@atproto/oauth-provider 0.1.2 → 0.2.0

package/src/output/build-authorize-data.ts

@@ -8,12 +8,18 @@ import { Account } from '../account/account.js'
 import { Client } from '../client/client.js'
 import { RequestUri } from '../request/request-uri.js'
 
+export type ScopeDetail = {
+  scope: string
+  description?: string
+}
+
 export type AuthorizationResultAuthorize = {
   issuer: string
   client: Client
   parameters: OAuthAuthenticationRequestParameters
   authorize: {
     uri: RequestUri
+    scopeDetails?: ScopeDetail[]
     sessions: readonly {
       account: Account
       info: DeviceAccountInfo
@@ -44,6 +50,7 @@ export type AuthorizeData = {
   requestUri: string
   csrfCookie: string
   loginHint?: string
+  scopeDetails?: ScopeDetail[]
   newSessionsRequireConsent: boolean
   sessions: Session[]
 }
@@ -59,6 +66,7 @@ export function buildAuthorizeData(
     csrfCookie: `csrf-${data.authorize.uri}`,
     loginHint: data.parameters.login_hint,
     newSessionsRequireConsent: data.parameters.prompt === 'consent',
+    scopeDetails: data.authorize.scopeDetails,
     sessions: data.authorize.sessions.map(
       (session): Session => ({
         account: session.account,

package/src/replay/replay-manager.ts

@@ -2,6 +2,7 @@ import { ClientId } from '../client/client-id.js'
 import {
   CLIENT_ASSERTION_MAX_AGE,
   DPOP_NONCE_MAX_AGE,
+  CODE_CHALLENGE_REPLAY_TIMEFRAME,
   JAR_MAX_AGE,
 } from '../constants.js'
 import { ReplayStore } from './replay-store.js'
@@ -35,4 +36,12 @@ export class ReplayManager {
       asTimeFrame(DPOP_NONCE_MAX_AGE),
     )
   }
+
+  async uniqueCodeChallenge(challenge: string): Promise<boolean> {
+    return this.replayStore.unique(
+      'CodeChallenge',
+      challenge,
+      asTimeFrame(CODE_CHALLENGE_REPLAY_TIMEFRAME),
+    )
+  }
 }

package/src/replay/replay-store.ts

@@ -9,7 +9,7 @@ export interface ReplayStore {
    * strictly necessary for security purposes, the namespace should be used to
    * mitigate denial of service attacks from one client to the other.
    *
-   * @param timeFrame expressed in milliseconds. Will never exceed 24 hours.
+   * @param timeFrame expressed in milliseconds.
    */
   unique(
     namespace: string,

package/src/request/request-info.ts

@@ -1,4 +1,5 @@
 import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
+import { ClientId } from '../client/client-id.js'
 import { ClientAuth } from '../client/client-auth.js'
 import { RequestId } from './request-id.js'
 import { RequestUri } from './request-uri.js'
@@ -8,5 +9,6 @@ export type RequestInfo = {
   uri: RequestUri
   parameters: Readonly<OAuthAuthenticationRequestParameters>
   expiresAt: Date
+  clientId: ClientId
   clientAuth: ClientAuth
 }

package/src/request/request-manager.ts

@@ -4,7 +4,6 @@ import {
   OAuthAuthorizationServerMetadata,
 } from '@atproto/oauth-types'
 
-import { DeviceAccountInfo } from '../account/account-store.js'
 import { Account } from '../account/account.js'
 import { ClientAuth } from '../client/client-auth.js'
 import { ClientId } from '../client/client-id.js'
@@ -17,12 +16,12 @@ import {
 import { DeviceId } from '../device/device-id.js'
 import { AccessDeniedError } from '../errors/access-denied-error.js'
 import { ConsentRequiredError } from '../errors/consent-required-error.js'
+import { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'
 import { InvalidGrantError } from '../errors/invalid-grant-error.js'
 import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
 import { compareRedirectUri } from '../lib/util/redirect-uri.js'
 import { OAuthHooks } from '../oauth-hooks.js'
-import { OIDC_SCOPE_CLAIMS } from '../oidc/claims.js'
 import { Signer } from '../signer/signer.js'
 import { Code, generateCode } from './code.js'
 import {
@@ -44,7 +43,6 @@ export class RequestManager {
     protected readonly signer: Signer,
     protected readonly metadata: OAuthAuthorizationServerMetadata,
     protected readonly hooks: OAuthHooks,
-    protected readonly pkceRequired = true,
     protected readonly tokenMaxAge = TOKEN_MAX_AGE,
   ) {}
 
@@ -83,7 +81,7 @@ export class RequestManager {
     })
 
     const uri = encodeRequestUri(id)
-    return { id, uri, expiresAt, parameters, clientAuth }
+    return { id, uri, expiresAt, parameters, clientId: client.id, clientAuth }
   }
 
   async validate(
@@ -91,8 +89,28 @@ export class RequestManager {
     clientAuth: ClientAuth,
     parameters: Readonly<OAuthAuthenticationRequestParameters>,
     dpopJkt: null | string,
-    pkceRequired = this.pkceRequired,
   ): Promise<Readonly<OAuthAuthenticationRequestParameters>> {
+    for (const k of [
+      // Known unsupported OIDC parameters
+      'claims',
+      'id_token_hint',
+      'nonce', // note that OIDC "nonce" is redundant with PKCE
+    ] as const) {
+      if (parameters[k]) {
+        throw new InvalidParametersError(
+          parameters,
+          `Unsupported "${k}" parameter`,
+        )
+      }
+    }
+
+    if (parameters.response_type !== 'code') {
+      throw new InvalidParametersError(
+        parameters,
+        'Only "code" response type is allowed',
+      )
+    }
+
     // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-1.4.1
     // > The authorization server MAY fully or partially ignore the scope
     // > requested by the client, based on the authorization server policy or
@@ -101,59 +119,75 @@ export class RequestManager {
     // > server MUST include the scope response parameter in the token response
     // > (Section 3.2.3) to inform the client of the actual scope granted.
 
-    const cScopes = client.metadata.scope?.split(' ')
+    const cScopes = client.metadata.scope?.split(' ').filter(Boolean)
     const sScopes = this.metadata.scopes_supported
 
-    const scopes =
-      (parameters.scope || client.metadata.scope)
-        ?.split(' ')
-        .filter((scope) => !!scope && (sScopes?.includes(scope) ?? true)) ?? []
+    const scopes = new Set(
+      parameters.scope?.split(' ').filter(Boolean) || cScopes,
+    )
+
+    if (scopes.has('openid')) {
+      throw new InvalidParametersError(
+        parameters,
+        'OpenID Connect is not supported',
+      )
+    }
+
+    if (!scopes.has('atproto')) {
+      throw new InvalidParametersError(
+        parameters,
+        'The "atproto" scope is required',
+      )
+    }
 
     for (const scope of scopes) {
-      if (!cScopes?.includes(scope)) {
+      // Loopback clients do not define any scope in their metadata
+      if (cScopes && !cScopes.includes(scope)) {
         throw new InvalidParametersError(
           parameters,
           `Scope "${scope}" is not registered for this client`,
         )
       }
-    }
 
-    for (const [scope, claims] of Object.entries(OIDC_SCOPE_CLAIMS)) {
-      for (const claim of claims) {
-        if (
-          parameters?.claims?.id_token?.[claim]?.essential === true ||
-          parameters?.claims?.userinfo?.[claim]?.essential === true
-        ) {
-          if (!scopes?.includes(scope)) {
-            throw new InvalidParametersError(
-              parameters,
-              `Essential ${claim} claim requires "${scope}" scope`,
-            )
-          }
-        }
+      // Currently, the implementation requires all the scopes to be statically
+      // defined in the server metadata. In the future, we might add support
+      // for dynamic scopes.
+      if (!sScopes?.includes(scope)) {
+        throw new InvalidParametersError(
+          parameters,
+          `Scope "${scope}" is not supported by this server`,
+        )
       }
     }
 
-    parameters = { ...parameters, scope: scopes.join(' ') }
-
-    const responseTypes = parameters.response_type.split(' ')
+    parameters = { ...parameters, scope: [...scopes].join(' ') || undefined }
 
     if (parameters.authorization_details) {
       const clientAuthDetailsTypes = client.metadata.authorization_details_types
       if (!clientAuthDetailsTypes) {
-        throw new InvalidParametersError(
+        throw new InvalidAuthorizationDetailsError(
           parameters,
           'Client Metadata does not declare any "authorization_details"',
         )
       }
 
       for (const detail of parameters.authorization_details) {
-        if (!clientAuthDetailsTypes?.includes(detail.type)) {
-          throw new InvalidParametersError(
+        if (
+          !this.metadata.authorization_details_types_supported?.includes(
+            detail.type,
+          )
+        ) {
+          throw new InvalidAuthorizationDetailsError(
             parameters,
             `Unsupported "authorization_details" type "${detail.type}"`,
           )
         }
+        if (!clientAuthDetailsTypes?.includes(detail.type)) {
+          throw new InvalidAuthorizationDetailsError(
+            parameters,
+            `Client Metadata does not declare any "authorization_details" of type "${detail.type}"`,
+          )
+        }
       }
     }
 
@@ -197,16 +231,9 @@ export class RequestManager {
       )
     }
 
-    if (pkceRequired && responseTypes.includes('token')) {
-      throw new InvalidParametersError(
-        parameters,
-        `Response type "${parameters.response_type}" is incompatible with PKCE`,
-        'unsupported_response_type',
-      )
-    }
-
     // https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1
-    if (pkceRequired && !parameters.code_challenge) {
+    // PKCE is mandatory
+    if (!parameters.code_challenge) {
       throw new InvalidParametersError(parameters, 'code_challenge is required')
     }
 
@@ -229,50 +256,15 @@ export class RequestManager {
       )
     }
 
-    // https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
-    //
-    // > nonce: REQUIRED if the Response Type of the request is "code id_token" or
-    // >   "code id_token token" and OPTIONAL when the Response Type of the
-    // >   request is "code token". It is a string value used to associate a
-    // >   Client session with an ID Token, and to mitigate replay attacks. The
-    // >   value is passed through unmodified from the Authentication Request to
-    // >   the ID Token. Sufficient entropy MUST be present in the nonce values
-    // >   used to prevent attackers from guessing values. For implementation
-    // >   notes, see Section 15.5.2.
-    if (responseTypes.includes('id_token') && !parameters.nonce) {
-      throw new InvalidParametersError(
-        parameters,
-        'nonce is required for implicit and hybrid flows',
-      )
-    }
-
-    // Make "expensive" checks after the "cheaper" checks
-
-    if (parameters.id_token_hint != null) {
-      const { payload } = await this.signer.verify(parameters.id_token_hint, {
-        // these are meant to be outdated when used as a hint
-        clockTolerance: Infinity,
-      })
-
-      if (!payload.sub) {
-        throw new InvalidParametersError(
-          parameters,
-          `Unexpected empty id_token_hint "sub"`,
-        )
-      } else if (parameters.login_hint == null) {
-        parameters = { ...parameters, login_hint: payload.sub }
-      } else if (parameters.login_hint !== payload.sub) {
-        throw new InvalidParametersError(
-          parameters,
-          'login_hint does not match "sub" of id_token_hint',
-        )
-      }
-    }
-
-    // ATPROTO extension: if the client is not trusted, force users to consent
-    // to authorization requests. We do this to avoid unauthenticated clients
-    // from being able to silently re-authenticate users.
-    if (clientAuth.method === 'none' && !client.info.isFirstParty) {
+    // ATPROTO extension: if the client is not trusted, and not authenticated,
+    // force users to consent to authorization requests. We do this to avoid
+    // unauthenticated clients from being able to silently re-authenticate
+    // users.
+    if (
+      !client.info.isTrusted &&
+      !client.info.isFirstParty &&
+      clientAuth.method === 'none'
+    ) {
       if (parameters.prompt === 'none') {
         throw new ConsentRequiredError(
           parameters,
@@ -346,6 +338,7 @@ export class RequestManager {
       uri,
       expiresAt: updates.expiresAt || data.expiresAt,
       parameters: data.parameters,
+      clientId: data.clientId,
       clientAuth: data.clientAuth,
     }
   }
@@ -355,8 +348,7 @@ export class RequestManager {
     uri: RequestUri,
     deviceId: DeviceId,
     account: Account,
-    info: DeviceAccountInfo,
-  ): Promise<{ code?: Code; token?: string; id_token?: string }> {
+  ): Promise<Code> {
     const id = decodeRequestUri(uri)
 
     const data = await this.store.readRequest(id)
@@ -385,18 +377,8 @@ export class RequestManager {
         )
       }
 
-      const responseType = data.parameters.response_type.split(' ')
-
-      if (responseType.includes('token')) {
-        throw new AccessDeniedError(
-          data.parameters,
-          'Implicit "token" forbidden (use "code" with PKCE instead)',
-        )
-      }
-
-      const code = responseType.includes('code')
-        ? await generateCode()
-        : undefined
+      // Only response_type=code is supported
+      const code = await generateCode()
 
       // Bind the request to the account, preventing it from being used again.
       await this.store.updateRequest(id, {
@@ -406,15 +388,7 @@ export class RequestManager {
         expiresAt: new Date(Date.now() + AUTHORIZATION_INACTIVITY_TIMEOUT),
       })
 
-      const id_token = responseType.includes('id_token')
-        ? await this.signer.idToken(client, data.parameters, account, {
-            auth_time: info.authenticatedAt,
-            exp: this.createTokenExpiry(),
-            code,
-          })
-        : undefined
-
-      return { code, id_token }
+      return code
     } catch (err) {
       await this.store.deleteRequest(id)
       throw err

package/src/signer/signer.ts

@@ -1,5 +1,3 @@
-import { randomBytes } from 'node:crypto'
-
 import {
   JwtPayload,
   JwtPayloadGetter,
@@ -12,14 +10,10 @@ import {
   OAuthAuthenticationRequestParameters,
   OAuthAuthorizationDetails,
 } from '@atproto/oauth-types'
-import { generate as hash } from 'oidc-token-hash'
 
 import { Account } from '../account/account.js'
 import { Client } from '../client/client.js'
-import { InvalidClientMetadataError } from '../errors/invalid-client-metadata-error.js'
 import { dateToEpoch } from '../lib/util/date.js'
-import { claimRequested } from '../parameters/claims-requested.js'
-import { oidcPayload } from '../parameters/oidc-payload.js'
 import { TokenId } from '../token/token-id.js'
 import {
   SignedTokenPayload,
@@ -105,61 +99,4 @@ export class Signer {
 
     return result
   }
-
-  async idToken(
-    client: Client,
-    params: OAuthAuthenticationRequestParameters,
-    account: Account,
-    extra: {
-      exp: Date
-      iat?: Date
-      auth_time?: Date
-      code?: string
-      access_token?: string
-    },
-  ): Promise<SignedJwt> {
-    // This can happen when a client is using password_grant. If a client is
-    // using password_grant, it should not set "require_auth_time" to true.
-    if (client.metadata.require_auth_time && extra.auth_time == null) {
-      throw new InvalidClientMetadataError(
-        '"require_auth_time" metadata is not compatible with "password_grant" flow',
-      )
-    }
-
-    return this.sign(
-      {
-        alg: client.metadata.id_token_signed_response_alg,
-        typ: 'JWT',
-      },
-      async ({ alg }, key) => ({
-        ...oidcPayload(params, account),
-
-        aud: client.id,
-        iat: dateToEpoch(extra.iat),
-        exp: dateToEpoch(extra.exp),
-        sub: account.sub,
-        jti: randomBytes(16).toString('hex'),
-        scope: params.scope,
-        nonce: params.nonce,
-
-        s_hash: params.state //
-          ? await hash(params.state, alg, key.crv)
-          : undefined,
-        c_hash: extra.code //
-          ? await hash(extra.code, alg, key.crv)
-          : undefined,
-        at_hash: extra.access_token //
-          ? await hash(extra.access_token, alg, key.crv)
-          : undefined,
-
-        // https://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#rfc.section.5.2
-        auth_time:
-          client.metadata.require_auth_time ||
-          (extra.auth_time != null && params.max_age != null) ||
-          claimRequested(params, 'id_token', 'auth_time', extra.auth_time)
-            ? dateToEpoch(extra.auth_time!)
-            : undefined,
-      }),
-    )
-  }
 }

package/src/token/token-manager.ts

@@ -1,4 +1,4 @@
-import { isSignedJwt, SignedJwt } from '@atproto/jwk'
+import { isSignedJwt } from '@atproto/jwk'
 import {
   AccessToken,
   CLIENT_ASSERTION_TYPE_JWT_BEARER,
@@ -140,6 +140,10 @@ export class TokenManager {
       if (!('code_verifier' in input) || !input.code_verifier) {
         throw new InvalidGrantError('code_verifier is required')
       }
+      // Prevent client from generating too short code_verifiers
+      if (input.code_verifier.length < 43) {
+        throw new InvalidGrantError('code_verifier too short')
+      }
       switch (parameters.code_challenge_method) {
         case undefined: // Default is "plain" (per spec)
         case 'plain': {
@@ -181,8 +185,7 @@ export class TokenManager {
     }
 
     const tokenId = await generateTokenId()
-    const scopes = parameters.scope?.split(' ')
-    const refreshToken = scopes?.includes('offline_access')
+    const refreshToken = client.metadata.grant_types.includes('refresh_token')
       ? await generateRefreshToken()
       : undefined
 
@@ -222,22 +225,10 @@ export class TokenManager {
           authorization_details: authorizationDetails,
         })
 
-    const idToken = scopes?.includes('openid')
-      ? await this.signer.idToken(client, parameters, account, {
-          exp: expiresAt,
-          iat: now,
-          // If there is no deviceInfo, we are in a "password_grant" context
-          auth_time: device?.info.authenticatedAt || new Date(),
-          access_token: accessToken,
-          code,
-        })
-      : undefined
-
     return this.buildTokenResponse(
       client,
       accessToken,
       refreshToken,
-      idToken,
       expiresAt,
       parameters,
       account,
@@ -249,7 +240,6 @@ export class TokenManager {
     client: Client,
     accessToken: AccessToken,
     refreshToken: string | undefined,
-    idToken: SignedJwt | undefined,
     expiresAt: Date,
     parameters: OAuthAuthenticationRequestParameters,
     account: Account,
@@ -259,8 +249,7 @@ export class TokenManager {
       access_token: accessToken,
       token_type: parameters.dpop_jkt ? 'DPoP' : 'Bearer',
       refresh_token: refreshToken,
-      id_token: idToken,
-      scope: parameters.scope ?? '',
+      scope: parameters.scope,
       authorization_details: authorizationDetails,
       get expires_in() {
         return dateToRelativeSeconds(expiresAt)
@@ -272,12 +261,6 @@ export class TokenManager {
       sub: account.sub,
     }
 
-    await this.hooks.onTokenResponse?.call(null, tokenResponse, {
-      client,
-      parameters,
-      account,
-    })
-
     return tokenResponse
   }
 
@@ -316,7 +299,7 @@ export class TokenManager {
       throw new InvalidGrantError(`Invalid refresh token`)
     }
 
-    const { account, info, data } = tokenInfo
+    const { account, data } = tokenInfo
     const { parameters } = data
 
     try {
@@ -400,26 +383,10 @@ export class TokenManager {
             authorization_details,
           })
 
-      // https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.3.3
-      //
-      // >  In addition to the response parameters specified by OAuth 2.0, the
-      // >  following parameters MUST be included in the response:
-      // >  - id_token: ID Token value associated with the authenticated session.
-      const scopes = parameters.scope?.split(' ')
-      const idToken = scopes?.includes('openid')
-        ? await this.signer.idToken(client, parameters, account, {
-            exp: expiresAt,
-            iat: now,
-            auth_time: info?.authenticatedAt,
-            access_token: accessToken,
-          })
-        : undefined
-
       return this.buildTokenResponse(
         client,
         accessToken,
         nextRefreshToken,
-        idToken,
         expiresAt,
         parameters,
         account,

package/dist/oidc/claims.d.ts

@@ -1,16 +0,0 @@
-import { JwtPayload } from '@atproto/jwk';
-/**
- * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims | OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values}
- */
-export declare const OIDC_SCOPE_CLAIMS: Readonly<{
-    email: readonly ["email", "email_verified"];
-    phone: readonly ["phone_number", "phone_number_verified"];
-    address: readonly ["address"];
-    profile: readonly ["name", "family_name", "given_name", "middle_name", "nickname", "preferred_username", "gender", "picture", "profile", "website", "birthdate", "zoneinfo", "locale", "updated_at"];
-}>;
-export declare const OIDC_STANDARD_CLAIMS: readonly ("name" | "email" | "email_verified" | "phone_number" | "phone_number_verified" | "address" | "profile" | "family_name" | "given_name" | "middle_name" | "nickname" | "preferred_username" | "gender" | "picture" | "website" | "birthdate" | "zoneinfo" | "locale" | "updated_at")[];
-export type OIDCStandardClaim = (typeof OIDC_STANDARD_CLAIMS)[number];
-export type OIDCStandardPayload = Partial<{
-    [K in OIDCStandardClaim]?: JwtPayload[K];
-}>;
-//# sourceMappingURL=claims.d.ts.map

package/dist/oidc/claims.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"claims.d.ts","sourceRoot":"","sources":["../../src/oidc/claims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AAEzC;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;;EAoB5B,CAAA;AAEF,eAAO,MAAM,oBAAoB,gSAEhC,CAAA;AAED,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,oBAAoB,CAAC,CAAC,MAAM,CAAC,CAAA;AACrE,MAAM,MAAM,mBAAmB,GAAG,OAAO,CAAC;KACvC,CAAC,IAAI,iBAAiB,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;CACzC,CAAC,CAAA"}

package/dist/oidc/claims.js

@@ -1,29 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OIDC_STANDARD_CLAIMS = exports.OIDC_SCOPE_CLAIMS = void 0;
-/**
- * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims | OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values}
- */
-exports.OIDC_SCOPE_CLAIMS = Object.freeze({
-    email: Object.freeze(['email', 'email_verified']),
-    phone: Object.freeze(['phone_number', 'phone_number_verified']),
-    address: Object.freeze(['address']),
-    profile: Object.freeze([
-        'name',
-        'family_name',
-        'given_name',
-        'middle_name',
-        'nickname',
-        'preferred_username',
-        'gender',
-        'picture',
-        'profile',
-        'website',
-        'birthdate',
-        'zoneinfo',
-        'locale',
-        'updated_at',
-    ]),
-});
-exports.OIDC_STANDARD_CLAIMS = Object.freeze(Object.values(exports.OIDC_SCOPE_CLAIMS).flat());
-//# sourceMappingURL=claims.js.map

package/dist/oidc/claims.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"claims.js","sourceRoot":"","sources":["../../src/oidc/claims.ts"],"names":[],"mappings":";;;AAEA;;GAEG;AACU,QAAA,iBAAiB,GAAG,MAAM,CAAC,MAAM,CAAC;IAC7C,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,gBAAgB,CAAU,CAAC;IAC1D,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,EAAE,uBAAuB,CAAU,CAAC;IACxE,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAU,CAAC;IAC5C,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC;QACrB,MAAM;QACN,aAAa;QACb,YAAY;QACZ,aAAa;QACb,UAAU;QACV,oBAAoB;QACpB,QAAQ;QACR,SAAS;QACT,SAAS;QACT,SAAS;QACT,WAAW;QACX,UAAU;QACV,QAAQ;QACR,YAAY;KACJ,CAAC;CACZ,CAAC,CAAA;AAEW,QAAA,oBAAoB,GAAG,MAAM,CAAC,MAAM,CAC/C,MAAM,CAAC,MAAM,CAAC,yBAAiB,CAAC,CAAC,IAAI,EAAE,CACxC,CAAA"}

package/dist/oidc/userinfo.d.ts

@@ -1,7 +0,0 @@
-import { OIDCStandardPayload } from './claims.js';
-export type Userinfo = OIDCStandardPayload & {
-    sub: string;
-    client_id: string;
-    username?: string;
-};
-//# sourceMappingURL=userinfo.d.ts.map

package/dist/oidc/userinfo.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"userinfo.d.ts","sourceRoot":"","sources":["../../src/oidc/userinfo.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAA;AAEjD,MAAM,MAAM,QAAQ,GAAG,mBAAmB,GAAG;IAE3C,GAAG,EAAE,MAAM,CAAA;IAGX,SAAS,EAAE,MAAM,CAAA;IAEjB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB,CAAA"}

package/dist/oidc/userinfo.js

@@ -1,3 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=userinfo.js.map

package/dist/oidc/userinfo.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"userinfo.js","sourceRoot":"","sources":["../../src/oidc/userinfo.ts"],"names":[],"mappings":""}

package/dist/parameters/claims-requested.d.ts

@@ -1,3 +0,0 @@
-import { OAuthAuthenticationRequestParameters, OidcClaimsParameter, OidcEntityType } from '@atproto/oauth-types';
-export declare function claimRequested(parameters: OAuthAuthenticationRequestParameters, entityType: OidcEntityType, claimName: OidcClaimsParameter, value: unknown): boolean;
-//# sourceMappingURL=claims-requested.d.ts.map

package/dist/parameters/claims-requested.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"claims-requested.d.ts","sourceRoot":"","sources":["../../src/parameters/claims-requested.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,oCAAoC,EACpC,mBAAmB,EACnB,cAAc,EACf,MAAM,sBAAsB,CAAA;AAG7B,wBAAgB,cAAc,CAC5B,UAAU,EAAE,oCAAoC,EAChD,UAAU,EAAE,cAAc,EAC1B,SAAS,EAAE,mBAAmB,EAC9B,KAAK,EAAE,OAAO,GACb,OAAO,CA+BT"}