@atproto/oauth-types 0.1.3 → 0.1.5

package/dist/util.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,IAAI,CAAC,QAAQ,EAAE,MAAM,WAQpC;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAG1D;AAED,wBAAgB,OAAO,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,IAAI,CAMvD"}
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,WAQ5C;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAG1D;AAED,wBAAgB,OAAO,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,IAAI,CAMvD;AAED,wBAAgB,cAAc,CAAC,GAAG,KAAA,OAsCjC"}

package/dist/util.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.safeUrl = exports.isLoopbackUrl = exports.isLoopbackHost = exports.isIP = void 0;
-function isIP(hostname) {
+exports.extractUrlPath = exports.safeUrl = exports.isLoopbackUrl = exports.isLoopbackHost = exports.isHostnameIP = void 0;
+function isHostnameIP(hostname) {
     // IPv4
     if (hostname.match(/^\d+\.\d+\.\d+\.\d+$/))
         return true;
@@ -10,7 +10,7 @@ function isIP(hostname) {
         return true;
     return false;
 }
-exports.isIP = isIP;
+exports.isHostnameIP = isHostnameIP;
 function isLoopbackHost(host) {
     return host === 'localhost' || host === '127.0.0.1' || host === '[::1]';
 }
@@ -29,4 +29,35 @@ function safeUrl(input) {
     }
 }
 exports.safeUrl = safeUrl;
+function extractUrlPath(url) {
+    // Extracts the path from a URL, without relying on the URL constructor
+    // (because it normalizes the URL)
+    const endOfProtocol = url.startsWith('https://')
+        ? 8
+        : url.startsWith('http://')
+            ? 7
+            : -1;
+    if (endOfProtocol === -1) {
+        throw new TypeError('URL must use the "https:" or "http:" protocol');
+    }
+    const hashIdx = url.indexOf('#', endOfProtocol);
+    const questionIdx = url.indexOf('?', endOfProtocol);
+    const queryStrIdx = questionIdx !== -1 && (hashIdx === -1 || questionIdx < hashIdx)
+        ? questionIdx
+        : -1;
+    const pathEnd = hashIdx === -1
+        ? queryStrIdx === -1
+            ? url.length
+            : queryStrIdx
+        : queryStrIdx === -1
+            ? hashIdx
+            : Math.min(hashIdx, queryStrIdx);
+    const slashIdx = url.indexOf('/', endOfProtocol);
+    const pathStart = slashIdx === -1 || slashIdx > pathEnd ? pathEnd : slashIdx;
+    if (endOfProtocol === pathStart) {
+        throw new TypeError('URL must contain a host');
+    }
+    return url.substring(pathStart, pathEnd);
+}
+exports.extractUrlPath = extractUrlPath;
 //# sourceMappingURL=util.js.map

package/dist/util.js.map

@@ -1 +1 @@
-{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA,SAAgB,IAAI,CAAC,QAAgB;IACnC,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AARD,oBAQC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAFD,wCAEC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAHD,sCAGC;AAED,SAAgB,OAAO,CAAC,KAAmB;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAND,0BAMC"}
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA,SAAgB,YAAY,CAAC,QAAgB;IAC3C,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AARD,oCAQC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAFD,wCAEC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAHD,sCAGC;AAED,SAAgB,OAAO,CAAC,KAAmB;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAND,0BAMC;AAED,SAAgB,cAAc,CAAC,GAAG;IAChC,uEAAuE;IACvE,kCAAkC;IAClC,MAAM,aAAa,GAAG,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAC9C,CAAC,CAAC,CAAC;QACH,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,CAAC,CAAC,CAAC,CAAC,CAAA;IACR,IAAI,aAAa,KAAK,CAAC,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,SAAS,CAAC,+CAA+C,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAC/C,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEnD,MAAM,WAAW,GACf,WAAW,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,CAAC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC7D,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,CAAC,CAAC,CAAA;IAER,MAAM,OAAO,GACX,OAAO,KAAK,CAAC,CAAC;QACZ,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,GAAG,CAAC,MAAM;YACZ,CAAC,CAAC,WAAW;QACf,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;IAEtC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEhD,MAAM,SAAS,GAAG,QAAQ,KAAK,CAAC,CAAC,IAAI,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAA;IAE5E,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;IAChD,CAAC;IAED,OAAO,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;AAC1C,CAAC;AAtCD,wCAsCC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-types",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "license": "MIT",
   "description": "OAuth typing & validation library",
   "keywords": [

package/src/atproto-loopback-client-metadata.ts

@@ -1,35 +1,21 @@
-import { isOAuthClientIdLoopback } from './oauth-client-id-loopback.js'
+import { parseOAuthLoopbackClientId } from './oauth-client-id-loopback.js'
 import { OAuthClientMetadataInput } from './oauth-client-metadata.js'
-import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
 
 export function atprotoLoopbackClientMetadata(
   clientId: string,
 ): OAuthClientMetadataInput {
-  if (!isOAuthClientIdLoopback(clientId)) {
-    throw new TypeError(`Invalid loopback client ID ${clientId}`)
-  }
-
-  const { origin, pathname, searchParams } = parseOAuthClientIdUrl(clientId)
-
-  for (const name of searchParams.keys()) {
-    if (name !== 'redirect_uri') {
-      throw new TypeError(`Invalid query parameter ${name} in client ID`)
-    }
-  }
-  const redirectUris = searchParams.getAll('redirect_uri')
+  const {
+    scope = 'atproto',
+    redirect_uris = [`http://127.0.0.1/`, `http://[::1]/`],
+  } = parseOAuthLoopbackClientId(clientId)
 
   return {
     client_id: clientId,
+    scope,
+    redirect_uris,
     client_name: 'Loopback client',
-    response_types: ['code id_token', 'code'],
-    grant_types: ['authorization_code', 'implicit', 'refresh_token'],
-    scope: 'openid profile offline_access',
-    redirect_uris: (redirectUris.length
-      ? redirectUris
-      : (['127.0.0.1', '[::1]'] as const).map(
-          (ip) =>
-            Object.assign(new URL(pathname, origin), { hostname: ip }).href,
-        )) as [string, ...string[]],
+    response_types: ['code'],
+    grant_types: ['authorization_code', 'refresh_token'],
     token_endpoint_auth_method: 'none',
     application_type: 'native',
     dpop_bound_access_tokens: true,

package/src/index.ts

@@ -1,25 +1,38 @@
 export * from './constants.js'
 export * from './util.js'
 
-export * from './access-token.js'
 export * from './atproto-loopback-client-metadata.js'
-export * from './oauth-client-id-discoverable.js'
-export * from './oauth-client-id-loopback.js'
-export * from './oauth-authentication-request-parameters.js'
+export * from './oauth-access-token.js'
+export * from './oauth-authorization-code-grant-token-request.js'
 export * from './oauth-authorization-details.js'
+export * from './oauth-authorization-request-jar.js'
+export * from './oauth-authorization-request-par.js'
+export * from './oauth-authorization-request-parameters.js'
+export * from './oauth-authorization-request-query.js'
+export * from './oauth-authorization-request-uri.js'
 export * from './oauth-authorization-server-metadata.js'
+export * from './oauth-client-credentials-grant-token-request.js'
 export * from './oauth-client-credentials.js'
+export * from './oauth-client-id-discoverable.js'
+export * from './oauth-client-id-loopback.js'
 export * from './oauth-client-id.js'
-export * from './oauth-client-identification.js'
 export * from './oauth-client-metadata.js'
 export * from './oauth-endpoint-auth-method.js'
 export * from './oauth-endpoint-name.js'
 export * from './oauth-grant-type.js'
+export * from './oauth-introspection-response.js'
 export * from './oauth-issuer-identifier.js'
 export * from './oauth-par-response.js'
+export * from './oauth-password-grant-token-request.js'
 export * from './oauth-protected-resource-metadata.js'
+export * from './oauth-refresh-token-grant-token-request.js'
+export * from './oauth-refresh-token.js'
+export * from './oauth-request-uri.js'
 export * from './oauth-response-mode.js'
 export * from './oauth-response-type.js'
+export * from './oauth-scope.js'
+export * from './oauth-token-identification.js'
+export * from './oauth-token-request.js'
 export * from './oauth-token-response.js'
 export * from './oauth-token-type.js'
 export * from './oidc-claims-parameter.js'

package/src/oauth-access-token.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod'
+
+export const oauthAccessTokenSchema = z.string().min(1)
+export type OAuthAccessToken = z.infer<typeof oauthAccessTokenSchema>

package/src/oauth-authorization-code-grant-token-request.ts

@@ -0,0 +1,18 @@
+import { z } from 'zod'
+
+export const oauthAuthorizationCodeGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('authorization_code'),
+  code: z.string().min(1),
+  redirect_uri: z.string().url(),
+  /** @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1} */
+  code_verifier: z
+    .string()
+    .min(43)
+    .max(128)
+    .regex(/^[a-zA-Z0-9-._~]+$/)
+    .optional(),
+})
+
+export type OAuthAuthorizationCodeGrantTokenRequest = z.infer<
+  typeof oauthAuthorizationCodeGrantTokenRequestSchema
+>

package/src/oauth-authorization-request-jar.ts

@@ -0,0 +1,16 @@
+import { signedJwtSchema, unsignedJwtSchema } from '@atproto/jwk'
+import { z } from 'zod'
+
+export const oauthAuthorizationRequestJarSchema = z.object({
+  /**
+   * AuthorizationRequest inside a JWT:
+   * - "iat" is required and **MUST** be less than one minute
+   *
+   * @see {@link https://datatracker.ietf.org/doc/html/rfc9101}
+   */
+  request: z.union([signedJwtSchema, unsignedJwtSchema]),
+})
+
+export type OAuthAuthorizationRequestJar = z.infer<
+  typeof oauthAuthorizationRequestJarSchema
+>

package/src/oauth-authorization-request-par.ts

@@ -0,0 +1,13 @@
+import { z } from 'zod'
+
+import { oauthAuthorizationRequestJarSchema } from './oauth-authorization-request-jar.js'
+import { oauthAuthorizationRequestParametersSchema } from './oauth-authorization-request-parameters.js'
+
+export const oauthAuthorizationRequestParSchema = z.union([
+  oauthAuthorizationRequestParametersSchema,
+  oauthAuthorizationRequestJarSchema,
+])
+
+export type OAuthAuthorizationRequestPar = z.infer<
+  typeof oauthAuthorizationRequestParSchema
+>

package/src/{oauth-authentication-request-parameters.ts → oauth-authorization-request-parameters.ts}

@@ -3,6 +3,9 @@ import { z } from 'zod'
 
 import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.js'
 import { oauthClientIdSchema } from './oauth-client-id.js'
+import { oauthCodeChallengeMethodSchema } from './oauth-code-challenge-method.js'
+import { oauthResponseTypeSchema } from './oauth-response-type.js'
+import { oauthScopeSchema } from './oauth-scope.js'
 import { oidcClaimsParameterSchema } from './oidc-claims-parameter.js'
 import { oidcClaimsPropertiesSchema } from './oidc-claims-properties.js'
 import { oidcEntityTypeSchema } from './oidc-entity-type.js'
@@ -10,44 +13,32 @@ import { oidcEntityTypeSchema } from './oidc-entity-type.js'
 /**
  * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest | OIDC}
  */
-export const oauthAuthenticationRequestParametersSchema = z.object({
+export const oauthAuthorizationRequestParametersSchema = z.object({
   client_id: oauthClientIdSchema,
-
   state: z.string().optional(),
-  nonce: z.string().optional(),
-  dpop_jkt: z.string().optional(),
-
-  response_type: z.enum([
-    // OAuth2 (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#section-4.1.1)
-    'code',
-    'token',
-
-    // OIDC (https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
-    'id_token',
-    'none',
-    'code token',
-    'code id_token',
-    'id_token token',
-    'code id_token token',
-  ]),
-
-  // Default depend on response_type
-  response_mode: z.enum(['query', 'fragment', 'form_post']).optional(),
+  redirect_uri: z.string().url().optional(),
+  scope: oauthScopeSchema.optional(),
+  response_type: oauthResponseTypeSchema,
 
   // PKCE
+
   code_challenge: z.string().optional(),
-  code_challenge_method: z.enum(['S256', 'plain']).default('S256').optional(),
+  code_challenge_method: oauthCodeChallengeMethodSchema
+    .default('S256')
+    .optional(),
 
-  redirect_uri: z.string().url().optional(),
+  // DPOP
 
-  // email profile openid (other?)
-  scope: z
-    .string()
-    .regex(/^[a-zA-Z0-9_]+( [a-zA-Z0-9_]+)*$/)
-    .optional(),
+  // https://datatracker.ietf.org/doc/html/rfc9449#section-12.3
+  dpop_jkt: z.string().optional(),
 
   // OIDC
 
+  // Default depend on response_type
+  response_mode: z.enum(['query', 'fragment', 'form_post']).optional(),
+
+  nonce: z.string().optional(),
+
   // Specifies the allowable elapsed time in seconds since the last time the
   // End-User was actively authenticated by the OP. If the elapsed time is
   // greater than this value, the OP MUST attempt to actively re-authenticate
@@ -97,8 +88,8 @@ export const oauthAuthenticationRequestParametersSchema = z.object({
 })
 
 /**
- * @see {oauthAuthenticationRequestParametersSchema}
+ * @see {oauthAuthorizationRequestParametersSchema}
  */
-export type OAuthAuthenticationRequestParameters = z.infer<
-  typeof oauthAuthenticationRequestParametersSchema
+export type OAuthAuthorizationRequestParameters = z.infer<
+  typeof oauthAuthorizationRequestParametersSchema
 >

package/src/oauth-authorization-request-query.ts

@@ -0,0 +1,15 @@
+import { z } from 'zod'
+
+import { oauthAuthorizationRequestJarSchema } from './oauth-authorization-request-jar.js'
+import { oauthAuthorizationRequestParametersSchema } from './oauth-authorization-request-parameters.js'
+import { oauthAuthorizationRequestUriSchema } from './oauth-authorization-request-uri.js'
+
+export const oauthAuthorizationRequestQuerySchema = z.union([
+  oauthAuthorizationRequestParametersSchema,
+  oauthAuthorizationRequestJarSchema,
+  oauthAuthorizationRequestUriSchema,
+])
+
+export type OAuthAuthorizationRequestQuery = z.infer<
+  typeof oauthAuthorizationRequestQuerySchema
+>

package/src/oauth-authorization-request-uri.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod'
+
+import { oauthRequestUriSchema } from './oauth-request-uri.js'
+
+export const oauthAuthorizationRequestUriSchema = z.object({
+  request_uri: oauthRequestUriSchema,
+})
+
+export type OAuthAuthorizationRequestUri = z.infer<
+  typeof oauthAuthorizationRequestUriSchema
+>

package/src/oauth-authorization-server-metadata.ts

@@ -1,5 +1,6 @@
 import { z } from 'zod'
 
+import { oauthCodeChallengeMethodSchema } from './oauth-code-challenge-method.js'
 import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.js'
 
 /**
@@ -19,7 +20,10 @@ export const oauthAuthorizationServerMetadataSchema = z.object({
   response_types_supported: z.array(z.string()).optional(),
   response_modes_supported: z.array(z.string()).optional(),
   grant_types_supported: z.array(z.string()).optional(),
-  code_challenge_methods_supported: z.array(z.string()).min(1).optional(),
+  code_challenge_methods_supported: z
+    .array(oauthCodeChallengeMethodSchema)
+    .min(1)
+    .optional(),
   ui_locales_supported: z.array(z.string()).optional(),
   id_token_signing_alg_values_supported: z.array(z.string()).optional(),
   display_values_supported: z.array(z.string()).optional(),

package/src/oauth-client-credentials-grant-token-request.ts

@@ -0,0 +1,9 @@
+import { z } from 'zod'
+
+export const oauthClientCredentialsGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('client_credentials'),
+})
+
+export type OAuthClientCredentialsGrantTokenRequest = z.infer<
+  typeof oauthClientCredentialsGrantTokenRequestSchema
+>

package/src/oauth-client-credentials.ts

@@ -14,19 +14,39 @@ export const oauthClientCredentialsJwtBearerSchema = z.object({
    * - The JWT MAY contain a "jti" (JWT ID) claim that provides a unique identifier for the token.
    * - Note that the authorization server may reject JWTs with an "exp" claim value that is unreasonably far in the future.
    *
-   * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-11#section-3}
+   * @see {@link https://datatracker.ietf.org/doc/html/rfc7523#section-3}
    */
   client_assertion: signedJwtSchema,
 })
 
+export type OAuthClientCredentialsJwtBearer = z.infer<
+  typeof oauthClientCredentialsJwtBearerSchema
+>
+
 export const oauthClientCredentialsSecretPostSchema = z.object({
   client_id: oauthClientIdSchema,
   client_secret: z.string(),
 })
 
+export type OAuthClientCredentialsSecretPost = z.infer<
+  typeof oauthClientCredentialsSecretPostSchema
+>
+
+export const oauthClientCredentialsNoneSchema = z.object({
+  client_id: oauthClientIdSchema,
+})
+
+export type OAuthClientCredentialsNone = z.infer<
+  typeof oauthClientCredentialsNoneSchema
+>
+
+//
+
 export const oauthClientCredentialsSchema = z.union([
   oauthClientCredentialsJwtBearerSchema,
   oauthClientCredentialsSecretPostSchema,
+  // Must be last since it is less specific
+  oauthClientCredentialsNoneSchema,
 ])
 
 export type OAuthClientCredentials = z.infer<

package/src/oauth-client-id-discoverable.ts

@@ -1,15 +1,14 @@
-import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
 import { OAuthClientId } from './oauth-client-id.js'
-import { isIP } from './util.js'
+import { extractUrlPath, isHostnameIP } from './util.js'
 
 /**
  * @see {@link https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html}
  */
 export type OAuthClientIdDiscoverable = OAuthClientId & `https://${string}`
 
-export function isOAuthClientIdDiscoverable<C extends OAuthClientId>(
-  clientId: C,
-): clientId is C & OAuthClientIdDiscoverable {
+export function isOAuthClientIdDiscoverable(
+  clientId: string,
+): clientId is OAuthClientIdDiscoverable {
   try {
     parseOAuthDiscoverableClientId(clientId)
     return true
@@ -18,48 +17,52 @@ export function isOAuthClientIdDiscoverable<C extends OAuthClientId>(
   }
 }
 
-export function parseOAuthDiscoverableClientId(clientId: OAuthClientId): URL {
-  const url = parseOAuthClientIdUrl(clientId)
-
-  // Optimization: cheap checks first
+export function assertOAuthDiscoverableClientId(
+  value: string,
+): asserts value is OAuthClientIdDiscoverable {
+  void parseOAuthDiscoverableClientId(value)
+}
 
-  if (url.hostname === 'localhost') {
-    throw new TypeError('ClientID must not be a loopback hostname')
-  }
+export function parseOAuthDiscoverableClientId(clientId: string): URL {
+  const url = new URL(clientId)
 
   if (url.protocol !== 'https:') {
     throw new TypeError('ClientID must use the "https:" protocol')
   }
 
+  if (url.username || url.password) {
+    throw new TypeError('ClientID must not contain credentials')
+  }
+
   if (url.hash) {
     throw new TypeError('ClientID must not contain a fragment')
   }
 
-  if (url.username || url.password) {
-    throw new TypeError('ClientID must not contain credentials')
+  if (url.hostname === 'localhost') {
+    throw new TypeError('ClientID hostname must not be "localhost"')
   }
 
   if (url.pathname === '/') {
     throw new TypeError(
-      'ClientID must contain a path (e.g. "/client-metadata")',
+      'ClientID must contain a path component (e.g. "/client-metadata.json")',
     )
   }
 
-  if (url.pathname !== '/' && url.pathname.endsWith('/')) {
-    throw new TypeError('ClientID must not end with a trailing slash')
+  if (url.pathname.endsWith('/')) {
+    throw new TypeError('ClientID path must not end with a trailing slash')
   }
 
-  if (url.pathname.includes('//')) {
-    throw new TypeError(
-      `ClientID must not contain any double slashes in its path`,
-    )
+  if (isHostnameIP(url.hostname)) {
+    throw new TypeError('ClientID hostname must not be an IP address')
   }
 
-  // Note: Query string is allowed
-  // Note: no restriction on the port for non-loopback URIs
-
-  if (isIP(url.hostname)) {
-    throw new TypeError('ClientID must not be an IP address')
+  // URL constructor normalizes the URL, so we extract the path manually to
+  // avoid normalization, then compare it to the normalized path to ensure
+  // that the URL does not contain path traversal or other unexpected characters
+  if (extractUrlPath(clientId) !== url.pathname) {
+    throw new TypeError(
+      `ClientID must be in canonical form ("${url.href}", got "${clientId}")`,
+    )
   }
 
   return url

package/src/oauth-client-id-loopback.ts

@@ -1,12 +1,15 @@
-import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
 import { OAuthClientId } from './oauth-client-id.js'
+import { OAuthScope, oauthScopeSchema } from './oauth-scope.js'
+import { isLoopbackHost, safeUrl } from './util.js'
+
+const OAUTH_CLIENT_ID_LOOPBACK_URL = 'http://localhost'
 
 export type OAuthClientIdLoopback = OAuthClientId &
-  `http://localhost${'' | `${'/' | '?' | '#'}${string}`}`
+  `${typeof OAUTH_CLIENT_ID_LOOPBACK_URL}${'' | '/'}${'' | `?${string}`}`
 
-export function isOAuthClientIdLoopback<C extends OAuthClientId>(
-  clientId: C,
-): clientId is C & OAuthClientIdLoopback {
+export function isOAuthClientIdLoopback(
+  clientId: string,
+): clientId is OAuthClientIdLoopback {
   try {
     parseOAuthLoopbackClientId(clientId)
     return true
@@ -15,44 +18,89 @@ export function isOAuthClientIdLoopback<C extends OAuthClientId>(
   }
 }
 
-export function parseOAuthLoopbackClientId(clientId: OAuthClientId): URL {
-  const url = parseOAuthClientIdUrl(clientId)
-
-  // Optimization: cheap checks first
+export function assertOAuthLoopbackClientId(
+  clientId: string,
+): asserts clientId is OAuthClientIdLoopback {
+  void parseOAuthLoopbackClientId(clientId)
+}
 
-  if (url.protocol !== 'http:') {
-    throw new TypeError('Loopback ClientID must use the "http:" protocol')
+// @TODO: should we turn this into a zod schema? (more coherent error with other
+// validation functions)
+export function parseOAuthLoopbackClientId(clientId: string): {
+  scope?: OAuthScope
+  redirect_uris?: [string, ...string[]]
+} {
+  if (!clientId.startsWith(OAUTH_CLIENT_ID_LOOPBACK_URL)) {
+    throw new TypeError(
+      `Loopback ClientID must start with "${OAUTH_CLIENT_ID_LOOPBACK_URL}"`,
+    )
+  } else if (clientId.includes('#', OAUTH_CLIENT_ID_LOOPBACK_URL.length)) {
+    throw new TypeError('Loopback ClientID must not contain a hash component')
   }
 
-  if (url.hostname !== 'localhost') {
-    throw new TypeError('Loopback ClientID must use the "localhost" hostname')
+  const queryStringIdx =
+    clientId.length > OAUTH_CLIENT_ID_LOOPBACK_URL.length &&
+    clientId[OAUTH_CLIENT_ID_LOOPBACK_URL.length] === '/'
+      ? OAUTH_CLIENT_ID_LOOPBACK_URL.length + 1
+      : OAUTH_CLIENT_ID_LOOPBACK_URL.length
+
+  if (clientId.length === queryStringIdx) {
+    return {} // no query string to parse
   }
 
-  if (url.hash) {
-    throw new TypeError('Loopback ClientID must not contain a fragment')
+  if (clientId[queryStringIdx] !== '?') {
+    throw new TypeError('Loopback ClientID must not contain a path component')
   }
 
-  if (url.username || url.password) {
-    throw new TypeError('Loopback ClientID must not contain credentials')
+  const searchParams = new URLSearchParams(clientId.slice(queryStringIdx + 1))
+
+  for (const name of searchParams.keys()) {
+    if (name !== 'redirect_uri' && name !== 'scope') {
+      throw new TypeError(`Invalid query parameter "${name}" in client ID`)
+    }
   }
 
-  if (url.port) {
-    throw new TypeError('Loopback ClientID must not contain a port')
+  const scope = searchParams.get('scope') ?? undefined
+  if (scope != null) {
+    if (searchParams.getAll('scope').length > 1) {
+      throw new TypeError(
+        'Loopback ClientID must contain at most one scope query parameter',
+      )
+    } else if (!oauthScopeSchema.safeParse(scope).success) {
+      throw new TypeError('Invalid scope query parameter in client ID')
+    }
   }
 
-  // Note: url.pathname === '/' is allowed for loopback URIs
+  const redirect_uris = searchParams.has('redirect_uri')
+    ? (searchParams.getAll('redirect_uri') as [string, ...string[]])
+    : undefined
 
-  if (url.pathname !== '/' && url.pathname.endsWith('/')) {
-    throw new TypeError('Loopback ClientID must not end with a trailing slash')
+  if (redirect_uris) {
+    for (const uri of redirect_uris) {
+      const url = safeUrl(uri)
+      if (!url) {
+        throw new TypeError(`Invalid redirect_uri in client ID: ${uri}`)
+      }
+      if (url.protocol !== 'http:') {
+        throw new TypeError(
+          `Loopback ClientID must use "http:" redirect_uri's (got ${uri})`,
+        )
+      }
+      if (url.hostname === 'localhost') {
+        throw new TypeError(
+          `Loopback ClientID must not use "localhost" as redirect_uri hostname (got ${uri})`,
+        )
+      }
+      if (!isLoopbackHost(url.hostname)) {
+        throw new TypeError(
+          `Loopback ClientID must use loopback addresses as redirect_uri's (got ${uri})`,
+        )
+      }
+    }
   }
 
-  if (url.pathname.includes('//')) {
-    throw new TypeError(
-      `Loopback ClientID must not contain any double slashes in its path`,
-    )
+  return {
+    scope,
+    redirect_uris,
   }
-
-  // Note: Query string is allowed
-
-  return url
 }

package/src/oauth-client-metadata.ts

@@ -5,6 +5,7 @@ import { oauthClientIdSchema } from './oauth-client-id.js'
 import { oauthEndpointAuthMethod } from './oauth-endpoint-auth-method.js'
 import { oauthGrantTypeSchema } from './oauth-grant-type.js'
 import { oauthResponseTypeSchema } from './oauth-response-type.js'
+import { oauthScopeSchema } from './oauth-scope.js'
 
 // https://openid.net/specs/openid-connect-registration-1_0.html
 // https://datatracker.ietf.org/doc/html/rfc7591
@@ -22,7 +23,7 @@ export const oauthClientMetadataSchema = z.object({
     // > If omitted, the default behavior is that the client will use only the
     // > "authorization_code" Grant Type.
     .default(['authorization_code']),
-  scope: z.string().optional(),
+  scope: oauthScopeSchema.optional(),
   token_endpoint_auth_method: oauthEndpointAuthMethod
     .default('none')
     .optional(),