@atproto/oauth-provider 0.2.0 → 0.2.2

package/src/client/client-manager.ts

@@ -1,9 +1,11 @@
 import {
   bindFetch,
   Fetch,
+  FetchError,
   fetchJsonProcessor,
   fetchJsonZodProcessor,
   fetchOkProcessor,
+  FetchResponseError,
 } from '@atproto-labs/fetch'
 import { pipe } from '@atproto-labs/pipe'
 import {
@@ -14,7 +16,6 @@ import {
 import { Jwks, jwksSchema, Keyset } from '@atproto/jwk'
 import {
   isLoopbackHost,
-  isLoopbackUrl,
   isOAuthClientIdDiscoverable,
   isOAuthClientIdLoopback,
   OAuthAuthorizationServerMetadata,
@@ -24,12 +25,16 @@ import {
   OAuthClientMetadataInput,
   oauthClientMetadataSchema,
 } from '@atproto/oauth-types'
+import { ZodError } from 'zod'
 
-import { ALLOW_LOOPBACK_CLIENT_REFRESH_TOKEN } from '../constants.js'
 import { InvalidClientMetadataError } from '../errors/invalid-client-metadata-error.js'
 import { InvalidRedirectUriError } from '../errors/invalid-redirect-uri-error.js'
 import { OAuthError } from '../errors/oauth-error.js'
-import { parseDomain, parseUrlDomain } from '../lib/util/hostname.js'
+import {
+  isInternetHost,
+  isInternetUrl,
+  parseUrlPublicSuffix,
+} from '../lib/util/hostname.js'
 import { Awaitable } from '../lib/util/type.js'
 import { OAuthHooks } from '../oauth-hooks.js'
 import { ClientId } from './client-id.js'
@@ -106,20 +111,38 @@ export class ClientManager {
       })
 
       const isFirstParty = partialInfo?.isFirstParty ?? false
-      const isTrusted =
-        partialInfo?.isTrusted ??
-        (isFirstParty ||
-          // If the client was loaded from the store, we consider it trusted:
-          (!isOAuthClientIdLoopback(clientId) &&
-            !isOAuthClientIdDiscoverable(clientId)))
+      const isTrusted = partialInfo?.isTrusted ?? isFirstParty
 
       return new Client(clientId, metadata, jwks, { isFirstParty, isTrusted })
     } catch (err) {
-      if (err instanceof OAuthError) throw err
+      if (err instanceof OAuthError) {
+        throw err
+      }
+      if (err instanceof FetchError) {
+        const message =
+          err instanceof FetchResponseError || err.statusCode !== 500
+            ? // Only expose 500 message if it was generated on another server
+              `Failed to fetch client information: ${err.message}`
+            : `Failed to fetch client information due to an internal error`
+        throw new InvalidClientMetadataError(message, err)
+      }
+      if (err instanceof ZodError) {
+        const issues = err.issues
+          .map(
+            ({ path, message }) =>
+              `Validation${path.length ? ` of "${path.join('.')}"` : ''} failed with error: ${message}`,
+          )
+          .join(' ')
+        throw new InvalidClientMetadataError(issues || err.message, err)
+      }
       if (err?.['code'] === 'DEPTH_ZERO_SELF_SIGNED_CERT') {
         throw new InvalidClientMetadataError('Self-signed certificate', err)
       }
-      throw InvalidClientMetadataError.from(err)
+
+      throw InvalidClientMetadataError.from(
+        err,
+        `Unable to load client information for "${clientId}"`,
+      )
     }
   }
 
@@ -145,15 +168,11 @@ export class ClientManager {
       throw new InvalidClientMetadataError('Loopback clients are not allowed')
     }
 
-    const result = oauthClientMetadataSchema.safeParse(
+    const metadata = oauthClientMetadataSchema.parse(
       await loopbackMetadata(clientId),
     )
 
-    if (!result.success) {
-      throw InvalidClientMetadataError.from(result.error)
-    }
-
-    return this.validateClientMetadata(clientId, result.data)
+    return this.validateClientMetadata(clientId, metadata)
   }
 
   protected async getDiscoverableClientMetadata(
@@ -212,26 +231,34 @@ export class ClientManager {
     const clientUriUrl = metadata.client_uri
       ? new URL(metadata.client_uri)
       : null
-    const clientUriParsed = clientUriUrl ? parseUrlDomain(clientUriUrl) : null
+    const clientUriDomain = clientUriUrl
+      ? parseUrlPublicSuffix(clientUriUrl)
+      : null
 
-    if (clientUriUrl && !clientUriParsed) {
-      throw new InvalidClientMetadataError('client_uri must be a valid URL')
+    if (clientUriUrl && !clientUriDomain) {
+      throw new InvalidClientMetadataError('client_uri hostname is invalid')
     }
 
-    const scopes = metadata.scope?.split(' ').filter(Boolean)
+    const scopes = metadata.scope?.split(' ')
+
+    if (!scopes) {
+      throw new InvalidClientMetadataError('Missing scope property')
+    }
+
+    if (!scopes.includes('atproto')) {
+      throw new InvalidClientMetadataError('Missing "atproto" scope')
+    }
 
     const dupScope = scopes?.find(isDuplicate)
     if (dupScope) {
       throw new InvalidClientMetadataError(`Duplicate scope "${dupScope}"`)
     }
 
-    if (scopes) {
-      for (const scope of scopes) {
-        // Note, once we have dynamic scopes, this check will need to be
-        // updated to check against the server's supported scopes.
-        if (!this.serverMetadata.scopes_supported?.includes(scope)) {
-          throw new InvalidClientMetadataError(`Unsupported scope "${scope}"`)
-        }
+    for (const scope of scopes) {
+      // Note, once we have dynamic scopes, this check will need to be
+      // updated to check against the server's supported scopes.
+      if (!this.serverMetadata.scopes_supported?.includes(scope)) {
+        throw new InvalidClientMetadataError(`Unsupported scope "${scope}"`)
       }
     }
 
@@ -244,14 +271,24 @@ export class ClientManager {
 
     for (const grantType of metadata.grant_types) {
       switch (grantType) {
-        case 'authorization_code':
-        case 'refresh_token':
-          continue
         case 'implicit':
-        case 'password':
+          // Never allowed (unsafe)
           throw new InvalidClientMetadataError(
             `Grant type "${grantType}" is not allowed`,
           )
+
+        // @TODO: Add support (e.g. for first party client)
+        // case 'client_credentials':
+        // case 'password':
+        case 'authorization_code':
+        case 'refresh_token':
+          if (!this.serverMetadata.grant_types_supported?.includes(grantType)) {
+            throw new InvalidClientMetadataError(
+              `Unsupported grant type "${grantType}"`,
+            )
+          }
+          break
+
         default:
           throw new InvalidClientMetadataError(
             `Grant type "${grantType}" is not supported`,
@@ -336,41 +373,14 @@ export class ClientManager {
       )
     }
 
-    for (const responseType of metadata.response_types) {
-      if (responseType.includes('id_token')) {
-        throw new InvalidClientMetadataError(
-          `OpenID Connect response type "${responseType}" is not supported`,
-        )
-      }
-
-      // ATPROTO spec requires the use of PKCE
-      if (responseType !== 'code') {
-        throw new InvalidClientMetadataError(
-          `Unsupported response type "${responseType}"`,
-        )
-      }
-
+    // ATPROTO spec requires the use of PKCE, does not support OIDC
+    if (!metadata.response_types.includes('code')) {
+      throw new InvalidClientMetadataError('response_types must include "code"')
+    } else if (!metadata.grant_types.includes('authorization_code')) {
       // Consistency check
-      if (
-        responseType === 'code' &&
-        !metadata.grant_types.includes('authorization_code')
-      ) {
-        throw new InvalidClientMetadataError(
-          `Response type "${responseType}" requires the "authorization_code" grant type`,
-        )
-      }
-    }
-
-    if (metadata.application_type === 'native') {
-      // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
-      //
-      // > Except when using a mechanism like Dynamic Client Registration
-      // > [RFC7591] to provision per-instance secrets, native apps are
-      // > classified as public clients, as defined by Section 2.1 of OAuth 2.0
-      // > [RFC6749]; they MUST be registered with the authorization server as
-      // > such.  Authorization servers MUST record the client type in the
-      // > client registration details in order to identify and process requests
-      // > accordingly.
+      throw new InvalidClientMetadataError(
+        `The "code" response type requires that "grant_types" contains "authorization_code"`,
+      )
     }
 
     if (metadata.authorization_details_types?.length) {
@@ -433,47 +443,6 @@ export class ClientManager {
       }
     }
 
-    if (metadata.application_type === 'native') {
-      // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
-      //
-      // > Native Clients [as defined by "application_type"] MUST only
-      // > register redirect_uris using custom URI schemes or loopback URLs
-      // > using the http scheme; loopback URLs use localhost or the IP
-      // > loopback literals 127.0.0.1 or [::1] as the hostname.
-
-      for (const redirectUri of metadata.redirect_uris) {
-        const url = parseRedirectUri(redirectUri)
-        if (url.protocol !== 'http:') {
-          throw new InvalidRedirectUriError(
-            `Native clients must use HTTP redirect URIs (got ${url})`,
-          )
-        }
-
-        if (!isLoopbackHost(url.hostname) && !isPrivateUseUriScheme(url)) {
-          throw new InvalidRedirectUriError(
-            'Loopback redirect URIs are only allowed for native apps',
-          )
-        }
-      }
-    }
-
-    if (metadata.application_type === 'native') {
-      // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
-      //
-      // > Authorization Servers MAY reject Redirection URI values using
-      // > the http scheme, other than the loopback case for Native
-      // > Clients.
-
-      for (const redirectUri of metadata.redirect_uris) {
-        const url = parseRedirectUri(redirectUri)
-        if (url.protocol === 'http:' && !isLoopbackUrl(url)) {
-          throw new InvalidRedirectUriError(
-            `Native clients must not use HTTP redirect URIs (got ${url})`,
-          )
-        }
-      }
-    }
-
     for (const redirectUri of metadata.redirect_uris) {
       const url = parseRedirectUri(redirectUri)
 
@@ -502,16 +471,10 @@ export class ClientManager {
             `Loopback redirect URI ${url} is not allowed (use explicit IPs instead)`,
           )
         }
-        // falls through
+
         case url.hostname === '127.0.0.1':
         case url.hostname === '[::1]': {
-          // https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
-          //
-          // > Loopback redirect URIs use the "http" scheme and are constructed
-          // > with the loopback IP literal and whatever port the client is
-          // > listening on. That is, "http://127.0.0.1:{port}/{path}" for IPv4,
-          // > and "http://[::1]:{port}/{path}" for IPv6.
-
+          // Only allowed for native apps
           if (metadata.application_type !== 'native') {
             throw new InvalidRedirectUriError(
               `Loopback redirect URIs are only allowed for native apps`,
@@ -534,6 +497,12 @@ export class ClientManager {
           }
 
           if (url.protocol !== 'http:') {
+            // https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
+            //
+            // > Loopback redirect URIs use the "http" scheme and are constructed
+            // > with the loopback IP literal and whatever port the client is
+            // > listening on. That is, "http://127.0.0.1:{port}/{path}" for IPv4,
+            // > and "http://[::1]:{port}/{path}" for IPv6.
             throw new InvalidRedirectUriError(
               `Loopback redirect URI ${url} must use HTTP`,
             )
@@ -551,17 +520,23 @@ export class ClientManager {
           // > target Request Object is signed in a way that is verifiable by
           // > the OP.
           //
-          // TODO: Should we allow this (and check for signed request objects)?
+          // OIDC/Request Object are not supported. ATproto spec should not
+          // allow HTTP redirect URIs either.
+
+          // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
+          //
+          // > Authorization Servers MAY reject Redirection URI values using
+          // > the http scheme, other than the loopback case for Native
+          // > Clients.
           throw new InvalidRedirectUriError(
-            `Non loopback redirect URI ${url} must use HTTPS`,
+            'Only loopback redirect URIs are allowed to use the "http" scheme',
           )
         }
 
         case url.protocol === 'https:': {
-          const redirectUriDomain = parseUrlDomain(url)
-          if (!redirectUriDomain) {
+          if (!isInternetUrl(url)) {
             throw new InvalidRedirectUriError(
-              `Redirect URI ${url} must be a valid URL`,
+              `Redirect URI "${url}"'s domain name must belong to the Public Suffix List (PSL)`,
             )
           }
 
@@ -573,19 +548,29 @@ export class ClientManager {
           // > where two apps claim the same private-use URI scheme (where one
           // > app is acting maliciously).
           //
-          // Although this only applies to "native" clients (extract being from
-          // rfc8252), we apply this rule to "web" clients as well.
-          if (!clientUriParsed) {
-            throw new InvalidClientMetadataError(
-              'client_uri is required for HTTPS redirect URIs',
-            )
-          } else {
-            if (redirectUriDomain.domain !== clientUriParsed.domain) {
-              throw new InvalidRedirectUriError(
-                `Redirect URI ${url} must be under the same domain as client_uri ${metadata.client_uri}`,
-              )
-            }
-          }
+          // We can't enforce this here (in generic client validation) because
+          // we don't have a concept of generic proven ownership.
+          //
+          // Discoverable clients, however, will have this check covered in the
+          // `validateDiscoverableClientMetadata`, by using the client_id's
+          // domain as "proven ownership".
+
+          // The following restriction from OIDC is *not* enforced for clients
+          // as it prevents "App Links" / "Apple Universal Links" from being
+          // used as redirect URIs.
+          //
+          // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
+          //
+          // > Native Clients [as defined by "application_type"] MUST only
+          // > register redirect_uris using custom URI schemes or loopback URLs
+          // > using the http scheme; loopback URLs use localhost or the IP
+          // > loopback literals 127.0.0.1 or [::1] as the hostname.
+          //
+          // if (metadata.application_type === 'native') {
+          //   throw new InvalidRedirectUriError(
+          //     `Native clients must use custom URI schemes or loopback URLs`,
+          //   )
+          // }
 
           break
         }
@@ -604,16 +589,6 @@ export class ClientManager {
             )
           }
 
-          const redirectUriDomain = parseDomain(
-            reverseDomain(url.protocol.slice(0, -1)),
-          )
-
-          if (!redirectUriDomain) {
-            throw new InvalidRedirectUriError(
-              `Private-use URI Scheme redirect URI must be based on a valid domain name`,
-            )
-          }
-
           // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
           //
           // > In addition to the collision-resistant properties, requiring a
@@ -621,16 +596,17 @@ export class ClientManager {
           // > the app can help to prove ownership in the event of a dispute
           // > where two apps claim the same private-use URI scheme (where one
           // > app is acting maliciously).
-          if (!clientUriParsed) {
-            throw new InvalidClientMetadataError(
-              'client_uri is required for native apps using private-use URI Scheme redirect URIs',
+          //
+          // We can't check for ownership here (as there is no concept of
+          // proven ownership in the generic client validation), but we can
+          // check that the domain is a valid domain name.
+
+          const urlDomain = reverseDomain(url.protocol.slice(0, -1))
+
+          if (!isInternetHost(urlDomain)) {
+            throw new InvalidRedirectUriError(
+              `Private-use URI Scheme redirect URI must be based on a valid domain name`,
             )
-          } else {
-            if (redirectUriDomain.domain !== clientUriParsed.domain) {
-              throw new InvalidRedirectUriError(
-                `Private-Use URI Scheme redirect URI ${url} must be under the same domain as client_uri ${metadata.client_uri}`,
-              )
-            }
           }
 
           // https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
@@ -689,15 +665,6 @@ export class ClientManager {
       )
     }
 
-    if (
-      !ALLOW_LOOPBACK_CLIENT_REFRESH_TOKEN &&
-      metadata.grant_types.includes('refresh_token')
-    ) {
-      throw new InvalidClientMetadataError(
-        'Loopback clients are not allowed to use the "refresh_token" grant type',
-      )
-    }
-
     const method = metadata[`token_endpoint_auth_method`]
     if (method !== 'none') {
       throw new InvalidClientMetadataError(
@@ -768,18 +735,34 @@ export class ClientManager {
 
     const method = metadata[`token_endpoint_auth_method`]
     switch (method) {
+      case 'none':
+      case 'private_key_jwt':
+      case undefined:
+        break
       case 'client_secret_post':
       case 'client_secret_basic':
       case 'client_secret_jwt':
         throw new InvalidClientMetadataError(
           `Client authentication method "${method}" is not allowed for discoverable clients`,
         )
+      default:
+        throw new InvalidClientMetadataError(
+          `Unsupported client authentication method "${method}"`,
+        )
     }
 
     for (const redirectUri of metadata.redirect_uris) {
       const url = parseRedirectUri(redirectUri)
 
       if (isPrivateUseUriScheme(url)) {
+        // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
+        //
+        // > In addition to the collision-resistant properties, requiring a
+        // > URI scheme based on a domain name that is under the control of
+        // > the app can help to prove ownership in the event of a dispute
+        // > where two apps claim the same private-use URI scheme (where one
+        // > app is acting maliciously).
+
         // https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html
         //
         // Fully qualified domain name (FQDN) of the client_id, in reverse
@@ -792,6 +775,25 @@ export class ClientManager {
           )
         }
       }
+
+      if (url.protocol === 'https:') {
+        // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
+        //
+        // > In addition to the collision-resistant properties, requiring a
+        // > URI scheme based on a domain name that is under the control of
+        // > the app can help to prove ownership in the event of a dispute
+        // > where two apps claim the same private-use URI scheme (where one
+        // > app is acting maliciously).
+        //
+        // Although this only applies to "native" clients (extract being from
+        // rfc8252), we apply this rule to "web" clients as well.
+
+        if (url.hostname !== clientIdUrl.hostname) {
+          throw new InvalidRedirectUriError(
+            `Redirect URI ${url} must be under the same domain as client_id ${metadata.client_uri}`,
+          )
+        }
+      }
     }
 
     return metadata

package/src/client/client-utils.ts

@@ -1,7 +1,5 @@
 import {
   OAuthClientIdDiscoverable,
-  OAuthClientIdLoopback,
-  parseOAuthLoopbackClientId,
   parseOAuthDiscoverableClientId,
 } from '@atproto/oauth-types'
 
@@ -25,19 +23,16 @@ export function parseDiscoverableClientId(
 
     // Extra validation, prevent usage of invalid internet domain names.
     if (!isInternetHost(url.hostname)) {
-      throw new InvalidClientIdError('ClientID is not a valid internet address')
+      throw new InvalidClientIdError(
+        "The client_id's TLD must belong to the Public Suffix List (PSL)",
+      )
     }
 
     return url
   } catch (err) {
-    throw InvalidClientIdError.from(err)
-  }
-}
-
-export function parseLoopbackClientId(clientId: OAuthClientIdLoopback): URL {
-  try {
-    return parseOAuthLoopbackClientId(clientId)
-  } catch (err) {
-    throw InvalidClientIdError.from(err)
+    throw InvalidClientIdError.from(
+      err,
+      'Invalid discoverable client identifier',
+    )
   }
 }

package/src/client/client.ts

@@ -1,7 +1,8 @@
 import { Jwks } from '@atproto/jwk'
 import {
   CLIENT_ASSERTION_TYPE_JWT_BEARER,
-  OAuthClientIdentification,
+  OAuthAuthorizationRequestParameters,
+  OAuthClientCredentials,
   OAuthClientMetadata,
 } from '@atproto/oauth-types'
 import {
@@ -20,9 +21,13 @@ import {
 } from 'jose'
 
 import { CLIENT_ASSERTION_MAX_AGE, JAR_MAX_AGE } from '../constants.js'
+import { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'
 import { InvalidClientError } from '../errors/invalid-client-error.js'
 import { InvalidClientMetadataError } from '../errors/invalid-client-metadata-error.js'
+import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
+import { InvalidScopeError } from '../errors/invalid-scope-error.js'
+import { compareRedirectUri } from '../lib/util/redirect-uri.js'
 import { ClientAuth, authJwkThumbprint } from './client-auth.js'
 import { ClientId } from './client-id.js'
 import { ClientInfo } from './client-info.js'
@@ -102,11 +107,11 @@ export class Client {
 
   /**
    * @see {@link https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1}
-   * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-11#section-3}
+   * @see {@link https://datatracker.ietf.org/doc/html/rfc7523#section-3}
    * @see {@link https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method}
    */
   public async verifyCredentials(
-    input: OAuthClientIdentification,
+    input: OAuthClientCredentials,
     checks: {
       audience: string
     },
@@ -218,4 +223,108 @@ export class Client {
     // @ts-expect-error
     throw new Error(`Invalid method "${clientAuth.method}"`)
   }
+
+  /**
+   * Validates the request parameters against the client metadata.
+   */
+  public validateRequest(
+    parameters: Readonly<OAuthAuthorizationRequestParameters>,
+  ): Readonly<OAuthAuthorizationRequestParameters> {
+    if (parameters.client_id !== this.id) {
+      throw new InvalidParametersError(
+        parameters,
+        'The "client_id" parameter field does not match the value used to authenticate the client',
+      )
+    }
+
+    if (parameters.scope !== undefined) {
+      // Any scope requested by the client must be registered in the client
+      // metadata.
+      const declaredScopes = this.metadata.scope?.split(' ')
+
+      if (!declaredScopes) {
+        throw new InvalidScopeError(
+          parameters,
+          'Client has no declared scopes in its metadata',
+        )
+      }
+
+      for (const scope of parameters.scope.split(' ')) {
+        if (!declaredScopes.includes(scope)) {
+          throw new InvalidScopeError(
+            parameters,
+            `Scope "${scope}" is not declared in the client metadata`,
+          )
+        }
+      }
+    }
+
+    if (!this.metadata.response_types.includes(parameters.response_type)) {
+      throw new InvalidParametersError(
+        parameters,
+        `Invalid response_type "${parameters.response_type}" requested by the client`,
+      )
+    }
+
+    if (parameters.response_type.includes('code')) {
+      if (!this.metadata.grant_types.includes('authorization_code')) {
+        throw new InvalidParametersError(
+          parameters,
+          `This client is not allowed to use the "authorization_code" grant type`,
+        )
+      }
+    }
+
+    const { redirect_uri } = parameters
+    if (redirect_uri) {
+      if (
+        !this.metadata.redirect_uris.some((uri) =>
+          compareRedirectUri(uri, redirect_uri),
+        )
+      ) {
+        throw new InvalidParametersError(
+          parameters,
+          `Invalid redirect_uri ${redirect_uri}`,
+        )
+      }
+    } else {
+      const { defaultRedirectUri } = this
+      if (defaultRedirectUri) {
+        parameters = { ...parameters, redirect_uri: defaultRedirectUri }
+      } else {
+        // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#authorization-request
+        //
+        // > "redirect_uri": OPTIONAL if only one redirect URI is registered for
+        // > this client. REQUIRED if multiple redirect URIs are registered for this
+        // > client.
+        throw new InvalidParametersError(parameters, 'redirect_uri is required')
+      }
+    }
+
+    if (parameters.authorization_details) {
+      const { authorization_details_types } = this.metadata
+      if (!authorization_details_types) {
+        throw new InvalidAuthorizationDetailsError(
+          parameters,
+          'Client Metadata does not declare any "authorization_details"',
+        )
+      }
+
+      for (const detail of parameters.authorization_details) {
+        if (!authorization_details_types?.includes(detail.type)) {
+          throw new InvalidAuthorizationDetailsError(
+            parameters,
+            `Client Metadata does not declare any "authorization_details" of type "${detail.type}"`,
+          )
+        }
+      }
+    }
+
+    return parameters
+  }
+
+  get defaultRedirectUri(): string | undefined {
+    const { redirect_uris } = this.metadata
+    return redirect_uris.length === 1 ? redirect_uris[0] : undefined
+  }
 }