@blamejs/core 0.14.21 → 0.14.24

package/lib/auth/jwt-external.js

@@ -109,6 +109,14 @@ function _b64urlDecode(s) {
   return Buffer.from(padded, "base64");
 }
 
+// EC named-curve → the one ES* alg whose hash matches it (RFC 7518 §3.4).
+// A P-256 key signs ES256 and only ES256; the curve fixes the hash, so a
+// header alg of ES384 over a P-256 signature is self-inconsistent and a
+// conforming verifier rejects it. Naming the binding here lets the signer
+// derive the right header alg from the key instead of trusting a caller-
+// supplied alg the key can't actually produce.
+var _EC_CURVE_ALG = { prime256v1: "ES256", secp384r1: "ES384", secp521r1: "ES512" };
+
 function _verifyParamsForAlg(alg) {
   if (alg === "RS256") return { hash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
   if (alg === "RS384") return { hash: "sha384", padding: nodeCrypto.constants.RSA_PKCS1_PADDING };
@@ -124,6 +132,104 @@ function _verifyParamsForAlg(alg) {
     "alg '" + alg + "' is not supported by verifyExternal");
 }
 
+// _toPrivateKey — import the operator's classical signing key from any of
+// the three shapes node:crypto understands (KeyObject / PEM string|Buffer /
+// private JWK). The PQC framework signer (lib/auth/jwt.js) never travels
+// this path; this is the classical-interop importer only.
+function _toPrivateKey(value, label) {
+  if (!value) {
+    throw new AuthError("auth-jwt-external/sign-no-key", label + ": privateKey is required");
+  }
+  if (value instanceof nodeCrypto.KeyObject) return value;
+  try {
+    if (typeof value === "string" || Buffer.isBuffer(value)) {
+      return nodeCrypto.createPrivateKey({ key: value, format: "pem" });
+    }
+    if (typeof value === "object" && value.kty) {
+      return nodeCrypto.createPrivateKey({ key: value, format: "jwk" });
+    }
+  } catch (e) {
+    throw new AuthError("auth-jwt-external/sign-bad-key",
+      label + ": private key parse failed: " + ((e && e.message) || String(e)));
+  }
+  throw new AuthError("auth-jwt-external/sign-bad-key",
+    label + ": privateKey must be a PEM string/Buffer, private JWK object, or KeyObject");
+}
+
+// _resolveSignAlg — derive the JWS `alg` for a private key, validating any
+// explicit override against what the key can actually produce. A signer
+// that emitted a fixed `alg` header while signing with an incompatible key
+// (e.g. an `ES256` header over an Ed25519 signature) would mint a token no
+// conforming verifier accepts; deriving the alg from the key — or refusing
+// an incompatible explicit alg BEFORE signing — closes that self-invalid
+// shape. RFC 7518 §3.1 maps each `alg` to the key type it requires.
+function _resolveSignAlg(explicitAlg, privateKey, label) {
+  var kty = privateKey.asymmetricKeyType;
+  var defaultAlg, compatible;
+  if (kty === "ec") {
+    var curve = (privateKey.asymmetricKeyDetails && privateKey.asymmetricKeyDetails.namedCurve) || "";
+    defaultAlg = _EC_CURVE_ALG[curve];
+    if (!defaultAlg) {
+      throw new AuthError("auth-jwt-external/sign-key-unsupported",
+        label + ": EC curve '" + curve + "' has no JWS alg (use P-256 / P-384 / P-521)");
+    }
+    compatible = [defaultAlg];                       // an EC curve pins exactly one ES alg
+  } else if (kty === "rsa") {
+    defaultAlg = "RS256";
+    compatible = ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"];
+  } else if (kty === "rsa-pss") {
+    defaultAlg = "PS256";
+    compatible = ["PS256", "PS384", "PS512"];        // an RSA-PSS key cannot produce an RS* signature
+  } else if (kty === "ed25519" || kty === "ed448") {
+    defaultAlg = "EdDSA";
+    compatible = ["EdDSA"];
+  } else {
+    throw new AuthError("auth-jwt-external/sign-key-unsupported",
+      label + ": key type '" + String(kty) + "' is not a supported JWS signing key (EC / RSA / Ed25519 / Ed448)");
+  }
+  if (explicitAlg === undefined || explicitAlg === null) return defaultAlg;
+  if (explicitAlg === "none" || REFUSED_ALGS.indexOf(explicitAlg) !== -1) {
+    throw new AuthError("auth-jwt-external/sign-alg-refused",
+      label + ": alg '" + explicitAlg + "' is refused (HMAC / none are never valid for an asymmetric signer)");
+  }
+  if (SUPPORTED_CLASSICAL_ALGS.indexOf(explicitAlg) === -1) {
+    throw new AuthError("auth-jwt-external/sign-alg-unsupported",
+      label + ": alg '" + explicitAlg + "' is not a supported classical JWS algorithm (" +
+      SUPPORTED_CLASSICAL_ALGS.join(", ") + ")");
+  }
+  if (compatible.indexOf(explicitAlg) === -1) {
+    throw new AuthError("auth-jwt-external/sign-alg-key-mismatch",
+      label + ": alg '" + explicitAlg + "' is incompatible with the " + kty +
+      " key (compatible: " + compatible.join(", ") + ")");
+  }
+  return explicitAlg;
+}
+
+// _signCompactJws — produce the compact JWS serialization (protected
+// header . payload . signature) for an already-resolved alg + imported
+// private key. Header and payload are JCS-independent here: they are
+// serialized exactly once by the signer, base64url-encoded, and that byte
+// string IS the signing input, so there is no canonicalization gap a
+// verifier could diverge on.
+function _signCompactJws(header, payload, privateKey, alg) {
+  var params = _verifyParamsForAlg(alg);
+  var headerB64  = bCrypto.toBase64Url(Buffer.from(JSON.stringify(header), "utf8"));
+  var payloadB64 = bCrypto.toBase64Url(Buffer.from(JSON.stringify(payload), "utf8"));
+  var signingInput = headerB64 + "." + payloadB64;
+  var input = Buffer.from(signingInput, "ascii");
+  var sig;
+  if (params.hash === null) {
+    sig = nodeCrypto.sign(null, input, privateKey);     // EdDSA — no prehash
+  } else {
+    var keyParam = { key: privateKey };
+    if (params.padding !== undefined)     keyParam.padding     = params.padding;
+    if (params.saltLength !== undefined)  keyParam.saltLength  = params.saltLength;
+    if (params.dsaEncoding !== undefined) keyParam.dsaEncoding = params.dsaEncoding;
+    sig = nodeCrypto.sign(params.hash, input, keyParam);
+  }
+  return signingInput + "." + bCrypto.toBase64Url(sig);
+}
+
 function _jwkToKey(jwk) {
   try { return nodeCrypto.createPublicKey({ key: jwk, format: "jwk" }); }
   catch (e) {
@@ -512,12 +618,119 @@ async function verifyExternal(token, opts) {
   return { header: header, claims: payload };
 }
 
+/**
+ * @primitive b.auth.jws.sign
+ * @signature b.auth.jws.sign(claims, opts)
+ * @since     0.14.22
+ * @status    stable
+ * @compliance soc2
+ * @related   b.auth.jar.build, b.auth.jar.parse
+ *
+ * Mint a compact JWS (RFC 7515) over <code>claims</code> using a classical
+ * asymmetric algorithm — RS/PS256/384/512, ES256/384/512, or EdDSA. This
+ * primitive exists strictly for <strong>interop with external ecosystems</strong>:
+ * OAuth/OIDC OPs and RPs (and the wallet / FAPI profiles built on them)
+ * require a request object / assertion signed with a classical JWS alg, and
+ * the framework's own token signer (<code>b.auth.jwt.sign</code>) is
+ * PQC-only (ML-DSA / SLH-DSA). It is <strong>never the framework-internal
+ * token default</strong>; <code>lib/jwt.js</code> remains the signer for
+ * tokens blamejs itself issues. The verify counterpart is
+ * <code>b.auth.jwt.verifyExternal</code>; this is its inverse for the cases
+ * where blamejs is the client emitting a signed object to a third party.
+ *
+ * The signing <code>alg</code> is derived from the key type (RFC 7518 §3.1)
+ * so the header alg always matches the signature the key can actually
+ * produce; an explicit <code>opts.alg</code> is validated against the key
+ * and refused if incompatible. <code>alg: "none"</code> and HMAC algs are
+ * refused outright — an asymmetric signer never emits them. The protected
+ * header always carries <code>alg</code>; <code>typ</code> and <code>kid</code>
+ * are set from <code>opts</code> when supplied (callers minting a typed
+ * object such as a JAR request object pass <code>typ</code>). Extra
+ * <code>opts.header</code> members pass through with two refusals:
+ * <code>b64</code> (RFC 7797 unencoded payload — it changes the signing
+ * input, which this signer always base64url-encodes) and <code>crit</code>
+ * (RFC 7515 §4.1.11 — it promises extension semantics the signer does not
+ * implement). Emitting either would produce a JWS whose header claims
+ * semantics its signature was not computed under.
+ *
+ * @opts
+ *   {
+ *     privateKey:  KeyObject|PEM|JWK,  // required — classical signing key
+ *     alg?:        string,             // override; default inferred from the key (RS256 / ES256/384/512 / PS256 / EdDSA)
+ *     typ?:        string,             // protected-header typ (e.g. "oauth-authz-req+jwt")
+ *     kid?:        string,             // protected-header kid (JWKS key selection)
+ *     header?:     object,             // extra protected-header members (alg/typ/kid reserved; b64/crit refused)
+ *   }
+ *
+ * @example
+ *   var jws = b.auth.jws.sign(
+ *     { iss: "client", aud: "https://as.example.com", response_type: "code" },
+ *     { privateKey: clientKey, typ: "oauth-authz-req+jwt", kid: "c1" });
+ *   // → "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+ */
+function signExternal(claims, opts) {
+  if (claims === null || typeof claims !== "object" || Array.isArray(claims)) {
+    throw new AuthError("auth-jwt-external/sign-bad-claims",
+      "jws.sign: claims must be a plain object");
+  }
+  validateOpts.requireObject(opts, "jws.sign", AuthError, "auth-jwt-external/sign-bad-opts");
+  validateOpts(opts, ["privateKey", "alg", "typ", "kid", "header"], "auth.jws.sign");
+  if (opts.alg !== undefined && opts.alg !== null) {
+    validateOpts.requireNonEmptyString(opts.alg, "jws.sign: alg", AuthError, "auth-jwt-external/sign-bad-alg");
+  }
+  if (opts.typ !== undefined && opts.typ !== null) {
+    validateOpts.requireNonEmptyString(opts.typ, "jws.sign: typ", AuthError, "auth-jwt-external/sign-bad-typ");
+  }
+  if (opts.kid !== undefined && opts.kid !== null) {
+    validateOpts.requireNonEmptyString(opts.kid, "jws.sign: kid", AuthError, "auth-jwt-external/sign-bad-kid");
+  }
+  validateOpts.optionalPlainObject(opts.header, "jws.sign: header", AuthError, "auth-jwt-external/sign-bad-header",
+    "must be a plain object of extra protected-header members");
+  // RFC 7797 `b64: false` changes the JWS signing input (the payload is
+  // signed raw, not base64url-encoded) and RFC 7515 §4.1.11 `crit`
+  // promises the producer implements every extension it names.
+  // _signCompactJws always base64url-encodes the payload and implements
+  // no header extensions, so passing either member through would mint a
+  // JWS whose header advertises semantics its signature was not computed
+  // under — a compliant verifier derives a different signing input (or
+  // refuses the critical header). Refused until those semantics are
+  // actually implemented.
+  if (opts.header !== undefined && opts.header !== null &&
+      (Object.prototype.hasOwnProperty.call(opts.header, "b64") ||
+       Object.prototype.hasOwnProperty.call(opts.header, "crit"))) {
+    throw new AuthError("auth-jwt-external/sign-unsupported-header",
+      "jws.sign: header members 'b64' (RFC 7797 unencoded payload) and 'crit' " +
+      "(RFC 7515 §4.1.11 critical extensions) are not supported — the signer " +
+      "always base64url-encodes the payload and implements no critical extensions");
+  }
+
+  var key = _toPrivateKey(opts.privateKey, "jws.sign");
+  var alg = _resolveSignAlg(opts.alg, key, "jws.sign");
+
+  // Extra protected-header members first (alg/typ/kid reserved so a
+  // caller-supplied header object can never override the signer-set alg —
+  // the canonical alg-substitution shape), then the reserved members.
+  var header = validateOpts.assignOwnEnumerable({}, opts.header, ["alg", "typ", "kid"]);
+  header.alg = alg;
+  if (opts.typ !== undefined && opts.typ !== null) header.typ = opts.typ;
+  if (opts.kid !== undefined && opts.kid !== null) header.kid = opts.kid;
+
+  return _signCompactJws(header, claims, key, alg);
+}
+
 module.exports = {
   verifyExternal:           verifyExternal,
+  signExternal:             signExternal,
   SUPPORTED_CLASSICAL_ALGS: SUPPORTED_CLASSICAL_ALGS,
   REFUSED_ALGS:             REFUSED_ALGS,
   // Shared JOSE defenses — routed from oauth.verifyIdToken /
   // oid4vci proof verify / sd-jwt-vc.verify / openid-federation.
   _assertAlgKtyMatch:       _assertAlgKtyMatch,
   _issuerMatches:           _issuerMatches,
+  // Classical-JWS signer internals — composed by oauth.js's attestation
+  // builders so the alg-from-key + compact-JWS bodies live in exactly one
+  // place (the classical-JOSE domain owner).
+  _toPrivateKey:            _toPrivateKey,
+  _resolveSignAlg:          _resolveSignAlg,
+  _signCompactJws:          _signCompactJws,
 };

package/lib/auth/oauth.js

@@ -122,6 +122,11 @@ var lazyRequire = require("../lazy-require");
 // convention §3; no circular load — jwt-external requires nothing from
 // oauth.
 var jwtExternal = require("./jwt-external");
+// RFC 9101 request-object builder — composed by pushAuthorizationRequest
+// when the operator opts into sending a signed request object. Top-of-file
+// per convention §3; no circular load — jar requires jwt-external +
+// validate-opts only, nothing from oauth.
+var jar         = require("./jar");
 var audit       = lazyRequire(function () { return require("../audit"); });
 
 // Cap on responses parsed from upstream OAuth providers. Token /
@@ -517,97 +522,62 @@ var MAX_ATTESTATION_JWT_BYTES = C.BYTES.kib(16);
 var DEFAULT_POP_MAX_AGE_SEC = C.TIME.minutes(5) / C.TIME.seconds(1);
 
 // Sign/verify params keyed by alg — superset of _verifyParamsForAlg that
-// also covers EdDSA (used only on the attestation path; the ID-token
-// verifier keeps its own narrower table untouched).
+// also covers EdDSA (used only on the attestation verify path; the
+// ID-token verifier keeps its own narrower table untouched).
 function _attestationCryptoParams(alg) {
   if (alg === "EdDSA") return { hash: null };
   return _verifyParamsForAlg(alg);
 }
 
+// _toAttestationPrivateKey / _resolveAttestationAlg / _signAttestationJws —
+// thin wrappers over the classical-JWS signer that the jwt-external module
+// owns (b.auth.jws.sign internals). The attestation path keeps its own
+// `auth-oauth/attestation-*` error codes so operators routing alerts on
+// that class see no change; the signer BODIES (alg-from-key derivation,
+// compact-JWS assembly) live in exactly one place — the classical-JOSE
+// domain owner — rather than duplicated here. RFC 7518 §3.1 alg↔key
+// binding and the self-invalid-alg defenses are enforced by the composed
+// primitive.
+
 function _toAttestationPrivateKey(value, label) {
-  if (!value) {
-    throw new OAuthError("auth-oauth/attestation-no-key", label + ": privateKey is required");
-  }
-  if (value instanceof nodeCrypto.KeyObject) return value;
-  try {
-    if (typeof value === "string" || Buffer.isBuffer(value)) {
-      return nodeCrypto.createPrivateKey({ key: value, format: "pem" });
-    }
-    if (typeof value === "object" && value.kty) {
-      return nodeCrypto.createPrivateKey({ key: value, format: "jwk" });
-    }
-  } catch (e) {
-    throw new OAuthError("auth-oauth/attestation-bad-key",
-      label + ": private key parse failed: " + ((e && e.message) || String(e)));
+  try { return jwtExternal._toPrivateKey(value, label); }
+  catch (e) {
+    var code = (e && e.code) === "auth-jwt-external/sign-no-key"
+      ? "auth-oauth/attestation-no-key" : "auth-oauth/attestation-bad-key";
+    throw new OAuthError(code, (e && e.message) || String(e));
   }
-  throw new OAuthError("auth-oauth/attestation-bad-key",
-    label + ": privateKey must be a PEM string/Buffer, JWK object, or KeyObject");
 }
 
-// EC curve → the one ES* alg whose hash matches it (RFC 7518 §3.4).
-var _EC_CURVE_ALG = { prime256v1: "ES256", secp384r1: "ES384", secp521r1: "ES512" };
-
 // Resolve the JWS alg for an attestation / PoP signature. When the caller
-// gives no `algorithm`, infer the default that matches the key type so a
-// non-EC attester key (RSA, Ed25519) yields a self-consistent JWS — header
-// alg ⇄ signature key — instead of a fixed `ES256` header signed with the
-// real key, which `verifyClientAttestation`'s alg/kty cross-check would
-// then reject. An explicit alg incompatible with the key is refused BEFORE
-// signing rather than producing a self-invalid attestation.
+// gives no `algorithm`, the composed signer infers the default that matches
+// the key type so a non-EC attester key (RSA, Ed25519) yields a
+// self-consistent JWS — header alg ⇄ signature key — instead of a fixed
+// `ES256` header signed with the real key, which `verifyClientAttestation`'s
+// alg/kty cross-check would then reject. An explicit alg incompatible with
+// the key is refused BEFORE signing. The draft additionally floors the
+// accepted set to ATTESTATION_ALGS (no HMAC / none); the composed resolver
+// already refuses those, surfaced here as the attestation-specific code.
 function _resolveAttestationAlg(explicitAlg, privateKey, label) {
-  var kty = privateKey.asymmetricKeyType;
-  var defaultAlg, compatible;
-  if (kty === "ec") {
-    var curve = (privateKey.asymmetricKeyDetails && privateKey.asymmetricKeyDetails.namedCurve) || "";
-    defaultAlg = _EC_CURVE_ALG[curve];
-    if (!defaultAlg) {
-      throw new OAuthError("auth-oauth/attestation-key-unsupported",
-        label + ": EC curve '" + curve + "' has no attestation JWS alg (use P-256 / P-384 / P-521)");
-    }
-    compatible = [defaultAlg];                       // an EC curve pins exactly one ES alg
-  } else if (kty === "rsa") {
-    defaultAlg = "RS256";
-    compatible = ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"];
-  } else if (kty === "rsa-pss") {
-    defaultAlg = "PS256";
-    compatible = ["PS256", "PS384", "PS512"];        // an RSA-PSS key cannot produce an RS* signature
-  } else if (kty === "ed25519" || kty === "ed448") {
-    defaultAlg = "EdDSA";
-    compatible = ["EdDSA"];
-  } else {
-    throw new OAuthError("auth-oauth/attestation-key-unsupported",
-      label + ": key type '" + String(kty) + "' is not a supported attestation key (EC / RSA / Ed25519 / Ed448)");
-  }
-  if (explicitAlg === undefined || explicitAlg === null) return defaultAlg;
-  if (ATTESTATION_ALGS.indexOf(explicitAlg) === -1) {
-    throw new OAuthError("auth-oauth/attestation-alg-not-accepted",
-      label + ": alg '" + explicitAlg + "' is not an accepted attestation algorithm");
-  }
-  if (compatible.indexOf(explicitAlg) === -1) {
-    throw new OAuthError("auth-oauth/attestation-alg-key-mismatch",
-      label + ": alg '" + explicitAlg + "' is incompatible with the " + kty +
-      " key (compatible: " + compatible.join(", ") + ")");
+  try {
+    return jwtExternal._resolveSignAlg(explicitAlg, privateKey, label);
+  } catch (e) {
+    var ec = (e && e.code) || "";
+    if (ec === "auth-jwt-external/sign-alg-key-mismatch") {
+      throw new OAuthError("auth-oauth/attestation-alg-key-mismatch", (e && e.message) || String(e));
+    }
+    if (ec === "auth-jwt-external/sign-alg-refused" || ec === "auth-jwt-external/sign-alg-unsupported") {
+      throw new OAuthError("auth-oauth/attestation-alg-not-accepted",
+        label + ": alg '" + explicitAlg + "' is not an accepted attestation algorithm");
+    }
+    if (ec === "auth-jwt-external/sign-key-unsupported") {
+      throw new OAuthError("auth-oauth/attestation-key-unsupported", (e && e.message) || String(e));
+    }
+    throw new OAuthError("auth-oauth/attestation-bad-key", (e && e.message) || String(e));
   }
-  return explicitAlg;
 }
 
 function _signAttestationJws(header, payload, privateKey, alg) {
-  var params = _attestationCryptoParams(alg);
-  var headerB64  = _b64urlEncode(Buffer.from(JSON.stringify(header), "utf8"));
-  var payloadB64 = _b64urlEncode(Buffer.from(JSON.stringify(payload), "utf8"));
-  var signingInput = headerB64 + "." + payloadB64;
-  var sig;
-  var input = Buffer.from(signingInput, "ascii");
-  if (params.hash === null) {
-    sig = nodeCrypto.sign(null, input, privateKey);     // EdDSA — no prehash
-  } else {
-    var keyParam = { key: privateKey };
-    if (params.padding !== undefined)     keyParam.padding     = params.padding;
-    if (params.saltLength !== undefined)  keyParam.saltLength  = params.saltLength;
-    if (params.dsaEncoding !== undefined) keyParam.dsaEncoding = params.dsaEncoding;
-    sig = nodeCrypto.sign(params.hash, input, keyParam);
-  }
-  return signingInput + "." + _b64urlEncode(sig);
+  return jwtExternal._signCompactJws(header, payload, privateKey, alg);
 }
 
 // Verify a compact JWS against an already-imported public KeyObject. The
@@ -751,16 +721,9 @@ function buildClientAttestation(aopts) {
   };
   if (typeof aopts.nbf === "number") payload.nbf = aopts.nbf;
   // Operator extra claims merged WITHOUT overriding the spec-required
-  // fields (no prototype-pollution: only own enumerable keys, reserved
-  // names rejected).
+  // fields (proto-pollution sentinels skipped, the spec keys reserved).
   if (aopts.extraClaims && typeof aopts.extraClaims === "object" && !Array.isArray(aopts.extraClaims)) {
-    var ck = Object.keys(aopts.extraClaims);
-    for (var i = 0; i < ck.length; i += 1) {
-      var k = ck[i];
-      if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
-      if (Object.prototype.hasOwnProperty.call(payload, k)) continue;   // never override spec fields
-      payload[k] = aopts.extraClaims[k];
-    }
+    validateOpts.assignOwnEnumerable(payload, aopts.extraClaims, Object.keys(payload));
   }
   return _signAttestationJws(
     { typ: "oauth-client-attestation+jwt", alg: alg }, payload, key, alg);
@@ -1996,6 +1959,13 @@ function create(opts) {
   // browser-side redirect to /authorize. Defends against parameter
   // tampering by an MITM at the user-agent + against URL-length
   // overflow on long authorization requests.
+  //
+  // RFC 9101 signed request object: pass `signedRequestObject: { key,
+  // alg?, kid?, audience?, expiresInMs? }` to push a JAR request object
+  // instead of plain form params. The authorization parameters then
+  // travel as signed claims (RFC 9126 §3 — form body carries only
+  // `request` + client auth), so the PAR endpoint can verify they
+  // arrived exactly as the client signed them. Absent → plain-form PAR.
   async function pushAuthorizationRequest(uopts) {
     uopts = uopts || {};
     var endpoint;
@@ -2006,6 +1976,20 @@ function create(opts) {
         "pushed_authorization_request_endpoint (set opts.pushedAuthorizationRequestEndpoint " +
         "on create() if the IdP doesn't publish it)");
     }
+    // RFC 9101 signed-request-object opt: when the operator supplies
+    // `signedRequestObject` (a config object carrying the client's signing
+    // key), the authorization parameters travel as claims of a JAR request
+    // object rather than as bare form params. Validated config-time; absent
+    // → the existing plain-form path sends the same key/value set
+    // (form-encoded params are unordered per the media type).
+    var sro = uopts.signedRequestObject || null;
+    if (sro) {
+      validateOpts.optionalPlainObject(sro, "pushAuthorizationRequest: signedRequestObject",
+        OAuthError, "auth-oauth/par-bad-request-object-opt",
+        "must be an object { key, alg?, kid?, audience?, expiresInMs? }");
+      validateOpts(sro, ["key", "alg", "kid", "audience", "expiresInMs"],
+        "pushAuthorizationRequest.signedRequestObject");
+    }
     // Same PKCE-downgrade gate as authorizationUrl (RFC 9700 §4.13):
     // PAR pushes the identical S256 challenge, so an OP advertising
     // code_challenge_methods_supported without S256 is refused here too.
@@ -2015,31 +1999,60 @@ function create(opts) {
     var state = uopts.state || _generateRandomToken(STATE_NONCE_BYTES);
     var nonce = uopts.nonce || (isOidc ? _generateRandomToken(STATE_NONCE_BYTES) : null);
     var pkceVals = _generatePkce();
-    var body = new URLSearchParams();
-    body.set("response_type", "code");
-    body.set("client_id",     clientId);
-    body.set("redirect_uri",  redirectUri);
-    body.set("scope",         scope.join(" "));
-    body.set("state",         state);
-    if (nonce) body.set("nonce", nonce);
-    body.set("code_challenge",        pkceVals.challenge);
-    body.set("code_challenge_method", "S256");
-    if (responseMode) body.set("response_mode", responseMode);
-    if (uopts.prompt)    body.set("prompt", uopts.prompt);
-    if (uopts.loginHint) body.set("login_hint", uopts.loginHint);
-    if (uopts.maxAge != null) body.set("max_age", String(uopts.maxAge));
-    if (clientSecret) body.set("client_secret", clientSecret);
+    // The authorization-request parameters. On the plain path these are set
+    // on the form body directly; on the JAR path they become request-object
+    // claims and the form body carries only `request` + client auth.
+    var authzParams = {
+      response_type:        "code",
+      client_id:            clientId,
+      redirect_uri:         redirectUri,
+      scope:                scope.join(" "),
+      state:                state,
+      code_challenge:        pkceVals.challenge,
+      code_challenge_method: "S256",
+    };
+    if (nonce)        authzParams.nonce         = nonce;
+    if (responseMode) authzParams.response_mode = responseMode;
+    if (uopts.prompt)    authzParams.prompt     = uopts.prompt;
+    if (uopts.loginHint) authzParams.login_hint = uopts.loginHint;
+    if (uopts.maxAge != null) authzParams.max_age = String(uopts.maxAge);
     // RFC 9396 — push the fine-grained authorization request through PAR
     // identically to the redirect path (validated, then JSON-serialized).
     var requestedAuthzDetails = null;
     if (uopts.authorizationDetails !== undefined) {
       requestedAuthzDetails = _validateAuthorizationDetailsArray(
         uopts.authorizationDetails, "pushAuthorizationRequest");
-      body.set("authorization_details", JSON.stringify(requestedAuthzDetails));
+      authzParams.authorization_details = JSON.stringify(requestedAuthzDetails);
     }
     if (uopts.extraParams && typeof uopts.extraParams === "object") {
       var ek = Object.keys(uopts.extraParams);
-      for (var i = 0; i < ek.length; i++) body.set(ek[i], String(uopts.extraParams[ek[i]]));
+      for (var i = 0; i < ek.length; i++) authzParams[ek[i]] = String(uopts.extraParams[ek[i]]);
+    }
+
+    var body = new URLSearchParams();
+    if (sro) {
+      // RFC 9126 §3 — when a signed request object is pushed, the
+      // authorization parameters MUST appear ONLY as claims of the JWT;
+      // the form body carries `request` plus the parameters a client
+      // authentication method requires (client_id, and client_secret for
+      // the secret-based methods) and nothing else. The JAR `aud` is the
+      // AS issuer identifier (RFC 9101 §5) — the operator may override but
+      // it defaults to the configured `issuer`.
+      var requestJwt = jar.build(authzParams, {
+        clientId:    clientId,
+        audience:    sro.audience || issuer,
+        key:         sro.key,
+        alg:         sro.alg,
+        kid:         sro.kid,
+        expiresInMs: sro.expiresInMs,
+      });
+      body.set("request",   requestJwt);
+      body.set("client_id", clientId);                 // RFC 9126 §3 — client identification
+      if (clientSecret) body.set("client_secret", clientSecret);
+    } else {
+      var ak = Object.keys(authzParams);
+      for (var ap = 0; ap < ak.length; ap++) body.set(ak[ap], authzParams[ak[ap]]);
+      if (clientSecret) body.set("client_secret", clientSecret);
     }
     var rv = await _postForm(endpoint, body);
     if (!rv || typeof rv.request_uri !== "string" || rv.request_uri.length === 0) {
@@ -2062,6 +2075,7 @@ function create(opts) {
       requestUri:  rv.request_uri,
       expiresIn:   typeof rv.expires_in === "number" ? rv.expires_in : null,
       authorizationDetails: requestedAuthzDetails,
+      requestObjectSent:    !!sro,
     };
   }
 

package/lib/compliance.js

@@ -1580,9 +1580,46 @@ function fipsMode(enable) {
   return STATE.fipsMode;
 }
 
+// Postures whose jurisdictions restrict cross-border data transfer
+// (GDPR Art 44-46 / UK-GDPR / DPDP §16 / PIPL Art 38 / LGPD Art 33 /
+// APPI Art 28 / PDPA §26). The residency write gates (db-query local,
+// external-db backend/replica) refuse mismatched writes under these;
+// other postures observe-and-audit only.
+var CROSS_BORDER_REGULATED_POSTURES = Object.freeze([
+  "gdpr", "uk-gdpr", "dpdp", "pipl-cn", "lgpd-br", "appi-jp", "pdpa-sg",
+]);
+
+/**
+ * @primitive b.compliance.isCrossBorderRegulated
+ * @signature b.compliance.isCrossBorderRegulated(posture)
+ * @since     0.14.24
+ * @compliance gdpr
+ * @related   b.compliance.current, b.cryptoField.declarePerRowResidency
+ *
+ * Returns true when `posture` is one of the cross-border regulated
+ * postures (gdpr / uk-gdpr / dpdp / pipl-cn / lgpd-br / appi-jp /
+ * pdpa-sg) — the jurisdictions whose transfer restrictions flip the
+ * data-residency write gates from advisory to refusing. The set
+ * itself is exported as `CROSS_BORDER_REGULATED_POSTURES`; this
+ * helper is the membership test the local (`b.db.from`) and external
+ * (`b.externalDb.query`) gates share. Non-string and unknown postures
+ * return false.
+ *
+ * @example
+ *   b.compliance.isCrossBorderRegulated("gdpr");      // → true
+ *   b.compliance.isCrossBorderRegulated("soc2");      // → false
+ *   b.compliance.isCrossBorderRegulated(null);        // → false
+ */
+function isCrossBorderRegulated(posture) {
+  if (typeof posture !== "string" || posture.length === 0) return false;
+  return CROSS_BORDER_REGULATED_POSTURES.indexOf(posture) !== -1;
+}
+
 module.exports = {
   set:                    set,
   current:                current,
+  isCrossBorderRegulated: isCrossBorderRegulated,
+  CROSS_BORDER_REGULATED_POSTURES: CROSS_BORDER_REGULATED_POSTURES,
   assert:                 assert,
   clear:                  clear,
   describe:               describe,