npm - @cloudflare/workers-oauth-provider - Versions diffs - 0.7.0 → 0.7.2 - Mend

@cloudflare/workers-oauth-provider 0.7.0 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -390,6 +390,19 @@ Setup:
 The AS enforces `resolved.issuer === iss` (confused-deputy guard) and validates ID-JAG `typ`, signature, audience, client binding, resource, `exp` / `iat` / `nbf`, max lifetime, and `jti` replay. Refresh tokens are not issued for this grant — the ID-JAG itself is the renewable assertion.
+### Public clients
+By default the EMA grant requires client authentication, so public clients (`token_endpoint_auth_method: 'none'`) are rejected. Set `allowPublicClients: true` to also accept them:
+```ts
+enterpriseManagedAuthorization: {
+  allowPublicClients: true,
+  // ... trustedIssuers, mapClaims ...
+}
+```
+This is useful for clients registered via a [Client ID Metadata Document (CIMD)](https://modelcontextprotocol.io/), which are always public and therefore cannot present a client secret. With this enabled, trust rests on the IdP-issued, signature-verified, short-lived, single-use ID-JAG assertion (audience-, resource-, and client-bound) rather than on a separately presented client secret. Leave it unset (default `false`) to keep the spec-default behavior of requiring client authentication.
 Experimental — the MCP extension is still a draft.
 ## Custom Error Responses

package/dist/oauth-provider.d.ts CHANGED Viewed

@@ -269,6 +269,22 @@ interface EmaOptions<Env = Cloudflare.Env> {
   clockSkewSeconds?: number;
   /** Maximum accepted assertion lifetime in seconds. Defaults to 300 seconds. */
   maxAssertionLifetimeSeconds?: number;
+  /**
+   * Allow public clients (`token_endpoint_auth_method: 'none'`) to use the
+   * enterprise-managed authorization (ID-JAG) grant.
+   *
+   * Defaults to `false`. By default the EMA grant requires client
+   * authentication, matching the MCP enterprise-managed-authorization draft.
+   *
+   * Set to `true` to also accept public clients on this grant — for example
+   * clients registered via a Client ID Metadata Document (CIMD), which are
+   * always public (`none`) and therefore cannot present a client secret. The
+   * security trade-off is documented in the README: the trust then rests on
+   * the IdP-issued, signature-verified, short-lived, single-use ID-JAG
+   * assertion (audience-, resource-, and client-bound) rather than on a
+   * separately presented client secret.
+   */
+  allowPublicClients?: boolean;
 }
 //#endregion
 //#region src/oauth-provider.d.ts
@@ -809,6 +825,18 @@ interface ClientInfo {
    * URL to the client's JSON Web Key Set for validating signatures
    */
   jwksUri?: string;
+  /**
+   * RFC 7591 §2.2 internationalized variants of the human-readable client
+   * metadata fields, keyed by the raw member name including its BCP 47 language
+   * tag (e.g. `"client_name#ja"`, `"tos_uri#fr"`).
+   *
+   * Only the human-readable fields the RFC names are captured here:
+   * `client_name`, `client_uri`, `logo_uri`, `tos_uri`, and `policy_uri`.
+   * The canonical (un-tagged) values continue to live in their own typed
+   * fields above; this map holds only the locale-specific variants so that
+   * consumers can perform their own locale selection.
+   */
+  i18n?: Record<string, string>;
   /**
    * List of email addresses for contacting the client developers
    */

package/dist/oauth-provider.js CHANGED Viewed

@@ -1601,7 +1601,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 	async handleJwtBearerGrant(body, clientInfo, env, requestUrl, request) {
 		const enterpriseOptions = this.options.enterpriseManagedAuthorization;
 		if (!enterpriseOptions) return this.createErrorResponse("unsupported_grant_type", { description: "Grant type not supported" });
-		if (clientInfo.tokenEndpointAuthMethod === "none") return this.createErrorResponse("invalid_client", {
+		if (clientInfo.tokenEndpointAuthMethod === "none" && !enterpriseOptions.allowPublicClients) return this.createErrorResponse("invalid_client", {
 			description: "Enterprise-managed authorization requires client authentication",
 			statusCode: 401
 		});
@@ -1921,12 +1921,13 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 			clientInfo = {
 				clientId,
 				redirectUris,
-				clientName: OAuthProviderImpl.validateStringField(clientMetadata.client_name),
-				logoUri: OAuthProviderImpl.validateStringField(clientMetadata.logo_uri),
-				clientUri: OAuthProviderImpl.validateStringField(clientMetadata.client_uri),
-				policyUri: OAuthProviderImpl.validateStringField(clientMetadata.policy_uri),
-				tosUri: OAuthProviderImpl.validateStringField(clientMetadata.tos_uri),
-				jwksUri: OAuthProviderImpl.validateStringField(clientMetadata.jwks_uri),
+				clientName: OAuthProviderImpl.validateStringField(clientMetadata.client_name, "client_name"),
+				logoUri: OAuthProviderImpl.validateOptionalUriField(clientMetadata.logo_uri, "logo_uri"),
+				clientUri: OAuthProviderImpl.validateOptionalUriField(clientMetadata.client_uri, "client_uri"),
+				policyUri: OAuthProviderImpl.validateOptionalUriField(clientMetadata.policy_uri, "policy_uri"),
+				tosUri: OAuthProviderImpl.validateOptionalUriField(clientMetadata.tos_uri, "tos_uri"),
+				jwksUri: OAuthProviderImpl.validateOptionalUriField(clientMetadata.jwks_uri, "jwks_uri"),
+				i18n: OAuthProviderImpl.extractI18nFields(clientMetadata),
 				contacts: OAuthProviderImpl.validateStringArray(clientMetadata.contacts),
 				grantTypes: OAuthProviderImpl.validateStringArray(clientMetadata.grant_types) || [
 					GrantType.AUTHORIZATION_CODE,
@@ -1960,6 +1961,9 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 			registration_client_uri: `${this.options.clientRegistrationEndpoint}/${clientId}`,
 			client_id_issued_at: clientInfo.registrationDate
 		};
+		if (clientInfo.i18n) {
+			for (const [key, value] of Object.entries(clientInfo.i18n)) if (!(key in response)) response[key] = value;
+		}
 		if (clientSecret) {
 			response.client_secret = clientSecret;
 			response.client_secret_expires_at = this.options.clientRegistrationTTL && clientInfo.registrationDate ? clientInfo.registrationDate + this.options.clientRegistrationTTL : 0;
@@ -2203,6 +2207,70 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 		return field;
 	}
 	/**
+	* Validates that a field is an optional URI string using a safe scheme.
+	*
+	* Client metadata URI fields (e.g. logo_uri, client_uri, policy_uri, tos_uri,
+	* jwks_uri) are frequently rendered into HTML attributes such as `<a href>` or
+	* `<img src>` on consent screens. Permitting non-http(s) schemes such as
+	* `javascript:` or `data:` would allow script execution in that context, so we
+	* require an absolute http: or https: URL here, matching how redirect URIs are
+	* already restricted.
+	*
+	* @param field - The field to validate
+	* @param fieldName - Name of the field for error messages
+	* @returns The validated URI string or undefined
+	* @throws Error if the field is not a string or is not an absolute http(s) URL
+	*/
+	static validateOptionalUriField(field, fieldName) {
+		const value = OAuthProviderImpl.validateStringField(field, fieldName);
+		if (value === void 0) return void 0;
+		let parsed;
+		try {
+			parsed = new URL(value);
+		} catch {
+			throw new Error(`Invalid ${fieldName}: must be an absolute http: or https: URL`);
+		}
+		if (parsed.protocol !== "http:" && parsed.protocol !== "https:") throw new Error(`Invalid ${fieldName}: must be an absolute http: or https: URL`);
+		return value;
+	}
+	static {
+		this.I18N_FIELDS = {
+			client_name: "string",
+			client_uri: "uri",
+			logo_uri: "uri",
+			tos_uri: "uri",
+			policy_uri: "uri"
+		};
+	}
+	/**
+	* Extracts RFC 7591 §2.2 internationalized metadata variants from a raw
+	* registration payload.
+	*
+	* Localized variants are expressed by appending a `#<BCP 47 language tag>`
+	* suffix to a metadata member name (e.g. `client_name#ja`, `tos_uri#fr`).
+	* Only the human-readable fields the RFC names are considered; each value is
+	* validated with the same rules as its canonical field (URI fields must be
+	* absolute http(s) URLs). The raw `field#tag` keys are preserved verbatim so
+	* that consumers can do their own locale matching.
+	*
+	* @param raw - The parsed client metadata object
+	* @returns A map of `field#tag` to validated value, or undefined if none present
+	* @throws Error if a localized value fails its field's validation
+	*/
+	static extractI18nFields(raw) {
+		const result = {};
+		for (const key of Object.keys(raw)) {
+			const hashIndex = key.indexOf("#");
+			if (hashIndex <= 0 || hashIndex === key.length - 1) continue;
+			const baseField = key.slice(0, hashIndex);
+			const kind = OAuthProviderImpl.I18N_FIELDS[baseField];
+			if (!kind) continue;
+			const validated = kind === "uri" ? OAuthProviderImpl.validateOptionalUriField(raw[key], key) : OAuthProviderImpl.validateStringField(raw[key], key);
+			if (validated !== void 0) result[key] = validated;
+		}
+		return Object.keys(result).length > 0 ? result : void 0;
+	}
+	/**
 	* Validates that a field is a string array or undefined
 	* @param arr - The array to validate
 	* @param fieldName - Name of the field for error messages
@@ -2250,11 +2318,12 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 				clientId,
 				redirectUris,
 				clientName: OAuthProviderImpl.validateStringField(rawMetadata.client_name, "client_name"),
-				clientUri: OAuthProviderImpl.validateStringField(rawMetadata.client_uri, "client_uri"),
-				logoUri: OAuthProviderImpl.validateStringField(rawMetadata.logo_uri, "logo_uri"),
-				policyUri: OAuthProviderImpl.validateStringField(rawMetadata.policy_uri, "policy_uri"),
-				tosUri: OAuthProviderImpl.validateStringField(rawMetadata.tos_uri, "tos_uri"),
-				jwksUri: OAuthProviderImpl.validateStringField(rawMetadata.jwks_uri, "jwks_uri"),
+				clientUri: OAuthProviderImpl.validateOptionalUriField(rawMetadata.client_uri, "client_uri"),
+				logoUri: OAuthProviderImpl.validateOptionalUriField(rawMetadata.logo_uri, "logo_uri"),
+				policyUri: OAuthProviderImpl.validateOptionalUriField(rawMetadata.policy_uri, "policy_uri"),
+				tosUri: OAuthProviderImpl.validateOptionalUriField(rawMetadata.tos_uri, "tos_uri"),
+				jwksUri: OAuthProviderImpl.validateOptionalUriField(rawMetadata.jwks_uri, "jwks_uri"),
+				i18n: OAuthProviderImpl.extractI18nFields(rawMetadata),
 				contacts: OAuthProviderImpl.validateStringArray(rawMetadata.contacts, "contacts"),
 				grantTypes: OAuthProviderImpl.validateStringArray(rawMetadata.grant_types, "grant_types") || ["authorization_code"],
 				responseTypes: OAuthProviderImpl.validateStringArray(rawMetadata.response_types, "response_types") || ["code"],
@@ -2942,6 +3011,7 @@ var OAuthHelpersImpl = class {
 			policyUri: clientInfo.policyUri,
 			tosUri: clientInfo.tosUri,
 			jwksUri: clientInfo.jwksUri,
+			i18n: clientInfo.i18n,
 			contacts: clientInfo.contacts,
 			grantTypes: clientInfo.grantTypes || [
 				GrantType.AUTHORIZATION_CODE,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",