npm - @atproto/oauth-provider - Versions diffs - 0.1.2 → 0.2.0 - Mend

@atproto/oauth-provider 0.1.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

package/CHANGELOG.md +46 -0
package/dist/account/account.d.ts +6 -2
package/dist/account/account.d.ts.map +1 -1
package/dist/assets/app/bundle-manifest.json +3 -3
package/dist/assets/app/main.css +1 -1
package/dist/assets/app/main.js +3 -3
package/dist/assets/app/main.js.map +1 -1
package/dist/assets/assets-middleware.d.ts +2 -1
package/dist/assets/assets-middleware.d.ts.map +1 -1
package/dist/assets/assets-middleware.js +7 -0
package/dist/assets/assets-middleware.js.map +1 -1
package/dist/client/client-manager.d.ts +4 -3
package/dist/client/client-manager.d.ts.map +1 -1
package/dist/client/client-manager.js +91 -77
package/dist/client/client-manager.js.map +1 -1
package/dist/client/client.d.ts +2 -3
package/dist/client/client.d.ts.map +1 -1
package/dist/client/client.js +6 -12
package/dist/client/client.js.map +1 -1
package/dist/constants.d.ts +2 -0
package/dist/constants.d.ts.map +1 -1
package/dist/constants.js +3 -1
package/dist/constants.js.map +1 -1
package/dist/device/device-manager.d.ts +1 -1
package/dist/device/device-manager.d.ts.map +1 -1
package/dist/device/device-manager.js +2 -2
package/dist/device/device-manager.js.map +1 -1
package/dist/dpop/dpop-manager.d.ts +0 -1
package/dist/dpop/dpop-manager.d.ts.map +1 -1
package/dist/dpop/dpop-manager.js +1 -4
package/dist/dpop/dpop-manager.js.map +1 -1
package/dist/errors/invalid-authorization-details-error.d.ts +4 -3
package/dist/errors/invalid-authorization-details-error.d.ts.map +1 -1
package/dist/errors/invalid-authorization-details-error.js +4 -4
package/dist/errors/invalid-authorization-details-error.js.map +1 -1
package/dist/lib/http/parser.d.ts +13 -7
package/dist/lib/http/parser.d.ts.map +1 -1
package/dist/lib/http/parser.js +29 -9
package/dist/lib/http/parser.js.map +1 -1
package/dist/lib/http/request.d.ts +8 -5
package/dist/lib/http/request.d.ts.map +1 -1
package/dist/lib/http/request.js +24 -12
package/dist/lib/http/request.js.map +1 -1
package/dist/lib/http/stream.d.ts.map +1 -1
package/dist/lib/http/stream.js +3 -2
package/dist/lib/http/stream.js.map +1 -1
package/dist/metadata/build-metadata.d.ts +0 -1
package/dist/metadata/build-metadata.d.ts.map +1 -1
package/dist/metadata/build-metadata.js +9 -49
package/dist/metadata/build-metadata.js.map +1 -1
package/dist/oauth-hooks.d.ts +3 -10
package/dist/oauth-hooks.d.ts.map +1 -1
package/dist/oauth-provider.d.ts +10 -15
package/dist/oauth-provider.d.ts.map +1 -1
package/dist/oauth-provider.js +176 -114
package/dist/oauth-provider.js.map +1 -1
package/dist/oauth-verifier.d.ts +1 -2
package/dist/oauth-verifier.d.ts.map +1 -1
package/dist/oauth-verifier.js.map +1 -1
package/dist/output/build-authorize-data.d.ts +6 -0
package/dist/output/build-authorize-data.d.ts.map +1 -1
package/dist/output/build-authorize-data.js +1 -0
package/dist/output/build-authorize-data.js.map +1 -1
package/dist/replay/replay-manager.d.ts +1 -0
package/dist/replay/replay-manager.d.ts.map +1 -1
package/dist/replay/replay-manager.js +3 -0
package/dist/replay/replay-manager.js.map +1 -1
package/dist/replay/replay-store.d.ts +1 -1
package/dist/request/request-info.d.ts +2 -0
package/dist/request/request-info.d.ts.map +1 -1
package/dist/request/request-manager.d.ts +3 -9
package/dist/request/request-manager.d.ts.map +1 -1
package/dist/request/request-manager.js +52 -77
package/dist/request/request-manager.js.map +1 -1
package/dist/request/types.d.ts +10 -10
package/dist/signer/signed-token-payload.d.ts +88 -88
package/dist/signer/signer.d.ts +24 -31
package/dist/signer/signer.d.ts.map +1 -1
package/dist/signer/signer.js +0 -40
package/dist/signer/signer.js.map +1 -1
package/dist/token/token-claims.d.ts +84 -84
package/dist/token/token-manager.d.ts +1 -2
package/dist/token/token-manager.d.ts.map +1 -1
package/dist/token/token-manager.js +10 -37
package/dist/token/token-manager.js.map +1 -1
package/dist/token/types.d.ts +10 -10
package/package.json +3 -3
package/src/account/account.ts +11 -7
package/src/assets/app/backend-data.ts +9 -2
package/src/assets/app/components/accept-form.tsx +65 -51
package/src/assets/app/components/client-name.tsx +24 -16
package/src/assets/app/components/url-viewer.tsx +3 -3
package/src/assets/app/views/accept-view.tsx +7 -4
package/src/assets/app/views/authorize-view.tsx +2 -1
package/src/assets/assets-middleware.ts +14 -2
package/src/client/client-manager.ts +124 -120
package/src/client/client.ts +5 -17
package/src/constants.ts +3 -0
package/src/device/device-manager.ts +7 -1
package/src/dpop/dpop-manager.ts +1 -6
package/src/errors/invalid-authorization-details-error.ts +9 -4
package/src/lib/http/parser.ts +37 -13
package/src/lib/http/request.ts +61 -15
package/src/lib/http/stream.ts +5 -2
package/src/metadata/build-metadata.ts +9 -56
package/src/oauth-hooks.ts +3 -13
package/src/oauth-provider.ts +187 -177
package/src/oauth-verifier.ts +1 -2
package/src/output/build-authorize-data.ts +8 -0
package/src/replay/replay-manager.ts +9 -0
package/src/replay/replay-store.ts +1 -1
package/src/request/request-info.ts +2 -0
package/src/request/request-manager.ts +81 -107
package/src/signer/signer.ts +0 -63
package/src/token/token-manager.ts +8 -41
package/dist/oidc/claims.d.ts +0 -16
package/dist/oidc/claims.d.ts.map +0 -1
package/dist/oidc/claims.js +0 -29
package/dist/oidc/claims.js.map +0 -1
package/dist/oidc/userinfo.d.ts +0 -7
package/dist/oidc/userinfo.d.ts.map +0 -1
package/dist/oidc/userinfo.js +0 -3
package/dist/oidc/userinfo.js.map +0 -1
package/dist/parameters/claims-requested.d.ts +0 -3
package/dist/parameters/claims-requested.d.ts.map +0 -1
package/dist/parameters/claims-requested.js +0 -77
package/dist/parameters/claims-requested.js.map +0 -1
package/dist/parameters/oidc-payload.d.ts +0 -31
package/dist/parameters/oidc-payload.d.ts.map +0 -1
package/dist/parameters/oidc-payload.js +0 -25
package/dist/parameters/oidc-payload.js.map +0 -1
package/src/assets/app/components/client-identifier.tsx +0 -31
package/src/oidc/claims.ts +0 -35
package/src/oidc/userinfo.ts +0 -11
package/src/parameters/claims-requested.ts +0 -106
package/src/parameters/oidc-payload.ts +0 -28

package/src/client/client.ts CHANGED Viewed

@@ -3,7 +3,6 @@ import {
   CLIENT_ASSERTION_TYPE_JWT_BEARER,
   OAuthClientIdentification,
   OAuthClientMetadata,
-  OAuthEndpointName,
 } from '@atproto/oauth-types'
 import {
   UnsecuredJWT,
@@ -101,13 +100,6 @@ export class Client {
     })
   }
-  protected getAuthMethod(endpoint: OAuthEndpointName) {
-    return (
-      this.metadata[`${endpoint}_endpoint_auth_method`] ||
-      this.metadata[`token_endpoint_auth_method`]
-    )
-  }
   /**
    * @see {@link https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1}
    * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-11#section-3}
@@ -115,7 +107,6 @@ export class Client {
    */
   public async verifyCredentials(
     input: OAuthClientIdentification,
-    endpoint: OAuthEndpointName,
     checks: {
       audience: string
     },
@@ -124,7 +115,7 @@ export class Client {
     // for replay protection
     nonce?: string
   }> {
-    const method = this.getAuthMethod(endpoint)
+    const method = this.metadata[`token_endpoint_auth_method`]
     if (method === 'none') {
       const clientAuth: ClientAuth = { method: 'none' }
@@ -149,6 +140,7 @@ export class Client {
           audience: checks.audience,
           subject: this.id,
           maxTokenAge: CLIENT_ASSERTION_MAX_AGE / 1000,
+          requiredClaims: ['jti'],
         }).catch((err) => {
           if (err instanceof JOSEError) {
             const msg = `Validation of "client_assertion" failed: ${err.message}`
@@ -162,10 +154,6 @@ export class Client {
           throw new InvalidClientError(`"kid" required in client_assertion`)
         }
-        if (!result.payload.jti) {
-          throw new InvalidClientError(`"jti" required in client_assertion`)
-        }
         const clientAuth: ClientAuth = {
           method: CLIENT_ASSERTION_TYPE_JWT_BEARER,
           jkt: await authJwkThumbprint(result.key),
@@ -192,7 +180,7 @@ export class Client {
     }
     throw new InvalidClientMetadataError(
-      `Unsupported ${endpoint}_endpoint_auth_method "${method}"`,
+      `Unsupported token_endpoint_auth_method "${method}"`,
     )
   }
@@ -204,11 +192,11 @@ export class Client {
    */
   public async validateClientAuth(clientAuth: ClientAuth): Promise<boolean> {
     if (clientAuth.method === 'none') {
-      return this.getAuthMethod('token') === 'none'
+      return this.metadata[`token_endpoint_auth_method`] === 'none'
     }
     if (clientAuth.method === CLIENT_ASSERTION_TYPE_JWT_BEARER) {
-      if (this.getAuthMethod('token') !== 'private_key_jwt') {
+      if (this.metadata[`token_endpoint_auth_method`] !== 'private_key_jwt') {
         return false
       }
       try {

package/src/constants.ts CHANGED Viewed

@@ -67,3 +67,6 @@ export const DPOP_NONCE_MAX_AGE = 3 * MINUTE
 /** 5 seconds */
 export const SESSION_FIXATION_MAX_AGE = 5 * SECOND
+/** 1 day */
+export const CODE_CHALLENGE_REPLAY_TIMEFRAME = 1 * DAY

package/src/device/device-manager.ts CHANGED Viewed

@@ -100,10 +100,16 @@ export class DeviceManager {
   public async load(
     req: IncomingMessage,
     res: ServerResponse,
+    forceRotate = false,
   ): Promise<{ deviceId: DeviceId }> {
     const cookie = await this.getCookie(req)
     if (cookie) {
-      return this.refresh(req, res, cookie.value, cookie.mustRotate)
+      return this.refresh(
+        req,
+        res,
+        cookie.value,
+        forceRotate || cookie.mustRotate,
+      )
     } else {
       return this.create(req, res)
     }

package/src/dpop/dpop-manager.ts CHANGED Viewed

@@ -52,13 +52,12 @@ export class DpopManager {
     const { protectedHeader, payload } = await jwtVerify<{
       iat: number
-      exp: number
       jti: string
     }>(proof, EmbeddedJWK, {
       typ: 'dpop+jwt',
       maxTokenAge: 10,
       clockTolerance: DPOP_NONCE_MAX_AGE / 1e3,
-      requiredClaims: ['iat', 'exp', 'jti'],
+      requiredClaims: ['iat', 'jti'],
     }).catch((err) => {
       const message =
         err instanceof JOSEError
@@ -71,10 +70,6 @@ export class DpopManager {
       throw new InvalidDpopProofError('Invalid or missing jti property')
     }
-    if (payload.exp - payload.iat > DPOP_NONCE_MAX_AGE / 3 / 1e3) {
-      throw new InvalidDpopProofError('DPoP proof validity too long')
-    }
     // Note rfc9110#section-9.1 states that the method name is case-sensitive
     if (!htm || htm !== payload['htm']) {
       throw new InvalidDpopProofError('DPoP htm mismatch')

package/src/errors/invalid-authorization-details-error.ts CHANGED Viewed

@@ -1,4 +1,5 @@
-import { OAuthError } from './oauth-error.js'
+import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
+import { AccessDeniedError } from './access-denied-error.js'
 /**
  * @see
@@ -15,8 +16,12 @@ import { OAuthError } from './oauth-error.js'
  *  - contains fields with invalid values for the authorization details type, or
  *  - is missing required fields for the authorization details type.
  */
-export class InvalidAuthorizationDetailsError extends OAuthError {
-  constructor(error_description: string, cause?: unknown) {
-    super('invalid_authorization_details', error_description, 400, cause)
+export class InvalidAuthorizationDetailsError extends AccessDeniedError {
+  constructor(
+    parameters: OAuthAuthenticationRequestParameters,
+    error_description: string,
+    cause?: unknown,
+  ) {
+    super(parameters, error_description, 'invalid_authorization_details', cause)
   }
 }

package/src/lib/http/parser.ts CHANGED Viewed

@@ -1,13 +1,33 @@
 import { parse as parseJson } from '@hapi/bourne'
+import { type as hapiContentType } from '@hapi/content'
 import createHttpError from 'http-errors'
 export type JsonScalar = string | number | boolean | null
 export type Json = JsonScalar | Json[] | { [_ in string]?: Json }
+export const parseContentType = (type: string): ContentType => {
+  try {
+    return hapiContentType(type)
+  } catch (err) {
+    // De-boomify the error
+    if (err?.['isBoom']) {
+      throw createHttpError(err['output']['statusCode'], err['message'])
+    }
+    throw err
+  }
+}
+export type ContentType = {
+  mime: string
+  charset?: string
+  boundary?: string
+}
 export type Parser<T extends string = string, R = unknown> = {
   readonly name: string
-  readonly test: (type: string) => type is T
-  readonly parse: (buffer: Buffer) => R
+  readonly test: (mime: string) => mime is T
+  readonly parse: (buffer: Buffer, type: ContentType) => R
 }
 export type ParserName<P extends Parser> = P extends { readonly name: infer N }
@@ -22,12 +42,13 @@ export type ParserForType<P extends Parser, T> =
 export const parsers = [
   {
     name: 'json',
-    test: (
-      type: string,
-    ): type is `application/json` | `application/${string}+json` => {
-      return /^application\/(?:.+\+)?json$/.test(type)
+    test: (mime): mime is `application/json` | `application/${string}+json` => {
+      return /^application\/(?:.+\+)?json$/.test(mime)
     },
-    parse: (buffer: Buffer): Json => {
+    parse: (buffer, { charset }): Json => {
+      if (charset != null && !/^utf-?8$/i.test(charset)) {
+        throw createHttpError(415, 'Unsupported charset')
+      }
       try {
         return parseJson(buffer.toString())
       } catch (err) {
@@ -37,10 +58,13 @@ export const parsers = [
   },
   {
     name: 'urlencoded',
-    test: (type: string): type is 'application/x-www-form-urlencoded' => {
-      return type === 'application/x-www-form-urlencoded'
+    test: (mime): mime is 'application/x-www-form-urlencoded' => {
+      return mime === 'application/x-www-form-urlencoded'
     },
-    parse: (buffer: Buffer): Partial<Record<string, string>> => {
+    parse: (buffer, { charset }): Partial<Record<string, string>> => {
+      if (charset != null && !/^utf-?8$/i.test(charset)) {
+        throw createHttpError(415, 'Unsupported charset')
+      }
       try {
         if (!buffer.length) return {}
         return Object.fromEntries(new URLSearchParams(buffer.toString()))
@@ -51,10 +75,10 @@ export const parsers = [
   },
   {
     name: 'bytes',
-    test: (type: string): type is 'application/octet-stream' => {
-      return type === 'application/octet-stream'
+    test: (mime): mime is 'application/octet-stream' => {
+      return mime === 'application/octet-stream'
     },
-    parse: (buffer: Buffer): Buffer => buffer,
+    parse: (buffer): Buffer => buffer,
   },
 ] as const satisfies Parser[]

package/src/lib/http/request.ts CHANGED Viewed

@@ -28,6 +28,27 @@ export async function validateRequestPayload<S extends z.ZodTypeAny>(
   return schema.parseAsync(payload, { path: ['body'] })
 }
+export function validateHeaderValue(
+  req: IncomingMessage,
+  name: keyof IncomingMessage['headers'],
+  allowedValues: readonly (string | null)[],
+) {
+  const value = req.headers[name] ?? null
+  if (Array.isArray(value)) {
+    throw createHttpError(400, `Invalid ${name} header`)
+  }
+  if (!allowedValues.includes(value)) {
+    throw createHttpError(
+      400,
+      value
+        ? `Forbidden ${name} header "${value}" (expected ${allowedValues})`
+        : `Missing ${name} header`,
+    )
+  }
+}
 export function validateFetchMode(
   req: IncomingMessage,
   res: ServerResponse,
@@ -39,20 +60,45 @@ export function validateFetchMode(
     | 'cors'
   )[],
 ) {
-  const reqMode = req.headers['sec-fetch-mode'] ?? null
+  validateHeaderValue(req, 'sec-fetch-mode', expectedMode)
+}
-  if (Array.isArray(reqMode)) {
-    throw createHttpError(400, `Invalid sec-fetch-mode header`)
-  }
+export function validateFetchDest(
+  req: IncomingMessage,
+  res: ServerResponse,
+  expectedDest: readonly (
+    | null
+    | 'document'
+    | 'embed'
+    | 'font'
+    | 'image'
+    | 'manifest'
+    | 'media'
+    | 'object'
+    | 'report'
+    | 'script'
+    | 'serviceworker'
+    | 'sharedworker'
+    | 'style'
+    | 'worker'
+    | 'xslt'
+  )[],
+) {
+  validateHeaderValue(req, 'sec-fetch-dest', expectedDest)
+}
-  if (!(expectedMode as (string | null)[]).includes(reqMode)) {
-    throw createHttpError(
-      403,
-      reqMode
-        ? `Forbidden sec-fetch-mode "${reqMode}" (expected ${expectedMode})`
-        : `Missing sec-fetch-mode (expected ${expectedMode})`,
-    )
-  }
+export function validateFetchSite(
+  req: IncomingMessage,
+  res: ServerResponse,
+  expectedSite: readonly (
+    | null
+    | 'same-origin'
+    | 'same-site'
+    | 'cross-site'
+    | 'none'
+  )[],
+) {
+  validateHeaderValue(req, 'sec-fetch-site', expectedSite)
 }
 export function validateReferer(
@@ -64,7 +110,7 @@ export function validateReferer(
   const referer = req.headers['referer']
   const refererUrl = referer ? new URL(referer) : null
   if (refererUrl ? !urlMatch(refererUrl, reference) : !allowNull) {
-    throw createHttpError(403, `Invalid referer ${referer}`)
+    throw createHttpError(400, `Invalid referer ${referer}`)
   }
 }
@@ -95,7 +141,7 @@ export function validateSameOrigin(
 ) {
   const reqOrigin = req.headers['origin']
   if (reqOrigin ? reqOrigin !== origin : !allowNull) {
-    throw createHttpError(403, `Invalid origin ${reqOrigin}`)
+    throw createHttpError(400, `Invalid origin ${reqOrigin}`)
   }
 }
@@ -113,7 +159,7 @@ export function validateCsrfToken(
     !cookieName ||
     cookies[cookieName] !== csrfToken
   ) {
-    throw createHttpError(403, `Invalid CSRF token`)
+    throw createHttpError(400, `Invalid CSRF token`)
   }
   if (clearCookie) {

package/src/lib/http/stream.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import {
   KnownNames,
   KnownParser,
   KnownTypes,
+  parseContentType,
   ParserForType,
   ParserResult,
   parsers,
@@ -64,9 +65,11 @@ export async function parseStream(
     throw createHttpError(400, 'Invalid content-type')
   }
+  const type = parseContentType(contentType)
   const parser = parsers.find(
     (parser) =>
-      allow?.includes(parser.name) !== false && parser.test(contentType),
+      allow?.includes(parser.name) !== false && parser.test(type.mime),
   )
   if (!parser) {
@@ -74,5 +77,5 @@ export async function parseStream(
   }
   const buffer = await readStream(req)
-  return parser.parse(buffer)
+  return parser.parse(buffer, type)
 }

package/src/metadata/build-metadata.ts CHANGED Viewed

@@ -2,11 +2,9 @@ import { Keyset } from '@atproto/jwk'
 import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types'
 import { Client } from '../client/client.js'
-import { OIDC_STANDARD_CLAIMS } from '../oidc/claims.js'
 import { VERIFY_ALGOS } from '../lib/util/crypto.js'
 export type CustomMetadata = {
-  claims_supported?: string[]
   scopes_supported?: string[]
   authorization_details_types_supported?: string[]
   protected_resources?: string[]
@@ -25,35 +23,10 @@ export function buildMetadata(
     issuer,
     scopes_supported: [
-      'offline_access',
-      'openid',
-      'email',
-      'phone',
-      'profile',
+      'atproto',
+      //
       ...(customMetadata?.scopes_supported ?? []),
     ],
-    claims_supported: [
-      /* IESG (Always provided) */
-      'sub', // did
-      'iss', // Authorization Server Origin
-      'aud',
-      'exp',
-      'iat',
-      'jti',
-      'client_id',
-      /* OpenID */
-      // 'acr', // "0"
-      // 'amr',
-      // 'azp',
-      'auth_time', // number - seconds since epoch
-      'nonce', // always required in "id_token", why would it not be supported?
-      ...(customMetadata?.claims_supported ?? OIDC_STANDARD_CLAIMS),
-    ],
     subject_types_supported: [
       //
       'public', // The same "sub" is returned for all clients
@@ -62,15 +35,15 @@ export function buildMetadata(
     response_types_supported: [
       // OAuth
       'code',
-      'token',
+      // 'token',
       // OpenID
-      'none',
-      'code id_token token',
-      'code id_token',
-      'code token',
-      'id_token token',
-      'id_token',
+      // 'none',
+      // 'code id_token token',
+      // 'code id_token',
+      // 'code token',
+      // 'id_token token',
+      // 'id_token',
     ],
     response_modes_supported: [
       // https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes
@@ -93,7 +66,6 @@ export function buildMetadata(
       //
       'en-US',
     ],
-    id_token_signing_alg_values_supported: [...keyset.signAlgorithms],
     display_values_supported: [
       //
       'page',
@@ -110,10 +82,6 @@ export function buildMetadata(
     request_object_encryption_alg_values_supported: [], // None
     request_object_encryption_enc_values_supported: [], // None
-    // No claim makes sense to be translated
-    claims_locales_supported: [],
-    claims_parameter_supported: true,
     request_parameter_supported: true,
     request_uri_parameter_supported: true,
     require_request_uri_registration: true,
@@ -127,28 +95,13 @@ export function buildMetadata(
     token_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
     revocation_endpoint: new URL('/oauth/revoke', issuer).href,
-    revocation_endpoint_auth_methods_supported: [
-      ...Client.AUTH_METHODS_SUPPORTED,
-    ],
-    revocation_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
     introspection_endpoint: new URL('/oauth/introspect', issuer).href,
-    introspection_endpoint_auth_methods_supported: [
-      ...Client.AUTH_METHODS_SUPPORTED,
-    ],
-    introspection_endpoint_auth_signing_alg_values_supported: [...VERIFY_ALGOS],
-    userinfo_endpoint: new URL('/oauth/userinfo', issuer).href,
     // end_session_endpoint: new URL('/oauth/logout', issuer).href,
     // https://datatracker.ietf.org/doc/html/rfc9126#section-5
     pushed_authorization_request_endpoint: new URL('/oauth/par', issuer).href,
-    pushed_authorization_request_endpoint_auth_methods_supported: [
-      ...Client.AUTH_METHODS_SUPPORTED,
-    ],
-    pushed_authorization_request_endpoint_auth_signing_alg_values_supported: [
-      ...VERIFY_ALGOS,
-    ],
     require_pushed_authorization_requests: true,

package/src/oauth-hooks.ts CHANGED Viewed

@@ -11,6 +11,7 @@ import { ClientAuth } from './client/client-auth.js'
 import { ClientId } from './client/client-id.js'
 import { ClientInfo } from './client/client-info.js'
 import { Client } from './client/client.js'
+import { InvalidAuthorizationDetailsError } from './errors/invalid-authorization-details-error.js'
 import { Awaitable } from './lib/util/type.js'
 // Make sure all types needed to implement the OAuthHooks are exported
@@ -20,6 +21,7 @@ export type {
   ClientAuth,
   ClientId,
   ClientInfo,
+  InvalidAuthorizationDetailsError,
   Jwks,
   OAuthAuthenticationRequestParameters,
   OAuthAuthorizationDetails,
@@ -42,7 +44,7 @@ export type OAuthHooks = {
   /**
    * Allows enriching the authorization details with additional information
-   * before the tokens are issued.
+   * when the tokens are issued.
    *
    * @see {@link https://datatracker.ietf.org/doc/html/rfc9396 | RFC 9396}
    */
@@ -51,16 +53,4 @@ export type OAuthHooks = {
     parameters: OAuthAuthenticationRequestParameters
     account: Account
   }) => Awaitable<undefined | OAuthAuthorizationDetails>
-  /**
-   * Allows altering the token response before it is sent to the client.
-   */
-  onTokenResponse?: (
-    tokenResponse: OAuthTokenResponse,
-    data: {
-      client: Client
-      parameters: OAuthAuthenticationRequestParameters
-      account: Account
-    },
-  ) => Awaitable<void>
 }