@keycardai/express 0.1.0 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +9 -0
- package/README.md +28 -3
- package/dist/cjs/grant.d.ts +16 -4
- package/dist/cjs/grant.d.ts.map +1 -1
- package/dist/cjs/grant.js +35 -11
- package/dist/cjs/grant.js.map +1 -1
- package/dist/cjs/wellKnown.d.ts +7 -0
- package/dist/cjs/wellKnown.d.ts.map +1 -1
- package/dist/cjs/wellKnown.js +25 -0
- package/dist/cjs/wellKnown.js.map +1 -1
- package/dist/esm/grant.d.ts +16 -4
- package/dist/esm/grant.d.ts.map +1 -1
- package/dist/esm/grant.js +35 -11
- package/dist/esm/grant.js.map +1 -1
- package/dist/esm/wellKnown.d.ts +7 -0
- package/dist/esm/wellKnown.d.ts.map +1 -1
- package/dist/esm/wellKnown.js +25 -0
- package/dist/esm/wellKnown.js.map +1 -1
- package/package.json +11 -11
package/LICENSE
ADDED
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
MIT LICENSE
|
|
2
|
+
|
|
3
|
+
Copyright © 2026 Keycard Labs, inc.
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
|
6
|
+
|
|
7
|
+
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
|
8
|
+
|
|
9
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
package/README.md
CHANGED
|
@@ -20,7 +20,7 @@ import { requireBearerAuth } from "@keycardai/express";
|
|
|
20
20
|
|
|
21
21
|
const app = express();
|
|
22
22
|
|
|
23
|
-
app.use(requireBearerAuth({
|
|
23
|
+
app.use(requireBearerAuth({ zoneUrl: "https://your-zone.keycard.cloud" }));
|
|
24
24
|
|
|
25
25
|
app.get("/api/data", (req, res) => {
|
|
26
26
|
// req.auth is AccessToken: { token, clientId, scopes, ... }
|
|
@@ -36,7 +36,7 @@ import { ClientSecret } from "@keycardai/oauth/server";
|
|
|
36
36
|
|
|
37
37
|
const credential = new ClientSecret("your-client-id", "your-client-secret");
|
|
38
38
|
|
|
39
|
-
app.use(requireBearerAuth({
|
|
39
|
+
app.use(requireBearerAuth({ zoneUrl: "https://your-zone.keycard.cloud" }));
|
|
40
40
|
app.use(grant(["https://graph.microsoft.com"], {
|
|
41
41
|
zoneUrl: "https://your-zone.keycard.cloud",
|
|
42
42
|
applicationCredential: credential,
|
|
@@ -49,6 +49,29 @@ app.get("/api/email", async (req, res) => {
|
|
|
49
49
|
});
|
|
50
50
|
```
|
|
51
51
|
|
|
52
|
+
For multi-zone deployments, pass a zone-keyed `ClientSecret` and resolve the zone from each request's verified token:
|
|
53
|
+
|
|
54
|
+
```typescript
|
|
55
|
+
import { requireBearerAuth, grant } from "@keycardai/express";
|
|
56
|
+
import { ClientSecret } from "@keycardai/oauth/server";
|
|
57
|
+
|
|
58
|
+
const credential = new ClientSecret({
|
|
59
|
+
"zone-a": ["client-id-a", "client-secret-a"],
|
|
60
|
+
"zone-b": ["client-id-b", "client-secret-b"],
|
|
61
|
+
});
|
|
62
|
+
|
|
63
|
+
app.use(requireBearerAuth({ zoneUrl: "https://base-zone.keycard.cloud", enableMultiZone: true }));
|
|
64
|
+
|
|
65
|
+
// zoneId accepts a function that receives the verified AccessToken and
|
|
66
|
+
// returns the zone identifier for this request. AccessToken has no
|
|
67
|
+
// dedicated zone field — use whichever field encodes zone context in
|
|
68
|
+
// your deployment (e.g. a zone-prefixed clientId, or a custom claim).
|
|
69
|
+
app.use(grant(["https://api.example.com"], {
|
|
70
|
+
zoneId: (auth) => auth.clientId,
|
|
71
|
+
applicationCredential: credential,
|
|
72
|
+
}));
|
|
73
|
+
```
|
|
74
|
+
|
|
52
75
|
### Add OAuth discovery routes
|
|
53
76
|
|
|
54
77
|
```typescript
|
|
@@ -65,8 +88,9 @@ app.use(keycardMetadataRouter({ issuer: "https://your-zone.keycard.cloud" }));
|
|
|
65
88
|
| Export | Description |
|
|
66
89
|
|---|---|
|
|
67
90
|
| `requireBearerAuth(options)` | Middleware factory that validates a Bearer token and sets `req.auth: AccessToken`. Returns 401 with RFC 6750 `WWW-Authenticate` challenge on failure. |
|
|
68
|
-
| `grant(resources, options)` | Middleware factory that exchanges the bearer token for per-resource access tokens and sets `req.accessContext: AccessContext`. Must run after `requireBearerAuth`. |
|
|
91
|
+
| `grant(resources, options)` | Middleware factory that exchanges the bearer token for per-resource access tokens and sets `req.accessContext: AccessContext`. Must run after `requireBearerAuth`. `zoneId` accepts a static string or a function `(auth: AccessToken) => string` for per-request zone resolution. |
|
|
69
92
|
| `keycardMetadataRouter(options)` | Returns an Express Router with `/.well-known/oauth-protected-resource` and `/.well-known/oauth-authorization-server` routes. |
|
|
93
|
+
| `createKeycardMiddleware(options)` | Factory that returns pre-configured `{ requireBearerAuth(), grant() }` sharing a single zone config. You still need `keycardMetadataRouter` for discovery routes. |
|
|
70
94
|
| `AuthenticatedRequest` | `Request` extended with `auth: AccessToken`. |
|
|
71
95
|
| `GrantedRequest` | `Request` extended with `auth: AccessToken` and `accessContext: AccessContext`. |
|
|
72
96
|
|
|
@@ -74,4 +98,5 @@ app.use(keycardMetadataRouter({ issuer: "https://your-zone.keycard.cloud" }));
|
|
|
74
98
|
|
|
75
99
|
- [`@keycardai/oauth`](../oauth/) — Framework-free OAuth primitives this package builds on
|
|
76
100
|
- [`@keycardai/mcp`](../mcp/) — MCP-specific OAuth integration
|
|
101
|
+
- [`@keycardai/a2a`](../a2a/) — Agent-to-agent (A2A) protocol integration
|
|
77
102
|
- [Keycard TypeScript SDK](../../README.md) — Root documentation
|
package/dist/cjs/grant.d.ts
CHANGED
|
@@ -2,6 +2,7 @@ import type { RequestHandler } from "express";
|
|
|
2
2
|
import { AccessContext } from "@keycardai/oauth/server/accessContext";
|
|
3
3
|
import type { ApplicationCredential } from "@keycardai/oauth/credentials";
|
|
4
4
|
import type { AuthenticatedRequest } from "./bearerAuth.js";
|
|
5
|
+
import type { AccessToken } from "@keycardai/oauth/server/accessToken";
|
|
5
6
|
export interface GrantedRequest extends AuthenticatedRequest {
|
|
6
7
|
accessContext: AccessContext;
|
|
7
8
|
}
|
|
@@ -12,13 +13,24 @@ export interface GrantOptions {
|
|
|
12
13
|
*/
|
|
13
14
|
zoneUrl?: string;
|
|
14
15
|
/**
|
|
15
|
-
* Keycard zone ID
|
|
16
|
-
*
|
|
16
|
+
* Keycard zone ID, or a function that resolves it from the verified
|
|
17
|
+
* access token at request time. Use the function form for multi-zone
|
|
18
|
+
* deployments where each request may target a different zone.
|
|
19
|
+
*
|
|
20
|
+
* ```ts
|
|
21
|
+
* // Static zone
|
|
22
|
+
* grant(resources, { zoneId: "zone-abc" });
|
|
23
|
+
*
|
|
24
|
+
* // Dynamic zone extracted from the token's clientId
|
|
25
|
+
* grant(resources, { zoneId: (auth) => auth.clientId });
|
|
26
|
+
* ```
|
|
17
27
|
*/
|
|
18
|
-
zoneId?: string;
|
|
28
|
+
zoneId?: string | ((auth: AccessToken) => string);
|
|
19
29
|
/**
|
|
20
30
|
* Application credential provider for authenticated token exchange.
|
|
21
|
-
*
|
|
31
|
+
* For multi-zone deployments, pass a `ClientSecret` constructed with a
|
|
32
|
+
* `Record<zoneId, [clientId, clientSecret]>` so the correct credentials
|
|
33
|
+
* are selected per request.
|
|
22
34
|
*/
|
|
23
35
|
applicationCredential?: ApplicationCredential;
|
|
24
36
|
}
|
package/dist/cjs/grant.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC;AAGvE,MAAM,WAAW,cAAe,SAAQ,oBAAoB;IAC1D,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,WAAW,KAAK,MAAM,CAAC,CAAC;IAClD;;;;;OAKG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;CAC/C;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,KAAK,CACnB,SAAS,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,EACrC,OAAO,EAAE,YAAY,GACpB,cAAc,CAuGhB"}
|
package/dist/cjs/grant.js
CHANGED
|
@@ -25,10 +25,16 @@ const errors_1 = require("@keycardai/oauth/errors");
|
|
|
25
25
|
* ```
|
|
26
26
|
*/
|
|
27
27
|
function grant(resources, options) {
|
|
28
|
-
|
|
29
|
-
|
|
28
|
+
// Validate at construction time that a zone is specified.
|
|
29
|
+
const hasZoneOption = !!(options.zoneUrl || options.zoneId);
|
|
30
|
+
if (!hasZoneOption) {
|
|
30
31
|
throw new errors_1.AuthProviderConfigurationError("grant: either `zoneUrl` or `zoneId` is required");
|
|
31
32
|
}
|
|
33
|
+
// Cache TokenExchangeClient instances keyed by resolved zone URL.
|
|
34
|
+
// One client per zone amortizes AS discovery (GET /.well-known/) across
|
|
35
|
+
// requests — the TokenExchangeClient already caches the token_endpoint
|
|
36
|
+
// internally after the first discovery call.
|
|
37
|
+
const clientCache = new Map();
|
|
32
38
|
return async (req, _res, next) => {
|
|
33
39
|
const authReq = req;
|
|
34
40
|
const subjectToken = authReq.auth?.token;
|
|
@@ -40,19 +46,35 @@ function grant(resources, options) {
|
|
|
40
46
|
req.accessContext = accessCtx;
|
|
41
47
|
return next();
|
|
42
48
|
}
|
|
43
|
-
|
|
49
|
+
// Resolve zone at request time — zoneId may be a static string or a
|
|
50
|
+
// function that extracts the zone from the verified access token.
|
|
51
|
+
let resolvedZoneId;
|
|
44
52
|
try {
|
|
45
|
-
|
|
46
|
-
|
|
53
|
+
resolvedZoneId =
|
|
54
|
+
typeof options.zoneId === "function"
|
|
55
|
+
? options.zoneId(authReq.auth)
|
|
56
|
+
: options.zoneId;
|
|
47
57
|
}
|
|
48
58
|
catch (e) {
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
59
|
+
return next(e);
|
|
60
|
+
}
|
|
61
|
+
const resolvedZoneUrl = options.zoneUrl ?? buildZoneUrl(resolvedZoneId);
|
|
62
|
+
if (!resolvedZoneUrl) {
|
|
63
|
+
accessCtx.setError({ message: "Could not resolve zone URL for this request." });
|
|
53
64
|
req.accessContext = accessCtx;
|
|
54
65
|
return next();
|
|
55
66
|
}
|
|
67
|
+
// Look up or create a cached client for this zone.
|
|
68
|
+
let client = clientCache.get(resolvedZoneUrl);
|
|
69
|
+
if (!client) {
|
|
70
|
+
// Pass the credential directly so TokenExchangeClient can call
|
|
71
|
+
// getAuth(zoneId) at exchange time, enabling multi-zone credential
|
|
72
|
+
// routing without pre-resolving credentials here.
|
|
73
|
+
client = new tokenExchange_1.TokenExchangeClient(resolvedZoneUrl, {
|
|
74
|
+
credential: options.applicationCredential,
|
|
75
|
+
});
|
|
76
|
+
clientCache.set(resolvedZoneUrl, client);
|
|
77
|
+
}
|
|
56
78
|
const resourceList = Array.isArray(resources)
|
|
57
79
|
? resources
|
|
58
80
|
: [resources];
|
|
@@ -61,7 +83,7 @@ function grant(resources, options) {
|
|
|
61
83
|
try {
|
|
62
84
|
let exchangeRequest;
|
|
63
85
|
if (options.applicationCredential) {
|
|
64
|
-
exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource);
|
|
86
|
+
exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource, { zoneId: resolvedZoneId });
|
|
65
87
|
}
|
|
66
88
|
else {
|
|
67
89
|
exchangeRequest = {
|
|
@@ -70,7 +92,9 @@ function grant(resources, options) {
|
|
|
70
92
|
subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
|
|
71
93
|
};
|
|
72
94
|
}
|
|
73
|
-
tokens[resource] = await client.exchangeToken(exchangeRequest
|
|
95
|
+
tokens[resource] = await client.exchangeToken(exchangeRequest, {
|
|
96
|
+
zoneId: resolvedZoneId,
|
|
97
|
+
});
|
|
74
98
|
}
|
|
75
99
|
catch (e) {
|
|
76
100
|
const detail = {
|
package/dist/cjs/grant.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":";;AA8DA,sBA0GC;AAvKD,kEAAqE;AACrE,yEAAsE;AAEtE,oDAAqF;AAsCrF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAgB,KAAK,CACnB,SAAqC,EACrC,OAAqB;IAErB,0DAA0D;IAC1D,MAAM,aAAa,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,uCAA8B,CACtC,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,wEAAwE;IACxE,uEAAuE;IACvE,6CAA6C;IAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,EAA+B,CAAC;IAE3D,OAAO,KAAK,EAAE,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAE,EAAE;QAChE,MAAM,OAAO,GAAG,GAA2B,CAAC;QAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;QAEzC,MAAM,SAAS,GAAG,IAAI,6BAAa,EAAE,CAAC;QAEtC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,SAAS,CAAC,QAAQ,CAAC;gBACjB,OAAO,EACL,0EAA0E;aAC7E,CAAC,CAAC;YACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,oEAAoE;QACpE,kEAAkE;QAClE,IAAI,cAAkC,CAAC;QACvC,IAAI,CAAC;YACH,cAAc;gBACZ,OAAO,OAAO,CAAC,MAAM,KAAK,UAAU;oBAClC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;oBAC9B,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACvB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC;QACxE,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,SAAS,CAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC,CAAC;YAC/E,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,mDAAmD;QACnD,IAAI,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,+DAA+D;YAC/D,mEAAmE;YACnE,kDAAkD;YAClD,MAAM,GAAG,IAAI,mCAAmB,CAAC,eAAe,EAAE;gBAChD,UAAU,EAAE,OAAO,CAAC,qBAAqB;aAC1C,CAAC,CAAC;YACH,WAAW,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3C,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,SAAmB,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAkC,EAAE,CAAC;QAEjD,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,IAAI,eAAe,CAAC;gBACpB,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;oBAClC,eAAe,GAAG,MAAM,OAAO,CAAC,qBAAqB,CAAC,2BAA2B,CAC/E,YAAY,EACZ,QAAQ,EACR,EAAE,MAAM,EAAE,cAAc,EAAE,CAC3B,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,eAAe,GAAG;wBAChB,YAAY;wBACZ,QAAQ;wBACR,gBAAgB,EAAE,+CAAwD;qBAC3E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,eAAe,EAAE;oBAC7D,MAAM,EAAE,cAAc;iBACvB,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAgF;oBAC1F,OAAO,EAAE,6BAA6B,QAAQ,EAAE;iBACjD,CAAC;gBACF,IAAI,CAAC,YAAY,mBAAU,EAAE,CAAC;oBAC5B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;oBAC1B,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,CAAC;gBACD,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;QAClD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAe;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}
|
package/dist/cjs/wellKnown.d.ts
CHANGED
|
@@ -22,6 +22,13 @@ export interface KeycardRouterOptions {
|
|
|
22
22
|
* Default: 10 000 ms.
|
|
23
23
|
*/
|
|
24
24
|
asMetadataTimeoutMs?: number;
|
|
25
|
+
/**
|
|
26
|
+
* Public JWKS to serve at `GET /.well-known/jwks.json`.
|
|
27
|
+
* When omitted, no JWKS route is registered.
|
|
28
|
+
*/
|
|
29
|
+
publicJwks?: {
|
|
30
|
+
keys: Record<string, unknown>[];
|
|
31
|
+
};
|
|
25
32
|
}
|
|
26
33
|
/**
|
|
27
34
|
* Returns an Express Router that serves the two OAuth discovery endpoints
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wellKnown.d.ts","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;OAEG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"wellKnown.d.ts","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;OAEG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;KAAE,CAAC;CAClD;AAKD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,oBAAoB,GAAG,MAAM,CA4B3E"}
|
package/dist/cjs/wellKnown.js
CHANGED
|
@@ -2,6 +2,8 @@
|
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.keycardMetadataRouter = keycardMetadataRouter;
|
|
4
4
|
const express_1 = require("express");
|
|
5
|
+
const CORS_ALLOW_METHODS = "GET, OPTIONS";
|
|
6
|
+
const CORS_ALLOW_HEADERS = "Content-Type, MCP-Protocol-Version";
|
|
5
7
|
/**
|
|
6
8
|
* Returns an Express Router that serves the two OAuth discovery endpoints
|
|
7
9
|
* required by RFC 9728 and RFC 8414:
|
|
@@ -25,10 +27,33 @@ const express_1 = require("express");
|
|
|
25
27
|
*/
|
|
26
28
|
function keycardMetadataRouter(options) {
|
|
27
29
|
const router = (0, express_1.Router)();
|
|
30
|
+
const metadataPaths = [
|
|
31
|
+
"/.well-known/oauth-protected-resource",
|
|
32
|
+
"/.well-known/oauth-authorization-server",
|
|
33
|
+
];
|
|
28
34
|
router.get("/.well-known/oauth-protected-resource", protectedResourceHandler(options));
|
|
29
35
|
router.get("/.well-known/oauth-authorization-server", authorizationServerHandler(options.issuer, options.asMetadataTimeoutMs ?? 10_000));
|
|
36
|
+
if (options.publicJwks) {
|
|
37
|
+
metadataPaths.push("/.well-known/jwks.json");
|
|
38
|
+
router.get("/.well-known/jwks.json", jwksHandler(options.publicJwks));
|
|
39
|
+
}
|
|
40
|
+
// CORS preflight for the metadata endpoints. Browsers send OPTIONS before
|
|
41
|
+
// cross-origin GETs that include headers such as MCP-Protocol-Version.
|
|
42
|
+
router.options(metadataPaths, preflightHandler);
|
|
30
43
|
return router;
|
|
31
44
|
}
|
|
45
|
+
const preflightHandler = (_req, res) => {
|
|
46
|
+
res.set("Access-Control-Allow-Origin", "*");
|
|
47
|
+
res.set("Access-Control-Allow-Methods", CORS_ALLOW_METHODS);
|
|
48
|
+
res.set("Access-Control-Allow-Headers", CORS_ALLOW_HEADERS);
|
|
49
|
+
res.status(204).end();
|
|
50
|
+
};
|
|
51
|
+
function jwksHandler(publicJwks) {
|
|
52
|
+
return (_req, res) => {
|
|
53
|
+
res.set("Access-Control-Allow-Origin", "*");
|
|
54
|
+
res.status(200).json(publicJwks);
|
|
55
|
+
};
|
|
56
|
+
}
|
|
32
57
|
function protectedResourceHandler(options) {
|
|
33
58
|
return (req, res) => {
|
|
34
59
|
const resource = `${req.protocol}://${req.host}`;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wellKnown.js","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"wellKnown.js","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":";;AAyDA,sDA4BC;AArFD,qCAAiC;AAiCjC,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAC1C,MAAM,kBAAkB,GAAG,oCAAoC,CAAC;AAEhE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAgB,qBAAqB,CAAC,OAA6B;IACjE,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAC;IAExB,MAAM,aAAa,GAAG;QACpB,uCAAuC;QACvC,yCAAyC;KAC1C,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,uCAAuC,EACvC,wBAAwB,CAAC,OAAO,CAAC,CAClC,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,yCAAyC,EACzC,0BAA0B,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,IAAI,MAAM,CAAC,CAClF,CAAC;IAEF,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,aAAa,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,wBAAwB,EAAE,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;IACxE,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC;IAEhD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,gBAAgB,GAAmB,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACrD,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;IAC5C,GAAG,CAAC,GAAG,CAAC,8BAA8B,EAAE,kBAAkB,CAAC,CAAC;IAC5D,GAAG,CAAC,GAAG,CAAC,8BAA8B,EAAE,kBAAkB,CAAC,CAAC;IAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;AACxB,CAAC,CAAC;AAEF,SAAS,WAAW,CAAC,UAA+C;IAClE,OAAO,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QACnB,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,OAA6B;IAC7D,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,QAAQ,GAA4B;YACxC,QAAQ;YACR,qBAAqB,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACxC,CAAC;QACF,IAAI,OAAO,CAAC,YAAY;YAAE,QAAQ,CAAC,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;QACxE,IAAI,OAAO,CAAC,eAAe;YAAE,QAAQ,CAAC,gBAAgB,GAAG,CAAC,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QACtF,IAAI,OAAO,CAAC,qBAAqB;YAAE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,qBAAqB,CAAC;QAEnG,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,MAAc,EAAE,SAAiB;IACnE,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,MAAM,yCAAyC,EAClD,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAC3C,CAAC;YACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;gBAC3E,OAAO;YACT,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;YAElE,wEAAwE;YACxE,4EAA4E;YAC5E,IAAI,OAAO,QAAQ,CAAC,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBACxD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;gBACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;YACvD,CAAC;YAED,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,CAAC,CAAC,CAAC;QACV,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
|
package/dist/esm/grant.d.ts
CHANGED
|
@@ -2,6 +2,7 @@ import type { RequestHandler } from "express";
|
|
|
2
2
|
import { AccessContext } from "@keycardai/oauth/server/accessContext";
|
|
3
3
|
import type { ApplicationCredential } from "@keycardai/oauth/credentials";
|
|
4
4
|
import type { AuthenticatedRequest } from "./bearerAuth.js";
|
|
5
|
+
import type { AccessToken } from "@keycardai/oauth/server/accessToken";
|
|
5
6
|
export interface GrantedRequest extends AuthenticatedRequest {
|
|
6
7
|
accessContext: AccessContext;
|
|
7
8
|
}
|
|
@@ -12,13 +13,24 @@ export interface GrantOptions {
|
|
|
12
13
|
*/
|
|
13
14
|
zoneUrl?: string;
|
|
14
15
|
/**
|
|
15
|
-
* Keycard zone ID
|
|
16
|
-
*
|
|
16
|
+
* Keycard zone ID, or a function that resolves it from the verified
|
|
17
|
+
* access token at request time. Use the function form for multi-zone
|
|
18
|
+
* deployments where each request may target a different zone.
|
|
19
|
+
*
|
|
20
|
+
* ```ts
|
|
21
|
+
* // Static zone
|
|
22
|
+
* grant(resources, { zoneId: "zone-abc" });
|
|
23
|
+
*
|
|
24
|
+
* // Dynamic zone extracted from the token's clientId
|
|
25
|
+
* grant(resources, { zoneId: (auth) => auth.clientId });
|
|
26
|
+
* ```
|
|
17
27
|
*/
|
|
18
|
-
zoneId?: string;
|
|
28
|
+
zoneId?: string | ((auth: AccessToken) => string);
|
|
19
29
|
/**
|
|
20
30
|
* Application credential provider for authenticated token exchange.
|
|
21
|
-
*
|
|
31
|
+
* For multi-zone deployments, pass a `ClientSecret` constructed with a
|
|
32
|
+
* `Record<zoneId, [clientId, clientSecret]>` so the correct credentials
|
|
33
|
+
* are selected per request.
|
|
22
34
|
*/
|
|
23
35
|
applicationCredential?: ApplicationCredential;
|
|
24
36
|
}
|
package/dist/esm/grant.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC;AAGvE,MAAM,WAAW,cAAe,SAAQ,oBAAoB;IAC1D,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,WAAW,KAAK,MAAM,CAAC,CAAC;IAClD;;;;;OAKG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;CAC/C;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,KAAK,CACnB,SAAS,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,EACrC,OAAO,EAAE,YAAY,GACpB,cAAc,CAuGhB"}
|
package/dist/esm/grant.js
CHANGED
|
@@ -22,10 +22,16 @@ import { OAuthError, AuthProviderConfigurationError } from "@keycardai/oauth/err
|
|
|
22
22
|
* ```
|
|
23
23
|
*/
|
|
24
24
|
export function grant(resources, options) {
|
|
25
|
-
|
|
26
|
-
|
|
25
|
+
// Validate at construction time that a zone is specified.
|
|
26
|
+
const hasZoneOption = !!(options.zoneUrl || options.zoneId);
|
|
27
|
+
if (!hasZoneOption) {
|
|
27
28
|
throw new AuthProviderConfigurationError("grant: either `zoneUrl` or `zoneId` is required");
|
|
28
29
|
}
|
|
30
|
+
// Cache TokenExchangeClient instances keyed by resolved zone URL.
|
|
31
|
+
// One client per zone amortizes AS discovery (GET /.well-known/) across
|
|
32
|
+
// requests — the TokenExchangeClient already caches the token_endpoint
|
|
33
|
+
// internally after the first discovery call.
|
|
34
|
+
const clientCache = new Map();
|
|
29
35
|
return async (req, _res, next) => {
|
|
30
36
|
const authReq = req;
|
|
31
37
|
const subjectToken = authReq.auth?.token;
|
|
@@ -37,19 +43,35 @@ export function grant(resources, options) {
|
|
|
37
43
|
req.accessContext = accessCtx;
|
|
38
44
|
return next();
|
|
39
45
|
}
|
|
40
|
-
|
|
46
|
+
// Resolve zone at request time — zoneId may be a static string or a
|
|
47
|
+
// function that extracts the zone from the verified access token.
|
|
48
|
+
let resolvedZoneId;
|
|
41
49
|
try {
|
|
42
|
-
|
|
43
|
-
|
|
50
|
+
resolvedZoneId =
|
|
51
|
+
typeof options.zoneId === "function"
|
|
52
|
+
? options.zoneId(authReq.auth)
|
|
53
|
+
: options.zoneId;
|
|
44
54
|
}
|
|
45
55
|
catch (e) {
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
56
|
+
return next(e);
|
|
57
|
+
}
|
|
58
|
+
const resolvedZoneUrl = options.zoneUrl ?? buildZoneUrl(resolvedZoneId);
|
|
59
|
+
if (!resolvedZoneUrl) {
|
|
60
|
+
accessCtx.setError({ message: "Could not resolve zone URL for this request." });
|
|
50
61
|
req.accessContext = accessCtx;
|
|
51
62
|
return next();
|
|
52
63
|
}
|
|
64
|
+
// Look up or create a cached client for this zone.
|
|
65
|
+
let client = clientCache.get(resolvedZoneUrl);
|
|
66
|
+
if (!client) {
|
|
67
|
+
// Pass the credential directly so TokenExchangeClient can call
|
|
68
|
+
// getAuth(zoneId) at exchange time, enabling multi-zone credential
|
|
69
|
+
// routing without pre-resolving credentials here.
|
|
70
|
+
client = new TokenExchangeClient(resolvedZoneUrl, {
|
|
71
|
+
credential: options.applicationCredential,
|
|
72
|
+
});
|
|
73
|
+
clientCache.set(resolvedZoneUrl, client);
|
|
74
|
+
}
|
|
53
75
|
const resourceList = Array.isArray(resources)
|
|
54
76
|
? resources
|
|
55
77
|
: [resources];
|
|
@@ -58,7 +80,7 @@ export function grant(resources, options) {
|
|
|
58
80
|
try {
|
|
59
81
|
let exchangeRequest;
|
|
60
82
|
if (options.applicationCredential) {
|
|
61
|
-
exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource);
|
|
83
|
+
exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource, { zoneId: resolvedZoneId });
|
|
62
84
|
}
|
|
63
85
|
else {
|
|
64
86
|
exchangeRequest = {
|
|
@@ -67,7 +89,9 @@ export function grant(resources, options) {
|
|
|
67
89
|
subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
|
|
68
90
|
};
|
|
69
91
|
}
|
|
70
|
-
tokens[resource] = await client.exchangeToken(exchangeRequest
|
|
92
|
+
tokens[resource] = await client.exchangeToken(exchangeRequest, {
|
|
93
|
+
zoneId: resolvedZoneId,
|
|
94
|
+
});
|
|
71
95
|
}
|
|
72
96
|
catch (e) {
|
|
73
97
|
const detail = {
|
package/dist/esm/grant.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAEtE,OAAO,EAAE,UAAU,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC;
|
|
1
|
+
{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAEtE,OAAO,EAAE,UAAU,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC;AAsCrF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,KAAK,CACnB,SAAqC,EACrC,OAAqB;IAErB,0DAA0D;IAC1D,MAAM,aAAa,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,8BAA8B,CACtC,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,wEAAwE;IACxE,uEAAuE;IACvE,6CAA6C;IAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,EAA+B,CAAC;IAE3D,OAAO,KAAK,EAAE,GAAY,EAAE,IAAc,EAAE,IAAkB,EAAE,EAAE;QAChE,MAAM,OAAO,GAAG,GAA2B,CAAC;QAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;QAEzC,MAAM,SAAS,GAAG,IAAI,aAAa,EAAE,CAAC;QAEtC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,SAAS,CAAC,QAAQ,CAAC;gBACjB,OAAO,EACL,0EAA0E;aAC7E,CAAC,CAAC;YACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,oEAAoE;QACpE,kEAAkE;QAClE,IAAI,cAAkC,CAAC;QACvC,IAAI,CAAC;YACH,cAAc;gBACZ,OAAO,OAAO,CAAC,MAAM,KAAK,UAAU;oBAClC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;oBAC9B,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACvB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC;QACxE,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,SAAS,CAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC,CAAC;YAC/E,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,mDAAmD;QACnD,IAAI,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,+DAA+D;YAC/D,mEAAmE;YACnE,kDAAkD;YAClD,MAAM,GAAG,IAAI,mBAAmB,CAAC,eAAe,EAAE;gBAChD,UAAU,EAAE,OAAO,CAAC,qBAAqB;aAC1C,CAAC,CAAC;YACH,WAAW,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3C,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,SAAmB,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAkC,EAAE,CAAC;QAEjD,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,IAAI,eAAe,CAAC;gBACpB,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;oBAClC,eAAe,GAAG,MAAM,OAAO,CAAC,qBAAqB,CAAC,2BAA2B,CAC/E,YAAY,EACZ,QAAQ,EACR,EAAE,MAAM,EAAE,cAAc,EAAE,CAC3B,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,eAAe,GAAG;wBAChB,YAAY;wBACZ,QAAQ;wBACR,gBAAgB,EAAE,+CAAwD;qBAC3E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,eAAe,EAAE;oBAC7D,MAAM,EAAE,cAAc;iBACvB,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAgF;oBAC1F,OAAO,EAAE,6BAA6B,QAAQ,EAAE;iBACjD,CAAC;gBACF,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;oBAC5B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;oBAC1B,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,CAAC;gBACD,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;QAClD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAe;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}
|
package/dist/esm/wellKnown.d.ts
CHANGED
|
@@ -22,6 +22,13 @@ export interface KeycardRouterOptions {
|
|
|
22
22
|
* Default: 10 000 ms.
|
|
23
23
|
*/
|
|
24
24
|
asMetadataTimeoutMs?: number;
|
|
25
|
+
/**
|
|
26
|
+
* Public JWKS to serve at `GET /.well-known/jwks.json`.
|
|
27
|
+
* When omitted, no JWKS route is registered.
|
|
28
|
+
*/
|
|
29
|
+
publicJwks?: {
|
|
30
|
+
keys: Record<string, unknown>[];
|
|
31
|
+
};
|
|
25
32
|
}
|
|
26
33
|
/**
|
|
27
34
|
* Returns an Express Router that serves the two OAuth discovery endpoints
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wellKnown.d.ts","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;OAEG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"wellKnown.d.ts","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;OAEG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;KAAE,CAAC;CAClD;AAKD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,oBAAoB,GAAG,MAAM,CA4B3E"}
|
package/dist/esm/wellKnown.js
CHANGED
|
@@ -1,4 +1,6 @@
|
|
|
1
1
|
import { Router } from "express";
|
|
2
|
+
const CORS_ALLOW_METHODS = "GET, OPTIONS";
|
|
3
|
+
const CORS_ALLOW_HEADERS = "Content-Type, MCP-Protocol-Version";
|
|
2
4
|
/**
|
|
3
5
|
* Returns an Express Router that serves the two OAuth discovery endpoints
|
|
4
6
|
* required by RFC 9728 and RFC 8414:
|
|
@@ -22,10 +24,33 @@ import { Router } from "express";
|
|
|
22
24
|
*/
|
|
23
25
|
export function keycardMetadataRouter(options) {
|
|
24
26
|
const router = Router();
|
|
27
|
+
const metadataPaths = [
|
|
28
|
+
"/.well-known/oauth-protected-resource",
|
|
29
|
+
"/.well-known/oauth-authorization-server",
|
|
30
|
+
];
|
|
25
31
|
router.get("/.well-known/oauth-protected-resource", protectedResourceHandler(options));
|
|
26
32
|
router.get("/.well-known/oauth-authorization-server", authorizationServerHandler(options.issuer, options.asMetadataTimeoutMs ?? 10_000));
|
|
33
|
+
if (options.publicJwks) {
|
|
34
|
+
metadataPaths.push("/.well-known/jwks.json");
|
|
35
|
+
router.get("/.well-known/jwks.json", jwksHandler(options.publicJwks));
|
|
36
|
+
}
|
|
37
|
+
// CORS preflight for the metadata endpoints. Browsers send OPTIONS before
|
|
38
|
+
// cross-origin GETs that include headers such as MCP-Protocol-Version.
|
|
39
|
+
router.options(metadataPaths, preflightHandler);
|
|
27
40
|
return router;
|
|
28
41
|
}
|
|
42
|
+
const preflightHandler = (_req, res) => {
|
|
43
|
+
res.set("Access-Control-Allow-Origin", "*");
|
|
44
|
+
res.set("Access-Control-Allow-Methods", CORS_ALLOW_METHODS);
|
|
45
|
+
res.set("Access-Control-Allow-Headers", CORS_ALLOW_HEADERS);
|
|
46
|
+
res.status(204).end();
|
|
47
|
+
};
|
|
48
|
+
function jwksHandler(publicJwks) {
|
|
49
|
+
return (_req, res) => {
|
|
50
|
+
res.set("Access-Control-Allow-Origin", "*");
|
|
51
|
+
res.status(200).json(publicJwks);
|
|
52
|
+
};
|
|
53
|
+
}
|
|
29
54
|
function protectedResourceHandler(options) {
|
|
30
55
|
return (req, res) => {
|
|
31
56
|
const resource = `${req.protocol}://${req.host}`;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wellKnown.js","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"wellKnown.js","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAiCjC,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAC1C,MAAM,kBAAkB,GAAG,oCAAoC,CAAC;AAEhE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAA6B;IACjE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IAExB,MAAM,aAAa,GAAG;QACpB,uCAAuC;QACvC,yCAAyC;KAC1C,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,uCAAuC,EACvC,wBAAwB,CAAC,OAAO,CAAC,CAClC,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,yCAAyC,EACzC,0BAA0B,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,IAAI,MAAM,CAAC,CAClF,CAAC;IAEF,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,aAAa,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,wBAAwB,EAAE,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;IACxE,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC;IAEhD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,gBAAgB,GAAmB,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACrD,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;IAC5C,GAAG,CAAC,GAAG,CAAC,8BAA8B,EAAE,kBAAkB,CAAC,CAAC;IAC5D,GAAG,CAAC,GAAG,CAAC,8BAA8B,EAAE,kBAAkB,CAAC,CAAC;IAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;AACxB,CAAC,CAAC;AAEF,SAAS,WAAW,CAAC,UAA+C;IAClE,OAAO,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QACnB,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,OAA6B;IAC7D,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,QAAQ,GAA4B;YACxC,QAAQ;YACR,qBAAqB,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACxC,CAAC;QACF,IAAI,OAAO,CAAC,YAAY;YAAE,QAAQ,CAAC,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;QACxE,IAAI,OAAO,CAAC,eAAe;YAAE,QAAQ,CAAC,gBAAgB,GAAG,CAAC,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QACtF,IAAI,OAAO,CAAC,qBAAqB;YAAE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,qBAAqB,CAAC;QAEnG,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,MAAc,EAAE,SAAiB;IACnE,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,MAAM,yCAAyC,EAClD,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAC3C,CAAC;YACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;gBAC3E,OAAO;YACT,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;YAElE,wEAAwE;YACxE,4EAA4E;YAC5E,IAAI,OAAO,QAAQ,CAAC,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBACxD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;gBACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;YACvD,CAAC;YAED,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,CAAC,CAAC,CAAC;QACV,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@keycardai/express",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.4.0",
|
|
4
4
|
"description": "[Preview] Keycard auth middleware for Express: bearer token validation, RFC 6750 challenges, delegated token exchange, and OAuth discovery routes",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|
|
@@ -26,16 +26,8 @@
|
|
|
26
26
|
]
|
|
27
27
|
}
|
|
28
28
|
},
|
|
29
|
-
"scripts": {
|
|
30
|
-
"build": "pnpm run build:esm && pnpm run build:cjs",
|
|
31
|
-
"build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
|
|
32
|
-
"build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
|
|
33
|
-
"test": "NODE_OPTIONS='--experimental-vm-modules' jest",
|
|
34
|
-
"typecheck": "tsc --noEmit",
|
|
35
|
-
"clean": "rm -rf dist"
|
|
36
|
-
},
|
|
37
29
|
"dependencies": {
|
|
38
|
-
"@keycardai/oauth": "
|
|
30
|
+
"@keycardai/oauth": "0.16.0"
|
|
39
31
|
},
|
|
40
32
|
"peerDependencies": {
|
|
41
33
|
"express": ">=4.0.0"
|
|
@@ -49,5 +41,13 @@
|
|
|
49
41
|
"supertest": "^7.1.1",
|
|
50
42
|
"ts-jest": "^29.4.0",
|
|
51
43
|
"typescript": "^5.8.3"
|
|
44
|
+
},
|
|
45
|
+
"scripts": {
|
|
46
|
+
"build": "pnpm run build:esm && pnpm run build:cjs",
|
|
47
|
+
"build:esm": "tsc -p tsconfig.prod.json && echo '{\"type\": \"module\"}' > dist/esm/package.json",
|
|
48
|
+
"build:cjs": "tsc -p tsconfig.cjs.json && echo '{\"type\": \"commonjs\"}' > dist/cjs/package.json",
|
|
49
|
+
"test": "NODE_OPTIONS='--experimental-vm-modules' jest",
|
|
50
|
+
"typecheck": "tsc --noEmit",
|
|
51
|
+
"clean": "rm -rf dist"
|
|
52
52
|
}
|
|
53
|
-
}
|
|
53
|
+
}
|