@deque/axe-auth 1.1.0-next.6b702982 → 1.1.0-next.74c778ee
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/oauth/discoverOIDC.js +26 -0
- package/package.json +1 -1
|
@@ -70,6 +70,31 @@ function parseConfiguration(body, url) {
|
|
|
70
70
|
endSessionEndpoint: optionalString(body.end_session_endpoint),
|
|
71
71
|
};
|
|
72
72
|
}
|
|
73
|
+
/**
|
|
74
|
+
* `code_challenge_methods_supported` is OPTIONAL in OIDC discovery, so its
|
|
75
|
+
* absence proves nothing — older providers may support PKCE without
|
|
76
|
+
* advertising it. But when the list IS present and does not include
|
|
77
|
+
* `S256` (the only method this CLI uses, per RFC 7636), the server has
|
|
78
|
+
* explicitly declared it does not support the flow we need. Fail fast
|
|
79
|
+
* with an actionable message instead of letting the user hit a generic
|
|
80
|
+
* OAuth error several steps deeper into the flow.
|
|
81
|
+
*
|
|
82
|
+
* An empty list (`[]`) is treated the same as a populated list missing
|
|
83
|
+
* `S256`: the server has explicitly advertised zero supported methods,
|
|
84
|
+
* which is incompatible.
|
|
85
|
+
*
|
|
86
|
+
* Called from `discoverOIDC` after issuer verification so that a
|
|
87
|
+
* tampered discovery doc surfaces the more security-critical issuer
|
|
88
|
+
* mismatch first.
|
|
89
|
+
*/
|
|
90
|
+
function assertPKCESupport(body, url) {
|
|
91
|
+
const methods = body.code_challenge_methods_supported;
|
|
92
|
+
if (!Array.isArray(methods))
|
|
93
|
+
return;
|
|
94
|
+
if (methods.includes("S256"))
|
|
95
|
+
return;
|
|
96
|
+
throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `OpenID configuration at ${url} advertises code_challenge_methods_supported = ${JSON.stringify(methods)}, but axe-auth requires S256 (PKCE per RFC 7636). The OAuth client used by axe-auth needs PKCE enabled, or you may be on an axe server version that predates OAuth-based MCP authentication.`);
|
|
97
|
+
}
|
|
73
98
|
/**
|
|
74
99
|
* Fetches and parses the OpenID Connect discovery document for a given
|
|
75
100
|
* issuer. Fails fast (no retry) so the caller does not open a browser
|
|
@@ -143,5 +168,6 @@ async function discoverOIDC(issuerURL, options = {}) {
|
|
|
143
168
|
if (config.endSessionEndpoint) {
|
|
144
169
|
assertSecureURL(config.endSessionEndpoint, "end_session_endpoint", allowInsecure);
|
|
145
170
|
}
|
|
171
|
+
assertPKCESupport(body, url);
|
|
146
172
|
return config;
|
|
147
173
|
}
|