@atproto/oauth-types 0.1.4 → 0.1.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-types",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "license": "MIT",
   "description": "OAuth typing & validation library",
   "keywords": [

package/src/atproto-loopback-client-metadata.ts

@@ -1,34 +1,21 @@
-import { isOAuthClientIdLoopback } from './oauth-client-id-loopback.js'
+import { parseOAuthLoopbackClientId } from './oauth-client-id-loopback.js'
 import { OAuthClientMetadataInput } from './oauth-client-metadata.js'
-import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
 
 export function atprotoLoopbackClientMetadata(
   clientId: string,
 ): OAuthClientMetadataInput {
-  if (!isOAuthClientIdLoopback(clientId)) {
-    throw new TypeError(`Invalid loopback client ID ${clientId}`)
-  }
-
-  const { origin, pathname, searchParams } = parseOAuthClientIdUrl(clientId)
-
-  for (const name of searchParams.keys()) {
-    if (name !== 'redirect_uri') {
-      throw new TypeError(`Invalid query parameter ${name} in client ID`)
-    }
-  }
-  const redirectUris = searchParams.getAll('redirect_uri')
+  const {
+    scope = 'atproto',
+    redirect_uris = [`http://127.0.0.1/`, `http://[::1]/`],
+  } = parseOAuthLoopbackClientId(clientId)
 
   return {
     client_id: clientId,
+    scope,
+    redirect_uris,
     client_name: 'Loopback client',
     response_types: ['code'],
     grant_types: ['authorization_code', 'refresh_token'],
-    redirect_uris: (redirectUris.length
-      ? redirectUris
-      : (['127.0.0.1', '[::1]'] as const).map(
-          (ip) =>
-            Object.assign(new URL(pathname, origin), { hostname: ip }).href,
-        )) as [string, ...string[]],
     token_endpoint_auth_method: 'none',
     application_type: 'native',
     dpop_bound_access_tokens: true,

package/src/index.ts

@@ -1,25 +1,38 @@
 export * from './constants.js'
 export * from './util.js'
 
-export * from './access-token.js'
 export * from './atproto-loopback-client-metadata.js'
-export * from './oauth-client-id-discoverable.js'
-export * from './oauth-client-id-loopback.js'
-export * from './oauth-authentication-request-parameters.js'
+export * from './oauth-access-token.js'
+export * from './oauth-authorization-code-grant-token-request.js'
 export * from './oauth-authorization-details.js'
+export * from './oauth-authorization-request-jar.js'
+export * from './oauth-authorization-request-par.js'
+export * from './oauth-authorization-request-parameters.js'
+export * from './oauth-authorization-request-query.js'
+export * from './oauth-authorization-request-uri.js'
 export * from './oauth-authorization-server-metadata.js'
+export * from './oauth-client-credentials-grant-token-request.js'
 export * from './oauth-client-credentials.js'
+export * from './oauth-client-id-discoverable.js'
+export * from './oauth-client-id-loopback.js'
 export * from './oauth-client-id.js'
-export * from './oauth-client-identification.js'
 export * from './oauth-client-metadata.js'
 export * from './oauth-endpoint-auth-method.js'
 export * from './oauth-endpoint-name.js'
 export * from './oauth-grant-type.js'
+export * from './oauth-introspection-response.js'
 export * from './oauth-issuer-identifier.js'
 export * from './oauth-par-response.js'
+export * from './oauth-password-grant-token-request.js'
 export * from './oauth-protected-resource-metadata.js'
+export * from './oauth-refresh-token-grant-token-request.js'
+export * from './oauth-refresh-token.js'
+export * from './oauth-request-uri.js'
 export * from './oauth-response-mode.js'
 export * from './oauth-response-type.js'
+export * from './oauth-scope.js'
+export * from './oauth-token-identification.js'
+export * from './oauth-token-request.js'
 export * from './oauth-token-response.js'
 export * from './oauth-token-type.js'
 export * from './oidc-claims-parameter.js'

package/src/oauth-access-token.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod'
+
+export const oauthAccessTokenSchema = z.string().min(1)
+export type OAuthAccessToken = z.infer<typeof oauthAccessTokenSchema>

package/src/oauth-authorization-code-grant-token-request.ts

@@ -0,0 +1,18 @@
+import { z } from 'zod'
+
+export const oauthAuthorizationCodeGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('authorization_code'),
+  code: z.string().min(1),
+  redirect_uri: z.string().url(),
+  /** @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1} */
+  code_verifier: z
+    .string()
+    .min(43)
+    .max(128)
+    .regex(/^[a-zA-Z0-9-._~]+$/)
+    .optional(),
+})
+
+export type OAuthAuthorizationCodeGrantTokenRequest = z.infer<
+  typeof oauthAuthorizationCodeGrantTokenRequestSchema
+>

package/src/oauth-authorization-request-jar.ts

@@ -0,0 +1,16 @@
+import { signedJwtSchema, unsignedJwtSchema } from '@atproto/jwk'
+import { z } from 'zod'
+
+export const oauthAuthorizationRequestJarSchema = z.object({
+  /**
+   * AuthorizationRequest inside a JWT:
+   * - "iat" is required and **MUST** be less than one minute
+   *
+   * @see {@link https://datatracker.ietf.org/doc/html/rfc9101}
+   */
+  request: z.union([signedJwtSchema, unsignedJwtSchema]),
+})
+
+export type OAuthAuthorizationRequestJar = z.infer<
+  typeof oauthAuthorizationRequestJarSchema
+>

package/src/oauth-authorization-request-par.ts

@@ -0,0 +1,13 @@
+import { z } from 'zod'
+
+import { oauthAuthorizationRequestJarSchema } from './oauth-authorization-request-jar.js'
+import { oauthAuthorizationRequestParametersSchema } from './oauth-authorization-request-parameters.js'
+
+export const oauthAuthorizationRequestParSchema = z.union([
+  oauthAuthorizationRequestParametersSchema,
+  oauthAuthorizationRequestJarSchema,
+])
+
+export type OAuthAuthorizationRequestPar = z.infer<
+  typeof oauthAuthorizationRequestParSchema
+>

package/src/{oauth-authentication-request-parameters.ts → oauth-authorization-request-parameters.ts}

@@ -3,7 +3,9 @@ import { z } from 'zod'
 
 import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.js'
 import { oauthClientIdSchema } from './oauth-client-id.js'
+import { oauthCodeChallengeMethodSchema } from './oauth-code-challenge-method.js'
 import { oauthResponseTypeSchema } from './oauth-response-type.js'
+import { oauthScopeSchema } from './oauth-scope.js'
 import { oidcClaimsParameterSchema } from './oidc-claims-parameter.js'
 import { oidcClaimsPropertiesSchema } from './oidc-claims-properties.js'
 import { oidcEntityTypeSchema } from './oidc-entity-type.js'
@@ -11,35 +13,32 @@ import { oidcEntityTypeSchema } from './oidc-entity-type.js'
 /**
  * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest | OIDC}
  */
-export const oauthAuthenticationRequestParametersSchema = z.object({
+export const oauthAuthorizationRequestParametersSchema = z.object({
   client_id: oauthClientIdSchema,
-
   state: z.string().optional(),
-  nonce: z.string().optional(),
-  dpop_jkt: z.string().optional(),
-
+  redirect_uri: z.string().url().optional(),
+  scope: oauthScopeSchema.optional(),
   response_type: oauthResponseTypeSchema,
 
-  // Default depend on response_type
-  response_mode: z.enum(['query', 'fragment', 'form_post']).optional(),
-
   // PKCE
+
   code_challenge: z.string().optional(),
-  code_challenge_method: z.enum(['S256', 'plain']).default('S256').optional(),
+  code_challenge_method: oauthCodeChallengeMethodSchema
+    .default('S256')
+    .optional(),
 
-  redirect_uri: z.string().url().optional(),
+  // DPOP
 
-  // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-1.4.1
-  // scope       = scope-token *( SP scope-token )
-  // scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
-  // = Basically most ASCII characters except backslash and double quote
-  scope: z
-    .string()
-    .regex(/^[!\x23-\x5B\x5D-\x7E]+( [!\x23-\x5B\x5D-\x7E]+)*$/)
-    .optional(),
+  // https://datatracker.ietf.org/doc/html/rfc9449#section-12.3
+  dpop_jkt: z.string().optional(),
 
   // OIDC
 
+  // Default depend on response_type
+  response_mode: z.enum(['query', 'fragment', 'form_post']).optional(),
+
+  nonce: z.string().optional(),
+
   // Specifies the allowable elapsed time in seconds since the last time the
   // End-User was actively authenticated by the OP. If the elapsed time is
   // greater than this value, the OP MUST attempt to actively re-authenticate
@@ -89,8 +88,8 @@ export const oauthAuthenticationRequestParametersSchema = z.object({
 })
 
 /**
- * @see {oauthAuthenticationRequestParametersSchema}
+ * @see {oauthAuthorizationRequestParametersSchema}
  */
-export type OAuthAuthenticationRequestParameters = z.infer<
-  typeof oauthAuthenticationRequestParametersSchema
+export type OAuthAuthorizationRequestParameters = z.infer<
+  typeof oauthAuthorizationRequestParametersSchema
 >

package/src/oauth-authorization-request-query.ts

@@ -0,0 +1,15 @@
+import { z } from 'zod'
+
+import { oauthAuthorizationRequestJarSchema } from './oauth-authorization-request-jar.js'
+import { oauthAuthorizationRequestParametersSchema } from './oauth-authorization-request-parameters.js'
+import { oauthAuthorizationRequestUriSchema } from './oauth-authorization-request-uri.js'
+
+export const oauthAuthorizationRequestQuerySchema = z.union([
+  oauthAuthorizationRequestParametersSchema,
+  oauthAuthorizationRequestJarSchema,
+  oauthAuthorizationRequestUriSchema,
+])
+
+export type OAuthAuthorizationRequestQuery = z.infer<
+  typeof oauthAuthorizationRequestQuerySchema
+>

package/src/oauth-authorization-request-uri.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod'
+
+import { oauthRequestUriSchema } from './oauth-request-uri.js'
+
+export const oauthAuthorizationRequestUriSchema = z.object({
+  request_uri: oauthRequestUriSchema,
+})
+
+export type OAuthAuthorizationRequestUri = z.infer<
+  typeof oauthAuthorizationRequestUriSchema
+>

package/src/oauth-authorization-server-metadata.ts

@@ -1,5 +1,6 @@
 import { z } from 'zod'
 
+import { oauthCodeChallengeMethodSchema } from './oauth-code-challenge-method.js'
 import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.js'
 
 /**
@@ -19,7 +20,10 @@ export const oauthAuthorizationServerMetadataSchema = z.object({
   response_types_supported: z.array(z.string()).optional(),
   response_modes_supported: z.array(z.string()).optional(),
   grant_types_supported: z.array(z.string()).optional(),
-  code_challenge_methods_supported: z.array(z.string()).min(1).optional(),
+  code_challenge_methods_supported: z
+    .array(oauthCodeChallengeMethodSchema)
+    .min(1)
+    .optional(),
   ui_locales_supported: z.array(z.string()).optional(),
   id_token_signing_alg_values_supported: z.array(z.string()).optional(),
   display_values_supported: z.array(z.string()).optional(),

package/src/oauth-client-credentials-grant-token-request.ts

@@ -0,0 +1,9 @@
+import { z } from 'zod'
+
+export const oauthClientCredentialsGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('client_credentials'),
+})
+
+export type OAuthClientCredentialsGrantTokenRequest = z.infer<
+  typeof oauthClientCredentialsGrantTokenRequestSchema
+>

package/src/oauth-client-credentials.ts

@@ -14,19 +14,39 @@ export const oauthClientCredentialsJwtBearerSchema = z.object({
    * - The JWT MAY contain a "jti" (JWT ID) claim that provides a unique identifier for the token.
    * - Note that the authorization server may reject JWTs with an "exp" claim value that is unreasonably far in the future.
    *
-   * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-11#section-3}
+   * @see {@link https://datatracker.ietf.org/doc/html/rfc7523#section-3}
    */
   client_assertion: signedJwtSchema,
 })
 
+export type OAuthClientCredentialsJwtBearer = z.infer<
+  typeof oauthClientCredentialsJwtBearerSchema
+>
+
 export const oauthClientCredentialsSecretPostSchema = z.object({
   client_id: oauthClientIdSchema,
   client_secret: z.string(),
 })
 
+export type OAuthClientCredentialsSecretPost = z.infer<
+  typeof oauthClientCredentialsSecretPostSchema
+>
+
+export const oauthClientCredentialsNoneSchema = z.object({
+  client_id: oauthClientIdSchema,
+})
+
+export type OAuthClientCredentialsNone = z.infer<
+  typeof oauthClientCredentialsNoneSchema
+>
+
+//
+
 export const oauthClientCredentialsSchema = z.union([
   oauthClientCredentialsJwtBearerSchema,
   oauthClientCredentialsSecretPostSchema,
+  // Must be last since it is less specific
+  oauthClientCredentialsNoneSchema,
 ])
 
 export type OAuthClientCredentials = z.infer<

package/src/oauth-client-id-discoverable.ts

@@ -1,15 +1,14 @@
-import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
 import { OAuthClientId } from './oauth-client-id.js'
-import { isIP } from './util.js'
+import { extractUrlPath, isHostnameIP } from './util.js'
 
 /**
  * @see {@link https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html}
  */
 export type OAuthClientIdDiscoverable = OAuthClientId & `https://${string}`
 
-export function isOAuthClientIdDiscoverable<C extends OAuthClientId>(
-  clientId: C,
-): clientId is C & OAuthClientIdDiscoverable {
+export function isOAuthClientIdDiscoverable(
+  clientId: string,
+): clientId is OAuthClientIdDiscoverable {
   try {
     parseOAuthDiscoverableClientId(clientId)
     return true
@@ -18,48 +17,52 @@ export function isOAuthClientIdDiscoverable<C extends OAuthClientId>(
   }
 }
 
-export function parseOAuthDiscoverableClientId(clientId: OAuthClientId): URL {
-  const url = parseOAuthClientIdUrl(clientId)
-
-  // Optimization: cheap checks first
+export function assertOAuthDiscoverableClientId(
+  value: string,
+): asserts value is OAuthClientIdDiscoverable {
+  void parseOAuthDiscoverableClientId(value)
+}
 
-  if (url.hostname === 'localhost') {
-    throw new TypeError('ClientID must not be a loopback hostname')
-  }
+export function parseOAuthDiscoverableClientId(clientId: string): URL {
+  const url = new URL(clientId)
 
   if (url.protocol !== 'https:') {
     throw new TypeError('ClientID must use the "https:" protocol')
   }
 
+  if (url.username || url.password) {
+    throw new TypeError('ClientID must not contain credentials')
+  }
+
   if (url.hash) {
     throw new TypeError('ClientID must not contain a fragment')
   }
 
-  if (url.username || url.password) {
-    throw new TypeError('ClientID must not contain credentials')
+  if (url.hostname === 'localhost') {
+    throw new TypeError('ClientID hostname must not be "localhost"')
   }
 
   if (url.pathname === '/') {
     throw new TypeError(
-      'ClientID must contain a path (e.g. "/client-metadata")',
+      'ClientID must contain a path component (e.g. "/client-metadata.json")',
     )
   }
 
-  if (url.pathname !== '/' && url.pathname.endsWith('/')) {
-    throw new TypeError('ClientID must not end with a trailing slash')
+  if (url.pathname.endsWith('/')) {
+    throw new TypeError('ClientID path must not end with a trailing slash')
   }
 
-  if (url.pathname.includes('//')) {
-    throw new TypeError(
-      `ClientID must not contain any double slashes in its path`,
-    )
+  if (isHostnameIP(url.hostname)) {
+    throw new TypeError('ClientID hostname must not be an IP address')
   }
 
-  // Note: Query string is allowed
-  // Note: no restriction on the port for non-loopback URIs
-
-  if (isIP(url.hostname)) {
-    throw new TypeError('ClientID must not be an IP address')
+  // URL constructor normalizes the URL, so we extract the path manually to
+  // avoid normalization, then compare it to the normalized path to ensure
+  // that the URL does not contain path traversal or other unexpected characters
+  if (extractUrlPath(clientId) !== url.pathname) {
+    throw new TypeError(
+      `ClientID must be in canonical form ("${url.href}", got "${clientId}")`,
+    )
   }
 
   return url

package/src/oauth-client-id-loopback.ts

@@ -1,12 +1,15 @@
-import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
 import { OAuthClientId } from './oauth-client-id.js'
+import { OAuthScope, oauthScopeSchema } from './oauth-scope.js'
+import { isLoopbackHost, safeUrl } from './util.js'
+
+const OAUTH_CLIENT_ID_LOOPBACK_URL = 'http://localhost'
 
 export type OAuthClientIdLoopback = OAuthClientId &
-  `http://localhost${'' | `${'/' | '?' | '#'}${string}`}`
+  `${typeof OAUTH_CLIENT_ID_LOOPBACK_URL}${'' | '/'}${'' | `?${string}`}`
 
-export function isOAuthClientIdLoopback<C extends OAuthClientId>(
-  clientId: C,
-): clientId is C & OAuthClientIdLoopback {
+export function isOAuthClientIdLoopback(
+  clientId: string,
+): clientId is OAuthClientIdLoopback {
   try {
     parseOAuthLoopbackClientId(clientId)
     return true
@@ -15,44 +18,89 @@ export function isOAuthClientIdLoopback<C extends OAuthClientId>(
   }
 }
 
-export function parseOAuthLoopbackClientId(clientId: OAuthClientId): URL {
-  const url = parseOAuthClientIdUrl(clientId)
-
-  // Optimization: cheap checks first
+export function assertOAuthLoopbackClientId(
+  clientId: string,
+): asserts clientId is OAuthClientIdLoopback {
+  void parseOAuthLoopbackClientId(clientId)
+}
 
-  if (url.protocol !== 'http:') {
-    throw new TypeError('Loopback ClientID must use the "http:" protocol')
+// @TODO: should we turn this into a zod schema? (more coherent error with other
+// validation functions)
+export function parseOAuthLoopbackClientId(clientId: string): {
+  scope?: OAuthScope
+  redirect_uris?: [string, ...string[]]
+} {
+  if (!clientId.startsWith(OAUTH_CLIENT_ID_LOOPBACK_URL)) {
+    throw new TypeError(
+      `Loopback ClientID must start with "${OAUTH_CLIENT_ID_LOOPBACK_URL}"`,
+    )
+  } else if (clientId.includes('#', OAUTH_CLIENT_ID_LOOPBACK_URL.length)) {
+    throw new TypeError('Loopback ClientID must not contain a hash component')
   }
 
-  if (url.hostname !== 'localhost') {
-    throw new TypeError('Loopback ClientID must use the "localhost" hostname')
+  const queryStringIdx =
+    clientId.length > OAUTH_CLIENT_ID_LOOPBACK_URL.length &&
+    clientId[OAUTH_CLIENT_ID_LOOPBACK_URL.length] === '/'
+      ? OAUTH_CLIENT_ID_LOOPBACK_URL.length + 1
+      : OAUTH_CLIENT_ID_LOOPBACK_URL.length
+
+  if (clientId.length === queryStringIdx) {
+    return {} // no query string to parse
   }
 
-  if (url.hash) {
-    throw new TypeError('Loopback ClientID must not contain a fragment')
+  if (clientId[queryStringIdx] !== '?') {
+    throw new TypeError('Loopback ClientID must not contain a path component')
   }
 
-  if (url.username || url.password) {
-    throw new TypeError('Loopback ClientID must not contain credentials')
+  const searchParams = new URLSearchParams(clientId.slice(queryStringIdx + 1))
+
+  for (const name of searchParams.keys()) {
+    if (name !== 'redirect_uri' && name !== 'scope') {
+      throw new TypeError(`Invalid query parameter "${name}" in client ID`)
+    }
   }
 
-  if (url.port) {
-    throw new TypeError('Loopback ClientID must not contain a port')
+  const scope = searchParams.get('scope') ?? undefined
+  if (scope != null) {
+    if (searchParams.getAll('scope').length > 1) {
+      throw new TypeError(
+        'Loopback ClientID must contain at most one scope query parameter',
+      )
+    } else if (!oauthScopeSchema.safeParse(scope).success) {
+      throw new TypeError('Invalid scope query parameter in client ID')
+    }
   }
 
-  // Note: url.pathname === '/' is allowed for loopback URIs
+  const redirect_uris = searchParams.has('redirect_uri')
+    ? (searchParams.getAll('redirect_uri') as [string, ...string[]])
+    : undefined
 
-  if (url.pathname !== '/' && url.pathname.endsWith('/')) {
-    throw new TypeError('Loopback ClientID must not end with a trailing slash')
+  if (redirect_uris) {
+    for (const uri of redirect_uris) {
+      const url = safeUrl(uri)
+      if (!url) {
+        throw new TypeError(`Invalid redirect_uri in client ID: ${uri}`)
+      }
+      if (url.protocol !== 'http:') {
+        throw new TypeError(
+          `Loopback ClientID must use "http:" redirect_uri's (got ${uri})`,
+        )
+      }
+      if (url.hostname === 'localhost') {
+        throw new TypeError(
+          `Loopback ClientID must not use "localhost" as redirect_uri hostname (got ${uri})`,
+        )
+      }
+      if (!isLoopbackHost(url.hostname)) {
+        throw new TypeError(
+          `Loopback ClientID must use loopback addresses as redirect_uri's (got ${uri})`,
+        )
+      }
+    }
   }
 
-  if (url.pathname.includes('//')) {
-    throw new TypeError(
-      `Loopback ClientID must not contain any double slashes in its path`,
-    )
+  return {
+    scope,
+    redirect_uris,
   }
-
-  // Note: Query string is allowed
-
-  return url
 }

package/src/oauth-client-metadata.ts

@@ -5,6 +5,7 @@ import { oauthClientIdSchema } from './oauth-client-id.js'
 import { oauthEndpointAuthMethod } from './oauth-endpoint-auth-method.js'
 import { oauthGrantTypeSchema } from './oauth-grant-type.js'
 import { oauthResponseTypeSchema } from './oauth-response-type.js'
+import { oauthScopeSchema } from './oauth-scope.js'
 
 // https://openid.net/specs/openid-connect-registration-1_0.html
 // https://datatracker.ietf.org/doc/html/rfc7591
@@ -22,7 +23,7 @@ export const oauthClientMetadataSchema = z.object({
     // > If omitted, the default behavior is that the client will use only the
     // > "authorization_code" Grant Type.
     .default(['authorization_code']),
-  scope: z.string().optional(),
+  scope: oauthScopeSchema.optional(),
   token_endpoint_auth_method: oauthEndpointAuthMethod
     .default('none')
     .optional(),

package/src/oauth-code-challenge-method.ts

@@ -0,0 +1,3 @@
+import { z } from 'zod'
+
+export const oauthCodeChallengeMethodSchema = z.enum(['S256', 'plain'])

package/src/oauth-introspection-response.ts

@@ -0,0 +1,23 @@
+import { OAuthAuthorizationDetails } from './oauth-authorization-details.js'
+import { OAuthTokenType } from './oauth-token-type.js'
+
+// https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
+export type OAuthIntrospectionResponse =
+  | { active: false }
+  | {
+      active: true
+
+      scope?: string
+      client_id?: string
+      username?: string
+      token_type?: OAuthTokenType
+      authorization_details?: OAuthAuthorizationDetails
+
+      aud?: string | [string, ...string[]]
+      exp?: number
+      iat?: number
+      iss?: string
+      jti?: string
+      nbf?: number
+      sub?: string
+    }

package/src/oauth-par-response.ts

@@ -2,6 +2,7 @@ import { z } from 'zod'
 
 export const oauthParResponseSchema = z.object({
   request_uri: z.string(),
+  expires_in: z.number().int().positive(),
 })
 
 export type OAuthParResponse = z.infer<typeof oauthParResponseSchema>

package/src/oauth-password-grant-token-request.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod'
+
+export const oauthPasswordGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('password'),
+  username: z.string(),
+  password: z.string(),
+})
+
+export type OAuthPasswordGrantTokenRequest = z.infer<
+  typeof oauthPasswordGrantTokenRequestSchema
+>

package/src/oauth-refresh-token-grant-token-request.ts

@@ -0,0 +1,13 @@
+import { z } from 'zod'
+import { oauthClientIdSchema } from './oauth-client-id.js'
+import { oauthRefreshTokenSchema } from './oauth-refresh-token.js'
+
+export const oauthRefreshTokenGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('refresh_token'),
+  refresh_token: oauthRefreshTokenSchema,
+  client_id: oauthClientIdSchema,
+})
+
+export type OAuthRefreshTokenGrantTokenRequest = z.infer<
+  typeof oauthRefreshTokenGrantTokenRequestSchema
+>

package/src/oauth-refresh-token.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod'
+
+export const oauthRefreshTokenSchema = z.string().min(1)
+export type OAuthRefreshToken = z.infer<typeof oauthRefreshTokenSchema>

package/src/oauth-request-uri.ts

@@ -0,0 +1,5 @@
+import { z } from 'zod'
+
+export const oauthRequestUriSchema = z.string()
+
+export type OAuthRequestUri = z.infer<typeof oauthRequestUriSchema>