npm - @cloudflare/workers-oauth-provider - Versions diffs - 0.7.1 → 0.7.2 - Mend

@cloudflare/workers-oauth-provider 0.7.1 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -390,6 +390,19 @@ Setup:
 The AS enforces `resolved.issuer === iss` (confused-deputy guard) and validates ID-JAG `typ`, signature, audience, client binding, resource, `exp` / `iat` / `nbf`, max lifetime, and `jti` replay. Refresh tokens are not issued for this grant — the ID-JAG itself is the renewable assertion.
+### Public clients
+By default the EMA grant requires client authentication, so public clients (`token_endpoint_auth_method: 'none'`) are rejected. Set `allowPublicClients: true` to also accept them:
+```ts
+enterpriseManagedAuthorization: {
+  allowPublicClients: true,
+  // ... trustedIssuers, mapClaims ...
+}
+```
+This is useful for clients registered via a [Client ID Metadata Document (CIMD)](https://modelcontextprotocol.io/), which are always public and therefore cannot present a client secret. With this enabled, trust rests on the IdP-issued, signature-verified, short-lived, single-use ID-JAG assertion (audience-, resource-, and client-bound) rather than on a separately presented client secret. Leave it unset (default `false`) to keep the spec-default behavior of requiring client authentication.
 Experimental — the MCP extension is still a draft.
 ## Custom Error Responses

package/dist/oauth-provider.d.ts CHANGED Viewed

@@ -269,6 +269,22 @@ interface EmaOptions<Env = Cloudflare.Env> {
   clockSkewSeconds?: number;
   /** Maximum accepted assertion lifetime in seconds. Defaults to 300 seconds. */
   maxAssertionLifetimeSeconds?: number;
+  /**
+   * Allow public clients (`token_endpoint_auth_method: 'none'`) to use the
+   * enterprise-managed authorization (ID-JAG) grant.
+   *
+   * Defaults to `false`. By default the EMA grant requires client
+   * authentication, matching the MCP enterprise-managed-authorization draft.
+   *
+   * Set to `true` to also accept public clients on this grant — for example
+   * clients registered via a Client ID Metadata Document (CIMD), which are
+   * always public (`none`) and therefore cannot present a client secret. The
+   * security trade-off is documented in the README: the trust then rests on
+   * the IdP-issued, signature-verified, short-lived, single-use ID-JAG
+   * assertion (audience-, resource-, and client-bound) rather than on a
+   * separately presented client secret.
+   */
+  allowPublicClients?: boolean;
 }
 //#endregion
 //#region src/oauth-provider.d.ts

package/dist/oauth-provider.js CHANGED Viewed

@@ -1601,7 +1601,7 @@ var OAuthProviderImpl = class OAuthProviderImpl {
 	async handleJwtBearerGrant(body, clientInfo, env, requestUrl, request) {
 		const enterpriseOptions = this.options.enterpriseManagedAuthorization;
 		if (!enterpriseOptions) return this.createErrorResponse("unsupported_grant_type", { description: "Grant type not supported" });
-		if (clientInfo.tokenEndpointAuthMethod === "none") return this.createErrorResponse("invalid_client", {
+		if (clientInfo.tokenEndpointAuthMethod === "none" && !enterpriseOptions.allowPublicClients) return this.createErrorResponse("invalid_client", {
 			description: "Enterprise-managed authorization requires client authentication",
 			statusCode: 401
 		});

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@cloudflare/workers-oauth-provider",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "description": "OAuth provider for Cloudflare Workers",
   "main": "dist/oauth-provider.js",
   "types": "dist/oauth-provider.d.ts",