@atproto/oauth-provider 0.8.0 → 0.9.0

package/src/client/client-manager.ts

@@ -311,13 +311,7 @@ export class ClientManager {
       )
     }
 
-    const method = metadata[`token_endpoint_auth_method`]
-    switch (method) {
-      case undefined:
-        throw new InvalidClientMetadataError(
-          'Missing token_endpoint_auth_method client metadata',
-        )
-
+    switch (metadata.token_endpoint_auth_method) {
       case 'none':
         if (metadata.token_endpoint_auth_signing_alg) {
           throw new InvalidClientMetadataError(
@@ -346,7 +340,7 @@ export class ClientManager {
 
       default:
         throw new InvalidClientMetadataError(
-          `${method} is not a supported "token_endpoint_auth_method". Use "private_key_jwt" or "none".`,
+          `Unsupported client authentication method "${metadata.token_endpoint_auth_method}". Make sure "token_endpoint_auth_method" is set to one of: "${Client.AUTH_METHODS_SUPPORTED.join('", "')}"`,
         )
     }
 
@@ -421,6 +415,29 @@ export class ClientManager {
       )
     }
 
+    if (
+      metadata.application_type === 'native' &&
+      metadata.token_endpoint_auth_method !== 'none'
+    ) {
+      // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
+      //
+      // > Except when using a mechanism like Dynamic Client Registration
+      // > [RFC7591] to provision per-instance secrets, native apps are
+      // > classified as public clients, as defined by Section 2.1 of OAuth 2.0
+      // > [RFC6749]; they MUST be registered with the authorization server as
+      // > such. Authorization servers MUST record the client type in the client
+      // > registration details in order to identify and process requests
+      // > accordingly.
+
+      // @NOTE We may want to remove this restriction in the future, for example
+      // if https://github.com/bluesky-social/proposals/tree/main/0010-client-assertion-backend
+      // gets adopted
+
+      throw new InvalidClientMetadataError(
+        'Native clients must authenticate using "none" method',
+      )
+    }
+
     if (
       metadata.application_type === 'web' &&
       metadata.grant_types.includes('implicit')
@@ -670,7 +687,7 @@ export class ClientManager {
       )
     }
 
-    const method = metadata[`token_endpoint_auth_method`]
+    const method = metadata.token_endpoint_auth_method
     if (method !== 'none') {
       throw new InvalidClientMetadataError(
         `Loopback clients are not allowed to use "token_endpoint_auth_method" ${method}`,
@@ -738,24 +755,6 @@ export class ClientManager {
       }
     }
 
-    const method = metadata[`token_endpoint_auth_method`]
-    switch (method) {
-      case 'none':
-      case 'private_key_jwt':
-      case undefined:
-        break
-      case 'client_secret_post':
-      case 'client_secret_basic':
-      case 'client_secret_jwt':
-        throw new InvalidClientMetadataError(
-          `Client authentication method "${method}" is not allowed for discoverable clients`,
-        )
-      default:
-        throw new InvalidClientMetadataError(
-          `Unsupported client authentication method "${method}"`,
-        )
-    }
-
     for (const redirectUri of metadata.redirect_uris) {
       const url = parseRedirectUri(redirectUri)
 

package/src/client/client.ts

@@ -1,18 +1,21 @@
 import {
+  JWTClaimVerificationOptions,
+  type JWTHeaderParameters,
   type JWTPayload,
-  type JWTVerifyGetKey,
   type JWTVerifyOptions,
   type JWTVerifyResult,
   type KeyLike,
   type ResolvedKey,
   UnsecuredJWT,
   type UnsecuredResult,
+  calculateJwkThumbprint,
   createLocalJWKSet,
   createRemoteJWKSet,
   errors,
+  exportJWK,
   jwtVerify,
 } from 'jose'
-import { Jwks } from '@atproto/jwk'
+import { Jwks, SignedJwt, UnsignedJwt } from '@atproto/jwk'
 import {
   CLIENT_ASSERTION_TYPE_JWT_BEARER,
   OAuthAuthorizationRequestParameters,
@@ -27,8 +30,10 @@ import { InvalidClientMetadataError } from '../errors/invalid-client-metadata-er
 import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
 import { InvalidScopeError } from '../errors/invalid-scope-error.js'
+import { asArray } from '../lib/util/cast.js'
 import { compareRedirectUri } from '../lib/util/redirect-uri.js'
-import { ClientAuth, authJwkThumbprint } from './client-auth.js'
+import { Awaitable } from '../lib/util/type.js'
+import { ClientAuth } from './client-auth.js'
 import { ClientId } from './client-id.js'
 import { ClientInfo } from './client-info.js'
 
@@ -40,7 +45,9 @@ export class Client {
    */
   static readonly AUTH_METHODS_SUPPORTED = ['none', 'private_key_jwt'] as const
 
-  private readonly keyGetter: JWTVerifyGetKey
+  private readonly keyGetter: (
+    protectedHeader: JWTHeaderParameters,
+  ) => Awaitable<KeyLike | Uint8Array>
 
   constructor(
     public readonly id: ClientId,
@@ -55,26 +62,42 @@ export class Client {
         : createRemoteJWKSet(new URL(metadata.jwks_uri), {})
   }
 
-  public async decodeRequestObject(jar: string) {
+  /**
+   * @see {@link https://www.rfc-editor.org/rfc/rfc9101.html#name-request-object-2}
+   */
+  public async decodeRequestObject(
+    jar: SignedJwt | UnsignedJwt,
+    audience: string,
+  ) {
+    // https://www.rfc-editor.org/rfc/rfc9101.html#name-request-object-2
+    // > If signed, the Authorization Request Object SHOULD contain the Claims
+    // > iss (issuer) and aud (audience) as members with their semantics being
+    // > the same as defined in the JWT [RFC7519] specification. The value of
+    // > aud should be the value of the authorization server (AS) issuer, as
+    // > defined in RFC 8414 [RFC8414].
     try {
-      switch (this.metadata.request_object_signing_alg) {
-        case 'none':
-          return await this.jwtVerifyUnsecured(jar, {
-            maxTokenAge: JAR_MAX_AGE / 1000,
-          })
-        case undefined:
-          // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
-          // > The default, if omitted, is that any algorithm supported by the OP
-          // > and the RP MAY be used.
-          return await this.jwtVerify(jar, {
-            maxTokenAge: JAR_MAX_AGE / 1000,
-          })
-        default:
-          return await this.jwtVerify(jar, {
-            maxTokenAge: JAR_MAX_AGE / 1000,
-            algorithms: [this.metadata.request_object_signing_alg],
-          })
+      // We need to special case the "none" algorithm, as the validation method
+      // is different for signed and unsigned JWTs.
+      if (this.metadata.request_object_signing_alg === 'none') {
+        return await this.jwtVerifyUnsecured(jar, {
+          audience,
+          maxTokenAge: JAR_MAX_AGE / 1e3,
+          allowMissingAudience: true,
+          allowMissingIssuer: true,
+        })
       }
+
+      return await this.jwtVerify(jar, {
+        audience,
+        maxTokenAge: JAR_MAX_AGE / 1e3,
+        algorithms: this.metadata.request_object_signing_alg
+          ? [this.metadata.request_object_signing_alg]
+          : // https://openid.net/specs/openid-connect-registration-1_0.html#rfc.section.2
+            //
+            // > The default, if omitted, is that any algorithm supported by the OP
+            // > and the RP MAY be used.
+            undefined,
+      })
     } catch (err) {
       const message =
         err instanceof JOSEError
@@ -87,12 +110,38 @@ export class Client {
 
   protected async jwtVerifyUnsecured<PayloadType = JWTPayload>(
     token: string,
-    options?: Omit<JWTVerifyOptions, 'issuer'>,
+    {
+      audience,
+      allowMissingAudience = false,
+      allowMissingIssuer = false,
+      ...options
+    }: Omit<JWTClaimVerificationOptions, 'issuer'> & {
+      allowMissingIssuer?: boolean
+      allowMissingAudience?: boolean
+    } = {},
   ): Promise<UnsecuredResult<PayloadType>> {
-    return UnsecuredJWT.decode(token, {
-      ...options,
-      issuer: this.id,
-    })
+    // jose does not support `allowMissingAudience` and `allowMissingIssuer`
+    // options, so we need to handle audience and issuer checks manually (see
+    // bellow).
+
+    const result = UnsecuredJWT.decode<PayloadType>(token, options)
+
+    if (!allowMissingIssuer || result.payload.iss != null) {
+      if (result.payload.iss !== this.id) {
+        throw new JOSEError(`Invalid "iss" claim "${result.payload.iss}"`)
+      }
+    }
+
+    if (!allowMissingAudience || result.payload.aud != null) {
+      if (audience != null) {
+        const payloadAud = asArray(result.payload.aud)
+        if (!asArray(audience).some((aud) => payloadAud.includes(aud))) {
+          throw new JOSEError(`Invalid "aud" claim "${result.payload.aud}"`)
+        }
+      }
+    }
+
+    return result
   }
 
   protected async jwtVerify<PayloadType = JWTPayload>(
@@ -110,63 +159,103 @@ export class Client {
    * @see {@link https://datatracker.ietf.org/doc/html/rfc7523#section-3}
    * @see {@link https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method}
    */
-  public async verifyCredentials(
+  public async authenticate(
     input: OAuthClientCredentials,
     checks: {
-      audience: string
+      authorizationServerIdentifier: string
     },
-  ): Promise<{
-    clientAuth: ClientAuth
-    // for replay protection
-    nonce?: string
-  }> {
-    const method = this.metadata[`token_endpoint_auth_method`]
+  ): Promise<ClientAuth> {
+    const method = this.metadata.token_endpoint_auth_method
 
     if (method === 'none') {
-      const clientAuth: ClientAuth = { method: 'none' }
-      return { clientAuth }
+      return { method: 'none' }
     }
 
     if (method === 'private_key_jwt') {
-      if (!('client_assertion_type' in input) || !input.client_assertion_type) {
-        throw new InvalidRequestError(
-          `client_assertion_type required for "${method}"`,
-        )
-      } else if (!input.client_assertion) {
+      if (!('client_assertion' in input)) {
         throw new InvalidRequestError(
-          `client_assertion required for "${method}"`,
+          `client authentication method "${method}" required a "client_assertion"`,
         )
       }
 
       if (input.client_assertion_type === CLIENT_ASSERTION_TYPE_JWT_BEARER) {
+        // https://www.rfc-editor.org/rfc/rfc7523.html#section-3
+
         const result = await this.jwtVerify<{
           jti: string
+          exp?: number
         }>(input.client_assertion, {
-          audience: checks.audience,
+          // > 1. The JWT MUST contain an "iss" (issuer) claim that contains a
+          // >    unique identifier for the entity that issued the JWT.
+          //
+          // The "issuer" is already checked by jwtVerify()
+
+          // > 2. The JWT MUST contain a "sub" (subject) claim identifying the
+          // >    principal that is the subject of the JWT. Two cases need to be
+          // >    differentiated: [...] For client authentication, the subject
+          // >    MUST be the "client_id" of the OAuth client.
           subject: this.id,
+
+          // > 3. The JWT MUST contain an "aud" (audience) claim containing a
+          // >    value that identifies the authorization server as an intended
+          // >    audience. The token endpoint URL of the authorization server
+          // >    MAY be used as a value for an "aud" element to identify the
+          // >    authorization server as an intended audience of the JWT.
+          audience: checks.authorizationServerIdentifier,
+
+          requiredClaims: [
+            // > 4. The JWT MUST contain an "exp" (expiration time) claim that
+            // >    limits the time window during which the JWT can be used.
+            //
+            // @TODO The presence of "exp" didn't use to be enforced by this
+            // implementation (or provided by the oauth-client). This is mostly
+            // fine because "iat" *is* required, but this makes this
+            // implementation non compliant with RFC7523. We can't just make it
+            // required as it might break existing clients.
+
+            // 'exp',
+
+            // > 7. The JWT MAY contain a "jti" (JWT ID) claim that provides a
+            // >    unique identifier for the token. The authorization server
+            // >    MAY ensure that JWTs are not replayed by maintaining the set
+            // >    of used "jti" values for the length of time for which the
+            // >    JWT would be considered valid based on the applicable "exp"
+            // >    instant.
+            'jti',
+          ],
+
+          // > 5. The JWT MAY contain an "nbf" (not before) claim that
+          // >    identifies the time before which the token MUST NOT be
+          // >    accepted for processing.
+          //
+          // This is already enforced by jose
+
+          // > 6. The JWT MAY contain an "iat" (issued at) claim that identifies
+          // >    the time at which the JWT was issued.  Note that the
+          // >    authorization server may reject JWTs with an "iat" claim value
+          // >    that is unreasonably far in the past.
           maxTokenAge: CLIENT_ASSERTION_MAX_AGE / 1000,
-          requiredClaims: ['jti'],
         }).catch((err) => {
-          if (err instanceof JOSEError) {
-            const msg = `Validation of "client_assertion" failed: ${err.message}`
-            throw new InvalidClientError(msg, err)
-          }
+          const msg =
+            err instanceof JOSEError
+              ? `Validation of "client_assertion" failed: ${err.message}`
+              : `Unable to verify "client_assertion" JWT`
 
-          throw err
+          throw new InvalidClientError(msg, err)
         })
 
         if (!result.protectedHeader.kid) {
           throw new InvalidClientError(`"kid" required in client_assertion`)
         }
 
-        const clientAuth: ClientAuth = {
-          method: CLIENT_ASSERTION_TYPE_JWT_BEARER,
+        return {
+          method: 'private_key_jwt',
+          jti: result.payload.jti,
+          exp: result.payload.exp,
           jkt: await authJwkThumbprint(result.key),
           alg: result.protectedHeader.alg,
           kid: result.protectedHeader.kid,
         }
-
-        return { clientAuth, nonce: result.payload.jti }
       }
 
       throw new InvalidClientError(
@@ -189,41 +278,6 @@ export class Client {
     )
   }
 
-  /**
-   * Ensures that a {@link ClientAuth} generated in the past is still valid wrt
-   * the current client metadata & jwks. This is used to invalidate tokens when
-   * the client stops advertising the key that it used to authenticate itself
-   * during the initial token request.
-   */
-  public async validateClientAuth(clientAuth: ClientAuth): Promise<boolean> {
-    if (clientAuth.method === 'none') {
-      return this.metadata[`token_endpoint_auth_method`] === 'none'
-    }
-
-    if (clientAuth.method === CLIENT_ASSERTION_TYPE_JWT_BEARER) {
-      if (this.metadata[`token_endpoint_auth_method`] !== 'private_key_jwt') {
-        return false
-      }
-      try {
-        const key = await this.keyGetter(
-          {
-            kid: clientAuth.kid,
-            alg: clientAuth.alg,
-          },
-          { payload: '', signature: '' },
-        )
-        const jtk = await authJwkThumbprint(key)
-
-        return jtk === clientAuth.jkt
-      } catch (e) {
-        return false
-      }
-    }
-
-    // @ts-expect-error
-    throw new Error(`Invalid method "${clientAuth.method}"`)
-  }
-
   /**
    * Validates the request parameters against the client metadata.
    */
@@ -328,3 +382,13 @@ export class Client {
     return redirect_uris.length === 1 ? redirect_uris[0] : undefined
   }
 }
+
+export async function authJwkThumbprint(
+  key: Uint8Array | KeyLike,
+): Promise<string> {
+  try {
+    return await calculateJwkThumbprint(await exportJWK(key), 'sha512')
+  } catch (err) {
+    throw new InvalidClientError('Unable to compute JWK thumbprint', err)
+  }
+}

package/src/constants.ts

@@ -38,17 +38,17 @@ export const TOKEN_MAX_AGE = 60 * MINUTE
 /** 5 minutes */
 export const AUTHORIZATION_INACTIVITY_TIMEOUT = 5 * MINUTE
 
-/** 1 months */
-export const AUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT = 1 * MONTH
+/** 1 week */
+export const PUBLIC_CLIENT_SESSION_LIFETIME = 1 * WEEK
 
 /** 2 days */
-export const UNAUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT = 2 * DAY
-
-/** 1 week */
-export const UNAUTHENTICATED_REFRESH_LIFETIME = 1 * WEEK
+export const PUBLIC_CLIENT_REFRESH_LIFETIME = 2 * DAY
 
 /** 1 year */
-export const AUTHENTICATED_REFRESH_LIFETIME = 1 * YEAR
+export const CONFIDENTIAL_CLIENT_SESSION_LIFETIME = 1 * YEAR
+
+/** 1 months */
+export const CONFIDENTIAL_CLIENT_REFRESH_LIFETIME = 1 * MONTH
 
 /** 5 minutes */
 export const PAR_EXPIRES_IN = 5 * MINUTE
@@ -73,3 +73,5 @@ export const SESSION_FIXATION_MAX_AGE = 5 * SECOND
 
 /** 1 day */
 export const CODE_CHALLENGE_REPLAY_TIMEFRAME = 1 * DAY
+
+export const NODE_ENV = process.env.NODE_ENV || 'production'

package/src/metadata/build-metadata.ts

@@ -2,7 +2,7 @@ import { Keyset } from '@atproto/jwk'
 import {
   OAuthAuthorizationServerMetadata,
   OAuthIssuerIdentifier,
-  oauthAuthorizationServerMetadataSchema,
+  oauthAuthorizationServerMetadataValidator,
 } from '@atproto/oauth-types'
 import { Client } from '../client/client.js'
 import { VERIFY_ALGOS } from '../lib/util/crypto.js'
@@ -22,7 +22,7 @@ export function buildMetadata(
   keyset: Keyset,
   customMetadata?: CustomMetadata,
 ): OAuthAuthorizationServerMetadata {
-  return oauthAuthorizationServerMetadataSchema.parse({
+  return oauthAuthorizationServerMetadataValidator.parse({
     issuer,
 
     scopes_supported: [