@atproto/oauth-provider 0.1.3 → 0.2.1

package/src/client/client-manager.ts

@@ -17,6 +17,7 @@ import {
   isLoopbackUrl,
   isOAuthClientIdDiscoverable,
   isOAuthClientIdLoopback,
+  OAuthAuthorizationServerMetadata,
   OAuthClientIdDiscoverable,
   OAuthClientIdLoopback,
   OAuthClientMetadata,
@@ -55,9 +56,10 @@ export type LoopbackMetadataGetter = (
 
 export class ClientManager {
   protected readonly jwks: CachedGetter<string, Jwks>
-  protected readonly metadata: CachedGetter<string, OAuthClientMetadata>
+  protected readonly metadataGetter: CachedGetter<string, OAuthClientMetadata>
 
   constructor(
+    protected readonly serverMetadata: OAuthAuthorizationServerMetadata,
     protected readonly keyset: Keyset,
     protected readonly hooks: OAuthHooks,
     protected readonly store: ClientStore | null,
@@ -76,7 +78,7 @@ export class ClientManager {
       return jwks
     }, clientJwksCache)
 
-    this.metadata = new CachedGetter(async (uri, options) => {
+    this.metadataGetter = new CachedGetter(async (uri, options) => {
       const metadata = await fetch(buildJsonGetRequest(uri, options)).then(
         fetchMetadataHandler,
       )
@@ -159,7 +161,7 @@ export class ClientManager {
   ): Promise<OAuthClientMetadata> {
     const metadataUrl = parseDiscoverableClientId(clientId)
 
-    const metadata = await this.metadata.get(metadataUrl.href)
+    const metadata = await this.metadataGetter.get(metadataUrl.href)
 
     // Note: we do *not* re-validate the metadata here, as the metadata is
     // validated within the getter. This is to avoid double validation.
@@ -195,6 +197,18 @@ export class ClientManager {
       )
     }
 
+    // Known OIDC specific parameters
+    for (const k of [
+      'default_max_age',
+      'userinfo_signed_response_alg',
+      'id_token_signed_response_alg',
+      'userinfo_encrypted_response_alg',
+    ] as const) {
+      if (metadata[k] != null) {
+        throw new InvalidClientMetadataError(`Unsupported "${k}" parameter`)
+      }
+    }
+
     const clientUriUrl = metadata.client_uri
       ? new URL(metadata.client_uri)
       : null
@@ -204,13 +218,27 @@ export class ClientManager {
       throw new InvalidClientMetadataError('client_uri must be a valid URL')
     }
 
-    const scopes = metadata.scope?.split(' ')
-    if (
-      metadata.grant_types.includes('refresh_token') !==
-      (scopes?.includes('offline_access') ?? false)
-    ) {
+    const scopes = metadata.scope?.split(' ').filter(Boolean)
+
+    const dupScope = scopes?.find(isDuplicate)
+    if (dupScope) {
+      throw new InvalidClientMetadataError(`Duplicate scope "${dupScope}"`)
+    }
+
+    if (scopes) {
+      for (const scope of scopes) {
+        // Note, once we have dynamic scopes, this check will need to be
+        // updated to check against the server's supported scopes.
+        if (!this.serverMetadata.scopes_supported?.includes(scope)) {
+          throw new InvalidClientMetadataError(`Unsupported scope "${scope}"`)
+        }
+      }
+    }
+
+    const dupGrantType = metadata.grant_types.find(isDuplicate)
+    if (dupGrantType) {
       throw new InvalidClientMetadataError(
-        'Grant type "refresh_token" requires scope "offline_access" (and vice versa)',
+        `Duplicate grant type "${dupGrantType}"`,
       )
     }
 
@@ -218,8 +246,8 @@ export class ClientManager {
       switch (grantType) {
         case 'authorization_code':
         case 'refresh_token':
-        case 'implicit': // Required by OIDC (for id_token)
           continue
+        case 'implicit':
         case 'password':
           throw new InvalidClientMetadataError(
             `Grant type "${grantType}" is not allowed`,
@@ -241,35 +269,6 @@ export class ClientManager {
       )
     }
 
-    if (
-      metadata.userinfo_signed_response_alg &&
-      !this.keyset.signAlgorithms.includes(
-        metadata.userinfo_signed_response_alg,
-      )
-    ) {
-      throw new InvalidClientMetadataError(
-        `Unsupported "userinfo_signed_response_alg" ${metadata.userinfo_signed_response_alg}`,
-      )
-    }
-
-    if (
-      metadata.id_token_signed_response_alg &&
-      !this.keyset.signAlgorithms.includes(
-        metadata.id_token_signed_response_alg,
-      )
-    ) {
-      throw new InvalidClientMetadataError(
-        `Unsupported "id_token_signed_response_alg" ${metadata.id_token_signed_response_alg}`,
-      )
-    }
-
-    if (metadata.userinfo_encrypted_response_alg) {
-      // We only support signature for now.
-      throw new InvalidClientMetadataError(
-        'Encrypted userinfo response is not supported',
-      )
-    }
-
     const method = metadata[`token_endpoint_auth_method`]
     switch (method) {
       case undefined:
@@ -338,37 +337,28 @@ export class ClientManager {
     }
 
     for (const responseType of metadata.response_types) {
-      const rt = responseType.split(' ')
+      if (responseType.includes('id_token')) {
+        throw new InvalidClientMetadataError(
+          `OpenID Connect response type "${responseType}" is not supported`,
+        )
+      }
 
       // ATPROTO spec requires the use of PKCE
-      if (rt.includes('token')) {
+      if (responseType !== 'code') {
         throw new InvalidClientMetadataError(
-          '"token" response type is not compatible with PKCE (use "code" instead)',
+          `Unsupported response type "${responseType}"`,
         )
       }
 
       // Consistency check
       if (
-        rt.includes('code') &&
+        responseType === 'code' &&
         !metadata.grant_types.includes('authorization_code')
       ) {
         throw new InvalidClientMetadataError(
           `Response type "${responseType}" requires the "authorization_code" grant type`,
         )
       }
-
-      // Asking for "code token" or "code id_token" is fine (as long as the
-      // grant_types includes "authorization_code" and the scope includes
-      // "openid"). Asking for "token" or "id_token" (without "code") requires
-      // the "implicit" grant type.
-      if (
-        (rt.includes('token') || rt.includes('id_token')) &&
-        !metadata.grant_types.includes('implicit')
-      ) {
-        throw new InvalidClientMetadataError(
-          `Response type "${responseType}" requires the "implicit" grant type`,
-        )
-      }
     }
 
     if (metadata.application_type === 'native') {
@@ -383,11 +373,33 @@ export class ClientManager {
       // > accordingly.
     }
 
+    if (metadata.authorization_details_types?.length) {
+      const dupAuthDetailsType =
+        metadata.authorization_details_types.find(isDuplicate)
+      if (dupAuthDetailsType) {
+        throw new InvalidClientMetadataError(
+          `Duplicate authorization_details_type "${dupAuthDetailsType}"`,
+        )
+      }
+
+      const authorizationDetailsTypesSupported =
+        this.serverMetadata.authorization_details_types_supported
+      if (!authorizationDetailsTypesSupported) {
+        throw new InvalidClientMetadataError(
+          'authorization_details_types are not supported',
+        )
+      }
+      for (const type of metadata.authorization_details_types) {
+        if (!authorizationDetailsTypesSupported.includes(type)) {
+          throw new InvalidClientMetadataError(
+            `Unsupported authorization_details_type "${type}"`,
+          )
+        }
+      }
+    }
+
     if (!metadata.redirect_uris?.length) {
-      // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
-      //
-      // >  OPs can require that request_uri values used be pre-registered with
-      // > the require_request_uri_registration discovery parameter.
+      // ATPROTO spec requires that at least one redirect URI is provided
 
       throw new InvalidClientMetadataError(
         'At least one redirect_uri is required',
@@ -786,6 +798,12 @@ export class ClientManager {
   }
 }
 
+function isDuplicate<
+  T extends string | number | boolean | null | undefined | symbol,
+>(value: T, index: number, array: T[]) {
+  return array.includes(value, index + 1)
+}
+
 function reverseDomain(domain: string) {
   return domain.split('.').reverse().join('.')
 }

package/src/client/client.ts

@@ -140,6 +140,7 @@ export class Client {
           audience: checks.audience,
           subject: this.id,
           maxTokenAge: CLIENT_ASSERTION_MAX_AGE / 1000,
+          requiredClaims: ['jti'],
         }).catch((err) => {
           if (err instanceof JOSEError) {
             const msg = `Validation of "client_assertion" failed: ${err.message}`
@@ -153,10 +154,6 @@ export class Client {
           throw new InvalidClientError(`"kid" required in client_assertion`)
         }
 
-        if (!result.payload.jti) {
-          throw new InvalidClientError(`"jti" required in client_assertion`)
-        }
-
         const clientAuth: ClientAuth = {
           method: CLIENT_ASSERTION_TYPE_JWT_BEARER,
           jkt: await authJwkThumbprint(result.key),

package/src/constants.ts

@@ -67,3 +67,6 @@ export const DPOP_NONCE_MAX_AGE = 3 * MINUTE
 
 /** 5 seconds */
 export const SESSION_FIXATION_MAX_AGE = 5 * SECOND
+
+/** 1 day */
+export const CODE_CHALLENGE_REPLAY_TIMEFRAME = 1 * DAY

package/src/device/device-manager.ts

@@ -100,10 +100,16 @@ export class DeviceManager {
   public async load(
     req: IncomingMessage,
     res: ServerResponse,
+    forceRotate = false,
   ): Promise<{ deviceId: DeviceId }> {
     const cookie = await this.getCookie(req)
     if (cookie) {
-      return this.refresh(req, res, cookie.value, cookie.mustRotate)
+      return this.refresh(
+        req,
+        res,
+        cookie.value,
+        forceRotate || cookie.mustRotate,
+      )
     } else {
       return this.create(req, res)
     }

package/src/errors/invalid-authorization-details-error.ts

@@ -1,4 +1,5 @@
-import { OAuthError } from './oauth-error.js'
+import { OAuthAuthenticationRequestParameters } from '@atproto/oauth-types'
+import { AccessDeniedError } from './access-denied-error.js'
 
 /**
  * @see
@@ -15,8 +16,12 @@ import { OAuthError } from './oauth-error.js'
  *  - contains fields with invalid values for the authorization details type, or
  *  - is missing required fields for the authorization details type.
  */
-export class InvalidAuthorizationDetailsError extends OAuthError {
-  constructor(error_description: string, cause?: unknown) {
-    super('invalid_authorization_details', error_description, 400, cause)
+export class InvalidAuthorizationDetailsError extends AccessDeniedError {
+  constructor(
+    parameters: OAuthAuthenticationRequestParameters,
+    error_description: string,
+    cause?: unknown,
+  ) {
+    super(parameters, error_description, 'invalid_authorization_details', cause)
   }
 }

package/src/lib/http/request.ts

@@ -28,6 +28,27 @@ export async function validateRequestPayload<S extends z.ZodTypeAny>(
   return schema.parseAsync(payload, { path: ['body'] })
 }
 
+export function validateHeaderValue(
+  req: IncomingMessage,
+  name: keyof IncomingMessage['headers'],
+  allowedValues: readonly (string | null)[],
+) {
+  const value = req.headers[name] ?? null
+
+  if (Array.isArray(value)) {
+    throw createHttpError(400, `Invalid ${name} header`)
+  }
+
+  if (!allowedValues.includes(value)) {
+    throw createHttpError(
+      400,
+      value
+        ? `Forbidden ${name} header "${value}" (expected ${allowedValues})`
+        : `Missing ${name} header`,
+    )
+  }
+}
+
 export function validateFetchMode(
   req: IncomingMessage,
   res: ServerResponse,
@@ -39,20 +60,45 @@ export function validateFetchMode(
     | 'cors'
   )[],
 ) {
-  const reqMode = req.headers['sec-fetch-mode'] ?? null
+  validateHeaderValue(req, 'sec-fetch-mode', expectedMode)
+}
 
-  if (Array.isArray(reqMode)) {
-    throw createHttpError(400, `Invalid sec-fetch-mode header`)
-  }
+export function validateFetchDest(
+  req: IncomingMessage,
+  res: ServerResponse,
+  expectedDest: readonly (
+    | null
+    | 'document'
+    | 'embed'
+    | 'font'
+    | 'image'
+    | 'manifest'
+    | 'media'
+    | 'object'
+    | 'report'
+    | 'script'
+    | 'serviceworker'
+    | 'sharedworker'
+    | 'style'
+    | 'worker'
+    | 'xslt'
+  )[],
+) {
+  validateHeaderValue(req, 'sec-fetch-dest', expectedDest)
+}
 
-  if (!(expectedMode as (string | null)[]).includes(reqMode)) {
-    throw createHttpError(
-      403,
-      reqMode
-        ? `Forbidden sec-fetch-mode "${reqMode}" (expected ${expectedMode})`
-        : `Missing sec-fetch-mode (expected ${expectedMode})`,
-    )
-  }
+export function validateFetchSite(
+  req: IncomingMessage,
+  res: ServerResponse,
+  expectedSite: readonly (
+    | null
+    | 'same-origin'
+    | 'same-site'
+    | 'cross-site'
+    | 'none'
+  )[],
+) {
+  validateHeaderValue(req, 'sec-fetch-site', expectedSite)
 }
 
 export function validateReferer(
@@ -64,7 +110,7 @@ export function validateReferer(
   const referer = req.headers['referer']
   const refererUrl = referer ? new URL(referer) : null
   if (refererUrl ? !urlMatch(refererUrl, reference) : !allowNull) {
-    throw createHttpError(403, `Invalid referer ${referer}`)
+    throw createHttpError(400, `Invalid referer ${referer}`)
   }
 }
 
@@ -95,7 +141,7 @@ export function validateSameOrigin(
 ) {
   const reqOrigin = req.headers['origin']
   if (reqOrigin ? reqOrigin !== origin : !allowNull) {
-    throw createHttpError(403, `Invalid origin ${reqOrigin}`)
+    throw createHttpError(400, `Invalid origin ${reqOrigin}`)
   }
 }
 
@@ -113,7 +159,7 @@ export function validateCsrfToken(
     !cookieName ||
     cookies[cookieName] !== csrfToken
   ) {
-    throw createHttpError(403, `Invalid CSRF token`)
+    throw createHttpError(400, `Invalid CSRF token`)
   }
 
   if (clearCookie) {

package/src/metadata/build-metadata.ts

@@ -2,11 +2,9 @@ import { Keyset } from '@atproto/jwk'
 import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types'
 
 import { Client } from '../client/client.js'
-import { OIDC_STANDARD_CLAIMS } from '../oidc/claims.js'
 import { VERIFY_ALGOS } from '../lib/util/crypto.js'
 
 export type CustomMetadata = {
-  claims_supported?: string[]
   scopes_supported?: string[]
   authorization_details_types_supported?: string[]
   protected_resources?: string[]
@@ -25,35 +23,10 @@ export function buildMetadata(
     issuer,
 
     scopes_supported: [
-      'offline_access',
-      'openid',
-      'email',
-      'phone',
-      'profile',
-
+      'atproto',
+      //
       ...(customMetadata?.scopes_supported ?? []),
     ],
-    claims_supported: [
-      /* IESG (Always provided) */
-
-      'sub', // did
-      'iss', // Authorization Server Origin
-      'aud',
-      'exp',
-      'iat',
-      'jti',
-      'client_id',
-
-      /* OpenID */
-
-      // 'acr', // "0"
-      // 'amr',
-      // 'azp',
-      'auth_time', // number - seconds since epoch
-      'nonce', // always required in "id_token", why would it not be supported?
-
-      ...(customMetadata?.claims_supported ?? OIDC_STANDARD_CLAIMS),
-    ],
     subject_types_supported: [
       //
       'public', // The same "sub" is returned for all clients
@@ -62,15 +35,15 @@ export function buildMetadata(
     response_types_supported: [
       // OAuth
       'code',
-      'token',
+      // 'token',
 
       // OpenID
-      'none',
-      'code id_token token',
-      'code id_token',
-      'code token',
-      'id_token token',
-      'id_token',
+      // 'none',
+      // 'code id_token token',
+      // 'code id_token',
+      // 'code token',
+      // 'id_token token',
+      // 'id_token',
     ],
     response_modes_supported: [
       // https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes
@@ -93,7 +66,6 @@ export function buildMetadata(
       //
       'en-US',
     ],
-    id_token_signing_alg_values_supported: [...keyset.signAlgorithms],
     display_values_supported: [
       //
       'page',
@@ -110,10 +82,6 @@ export function buildMetadata(
     request_object_encryption_alg_values_supported: [], // None
     request_object_encryption_enc_values_supported: [], // None
 
-    // No claim makes sense to be translated
-    claims_locales_supported: [],
-
-    claims_parameter_supported: true,
     request_parameter_supported: true,
     request_uri_parameter_supported: true,
     require_request_uri_registration: true,
@@ -130,7 +98,6 @@ export function buildMetadata(
 
     introspection_endpoint: new URL('/oauth/introspect', issuer).href,
 
-    userinfo_endpoint: new URL('/oauth/userinfo', issuer).href,
     // end_session_endpoint: new URL('/oauth/logout', issuer).href,
 
     // https://datatracker.ietf.org/doc/html/rfc9126#section-5

package/src/oauth-hooks.ts

@@ -11,6 +11,7 @@ import { ClientAuth } from './client/client-auth.js'
 import { ClientId } from './client/client-id.js'
 import { ClientInfo } from './client/client-info.js'
 import { Client } from './client/client.js'
+import { InvalidAuthorizationDetailsError } from './errors/invalid-authorization-details-error.js'
 import { Awaitable } from './lib/util/type.js'
 
 // Make sure all types needed to implement the OAuthHooks are exported
@@ -20,6 +21,7 @@ export type {
   ClientAuth,
   ClientId,
   ClientInfo,
+  InvalidAuthorizationDetailsError,
   Jwks,
   OAuthAuthenticationRequestParameters,
   OAuthAuthorizationDetails,
@@ -42,7 +44,7 @@ export type OAuthHooks = {
 
   /**
    * Allows enriching the authorization details with additional information
-   * before the tokens are issued.
+   * when the tokens are issued.
    *
    * @see {@link https://datatracker.ietf.org/doc/html/rfc9396 | RFC 9396}
    */
@@ -51,16 +53,4 @@ export type OAuthHooks = {
     parameters: OAuthAuthenticationRequestParameters
     account: Account
   }) => Awaitable<undefined | OAuthAuthorizationDetails>
-
-  /**
-   * Allows altering the token response before it is sent to the client.
-   */
-  onTokenResponse?: (
-    tokenResponse: OAuthTokenResponse,
-    data: {
-      client: Client
-      parameters: OAuthAuthenticationRequestParameters
-      account: Account
-    },
-  ) => Awaitable<void>
 }