@atxp/client 0.3.0 → 0.5.0

package/dist/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js

@@ -1,24 +1,156 @@
 import pkceChallenge from '../../../../../pkce-challenge/dist/index.browser.js';
 import { LATEST_PROTOCOL_VERSION } from '../types.js';
-import { OAuthProtectedResourceMetadataSchema, OAuthMetadataSchema, OAuthClientInformationFullSchema, OAuthTokensSchema } from '../shared/auth.js';
+import { OAuthProtectedResourceMetadataSchema, OAuthMetadataSchema, OpenIdProviderDiscoveryMetadataSchema, OAuthClientInformationFullSchema, OAuthTokensSchema, OAuthErrorResponseSchema } from '../shared/auth.js';
 import { resourceUrlFromServerUrl, checkResourceAllowed } from '../shared/auth-utils.js';
+import { InvalidClientError, UnauthorizedClientError, InvalidGrantError, OAuthError, ServerError, OAUTH_ERRORS } from '../server/auth/errors.js';
 
 class UnauthorizedError extends Error {
     constructor(message) {
         super(message !== null && message !== void 0 ? message : "Unauthorized");
     }
 }
+/**
+ * Determines the best client authentication method to use based on server support and client configuration.
+ *
+ * Priority order (highest to lowest):
+ * 1. client_secret_basic (if client secret is available)
+ * 2. client_secret_post (if client secret is available)
+ * 3. none (for public clients)
+ *
+ * @param clientInformation - OAuth client information containing credentials
+ * @param supportedMethods - Authentication methods supported by the authorization server
+ * @returns The selected authentication method
+ */
+function selectClientAuthMethod(clientInformation, supportedMethods) {
+    const hasClientSecret = clientInformation.client_secret !== undefined;
+    // If server doesn't specify supported methods, use RFC 6749 defaults
+    if (supportedMethods.length === 0) {
+        return hasClientSecret ? "client_secret_post" : "none";
+    }
+    // Try methods in priority order (most secure first)
+    if (hasClientSecret && supportedMethods.includes("client_secret_basic")) {
+        return "client_secret_basic";
+    }
+    if (hasClientSecret && supportedMethods.includes("client_secret_post")) {
+        return "client_secret_post";
+    }
+    if (supportedMethods.includes("none")) {
+        return "none";
+    }
+    // Fallback: use what we have
+    return hasClientSecret ? "client_secret_post" : "none";
+}
+/**
+ * Applies client authentication to the request based on the specified method.
+ *
+ * Implements OAuth 2.1 client authentication methods:
+ * - client_secret_basic: HTTP Basic authentication (RFC 6749 Section 2.3.1)
+ * - client_secret_post: Credentials in request body (RFC 6749 Section 2.3.1)
+ * - none: Public client authentication (RFC 6749 Section 2.1)
+ *
+ * @param method - The authentication method to use
+ * @param clientInformation - OAuth client information containing credentials
+ * @param headers - HTTP headers object to modify
+ * @param params - URL search parameters to modify
+ * @throws {Error} When required credentials are missing
+ */
+function applyClientAuthentication(method, clientInformation, headers, params) {
+    const { client_id, client_secret } = clientInformation;
+    switch (method) {
+        case "client_secret_basic":
+            applyBasicAuth(client_id, client_secret, headers);
+            return;
+        case "client_secret_post":
+            applyPostAuth(client_id, client_secret, params);
+            return;
+        case "none":
+            applyPublicAuth(client_id, params);
+            return;
+        default:
+            throw new Error(`Unsupported client authentication method: ${method}`);
+    }
+}
+/**
+ * Applies HTTP Basic authentication (RFC 6749 Section 2.3.1)
+ */
+function applyBasicAuth(clientId, clientSecret, headers) {
+    if (!clientSecret) {
+        throw new Error("client_secret_basic authentication requires a client_secret");
+    }
+    const credentials = btoa(`${clientId}:${clientSecret}`);
+    headers.set("Authorization", `Basic ${credentials}`);
+}
+/**
+ * Applies POST body authentication (RFC 6749 Section 2.3.1)
+ */
+function applyPostAuth(clientId, clientSecret, params) {
+    params.set("client_id", clientId);
+    if (clientSecret) {
+        params.set("client_secret", clientSecret);
+    }
+}
+/**
+ * Applies public client authentication (RFC 6749 Section 2.1)
+ */
+function applyPublicAuth(clientId, params) {
+    params.set("client_id", clientId);
+}
+/**
+ * Parses an OAuth error response from a string or Response object.
+ *
+ * If the input is a standard OAuth2.0 error response, it will be parsed according to the spec
+ * and an instance of the appropriate OAuthError subclass will be returned.
+ * If parsing fails, it falls back to a generic ServerError that includes
+ * the response status (if available) and original content.
+ *
+ * @param input - A Response object or string containing the error response
+ * @returns A Promise that resolves to an OAuthError instance
+ */
+async function parseErrorResponse(input) {
+    const statusCode = input instanceof Response ? input.status : undefined;
+    const body = input instanceof Response ? await input.text() : input;
+    try {
+        const result = OAuthErrorResponseSchema.parse(JSON.parse(body));
+        const { error, error_description, error_uri } = result;
+        const errorClass = OAUTH_ERRORS[error] || ServerError;
+        return new errorClass(error_description || '', error_uri);
+    }
+    catch (error) {
+        // Not a valid OAuth error response, but try to inform the user of the raw data anyway
+        const errorMessage = `${statusCode ? `HTTP ${statusCode}: ` : ''}Invalid OAuth error response: ${error}. Raw body: ${body}`;
+        return new ServerError(errorMessage);
+    }
+}
 /**
  * Orchestrates the full auth flow with a server.
  *
  * This can be used as a single entry point for all authorization functionality,
  * instead of linking together the other lower-level functions in this module.
  */
-async function auth(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl }) {
+async function auth(provider, options) {
+    var _a, _b;
+    try {
+        return await authInternal(provider, options);
+    }
+    catch (error) {
+        // Handle recoverable error types by invalidating credentials and retrying
+        if (error instanceof InvalidClientError || error instanceof UnauthorizedClientError) {
+            await ((_a = provider.invalidateCredentials) === null || _a === void 0 ? void 0 : _a.call(provider, 'all'));
+            return await authInternal(provider, options);
+        }
+        else if (error instanceof InvalidGrantError) {
+            await ((_b = provider.invalidateCredentials) === null || _b === void 0 ? void 0 : _b.call(provider, 'tokens'));
+            return await authInternal(provider, options);
+        }
+        // Throw otherwise
+        throw error;
+    }
+}
+async function authInternal(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl, fetchFn, }) {
     let resourceMetadata;
-    let authorizationServerUrl = serverUrl;
+    let authorizationServerUrl;
     try {
-        resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl });
+        resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl }, fetchFn);
         if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
             authorizationServerUrl = resourceMetadata.authorization_servers[0];
         }
@@ -26,8 +158,17 @@ async function auth(provider, { serverUrl, authorizationCode, scope, resourceMet
     catch (_a) {
         // Ignore errors and fall back to /.well-known/oauth-authorization-server
     }
+    /**
+     * If we don't get a valid authorization server metadata from protected resource metadata,
+     * fallback to the legacy MCP spec's implementation (version 2025-03-26): MCP server acts as the Authorization server.
+     */
+    if (!authorizationServerUrl) {
+        authorizationServerUrl = serverUrl;
+    }
     const resource = await selectResourceURL(serverUrl, provider, resourceMetadata);
-    const metadata = await discoverOAuthMetadata(authorizationServerUrl);
+    const metadata = await discoverAuthorizationServerMetadata(authorizationServerUrl, {
+        fetchFn,
+    });
     // Handle client registration if needed
     let clientInformation = await Promise.resolve(provider.clientInformation());
     if (!clientInformation) {
@@ -40,6 +181,7 @@ async function auth(provider, { serverUrl, authorizationCode, scope, resourceMet
         const fullInformation = await registerClient(authorizationServerUrl, {
             metadata,
             clientMetadata: provider.clientMetadata,
+            fetchFn,
         });
         await provider.saveClientInformation(fullInformation);
         clientInformation = fullInformation;
@@ -54,6 +196,8 @@ async function auth(provider, { serverUrl, authorizationCode, scope, resourceMet
             codeVerifier,
             redirectUri: provider.redirectUrl,
             resource,
+            addClientAuthentication: provider.addClientAuthentication,
+            fetchFn: fetchFn,
         });
         await provider.saveTokens(tokens);
         return "AUTHORIZED";
@@ -68,12 +212,19 @@ async function auth(provider, { serverUrl, authorizationCode, scope, resourceMet
                 clientInformation,
                 refreshToken: tokens.refresh_token,
                 resource,
+                addClientAuthentication: provider.addClientAuthentication,
+                fetchFn,
             });
             await provider.saveTokens(newTokens);
             return "AUTHORIZED";
         }
-        catch (_b) {
-            // Could not refresh OAuth tokens
+        catch (error) {
+            // If this is a ServerError, or an unknown type, log it out and try to continue. Otherwise, escalate so we can fix things and retry.
+            if (!(error instanceof OAuthError) || error instanceof ServerError) ;
+            else {
+                // Refresh failed for another reason, re-throw
+                throw error;
+            }
         }
     }
     const state = provider.state ? await provider.state() : undefined;
@@ -137,33 +288,12 @@ function extractResourceMetadataUrl(res) {
  * If the server returns a 404 for the well-known endpoint, this function will
  * return `undefined`. Any other errors will be thrown as exceptions.
  */
-async function discoverOAuthProtectedResourceMetadata(serverUrl, opts) {
-    var _a;
-    let url;
-    if (opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl) {
-        url = new URL(opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl);
-    }
-    else {
-        url = new URL("/.well-known/oauth-protected-resource", serverUrl);
-    }
-    let response;
-    try {
-        response = await fetch(url, {
-            headers: {
-                "MCP-Protocol-Version": (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION
-            }
-        });
-    }
-    catch (error) {
-        // CORS errors come back as TypeError
-        if (error instanceof TypeError) {
-            response = await fetch(url);
-        }
-        else {
-            throw error;
-        }
-    }
-    if (response.status === 404) {
+async function discoverOAuthProtectedResourceMetadata(serverUrl, opts, fetchFn = fetch) {
+    const response = await discoverMetadataWithFallback(serverUrl, 'oauth-protected-resource', fetchFn, {
+        protocolVersion: opts === null || opts === void 0 ? void 0 : opts.protocolVersion,
+        metadataUrl: opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl,
+    });
+    if (!response || response.status === 404) {
         throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
     }
     if (!response.ok) {
@@ -174,15 +304,15 @@ async function discoverOAuthProtectedResourceMetadata(serverUrl, opts) {
 /**
  * Helper function to handle fetch with CORS retry logic
  */
-async function fetchWithCorsRetry(url, headers) {
+async function fetchWithCorsRetry(url, headers, fetchFn = fetch) {
     try {
-        return await fetch(url, { headers });
+        return await fetchFn(url, { headers });
     }
     catch (error) {
         if (error instanceof TypeError) {
             if (headers) {
                 // CORS errors come back as TypeError, retry without headers
-                return fetchWithCorsRetry(url);
+                return fetchWithCorsRetry(url, undefined, fetchFn);
             }
             else {
                 // We're getting CORS errors on retry too, return undefined
@@ -193,57 +323,162 @@ async function fetchWithCorsRetry(url, headers) {
     }
 }
 /**
- * Constructs the well-known path for OAuth metadata discovery
+ * Constructs the well-known path for auth-related metadata discovery
  */
-function buildWellKnownPath(pathname) {
-    let wellKnownPath = `/.well-known/oauth-authorization-server${pathname}`;
+function buildWellKnownPath(wellKnownPrefix, pathname = '', options = {}) {
+    // Strip trailing slash from pathname to avoid double slashes
     if (pathname.endsWith('/')) {
-        // Strip trailing slash from pathname to avoid double slashes
-        wellKnownPath = wellKnownPath.slice(0, -1);
+        pathname = pathname.slice(0, -1);
     }
-    return wellKnownPath;
+    return options.prependPathname
+        ? `${pathname}/.well-known/${wellKnownPrefix}`
+        : `/.well-known/${wellKnownPrefix}${pathname}`;
 }
 /**
  * Tries to discover OAuth metadata at a specific URL
  */
-async function tryMetadataDiscovery(url, protocolVersion) {
+async function tryMetadataDiscovery(url, protocolVersion, fetchFn = fetch) {
     const headers = {
         "MCP-Protocol-Version": protocolVersion
     };
-    return await fetchWithCorsRetry(url, headers);
+    return await fetchWithCorsRetry(url, headers, fetchFn);
 }
 /**
  * Determines if fallback to root discovery should be attempted
  */
 function shouldAttemptFallback(response, pathname) {
-    return !response || response.status === 404 && pathname !== '/';
+    return !response || (response.status >= 400 && response.status < 500) && pathname !== '/';
 }
 /**
- * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.
- *
- * If the server returns a 404 for the well-known endpoint, this function will
- * return `undefined`. Any other errors will be thrown as exceptions.
+ * Generic function for discovering OAuth metadata with fallback support
  */
-async function discoverOAuthMetadata(authorizationServerUrl, opts) {
-    var _a;
-    const issuer = new URL(authorizationServerUrl);
-    const protocolVersion = (_a = void 0 ) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION;
-    // Try path-aware discovery first (RFC 8414 compliant)
-    const wellKnownPath = buildWellKnownPath(issuer.pathname);
-    const pathAwareUrl = new URL(wellKnownPath, issuer);
-    let response = await tryMetadataDiscovery(pathAwareUrl, protocolVersion);
-    // If path-aware discovery fails with 404, try fallback to root discovery
-    if (shouldAttemptFallback(response, issuer.pathname)) {
-        const rootUrl = new URL("/.well-known/oauth-authorization-server", issuer);
-        response = await tryMetadataDiscovery(rootUrl, protocolVersion);
+async function discoverMetadataWithFallback(serverUrl, wellKnownType, fetchFn, opts) {
+    var _a, _b;
+    const issuer = new URL(serverUrl);
+    const protocolVersion = (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION;
+    let url;
+    if (opts === null || opts === void 0 ? void 0 : opts.metadataUrl) {
+        url = new URL(opts.metadataUrl);
     }
-    if (!response || response.status === 404) {
-        return undefined;
+    else {
+        // Try path-aware discovery first
+        const wellKnownPath = buildWellKnownPath(wellKnownType, issuer.pathname);
+        url = new URL(wellKnownPath, (_b = opts === null || opts === void 0 ? void 0 : opts.metadataServerUrl) !== null && _b !== void 0 ? _b : issuer);
+        url.search = issuer.search;
+    }
+    let response = await tryMetadataDiscovery(url, protocolVersion, fetchFn);
+    // If path-aware discovery fails with 404 and we're not already at root, try fallback to root discovery
+    if (!(opts === null || opts === void 0 ? void 0 : opts.metadataUrl) && shouldAttemptFallback(response, issuer.pathname)) {
+        const rootUrl = new URL(`/.well-known/${wellKnownType}`, issuer);
+        response = await tryMetadataDiscovery(rootUrl, protocolVersion, fetchFn);
+    }
+    return response;
+}
+/**
+ * Builds a list of discovery URLs to try for authorization server metadata.
+ * URLs are returned in priority order:
+ * 1. OAuth metadata at the given URL
+ * 2. OAuth metadata at root (if URL has path)
+ * 3. OIDC metadata endpoints
+ */
+function buildDiscoveryUrls(authorizationServerUrl) {
+    const url = typeof authorizationServerUrl === 'string' ? new URL(authorizationServerUrl) : authorizationServerUrl;
+    const hasPath = url.pathname !== '/';
+    const urlsToTry = [];
+    if (!hasPath) {
+        // Root path: https://example.com/.well-known/oauth-authorization-server
+        urlsToTry.push({
+            url: new URL('/.well-known/oauth-authorization-server', url.origin),
+            type: 'oauth'
+        });
+        // OIDC: https://example.com/.well-known/openid-configuration
+        urlsToTry.push({
+            url: new URL(`/.well-known/openid-configuration`, url.origin),
+            type: 'oidc'
+        });
+        return urlsToTry;
     }
-    if (!response.ok) {
-        throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);
+    // Strip trailing slash from pathname to avoid double slashes
+    let pathname = url.pathname;
+    if (pathname.endsWith('/')) {
+        pathname = pathname.slice(0, -1);
+    }
+    // 1. OAuth metadata at the given URL
+    // Insert well-known before the path: https://example.com/.well-known/oauth-authorization-server/tenant1
+    urlsToTry.push({
+        url: new URL(`/.well-known/oauth-authorization-server${pathname}`, url.origin),
+        type: 'oauth'
+    });
+    // Root path: https://example.com/.well-known/oauth-authorization-server
+    urlsToTry.push({
+        url: new URL('/.well-known/oauth-authorization-server', url.origin),
+        type: 'oauth'
+    });
+    // 3. OIDC metadata endpoints
+    // RFC 8414 style: Insert /.well-known/openid-configuration before the path
+    urlsToTry.push({
+        url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),
+        type: 'oidc'
+    });
+    // OIDC Discovery 1.0 style: Append /.well-known/openid-configuration after the path
+    urlsToTry.push({
+        url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),
+        type: 'oidc'
+    });
+    return urlsToTry;
+}
+/**
+ * Discovers authorization server metadata with support for RFC 8414 OAuth 2.0 Authorization Server Metadata
+ * and OpenID Connect Discovery 1.0 specifications.
+ *
+ * This function implements a fallback strategy for authorization server discovery:
+ * 1. Attempts RFC 8414 OAuth metadata discovery first
+ * 2. If OAuth discovery fails, falls back to OpenID Connect Discovery
+ *
+ * @param authorizationServerUrl - The authorization server URL obtained from the MCP Server's
+ *                                 protected resource metadata, or the MCP server's URL if the
+ *                                 metadata was not found.
+ * @param options - Configuration options
+ * @param options.fetchFn - Optional fetch function for making HTTP requests, defaults to global fetch
+ * @param options.protocolVersion - MCP protocol version to use, defaults to LATEST_PROTOCOL_VERSION
+ * @returns Promise resolving to authorization server metadata, or undefined if discovery fails
+ */
+async function discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn = fetch, protocolVersion = LATEST_PROTOCOL_VERSION, } = {}) {
+    var _a;
+    const headers = { 'MCP-Protocol-Version': protocolVersion };
+    // Get the list of URLs to try
+    const urlsToTry = buildDiscoveryUrls(authorizationServerUrl);
+    // Try each URL in order
+    for (const { url: endpointUrl, type } of urlsToTry) {
+        const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);
+        if (!response) {
+            /**
+             * CORS error occurred - don't throw as the endpoint may not allow CORS,
+             * continue trying other possible endpoints
+             */
+            continue;
+        }
+        if (!response.ok) {
+            // Continue looking for any 4xx response code.
+            if (response.status >= 400 && response.status < 500) {
+                continue; // Try next URL
+            }
+            throw new Error(`HTTP ${response.status} trying to load ${type === 'oauth' ? 'OAuth' : 'OpenID provider'} metadata from ${endpointUrl}`);
+        }
+        // Parse and validate based on type
+        if (type === 'oauth') {
+            return OAuthMetadataSchema.parse(await response.json());
+        }
+        else {
+            const metadata = OpenIdProviderDiscoveryMetadataSchema.parse(await response.json());
+            // MCP spec requires OIDC providers to support S256 PKCE
+            if (!((_a = metadata.code_challenge_methods_supported) === null || _a === void 0 ? void 0 : _a.includes('S256'))) {
+                throw new Error(`Incompatible OIDC provider at ${endpointUrl}: does not support S256 code challenge method required by MCP specification`);
+            }
+            return metadata;
+        }
     }
-    return OAuthMetadataSchema.parse(await response.json());
+    return undefined;
 }
 /**
  * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL.
@@ -280,6 +515,12 @@ async function startAuthorization(authorizationServerUrl, { metadata, clientInfo
     if (scope) {
         authorizationUrl.searchParams.set("scope", scope);
     }
+    if (scope === null || scope === void 0 ? void 0 : scope.includes("offline_access")) {
+        // if the request includes the OIDC-only "offline_access" scope,
+        // we need to set the prompt to "consent" to ensure the user is prompted to grant offline access
+        // https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
+        authorizationUrl.searchParams.append("prompt", "consent");
+    }
     if (resource) {
         authorizationUrl.searchParams.set("resource", resource.href);
     }
@@ -287,50 +528,73 @@ async function startAuthorization(authorizationServerUrl, { metadata, clientInfo
 }
 /**
  * Exchanges an authorization code for an access token with the given server.
+ *
+ * Supports multiple client authentication methods as specified in OAuth 2.1:
+ * - Automatically selects the best authentication method based on server support
+ * - Falls back to appropriate defaults when server metadata is unavailable
+ *
+ * @param authorizationServerUrl - The authorization server's base URL
+ * @param options - Configuration object containing client info, auth code, etc.
+ * @returns Promise resolving to OAuth tokens
+ * @throws {Error} When token exchange fails or authentication is invalid
  */
-async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, }) {
+async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, addClientAuthentication, fetchFn, }) {
+    var _a;
     const grantType = "authorization_code";
-    let tokenUrl;
-    if (metadata) {
-        tokenUrl = new URL(metadata.token_endpoint);
-        if (metadata.grant_types_supported &&
-            !metadata.grant_types_supported.includes(grantType)) {
-            throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
-        }
-    }
-    else {
-        tokenUrl = new URL("/token", authorizationServerUrl);
+    const tokenUrl = (metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint)
+        ? new URL(metadata.token_endpoint)
+        : new URL("/token", authorizationServerUrl);
+    if ((metadata === null || metadata === void 0 ? void 0 : metadata.grant_types_supported) &&
+        !metadata.grant_types_supported.includes(grantType)) {
+        throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);
     }
     // Exchange code for tokens
+    const headers = new Headers({
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Accept": "application/json",
+    });
     const params = new URLSearchParams({
         grant_type: grantType,
-        client_id: clientInformation.client_id,
         code: authorizationCode,
         code_verifier: codeVerifier,
         redirect_uri: String(redirectUri),
     });
-    if (clientInformation.client_secret) {
-        params.set("client_secret", clientInformation.client_secret);
+    if (addClientAuthentication) {
+        addClientAuthentication(headers, params, authorizationServerUrl, metadata);
+    }
+    else {
+        // Determine and apply client authentication method
+        const supportedMethods = (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : [];
+        const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);
+        applyClientAuthentication(authMethod, clientInformation, headers, params);
     }
     if (resource) {
         params.set("resource", resource.href);
     }
-    const response = await fetch(tokenUrl, {
+    const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {
         method: "POST",
-        headers: {
-            "Content-Type": "application/x-www-form-urlencoded",
-        },
+        headers,
         body: params,
     });
     if (!response.ok) {
-        throw new Error(`Token exchange failed: HTTP ${response.status}`);
+        throw await parseErrorResponse(response);
     }
     return OAuthTokensSchema.parse(await response.json());
 }
 /**
  * Exchange a refresh token for an updated access token.
+ *
+ * Supports multiple client authentication methods as specified in OAuth 2.1:
+ * - Automatically selects the best authentication method based on server support
+ * - Preserves the original refresh token if a new one is not returned
+ *
+ * @param authorizationServerUrl - The authorization server's base URL
+ * @param options - Configuration object containing client info, refresh token, etc.
+ * @returns Promise resolving to OAuth tokens (preserves original refresh_token if not replaced)
+ * @throws {Error} When token refresh fails or authentication is invalid
  */
-async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource, }) {
+async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource, addClientAuthentication, fetchFn, }) {
+    var _a;
     const grantType = "refresh_token";
     let tokenUrl;
     if (metadata) {
@@ -344,33 +608,39 @@ async function refreshAuthorization(authorizationServerUrl, { metadata, clientIn
         tokenUrl = new URL("/token", authorizationServerUrl);
     }
     // Exchange refresh token
+    const headers = new Headers({
+        "Content-Type": "application/x-www-form-urlencoded",
+    });
     const params = new URLSearchParams({
         grant_type: grantType,
-        client_id: clientInformation.client_id,
         refresh_token: refreshToken,
     });
-    if (clientInformation.client_secret) {
-        params.set("client_secret", clientInformation.client_secret);
+    if (addClientAuthentication) {
+        addClientAuthentication(headers, params, authorizationServerUrl, metadata);
+    }
+    else {
+        // Determine and apply client authentication method
+        const supportedMethods = (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : [];
+        const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);
+        applyClientAuthentication(authMethod, clientInformation, headers, params);
     }
     if (resource) {
         params.set("resource", resource.href);
     }
-    const response = await fetch(tokenUrl, {
+    const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {
         method: "POST",
-        headers: {
-            "Content-Type": "application/x-www-form-urlencoded",
-        },
+        headers,
         body: params,
     });
     if (!response.ok) {
-        throw new Error(`Token refresh failed: HTTP ${response.status}`);
+        throw await parseErrorResponse(response);
     }
     return OAuthTokensSchema.parse({ refresh_token: refreshToken, ...(await response.json()) });
 }
 /**
  * Performs OAuth 2.0 Dynamic Client Registration according to RFC 7591.
  */
-async function registerClient(authorizationServerUrl, { metadata, clientMetadata, }) {
+async function registerClient(authorizationServerUrl, { metadata, clientMetadata, fetchFn, }) {
     let registrationUrl;
     if (metadata) {
         if (!metadata.registration_endpoint) {
@@ -381,7 +651,7 @@ async function registerClient(authorizationServerUrl, { metadata, clientMetadata
     else {
         registrationUrl = new URL("/register", authorizationServerUrl);
     }
-    const response = await fetch(registrationUrl, {
+    const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(registrationUrl, {
         method: "POST",
         headers: {
             "Content-Type": "application/json",
@@ -389,10 +659,10 @@ async function registerClient(authorizationServerUrl, { metadata, clientMetadata
         body: JSON.stringify(clientMetadata),
     });
     if (!response.ok) {
-        throw new Error(`Dynamic client registration failed: HTTP ${response.status}`);
+        throw await parseErrorResponse(response);
     }
     return OAuthClientInformationFullSchema.parse(await response.json());
 }
 
-export { UnauthorizedError, auth, discoverOAuthMetadata, discoverOAuthProtectedResourceMetadata, exchangeAuthorization, extractResourceMetadataUrl, refreshAuthorization, registerClient, selectResourceURL, startAuthorization };
+export { UnauthorizedError, auth, buildDiscoveryUrls, discoverAuthorizationServerMetadata, discoverOAuthProtectedResourceMetadata, exchangeAuthorization, extractResourceMetadataUrl, parseErrorResponse, refreshAuthorization, registerClient, selectResourceURL, startAuthorization };
 //# sourceMappingURL=auth.js.map