@keycardai/oauth 0.1.0

package/dist/cjs/base64url.d.ts

@@ -0,0 +1,6 @@
+declare const _default: {
+    encode: (data: ArrayBuffer) => string;
+    decode: (str: string) => ArrayBuffer;
+};
+export default _default;
+//# sourceMappingURL=base64url.d.ts.map

package/dist/cjs/base64url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64url.d.ts","sourceRoot":"","sources":["../../src/base64url.ts"],"names":[],"mappings":";mBAoB0B,WAAW,KAAG,MAAM;kBAsBrB,MAAM,KAAG,WAAW;;AAvB7C,wBAiDE"}

package/dist/cjs/base64url.js

@@ -0,0 +1,50 @@
+"use strict";
+/*
+ * Base64URL-ArrayBuffer
+ * https://github.com/yackermann/Base64URL-ArrayBuffer
+ *
+ * Copyright (c) 2017 Yuriy Ackermann <ackermann.yuriy@gmail.com>
+ * Copyright (c) 2012 Niklas von Hertzen
+ * Licensed under the MIT license.
+ *
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const CHARACTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+// Use a lookup table to find the index.
+var lookup = new Uint8Array(256);
+for (var i = 0; i < CHARACTERS.length; i++) {
+    lookup[CHARACTERS.charCodeAt(i)] = i;
+}
+exports.default = {
+    encode: function (data) {
+        var bytes = new Uint8Array(data), i, len = bytes.length, str = "";
+        for (i = 0; i < len; i += 3) {
+            str += CHARACTERS[bytes[i] >> 2];
+            str += CHARACTERS[((bytes[i] & 3) << 4) | (bytes[i + 1] >> 4)];
+            str += CHARACTERS[((bytes[i + 1] & 15) << 2) | (bytes[i + 2] >> 6)];
+            str += CHARACTERS[bytes[i + 2] & 63];
+        }
+        if (len % 3 === 2) {
+            str = str.substring(0, str.length - 1);
+        }
+        else if (len % 3 === 1) {
+            str = str.substring(0, str.length - 2);
+        }
+        return str;
+    },
+    decode: function (str) {
+        var bufferLength = str.length * 0.75, len = str.length, i, p = 0, encoded1, encoded2, encoded3, encoded4;
+        var data = new ArrayBuffer(bufferLength), bytes = new Uint8Array(data);
+        for (i = 0; i < len; i += 4) {
+            encoded1 = lookup[str.charCodeAt(i)];
+            encoded2 = lookup[str.charCodeAt(i + 1)];
+            encoded3 = lookup[str.charCodeAt(i + 2)];
+            encoded4 = lookup[str.charCodeAt(i + 3)];
+            bytes[p++] = (encoded1 << 2) | (encoded2 >> 4);
+            bytes[p++] = ((encoded2 & 15) << 4) | (encoded3 >> 2);
+            bytes[p++] = ((encoded3 & 3) << 6) | (encoded4 & 63);
+        }
+        return data;
+    },
+};
+//# sourceMappingURL=base64url.js.map

package/dist/cjs/base64url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64url.js","sourceRoot":"","sources":["../../src/base64url.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AAEH,MAAM,UAAU,GACd,kEAAkE,CAAC;AAErE,wCAAwC;AACxC,IAAI,MAAM,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;IAC3C,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;AACvC,CAAC;AAED,kBAAe;IACb,MAAM,EAAE,UAAU,IAAiB;QACjC,IAAI,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,EAC9B,CAAC,EACD,GAAG,GAAG,KAAK,CAAC,MAAM,EAClB,GAAG,GAAG,EAAE,CAAC;QAEX,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YACjC,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC/D,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACpE,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAClB,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACzC,CAAC;aAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACzC,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM,EAAE,UAAU,GAAW;QAC3B,IAAI,YAAY,GAAG,GAAG,CAAC,MAAM,GAAG,IAAI,EAClC,GAAG,GAAG,GAAG,CAAC,MAAM,EAChB,CAAC,EACD,CAAC,GAAG,CAAC,EACL,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,QAAQ,CAAC;QAEX,IAAI,IAAI,GAAG,IAAI,WAAW,CAAC,YAAY,CAAC,EACtC,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;YACrC,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACzC,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACzC,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAEzC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC;YAC/C,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC;YACtD,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,GAAG,EAAE,CAAC,CAAC;QACvD,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAC"}

package/dist/cjs/discovery.d.ts

@@ -0,0 +1,27 @@
+import { z } from "zod";
+declare const OAuthAuthorizationServerMetadataSchema: z.ZodObject<{
+    issuer: z.ZodString;
+    authorization_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+    registration_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    issuer: z.ZodString;
+    authorization_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+    registration_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    issuer: z.ZodString;
+    authorization_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+    registration_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, z.ZodTypeAny, "passthrough">>;
+export type OAuthAuthorizationServerMetadata = z.infer<typeof OAuthAuthorizationServerMetadataSchema>;
+export declare function fetchAuthorizationServerMetadata(issuer: string): Promise<OAuthAuthorizationServerMetadata>;
+export {};
+//# sourceMappingURL=discovery.d.ts.map

package/dist/cjs/discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gCAAgC,CAAC,CAsBhH"}

package/dist/cjs/discovery.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchAuthorizationServerMetadata = fetchAuthorizationServerMetadata;
+const zod_1 = require("zod");
+const OAuthAuthorizationServerMetadataSchema = zod_1.z.object({
+    issuer: zod_1.z.string(),
+    authorization_endpoint: zod_1.z.string().optional(),
+    token_endpoint: zod_1.z.string().optional(),
+    jwks_uri: zod_1.z.string().optional(),
+    registration_endpoint: zod_1.z.string().optional(),
+    token_endpoint_auth_methods_supported: zod_1.z.array(zod_1.z.string()).optional(),
+}).passthrough();
+async function fetchAuthorizationServerMetadata(issuer) {
+    const issuerURL = new URL(issuer);
+    let path = issuerURL.pathname;
+    if (path.endsWith("/")) {
+        path = path.slice(0, -1);
+    }
+    const url = new URL(`/.well-known/oauth-authorization-server${path}`, issuer);
+    const response = await fetch(url);
+    if (!response.ok) {
+        throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
+    }
+    const json = await response.json();
+    const metadata = OAuthAuthorizationServerMetadataSchema.parse(json);
+    if (metadata.issuer !== issuer) {
+        throw new Error(`Issuer mismatch in OAuth authorization server metadata for "${issuer}"`);
+    }
+    return metadata;
+}
+//# sourceMappingURL=discovery.js.map

package/dist/cjs/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":";;AAaA,4EAsBC;AAnCD,6BAAwB;AAExB,MAAM,sCAAsC,GAAG,OAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIV,KAAK,UAAU,gCAAgC,CAAC,MAAc;IACnE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,4DAA4D,MAAM,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,sCAAsC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+DAA+D,MAAM,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/cjs/errors.d.ts

@@ -0,0 +1,19 @@
+export declare class HTTPError extends Error {
+    constructor(message: string);
+}
+export declare class BadRequestError extends HTTPError {
+}
+export declare class UnauthorizedError extends HTTPError {
+}
+export declare class OAuthError extends Error {
+    readonly errorCode: string;
+    readonly errorUri?: string | undefined;
+    constructor(errorCode: string, message: string, errorUri?: string | undefined);
+}
+export declare class InvalidTokenError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+export declare class InsufficientScopeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/cjs/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;gBAEhC,OAAO,EAAE,MAAM;CAIlB;AAED,qBAAa,eAAgB,SAAQ,SAAS;CAC7C;AAED,qBAAa,iBAAkB,SAAQ,SAAS;CAC/C;AAED,qBAAa,UAAW,SAAQ,KAAK;aAEjB,SAAS,EAAE,MAAM;aAEjB,QAAQ,CAAC,EAAE,MAAM;gBAFjB,SAAS,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACC,QAAQ,CAAC,EAAE,MAAM,YAAA;CAIpC;AAED,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,qBAAa,sBAAuB,SAAQ,UAAU;gBACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C"}

package/dist/cjs/errors.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = void 0;
+class HTTPError extends Error {
+    constructor(message) {
+        super(message);
+    }
+}
+exports.HTTPError = HTTPError;
+class BadRequestError extends HTTPError {
+}
+exports.BadRequestError = BadRequestError;
+class UnauthorizedError extends HTTPError {
+}
+exports.UnauthorizedError = UnauthorizedError;
+class OAuthError extends Error {
+    constructor(errorCode, message, errorUri) {
+        super(message);
+        this.errorCode = errorCode;
+        this.errorUri = errorUri;
+    }
+}
+exports.OAuthError = OAuthError;
+class InvalidTokenError extends OAuthError {
+    constructor(message, errorUri) {
+        super("invalid_token", message, errorUri);
+    }
+}
+exports.InvalidTokenError = InvalidTokenError;
+class InsufficientScopeError extends OAuthError {
+    constructor(message, errorUri) {
+        super("insufficient_scope", message, errorUri);
+    }
+}
+exports.InsufficientScopeError = InsufficientScopeError;
+//# sourceMappingURL=errors.js.map

package/dist/cjs/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":";;;AAAA,MAAa,SAAU,SAAQ,KAAK;IAClC,YACE,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAND,8BAMC;AAED,MAAa,eAAgB,SAAQ,SAAS;CAC7C;AADD,0CACC;AAED,MAAa,iBAAkB,SAAQ,SAAS;CAC/C;AADD,8CACC;AAED,MAAa,UAAW,SAAQ,KAAK;IACnC,YACkB,SAAiB,EACjC,OAAe,EACC,QAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,cAAS,GAAT,SAAS,CAAQ;QAEjB,aAAQ,GAAR,QAAQ,CAAS;IAGnC,CAAC;CACF;AARD,gCAQC;AAED,MAAa,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAJD,8CAIC;AAED,MAAa,sBAAuB,SAAQ,UAAU;IACpD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;CACF;AAJD,wDAIC"}

package/dist/cjs/index.d.ts

@@ -0,0 +1,12 @@
+export type { OAuthKeyring, PrivateKeyring, IdentifiableKey } from "./keyring.js";
+export { JWKSOAuthKeyring } from "./keyring.js";
+export { default as base64url } from "./base64url.js";
+export { fetchAuthorizationServerMetadata } from "./discovery.js";
+export type { OAuthAuthorizationServerMetadata } from "./discovery.js";
+export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError } from "./errors.js";
+export { JWTSigner } from "./jwt/signer.js";
+export type { JWTClaims } from "./jwt/signer.js";
+export { JWTVerifier } from "./jwt/verifier.js";
+export { TokenExchangeClient } from "./tokenExchange.js";
+export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions } from "./tokenExchange.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/cjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/cjs/index.js

@@ -0,0 +1,26 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenExchangeClient = exports.JWTVerifier = exports.JWTSigner = exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = exports.fetchAuthorizationServerMetadata = exports.base64url = exports.JWKSOAuthKeyring = void 0;
+var keyring_js_1 = require("./keyring.js");
+Object.defineProperty(exports, "JWKSOAuthKeyring", { enumerable: true, get: function () { return keyring_js_1.JWKSOAuthKeyring; } });
+var base64url_js_1 = require("./base64url.js");
+Object.defineProperty(exports, "base64url", { enumerable: true, get: function () { return __importDefault(base64url_js_1).default; } });
+var discovery_js_1 = require("./discovery.js");
+Object.defineProperty(exports, "fetchAuthorizationServerMetadata", { enumerable: true, get: function () { return discovery_js_1.fetchAuthorizationServerMetadata; } });
+var errors_js_1 = require("./errors.js");
+Object.defineProperty(exports, "HTTPError", { enumerable: true, get: function () { return errors_js_1.HTTPError; } });
+Object.defineProperty(exports, "BadRequestError", { enumerable: true, get: function () { return errors_js_1.BadRequestError; } });
+Object.defineProperty(exports, "UnauthorizedError", { enumerable: true, get: function () { return errors_js_1.UnauthorizedError; } });
+Object.defineProperty(exports, "OAuthError", { enumerable: true, get: function () { return errors_js_1.OAuthError; } });
+Object.defineProperty(exports, "InvalidTokenError", { enumerable: true, get: function () { return errors_js_1.InvalidTokenError; } });
+Object.defineProperty(exports, "InsufficientScopeError", { enumerable: true, get: function () { return errors_js_1.InsufficientScopeError; } });
+var signer_js_1 = require("./jwt/signer.js");
+Object.defineProperty(exports, "JWTSigner", { enumerable: true, get: function () { return signer_js_1.JWTSigner; } });
+var verifier_js_1 = require("./jwt/verifier.js");
+Object.defineProperty(exports, "JWTVerifier", { enumerable: true, get: function () { return verifier_js_1.JWTVerifier; } });
+var tokenExchange_js_1 = require("./tokenExchange.js");
+Object.defineProperty(exports, "TokenExchangeClient", { enumerable: true, get: function () { return tokenExchange_js_1.TokenExchangeClient; } });
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AACA,2CAAgD;AAAvC,8GAAA,gBAAgB,OAAA;AACzB,+CAAsD;AAA7C,0HAAA,OAAO,OAAa;AAC7B,+CAAkE;AAAzD,gIAAA,gCAAgC,OAAA;AAEzC,yCAAmI;AAA1H,sGAAA,SAAS,OAAA;AAAE,4GAAA,eAAe,OAAA;AAAE,8GAAA,iBAAiB,OAAA;AAAE,uGAAA,UAAU,OAAA;AAAE,8GAAA,iBAAiB,OAAA;AAAE,mHAAA,sBAAsB,OAAA;AAC7G,6CAA4C;AAAnC,sGAAA,SAAS,OAAA;AAElB,iDAAgD;AAAvC,0GAAA,WAAW,OAAA;AACpB,uDAAyD;AAAhD,uHAAA,mBAAmB,OAAA"}

package/dist/cjs/jwt/signer.d.ts

@@ -0,0 +1,19 @@
+import { PrivateKeyring } from "../keyring.js";
+export interface JWTClaims {
+    iss?: string;
+    sub?: string;
+    aud?: string | string[];
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+    scope?: string;
+    client_id?: string;
+    [key: string]: unknown;
+}
+export declare class JWTSigner {
+    #private;
+    constructor(keyring: PrivateKeyring);
+    sign(claims: JWTClaims): Promise<string>;
+}
+//# sourceMappingURL=signer.d.ts.map

package/dist/cjs/jwt/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../../src/jwt/signer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAG/C,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,qBAAa,SAAS;;gBAGR,OAAO,EAAE,cAAc;IAI7B,IAAI,CAAC,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC;CA2B/C"}

package/dist/cjs/jwt/signer.js

@@ -0,0 +1,55 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+var _JWTSigner_privateKeyring;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWTSigner = void 0;
+const base64url_js_1 = __importDefault(require("../base64url.js"));
+class JWTSigner {
+    constructor(keyring) {
+        _JWTSigner_privateKeyring.set(this, void 0);
+        __classPrivateFieldSet(this, _JWTSigner_privateKeyring, keyring, "f");
+    }
+    async sign(claims) {
+        const { key, kid, issuer } = await __classPrivateFieldGet(this, _JWTSigner_privateKeyring, "f").key('sign');
+        const jsonHeader = {
+            alg: 'RS256',
+            kid: kid
+        };
+        const resolvedClaims = { ...claims };
+        if (issuer && !resolvedClaims.iss) {
+            resolvedClaims.iss = issuer;
+        }
+        const header = btoau(JSON.stringify(jsonHeader));
+        const payload = btoau(JSON.stringify(resolvedClaims));
+        const input = `${header}.${payload}`;
+        let signature = await crypto.subtle.sign({
+            name: 'RSASSA-PKCS1-v1_5',
+        }, key, stringToUint8Array(input));
+        return `${input}.${base64url_js_1.default.encode(signature)}`;
+    }
+}
+exports.JWTSigner = JWTSigner;
+_JWTSigner_privateKeyring = new WeakMap();
+function btoau(str) {
+    return btoa(str).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+// TextEncoder.encode() always returns a Uint8Array backed by ArrayBuffer,
+// but TS 5.7+ types .buffer as ArrayBufferLike (includes SharedArrayBuffer).
+// The cast is safe and necessary for crypto.subtle.sign's BufferSource parameter.
+function stringToUint8Array(str) {
+    return new TextEncoder().encode(str).buffer;
+}
+//# sourceMappingURL=signer.js.map

package/dist/cjs/jwt/signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.js","sourceRoot":"","sources":["../../../src/jwt/signer.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,mEAAuC;AAevC,MAAa,SAAS;IAGpB,YAAY,OAAuB;QAFnC,4CAAgC;QAG9B,uBAAA,IAAI,6BAAmB,OAAO,MAAA,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAiB;QAC1B,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,GAAI,MAAM,uBAAA,IAAI,iCAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAErE,MAAM,UAAU,GAAG;YACjB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,GAAG;SACT,CAAC;QAEF,MAAM,cAAc,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QACrC,IAAI,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,CAAC;YAClC,cAAc,CAAC,GAAG,GAAG,MAAM,CAAC;QAC9B,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC;QAEtD,MAAM,KAAK,GAAG,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC;QACrC,IAAI,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACtC;YACE,IAAI,EAAE,mBAAmB;SAC1B,EACD,GAAG,EACH,kBAAkB,CAAC,KAAK,CAAC,CAC1B,CAAC;QAEF,OAAO,GAAG,KAAK,IAAI,sBAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;IACnD,CAAC;CACF;AAlCD,8BAkCC;;AAED,SAAS,KAAK,CAAC,GAAW;IACxB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;AAC5E,CAAC;AAED,0EAA0E;AAC1E,6EAA6E;AAC7E,kFAAkF;AAClF,SAAS,kBAAkB,CAAC,GAAW;IACrC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAqB,CAAC;AAC7D,CAAC"}

package/dist/cjs/jwt/verifier.d.ts

@@ -0,0 +1,8 @@
+import { OAuthKeyring } from "../keyring.js";
+import type { JWTClaims } from "./signer.js";
+export declare class JWTVerifier {
+    #private;
+    constructor(keyring: OAuthKeyring);
+    verify(token: string): Promise<JWTClaims>;
+}
+//# sourceMappingURL=verifier.d.ts.map

package/dist/cjs/jwt/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,qBAAa,WAAW;;gBAGV,OAAO,EAAE,YAAY;IAI3B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA2BhD"}

package/dist/cjs/jwt/verifier.js

@@ -0,0 +1,49 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+var _JWTVerifier_keyring;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWTVerifier = void 0;
+const errors_js_1 = require("../errors.js");
+const base64url_js_1 = __importDefault(require("../base64url.js"));
+class JWTVerifier {
+    constructor(keyring) {
+        _JWTVerifier_keyring.set(this, void 0);
+        __classPrivateFieldSet(this, _JWTVerifier_keyring, keyring, "f");
+    }
+    async verify(token) {
+        const [header, payload, signature, ...rest] = token.split('.');
+        const jsonHeader = JSON.parse(autob(header));
+        const jsonPayload = JSON.parse(autob(payload));
+        if (!jsonPayload.iss) {
+            throw new errors_js_1.InvalidTokenError("JWT missing issuer (iss) claim");
+        }
+        const key = await __classPrivateFieldGet(this, _JWTVerifier_keyring, "f").key(jsonPayload.iss, jsonHeader.kid);
+        const verified = await crypto.subtle.verify({
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: { name: 'SHA-256' },
+        }, key, base64url_js_1.default.decode(signature), new TextEncoder().encode(`${header}.${payload}`));
+        if (!verified) {
+            throw new errors_js_1.InvalidTokenError("Invalid signature");
+        }
+        return jsonPayload;
+    }
+}
+exports.JWTVerifier = JWTVerifier;
+_JWTVerifier_keyring = new WeakMap();
+function autob(data) {
+    return atob(data.replace(/-/g, '+').replace(/_/g, '/'));
+}
+//# sourceMappingURL=verifier.js.map

package/dist/cjs/jwt/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,4CAAiD;AACjD,mEAAwC;AAGxC,MAAa,WAAW;IAGtB,YAAY,OAAqB;QAFjC,uCAAuB;QAGrB,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/D,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAc,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAE1D,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,sBAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,6BAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;AAlCD,kCAkCC;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}

package/dist/cjs/keyring.d.ts

@@ -0,0 +1,15 @@
+export interface OAuthKeyring {
+    key(issuer: string, kid: string): Promise<CryptoKey>;
+}
+export type IdentifiableKey = {
+    key: CryptoKey;
+    issuer: string;
+    kid: string;
+};
+export interface PrivateKeyring {
+    key(usage: string): Promise<IdentifiableKey>;
+}
+export declare class JWKSOAuthKeyring implements OAuthKeyring {
+    key(issuer: string, kid: string): Promise<CryptoKey>;
+}
+//# sourceMappingURL=keyring.d.ts.map

package/dist/cjs/keyring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAyBD,qBAAa,gBAAiB,YAAW,YAAY;IAE7C,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA8B3D"}

package/dist/cjs/keyring.js

@@ -0,0 +1,49 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWKSOAuthKeyring = void 0;
+const zod_1 = require("zod");
+const discovery_js_1 = require("./discovery.js");
+const JWKSchema = zod_1.z.object({
+    kty: zod_1.z.string(),
+    alg: zod_1.z.string().optional(),
+    use: zod_1.z.string().optional(),
+    kid: zod_1.z.string().optional(),
+});
+const RSAJWKSchema = JWKSchema.extend({
+    n: zod_1.z.string(),
+    e: zod_1.z.string(),
+});
+const ECJWKSchema = JWKSchema.extend({
+    crv: zod_1.z.string(),
+    x: zod_1.z.string(),
+    y: zod_1.z.string(),
+});
+const JWKSetSchema = zod_1.z.object({
+    keys: zod_1.z.array(zod_1.z.union([RSAJWKSchema, ECJWKSchema])),
+});
+class JWKSOAuthKeyring {
+    async key(issuer, kid) {
+        const authorizationServer = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(issuer);
+        if (!authorizationServer.jwks_uri) {
+            throw new Error(`No JSON Web Key Set available for "${issuer}"`);
+        }
+        const response = await fetch(authorizationServer.jwks_uri);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
+        }
+        const json = await response.json();
+        const jwkSet = JWKSetSchema.parse(json);
+        const jwk = jwkSet.keys.find((jwk) => jwk.kid === kid);
+        if (!jwk) {
+            throw new Error(`Failed to find key "${kid}" of "${issuer}"`);
+        }
+        // TODO: make this more robust to uses and algs
+        const key = await crypto.subtle.importKey('jwk', jwk, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: { name: 'SHA-256' },
+        }, true, ['verify']);
+        return key;
+    }
+}
+exports.JWKSOAuthKeyring = JWKSOAuthKeyring;
+//# sourceMappingURL=keyring.js.map

package/dist/cjs/keyring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AACxB,iDAAkE;AAiBlE,MAAM,SAAS,GAAG,OAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAEH,MAAa,gBAAgB;IAE3B,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,mBAAmB,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,CAAC,CAAC;QAC3E,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;QACnE,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC3D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,4DAA4D,MAAM,GAAG,CAAC,CAAC;QACzF,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;QACvD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;QAChE,CAAC;QAED,+CAA+C;QAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;QACF,OAAO,GAAG,CAAC;IACb,CAAC;CACF;AAhCD,4CAgCC"}

package/dist/cjs/package.json

@@ -0,0 +1 @@
+{"type": "commonjs"}

package/dist/cjs/tokenExchange.d.ts

@@ -0,0 +1,31 @@
+export interface TokenExchangeRequest {
+    grantType?: string;
+    resource?: string;
+    audience?: string;
+    scope?: string;
+    requestedTokenType?: string;
+    subjectToken: string;
+    subjectTokenType?: string;
+    actorToken?: string;
+    actorTokenType?: string;
+    clientAssertion?: string;
+    clientAssertionType?: string;
+}
+export interface TokenResponse {
+    accessToken: string;
+    tokenType: string;
+    expiresIn?: number;
+    refreshToken?: string;
+    scope?: string[];
+    issuedTokenType?: string;
+}
+export interface TokenExchangeClientOptions {
+    clientId?: string;
+    clientSecret?: string;
+}
+export declare class TokenExchangeClient {
+    #private;
+    constructor(issuerUrl: string, options?: TokenExchangeClientOptions);
+    exchangeToken(request: TokenExchangeRequest): Promise<TokenResponse>;
+}
+//# sourceMappingURL=tokenExchange.d.ts.map

package/dist/cjs/tokenExchange.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAkDD,qBAAa,mBAAmB;;gBAOlB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAM7D,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,aAAa,CAAC;CA2D3E"}