@bskyprism/atproto-oauth-client-cloudflare-workers 0.2.2

package/lib/oauth-client/oauth-client-auth.d.ts

@@ -0,0 +1,22 @@
+import { Keyset } from "@atproto/jwk";
+import { OAuthAuthorizationServerMetadata, OAuthClientCredentials } from "@atproto/oauth-types";
+import { Runtime } from "./runtime.js";
+import { ClientMetadata } from "./types.js";
+import { Awaitable } from "./util.js";
+export type ClientAuthMethod = {
+    method: "none";
+} | {
+    method: "private_key_jwt";
+    kid: string;
+};
+export declare function negotiateClientAuthMethod(serverMetadata: OAuthAuthorizationServerMetadata, clientMetadata: ClientMetadata, keyset?: Keyset): ClientAuthMethod;
+export type ClientCredentialsFactory = () => Awaitable<{
+    headers?: Record<string, string>;
+    payload?: OAuthClientCredentials;
+}>;
+/**
+ * @throws {AuthMethodUnsatisfiableError} if the authentication method is no
+ * long usable (either because the AS changed, of because the key is no longer
+ * available in the keyset).
+ */
+export declare function createClientCredentialsFactory(authMethod: ClientAuthMethod, serverMetadata: OAuthAuthorizationServerMetadata, clientMetadata: ClientMetadata, runtime: Runtime, keyset?: Keyset): ClientCredentialsFactory;

package/lib/oauth-client/oauth-client-auth.js

@@ -0,0 +1,127 @@
+import { CLIENT_ASSERTION_TYPE_JWT_BEARER, } from "@atproto/oauth-types";
+import { FALLBACK_ALG } from "./constants.js";
+import { AuthMethodUnsatisfiableError } from "./errors/auth-method-unsatisfiable-error.js";
+export function negotiateClientAuthMethod(serverMetadata, clientMetadata, keyset) {
+    const method = clientMetadata.token_endpoint_auth_method;
+    // @NOTE ATproto spec requires that AS support both "none" and
+    // "private_key_jwt", and that clients use one of the other. The following
+    // check ensures that the AS is indeed compliant with this client's
+    // configuration.
+    const methods = supportedMethods(serverMetadata);
+    if (!methods.includes(method)) {
+        throw new Error(`The server does not support "${method}" authentication. Supported methods are: ${methods.join(", ")}.`);
+    }
+    if (method === "private_key_jwt") {
+        // Invalid client configuration. This should not happen as
+        // "validateClientMetadata" already check this.
+        if (!keyset)
+            throw new Error("A keyset is required for private_key_jwt");
+        const alg = supportedAlgs(serverMetadata);
+        // @NOTE we can't use `keyset.findPrivateKey` here because we can't enforce
+        // that the returned key contains a "kid". The following implementation is
+        // more robust against keysets containing keys without a "kid" property.
+        for (const key of keyset.list({ use: "sig", alg })) {
+            // Return the first key from the key set that matches the server's
+            // supported algorithms.
+            if (key.isPrivate && key.kid) {
+                return { method: "private_key_jwt", kid: key.kid };
+            }
+        }
+        throw new Error(alg.includes(FALLBACK_ALG)
+            ? `Client authentication method "${method}" requires at least one "${FALLBACK_ALG}" signing key with a "kid" property`
+            : // AS is not compliant with the ATproto OAuth spec.
+                `Authorization server requires "${method}" authentication method, but does not support "${FALLBACK_ALG}" algorithm.`);
+    }
+    if (method === "none") {
+        return { method: "none" };
+    }
+    throw new Error(`The ATProto OAuth spec requires that client use either "none" or "private_key_jwt" authentication method.` +
+        (method === "client_secret_basic"
+            ? ' You might want to explicitly set "token_endpoint_auth_method" to one of those values in the client metadata document.'
+            : ` You set "${method}" which is not allowed.`));
+}
+/**
+ * @throws {AuthMethodUnsatisfiableError} if the authentication method is no
+ * long usable (either because the AS changed, of because the key is no longer
+ * available in the keyset).
+ */
+export function createClientCredentialsFactory(authMethod, serverMetadata, clientMetadata, runtime, keyset) {
+    // Ensure the AS still supports the auth method.
+    if (!supportedMethods(serverMetadata).includes(authMethod.method)) {
+        throw new AuthMethodUnsatisfiableError(`Client authentication method "${authMethod.method}" no longer supported`);
+    }
+    if (authMethod.method === "none") {
+        return () => ({
+            payload: {
+                client_id: clientMetadata.client_id,
+            },
+        });
+    }
+    if (authMethod.method === "private_key_jwt") {
+        try {
+            // The client used to be a confidential client but no longer has a keyset.
+            if (!keyset)
+                throw new Error("A keyset is required for private_key_jwt");
+            // @NOTE throws if no matching key can be found
+            const { key, alg } = keyset.findPrivateKey({
+                use: "sig",
+                kid: authMethod.kid,
+                alg: supportedAlgs(serverMetadata),
+            });
+            // https://www.rfc-editor.org/rfc/rfc7523.html#section-3
+            return async () => ({
+                payload: {
+                    client_id: clientMetadata.client_id,
+                    client_assertion_type: CLIENT_ASSERTION_TYPE_JWT_BEARER,
+                    client_assertion: await key.createJwt({ alg }, {
+                        // > The JWT MUST contain an "iss" (issuer) claim that contains a
+                        // > unique identifier for the entity that issued the JWT.
+                        iss: clientMetadata.client_id,
+                        // > For client authentication, the subject MUST be the
+                        // > "client_id" of the OAuth client.
+                        sub: clientMetadata.client_id,
+                        // > The JWT MUST contain an "aud" (audience) claim containing a value
+                        // > that identifies the authorization server as an intended audience.
+                        // > The token endpoint URL of the authorization server MAY be used as a
+                        // > value for an "aud" element to identify the authorization server as an
+                        // > intended audience of the JWT.
+                        aud: serverMetadata.issuer,
+                        // > The JWT MAY contain a "jti" (JWT ID) claim that provides a
+                        // > unique identifier for the token.
+                        jti: await runtime.generateNonce(),
+                        // > The JWT MAY contain an "iat" (issued at) claim that
+                        // > identifies the time at which the JWT was issued.
+                        iat: Math.floor(Date.now() / 1000),
+                        // > The JWT MUST contain an "exp" (expiration time) claim that
+                        // > limits the time window during which the JWT can be used.
+                        exp: Math.floor(Date.now() / 1000) + 60, // 1 minute
+                    }),
+                },
+            });
+        }
+        catch (cause) {
+            console.error(cause);
+            throw new AuthMethodUnsatisfiableError("Failed to load private key", {
+                cause,
+            });
+        }
+    }
+    throw new AuthMethodUnsatisfiableError(
+    // @ts-expect-error
+    `Unsupported auth method ${authMethod.method}`);
+}
+function supportedMethods(serverMetadata) {
+    return serverMetadata["token_endpoint_auth_methods_supported"];
+}
+function supportedAlgs(serverMetadata) {
+    return (serverMetadata["token_endpoint_auth_signing_alg_values_supported"] ?? [
+        // @NOTE If not specified, assume that the server supports the ES256
+        // algorithm, as prescribed by the spec:
+        //
+        // > Clients and Authorization Servers currently must support the ES256
+        // > cryptographic system [for client authentication].
+        //
+        // https://atproto.com/specs/oauth#confidential-client-authentication
+        FALLBACK_ALG,
+    ]);
+}

package/lib/oauth-client/oauth-client.d.ts

@@ -0,0 +1,311 @@
+import { Key, Keyset } from "@atproto/jwk";
+import { OAuthClientIdDiscoverable, OAuthClientMetadata, OAuthClientMetadataInput, OAuthResponseMode } from "@atproto/oauth-types";
+import { AtprotoDid } from "@atproto/did";
+import { DidCache } from "#did-resolver";
+import { Fetch } from "@atproto-labs/fetch";
+import { HandleCache, HandleResolver } from "#handle-resolver";
+import { IdentityResolverOptions } from "./identity-resolver.js";
+import { AuthorizationServerMetadataCache } from "./oauth-authorization-server-metadata-resolver.js";
+import { ProtectedResourceMetadataCache } from "./oauth-protected-resource-metadata-resolver.js";
+import { OAuthResolver } from "./oauth-resolver.js";
+import { DpopNonceCache, OAuthServerAgent } from "./oauth-server-agent.js";
+import { OAuthServerFactory } from "./oauth-server-factory.js";
+import { OAuthSession } from "./oauth-session.js";
+import { RuntimeImplementation } from "./runtime-implementation.js";
+import { Runtime } from "./runtime.js";
+import { SessionEventMap, SessionGetter, SessionStore } from "./session-getter.js";
+import { InternalStateData, StateStore } from "./state-store.js";
+import { AuthorizeOptions, ClientMetadata } from "./types.js";
+import { CustomEventTarget } from "./util.js";
+export { type AuthorizationServerMetadataCache, type DidCache, type DpopNonceCache, type Fetch, type HandleCache, type HandleResolver, type InternalStateData, Key, Keyset, type OAuthClientMetadata, type OAuthClientMetadataInput, type OAuthResponseMode, type ProtectedResourceMetadataCache, type RuntimeImplementation, type SessionStore, type StateStore, };
+export type OAuthClientOptions = IdentityResolverOptions & {
+    responseMode: OAuthResponseMode;
+    clientMetadata: Readonly<OAuthClientMetadataInput>;
+    keyset?: Keyset | Iterable<Key | undefined | null | false>;
+    /**
+     * Determines if the client will allow communicating with the OAuth Servers
+     * (Authorization & Resource), or to retrieve "did:web" documents, over
+     * unsafe HTTP connections. It is recommended to set this to `true` only for
+     * development purposes.
+     *
+     * @note This does not affect the identity resolution mechanism, which will
+     * allow HTTP connections to the PLC Directory (if the provided directory url
+     * is "http:" based).
+     * @default false
+     * @see {@link OAuthProtectedResourceMetadataResolver.allowHttpResource}
+     * @see {@link OAuthAuthorizationServerMetadataResolver.allowHttpIssuer}
+     * @see {@link DidResolverCommonOptions.allowHttp}
+     */
+    allowHttp?: boolean;
+    stateStore: StateStore;
+    sessionStore: SessionStore;
+    authorizationServerMetadataCache?: AuthorizationServerMetadataCache;
+    protectedResourceMetadataCache?: ProtectedResourceMetadataCache;
+    dpopNonceCache?: DpopNonceCache;
+    runtimeImplementation: RuntimeImplementation;
+    fetch?: Fetch;
+};
+export type OAuthClientEventMap = SessionEventMap;
+export type OAuthClientFetchMetadataOptions = {
+    clientId: OAuthClientIdDiscoverable;
+    fetch?: Fetch;
+    signal?: AbortSignal;
+};
+export declare class OAuthClient extends CustomEventTarget<OAuthClientEventMap> {
+    static fetchMetadata({ clientId, fetch, signal, }: OAuthClientFetchMetadataOptions): Promise<{
+        redirect_uris: [`http://[::1]${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | `${string}.${string}:/${string}`, ...(`http://[::1]${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | `${string}.${string}:/${string}`)[]];
+        response_types: ["code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token", ...("code" | "none" | "token" | "code id_token token" | "code id_token" | "code token" | "id_token token" | "id_token")[]];
+        grant_types: ["authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer", ...("authorization_code" | "implicit" | "refresh_token" | "password" | "client_credentials" | "urn:ietf:params:oauth:grant-type:jwt-bearer" | "urn:ietf:params:oauth:grant-type:saml2-bearer")[]];
+        token_endpoint_auth_method: "client_secret_basic" | "client_secret_jwt" | "client_secret_post" | "none" | "private_key_jwt" | "self_signed_tls_client_auth" | "tls_client_auth";
+        application_type: "web" | "native";
+        subject_type: "public" | "pairwise";
+        authorization_signed_response_alg: string;
+        scope?: string | undefined;
+        token_endpoint_auth_signing_alg?: string | undefined;
+        userinfo_signed_response_alg?: string | undefined;
+        userinfo_encrypted_response_alg?: string | undefined;
+        jwks_uri?: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | undefined;
+        jwks?: {
+            keys: ({
+                kty: "RSA";
+                n: string;
+                e: string;
+                alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                "x5t#S256"?: string | undefined;
+                x5u?: string | undefined;
+                d?: string | undefined;
+                p?: string | undefined;
+                q?: string | undefined;
+                dp?: string | undefined;
+                dq?: string | undefined;
+                qi?: string | undefined;
+                oth?: [{
+                    d?: string | undefined;
+                    r?: string | undefined;
+                    t?: string | undefined;
+                }, ...{
+                    d?: string | undefined;
+                    r?: string | undefined;
+                    t?: string | undefined;
+                }[]] | undefined;
+            } | {
+                kty: "EC";
+                crv: "P-256" | "P-384" | "P-521";
+                x: string;
+                y: string;
+                alg?: "ES256" | "ES384" | "ES512" | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                "x5t#S256"?: string | undefined;
+                x5u?: string | undefined;
+                d?: string | undefined;
+            } | {
+                kty: "EC";
+                crv: "secp256k1";
+                x: string;
+                y: string;
+                alg?: "ES256K" | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                "x5t#S256"?: string | undefined;
+                x5u?: string | undefined;
+                d?: string | undefined;
+            } | {
+                kty: "OKP";
+                crv: "Ed25519" | "Ed448";
+                x: string;
+                alg?: "EdDSA" | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                "x5t#S256"?: string | undefined;
+                x5u?: string | undefined;
+                d?: string | undefined;
+            } | {
+                kty: "oct";
+                k: string;
+                alg?: "HS256" | "HS384" | "HS512" | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                "x5t#S256"?: string | undefined;
+                x5u?: string | undefined;
+            } | {
+                kty: string;
+                alg?: string | undefined;
+                kid?: string | undefined;
+                ext?: boolean | undefined;
+                use?: "sig" | "enc" | undefined;
+                key_ops?: ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+                x5c?: string[] | undefined;
+                x5t?: string | undefined;
+                "x5t#S256"?: string | undefined;
+                x5u?: string | undefined;
+            })[];
+        } | undefined;
+        request_object_signing_alg?: string | undefined;
+        id_token_signed_response_alg?: string | undefined;
+        authorization_encrypted_response_enc?: "A128CBC-HS256" | undefined;
+        authorization_encrypted_response_alg?: string | undefined;
+        client_id?: string | undefined;
+        client_name?: string | undefined;
+        client_uri?: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | undefined;
+        policy_uri?: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | undefined;
+        tos_uri?: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | undefined;
+        logo_uri?: `http://[::1]${string}` | "http://localhost" | `http://localhost#${string}` | `http://localhost?${string}` | `http://localhost/${string}` | `http://localhost:${string}` | "http://127.0.0.1" | `http://127.0.0.1#${string}` | `http://127.0.0.1?${string}` | `http://127.0.0.1/${string}` | `http://127.0.0.1:${string}` | `https://${string}` | undefined;
+        default_max_age?: number | undefined;
+        require_auth_time?: boolean | undefined;
+        contacts?: string[] | undefined;
+        tls_client_certificate_bound_access_tokens?: boolean | undefined;
+        dpop_bound_access_tokens?: boolean | undefined;
+        authorization_details_types?: string[] | undefined;
+    }>;
+    readonly clientMetadata: ClientMetadata;
+    readonly responseMode: OAuthResponseMode;
+    readonly keyset?: Keyset;
+    readonly runtime: Runtime;
+    readonly fetch: Fetch;
+    readonly oauthResolver: OAuthResolver;
+    readonly serverFactory: OAuthServerFactory;
+    protected readonly sessionGetter: SessionGetter;
+    protected readonly stateStore: StateStore;
+    constructor(options: OAuthClientOptions);
+    get identityResolver(): import("#identity-resolver").IdentityResolver;
+    get jwks(): {
+        readonly keys: readonly ({
+            readonly kty: "RSA";
+            readonly n: string;
+            readonly e: string;
+            readonly alg?: "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | undefined | undefined;
+            readonly kid?: string | undefined | undefined;
+            readonly ext?: boolean | undefined | undefined;
+            readonly use?: "sig" | "enc" | undefined | undefined;
+            readonly key_ops?: readonly ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+            readonly x5c?: readonly string[] | undefined;
+            readonly x5t?: string | undefined | undefined;
+            readonly 'x5t#S256'?: string | undefined | undefined;
+            readonly x5u?: string | undefined | undefined;
+            readonly d?: string | undefined | undefined;
+            readonly p?: string | undefined | undefined;
+            readonly q?: string | undefined | undefined;
+            readonly dp?: string | undefined | undefined;
+            readonly dq?: string | undefined | undefined;
+            readonly qi?: string | undefined | undefined;
+            readonly oth?: readonly [{
+                readonly d?: string | undefined | undefined;
+                readonly r?: string | undefined | undefined;
+                readonly t?: string | undefined | undefined;
+            }, ...{
+                readonly d?: string | undefined | undefined;
+                readonly r?: string | undefined | undefined;
+                readonly t?: string | undefined | undefined;
+            }[]] | undefined;
+        } | {
+            readonly kty: "EC";
+            readonly crv: "P-256" | "P-384" | "P-521";
+            readonly x: string;
+            readonly y: string;
+            readonly alg?: "ES256" | "ES384" | "ES512" | undefined | undefined;
+            readonly kid?: string | undefined | undefined;
+            readonly ext?: boolean | undefined | undefined;
+            readonly use?: "sig" | "enc" | undefined | undefined;
+            readonly key_ops?: readonly ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+            readonly x5c?: readonly string[] | undefined;
+            readonly x5t?: string | undefined | undefined;
+            readonly 'x5t#S256'?: string | undefined | undefined;
+            readonly x5u?: string | undefined | undefined;
+            readonly d?: string | undefined | undefined;
+        } | {
+            readonly kty: "EC";
+            readonly crv: "secp256k1";
+            readonly x: string;
+            readonly y: string;
+            readonly alg?: "ES256K" | undefined | undefined;
+            readonly kid?: string | undefined | undefined;
+            readonly ext?: boolean | undefined | undefined;
+            readonly use?: "sig" | "enc" | undefined | undefined;
+            readonly key_ops?: readonly ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+            readonly x5c?: readonly string[] | undefined;
+            readonly x5t?: string | undefined | undefined;
+            readonly 'x5t#S256'?: string | undefined | undefined;
+            readonly x5u?: string | undefined | undefined;
+            readonly d?: string | undefined | undefined;
+        } | {
+            readonly kty: "OKP";
+            readonly crv: "Ed25519" | "Ed448";
+            readonly x: string;
+            readonly alg?: "EdDSA" | undefined | undefined;
+            readonly kid?: string | undefined | undefined;
+            readonly ext?: boolean | undefined | undefined;
+            readonly use?: "sig" | "enc" | undefined | undefined;
+            readonly key_ops?: readonly ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+            readonly x5c?: readonly string[] | undefined;
+            readonly x5t?: string | undefined | undefined;
+            readonly 'x5t#S256'?: string | undefined | undefined;
+            readonly x5u?: string | undefined | undefined;
+            readonly d?: string | undefined | undefined;
+        } | {
+            readonly kty: "oct";
+            readonly k: string;
+            readonly alg?: "HS256" | "HS384" | "HS512" | undefined | undefined;
+            readonly kid?: string | undefined | undefined;
+            readonly ext?: boolean | undefined | undefined;
+            readonly use?: "sig" | "enc" | undefined | undefined;
+            readonly key_ops?: readonly ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+            readonly x5c?: readonly string[] | undefined;
+            readonly x5t?: string | undefined | undefined;
+            readonly 'x5t#S256'?: string | undefined | undefined;
+            readonly x5u?: string | undefined | undefined;
+        } | {
+            readonly kty: string;
+            readonly alg?: string | undefined | undefined;
+            readonly kid?: string | undefined | undefined;
+            readonly ext?: boolean | undefined | undefined;
+            readonly use?: "sig" | "enc" | undefined | undefined;
+            readonly key_ops?: readonly ("sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits")[] | undefined;
+            readonly x5c?: readonly string[] | undefined;
+            readonly x5t?: string | undefined | undefined;
+            readonly 'x5t#S256'?: string | undefined | undefined;
+            readonly x5u?: string | undefined | undefined;
+        })[];
+    };
+    authorize(input: string, { signal, ...options }?: AuthorizeOptions): Promise<URL>;
+    /**
+     * This method allows the client to proactively revoke the request_uri it
+     * created through PAR.
+     */
+    abortRequest(authorizeUrl: URL): Promise<void>;
+    callback(params: URLSearchParams): Promise<{
+        session: OAuthSession;
+        state: string | null;
+    }>;
+    /**
+     * Load a stored session. This will refresh the token only if needed (about to
+     * expire) by default.
+     *
+     * @param refresh See {@link SessionGetter.getSession}
+     */
+    restore(sub: string, refresh?: boolean | "auto"): Promise<OAuthSession>;
+    revoke(sub: string): Promise<void>;
+    protected createSession(server: OAuthServerAgent, sub: AtprotoDid): OAuthSession;
+}