@atproto/oauth-types 0.1.3 → 0.1.5

package/dist/oauth-client-id-loopback.js

@@ -1,7 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.parseOAuthLoopbackClientId = exports.isOAuthClientIdLoopback = void 0;
-const oauth_client_id_url_js_1 = require("./oauth-client-id-url.js");
+exports.parseOAuthLoopbackClientId = exports.assertOAuthLoopbackClientId = exports.isOAuthClientIdLoopback = void 0;
+const oauth_scope_js_1 = require("./oauth-scope.js");
+const util_js_1 = require("./util.js");
+const OAUTH_CLIENT_ID_LOOPBACK_URL = 'http://localhost';
 function isOAuthClientIdLoopback(clientId) {
     try {
         parseOAuthLoopbackClientId(clientId);
@@ -12,33 +14,68 @@ function isOAuthClientIdLoopback(clientId) {
     }
 }
 exports.isOAuthClientIdLoopback = isOAuthClientIdLoopback;
+function assertOAuthLoopbackClientId(clientId) {
+    void parseOAuthLoopbackClientId(clientId);
+}
+exports.assertOAuthLoopbackClientId = assertOAuthLoopbackClientId;
+// @TODO: should we turn this into a zod schema? (more coherent error with other
+// validation functions)
 function parseOAuthLoopbackClientId(clientId) {
-    const url = (0, oauth_client_id_url_js_1.parseOAuthClientIdUrl)(clientId);
-    // Optimization: cheap checks first
-    if (url.protocol !== 'http:') {
-        throw new TypeError('Loopback ClientID must use the "http:" protocol');
+    if (!clientId.startsWith(OAUTH_CLIENT_ID_LOOPBACK_URL)) {
+        throw new TypeError(`Loopback ClientID must start with "${OAUTH_CLIENT_ID_LOOPBACK_URL}"`);
     }
-    if (url.hostname !== 'localhost') {
-        throw new TypeError('Loopback ClientID must use the "localhost" hostname');
+    else if (clientId.includes('#', OAUTH_CLIENT_ID_LOOPBACK_URL.length)) {
+        throw new TypeError('Loopback ClientID must not contain a hash component');
     }
-    if (url.hash) {
-        throw new TypeError('Loopback ClientID must not contain a fragment');
+    const queryStringIdx = clientId.length > OAUTH_CLIENT_ID_LOOPBACK_URL.length &&
+        clientId[OAUTH_CLIENT_ID_LOOPBACK_URL.length] === '/'
+        ? OAUTH_CLIENT_ID_LOOPBACK_URL.length + 1
+        : OAUTH_CLIENT_ID_LOOPBACK_URL.length;
+    if (clientId.length === queryStringIdx) {
+        return {}; // no query string to parse
     }
-    if (url.username || url.password) {
-        throw new TypeError('Loopback ClientID must not contain credentials');
+    if (clientId[queryStringIdx] !== '?') {
+        throw new TypeError('Loopback ClientID must not contain a path component');
     }
-    if (url.port) {
-        throw new TypeError('Loopback ClientID must not contain a port');
+    const searchParams = new URLSearchParams(clientId.slice(queryStringIdx + 1));
+    for (const name of searchParams.keys()) {
+        if (name !== 'redirect_uri' && name !== 'scope') {
+            throw new TypeError(`Invalid query parameter "${name}" in client ID`);
+        }
     }
-    // Note: url.pathname === '/' is allowed for loopback URIs
-    if (url.pathname !== '/' && url.pathname.endsWith('/')) {
-        throw new TypeError('Loopback ClientID must not end with a trailing slash');
+    const scope = searchParams.get('scope') ?? undefined;
+    if (scope != null) {
+        if (searchParams.getAll('scope').length > 1) {
+            throw new TypeError('Loopback ClientID must contain at most one scope query parameter');
+        }
+        else if (!oauth_scope_js_1.oauthScopeSchema.safeParse(scope).success) {
+            throw new TypeError('Invalid scope query parameter in client ID');
+        }
     }
-    if (url.pathname.includes('//')) {
-        throw new TypeError(`Loopback ClientID must not contain any double slashes in its path`);
+    const redirect_uris = searchParams.has('redirect_uri')
+        ? searchParams.getAll('redirect_uri')
+        : undefined;
+    if (redirect_uris) {
+        for (const uri of redirect_uris) {
+            const url = (0, util_js_1.safeUrl)(uri);
+            if (!url) {
+                throw new TypeError(`Invalid redirect_uri in client ID: ${uri}`);
+            }
+            if (url.protocol !== 'http:') {
+                throw new TypeError(`Loopback ClientID must use "http:" redirect_uri's (got ${uri})`);
+            }
+            if (url.hostname === 'localhost') {
+                throw new TypeError(`Loopback ClientID must not use "localhost" as redirect_uri hostname (got ${uri})`);
+            }
+            if (!(0, util_js_1.isLoopbackHost)(url.hostname)) {
+                throw new TypeError(`Loopback ClientID must use loopback addresses as redirect_uri's (got ${uri})`);
+            }
+        }
     }
-    // Note: Query string is allowed
-    return url;
+    return {
+        scope,
+        redirect_uris,
+    };
 }
 exports.parseOAuthLoopbackClientId = parseOAuthLoopbackClientId;
 //# sourceMappingURL=oauth-client-id-loopback.js.map

package/dist/oauth-client-id-loopback.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-client-id-loopback.js","sourceRoot":"","sources":["../src/oauth-client-id-loopback.ts"],"names":[],"mappings":";;;AAAA,qEAAgE;AAMhE,SAAgB,uBAAuB,CACrC,QAAW;IAEX,IAAI,CAAC;QACH,0BAA0B,CAAC,QAAQ,CAAC,CAAA;QACpC,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AATD,0DASC;AAED,SAAgB,0BAA0B,CAAC,QAAuB;IAChE,MAAM,GAAG,GAAG,IAAA,8CAAqB,EAAC,QAAQ,CAAC,CAAA;IAE3C,mCAAmC;IAEnC,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAC7B,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAA;IACxE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,qDAAqD,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,MAAM,IAAI,SAAS,CAAC,+CAA+C,CAAC,CAAA;IACtE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAA;IACvE,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,MAAM,IAAI,SAAS,CAAC,2CAA2C,CAAC,CAAA;IAClE,CAAC;IAED,0DAA0D;IAE1D,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,SAAS,CAAC,sDAAsD,CAAC,CAAA;IAC7E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CACjB,mEAAmE,CACpE,CAAA;IACH,CAAC;IAED,gCAAgC;IAEhC,OAAO,GAAG,CAAA;AACZ,CAAC;AAxCD,gEAwCC"}
+{"version":3,"file":"oauth-client-id-loopback.js","sourceRoot":"","sources":["../src/oauth-client-id-loopback.ts"],"names":[],"mappings":";;;AACA,qDAA+D;AAC/D,uCAAmD;AAEnD,MAAM,4BAA4B,GAAG,kBAAkB,CAAA;AAKvD,SAAgB,uBAAuB,CACrC,QAAgB;IAEhB,IAAI,CAAC;QACH,0BAA0B,CAAC,QAAQ,CAAC,CAAA;QACpC,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AATD,0DASC;AAED,SAAgB,2BAA2B,CACzC,QAAgB;IAEhB,KAAK,0BAA0B,CAAC,QAAQ,CAAC,CAAA;AAC3C,CAAC;AAJD,kEAIC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,SAAgB,0BAA0B,CAAC,QAAgB;IAIzD,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,4BAA4B,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,SAAS,CACjB,sCAAsC,4BAA4B,GAAG,CACtE,CAAA;IACH,CAAC;SAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,EAAE,4BAA4B,CAAC,MAAM,CAAC,EAAE,CAAC;QACvE,MAAM,IAAI,SAAS,CAAC,qDAAqD,CAAC,CAAA;IAC5E,CAAC;IAED,MAAM,cAAc,GAClB,QAAQ,CAAC,MAAM,GAAG,4BAA4B,CAAC,MAAM;QACrD,QAAQ,CAAC,4BAA4B,CAAC,MAAM,CAAC,KAAK,GAAG;QACnD,CAAC,CAAC,4BAA4B,CAAC,MAAM,GAAG,CAAC;QACzC,CAAC,CAAC,4BAA4B,CAAC,MAAM,CAAA;IAEzC,IAAI,QAAQ,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;QACvC,OAAO,EAAE,CAAA,CAAC,2BAA2B;IACvC,CAAC;IAED,IAAI,QAAQ,CAAC,cAAc,CAAC,KAAK,GAAG,EAAE,CAAC;QACrC,MAAM,IAAI,SAAS,CAAC,qDAAqD,CAAC,CAAA;IAC5E,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC,CAAA;IAE5E,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,IAAI,EAAE,EAAE,CAAC;QACvC,IAAI,IAAI,KAAK,cAAc,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;YAChD,MAAM,IAAI,SAAS,CAAC,4BAA4B,IAAI,gBAAgB,CAAC,CAAA;QACvE,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,SAAS,CAAA;IACpD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,SAAS,CACjB,kEAAkE,CACnE,CAAA;QACH,CAAC;aAAM,IAAI,CAAC,iCAAgB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;YACtD,MAAM,IAAI,SAAS,CAAC,4CAA4C,CAAC,CAAA;QACnE,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC;QACpD,CAAC,CAAE,YAAY,CAAC,MAAM,CAAC,cAAc,CAA2B;QAChE,CAAC,CAAC,SAAS,CAAA;IAEb,IAAI,aAAa,EAAE,CAAC;QAClB,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM,GAAG,GAAG,IAAA,iBAAO,EAAC,GAAG,CAAC,CAAA;YACxB,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,SAAS,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAA;YAClE,CAAC;YACD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAC7B,MAAM,IAAI,SAAS,CACjB,0DAA0D,GAAG,GAAG,CACjE,CAAA;YACH,CAAC;YACD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACjC,MAAM,IAAI,SAAS,CACjB,4EAA4E,GAAG,GAAG,CACnF,CAAA;YACH,CAAC;YACD,IAAI,CAAC,IAAA,wBAAc,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClC,MAAM,IAAI,SAAS,CACjB,wEAAwE,GAAG,GAAG,CAC/E,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK;QACL,aAAa;KACd,CAAA;AACH,CAAC;AA7ED,gEA6EC"}

package/dist/oauth-client-metadata.d.ts

@@ -1427,9 +1427,9 @@ export declare const oauthClientMetadataSchema: z.ZodObject<{
     authorization_details_types?: string[] | undefined;
 }, {
     redirect_uris: [string, ...string[]];
+    scope?: string | undefined;
     response_types?: ["code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token", ...("code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token")[]] | undefined;
     grant_types?: ["authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer", ...("authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer")[]] | undefined;
-    scope?: string | undefined;
     token_endpoint_auth_method?: "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "none" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth" | undefined;
     token_endpoint_auth_signing_alg?: string | undefined;
     userinfo_signed_response_alg?: string | undefined;

package/dist/oauth-client-metadata.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-client-metadata.d.ts","sourceRoot":"","sources":["../src/oauth-client-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AASvB,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAqCpC;;;;;;OAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWH,CAAA;AAEF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA;AAC3E,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA"}
+{"version":3,"file":"oauth-client-metadata.d.ts","sourceRoot":"","sources":["../src/oauth-client-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAUvB,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAqCpC;;;;;;OAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAWH,CAAA;AAEF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA;AAC3E,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA"}

package/dist/oauth-client-metadata.js

@@ -7,6 +7,7 @@ const oauth_client_id_js_1 = require("./oauth-client-id.js");
 const oauth_endpoint_auth_method_js_1 = require("./oauth-endpoint-auth-method.js");
 const oauth_grant_type_js_1 = require("./oauth-grant-type.js");
 const oauth_response_type_js_1 = require("./oauth-response-type.js");
+const oauth_scope_js_1 = require("./oauth-scope.js");
 // https://openid.net/specs/openid-connect-registration-1_0.html
 // https://datatracker.ietf.org/doc/html/rfc7591
 exports.oauthClientMetadataSchema = zod_1.z.object({
@@ -23,7 +24,7 @@ exports.oauthClientMetadataSchema = zod_1.z.object({
         // > If omitted, the default behavior is that the client will use only the
         // > "authorization_code" Grant Type.
         .default(['authorization_code']),
-    scope: zod_1.z.string().optional(),
+    scope: oauth_scope_js_1.oauthScopeSchema.optional(),
     token_endpoint_auth_method: oauth_endpoint_auth_method_js_1.oauthEndpointAuthMethod
         .default('none')
         .optional(),

package/dist/oauth-client-metadata.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-client-metadata.js","sourceRoot":"","sources":["../src/oauth-client-metadata.ts"],"names":[],"mappings":";;;AAAA,sCAA4C;AAC5C,6BAAuB;AAEvB,6DAA0D;AAC1D,mFAAyE;AACzE,+DAA4D;AAC5D,qEAAkE;AAElE,gEAAgE;AAChE,gDAAgD;AACnC,QAAA,yBAAyB,GAAG,OAAC,CAAC,MAAM,CAAC;IAChD,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnD,cAAc,EAAE,OAAC;SACd,KAAK,CAAC,gDAAuB,CAAC;SAC9B,QAAQ,EAAE;QACX,wEAAwE;QACxE,mBAAmB;SAClB,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;IACpB,WAAW,EAAE,OAAC;SACX,KAAK,CAAC,0CAAoB,CAAC;SAC3B,QAAQ,EAAE;QACX,0EAA0E;QAC1E,qCAAqC;SACpC,OAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,0BAA0B,EAAE,uDAAuB;SAChD,OAAO,CAAC,MAAM,CAAC;SACf,QAAQ,EAAE;IACb,+BAA+B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtD,4BAA4B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,+BAA+B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtD,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACrC,IAAI,EAAE,mBAAa,CAAC,QAAQ,EAAE;IAC9B,gBAAgB,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,EAAE,8BAA8B;IACrG,YAAY,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,QAAQ,EAAE;IACzE,0BAA0B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjD,4BAA4B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,iCAAiC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE;IACzE,oCAAoC,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC1E,oCAAoC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3D,SAAS,EAAE,wCAAmB,CAAC,QAAQ,EAAE;IACzC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACvC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACvC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAErC;;;;;;OAMG;IACH,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACzC,QAAQ,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,0CAA0C,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAElE,4DAA4D;IAC5D,wBAAwB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAEhD,6DAA6D;IAC7D,2BAA2B,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC5D,CAAC,CAAA"}
+{"version":3,"file":"oauth-client-metadata.js","sourceRoot":"","sources":["../src/oauth-client-metadata.ts"],"names":[],"mappings":";;;AAAA,sCAA4C;AAC5C,6BAAuB;AAEvB,6DAA0D;AAC1D,mFAAyE;AACzE,+DAA4D;AAC5D,qEAAkE;AAClE,qDAAmD;AAEnD,gEAAgE;AAChE,gDAAgD;AACnC,QAAA,yBAAyB,GAAG,OAAC,CAAC,MAAM,CAAC;IAChD,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnD,cAAc,EAAE,OAAC;SACd,KAAK,CAAC,gDAAuB,CAAC;SAC9B,QAAQ,EAAE;QACX,wEAAwE;QACxE,mBAAmB;SAClB,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;IACpB,WAAW,EAAE,OAAC;SACX,KAAK,CAAC,0CAAoB,CAAC;SAC3B,QAAQ,EAAE;QACX,0EAA0E;QAC1E,qCAAqC;SACpC,OAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAClC,KAAK,EAAE,iCAAgB,CAAC,QAAQ,EAAE;IAClC,0BAA0B,EAAE,uDAAuB;SAChD,OAAO,CAAC,MAAM,CAAC;SACf,QAAQ,EAAE;IACb,+BAA+B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtD,4BAA4B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,+BAA+B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtD,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACrC,IAAI,EAAE,mBAAa,CAAC,QAAQ,EAAE;IAC9B,gBAAgB,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,EAAE,8BAA8B;IACrG,YAAY,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,QAAQ,EAAE;IACzE,0BAA0B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjD,4BAA4B,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnD,iCAAiC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE;IACzE,oCAAoC,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC1E,oCAAoC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3D,SAAS,EAAE,wCAAmB,CAAC,QAAQ,EAAE;IACzC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACvC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACvC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAErC;;;;;;OAMG;IACH,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACtC,iBAAiB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACzC,QAAQ,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,QAAQ,EAAE;IAChD,0CAA0C,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAElE,4DAA4D;IAC5D,wBAAwB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAEhD,6DAA6D;IAC7D,2BAA2B,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC5D,CAAC,CAAA"}

package/dist/oauth-code-challenge-method.d.ts

@@ -0,0 +1,3 @@
+import { z } from 'zod';
+export declare const oauthCodeChallengeMethodSchema: z.ZodEnum<["S256", "plain"]>;
+//# sourceMappingURL=oauth-code-challenge-method.d.ts.map

package/dist/oauth-code-challenge-method.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-code-challenge-method.d.ts","sourceRoot":"","sources":["../src/oauth-code-challenge-method.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,8BAA8B,8BAA4B,CAAA"}

package/dist/oauth-code-challenge-method.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthCodeChallengeMethodSchema = void 0;
+const zod_1 = require("zod");
+exports.oauthCodeChallengeMethodSchema = zod_1.z.enum(['S256', 'plain']);
+//# sourceMappingURL=oauth-code-challenge-method.js.map

package/dist/oauth-code-challenge-method.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-code-challenge-method.js","sourceRoot":"","sources":["../src/oauth-code-challenge-method.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,8BAA8B,GAAG,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA"}

package/dist/oauth-introspection-response.d.ts

@@ -0,0 +1,20 @@
+import { OAuthAuthorizationDetails } from './oauth-authorization-details.js';
+import { OAuthTokenType } from './oauth-token-type.js';
+export type OAuthIntrospectionResponse = {
+    active: false;
+} | {
+    active: true;
+    scope?: string;
+    client_id?: string;
+    username?: string;
+    token_type?: OAuthTokenType;
+    authorization_details?: OAuthAuthorizationDetails;
+    aud?: string | [string, ...string[]];
+    exp?: number;
+    iat?: number;
+    iss?: string;
+    jti?: string;
+    nbf?: number;
+    sub?: string;
+};
+//# sourceMappingURL=oauth-introspection-response.d.ts.map

package/dist/oauth-introspection-response.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-introspection-response.d.ts","sourceRoot":"","sources":["../src/oauth-introspection-response.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAE,MAAM,kCAAkC,CAAA;AAC5E,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAGtD,MAAM,MAAM,0BAA0B,GAClC;IAAE,MAAM,EAAE,KAAK,CAAA;CAAE,GACjB;IACE,MAAM,EAAE,IAAI,CAAA;IAEZ,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE,cAAc,CAAA;IAC3B,qBAAqB,CAAC,EAAE,yBAAyB,CAAA;IAEjD,GAAG,CAAC,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;IACpC,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;CACb,CAAA"}

package/dist/oauth-introspection-response.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=oauth-introspection-response.js.map

package/dist/oauth-introspection-response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-introspection-response.js","sourceRoot":"","sources":["../src/oauth-introspection-response.ts"],"names":[],"mappings":""}

package/dist/oauth-par-response.d.ts

@@ -1,10 +1,13 @@
 import { z } from 'zod';
 export declare const oauthParResponseSchema: z.ZodObject<{
     request_uri: z.ZodString;
+    expires_in: z.ZodNumber;
 }, "strip", z.ZodTypeAny, {
     request_uri: string;
+    expires_in: number;
 }, {
     request_uri: string;
+    expires_in: number;
 }>;
 export type OAuthParResponse = z.infer<typeof oauthParResponseSchema>;
 //# sourceMappingURL=oauth-par-response.d.ts.map

package/dist/oauth-par-response.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-par-response.d.ts","sourceRoot":"","sources":["../src/oauth-par-response.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,sBAAsB;;;;;;EAEjC,CAAA;AAEF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA"}
+{"version":3,"file":"oauth-par-response.d.ts","sourceRoot":"","sources":["../src/oauth-par-response.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,sBAAsB;;;;;;;;;EAGjC,CAAA;AAEF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA"}

package/dist/oauth-par-response.js

@@ -4,5 +4,6 @@ exports.oauthParResponseSchema = void 0;
 const zod_1 = require("zod");
 exports.oauthParResponseSchema = zod_1.z.object({
     request_uri: zod_1.z.string(),
+    expires_in: zod_1.z.number().int().positive(),
 });
 //# sourceMappingURL=oauth-par-response.js.map

package/dist/oauth-par-response.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-par-response.js","sourceRoot":"","sources":["../src/oauth-par-response.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;CACxB,CAAC,CAAA"}
+{"version":3,"file":"oauth-par-response.js","sourceRoot":"","sources":["../src/oauth-par-response.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE;IACvB,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CACxC,CAAC,CAAA"}

package/dist/oauth-password-grant-token-request.d.ts

@@ -0,0 +1,16 @@
+import { z } from 'zod';
+export declare const oauthPasswordGrantTokenRequestSchema: z.ZodObject<{
+    grant_type: z.ZodLiteral<"password">;
+    username: z.ZodString;
+    password: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    password: string;
+    grant_type: "password";
+    username: string;
+}, {
+    password: string;
+    grant_type: "password";
+    username: string;
+}>;
+export type OAuthPasswordGrantTokenRequest = z.infer<typeof oauthPasswordGrantTokenRequestSchema>;
+//# sourceMappingURL=oauth-password-grant-token-request.d.ts.map

package/dist/oauth-password-grant-token-request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-password-grant-token-request.d.ts","sourceRoot":"","sources":["../src/oauth-password-grant-token-request.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,oCAAoC;;;;;;;;;;;;EAI/C,CAAA;AAEF,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAClD,OAAO,oCAAoC,CAC5C,CAAA"}

package/dist/oauth-password-grant-token-request.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthPasswordGrantTokenRequestSchema = void 0;
+const zod_1 = require("zod");
+exports.oauthPasswordGrantTokenRequestSchema = zod_1.z.object({
+    grant_type: zod_1.z.literal('password'),
+    username: zod_1.z.string(),
+    password: zod_1.z.string(),
+});
+//# sourceMappingURL=oauth-password-grant-token-request.js.map

package/dist/oauth-password-grant-token-request.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-password-grant-token-request.js","sourceRoot":"","sources":["../src/oauth-password-grant-token-request.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,oCAAoC,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3D,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IACjC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;CACrB,CAAC,CAAA"}

package/dist/oauth-refresh-token-grant-token-request.d.ts

@@ -0,0 +1,16 @@
+import { z } from 'zod';
+export declare const oauthRefreshTokenGrantTokenRequestSchema: z.ZodObject<{
+    grant_type: z.ZodLiteral<"refresh_token">;
+    refresh_token: z.ZodString;
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    refresh_token: string;
+    client_id: string;
+    grant_type: "refresh_token";
+}, {
+    refresh_token: string;
+    client_id: string;
+    grant_type: "refresh_token";
+}>;
+export type OAuthRefreshTokenGrantTokenRequest = z.infer<typeof oauthRefreshTokenGrantTokenRequestSchema>;
+//# sourceMappingURL=oauth-refresh-token-grant-token-request.d.ts.map

package/dist/oauth-refresh-token-grant-token-request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-refresh-token-grant-token-request.d.ts","sourceRoot":"","sources":["../src/oauth-refresh-token-grant-token-request.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB,eAAO,MAAM,wCAAwC;;;;;;;;;;;;EAInD,CAAA;AAEF,MAAM,MAAM,kCAAkC,GAAG,CAAC,CAAC,KAAK,CACtD,OAAO,wCAAwC,CAChD,CAAA"}

package/dist/oauth-refresh-token-grant-token-request.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthRefreshTokenGrantTokenRequestSchema = void 0;
+const zod_1 = require("zod");
+const oauth_client_id_js_1 = require("./oauth-client-id.js");
+const oauth_refresh_token_js_1 = require("./oauth-refresh-token.js");
+exports.oauthRefreshTokenGrantTokenRequestSchema = zod_1.z.object({
+    grant_type: zod_1.z.literal('refresh_token'),
+    refresh_token: oauth_refresh_token_js_1.oauthRefreshTokenSchema,
+    client_id: oauth_client_id_js_1.oauthClientIdSchema,
+});
+//# sourceMappingURL=oauth-refresh-token-grant-token-request.js.map

package/dist/oauth-refresh-token-grant-token-request.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-refresh-token-grant-token-request.js","sourceRoot":"","sources":["../src/oauth-refresh-token-grant-token-request.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,6DAA0D;AAC1D,qEAAkE;AAErD,QAAA,wCAAwC,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/D,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IACtC,aAAa,EAAE,gDAAuB;IACtC,SAAS,EAAE,wCAAmB;CAC/B,CAAC,CAAA"}

package/dist/oauth-refresh-token.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const oauthRefreshTokenSchema: z.ZodString;
+export type OAuthRefreshToken = z.infer<typeof oauthRefreshTokenSchema>;
+//# sourceMappingURL=oauth-refresh-token.d.ts.map

package/dist/oauth-refresh-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-refresh-token.d.ts","sourceRoot":"","sources":["../src/oauth-refresh-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,uBAAuB,aAAoB,CAAA;AACxD,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA"}

package/dist/oauth-refresh-token.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthRefreshTokenSchema = void 0;
+const zod_1 = require("zod");
+exports.oauthRefreshTokenSchema = zod_1.z.string().min(1);
+//# sourceMappingURL=oauth-refresh-token.js.map

package/dist/oauth-refresh-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-refresh-token.js","sourceRoot":"","sources":["../src/oauth-refresh-token.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA"}

package/dist/oauth-request-uri.d.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+export declare const oauthRequestUriSchema: z.ZodString;
+export type OAuthRequestUri = z.infer<typeof oauthRequestUriSchema>;
+//# sourceMappingURL=oauth-request-uri.d.ts.map

package/dist/oauth-request-uri.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-request-uri.d.ts","sourceRoot":"","sources":["../src/oauth-request-uri.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,eAAO,MAAM,qBAAqB,aAAa,CAAA;AAE/C,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA"}

package/dist/oauth-request-uri.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthRequestUriSchema = void 0;
+const zod_1 = require("zod");
+exports.oauthRequestUriSchema = zod_1.z.string();
+//# sourceMappingURL=oauth-request-uri.js.map

package/dist/oauth-request-uri.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-request-uri.js","sourceRoot":"","sources":["../src/oauth-request-uri.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,EAAE,CAAA"}

package/dist/oauth-response-type.js

@@ -3,10 +3,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.oauthResponseTypeSchema = void 0;
 const zod_1 = require("zod");
 exports.oauthResponseTypeSchema = zod_1.z.enum([
-    // OAuth
+    // OAuth2 (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-4.1.1)
     'code', // Authorization Code Grant
     'token', // Implicit Grant
-    // OpenID
+    // OIDC (https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
     'none',
     'code id_token token',
     'code id_token',

package/dist/oauth-response-type.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-response-type.js","sourceRoot":"","sources":["../src/oauth-response-type.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,uBAAuB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC5C,QAAQ;IACR,MAAM,EAAE,2BAA2B;IACnC,OAAO,EAAE,iBAAiB;IAE1B,SAAS;IACT,MAAM;IACN,qBAAqB;IACrB,eAAe;IACf,YAAY;IACZ,gBAAgB;IAChB,UAAU;CACX,CAAC,CAAA"}
+{"version":3,"file":"oauth-response-type.js","sourceRoot":"","sources":["../src/oauth-response-type.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEV,QAAA,uBAAuB,GAAG,OAAC,CAAC,IAAI,CAAC;IAC5C,wFAAwF;IACxF,MAAM,EAAE,2BAA2B;IACnC,OAAO,EAAE,iBAAiB;IAE1B,4EAA4E;IAC5E,MAAM;IACN,qBAAqB;IACrB,eAAe;IACf,YAAY;IACZ,gBAAgB;IAChB,UAAU;CACX,CAAC,CAAA"}

package/dist/oauth-scope.d.ts

@@ -0,0 +1,10 @@
+import { z } from 'zod';
+/**
+ * A space separated list of most non-control ASCII characters except backslash
+ * and double quote.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-1.4.1}
+ */
+export declare const oauthScopeSchema: z.ZodString;
+export type OAuthScope = z.infer<typeof oauthScopeSchema>;
+//# sourceMappingURL=oauth-scope.d.ts.map

package/dist/oauth-scope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-scope.d.ts","sourceRoot":"","sources":["../src/oauth-scope.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,aAIyC,CAAA;AAEtE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA"}

package/dist/oauth-scope.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthScopeSchema = void 0;
+const zod_1 = require("zod");
+/**
+ * A space separated list of most non-control ASCII characters except backslash
+ * and double quote.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-1.4.1}
+ */
+exports.oauthScopeSchema = zod_1.z
+    .string()
+    // scope       = scope-token *( SP scope-token )
+    // scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
+    .regex(/^[\x21\x23-\x5B\x5D-\x7E]+(?: [\x21\x23-\x5B\x5D-\x7E]+)*$/);
+//# sourceMappingURL=oauth-scope.js.map

package/dist/oauth-scope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-scope.js","sourceRoot":"","sources":["../src/oauth-scope.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB;;;;;GAKG;AACU,QAAA,gBAAgB,GAAG,OAAC;KAC9B,MAAM,EAAE;IACT,gDAAgD;IAChD,+CAA+C;KAC9C,KAAK,CAAC,4DAA4D,CAAC,CAAA"}

package/dist/oauth-token-identification.d.ts

@@ -0,0 +1,13 @@
+import { z } from 'zod';
+export declare const oauthTokenIdentificationSchema: z.ZodObject<{
+    token: z.ZodUnion<[z.ZodString, z.ZodString]>;
+    token_type_hint: z.ZodOptional<z.ZodEnum<["access_token", "refresh_token"]>>;
+}, "strip", z.ZodTypeAny, {
+    token: string;
+    token_type_hint?: "refresh_token" | "access_token" | undefined;
+}, {
+    token: string;
+    token_type_hint?: "refresh_token" | "access_token" | undefined;
+}>;
+export type OAuthTokenIdentification = z.infer<typeof oauthTokenIdentificationSchema>;
+//# sourceMappingURL=oauth-token-identification.d.ts.map

package/dist/oauth-token-identification.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-identification.d.ts","sourceRoot":"","sources":["../src/oauth-token-identification.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB,eAAO,MAAM,8BAA8B;;;;;;;;;EAGzC,CAAA;AAEF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAC5C,OAAO,8BAA8B,CACtC,CAAA"}

package/dist/oauth-token-identification.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthTokenIdentificationSchema = void 0;
+const zod_1 = require("zod");
+const oauth_access_token_js_1 = require("./oauth-access-token.js");
+const oauth_refresh_token_js_1 = require("./oauth-refresh-token.js");
+exports.oauthTokenIdentificationSchema = zod_1.z.object({
+    token: zod_1.z.union([oauth_access_token_js_1.oauthAccessTokenSchema, oauth_refresh_token_js_1.oauthRefreshTokenSchema]),
+    token_type_hint: zod_1.z.enum(['access_token', 'refresh_token']).optional(),
+});
+//# sourceMappingURL=oauth-token-identification.js.map

package/dist/oauth-token-identification.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-identification.js","sourceRoot":"","sources":["../src/oauth-token-identification.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,mEAAgE;AAChE,qEAAkE;AAErD,QAAA,8BAA8B,GAAG,OAAC,CAAC,MAAM,CAAC;IACrD,KAAK,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,8CAAsB,EAAE,gDAAuB,CAAC,CAAC;IACjE,eAAe,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAA"}

package/dist/oauth-token-request.d.ts

@@ -0,0 +1,49 @@
+import { z } from 'zod';
+export declare const oauthTokenRequestSchema: z.ZodDiscriminatedUnion<"grant_type", [z.ZodObject<{
+    grant_type: z.ZodLiteral<"authorization_code">;
+    code: z.ZodString;
+    redirect_uri: z.ZodString;
+    code_verifier: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    code: string;
+    redirect_uri: string;
+    grant_type: "authorization_code";
+    code_verifier?: string | undefined;
+}, {
+    code: string;
+    redirect_uri: string;
+    grant_type: "authorization_code";
+    code_verifier?: string | undefined;
+}>, z.ZodObject<{
+    grant_type: z.ZodLiteral<"refresh_token">;
+    refresh_token: z.ZodString;
+    client_id: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    refresh_token: string;
+    client_id: string;
+    grant_type: "refresh_token";
+}, {
+    refresh_token: string;
+    client_id: string;
+    grant_type: "refresh_token";
+}>, z.ZodObject<{
+    grant_type: z.ZodLiteral<"password">;
+    username: z.ZodString;
+    password: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    password: string;
+    grant_type: "password";
+    username: string;
+}, {
+    password: string;
+    grant_type: "password";
+    username: string;
+}>, z.ZodObject<{
+    grant_type: z.ZodLiteral<"client_credentials">;
+}, "strip", z.ZodTypeAny, {
+    grant_type: "client_credentials";
+}, {
+    grant_type: "client_credentials";
+}>]>;
+export type OAuthTokenRequest = z.infer<typeof oauthTokenRequestSchema>;
+//# sourceMappingURL=oauth-token-request.d.ts.map

package/dist/oauth-token-request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-request.d.ts","sourceRoot":"","sources":["../src/oauth-token-request.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAMvB,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAKlC,CAAA;AAEF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA"}

package/dist/oauth-token-request.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.oauthTokenRequestSchema = void 0;
+const zod_1 = require("zod");
+const oauth_authorization_code_grant_token_request_js_1 = require("./oauth-authorization-code-grant-token-request.js");
+const oauth_client_credentials_grant_token_request_js_1 = require("./oauth-client-credentials-grant-token-request.js");
+const oauth_password_grant_token_request_js_1 = require("./oauth-password-grant-token-request.js");
+const oauth_refresh_token_grant_token_request_js_1 = require("./oauth-refresh-token-grant-token-request.js");
+exports.oauthTokenRequestSchema = zod_1.z.discriminatedUnion('grant_type', [
+    oauth_authorization_code_grant_token_request_js_1.oauthAuthorizationCodeGrantTokenRequestSchema,
+    oauth_refresh_token_grant_token_request_js_1.oauthRefreshTokenGrantTokenRequestSchema,
+    oauth_password_grant_token_request_js_1.oauthPasswordGrantTokenRequestSchema,
+    oauth_client_credentials_grant_token_request_js_1.oauthClientCredentialsGrantTokenRequestSchema,
+]);
+//# sourceMappingURL=oauth-token-request.js.map

package/dist/oauth-token-request.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-request.js","sourceRoot":"","sources":["../src/oauth-token-request.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,uHAAiH;AACjH,uHAAiH;AACjH,mGAA8F;AAC9F,6GAAuG;AAE1F,QAAA,uBAAuB,GAAG,OAAC,CAAC,kBAAkB,CAAC,YAAY,EAAE;IACxE,+FAA6C;IAC7C,qFAAwC;IACxC,4EAAoC;IACpC,+FAA6C;CAC9C,CAAC,CAAA"}

package/dist/oauth-token-response.d.ts

@@ -6,7 +6,6 @@ export declare const oauthTokenResponseSchema: z.ZodObject<{
     access_token: z.ZodString;
     token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
     issuer: z.ZodOptional<z.ZodString>;
-    sub: z.ZodOptional<z.ZodString>;
     scope: z.ZodOptional<z.ZodString>;
     id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
     refresh_token: z.ZodOptional<z.ZodString>;
@@ -37,7 +36,6 @@ export declare const oauthTokenResponseSchema: z.ZodObject<{
     access_token: z.ZodString;
     token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
     issuer: z.ZodOptional<z.ZodString>;
-    sub: z.ZodOptional<z.ZodString>;
     scope: z.ZodOptional<z.ZodString>;
     id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
     refresh_token: z.ZodOptional<z.ZodString>;
@@ -68,7 +66,6 @@ export declare const oauthTokenResponseSchema: z.ZodObject<{
     access_token: z.ZodString;
     token_type: z.ZodUnion<[z.ZodEffects<z.ZodString, "DPoP", string>, z.ZodEffects<z.ZodString, "Bearer", string>]>;
     issuer: z.ZodOptional<z.ZodString>;
-    sub: z.ZodOptional<z.ZodString>;
     scope: z.ZodOptional<z.ZodString>;
     id_token: z.ZodOptional<z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, `${string}.${string}.${string}`, string>>;
     refresh_token: z.ZodOptional<z.ZodString>;

package/dist/oauth-token-response.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-token-response.d.ts","sourceRoot":"","sources":["../src/oauth-token-response.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAcrB,CAAA;AAEhB;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA"}
+{"version":3,"file":"oauth-token-response.d.ts","sourceRoot":"","sources":["../src/oauth-token-response.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gCAarB,CAAA;AAEhB;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAA"}

package/dist/oauth-token-response.js

@@ -13,7 +13,6 @@ exports.oauthTokenResponseSchema = zod_1.z
     access_token: zod_1.z.string(),
     token_type: oauth_token_type_js_1.oauthTokenTypeSchema,
     issuer: zod_1.z.string().url().optional(),
-    sub: zod_1.z.string().optional(),
     scope: zod_1.z.string().optional(),
     id_token: jwk_1.signedJwtSchema.optional(),
     refresh_token: zod_1.z.string().optional(),

package/dist/oauth-token-response.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-token-response.js","sourceRoot":"","sources":["../src/oauth-token-response.ts"],"names":[],"mappings":";;;AAAA,sCAA8C;AAC9C,6BAAuB;AAEvB,qFAAkF;AAClF,+DAA4D;AAE5D;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC;KACtC,MAAM,CAAC;IACN,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,UAAU,EAAE,0CAAoB;IAChC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,QAAQ,EAAE,qBAAe,CAAC,QAAQ,EAAE;IACpC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,qBAAqB,EAAE,gEAA+B,CAAC,QAAQ,EAAE;CAClE,CAAC;IACF,0DAA0D;IAC1D,qEAAqE;KACpE,WAAW,EAAE,CAAA"}
+{"version":3,"file":"oauth-token-response.js","sourceRoot":"","sources":["../src/oauth-token-response.ts"],"names":[],"mappings":";;;AAAA,sCAA8C;AAC9C,6BAAuB;AAEvB,qFAAkF;AAClF,+DAA4D;AAE5D;;GAEG;AACU,QAAA,wBAAwB,GAAG,OAAC;KACtC,MAAM,CAAC;IACN,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;IACxB,UAAU,EAAE,0CAAoB;IAChC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACnC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,QAAQ,EAAE,qBAAe,CAAC,QAAQ,EAAE;IACpC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,qBAAqB,EAAE,gEAA+B,CAAC,QAAQ,EAAE;CAClE,CAAC;IACF,0DAA0D;IAC1D,qEAAqE;KACpE,WAAW,EAAE,CAAA"}

package/dist/util.d.ts

@@ -1,6 +1,7 @@
-export declare function isIP(hostname: string): boolean;
+export declare function isHostnameIP(hostname: string): boolean;
 export type LoopbackHost = 'localhost' | '127.0.0.1' | '[::1]';
 export declare function isLoopbackHost(host: unknown): host is LoopbackHost;
 export declare function isLoopbackUrl(input: URL | string): boolean;
 export declare function safeUrl(input: URL | string): URL | null;
+export declare function extractUrlPath(url: any): any;
 //# sourceMappingURL=util.d.ts.map