@cloudflare/workers-oauth-provider 0.0.13 → 0.1.0

package/dist/oauth-provider.d.ts

@@ -94,6 +94,12 @@ interface ResolveExternalTokenResult {
      * These properties are set in the execution context (ctx.props) when the external token is validated
      */
     props: any;
+    /**
+     * Audience claim from the external token (RFC 7519 Section 4.1.3)
+     * If provided, will be validated against the resource server identity
+     *
+     */
+    audience?: string | string[];
 }
 interface OAuthProviderOptions {
     /**
@@ -304,6 +310,10 @@ interface AuthRequest {
      * PKCE code challenge method (plain or S256)
      */
     codeChallengeMethod?: string;
+    /**
+     * Resource parameter indicating target resource(s) (RFC 8707)
+     */
+    resource?: string | string[];
 }
 /**
  * OAuth client registration information
@@ -472,6 +482,11 @@ interface Grant {
      * Only present during the authorization code exchange process
      */
     codeChallengeMethod?: string;
+    /**
+     * Resource parameter from authorization request (RFC 8707 Section 2.1)
+     * Indicates the protected resource(s) for which access is requested
+     */
+    resource?: string | string[];
 }
 /**
  * Token record stored in KV
@@ -500,6 +515,11 @@ interface Token {
      * Unix timestamp when the token expires
      */
     expiresAt: number;
+    /**
+     * Intended audience for this token (RFC 7519 Section 4.1.3)
+     * Can be a single string or array of strings
+     */
+    audience?: string | string[];
     /**
      * The encryption key for props, wrapped with this token
      */

package/dist/oauth-provider.js

@@ -231,7 +231,8 @@ var OAuthProviderImpl = class {
     }
     const formData = await request.formData();
     for (const [key, value] of formData.entries()) {
-      body[key] = value;
+      const allValues = formData.getAll(key);
+      body[key] = allValues.length > 1 ? allValues : value;
     }
     const authHeader = request.headers.get("Authorization");
     let clientId = "";
@@ -549,12 +550,32 @@ var OAuthProviderImpl = class {
       grantData.expiresAt = expiresAt;
     }
     await this.saveGrantWithTTL(env, grantKey, grantData, now);
+    if (body.resource && grantData.resource) {
+      const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
+      const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
+      for (const requested of requestedResources) {
+        if (!grantedResources.includes(requested)) {
+          return this.createErrorResponse(
+            "invalid_target",
+            "Requested resource was not included in the authorization request"
+          );
+        }
+      }
+    }
+    const audience = parseResourceParameter(body.resource || grantData.resource);
+    if ((body.resource || grantData.resource) && !audience) {
+      return this.createErrorResponse(
+        "invalid_target",
+        "The resource parameter must be a valid absolute URI without a fragment"
+      );
+    }
     const accessTokenData = {
       id: accessTokenId,
       grantId,
       userId,
       createdAt: now,
       expiresAt: accessTokenExpiresAt,
+      audience,
       wrappedEncryptionKey: accessTokenWrappedKey,
       grant: {
         clientId: grantData.clientId,
@@ -574,6 +595,9 @@ var OAuthProviderImpl = class {
     if (refreshToken) {
       tokenResponse.refresh_token = refreshToken;
     }
+    if (audience) {
+      tokenResponse.resource = audience;
+    }
     return new Response(JSON.stringify(tokenResponse), {
       headers: { "Content-Type": "application/json" }
     });
@@ -701,12 +725,32 @@ var OAuthProviderImpl = class {
     grantData.refreshTokenId = newRefreshTokenId;
     grantData.refreshTokenWrappedKey = newRefreshTokenWrappedKey;
     await this.saveGrantWithTTL(env, grantKey, grantData, now);
+    if (body.resource && grantData.resource) {
+      const requestedResources = Array.isArray(body.resource) ? body.resource : [body.resource];
+      const grantedResources = Array.isArray(grantData.resource) ? grantData.resource : [grantData.resource];
+      for (const requested of requestedResources) {
+        if (!grantedResources.includes(requested)) {
+          return this.createErrorResponse(
+            "invalid_target",
+            "Requested resource was not included in the authorization request"
+          );
+        }
+      }
+    }
+    const audience = parseResourceParameter(body.resource || grantData.resource);
+    if ((body.resource || grantData.resource) && !audience) {
+      return this.createErrorResponse(
+        "invalid_target",
+        "The resource parameter must be a valid absolute URI without a fragment"
+      );
+    }
     const accessTokenData = {
       id: accessTokenId,
       grantId,
       userId,
       createdAt: now,
       expiresAt: accessTokenExpiresAt,
+      audience,
       wrappedEncryptionKey: accessTokenWrappedKey,
       grant: {
         clientId: grantData.clientId,
@@ -724,6 +768,9 @@ var OAuthProviderImpl = class {
       refresh_token: newRefreshToken,
       scope: grantData.scope.join(" ")
     };
+    if (audience) {
+      tokenResponse.resource = audience;
+    }
     return new Response(JSON.stringify(tokenResponse), {
       headers: { "Content-Type": "application/json" }
     });
@@ -965,6 +1012,17 @@ var OAuthProviderImpl = class {
           "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
         });
       }
+      if (tokenData.audience) {
+        const requestUrl = new URL(request.url);
+        const resourceServer = `${requestUrl.protocol}//${requestUrl.host}`;
+        const audiences = Array.isArray(tokenData.audience) ? tokenData.audience : [tokenData.audience];
+        const matches = audiences.some((aud) => audienceMatches(resourceServer, aud));
+        if (!matches) {
+          return this.createErrorResponse("invalid_token", "Token audience does not match resource server", 401, {
+            "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token", error_description="Invalid audience"'
+          });
+        }
+      }
       const encryptionKey = await unwrapKeyWithToken(accessToken, tokenData.wrappedEncryptionKey);
       const decryptedProps = await decryptProps(encryptionKey, tokenData.grant.encryptedProps);
       ctx.props = decryptedProps;
@@ -975,6 +1033,17 @@ var OAuthProviderImpl = class {
           "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token"'
         });
       }
+      if (ext.audience) {
+        const requestUrl = new URL(request.url);
+        const resourceServer = `${requestUrl.protocol}//${requestUrl.host}`;
+        const audiences = Array.isArray(ext.audience) ? ext.audience : [ext.audience];
+        const matches = audiences.some((aud) => audienceMatches(resourceServer, aud));
+        if (!matches) {
+          return this.createErrorResponse("invalid_token", "Token audience does not match resource server", 401, {
+            "WWW-Authenticate": 'Bearer realm="OAuth", error="invalid_token", error_description="Invalid audience"'
+          });
+        }
+      }
       ctx.props = ext.props;
     }
     if (!env.OAUTH_PROVIDER) {
@@ -1051,6 +1120,41 @@ var OAuthProviderImpl = class {
 };
 var DEFAULT_ACCESS_TOKEN_TTL = 60 * 60;
 var TOKEN_LENGTH = 32;
+function validateResourceUri(uri) {
+  if (!uri || typeof uri !== "string") {
+    return false;
+  }
+  try {
+    const parsed = new URL(uri);
+    if (!parsed.protocol) {
+      return false;
+    }
+    if (parsed.hash) {
+      return false;
+    }
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+function audienceMatches(resourceServerUrl, audienceValue) {
+  return resourceServerUrl === audienceValue;
+}
+function parseResourceParameter(value) {
+  if (!value) {
+    return void 0;
+  }
+  const uris = Array.isArray(value) ? value : [value];
+  for (const uri of uris) {
+    if (typeof uri !== "string" || !validateResourceUri(uri)) {
+      return void 0;
+    }
+  }
+  return value;
+}
 async function hashSecret(secret) {
   return generateTokenId(secret);
 }
@@ -1244,7 +1348,13 @@ var OAuthHelpersImpl = class {
     const state = url.searchParams.get("state") || "";
     const codeChallenge = url.searchParams.get("code_challenge") || void 0;
     const codeChallengeMethod = url.searchParams.get("code_challenge_method") || "plain";
+    const resourceParams = url.searchParams.getAll("resource");
+    const resourceParam = resourceParams.length > 0 ? resourceParams.length === 1 ? resourceParams[0] : resourceParams : void 0;
     validateRedirectUriScheme(redirectUri);
+    const resource = parseResourceParameter(resourceParam);
+    if (resourceParam && !resource) {
+      throw new Error("The resource parameter must be a valid absolute URI without a fragment");
+    }
     if (responseType === "token" && !this.provider.options.allowImplicitFlow) {
       throw new Error("The implicit grant flow is not enabled for this provider");
     }
@@ -1268,7 +1378,8 @@ var OAuthHelpersImpl = class {
       scope,
       state,
       codeChallenge,
-      codeChallengeMethod
+      codeChallengeMethod,
+      resource
     };
   }
   /**
@@ -1307,6 +1418,10 @@ var OAuthHelpersImpl = class {
       const accessTokenTTL = this.provider.options.accessTokenTTL || DEFAULT_ACCESS_TOKEN_TTL;
       const accessTokenExpiresAt = now + accessTokenTTL;
       const accessTokenWrappedKey = await wrapKeyWithToken(accessToken, encryptionKey);
+      const audience = parseResourceParameter(options.request.resource);
+      if (options.request.resource && !audience) {
+        throw new Error("The resource parameter must be a valid absolute URI without a fragment");
+      }
       const grant = {
         id: grantId,
         clientId: options.request.clientId,
@@ -1314,7 +1429,8 @@ var OAuthHelpersImpl = class {
         scope: options.scope,
         metadata: options.metadata,
         encryptedProps: encryptedData,
-        createdAt: now
+        createdAt: now,
+        resource: options.request.resource
       };
       const grantKey = `grant:${options.userId}:${grantId}`;
       await this.env.OAUTH_KV.put(grantKey, JSON.stringify(grant));
@@ -1324,6 +1440,7 @@ var OAuthHelpersImpl = class {
         userId: options.userId,
         createdAt: now,
         expiresAt: accessTokenExpiresAt,
+        audience,
         wrappedEncryptionKey: accessTokenWrappedKey,
         grant: {
           clientId: options.request.clientId,
@@ -1366,7 +1483,8 @@ var OAuthHelpersImpl = class {
         // Store the wrapped key
         // Store PKCE parameters if provided
         codeChallenge: options.request.codeChallenge,
-        codeChallengeMethod: options.request.codeChallengeMethod
+        codeChallengeMethod: options.request.codeChallengeMethod,
+        resource: options.request.resource
       };
       const grantKey = `grant:${options.userId}:${grantId}`;
       const codeExpiresIn = 600;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.0.13",
+  "version": "0.1.0",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",