@atproto/oauth-client 0.3.21 → 0.4.0

package/dist/validate-client-metadata.js

@@ -2,23 +2,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validateClientMetadata = validateClientMetadata;
 const oauth_types_1 = require("@atproto/oauth-types");
+const constants_js_1 = require("./constants.js");
 const types_js_1 = require("./types.js");
-const TOKEN_ENDPOINT_AUTH_METHOD = `token_endpoint_auth_method`;
-const TOKEN_ENDPOINT_AUTH_SIGNING_ALG = `token_endpoint_auth_signing_alg`;
 function validateClientMetadata(input, keyset) {
-    if (input.jwks) {
-        if (!keyset) {
-            throw new TypeError(`Keyset must not be provided when jwks is provided`);
-        }
-        for (const key of input.jwks.keys) {
-            if (!key.kid) {
-                throw new TypeError(`Key must have a "kid" property`);
-            }
-            else if (!keyset.has(key.kid)) {
-                throw new TypeError(`Key with kid "${key.kid}" not found in keyset`);
-            }
-        }
-    }
     // Allow to pass a keyset and omit the jwks/jwks_uri properties
     if (!input.jwks && !input.jwks_uri && keyset?.size) {
         input = { ...input, jwks: keyset.toJSON() };
@@ -41,25 +27,45 @@ function validateClientMetadata(input, keyset) {
     if (!metadata.grant_types.includes('authorization_code')) {
         throw new TypeError(`"grant_types" must include "authorization_code"`);
     }
-    const method = metadata[TOKEN_ENDPOINT_AUTH_METHOD];
+    const method = metadata.token_endpoint_auth_method;
+    const methodAlg = metadata.token_endpoint_auth_signing_alg;
     switch (method) {
-        case undefined:
-            throw new TypeError(`${TOKEN_ENDPOINT_AUTH_METHOD} must be provided`);
         case 'none':
-            if (metadata[TOKEN_ENDPOINT_AUTH_SIGNING_ALG]) {
-                throw new TypeError(`${TOKEN_ENDPOINT_AUTH_SIGNING_ALG} must not be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`);
+            if (methodAlg) {
+                throw new TypeError(`"token_endpoint_auth_signing_alg" must not be provided when "token_endpoint_auth_method" is "${method}"`);
             }
             break;
-        case 'private_key_jwt':
-            if (!keyset?.size) {
-                throw new TypeError(`A non-empty keyset must be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`);
+        case 'private_key_jwt': {
+            if (!methodAlg) {
+                throw new TypeError(`"token_endpoint_auth_signing_alg" must be provided when "token_endpoint_auth_method" is "${method}"`);
             }
-            if (!metadata[TOKEN_ENDPOINT_AUTH_SIGNING_ALG]) {
-                throw new TypeError(`${TOKEN_ENDPOINT_AUTH_SIGNING_ALG} must be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`);
+            const signingKeys = keyset
+                ? Array.from(keyset.list({ use: 'sig' })).filter((key) => key.isPrivate && key.kid)
+                : null;
+            if (!signingKeys?.some((key) => key.algorithms.includes(constants_js_1.FALLBACK_ALG))) {
+                throw new TypeError(`Client authentication method "${method}" requires at least one "${constants_js_1.FALLBACK_ALG}" signing key with a "kid" property`);
+            }
+            if (metadata.jwks) {
+                // Ensure that all the signing keys that could end-up being used are
+                // advertised in the JWKS.
+                for (const key of signingKeys) {
+                    if (!metadata.jwks.keys.some((k) => k.kid === key.kid)) {
+                        throw new TypeError(`Key with kid "${key.kid}" not found in jwks`);
+                    }
+                }
+            }
+            else if (metadata.jwks_uri) {
+                // @NOTE we only ensure that all the signing keys are referenced in JWKS
+                // when it is available (see previous "if") as we don't want to download
+                // that file here (for efficiency reasons).
+            }
+            else {
+                throw new TypeError(`Client authentication method "${method}" requires a JWKS`);
             }
             break;
+        }
         default:
-            throw new TypeError(`Invalid "token_endpoint_auth_method" value: ${method}`);
+            throw new TypeError(`Unsupported "token_endpoint_auth_method" value: ${method}`);
     }
     return metadata;
 }

package/dist/validate-client-metadata.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate-client-metadata.js","sourceRoot":"","sources":["../src/validate-client-metadata.ts"],"names":[],"mappings":";;AAWA,wDA0EC;AApFD,sDAI6B;AAC7B,yCAAiE;AAEjE,MAAM,0BAA0B,GAAG,4BAA4B,CAAA;AAC/D,MAAM,+BAA+B,GAAG,iCAAiC,CAAA;AAEzE,SAAgB,sBAAsB,CACpC,KAA+B,EAC/B,MAAe;IAEf,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QACf,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,SAAS,CAAC,mDAAmD,CAAC,CAAA;QAC1E,CAAC;QACD,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAClC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,SAAS,CAAC,gCAAgC,CAAC,CAAA;YACvD,CAAC;iBAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,SAAS,CAAC,iBAAiB,GAAG,CAAC,GAAG,uBAAuB,CAAC,CAAA;YACtE,CAAC;QACH,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;QACnD,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,EAAE,CAAA;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,+BAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAElD,qBAAqB;IACrB,IAAI,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,IAAA,yCAA2B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACjD,CAAC;SAAM,CAAC;QACN,IAAA,6CAA+B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACrD,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IACzC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,kDAAkD,CAAC,CAAA;IACzE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,0BAA0B,CAAC,CAAA;IACnD,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,SAAS;YACZ,MAAM,IAAI,SAAS,CAAC,GAAG,0BAA0B,mBAAmB,CAAC,CAAA;QACvE,KAAK,MAAM;YACT,IAAI,QAAQ,CAAC,+BAA+B,CAAC,EAAE,CAAC;gBAC9C,MAAM,IAAI,SAAS,CACjB,GAAG,+BAA+B,8BAA8B,0BAA0B,QAAQ,MAAM,GAAG,CAC5G,CAAA;YACH,CAAC;YACD,MAAK;QACP,KAAK,iBAAiB;YACpB,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;gBAClB,MAAM,IAAI,SAAS,CACjB,4CAA4C,0BAA0B,QAAQ,MAAM,GAAG,CACxF,CAAA;YACH,CAAC;YACD,IAAI,CAAC,QAAQ,CAAC,+BAA+B,CAAC,EAAE,CAAC;gBAC/C,MAAM,IAAI,SAAS,CACjB,GAAG,+BAA+B,0BAA0B,0BAA0B,QAAQ,MAAM,GAAG,CACxG,CAAA;YACH,CAAC;YACD,MAAK;QACP;YACE,MAAM,IAAI,SAAS,CACjB,+CAA+C,MAAM,EAAE,CACxD,CAAA;IACL,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC"}
+{"version":3,"file":"validate-client-metadata.js","sourceRoot":"","sources":["../src/validate-client-metadata.ts"],"names":[],"mappings":";;AASA,wDAyFC;AAjGD,sDAI6B;AAC7B,iDAA6C;AAC7C,yCAAiE;AAEjE,SAAgB,sBAAsB,CACpC,KAA+B,EAC/B,MAAe;IAEf,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;QACnD,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,EAAE,CAAA;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,+BAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAElD,qBAAqB;IACrB,IAAI,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,IAAA,yCAA2B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACjD,CAAC;SAAM,CAAC;QACN,IAAA,6CAA+B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACrD,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IACzC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,kDAAkD,CAAC,CAAA;IACzE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,0BAA0B,CAAA;IAClD,MAAM,SAAS,GAAG,QAAQ,CAAC,+BAA+B,CAAA;IAC1D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,IAAI,SAAS,CACjB,gGAAgG,MAAM,GAAG,CAC1G,CAAA;YACH,CAAC;YACD,MAAK;QAEP,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,SAAS,CACjB,4FAA4F,MAAM,GAAG,CACtG,CAAA;YACH,CAAC;YAED,MAAM,WAAW,GAAG,MAAM;gBACxB,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,CAC5C,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,GAAG,CAClC;gBACH,CAAC,CAAC,IAAI,CAAA;YAER,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,2BAAY,CAAC,CAAC,EAAE,CAAC;gBACvE,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,4BAA4B,2BAAY,qCAAqC,CACrH,CAAA;YACH,CAAC;YAED,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAClB,oEAAoE;gBACpE,0BAA0B;gBAC1B,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;oBAC9B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;wBACvD,MAAM,IAAI,SAAS,CAAC,iBAAiB,GAAG,CAAC,GAAG,qBAAqB,CAAC,CAAA;oBACpE,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBAC7B,wEAAwE;gBACxE,wEAAwE;gBACxE,2CAA2C;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,mBAAmB,CAC3D,CAAA;YACH,CAAC;YAED,MAAK;QACP,CAAC;QAED;YACE,MAAM,IAAI,SAAS,CACjB,mDAAmD,MAAM,EAAE,CAC5D,CAAA;IACL,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-client",
-  "version": "0.3.21",
+  "version": "0.4.0",
   "license": "MIT",
   "description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",
   "keywords": [
@@ -30,12 +30,12 @@
     "@atproto-labs/did-resolver": "0.1.13",
     "@atproto-labs/fetch": "0.2.3",
     "@atproto-labs/handle-resolver": "0.1.8",
-    "@atproto-labs/identity-resolver": "0.1.17",
+    "@atproto-labs/identity-resolver": "0.1.18",
     "@atproto-labs/simple-store": "0.2.0",
     "@atproto-labs/simple-store-memory": "0.1.3",
     "@atproto/did": "0.1.5",
-    "@atproto/jwk": "0.2.0",
-    "@atproto/oauth-types": "0.2.8",
+    "@atproto/jwk": "0.3.0",
+    "@atproto/oauth-types": "0.3.0",
     "@atproto/xrpc": "0.7.0"
   },
   "devDependencies": {

package/src/errors/auth-method-unsatisfiable-error.ts

@@ -0,0 +1 @@
+export class AuthMethodUnsatisfiableError extends Error {}

package/src/fetch-dpop.ts

@@ -12,7 +12,6 @@ const ReadableStream = globalThis.ReadableStream as
 
 export type DpopFetchWrapperOptions<C = FetchContext> = {
   key: Key
-  iss: string
   nonces: SimpleStore<string, string>
   supportedAlgs?: string[]
   sha256?: (input: string) => Promise<string>
@@ -30,7 +29,6 @@ export type DpopFetchWrapperOptions<C = FetchContext> = {
 
 export function dpopFetchWrapper<C = FetchContext>({
   key,
-  iss,
   // @TODO we should provide a default based on specs
   supportedAlgs,
   nonces,
@@ -70,7 +68,7 @@ export function dpopFetchWrapper<C = FetchContext>({
       // Ignore get errors, we will just not send a nonce
     }
 
-    const initProof = await buildProof(key, alg, iss, htm, htu, initNonce, ath)
+    const initProof = await buildProof(key, alg, htm, htu, initNonce, ath)
     request.headers.set('DPoP', initProof)
 
     const initResponse = await fetch.call(this, request)
@@ -118,7 +116,7 @@ export function dpopFetchWrapper<C = FetchContext>({
     // The initial response body must be consumed (see cancelBody's doc).
     await cancelBody(initResponse, 'log')
 
-    const nextProof = await buildProof(key, alg, iss, htm, htu, nextNonce, ath)
+    const nextProof = await buildProof(key, alg, htm, htu, nextNonce, ath)
     const nextRequest = new Request(input, init)
     nextRequest.headers.set('DPoP', nextProof)
 
@@ -163,7 +161,6 @@ function buildHtu(url: string): string {
 async function buildProof(
   key: Key,
   alg: string,
-  iss: string,
   htm: string,
   htu: string,
   nonce?: string,
@@ -184,7 +181,6 @@ async function buildProof(
       jwk,
     },
     {
-      iss,
       iat: now,
       // Any collision will cause the request to be rejected by the server. no biggie.
       jti: Math.random().toString(36).slice(2),

package/src/oauth-client-auth.ts

@@ -0,0 +1,182 @@
+import { Keyset } from '@atproto/jwk'
+import {
+  CLIENT_ASSERTION_TYPE_JWT_BEARER,
+  OAuthAuthorizationServerMetadata,
+  OAuthClientCredentials,
+} from '@atproto/oauth-types'
+import { FALLBACK_ALG } from './constants.js'
+import { AuthMethodUnsatisfiableError } from './errors/auth-method-unsatisfiable-error.js'
+import { Runtime } from './runtime.js'
+import { ClientMetadata } from './types.js'
+import { Awaitable } from './util.js'
+
+export type ClientAuthMethod =
+  | { method: 'none' }
+  | { method: 'private_key_jwt'; kid: string }
+
+export function negotiateClientAuthMethod(
+  serverMetadata: OAuthAuthorizationServerMetadata,
+  clientMetadata: ClientMetadata,
+  keyset?: Keyset,
+): ClientAuthMethod {
+  const method = clientMetadata.token_endpoint_auth_method
+
+  // @NOTE ATproto spec requires that AS support both "none" and
+  // "private_key_jwt", and that clients use one of the other. The following
+  // check ensures that the AS is indeed compliant with this client's
+  // configuration.
+  const methods = supportedMethods(serverMetadata)
+  if (!methods.includes(method)) {
+    throw new Error(
+      `The server does not support "${method}" authentication. Supported methods are: ${methods.join(
+        ', ',
+      )}.`,
+    )
+  }
+
+  if (method === 'private_key_jwt') {
+    // Invalid client configuration. This should not happen as
+    // "validateClientMetadata" already check this.
+    if (!keyset) throw new Error('A keyset is required for private_key_jwt')
+
+    const alg = supportedAlgs(serverMetadata)
+
+    // @NOTE we can't use `keyset.findPrivateKey` here because we can't enforce
+    // that the returned key contains a "kid". The following implementation is
+    // more robust against keysets containing keys without a "kid" property.
+    for (const key of keyset.list({ use: 'sig', alg })) {
+      // Return the first key from the key set that matches the server's
+      // supported algorithms.
+      if (key.isPrivate && key.kid) {
+        return { method: 'private_key_jwt', kid: key.kid }
+      }
+    }
+
+    throw new Error(
+      alg.includes(FALLBACK_ALG)
+        ? `Client authentication method "${method}" requires at least one "${FALLBACK_ALG}" signing key with a "kid" property`
+        : // AS is not compliant with the ATproto OAuth spec.
+          `Authorization server requires "${method}" authentication method, but does not support "${FALLBACK_ALG}" algorithm.`,
+    )
+  }
+
+  if (method === 'none') {
+    return { method: 'none' }
+  }
+
+  throw new Error(
+    `The ATProto OAuth spec requires that client use either "none" or "private_key_jwt" authentication method.` +
+      (method === 'client_secret_basic'
+        ? ' You might want to explicitly set "token_endpoint_auth_method" to one of those values in the client metadata document.'
+        : ` You set "${method}" which is not allowed.`),
+  )
+}
+
+export type ClientCredentialsFactory = () => Awaitable<{
+  headers?: Record<string, string>
+  payload?: OAuthClientCredentials
+}>
+
+/**
+ * @throws {AuthMethodUnsatisfiableError} if the authentication method is no
+ * long usable (either because the AS changed, of because the key is no longer
+ * available in the keyset).
+ */
+export function createClientCredentialsFactory(
+  authMethod: ClientAuthMethod,
+  serverMetadata: OAuthAuthorizationServerMetadata,
+  clientMetadata: ClientMetadata,
+  runtime: Runtime,
+  keyset?: Keyset,
+): ClientCredentialsFactory {
+  // Ensure the AS still supports the auth method.
+  if (!supportedMethods(serverMetadata).includes(authMethod.method)) {
+    throw new AuthMethodUnsatisfiableError(
+      `Client authentication method "${authMethod.method}" no longer supported`,
+    )
+  }
+
+  if (authMethod.method === 'none') {
+    return () => ({
+      payload: {
+        client_id: clientMetadata.client_id,
+      },
+    })
+  }
+
+  if (authMethod.method === 'private_key_jwt') {
+    try {
+      // The client used to be a confidential client but no longer has a keyset.
+      if (!keyset) throw new Error('A keyset is required for private_key_jwt')
+
+      // @NOTE throws if no matching key can be found
+      const [key, alg] = keyset.findPrivateKey({
+        use: 'sig',
+        kid: authMethod.kid,
+        alg: supportedAlgs(serverMetadata),
+      })
+
+      // https://www.rfc-editor.org/rfc/rfc7523.html#section-3
+      return async () => ({
+        payload: {
+          client_id: clientMetadata.client_id,
+          client_assertion_type: CLIENT_ASSERTION_TYPE_JWT_BEARER,
+          client_assertion: await key.createJwt(
+            { alg },
+            {
+              // > The JWT MUST contain an "iss" (issuer) claim that contains a
+              // > unique identifier for the entity that issued the JWT.
+              iss: clientMetadata.client_id,
+              // > For client authentication, the subject MUST be the
+              // > "client_id" of the OAuth client.
+              sub: clientMetadata.client_id,
+              // > The JWT MUST contain an "aud" (audience) claim containing a value
+              // > that identifies the authorization server as an intended audience.
+              // > The token endpoint URL of the authorization server MAY be used as a
+              // > value for an "aud" element to identify the authorization server as an
+              // > intended audience of the JWT.
+              aud: serverMetadata.issuer,
+              // > The JWT MAY contain a "jti" (JWT ID) claim that provides a
+              // > unique identifier for the token.
+              jti: await runtime.generateNonce(),
+              // > The JWT MAY contain an "iat" (issued at) claim that
+              // > identifies the time at which the JWT was issued.
+              iat: Math.floor(Date.now() / 1000),
+              // > The JWT MUST contain an "exp" (expiration time) claim that
+              // > limits the time window during which the JWT can be used.
+              exp: Math.floor(Date.now() / 1000) + 60, // 1 minute
+            },
+          ),
+        },
+      })
+    } catch (cause) {
+      throw new AuthMethodUnsatisfiableError('Failed to load private key', {
+        cause,
+      })
+    }
+  }
+
+  throw new AuthMethodUnsatisfiableError(
+    // @ts-expect-error
+    `Unsupported auth method ${authMethod.method}`,
+  )
+}
+
+function supportedMethods(serverMetadata: OAuthAuthorizationServerMetadata) {
+  return serverMetadata['token_endpoint_auth_methods_supported']
+}
+
+function supportedAlgs(serverMetadata: OAuthAuthorizationServerMetadata) {
+  return (
+    serverMetadata['token_endpoint_auth_signing_alg_values_supported'] ?? [
+      // @NOTE If not specified, assume that the server supports the ES256
+      // algorithm, as prescribed by the spec:
+      //
+      // > Clients and Authorization Servers currently must support the ES256
+      // > cryptographic system [for client authentication].
+      //
+      // https://atproto.com/specs/oauth#confidential-client-authentication
+      FALLBACK_ALG,
+    ]
+  )
+}

package/src/oauth-client.ts

@@ -26,12 +26,14 @@ import {
 import { IdentityResolver } from '@atproto-labs/identity-resolver'
 import { SimpleStoreMemory } from '@atproto-labs/simple-store-memory'
 import { FALLBACK_ALG } from './constants.js'
+import { AuthMethodUnsatisfiableError } from './errors/auth-method-unsatisfiable-error.js'
 import { TokenRevokedError } from './errors/token-revoked-error.js'
 import {
   AuthorizationServerMetadataCache,
   OAuthAuthorizationServerMetadataResolver,
 } from './oauth-authorization-server-metadata-resolver.js'
 import { OAuthCallbackError } from './oauth-callback-error.js'
+import { negotiateClientAuthMethod } from './oauth-client-auth.js'
 import {
   OAuthProtectedResourceMetadataResolver,
   ProtectedResourceMetadataCache,
@@ -290,11 +292,17 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
       metadata.dpop_signing_alg_values_supported || [FALLBACK_ALG],
     )
 
+    const authMethod = negotiateClientAuthMethod(
+      metadata,
+      this.clientMetadata,
+      this.keyset,
+    )
     const state = await this.runtime.generateNonce()
 
     await this.stateStore.set(state, {
       iss: metadata.issuer,
       dpopKey,
+      authMethod,
       verifier: pkce.verifier,
       appState: options?.state,
     })
@@ -307,9 +315,7 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
       code_challenge: pkce.challenge,
       code_challenge_method: pkce.method,
       state,
-      login_hint: identity
-        ? input // If input is a handle or a DID, use it as a login_hint
-        : undefined,
+      login_hint: identity?.handle ?? identity?.did,
       response_mode: this.responseMode,
       response_type: 'code' as const,
       scope: options?.scope ?? this.clientMetadata.scope,
@@ -329,7 +335,11 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
     }
 
     if (metadata.pushed_authorization_request_endpoint) {
-      const server = await this.serverFactory.fromMetadata(metadata, dpopKey)
+      const server = await this.serverFactory.fromMetadata(
+        metadata,
+        authMethod,
+        dpopKey,
+      )
       const parResponse = await server.request(
         'pushed_authorization_request',
         parameters,
@@ -425,6 +435,8 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
 
       const server = await this.serverFactory.fromIssuer(
         stateData.iss,
+        // Using the literal 'legacy' if the authMethod is not defined (because stateData was created through an old version of this lib)
+        stateData.authMethod ?? 'legacy',
         stateData.dpopKey,
       )
 
@@ -457,6 +469,7 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
       try {
         await this.sessionGetter.setStored(tokenSet.sub, {
           dpopKey: stateData.dpopKey,
+          authMethod: server.authMethod,
           tokenSet,
         })
 
@@ -488,24 +501,45 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
     // sub arg is lightly typed for convenience of library user
     assertAtprotoDid(sub)
 
-    const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
+    const {
+      dpopKey,
+      authMethod = 'legacy',
+      tokenSet,
+    } = await this.sessionGetter.get(sub, {
       noCache: refresh === true,
       allowStale: refresh === false,
     })
 
-    const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey, {
-      noCache: refresh === true,
-      allowStale: refresh === false,
-    })
+    try {
+      const server = await this.serverFactory.fromIssuer(
+        tokenSet.iss,
+        authMethod,
+        dpopKey,
+        {
+          noCache: refresh === true,
+          allowStale: refresh === false,
+        },
+      )
+
+      return this.createSession(server, sub)
+    } catch (err) {
+      if (err instanceof AuthMethodUnsatisfiableError) {
+        await this.sessionGetter.delStored(sub, err)
+      }
 
-    return this.createSession(server, sub)
+      throw err
+    }
   }
 
   async revoke(sub: string) {
     // sub arg is lightly typed for convenience of library user
     assertAtprotoDid(sub)
 
-    const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
+    const {
+      dpopKey,
+      authMethod = 'legacy',
+      tokenSet,
+    } = await this.sessionGetter.get(sub, {
       allowStale: true,
     })
 
@@ -513,7 +547,11 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
     // the tokens to be deleted even if it was not possible to fetch the issuer
     // data.
     try {
-      const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey)
+      const server = await this.serverFactory.fromIssuer(
+        tokenSet.iss,
+        authMethod,
+        dpopKey,
+      )
       await server.revoke(tokenSet.access_token)
     } finally {
       await this.sessionGetter.delStored(sub, new TokenRevokedError(sub))

package/src/oauth-server-agent.ts

@@ -1,10 +1,8 @@
 import { AtprotoDid } from '@atproto/did'
 import { Key, Keyset } from '@atproto/jwk'
 import {
-  CLIENT_ASSERTION_TYPE_JWT_BEARER,
   OAuthAuthorizationRequestPar,
   OAuthAuthorizationServerMetadata,
-  OAuthClientCredentials,
   OAuthEndpointName,
   OAuthParResponse,
   OAuthTokenRequest,
@@ -17,9 +15,13 @@ import {
   AtprotoTokenResponse,
   atprotoTokenResponseSchema,
 } from './atproto-token-response.js'
-import { FALLBACK_ALG } from './constants.js'
 import { TokenRefreshError } from './errors/token-refresh-error.js'
 import { dpopFetchWrapper } from './fetch-dpop.js'
+import {
+  ClientAuthMethod,
+  ClientCredentialsFactory,
+  createClientCredentialsFactory,
+} from './oauth-client-auth.js'
 import { OAuthResolver } from './oauth-resolver.js'
 import { OAuthResponseError } from './oauth-response-error.js'
 import { Runtime } from './runtime.js'
@@ -43,8 +45,13 @@ export type DpopNonceCache = SimpleStore<string, string>
 
 export class OAuthServerAgent {
   protected dpopFetch: Fetch<unknown>
+  protected clientCredentialsFactory: ClientCredentialsFactory
 
+  /**
+   * @throws see {@link createClientCredentialsFactory}
+   */
   constructor(
+    readonly authMethod: ClientAuthMethod,
     readonly dpopKey: Key,
     readonly serverMetadata: OAuthAuthorizationServerMetadata,
     readonly clientMetadata: ClientMetadata,
@@ -54,9 +61,16 @@ export class OAuthServerAgent {
     readonly keyset?: Keyset,
     fetch?: Fetch,
   ) {
+    this.clientCredentialsFactory = createClientCredentialsFactory(
+      authMethod,
+      serverMetadata,
+      clientMetadata,
+      runtime,
+      keyset,
+    )
+
     this.dpopFetch = dpopFetchWrapper<void>({
       fetch: bindFetch(fetch),
-      iss: clientMetadata.client_id,
       key: dpopKey,
       supportedAlgs: serverMetadata.dpop_signing_alg_values_supported,
       sha256: async (v) => runtime.sha256(v),
@@ -205,7 +219,7 @@ export class OAuthServerAgent {
     const url = this.serverMetadata[`${endpoint}_endpoint`]
     if (!url) throw new Error(`No ${endpoint} endpoint available`)
 
-    const auth = await this.buildClientAuth(endpoint)
+    const auth = await this.clientCredentialsFactory()
 
     // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13#section-3.2.2
     // https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
@@ -233,73 +247,6 @@ export class OAuthServerAgent {
       throw new OAuthResponseError(response, json)
     }
   }
-
-  async buildClientAuth(endpoint: OAuthEndpointName): Promise<{
-    headers?: Record<string, string>
-    payload: OAuthClientCredentials
-  }> {
-    const methodSupported =
-      this.serverMetadata[`token_endpoint_auth_methods_supported`]
-
-    const method = this.clientMetadata[`token_endpoint_auth_method`]
-
-    if (
-      method === 'private_key_jwt' ||
-      (this.keyset &&
-        !method &&
-        (methodSupported?.includes('private_key_jwt') ?? false))
-    ) {
-      if (!this.keyset) throw new Error('No keyset available')
-
-      try {
-        const alg =
-          this.serverMetadata[
-            `token_endpoint_auth_signing_alg_values_supported`
-          ] ?? FALLBACK_ALG
-
-        // If jwks is defined, make sure to only sign using a key that exists in
-        // the jwks. If jwks_uri is defined, we can't be sure that the key we're
-        // looking for is in there so we will just assume it is.
-        const kid = this.clientMetadata.jwks?.keys
-          .map(({ kid }) => kid)
-          .filter((v): v is string => typeof v === 'string')
-
-        return {
-          payload: {
-            client_id: this.clientMetadata.client_id,
-            client_assertion_type: CLIENT_ASSERTION_TYPE_JWT_BEARER,
-            client_assertion: await this.keyset.createJwt(
-              { alg, kid },
-              {
-                iss: this.clientMetadata.client_id,
-                sub: this.clientMetadata.client_id,
-                aud: this.serverMetadata.issuer,
-                jti: await this.runtime.generateNonce(),
-                iat: Math.floor(Date.now() / 1000),
-              },
-            ),
-          },
-        }
-      } catch (err) {
-        if (method === 'private_key_jwt') throw err
-
-        // Else try next method
-      }
-    }
-
-    if (
-      method === 'none' ||
-      (!method && (methodSupported?.includes('none') ?? true))
-    ) {
-      return {
-        payload: {
-          client_id: this.clientMetadata.client_id,
-        },
-      }
-    }
-
-    throw new Error(`Unsupported ${endpoint} authentication method`)
-  }
 }
 
 function wwwFormUrlEncode(payload: Record<string, undefined | unknown>) {