@crossauth/sveltekit 1.1.2 → 1.1.3

package/dist/sveltekitoauthserver.js

@@ -5,6 +5,8 @@ import { CrossauthError, CrossauthLogger, j, OAuthFlows, ErrorCode } from '@cros
 import { json } from '@sveltejs/kit';
 import { JsonOrFormData } from './utils';
 import {} from 'cookie';
+import { OAuthClientBackend } from '@crossauth/backend';
+import {} from './tests/sveltemocks';
 const DEFAULT_UPSTREAM_SESSION_DATA_NAME = "upstreamoauth";
 ;
 ;
@@ -97,6 +99,7 @@ export class SvelteKitAuthorizationServer {
     jwksEndpointUrl = "/oauth/jwks";
     redirect;
     error;
+    sessionDataName = "oauth";
     /**
      * Constructor
      * @param svelteKitServer the SvelteKit server this belongs to
@@ -115,6 +118,7 @@ export class SvelteKitAuthorizationServer {
             this.error = options.error;
         this.authServer =
             new OAuthAuthorizationServer(this.clientStorage, keyStorage, authenticators, options);
+        let server = svelteKitServer;
         setParameter("loginUrl", ParamType.String, this, options, "LOGIN_URL");
         setParameter("refreshTokenType", ParamType.String, this, options, "OAUTH_REFRESH_TOKEN_TYPE");
         setParameter("refreshTokenCookieName", ParamType.String, this, options, "OAUTH_REFRESH_TOKEN_COOKIE_NAME");
@@ -126,6 +130,7 @@ export class SvelteKitAuthorizationServer {
         setParameter("authorizeEndpointUrl", ParamType.String, this, options, "OAUTH_AUTHORIZE_ENDPOINT");
         setParameter("tokenEndpointUrl", ParamType.String, this, options, "OAUTH_TOKEN_ENDPOINT");
         setParameter("jwksEndpointUrl", ParamType.String, this, options, "OAUTH_JWKS_ENDPOINT");
+        setParameter("sessionDataName", ParamType.String, this, options, "OAUTH_SESSION_DATA_NAME");
         if (this.refreshTokenType != "json") {
             if (this.svelteKitServer.sessionServer?.enableCsrfProtection == true) {
                 this.csrfTokens = this.svelteKitServer.sessionServer.sessionManager.csrfTokens;
@@ -250,8 +255,8 @@ export class SvelteKitAuthorizationServer {
             cookieParams.secure = true;
         event.cookies.set(this.refreshTokenCookieName, token, cookieParams);
     }
-    requireGetParam(event, name) {
-        const val = event.url.searchParams.get(name);
+    requireGetParam(url, name) {
+        const val = url.searchParams.get(name);
         if (!val)
             return {
                 ok: false,
@@ -269,26 +274,27 @@ export class SvelteKitAuthorizationServer {
             };
         return undefined;
     }
-    getAuthorizeQuery(event) {
-        let error = this.requireGetParam(event, "response_type");
+    getAuthorizeQuery(url) {
+        let error = this.requireGetParam(url, "response_type");
         if (error)
             return { error };
-        error = this.requireGetParam(event, "client_id");
+        error = this.requireGetParam(url, "client_id");
         if (error)
             return { error };
-        error = this.requireGetParam(event, "redirect_uri");
+        error = this.requireGetParam(url, "redirect_uri");
         if (error)
             return { error };
-        error = this.requireGetParam(event, "state");
+        error = this.requireGetParam(url, "state");
         if (error)
             return { error };
-        const response_type = event.url.searchParams.get("response_type") ?? "";
-        const client_id = event.url.searchParams.get("client_id") ?? "";
-        const redirect_uri = event.url.searchParams.get("redirect_uri") ?? "";
-        const scope = event.url.searchParams.get("scope") ?? undefined;
-        const state = event.url.searchParams.get("state") ?? "";
-        const code_challenge = event.url.searchParams.get("code_challenge") ?? undefined;
-        const code_challenge_method = event.url.searchParams.get("code_challenge_method") ?? undefined;
+        const response_type = url.searchParams.get("response_type") ?? "";
+        const client_id = url.searchParams.get("client_id") ?? "";
+        const redirect_uri = url.searchParams.get("redirect_uri") ?? "";
+        const scope = url.searchParams.get("scope") ?? undefined;
+        const state = url.searchParams.get("state") ?? "";
+        const code_challenge = url.searchParams.get("code_challenge") ?? undefined;
+        const code_challenge_method = url.searchParams.get("code_challenge_method") ?? undefined;
+        const next = url.searchParams.get("next") ?? undefined;
         let query = {
             response_type,
             client_id,
@@ -297,6 +303,7 @@ export class SvelteKitAuthorizationServer {
             state,
             code_challenge,
             code_challenge_method,
+            next,
         };
         return { query, error: { error: "Unknown error", error_description: "Unknown error", ok: true } };
     }
@@ -604,6 +611,117 @@ export class SvelteKitAuthorizationServer {
             throw this.error(500, error_description);
         }
     }
+    /**
+     * Called from the client side of an auth server with an upstream auth server
+     * @param event Sveltekit event
+     * @param url URL the originating client originally made to our auth server's /authorize endpoint
+     * @param upstream the label of the upstream client if we have seeral
+     * @returns
+     */
+    async saveDownstreamAuthzCodeFlow(event, url, upstream) {
+        let upstreamClient = undefined;
+        let upstreamClientOptions = undefined;
+        let upstreamLabel = upstream;
+        if (this.authServer.upstreamClient && this.authServer.upstreamClientOptions) {
+            upstreamClient = this.authServer.upstreamClient;
+            upstreamClientOptions = this.authServer.upstreamClientOptions;
+        }
+        else if (this.authServer.upstreamClients && this.authServer.upstreamClientOptionss) {
+            if (upstreamLabel) {
+                if (upstreamLabel in this.authServer.upstreamClients) {
+                    upstreamClient = this.authServer.upstreamClients[upstreamLabel];
+                    upstreamClientOptions = this.authServer.upstreamClientOptionss[upstreamLabel];
+                }
+                else {
+                    CrossauthLogger.logger.error(j({ "msg": "No upstream client defined for " + upstreamLabel }));
+                    return {
+                        ok: false,
+                        error: "server_error",
+                        error_description: "No upstream client defined for " + upstreamLabel
+                    };
+                }
+            }
+            else {
+                // this may be legitimate, if the request is to log in with a local account
+                CrossauthLogger.logger.warn(j({ "msg": "1 upstreamClients defined but no upstream parameter given in authorize request" }));
+            }
+        }
+        if (upstreamClient && upstreamClientOptions) {
+            const state = Crypto.randomValue(32);
+            let resp = this.getAuthorizeQuery(url);
+            if (!resp.query)
+                return resp.error;
+            let query = resp.query;
+            CrossauthLogger.logger.debug(j({ "msg": `Have upstream client with redirect_uri ${query.redirect_uri}` }));
+            if (query.response_type == "code") {
+                // validate client
+                let client;
+                try {
+                    client = await this.clientStorage.getClientById(query.client_id);
+                }
+                catch (e) {
+                    CrossauthLogger.logger.debug(j({ err: e }));
+                    throw new CrossauthError(ErrorCode.Unauthorized, "Client is unauthorized");
+                }
+                let scopes = undefined;
+                if (query.scope)
+                    scopes = decodeURIComponent(query.scope).split(" ");
+                scopes = scopes?.filter((a) => (a.length > 0));
+                // construct a url to call the /authorize endpoint on the upstream auth server
+                const resp = await upstreamClient.startAuthorizationCodeFlow(state, { scope: query.scope, codeChallenge: query.code_challenge, pkce: query.code_challenge != undefined });
+                if (resp.error) {
+                    return {
+                        ok: false,
+                        error: resp.error,
+                        error_description: resp.error_description,
+                    };
+                }
+                else {
+                    // create an authorization code
+                    const codeResp = await this.authServer.getAuthorizationCode(client, query.redirect_uri, scopes, state, query.code_challenge, query.code_challenge_method);
+                    if (!codeResp.code) {
+                        return {
+                            ok: false,
+                            error: "server_error",
+                            error_description: "Couldn't create authorization code",
+                        };
+                    }
+                    // store the original /authorize request in the session
+                    const sessionData = {
+                        scope: query.scope,
+                        state,
+                        code: codeResp.code,
+                        orig_client_id: query.client_id,
+                        orig_redirect_uri: query.redirect_uri,
+                        orig_state: query.state,
+                        upstream_label: upstreamLabel,
+                        next: query.next,
+                    };
+                    if (!upstreamClientOptions.options.redirect_uri) {
+                        return {
+                            ok: false,
+                            error: "server_error",
+                            error_description: "redirect uri not given for upstream client",
+                        };
+                    }
+                    const sessionDataName = upstreamClientOptions.sessionDataName ?? DEFAULT_UPSTREAM_SESSION_DATA_NAME;
+                    await this.storeSessionData(event, sessionData, sessionDataName);
+                    let url = resp.url;
+                    CrossauthLogger.logger.debug(j({ msg: "upstream url " + url }));
+                    //CrossauthLogger.logger.debug(j({msg: "upstream base url " + this.authServer.upstreamAuthServerBaseUrl}))
+                    // Redirect to the /authorize endpoint on the upstream server
+                    throw this.redirect(302, url);
+                }
+            }
+            else {
+                return {
+                    ok: false,
+                    error: "invalid_request",
+                    error_description: "authorize can only be called with response_type code",
+                };
+            }
+        }
+    }
     /**
      * `load` and `actions` functions for the authorize endpoint.
      *
@@ -618,12 +736,40 @@ export class SvelteKitAuthorizationServer {
             }
             // handle the case where we have an upstream authz server
             // either throw redirect or return error
+            let upstreamClient = undefined;
+            let upstreamClientOptions = undefined;
+            let upstreamLabel = undefined;
             if (this.authServer.upstreamClient && this.authServer.upstreamClientOptions) {
+                upstreamClient = this.authServer.upstreamClient;
+                upstreamClientOptions = this.authServer.upstreamClientOptions;
+            }
+            else if (this.authServer.upstreamClients && this.authServer.upstreamClientOptionss) {
+                upstreamLabel = event.url.searchParams.get("upstream") ?? undefined;
+                if (upstreamLabel) {
+                    if (upstreamLabel in this.authServer.upstreamClients) {
+                        upstreamClient = this.authServer.upstreamClients[upstreamLabel];
+                        upstreamClientOptions = this.authServer.upstreamClientOptionss[upstreamLabel];
+                    }
+                    else {
+                        CrossauthLogger.logger.error(j({ "msg": "No upstream client defined for " + upstreamLabel }));
+                        return {
+                            ok: false,
+                            error: "server_error",
+                            error_description: "No upstream client defined for " + upstreamLabel
+                        };
+                    }
+                }
+                else {
+                    CrossauthLogger.logger.warn(j({ "msg": "2 upstreamClients defined but no upstream parameter given in authorize request" }));
+                }
+            }
+            if (upstreamClient && upstreamClientOptions) {
                 const state = Crypto.randomValue(32);
-                let resp = this.getAuthorizeQuery(event);
+                let resp = this.getAuthorizeQuery(event.url);
                 if (!resp.query)
                     return resp.error;
                 let query = resp.query;
+                CrossauthLogger.logger.debug(j({ "msg": `Have upstream client with redirect_uri ${query.redirect_uri}` }));
                 if (query.response_type == "code") {
                     // validate client
                     let client;
@@ -639,7 +785,8 @@ export class SvelteKitAuthorizationServer {
                     if (query.scope)
                         scopes = decodeURIComponent(query.scope).split(" ");
                     scopes = scopes?.filter((a) => (a.length > 0));
-                    const resp = await this.authServer.upstreamClient.startAuthorizationCodeFlow(state, query.scope, query.code_challenge, query.code_challenge != undefined);
+                    // construct a url to call the /authorize endpoint on the upstream auth server
+                    const resp = await upstreamClient.startAuthorizationCodeFlow(state, { scope: query.scope, codeChallenge: query.code_challenge, pkce: query.code_challenge != undefined });
                     if (resp.error) {
                         return {
                             ok: false,
@@ -648,6 +795,7 @@ export class SvelteKitAuthorizationServer {
                         };
                     }
                     else {
+                        // create an authorization code
                         const codeResp = await this.authServer.getAuthorizationCode(client, query.redirect_uri, scopes, state, query.code_challenge, query.code_challenge_method);
                         if (!codeResp.code) {
                             return {
@@ -656,15 +804,18 @@ export class SvelteKitAuthorizationServer {
                                 error_description: "Couldn't create authorization code",
                             };
                         }
+                        // store the original /authorize request in the session
                         const sessionData = {
                             scope: query.scope,
                             state,
                             code: codeResp.code,
                             orig_client_id: query.client_id,
                             orig_redirect_uri: query.redirect_uri,
-                            orig_state: query.state
+                            orig_state: query.state,
+                            upstream_label: upstreamLabel,
+                            next: query.next,
                         };
-                        if (!this.authServer.upstreamClientOptions.options.redirect_uri) {
+                        if (!upstreamClientOptions.options.redirect_uri) {
                             return {
                                 ok: false,
                                 error: "server_error",
@@ -672,16 +823,8 @@ export class SvelteKitAuthorizationServer {
                             };
                         }
                         // we need a session to save the state
-                        const sessionDataName = this.authServer.upstreamClientOptions.sessionDataName ?? DEFAULT_UPSTREAM_SESSION_DATA_NAME;
+                        const sessionDataName = upstreamClientOptions.sessionDataName ?? DEFAULT_UPSTREAM_SESSION_DATA_NAME;
                         await this.storeSessionData(event, sessionData, sessionDataName);
-                        //await this.authServer.setAuthorizationCodeData(codeResp.code, sessionData);
-                        /*let url = this.authServer.upstreamClientOptions.authServerBaseUrl +
-                            "?response_type=code" +
-                            "&redirect_uri=" + encodeURIComponent(this.authServer.upstreamClientOptions.options.redirect_uri)
-                            "&client_id=" + encodeURIComponent(this.authServer.upstreamClient.client_id);
-                        if (this.authServer.upstreamClient.client_secret) url += "&client_secret=" + encodeURIComponent(this.authServer.upstreamClient.client_secret);
-                        if (query.state) url += "&state=" + encodeURIComponent(query.state);
-                        if (this.authServer.upstreamClientOptions.scopes) url += encodeURIComponent(this.authServer.upstreamClientOptions.scopes.join(" "));*/
                         let url = resp.url;
                         CrossauthLogger.logger.debug(j({ msg: "upstream url " + url }));
                         //CrossauthLogger.logger.debug(j({msg: "upstream base url " + this.authServer.upstreamAuthServerBaseUrl}))
@@ -699,7 +842,7 @@ export class SvelteKitAuthorizationServer {
             // we don't have an upstream server
             if (!event.locals.user)
                 return this.redirect(302, this.loginUrl + "?next=" + encodeURIComponent(event.request.url));
-            let resp = this.getAuthorizeQuery(event);
+            let resp = this.getAuthorizeQuery(event.url);
             if (!resp.query)
                 return resp.error;
             let query = resp.query;
@@ -718,7 +861,7 @@ export class SvelteKitAuthorizationServer {
             }
             else {
                 CrossauthLogger.logger.error(j({
-                    msg: "authorize parameter valid",
+                    msg: "authorize parameter invalid",
                     user: event.locals.user?.username
                 }));
             }
@@ -903,8 +1046,28 @@ export class SvelteKitAuthorizationServer {
                 const { client_id, client_secret } = this.getClientIdAndSecret(formData, event);
                 // if the grant type is authorization_code and we have an upstream client
                 // defined, we should already have tokens stored with the authoriazion code
+                let upstreamClient = undefined;
+                let upstreamClientOptions = undefined;
+                let upstreamLabel = undefined;
+                if (formData.grant_type == "authorization_code") {
+                    if (this.authServer.upstreamClient && this.authServer.upstreamClientOptions) {
+                        upstreamClient = this.authServer.upstreamClient;
+                        upstreamClientOptions = this.authServer.upstreamClientOptions;
+                    }
+                    else {
+                        const codeData = await this.authServer.getAuthorizationCodeData(formData.code);
+                        if (codeData?.upstream && this.authServer.upstreamClients && this.authServer.upstreamClientOptionss) {
+                            upstreamClient = this.authServer.upstreamClients[codeData?.upstream];
+                            upstreamClientOptions = this.authServer.upstreamClientOptionss[codeData?.upstream];
+                            upstreamLabel = codeData.upstream;
+                        }
+                    }
+                }
                 if (formData.grant_type == "authorization_code" &&
-                    this.authServer.upstreamClient && this.authServer.upstreamClientOptions) {
+                    upstreamClient && upstreamClientOptions) {
+                    // if it is the authorization code flow and we have an upstream client,
+                    // get the tokens that the our upstream redirect uri saved, keyed on 
+                    // the authorization code
                     const codeData = await this.authServer.getAuthorizationCodeData(formData.code);
                     if (codeData == undefined) {
                         return json({
@@ -916,12 +1079,42 @@ export class SvelteKitAuthorizationServer {
                         return json({ error: "access_denied", error_description: "No access token was issued" }, { status: 401 });
                     }
                     await this.authServer.deleteAuthorizationCodeData(formData.code);
+                    // determine whether we are also creating a refresh token
+                    let createRefreshToken = false;
+                    if (this.authServer.issueRefreshToken) {
+                        createRefreshToken = true;
+                    }
+                    if (this.authServer.issueRefreshToken &&
+                        this.authServer.rollingRefreshToken) {
+                        createRefreshToken = true;
+                    }
+                    // get client
+                    const clientResponse = await this.authServer.getClientById(client_id);
+                    if (!clientResponse.client)
+                        return json({
+                            error: clientResponse.error,
+                            error_description: clientResponse.error_description
+                        }, { status: CrossauthError.fromOAuthError(clientResponse.error ?? "server_error").httpStatus });
+                    const client = clientResponse.client;
+                    let refreshToken = await this.authServer.createRefreshToken(client, { upstreamRefreshToken: codeData.refresh_token, upstreamLabel: upstreamLabel });
+                    // save tokens so that this is treated as the logged in user
+                    // doesn't work - no cookie
+                    /*await this.storeSessionData(event, {
+                        access_token: codeData.access_token,
+                        id_token: codeData.id_token,
+                        id_payload: codeData.id_payload,
+                        refresh_token: refreshToken ?? upstreamLabel + ":" + codeData.refresh_token,
+                        expires_in: codeData.expires_in,
+                        upstream: upstreamLabel
+
+                    }, this.sessionDataName)*/
                     return json({
                         access_token: codeData.access_token,
                         id_token: codeData.id_token,
                         id_payload: codeData.id_payload,
-                        refresh_token: codeData.refresh_token,
+                        refresh_token: refreshToken ?? upstreamLabel + ":" + codeData.refresh_token,
                         expires_in: codeData.expires_in,
+                        upstream: upstreamLabel,
                     });
                 }
                 // if refreshTokenType is not "json", check if there
@@ -1004,11 +1197,12 @@ export class SvelteKitAuthorizationServer {
             }
         },
     };
+    // The upstream auth server will redirect to hear with an authorization code
     upstreamRedirectUriEndpoint = {
-        get: async (event) => {
+        get: async (event, upstream) => {
             let oauthData = {};
             try {
-                if (!this.authServer.upstreamClientOptions) {
+                if (!this.authServer.upstreamClientOptions && !this.authServer.upstreamClientOptionss) {
                     CrossauthLogger.logger.error(j({ msg: "Cannot call upstreamRedirectUriEndpoint if upstreamClient not defined" }));
                     return json({
                         ok: false,
@@ -1016,29 +1210,61 @@ export class SvelteKitAuthorizationServer {
                         error_description: "Cannot call upstreamRedirectUriEndpoint if upstreamClient not defined"
                     });
                 }
-                CrossauthLogger.logger.debug(j({ msg: "upstreamRedirectUriEndpoint" }));
-                if (!this.authServer.upstreamClient || !this.authServer.upstreamClientOptions.tokenMergeFn) {
+                CrossauthLogger.logger.debug(j({ msg: "upstreamRedirectUriEndpoint", upstream }));
+                // find which upstream client was used
+                let upstreamClient = undefined;
+                let upstreamClientOptions = undefined;
+                if (this.authServer.upstreamClient && this.authServer.upstreamClientOptions) {
+                    upstreamClient = this.authServer.upstreamClient;
+                    upstreamClientOptions = this.authServer.upstreamClientOptions;
+                }
+                else if (this.authServer.upstreamClients && this.authServer.upstreamClientOptionss) {
+                    if (!upstream) {
+                        CrossauthLogger.logger.error(j({ msg: "Have multiple upstream clients but upstream redirect uri not passed the upstream identifier" }));
+                        return this.redirectError(oauthData.orig_redirect_uri, "server_error", "Have multiple upstream clients but upstream redirect uri not passed the upstream identifier");
+                    }
+                    upstreamClient = this.authServer.upstreamClients[upstream];
+                    upstreamClientOptions = this.authServer.upstreamClientOptionss[upstream];
+                }
+                if (!upstreamClient || !upstreamClientOptions) {
                     CrossauthLogger.logger.error(j({ msg: "upstreamRedirectUri endpoint called but no upstreamClient or merge function set" }));
                     return this.redirectError(oauthData.orig_redirect_uri, "server_error", "upstreamRedirectUri endpoint called but no upstreamClient or merge function set");
                 }
+                // URL contains redirect URI parameters between us and the upstream auth server
+                // Session data contains parameters the originating client sent to our /authorize endpoint 
                 const code = event.url.searchParams.get("code") ?? "";
                 const state = event.url.searchParams.get("state") ?? undefined;
                 const error = event.url.searchParams.get("error") ?? undefined;
                 const error_description = event.url.searchParams.get("error") ?? undefined;
-                const sessionDataName = this.authServer.upstreamClientOptions.sessionDataName ?? DEFAULT_UPSTREAM_SESSION_DATA_NAME;
+                const sessionDataName = upstreamClientOptions.sessionDataName ?? DEFAULT_UPSTREAM_SESSION_DATA_NAME;
                 oauthData = await this.svelteKitServer.sessionAdapter?.getSessionData(event, sessionDataName) ?? {};
+                if (this.authServer.upstreamClients && (!("upstream_label" in oauthData) || !(oauthData.upstream_label in this.authServer.upstreamClients))) {
+                    return this.redirectError(oauthData.orig_redirect_uri, "server_error", "Invalid upstream client found in saessom");
+                }
+                if (this.authServer.upstreamClients) {
+                    upstreamClient = this.authServer.upstreamClients[oauthData.upstream_label];
+                }
                 if (oauthData?.state != state) {
                     CrossauthLogger.logger.error(j({ msg: "State does not match" }));
                     throw new CrossauthError(ErrorCode.Unauthorized, "State does not match");
                 }
-                const resp = await this.authServer.upstreamClient.redirectEndpoint(code, oauthData?.scope, oauthData?.codeVerifier, error, error_description);
+                // make the post to the upstream server's token endpoint to receive the tokens
+                const resp = await upstreamClient.redirectEndpoint({
+                    code,
+                    scope: oauthData?.scope,
+                    codeVerifier: oauthData?.codeVerifier,
+                    error,
+                    errorDescription: error_description
+                });
                 if (resp.error) {
                     CrossauthLogger.logger.error(j({ msg: resp.error_description }));
                     return this.redirectError(oauthData.orig_redirect_uri, resp.error, resp.error_description ?? "unknown error");
                 }
+                // some servers have the access token as a JWT.  For others, it is a simple string.
+                // ID token, if present, is always a JWT
                 let access_token = resp.access_token;
-                if (resp.access_token && this.authServer.upstreamClientOptions.accessTokenIsJwt) {
-                    const resp1 = await this.authServer.upstreamClient.getAccessPayload(resp.access_token, false);
+                if (resp.access_token && upstreamClientOptions.accessTokenIsJwt) {
+                    const resp1 = await upstreamClient.getAccessPayload(resp.access_token, false);
                     if (resp1.error)
                         return json(resp1);
                     else if (resp1.payload)
@@ -1048,9 +1274,12 @@ export class SvelteKitAuthorizationServer {
                         return this.redirectError(oauthData.orig_redirect_uri, "server_error", "No error or access payload received when querying access token");
                     }
                 }
-                const mergeResponse = await this.authServer.upstreamClientOptions.tokenMergeFn(access_token ?? "", resp.id_payload, this.authServer.userStorage);
+                // call user-supplied merge function to combine received ID token with entry in user storage
+                const mergeResponse = await upstreamClientOptions.tokenMergeFn(access_token ?? "", resp.id_payload, this.authServer.userStorage);
                 if (mergeResponse.authorized) {
-                    const ret = await this.authServer.createTokensFromPayload(oauthData.orig_client_id, mergeResponse.access_payload, mergeResponse.id_payload);
+                    // make ID token from the merged payload.  If the access token is a JWT, do the same for it
+                    const ret = await this.authServer.createTokensFromPayload(oauthData.orig_client_id, typeof (mergeResponse.access_payload) == "string" ? undefined : mergeResponse.access_payload, mergeResponse.id_payload);
+                    // I think this is redundant...
                     oauthData = {
                         ...oauthData,
                         access_token: ret.access_token,
@@ -1059,6 +1288,7 @@ export class SvelteKitAuthorizationServer {
                         expires_in: ret.expires_in,
                         refresh_token: resp.refresh_token,
                     };
+                    // get the tokens saved for the originating client when it's redirect URI called our token endpoint
                     let authzData = await this.authServer.getAuthorizationCodeData(oauthData.code);
                     authzData = {
                         ...authzData,
@@ -1066,9 +1296,13 @@ export class SvelteKitAuthorizationServer {
                         id_token: ret.id_token,
                         id_payload: ret.id_token,
                         refresh_token: resp.refresh_token,
-                        expires_in: ret.expires_in
+                        expires_in: ret.expires_in,
+                        upstream
                     };
+                    // save our new tokens, keyed on the authorization code
                     await this.authServer.setAuthorizationCodeData(oauthData.code, authzData);
+                    // redirect to the originating client's redirect URI 
+                    // our token endpoint will return the saved tokens
                     throw this.redirect(302, this.authServer.redirect_uri(oauthData.orig_redirect_uri, oauthData.code, oauthData.orig_state));
                 }
                 else {