@atproto/oauth-client 0.5.5 → 0.5.7

package/src/util.ts

@@ -1,54 +1,8 @@
 export type Awaitable<T> = T | PromiseLike<T>
 export type Simplify<T> = { [K in keyof T]: T[K] } & NonNullable<unknown>
 
-// @ts-expect-error
-Symbol.dispose ??= Symbol('@@dispose')
-
 export const ifString = <V>(v: V) => (typeof v === 'string' ? v : undefined)
 
-/**
- * @todo (?) move to common package
- */
-export const timeoutSignal = (
-  timeout: number,
-  options?: { signal?: AbortSignal },
-): AbortSignal & Disposable => {
-  if (!Number.isInteger(timeout) || timeout < 0) {
-    throw new TypeError('Expected a positive integer')
-  }
-
-  options?.signal?.throwIfAborted()
-
-  const controller = new AbortController()
-  const { signal } = controller
-
-  options?.signal?.addEventListener(
-    'abort',
-    (reason) => controller.abort(reason),
-    { once: true, signal },
-  )
-
-  const timeoutId = setTimeout(
-    (err) => controller.abort(err),
-    timeout,
-    // create Error here to keep original stack trace
-    new Error('Timeout'),
-  )
-
-  timeoutId?.unref?.() // NodeJS only
-
-  signal.addEventListener('abort', () => clearTimeout(timeoutId), {
-    once: true,
-    signal,
-  })
-
-  Object.defineProperty(signal, Symbol.dispose, {
-    value: () => controller.abort(),
-  })
-
-  return signal as AbortSignal & Disposable
-}
-
 export function contentMime(headers: Headers): string | undefined {
   return headers.get('content-type')?.split(';')[0]!.trim()
 }
@@ -120,50 +74,10 @@ export class CustomEventTarget<EventDetailMap extends Record<string, unknown>> {
   }
 }
 
-export type SpaceSeparatedValue<Value extends string> =
-  | `${Value}`
-  | `${Value} ${string}`
-  | `${string} ${Value}`
-  | `${string} ${Value} ${string}`
-
-export const includesSpaceSeparatedValue = <Value extends string>(
-  input: string,
-  value: Value,
-): input is SpaceSeparatedValue<Value> => {
-  if (value.length === 0) throw new TypeError('Value cannot be empty')
-  if (value.includes(' ')) throw new TypeError('Value cannot contain spaces')
-
-  // Optimized version of:
-  // return input.split(' ').includes(value)
-
-  const inputLength = input.length
-  const valueLength = value.length
-
-  if (inputLength < valueLength) return false
-
-  let idx = input.indexOf(value)
-  let idxEnd: number
-
-  while (idx !== -1) {
-    idxEnd = idx + valueLength
-
-    if (
-      // at beginning or preceded by space
-      (idx === 0 || input[idx - 1] === ' ') &&
-      // at end or followed by space
-      (idxEnd === inputLength || input[idxEnd] === ' ')
-    ) {
-      return true
-    }
-
-    idx = input.indexOf(value, idxEnd + 1)
-  }
-
-  return false
-}
-
-export function combineSignals(signals: readonly (AbortSignal | undefined)[]) {
-  const controller = new AbortController()
+export function combineSignals(
+  signals: readonly (AbortSignal | undefined)[],
+): AbortController & Disposable {
+  const controller = new DisposableAbortController()
 
   const onAbort = function (this: AbortSignal, _event: Event) {
     const reason = new Error('This operation was aborted', {
@@ -173,26 +87,27 @@ export function combineSignals(signals: readonly (AbortSignal | undefined)[]) {
     controller.abort(reason)
   }
 
-  for (const sig of signals) {
-    if (!sig) continue
-
-    if (sig.aborted) {
-      // Remove "abort" listener that was added to sig in previous iterations
-      controller.abort()
-
-      throw new Error('One of the signals is already aborted', {
-        cause: sig.reason,
-      })
+  try {
+    for (const sig of signals) {
+      if (sig) {
+        sig.throwIfAborted()
+        sig.addEventListener('abort', onAbort, { signal: controller.signal })
+      }
     }
 
-    sig.addEventListener('abort', onAbort, { signal: controller.signal })
+    return controller
+  } catch (err) {
+    controller.abort(err)
+    throw err
   }
+}
 
-  controller[Symbol.dispose] = () => {
-    const reason = new Error('AbortController was disposed')
-
-    controller.abort(reason)
+/**
+ * Allows using {@link AbortController} with the `using` keyword, in order to
+ * automatically abort them once the execution block ends.
+ */
+class DisposableAbortController extends AbortController implements Disposable {
+  [Symbol.dispose]() {
+    this.abort(new Error('AbortController was disposed'))
   }
-
-  return controller as AbortController & Disposable
 }

package/src/validate-client-metadata.ts

@@ -56,15 +56,28 @@ export function validateClientMetadata(
         )
       }
 
-      const signingKeys = keyset
-        ? Array.from(keyset.list({ use: 'sig' })).filter(
-            (key) => key.isPrivate && key.kid,
-          )
-        : null
+      if (!keyset) {
+        throw new TypeError(
+          `Client authentication method "${method}" requires a keyset`,
+        )
+      }
+
+      // @NOTE This reproduces the logic from `negotiateClientAuthMethod` at
+      // initialization time to ensure that every key that might end-up being
+      // used is indeed valid & advertised in the metadata.
+      const signingKeys = Array.from(keyset.list({ usage: 'sign' })).filter(
+        (key) => key.kid,
+      )
+
+      if (!signingKeys.length) {
+        throw new TypeError(
+          `Client authentication method "${method}" requires at least one active signing key with a "kid" property`,
+        )
+      }
 
-      if (!signingKeys?.some((key) => key.algorithms.includes(FALLBACK_ALG))) {
+      if (!signingKeys.some((key) => key.algorithms.includes(FALLBACK_ALG))) {
         throw new TypeError(
-          `Client authentication method "${method}" requires at least one "${FALLBACK_ALG}" signing key with a "kid" property`,
+          `Client authentication method "${method}" requires at least one active "${FALLBACK_ALG}" signing key`,
         )
       }
 
@@ -72,8 +85,12 @@ export function validateClientMetadata(
         // Ensure that all the signing keys that could end-up being used are
         // advertised in the JWKS.
         for (const key of signingKeys) {
-          if (!metadata.jwks.keys.some((k) => k.kid === key.kid)) {
-            throw new TypeError(`Key with kid "${key.kid}" not found in jwks`)
+          if (
+            !metadata.jwks.keys.some((k) => k.kid === key.kid && !k.revoked)
+          ) {
+            throw new TypeError(
+              `Missing or inactive key "${key.kid}" in jwks. Make sure that every signing key of the Keyset is declared as an active key in the Metadata's JWKS.`,
+            )
           }
         }
       } else if (metadata.jwks_uri) {

package/tsconfig.build.tsbuildinfo

@@ -1 +1 @@
-{"root":["./src/atproto-token-response.ts","./src/constants.ts","./src/fetch-dpop.ts","./src/identity-resolver.ts","./src/index.ts","./src/lock.ts","./src/oauth-authorization-server-metadata-resolver.ts","./src/oauth-callback-error.ts","./src/oauth-client-auth.ts","./src/oauth-client.ts","./src/oauth-protected-resource-metadata-resolver.ts","./src/oauth-resolver-error.ts","./src/oauth-resolver.ts","./src/oauth-response-error.ts","./src/oauth-server-agent.ts","./src/oauth-server-factory.ts","./src/oauth-session.ts","./src/runtime-implementation.ts","./src/runtime.ts","./src/session-getter.ts","./src/state-store.ts","./src/types.ts","./src/util.ts","./src/validate-client-metadata.ts","./src/errors/auth-method-unsatisfiable-error.ts","./src/errors/token-invalid-error.ts","./src/errors/token-refresh-error.ts","./src/errors/token-revoked-error.ts"],"version":"5.8.2"}
+{"root":["./src/constants.ts","./src/fetch-dpop.ts","./src/identity-resolver.ts","./src/index.ts","./src/lock.ts","./src/oauth-authorization-server-metadata-resolver.ts","./src/oauth-callback-error.ts","./src/oauth-client-auth.ts","./src/oauth-client.ts","./src/oauth-protected-resource-metadata-resolver.ts","./src/oauth-resolver-error.ts","./src/oauth-resolver.ts","./src/oauth-response-error.ts","./src/oauth-server-agent.ts","./src/oauth-server-factory.ts","./src/oauth-session.ts","./src/runtime-implementation.ts","./src/runtime.ts","./src/session-getter.ts","./src/state-store.ts","./src/types.ts","./src/util.ts","./src/validate-client-metadata.ts","./src/errors/auth-method-unsatisfiable-error.ts","./src/errors/token-invalid-error.ts","./src/errors/token-refresh-error.ts","./src/errors/token-revoked-error.ts"],"version":"5.8.2"}

package/dist/atproto-token-response.d.ts

@@ -1,110 +0,0 @@
-import { TypeOf, z } from 'zod';
-import { SpaceSeparatedValue } from './util';
-export type AtprotoScope = SpaceSeparatedValue<'atproto'>;
-export declare const isAtprotoScope: (input: string) => input is AtprotoScope;
-export declare const atprotoScopeSchema: z.ZodEffects<z.ZodString, AtprotoScope, string>;
-export declare const atprotoTokenResponseSchema: z.ZodObject<z.objectUtil.extendShape<{
-    access_token: z.ZodString;
-    token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
-    scope: z.ZodOptional<z.ZodString>;
-    refresh_token: z.ZodOptional<z.ZodString>;
-    expires_in: z.ZodOptional<z.ZodNumber>;
-    id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
-    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
-        type: z.ZodString;
-        locations: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, `${string}:${string}`, string>, "many">>;
-        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        identifier: z.ZodOptional<z.ZodString>;
-        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, "strip", z.ZodTypeAny, {
-        type: string;
-        locations?: `${string}:${string}`[] | undefined;
-        actions?: string[] | undefined;
-        datatypes?: string[] | undefined;
-        identifier?: string | undefined;
-        privileges?: string[] | undefined;
-    }, {
-        type: string;
-        locations?: string[] | undefined;
-        actions?: string[] | undefined;
-        datatypes?: string[] | undefined;
-        identifier?: string | undefined;
-        privileges?: string[] | undefined;
-    }>, "many">>;
-}, {
-    token_type: z.ZodLiteral<"DPoP">;
-    sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
-    scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
-    id_token: z.ZodOptional<z.ZodNever>;
-}>, "passthrough", z.ZodTypeAny, z.objectOutputType<z.objectUtil.extendShape<{
-    access_token: z.ZodString;
-    token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
-    scope: z.ZodOptional<z.ZodString>;
-    refresh_token: z.ZodOptional<z.ZodString>;
-    expires_in: z.ZodOptional<z.ZodNumber>;
-    id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
-    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
-        type: z.ZodString;
-        locations: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, `${string}:${string}`, string>, "many">>;
-        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        identifier: z.ZodOptional<z.ZodString>;
-        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, "strip", z.ZodTypeAny, {
-        type: string;
-        locations?: `${string}:${string}`[] | undefined;
-        actions?: string[] | undefined;
-        datatypes?: string[] | undefined;
-        identifier?: string | undefined;
-        privileges?: string[] | undefined;
-    }, {
-        type: string;
-        locations?: string[] | undefined;
-        actions?: string[] | undefined;
-        datatypes?: string[] | undefined;
-        identifier?: string | undefined;
-        privileges?: string[] | undefined;
-    }>, "many">>;
-}, {
-    token_type: z.ZodLiteral<"DPoP">;
-    sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
-    scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
-    id_token: z.ZodOptional<z.ZodNever>;
-}>, z.ZodTypeAny, "passthrough">, z.objectInputType<z.objectUtil.extendShape<{
-    access_token: z.ZodString;
-    token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
-    scope: z.ZodOptional<z.ZodString>;
-    refresh_token: z.ZodOptional<z.ZodString>;
-    expires_in: z.ZodOptional<z.ZodNumber>;
-    id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
-    authorization_details: z.ZodOptional<z.ZodArray<z.ZodObject<{
-        type: z.ZodString;
-        locations: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, `${string}:${string}`, string>, "many">>;
-        actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        datatypes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        identifier: z.ZodOptional<z.ZodString>;
-        privileges: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, "strip", z.ZodTypeAny, {
-        type: string;
-        locations?: `${string}:${string}`[] | undefined;
-        actions?: string[] | undefined;
-        datatypes?: string[] | undefined;
-        identifier?: string | undefined;
-        privileges?: string[] | undefined;
-    }, {
-        type: string;
-        locations?: string[] | undefined;
-        actions?: string[] | undefined;
-        datatypes?: string[] | undefined;
-        identifier?: string | undefined;
-        privileges?: string[] | undefined;
-    }>, "many">>;
-}, {
-    token_type: z.ZodLiteral<"DPoP">;
-    sub: z.ZodEffects<z.ZodString, `did:plc:${string}` | `did:web:${string}`, string>;
-    scope: z.ZodEffects<z.ZodString, AtprotoScope, string>;
-    id_token: z.ZodOptional<z.ZodNever>;
-}>, z.ZodTypeAny, "passthrough">>;
-export type AtprotoTokenResponse = TypeOf<typeof atprotoTokenResponseSchema>;
-//# sourceMappingURL=atproto-token-response.d.ts.map

package/dist/atproto-token-response.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"atproto-token-response.d.ts","sourceRoot":"","sources":["../src/atproto-token-response.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAG/B,OAAO,EAAE,mBAAmB,EAA+B,MAAM,QAAQ,CAAA;AAEzE,MAAM,MAAM,YAAY,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAA;AACzD,eAAO,MAAM,cAAc,GAAI,OAAO,MAAM,KAAG,KAAK,IAAI,YACT,CAAA;AAC/C,eAAO,MAAM,kBAAkB,iDAE6B,CAAA;AAE5D,eAAO,MAAM,0BAA0B;kBATiC,EAExE,SAAS;gBAAkB,EAAE,QAAQ,EAAE,EAAE,UAAU,CAAC,EAAE,SACjD,mBAAkB,EAAG,UAAU,CAAE,EAAC,SAAS;WACvC,EAAG,WAAW,CAAC,EAAE,SAAS;mBAC3B,EAAG,WAAW,CAAC,EAAE,SAAS;gBAE9B,EAAG,WAAW,CAAC,EAAE,SAAS;cAAiB,EAAG,WAAU,CAE5D,EAAC,UAAU,CAAE,EAAC,UAAU,CAAC,EAAE,SAAS;2BAErB,EAAG,WACd,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;cACZ,EAAE,SAAS;mBAAoB,EAAG,WAC3C,CAAC,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,EAC/B,SAEI;iBAA4D,EAAG,WAClE,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;mBAA8B,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;oBAA+B,EAAG,WAAW,CAAC,EAAE,SAAS;oBAAsB,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;gBAA2B,EAAG,UAAU;;iBAA2C,CAAC;eAAsD,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;;kBAlB/nB,EAExE,SAAS;gBAAkB,EAAE,QAAQ,EAAE,EAAE,UAAU,CAAC,EAAE,SACjD,mBAAkB,EAAG,UAAU,CAAE,EAAC,SAAS;WACvC,EAAG,WAAW,CAAC,EAAE,SAAS;mBAC3B,EAAG,WAAW,CAAC,EAAE,SAAS;gBAE9B,EAAG,WAAW,CAAC,EAAE,SAAS;cAAiB,EAAG,WAAU,CAE5D,EAAC,UAAU,CAAE,EAAC,UAAU,CAAC,EAAE,SAAS;2BAErB,EAAG,WACd,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;cACZ,EAAE,SAAS;mBAAoB,EAAG,WAC3C,CAAC,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,EAC/B,SAEI;iBAA4D,EAAG,WAClE,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;mBAA8B,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;oBAA+B,EAAG,WAAW,CAAC,EAAE,SAAS;oBAAsB,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;gBAA2B,EAAG,UAAU;;iBAA2C,CAAC;eAAsD,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;;kBAlB/nB,EAExE,SAAS;gBAAkB,EAAE,QAAQ,EAAE,EAAE,UAAU,CAAC,EAAE,SACjD,mBAAkB,EAAG,UAAU,CAAE,EAAC,SAAS;WACvC,EAAG,WAAW,CAAC,EAAE,SAAS;mBAC3B,EAAG,WAAW,CAAC,EAAE,SAAS;gBAE9B,EAAG,WAAW,CAAC,EAAE,SAAS;cAAiB,EAAG,WAAU,CAE5D,EAAC,UAAU,CAAE,EAAC,UAAU,CAAC,EAAE,SAAS;2BAErB,EAAG,WACd,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;cACZ,EAAE,SAAS;mBAAoB,EAAG,WAC3C,CAAC,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,EAC/B,SAEI;iBAA4D,EAAG,WAClE,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;mBAA8B,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;oBAA+B,EAAG,WAAW,CAAC,EAAE,SAAS;oBAAsB,EAAG,WAAW,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS;gBAA2B,EAAG,UAAU;;iBAA2C,CAAC;eAAsD,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;iBAAwE,CAAC;eAAuC,CAAC;iBAAyC,CAAC;kBAA0C,CAAC;kBAAwC,CAAC;;;;;;;iCAHrsB,CAAA;AAEF,MAAM,MAAM,oBAAoB,GAAG,MAAM,CAAC,OAAO,0BAA0B,CAAC,CAAA"}

package/dist/atproto-token-response.js

@@ -1,20 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.atprotoTokenResponseSchema = exports.atprotoScopeSchema = exports.isAtprotoScope = void 0;
-const zod_1 = require("zod");
-const did_1 = require("@atproto/did");
-const oauth_types_1 = require("@atproto/oauth-types");
-const util_1 = require("./util");
-const isAtprotoScope = (input) => (0, util_1.includesSpaceSeparatedValue)(input, 'atproto');
-exports.isAtprotoScope = isAtprotoScope;
-exports.atprotoScopeSchema = zod_1.z
-    .string()
-    .refine(exports.isAtprotoScope, 'The "atproto" scope is required');
-exports.atprotoTokenResponseSchema = oauth_types_1.oauthTokenResponseSchema.extend({
-    token_type: zod_1.z.literal('DPoP'),
-    sub: did_1.atprotoDidSchema,
-    scope: exports.atprotoScopeSchema,
-    // OpenID is not compatible with atproto identities
-    id_token: zod_1.z.never().optional(),
-});
-//# sourceMappingURL=atproto-token-response.js.map

package/dist/atproto-token-response.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"atproto-token-response.js","sourceRoot":"","sources":["../src/atproto-token-response.ts"],"names":[],"mappings":";;;AAAA,6BAA+B;AAC/B,sCAA+C;AAC/C,sDAA+D;AAC/D,iCAAyE;AAGlE,MAAM,cAAc,GAAG,CAAC,KAAa,EAAyB,EAAE,CACrE,IAAA,kCAA2B,EAAC,KAAK,EAAE,SAAS,CAAC,CAAA;AADlC,QAAA,cAAc,kBACoB;AAClC,QAAA,kBAAkB,GAAG,OAAC;KAChC,MAAM,EAAE;KACR,MAAM,CAAC,sBAAc,EAAE,iCAAiC,CAAC,CAAA;AAE/C,QAAA,0BAA0B,GAAG,sCAAwB,CAAC,MAAM,CAAC;IACxE,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,GAAG,EAAE,sBAAgB;IACrB,KAAK,EAAE,0BAAkB;IACzB,mDAAmD;IACnD,QAAQ,EAAE,OAAC,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAA"}

package/src/atproto-token-response.ts

@@ -1,21 +0,0 @@
-import { TypeOf, z } from 'zod'
-import { atprotoDidSchema } from '@atproto/did'
-import { oauthTokenResponseSchema } from '@atproto/oauth-types'
-import { SpaceSeparatedValue, includesSpaceSeparatedValue } from './util'
-
-export type AtprotoScope = SpaceSeparatedValue<'atproto'>
-export const isAtprotoScope = (input: string): input is AtprotoScope =>
-  includesSpaceSeparatedValue(input, 'atproto')
-export const atprotoScopeSchema = z
-  .string()
-  .refine(isAtprotoScope, 'The "atproto" scope is required')
-
-export const atprotoTokenResponseSchema = oauthTokenResponseSchema.extend({
-  token_type: z.literal('DPoP'),
-  sub: atprotoDidSchema,
-  scope: atprotoScopeSchema,
-  // OpenID is not compatible with atproto identities
-  id_token: z.never().optional(),
-})
-
-export type AtprotoTokenResponse = TypeOf<typeof atprotoTokenResponseSchema>