentType(response.headers) === 'application/json') {
 			try {
 				const json = await response.clone().json();
 				return typeof json === 'object' && json?.['error'] === 'use_dpop_nonce';
 			} catch {
-				// Response too big (to be "use_dpop_nonce" error) or invalid JSON
 				return false;
 			}
 		}

package/lib/environment.ts

@@ -1,4 +1,4 @@
-import type { IdentityResolver } from './types/identity.js';
+import type { ActorResolver } from '@atcute/identity-resolver';
 
 import { createOAuthDatabase, type OAuthDatabase } from './store/db.js';
 import type { ClientAssertionFetcher } from './types/client-assertion.js';
@@ -10,7 +10,7 @@ export let fetchClientAssertion: ClientAssertionFetcher | undefined;
 
 export let database: OAuthDatabase;
 
-export let identityResolver: IdentityResolver;
+export let identityResolver: ActorResolver;
 
 export interface ConfigureOAuthOptions {
 	/**
@@ -22,7 +22,7 @@ export interface ConfigureOAuthOptions {
 	};
 
 	/** resolves actor identifiers into identity metadata */
-	identityResolver: IdentityResolver;
+	identityResolver: ActorResolver;
 
 	/**
 	 * optional function to fetch DPoP-bound client assertions from your backend.

package/lib/index.ts

@@ -3,17 +3,17 @@ export { configureOAuth, type ConfigureOAuthOptions } from './environment.js';
 export * from './errors.js';
 
 export * from './agents/exchange.js';
-export * from './agents/server-agent.js';
-export * from './agents/sessions.js';
+export {
+	getSession,
+	deleteStoredSession,
+	listStoredSessions,
+	type SessionGetOptions,
+} from './agents/sessions.js';
 export * from './agents/user-agent.js';
 
-export * from './types/client-assertion.js';
-export * from './types/client.js';
-export * from './types/dpop.js';
-export * from './types/identity.js';
-export * from './types/par.js';
-export * from './types/server.js';
-export * from './types/store.js';
-export * from './types/token.js';
-
-export * from './utils/identity-resolver.js';
+export type {
+	ClientAssertionCredentials,
+	ClientAssertionFetcher,
+	FetchClientAssertionParams,
+} from './types/client-assertion.js';
+export type { TokenInfo, ExchangeInfo, Session } from './types/token.js';

package/lib/resolvers.ts

@@ -1,15 +1,15 @@
+import type { ResolvedActor } from '@atcute/identity-resolver';
 import type { ActorIdentifier } from '@atcute/lexicons';
+import type { OAuthAuthorizationServerMetadata, OAuthProtectedResourceMetadata } from '@atcute/oauth-types';
 
 import { identityResolver } from './environment.js';
 import { ResolverError } from './errors.js';
-import type { ResolvedIdentity } from './types/identity.js';
-import type { AuthorizationServerMetadata, ProtectedResourceMetadata } from './types/server.js';
 import { extractContentType } from './utils/response.js';
 import { isValidUrl } from './utils/strings.js';
 
 export const resolveFromIdentifier = async (
 	ident: ActorIdentifier,
-): Promise<{ identity: ResolvedIdentity; metadata: AuthorizationServerMetadata }> => {
+): Promise<{ identity: ResolvedActor; metadata: OAuthAuthorizationServerMetadata }> => {
 	const identity = await identityResolver.resolve(ident);
 
 	return {
@@ -20,14 +20,14 @@ export const resolveFromIdentifier = async (
 
 export const resolveFromService = async (
 	host: string,
-): Promise<{ metadata: AuthorizationServerMetadata }> => {
+): Promise<{ metadata: OAuthAuthorizationServerMetadata }> => {
 	try {
 		const metadata = await getMetadataFromResourceServer(host);
 		return { metadata };
 	} catch (err) {
 		if (err instanceof ResolverError) {
 			try {
-				const metadata = await getAuthorizationServerMetadata(host);
+				const metadata = await getOAuthAuthorizationServerMetadata(host);
 				return { metadata };
 			} catch {}
 		}
@@ -36,7 +36,7 @@ export const resolveFromService = async (
 	}
 };
 
-const getProtectedResourceMetadata = async (host: string): Promise<ProtectedResourceMetadata> => {
+const getOAuthProtectedResourceMetadata = async (host: string): Promise<OAuthProtectedResourceMetadata> => {
 	const url = new URL(`/.well-known/oauth-protected-resource`, host);
 	const response = await fetch(url.href, {
 		redirect: 'manual',
@@ -49,7 +49,7 @@ const getProtectedResourceMetadata = async (host: string): Promise<ProtectedReso
 		throw new ResolverError(`unexpected response`);
 	}
 
-	const metadata = (await response.json()) as ProtectedResourceMetadata;
+	const metadata = (await response.json()) as OAuthProtectedResourceMetadata;
 	if (metadata.resource !== url.origin) {
 		throw new ResolverError(`unexpected issuer`);
 	}
@@ -57,7 +57,9 @@ const getProtectedResourceMetadata = async (host: string): Promise<ProtectedReso
 	return metadata;
 };
 
-const getAuthorizationServerMetadata = async (host: string): Promise<AuthorizationServerMetadata> => {
+const getOAuthAuthorizationServerMetadata = async (
+	host: string,
+): Promise<OAuthAuthorizationServerMetadata> => {
 	const url = new URL(`/.well-known/oauth-authorization-server`, host);
 	const response = await fetch(url.href, {
 		redirect: 'manual',
@@ -70,7 +72,7 @@ const getAuthorizationServerMetadata = async (host: string): Promise<Authorizati
 		throw new ResolverError(`unexpected response`);
 	}
 
-	const metadata = (await response.json()) as AuthorizationServerMetadata;
+	const metadata = (await response.json()) as OAuthAuthorizationServerMetadata;
 	if (metadata.issuer !== url.origin) {
 		throw new ResolverError(`unexpected issuer`);
 	}
@@ -93,7 +95,7 @@ const getAuthorizationServerMetadata = async (host: string): Promise<Authorizati
 };
 
 const getMetadataFromResourceServer = async (input: string) => {
-	const rs_metadata = await getProtectedResourceMetadata(input);
+	const rs_metadata = await getOAuthProtectedResourceMetadata(input);
 
 	if (rs_metadata.authorization_servers?.length !== 1) {
 		throw new ResolverError(`expected exactly one authorization server in the listing`);
@@ -101,7 +103,7 @@ const getMetadataFromResourceServer = async (input: string) => {
 
 	const issuer = rs_metadata.authorization_servers[0];
 
-	const as_metadata = await getAuthorizationServerMetadata(issuer);
+	const as_metadata = await getOAuthAuthorizationServerMetadata(issuer);
 
 	if (as_metadata.protected_resources) {
 		if (!as_metadata.protected_resources.includes(rs_metadata.resource)) {

package/lib/store/db.ts

@@ -1,9 +1,9 @@
 import type { Did } from '@atcute/lexicons';
+import type { DpopPrivateJwk } from '@atcute/oauth-crypto';
+import type { OAuthAuthorizationServerMetadata } from '@atcute/oauth-types';
 
-import type { DPoPKey } from '../types/dpop.js';
-import type { AuthorizationServerMetadata } from '../types/server.js';
 import type { SimpleStore } from '../types/store.js';
-import type { Session } from '../types/token.js';
+import type { RawSession } from '../types/token.js';
 import { locks } from '../utils/runtime.js';
 
 export interface OAuthDatabaseOptions {
@@ -19,7 +19,7 @@ interface SchemaItem<T> {
 interface Schema {
 	sessions: {
 		key: Did;
-		value: Session;
+		value: RawSession;
 		indexes: {
 			expiresAt: number;
 		};
@@ -27,8 +27,8 @@ interface Schema {
 	states: {
 		key: string;
 		value: {
-			dpopKey: DPoPKey;
-			metadata: AuthorizationServerMetadata;
+			dpopKey: DpopPrivateJwk;
+			metadata: OAuthAuthorizationServerMetadata;
 			verifier?: string;
 			state?: unknown;
 		};

package/lib/types/client-assertion.ts

@@ -6,18 +6,16 @@ export interface ClientAssertionCredentials {
 }
 
 export interface FetchClientAssertionParams {
-	/** JWK thumbprint of the DPoP key to bind the assertion to */
-	jkt: string;
 	/** authorization server issuer (audience for the assertion) */
 	aud: string;
-
 	/**
 	 * create a DPoP proof to prove you possess the key for the claimed jkt.
 	 *
 	 * @param htu origin and pathname to your backend
+	 * @param nonce optional DPoP nonce from the server
 	 * @returns DPoP proof that can be included in the assertion
 	 */
-	createDpopProof: (htu: string) => Promise<string>;
+	createDpopProof: (htu: string, nonce?: string) => Promise<string>;
 }
 
 export type ClientAssertionFetcher = (

package/lib/types/server.ts

@@ -1,62 +1,7 @@
-export interface ProtectedResourceMetadata {
-	resource: string;
-	jwks_uri?: string;
-	authorization_servers?: string[];
-	scopes_supported?: string[];
-	bearer_methods_supported?: ('header' | 'body' | 'query')[];
-	resource_signing_alg_values_supported?: string[];
-	resource_documentation?: string;
-	resource_policy_uri?: string;
-	resource_tos_uri?: string;
-}
-
-export interface AuthorizationServerMetadata {
-	issuer: string;
-	authorization_endpoint: string;
-	token_endpoint: string;
-	jwks_uri?: string;
-	scopes_supported?: string[];
-	claims_supported?: string[];
-	claims_locales_supported?: string[];
-	claims_parameter_supported?: boolean;
-	request_parameter_supported?: boolean;
-	request_uri_parameter_supported?: boolean;
-	require_request_uri_registration?: boolean;
-	subject_types_supported?: string[];
-	response_types_supported?: string[];
-	response_modes_supported?: string[];
-	grant_types_supported?: string[];
-	code_challenge_methods_supported?: string[];
-	ui_locales_supported?: string[];
-	id_token_signing_alg_values_supported?: string[];
-	display_values_supported?: string[];
-	request_object_signing_alg_values_supported?: string[];
-	authorization_response_iss_parameter_supported?: boolean;
-	authorization_details_types_supported?: string[];
-	request_object_encryption_alg_values_supported?: string[];
-	request_object_encryption_enc_values_supported?: string[];
-	token_endpoint_auth_methods_supported?: string[];
-	token_endpoint_auth_signing_alg_values_supported?: string[];
-	revocation_endpoint?: string;
-	revocation_endpoint_auth_methods_supported?: string[];
-	revocation_endpoint_auth_signing_alg_values_supported?: string[];
-	introspection_endpoint?: string;
-	introspection_endpoint_auth_methods_supported?: string[];
-	introspection_endpoint_auth_signing_alg_values_supported?: string[];
-	pushed_authorization_request_endpoint?: string;
-	pushed_authorization_request_endpoint_auth_methods_supported?: string[];
-	pushed_authorization_request_endpoint_auth_signing_alg_values_supported?: string[];
-	require_pushed_authorization_requests?: boolean;
-	userinfo_endpoint?: string;
-	end_session_endpoint?: string;
-	registration_endpoint?: string;
-	dpop_signing_alg_values_supported?: string[];
-	protected_resources?: string[];
-	client_id_metadata_document_supported?: boolean;
-}
+import type { OAuthAuthorizationServerMetadata } from '@atcute/oauth-types';
 
 export interface PersistedAuthorizationServerMetadata extends Pick<
-	AuthorizationServerMetadata,
+	OAuthAuthorizationServerMetadata,
 	| 'issuer'
 	| 'authorization_endpoint'
 	| 'introspection_endpoint'

package/lib/types/token.ts

@@ -1,29 +1,9 @@
 import type { Did } from '@atcute/lexicons';
+import type { DpopPrivateJwk } from '@atcute/oauth-crypto';
 
-import type { DPoPKey } from './dpop.js';
-import type { PersistedAuthorizationServerMetadata } from './server.js';
+import type { LegacyDpopKey } from '../utils/dpop-key.js';
 
-export interface OAuthTokenResponse {
-	access_token: string;
-	// Can be DPoP or Bearer, normalize casing.
-	token_type: string;
-	issuer?: string;
-	sub?: string;
-	scope?: string;
-	id_token?: `${string}.${string}.${string}`;
-	refresh_token?: string;
-	expires_in?: number;
-	authorization_details?:
-		| {
-				type: string;
-				locations?: string[];
-				actions?: string[];
-				datatypes?: string[];
-				identifier?: string;
-				privileges?: string[];
-		  }[]
-		| undefined;
-}
+import type { PersistedAuthorizationServerMetadata } from './server.js';
 
 export interface TokenInfo {
 	scope: string;
@@ -39,8 +19,14 @@ export interface ExchangeInfo {
 	server: PersistedAuthorizationServerMetadata;
 }
 
+export interface RawSession {
+	dpopKey: DpopPrivateJwk | LegacyDpopKey;
+	info: ExchangeInfo;
+	token: TokenInfo;
+}
+
 export interface Session {
-	dpopKey: DPoPKey;
+	dpopKey: DpopPrivateJwk;
 	info: ExchangeInfo;
 	token: TokenInfo;
 }

package/lib/utils/dpop-key.ts

@@ -0,0 +1,24 @@
+import { fromBase64Url } from '@atcute/multibase';
+import type { DpopPrivateJwk } from '@atcute/oauth-crypto';
+
+export interface LegacyDpopKey {
+	typ: 'ES256';
+	key: string;
+	jwt: string;
+	jkt?: string;
+}
+
+const ES256_ALG = { name: 'ECDSA', namedCurve: 'P-256' } as const;
+
+export const isLegacyDpopKey = (key: DpopPrivateJwk | LegacyDpopKey): key is LegacyDpopKey => {
+	return typeof (key as LegacyDpopKey).key === 'string' && typeof (key as LegacyDpopKey).jwt === 'string';
+};
+
+export const migrateLegacyDpopKey = async (key: LegacyDpopKey): Promise<DpopPrivateJwk> => {
+	const pkcs8 = fromBase64Url(key.key);
+	const cryptoKey = await crypto.subtle.importKey('pkcs8', pkcs8, ES256_ALG, true, ['sign']);
+	const jwk = (await crypto.subtle.exportKey('jwk', cryptoKey)) as DpopPrivateJwk;
+	jwk.alg = 'ES256';
+
+	return jwk;
+};

package/lib/utils/runtime.ts

@@ -1,23 +1 @@
-import { nanoid } from 'nanoid';
-
-import { toBase64Url } from '@atcute/multibase';
-import { encodeUtf8, toSha256 } from '@atcute/uint8array';
-
 export const locks: LockManager | undefined = typeof navigator !== 'undefined' ? navigator.locks : undefined;
-
-export const stringToSha256 = async (input: string): Promise<string> => {
-	const bytes = encodeUtf8(input);
-	const digest = await toSha256(bytes);
-
-	return toBase64Url(digest);
-};
-
-export const generatePKCE = async (): Promise<{ verifier: string; challenge: string; method: string }> => {
-	const verifier = nanoid(64);
-
-	return {
-		verifier: verifier,
-		challenge: await stringToSha256(verifier),
-		method: 'S256',
-	};
-};

package/package.json

@@ -1,7 +1,6 @@
 {
-  "type": "module",
   "name": "@atcute/oauth-browser-client",
-  "version": "2.0.3",
+  "version": "3.0.0",
   "description": "minimal OAuth browser client implementation for AT Protocol",
   "license": "0BSD",
   "repository": {
@@ -14,17 +13,22 @@
     "!lib/**/*.bench.ts",
     "!lib/**/*.test.ts"
   ],
+  "type": "module",
+  "sideEffects": false,
   "exports": {
     ".": "./dist/index.js"
   },
-  "sideEffects": false,
+  "publishConfig": {
+    "access": "public"
+  },
   "dependencies": {
     "nanoid": "^5.1.6",
-    "@atcute/client": "^4.1.1",
-    "@atcute/identity-resolver": "^1.2.0",
-    "@atcute/lexicons": "^1.2.5",
-    "@atcute/uint8array": "^1.0.6",
-    "@atcute/multibase": "^1.1.6"
+    "@atcute/client": "^4.2.1",
+    "@atcute/identity-resolver": "^1.2.2",
+    "@atcute/lexicons": "^1.2.7",
+    "@atcute/oauth-crypto": "^0.1.0",
+    "@atcute/multibase": "^1.1.7",
+    "@atcute/oauth-types": "^0.1.0"
   },
   "scripts": {
     "build": "tsgo --project tsconfig.build.json",

package/dist/types/client.d.ts

@@ -1,38 +0,0 @@
-export interface ClientMetadata {
-    redirect_uris: string[];
-    response_types: ('code' | 'token' | 'none' | 'code id_token token' | 'code id_token' | 'code token' | 'id_token token' | 'id_token')[];
-    grant_types: ('authorization_code' | 'implicit' | 'refresh_token' | 'password' | 'client_credentials' | 'urn:ietf:params:oauth:grant-type:jwt-bearer' | 'urn:ietf:params:oauth:grant-type:saml2-bearer')[];
-    scope?: string;
-    token_endpoint_auth_method?: 'none' | 'client_secret_basic' | 'client_secret_jwt' | 'client_secret_post' | 'private_key_jwt' | 'self_signed_tls_client_auth' | 'tls_client_auth';
-    token_endpoint_auth_signing_alg?: string;
-    introspection_endpoint_auth_method?: 'none' | 'client_secret_basic' | 'client_secret_jwt' | 'client_secret_post' | 'private_key_jwt' | 'self_signed_tls_client_auth' | 'tls_client_auth';
-    introspection_endpoint_auth_signing_alg?: string;
-    revocation_endpoint_auth_method?: 'none' | 'client_secret_basic' | 'client_secret_jwt' | 'client_secret_post' | 'private_key_jwt' | 'self_signed_tls_client_auth' | 'tls_client_auth';
-    revocation_endpoint_auth_signing_alg?: string;
-    pushed_authorization_request_endpoint_auth_method?: 'none' | 'client_secret_basic' | 'client_secret_jwt' | 'client_secret_post' | 'private_key_jwt' | 'self_signed_tls_client_auth' | 'tls_client_auth';
-    pushed_authorization_request_endpoint_auth_signing_alg?: string;
-    userinfo_signed_response_alg?: string;
-    userinfo_encrypted_response_alg?: string;
-    jwks_uri?: string;
-    jwks?: unknown;
-    application_type?: 'web' | 'native';
-    subject_type?: 'public' | 'pairwise';
-    request_object_signing_alg?: string;
-    id_token_signed_response_alg?: string;
-    authorization_signed_response_alg?: string;
-    authorization_encrypted_response_enc?: 'A128CBC-HS256';
-    authorization_encrypted_response_alg?: string;
-    client_id?: string;
-    client_name?: string;
-    client_uri?: string;
-    policy_uri?: string;
-    tos_uri?: string;
-    logo_uri?: string;
-    default_max_age?: number;
-    require_auth_time?: boolean;
-    contacts?: string[];
-    tls_client_certificate_bound_access_tokens?: boolean;
-    dpop_bound_access_tokens?: boolean;
-    authorization_details_types?: string[];
-}
-//# sourceMappingURL=client.d.ts.map

package/dist/types/client.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../lib/types/client.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,cAAc,EAAE,CACb,MAAM,GACN,OAAO,GACP,MAAM,GACN,qBAAqB,GACrB,eAAe,GACf,YAAY,GACZ,gBAAgB,GAChB,UAAU,CACZ,EAAE,CAAC;IACJ,WAAW,EAAE,CACV,oBAAoB,GACpB,UAAU,GACV,eAAe,GACf,UAAU,GACV,oBAAoB,GACpB,6CAA6C,GAC7C,+CAA+C,CACjD,EAAE,CAAC;IACJ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,0BAA0B,CAAC,EACxB,MAAM,GACN,qBAAqB,GACrB,mBAAmB,GACnB,oBAAoB,GACpB,iBAAiB,GACjB,6BAA6B,GAC7B,iBAAiB,CAAC;IACrB,+BAA+B,CAAC,EAAE,MAAM,CAAC;IACzC,kCAAkC,CAAC,EAChC,MAAM,GACN,qBAAqB,GACrB,mBAAmB,GACnB,oBAAoB,GACpB,iBAAiB,GACjB,6BAA6B,GAC7B,iBAAiB,CAAC;IACrB,uCAAuC,CAAC,EAAE,MAAM,CAAC;IACjD,+BAA+B,CAAC,EAC7B,MAAM,GACN,qBAAqB,GACrB,mBAAmB,GACnB,oBAAoB,GACpB,iBAAiB,GACjB,6BAA6B,GAC7B,iBAAiB,CAAC;IACrB,oCAAoC,CAAC,EAAE,MAAM,CAAC;IAC9C,iDAAiD,CAAC,EAC/C,MAAM,GACN,qBAAqB,GACrB,mBAAmB,GACnB,oBAAoB,GACpB,iBAAiB,GACjB,6BAA6B,GAC7B,iBAAiB,CAAC;IACrB,sDAAsD,CAAC,EAAE,MAAM,CAAC;IAChE,4BAA4B,CAAC,EAAE,MAAM,CAAC;IACtC,+BAA+B,CAAC,EAAE,MAAM,CAAC;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,gBAAgB,CAAC,EAAE,KAAK,GAAG,QAAQ,CAAC;IACpC,YAAY,CAAC,EAAE,QAAQ,GAAG,UAAU,CAAC;IACrC,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,4BAA4B,CAAC,EAAE,MAAM,CAAC;IACtC,iCAAiC,CAAC,EAAE,MAAM,CAAC;IAC3C,oCAAoC,CAAC,EAAE,eAAe,CAAC;IACvD,oCAAoC,CAAC,EAAE,MAAM,CAAC;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,0CAA0C,CAAC,EAAE,OAAO,CAAC;IACrD,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC;CACvC"}

package/dist/types/client.js

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=client.js.map

package/dist/types/client.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../../lib/types/client.ts"],"names":[],"mappings":""}