@atproto/oauth-provider 0.2.1 → 0.2.2

package/dist/oauth-provider.js

@@ -60,16 +60,15 @@ const build_error_payload_js_1 = require("./output/build-error-payload.js");
 const output_manager_js_1 = require("./output/output-manager.js");
 const send_authorize_redirect_js_1 = require("./output/send-authorize-redirect.js");
 const replay_store_js_1 = require("./replay/replay-store.js");
+const code_js_1 = require("./request/code.js");
 const request_manager_js_1 = require("./request/request-manager.js");
 const request_store_memory_js_1 = require("./request/request-store-memory.js");
 const request_store_redis_js_1 = require("./request/request-store-redis.js");
 const request_store_js_1 = require("./request/request-store.js");
 const request_uri_js_1 = require("./request/request-uri.js");
-const types_js_1 = require("./request/types.js");
 const token_id_js_1 = require("./token/token-id.js");
 const token_manager_js_1 = require("./token/token-manager.js");
 const token_store_js_1 = require("./token/token-store.js");
-const types_js_2 = require("./token/types.js");
 class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
     metadata;
     customization;
@@ -117,21 +116,35 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         }
         return authAge >= this.authenticationMaxAge;
     }
-    async authenticateClient(client, credentials) {
+    async authenticateClient(credentials) {
+        const client = await this.clientManager.getClient(credentials.client_id);
         const { clientAuth, nonce } = await client.verifyCredentials(credentials, {
             audience: this.issuer,
         });
+        if (client.metadata.application_type === 'native' &&
+            clientAuth.method !== 'none') {
+            // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
+            //
+            // > Except when using a mechanism like Dynamic Client Registration
+            // > [RFC7591] to provision per-instance secrets, native apps are
+            // > classified as public clients, as defined by Section 2.1 of OAuth 2.0
+            // > [RFC6749]; they MUST be registered with the authorization server as
+            // > such. Authorization servers MUST record the client type in the client
+            // > registration details in order to identify and process requests
+            // > accordingly.
+            throw new invalid_grant_error_js_1.InvalidGrantError('Native clients must authenticate using "none" method');
+        }
         if (nonce != null) {
             const unique = await this.replayManager.uniqueAuth(nonce, client.id);
             if (!unique) {
-                throw new invalid_client_error_js_1.InvalidClientError(`${clientAuth.method} jti reused`);
+                throw new invalid_grant_error_js_1.InvalidGrantError(`${clientAuth.method} jti reused`);
             }
         }
-        return clientAuth;
+        return [client, clientAuth];
     }
     async decodeJAR(client, input) {
         const result = await client.decodeRequestObject(input.request);
-        const payload = oauth_types_1.oauthAuthenticationRequestParametersSchema.parse(result.payload);
+        const payload = oauth_types_1.oauthAuthorizationRequestParametersSchema.parse(result.payload);
         if (!result.payload.jti) {
             throw new invalid_parameters_error_js_1.InvalidParametersError(payload, 'Request object must contain a jti claim');
         }
@@ -159,13 +172,12 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
     /**
      * @see {@link https://datatracker.ietf.org/doc/html/rfc9126}
      */
-    async pushedAuthorizationRequest(input, dpopJkt) {
+    async pushedAuthorizationRequest(credentials, authorizationRequest, dpopJkt) {
         try {
-            const client = await this.clientManager.getClient(input.client_id);
-            const clientAuth = await this.authenticateClient(client, input);
-            const { payload: parameters } = 'request' in input // Handle JAR
-                ? await this.decodeJAR(client, input)
-                : { payload: input };
+            const [client, clientAuth] = await this.authenticateClient(credentials);
+            const { payload: parameters } = 'request' in authorizationRequest // Handle JAR
+                ? await this.decodeJAR(client, authorizationRequest)
+                : { payload: authorizationRequest };
             const { uri, expiresAt } = await this.requestManager.createAuthorizationRequest(client, clientAuth, parameters, null, dpopJkt);
             return {
                 request_uri: uri,
@@ -184,14 +196,15 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             throw err;
         }
     }
-    async loadAuthorizationRequest(client, deviceId, input) {
-        // Load PAR
-        if ('request_uri' in input) {
-            return this.requestManager.get(input.request_uri, client.id, deviceId);
+    async processAuthorizationRequest(client, deviceId, query) {
+        if ('request_uri' in query) {
+            const requestUri = await request_uri_js_1.requestUriSchema
+                .parseAsync(query.request_uri, { path: ['query', 'request_uri'] })
+                .catch(throwInvalidRequest);
+            return this.requestManager.get(requestUri, client.id, deviceId);
         }
-        // Handle JAR
-        if ('request' in input) {
-            const requestObject = await this.decodeJAR(client, input);
+        if ('request' in query) {
+            const requestObject = await this.decodeJAR(client, query);
             if ('protectedHeader' in requestObject && requestObject.protectedHeader) {
                 // Allow using signed JAR during "/authorize" as client authentication.
                 // This allows clients to skip PAR to initiate trusted sessions.
@@ -205,7 +218,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             }
             return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, requestObject.payload, deviceId, null);
         }
-        return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, input, deviceId, null);
+        return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, query, deviceId, null);
     }
     async deleteRequest(uri, parameters) {
         try {
@@ -215,79 +228,79 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
         }
     }
-    async authorize(deviceId, input) {
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.1}
+     */
+    async authorize(deviceId, credentials, query) {
         const { issuer } = this;
-        const client = await this.clientManager.getClient(input.client_id);
+        // If there is a chance to redirect the user to the client, let's do
+        // it by wrapping the error in an AccessDeniedError.
+        const accessDeniedCatcher = 'redirect_uri' in query
+            ? (err) => {
+                // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.2.1
+                throw access_denied_error_js_1.AccessDeniedError.from(query, err, 'invalid_request');
+            }
+            : null;
+        const client = await this.clientManager
+            .getClient(credentials.client_id)
+            .catch(accessDeniedCatcher);
+        const { clientAuth, parameters, uri } = await this.processAuthorizationRequest(client, deviceId, query).catch(accessDeniedCatcher);
         try {
-            const { uri, parameters, clientAuth } = await this.loadAuthorizationRequest(client, deviceId, input);
-            try {
-                const sessions = await this.getSessions(client, clientAuth, deviceId, parameters);
-                if (parameters.prompt === 'none') {
-                    const ssoSessions = sessions.filter((s) => s.matchesHint);
-                    if (ssoSessions.length > 1) {
-                        throw new account_selection_required_error_js_1.AccountSelectionRequiredError(parameters);
-                    }
-                    if (ssoSessions.length < 1) {
-                        throw new login_required_error_js_1.LoginRequiredError(parameters);
-                    }
-                    const ssoSession = ssoSessions[0];
-                    if (ssoSession.loginRequired) {
-                        throw new login_required_error_js_1.LoginRequiredError(parameters);
-                    }
-                    if (ssoSession.consentRequired) {
-                        throw new consent_required_error_js_1.ConsentRequiredError(parameters);
-                    }
-                    const code = await this.requestManager.setAuthorized(client, uri, deviceId, ssoSession.account);
-                    return { issuer, client, parameters, redirect: { code } };
+            const sessions = await this.getSessions(client, clientAuth, deviceId, parameters);
+            if (parameters.prompt === 'none') {
+                const ssoSessions = sessions.filter((s) => s.matchesHint);
+                if (ssoSessions.length > 1) {
+                    throw new account_selection_required_error_js_1.AccountSelectionRequiredError(parameters);
                 }
-                // Automatic SSO when a did was provided
-                if (parameters.prompt == null && parameters.login_hint != null) {
-                    const ssoSessions = sessions.filter((s) => s.matchesHint);
-                    if (ssoSessions.length === 1) {
-                        const ssoSession = ssoSessions[0];
-                        if (!ssoSession.loginRequired && !ssoSession.consentRequired) {
-                            const code = await this.requestManager.setAuthorized(client, uri, deviceId, ssoSession.account);
-                            return { issuer, client, parameters, redirect: { code } };
-                        }
-                    }
+                if (ssoSessions.length < 1) {
+                    throw new login_required_error_js_1.LoginRequiredError(parameters);
                 }
-                return {
-                    issuer,
-                    client,
-                    parameters,
-                    authorize: {
-                        uri,
-                        sessions,
-                        scopeDetails: parameters.scope
-                            ?.split(/\s+/)
-                            .filter(Boolean)
-                            .sort((a, b) => a.localeCompare(b))
-                            .map((scope) => ({
-                            scope,
-                            // @TODO Allow to customize the scope descriptions (e.g.
-                            // using a hook)
-                            description: undefined,
-                        })),
-                    },
-                };
+                const ssoSession = ssoSessions[0];
+                if (ssoSession.loginRequired) {
+                    throw new login_required_error_js_1.LoginRequiredError(parameters);
+                }
+                if (ssoSession.consentRequired) {
+                    throw new consent_required_error_js_1.ConsentRequiredError(parameters);
+                }
+                const code = await this.requestManager.setAuthorized(client, uri, deviceId, ssoSession.account);
+                return { issuer, client, parameters, redirect: { code } };
             }
-            catch (err) {
-                await this.deleteRequest(uri, parameters);
-                // Transform into an AccessDeniedError to allow redirecting the user
-                // to the client with the error details.
-                throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
+            // Automatic SSO when a did was provided
+            if (parameters.prompt == null && parameters.login_hint != null) {
+                const ssoSessions = sessions.filter((s) => s.matchesHint);
+                if (ssoSessions.length === 1) {
+                    const ssoSession = ssoSessions[0];
+                    if (!ssoSession.loginRequired && !ssoSession.consentRequired) {
+                        const code = await this.requestManager.setAuthorized(client, uri, deviceId, ssoSession.account);
+                        return { issuer, client, parameters, redirect: { code } };
+                    }
+                }
             }
+            return {
+                issuer,
+                client,
+                parameters,
+                authorize: {
+                    uri,
+                    sessions,
+                    scopeDetails: parameters.scope
+                        ?.split(/\s+/)
+                        .filter(Boolean)
+                        .sort((a, b) => a.localeCompare(b))
+                        .map((scope) => ({
+                        scope,
+                        // @TODO Allow to customize the scope descriptions (e.g.
+                        // using a hook)
+                        description: undefined,
+                    })),
+                },
+            };
         }
         catch (err) {
-            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
-                return {
-                    issuer,
-                    client,
-                    parameters: err.parameters,
-                    redirect: err.toJSON(),
-                };
-            }
-            throw err;
+            await this.deleteRequest(uri, parameters);
+            // Not using accessDeniedCatcher here because "parameters" will most
+            // likely contain the redirect_uri (using the client default).
+            throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
         }
     }
     async getSessions(client, clientAuth, deviceId, parameters) {
@@ -334,70 +347,54 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
     async acceptRequest(deviceId, uri, clientId, sub) {
         const { issuer } = this;
         const client = await this.clientManager.getClient(clientId);
+        const { parameters, clientAuth } = await this.requestManager.get(uri, clientId, deviceId);
         try {
-            const { parameters, clientAuth } = await this.requestManager.get(uri, clientId, deviceId);
-            try {
-                const { account, info } = await this.accountManager.get(deviceId, sub);
-                // The user is trying to authorize without a fresh login
-                if (this.loginRequired(client, parameters, info)) {
-                    throw new login_required_error_js_1.LoginRequiredError(parameters, 'Account authentication required.');
-                }
-                const code = await this.requestManager.setAuthorized(client, uri, deviceId, account);
-                await this.accountManager.addAuthorizedClient(deviceId, account, client, clientAuth);
-                return { issuer, client, parameters, redirect: { code } };
-            }
-            catch (err) {
-                await this.deleteRequest(uri, parameters);
-                // throw AccessDeniedError.from(parameters, err)
-                throw err;
+            const { account, info } = await this.accountManager.get(deviceId, sub);
+            // The user is trying to authorize without a fresh login
+            if (this.loginRequired(client, parameters, info)) {
+                throw new login_required_error_js_1.LoginRequiredError(parameters, 'Account authentication required.');
             }
+            const code = await this.requestManager.setAuthorized(client, uri, deviceId, account);
+            await this.accountManager.addAuthorizedClient(deviceId, account, client, clientAuth);
+            return { issuer, parameters, redirect: { code } };
         }
         catch (err) {
-            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
-                const { parameters } = err;
-                return { issuer, client, parameters, redirect: err.toJSON() };
-            }
-            throw err;
+            await this.deleteRequest(uri, parameters);
+            throw access_denied_error_js_1.AccessDeniedError.from(parameters, err);
         }
     }
     async rejectRequest(deviceId, uri, clientId) {
-        try {
-            const { parameters } = await this.requestManager.get(uri, clientId, deviceId);
-            await this.deleteRequest(uri, parameters);
-            // Trigger redirect (see catch block)
-            throw new access_denied_error_js_1.AccessDeniedError(parameters, 'Access denied');
-        }
-        catch (err) {
-            if (err instanceof access_denied_error_js_1.AccessDeniedError) {
-                return {
-                    issuer: this.issuer,
-                    client: await this.clientManager.getClient(clientId),
-                    parameters: err.parameters,
-                    redirect: err.toJSON(),
-                };
-            }
-            throw err;
-        }
+        const { parameters } = await this.requestManager.get(uri, clientId, deviceId);
+        await this.deleteRequest(uri, parameters);
+        return {
+            issuer: this.issuer,
+            parameters: parameters,
+            redirect: {
+                error: 'access_denied',
+                error_description: 'Access denied',
+            },
+        };
     }
-    async token(input, dpopJkt) {
-        const client = await this.clientManager.getClient(input.client_id);
-        const clientAuth = await this.authenticateClient(client, input);
-        if (!client.metadata.grant_types.includes(input.grant_type)) {
-            throw new invalid_grant_error_js_1.InvalidGrantError(`"${input.grant_type}" grant type is not allowed for this client`);
+    async token(credentials, request, dpopJkt) {
+        const [client, clientAuth] = await this.authenticateClient(credentials);
+        if (!this.metadata.grant_types_supported?.includes(request.grant_type)) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`Grant type "${request.grant_type}" is not supported by the server`);
         }
-        if (input.grant_type === 'authorization_code') {
-            return this.codeGrant(client, clientAuth, input, dpopJkt);
+        if (!client.metadata.grant_types.includes(request.grant_type)) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`"${request.grant_type}" grant type is not allowed for this client`);
         }
-        if (input.grant_type === 'refresh_token') {
-            return this.refreshTokenGrant(client, clientAuth, input, dpopJkt);
+        if (request.grant_type === 'authorization_code') {
+            return this.codeGrant(client, clientAuth, request, dpopJkt);
         }
-        throw new invalid_grant_error_js_1.InvalidGrantError(
-        // @ts-expect-error: fool proof
-        `Grant type "${input.grant_type}" not supported`);
+        if (request.grant_type === 'refresh_token') {
+            return this.refreshTokenGrant(client, clientAuth, request, dpopJkt);
+        }
+        throw new invalid_grant_error_js_1.InvalidGrantError(`Grant type "${request.grant_type}" not supported`);
     }
     async codeGrant(client, clientAuth, input, dpopJkt) {
         try {
-            const { sub, deviceId, parameters } = await this.requestManager.findCode(client, clientAuth, input.code);
+            const code = code_js_1.codeSchema.parse(input.code);
+            const { sub, deviceId, parameters } = await this.requestManager.findCode(client, clientAuth, code);
             // the following check prevents re-use of PKCE challenges, enforcing the
             // clients to generate a new challenge for each authorization request. The
             // replay manager typically prevents replay over a certain time frame,
@@ -436,17 +433,16 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
     /**
      * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 rfc7009}
      */
-    async revoke(input) {
+    async revoke({ token }) {
         // @TODO this should also remove the account-device association (or, at
         // least, mark it as expired)
-        await this.tokenManager.revoke(input.token);
+        await this.tokenManager.revoke(token);
     }
     /**
      * @see {@link https://datatracker.ietf.org/doc/html/rfc7662#section-2.1 rfc7662}
      */
-    async introspect(input) {
-        const client = await this.clientManager.getClient(input.client_id);
-        const clientAuth = await this.authenticateClient(client, input);
+    async introspect(credentials, { token }) {
+        const [client, clientAuth] = await this.authenticateClient(credentials);
         // RFC7662 states the following:
         //
         // > To prevent token scanning attacks, the endpoint MUST also require some
@@ -460,7 +456,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         }
         const start = Date.now();
         try {
-            const tokenInfo = await this.tokenManager.clientTokenInfo(client, clientAuth, input.token);
+            const tokenInfo = await this.tokenManager.clientTokenInfo(client, clientAuth, token);
             return {
                 active: true,
                 scope: tokenInfo.data.parameters.scope,
@@ -499,9 +495,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         const router = this.buildRouter(options);
         return router.buildHandler();
     }
-    buildRouter({ onError = process.env['NODE_ENV'] === 'development'
-        ? (req, res, err, msg) => console.error(`OAuthProvider error (${msg}):`, err)
-        : undefined, } = {}) {
+    buildRouter(options) {
         const deviceManager = new device_manager_js_1.DeviceManager(this.deviceStore);
         const outputManager = new output_manager_js_1.OutputManager(this.customization);
         // eslint-disable-next-line @typescript-eslint/no-this-alias
@@ -511,6 +505,10 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         const router = new index_js_1.Router(issuerUrl);
         // Utils
         const csrfCookie = (uri) => `csrf-${uri}`;
+        const onError = options?.onError ??
+            (process.env['NODE_ENV'] === 'development'
+                ? (req, res, err, msg) => console.error(`OAuthProvider error (${msg}):`, err)
+                : undefined);
         /**
          * Creates a middleware that will serve static JSON content.
          */
@@ -562,7 +560,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
                 // OAuthError are used to build expected responses, so we don't log
                 // them as errors.
                 if (!(err instanceof oauth_error_js_1.OAuthError) || err.statusCode >= 500) {
-                    await onError?.(req, res, err, 'Unexpected error');
+                    onError?.(req, res, err, 'Unexpected error');
                 }
             }
         };
@@ -582,12 +580,30 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
                 }
             }
             catch (err) {
-                await onError?.(req, res, err, `Failed to handle navigation request to "${req.url}"`);
+                onError?.(req, res, err, `Failed to handle navigation request to "${req.url}"`);
                 if (!res.headersSent) {
                     await outputManager.sendErrorPage(res, err);
                 }
             }
         };
+        /**
+         * Provides a better UX when a request is denied by redirecting to the
+         * client with the error details. This will also log any error that caused
+         * the access to be denied (such as system errors).
+         */
+        const accessDeniedToRedirectCatcher = (req, res, err) => {
+            if (err instanceof access_denied_error_js_1.AccessDeniedError && err.parameters.redirect_uri) {
+                const { cause } = err;
+                if (cause)
+                    onError?.(req, res, cause, 'Access denied');
+                return {
+                    issuer: server.issuer,
+                    parameters: err.parameters,
+                    redirect: err.toJSON(),
+                };
+            }
+            throw err;
+        };
         //- Public OAuth endpoints
         router.get('/.well-known/oauth-authorization-server', staticJson(server.metadata));
         // CORS preflight
@@ -619,9 +635,15 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         router.get('/oauth/jwks', staticJson(server.jwks));
         router.options('/oauth/par', corsPreflight);
         router.post('/oauth/par', jsonHandler(async function (req, _res) {
-            const input = await validateRequest(req, types_js_1.pushedAuthorizationRequestSchema);
+            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
+            const credentials = await oauth_types_1.oauthClientCredentialsSchema
+                .parseAsync(payload, { path: ['body'] })
+                .catch(throwInvalidRequest);
+            const authorizationRequest = await oauth_types_1.oauthAuthorizationRequestParSchema
+                .parseAsync(payload, { path: ['body'] })
+                .catch(throwInvalidRequest);
             const dpopJkt = await server.checkDpopProof(req.headers['dpop'], req.method, this.url);
-            return server.pushedAuthorizationRequest(input, dpopJkt);
+            return server.pushedAuthorizationRequest(credentials, authorizationRequest, dpopJkt);
         }, 201));
         // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3
         // > If the request did not use the POST method, the authorization server
@@ -632,15 +654,24 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         });
         router.options('/oauth/token', corsPreflight);
         router.post('/oauth/token', jsonHandler(async function (req, _res) {
-            const input = await validateRequest(req, types_js_2.tokenRequestSchema);
+            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
+            const credentials = await oauth_types_1.oauthClientCredentialsSchema
+                .parseAsync(payload, { path: ['body'] })
+                .catch(throwInvalidClient);
+            const tokenRequest = await oauth_types_1.oauthTokenRequestSchema
+                .parseAsync(payload, { path: ['body'] })
+                .catch(throwInvalidGrant);
             const dpopJkt = await server.checkDpopProof(req.headers['dpop'], req.method, this.url);
-            return server.token(input, dpopJkt);
+            return server.token(credentials, tokenRequest, dpopJkt);
         }));
         router.options('/oauth/revoke', corsPreflight);
         router.post('/oauth/revoke', jsonHandler(async function (req, res) {
-            const input = await validateRequest(req, types_js_2.revokeSchema);
+            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
+            const tokenIdentification = await oauth_types_1.oauthTokenIdentificationSchema
+                .parseAsync(payload, { path: ['body'] })
+                .catch(throwInvalidRequest);
             try {
-                await server.revoke(input);
+                await server.revoke(tokenIdentification);
             }
             catch (err) {
                 onError?.(req, res, err, 'Failed to revoke token');
@@ -649,9 +680,11 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
         router.options('/oauth/revoke', corsPreflight);
         router.get('/oauth/revoke', navigationHandler(async function (req, res) {
             const query = Object.fromEntries(this.url.searchParams);
-            const input = types_js_2.revokeSchema.parse(query, { path: ['query'] });
+            const tokenIdentification = await oauth_types_1.oauthTokenIdentificationSchema
+                .parseAsync(query, { path: ['query'] })
+                .catch(throwInvalidRequest);
             try {
-                await server.revoke(input);
+                await server.revoke(tokenIdentification);
             }
             catch (err) {
                 onError?.(req, res, err, 'Failed to revoke token');
@@ -661,19 +694,33 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             throw new Error('You are successfully logged out. Redirect not implemented');
         }));
         router.post('/oauth/introspect', jsonHandler(async function (req, _res) {
-            const input = await validateRequest(req, types_js_2.introspectSchema);
-            return server.introspect(input);
+            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
+            const credentials = await oauth_types_1.oauthClientCredentialsSchema
+                .parseAsync(payload, { path: ['body'] })
+                .catch(throwInvalidRequest);
+            const tokenIdentification = await oauth_types_1.oauthTokenIdentificationSchema
+                .parseAsync(payload, { path: ['body'] })
+                .catch(throwInvalidRequest);
+            return server.introspect(credentials, tokenIdentification);
         }));
         //- Private authorization endpoints
         router.use((0, assets_middleware_js_1.authorizeAssetsMiddleware)());
         router.get('/oauth/authorize', navigationHandler(async function (req, res) {
             (0, index_js_1.validateFetchSite)(req, res, ['cross-site', 'none']);
             const query = Object.fromEntries(this.url.searchParams);
-            const input = await types_js_1.authorizationRequestQuerySchema.parseAsync(query, {
-                path: ['query'],
-            });
+            const credentials = await oauth_types_1.oauthClientCredentialsSchema
+                .parseAsync(query, { path: ['body'] })
+                .catch(throwInvalidRequest);
+            if ('client_secret' in credentials) {
+                throw new invalid_request_error_js_1.InvalidRequestError('Client secret must not be provided');
+            }
+            const authorizationRequest = await oauth_types_1.oauthAuthorizationRequestQuerySchema
+                .parseAsync(query, { path: ['query'] })
+                .catch(throwInvalidRequest);
             const { deviceId } = await deviceManager.load(req, res);
-            const data = await server.authorize(deviceId, input);
+            const data = await server
+                .authorize(deviceId, credentials, authorizationRequest)
+                .catch((err) => accessDeniedToRedirectCatcher(req, res, err));
             switch (true) {
                 case 'redirect' in data: {
                     return (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
@@ -699,7 +746,10 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             (0, index_js_1.validateFetchMode)(req, res, ['same-origin']);
             (0, index_js_1.validateFetchSite)(req, res, ['same-origin']);
             (0, index_js_1.validateSameOrigin)(req, res, issuerOrigin);
-            const input = await validateRequest(req, signInPayloadSchema);
+            const payload = await (0, index_js_1.parseHttpRequest)(req, ['json']);
+            const input = await signInPayloadSchema.parseAsync(payload, {
+                path: ['body'],
+            });
             (0, index_js_1.validateReferer)(req, res, {
                 origin: issuerOrigin,
                 pathname: '/oauth/authorize',
@@ -739,7 +789,9 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             });
             (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri), true);
             const { deviceId } = await deviceManager.load(req, res);
-            const data = await server.acceptRequest(deviceId, input.request_uri, input.client_id, input.account_sub);
+            const data = await server
+                .acceptRequest(deviceId, input.request_uri, input.client_id, input.account_sub)
+                .catch((err) => accessDeniedToRedirectCatcher(req, res, err));
             return await (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
         }));
         const rejectQuerySchema = zod_1.default.object({
@@ -772,27 +824,33 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
             });
             (0, index_js_1.validateCsrfToken)(req, res, input.csrf_token, csrfCookie(input.request_uri), true);
             const { deviceId } = await deviceManager.load(req, res);
-            const data = await server.rejectRequest(deviceId, input.request_uri, input.client_id);
+            const data = await server
+                .rejectRequest(deviceId, input.request_uri, input.client_id)
+                .catch((err) => accessDeniedToRedirectCatcher(req, res, err));
             return await (0, send_authorize_redirect_js_1.sendAuthorizeRedirect)(res, data);
         }));
         return router;
     }
 }
 exports.OAuthProvider = OAuthProvider;
-async function validateRequest(req, schema) {
-    try {
-        return await (0, index_js_1.validateRequestPayload)(req, schema);
-    }
-    catch (err) {
-        if (err instanceof zod_1.ZodError) {
-            const issue = err.issues[0];
-            if (issue?.path.length) {
-                // "part" will typically be
-                const [part, ...path] = issue.path;
-                throw new invalid_request_error_js_1.InvalidRequestError(`Validation of ${part}'s "${path.join('.')}" with error: ${issue.message}`, err);
-            }
+function throwInvalidGrant(err) {
+    throw new invalid_grant_error_js_1.InvalidGrantError(extractZodErrorMessage(err) || 'Invalid grant', err);
+}
+function throwInvalidClient(err) {
+    throw new invalid_client_error_js_1.InvalidClientError(extractZodErrorMessage(err) || 'Client authentication failed', err);
+}
+function throwInvalidRequest(err) {
+    throw new invalid_request_error_js_1.InvalidRequestError(extractZodErrorMessage(err) || 'Input validation error', err);
+}
+function extractZodErrorMessage(err) {
+    if (err instanceof zod_1.ZodError) {
+        const issue = err.issues[0];
+        if (issue?.path.length) {
+            // "part" will typically be "body" or "query"
+            const [part, ...path] = issue.path;
+            return `Validation of "${path.join('.')}" ${part} parameter failed: ${issue.message}`;
         }
-        throw new invalid_request_error_js_1.InvalidRequestError('Input validation error', err);
     }
+    return undefined;
 }
 //# sourceMappingURL=oauth-provider.js.map