@keycardai/express 0.3.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +5 -17
- package/README.md +28 -3
- package/dist/cjs/grant.d.ts +23 -1
- package/dist/cjs/grant.d.ts.map +1 -1
- package/dist/cjs/grant.js +45 -6
- package/dist/cjs/grant.js.map +1 -1
- package/dist/cjs/wellKnown.d.ts +7 -0
- package/dist/cjs/wellKnown.d.ts.map +1 -1
- package/dist/cjs/wellKnown.js +25 -0
- package/dist/cjs/wellKnown.js.map +1 -1
- package/dist/esm/grant.d.ts +23 -1
- package/dist/esm/grant.d.ts.map +1 -1
- package/dist/esm/grant.js +45 -6
- package/dist/esm/grant.js.map +1 -1
- package/dist/esm/wellKnown.d.ts +7 -0
- package/dist/esm/wellKnown.d.ts.map +1 -1
- package/dist/esm/wellKnown.js +25 -0
- package/dist/esm/wellKnown.js.map +1 -1
- package/package.json +2 -2
package/LICENSE
CHANGED
|
@@ -1,21 +1,9 @@
|
|
|
1
|
-
MIT
|
|
1
|
+
MIT LICENSE
|
|
2
2
|
|
|
3
|
-
Copyright
|
|
3
|
+
Copyright © 2026 Keycard Labs, inc.
|
|
4
4
|
|
|
5
|
-
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
-
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
-
in the Software without restriction, including without limitation the rights
|
|
8
|
-
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
-
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
-
furnished to do so, subject to the following conditions:
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
|
11
6
|
|
|
12
|
-
The above copyright notice and this permission notice shall be included in all
|
|
13
|
-
copies or substantial portions of the Software.
|
|
7
|
+
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
|
14
8
|
|
|
15
|
-
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
-
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
-
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
-
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
-
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
-
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
-
SOFTWARE.
|
|
9
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
package/README.md
CHANGED
|
@@ -20,7 +20,7 @@ import { requireBearerAuth } from "@keycardai/express";
|
|
|
20
20
|
|
|
21
21
|
const app = express();
|
|
22
22
|
|
|
23
|
-
app.use(requireBearerAuth({
|
|
23
|
+
app.use(requireBearerAuth({ zoneUrl: "https://your-zone.keycard.cloud" }));
|
|
24
24
|
|
|
25
25
|
app.get("/api/data", (req, res) => {
|
|
26
26
|
// req.auth is AccessToken: { token, clientId, scopes, ... }
|
|
@@ -36,7 +36,7 @@ import { ClientSecret } from "@keycardai/oauth/server";
|
|
|
36
36
|
|
|
37
37
|
const credential = new ClientSecret("your-client-id", "your-client-secret");
|
|
38
38
|
|
|
39
|
-
app.use(requireBearerAuth({
|
|
39
|
+
app.use(requireBearerAuth({ zoneUrl: "https://your-zone.keycard.cloud" }));
|
|
40
40
|
app.use(grant(["https://graph.microsoft.com"], {
|
|
41
41
|
zoneUrl: "https://your-zone.keycard.cloud",
|
|
42
42
|
applicationCredential: credential,
|
|
@@ -49,6 +49,29 @@ app.get("/api/email", async (req, res) => {
|
|
|
49
49
|
});
|
|
50
50
|
```
|
|
51
51
|
|
|
52
|
+
For multi-zone deployments, pass a zone-keyed `ClientSecret` and resolve the zone from each request's verified token:
|
|
53
|
+
|
|
54
|
+
```typescript
|
|
55
|
+
import { requireBearerAuth, grant } from "@keycardai/express";
|
|
56
|
+
import { ClientSecret } from "@keycardai/oauth/server";
|
|
57
|
+
|
|
58
|
+
const credential = new ClientSecret({
|
|
59
|
+
"zone-a": ["client-id-a", "client-secret-a"],
|
|
60
|
+
"zone-b": ["client-id-b", "client-secret-b"],
|
|
61
|
+
});
|
|
62
|
+
|
|
63
|
+
app.use(requireBearerAuth({ zoneUrl: "https://base-zone.keycard.cloud", enableMultiZone: true }));
|
|
64
|
+
|
|
65
|
+
// zoneId accepts a function that receives the verified AccessToken and
|
|
66
|
+
// returns the zone identifier for this request. AccessToken has no
|
|
67
|
+
// dedicated zone field — use whichever field encodes zone context in
|
|
68
|
+
// your deployment (e.g. a zone-prefixed clientId, or a custom claim).
|
|
69
|
+
app.use(grant(["https://api.example.com"], {
|
|
70
|
+
zoneId: (auth) => auth.clientId,
|
|
71
|
+
applicationCredential: credential,
|
|
72
|
+
}));
|
|
73
|
+
```
|
|
74
|
+
|
|
52
75
|
### Add OAuth discovery routes
|
|
53
76
|
|
|
54
77
|
```typescript
|
|
@@ -65,8 +88,9 @@ app.use(keycardMetadataRouter({ issuer: "https://your-zone.keycard.cloud" }));
|
|
|
65
88
|
| Export | Description |
|
|
66
89
|
|---|---|
|
|
67
90
|
| `requireBearerAuth(options)` | Middleware factory that validates a Bearer token and sets `req.auth: AccessToken`. Returns 401 with RFC 6750 `WWW-Authenticate` challenge on failure. |
|
|
68
|
-
| `grant(resources, options)` | Middleware factory that exchanges the bearer token for per-resource access tokens and sets `req.accessContext: AccessContext`. Must run after `requireBearerAuth`. |
|
|
91
|
+
| `grant(resources, options)` | Middleware factory that exchanges the bearer token for per-resource access tokens and sets `req.accessContext: AccessContext`. Must run after `requireBearerAuth`. `zoneId` accepts a static string or a function `(auth: AccessToken) => string` for per-request zone resolution. |
|
|
69
92
|
| `keycardMetadataRouter(options)` | Returns an Express Router with `/.well-known/oauth-protected-resource` and `/.well-known/oauth-authorization-server` routes. |
|
|
93
|
+
| `createKeycardMiddleware(options)` | Factory that returns pre-configured `{ requireBearerAuth(), grant() }` sharing a single zone config. You still need `keycardMetadataRouter` for discovery routes. |
|
|
70
94
|
| `AuthenticatedRequest` | `Request` extended with `auth: AccessToken`. |
|
|
71
95
|
| `GrantedRequest` | `Request` extended with `auth: AccessToken` and `accessContext: AccessContext`. |
|
|
72
96
|
|
|
@@ -74,4 +98,5 @@ app.use(keycardMetadataRouter({ issuer: "https://your-zone.keycard.cloud" }));
|
|
|
74
98
|
|
|
75
99
|
- [`@keycardai/oauth`](../oauth/) — Framework-free OAuth primitives this package builds on
|
|
76
100
|
- [`@keycardai/mcp`](../mcp/) — MCP-specific OAuth integration
|
|
101
|
+
- [`@keycardai/a2a`](../a2a/) — Agent-to-agent (A2A) protocol integration
|
|
77
102
|
- [Keycard TypeScript SDK](../../README.md) — Root documentation
|
package/dist/cjs/grant.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import type { RequestHandler } from "express";
|
|
1
|
+
import type { Request, RequestHandler } from "express";
|
|
2
2
|
import { AccessContext } from "@keycardai/oauth/server/accessContext";
|
|
3
3
|
import type { ApplicationCredential } from "@keycardai/oauth/credentials";
|
|
4
4
|
import type { AuthenticatedRequest } from "./bearerAuth.js";
|
|
@@ -33,6 +33,22 @@ export interface GrantOptions {
|
|
|
33
33
|
* are selected per request.
|
|
34
34
|
*/
|
|
35
35
|
applicationCredential?: ApplicationCredential;
|
|
36
|
+
/**
|
|
37
|
+
* Resolver for the user identity to impersonate. When set, each
|
|
38
|
+
* per-resource exchange uses the substitute-user impersonation flow
|
|
39
|
+
* (`TokenExchangeClient.impersonate`) with the resolved identifier
|
|
40
|
+
* instead of exchanging the caller's bearer token. The resolver runs
|
|
41
|
+
* once per request and may be async.
|
|
42
|
+
*
|
|
43
|
+
* ```ts
|
|
44
|
+
* grant(resources, {
|
|
45
|
+
* zoneUrl,
|
|
46
|
+
* applicationCredential,
|
|
47
|
+
* userIdentifier: (req) => req.auth.subject,
|
|
48
|
+
* });
|
|
49
|
+
* ```
|
|
50
|
+
*/
|
|
51
|
+
userIdentifier?: (req: Request) => string | Promise<string>;
|
|
36
52
|
}
|
|
37
53
|
/**
|
|
38
54
|
* Express middleware factory for delegated token exchange (RFC 8693).
|
|
@@ -45,6 +61,12 @@ export interface GrantOptions {
|
|
|
45
61
|
* `TokenResponse` for that resource. On partial failure, some resources
|
|
46
62
|
* may have errors while others succeed.
|
|
47
63
|
*
|
|
64
|
+
* If the request carries no verified bearer token, responds 401 with an
|
|
65
|
+
* RFC 6750 `WWW-Authenticate` challenge; the handler does not run.
|
|
66
|
+
*
|
|
67
|
+
* Multiple `grant()` middlewares may be stacked: each merges its
|
|
68
|
+
* per-resource tokens and errors into the existing `req.accessContext`.
|
|
69
|
+
*
|
|
48
70
|
* ```ts
|
|
49
71
|
* app.use(requireBearerAuth({ issuer: "https://zone.keycard.cloud" }));
|
|
50
72
|
* app.use(grant(["https://graph.microsoft.com"], { zoneUrl: "https://zone.keycard.cloud" }));
|
package/dist/cjs/grant.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,
|
|
1
|
+
{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAA0B,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC;AAGvE,MAAM,WAAW,cAAe,SAAQ,oBAAoB;IAC1D,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,WAAW,KAAK,MAAM,CAAC,CAAC;IAClD;;;;;OAKG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;IAC9C;;;;;;;;;;;;;;OAcG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC7D;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,KAAK,CACnB,SAAS,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,EACrC,OAAO,EAAE,YAAY,GACpB,cAAc,CAyIhB"}
|
package/dist/cjs/grant.js
CHANGED
|
@@ -15,6 +15,12 @@ const errors_1 = require("@keycardai/oauth/errors");
|
|
|
15
15
|
* `TokenResponse` for that resource. On partial failure, some resources
|
|
16
16
|
* may have errors while others succeed.
|
|
17
17
|
*
|
|
18
|
+
* If the request carries no verified bearer token, responds 401 with an
|
|
19
|
+
* RFC 6750 `WWW-Authenticate` challenge; the handler does not run.
|
|
20
|
+
*
|
|
21
|
+
* Multiple `grant()` middlewares may be stacked: each merges its
|
|
22
|
+
* per-resource tokens and errors into the existing `req.accessContext`.
|
|
23
|
+
*
|
|
18
24
|
* ```ts
|
|
19
25
|
* app.use(requireBearerAuth({ issuer: "https://zone.keycard.cloud" }));
|
|
20
26
|
* app.use(grant(["https://graph.microsoft.com"], { zoneUrl: "https://zone.keycard.cloud" }));
|
|
@@ -35,17 +41,25 @@ function grant(resources, options) {
|
|
|
35
41
|
// requests — the TokenExchangeClient already caches the token_endpoint
|
|
36
42
|
// internally after the first discovery call.
|
|
37
43
|
const clientCache = new Map();
|
|
38
|
-
return async (req,
|
|
44
|
+
return async (req, res, next) => {
|
|
39
45
|
const authReq = req;
|
|
40
46
|
const subjectToken = authReq.auth?.token;
|
|
41
|
-
const accessCtx = new accessContext_1.AccessContext();
|
|
42
47
|
if (!subjectToken) {
|
|
43
|
-
|
|
44
|
-
|
|
48
|
+
// Unauthenticated request: respond 401 with an RFC 6750 challenge
|
|
49
|
+
// (same shape as requireBearerAuth) without invoking the handler.
|
|
50
|
+
const resourceMetadataUrl = `${req.protocol}://${req.host}/.well-known/oauth-protected-resource`;
|
|
51
|
+
res.set("WWW-Authenticate", `Bearer resource_metadata="${resourceMetadataUrl}"`);
|
|
52
|
+
res.status(401).json({
|
|
53
|
+
error: "invalid_request",
|
|
54
|
+
error_description: "Missing bearer token. Ensure requireBearerAuth() runs before grant().",
|
|
45
55
|
});
|
|
46
|
-
|
|
47
|
-
return next();
|
|
56
|
+
return;
|
|
48
57
|
}
|
|
58
|
+
// Reuse an existing context so stacked grant() middlewares accumulate
|
|
59
|
+
// per-resource tokens and errors instead of replacing earlier results.
|
|
60
|
+
const accessCtx = req.accessContext instanceof accessContext_1.AccessContext
|
|
61
|
+
? req.accessContext
|
|
62
|
+
: new accessContext_1.AccessContext();
|
|
49
63
|
// Resolve zone at request time — zoneId may be a static string or a
|
|
50
64
|
// function that extracts the zone from the verified access token.
|
|
51
65
|
let resolvedZoneId;
|
|
@@ -79,8 +93,33 @@ function grant(resources, options) {
|
|
|
79
93
|
? resources
|
|
80
94
|
: [resources];
|
|
81
95
|
const tokens = {};
|
|
96
|
+
// Resolve the impersonation target once per request. A resolver failure
|
|
97
|
+
// is recorded as a global error; the handler still runs and access()
|
|
98
|
+
// surfaces the failure.
|
|
99
|
+
let resolvedUserIdentifier;
|
|
100
|
+
if (options.userIdentifier) {
|
|
101
|
+
try {
|
|
102
|
+
resolvedUserIdentifier = await options.userIdentifier(req);
|
|
103
|
+
}
|
|
104
|
+
catch (e) {
|
|
105
|
+
accessCtx.setError({
|
|
106
|
+
message: "Failed to resolve userIdentifier.",
|
|
107
|
+
rawError: String(e),
|
|
108
|
+
});
|
|
109
|
+
req.accessContext = accessCtx;
|
|
110
|
+
return next();
|
|
111
|
+
}
|
|
112
|
+
}
|
|
82
113
|
for (const resource of resourceList) {
|
|
83
114
|
try {
|
|
115
|
+
if (resolvedUserIdentifier !== undefined) {
|
|
116
|
+
tokens[resource] = await client.impersonate({
|
|
117
|
+
userIdentifier: resolvedUserIdentifier,
|
|
118
|
+
resource,
|
|
119
|
+
zoneId: resolvedZoneId,
|
|
120
|
+
});
|
|
121
|
+
continue;
|
|
122
|
+
}
|
|
84
123
|
let exchangeRequest;
|
|
85
124
|
if (options.applicationCredential) {
|
|
86
125
|
exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource, { zoneId: resolvedZoneId });
|
package/dist/cjs/grant.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":";;AAoFA,sBA4IC;AA/ND,kEAAqE;AACrE,yEAAsE;AAEtE,oDAAqF;AAsDrF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,SAAgB,KAAK,CACnB,SAAqC,EACrC,OAAqB;IAErB,0DAA0D;IAC1D,MAAM,aAAa,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,uCAA8B,CACtC,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,wEAAwE;IACxE,uEAAuE;IACvE,6CAA6C;IAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,EAA+B,CAAC;IAE3D,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,MAAM,OAAO,GAAG,GAA2B,CAAC;QAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;QAEzC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,kEAAkE;YAClE,kEAAkE;YAClE,MAAM,mBAAmB,GAAG,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,uCAAuC,CAAC;YACjG,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,6BAA6B,mBAAmB,GAAG,CAAC,CAAC;YACjF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,iBAAiB;gBACxB,iBAAiB,EACf,uEAAuE;aAC1E,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,uEAAuE;QACvE,MAAM,SAAS,GACZ,GAAsB,CAAC,aAAa,YAAY,6BAAa;YAC5D,CAAC,CAAE,GAAsB,CAAC,aAAa;YACvC,CAAC,CAAC,IAAI,6BAAa,EAAE,CAAC;QAE1B,oEAAoE;QACpE,kEAAkE;QAClE,IAAI,cAAkC,CAAC;QACvC,IAAI,CAAC;YACH,cAAc;gBACZ,OAAO,OAAO,CAAC,MAAM,KAAK,UAAU;oBAClC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;oBAC9B,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACvB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC;QACxE,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,SAAS,CAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC,CAAC;YAC/E,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,mDAAmD;QACnD,IAAI,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,+DAA+D;YAC/D,mEAAmE;YACnE,kDAAkD;YAClD,MAAM,GAAG,IAAI,mCAAmB,CAAC,eAAe,EAAE;gBAChD,UAAU,EAAE,OAAO,CAAC,qBAAqB;aAC1C,CAAC,CAAC;YACH,WAAW,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3C,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,SAAmB,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAkC,EAAE,CAAC;QAEjD,wEAAwE;QACxE,qEAAqE;QACrE,wBAAwB;QACxB,IAAI,sBAA0C,CAAC;QAC/C,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,sBAAsB,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YAC7D,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,SAAS,CAAC,QAAQ,CAAC;oBACjB,OAAO,EAAE,mCAAmC;oBAC5C,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;iBACpB,CAAC,CAAC;gBACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;gBAClD,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;QACH,CAAC;QAED,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,IAAI,sBAAsB,KAAK,SAAS,EAAE,CAAC;oBACzC,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC;wBAC1C,cAAc,EAAE,sBAAsB;wBACtC,QAAQ;wBACR,MAAM,EAAE,cAAc;qBACvB,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;gBACD,IAAI,eAAe,CAAC;gBACpB,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;oBAClC,eAAe,GAAG,MAAM,OAAO,CAAC,qBAAqB,CAAC,2BAA2B,CAC/E,YAAY,EACZ,QAAQ,EACR,EAAE,MAAM,EAAE,cAAc,EAAE,CAC3B,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,eAAe,GAAG;wBAChB,YAAY;wBACZ,QAAQ;wBACR,gBAAgB,EAAE,+CAAwD;qBAC3E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,eAAe,EAAE;oBAC7D,MAAM,EAAE,cAAc;iBACvB,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAgF;oBAC1F,OAAO,EAAE,6BAA6B,QAAQ,EAAE;iBACjD,CAAC;gBACF,IAAI,CAAC,YAAY,mBAAU,EAAE,CAAC;oBAC5B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;oBAC1B,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,CAAC;gBACD,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;QAClD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAe;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}
|
package/dist/cjs/wellKnown.d.ts
CHANGED
|
@@ -22,6 +22,13 @@ export interface KeycardRouterOptions {
|
|
|
22
22
|
* Default: 10 000 ms.
|
|
23
23
|
*/
|
|
24
24
|
asMetadataTimeoutMs?: number;
|
|
25
|
+
/**
|
|
26
|
+
* Public JWKS to serve at `GET /.well-known/jwks.json`.
|
|
27
|
+
* When omitted, no JWKS route is registered.
|
|
28
|
+
*/
|
|
29
|
+
publicJwks?: {
|
|
30
|
+
keys: Record<string, unknown>[];
|
|
31
|
+
};
|
|
25
32
|
}
|
|
26
33
|
/**
|
|
27
34
|
* Returns an Express Router that serves the two OAuth discovery endpoints
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wellKnown.d.ts","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;OAEG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"wellKnown.d.ts","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;OAEG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;KAAE,CAAC;CAClD;AAKD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,oBAAoB,GAAG,MAAM,CA4B3E"}
|
package/dist/cjs/wellKnown.js
CHANGED
|
@@ -2,6 +2,8 @@
|
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.keycardMetadataRouter = keycardMetadataRouter;
|
|
4
4
|
const express_1 = require("express");
|
|
5
|
+
const CORS_ALLOW_METHODS = "GET, OPTIONS";
|
|
6
|
+
const CORS_ALLOW_HEADERS = "Content-Type, MCP-Protocol-Version";
|
|
5
7
|
/**
|
|
6
8
|
* Returns an Express Router that serves the two OAuth discovery endpoints
|
|
7
9
|
* required by RFC 9728 and RFC 8414:
|
|
@@ -25,10 +27,33 @@ const express_1 = require("express");
|
|
|
25
27
|
*/
|
|
26
28
|
function keycardMetadataRouter(options) {
|
|
27
29
|
const router = (0, express_1.Router)();
|
|
30
|
+
const metadataPaths = [
|
|
31
|
+
"/.well-known/oauth-protected-resource",
|
|
32
|
+
"/.well-known/oauth-authorization-server",
|
|
33
|
+
];
|
|
28
34
|
router.get("/.well-known/oauth-protected-resource", protectedResourceHandler(options));
|
|
29
35
|
router.get("/.well-known/oauth-authorization-server", authorizationServerHandler(options.issuer, options.asMetadataTimeoutMs ?? 10_000));
|
|
36
|
+
if (options.publicJwks) {
|
|
37
|
+
metadataPaths.push("/.well-known/jwks.json");
|
|
38
|
+
router.get("/.well-known/jwks.json", jwksHandler(options.publicJwks));
|
|
39
|
+
}
|
|
40
|
+
// CORS preflight for the metadata endpoints. Browsers send OPTIONS before
|
|
41
|
+
// cross-origin GETs that include headers such as MCP-Protocol-Version.
|
|
42
|
+
router.options(metadataPaths, preflightHandler);
|
|
30
43
|
return router;
|
|
31
44
|
}
|
|
45
|
+
const preflightHandler = (_req, res) => {
|
|
46
|
+
res.set("Access-Control-Allow-Origin", "*");
|
|
47
|
+
res.set("Access-Control-Allow-Methods", CORS_ALLOW_METHODS);
|
|
48
|
+
res.set("Access-Control-Allow-Headers", CORS_ALLOW_HEADERS);
|
|
49
|
+
res.status(204).end();
|
|
50
|
+
};
|
|
51
|
+
function jwksHandler(publicJwks) {
|
|
52
|
+
return (_req, res) => {
|
|
53
|
+
res.set("Access-Control-Allow-Origin", "*");
|
|
54
|
+
res.status(200).json(publicJwks);
|
|
55
|
+
};
|
|
56
|
+
}
|
|
32
57
|
function protectedResourceHandler(options) {
|
|
33
58
|
return (req, res) => {
|
|
34
59
|
const resource = `${req.protocol}://${req.host}`;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wellKnown.js","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"wellKnown.js","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":";;AAyDA,sDA4BC;AArFD,qCAAiC;AAiCjC,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAC1C,MAAM,kBAAkB,GAAG,oCAAoC,CAAC;AAEhE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAgB,qBAAqB,CAAC,OAA6B;IACjE,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAC;IAExB,MAAM,aAAa,GAAG;QACpB,uCAAuC;QACvC,yCAAyC;KAC1C,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,uCAAuC,EACvC,wBAAwB,CAAC,OAAO,CAAC,CAClC,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,yCAAyC,EACzC,0BAA0B,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,IAAI,MAAM,CAAC,CAClF,CAAC;IAEF,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,aAAa,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,wBAAwB,EAAE,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;IACxE,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC;IAEhD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,gBAAgB,GAAmB,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACrD,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;IAC5C,GAAG,CAAC,GAAG,CAAC,8BAA8B,EAAE,kBAAkB,CAAC,CAAC;IAC5D,GAAG,CAAC,GAAG,CAAC,8BAA8B,EAAE,kBAAkB,CAAC,CAAC;IAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;AACxB,CAAC,CAAC;AAEF,SAAS,WAAW,CAAC,UAA+C;IAClE,OAAO,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QACnB,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,OAA6B;IAC7D,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,QAAQ,GAA4B;YACxC,QAAQ;YACR,qBAAqB,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACxC,CAAC;QACF,IAAI,OAAO,CAAC,YAAY;YAAE,QAAQ,CAAC,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;QACxE,IAAI,OAAO,CAAC,eAAe;YAAE,QAAQ,CAAC,gBAAgB,GAAG,CAAC,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QACtF,IAAI,OAAO,CAAC,qBAAqB;YAAE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,qBAAqB,CAAC;QAEnG,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,MAAc,EAAE,SAAiB;IACnE,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,MAAM,yCAAyC,EAClD,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAC3C,CAAC;YACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;gBAC3E,OAAO;YACT,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;YAElE,wEAAwE;YACxE,4EAA4E;YAC5E,IAAI,OAAO,QAAQ,CAAC,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBACxD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;gBACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;YACvD,CAAC;YAED,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,CAAC,CAAC,CAAC;QACV,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
|
package/dist/esm/grant.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import type { RequestHandler } from "express";
|
|
1
|
+
import type { Request, RequestHandler } from "express";
|
|
2
2
|
import { AccessContext } from "@keycardai/oauth/server/accessContext";
|
|
3
3
|
import type { ApplicationCredential } from "@keycardai/oauth/credentials";
|
|
4
4
|
import type { AuthenticatedRequest } from "./bearerAuth.js";
|
|
@@ -33,6 +33,22 @@ export interface GrantOptions {
|
|
|
33
33
|
* are selected per request.
|
|
34
34
|
*/
|
|
35
35
|
applicationCredential?: ApplicationCredential;
|
|
36
|
+
/**
|
|
37
|
+
* Resolver for the user identity to impersonate. When set, each
|
|
38
|
+
* per-resource exchange uses the substitute-user impersonation flow
|
|
39
|
+
* (`TokenExchangeClient.impersonate`) with the resolved identifier
|
|
40
|
+
* instead of exchanging the caller's bearer token. The resolver runs
|
|
41
|
+
* once per request and may be async.
|
|
42
|
+
*
|
|
43
|
+
* ```ts
|
|
44
|
+
* grant(resources, {
|
|
45
|
+
* zoneUrl,
|
|
46
|
+
* applicationCredential,
|
|
47
|
+
* userIdentifier: (req) => req.auth.subject,
|
|
48
|
+
* });
|
|
49
|
+
* ```
|
|
50
|
+
*/
|
|
51
|
+
userIdentifier?: (req: Request) => string | Promise<string>;
|
|
36
52
|
}
|
|
37
53
|
/**
|
|
38
54
|
* Express middleware factory for delegated token exchange (RFC 8693).
|
|
@@ -45,6 +61,12 @@ export interface GrantOptions {
|
|
|
45
61
|
* `TokenResponse` for that resource. On partial failure, some resources
|
|
46
62
|
* may have errors while others succeed.
|
|
47
63
|
*
|
|
64
|
+
* If the request carries no verified bearer token, responds 401 with an
|
|
65
|
+
* RFC 6750 `WWW-Authenticate` challenge; the handler does not run.
|
|
66
|
+
*
|
|
67
|
+
* Multiple `grant()` middlewares may be stacked: each merges its
|
|
68
|
+
* per-resource tokens and errors into the existing `req.accessContext`.
|
|
69
|
+
*
|
|
48
70
|
* ```ts
|
|
49
71
|
* app.use(requireBearerAuth({ issuer: "https://zone.keycard.cloud" }));
|
|
50
72
|
* app.use(grant(["https://graph.microsoft.com"], { zoneUrl: "https://zone.keycard.cloud" }));
|
package/dist/esm/grant.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,
|
|
1
|
+
{"version":3,"file":"grant.d.ts","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAA0B,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AACtE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC;AAGvE,MAAM,WAAW,cAAe,SAAQ,oBAAoB;IAC1D,aAAa,EAAE,aAAa,CAAC;CAC9B;AAED,MAAM,WAAW,YAAY;IAC3B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,WAAW,KAAK,MAAM,CAAC,CAAC;IAClD;;;;;OAKG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;IAC9C;;;;;;;;;;;;;;OAcG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC7D;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,KAAK,CACnB,SAAS,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,EACrC,OAAO,EAAE,YAAY,GACpB,cAAc,CAyIhB"}
|
package/dist/esm/grant.js
CHANGED
|
@@ -12,6 +12,12 @@ import { OAuthError, AuthProviderConfigurationError } from "@keycardai/oauth/err
|
|
|
12
12
|
* `TokenResponse` for that resource. On partial failure, some resources
|
|
13
13
|
* may have errors while others succeed.
|
|
14
14
|
*
|
|
15
|
+
* If the request carries no verified bearer token, responds 401 with an
|
|
16
|
+
* RFC 6750 `WWW-Authenticate` challenge; the handler does not run.
|
|
17
|
+
*
|
|
18
|
+
* Multiple `grant()` middlewares may be stacked: each merges its
|
|
19
|
+
* per-resource tokens and errors into the existing `req.accessContext`.
|
|
20
|
+
*
|
|
15
21
|
* ```ts
|
|
16
22
|
* app.use(requireBearerAuth({ issuer: "https://zone.keycard.cloud" }));
|
|
17
23
|
* app.use(grant(["https://graph.microsoft.com"], { zoneUrl: "https://zone.keycard.cloud" }));
|
|
@@ -32,17 +38,25 @@ export function grant(resources, options) {
|
|
|
32
38
|
// requests — the TokenExchangeClient already caches the token_endpoint
|
|
33
39
|
// internally after the first discovery call.
|
|
34
40
|
const clientCache = new Map();
|
|
35
|
-
return async (req,
|
|
41
|
+
return async (req, res, next) => {
|
|
36
42
|
const authReq = req;
|
|
37
43
|
const subjectToken = authReq.auth?.token;
|
|
38
|
-
const accessCtx = new AccessContext();
|
|
39
44
|
if (!subjectToken) {
|
|
40
|
-
|
|
41
|
-
|
|
45
|
+
// Unauthenticated request: respond 401 with an RFC 6750 challenge
|
|
46
|
+
// (same shape as requireBearerAuth) without invoking the handler.
|
|
47
|
+
const resourceMetadataUrl = `${req.protocol}://${req.host}/.well-known/oauth-protected-resource`;
|
|
48
|
+
res.set("WWW-Authenticate", `Bearer resource_metadata="${resourceMetadataUrl}"`);
|
|
49
|
+
res.status(401).json({
|
|
50
|
+
error: "invalid_request",
|
|
51
|
+
error_description: "Missing bearer token. Ensure requireBearerAuth() runs before grant().",
|
|
42
52
|
});
|
|
43
|
-
|
|
44
|
-
return next();
|
|
53
|
+
return;
|
|
45
54
|
}
|
|
55
|
+
// Reuse an existing context so stacked grant() middlewares accumulate
|
|
56
|
+
// per-resource tokens and errors instead of replacing earlier results.
|
|
57
|
+
const accessCtx = req.accessContext instanceof AccessContext
|
|
58
|
+
? req.accessContext
|
|
59
|
+
: new AccessContext();
|
|
46
60
|
// Resolve zone at request time — zoneId may be a static string or a
|
|
47
61
|
// function that extracts the zone from the verified access token.
|
|
48
62
|
let resolvedZoneId;
|
|
@@ -76,8 +90,33 @@ export function grant(resources, options) {
|
|
|
76
90
|
? resources
|
|
77
91
|
: [resources];
|
|
78
92
|
const tokens = {};
|
|
93
|
+
// Resolve the impersonation target once per request. A resolver failure
|
|
94
|
+
// is recorded as a global error; the handler still runs and access()
|
|
95
|
+
// surfaces the failure.
|
|
96
|
+
let resolvedUserIdentifier;
|
|
97
|
+
if (options.userIdentifier) {
|
|
98
|
+
try {
|
|
99
|
+
resolvedUserIdentifier = await options.userIdentifier(req);
|
|
100
|
+
}
|
|
101
|
+
catch (e) {
|
|
102
|
+
accessCtx.setError({
|
|
103
|
+
message: "Failed to resolve userIdentifier.",
|
|
104
|
+
rawError: String(e),
|
|
105
|
+
});
|
|
106
|
+
req.accessContext = accessCtx;
|
|
107
|
+
return next();
|
|
108
|
+
}
|
|
109
|
+
}
|
|
79
110
|
for (const resource of resourceList) {
|
|
80
111
|
try {
|
|
112
|
+
if (resolvedUserIdentifier !== undefined) {
|
|
113
|
+
tokens[resource] = await client.impersonate({
|
|
114
|
+
userIdentifier: resolvedUserIdentifier,
|
|
115
|
+
resource,
|
|
116
|
+
zoneId: resolvedZoneId,
|
|
117
|
+
});
|
|
118
|
+
continue;
|
|
119
|
+
}
|
|
81
120
|
let exchangeRequest;
|
|
82
121
|
if (options.applicationCredential) {
|
|
83
122
|
exchangeRequest = await options.applicationCredential.prepareTokenExchangeRequest(subjectToken, resource, { zoneId: resolvedZoneId });
|
package/dist/esm/grant.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAEtE,OAAO,EAAE,UAAU,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC;
|
|
1
|
+
{"version":3,"file":"grant.js","sourceRoot":"","sources":["../../src/grant.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAEtE,OAAO,EAAE,UAAU,EAAE,8BAA8B,EAAE,MAAM,yBAAyB,CAAC;AAsDrF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,KAAK,CACnB,SAAqC,EACrC,OAAqB;IAErB,0DAA0D;IAC1D,MAAM,aAAa,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,8BAA8B,CACtC,iDAAiD,CAClD,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,wEAAwE;IACxE,uEAAuE;IACvE,6CAA6C;IAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,EAA+B,CAAC;IAE3D,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,MAAM,OAAO,GAAG,GAA2B,CAAC;QAC5C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;QAEzC,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,kEAAkE;YAClE,kEAAkE;YAClE,MAAM,mBAAmB,GAAG,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,uCAAuC,CAAC;YACjG,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,6BAA6B,mBAAmB,GAAG,CAAC,CAAC;YACjF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,iBAAiB;gBACxB,iBAAiB,EACf,uEAAuE;aAC1E,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,uEAAuE;QACvE,MAAM,SAAS,GACZ,GAAsB,CAAC,aAAa,YAAY,aAAa;YAC5D,CAAC,CAAE,GAAsB,CAAC,aAAa;YACvC,CAAC,CAAC,IAAI,aAAa,EAAE,CAAC;QAE1B,oEAAoE;QACpE,kEAAkE;QAClE,IAAI,cAAkC,CAAC;QACvC,IAAI,CAAC;YACH,cAAc;gBACZ,OAAO,OAAO,CAAC,MAAM,KAAK,UAAU;oBAClC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;oBAC9B,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QACvB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,cAAc,CAAC,CAAC;QACxE,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,SAAS,CAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC,CAAC;YAC/E,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;YAClD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,mDAAmD;QACnD,IAAI,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC9C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,+DAA+D;YAC/D,mEAAmE;YACnE,kDAAkD;YAClD,MAAM,GAAG,IAAI,mBAAmB,CAAC,eAAe,EAAE;gBAChD,UAAU,EAAE,OAAO,CAAC,qBAAqB;aAC1C,CAAC,CAAC;YACH,WAAW,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3C,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,CAAC,SAAmB,CAAC,CAAC;QAC1B,MAAM,MAAM,GAAkC,EAAE,CAAC;QAEjD,wEAAwE;QACxE,qEAAqE;QACrE,wBAAwB;QACxB,IAAI,sBAA0C,CAAC;QAC/C,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,sBAAsB,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YAC7D,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,SAAS,CAAC,QAAQ,CAAC;oBACjB,OAAO,EAAE,mCAAmC;oBAC5C,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;iBACpB,CAAC,CAAC;gBACF,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;gBAClD,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;QACH,CAAC;QAED,KAAK,MAAM,QAAQ,IAAI,YAAY,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,IAAI,sBAAsB,KAAK,SAAS,EAAE,CAAC;oBACzC,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC;wBAC1C,cAAc,EAAE,sBAAsB;wBACtC,QAAQ;wBACR,MAAM,EAAE,cAAc;qBACvB,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;gBACD,IAAI,eAAe,CAAC;gBACpB,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;oBAClC,eAAe,GAAG,MAAM,OAAO,CAAC,qBAAqB,CAAC,2BAA2B,CAC/E,YAAY,EACZ,QAAQ,EACR,EAAE,MAAM,EAAE,cAAc,EAAE,CAC3B,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,eAAe,GAAG;wBAChB,YAAY;wBACZ,QAAQ;wBACR,gBAAgB,EAAE,+CAAwD;qBAC3E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,eAAe,EAAE;oBAC7D,MAAM,EAAE,cAAc;iBACvB,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,MAAM,GAAgF;oBAC1F,OAAO,EAAE,6BAA6B,QAAQ,EAAE;iBACjD,CAAC;gBACF,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;oBAC5B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;oBAC1B,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9B,CAAC;gBACD,SAAS,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,SAAS,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC/B,GAAsB,CAAC,aAAa,GAAG,SAAS,CAAC;QAClD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAe;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAC9B,OAAO,WAAW,MAAM,gBAAgB,CAAC;AAC3C,CAAC"}
|
package/dist/esm/wellKnown.d.ts
CHANGED
|
@@ -22,6 +22,13 @@ export interface KeycardRouterOptions {
|
|
|
22
22
|
* Default: 10 000 ms.
|
|
23
23
|
*/
|
|
24
24
|
asMetadataTimeoutMs?: number;
|
|
25
|
+
/**
|
|
26
|
+
* Public JWKS to serve at `GET /.well-known/jwks.json`.
|
|
27
|
+
* When omitted, no JWKS route is registered.
|
|
28
|
+
*/
|
|
29
|
+
publicJwks?: {
|
|
30
|
+
keys: Record<string, unknown>[];
|
|
31
|
+
};
|
|
25
32
|
}
|
|
26
33
|
/**
|
|
27
34
|
* Returns an Express Router that serves the two OAuth discovery endpoints
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wellKnown.d.ts","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;OAEG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"wellKnown.d.ts","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,MAAM,WAAW,oBAAoB;IACnC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,eAAe,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC;;OAEG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;KAAE,CAAC;CAClD;AAKD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,oBAAoB,GAAG,MAAM,CA4B3E"}
|
package/dist/esm/wellKnown.js
CHANGED
|
@@ -1,4 +1,6 @@
|
|
|
1
1
|
import { Router } from "express";
|
|
2
|
+
const CORS_ALLOW_METHODS = "GET, OPTIONS";
|
|
3
|
+
const CORS_ALLOW_HEADERS = "Content-Type, MCP-Protocol-Version";
|
|
2
4
|
/**
|
|
3
5
|
* Returns an Express Router that serves the two OAuth discovery endpoints
|
|
4
6
|
* required by RFC 9728 and RFC 8414:
|
|
@@ -22,10 +24,33 @@ import { Router } from "express";
|
|
|
22
24
|
*/
|
|
23
25
|
export function keycardMetadataRouter(options) {
|
|
24
26
|
const router = Router();
|
|
27
|
+
const metadataPaths = [
|
|
28
|
+
"/.well-known/oauth-protected-resource",
|
|
29
|
+
"/.well-known/oauth-authorization-server",
|
|
30
|
+
];
|
|
25
31
|
router.get("/.well-known/oauth-protected-resource", protectedResourceHandler(options));
|
|
26
32
|
router.get("/.well-known/oauth-authorization-server", authorizationServerHandler(options.issuer, options.asMetadataTimeoutMs ?? 10_000));
|
|
33
|
+
if (options.publicJwks) {
|
|
34
|
+
metadataPaths.push("/.well-known/jwks.json");
|
|
35
|
+
router.get("/.well-known/jwks.json", jwksHandler(options.publicJwks));
|
|
36
|
+
}
|
|
37
|
+
// CORS preflight for the metadata endpoints. Browsers send OPTIONS before
|
|
38
|
+
// cross-origin GETs that include headers such as MCP-Protocol-Version.
|
|
39
|
+
router.options(metadataPaths, preflightHandler);
|
|
27
40
|
return router;
|
|
28
41
|
}
|
|
42
|
+
const preflightHandler = (_req, res) => {
|
|
43
|
+
res.set("Access-Control-Allow-Origin", "*");
|
|
44
|
+
res.set("Access-Control-Allow-Methods", CORS_ALLOW_METHODS);
|
|
45
|
+
res.set("Access-Control-Allow-Headers", CORS_ALLOW_HEADERS);
|
|
46
|
+
res.status(204).end();
|
|
47
|
+
};
|
|
48
|
+
function jwksHandler(publicJwks) {
|
|
49
|
+
return (_req, res) => {
|
|
50
|
+
res.set("Access-Control-Allow-Origin", "*");
|
|
51
|
+
res.status(200).json(publicJwks);
|
|
52
|
+
};
|
|
53
|
+
}
|
|
29
54
|
function protectedResourceHandler(options) {
|
|
30
55
|
return (req, res) => {
|
|
31
56
|
const resource = `${req.protocol}://${req.host}`;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wellKnown.js","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"wellKnown.js","sourceRoot":"","sources":["../../src/wellKnown.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAiCjC,MAAM,kBAAkB,GAAG,cAAc,CAAC;AAC1C,MAAM,kBAAkB,GAAG,oCAAoC,CAAC;AAEhE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAA6B;IACjE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IAExB,MAAM,aAAa,GAAG;QACpB,uCAAuC;QACvC,yCAAyC;KAC1C,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,uCAAuC,EACvC,wBAAwB,CAAC,OAAO,CAAC,CAClC,CAAC;IAEF,MAAM,CAAC,GAAG,CACR,yCAAyC,EACzC,0BAA0B,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,IAAI,MAAM,CAAC,CAClF,CAAC;IAEF,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,aAAa,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,wBAAwB,EAAE,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;IACxE,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC;IAEhD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,gBAAgB,GAAmB,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;IACrD,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;IAC5C,GAAG,CAAC,GAAG,CAAC,8BAA8B,EAAE,kBAAkB,CAAC,CAAC;IAC5D,GAAG,CAAC,GAAG,CAAC,8BAA8B,EAAE,kBAAkB,CAAC,CAAC;IAC5D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;AACxB,CAAC,CAAC;AAEF,SAAS,WAAW,CAAC,UAA+C;IAClE,OAAO,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QACnB,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACnC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,OAA6B;IAC7D,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QACjD,MAAM,QAAQ,GAA4B;YACxC,QAAQ;YACR,qBAAqB,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACxC,CAAC;QACF,IAAI,OAAO,CAAC,YAAY;YAAE,QAAQ,CAAC,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;QACxE,IAAI,OAAO,CAAC,eAAe;YAAE,QAAQ,CAAC,gBAAgB,GAAG,CAAC,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QACtF,IAAI,OAAO,CAAC,qBAAqB;YAAE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,qBAAqB,CAAC;QAEnG,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,MAAc,EAAE,SAAiB;IACnE,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,MAAM,yCAAyC,EAClD,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAC3C,CAAC;YACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,CAAC,CAAC;gBAC3E,OAAO;YACT,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;YAElE,wEAAwE;YACxE,4EAA4E;YAC5E,IAAI,OAAO,QAAQ,CAAC,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBACxD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;gBACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBACtE,QAAQ,CAAC,sBAAsB,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;YACvD,CAAC;YAED,GAAG,CAAC,GAAG,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,CAAC,CAAC,CAAC;QACV,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@keycardai/express",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.5.0",
|
|
4
4
|
"description": "[Preview] Keycard auth middleware for Express: bearer token validation, RFC 6750 challenges, delegated token exchange, and OAuth discovery routes",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|
|
@@ -27,7 +27,7 @@
|
|
|
27
27
|
}
|
|
28
28
|
},
|
|
29
29
|
"dependencies": {
|
|
30
|
-
"@keycardai/oauth": "0.
|
|
30
|
+
"@keycardai/oauth": "0.16.0"
|
|
31
31
|
},
|
|
32
32
|
"peerDependencies": {
|
|
33
33
|
"express": ">=4.0.0"
|