@atproto/oauth-client 0.3.22 → 0.4.1

package/dist/validate-client-metadata.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate-client-metadata.js","sourceRoot":"","sources":["../src/validate-client-metadata.ts"],"names":[],"mappings":";;AAWA,wDA0EC;AApFD,sDAI6B;AAC7B,yCAAiE;AAEjE,MAAM,0BAA0B,GAAG,4BAA4B,CAAA;AAC/D,MAAM,+BAA+B,GAAG,iCAAiC,CAAA;AAEzE,SAAgB,sBAAsB,CACpC,KAA+B,EAC/B,MAAe;IAEf,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QACf,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,SAAS,CAAC,mDAAmD,CAAC,CAAA;QAC1E,CAAC;QACD,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAClC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;gBACb,MAAM,IAAI,SAAS,CAAC,gCAAgC,CAAC,CAAA;YACvD,CAAC;iBAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,SAAS,CAAC,iBAAiB,GAAG,CAAC,GAAG,uBAAuB,CAAC,CAAA;YACtE,CAAC;QACH,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;QACnD,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,EAAE,CAAA;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,+BAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAElD,qBAAqB;IACrB,IAAI,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,IAAA,yCAA2B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACjD,CAAC;SAAM,CAAC;QACN,IAAA,6CAA+B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACrD,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IACzC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,kDAAkD,CAAC,CAAA;IACzE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,0BAA0B,CAAC,CAAA;IACnD,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,SAAS;YACZ,MAAM,IAAI,SAAS,CAAC,GAAG,0BAA0B,mBAAmB,CAAC,CAAA;QACvE,KAAK,MAAM;YACT,IAAI,QAAQ,CAAC,+BAA+B,CAAC,EAAE,CAAC;gBAC9C,MAAM,IAAI,SAAS,CACjB,GAAG,+BAA+B,8BAA8B,0BAA0B,QAAQ,MAAM,GAAG,CAC5G,CAAA;YACH,CAAC;YACD,MAAK;QACP,KAAK,iBAAiB;YACpB,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;gBAClB,MAAM,IAAI,SAAS,CACjB,4CAA4C,0BAA0B,QAAQ,MAAM,GAAG,CACxF,CAAA;YACH,CAAC;YACD,IAAI,CAAC,QAAQ,CAAC,+BAA+B,CAAC,EAAE,CAAC;gBAC/C,MAAM,IAAI,SAAS,CACjB,GAAG,+BAA+B,0BAA0B,0BAA0B,QAAQ,MAAM,GAAG,CACxG,CAAA;YACH,CAAC;YACD,MAAK;QACP;YACE,MAAM,IAAI,SAAS,CACjB,+CAA+C,MAAM,EAAE,CACxD,CAAA;IACL,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC"}
+{"version":3,"file":"validate-client-metadata.js","sourceRoot":"","sources":["../src/validate-client-metadata.ts"],"names":[],"mappings":";;AASA,wDAyFC;AAjGD,sDAI6B;AAC7B,iDAA6C;AAC7C,yCAAiE;AAEjE,SAAgB,sBAAsB,CACpC,KAA+B,EAC/B,MAAe;IAEf,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;QACnD,KAAK,GAAG,EAAE,GAAG,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,EAAE,CAAA;IAC7C,CAAC;IAED,MAAM,QAAQ,GAAG,+BAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAElD,qBAAqB;IACrB,IAAI,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC3C,IAAA,yCAA2B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACjD,CAAC;SAAM,CAAC;QACN,IAAA,6CAA+B,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IACrD,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;IACzC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,kDAAkD,CAAC,CAAA;IACzE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,0BAA0B,CAAA;IAClD,MAAM,SAAS,GAAG,QAAQ,CAAC,+BAA+B,CAAA;IAC1D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,MAAM;YACT,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,IAAI,SAAS,CACjB,gGAAgG,MAAM,GAAG,CAC1G,CAAA;YACH,CAAC;YACD,MAAK;QAEP,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,SAAS,CACjB,4FAA4F,MAAM,GAAG,CACtG,CAAA;YACH,CAAC;YAED,MAAM,WAAW,GAAG,MAAM;gBACxB,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,MAAM,CAC5C,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,GAAG,CAClC;gBACH,CAAC,CAAC,IAAI,CAAA;YAER,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,2BAAY,CAAC,CAAC,EAAE,CAAC;gBACvE,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,4BAA4B,2BAAY,qCAAqC,CACrH,CAAA;YACH,CAAC;YAED,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAClB,oEAAoE;gBACpE,0BAA0B;gBAC1B,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;oBAC9B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;wBACvD,MAAM,IAAI,SAAS,CAAC,iBAAiB,GAAG,CAAC,GAAG,qBAAqB,CAAC,CAAA;oBACpE,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBAC7B,wEAAwE;gBACxE,wEAAwE;gBACxE,2CAA2C;YAC7C,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,SAAS,CACjB,iCAAiC,MAAM,mBAAmB,CAC3D,CAAA;YACH,CAAC;YAED,MAAK;QACP,CAAC;QAED;YACE,MAAM,IAAI,SAAS,CACjB,mDAAmD,MAAM,EAAE,CAC5D,CAAA;IACL,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-client",
-  "version": "0.3.22",
+  "version": "0.4.1",
   "license": "MIT",
   "description": "OAuth client for ATPROTO PDS. This package serves as common base for environment-specific implementations (NodeJS, Browser, React-Native).",
   "keywords": [
@@ -27,16 +27,16 @@
   "dependencies": {
     "multiformats": "^9.9.0",
     "zod": "^3.23.8",
-    "@atproto-labs/did-resolver": "0.1.13",
     "@atproto-labs/fetch": "0.2.3",
-    "@atproto-labs/handle-resolver": "0.1.8",
-    "@atproto-labs/identity-resolver": "0.1.18",
+    "@atproto-labs/handle-resolver": "0.2.0",
+    "@atproto-labs/identity-resolver": "0.1.19",
     "@atproto-labs/simple-store": "0.2.0",
     "@atproto-labs/simple-store-memory": "0.1.3",
     "@atproto/did": "0.1.5",
-    "@atproto/jwk": "0.2.0",
-    "@atproto/oauth-types": "0.2.8",
-    "@atproto/xrpc": "0.7.0"
+    "@atproto/jwk": "0.4.0",
+    "@atproto/oauth-types": "0.3.1",
+    "@atproto/xrpc": "0.7.0",
+    "@atproto-labs/did-resolver": "0.2.0"
   },
   "devDependencies": {
     "typescript": "^5.6.3"

package/src/errors/auth-method-unsatisfiable-error.ts

@@ -0,0 +1 @@
+export class AuthMethodUnsatisfiableError extends Error {}

package/src/index.ts

@@ -7,8 +7,10 @@ export {
 export * from '@atproto-labs/handle-resolver'
 
 export * from '@atproto/did'
+export * from '@atproto/jwk'
 export * from '@atproto/oauth-types'
 
+export * from './lock.js'
 export * from './oauth-authorization-server-metadata-resolver.js'
 export * from './oauth-callback-error.js'
 export * from './oauth-client.js'

package/src/oauth-client-auth.ts

@@ -0,0 +1,182 @@
+import { Keyset } from '@atproto/jwk'
+import {
+  CLIENT_ASSERTION_TYPE_JWT_BEARER,
+  OAuthAuthorizationServerMetadata,
+  OAuthClientCredentials,
+} from '@atproto/oauth-types'
+import { FALLBACK_ALG } from './constants.js'
+import { AuthMethodUnsatisfiableError } from './errors/auth-method-unsatisfiable-error.js'
+import { Runtime } from './runtime.js'
+import { ClientMetadata } from './types.js'
+import { Awaitable } from './util.js'
+
+export type ClientAuthMethod =
+  | { method: 'none' }
+  | { method: 'private_key_jwt'; kid: string }
+
+export function negotiateClientAuthMethod(
+  serverMetadata: OAuthAuthorizationServerMetadata,
+  clientMetadata: ClientMetadata,
+  keyset?: Keyset,
+): ClientAuthMethod {
+  const method = clientMetadata.token_endpoint_auth_method
+
+  // @NOTE ATproto spec requires that AS support both "none" and
+  // "private_key_jwt", and that clients use one of the other. The following
+  // check ensures that the AS is indeed compliant with this client's
+  // configuration.
+  const methods = supportedMethods(serverMetadata)
+  if (!methods.includes(method)) {
+    throw new Error(
+      `The server does not support "${method}" authentication. Supported methods are: ${methods.join(
+        ', ',
+      )}.`,
+    )
+  }
+
+  if (method === 'private_key_jwt') {
+    // Invalid client configuration. This should not happen as
+    // "validateClientMetadata" already check this.
+    if (!keyset) throw new Error('A keyset is required for private_key_jwt')
+
+    const alg = supportedAlgs(serverMetadata)
+
+    // @NOTE we can't use `keyset.findPrivateKey` here because we can't enforce
+    // that the returned key contains a "kid". The following implementation is
+    // more robust against keysets containing keys without a "kid" property.
+    for (const key of keyset.list({ use: 'sig', alg })) {
+      // Return the first key from the key set that matches the server's
+      // supported algorithms.
+      if (key.isPrivate && key.kid) {
+        return { method: 'private_key_jwt', kid: key.kid }
+      }
+    }
+
+    throw new Error(
+      alg.includes(FALLBACK_ALG)
+        ? `Client authentication method "${method}" requires at least one "${FALLBACK_ALG}" signing key with a "kid" property`
+        : // AS is not compliant with the ATproto OAuth spec.
+          `Authorization server requires "${method}" authentication method, but does not support "${FALLBACK_ALG}" algorithm.`,
+    )
+  }
+
+  if (method === 'none') {
+    return { method: 'none' }
+  }
+
+  throw new Error(
+    `The ATProto OAuth spec requires that client use either "none" or "private_key_jwt" authentication method.` +
+      (method === 'client_secret_basic'
+        ? ' You might want to explicitly set "token_endpoint_auth_method" to one of those values in the client metadata document.'
+        : ` You set "${method}" which is not allowed.`),
+  )
+}
+
+export type ClientCredentialsFactory = () => Awaitable<{
+  headers?: Record<string, string>
+  payload?: OAuthClientCredentials
+}>
+
+/**
+ * @throws {AuthMethodUnsatisfiableError} if the authentication method is no
+ * long usable (either because the AS changed, of because the key is no longer
+ * available in the keyset).
+ */
+export function createClientCredentialsFactory(
+  authMethod: ClientAuthMethod,
+  serverMetadata: OAuthAuthorizationServerMetadata,
+  clientMetadata: ClientMetadata,
+  runtime: Runtime,
+  keyset?: Keyset,
+): ClientCredentialsFactory {
+  // Ensure the AS still supports the auth method.
+  if (!supportedMethods(serverMetadata).includes(authMethod.method)) {
+    throw new AuthMethodUnsatisfiableError(
+      `Client authentication method "${authMethod.method}" no longer supported`,
+    )
+  }
+
+  if (authMethod.method === 'none') {
+    return () => ({
+      payload: {
+        client_id: clientMetadata.client_id,
+      },
+    })
+  }
+
+  if (authMethod.method === 'private_key_jwt') {
+    try {
+      // The client used to be a confidential client but no longer has a keyset.
+      if (!keyset) throw new Error('A keyset is required for private_key_jwt')
+
+      // @NOTE throws if no matching key can be found
+      const { key, alg } = keyset.findPrivateKey({
+        use: 'sig',
+        kid: authMethod.kid,
+        alg: supportedAlgs(serverMetadata),
+      })
+
+      // https://www.rfc-editor.org/rfc/rfc7523.html#section-3
+      return async () => ({
+        payload: {
+          client_id: clientMetadata.client_id,
+          client_assertion_type: CLIENT_ASSERTION_TYPE_JWT_BEARER,
+          client_assertion: await key.createJwt(
+            { alg },
+            {
+              // > The JWT MUST contain an "iss" (issuer) claim that contains a
+              // > unique identifier for the entity that issued the JWT.
+              iss: clientMetadata.client_id,
+              // > For client authentication, the subject MUST be the
+              // > "client_id" of the OAuth client.
+              sub: clientMetadata.client_id,
+              // > The JWT MUST contain an "aud" (audience) claim containing a value
+              // > that identifies the authorization server as an intended audience.
+              // > The token endpoint URL of the authorization server MAY be used as a
+              // > value for an "aud" element to identify the authorization server as an
+              // > intended audience of the JWT.
+              aud: serverMetadata.issuer,
+              // > The JWT MAY contain a "jti" (JWT ID) claim that provides a
+              // > unique identifier for the token.
+              jti: await runtime.generateNonce(),
+              // > The JWT MAY contain an "iat" (issued at) claim that
+              // > identifies the time at which the JWT was issued.
+              iat: Math.floor(Date.now() / 1000),
+              // > The JWT MUST contain an "exp" (expiration time) claim that
+              // > limits the time window during which the JWT can be used.
+              exp: Math.floor(Date.now() / 1000) + 60, // 1 minute
+            },
+          ),
+        },
+      })
+    } catch (cause) {
+      throw new AuthMethodUnsatisfiableError('Failed to load private key', {
+        cause,
+      })
+    }
+  }
+
+  throw new AuthMethodUnsatisfiableError(
+    // @ts-expect-error
+    `Unsupported auth method ${authMethod.method}`,
+  )
+}
+
+function supportedMethods(serverMetadata: OAuthAuthorizationServerMetadata) {
+  return serverMetadata['token_endpoint_auth_methods_supported']
+}
+
+function supportedAlgs(serverMetadata: OAuthAuthorizationServerMetadata) {
+  return (
+    serverMetadata['token_endpoint_auth_signing_alg_values_supported'] ?? [
+      // @NOTE If not specified, assume that the server supports the ES256
+      // algorithm, as prescribed by the spec:
+      //
+      // > Clients and Authorization Servers currently must support the ES256
+      // > cryptographic system [for client authentication].
+      //
+      // https://atproto.com/specs/oauth#confidential-client-authentication
+      FALLBACK_ALG,
+    ]
+  )
+}

package/src/oauth-client.ts

@@ -10,6 +10,7 @@ import {
 import {
   AtprotoDid,
   DidCache,
+  DidResolver,
   DidResolverCached,
   DidResolverCommon,
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
@@ -18,20 +19,22 @@ import {
 } from '@atproto-labs/did-resolver'
 import { Fetch } from '@atproto-labs/fetch'
 import {
-  AppViewHandleResolver,
   CachedHandleResolver,
   HandleCache,
   HandleResolver,
+  XrpcHandleResolver,
 } from '@atproto-labs/handle-resolver'
 import { IdentityResolver } from '@atproto-labs/identity-resolver'
 import { SimpleStoreMemory } from '@atproto-labs/simple-store-memory'
 import { FALLBACK_ALG } from './constants.js'
+import { AuthMethodUnsatisfiableError } from './errors/auth-method-unsatisfiable-error.js'
 import { TokenRevokedError } from './errors/token-revoked-error.js'
 import {
   AuthorizationServerMetadataCache,
   OAuthAuthorizationServerMetadataResolver,
 } from './oauth-authorization-server-metadata-resolver.js'
 import { OAuthCallbackError } from './oauth-callback-error.js'
+import { negotiateClientAuthMethod } from './oauth-client-auth.js'
 import {
   OAuthProtectedResourceMetadataResolver,
   ProtectedResourceMetadataCache,
@@ -53,23 +56,23 @@ import { CustomEventTarget } from './util.js'
 import { validateClientMetadata } from './validate-client-metadata.js'
 
 // Export all types needed to construct OAuthClientOptions
-export type {
-  AuthorizationServerMetadataCache,
-  DidCache,
-  DpopNonceCache,
-  Fetch,
-  HandleCache,
-  HandleResolver,
-  InternalStateData,
+export {
+  type AuthorizationServerMetadataCache,
+  type DidCache,
+  type DpopNonceCache,
+  type Fetch,
+  type HandleCache,
+  type HandleResolver,
+  type InternalStateData,
   Key,
   Keyset,
-  OAuthClientMetadata,
-  OAuthClientMetadataInput,
-  OAuthResponseMode,
-  ProtectedResourceMetadataCache,
-  RuntimeImplementation,
-  SessionStore,
-  StateStore,
+  type OAuthClientMetadata,
+  type OAuthClientMetadataInput,
+  type OAuthResponseMode,
+  type ProtectedResourceMetadataCache,
+  type RuntimeImplementation,
+  type SessionStore,
+  type StateStore,
 }
 
 export type OAuthClientOptions = {
@@ -103,7 +106,12 @@ export type OAuthClientOptions = {
   dpopNonceCache?: DpopNonceCache
 
   // Services
+  didResolver?: DidResolver<'plc' | 'web'>
   handleResolver: HandleResolver | URL | string
+  /**
+   * Used to instantiate the {@link OAuthClientOptions.didResolver} if none
+   * is provided.
+   */
   plcDirectoryUrl?: URL | string
   runtimeImplementation: RuntimeImplementation
   fetch?: Fetch
@@ -186,6 +194,7 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
 
     responseMode,
     clientMetadata,
+    didResolver,
     handleResolver,
     plcDirectoryUrl,
     runtimeImplementation,
@@ -205,14 +214,23 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
     this.fetch = fetch
     this.oauthResolver = new OAuthResolver(
       new IdentityResolver(
-        new DidResolverCached(
-          new DidResolverCommon({ fetch, plcDirectoryUrl, allowHttp }),
-          didCache,
-        ),
-        new CachedHandleResolver(
-          AppViewHandleResolver.from(handleResolver, { fetch }),
-          handleCache,
-        ),
+        didResolver instanceof DidResolverCached && !didCache
+          ? didResolver
+          : new DidResolverCached(
+              didResolver != null
+                ? didResolver
+                : new DidResolverCommon({ fetch, plcDirectoryUrl, allowHttp }),
+              didCache,
+            ),
+        handleResolver instanceof CachedHandleResolver && !handleCache
+          ? handleResolver
+          : new CachedHandleResolver(
+              typeof handleResolver === 'string' ||
+              handleResolver instanceof URL
+                ? new XrpcHandleResolver(handleResolver, { fetch })
+                : handleResolver,
+              handleCache,
+            ),
       ),
       new OAuthProtectedResourceMetadataResolver(
         protectedResourceMetadataCache,
@@ -290,11 +308,17 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
       metadata.dpop_signing_alg_values_supported || [FALLBACK_ALG],
     )
 
+    const authMethod = negotiateClientAuthMethod(
+      metadata,
+      this.clientMetadata,
+      this.keyset,
+    )
     const state = await this.runtime.generateNonce()
 
     await this.stateStore.set(state, {
       iss: metadata.issuer,
       dpopKey,
+      authMethod,
       verifier: pkce.verifier,
       appState: options?.state,
     })
@@ -327,7 +351,11 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
     }
 
     if (metadata.pushed_authorization_request_endpoint) {
-      const server = await this.serverFactory.fromMetadata(metadata, dpopKey)
+      const server = await this.serverFactory.fromMetadata(
+        metadata,
+        authMethod,
+        dpopKey,
+      )
       const parResponse = await server.request(
         'pushed_authorization_request',
         parameters,
@@ -423,6 +451,8 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
 
       const server = await this.serverFactory.fromIssuer(
         stateData.iss,
+        // Using the literal 'legacy' if the authMethod is not defined (because stateData was created through an old version of this lib)
+        stateData.authMethod ?? 'legacy',
         stateData.dpopKey,
       )
 
@@ -455,6 +485,7 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
       try {
         await this.sessionGetter.setStored(tokenSet.sub, {
           dpopKey: stateData.dpopKey,
+          authMethod: server.authMethod,
           tokenSet,
         })
 
@@ -486,24 +517,45 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
     // sub arg is lightly typed for convenience of library user
     assertAtprotoDid(sub)
 
-    const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
+    const {
+      dpopKey,
+      authMethod = 'legacy',
+      tokenSet,
+    } = await this.sessionGetter.get(sub, {
       noCache: refresh === true,
       allowStale: refresh === false,
     })
 
-    const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey, {
-      noCache: refresh === true,
-      allowStale: refresh === false,
-    })
+    try {
+      const server = await this.serverFactory.fromIssuer(
+        tokenSet.iss,
+        authMethod,
+        dpopKey,
+        {
+          noCache: refresh === true,
+          allowStale: refresh === false,
+        },
+      )
 
-    return this.createSession(server, sub)
+      return this.createSession(server, sub)
+    } catch (err) {
+      if (err instanceof AuthMethodUnsatisfiableError) {
+        await this.sessionGetter.delStored(sub, err)
+      }
+
+      throw err
+    }
   }
 
   async revoke(sub: string) {
     // sub arg is lightly typed for convenience of library user
     assertAtprotoDid(sub)
 
-    const { dpopKey, tokenSet } = await this.sessionGetter.get(sub, {
+    const {
+      dpopKey,
+      authMethod = 'legacy',
+      tokenSet,
+    } = await this.sessionGetter.get(sub, {
       allowStale: true,
     })
 
@@ -511,7 +563,11 @@ export class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
     // the tokens to be deleted even if it was not possible to fetch the issuer
     // data.
     try {
-      const server = await this.serverFactory.fromIssuer(tokenSet.iss, dpopKey)
+      const server = await this.serverFactory.fromIssuer(
+        tokenSet.iss,
+        authMethod,
+        dpopKey,
+      )
       await server.revoke(tokenSet.access_token)
     } finally {
       await this.sessionGetter.delStored(sub, new TokenRevokedError(sub))

package/src/oauth-server-agent.ts

@@ -1,10 +1,8 @@
 import { AtprotoDid } from '@atproto/did'
 import { Key, Keyset } from '@atproto/jwk'
 import {
-  CLIENT_ASSERTION_TYPE_JWT_BEARER,
   OAuthAuthorizationRequestPar,
   OAuthAuthorizationServerMetadata,
-  OAuthClientCredentials,
   OAuthEndpointName,
   OAuthParResponse,
   OAuthTokenRequest,
@@ -17,9 +15,13 @@ import {
   AtprotoTokenResponse,
   atprotoTokenResponseSchema,
 } from './atproto-token-response.js'
-import { FALLBACK_ALG } from './constants.js'
 import { TokenRefreshError } from './errors/token-refresh-error.js'
 import { dpopFetchWrapper } from './fetch-dpop.js'
+import {
+  ClientAuthMethod,
+  ClientCredentialsFactory,
+  createClientCredentialsFactory,
+} from './oauth-client-auth.js'
 import { OAuthResolver } from './oauth-resolver.js'
 import { OAuthResponseError } from './oauth-response-error.js'
 import { Runtime } from './runtime.js'
@@ -43,8 +45,13 @@ export type DpopNonceCache = SimpleStore<string, string>
 
 export class OAuthServerAgent {
   protected dpopFetch: Fetch<unknown>
+  protected clientCredentialsFactory: ClientCredentialsFactory
 
+  /**
+   * @throws see {@link createClientCredentialsFactory}
+   */
   constructor(
+    readonly authMethod: ClientAuthMethod,
     readonly dpopKey: Key,
     readonly serverMetadata: OAuthAuthorizationServerMetadata,
     readonly clientMetadata: ClientMetadata,
@@ -54,6 +61,14 @@ export class OAuthServerAgent {
     readonly keyset?: Keyset,
     fetch?: Fetch,
   ) {
+    this.clientCredentialsFactory = createClientCredentialsFactory(
+      authMethod,
+      serverMetadata,
+      clientMetadata,
+      runtime,
+      keyset,
+    )
+
     this.dpopFetch = dpopFetchWrapper<void>({
       fetch: bindFetch(fetch),
       key: dpopKey,
@@ -204,7 +219,7 @@ export class OAuthServerAgent {
     const url = this.serverMetadata[`${endpoint}_endpoint`]
     if (!url) throw new Error(`No ${endpoint} endpoint available`)
 
-    const auth = await this.buildClientAuth(endpoint)
+    const auth = await this.clientCredentialsFactory()
 
     // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13#section-3.2.2
     // https://datatracker.ietf.org/doc/html/rfc7009#section-2.1
@@ -232,73 +247,6 @@ export class OAuthServerAgent {
       throw new OAuthResponseError(response, json)
     }
   }
-
-  async buildClientAuth(endpoint: OAuthEndpointName): Promise<{
-    headers?: Record<string, string>
-    payload: OAuthClientCredentials
-  }> {
-    const methodSupported =
-      this.serverMetadata[`token_endpoint_auth_methods_supported`]
-
-    const method = this.clientMetadata[`token_endpoint_auth_method`]
-
-    if (
-      method === 'private_key_jwt' ||
-      (this.keyset &&
-        !method &&
-        (methodSupported?.includes('private_key_jwt') ?? false))
-    ) {
-      if (!this.keyset) throw new Error('No keyset available')
-
-      try {
-        const alg =
-          this.serverMetadata[
-            `token_endpoint_auth_signing_alg_values_supported`
-          ] ?? FALLBACK_ALG
-
-        // If jwks is defined, make sure to only sign using a key that exists in
-        // the jwks. If jwks_uri is defined, we can't be sure that the key we're
-        // looking for is in there so we will just assume it is.
-        const kid = this.clientMetadata.jwks?.keys
-          .map(({ kid }) => kid)
-          .filter((v): v is string => typeof v === 'string')
-
-        return {
-          payload: {
-            client_id: this.clientMetadata.client_id,
-            client_assertion_type: CLIENT_ASSERTION_TYPE_JWT_BEARER,
-            client_assertion: await this.keyset.createJwt(
-              { alg, kid },
-              {
-                iss: this.clientMetadata.client_id,
-                sub: this.clientMetadata.client_id,
-                aud: this.serverMetadata.issuer,
-                jti: await this.runtime.generateNonce(),
-                iat: Math.floor(Date.now() / 1000),
-              },
-            ),
-          },
-        }
-      } catch (err) {
-        if (method === 'private_key_jwt') throw err
-
-        // Else try next method
-      }
-    }
-
-    if (
-      method === 'none' ||
-      (!method && (methodSupported?.includes('none') ?? true))
-    ) {
-      return {
-        payload: {
-          client_id: this.clientMetadata.client_id,
-        },
-      }
-    }
-
-    throw new Error(`Unsupported ${endpoint} authentication method`)
-  }
 }
 
 function wwwFormUrlEncode(payload: Record<string, undefined | unknown>) {

package/src/oauth-server-factory.ts

@@ -2,6 +2,10 @@ import { Key, Keyset } from '@atproto/jwk'
 import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types'
 import { Fetch } from '@atproto-labs/fetch'
 import { GetCachedOptions } from './oauth-authorization-server-metadata-resolver.js'
+import {
+  ClientAuthMethod,
+  negotiateClientAuthMethod,
+} from './oauth-client-auth.js'
 import { OAuthResolver } from './oauth-resolver.js'
 import { DpopNonceCache, OAuthServerAgent } from './oauth-server-agent.js'
 import { Runtime } from './runtime.js'
@@ -17,19 +21,50 @@ export class OAuthServerFactory {
     readonly dpopNonceCache: DpopNonceCache,
   ) {}
 
-  async fromIssuer(issuer: string, dpopKey: Key, options?: GetCachedOptions) {
+  /**
+   * @param authMethod `undefined` means that we are restoring a session that
+   * was created before we started storing the `authMethod` in the session. In
+   * that case, we will use the first key from the keyset.
+   *
+   * Support for this might be removed in the future.
+   *
+   * @throws see {@link OAuthServerFactory.fromMetadata}
+   */
+  async fromIssuer(
+    issuer: string,
+    authMethod: 'legacy' | ClientAuthMethod,
+    dpopKey: Key,
+    options?: GetCachedOptions,
+  ) {
     const serverMetadata = await this.resolver.getAuthorizationServerMetadata(
       issuer,
       options,
     )
-    return this.fromMetadata(serverMetadata, dpopKey)
+
+    if (authMethod === 'legacy') {
+      // @NOTE Because we were previously not storing the authMethod in the
+      // session data, we provide a backwards compatible implementation by
+      // computing it here.
+      authMethod = negotiateClientAuthMethod(
+        serverMetadata,
+        this.clientMetadata,
+        this.keyset,
+      )
+    }
+
+    return this.fromMetadata(serverMetadata, authMethod, dpopKey)
   }
 
+  /**
+   * @throws see {@link OAuthServerAgent}
+   */
   async fromMetadata(
     serverMetadata: OAuthAuthorizationServerMetadata,
+    authMethod: ClientAuthMethod,
     dpopKey: Key,
   ) {
     return new OAuthServerAgent(
+      authMethod,
       dpopKey,
       serverMetadata,
       this.clientMetadata,