@cloudflare/workers-oauth-provider 0.0.0-75d3fe2 → 0.0.0-818a557

package/README.md

@@ -38,7 +38,7 @@ export default new OAuthProvider({
   // You can provide either an object with a fetch method (ExportedHandler)
   // or a class extending WorkerEntrypoint.
   apiHandler: ApiHandler, // Using a WorkerEntrypoint class
-  
+
   // For multi-handler setups, you can use apiHandlers instead of apiRoute+apiHandler.
   // This allows you to use different handlers for different API routes.
   // Note: You must use either apiRoute+apiHandler (single-handler) OR apiHandlers (multi-handler), not both.
@@ -87,7 +87,13 @@ export default new OAuthProvider({
   // Note: Creating public clients via the OAuthHelpers.createClient() method
   // is always allowed regardless of this setting.
   // Defaults to false.
-  disallowPublicClientRegistration: false
+  disallowPublicClientRegistration: false,
+
+  // Optional: Time-to-live for refresh tokens in seconds.
+  // If not specified, refresh tokens do not expire.
+  // Set to 0 to disable refresh tokens (only access tokens will be issued).
+  // For example: 3600 = 1 hour, 86400 = 1 day, 2592000 = 30 days
+  refreshTokenTTL: 2592000 // 30 days
 });
 
 // The default handler object - the OAuthProvider will pass through HTTP requests to this object's fetch method
@@ -261,6 +267,7 @@ The callback can:
 - Return only `accessTokenProps` to update just the current access token
 - Return only `newProps` to update both the grant and access token (the access token inherits these props)
 - Return `accessTokenTTL` to override the default TTL for this specific access token
+- Return `refreshTokenTTL` to override the default TTL for this specific refresh token
 - Return nothing to keep the original props unchanged
 
 The `accessTokenTTL` override is particularly useful when the application is also an OAuth client to another service and wants to match its access token TTL to the upstream access token TTL. This helps prevent situations where the downstream token is still valid but the upstream token has expired.

package/dist/oauth-provider.d.ts

@@ -33,6 +33,13 @@ interface TokenExchangeCallbackResult {
      * Value should be in seconds.
      */
     accessTokenTTL?: number;
+    /**
+     * Override the default refresh token TTL (time-to-live) for this specific grant.
+     * Value should be in seconds.
+     * Note: This is only honored during authorization code exchange. If returned during
+     * refresh token exchange, it will be ignored.
+     */
+    refreshTokenTTL?: number;
 }
 /**
  * Options for token exchange callback functions
@@ -61,6 +68,39 @@ interface TokenExchangeCallbackOptions {
      */
     props: any;
 }
+/**
+ * Input parameters for the resolveExternalToken callback function
+ */
+interface ResolveExternalTokenInput {
+    /**
+     * The token string that was provided in the Authorization header
+     */
+    token: string;
+    /**
+     * The original HTTP request
+     */
+    request: Request;
+    /**
+     * Cloudflare Worker environment variables
+     */
+    env: any;
+}
+/**
+ * Result returned from the resolveExternalToken callback function
+ */
+interface ResolveExternalTokenResult {
+    /**
+     * Application-specific properties that will be passed to the API handlers
+     * These properties are set in the execution context (ctx.props) when the external token is validated
+     */
+    props: any;
+    /**
+     * Audience claim from the external token (RFC 7519 Section 4.1.3)
+     * If provided, will be validated against the resource server identity
+     *
+     */
+    audience?: string | string[];
+}
 interface OAuthProviderOptions {
     /**
      * URL(s) for API routes. Requests with URLs starting with any of these prefixes
@@ -116,6 +156,12 @@ interface OAuthProviderOptions {
      * Defaults to 1 hour (3600 seconds) if not specified.
      */
     accessTokenTTL?: number;
+    /**
+     * Time-to-live for refresh tokens in seconds.
+     * If not specified, refresh tokens do not expire.
+     * For example: 3600 = 1 hour, 2592000 = 30 days
+     */
+    refreshTokenTTL?: number;
     /**
      * List of scopes supported by this OAuth provider.
      * If not provided, the 'scopes_supported' field will be omitted from the OAuth metadata.
@@ -144,6 +190,16 @@ interface OAuthProviderOptions {
      * If the callback returns nothing or undefined for a props field, the original props will be used.
      */
     tokenExchangeCallback?: (options: TokenExchangeCallbackOptions) => Promise<TokenExchangeCallbackResult | void> | TokenExchangeCallbackResult | void;
+    /**
+     * Optional callback function that is called when a provided token was not found in the internal KV.
+     * This allows authentication through external OAuth servers.
+     * For example, if a request includes an authenticated token from a different OAuth authentication server,
+     * the callback can be used to authenticate it and set the context props through it.
+     *
+     * The callback can optionally return props values that will passed-through to the apiHandlers.
+     * The callback can return `null` to signal resolution failure.
+     */
+    resolveExternalToken?: (input: ResolveExternalTokenInput) => Promise<ResolveExternalTokenResult | null>;
     /**
      * Optional callback function that is called whenever the OAuthProvider returns an error response
      * This allows the client to emit notifications or perform other actions when an error occurs.
@@ -254,6 +310,10 @@ interface AuthRequest {
      * PKCE code challenge method (plain or S256)
      */
     codeChallengeMethod?: string;
+    /**
+     * Resource parameter indicating target resource(s) (RFC 8707)
+     */
+    resource?: string | string[];
 }
 /**
  * OAuth client registration information
@@ -381,6 +441,10 @@ interface Grant {
      * Unix timestamp when the grant was created
      */
     createdAt: number;
+    /**
+     * Unix timestamp when the grant expires (if TTL is configured)
+     */
+    expiresAt?: number;
     /**
      * The hash of the current refresh token associated with this grant
      */
@@ -418,6 +482,11 @@ interface Grant {
      * Only present during the authorization code exchange process
      */
     codeChallengeMethod?: string;
+    /**
+     * Resource parameter from authorization request (RFC 8707 Section 2.1)
+     * Indicates the protected resource(s) for which access is requested
+     */
+    resource?: string | string[];
 }
 /**
  * Token record stored in KV
@@ -446,6 +515,11 @@ interface Token {
      * Unix timestamp when the token expires
      */
     expiresAt: number;
+    /**
+     * Intended audience for this token (RFC 7519 Section 4.1.3)
+     * Can be a single string or array of strings
+     */
+    audience?: string | string[];
     /**
      * The encryption key for props, wrapped with this token
      */
@@ -523,6 +597,10 @@ interface GrantSummary {
      * Unix timestamp when the grant was created
      */
     createdAt: number;
+    /**
+     * Unix timestamp when the grant expires (if TTL is configured)
+     */
+    expiresAt?: number;
 }
 /**
  * OAuth 2.0 Provider implementation for Cloudflare Workers
@@ -547,4 +625,4 @@ declare class OAuthProvider {
     fetch(request: Request, env: any, ctx: ExecutionContext): Promise<Response>;
 }
 
-export { type AuthRequest, type ClientInfo, type CompleteAuthorizationOptions, type Grant, type GrantSummary, type ListOptions, type ListResult, type OAuthHelpers, OAuthProvider, type OAuthProviderOptions, type Token, type TokenExchangeCallbackOptions, type TokenExchangeCallbackResult, OAuthProvider as default };
+export { type AuthRequest, type ClientInfo, type CompleteAuthorizationOptions, type Grant, type GrantSummary, type ListOptions, type ListResult, type OAuthHelpers, OAuthProvider, type OAuthProviderOptions, type ResolveExternalTokenInput, type ResolveExternalTokenResult, type Token, type TokenExchangeCallbackOptions, type TokenExchangeCallbackResult, OAuthProvider as default };

package/dist/oauth-provider.js

@@ -231,7 +231,8 @@ var OAuthProviderImpl = class {
     }
     const formData = await request.formData();
     for (const [key, value] of formData.entries()) {
-      body[key] = value;
+      const allValues = formData.getAll(key);
+      body[key] = allValues.length > 1 ? allValues : value;
     }
     const authHeader = request.headers.get("Authorization");
     let clientId = "";
@@ -478,12 +479,10 @@ var OAuthProviderImpl = class {
       }
     }
     const accessTokenSecret = generateRandomString(TOKEN_LENGTH);
-    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
     const accessToken = `${userId}:${grantId}:${accessTokenSecret}`;
-    const refreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
     const accessTokenId = await generateTokenId(accessToken);
-    const refreshTokenId = await generateTokenId(refreshToken);
     let accessTokenTTL = this.options.accessTokenTTL;
+    let refreshTokenTTL = this.options.refreshTokenTTL;
     const encryptionKey = await unwrapKeyWithToken(code, grantData.authCodeWrappedKey);
     let grantEncryptionKey = encryptionKey;
     let accessTokenEncryptionKey = encryptionKey;
@@ -513,6 +512,9 @@ var OAuthProviderImpl = class {
         if (callbackResult.accessTokenTTL !== void 0) {
           accessTokenTTL = callbackResult.accessTokenTTL;
         }
+        if ("refreshTokenTTL" in callbackResult) {
+          refreshTokenTTL = callbackResult.refreshTokenTTL;
+        }
       }
       const grantResult = await encryptProps(grantProps);
       grantData.encryptedProps = grantResult.encryptedData;
@@ -528,23 +530,52 @@ var OAuthProviderImpl = class {
     }
     const now = Math.floor(Date.now() / 1e3);
     const accessTokenExpiresAt = now + accessTokenTTL;
+    const useRefreshToken = refreshTokenTTL !== 0;
     const accessTokenWrappedKey = await wrapKeyWithToken(accessToken, accessTokenEncryptionKey);
-    const refreshTokenWrappedKey = await wrapKeyWithToken(refreshToken, grantEncryptionKey);
     delete grantData.authCodeId;
     delete grantData.codeChallenge;
     delete grantData.codeChallengeMethod;
     delete grantData.authCodeWrappedKey;
-    grantData.refreshTokenId = refreshTokenId;
-    grantData.refreshTokenWrappedKey = refreshTokenWrappedKey;
-    grantData.previousRefreshTokenId = void 0;
-    grantData.previousRefreshTokenWrappedKey = void 0;
-    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData));
+    let refreshToken;
+    if (useRefreshToken) {
+      const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
+      refreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
+      const refreshTokenId = await generateTokenId(refreshToken);
+      const refreshTokenWrappedKey = await wrapKeyWithToken(refreshToken, grantEncryptionKey);
+      const expiresAt = refreshTokenTTL !== void 0 ? now + refreshTokenTTL : void 0;
+      grantData.refreshTokenId = refreshTokenId;
+      grantData.refreshTokenWrappedKey = refreshTokenWrappedKey;
+      grantData.previousRefreshTokenId = void 0;
+      grantData.previousRefreshTokenWrappedKey = void 0;
+      grantData.expiresAt = expiresAt;
+    }
+    await this.saveGrantWithTTL(env, grantKey, grantData, now);
+    if (body.resource && grantData.resource) {
+      const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
+      const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
+      for (const requested of requestedResources) {
+        if (!grantedResources.includes(requested)) {
+          return this.createErrorResponse(
+            "invalid_target",
+            "Requested resource was not included in the authorization request"
+          );
+        }
+      }
+    }
+    const audience = parseResourceParameter(body.resource || grantData.resource);
+    if ((body.resource || grantData.resource) && !audience) {
+      return this.createErrorResponse(
+        "invalid_target",
+        "The resource parameter must be a valid absolute URI without a fragment"
+      );
+    }
     const accessTokenData = {
       id: accessTokenId,
       grantId,
       userId,
       createdAt: now,
       expiresAt: accessTokenExpiresAt,
+      audience,
       wrappedEncryptionKey: accessTokenWrappedKey,
       grant: {
         clientId: grantData.clientId,
@@ -555,18 +586,21 @@ var OAuthProviderImpl = class {
     await env.OAUTH_KV.put(`token:${userId}:${grantId}:${accessTokenId}`, JSON.stringify(accessTokenData), {
       expirationTtl: accessTokenTTL
     });
-    return new Response(
-      JSON.stringify({
-        access_token: accessToken,
-        token_type: "bearer",
-        expires_in: accessTokenTTL,
-        refresh_token: refreshToken,
-        scope: grantData.scope.join(" ")
-      }),
-      {
-        headers: { "Content-Type": "application/json" }
-      }
-    );
+    const tokenResponse = {
+      access_token: accessToken,
+      token_type: "bearer",
+      expires_in: accessTokenTTL,
+      scope: grantData.scope.join(" ")
+    };
+    if (refreshToken) {
+      tokenResponse.refresh_token = refreshToken;
+    }
+    if (audience) {
+      tokenResponse.resource = audience;
+    }
+    return new Response(JSON.stringify(tokenResponse), {
+      headers: { "Content-Type": "application/json" }
+    });
   }
   /**
    * Handles the refresh token grant type
@@ -600,12 +634,15 @@ var OAuthProviderImpl = class {
     if (grantData.clientId !== clientInfo.clientId) {
       return this.createErrorResponse("invalid_grant", "Client ID mismatch");
     }
+    if (grantData.expiresAt !== void 0) {
+      const now2 = Math.floor(Date.now() / 1e3);
+      if (now2 >= grantData.expiresAt) {
+        return this.createErrorResponse("invalid_grant", "Refresh token has expired");
+      }
+    }
     const accessTokenSecret = generateRandomString(TOKEN_LENGTH);
     const newAccessToken = `${userId}:${grantId}:${accessTokenSecret}`;
     const accessTokenId = await generateTokenId(newAccessToken);
-    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
-    const newRefreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
-    const newRefreshTokenId = await generateTokenId(newRefreshToken);
     let accessTokenTTL = this.options.accessTokenTTL;
     let wrappedKeyToUse;
     if (isCurrentToken) {
@@ -617,6 +654,7 @@ var OAuthProviderImpl = class {
     let grantEncryptionKey = encryptionKey;
     let accessTokenEncryptionKey = encryptionKey;
     let encryptedAccessTokenProps = grantData.encryptedProps;
+    let grantPropsChanged = false;
     if (this.options.tokenExchangeCallback) {
       const decryptedProps = await decryptProps(encryptionKey, grantData.encryptedProps);
       let grantProps = decryptedProps;
@@ -629,7 +667,6 @@ var OAuthProviderImpl = class {
         props: decryptedProps
       };
       const callbackResult = await Promise.resolve(this.options.tokenExchangeCallback(callbackOptions));
-      let grantPropsChanged = false;
       if (callbackResult) {
         if (callbackResult.newProps) {
           grantProps = callbackResult.newProps;
@@ -644,6 +681,12 @@ var OAuthProviderImpl = class {
         if (callbackResult.accessTokenTTL !== void 0) {
           accessTokenTTL = callbackResult.accessTokenTTL;
         }
+        if ("refreshTokenTTL" in callbackResult) {
+          return this.createErrorResponse(
+            "invalid_request",
+            "refreshTokenTTL cannot be changed during refresh token exchange"
+          );
+        }
       }
       if (grantPropsChanged) {
         const grantResult = await encryptProps(grantProps);
@@ -665,20 +708,49 @@ var OAuthProviderImpl = class {
       }
     }
     const now = Math.floor(Date.now() / 1e3);
+    if (grantData.expiresAt !== void 0) {
+      const remainingRefreshTokenLifetime = grantData.expiresAt - now;
+      if (remainingRefreshTokenLifetime > 0) {
+        accessTokenTTL = Math.min(accessTokenTTL, remainingRefreshTokenLifetime);
+      }
+    }
     const accessTokenExpiresAt = now + accessTokenTTL;
     const accessTokenWrappedKey = await wrapKeyWithToken(newAccessToken, accessTokenEncryptionKey);
+    const refreshTokenSecret = generateRandomString(TOKEN_LENGTH);
+    const newRefreshToken = `${userId}:${grantId}:${refreshTokenSecret}`;
+    const newRefreshTokenId = await generateTokenId(newRefreshToken);
     const newRefreshTokenWrappedKey = await wrapKeyWithToken(newRefreshToken, grantEncryptionKey);
     grantData.previousRefreshTokenId = providedTokenHash;
     grantData.previousRefreshTokenWrappedKey = wrappedKeyToUse;
     grantData.refreshTokenId = newRefreshTokenId;
     grantData.refreshTokenWrappedKey = newRefreshTokenWrappedKey;
-    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData));
+    await this.saveGrantWithTTL(env, grantKey, grantData, now);
+    if (body.resource && grantData.resource) {
+      const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
+      const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
+      for (const requested of requestedResources) {
+        if (!grantedResources.includes(requested)) {
+          return this.createErrorResponse(
+            "invalid_target",
+            "Requested resource was not included in the authorization request"
+          );
+        }
+      }
+    }
+    const audience = parseResourceParameter(body.resource || grantData.resource);
+    if ((body.resource || grantData.resource) && !audience) {
+      return this.createErrorResponse(
+        "invalid_target",
+        "The resource parameter must be a valid absolute URI without a fragment"
+      );
+    }
     const accessTokenData = {
       id: accessTokenId,
       grantId,
       userId,
       createdAt: now,
       expiresAt: accessTokenExpiresAt,
+      audience,
       wrappedEncryptionKey: accessTokenWrappedKey,
       grant: {
         clientId: grantData.clientId,
@@ -689,18 +761,19 @@ var OAuthProviderImpl = class {
     await env.OAUTH_KV.put(`token:${userId}:${grantId}:${accessTokenId}`, JSON.stringify(accessTokenData), {
       expirationTtl: accessTokenTTL
     });
-    return new Response(
-      JSON.stringify({
-        access_token: newAccessToken,
-        token_type: "bearer",
-        expires_in: accessTokenTTL,
-        refresh_token: newRefreshToken,
-        scope: grantData.scope.join(" ")
-      }),
-      {
-        headers: { "Content-Type": "application/json" }
-      }
-    );
+    const tokenResponse = {
+      access_token: newAccessToken,
+      token_type: "bearer",
+      expires_in: accessTokenTTL,
+      refresh_token: newRefreshToken,
+      scope: grantData.scope.join(" ")
+    };
+    if (audience) {
+      tokenResponse.resource = audience;
+    }
+    return new Response(JSON.stringify(tokenResponse), {
+      headers: { "Content-Type": "application/json" }
+    });
   }
   /**
    * Handles OAuth 2.0 token revocation requests (RFC 7009)
@@ -850,6 +923,9 @@ var OAuthProviderImpl = class {
       if (!redirectUris || redirectUris.length === 0) {
         throw new Error("At least one redirect URI is required");
       }
+      for (const uri of redirectUris) {
+        validateRedirectUriScheme(uri);
+      }
       clientInfo = {
         clientId,
         redirectUris,
@@ -914,30 +990,62 @@ var OAuthProviderImpl = class {
       });
     }
     const accessToken = authHeader.substring(7);
-    const tokenParts = accessToken.split(":");
-    if (tokenParts.length !== 3) {
-      return this.createErrorResponse("invalid_token", "Invalid token format", 401, {
-        "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
-      });
-    }
-    const [userId, grantId, _] = tokenParts;
-    const accessTokenId = await generateTokenId(accessToken);
-    const tokenKey = `token:${userId}:${grantId}:${accessTokenId}`;
-    const tokenData = await env.OAUTH_KV.get(tokenKey, { type: "json" });
-    if (!tokenData) {
+    const parts = accessToken.split(":");
+    const isPossiblyInternalFormat = parts.length === 3;
+    let tokenData = null;
+    let userId = "";
+    let grantId = "";
+    if (isPossiblyInternalFormat) {
+      [userId, grantId] = parts;
+      const id = await generateTokenId(accessToken);
+      tokenData = await env.OAUTH_KV.get(`token:${userId}:${grantId}:${id}`, { type: "json" });
+    }
+    if (!tokenData && !this.options.resolveExternalToken) {
       return this.createErrorResponse("invalid_token", "Invalid access token", 401, {
         "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
       });
     }
-    const now = Math.floor(Date.now() / 1e3);
-    if (tokenData.expiresAt < now) {
-      return this.createErrorResponse("invalid_token", "Access token expired", 401, {
-        "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
-      });
+    if (tokenData) {
+      const now = Math.floor(Date.now() / 1e3);
+      if (tokenData.expiresAt < now) {
+        return this.createErrorResponse("invalid_token", "Access token expired", 401, {
+          "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
+        });
+      }
+      if (tokenData.audience) {
+        const requestUrl = new URL(request.url);
+        const resourceServer = `${requestUrl.protocol}//${requestUrl.host}`;
+        const audiences = Array.isArray(tokenData.audience) ? tokenData.audience : [tokenData.audience];
+        const matches = audiences.some((aud) => audienceMatches(resourceServer, aud));
+        if (!matches) {
+          return this.createErrorResponse("invalid_token", "Token audience does not match resource server", 401, {
+            "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token", error_description="Invalid audience"'
+          });
+        }
+      }
+      const encryptionKey = await unwrapKeyWithToken(accessToken, tokenData.wrappedEncryptionKey);
+      const decryptedProps = await decryptProps(encryptionKey, tokenData.grant.encryptedProps);
+      ctx.props = decryptedProps;
+    } else if (this.options.resolveExternalToken) {
+      const ext = await this.options.resolveExternalToken({ token: accessToken, request, env });
+      if (!ext) {
+        return this.createErrorResponse("invalid_token", "Invalid access token", 401, {
+          "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
+        });
+      }
+      if (ext.audience) {
+        const requestUrl = new URL(request.url);
+        const resourceServer = `${requestUrl.protocol}//${requestUrl.host}`;
+        const audiences = Array.isArray(ext.audience) ? ext.audience : [ext.audience];
+        const matches = audiences.some((aud) => audienceMatches(resourceServer, aud));
+        if (!matches) {
+          return this.createErrorResponse("invalid_token", "Token audience does not match resource server", 401, {
+            "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token", error_description="Invalid audience"'
+          });
+        }
+      }
+      ctx.props = ext.props;
     }
-    const encryptionKey = await unwrapKeyWithToken(accessToken, tokenData.wrappedEncryptionKey);
-    const decryptedProps = await decryptProps(encryptionKey, tokenData.grant.encryptedProps);
-    ctx.props = decryptedProps;
     if (!env.OAUTH_PROVIDER) {
       env.OAUTH_PROVIDER = this.createOAuthHelpers(env);
     }
@@ -962,6 +1070,17 @@ var OAuthProviderImpl = class {
   createOAuthHelpers(env) {
     return new OAuthHelpersImpl(env, this);
   }
+  /**
+   * Saves a grant to KV with appropriate TTL based on expiration
+   * @param env - The environment bindings
+   * @param grantKey - The KV key for the grant
+   * @param grantData - The grant data to save
+   * @param now - Current timestamp in seconds
+   */
+  async saveGrantWithTTL(env, grantKey, grantData, now) {
+    const kvOptions = grantData.expiresAt !== void 0 ? { expiration: grantData.expiresAt } : {};
+    await env.OAUTH_KV.put(grantKey, JSON.stringify(grantData), kvOptions);
+  }
   /**
    * Fetches client information from KV storage
    * This method is not private because `OAuthHelpers` needs to call it. Note that since
@@ -1001,11 +1120,46 @@ var OAuthProviderImpl = class {
 };
 var DEFAULT_ACCESS_TOKEN_TTL = 60 * 60;
 var TOKEN_LENGTH = 32;
+function validateResourceUri(uri) {
+  if (!uri || typeof uri !== "string") {
+    return false;
+  }
+  try {
+    const parsed = new URL(uri);
+    if (!parsed.protocol) {
+      return false;
+    }
+    if (parsed.hash) {
+      return false;
+    }
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+function audienceMatches(resourceServerUrl, audienceValue) {
+  return resourceServerUrl === audienceValue;
+}
+function parseResourceParameter(value) {
+  if (!value) {
+    return void 0;
+  }
+  const uris = Array.isArray(value) ? value : [value];
+  for (const uri of uris) {
+    if (typeof uri !== "string" || !validateResourceUri(uri)) {
+      return void 0;
+    }
+  }
+  return value;
+}
 async function hashSecret(secret) {
   return generateTokenId(secret);
 }
 function generateRandomString(length) {
-  const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
   let result = "";
   const values = new Uint8Array(length);
   crypto.getRandomValues(values);
@@ -1022,6 +1176,26 @@ async function generateTokenId(token) {
   const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
   return hashHex;
 }
+function validateRedirectUriScheme(redirectUri) {
+  const dangerousSchemes = ["javascript:", "data:", "vbscript:", "file:", "mailto:", "blob:"];
+  const normalized = redirectUri.trim();
+  for (let i = 0; i < normalized.length; i++) {
+    const code = normalized.charCodeAt(i);
+    if (code >= 0 && code <= 31 || code >= 127 && code <= 159) {
+      throw new Error("Invalid redirect URI");
+    }
+  }
+  const colonIndex = normalized.indexOf(":");
+  if (colonIndex === -1) {
+    throw new Error("Invalid redirect URI");
+  }
+  const scheme = normalized.substring(0, colonIndex + 1).toLowerCase();
+  for (const dangerousScheme of dangerousSchemes) {
+    if (scheme === dangerousScheme) {
+      throw new Error("Invalid redirect URI");
+    }
+  }
+}
 function base64UrlEncode(str) {
   return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
@@ -1174,8 +1348,12 @@ var OAuthHelpersImpl = class {
     const state = url.searchParams.get("state") || "";
     const codeChallenge = url.searchParams.get("code_challenge") || void 0;
     const codeChallengeMethod = url.searchParams.get("code_challenge_method") || "plain";
-    if (!redirectUri.startsWith("http://") && !redirectUri.startsWith("https://")) {
-      throw new Error("Invalid redirect URI");
+    const resourceParams = url.searchParams.getAll("resource");
+    const resourceParam = resourceParams.length > 0 ? resourceParams.length === 1 ? resourceParams[0] : resourceParams : void 0;
+    validateRedirectUriScheme(redirectUri);
+    const resource = parseResourceParameter(resourceParam);
+    if (resourceParam && !resource) {
+      throw new Error("The resource parameter must be a valid absolute URI without a fragment");
     }
     if (responseType === "token" && !this.provider.options.allowImplicitFlow) {
       throw new Error("The implicit grant flow is not enabled for this provider");
@@ -1200,7 +1378,8 @@ var OAuthHelpersImpl = class {
       scope,
       state,
       codeChallenge,
-      codeChallengeMethod
+      codeChallengeMethod,
+      resource
     };
   }
   /**
@@ -1219,6 +1398,16 @@ var OAuthHelpersImpl = class {
    * @returns A Promise resolving to an object containing the redirect URL
    */
   async completeAuthorization(options) {
+    const { clientId, redirectUri } = options.request;
+    if (!clientId || !redirectUri) {
+      throw new Error("Client ID and Redirect URI are required in the authorization request.");
+    }
+    const clientInfo = await this.lookupClient(clientId);
+    if (!clientInfo || !clientInfo.redirectUris.includes(redirectUri)) {
+      throw new Error(
+        "Invalid redirect URI. The redirect URI provided does not match any registered URI for this client."
+      );
+    }
     const grantId = generateRandomString(16);
     const { encryptedData, key: encryptionKey } = await encryptProps(options.props);
     const now = Math.floor(Date.now() / 1e3);
@@ -1229,6 +1418,10 @@ var OAuthHelpersImpl = class {
       const accessTokenTTL = this.provider.options.accessTokenTTL || DEFAULT_ACCESS_TOKEN_TTL;
       const accessTokenExpiresAt = now + accessTokenTTL;
       const accessTokenWrappedKey = await wrapKeyWithToken(accessToken, encryptionKey);
+      const audience = parseResourceParameter(options.request.resource);
+      if (options.request.resource && !audience) {
+        throw new Error("The resource parameter must be a valid absolute URI without a fragment");
+      }
       const grant = {
         id: grantId,
         clientId: options.request.clientId,
@@ -1236,7 +1429,8 @@ var OAuthHelpersImpl = class {
         scope: options.scope,
         metadata: options.metadata,
         encryptedProps: encryptedData,
-        createdAt: now
+        createdAt: now,
+        resource: options.request.resource
       };
       const grantKey = `grant:${options.userId}:${grantId}`;
       await this.env.OAUTH_KV.put(grantKey, JSON.stringify(grant));
@@ -1246,6 +1440,7 @@ var OAuthHelpersImpl = class {
         userId: options.userId,
         createdAt: now,
         expiresAt: accessTokenExpiresAt,
+        audience,
         wrappedEncryptionKey: accessTokenWrappedKey,
         grant: {
           clientId: options.request.clientId,
@@ -1288,7 +1483,8 @@ var OAuthHelpersImpl = class {
         // Store the wrapped key
         // Store PKCE parameters if provided
         codeChallenge: options.request.codeChallenge,
-        codeChallengeMethod: options.request.codeChallengeMethod
+        codeChallengeMethod: options.request.codeChallengeMethod,
+        resource: options.request.resource
       };
       const grantKey = `grant:${options.userId}:${grantId}`;
       const codeExpiresIn = 600;
@@ -1325,6 +1521,9 @@ var OAuthHelpersImpl = class {
       registrationDate: Math.floor(Date.now() / 1e3),
       tokenEndpointAuthMethod
     };
+    for (const uri of newClient.redirectUris) {
+      validateRedirectUriScheme(uri);
+    }
     let clientSecret;
     if (!isPublicClient) {
       clientSecret = generateRandomString(32);
@@ -1444,7 +1643,8 @@ var OAuthHelpersImpl = class {
           userId: grantData.userId,
           scope: grantData.scope,
           metadata: grantData.metadata,
-          createdAt: grantData.createdAt
+          createdAt: grantData.createdAt,
+          expiresAt: grantData.expiresAt
         };
         grantSummaries.push(summary);
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.0.0-75d3fe2",
+  "version": "0.0.0-818a557",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",