@atproto/oauth-types 0.1.0

package/dist/oauth-token-response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-response.js","sourceRoot":"","sources":["../src/oauth-token-response.ts"],"names":[],"mappings":";;;AAAA,sCAA8C;AAC9C,6BAAuB;AAEvB,qFAAkF;AAClF,+DAA4D;AAE5D;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC;KACtC,MAAM,CAAC;IACN,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,UAAU,EAAE,0CAAoB;IAChC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,QAAQ,EAAE,qBAAe,CAAC,QAAQ,EAAE;IACpC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,qBAAqB,EAAE,gEAA+B,CAAC,QAAQ,EAAE;CAClE,CAAC;IACF,0DAA0D;IAC1D,qEAAqE;KACpE,WAAW,EAAE,CAAA"}

package/dist/oauth-token-type.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const oauthTokenTypeSchema: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
+export type OAuthTokenType = z.infer<typeof oauthTokenTypeSchema>;
+//# sourceMappingURL=oauth-token-type.d.ts.map

package/dist/oauth-token-type.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-type.d.ts","sourceRoot":"","sources":["../src/oauth-token-type.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,oBAAoB,sGAS/B,CAAA;AAEF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA"}

package/dist/oauth-token-type.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthTokenTypeSchema = void 0;
+const zod_1 = require("zod");
+// Case insensitive input, normalized output
+exports.oauthTokenTypeSchema = zod_1.z.union([
+    zod_1.z
+        .string()
+        .regex(/^DPoP$/i)
+        .transform(() => 'DPoP'),
+    zod_1.z
+        .string()
+        .regex(/^Bearer$/i)
+        .transform(() => 'Bearer'),
+]);
+//# sourceMappingURL=oauth-token-type.js.map

package/dist/oauth-token-type.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-type.js","sourceRoot":"","sources":["../src/oauth-token-type.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,4CAA4C;AAC/B,QAAA,oBAAoB,GAAG,OAAC,CAAC,KAAK,CAAC;IAC1C,OAAC;SACE,MAAM,EAAE;SACR,KAAK,CAAC,SAAS,CAAC;SAChB,SAAS,CAAC,GAAG,EAAE,CAAC,MAAe,CAAC;IACnC,OAAC;SACE,MAAM,EAAE;SACR,KAAK,CAAC,WAAW,CAAC;SAClB,SAAS,CAAC,GAAG,EAAE,CAAC,QAAiB,CAAC;CACtC,CAAC,CAAA"}

package/dist/oidc-claims-parameter.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const oidcClaimsParameterSchema: z.ZodEnum<["auth_time", "nonce", "acr", "name", "family_name", "given_name", "middle_name", "nickname", "preferred_username", "gender", "picture", "profile", "website", "birthdate", "zoneinfo", "locale", "updated_at", "email", "email_verified", "phone_number", "phone_number_verified", "address"]>;
+export type OidcClaimsParameter = z.infer<typeof oidcClaimsParameterSchema>;
+//# sourceMappingURL=oidc-claims-parameter.d.ts.map

package/dist/oidc-claims-parameter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-claims-parameter.d.ts","sourceRoot":"","sources":["../src/oidc-claims-parameter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,yBAAyB,2SAmCpC,CAAA;AAEF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA"}

package/dist/oidc-claims-parameter.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oidcClaimsParameterSchema = void 0;
+const zod_1 = require("zod");
+exports.oidcClaimsParameterSchema = zod_1.z.enum([
+    // https://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#rfc.section.5.2
+    // if client metadata "require_auth_time" is true, this *must* be provided
+    'auth_time',
+    // OIDC
+    'nonce',
+    'acr',
+    // OpenID: "profile" scope
+    'name',
+    'family_name',
+    'given_name',
+    'middle_name',
+    'nickname',
+    'preferred_username',
+    'gender',
+    'picture',
+    'profile',
+    'website',
+    'birthdate',
+    'zoneinfo',
+    'locale',
+    'updated_at',
+    // OpenID: "email" scope
+    'email',
+    'email_verified',
+    // OpenID: "phone" scope
+    'phone_number',
+    'phone_number_verified',
+    // OpenID: "address" scope
+    'address',
+]);
+//# sourceMappingURL=oidc-claims-parameter.js.map

package/dist/oidc-claims-parameter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-claims-parameter.js","sourceRoot":"","sources":["../src/oidc-claims-parameter.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,yBAAyB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC9C,oGAAoG;IACpG,0EAA0E;IAC1E,WAAW;IAEX,OAAO;IACP,OAAO;IACP,KAAK;IAEL,0BAA0B;IAC1B,MAAM;IACN,aAAa;IACb,YAAY;IACZ,aAAa;IACb,UAAU;IACV,oBAAoB;IACpB,QAAQ;IACR,SAAS;IACT,SAAS;IACT,SAAS;IACT,WAAW;IACX,UAAU;IACV,QAAQ;IACR,YAAY;IAEZ,wBAAwB;IACxB,OAAO;IACP,gBAAgB;IAEhB,wBAAwB;IACxB,cAAc;IACd,uBAAuB;IAEvB,0BAA0B;IAC1B,SAAS;CACV,CAAC,CAAA"}

package/dist/oidc-claims-properties.d.ts

@@ -0,0 +1,16 @@
+import { z } from 'zod';
+export declare const oidcClaimsPropertiesSchema: z.ZodObject<{
+    essential: z.ZodOptional<z.ZodBoolean>;
+    value: z.ZodOptional<z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodBoolean]>>;
+    values: z.ZodOptional<z.ZodArray<z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodBoolean]>, "many">>;
+}, "strip", z.ZodTypeAny, {
+    values?: (string | number | boolean)[] | undefined;
+    value?: string | number | boolean | undefined;
+    essential?: boolean | undefined;
+}, {
+    values?: (string | number | boolean)[] | undefined;
+    value?: string | number | boolean | undefined;
+    essential?: boolean | undefined;
+}>;
+export type OidcClaimsProperties = z.infer<typeof oidcClaimsPropertiesSchema>;
+//# sourceMappingURL=oidc-claims-properties.d.ts.map

package/dist/oidc-claims-properties.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-claims-properties.d.ts","sourceRoot":"","sources":["../src/oidc-claims-properties.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB,eAAO,MAAM,0BAA0B;;;;;;;;;;;;EAIrC,CAAA;AAEF,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA"}

package/dist/oidc-claims-properties.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oidcClaimsPropertiesSchema = void 0;
+const zod_1 = require("zod");
+const oidcClaimsValueSchema = zod_1.z.union([zod_1.z.string(), zod_1.z.number(), zod_1.z.boolean()]);
+exports.oidcClaimsPropertiesSchema = zod_1.z.object({
+    essential: zod_1.z.boolean().optional(),
+    value: oidcClaimsValueSchema.optional(),
+    values: zod_1.z.array(oidcClaimsValueSchema).optional(),
+});
+//# sourceMappingURL=oidc-claims-properties.js.map

package/dist/oidc-claims-properties.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-claims-properties.js","sourceRoot":"","sources":["../src/oidc-claims-properties.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,MAAM,qBAAqB,GAAG,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;AAE/D,QAAA,0BAA0B,GAAG,OAAC,CAAC,MAAM,CAAC;IACjD,SAAS,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACjC,KAAK,EAAE,qBAAqB,CAAC,QAAQ,EAAE;IACvC,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,QAAQ,EAAE;CAClD,CAAC,CAAA"}

package/dist/oidc-entity-type.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const oidcEntityTypeSchema: z.ZodEnum<["userinfo", "id_token"]>;
+export type OidcEntityType = z.infer<typeof oidcEntityTypeSchema>;
+//# sourceMappingURL=oidc-entity-type.d.ts.map

package/dist/oidc-entity-type.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-entity-type.d.ts","sourceRoot":"","sources":["../src/oidc-entity-type.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,oBAAoB,qCAAmC,CAAA;AAEpE,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA"}

package/dist/oidc-entity-type.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oidcEntityTypeSchema = void 0;
+const zod_1 = require("zod");
+exports.oidcEntityTypeSchema = zod_1.z.enum(['userinfo', 'id_token']);
+//# sourceMappingURL=oidc-entity-type.js.map

package/dist/oidc-entity-type.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-entity-type.js","sourceRoot":"","sources":["../src/oidc-entity-type.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,oBAAoB,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAA"}

package/dist/util.d.ts

@@ -0,0 +1,5 @@
+export declare function isIP(hostname: string): boolean;
+export type LoopbackHost = 'localhost' | '127.0.0.1' | '[::1]';
+export declare function isLoopbackHost(host: unknown): host is LoopbackHost;
+export declare function isLoopbackUrl(input: URL | string): boolean;
+//# sourceMappingURL=util.d.ts.map

package/dist/util.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,IAAI,CAAC,QAAQ,EAAE,MAAM,WAQpC;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAG1D"}

package/dist/util.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isLoopbackUrl = exports.isLoopbackHost = exports.isIP = void 0;
+function isIP(hostname) {
+    // IPv4
+    if (hostname.match(/^\d+\.\d+\.\d+\.\d+$/))
+        return true;
+    // IPv6
+    if (hostname.startsWith('[') && hostname.endsWith(']'))
+        return true;
+    return false;
+}
+exports.isIP = isIP;
+function isLoopbackHost(host) {
+    return host === 'localhost' || host === '127.0.0.1' || host === '[::1]';
+}
+exports.isLoopbackHost = isLoopbackHost;
+function isLoopbackUrl(input) {
+    const url = typeof input === 'string' ? new URL(input) : input;
+    return isLoopbackHost(url.hostname);
+}
+exports.isLoopbackUrl = isLoopbackUrl;
+//# sourceMappingURL=util.js.map

package/dist/util.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA,SAAgB,IAAI,CAAC,QAAgB;IACnC,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AARD,oBAQC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAFD,wCAEC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAHD,sCAGC"}

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@atproto/oauth-types",
+  "version": "0.1.0",
+  "license": "MIT",
+  "description": "OAuth typing & validation library",
+  "keywords": [
+    "atproto",
+    "oauth",
+    "types",
+    "isomorphic"
+  ],
+  "homepage": "https://atproto.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bluesky-social/atproto",
+    "directory": "packages/oauth/oauth-types"
+  },
+  "type": "commonjs",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "dependencies": {
+    "zod": "^3.23.8",
+    "@atproto/jwk": "0.1.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.3.3"
+  },
+  "scripts": {
+    "build": "tsc --build tsconfig.build.json"
+  }
+}

package/src/access-token.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod'
+
+export const accessTokenSchema = z.string().min(1)
+export type AccessToken = z.infer<typeof accessTokenSchema>

package/src/atproto-loopback-client-metadata.ts

@@ -0,0 +1,30 @@
+import { isOAuthClientIdLoopback } from './oauth-client-id-loopback.js'
+import { OAuthClientMetadataInput } from './oauth-client-metadata.js'
+import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
+
+export function atprotoLoopbackClientMetadata(
+  clientId: string,
+): OAuthClientMetadataInput {
+  if (!isOAuthClientIdLoopback(clientId)) {
+    throw new TypeError(`Invalid loopback client ID ${clientId}`)
+  }
+
+  const { origin, pathname, searchParams } = parseOAuthClientIdUrl(clientId)
+
+  return {
+    client_id: clientId,
+    client_name: 'Loopback client',
+    response_types: ['code id_token', 'code'],
+    grant_types: ['authorization_code', 'implicit', 'refresh_token'],
+    scope: 'openid profile offline_access',
+    redirect_uris: searchParams.has('redirect_uri')
+      ? (searchParams.getAll('redirect_uri') as [string, ...string[]])
+      : (['127.0.0.1', '[::1]'].map(
+          (ip) =>
+            Object.assign(new URL(pathname, origin), { hostname: ip }).href,
+        ) as [string, ...string[]]),
+    token_endpoint_auth_method: 'none',
+    application_type: 'native',
+    dpop_bound_access_tokens: true,
+  }
+}

package/src/constants.ts

@@ -0,0 +1,9 @@
+export const CLIENT_ASSERTION_TYPE_JWT_BEARER =
+  'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+
+export const OAUTH_AUTHENTICATED_ENDPOINT_NAMES = [
+  'token',
+  'revocation',
+  'introspection',
+  'pushed_authorization_request',
+] as const

package/src/index.ts

@@ -0,0 +1,27 @@
+export * from './constants.js'
+export * from './util.js'
+
+export * from './access-token.js'
+export * from './atproto-loopback-client-metadata.js'
+export * from './oauth-client-id-discoverable.js'
+export * from './oauth-client-id-loopback.js'
+export * from './oauth-authentication-request-parameters.js'
+export * from './oauth-authorization-details.js'
+export * from './oauth-authorization-server-metadata.js'
+export * from './oauth-client-credentials.js'
+export * from './oauth-client-id.js'
+export * from './oauth-client-identification.js'
+export * from './oauth-client-metadata.js'
+export * from './oauth-endpoint-auth-method.js'
+export * from './oauth-endpoint-name.js'
+export * from './oauth-grant-type.js'
+export * from './oauth-issuer-identifier.js'
+export * from './oauth-par-response.js'
+export * from './oauth-protected-resource-metadata.js'
+export * from './oauth-response-mode.js'
+export * from './oauth-response-type.js'
+export * from './oauth-token-response.js'
+export * from './oauth-token-type.js'
+export * from './oidc-claims-parameter.js'
+export * from './oidc-claims-properties.js'
+export * from './oidc-entity-type.js'

package/src/oauth-authentication-request-parameters.ts

@@ -0,0 +1,104 @@
+import { signedJwtSchema } from '@atproto/jwk'
+import { z } from 'zod'
+
+import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.js'
+import { oauthClientIdSchema } from './oauth-client-id.js'
+import { oidcClaimsParameterSchema } from './oidc-claims-parameter.js'
+import { oidcClaimsPropertiesSchema } from './oidc-claims-properties.js'
+import { oidcEntityTypeSchema } from './oidc-entity-type.js'
+
+/**
+ * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest | OIDC}
+ */
+export const oauthAuthenticationRequestParametersSchema = z.object({
+  client_id: oauthClientIdSchema,
+
+  state: z.string().optional(),
+  nonce: z.string().optional(),
+  dpop_jkt: z.string().optional(),
+
+  response_type: z.enum([
+    // OAuth2 (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-4.1.1)
+    'code',
+    'token',
+
+    // OIDC (https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
+    'id_token',
+    'none',
+    'code token',
+    'code id_token',
+    'id_token token',
+    'code id_token token',
+  ]),
+
+  // Default depend on response_type
+  response_mode: z.enum(['query', 'fragment', 'form_post']).optional(),
+
+  // PKCE
+  code_challenge: z.string().optional(),
+  code_challenge_method: z.enum(['S256', 'plain']).default('S256').optional(),
+
+  redirect_uri: z.string().url().optional(),
+
+  // email profile openid (other?)
+  scope: z
+    .string()
+    .regex(/^[a-zA-Z0-9_]+( [a-zA-Z0-9_]+)*$/)
+    .optional(),
+
+  // OIDC
+
+  // Specifies the allowable elapsed time in seconds since the last time the
+  // End-User was actively authenticated by the OP. If the elapsed time is
+  // greater than this value, the OP MUST attempt to actively re-authenticate
+  // the End-User. (The max_age request parameter corresponds to the OpenID 2.0
+  // PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used,
+  // the ID Token returned MUST include an auth_time Claim Value. Note that
+  // max_age=0 is equivalent to prompt=login.
+  max_age: z.number().int().min(0).optional(),
+
+  claims: z
+    .record(
+      oidcEntityTypeSchema,
+      z.record(
+        oidcClaimsParameterSchema,
+        z.union([z.literal(null), oidcClaimsPropertiesSchema]),
+      ),
+    )
+    .optional(),
+
+  // https://openid.net/specs/openid-connect-core-1_0.html#RegistrationParameter
+  // Not supported by this library (yet?)
+  // registration: clientMetadataSchema.optional(),
+
+  login_hint: z.string().min(1).optional(),
+
+  ui_locales: z
+    .string()
+    .regex(/^[a-z]{2}(-[A-Z]{2})?( [a-z]{2}(-[A-Z]{2})?)*$/) // fr-CA fr en
+    .optional(),
+
+  // Previous ID Token, should be provided when prompt=none is used
+  id_token_hint: signedJwtSchema.optional(),
+
+  // Type of UI the AS is displayed on
+  display: z.enum(['page', 'popup', 'touch']).optional(),
+
+  /**
+   * - "none" will only be allowed if the user already allowed the client on the same device
+   * - "login" will force the user to login again, unless he very recently logged in
+   * - "consent" will force the user to consent again
+   * - "select_account" will force the user to select an account
+   */
+  prompt: z.enum(['none', 'login', 'consent', 'select_account']).optional(),
+
+  // https://datatracker.ietf.org/doc/html/rfc9396
+  authorization_details: oauthAuthorizationDetailsSchema.optional(),
+})
+
+/**
+ * @see {oauthAuthenticationRequestParametersSchema}
+ */
+export type OAuthAuthenticationRequestParameters = z.infer<
+  typeof oauthAuthenticationRequestParametersSchema
+>

package/src/oauth-authorization-details.ts

@@ -0,0 +1,28 @@
+import { z } from 'zod'
+
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9396#section-2 | RFC 9396, Section 2}
+ */
+export const oauthAuthorizationDetailSchema = z.object({
+  type: z.string(),
+  locations: z.array(z.string().url()).optional(),
+  actions: z.array(z.string()).optional(),
+  datatypes: z.array(z.string()).optional(),
+  identifier: z.string().optional(),
+  privileges: z.array(z.string()).optional(),
+})
+
+export type OAuthAuthorizationDetail = z.infer<
+  typeof oauthAuthorizationDetailSchema
+>
+
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9396#section-2 | RFC 9396, Section 2}
+ */
+export const oauthAuthorizationDetailsSchema = z.array(
+  oauthAuthorizationDetailSchema,
+)
+
+export type OAuthAuthorizationDetails = z.infer<
+  typeof oauthAuthorizationDetailsSchema
+>

package/src/oauth-authorization-server-metadata.ts

@@ -0,0 +1,106 @@
+import { z } from 'zod'
+
+import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.js'
+
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8414}
+ */
+export const oauthAuthorizationServerMetadataSchema = z.object({
+  issuer: oauthIssuerIdentifierSchema,
+
+  claims_supported: z.array(z.string()).optional(),
+  claims_locales_supported: z.array(z.string()).optional(),
+  claims_parameter_supported: z.boolean().optional(),
+  request_parameter_supported: z.boolean().optional(),
+  request_uri_parameter_supported: z.boolean().optional(),
+  require_request_uri_registration: z.boolean().optional(),
+  scopes_supported: z.array(z.string()).optional(),
+  subject_types_supported: z.array(z.string()).optional(),
+  response_types_supported: z.array(z.string()).optional(),
+  response_modes_supported: z.array(z.string()).optional(),
+  grant_types_supported: z.array(z.string()).optional(),
+  code_challenge_methods_supported: z.array(z.string()).min(1).optional(),
+  ui_locales_supported: z.array(z.string()).optional(),
+  id_token_signing_alg_values_supported: z.array(z.string()).optional(),
+  display_values_supported: z.array(z.string()).optional(),
+  request_object_signing_alg_values_supported: z.array(z.string()).optional(),
+  authorization_response_iss_parameter_supported: z.boolean().optional(),
+  authorization_details_types_supported: z.array(z.string()).optional(),
+  request_object_encryption_alg_values_supported: z
+    .array(z.string())
+    .optional(),
+  request_object_encryption_enc_values_supported: z
+    .array(z.string())
+    .optional(),
+
+  jwks_uri: z.string().url().optional(),
+
+  authorization_endpoint: z.string().url(), // .optional(),
+
+  token_endpoint: z.string().url(), // .optional(),
+  token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
+  token_endpoint_auth_signing_alg_values_supported: z
+    .array(z.string())
+    .optional(),
+
+  revocation_endpoint: z.string().url().optional(),
+  revocation_endpoint_auth_methods_supported: z.array(z.string()).optional(),
+  revocation_endpoint_auth_signing_alg_values_supported: z
+    .array(z.string())
+    .optional(),
+
+  introspection_endpoint: z.string().url().optional(),
+  introspection_endpoint_auth_methods_supported: z.array(z.string()).optional(),
+  introspection_endpoint_auth_signing_alg_values_supported: z
+    .array(z.string())
+    .optional(),
+
+  pushed_authorization_request_endpoint: z.string().url().optional(),
+  pushed_authorization_request_endpoint_auth_methods_supported: z
+    .array(z.string())
+    .optional(),
+  pushed_authorization_request_endpoint_auth_signing_alg_values_supported: z
+    .array(z.string())
+    .optional(),
+
+  require_pushed_authorization_requests: z.boolean().optional(),
+
+  userinfo_endpoint: z.string().url().optional(),
+  end_session_endpoint: z.string().url().optional(),
+  registration_endpoint: z.string().url().optional(),
+
+  // https://datatracker.ietf.org/doc/html/rfc9449#section-5.1
+  dpop_signing_alg_values_supported: z.array(z.string()).optional(),
+
+  // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05#section-4
+  protected_resources: z.array(z.string().url()).optional(),
+})
+
+export type OAuthAuthorizationServerMetadata = z.infer<
+  typeof oauthAuthorizationServerMetadataSchema
+>
+
+export const oauthAuthorizationServerMetadataValidator =
+  oauthAuthorizationServerMetadataSchema
+    .superRefine((data, ctx) => {
+      if (
+        data.require_pushed_authorization_requests &&
+        !data.pushed_authorization_request_endpoint
+      ) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message:
+            '"pushed_authorization_request_endpoint" required when "require_pushed_authorization_requests" is true',
+        })
+      }
+    })
+    .superRefine((data, ctx) => {
+      if (data.response_types_supported) {
+        if (!data.response_types_supported.includes('code')) {
+          ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            message: 'Response type "code" is required',
+          })
+        }
+      }
+    })

package/src/oauth-client-credentials.ts

@@ -0,0 +1,34 @@
+import { z } from 'zod'
+import { signedJwtSchema } from '@atproto/jwk'
+
+import { oauthClientIdSchema } from './oauth-client-id.js'
+import { CLIENT_ASSERTION_TYPE_JWT_BEARER } from './constants.js'
+
+export const oauthClientCredentialsJwtBearerSchema = z.object({
+  client_id: oauthClientIdSchema,
+  client_assertion_type: z.literal(CLIENT_ASSERTION_TYPE_JWT_BEARER),
+  /**
+   * - "sub" the subject MUST be the "client_id" of the OAuth client
+   * - "iat" is required and MUST be less than one minute
+   * - "aud" must containing a value that identifies the authorization server
+   * - The JWT MAY contain a "jti" (JWT ID) claim that provides a unique identifier for the token.
+   * - Note that the authorization server may reject JWTs with an "exp" claim value that is unreasonably far in the future.
+   *
+   * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-11#section-3}
+   */
+  client_assertion: signedJwtSchema,
+})
+
+export const oauthClientCredentialsSecretPostSchema = z.object({
+  client_id: oauthClientIdSchema,
+  client_secret: z.string(),
+})
+
+export const oauthClientCredentialsSchema = z.union([
+  oauthClientCredentialsJwtBearerSchema,
+  oauthClientCredentialsSecretPostSchema,
+])
+
+export type OAuthClientCredentials = z.infer<
+  typeof oauthClientCredentialsSchema
+>

package/src/oauth-client-id-discoverable.ts

@@ -0,0 +1,66 @@
+import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
+import { OAuthClientId } from './oauth-client-id.js'
+import { isIP } from './util.js'
+
+/**
+ * @see {@link https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html}
+ */
+export type OAuthClientIdDiscoverable = OAuthClientId & `https://${string}`
+
+export function isOAuthClientIdDiscoverable<C extends OAuthClientId>(
+  clientId: C,
+): clientId is C & OAuthClientIdDiscoverable {
+  try {
+    parseOAuthDiscoverableClientId(clientId)
+    return true
+  } catch {
+    return false
+  }
+}
+
+export function parseOAuthDiscoverableClientId(clientId: OAuthClientId): URL {
+  const url = parseOAuthClientIdUrl(clientId)
+
+  // Optimization: cheap checks first
+
+  if (url.hostname === 'localhost') {
+    throw new TypeError('ClientID must not be a loopback hostname')
+  }
+
+  if (url.protocol !== 'https:') {
+    throw new TypeError('ClientID must use the "https:" protocol')
+  }
+
+  if (url.hash) {
+    throw new TypeError('ClientID must not contain a fragment')
+  }
+
+  if (url.username || url.password) {
+    throw new TypeError('ClientID must not contain credentials')
+  }
+
+  if (url.pathname === '/') {
+    throw new TypeError(
+      'ClientID must contain a path (e.g. "/client-metadata")',
+    )
+  }
+
+  if (url.pathname !== '/' && url.pathname.endsWith('/')) {
+    throw new TypeError('ClientID must not end with a trailing slash')
+  }
+
+  if (url.pathname.includes('//')) {
+    throw new TypeError(
+      `ClientID must not contain any double slashes in its path`,
+    )
+  }
+
+  // Note: Query string is allowed
+  // Note: no restriction on the port for non-loopback URIs
+
+  if (isIP(url.hostname)) {
+    throw new TypeError('ClientID must not be an IP address')
+  }
+
+  return url
+}