@atproto/oauth-provider 0.8.0 → 0.9.0

package/src/oauth-provider.ts

@@ -1,4 +1,6 @@
+import { createHash } from 'node:crypto'
 import type { Redis, RedisOptions } from 'ioredis'
+import { ZodError } from 'zod'
 import { Jwks, Keyset } from '@atproto/jwk'
 import type { Account } from '@atproto/oauth-provider-api'
 import {
@@ -33,7 +35,7 @@ import {
   DeviceAccount,
   asAccountStore,
 } from './account/account-store.js'
-import { ClientAuth, authJwkThumbprint } from './client/client-auth.js'
+import { ClientAuth, ClientAuthLegacy } from './client/client-auth.js'
 import { ClientId } from './client/client-id.js'
 import {
   ClientManager,
@@ -41,7 +43,14 @@ import {
 } from './client/client-manager.js'
 import { ClientStore, ifClientStore } from './client/client-store.js'
 import { Client } from './client/client.js'
-import { AUTHENTICATION_MAX_AGE, TOKEN_MAX_AGE } from './constants.js'
+import {
+  AUTHENTICATION_MAX_AGE,
+  CONFIDENTIAL_CLIENT_REFRESH_LIFETIME,
+  CONFIDENTIAL_CLIENT_SESSION_LIFETIME,
+  PUBLIC_CLIENT_REFRESH_LIFETIME,
+  PUBLIC_CLIENT_SESSION_LIFETIME,
+  TOKEN_MAX_AGE,
+} from './constants.js'
 import { Branding, BrandingInput } from './customization/branding.js'
 import {
   Customization,
@@ -58,8 +67,9 @@ import { DeviceStore, asDeviceStore } from './device/device-store.js'
 import { AccessDeniedError } from './errors/access-denied-error.js'
 import { AccountSelectionRequiredError } from './errors/account-selection-required-error.js'
 import { ConsentRequiredError } from './errors/consent-required-error.js'
+import { InvalidDpopKeyBindingError } from './errors/invalid-dpop-key-binding-error.js'
+import { InvalidDpopProofError } from './errors/invalid-dpop-proof-error.js'
 import { InvalidGrantError } from './errors/invalid-grant-error.js'
-import { InvalidParametersError } from './errors/invalid-parameters-error.js'
 import { InvalidRequestError } from './errors/invalid-request-error.js'
 import { LoginRequiredError } from './errors/login-required-error.js'
 import { HcaptchaConfig } from './lib/hcaptcha.js'
@@ -76,18 +86,20 @@ import {
 } from './oauth-verifier.js'
 import { ReplayStore, ifReplayStore } from './replay/replay-store.js'
 import { codeSchema } from './request/code.js'
-import { RequestInfo } from './request/request-info.js'
 import { RequestManager } from './request/request-manager.js'
-import { RequestStoreMemory } from './request/request-store-memory.js'
-import { RequestStoreRedis } from './request/request-store-redis.js'
-import { RequestStore, ifRequestStore } from './request/request-store.js'
+import { RequestStore, asRequestStore } from './request/request-store.js'
 import { requestUriSchema } from './request/request-uri.js'
 import { AuthorizationRedirectParameters } from './result/authorization-redirect-parameters.js'
 import { AuthorizationResultAuthorizePage } from './result/authorization-result-authorize-page.js'
 import { AuthorizationResultRedirect } from './result/authorization-result-redirect.js'
 import { ErrorHandler } from './router/error-handler.js'
+import { TokenData } from './token/token-data.js'
 import { TokenManager } from './token/token-manager.js'
-import { TokenStore, asTokenStore } from './token/token-store.js'
+import {
+  TokenStore,
+  asTokenStore,
+  refreshTokenSchema,
+} from './token/token-store.js'
 import {
   VerifyTokenClaimsOptions,
   VerifyTokenClaimsResult,
@@ -242,18 +254,17 @@ export class OAuthProvider extends OAuthVerifier {
     metadata,
 
     safeFetch = safeFetchWrap(),
-    redis,
     store, // compound store implementation
 
     // Requires stores
     accountStore = asAccountStore(store),
     deviceStore = asDeviceStore(store),
     tokenStore = asTokenStore(store),
+    requestStore = asRequestStore(store),
 
     // These are optional
     clientStore = ifClientStore(store),
     replayStore = ifReplayStore(store),
-    requestStore = ifRequestStore(store),
 
     clientJwksCache = new SimpleStoreMemory({
       maxSize: 50_000_000,
@@ -288,11 +299,7 @@ export class OAuthProvider extends OAuthVerifier {
     // be the responsibility of the super class.
     const superOptions: OAuthVerifierOptions = rest
 
-    super({ replayStore, redis, ...superOptions })
-
-    requestStore ??= redis
-      ? new RequestStoreRedis({ redis })
-      : new RequestStoreMemory()
+    super({ replayStore, ...superOptions })
 
     this.accessTokenMode = accessTokenMode
     this.authenticationMaxAge = authenticationMaxAge
@@ -363,97 +370,92 @@ export class OAuthProvider extends OAuthVerifier {
   }
 
   protected async authenticateClient(
-    credentials: OAuthClientCredentials,
-  ): Promise<[Client, ClientAuth]> {
-    const client = await this.clientManager.getClient(credentials.client_id)
-    const { clientAuth, nonce } = await client.verifyCredentials(credentials, {
-      audience: this.issuer,
-    })
+    clientCredentials: OAuthClientCredentials,
+    dpopProof: null | DpopProof,
+    options?: {
+      allowMissingDpopProof?: boolean
+    },
+  ): Promise<{
+    client: Client
+    clientAuth: ClientAuth
+  }> {
+    const client = await this.clientManager.getClient(
+      clientCredentials.client_id,
+    )
 
     if (
-      client.metadata.application_type === 'native' &&
-      clientAuth.method !== 'none'
+      client.metadata.dpop_bound_access_tokens &&
+      !dpopProof &&
+      !options?.allowMissingDpopProof
     ) {
-      // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
-      //
-      // > Except when using a mechanism like Dynamic Client Registration
-      // > [RFC7591] to provision per-instance secrets, native apps are
-      // > classified as public clients, as defined by Section 2.1 of OAuth 2.0
-      // > [RFC6749]; they MUST be registered with the authorization server as
-      // > such. Authorization servers MUST record the client type in the client
-      // > registration details in order to identify and process requests
-      // > accordingly.
+      throw new InvalidDpopProofError('DPoP proof required')
+    }
 
-      throw new InvalidGrantError(
-        'Native clients must authenticate using "none" method',
-      )
+    if (dpopProof && !client.metadata.dpop_bound_access_tokens) {
+      throw new InvalidDpopProofError('DPoP proof not allowed for this client')
     }
 
-    if (nonce != null) {
-      const unique = await this.replayManager.uniqueAuth(nonce, client.id)
+    const clientAuth = await client.authenticate(clientCredentials, {
+      authorizationServerIdentifier: this.issuer,
+    })
+
+    if (clientAuth.method === 'private_key_jwt') {
+      // Clients MUST NOT use their client assertion key to sign DPoP proofs
+      if (dpopProof && clientAuth.jkt === dpopProof.jkt) {
+        throw new InvalidRequestError(
+          'The DPoP proof must be signed with a different key than the client assertion',
+        )
+      }
+
+      // https://www.rfc-editor.org/rfc/rfc7523.html#section-3
+      // > 7.  [...] The authorization server MAY ensure that JWTs are not
+      // >     replayed by maintaining the set of used "jti" values for the
+      // >     length of time for which the JWT would be considered valid based
+      // >     on the applicable "exp" instant.
+
+      const unique = await this.replayManager.uniqueAuth(
+        clientAuth.jti,
+        client.id,
+        clientAuth.exp,
+      )
       if (!unique) {
         throw new InvalidGrantError(`${clientAuth.method} jti reused`)
       }
     }
 
-    return [client, clientAuth]
+    return { client, clientAuth }
   }
 
   protected async decodeJAR(
     client: Client,
     input: OAuthAuthorizationRequestJar,
-  ): Promise<
-    | {
-        payload: OAuthAuthorizationRequestParameters
-      }
-    | {
-        payload: OAuthAuthorizationRequestParameters
-        protectedHeader: { kid: string; alg: string }
-        jkt: string
-      }
-  > {
-    const result = await client.decodeRequestObject(input.request)
-    const payload = oauthAuthorizationRequestParametersSchema.parse(
-      result.payload,
+  ): Promise<OAuthAuthorizationRequestParameters> {
+    const { payload } = await client.decodeRequestObject(
+      input.request,
+      this.issuer,
     )
 
-    if (!result.payload.jti) {
-      throw new InvalidParametersError(
-        payload,
-        'Request object must contain a jti claim',
+    const { jti } = payload
+    if (!jti) {
+      throw new InvalidRequestError(
+        'Request object payload must contain a "jti" claim',
       )
     }
-
-    if (!(await this.replayManager.uniqueJar(result.payload.jti, client.id))) {
-      throw new InvalidParametersError(
-        payload,
-        'Request object jti is not unique',
-      )
+    if (!(await this.replayManager.uniqueJar(jti, client.id))) {
+      throw new InvalidRequestError('Request object was replayed')
     }
 
-    if ('protectedHeader' in result) {
-      if (!result.protectedHeader.kid) {
-        throw new InvalidParametersError(payload, 'Missing "kid" in header')
-      }
-
-      return {
-        jkt: await authJwkThumbprint(result.key),
-        payload,
-        protectedHeader: result.protectedHeader as {
-          alg: string
-          kid: string
-        },
-      }
-    }
-
-    if ('header' in result) {
-      return {
-        payload,
-      }
-    }
-
-    // Should never happen
-    throw new Error('Invalid request object')
+    const parameters = await oauthAuthorizationRequestParametersSchema
+      .parseAsync(payload)
+      .catch((err) => {
+        const message =
+          err instanceof ZodError
+            ? `Invalid request parameters: ${err.message}`
+            : `Invalid "request" object`
+        throw InvalidRequestError.from(err, message)
+      })
+
+    return parameters
   }
 
   /**
@@ -465,12 +467,43 @@ export class OAuthProvider extends OAuthVerifier {
     dpopProof: null | DpopProof,
   ): Promise<OAuthParResponse> {
     try {
-      const [client, clientAuth] = await this.authenticateClient(credentials)
+      const { client, clientAuth } = await this.authenticateClient(
+        credentials,
+        dpopProof,
+        // Allow missing DPoP header for PAR requests as rfc9449 allows it
+        // (though the dpop_jkt parameter must be present in that case, see
+        // check bellow).
+        { allowMissingDpopProof: true },
+      )
 
-      const { payload: parameters } =
+      const parameters =
         'request' in authorizationRequest // Handle JAR
           ? await this.decodeJAR(client, authorizationRequest)
-          : { payload: authorizationRequest }
+          : authorizationRequest
+
+      if (!parameters.dpop_jkt) {
+        if (client.metadata.dpop_bound_access_tokens) {
+          if (dpopProof) parameters.dpop_jkt = dpopProof.jkt
+          else {
+            // @NOTE When both PAR and DPoP are used, either the DPoP header, or
+            // the dpop_jkt parameter must be present. We do not enforce this
+            // for legacy reasons.
+            // https://datatracker.ietf.org/doc/html/rfc9449#section-10.1
+          }
+        }
+      } else {
+        if (!client.metadata.dpop_bound_access_tokens) {
+          throw new InvalidRequestError(
+            'DPoP bound access tokens are not enabled for this client',
+          )
+        }
+
+        // Proof is optional if the dpop_jkt is provided, but if it is provided,
+        // it must match the DPoP proof JKT.
+        if (dpopProof && dpopProof.jkt !== parameters.dpop_jkt) {
+          throw new InvalidDpopKeyBindingError()
+        }
+      }
 
       const { uri, expiresAt } =
         await this.requestManager.createAuthorizationRequest(
@@ -478,7 +511,6 @@ export class OAuthProvider extends OAuthVerifier {
           clientAuth,
           parameters,
           null,
-          dpopProof,
         )
 
       return {
@@ -501,7 +533,8 @@ export class OAuthProvider extends OAuthVerifier {
     client: Client,
     deviceId: DeviceId,
     query: OAuthAuthorizationRequestQuery,
-  ): Promise<RequestInfo> {
+  ) {
+    // PAR
     if ('request_uri' in query) {
       const requestUri = await requestUriSchema
         .parseAsync(query.request_uri, { path: ['query', 'request_uri'] })
@@ -515,43 +548,35 @@ export class OAuthProvider extends OAuthVerifier {
       return this.requestManager.get(requestUri, deviceId, client.id)
     }
 
+    // JAR
     if ('request' in query) {
-      const requestObject = await this.decodeJAR(client, query)
-
-      if ('protectedHeader' in requestObject && requestObject.protectedHeader) {
-        // Allow using signed JAR during "/authorize" as client authentication.
-        // This allows clients to skip PAR to initiate trusted sessions.
-        const clientAuth: ClientAuth = {
-          method: CLIENT_ASSERTION_TYPE_JWT_BEARER,
-          kid: requestObject.protectedHeader.kid,
-          alg: requestObject.protectedHeader.alg,
-          jkt: requestObject.jkt,
-        }
-
-        return this.requestManager.createAuthorizationRequest(
-          client,
-          clientAuth,
-          requestObject.payload,
-          deviceId,
-          null,
-        )
-      }
+      // @NOTE Since JAR are signed with the client's private key, a JAR *could*
+      // technically be used to authenticate the client when requests are
+      // created without PAR (i.e. created on the fly by the authorize
+      // endpoint). This implementation actually used to support this
+      // (un-spec'd) behavior. That support was removed:
+      // - Because it was not actually used
+      // - Because it was not part of any standard
+      // - Because it makes extending the client authentication mechanism more
+      //   complex since any extension would not only need to affect the
+      //   "private_key_jwt" auth method but also the JAR "request" object.
+      const parameters = await this.decodeJAR(client, query)
 
       return this.requestManager.createAuthorizationRequest(
         client,
-        { method: 'none' },
-        requestObject.payload,
-        deviceId,
         null,
+        parameters,
+        deviceId,
       )
     }
 
+    // "Regular" authorization request (created on the fly by directing the user
+    // to the authorization endpoint with all the parameters in the url).
     return this.requestManager.createAuthorizationRequest(
       client,
-      { method: 'none' },
+      null,
       query,
       deviceId,
-      null,
     )
   }
 
@@ -723,8 +748,10 @@ export class OAuthProvider extends OAuthVerifier {
     request: OAuthTokenRequest,
     dpopProof: null | DpopProof,
   ): Promise<OAuthTokenResponse> {
-    const [client, clientAuth] =
-      await this.authenticateClient(clientCredentials)
+    const { client, clientAuth } = await this.authenticateClient(
+      clientCredentials,
+      dpopProof,
+    )
 
     if (!this.metadata.grant_types_supported?.includes(request.grant_type)) {
       throw new InvalidGrantError(
@@ -739,7 +766,7 @@ export class OAuthProvider extends OAuthVerifier {
     }
 
     if (request.grant_type === 'authorization_code') {
-      return this.codeGrant(
+      return this.authorizationCodeGrant(
         client,
         clientAuth,
         clientMetadata,
@@ -763,116 +790,289 @@ export class OAuthProvider extends OAuthVerifier {
     )
   }
 
-  protected async codeGrant(
+  protected async compareClientAuth(
+    client: Client,
+    clientAuth: ClientAuth,
+    dpopProof: null | DpopProof,
+    initial: {
+      parameters: OAuthAuthorizationRequestParameters
+      clientId: ClientId
+      clientAuth: null | ClientAuth | ClientAuthLegacy
+    },
+  ): Promise<void> {
+    // Fool proofing, ensure that the client is authenticating using the right method
+    if (clientAuth.method !== client.metadata.token_endpoint_auth_method) {
+      throw new InvalidGrantError(
+        `Client authentication method mismatch (expected ${client.metadata.token_endpoint_auth_method}, got ${clientAuth.method})`,
+      )
+    }
+
+    if (initial.clientId !== client.id) {
+      throw new InvalidGrantError(`Token was not issued to this client`)
+    }
+
+    const { parameters } = initial
+    if (parameters.dpop_jkt) {
+      if (!dpopProof) {
+        throw new InvalidGrantError(`DPoP proof is required for this request`)
+      } else if (parameters.dpop_jkt !== dpopProof.jkt) {
+        throw new InvalidGrantError(
+          `DPoP proof does not match the expected JKT`,
+        )
+      }
+    }
+
+    if (!initial.clientAuth) {
+      // If the client did not use PAR, it was not authenticated when the request
+      // was initially created (see authorize() method in OAuthProvider). Since
+      // PAR is not mandatory, and since the token exchange currently taking place
+      // *is* authenticated (`clientAuth`), we allow "upgrading" the
+      // authentication method (the token created will be bound to the current
+      // clientAuth).
+      return
+    }
+
+    switch (initial.clientAuth.method) {
+      case CLIENT_ASSERTION_TYPE_JWT_BEARER: // LEGACY
+      case 'private_key_jwt':
+        if (clientAuth.method !== 'private_key_jwt') {
+          throw new InvalidGrantError(
+            `Client authentication method mismatch (expected ${initial.clientAuth.method})`,
+          )
+        }
+        if (
+          clientAuth.kid !== initial.clientAuth.kid ||
+          clientAuth.alg !== initial.clientAuth.alg ||
+          clientAuth.jkt !== initial.clientAuth.jkt
+        ) {
+          throw new InvalidGrantError(
+            `The session was initiated with a different key than the client assertion currently used`,
+          )
+        }
+        break
+      case 'none':
+        // @NOTE We allow the client to "upgrade" to a confidential client if
+        // the session was initially created without client authentication.
+        break
+      default:
+        throw new InvalidGrantError(
+          // @ts-expect-error (future proof, backwards compatibility)
+          `Invalid method "${initial.clientAuth.method}"`,
+        )
+    }
+  }
+
+  protected async authorizationCodeGrant(
     client: Client,
     clientAuth: ClientAuth,
     clientMetadata: RequestMetadata,
     input: OAuthAuthorizationCodeGrantTokenRequest,
     dpopProof: null | DpopProof,
   ): Promise<OAuthTokenResponse> {
-    const code = codeSchema.parse(input.code)
-    try {
-      const { sub, deviceId, parameters } = await this.requestManager.findCode(
-        client,
-        clientAuth,
-        code,
+    const code = await codeSchema
+      .parseAsync(input.code, { path: ['code'] })
+      .catch((err) => {
+        throw InvalidGrantError.from(
+          err,
+          err instanceof ZodError
+            ? `Invalid code: ${err.message}`
+            : `Invalid code`,
+        )
+      })
+
+    const data = await this.requestManager
+      .consumeCode(code)
+      .catch(async (err) => {
+        // Code not found in request manager: check for replays
+        const tokenInfo = await this.tokenManager.findByCode(code)
+        if (tokenInfo) {
+          // try/finally to ensure that both code path get executed (sequentially)
+          try {
+            // "code" was replayed, delete existing session
+            await this.tokenManager.deleteToken(tokenInfo.id)
+          } finally {
+            // As an additional security measure, we also sign the device out,
+            // so that the device cannot be used to access the account anymore
+            // without a new authentication.
+            const { deviceId, sub } = tokenInfo.data
+            if (deviceId) {
+              await this.accountManager.removeDeviceAccount(deviceId, sub)
+            }
+          }
+        }
+
+        throw InvalidGrantError.from(err, `Invalid code`)
+      })
+
+    // @NOTE at this point, the request data was removed from the store and only
+    // exists in memory here (in the "data" variable). Because of this, any
+    // error thrown after this point will permanently cause the request data to
+    // be lost.
+
+    await this.compareClientAuth(client, clientAuth, dpopProof, data)
+
+    // If the DPoP proof was not provided earlier (PAR / authorize), let's add
+    // it now.
+    const parameters =
+      dpopProof &&
+      client.metadata.dpop_bound_access_tokens &&
+      !data.parameters.dpop_jkt
+        ? { ...data.parameters, dpop_jkt: dpopProof.jkt }
+        : data.parameters
+
+    await this.validateCodeGrant(parameters, input)
+
+    const { account } = await this.accountManager.getAccount(data.sub)
+
+    return this.tokenManager.createToken(
+      client,
+      clientAuth,
+      clientMetadata,
+      account,
+      data.deviceId,
+      parameters,
+      code,
+    )
+  }
+
+  protected async validateCodeGrant(
+    parameters: OAuthAuthorizationRequestParameters,
+    input: OAuthAuthorizationCodeGrantTokenRequest,
+  ): Promise<void> {
+    if (parameters.redirect_uri !== input.redirect_uri) {
+      throw new InvalidGrantError(
+        'The redirect_uri parameter must match the one used in the authorization request',
       )
+    }
 
-      // the following check prevents re-use of PKCE challenges, enforcing the
-      // clients to generate a new challenge for each authorization request. The
-      // replay manager typically prevents replay over a certain time frame,
-      // which might not cover the entire lifetime of the token (depending on
-      // the implementation of the replay store). For this reason, we should
-      // ideally ensure that the code_challenge was not already used by any
-      // existing token or any other pending request.
-      //
-      // The current implementation will cause client devs not issuing a new
-      // code challenge for each authorization request to fail, which should be
-      // a good enough incentive to follow the best practices, until we have a
-      // better implementation.
-      //
-      // @TODO Use tokenManager to ensure uniqueness of code_challenge
-      if (parameters.code_challenge) {
-        const unique = await this.replayManager.uniqueCodeChallenge(
-          parameters.code_challenge,
-        )
-        if (!unique) {
-          throw new InvalidGrantError('Code challenge already used')
+    if (parameters.code_challenge) {
+      if (!input.code_verifier) {
+        throw new InvalidGrantError('code_verifier is required')
+      }
+      if (input.code_verifier.length < 43) {
+        throw new InvalidGrantError('code_verifier too short')
+      }
+      switch (parameters.code_challenge_method) {
+        case undefined: // default is "plain"
+        case 'plain':
+          if (parameters.code_challenge !== input.code_verifier) {
+            throw new InvalidGrantError('Invalid code_verifier')
+          }
+          break
+
+        case 'S256': {
+          const inputChallenge = Buffer.from(
+            parameters.code_challenge,
+            'base64',
+          )
+          const computedChallenge = createHash('sha256')
+            .update(input.code_verifier)
+            .digest()
+          if (inputChallenge.compare(computedChallenge) !== 0) {
+            throw new InvalidGrantError('Invalid code_verifier')
+          }
+          break
         }
+
+        default:
+          // Should never happen (because request validation should catch this)
+          throw new Error(`Unsupported code_challenge_method`)
       }
+      const unique = await this.replayManager.uniqueCodeChallenge(
+        parameters.code_challenge,
+      )
+      if (!unique) {
+        throw new InvalidGrantError('Code challenge already used')
+      }
+    } else if (input.code_verifier !== undefined) {
+      throw new InvalidRequestError("code_challenge parameter wasn't provided")
+    }
+  }
 
-      const { account } = await this.accountManager.getAccount(sub)
+  protected async refreshTokenGrant(
+    client: Client,
+    clientAuth: ClientAuth,
+    clientMetadata: RequestMetadata,
+    input: OAuthRefreshTokenGrantTokenRequest,
+    dpopProof: null | DpopProof,
+  ): Promise<OAuthTokenResponse> {
+    const refreshToken = await refreshTokenSchema
+      .parseAsync(input.refresh_token, { path: ['refresh_token'] })
+      .catch((err) => {
+        throw InvalidGrantError.from(err, `Invalid refresh token`)
+      })
 
-      return await this.tokenManager.create(
+    const tokenInfo = await this.tokenManager.consumeRefreshToken(refreshToken)
+
+    try {
+      const { data } = tokenInfo
+      await this.compareClientAuth(client, clientAuth, dpopProof, data)
+      await this.validateRefreshGrant(client, clientAuth, data)
+
+      return await this.tokenManager.rotateToken(
         client,
         clientAuth,
         clientMetadata,
-        account,
-        deviceId,
-        parameters,
-        input,
-        dpopProof,
+        tokenInfo,
       )
     } catch (err) {
-      // If a token is replayed, requestManager.findCode will throw. In that
-      // case, we need to revoke any token that was issued for this code.
-
-      const tokenInfo = await this.tokenManager.findByCode(code)
-      if (tokenInfo) {
-        await this.tokenManager.deleteToken(tokenInfo.id)
-
-        //  As an additional security measure, we also sign the device out, so
-        // that the device cannot be used to access the account anymore without
-        // a new authentication.
-        const { deviceId, sub } = tokenInfo.data
-        if (deviceId) {
-          await this.accountManager.removeDeviceAccount(deviceId, sub)
-        }
-      }
+      await this.tokenManager.deleteToken(tokenInfo.id)
 
       throw err
     }
   }
 
-  async refreshTokenGrant(
+  protected async validateRefreshGrant(
     client: Client,
     clientAuth: ClientAuth,
-    clientMetadata: RequestMetadata,
-    input: OAuthRefreshTokenGrantTokenRequest,
-    dpopProof: null | DpopProof,
-  ): Promise<OAuthTokenResponse> {
-    return this.tokenManager.refresh(
-      client,
-      clientAuth,
-      clientMetadata,
-      input,
-      dpopProof,
-    )
+    data: TokenData,
+  ): Promise<void> {
+    const [sessionLifetime, refreshLifetime] =
+      clientAuth.method !== 'none' || client.info.isFirstParty
+        ? [
+            CONFIDENTIAL_CLIENT_SESSION_LIFETIME,
+            CONFIDENTIAL_CLIENT_REFRESH_LIFETIME,
+          ]
+        : [PUBLIC_CLIENT_SESSION_LIFETIME, PUBLIC_CLIENT_REFRESH_LIFETIME]
+
+    const sessionAge = Date.now() - data.createdAt.getTime()
+    if (sessionAge > sessionLifetime) {
+      throw new InvalidGrantError(`Session expired`)
+    }
+
+    const refreshAge = Date.now() - data.updatedAt.getTime()
+    if (refreshAge > refreshLifetime) {
+      throw new InvalidGrantError(`Refresh token expired`)
+    }
   }
 
   /**
    * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 rfc7009}
    */
   public async revoke(
-    credentials: OAuthClientCredentials,
+    clientCredentials: OAuthClientCredentials,
     { token }: OAuthTokenIdentification,
+    dpopProof: null | DpopProof,
   ) {
     // > The authorization server first validates the client credentials (in
     // > case of a confidential client)
-    const [client, clientAuth] = await this.authenticateClient(credentials)
+    const { client, clientAuth } = await this.authenticateClient(
+      clientCredentials,
+      dpopProof,
+    )
 
     const tokenInfo = await this.tokenManager.findToken(token)
-
-    // > [...] and then verifies whether the token was issued to the client
-    // > making the revocation request. If this validation fails, the request is
-    // > refused and the client is informed of the error by the authorization
-    // > server as described below.
-    await this.tokenManager.validateAccess(client, clientAuth, tokenInfo)
-
-    // > In the next step, the authorization server invalidates the token. The
-    // > invalidation takes place immediately, and the token cannot be used
-    // > again after the revocation.
-    await this.tokenManager.deleteToken(tokenInfo.id)
+    if (tokenInfo) {
+      // > [...] and then verifies whether the token was issued to the client
+      // > making the revocation request.
+      const { data } = tokenInfo
+      await this.compareClientAuth(client, clientAuth, dpopProof, data)
+
+      // > In the next step, the authorization server invalidates the token. The
+      // > invalidation takes place immediately, and the token cannot be used
+      // > again after the revocation.
+      await this.tokenManager.deleteToken(tokenInfo.id)
+    }
   }
 
   protected override async verifyToken(