@atproto/oauth-client 0.3.21 → 0.4.0

package/src/oauth-server-factory.ts

@@ -2,6 +2,10 @@ import { Key, Keyset } from '@atproto/jwk'
 import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types'
 import { Fetch } from '@atproto-labs/fetch'
 import { GetCachedOptions } from './oauth-authorization-server-metadata-resolver.js'
+import {
+  ClientAuthMethod,
+  negotiateClientAuthMethod,
+} from './oauth-client-auth.js'
 import { OAuthResolver } from './oauth-resolver.js'
 import { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js'
 import { Runtime } from './runtime.js'
@@ -17,19 +21,50 @@ export class OAuthServerFactory {
     readonly dpopNonceCache: DpopNonceCache,
   ) {}
 
-  async fromIssuer(issuer: string, dpopKey: Key, options?: GetCachedOptions) {
+  /**
+   * @param authMethod `undefined` means that we are restoring a session that
+   * was created before we started storing the `authMethod` in the session. In
+   * that case, we will use the first key from the keyset.
+   *
+   * Support for this might be removed in the future.
+   *
+   * @throws see {@link OAuthServerFactory.fromMetadata}
+   */
+  async fromIssuer(
+    issuer: string,
+    authMethod: 'legacy' | ClientAuthMethod,
+    dpopKey: Key,
+    options?: GetCachedOptions,
+  ) {
     const serverMetadata = await this.resolver.getAuthorizationServerMetadata(
       issuer,
       options,
     )
-    return this.fromMetadata(serverMetadata, dpopKey)
+
+    if (authMethod === 'legacy') {
+      // @NOTE Because we were previously not storing the authMethod in the
+      // session data, we provide a backwards compatible implementation by
+      // computing it here.
+      authMethod = negotiateClientAuthMethod(
+        serverMetadata,
+        this.clientMetadata,
+        this.keyset,
+      )
+    }
+
+    return this.fromMetadata(serverMetadata, authMethod, dpopKey)
   }
 
+  /**
+   * @throws see {@link OAuthServerAgent}
+   */
   async fromMetadata(
     serverMetadata: OAuthAuthorizationServerMetadata,
+    authMethod: ClientAuthMethod,
     dpopKey: Key,
   ) {
     return new OAuthServerAgent(
+      authMethod,
       dpopKey,
       serverMetadata,
       this.clientMetadata,

package/src/oauth-session.ts

@@ -32,7 +32,6 @@ export class OAuthSession {
   ) {
     this.dpopFetch = dpopFetchWrapper<void>({
       fetch: bindFetch(fetch),
-      iss: server.clientMetadata.client_id,
       key: server.dpopKey,
       supportedAlgs: server.serverMetadata.dpop_signing_alg_values_supported,
       sha256: async (v) => server.runtime.sha256(v),

package/src/session-getter.ts

@@ -5,9 +5,11 @@ import {
   GetCachedOptions,
   SimpleStore,
 } from '@atproto-labs/simple-store'
+import { AuthMethodUnsatisfiableError } from './errors/auth-method-unsatisfiable-error.js'
 import { TokenInvalidError } from './errors/token-invalid-error.js'
 import { TokenRefreshError } from './errors/token-refresh-error.js'
 import { TokenRevokedError } from './errors/token-revoked-error.js'
+import { ClientAuthMethod } from './oauth-client-auth.js'
 import { OAuthResponseError } from './oauth-response-error.js'
 import { TokenSet } from './oauth-server-agent.js'
 import { OAuthServerFactory } from './oauth-server-factory.js'
@@ -16,6 +18,10 @@ import { CustomEventTarget, combineSignals, timeoutSignal } from './util.js'
 
 export type Session = {
   dpopKey: Key
+  /**
+   * Previous implementation of this lib did not define an `authMethod`
+   */
+  authMethod?: ClientAuthMethod
   tokenSet: TokenSet
 }
 
@@ -51,7 +57,7 @@ export class SessionGetter extends CachedGetter<AtprotoDid, Session> {
     private readonly runtime: Runtime,
   ) {
     super(
-      async (sub, options, storedSession): Promise<Session> => {
+      async (sub, options, storedSession) => {
         // There needs to be a previous session to be able to refresh. If
         // storedSession is undefined, it means that the store does not contain
         // a session for the given sub.
@@ -73,7 +79,7 @@ export class SessionGetter extends CachedGetter<AtprotoDid, Session> {
         // concurrent access (which, normally, should not happen if a proper
         // runtime lock was provided).
 
-        const { dpopKey, tokenSet } = storedSession
+        const { dpopKey, authMethod = 'legacy', tokenSet } = storedSession
 
         if (sub !== tokenSet.sub) {
           // Fool-proofing (e.g. against invalid session storage)
@@ -94,7 +100,11 @@ export class SessionGetter extends CachedGetter<AtprotoDid, Session> {
         // always possible. If no lock implementation is provided, we will use
         // the store to check if a concurrent refresh occurred.
 
-        const server = await serverFactory.fromIssuer(tokenSet.iss, dpopKey)
+        const server = await serverFactory.fromIssuer(
+          tokenSet.iss,
+          authMethod,
+          dpopKey,
+        )
 
         // Because refresh tokens can only be used once, we must not use the
         // "signal" to abort the refresh, or throw any abort error beyond this
@@ -111,7 +121,11 @@ export class SessionGetter extends CachedGetter<AtprotoDid, Session> {
             throw new TokenRefreshError(sub, 'Token set sub mismatch')
           }
 
-          return { dpopKey, tokenSet: newTokenSet }
+          return {
+            dpopKey,
+            tokenSet: newTokenSet,
+            authMethod: server.authMethod,
+          }
         } catch (cause) {
           // If the refresh token is invalid, let's try to recover from
           // concurrency issues, or make sure the session is deleted by throwing
@@ -173,17 +187,36 @@ export class SessionGetter extends CachedGetter<AtprotoDid, Session> {
                 30e3 * Math.random()
           )
         },
-        onStoreError: async (err, sub, { tokenSet, dpopKey }) => {
-          // If the token data cannot be stored, let's revoke it
-          const server = await serverFactory.fromIssuer(tokenSet.iss, dpopKey)
-          await server.revoke(tokenSet.refresh_token ?? tokenSet.access_token)
+        onStoreError: async (
+          err,
+          sub,
+          { tokenSet, dpopKey, authMethod = 'legacy' as const },
+        ) => {
+          if (!(err instanceof AuthMethodUnsatisfiableError)) {
+            // If the error was an AuthMethodUnsatisfiableError, there is no
+            // point in trying to call `fromIssuer`.
+            try {
+              // If the token data cannot be stored, let's revoke it
+              const server = await serverFactory.fromIssuer(
+                tokenSet.iss,
+                authMethod,
+                dpopKey,
+              )
+              await server.revoke(
+                tokenSet.refresh_token ?? tokenSet.access_token,
+              )
+            } catch {
+              // Let the original error propagate
+            }
+          }
+
           throw err
         },
         deleteOnError: async (err) =>
-          // Optimization: More likely to happen first
           err instanceof TokenRefreshError ||
           err instanceof TokenRevokedError ||
-          err instanceof TokenInvalidError,
+          err instanceof TokenInvalidError ||
+          err instanceof AuthMethodUnsatisfiableError,
       },
     )
   }

package/src/state-store.ts

@@ -1,9 +1,12 @@
 import { Key } from '@atproto/jwk'
 import { SimpleStore } from '@atproto-labs/simple-store'
+import { ClientAuthMethod } from './oauth-client-auth.js'
 
 export type InternalStateData = {
   iss: string
   dpopKey: Key
+  /** @note optional for legacy reasons */
+  authMethod?: ClientAuthMethod
   verifier?: string
   appState?: string
 }

package/src/validate-client-metadata.ts

@@ -4,28 +4,13 @@ import {
   assertOAuthDiscoverableClientId,
   assertOAuthLoopbackClientId,
 } from '@atproto/oauth-types'
+import { FALLBACK_ALG } from './constants.js'
 import { ClientMetadata, clientMetadataSchema } from './types.js'
 
-const TOKEN_ENDPOINT_AUTH_METHOD = `token_endpoint_auth_method`
-const TOKEN_ENDPOINT_AUTH_SIGNING_ALG = `token_endpoint_auth_signing_alg`
-
 export function validateClientMetadata(
   input: OAuthClientMetadataInput,
   keyset?: Keyset,
 ): ClientMetadata {
-  if (input.jwks) {
-    if (!keyset) {
-      throw new TypeError(`Keyset must not be provided when jwks is provided`)
-    }
-    for (const key of input.jwks.keys) {
-      if (!key.kid) {
-        throw new TypeError(`Key must have a "kid" property`)
-      } else if (!keyset.has(key.kid)) {
-        throw new TypeError(`Key with kid "${key.kid}" not found in keyset`)
-      }
-    }
-  }
-
   // Allow to pass a keyset and omit the jwks/jwks_uri properties
   if (!input.jwks && !input.jwks_uri && keyset?.size) {
     input = { ...input, jwks: keyset.toJSON() }
@@ -53,32 +38,60 @@ export function validateClientMetadata(
     throw new TypeError(`"grant_types" must include "authorization_code"`)
   }
 
-  const method = metadata[TOKEN_ENDPOINT_AUTH_METHOD]
+  const method = metadata.token_endpoint_auth_method
+  const methodAlg = metadata.token_endpoint_auth_signing_alg
   switch (method) {
-    case undefined:
-      throw new TypeError(`${TOKEN_ENDPOINT_AUTH_METHOD} must be provided`)
     case 'none':
-      if (metadata[TOKEN_ENDPOINT_AUTH_SIGNING_ALG]) {
+      if (methodAlg) {
         throw new TypeError(
-          `${TOKEN_ENDPOINT_AUTH_SIGNING_ALG} must not be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`,
+          `"token_endpoint_auth_signing_alg" must not be provided when "token_endpoint_auth_method" is "${method}"`,
         )
       }
       break
-    case 'private_key_jwt':
-      if (!keyset?.size) {
+
+    case 'private_key_jwt': {
+      if (!methodAlg) {
+        throw new TypeError(
+          `"token_endpoint_auth_signing_alg" must be provided when "token_endpoint_auth_method" is "${method}"`,
+        )
+      }
+
+      const signingKeys = keyset
+        ? Array.from(keyset.list({ use: 'sig' })).filter(
+            (key) => key.isPrivate && key.kid,
+          )
+        : null
+
+      if (!signingKeys?.some((key) => key.algorithms.includes(FALLBACK_ALG))) {
         throw new TypeError(
-          `A non-empty keyset must be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`,
+          `Client authentication method "${method}" requires at least one "${FALLBACK_ALG}" signing key with a "kid" property`,
         )
       }
-      if (!metadata[TOKEN_ENDPOINT_AUTH_SIGNING_ALG]) {
+
+      if (metadata.jwks) {
+        // Ensure that all the signing keys that could end-up being used are
+        // advertised in the JWKS.
+        for (const key of signingKeys) {
+          if (!metadata.jwks.keys.some((k) => k.kid === key.kid)) {
+            throw new TypeError(`Key with kid "${key.kid}" not found in jwks`)
+          }
+        }
+      } else if (metadata.jwks_uri) {
+        // @NOTE we only ensure that all the signing keys are referenced in JWKS
+        // when it is available (see previous "if") as we don't want to download
+        // that file here (for efficiency reasons).
+      } else {
         throw new TypeError(
-          `${TOKEN_ENDPOINT_AUTH_SIGNING_ALG} must be provided when ${TOKEN_ENDPOINT_AUTH_METHOD} is "${method}"`,
+          `Client authentication method "${method}" requires a JWKS`,
         )
       }
+
       break
+    }
+
     default:
       throw new TypeError(
-        `Invalid "token_endpoint_auth_method" value: ${method}`,
+        `Unsupported "token_endpoint_auth_method" value: ${method}`,
       )
   }
 

package/tsconfig.build.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/atproto-token-response.ts","./src/constants.ts","./src/fetch-dpop.ts","./src/index.ts","./src/lock.ts","./src/oauth-authorization-server-metadata-resolver.ts","./src/oauth-callback-error.ts","./src/oauth-client.ts","./src/oauth-protected-resource-metadata-resolver.ts","./src/oauth-resolver-error.ts","./src/oauth-resolver.ts","./src/oauth-response-error.ts","./src/oauth-server-agent.ts","./src/oauth-server-factory.ts","./src/oauth-session.ts","./src/runtime-implementation.ts","./src/runtime.ts","./src/session-getter.ts","./src/state-store.ts","./src/types.ts","./src/util.ts","./src/validate-client-metadata.ts","./src/errors/token-invalid-error.ts","./src/errors/token-refresh-error.ts","./src/errors/token-revoked-error.ts"],"version":"5.8.2"}
+{"root":["./src/atproto-token-response.ts","./src/constants.ts","./src/fetch-dpop.ts","./src/index.ts","./src/lock.ts","./src/oauth-authorization-server-metadata-resolver.ts","./src/oauth-callback-error.ts","./src/oauth-client-auth.ts","./src/oauth-client.ts","./src/oauth-protected-resource-metadata-resolver.ts","./src/oauth-resolver-error.ts","./src/oauth-resolver.ts","./src/oauth-response-error.ts","./src/oauth-server-agent.ts","./src/oauth-server-factory.ts","./src/oauth-session.ts","./src/runtime-implementation.ts","./src/runtime.ts","./src/session-getter.ts","./src/state-store.ts","./src/types.ts","./src/util.ts","./src/validate-client-metadata.ts","./src/errors/auth-method-unsatisfiable-error.ts","./src/errors/token-invalid-error.ts","./src/errors/token-refresh-error.ts","./src/errors/token-revoked-error.ts"],"version":"5.8.2"}