@cloudflare/workers-oauth-provider 0.0.0-4d02346 → 0.0.0-5a59d78

package/README.md

@@ -38,7 +38,7 @@ export default new OAuthProvider({
   // You can provide either an object with a fetch method (ExportedHandler)
   // or a class extending WorkerEntrypoint.
   apiHandler: ApiHandler, // Using a WorkerEntrypoint class
-  
+
   // For multi-handler setups, you can use apiHandlers instead of apiRoute+apiHandler.
   // This allows you to use different handlers for different API routes.
   // Note: You must use either apiRoute+apiHandler (single-handler) OR apiHandlers (multi-handler), not both.
@@ -87,7 +87,13 @@ export default new OAuthProvider({
   // Note: Creating public clients via the OAuthHelpers.createClient() method
   // is always allowed regardless of this setting.
   // Defaults to false.
-  disallowPublicClientRegistration: false
+  disallowPublicClientRegistration: false,
+
+  // Optional: Time-to-live for refresh tokens in seconds.
+  // If not specified, refresh tokens do not expire.
+  // Set to 0 to disable refresh tokens (only access tokens will be issued).
+  // For example: 3600 = 1 hour, 86400 = 1 day, 2592000 = 30 days
+  refreshTokenTTL: 2592000 // 30 days
 });
 
 // The default handler object - the OAuthProvider will pass through HTTP requests to this object's fetch method
@@ -261,6 +267,7 @@ The callback can:
 - Return only `accessTokenProps` to update just the current access token
 - Return only `newProps` to update both the grant and access token (the access token inherits these props)
 - Return `accessTokenTTL` to override the default TTL for this specific access token
+- Return `refreshTokenTTL` to override the default TTL for this specific refresh token
 - Return nothing to keep the original props unchanged
 
 The `accessTokenTTL` override is particularly useful when the application is also an OAuth client to another service and wants to match its access token TTL to the upstream access token TTL. This helps prevent situations where the downstream token is still valid but the upstream token has expired.

package/dist/oauth-provider.d.ts

@@ -33,6 +33,13 @@ interface TokenExchangeCallbackResult {
      * Value should be in seconds.
      */
     accessTokenTTL?: number;
+    /**
+     * Override the default refresh token TTL (time-to-live) for this specific grant.
+     * Value should be in seconds.
+     * Note: This is only honored during authorization code exchange. If returned during
+     * refresh token exchange, it will be ignored.
+     */
+    refreshTokenTTL?: number;
 }
 /**
  * Options for token exchange callback functions
@@ -61,6 +68,33 @@ interface TokenExchangeCallbackOptions {
      */
     props: any;
 }
+/**
+ * Input parameters for the resolveExternalToken callback function
+ */
+interface ResolveExternalTokenInput {
+    /**
+     * The token string that was provided in the Authorization header
+     */
+    token: string;
+    /**
+     * The original HTTP request
+     */
+    request: Request;
+    /**
+     * Cloudflare Worker environment variables
+     */
+    env: any;
+}
+/**
+ * Result returned from the resolveExternalToken callback function
+ */
+interface ResolveExternalTokenResult {
+    /**
+     * Application-specific properties that will be passed to the API handlers
+     * These properties are set in the execution context (ctx.props) when the external token is validated
+     */
+    props: any;
+}
 interface OAuthProviderOptions {
     /**
      * URL(s) for API routes. Requests with URLs starting with any of these prefixes
@@ -116,6 +150,12 @@ interface OAuthProviderOptions {
      * Defaults to 1 hour (3600 seconds) if not specified.
      */
     accessTokenTTL?: number;
+    /**
+     * Time-to-live for refresh tokens in seconds.
+     * If not specified, refresh tokens do not expire.
+     * For example: 3600 = 1 hour, 2592000 = 30 days
+     */
+    refreshTokenTTL?: number;
     /**
      * List of scopes supported by this OAuth provider.
      * If not provided, the 'scopes_supported' field will be omitted from the OAuth metadata.
@@ -144,6 +184,16 @@ interface OAuthProviderOptions {
      * If the callback returns nothing or undefined for a props field, the original props will be used.
      */
     tokenExchangeCallback?: (options: TokenExchangeCallbackOptions) => Promise<TokenExchangeCallbackResult | void> | TokenExchangeCallbackResult | void;
+    /**
+     * Optional callback function that is called when a provided token was not found in the internal KV.
+     * This allows authentication through external OAuth servers.
+     * For example, if a request includes an authenticated token from a different OAuth authentication server,
+     * the callback can be used to authenticate it and set the context props through it.
+     *
+     * The callback can optionally return props values that will passed-through to the apiHandlers.
+     * The callback can return `null` to signal resolution failure.
+     */
+    resolveExternalToken?: (input: ResolveExternalTokenInput) => Promise<ResolveExternalTokenResult | null>;
     /**
      * Optional callback function that is called whenever the OAuthProvider returns an error response
      * This allows the client to emit notifications or perform other actions when an error occurs.
@@ -381,6 +431,10 @@ interface Grant {
      * Unix timestamp when the grant was created
      */
     createdAt: number;
+    /**
+     * Unix timestamp when the grant expires (if TTL is configured)
+     */
+    expiresAt?: number;
     /**
      * The hash of the current refresh token associated with this grant
      */
@@ -523,6 +577,10 @@ interface GrantSummary {
      * Unix timestamp when the grant was created
      */
     createdAt: number;
+    /**
+     * Unix timestamp when the grant expires (if TTL is configured)
+     */
+    expiresAt?: number;
 }
 /**
  * OAuth 2.0 Provider implementation for Cloudflare Workers
@@ -547,4 +605,4 @@ declare class OAuthProvider {
     fetch(request: Request, env: any, ctx: ExecutionContext): Promise<Response>;
 }
 
-export { type AuthRequest, type ClientInfo, type CompleteAuthorizationOptions, type Grant, type GrantSummary, type ListOptions, type ListResult, type OAuthHelpers, OAuthProvider, type OAuthProviderOptions, type Token, type TokenExchangeCallbackOptions, type TokenExchangeCallbackResult, OAuthProvider as default };
+export { type AuthRequest, type ClientInfo, type CompleteAuthorizationOptions, type Grant, type GrantSummary, type ListOptions, type ListResult, type OAuthHelpers, OAuthProvider, type OAuthProviderOptions, type ResolveExternalTokenInput, type ResolveExternalTokenResult, type Token, type TokenExchangeCallbackOptions, type TokenExchangeCallbackResult, OAuthProvider as default };

package/dist/oauth-provider.js

@@ -142,7 +142,16 @@ var OAuthProviderImpl = class {
       return this.addCorsHeaders(response, request);
     }
     if (this.isTokenEndpoint(url)) {
-      const response = await this.handleTokenRequest(request, env);
+      const parsed = await this.parseTokenEndpointRequest(request, env);
+      if (parsed instanceof Response) {
+        return this.addCorsHeaders(parsed, request);
+      }
+      let response;
+      if (parsed.isRevocationRequest) {
+        response = await this.handleRevocationRequest(parsed.body, env);
+      } else {
+        response = await this.handleTokenRequest(parsed.body, parsed.clientInfo, env);
+      }
       return this.addCorsHeaders(response, request);
     }
     if (this.options.clientRegistrationEndpoint && this.isClientRegistrationEndpoint(url)) {
@@ -206,6 +215,67 @@ var OAuthProviderImpl = class {
     if (!this.options.clientRegistrationEndpoint) return false;
     return this.matchEndpoint(url, this.options.clientRegistrationEndpoint);
   }
+  /**
+   * Parses and validates a token endpoint request (used for both token exchange and revocation)
+   * @param request - The HTTP request to parse
+   * @returns Promise with parsed body and client info, or error response
+   */
+  async parseTokenEndpointRequest(request, env) {
+    if (request.method !== "POST") {
+      return this.createErrorResponse("invalid_request", "Method not allowed", 405);
+    }
+    let contentType = request.headers.get("Content-Type") || "";
+    let body = {};
+    if (!contentType.includes("application/x-www-form-urlencoded")) {
+      return this.createErrorResponse("invalid_request", "Content-Type must be application/x-www-form-urlencoded", 400);
+    }
+    const formData = await request.formData();
+    for (const [key, value] of formData.entries()) {
+      body[key] = value;
+    }
+    const authHeader = request.headers.get("Authorization");
+    let clientId = "";
+    let clientSecret = "";
+    if (authHeader && authHeader.startsWith("Basic ")) {
+      const credentials = atob(authHeader.substring(6));
+      const [id, secret] = credentials.split(":", 2);
+      clientId = decodeURIComponent(id);
+      clientSecret = decodeURIComponent(secret || "");
+    } else {
+      clientId = body.client_id;
+      clientSecret = body.client_secret || "";
+    }
+    if (!clientId) {
+      return this.createErrorResponse("invalid_client", "Client ID is required", 401);
+    }
+    const clientInfo = await this.getClient(env, clientId);
+    if (!clientInfo) {
+      return this.createErrorResponse("invalid_client", "Client not found", 401);
+    }
+    const isPublicClient = clientInfo.tokenEndpointAuthMethod === "none";
+    if (!isPublicClient) {
+      if (!clientSecret) {
+        return this.createErrorResponse("invalid_client", "Client authentication failed: missing client_secret", 401);
+      }
+      if (!clientInfo.clientSecret) {
+        return this.createErrorResponse(
+          "invalid_client",
+          "Client authentication failed: client has no registered secret",
+          401
+        );
+      }
+      const providedSecretHash = await hashSecret(clientSecret);
+      if (providedSecretHash !== clientInfo.clientSecret) {
+        return this.createErrorResponse("invalid_client", "Client authentication failed: invalid client_secret", 401);
+      }
+    }
+    const isRevocationRequest = !body.grant_type && !!body.token;
+    return {
+      body,
+      clientInfo,
+      isRevocationRequest
+    };
+  }
   /**
    * Checks if a URL matches a specific API route
    * @param url - The URL to check
@@ -329,59 +399,12 @@ var OAuthProviderImpl = class {
   /**
    * Handles client authentication and token issuance via the token endpoint
    * Supports authorization_code and refresh_token grant types
-   * @param request - The HTTP request
+   * @param body - The parsed request body
+   * @param clientInfo - The authenticated client information
    * @param env - Cloudflare Worker environment variables
    * @returns Response with token data or error
    */
-  async handleTokenRequest(request, env) {
-    if (request.method !== "POST") {
-      return this.createErrorResponse("invalid_request", "Method not allowed", 405);
-    }
-    let contentType = request.headers.get("Content-Type") || "";
-    let body = {};
-    if (!contentType.includes("application/x-www-form-urlencoded")) {
-      return this.createErrorResponse("invalid_request", "Content-Type must be application/x-www-form-urlencoded", 400);
-    }
-    const formData = await request.formData();
-    for (const [key, value] of formData.entries()) {
-      body[key] = value;
-    }
-    const authHeader = request.headers.get("Authorization");
-    let clientId = "";
-    let clientSecret = "";
-    if (authHeader && authHeader.startsWith("Basic ")) {
-      const credentials = atob(authHeader.substring(6));
-      const [id, secret] = credentials.split(":", 2);
-      clientId = decodeURIComponent(id);
-      clientSecret = decodeURIComponent(secret || "");
-    } else {
-      clientId = body.client_id;
-      clientSecret = body.client_secret || "";
-    }
-    if (!clientId) {
-      return this.createErrorResponse("invalid_client", "Client ID is required", 401);
-    }
-    const clientInfo = await this.getClient(env, clientId);
-    if (!clientInfo) {
-      return this.createErrorResponse("invalid_client", "Client not found", 401);
-    }
-    const isPublicClient = clientInfo.tokenEndpointAuthMethod === "none";
-    if (!isPublicClient) {
-      if (!clientSecret) {
-        return this.createErrorResponse("invalid_client", "Client authentication failed: missing client_secret", 401);
-      }
-      if (!clientInfo.clientSecret) {
-        return this.createErrorResponse(
-          "invalid_client",
-          "Client authentication failed: client has no registered secret",
-          401
-        );
-      }
-      const providedSecretHash = await hashSecret(clientSecret);
-      if (providedSecretHash !== clientInfo.clientSecret) {
-        return this.createErrorResponse("invalid_client", "Client authentication failed: invalid client_secret", 401);
-      }
-    }
+  async handleTokenRequest(body, clientInfo, env) {
     const grantType = body.grant_type;
     if (grantType === "authorization_code") {
       return this.handleAuthorizationCodeGrant(body, clientInfo, env);
@@ -455,12 +478,10 @@ var OAuthProviderImpl = class {
       }
     }
     const accessTokenSecret = generateRandomString(TOKEN_LENGTH);
-    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
     const accessToken = `${userId}:${grantId}:${accessTokenSecret}`;
-    const refreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
     const accessTokenId = await generateTokenId(accessToken);
-    const refreshTokenId = await generateTokenId(refreshToken);
     let accessTokenTTL = this.options.accessTokenTTL;
+    let refreshTokenTTL = this.options.refreshTokenTTL;
     const encryptionKey = await unwrapKeyWithToken(code, grantData.authCodeWrappedKey);
     let grantEncryptionKey = encryptionKey;
     let accessTokenEncryptionKey = encryptionKey;
@@ -490,6 +511,9 @@ var OAuthProviderImpl = class {
         if (callbackResult.accessTokenTTL !== void 0) {
           accessTokenTTL = callbackResult.accessTokenTTL;
         }
+        if ("refreshTokenTTL" in callbackResult) {
+          refreshTokenTTL = callbackResult.refreshTokenTTL;
+        }
       }
       const grantResult = await encryptProps(grantProps);
       grantData.encryptedProps = grantResult.encryptedData;
@@ -505,17 +529,26 @@ var OAuthProviderImpl = class {
     }
     const now = Math.floor(Date.now() / 1e3);
     const accessTokenExpiresAt = now + accessTokenTTL;
+    const useRefreshToken = refreshTokenTTL !== 0;
     const accessTokenWrappedKey = await wrapKeyWithToken(accessToken, accessTokenEncryptionKey);
-    const refreshTokenWrappedKey = await wrapKeyWithToken(refreshToken, grantEncryptionKey);
     delete grantData.authCodeId;
     delete grantData.codeChallenge;
     delete grantData.codeChallengeMethod;
     delete grantData.authCodeWrappedKey;
-    grantData.refreshTokenId = refreshTokenId;
-    grantData.refreshTokenWrappedKey = refreshTokenWrappedKey;
-    grantData.previousRefreshTokenId = void 0;
-    grantData.previousRefreshTokenWrappedKey = void 0;
-    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData));
+    let refreshToken;
+    if (useRefreshToken) {
+      const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
+      refreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
+      const refreshTokenId = await generateTokenId(refreshToken);
+      const refreshTokenWrappedKey = await wrapKeyWithToken(refreshToken, grantEncryptionKey);
+      const expiresAt = refreshTokenTTL !== void 0 ? now + refreshTokenTTL : void 0;
+      grantData.refreshTokenId = refreshTokenId;
+      grantData.refreshTokenWrappedKey = refreshTokenWrappedKey;
+      grantData.previousRefreshTokenId = void 0;
+      grantData.previousRefreshTokenWrappedKey = void 0;
+      grantData.expiresAt = expiresAt;
+    }
+    await this.saveGrantWithTTL(env, grantKey, grantData, now);
     const accessTokenData = {
       id: accessTokenId,
       grantId,
@@ -532,18 +565,18 @@ var OAuthProviderImpl = class {
     await env.OAUTH_KV.put(`token:${userId}:${grantId}:${accessTokenId}`, JSON.stringify(accessTokenData), {
       expirationTtl: accessTokenTTL
     });
-    return new Response(
-      JSON.stringify({
-        access_token: accessToken,
-        token_type: "bearer",
-        expires_in: accessTokenTTL,
-        refresh_token: refreshToken,
-        scope: grantData.scope.join(" ")
-      }),
-      {
-        headers: { "Content-Type": "application/json" }
-      }
-    );
+    const tokenResponse = {
+      access_token: accessToken,
+      token_type: "bearer",
+      expires_in: accessTokenTTL,
+      scope: grantData.scope.join(" ")
+    };
+    if (refreshToken) {
+      tokenResponse.refresh_token = refreshToken;
+    }
+    return new Response(JSON.stringify(tokenResponse), {
+      headers: { "Content-Type": "application/json" }
+    });
   }
   /**
    * Handles the refresh token grant type
@@ -577,12 +610,15 @@ var OAuthProviderImpl = class {
     if (grantData.clientId !== clientInfo.clientId) {
       return this.createErrorResponse("invalid_grant", "Client ID mismatch");
     }
+    if (grantData.expiresAt !== void 0) {
+      const now2 = Math.floor(Date.now() / 1e3);
+      if (now2 >= grantData.expiresAt) {
+        return this.createErrorResponse("invalid_grant", "Refresh token has expired");
+      }
+    }
     const accessTokenSecret = generateRandomString(TOKEN_LENGTH);
     const newAccessToken = `${userId}:${grantId}:${accessTokenSecret}`;
     const accessTokenId = await generateTokenId(newAccessToken);
-    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
-    const newRefreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
-    const newRefreshTokenId = await generateTokenId(newRefreshToken);
     let accessTokenTTL = this.options.accessTokenTTL;
     let wrappedKeyToUse;
     if (isCurrentToken) {
@@ -594,6 +630,7 @@ var OAuthProviderImpl = class {
     let grantEncryptionKey = encryptionKey;
     let accessTokenEncryptionKey = encryptionKey;
     let encryptedAccessTokenProps = grantData.encryptedProps;
+    let grantPropsChanged = false;
     if (this.options.tokenExchangeCallback) {
       const decryptedProps = await decryptProps(encryptionKey, grantData.encryptedProps);
       let grantProps = decryptedProps;
@@ -606,7 +643,6 @@ var OAuthProviderImpl = class {
         props: decryptedProps
       };
       const callbackResult = await Promise.resolve(this.options.tokenExchangeCallback(callbackOptions));
-      let grantPropsChanged = false;
       if (callbackResult) {
         if (callbackResult.newProps) {
           grantProps = callbackResult.newProps;
@@ -621,6 +657,12 @@ var OAuthProviderImpl = class {
         if (callbackResult.accessTokenTTL !== void 0) {
           accessTokenTTL = callbackResult.accessTokenTTL;
         }
+        if ("refreshTokenTTL" in callbackResult) {
+          return this.createErrorResponse(
+            "invalid_request",
+            "refreshTokenTTL cannot be changed during refresh token exchange"
+          );
+        }
       }
       if (grantPropsChanged) {
         const grantResult = await encryptProps(grantProps);
@@ -642,14 +684,23 @@ var OAuthProviderImpl = class {
       }
     }
     const now = Math.floor(Date.now() / 1e3);
+    if (grantData.expiresAt !== void 0) {
+      const remainingRefreshTokenLifetime = grantData.expiresAt - now;
+      if (remainingRefreshTokenLifetime > 0) {
+        accessTokenTTL = Math.min(accessTokenTTL, remainingRefreshTokenLifetime);
+      }
+    }
     const accessTokenExpiresAt = now + accessTokenTTL;
     const accessTokenWrappedKey = await wrapKeyWithToken(newAccessToken, accessTokenEncryptionKey);
+    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
+    const newRefreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
+    const newRefreshTokenId = await generateTokenId(newRefreshToken);
     const newRefreshTokenWrappedKey = await wrapKeyWithToken(newRefreshToken, grantEncryptionKey);
     grantData.previousRefreshTokenId = providedTokenHash;
     grantData.previousRefreshTokenWrappedKey = wrappedKeyToUse;
     grantData.refreshTokenId = newRefreshTokenId;
     grantData.refreshTokenWrappedKey = newRefreshTokenWrappedKey;
-    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData));
+    await this.saveGrantWithTTL(env, grantKey, grantData, now);
     const accessTokenData = {
       id: accessTokenId,
       grantId,
@@ -666,18 +717,96 @@ var OAuthProviderImpl = class {
     await env.OAUTH_KV.put(`token:${userId}:${grantId}:${accessTokenId}`, JSON.stringify(accessTokenData), {
       expirationTtl: accessTokenTTL
     });
-    return new Response(
-      JSON.stringify({
-        access_token: newAccessToken,
-        token_type: "bearer",
-        expires_in: accessTokenTTL,
-        refresh_token: newRefreshToken,
-        scope: grantData.scope.join(" ")
-      }),
-      {
-        headers: { "Content-Type": "application/json" }
-      }
-    );
+    const tokenResponse = {
+      access_token: newAccessToken,
+      token_type: "bearer",
+      expires_in: accessTokenTTL,
+      refresh_token: newRefreshToken,
+      scope: grantData.scope.join(" ")
+    };
+    return new Response(JSON.stringify(tokenResponse), {
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  /**
+   * Handles OAuth 2.0 token revocation requests (RFC 7009)
+   * @param body - The parsed request body containing revocation parameters
+   * @param env - Cloudflare Worker environment variables
+   * @returns Response confirming revocation or error
+   */
+  async handleRevocationRequest(body, env) {
+    return this.revokeToken(body, env);
+  }
+  /**
+   * - Access tokens: Revokes only the specific token
+   * - Refresh tokens: Revokes the entire grant (access + refresh tokens)
+   * @param body - The parsed request body containing token parameter
+   * @param env - Cloudflare Worker environment variables
+   * @returns Response confirming revocation or error
+   */
+  async revokeToken(body, env) {
+    const token = body.token;
+    if (!token) {
+      return this.createErrorResponse("invalid_request", "Token parameter is required");
+    }
+    const tokenParts = token.split(":");
+    if (tokenParts.length !== 3) {
+      return new Response("", { status: 200 });
+    }
+    const [userId, grantId, _] = tokenParts;
+    const tokenId = await generateTokenId(token);
+    const isAccessToken = await this.validateAccessToken(tokenId, userId, grantId, env);
+    const isRefreshToken = await this.validateRefreshToken(tokenId, userId, grantId, env);
+    if (isAccessToken) {
+      await this.revokeSpecificAccessToken(tokenId, userId, grantId, env);
+    } else if (isRefreshToken) {
+      await this.createOAuthHelpers(env).revokeGrant(grantId, userId);
+    }
+    return new Response("", { status: 200 });
+  }
+  /**
+   * Revokes a specific access token without affecting the refresh token
+   * @param tokenId - The hashed token ID
+   * @param userId - The user ID extracted from the token
+   * @param grantId - The grant ID extracted from the token
+   * @param env - Cloudflare Worker environment variables
+   */
+  async revokeSpecificAccessToken(tokenId, userId, grantId, env) {
+    const tokenKey = `token:${userId}:${grantId}:${tokenId}`;
+    await env.OAUTH_KV.delete(tokenKey);
+  }
+  /**
+   * Validates if a token is a valid access token
+   * @param tokenId - The hashed token ID
+   * @param userId - The user ID extracted from the token
+   * @param grantId - The grant ID extracted from the token
+   * @param env - Cloudflare Worker environment variables
+   * @returns Promise<boolean> indicating if the token is valid
+   */
+  async validateAccessToken(tokenId, userId, grantId, env) {
+    const tokenKey = `token:${userId}:${grantId}:${tokenId}`;
+    const tokenData = await env.OAUTH_KV.get(tokenKey, { type: "json" });
+    if (!tokenData) {
+      return false;
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    return tokenData.expiresAt >= now;
+  }
+  /**
+   * Validates if a token is a valid refresh token
+   * @param tokenId - The hashed token ID
+   * @param userId - The user ID extracted from the token
+   * @param grantId - The grant ID extracted from the token
+   * @param env - Cloudflare Worker environment variables
+   * @returns Promise<boolean> indicating if the token is valid
+   */
+  async validateRefreshToken(tokenId, userId, grantId, env) {
+    const grantKey = `grant:${userId}:${grantId}`;
+    const grantData = await env.OAUTH_KV.get(grantKey, { type: "json" });
+    if (!grantData) {
+      return false;
+    }
+    return grantData.refreshTokenId === tokenId || grantData.previousRefreshTokenId === tokenId;
   }
   /**
    * Handles the dynamic client registration endpoint (RFC 7591)
@@ -811,30 +940,40 @@ var OAuthProviderImpl = class {
       });
     }
     const accessToken = authHeader.substring(7);
-    const tokenParts = accessToken.split(":");
-    if (tokenParts.length !== 3) {
-      return this.createErrorResponse("invalid_token", "Invalid token format", 401, {
-        "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
-      });
-    }
-    const [userId, grantId, _] = tokenParts;
-    const accessTokenId = await generateTokenId(accessToken);
-    const tokenKey = `token:${userId}:${grantId}:${accessTokenId}`;
-    const tokenData = await env.OAUTH_KV.get(tokenKey, { type: "json" });
-    if (!tokenData) {
+    const parts = accessToken.split(":");
+    const isPossiblyInternalFormat = parts.length === 3;
+    let tokenData = null;
+    let userId = "";
+    let grantId = "";
+    if (isPossiblyInternalFormat) {
+      [userId, grantId] = parts;
+      const id = await generateTokenId(accessToken);
+      tokenData = await env.OAUTH_KV.get(`token:${userId}:${grantId}:${id}`, { type: "json" });
+    }
+    if (!tokenData && !this.options.resolveExternalToken) {
       return this.createErrorResponse("invalid_token", "Invalid access token", 401, {
         "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
       });
     }
-    const now = Math.floor(Date.now() / 1e3);
-    if (tokenData.expiresAt < now) {
-      return this.createErrorResponse("invalid_token", "Access token expired", 401, {
-        "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
-      });
+    if (tokenData) {
+      const now = Math.floor(Date.now() / 1e3);
+      if (tokenData.expiresAt < now) {
+        return this.createErrorResponse("invalid_token", "Access token expired", 401, {
+          "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
+        });
+      }
+      const encryptionKey = await unwrapKeyWithToken(accessToken, tokenData.wrappedEncryptionKey);
+      const decryptedProps = await decryptProps(encryptionKey, tokenData.grant.encryptedProps);
+      ctx.props = decryptedProps;
+    } else if (this.options.resolveExternalToken) {
+      const ext = await this.options.resolveExternalToken({ token: accessToken, request, env });
+      if (!ext) {
+        return this.createErrorResponse("invalid_token", "Invalid access token", 401, {
+          "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
+        });
+      }
+      ctx.props = ext.props;
     }
-    const encryptionKey = await unwrapKeyWithToken(accessToken, tokenData.wrappedEncryptionKey);
-    const decryptedProps = await decryptProps(encryptionKey, tokenData.grant.encryptedProps);
-    ctx.props = decryptedProps;
     if (!env.OAUTH_PROVIDER) {
       env.OAUTH_PROVIDER = this.createOAuthHelpers(env);
     }
@@ -859,6 +998,17 @@ var OAuthProviderImpl = class {
   createOAuthHelpers(env) {
     return new OAuthHelpersImpl(env, this);
   }
+  /**
+   * Saves a grant to KV with appropriate TTL based on expiration
+   * @param env - The environment bindings
+   * @param grantKey - The KV key for the grant
+   * @param grantData - The grant data to save
+   * @param now - Current timestamp in seconds
+   */
+  async saveGrantWithTTL(env, grantKey, grantData, now) {
+    const kvOptions = grantData.expiresAt !== void 0 ? { expiration: grantData.expiresAt } : {};
+    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData), kvOptions);
+  }
   /**
    * Fetches client information from KV storage
    * This method is not private because `OAuthHelpers` needs to call it. Note that since
@@ -902,7 +1052,7 @@ async function hashSecret(secret) {
   return generateTokenId(secret);
 }
 function generateRandomString(length) {
-  const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
   let result = "";
   const values = new Uint8Array(length);
   crypto.getRandomValues(values);
@@ -1071,15 +1221,16 @@ var OAuthHelpersImpl = class {
     const state = url.searchParams.get("state") || "";
     const codeChallenge = url.searchParams.get("code_challenge") || void 0;
     const codeChallengeMethod = url.searchParams.get("code_challenge_method") || "plain";
+    if (redirectUri.startsWith("javascript:") || redirectUri.startsWith("data:") || redirectUri.startsWith("vbscript:") || redirectUri.startsWith("file:") || redirectUri.startsWith("mailto:") || redirectUri.startsWith("blob:")) {
+      throw new Error("Invalid redirect URI");
+    }
     if (responseType === "token" && !this.provider.options.allowImplicitFlow) {
       throw new Error("The implicit grant flow is not enabled for this provider");
     }
     if (clientId) {
       const clientInfo = await this.lookupClient(clientId);
       if (!clientInfo) {
-        throw new Error(
-          `Invalid client. The clientId provided does not match to this client.`
-        );
+        throw new Error(`Invalid client. The clientId provided does not match to this client.`);
       }
       if (clientInfo && redirectUri) {
         if (!clientInfo.redirectUris.includes(redirectUri)) {
@@ -1115,6 +1266,16 @@ var OAuthHelpersImpl = class {
    * @returns A Promise resolving to an object containing the redirect URL
    */
   async completeAuthorization(options) {
+    const { clientId, redirectUri } = options.request;
+    if (!clientId || !redirectUri) {
+      throw new Error("Client ID and Redirect URI are required in the authorization request.");
+    }
+    const clientInfo = await this.lookupClient(clientId);
+    if (!clientInfo || !clientInfo.redirectUris.includes(redirectUri)) {
+      throw new Error(
+        "Invalid redirect URI. The redirect URI provided does not match any registered URI for this client."
+      );
+    }
     const grantId = generateRandomString(16);
     const { encryptedData, key: encryptionKey } = await encryptProps(options.props);
     const now = Math.floor(Date.now() / 1e3);
@@ -1340,7 +1501,8 @@ var OAuthHelpersImpl = class {
           userId: grantData.userId,
           scope: grantData.scope,
           metadata: grantData.metadata,
-          createdAt: grantData.createdAt
+          createdAt: grantData.createdAt,
+          expiresAt: grantData.expiresAt
         };
         grantSummaries.push(summary);
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.0.0-4d02346",
+  "version": "0.0.0-5a59d78",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",
@@ -26,11 +26,12 @@
   },
   "devDependencies": {
     "@changesets/changelog-github": "^0.5.1",
-    "@changesets/cli": "^2.29.5",
+    "@changesets/cli": "^2.29.7",
     "@cloudflare/workers-types": "^4.20250807.0",
+    "pkg-pr-new": "^0.0.59",
     "prettier": "^3.6.2",
     "tsup": "^8.5.0",
-    "tsx": "^4.20.3",
+    "tsx": "^4.20.5",
     "typescript": "^5.9.2",
     "vitest": "^3.2.4"
   },