@atcute/oauth-types 0.1.0 → 1.0.0

package/lib/schemas/atcute-public-client-metadata.ts

@@ -0,0 +1,101 @@
+import * as v from 'valibot';
+
+import { scopeSchema } from './atcute-client-shared.ts';
+import { oauthClientIdDiscoverableSchema } from './oauth-client-id-discoverable.ts';
+import { loopbackRedirectUriSchema, oauthRedirectUriSchema } from './oauth-redirect-uri.ts';
+import { nonLocalWebUriSchema, webUriSchema } from './uri.ts';
+
+const redirectUrisSchema = v.pipe(
+	v.array(oauthRedirectUriSchema),
+	v.minLength(1, `must have at least one redirect URI`),
+	v.checkItems((uri) => {
+		// private-use URIs don't have URL-style credentials
+		if (!uri.includes('://')) {
+			return true;
+		}
+		const url = new URL(uri);
+		return !url.username && !url.password;
+	}, `redirect URI must not contain credentials`),
+);
+
+const loopbackRedirectUrisSchema = v.pipe(
+	redirectUrisSchema,
+	v.checkItems(
+		(uri) => v.is(loopbackRedirectUriSchema, uri),
+		`loopback clients require loopback redirect URIs (127.0.0.1 or [::1])`,
+	),
+);
+
+/**
+ * user-facing client metadata for configuring a loopback public OAuth client.
+ *
+ * loopback clients are for localhost development and CLI tools. they use
+ * `http://localhost` as the client_id origin, which is built automatically
+ * from the redirect_uris and scope.
+ */
+export const loopbackClientMetadataSchema = v.looseObject({
+	/** must not be provided for loopback clients */
+	client_id: v.optional(v.undefined()),
+
+	/**
+	 * redirect URIs for authorization responses.
+	 *
+	 * must be loopback IP addresses (127.0.0.1 or [::1]).
+	 * per RFC 8252, port numbers are ignored during redirect URI matching,
+	 * allowing ephemeral ports.
+	 */
+	redirect_uris: loopbackRedirectUrisSchema,
+
+	/** OAuth scope (must include "atproto") */
+	scope: scopeSchema,
+});
+
+export type LoopbackClientMetadata = v.InferOutput<typeof loopbackClientMetadataSchema>;
+
+/**
+ * user-facing client metadata for configuring a discoverable public OAuth client.
+ *
+ * discoverable public clients have an HTTPS client_id URL where metadata is hosted,
+ * but don't use a keyset (token_endpoint_auth_method: 'none').
+ */
+export const discoverablePublicClientMetadataSchema = v.looseObject({
+	/** discoverable HTTPS client_id URL */
+	client_id: oauthClientIdDiscoverableSchema,
+
+	/** redirect URIs for authorization responses */
+	redirect_uris: redirectUrisSchema,
+
+	/** OAuth scope (must include "atproto") */
+	scope: scopeSchema,
+
+	/**
+	 * application type - defaults to 'web'.
+	 */
+	application_type: v.optional(v.picklist(['web', 'native'])),
+
+	/** optional client homepage */
+	client_uri: v.optional(webUriSchema),
+	/** optional display name */
+	client_name: v.optional(v.string()),
+	/** optional policy url */
+	policy_uri: v.optional(nonLocalWebUriSchema),
+	/** optional terms of service url */
+	tos_uri: v.optional(nonLocalWebUriSchema),
+	/** optional logo url */
+	logo_uri: v.optional(nonLocalWebUriSchema),
+});
+
+export type DiscoverablePublicClientMetadata = v.InferOutput<typeof discoverablePublicClientMetadataSchema>;
+
+/**
+ * user-facing client metadata for configuring a public OAuth client.
+ *
+ * - if `client_id` is omitted: loopback client (for localhost dev / CLI tools)
+ * - if `client_id` is provided: discoverable public client (HTTPS URL)
+ */
+export const publicClientMetadataSchema = v.union([
+	loopbackClientMetadataSchema,
+	discoverablePublicClientMetadataSchema,
+]);
+
+export type PublicClientMetadata = v.InferOutput<typeof publicClientMetadataSchema>;

package/lib/schemas/atproto-authorization-server-metadata.ts

@@ -1,32 +1,31 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { oauthAuthorizationServerMetadataValidator } from './oauth-authorization-server-metadata.js';
+import { oauthAuthorizationServerMetadataValidator } from './oauth-authorization-server-metadata.ts';
 
 /**
  * AT Protocol authorization server metadata with required fields and assertions.
  *
  * @see {@link https://atproto.com/specs/oauth}
  */
-export const atprotoAuthorizationServerMetadataValidator = oauthAuthorizationServerMetadataValidator.chain(
-	(data) => {
-		// atproto requires client_id_metadata_document support
-		if (data.client_id_metadata_document_supported !== true) {
-			return v.err({
-				message: `atproto requires client_id_metadata_document_supported to be true`,
-				path: ['client_id_metadata_document_supported'],
-			});
-		}
-
-		// atproto requires PAR
-		if (!data.pushed_authorization_request_endpoint) {
-			return v.err({
-				message: `atproto requires pushed_authorization_request_endpoint to be true`,
-				path: ['pushed_authorization_request_endpoint'],
-			});
-		}
-
-		return v.ok(data as typeof data & { pushed_authorization_request_endpoint: string });
-	},
+export const atprotoAuthorizationServerMetadataValidator = v.pipe(
+	oauthAuthorizationServerMetadataValidator,
+	v.forward(
+		v.check(
+			(data) => data.client_id_metadata_document_supported === true,
+			`atproto requires client_id_metadata_document_supported to be true`,
+		),
+		['client_id_metadata_document_supported'],
+	),
+	v.forward(
+		v.check(
+			(data) => !!data.pushed_authorization_request_endpoint,
+			`atproto requires pushed_authorization_request_endpoint to be true`,
+		),
+		['pushed_authorization_request_endpoint'],
+	),
+	v.transform((data) => data as typeof data & { pushed_authorization_request_endpoint: string }),
 );
 
-export type AtprotoAuthorizationServerMetadata = v.Infer<typeof atprotoAuthorizationServerMetadataValidator>;
+export type AtprotoAuthorizationServerMetadata = v.InferOutput<
+	typeof atprotoAuthorizationServerMetadataValidator
+>;

package/lib/schemas/atproto-oauth-scope.ts

@@ -1,7 +1,7 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { isOAuthScope } from './oauth-scope.js';
-import { isSpaceSeparatedValue } from './utils.js';
+import { isOAuthScope } from './oauth-scope.ts';
+import { isSpaceSeparatedValue } from './utils.ts';
 
 export const ATPROTO_SCOPE_VALUE = 'atproto';
 
@@ -10,9 +10,12 @@ const isAtprotoOAuthScope = (input: string): boolean => {
 };
 
 /** atproto OAuth scope (must include "atproto") */
-export const atprotoOAuthScopeSchema = v.string().assert(isAtprotoOAuthScope, `invalid atproto OAuth scope`);
+export const atprotoOAuthScopeSchema = v.pipe(
+	v.string(),
+	v.check(isAtprotoOAuthScope, `invalid atproto OAuth scope`),
+);
 
-export type AtprotoOAuthScope = v.Infer<typeof atprotoOAuthScopeSchema>;
+export type AtprotoOAuthScope = v.InferOutput<typeof atprotoOAuthScopeSchema>;
 
 /** default scope is for reading identity (did) only */
 export const DEFAULT_ATPROTO_OAUTH_SCOPE: AtprotoOAuthScope = ATPROTO_SCOPE_VALUE;

package/lib/schemas/atproto-oauth-token-response.ts

@@ -1,20 +1,21 @@
 import { isAtprotoDid } from '@atcute/identity';
+import type { Did } from '@atcute/lexicons/syntax';
 
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { atprotoOAuthScopeSchema } from './atproto-oauth-scope.js';
-import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.js';
+import { atprotoOAuthScopeSchema } from './atproto-oauth-scope.ts';
+import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.ts';
 
-export const atprotoOAuthTokenResponseSchema = v.object({
+export const atprotoOAuthTokenResponseSchema = v.looseObject({
 	access_token: v.string(),
 	token_type: v.literal('DPoP'),
-	sub: v.string().assert(isAtprotoDid, `must be a did:plc or did:web`),
+	sub: v.custom<Did>(isAtprotoDid, `must be a did:plc or did:web`),
 	scope: atprotoOAuthScopeSchema,
-	refresh_token: v.string().optional(),
-	expires_in: v.number().optional(),
+	refresh_token: v.optional(v.string()),
+	expires_in: v.optional(v.number()),
 	// https://datatracker.ietf.org/doc/html/rfc9396#name-enriched-authorization-deta
-	authorization_details: oauthAuthorizationDetailsSchema.optional(),
+	authorization_details: v.optional(oauthAuthorizationDetailsSchema),
 	// OpenID is not compatible with atproto identities
 });
 
-export type AtprotoOAuthTokenResponse = v.Infer<typeof atprotoOAuthTokenResponseSchema>;
+export type AtprotoOAuthTokenResponse = v.InferOutput<typeof atprotoOAuthTokenResponseSchema>;

package/lib/schemas/atproto-protected-resource-metadata.ts

@@ -1,24 +1,24 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { oauthProtectedResourceMetadataValidator } from './oauth-protected-resource-metadata.js';
+import { oauthProtectedResourceMetadataValidator } from './oauth-protected-resource-metadata.ts';
 
 /**
  * AT Protocol protected resource metadata with required fields.
  *
  * @see {@link https://atproto.com/specs/oauth}
  */
-export const atprotoProtectedResourceMetadataValidator = oauthProtectedResourceMetadataValidator.chain(
-	(data) => {
-		// atproto requires exactly one authorization server
-		if (data.authorization_servers?.length !== 1) {
-			return v.err({
-				message: `atproto requires exactly one authorization server`,
-				path: ['authorization_servers'],
-			});
-		}
-
-		return v.ok(data as typeof data & { authorization_servers: [string] });
-	},
+export const atprotoProtectedResourceMetadataValidator = v.pipe(
+	oauthProtectedResourceMetadataValidator,
+	v.forward(
+		v.check(
+			(data) => data.authorization_servers?.length === 1,
+			`atproto requires exactly one authorization server`,
+		),
+		['authorization_servers'],
+	),
+	v.transform((data) => data as typeof data & { authorization_servers: [string] }),
 );
 
-export type AtprotoProtectedResourceMetadata = v.Infer<typeof atprotoProtectedResourceMetadataValidator>;
+export type AtprotoProtectedResourceMetadata = v.InferOutput<
+	typeof atprotoProtectedResourceMetadataValidator
+>;

package/lib/schemas/jwk.ts

@@ -1,6 +1,6 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { isLastOccurrence } from './utils.js';
+import { isLastOccurrence } from './utils.ts';
 
 // key usage constants
 const PUBLIC_KEY_USAGE = ['verify', 'encrypt', 'wrapKey'] as const;
@@ -20,107 +20,94 @@ const isPrivateKeyUsage = (usage: unknown): usage is (typeof PRIVATE_KEY_USAGE)[
 const isSigKeyUsage = (v: InternalKeyUsage): boolean => v === 'verify';
 const isEncKeyUsage = (v: InternalKeyUsage): boolean => v === 'encrypt' || v === 'wrapKey';
 
-export const keyUsageSchema = v.union(
-	v.literal('verify'),
-	v.literal('encrypt'),
-	v.literal('wrapKey'),
-	v.literal('sign'),
-	v.literal('decrypt'),
-	v.literal('unwrapKey'),
-	v.literal('deriveKey'),
-	v.literal('deriveBits'),
-);
+export const keyUsageSchema = v.picklist(KEY_USAGE);
 
-export const publicKeyUsageSchema = v.union(v.literal('verify'), v.literal('encrypt'), v.literal('wrapKey'));
+export const publicKeyUsageSchema = v.picklist(PUBLIC_KEY_USAGE);
 
-const jwkBaseSchema = v.object({
+const jwkBaseEntries = {
 	kty: v.string(),
-	alg: v.string().optional(),
-	kid: v.string().optional(),
-	use: v.union(v.literal('sig'), v.literal('enc')).optional(),
-	key_ops: v.array(keyUsageSchema).optional(),
+	alg: v.optional(v.string()),
+	kid: v.optional(v.string()),
+	use: v.optional(v.picklist(['sig', 'enc'])),
+	key_ops: v.optional(v.array(keyUsageSchema)),
 
 	// X.509
-	x5c: v.array(v.string()).optional(),
-	x5t: v.string().optional(),
-	'x5t#S256': v.string().optional(),
-	x5u: v.string().optional(),
+	x5c: v.optional(v.array(v.string())),
+	x5t: v.optional(v.string()),
+	'x5t#S256': v.optional(v.string()),
+	x5u: v.optional(v.string()),
 
 	// WebCrypto
-	ext: v.boolean().optional(),
+	ext: v.optional(v.boolean()),
 
 	// Federation Historical Keys Response
-	iat: v.number().optional(),
-	exp: v.number().optional(),
-	nbf: v.number().optional(),
-	revoked: v
-		.object({
+	iat: v.optional(v.number()),
+	exp: v.optional(v.number()),
+	nbf: v.optional(v.number()),
+	revoked: v.optional(
+		v.looseObject({
 			revoked_at: v.number(),
-			reason: v.string().optional(),
-		})
-		.optional(),
-});
+			reason: v.optional(v.string()),
+		}),
+	),
+};
 
-const jwkRsaKeySchema = jwkBaseSchema.extend({
+const jwkRsaKeySchema = v.looseObject({
+	...jwkBaseEntries,
 	kty: v.literal('RSA'),
-	alg: v
-		.union(
-			v.literal('RS256'),
-			v.literal('RS384'),
-			v.literal('RS512'),
-			v.literal('PS256'),
-			v.literal('PS384'),
-			v.literal('PS512'),
-		)
-		.optional(),
+	alg: v.optional(v.picklist(['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512'])),
 	n: v.string(),
 	e: v.string(),
-	d: v.string().optional(),
-	p: v.string().optional(),
-	q: v.string().optional(),
-	dp: v.string().optional(),
-	dq: v.string().optional(),
-	qi: v.string().optional(),
-	oth: v
-		.array(
-			v.object({
-				r: v.string().optional(),
-				d: v.string().optional(),
-				t: v.string().optional(),
+	d: v.optional(v.string()),
+	p: v.optional(v.string()),
+	q: v.optional(v.string()),
+	dp: v.optional(v.string()),
+	dq: v.optional(v.string()),
+	qi: v.optional(v.string()),
+	oth: v.optional(
+		v.array(
+			v.looseObject({
+				r: v.optional(v.string()),
+				d: v.optional(v.string()),
+				t: v.optional(v.string()),
 			}),
-		)
-		.optional(),
+		),
+	),
 });
 
-const jwkEcKeySchema = jwkBaseSchema.extend({
+const jwkEcKeySchema = v.looseObject({
+	...jwkBaseEntries,
 	kty: v.literal('EC'),
-	alg: v.union(v.literal('ES256'), v.literal('ES384'), v.literal('ES512')).optional(),
-	crv: v.union(v.literal('P-256'), v.literal('P-384'), v.literal('P-521')),
+	alg: v.optional(v.picklist(['ES256', 'ES384', 'ES512'])),
+	crv: v.picklist(['P-256', 'P-384', 'P-521']),
 	x: v.string(),
 	y: v.string(),
-	d: v.string().optional(),
+	d: v.optional(v.string()),
 });
 
-const jwkEcSecp256k1KeySchema = jwkBaseSchema.extend({
+const jwkEcSecp256k1KeySchema = v.looseObject({
+	...jwkBaseEntries,
 	kty: v.literal('EC'),
-	alg: v.literal('ES256K').optional(),
+	alg: v.optional(v.literal('ES256K')),
 	crv: v.literal('secp256k1'),
 	x: v.string(),
 	y: v.string(),
-	d: v.string().optional(),
+	d: v.optional(v.string()),
 });
 
-const jwkOkpKeySchema = jwkBaseSchema.extend({
+const jwkOkpKeySchema = v.looseObject({
+	...jwkBaseEntries,
 	kty: v.literal('OKP'),
-	alg: v.literal('EdDSA').optional(),
-	crv: v.union(v.literal('Ed25519'), v.literal('Ed448')),
+	alg: v.optional(v.literal('EdDSA')),
+	crv: v.picklist(['Ed25519', 'Ed448']),
 	x: v.string(),
-	d: v.string().optional(),
+	d: v.optional(v.string()),
 });
 
-const jwkSymKeySchema = jwkBaseSchema.extend({
+const jwkSymKeySchema = v.looseObject({
+	...jwkBaseEntries,
 	kty: v.literal('oct'),
-	alg: v.union(v.literal('HS256'), v.literal('HS384'), v.literal('HS512')).optional(),
+	alg: v.optional(v.picklist(['HS256', 'HS384', 'HS512'])),
 	k: v.string(),
 });
 
@@ -133,57 +120,54 @@ const isPublicJwk = <J extends object>(jwk: J): boolean => {
 };
 
 /** JWK schema for known key types */
-export const jwkSchema = v
-	.union(jwkRsaKeySchema, jwkEcKeySchema, jwkEcSecp256k1KeySchema, jwkOkpKeySchema, jwkSymKeySchema)
-	.chain((k) => {
-		// "use" can only be used with public keys
-		if (k.use != null && !isPublicJwk(k)) {
-			return v.err({ message: `"use" can only be used with public keys`, path: ['use'] });
-		}
-
-		// private key usage not allowed for public keys
-		if (k.key_ops?.some(isPrivateKeyUsage) && isPublicJwk(k)) {
-			return v.err({ message: `private key usage not allowed for public keys`, path: ['key_ops'] });
-		}
-
-		// key_ops must not contain duplicates
-		if (k.key_ops && !k.key_ops.every(isLastOccurrence)) {
-			return v.err({ message: `key_ops must not contain duplicates`, path: ['key_ops'] });
-		}
-
-		// "use" and "key_ops" must be consistent
-		if (k.use != null && k.key_ops != null) {
-			const consistent =
-				(k.use === 'sig' && k.key_ops.every(isSigKeyUsage)) ||
-				(k.use === 'enc' && k.key_ops.every(isEncKeyUsage));
-			if (!consistent) {
-				return v.err({ message: `"key_ops" must be consistent with "use"`, path: ['key_ops'] });
+export const jwkSchema = v.pipe(
+	v.union([jwkRsaKeySchema, jwkEcKeySchema, jwkEcSecp256k1KeySchema, jwkOkpKeySchema, jwkSymKeySchema]),
+	v.forward(
+		v.check((k) => k.use == null || isPublicJwk(k), `"use" can only be used with public keys`),
+		['use'],
+	),
+	v.forward(
+		v.check(
+			(k) => !(k.key_ops?.some(isPrivateKeyUsage) && isPublicJwk(k)),
+			`private key usage not allowed for public keys`,
+		),
+		['key_ops'],
+	),
+	v.forward(
+		v.check((k) => !k.key_ops || k.key_ops.every(isLastOccurrence), `key_ops must not contain duplicates`),
+		['key_ops'],
+	),
+	v.forward(
+		v.check((k) => {
+			if (k.use == null || k.key_ops == null) {
+				return true;
 			}
-		}
-
-		return v.ok(k);
-	});
+			return (
+				(k.use === 'sig' && k.key_ops.every(isSigKeyUsage)) ||
+				(k.use === 'enc' && k.key_ops.every(isEncKeyUsage))
+			);
+		}, `"key_ops" must be consistent with "use"`),
+		['key_ops'],
+	),
+);
 
 /** public JWK schema (kid required, no private keys) */
-export const jwkPubSchema = jwkSchema.chain((k) => {
-	if (k.kid == null) {
-		return v.err({ message: `"kid" is required`, path: ['kid'] });
-	}
-
-	if (!isPublicJwk(k)) {
-		return v.err({ message: `private key not allowed` });
-	}
-
-	if (k.key_ops && !k.key_ops.every(isPublicKeyUsage)) {
-		return v.err({
-			message: `"key_ops" must not contain private key usage for public keys`,
-			path: ['key_ops'],
-		});
-	}
-
-	return v.ok(k);
-});
+export const jwkPubSchema = v.pipe(
+	jwkSchema,
+	v.forward(
+		v.check((k) => k.kid != null, `"kid" is required`),
+		['kid'],
+	),
+	v.check((k) => isPublicJwk(k), `private key not allowed`),
+	v.forward(
+		v.check(
+			(k) => !k.key_ops || k.key_ops.every(isPublicKeyUsage),
+			`"key_ops" must not contain private key usage for public keys`,
+		),
+		['key_ops'],
+	),
+);
 
-export type KeyUsage = v.Infer<typeof keyUsageSchema>;
-export type Jwk = v.Infer<typeof jwkSchema>;
-export type JwkPub = v.Infer<typeof jwkPubSchema>;
+export type KeyUsage = v.InferOutput<typeof keyUsageSchema>;
+export type Jwk = v.InferOutput<typeof jwkSchema>;
+export type JwkPub = v.InferOutput<typeof jwkPubSchema>;

package/lib/schemas/jwks.ts

@@ -1,45 +1,33 @@
-import * as v from '@badrap/valita';
-
-import { jwkPubSchema, jwkSchema, type Jwk, type JwkPub } from './jwk.js';
-
-/** JWKS (JSON Web Key Set) */
-export const jwksSchema = v.object({
-	keys: v.array(v.unknown()).chain((input, options) => {
-		// implementations SHOULD ignore JWKs within a JWK Set that use "kty"
-		// values that are not understood, are missing required members, or
-		// have values out of the supported ranges.
-		const keys: Jwk[] = [];
-
-		for (const item of input) {
-			const result = jwkSchema.try(item, options);
-			if (!result.ok) {
-				continue;
-			}
-
-			keys.push(result.value);
-		}
-
-		return v.ok(keys);
-	}),
+import * as v from 'valibot';
+
+import { jwkPubSchema, jwkSchema, type Jwk, type JwkPub } from './jwk.ts';
+
+/** JWKS (JSON Web Key Set). implementations SHOULD ignore JWKs within a JWK Set that use unknown
+ * `kty` values, are missing required members, or have values out of the supported ranges. */
+export const jwksSchema = v.looseObject({
+	keys: v.pipe(
+		v.array(v.unknown()),
+		v.transform((input): Jwk[] =>
+			input.flatMap((entry) => {
+				const result = v.safeParse(jwkSchema, entry);
+				return result.success ? [result.output] : [];
+			}),
+		),
+	),
 });
 
 /** public JWKS (JSON Web Key Set with only public keys) */
-export const jwksPubSchema = v.object({
-	keys: v.array(v.unknown()).chain((input, options) => {
-		const keys: JwkPub[] = [];
-
-		for (const item of input) {
-			const result = jwkPubSchema.try(item, options);
-			if (!result.ok) {
-				continue;
-			}
-
-			keys.push(result.value);
-		}
-
-		return v.ok(keys);
-	}),
+export const jwksPubSchema = v.looseObject({
+	keys: v.pipe(
+		v.array(v.unknown()),
+		v.transform((input): JwkPub[] =>
+			input.flatMap((entry) => {
+				const result = v.safeParse(jwkPubSchema, entry);
+				return result.success ? [result.output] : [];
+			}),
+		),
+	),
 });
 
-export type Jwks = v.Infer<typeof jwksSchema>;
-export type JwksPub = v.Infer<typeof jwksPubSchema>;
+export type Jwks = v.InferOutput<typeof jwksSchema>;
+export type JwksPub = v.InferOutput<typeof jwksPubSchema>;

package/lib/schemas/oauth-authorization-details.ts

@@ -1,43 +1,43 @@
-import * as v from '@badrap/valita';
+import * as v from 'valibot';
 
-import { urlSchema } from './uri.js';
+import { urlSchema } from './uri.ts';
 
 /**
  * @see {@link https://datatracker.ietf.org/doc/html/rfc9396#section-2 | RFC 9396, Section 2}
  */
-export const oauthAuthorizationDetailSchema = v.object({
+export const oauthAuthorizationDetailSchema = v.looseObject({
 	type: v.string(),
 	/**
 	 * an array of strings representing the location of the resource or RS. these
 	 * strings are typically URIs identifying the location of the RS.
 	 */
-	locations: v.array(urlSchema).optional(),
+	locations: v.optional(v.array(urlSchema)),
 	/**
 	 * an array of strings representing the kinds of actions to be taken at the
 	 * resource.
 	 */
-	actions: v.array(v.string()).optional(),
+	actions: v.optional(v.array(v.string())),
 	/**
 	 * an array of strings representing the kinds of data being requested from the
 	 * resource.
 	 */
-	datatypes: v.array(v.string()).optional(),
+	datatypes: v.optional(v.array(v.string())),
 	/**
 	 * a string identifier indicating a specific resource available at the API.
 	 */
-	identifier: v.string().optional(),
+	identifier: v.optional(v.string()),
 	/**
 	 * an array of strings representing the types or levels of privilege being
 	 * requested at the resource.
 	 */
-	privileges: v.array(v.string()).optional(),
+	privileges: v.optional(v.array(v.string())),
 });
 
-export type OAuthAuthorizationDetail = v.Infer<typeof oauthAuthorizationDetailSchema>;
+export type OAuthAuthorizationDetail = v.InferOutput<typeof oauthAuthorizationDetailSchema>;
 
 /**
  * @see {@link https://datatracker.ietf.org/doc/html/rfc9396#section-2 | RFC 9396, Section 2}
  */
 export const oauthAuthorizationDetailsSchema = v.array(oauthAuthorizationDetailSchema);
 
-export type OAuthAuthorizationDetails = v.Infer<typeof oauthAuthorizationDetailsSchema>;
+export type OAuthAuthorizationDetails = v.InferOutput<typeof oauthAuthorizationDetailsSchema>;