@atproto/oauth-types 0.1.4 → 0.2.0

package/dist/util.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,IAAI,CAAC,QAAQ,EAAE,MAAM,WAQpC;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAG1D;AAED,wBAAgB,OAAO,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,IAAI,CAMvD"}
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,WAQ5C;AAED,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,CAAA;AAE9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,IAAI,YAAY,CAElE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,CAG1D;AAED,wBAAgB,OAAO,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,IAAI,CAMvD;AAED,wBAAgB,cAAc,CAAC,GAAG,KAAA,OAsCjC"}

package/dist/util.js

@@ -1,7 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.safeUrl = exports.isLoopbackUrl = exports.isLoopbackHost = exports.isIP = void 0;
-function isIP(hostname) {
+exports.isHostnameIP = isHostnameIP;
+exports.isLoopbackHost = isLoopbackHost;
+exports.isLoopbackUrl = isLoopbackUrl;
+exports.safeUrl = safeUrl;
+exports.extractUrlPath = extractUrlPath;
+function isHostnameIP(hostname) {
     // IPv4
     if (hostname.match(/^\d+\.\d+\.\d+\.\d+$/))
         return true;
@@ -10,16 +14,13 @@ function isIP(hostname) {
         return true;
     return false;
 }
-exports.isIP = isIP;
 function isLoopbackHost(host) {
     return host === 'localhost' || host === '127.0.0.1' || host === '[::1]';
 }
-exports.isLoopbackHost = isLoopbackHost;
 function isLoopbackUrl(input) {
     const url = typeof input === 'string' ? new URL(input) : input;
     return isLoopbackHost(url.hostname);
 }
-exports.isLoopbackUrl = isLoopbackUrl;
 function safeUrl(input) {
     try {
         return new URL(input);
@@ -28,5 +29,34 @@ function safeUrl(input) {
         return null;
     }
 }
-exports.safeUrl = safeUrl;
+function extractUrlPath(url) {
+    // Extracts the path from a URL, without relying on the URL constructor
+    // (because it normalizes the URL)
+    const endOfProtocol = url.startsWith('https://')
+        ? 8
+        : url.startsWith('http://')
+            ? 7
+            : -1;
+    if (endOfProtocol === -1) {
+        throw new TypeError('URL must use the "https:" or "http:" protocol');
+    }
+    const hashIdx = url.indexOf('#', endOfProtocol);
+    const questionIdx = url.indexOf('?', endOfProtocol);
+    const queryStrIdx = questionIdx !== -1 && (hashIdx === -1 || questionIdx < hashIdx)
+        ? questionIdx
+        : -1;
+    const pathEnd = hashIdx === -1
+        ? queryStrIdx === -1
+            ? url.length
+            : queryStrIdx
+        : queryStrIdx === -1
+            ? hashIdx
+            : Math.min(hashIdx, queryStrIdx);
+    const slashIdx = url.indexOf('/', endOfProtocol);
+    const pathStart = slashIdx === -1 || slashIdx > pathEnd ? pathEnd : slashIdx;
+    if (endOfProtocol === pathStart) {
+        throw new TypeError('URL must contain a host');
+    }
+    return url.substring(pathStart, pathEnd);
+}
 //# sourceMappingURL=util.js.map

package/dist/util.js.map

@@ -1 +1 @@
-{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;;AAAA,SAAgB,IAAI,CAAC,QAAgB;IACnC,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AARD,oBAQC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAFD,wCAEC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAHD,sCAGC;AAED,SAAgB,OAAO,CAAC,KAAmB;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAND,0BAMC"}
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":";;AAAA,oCAQC;AAID,wCAEC;AAED,sCAGC;AAED,0BAMC;AAED,wCAsCC;AAnED,SAAgB,YAAY,CAAC,QAAgB;IAC3C,OAAO;IACP,IAAI,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,OAAO;IACP,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnE,OAAO,KAAK,CAAA;AACd,CAAC;AAID,SAAgB,cAAc,CAAC,IAAa;IAC1C,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,CAAA;AACzE,CAAC;AAED,SAAgB,aAAa,CAAC,KAAmB;IAC/C,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC9D,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AACrC,CAAC;AAED,SAAgB,OAAO,CAAC,KAAmB;IACzC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,SAAgB,cAAc,CAAC,GAAG;IAChC,uEAAuE;IACvE,kCAAkC;IAClC,MAAM,aAAa,GAAG,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAC9C,CAAC,CAAC,CAAC;QACH,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,CAAC,CAAC,CAAC,CAAC,CAAA;IACR,IAAI,aAAa,KAAK,CAAC,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,SAAS,CAAC,+CAA+C,CAAC,CAAA;IACtE,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAC/C,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEnD,MAAM,WAAW,GACf,WAAW,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,KAAK,CAAC,CAAC,IAAI,WAAW,GAAG,OAAO,CAAC;QAC7D,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,CAAC,CAAC,CAAA;IAER,MAAM,OAAO,GACX,OAAO,KAAK,CAAC,CAAC;QACZ,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,GAAG,CAAC,MAAM;YACZ,CAAC,CAAC,WAAW;QACf,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC;YAClB,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC,CAAA;IAEtC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAEhD,MAAM,SAAS,GAAG,QAAQ,KAAK,CAAC,CAAC,IAAI,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAA;IAE5E,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,yBAAyB,CAAC,CAAA;IAChD,CAAC;IAED,OAAO,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAA;AAC1C,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atproto/oauth-types",
-  "version": "0.1.4",
+  "version": "0.2.0",
   "license": "MIT",
   "description": "OAuth typing & validation library",
   "keywords": [
@@ -29,7 +29,7 @@
     "@atproto/jwk": "0.1.1"
   },
   "devDependencies": {
-    "typescript": "^5.3.3"
+    "typescript": "^5.6.3"
   },
   "scripts": {
     "build": "tsc --build tsconfig.build.json"

package/src/atproto-loopback-client-metadata.ts

@@ -1,34 +1,21 @@
-import { isOAuthClientIdLoopback } from './oauth-client-id-loopback.js'
+import { parseOAuthLoopbackClientId } from './oauth-client-id-loopback.js'
 import { OAuthClientMetadataInput } from './oauth-client-metadata.js'
-import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
 
 export function atprotoLoopbackClientMetadata(
   clientId: string,
 ): OAuthClientMetadataInput {
-  if (!isOAuthClientIdLoopback(clientId)) {
-    throw new TypeError(`Invalid loopback client ID ${clientId}`)
-  }
-
-  const { origin, pathname, searchParams } = parseOAuthClientIdUrl(clientId)
-
-  for (const name of searchParams.keys()) {
-    if (name !== 'redirect_uri') {
-      throw new TypeError(`Invalid query parameter ${name} in client ID`)
-    }
-  }
-  const redirectUris = searchParams.getAll('redirect_uri')
+  const {
+    scope = 'atproto',
+    redirect_uris = [`http://127.0.0.1/`, `http://[::1]/`],
+  } = parseOAuthLoopbackClientId(clientId)
 
   return {
     client_id: clientId,
+    scope,
+    redirect_uris,
     client_name: 'Loopback client',
     response_types: ['code'],
     grant_types: ['authorization_code', 'refresh_token'],
-    redirect_uris: (redirectUris.length
-      ? redirectUris
-      : (['127.0.0.1', '[::1]'] as const).map(
-          (ip) =>
-            Object.assign(new URL(pathname, origin), { hostname: ip }).href,
-        )) as [string, ...string[]],
     token_endpoint_auth_method: 'none',
     application_type: 'native',
     dpop_bound_access_tokens: true,

package/src/constants.ts

@@ -1,18 +1,2 @@
-/**
- * A variable that allows to determine if unsecure origins should be allowed
- * in OAuth related URI's. This variable is only set to `true` when NODE_ENV
- * is either `development` or `test`.
- */
-export const ALLOW_UNSECURE_ORIGINS = (() => {
-  // try/catch to support running in a browser, including when process.env is
-  // shimmed (e.g. by webpack)
-  try {
-    const env = process.env.NODE_ENV
-    return env === 'development' || env === 'test'
-  } catch {
-    return false
-  }
-})()
-
 export const CLIENT_ASSERTION_TYPE_JWT_BEARER =
   'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

package/src/index.ts

@@ -1,25 +1,38 @@
 export * from './constants.js'
 export * from './util.js'
 
-export * from './access-token.js'
 export * from './atproto-loopback-client-metadata.js'
-export * from './oauth-client-id-discoverable.js'
-export * from './oauth-client-id-loopback.js'
-export * from './oauth-authentication-request-parameters.js'
+export * from './oauth-access-token.js'
+export * from './oauth-authorization-code-grant-token-request.js'
 export * from './oauth-authorization-details.js'
+export * from './oauth-authorization-request-jar.js'
+export * from './oauth-authorization-request-par.js'
+export * from './oauth-authorization-request-parameters.js'
+export * from './oauth-authorization-request-query.js'
+export * from './oauth-authorization-request-uri.js'
 export * from './oauth-authorization-server-metadata.js'
+export * from './oauth-client-credentials-grant-token-request.js'
 export * from './oauth-client-credentials.js'
+export * from './oauth-client-id-discoverable.js'
+export * from './oauth-client-id-loopback.js'
 export * from './oauth-client-id.js'
-export * from './oauth-client-identification.js'
 export * from './oauth-client-metadata.js'
 export * from './oauth-endpoint-auth-method.js'
 export * from './oauth-endpoint-name.js'
 export * from './oauth-grant-type.js'
+export * from './oauth-introspection-response.js'
 export * from './oauth-issuer-identifier.js'
 export * from './oauth-par-response.js'
+export * from './oauth-password-grant-token-request.js'
 export * from './oauth-protected-resource-metadata.js'
+export * from './oauth-refresh-token-grant-token-request.js'
+export * from './oauth-refresh-token.js'
+export * from './oauth-request-uri.js'
 export * from './oauth-response-mode.js'
 export * from './oauth-response-type.js'
+export * from './oauth-scope.js'
+export * from './oauth-token-identification.js'
+export * from './oauth-token-request.js'
 export * from './oauth-token-response.js'
 export * from './oauth-token-type.js'
 export * from './oidc-claims-parameter.js'

package/src/oauth-access-token.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod'
+
+export const oauthAccessTokenSchema = z.string().min(1)
+export type OAuthAccessToken = z.infer<typeof oauthAccessTokenSchema>

package/src/oauth-authorization-code-grant-token-request.ts

@@ -0,0 +1,18 @@
+import { z } from 'zod'
+
+export const oauthAuthorizationCodeGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('authorization_code'),
+  code: z.string().min(1),
+  redirect_uri: z.string().url(),
+  /** @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.1} */
+  code_verifier: z
+    .string()
+    .min(43)
+    .max(128)
+    .regex(/^[a-zA-Z0-9-._~]+$/)
+    .optional(),
+})
+
+export type OAuthAuthorizationCodeGrantTokenRequest = z.infer<
+  typeof oauthAuthorizationCodeGrantTokenRequestSchema
+>

package/src/oauth-authorization-request-jar.ts

@@ -0,0 +1,16 @@
+import { signedJwtSchema, unsignedJwtSchema } from '@atproto/jwk'
+import { z } from 'zod'
+
+export const oauthAuthorizationRequestJarSchema = z.object({
+  /**
+   * AuthorizationRequest inside a JWT:
+   * - "iat" is required and **MUST** be less than one minute
+   *
+   * @see {@link https://datatracker.ietf.org/doc/html/rfc9101}
+   */
+  request: z.union([signedJwtSchema, unsignedJwtSchema]),
+})
+
+export type OAuthAuthorizationRequestJar = z.infer<
+  typeof oauthAuthorizationRequestJarSchema
+>

package/src/oauth-authorization-request-par.ts

@@ -0,0 +1,13 @@
+import { z } from 'zod'
+
+import { oauthAuthorizationRequestJarSchema } from './oauth-authorization-request-jar.js'
+import { oauthAuthorizationRequestParametersSchema } from './oauth-authorization-request-parameters.js'
+
+export const oauthAuthorizationRequestParSchema = z.union([
+  oauthAuthorizationRequestParametersSchema,
+  oauthAuthorizationRequestJarSchema,
+])
+
+export type OAuthAuthorizationRequestPar = z.infer<
+  typeof oauthAuthorizationRequestParSchema
+>

package/src/{oauth-authentication-request-parameters.ts → oauth-authorization-request-parameters.ts}

@@ -3,7 +3,9 @@ import { z } from 'zod'
 
 import { oauthAuthorizationDetailsSchema } from './oauth-authorization-details.js'
 import { oauthClientIdSchema } from './oauth-client-id.js'
+import { oauthCodeChallengeMethodSchema } from './oauth-code-challenge-method.js'
 import { oauthResponseTypeSchema } from './oauth-response-type.js'
+import { oauthScopeSchema } from './oauth-scope.js'
 import { oidcClaimsParameterSchema } from './oidc-claims-parameter.js'
 import { oidcClaimsPropertiesSchema } from './oidc-claims-properties.js'
 import { oidcEntityTypeSchema } from './oidc-entity-type.js'
@@ -11,35 +13,32 @@ import { oidcEntityTypeSchema } from './oidc-entity-type.js'
 /**
  * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest | OIDC}
  */
-export const oauthAuthenticationRequestParametersSchema = z.object({
+export const oauthAuthorizationRequestParametersSchema = z.object({
   client_id: oauthClientIdSchema,
-
   state: z.string().optional(),
-  nonce: z.string().optional(),
-  dpop_jkt: z.string().optional(),
-
+  redirect_uri: z.string().url().optional(),
+  scope: oauthScopeSchema.optional(),
   response_type: oauthResponseTypeSchema,
 
-  // Default depend on response_type
-  response_mode: z.enum(['query', 'fragment', 'form_post']).optional(),
-
   // PKCE
+
   code_challenge: z.string().optional(),
-  code_challenge_method: z.enum(['S256', 'plain']).default('S256').optional(),
+  code_challenge_method: oauthCodeChallengeMethodSchema
+    .default('S256')
+    .optional(),
 
-  redirect_uri: z.string().url().optional(),
+  // DPOP
 
-  // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-1.4.1
-  // scope       = scope-token *( SP scope-token )
-  // scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
-  // = Basically most ASCII characters except backslash and double quote
-  scope: z
-    .string()
-    .regex(/^[!\x23-\x5B\x5D-\x7E]+( [!\x23-\x5B\x5D-\x7E]+)*$/)
-    .optional(),
+  // https://datatracker.ietf.org/doc/html/rfc9449#section-12.3
+  dpop_jkt: z.string().optional(),
 
   // OIDC
 
+  // Default depend on response_type
+  response_mode: z.enum(['query', 'fragment', 'form_post']).optional(),
+
+  nonce: z.string().optional(),
+
   // Specifies the allowable elapsed time in seconds since the last time the
   // End-User was actively authenticated by the OP. If the elapsed time is
   // greater than this value, the OP MUST attempt to actively re-authenticate
@@ -74,7 +73,7 @@ export const oauthAuthenticationRequestParametersSchema = z.object({
   id_token_hint: signedJwtSchema.optional(),
 
   // Type of UI the AS is displayed on
-  display: z.enum(['page', 'popup', 'touch']).optional(),
+  display: z.enum(['page', 'popup', 'touch', 'wap']).optional(),
 
   /**
    * - "none" will only be allowed if the user already allowed the client on the same device
@@ -89,8 +88,8 @@ export const oauthAuthenticationRequestParametersSchema = z.object({
 })
 
 /**
- * @see {oauthAuthenticationRequestParametersSchema}
+ * @see {oauthAuthorizationRequestParametersSchema}
  */
-export type OAuthAuthenticationRequestParameters = z.infer<
-  typeof oauthAuthenticationRequestParametersSchema
+export type OAuthAuthorizationRequestParameters = z.infer<
+  typeof oauthAuthorizationRequestParametersSchema
 >

package/src/oauth-authorization-request-query.ts

@@ -0,0 +1,15 @@
+import { z } from 'zod'
+
+import { oauthAuthorizationRequestJarSchema } from './oauth-authorization-request-jar.js'
+import { oauthAuthorizationRequestParametersSchema } from './oauth-authorization-request-parameters.js'
+import { oauthAuthorizationRequestUriSchema } from './oauth-authorization-request-uri.js'
+
+export const oauthAuthorizationRequestQuerySchema = z.union([
+  oauthAuthorizationRequestParametersSchema,
+  oauthAuthorizationRequestJarSchema,
+  oauthAuthorizationRequestUriSchema,
+])
+
+export type OAuthAuthorizationRequestQuery = z.infer<
+  typeof oauthAuthorizationRequestQuerySchema
+>

package/src/oauth-authorization-request-uri.ts

@@ -0,0 +1,11 @@
+import { z } from 'zod'
+
+import { oauthRequestUriSchema } from './oauth-request-uri.js'
+
+export const oauthAuthorizationRequestUriSchema = z.object({
+  request_uri: oauthRequestUriSchema,
+})
+
+export type OAuthAuthorizationRequestUri = z.infer<
+  typeof oauthAuthorizationRequestUriSchema
+>

package/src/oauth-authorization-server-metadata.ts

@@ -1,5 +1,6 @@
 import { z } from 'zod'
 
+import { oauthCodeChallengeMethodSchema } from './oauth-code-challenge-method.js'
 import { oauthIssuerIdentifierSchema } from './oauth-issuer-identifier.js'
 
 /**
@@ -19,7 +20,10 @@ export const oauthAuthorizationServerMetadataSchema = z.object({
   response_types_supported: z.array(z.string()).optional(),
   response_modes_supported: z.array(z.string()).optional(),
   grant_types_supported: z.array(z.string()).optional(),
-  code_challenge_methods_supported: z.array(z.string()).min(1).optional(),
+  code_challenge_methods_supported: z
+    .array(oauthCodeChallengeMethodSchema)
+    .min(1)
+    .optional(),
   ui_locales_supported: z.array(z.string()).optional(),
   id_token_signing_alg_values_supported: z.array(z.string()).optional(),
   display_values_supported: z.array(z.string()).optional(),

package/src/oauth-client-credentials-grant-token-request.ts

@@ -0,0 +1,9 @@
+import { z } from 'zod'
+
+export const oauthClientCredentialsGrantTokenRequestSchema = z.object({
+  grant_type: z.literal('client_credentials'),
+})
+
+export type OAuthClientCredentialsGrantTokenRequest = z.infer<
+  typeof oauthClientCredentialsGrantTokenRequestSchema
+>

package/src/oauth-client-credentials.ts

@@ -14,19 +14,39 @@ export const oauthClientCredentialsJwtBearerSchema = z.object({
    * - The JWT MAY contain a "jti" (JWT ID) claim that provides a unique identifier for the token.
    * - Note that the authorization server may reject JWTs with an "exp" claim value that is unreasonably far in the future.
    *
-   * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-11#section-3}
+   * @see {@link https://datatracker.ietf.org/doc/html/rfc7523#section-3}
    */
   client_assertion: signedJwtSchema,
 })
 
+export type OAuthClientCredentialsJwtBearer = z.infer<
+  typeof oauthClientCredentialsJwtBearerSchema
+>
+
 export const oauthClientCredentialsSecretPostSchema = z.object({
   client_id: oauthClientIdSchema,
   client_secret: z.string(),
 })
 
+export type OAuthClientCredentialsSecretPost = z.infer<
+  typeof oauthClientCredentialsSecretPostSchema
+>
+
+export const oauthClientCredentialsNoneSchema = z.object({
+  client_id: oauthClientIdSchema,
+})
+
+export type OAuthClientCredentialsNone = z.infer<
+  typeof oauthClientCredentialsNoneSchema
+>
+
+//
+
 export const oauthClientCredentialsSchema = z.union([
   oauthClientCredentialsJwtBearerSchema,
   oauthClientCredentialsSecretPostSchema,
+  // Must be last since it is less specific
+  oauthClientCredentialsNoneSchema,
 ])
 
 export type OAuthClientCredentials = z.infer<

package/src/oauth-client-id-discoverable.ts

@@ -1,15 +1,14 @@
-import { parseOAuthClientIdUrl } from './oauth-client-id-url.js'
 import { OAuthClientId } from './oauth-client-id.js'
-import { isIP } from './util.js'
+import { extractUrlPath, isHostnameIP } from './util.js'
 
 /**
  * @see {@link https://drafts.aaronpk.com/draft-parecki-oauth-client-id-metadata-document/draft-parecki-oauth-client-id-metadata-document.html}
  */
 export type OAuthClientIdDiscoverable = OAuthClientId & `https://${string}`
 
-export function isOAuthClientIdDiscoverable<C extends OAuthClientId>(
-  clientId: C,
-): clientId is C & OAuthClientIdDiscoverable {
+export function isOAuthClientIdDiscoverable(
+  clientId: string,
+): clientId is OAuthClientIdDiscoverable {
   try {
     parseOAuthDiscoverableClientId(clientId)
     return true
@@ -18,48 +17,52 @@ export function isOAuthClientIdDiscoverable<C extends OAuthClientId>(
   }
 }
 
-export function parseOAuthDiscoverableClientId(clientId: OAuthClientId): URL {
-  const url = parseOAuthClientIdUrl(clientId)
-
-  // Optimization: cheap checks first
+export function assertOAuthDiscoverableClientId(
+  value: string,
+): asserts value is OAuthClientIdDiscoverable {
+  void parseOAuthDiscoverableClientId(value)
+}
 
-  if (url.hostname === 'localhost') {
-    throw new TypeError('ClientID must not be a loopback hostname')
-  }
+export function parseOAuthDiscoverableClientId(clientId: string): URL {
+  const url = new URL(clientId)
 
   if (url.protocol !== 'https:') {
     throw new TypeError('ClientID must use the "https:" protocol')
   }
 
+  if (url.username || url.password) {
+    throw new TypeError('ClientID must not contain credentials')
+  }
+
   if (url.hash) {
     throw new TypeError('ClientID must not contain a fragment')
   }
 
-  if (url.username || url.password) {
-    throw new TypeError('ClientID must not contain credentials')
+  if (url.hostname === 'localhost') {
+    throw new TypeError('ClientID hostname must not be "localhost"')
   }
 
   if (url.pathname === '/') {
     throw new TypeError(
-      'ClientID must contain a path (e.g. "/client-metadata")',
+      'ClientID must contain a path component (e.g. "/client-metadata.json")',
     )
   }
 
-  if (url.pathname !== '/' && url.pathname.endsWith('/')) {
-    throw new TypeError('ClientID must not end with a trailing slash')
+  if (url.pathname.endsWith('/')) {
+    throw new TypeError('ClientID path must not end with a trailing slash')
   }
 
-  if (url.pathname.includes('//')) {
-    throw new TypeError(
-      `ClientID must not contain any double slashes in its path`,
-    )
+  if (isHostnameIP(url.hostname)) {
+    throw new TypeError('ClientID hostname must not be an IP address')
   }
 
-  // Note: Query string is allowed
-  // Note: no restriction on the port for non-loopback URIs
-
-  if (isIP(url.hostname)) {
-    throw new TypeError('ClientID must not be an IP address')
+  // URL constructor normalizes the URL, so we extract the path manually to
+  // avoid normalization, then compare it to the normalized path to ensure
+  // that the URL does not contain path traversal or other unexpected characters
+  if (extractUrlPath(clientId) !== url.pathname) {
+    throw new TypeError(
+      `ClientID must be in canonical form ("${url.href}", got "${clientId}")`,
+    )
   }
 
   return url