@cloudflare/workers-oauth-provider 0.0.0-b7784c7 → 0.0.0-f2b1372

package/dist/oauth-provider.d.ts

@@ -94,6 +94,12 @@ interface ResolveExternalTokenResult {
      * These properties are set in the execution context (ctx.props) when the external token is validated
      */
     props: any;
+    /**
+     * Audience claim from the external token (RFC 7519 Section 4.1.3)
+     * If provided, will be validated against the resource server identity
+     *
+     */
+    audience?: string | string[];
 }
 interface OAuthProviderOptions {
     /**
@@ -304,6 +310,10 @@ interface AuthRequest {
      * PKCE code challenge method (plain or S256)
      */
     codeChallengeMethod?: string;
+    /**
+     * Resource parameter indicating target resource(s) (RFC 8707)
+     */
+    resource?: string | string[];
 }
 /**
  * OAuth client registration information
@@ -472,6 +482,11 @@ interface Grant {
      * Only present during the authorization code exchange process
      */
     codeChallengeMethod?: string;
+    /**
+     * Resource parameter from authorization request (RFC 8707 Section 2.1)
+     * Indicates the protected resource(s) for which access is requested
+     */
+    resource?: string | string[];
 }
 /**
  * Token record stored in KV
@@ -500,6 +515,11 @@ interface Token {
      * Unix timestamp when the token expires
      */
     expiresAt: number;
+    /**
+     * Intended audience for this token (RFC 7519 Section 4.1.3)
+     * Can be a single string or array of strings
+     */
+    audience?: string | string[];
     /**
      * The encryption key for props, wrapped with this token
      */

package/dist/oauth-provider.js

@@ -231,7 +231,8 @@ var OAuthProviderImpl = class {
     }
     const formData = await request.formData();
     for (const [key, value] of formData.entries()) {
-      body[key] = value;
+      const allValues = formData.getAll(key);
+      body[key] = allValues.length > 1 ? allValues : value;
     }
     const authHeader = request.headers.get("Authorization");
     let clientId = "";
@@ -549,12 +550,32 @@ var OAuthProviderImpl = class {
       grantData.expiresAt = expiresAt;
     }
     await this.saveGrantWithTTL(env, grantKey, grantData, now);
+    if (body.resource && grantData.resource) {
+      const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
+      const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
+      for (const requested of requestedResources) {
+        if (!grantedResources.includes(requested)) {
+          return this.createErrorResponse(
+            "invalid_target",
+            "Requested resource was not included in the authorization request"
+          );
+        }
+      }
+    }
+    const audience = parseResourceParameter(body.resource || grantData.resource);
+    if ((body.resource || grantData.resource) && !audience) {
+      return this.createErrorResponse(
+        "invalid_target",
+        "The resource parameter must be a valid absolute URI without a fragment"
+      );
+    }
     const accessTokenData = {
       id: accessTokenId,
       grantId,
       userId,
       createdAt: now,
       expiresAt: accessTokenExpiresAt,
+      audience,
       wrappedEncryptionKey: accessTokenWrappedKey,
       grant: {
         clientId: grantData.clientId,
@@ -574,6 +595,9 @@ var OAuthProviderImpl = class {
     if (refreshToken) {
       tokenResponse.refresh_token = refreshToken;
     }
+    if (audience) {
+      tokenResponse.resource = audience;
+    }
     return new Response(JSON.stringify(tokenResponse), {
       headers: { "Content-Type": "application/json" }
     });
@@ -701,12 +725,32 @@ var OAuthProviderImpl = class {
     grantData.refreshTokenId = newRefreshTokenId;
     grantData.refreshTokenWrappedKey = newRefreshTokenWrappedKey;
     await this.saveGrantWithTTL(env, grantKey, grantData, now);
+    if (body.resource && grantData.resource) {
+      const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
+      const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
+      for (const requested of requestedResources) {
+        if (!grantedResources.includes(requested)) {
+          return this.createErrorResponse(
+            "invalid_target",
+            "Requested resource was not included in the authorization request"
+          );
+        }
+      }
+    }
+    const audience = parseResourceParameter(body.resource || grantData.resource);
+    if ((body.resource || grantData.resource) && !audience) {
+      return this.createErrorResponse(
+        "invalid_target",
+        "The resource parameter must be a valid absolute URI without a fragment"
+      );
+    }
     const accessTokenData = {
       id: accessTokenId,
       grantId,
       userId,
       createdAt: now,
       expiresAt: accessTokenExpiresAt,
+      audience,
       wrappedEncryptionKey: accessTokenWrappedKey,
       grant: {
         clientId: grantData.clientId,
@@ -724,6 +768,9 @@ var OAuthProviderImpl = class {
       refresh_token: newRefreshToken,
       scope: grantData.scope.join(" ")
     };
+    if (audience) {
+      tokenResponse.resource = audience;
+    }
     return new Response(JSON.stringify(tokenResponse), {
       headers: { "Content-Type": "application/json" }
     });
@@ -876,6 +923,9 @@ var OAuthProviderImpl = class {
       if (!redirectUris || redirectUris.length === 0) {
         throw new Error("At least one redirect URI is required");
       }
+      for (const uri of redirectUris) {
+        validateRedirectUriScheme(uri);
+      }
       clientInfo = {
         clientId,
         redirectUris,
@@ -962,6 +1012,17 @@ var OAuthProviderImpl = class {
           "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
         });
       }
+      if (tokenData.audience) {
+        const requestUrl = new URL(request.url);
+        const resourceServer = `${requestUrl.protocol}//${requestUrl.host}`;
+        const audiences = Array.isArray(tokenData.audience) ? tokenData.audience : [tokenData.audience];
+        const matches = audiences.some((aud) => audienceMatches(resourceServer, aud));
+        if (!matches) {
+          return this.createErrorResponse("invalid_token", "Token audience does not match resource server", 401, {
+            "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token", error_description="Invalid audience"'
+          });
+        }
+      }
       const encryptionKey = await unwrapKeyWithToken(accessToken, tokenData.wrappedEncryptionKey);
       const decryptedProps = await decryptProps(encryptionKey, tokenData.grant.encryptedProps);
       ctx.props = decryptedProps;
@@ -972,6 +1033,17 @@ var OAuthProviderImpl = class {
           "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
         });
       }
+      if (ext.audience) {
+        const requestUrl = new URL(request.url);
+        const resourceServer = `${requestUrl.protocol}//${requestUrl.host}`;
+        const audiences = Array.isArray(ext.audience) ? ext.audience : [ext.audience];
+        const matches = audiences.some((aud) => audienceMatches(resourceServer, aud));
+        if (!matches) {
+          return this.createErrorResponse("invalid_token", "Token audience does not match resource server", 401, {
+            "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token", error_description="Invalid audience"'
+          });
+        }
+      }
       ctx.props = ext.props;
     }
     if (!env.OAUTH_PROVIDER) {
@@ -1048,6 +1120,41 @@ var OAuthProviderImpl = class {
 };
 var DEFAULT_ACCESS_TOKEN_TTL = 60 * 60;
 var TOKEN_LENGTH = 32;
+function validateResourceUri(uri) {
+  if (!uri || typeof uri !== "string") {
+    return false;
+  }
+  try {
+    const parsed = new URL(uri);
+    if (!parsed.protocol) {
+      return false;
+    }
+    if (parsed.hash) {
+      return false;
+    }
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+function audienceMatches(resourceServerUrl, audienceValue) {
+  return resourceServerUrl === audienceValue;
+}
+function parseResourceParameter(value) {
+  if (!value) {
+    return void 0;
+  }
+  const uris = Array.isArray(value) ? value : [value];
+  for (const uri of uris) {
+    if (typeof uri !== "string" || !validateResourceUri(uri)) {
+      return void 0;
+    }
+  }
+  return value;
+}
 async function hashSecret(secret) {
   return generateTokenId(secret);
 }
@@ -1069,6 +1176,26 @@ async function generateTokenId(token) {
   const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
   return hashHex;
 }
+function validateRedirectUriScheme(redirectUri) {
+  const dangerousSchemes = ["javascript:", "data:", "vbscript:", "file:", "mailto:", "blob:"];
+  const normalized = redirectUri.trim();
+  for (let i = 0; i < normalized.length; i++) {
+    const code = normalized.charCodeAt(i);
+    if (code >= 0 && code <= 31 || code >= 127 && code <= 159) {
+      throw new Error("Invalid redirect URI");
+    }
+  }
+  const colonIndex = normalized.indexOf(":");
+  if (colonIndex === -1) {
+    throw new Error("Invalid redirect URI");
+  }
+  const scheme = normalized.substring(0, colonIndex + 1).toLowerCase();
+  for (const dangerousScheme of dangerousSchemes) {
+    if (scheme === dangerousScheme) {
+      throw new Error("Invalid redirect URI");
+    }
+  }
+}
 function base64UrlEncode(str) {
   return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
@@ -1221,8 +1348,12 @@ var OAuthHelpersImpl = class {
     const state = url.searchParams.get("state") || "";
     const codeChallenge = url.searchParams.get("code_challenge") || void 0;
     const codeChallengeMethod = url.searchParams.get("code_challenge_method") || "plain";
-    if (redirectUri.startsWith("javascript:") || redirectUri.startsWith("data:") || redirectUri.startsWith("vbscript:") || redirectUri.startsWith("file:") || redirectUri.startsWith("mailto:") || redirectUri.startsWith("blob:")) {
-      throw new Error("Invalid redirect URI");
+    const resourceParams = url.searchParams.getAll("resource");
+    const resourceParam = resourceParams.length > 0 ? resourceParams.length === 1 ? resourceParams[0] : resourceParams : void 0;
+    validateRedirectUriScheme(redirectUri);
+    const resource = parseResourceParameter(resourceParam);
+    if (resourceParam && !resource) {
+      throw new Error("The resource parameter must be a valid absolute URI without a fragment");
     }
     if (responseType === "token" && !this.provider.options.allowImplicitFlow) {
       throw new Error("The implicit grant flow is not enabled for this provider");
@@ -1247,7 +1378,8 @@ var OAuthHelpersImpl = class {
       scope,
       state,
       codeChallenge,
-      codeChallengeMethod
+      codeChallengeMethod,
+      resource
     };
   }
   /**
@@ -1266,6 +1398,16 @@ var OAuthHelpersImpl = class {
    * @returns A Promise resolving to an object containing the redirect URL
    */
   async completeAuthorization(options) {
+    const { clientId, redirectUri } = options.request;
+    if (!clientId || !redirectUri) {
+      throw new Error("Client ID and Redirect URI are required in the authorization request.");
+    }
+    const clientInfo = await this.lookupClient(clientId);
+    if (!clientInfo || !clientInfo.redirectUris.includes(redirectUri)) {
+      throw new Error(
+        "Invalid redirect URI. The redirect URI provided does not match any registered URI for this client."
+      );
+    }
     const grantId = generateRandomString(16);
     const { encryptedData, key: encryptionKey } = await encryptProps(options.props);
     const now = Math.floor(Date.now() / 1e3);
@@ -1276,6 +1418,10 @@ var OAuthHelpersImpl = class {
       const accessTokenTTL = this.provider.options.accessTokenTTL || DEFAULT_ACCESS_TOKEN_TTL;
       const accessTokenExpiresAt = now + accessTokenTTL;
       const accessTokenWrappedKey = await wrapKeyWithToken(accessToken, encryptionKey);
+      const audience = parseResourceParameter(options.request.resource);
+      if (options.request.resource && !audience) {
+        throw new Error("The resource parameter must be a valid absolute URI without a fragment");
+      }
       const grant = {
         id: grantId,
         clientId: options.request.clientId,
@@ -1283,7 +1429,8 @@ var OAuthHelpersImpl = class {
         scope: options.scope,
         metadata: options.metadata,
         encryptedProps: encryptedData,
-        createdAt: now
+        createdAt: now,
+        resource: options.request.resource
       };
       const grantKey = `grant:${options.userId}:${grantId}`;
       await this.env.OAUTH_KV.put(grantKey, JSON.stringify(grant));
@@ -1293,6 +1440,7 @@ var OAuthHelpersImpl = class {
         userId: options.userId,
         createdAt: now,
         expiresAt: accessTokenExpiresAt,
+        audience,
         wrappedEncryptionKey: accessTokenWrappedKey,
         grant: {
           clientId: options.request.clientId,
@@ -1335,7 +1483,8 @@ var OAuthHelpersImpl = class {
         // Store the wrapped key
         // Store PKCE parameters if provided
         codeChallenge: options.request.codeChallenge,
-        codeChallengeMethod: options.request.codeChallengeMethod
+        codeChallengeMethod: options.request.codeChallengeMethod,
+        resource: options.request.resource
       };
       const grantKey = `grant:${options.userId}:${grantId}`;
       const codeExpiresIn = 600;
@@ -1372,6 +1521,9 @@ var OAuthHelpersImpl = class {
       registrationDate: Math.floor(Date.now() / 1e3),
       tokenEndpointAuthMethod
     };
+    for (const uri of newClient.redirectUris) {
+      validateRedirectUriScheme(uri);
+    }
     let clientSecret;
     if (!isPublicClient) {
       clientSecret = generateRandomString(32);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.0.0-b7784c7",
+  "version": "0.0.0-f2b1372",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",